Flexible Bus Media Redundancy

DETIThis paper proposes a flexible approach to bus media redundancy in Controller Area Network (CAN) fieldbuses, both to improve the bandwidth by transmitting different traffic in different channels or to promote redundancy by transmitting the same message in more than one channel. Specifically the proposed solution is discussed in the context of Flexible Time-Triggered protocol over CAN (FTTCAN) and inherits the online scheduling flexibility of FTTCAN, enabling on-the-fly modifications of the traffic conveyed in the replicated buses. Flexible bus media redundancy is useful to fulfill application requirements in terms of additional bandwidth or to react to bus failures leading the system to a degraded operational mode, without compromising safety. The arguments for and against flexible bus media redundancy in the context of FTT-CAN are also discussed in detail

Using FTT-CAN to the Flexible Control of Bus Redundancy and Bandwidth Usage

DETIController Area Network (CAN) is a popular and very well-known bus system, both in academia and in industry, initially targeted to automotive applications as a single digital bus to replace the wiring that were growing complexity, weight and cost with the advent of new automotive appliances. However, requirements have evolved and CAN’s dependability and bandwidth limitations led to the emergence of alternative networks such as FlexRay and TTP/C. Nevertheless, we believe that it is possible to improve CAN so it could fulfill contemporary requirements. This paper proposes the use of Flexible Time-Triggered CAN (FTT-CAN) to increase the available bandwidth while providing fault tolerance in CAN based systems with multiple buses. The architecture and flexibility of FTT based systems enables a tight yet flexible control of redundancy and bandwidth usage without increasing the complexity of the nodes. In this novel solution, a FTT-CAN Master controls the dispatching of messages among a set of independent buses. The Master can react online to bus failures switching the transmission of critical messages to a non-faulty bus, always keeping a predetermined redundancy level

Controller Area Network

Controller Area Network (CAN) is a popular and very well-known bus system, both in academia and in industry. CAN protocol was introduced in the mid eighties by Robert Bosch GmbH [7] and it was internationally standardized in 1993 as ISO 11898-1 [24]. It was initially designed to distributed automotive control systems, as a single digital bus to replace traditional point-to-point cables that were growing in complexity, weight and cost with the introduction of new electrical and electronic systems. Nowadays CAN is still used extensively in automotive applications, with an excess of 400 million CAN enabled microcontrollers manufactured each year [14]. The widespread and successful use of CAN in the automotive industry, the low cost asso- ciated with high volume production of controllers and CAN's inherent technical merit, have driven to CAN adoption in other application domains such as: industrial communications, medical equipment, machine tool, robotics and in distributed embedded systems in general. CAN provides two layers of the stack of the Open Systems Interconnection (OSI) reference model: the physical layer and the data link layer. Optionally, it could also provide an additional application layer, not included on the CAN standard. Notice that CAN physical layer was not dened in Bosch original specication, only the data link layer was dened. However, the CAN ISO specication lled this gap and the physical layer was then fully specied. CAN is a message-oriented transmission protocol, i.e., it denes message contents rather than nodes and node addresses. Every message has an associated message identier, which is unique within the whole network, dening both the content and the priority of the message. Transmission rates are dened up to 1 Mbps. The large installed base of CAN nodes with low failure rates over almost two decades, led to the use of CAN in some critical applications such as Anti-locking Brake Systems (ABS) and Electronic Stability Program (ESP) in cars. In parallel with the wide dissemination of CAN in industry, the academia also devoted a large eort to CAN analysis and research, making CAN one of the must studied eldbuses. That is why a large number of books or book chapters describing CAN were published. The rst CAN book, written in French by D. Paret, was published in 1997 and presents the CAN basics [32]. More implementation oriented approaches, including CAN node implementation and application examples, can be found in Lorenz [28] and in Etschberger [16], while more compact descriptions of CAN can be found in [11] and in some chapters of [31]. Despite its success story, CAN application designers would be happier if CAN could be made faster, cover longer distances, be more deterministic and more dependable [34]. Over the years, several protocols based in CAN were presented, taking advantage of some CAN properties and trying to improve some known CAN drawbacks. This chapter, besides presenting an overview of CAN, describes also some other relevant higher level protocols based on CAN, such as CANopen [13], DeviceNet [6], FTT-CAN [1] and TTCAN [25]

Tolerância a falhas em sistemas de comunicação de tempo-real flexíveis

Nas últimas décadas, os sistemas embutidos distribuídos, têm sido usados em variados domínios de aplicação, desde o controlo de processos industriais até ao controlo de aviões e automóveis, sendo expectável que esta tendência se mantenha e até se intensifique durante os próximos anos. Os requisitos de confiabilidade de algumas destas aplicações são extremamente importantes, visto que o não cumprimento de serviços de uma forma previsível e pontual pode causar graves danos económicos ou até pôr em risco vidas humanas. A adopção das melhores práticas de projecto no desenvolvimento destes sistemas não elimina, por si só, a ocorrência de falhas causadas pelo comportamento não determinístico do ambiente onde o sistema embutido distribuído operará. Desta forma, é necessário incluir mecanismos de tolerância a falhas que impeçam que eventuais falhas possam comprometer todo o sistema. Contudo, para serem eficazes, os mecanismos de tolerância a falhas necessitam ter conhecimento a priori do comportamento correcto do sistema de modo a poderem ser capazes de distinguir os modos correctos de funcionamento dos incorrectos. Tradicionalmente, quando se projectam mecanismos de tolerância a falhas, o conhecimento a priori significa que todos os possíveis modos de funcionamento são conhecidos na fase de projecto, não os podendo adaptar nem fazer evoluir durante a operação do sistema. Como consequência, os sistemas projectados de acordo com este princípio ou são completamente estáticos ou permitem apenas um pequeno número de modos de operação. Contudo, é desejável que os sistemas disponham de alguma flexibilidade de modo a suportarem a evolução dos requisitos durante a fase de operação, simplificar a manutenção e reparação, bem como melhorar a eficiência usando apenas os recursos do sistema que são efectivamente necessários em cada instante. Além disto, esta eficiência pode ter um impacto positivo no custo do sistema, em virtude deste poder disponibilizar mais funcionalidades com o mesmo custo ou a mesma funcionalidade a um menor custo. Porém, flexibilidade e confiabilidade têm sido encarados como conceitos conflituais. Isto deve-se ao facto de flexibilidade implicar a capacidade de permitir a evolução dos requisitos que, por sua vez, podem levar a cenários de operação imprevisíveis e possivelmente inseguros. Desta fora, é comummente aceite que apenas um sistema completamente estático pode ser tornado confiável, o que significa que todos os aspectos operacionais têm de ser completamente definidos durante a fase de projecto. Num sentido lato, esta constatação é verdadeira. Contudo, se os modos como o sistema se adapta a requisitos evolutivos puderem ser restringidos e controlados, então talvez seja possível garantir a confiabilidade permanente apesar das alterações aos requisitos durante a fase de operação. A tese suportada por esta dissertação defende que é possível flexibilizar um sistema, dentro de limites bem definidos, sem comprometer a sua confiabilidade e propõe alguns mecanismos que permitem a construção de sistemas de segurança crítica baseados no protocolo Controller Area Network (CAN). Mais concretamente, o foco principal deste trabalho incide sobre o protocolo Flexible Time-Triggered CAN (FTT-CAN), que foi especialmente desenvolvido para disponibilizar um grande nível de flexibilidade operacional combinando, não só as vantagens dos paradigmas de transmissão de mensagens baseados em eventos e em tempo, mas também a flexibilidade associada ao escalonamento dinâmico do tráfego cuja transmissão é despoletada apenas pela evolução do tempo. Este facto condiciona e torna mais complexo o desenvolvimento de mecanismos de tolerância a falhas para FTT-CAN do que para outros protocolos como por exemplo, TTCAN ou FlexRay, nos quais existe um conhecimento estático, antecipado e comum a todos os nodos, do escalonamento de mensagens cuja transmissão é despoletada pela evolução do tempo. Contudo, e apesar desta complexidade adicional, este trabalho demonstra que é possível construir mecanismos de tolerância a falhas para FTT-CAN preservando a sua flexibilidade operacional. É também defendido nesta dissertação que um sistema baseado no protocolo FTT-CAN e equipado com os mecanismos de tolerância a falhas propostos é passível de ser usado em aplicações de segurança crítica. Esta afirmação é suportada, no âmbito do protocolo FTT-CAN, através da definição de uma arquitectura tolerante a falhas integrando nodos com modos de falha tipo falha-silêncio e nodos mestre replicados. Os vários problemas resultantes da replicação dos nodos mestre são, também eles, analisados e várias soluções são propostas para os obviar. Concretamente, é proposto um protocolo que garante a consistência das estruturas de dados replicadas a quando da sua actualização e um outro protocolo que permite a transferência dessas estruturas de dados para um nodo mestre que se encontre não sincronizado com os restantes depois de inicializado ou reinicializado de modo assíncrono. Além disto, esta dissertação também discute o projecto de nodos FTT-CAN que exibam um modo de falha do tipo falha-silêncio e propõe duas soluções baseadas em componentes de hardware localizados no interface de rede de cada nodo, para resolver este problema. Uma das soluções propostas baseiase em bus guardians que permitem a imposição de comportamento falhasilêncio nos nodos escravos e suportam o escalonamento dinâmico de tráfego na rede. A outra solução baseia-se num interface de rede que arbitra o acesso de dois microprocessadores ao barramento. Este interface permite que a replicação interna de um nodo seja efectuada de forma transparente e assegura um comportamento falha-silêncio quer no domínio temporal quer no domínio do valor ao permitir transmissões do nodo apenas quando ambas as réplicas coincidam no conteúdo das mensagens e nos instantes de transmissão. Esta última solução está mais adaptada para ser usada nos nodos mestre, contudo também poderá ser usada nos nodos escravo, sempre que tal se revele fundamental.Distributed embedded systems (DES) have been widely used in the last few decades in several application fields, ranging from industrial process control to avionics and automotive systems. In fact, it is expectable that this trend will continue over the years to come. In some of these application domains the dependability requirements are of utmost importance since failing to provide services in a timely and predictable manner may cause important economic losses or even put human life in risk. The adoption of the best practices in the design of distributed embedded systems does not fully avoid the occurrence of faults, arising from the nondeterministic behavior of the environment where each particular DES operates. Thus, fault-tolerance mechanisms need to be included in the DES to prevent possible faults leading to system failure. To be effective, fault-tolerance mechanisms require an a priori knowledge of the correct system behavior to be capable of distinguishing them from the erroneous ones. Traditionally, when designing fault-tolerance mechanisms, the a priori knowledge means that all possible operational modes are known at system design time and cannot adapt nor evolve during runtime. As a consequence, systems designed according to this principle are either fully static or allow a small number of operational modes only. Flexibility, however, is a desired property in a system in order to support evolving requirements, simplify maintenance and repair, and improve the efficiency in using system resources by using only the resources that are effectively required at each instant. This efficiency might impact positively on the system cost because with the same resources one can add more functionality or one can offer the same functionality with fewer resources. However, flexibility and dependability are often regarded as conflicting concepts. This is so because flexibility implies the ability to deal with evolving requirements that, in turn, can lead to unpredictable and possibly unsafe operating scenarios. Therefore, it is commonly accepted that only a fully static system can be made dependable, meaning that all operating conditions are completely defined at pre-runtime. In the broad sense and assuming unbounded flexibility this assessment is true, but if one restricts and controls the ways the system could adapt to evolving requirements, then it might be possible to enforce continuous dependability. This thesis claims that it is possible to provide a bounded degree of flexibility without compromising dependability and proposes some mechanisms to build safety-critical systems based on the Controller Area Network (CAN). In particular, the main focus of this work is the Flexible Time-Triggered CAN protocol (FTT-CAN), which was specifically developed to provide such high level of operational flexibility, not only combining the advantages of time- and event-triggered paradigms but also providing flexibility to the time-triggered traffic. This fact makes the development of fault-tolerant mechanisms more complex in FTT-CAN than in other protocols, such as TTCAN or FlexRay, in which there is a priori static common knowledge of the time-triggered message schedule shared by all nodes. Nevertheless, as it is demonstrated in this work, it is possible to build fault-tolerant mechanisms for FTT-CAN that preserve its high level of operational flexibility, particularly concerning the time-triggered traffic. With such mechanisms it is argued that FTT-CAN is suitable for safetycritical applications, too. This claim was validated in the scope of the FTT-CAN protocol by presenting a fault-tolerant system architecture with replicated masters and fail-silent nodes. The specific problems and mechanisms related with master replication, particularly a protocol to enforce consistency during updates of replicated data structures and another protocol to transfer these data structures to an unsynchronized node upon asynchronous startup or restart, are also addressed. Moreover, this thesis also discusses the implementations of fail-silence in FTTCAN nodes and proposes two solutions, both based on hardware components that are attached to the node network interface. One solution relies on bus guardians that allow enforcing fail-silence in the time domain. These bus guardians are adapted to support dynamic traffic scheduling and are fit for use in FTT-CAN slave nodes, only. The other solution relies on a special network interface, with duplicated microprocessor interface, that supports internal replication of the node, transparently. In this case, fail-silence can be assured both in the time and value domain since transmissions are carried out only if both internal nodes agree on the transmission instant and message contents. This solution is well adapted for use in the masters but it can also be used, if desired, in slave nodes

In-vehicle communication networks : a literature survey

The increasing use of electronic systems in automobiles instead of mechanical and hydraulic parts brings about advantages by decreasing their weight and cost and providing more safety and comfort. There are many electronic systems in modern automobiles like antilock braking system (ABS) and electronic brakeforce distribution (EBD), electronic stability program (ESP) and adaptive cruise control (ACC). Such systems assist the driver by providing better control, more comfort and safety. In addition, future x-by-wire applications aim to replace existing braking, steering and driving systems. The developments in automotive electronics reveal the need for dependable, efficient, high-speed and low cost in-vehicle communication. This report presents the summary of a literature survey on in-vehicle communication networks. Different in-vehicle system domains and their requirements are described and main invehicle communication networks that have been used in automobiles or are likely to be used in the near future are discussed and compared with key references

Using CAN to retrofit houses for quadriplegic people

DETIThis paper describes the B-Live® system targetted to automate house appliances for severely impaired people, in particular quadriplegic. This system has been developed at Micro I/O for enhancing the quality of life and the independence of its potential users. The envisaged application is the retrofitting of common dwellings. The B-Live system is described and details on its software, hardware and CAN-based communications architecture are provided. A survey of the supported appliances and interfaces is presented as well as a description of the B-live configuration and operation procedures. The adequacy of the B-Live system to improve the autonomy of the envisaged users was informally evaluated by C5 and C6 patients at a demonstration house located in the CMRRC Rovisco Pais, a rehabilitation center near Aveiro, in Portugal. The conclusion is that the system has a short learning curve and can cope with the requirements of its potential users. The use of CAN in this application opens the possibility to include safety critical real-time systems in the BLive system. This is the case of the monitoring of the ventilator used for quadriplegic people that require breath assistance

Flexible management of bandwidth and redundancy in fieldbuses

Doutoramento em Engenharia ElectrotécnicaOs sistemas distribuídos embarcados (Distributed Embedded Systems – DES) têm sido usados ao longo dos últimos anos em muitos domínios de aplicação, da robótica, ao controlo de processos industriais passando pela aviónica e pelas aplicações veiculares, esperando-se que esta tendência continue nos próximos anos. A confiança no funcionamento é uma propriedade importante nestes domínios de aplicação, visto que os serviços têm de ser executados em tempo útil e de forma previsível, caso contrário, podem ocorrer danos económicos ou a vida de seres humanos poderá ser posta em causa. Na fase de projecto destes sistemas é impossível prever todos os cenários de falhas devido ao não determinismo do ambiente envolvente, sendo necessária a inclusão de mecanismos de tolerância a falhas. Adicionalmente, algumas destas aplicações requerem muita largura de banda, que também poderá ser usada para a evolução dos sistemas, adicionandolhes novas funcionalidades. A flexibilidade de um sistema é uma propriedade importante, pois permite a sua adaptação às condições e requisitos envolventes, contribuindo também para a simplicidade de manutenção e reparação. Adicionalmente, nos sistemas embarcados, a flexibilidade também é importante por potenciar uma melhor utilização dos, muitas vezes escassos, recursos existentes. Uma forma evidente de aumentar a largura de banda e a tolerância a falhas dos sistemas embarcados distribuídos é a replicação dos barramentos do sistema. Algumas soluções existentes, quer comerciais quer académicas, propõem a replicação dos barramentos para aumento da largura de banda ou para aumento da tolerância a falhas. No entanto e quase invariavelmente, o propósito é apenas um, sendo raras as soluções que disponibilizam uma maior largura de banda e um aumento da tolerância a falhas. Um destes raros exemplos é o FlexRay, com a limitação de apenas ser permitido o uso de dois barramentos. Esta tese apresentada e discute uma proposta para usar a replicação de barramentos de uma forma flexível com o objectivo duplo de aumentar a largura de banda e a tolerância a falhas. A flexibilidade dos protocolos propostos também permite a gestão dinâmica da topologia da rede, sendo o número de barramentos apenas limitado pelo hardware/software. As propostas desta tese foram validadas recorrendo ao barramento de campo CAN – Controller Area Network, escolhido devido à sua grande implantação no mercado. Mais especificamente, as soluções propostas foram implementadas e validadas usando um paradigma que combina flexibilidade com comunicações event-triggered e time-triggered: o FTT – Flexible Time- Triggered. No entanto, uma generalização para CAN nativo é também apresentada e discutida. A inclusão de mecanismos de replicação do barramento impõe a alteração dos antigos protocolos de replicação e substituição do nó mestre, bem como a definição de novos protocolos para esta finalidade. Este trabalho tira partido da arquitectura centralizada e da replicação do nó mestre para suportar de forma eficiente e flexível a replicação de barramentos. Em caso de ocorrência de uma falta num barramento (ou barramentos) que poderia provocar uma falha no sistema, os protocolos e componentes propostos nesta tese fazem com que o sistema reaja, mudando para um modo de funcionamento degradado. As mensagens que estavam a ser transmitidas nos barramentos onde ocorreu a falta são reencaminhadas para os outros barramentos. A replicação do nó mestre baseia-se numa estratégia líder-seguidores (leaderfollowers), onde o líder (leader) controla todo o sistema enquanto os seguidores (followers) servem como nós de reserva. Se um erro ocorrer no nó líder, um dos nós seguidores passará a controlar o sistema de uma forma transparente e mantendo as mesmas funcionalidades. As propostas desta tese foram também generalizadas para CAN nativo, tendo sido para tal propostos dois componentes adicionais. É, desta forma possível ter as mesmas capacidades de tolerância a falhas ao nível dos barramentos juntamente com a gestão dinâmica da topologia de rede. Todas as propostas desta tese foram implementadas e avaliadas. Uma implementação inicial, apenas com um barramento foi avaliada recorrendo a uma aplicação real, uma equipa de futebol robótico onde o protocolo FTT-CAN foi usado no controlo de movimento e da odometria. A avaliação do sistema com múltiplos barramentos foi feita numa plataforma de teste em laboratório. Para tal foi desenvolvido um sistema de injecção de faltas que permite impor faltas nos barramentos e nos nós mestre, e um sistema de medida de atrasos destinado a medir o tempo de resposta após a ocorrência de uma falta.Distributed embedded systems (DES) have been widely used in the last few decades in several application domains, from robotics, industrial process control, avionics and automotive. In fact, it is expectable that this trend will continue in the next years. In some of these application fields the dependability requirements are very important since the fail to provide services in a timely and predictable manner may cause important economic losses or even put humans in risk. In the design phase it is impossible to predict all the possible scenarios of faults, due to the non deterministic behaviour of the surrounding environment. In that way, the fault tolerance mechanisms must be included in the distributed embedded system to prevent failures occurrence. Also, many application domains require a high available bandwidth to perform the desired functions, or to turn possible the scaling with the addition of new features. The flexibility of a system also plays an important role, since it improves the capability to adapt to the surrounding world, and to the simplicity of the repair and maintenance. The flexibility improves the efficiency of all the system by providing a way to efficiently manage the available resources. This is very important in embedded systems due to the limited resources often available. A natural way to improve the bandwidth and the fault tolerance in distributed systems is to use replicated buses. Commercial and academic solutions propose the use of replicated fieldbuses for a single purpose only, either to improve the fault tolerance or to improve the available bandwidth, being the first the most common. One illustrative exception is FlexRay where the bus replica can be used to improve the bandwidth of the overall system, besides enabling redundant communications. However, only one bus replica can be used. In this thesis, a flexible bus replication scheme to improve both the dependability and the throughput of fieldbuses is presented and studied. It can be applied to any number of replicated buses, provided the required hardware support is available. The flexible use of the replicated buses can achieve an also flexible management of the network topology. This claim has been validated using the Controller Area Network (CAN) fieldbus, which has been chosen because it is widely spread in millions of systems. In fact, the proposed solution uses a paradigm that combines flexibility, time and event triggered communication, that is the Flexible Time- Triggered over CAN network (FTT-CAN). However, a generalization to native CAN is also presented and studied. The inclusion of bus replication in FTT-CAN imposes not only new mechanisms but also changes of the mechanisms associated with the master replication, which has been already studied in previous research work. In this work, these mechanisms were combined and take advantage of the centralized architecture and of the redundant masters to support an efficient and flexible bus replication. When considering the system operation, if a fault in the bus (or buses) occurs, and the consequent error leads to a system failure, the system reacts, switching to a degraded mode, where the message flows that were transmitted in the faulty bus (or buses) change to the non-faulty ones. The central node replication uses a leader-follower strategy, where the leader controls the system while the followers serve as backups. If an error occurs in the leader, a backup will take the system control maintaining the system with the same functionalities. The system has been generalized for native CAN, using two additional components that provide the same fault tolerance capabilities at the bus level, and also enable the dynamic management of the network topology. All the referred proposals were implemented and assessed in the scope of this work. The single bus version of FTT-CAN was assessed using a real application, a robotic soccer team, which has obtained excellent results in international competitions. There, the FTT-CAN based embedded system has been applied in the low level control, where, mainly it is responsible for the motion control and odometry. For the case of the multiple buses system, the assessment was performed in a laboratory test bed. For this, a fault injector was developed in order to impose faults in the buses and in the central nodes. To measure the time reaction of the system, a special hardware has been developed: a delay measurement system. It is able to measure delays between two important time marks for posterior offline analysis of the obtained values

Coordinating distributed autonomous agents with a real-time database: the CAMBADA project

DETIInterest on using mobile autonomous agents has been growing, recently, due to their capacity to cooperate for diverse purposes, from rescue to demining and security. However, such cooperation requires the exchange of state data that is time sensitive and thus, applications should be aware of data temporal coherency. In this paper we describe the architecture of the agents that constitute the CAMBADA robotic soccer team developed at the University of Aveiro, Portugal. This architecture is built around a real-time database that is partially replicated in all team members and contains both local and remote state variables. The temporal coherency of the data is enforced by an adequate management system that refreshes each database item transparently at a rate specified by the application. The application software accesses the state variables of all agents with local operations, only, delivering both value and temporal coherency

Identity Theft Prevention Measures for State Unemployment Benefits Offices: A Case Study of Workforce West Virginia

Identity theft continues to pose an increasingly complex problem for government benefits offices. The purpose of this study was to explore the environmental factors that affected a state unemployment benefits office’s ability to reduce identity theft. Current research focused on protecting information systems’ hardware, software, and related infrastructure, focusing on cyberattacks such as phishing, Trojan horses, or illegal access. The U.S. government focuses on informing the consumer and assisting small businesses through risk assessments, strategic plans, and regulations for cybersecurity. Researchers have not conducted a thorough investigation of the environment that makes state government benefit offices susceptible to identity theft. The theoretical framework for this study was open systems theory using the six dimensions of digital governance. The research question involved the identification of the barriers to a state unemployment benefits office’s ability to reduce identity theft. A qualitative case study approach concentrated on the external environmental factors that affect the system. Data collection included documents, archival records, and artifacts from multiple sources. The outcome of this research may help to inform state governments to improve policies and procedures by providing administrative, operational, and technical controls. This study has implications for positive social change to inform efforts to reduce human costs (identity theft) and financial costs (government program fraud and individual recovery)

Challenges in health smart homes

This paper presents an overview of the challenges in developing Health Smart Homes targeting, in particular, elderly and impaired people. As such, it identifies the current endeavors as well as the main areas of research