The TimeTriggered Architecture

1
The Time-Triggered Architecture

• H. Kopetz
• TU Vienna, Austria
• June 2000

2
Outline

• Introduction
• Some Technology Trends
• The Three Interfaces of an Embedded Node
• The Time-Triggered Architecture
• Conclusion

3
Technology Trends

• Systems on a chip (SOC)
• Smart MEMS sensors
• COTS Components
• INTERNET Connectivity
• High-Dependability Systems

4
Systems on Chip

• Current Semiconductor Technology makes it
  possible to design a self-contained 32 bit
  computer system, including 1 Mbyte of memory,
  Network Access and I/O on a single die, e.g.,
  the Motorola Golden Oak Chip.
• Development cost of an SOC 10 Mio US
• Production cost

5
Semiconductor Roadmap--Motorola MCORE
Performance(MIPS)
M6
300 200 100 50
M5
M3
M2
1998 1999 2000
2001 Time 0.35? 0.25?
0.18? 0.10????????Feature Size
Source Motorola MCORESTRATEGIC/D REV.1, 1999,
p..3
6
Smart MEMS Sensors

• A smart device is the combination of a sensor or
  actuator element and a local microcontroller that
  contains the interface circuitry, a processing
  element, memory and a network controller, and the
  application software in a single
  hardware/software unit.
• Some sensing elements are themselves
  microelectronic mechanical systems (MEMS) that
  can be integrated on the same silicon die as the
  associated microcontroller.

7
COTS Components

• There is an enormous economic pressure on all
  but the large-volume applications to use
  commercial-off-the-shelf (COTS) hardware and
  software components when designing new computer
  systems.
• COTS components are designed to provide the
  optimum price-performance in the targeted
  mass-market applications.
• The real-time market is often a "victim" of this
  COTS-component movement (e.g., Windows NT has not
  been designed as a real-time operating system,
  ETHERNET is not optimal for real-time
  communication).

8
INTERNET Connectivity

• INTERNET Connectivity can bring a number of
  advantages to an industrial control system
• Remote monitoring of processes
• Remote diagnostics
• Download of new software versions.
• However
• Security problem must be solved
• Inherent Jitter of the INTERNET limits the use in
  hard real-time environment.

9
High Dependability Systems

• There is a visible trend to high-dependability
  and fault-tolerant control systems in the
  embedded system market for the following reasons
• The successful use of high-dependability computer
  systems in critical applications, such as
  flight-control systems.
• The production loss caused by a single failure of
  a control system in a highly automated production
  facility is often more significant than the cost
  of duplicating the control system hardware.
• Smaller VLSI feature sizes will cause an increase
  in the transient failure rates of chips.
• In a fault-tolerant system the expensive
  "on-call" maintenance can be replaced by the less
  expensive regular preventive maintenance.

10
What Is Required?

• An architecture based approach to real-time
  system design that supports
• Two-level design methodology--to be able to
  separate architecture design from component
  design.
• Composability--to build systems constructively
  out of prevalidated components.
• Generic fault-tolerance--to implement
  fault-tolerance without any change in the
  application software.
• Flexible configuration--to support the reuse of
  existing components
• Volume market real-time applications--efficient
  use of hardware is a real concern.

11
What is a Technical System Architecture?

• Architectural style An architecture must
  provide rules and guidelines for the partitioning
  of a system into subsystems and for the design of
  the interactions among the subsystems.
• Composability An architecture must provide a
  framework for the systematic construction of a
  system out of subsystems (components).
• Property Match Components must comply with the
  architectural style to avoid a property mismatch
  at the component interfaces.
• Elegance An architecture must constrain an
  implementation in such a way that the ensuing
  system is understandable, maintainable,
  extensible, and can be built cost-effectively--in
  other words, it is elegant.
• Architecture Design is Interface Design

12
Principles of Composability

• The principles of composability are
• Independent development of components--relates to
  the architecture support for a two-level design
  process
• architecture design with precise interface
  specification
• component design, w.r.t these interface
  specification
• Stability of prior services--relates the
  components that are used in different system
  contexts.
• Constructive integration of components--component
  integration should be linear and not
  circular--relates to the communication system.
• Furthermore, if fault-tolerance is to be
  implemented by component replication, the
  component must be replica deterministic.

13
Architecture Design is Interface Design

• The three interfaces of an embedded system node
• Realtime Service (RS) Interface
• In control applications periodic
• Contains RT observations
• Time sensitive
• Diagnostic and Maintenance (DM) Interface
• Sporadic access
• Requires knowledge about internals of a node
• Not time sensitive
• Configuration Planning (CP) Interface
• Sporadic access
• Used to install a node into a new configuration
• Not time sensitive

14
RS Interface Important for Composability

• For the temporal composability, only the RS
  interface is relevant.
• An RS interface to a RT service module (e.g., a
  control algorithm) must specify
• At what point in time the input information is
  delivered to a module (temporal pre-conditions)
• At what point in time the output information must
  be produced by the module (temporal
  post-conditions).
• The properties of the intended information
  transformation provided by the module (a proper
  model)
• The RS interface contains RT images of the
  relevant RT entities.

15
Temporal Accuracy of Real-Time Information
How long is the RT image, based on the
observation The traffic light is
green temporally accurate ?
RT entity
RT image in the car
If the correct value is used at the wrong time,
its just as bad as the opposite.
16
Real-Time Observation

• An RT-observation is an atomic triple
• of observation
• Traffic-light at 12000
  p.m. Red
• The assignment of a value to a (dynamic)
  real-time entity is futile if there is no
  explicit or implicit notion of time.
• Every RT observation has a limited temporal
  validity.
• An RT-observation must be used before it becomes
  temporally invalid.

17
An Example Rolling Mill
Man MachineInterface (MMI)
MMI
Model
Comm.
Real-Time Bus
Actuator
Actuator
Actuator
Sensor
RT Transaction between Sensor and
Actuator Exchange of RT observations
18
Real-Time Transaction
EI1 II2 II3
II4 II5 EI6
Sensor
Model
Actuator
Com.
Com.
Real Time
Stimulus from Environment
Response to Environment
If the intermediate interfaces are not fully
specified in the temporal domain, composability
cannot be achieved.
19
The Diagnostic and Maintenance (DM) View
20
The Configuration Planning (CP) View

• End-points of the communication are an external
  configuration agent and an appropriate
  middleware process.
• Configuration agent does not need knowledge about
  the internal operation of the interfacing
  subsystem
• Not time-critical

21
The Three Interfaces (1)
22
The Three Interfaces(2)
23
The Realtime Service (RS) Interface is Different

• The characteristics of CORBA match well with the
  DM and CP interface, but the RS interface--the
  most important one--is different
• Global notion of time is part of the interface
  specification.
• Precise specification of temporal parameters
  crucial
• Jitter has detrimental effect on the quality of
  service (control)
• Simple data sharing interface for temporally
  accurate observations--update in place, no queues
  needed
• Periodic time-triggered access with implicit flow
  control
• Multicast topology
• If we want to achieve composability in real-time
  distributed systems, we need new standards for
  the RS Interface.

24
In Embedded Systems, we Need Open Standards for

• The representation of real time (not as trivial
  as it looks)--to avoid a property mismatch at
  interfaces
• An API that includes the temporal dimension of
  behaviour--to be able to reuse existing
  application software in different contexts
• A generic interface of a smart transducer--to
  integrate smart transducers with small effort
• Temporally predictable communication in
  distributed real-time systems--to be able to
  determine a priori whether a design will meet its
  temporal specification.
• The lack of standards in the embedded system
  market is a serious obstacle for the further
  development of the industry.

25
The Time-Triggered Architecture (TTA)

• Has been designed to provide the required
  mechanisms
• Supports the decomposition of a large hard
  real-time system into nearly autonomous
  subsystems with precise (temporal and value)
  interface specifications,
• Allows the independent development and testing of
  these subsystems versus the given interface
  specifications, avoiding unplanned integration
  effects,
• Provides all mechanisms needed for the
  implementation of fault tolerance,
• Makes it possible to design and implement
  real-time systems with a priori predictable
  temporal behaviour and thus provides a solution
  to the most pressing interoperability and
  software reuse problems.

26
Event-Triggered vs. Time-Triggered

• Event Triggered (e.g, CAN)
• Temporal control derived from the occurrence of
  eventsunpredictable
• Flexibility
• Large Jitter
• No precise temporal specification of interfaces
• Good for sporadic data
• Membership difficult
• Probabilistic Access

• Time Triggered (e.g., TTP)
• Temporal control derived from the progression of
  timepredictable
• Interoperability
• Minimal Jitter.
• Interfaces are temporal firewalls.
• Good for regular data
• Membership easy
• Replica Determinism

27
Time Format in the TTA
Absolute Time
Full seconds of TAI
Fractional part in 2-n seconds
Relative Time (relative to now)
Time Window
Most significant bit determines time horizon
and modulo arithmetic
Least significant bit determined by precision
and reasonableness condition
Different applications have different
requirements concerning precision and time
horizon.
28
The TTA Communication Network Interface (CNI)

• Interface between the host computer and the
  communication system within a node.
• Contains temporally accurate images of the
  host-relevant real-time variables.
• Data-sharing interface with state-data semantics,
  free of control signals--no control error
  propagation possible.
• The precise points in real time, when data is
  accessed by the node-local communication
  controller is known a priori and common
  knowledge to all host computers.
• Pays the key role in determining the composability

29
Smart Transducer Interface (STI) in the TTA

• The STI is the standard interface for smart
  sensors and actuators
• Supports the three interfaces (RS,DM, and CP)
• Is time-triggered (TTP/A protocol)
• Hides the internal smart sensor logic behind a
  simple encapsulated Interface-File System (IFS)
• Can be implemented efficiently on lowest cost
  micro-controllers (about 2 kbyte of ROM, 64
  bytes of RAM)
• And thus provides plug-and-play functionality.

30
Global Interactions versus Local Processing
HostComputer
HostComputer
HostComputer
C NI
C NI
C NI
In TT systems, the locus of
temporal control is in
the communic- ation system.
CCMEDL
CCMEDL
CCMEDL
CCMEDL
CCMEDL
C NI
C NI
In ET systems, the locus of temporal control is
inhost computers.
HostComputer
HostComputer
I/O
I/O
31
The TTA distinguishes between the

• Distributed Computational Core (DCC)
• consists of the set of host computers connected
  by TTP/C
• operates on a sparse time base with agreed
  discrete input values
• supports the transparent implementation of
  fault-tolerance
• Distributed Input/Output System (DIOS)
• connects the intelligent sensors and actuators to
  a node (or a fault-tolerant unit) by one or more
  TTP/A sensor busses.
• transforms the analogue inputs into a consistent
  representation of discrete values on a sparse
  timebase.
• handles sensor and actuator fault-tolerance by
  providing the appropriate sensor agreement
  protocols.

32
Two Real-Time Networks in the TTA

• The following two different real-time network
  types are needed in distributed control
  applications for economic reasons (from the
  technical point of view a single system network
  type would be sufficient)
• System Bus TTP/C The system bus connects the
  system nodes of the DCC.
• Field Bus TTP/A The field bus connects one or
  more system nodes to the smart sensors and
  actuators. The field bus can be a multi-master
  network where one or more powerful masters
  control a set of simple associated smart sensor
  nodes.
• The CNIs to both networks are syntactically and
  semantically alike.

33
TTP/C Protocol for System Bus

• The Time-Triggered Protocol (TTP), connecting the
  nodes of the system, is at the core of the
  Time-Triggered Architecture. It provides the
  following services
• guaranteed for composability by full
  specification of the temporal properties of the
  interfaces.
• timely membership service (fast error detection)
• replica determinism
• replicated communication channels (support of
  fault- tolerance)
• good data efficiency
• limited flexibility (preplanned mode changes)

34
TTP-A Protocol for Smart Transducers

• Composability and Testability
• Provides Standard Interface File System (IFS)
• Universal Smart Transducer Interface
• Latency Guarantee for Control Applications, Clock
  Synchronization of better than .1 msec
• Good Error Detection for fail safe operations
• Low Cost for intelligent sensors, smallest
  implementation less than 2 kbytes of ROM, 64
  bytes of RAM (including IFS, software UART at 10
  kbits on single wire)
• Fault tolerance at system level (duplicated
  buses)

35
Conclusions

• An adequate model of time must be a core element
  of any real-time system architecture.
• Many of the available architectures do not
  consider time as a first order quantity, but
  rather as an addendum.
• We will never achieve the desired architectural
  properties, such as composability, reuse of
  components, constructive validation, etc., if we
  do not give time its proper place.
• The time-triggered architecture (TTA) tries to
  play tribute to the essential role of time in a
  real-time system architecture.