Time Triggered Protocol (TTP/C): ASafety-Critical System Protocol

Literature Review EE382c Fall 1999

Robert FranceGlobal Software DivisionMotorola, Inc.

Howard CurtisGlobal Technology ServicesMCC

+��&XUWLV��5��)UDQFH���������

• ButtonRectifiers

• PositiveCrankcaseVentilation

• PowerSteering

• UnleadedGas

• 2 & 3-WayCatalyticConverters

• EngineControl

• Fuel Injection

• Fuel MixSensors

• MPU’s

• Reformulating Gas

• High speed MCU forrealtime control

• Cold Start

• Onboard Diagnostic level 2

• Valve timing control

• Airbags

• Electric power steering

• Adaptive cruise control

• ABS with traction controland vehicle stability

• First available EVsand hybrids

The Evolution ofAutomotive Electronics

Source: Motorola, 1999

+��&XUWLV��5��)UDQFH���������

Automotive Electronics Market Development

0

5

10

15

20

25

30

35

40Automotive Semiconductor TAM World-Wide [$B]

1975 1980 1985 1990 1995 2000 2005 2010

ITS (Navigation, Telematics)

Body (Comfort, Light…)

Safety (ABS, Airbag…)Powertrain

Source: Motorola, 1999

Electronics andelectromechanics(‘Mechatronics’) arereplacing hydraulicand mechanicalcomponents invehicles.

The role of the driverwill (gradually)change from machineoperator to supervisorof a transportationsystem.

5th Wave(EPAS, X-by-Wire, 42V…)

+��&XUWLV��5��)UDQFH���������

Total Connectivity in the Vehicle

Driver Information

Systems

Powertrain Vehicle

Dynamics

Body (Comfort, Safety, Lighting, Instrumentation)

Video/Radar

Processing

LightingControl

CD/DVD

HVAC/Aux Gauges

TV-TunerVideo

Monitor

Navigation

Cellular

Multi-useDisplay

ITS

-Bu

s / M

OS

T

CAN-C

SubBus

DC Motor

CAN-B

HiFi Radio/Audio

Seat Heating

Stand-ByHeating

ISO 9141

Solenoid

Electric Brake

SquibSensor

StepperMotor

Light LevelRegulation

RemoteKeyless Entry

SeatPositioner

ControlPanel

Central ECU& Gateway

Dashboard

TTP TTPTelematics

Vehicle Dynamics

EngineControl

Gear BoxControlSun-Roof

Wiper Wish-Wash

ClimateControl

ClimatePanel

Su

b B

us

Air Bag

Left Door Module

Right DoorModule

BrakePetal

Steering

High Speed

Network Radar

Cameras

TTP

Source: Motorola, 1999

+��&XUWLV��5��)UDQFH���������

Event-Triggered vsTime-Triggered Systems

• Event-triggered systems react to events– Reception of a message

– Termination of a task

– External interrupt

• Time-triggered systems derive actions from the progressionof a globally synchronized time base

– Transmission of messages

– Task execution

– Monitoring of external states

+��&XUWLV��5��)UDQFH���������

Time-Triggered Protocols

• TTP: Family of TDMA based, fault tolerant protocols.

• TTP/C: A communication protocol specifically designed forsafety-related automotive applications.

• The development of TTP and TTP/C has been led by Prof.Hermann Kopetz, Technical University of Vienna.

• The commercial development of TTP/C tools and productsis led by TTTech.

• Existing protocols J1850 and CAN meet the the bandwidthspecification for an SAE Class C protocol, but not the faulttolerant requirements.

+��&XUWLV��5��)UDQFH���������

TTP/C Node Architecture• Host

– The Host runs the application software.

• Controller Network Interface (CNI)– De-couples the applications-level software from the network using dual ported

RAM.

– Contains the Message Descriptor List (MEDL) controlling bus access.

• TTP/C Communications Controller.– Provides the actual connection between the TTP/C node and the shared network.

– “…the TTP/C controller provides guaranteed transmission times with minimallatency,jitter, fault-tolerant clock synchronization, and fast error detection.”(Ross Bannatyne, “Time Triggered Protocol ...,” Wescon 1998, p. 88.)

• Replica Determinant– Allows multiple parallel nodes for fault tolerance

• Fail Silent– Enforced by bus guardians.

+��&XUWLV��5��)UDQFH���������

FTU 0

TTP

FTU 1 FTU 2

TTPTTP

Host Subsystems

Communication SubsystemDuplicatedbroadcastbusses

Nodes are Smallest Replaceable Units (SRUs)

Fault Tolerant Units (FTUs): Groups of actively replicated

nodes

Communication Network Interface (CNI):• System partitioning: autonomous TTP controllers, host CPUs• Hides communication subsystem behind memory abstraction• Predictable interface behavior achieves composability

TTPTTPTTP

TTP/C Cluster

HostCPU

HostCPU

HostCPU

HostCPU

HostCPU

HostCPU

Source: Motorola, 1999

+��&XUWLV��5��)UDQFH���������

TTP/C Communication Properties

• Static Scheduling– Guaranteed delivery times with known variance (jitter).

• Clock Synchronization– All nodes synchronized to within one microsecond each TDMA round.

• Composability– TTP/C nodes are temporally composable as well as functionally composable.

This is a key property of being replica determinant.

• Fail Silent– The bus guardians ensure transmission only during the correct timeslot, in all cases.

• Membership– Every node’s membership is available during each TDMA round.

+��&XUWLV��5��)UDQFH���������

FTU Slot

SRUSlot

A

A

Bus

0B

us 1

FTU 0 FTU1

FTU 2

TDMA Round

B B B

B B B

C

C

C

C

D

D

FTU 0 FTU1

FTU 2

B B B

B B B

E

E

E

E

t

t

Time Division Multiple Access (TDMA):• Fixed assignment of slots to nodes• Every node periodically transmits in its slot

Message Descriptor List (MEDL):• Static data structure• Message dispatching table

TTP/C Bus Access Scheme

Source: Motorola, 1999

+��&XUWLV��5��)UDQFH���������

X-by-Wire Systems

• Mechanical & hydraulic subsystems controllingsafety-related functions are replaced by computer controlsystems

– Examples: brake-by-wire, steer-by-wire, vehicle dynamics control, active suspension

• Advantages: Cost reduction, weight reduction, easierdesign, assembly and maintenance, passenger safety andcomfort

• Safety-critical applications require:– Fault tolerance: no single fault may lead to a system failure

– Predictable and timely system behavior

– Synchronized time base (global time)

+��&XUWLV��5��)UDQFH���������

Evolution of Steering Systems

Hydraulic Power Assist(Conventional Steering)

Cooling(high end) reservoir

Hydraulicpump

hoses

Servo actuator

Electric Power Assist(Newest Technology)

Torquesensor

Control unit

To MUX network

EPS Motor

Source: Motorola, 1999

+��&XUWLV��5��)UDQFH���������

Steer By Wire Systems

Triple Redundant

Actuators andControllers

ECU ECU

SteeringControl

Unit withRedundant

ECUs

TTP/CComms

TTP/CComms

TTP/CComms

TTP/CComms

TTP/CComms

Sensor

TTP/CComms

TTP/CComms

TTP/CComms

Sensor Sensor

ControlAnd

Motor

ControlAnd

Motor

ControlAnd

Motor

Source: Motorola, 1999

+��&XUWLV��5��)UDQFH���������

Modeling & Simulation in Automotive Design

Engine Data,Combustion ChamberBack Pressure

ElectroMechanicalValve

pre-DriverSignal ConditioningPower ModuleThermal Behavior

Matlab/SimulinkControl Algorithm

Trigger, CrankAngle based

CrankAngleSource

PWMfrequency

Source: Motorola, 1999

+��&XUWLV��5��)UDQFH���������

Position

Cylinder Back Pressure Force

Crank Angle

Coil Current

Valve Speed

Open / Close

Simulation Results

Source: Motorola, 1999

+��&XUWLV��5��)UDQFH���������

Summary & Conclusions

• Safety critical systems are the next big development area inthe automotive industry.

• TTP/C provides the basic features needed for implementingsafety critical systems.

• Modeling and Simulation are increasingly important todesigning highly complex, safety critical systems affordably.

• Proposed project to implement a partial high level model ofTTP/C in Ptolemy as proof of concept.

• Prof. Hermann Kopetz lecturing at UT, Nov. 18.