Predictable and Reliable Time Triggered Platform for Ambient Assisted Living Zaher Owda, Mohammed Abuteir, Roman Obermaisser, Hamzah Dakheel University of Siegen, Germany {zaher.owda,mohammed.abuteir,roman.obermaisser,hamzah.dakheel}@uni-siegen.de Abstract—Today’s Ambient Assisted Living (AAL) architectures do not support the real-time and reliability requirements of medical monitoring and closed-loop control applications. Fault- tolerant embedded system architectures, on the other hand, do not address the openness required for the dynamic integration of AAL components. This paper present an AAL architecture based on Time-Triggered Ethernet with support for openness, real-time support and reliability. The starting point is a static allocation of communication slots to end-systems. Based on this static schedule, we perform a dynamic allocation of communication resources to the components within an end-system. Each end-system can host multiple components and the communication of these components is dynamically mapped to parts of the end-system’s slot. For this purpose, admission control and resource management services are introduced that ensure temporal and spatial partitioning within end-systems. The architecture is evaluated in a simulation environment based on a medical use case. I. I NTRODUCTION It is expected that by 2020, 25% of the EU’s population will be aged over 65 [1] and this will result in a serious pressure on European Society due to an increase in the number of people with chronic conditions that depend on the health care system and require costly long-term care. Ambient Assisted Living (AAL) solutions and next generation networked embedded de- vices and health management systems aim at improving elderly people’s quality of life in general and provide cost-effective services for independent living in their familiar surroundings, better health-care delivery and mobility [2]. In an AAL environment two categories of applications can be distinguished according to criticality: safety and non safety- critical applications. An example of a safety-critical AAL appli- cation is a tele-monitoring service that is provided by a medical health center to monitor patients at home who are suffering from chronic diseases, e.g., hypertension and arrhythmia. In such a healthcare environment, sensors are used for measuring vital-parameters, e.g., blood pressure, pulse oximetry and elec- trocardiogram (ECG). Also, pressure and motion sensors can monitor the patients activities. These parameters are collected by a health care unit [3] to be forwarded to a monitoring center. The collection and the processing of data must be supported in real-time to realize timely patient monitoring and enable closed-loop control functions. Furthermore, reliability despite hardware and software faults is required when the patient’s health depends on the correct operation of the AAL services. Software faults are of particular relevance in AAL systems with mixed-criticality, where subsystems with different criticality levels share the network and computational resources. An AAL architecture should prevent fault propagation between applications with different criticalities by temporal and spatial partitioning [4], thereby preventing design faults of non safety- critical applications from affecting safety-critical ones. Moreover, the AAL architecture should support openness by managing the communication and computational resources in a flexible way. The result is the ability to adapt to the dynamic changes of the AAL environment where AAL components can join and leave the system at run time. In our previous example, the physician’s visit to his patient will be much more efficient when he joins the patients healthcare environment directly from his medical device. To our knowledge, a solution combining real-time support, reliability, mixed-criticality support and openness in an AAL architecture is not considered in the state-of-the-art. Therefore, a novel AAL architecture that supports dynamicity at end- system level in combination with real-time support, reliability and partitioning is presented in this work. For example, OASIS [5] uses web services (SOAP-over- UDP) and AmI Framework as a bridge connection between the platform services layer and the lower execution environment. The MPOWER [6] architecture consists of set of platform services that use the UDP communication protocol to achieve high speed connectivity requirements. Openness of the system is provided in both cases while real-time, fault isolation and fault tolerance are not supported. Communication buses that lie on top of the OSGi core in the case of SOPRANO [7] and PERSONA [8] aim to resolve the challenges of the seamless connectivity and hide heterogeneity of operating systems and network protocols. These architectures support the openness of the system, but they do not deliver reliability and real-time guarantees beyond the assurance of no packet-loss by sending acknowledgments and performing retransmissions of messages within timeout boundaries as pro- vided by TCP/IP and UPnP protocols. The remainder of the paper is organized as follows. In section II the Time-Triggered Ethernet is revealed then in section III challenges and requirements of the work are presented. In section IV the proposed architectural model is illustrated. Two evaluation scenarios and the results are introduced in section V. Finally, in section VI the discussion and conclusion are drawn. II. TIME TRIGGERED ETHERNET Time-Triggered Ethernet (TTEthernet) [9] communication supports distributed non real-time and real-time components by combining them in a single Ethernet-based network. In TTEthernet, real-time components use time-triggered (TT) mes- sages with pre-assigned time slots based on a global time base. This network-access method based on Time Division Multiple Access (TDMA) offers a predictable transmission behavior without queuing in the switches and achieves low latency and low jitter. The global time concept is realized by the synchronization of the local clocks of the communicating end-systems and switches. Temporal partitioning in the TT communication is guaranteed using the concepts of Virtual Links (VL). Each VL offers a unidirectional connection from one end-system to one or more destination end-systems. ISMICT 2014 1569881427 1
Abstract—Today’s Ambient Assisted Living (AAL) architecturesdo not support the real-time and reliability requirements ofmedical monitoring and closed-loop control applications. Fault-tolerant embedded system architectures, on the other hand, donot address the openness required for the dynamic integration ofAAL components. This paper present an AAL architecture basedon Time-Triggered Ethernet with support for openness, real-timesupport and reliability. The starting point is a static allocation ofcommunication slots to end-systems. Based on this static schedule,we perform a dynamic allocation of communication resources tothe components within an end-system. Each end-system can hostmultiple components and the communication of these componentsis dynamically mapped to parts of the end-system’s slot. For thispurpose, admission control and resource management servicesare introduced that ensure temporal and spatial partitioningwithin end-systems. The architecture is evaluated in a simulationenvironment based on a medical use case.
I. INTRODUCTION
It is expected that by 2020, 25% of the EU’s population willbe aged over 65 [1] and this will result in a serious pressure onEuropean Society due to an increase in the number of peoplewith chronic conditions that depend on the health care systemand require costly long-term care. Ambient Assisted Living(AAL) solutions and next generation networked embedded de-vices and health management systems aim at improving elderlypeople’s quality of life in general and provide cost-effectiveservices for independent living in their familiar surroundings,better health-care delivery and mobility [2].
In an AAL environment two categories of applications canbe distinguished according to criticality: safety and non safety-critical applications. An example of a safety-critical AAL appli-cation is a tele-monitoring service that is provided by a medicalhealth center to monitor patients at home who are sufferingfrom chronic diseases, e.g., hypertension and arrhythmia. Insuch a healthcare environment, sensors are used for measuringvital-parameters, e.g., blood pressure, pulse oximetry and elec-trocardiogram (ECG). Also, pressure and motion sensors canmonitor the patients activities. These parameters are collectedby a health care unit [3] to be forwarded to a monitoring center.
The collection and the processing of data must be supportedin real-time to realize timely patient monitoring and enableclosed-loop control functions. Furthermore, reliability despitehardware and software faults is required when the patient’shealth depends on the correct operation of the AAL services.Software faults are of particular relevance in AAL systems withmixed-criticality, where subsystems with different criticalitylevels share the network and computational resources. AnAAL architecture should prevent fault propagation betweenapplications with different criticalities by temporal and spatialpartitioning [4], thereby preventing design faults of non safety-critical applications from affecting safety-critical ones.
Moreover, the AAL architecture should support openness bymanaging the communication and computational resources in
a flexible way. The result is the ability to adapt to the dynamicchanges of the AAL environment where AAL components canjoin and leave the system at run time. In our previous example,the physician’s visit to his patient will be much more efficientwhen he joins the patients healthcare environment directly fromhis medical device.
To our knowledge, a solution combining real-time support,reliability, mixed-criticality support and openness in an AALarchitecture is not considered in the state-of-the-art. Therefore,a novel AAL architecture that supports dynamicity at end-system level in combination with real-time support, reliabilityand partitioning is presented in this work.
For example, OASIS [5] uses web services (SOAP-over-UDP) and AmI Framework as a bridge connection between theplatform services layer and the lower execution environment.The MPOWER [6] architecture consists of set of platformservices that use the UDP communication protocol to achievehigh speed connectivity requirements. Openness of the systemis provided in both cases while real-time, fault isolation andfault tolerance are not supported.
Communication buses that lie on top of the OSGi core in thecase of SOPRANO [7] and PERSONA [8] aim to resolve thechallenges of the seamless connectivity and hide heterogeneityof operating systems and network protocols. These architecturessupport the openness of the system, but they do not deliverreliability and real-time guarantees beyond the assurance ofno packet-loss by sending acknowledgments and performingretransmissions of messages within timeout boundaries as pro-vided by TCP/IP and UPnP protocols.
The remainder of the paper is organized as follows. In sectionII the Time-Triggered Ethernet is revealed then in section IIIchallenges and requirements of the work are presented. Insection IV the proposed architectural model is illustrated. Twoevaluation scenarios and the results are introduced in section V.Finally, in section VI the discussion and conclusion are drawn.
II. TIME TRIGGERED ETHERNET
Time-Triggered Ethernet (TTEthernet) [9] communicationsupports distributed non real-time and real-time componentsby combining them in a single Ethernet-based network. InTTEthernet, real-time components use time-triggered (TT) mes-sages with pre-assigned time slots based on a global timebase. This network-access method based on Time DivisionMultiple Access (TDMA) offers a predictable transmissionbehavior without queuing in the switches and achieves lowlatency and low jitter. The global time concept is realized bythe synchronization of the local clocks of the communicatingend-systems and switches. Temporal partitioning in the TTcommunication is guaranteed using the concepts of VirtualLinks (VL). Each VL offers a unidirectional connection fromone end-system to one or more destination end-systems.
In case of less stringent timing requirements, TTEthernetuses two other communication modes: rate-constrained (RC)and best-effort (BE) communication. RC messages are basedon the AFDX protocol with bounded latencies, but higherjitter compared to TT messages. BE messages comply to theIEEE Ethernet 802.3 standard and provide no real-time guaran-tees. TTEthernet uses timely block, shuffling and preemptionmechanisms to resolve conflicts between different types ofmessages [10], [11].
III. CHALLENGES
The following technical requirements should be addressed inan architecture for AAL:
1) Real-Time (Predictable behavior): Many safety-criticalcomponents in an AAL system (e.g., healthcare components,e-care emergency systems) must react in real-time. Therefore,predictable computation and predictable communication shouldbe guaranteed. A Real-Time Operating System (RTOS) isrequired to allocate the computational resources. A real-timecommunication network is responsible for the allocation ofthe communication resources. For example, a time-triggerednetwork such as TTEthernet based on TDMA can providetemporal guarantees with bounded delays and minimal jitter.
2) Reliability (physical faults): Reliability is defined asthe probability of the failure-free operation of a system fora specified period of time in a specified environment [12].In order to avoid physical faults the proposed architectureestablishes three types of following fault containment regions(FCR): endsystems, TTEthernet switches and time-triggeredcommunication channels.
The determinism, fault containment and global time ofTTEthernet are a baseline for the establishment of fault tol-erance mechanisms like Triple Modular Redundancy (TMR).Fault masking and diagnostic services based on TTEthernet candetect, mask and tolerate the physical faults and thus improvethe reliability of the system.
3) Openness: One of the most important features that char-acterize AAL systems is the requirement to adapt to changescaused by removing or adding new subsystems or componentsto the system at run time, the newly accepted changes mustnot affect the spatial and temporal restrictions of the criticalsubsystems and components.
BE traffic within a TTEthernet network would give thesystem high flexibility to adapt to any number of components,but without any temporal guarantees or fault containment. Onthe other hand, TT traffic which is intended to serve the safety-critical real-time components provides each end-system with apredefined static transmission slot.
The architecture proposed in this paper addresses dynam-icity by reallocating the TT resources at run time based onthe change requests of the components. Admission control isperformed in order to assure that the decided reallocation willnot affect the overall behavior of the system.
4) Mixed criticality (design faults): In AAL environmentsdifferent application subsystems can be hosted in one or moreend-systems, where computational resources (e.g. CPU time,memory) and communication resources (e.g. network band-width) are shared between the application subsystems.
The computational partitioning problem has been addressedin several partitioning RTOS (e.g., LynxOS-178 that adheresto the ARINC standard 653 [13], PikeOS [14]). These RTOSs
provide Virtual Machine (VM) brick-wall partitions that pre-vent interference of messages between the partitions. Spatialpartitioning ensures that components cannot modify the codeor the private data of other components. Temporal partitioningprevents components from interfering with the timing propertiesof resource as perceived by other components [15].
This paper address the partitioning of the communicationresources, while it is assumed that one of the available partition-ing RTOS is used for protecting the computational resources.
IV. SYSTEM MODEL OF A PREDICTABLE AND RELIABLEAAL PLATFORM
The system model illustrated in figure 1 consists mainly ofthree parts: end-systems, TTEthernet switches and TT com-munication channels. This system supports full flexibility fordesigning complex network topologies with different numbersof end-systems, TTEthernet switches and communication chan-nels. Each end-system contains one or more components pro-viding application services. In addition, an end-system containslayers for managing access to the communication network.
In the design phase of the AAL system an offline scheduleshould be created and used to configure the end-systemsand TTEthernet switches. To compute this static communica-tion schedule for TT messages suitable scheduling tools areused [10].
Although this schedule provides a static allocation of com-munication slots to end-systems, openness is supported bydynamically allocating parts of the communication slots to thecomponents within an end-system.
Components can be dynamically added to an end-system.The number of components that can be added to each end-system is only restricted by the computational and the com-munication resources which are available for this end-system.Furthermore, spare slots can be made available for the incor-poration of additional end-systems at run-time.
TTEthernet protects the slots of end-systems and prevents in-terference between end-systems. In addition to these guaranteesof TTEthernet, the generic services layer and the middlewarelayer ensure temporal and spatial partitioning between thecomponents within an end-system. Also, the generic serviceslayer with the mapping unit assigns the communication ofcomponents to the desired VL of TTEthernet.
A. Conceptual End-system ModelThe conceptual end-system model presented in figure 1
illustrates the proposed end-system architecture of a reliableand predictable AAL system. Our end-system model establishesseveral building blocks and layers to address the challengespresented in section III by introducing admission control,design-fault containment and the dynamic mapping betweenAAL components and the virtual links (VLs).
In the proposed model, each application in the applicationlayer consists of one or several subsystems; each subsystemcontains one or several components, where each component ex-ecutes tasks. Our model establishes a general service layer be-tween the application and the middleware layers. The resourcemanager (RM) is responsible for managing the communicationresources; it maps and reallocates the VLs of TTEthernet to thedynamically added components in order to adapt to changes.When the requirements of the newly integrated componentsdo not meet any of the available VLs, the RM rejects the
VL‐Port 1 VL‐Port 2 VL‐Port 3 VL‐Port N‐1 VL‐Port N
Hardware Timer Driver
TTE ListnerTTE Listener
TTE Service
RT Operating System
Resource ManagerMapping Unit
TTethernet Switch
AAL End‐system #1
Fig. 1. Distributed Time-Triggered AAL System Model
integration request of this component, thus the RM is actingalso as an on-line admission controller. The mapping unit(MU) is responsible for linking the queued messages to thecorresponding VLs specified earlier by the resource manager.
Two more building blocks are contained in the middlewarelayer to control the access from and to the generic servicelayer. The TTEthernet dispatcher forwards the messages ofdifferent components from the MU to their corresponding VLs,where one message is handled each time according to the timeschedule and a synchronized timer based on the global time.This building block provides temporal isolation within the end-system between the messages that are sent from the applicationlayer to the middleware layer. In this way, interference due tocomponents’ design faults can be avoided. In addition, multipleTTE listeners are provided where one TTE listeners is assignedfor each VL to redirect its messages from the lower layer tothe MU and finally to be used by the destination component.
The TTE software stack implements the TTEthernet protocolby using the underlying building blocks (i.e., Ethernet con-troller and hardware timer drivers) and the TTE operatingsystem driver. The TTE service layer accesses the Ethernetcontroller and provides the network’s virtual interfaces. Thehardware timer driver is synchronized with the network’sglobal time. Based on this timing and the predefined schedule,messages are sent and received.
B. Concrete End-system Model
In this section, a detailed description of interfaces, data andcontrol flows between the building blocks is given. Further-more, the network and end-system configurations are discussed.
In order to apply admission control mechanisms, the resourcemanager (RM) requires a priori knowledge about the overallavailable resources and the current network configuration whichis defined in the service profile. This service profile is aconfiguration file with the characteristics of the network (e.g.,transmission times of periodic messages, sporadic messages,frame loss rate).
Each new component that joins the AAL end-system hasthe ability to set its own parameters in the service profile.
Consequently, the component should notify the RM aboutits request for resource allocation. The RM investigates theavailable network resources that could meet the componentsdemand. Finally, an acknowledgment is sent from the RMinforming the component of the RM’s decision and allowingthe component to start using its newly assigned resources.
Moreover, when a component attempts to leave its AALsystem, the RM should be informed in order to free or reallocatethe reserved resources. In this way, the RM is up to date aboutthe condition of the network resources at run-time.
The mapping units at the end-systems are informed aboutthe RM decisions by confirmation messages that contain thename of the newly added (or left) component and the VirtualLink IDentification (VLID) that is assigned to (or removedfrom) that component. The MU consists mainly of two datastructures. The first one, the so-called send mapping tabledetermines the messages that are sent from the applicationlayer toward the middleware layer. The send mapping tableconsists of four columns; component-ID, virtual link ID, timestamp (period and phase) and components message buffer. Thesecond table is called receive mapping table and describesthe messages received from the middleware layer. The receivemapping table consists of three columns; virtual link-ID columnand its correspondent component-ID and message buffers.
As shown in figure 2 the MU tables contain two types ofinformation: Firstly, the static network information is based onthe predefined TTEthernet schedule (colored in red). Secondly,the tables contain the dynamic end-system information accord-ing to the RM decisions taken at run time.
In the send mapping table, the component-ID of the newlyadded component will be assigned to the corresponding VLIDby the MU. Whenever a component tries to send messages,the MU will buffer them to the corresponding row in the tableaccording to the component-ID. In case a component leaves, thesend mapping table should remove the corresponding dynamicinformation. In addition, modifications of the local mappingunit are broadcast to all mapping units in the remote end-systems of the AAL system.
The TTE dispatcher uses the information of each component
Red Font : Static Network Conf.Black Font: Dynamic end-system Conf.
Fig. 2. Concrete End-system Model and Interfaces (solid line representingdata flow, dashed line representing control flow, red color for static networkconfiguration, black color for dynamic end-system configuration)
that is listed in the MU to pull the messages from the table’sbuffers according to the components timestamps and thenforwards them to the TTE software stack.
The receive mapping table is responsible for storing themessages that are coming from the TTE listeners, while theMU maps these messages to the corresponding componentsaccording to the table’s records. The Component-ID columnincludes the components that are subscribed to a specific VLID,thus each VLID is able to contain more than one subscribedcomponent.
The TTE listener can receive information about modificationsthat occurred in MUs of other end-systems. In this case, theTTE listener forwards this information to the RM. Thereafterthe RM verifies and studies this information in comparisonwith the existing resource allocation and the current serviceprofile. Based on the RM decision the receive mapping tableare modified accordingly.
V. SIMULATION ENVIRONMENT AND EVALUATION
The introduced building blocks of the proposed AAL ar-chitecture and end-systems model have been realizing usinga TTEthernet simulation environment [16]. This simulationenvironment uses the OPNET tool suite for discrete eventsimulations of TTEthernet communication networks [17].
The use case is an emergency room (ER) of a hospital,where each patient is modelled as an end-system. An end-system contains a set of sensors and medical monitoring units(e.g., ECG) associated to the application layer. As shownin figure 3, the end-systems are connected through a TTEnetwork to the Central Health Monitoring Unit (CHMU) whereeach end-system has its own sensors and medical devices. Asshown in table 4 the data exchange of the sensors and medicaldevices is performed using TT slots and BE communication.For the evaluation of the proposed architecture we comparedour dynamic end-systems with a conventional static TTEthernetend-system behavior.
For example, end-system 1 in the use case contains thefollowing medical and vital sensors for monitoring the patient’shealth condition: Sensors using TT traffic include (1) an airflowsensor and (2) a pulse and oxygen saturation sensor (SPO2).Sensors using BE traffic are (1) the galvanic skin response(GSR) sensor and (2) the body temperature sensor.
Table 4 illustrates the traffic generated by the end-systemsfor this use case and the observed timing of the communicationsystem. There are two evaluation scenarios, a fault-free scenariowhere in case of changes in the patient’s medical condition,the CHMU decides to disable the SPO2 sensor and replaces itwith the ECG unit. In the proposed architecture, the resourcemanager adapts to this change request and dynamically recon-figures the end-systems accordingly. In the use case, the ECGunit uses TT messages and replaces the SPO2 sensor whichuses BE traffic.
We dynamically reallocate the use of the TT slots for the newcomponent using the mapping unit and the resource manager.In contrast, the newly added ECG component could only berealized as BE traffic in conventional TTEthernet without theproposed extensions, because the use of TT slots is static.
The simulated behavior of the ECG output for this scenario isshown in figures 5 (a) and (b), where the jitter of the proposedarchitecture is zero1 in the simulation, while it is 1.5 msec incase of the BE communication.
CHMU
Emergency Room
End System #1
End System #4
End System #2
End System #3
Application Layer
General Service Layer
Middlew
are Layer
TTE Software Stack
ECGVL‐Port 1
VL‐Port 2
VL‐Port 3
RT Operating System
Galvanic sensor
Airflow sensor
SPO2
Body temp. TTE Switch
Fig. 3. Emergency Room Use Case
In the second scenario, the CHMU decided to start anotherend-system with a video camera application to observe thepatients in addition to the changes of the first scenario. Thevideo camera communication is realized as BE traffic. After10 seconds the video camera floods the network with messagescausing a babbling idiot (BI) failure.
In the proposed architecture, the spatial and temporal be-havior of the ECG output is not affected by the failure of thecamera as shown in figure 5 (a). In the case of BE traffic,there is no fault isolation and the jitter increases to 4.5 msec.Additionally, the jitter significantly affects the shape of the ECGoutput, thereby affecting the ability for the interpretation of thesignals as shown in figure 5 (c).
VI. DISCUSSION AND CONCLUSION
This paper introduced a novel architecture supporting real-time requirements, fault containment and dynamicity in the
1In a real system the expected jitter value for the proposed architecture woulddepend on the precision of the global time base, which is typically in the sub-microsecond range. The clock synchronization algorithm of TTEthernet wasnot simulated in the evaluation.
Source Type Sender End-system # Traffic Type Bandwith Service Rate PayloadAirflow 1 TT 0.512 1ms 64Pulse and oxygen saturation sensor 1 TT 0.512 1ms 64Body temperature 1 BE 512 1s 64Galvanic skin response sensor 1 BE 8000 10s 100ECG 2 TT 0.512 1ms 64Airflow 2 TT 0.512 1ms 64Body temperature 2 BE 512 1s 64Galvanic skin response sensor 2 BE 8000 10s 100Video camera 3 BE [2.7, 10.8] 0.8 ms [300, 900]Video camera 4 BE [2.7, 10.8] 0.8 ms [300, 900]
Fig. 4. Characteristics of the Use Case End-systems Traffic Types
a
b
c
Fig. 5. ECG Simulation Results
allocation of the end-systems’ communication resources to thecomponents within the end-systems.
The real-time support is established by the bounded delayand jitter of the TT messages. The delays of the messages sentby a component are independent from the behavior of the othercomponents in the same end-system and in other end-systems.
The fault containment mechanisms of the architecture area baseline for the implementation of fault-tolerance and ob-taining high reliability. TTEthernet provides fault containmentfor TT communication between end-systems based on the apriori knowledge of the permitted end-system behavior. TheTTEthernet switch blocks untimely TT messages and limitsthe effect of other traffic classes (e.g., using timely block orshuffling). The mapping unit and resource manager extendthe fault containment mechanisms to a finer granularity bysegregating the communication of different components in thesame end-system.
In TTEthernet the propagation of timing failures at networklevel is avoided using the temporal partitioning. The proposedarchitecture introduces the admission control and the resourcemanagement units to extend the partitioning of communicationresources towards components within the end-system.
As mentioned in the introduction, the openness of the systemis a vital requirement for AAL systems. In the new architec-ture, the ability of reallocating the TT resources according toapplication requests combines the support for openness withreliability and real-time guarantees.
Additionally, a simulation environment for the proposedarchitecture has been developed using OPNET. For the eval-uation of the proposed architecture in a medical use case, theproposed architecture was compared to the behavior of a normalTTEthernet system with BE communication for dynamicallyadded components. The simulation results demonstrate that thenew architecture supports spatial and temporal guarantees uponreconfiguration with bounded delays and minimal jitter. Thebehavior of the critical components in the AAL use case wasnot affected by the faulty BI end-system.
ACKNOWLEDGMENT
This work has been supported by the European projectDREAMS (No. 610640).
REFERENCES
[1] E. P. Release, “Ageing well: European commission unleashes e600mfor development of new digital solutions for europe’s elderly people,”EUROPA - Press Release, vol. IP/08/994, 2008.
[2] S. Lui, A. Ashok, A. Tarek, G. Christopher, R. Raj, and S. John,“”distributed real-time and embedded systems research in the context ofgeni”,” in GENI Design Document 06-32, vol. GDD-06-32, September2006.
[3] M. Lipprandt and et al., “Osami-d: an open service platform for healthcaremonitoring applications,” in Proceedings of the 2nd conference on HumanSystem Interactions. IEEE Press, 2009, pp. 136–142.
[4] J. Rushby, “Partitioning for avionics architectures: Requirements, mecha-nisms, and assurance,” NASA Contractor Report CR-1999-209347, 1999.
[5] I. Amundson and et al, “”oasis: A service-oriented middleware forpervasive ambient-aware sensor networks”,” Tech. Rep., 2006.
[6] S. Hanke and T. Fuxreiter, “”interoperability in smart home middleware- the mpower project”,” in HEALTHINF (1), L. Azevedo andA. R. Londral, Eds., 2008, pp. 176–181. [Online]. Available:http://dblp.uni-trier.de/db/conf/biostec/healthinf2008-1.html#HankeF08
[7] P. Wolf, A. Schmidt, and M. Klein, “”soprano - an extensible, open aalplatform for elderly people based on semantical contracts”,” in Workshopon Artificial Intelligence Techniques for Ambient Intelligence, 2008.
[8] M.-R. Tazari and et al, “”the persona service platform for AAL spaces”,”in Handbook of Ambient Intelligence and Smart Environments, 2010, pp.1171–1199.
[9] A. I. T. Company, “White paper: SAE AS6802 deterministic ethernetnetwork solution,” Tech. Rep., Mar. 2011.
[10] R. Obermaisser, ”Time-Triggered Communication”. Boca Raton, Fla. :London : CRC ; Taylor & Francis [distributor], 2011.
[11] W. Steiner and et al., “TTEthernet dataflow concept,” in Proc.of the2009 8th IEEE International Symposium on Network Computing andApplications, ser. NCA ’09. IEEE Computer Society, 2009, pp. 319–322.
[12] A. Avizienis, J.-C. Laprie, B. Randell, and Vytautas. (2000) FundamentalConcepts of Dependability.
[13] A. E. E. Committee, ”Avionics Application Software Standard Interface:ARINC Specification 653P1-2”. Aeronautical Radio, Nov. 2006, vol.ARINC Specification 653P1-3.
[14] S. W. R. Kaiser, “”the pikeos concept: History and design”,”SysGO AG White Paper, Tech. Rep., 2007. [Online]. Available:http://www.sysgo.com
[15] B. Leiner, M. Schlager, R. Obermaisser, and B. Huber, in SAFECOMP,pp. 342–355.
[16] M. Abuteir and R. Obermaisser, “Simulation environment for time-triggered ethernet,” in Industrial Informatics (INDIN), 2013 11th IEEEInternational Conference on, 2013, pp. 642–648.
![Page 1: [IEEE 2014 8th International Symposium on Medical Information and Communication Technology (ISMICT) - Firenze, Italy (2014.4.2-2014.4.4)] 2014 8th International Symposium on Medical](https://reader035.documents.pub/reader035/viewer/2022080412/57509be31a28abbf6bfa71af/html5/thumbnails/1.jpg)
![Page 2: [IEEE 2014 8th International Symposium on Medical Information and Communication Technology (ISMICT) - Firenze, Italy (2014.4.2-2014.4.4)] 2014 8th International Symposium on Medical](https://reader035.documents.pub/reader035/viewer/2022080412/57509be31a28abbf6bfa71af/html5/thumbnails/2.jpg)
![Page 3: [IEEE 2014 8th International Symposium on Medical Information and Communication Technology (ISMICT) - Firenze, Italy (2014.4.2-2014.4.4)] 2014 8th International Symposium on Medical](https://reader035.documents.pub/reader035/viewer/2022080412/57509be31a28abbf6bfa71af/html5/thumbnails/3.jpg)
![Page 4: [IEEE 2014 8th International Symposium on Medical Information and Communication Technology (ISMICT) - Firenze, Italy (2014.4.2-2014.4.4)] 2014 8th International Symposium on Medical](https://reader035.documents.pub/reader035/viewer/2022080412/57509be31a28abbf6bfa71af/html5/thumbnails/4.jpg)
![Page 5: [IEEE 2014 8th International Symposium on Medical Information and Communication Technology (ISMICT) - Firenze, Italy (2014.4.2-2014.4.4)] 2014 8th International Symposium on Medical](https://reader035.documents.pub/reader035/viewer/2022080412/57509be31a28abbf6bfa71af/html5/thumbnails/5.jpg)
