Achieving fault tolerance in FTT-CAN

In order to use the FTT-CAN protocol (flexible time-triggered communication over controller area network) in safety-critical applications, the impact of network errors and node failures must be thoroughly determined and minimized. This paper presents and discusses fault-tolerance techniques to limit that impact. The particular configuration of the communication system can be more or less complex and fault-tolerant as desired by the system designer. The paper includes the fault hypothesis and presents a replicated network architecture using bus guardians. An important aspect is the replication of the master node that schedules the time-triggered traffic. In this case, it is particularly important to assure correct synchronization of the master replicas. The mechanisms that support masters´ replication and synchronization are described and their performance is evaluated. The resulting architecture allows a reduction of the conflicts between safety and flexibility, supporting the use of FTT-CAN in safety critical applications.