The Time-Triggered Architecture

January 23rd, 2003

The Time-Triggered Architecture

Krishnakumar [email protected]

Institute for Software Integrated Systems

Vanderbilt University, Nashville, TN

2

Krishnakumar B The Time-Triggered Architecture

ISIS, Vanderbilt University

Outline of Talk• Overview of TTA• Architecture Model• Design Principles • Communication• Fault Tolerance• Design Methodology• Questions ?

3



Time-Triggered Architecture• Treatment of physical time as a first-order

quantity• Provides fault-tolerant global time base• Decomposes a large application into:

– Clusters– Nodes– Combination of both

• Use global time to specify interfaces between nodes

• Communication and agreement protocols

4



Model of Time• Time progresses along a dense timeline• Duration – Interval delimited by two instants• Event occurs at an instant

– E.g. Observation of state

• Time-stamping– Assign state of node-local global time to event

• How to synchronize clocks ?

5



Sparse Time Base

• Continuum of time is partitioned • Infinite sequence of alternating durations of activity &

silence• Duration of the activity interval > precision of clock

synchronization• All events that occur within an interval of activity

considered simultaneous• External representation of time

6



RT Entities and RT Images • TTA system

– Node, Communication Network Interface, Host– Time domain and value domain

7



RT Entities and RT Images (Contd…)• Real-Time Entities

– State variables used to model dynamics of system– Change their state as time progresses– Mix of both static and dynamic attributes– E.g Flow of a liquid in a pipe, Temperature of valve

• Observation– State of RT Entity at a particular instant tobs

– Observation = <Name, Value, tobs>• Real-Time Image

– Temporally accurate picture of RT entity at instant t– Duration b/w time of observation and instant t <

dacc

• Observation valid forever, not true of validity of image

8



State-Information vs Event-Information

• State attribute – Property of a RT entity at a particular instant

• State Information – (state variable, value, time of observation)– Idempotent, atleast-once semantics– Sender-side – Not consumed– Receiver-side – Update-in-place, non-consuming read

• Event– Sudden change of state of an RT Entity at an instant

• Event Information– (state variable, value difference, time of event)– Exactly-once semantics– Sender-side – Consumed on sending– Receiver-side – Queued and consumed on reading

9



Structure of TTA• Node

– Self-contained unit• Communication system

– Replicated channels – Autonomous– Executes periodically– a priori TDMA schedule

• Fetch Instant– Reads state message

from CNI• Delivery instant

– Delivers it to CNI of all other nodes of cluster

– Overwriting previous version of state message

• Fetch, delivery instants in message scheduling table

10



Interconnection topology• TTA-bus

– Replicated passive buses– Each node has 3

subsystems• Node, 2 guardians• Spatial proximity faults

• Fail-safe vs fail-operational• TTA-star

– Independent guardians– n+2 packages vs 3n– Reshape physical signals

& resilient to Slightly-off-specification (SOS) faults

– Additional monitoring, better EMI characteristics

11



Design Principles of TTA• Consistent Distributed Computing Base• Unification of Interfaces – Temporal Firewalls• Composability• Scalability• Transparent Fault Tolerance• Openness

12



Consistent Distributed Computing Base

• Distributed algorithms dependent on consistent data

• TTA exploits short error detection latency of protocol– Error-detection at protocol level– Distributed agreement (membership) algorithm

• Checking membership of all nodes to ascertain correct operation

• Detect faulty outgoing link

• Violation of fault-hypothesis– Distributed agreement protocol unable to reach

conclusion– Result: Clique avoidance algorithm is activated

13



Unification of Interfaces – Temporal Firewalls

• Uni-directional data-flow interfaces– Elementary – Uni-directional control flow– Composite – Bi-directional control flow

• TTA CNI is an elementary interface• Control-error propagation prevented by design• Interface called temporal firewall

14



Different Interfaces of a Node• Real-Time Service (RS) Interface

– Provides timely real-time services to node environment

– Must satisfy temporal specification under all conditions– Affects temporal composability

• Diagnostic & Maintenance (DM) Interface– Opens channel to internals of a node– Useful in configuring node parameters– Retrieve node parameters for fault diagnosis– Doesn’t affect temporal composability

• Configuration Planning (CP) Interface– Connect node to other nodes of a system– Used during integration phase to generate “glue”– Not time critical

15



Composability• Independent development of nodes

– Differentiate between node and architecture design– Precise specification of all node services =>

independent design of nodes• Stability of Prior services

– Validated service of a node should be unaffected by integration of node into a system

• Constructive Integration– n nodes already integrated => addition of n+1

doesn’t affect previous n nodes• Replica determinism

– All members have same externally visibile state– Produce same output messages atmost d time units

apart

16



Scalability• Complexity of system should not increase with growth of

system• In TTA, CNIs provides abstraction

– Encapsulate properties of environment – Only essential properties available to nodes

• Example - Gateway nodes

17



Transparent Fault-Tolerance• Active redundancy by replication and voting• Active replication is complex

– Shouldn’t be done at application level• TTA provides dedicated Fault-Tolerance layer

– Fault-tolerant CNI (FTU-CNI)

18



Openness• Standardize interfaces • TTA interfaces submitted for standardization

by OMG• Inter-operation with CORBA clients• RS, DM and CP interfaces available at the ORB

level

19



Communication• Deliver information between CNIs

– Within interval delimited by fetch and delivery instants

• TTP/C Protocol– Autonomous, fault-tolerant, TDMA based transport– Fault-tolerant clock synchronization– Membership service

• Inform every node about “health” of every other node• Doubles as multicast acknowledgment • Used in implementing fault-tolerant clock

synchronization

– Clique avoidance to detect and eliminate the formation of cliques when fault-hypothesis is violated

20



Communication (contd…)• TTP/A protocol

– Time-triggered field-bus protocol of TTA– Connects low-cost smart transducers to a node of TTA– Two types of rounds – Master/Slave (MS) & Multi-

partner (MP)• MS – Read/write records from IFS to implement DM and CP• MP – Periodic, implements the RS service

21



Event Message Channels & Performance

• Event message channels – Created by allocating portion of TT communication– Push-pull model for events– Filter service & Garbage collection service

• Performance of TTA– Time distribution needs inter-frame gap of 5 μs– 80% bandwidth utilization => 20 μs for send-phase– 40,000 messages / second– 10 clients => 250 μs sampling period => 4kHz loop– Amount of data

• 5 Mbps => 12 bytes / 20 μs• 1 Gbps => 2400 bytes / 20 μs

22



Fault Tolerance• Fault Hypothesis

– States types and number of faults that the system should tolerate

• TTA-star cluster– Can tolerate an arbitrary failure of a single node– Single faulty unit detected by membership protocol – Isolated within two rounds (for single fault)

• Fault-tolerant Units – Triple Modular redundancy

23



Fault Tolerance (contd…)• Till now assumed that environment complies with fault-hypothesis• If environment violates fault hypothesis

– TTA activates never-give-up strategy– Initiated by TTP/C protocol in combination with application– Only when necessary resources are unavailable to provide minimum

required service• Redundant transducers

– Requires two independent TTP/A field buses

24



Design Methodology• Architecture Design

– Decompose into clusters and nodes– Can use top-down or bottom-up– Specify CNIs of nodes in both the temporal &

value domains• Node design

– Delivery and fetch instants• Used as pre-condition and post-condition by

applications

• Validation– Formal methods for consistent distributed

computing base algorithms– Reproducable, observed without probe effect,

DM interface

25



Concluding Remarks• Autonomous clusters and nodes• Global time used to specify interfaces among

nodes• Two-phased design

– Architecture and Component (Node) design

• Take advantage of global time• Currently occupies a niche position

– Time considered a nuisance in mainstream computing

• Real-Time is an integral part of real-world– Cannot be abstracted away

26



Questions ?

Documents

The Time-Triggered Architecture