Michael Paulitsch

Coverage and the use of cyclic redundancy codes in ultra-dependable systems

A cyclic redundancy code (CRC), when used properly, can be an effective and relatively inexpensive method to detect data corruption across communication channels. However, some systems use CRCs in ways that violate common assumptions made in analyzing CRC effectiveness, resulting in an overly optimistic prediction of system dependability. CRCs detect errors with some finite probability, which depends on factors including the strength of the particular code used, the bit-error rate, and the message length being checked. Common assumptions also include a passive network inter-stage, explicit data words, memoryless channels, and random independent symbol errors. In this paper we identify some examples of CRC usage that compromise ultra-dependable system design goals, and recommend alternate ways to improve system dependability via architectural approaches rather than error detection coding approaches.

Ringing out fault tolerance. A new ring network for superior low-cost dependability

Dependability properties of bi-directional and braided rings are well recognized in improving communication availability. However, current ring-based topologies have no mechanisms for extreme integrity and have not been considered for emerging high-dependability markets where cost is a significant driver, such as the automotive by-wire applications. This paper introduces a braided-ring architecture with superior guardian functionality and complete Byzantine fault tolerance while simultaneously reducing cost. This paper reviews anticipated requirements for high-dependability low-cost applications and emphasizes the need for regular safe testing of core coverage functions. The paper describes the rings main mechanisms for achieving integrity and availability levels similar to SAFEbus/spl reg/ but at low automotive costs. The paper also presents a mechanism to achieve self-stabilizing TDMA-based communication and design methods for fault-tolerant protocols on a network of simplex nodes. The paper also introduces a new self-checking pair concept that leverages braided-ring properties. This novel message-based self-checking-pair concept allows high-integrity source data at extremely low cost.

The real Byzantine Generals

In contrast to previous papers on the Byzantine Generals problem, this work examines the problem from a practical, lower-level, phenomena point of view. The goal is to dispel a common belief that the problem is a myth (potentially arising from the anthropomorphic nature of previous literature). This work gives practical, succinct definitions for Byzantine fault and failure. It describes how these arise and are propagated in electrical signals and digital circuitry. The paper describes actual occurrences of Byzantine faults in several different systems. A taxonomy of methods for combating the problem is presented with examples of each method. The paper brings forth the following underappreciated facts: (1) cryptography is not a useful solution to the problem in actual systems, (2) most solutions to the problem must include a Byzantine filter (a circuit that converts a Byzantine signal to a nonByzantine signal).

Model-based development and the implications to design assurance and certification

The term Model based design and development has grown in popularity over the past decade. Within the embedded avionics community the term model based design implies the development and application of control models and simulations within tools such as MATLAB. At Honeywell, the authors have been engaged in model based development (MBD) and associated tools development for avionics applications. This position paper applies the lessons learned and discusses several issues, relating to sound model-based design, to meet design assurance and certification objectives. The paper examines the dominant approaches utilized by some of the popular model-based design, code generation and verification tool suites available commercially. It contrasts these approaches to traditional software design, implementation, and verification methods. This paper also recommends taking a broader perspective of MBD and suggests adopting lessons learned from the classical software engineering arena. We discuss this together with areas for future investigation, standardization, and automation tool development and integration.

FlexRay in aerospace and safety-sensitive systems

The FlexRay field bus has potential for integrating existing networks and as a shared local sub-system network in the next generation of airplanes - leveraging a low-cost, dependable bus designed for the automotive domain. Herein, we present an overview of FlexRay and investigate FlexRays dependability for use as a field bus in the aerospace domain. FlexRay supports all major requirements for integrating systems on a single network, if controllers are deployed with a guardian to achieve good hardware fault coverage. Despite including a guardian, some vulnerability may remain, such as software-induced failures and physical layer properties.

Starting and Resolving a Partitioned BRAIN

Time-triggered communication is a favored design strategy for safety-critical systems. However, the startup of time-triggered systems is a significant concern, since the time-line from which fault-tolerance is supported must be established in segmented mediums, e.g. multi-hop networks. The startup problems are particularly challenging since clique formation, i.e. the establishment of disjoint time-triggered communication sets, may be systematically induced. This paper presents an alternative startup solution based upon a braided-ring architecture called BRAIN (braided ring availability integrity network). Segmentation-induced cliques are particularly prevalent in this architecture, since each node presents a potential medium break. The described strategy dramatically improves startup performance in relation to current approaches by leveraging the cooperative action of adjacent nodes during startup and high-integrity data propagation.

Insights into the Sensitivity of the BRAIN (Braided Ring Availability Integrity Network)--On Platform Robustness in Extended Operation

Low-cost fault-tolerant systems design presents a continual trade-off between improving fault-tolerant properties and accommodating cost constraints. With limited hardware options and to justify the system design rationale, it is necessary to formulate a fault hypothesis to bound failure assumptions. The system must be built on a foundation of real-world relevance and the assumption of coverage of the fault hypothesis. This paper discusses a study that examines the sensitivity of a BRAIN (braided ring availability integrity network) design to different fault types and failure rates in a safety-relevant application. It presents a Markov-based model (using ASSIST, SURE, and STEM analysis tools) and a series of experiments that were run to analyze the overall dependability of the BRAIN approach. The study evaluates the mission reliability and safety in the context of a hypothetical automotive integrated x-by-wire architecture on top of the BRAIN. Drawing from experience in the aerospace domain, the authors investigate the possibility of continued operation for a limited period after a detected critical electronic failure. Continued operation would allow a driver to reach repair facilities rather than stopping the vehicle to call for roadside assistance or limping home.

Design and implementation of a degraded vision landing aid application on a multicore processor architecture for safety-critical application

The progress of silicon integration has led to the ability to integrate complex systems on a single die. Integration of different application software components on a distributed system-on-chip can be demanding unless one follows a structural system integration approach with architectural support by hardware. The ACROSS Multi-Processor System-on-Chip platform provides architectural means for integration, such as well-defined communication interfaces, deterministic communication schedules, fault-containment, and error-confinement support. We present the non-functional requirements of a degraded vision landing system for a helicopter and show how the ACROSS Multi-Processor System-on-Chip research platform alleviates integration of software and system components. We also discuss more general multicore-specific software-related requirements and how the ACROSS MPSoC platform meets these.