UT EE 382C - The Modeling and Simulation of an Automotive Braking System Using the TTP/C Protocol


The Modeling and Simulation of an Automotive Braking System Using the TTP/C Protocol

Robert France and Howard Curtis (EE382C – Embedded Software Systems)

Abstract: TTP/C, which represents one variant of the Time-Triggered Protocol (TTP), is designed to address safety-critical real-time control systems in the automotive sector. Of high interest in analyzing TTP/C, given its emphasis on “x-by-wire” environments wherein electronic control systems do not have hydraulic or mechanical back-up components, are the aspects of the TTP/C protocol and architecture which concern themselves with reliability and fault tolerance. In this paper, the authors briefly discuss the key safety-related constructs of TTP/C. An experimental project in which a TTP/C-based braking system was simulated in software, with particular emphasis on the behavior of the “bus guardian,” is then described and analyzed.

The sections of this report cover the following topics: (1) description of the requirements of the SAE Class C specification for safety-critical systems; (2) overview of the reliability-related aspects of the TTP/C protocol and architecture, including the bus guardian; (3) summary of modeling and simulation work in TTP/C reported in the literature; (4) description of the objectives and approaches of the modeling and simulation work conducted in this project; (5) opportunities for future investigation; and (6) summary and conclusions.

Key Papers:

For the Literature Review portion of our project, the following represent three key papers:

>> Ross Bannatyne, “Time Triggered Protocol: TTP/C,” Embedded Systems Programming, March 1999, pp. 76-86.
>> Hermann Kopetz, “Should Responsive Systems be Event-Triggered or Time-Triggered?”, IEICE Transactions in Information & Systems, Vol. E76-D, No. 11 (November 1993), pp. 1325-1332.
>> Hermann Kopetz, Real-Time Systems: Design Principles for Distributed Embedded Applications, Kluwer Academic Publishers, Norwell (MA), 1997. (Monograph)

For the Simulation and Modeling portion of our project, the following represent three key papers:

>> Elmar Dilger, Thomas Fuhrer, and Bernd Muller, “The X-By-Wire Concept: Time-Triggered Information Exchange and Fail Silence Support by New System Services,” Advances in Safety Technology, Society of Automotive Engineers, 1998, pp. 141-149.
>> B. Hedenetz and R. Belschner, “Brake-by-Wire Without Mechanical Backup by Using a TTP-Communication Network,” SAE International Congress and Exposition (Detroit, Michigan), 1998, pp. 1-9.
>> Hermann Kopetz, Real-Time Systems: Design Principles for Distributed Embedded Applications, Kluwer Academic Publishers, Norwell (MA), 1997. (Monograph)

Curtis & France 1 Exec. S’ware Engineering: EE382C

1. Introduction and Overview

TTP/C, which represents one variant of the Time-Triggered Protocol (TTP), is designed to address safety-critical real-time control systems in the automotive sector. Given the TTP/C emphasis on “x-by-wire” environments, in which there exist no mechanical or hydraulic back-ups for a system such as brakes or steering in a car, the aspects of TTP/C which provide reliability and fault-tolerance are of high interest.

In our project work, we have sought to implement a first-order model of the behavior of a TTP/C system for automotive braking, with emphasis on an element of the TTP/C controller node called the “bus guardian.” The bus guardian should be considered a representative choice of modeling target, rather than the exclusive purpose of this study. Our objective is to experiment with approaches to broad-based modeling of the behavior of TTP/C systems, both when functioning normally and in the presence of injected faults. The bus guardian provides an excellent target for this investigation, given its well-defined behavioral characteristics, and the fact that it must interact closely and continuously with other elements of the TTP/C node.

2. Description of the Requirements of the SAE Class C Specification

The general requirements for safety-critical protocols and systems in the automotive domain are defined by the SAE (Society for Automotive Engineers) Class C specification. The key requirements for Class C automotive communication systems include the following [1]:

• A communication system which supports composability, meaning that subsystems which are developed independently, tested, and certified compliant with TTP/C requirements can then be integrated with high assurance that they will work together.
• Support for the connection of replicas of processing units, and for the distribution of these replicas, so as to avoid failures of the functions provided by processing units.
• The provision of an independent device to guard against failures induced by babbling idiots (babbling idiots are processing nodes which emit a constant stream of unnecessary messages, thus monopolizing the communications bus).
• Provision of a mechanism that permits a distributed application to know the status of all connected system components (in TTP/C, this facility is called the membership service).

Communication systems which are in wide use in automobiles today, such as CAN, A-BUS, VAN, J1850-DLC, and J1850-HBCC, cannot meet this rigid set of requirements; most of them lack synchronization, fault-tolerant characteristics, and deterministic behavior [2].

3. Aspects of TTP/C that Assure Reliability and Fault-Tolerance

In work at the Technical University of Vienna, Dr. Hermann Kopetz and his colleagues have designed TTP/C from the ground up to address stringent reliability requirements, such as those reflected in SAE Class 3.
The following contribute to meeting the challenge posed by Class C.

(1) Dual-Bus Architecture: Typically, the physical implementation that supports TTP/C features a bus with two separate channels, and the TTP/C protocol supports this dual-bus model. Even if one of the bus circuits fails or is cut, signals will continue to travel.

(2) Fail-Silence: TTP/C processing nodes (also called Fail Silent Units – FSUs) are designed to meet the criterion that each individual node “must deliver either results which are correct in both the value and the time domain or no results at all.” [3] Nodes are assigned heavy responsibility for guaranteeing this so
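The three mechanisms discussed so far (the bus guardian that contains a babbling idiot, the membership service that reports which nodes are present, and the dual-channel bus that survives one cut channel) can be exercised together in a small discrete-time model. The Python below is an added illustration written for this page; it is not the authors' simulation code and not TTP/C reference code. It assumes a simplified TDMA round in which every node owns exactly one slot and a per-node guardian that opens the node's transmit window only during that slot (TTP/C does schedule transmissions by TDMA, but the real guardian, frame checks and membership algorithm are more involved than this). The node names, slot assignments, the three behaviours and the "cut channel" inputs are constructed for the example.

```python
"""One TDMA round on a dual-channel bus with per-node bus guardians.

Simplified model (added example, not the paper's simulation): a slot's frame
counts for membership only if the slot owner delivered it alone; a babbling
node that is not contained by a guardian collides with every other sender.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set


class Behaviour(Enum):
    NORMAL = "normal"        # transmits only in its own slot
    BABBLING = "babbling"    # tries to transmit in every slot (babbling idiot)
    SILENT = "silent"        # failed node: produces nothing (fail-silent)


@dataclass
class Node:
    name: str
    slot: int                # index of this node's slot in the TDMA round
    behaviour: Behaviour = Behaviour.NORMAL

    def wants_to_send(self, current_slot: int) -> bool:
        """Node-internal decision, before the bus guardian has its say."""
        if self.behaviour is Behaviour.SILENT:
            return False
        if self.behaviour is Behaviour.BABBLING:
            return True
        return current_slot == self.slot


@dataclass
class RoundResult:
    delivered: Dict[int, Optional[str]]   # slot -> sole sender heard, or None
    collisions: List[int]                 # slots where >1 node drove the bus
    guardian_blocks: Dict[str, int]       # per node: sends the guardian refused
    membership: Set[str]                  # nodes that delivered in their own slot


def simulate_round(nodes: List[Node], guardian_enabled: bool,
                   cut_channels: FrozenSet[str] = frozenset()) -> RoundResult:
    # Dual-bus model: a frame is heard if at least one channel is intact.
    live_channels = [c for c in ("A", "B") if c not in cut_channels]
    delivered: Dict[int, Optional[str]] = {}
    collisions: List[int] = []
    blocks = {n.name: 0 for n in nodes}

    for slot in range(len(nodes)):
        transmitters = []
        for n in nodes:
            if not n.wants_to_send(slot):
                continue
            # The guardian keeps the transmit window shut outside the node's slot.
            if guardian_enabled and slot != n.slot:
                blocks[n.name] += 1
                continue
            transmitters.append(n.name)

        if not live_channels or len(transmitters) == 0:
            delivered[slot] = None          # nothing reaches the receivers
        elif len(transmitters) == 1:
            delivered[slot] = transmitters[0]
        else:
            delivered[slot] = None          # simultaneous drivers garble the slot
            collisions.append(slot)

    # Membership service: a node is present if its own slot carried its frame.
    owner = {n.slot: n.name for n in nodes}
    membership = {owner[s] for s, sender in delivered.items() if sender == owner[s]}
    return RoundResult(delivered, collisions, blocks, membership)


def example_nodes() -> List[Node]:
    """Constructed cluster: one babbling node and one fail-silent node."""
    return [
        Node("A", 0),
        Node("B", 1, Behaviour.BABBLING),
        Node("C", 2, Behaviour.SILENT),
        Node("D", 3),
    ]


if __name__ == "__main__":
    for guardian in (False, True):
        r = simulate_round(example_nodes(), guardian_enabled=guardian)
        print(f"guardian={guardian}: membership={sorted(r.membership)} "
              f"collisions={r.collisions} blocks={r.guardian_blocks}")
    r = simulate_round(example_nodes(), True, cut_channels=frozenset({"A"}))
    print(f"channel A cut: membership={sorted(r.membership)}")
```

Without the guardian the babbling node B collides with A and D in their slots, so the membership vector shrinks to B alone even though A and D are healthy; with the guardian enabled B is confined to its own slot and membership is {A, B, D}. The silent node C never appears in membership in either case, which is exactly the detectable failure that fail-silence is meant to produce, in contrast to the babbling failure that takes other nodes down with it. Cutting one channel changes nothing; cutting both empties the membership vector.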

