Interfacing to Time-Triggered Communication Systems by Puschner, Peter & Kirner, Raimund
Interfacing to Time-Triggered Communication Systems
Peter Puschner Raimund Kirner
Vienna University of Technology University of Hertfordshire
Vienna, Austria Hatfield, United Kingdom
peter@vmars.tuwien.ac.at r.kirner@herts.ac.uk
Abstract
Time-triggered communication facilitates the con-
struction of multi-component real-time systems whose
components are in control of their temporal behavior.
However, the interface of a time-triggered communi-
cation system has to be accessed with care, to avoid
that the temporal independence of components gets lost.
This paper shows two interfacing strategies, one for
asynchonous interface access (in two variants, one be-
ing the new Rate-Bounded Non-Blocking Communica-
tion protocol) and one for time-aware, synchronized in-
terface access, that allow components to maintain tem-
poral independence. The paper describes and compares
the interfacing strategies.
1 Introduction
In many safety- and time-critical applications (e.g.,
powerplants, medical devices, planes), an increasing
number of functions are realized by embedded com-
puter systems. As a consequence, embedded computer
systems get more complex. They need more compu-
tational resources and are implemented as distributed
systems, consisting of an ever-growing number of com-
puter units. Given this growth, we have to ensure that
the additional interactions of components do not cre-
ate interferences that make the system behavior unpre-
dictable, thus infringing the safety of applications.
A composable system design limits the interferences
between the components of a distributed embedded
system [4]. The components of a composable multi-
component system are highly autonomous: the point
of control that determines which actions a component
performs and when these actions are triggered resides
within, not outside the component. Component au-
tonomy ensures that components and multi-component
subsystems can be developed independently. Their
functionality and timing can be verified and validated
in isolation, thus cleanly separating the responsibilies
of the suppliers of different subsystems.
Prior work has shown that time-triggered commu-
nication allows components of multi-component sys-
tems to autonomously control their timing behavior [2].
Reading from or writing to a time-triggered communi-
cation interface is similar to reading or writing program
variables that are regularly updated. As opposed to
event-triggered interfaces, where every received mes-
sage has to be read and consumed in order to keep
the receiving component in a consistent state (i.e., the
receiver must read/process every message within a de-
fined time after its arrival), time-triggered communica-
tion does not impose control pressure (or variable load)
on components whose interface data get updated [3].
While the program-variable semantics of time-
triggered interface data does not create an external
control pressure on components from the side of the
communication system, mutual-exclusion blocking,
which must be enforced when the communication sys-
tem and a component access the interface concurrently,
might still lead to external control on the blocked
subsystem. In this paper we explore two approaches
to avoid external influences on control due to mutual-
exclusion blocking when accessing the data-sharing
interface of a time-triggered communication system.
In the first approach, subsystems access the interface
asynchronously , without coordination. The software
for interface access prohibits external control on
subsystems by masking access conflicts (Section 4.1).
In the second approach, computing components that
access the time-triggered communication interface are
time-aware. They synchronize to the global time of
the communication system and take advantage of the
statically available information about the send and
receive times of messages to avoid control conflicts
when accessing the interface (Section 4.2). After
introducing each of these approaches for interface
access, Section 5 compares the two strategies in detail.
2 Time-Triggered Communication
A time-triggered communication system (TTCS) is
an autonomous subsystem of a distributed real-time
computer system that transports messages between the
nodes of the computer system in a time-predictable
way. Time-triggered messages are periodic. The
TTCS transports the messages from a sender node
to one or more receiver nodes according to a static
message-transmission schedule that is constructed at
design time. The clock synchronization service of the
TTCS provides a global clock to the distributed sys-
tem. Communication end points of the TTCS, the
linking-interface subsystems (LIFSS) of the nodes, use
this global clock to maintain a uniform view about the
progress of time and coordinate their message send and
receive operations according to the message schedule.
Further, the computational components of the nodes
can program the LIFSS to generate (periodic) clock
interrupts. This allows computational components to
synchronize their operation to the global clock.
TTCSS:	Time-Triggered
Communication	Subsystem
Co
m
pu
ta
tio
na
l
Co
m
po
ne
nt
	(C
C)
Co
m
pu
ta
tio
na
l
Co
m
po
ne
nt
	(C
C)
LI
FS
S
LI
FS
S
Figure 1. Time-Triggered System Model.
Figure 1 sketches the structure of a time-triggered
distributed computer system. The nodes of the dis-
tributed system consist of the interacting, autonomous
computational components (CCs) and the LIFSS. The
LIFSS of all nodes taken together constitute the TTCS.
3 Autonomy of Components
In a general distributed computer system, compo-
nents communicate by the exchange of messages. Be-
sides the data flow, we have to establish appropriate
control flow relations between communicating compo-
nents when we aim at constructing systems that guar-
antee component autonomy. The control flow deter-
mines who initiates message transfers and is in com-
mand of the individual steps of the transfer. Let us
consider the transfer of a message from a sending to a
receiving component. If the sender is entirely in control
of the message transfer, then the control flow originates
at the sender and terminates at the receiver. We call
this an information-push [2] operation. If the receiver
is in control of transferring the message from a sender,
then the control-flow direction is from the receiver to
the sender, in opposite direction of the data flow. We
call this an information-pull [2] operation.
Information-push operations are ideal for senders.
For an information-push operation, the sender does
not have to wait until the receiver is ready, neither
does it need buffers for storing messages while waiting.
Information-pull operations are ideal for receivers. Fol-
lowing the information-pull policy, receivers can pro-
cess messages under their own control – message-pull
receivers cannot be disturbed by messages that arrive
at times that are not under their own control.
In a TTCS, there is no explicit control flow across
the communication system. Due to the program-
variable semantics of state messages, message arrival
does not impose external control on CCs. So, CCs may,
in principle, read ports of the LIFSS in information-pull
operations and write to ports in informaion-push oper-
ations. The only potential control conflicts at a LIFSS
can arise due to mutual-exclusion blocking when the
LIFSS and a CC try to access a shared data item at the
same time. We will show how these mutual-exclusion
control conflicts can be resolved by taking advantage
of the properties of time-triggered communication re-
spectively by using LIFSS services.
4 Non-blocking Interfaces
In the following we will discuss the two alternative
strategies of accessing the LIFSS without control dis-
turbances due to mutual-exclusion blocking. CCs may
adopt one of these strategies. The chosen strategy de-
termines how and when CCs access the LIFSS ports
and whether they use the clock interrupt service of
their LIFSSs. Depending on application requirements,
CCs may use the data-sharing interface of the LIFSS
either as a
• time-agnostic, asynchronous interface, or as a
• time-aware, time-synchronized interface.
4.1 Time-Agnostic, Asynchronous Interface
Assuming that network communication is time-
triggered, but the program activation on the compu-
tational component (CC) is event-controlled, a time-
agnostic asynchronous communication protocol is re-
quired at the LIFSS. In this section we introduce the
novel Rate-bounded Non-Blocking Communication Pro-
tocol (RNBC) as such a protocol.
RNBC allows the parallel write and read of shared
data without the need for blocking or waiting, support-
ing one writer and multiple readers. To facilitate non-
blocking, RNBC comes with a schedulability criterion
2
that bounds the rate of write accesses. Reading via
RNBC always provides the latest completely written
data. Any pending data write becomes only available
for reading, once the write is completed.
RNBC has been inspired by the Non-blocking Write
Protocol (NBW) [5]. To understand the benefit of
RNBC, we first briefly describe NBW, as shown in Fig-
ure 2. The data to be communicated is stored in the
buffer buff. In addition, the writer maintains the con-
currency control flag ccf, to indicate the writing sta-
tus. Whenever ccf is odd, a writing is in progress, and
when ccf becomes even again, the writing has com-
pleted. Thus, the reader performs a busy waiting dur-
ing reading to make sure that ccf was even and did
not change during the whole read operation.
1 i n t bu f f ; // shared msg bu f f e r
2 i n t c c f = 0 ; // 0 means empty bu f f e r
3
4 void nbw write msg ( i n t msg) {
5 c c f++; // becomes odd : wr i t e in p rog r e s s
6 bu f f = msg ;
7 c c f++; // becomes even : wr i t e completed
8 }
9
10 i n t nbw read msg ( ) {
11 i n t msg ;
12 i n t cc f1 , c c f 2 =0;
13 do {
14 c c f 1 = c c f ;
15 i f ( odd ( c c f 1 ) ) cont inue ;
16 msg = bu f f ;
17 c c f 2 = c c f ;
18 } whi le ( c c f 1 != cc f 2 ) ;
19 r e turn msg ;
20 }
Figure 2. NBW: Classical Non-Blocking Write
Protocol
While NBW is simple to understand, part of its na-
ture is that it has a variable execution time, depending
on whether the read operation overlaps with a write op-
eration or not. To reduce the likelihood of such a read
delay, the authors included in the original paper also
an extended variant of NBW, which manages a ring
buffer [5]. This way, a write operation started during a
read does not necessarily cause a delayed reading. Only
in case that multiple writes fill up the ring buffer dur-
ing a pending read, then a delayed read will happen.
It has to be noted that this Extended NBW can still
suffer from occasional read delays, however, making
them more rare. But at the same time the Extended
NBW has a significantly higher code overhead than
the standard NBW, making read/write clashes more
likely. These given limitations of NBW and its ex-
tended ring-buffer variant motivated us to develop the
Rate-bounded Non-Blocking Communication Protocol
(RNBC), a new concurrent read-write protocol that is
inspired by the field of lock-free communication data
structures, for example, lock-free message queues [1, 6].
4.1.1 RNBC: A Rate-bounded Non-Blocking
Communication Protocol
The design strategy for RNBC was, instead of aiming
to minimise the likelihood of read/write clashes, to de-
velop a precise schedulability criterion that guarantees
absence of read/write clashes. This at the same time
allowed us to develop a protocol that has minimal code
overhead.
The code of RNBC is shown in Figure 3. The key
feature of RNBC is to have two communication buffers,
one for the current write operation, and the other one
for current read operations. Whenever a write finishes,
the roles of these two buffers is swapped. The shared
flag wbuff indicates which buffer index (0 or 1) is cur-
rently allocated for next writing. As we can see from
the code, the implementation of both the reader and
writer in RNBC became extremely simple, consisting
basically just of the access/update of the buffer and
the control flag.
1 i n t bu f f [ 2 ] ; // shared msg bu f f e r
2 i n t wbuff = 0 ; // bu f f e r index o f wr i t e
3
4 void rnbc wr i te msg ( i n t msg) {
5 bu f f [ wbuff ] = msg ;
6 wbuff = 1−wbuff ; // swap read/wr i t e bu f f e r
7 }
8
9 i n t rnbc read msg ( ) {
10 i n t r bu f f = 1−wbuff ;
11 r e turn bu f f [ r bu f f ] ;
12 }
Figure 3. RNBC: Rate-bounded Non-Blocking
Communication Protocol
4.1.2 Schedulability Criterion of RNBC
The strong contribution behind RNBC is the precise
schedulability criterion that guarantees the absence of
read/write clashes regardless of the relative phase be-
tween read and write operations. Before introducing
this schedulability criterion, we have to first introduce
some definitions:
cr: the WCET of the read operation
3
cw: the WCET of the write operation
mint: the minimum inter-arrival time between two
messages, i.e., consecutive write operations
Based on these definitions, we can state the schedu-
lability criterion of RNBC:
Theorem 4.1 Without any further assumption about
the synchrony between read and write, the following is
a necessary and sufficient schedulability condition for
the RNBC protocol:
cw + cr ≤ mint
This schedulability criterion implies that the max-
imum execution time available for a read operation
cr,max is as follows: cr,max ≤ mint − cw. In other
words, we have to make sure that the WCET of the
read and write operation together is less or equal than
the minimum inter-arrival time of messages.
Proof (Theorem 4.1) To prove this, we have to show,
both, that the scheduleability criterion is sufficient and
also necessary. To do so, we use Figure 4 to visualise
some key properties of the behaviour of RNBC. The
first row write shows in which buffer the individual
write operations are writing (with distance mint be-
tween them). The 2nd row wbuff shows the timing
diagram of the flag wbuff, following directly from the
implementation. The row rbuff shows the behaviour
of a read operation, depending on its starting time in
comparison to write operations. This means that the
flag rbuff at the start of a read operation is always set
as the opposite of the current value of the wbuff flag.
This line shows that after the completion of a write
operation to buffer bi, any read operation started af-
terwards and before the next writing operation starts,
will read from bi. The lines rwindow b0 and rwindow b1
show the possible reading window for buffer index 0 re-
spectively 1, such that no read/write clash will occur.
The reading window for each buffer bi is from the com-
pletion of a write into bi till the beginning of the next
write operation into bi.
Part 1: Sufficient: As shown in Figure 4, the read
access from buffer bi can only start after completion of
its write till the next write completion of buffer b1−i,
which is a time span of mint. At the same time, the
reading window of buffer bi starts as well directly after
the completion of its write and lasts till the beginning
of the next write operation to buffer bi, which is a time
span of 2mint− cw. Any valid read has to start within
rbuff == bi and has to complete before the end of the
reading window rwindow bi, for which the minimum
duration is:
lenth(rwindow) − lenth(rbuff) = (2mint − cw) −
mint = mint− cw.
Hence, the minimum guaranteed time available for
reading is mint − cw, which implies that cr ≤ mint −
cw is sufficient for non-clashing read/write operations.
This proves that the schedulability condition of Theo-
rem 4.1 is sufficient.
Part 2: Necessary: To proof that the schedula-
bility condition is necessary, we use an indirect proof.
We start with the assumption that the schedulability
condition does not hold and derive from it that the
read/write operations can clash.
Assuming that the schedulability condition does not
hold, we have the following property:
cw + cr = mint+ ∆ | ∆ > 0
To look for the worst case, we assume that the read
access to buffer bi starts just at the end of rbuff ==
bi, i.e., at mint, which is the last possible time before
reading is switched to buffer b1−i. In that situation
the remaining time of reading window rwindow bi is
mint − cw, because lenth(rwindow) − lenth(rbuff) =
(2mint− cw)−mint = mint− cw).
However, based on the assumed property cw + cr =
mint+ ∆ | ∆ > 0 it follows that the reading time cr is
cr = mint−cw+∆. Thus, the reading time of buffer bi
is by ∆ longer than the remaining length of the reading
window, causing a clash of the read/write operations to
buffer bi. This proves that the schedulability condition
of Theorem 4.1 is necessary.
b0b1 b1 b0
wbuff
write b0
rbuff
cw
mint
schedulability condition: cw + cr <= mint
b1 b1b0
1
0
1
0
b0
b1 b1
b0
rwindow b1
cr,maxcr,max
rwindow = (2mint – cw)
t
rwindow b0
Figure 4. Properties of RNBC Protocol (used
in proof of Theorem 4.1)
4
Corollary 4.2 If the condition (cw + cr ≤ mint) can
be ensured, then there is no benefit in terms of reducing
read/write clashes by using more than two communica-
tion buffers, e.g., a ring buffer with n > 2 elements.
4.1.3 NBW vs RNBC
We have stated that RNBC relies for its correctness on
some real-time assumptions, like inter-arrival time and
WCETs. NBW does not have any such requirements
specified, thus NBW looks easier to be deployed. How-
ever, we herewith compare them in further detail.
As stated above, the border-line case where RNBC
still works is cw + cr = mint.
Now lets assume that the WCETs of the read and
write operations of NBW are denoted as c′r and c
′
w.
Comparing the implementations of NBW in Figure 2
and of RNBC in Figure 3, it is clear that NBW has
more overhead for both, read and write, i.e., c′w > cw ∧
c′r > cr. From that follows that c
′
w + c
′
r > mint. This
means, while RNBC still just works for this mint value,
the same mint value will cause NBW to be caught in
never-ending read-write clashes, regardless of the phase
between read and write. Thus, also NBW has to rely
on some real-time assumptions, which are actually even
more strict than those for RNBC.
Concluding, RNBC is an efficient implementation
for the concurrent single-writer multiple-reader com-
munication pattern, using real-time properties like
WCET and minimum inter-arrival time to assure cor-
rect behaviour. Under the given schedulability con-
dition, RNBC allows a constant access time for both
reader and writer.
4.2 Time-Aware Interface
The time-synchronized access strategy solves the
mutual-exclusion problem at the LIFSS by avoiding ac-
cess conflicts from the very beginning. To this end, it
carries out the read and write operations of CCs to
the LIFSS at times that do not coincide with the ac-
cesses by the TTCS — the times when CCs must not
access the LIFSS are derived from the TTCS message-
transmission schedule that is constructed at system-
construction time.
4.2.1 Accessing the LIFSS
When designing the software for a CC with time-
synchronized LIFSS access, one will pay particular at-
tention to synchronize the time of read and write op-
erations from the very beginning. On top of conflict
avoidance, one can even benefit from the timing infor-
mation contained in the message schedule and activate
the task on a CC tailored to the timing of LIFSS-read
and write operations of the TTCS: Such a task sched-
ule will ensure that a task that reads data from the
LIFSS will be activated shortly after the message with
these data has been received and made available by the
LIFSS. In a similar way, the scheduler will activate a
task that writes to the LIFSS right before the TTCS
will transmit the written data.
To align LIFSS-read and write operations with the
actual message transfers, the CC needs (a) a real-
time task scheduler and (b) a mechanism for adjusting
its local clock to the clock of the TTCS. The align-
ment can be accomplished by means of a static, table-
driven scheduler, where the scheduling table guarantees
that the CC accesses the LIFSS in time windows that
are guaranteed to be conflict-free. The programmable
clock interrupt of the LIFSS can be triggered regularly
to synchronize the clock of the CC with the global time-
base. This clock synchronization ensures that the task
scheduler of the CC and the message schedule of the
TTCS stay consistent.
4.2.2 Interface-Timing Constraints
Let us provide a more detailed discussion on when a
CC may safely access its LIFSS without running into
mutual-exclusion conflicts. We assume that the sched-
ule of TTCS accesses to the LIFSS is given. Further we
assume that the CC regularly adjusts its clock to the
global clock using master-clock synchronization, i.e., in
the clock interrupt routine the clock of the CC is set
to the value of the global clock.
In the time intervals between clock synchronization,
the clock of the CC drifts away from the global clock.
This relative drift has to be taken into account when
planning the conflict-free schedule of accesses to the
LIFSS. In the following, we will explore how the pos-
sible clock drift can be considered when planning the
LIFSS access times for CCs. We make the following
assumptions.
• The clock of the communication controller that
represents the global time of the TTCS acts as
the reference clock.
• Tick i of the reference clock happens at time ti; tji
denotes the time of tick c on clock j.
• The drift rate ρˆ denotes the maximum drift rate
of a CC clock relative to the reference clock, i.e.,
ρˆ combines the absolute drift rate of the local rep-
resentation of the global clock and the maximum
absolute drift rate of the clocks of the CCs.
5
When planning the LIFSS-read and write operations
of the CC, we have to ensure that the time intervals
of these read and write operations do not overlap with
LIFSS-data accesses by the TTCS. The determination
of these time intervals has to take the relative drift of
the clocks of the CC and the TTCS into account (see
Fig. 5).
t0
fast CC clock
TTCS clock
slow CC clock
ts
k
ts
jtw
j
tw
k
ts
te
k
te
j tr
j
tr
k
te
Figure 5. Latest write to and earliest read from
LIFSS data.
Let us assume the TTCS accesses some LIFSS data
between ticks s and e on its clock, in the time inter-
val T = [ts, te] after the last synchronization point, at
time t0. Now we want to determine the start and end
ticks (w and r) of the access interval of the CCs that
guarantees mutual exclusion and accounts for the drift
of the clocks.
To ensure that all LIFSS accesses by CCs preceding
the LIFSS access of the TTCS have completed before
T , we must make sure that even the CC with the slow-
est clock, say CC j, has completed its access at tick w
with tjw ≤ ts, thus
w =
⌊
s
1 + ρˆ
⌋
.
Analogously, we must guarantee that CCs accessing
the LIFSS start only after the TTCS has completed
its access. In this case, the CC with the fastest clock,
CC k, must not start reading repectively writing the
LIFSS before tick r with tkr ≥ te and
r =
⌈
e
1− ρˆ
⌉
.
4.2.3 Scheduling CC Tasks
To maintain mutual exclusion, real-time tasks on the
CCs that access LIFSS data must be scheduled such
that they do not overlap with the respective [w, r] in-
tervals. These mutual exclusion constraints are added
to the application-specific precedence constraints of the
scheduler. If tasks are statically scheduled, the pre-
runtime scheduler uses those constraints together to
build the dispatch tables that the dispatchers running
on the CCs will interpret at runtime.
4.2.4 Interface Timing Properties
Synchronizing the LIFSS accesses of the CCs and the
TTCS has a positive effect on the timing properties of
the interface.
First, synchronizing both LIFSS-write and read op-
erations on all CCs to global time reduces the message-
delay jitter in comparison to non-synchronized access.
In fact, if we use a synchronized, table-driven scheduler
to trigger the LIFSS reads and writes, the jitter can be
kept as small as Π, the precision of the global clock.
Second, using table-driven schedules that are
aligned to the global clock allows system designers to
streamline task executions and message communica-
tion. This way, the overall response times of real-time
transactions spreading over two or more CCs can be
kept short.
Third, if all data manipulations and data transfers
via the TTCS follow a global time schedule, then the
information about the age of data items is implicitly
available at all CCs of the computer systems. As a
consequence, the time stamps of real-time observations
do not have to be transported via the TTCS. This
means, in a time-triggered network with fully time-
synchronized CCs, only the values of observations have
to be handed over to the LIFSS. Both, the name and
the time of the observation are implicitly known.
5 Comparison
Each of the presented access strategies to the in-
terface of a time-triggered communication system aims
at the automomy of CCs, to make components time-
composable. The different strategies are, however,
paired with significant differences in the characteristics
of the components that constituate the overall system.
We discuss the differences of the component character-
istics in the following; see also Table 1.
A CC that accesses the LIFSS as a time-agnostic
interface acts fully autonomously, i.e., it ignores the
message schedule and potential conflicts when inter-
acting with the LIFSS. A time-aware component , in
contrast, uses its knowledge about the message sched-
ule to synchronize its LIFSS accesses to the operation
of the TTCS.
The fact that components with a time-agnostic in-
terface do not synchronize with the message schedule
leads to a message-validity jitter of (almost) two times
the message period for all data items read from the
LIFSS. This is due to the fact that both at the sender
6
Table 1. Comparison of the Component Characteristics for the Interfacing Methods.
Characteristic Interface
Time Agnostic Time Synchronized
NBW RNBC
Control paradigm full autonomy full autonomy adaptation to schedule
Message validity jitter 2× message period 2× message period precision of clock
Jitter of message read 0−2 failed read attempts 0 0
Task-msg. streamlining no no yes
Use of time value (explicit) value (explicit) control (implicit)
Replica determinism no no yes
Build complexity low low medium to high
Example app. movie streaming, flight control, steel mill,
sensor network drive by wire, film stretching
side and receiver side the duration of the time interval
between the LIFSS access of the TTCS and access of
the CC may vary between zero and the duration of a
message period. This jitter is significantly higher than
for time-aware interfaces, for which it is Π, the preci-
sion of the global clock.
Write operations to the LIFSS always have a con-
stant execution time. Regarding read operations in
NBW, there is an execution-time jitter due to the
possibility of retries. Both, RNBC and the time-
synchronized reads have no execution-time jitter due
to LIFSS-access conflicts. This means that the use of
RNBC allows for a construction of components that
are fully autonomous, without any external control in-
fluences on their temporal behavior.
The lack of synchronization at time-agnostic inter-
faces inhibits the streamlining (i.e., tight synchroniza-
tion) of tasks that read from or write to the LIFSS
and the messages that transport the respective data
items. A time-aware interface with time-synchronized
interface access, in contrast, allows for the synchro-
nization of these activities. Thus time-aware interfaces
support real-time transactions with much shorter end-
to-end delays than asynchronous interfaces.
When all operations of the components and the com-
munication system are time-triggered, controlled by a
global execution plan, then the knowledge about the
points in time of all data-read and write operations
are globally known, i.e., the timestamps of these oper-
ations are implicit global knowledge in the system. As
a consequence, and in contrast to systems which oper-
ate asynchronously, one does not need to transport the
times of real-time observations in time-synchronized
systems.
Synchronizing the LIFSS-read and write operations
of a component with global time is a prerequisite for a
clear definition of the state of a CC, which, in turn, is
needed for the realization of replica-deterministic com-
ponents (i.e., components that agree both in the value
and time domain within a defined time span). As the
provision of replica determinism greatly simplifies the
construction of fault-tolerant real-time systems, time-
aware LIFSS access of CCs is of essential for imple-
menting fault tolerance, as well.
The central advantage of using interfaces without
care about timing is the low build complexity of the
components and the overall system. When using time-
agnostic interfaces, developers do not need to know
about the temporal particularities of the LIFSS or
other components. In contrast, to fully exploit the
benefits of synchronized interface access, the timing of
operations on the components and message transmis-
sion on the TTCS have to be tightly coordinated. The
complexity and cost for designing such a system-wide
coordination may be significant.
Typical example applications for non-synchonized
interfaces are entertainment systems, like movie
streaming, or monitoring systems (e.g., based on
sensor networks). Usually, these applications do not
require system-provided fault tolerance, but they
greatly benefit from the lower build complexity. Still,
they may need to compensate for jitter in the order of
message periods during message reception by appro-
priate buffering or queuing. In the case of monitoring
systems, observations can be time-stamped by reading
the global time available at the LIFSS after the
observation. Applications that use time-synchronized
interfaces trade the added build complexity for the
realization of deterministic real-time transactions with
short end-to-end delays. Typical examples of such
applications are related to control (e.g., flight control
systems, film stretching systems, . . . ) which often
require highly regular sense-control-act cycles. Some
control systems are safety critical and profit from fault
7
tolerance that is enabled at the architectural level by
the use of time-synchronized interfaces.
6 Example: CC Predictability
msg0
read-NBW
write msg0
read-RNBC a)
msg1 msg3msg2
t
read-RNBC b)
msg0 msg1msg
delay: 2"#delay: 0
msg
msg1
different msg age read
read-synchr
msg0 msg1 msg2
jitter: 2"#
predictable time and value
Figure 6. Local behaviour of different inter-
facing methods
In this section we show the temporal predictability
of components using the different access strategies to
the interface of a time-triggered communication sys-
tem. Figure 6 shows the read/write behaviour at a
local network node between the CC and the LIFSS:
• The first row shows the time line of the write ac-
cess to the LIFSS, with different message instances
over time.
• The second row ”read-NBW” shows examples of
asynchronous read access via the NBW proto-
col. The first read operation happens just after
completion of the last write access, and proceeds
with zero delay. The second read operation just
slightly overlaps with the write operation for mes-
sage msg1. This lead to two read attempts par-
tially overlapped with the write, causing them to
fail, and only the third attempt then finally suc-
ceds. Thus, NBW causes jitter to the temporal
behaviour of a component.
• The rows ”read-RNBC a)” and ”read-RNBC b)”
show examples of the asynchronous read with
RNBC. In both cases, the read operation has a
constant execution time, as RNBC is free of read-
/write conflicts by design. However, what the two
different examples also show, is that with RNBC
a small difference in the start of a read can cause
to read a different message instance. Thus, while
RNBC allows components to be time predictable,
the predictability in the value domain of messages
is not given.
• Finally, the row ”read-synchr” shows access pat-
terns with synchronous interfacing. It shows that
synchronous interfacing not only gives constant
execution time of the read operation, but also pro-
vides predictability in the value domain, as read
operations are fixed scheduled with some time off-
set after the completion of each write access.
7 Conclusion
In this paper we discussed different interfacing tech-
niques between a computing component (CC) and a
time-triggered communication network. The results
show that best predictability in time and value domain
is achieved by synchronous interfacing, where the exe-
cution of activities at the CC is synchronous with the
message communication over the time-triggered net-
work. To achieve this, the local clock of the CC has
to be synchronized to the global clock of the time-
triggered network. With asynchronous access, no clock
synchronisation is required, but it comes at the cost
of unpredictability in the value domain, as it is not
ensured which message instance is obtained by a read
access. We have also developed a new asynchronous ac-
cess protocol, called Rate-bounded Non-Blocking Com-
munication protocol (RNBC), which ensures the tem-
poral predictability and autonomy at the component
level for asynchronous access.
References
[1] J. R. Engdahl and D. Chung. Lock-free data structure
for multi-core processors. In Proc. Int’l Conference on
Control, Automation and Systems (ICCAS 2010), pages
984–989, Oct 2010.
[2] H. Kopetz. Real-Time Systems. Springer, 2nd edition,
2011.
[3] H. Kopetz and R. Nossal. Temporal firewalls in large
distributed real-time systems. In Proc. 6th IEEE Com-
puter Society Workshop on Future Trends of Distributed
Computing Systems, pages 310–315. IEEE, 1997.
[4] H. Kopetz and R. Obermaisser. Temporal compos-
ability. Computing & Control Engineering Journal,
13(4):156–162, 2002.
[5] H. Kopetz and J. Reisinger. The non-blocking write
protocol NBW: A solution to a real-time synchroniza-
tion problem. In Proc. IEEE Real-Time Systems Sym-
posium, pages 131–137, Dec. 1993.
[6] H. Ma and Y. Li. Effective data exchange in paral-
lel computing. In Proc. Int’l Conference on Informa-
tion Science and Cloud Computing, pages 106–112, Dec.
2013.
