Components to Enforce Fail-Silent Behavior in Dynamic Master-Slave Systems

Abstract

This paper considers the case in which master-slave fieldbus networks are used in safety-critical embedded applications, such as transportation systems. Traditional approaches to system design, due to fault-tolerance reasons, have considered static cyclic table-based traffic scheduling, only. However, there is a growing demand for flexibility and integration, mainly to improve efficiency in the use of system resources, with the network playing a central role to support such properties. This calls for dynamic on-line traffic scheduling techniques so that dynamic communication requirements are adequately supported. This paper considers such dynamic master-slave architectures and addresses the problem of enforcing fail silent behavior both in the master and in the slave nodes. Two different mechanisms are proposed, one based on dynamic bus guardians for the slave nodes only, to impose fail silent behavior in the time domain, and other based on internal replication and temporized agreement, to impose fail silence both in the temporal and value domains. Despite being potentially applicable to a set of master-slave networks, this paper discusses the specific implementation of the proposed mechanisms on top of the FTT-CAN protocol.