A distributed real-time system is composed of a number of processor nodes (the terminal systems, in which the application software runs) and a generic communication system, via which the terminal systems exchange messages with one another. A global fault-tolerant timebase of good precision must be established in distributed real-time systems so that the terminal systems can check the temporal validity of real-time information and carry out synchronized distributed actions. Establishing a fault-tolerant global timebase requires the execution of complex synchronization algorithms. In order to relieve the terminal systems of these synchronization tasks, according to the invention the distributed fault-tolerant clock synchronization is performed in the generic communication system, so that the terminal systems can be provided with the global time using simple fault-tolerant master-slave synchronization (refer to textbook [5], section 3).
Many of the known clock synchronization methods, such as the methods published in the cited patents [1] to [4], use the clocks of the terminal systems to establish a global time. To achieve this, complex synchronization algorithms must be executed in the terminal systems. According to the present invention, a fault-tolerant time is not established in the terminal systems, but in the communication system. For this purpose, a fault-tolerant switching unit (fault-tolerant switch) is provided, which contains four independent switching units, each switching unit forming an autonomous fault containment unit (FCU). These four switching units together establish a fault-tolerant timebase by exchanging messages. Two of the four switching units form a respective switch pair, so that the fault-tolerant switching unit contains two switch pairs. Each of the two switching units of a switch pair periodically transmits a synchronization message to a comparator, which forwards the synchronization message to a terminal system only if the two synchronization messages received arrive almost simultaneously and are identical in content. Because the fault-tolerant switching unit contains two switch pairs, this method tolerates an arbitrary fault in one switch pair.
The exact procedure of the novel method for fault-tolerant communication and fault-tolerant clock synchronization will be described in more detail hereafter based on the figures.
The object of the invention is achieved by a method for fault-tolerant clock synchronization and for fault-tolerant time-triggered real-time communication using a number of terminal systems and one or more fault-tolerant switches, which are respectively connected via at least two communication channels, wherein each fault-tolerant switch contains a first and a second switch pair, and the first switch pair contains a first and a second switch and the second switch pair contains a third and a fourth switch, and wherein each of the four switches is connected to the remaining three switches via communication channels, and wherein the four switches establish an internal global fault-tolerant timebase having known precision via the communication channels using a known message-based internal fault-tolerant synchronization algorithm, and wherein a plurality of terminal systems can be connected to the two switch pairs, respectively, via a comparator associated with a terminal system, and wherein a first terminal system transmits a respective copy of a message to be transmitted to a second terminal system to the first switch pair via the first communication channel and to the second switch pair via the second communication channel, and wherein the first comparator transmits the arriving message to the first switch via a communication channel and to the second switch via a communication channel, and wherein the third comparator transmits the arriving message to the third switch via a communication channel and to the fourth switch via a communication channel, and wherein the four switches switch the arriving messages and, if a message is addressed to the second terminal system, the switches transmit a respective copy of the message to the second comparator associated with the second terminal system via communication channels, and wherein the second comparator opens a time window having the duration D immediately after the temporally first message has arrived and, if during this interval D no second copy of this message arrives at the second comparator, the second comparator discards the message and, if during this interval D a second copy of the message arrives, the second comparator compares the two messages bit by bit and, if the comparator uncovers a bit error, it interrupts the transmission of the message and discards the message and, if all bits of this message are identical, it transmits the entire message to the second terminal system via the second communication channel, and wherein the second switch pair proceeds analogously, so that two checked copies of a message arrive at the terminal system in the fault-free case and, if one of the two switch pairs is faulty or detects an error and discards the message, a correct message still arrives at the second terminal system, and wherein the fault-tolerant switch, in addition to the messages received from the terminal systems, periodically transmits two synchronization messages generated in the switch to all connected terminal systems, wherein one synchronization message is transmitted by the first switch pair and the other synchronization message is transmitted by the second switch pair, and wherein the time at which a synchronization message arrives at a terminal system corresponds to the time contained in the data field of the synchronization message.
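The comparator rule in the method above (window D opened by the first copy, bit-by-bit comparison of the second copy, discard on mismatch or on a missing copy) and the terminal-side adoption of the time field of a checked synchronization message, modelled in Python as an added example; this is not code from the patent or from any product implementing it. The class names, the value of D, the message ids, the bit-flip fault and the arrival times are constructed for the illustration, and the run covers the fault-free case, a switch that corrupts its copies, and a switch that falls silent.

```python
"""Comparator rule and master-slave sync at a terminal system (added example,
not from the patent). Names, D, message ids and arrival times are assumptions;
time is an integer in microseconds."""
from dataclasses import dataclass
from typing import Optional

D_WINDOW_US = 10                            # assumed duration D of the window
PAIR_OF_SWITCH = {1: 1, 2: 1, 3: 2, 4: 2}   # switches 1,2 = pair 1; 3,4 = pair 2


@dataclass(frozen=True)
class Msg:
    msg_id: int      # both switches of a pair forward the same id
    kind: str        # "data" or "sync"
    payload: bytes   # compared bit by bit; for "sync" it holds the time field


def first_differing_bit(a: bytes, b: bytes) -> int:
    """Index (MSB first) of the first bit where a and b differ, -1 if equal."""
    if len(a) != len(b):
        return 8 * min(len(a), len(b))
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return 8 * i + (8 - (x ^ y).bit_length())
    return -1


class Comparator:
    """One comparator of one switch pair, serving one terminal system."""

    def __init__(self, d_window: int = D_WINDOW_US):
        self.d = d_window
        self.pending: dict[int, tuple[int, int, Msg]] = {}  # id -> (t0, switch, msg)
        self.forwarded: list[tuple[int, Msg]] = []
        self.discarded: list[tuple[int, str]] = []

    def expire(self, now: int) -> None:
        """Drop first copies whose window D elapsed without a second copy."""
        for mid, (t0, _sw, _m) in list(self.pending.items()):
            if now - t0 > self.d:
                del self.pending[mid]
                self.discarded.append((mid, "no second copy within D"))

    def receive(self, now: int, switch: int, msg: Msg) -> None:
        """A copy of msg arrives from one of the pair's two switches."""
        self.expire(now)
        if msg.msg_id not in self.pending:
            self.pending[msg.msg_id] = (now, switch, msg)   # open window D
            return
        _t0, _sw0, first = self.pending.pop(msg.msg_id)
        bit = first_differing_bit(first.payload, msg.payload)
        if bit >= 0:   # bit error: interrupt the transmission, discard
            self.discarded.append((msg.msg_id, f"bit mismatch at bit {bit}"))
            return
        self.forwarded.append((now, first))   # identical copies: pass on


class TerminalSystem:
    """Gets checked copies from its two comparators (one per switch pair)."""

    def __init__(self) -> None:
        self.seen: set[int] = set()
        self.accepted: list[bytes] = []
        self.local_clock: Optional[int] = None

    def deliver(self, msg: Msg) -> None:
        if msg.msg_id in self.seen:   # the second checked copy is redundant
            return
        self.seen.add(msg.msg_id)
        if msg.kind == "sync":        # arrival instant == time in data field
            self.local_clock = int.from_bytes(msg.payload, "big")
        else:
            self.accepted.append(msg.payload)


def run_scenario(corrupt_switch: Optional[int] = None,
                 silent_switch: Optional[int] = None) -> dict:
    """One data and one sync message to terminal B via both switch pairs.
    corrupt_switch flips one bit in every copy it forwards; silent_switch
    forwards nothing. Returns what terminal B ended up with."""
    comps = {1: Comparator(), 2: Comparator()}   # one per switch pair
    term_b = TerminalSystem()
    data = Msg(7, "data", b"sensor=42")
    sync = Msg(8, "sync", (1_000_000).to_bytes(8, "big"))
    arrivals = [(100, 1, data), (103, 2, data), (101, 3, data), (106, 4, data),
                (200, 1, sync), (202, 2, sync), (201, 3, sync), (203, 4, sync)]
    for t, sw, m in sorted(arrivals, key=lambda a: a[0]):   # constructed times
        if sw == silent_switch:
            continue
        if sw == corrupt_switch:
            m = Msg(m.msg_id, m.kind, bytes([m.payload[0] ^ 0x80]) + m.payload[1:])
        comps[PAIR_OF_SWITCH[sw]].receive(t, sw, m)
    for c in comps.values():
        c.expire(now=1_000)   # end of run: close windows still open
    for _t, m in sorted(comps[1].forwarded + comps[2].forwarded, key=lambda f: f[0]):
        term_b.deliver(m)
    return {"accepted": term_b.accepted, "clock": term_b.local_clock,
            "forwarded": {p: len(c.forwarded) for p, c in comps.items()},
            "discarded": {p: [r for _, r in c.discarded] for p, c in comps.items()}}
```

In the two fault cases the comparator of the affected pair forwards nothing, but the terminal system still receives the data message and adopts the synchronization time from the other pair, which is the property the two-pair arrangement is meant to give; note that `expire` must also be called at the end of a run, since a window is otherwise only closed by the next arrival.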
Advantageously, the two switch pairs are arranged spatially separate from each other.
In one variant of the method, signed messages are used as part of the clock synchronization.
In a further variant, after receiving an external synchronization message, a fault-tolerant switch adapts the internal synchronized time thereof to the time predetermined by the external synchronization message.
The switches advantageously delay the messages only by several bit lengths and switch them to the comparator using the cut-through method.
In one variant of the invention, the comparators delay the messages only by several bit lengths and switch these to the terminal system using the error-free cut-through method.
The terminal systems connected to a fault-tolerant switch advantageously transmit a mixture of event-driven, bandwidth-limited or time-triggered messages.
A priori planning information about the allowed temporal behavior of the terminal systems is loaded into the switches, so that a switch can detect faulty temporal behavior of a terminal system.
The a priori planning information for the switch is advantageously provided with an electronic signature of the sender.
It is further advantageous if the a priori planning information for the switch is encrypted.
In one variant of the invention, the a priori planning information can be dynamically altered during operation.
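How a switch could apply the a priori planning information described in the preceding paragraphs, as an added example that is not the patent's own code or any product's: the switch verifies an integrity tag on the planning blob before loading it, checks each arriving message against the sender's planned transmission slot and maximum length, and can replace the plan during operation. The schedule fields (period, offset, window, max_len), the use of HMAC-SHA256 as a stand-in for the sender's electronic signature, the key and the traffic values are assumptions; encryption of the planning information is not modelled.

```python
"""Switch-side check of a terminal system's temporal behaviour against
signed a priori planning information (added example, not from the patent).
Schedule format, HMAC-as-signature, key and traffic are assumptions;
times are integers in microseconds."""
import hashlib
import hmac
import json

PLANNING_KEY = b"constructed-demo-key"   # stands in for the signer's credential


def sign_planning(plan: dict, key: bytes = PLANNING_KEY) -> bytes:
    """Serialize the plan canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(plan, sort_keys=True).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def load_planning(blob: bytes, key: bytes = PLANNING_KEY) -> dict:
    """Verify the tag before the switch accepts the plan; raise on failure."""
    body, _, tag = blob.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("planning information rejected: bad signature")
    return json.loads(body)


class ScheduleChecker:
    """Checks each arriving message against the sender's planned slot.

    plan[sender] = {"period": P, "offset": O, "window": W, "max_len": L}:
    the sender may transmit one message of at most L bytes in each interval
    [O + k*P, O + k*P + W], k = 0, 1, 2, ...
    """

    def __init__(self, plan: dict):
        self.plan = plan
        self.last_slot: dict[str, int] = {}   # sender -> last slot index used

    def update(self, signed_blob: bytes) -> None:
        """Replace the plan at run time, again only after verification."""
        self.plan = load_planning(signed_blob)
        self.last_slot.clear()

    def check(self, sender: str, arrival: int, length: int) -> str:
        p = self.plan.get(sender)
        if p is None:
            return "unknown sender"
        if length > p["max_len"]:
            return "message too long"
        rel = arrival - p["offset"]
        if rel < 0:
            return "before first slot"
        k, phase = divmod(rel, p["period"])
        if phase > p["window"]:
            return "outside slot"
        if self.last_slot.get(sender) == k:
            return "second message in slot"
        self.last_slot[sender] = k
        return "ok"


def demo() -> list[str]:
    """Run constructed traffic through a checker loaded from a signed plan."""
    plan = {"T1": {"period": 1000, "offset": 100, "window": 50, "max_len": 128}}
    checker = ScheduleChecker(load_planning(sign_planning(plan)))
    traffic = [("T1", 120, 64), ("T1", 1130, 64), ("T1", 1140, 64),   # constructed
               ("T1", 2500, 64), ("T1", 3105, 512), ("T9", 3110, 10)]
    return [checker.check(*m) for m in traffic]
```

A message that fails the check is the switch's cue that the sending terminal system is misbehaving temporally (babbling, drifting out of its slot, or oversized frames); what the switch does with that verdict, such as dropping the frame or raising an alarm, is a policy outside this example.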
The comparators are advantageously operated in a multiplexed manner.
In a further variant of the invention, the different signal propagation times on the communication channels are compensated for by the switch pairs.
The messages produced and consumed by the terminal systems advantageously correspond to the Ethernet standard.
The object of the invention is further achieved by a device for fault-tolerant time-triggered real-time communication, composed of one or more fault-tolerant switches, which are each connected via at least two communication channels, wherein each fault-tolerant switch contains two switch pairs, and the first switch pair contains a first and a second switch and the second switch pair contains a third and a fourth switch, and wherein each of the four switches is connected to the remaining three switches via the communication channels, and wherein a plurality of terminal systems can be connected to the two switch pairs via a respective dedicated comparator which is associated with the terminal system, and wherein one or more of the aforementioned method steps are implemented in this device.
The aim of the present invention is that of establishing a fault-tolerant global time in a fault-tolerant communication system of a distributed real-time system. For this purpose, a fault-tolerant message switching unit is provided, which is composed of four independent switching units. These four independent switching units jointly establish a fault-tolerant time. The terminal systems are connected to a fault-tolerant message switching unit via two independent fail-silent communication channels, so that the clock synchronization and network connections are preserved, even if a part of the fault-tolerant switching unit or of a communication channel fails.