The Time-Triggered Architecture

Hermann Kopetz, Fellow, IEEE, and Günther Bauer

Invited Paper

Abstract: The time-triggered architecture (TTA) provides a computing infrastructure for the design and implementation of dependable distributed embedded systems. A large real-time application is decomposed into nearly autonomous clusters and nodes, and a fault-tolerant global time base of known precision is generated at every node. In the TTA, this global time is used to precisely specify the interfaces among the nodes, to simplify the communication and agreement protocols, to perform prompt error detection, and to guarantee the timeliness of real-time applications. The TTA supports a two-phased design methodology: architecture design and component design. During the architecture design phase, the interactions among the distributed components and the interfaces of the components are fully specified in the value domain and in the temporal domain. In the succeeding component implementation phase, the components are built, taking these interface specifications as constraints. This two-phased design methodology is a prerequisite for the composability of applications implemented in the TTA and for the reuse of prevalidated components within the TTA. This paper presents the architecture model of the TTA, explains the design rationale, discusses the time-triggered communication protocols TTP/C and TTP/A, and illustrates how transparent fault tolerance can be implemented in the TTA.

Keywords: Distributed systems, embedded systems, real-time systems, safety-critical systems, time-triggered architecture (TTA), TTP/C.

I. INTRODUCTION

Computer architectures establish a blueprint and a framework for the design of a class of computing systems that share a common set of characteristics. The time-triggered architecture (TTA) generates such a framework for the domain of large distributed embedded real-time systems in high-dependability environments. It sets up the computing infrastructure for the implementation of applications and provides mechanisms and guidelines to partition a large application into nearly autonomous subsystems along small and well-defined interfaces, in order to control the complexity of the evolving artifact [1]. Architecture design is thus interface design. By defining an architectural style that is observed at all component interfaces, the architecture avoids property mismatches at the interfaces and eliminates the need for unproductive glue code.

Characteristic for the TTA is the treatment of physical real time as a first-order quantity. The TTA decomposes a large embedded application into clusters and nodes and provides a fault-tolerant global time base of known precision at every node. The TTA takes advantage of the availability of this global time to precisely specify the interfaces among the nodes, to simplify the communication and agreement protocols, to perform prompt error detection, and to guarantee the timeliness of real-time applications.

Research work in the field of distributed dependable real-time computer architectures for safety-critical applications started more than 30 years ago with the design of the STAR computer [2] and the Software Implemented Fault Tolerance [3] and Fault Tolerant Multiprocessor [4] projects. These projects were carefully evaluated and gave rise to new designs about ten years later: Fault-Tolerant Parallel Processors [5], Multicomputer Architecture for Fault Tolerance [6], and the architectural concepts of the Airbus flight control system [7]. In 1992, the first paper on SAFEbus [8], the architecture that was later deployed in the Boeing 777 aircraft for flight control, became available. In excellent publications by Lala [9], Avizienis [10], Rechtin [11], and Laprie [12], the fundamental concepts and architectural principles for the design of dependable systems are clarified at about that time. For example, Lala states that "field experience with approximate voting was not at all satisfying." At about the same time, a heated debate started concerning the cost-efficiency of design diversity for the tolerance of design faults [13]-[15]. The important ARINC 178B standard [16], published in 1992, that deals with software development for safety-critical avionics systems contains no clear statement about the use of software design diversity. This issue has not been resolved until today.

In Europe, DELTA-4 [17], a research project funded by the European Strategic Programme for Research in Information Technology (ESPRIT), investigated fundamental issues in the design of distributed dependable architectures at the beginning of the 1990s and uncovered a number of fundamental concepts concerning state recovery in distributed systems. Although the research community at that time was in agreement that a conscientious architectural design phase that establishes the architectural style is of utmost importance for the development of large dependable distributed real-time systems, industrial praxis took a different view. The General Accounting Office's report [18] about the experiences with the air traffic control project, presumably the largest distributed real-time system project of its time, paints a vivid picture of the practice of system development in that period.

Amid all these research activities, the work on the TTA started in 1979 at the Technical University of Berlin with the Maintainable Architecture for Real-Time Systems (MARS) project. A first report on the MARS project [19] appeared in 1982 and was later published at the IEEE's 15th International Symposium on Fault-Tolerant Computing in 1985 [20]. After 1982, different versions of the MARS architecture have been implemented at

Manuscript received December 20, 2001; revised August 31, 2002. This work was supported in part by the European Information Society Technologies projects NEXT TTA, Fault Injection for Time-Triggered Architectures, Systems Engineering for Time-Triggered Architectures, and Dependable Systems of Systems; in part by the Time-Triggered Sensor Bus project of the government of Austria; and in part by the Defense Advanced Research Projects Agency projects Model-Based Integration of Embedded Software and Networked Embedded Software Technology.
The authors are with the Vienna University of Technology, A-1040 Vienna, Austria (e-mail: hk@vmars.tuwien.ac.at; gue@vmars.tuwien.ac.at).
Digital Object Identifier 10.1109/JPROC.2002.805821

0018-9219/03$17.00 (c) 2003 IEEE. 112 PROCEEDINGS OF THE IEEE, VOL. 91, NO. 1, JANUARY 2003