TTP/C
TTP/C is a time-triggered communication protocol for safety-critical
distributed real-time control systems. Its intended application domains are
automotive control systems, aircraft control systems, industrial and power
plants, or air traffic control.
System Overview
A computer control system built around the TTP/C protocol consists of
at least one computational cluster. Such a computational
cluster comprises a set of self-contained computers (nodes), which
communicate via a broadcast bus using the TTP protocol. An
approximate global time base is established throughout the
cluster by synchronizing the clocks located within the nodes. Each
node is considered to be fail-silent, i.e., only crash failures and
omission failures can occur. On the cluster level, node failures and
communication failures can be masked by replicating the nodes and
grouping them into Fault-Tolerant Units (FTUs). Message
transmission is replicated in both the space domain, by using two
busses, and the time domain, by sending the messages twice on each
bus.
Within a computational cluster, the communication subsystem
manages the global concern of providing reliable real-time message
transmission. The host subsystems comprise the host CPUs of
each node computer, which execute the local real-time application. The
interface between these two subsystems is called the Communication
Network Interface (CNI). It provides the host CPUs with a memory
area for submitting and receiving messages and for obtaining status
and control information about the real-time network.
Node Computers
The figure below shows the schematic structure of a TTP node computer.
The system-wide partitioning into host subsystem and communication
subsystem is reflected by the design of the node computer hardware.
There is a host subsystem executing the local part of a distributed
real-time application.
The CNI is implemented by a dual-ported memory and represents the
interface to the communication subsystem, which executes the real-time
communication protocol TTP. The protocol code as well as static
configuration data are stored in a ROM device. The TTP controller is
supported by two bus guardians (BGs). Each channel is
protected by one of these devices, which protect the bus from being
monopolized by a faulty node sending at arbitrary points in time
(babbling idiot failure).
The Time-Triggered Paradigm
In a time-triggered architecture all information about the behaviour
of the system, e.g., which node has to send what type of message at a
particular point in time, is known a priori (at design time) to all
nodes of the ensemble. TTP makes best use of this a priori information
to reduce the number and size of messages, for example, by retrieving
the message identification from the a priori known time of message
reception.
TTP is an integrated time-triggered protocol that provides prompt
transmission of messages with high data efficiency, a responsive
membership service, a fault-tolerant clock synchronization service,
mode change support, error detection with short latency, and
distributed redundancy management.
Frame Formats
TTP distinguishes two frame types. I-frames (initialization
frames) are used for system initialization. They contain the internal
state of the TTP controller in their data field. This allows
integrating nodes to participate in the protocol when they receive an
I-frame. I-frames are sent by the communication subsystem
- during the startup phase of the protocol (cold start after
power-up), and
- at predefined intervals during normal operation of the
protocol to facilitate re-integration of failed nodes.
N-frames (normal frames) are used during normal operation and
contain application data. The header byte of an N-frame contains two
fields: the first bit identifies the message type, and a three-bit
mode change field is used to request system-wide mode changes.
Bus Access Scheme
Access to the transmission medium is controlled by a static TDMA
scheme. Each node is allowed to send messages only during a
predetermined time span, called its TDMA slot. The nodes of
an FTU send in subsequent TDMA slots, which together form their FTU slot.
The sequence of the periodic TDMA slots is called a TDMA
cycle. With regard to the duration of the TDMA slots and to the
sending sequence of the nodes, all TDMA cycles are equal. However, the
length and contents of the messages (the application data) may
differ. The set of periodically recurring TDMA cycles with possibly
different message length and contents is called a cluster
cycle.
The following figure illustrates these concepts.
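The static schedule described above, and the window check a bus guardian applies against a babbling idiot, can be sketched as follows. This is an added example, not code from the TTP project; the node names, slot durations and message lengths are constructed, and the guardian is reduced to a pure time-window test.

```python
from bisect import bisect_right
from itertools import accumulate

# Constructed schedule. One TDMA cycle: (sending node, slot duration in microseconds).
# Slot order and durations are identical in every TDMA cycle.
TDMA_SLOTS = [("A1", 200), ("A2", 200), ("B1", 300), ("B2", 300)]
# Cluster cycle: for each TDMA cycle, the message length in bytes carried by each slot.
CLUSTER_CYCLE = [[8, 8, 4, 4], [2, 2, 16, 16]]

SLOT_ENDS = list(accumulate(d for _, d in TDMA_SLOTS))  # [200, 400, 700, 1000]
TDMA_LEN = SLOT_ENDS[-1]
CLUSTER_LEN = TDMA_LEN * len(CLUSTER_CYCLE)


def slot_at(t_us):
    """Map global time to (tdma_cycle, slot, sender, msg_len) from static data only.

    No identifier is read from the frame: the receiver derives who is sending
    and what is being sent from the time of reception.
    """
    cycle, offset = divmod(t_us % CLUSTER_LEN, TDMA_LEN)
    slot = bisect_right(SLOT_ENDS, offset)
    return cycle, slot, TDMA_SLOTS[slot][0], CLUSTER_CYCLE[cycle][slot]


def guardian_permits(node, start_us, duration_us):
    """Bus guardian check: the whole transmission must lie inside the node's own slot."""
    if duration_us <= 0:
        return False
    end_us = start_us + duration_us - 1
    c1, s1, sender, _ = slot_at(start_us)
    c2, s2, _, _ = slot_at(end_us)
    # Same slot at both ends, and short enough that it did not wrap a whole cycle.
    fits = (c1, s1) == (c2, s2) and duration_us <= TDMA_SLOTS[s1][1]
    return fits and sender == node
```

A node that transmits outside its slot, or keeps transmitting past the end of it, is blocked by the guardian regardless of what its controller believes the time to be.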
The Message Descriptor List
The attributes of the messages sent and received by the protocol are
described in a static configuration data structure, the Message
Descriptor List (MEDL) that resides in the ROM within the
communication subsystem. According to this list the TTP controller
periodically and autonomously reads the messages to be transmitted
from the message base interface (MBI) and writes received messages to
the MBI. The most important information contained in the MEDL is
therefore the address of each message in the MBI and the length of
the message.
The Controller State
In TTP all nodes are forced to implicitly agree on their
controller states (C-states). The controller state consists
of three fields: the MEDL position, the time, and the membership. The
MEDL position field is a pointer to the current entry in the MEDL,
i.e., it identifies the current mode and TDMA slot. The time field
contains the global time at the beginning of the current FTU slot. The
membership field indicates which FTUs have been active and which FTUs
have been inactive at their last membership point. To enforce C-state
agreement between a sender and a receiver, the CRC of a normal message
is calculated over the message contents concatenated with the local
C-state. A receiver can only interpret the frame if sender and
receiver agree about the controller state at the time of sending and
receiving. In case the C-state of the sender differs from the C-state
of the receiver, the message will be discarded by the receiver due to
the different CRC.
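The implicit agreement check described above can be shown with a sender and a receiver that each mix their own C-state into the CRC. This is an added example, not the TTP controller's code; the CRC polynomial (CRC-16/CCITT via binascii.crc_hqx), the 16-bit width of each C-state field, and the inclusion of the header byte in the CRC input are assumptions, since the page does not specify them.

```python
import struct
from binascii import crc_hqx  # CRC-16/CCITT; the choice of polynomial is an assumption


def pack_cstate(medl_pos, time, membership):
    """Serialize the three C-state fields (assumed widths: 16 bits each)."""
    return struct.pack(">HHH", medl_pos, time, membership)


def send_nframe(header, data, cstate):
    """Sender side: the CRC covers the frame contents concatenated with the
    local C-state. The C-state itself is never put on the bus."""
    body = bytes([header]) + data
    crc = crc_hqx(body + cstate, 0xFFFF)
    return body + struct.pack(">H", crc)


def receive_nframe(frame, cstate):
    """Receiver side: recompute the CRC with the receiver's own C-state.

    Returns the application data, or None if the frame must be discarded.
    """
    if len(frame) < 3:  # header byte plus 2-byte CRC is the minimum
        return None
    body, rx_crc = frame[:-2], struct.unpack(">H", frame[-2:])[0]
    if crc_hqx(body + cstate, 0xFFFF) != rx_crc:
        return None  # C-state disagreement or corruption: indistinguishable here
    return body[1:]


# Constructed sample values: MEDL position 5, global time 1200, membership 0b1011.
SENDER_CSTATE = pack_cstate(5, 1200, 0b1011)
SAMPLE_FRAME = send_nframe(0x00, b"\x10\x20\x30", SENDER_CSTATE)
```

From the receiver's point of view a C-state disagreement and a transmission error both appear as the same CRC failure; the frame carries nothing that would tell them apart.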
This page was last updated on Sep 30 1997 by webmaster@vmars.tuwien.ac.at