Chapter 39: Concepts of Time-Triggered Communication. Wenbo Qiao

Transcription

1 Chapter 39: Concepts of Time-Triggered Communication Wenbo Qiao

2 Outline Time and Event Triggered Communication Fundamental Services of a Time-Triggered Communication Protocol Clock Synchronization Periodic Exchange of State Messages Fault Isolation Mechanisms Diagnostic Services Properties of Time-Triggered Communication Systems Composability Independent Fault Containment Regions Strict Control on Node Interactions Replica Determinism Performance Summary

3 Time/Event Triggered Communication Communication Protocols fall into two general categories Event-Triggered Protocols Time-Triggered Protocols Strengths Event-Tri: Exibility and Resource Efficiency Time-Tri: Predictability, composability, error detection, error containment Typical Protocols: TCP/IP, CAN, Ethernet, ARINC629 (Event) TTP/C, FlexyRay (Time)

4 Time/Event Triggered Communication Event-Triggered Architecture Triggered by occurrence of events in the environment Time-Triggered Architecture By progression of global time Time Triggered: preferred for safety critical systems. For example in communication of by-wire cars Fault-tolerance for cases of ultrahigh reliability. (10^-9 failures/h)

5 Time/Event Triggered Communication Redundancy can be added transparently to applications, without the modification of the function and timing of application systems. Error detection and establishing of membership info Time-Triggered Architecture By progression of global time

6 Time/Event Triggered Communication Time triggered system also supports replica determinism, which is essential for establishing fault-tolerance through active redundancy Time-Triggered system support temporal composability via precise specification of the interfaces between subsystems. The communication controller in a time-triggered system decides autonomously when a message is transmitted The communication network interface is a temporal firewall, which isolates the temporal behavior of the host and the rest of the system

7 Outline Time and Event Triggered Communication Fundamental Services of a Time-Triggered Communication Protocol Clock Synchronization Periodic Exchange of State Messages Fault Isolation Mechanisms Diagnostic Services Properties of Time-Triggered Communication Systems Composability Independent Fault Containment Regions Strict Control on Node Interactions Replica Determinism Performance Summary

8 Services #1: Clock Synchronization Clock drifting makes periodic clock re-synchronization necessary. Precision is an important measure for Clock Synchronization Two important parameters: Granularity and horizon Granularity determines the min. interval between two adjacent ticks of the global time Horizon is a fixed point of time in the future at which point certain processes will be evaluated or assumed to end.

9 Service #2: Periodic Exchange of State Messages Messages carrying state information need to be exchanged periodically. Following a TDMA (time division multiple access) scheme Divide channel capacity into a number of slots and assign a unique slot to each node N nodes sending messages exactly once is called a TDMA round Communication system can operate autonomously, so that can be established in isolation

10 Services #3: Fault Isolation Mechanism Error containment mechanisms for timing message failures can be enforced transparently to the application With the knowledge of global transmission scheme, autonomous guardians can block timing message failures. NMR ( N-modular redundancy). N replicas receive the same request and provide the same service. The output of all replicas is provided to a voting mechanism, which selects one of the results, based on majority voting. Replica determinism simplifies the implementation of fault tolerance by active redundancy.

11 Service #4: Diagnostic Services The identification of failed sub-systems Triggers the autonomous recovery of a system in case of transient subsystem failure. Also can support the replacement of defective subsystem if a failure is permanent Membership problem: achieving agreement on the identity of all correctly functioning process of a process group. In a time-trigger system, periodic messages are membership points of the sender. Every receiver knows a priori when a message of a sender is supposed to arrive and interprets the arrival of the message as a life sign.

12 Outline Time and Event Triggered Communication Fundamental Services of a Time-Triggered Communication Protocol Clock Synchronization Periodic Exchange of State Messages Fault Isolation Mechanisms Diagnostic Services Properties of Time-Triggered Communication Systems Composability Independent Fault Containment Regions Strict Control on Node Interactions Replica Determinism Performance Summary

13 Property #1: Composability Composability: an architectural framework that supports the smooth integration and reuse of independently developed components in order to increase the level of abstraction in the design process. An architecture must enable the precise specification of the linking interface of a node in the domain of value and time. The operational specification of the value domain of interacting message is state-of-the-art in embedded system design Composability requires the stability of prior services upon integration.

14 Cont. Property #1: Composability Another necessary condition of composability is the support for noninterfering interactions. If there exist two disjoint subgroups of cooperating nodes that share a commin communication infrastructure, then the communication activities within one subgroup may not interfere with the communication activities with the other subgroup. Composability requires the preservation of the node abstraction in the case of failures. In a composable architecture, the introduced abstraction of a node must remain intact, even if a node becomes faulty.

15 Property #2: Independent Fault Containment Regions (FCR) A FCR is the boundary of the immediate impact if a fault. Message timing failure / message value failure Error detection must be part of FCRs because it avoids error propagation. Common-mode failures are failures of multiple FCRs, which are correlated and occur due to a common cause. Common-mode failures occur when the assumption of the independence of FCRs is compromised.

16 Property #3: Strict Control on Node Interactions A distributed system needs shared networking resources to support the interaction between nodes. To preserve the independence of FCRs, strict control on node interactions and the use of shared resources is required. Temporal partitioning: Media access control is concerned with the assignment of time intervals to each node for the transmission of the node s messages. Spatial partitioning: Spatial partitioning ensures that one node can t alter the code, data, or message of another node.

17 Property #4: Replica Determinism Replica determinism has to be supported by the architecture to ensure that the replicas of an FTU (fault tolerant unit) produce the same outputs in defined time intervals. Computational activities are triggered after the last message of a set of input messages has been received by all replicas of an FTU Each replica wakes up at the same global tick and operates on the same set of input messages, the alignment of communication and computational activities on the sparse global time base ensures temporal predictability and avoids race conditions.

18 Property #5: Performance Important performance attributes in real-time communication networks are the bandwidth, the network delay and the variability of the network delay. Bandwidth measured in bits/second. Determines the types of functions that can be handled and the number of messages and nodes that can be handled by the communication network. Network delay denotes the time difference between the production of a message at a sending node and the reception of the last bit of the message by invoking a send operation at the node's communication controller.

19 Cont. Property #5: Performance In time-triggered system, the send instants of all nodes are periodically recurring instants, which are globally planned in the system and denoted with respect to the global time base. In an event triggered system, the access delay of a message depends on the state on the communication system at the send instant. A bounded network delay with a min variability is important in many embedded applications. In hard real-time systems, missed deadlines represent system failures with the potential of consequences as serious as in the case of providing incorrect results.

20 Cont. Property #5: Performance For cars: steering system outage time must not exceed 50 ms For jets: engines could blow up if inputs are not within 20-50ms Delay jitter is another uncertainty: state estimation method can be used to compensate this issue.

21 Summary Overview Time and Event Triggered Communication Fundamental Services of a Time-Triggered Communication Protocol Clock Synchronization Periodic Exchange of State Messages Fault Isolation Mechanisms Diagnostic Services Properties of Time-Triggered Communication Systems Composability Independent Fault Containment Regions Strict Control on Node Interactions Replica Determinism Performance

22 THANK YOU! QUESTIONS?