AT500103A1 - CONSTRUCTION OF A NODE COMPUTER FOR AN INTEGRATED DISTRIBUTED REAL-TIME SYSTEM - Google Patents

Description

Mixed-Criticality node computer with a connector unit

Cited Patents: [1] US 5694542 issued on Dec. 12, 1989: A loosely coupled distributed computer system with node synchronization for precision in real time.

[000] EP 0 658 257 dated 18.12.1996: Communication control unit and method for transmitting messages.

[3] US 5887143 issued on March 23, 1999: Time-Triggered Communication Control Unit and Communication.

[4] AT 407 582, Jun. 15, 2000: Message Distribution Unit with Integrated Guardian for Preventing Babbling Idiot Errors.

[AT] AT 408382, 15.3.2001: Computer node architecture with dedicated middleware processor [6] AT 410490 of 15.9.2002: Method for tolerating slightly-off-specification errors in a distributed fault-tolerant real-time system.

AT 410491, 15.9.2002: Communication method for the realization of event channels in a time-controlled communication system.

[8] AT Patent Application 844/2003 of 30.5.2003: Virtual Networks in a Time-Controlled MultiCluster Real-Time System [9] EP 1 355 456 A1 v.16.04. 2002 FlexRay Communication Protocol Other literature: [10] Kopetz, H. (1997). Real-Time Systems, Design Principles for Distributed Embedded Applications; ISBN: 0-7923-9894-7. Boston. Kluwer Academic Publishers.

[11] Kopetz, H, Bauer, G. The Time Triggered Architecture, Proc. ofthelEEE Vol. 91, No, l, Jan 2003, pp. 112-126 [12] TTP / C Specification atURL: www.tttech.com

TECHNICAL ENVIRONMENT distributed

This invention is a node computer for an integrated one

Applications with different

Sicherheitsan ^: node computer run side by side. In such a node computer must be constructively ensured that even in the case of a software error in a non-safety-critical F.inreir.hlcnnie. 5 5 2004 one

Application module does not affect the safety-critical application module behavior.

BACKGROUND OF THIS INVENTION

In many technical applications, for example in the automobile or aircraft, control tasks that have to meet different security requirements are executed on different computers. In such a case, where each function is assigned its own largely autonomous computer, one speaks of a Federated Architecture. This results in e.g. in a car of the upper class up to 70 different node computers (ECU Electronic Control Unit) are to be found. In this case, no replicated node computers are used in the existing Federated Architecture in order to be able to mask hardware errors of node computers.

By using an integrated architecture in which several tasks with different security requirements can be executed within a single computer, the number of node computers and the number of connections (which are error-prone according to experience) could be substantially reduced, which leads to considerable economic and technical advantages ,

Furthermore, in such an integrated architecture, it is relatively easy to replicate reliability-enhancing functions.

In such an integrated system, the architecture and internal structure of a node computer must ensure that, within the given error hypothesis, an error in one subsystem can not affect the function of another independent subsystem. There is a distinction between hardware errors and software errors.

In the following, it is assumed that a node computer realized as a system-on-chip (SOC) in a single chip. According to the state of the art, it must be assumed in a safety-critical system that such a chip can fail in a type of fault that can not be limited.

The well-known timed architecture [1-6, 10, 11] solves this problem in the event of any hardware failure by preventing time-domain error propagation and a flaw in the range of values over a TMR (Triple-Modular Redundancy, [10,11]) structure Value of a node computer can be masked.

The present invention addresses the problem of error isolation of software errors within a node computer.

According to the prior art, in a node computer for an integrated architecture, the independent software subsystems are encapsulated from each other by a complex operating system and corresponding additional hardware that enables dynamic memory protection. However, this operating system is so complex that it is difficult to prove the accuracy and timeliness of the applications that rely on that operating system through a formal analysis. F.inrp.ichknnip. 5 5 9004 ♦ ····· φ φ φ φ φ φ ····· · φ φ · φ · φ φ φ φ φ φ, · ······· φ φ φ φ φ »· · # · Φ • · φ φ φ φ φφφ φ · ·

The present invention proposes another way: For each security class, an independent application computer (A computer) with its own processor and own memory is provided within a node computer.

A relatively simple connector unit (C-unit), which is arranged between a timed communication controller and the A-computer distributes the contents of an incoming message on the various A-computer and summarizes the outputs of the A-computer in a single message for the timed communication system together.

In a safety-critical subsystem, the safety case must include the function (software) of the corresponding A-computer, the C-unit and the communication via the time-controlled communication system. Since the C-unit is much simpler than an operating system with memory protection, the proof of security in the proposed system is much easier

In the AT patent 410491 of 15.9.2002 and the AT patent application 844/2003 of 30.5.2003 it is disclosed how several independent communication channels for status messages and event messages can be realized on a timed communication system.

It is thus possible to largely separate the processing and communication of the distributed application systems and to prevent error propagation from one application system to another application system.

An architecture-integrated diagnostic system facilitates the diagnosis of transient hardware and software errors.

This invention provides the following significant economic advantages: The number of node computers can be significantly reduced, resulting in significant cost savings. • The number of cables, and hence the wiring points, can be significantly reduced, resulting in improved reliability and cost savings in maintenance. • The introduction of TMR structures to increase the reliability is possible without the installation of additional node computers. • The different subsystems can be developed independently - the integration effort is greatly simplified. • Diagnosis is simplified by the integrated diagnostic system. • Existing hardware / software solutions can be integrated into the new architecture by emulating the existing communication interface in the C-unit in the legacy application. • The development of the application is independent of the specific architecture of the communication system used, since the interface between A-computer and C-unit can be kept technology-invariant. F.inmichknnip. 5 5 2.004 4 • «4 • · · · ·

mb ·

SUMMARY

The present invention discloses the internal structure of a node computer for an integrated distributed real-time system, in which several subsystems with different security requirements can be executed side by side in a node computer. It is proposed to realize a plurality of independent application computers in an SOC node computer and to insert a connector unit between these application computers and the communication controller of a time-controlled communication system, which decides the distribution of the message contents to these application computers.

BRIEF DESCRIPTION OF THE FIGURES

The above-described object and other novel features of the present invention are explained in the accompanying drawings.

Fig. 1 shows the internal structure of a mixed-criticality node computer.

Fig. 2 shows a distributed computer system in which four mixed-criticality node computers are connected via two communication channels.

3 shows a mixed-criticality node computer for a security-relevant application with three connector units and eight application computers.

DESCRIPTION OF A REALIZATION

In the following section a concrete realization of the construction of a mixed-criticality node computer with a connector unit is shown on a possible example.

FIG. 1 shows a system-on-chip (SOC) node computer 100 connected to the other distributed system node computers via two replicated communication channels 108 and 109 of a real time scheduled communication system.

The node computer 100 of FIG. 1 includes four application computers (A computer) 110, 120, 130, and 140, and a connector unit (C unit) 101. A C unit 101 can also be usefully used in a node computer if only two A Computers are present.

Each of the A computers 110, 120, 130 and 140 has its own processor (CPU) and its own memory. It is therefore structurally ruled out that an A computer can directly influence another A computer in the time or value range, since neither the memory area nor the CPU represent shared resources.

Einre.ichlconie. 5th S 2004

The C-unit has an interface 102 to the communication channels 108 and 109. A concrete example of the design of such an interface is included in [11]. In the literature [10], this interface 102 is also referred to as the communication network interface (CNI).

The C unit is connected to the A computers 110, 120, 130 and 140 via the point-to-point interfaces 111, 121, 131 and 141. Through the point-to-point interface 111, the C-unit may pass the global time the C-unit of FIG. 102 receives and data from 102 to the A-computer 110 and take over from the A-computer 110. The same applies to the other A computers 120, 130 and 140.

According to the invention, the C-unit 101 only transfers to the A-computer 110 those data which are needed by the A-computer 110 to solve its task. The information as to which data is to be passed from the C-unit to the A-computer 110 can be found in a control table, which is provided to the C-unit during the initialization.

The same applies to the interface 121 to A computer 120, the interface 131 to A computer 130, and the interface 141 to A computer 140th

If from the point of view of A-computer 110 the interface 111 has the same syntactic and semantic structure as the interface 102, then from the software's point of view it is indistinguishable from 110 whether the communication to the C-unit 101 or directly to the communication controller 102 takes place. In this case, the insertion of the C-unit has no effect on the software in 110, which is a great advantage for existing legacy applications.

The A-computer 110 can directly address sensors and actuators via the input / output interface 112 via the lines 117, 118 and 119.

The interface 121 may realize a communication protocol other than 102. In this case, the C-unit assumes the role of a protocol transformation from the protocol interface 121 to the protocol interface 102.

The node computer 130 may have a local interface 132 to another communication system 139. The A-computer 130 then becomes the gateway computer between the cluster of FIG. 2 and the cluster with the communication system 139.

If the A computer 110 wants to transfer data to the A computer 120, this must be done via the interfaces 111 and 121 to the C computer. The control table must specify which data is to be forwarded from the A-computer 111 to the A-computer 121. The same applies to the other A computer of the node computer 100. So there is no direct connection between the A-computers of the node computer 100th

Fig. 2 shows a system with four node computers 210, 220, 230 and 240 which are connected via two communication channels 201 and 202 of a timed communication system.

According to the patent application AT 844/2003 of 30.5.2003, such a time-controlled communication system can support multiple encapsulated virtual communication channels with defined behavior in the time and value range on a single physical channel.

Assuming that the four application computers illustrated in FIG. 2 in the upper left corner of 210, 220, 230, and 240 form an application system, F.incremental 5 5 9004 may be assigned an encapsulated virtual communication channel for communication to this application system. Thus, the complete encapsulation of an application system in the time and value range is achieved. The unintended mutual influence of different application system is thus excluded architecturally.

3 shows the internal structure of a node computer in a safety-critical system.

In a distributed system that has to serve application subsystems with different security requirements, it makes sense to make the application system with the highest security requirement very simple in order to allow a formal analysis of that application system.

In such a system, it is therefore useful to use several C units recursively within a node computer 100. At the lowest level, a very simple C-unit 300 will perform the separation of the safety-critical applications 310 from the non-safety-critical applications 320.

The C-unit 300 takes over the data from the communication interface 102, which is connected to the other node computers via the communication channels 108 and 109, and transfers the data intended for the safety-critical system via the interface 311 to the safety-critical subsystem 310 and not to the safety-critical subsystem 310 safety-critical applications certain data via the interface 321 to the subsystem 320th

If necessary, a second C unit in 310 may encapsulate several safety critical subsystems from each other. In the non-safety-critical area, the C-unit 320 assumes this task.

The advantage of such an arrangement lies in the radical separation of the safety-critical from the non-safety-critical applications. The safety case has to deal only with the simple C-unit 300 and the safety critical subsystem and does not have to consider the non-safety critical subsystems.

If the interfaces 102, 311, and 321 are of the same type and only transmit timed state messages, then the C-unit 300 only needs to periodically copy message contents between these three interfaces. Such a simple C-unit 300 is amenable to formal analysis.

In this case, it will be useful to integrate the simple C-unit 300 in the communication controller 102 and thus make the separation of the safety-critical of the non-safety-critical applications already in the communication controller 102. Such a simple C-unit does not require its own processor and can be implemented in the form of dedicated hardware, if necessary.

An A-computer, e.g. The computer 110 of FIG. 1 may also be connected to the C-unit 101 via two interfaces (not just the one interface 111 shown in FIG. 1).

It may be advantageous to provide an interface for the transmission of status messages and a second for the transmission of event messages [9]. The C-unit 101 can then be, according to the in the patent application 429/2001 by F.inreirhknnie. S S 2004 19.3.2001 disclosed methods convert the event messages into status messages and vice versa.

In this case, it will be useful to equip the C-unit 101 with its own processor and memory. If required, the C-unit may also perform a transformation of the different protocols used at the interfaces 102, 111, 121, 131 and 141.

For example, the TT-Ethemet protocol can be used at the interface 102, the TTP / C protocol at the interface 112, the FlexRay protocol at the interface 121, the CAN protocol at the interface 131 and the TT CAN protocol at the interface 141 , The relatively complex C unit in this case can perform a transformation between all these protocols. It should be noted that any timed or event-driven protocol can determine the communication between the node computers 210, 220, 230 and 240 and the C-unit. Examples of such protocols are TTP / C [12], FlexRay [9], TT-CAN, TT-Ethemet, CAN or LIN.

The protocol at the interface 102 must support a timed transfer phase so that the various virtual communication channels can be time-isolated from each other. Examples of such protocols are TTP / C [12], FlexRay [9], TT-CAN and TT-Ethemet. The event-driven transmission phase of FlexRay [9], TT-CAN and TT-Ethemet can be used for messages that do not need to be time-isolated.

In order to be able to accurately diagnose transient and permanent errors occurring in the node computer 100, the C-unit can continuously monitor the behavior of the A-computers 110, 120, 130 and 140 at the interfaces 111, 121, 131 and 141.

For this purpose, post-conditions for messages in the time and value range can be formulated as part of the system development, which must always be complied with at these interfaces 111,121,131 and 141 and are checked by the C unit at runtime.

These post-conditions can characterize not only a misconduct but also an out-of-standard behavior of an A-computer. An out-of-norm behavior is present if a still correct but improbable behavior of the respective A-computer is observed. For example, before an event-driven interface, the length of the queue may be used before the consumer of messages to characterize out-of-norm behavior. If this queue exceeds a pre-defined critical length, then there is an out-of-norm behavior.

Any malfunction or out-of-norm behavior can be transferred to a diagnostic job for further evaluation via a dedicated diagnostic channel from the C-Unit via a virtual communication channel established on channels 108 and 109. Such a diagnostic job can be executed on a dedicated A computer of a mixed-criticality node computer or in an encapsulated partition of a mixed critcality node computer.

In order to use a given node computers in different application scenarios, it is advantageous if the existing memory of a node computer is not permanently assigned to the individual A-computers, but can be dynamically allocated to the various A-computer of the node computer in the context of initialization of the node computer. For this purpose is in the F.inreichlconie. A A 9.004

Node computer hardware a register set exists indicating which memory block is assigned to which node computer. This register set is described as part of the initialization of the node computer and then remains unchanged until the next initialization. With this mechanism, the memory allocation of the node computer can be adapted to the requirements of the application software.

It is advantageous if the control table of the C-unit 101 and the core images of the A-computers 110, 120, 130 and 140 can be loaded via the interfaces 108 and 109 in the start-up phase of the system. To prevent unauthorized access to the system, the load logs can be secured by known asymmetric cryptographic techniques. F.inre.ichknnie. 5. 5. 9004

Claims (1)

9 ·························· PATENT CLAIMS (1) Mixed-Criticality Node computer of a distributed real-time system having a communication controller for a given timed real-time communication system, characterized in that the node computer has at least one connector unit (C-unit) and n application computer (A-computer) includes and where each of the n A-computer has its own processor and its own memory and where the A-computers are arranged in a star around the C-unit, and where the C-unit has a communication interface (CNI-Communication Network Interface) to the communication controller for the real-time communication system, and where each of the n A-computers has a point-to-point interface to the C-unit, and where the C-unit the global time that it has over the CNI gets over forwarding the point-to-point interfaces to the A-computers, and where the C-unit divides the data arriving at the CNI according to a control table to the A-computer point-to-point interfaces, and where the C-unit Output data, which it receives via the point-to-point interfaces of the A-computers, to the CNI interface. (2) Mixed Criticality Node computer according to claim 1, characterized in that one or more of the point-to-point interfaces between an A-computer and the C-unit are syntactically and semantically constructed as the given CNI between the C-unit and the communication controller, so that from the point of view of the A-computer is not recognizable whether its point-to-point interface leads to a C-unit or directly to the communication controller. (3) Mixed-Criticality node computer according to one or more of claims 1 to 2, characterized in that the C-unit is integrated in the communication controller. (4) Mixed-Criticality Node computer according to one or more of claims 1 to 3, characterized in that the C-unit is realized directly in the form of dedicated hardware, which is controlled by the parameters of the control table. (5) Mixed-Criticality node computer according to one or more of claims 1 to 4, characterized in that the C-unit is an autonomous programmable computer with its own CPU, its own memory and its own software. (6) mixed-Criticality node computer according to one or more of claims 1 to 5, characterized in that instead of an A-computer, a further C-unit is arranged, which supports itself again several point-to-point interfaces to other A computers. (7) Mixed-Criticality node computer according to one or more of claims 1 to 6, characterized in that data can be transmitted via the point-to-point interface from an A-computer to the C-unit and from there to another A-computer , (8) Mixed-Criticality node computer according to one or more of claims 1 to 7, characterized in that the C-unit only those data are transmitted to an A-computer, which requires this A-computer for the solution of its task. F.inmir.hkonip. 5 5 9004 (9) Mixed-Criticality Node computer according to one or more of claims 1 to 8, characterized in that the syntax and semantics of the point-to-point interfaces of a C-unit to the different A-computers can be designed differently and can correspond to the interfaces of communication controllers of different communication protocols. (10) mixed-criticality node computer according to one or more of claims 1 to 9, characterized in that the C-unit two or more point-to-point interfaces lead to an A-computer, the syntax and semantics of this point-to Point interfaces can be different and correspond to the interfaces of communication controllers of different communication protocols. (11) Mixed-Criticality Node computer according to one or more of claims 1 to 10, characterized in that one of the point-to-point interface between the C-unit and an A-computer for the transmission of event messages and a second interface between the C Unit and the same A-computer is designed for the transmission of status messages. (12) Mixed Criticality Node computer according to one or more of claims 1 to 11, characterized in that one of the point-to-point interface between the C-unit and an A-computer for the transmission of event messages is designed according to the CAN protocol. (13) Mixed Criticality Node computer according to one or more of claims 1 to 12, characterized in that one of the point-to-point interface between the C-unit and an A-computer for the transmission of status messages according to the TTP / C protocol designed is. (14) Mixed Criticality Node computer according to one or more of claims 1 to 13, characterized in that one of the point-to-point interface between the C-unit and an A-computer for the transmission of messages according to the FlexRay protocol is designed. (15) Mixed-Criticality Node computer according to one or more of claims 1 to 14, characterized in that the C-unit decodes necessary protocol transformations between their interfaces. (16) Mixed-Criticality Node computer according to one or more of claims 1 to 15, characterized in that an A computer has a local interface to the sensors and actuators, which requires this A-computer to solve its task. (17) Mixed-Criticality Node computer according to one or more of claims 1 to 16, characterized in that an A-computer has a local communication interface to a private communication system and thus assumes the role of a gateway between two clusters. (18) Mixed-Criticality Node computer according to one or more of claims 1 to 17, characterized in that the different A-computer operate largely autonomously and perform the error handling and possibly the restart autonomously after the occurrence of an error. (19) Mixed-Criticality Node computer according to one or more of claims 1 to 18, characterized in that sent after detection of an error or an out-of-standard condition in one of the A-computer or in the C-unit, an error message to a diagnostic computer becomes. F.inre.ichkonie. 5. 5 9.004 (20) Mixed-Criticality Node computer according to one or more of claims 1 to 19, characterized in that as part of the initialization of the node computer, the existing memory of the node computer is dynamically divided among the individual A-computer. F.inre.irhknnie. 5 5 9,004