The Startup Problem in Fault-Tolerant Time-Triggered Communication

Fault-tolerant time-triggered communication relies on the synchronization of local clocks. The startup problem is the problem of reaching a sufficient degree of synchronization after power-on of the system. The complexity of this problem naturally depends on the system assumptions. The system assumptions in this paper were compiled from cooperation with partners in the automotive and aeronautic industry. We present a general startup strategy for safety-critical systems that discusses the solution to the startup problem from an abstract point of view. From this abstract view we derive and analyze a new startup algorithm that is used in a TTP/C research derivative protocol (LTTP). We also analyze the FlexRay startup algorithm and discuss its behavior in presence of simple failures. The analyses were done by exhaustive fault simulation using the SAL model checker. While LTTP was found to tolerate the arbitrary failure of one node, the FlexRay startup shows to be vulnerable to simple failure modes