A Membership Service for a Distributed, Embedded System Based on a Time-Triggered FlexRay Network Martin Mitzlaff Rüdiger Kapitza, Michael Lang, Wolfgang Schröder- Preikschat Ingolstadt Institute of the Friedrich-Alexander University Erlangen-Nuremberg [email protected]
A Membership Service for a Distributed, Embedded System Based on a Time-Triggered FlexRay Network Martin Mitzlaff Rüdiger Kapitza, Michael Lang, Wolfgang.
Dec 27, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
A Membership Service for a Distributed, Embedded System
Based on a Time-Triggered FlexRay Network
Martin MitzlaffRüdiger Kapitza, Michael Lang, Wolfgang Schröder-Preikschat
Ingolstadt Institute of theFriedrich-Alexander University Erlangen-Nuremberg
230.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Drive by Wire
A non functional state is not tolerable.
Most parts are time-triggered Hard real-time
Dependable
Single units not dependable enough Redundancy, Fault masking
Important to know which units are online
Need for a Membership ServiceProvides a consistent view of the fault-free units
330.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
ECU5
ECU1
ECU4
ECU2 ECU3
Brake-by-wire
Brake!
430.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Agenda
FlexRay
Membership Service
Verification
Evaluation
530.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
FlexRay
High-speed time-triggered bussystem
De-facto standard time-triggered bussystem in the automotive industry
Node structure:
Transceiver
CommunicationController
Host
wire
Node
630.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Cycle-based communication:
Synchronized clocks
Central bus guardian in the active star
No membership service
FlexRay - Features
Cycle 0 Cycle 1 Cycle 2
Slot 0
Static Part
Slot 31 32 34
Dynamic Part Idle
33
… Cycle 63
Slot 1 Slot 2 Slot 30… Slot 29
730.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Using FlexRay
Interrupts to synchronize access to message buffers
Interrupts disturb the application
cycle
Application
700
Receive()
Send()
2000
Fill_Sendbuffer()
2700
Send_Confimation()
Macrotick
FlexRay
830.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Current approaches
Membership protocols for synchronous systems already exist: F. Cristian 1988
S. Katz, P. Lincoln and J.M. Rushby 1997
R. Barbosa and J. Karlsson 2006
But all are slot based Not possible in a FlexRay system
TTP/C includes a membership service (in hardware)
930.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Round-based Approach
Slot based:
Round based:
Sending and receiving in one interval No timing requirements inside the interval
Calculation only at one point in the round
Send
Receive
Calculate
1030.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
What’s a view?
View: Just a bit vector; One bit for one node
Local view: Node’s current opinion of fault-free nodes
Interchanged with other nodes
Global view Former local view
Verified by the local views of other nodes
ECU 1 ECU 2 ECU 8
1130.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
ECU5
ECU1
ECU4
ECU2 ECU3
Integration
L
G
LL
L L
G
G G G
Round: 0123
1230.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Faulty node
ECU5
ECU1
ECU4
ECU2 ECU3
L
G
LL
L L
G
G G G
Round: 0123
1330.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Verification
Need for a fault hypothesis For FlexRay nothing published Each node and each logical communication-channel are a Fault-
Containment Region Active star guarantees that the message is transmitted to all or no
node by the communication system. [see TTP/C] Important to detect invalid messages
- Further CRC, including cycle counter A faulty host does not send membership messages. Different fault modes can be mapped to just three faults:
sending, receiving or sending&receiving fault At most one fault in two cycles
Formal proof of the latency Result: two rounds can be guarantied
1430.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Model checking
Modeling using PROMELA
Verifying the model using SPIN
Used results for decreasing number of states
Only possible with small networks
Results: Absence of Livelocks
Absence of Deadlocks
New nodes do not disturb
Latency of two rounds
1530.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Evaluation
Using TTTech Multi-Purpose ECU
- TriCore TC1796
- Freescale MFR4300
- TTTech AUTOSAR FlexRay-Stack Vector VN3600 Special active star
1630.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
0
2
4
6
8
10
12
3,5 5 10
cycle-time in [ms]
CP
U -
Lo
ad
in
[%
]
2 nodes plain
2 nodes MS
4 nodes plain
4 nodes Ms
Evaluation Results
CPU Load:
Maximal 2,4% CPU-Load caused by membership service
2.6 kbyte ROM
1730.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Conclusion
FlexRay is the bus for drive-by-wire applications But lacks a membership service
Our Contribution:Membership service for FlexRay
Key features: Round-based approach
minimal CPU load
Transparent to the application
Verification by different techniques
Even outside the fault hypothesis, coming back to a consistent global view
1830.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track
Thank you for your attention!
Any questions?
Related Documents
