Real-Time Systems. Design Principles for Distributed Embedded Applications. Hermann Kopetz. Second Edition (811374), page 56
3.9). This tight phase control is also performed if a cascade of switches must be traversed by a time-triggered message.

Example: In the smart power grid timely end-to-end transport guarantees must be provided over an entire grid [Ter11]. Time-triggered communication minimizes the transport delay, supports fault-tolerance, and thus enables the realization of tight direct digital control loops over a wide area.

7.5.1 Time-Triggered Protocol

The Time-Triggered Protocol TTP, following the CA-TCCS schema, integrates time-triggered communication, temporal error detection, a fault-tolerant clock-synchronization service, and a membership service in a single protocol with minimal protocol overhead [Kop93].
The system integrator must set up the parameters for the transmission slots of the end systems a priori. Event-triggered communication can be implemented by an overlay protocol on top of TTP.

Fault-tolerant clock synchronization is achieved by taking the difference between the measured and specified arrival time of every message as a measure for the difference of the clocks of the sender and receiver and by applying the fault-tolerant average algorithm (see Sect. 3.4.3) on these differences to calculate a correction factor for each local clock.

The membership service of TTP informs all connected nodes about the health state of every cluster node and of the violation of the fault-hypothesis (should it occur) such that a never-give-up (NGU) strategy can be activated quickly.
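The clock-synchronization step described above, worked through as an added example (this is not code from the book or from any TTP implementation): each receiver turns the deviation between measured and specified arrival instants into a per-sender clock difference, and the fault-tolerant average discards the k largest and k smallest values before averaging. The node names, the slot schedule, the arrival instants and the sign convention (a positive deviation means the sender's clock lags the receiver's) are assumptions of the example.

```python
# Added example, not from the book: fault-tolerant average (FTA) clock
# correction built from message arrival-time deviations. Node names, slot
# times, arrival times and the sign convention below are constructed.

def arrival_deviation(measured_arrival, specified_arrival):
    """Deviation of one message as seen by the receiver (microseconds).

    Sign convention assumed here: a positive value means the message arrived
    later than the a-priori schedule said, i.e. the sender's clock lags ours.
    """
    return measured_arrival - specified_arrival


def fta_average(deviations, k):
    """Fault-tolerant average: drop the k largest and k smallest values and
    average the remainder. Tolerates up to k arbitrarily wrong (Byzantine)
    deviations provided at least 3k+1 values are present."""
    n = len(deviations)
    if n < 3 * k + 1:
        raise ValueError(f"need at least {3 * k + 1} deviations to tolerate {k} faults, got {n}")
    trimmed = sorted(deviations)[k:n - k]
    return sum(trimmed) / len(trimmed)


def resynchronize(local_time, peer_deviations, k):
    """Return the corrected local clock value.

    peer_deviations: one deviation per *other* node from arrival_deviation().
    The node's own deviation is 0 and takes part in the average, as in FTA.
    """
    estimated_lead = fta_average([0.0] + list(peer_deviations), k)
    # If the ensemble lags us by `estimated_lead`, we are ahead by that much.
    return local_time - estimated_lead


if __name__ == "__main__":
    # Constructed round: specified arrival instants from the a-priori schedule
    # versus arrival instants measured with the local clock (microseconds).
    schedule = {"nodeB": 1000.0, "nodeC": 2000.0, "nodeD": 3000.0}
    measured = {"nodeB": 1003.0, "nodeC": 1998.0, "nodeD": 3040.0}  # nodeD is far off
    devs = [arrival_deviation(measured[n], schedule[n]) for n in schedule]
    print("deviations:", devs)                            # [3.0, -2.0, 40.0]
    print("FTA lead  :", fta_average([0.0] + devs, k=1))  # 1.5, nodeD discarded
    print("corrected :", resynchronize(4000.0, devs, k=1))  # 3998.5
```

With k = 1 and four clocks, one wildly wrong deviation (node D above, or a negative outlier) is always among the discarded extremes, so a single faulty clock can shift the correction only within the spread of the correct ones; the 3k+1 check is what makes that guarantee hold.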
The membership is encoded in a membership vector that contains as many bits as there are nodes in a cluster. A specified bit position of the membership vector is assigned to each node. When this bit is set to TRUE, the node is operating; if this bit is set to FALSE, the node is not operating correctly. The membership instant of a node is the periodic send instant of a message by this node. The state of a TTP controller (C-state) consists of the current time and the node membership vector.
To enforce agreement on the C-state of all nodes of an ensemble, TTP calculates the CRC at the sender over the message contents concatenated with the C-state of the sender. The CRC at the receiver is calculated from the received message contents concatenated with the C-state of the receiver. If the result of the CRC check at the receiver is negative, then either the message was corrupted during transmission or there is a disagreement between the C-states of the sender and receiver.
In both cases, the message is discarded and the receiving node assumes that the sender has been faulty. We call this assumption the self-confidence principle. The self-confidence principle ensures that a single faulty node cannot kill a correct node in a system that is assumed to contain at most one faulty node.

If, in the above scenario, the sender has been correct – all other working nodes have received the message correctly – then the receiving node must have been faulty. An algorithm must tolerate that a faulty node makes further faulty decisions. It will send a message with a wrong membership vector and will be taken out of the membership by all other working nodes. If the receiving node had been right, a correct decision would have been taken and the sender of the original message would have been taken out of the membership.
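The C-state agreement check and the self-confidence scenario of the last three paragraphs, as an added example (not TTP's real frame layout, CRC polynomial or controller code): the CRC is computed over message || C-state, only message and CRC go on the wire, and a receiver whose C-state differs sees exactly the same failure as a corrupted message. The four-node cluster, node ids, time value, C-state layout and payloads are constructed for the example.

```python
# Added example, not TTP's real frame layout or CRC polynomial: it shows how a
# CRC computed over message || C-state turns a C-state disagreement into a CRC
# failure, and how the self-confidence principle then acts on it. The 4-node
# cluster, node ids, time values and payloads are constructed.
import struct
import zlib

N_NODES = 4  # constructed cluster size: one membership bit per node


def cstate_bytes(current_time, membership):
    """Encode the controller state (C-state): current time plus membership vector.
    Layout assumed for this example: 32-bit time, 8-bit membership vector."""
    return struct.pack(">IB", current_time & 0xFFFFFFFF, membership & 0xFF)


def build_frame(payload, current_time, membership):
    """Sender side. The CRC covers payload || C-state, but only payload and CRC
    go on the wire: the C-state is implicit and must be reproduced by the receiver."""
    crc = zlib.crc32(payload + cstate_bytes(current_time, membership))
    return payload + struct.pack(">I", crc)


def check_frame(frame, current_time, membership):
    """Receiver side: recompute the CRC with the receiver's *own* C-state.
    Returns the payload on agreement, None on corruption or C-state disagreement;
    the two cases are deliberately indistinguishable."""
    payload, crc_rx = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    crc_local = zlib.crc32(payload + cstate_bytes(current_time, membership))
    return payload if crc_local == crc_rx else None


def is_member(membership, node_id):
    return bool((membership >> node_id) & 1)


class Node:
    def __init__(self, node_id, current_time, membership):
        self.node_id, self.time, self.membership = node_id, current_time, membership

    def receive(self, frame, sender_id):
        """Self-confidence principle: a failed check is attributed to the sender,
        whose membership bit is cleared; the receiver trusts its own state."""
        payload = check_frame(frame, self.time, self.membership)
        if payload is None:
            self.membership &= ~(1 << sender_id)
        return payload


def demo():
    """Walk through the scenario in the text; returns the final membership
    vectors of nodes a, b and c."""
    all_up = (1 << N_NODES) - 1            # 0b1111: every node operating
    t = 5000                               # constructed global time (ticks)
    a = Node(0, t, all_up)
    b = Node(1, t, all_up)
    c = Node(2, t, all_up & ~(1 << 3))     # c wrongly believes node 3 is down

    frame = build_frame(b"speed=42", t, all_up)      # sent by node 0 (a)
    b.receive(frame, 0)                              # agrees -> accepted
    c.receive(frame, 0)                              # disagrees -> discarded, c drops a

    # c's next frame carries its wrong membership vector; it fails the check at
    # every correct node, and they take c out of the membership.
    bad = build_frame(b"temp=21", t, c.membership)
    a.receive(bad, 2)
    b.receive(bad, 2)
    return a.membership, b.membership, c.membership
```

Because the current time is part of the C-state, a receiver whose clock has drifted out of the agreed granularity fails the check in the same way as one with a wrong membership vector; this is why the clock-synchronization and membership services are coupled in the protocol, and why the self-confidence decision must be taken by every correct node consistently.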
TTP operates on two physical channels and has an independent bus guardian at every node that protects the bus from babbling idiots – even a faulty node can send a message during its assigned time slot only. It fails silently outside its time slot.

Considering the services TTP provides, it is a very data-efficient protocol well suited for applications that require a frequent update of short real-time data elements.
Examples of such applications are industrial controls or the control of robot movements. TTP has been formally certified for use in airborne systems [Rus99]. It is deployed in the A380 and the Boeing 787 aircraft and other aerospace and industrial control applications. TTP was standardized in 2011 by the Society of Automotive Engineers (SAE) and is in the standardization process by ARINC.

7.5.2 Time-Triggered Ethernet

Time-Triggered Ethernet (TTEthernet) is an extension of the switched Ethernet standard IEEE 802.3 that supports standard Ethernet traffic on one side and provides a deterministic message transport on the other side [Kop08]. While the protocol controllers of the end systems can be standard Ethernet controllers, a TTEthernet switch distinguishes two message classes, the standard (event-triggered) Ethernet messages (ET-messages) and the deterministic time-triggered messages (TT-messages).
Both ET-message and TT-message formats are fully compliant with the Ethernet standard. The distinction between ET-messages and TT-messages can be made on the basis of the contents of the standard Ethernet type field or on other information in the standard Ethernet header (e.g., the address fields). The TTEthernet switch transports TT-messages with a constant small delay without intermediate storage in buffers, while ET-messages are transported during the time intervals when no TT traffic is occurring. In case of a conflict between an ET-message and a TT-message, different conflict resolution strategies are applied.

The entry-level TTEthernet system, a 100 Mbit/s system, recognizes TT-messages based on the contents of the standard Ethernet type field and preempts an ET-message that is in its way, employing the P-TCCS strategy.
After the transport of the TT-message has been finished, the preempted ET-message is retransmitted autonomously by the entry-level TTEthernet switch. The entry-level TTEthernet switch is stateless and does not require any parameterization on startup. It is up to the end systems to arrive at a conflict-free schedule for all TT-messages. The entry-level TTEthernet system does not protect the communication system from babbling end systems, because it is stateless and does not know what the intended correct temporal behavior of an end system is.

Normal TTEthernet switches are parameterized with state information that informs the switch about the periods and phases, the cycles, and the length of all time-triggered messages. Normal TTEthernet protects the communication system from babbling end systems. Since the switch has knowledge about the cycles of all TT-messages, it can deploy the CA-TCCS strategy and shift the transmission of an ET-message to its final destination such that a conflict with any TT-message is avoided.
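The two switch behaviours just described, side by side as an added example (a toy model, not TTEthernet's own implementation): the stateless entry-level switch lets an ET frame start at once and preempts it whenever a TT frame appears (P-TCCS), whereas a parameterized switch knows the TT schedule, can drop a TT frame that arrives outside its slot (the babbling-end-system case) and shifts an ET frame into a gap where it cannot collide with any TT frame (CA-TCCS). The schedule, the tolerance window and all frame times are constructed, in microseconds.

```python
# Added example, not TTEthernet's own implementation: a toy model contrasting
# the stateless entry-level switch (P-TCCS: preempt the ET frame, resend it
# afterwards) with a parameterized switch (CA-TCCS: police TT frames against
# the configured schedule, shift ET frames into the gaps). The schedule, the
# tolerance window and every frame time below are constructed; units are µs.
from math import floor

# Constructed TT schedule: msg_id -> (period, phase, transmission length)
TT_SCHEDULE = {
    "tt_ctrl":   (1000.0,   0.0, 100.0),
    "tt_sensor": (1000.0, 500.0,  50.0),
}


def tt_intervals(schedule, t_from, t_to):
    """Sorted (start, end, msg_id) intervals occupied by TT frames within [t_from, t_to)."""
    out = []
    for msg_id, (period, phase, length) in schedule.items():
        n = max(0, floor((t_from - phase - length) / period))  # first instance that can overlap
        start = phase + n * period
        while start < t_to:
            if start + length > t_from:
                out.append((start, start + length, msg_id))
            start += period
    return sorted(out)


def police_tt(schedule, msg_id, arrival, tolerance=2.0):
    """Parameterized switch only: accept a TT frame if it arrives inside its own
    slot. Unknown ids and out-of-slot frames are dropped, which is what keeps a
    babbling end system from disturbing the other TT flows. The tolerance stands
    in for the clock-synchronization precision (assumed value)."""
    if msg_id not in schedule:
        return False
    period, phase, _ = schedule[msg_id]
    offset = (arrival - phase) % period
    return offset <= tolerance or offset >= period - tolerance


def _horizon(schedule, arrival, length):
    """Search window: two longest periods are enough to see every gap once."""
    return arrival + length + 2 * max(p for p, _, _ in schedule.values())


def shift_et(schedule, arrival, length):
    """CA-TCCS: earliest start >= arrival at which an ET frame of `length` fits
    entirely between TT transmissions, so no TT frame is ever disturbed."""
    horizon = _horizon(schedule, arrival, length)
    start = arrival
    for s, e, _ in tt_intervals(schedule, arrival, horizon):
        if start + length <= s:
            return start             # fits before this TT frame
        start = max(start, e)        # otherwise wait until it is through
    if start + length <= horizon:
        return start
    raise RuntimeError("ET frame longer than any gap in the TT schedule")


def preempt_et(schedule, arrival, length):
    """P-TCCS (entry-level switch): the ET frame starts immediately, is cut off by
    any TT frame that begins while it is on the wire, and is retransmitted from
    the beginning afterwards. Returns (completion, preemptions, wasted wire time)."""
    horizon = _horizon(schedule, arrival, length)
    start, preemptions, wasted = arrival, 0, 0.0
    for s, e, _ in tt_intervals(schedule, arrival, horizon):
        if e <= start:
            continue                 # already over before we (re)start
        if s >= start + length:
            break                    # ET frame completes before the next TT frame
        if s > start:
            preemptions += 1         # the partial ET transmission is thrown away
            wasted += s - start
        start = e                    # retransmit from scratch after the TT frame
    return start + length, preemptions, wasted
```

Both strategies deliver the ET frame, but only the parameterized switch can refuse a TT frame that is early, late or simply unscheduled, and only it knows in advance whether an ET frame will ever fit (shift_et raises for a frame longer than every gap, which the stateless switch would keep preempting and resending).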
In some TTEthernet switches, the message schedules can be changed dynamically during the operation of the system.

Fault-tolerant TTEthernet switches provide redundant channels for the implementation of fault-tolerant systems. A fault-tolerant clock synchronization establishes the required global time of sub-microsecond precision. The determinism makes the fault-tolerant TTEthernet the communication system of choice for the implementation of fault-tolerant systems.

TTEthernet switches support transmission speeds of 100 Mbit/s and 1 Gbit/s. Some TTEthernet switches are certified to the highest-criticality class of Table 11.1. TTEthernet is in the process of standardization by ARINC. TTEthernet has been selected as the backbone communication system for the NASA Orion Program [McC09].

7.5.3 FlexRay

FlexRay is a communication protocol for automotive applications that has been designed by the FlexRay consortium [Ber01].
FlexRay is a combination of two protocols, a time-triggered protocol with fault-tolerant clock synchronization that is similar to TTP but without the membership service, and an event-triggered protocol that is similar to the ARINC 629 mini-slotting protocol but without the waiting-room facility. The system integrator must partition the time into two successive intervals, one for the time-triggered communication and the other one for the event-triggered communication, and set the parameters for the system operation accordingly. At present FlexRay is deployed in some car models of Audi and BMW.

Points to Remember

- The architectural requirements for the communication infrastructure of a distributed real-time system follow from the properties of real-time data that must be temporally accurate at the instant of use.
- A jitter of the message delay has a negative effect on the duration of the action delay and the precision of the clock synchronization.
- A shared communication system must detect and contain the temporal faults of any component (a babbling idiot), so that the communication among the components that are not directly affected by the faulty component is not compromised.
- The result of the intended physical action in the environment that is observed by a sensor component is the final end-to-end acknowledgement of an outgoing message.
- The behavior of a real-time communication system should be deterministic such that the order of messages is the same on all channels and the instants of message arrival of replicated messages that travel on redundant independent channels are close together.
- The communication topology in distributed real-time systems is multicast, not point-to-point. The same image of an RT entity is needed at a number of different components, e.g., at the man-machine interface, at a process-model component, and at an alarm-monitoring component.
- The basic message transport service (BMTS) that is provided at the architecture level is at the waist of a waistline model. The BMTS is implemented by (hidden) low-level protocols and is used to construct application-specific high-level protocols.
- Whenever a BMTS message has been sent across the Internet, we don't know what types and how many different low-level protocols have been activated.
- If an exactly-once semantics must be implemented, a high-level protocol that uses two or more BMTS messages must be provided.
- If the message length is less than the bit length of the channel, then the best channel utilization that can be realized with any media access protocol on a shared channel, such as a bus, is less than 50%.
- Implicit flow-control is the most appropriate flow-control strategy for the exchange of real-time data.
- Whenever queues are involved in a scenario, the possibility of queue overflow must be considered.
- In real-time systems, the tradeoff between reliability and jitter should be performed at the application level.
- Time-triggered communication resembles time-controlled circuit switching (TCCS), where a time-controlled dedicated channel between the sender and receiver is established for the short duration of a single message transport.
- TTP integrates time-triggered communication, temporal error detection, a fault-tolerant clock-synchronization service, and a membership service in a single protocol with minimal protocol overhead.
- The self-confidence principle ensures that a single faulty node cannot kill a correct node in a system that is assumed to contain at most one faulty node.
- TTEthernet is an extension of the switched Ethernet standard IEEE 802.3 where standard (event-triggered) Ethernet messages (ET-messages) and time-triggered Ethernet messages (TT-messages) are supported.

Bibliographic Notes

The requirements for distributed safety-critical real-time systems onboard vehicles are analyzed in the SAE report J20056/1 "Class C Application Requirements" [SAE95].
An interesting report about a Comparison of Bus Architectures for Safety-Critical Embedded Systems has been published by NASA [Rus03]. A rationale for the design of time-triggered Ethernet is published in [Kop08].

Review Questions and Problems

7.1 Compare the requirements of real-time communication systems with those of non-real-time communication systems. What are the most significant differences?
7.2 Why are application-specific end-to-end protocols needed at the interface between the computer system and the controlled object?
7.3 Describe the different flow-control strategies.