Communications systems often operate in an environment whose disturbance potential cannot be defined precisely. This is especially true for avionic and automotive applications, whose disturbance environment changes constantly. The communications systems [1] currently in use, which are not safety-critical, meet the following reliability requirements:
Communication errors must be detectable.
The failure of one subscriber must not disable the communications system.
The order of a transmitter's messages is preserved at reception.
Messages are delivered in a timely manner with high probability.
Today's motor vehicles contain components that each perform an individual safety-critical task and communicate with other components; this communication is not itself safety-critical. The focus of the research, in contrast, is components that together perform complex safety-critical tasks under hard real-time conditions, so that the communications system itself becomes safety-critical. Such applications impose further requirements on a communications system, which current systems can only partially meet:
The communications system must be fail-operational, that is, it must continue to perform its task despite any possible disturbance or failure. In particular, redundant communication paths must be supported.
The communications system must reliably distinguish permanent errors from transient disturbances, and must exclude defective components, and only defective components.
Changes in the communications system (failure and restart of stations) must be reported to the application as quickly as possible and consistently across the network.
Corruption of messages must be reliably detected, up to the maximum assumed duration of a disturbance.
Critical messages must be transmitted within a guaranteed time frame.
Multicast messages are required and must be transmitted atomically. The global ordering of certain messages from different sources must be preserved.
It must be possible to perform a safety verification, which must rule out the possibility that the communications system negatively affects safety functions in the individual components. If components must collectively perform a safety-critical task, the safety verification must cover the communications system together with all components.
In addition to reliability and safety requirements, communications systems are also subject to the following requirements in practice:
It is crucial that stations and functions can easily be integrated into an overall system, and that individual stations are simple to configure.
Dynamic removal and addition of communication subscribers, and the ability to expand the network, are further important features.
A future-oriented communications system must keep pace with technical advances and remain open to further development. It should be suitable for high transmission speeds and be able to operate on different physical media. Conceivable application architectures, particularly for redundant operation, must not be impeded or prevented.
Finally, the communications system must be cost-effective.
The protocol of a communications system is the system's "motor." Protocols can be roughly divided into two classes according to their access method: synchronous and asynchronous.
Asynchronous access methods have a short average access time, which, however, cannot be guaranteed (or only for one specific message). The best-known protocols with asynchronous arbitration developed for motor-vehicle use are CAN [2] and ABUS [3].
Synchronous access methods are better able to guarantee access. They operate according to three different fundamental principles: master/slave, token access and time-division multiple access (TDMA):
Simple master/slave protocols, such as the MIL-STD-1553B protocol [12] developed for military aircraft and vehicles, rely on their master and fail when it fails. In multi-master protocols the master role can be transferred to another network station in the event of an error, but in that case the flow of messages is interrupted and no longer deterministic.
Protocols operating according to the token principle, such as the token-bus protocol [9] and its variants, are also not strictly deterministic in the presence of errors (timing problems in detecting token loss and in agreeing on the regeneration of the token), or, as in the token-ring protocol [10], require an active communication path, which is difficult and costly to provide.
TDMA-based protocols can be designed so as to operate deterministically, even in the event of an error.
Standardized protocols are often combinations of the above fundamental principles.
The TCN protocols [4] MVB and WTB, for example, are used in the railway industry. They include an alternating central master control but otherwise operate according to the TDMA principle. A non-deterministic TDMA protocol in which subscribers are allocated time slices dynamically during operation is the protocol according to U.S. Pat. No. 4,161,786 [14]. The protocol ARINC 629 (MTDB) [13], developed for aviation, is a TDMA protocol controlled by local clocks; it monitors the bus to prevent collisions and operates deterministically only if all subscribers abide by their time limits. The protocol ARINC 659 (SAFEbus) [7] provides strict TDMA arbitration. It was likewise developed for reliable aviation systems, but requires a complex and costly physical implementation and, as a back-plane bus, is too short (42 inches) for spatially distributed applications.
This application introduces a protocol based on a pure, distributed and strictly deterministic TDMA arbitration. The protocol takes the aforementioned requirements into account, is extremely robust against short, sustained and periodic disturbances, and makes use of every reasonable means of maintaining communication. It presupposes a synchronous, distributed time base, which can be realized with continuous messages [5] or by local clocks [6]. The protocol is not biased toward any particular software architecture of the application. It is compatible with configurations ranging from redundant, safety-critical stations to simple, non-critical ones, with timing requirements ranging from relaxed to hard real-time. In addition to the recurring themes of fault tolerance and reliability, aspects such as practicality, cost and future development were of prime consideration in the development of the protocol.
For safety-critical systems, static (pre-runtime) scheduling of application processes is advantageous because it is easier to verify. An obvious approach is to synchronize protocol and application, which yields a time-triggered architecture (TTA): a single global clock, which can be realized in distributed form, controls all system activities, both user functions and communication. In such an architecture, information can flow as follows: a message is produced in a predetermined time slice, transmitted and received in the following time slice, and further processed in the receiving station during the time slice after that (minimal delivery delay, delay jitter = 0). The present protocol and the time-triggered protocol [8], which is also intended for motor-vehicle applications, can be components of such a fully time-triggered architecture.
Fully time-triggered architectures and their static allocation of activities are extremely advantageous, particularly for simplifying the safety verification and for synchronizing redundant stations. They are, however, also associated with several problems:
If messages are disturbed or lost in transit, there is no time for a re-transmission. The TTP protocol provides for the termination of the affected stations in such a case.
Because the timing of each component must match that of the entire system, cost and effort become problematic if a time-triggered architecture is applied to a system or product with numerous variants rather than to a specialized product. Different configurations of the same component exist both for different vehicle types and for different equipment variants. This requires configuration management during the construction of a motor vehicle and during later installation and replacement of components.
Time-triggered systems that execute so-called mode changes during transitions between flight phases are used in aviation and aerospace. Different modes, that is, different allocations of transmission rights, are necessary in time-triggered systems whenever the system must be adapted to a changed situation, and mode changes are therefore provided in the present protocol. Executing a mode change during a disturbance, however, causes considerable problems for consistency and real-time processing, even if the modes are severely restricted and no arbitrary modes are permitted. Mode changes can therefore only be executed in the disturbance-free case. In addition, every mode of every component must be carried along by every other component, even if that component itself requires no different modes. This means that each component must, in principle, be able to perform its task in each mode, and its internal temporal processes must conform to the modes.
To summarize: the protocol should not compel a general synchronization with the application; it should, however, permit such synchronization, so that parts of the application can operate time-triggered, protocol-synchronized time-triggered, or result-controlled, side by side. A time-triggered, protocol-synchronized software architecture can be practical for a reliable and highly available motor-vehicle base system consisting, for example, of a redundant driver station and four wheel-module stations. All other parts can operate under result control. Mode changes, that is, jumps between different time-slice allocations during operation, should not be normal procedure.
It is the primary object of the invention to provide a protocol for transmitting messages between transmitting and receiving stations in safety-critical applications, based on a global time-slice allocation, with which disturbances in the communications system are reliably and consistently detected, and disturbed communication subscribers are reliably and consistently identified and excluded. In accordance with the invention, this object is accomplished by the features characterized in the claims.
The function of the protocol is independent of the application, and its course cannot be influenced by the application. The protocol provides each station with a certain transmission capacity per unit of time. As long as the application located there requests transfer services within these limits, a maximum transmission time can be guaranteed under given disturbance conditions. Because of this independence from the application, no special configuration of the protocol is necessary. The coordination among the different suppliers of station modules with respect to the protocol is limited to the use of a matched, unambiguous station address and the access information.
The protocol is based on the TDMA (Time-Division Multiple Access) method. In TDMA, time is divided into time slices, which are maintained largely synchronously in all stations. At least one time slice in each TDMA cycle is statically allocated to each station, and within its time slice the station alone is authorized to transmit on the common communication medium. This method is efficient if, as in our case, the number of communication subscribers and the lengths of the messages are expected to be small. Together with the transmission rate of the hardware, which must be economically justifiable, these two parameters determine the access time.
A significant advantage of TDMA is deterministic access: a total blockade of the communications system is precluded in principle. In the error-free case, a maximum duration for the transmission of messages can be guaranteed for each station, provided the station abides by its authorized limit. To ensure a maximum duration for message transport even under disturbances and failures, the simple TDMA method must be extended for the protocol.
The higher the transmission speed on a communication line, the more likely a disturbance is to occur. The disturbances to which a motor vehicle is exposed, and which are caused by devices in the vehicle itself, must be overcome either structurally or by the protocol. These include, on the one hand, stochastic and burst-type disturbances caused by external influences or originating from internal switching processes. On the other hand, there are periodic disturbances, caused by internal or neighboring sources, which can have particularly negative effects on a periodic protocol. Examples are disturbances from the ignition and the generator, whose period also changes as a function of the engine speed (rpm). If such disturbances occur even temporarily, which can happen due to production, aging or maintenance faults in the disturbance-suppressing components, a certain engine speed can have a fatal effect on a strictly periodic TDMA protocol.
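The following Python model is added here as an illustration and is not part of the patent. It shows, for a static TDMA cycle, the error-avoidance guard that confines each station to its own slot and the bounded (one-cycle) worst-case access time in the error-free case, together with the problem just described: a periodic disturbance whose period coincides with the TDMA cycle hits the same slot in every cycle, so one station loses every message and looks permanently defective although its hardware is sound, whereas a disturbance whose period is not commensurate with the cycle spreads its losses across all stations. Slot count, slot length, frame overhead, guard time and the disturbance parameters are constructed values, not figures from the patent.

```python
"""Static TDMA cycle model: slot ownership guard, bounded access time, and
aliasing of a periodic disturbance onto a single station's slot.

Added illustration, not code from the patent. All numeric parameters below
are constructed (slot length, frame overhead, burst period/width/phase).
"""
from dataclasses import dataclass
from math import ceil, floor


@dataclass(frozen=True)
class TdmaCycle:
    n_slots: int       # one statically allocated slot per station here
    slot_len_us: int   # assumption: integer microseconds per slot

    @property
    def cycle_us(self) -> int:
        return self.n_slots * self.slot_len_us

    def slot_window(self, cycle_idx: int, slot: int) -> tuple[int, int]:
        """[start, end) of a slot within a given cycle, in microseconds."""
        start = cycle_idx * self.cycle_us + slot * self.slot_len_us
        return start, start + self.slot_len_us

    def owner_at(self, t_us: int) -> int:
        """Slot index (= station) that alone may transmit at time t."""
        return (t_us // self.slot_len_us) % self.n_slots


def guarded_transmit(cycle: TdmaCycle, station_slot: int, t_us: int) -> bool:
    """Error-avoidance device: a transmit attempt outside the station's own
    slot is intercepted and never reaches the bus. Returns True if allowed."""
    return cycle.owner_at(t_us) == station_slot


def worst_case_access_us(cycle: TdmaCycle) -> int:
    """A message queued just after the station's slot has passed waits one
    full cycle in the error-free case; this bound is what TDMA guarantees."""
    return cycle.cycle_us


def slot_len_us(payload_bytes: int, overhead_bits: int,
                bit_rate: float, guard_us: float) -> float:
    """Slot length needed for one frame plus a guard time. The framing
    overhead and guard time are assumptions for sizing, not the patent's."""
    return (payload_bytes * 8 + overhead_bits) / bit_rate * 1e6 + guard_us


@dataclass(frozen=True)
class PeriodicBurst:
    period_us: int   # e.g. ignition/generator period, varies with rpm
    width_us: int    # duration of each burst
    phase_us: int    # start of the first burst

    def overlaps(self, start: int, end: int) -> bool:
        """Does any burst [phase + k*period, +width) intersect [start, end)?"""
        k_lo = floor((start - self.phase_us - self.width_us) / self.period_us)
        k_hi = ceil((end - self.phase_us) / self.period_us)
        for k in range(k_lo, k_hi + 1):
            b0 = self.phase_us + k * self.period_us
            if b0 < end and b0 + self.width_us > start:
                return True
        return False


def lost_per_station(cycle: TdmaCycle, burst: PeriodicBurst,
                     n_cycles: int) -> list[int]:
    """Messages lost per station over n_cycles; any overlap of a burst with
    a slot is treated as a corrupted, and therefore rejected, frame."""
    lost = [0] * cycle.n_slots
    for c in range(n_cycles):
        for s in range(cycle.n_slots):
            if burst.overlaps(*cycle.slot_window(c, s)):
                lost[s] += 1
    return lost


if __name__ == "__main__":
    tdma = TdmaCycle(n_slots=8, slot_len_us=100)   # 800 us cycle
    cycles = 30
    # Burst period equal to the cycle period: slot 2 is hit every cycle, so
    # that station loses 30 of 30 messages while all others lose none.
    locked = PeriodicBurst(period_us=800, width_us=20, phase_us=250)
    print("commensurate:", lost_per_station(tdma, locked, cycles))
    # Burst period not commensurate with the cycle: each station loses
    # one message in three, and no station is singled out.
    drifting = PeriodicBurst(period_us=300, width_us=20, phase_us=0)
    print("spread      :", lost_per_station(tdma, drifting, cycles))
    print("worst-case access:", worst_case_access_us(tdma), "us")
    print("slot for 8 B @ 1 Mbit/s:", slot_len_us(8, 32, 1e6, 5), "us")
```

The commensurate case is the one the text warns about: a protocol that excludes a station after a fixed number of consecutive losses would wrongly declare station 2 permanently defective, which is why the protocol must distinguish a periodic disturbance from a real hardware fault rather than count losses alone.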
The following marginal conditions apply:
The topology of the communications system:
A bit-serial bus is used, with a maximum length of about 100 m, which can be provided redundantly. The subscriber stations are connected to the bus line, e.g. a (shielded) two-wire line, by means of transceivers, so as to rule out a communication blockage caused by a permanent hardware fault in an individual station.
Requirements for the communication subscribers:
The subscriber stations possess an error-avoidance device, which ensures that a transmission attempt outside the station's time interval is intercepted. Stations are furthermore able to generate special signals (VETO) that can be identified with high probability even under heavy disturbance. Because VETO signals carry no information other than their presence, they can be realized as dominant signal levels or fed-back bidirectional signals. The signals should, however, be distinctive enough that the receiver only rarely interprets a disturbance as a VETO signal.
The lengths of messages, messages per time unit:
The required message length of the applications is expected to be between a few bytes and a few tens of bytes. If future data-intensive applications such as route guidance are to be operated over this communications system, high-speed hardware will be essential.
The number of communication subscribers:
Depending on the task, vehicle applications require
extremely-frequent, periodic bus access, e.g. control subsystem;
frequent, periodic bus access, e.g. brakes subsystem;
or less-frequent (periodic) access with less stringent timing requirements.
The required access times of the subscribers therefore vary, and in the hardest case are expected to be about 1 ms. With the useful data quantities mentioned above and today's conventional transmission speeds (1 to 10 Mbit/s), the maximum number of stations requiring more or less hard real-time transport conditions is limited to about 32. Further stations that require fewer real-time guarantees operate in the same network.
Quality of the message transport (transport duration, loss, doubling, sequence):
The transport duration of a message is guaranteed. If a message is lost, the application is notified directly and immediately. Duplication and reordering of messages are precluded.
Type of connection (synchronous, asynchronous), communication relationships (1 to 1, 1 to n):
For reasons of system consistency (all stations receive a command or status message simultaneously) and expandability, messages are broadcast, which precludes connection-oriented operation. The protocol controller operates independently of the application; user messages are either transmitted synchronously, in which case the application waits, or asynchronously, without waiting, via queues or at pre-planned times. If no message is pending, the protocol controller acts according to its own needs.
The type and frequency of environmental disturbances:
The protocol is intended to operate reliably in severely disturbed environments with frequent as well as periodically occurring transmission errors, which may at times appear in bursts. Permanent errors of the communication hardware are recognized and the affected subscriber is excluded, whereas transient disturbances do not lead to the exclusion of a station. An excluded station can be re-incorporated into the running protocol.
Tolerable disturbances into the environment from the communications system:
With encapsulated stations and shielded bus lines, disturbances emitted into the environment by the communication, as well as disturbances from the environment, can be greatly reduced. The protocol itself includes no measures for this.
The invention is described below by way of example, beginning with a short introduction to the protocol. A detailed description, the protocol states and the rules are given in the subsequent sections.