Cyclic Behaviour with Guaranteed Maximum Cycle Time (Time-Triggered Architecture)
What is it?
Cyclic behaviour with a guaranteed maximum cycle time—often implemented as a Time-Triggered Architecture (TTA)—is a scheduling approach in which all software activities and communications start at pre-defined instants on a global time base. The system repeats a fixed major cycle that is subdivided into minor cycles and communication slots (TDMA). Because activation times are predetermined, the latency and jitter of each action are bounded and auditable. The architecture favours simple timing analysis and limits coupling between components through temporally fixed interfaces.
How it supports functional safety
TTA addresses systematic failures by design: fixed schedules remove race conditions and priority inversions, and bounded jitter ensures timing assumptions remain valid across versions and loads. Temporal firewalls and membership services prevent a faulty element from disturbing others, limiting error propagation. While it targets systematic issues, the architecture also reveals manifestations of random/common-cause hardware faults in data and timing (e.g., late/omitted frames, clock drift), enabling the safety function to reject, mask, or transition to a safe state rather than acting on corrupted information.
When to use
- Safety-critical control loops with strict end-to-end reaction times (e.g., braking, steering, flight control).
- Distributed systems that require a shared notion of time and deterministic communication.
- Projects seeking strong evidence for freedom-from-interference and predictable timing in the safety case (higher SIL targets).
- Systems where integration/composability of independently developed components is a priority.
Inputs & Outputs
Inputs
- Safety requirements for reaction time and allowable jitter.
- Worst-case execution time (WCET) of tasks and message sizes.
- Clock accuracy/drift budgets and synchronisation strategy.
- Static task/communication schedule (major/minor cycles, TDMA slots).
Outputs
- Deterministic execution timeline with guaranteed maximum cycle time.
- Time-synchronised, bounded-latency message transport and membership state.
- Verification evidence: schedulability, jitter/latency measurements, fault-injection results.
Procedure
- Derive cycle time. From hazards and control-loop stability, allocate the end-to-end reaction time across sensing, compute, communication, and actuation. Choose major/minor cycle lengths.
- Establish WCET and margins. Measure/compute WCET for each task; include margins for I/O, context switches, and clock error. Define message sizes and deadlines.
- Build the static schedule. Assign time slots for tasks and TDMA communication; ensure total utilisation <= target (e.g., ≤70–80%) with slack for sporadic/bounded aperiodic work.
- Define time synchronisation. Specify the fault-tolerant clock sync method and maximum synchronisation error; set drift/Skew budgets per node and per cluster.
- Implement temporal firewalls. Gate inputs/outputs by time windows and freshness checks; isolate tasks via fixed interfaces; handle late/early data deterministically.
- Verify determinism. Perform schedulability analysis, measure latency/jitter under worst-case load, and inject timing/communication faults (lost frame, hung task, clock slip).
- Document for the safety case. Trace timing assumptions to hazards, record evidence, and control changes to schedules and WCET.
Worked Example
High-level
A brake-by-wire ECU cluster runs a 10 ms major cycle. Wheel-speed sampling, state estimation, control law, and actuator command are scheduled in fixed 2 ms slots; the TT network provides two transmit windows for sensor and command frames. If one node misbehaves, membership excludes it within one TDMA round and other nodes ignore its frames, preventing unstable braking effort.
Code-level
// 10 ms major cycle, global time provided by TT network for (;;) { sync_to_global_time();
// Enforce temporal firewall on inputs
if (slot_open(SLOT_SENSORS) && rx_frame_in_window(SLOT_SENSORS)) {
SensorData s = read_sensor_frame();
if (!fresh(s.timestamp, MAX_AGE_MS)) {
// SAFE REACTION: discard stale frame; hold last known safe value
s = last_safe_sensor();
}
state = estimate_state(s);
} else {
// SAFE REACTION: no input in window -> degrade control authority
state = degrade_to_safe_state(state);
}
// Compute and command within allocated execution window
TorqueCmd u = braking_controller(state);
if (!membership_ok()) {
// SAFE REACTION: enter limp mode, limit torque command
u = clamp_to_safe_limit(u);
}
send_actuator_command(u, SLOT_CMD); // transmit only in assigned slot
wait_until_next_tick(); // guarantees maximum cycle time
}
Result: The braking loop executes with bounded latency and jitter; late or missing data triggers defined safe reactions rather than uncontrolled behaviour.
Quality criteria
- Schedulability margin: Sum of WCETs + communication <= cycle time with explicit slack (≥20% typical).
- Timing error bounds: Measured jitter and end-to-end latency stay within requirements across temperature, voltage, and load.
- Clock discipline: Global time error stays below the specified bound (e.g., <±ε µs) under fault-tolerant sync.
- Temporal firewalling: Inputs/outputs are accepted only within specified time windows; stale/early frames are rejected deterministically.
- Membership response: Faulty node detection/isolation <= one TDMA round; documented safe reaction.
Common pitfalls
- Overfilled cycle leading to deadline misses. Mitigation: validate WCET, add slack, split tasks, or shorten cycle.
- Ignoring sporadic events (diagnostics, faults) that burst into the schedule. Mitigation: reserve bounded aperiodic windows or handle off-cycle with strict limits.
- Weak clock synchronisation erodes determinism. Mitigation: use redundant clocks and a fault-tolerant sync algorithm; budget drift/skew.
- Undisciplined changes to schedule/WCET after certification. Mitigation: controlled change process with re-analysis and re-measurement.
- Multicore interference breaks timing assumptions. Mitigation: partition cores/caches/DMAs or use interference-aware WCET methods.
References
FAQ
How is TTA different from a priority-driven (event-driven) RTOS?
TTA activates tasks and messages at fixed times, so worst-case behaviour equals nominal behaviour. Priority-driven systems reorder work based on events and priorities, which complicates worst-case timing analysis and interference control.
Can a cyclic executive handle sporadic safety events?
Yes, if the schedule reserves bounded aperiodic capacity (or a hybrid approach is used). Without this, responsiveness may be inadequate—define limits and safe reactions.
Do I need specialised hardware?
No, but reliability improves with hardware support for fault-tolerant time synchronisation and time-triggered networking; otherwise, tighter verification and margins are required.
What evidence should go into the safety case?
WCET justifications, static schedule, measured latency/jitter across worst-case conditions, fault-injection results (late/omitted frames, membership loss), and change-control records.