Mixed-Criticality Networking

Provided by: Arjan Geven (TTTech)

Mixed-criticality features allow system developers to integrate safety-relevant and non-safety systems on the same physical platforms. Since most Cyber-Physical Systems deployed in a safety context are distributed in nature, a way to realize a distributed mixed-criticality approach must be found. In such a distributed context, freedom from interference must be provided by the underlying networking technology.

Depending on the type of networking technology, the approach to bringing mixed-criticality to the network differs. In event-driven environments, the focus is on realizing and proving freedom from interference by means of timing analysis. In time-triggered environments, the focus is on the architectural separation of traffic flows.

If a single communication system is used for both critical and non-critical traffic, some form of partitioning of the communication system must be provided to separate the traffic streams and to ensure that lower-priority traffic does not interfere with the timing of higher-priority traffic.

Burns and Davis [1] provide an overview of how such a mixed-criticality network can be constructed for CAN communication technology. In their example, the CAN bus is treated as a black-box communication channel that is enhanced at the edges with Trusted Network Components (TNCs) that ensure that timing constraints are met. Based on this concept, a proof by means of timing analysis establishes the feasibility of the timing constraints under all possible interactions of messages and ensures that the worst-case response times of messages do not exceed the requirements.

Another form of partitioning can be achieved in switched networks that perform active traffic shaping and policing as part of the services offered in the core of the network, as provided by, e.g., Time-Sensitive Networking or TTEthernet. Since each link in a switched network is effectively a peer-to-peer connection, the TNC functionality need not be implemented at the edge of the network but can be moved into the control plane of the network, which in effect ensures that the timing properties of high-criticality messages are not violated by low-criticality messages [2].
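To illustrate the switched-network variant, the following added example (constructed for this page; not TTTech, TSN or TTEthernet code) models one egress port of a time-triggered switch. The control plane has reserved periodic windows for time-triggered high-criticality flows; rate-constrained flows are policed at ingress against their assigned minimum frame spacing and maximum size; and rate-constrained and best-effort frames are shaped into the gaps between windows so that they never overlap a reserved window. The link rate, the schedule, and all flow parameters and frame arrivals are assumed values.

```python
"""Traffic shaping and policing on one egress port of a time-triggered switch.

Constructed model (added example, not TTTech, IEEE 802.1 TSN or TTEthernet
code): TT flows own reserved periodic windows, RC flows are policed at
ingress, and RC/BE frames are shaped into the gaps.  Times are microseconds.
"""
import math
from dataclasses import dataclass

LINK_MBPS = 100   # assumed link rate


def tx_us(size_bytes: int) -> float:
    """Serialization time of a frame on the link (100 Mbit/s: 0.08 us/byte)."""
    return size_bytes * 8 / LINK_MBPS


@dataclass(frozen=True)
class TTWindow:
    offset_us: float   # start of the first instance in the schedule
    length_us: float   # reserved time; must be < period_us
    period_us: float


@dataclass(frozen=True)
class Frame:
    name: str
    cls: str           # "TT", "RC" or "BE"
    flow: str          # window id for TT, policer id for RC
    arrival_us: float
    size_bytes: int


def earliest_free_start(windows, t, duration_us, max_steps=10_000):
    """Earliest start >= t such that [start, start + duration) overlaps no
    instance of any reserved window; raises when no such gap exists."""
    start = t
    for _ in range(max_steps):
        moved = False
        for w in windows:
            # latest window instance that begins before our transmission ends
            k = math.floor((start + duration_us - w.offset_us) / w.period_us)
            if w.offset_us + k * w.period_us >= start + duration_us:
                k -= 1
            if k < 0:
                continue
            inst_end = w.offset_us + k * w.period_us + w.length_us
            if inst_end > start:       # overlap: defer until the window closes
                start, moved = inst_end, True
        if not moved:
            return start
    raise ValueError("frame does not fit in any gap between reserved windows")


class RateConstrainedPolicer:
    """Ingress policing for one RC flow: minimum spacing (BAG) and maximum size."""

    def __init__(self, bag_us, max_bytes):
        self.bag_us, self.max_bytes, self.last_us = bag_us, max_bytes, None

    def admit(self, t, size_bytes) -> bool:
        if size_bytes > self.max_bytes:
            return False
        if self.last_us is not None and t - self.last_us < self.bag_us:
            return False
        self.last_us = t
        return True


def dispatch(frames, windows, policers):
    """Serialize frames on the port; returns {name: (verdict, start, end)}."""
    link_free, log = 0.0, {}
    for f in sorted(frames, key=lambda fr: fr.arrival_us):
        d = tx_us(f.size_bytes)
        if f.cls == "TT":
            w = windows[f.flow]
            if d > w.length_us:
                log[f.name] = ("oversize", f.arrival_us, f.arrival_us)
                continue
            k = max(0, math.ceil((f.arrival_us - w.offset_us) / w.period_us))
            start = w.offset_us + k * w.period_us     # next reserved instance
            log[f.name] = ("sent", start, start + d)  # reserved: no shaping needed
            continue
        if f.cls == "RC" and not policers[f.flow].admit(f.arrival_us, f.size_bytes):
            log[f.name] = ("policed", f.arrival_us, f.arrival_us)
            continue
        start = earliest_free_start(windows.values(), max(f.arrival_us, link_free), d)
        link_free = start + d
        log[f.name] = ("sent", start, link_free)
    return log


def shaped_frames_avoid_windows(frames, log, windows) -> bool:
    """Check that no shaped (non-TT) transmission touches a reserved window."""
    for f in frames:
        verdict, start, end = log[f.name]
        if f.cls != "TT" and verdict == "sent":
            if earliest_free_start(windows.values(), start, end - start) != start:
                return False
    return True


WINDOWS = {"ctrl": TTWindow(offset_us=0.0, length_us=20.0, period_us=200.0)}


def make_policers():
    return {"sens": RateConstrainedPolicer(bag_us=100.0, max_bytes=200)}


SAMPLE_FRAMES = [   # constructed arrivals
    Frame("be1", "BE", "-", 70.0, 1500),
    Frame("rc1", "RC", "sens", 100.0, 128),
    Frame("tt1", "TT", "ctrl", 150.0, 64),
    Frame("rc2", "RC", "sens", 150.0, 128),   # 50 us after rc1: violates its BAG
    Frame("be2", "BE", "-", 160.0, 1000),
]

if __name__ == "__main__":
    log = dispatch(SAMPLE_FRAMES, WINDOWS, make_policers())
    for name, (verdict, s, e) in log.items():
        print(f"{name}: {verdict:8s} {s:8.2f} -> {e:8.2f} us")
    print("shaped traffic stays outside reserved windows:",
          shaped_frames_avoid_windows(SAMPLE_FRAMES, log, WINDOWS))
```

The schedule itself bounds what lower-criticality traffic can do on the link: the largest shaped frame must fit in the smallest gap between reserved windows, otherwise `earliest_free_start` can never place it and raises, which is the configuration error a control plane has to reject before a schedule is deployed.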

References

[1] Alan Burns and Robert Davis. "Mixed criticality on controller area network." 25th Euromicro Conference on Real-Time Systems (ECRTS), IEEE, 2013.

[2] Wilfried Steiner, Peter Heise, and Stefan Schneele. "Recent IEEE 802 developments and their relevance for the avionics industry." Digital Avionics Systems Conference (DASC), 2014.