A Fault-Tolerance-Layer for a Distributed Real-Time System

In this basic research project the concepts and issues related to the design and implementation of an autonomous fault-tolerant-unit (FTU) layer in a distributed time-triggered architecture for safety critical real-time applications will be investigated. The project starts with a conceptual analysis of the issues that must be explored to encapsulate the FTU layer. It then plans to build discrete. FTU Layer hardware board and to design the FTU layer software for the experimental evaluation of the concepts by fault-injection techniques. The project builds on the results of the FWF research project "Sichere Computersysteme", the BRITE EURAM project "X-by-Wire" and the ESPRIT OMI project "TTA", using the TTP controller chip that is being developed in the TTA project as a basic building block. In case the project demonstrates that an autonomous FTU layer with small external interfaces to the host system can be specified, an enhanced version of the TTP controller chip that includes this FTU layer can be built. Such a chip could become a high tech product for the world market

The constantly decreasing price/performance ratio of digital microcontrollers enables system engineers to replace traditional electro-mechanical control devices by digital control systems. Digital control saves costs and weight, introduces additional functionality, and allows for scalable reliability. This last point justifies the use of digital control in safety-critical applications like airborne systems and computer-controlled cars where reliability requirements can only be met if fault tolerance is introduced. The introduction of fault tolerance, however, increases the complexity of the digital control system and, thus, the costs for development, verification, and certification. In particular, the use of a proprietary fault tolerance layer requires renewed verification and certification of fault-tolerance mechanisms if applications are subject to changes. This project designed and implemented a generic fault tolerance layer, which can be transparent to applications in both the time and the value domain. Transparency allows application design and implementation without having to be concerned with redundancy issues. Further, generic fault tolerance services may be verified and certified once for all possible applications. These properties contribute to a reduction of the time-to-market period and, consequently, save development costs. To achieve transparency in both the time and the value domain, this fault tolerance layer is based on a time- triggered computing paradigm. The inherent properties of a time-triggered computing and communications environment support the design of transparent fault tolerance in the value domain. Further, the project demonstrates that a time-triggered approach allows temporal de-composition of components thus enabling transparent fault tolerance in the time domain. As a proof of concept, a prototype implementation of the fault tolerance layer based on the time-triggered communications protocol TTP/C was established in the course of the project. This implementation was integrated with the TTP/C communications protocol implementation and is thus contained in the firmware of a dedicated communications controller. Consequently, there is no need for specific fault tolerance mechanisms to be implemented within the host computer system. Finally, the implementation was exposed to exhaustive fault injection experiments, which gave evidence that the concepts are solid.