Christian SCHEIDLER*, Emmerich FUCHS**, Andreas BÄCKER***
*Daimler-Benz AG, Alt-Moabit 96A, D-10559 Berlin, Germany
Email: scheid@dbag.bln.daimlerbenz.com,

1. Introduction

In the transportation industries, which are one of the most important market segments of the European industries, a fundamental paradigm shift from pure mechanical or hydraulically control towards embedded electronic control systems is taking place. An increasing number of these control systems will be used to implement safety-critical applications, e.g., drive-by-wire or fly-by-wire systems. The time-triggered paradigm we propose for the implementation of distributed embedded applications offers significant advantages like composability, fault-tolerance, and predictability over event-triggered competitors, e.g., CAN-bus based systems. Unfortunately, the design and engineering of time-triggered systems is not as easy as it is for event-triggered systems, because the system behaviour at run time has to be planned beforehand by the systems engineer. This approach, however has the advantage that a deterministic operation of the system at run time can be guaranteed statically, e.g., for certification purposes.

SETTA is an engineering environment for dependable distributed systems with a special focus on time-triggered systems. Time-triggered systems in comparison to event-triggered systems (Ethernet, CAN, etc.) offer significant advantages like composability, fault-tolerance, and predictability [1]. Therefore, time-triggered systems are well suited for safety-critical applications in the transportation industries. Typical applications targeted with SETTA are drive-by-wire systems (automotive industries) [4], fly-by-wire systems (aircraft industries), train and railway signalling systems (railway industries); of course, all these applications are safety-critical. However, time-triggered systems have one major drawback. The systems engineering is rather difficult compared to an even-triggered system: configuration files describing the system behaviour (message transfer, task scheduling, buffer addresses, etc.) have to be specified off-line by the systems engineer. This is a cumbersome task even for small-sized systems and becomes tedious, if the system complexity is growing. The highest level of complexity is reached if two or more logically independent applications of different criticality classes have to be integrated into one system. The Integrated Modular Avionics (IMA) documents published by the ARINC consortium [13] show how the aircraft community tackles similar problems. Within the IMA the modules provided by different suppliers are integrated into a cabinet by means of the SAFEbus [14] (Honeywell's implementation of ARINC 659 [12]) communication mechanisms. This manufacturer/supplier relationship is the main reason why we have structured the design process supported by SETTA into two phases and put special emphasis on the design of the interfaces between the system manufacturer and the subsystem suppliers.

SETTA takes into account the business model of the transportation industries: The system developer (e.g., the car producer) specifies the overall functionality of the application and determines the interfaces to subsystems developed by component suppliers. The supplier gets an interface description from the system developer and designs its component against this specification. The interface control documents (ICDs) applied at avionics systems demonstrates the successful use of interface descriptions. The advantage of the time-triggered paradigm is that interfaces are not only specified in the value but also in the time domain. SETTA interface descriptions are not only text documents, but also machine-readable files, which can be exchanged between system and component supplier. SETTA supports a graphical design methodology for system development based on different views: Logical topology view (no redundancy visible), physical topology view, communication dependency view, task topology view, bus scheduling view, task scheduling view, etc. Based on this data, all configuration files and frameworks for the program source code including a fault-tolerant layer are automatically generated.

This paper is organised as follows: Section 2 gives a brief overview on the engineering of time-triggered systems. In Section 3 we describe the global design together with the tools already available. In Section 4 we concentrate on the local design and the tools for the subsystem supplier. In Section 5, the monitoring and visualisation features within SETTA are presented. The expected results and the business impact are outlined in Section 6. The paper is concluded in Section 7.

 

2. System Overview

The main objectives of the engineering environment are the support of the design, monitoring, and visualisation of TTA applications. We put special emphasis on the design of the interfaces between the system manufacturer and the component suppliers and therefore distinguish between global and local design. The global design consists of all steps associated with the overall system architecture and is done by the system manufacturer. The result of the global design is a machine-readable file describing the interfaces between components in the value and time domain. This interface description is given to the component supplier who is in charge to develop the component according to this specification. The development of the components is referred to as local design. Finally, the system developer integrates the different components into one system and starts with testing and debugging. These steps are supported by the monitoring and visualisation facilities of the SETTA environment. In Sections 3 and 4 we will describe all development steps in more detail.

SETTA is not built from scratch, but consists of tool components, which are extended for our purposes. One of the main tool components is TRAPPER, an engineering environment, which was originally built for parallel transputer-based systems [9]. It has been used successfully for realising automotive research applications within the PROMETHEUS project "Collision Avoidance". TRAPPER is re-implemented in the context of the ESPRIT HPCN project WINPAR.

 

3. Global Design

• Specification of attributes common to all nodes within the distributed system.
• Partitioning into a set of hardware nodes connected by a communication network (broadcast bus).
• Configuration and replication of critical hardware nodes to achieve fault-tolerance.
• Specification of operational modes in which the distributed system may operate.
• Specification of communication relations between the individual nodes of the distributed system including history state, redundant messages, and the timing constraints for the communication relations.
• Scheduling of the messages on the communication network under the given timing constraints [8].
• Manual editing of the automatically generated communication schedules.
• Generation of the configuration tables for all nodes of the distributed system.

The different design steps listed above describe an iterative design approach where the final global design evolves over time until all participants, the system manufacturer and the subsystem suppliers, agree on a design of the global design data.

After such a point of unanimous agreement has been reached the subsystem suppliers can proceed with their application design (local design) independently and independently from the system manufacturer. If however, during the local design of the suppliers application any problems arise that make it impossible to achieve the desired functionality with the current global design then a re-iteration of the global design must be carried out. Of course such a re-iteration can become a very costly endeavor since the changes requested on the global design e.g., communication schedule, by one subsystem supplier may adversely affect the local design of another supplier.

Again all participants must reach an unanimous agreement on the global design data before they can proceed with their local design. Therefore, changes to the global design data after work on the application design has started should be handled with extreme care and may become prohibitively expensive in case substantial changes arerequired.

As shown in Figure 1 the partitioning and mode specification is done with TRAPPER, while the bus scheduling is supported by the message scheduling editor SCHED. The tool components exchange data via a central project database.

Figure 2 shows a screen dump of the TRAPPER demonstrated at the 2^nd TTA review. The user interface has been re-designed under consideration of the Microsoft style guide. In addition, some ideas of the Microsoft Visual C++ programming environment have been applied. The toolbar contains menus for file, edit, project, hardware, software, tools, and windows operations. The left part of the main window contains a browser with a MS Explorer-like interface which can be applied on the project, hardware, software, and attributes design space. The right part of the window is the drawing surface, in which the systems engineer graphically specifies the system configurations.

The browser in Figure 2 shows the hardware building blocks of the automotive demonstrator application used in the TTA project. The hardware configuration of the Brake-by-Wire cluster consists of a Monitor, a Brake-by-Wire Manager (BbWM), and four wheel nodes (Brake1-4). The Brake-by-Wire Manager is doubled, the four wheel nodes (BRAKE1-4) have no redundancy. All nodes are connected via a redundant bus.

Figure 3 shows the messages view of the scheduling editor SCHED. In the main area, two bus message schedules of the brake-by-wire application are displayed as matrices. The upper partly visible matrix contains the scheduling of the start-up mode; the lower matrix shows the message schedule of the application mode (mode 5). The horizontal axis is numbered by cluster cycle slots and on the vertical axis all nodes (controllers) taking part in the communication over the TTP/C bus [2],[3] are shown. In each slot or column of the matrix, exactly one node can send a message on both channels; the name of the messages sent, is given as matrix entry. The others views (Address Section, Slot Control, Controller, Role) enable the system engineer to manipulate the other message schedule or controller configuration parameters necessary for the proper operation of the TTP/C protocol. Finally, an individual configuration file for each controller is generated that can be downloaded into the flash EPROM of a TTP/C controller. The configuration file describes the interface of each controller in the value and time domain.

1. Local Design

The local design of a hardware/software subsystem developed by one supplier is concerned with the following activities, see Figure 4:

• Hardware and I/O interface configuration.
• Specification of application modes in which the subsystem may operate.
• Application software structuring and specification of subsystem-local communication and precedence relations between application tasks.
• Worst case execution time (WCET) analysis of the application tasks.
• Automatic task scheduling under the given timing, synchronization, and communication constraints.
• Manual editing of the automatically generated schedules.
• Generation of the configuration tables (TADL) for the time-triggered operating system.

Similar to the message scheduling in the global design we take an interactive approach during task scheduling, because experience in the last couple of years at our institute, at the Vienna University of Technology, has shown that such an approach suits the needs of an application developer better than a fully automated approach. An automatic scheduler will often produce inadequate schedules or will not find a feasible solution at all, if the application developer has forgotten to specify some constraints in full detail or if the specification formalism prevents the full specification of certain constraints. Therefore, we consider an incremental scheduling approach with explicit user interaction to aid and direct the automatic scheduler as an appropriate scheduling approach for statically scheduled task sets.

1. Monitoring and Visualisation

After finishing the local design of all components, the complete system is integrated by connecting all components, downloading, and executing the application software.

During run-time, the system behaviour can be traced by a monitoring system, which provides local and global monitoring. Global monitoring is based on bus tracing. The advantage of this approach is that the system behaviour can be observed without intrusion. However, the components are still "black boxes", because only the messages exchanged between components can be traced. The inner state of components like task states, variable values, etc., can only be observed via local monitoring. This approach requires additional system software, which observes application tasks during runtime and traces task states, variable values, etc. This additional system software shares its resources (CPU time, memory space) with the application tasks. Therefore, local monitoring will be intrusive and should be applied very carefully.

The hardware set-up for both approaches is nearly the same. The hardware components needed are a host computer (PC) with a plug-in board (ISA, PCI) with an IP interface to mount a TTA communication controller. The experience gained with this work is published in [7]. A major problem of this solution is the inability to provide a data throughput guarantee between the TTA and Windows NT [5]. Therefore, a new protocol was designed to provide a communication mechanism between TTA and Windows NT with guaranteed data throughput in both directions.

The objective of visualisation is to provide a better understanding of the dynamic behaviour of a TTA application. The visualisation is based on the data gathered by the monitoring systems. Two visualisation modes are provided by SETTA. The design graph visualisation uses the graphical representations specified by the systems engineer (e.g., communication diagram) as visualisation interface, whereas the time scale visualisation displays the same events in relation to a time scale.

Design graph visualisation is based on the representations specified in the design step. This view is very close to mental imagination of the application engineer, because it uses the graphical designs developed by the engineer. Various animation features such as colouring of nodes and edges, textures on nodes or edges, changing the line width or drawing arrows on the edges, displaying plots, histograms or coloured squares are offered by the visualisation tools. The diagrams can be associated with certain properties of the distributed system like processor states, bus, state, task states, variable values, communication, etc.

Time axis visualisation displays the system behaviour related to time. For a set of tasks the states are displayed either as a moving curve or by a coloured time bar. This animation represents communication operations also as edges between processes at different time instants. This feature allows a very detailed insight to the co-operation of distributed processes and therefore enables the programmer to debug and optimise his application.

2. Business Impact

The European industry is well known for its competitiveness in mechanical engineering market segments like automotive, railway, aircraft, etc. The prosperity of European Community strongly depends on the competitiveness of industries doing business in these traditional domains. In 1995, 13,3 million passenger cars were produced in EU countries. Compared to a world-wide production of 35,9 million passenger cars, companies manufactured in Europe held a world wide market share of 36% [15]. Similar figures can be given for the aircraft and railway domains. The Airbus consortium is the second largest supplier of civil aircrafts. The three largest companies doing business in the railway domains, Adtranz, GEC Alstom, and Siemens, are European companies.

The trend of substituting mechanical components by electronic components can be identified in all sectors of the transportation industry. The automotive industries will overtake the role of a technological pacemaker from the aircraft industries. The automotive industries will apply many concepts already used in modern aircraft systems (e.g., by-wire systems) but have the advantage of a high-volume market and therefore can determine the technology. In Germany, the market for automotive electronic components is growing faster than the overall electronic market [10],[11]. Safety-critical automotive applications like brake-by-wire and steer-by-wire will cause a further boost.

The paradigam shift from mechanical to IT-based systems has to be accompanied by adequate tools. To turn the research results on the Time-Triggered Architecture obtained at the Vienna University of Technology in the past ten years into a commercial success a company was founded in January 1998. TTTech is an SME start-up company founded by former members of the Vienna University of Technology and will commercially exploit TTA-specific products and services, in particular tools for time-triggered systems.

 

3. Conclusions

In this paper the SETTA engineering environment was presented. SETTA gives special support for the systems engineering of time-triggered systems. We feel that time-triggered systems will gain significant importance for the European industries, because they offer an appropriate platform for safety-critical real-time applications like drive-by-wire and fly-by-wire systems. SETTA supports all major development steps like system design, configuration, scheduling, monitoring, and visualisation. SETTA provides a graphical design methodology for system development based on different views: logical topology view (no redundancy visible), physical topology view, communication dependency view, task topology view, message scheduling view, task scheduling view, etc.

Future activities will deal with the integration of existing system design automation (SDA) tools like Statemate, Matlab, or MatrixX. SDA tools are of utmost importance to establish an efficient system development process at the transportation industries, in particular at the automotive industry. The competitive advantage of future cars is determined by IT technologies and has to be accompanied by concerns for adequate tools.

 

4. References