Catálogo de publicaciones - libros

Advances in computer and communication technologies have made it feasible to extend the application of embedded computer systems to more and more critical applications, such as automotive and avionic systems. Due to the many different and, partially, contradicting requirements, there exists no single model for building systems that interact with a physical environment. Well-known tradeoffs are predictability versus flexibility, and resource adequacy versus best-effort strategies [Kopetz, 1997]. Thus, the chosen system model depends heavily on the requirements of the application.

This chapter presents the basic concepts and terminology used in this book and gives an overview of system architectures for ultra-dependable, distributed real-time systems. Consequently, the first part of this chapter starts with an overview of distributed real-time systems and fundamental concepts of dependability in distributed real-time systems. We also present synchrony models that have been the focus of intensive theoretical studies. The second part describes event-triggered and timetriggered systems and relates these control paradigms to prevalent computational models. This chapter ends with a discussion of distributed system architectures for ultra-dependable systems and relates each architecture to the event-triggered and time-triggered computational models.

Ultra-dependable systems are deployed in applications where the loss of the computer system results in catastrophic consequences. Examples of ultra-dependable systems are X-by-wire applications in the automotive or avionic domain, where a real-time computer system is designed to replace conventional mechanical or hydraulic components. New generations of civil airliners (Airbus A320, A330, A340, Boeing 777) exploit fly-by-wire control by the interposition of the flight control computer between the pilot’s commands and the control surface actuators [Collinson, 1999]. In the automotive industry, complete drive-by-wire systems without mechanical backup for braking, steering, and higher-level driver-assisting functions will replace the existing fail-safe systems in cars [Isermann et al., 2002].

This chapter presents a distributed system architecture that integrates the eventtriggered and time-triggered control paradigms. The system architecture aims at the four integration directions (physical, functional, mixed-criticality, legacy) of an integrated architecture, with emphasis on the reuse of legacy system and the coexistence of applications with mixed-criticality levels. Time-triggered services provide the foundation for safety-critical functions. Event-triggered services support legacy applications and functions with lower criticality levels. The first part of this chapter describes the underlying synchrony model and relates the proposed integrated system architecture to the well-studied models of synchronous and asynchronous systems. Subsequently, we present the services of the integrated system architecture. We use fundamental services of a time-triggered architecture (time-triggered transport, clock synchronization, error containment, and membership) as the architecture’s basic services. On top of the basic services, we construct higher-level services aiming at mixed-criticality and legacy system integration. We establish event-triggered communication channels on top of the time-triggered transport protocol and compose multiple event-triggered communication channels into virtual networks. Gateways interconnect virtual networks with other virtual networks and with physical networks.

The Controller Area Network (CAN) protocol [Bosch, 1991] was originally developed for in-car use. Industrial control systems and embedded networks became additional application fields [Lawrenz, 1995]. Impressive sales figures demonstrate the industrial relevance of CAN with more than 200 millions of CAN controllers sold in 2001. CAN represents an event-triggered communication protocol, i.e. the temporal control signals are derived primarily fromnon-time events. Among its advantages are flexibility and the ability to achieve a high average performance through the statistical multiplexing of bandwidth between components participating in the communication. However, CAN lacks essential properties for systems that have substantial timeliness and dependability requirements. The CAN protocol [Bosch, 1991] does not support fault-tolerance by network redundancy and multiple bit-flips can result in inconsistent message disseminations [Kaiser and Livani, 1999] (i.e. no atomic broadcast mechanism). Furthermore, the mechanisms for achieving a faulty node’s self-deactivation may cause substantial periods of inaccessibility (2.5 ms at 1 Mbps [Verissimo et al., 1997]).

This chapter describes the validation results for the emulated CAN communication service of the integrated system architecture. We use analytical arguments in combination with simulation and measurements activities to demonstrate the ability of the CAN emulation to handle the communication needs of legacy and newly developed CAN applications. The implementation of the CAN emulation has been tested with message traffic from a “real-world” application provided by the automotive industry. In addition, we have applied synthetic traffic patterns in order to investigate the behavior of the event service and the CAN emulation under message loads exceeding 1 Mbps.

The main contribution of this book is the development of a generic system architecture for the integration of the time-triggered and event-triggered control paradigms. This integrated architecture supports both time-triggered and eventtriggered computational and communication activities. Thereby, a time-triggered and an event-triggered subsystem can coexist on a single, shared distributed computing platform. The application tasks executing in these subsystems adhere to different models of computation. While the time-triggered subsystem supports the time-triggered model of computation, the event-triggered subsystem is designed for client/server and event-based computing. This coexistence makes the proposed architecture suitable for mixed-criticality and legacy integration. Safety-critical time-triggered applications coexist with event-triggered legacy applications and newly developed, non-critical event-triggered applications.