Advantages of Time-Triggered Ethernet


Advantages of Time-Triggered Ethernet
Christian Fidi, Product Manager
October 28th, 2015

Space Application Requirements

Architecture Theory
A system needs to ensure:
- Correctness of the data: voting, or ensuring that the received value is right
- Temporal correctness (time of use and order): synchronization
There are two architectures supporting fault tolerance:
- Voting architecture (voting or Byzantine voting)
- Fail-silent architecture (COM/MON or dual-core lock-step)

Replica Determinism: Example Stage Separation
Consider a rocket launch. The real-time system responsible for the stage separation system has three redundant channels:
- Channel 1: Separation and Fire Boosters
- Channel 2: No Separation and do not Fire Boosters
- Channel 3: No Separation and Fire Boosters (Fault)
Majority: No Separation and Fire Boosters!
Temporal order within sparse time needs to be guaranteed!
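The stage-separation scenario above, worked through in code as an added example (not part of the original slides): a voter that takes the majority field by field produces the slide's "No Separation and Fire Boosters" result, which no single channel ever computed, whereas a voter that requires two channels to agree on the complete output detects the disagreement instead. The channel outputs are constructed from the slide.

```python
from collections import Counter

# Constructed channel outputs for the slide's scenario, as (separate, fire_boosters).
# Channel 3 is the faulty one.
CHANNELS = {
    "Channel 1": (True, True),
    "Channel 2": (False, False),
    "Channel 3": (False, True),
}

def vote_per_field(channels):
    """Naive voter: majority taken independently for each output field."""
    outputs = list(channels.values())
    result = []
    for i in range(len(outputs[0])):
        winner, _ = Counter(out[i] for out in outputs).most_common(1)[0]
        result.append(winner)
    return tuple(result)

def vote_whole_output(channels, required=2):
    """Voter over complete outputs: a result is accepted only if `required`
    channels produced exactly the same output; otherwise None (no agreement)."""
    winner, count = Counter(channels.values()).most_common(1)[0]
    return winner if count >= required else None

if __name__ == "__main__":
    print("per-field majority:", vote_per_field(CHANNELS))       # (False, True): matches no channel
    print("whole-output majority:", vote_whole_output(CHANNELS))  # None: channels disagree
```

The whole-output voter only works when the replicas are deterministic, i.e. they saw the same inputs in the same temporal order, which is exactly what the slide's last line demands.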

Voting Architecture: MIL-STD-1553 (TT)
- 3 redundant busses/lanes (1FT, but not covering Byzantine faults)
- Each computer has one bus master node (bus controller)
- All computers receive the messages from the other lanes, where they are slaves
- Precise synchronization has to be done between the lanes to be able to vote (state exchange)
- If one node fails, the whole lane may be lost
- Voting is done in a two-out-of-three manner
[© 2010 Data Device Corporation. Distributed and Reconfigurable Architecture for Flight Control System]

Disadvantages
- Additional point-to-point communication needed to ensure low-latency synchronization
- Multiple protocols are needed: for synchronization, deterministic data, high-speed data
- Additional wiring needed
- Software needs to take care of: precise synchronization, redundancy management, support for different protocols
- Testing effort and hardware (since this is application specific)

Time-Triggered Communication
1. Global notion of time: local clocks are free running; each node has a local view of the global time
2. Message schedule
Copyright © TTTech Computertechnik AG. All rights reserved.

Synchronization Services
- Clock Synchronization Service is executed during normal operation mode to keep the local clocks synchronized to each other.
- Startup/Restart Service is executed to reach an initial synchronization of the local clocks in the system.
- Integration/Reintegration Service is used for components to join an already synchronized system.
- Clique Detection Services are used to detect loss of synchronization and the establishment of disjoint sets of synchronized components.

FT Synchronized Global Time
Fault-tolerant synchronization services are needed for establishing a robust global time base in the sub-microsecond range.

Permanence of PCFs
Using the transparent_clock value, a receiver can determine the "earliest safe" point in time when a PCF becomes permanent:
  permanence_delay = max_transmission_delay - transparent_clock
  permanence_point_in_time = receive_point_in_time + permanence_delay
Example:
- max_transmission_delay in this network is 0:30
- frame F1 is transmitted by node A at 10:00
- frame F2 is transmitted by node B at 10:05
- frame F1 has a transmission delay A -> C of 0:20. This is visible in F1's transparent_clock
- frame F2 has a transmission delay B -> C of 0:05. This is visible in F2's transparent_clock
- receiver C sees: F2 arrives at 10:10, becomes permanent at 10:10 + (0:30 - 0:05) = 10:35
- receiver C sees: F1 arrives at 10:20, F1 becomes permanent at 10:20 + (0:30 - 0:20) = 10:30
=> F1 becomes permanent before F2
[Figure: nodes A (F1 sent at 10:00) and B (F2 sent at 10:05) transmitting to receiver C, which receives F2 at 10:10 and F1 at 10:20]
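The permanence calculation above, as an added example that is not part of the original slides or of TTTech's implementation. It uses the slide's numbers and its "M:SS" time notation, and adds the sanity check a receiver should make: a transparent_clock larger than the configured max_transmission_delay contradicts the network configuration, so such a frame is rejected rather than given a negative delay.

```python
# Added example: permanence point of Protocol Control Frames (PCFs) from the
# transparent_clock, using the slide's numbers. Times are written as "M:SS".

MAX_TRANSMISSION_DELAY = "0:30"   # network-wide bound, from the slide

def to_ticks(t):
    """Convert the slide's "M:SS" notation into a plain tick count."""
    m, s = t.split(":")
    return int(m) * 60 + int(s)

def to_clock(ticks):
    return f"{ticks // 60}:{ticks % 60:02d}"

def permanence_point(receive_time, transparent_clock, max_delay=MAX_TRANSMISSION_DELAY):
    """Earliest safe point at which a received PCF may be treated as permanent."""
    delay = to_ticks(max_delay) - to_ticks(transparent_clock)
    if delay < 0:
        # The frame claims more delay than the configuration allows: it cannot be
        # ordered safely against other PCFs, so it is rejected.
        raise ValueError("transparent_clock exceeds max_transmission_delay")
    return to_clock(to_ticks(receive_time) + delay)

def permanence_order(frames):
    """Frame names ordered by permanence point, not by arrival order."""
    ordered = sorted(frames, key=lambda f: to_ticks(permanence_point(f["rx"], f["tc"])))
    return [f["name"] for f in ordered]

# Constructed sample: receiver C's view from the slide (arrival time, transparent_clock)
FRAMES = [
    {"name": "F2", "rx": "10:10", "tc": "0:05"},
    {"name": "F1", "rx": "10:20", "tc": "0:20"},
]

if __name__ == "__main__":
    for f in FRAMES:
        print(f["name"], "arrives", f["rx"], "permanent at", permanence_point(f["rx"], f["tc"]))
    print("permanence order:", permanence_order(FRAMES))   # ['F1', 'F2']
```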

External Clock Synchronization External synchronization to e.g. PPS of the fault-tolerant clock

Time-triggered Traffic Timing
- Full control of timings in the system
- Defined latency and sub-microsecond jitter
- Minimum memory needs
- Fault-containment regions
[Figure: the sender says "I'll transmit M at 10:45"; the first switch "I'll accept M only between 10:40 and 10:50" and "I'll forward M at 11:00"; the second switch "I'll accept M only between 10:55 and 11:05" and "I'll forward M at 11:10"; the receiver "I'll expect M between 11:05 and 11:15" and "Let's see if I can receive M"]
...but sender and receiver still only do "I'll transmit M at..." and "I'll expect M at..."; the added complexity is in the network, not in the nodes.
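The hop-by-hop acceptance windows from the figure above, simulated as an added example (not the original slides' or TTTech's code). The path schedule is constructed from the figure's labels and expressed in "H:MM" notation; it shows how a frame sent at its scheduled time arrives inside the receiver's window, while a frame sent late is discarded at the first switch, so the timing fault stays within the sender's fault-containment region.

```python
# Added example: time-triggered frame M travelling through switches that only
# accept it inside a scheduled window and forward it at a fixed time.

def minutes(t):
    """Convert "H:MM" into minutes."""
    h, m = t.split(":")
    return int(h) * 60 + int(m)

# Constructed path schedule for M, taken from the slide's figure labels.
PATH = [
    {"hop": "switch 1", "accept": ("10:40", "10:50"), "forward": "11:00"},
    {"hop": "switch 2", "accept": ("10:55", "11:05"), "forward": "11:10"},
]
RECEIVER_WINDOW = ("11:05", "11:15")

def deliver(transmit_time, path=PATH, receiver_window=RECEIVER_WINDOW):
    """Simulate M through the schedule. Returns (delivered, dropped_at)."""
    t = minutes(transmit_time)
    for hop in path:
        lo, hi = (minutes(x) for x in hop["accept"])
        if not lo <= t <= hi:
            # Out-of-window frame is discarded here; nothing downstream sees it.
            return False, hop["hop"]
        t = minutes(hop["forward"])   # the switch dispatches M at its scheduled slot
    lo, hi = (minutes(x) for x in receiver_window)
    return (lo <= t <= hi), None

if __name__ == "__main__":
    print("on time:", deliver("10:45"))   # (True, None)
    print("late:", deliver("10:52"))      # (False, 'switch 1')
```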

TTEthernet Traffic Partitioning
TTEthernet provides a set of time-triggered services implemented on top of standard IEEE 802.3 Ethernet. These services are designed to enable the design of synchronous, highly dependable embedded computing and networking systems capable of tolerating multiple faults. With TTEthernet, robustly partitioned multimedia data streams, critical control data and standard LAN messages can operate in one network without congestion or unintended interactions.
On this slide, four synchronous time-triggered Ethernet streams are shown in red. They are robustly separated from other asynchronous priority-based or rate-constrained data streams, such as IEEE DCB or AVB, and from other lower-priority standard Ethernet traffic.

Extensions & Standard Ethernet
Time-triggered extensions for standard switched Gigabit Ethernet:
- Startup
- Recovery
- Robust fault-tolerant distributed clock
Makes Ethernet viable for safety-critical distributed applications!

Fault-Containment Regions in TTEthernet
TTEthernet defines switches and end systems as two kinds of fault-containment regions. Frame loss is mapped to the respective sender. Depending on cost and reliability targets, switches and/or end systems may be implemented with standard or high integrity in order to scale from single to dual fault tolerance. Protocol mechanisms can be configured to handle strictly omissive asymmetric switch faults (HI) and fully transmissive asymmetric end system faults (SI).

High-Integrity: Self-Checking Pair
High-integrity design: self-checking pair
- Two processors execute the same function in parallel
- A comparator checks the output of both processors
- If one processor fails (maliciously) and generates wrong data, the second processor shuts down
Self-checking pair ensures fail-silence!

Requirement: Easy "System of Systems" Fusion
- SoS architecture with TTEthernet supports reconfiguration
- Several separate vehicles or elements fuse into a new combined network configuration
- The architecture is coupled together through a Virtual Backplane
The integrated system is ideal for system of systems:
- Individual systems come together, coupled through fusion of the Virtual Backplane
- Predetermined, yet dynamic, re-configuration of the individual computing elements' configuration tables enables several free-flying elements to start a mission with individual state vectors and to fuse into a combined configuration that shares a new, common set of state vectors
[Figure: priority 1 time-triggered traffic and priority 2 traffic on the fused network]

TTE-Controller
- Switch Controller COM
- Switch Controller MON
- End System: IP/UDP, ARINC 653 partition support in HW
- CPU: management & diagnostics
Available in Q3/2016

TTEthernet Products
- TTESwitches (A664), Switch Controller, SMC 6U VPX*
- TTEEnd Systems (A664), End System Controller, PMC Lab, PMC Pro
Software Tools and Development Systems
- TTEVerify (for DO cert.), TTETools (development)
- TTECOM, TTESync Lib (middleware), ARINC 653 v4.0, Linux v4.0
Upcoming key product launches (2013+2014)

Cross Industry
TTEthernet examples of reliable safety-critical networks:
- NASA Orion (© NASA)
- Sikorsky S97 Raider
- Vestas wind turbines
- Audi piloted driving
- Airbus DS Ariane 6
- Oil platform

Conclusion
The protocol and implementation support:
- Synchronization
- Deterministic communication
- Fault tolerance
But they also allow the flexibility of standard Ethernet, which reduces SW complexity.
Space-graded components are upcoming.
The environment is developed cross-industry (embedded SW, tools, test and development equipment).

Thank You! Any Questions?