TTEthernet Protocol for Avionics Networks
Embedded Insider: July 2009 - Volume 4, Issue 2
A Powerful Time-Triggered Network Solution
As the most widely-installed local area network technology, Ethernet is used as a universal network solution in office and web applications, and production facilities. Engineering, maintenance and training costs for Ethernet-based networks are considerably lower than costs for many proprietary bus systems and Ethernet generally offers higher bandwidths. But when Ethernet was developed over 30 years ago, time-critical, deterministic or safety-relevant tasks were not taken into account.
Time-Triggered Ethernet (TTEthernet) expands classical Ethernet use with powerful services (SAE AS6802) to meet the new requirements of reliable, real-time data delivery in advanced integrated systems. In addition, TTEthernet switches provide ARINC664 functionality to meet existing requirements of avionics Ethernet networks.
With TTEthernet, critical control systems, audio/video and standard LAN applications can share one network. TTEthernet facilitates design of mixed criticality systems and system-of-systems integration.
Fig. 1: TTEthernet (SAE AS6802) enables design of advanced integrated systems utilizing asynchronous and synchronous communication via IEEE802.3 Ethernet. It is scalable and supports fault-tolerant (N-redundant), time-critical and mixed criticality functions in one network. TTEthernet supports system-of-systems integration.
In the aviation domain, TTEthernet can be used for high-speed active controls, smart sensor and actuator networks, deterministic avionics and vehicle backbone networks, critical audio/video delivery, reflective memory, modular controls and integrated modular systems such as Integrated Modular Avionics (IMA) or distributed IMA. TTEthernet also targets critical embedded systems in aerospace and defense, automotive, medical, energy production, and industrial automation.
Determinism in Critical Ethernet Networks
Determinism depends on the requirements of the application domain and means predictable operational performance. In networking, determinism is related to:
- Temporal communication behavior (message jitter and latency)
- Predictable bandwidth use
An Ethernet network with specified jitter and latency can be seen as deterministic “enough”, assuming that predictable data exchange without data traffic congestion is viable for a given application case. For ARINC664 networks, the context of determinism is defined as the control of maximum transmission delay (latency) throughout the network.
In the Time-Triggered Ethernet standard, SAE AS6802, Time-Triggered Ethernet provides extensions to standard IEEE802.3 to support hard real-time, rate-constrained and unconstrained IEEE802.3 traffic on a common mixed-criticality network. A synchronization strategy based on time-triggered principles is described in the SAE AS6802 standard, defining a fault-tolerant self-stabilizing synchronization strategy. Devices that comply with this standard are capable of synchronizing their local clocks to each other in a fault-tolerant way. The context of determinism is defined as exact system timing throughout the system. Messages are transferred based on a fault-tolerant system time base with microsecond jitter.
Predictable (deterministic) operation in IEEE802.3 Ethernet networks for critical embedded systems can be achieved by:
- Asynchronous approach (ARINC664): Constraining the rate (frequency) of data transmissions (e.g. max. jitter 500 µs, latency > jitter) with sampling rates of up to 1 kHz. Bandwidth partitioning is based on rate-constrained traffic shaping (in end systems) and policing (in the switch).
- Synchronous approach (SAE AS6802): Establishing fault-tolerant synchronized operation using asynchronous Ethernet messaging with sampling rates of up to 50 kHz (jitter below a few microseconds). Bandwidth partitioning is based on an exact (µs) time base and message delivery is based on time-triggered services.
- Mixed asynchronous/synchronous approach: Satisfying different contexts of determinism in different applications using critical Ethernet networks.
TTEthernet supports both asynchronous and synchronous (ARINC 664 and SAE AS6802) approaches to deterministic networking, and enables parallel operation in mixed asynchronous/synchronous networks. It is designed to cover cross-industry application needs and provide deterministic network operation for a broad range of different applications. The primary reason for the integration of both SAE AS6802 and ARINC664 on the same TTEthernet switch is the ensured availability of time-triggered services. Without those services it would be impossible to define robust network partitioning for asynchronous and synchronous data flows.
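The switch-side policing of rate-constrained traffic described above, as an added example (not code from the article or from any ARINC664 or TTEthernet product): a generic virtual-scheduling policer that holds a faulty end system to its contracted rate while tolerating bounded jitter. The 1000 µs frame spacing, the function names and the sample arrival times are constructed assumptions; the 500 µs jitter bound is the article's example figure.

```python
def police(arrivals_us, min_gap_us, max_jitter_us=500):
    """Return one accept/drop decision per frame of a single rate-constrained flow.

    `expected` is the earliest nominal time of the next frame. A frame is
    accepted if it arrives no more than max_jitter_us before that time.
    """
    decisions, expected = [], None
    for t in arrivals_us:
        if expected is not None and t < expected - max_jitter_us:
            decisions.append(False)   # too early: flow exceeds its contracted rate
            continue                  # dropped frames do not move the schedule
        # Anchor the next slot on the nominal schedule, so a frame that arrives
        # early (within the jitter bound) does not earn the flow any extra rate.
        expected = (t if expected is None else max(t, expected)) + min_gap_us
        decisions.append(True)
    return decisions


def admitted(arrivals_us, min_gap_us=1000):
    """Arrival times of the frames the policer lets through."""
    verdicts = police(arrivals_us, min_gap_us)
    return [t for t, ok in zip(arrivals_us, verdicts) if ok]


# Constructed sample flows, both contracted at one frame per 1000 us (1 kHz).
WELL_BEHAVED = [0, 1000, 1900, 3000]     # 1900 is 100 us early, inside the bound
BABBLING = list(range(0, 4000, 100))     # faulty end system sending at 10 kHz

if __name__ == "__main__":
    print("well-behaved admitted:", admitted(WELL_BEHAVED))
    print("babbling admitted:   ", admitted(BABBLING))
```

The compliant flow passes untouched, while the babbling flow is cut from 40 frames to 5, so its fault cannot consume bandwidth reserved for other flows on the port.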
System Integration using Synchronous and Asynchronous Ethernet Communication
Distributed functionality in advanced integrated network systems is established by coordinated operation of different functions with different criticality-levels and quality of service. In order to establish coordination among all of the different functions on a network, some sort of “synchronization” is required either at the network, middleware or application layer, or combined at different layers at once.
IEEE802.3 Ethernet provides asynchronous communication services. By constraining the maximum rate of message delivery, jitter (e.g. 500µs) and latency, the deterministic communication behavior for avionics applications can be accomplished without synchronous communication, as described in the ARINC664 (Avionics Full Duplex Ethernet) Specification.
In avionics networks, the SAE AS6802 standard is a synchronous communication technology enabling hard real-time network communication and the transfer of critical audio/video data which is not handled by ARINC664. This is where time-triggered services as defined by the SAE AS6802 standard complement asynchronous services from the ARINC664 Specification.
Because TTEthernet switches can handle both synchronous and asynchronous communication in one Ethernet-based network, a network system designer can select a networking approach which makes sense for a specific deterministic application and can deliver a desired level of latency and jitter control throughout the system.
Network Dependability and Critical Ethernet Networks
Network dependability is a term which extends well beyond “system reliability”, covering such aspects as availability, reliability, integrity, maintainability, confidentiality and safety. Beyond the simplified definition of communication determinism, network dependability also contributes to a system's determinism.
System engineering not only covers dependability, but many other "-ilities", such as survivability, security, adaptability, scalability, upgradeability, and real-time capability. Marrying dependability with any other "-ility" is a non-trivial task. In most cases Ethernet-based networks are tailored and modified for specific application use with focus on one dimension of dependability, but are generally less flexible and hard to integrate with IEEE802.3 Ethernet systems. Design of dependable distributed network systems can be achieved in one or a few dimensions, but even if a network system covers all dependability criteria, the following questions need to be answered:
- Will the network system be scalable, upgradeable and affordable?
- Will Quality of Service (QoS) be sufficient for time-critical applications?
- Will the system have predictable (deterministic) behavior?
TTEthernet technology exploits synchronous operation and the resulting fault-tolerant time base to support different system dependability dimensions at once. It simplifies design challenges for complex distributed systems through robust partitioning, unambiguous definition of key system interfaces, and support for redundant and time-driven system design.
Robust system-level partitioning and distributed computing
With asynchronous communication, it is possible to guarantee bandwidth use by traffic shaping and policing, without exact timing. With synchronous time-triggered services it is possible to define exact sections of bandwidth to be used for a time-driven function, and to leave the remaining bandwidth slots to asynchronous data traffic (ARINC664 Part 7 or IEEE802.3), so hard real-time communication will not be impacted by asynchronous or event-driven functions. The availability of fault-tolerant global time plays a critical role in network bandwidth partitioning and enables parallel operation of multiple streams with different QoS, including audio/video and hard real-time control loops.
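The bandwidth partitioning described above, as an added example (not code from the article or from SAE AS6802): a small model of one switch output port that compares time-partitioned operation with a port that only gives time-triggered frames priority. The cycle length, slot offsets, frame durations and the hold-back rule for asynchronous frames are constructed assumptions.

```python
def expand(cycle_us, slots, cycles):
    """Per-cycle TT slots [(offset_us, length_us)] -> absolute, sorted (start, end) windows."""
    return [(c * cycle_us + off, c * cycle_us + off + ln)
            for c in range(cycles) for off, ln in slots]

def place_async(windows, frames):
    """Partitioned port: FIFO async frames [(arrival_us, length_us)] use only the gaps.
    A frame that cannot finish before the next TT window opens is held until it closes."""
    placed, t = [], 0
    for arrival, length in frames:
        t = max(t, arrival)
        for start, end in windows:
            if end <= t:
                continue              # window already over
            if t + length <= start:
                break                 # fits completely in the gap before this window
            t = end                   # hold back until the window has closed
        placed.append((t, t + length))
        t += length
    return placed

def collides(windows, placed):
    """True if any async transmission overlaps a TT window."""
    return any(ps < e and s < pe for s, e in windows for ps, pe in placed)

def priority_tt_delay(windows, frames):
    """Baseline without time partitioning: TT has strict priority but cannot preempt
    an async frame already on the wire. Returns the worst TT start delay in us."""
    t, worst, queue = 0, 0, list(frames)
    for start, end in windows:
        while queue and max(t, queue[0][0]) < start:
            arrival, length = queue.pop(0)
            t = max(t, arrival) + length
        begin = max(t, start)
        worst = max(worst, begin - start)
        t = begin + (end - start)
    return worst

# Constructed scenario: 1000 us cycle, two 100 us TT slots per cycle,
# and a burst of eight 120 us asynchronous frames arriving at t = 50 us.
WINDOWS = expand(1000, [(0, 100), (500, 100)], cycles=2)
BURST = [(50, 120)] * 8
PLACED = place_async(WINDOWS, BURST)

if __name__ == "__main__":
    print("async transmissions:", PLACED)
    print("collides with TT windows:", collides(WINDOWS, PLACED))
    print("worst TT delay with priority only (us):", priority_tt_delay(WINDOWS, BURST))
```

With priority alone, the TT frame scheduled at 500 µs starts 80 µs late behind a frame already in flight; with the gaps enforced, no asynchronous transmission touches a TT window, at the cost of some idle time before each window.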
Robust network resource partitioning is similar to computing resource partitioning (time/space) on the host microprocessor. Time and space partitioning (via MMU and partitioning OS), as defined by ARINC653, emerged in Integrated Modular Avionics (IMA) to enable the design of many functions that share the same computing, housing and power supply resources, taking advantage of the availability of common system time (tasks run on one processor with common time anyway!).
If consistent common time can be extended to the whole system, it is possible to take advantage of time/space/communication partitioning to design distributed functions of mixed criticality integrated in one network. This type of resource partitioning in a networked system we call “system-level partitioning”. This means all distributed functions can be executed without being influenced by other less critical networked functions. From this perspective, the concept and benefits of Integrated Modular Avionics (IMA) or modular aerospace controls (MAC) can be extended to the whole networked system.
System tasks can be scheduled to take advantage of global time and to send and receive data just in time. With broadcast communication, this would mean that the periodic data transfers play the role of a distributed virtual shared system memory, an equivalent of reflective memory. At the same time other non-critical data can be shared in the network without impact on reflective memory operation (see “Use case for TTEthernet”). In such a case, from the application perspective, all tasks and functions run on one fault-tolerant distributed embedded computer.
The system-level partitioning concept simplifies the design of fault-tolerant distributed embedded computing platforms and is very useful for the design of centralized and distributed IMA, reflective memories, and smart sensor/actuator networks.
GE Fanuc Intelligent Platforms is releasing proven time-triggered tools that have been ported for TTEthernet systems. These tools cover the entire lifecycle of the network. Automatic and manual modeling tools allow intuitive system design in terms of temporal behavior, network and topology. TT-based software applications generate configuration data that comply with the communication schedule and load the data into the involved systems. Monitoring switches can display the network traffic on-line and off-line, and check the accuracy and consistency of a designed system, including the temporal behavior of TT and RC messages. These tools can also generate detailed reports for approving a system in compliance with application regulations such as DO-178B in the aerospace industry (see Figure 10). Open XML data exchange formats allow simple and seamless integration with third-party tools.
To learn more about Time-Triggered networking, download Introduction to Time-Triggered Ethernet Networks from the GE Fanuc White Paper Library.
Time-Triggered Ethernet enables time-triggered communication over Ethernet networks in all application areas. A time-triggered communication capability allows for co-existence of diverse applications, such as classical web services and time-critical control systems, on the same aircraft network. Existing networks can be extended step by step using TTEthernet-capable switches and end systems without the need to change existing applications and end systems. Reducing network solutions to established and recognized Ethernet standards opens up potential savings that secure major advantages in competitive markets. TTEthernet has great potential not only in extremely demanding aerospace applications but also in completely new cross-industry application areas.