In aerospace systems, there has been a fundamental paradigm shift from predominantly mechanical control to predominantly electronic and computer-based control, with no or minimal mechanical backup. This shift towards by-wire systems has been pioneered in Europe by Airbus and now encompasses safety-critical systems. This poses fundamental technical and commercial challenges, which are the rationale for the TTA project. Three major European companies, Daimler-Benz, British Aerospace, and Alcatel Austria, have teamed up with TEMIC, GENIAS, and three European universities - Technical University of Vienna, University of York, and University of Ulm - to push a promising new technology towards real world applications.

The objective of the TTA project is to develop and evaluate a generic time-triggered computer architecture (TTA) for fault-tolerant distributed real-time systems [1]. It will be demonstrated that the architecture can be effectively deployed in safety-critical transportation systems like automotive, aerospace, and railway applications. We feel that TTA provides clear advantages over all current approaches to the design of safety-critical fault-tolerant real-time systems in the transportation sector. At the end of the project, a complete package, consisting of a VLSI device [2], an engineering environment, safety analysis tools, and application demonstrators will be available.

The time-triggered technology is concurrently driven forward in the BRITE-EURAM project X-By-Wire. In the X-By-Wire project, a framework for automotive by-wire applications focusing on technology standards for the automotive industry is elaborated. The time-triggered paradigm has been adopted by the X-By-Wire project as key technology. A close co-operation between both projects has been established.

A positive decision of the automotive industry to implement the TTA technology in future automobiles will encourage the semiconductor industry to implement hardened VLSI chips for the automotive industry mass market. This in turn will reduce the chip price considerably, to a level that will make it very desirable for the aerospace and railway industries to use this chip in their products.

This paper is organised as follows: Section 2 gives an overview on the Time-Triggered Architecture and elaborates on the services of time-triggered communication protocol. In Section 3 the systems engineering environment supporting the development of applications is presented. In Section 4 the application demonstrators built by the industrial partners are presented. The expected results and the business impact are outlined in Section 5. The paper is concluded in Section 6.

Within the Time-Triggered Architecture all system activities are initiated by the progression of a globally synchronised time-base [3]. This stands in contrast to event-driven systems, in which system activity is triggered by events. The key advantages of a TTA are composability, which greatly reduces the effort required for testing and certifying the system; the transparent implementation of fault-tolerance, which makes the architecture acceptable for safety-critical applications; and the provision of a globally synchronised time-base, which facilitates the design of distributed real-time systems.

Figure 1: Scheme of a TTA system with four SRUs

In the Time-Triggered Architecture an autonomous communication controller de-couples the host subsystem from the communication subsystem. Communication between electronic modules is performed using the Time-Triggered Protocol TTP/C [4]. The TTP/C protocol controls the exchange of messages between different electronic modules connected to a TTP/C cluster. The communication subsystem decides autonomously, according to a static schedule, when to transmit a message and whether a received message is relevant for the particular electronic module or not.

A TTP/C network [5] consists of a set of electronic modules that are connected by two replicated channels as shown in Figure 1. Each module mainly consists of a host subsystem and a communication subsystem. The host subsystem executes the application software. The communication subsystem is formed by the TTA communication controller and executes the TTP/C protocol [6]. Such an electronic module is the smallest unit replaced in case of a fault from the perspective of the communication subsystem. It is therefore referred to as a smallest replaceable unit (SRU).

A TTP/C network [7] and its associated electronic modules is called a cluster. One or more electronic modules can be combined to form a fault-tolerant unit (FTU). A FTU delivers the specified service, even if some of its constituent electronic modules fail.

Figure 2: Layout of a cluster cycle

Access to the bus is controlled by a cyclic time-division multiple access (TDMA) schema derived from the global notion of time. Every active electronic module owns a TDMA slot. The sequence of TDMA slots in which each electronic module sends its frames forms a TDMA round (Figure 2). After a TDMA round is completed, the next TDMA round, with the same temporal access pattern but possibly different frames, is started. The number of different TDMA rounds determines the length of the cluster cycle. After a cluster cycle is finished, the transmission pattern starts over again with the start of the next cluster cycle. Two types of message frames are sent on the bus: N-frames, which contain user data, and I-frames, which are system messages needed for reconfiguration.

The requirements for the engineering environment were identified from the protocol specification and by our industrial partners. The main objectives of the engineering environment are the support of the design, monitoring, and visualisation of TTA applications. We put special emphasis on the design of the interfaces between the system manufacturer and the component suppliers.

We distinguish between global and local design. The global design consists of all steps associated with the overall system architecture and is done by the system manufacturer:

• First, a TTA system is partitioned into a set of components connected by a communication network.
• Redundancy management is done in the second step. Critical components can be replicated to achieve fault-tolerance.
• Communication relations between the components have to be specified. The data which have to be exchanged via messages between components are defined. This also includes status data exchanged between redundant components.
• In the last step of the global design, a bus schedule has to be found that fulfils all the communication requirements of the previous step. The bus schedule can be determined automatically [8] or manually.

After the global design, the suppliers proceed with their application design locally and independently of each other, and independently from the system manufacturer. The suppliers receive the individual bus scheduling data for their respective components.

The local design contains all steps associated with the specification of a single component. The bus message scheduling specified in the global design defines the interface of each component in the value and time domain.

• First, the software structure of the component has to be specified. Application tasks and their communication relations including timing information have to be described.
• Fault-tolerance strategies are defined in the second step. Critical tasks can be executed in different fault-tolerance configurations, e.g. double execution, triple execution, or double execution with a golden task.
• Finally, a task schedule which fulfils the timing requirements of the previous steps has to be found.

After finishing the local design of all components, the complete system is integrated by connecting all components, downloading, and executing the application software. During run-time, the system behaviour can be optionally traced by a monitoring system, which provides local and global monitoring.

Global monitoring is based on bus tracing. The advantage of this approach is, that the system behaviour can be observed without intrusion. However, the components are still "black boxes", because only the messages exchanged between components can be traced. The inner state of components like task states, variable values, etc., can only be observed via local monitoring. This approach requires additional system software, which observes application tasks during runtime and traces task states, variable values, etc. This additional system software shares its resources (CPU time, memory space) with application tasks. Therefore, local monitoring will be intrusive and should be applied very carefully.

The objective of visualisation is to provide a better understanding of the dynamic behaviour of a TTA application. The visualisation is based on the data gathered by the monitoring systems. Two visualisation modes can be provided by the engineering environment. The design graph visualisation animates the graphical representations specified by the systems engineer during the design steps, whereas the time scale visualisation displays the same events in relation to time.

The systems engineering environment is based on concepts of TRAPPER [9], a graphical programming environment for parallel systems. TRAPPER has been developed by Daimler-Benz and GMD and is marketed by Genias. The implementation of the TTA engineering environment will be done in co-operation with the ESPRIT/HPCN-project WINPAR (see www.genias.de for further details) and will be based on a re-implemented version of TRAPPER.

The objective of the automotive demonstrator is to show the feasibility of TTA technology for automotive by-wire applications. We decided to build a Brake-by-Wire demonstrator in a laboratory environment. The purpose of the demonstrator is to show the continued service of the Brake-by-Wire system even in presence of multiple failures. Failures can be injected into the hardware as well as into the software. The Brake-by-Wire demonstrator contains the following components shown in Figure 3.

Figure 3: Brake-by-Wire demonstrator

The Brake-By-Wire system is a distributed system based on the TTA technology. It contains several TTA nodes connected by a TTP/C communication system. Each node consists of a commercial-off-the-shelf processor board equipped with a Motorola microprocessor. A TTP/C communication controller is used for external message exchange. Onboard AD/DA converters are used for sensor and actuator connection.

The vehicle system simulates in real-time the dynamic behaviour of a Mercedes-Benz passenger car (E-Class) on a road. The vehicle system is based on a workstation running the proprietary vehicle simulator software CASCaDE. CASCaDE has been developed by Daimler-Benz research and implements a realistic physical model of a car. The simulator interprets actuator commands of the Brake-by-Wire system, computes their effects to the vehicle and delivers the appropriate sensor signals. An on-line visualisation component dynamically shows the reactions of the vehicle to the applied control commands.

For the railway demonstrator, Alcatel Austria choose the interlocking system ELEKTRA [10], which connects the railway station periphery to the central control.

Figure 4: Railway signalling demonstrator

Figure 4 shows an example of a TTA based subsystem architecture for the connection of the railway periphery, e.g. signals and switches, to the Central Controllers (CC computers). The hardware interface to the railway periphery is implemented with relay technology. The transformation of this relay interface to the TTA subsystem is realised by using so called FEC nodes (Field Element Controller nodes). With respect to dependability requirements a FEC node itself is equipped with redundancy.

The ELEKTRA’s online safety concept is based on the use of two independent diverse hardware/software channels, the interlocking channel A and the safety-bag channel B. To fulfil the availability requirements, each channel architecture is composed of replicated subsystems. The used redundancy concepts are three-fold replication (for the CC computers) and hot standby (for the MMI computers). The fault-tolerance and message communication services are provided by a special layer, called VOTRICS (Voting Triple-Modular Computing System) [11]. For that reason the VOTRICS replicas shown in Figure 4 have the same degrees of replications as their corresponding application processors.

From the ELEKTRA system architecture it can be concluded that the communication partners within the TTA-based subsystem are the CC replicas and the FECs (or FEC replicas). This means that each of these communication partners must be equipped with at least one TTA communication controller.

Compared to the automotive sector, computerisation of control systems is much more advanced in the aircraft sector. However, the aerospace industry is interested in cheaper electronic components to cut the fly-away costs. British Aerospace Airbus will assess the suitability of TTA as a candidate architecture for safety-critical applications on civil aircraft. A suitable application will be selected and a specific Time-Triggered Architecture will be devised to satisfy the application requirements. The specific TTA design and safety case will be evaluated using the previously defined criteria. Potential application candidates are the flap control architecture, which is a part of the secondary flight control system, and the landing gear control architecture.

It is well known that the automotive industry is developing into one of the biggest markets for electronic equipment. In Germany, the market for automotive electronic components is growing faster than the overall electronic market [12]. Safety-critical automotive applications like brake-by-wire and steer-by-wire will cause a further boost.

A large segment of European car manufactures and suppliers, including Daimler-Benz, Fiat, Ford, Volvo, Bosch, and Magneti Marelli, have teamed up in the BRITE-EURAM project X-By-Wire, which establishes a framework for safety-related automotive by-wire systems and will promote standardisation [13]. The X-By-Wire project consortium decided to adopt the time-triggered paradigm and to use the TTP/C protocol for their first prototype implementation, thus giving TTA technology a further impetus.

The requirements of the automotive industry for safety-critical applications are unique from an economical and technical point of view: The demand for very low unit costs stands in contrast to very high requirements for reliability and safety. If the TTA technology is successfully established by the end of this project, the basic components will be available and proven. It then can be expected that affordable safety increasing driver assistance systems will hit the mass-market approximately by the year 2004.

The size of the potential market can be demonstrated using the example of a brake-by-wire system. In such a system one electronic module is attached to each wheel and the brake commands are sensed by a brake pedal module, thus requiring a total number of at least 5 TTA nodes per vehicle. The volume of the world wide passenger cars produced at 2004 is estimated at 45 million units per year [14]. If only 10 percent of these vehicles are equipped with an electronic brake system, 22.5 million TTA nodes are needed per year. Estimating a price of 5$ for a TTA system chip, which is the comparable price of a 16 Bit embedded CPU with integrated CAN-controller, a market topping the hundred billion dollars can be foreseen by 2004 - only based on brake-by-wire for passenger cars. This market will grow each year because it is expected that - like in the aircraft domain - by-wire systems will become a technology standard. Thus, in the following years, by-wire systems will move from a premium car equipment to a de-facto standard for low-price/high-volume car types.

Once standardised, system modules of the required functionality and dependability will be available on the market for a very competitive price. It can be expected that many other industrial sectors, e.g., train control, aircraft industry, industrial process control, etc., will take advantage of these very cost-effective system solutions. The technology transfer to these areas will be enabled by the fact that the industrial partners of the TTA project are involved in these industries.

The expected wide use of the TTA technology will itself generate a broad market for engineering tools for time-triggered architectures. The engineering environment developed in the context of the TTA project will assist the application developer in the design and implementation of TTA applications and thus contributes to the dissemination of the TTA technology. The engineering environment, being marketed by GENIAS, will be a further result of the TTA project with very promising business opportunities.

To summarise, the success of this project will strengthen the world market position of the European industry and generate new possibilities for growth and employment in an important high technology area.

In this paper the TTA project was presented. In the project a generic time-triggered computer architecture (TTA) for fault-tolerant distributed real-time systems based on the Time-Triggered Protocol TTP/C will be implemented. The project will also demonstrate that the architecture can be effectively deployed in safety-critical transportation systems (automotive, aerospace, railway). At the end of the project, a complete package, consisting of a VLSI device, application software engineering and safety analysis tools, and evaluation reports from the three industry sectors, will be available.

Future activities will include the development of one or more FTU layer(s) to support appropriate fault-tolerance strategies for our industrial partners. A second activity is concerned with the design and implementation of an advanced engineering toolset necessary to build, test, analyse and certify TTA-based systems. The prototype tools built in the context of the TTA project will serve as a basis for the advanced tools, which have to support the full life cycle of TTA-based systems. Moreover, these tools must offer interfaces to commercially off-the-shelf tools such as Statemate, Matlab, or MatrixX in order to be commercially successful.