Proving “no Cliques” in a Protocol

Agathe Merceron
Basser Department of Computer Science, University of Sydney
Madsen Building F09, NSW 2006, Australia
E-mail: agathe@cs.usyd.edu.au

Abstract

The current trend in the transport industry is to have electronic systems without mechanical back-up, so-called “by-wire” systems. Micro-computers control steering, brakes, power train, etc. Robust protocols are needed to make these micro-computers communicate. They should be fault-tolerant and yet not let the micro-computers split into disjoint communicating subsets. TTP is a time-triggered protocol that has been proposed for the automotive industry. In this paper we investigate the clique avoidance mechanism of TTP/C, the latest version of TTP, and prove that it is effective.

1 Introduction

The current trend in the transport industry is to have electronic systems without mechanical back-up, so-called “by-wire” systems. Steering, brakes, power trains are controlled by powerful micro-computers which calculate set points for safe driving within fractions of a second, taking sensor-recorded data about the driving situation at any given point in time into account. On this basis, the computers execute the driver’s commands in such a way that the car always remains safely on course, even in critical situations. A reliable and fault-tolerant protocol is needed to allow the different micro-computers to exchange data and communicate with each other. Such protocols fall into two categories: event-triggered protocols and time-triggered protocols.

In an event-triggered protocol, the start of a communication or of any computational activity is triggered by an event, either from the environment (detected by a sensor) or from the computer system itself. Event-triggered protocols have the advantage of flexibility and fast response. They have one major disadvantage: their inherent non-determinism; a multiplicity of events, possibly simultaneous, can trigger communication.
Therefore event-triggered protocols require much communication bandwidth to coordinate operations; the design of a stable interface at certain points of time between processes and the development of a constructive test methodology are extremely difficult.

Time-triggered protocols assume the existence of a global time. The progression of time triggers the start of communication and of computational activities according to a pre-determined, static schedule. Such protocols need to spend extra effort on clock synchronisation. However, because they are deterministic, they don’t have the drawbacks of event-triggered protocols regarding bandwidth, stable interface or testing. Among the most well known time-triggered protocols are ARINC 659 for the avionics industry and TTP for the automotive industry. The Time Triggered Protocol, TTP, has been developed over the past fifteen years by the Technical University of Vienna [5, 6]. Presently the Time Triggered Protocol Class C (TTP/C) specification is a document of some 140 pages of natural language description [4].

TTP allows a fixed number of stations to communicate via a shared bus. Messages are broadcast to all stations via the bus. Each station that participates in the communication sends a message when it is the right time to do so. Therefore, access to the bus is determined by a time division multiple access (TDMA) schema controlled by the global time generated by the protocol. A TDMA round is divided into time slices. The stations are statically ordered and time slices are allocated to the stations according to their order. During its time slice, a station has exclusive sending rights. A TDMA round for three stations is shown in Figure 1.

In this paper we tackle the clique problem of TTP, basing our work on the latest description of TTP, called TTP/C, mentioned above [4]. Throughout the reports on TTP, cliques are understood to be subsets of stations communicating exclusively with each other.
The clique problem is to avoid the formation of such subsets. To solve this problem a precise definition of the clique notion is needed. A way to proceed is to borrow the notion from graph theory or, more exactly, to take the notion of graph theory and to map the stations onto