synchronization mechanism, and power supply. In addition, they should be located at a distance from
the protected node to increase immunity to spatial proximity faults. To cope with internal physical
faults, TTA employs partitioning of nodes into so-called fault-tolerant units (FTUs), each of which is
a collection of several stations performing the same computational functions. As each node is
(statically) allocated a transmission slot in a TDMA round, the failure of any node, or a frame
corruption, is not going to cause degradation of the service. In addition, data redundancy allows
the correct data value to be ascertained by a voting process.
TTP/C employs a synchronous TDMA medium access control scheme on replicated channels,
which ensures fault-tolerant transmission with known delay and bounded jitter between the nodes of
a cluster. The use of replicated channels, and redundant transmission, allows for the masking of a
temporary fault on one of the channels. The payload section of the message frame contains up to  bytes of
data protected by a -bit CRC checksum. In TTP/C the communication is organized into rounds. In
a round, different slot sizes may be allocated to different stations. However, slots belonging to the same
station are of the same size in successive rounds. Every node must send a message in every round.
Another feature of TTP/C is fault-tolerant clock synchronization, which establishes a global time base
without the need for a central time provider. In the cluster, each node contains the message schedule.
Based on that information, a node computes the difference between the predetermined and actual
arrival time of a correct message. Those differences are averaged by a fault-tolerant algorithm, which
allows for the adjustment of the local clock to keep it in synchrony with the clocks of other nodes in
the cluster. TTP/C provides a so-called membership service to inform every node about the state of
every other node in the cluster; it is also used to implement the fault-tolerant clock synchronization
mechanism. This service is based on a distributed agreement mechanism which identifies nodes with
failed links. A node with a transmission fault is excluded from the membership until restarted with a
proper state of the protocol. Another important feature of TTP/C is a clique avoidance algorithm to
detect and eliminate the formation of cliques in case the fault hypothesis is violated. In general, the
fault-tolerant operation based on FTUs cannot be maintained if the fault hypothesis is violated. In such a
situation, TTA activates a never-give-up (NGU) strategy []. The NGU strategy, specific to the
application, is initiated by TTP/C in combination with the application with the aim of continuing operation
in a degraded mode.
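The clock-correction step described above, as an added example that is not from the original text or from any TTP/C implementation. It assumes the fault-tolerant algorithm is the fault-tolerant average (sort the measured deviations, discard the k largest and k smallest, average the rest); the function names, the microtick unit and the sample values are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MEAS 16   /* hypothetical upper bound on stored measurements */

/* qsort comparator for signed deviations */
static int cmp_long(const void *a, const void *b) {
    long x = *(const long *)a, y = *(const long *)b;
    return (x > y) - (x < y);
}

/* Fault-tolerant average of deviations (actual minus scheduled arrival
 * time, in microticks). Discards the k largest and k smallest values so
 * that up to k arbitrarily wrong clocks cannot drag the result.
 * Returns 0 on success, -1 if n > MAX_MEAS or n <= 2k (nothing left). */
int fta_correction(const long *dev, size_t n, size_t k, long *out) {
    long sorted[MAX_MEAS];
    long sum = 0;
    if (n > MAX_MEAS || n <= 2 * k)
        return -1;
    memcpy(sorted, dev, n * sizeof *dev);
    qsort(sorted, n, sizeof *sorted, cmp_long);
    for (size_t i = k; i < n - k; i++)
        sum += sorted[i];
    *out = sum / (long)(n - 2 * k);
    return 0;
}

/* Plain mean, shown only for comparison: one faulty clock dominates it. */
long naive_mean(const long *dev, size_t n) {
    long sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += dev[i];
    return n ? sum / (long)n : 0;
}

int main(void) {
    /* Constructed sample: three healthy senders, one faulty (900). */
    long dev[] = {3, -2, 1, 900};
    long corr = 0;
    if (fta_correction(dev, 4, 1, &corr) == 0)
        printf("fault-tolerant correction: %ld microticks\n", corr);
    printf("naive mean: %ld microticks\n", naive_mean(dev, 4));
    return 0;
}
```

With the constructed input, the single faulty measurement is discarded before averaging, whereas the plain mean would push the local clock far out of synchrony with the cluster.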
The TTA infrastructure and the TTP/A and TTP/C protocols have a long history dating back
to when the Maintainable Architecture for Real-Time Systems project started at the Technical
University of Berlin. Subsequently, the work was carried out at the Vienna University of Technology.
TTP/C protocols have been experimented with and considered for deployment for quite some time.
However, to date, there have been no actual implementations of that protocol involving safety-critical
systems in commercial automobiles or trucks. In , a “proof of concept,” organized jointly by
Vienna University of Technology and DaimlerChrysler, demonstrated a car equipped with a
“Brake-by-Wire” system based on a time-triggered protocol.
FlexRay, which appears to be the frontrunner for future automotive safety-critical control
applications, employs a modified TDMA medium access control scheme on a single or replicated channel.
The payload section of a frame contains up to  bytes of data protected by a -bit CRC checksum.
To cope with transient faults, FlexRay also allows for a redundant data transmission over the same
channel(s) with a time delay between transmissions. The FlexRay communication cycle consists
of a network communication time and a network idle time. Two or more communication cycles can
form an application cycle. The network communication time is a sequence of a static segment, a dynamic
segment, and a symbol window. The static segment uses a TDMA MAC protocol. The static segment
consists of static slots of fixed duration. Unlike in TTP/C, the static allocation of slots to a node
(communication controller) applies to one channel only. The same slot may be used by another node
on the other channel. Also, a node may possess several slots in a static segment. The dynamic
segment uses a Flexible Time Division Multiple Access (FTDMA) MAC protocol, which allows for a
priority and demand-driven access pattern. The dynamic segment consists of so-called mini-slots
 