1. Field of the Invention
The invention relates to a method for providing at least two mutually independent time sources for at least one real-time operating system and to virtualization software for a data processing device having a plurality of processor cores.
2. Description of the Related Art
For automation tasks that impose increased demands on operational reliability, use is made of fail-safe automation systems in which technical measures ensure that, even if individual components fail or are faulty, reliable operation continues or a system or the like is changed to a safe state. An important measure for meeting such demands involves providing important operating devices or components more than once and independently of one another, with the result that at least one fault in an individual component can be recorded. In the case of highly available systems, operation could ideally also be continued using the redundant replacement component.
A time source shall be considered below as an important resource of fail-safe automation systems, i.e., a component that provides a clock, a time or a similar item of time information that is needed by an automation program or an underlying operating system to perform tasks with the correct timing, at the correct speed and in a reliable manner.
Whereas special fail-safe control devices, i.e., Fail-safe Central Processing Units (F-CPUs) or Fail-safe Programmable Logic Controllers (F-PLCs), i.e., programmable logic controllers specially provided with redundant components, are often used in the prior art, personal computers or similar standardized architectures are increasingly being provided with real-time operating systems and are being used for control and automation tasks. Even with a standard architecture, such as a personal computer, it is possible, in principle, to provide two mutually independent time sources for a real-time operating system with a corresponding reliability requirement. The important factor is that both time sources are independent of one another, particularly with respect to their hardware, i.e., they are derived from different clock sources (usually based on crystal oscillators). With respect to personal computers, use is often made for this purpose of a real-time clock module (RTC) on one side and a special counter of the CPU, the time-stamp counter (TSC), on the other side. Whereas the real-time clock module obtains its clock signal from a crystal (i.e., a crystal oscillator) specially provided for this purpose, the time-stamp counter is derived from the processor clock (CPU clock) and is thus independent of the RTC clock. In this manner, it has hitherto already been possible to provide a fail-safe automation system implemented on PC hardware or the like with two mutually independent time sources.
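By way of illustration, the following sketch (an added example, not part of the original specification) shows how two counters derived from different crystals can be checked against one another over the same interval, so that a stalled or drifting source becomes visible. The comparison logic, the names `ts_check` and `ts_source`, the tolerance in ppm and the 3 GHz TSC rate are assumptions made for the example; the readings are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of one comparison interval (all names here are hypothetical). */
typedef enum { TS_OK, TS_A_STALLED, TS_B_STALLED, TS_MISMATCH } ts_verdict;

/* A time source: last counter value read and nominal tick rate in Hz. */
typedef struct { uint64_t last; uint64_t hz; } ts_source;

/* Compare the interval that both sources measured since the previous call.
 * tol_ppm is the permitted relative deviation in parts per million.
 * Intended for intervals of seconds; very long intervals would overflow
 * the 64-bit cross products. */
ts_verdict ts_check(ts_source *a, uint64_t now_a,
                    ts_source *b, uint64_t now_b, uint64_t tol_ppm)
{
    uint64_t da = now_a - a->last;  /* unsigned subtraction tolerates wrap */
    uint64_t db = now_b - b->last;
    a->last = now_a;
    b->last = now_b;
    if (da == 0) return TS_A_STALLED;
    if (db == 0) return TS_B_STALLED;

    /* da/hz_a == db/hz_b  <=>  da*hz_b == db*hz_a, so no division needed. */
    uint64_t x = da * b->hz, y = db * a->hz;
    uint64_t hi = x > y ? x : y, lo = x > y ? y : x;
    return (hi - lo) > (hi / 1000000u) * tol_ppm ? TS_MISMATCH : TS_OK;
}

int main(void)
{
    /* Constructed readings: 32768 Hz RTC crystal, assumed 3 GHz TSC. */
    ts_source rtc = {0, 32768}, tsc = {0, 3000000000ULL};
    static const char *names[] = {"ok", "A stalled", "B stalled", "mismatch"};
    uint64_t r[][2] = {
        {32768, 3000000000ULL},   /* both sources agree          */
        {65536, 6000300000ULL},   /* TSC 100 ppm fast, tolerated */
        {98304, 7500300000ULL},   /* TSC ran at half rate        */
        {98304, 10500300000ULL},  /* RTC did not advance         */
    };
    for (int i = 0; i < 4; i++)
        printf("interval %d: %s\n", i + 1,
               names[ts_check(&rtc, r[i][0], &tsc, r[i][1], 200)]);
    return 0;
}
```

A disagreement alone does not show which of the two sources is faulty; it only shows that they no longer agree, which is the condition on which a fail-safe system can change to a safe state.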
In the meantime, increasing use has been made of virtualization techniques in the field of control engineering. Consequently, a plurality of virtual machines, each with an operating system, are operated on the same hardware platform, where at least one of the operating systems is able to run under “real-time conditions” and is able to form a “fail-safe” automation component, such as a fail-safe CPU, which is implemented as software. For such fields of use, it is appropriate to use a hardware platform having a plurality of processors or a plurality of processor cores, i.e., multicore CPUs, where one CPU or one processor core is able to be exclusively assigned to the virtual machine with the fail-safe real-time operating system, for example. Whereas, in such constellations, each processor or each processor core also has a time-stamp counter that is derived from the processor clock, the problem of jointly accessing resources that are present only once, especially the exemplary RTC module, arises in such “virtualized” arrangements. Although it is possible, in principle, to virtualize such a resource that is present only once, with the result that any unit (“virtualized operating system”) running in a virtual machine gains access and can read an RTC module, for example, any interaction with the virtualization software, the “hypervisor”, necessarily results in the execution of the requesting virtual machine being interrupted. As a result, the real-time performance is impaired, in particular by the latency times caused thereby. This concerns, in particular, systems in which more than one “virtualized automation system” is operated on the same hardware platform, with the result that a required resource, i.e., the clock module RTC discussed, cannot be exclusively made available to a single automation system.