The Rationale for Time-Triggered (TT) Ethernet. H. Kopetz, TU Wien, December 2008. Shortened by Hermann Härtig.


The Rationale for Time-Triggered (TT) Ethernet
H. Kopetz, TU Wien, December 2008
Shortened by Hermann Härtig

Properties of a Successful Protocol
A successful real-time protocol must have the following properties:
- Sound theoretical foundations w.r.t. time, determinism, security, and composability.
- Support for all types of real-time applications, from multimedia to safety-critical control systems.
- Support for error containment of failing nodes.
- Economically competitive: a hardware SoC protocol controller should cost less than 1.
- Compatibility with the Ethernet standard that is widely used in the non-real-time world will reduce the software and human effort.

Time
Whenever we use the term time we mean physical time as defined by the international standard of time, TAI.
If the occurrence of events is restricted to some active intervals on the timeline with duration π, with an interval of silence of duration Δ between any two active intervals, then we call the time base π/Δ-sparse, or sparse for short, and events that occur during the active intervals sparse events.
[Figure: a timeline with alternating active intervals of duration π and intervals of silence of duration Δ. Events are only allowed to occur at subintervals of the timeline.]

Cyclic Representation of the Sparse Time
[Figure: real time drawn as a cycle; sparse events occur during the active intervals, which are separated by intervals of silence.]

A component is a hardware/software unit that accepts input messages, provides a useful service, maintains internal state, and produces after some elapsed time output messages containing the results. A component is thus an identifiable functional unit of data transformation and comprehension and forms an abstract high-level concept in the mental model of system behavior.
[Figure: three component variants, realized as an application software module, an FPGA block, or custom hardware, each above an API, operating system and middleware, hardware, and a communication network interface with I/O.]

Sparse Time and State
[Figure: cyclic representation of real time; sparse events occur during the active intervals, and the state of the system is defined during the intervals of silence.]

Determinism II (sparse time base)
We therefore need a revised, more pragmatic, definition of determinism in a distributed real-time computer system that takes account of the finite synchronization of clocks and the digital nature of the time base:
A model of a distributed computer system (hardware, software, communication) is said to behave deterministically if and only if, given a sparse time base with an infinite sequence of active intervals $t_j$, the state of the system $\Sigma(t_0)$ at $t_0$ (now), and a set of future sparse input messages $IM_1(t_{i1}), IM_2(t_{i2}), \ldots, IM_n(t_{in})$, then the set of future output messages $OM_1(t_{o1}), OM_2(t_{o2}), \ldots, OM_n(t_{on})$ and the state of the system $\Sigma(t_x)$ at all future $t_x$ is entailed.

Mitigation at the Architecture Level: TMR
Triple Modular Redundancy (TMR) is the generally accepted technique for the mitigation of component failures at the system level.
[Figure: two components, A and B, without redundancy.]

Fault-Handling at the Architectural Level: TMR
Triple Modular Redundancy (TMR) is the generally accepted technique for the mitigation of component failures at the system level.
[Figure: components A and B each triplicated (A/1, A/2, A/3 and B/1, B/2, B/3), with a voter in front of every replica.]

Purpose of TT Ethernet
The purpose of TT Ethernet is to provide a uniform communication system for all types of distributed non-real-time and real-time applications, from very simple uncritical data acquisition tasks, to multimedia systems and up to safety-critical control applications, such as fly-by-wire or drive-by-wire. It should be possible to upgrade an application from standard TT Ethernet to a safety-critical configuration with minimal changes to the application software.

Legacy Integration
TT Ethernet is required to be fully compatible with existing Ethernet systems in hardware and software:
- Message format in full conformance with the Ethernet standard.
- Standard Ethernet traffic must be supported in all configurations.
- Existing Ethernet controller hardware must support TT Ethernet traffic.
- The IEEE 1588 standard for global time representation is supported.

Distinguish between two Categories of Messages
ET messages: standard Ethernet messages
- Open world assumption
- No guarantee of timeliness and no determinism
TT messages: scheduled time-triggered messages
- Closed world assumption
- Guaranteed, a priori known latency
- Determinism

TT and ET Ethernet Message Formats are Alike
Standard Ethernet message header:
- Preamble (7 bytes)
- Start Frame Delimiter (1 byte)
- Destination MAC Address (6 bytes)
- Source MAC Address (6 bytes)
- Tag Type Field (88d7 if TT)
Followed by:
- Client Data (0 to n bytes)
- PAD (0 to 64 bytes)
- Frame Check Sequence (4 bytes)
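Since the two message classes differ only in the tag type field, a receiver can separate them with an ordinary Ethernet header parser. The following added example (not part of the slides) builds frames of both kinds and classifies them; it assumes that software sees the frame starting at the destination address (preamble and start frame delimiter are added by the PHY), and uses the standard Ethernet minimum of 46 bytes of client data plus pad, which the slide does not state.

```python
import struct
import zlib

TT_ETHERTYPE = 0x88D7     # tag type field value the slide gives for TT messages
MIN_CLIENT_DATA = 46      # standard Ethernet minimum of client data + pad (assumption, not from the slide)
MAX_CLIENT_DATA = 1500    # standard Ethernet maximum client data (assumption, not from the slide)

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble dst | src | tag type | client data | pad | FCS.
    Preamble and start frame delimiter are omitted: the PHY adds them and
    they never appear in a frame handed to software."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    if len(payload) > MAX_CLIENT_DATA:
        raise ValueError("client data exceeds the Ethernet maximum")
    body = dst + src + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, MIN_CLIENT_DATA - len(payload))   # pad short frames
    fcs = struct.pack("<I", zlib.crc32(body))   # Ethernet FCS: CRC-32, least significant byte first
    return body + fcs

def classify_frame(frame: bytes) -> dict:
    """Parse the common header, verify the FCS and decide TT versus ET.
    Only the tag type field distinguishes the two message classes."""
    if len(frame) < 14 + MIN_CLIENT_DATA + 4:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    body, fcs = frame[:-4], frame[-4:]
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,
        "fcs_ok": struct.pack("<I", zlib.crc32(body)) == fcs,
        "kind": "TT" if ethertype == TT_ETHERTYPE else "ET",
        "client_data_len": len(body) - 14,      # client data including any pad
    }

# Constructed sample frames between two made-up MAC addresses
SAMPLE_DST = bytes.fromhex("02aabbccddee")
SAMPLE_SRC = bytes.fromhex("021122334455")
SAMPLE_TT = build_frame(SAMPLE_DST, SAMPLE_SRC, TT_ETHERTYPE, b"\x01\x02\x03")
SAMPLE_ET = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0800, b"x" * 100)

if __name__ == "__main__":
    for frame in (SAMPLE_TT, SAMPLE_ET):
        print(classify_frame(frame))
```

The tag alone only says which class a frame claims to belong to; whether a TT frame is actually scheduled is decided by the switch's configuration state (see the "professional" configuration in the protocol family slide).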

Conflict Resolution in TT Ethernet
- TT versus ET: the TT message wins; the ET message is interrupted (preempted). The switch will retransmit the preempted ET message autonomously.
- TT versus TT: failure, since TT messages are assumed to be properly scheduled (closed world system).
- ET versus ET: one has to wait until the other is finished (standard Ethernet policy). There is no guarantee of timeliness and determinism for ET messages!
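The three rules can be replayed on a single output port. The following added example (not from the slides or from any TT Ethernet implementation) is a small discrete-time model: message names, the tick unit and the sample traffic are constructed, and the model assumes that a preempted ET message is resent in full once the port is free.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    name: str
    kind: str      # "TT" (scheduled) or "ET" (standard Ethernet)
    start: int     # TT: scheduled send instant; ET: instant the frame reaches the port
    length: int    # transmission time in ticks (constructed unit)

class SchedulingError(Exception):
    """TT versus TT: under the closed-world assumption two TT messages never overlap."""

def arbitrate(messages):
    """Replay the three conflict rules on one output port.
    Returns (completed, preempted): completed transmissions as (name, start, end)
    and (name, instant) for every ET message interrupted by a TT message."""
    arrivals = sorted(messages, key=lambda m: (m.start, m.kind != "TT"))  # TT first at equal instants
    waiting, completed, preempted = deque(), [], []
    current = None                     # (msg, started_at, ends_at) of the frame on the wire

    def advance(t):
        """Finish the frame on the wire and dispatch queued ET frames, but only
        ones that start strictly before t: a TT message due at t has priority."""
        nonlocal current
        while True:
            if current and current[2] <= t:
                completed.append((current[0].name, current[1], current[2]))
                current = None
            if current or not waiting:
                return
            port_free = completed[-1][2] if completed else 0
            start = max(waiting[0].start, port_free)
            if start >= t:
                return
            nxt = waiting.popleft()
            current = (nxt, start, start + nxt.length)

    for m in arrivals:
        advance(m.start)
        if m.kind == "ET":
            waiting.append(m)          # ET versus ET: first come, first served
            continue
        if current and current[0].kind == "TT":
            raise SchedulingError(f"{m.name} overlaps {current[0].name}")
        if current:                    # TT versus ET: interrupt the ET frame ...
            preempted.append((current[0].name, m.start))
            waiting.appendleft(current[0])   # ... and let the switch resend it whole, later
        current = (m, m.start, m.start + m.length)
    advance(float("inf"))
    return completed, preempted

# Constructed traffic: two ET frames, the first of which is hit by a scheduled TT frame
SAMPLE_TRAFFIC = [Msg("E1", "ET", 0, 100), Msg("E2", "ET", 10, 50), Msg("T1", "TT", 40, 30)]

if __name__ == "__main__":
    print(arbitrate(SAMPLE_TRAFFIC))
```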

Global Time
TT messages are used to build a global time base. The TT Ethernet time format is a sparse binary time format: fractions of a second are represented as 24 negative powers of two (down to about 60 nanoseconds), and full seconds are represented in 40 positive powers of two (up to about 30 000 years) of the physical second. This binary time format has been standardized by the OMG and IEEE 1588. TT Ethernet gives the user the option to make a tradeoff between dependability and cost of the global time.

TT Ethernet Periods
TT Ethernet recommends restricting the period durations to the positive and negative powers of two of the second, i.e. a period can be either 1 second, 2 seconds, 4 seconds, and so forth, or 1/2 second, 1/4 second, 1/8 second and so forth. The duration of each period can then be characterized by the corresponding bit (the period bit) in the binary time format. The phase of a period, i.e. the offset from the start instant of the selected duration in the global time format, is designated by a pattern of twelve bits (the phase bits) to the right of the period bit. We can then represent a cycle with two bytes (four period bits, i.e. 16 periods, and twelve phase bits).

TT Ethernet Periods--Example
[Figure: the binary time format with the period bit and the phase of the period marked; the 40 seconds bits (5 bytes) run from the 2^39 second bit down to the 1 second bit, followed by 24 fraction bits down to 2^-24 second.]
Specification of a period of 1/2^4 (i.e. 1/16) second with a phase (i.e. the offset from the periodic 1/16 second instant) of 1/2^6 + 1/2^11 = 16113 µseconds.
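The period/phase encoding of the last two slides can be worked through in code. The following added example (not from the slides) models the time format as a 64-bit integer count of 2^-24 second ticks with the 40 seconds bits above the 24 fraction bits, and assumes that the most significant of the twelve phase bits is the one directly right of the period bit, i.e. it weighs 2^(p-1) seconds for a period of 2^p seconds; it reproduces the slide's 1/16 second example and computes the next instant at which such a message is due.

```python
from fractions import Fraction

FRAC_BITS = 24        # fractions of a second: 2^-1 .. 2^-24 s, about 60 ns resolution
SEC_BITS = 40         # full seconds: 2^0 .. 2^39 s, about 30 000 years
PHASE_BITS = 12       # the phase pattern is the twelve bits right of the period bit
TICK = Fraction(1, 1 << FRAC_BITS)

def to_ticks(seconds) -> int:
    """Encode an instant as the 64-bit binary time value (count of 2^-24 s ticks)."""
    t = Fraction(seconds) / TICK
    if t.denominator != 1 or not 0 <= t < (1 << (SEC_BITS + FRAC_BITS)):
        raise ValueError("instant is not representable in the 64-bit time format")
    return int(t)

def period_ticks(period_exp: int) -> int:
    """Length of a period of 2^period_exp seconds (its period bit is bit period_exp+24)."""
    if not PHASE_BITS - FRAC_BITS <= period_exp < SEC_BITS:
        raise ValueError("period bit must leave twelve phase bits inside the fraction bits")
    return 1 << (period_exp + FRAC_BITS)

def phase_pattern(period_exp: int, exponents) -> int:
    """Build the 12-bit phase pattern from the powers of two that make up the phase.
    Assumed bit order: bit 11 weighs 2^(p-1) s, bit 0 weighs 2^(p-12) s."""
    pattern = 0
    for e in exponents:
        bit = PHASE_BITS - (period_exp - e)
        if not 0 <= bit < PHASE_BITS:
            raise ValueError(f"2^{e} s is not a phase bit of a 2^{period_exp} s period")
        pattern |= 1 << bit
    return pattern

def phase_ticks(period_exp: int, pattern: int) -> int:
    """Offset from the period start instant encoded by the phase pattern, in ticks."""
    period_ticks(period_exp)                    # validates the period bit position
    if not 0 <= pattern < (1 << PHASE_BITS):
        raise ValueError("phase pattern is twelve bits")
    return pattern << (period_exp + FRAC_BITS - PHASE_BITS)

def next_send_instant(now_ticks: int, period_exp: int, pattern: int) -> int:
    """First instant at or after now_ticks at which a message with this period and phase is due."""
    period, offset = period_ticks(period_exp), phase_ticks(period_exp, pattern)
    due = now_ticks - now_ticks % period + offset
    return due if due >= now_ticks else due + period

def ticks_to_microseconds(ticks: int) -> Fraction:
    return ticks * TICK * 1_000_000

# The slide's example: period 1/2^4 s with a phase of 1/2^6 + 1/2^11 s
EXAMPLE_PERIOD_EXP = -4
EXAMPLE_PATTERN = phase_pattern(EXAMPLE_PERIOD_EXP, [-6, -11])    # 0x420

if __name__ == "__main__":
    offset = phase_ticks(EXAMPLE_PERIOD_EXP, EXAMPLE_PATTERN)
    print(f"pattern {EXAMPLE_PATTERN:#06x}, phase {float(ticks_to_microseconds(offset)):.2f} us")
```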

TT Ethernet Protocol Family
TT Ethernet forms an upward compatible family of protocols, starting with low-cost, low-function controllers and going up to safety-critical configurations with a fault-tolerant time base, supported by certification:
- Low-level TT Ethernet system, which is not time-aware and provides no or minimal error containment.
- Professional TT Ethernet system, which is time-aware and contains configuration state to perform error containment of failing nodes.
- Advanced TT Ethernet system with multiple switches, which supports fault-tolerant clock synchronization and triple modular redundancy.

Integrity-Level of Application Domains

Application                                    Low-Integrity   Moderate-Integrity   High-Integrity   Safety-Critical
System MTTF w.r.t. permanent failures (years)  > 10            > 100                > 1000           > 100 000
System MTTF w.r.t. transient failures (years)  > 1             > 10                 > 100            > 100 000
Data integrity requirement                     low             moderate             very high        very high
Market volume                                  huge            large                moderate         small
Examples                                       Consumer        Present-day          Enterprise       Flight
                                               electronics     automotive           server           control

Fault Hypothesis in the TT-Ethernet
i. A node computer forms a single FCR (fault containment region) that can fail in an arbitrary failure mode.
ii. A communication channel, including the central guardian in the TT Ethernet switch, forms a single FCR that can fail to distribute messages.
iii. The central guardian within an appropriate Ethernet switch transforms non-fail-silent failures into fail-silent failures.
iv. Error detection can be performed by membership and clique-avoidance algorithms in advanced TT Ethernet systems.
v. The system can recover from a single failure within two TDMA rounds.

Approach to Safety: The Swiss-Cheese Model
(From Reason, J.: Managing the Risk of Organizational Accidents, 1997.)
[Figure: a subsystem failure must pass through multiple layers of defenses (normal operation, on-chip TMR, off-chip TMR, NGU strategy) before it becomes a catastrophic system event.]

Configuration with off-chip TMR
[Figure: a red DAS and a green DAS feed voting actuators. Each of four units consists of a TNA (Trusted Network Authority), a 10-100 Gigabyte time-triggered interconnect, processing FPGA components with a near-component bus, and a large external unit. The units are connected through two TT Ethernet switches (blue and brown) and standard Ethernet.]

Example: TMR Configuration
[Figure: the same four units as in the previous slide (TNA, 10-100 Gigabyte time-triggered interconnect, processing FPGA components with near-component bus, large external unit) driving voting actuators, connected through two TT Ethernet switches (blue and red) and standard Ethernet.]

Conclusions
TT Ethernet
- provides a uniform communication infrastructure for all types of real-time and non-real-time applications--from simple data acquisition systems, to multimedia systems, up to safety-critical control applications.
- is based on sound theoretical concepts concerning time and determinism.
- is fully compatible with the existing Ethernet standard.
- can be introduced in a modular fashion, integrating existing Ethernet hardware and software with modules that support the new services.