The FTT-CAN Protocol for Flexibility in Safety-Critical Systems

Flexibility and safety are often considered conflicting concepts because flexibility implies dealing with changing requirements that can, in turn, produce unpredictable and possibly unsafe operating scenarios. Therefore, some in the automotive and avionic system design industry believe that a safety-critical system implies a fully static system in which all operating conditions are completely defined at pre-runtime. However, flexibility supports evolving requirements, simplifies maintenance and repair, and improves efficiency in system resources. The issue, then, becomes how to find a compromise achieving flexibility without jeopardizing system safety. Achieving this compromise is particularly important in safety-critical systems that demand resource efficiency. For example, heavy pressure exists to reduce cost in automotive distributed computer control systems. Here, the communication infrastructure deserves particular attention because of the current trend toward encapsulating single functions in separate nodes. This fully distributed scenario has several advantages: