jf.bib

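@comment{MARAU_DAES_2007 is a chapter in an edited SAE volume, so it is an
  incollection entry: the chapter title goes in title, the book title in
  booktitle. Empty optional fields were dropped; month uses the macro.}
@incollection{MARAU_DAES_2007,
  author    = {Marau, R. and Silva, V. and Ferreira, J. and Almeida, L. and Pedreiras, P. and Martins, E. and Fonseca, J. A.},
  title     = {Assessment of {FTT-CAN} master replication mechanisms for safety-critical applications},
  booktitle = {Distributed Automotive Embedded Systems},
  publisher = {SAE International},
  year      = {2007},
  month     = nov,
  isbn      = {978-0-7680-1966-7},
  keywords  = {FTT, FTT-CAN, CAN, Real-Time communications, protocols, Embedded systems},
  abstract  = {The operational flexibility of distributed embedded systems is receiving growing attention because it is required to support on-line adaptation to varying operational conditions, either due to changes in the environment or to faults in the system. However, flexibility makes dependability more difficult to achieve, because there is less a priori knowledge. One protocol that favors flexibility and is widely used in embedded systems, particularly in automotive and robotic systems, is CAN, but some claim that it is not adequate to support safety-critical applications. We argue that CAN, deployed with an adequate overlay protocol, can provide the required support for dependability and flexibility. One such overlying protocol is Flexible Time-Triggered CAN (FTTCAN), that enforces a global notion of time and a global periodic schedule by means of specific messages issued by a master node. In this paper we assess the FTT-CAN master replication mechanisms implemented in a distributed robot control system. Above all, we provide experimental results that show the robustness of such mechanisms},
}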
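@comment{ALMEIDA_HRTES_2007 is a chapter in an edited handbook, so it is an
  incollection entry: chapter title in title, handbook title in booktitle.
  Empty optional fields were dropped.}
@incollection{ALMEIDA_HRTES_2007,
  author    = {Almeida, L. and Pedreiras, P. and Ferreira, J. and Calha, J. and Fonseca, J. A. and Marau, R. and Silva, R. and Martins, E.},
  title     = {Online {QoS} Adaptation with the Flexible Time-Triggered ({FTT}) Communication Paradigm},
  booktitle = {Handbook of Real-Time and Embedded Systems},
  publisher = {Chapman and Hall/CRC},
  year      = {2007},
  isbn      = {978-1-58488-678-5},
  keywords  = {Ethernet, FTT, FTT-SE, Real-Time communications},
}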
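@inproceedings{SANTOS_ETFA_2006,
  author    = {Santos, F. and Trovao, J. and Marques, A. and Pedreiras, P. and Ferreira, J. and Almeida, L. and Santos, M.},
  title     = {A Modular Control Architecture for a Small Electric Vehicle},
  booktitle = {11th {IEEE} International Conference on Emerging Technologies and Factory Automation ({ETFA}'2006) Proceedings},
  year      = {2006},
  pages     = {139--144},
  address   = {Prague, Czech Republic},
  month     = sep,
  doi       = {10.1109/ETFA.2006.355456},
  isbn      = {0-7803-9758-4},
  keywords  = {CAN, FTT-CAN, accelerate-by-wire safety critical function, brake-by-wire safety critical functions, communication infrastructure, fault-tolerant modular control architecture, small electric vehicle, steer-by-wire safety critical function, x-by-wire subsystems},
  abstract  = {This paper presents a fault-tolerant modular control architecture for an electrical vehicle (VEIL) equipped with x-by-wire sub-systems. The proposed architecture is based on COTS components and includes steer-by-wire, brake-by-wire and accelerate-by-wire safety critical functions. The communication infrastructure is based on the FTT-CAN protocol, which provides the joint scheduling of message and tasks, according to a holistic approach},
}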
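@article{FERREIRA_II_2006,
  author    = {Ferreira, J. and Almeida, L. and Fonseca, J. A. and Pedreiras, P. and Martins, E. and Rodriguez-Navas, G. and Rigo, J. and Proenza, J.},
  title     = {Combining operational flexibility and dependability in {FTT-CAN}},
  journal   = {{IEEE} Transactions on Industrial Informatics},
  year      = {2006},
  volume    = {2},
  number    = {2},
  pages     = {95--102},
  month     = may,
  doi       = {10.1109/TII.2005.875508},
  issn      = {1551-3203},
  keywords  = {CAN, FTT-CAN, distributed safety-critical systems, dynamic online traffic scheduling, dynamic traffic management, fail-silence enforcement, fault tolerance, flexible time-triggered CAN, master replication, operational dependability, operational flexibility},
  abstract  = {The traditional approaches to the design of distributed safety-critical systems, due to fault-tolerance reasons, have mostly considered static cyclic table-based traffic scheduling. However, there is a growing demand for operational flexibility and integration, mainly to improve efficiency in the use of system resources, with the network playing a central role to support such properties. This calls for dynamic online traffic scheduling techniques so that dynamic communication requirements are adequately supported. Nevertheless, using dynamic traffic management mechanisms raises additional problems, in terms of fault-tolerance, related with the weaker knowledge of the future system state caused by the higher level of operational flexibility. Such problems have been recently addressed in the scope of using flexible time-triggered CAN (FTT-CAN) in safety-critical applications in order to benefit from the high operational flexibility of this protocol. This paper gathers and reviews the main mechanisms that were developed to provide dependability to the protocol, namely, master replication and fail-silence enforcement},
}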
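@comment{MARAU_SAE_2006: the template placeholders that were left in note and
  key (they would have been printed in the bibliography and would have
  overridden the sort key) were removed; empty optional fields dropped.}
@article{MARAU_SAE_2006,
  author    = {Marau, R. and Almeida, L. and Fonseca, J. A. and Ferreira, J. and Silva, V.},
  title     = {Assessment of {FTT-CAN} master replication mechanisms for safety-critical applications},
  journal   = {{SAE} 2006 Transactions Journal of Passenger Cars: Electronic and Electrical Systems},
  year      = {2006},
  month     = apr,
  doi       = {10.4271/2006-01-1024},
  keywords  = {CAN, FTT, FTT-CAN, Real-Time communications, Embedded systems, protocols},
  abstract  = {The operational flexibility of distributed embedded systems is receiving growing attention because it is required to support on-line adaptation to varying operational conditions, either due to changes in the environment or to faults in the system. However, flexibility makes dependability more difficult to achieve, because there is less a priori knowledge. One protocol that favors flexibility and is widely used in embedded systems, particularly in automotive and robotic systems, is CAN, but some claim that it is not adequate to support safety-critical applications. We argue that CAN, deployed with an adequate overlay protocol, can provide the required support for dependability and flexibility. One such overlying protocol is Flexible Time-Triggered CAN (FTTCAN), that enforces a global notion of time and a global periodic schedule by means of specific messages issued by a master node. In this paper we assess the FTT-CAN master replication mechanisms implemented in a distributed robot control system. Above all, we provide experimental results that show the robustness of such mechanisms},
}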
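@inproceedings{SILVA_ETFA_2005,
  author    = {Silva, V. and Marau, R. and Almeida, L. and Ferreira, J. and Calha, M. and Pedreiras, P. and Fonseca, J. A.},
  title     = {Implementing a distributed sensing and actuation system: The {CAMBADA} robots case study},
  booktitle = {10th {IEEE} Conference on Emerging Technologies and Factory Automation ({ETFA}'2005) Proceedings},
  year      = {2005},
  volume    = {2},
  pages     = {781--788},
  address   = {Catania, Italy},
  month     = sep,
  doi       = {10.1109/ETFA.2005.1612753},
  isbn      = {0-7803-9401-1},
  keywords  = {CAN, FTT-CAN, CAMBADA, controller area network, distributed actuation system, distributed computing architecture, distributed embedded system, distributed sensing system, mobile autonomous robotics},
  abstract  = {The use of distributed computing architectures has become commonplace in complex embedded systems with potential advantages, for example, in terms of scalability, dependability and maintainability. One particular area in which that trend can be witnessed is mobile autonomous robotics in which several sensors and actuators are interconnected by means of a control network. In this paper we address one case study concerning the CAMBADA robots that were developed at the University of Aveiro for the Robocup Middle Size League. These robots have a distributed architecture with two layers, a coordination layer responsible for the global behaviors and a distributed sensing and actuating layer that conveys internal state information and executes coordination commands. This paper focuses on the latter layer, which is based on the FTT-CAN protocol, following a network-centric approach that provides an efficient framework for the synchronization of all systems activities. We describe the computing and communication requirements, the robot architecture, the system design and implementation, and finally we provide experimental results that show advantages with respect to a non-synchronized distributed approach},
}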
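@inproceedings{FERREIRA_WTR_2005,
  author    = {Ferreira, J. and Almeida, L. and Fonseca, J. A. and Pedreiras, P. and Santos, M.},
  title     = {On the dependability and flexibility of {CAN} and {CAN} based protocols},
  booktitle = {VII Workshop de Tempo Real ({WTR}'2005) Proceedings},
  year      = {2005},
  address   = {Fortaleza, Brazil},
  month     = may,
  keywords  = {CAN, FTT-CAN, FTT},
  abstract  = {The traditional approaches to the design of distributed safety-critical systems, due to fault-tolerance reasons, have mostly considered static cyclic table-based traffic scheduling. However, there is a growing demand for operational flexibility and integration, mainly to improve efficiency in the use of system resources, with the network playing a central role to support such properties. This calls for dynamic on-line traffic scheduling techniques so that dynamic communication requirements are adequately supported. Nevertheless, using dynamic traffic management mechanisms raises additional problems, in terms of fault-tolerance, related with the weaker knowledge of the future system state caused by the higher level of operational flexibility. Such problems have been recently addressed in the scope of using Flexible Time-Triggered CAN (FTT-CAN) in safety-critical applications in order to benefit from the high operational flexibility of this protocol. The paper gathers and reviews the main mechanisms that were developed to provide dependability to the protocol, namely master replication and fail-silence enforcement},
}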
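@comment{FERREIRA_SRDS_2003: the two acronyms in booktitle were attached to
  the wrong names (SRDS is the Symposium on Reliable Distributed Systems, as
  the citation key itself indicates); they are now paired correctly.}
@inproceedings{FERREIRA_SRDS_2003,
  author    = {Ferreira, J. and Almeida, L. and Fonseca, J. A. and Rodriguez-Navas, G.},
  title     = {Enforcing Consistency of Communication Requirements Updates in {FTT-CAN}},
  booktitle = {Workshop on Dependable Embedded Systems ({DES}'2003) Proceedings of the 22nd Symposium on Reliable Distributed Systems ({SRDS}'2003)},
  year      = {2003},
  address   = {Florence, Italy},
  month     = oct,
  keywords  = {CAN, FTT-CAN, Protocols},
  abstract  = {Traditional design approaches to safety-critical distributed systems, due to fault-tolerance reasons, have typically considered static cyclic table-based traffic scheduling. However, there is a growing demand for flexibility and integration, mainly to improve efficiency in the use of system resources, with the network playing a central role to support such properties. This calls for dynamic on-line traffic scheduling techniques so that dynamic communication requirements are adequately supported. The FTT-CAN protocol (Flexible Time-Triggered communication over Controller Area Network) has been developed specifically to deliver that kind of support with timeliness guarantees. It uses a master-slave approach with one or more master replicas for fault-tolerance reasons. The communication requirements are held in a table, that is replicated in all masters. This paper considers the problem of updating the communication requirements while maintaining coherency and synchronization between the master and all its replicas. The paper also discusses the generalization of the proposed mechanism which can easily be adapted to other dynamic master-slave protocols},
}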
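@comment{FERREIRA_SICICA_2003 is a symposium paper: the venue was stored in
  journal under an article entry, which standard styles would typeset as a
  journal name. It is now an inproceedings entry with the venue in booktitle.}
@inproceedings{FERREIRA_SICICA_2003,
  author    = {Ferreira, J. and Almeida, L. and Martins, L. and Pedreiras, P.},
  title     = {Components to enforce fail-silent behaviour in dynamic master-slave systems},
  booktitle = {5th {IFAC} International Symposium on Intelligent Components and Instruments for Control Applications ({SICICA}'2003)},
  year      = {2003},
  pages     = {143--150},
  month     = jul,
  keywords  = {CAN, FTT-CAN, field buses},
  abstract  = {This paper considers the case in which master-slave fieldbus networks are used in safety-critical embedded applications, such as transportation systems. Traditional approaches to system design, due to fault-tolerance reasons, have considered static cyclic table-based traffic scheduling, only. However, there is a growing demand for flexibility and integration, mainly to improve efficiency in the use of system resources, with the network playing a central role to support such properties. This calls for dynamic on-line traffic scheduling techniques so that dynamic communication requirements are adequately supported. This paper considers such dynamic master-slave architectures and addresses the problem of enforcing fail silent behavior both in the master and in the slave nodes. Two different mechanisms are proposed, one based on dynamic bus guardians for the slave nodes only, to impose fail silent behavior in the time domain, and other based on internal replication and temporized agreement, to impose fail silence both in the temporal and value domains. Despite being potentially applicable to a set of master-slave networks, this paper discusses the specific implementation of the proposed mechanisms on top of the FTT-CAN protocol},
}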
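@inproceedings{FONSECA_AFRICON_2002,
  author    = {Fonseca, J. A. and Ferreira, J. and Calha, M. and Pedreiras, P. and Almeida, L.},
  title     = {Issues on task dispatching and master replication in {FTT-CAN}},
  booktitle = {6th {IEEE} African Electrical Technology Conference Proceedings ({AFRICON}'2002)},
  year      = {2002},
  volume    = {1},
  pages     = {221--226},
  address   = {George, South Africa},
  month     = oct,
  doi       = {10.1109/AFRCON.2002.1146838},
  isbn      = {0-7803-7570-X},
  keywords  = {CAN, FTT-CAN, automotive applications, controller area network, distributed embedded systems, event-triggered traffic, fault tolerance, flexible time-triggered communication, master replication, protocol, task dispatching, temporal isolation},
  abstract  = {The FTT-CAN (flexible time-triggered communication on controller area network) protocol supports time-triggered communication in a flexible way as well as the combination of both time and event-triggered traffic with temporal isolation. Previous papers have already discussed its potentialities and presented worst-case temporal analysis for both types of communication. After a brief review of the main characteristics of the protocol, we present new issues concerning its use in distributed embedded systems: the extension for task dispatching and the inclusion of techniques to improve fault tolerance, namely master replication},
}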
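@inproceedings{FERREIRA_WFCS_2002,
  author    = {Ferreira, J. and Pedreiras, P. and Almeida, L. and Fonseca, J. A.},
  title     = {Achieving fault tolerance in {FTT-CAN}},
  booktitle = {4th {IEEE} International Workshop on Factory Communication Systems ({WFCS}'2002) Proceedings},
  year      = {2002},
  pages     = {125--132},
  address   = {V{\"a}ster{\aa}s, Sweden},
  month     = aug,
  doi       = {10.1109/WFCS.2002.1159709},
  isbn      = {0-7803-7586-6},
  keywords  = {CAN, FTT-CAN, bus guardians, communication system configuration, fault hypothesis, fault tolerance techniques, flexible time triggered communication over controller area network, master node replication, master synchronization, network errors, node failures, replicated network architecture, safety-critical applications, synchronization, time triggered traffic scheduling},
  abstract  = {In order to use the FTT-CAN protocol (flexible time-triggered communication over controller area network) in safety-critical applications, the impact of network errors and node failures must be thoroughly determined and minimized. This paper presents and discusses fault-tolerance techniques to limit that impact. The particular configuration of the communication system can be more or less complex and fault-tolerant as desired by the system designer. The paper includes the fault hypothesis and presents a replicated network architecture using bus guardians. An important aspect is the replication of the master node that schedules the time-triggered traffic. In this case, it is particularly important to assure correct synchronization of the master replicas. The mechanisms that support masters' replication and synchronization are described and their performance is evaluated. The resulting architecture allows a reduction of the conflicts between safety and flexibility, supporting the use of FTT-CAN in safety critical applications},
}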
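@article{FERREIRA_MICRO_2002,
  author    = {Ferreira, J. and Pedreiras, P. and Almeida, L. and Fonseca, J. A.},
  title     = {The {FTT-CAN} protocol for flexibility in safety-critical systems},
  journal   = {{IEEE} Micro},
  year      = {2002},
  volume    = {22},
  number    = {4},
  pages     = {46--55},
  month     = jul # "/" # aug,
  doi       = {10.1109/MM.2002.1028475},
  issn      = {0272-1732},
  keywords  = {CAN, FTT-CAN, Time-Triggered Controller Area Network, automotive industry, communication protocol, flexible time-triggered communication on CAN, protocol, safety-critical systems},
  abstract  = {A new communication protocol for distributed embedded systems attempts to find a compromise between the often-opposing goals of system flexibility and safety},
}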
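@comment{FERREIRA_FET_2001 is a conference paper: the venue was stored in
  journal under an article entry. It is now an inproceedings entry with the
  venue in booktitle; the keyword typo FFT-CAN was corrected to FTT-CAN to
  match the rest of the file, and a stray tab in the abstract was removed.}
@inproceedings{FERREIRA_FET_2001,
  author    = {Ferreira, J. and Pedreiras, P. and Almeida, L. and Fonseca, J. A.},
  title     = {{FTT} {CAN} Error Confinement},
  booktitle = {4th {IFAC} International Conference on Fieldbus Systems and their Applications ({FeT}'2001) Proceedings},
  year      = {2001},
  pages     = {8--15},
  month     = nov,
  keywords  = {CAN, FTT-CAN},
  abstract  = {Transmission errors in a flexible distributed communication system based on the Flexible Time-Triggered Controller Area Network protocol (FTT CAN) must be confined and controlled if such a system is to be used in a safety critical real-time environment. This paper presents a first approach to error confinement in FTT CAN using a deterministic error model. Two strategies to cope with such errors are presented. In the first one the error model is introduced in the schedulability analysis causing the allocation of extra time in each elementary cycle. The second one is based on bus traffic monitoring and on a dynamic scheduler with a schedulability analyzer. The impact of this last strategy on the FTT CAN master node architecture is discussed and a possible solution is presented},
}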