    Advanced information processing system: The Army fault tolerant architecture conceptual study. Volume 2: Army fault tolerant architecture design and analysis

    Described here is the Army Fault Tolerant Architecture (AFTA) hardware architecture and components and the operating system. The architectural and operational theory of the AFTA Fault Tolerant Data Bus is discussed. The test and maintenance strategy developed for use in fielded AFTA installations is presented. An approach to be used in reducing the probability of AFTA failure due to common mode faults is described. Analytical models for AFTA performance, reliability, availability, life cycle cost, weight, power, and volume are developed. An approach is presented for using VHSIC Hardware Description Language (VHDL) to describe and design AFTA's developmental hardware. A plan is described for verifying and validating key AFTA concepts during the Dem/Val phase. Analytical models and partial mission requirements are used to generate AFTA configurations for the TF/TA/NOE and Ground Vehicle missions.

    Computer architecture for efficient algorithmic executions in real-time systems: New technology for avionics systems and advanced space vehicles

    Improvements and advances in the development of computer architecture now provide innovative technology for recasting traditional sequential solutions into high-performance, low-cost parallel systems to increase system performance. Research conducted in the development of a specialized computer architecture for the real-time algorithmic execution of an avionics guidance and control problem is described. A comprehensive treatment of both the hardware and software structures of a customized computer which performs real-time computation of guidance commands with updated estimates of target motion and time-to-go is presented. An optimal, real-time allocation algorithm was developed which maps the algorithmic tasks onto the processing elements. This allocation is based on critical path analysis. The final stage is the design and development of the hardware structures suitable for the efficient execution of the allocated task graph. The processing element is designed for rapid execution of the allocated tasks. Fault tolerance is a key feature of the overall architecture. Parallel numerical integration techniques, task definitions, and allocation algorithms are discussed. The parallel implementation is analytically verified and the experimental results are presented. The design of the data-driven computer architecture, customized for the execution of the particular algorithm, is discussed.

    Formal techniques for verification of complex real-time systems


    Design and implementation of a modular controller for robotic machines

    This research focused on the design and implementation of an Intelligent Modular Controller (IMC) architecture designed to be reconfigurable over a robust network. The design incorporates novel communication, hardware, and software architectures. This was motivated by current industrial needs for distributed control systems due to growing demand for less complexity, more processing power, flexibility, and greater fault tolerance. To this end, three main contributions were made. Most distributed control architectures depend on multi-tier heterogeneous communication networks requiring linking devices and/or complex middleware. In this study, first, a communication architecture was proposed and implemented with a homogeneous network employing the ubiquitous Ethernet for both real-time and non-real-time communication. This was achieved by a producer-consumer coordination model for real-time data communication over a segmented network, and a client-server model for point-to-point transactions. The protocols deployed use a Time-Triggered (TT) approach to schedule real-time tasks on the network. Unlike other TT approaches, the scheduling mechanism does not need to be configured explicitly when controller nodes are added or removed. An implicit clock synchronization technique was also developed to complement the architecture. Second, a reconfigurable mechanism based on an auto-configuration protocol was developed. Modules on the network use this protocol to automatically detect one another, establish communication, and negotiate for a desired configuration. Third, the research demonstrated hardware/software co-design as a contribution to the growing discipline of mechatronics. The IMC consists of a motion controller board designed and prototyped in-house, and a Java microcontroller. An IMC is mapped to each machine/robot axis, and an additional IMC can be configured to serve as a real-time coordinator.
The entire architecture was implemented in Java, thus reinforcing uniformity, simplicity, modularity, and openness. Evaluation results showed the potential of the flexible controller to meet medium to high performance machining requirements.

    A flexible high-density sensor network

    Thesis (M. Eng.) -- Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2008. Includes bibliographical references (p. 171-174). This thesis explores building and deploying a scalable electronic sensate skin that was designed as a dense sensor network. Our skin is built from small (1" x 1") rigid circuit boards attached to their neighbors with flexible interconnects. Each board contained an embedded processor together with a suite of thirteen sensors, providing dense, multimodal capture of proximate and contact phenomena. In addition to the design of the physical system, this thesis develops protocols for internode communication (both neighbor-neighbor and global), and power-efficient wake-on-phenomena operation. The system was rigorously tested with an array of up to 4x3 nodes subject to a variety of sensor stimuli. Although there were some robustness issues in the final design (particularly in the wired interconnects, which were not the focus of this thesis work), the skin that we developed showed good flexibility for a prototype, ran quickly and efficiently, and could detect and respond to a variety of stimuli. By Behram Farrokh Thomas Mistree. M.Eng.

    Safety Assurance in Interlocking Design

    This thesis takes a pedagogical stance in demonstrating how results from theoretical computer science may be applied to yield significant insight into the behaviour of the devices computer systems engineering practice seeks to put in place, and that this is immediately attainable with the present state of the art. The focus for this detailed study is provided by the type of solid state signalling systems currently being deployed throughout mainline British railways. Safety and system reliability concerns dominate in this domain. With such motivation, two issues are tackled: the special problem of software quality assurance in these data-driven control systems, and the broader problem of design dependability. In the former case, the analysis is directed towards proving safety properties of the geographic data which encode the control logic for the railway interlocking; the latter examines the fidelity of the communication protocols upon which the distributed control system depends. The starting point for both avenues of attack is a mathematical model of the interlocking logic that is derived by interpreting the geographic data in process algebra. Thus, the emphasis is on the semantics of the programming language in question, and the kinds of safety properties which can be expressed as invariants of the system's ongoing behaviour. Although the model so derived turns out to be too concrete to be effectual in program verification in general, a careful analysis of the safety proof reveals a simple co-induction argument that leads to a highly efficient proof methodology. From this understanding it is straightforward to mechanise the safety arguments, and a prototype verification system is realised in higher-order logic which uses the proof tactics of the theorem prover to achieve full automation. The other line of inquiry considers whether the integrity of the overall design that coordinates the activities of many concurrent control elements can be compromised. 
Therefore, the formal model is developed to specifically answer safety-related concerns about the protocol employed to achieve distributed control in the management of larger railway networks. The exercise reveals that moderately serious design flaws do exist, but the real value of the mathematical model is twofold: it makes explicit one's assumptions about the conditions under which the faults can and cannot be activated, and it provides a framework in which to prove that a simple modification to the design recovers complete security at negligible cost to performance.

    On the Secure and Resilient Design of Connected Vehicles: Methods and Guidelines

    Vehicles have come a long way from being purely mechanical systems to systems that consist of an internal network of more than 100 microcontrollers and systems that communicate with external entities, such as other vehicles, road infrastructure, the manufacturer's cloud and external applications. This combination of resource constraints, safety-criticality, large attack surface and the fact that millions of people own and use them each day makes securing vehicles particularly challenging, as security practices and methods need to be tailored to meet these requirements. This thesis investigates how security demands should be structured to ease discussions and collaboration between the involved parties and how requirements engineering can be accelerated by introducing generic security requirements. Practitioners are also assisted in choosing appropriate techniques for securing vehicles by identifying and categorising security and resilience techniques suitable for automotive systems. Furthermore, three specific mechanisms for securing automotive systems and providing resilience are designed and evaluated. The first part focuses on cyber security requirements and the identification of suitable techniques based on three different approaches, namely (i) providing a mapping to security levels based on a review of existing security standards and recommendations; (ii) proposing a taxonomy for resilience techniques based on a literature review; and (iii) combining security and resilience techniques to protect automotive assets that have been subject to attacks. The second part presents the design and evaluation of three techniques. First, an extension for an existing freshness mechanism to protect the in-vehicle communication against replay attacks is presented and evaluated.
Second, a trust model for Vehicle-to-Vehicle communication is developed with respect to cyber resilience to allow a vehicle to include trust in neighbouring vehicles in its decision-making processes. Third, a framework is presented that enables vehicle manufacturers to protect their fleet by detecting anomalies and security attacks using vehicle trust and the available data in the cloud.

    How To Touch a Running System

    The increasing importance of distributed and decentralized software architectures entails more and more attention for adaptive software. Obtaining adaptiveness, however, is a difficult task, as the software design needs to foresee and cope with a variety of situations. Using reconfiguration of components facilitates this task, as the adaptivity is conducted on an architecture level instead of directly in the code. This results in a separation of concerns: the appropriate reconfiguration can be devised on a coarse level, while the implementation of the components can remain largely unaware of reconfiguration scenarios. We study reconfiguration in component frameworks based on formal theory. We first discuss programming with components, exemplified with the development of the cmc model checker. This highly efficient model checker is made of C++ components and serves as an example for component-based software development practice in general, and also provides insights into the principles of adaptivity. However, the component model focuses on high performance and is not geared towards using the structuring principle of components for controlled reconfiguration. We thus complement this highly optimized model by a message passing-based component model which takes reconfigurability to be its central principle. Supporting reconfiguration in a framework is about relieving the programmer of the peculiarities as much as possible. We utilize the formal description of the component model to provide an algorithm for reconfiguration that retains as much flexibility as possible, while avoiding most problems that arise due to concurrency. This algorithm is embedded in a general four-stage adaptivity model inspired by physical control loops. The reconfiguration is devised to work with stateful components, retaining their data and unprocessed messages.
Reconfiguration plans, which are provided with a formal semantics, form the input of the reconfiguration algorithm. We show that the algorithm achieves perceived atomicity of the reconfiguration process for an important class of plans, i.e., the whole process of reconfiguration is perceived as one atomic step, while minimizing the use of blocking of components. We illustrate the applicability of our approach to reconfiguration by providing several examples such as fault tolerance and automated resource control.

    Wake-up radio systems: design, development, performance evaluation and comparison to conventional medium access control protocols for wireless sensor networks

    During recent years, research related to Wake-up Radio (WuR) systems has gained noticeable interest. In WuR systems, a node initiating a communication first sends a Wake-up Call (WuC) by means of its Wake-up Transmitter (WuTx) to the Wake-up Receiver (WuRx) of a remote node to activate it in an on-demand manner. Until the reception of the WuC, the node's MCU and main data transceiver are in sleep mode. Hence, WuR systems drastically reduce the power required by wireless nodes. This thesis provides a complete analysis of several WuR designs vs. conventional MAC protocols for Wireless Sensor Networks (WSN). The research is performed in an incremental fashion and includes hardware, software and simulation topics. WuR systems enable energy savings in plenty of different applications, e.g., retrieving information from environmental pollution sensors placed in a city by a mobile collector node, or activating a sleeping wireless AP. They are easy to program and provide implicit synchronization. However, achieving a good WuRx design may become a challenge because power amplifiers cannot be used for the sake of energy. The system proposed in chapter 2 is a successful WuR system prototype. The so-called SµA-WuRx is less complex than commercial WuR systems, it is cheaper from the monetary point of view, requires several times less energy and allows for up to 15 meters of communication, an adequate value for WuR systems. However, the system can be improved by including several desirable features, such as longer operational ranges and/or addressing mechanisms. The so-called Time-Knocking (TicK) addressing strategy, analyzed in chapter 3, enables energy-efficient node addressing by varying the time between WuCs received by an MCU. TicK allows for variable-length addresses and multicast. A single WuR system may not fit every possible application.
Thus, while the SµA-WuRx and TicK efficiently solved many of the requirements of single-hop and data-collector applications, they lack flexibility. Instead, the SCM-WuR systems in chapter 4 feature an outstanding trade-off between hardware complexity, current consumption and operational range, and even enable multi-hop wake-up for collecting measurements from distant sensors. To contextualize the WuR systems developed, chapter 5 provides an overview of the most important WuR systems as of 2014. Developing a MAC protocol which performs acceptably in a wide range of diverse applications is a very difficult task. Comparatively, SCM-WuR systems perform properly in all the use cases (single- and multi-hop) presented in chapter 6. Bluetooth Low Energy, or BLE, appears as a duty-cycled MAC protocol mainly targeting single-hop applications. Because of its clearly defined use cases and its integration with its upper application layers, BLE appears as an extremely energy-efficient protocol that cannot be easily replaced by WuR. Because of all these aspects, the performance of BLE is analyzed in chapter 7. Finally, chapter 8 tries to solve one of the issues affecting WuR systems, that is, the need for extra hardware. While this issue seems difficult to solve for WuRx, the chapter provides ideas to use IEEE 802.11-enabled devices as WuTx.

    In recent years, research on Wake-up Radio (WuR) systems has attracted notable interest. In these systems, a node initiates wireless communication by transmitting a Wake-up Call (WuC), by means of its Wake-up Transmitter (WuTx), addressed to the Wake-up Receiver (WuRx) of the remote node. This WuC activates the remote node, whose microcontroller (MCU) and main radio have been able to remain in sleep mode until that moment. Thus, WuR systems allow a drastic saving in the energy required by wireless nodes.
This thesis proposes different WuR systems and compares them with existing MAC protocols for Wireless Sensor Networks (WSN). The research is carried out progressively and includes hardware, software and simulation. WuR systems enable notable energy savings in many applications: collection of environmental information, remote activation of Wi-Fi access points, etc. They are easy to program in software and provide implicit synchronization between nodes. Unfortunately, minimal energy consumption rules out the use of power amplifiers, and designing them becomes a challenge. The system presented in chapter 2 is a successful WuR system prototype. Named SµA-WuR, it is simpler than commercial alternatives, cheaper, requires less energy and allows longer WuR communication distances, of up to 15 meters. The Time-Knocking addressing strategy, presented in chapter 3, gives the aforementioned SµA-WuR a way to specify the addressed node, enabling energy savings at the network level. TicK operates by encoding the time between different WuCs. Depending on the time between intervals, the desired node(s) wake up in an extremely efficient way. Despite its benefits, there are applications that cannot be implemented with the SµA-WuR system. For this reason, chapter 4 presents the SCM-WuR system, which offers an operating range of 40 to 100 meters in exchange for minimal added hardware complexity. SCM-WuR covers the range of applications of the SµA-WuRx system, as well as those that require multi-hop at the WuR level. Chapter 5 of the thesis compares the two previous WuR systems against the most important proposals up to 2014. Chapter 6 includes a complete simulation framework with the foundations for replacing duty-cycling-based systems with WuR.
Since developing a MAC protocol that performs acceptably well in a multitude of applications is a practically impossible task, the WuR systems presented earlier and modelled in this chapter represent a versatile, interesting and far more energy-efficient solution. Bluetooth Low Energy, or Smart, or BLE, represents a specific application case where, because of its deep integration at the application level, replacement by WuR systems becomes difficult. For this reason, and because it is an extremely energy-efficient MAC protocol, this thesis contains a complete characterization of BLE in chapter 7. Finally, chapter 8 solves one of the drawbacks of WuR systems, the design of specific WuTx, by presenting a strategy to turn any IEEE 802.11 device into a WuTx.