FAULT-TOLERANT COMPUTER FOR THE AUTOMATED TRANSFER VEHICLE
|
|
- Winfred Baldric Parks
- 5 years ago
- Views:
Transcription
1 FAULT-TOLERANT COMPUTER FOR THE AUTOMATED TRANSFER VEHICLE R. Roques, A.Corrégé, C. Boléat Matra Marconi Space, 31, Avenue des cosmonautes, Toulouse Cedex 4, France, telefax: +33 (0) , Abstract Matra Marconi Space is developing their fourth generation fault-tolerant majority voting computers for use on future spacecraft such as the European Automated Transfer Vehicle, a servicing vehicle for the International Space Station. This paper presents how the computer participates in the spacecraft safety concept with emphasis on the critical on-orbit rendezvous phase. The functional architecture of the computer pool is described addressing fault containment layers, inter-channel synchronisation, communication, failed channel detection and passivation. Lastly, the hardware and software design of the test bench, built up to validate this new computer pool, is presented together with some performance measurements. 1. Introduction and fault-tolerance concept 1.1 Objectives The objective of this paper is to summarise the result of the initial development phase of the new generation of Matra Marconi Space fault-tolerant computers including activities focused on defining a concept suitable to the peculiarities of the Automated Transfer Vehicle and the research of key technologies required for the future units to be used by the spacecraft development programme. 1.2 ATV constraints In ATV, the data management system is highly centralised and a unique computer handles all control tasks. This approach requires the centralised data management function to fully ensure the safety of the docking phase to the Space Station without reliance on any other on-board intelligence, since the spacecraft is unmanned, thus leading to the highest level of autonomy as far as safety monitoring and safing actions are concerned Tolerance to hardware faults The fact that we deal with a vehicle with guidance, navigation and control capabilities places tight constraints on real-time performance. The central processing functions have therefore been implemented as a fault masking system, i.e. a majority voting quadruplex computer pool. This means that fault correction can be performed without delaying critical computer outputs, avoiding the delays that are associated with designs that must sequentially detect a failure, passivate it and then perform recovery actions. It also assures that incorrect outputs never occur Tolerance to software faults This is valid, however, only for hardware faults, i.e. those faults which affect only one chain at a time within the computer pool. Software faults could still induce a common mode failure in all units simultaneously with resultant loss of mission. Due to the catastrophic effect on Space Station crew safety which such a software fault could create, should it happen during the rendezvous phase, a solution had to be found to meet safety constraints while avoiding a multiplicity of computer hardware on-board Safety concept Therefore, the computer pool is split up into two zones as shown on figure The higher criticality zone, named the Vital layer is in charge of maintaining the computer pool synchronisation and of monitoring some ATV critical parameters such as attitude and distance rate elements from the docking port. The lower criticality
2 zone, named Nominal Layer is in charge of performing the nominal mission with full performance. NOMINAL LAYER Nominal LN 1 Recovery NOMINAL LAYER VITAL LAYER CHANNEL 1 CHANNEL 2 CHANNEL 3 CHANNEL 4 NOMINAL NOMINAL NOMINAL NOMINAL PROCESSOR PROCESSOR PROCESSOR PROCESSOR VITAL VITAL VITAL VITAL PROCESSOR PROCESSOR PROCESSOR PROCESSOR VITAL LAYER Warm Context (if necessary) Monitoring Contingency Vital Layer Fault Management Vital application sub-layer Input/Output sub-layer Nominal mission Fault detection Short-term Safety Mission continuation with degraded perf. MIL-STD-1553B BUSES SENSORS & ACTUATORS Figure Vital/Nominal breakdown Monitoring function The Vital Layer monitors the system in order to detect the occurrence of wrong behaviour induced by Nominal Layer failures including those that can be caused by software design faults. Both layers use the same sensors in order to limit the amount of hardware on-board, but the monitoring function uses raw sensor data whereas nominal processing uses calibrated/pre-processed data that is produced by the sensor software. The monitoring function is therefore independent from nominal sensorinternal processing algorithmic faults. Collision avoidance and safe mode When a fault is detected, the Vital Layer halts Nominal Layer operations and triggers execution of Contingency software to perform a rendezvous abort manoeuvre that avoids collision with the Station. Once short term safety is ensured, the Nominal Layer can then be reactivated to place the vehicle into a safe mode. This allows troubleshooting operations to be performed from the Ground before attempting a rendezvous retry (Recovery software). The figure summarises which software entities are executed by the pool depending on the mission phase and how they are allocated to Vital Layer or to Nominal Layer. Figure Allocation of software entities 1.3 Fault-tolerance design drivers The implementation of fault tolerance takes advantage ofdevelopments conducted in previous projects in particular in the Hermes space plane technology programme for the overall scientific and algorithmic background and also for the way to handle software faults (in [1]). It also follows the general model described in [4]. Tolerance to two hardware channel faults There are four tightly synchronised channels tied together by broadcast links with checksumed data and supporting double round exchange mechanism This is able to meet a double failure coverage requirement: At the first channel failure occurrence (four computers running, one faulty), all types of faults are covered (arbitrary fault) At the second failure occurrence (three computers active with one faulty, the fourth one passivated after the first failure), all faults which are detectable by the checksum mechanism are covered ( semi-consistent faults as defined in [4]) Tolerance to single application software fault Although located in the same physical channel unit, Vital layer and Nominal layer are segregated to prevent the propagation of software errors from one layer to the other. This is accomplished by allocating the layers to two distinct processors with firewall mechanisms. The Vital layer monitors the Layer and when at least two channels diagnose an AL failure, all AL in the pool are passivated and the FTC enters the Contingency
3 mode. This requires that the failure rate of the Vital Layer software is far smaller than the AL one, which is assumed to be achieved by applying strong design and development constraints (see [3] for use of formal description techniques) and by ensuring that the software size is relatively small to make testing easier. 2. Fault-tolerance implementation NOMINAL VITAL PROCESSOR FDIR MONITORING CONTINGENCY CPU + MEMORY NOMINAL PROCESSOR CPU + MEMORY INTERFACE MEMORY INTER CHANNEL COMM DECOUPLING TO AVOID APPLICATION FAULT PROPAGATION INTER CHANNEL LINK 2.1 General The FTC fault-tolerance implementation can be characterised with respect to: fault containment layers and sub-layers, inter-channel synchronisation, time determinism, fault passivation and reconfiguration 2.2 Fault-containment approach Nominal/vital segregation Vital Layer / Nominal Layer segregation is both physical and functional (see figure ). The two layers are implemented by two distinct sets of electronic boards : the Vital Processor (and 1553B avionics bus Input/Output Board) and the Processor. Memory is also functionally segregated between these layers. The Processor, whatever its fault condition, cannot access or alter Vital layer memory resources since it can only write in a memory space dedicated to Layer/Nominal Layer communications. Written data is checked by Vital layer software for consistency. processor faults can be of two types: faults detected by Vital layer Input/Output software and faults detected by Vital layer application monitoring software. The first group of faults includes hardware and software faults which lead to absence of communication between the two layers or to inconsistent communications. The former can be detected by a kind of watchdog system; the latter will be detected by syntactic/semantic checking (e.g. errors in the layer/vital layer protocol). The second group of faults pertain to those faults which can be detected only at the System level by the application monitoring software. This looks for the compliance during the mission to basic success criteria computed on the basis of sensor data directly acquired from the buses. ACQUIRED DATA VOTED COMMANDS Figure Nominal / Vital physical Segregation Intra-vital segregation Inside the Vital Layer, segregation is provided between the Input/output software and the vital application monitoring and contingency software. The main aim of such a segregation is to make system validation easier by being able to test and validate the two software entities separately. Indeed, these two software products are also separated in the ATV system development cycle : while the Input/Output software is part of FTC development, the monitoring/contingency software is part of the software development process. The introduction of segregation via two integrity levels therefore reduces the risk of introducing "common mode" faults during system integration and allows the two products to be validated independently. Practically speaking, the segregation is provided via special mechanisms (see [2]) and both functions are executed within the same processor. These are : memory segments provided by the microprocessor chipset with each software package running in a dedicated memory area with its own private data a secure communication mechanism between vital application and Input/Output software thus preventing lower integrity application data from contaminating higher integrity data cyclic time-slotted processing resource allocation to prevent processor hogging. 2.3 Inter-channel synchronisation approach The synchronisation between computers is mandatory to ensure the simultaneity of sensor data acquisition, as for
4 processing within each computer and emission of commands towards the actuators. This simplifies error detection in the computer pool and the voting mechanisms implemented in the actuators. The larger the drift in the time base between computers, the greater the processor resource that is lost in tolerating this drift. To meet the mission constraints, the four computers need to be synchronised with an accuracy better than 5 µs. This synchronisation is achieved by a cyclic exchange of a special synchronisation event on the inter-channel link. This exchange is handled by hardware mechanism on software request. With the intrinsic clock stability (20 ppm), a 100 ms synchronisation period is sufficient to maintain a less than 5 µs skew. At a fixed point in each cycle, each computer sends a synchronisation event to the 3 other computers and receives 3 synchronisation events. The difference between the time stamp of its own emission and the time stamp of reception of synchronisation events from the other computers is used to adjust the duration of the next cycle. The choice of the right clock inside the validation window is made according to an algorithm that depends on the configuration of the fault tolerant computer system. This algorithm is performed by software in order to provide flexibility in adapting to reduced configurations (3 or 2 computers) and to required mode changes (pool initialisation, i.e. synchronisation searching or pool nominal operations, i.e. synchronisation keeping ). 2.4 Time determinism Timewise, a robust and deterministic implementation has been selected with cyclic scheduling of Vital Layer tasks (those from the Input/Output software itself but also those belonging to the Monitoring/Contingency software) and cyclic handling of all data exchanges with the avionics buses and with the other channels of the computer pool. This strict determinism policy relies on a hierarchircal time slot concept. At the lowest level, all data exchanges are scheduled within slots. A slot is an atomic period of time which can be used to move and process one message of up to the maximum length of the MIL-STD-1553B avionics bus message. Slots are then gathered to build-up a frame. The frame period corresponds to the Vital Layer cyclic software processing rate to configure data exchanges to be performed by the Vital Layer intelligent controller devices. Lastly, the mission cycle is the complete repetition frequency of all Vital Layer data exchanges 2.5 Fault reconfiguration approach A key function of the computer pool is to manage its configuration in case of failures. Fault detection is achieved on the basis of data generated locally in a channel such as on-line built-in-tests or on the basis of what the other channels "think" of each other, e.g. via the availability or non-availability of valid information on the inter-computer link (ICL) Channel passivation after failure Assuming that a channel failure is detected, the failed channel must be passivated, i.e. its interfaces must be set to such a mode that whatever the nature of the channel failure, further error propagation outside the channel is prevented. Since the nature of the failure is unknown and might obviously affect the ICL or the Vital Layer processing unit, using the inter-channel communication resources (ICL) to passivate a channel is not possible. In fact, the local resources needed for passivation of a channel suspected by the others to have failed must be reduced down to an absolute minimum level. To this purpose, the proposed ATV FTC features a separate hardware consolidation function which consolidates by majority voting the passivation requests coming from other nodes via dedicated hardwired links. This function directly outputs the passivation signals which halt all necessary computer functions and perform interface inhibition. Two dedicated hardwired networks link the channels together: A local error notification network by which a channel tells the others that it has identified its own failure A remote error diagnosis network which allows a channel to tell that is has diagnosed the failure of another channel passivation after software failure A similar approach is implemented to handle Processor reconfigurations. In case of an application software failure, i.e. an abnormal behaviour detected by the Monitoring software running in the Vital layer, the activities in all active Processors are stopped. The Vital Layer then executes contingency software to ensure short-term safety and may ultimately order, if necessary, the reload of the Processors memory. The AP passivation decision (i.e. actuation of the contingency software) results from a voted decision of all
5 channels (at Vital Layer level), using the same mechanism as the computer channel passivation. When two or more application switch requests are received by a channel during the same time window, an interrupt is raised to the fault management software which will then halt the processor software and activate contingency software. Using a dedicated set of hardwired links has been selected for switch performance reasons, since in this case, the switch order are transmitted and hardwire voted in a single shot. The switch delay is therefore negligible compared to the time required by the Monitoring software to detect an out-of-limit condition. Using the ICL for this purpose would require scheduling of the associated data exchange for the next intercomputer link frame, followed by a double round data exchange for voting. 2.6 Hardware/software allocation Each channel is made up of several processing resources allocated to the various functional blocks: application software, vital software, inter-channel communication, avionics bus input data acquisition and command emission, and output data consolidation. Repetitive, processing intensive tasks for intra and interchannel communications and for avionics bus interfaces have been allocated to hardware whenever possible to Off-load the Vital Layer processing and increase the processing capability available to Vital applications, i.e. monitoring/contingency software Limit the period of the software real-time cycle (80 Hz) to allow deterministic software development at low technical risk. The slot level (250 µs) is autonomously performed by hardware and frame and cycle levels are managed by software Reduce the software size, and therefore make its testing easier As a consequence, off-the-shelf intelligent avionics bus interface controllers have been selected and a powerful Inter-Computer Communication Controller integrated device has been designed. This handles cyclic data transfer using tables that are downloaded by the Vital layer processing unit. It handles all communications between the following entities: avionics bus interfaces, inter-computer link, application Layer interface memory and Vital Layer software The synchronisation algorithm is also strongly supported by hardware. The Inter-Unit Communication Controller supports synchronisation message recognition and timestamping on the inter-computer link and automatically generates frame interrupts. The software is only in charge of tuning the synchronisation periodically (100 milliseconds) by adjusting the length of the last slot. 3. FTC development model 3.1 FTC hardware implementation The cmputer pool satisafies on-board space tight hardware budget constraints: small volume, low electrical power consumption, reduced number of electronic boards. Hardware architecture must also be sufficiently modular (standard backplane bus) to accommodate inevitable technical changes and component obsolescence problems that will occur during the ATV programme life cycle of almost 15 years Computer internal design Single processor type A single type of processor, a SPARC ERC32, is used throughout each computer channel for both the Processor (AP) as well as Vital Processor (VP). This allows reuse of software and hardware while minimising the implementation risks. The Processor is the Common Processor Board designed and qualified for DMS-R and Columbus (other European contributions to the Space Station). Data transfer implemented by a dedicated hardware Only limited processing power is needed from the Vital Processor : bitwise input and/or output voting, as well as an Interactive Consistency Mechanism for "Byzantine" voting) are performed in hardware with no performance impact on processor load. This also allows extremely short transit latencies which benefits the application software performance. Modular and upgradable design This selection of a full SPARC architecture will make porting of the software (coded in Ada language) easier should a computer upgrade be needed in a future development of the programme or in another programme. For the same reasons, the internal computer architecture is very modular: boards and backplane comply with the industrial VME standard and the key integrated devices (Inter-Computer Communication integrated circuit, Reconfiguration Unit) do not depend on a particular processor design.
6 The hardware architecture of an FTC channel is depicted on figure V DC POWER SUPPLY UNIT VME SPARE SLOT VME BACKPLANE 1553 I/O RECONF UNIT LOCAL BUS I/F APPLICATION PROCESSOR ERC32 CORE EEPROM VITAL PROCESSOR ERC32 CORE RAM EEPROM OBC93 LOCAL BUS RAM VME MasterI/F VME Slave I/F SHARED MEM Figure FTC channel architecture Inter-computer link design ICC NOMINAL LAYER VITAL LAYER INTER COMPUTER LINK The synchronous and deterministic data exchange mechanism provides more than 5 Mbps effective data transfer capability while including an integrated clock synchronisation mechanism The broadcast transfer topology with an additional message signature (checksum) minimises the risk of Byzantine errors. Message retransmissions which are required by the double exchange mechanism aimed at covering Byzantine faults are performed within the same data transfer slot. The length of inter-computer link messages is 32-data words. This facilitates direct transfer of full 1553B data acquisition messages. From the electrical standpoint, the RS-422 standard selfclocking interface is used. This provides scalable speed/distance properties for various missions 3.4 Test results Data throughput Several data throughput tests have been performed on the test bench. For a test case where each channel acquires on its local avionics buses a 1553B data throughput of 560 kbps (approximately the maximum bus data load) the induced processing load on the Vital Layer processor is about 10 percent, thus leaving most of the processing resource to the Vital application software (monitoring). It is worth pointing out that the same figure is obtained with or without the double round exchange mechanism of the Byzantine faults coverage algorithm. This is due to the fact that this function is fully performed by hardware Synchronisation Tests have been performed at up to a 50 Hz synchronisation frequency. The measured inter-channel clock skew was about 500 nanoseconds. For ATV purpose, a 100 millisecond (10 Hz) synchronisation frequency is selected leading to a skew within the specified 5 microseconds. 4. Conclusion and perspectives This new generation fault-tolerant computer combines a high performance, compact/low cost design and tolerance to application software faults. Integrating software fault tolerance is a significant cost saving factor since, with a classical fault-tolerant computer, vital monitoring needs to be implemented by another set of computers. The activities performed up to now have lead to a technically mature product. It is fully suitable to ATV. Its open architecture and performance margins (in particular short reconfiguration delays) make it adaptable to the needs of future reusable launch vehicles. Acknowledgement: many thanks to the Saab Ericsson Space hardware team (Mrs Svenningsson, MM. Hult, Törnberg, Jernquist), for their contribution to FTC development References: [1] Guidal, David - Development of the Hermes Fault-Tolerant Computer System, FTCS-23, November 93 [2] Roques, Corrégé - A Compact, High Performance Fault- Tolerant Computer Pool Supporting Software Fault-Tolerance, DASIA-96, Rome, May 1996 [3] Ayache, Conquet, Humbert et alii - Formal Methods for the Validation of Fault-Tolerance in Autonomous Spacecraft, FTCS-26, June 1996 [4] Powell - Generic Upgradable Architecture for Real-time Dependable Systems (GUARDS) - Preliminary Definition of the GUARDS architecture - LAAS/CNRS January 1997 Acronyms: AL AP ATV DMS-R FTC ICL VP Layer Processor Automated Transfer Vehicle Data Management System - Russian Service Module Fault-Tolerant Computer Inter-Computer Link Vital Processor
Advanced On-board Control Procedure
1 Overview The Advanced On-Board Control Procedure (AOBCP) product is one of a set of technologies that allows to implement cost effective operation and control of a spacecraft. Together these technologies
More informationTime-Triggered Ethernet
Time-Triggered Ethernet Chapters 42 in the Textbook Professor: HONGWEI ZHANG CSC8260 Winter 2016 Presented By: Priyank Baxi (fr0630) fr0630@wayne.edu Outline History Overview TTEthernet Traffic Classes
More informationESA ADCSS Deterministic Ethernet in Space Avionics
ESA ADCSS 2015 Deterministic Ethernet in Space Avionics Bülent Altan Strategic Advisor with Jean-Francois Dufour, Christian Fidi and Matthias Mäke-Kail Copyright TTTech Computertechnik AG. All rights reserved.
More informationPage 1 SPACEWIRE SEMINAR 4/5 NOVEMBER 2003 JF COLDEFY / C HONVAULT
Page 1 SPACEWIRE SEMINAR 4/5 NOVEMBER 2003 JF COLDEFY / C HONVAULT INTRODUCTION The SW IP was developped in the frame of the ESA 13345/#3 contract "Building block for System on a Chip" This presentation
More informationRedundancy in fault tolerant computing. D. P. Siewiorek R.S. Swarz, Reliable Computer Systems, Prentice Hall, 1992
Redundancy in fault tolerant computing D. P. Siewiorek R.S. Swarz, Reliable Computer Systems, Prentice Hall, 1992 1 Redundancy Fault tolerance computing is based on redundancy HARDWARE REDUNDANCY Physical
More informationEnsuring Schedulability of Spacecraft Flight Software
Ensuring Schedulability of Spacecraft Flight Software Flight Software Workshop 7-9 November 2012 Marek Prochazka & Jorge Lopez Trescastro European Space Agency OUTLINE Introduction Current approach to
More informationPROJECT FINAL REPORT
PROJECT FINAL REPORT Grant Agreement number: INFSO-ICT-224350 Project acronym: Project title: Funding Scheme: flexware Flexible Wireless Automation in Real-Time Environments STREP Period covered: from
More informationComputer-Based Control System Safety Requirements
Computer-Based Control System Safety Requirements International Space Station Program Revision B November 17, 1995 National Aeronautics and Space Administration International Space Station Program Johnson
More informationFRACTIONATED SATELLITES
EXECUTIVE SUMMARY February 2010 Page : ii/12 FRACTIONATED Executive Summary Toulouse, February 2010-02-08 Prepared by: C. Cougnet, B. Gerber ESA Project Manager: EADS Astrium Project Manager: J. F. Dufour
More informationA Fault Management Protocol for TTP/C
A Fault Management Protocol for TTP/C Juan R. Pimentel Teodoro Sacristan Kettering University Dept. Ingenieria y Arquitecturas Telematicas 1700 W. Third Ave. Polytechnic University of Madrid Flint, Michigan
More informationDistributed Systems COMP 212. Revision 2 Othon Michail
Distributed Systems COMP 212 Revision 2 Othon Michail Synchronisation 2/55 How would Lamport s algorithm synchronise the clocks in the following scenario? 3/55 How would Lamport s algorithm synchronise
More informationSICON Smart Sensors Role in Integrated System Health Management
SICON 2005 Smart Sensors Role in Integrated System Health Management Jose M Perotti, Instrumentation Group Lead Command, Monitoring and Control Branch Spaceport Engineering &Technology Directorate, Kennedy
More informationDevelopment of Formation Flight and Docking Algorithms Using the SPHERES Testbed
Development of Formation Flight and Docking Algorithms Using the Testbed Prof. David W. Miller MIT Allen Chen, Alvar Saenz-Otero, Mark Hilstad, David W. Miller Introduction : Synchronized Position Hold
More informationFlexRay International Workshop. Protocol Overview
FlexRay International Workshop 4 th March 2003 Detroit Protocol Overview Dr. Christopher Temple - Motorola FlexRay principles Provide a communication infrastructure for future generation highspeed control
More informationA CAN-Based Architecture for Highly Reliable Communication Systems
A CAN-Based Architecture for Highly Reliable Communication Systems H. Hilmer Prof. Dr.-Ing. H.-D. Kochs Gerhard-Mercator-Universität Duisburg, Germany E. Dittmar ABB Network Control and Protection, Ladenburg,
More informationFault Tolerance. Distributed Systems IT332
Fault Tolerance Distributed Systems IT332 2 Outline Introduction to fault tolerance Reliable Client Server Communication Distributed commit Failure recovery 3 Failures, Due to What? A system is said to
More informationSpaceWire-RT Project and Baseline Concepts
SpaceWire-RT Project and Baseline Concepts Steve Parkes, Albert Ferrer Space Technology Centre, University of Dundee Yuriy Sheynin, St Petersburg University of Aerospace Instrumentation 1 Aims Overview
More informationAssignment 12: Commit Protocols and Replication Solution
Data Modelling and Databases Exercise dates: May 24 / May 25, 2018 Ce Zhang, Gustavo Alonso Last update: June 04, 2018 Spring Semester 2018 Head TA: Ingo Müller Assignment 12: Commit Protocols and Replication
More information1 COMMAND AND DATA HANDLING (C&DH)
1 COMMAND AND DATA HANDLING (C&DH) 1.1 Requirements and Design Drivers 1.1.1 Functional The command and data handling shall provide the capability to: Transfer information in digital or discrete representation
More information2. REAL-TIME CONTROL SYSTEM AND REAL-TIME NETWORKS
2. REAL-TIME CONTROL SYSTEM AND REAL-TIME NETWORKS 2.1 Real-Time and Control Computer based digital controllers typically have the ability to monitor a number of discrete and analog inputs, perform complex
More informationIs This What the Future Will Look Like?
Is This What the Future Will Look Like? Implementing fault tolerant system architectures with AUTOSAR basic software Highly automated driving adds new requirements to existing safety concepts. It is no
More informationThe Avionics System Test Bench, Functional Engineering Simulator: New Developments in Support of Mission and System Verification
The Avionics System Test Bench, Functional Engineering Simulator: New Developments in Support of Mission and System Verification INTRODUCTION 11th Int. WS on Simulation & EGSE facilities for Space Programmes
More informationMOST (Modelling of SpaceWire Traffic): MTG-I simulation presentation
MOST (Modelling of SpaceWire Traffic): MTG-I simulation presentation PART 1 2 1 INTRODUCTION, HISTORY and CONTEXT MTG SpaceWire Network MOST presentation (1/5) 3 MOST (Modelling of SpaceWire Traffic) was
More informationA Byzantine Fault-Tolerant Key-Value Store for Safety-Critical Distributed Real-Time Systems
Work in progress A Byzantine Fault-Tolerant Key-Value Store for Safety-Critical Distributed Real-Time Systems December 5, 2017 CERTS 2017 Malte Appel, Arpan Gujarati and Björn B. Brandenburg Distributed
More informationReal-Time Component Software. slide credits: H. Kopetz, P. Puschner
Real-Time Component Software slide credits: H. Kopetz, P. Puschner Overview OS services Task Structure Task Interaction Input/Output Error Detection 2 Operating System and Middleware Application Software
More informationDISTRIBUTED REAL-TIME SYSTEMS
Distributed Systems Fö 11/12-1 Distributed Systems Fö 11/12-2 DISTRIBUTED REAL-TIME SYSTEMS What is a Real-Time System? 1. What is a Real-Time System? 2. Distributed Real Time Systems 3. Predictability
More informationOPTIMISING NETWORKED DATA ACQUISITION FOR SMALLER CONFIGURATIONS
OPTIMISING NETWORKED DATA ACQUISITION FOR SMALLER CONFIGURATIONS DAVE BUCKLEY ACRA BUSINESS UNIT, CURTISS-WRIGHT CONTROLS AVIONICS & ELECTRONICS ABSTRACT Network switches are a critical component in any
More informationField buses (part 2): time triggered protocols
Field buses (part 2): time triggered protocols Nico Fritz Universität des Saarlandes Embedded Systems 2002/2003 (c) Daniel Kästner. 1 CAN and LIN LIN CAN Type Arbitration Transfer rate Serial communication
More informationSystems. Roland Kammerer. 10. November Institute of Computer Engineering Vienna University of Technology. Communication Protocols for Embedded
Communication Roland Institute of Computer Engineering Vienna University of Technology 10. November 2010 Overview 1. Definition of a protocol 2. Protocol properties 3. Basic Principles 4. system communication
More informationSURVEILLANCE DATA EXCHANGE
EUROPEAN ORGANISATION FOR THE SAFETY OF AIR NAVIGATION EUROCONTROL EUROCONTROL STANDARD DOCUMENT FOR SURVEILLANCE DATA EXCHANGE Part 15: Category 65 SUR.ET1.ST05.2000-STD-15-01 Edition : 1.2 Edition Date
More informationPattern-Based Analysis of an Embedded Real-Time System Architecture
Pattern-Based Analysis of an Embedded Real-Time System Architecture Peter Feiler Software Engineering Institute phf@sei.cmu.edu 412-268-7790 Outline Introduction to SAE AADL Standard The case study Towards
More informationBoeing 777. Boeing 777. Paper: Triple-Triple Redundant 777 Primary Flight Computer. Primary Flight Control Surfaces
u Primary Flight Computer Paper: Triple-Triple Redundant 777 Primary Flight Computer» Y.C. Yeh» 1996 IEEE Aerospace Applications Conference» pg 293-307 2003 A.W. Krings Page: 1 Primary Flight Control Surfaces
More informationReaching for the sky with certified and safe solutions for the aerospace market
www.tttech.com/aerospace Reaching for the sky with certified and safe solutions for the aerospace market More about our certified and safe products inside Advancing safe technologies, improving human lives
More informationHomework 2 COP The total number of paths required to reach the global state is 20 edges.
Homework 2 COP 5611 Problem 1: 1.a Global state lattice 1. The total number of paths required to reach the global state is 20 edges. 2. In the global lattice each and every edge (downwards) leads to a
More informationEmbedded Systems: Hardware Components (part II) Todor Stefanov
Embedded Systems: Hardware Components (part II) Todor Stefanov Leiden Embedded Research Center, Leiden Institute of Advanced Computer Science Leiden University, The Netherlands Outline Generic Embedded
More informationAutomation Intelligence Enlighten your automation mind..!
Friends, It brings us immense pleasure to introduce Automation intelligence a knowledge series about automation, innovation, solutions & Technology. This series will discuss about PLC, DCS, Drives, SCADA,
More informationA Data-Centric Approach for Modular Assurance Abstract. Keywords: 1 Introduction
A Data-Centric Approach for Modular Assurance Gabriela F. Ciocarlie, Heidi Schubert and Rose Wahlin Real-Time Innovations, Inc. {gabriela, heidi, rose}@rti.com Abstract. A mixed-criticality system is one
More informationARCHIMOD HE 240/480 HIGH POWER MODULAR UPS THE GLOBAL SPECIALIST IN ELECTRICAL AND DIGITAL BUILDING INFRASTRUCTURE
ARCHIMOD HE 240/480 HIGH POWER MODULAR THE GLOBAL SPECIALIST IN ELECTRICAL AND DIGITAL BUILDING INFRASTRUCTURE superior performance continuity of service energy efficiency 2 Legrand, world leader in the
More information16 Time Triggered Protocol
16 Time Triggered Protocol [TTtech04] (TTP) 18-549 Distributed Embedded Systems Philip Koopman October 25, 2004 Significant material drawn from: Prof. H. Kopetz [Kopetz] TTP Specification v 1.1 [TTTech]
More informationPRIMEQUEST 400 Series & SQL Server 2005 Technical Whitepaper (November, 2005)
PRIMEQUEST 400 Series & SQL Server 2005 Technical Whitepaper (November, 2005) Fujitsu Limited PRIMEQUEST 400 Series & SQL Server 2005 Technical White Paper PRIMEQUEST 400 Series Server & SQL Server 2005
More informationCommunications Infrastructure for Fractionated Spacecraft
Communications Infrastructure for Fractionated Spacecraft Michael A. Koets, Mark Tapley, Buddy Walls, Jennifer Alvarez Southwest Research Institute Fractionated Spacecraft Replace monolithic satellite
More informationLXRS and LXRS+ Wireless Sensor Protocol
LORD TECHNICAL NOTE LXRS and LXRS+ Wireless Sensor Protocol Using LXRS and LXRS+ For Long-Term Monitoring and High Bandwidth Test and Measurement Introduction LORD Sensing has developed and deployed two
More informationOn-Board Control Procedures: Autonomous and Updateable Spacecraft Operator Onboard and Beyond
On-Board Control Procedures: Autonomous and Updateable Spacecraft Operator Onboard and Beyond Marek Prochazka / Kjeld Hjortnaes European Space Agency, ESTEC, Software Systems Division. FSW-10, Pasadena
More informationPROFIBUS. Sharani Sankaran
PROFIBUS Sharani Sankaran fq8610@wayne.edu Outline Introduction TransmissionTechnologies Communication Protocol Application Profiles Integration Technologies Technical Support INTRODUCTION: Field buses
More informationGUIDELINES FOR USING DEVICE LEVEL RING (DLR) WITH ETHERNET/IP. PUB00316R ODVA, Inc. Page 1 of 18
GUIDELINES FOR USING DEVICE LEVEL RING (DLR) WITH ETHERNET/IP PUB00316R2 2017-2018 ODVA, Inc. Page 1 of 18 Guidelines for Using Device Level Ring (DLR) with EtherNet/IP Contents 1. Introduction... 3 2.
More informationSLE experience over unreliable network links
SLE experience over unreliable network links Ciprian Furtuna 1 and Carla Garcia 2 LSE Space GmbH, Argelsrieder Feld 22, 82234, Wessling, Germany Wilfried Kruse 3 Deutsches Zentrum für Luft und Raumfahrt
More informationLabVIEW FPGA in Hardware-in-the-Loop Simulation Applications
LabVIEW FPGA in Hardware-in-the-Loop Simulation Applications Publish Date: Dec 29, 2008 38 Ratings 4.16 out of 5 Overview Hardware-in-the-loop (HIL) simulation is achieving a highly realistic simulation
More informationBME CLEARING s Business Continuity Policy
BME CLEARING s Business Continuity Policy Contents 1. Introduction 1 2. General goals of the Continuity Policy 1 3. Scope of BME CLEARING s Business Continuity Policy 1 4. Recovery strategies 2 5. Distribution
More informationIntroduction to Real-Time Communications. Real-Time and Embedded Systems (M) Lecture 15
Introduction to Real-Time Communications Real-Time and Embedded Systems (M) Lecture 15 Lecture Outline Modelling real-time communications Traffic and network models Properties of networks Throughput, delay
More informationSLE experience over unreliable network links
SLE experience over unreliable network links Ciprian Furtuna 1 and Carla Garcia 2 LSE Space GmbH, Argelsrieder Feld 22, 82234, Wessling, Germany Wilfried Kruse 3 Deutsches Zentrum für Luft und Raumfahrt
More informationThe Impact of the coming Standard IEC61850 on the Life-cycle of Open Communication Systems in Substations
The Impact of the coming Standard IEC61850 on the Life-cycle of Open Communication Systems in Substations Lars Andersson, Klaus-Peter Brand, Wolfgang Wimmer ABB Power Automation Ltd, Switzerland Abstract
More informationFailure Tolerance. Distributed Systems Santa Clara University
Failure Tolerance Distributed Systems Santa Clara University Distributed Checkpointing Distributed Checkpointing Capture the global state of a distributed system Chandy and Lamport: Distributed snapshot
More informationOperability and Modularity concepts of future RTUs/RIUs
Operability and Modularity concepts of future RTUs/RIUs ADCSS2015 Day 3 Thursday 22 October 2015 What is a RTU? The Remote Terminal Unit (RTU) is an Avionics equipment that provides functions such as:
More informationCommunication in Avionics
Communication in Avionics 1 Outline Basic Overview Communication architectures Event Triggered Time Triggered Communication architecture examples Case Study: How Data Communication Affects Scheduling 2
More informationAn Orthogonal and Fault-Tolerant Subsystem for High-Precision Clock Synchronization in CAN Networks *
An Orthogonal and Fault-Tolerant Subsystem for High-Precision Clock Synchronization in Networks * GUILLERMO RODRÍGUEZ-NAVAS and JULIÁN PROENZA Departament de Matemàtiques i Informàtica Universitat de les
More informationARINC-818 TESTING FOR AVIONICS APPLICATIONS. Ken Bisson Troy Troshynski
ARINC-818 TESTING FOR AVIONICS APPLICATIONS Ken Bisson Troy Troshynski 2007 The ARINC-818 Specification is an industry standard that defines a digital video interface link and protocol that is used for
More informationEmbedded systems extend automation
Embedded systems extend automation System 800xA incorporates numerous embedded applications Kai Hansen, Tomas Lindström, Lars Mårtensson, Hans Thilderkvist Users expect and demand more functionality from
More informationTesting for the Unexpected Using PXI
Testing for the Unexpected Using PXI An Automated Method of Injecting Faults for Engine Management Development By Shaun Fuller Pickering Interfaces Ltd. What will happen if a fault occurs in an automotive
More informationDiagnosis in the Time-Triggered Architecture
TU Wien 1 Diagnosis in the Time-Triggered Architecture H. Kopetz June 2010 Embedded Systems 2 An Embedded System is a Cyber-Physical System (CPS) that consists of two subsystems: A physical subsystem the
More informationA Framework for the Formal Verification of Time-Triggered Systems
A Framework for the Formal Verification of Time-Triggered Systems Lee Pike leepike@galois.com Indiana University, Bloomington Department of Computer Science Advisor: Prof. Steven D. Johnson December 12,
More informationMulti-protocol monitoring using oscilloscopes
Multi-protocol monitoring using oscilloscopes By Roland Gamper, Senior Software Engineer Regardless of the system topology and application domain, the development, maintenance and monitoring of electronic
More informationTetraNode Scalability and Performance. White paper
White paper Issue 1.0, May 2017 Introduction Rohill solutions are known for performance, flexibility, scalability, security and affordability. Also, the strong TetraNode system architecture, open standards-based
More informationDeveloping deterministic networking technology for railway applications using TTEthernet software-based end systems
Developing deterministic networking technology for railway applications using TTEthernet software-based end systems Project n 100021 Astrit Ademaj, TTTech Computertechnik AG Outline GENESYS requirements
More informationCNES requirements w.r.t. Next Generation General Purpose Microprocessor
Round-table on Next Generation Microprocessors for Space Applications : CNES requirements w.r.t. Next Generation General Purpose Microprocessor ESA/ESTEC september 12th 2006 G.Moury, J.Bertrand, M.Pignol
More informationIBM System Storage DS5020 Express
IBM DS5020 Express Manage growth, complexity, and risk with scalable, high-performance storage Highlights Mixed host interfaces support (FC/iSCSI) enables SAN tiering Balanced performance well-suited for
More informationMultiChipSat: an Innovative Spacecraft Bus Architecture. Alvar Saenz-Otero
MultiChipSat: an Innovative Spacecraft Bus Architecture Alvar Saenz-Otero 29-11-6 Motivation Objectives Architecture Overview Other architectures Hardware architecture Software architecture Challenges
More informationCS 571 Operating Systems. Midterm Review. Angelos Stavrou, George Mason University
CS 571 Operating Systems Midterm Review Angelos Stavrou, George Mason University Class Midterm: Grading 2 Grading Midterm: 25% Theory Part 60% (1h 30m) Programming Part 40% (1h) Theory Part (Closed Books):
More informationMixed-Criticality Systems based on a CAN Router with Support for Fault Isolation and Selective Fault-Tolerance
IFAC 2014 Mixed-Criticality Systems based on a Router with Support for Fault Isolation and Selective Fault-Tolerance Roland Kammerer 1, Roman Obermaisser², Mino Sharkhawy 1 1 Vienna University of Technology,
More informationEVALUATING IEEE 1588 IN A HOMOGENOUS SWITCHED NETWORK TEST ARTICLE SEGMENT
EVALUATING IEEE 1588 IN A HOMOGENOUS SWITCHED NETWORK TEST ARTICLE SEGMENT Sinbad Wilmot MS Electronic Eng, Diarmuid Corry MS Electronic Eng ACRA CONTROL INC ABSTRACT At the 2007 inet Technology Demonstrator
More informationSatellite Technology Trends - A perspective from Intelsat
Satellite Technology Trends - A perspective from Intelsat Gonzalo de Dios ITU International Satellite Symposium 2017 May 29, 2017 2 Building Blocks of Transformation of the Satellite Industry - A Renaissance
More informationGR712RC A MULTI-PROCESSOR DEVICE WITH SPACEWIRE INTERFACES
GR712RC A MULTI-PROCESSOR DEVICE WITH SPACEWIRE INTERFACES Session: SpaceWire Components Short Paper Sandi Habinc, Jiri Gaisler Aeroflex Gaisler, Kungsgatan 12, SE-411 19 Göteborg, Sweden sandi@gaisler.com
More informationFault Diagnosis and Fault Tolerant Control
باسمه تعالی Fault Diagnosis and Fault Tolerant Control بیژن معاونی )دانشیار دانشگاه علم و صنعت ایران( نیم سال اول 97-96 باسمه تعالی Fault Diagnosis and Fault Tolerant Control Lecture 1 Introduction 1 Our
More informationDistributed Systems COMP 212. Lecture 17 Othon Michail
Distributed Systems COMP 212 Lecture 17 Othon Michail Synchronisation 2/29 What Can Go Wrong Updating a replicated database: Customer (update 1) adds 100 to an account, bank employee (update 2) adds 1%
More informationDistributed Systems COMP 212. Lecture 19 Othon Michail
Distributed Systems COMP 212 Lecture 19 Othon Michail Fault Tolerance 2/31 What is a Distributed System? 3/31 Distributed vs Single-machine Systems A key difference: partial failures One component fails
More informationWireless Sensor Networks: Clustering, Routing, Localization, Time Synchronization
Wireless Sensor Networks: Clustering, Routing, Localization, Time Synchronization Maurizio Bocca, M.Sc. Control Engineering Research Group Automation and Systems Technology Department maurizio.bocca@tkk.fi
More informationSoftware architecture in ASPICE and Even-André Karlsson
Software architecture in ASPICE and 26262 Even-André Karlsson Agenda Overall comparison (3 min) Why is the architecture documentation difficult? (2 min) ASPICE requirements (8 min) 26262 requirements (12
More informationFault-tolerant techniques
What are the effects if the hardware or software is not fault-free in a real-time system? What causes component faults? Specification or design faults: Incomplete or erroneous models Lack of techniques
More informationConfiguration Guideline for CANopen Networks
Configuration Guideline for CANopen Networks Martin Rostan, Beckhoff Unlike most other fieldbus systems, CANopen provides many degrees of freedom to configure the communication behaviour of the network.
More informationTransient Voltage Protection for Stratix GX Devices
White Paper Devices Introduction This document addresses the phenomenon known as transient voltage in a system using Stratix GX devices. Hot socketing is identified as the major source of transient voltage.
More informationAtacama: An Open Experimental Platform for Mixed-Criticality Networking on Top of Ethernet
Atacama: An Open Experimental Platform for Mixed-Criticality Networking on Top of Ethernet Gonzalo Carvajal 1,2 and Sebastian Fischmeister 1 1 University of Waterloo, ON, Canada 2 Universidad de Concepcion,
More informationPreliminary Design of Future Reconfigurable IMA Platforms
Preliminary Design of Future Reconfigurable IMA Platforms Pierre Bieber Thierry Planche Airbus, Toulouse, France Eric Noulard François Vialard Airbus, Toulouse, France Claire Pagetti ABSTRACT The next
More informationReal-time Support in Operating Systems
Real-time Support in Operating Systems Colin Perkins teaching/2003-2004/rtes4/lecture11.pdf Lecture Outline Overview of the rest of the module Real-time support in operating systems Overview of concepts
More informationThe hardware implementation of PXI/PXIe consists of a chassis, controller or computer interface, and peripheral cards.
Introduction PCI extensions for Instrumentation or PXI is a computer based hardware and software platform for test and measurement systems. Developed in the late 1990 s as an open industry standard based
More informationModeling Of Spacewire Traffic. - ESA study Contract No /10/NL/LvH. Executive Summary & Final Report
Modeling Of Spacewire Traffic - ESA study Contract No. 23037/10/NL/LvH Executive Summary & Final Report 2/25 Left Blank 3/25 OVERVIEW...5 CONTRACT EXECUTIVE SUMMARY...7 FINAL REPORT...10 1.1 Objectives...
More informationEagleEye TSP Porting to HWIL Configuration (RTB)
EagleEye TSP Porting to HWIL Configuration (RTB) Final project presentation 12.12.2017 Presenter: Dharma Teja Srungavruksham Overview_ Background Team Goals Execution Results Future Background_ EagleEye
More informationSpaceWire Backplane Application Requirements
SpaceWire Backplane Application Requirements Alan Senior 15 th December 2011 Classification Summary The work presented is part of the ESA funded SpaceWire Backplane activity reference TEC EPD/2010.88 The
More informationPart 2: Basic concepts and terminology
Part 2: Basic concepts and terminology Course: Dependable Computer Systems 2012, Stefan Poledna, All rights reserved part 2, page 1 Def.: Dependability (Verlässlichkeit) is defined as the trustworthiness
More informationSkill Tester ST05 User Manual. Ver.2.0 EN SKILL TESTER ST05. Page 2 / 60
USER MANUAL SKILL TESTER ST05 Page 2 / 60 Contents 1. Introduction... 5 SAFETY MEASURES AND PRECAUTIONS... 5 1.1 General Description Skill Tester ST05... 8 1.2 Display Description... 2 1.3 The splash-proof
More informationA Software-based Environment for Development & Validation of Spacecraft On-board Software
A Software-based Environment for Development & Validation of Spacecraft On-board Software Alessio Di Capua (1), Sante Candia (1), Tomas Di Cocco (1), Marco Anania (2) (1) Thales Alenia Space Italia Via
More informationImplementing Scheduling Algorithms. Real-Time and Embedded Systems (M) Lecture 9
Implementing Scheduling Algorithms Real-Time and Embedded Systems (M) Lecture 9 Lecture Outline Implementing real time systems Key concepts and constraints System architectures: Cyclic executive Microkernel
More informationCOP Operating Systems Design Principles (Spring 2012)
COP 5611 - Operating Systems Design Principles (Spring 2012) Homework 1 Problem 1: 1.1 Difference in physical and the logical storage units affecting (i) the readwrite coherence and (ii) the atomicity.
More informationISA100 Wireless for Control Applications. Control Data Systems. Industrial Wireless Data Systems,
Control Data Systems Industrial Wireless Communications 1 Use case 1 Industrial Remote Controls - - - End User is IKUSI VELATIA SPAIN, Remote Controls Division Remote Controls operate Industrial Cranes
More informationMAINTENANCE MANUAL. EDACS REDUNDANT POWER SUPPLY SYSTEM 350A1441P1 and P2 POWER MODULE CHASSIS 350A1441P3, P4, AND P5 POWER MODULES TABLE OF CONTENTS
MAINTENANCE MANUAL EDACS REDUNDANT POWER SUPPLY SYSTEM 350A1441P1 and P2 POWER MODULE CHASSIS 350A1441P3, P4, AND P5 POWER MODULES TABLE OF CONTENTS SPECIFICATIONS*... 2 INTRODUCTION... 3 DESCRIPTION...
More informationTop-Down Network Design
Top-Down Network Design Chapter Seven Selecting Switching and Routing Protocols Original slides by Cisco Press & Priscilla Oppenheimer Selection Criteria for Switching and Routing Protocols Network traffic
More informationDistributed Scheduling for the Sombrero Single Address Space Distributed Operating System
Distributed Scheduling for the Sombrero Single Address Space Distributed Operating System Donald S. Miller Department of Computer Science and Engineering Arizona State University Tempe, AZ, USA Alan C.
More informationHuawei CloudFabric Solution Optimized for High-Availability/Hyperscale/HPC Environments
Huawei CloudFabric Solution Optimized for High-Availability/Hyperscale/HPC Environments CloudFabric Solution Optimized for High-Availability/Hyperscale/HPC Environments Internet Finance HPC VPC Industry
More informationModule 15: Network Structures
Module 15: Network Structures Background Topology Network Types Communication Communication Protocol Robustness Design Strategies 15.1 A Distributed System 15.2 Motivation Resource sharing sharing and
More informationOverview of Microcontroller and Embedded Systems
UNIT-III Overview of Microcontroller and Embedded Systems Embedded Hardware and Various Building Blocks: The basic hardware components of an embedded system shown in a block diagram in below figure. These
More informationHIGH PERFORMANCE ELECTRONICS FOR THE NEW SPACE AGE
APP18-01c APPLICATION NOTE NOVO SPACE HIGH PERFORMANCE ELECTRONICS FOR THE NEW SPACE AGE INTRODUCTION Most subsystem can be partially or fully implemented using one or more of Novo s components. This document
More informationWhat are Embedded Systems? Lecture 1 Introduction to Embedded Systems & Software
What are Embedded Systems? 1 Lecture 1 Introduction to Embedded Systems & Software Roopa Rangaswami October 9, 2002 Embedded systems are computer systems that monitor, respond to, or control an external
More information