Advantages of Time-Triggered Ethernet
Source: flightsoftware.jhuapl.edu/files/2015/day-2/2_12_2015-10...
TRANSCRIPT
www.tttech.com
Ensuring Reliable Networks
Copyright © TTTech Computertechnik AG. All rights reserved. Page 1
Christian Fidi, Product Manager
Advantages of Time-Triggered Ethernet
October 28th, 2015
Space Application Requirements
Architecture Theory
A system needs to ensure the:
• Correctness of the data
  – voting, or
  – ensuring that the received value is right
• Temporal correctness (time of use and order)
  – synchronization
There are two architectures supporting fault tolerance:
• Voting architecture (voting or Byzantine voting)
• Fail-silent architecture (COM/MON or dual-core lock-step)
Replica Determinism: Example Stage Separation
Consider a rocket launch. The real-time system responsible for the stage separation system has three redundant channels:
Channel 1 – Separation and Fire Boosters
Channel 2 – No Separation and do not Fire Boosters
Channel 3 – No Separation and Fire Boosters (Fault)
→ Majority – No Separation and Fire Boosters!
→ Temporal order (within the available spare time) needs to be guaranteed; otherwise correct replicas diverge and a per-signal vote fuses them into a command that no channel ever issued.
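The hazard on this slide can be reproduced in a few lines. The following is an added example, not code from the slides or from TTTech: it votes the three channel outputs quoted above (constructed data) first signal by signal, which yields the faulty hybrid, and then over the whole command vector, which exposes the disagreement instead of hiding it. The Command record and the safe default are assumptions made for the illustration.

```python
"""Two-out-of-three voting on the stage-separation commands of the slide.

Added example, not code from the slides or from TTTech. The three channel
outputs are the ones quoted above (constructed data); the Command record and
the safe default are assumptions made for the illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Command:
    separate: bool
    fire_boosters: bool


# Channel outputs exactly as listed on the slide; channel 3 is the faulty one.
CHANNELS = (
    Command(separate=True, fire_boosters=True),     # Channel 1
    Command(separate=False, fire_boosters=False),   # Channel 2
    Command(separate=False, fire_boosters=True),    # Channel 3 (fault)
)

# Assumed safe default when the replicas do not agree: do nothing irreversible.
SAFE_STATE = Command(separate=False, fire_boosters=False)


def vote_per_signal(channels: Sequence[Command]) -> Command:
    """Majority on each output signal independently.

    This is what a naive 2-out-of-3 voter does, and it reproduces the slide's
    hazard: the result can be a combination that no channel ever commanded.
    """
    n = len(channels)
    separate = sum(c.separate for c in channels) * 2 > n
    fire = sum(c.fire_boosters for c in channels) * 2 > n
    return Command(separate=separate, fire_boosters=fire)


def vote_whole_command(channels: Sequence[Command]) -> Optional[Command]:
    """Majority over the complete command vector.

    Returns None when no value has a majority, which is exactly the slide's
    situation: channels 1 and 2 are both "correct" but diverged because they
    observed the inputs in a different temporal order.
    """
    value, count = Counter(channels).most_common(1)[0]
    return value if count * 2 > len(channels) else None


def actuate(channels: Sequence[Command]) -> Command:
    """What reaches the pyrotechnics: the agreed command, or the safe state."""
    decision = vote_whole_command(channels)
    return SAFE_STATE if decision is None else decision


if __name__ == "__main__":
    print("per-signal vote :", vote_per_signal(CHANNELS))     # hazardous hybrid
    print("whole-command   :", vote_whole_command(CHANNELS))  # None: no majority
    print("actuated        :", actuate(CHANNELS))             # safe state
```

Voting the whole vector only turns the hazard into a detected disagreement; it does not restore agreement. That needs replica determinism: when all channels see the same inputs in the same order within the spare time, the two correct channels agree and the faulty one is outvoted.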
Voting Architecture – MIL-STD-1553 (TT)
• 3 redundant busses/lanes (single-fault tolerant, but not covering Byzantine faults)
• Each computer has one bus master node (bus controller)
• All computers receive the messages from the other lanes, where they are slaves
• Precise synchronization has to be done between the lanes to be able to vote (state exchange)
• If one node fails, the whole lane may be lost
• Voting is done in a two-out-of-three manner
[© 2010 Data Device Corporation. Distributed and Reconfigurable Architecture for Flight Control System]
Disadvantages
• Additional point-to-point communication needed to ensure low-latency synchronization
• Multiple protocols are needed:
  – for synchronization,
  – deterministic data,
  – high-speed data
• Additional wiring needed
• Software needs to take care of:
  – precise synchronization
  – redundancy management
  – support for different protocols
• Testing effort and hardware (since this is application specific)
Time-Triggered Communication
[Figure: free-running local clocks versus each node's local view of the global time]
1. Global notion of time
2. Message schedule
Synchronization Services
• Clock Synchronization Service: executed during normal operation mode to keep the local clocks synchronized to each other.
• Startup/Restart Service: executed to reach an initial synchronization of the local clocks in the system.
• Integration/Reintegration Service: used for components to join an already synchronized system.
• Clique Detection Services: used to detect loss of synchronization and the establishment of disjoint sets of synchronized components.
FT Synchronized Global Time
Fault-tolerant synchronization services are needed to establish a robust global time base with sub-microsecond precision.
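Why the synchronization itself has to be fault tolerant is easiest to see with numbers. The block below is an added illustration, not TTTech's or SAE AS6802's algorithm (the slides do not say which convergence function TTEthernet uses): it implements the classic trimmed fault-tolerant average (drop the k largest and k smallest clock readings, average the rest) and contrasts it with a plain average when one peer reports a garbage offset. All readings are constructed; the unit is nanoseconds.

```python
"""Fault-tolerant clock correction (added illustration, not the product's code).

Classic trimmed fault-tolerant average: discard the k largest and k smallest
readings, average the survivors. Shows why an ordinary average is unsafe when
one clock is faulty. Readings are constructed; units are nanoseconds.
"""
from statistics import mean
from typing import Sequence


def plain_average_correction(offsets_ns: Sequence[float]) -> float:
    """Naive correction: a single faulty reading drags the whole ensemble."""
    return mean(offsets_ns)


def ft_average_correction(offsets_ns: Sequence[float], k: int) -> float:
    """Correction tolerating up to k readings with arbitrary (Byzantine) values.

    offsets_ns[i] = (clock of peer i) - (own clock), as observed locally.
    At most k readings are faulty, so among the k+1 smallest readings at
    least one is correct; the smallest survivor is therefore no smaller than
    the smallest correct reading, and symmetrically for the largest. The
    correction is bounded by the correct clocks whatever the faulty ones say.
    """
    if k < 0 or len(offsets_ns) < 2 * k + 1:
        raise ValueError("need at least 2k+1 readings to tolerate k faults")
    ordered = sorted(offsets_ns)
    survivors = ordered[k:len(ordered) - k]
    return mean(survivors)


def bounded_by_correct(correction: float, correct_offsets_ns: Sequence[float]) -> bool:
    """Safety property: the correction must stay inside the correct readings."""
    return min(correct_offsets_ns) <= correction <= max(correct_offsets_ns)


# Constructed readings at one node: four correct peers (own clock included as 0)
# and one faulty peer claiming to be a full second ahead.
CORRECT = [-120.0, -40.0, 0.0, 60.0]
FAULTY = 1_000_000_000.0
READINGS = CORRECT + [FAULTY]

if __name__ == "__main__":
    print("plain average :", plain_average_correction(READINGS), "ns")   # ~2e8: pulled away
    print("ft average k=1:", ft_average_correction(READINGS, 1), "ns")   # stays within the correct set
```

The price of tolerance is redundancy: tolerating k faulty clocks needs at least 2k+1 readings, and the precision you can reach is bounded by the spread of the correct clocks, which is what the sub-microsecond target above constrains.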
Permanence of PCFs
Using the transparent_clock value, a receiver can determine the “earliest safe” point in time
when a PCF becomes permanent:
permanence_delay = max_transmission_delay – transparent_clock
permanence_point_in_time = receive_point_in_time + permanence_delay
Example:
• max_transmission_delay in this network is 0:30
• frame F1 is transmitted by node A at 10:00
• frame F2 is transmitted by node B at 10:05
• frame F1 has a transmission delay A → C of 0:20. This is visible in F1’s transparent_clock
• frame F2 has a transmission delay B → C of 0:05. This is visible in F2’s transparent_clock
• receiver C sees: F2 arrives at 10:10, becomes permanent at 10:10 + (0:30 − 0:05) = 10:35
• receiver C sees: F1 arrives at 10:20, F1 becomes permanent at 10:20 + (0:30 − 0:20) = 10:30
→ F1 becomes permanent before F2
Since transparent_clock is the delay actually experienced, the permanence point equals the transmission time plus max_transmission_delay (10:00 + 0:30 and 10:05 + 0:30): the receiver observes the frames in the order they were sent, not the order they arrived.
[Figure: nodes A and B send F1 (at 10:00) and F2 (at 10:05) to receiver C, which compares their permanence points; arrivals at C are 10:20 for F1 and 10:10 for F2]
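The two formulas above carried through in code, as an added example that is not part of the slides or of TTTech's implementation. It uses the slide's numbers (mm:ss strings converted to seconds); the Pcf record and the rejection of a transparent_clock larger than max_transmission_delay are assumptions made for the illustration.

```python
"""Permanence point of a PCF computed from its transparent_clock.

Added example, not code from the slides or TTTech: it carries the slide's
worked numbers through the two formulas above. Times are the slide's mm:ss
strings converted to seconds; the Pcf record and the range check on
transparent_clock are assumptions for the illustration.
"""
from typing import List, NamedTuple


def to_s(t: str) -> int:
    """'10:20' -> 620 seconds."""
    m, s = t.split(":")
    return int(m) * 60 + int(s)


def fmt(sec: int) -> str:
    """620 -> '10:20'."""
    return f"{sec // 60}:{sec % 60:02d}"


class Pcf(NamedTuple):
    name: str
    receive_point: int       # local time at which the frame arrived (s)
    transparent_clock: int   # path delay accumulated in the frame (s)


def permanence_point(frame: Pcf, max_transmission_delay: int) -> int:
    """receive_point_in_time + (max_transmission_delay - transparent_clock).

    A transparent_clock above the configured maximum cannot come from a
    correct path, so the frame is rejected rather than being declared
    permanent at a point that already lies in the past.
    """
    permanence_delay = max_transmission_delay - frame.transparent_clock
    if permanence_delay < 0:
        raise ValueError(f"{frame.name}: transparent_clock {fmt(frame.transparent_clock)} "
                         f"exceeds max_transmission_delay {fmt(max_transmission_delay)}")
    return frame.receive_point + permanence_delay


def permanence_order(frames: List[Pcf], max_transmission_delay: int) -> List[Pcf]:
    """Frames in the order in which they become permanent at this receiver."""
    return sorted(frames, key=lambda f: permanence_point(f, max_transmission_delay))


# The slide's numbers, as seen by receiver C.
MAX_DELAY = to_s("0:30")
F1 = Pcf("F1", receive_point=to_s("10:20"), transparent_clock=to_s("0:20"))  # sent by A at 10:00
F2 = Pcf("F2", receive_point=to_s("10:10"), transparent_clock=to_s("0:05"))  # sent by B at 10:05

if __name__ == "__main__":
    for f in (F1, F2):
        print(f.name, "arrives", fmt(f.receive_point),
              "permanent at", fmt(permanence_point(f, MAX_DELAY)))
    print("permanence order:", [f.name for f in permanence_order([F1, F2], MAX_DELAY)])
```

The configured max_transmission_delay is the knob: too small and correct frames on slow paths are rejected (negative permanence delay); too large and every PCF is held for longer than necessary before it can be used.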
External Clock Synchronization
[Figure: a network of TTE (TTEthernet) nodes with standard Ethernet (ETH) nodes attached]
External synchronization to e.g. the PPS (pulse per second) of the fault-tolerant clock
Time-triggered Traffic Timing
• Full control of timings in the system
• Defined latency and sub-microsecond jitter
• Minimum memory needs
• Fault-containment regions
[Figure: message M travelling from a sender through two switches to a receiver; each hop is annotated with its schedule]
Sender: “I’ll transmit M at 10:45”
First switch: “I’ll accept M only between 10:40 and 10:50” / “I’ll forward M at 11:00”
Second switch: “I’ll accept M only between 10:55 and 11:05” / “I’ll forward M at 11:10”
Receiver: “I’ll expect M between 11:05 and 11:15”
“Let’s see if I can receive M…” (a switch)
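The acceptance windows on this slide are what turn a schedule into a fault-containment mechanism: a frame outside its window is discarded at the first hop, however valid its contents. The block below is an added example, not code from the slides or TTTech. It models the slide's figure as a sender, two switches and a receiver with the quoted times (mm:ss converted to seconds); the Hop class, the zero link delay and the assignment of the speech bubbles to hops are assumptions made for the illustration.

```python
"""Schedule-based acceptance windows along a time-triggered path.

Added example, not code from the slides or TTTech. Models the slide's figure
(sender, two switches, receiver) with the quoted times; the Hop class and the
zero link delay are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def to_s(t: str) -> int:
    """'10:45' -> 645 seconds."""
    m, s = t.split(":")
    return int(m) * 60 + int(s)


def fmt(sec: int) -> str:
    """645 -> '10:45'."""
    return f"{sec // 60}:{sec % 60:02d}"


@dataclass
class Hop:
    name: str
    accept_from: int            # start of the acceptance window (s)
    accept_until: int           # end of the acceptance window (s)
    forward_at: Optional[int]   # scheduled dispatch time; None for the final receiver
    log: List[str] = field(default_factory=list)

    def receive(self, frame: str, arrival: int) -> Optional[int]:
        """Return when the frame leaves this hop, or None if it was dropped."""
        if not self.accept_from <= arrival <= self.accept_until:
            self.log.append(f"{self.name}: dropped {frame} at {fmt(arrival)}, "
                            f"window {fmt(self.accept_from)}-{fmt(self.accept_until)}")
            return None
        if self.forward_at is None:
            self.log.append(f"{self.name}: delivered {frame} at {fmt(arrival)}")
            return arrival
        # Forwarded at the scheduled slot, not on arrival: jitter does not
        # accumulate across hops, so end-to-end latency is set by the schedule.
        self.log.append(f"{self.name}: forwarded {frame} at {fmt(self.forward_at)}")
        return self.forward_at


def slide_path() -> List[Hop]:
    """The hops and times shown on the slide (fresh objects on every call)."""
    return [
        Hop("switch 1", to_s("10:40"), to_s("10:50"), to_s("11:00")),
        Hop("switch 2", to_s("10:55"), to_s("11:05"), to_s("11:10")),
        Hop("receiver", to_s("11:05"), to_s("11:15"), None),
    ]


def send(frame: str, dispatch: int, path: List[Hop], link_delay: int = 0) -> Optional[int]:
    """Push a frame down the path; delivery time, or None if any hop dropped it."""
    t = dispatch
    for hop in path:
        t = hop.receive(frame, t + link_delay)
        if t is None:
            return None
    return t


if __name__ == "__main__":
    path = slide_path()
    print("scheduled M:", send("M", to_s("10:45"), path))    # 670 s, i.e. 11:10
    print("late frame :", send("M'", to_s("10:52"), path))   # None: dropped at switch 1
    print(*(line for hop in path for line in hop.log), sep="\n")
```

A node that babbles outside its slot, whether because of a fault or because it was compromised, is cut off at the first switch; nothing it sends can reach the receiver's window. This is the per-sender fault containment described on the following slides.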
TTEthernet Traffic Partitioning
Time-triggered extensions for standard switched Gigabit-Ethernet
• Startup
• Recovery
• Robust fault-tolerant distributed clock
Extensions & Standard Ethernet
Makes Ethernet viable for safety-critical distributed applications!
Fault-Containment Regions in TTEthernet
TTEthernet defines switches and end systems as two kinds of fault-containment regions. Frame loss is mapped to the respective sender.
Depending on cost and reliability targets, switches and/or end systems may be implemented with standard or high integrity in order to be able to scale from single to dual fault tolerance.
Protocol mechanisms can be configured to handle strictly omissive asymmetric switch faults (HI, high-integrity switches) and fully transmissive asymmetric end system faults (SI, standard-integrity end systems).
High-Integrity: Self-Checking Pair
• High-integrity design: self-checking pair
• Two processors execute the same function in parallel
• A comparator checks the output of both processors
• If one processor fails (even maliciously) and generates wrong data, the second processor shuts the output down
A self-checking pair ensures fail-silence!
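A minimal model of that behaviour, as an added example that is not code from the slides or TTTech: two lanes run the same function, a comparator gates the output, and the first disagreement latches the pair into silence. A simplex node running the same faulty lane is shown alongside for contrast; the toy control law, the bit-flip fault and its fail_from counter are constructed for the illustration.

```python
"""Self-checking pair (COM/MON) versus a single lane, as an added example.

Not code from the slides or TTTech: a minimal model of the fail-silent
behaviour described above. The control law, the bit-flip fault and the
fail_from counter are constructed for the illustration.
"""
from typing import Callable, List, Optional, Tuple

Inputs = Tuple[int, int]
Lane = Callable[[Inputs], bytes]


def control_law(inputs: Inputs) -> bytes:
    """Toy actuator command: 128 + (setpoint - measured), clamped to one byte."""
    setpoint, measured = inputs
    return bytes([max(0, min(255, 128 + setpoint - measured))])


def make_faulty_lane(good: Lane, fail_from: int) -> Lane:
    """Wrap a lane so that from call number `fail_from` on it flips the low bit."""
    calls = {"n": 0}

    def lane(inputs: Inputs) -> bytes:
        calls["n"] += 1
        out = good(inputs)
        return bytes([out[0] ^ 0x01]) if calls["n"] >= fail_from else out

    return lane


class SelfCheckingPair:
    """Two lanes compute the same function; a comparator gates the output.

    On the first disagreement the pair latches into shutdown and emits nothing
    until explicitly restarted: the network sees an omission, never a wrong value.
    """

    def __init__(self, lane_a: Lane, lane_b: Lane) -> None:
        self.lane_a, self.lane_b = lane_a, lane_b
        self.shut_down = False

    def step(self, inputs: Inputs) -> Optional[bytes]:
        if self.shut_down:
            return None
        a, b = self.lane_a(inputs), self.lane_b(inputs)
        if a != b:
            self.shut_down = True   # fail-silent: do not pick a side
            return None
        return a

    def restart(self) -> None:
        """Reintegration would follow a restart and health check of the lanes."""
        self.shut_down = False


def run(step: Callable[[Inputs], Optional[bytes]],
        inputs_seq: List[Inputs]) -> List[Optional[bytes]]:
    """Drive a node's step function over a sequence of inputs; collect what it emits."""
    return [step(x) for x in inputs_seq]


if __name__ == "__main__":
    samples = [(10, 5)] * 5
    single = make_faulty_lane(control_law, fail_from=3)   # simplex node, no comparator
    pair = SelfCheckingPair(control_law, make_faulty_lane(control_law, fail_from=3))
    print("single lane:", run(single, samples))     # wrong values from the third step, undetected
    print("pair       :", run(pair.step, samples))  # silence from the third step on
```

The comparator converts an arbitrary (including malicious) value fault into an omission, which is the fault type the rest of the network is designed to tolerate; a simplex node of standard integrity instead emits the wrong frame and relies on the receivers to cope.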
Requirement: Easy “System of Systems” Fusion
SoS architecture with TTEthernet supports reconfiguration
Several separate vehicles or elements fuse into a new combined network configuration
[Figure: traffic classes time-triggered, Priority 1, Priority 2]
TTE-Controller
• Switch Controller COM
• Switch Controller MON
• End System
• CPU (management & diagnostics)
Available in Q3/2016
TTEthernet Products
• TTESwitches A664
• TTEEnd Systems A664
• Software Tools and Development Systems:
  – TTECOM, TTESync Lib (middleware)
  – PMC Lab, PMC Pro
  – SMC 6U VPX*
  – ARINC 653 v4.0, Linux v4.0
  – TTETools (development)
  – TTEVerify (for DO cert.)
• Switch Controller
• End System Controller
Cross Industry
TTEthernet Examples of Reliable Safety Critical Networks
[Figure: Sikorsky S97 Raider, NASA Orion (© NASA), Vestas wind turbines, Audi piloted driving, Airbus DS Ariane 6, oil platform]
Conclusion
The protocol and implementation support
• Synchronization
• Deterministic communication
• Fault tolerance
but also allow the flexibility of standard Ethernet
→ Reduces SW complexity
Space-graded components are upcoming
The environment is developed cross-industry (embedded SW, tools, test and development equipment)
Any Questions?
Thank You!