897 research outputs found
Centralized vs distributed communication scheme on switched ethernet for embedded military applications
Current military communication network is a generation
old and is no longer effective in meeting the emerging
requirements imposed by the future embedded military applications. Therefore, a new interconnection system is needed to overcome these limitations. Two new communication networks based upon Full Duplex Switched Ethernet are presented herein in this aim. The first one uses a distributed communication scheme where equipments can emit their data simultaneously, which clearly improves system’s throughput and flexibility. However, migrating all existing applications into a compliant form could be an expensive step. To avoid this process, the second proposal consists in keeping the current centralized communication scheme. Our objective is to assess and compare the real time
guarantees that each proposal can offer. The paper includes the functional description of each proposed communication network and a military avionic application to highlight proposals ability to support the required time constrained communications
Using FTT-CAN to the Flexible Control of Bus Redundancy and Bandwidth Usage
DETIController Area Network (CAN) is a popular and very well-known bus system, both in
academia and in industry, initially targeted to automotive applications as a single
digital bus to replace the wiring that were growing complexity, weight and cost with
the advent of new automotive appliances. However, requirements have evolved and
CAN’s dependability and bandwidth limitations led to the emergence of alternative
networks such as FlexRay and TTP/C. Nevertheless, we believe that it is possible to
improve CAN so it could fulfill contemporary requirements. This paper proposes the
use of Flexible Time-Triggered CAN (FTT-CAN) to increase the available bandwidth
while providing fault tolerance in CAN based systems with multiple buses. The
architecture and flexibility of FTT based systems enables a tight yet flexible control of
redundancy and bandwidth usage without increasing the complexity of the nodes. In
this novel solution, a FTT-CAN Master controls the dispatching of messages among a
set of independent buses. The Master can react online to bus failures switching the
transmission of critical messages to a non-faulty bus, always keeping a predetermined
redundancy level
Flexible Bus Media Redundancy
DETIThis paper proposes a flexible approach to bus media
redundancy in Controller Area Network (CAN) fieldbuses,
both to improve the bandwidth by transmitting different
traffic in different channels or to promote redundancy by
transmitting the same message in more than one channel.
Specifically the proposed solution is discussed in the context
of Flexible Time-Triggered protocol over CAN (FTTCAN)
and inherits the online scheduling flexibility of FTTCAN,
enabling on-the-fly modifications of the traffic conveyed
in the replicated buses. Flexible bus media redundancy
is useful to fulfill application requirements in terms
of additional bandwidth or to react to bus failures leading
the system to a degraded operational mode, without compromising
safety. The arguments for and against flexible
bus media redundancy in the context of FTT-CAN are also
discussed in detail
Controller Area Network
Controller Area Network (CAN) is a popular and very well-known bus system, both in academia and in industry. CAN protocol was introduced in the mid eighties by Robert Bosch GmbH [7] and it was internationally standardized in 1993 as ISO 11898-1 [24]. It was initially designed to distributed automotive control systems, as a single digital bus to replace traditional point-to-point cables that were growing in complexity, weight and cost with the introduction of new electrical and electronic systems. Nowadays CAN is still used extensively in automotive applications, with an excess of 400 million CAN enabled microcontrollers manufactured each year [14].
The widespread and successful use of CAN in the automotive industry, the low cost asso- ciated with high volume production of controllers and CAN's inherent technical merit, have driven to CAN adoption in other application domains such as: industrial communications,
medical equipment, machine tool, robotics and in distributed embedded systems in general.
CAN provides two layers of the stack of the Open Systems Interconnection (OSI) reference model: the physical layer and the data link layer. Optionally, it could also provide an additional application layer, not included on the CAN standard. Notice that CAN physical layer was not dened in Bosch original specication, only the data link layer was dened. However, the CAN ISO specication lled this gap and the physical layer was then fully specied. CAN is a message-oriented transmission protocol, i.e., it denes message contents rather than nodes and node addresses. Every message has an associated message identier, which is unique within the whole network, dening both the content and the priority of the message. Transmission rates are dened up to 1 Mbps.
The large installed base of CAN nodes with low failure rates over almost two decades, led to the use of CAN in some critical applications such as Anti-locking Brake Systems (ABS) and Electronic Stability Program (ESP) in cars. In parallel with the wide dissemination of CAN in industry, the academia also devoted a large eort to CAN analysis and research, making CAN one of the must studied eldbuses. That is why a large number of books or book chapters describing CAN were published. The rst CAN book, written in French by D. Paret, was published in 1997 and presents the CAN basics [32]. More implementation oriented approaches, including CAN node implementation and application examples, can be found in Lorenz [28] and in Etschberger [16], while more compact descriptions of CAN can be found in [11] and in some chapters of [31].
Despite its success story, CAN application designers would be happier if CAN could be made faster, cover longer distances, be more deterministic and more dependable [34]. Over the years, several protocols based in CAN were presented, taking advantage of some CAN properties and trying to improve some known CAN drawbacks. This chapter, besides presenting an overview of CAN, describes also some other relevant higher level protocols based on CAN, such as CANopen [13], DeviceNet [6], FTT-CAN [1] and TTCAN [25]
In-vehicle communication networks : a literature survey
The increasing use of electronic systems in automobiles instead of mechanical and hydraulic parts brings about advantages by decreasing their weight and cost and providing more safety and comfort. There are many electronic systems in modern automobiles like antilock braking system (ABS) and electronic brakeforce distribution (EBD), electronic stability program (ESP) and adaptive cruise control (ACC). Such systems assist the driver by providing better control, more comfort and safety. In addition, future x-by-wire applications aim to replace existing braking, steering and driving systems. The developments in automotive electronics reveal the need for dependable, efficient, high-speed and low cost in-vehicle communication. This report presents the summary of a literature survey on in-vehicle communication networks. Different in-vehicle system domains and their requirements are described and main invehicle communication networks that have been used in automobiles or are likely to be used in the near future are discussed and compared with key references
Using CAN to retrofit houses for quadriplegic people
DETIThis paper describes the B-Live® system targetted to automate house appliances for
severely impaired people, in particular quadriplegic. This system has been developed
at Micro I/O for enhancing the quality of life and the independence of its potential
users. The envisaged application is the retrofitting of common dwellings.
The B-Live system is described and details on its software, hardware and CAN-based
communications architecture are provided. A survey of the supported appliances and
interfaces is presented as well as a description of the B-live configuration and
operation procedures. The adequacy of the B-Live system to improve the autonomy of
the envisaged users was informally evaluated by C5 and C6 patients at a
demonstration house located in the CMRRC Rovisco Pais, a rehabilitation center near
Aveiro, in Portugal. The conclusion is that the system has a short learning curve and
can cope with the requirements of its potential users. The use of CAN in this
application opens the possibility to include safety critical real-time systems in the BLive system. This is the case of the monitoring of the ventilator used for quadriplegic people that require breath assistance
Towards Efficient Transient Fault Handling in Time-Triggered Systems
DETITransient communication faults in distributed control systems
(DCS) are unavoidable but must be handled adequately in order to
enforce correct system behaviour. A typical way of handling transient
faults is temporal redundancy by means of retransmissions. However,
DCS are frequently designed with time-triggered architectures, being
scheduled offline and not coping efficiently with retransmissions as these
require the pre-allocation of bandwidth that, in the absence of errors, is
wasted. In this paper we propose using the Flexible Time-Triggered
paradigm to reconcile the Time-Triggered model with on-line scheduling
of retransmissions when needed, only, leading to an efficient bandwidth
usage. This is confirmed with preliminary experimental results obtained
on an FTT-CAN network
Tolerância a falhas em sistemas de comunicação de tempo-real flexÃveis
Nas últimas décadas, os sistemas embutidos distribuÃdos, têm sido usados em
variados domÃnios de aplicação, desde o controlo de processos industriais até
ao controlo de aviões e automóveis, sendo expectável que esta tendência se
mantenha e até se intensifique durante os próximos anos.
Os requisitos de confiabilidade de algumas destas aplicações são
extremamente importantes, visto que o não cumprimento de serviços de uma
forma previsÃvel e pontual pode causar graves danos económicos ou até pôr
em risco vidas humanas.
A adopção das melhores práticas de projecto no desenvolvimento destes
sistemas não elimina, por si só, a ocorrência de falhas causadas pelo
comportamento não determinÃstico do ambiente onde o sistema embutido
distribuÃdo operará. Desta forma, é necessário incluir mecanismos de
tolerância a falhas que impeçam que eventuais falhas possam comprometer
todo o sistema.
Contudo, para serem eficazes, os mecanismos de tolerância a falhas
necessitam ter conhecimento a priori do comportamento correcto do sistema
de modo a poderem ser capazes de distinguir os modos correctos de
funcionamento dos incorrectos.
Tradicionalmente, quando se projectam mecanismos de tolerância a falhas, o
conhecimento a priori significa que todos os possÃveis modos de
funcionamento são conhecidos na fase de projecto, não os podendo adaptar
nem fazer evoluir durante a operação do sistema. Como consequência, os
sistemas projectados de acordo com este princÃpio ou são completamente
estáticos ou permitem apenas um pequeno número de modos de operação.
Contudo, é desejável que os sistemas disponham de alguma flexibilidade de
modo a suportarem a evolução dos requisitos durante a fase de operação,
simplificar a manutenção e reparação, bem como melhorar a eficiência usando
apenas os recursos do sistema que são efectivamente necessários em cada
instante. Além disto, esta eficiência pode ter um impacto positivo no custo do
sistema, em virtude deste poder disponibilizar mais funcionalidades com o
mesmo custo ou a mesma funcionalidade a um menor custo.
Porém, flexibilidade e confiabilidade têm sido encarados como conceitos
conflituais.
Isto deve-se ao facto de flexibilidade implicar a capacidade de permitir a
evolução dos requisitos que, por sua vez, podem levar a cenários de operação
imprevisÃveis e possivelmente inseguros. Desta fora, é comummente aceite
que apenas um sistema completamente estático pode ser tornado confiável, o
que significa que todos os aspectos operacionais têm de ser completamente
definidos durante a fase de projecto.
Num sentido lato, esta constatação é verdadeira. Contudo, se os modos como
o sistema se adapta a requisitos evolutivos puderem ser restringidos e
controlados, então talvez seja possÃvel garantir a confiabilidade permanente
apesar das alterações aos requisitos durante a fase de operação.
A tese suportada por esta dissertação defende que é possÃvel flexibilizar um
sistema, dentro de limites bem definidos, sem comprometer a sua
confiabilidade e propõe alguns mecanismos que permitem a construção de
sistemas de segurança crÃtica baseados no protocolo Controller Area Network
(CAN). Mais concretamente, o foco principal deste trabalho incide sobre o
protocolo Flexible Time-Triggered CAN (FTT-CAN), que foi especialmente
desenvolvido para disponibilizar um grande nÃvel de flexibilidade operacional
combinando, não só as vantagens dos paradigmas de transmissão de
mensagens baseados em eventos e em tempo, mas também a flexibilidade
associada ao escalonamento dinâmico do tráfego cuja transmissão é
despoletada apenas pela evolução do tempo.
Este facto condiciona e torna mais complexo o desenvolvimento de
mecanismos de tolerância a falhas para FTT-CAN do que para outros
protocolos como por exemplo, TTCAN ou FlexRay, nos quais existe um
conhecimento estático, antecipado e comum a todos os nodos, do
escalonamento de mensagens cuja transmissão é despoletada pela evolução
do tempo.
Contudo, e apesar desta complexidade adicional, este trabalho demonstra que
é possÃvel construir mecanismos de tolerância a falhas para FTT-CAN
preservando a sua flexibilidade operacional.
É também defendido nesta dissertação que um sistema baseado no protocolo
FTT-CAN e equipado com os mecanismos de tolerância a falhas propostos é
passÃvel de ser usado em aplicações de segurança crÃtica.
Esta afirmação é suportada, no âmbito do protocolo FTT-CAN, através da
definição de uma arquitectura tolerante a falhas integrando nodos com modos
de falha tipo falha-silêncio e nodos mestre replicados.
Os vários problemas resultantes da replicação dos nodos mestre são, também
eles, analisados e várias soluções são propostas para os obviar.
Concretamente, é proposto um protocolo que garante a consistência das
estruturas de dados replicadas a quando da sua actualização e um outro
protocolo que permite a transferência dessas estruturas de dados para um
nodo mestre que se encontre não sincronizado com os restantes depois de
inicializado ou reinicializado de modo assÃncrono.
Além disto, esta dissertação também discute o projecto de nodos FTT-CAN
que exibam um modo de falha do tipo falha-silêncio e propõe duas soluções
baseadas em componentes de hardware localizados no interface de rede de
cada nodo, para resolver este problema. Uma das soluções propostas baseiase
em bus guardians que permitem a imposição de comportamento falhasilêncio
nos nodos escravos e suportam o escalonamento dinâmico de tráfego
na rede. A outra solução baseia-se num interface de rede que arbitra o acesso
de dois microprocessadores ao barramento. Este interface permite que a
replicação interna de um nodo seja efectuada de forma transparente e
assegura um comportamento falha-silêncio quer no domÃnio temporal quer no
domÃnio do valor ao permitir transmissões do nodo apenas quando ambas as
réplicas coincidam no conteúdo das mensagens e nos instantes de
transmissão. Esta última solução está mais adaptada para ser usada nos
nodos mestre, contudo também poderá ser usada nos nodos escravo, sempre
que tal se revele fundamental.Distributed embedded systems (DES) have been widely used in the last few
decades in several application fields, ranging from industrial process control to
avionics and automotive systems. In fact, it is expectable that this trend will
continue over the years to come.
In some of these application domains the dependability requirements are of
utmost importance since failing to provide services in a timely and predictable
manner may cause important economic losses or even put human life in risk.
The adoption of the best practices in the design of distributed embedded
systems does not fully avoid the occurrence of faults, arising from the nondeterministic
behavior of the environment where each particular DES operates.
Thus, fault-tolerance mechanisms need to be included in the DES to prevent
possible faults leading to system failure.
To be effective, fault-tolerance mechanisms require an a priori knowledge of
the correct system behavior to be capable of distinguishing them from the
erroneous ones.
Traditionally, when designing fault-tolerance mechanisms, the a priori
knowledge means that all possible operational modes are known at system
design time and cannot adapt nor evolve during runtime. As a consequence,
systems designed according to this principle are either fully static or allow a
small number of operational modes only. Flexibility, however, is a desired
property in a system in order to support evolving requirements, simplify
maintenance and repair, and improve the efficiency in using system resources
by using only the resources that are effectively required at each instant. This
efficiency might impact positively on the system cost because with the same
resources one can add more functionality or one can offer the same
functionality with fewer resources.
However, flexibility and dependability are often regarded as conflicting
concepts. This is so because flexibility implies the ability to deal with evolving
requirements that, in turn, can lead to unpredictable and possibly unsafe
operating scenarios. Therefore, it is commonly accepted that only a fully static
system can be made dependable, meaning that all operating conditions are
completely defined at pre-runtime.
In the broad sense and assuming unbounded flexibility this assessment is true,
but if one restricts and controls the ways the system could adapt to evolving
requirements, then it might be possible to enforce continuous dependability.
This thesis claims that it is possible to provide a bounded degree of flexibility
without compromising dependability and proposes some mechanisms to build
safety-critical systems based on the Controller Area Network (CAN).
In particular, the main focus of this work is the Flexible Time-Triggered CAN
protocol (FTT-CAN), which was specifically developed to provide such high
level of operational flexibility, not only combining the advantages of time- and
event-triggered paradigms but also providing flexibility to the time-triggered
traffic. This fact makes the development of fault-tolerant mechanisms more
complex in FTT-CAN than in other protocols, such as TTCAN or FlexRay, in
which there is a priori static common knowledge of the time-triggered message
schedule shared by all nodes. Nevertheless, as it is demonstrated in this work,
it is possible to build fault-tolerant mechanisms for FTT-CAN that preserve its
high level of operational flexibility, particularly concerning the time-triggered
traffic. With such mechanisms it is argued that FTT-CAN is suitable for safetycritical
applications, too.
This claim was validated in the scope of the FTT-CAN protocol by presenting a
fault-tolerant system architecture with replicated masters and fail-silent nodes.
The specific problems and mechanisms related with master replication,
particularly a protocol to enforce consistency during updates of replicated data
structures and another protocol to transfer these data structures to an
unsynchronized node upon asynchronous startup or restart, are also
addressed.
Moreover, this thesis also discusses the implementations of fail-silence in FTTCAN
nodes and proposes two solutions, both based on hardware components
that are attached to the node network interface. One solution relies on bus
guardians that allow enforcing fail-silence in the time domain. These bus
guardians are adapted to support dynamic traffic scheduling and are fit for use
in FTT-CAN slave nodes, only. The other solution relies on a special network
interface, with duplicated microprocessor interface, that supports internal
replication of the node, transparently. In this case, fail-silence can be assured
both in the time and value domain since transmissions are carried out only if
both internal nodes agree on the transmission instant and message contents.
This solution is well adapted for use in the masters but it can also be used, if
desired, in slave nodes
- …