Modular formal analysis of the central guardian in the Time-Triggered Architecture

https://doi.org/10.1016/j.ress.2006.10.006

Abstract

The Time-Triggered Protocol TTP/C constitutes the core of the communication level of the Time-Triggered Architecture for dependable real-time systems. TTP/C ensures consistent data distribution, even in the presence of faults occurring to nodes or the communication channel. However, the protocol mechanisms of TTP/C rely on a rather optimistic fault hypothesis. Therefore, an independent component, the central guardian, employs static knowledge about the system to transform arbitrary node failures into failure modes that are covered by the fault hypothesis.

This paper presents a modular formal analysis of the communication properties of TTP/C based on the guardian approach. Through a hierarchy of formal models, we give a precise description of the arguments that support the desired correctness properties of TTP/C. First, requirements for correct communication are expressed on an abstract level. By stepwise refinement we show both that these abstract requirements are met under the optimistic fault hypothesis, and how the guardian model allows a broader class of node failures to be tolerated.

The models have been developed and mechanically checked using the specification and verification system PVS.

Introduction

The Time-Triggered Architecture (TTA) [1], [2], [3] is a distributed computer architecture for the implementation of highly dependable real-time systems. In particular, it targets embedded control applications, such as by-wire systems in the automotive or aerospace industry [4], [5]. For these safety-critical systems, fault tolerance is of utmost importance. The Time-Triggered Protocol TTP/C constitutes the core of the communication level of the TTA. It furnishes a number of important services, such as atomic broadcast, consistent membership and protection against faulty nodes, that facilitate the development of these kinds of fault-tolerant real-time applications. However, these protocol mechanisms rely on a rather optimistic fault hypothesis and assume that a fault is either a reception fault or a consistent send fault of some node [6]. In order to extend the class of faults that can be tolerated, a special hardware component, the so-called guardian, is introduced [7]. A guardian is an autonomous unit that protects the shared communication network against faulty behaviour of nodes by supervising their output. The original bus topology of the communication network employed local bus guardians, which were placed between the nodes and the bus. In the more recent star topology, central guardians are used in the hub of each star. The guardian makes use of static knowledge available in a TTA-based system to transform arbitrary node failures into those that are covered by the optimistic fault hypothesis. For example, the time interval during which a given node is allowed to access the shared communication network is statically determined in a TTA system and known a priori. The guardian can hence enforce the correct timing of message transmissions by granting write access to the network only during a node's pre-defined time slot.

The goal of this work is to formally model TTP/C guardians and analyse their fault tolerance properties. In particular, we aim at describing the benefits of the guardians by giving a precise specification of the assumptions on which the derivation of the properties is based. Formal analysis can provide an additional source of confidence in correct behaviour of a system, which is particularly important in the context of safety-critical systems. Several aspects of TTP/C and related protocols have therefore been formally modelled and analysed, including clock synchronisation [8], group membership [9], [10], [11], and the startup procedure [12], [13]. A detailed overview of formal analysis work for the TTA is given by Rushby [14]. While so far the protocol algorithms of the Time-Triggered Protocol have been the focus of the formal analyses cited above, we concentrate in this paper on the communication properties of TTP/C, thereby complementing and extending previous work.

To describe the behaviour and properties of the communication network and the guardians we develop various formal models, which are organised in a hierarchical fashion. We start by specifying the desired correctness properties of the communication in an abstract form. Subsequently, in a process of stepwise refinement, more detail is added to this initial abstract model. On the next level of the hierarchy, we consider a TTP/C system without guardians. We show that in this case the strong, optimistic fault hypothesis is necessary to guarantee correct communication. Another model then introduces guardians and specifies their behaviour. At this level we demonstrate that the optimistic assumptions can be relaxed, which leads to a fault hypothesis that covers a broader class of faults.

The development of the models is in the spirit of, and builds on, the work on modelling TTP-related aspects that has been carried out previously [8], [10], [15]. Specifically, it continues the use of the PVS specification and verification system [16] both to specify the model and the properties to be verified, and to develop formal proofs that the model satisfies the stated properties. Previous work has demonstrated the suitability of PVS for tasks of this type. The formal models that are presented in this paper have been developed, and the proofs of their properties have been mechanically checked, with the PVS system.

The paper is organised as follows. In Section 2 we give a brief overview of the main aspects of the TTA. Section 3 describes the structure of the models and motivates their organisation. Details of the components of the formal models are elaborated in Section 4. Finally, we conclude in Section 5.


Brief overview of the TTA

In this section we only briefly describe the main aspects of the TTA to the extent that is required for this paper. For more detailed presentations we refer to [3], [17], [18].

In a TTA system a set of nodes are interconnected by a real-time communication system. A node consists of the host computer, which runs the application software, and the communication controller, which accomplishes the time-triggered communication between different nodes. The nodes communicate via replicated shared media,

Bird's eye view of the formal models

The overall goal of modelling the communication network is to provide a concise description of the arguments that support the following three main correctness properties of the TTP/C communication:

  • Validity: If a correct node transmits a correct frame, then all correct receivers accept the frame.

  • Agreement: If any correct node accepts a frame, then all correct receivers do.

  • Authenticity: A correct node accepts a frame only if it has been sent by the scheduled sending node of the given slot.

Once

Modular formal analysis of TTP/C communication

In this section we present the main details of the formal models for the communication network according to the hierarchy that has been set out in the previous section. Although the formal models have been developed as a set of PVS modules (i.e., theories), the presentation is in the style of a mathematical transcription of these PVS modules. Similarly, we will explain the essential steps of the major proofs in an informal way; nevertheless, all proofs presented in this section have been

Conclusions

The goal of formally analysing aspects of the TTA is to provide mathematically substantiated arguments that architecture and algorithms provide certain services and satisfy certain critical properties. This is to support the claims that the architecture meets the high reliability requirements of safety-critical applications in the automotive or aerospace domain.

In this regard we have presented a formal analysis of the guardian-based communication of TTP/C. We have developed a series of formal

References (19)

  • Kopetz H. The time-triggered approach to real-time system design.
  • Kopetz H. The time-triggered architecture. In: Proceedings of the first international symposium on object-oriented...
  • Kopetz H, et al. Time-triggered architecture. Proc IEEE (2003).
  • Heiner G, Thurner T. Time-triggered architecture for safety-related distributed real-time systems in transportation...
  • Ringler T, Steiner J, Belschner R, Hedenetz B. Increasing system safety for by-wire applications in vehicles by using a...
  • Bauer G, Kopetz H, Steiner W. Byzantine fault containment in TTP/C. In: Proceedings of the international workshop on...
  • Bauer G, Kopetz H, Steiner W. The central guardian approach to enforce fault isolation in the time-triggered...
  • Pfeifer H, et al. Formal verification for time-triggered clock synchronization.
  • Katz S, et al. Low-overhead time-triggered group membership.


This research was supported by the European Commission under the IST project NEXT TTA (IST-2001-32111).
