EP2801030A1

EP2801030A1 - Method and apparatus for forming software fault containment units (swfcus) in a distributed real-time system

Info

Publication number: EP2801030A1
Application number: EP13716172.5A
Authority: EP
Inventors: Stefan Poledna
Original assignee: FTS Computertechnik GmbH
Current assignee: Tttech Computertechnik AG
Priority date: 2012-03-20
Filing date: 2013-03-19
Publication date: 2014-11-12
Also published as: US20150039929A1; JP2015517140A; AT512665B1; CN104145248A; WO2013138833A1; AT512665A1

Abstract

The invention relates to a method for limiting the effects of software errors in a distributed real-time system in which a plurality of distributed application systems are executed simultaneously, wherein each application system forms an encapsulated software fault containment unit (SWFCU), wherein an SWFCU comprises the software of a distributed application system, said software being executed on one or more virtual computer nodes and one or more dedicated computer nodes, and exchanging messages via one or more encapsulated virtual communication systems, wherein a communication system consists of communication controllers, switching units and physical connections, and wherein the direct effects of a software error of an SWFCU remain limited to the SWFCU.

Description

METHOD AND APPARATUS FOR FORMING FAULT-CONTAINMENT UNITS SOFTWARE (SWFCU S) IN A DISTRIBUTED REAL-TIME SYSTEM

The invention relates to a method for limiting the effects of software errors in a distributed real-time system in which multiple distributed application systems are executed simultaneously.

Furthermore, the invention relates to a communication controller for a physical computer node for carrying out such a method.

Moreover, the invention relates to a communication controller for a personal computer for carrying out such a method.

The present invention is in the field of computer technology. It describes an innovative method and the supporting hardware that can be formed in a distributed real-time computer software fault containment unit (SWFCU) to isolate the consequences of occurring software errors on clearly demarcated areas.

In many real-time applications, tasks of different criticality must be performed. In a federated computer architecture, each of these tasks is solved on a distributed hardware system with dedicated compute nodes and proprietary communication systems to prevent errors from a lower criticality class system from affecting a higher criticality class system. This approach leads to a variety of computers, a high cabling overhead for communication and thus high costs.

The increase in performance of computer hardware due to the higher density of integration makes it possible, from the point of view of performance, to integrate many application systems of different criticality on a single powerful distributed computer system. However, this is only possible if the system architecture and the certified system software, the application software of a distributed application system can be encapsulated so that it is ensured that any software error in a Application system can affect the functionality of another application system neither in the time domain nor in the value range.

It is an object of the invention to disclose a new method of implementing spatial and temporal isolation of a distributed application system within a distributed computer system so that multiple distributed application systems of different criticality can be integrated on a single distributed computer system.

This object is achieved with a method mentioned in the introduction in that, according to the invention, each application system forms an encapsulated software fault containment unit (SWFCU), wherein a SWFCU comprises the software of a distributed application system that is based on one or more virtual computer nodes and one or more Dedicated computer node is executed, and communicate over one or more encapsulated virtual communication systems, wherein a communication system of communication controllers, switching units and physical connections, exchange messages, and the immediate effects of software error of a SWFCU remain limited to the SWFCU.

If several application systems are implemented on a distributed computer architecture, it is expedient to distinguish between the following types of computer nodes: A physical computer node is a computer with CPU, memory and communication interface, eg a personal computer. A shared computer node is a physical computer node on which several application systems are implemented, for example a personal computer on which a plurality of virtual machines are installed by means of a hypervisor or a corresponding partitioned operating system, as defined by the ARINC 653 standard [6]. The hypervisor encapsulates the virtual machines spatially and temporally. A virtual compute node is one of the virtual machines of a shared compute node, including the associated communication controller, which decapsulates the messages of the virtual machines. A dedicated compute node is a physical compute node (including the communication controller) on which only a single application system is implemented. A physical communication system enables the message transport between the communication controllers of the physical computer nodes. A physical communication system consists of the communication controllers installed in the computers, the physical lines and the switching units. On a physical communication system, a number of partitions, ie virtual communication systems, can be set up by means of time control. A partition is active when sending messages. If several partitions are active within a given time interval, the physical communication system controls which messages of which partitions are sent on the physical lines at what times.

A partition is encapsulated if the temporal guarantees regarding the communication behavior of one partition can not be influenced by the behavior of the other simultaneously active partitions. Encapsulated partitions are present when the physical communication system is implemented as a timed communication system. Since the periodic time slots for the transmission of the data and thus the bandwidths are allocated a priori to the individual subscribers in a time-controlled communication system, a mutual temporal influence on the partitions set up on a physical communication system is excluded.

Messages are assigned to predefined virtual links, where Virtual link <identifier> is the name of the virtual link. Virtual links have exactly one predefined station and one predefined group of receivers. Messages can either be time-triggered, rate-constrained, or transmitted according to the best-effort principle. Time-triggered means that the messages are sent at predefined times using a synchronized time base. Rate-constrained means that a predefined minimum distance is maintained between two messages of a virtual link. Best effort means that the transmission of messages is not guaranteed [4].

In a partition messages can be sent from one or more virtual links. According to the way the messages are communicated, we speak of time-triggered partition, rate-constrained partition, or best-effort partition. In addition, partitions are possible that send messages according to different principles; such partitions are called mixed partitions. In the following, an identified communication channel in the communication system is named as follows: Virtual link <identifier>, where <identifier> specifies the name of the virtual link. In one partition several virtual links can be active at the same time.

A physical communication system that is implemented as a time-controlled communication system and in which one or more rate-constrained partitions and / or best-effort partitions and / or mixed partitions are active does not show each individual message the rate-constrained / best-effort / mixed Partition to a time slot, but only one time slot for the sum of all messages of the corresponding partition. This ensures that messages from different partitions can not be influenced over time.

In the field of computer reliability, the notion of a fault-containment unit (FCU) is of central importance [4, p. 136]. An FCU is understood to mean an encapsulated set of subsystems, with the immediate effects of an error cause in a subsystem of the entirety limited to the specified entity. An application system constitutes such an entity, which may consist of the following subsystems: (i) the software running on one or more virtual machine nodes, (ii) the software running on one or more dedicated computer nodes, and (iii) one or more virtual encapsulated ones Communication systems that perform message transport between the virtual and dedicated compute nodes of the application system. We refer to an encapsulated set of distributed application system software executing on one or more virtual machine nodes and one or more dedicated computer nodes, and where the immediate effects of a software failure of that entity are encapsulated, a Software Fault-Containment Unit (SWFCU). The immediate consequences of a SWFCU error are thus limited to this SWFCU and can not affect another SWFCU implemented in the distributed real-time system, neither in the value range nor in the time domain. If, in an integrated distributed real-time system, each application system forms its own distributed SWFCU, the mutual influence of the application systems due to software errors in the application systems can be excluded.

The present invention discloses an innovative method of how software fault containment units (SWFCUs) distributed in a distributed real-time system can be formed. It is proposed that each of the application systems realized on a distributed real-time system forms its own SWFCU. This ensures that a software error in a SWFCU can not affect the correct function of the other SWFCUs.

Further advantageous embodiments of the method according to the invention are described in the subclaims. For example, it is advantageous for a virtual computer node to consist of a virtual machine (VM) managed by a hypervisor on a computer and an encapsulated partition of a communication controller exclusively assigned to the VM.

Furthermore, it may be advantageous if the communication controller converts the spatially encapsulated output data in the memory area into an associated time-encapsulated message and places the content of an incoming time-encapsulated message in a spatially encapsulated memory area associated with the message.

In addition, it can be provided that virtual link identifiers are used to establish the association between time-encapsulated messages and associated encapsulated partitions of a communication controller.

It is useful if a time slot for the sum of all messages (time-triggered, rate constrained, best effort) of a mixed partition is provided in a time-controlled communication system.

Furthermore, it is advantageous if different SWFCUs communicate exclusively via messages.

It is useful if the switching unit supports multicast communication so that the messages exchanged between the SWFCUs can be monitored by an independent monitor component.

The above-mentioned object is also realized with a communication controller for a physical computer node for carrying out a method as described above, wherein the communication controller encapsulates the output data spatially encapsulated in the memory area of a virtual machine into an associated time-encapsulated one Message converts and enters the data arriving in a timed message data in an associated spatially encapsulated memory area of a virtual machine.

Likewise, the above-mentioned object is realized with a communication controller for a personal computer for performing a method described above, wherein the communication controller supports the PCI interface standard and the incoming data in a timed message are stored in an associated spatially encapsulated memory area of a virtual machine.

The above-mentioned object is also realized with a communication controller for a personal computer for performing a method as described above, wherein, alternatively or as a modification of the communication controller described above, the communication controller supports the TTEthernet standard.

The present invention will be explained by way of example with reference to the following drawings. It shows

FIG. 1 shows a physical computer node on which three virtual computer nodes are realized, and

2 shows a SWFCU consisting of two virtual computer nodes, a virtual communication system and two dedicated computer nodes.

The following concrete example deals with one of the many possible realizations of the method according to the invention.

FIG. 1 shows a physical computer node on which three virtual machines 101, 102, 103 are realized. A dedicated storage area 111 of the virtual machine 101 can be addressed by both the virtual machine 101 and the communication controller 120. This dedicated memory area 111 is the end point of a virtual communication channel realized on the physical communication channel 130. On the physical communication channel 130, several time-encapsulated virtual communication channels can be set up by time control. The communication controller 120 maps the spatially encapsulated data lying in the memory area 111 into a temporally assigned encapsulated message (and vice versa). versa). The communication controller 120 provides the three encapsulated partitions 111, 112, 113, with one partition each being exclusively associated with one of the three hypervisor-managed virtual machines (VMs) 101, 102, 103.

The storage areas 111, 112, 113 associated with the virtual machines 101, 102, 103 form the endpoints of these virtual communication systems. Before system startup, the parameters of the virtual machines 101, 102, 103 and the physical communication controller 120 are set by means of a certified system software (ZSW) such that the software of one virtual machine does not obtain access rights to the storage areas of the other virtual machine, and that time-controlled messages, which are transported on the physical communication channel 130, the corresponding memory areas 111, 112, 113 of the virtual machines 101, 102, 103 are assigned. The methodology of building hypervisor virtual machines has already been disclosed in [1]. In the meantime, there are methods that make it possible to formally prove the correctness of the software of a hypervisor [2]. The interface of the communication controller 120 to the CPU and / or memory of the physical computer node may be designed according to the PCI standard [3]. The interface of the communication controller 120 to the timed communication system 130 may be designed according to the TTEthernet standard [5].

2 shows a distributed real-time system consisting of two physical node computers 210, 220, a switching unit 250 and four dedicated node computers 230, 231, 232, 233. In this real-time system there are several software fault-containment units (SWFCUs). The strongly rimmed parts of Fig. 1 constitute one of these SWFCUs. This selected SWFCU comprises the virtual machine 211, the communication controller 213 and the shared memory 212, the communication channel 251 to the switching unit 250, the virtual machine 221, the communication controller 223 and the shared memory 222 therebetween, the communication channel 252 to the switching unit 250, and the dedicated computer node 230 with the sensor 215 and the dedicated computer node 233 with the actuator 216 including the corresponding connections 256 and 253 to the switching unit 250. The two hypervisors in the physical computer nodes 210 and 220, the communication controllers 213 and 223 and the communication protocol in the Switching unit 250 prevents a software error outside of this SWFCU from affecting the operation of that SWFCU can. In the switching unit 250, the TTEthernet protocol [5] can be used to encapsulate the communication of this SWFCU. This protocol supports deterministic timed communication, as well as rate-constrained communication and best effort event-driven communication. Alternatively, another protocol that time-caps the communication channels may also be used in the switching unit 250.

The communication between different SWFCUs realized on a distributed real-time system is to be done via messages, whereby it is advantageous if these messages can be observed by an independent monitor. This can be achieved if the switching unit 250 supports multicast communication.

Quoted literature:

[1] US Pat. 4,949,254. Shorter. Method to manage concurrent execution of a distributed application program by a host. Computer and a large number of smart work stations on an SNA network. Granted August 14, 1990

[2] Klein, G. et al. (2009). Formal Verification of an OS Kernel. Proc. Of the ACM SIGOPS 22nd Symposium on Operating System Principles. ACM Press.

[3] Peripheral Component Interconnect (PCI) Standard, Wikipedia. Accessed March 3, 2012.

[4] Kopetz, H. Real-Time Systems, Design Principles for Distributed Embedded Applications. Springer Verlag. 2011th

[5] SAE standard from TTEthernet. URL: http://standards.sae.org/ as6802

[6] ARINC 653P1-3 Avionics Application Software Standard Interface, Part 1, Required Services: https://www.arinc.com/cf/store/catalog_detail.cfm?item_id=1487, 653P2-1 Avionics Application Software Standard Interface, Part 2 - Extended Services: https://www.arinc.com/ cf / störe / catalog_detail.cfm? Item_id = 1072

Claims

\. A method for mitigating the effects of software failures in a distributed real-time system in which multiple distributed application systems are executed simultaneously, characterized in that each application system forms an encapsulated software fault containment unit (SWFCU), one SWFCU being distributed software Application system, which is executed on one or more virtual machine nodes and one or more dedicated computer nodes, and exchange messages over one or more encapsulated virtual communication systems, wherein a communication system of communication controllers, switching units and physical connections, and the immediate effects of Software errors of a SWFCU remain restricted to the SWFCU.

2. The method according to claim 1, characterized in that a virtual computer node consists of a managed on a computer by a hypervisor virtual machine (VM) and one of the VM exclusively associated with the partitioned partition of a communication controller.

3. The method of claim 1 or 2, characterized in that the communication controller (120) spatially encapsulated in the memory area (111) output data into an associated time-encapsulated message and the content of an incoming time-encapsulated message in a message associated spatially encapsulated memory area sets.

4. The method according to any one of claims 1 to 3, characterized in that virtual link identifiers are used to establish the association between time-encapsulated messages and associated encapsulated partitions of a communication controller.

5. The method according to any one of claims 1 to 4, characterized in that in a time-controlled communication system, a time slot for the sum of all messages (time-triggered, rate constrained, best effort) of a mixed partition is provided.

6. The method according to any one of claims 1 to 5, characterized in that different SWFCUs communicate exclusively via messages.

The method of claim 6, characterized in that the switching unit (250) supports multicast communication so that the messages exchanged between the SWFCUs can be observed by an independent monitor component.

8. communication controller for a physical computer node of one or more of the steps outlined in claims 1 to 7 realized steps, characterized in that the communication controller spatially encapsulated in the memory area of a virtual machine output data into an associated time-encapsulated message and in a timed message stores incoming data in an associated spatially encapsulated storage area of a virtual machine.

9. communication controller for a personal computer of one or more of the steps outlined in claims 1 to 7 implemented method steps, characterized in that the communication controller supports the PCI interface standard and stored in a timed message data in an associated spatially encapsulated memory area of a virtual machine become.

10. communication controller for a personal computer of one or more of the steps outlined in claims 1 to 7 implemented method steps, characterized in that the communication controller supports the TTEthernet standard.

11. Real-time system with a communication controller according to one of claims 8 to 10.