WO2017081634A1 - Method and apparatus for a resilient signaling of time - Google Patents

Publication number
WO2017081634A1
WO2017081634A1 PCT/IB2016/056768 IB2016056768W WO2017081634A1 WO 2017081634 A1 WO2017081634 A1 WO 2017081634A1 IB 2016056768 W IB2016056768 W IB 2016056768W WO 2017081634 A1 WO2017081634 A1 WO 2017081634A1
Authority
WO
WIPO (PCT)
Prior art keywords
time
local clock
previous
uncertainty
synchronization
Application number
PCT/IB2016/056768
Other languages
French (fr)
Inventor
Francesco Brancati
Claudio FANTACCI
Andrea BONDAVALLI
Andrea CECCARELLI
Original Assignee
Resiltech S.R.L.
Application filed by Resiltech S.R.L.

Classifications

    • G PHYSICS
    • G04 HOROLOGY
    • G04R RADIO-CONTROLLED TIME-PIECES
    • G04R20/00 Setting the time according to the time information carried or implied by the radio signal
    • G04R20/02 Setting the time according to the time information carried or implied by the radio signal, the radio signal being sent by a satellite, e.g. GPS
    • G04R20/06 Decoding time data; Circuits therefor

Definitions

  • the external time signal being received by a plurality of satellite modules makes the execution of the method continuous even when one or several satellite modules are disconnected in order for them to be modified or maintained, thus guaranteeing the availability and reliability of the method.
  • the received external time signal is used to regulate a clock, after estimating the offset and the drift of the time signaled by said local clock with respect to the universal time.
  • a set of physical quantities for instance temperature, pressure, humidity, etc.
  • the offset and drift values of the local time estimated with respect to the universal time are stored and related to the physical quantities measured in the same instant in time by the dedicated sensors.
  • Local clock synchronization basically takes place by applying a corrective coefficient to the time signal of the local clock in order to synchronize it with the universal time.
  • the local clock is synchronized by calculating, by way of appropriate algorithms, the offset and the drift with respect to the universal time provided by the satellite network.
  • local clock synchronization takes place by using appropriate mathematical models to calculate the offset and the drift with respect to the universal time as a function of the existing environmental conditions, as measured by the dedicated sensors.
  • Such mathematical model can, if necessary, be built-up on the basis of historical offset and drift data and corresponding physical quantities, so that the mathematical model outputs the most appropriate offset and drift values for the actual environmental conditions.
  • the mathematical model be an automatic learning algorithm, capable of automatically improving its own performances as the set of data available thereto increases over time.
  • the offset and the drift of the local time are analyzed and, via a statistical and probabilistic analysis, the synchronization uncertainty, representing the degree of uncertainty of the time signaled by the local clock, is estimated, so as to get a measure of its reliability degree.
  • the present patent application thus makes it possible to get not only a quantitative estimate of the deviation (offset) of the local time from the actual universal time, but also a qualitative measure of reliability (synchronization uncertainty) of said quantitative estimate.
  • the method according to the present patent application seeks to keep synchronization uncertainty within given limits by performing, if necessary, further attempts of synchronization with the satellite time signal, whenever such synchronization uncertainty is greater than given predetermined limits.
  • the method is advantageously usable for the time synchronization of a plurality of nodes of a distributed network: in this event, once said local clock is synchronized with the universal time and the uncertainty of the local time is estimated, an iterative process is initiated which periodically generates and sends a time synchronization message to the network users, in order to synchronize the clocks of the individual nodes with the local clock.
  • Such iterative synchronization message generation and sending process can advantageously be initiated or kept active only when the estimated uncertainty is less than a predetermined threshold value.
  • the satellite signal receiving modules can be deactivated whenever the estimated uncertainty is less than a given threshold value and are re-activated whenever uncertainty exceeds such threshold value.
  • the present patent application also concerns an apparatus for a resilient signaling of time and suitable for implementing the above described method, said apparatus basically comprising:
  • an oscillator comprising a dedicated circuitry and a resonator to output a reference frequency for the remaining electronic components of the apparatus
  • the apparatus further comprises a plurality of network interface cards (NIC) which allow time synchronization messages to be sent to the nodes of a distributed network.
  • NIC network interface cards
  • the electronic processor periodically performs functional or structural, hardware tests and checks on any software modules being run to implement the safety attributes and, if necessary, to stop the execution of the method if any abnormality is detected.
  • the plurality of satellite receiver modules and NIC cards are configured to tolerate multiple faults or disconnections or deactivations, so as to realize the system availability and reliability attribute.
  • the time synchronization messages are transmitted according to a network time protocol, for instance IEEE Standard 1588-2008 (Precision Time Protocol v2, PTPv2) or the RFC protocol 5905 (Network Time Protocol Version 4, NTPv4), or even any other compatible or future versions.
  • Fig. 1 shows a functional flow chart of the steps of the method according to the present patent application in accordance with a possible embodiment comprising the following steps: - receiving a satellite signal (a);
  • Fig. 2 shows a flow chart of a possible embodiment of the method, wherein step (c) is only performed if the satellite signal analyzed in step (b) is not valid.
  • Fig. 3 shows a flow chart of a possible embodiment of the method wherein, if the uncertainty estimated in step (g) is equal to or less than a threshold value, steps (a), (b), and (d) are not performed in the next iteration of the method.
  • Fig. 4 shows a flow chart of a possible embodiment of the method wherein, after step (g), if the estimated uncertainty is equal to or less than a predetermined value, an iterative time synchronization message generation and sending process is initiated or kept active (z) towards the users of a network, whereas if such estimated uncertainty is greater than said predetermined value, said iterative time synchronization message generation and sending process is terminated (x).
  • the present invention provides a method for signaling time in a resilient manner by providing information on its accuracy with respect to the universal time.
  • the universal time signal is obtained from a reliable external source such as the satellite signal received from a constellation of satellites, for instance the satellites of the GPS, Galileo, GLONASS network or other similar networks.
  • the method comprises the steps described below.
  • step (a) wherein a satellite signal is received, said signal containing an information about the universal time based on earth's rotation, according to a given international standard.
  • a very high precision can be achieved by exploiting dedicated synchronization signals provided by the satellite module such as, for instance, the 1PPS (one pulse per second) signal.
  • said satellite signal is analyzed to check whether it is safe and reliable and to detect any abnormalities, for instance data handlings ("spoofing") or disturbances in the radio communications ("jamming"), hints of possible external attacks or data handlings or operational errors (in these cases, the satellite system possibly sends a wrong time signal not corresponding to the actual universal time). In the absence of any abnormalities or disturbances, the signal is validated.
  • a set of physical quantities indicative of the existing environmental conditions are measured by means of a plurality of dedicated sensors.
  • the physical quantities of interest are those which might affect the oscillation of the crystal of the local clock, for instance temperature, pressure, humidity, movements and/or sudden displacements.
  • the measured physical quantities from the individual sensors are stored.
  • step (d) is initiated, wherein said signal is interpreted to extrapolate the time information about the universal time signal and, in this way, the drift and the offset of the time signaled by a local clock with respect to said universal time are estimated, by way of appropriate algorithms.
  • step (e) is performed: the offset and the drift of the local clock with respect to the universal time are calculated by way of a mathematical model, as a function of the existing environmental conditions, as defined by the physical quantities measured in the previous step (c).
  • the time information of the local clock is properly "corrected" on the basis of the estimated offset and drift, so as to synchronize it with the universal time.
  • Local clock synchronization takes place by gradually modifying the reference time of the local clock itself, by making it go faster or slow down, until reaching the requested correction.
  • Local clock synchronization can take place by using a PTP or NTP signal or other similar protocols.
  • the synchronization message for the nodes of a distributed network conforms to the NTPv4 or PTPv2 standards.
  • step (g) the synchronization uncertainty of the local clock time is estimated by means of statistical and probabilistic analyses (for instance the Fokker-Planck equation or the Bayes theorem).
  • the above described method can advantageously be performed periodically, in an iterative manner.
  • a new iteration of the process is only initiated whenever the uncertainty estimated in step (g) is greater than a given, preset threshold value (si).
  • the mathematical model used in step (e) is set-up on the basis of historical data for the values of measured physical quantities and of corresponding offset and drift values of the local clock as referred to the universal time.
  • the mathematical model used in step (e) can be an automatic learning algorithm, capable of automatically improving its own "performances" on the basis of the acquired experience.
  • step (c) is only performed whenever the satellite signal analyzed in the previous step (b) is not valid, in this way preventing the measuring sensors from being activated except when it is strictly necessary, mainly for energy saving purposes.
  • steps (a), (b), (d) are not performed in the next iteration of the method, in this way preventing the satellite receiver modules from being activated.
  • step (g) an iterative process can be initiated which periodically generates a time synchronization message and sends it to the users of the network, in order to synchronize the clocks of the individual nodes at the time instant indicated by the local clock.
  • Such iterative process is started or, if already started, is simply kept activated (z), only when the estimated uncertainty is equal to or less than a predetermined value (s3); conversely, whenever said uncertainty is greater than such threshold value (s3), the iterative process is terminated (x) and it is only re-activated as soon as uncertainty comes back below the predetermined value (s3).
  • the present patent application also concerns an apparatus for a resilient signaling of time capable of implementing the above described method.
  • such apparatus comprises:
  • an oscillator basically consisting of a circuitry and a resonator suitable for providing a reference frequency for the remaining electronic components of the apparatus
  • sensors for measuring physical quantities: temperature, humidity, pressure sensors, gyroscopes, accelerometers, etc.
  • such apparatus further comprises one or several network interface cards for sending time synchronization messages to the nodes of the distributed network.
  • said one or several network interface cards conform to the IEEE 1588 PTP standard to provide a hardware time marking so as to improve synchronization accuracy in the nodes of the network.
  • the apparatus is capable of operating correctly even in the case that one or several modules stop being operational or are deactivated for maintenance purposes.
  • the system is capable of operating continuously even when one or several cards are deactivated or not operational.
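
The iteration described in steps (a) to (g) and the threshold gating of the synchronization messages, as an added Python example that is not part of the patent. The linear drift model, the plausibility check used for step (b), the linear growth of the uncertainty bound (a simple stand-in for the statistical analysis named in step (g)), and all names, thresholds and sample values are assumptions made for the illustration.

```python
# Added illustration, not code from the patent. Names, thresholds and sample
# values are constructed; the linear uncertainty growth is a simple stand-in
# for the statistical analysis named in step (g).
MEAS_UNCERTAINTY_US = 0.1     # assumed uncertainty right after an accepted fix
MODEL_ERROR_FLOOR_PPM = 0.02  # assumed lower bound on drift-model error


def predict(weights, env):
    """Step (e): drift in ppm predicted from the sensor readings."""
    return weights[0] + sum(w * x for w, x in zip(weights[1:], env))


def fit_drift_model(history):
    """Least-squares fit of drift (ppm) against stored sensor readings.

    history: list of (env_tuple, drift_ppm) recorded while the signal was valid.
    Returns (weights, worst-case model error in ppm).
    """
    rows = [(1.0,) + tuple(env) for env, _ in history]
    ys = [y for _, y in history]
    n = len(rows[0])
    # Augmented normal equations [X^T X | X^T y], solved by Gauss-Jordan.
    a = [[sum(r[i] * r[j] for r in rows) for j in range(n)]
         + [sum(r[i] * y for r, y in zip(rows, ys))] for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))
        a[c], a[p] = a[p], a[c]
        for r in range(n):
            if r != c:
                k = a[r][c] / a[c][c]
                a[r] = [x - k * y for x, y in zip(a[r], a[c])]
    weights = [a[i][n] / a[i][i] for i in range(n)]
    resid = max(abs(y - predict(weights, env)) for env, y in history)
    return weights, max(resid, MODEL_ERROR_FLOOR_PPM)


class ResilientClock:
    def __init__(self, weights, model_err_ppm, resync_us, distribute_us):
        self.weights, self.model_err_ppm = weights, model_err_ppm
        self.resync_us = resync_us          # above this, try the receivers again
        self.distribute_us = distribute_us  # above this, stop sync messages (x)
        self.offset_us = 0.0
        self.uncertainty_us = float("inf")  # nothing is known before the first fix

    def iterate(self, dt_s, env, gnss_offset_us=None):
        """One pass; gnss_offset_us is the measured offset, None if no signal."""
        # Model prediction: 1 ppm of drift over 1 s adds 1 microsecond.
        predicted = self.offset_us + predict(self.weights, env) * dt_s
        grown = self.uncertainty_us + self.model_err_ppm * dt_s
        # Step (b), assumed check: a fix is valid only if it agrees with the
        # prediction to within the current bound. This limits how far one
        # accepted fix can move the clock; it is not a full spoofing detector.
        accepted = (gnss_offset_us is not None and
                    abs(gnss_offset_us - predicted) <= grown + MEAS_UNCERTAINTY_US)
        if accepted:
            self.offset_us, self.uncertainty_us = gnss_offset_us, MEAS_UNCERTAINTY_US
        else:  # holdover on the environmental model
            self.offset_us, self.uncertainty_us = predicted, grown
        return {
            "gnss_accepted": accepted,
            "offset_us": self.offset_us,
            "uncertainty_us": self.uncertainty_us,
            "distributing": self.uncertainty_us <= self.distribute_us,
            "want_gnss": self.uncertainty_us > self.resync_us,
        }


def run_constructed_scenario():
    # Constructed history: (temperature degC, humidity %) -> drift in ppm.
    history = [((t, h), 2.0 + 0.05 * t + 0.01 * h)
               for t, h in [(20, 40), (25, 35), (30, 50), (35, 45), (40, 60)]]
    weights, err = fit_drift_model(history)
    clock = ResilientClock(weights, err, resync_us=0.4, distribute_us=1.0)
    env = (30, 50)  # oscillator drifts 4 ppm, i.e. 40 us per 10 s pass
    # Fix at t=10 s, outage, implausible fix (+15 us), outage x3, good fix.
    fixes = [40.0, None, 135.0, None, None, None, 280.0]
    return weights, [clock.iterate(10.0, env, f) for f in fixes]


if __name__ == "__main__":
    for i, r in enumerate(run_constructed_scenario()[1], 1):
        print(i, r)
```

In the constructed run the implausible fix in the third pass is rejected and the clock stays on the model; distribution stops in the sixth pass, when the bound exceeds the distribution threshold, and resumes once a consistent fix is accepted.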

Abstract

A method for a resilient signaling of time and for a time synchronization of the users of a distributed network. The invention also comprises an apparatus for implementing such method.

Description

DESCRIPTION
Title
METHOD AND APPARATUS FOR A RESILIENT SIGNALING OF TIME.
Technical field
The present invention concerns a method for a resilient signaling of time and for resiliently keeping the time internally to distributed "real time" systems by means of the generation of time synchronization messages.
Time management is pivotal in many sectors of the art, for instance:
a) in telecommunications, wherein the terminals or nodes of a network have severe time synchronization error requirements as referred to the backhaul time for communication purposes (for instance the LTE-A standard, where LTE-A stands for Long Term Evolution Advanced, requires synchronization times of less than +500 ns);
b) in electronics, for synchronizing the digital circuits of digital devices;
c) in intelligent networks or smart grids, wherein time synchronization is required by synchronized Phasor Measurement Units (PMU) or synchrophasors, for distributed synchronized measurements to prevent cascaded faults in a network;
d) in distributed control technologies, wherein many actuators shall have their own respective dedicated control card synchronized, to be able to perform their real-time tasks in very short periods of time.
Status of the art
A precise and reliable time information is pivotal in many sectors of the art and as much pivotal is keeping the local time indicated by a clock internally to a system synchronous with a reference time signal.
In particular, in distributed systems assuring a time synchronization of the individual nodes or users making-up a network is absolutely necessary.
The reference universal time (UT) is based on earth's rotation and the international standard that the civil time is based on is the so-called U.T.C. (an acronym for "Universal Time Coordinated").
In information management and exchange systems, it is important to accurately set the order according to which the individual events occur and/or given operations are to be carried out.
In a distributed system, setting this order is complex because of the heterogeneity due to differences both in software and hardware, as well as because of the different types of connections used by each individual node and because of the distributed systems, wherein nodes or sets of nodes can come in or go out in any moment, being extremely dynamic.
In centralized systems, the communications between the individual processes in progress exclusively take place by way of message exchanges; consequently, time synchronization requirements shall be met aiming at determining which event has been generated before another. Whenever the processes are real time ones, i.e. whenever the response time problem is predominating with respect to the complexity of the algorithm to be used, it is necessary to be able to react to a given event within a delay time that it shall be possible to predetermine, irrespective of the context in which one is operating.
However, it is impossible that all clocks in the individual nodes of the system are perfectly synchronized with each other, which entails the impossibility of ordering all events that take place internally thereto in a precise and unique manner. Such failed synchronizability is due to structural differences, mostly of an electronic nature, of the various devices for generating a time signal (or clock signal) within the microprocessors or even to physical parameters such as temperature, state of use, and age of the device. For all of these reasons, a need is very much felt for obtaining a safe and reliable clock that can also operate as a "master clock" internally to a network of distributed systems, by providing the reference time to all nodes of the network which it is connected to.
By "master clock" we mean a precise and reliable clock that outputs the time signal for synchronizing the clocks of the individual users of a distributed network.
Patent application US 2014/0185632 A1 describes a structure of apparatuses interconnected to each other and comprising at least two nodes wherein a local master clock is implemented for a periodical synchronization of the nodes of the network even in the case of a malfunction of either master clock.
A sufficiently reliable and precise master clock shall be able to provide very precise reference time information; however, the oscillation frequency of a physical clock is not always constant, but rather tends to vary, mainly because of the tolerances of the values of the components used in the oscillator circuit and because of changes in the operating conditions (temperature, component aging, sudden movements).
This is the reason why, in modern applications, the reference universal time is obtained from an external source, typically a satellite signal, for instance the signal provided by the Global Positioning System (GPS) or that provided by the Galileo system or by the Global Navigation Satellite System (GLONASS). So, the master clock shall first of all be synchronized with said external reference time.
Patent document US 8922421 B1 describes a method for synchronizing a distributed radar network by using the time signal provided by the GPS satellite network.
However, whenever the signal is disturbed and/or not sufficiently reliable, it is not possible to guarantee a safe and precise time source.
Patent document US 9130661 B2 describes a method and an apparatus for synchronizing distributed systems by way of a satellite time signal, after checking for its reliability and safety.
In this case, the satellite time information is used to generate a synchronization message and to synchronize the local reference clock; whenever the satellite signal is missing or not reliable, the synchronization message is generated on the basis of the time information of said reference clock. Also, a monitor measures the time interval between two successive synchronization messages and, should such interval exceed a predetermined tolerance, it prevents network user synchronization.
However, the system described in US 9130661 B2 is not capable of regulating its own local clock so as to take account of the clock frequency and of the environmental operating conditions being variable.
Consequently, whenever there are troubles in the satellite network or the GPS signal is missing, the system will output a not sufficiently reliable time, in that it is based on the one signal provided by the local reference clock.
In order to obviate this problem, methods have been conceived which allow to synchronize system clocks whenever the external satellite signal is not available, by exploiting appropriate mathematical models.
One of such technical solutions is, for instance, described in patent document US 8884706 B2, wherein one or more mathematical models are iteratively instructed and tested, in order to evaluate the reliability degree and to select the most reliable model in the absence of an external synchronization signal.
However, this solution does not allow either to take account of the influence of the environmental physical conditions onto the drift of the local clock with respect to the universal time.
US 2015/0025831 A1 describes a seismic detection network wherein the local clocks of the various nodes of the network are periodically synchronized with the GPS signal and the ambient temperature is measured and used to determine the updating rate of the local clock. So, in this case, temperature measurement is not used to calculate the drift of the local clocks, but rather for the only purpose of reducing the number of synchronizations and hence saving energy.
The scientific article entitled "Adaptive temperature compensation of GPS disciplined quartz and rubidium oscillators", by Penrod Bruce M., disclosed in the proceedings of the IEEE International Frequency Control Symposium in 1996, illustrates a method for synchronizing (correcting) the quartz or rubidium oscillator of a (local) clock according to the universal time signal provided by the GPS satellite network. This method is based on the use of a recursive-type algorithm that, in the periods of time when the GPS universal satellite signal is missing, calculates an estimate of the correction to be applied to the oscillator of the local clock, in order to synchronize it with said universal time, account being taken of the "drift" (i.e. the deviation from the universal time) of the local clock and of temperature, in a given instant in time. The parameters of the recursive algorithm are determined by way of a linear regression, starting from a set of temperature values measured in given instants in time, in the periods when the GPS signal is present, i.e. while the universal time is known.
However, the method described in the mentioned scientific article is not sufficiently safe, because it does not include any analyses about the safety of the satellite signal: it follows that, whenever the GPS signal is present, the oscillator of the local clock is always synchronized with the satellite time signal, even when the received satellite signal is wrong, disturbed, or it has been intentionally tampered with by third parties.
Also, in the period of time when the GPS signal is missing, the algorithm estimates the correction to be applied to the local clock as a function of one physical quantity only, i.e. temperature. However, it is worth emphasizing that the oscillation of a crystal in a clock is affected by many physical quantities, for instance: temperature, humidity, pressure, sudden movements. In order to be sufficiently precise and reliable, the correction to be applied to the local clock shall take account of the changes of all above mentioned quantities.
Although various technical solutions have been developed, no resilient synchronization methods are known that allow the local clock to be "corrected" as a function of changes of temperature, humidity, pressure, and other physical quantities, if any, or after sudden movements, in the absence of an external synchronization signal such as, for instance, the satellite one.
It is also known that the deviation of the local clock from the reference time, also referred to as "offset", is not easily predictable because it is continually changing as a function of the environmental conditions and of the characteristics of the local clock itself.
The offset in a given instant in time is very difficult to calculate, mainly because of the transmission delay between the reference time source and the receiving equipment. Synchronization uncertainty is defined as a conservative estimate of such offset.
According to the present status of the art, it is not possible to measure the actual offset, and the known synchronization algorithms compute an (inaccurate) estimate of the offset, but without offering any guarantees on whether such value is actually close to the actual offset. None of the methods and apparatuses described so far makes it possible to evaluate the degree of uncertainty of the time indicated by the local clock, so as to provide a qualitative and quantitative measure of the time indicated by the local clock in the absence of an external synchronization.
The modern synchronization protocols calculate an estimated offset, but without offering any guarantees about whether it is actually close to the real offset and without forecasting a threshold beyond which the system shall consider the time signal provided by the local clock not reliable any longer.
Objects and summary of the invention
The invention according to the present patent application overcomes the drawbacks and limitations of the present state of the art by providing a method for signaling time in a resilient manner and for time synchronization internally to distributed systems, such as user networks. Resiliency is achieved by means of a plurality of architectural attributes:
- availability and reliability, i.e. a correct service being provided rapidly and continuously;
- safety, i.e. no unauthorized accesses to the system status or to its management;
- maintainability, i.e. capability of undergoing modifications and repairs;
- intrinsic safety, i.e. capability of switching to a "safe state" should an error greater than a given tolerance occur.
Time synchronization is a process whereby the precision, accuracy, and drift properties of a local clock of a system are retained with respect to the universal time provided by an external source.
In the method according to the present patent application, the "external" reference time is obtained from a satellite signal sent by one of the satellite networks available, for instance the GPS, Galileo, or GLONASS networks or other similar networks.
The satellite signal is received by a plurality of dedicated satellite modules, equipped with an appropriate antenna, which interpret such satellite signal and derive a time signal, for instance in the form of a 1PPS (one pulse per second) signal.
The satellite signal is analyzed to detect any abnormalities such as, for instance, "spoofing" or "jamming", so as to be able to apply appropriate countermeasures, if any, suitable for making the system safe against external attacks.
The external time signal being received by a plurality of satellite modules makes the execution of the method continuous even when one or several satellite modules are disconnected in order for them to be modified or maintained, thus guaranteeing the availability and reliability of the method.
The received external time signal is used to regulate a clock, after estimating the offset and the drift of the time signaled by said local clock with respect to the universal time.
Simultaneously a set of physical quantities (for instance temperature, pressure, humidity, etc.) are measured by means of a plurality of dedicated measuring sensors.
The offset and drift values of the local time estimated with respect to the universal time are stored and related to the physical quantities measured in the same instant in time by the dedicated sensors.
Local clock synchronization basically takes place by applying a corrective coefficient to the time signal of the local clock in order to synchronize it with the universal time.
Under normal conditions, i.e. in the presence of a satellite signal, the local clock is synchronized by calculating, by way of appropriate algorithms, the offset and the drift with respect to the universal time provided by the satellite network.
Conversely, whenever the satellite signal is missing or is not validated by the system, local clock synchronization takes place by using appropriate mathematical models to calculate the offset and the drift with respect to the universal time as a function of the existing environmental conditions, as measured by the dedicated sensors.
Such mathematical model can, if necessary, be built on the basis of historical offset and drift data and corresponding physical quantities, so that the mathematical model outputs the most appropriate offset and drift values for the actual environmental conditions.
Very advantageously, the mathematical model can be an automatic learning algorithm, capable of automatically improving its own performance as the set of data available to it increases over time.
It is known that the offset in a given instant in time is very difficult to calculate, mainly because of the transmission delay between the reference time source and the receiving equipment.
This is why there is a strong need to introduce the concept of synchronization uncertainty which, as already said, represents a conservative estimate of the offset, such as to meet the condition $a_c > U_c(t) > \Theta_c(t)$, where $a_c$ is the accuracy, i.e. the upper limit of the offset predetermined for the local clock, generally very far away from the actual value of the offset; $U_c(t)$ is the synchronization uncertainty at the instant $t$; and $\Theta_c(t)$ is the offset at the instant $t$.
The offset and the drift of the local time are analyzed and, via a statistical and probabilistic analysis, the synchronization uncertainty, representing the degree of uncertainty of the time signaled by the local clock, is estimated, so as to get a measure of its degree of reliability.
The present patent application thus makes it possible to get not only a quantitative estimate of the deviation (offset) of the local time from the actual universal time, but also a qualitative measure of reliability (synchronization uncertainty) of said quantitative estimate.
The concept of synchronization uncertainty is known in the reference sector and is described, for instance, in the following publicly disclosed documents:
- Andrea Bondavalli, Francesco Brancati, Andrea Ceccarelli, Lorenzo Falai, Michele Vadursi: Resilient estimation of synchronisation uncertainty through software clocks. IJCCBS 4(4): 301-322 (2013);
- Paolo Ferrari, Alessandra Flammini, Stefano Rinaldi, Andrea Bondavalli, Francesco Brancati: Experimental Characterization of Uncertainty Sources in a Software-Only Synchronization System. IEEE Trans. Instrumentation and Measurement 61(5): 1512-1521 (2012);
- Andrea Bondavalli, Francesco Brancati, Alessandra Flammini, Stefano Rinaldi: Master Failure Detection Protocol in Internal Synchronization Environment. IEEE Trans. Instrumentation and Measurement 62(1): 4-12 (2013);
- Bondavalli, Andrea, Andrea Ceccarelli, and Lorenzo Falai. "Assuring resilient time synchronization." Reliable Distributed Systems, 2008. SRDS'08. IEEE Symposium on. IEEE, 2008;
- A. Bondavalli, F. Brancati and A. Ceccarelli. "Safe Estimation of Time Uncertainty of Local Clocks". Proc. of Int. IEEE Symp. on Precision Clock Synch. for Measur., Contr. and Comm., ISPCS 2009. 2009. pp. 47-52;
- F. Brancati. "Adaptive and Safe Estimation of Different Sources of Uncertainty to Improve Dependability of Highly Dynamic Systems Through Online Monitoring Analysis". Ph.D. thesis. Università degli Studi di Firenze. Research doctorate in Information Technology and Applications (XXIV cycle). May 14th, 2012. Supervisor(s): A. Bondavalli.
The method according to the present patent application seeks to keep synchronization uncertainty within given limits by performing, if necessary, further attempts of synchronization with the satellite time signal, whenever such synchronization uncertainty is greater than given predetermined limits. The method is advantageously usable for the time synchronization of a plurality of nodes of a distributed network: in this case, once said local clock is synchronized with the universal time and the uncertainty of the local time is estimated, an iterative process is initiated which periodically generates and sends a time synchronization message to the network users, in order to synchronize the clocks of the individual nodes with the local clock.
Such iterative synchronization message generation and sending process can advantageously be initiated or kept active only when the estimated uncertainty is less than a predetermined threshold value.
Conversely, whenever said uncertainty is greater than the predetermined threshold value, said iterative process is terminated and a new synchronization attempt is initiated, if any.
The intrinsic safety of this method is guaranteed in that the generation and sending of such synchronization message do not take place whenever, for any reason (for instance network problems, hardware problems, etc.), uncertainty is too high.
For energy saving purposes, the satellite signal receiving modules can be deactivated whenever the estimated uncertainty is less than a given threshold value and re-activated whenever the uncertainty exceeds such threshold value.
The present patent application also concerns an apparatus for a resilient signaling of time and suitable for implementing the above described method, said apparatus basically comprising:
- an oscillator comprising a dedicated circuitry and a resonator to output a reference frequency for the remaining electronic components of the apparatus;
- an electronic processor suitable for running all processes and programs for implementing the method;
- a physical I/O (Input/Output) controller which makes it possible to connect the processor to external devices such as sensors or other apparatuses;
- a plurality of sensors for measuring physical quantities (temperature, humidity, pressure, etc.);
- a plurality of satellite receiver modules.
In the case of applications to network systems, the apparatus further comprises a plurality of network interface cards (NIC) which make it possible to send time synchronization messages to the nodes of a distributed network.
The electronic processor periodically performs functional or structural, hardware tests and checks on any software modules being run to implement the safety attributes and, if necessary, to stop the execution of the method if any abnormality is detected.
The plurality of satellite receiver modules and NIC cards are configured to tolerate multiple faults or disconnections or deactivations, so as to realize the system availability and reliability attribute.
The time synchronization messages are transmitted according to a network time protocol, for instance IEEE Standard 1588-2008 (Precision Time Protocol v2, PTPv2) or the RFC protocol 5905 (Network Time Protocol Version 4, NTPv4), or even any other compatible or future versions.
Brief description of the drawings
Fig. 1 shows a functional flow chart of the steps of the method according to the present patent application in accordance with a possible embodiment comprising the following steps:
- receiving a satellite signal (a);
- analyzing and, if necessary, validating said signal (b);
- measuring and storing physical quantities (c);
- interpreting the satellite signal and calculating the offset and drift of a local clock (d);
- calculating the offset and drift of a local clock via a mathematical model on the basis of the measured physical quantities (e);
- correcting the local clock time (f);
- estimating the synchronization uncertainty of the local time (g);
- repeating the previous steps (h).
Fig. 2 shows a flow chart of a possible embodiment of the method, wherein step (c) is only performed if the satellite signal analyzed in step (b) is not valid.
Fig. 3 shows a flow chart of a possible embodiment of the method wherein, if the uncertainty estimated in step (g) is equal to or less than a threshold value, steps (a), (b), and (d) are not performed in the next iteration of the method.
Fig. 4 shows a flow chart of a possible embodiment of the method wherein, after step (g), if the estimated uncertainty is equal to or less than a predetermined value, an iterative time synchronization message generation and sending process is initiated or kept active (z) towards the users of a network, whereas if such estimated uncertainty is greater than said predetermined value, said iterative time synchronization message generation and sending process is terminated (x).
Detailed description of an embodiment of the invention
The following detailed description, given for merely explanatory and non-limiting purposes with reference to the attached drawings, highlights further features and the advantages deriving therefrom, which are an integral part of the subject invention.
The present invention provides a method for signaling time in a resilient manner by providing information on its accuracy with respect to the universal time.
The universal time signal is obtained from a reliable external source such as the satellite signal received from a constellation of satellites, for instance the satellites of the GPS, Galileo, GLONASS network or other similar networks.
According to a preferred embodiment, the method comprises the steps described below.
First of all, there is a step (a) wherein a satellite signal is received, said signal containing information about the universal time based on earth's rotation, according to a given international standard. A very high precision can be achieved by exploiting dedicated synchronization signals provided by the satellite module such as, for instance, the 1PPS (one pulse per second) signal.
Then, in step (b), said satellite signal is analyzed to check whether it is safe and reliable and to detect any abnormalities, for instance data manipulation ("spoofing") or disturbances in the radio communications ("jamming"), which may indicate external attacks, data manipulation or operational errors (in these cases, the satellite system possibly sends a wrong time signal not corresponding to the actual universal time). In the absence of any abnormalities or disturbances, the signal is validated.
In the next step (c), a set of physical quantities indicative of the existing environmental conditions is measured by means of a plurality of dedicated sensors. The physical quantities of interest are those which might affect the oscillation of the crystal of the local clock, for instance temperature, pressure, humidity, movements and/or sudden displacements. The measured physical quantities from the individual sensors are stored.
If the satellite signal analyzed in the previous step (b) is valid, step (d) is initiated, wherein said signal is interpreted to extract the time information about the universal time signal and, in this way, the drift and the offset of the time signaled by a local clock with respect to said universal time are estimated, by way of appropriate algorithms.
Conversely, if the satellite signal analyzed in step (b) is not valid, step (e) is performed: the offset and the drift of the local clock with respect to the universal time are calculated by way of a mathematical model, as a function of the existing environmental conditions, as defined by the physical quantities measured in the previous step (c).
In the next step (f), the time information of the local clock is properly "corrected" on the basis of the estimated offset and drift, so as to synchronize it with the universal time. Local clock synchronization takes place by gradually modifying the reference time of the local clock itself, by making it go faster or slow down, until reaching the requested correction.
Local clock synchronization can take place by using a PTP or NTP signal or other similar protocols. In some embodiments of the method, the synchronization message for the nodes of a distributed network conforms to the NTPv4 or PTPv2 standards.
Finally, in step (g), the synchronization uncertainty of the local clock time is estimated by means of statistical and probabilistic analyses (for instance the Fokker-Planck equation or the Bayes theorem). The above described method can advantageously be performed periodically, in an iterative manner.
In a possible version of the method, a new iteration of the process is only initiated whenever the uncertainty estimated in step (g) is greater than a given, preset threshold value (s1).
According to an advanced version of the method for a resilient signaling of time according to the present patent application, the mathematical model used in step (e) is set-up on the basis of historical data for the values of measured physical quantities and of corresponding offset and drift values of the local clock as referred to the universal time.
Very advantageously, the mathematical model used in step (e) can be an automatic learning algorithm, capable of automatically improving its own "performances" on the basis of the acquired experience.
In a possible version of the method under consideration, step (c) is only performed whenever the satellite signal analyzed in the previous step (b) is not valid, so that the measuring sensors are activated only when strictly necessary, mainly for energy saving purposes.
According to a further version of the method according to the present patent application, whenever the uncertainty estimated in step (g) is equal to or less than a threshold value (s2), steps (a), (b), and (d) are not performed in the next iteration of the method, in this way preventing the satellite receiver modules from being activated.
In a possible variant of the method under consideration, particularly suitable for being applied to distributed networks, after step (g) an iterative process can be initiated which periodically generates a time synchronization message and sends it to the users of the network, in order to synchronize the clocks of the individual nodes at the time instant indicated by the local clock.
Such iterative process is started or, if already started, is simply kept activated (z), only when the estimated uncertainty is equal to or less than a predetermined value (s3); conversely, whenever said uncertainty is greater than such threshold value (s3), the iterative process is terminated (x) and it is only re-activated as soon as uncertainty comes back below the predetermined value (s3).
The present patent application also concerns an apparatus for a resilient signaling of time capable of implementing the above described method.
According to a possible embodiment, such apparatus comprises:
- an oscillator basically consisting of a circuitry and a resonator suitable for providing a reference frequency for the remaining electronic components of the apparatus;
- an electronic processor suitable for running all processes and programs for the implementation of the method;
- a physical I/O (Input/Output) controller for connecting the processor to external devices such as sensors or other apparatuses;
- one or several sensors for measuring physical quantities (temperature, humidity, pressure sensors, gyroscopes, accelerometers, etc.);
- one or several satellite receiver modules.
In a particularly advanced embodiment suitable for being used as a master clock internally to networks, such apparatus further comprises one or several network interface cards for sending time synchronization messages to the nodes of the distributed network.
Advantageously, said one or several network interface cards can conform to the IEEE 1588 PTP standard to provide hardware timestamping so as to improve synchronization accuracy in the nodes of the network.
In the case of a plurality of satellite receiver modules, the apparatus is capable of operating correctly even in the case that one or several modules stop being operational or are deactivated for maintenance purposes.
Likewise, it is possible to support the implementation of several sensors of the same type for measuring each of the physical quantities of interest, for instance by providing a plurality of temperature sensors and/or a plurality of pressure sensors, etc., to enable the apparatus to operate regularly even in the case of malfunctions or deactivations of one or several of said sensors.
Likewise, in the case of a plurality of network interface cards, the system is capable of operating continuously even when one or several cards are deactivated or not operational.
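The loop of steps (a) to (g) with the (z)/(x) gate on threshold s3 can be sketched as follows. This is an added example, not code from the patent or its authors: the class and function names, the linear temperature-only drift model, the linearly growing uncertainty bound (used in place of the Fokker-Planck or Bayes analysis the description mentions), the plausibility check standing in for step (b), and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MIN_SAMPLES = 3  # assumed: history needed before the drift model is trusted


@dataclass
class ResilientClock:
    s3: float                    # uncertainty threshold (s) for sending sync messages
    sync_error: float = 1e-6     # assumed worst-case error of a validated fix (s)
    model_error: float = 4e-8    # assumed worst-case drift-model error (s/s)
    offset: float = 0.0          # estimated offset of the raw oscillator (s)
    drift: float = 0.0           # estimated drift (s/s)
    uncertainty: float = float("inf")
    samples: list = field(default_factory=list)  # (temperature, drift) history
    prev_valid: bool = False
    sending: bool = False

    def _fit(self):
        """Least-squares line drift = a + b * temperature over the history."""
        n = len(self.samples)
        mt = sum(t for t, _ in self.samples) / n
        md = sum(d for _, d in self.samples) / n
        var = sum((t - mt) ** 2 for t, _ in self.samples)
        cov = sum((t - mt) * (d - md) for t, d in self.samples)
        b = cov / var if var else 0.0
        return md - b * mt, b

    def step(self, dt, temperature, gnss_offset=None):
        """One iteration; gnss_offset is raw clock minus GNSS time, None if no signal."""
        trained = len(self.samples) >= MIN_SAMPLES
        if trained:                                   # model used by step (e)
            a, b = self._fit()
            self.drift = a + b * temperature
        predicted = self.offset + self.drift * dt
        grown = self.uncertainty + self.model_error * dt if trained else float("inf")
        # Step (b), reduced to a plausibility check: the fix must agree with the
        # holdover prediction to within the current uncertainty bound.
        valid = gnss_offset is not None and (
            not trained or abs(gnss_offset - predicted) <= grown + self.sync_error)
        if valid:                                     # step (d)
            if self.prev_valid:                       # drift between two trusted fixes
                self.samples.append((temperature, (gnss_offset - self.offset) / dt))
            self.offset, self.uncertainty = gnss_offset, self.sync_error
        else:                                         # step (e)
            self.offset, self.uncertainty = predicted, grown
        self.prev_valid = valid
        self.sending = self.uncertainty <= self.s3    # (z) keep active / (x) terminate
        return valid

    def now(self, raw_time):                          # step (f): corrected local time
        return raw_time - self.offset


def true_drift(temp):
    """Constructed oscillator behaviour: mildly non-linear in temperature."""
    return 1e-6 + 2e-8 * (temp - 25) + 1e-10 * (temp - 25) ** 2


def simulate():
    """Constructed scenario: 40 good fixes, then signal loss with one spoofed fix."""
    clk, raw_offset, dt, log = ResilientClock(s3=1e-5), 0.0, 10.0, []
    for i in range(80):
        temp = 20 + (i % 11) if i < 40 else 32.0
        raw_offset += true_drift(temp) * dt           # true offset of the raw clock
        if i < 40:
            fix = raw_offset                          # genuine satellite time
        elif i == 45:
            fix = raw_offset + 1e-3                   # spoofed fix: 1 ms jump
        else:
            fix = None                                # signal missing
        valid = clk.step(dt, temp, fix)
        log.append((i, valid, abs(raw_offset - clk.offset), clk.uncertainty, clk.sending))
    return log


if __name__ == "__main__":
    for row in simulate()[38::4]:
        print("i=%d valid=%s residual=%.2e U=%.2e sending=%s" % row)
```

In this run the residual offset stays below the uncertainty bound throughout holdover, the implausible fix is rejected instead of being applied, and synchronization messages stop once the bound exceeds s3.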

Claims

1. A method for a resilient signaling of time, characterized in that it comprises the following steps:
(a) receiving a satellite signal containing information on the universal time;
(b) analyzing the satellite signal and validating it in the absence of abnormalities or disturbances in the signal itself;
(c) measuring and storing a plurality of physical quantities representative of the existing environmental conditions;
(d) if the satellite signal is valid, interpreting the satellite signal to get the indication of the universal time and to make an estimate of the offset and of the drift of the time measured by a local clock with respect to said universal time, via appropriate algorithms;
(e) if the satellite signal is not valid, applying a mathematical model to compute an estimate of the offset and drift of the local clock with respect to the universal time as a function of the existing environmental conditions as measured in step (c);
(f) correcting the time of the local clock on the basis of the estimated offset and drift;
(g) estimating the time synchronization uncertainty of the local clock;
(h) repeating step (a) and the following ones.
2. A method for a resilient signaling of time according to the previous claim, characterized in that the mathematical model used in step (e) relies on a local clock offset and drift database corresponding to physical quantities that represent specific environmental conditions.
3. A method for a resilient signaling of time according to one or several of the previous claims, characterized in that the mathematical model used in step (e) is an automatic learning algorithm.
4. A method for a resilient signaling of time according to one or several of the previous claims, characterized in that step (c) is performed only if the satellite signal analyzed in step (b) is not valid.
5. A method for a resilient signaling of time according to one or several of the previous claims, characterized in that if the uncertainty estimated in step (g) is equal to or less than a threshold value (s2), steps (a), (b), and (d) are not performed during the successive iteration of the method.
6. A method for a resilient signaling of time according to one or several of the previous claims, characterized in that if the uncertainty estimated is equal to or less than a preset value (s3), after step (g) an iterative process is started or kept active (z), whereby a time synchronization message is generated and sent to the users of a network.
7. A method for a resilient signaling of time according to the previous claim, characterized in that after step (g), if the estimated uncertainty is greater than a preset value (s3), said iterative process whereby said synchronization message is generated and sent, is terminated (x).
8. An apparatus for a resilient signaling of time for implementing the method according to one or several of the previous claims, characterized in that it comprises:
- an oscillator comprising a dedicated circuitry and a resonator to provide a reference frequency for the remaining components of the apparatus;
- an electronic processor suitable for executing all processes and programs for the implementation of the method;
- one physical I/O (input/output) controller to connect the processor to external devices like sensors or other apparatuses;
- one or more sensors for measuring the physical quantities;
- one or more satellite receiver modules.
9. An apparatus according to the previous claim, characterized in that it comprises one or several network cards to send time synchronization messages to the nodes of a distributed network.
PCT/IB2016/056768 2015-11-13 2016-11-10 Method and apparatus for a resilient signaling of time WO2017081634A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ITUB2015A005561A ITUB20155561A1 (en) 2015-11-13 2015-11-13 METHOD AND APPARATUS FOR A RESILIENT TIME SIGNAL
ITUB2015A005561 2015-11-13

Publications (1)

Publication Number Publication Date
WO2017081634A1 true WO2017081634A1 (en) 2017-05-18

Family

ID=55446978

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2016/056768 WO2017081634A1 (en) 2015-11-13 2016-11-10 Method and apparatus for a resilient signaling of time

Country Status (2)

Country Link
IT (1) ITUB20155561A1 (en)
WO (1) WO2017081634A1 (en)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PENROD B M: "Adaptive temperature compensation of GPS disciplined quartz and rubidium oscillators", FREQUENCY CONTROL SYMPOSIUM, 1996. 50TH., PROCEEDINGS OF THE 1996 IEEE INTERNATIONAL. HONOLULU, HI, USA 5-7 JUNE 1996, NEW YORK, NY, USA,IEEE, US, 5 June 1996 (1996-06-05), pages 980 - 987, XP010200002, ISBN: 978-0-7803-3309-3, DOI: 10.1109/FREQ.1996.560284 *

Also Published As

Publication number Publication date
ITUB20155561A1 (en) 2017-05-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16801589

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16801589

Country of ref document: EP

Kind code of ref document: A1