Distributed fault-tolerant communication systems are used in applications where a failure could possibly result in injury or death to one or more persons. Such applications are referred to as “safety-critical applications.” One example of a safety-critical application is in a system that is used to monitor and manage sensors and actuators included in an airplane or other aerospace vehicle. These applications can be run on various network computing architectures having a plurality of nodes. In a network computing architecture, a “node” is typically a processing location such as a computer or other data processing device.
A computing architecture that is commonly considered for use in safety-critical applications is the time-triggered architecture (TTA). In a TTA system, multiple nodes in a network communicate with one another over two replicated high-speed communication channels using, for example, the Time Triggered Protocol/C (TTP/C) or the FLEXRAY protocol. In some implementations, at least one of the nodes in such a TTA system is coupled to one or more sensors and/or actuators over two replicated, low-speed serial communication channels using, for example, the Time Triggered Protocol/A (TTP/A). Traditional time-triggered systems replicate the buses for increased communication availability and require the nodes of the system to transmit simultaneously on both buses.
Various fault-tolerant control systems have been developed for safety-critical applications. For example, the full authority digital electronic control (FADEC) system includes a computer and related accessories that control all aspects of aircraft engine performance. Honeywell has developed a dual-channel FADEC system based on its modular aerospace control (MAC) platform. The MAC-based FADEC uses the Time Triggered Protocol (TTP) for inter-module communication. The TTP removes the complex interdependencies among modules and allows all modules in the system to see all data all of the time, ensuring seamless fault accommodation without complex channel-change logic. Using the TTP communications protocol, the MAC-based FADEC provides independence of safety-critical functions in the engine.
The application of a time-triggered network to a dual-lane control system (e.g., the MAC-based FADEC) maps all of the system nodes onto a fail-operational two-channel network (e.g., TTP/C). This network requires complex bus guardians to protect the system against a lane failure that breaks both channels of the bus. The network bandwidth is shared among all of the nodes, with each node transmitting redundant data on each of the network channels during its assigned time-division multiple access (TDMA) schedule slot. With the redundant functions of the nodes assigned to different slots, this approach requires the software of each lane to be different to account for the slot mapping.
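The failure mode the bus guardian exists to contain is a node that transmits outside its assigned slot on both replicated channels at once, so that bus replication alone cannot mask it. The following toy model is an added example constructed for this page; it is not code from any TTP/C implementation or from the FADEC system described above. The node names, slot assignments and the "babbling" fault flag are assumptions chosen to illustrate a single TDMA round, and the guardian here is a simple per-node slot check rather than the more complex guardians the text refers to.

```python
"""Toy model of one TDMA round on a two-channel time-triggered bus.

Constructed example: each node owns one slot per round and, when healthy,
transmits the same frame on both channels during that slot. A faulty
"babbling" node transmits in every slot. A per-node bus guardian only lets
a node drive the bus during its own slot, which contains the fault to the
node's own slot instead of corrupting both channels for the whole round.
"""
from dataclasses import dataclass

CHANNELS = ("A", "B")  # the two replicated channels


@dataclass
class Node:
    name: str
    slot: int                # assigned TDMA slot within the round
    babbling: bool = False   # assumed fault: sends in every slot


@dataclass
class Frame:
    sender: str
    slot: int
    channel: str


def transmit_round(nodes, num_slots, guardian_enabled):
    """Simulate one round.

    Returns (bus, blocked): bus maps channel -> list of frames per slot;
    blocked lists (node, slot) pairs the guardian refused.
    """
    bus = {ch: [[] for _ in range(num_slots)] for ch in CHANNELS}
    blocked = []
    for slot in range(num_slots):
        for node in nodes:
            wants_to_send = slot == node.slot or node.babbling
            if not wants_to_send:
                continue
            # Guardian: a node may only drive the bus in its own slot.
            if guardian_enabled and slot != node.slot:
                blocked.append((node.name, slot))
                continue
            # Healthy behaviour: redundant copy on each channel.
            for ch in CHANNELS:
                bus[ch][slot].append(Frame(node.name, slot, ch))
    return bus, blocked


def slot_is_valid(bus, slot):
    """A slot is usable only if exactly one frame arrived on each channel
    and both copies came from the same sender (no collision)."""
    senders = set()
    for ch in CHANNELS:
        frames = bus[ch][slot]
        if len(frames) != 1:
            return False
        senders.add(frames[0].sender)
    return len(senders) == 1


def valid_slots(bus, num_slots):
    """Slots whose data survived the round intact."""
    return [s for s in range(num_slots) if slot_is_valid(bus, s)]


def example_nodes():
    """Four nodes, one slot each; N2 is the assumed faulty (babbling) node."""
    return [
        Node("N0", 0),
        Node("N1", 1),
        Node("N2", 2, babbling=True),
        Node("N3", 3),
    ]


if __name__ == "__main__":
    nodes = example_nodes()
    for guardian in (False, True):
        bus, blocked = transmit_round(nodes, 4, guardian)
        print(f"guardian={guardian}: valid slots {valid_slots(bus, 4)}, "
              f"blocked {blocked}")
```

Without the guardian the babbling node collides with every other node on both channels, so only its own slot carries usable data; with the guardian the three out-of-slot transmissions are refused and all four slots remain valid. This is the behaviour the text describes: channel replication covers a single-channel fault, but a node that corrupts both channels needs a guardian that enforces the schedule independently of the node's own software.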