
    The correctness of a distributed real-time system

    In this thesis we review and extend the pervasive correctness proof for an asynchronous distributed real-time system published in [KP07a]. We take a two-step approach: first, we argue about a single electronic control unit (ECU) consisting of a processor (running the OSEKtime-like operating system OLOS) and a FlexRay-like interface called automotive bus controller (ABC). We extend [KP07a], among other things, by a local OLOS model [Kna08] and go into detail regarding the handling of interrupts and the treatment of devices. Second, we connect several ECUs via the ABCs and reason about the complete distributed system; see also [KP07b]. Note that the formalization of the scheduling correctness is reported in [ABK08b]. Through several abstraction layers we prove the correctness of the distributed system with respect to a new lock-step model, COA, that completely abstracts from the ABCs. By establishing the DISTR model [Kna08] it becomes possible to literally reuse the arguments from the first part of this thesis and therefore to simplify the analysis of the complete distributed system. To illustrate the applicability of DISTR, we have formally proven the top-level correctness theorem in the theorem prover Isabelle/HOL. Throughout the thesis we tie together theorems regarding the processor, the ABC, the compiler, the micro kernel, the operating system, and the worst-case execution time analysis of applications and systems software.

    Design of a New High Bandwidth Network for Agricultural Machines

    Ethernet is by now the most widely adopted bus for fast digital communications in many environments, from household entertainment to PLC robotics in industrial assembly lines. Even in the automotive industry, interest in this technology is growing, pushed forward by research and by the need for the high throughput that high-dynamics distributed control demands. Although the 100BASE-TX physical layer (PHY) does not seem to meet the EMC requirements of vehicular and heavy-duty environments, the OPEN Alliance BroadR-Reach technology (soon to become an IEEE standard as IEEE 802.3bw) is the most promising and already adopted Ethernet-compatible PHY, reaching 100 Mbps over an unshielded twisted pair. An agricultural machine is usually a system comprising a tractor and one or more implements attached to it, at the back or at the front. Nowadays, a specific CAN-based distributed control network, namely ISOBUS, defined by ISO 11783, supports treatments and applications. This work deals with architectural and technological aspects of advanced Ethernet networks in order to provide a high-throughput deterministic network for in-vehicle distributed control of agricultural machinery. Two main paths of investigation will be presented: one concerning the prioritization of standard Ethernet, taking advantage of the standard means of prioritization in well-established technologies; the other changing the channel access method of Ethernet by using an industrial fieldbus, chosen after careful investigation. The prioritization of standard Ethernet is performed at two non-mutually exclusive layers of the ISO OSI stack: at L3, using the DiffServ (formerly TOS) IP field; and at L2, using the priorities defined in IEEE 802.1p and carried in IEEE 802.1Q (VLAN) tags. These choices have several implications in the specific field of application of agricultural machines.
    The change of the access method, instead, focused on the adoption of a specific fieldbus, in order to grant deterministic access to the medium and reliable communications for safety-relevant applications. After a survey, which will be reported, the Powerlink fieldbus was chosen, and some modifications will be discussed in order to suit the scope of the research.