Slide 1: The Rationale for Time-Triggered (TT) Ethernet
H. Kopetz, TU Wien, December 2008
Shortened by Hermann Härtig
Slide 2: Properties of a Successful Protocol
A successful real-time protocol must have the following properties:
- Sound theoretical foundations w.r.t. time, determinism, security, and composability.
- Support for all types of real-time applications, from multimedia to safety-critical control systems.
- Support for error containment of failing nodes.
- Economically competitive: a hardware SoC protocol controller should cost less than 1.
- Compatibility with the Ethernet standard, which is widely used in the non-real-time world, will reduce the software and human effort.
Slide 3: Time
Whenever we use the term time we mean physical time as defined by the international standard of time, TAI.
If the occurrence of events is restricted to some active intervals on the timeline with duration π, with an interval of silence of duration Δ between any two active intervals, then we call the time base π/Δ-sparse, or sparse for short, and events that occur during the active intervals sparse events.
[Figure: timeline with ticks 0 to 9 and alternating intervals π, Δ, π, Δ, π; events are only allowed to occur at subintervals of the timeline.]
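The sparse time base above can be checked mechanically: an event is a sparse event only if its instant falls into an active interval, and events in the same active interval are treated as simultaneous, so every node derives the same order. The following Python is an added example, not code from the slides; it assumes that the first active interval starts at t = 0 and uses exact fractions so that interval boundaries are not blurred by floating-point rounding.

```python
"""Sparse time base: decide for each event instant whether it falls into an
active interval (duration pi) or into the silence (duration delta) between
them, and derive the ordering all nodes agree on.
Added example, not from the slides. Assumption: the first active interval
starts at t = 0, so the active intervals are [k*(pi+delta), k*(pi+delta)+pi).
Times are exact Fractions (seconds)."""
from fractions import Fraction


def active_interval_index(t, pi, delta):
    """Return the index k of the active interval containing t, or None if t
    lies in a silence interval (i.e. the event is not a sparse event)."""
    k, offset = divmod(Fraction(t), Fraction(pi) + Fraction(delta))
    return int(k) if offset < pi else None


def check_sparse(events, pi, delta):
    """Split (name, instant) pairs into events that respect the pi/delta-sparse
    time base and events that violate it."""
    ok, violating = [], []
    for name, t in events:
        if active_interval_index(t, pi, delta) is None:
            violating.append(name)
        else:
            ok.append(name)
    return ok, violating


def global_order(events, pi, delta):
    """Order sparse events by active interval. Events inside the same active
    interval are reported as one group (simultaneous): since no event can
    fall into the silence, every node derives this same order from its own
    (imperfectly synchronized) clock."""
    groups = {}
    for name, t in events:
        k = active_interval_index(t, pi, delta)
        if k is None:
            raise ValueError(f"event {name} at t={t} violates the sparse time base")
        groups.setdefault(k, []).append(name)
    return [sorted(groups[k]) for k in sorted(groups)]


# Constructed sample: pi = 1, delta = 2 (the layout drawn on the slide), four events.
SAMPLE_EVENTS = [("a", Fraction(1, 2)), ("b", Fraction(4, 5)),
                 ("c", Fraction(16, 5)), ("d", Fraction(2))]

if __name__ == "__main__":
    print(check_sparse(SAMPLE_EVENTS, 1, 2))          # (['a', 'b', 'c'], ['d'])
    print(global_order(SAMPLE_EVENTS[:3], 1, 2))      # [['a', 'b'], ['c']]
```

Event d at t = 2 falls into the silence between the first and second active interval and is rejected; a and b share the first active interval and are reported as one simultaneous group.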
Slide 4: Cyclic Representation of the Sparse Time
[Figure: a cycle on which the real-time occurrence of sparse events alternates with silence.]
Slide 5: Component
A component is a hardware/software unit that accepts input messages, provides a useful service, maintains internal state, and produces, after some elapsed time, output messages containing the results. A component is thus an identifiable functional unit of data transformation and comprehension and forms an abstract high-level concept in the mental model of system behavior.
[Figure: three component stacks, each with an application module (a software module, an FPGA block, or custom hardware) above an API, an operating system and middleware layer, hardware, and a communication network interface with I/O.]
Slide 6: Sparse Time and State
[Figure: cycle of real-time occurrence of sparse events alternating with silence; the state is defined during the silence intervals.]
Slide 7: Determinism II (sparse time base)
We therefore need a revised, more pragmatic definition of determinism in a distributed real-time computer system that takes account of the finite synchronization of clocks and the digital nature of the time base:
A model of a distributed computer system (hardware, software, communication) is said to behave deterministically if and only if, given a sparse time base with an infinite sequence of active intervals t_j, the state of the system Σ(t_0) at t_0 (now), and a set of future sparse input messages IM_1(t_i1), IM_2(t_i2), ..., IM_n(t_in), the set of future output messages OM_1(t_o1), OM_2(t_o2), ..., OM_n(t_on) and the state of the system Σ(t_x) at all future t_x is entailed.
Slide 8: Mitigation at the Architecture Level: TMR
Triple Modular Redundancy (TMR) is the generally accepted technique for the mitigation of component failures at the system level:
[Figure: two components A and B in series, before replication.]
Slide 9: Fault-Handling at the Architectural Level: TMR
Triple Modular Redundancy (TMR) is the generally accepted technique for the mitigation of component failures at the system level:
[Figure: components A and B each replicated three times (A/1, A/2, A/3 and B/1, B/2, B/3), with a voter in front of every replica of A and of B.]
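The voters drawn on the slide do a majority vote over the three replica outputs, which masks one arbitrarily failing replica and at the same time identifies it. The following Python is an added example, not code from the slides: the replica functions, the injected failure in replica A/2 and the two-stage chain (the voted output of A feeding every replica of B) are constructed for illustration.

```python
"""Triple Modular Redundancy: majority voting over three replicas so that one
arbitrarily failing replica is masked and identified.
Added example, not from the slides. The replica functions, the injected
failure and the two-stage chain are constructed for illustration."""
from collections import Counter


class NoMajority(Exception):
    """Raised when all three replicas disagree: more than one failure, i.e.
    the single-failure assumption of TMR is violated."""


def tmr_vote(outputs):
    """Majority-vote three replica outputs (any hashable values, e.g. message
    payloads). Returns (voted_value, indices_of_dissenting_replicas)."""
    if len(outputs) != 3:
        raise ValueError("TMR needs exactly three replica outputs")
    value, count = Counter(outputs).most_common(1)[0]
    if count < 2:
        raise NoMajority(outputs)
    dissenting = [i for i, o in enumerate(outputs) if o != value]
    return value, dissenting


def tmr_stage(replicas, x):
    """Run three replica functions on the same input and vote on their outputs.
    Returns (voted_output, dissenting_replica_indices)."""
    return tmr_vote(tuple(r(x) for r in replicas))


def run_tmr_chain(stages, x):
    """Chain TMR stages (A, then B): the voted output of one stage is the input
    of every replica of the next. Returns the final voted output and the list
    of dissenting replica indices per stage (for diagnostics and maintenance)."""
    report = []
    for replicas in stages:
        x, dissenting = tmr_stage(replicas, x)
        report.append(dissenting)
    return x, report


# Constructed replicas: stage A scales a sensor value, stage B offsets it.
# Replica A/2 is injected with an arbitrary (wrong) output; the voter masks it.
def a_correct(v):
    return v * 2


def a_faulty(v):
    return v * 2 + 7        # injected arbitrary failure


def b_correct(v):
    return v + 1


STAGES = [(a_correct, a_faulty, a_correct), (b_correct, b_correct, b_correct)]

if __name__ == "__main__":
    print(run_tmr_chain(STAGES, 10))   # (21, [[1], []])
```

The dissent report is what an operator wants from a voter: the faulty replica is named per stage, and a NoMajority exception flags the case the fault hypothesis does not cover.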
Slide 10: Purpose of TT Ethernet
The purpose of TT Ethernet is to provide a uniform communication system for all types of distributed non-real-time and real-time applications, from very simple uncritical data acquisition tasks, to multimedia systems, and up to safety-critical control applications such as fly-by-wire or drive-by-wire. It should be possible to upgrade an application from standard TT Ethernet to a safety-critical configuration with minimal changes to the application software.
Slide 11: Legacy Integration
TT Ethernet is required to be fully compatible with existing Ethernet systems in hardware and software:
- Message format in full conformance with the Ethernet standard.
- Standard Ethernet traffic must be supported in all configurations.
- Existing Ethernet controller hardware must support TT Ethernet traffic.
- The IEEE 1588 standard for global time representation is supported.
Slide 12: Distinguish between two Categories of Messages
ET messages: standard Ethernet messages
- Open world assumption
- No guarantee of timeliness and no determinism
TT messages: scheduled time-triggered messages
- Closed world assumption
- Guaranteed, a priori known latency
- Determinism
Slide 13: TT and ET Ethernet Message Formats are Alike
Standard Ethernet message header:
- Preamble (7 bytes)
- Start Frame Delimiter (1 byte)
- Destination MAC Address (6 bytes)
- Source MAC Address (6 bytes)
- Tag Type Field (88d7 if TT)
Followed by:
- Client Data (0 to n bytes)
- PAD (0 to 64 bytes)
- Frame Check Sequence (4 bytes)
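Since the two formats differ only in the type field, a receiver classifies a frame by checking that field after the frame check sequence has passed. The following Python is an added example, not code from the slides: it builds frames with the layout above (preamble and start frame delimiter omitted, since a controller strips them before the frame reaches software), verifies the FCS, and classifies the frame as TT or ET. The MAC addresses and payloads are constructed.

```python
"""Build and parse Ethernet frames and classify them as TT or ET by the type
field: 0x88D7 marks a TT message, anything else is ordinary (ET) traffic.
Added example, not from the slides. Sample addresses and payloads are
constructed; preamble and start frame delimiter are not included."""
import struct
import zlib

TT_ETHERTYPE = 0x88D7
MIN_FRAME_NO_FCS = 60      # 64-byte minimum Ethernet frame minus the 4-byte FCS


def build_frame(dst: bytes, src: bytes, ethertype: int, client_data: bytes) -> bytes:
    """Header + client data, padded to the minimum length, followed by the
    Frame Check Sequence (CRC-32, transmitted least-significant byte first)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    body = dst + src + struct.pack("!H", ethertype) + client_data
    body += b"\x00" * max(0, MIN_FRAME_NO_FCS - len(body))      # PAD
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", fcs)


def parse_frame(frame: bytes) -> dict:
    """Verify the FCS, split the header and classify the frame as TT or ET.
    Raises ValueError for runt frames or a failed FCS check, which a
    receiver must drop before looking at the type field at all."""
    if len(frame) < MIN_FRAME_NO_FCS + 4:
        raise ValueError("runt frame")
    body, (fcs,) = frame[:-4], struct.unpack("<I", frame[-4:])
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("FCS mismatch")
    dst, src = body[:6], body[6:12]
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {
        "kind": "TT" if ethertype == TT_ETHERTYPE else "ET",
        "dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
        # client data and PAD cannot be separated from the header alone;
        # a length field inside the client data would be needed for that
        "client_data": body[14:],
    }


# Constructed sample frames (locally administered MAC addresses)
DST = bytes.fromhex("02000000000a")
SRC = bytes.fromhex("02000000000b")
TT_FRAME = build_frame(DST, SRC, TT_ETHERTYPE, b"\x01\x02\x03")
ET_FRAME = build_frame(DST, SRC, 0x0800, b"\x45\x00")   # IPv4 carried as ET traffic

if __name__ == "__main__":
    for f in (TT_FRAME, ET_FRAME):
        print(parse_frame(f)["kind"], len(f), "bytes")
```

A frame whose FCS does not verify is rejected before classification, so a corrupted type field can neither promote ET traffic to TT nor hide a TT message.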
Slide 14: Conflict Resolution in TT Ethernet
- TT versus ET: the TT message wins; the ET message is interrupted (preempted). The switch will retransmit the preempted ET message autonomously.
- TT versus TT: failure, since TT messages are assumed to be properly scheduled (closed world system).
- ET versus ET: one has to wait until the other is finished (standard Ethernet policy).
There is no guarantee of timeliness and determinism for ET messages!
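The three rules above can be played through on a single switch output port. The following Python is an added example, not code from the slides: it sends TT messages at their scheduled instants, lets ET messages fill the gaps in arrival order, cuts off an ET transmission that would run into a TT instant and retransmits it after the TT message, and rejects a schedule in which two TT messages overlap. The message classes, time unit and sample schedule are constructed.

```python
"""Single output port of a TT Ethernet switch: TT messages are sent at their
scheduled instants, ET messages fill the gaps, an ET transmission that would
run into a TT instant is preempted and retransmitted by the switch after the
TT message, and two overlapping TT messages are a schedule error.
Added example, not from the slides; message classes, time unit and sample
schedule are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TTMessage:
    name: str
    start: float       # scheduled transmission instant from the global schedule
    duration: float    # transmission time on this port


@dataclass(frozen=True)
class ETMessage:
    name: str
    arrival: float     # instant the switch received it
    duration: float


class ScheduleConflict(Exception):
    """TT versus TT: violates the closed-world assumption of the schedule."""


def simulate_port(tt_msgs, et_msgs):
    """Return the transmission log of the port as a list of
    (name, kind, start, end, outcome) tuples."""
    tt = sorted(tt_msgs, key=lambda m: m.start)
    for a, b in zip(tt, tt[1:]):              # closed world: TT never overlaps TT
        if b.start < a.start + a.duration:
            raise ScheduleConflict(f"{a.name} and {b.name} overlap")
    et = sorted(et_msgs, key=lambda m: m.arrival)   # ET versus ET: FIFO, one waits
    log, now, i = [], 0.0, 0
    for slot in tt + [None]:                  # None = the time after the last TT slot
        while i < len(et):
            m = et[i]
            start = max(now, m.arrival)
            if slot is not None and start >= slot.start:
                break                         # TT slot is due; ET waits
            end = start + m.duration
            if slot is not None and end > slot.start:
                # TT versus ET: TT wins, ET is cut off at the slot start and
                # the switch retransmits it from the beginning after the slot
                log.append((m.name, "ET", start, slot.start, "preempted"))
                now = slot.start
                break
            log.append((m.name, "ET", start, end, "complete"))
            now, i = end, i + 1
        if slot is None:
            break
        log.append((slot.name, "TT", slot.start, slot.start + slot.duration, "complete"))
        now = slot.start + slot.duration
    return log


# Constructed sample: one scheduled TT message and two ET messages on one port.
SAMPLE_TT = [TTMessage("tt1", start=3.0, duration=2.0)]
SAMPLE_ET = [ETMessage("et1", arrival=0.0, duration=5.0),
             ETMessage("et2", arrival=1.0, duration=1.0)]

if __name__ == "__main__":
    for entry in simulate_port(SAMPLE_TT, SAMPLE_ET):
        print(entry)
```

In the sample run tt1 is transmitted exactly at its scheduled instant 3.0, et1 is preempted at 3.0 and retransmitted from 5.0, and et2, which arrived at 1.0, does not leave the port before 10.0: the TT message keeps its latency, the ET messages get none.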
Slide 15: Global Time
TT messages are used to build a global time base.
The TT Ethernet time format is a sparse binary time format. Fractions of a second are represented as 24 negative powers of two (down to about 60 nanoseconds), and full seconds are represented in 40 positive powers of two (up to about 30 000 years) of the physical second. This binary time format has been standardized by the OMG and IEEE 1588.
TT Ethernet gives the user the option to make a tradeoff between dependability and cost of the global time.
Slide 16: TT Ethernet Periods
TT Ethernet recommends restricting the period durations to the positive and negative powers of two of the second, i.e. a period can be either 1 second, 2 seconds, 4 seconds, and so forth, or 1/2 second, 1/4 second, 1/8 second, and so forth. The duration of each period can then be characterized by the corresponding bit (the period bit) in the binary time format. The phase of a period, i.e. the offset from the start instant of the selected duration in the global time format, is designated by a pattern of twelve bits (the phase bits) to the right of the period bit. We can then represent a cycle with two bytes (four period bits, i.e. 16 periods, and twelve phase bits).
Slide 17: TT Ethernet Periods--Example
[Figure: the binary time format laid out bit by bit, from the 2^39 second bit (5 bytes of full seconds) through the 1 second bit down to bit 24, the 2^-24 second bit, with the period bit and the phase bits of the period marked.]
Specification of a period of 1/2^4 (i.e. 1/16) second with a phase (i.e. the offset from the periodic 1/16 second instant) of 1/2^6 + 1/2^11 = 16113 µs.
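The time format of slide 15 and the period/phase scheme of slides 16 and 17 can be worked through in code. The following Python is an added example, not code from the slides: it represents the 64-bit time word (40 bits of seconds, 24 bits of fractions), locates the period bit and the twelve phase bits for a given period, checks whether a global time instant is a send instant of a period/phase specification, and reproduces the 16113 µs phase of the slide's example. The 64-bit layout and the 4+12-bit cycle representation follow the slides; how the four period bits are mapped to one of the 16 periods is not stated on the slides, so the mapping used here (PERIOD_EXP_MIN) is an assumption of this example.

```python
"""TT Ethernet binary time format (40 bits of full seconds, 24 bits of
fractions, 2^-24 s resolution) and the period/phase specification built on
it: the period is a power of two of the second marked by one bit of the time
word, the phase is a 12-bit pattern directly to the right of that bit.
Added example, not from the slides. The mapping of the 4-bit period code to
a period exponent (PERIOD_EXP_MIN) is an assumption of this example."""
from fractions import Fraction

FRACTION_BITS = 24        # 2^-1 .. 2^-24 s
SECOND_BITS = 40          # 2^0 .. 2^39 s
PHASE_BITS = 12
PERIOD_EXP_MIN = -12      # assumed: period code 0 -> 2^-12 s ... code 15 -> 2^3 s
RESOLUTION_S = Fraction(1, 1 << FRACTION_BITS)


def to_raw(seconds) -> int:
    """Exact seconds -> integer time word in units of 2^-24 s."""
    raw = Fraction(seconds) / RESOLUTION_S
    if raw.denominator != 1 or not 0 <= raw < (1 << (SECOND_BITS + FRACTION_BITS)):
        raise ValueError("not representable in the time format")
    return int(raw)


def from_raw(raw: int) -> Fraction:
    return raw * RESOLUTION_S


def resolution_ns() -> float:
    return float(RESOLUTION_S * 10**9)          # about 60 ns


def range_years() -> float:
    return float(Fraction(1 << SECOND_BITS) / (365 * 24 * 3600))   # about 35 000 years


def period_raw(period_exp: int) -> int:
    """Period 2^period_exp s; its period bit is bit period_exp + 24 of the word."""
    return 1 << (period_exp + FRACTION_BITS)


def phase_raw(period_exp: int, pattern: int) -> int:
    """The 12 phase bits sit directly right of the period bit, MSB first:
    pattern bit 11 is 2^(period_exp-1) s, pattern bit 0 is 2^(period_exp-12) s."""
    if not 0 <= pattern < (1 << PHASE_BITS):
        raise ValueError("phase pattern is 12 bits")
    shift = period_exp + FRACTION_BITS - PHASE_BITS
    if shift < 0:
        raise ValueError("phase bits would fall below the 2^-24 s bit")
    return pattern << shift


def phase_pattern(period_exp: int, exponents) -> int:
    """Build the phase pattern from the power-of-two terms of the phase,
    e.g. exponents (-6, -11) for a phase of 1/2^6 + 1/2^11 s."""
    pattern = 0
    for e in exponents:
        idx = e - period_exp + PHASE_BITS
        if not 0 <= idx < PHASE_BITS:
            raise ValueError(f"2^{e} s is outside the phase bits of period 2^{period_exp} s")
        pattern |= 1 << idx
    return pattern


def is_send_instant(raw_time: int, period_exp: int, pattern: int) -> bool:
    """True if the global time instant hits the specified period and phase."""
    return raw_time % period_raw(period_exp) == phase_raw(period_exp, pattern)


def pack_cycle(period_exp: int, pattern: int) -> bytes:
    """Two-byte cycle: 4 period bits followed by 12 phase bits (assumed encoding)."""
    code = period_exp - PERIOD_EXP_MIN
    if not 0 <= code < 16:
        raise ValueError("period outside the 16 representable periods")
    return ((code << PHASE_BITS) | pattern).to_bytes(2, "big")


def unpack_cycle(b: bytes):
    word = int.from_bytes(b, "big")
    return (word >> PHASE_BITS) + PERIOD_EXP_MIN, word & ((1 << PHASE_BITS) - 1)


# The slide's example: period 1/2^4 s, phase 1/2^6 + 1/2^11 s
EXAMPLE_PATTERN = phase_pattern(-4, (-6, -11))
EXAMPLE_PHASE_US = from_raw(phase_raw(-4, EXAMPLE_PATTERN)) * 10**6

if __name__ == "__main__":
    print(f"phase = {float(EXAMPLE_PHASE_US):.2f} us")      # 16113.28 us
    print(pack_cycle(-4, EXAMPLE_PATTERN).hex())
```

For the slide's example the period bit is bit 20 of the time word (2^-4 s), the phase bits are bits 8 to 19, and the two set phase bits (2^-6 s and 2^-11 s) give 270336 units of 2^-24 s, i.e. 16113.28 µs.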
Slide 18: TT Ethernet Protocol Family
TT Ethernet forms an upward-compatible family of protocols, starting with low-cost, low-function controllers and going up to safety-critical configurations with a fault-tolerant time base, supported by certification:
- Low-level TT Ethernet system, which is not time-aware and provides no or minimal error containment.
- Professional TT Ethernet system, which is time-aware and contains configuration state to perform error containment of failing nodes.
- Advanced TT Ethernet system with multiple switches, which supports fault-tolerant clock synchronization and triple modular redundancy.
Slide 19: Integrity-Level of Application Domains
Application class  | System MTTF w.r.t. permanent failures (years) | System MTTF w.r.t. transient failures (years) | Data-integrity requirement | Market volume | Examples
Low-Integrity      | > 10      | > 1       | low       | huge     | Consumer electronics
Moderate-Integrity | > 100     | > 10      | moderate  | large    | Present-day automotive
High-Integrity     | > 1000    | > 100     | very high | moderate | Enterprise server
Safety-Critical    | > 100 000 | > 100 000 | very high | small    | Flight control
Slide 20: Fault Hypothesis in the TT Ethernet
i. A node computer forms a single FCR (fault-containment region) that can fail in an arbitrary failure mode.
ii. A communication channel, including the central guardian in the TT Ethernet switch, forms a single FCR that can fail to distribute messages.
iii. The central guardian within an appropriate Ethernet switch transforms non-fail-silent failures into fail-silent failures.
iv. Error detection can be performed by membership and clique-avoidance algorithms in advanced TT Ethernet systems.
v. The system can recover from a single failure within two TDMA rounds.
Slide 21: Approach to Safety: The Swiss-Cheese Model
[Figure: Swiss-cheese model after Reason, J.: Managing the Risk of Organizational Accidents, 1997. A subsystem failure has to pass multiple layers of defenses (normal operation, on-chip TMR, off-chip TMR, NGU strategy) before it becomes a catastrophic system event.]
Slide 22: Configuration with off-chip TMR
[Figure: four nodes, each with a TNA (Trusted Network Authority), a 10-100 Gigabyte time-triggered interconnect, a processing FPGA with components and near components, a bus, and a large external unit; the nodes are connected through the TT Ethernet switches Blue and Brown (TT Ethernet) and through standard Ethernet. A red DAS and a green DAS feed voting actuators.]
Slide 23: Example: TMR Configuration
[Figure: four nodes, each with a TNA (Trusted Network Authority), a 10-100 Gigabyte time-triggered interconnect, a processing FPGA with components and near components, a bus, and a large external unit; the nodes are connected through the TT Ethernet switches Blue and Red (TT Ethernet) and through standard Ethernet, and drive voting actuators.]
Slide 24: Conclusions
TT Ethernet
- provides a uniform communication infrastructure for all types of real-time and non-real-time applications--from simple data acquisition systems, to multimedia systems, up to safety-critical control applications;
- is based on sound theoretical concepts concerning time and determinism;
- is fully compatible with the existing Ethernet standard;
- can be introduced in a modular fashion, integrating existing Ethernet hardware and software with modules that support the new services.