
Real-Time Systems. Design Principles for Distributed Embedded Applications. Herman Kopetz. Second Edition (811374), page 51

File No. 811374: Real-Time Systems. Design Principles for Distributed Embedded Applications. Herman Kopetz. Second Edition.pdf, page 51, 2020-08-25, StudIzba

Nevertheless, instead of giving up, a never-give-up (NGU) strategy should be employed to try to bring the system back to a correct state.

It is up to quality engineering to ensure that FCUs fail independently. Even a small correlation of the failure rates of FCUs has a tremendous impact on the overall reliability of a system.

The purpose of a fault-tolerant unit (FTU) is to mask the failure of a single FCU inside the FTU. Although a failure of an FCU is masked by the fault-tolerant mechanism and is thus not visible at the user interface, a permanent failure of an FCU nevertheless reduces or eliminates any further fault-masking capability.

In a triple-modular-redundant (TMR) configuration a fault-tolerant unit (FTU) consists of three synchronized deterministic FCUs, where each FCU is composed of a voter and the computational subsystem.

A membership service consistently reports the operational state of every FTU to all operating FTUs.

In many embedded applications, the fast reintegration of a failed component is of paramount importance and must be supported by proper architectural mechanisms.

Design for robustness is not concerned with finding the detailed cause of a failure – this is the task of the diagnostic subsystem – but rather with the fast restoration of the normal system service.

In a safety-critical application a two-channel approach, in which one channel produces a result and the other channel monitors whether the result is plausible, is absolutely essential.

Bibliographic Notes

The seminal paper by Avizienis et al. [Avi04] introduces the fundamental concepts in the field of dependability and security. Anomaly detection is covered in the comprehensive survey by Chandola [Cha09] and online failure prediction is the topic of [Sal10]. The yearly DSN conference (organized by the IEEE and the IFIP WG 10.4) is the most important forum for presenting research papers in the field of dependable computing.

Review Questions and Problems

6.1 Give the precise meaning of the terms failure, error, and fault. What are the characteristics of an FCU?
6.2 What are typical permanent and transient failure rates of VLSI chips?
6.3 What is an anomaly? Why is anomaly detection important?
6.4 Why is a short recovery time from transient faults important?
6.5 What are the basic techniques for error detection? Compare ET systems and TT systems from the point of view of error detection.
6.6 What is the difference between robustness and fault tolerance? Describe the structure of a robust system!
6.7 What is the difference between a Heisenbug and a Bohrbug?
6.8 Describe the characteristics of a Byzantine failure! What is an SOS failure?
6.9 Give some examples of security threats! What is a botnet?
6.10 What is the difference between the Biba model and the Bell-LaPadula model for secure systems?
6.11 What steps must be taken in a systematic security analysis? What is a vulnerability? What is an intrusion?
6.12 What is a membership service? Give a practical example for the need of a membership service. What is the quality parameter of the membership service? How can you implement a membership service in an ET architecture?
6.13 Describe the contents of the fault hypothesis document. What is an NGU strategy?
6.14 Discuss the different types of faults that can be masked by the replication of components. Which faults cannot be masked by the replication of components?
6.15 What is required for the implementation of fault-tolerance by TMR?
6.16 What is a restart vector? Give an example.

Chapter 7
Real-Time Communication

Overview The focus of this chapter is on the architectural view of real-time communication.

The chapter commences by summarizing the requirements of a real-time communication system: low protocol latency with minimal jitter, the establishment of a global time base, fast error detection at the receiver, and the need for temporal error containment by the communication system, such that a babbling node cannot hinder the communication among the correct nodes. The next section presents a waistline model of a real-time communication system. At the center of the waist is the basic message transport service (BMTS) that transports a message from a sender to a set of receivers within a given latency and with a given reliability. In real-time systems, the tradeoff between reliability and timeliness has to remain in the hands of the application and should not be hardwired in the BMTS. The protocols above the BMTS, called higher-level protocols, implement services that require the bidirectional exchange of messages such as a simple request-reply service. The protocols below the BMTS, called lower-level protocols, implement the basic message transport service. The important topic of flow control, the different types of flow control and the phenomenon of thrashing are discussed in the following section. From the temporal point of view, three different communication services can be distinguished: event-triggered communication, rate-constrained communication, and time-triggered communication. The section on event-triggered communication contains the Ethernet protocol, the CAN protocol, and the UDP protocol from the Internet suite of protocols. Since there are no temporal constraints on the sender of event-triggered messages, it is not possible to provide temporal bounds for latency and jitter, given the limited bandwidth of any communication system. The rate-constrained protocols provide bounds for latency and jitter. The protocols covered in this section are the ARINC 629, and ARINC 684 (AFDX). The final section presents the time-triggered protocol TTP, TTEthernet, and FlexRay. These protocols require the establishment of a global time base among all communicating nodes. A cycle is assigned to every time-triggered message. The start of transmission of the message is triggered exactly when the global time reaches the start of cycle. Time-triggered communication is deterministic and well suited for the implementation of fault tolerance by the active replication of components.

H. Kopetz, Real-Time Systems: Design Principles for Distributed Embedded Applications, Real-Time Systems Series, DOI 10.1007/978-1-4419-8237-7_7, © Springer Science+Business Media, LLC 2011

7.1 Requirements

The architectural requirements for the communication infrastructure of a distributed real-time system follow from the discussion about the properties of real-time data elaborated in the previous chapters. These requirements are substantially different from the requirements of non-real-time communication services.

7.1.1 Timeliness

The most important difference between a real-time communication system and a non-real-time communication system is the requirement for short message-transport latency and minimal jitter.

Short Message-Transport Latency. The real-time duration of a distributed real-time transaction (see Sect. 1.7.3), starting with the reading of sensors and terminating with the output of the results to an actuator depends on the time needed for the computations within the components and the time needed for the message transport among the involved components. This duration should be as small as possible, such that the dead time in control loops is minimized. It follows that the worst-case message transport latency of a real-time protocol should be small.

Minimal Jitter. The jitter is the difference between the worst-case message-transport latency and the best-case message-transport latency. A large jitter has a negative effect on the duration of the action delay (see Sect. 5.5.2) and the precision of the clock-synchronization (see Sect. 3.4).

Clock Synchronization. A real-time image must be temporally accurate at the instant of use (see Sect. 5.4). In a distributed system, the temporal accuracy can only be checked if the duration between the instant of observation of an RT-entity, observed by the sensor node, and the instant of use, determined by the actuator node, can be measured. This requires the availability of a global time base of proper precision among all involved nodes. It is up to the communication system to establish such a global time and to synchronize the nodes, e.g., by following the IEEE 1588 standard for clock synchronization.

If fault tolerance is required, two independent self-checking channels must be provided to link an end system to the fault-tolerant communication infrastructure. The clock synchronization messages must be provided on both channels in order to tolerate the loss of any one of them.

7.1.2 Dependability

Communication Reliability. In real-time communication, the use of robust channel encoding, the use of error-correcting codes for forward error correction, or the deployment of diffusion based algorithms, where replicated copies of a message are sent on diverse channels (e.g., frequency hopping in wireless systems), possibly at different times, are the techniques of choice for improving the communication reliability. In many non-real-time communication systems, reliability is achieved by time redundancy, i.e., a lost message is retransmitted. This tradeoff between time and reliability increases the jitter significantly. This tradeoff should not be part of the basic message transport service (BMTS), since it is up to the application to decide if this tradeoff is desired.

Example: In the positive acknowledgment-or-retransmission (PAR) protocol, widely used in event-triggered non-real-time communication, a sender waits for a given time until it has received a positive acknowledgement message from the receiver indicating that the previous message has arrived correctly. In case the timeout elapses before the acknowledgement message arrives at the sender, the original message is retransmitted. This procedure is repeated n-times (protocol specific) before a permanent failure of the communication is reported to the sender. The jitter of the PAR protocol is substantial, since in most cases the first try will be successful, while in a few cases the message will arrive after n times the timeout value plus the worst-case message transport latency. Since the timeout value must be longer than two worst-case message transport latencies (one for the original message and one for the acknowledgment message), the jitter of PAR is longer than (2n) worst-case message-transport latencies.

Example: Consider a scenario, where a sensor component sends periodically, e.g., every millisecond, a message containing an observation of an RT entity to a control component. In case the message is corrupted or lost, it makes more sense to wait for the next message that contains a more recent observation than to implement a PAR protocol that will resend the lost message with the older observation.

Temporal Fault Containment of Components. It is impossible to maintain the communication among the correct components using a shared communication channel if the temporal errors caused by a faulty component are not contained. A shared communication channel must erect temporal firewalls that contain the temporal faults of a component (a babbling idiot), so that the communication among the components that are not directly affected by the faulty component is not compromised. This requires that the communication system holds information about the intended (permitted) temporal behavior of a component and can disconnect a component that violates its temporal specification. If this requirement is not met, a faulty component can block the communication among the correct components.

Example: A faulty component that sends continuously high-priority messages on a CAN bus will block the communication among all other correct components and thus cause a total loss of communication among the correct components.

Error Detection. A message is an atomic unit that either arrives correctly or not at all.
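The jitter bound stated in the PAR example above, carried through step by step as an added derivation that is not part of the book. The symbols are notation introduced here: n is the number of repetitions, t_timeout the timeout value, and d_max and d_min the worst-case and best-case message-transport latency; taking d_min as the latency of a successful first try is an assumption.

$$
\begin{aligned}
\text{latency}_{\text{best}} &= d_{\min} \\
\text{latency}_{\text{worst}} &= n\,t_{\text{timeout}} + d_{\max} \\
\text{jitter}_{\text{PAR}} &= \text{latency}_{\text{worst}} - \text{latency}_{\text{best}} = n\,t_{\text{timeout}} + (d_{\max} - d_{\min}) \\
t_{\text{timeout}} > 2\,d_{\max} \;&\Rightarrow\; \text{jitter}_{\text{PAR}} > 2n\,d_{\max} + (d_{\max} - d_{\min}) \ge 2n\,d_{\max}
\end{aligned}
$$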
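The temporal firewall described under Temporal Fault Containment of Components, as an added example that is not taken from the book: a guardian holds each node's permitted sending rate and disconnects a node that violates it, so the traffic of the correct nodes is unaffected. The token-bucket form of the temporal specification, the names guard_port, guard_admit and run_trace, and the trace itself are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define NODES 3

/* Assumed per-node temporal specification (illustrative names): one frame
 * per min_gap_us on average, at most `burst` frames back to back. */
typedef struct {
    uint32_t min_gap_us;   /* permitted minimum inter-arrival time */
    uint32_t burst;        /* credit ceiling */
    uint32_t tokens;       /* current credit, 0..burst */
    uint64_t last_refill;  /* instant up to which credit was granted */
    bool disconnected;     /* latched once the specification is violated */
} guard_port;
typedef struct { uint32_t fwd[NODES]; guard_port port[NODES]; } trace_result;

/* Guardian decision: true if the frame may pass to the shared channel. */
static bool guard_admit(guard_port *p, uint64_t now_us) {
    if (p->disconnected) return false;
    uint64_t earned = (now_us - p->last_refill) / p->min_gap_us;
    uint64_t credit = p->tokens + earned;
    p->tokens = credit > p->burst ? p->burst : (uint32_t)credit;
    p->last_refill += earned * p->min_gap_us;
    if (p->tokens == 0) {        /* sender exceeded its permitted rate */
        p->disconnected = true;  /* isolate it; other ports are untouched */
        return false;
    }
    p->tokens--;
    return true;
}

/* Constructed trace: nodes 0 and 1 send every 1000 us as specified,
 * node 2 babbles every 10 us. Returns frames admitted and port states. */
static trace_result run_trace(uint64_t end_us) {
    const uint32_t period_us[NODES] = {1000, 1000, 10};
    trace_result r = {0};
    for (int n = 0; n < NODES; n++)
        r.port[n] = (guard_port){1000, 2, 2, 0, false};
    for (uint64_t t = 0; t < end_us; t += 10)
        for (int n = 0; n < NODES; n++)
            if (t % period_us[n] == 0 && guard_admit(&r.port[n], t))
                r.fwd[n]++;
    return r;
}

int main(void) {
    trace_result r = run_trace(10000);
    for (int n = 0; n < NODES; n++)
        printf("node %d: forwarded=%u disconnected=%d\n", n,
               (unsigned)r.fwd[n], r.port[n].disconnected);
}
```

Over the 10 ms trace the two correct nodes get all of their frames through, while the babbling node is cut off after exhausting its burst credit.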
