Real-Time Systems. Design Principles for Distributed Embedded Applications. Hermann Kopetz. Second Edition (811374), page 96
A gateway component must resolve the property mismatches that exist between the inner world of a cluster and the external world. In particular, a gateway component has to provide one or more of the following services [Obm09, p. 76]:

- Control of the physical interface (mechanical and electrical) to the physical plant.
- Protocol translation. The protocol at the external interface has to conform to the given LIF standards of the environment, while the cluster LIF determines the protocol at the inner interface.
- Address mapping. While the address space inside the cluster is constrained, the name space of the environment, e.g., the Internet, is wide open. The gateway component has to map internal addresses to outer addresses.
- Name translation. The name spaces within a cluster and the outside world are in many cases incoherent. The gateway component must resolve this incoherency.
- External clock synchronization. The outer interface of a gateway component may have access to an external time reference (e.g., GPS time) that must be brought into the cluster.
- Firewall erection. The gateway component must protect the cluster from malicious outside intruders.
- Wireless connection. A gateway component may provide a wireless connection to the outside world and perform the connection management.

14.4 The Time-Triggered MPSoC

The shift of the computer industry from single processor systems to multiprocessor systems on chips (MPSoC) is driven primarily by power and energy concerns, as discussed in Sect.
6.3.2. This shift presents a tremendous opportunity for the embedded systems industry, since a hardware architecture that consists of many self-contained IP-cores that can operate concurrently without any non-functional dependencies and that are connected by an appropriate network-on-chip (NoC) provides a much better match to the needs of many embedded applications than a powerful single sequential processor.

Viewed from the point of view of the TTA, an IP-core is considered to be a component and the whole MPSoC implements a cluster. Within the GENESYS project, funded by the European Commission, we developed a first academic prototype of a TTMPSoC (time-triggered multiprocessor system on chip) to understand the constraints and opportunities of this new technology. The project was completed in 2009 and a prototype TTMPSoC that supports an automotive application was implemented on an FPGA [Obm09].

Figure 14.1 depicts the overall architecture of the prototype TTMPSoC with eight IP-cores. There are two types of structural units in Fig. 14.1, the trusted structural units (denoted by the bold boxes) and the non-trusted structural units (normal boxes). The trusted structural units, i.e., the Trusted Network Authority (TNA), the eight trusted interface subsystems (TISS), and the time-triggered network on chip (TTNoC) form a trusted subsystem that is vital for the operation of the chip and is assumed to be free of design faults. In high-reliability applications, the trusted subsystems can be hardened (e.g., by using error correcting codes) to tolerate transient hardware faults. An arbitrary failure (caused by a transient hardware fault or a software error, such as a Heisenbug) of a non-trusted structural unit will not impact the operation of other, independent units of the chip.

[Fig. 14.1 Architecture of the prototype TTMPSoC: the trusted network authority (TNA), cluster resource manager, internet gateway, security, diagnosis, and application A, B and C cores, connected through TISSes to the Time-Triggered Network on Chip (TTNoC)]

At the center of Fig. 14.1 is the time-triggered network on chip (TTNoC) that connects the IP-cores via the TISSes. Only the TNA has the authority to write a new network configuration that determines the time-triggered sending slots for each non-trusted IP-core into a TISS. If a non-trusted component violates its temporal specification, the TISS will detect and contain the failure. The cluster resource manager, a non-trusted system component, can calculate dynamically a new communication schedule at the request of an application component (in Fig. 14.1 component A, B, or C). The cluster resource manager sends the new schedule to the TNA. The TNA verifies the schedule and checks whether any safety constraint is violated before writing the new schedule into the respective TISSes. Only the TNA has the authority to control the execution of a component via the TII interface of an application component. Otherwise, a single non-trusted component with a software error could send erroneous control messages, requesting the components to terminate, to all components and ruin the whole chip.

The architecture of Fig. 14.1 assures that any temporal fault of a non-trusted component is contained by the TISS and will not affect the communication among the correct components. It is thus possible to build TMR structures of three IP-cores to mask an arbitrary fault in any one of the components. In safety-critical applications, TMR structures can be built where each IP-core of a triad resides on a different chip in order to avoid spatial proximity faults and to tolerate a complete chip failure. The diagnostic component monitors the behavior of the components and checks the g-states of the components for plausibility. It is the task of the security component to decode and encode all messages that enter or leave the TTMPSoC. A more detailed description of the TTMPSoC, including the prototype application, can be found in [Obm09].
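As an added illustration of the two trusted-subsystem roles described above (this is example code written for this page, not code from the book or from the GENESYS prototype), the following Python model lets a non-trusted cluster resource manager propose a TDMA schedule, has the TNA verify it before writing it into the TISSes, and has each TISS admit a send only inside its core's slot, so that a core that babbles outside its slot is contained. The round length, component names, the particular safety constraints checked (no two cores share a slot, every window lies inside the round, a designated core keeps a minimum number of slots) and all class and function names are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ROUND_LENGTH = 8  # slots per TDMA round of the TTNoC (assumed value)


@dataclass(frozen=True)
class Slot:
    """Sending window of one core: first slot index and number of slots."""
    start: int
    length: int


Schedule = Dict[str, Slot]  # component name -> its sending window


@dataclass
class Tiss:
    """Trusted interface subsystem in front of one non-trusted core.
    It admits a message only inside the window the TNA wrote into it."""
    name: str
    slot: Optional[Slot] = None
    contained: int = 0  # messages dropped because they were out of slot

    def send(self, t: int, payload: bytes) -> bool:
        pos = t % ROUND_LENGTH  # position of global time t within the round
        if self.slot is not None and self.slot.start <= pos < self.slot.start + self.slot.length:
            return True  # inside the assigned slot: forwarded to the TTNoC
        self.contained += 1  # temporal violation: contained at the TISS
        return False


@dataclass
class Tna:
    """Trusted network authority: the only writer of TISS configurations."""
    min_slots: Dict[str, int]  # assumed safety constraint: minimum slots per component
    tisses: Dict[str, Tiss] = field(default_factory=dict)

    def verify(self, proposed: Schedule) -> List[str]:
        """Return the violated constraints; an empty list means the schedule is safe."""
        errors: List[str] = []
        occupied: Dict[int, str] = {}
        for name, slot in proposed.items():
            if name not in self.tisses:
                errors.append(f"{name}: unknown component")
            if slot.length <= 0 or slot.start < 0 or slot.start + slot.length > ROUND_LENGTH:
                errors.append(f"{name}: window outside the round")
                continue
            for i in range(slot.start, slot.start + slot.length):
                if i in occupied:  # two cores may never share a slot
                    errors.append(f"{name}: slot {i} collides with {occupied[i]}")
                occupied[i] = name
        for name, needed in self.min_slots.items():
            got = proposed[name].length if name in proposed else 0
            if got < needed:
                errors.append(f"{name}: needs {needed} slots, scheduled {got}")
        return errors

    def install(self, proposed: Schedule) -> bool:
        """Write the schedule into the TISSes only if verification passes."""
        if self.verify(proposed):
            return False  # rejected; the TISSes keep their previous configuration
        for name, tiss in self.tisses.items():
            tiss.slot = proposed.get(name)
        return True


def demo() -> dict:
    """Constructed scenario: a valid schedule, a babbling core, a rejected proposal."""
    cores = ["A", "B", "C", "safety"]
    tna = Tna(min_slots={"safety": 2}, tisses={n: Tiss(n) for n in cores})
    # proposal from the (non-trusted) cluster resource manager
    good: Schedule = {"A": Slot(0, 2), "B": Slot(2, 2), "C": Slot(4, 2), "safety": Slot(6, 2)}
    accepted = tna.install(good)
    # core A sends twice inside its window and once at time 3, which belongs to B
    a = tna.tisses["A"]
    sends = [a.send(t, b"x") for t in (0, 1, 3)]
    # a later proposal that overlaps A and B and drops the safety core is rejected
    bad: Schedule = {"A": Slot(0, 3), "B": Slot(2, 2), "C": Slot(4, 4)}
    rejected = not tna.install(bad)
    return {"accepted": accepted, "sends": sends, "contained": a.contained,
            "rejected": rejected, "errors": tna.verify(bad),
            "slot_unchanged": a.slot == Slot(0, 2)}


if __name__ == "__main__":
    print(demo())
```

The point of the split is the one the text makes: the resource manager may be wrong or faulty, but it can only propose; the TNA alone verifies and writes, and the TISS enforces the written window without consulting the core it guards, so a software error in one core neither alters the schedule nor reaches the other cores' slots.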
The implementation of the TTNoC is described in [Pau08].

Points to Remember

- The architectural style describes the principles and structuring rules that characterize an architecture. In the TTA, these principles relate to complexity management, a recursive component concept, coherent communication by a single mechanism, and concern for dependability and robustness.
- The availability of a fault-tolerant sparse global time base in every node of a large embedded system is part of the foundation of the TTA. This global time base helps to simplify a design.
- The time-triggered integration framework of the TTA ensures that real-time transactions that span over more than one component have defined end-to-end temporal properties.
- It is a principle of the TTA that a component can be expanded to a new cluster without changing the specification of the LIF of the original component that becomes the external LIF of the new cluster. After such an expansion, the external LIF is provided by a gateway component that supports on the other side a second LIF to the new expanded cluster (the cluster LIF).
- Depending on the point of view taken, a set of components can be viewed as a cluster (focus on the cluster LIF of the gateway component) or as a single component (focus on the external LIF of the gateway component).
- Components can be integrated to form hierarchical structures or network structures.
- It is an important design principle of the TTA that there is only a single communication mechanism among the components, no matter whether the components are close together, as in a system-on-chip, or far away at another place in the world, connected by the Internet.
- The core system services of the TTA are minimal in the sense that only those services that are absolutely indispensable to build higher-level services or to maintain the desired properties of the architecture are included in the set of core system services.
- The core services must be free of NDDCs (non-deterministic design constructs), such that deterministic computations can be implemented.
- A TTA job is the core image of the component software that includes the application software, the GM, and the local operating system of the component.
- At every level of the TTA, a resource management service is provided. At the lowest level, the component level, a local resource manager, the LRM that is part of the GM, controls the resources local to a component.
- The LRM of the component can be parameterized by a cluster resource manager that takes a holistic view of the functions of the whole cluster.

Bibliographic Notes

A first description of the MARS project can be found in [Kop85].
The VLSI chip for clock synchronization is presented in [Kop87]. This chip was used in the academic prototype of the MARS architecture [Kop89]. The time-triggered protocol TTP for the communication among the nodes of MARS was published in [Kop93]. The first overview of the time-triggered architecture appeared in the PDCS book [Kop95], which is presented in a more mature form in [Kop03a]. A formal analysis of time-triggered algorithms has been carried out by John Rushby [Rus99]. The rationale of the TTEthernet protocol is described in [Kop08]. The TTMPSoC is presented in [Pau08]. An overview of GENESYS is given in the book [Obm09].

Review Questions and Problems

14.1 List the problems where the availability of a global time base contributes to finding a solution in a distributed real-time system!
14.2 What is the fate-sharing principle?
14.3 List the design principles of the TTA that help to build dependable systems!
14.4 Why is deterministic behavior a desired property of a real-time transaction?
14.5 Why should components publish their ground state periodically?
14.6 How can the availability of a global time strengthen a security protocol?
14.7 Why is a large monolithic real-time operating system problematic in real-time systems?
14.8 How are conventional operating system functions implemented in the TTA?
14.9 What are the differences between core system services and optional system services in the TTA?
14.10 What are the functions of the generic middleware?
14.11 Why is it necessary to split some system functions?
14.12 What is included in the concept of a TTA job?
14.13 List the core system services of the TTA!
14.14 List some of the optional system services of the TTA!
14.15 What are the functions of a gateway component?

Abbreviations

Note: This annex contains a list of frequently used abbreviations.

AES      Advanced Encryption Standard
ALARP    As Low As Reasonably Practical
API      Application Programming Interface
ASIC     Application Specific Integrated Circuit
AVB      Audio Video Bus
BMTS     Basic Message Transport Service
CAN      Control Area Network
CCF      Concurrency Control Field
EDF      Earliest-Deadline-First
EMI      Electro-Magnetic Interference
EPC      Electronic Product Code
ET       Event-Triggered
FRU      Field-Replaceable Unit
FTU      Fault-Tolerant Unit
GPS      Global Positioning System
IoT      Internet of Things
LIF      Linking Interface
LL       Least-Laxity
MARS     Maintainable Real-Time System
MPSoC    Multiprocessor System on Chip
MSD      Message Structure Declaration
NBW      Non-Blocking Write
NDDC     Non-Deterministic Design Construct
NoC      Network-on-Chip
NTP      Network Time Protocol
PAR      Positive-Acknowledgment-or-Retransmission
PFSM     Periodic Finite State Machine
PIM      Platform Independent Model
PSM      Platform Specific Model
RFID     Radio Frequency Identification
RT       Real-Time
SOC      Sphere of Control
SoC      System on Chip
SRU      Smallest Replaceable Unit
TADL     Task Descriptor List
TAI      International Atomic Time
(continued)