A Membership Service for a Distributed, Embedded System
Based on a Time-Triggered FlexRay Network
Martin Mitzlaff, Rüdiger Kapitza, Michael Lang, Wolfgang Schröder-Preikschat
Ingolstadt Institute of the Friedrich-Alexander University Erlangen-Nuremberg
30.04.2010, Martin Mitzlaff -- EDCC 2010 Industrial Track
Drive by Wire
A non-functional state is not tolerable.
Most parts are time-triggered
Hard real-time
Dependable
Single units not dependable enough
Redundancy, Fault masking
Important to know which units are online
Need for a Membership Service
Provides a consistent view of the fault-free units
Brake-by-wire
[Figure: ECU1, ECU2, ECU3, ECU4 and ECU5; label "Brake!"]
Agenda
FlexRay
Membership Service
Verification
Evaluation
FlexRay
High-speed time-triggered bus system
De-facto standard time-triggered bus system in the automotive industry
Node structure:
[Figure: a Node made up of Host, Communication Controller and Transceiver, attached to the wire]
FlexRay - Features
Cycle-based communication:
[Figure: Cycle 0, Cycle 1, Cycle 2, … Cycle 63; each cycle has a Static Part (Slot 0, Slot 1, Slot 2, … Slot 29, Slot 30, Slot 31), a Dynamic Part (32, 33, 34) and Idle time]
Synchronized clocks
Central bus guardian in the active star
No membership service
Using FlexRay
Interrupts to synchronize access to message buffers
Interrupts disturb the application cycle
[Figure: Application and FlexRay timelines over the Macrotick axis (marks at 700, 2000, 2700) with the calls Receive(), Send(), Fill_Sendbuffer() and Send_Confimation()]
Current approaches
Membership protocols for synchronous systems already exist:
- F. Cristian 1988
- S. Katz, P. Lincoln and J.M. Rushby 1997
- R. Barbosa and J. Karlsson 2006
But all are slot based
Not possible in a FlexRay system
TTP/C includes a membership service (in hardware)
Round-based Approach
[Figure: slot-based versus round-based timing, showing the Send, Receive and Calculate phases]
Sending and receiving in one interval
No timing requirements inside the interval
Calculation only at one point in the round
What’s a view?
View: Just a bit vector; one bit for one node
[Figure: bit vector labelled ECU 1, ECU 2, ECU 8]
Local view:
- Node’s current opinion of fault-free nodes
- Interchanged with other nodes
Global view:
- Former local view
- Verified by the local views of other nodes
Integration
[Figure: ECU1 to ECU5 with their local (L) and global (G) views over rounds 0, 1, 2, 3]
Faulty node
[Figure: ECU1 to ECU5 with their local (L) and global (G) views over rounds 0, 1, 2, 3]
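
The bit-vector views and the faulty-node scenario from the slides above, as an added illustration (not code from the presentation or the authors' implementation). The slides do not state the exact agreement rule, so the strict-majority confirmation, the five-node setup and all names (`calculate`, `simulate`, `node_t`) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define NODES 5  /* ECU1..ECU5; bit i of a view stands for ECU(i+1) */

typedef struct { uint8_t local, global; } node_t;

/* "Calculate" step of node `self` at the end of a round.
 * rx_mask: senders whose membership message arrived in this round.
 * view[j]: local view sent by node j (used only if bit j is set in rx_mask).
 * Assumed rule: a bit is confirmed by a strict majority of own + received views. */
static void calculate(node_t *n, int self, uint8_t rx_mask, const uint8_t view[NODES])
{
    uint8_t former = n->local, confirmed = 0;
    int voters = 1;
    for (int j = 0; j < NODES; j++)
        if (j != self && ((rx_mask >> j) & 1)) voters++;
    for (int bit = 0; bit < NODES; bit++) {
        int votes = (former >> bit) & 1;
        for (int j = 0; j < NODES; j++)
            if (j != self && ((rx_mask >> j) & 1)) votes += (view[j] >> bit) & 1;
        if (2 * votes > voters) confirmed |= (uint8_t)(1u << bit);
    }
    n->global = former & confirmed;                 /* verified former local view */
    n->local  = (uint8_t)(rx_mask | (1u << self));  /* who was heard this round */
}

/* Runs `rounds` rounds; nodes in `silent` stop sending from round `fail_round`
 * on (sending fault). Returns the global view held by ECU1 afterwards. */
static uint8_t simulate(int rounds, uint8_t silent, int fail_round)
{
    node_t n[NODES];
    for (int i = 0; i < NODES; i++) n[i].local = n[i].global = 0x1F;
    for (int r = 0; r < rounds; r++) {
        uint8_t sent[NODES], tx_mask = 0;
        for (int i = 0; i < NODES; i++) {           /* Send: snapshot local views */
            sent[i] = n[i].local;
            if (r < fail_round || !((silent >> i) & 1)) tx_mask |= (uint8_t)(1u << i);
        }
        for (int i = 0; i < NODES; i++)             /* Receive + Calculate */
            calculate(&n[i], i, (uint8_t)(tx_mask & ~(1u << i)), sent);
    }
    return n[0].global;
}

int main(void)
{
    for (int r = 1; r <= 4; r++)  /* constructed scenario: ECU3 (bit 2) fails in round 1 */
        printf("after %d round(s): ECU1 global view = 0x%02X\n", r, simulate(r, 0x04, 1));
    return 0;
}
```

In this constructed run ECU1 drops ECU3 from its local view at the end of the round in which ECU3 goes silent, and from its global view one round later.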
Verification
Need for a fault hypothesis
For FlexRay nothing published
Each node and each logical communication channel is a Fault-Containment Region
Active star guarantees that the message is transmitted to all or no node by the communication system. [see TTP/C]
Important to detect invalid messages
- Further CRC, including cycle counter
A faulty host does not send membership messages.
Different fault modes can be mapped to just three faults: sending, receiving or sending&receiving fault
At most one fault in two cycles
Formal proof of the latency
Result: two rounds can be guaranteed
Model checking
Modeling using PROMELA
Verifying the model using SPIN
Used results for decreasing number of states
Only possible with small networks
Results:
- Absence of Livelocks
- Absence of Deadlocks
- New nodes do not disturb
- Latency of two rounds
Evaluation
Using TTTech Multi-Purpose ECU
- TriCore TC1796
- Freescale MFR4300
- TTTech AUTOSAR FlexRay-Stack
Vector VN3600
Special active star
Evaluation Results
CPU Load:
[Figure: CPU-Load in [%] (axis 0 to 12) over cycle-time in [ms] (3,5; 5; 10) for 2 nodes plain, 2 nodes MS, 4 nodes plain and 4 nodes MS]
Maximal 2,4% CPU-Load caused by membership service
2.6 kbyte ROM
Conclusion
FlexRay is the bus for drive-by-wire applications
But lacks a membership service
Our Contribution: Membership service for FlexRay
Key features:
- Round-based approach
- Minimal CPU load
- Transparent to the application
Verification by different techniques
Even outside the fault hypothesis, coming back to a consistent global view
Thank you for your attention!
Any questions?