UT EE 382C - Time Triggered Protocol


France & Curtis 1 EE382C: Embedded Systems Software

Time Triggered Protocol (TTP/C): A Safety-Critical System Protocol
Howard Curtis and Robert France
EE382C Literature Survey (October 24, 1999)
******************************

Abstract

This paper examines the Time Triggered Protocol (TTP) for the support of distributed real-time systems, which has recently emerged from research into the commercial world, and TTP/C, a variant of TTP for safety-critical systems that is coming into use in the automotive industry. The culmination of more than 20 years of effort, TTP has been the focus of more than 100 master's-level theses and 25 doctoral dissertations. [1] In the sections that follow, we begin by discussing several requirements of embedded safety-critical systems. Next we will describe TTP/C and many of its key features and compare these features to those of the Controller Area Network (CAN) protocol, which is currently used in automotive systems. This comparison will illustrate why TTP/C, the first instantiation of a TTP primarily for use in automotive systems, is the first protocol to qualify as a SAE (Society of Automotive Engineers) Class C protocol. [2] Finally, we will examine the current state of simulation and modeling of TTP-based systems. As part of this examination the authors will outline a proposed approach to high-level modeling of TTP systems.

Introduction

The trend to replace expensive, inefficient mechanical systems with more cost-effective, highly featured electronic systems has been increasing in the automotive sector since the first replacement of electro-mechanical engine management more than 20 years ago. However, the use of all-electronic systems in safety-critical applications such as braking or steering requires new technologies and more sophisticated engineering practices.

TTP/C is a protocol based on the TTP (Time-Triggered Protocol) and implemented so that it meets the SAE requirements for a Class C automotive protocol.
Class C protocols are suitable for high-speed, single-failure operational safety-critical applications. The protocols currently used by automotive engineers, such as the J1850 family and CAN, are suitable only for Class A and Class B systems, which are subject to less rigorous requirements. TTP/C is the first protocol to meet the additional safety-critical requirements of Class C. The first class of applications in development using TTP/C are the ‘X-by-wire’ applications, such as brake-by-wire, in which all-hydraulic and mechanical systems are replaced by electronics. [3]

The MARS Project and Its Follow-ons

The origins of the Time-Triggered Protocol (TTP), and its derivative TTP/C for use in safety-critical systems, are found in the European Commission funded MARS (Maintainable Real-time System) Project, which began in 1979. The motivation for the project was the insight that within 20 years it would become possible to implement a node of a distributed real-time system in a single chip, and that this chip would be inexpensive. The original MARS architecture includes node clusters, fault-tolerant units, nodes, tasks, and a fault-tolerant global time base, all of which is consistent with present-day TTP. In addition, the notion of using fail-silent behavior mechanisms when faults are detected has been a key concept from the beginning of MARS. The researcher who has led the development effort on TTP and TTP/C is Dr. Hermann Kopetz of the Technical University of Vienna. [4]

In 1989, the follow-on project Predictably Dependable Computer Systems (PDCS) was initiated under the European Esprit Program. PDCS involved creating a prototype of PDCS and then testing this through fault-injection experiments conducted at three European universities. (HC2) More recently still, a third project called “Safety Related Fault Tolerant Systems in Vehicles” (referred to as the “X-by-Wire” Project for short) was funded under the EC program Brite-EuRam III.
The X-by-Wire Project has specifically explored the application of TTP/C-based systems in the automotive sector. Participants are Daimler-Benz Research, Fiat Research Center, Ford Europe, Volvo, Bosch, Magneti Marelli, Mecel, the University of Chalmers, and the Vienna University of Technology. [5]

Embedded Safety-Critical Systems and TTP/C

The Time-Triggered Domain versus the Event Triggered Domain: The two most common domains employed in the development of transportation systems are event triggered and time triggered. Until TTP/C, time-triggered domain engineering has been primarily used in the aerospace industry, where propulsion and navigation systems must be highly reliable and fault tolerant. However, aerospace systems such as those based on the ARINC standards are too complex and costly for use in automobiles. Event-triggered methods have been the primary tool of engineers in automotive control electronics.

At the highest level, event-triggered systems advance in response to a sequence of events. Because the occurrence of these events is not time determinant, the system’s behavior is not predictable in time. In fact, functional predictability is also lessened, as event-triggered systems are not temporally composable. By contrast, a time-triggered system is driven by a globally synchronized clock. Thus the behavior of the nodes can be specified in time as well as by functionality.

Classes of Safety-Critical Protocols: The SAE multiplex specifications define three classes of multiplex protocols. Class A protocols have the lowest requirements both in terms of performance and features. They are primarily intended for use in automotive body electronic applications where the performance and feature requirements are the lowest. Cost is the driving factor in Class A applications. Class B is suitable for high-speed applications such as engine management, which demand up to 1 megabit/sec. However, determinism and other safety-related requirements are still not imposed.
Class C is the most demanding protocol family, and includes several key safety-related features, such as protection against babbling idiots, deterministic behavior in all cases, low and bounded latency, and distributed clock synchronization. [6,7] These concepts will be described in more detail in the discussion of TTP characteristics and comparison to CAN below.

A principal reason that TTP/C is the first protocol to qualify as Class C is that the previous protocols are all event triggered. Event-triggered systems are susceptible to several
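
The contrast drawn above between the event-triggered and time-triggered domains, and the Class C requirement of protection against babbling idiots, can be seen in a small bus model. This is an added example, not part of the paper; it assumes a simplified slot-level bus in which event-triggered access is lowest-id-wins arbitration and time-triggered access is a fixed round-robin slot table, and the node ids, periods and fault are constructed.

```python
# Added illustration, not from the paper: a slot-level model of one shared bus.
# Node ids, periods and the babbling fault below are constructed sample data.

def event_triggered(requests, horizon):
    """Priority arbitration: each slot, the pending frame from the lowest
    node id wins. Returns {node: worst latency in slots, or None if starved}."""
    pending, worst = [], {}
    for t in range(horizon):
        pending += [(n, t) for n, slots in requests.items() if t in slots]
        if pending:
            n, queued = min(pending)            # lowest id first, then oldest
            pending.remove((n, queued))
            worst[n] = max(worst.get(n, 0), t - queued + 1)
    for n, _ in pending:                        # frames never transmitted
        worst[n] = None
    return worst

def time_triggered(requests, horizon):
    """TDMA: slot t belongs to node t % N and only that node may transmit."""
    nodes = sorted(requests)
    queues, worst = {n: [] for n in nodes}, {}
    for t in range(horizon):
        for n in nodes:
            if t in requests[n]:
                queues[n].append(t)
        owner = nodes[t % len(nodes)]
        if queues[owner]:                       # send the owner's oldest frame
            worst[owner] = max(worst.get(owner, 0),
                               t - queues[owner].pop(0) + 1)
    for n in nodes:                             # backlog left at the end
        if queues[n]:
            worst[n] = None
    return worst

HORIZON = 24
# Nodes 0 and 1 queue a frame every 3 slots; node 2 (say, a brake sensor) every 6.
HEALTHY = {0: set(range(0, HORIZON, 3)), 1: set(range(0, HORIZON, 3)),
           2: set(range(0, HORIZON, 6))}
# Fault: node 0 "babbles", queuing a frame in every slot.
BABBLING = {**HEALTHY, 0: set(range(HORIZON))}

if __name__ == "__main__":
    for name, load in (("healthy", HEALTHY), ("babbling", BABBLING)):
        print(name, event_triggered(load, HORIZON), time_triggered(load, HORIZON))
```

With the healthy load both policies give the same worst-case latencies; under the babbling fault the arbitration model starves nodes 1 and 2, while the slot table keeps their latency unchanged and confines the backlog to the faulty node.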

