A Comparison of Bus Architectures for Safety-Critical Embedded Systems

John Rushby

Technical Report, September 2001

Also available as NASA Contractor Report CR-2003-212161 (pdf)

Abstract

Avionics and control systems for aircraft use distributed, fault-tolerant computer systems to provide safety-critical functions such as flight and engine control. These systems are becoming modular, meaning that they are based on standardized architectures and components, and integrated, meaning that some of the components are shared by different functions---of possibly different criticality levels.

The modular architectures that support these functions must provide mechanisms for coordinating the distributed components that provide a single function (e.g., distributing sensor readings and actuator commands appropriately, and assisting replicated components to perform the function in a fault-tolerant manner), while protecting functions from faults in each other. Such an architecture must tolerate hardware faults in its own components and must provide very strong guarantees on the correctness and reliability of its own mechanisms and services.

One of the essential services provided by this kind of modular architecture is communication of information from one distributed component to another, so a (physical or logical) communication bus is one of its principal components, and the protocols used for control and communication on the bus are among its principal mechanisms. Consequently, these architectures are often referred to as buses (or databuses), although this term understates their complexity, sophistication, and criticality.

The capabilities once found in aircraft buses are becoming available in buses aimed at the automobile market, where the economies of scale ensure low prices. The low price of the automobile buses then renders them attractive to certain aircraft applications---provided they can achieve the safety required.

In this report, I describe and compare the architectures of two avionics and two automobile buses in the interests of deducing principles common to all of them, the main differences in their design choices, and the tradeoffs made. The avionics buses considered are the Honeywell SAFEbus (the backplane data bus used in the Boeing 777 Airplane Information Management System) and the NASA SPIDER (an architecture being developed as a demonstrator for certification under the new DO-254 guidelines); the automobile buses considered are the TTTech Time-Triggered Architecture (TTA), recently adopted by Audi for automobile applications, and by Honeywell for avionics and aircraft controls functions, and FlexRay, which is being developed by a consortium of BMW, DaimlerChrysler, Motorola, and Philips.

I consider these buses from the perspective of their fault hypotheses, mechanisms, services, and assurance.

gzipped postscript, or plain postscript or PDF or crude ascii (for your Palm Pilot)

A shorter version is available; it was presented at EMSOFT 2001: First Workshop on Embedded Software, Tahoe, CA, October 2001.

BibTeX Entry


@TECHREPORT{Rushby01:buscompare,
        TITLE = {A Comparison of Bus Architectures for Safety-Critical
                Embedded Systems},
        AUTHOR = {John Rushby},
        INSTITUTION = {Computer Science Laboratory, SRI International},
        ADDRESS = {Menlo Park, CA},
        MONTH = sep,
        YEAR = 2001,
        NOTE = {Available at \url{http://www.csl.sri.com/~rushby/abstracts/buscompare}}
}
Having trouble reading our papers?
Return to the Formal Methods Program home page
Return to the Computer Science Laboratory home page