Christian Fidi - PowerPoint Presentation

stefany-barnette (@stefany-barnette)
412 views
Uploaded On 2016-11-06


Product Manager. Advantages of Time-Triggered Ethernet, October 28th 2015. Space Application Requirements. Architecture Theory. ID: 485144




Presentation Transcript

Slide1

Christian Fidi

Product Manager

Advantages of Time-Triggered Ethernet

October 28th, 2015

Slide2

Space Application Requirements

Slide3

Space Application Requirements

Slide4

Architecture Theory

A system needs to ensure the:

Correctness of the data: voting, or ensure that the received value is right

Temporal correctness (time of use and order): synchronization

There are two architectures supporting fault tolerance:

Voting architecture (voting or Byzantine voting)

Fail-silent architecture (COM/MON or dual-core lock-step)

Slide5

Replica Determinism: Example Stage Separation

Consider a rocket launch. The real-time system responsible for the stage separation system has three redundant channels:

Channel 1 – Separation and Fire Boosters

Channel 2 – No Separation and do not Fire Boosters

Channel 3 – No Separation and Fire Boosters (Fault)

Majority – No Separation and Fire Boosters!

Temporal order within spare time needs to be guaranteed!
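The stage-separation vote above, and the two architectures from the Architecture Theory slide, as an added example (this is not code from the presentation or from TTTech). It votes the three channel outputs field by field, as a naive voter would, and shows that the majority is the faulty channel's command; it then votes over whole messages delivered within a spare-time deadline, and contrasts both with a fail-silent COM/MON pair. The Command and Vote types, the delivery times and the deadline are constructed for this example.

```python
# Added example (not from the presentation or TTTech): 2-out-of-3 voting over
# three redundant channels, reproducing the slide's stage-separation case, and a
# fail-silent self-checking pair as the alternative architecture.
from collections import Counter
from typing import List, NamedTuple, Optional


class Command(NamedTuple):
    separate: bool       # stage separation commanded?
    fire_boosters: bool  # booster ignition commanded?


class Vote(NamedTuple):
    channel: int
    cmd: Command
    t: float  # constructed delivery time (s) of the channel's result at the voter


# Constructed sample reproducing the slide: channel 3 is the faulty one.
SLIDE_VOTES = [
    Vote(1, Command(separate=True, fire_boosters=True), t=0.010),
    Vote(2, Command(separate=False, fire_boosters=False), t=0.012),
    Vote(3, Command(separate=False, fire_boosters=True), t=0.011),  # fault
]


def vote_fieldwise(votes: List[Vote]) -> Command:
    """Field-by-field 2-out-of-3 majority, the naive way to vote.
    Without replica determinism the healthy channels disagree, and the result
    is a command that only the faulty channel produced."""
    cmds = [v.cmd for v in votes]
    separate = sum(c.separate for c in cmds) >= 2
    fire = sum(c.fire_boosters for c in cmds) >= 2
    return Command(separate, fire)


def vote_message(votes: List[Vote], deadline: float) -> Optional[Command]:
    """Majority over whole messages, counting only results delivered within
    the spare time (by `deadline`). Returns None when no two channels agree on
    the complete command: the voter does not synthesise a command that no
    channel sent, it signals that it cannot decide."""
    timely = [v.cmd for v in votes if v.t <= deadline]
    if not timely:
        return None
    value, count = Counter(timely).most_common(1)[0]
    return value if count >= 2 else None


def self_checking_pair(com: Command, mon: Command) -> Optional[Command]:
    """Fail-silent alternative (COM/MON pair): the output is released only when
    both lanes agree; on any disagreement the pair stays silent (None)."""
    return com if com == mon else None


if __name__ == "__main__":
    print("field-wise :", vote_fieldwise(SLIDE_VOTES))
    print("message    :", vote_message(SLIDE_VOTES, deadline=0.020))
    print("COM/MON    :", self_checking_pair(SLIDE_VOTES[0].cmd, SLIDE_VOTES[2].cmd))
```

The whole-message voter only works if the channels see the same inputs in the same order within the spare time, which is exactly the replica determinism the slide asks for; the deadline parameter is where that temporal bound enters.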

Slide6

Voting Architecture – MIL1553 (TT)

3 redundant busses/lanes (1FT but not covering byzantine faults)

Each computer has one bus master node (bus controller)

All computers receive the messages from the other lanes where they are slave

Precise synchronization has to be done between the lanes to be able to vote (state exchange)

If one node fails then the whole lane may be lost

Voting is done in a two out of three manner

[© 2010 Data Device Corporation. Distributed and Reconfigurable Architecture for Flight Control System]

Slide7

Disadvantages

Additional point to point communication needed to ensure low latency synchronization

Multiple protocols are needed for synchronization, deterministic data, high speed data

Additional wiring needed

Software needs to take care of: precise synchronization, redundancy management, support for different protocols

Testing effort and hardware (since this is application specific)

Slide8

Copyright © TTTech Computertechnik AG. All rights reserved.

Time-Triggered Communication

Local clocks free running

Local view of global time

1. Global Notion of Time

2. Message Schedule

Slide9

Synchronization Services

Clock Synchronization Service

Startup/Restart Service

Clock Synchronization Service is executed during normal operation mode to keep the local clocks synchronized to each other.

Startup/Restart Service is executed to reach an initial synchronization of the local clocks in the system.

Integration/Reintegration Service is used for components to join an already synchronized system.

Clique Detection Services are used to detect loss of synchronization and establishment of disjoint sets of synchronized components.

Slide10

FT Synchronized Global Time

Fault-tolerant synchronization services are needed for establishing a robust global time base in the sub-microsecond area

Slide11

Permanence of PCFs

Using the transparent_clock value, a receiver can determine the “earliest safe” point in time when a PCF becomes permanent:

permanence_delay = max_transmission_delay – transparent_clock

permanence_point_in_time = receive_point_in_time + permanence_delay

Example: max_transmission_delay in this network is 0:30

frame F1 is transmitted by node A at 10:00

frame F2 is transmitted by node B at 10:05

frame F1 has a transmission delay A → C of 0:20. This is visible in F1’s transparent_clock

frame F2 has a transmission delay B → C of 0:05. This is visible in F2’s transparent_clock

receiver C sees: F2 arrives at 10:10, becomes permanent at 10:10 + (0:30 - 0:05) = 10:35

receiver C sees: F1 arrives at 10:20, F1 becomes permanent at 10:20 + (0:30 - 0:20) = 10:30

F1 becomes permanent before F2

[Figure: timeline of nodes A, B and C with labels 10:00, 10:05, 10:10, 10:20, F1, F2, Comp]
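The two permanence formulas above, carried through with the slide's numbers, as an added example (not code from the presentation or from TTTech). It computes the permanence point of each PCF from its transparent_clock and shows that the permanence order (F1 before F2) differs from the arrival order (F2 before F1). The PCF record, the "H:MM" clock notation treated as minute ticks, and the rejection of a frame whose transparent_clock exceeds max_transmission_delay are assumptions of this example.

```python
# Added example (not from the presentation or TTTech): permanence point of a
# PCF from its transparent_clock, with the slide's numbers as constructed input.
# Clock values use the slide's "H:MM" notation and are treated as minute ticks.
from typing import List, NamedTuple


def to_ticks(clock: str) -> int:
    """'10:35' -> 635 ticks."""
    hours, minutes = clock.split(":")
    return int(hours) * 60 + int(minutes)


def to_clock(ticks: int) -> str:
    """635 -> '10:35'."""
    return f"{ticks // 60}:{ticks % 60:02d}"


class PCF(NamedTuple):
    name: str
    sender: str
    send_time: str          # dispatch time at the sender (informational)
    transparent_clock: str  # delay accumulated on the path, carried in the frame
    receive_time: str       # arrival time at the receiver


# Constructed from the slide: F1 from A, F2 from B, both received by C.
SLIDE_FRAMES = [
    PCF("F1", "A", "10:00", "0:20", "10:20"),
    PCF("F2", "B", "10:05", "0:05", "10:10"),
]


def permanence_point(frame: PCF, max_transmission_delay: str) -> str:
    """permanence_delay = max_transmission_delay - transparent_clock
    permanence_point_in_time = receive_point_in_time + permanence_delay"""
    delay = to_ticks(max_transmission_delay) - to_ticks(frame.transparent_clock)
    if delay < 0:
        # A frame delayed longer than the configured bound violates the network's
        # assumptions; the receiver cannot reason about it safely, so reject it.
        raise ValueError(f"{frame.name}: transparent_clock exceeds max_transmission_delay")
    return to_clock(to_ticks(frame.receive_time) + delay)


def arrival_order(frames: List[PCF]) -> List[str]:
    """Frame names in the order they arrive (what the receiver sees first)."""
    return [f.name for f in sorted(frames, key=lambda f: to_ticks(f.receive_time))]


def permanence_order(frames: List[PCF], max_transmission_delay: str) -> List[str]:
    """Frame names in the order they become permanent, which is the order the
    receiver must act on; here it matches the send order, unlike the arrival order."""
    return [f.name for f in sorted(
        frames, key=lambda f: to_ticks(permanence_point(f, max_transmission_delay)))]


if __name__ == "__main__":
    for f in SLIDE_FRAMES:
        print(f.name, "arrives", f.receive_time, "permanent at", permanence_point(f, "0:30"))
    print("arrival order   :", arrival_order(SLIDE_FRAMES))
    print("permanence order:", permanence_order(SLIDE_FRAMES, "0:30"))
```

The receiver never needs the senders' dispatch times: the transparent_clock carried in the frame and the network-wide max_transmission_delay bound are enough to reconstruct the send order, which is what makes the permanence point "safe".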

Slide12

External Clock Synchronization

External synchronization to e.g. PPS of the fault-tolerant clock

Slide13

Time-triggered Traffic Timing

Full control of timings in the system

Defined latency and sub-microsecond jitter

Minimum memory needs

Fault-containment regions

I’ll transmit M at 10:45

I’ll accept M only between 10:40 and 10:50

I’ll forward M at 11:00

I’ll accept M only between 10:55 and 11:05

I’ll forward M at 11:10

Let’s see if I can receive M …a switch

I’ll expect M between 11:05 and 11:15

[Figure: frame M relayed hop by hop through the schedule above]
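The hop-by-hop schedule from the dialogue above, as an added example (not code from the presentation or from TTTech). Each hop accepts M only inside its acceptance window and forwards it at its own scheduled time, so a frame sent off-schedule is dropped at the first hop (the sender's fault-containment region) and a frame that arrives late but inside the window is re-timed, so its lateness does not reach the next hop. The hop names, the 2-tick link delay and the "H:MM" times treated as minute ticks are assumptions of this example.

```python
# Added example (not from the presentation or TTTech): hop-by-hop acceptance
# windows for frame M, using the slide's dialogue as the constructed schedule.
# Hop names and the 2-tick link delay are assumptions for this example.
from typing import List, NamedTuple, Optional, Tuple


def to_ticks(clock: str) -> int:
    """'10:45' -> 645 ticks (the slide's H:MM labels as minutes)."""
    hours, minutes = clock.split(":")
    return int(hours) * 60 + int(minutes)


def to_clock(ticks: int) -> str:
    return f"{ticks // 60}:{ticks % 60:02d}"


class Hop(NamedTuple):
    name: str
    accept_from: Optional[str]  # start of the acceptance window for M (None: sender)
    accept_to: Optional[str]    # end of the acceptance window
    forward_at: Optional[str]   # scheduled transmit/forward time (None: final receiver)


SCHEDULE = [
    Hop("sender", None, None, "10:45"),          # "I'll transmit M at 10:45"
    Hop("switch-1", "10:40", "10:50", "11:00"),  # accept 10:40-10:50, forward 11:00
    Hop("switch-2", "10:55", "11:05", "11:10"),  # accept 10:55-11:05, forward 11:10
    Hop("receiver", "11:05", "11:15", None),     # "I'll expect M between 11:05 and 11:15"
]

LINK_DELAY = 2  # assumed ticks from one hop's transmission to the next hop's arrival


def relay(schedule: List[Hop], actual_send_time: str,
          link_delay: int = LINK_DELAY) -> Tuple[bool, List[Tuple[str, str]]]:
    """Walk M through the hops. Each hop accepts M only inside its window and
    drops it otherwise, so a babbling or mistimed sender is contained at the
    first hop. An accepted frame leaves at the hop's own scheduled time, so a
    late arrival inside the window does not propagate as jitter.
    Returns (delivered, trace)."""
    trace = [(schedule[0].name, f"sent at {actual_send_time}")]
    t = to_ticks(actual_send_time) + link_delay
    for hop in schedule[1:]:
        if not (to_ticks(hop.accept_from) <= t <= to_ticks(hop.accept_to)):
            trace.append((hop.name, f"dropped at {to_clock(t)}"))
            return False, trace
        trace.append((hop.name, f"accepted at {to_clock(t)}"))
        if hop.forward_at is None:
            return True, trace
        t = to_ticks(hop.forward_at) + link_delay  # re-timed to the hop's schedule
    return True, trace


if __name__ == "__main__":
    for send in ("10:45", "10:48", "10:52"):
        print(send, relay(SCHEDULE, send))
```

Run with a send time of 10:52 to see the drop at switch-1; run with 10:48 to see that switch-2 still sees M at 11:02, exactly as for the on-time 10:45 transmission.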

Slide14

TTEthernet Traffic Partitioning

Slide15

Time-triggered extensions for standard switched Gigabit-Ethernet

Startup

Recovery

Robust fault-tolerant distributed clock

Extensions & Standard Ethernet

Makes Ethernet viable for safety-critical distributed applications!

Slide16

Fault-Containment Regions in TTEthernet

TTEthernet defines Switches and End Systems as two kinds of Fault-Containment Regions. Frame loss is mapped to the respective sender.

Depending on cost and reliability targets, switches and/or end systems may be implemented with standard or high integrity in order to be able to scale from single to dual fault tolerance.

Protocol mechanisms can be configured to handle Strictly Omissive Asymmetric switch faults (HI) and fully Transmissive Asymmetric end system faults (SI).

Slide17

High-Integrity: Self-Checking Pair

High integrity design: self-checking pair

Two processors execute the same function in parallel

Comparator checks the output of both processors.

If one processor fails (maliciously) and generates wrong data, the second processor shuts down.

Self-checking pair ensures fail-silence!

Slide18

Requirement: Easy “System of Systems” Fusion

SoS architecture with TTEthernet supports reconfiguration

Several separate vehicles or elements fuse into a new combined network configuration

[Figure labels: time-triggered, Priority 1, Priority 2]

Slide19

TTE-Controller

Switch Controller COM

Switch Controller MON

End System

IP/UDP

ARINC653 Partitions support in HW

CPU

Management & Diagnostics

Available in Q3/2016

Slide20

TTEthernet Products

TTE Switches A664

TTE End Systems A664

Software Tools and Development Systems

TTE COM

TTE Sync Lib (middleware)

PMC Lab

PMC Pro

SMC

6U VPX *

ARINC 653 v4.0

Linux v4.0

TTE Tools (development)

TTE Verify (for DO cert.)

Switch Controller

End System Controller

Slide21

Cross Industry

© NASA

Sikorsky S97 Raider

NASA Orion

Vestas Wind Turbines

Audi Piloted Driving

Airbus DS Ariane 6

Oil Platform

TTEthernet: Examples of Reliable Safety Critical Networks

Slide22

Conclusion

The protocol and implementation support:

Synchronization

Deterministic communication

Fault-tolerance

But also allow the flexibility of standard Ethernet

Reduces SW complexity

Space graded components are upcoming

The environment is developed cross industry (embedded SW, tools, test and development equipment)

Slide23

Any Questions?

Thank You!