advantages of time-triggered ethernetflightsoftware.jhuapl.edu/files/2015/day-2/2_12_2015-10... ·...

www.tttech.com

Ensuring Reliable Networks

Copyright © TTTech Computertechnik AG. All rights reserved.

Christian FidiProduct Manager

Advantages of Time-Triggered Ethernet

October 28th, 2015

www.tttech.com



Space Application Requirements

www.tttech.com



Architecture Theory

A System needs to ensure the:

• Correctness of the data

� Voting or

� ensure that the received value is right

• Temporal correctness (time of use and order)

� Synchronization

There are two architectures supporting fault-tolerants:

• Voting architecture (voting or byzantine voting)

• Fail-Silent architecture (COM/MON or dual-core lock-step)

www.tttech.com



Replica Determinism: Example Stage Separation

Consider a rocket launch. The real-time system responsible for the stage separation system has three redundant channels:

Channel 1 – Separation and Fire Boosters

Channel 2 – No Separation and do not Fire Boosters

Channel 3 – No Separation and Fire Boosters (Fault)

� Majority – No Separation and Fire Boosters!

� Temporal order within spare time needs to be guaranteed!

www.tttech.com



Voting Architecture–MIL1553 (TT)

• 3 redundant busses/lanes (1FT but not covering byzantine faults)

• Each Computer has one bus master node (bus controller)

• All Computers receive the messages from the other lanes where they are slave

• Precise synchronization has to be done between the lanes to be able to vote (state exchange)

• If one node fails than whole lane may be lost

• Voting is done in a two out of three manner

[© 2010 Data Device Corporation. Distributed and Reconfigurable Architecture for Flight Control System]

www.tttech.com



Disadvantages

• Additional point to point communication needed to ensure low latency synchronization

• Multiple protocols are needed

• For synchronization,

• Deterministic data,

• High speed data

• Additional wiring needed

• Software needs to take care of:

• Precise synchronization

• Redundancy management

• Support different protocols

• Testing effort and hardware (since this is application specific)

www.tttech.com


Copyright © TTTech Computertechnik AG. All rights reserved. Copyright © TTTech Computertechnik AG. All rights reserved. Page 8

Time-Triggered Communication

Local clocks –

free running

Local view of

global time

1. Globale Notion of Time

2. Message Schedule

www.tttech.com



Synchronization Services

Clock Synchronization Service

Startup/Restart Service

Clock Synchronization Service is executed during normal operation mode to keep the local clocks synchronized to each other. Startup/Restart Service is executed to reach an initial synchronization of the local clocks in the system. Integration/Reintegration Service is used for components to join an already synchronized system.Clique Detection Services are used to detect loss of synchronization and establishment of disjoint sets of synchronized components.

www.tttech.com



FT Synchronized Global Time

Fault-tolerant synchronization services are needed for establishing a robust global time basein the sub-microsecond area

www.tttech.com



Permanence of PCFs

Using the transparent_clock value, a receiver can determine the “earliest safe” point in time

when a PCF becomes permanent:

permanence_delay = max_transmission_delay – transparent_clock

permanence_point_in_time = receive_point_in_time + permanence_delay

Example:

• max_transmission_delay in this network is 0:30

• frame F1 is transmitted by node A at 10:00

• frame F2 is transmitted by node B at 10:05

• frame F1 has a transmission delay A �� C of 0:20. This is visible in F1’s transparent_clock

• frame F2 has a transmission delay B �� C of 0:05. This is visible in F2’s transparent_clock

• receiver C sees: F2 arrives at 10:10, becomes permanent at 10:10 + (0:30 - 0:05) = 10:35

• receiver C sees: F1 arrives at 10:20, F1 becomes permanent at 10:20 + (0:30 - 0:20) = 10:30

�� F1 becomes permanent before F2

A C

B

10:00

10:05

10:20

10:10F1

F2

Comp

www.tttech.com



TTE

TTE

TTE

TTE

TTE

ETH

ETH

ETH

Ethernet

TTETTE

ETH

TTE

TTE

TTE

TTE

External Clock Synchronization

External synchronization to e.g. PPS of the fault-tolerant clock

www.tttech.com



Time-triggered Traffic Timing

• Full control of timings in the system

• Defined latency and sub-microsecond jitter

• Minimum memory needs

• Fault-containment regions

I’ll transmit M at 10:45

I’ll accept M only between 10:40 and 10:50

I’ll forward M at 11:00

I’ll accept M only between

10:55 and 11:05

I’ll forward M at 11:10 Let’s see if I

can receive M…a switch

I’ll expect M between 11:05

and 11:15

M

M

M

M

www.tttech.com


Copyright © TTTech Computertechnik AG. All rights reserved. Page 14

TTEthernet Traffic Partitioning

www.tttech.com



Time-triggered extensions for standard switched Gigabit-Ethernet

• Startup

• Recovery

• Robust fault-tolerant distributed clock

Extensions & Standard Ethernet

Makes Ethernet viable for safety-critical distributed applications!

www.tttech.com



Fault-Containment Regions in TTEthernet

TTEthernet defines Switches and End Systems as two kinds of Fault-Containment

Regions. Frame loss is mapped to the respective sender.

Depending on cost and reliability targets, switches and or end systems may be

implemented with standard or high-integrity in order to be able to scale from

single to dual fault tolerance.

Protocol mechanisms can be configured to handle Strictly Omissive Asymmetric

switch faults (HI) and fully Transmissive Asymmetric end system faults (SI).

www.tttech.com



High-Integrity: Self-Checking Pair

• High integrity design: Self checking pair

• Two processor that execute same function in parallel

• Comparator checks output of both processors.

• If one processor fails (maliciously) and generates wrong data, second processors shuts down.

Self-checking pair ensures fail-silence !

www.tttech.com



Requirement:Easy “System of Systems” Fusion

SoS architecture with TTEthernetsupports reconfiguration

Several separate vehicles or elements fuse into a new combined network configuration

time-triggeredPriority 1

Priority 2

www.tttech.com



TTE-Controller

� Switch Controller COM

� Switch Controller MON

� End System

� CPU • Management &

• Diagnostics

Available in Q3/2016

www.tttech.com



TTEthernet

TTEthernet Products

TTESwitches A664

TTEEnd Systems A664

Software Tools and Development Systems

TTECOMTTESync Lib(middleware)

PMC Lab PMC Pro

SMC 6U VPX*

ARINC 653 v4.0 Linux v4.0

�TTETools(development)

TTEVerify(for DO cert.)

Switch Controller

End System Controller

www.tttech.com



www.tttech.com

Cross Industry

© N

AS

A

Sikorsky S97 Raider NASA Orion Vestas Wind Turbines

Audi Piloted Driving Aribus DS Ariane 6 Oil Platform

TTEthernet Examples of Reliable Safety Critical Networks

www.tttech.com



Conclusion

The protocol and implementation supports

Synchronization

Deterministic communication

Fault-tolerance

But also allows the flexibility of the standard Ethernet

� Reduces SW complexity

Space graded components are up coming

The environment is developed cross industry (embedded SW, tools, test- and development equipment)

www.tttech.com



Any Questions?

Thank You!

advantages of time-triggered ethernetflightsoftware.jhuapl.edu/files/2015/day-2/2_12_2015-10... ·...

Documents