Philipp Peti
Vienna University of Technology
Publications
Featured research published by Philipp Peti.
Workshop on Object-Oriented Real-Time Dependable Systems | 2005
Roman Obermaisser; Philipp Peti; Hermann Kopetz
Depending on the physical structuring of large distributed safety-critical real-time systems, one can distinguish federated and integrated system architectures. This paper investigates the communication services of an integrated system architecture, which combines the complexity management advantages of federated systems with the functional integration and hardware benefits of an integrated approach. A major challenge is the need to accommodate the communication services to the different types of integrated application subsystems that range from ultra-dependable control applications (e.g., an x-by-wire system) to non safety-critical applications such as multimedia or comfort systems. In particular, the encapsulation of the communication activities of different application subsystems is required not only to prevent error propagation from non safety-critical application subsystems to higher levels of criticality, but also to facilitate complexity management and permit independent development activities. This paper introduces virtual networks as the encapsulated communication infrastructure of an application subsystem in the integrated DECOS architecture. Virtual networks are constructed as overlay networks on top of the time-triggered communication system of a base architecture. Each virtual network runs a corresponding communication protocol that is determined either by a legacy platform or selected to meet the requirements of the application subsystem. Encapsulation mechanisms ensure that the temporal properties of each virtual network are known a priori and independent from the communication activities in other virtual networks. By assigning to each application subsystem a dedicated virtual network and by ensuring that the virtual network abstractions hold also in the case of faults, the integrated architecture supports the benefits of a federated system, such as fault isolation, complexity management, independent development, and intellectual property protection. In addition, virtual networks promise massive cost savings through the reduction of physical networks and reliability improvements with respect to wiring and connectors.
Elektrotechnik und Informationstechnik | 2006
Roman Obermaisser; Philipp Peti; Bernhard Huber; C. El Salloum
Depending on the physical structuring of large distributed safety-critical real-time systems, one can distinguish federated and integrated system architectures. This paper describes an integrated system architecture which combines the complexity management advantages of federated systems with the functional integration and hardware benefits of an integrated approach. In order to control complexity, the overall functionality is divided into a set of application subsystems, each with dedicated architectural communication services, allowing developers to act as if they were building an application for a federated architecture. The introduced architecture builds upon the validated services of a time-triggered core architecture, which provides a physical network as a shared resource for the communication activities of more than one application subsystem. The communication resources are encapsulated and multiplexed between application subsystems. In analogy, encapsulated partitions are used to share node computers among software modules of multiple application subsystems. Architectural encapsulation mechanisms ensure that the assumptions and abstractions performed in the functional system structuring also hold after combining the different subsystems on the target platform.
German abstract (translated): Depending on the physical structuring of large distributed safety-critical real-time systems, federated and integrated system architectures can be distinguished. This work describes an integrated system architecture that combines the advantages of federated architectures with respect to complexity management with the advantages of an integrated approach (i.e., better functional integration and resource utilization). To master the complexity of the overall system, it is divided into application subsystems, which are additionally equipped with specific architectural services. In particular, the communication services are adapted in their functionality and timing behavior to the respective application requirements. Designers can therefore develop the system in the manner a federated architecture would permit. The presented integrated system architecture builds on the validated services of a time-triggered core architecture, where the physical network of a single distributed time-triggered computer system serves as a shared resource for the communication activities of several application subsystems. The communication resources are encapsulated and multiplexed between application subsystems. Likewise, encapsulated partitions within components serve to divide component resources (e.g., processor time and memory) among software modules of different application subsystems. The architecture's encapsulation mechanisms at the network and component level ensure that the assumptions and abstractions made in the course of functional system structuring also hold after the integration of the different subsystems on the target platform.
Real-Time Technology and Applications Symposium | 2005
Philipp Peti; Roman Obermaisser; Hermann Kopetz
The increasing use of electronics in transport systems, such as the automotive and avionic domains, has led to dramatic improvements with respect to functionality, safety, and cost. However, with this growth of electronics the likelihood of failures due to faults originating from electronic equipment also increases. Although permanent failure rates are constantly diminishing due to improvements in manufacturing, the downsizing of semiconductor features has led to a significant increase in transient system disturbances. Furthermore, transients are frequently the precursors of upcoming permanent failures. In order to cope with this development, a diagnostic subsystem must be designed specifically to detect and analyze such transients to reduce the failure-not-found ratio in today's systems. Therefore, diagnostic detection mechanisms must be devised that refrain from traditional error detection techniques operating only on component-local data in favor of a system-wide view to detect and analyze correlated failures and infer the corresponding fault. In this work, we present out-of-norm assertions (ONAs) as a diagnostic mechanism operating on the distributed state to detect correlated component malfunction. ONAs take the characteristics of faults in the time, value and space domains into account in order to discriminate between different types of faults that are affecting the operation of the distributed system. Since ONAs are specified on the interface state, mutual error detection of interface state variables is performed. In contrast to bivalent assertions that need to indisputably decide on correct or incorrect system states at the time of occurrence, the proposed ONAs are also useful in the detection of system irregularities that cannot be forced into the predominant bivalent assessment scheme.
IEEE Sensors | 2002
Philipp Peti; Roman Obermaisser; Wilfried Elmenreich; Thomas Losert
A smart transducer network consists of a set of transducer nodes interconnected with a digital bus. Smart transducer technology implicates the development of systems supporting the timely exchange of real-time data. Additional requirements are support for system integration, mechanisms for dynamic reconfiguration, and diagnostic interfaces. Such systems should be composable and ease controlling system complexity, i.e., support the system engineer in understanding the system behavior. Furthermore, developers expect diagnostic services that are deterministic, reproducible, and do not interfere with real-time services. This paper describes three interfaces for smart transducer networks, which provide the required services while yielding the mentioned properties. We describe a case study demonstrating the effectiveness of the three interfaces for the proclaimed purpose.
International Parallel and Distributed Processing Symposium | 2005
Philipp Peti; Roman Obermaisser; Astrit Ademaj; Hermann Kopetz
The increasing use of electronics in the automotive and avionic domains has led to dramatic improvements with respect to functionality, safety, and cost. However, with this growth of electronics the likelihood of failures due to faults originating from electronic equipment also increases. In order to tackle prevalent diagnostic problems such as the reduction of the fault-not-found ratio, a maintenance-oriented fault model is needed that serves as the basis for the classification of experienced failures. In this paper we introduce such a maintenance-oriented fault model that establishes the conceptual foundation of the diagnostic services of the DECOS integrated architecture. The fault model takes the component-based nature of today's distributed embedded systems into account. According to this model, each experienced failure is classified according to the field replaceable units of the system.
Workshop on Intelligent Solutions in Embedded Systems | 2006
Roman Obermaisser; Philipp Peti
Integrated architectures in the automotive and avionic domains promise improved resource utilization and enable a better tactical coordination of application subsystems compared to federated systems. In order to support safety-critical application subsystems, an integrated architecture needs to support fault-tolerant strategies that enable the continued operation of the system in the presence of failures. The basis for the implementation and validation of fault-tolerant strategies is a fault hypothesis that identifies the fault containment regions, specifies the failure modes and provides realistic failure rate assumptions. This paper describes a fault hypothesis for integrated architectures, which takes into account the collocation of multiple software components on shared node computers. We argue in favor of a differentiation of fault containment regions for hardware and software faults. In addition, the fault hypothesis describes the assumptions concerning the respective frequencies of transient and permanent failures in consideration of recent semiconductor trends.
International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing | 2006
Bernhard Huber; Roman Obermaisser; Philipp Peti
Reduced time-to-market in spite of increasing system functionality, reuse of software on different hardware platforms, and the demand for performing validation activities earlier in the development phase raise the need for revising the state-of-the-art development methodologies for distributed embedded systems. The model driven architecture is a design methodology addressing these emerging requirements. Developing embedded systems according to this model-based paradigm requires a platform-independent representation of the functionality of the application as well as a precise model of the targeted hardware platform. In this paper we introduce a meta-model for capturing the resources of hardware platforms realizing the DECOS architecture, which is an integrated time-triggered architecture aimed at the development of distributed embedded systems. Furthermore, we present a tool chain based on this meta-model that speeds up the modeling process and reduces the likelihood of human errors by facilitating the reuse of hardware building blocks from libraries.
International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing | 2006
Philipp Peti; Roman Obermaisser
Integrated architectures promise substantial technical and economic benefits in the development of distributed embedded real-time systems. In the context of diagnosis, new diagnostic strategies can be applied by taking the physical and functional structure of an integrated system into account. In this paper we present a diagnostic framework that is designed to tackle prevalent diagnostic problems industry is currently facing, such as the trouble-not-identified phenomenon in electronic systems. So-called out-of-norm assertions (ONAs) are employed that combine diagnostic information to correlate experienced failures in order to decide on the type of fault (e.g., transient vs. permanent, internal vs. external) affecting the system. Based on a prototype implementation of the integrated time-triggered DECOS architecture, we show the feasibility of this diagnostic strategy.
Emerging Technologies and Factory Automation | 2005
Roman Obermaisser; Philipp Peti
The DECOS integrated architecture divides the overall system into a set of nearly-independent distributed application subsystems, which share the node computers and the physical network of a single distributed computer system. This paper provides a solution to the controlled export and import of information between distributed application subsystems. We give the designer the ability to coordinate application services and exploit redundancy in a system to either improve reliability or reduce resource duplication. We introduce virtual gateways for the coupling of virtual networks by the selective redirection of messages. Virtual gateways not only resolve property mismatches between distributed application subsystems, but also preserve encapsulation. We capture the essential properties of each application subsystem in an interface specification based on timed automata and use this description as a parameterization of generic architectural gateway services.
International Parallel and Distributed Processing Symposium | 2006
Roman Obermaisser; Philipp Peti
Due to the better utilization of computational and communication resources and the improved coordination of application subsystems, designers of large distributed embedded systems (e.g., in the automotive domain) are eager to replace existing federated architectures with integrated ones. This paper focuses on the communication infrastructure of the DECOS integrated system architecture, which realizes for each application subsystem a so-called virtual network as an overlay network on top of a time-triggered communication protocol. Since all virtual networks share a single physical network, virtual networks promise massive cost savings through the reduction of physical networks and reliability improvements with respect to wiring and connectors. Furthermore, virtual networks support application subsystems that range from ultra-dependable control applications (e.g., an X-by-wire system) to non safety-critical applications such as comfort systems. For this reason, two classes (event-triggered and time-triggered) of virtual networks are realized. Encapsulation mechanisms ensure that the temporal properties of each virtual network are known a priori and independent from the communication activities in other virtual networks. In order to ensure that the virtual network abstractions hold also in the case of software faults, each application subsystem possesses a dedicated virtual network with statically assigned resources at the underlying time-triggered communication service.