New versions of the standard exist already, but are not yet available to the general public
TTP/C evolved from other time triggered protocol standards
Another similar standard is TTP/A, which is used for applications that require less safety
Well known fly-by-wire application: Airbus
Throttle-by-Wire already in many cars today, e.g., from GM
Steer-by-wire: might also be a “normal” steering wheel instead of a joystick
Update: TTP/C is also used in the avionics industry. E.g., Honeywell recently announced that it will use TTP for their new APEX cockpit. The TTTech AG advertises this as follows: “TTP - Aerospace safety at automotive cost”
Image shows an experimental car from DaimlerChrysler; probably does not use TTP/C. Illustrates drive-by-wire.
Vehicle based on the Mercedes SL Roadster.
Stabilizing algorithms are claimed to allow driving straight ahead even in case of strong side winds, for example.
If there is no steering column, you cannot hit against it with your head in case of an accident.
No pedals => foot cannot get caught in one of the pedals => fewer foot injuries
Better braking speed: In order to brake, drivers of conventional vehicles require an average 0.2 seconds to move their foot from the gas to the brake pedal. At a speed of 30 miles per hour, this translates into an additional braking distance of roughly nine and a half feet. The quicker reaction time of the sidestick system could therefore prevent many collisions.
The weight reduction is achieved by saving mechanical parts such as the steering column
Yellow bus: control and sensors
Green bus: steering
Red bus: braking
Again an image from DaimlerChrysler
Image shows nodes (called SRU, smallest replaceable unit) connected to the two buses of a TTP/C network
Pressing the mouse button highlights one that will be shown in detail on the next slide
The protocol processor implements the TTP/C protocol; it is assumed to be independent of the host computer, which runs the application. The interface between the host computer and the protocol processor (the CNI) is technically a shared memory. The bus guardian ensures fail silence in the time domain, i.e., it allows sending data only within the time slot of the unit.
TTP/C defines a “Cluster Cycle”, which consists of TDMA rounds. The TDMA rounds consist of message slots. The slots are assigned statically to nodes. Mode changes allow selecting among a pre-defined set of such assignments.
Update: GM will decide within the next months.
Each node can receive all the messages on the bus; the message area can therefore be quite large. The controller provides numerous control and status registers.
With less than four operating nodes, the clock synchronization is no longer Byzantine resilient.
Standard Document: about 120 pages of English text with figures
Implementation details are often not available from vendors
Automotive industry needs flexibility to choose among various vendors in order to keep the costs low
State: assignment to all registers in all controllers on the network
Valid initial states in case of TTP/C: All states such that all controllers are deactivated
Node 5 has two successor nodes; there might be two ways to implement a specific detail, as allowed by the standard
One must model them both
Verifying properties means that one considers all paths that are allowed by the set of initial states and the transition function. One then checks properties of these paths.
Specification of protocol properties: Properties of interest are usually expressed at a system level (e.g., in terms of properties of message transmission), not at an implementation level
The abstraction on time is done by refining the set of points of time that are considered.
On top of this hierarchy one might want to consider the “cluster cycle”, which consists of multiple TDMA rounds of equal length.
MFM=modified frequency modulation, also known as Miller code
The Miller Code allows encoding a clock and a data signal on a single signal.
E.g., also used in older hard disks etc.
There are much better codes available now (in particular with respect to error detection).
Sharing the same configuration sets in all machines is a simplification, since not all registers are actually needed on all abstraction levels; one could also refine the configuration sets using a refinement mapping, which yields a commutative diagram.
Example on next slide
Slide shows states and transition relation. If one considers a transition from, e.g., state 4 to 11, there must be a path in  the machine for the lower level that starts in state 4 and ends in state 11. The number of transitions done by the lower level is fixed in this example (it is exactly the number of macro ticks for the given message slot).
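The path-matching condition described above, as an added example that is not from the slides: a check that every higher-level transition (such as state 4 to 11 for one message slot) is matched by a lower-level path of exactly the fixed number of macro ticks. The two machines and the tick count are constructed for illustration.

```python
def reachable_in_exactly(low: dict, start: int, steps: int) -> set:
    """States reachable from `start` by exactly `steps` lower-level transitions."""
    frontier = {start}
    for _ in range(steps):
        frontier = {t for s in frontier for t in low.get(s, ())}
    return frontier


def unmatched_transitions(high: dict, low: dict, steps: int) -> list:
    """Higher-level transitions (s, t) with no lower-level path of exactly
    `steps` transitions from s to t. An empty list means the refinement holds."""
    missing = []
    for s, targets in high.items():
        reachable = reachable_in_exactly(low, s, steps)
        missing.extend((s, t) for t in sorted(targets) if t not in reachable)
    return missing


# Constructed higher-level machine: at the slot level, state 4 goes to 11 and back.
HIGH = {4: {11}, 11: {4}}
MACRO_TICKS_PER_SLOT = 3  # constructed; fixed per message slot as on the slide

# Constructed lower level: two alternative micro-paths 4 -> 11 (two allowed
# implementations of the same detail, cf. node 5 on the earlier slide), one 11 -> 4.
LOW_OK = {4: {5, 7}, 5: {6}, 6: {11}, 7: {8}, 8: {11}, 11: {12}, 12: {13}, 13: {4}}

# Defective lower level: the way back from 11 to 4 takes only two micro-steps,
# so the slot-level transition 11 -> 4 has no matching path of 3 ticks.
LOW_BAD = {4: {5}, 5: {6}, 6: {11}, 11: {12}, 12: {4}}

if __name__ == "__main__":
    print(unmatched_transitions(HIGH, LOW_OK, MACRO_TICKS_PER_SLOT))   # []
    print(unmatched_transitions(HIGH, LOW_BAD, MACRO_TICKS_PER_SLOT))  # [(11, 4)]
```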
The membership service is the critical part regarding service guarantees. No node gets service without membership.
The claim is taken from the standard document.
CRC = cyclic redundancy check; a code used for error detection (no error correction is done). In case of TTP/C, the length is fixed to 16 bits, which is a very small number. Another bit of accuracy is lost by encoding membership information in the code, which leaves 2^15 = 32768 codes.
The membership service works as follows in detail:
 * all nodes watch all messages on the bus,
 * if a node does not transmit a correct message, it loses membership
The node itself notices this by observing the messages of the subsequent nodes in the TDMA round. It can decide whether the others consider it a member or not using the error detection code.
“consistent membership information”: Each node encodes its membership vector in the CRC. Any other node with different membership vector will therefore fail at the CRC.
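The membership mechanism of the last few notes, as an added example that is not code from the slides or from the TTP/C standard: a 16-bit CRC is computed over the sender's membership vector followed by the payload, the vector itself is not sent, and a receiver recomputes the CRC with its own vector. The CRC variant (CRC-16/CCITT-FALSE), the byte layout and the four-node scenario are assumptions made for this example.

```python
POLY = 0x1021  # CRC-16/CCITT-FALSE polynomial (assumed; not taken from the standard)


def crc16(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise 16-bit CRC, MSB first, no reflection and no final XOR."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def frame_crc(payload: bytes, membership: int, n_nodes: int) -> int:
    """CRC over the sender's membership vector followed by the payload.
    The vector is not transmitted; only the CRC carries it (assumed layout)."""
    vector = membership.to_bytes((n_nodes + 7) // 8, "big")
    return crc16(vector + payload)


def build_frame(payload: bytes, membership: int, n_nodes: int) -> bytes:
    """Frame as put on the bus: payload plus a 16-bit CRC."""
    return payload + frame_crc(payload, membership, n_nodes).to_bytes(2, "big")


def check_frame(frame: bytes, membership: int, n_nodes: int) -> bool:
    """A receiver recomputes the CRC with its own membership vector."""
    payload, received = frame[:-2], int.from_bytes(frame[-2:], "big")
    return frame_crc(payload, membership, n_nodes) == received


def tdma_round_after_silent_slot(n_nodes: int = 4, silent: int = 2) -> dict:
    """Constructed scenario: node `silent` sends nothing in its slot, so every
    other node clears its bit; the silent node still believes it is a member.
    Returns, per node, whether the next slot's frame passes its CRC check."""
    all_members = (1 << n_nodes) - 1
    view = {i: all_members for i in range(n_nodes)}
    for i in range(n_nodes):
        if i != silent:
            view[i] &= ~(1 << silent)
    sender = (silent + 1) % n_nodes  # next node in the TDMA round
    frame = build_frame(b"steer-angle=12", view[sender], n_nodes)
    return {i: check_frame(frame, view[i], n_nodes) for i in range(n_nodes)}


if __name__ == "__main__":
    # Only the silent node fails the check: that is how it learns it lost membership.
    print(tdma_round_after_silent_slot())
```

Because a CRC with polynomial 0x1021 detects every single-bit difference in its input, a receiver whose vector differs from the sender's in one node is guaranteed to fail, not merely likely to.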
PVS = prototype verification system, software from SRI
Interactive theorem prover
Reconfiguration is considered an optional feature and GM does not want it; mode changes are not optional. However, GM does not like them either.
Regarding download: It is probably sufficient to verify that the download feature does not interfere with the normal operation.
We expect that SyMP provides a common framework for both the theorem proving and the model-checking parts
FlexRay: GM is trying to convince the FlexRay consortium to provide the standard to us.
Example on next slide
GM would prefer TTP/C without membership service since they need redundancy management for higher levels anyway. This redundancy management can be used for all lower levels, too.
GM has a new version of the TTP/C standard with modifications to the membership service.
As soon as I get it, I will check whether this fixes the problems.
There are more complex examples, e.g., where a large number of nodes loses membership or where two cliques form that consider the others not to be members.
Service Requirements: e.g., guarantee that certain messages are received with regard to real time constraints. One does not want a protocol negotiation to start in case one has to brake on the highway.