<BACK

ROSS B A N N AT Y N E
f e a t u r e

Time Triggered
Protocol: TTP/C
Fault-tolerant, real-time performance is vital to the success of by-wire systems. Here is a solution that meets
safety-critical requirements.

I
n this article I’ll discuss an advanced serial communications pro-
tocol/system that has been developed for applications that
require highly dependable or fault-tolerant operation. “TTP”
stands for “Time Triggered Protocol,” which describes the first
fundamental property of this new communication protocol:
access to the communication medium is granted to the comput-
er nodes on a time-slot principle. The suffix “/C” indicates that this proto-
col conforms to so called class C applications, classified by the Society of
Automotive Engineers, Inc. (SAE). Class C applications are all electronic
systems of an automobile which are connected by a high-speed communi-
cation bus.
This article will discuss the beginnings of TTP/C, the requirement for
such a solution, some explanation of why no other suitable solutions exist,
the principles of the communications system, and details on the actual ser-
ial communications protocol message frames. Finally, I’ll describe some
typical applications of TTP/C.
TTP/C has been developed over the last 15 years from a research pro-
ject at the Technical University of Vienna, directed by Professor Hermann
Kopetz. The research project migrated into a European Community-fund-
ed scientific project by a consortium that included Daimler-Benz, Volvo,
Ford, Bosch, and Magneti-Marelli. The standard is open and a significant
amount of advanced development work has been undertaken using
TTP/C. The references at the end of this article provide some more
detailed writing on the subject matter.
Typical TTP/C applications would include automotive brake-by-wire or
steer-by-wire systems, in which the systems must be “fail-operational,” as the
applications are safety-critical. “By-wire” systems transfer electrical signals
down a wire instead of using a medium such as hydraulic fluid to transfer

76 MARCH 1999 Embedded Systems Programming

 Although several nontrivial challenges must be overcome before by-
wire systems become the mainstream, many compelling reasons exist
for the technology to be introduced.

muscular energy. A conventional this type of system, regularity of infor- the variability of this transmission time
antilock braking system (ABS) is con- mation transfer is critical to maintain (the minimum transmission timesub-
sidered “fail-silent”; if a fault in the control of the system. tracted from the maximum transmis-
electronic control system is detected, The distributed embedded control sion time). The maximum jitter
the control system is switched off, leav- world already supports several serial depends on the longest message that
ing the manual hydraulic back-up still communications systems such as CAN is possible to transmit.
operational. If no such hydraulic back- (Controller Area Network), SAE The type of communications proto-
up is available (as in the case of a by- J1850-DLC, and SAE J1850-HBCC col most suitable for ensuring regular-
wire system), the system must contin- specifications. Three categories of ity of information transfer is TDMA
ue to function in the event of a fault communications systems are classified (Time Division Multiple Access).
occurring. by the SAE: Class A is for low-speed Using a TDMA scheme ensures that
The automotive industry has iden- networks typically used in vehicle body nonpredictable message delays aren’t
tified many good reasons to develop controls; Class B is for high-speed net- possible, as message transmissions are
by-wire systems: reduction in parts works but with no safety-critical scheduled at the time of the design.
count, removal of hydraulic system, requirement; and Class C systems Each electronic control unit is
improved maintenance, increased per- require certain stringent safety-critical assigned a time slot in which it’s given
formance and functionality, increased requirements. The existing communi- exclusive access to the bus to send
passive safety by removal of mechani- cations protocols do not meet Class C messages. As every control unit has its
cal linkages to passenger compart- requirements, hence the Time own time slot, collisions are impossi-
ment, fuel economy, and so on. Triggered Protocol was developed. ble. Also, as each transmission has the
Although several nontrivial challenges The additional requirements for Class same priority for bus access, worst-case
must be overcome before by-wire sys- C are that they must be deterministic jitter can be easily calculated.
tems become the mainstream, many with small and bounded latencies, all- In time-triggered systems all
compelling reasons exist for the tech- fault scenarios must be accounted for actions are derived from the progres-
nology to be introduced—so the chal- with a safe alternative operating mode, sion of a globally synchronized time
lenges should be overcome relatively distributed clock synchronization base accessible to all nodes, whereas in
quickly. The TTP overcomes the chal- (global time) must be supported, and event-triggered systems, all actions are
lenge of fault-tolerant distributed the bus is guarded against “babbling derived from the occurrence of
embedded processing. idiot” nodes. events. Table 1 outlines the main dif-
Additional interest is expected in The unsuitability of the existing ferences between TTP/C and the
several other applications that require communications protocols stems from CAN protocol.
a high degree of dependability, partic- the fact that they are “event-trig- TDMA-based systems transmit state
ularly in the fields of aeronautics, mil- gered,” in that a precise moment in messages—for example, a switch
itary, and medical systems. time when a message will be received being either on or off. State messages
isn’t specified. A communications pro- can be observed for a longer period of
Requirements for safety- tocol can only be predictable if worst- time than an event and are transmit-
critical systems case transmission time and jitter are ted periodically. No new value over-
Closed-loop control-orientated safety known at the time of the design and writes an old value until the next
critical applications usually execute a meet the requirements of the applica- TDMA round, and the state informa-
control cycle in a pre-defined time tion. Real-time control applications tion isn’t consumed when it’s read. In
period. For example an electronic are very sensitive to jitter, and so it is a typical distributed embedded con-
braking system usually executes a con- an important parameter for develop- trol system in which a number of sen-
trol loop every 10ms or thereabouts. ing real-time distributed systems. The sors are sampled or polled periodical-
In this cycle, several sensor inputs are time delay between presenting a mes- ly during the control cycle, state mes-
RUPERT ADLEY

evaluated, an algorithm in which out- sage to be transmitted at the senders sages prove to be the most suitable
put control variables are calculated, interface and receiving the message at message type for closed-loop control
then signals are sent to actuators at the the receivers interface is known as the applications. Events, on the other
wheel. The loop is then repeated. In transmission time. Jitter is defined as hand, contain information that is valid

Embedded Systems Programming MARCH 1999 77

ttp/c

The resource requirements for a time-triggered system are

determined before run time so the system will behave predictably and (controller network interface), and
be able to handle peak load situations deterministically. the TTP/C controller. Two buses are
present to support redundancy; if a
fault develops on one bus, the alter-
at a particular point of time (until an to handle worst-case conditions that nate bus is available.
overriding event occurs). An example may rarely occur. The host controller of each mod-
of such an event would be when a The Time Triggered Protocol was ule runs the application software. The
push-button switch is pressed and developed to meet the requirements sending of messages is controlled by a
released. Event messages are typically of deterministic communications, as scheduling table called the message
queued for consumption and con- well as to support the fail-operational descriptor list. This list contains the
sumed when read. These event mes- or fault tolerant requirements that are information that controls access to the
sages are more efficient in systems critical in systems which would other- bus in any particular time slot. The
with sporadic or rare occurences that wise exhibit catastrophic behavior in communications system and TTP/C
require observation. the event of a fault. controller will operate autonomously
The resource requirements for a from the host software, using the mes-
time-triggered system are determined Time Triggered Protocol sage descriptor list which is stored in
before run time so the system will principles the CNI. Each node in the network is
behave predictably and be able to han- A TTP/C-based network is shown in synchronized to a common global
dle peak load situations deterministi- Figure 1. Four host controllers are time. The CNI decouples the commu-
cally. Event-triggered systems are usu- shown. These hosts could be electron- nication network from the host and
ally more inefficient than time-trig- ic control units in a vehicle network provides a data-sharing interface
gered systems when the system is oper- such as braking, steering, suspension, between the host and the TTP/C con-
ating at less than peak loading, and powertrain. Each of the four troller. This is best physically imple-
because the system must be designed nodes are composed of a host, CNI mented with dual port RAM that can
be addressed by either the host or the
TTP/C controller.
TABLE 1 Differences between TTP/C and CAN The third segment of the node is
the actual TTP/C controller, which
Function TTP/C CAN
Multi-Master Bus ✔ ✔
connects the node to the network.
Medium Access Control TDMA CSMA/CA The TTP/C controller provides guar-
Flexible Bus Access limited (modes) 4 anteed transmission times with mini-
Replicated Broadcast Buses 4 2 CAN controllers
Global Time Base 4 software mal latency jitter, fault-tolerant clock
Membership Service 4 no synchronization, and fast error detec-
Bus Guardian 4 no
Replica Determinism 4 no
tion. In support of fault tolerance, the
Composability 4 limited TTP/C also supports replica deter-
minism as well as a replicated commu-
nications channel.
The system is based on state mes-
FIGURE 1 Typical TTP/C-based system sage transmission; state messages can
typically be observed over a longer
period of time than an event message,
which would change every time there
Host Host Host Host is a new event, as opposed to periodi-
cally. State messages are well suited to
CNI CNI CNI CNI closed-loop control type applications,
in which inputs are usually required to
TTP/C TTP/C TTP/C TTP/C be sampled once per control cycle. No
queuing of messages occurs in the
CNI, as a new version of the state mes-
sage overwrites the old one every
TDMA round. The Class B communi-
cations protocols, which we discussed
previously, operate using event-based
messaging.

78 MARCH 1999 Embedded Systems Programming

ttp/c

The global time base is critical to the system, as the communications

protocol depends on the knowledge of when every transmitted tecture must deliver a correct output
message is specified. or no output at all. When no output is
generated, the hardware has devel-
oped a fault. A number of error-detec-
Replica determinism is implement- node that broadcasts the same result tion strategies, both in hardware and
ed by duplicating nodes, so that if one in a different time slot. The main strat- software, must be employed in order
node develops a fault, the signal from egy for fault tolerance in the TTP/C to ensure fail-silence. The TTP/C con-
the node is replaced by a redundant system is fail-silence. A fail-silent archi- troller uses watchdogs as well as a bus
guardian which enables the bus driver
only during the nodes transmission
slot and disables it at all other times.
This arrangement prevents the bab-
bling idiot problem which can cause
havoc in priority-based event triggered
systems.
The second replica is grouped
together in a cluster with the first
replica, and is known as a fault-toler-
ant unit (FTU). A system consisting of
three FTUs is shown in Figure 2.
The same message is sent on both
channels by the first replica at a par-
ticular pre-defined timeslot and then
re-sent by the second replica at a later
TDMA slot. The second replica is com-
pletely physically separate from the
first replica.
Error detection is achieved at the
receiver side, since the arrival time of
all messages in the system is known at
design time. If a message isn’t received
at the expected time, this is regarded
as a transmission error by all receivers.
The global time base is thus critical to
the system, as the communications
protocol depends on the knowledge
of when every transmitted message is
specified. A synchronization algo-
rithm is executed by each of the con-
trollers in the network so that clock
correction is possible and each node
in the system will always have an iden-
tical notion of global time.
The concept of fail-silence in the
communications system means that no
voting system by several (minimum
three) components is required, as in
traditional fault-tolerant computer
architectures. This concept is impor-
tant, as typical voting schemes involv-
ing three or more CPUs are expensive
to implement in lower-cost applica-
tions (such as the automotive indus-
try). Each node focuses only on

80 MARCH 1999 Embedded Systems Programming

ttp/c

depending on the operating mode.

FIGURE 2 Fault-tolerant units Finally, a CRC field consists of two
bytes. The CRC is a slightly different
Host Subsystems calculation for the N- and I-frames,
Fault-tolerant units (FTUs): and makes it posssible for the receiver
FTU 0 FTU 1 FTU 2
Host Host Host Groups of actively replicated
Host CPU Host CPU Host CPU nodes of the frame to detect errors in trans-
CPU CPU CPU mission. A normal frame is accepted
only if the receiver and sender agree
TTP
TTP
TTP
TTP TTP on the mode, global time, and node
TTP
membership (which nodes are active
or inactive, and which have a bit set to
1 or 0).
Neither the I-frame nor the N-
Duplicated
broadcast buses frame have any identifier to indicate
from which node they were transmit-
Communication Subsystem
ted. The message sender is implied
from the time of sending.
I-frames are used for system initial-
detecting faults within its own entity; if redundancy check (CRC) field. Clock ization and contain data on the inter-
a fault is detected, it switches itself off. synchronization occurs just prior to nal state of the TTP controller for its
the control field. It is inevitable that associated node in its data field. This
TTP/C message frame local timebases drift apart; therefore, a information is known as the C-State
types resynchronization strategy is imple- (controller state). In TTP/C, all nodes
Two types of frame exist in TTP/C: ini- mented using the control field. The are forced to implicitly agree on their
tialization frames (I-frames) and nor- control field in the N-frame consists of C-states. The C-State contains informa-
mal frames (N-frames). These frames an initialization bit which indicates tion about the current operating
are indicated in Figure 3. that it is a normal frame. The mode mode, TDMA slot, global time, and
N-frames are transmitted periodi- bits are also contained in the control the membership status. If the C-state
cally during normal operation of the field, and indicate the operating mode of the sender isn’t identical to the C-
system and contain application data. of the system. The next field in the N- state of a receiver, the message will be
Three fields are present in the frame: frame is the data field, which can con- disregarded by the receiver, due to the
a control field, data field, and cyclic tain up to 16 bytes of application data, different CRC.
Continuous clock synchronization
without any overhead to the frame
length is acheived by executing an
FIGURE 3 Frame types averaging algorithm periodically at
each node. The node is given access to
a global time base transmitted in the I-
No identifier! and N-frames. The receiver knows
N-Frames (Normal Frames): Message contents are derived
• Periodic transmission of state messages from time of sending. apriori the sending time of each frame
• Majority of frames during normal operation
from each node, so the disparity
between the specified send time and
the observed receive time indicates
the time difference between sending
Control Data (max. 16 Bytes) CRC
and receiving nodes. Thus the appro-
priate distributed time bases can be
tweaked to ensure uniform global
I-Frames (Initialization Frames):
• Startup phase: periodic lifesign of sending node time.
• Normal operation: at predefined intervals to facilitate
reintegration of recovering nodes
Because real-time distributed sys-
tems typically have different operating
Control C-State (max. 10 Bytes) CRC modes such as start-up, normal oper-
ating, emergency, and so on, TTP/C
supports rapid mode changing. At any
given time, the ensemble of nodes in

82 MARCH 1999 Embedded Systems Programming

ttp/c

the system will be operating in a par-

FIGURE 4 Possible steer-by-wire architecture using TTP/C ticular mode. A mode change is per-
mitted when any node indicates that a
mode change should occur using the
Front-wheel steer-by-wire
• 3 tie rod actuators, each 50% of mode bit in its control field.
necessary power
• 2 driver feedback actuators
• steering angle and steering wheel sensors Applications
Host F
TTP A number of by-wire projects, mainly
CPU T
U
in the automotive industry, are being
Host developed using the TTP/C protocol.
TTP
CPU TTP TTP TTP/C has been shown to be a suit-
Host able communications protocol for
CPU TTP
Host Host
T

such applications because it satisfies

CPU CPU
U

Host the requirements of safety-critical

CPU TTP
communications systems by being
Host F deterministic, providing redundancy,
TTP T
CPU U and guarding against a fault which
results in a single node monopolizing
Optional rear-wheel steering
the bus. The architecture is also com-

T
posable, which allows the behavior of
an overall system to be predicted from
the subsystem properties. Therefore,

84 MARCH 1999 Embedded Systems Programming

ttp/c

A high level of redundancy is anticipated to be required on a steer-by-

wire system, as no direct mechanical connection will exist between address new, advanced systems which
the driver and the wheels. will emerge and possess requirements
that cannot be met by today’s popular
event-triggered Class B protocols.
independent development, testing, connection will exist between the dri- Both Class B and Class C systems will
validation, and certification of subsys- ver and the wheels. coexist in modern vehicles with a com-
tems (nodes) may be accomplished. Brake-by-wire is another applica- munications gateway that will allow
A possible steer-by-wire architec- tion that can be developed using the them to share information. Although
ture is shown in Figure 4. The TTP/C TTP/C communications protocol. An the initial applications are likely to be
in the automotive market, many unre-
lated fields may require robust net-
FIGURE 5 Possible brake-by-wire architecture using TTP/C work operation that can continue to
operate as normal if a node stops
working correctly.
As with other popular serial com-
Host Host
CPU CPU munications protocols, the TTP/C
controller module is planned to be
integrated along with other functions
TTP FTU TTP
on microcontrollers or as a stand-
Host Host alone entity that can be designed into
CPU CPU
nodes in a given system. esp

TTP TTP Ross Bannatyne graduated from the

TTP TTP University of Edinburgh, Scotland, with
honors in Electrical Electronic Engineering
Host Host and is currently a systems engineering
CPU CPU manager for Motorola’s Transportation
Systems Group in Austin, TX.

Recommended Reading
Daimler-Benz AG, B.Hedenetz, and R.
communications network is used to example of a brake-by-wire architec- Belschner, “Brake-by-wire without
connect the steering actuators (motor ture is shown in Figure 5. Mechanical Backup by Using a TTP-
controllers) at the front of the vehicle, The system illustrates wheel nodes Communication Network,” SAE
the steering control unit mounted that control actuation of braking Congress Conference Proceedings,
near the steering wheel, and the actu- motors as well as providing the inter- 1998.
ator units on the rear wheels (motors face with the wheel speed sensors. It Kopetz, H., “Fault Management in the
used for four-wheel steering). Three may be the case that a fault-tolerant Time Triggered Protocol (TTP),” SAE
replicated nodes are present at the unit isn’t required at the wheel node, Congress Conference Proceedings, 1998.
front actuator. These nodes receive because a catastrophic event may not Koptez, Hermann. Real-Time Systems:
information on intended steering occur if one of the wheel nodes Design Principles for Distributed
angle from the main control unit and inhibits itself. It should be possible to Embedded Applications. Dordrecht, The
drive motors, which control the angle brake the vehicle to rest safely with any Netherlands: Kluwer Academic
of the wheels. Feedback on angle and three wheel nodes operational. The Publishers, 1997.
motor torque is returned to the main main central control unit consists of Kopetz, H., “Should Responsive Systems
controller, and additional actuators two replica controllers. The main con- Be Event-Triggered or Time-Triggered?,”
are used to provide a comfortable trol unit must be redundant because if IEICE Transactions on Electronics,
level of steering wheel feedback to the a fault develops, a catastrophic situa- November 1993.
driver. The main controller also con- tion could occur. Robert Bosch GmbH, E. Dilger, T. Fuhrer, B.
sists of two nodes because steering is a Muller, and S. Poledna, “The X-By-Wire
safety-critical application. Automotive and beyond Concept: Time-Triggered Information
A high level of redundancy is antic- TTP/C wasn’t developed to compete Exchange and Fail Silence Support by
ipated to be required on a steer-by- with existing serial communications New System Services,” SAE Congress
wire system, as no direct mechanical protocols; rather, it was developed to Conference Proceedings, 1998.

86 MARCH 1999 Embedded Systems Programming