Real-Time Systems. Design Principles for Distributed Embedded Applications. Hermann Kopetz. Second Edition (811374), page 94
4 is the primitive structure element of the time-triggered architecture. A TTA component is a self-contained hardware/software unit that interacts with its environment solely by the exchange of messages. A component is a unit of design and a unit of fault-containment (FCU). The message-based linking interfaces (LIF) of a component are precisely specified in the domains of time and value and are agnostic about the concrete implementation technology of a component. A component can be used on the basis of its interface specification without knowing the internals of the component's implementation. The time-triggered integration framework of the TTA ensures that real-time transactions that span over more than one component have defined end-to-end temporal properties. In a time-critical RT-transaction, the computations of the components and the message transport by the time-triggered communication system can be phase-aligned.

It is a principle of the TTA that a component can be expanded to a new cluster without changing the specification of the LIF of the original component, which becomes the external LIF of the new cluster. After such an expansion, the external LIF is provided by a gateway component that supports, on its other side, a second LIF to the new (expanded) cluster (the cluster LIF).

Example: Viewed from the in-car cluster, the gateway component of the in-car cluster in the lower right corner of Fig. 4.1 has two interfaces, the cluster LIF at its upper side and the external LIF at its lower side. At the external LIF only those information items from the in-car cluster are made available to other cars that are relevant for the safe coordination of the traffic.

We thus have a recursive component concept in the TTA. Depending on the point of view taken, a set of components can be viewed as a cluster (focus on the cluster LIF of the gateway component) or as a single component (focus on the external LIF of the gateway component). This recursive component concept makes it possible to build well-structured systems of arbitrary size within the TTA.

Components can be integrated to form hierarchical structures or network structures. In a hierarchical structure, a designated gateway component links different levels of the hierarchy. We now take the view from the lower level of the hierarchy. The designated gateway component has two LIFs, one to the lower level of the hierarchy (the cluster LIF) and another one to the higher level of the hierarchy (the external LIF). Since the different hierarchical levels can obey different architectural styles, the designated gateway component must resolve the ensuing property mismatches. The external LIF of the gateway component, viewed from the lower level, is a local unspecified interface of the cluster. Vice versa, the cluster LIF of the gateway component becomes a local unspecified interface when viewed from above.

Example: In a TTMPSoC (Time-Triggered MultiProcessor on a Chip) the primitive element is an IP-core (Intellectual Property core). An IP-core implements a self-contained component. The set of IP-cores on the chip forms a cluster of components that are connected by a time-triggered network on chip (TTNoC). A gateway IP-core has (in addition to the cluster LIF) an external LIF that connects the chip to the outside world. From the point of view of the outside world, the external LIF of the gateway IP-core can be considered an interface to the chip component, i.e., the whole TTMPSoC. At a higher level, a cluster of chip components forms a device component, and so on.

If a cluster is linked by two (or more) gateway components to two (or more) other clusters, flat network structures can be created. In such a flat network structure, a gateway component can filter the information that is available within a particular cluster and present at its external LIF only those information items that are relevant for the services of the respective connected cluster.

14.2.3 Coherent Communication

The only communication mechanism of the TTA is the unidirectional BMTS (basic message transport service), which follows, whenever possible, the fate-sharing model of the Internet.
The fate-sharing model was formulated by David Clark, an architect of the DARPA net, as follows: "The fate-sharing model suggests that it is acceptable to lose the state information associated with an entity if, at the same time, the entity itself is lost" [Cla88, p. 3]. The fate-sharing principle demands that all state information associated with a message transfer must be stored in the endpoints of the communication. Even in the design of the time-triggered network-on-chip (TTNoC), described in Sect. 14.4, the fate-sharing principle was considered. The fate-sharing principle can be applied in a safety-critical configuration if the end systems are guaranteed to be fail-silent. Otherwise, information about the intended temporal behavior of the end systems must also be stored in an independent FCU, a guardian or the network itself, to contain the faulty behavior of a babbling node (see also Sect. 6.1.2).

As long as the different subsystems of the TTA are connected by time-triggered communication systems, such as the TTNoC, TTP, or TTEthernet, the BMTS is characterized by a constant transport delay and a jitter of at most one granule of the global time. If a message is transported via an event-triggered protocol (e.g., in the Internet), no such temporal guarantee can be given.

This single coherent communication mechanism makes it possible to move a component (which can be an IP-core of a system-on-chip) to another physical location without changing the basic communication mechanism among the components.

14.2.4 Dependability

The architectural style of the TTA is strongly influenced by dependability concerns, such that secure, robust, and maintainable embedded systems can be built with reasonable effort.
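The guardian of Sect. 14.2.3 is one concrete form of the temporal fault containment that the first principle listed below relies on. The following simulation is an added example, not code from the book or from any TTA implementation: a three-node TDMA round, two fail-silent nodes that send only at their slot start, one babbling node that sends in every granule, and a guardian that holds the schedule in an independent FCU and forwards only in-slot frames. Round length, slot length, transport delay, node names and the schedule are assumed values chosen for this example.

```python
"""Added illustration (not from the book): a TDMA round of a time-triggered
BMTS with a guardian that stores every node's intended temporal behaviour and
drops frames sent outside the sender's slot.  Constants, node names and the
schedule are assumptions for this example."""
from dataclasses import dataclass

# Global time is counted in granules; the numbers below are assumed.
ROUND = 8    # granules per TDMA round
SLOT = 2     # granules a node may transmit per round
DELAY = 3    # constant transport delay of the time-triggered BMTS, in granules
SCHEDULE = {"A": 0, "B": 2, "C": 4}   # node -> start of its slot within the round


@dataclass(frozen=True)
class Frame:
    sender: str
    send_time: int   # granule of the global time at which the frame was put on the bus
    payload: str


def in_own_slot(frame, schedule=SCHEDULE):
    """True if the frame was sent inside its sender's assigned slot."""
    start = schedule.get(frame.sender)
    if start is None:                # unknown node: no slot, never forwarded
        return False
    phase = frame.send_time % ROUND
    return start <= phase < start + SLOT


def guardian(frames, schedule=SCHEDULE):
    """Independent FCU: forwards in-slot frames and blocks everything else.
    It judges only the time domain; a value-domain fault committed inside a
    node's own slot passes through and must be masked by the receivers."""
    forwarded = [f for f in frames if in_own_slot(f, schedule)]
    blocked = [f for f in frames if not in_own_slot(f, schedule)]
    return forwarded, blocked


def correct_node(name, rounds, schedule=SCHEDULE):
    """A fail-silent node sends exactly once per round, at its slot start."""
    return [Frame(name, r * ROUND + schedule[name], f"{name}#{r}") for r in range(rounds)]


def babbling_node(name, rounds):
    """A babbling idiot: transmits in every granule, ignoring the schedule."""
    return [Frame(name, t, f"{name}-noise@{t}") for t in range(rounds * ROUND)]


def collisions(frames, schedule=SCHEDULE):
    """Count frames that land in some *other* node's slot, i.e. what reaches
    the bus when no guardian enforces the schedule."""
    n = 0
    for f in frames:
        phase = f.send_time % ROUND
        for node, start in schedule.items():
            if node != f.sender and start <= phase < start + SLOT:
                n += 1
    return n


def deliver(frames, delay=DELAY):
    """Time-triggered transport: every forwarded frame arrives after the same delay."""
    return [(f, f.send_time + delay) for f in frames]


def max_jitter(deliveries):
    """Spread of the observed transport delays.  In this granule-quantised model
    it is 0; in a real system it is bounded by one granule of the global time."""
    delays = [arrival - f.send_time for f, arrival in deliveries]
    return max(delays) - min(delays) if delays else 0


def simulate(rounds=3, babbler="C"):
    traffic = []
    for node in SCHEDULE:
        traffic += babbling_node(node, rounds) if node == babbler else correct_node(node, rounds)
    traffic.sort(key=lambda f: f.send_time)
    forwarded, blocked = guardian(traffic)
    delivered = deliver(forwarded)
    return {
        "offered": len(traffic),
        "forwarded": len(forwarded),
        "blocked": len(blocked),
        "collisions_without_guardian": collisions(traffic),
        "collisions_with_guardian": collisions(forwarded),
        "jitter": max_jitter(delivered),
        "babbler_frames_delivered": sum(1 for f, _ in delivered if f.sender == babbler),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With the assumed schedule the babbler offers 24 frames in three rounds; 18 of them would have overwritten other nodes' slots (12 collisions) had the guardian not held the schedule, while the 6 frames it sends inside its own slot are still delivered. This is exactly the point of the text: fate-sharing alone suffices only for fail-silent end systems, and the guardian can contain a temporal failure but not a wrong value sent on time.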
The following principles of the TTA support the construction of dependable systems:

• A component is a fault-containment unit (FCU). Temporal failures of components are contained at the component boundaries by the time-triggered communication system.
• The BMTS is multicast. An independent diagnostic component can observe the behavior at the component LIF without probe effects.
• The BMTS and the basic system component services avoid NDDC (non-deterministic design constructs), so it is possible to build systems with deterministic behavior in the TTA.
• Fault-tolerant units (FTU) of replicated deterministic components can be formed to mask an arbitrary fault in any one of the components.
• Components publish their ground state periodically, so that a diagnostic component can monitor the plausibility of the ground state, detect anomalies, and initiate a reset and restart of a component in case of a ground-state corruption caused by a transient fault. This principle helps to improve the system robustness.
• The available global time can be used to strengthen the security protocols.
• The recursive component concept improves the evolution of a system, since new functions can be implemented by expanding a single component into a new cluster of components, without changing the properties of the external LIF of the new cluster.
• Every TTA system that is connected to the Internet should support a secure download service so that a new software version of any component can be downloaded automatically.

14.2.5 Time-Aware Architecture

The time-triggered architecture provides the framework for the design of a dependable monolithic real-time system. If we link TTA systems, designed by different organizations, to form a system of systems (SoS), then the design rules must be relaxed in order to match the realities of widely distributed systems that interact by event-messages across the Internet (see also Sect. 4.7.3). If each one of the autonomous constituent systems of an SoS has access to a synchronized global time of known precision, then we call such an SoS a time-aware architecture (TAA). With today's technology it is relatively easy to implement a TAA: at every site, a GPS receiver captures the worldwide time signal and synchronizes the clocks at the different sites of the TAA. Although a TAA is not time-triggered, it can still accrue many of the advantages of a global time listed in Sect. 14.2.1, provided all messages contain the time-stamp of the sender in their data field.

14.3 Services of the TTA

14.3.1 Component-Based Services

The TTA provides the platform and platform services for the integration of components.
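To illustrate the remark in Sect. 14.2.4 that the global time can strengthen security protocols, together with the TAA rule of Sect. 14.2.5 that every message carries the sender's time-stamp in its data field, the following is an added example, not code from the book or from any TTA implementation. It combines a shared-key HMAC with a freshness window derived from the precision Π of the global time, so that a receiver rejects stale, future-dated and replayed messages without a challenge-response round trip. The key, the precision and delay bounds, the message layout and the acceptance rule are assumptions of this example.

```python
"""Added illustration (not from the book): using the synchronized global time of
a time-aware architecture to strengthen message authentication.  Every message
carries the sender's global time-stamp; the receiver accepts it only if the
tag verifies, the time-stamp is fresh relative to the receiver's own clock
within the known precision, and the (sender, time-stamp) pair is new.  Key,
bounds and message layout are assumptions for this example."""
import hashlib
import hmac
from dataclasses import dataclass

PRECISION = 2      # Pi: max deviation between two synchronized clocks, in granules (assumed)
MAX_DELAY = 20     # oldest send time-stamp still accepted, relative to the receiver (assumed)
KEY = b"constructed-shared-key"   # constructed for the example; real systems distribute keys per component


@dataclass(frozen=True)
class Message:
    sender: str
    send_ts: int      # sender's reading of the global time, part of the data field
    payload: bytes
    tag: bytes        # HMAC over (sender, send_ts, payload)


def _mac(sender, send_ts, payload, key=KEY):
    data = sender.encode() + b"|" + str(send_ts).encode() + b"|" + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def send(sender, now, payload, key=KEY):
    """Sender side: stamp the message with the current global time and tag it."""
    return Message(sender, now, payload, _mac(sender, now, payload, key))


class Receiver:
    def __init__(self, key=KEY, precision=PRECISION, max_delay=MAX_DELAY):
        self.key, self.precision, self.max_delay = key, precision, max_delay
        self.seen = set()   # (sender, send_ts) pairs inside the acceptance window

    def _prune(self, now):
        """Forget pairs that can no longer be accepted anyway (bounded memory)."""
        horizon = now - self.max_delay - self.precision
        self.seen = {k for k in self.seen if k[1] >= horizon}

    def accept(self, msg, now):
        """Return (accepted, reason).  `now` is the receiver's reading of the global time."""
        # 1. authenticity first: an unauthenticated message must not touch any state
        expected = _mac(msg.sender, msg.send_ts, msg.payload, self.key)
        if not hmac.compare_digest(msg.tag, expected):
            return False, "bad MAC"
        # 2. a time-stamp ahead of our clock by more than the precision cannot be genuine
        if msg.send_ts > now + self.precision:
            return False, "time-stamp from the future"
        # 3. older than the accepted delay (plus precision) is stale: delayed or replayed
        if now - msg.send_ts > self.max_delay + self.precision:
            return False, "stale"
        # 4. inside the window, each (sender, time-stamp) pair may be accepted once
        self._prune(now)
        if (msg.sender, msg.send_ts) in self.seen:
            return False, "replay"
        self.seen.add((msg.sender, msg.send_ts))
        return True, "ok"


def demo():
    """Constructed exchange between two TAA sites; returns the receiver's verdicts."""
    rx = Receiver()
    m = send("carA", now=100, payload=b"brake=0.7")
    results = [
        rx.accept(m, now=103),                                        # fresh, first time
        rx.accept(m, now=110),                                        # same message again
        rx.accept(send("carA", 100, b"brake=0.7"), now=200),          # far outside the window
        rx.accept(send("carA", 150, b"x"), now=140),                  # sender clock ahead by > Pi
        rx.accept(Message("carA", 141, b"brake=0.1", m.tag), now=142),  # old tag on new content
        rx.accept(send("carA", 141, b"brake=0.1"), now=143),          # new time-stamp, accepted
    ]
    return [reason for _, reason in results]


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the design. A sender must emit at most one message per granule, or add a sequence number to the authenticated data, because the replay filter treats two distinct messages with the same (sender, time-stamp) pair as a replay. And the freshness check is only as trustworthy as the time source feeding both clocks: an attacker who can shift a site's notion of the global time (for example by interfering with its GPS receiver) shifts the acceptance window with it, so the time distribution is part of the protocol's trust base.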