Dependable Embedded Systems –– A Look Ahead

© H. Kopetz 05.07.2003 Introduction

Slide 1: Dependable Embedded Systems –– A Look Ahead
H. Kopetz
July 2003
Slide 2: Outline
♦ Introduction
♦ Hardware Developments
♦ Automotive Requirements
♦ Encapsulated Execution Environments
♦ Conclusion
Slide 3: Introduction
Dependable embedded system technology is an important enabling technology for the industrial sector. Although comparatively small in value, this technology holds the key for determining the competitiveness of many technical products:
♦ Automotive (e.g., accident-free driving)
♦ Aerospace (e.g., fly by wire)
♦ Railways (e.g., signalling)
♦ Medical (e.g., intensive care control)
♦ Process Control (e.g., nuclear reactors)
Because of its size, the automotive market is the most important segment for the emerging market of dependable embedded systems.
Slide 4: The 10^-9 Challenge in Safety Critical Applications
♦ The system as a whole must be more reliable than any one of its components: e.g., System Dependability 1 FIT -- Component dependability 1000 FIT (1 FIT: 1 failure in 10^9 hours)
♦ Architecture must support fault-tolerance to mask component failures
♦ Fault tolerance is based on comparing results produced within independent fault-containment regions (FCR).
♦ System as a whole is not testable to the required level of dependability.
♦ The safety argument is based on a combination of experimental evidence and formal reasoning using an analytical dependability model
♦ Piece to be trusted must be very small
Slide 5: Independence of Fault Containment Regions (FCR)
There are two basic mechanisms that compromise the independence of FCRs in a distributed system:
♦ Missing fault isolation
♦ Error propagation
The independence of failures of different FCRs is the most critical issue in the design of an ultra-dependable system:
♦ Is it justified to assume that a single silicon die contains two independent FCRs? -- NO
♦ Can we assume that the failure modes of a single silicon die are well-behaved (e.g., fail-silent) to the required level of probability? -- NO
♦ How can we make sure that FCR failures are not correlated, even at a very low level of correlation (e.g., 1 in 1000)?
Slide 6: Independence of FCR (ii)
The diversity of Fault Containment Regions (FCRs) that are located on a single SoC (System on Chip) is compromised by:
♦ Same Physical Space (Physical Proximity Failures)
♦ Same Mask (Mask Alignment Issues)
♦ Same Bulk Material
♦ Same Wafer Production Process
♦ Same Power Supply
♦ Same Earthing
♦ Same Timing Source
Although some of these dependencies can be eliminated, others cannot.
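The questions on slides 4 to 6 can be put into numbers. The following added example (my own code, not from the slides) models a 2-of-3 vote over three FCRs of 1000 FIT each and adds a beta-factor common-cause term as an assumed model of correlated failures; it shows that a coupling of only 1 in 1000 between the regions already consumes the whole 1 FIT system budget.

```python
"""Added example, not from the slides: what a 1-in-1000 correlation between
fault-containment regions (FCRs) does to the 1 FIT system budget of slide 4.
The beta-factor common-cause model is an assumption of this example."""

FIT = 1e-9  # 1 FIT = one failure in 10^9 hours (slide 4)


def tmr_failure_rate(component_fit: float, beta: float = 0.0) -> float:
    """Failure rate (in FIT) of a 2-of-3 vote over three FCRs.

    Independent part: with per-hour rate lam per region, two or more of three
    regions failing in the same hour happens at roughly 3 * lam**2.
    Common-cause part (beta-factor model, assumed): a fraction `beta` of each
    region's failures is shared by all three regions, so the vote cannot mask
    it and the system fails at rate beta * lam.
    """
    lam = component_fit * FIT
    lam_ind = (1.0 - beta) * lam             # independent share of the rate
    independent = 3.0 * lam_ind ** 2         # needs two coincident failures
    common_cause = beta * lam                # one shared failure is enough
    return (independent + common_cause) / FIT


def max_tolerable_beta(component_fit: float, budget_fit: float) -> float:
    """Largest beta for which the voted system still meets `budget_fit`.

    Solves beta * lam + 3 * lam**2 = budget; the independent term is so small
    that its (1 - beta) factor is ignored here.
    """
    lam = component_fit * FIT
    return (budget_fit * FIT - 3.0 * lam ** 2) / lam


def meets_budget(component_fit: float, beta: float, budget_fit: float = 1.0) -> bool:
    """True if three voted FCRs of `component_fit` with coupling `beta` stay within budget."""
    return tmr_failure_rate(component_fit, beta) <= budget_fit


if __name__ == "__main__":
    # Constructed sweep: 1000 FIT regions (slide 4) against a 1 FIT system budget.
    for beta in (0.0, 1e-4, 1e-3, 1e-2):
        rate = tmr_failure_rate(1000.0, beta)
        verdict = "OK" if meets_budget(1000.0, beta) else "exceeds 1 FIT"
        print(f"beta = {beta:8.1e}  system rate = {rate:10.4f} FIT  {verdict}")
    print(f"max tolerable beta for 1 FIT: {max_tolerable_beta(1000.0, 1.0):.2e}")
```

With independent regions the voted system sits near 0.003 FIT, three orders of magnitude inside the budget; at beta = 1/1000 the common-cause term alone is 1 FIT, which is why slide 5 treats even that level of correlation as a design question.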
Slide 7: Approach to Safety: The Swiss-Cheese Model
[Figure: a Subsystem Failure passes through Multiple Layers of Defenses before it becomes a Catastrophic System Event.]
Independence of Layers of Error Detection are important
From Reason, J.: Managing the Risk of Organisational Accidents, 1997
Slide 8: A Look Back
In the past, many dependable embedded systems have been designed from scratch with an enormous design, development and validation effort, e.g.,
♦ Nuclear Control System
♦ Aerospace Systems
♦ Railway Control Systems
What is needed is an integrated distributed architecture and a generic methodology for the design of dependable embedded systems supported by commercial-off-the-shelf (COTS) hardware components and software tools such that the engineering effort needed to design, produce and validate dependable embedded systems can be drastically reduced.
Slide 9: Window of Opportunity for COTS
[Figure: three axes that span the window of opportunity]
• Technology Constraints (Cost, Processing Power, Communication Capabilities)
• Functional Requirements / User Needs / Economic Constraints
• State and Needs of the Market (Dominance, Maturity)
All three axes change with time.
Slide 10: Technology Constraints: Silicon
♦ At the end of this decade, we will see purely digital Systems-on-a-Chip (SOC) that will host up to one billion transistors.
♦ Mixed signal ICs that may include MEMS sensing and actuator elements will have a significantly lower logic density.
♦ From an architecture point-of-view, we will have very powerful processing nodes and smart transducers, connected via field-buses, with a limited processing power.
♦ In the past few years, the technological developments have accelerated. Whereas a new generation of chips is introduced every two years, it takes four years to certify a safety-critical aerospace application.
♦ Applications may live up to thirty years!
Slide 11: Technology Constraints: Dependability
♦ The permanent failure rate of chips will be staying where it is today -- between 1000 and 10 years MTBF.
♦ The transient failure rate will be orders of magnitude higher and is expected to increase due to reduced feature size.
♦ In high-dependability applications, it is not justified to assume that a single die can host more than one fault containment region: unconstrained failure of SoCs.
♦ An increasing transient failure rate (intermittent failures) is an indicator for an upcoming permanent failure.
Slide 12: Intermittent Failures: Preventive Diagnostics
[Figure: Failure Rate (FITs, log scale 10, 100, 1000, 10 000, 100 000) over Real Time; the curve rises from the "Start of intermittent failures due to a physical defect" until the "Permanent Failure".]
Monitor every single SOC to detect a degradation before a permanent failure occurs.
Detect increase in transient failure rate.
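The preventive-diagnostics rule of slide 12 turned into a per-SoC monitor, as an added example that is my own code and not from the slides. It reports a transient failure rate that climbs an order of magnitude above the chip's own baseline and stays there, while ignoring a lone spike such as a random single event upset; the window length, thresholds and the sample error counts are assumptions of the example.

```python
"""Added example, not from the slides: the preventive-diagnostics rule of
slide 12 as a per-SoC monitor.  A transient failure rate that rises an order
of magnitude above its own baseline and stays there is reported as
degradation before a permanent failure; a lone spike (a random single event
upset) is not.  Window length, thresholds and sample data are assumptions."""

from statistics import median
from typing import Dict, List, Optional


def first_degradation_window(counts: List[int], baseline_windows: int = 7,
                             factor: float = 10.0, persistence: int = 3) -> Optional[int]:
    """Index of the window at which degradation is declared, or None.

    counts: corrected transient errors reported by one SoC per observation window.
    The baseline is the median of the first `baseline_windows` windows, floored
    at one error per window so that a clean chip does not alert on its first
    error.  Degradation means rate >= factor * baseline for `persistence`
    consecutive windows; one order of magnitude mirrors the log axis of the
    slide's figure.
    """
    if len(counts) <= baseline_windows:
        return None                                  # not enough history yet
    baseline = max(median(counts[:baseline_windows]), 1.0)
    streak = 0
    for i in range(baseline_windows, len(counts)):
        if counts[i] >= factor * baseline:
            streak += 1
            if streak >= persistence:
                return i
        else:
            streak = 0                               # isolated upset: reset
    return None


def classify_fleet(series: Dict[str, List[int]]) -> Dict[str, str]:
    """Map each SoC to 'ok' or 'degrading since window N'."""
    result = {}
    for soc, counts in series.items():
        idx = first_degradation_window(counts)
        result[soc] = "ok" if idx is None else f"degrading since window {idx}"
    return result


# Constructed sample data: error counts per window for three SoCs.
SAMPLE = {
    "soc-A": [1, 0, 2, 1, 1, 0, 1, 1, 2, 0, 1, 1, 0, 2, 1, 1],     # healthy
    "soc-B": [1, 0, 2, 1, 1, 0, 1, 1, 2, 0, 1, 15, 1, 0, 1, 2],    # one upset
    "soc-C": [1, 0, 2, 1, 1, 0, 1, 2, 3, 5, 12, 20, 35, 60, 90],   # wearing out
}

if __name__ == "__main__":
    for soc, status in classify_fleet(SAMPLE).items():
        print(f"{soc}: {status}")
```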
Slide 13: Economic Constraints
♦ The design of a new SoC requires an investment in the order of 10 Mio € (design cost, mask costs, etc.)
♦ The production cost of an SoC is in the order of 10 €.
♦ Only applications that require millions of chips can afford the design cost.
♦ In the domain of dependable embedded systems only the automotive applications command a sufficiently large market.
♦ Europe's automotive industry has a leading position in the world and thus can drive the dependable embedded systems technology.
Slide 14: Aerospace Applications
♦ Radiation hardened chips carry a penalty in processing capability, power consumption and cost that is becoming difficult to justify.
♦ Experiments in space (e.g., the ARGOS: Advanced Research and Global Observation Satellite project) have shown that it is cost-effective to use COTS chips in space and to implement the fault-tolerance by software.
♦ NASA is planning to use state of the art COTS components in space to perform on-board massive calculation in future scientific experiments.
♦ The rationale for split markets in the high dependability sector is disappearing.
Slide 17: What can we Expect on the Hardware Side?
♦ The rate of transient failures of SoCs is on the increase due to the following:
  • Single event upsets
  • Signal integrity problems
  • Variations due to manufacturing
  • Degradation problems after shipment
♦ The single bit-flip model is out
♦ Radiation hardened chips can be replaced by fault-tolerant architectures based on commodity SoCs
♦ The initial cost of a SoC is so high, that only applications that require millions of chips can afford their own SoC
♦ The pace of hardware innovations is accelerating.
♦ Only the automotive market is of a size that can support special SoCs for high dependability applications.
Slide 18: Automotive Electronics -- User Needs
♦ The wide deployment of intelligent driver-assistance systems has the potential to significantly reduce the number of accidents and to save many human lives.
♦ Sooner or later, X-by-Wire will happen. The sooner it comes, the more lives will be saved.
♦ The design of the X-by-Wire chips will be decisive, since they will constitute the raw material future dependable embedded systems will have to be made of.
What are the main obstacles that hinder the wide deployment of electronic systems in cars?
Slide 19: Example of Electronics in an Upscale Car
♦ Different level of controls:
  • Powertrain (engine, transmission)
  • Brakes, Suspension
  • Body electronics
  • Multimedia
♦ Federated Architecture with up to 70 nodes (Electronic Control Units -- ECUs) in an upscale car
  • Essentially, every new function requires a new box
♦ Different networks
  • LIN field bus (< 20 kbits/s)
  • CAN (< 500 kbits/s)
  • MOST (Multimedia > 10 Mbits/s)
Slide 20: What is Different in the Automotive Industry?
♦ Large number of cars (50 million/year)
♦ Minimization of recurring costs in a mass market
♦ Very high level of dependability at affordable cost
  • Majority of recalls are hardware related failures
♦ Few independent automotive companies in the world
  • Large enough to make their own COTS
♦ Attitude: We own the world -- and in some respects they do
  • Example CAN
  • Convergence Conference on Automotive Electronics
  • Absence of academics at relevant SAE meetings (e.g. Naming)
♦ Difficulties when it comes to interfacing with the world wide information infrastructure: example MOST
Slide 21: Current Obstacles in the Automotive Market
Why don't we move ahead? After discussions with automotive companies, we have identified the following five major current obstacles:
1. Electronic Hardware Cost
2. Diagnosis and Maintenance
3. Dependability
4. Development Cost: Limited Reuse
5. Intellectual Property (IP) Protection
Slide 22: Electronic Hardware Cost
Hardware costs are recurring costs that are decisive for the economic success in a mass market.
♦ At present, the electronic architecture on-board vehicles is federated, not integrated.
♦ In a federated architecture every new function requires a new electronic box (ECU -- Electronic Control Unit).
♦ Today we find more than 70 ECUs in upscale cars.
♦ In an integrated architecture the number of hardware boxes can be reduced significantly, resulting in a significant reduction of the hardware costs.
♦ The technology to support an integrated architecture with encapsulated execution and communication services is not yet mature.
Slide 23: Diagnosis and Maintenance
♦ The vast majority of failures in the electronic system of a car is transient or intermittent, but not permanent.
♦ The present electronic architectures within cars do not support the diagnosis of transient faults in an optimal way.
♦ The ratio of first-time-correct maintenance actions is in many scenarios below 50 %.
♦ If we assume that 2% of the cost of a car (300 € per car) are spent for electronic diagnosis, the world-wide automotive electronic diagnosis market is 15 000 000 000 €.
♦ The technology to diagnose correctly transient malfunctions needs to be developed further.
Slide 24: Dependability
♦ According to the ADAC statistics in Germany close to 50 % of the failures of cars on the road are caused by defects in the electronic systems.
♦ Connector failures are an important failure class.
♦ Fail-operational applications (e.g., X-by-Wire) require a reliability that must be better than the reliability of the mechanical system they replace -- a level of electronic system safety that the automotive industry is not yet used to.
♦ The aircraft industry has the longest experience in designing safety-critical by-wire systems.
Slide 25: Development Cost
♦ The unintended side effects between different application subsystems increase significantly the development and integration efforts.
♦ There is only a limited reuse of software and existing IP due to the missing composability support of current electronic architectures.
♦ The hardware environment changes so quickly, that it is difficult to consolidate the application development.
♦ As a consequence, modular development, validation and certification are still more on the wish-list than in the real world.
Slide 26: Intellectual Property (IP) Protection
♦ Sub-suppliers of the car companies are not very willing to open their IP, because they are afraid of giving up their competitive edge (e.g., software for engine control).
♦ Without a deep knowledge of the software internals, car companies are reluctant to accept system responsibility for the correct operation of ECUs that contain software modules from different sub-suppliers.
♦ The contractual and legal implications of fault-diagnosis and repair responsibility of multi-vendor ECUs are difficult to resolve.
Slide 27: What makes Internet such a Success?
[Figure: applications sit on top of the basic services]
Basic Services:
• TCP/IP
• URLs
• HTTP
Applications depend only on the properties of the basic services.
Implementation of basic services is hidden from the application.
Stable technology invariant interfaces to basic services.
Slide 28: Needed: An Integrated Distributed Architecture
An Integrated Distributed Architecture for dependable embedded applications is badly needed:
♦ In an Integrated Distributed Architecture the number of nodes (ECUs) can be significantly reduced by providing multiple encapsulated execution environments for different Distributed Application Subsystems (DAS) that are integrated within a single physical node and protected from each other.
♦ The number of cables and connectors can be reduced by providing multiple encapsulated virtual networks on a single wire.
♦ Generic services for strong fault isolation, fault tolerance and monitoring are provided at the architecture level.
♦ Standard technology invariant interfaces are provided by the middleware to the application, irrespective of the current physical environment, which can evolve.
Slide 29: Encapsulated Execution Environments
[Figure with the labels: Physical Hardware Network; TT Network; Semi-Virtual CAN Network 1; Semi-Virtual CAN Network 2 (Diagnosis); Physical CAN; Physical CAN; Diagnostic Node; nodes A, B, C, D.]
Slide 30: Multiple Encapsulated Execution Environments
♦ Are encapsulated by middleware and do not interfere with each other, neither in the domain of time nor of value.
♦ Provide standardized technology invariant interfaces to the multiple distributed application systems (DAS).
♦ The specified operation of a DAS is continuously monitored by an architecture based diagnostic service.
♦ Supports the free movement of applications within a single DAS (load sharing within the nodes).
♦ Provide strong fault-isolation of the applications determined by basic services of an architecture.
♦ Fault tolerance is provided by the services of the middleware.
Slide 31: Architecture Vision for Embedded Systems: Layers
Basic Layer: Minimal Safety Critical Functionality
• Predictable Transport of Messages
• Fault Tolerant Clock Synchronization
• Fault Isolation
• System Diagnostics
Middleware Layer: Technology Invariant Interfaces
• Encapsulated Execution Environments
• Encapsulated Virtual Networks
• Fault Tolerance Services
• Application Environment Diagnostics
Applications are based on technology invariant interfaces.
Slide 32: Technology Invariant Interfaces
[Figure: applications on top of middleware services on top of the basic services]
Basic Services:
• TT Transport
• Clock Sync
• Fault Isolation
• Diagnosis
Implementation of basic services is hidden from the application.
Formally analyzed and validated basic services are available and stable.
Extend the range of implementation choices.
Middleware Services: stable technology invariant application interfaces; not safety critical.
Slide 33: Integration of Critical with Non-Critical Services
Critical and non-critical services can only be integrated within a single architecture if the architecture supports the safety requirements of the most critical service class. They must be separated for the following reasons:
♦ The basic services guarantee fault-isolation and independence of FCRs.
♦ The basic services must be minimal in order that their correctness can be established.
♦ The middleware services are not in the same criticality class as the basic services, since it must be assumed that an SoC can fail in an arbitrary failure mode.
Slide 34: The TTA Provides the Basic Services
[Figure: the same layering as slide 32]
Basic Services:
• TT Transport
• Clock Sync
• Fault Isolation
• Diagnosis
Implementation of basic services is hidden from the application.
Formally analyzed and validated basic services are available and stable.
Extend the range of implementation choices.
Middleware Services not yet available.
Slide 35: Architecture based Fault Isolation in the TTA
TTP/C-C1-based hardware prototype with XILINX 600k FPGA developed within NEXT TTA (tested by IST project FIT):
Heavy Ion Experiments (at Chalmers):
• Bus topology: 37036 faults -- 78 error propagations (0.21 %)
• Star topology: 26600 faults -- 0 error propagation
Software Implemented Fault Injection (Vienna):
• Bus topology: 562122 faults -- 14 error propagations (0.02 %)
• Star topology: 541744 faults -- 0 error propagation
Published at DSN, San Francisco, June 2003
Formal Verification using Model Checking (SAL, UPPAAL2k) and Theorem Proving (PVS) is ongoing in the NEXT TTA Project.
Slide 36: Conclusion
♦ Hardware gets more powerful but less reliable at an accelerating pace. The reasons for split hardware markets are disappearing.
♦ We must move from the federated architectures of today towards the integrated architectures of tomorrow that provide stable technology invariant interfaces to the applications.
♦ The full integration effect can only be achieved, if the base architecture supports the highest criticality class.
♦ The Automotive Market is the driver of the market for dependable embedded systems.