The technology described herein relates to a method of synchronizing time among free-running nodes in a dual redundant network such as an avionics full-duplex switched Ethernet as described in ARINC 664, Part 7.
In an ARINC 664, Part 7 network, each End System (ES) or terminal node assumes the role of a Network Interface Controller (NIC), capable of maintaining open communication ports on one or more channels for messages written and read by multiple applications which share a host processor. In an ARINC 664, Part 7 avionics network, nodes can operate in a normal integrity mode, where the probability of undetected error is approximately less than 10⁻⁶ per flight hour. Additional functionality in the nodes is required to support a high integrity mode, where the probability of undetected error must be no greater than 10⁻⁹ per flight hour. Applications may run in a high integrity mode where it is important to assure high integrity for safety-critical data transported across the network. Such integrity checking includes validating bit integrity (e.g., using a cyclic redundancy checksum), validating source integrity (i.e., ensuring data comes from the correct source), validating temporal ordering (i.e., checking the order in which messages are sent and received), and validating age of the data (i.e., the time difference between when the message was submitted to the transmitting node and when it was retrieved from the receiving node). To validate ordinality and age, data must be accurately time stamped both when published by the source application and when retrieved by the destination application, using the respective local time reference of each node. Therefore, it is important for the local time references of all the ES to track each other within a specified minimum tolerance and in a manner which prevents time from regressing.
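The four checks listed above can be sketched as a receiver-side validator; this is an added example, not code from the described system. The message layout, field names, and the `clock_tol_us` bound on the offset between the two nodes' local clocks are assumptions made for illustration, and sequence-number wrap-around is not handled.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical message layout for illustration; not the ARINC 664 frame format. */
typedef struct { uint16_t source_id; uint32_t seq; uint64_t tx_time_us;
                 uint8_t payload[8]; uint32_t crc; } msg_t;
/* Receiver state; clock_tol_us is the assumed bound on offset between the two local clocks. */
typedef struct { uint16_t expected_source; uint32_t last_seq; uint64_t last_tx_time_us;
                 uint64_t max_age_us; uint64_t clock_tol_us; } rx_state_t;
typedef enum { MSG_OK, ERR_BIT, ERR_SOURCE, ERR_ORDER, ERR_AGE } verdict_t;

static uint32_t crc32_update(uint32_t crc, const void *data, size_t len) {
    const uint8_t *p = data;
    while (len--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* CRC-32 over the fields one by one, so struct padding never enters the checksum. */
uint32_t msg_crc(const msg_t *m) {
    uint32_t c = 0xFFFFFFFFu;
    c = crc32_update(c, &m->source_id, sizeof m->source_id);
    c = crc32_update(c, &m->seq, sizeof m->seq);
    c = crc32_update(c, &m->tx_time_us, sizeof m->tx_time_us);
    c = crc32_update(c, m->payload, sizeof m->payload);
    return ~c;
}

/* Build a constructed sample message stamped with the publisher's local time. */
msg_t make_msg(uint16_t src, uint32_t seq, uint64_t tx_us) {
    msg_t m = { .source_id = src, .seq = seq, .tx_time_us = tx_us, .payload = {1, 2, 3, 4} };
    m.crc = msg_crc(&m);
    return m;
}

verdict_t validate(rx_state_t *st, const msg_t *m, uint64_t rx_time_us) {
    if (msg_crc(m) != m->crc) return ERR_BIT;                          /* bit integrity */
    if (m->source_id != st->expected_source) return ERR_SOURCE;        /* source integrity */
    if (m->seq <= st->last_seq || m->tx_time_us < st->last_tx_time_us)
        return ERR_ORDER;                                  /* ordering; time must not regress */
    if (m->tx_time_us > rx_time_us + st->clock_tol_us) return ERR_AGE; /* stamped in the "future" */
    uint64_t age = rx_time_us > m->tx_time_us ? rx_time_us - m->tx_time_us : 0;
    if (age + st->clock_tol_us > st->max_age_us) return ERR_AGE;       /* worst-case age too old */
    st->last_seq = m->seq;
    st->last_tx_time_us = m->tx_time_us;
    return MSG_OK;
}
```

Because the age test charges the full clock tolerance against the age budget, a looser bound on how closely the node clocks track each other directly shrinks the usable age window.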
Safety-critical applications which communicate over the network could use an application-specific protocol to perform their own ordinal and time integrity monitoring and validation within an application. For example, the Boeing 787 Common Data Network, which was jointly developed by GE and Rockwell Collins, uses a separate management function to provide centralized monitoring and distribution of time reference and offset tables containing the relationships between individual node time references. In this architecture, each node must compute offset information and program an ASIC processing element which applies time stamps and validates ordinal and time integrity for each received message. This approach requires significant processing within each node and consumes substantial network resources to provide additional low-latency communication paths between every node and the nodes which support the management function.