Patent abstract:
A method for mitigating the effects of software failures in a distributed real-time system in which multiple distributed application systems are executed simultaneously, each application system forming an encapsulated software fault containment unit (SWFCU). A SWFCU comprises the software of a distributed application system residing on one or more virtual machine nodes and on one or more dedicated computer nodes (230, 233), which exchange messages over one or more encapsulated virtual communication systems, where a communication system comprises the communication controllers (213, 223), the switching units (250) and the physical links (253, 256). The immediate effects of a software error in a SWFCU remain limited to that SWFCU.
Publication number: AT512665A1
Application number: T342/2012
Filing date: 2012-03-20
Publication date: 2013-10-15
Inventors:
Applicant: Fts Computertechnik Gmbh;
IPC main class:
Patent description:
Method and apparatus for forming Software Fault-Containment Units (SWFCUs) in a distributed real-time system.
Cited literature
Patents: [1] US Pat. 4,949,254, Shorter. Method to manage concurrent execution of a distributed application program by a host computer and a large number of smart workstations on an SNA network. Granted August 14, 1990.
Other: [2] Klein, G. et al. (2009). Formal Verification of an OS Kernel. Proc. of the ACM SIGOPS 22nd Symposium on Operating Systems Principles. ACM Press.
[3] Peripheral Component Interconnect (PCI) Standard, Wikipedia. Accessed March 3, 2012.
[4] Kopetz, H. Real-Time Systems, Design Principles for Distributed Embedded Applications. Springer Verlag, 2011.
[5] SAE standard for TTEthernet. URL: http://standards.sae.org/as6802
[6] ARINC 653P1-3 Avionics Application Software Standard Interface, Part 1, Required Services: https://www.arinc.com/cf/store/catalog_detail.cfm?item_id=1487; ARINC 653P2-1 Avionics Application Software Standard Interface, Part 2, Extended Services: https://www.arinc.com/cf/store/catalog_detail.cfm?item_id=1072
Technical environment
The present invention is in the field of computer technology. It describes an innovative method, and the supporting hardware, with which software fault containment units (SWFCUs) can be formed in a distributed real-time computer system in order to limit the consequences of software errors that occur to clearly demarcated areas.
Brief description of the invention
In many real-time applications, tasks of different criticality must be performed. In a federated computer architecture, each of these tasks is solved on a distributed hardware system with dedicated compute nodes and its own communication system, so that errors of a system of a lower criticality class cannot affect a system of a higher criticality class. This approach leads to a large number of computers, a high cabling overhead for communication and thus high costs.
Submission copy 20.3.2012
The increase in performance of computer hardware due to the higher integration density makes it possible, from the point of view of performance, to integrate many application systems of different criticality on a single powerful distributed computer system. However, this is only feasible if the system software and the certified system software can encapsulate the application software of each distributed application system in such a way that it is ensured that a software error in one application system cannot influence the functionality of another application system, neither in the time domain nor in the value domain.
The present invention discloses a novel method of how to realize spatial and temporal encapsulation of a distributed application system within a distributed computer system such that multiple distributed application systems of different criticality can be integrated on a single distributed computer system.
When implementing multiple application systems on a distributed computer architecture, it is convenient to distinguish between the following types of compute nodes. A physical compute node is a computer with CPU, memory and communication interface, e.g. a personal computer. A shared compute node is a physical compute node on which several application systems are realized, e.g. a personal computer on which several virtual machines are installed by means of a hypervisor or a correspondingly partitioned operating system, such as the one defined by the ARINC 653 standard [6]. The hypervisor encapsulates the virtual machines spatially and temporally. A virtual compute node is one of the virtual machines of a shared compute node, including the associated partition of the communication controller that encapsulates the messages of that virtual machine. A dedicated compute node is a physical compute node (including its communication controller) on which only a single application system is implemented.
A physical communication system allows message transport between the communication controllers of the physical compute nodes. It consists of the communication controllers installed in the computers, the physical lines and the switching units. On a physical communication system a number of partitions, i.e. virtual communication systems, can be set up. A partition is active when it is sending messages. If several partitions are active at the same time, the physical communication system controls which messages of which partitions are sent on the physical lines.
A partition is encapsulated if the temporal guarantees regarding the communication behavior of one partition cannot be influenced by the behavior of the other simultaneously active partitions. Encapsulated partitions are obtained when the physical communication system is implemented as a time-triggered communication system. Since in a time-triggered communication system the periodic time slots for the transmission of data, and thus the bandwidths, are assigned a priori to the individual participants, any mutual temporal influence between the partitions set up on one physical communication system is excluded.
Messages are mapped to predefined virtual links. Virtual links have exactly one predefined sender and one predefined group of receivers. Messages can be transmitted time-triggered, rate-constrained, or according to the best-effort principle. Time-triggered means that messages are sent at predefined times using a synchronized time base. Rate-constrained means that a predefined minimum distance is maintained between two messages of a virtual link. Best-effort means that the transmission of messages is not guaranteed [4].
Within a partition, messages of one or more virtual links can be sent. Depending on the type of message communication, we speak of a time-triggered partition, a rate-constrained partition, or a best-effort partition. In addition, partitions are possible that send messages according to different principles; such partitions are called mixed partitions. In the following, an identified communication channel in the communication system is written as virtual link <identifier>, where <identifier> is the name of the virtual link. In one partition several virtual links can be active at the same time.
A physical communication system that is implemented as a time-triggered communication system and in which one or more rate-constrained, best-effort or mixed partitions are active does not assign each individual message of such a partition a time slot of its own, but only one time slot for the sum of all messages of the corresponding partition. This ensures that messages from different partitions cannot influence one another in the time domain.
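The slot assignment described above can be made concrete with a small simulation. The following Python model is an added example, not code from the patent or from FTS Computertechnik; the cycle length, slot capacity, partition names and virtual link identifiers (VL_A1, VL_B1, VL_C1) are constructed. It gives a time-triggered link its own slot, gives a rate-constrained partition and a best-effort partition one slot each for the sum of their messages, and then lets the best-effort partition flood the network: the time-triggered message still leaves in its predefined slot every cycle, the rate-constrained link keeps its minimum distance, and the surplus best-effort traffic waits in its own partition's queue without touching anyone else's slot.

```python
from collections import deque

# Constructed parameters: a 10-slot communication cycle, each slot carries
# at most SLOT_CAPACITY messages. All numbers here are illustrative.
SLOTS_PER_CYCLE = 10
SLOT_CAPACITY = 4


class VirtualLink:
    """A predefined channel: one sending partition, one traffic class."""

    def __init__(self, vl_id, partition, kind, slot=None, min_gap=0):
        self.vl_id = vl_id
        self.partition = partition
        self.kind = kind          # "TT", "RC" or "BE"
        self.slot = slot          # TT link in a pure TT partition: its own slot
        self.min_gap = min_gap    # RC link: minimum distance between two messages
        self.last_sent = None


class TimeTriggeredNetwork:
    """Physical communication system with an a-priori slot assignment."""

    def __init__(self, links, partition_slots):
        self.links = {link.vl_id: link for link in links}
        # slot index -> partition allowed to send in it. A time-triggered link
        # owns its own slot; an RC, BE or mixed partition owns one slot for
        # the sum of all its messages.
        self.slot_owner = {}
        for link in links:
            if link.slot is not None:
                self._claim(link.slot, link.partition)
        for partition, slot in partition_slots.items():
            self._claim(slot, partition)
        self.queues = {}     # partition -> deque of vl_ids waiting to be sent
        self.pending = {}    # submission time -> list of vl_ids
        self.log = []        # (slot time, partition, vl_id) actually transmitted

    def _claim(self, slot, partition):
        if slot in self.slot_owner:
            raise ValueError("slot %d assigned twice" % slot)
        self.slot_owner[slot] = partition

    def submit(self, vl_id, at):
        """A node hands a message to its communication controller at time `at`."""
        self.pending.setdefault(at, []).append(vl_id)

    def run(self, cycles):
        for t in range(cycles * SLOTS_PER_CYCLE):
            for vl_id in self.pending.pop(t, []):
                part = self.links[vl_id].partition
                self.queues.setdefault(part, deque()).append(vl_id)
            owner = self.slot_owner.get(t % SLOTS_PER_CYCLE)
            if owner is None:
                continue                     # idle slot
            queue = self.queues.get(owner, deque())
            deferred, sent = deque(), 0
            while queue and sent < SLOT_CAPACITY:
                vl_id = queue.popleft()
                link = self.links[vl_id]
                if link.slot is not None and link.slot != t % SLOTS_PER_CYCLE:
                    deferred.append(vl_id)   # TT message waits for its own slot
                elif (link.kind == "RC" and link.last_sent is not None
                      and t - link.last_sent < link.min_gap):
                    deferred.append(vl_id)   # minimum distance not yet reached
                else:
                    link.last_sent = t
                    self.log.append((t, owner, vl_id))
                    sent += 1
            queue.extendleft(reversed(deferred))   # keep original order
        return self.log

    def sent_times(self, partition):
        return [t for t, part, _ in self.log if part == partition]


def run_demo():
    """Constructed scenario: a flooding best-effort partition next to a
    time-triggered control message and a rate-constrained sensor link."""
    links = [
        VirtualLink("VL_A1", "A", "TT", slot=1),      # control message, once per cycle
        VirtualLink("VL_C1", "C", "RC", min_gap=10),  # at most one message per 10 slots
        VirtualLink("VL_B1", "B", "BE"),              # best effort, no guarantee
    ]
    net = TimeTriggeredNetwork(links, partition_slots={"B": 5, "C": 8})
    for cycle in range(3):
        net.submit("VL_A1", at=cycle * SLOTS_PER_CYCLE)
    for _ in range(100):                      # misbehaving partition B floods
        net.submit("VL_B1", at=0)
    for _ in range(3):                        # C offers a burst of three
        net.submit("VL_C1", at=0)
    net.run(cycles=3)
    return net


if __name__ == "__main__":
    net = run_demo()
    for name in "ABC":
        print(name, net.sent_times(name))
    print("still queued in B:", len(net.queues["B"]))
```

A mixed partition is modelled with the same class by giving its time-triggered links `slot=None`, so that all of its messages, whatever their class, compete for the single partition slot, which is the arrangement claim 5 describes.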
In the field of computer reliability, the term "fault containment unit" (FCU) is of central importance [4, p. 136]. An FCU is understood to mean an encapsulated set of subsystems, where the immediate effects of an error cause in one subsystem of the set remain limited to that set. An application system constitutes such a set, which may consist of the following subsystems: (i) the software running on one or more virtual compute nodes, (ii) the software running on one or more dedicated compute nodes, and (iii) one or more encapsulated virtual communication systems that perform message transport between the virtual and dedicated compute nodes of the application system. We refer to an encapsulated set of application system software executed on one or more virtual compute nodes and one or more dedicated compute nodes as a Software Fault-Containment Unit (SWFCU). The immediate effects of a software error in a subsystem of a SWFCU are thus limited to that SWFCU and cannot affect another SWFCU implemented in the distributed real-time system, neither in the value domain nor in the time domain. In an integrated distributed real-time system, each application system forms its own distributed SWFCU, so that mutual influence of the application systems through software errors can be excluded.
Summary
The present invention discloses an innovative method of how software fault containment units (SWFCUs) can be formed in a distributed real-time system. It is proposed that each of the application systems realized on a distributed real-time system forms its own SWFCU. This ensures that a software error in one SWFCU cannot affect the correct function of the other SWFCUs.
Brief description of the drawings
The present invention will be explained in detail with reference to the following drawings.
FIG. 1 shows a physical computer node on which three virtual computer nodes are realized.
FIG. 2 shows a SWFCU consisting of two virtual computer nodes, a virtual communication system and two dedicated computer nodes.
Description of a realization
The following concrete example deals with one of the many possible implementations of the new procedure.
FIG. 1 shows a physical computer node on which three virtual machines 101, 102 and 103 are implemented. A dedicated memory area 111 of the virtual machine 101 can be addressed both by the virtual machine 101 and by the communication controller 120. This dedicated memory area 111 is the end point of a virtual communication channel realized on the physical communication channel 130. On the physical communication channel 130, several temporally encapsulated virtual communication channels can be set up by means of time control. The communication controller 120 maps the spatially encapsulated data lying in the memory area 111 into the temporally encapsulated message assigned to it (and vice versa). The communication controller 120 provides the three encapsulated partitions 111, 112, and 113, with each partition being exclusively associated with one of the three hypervisor-managed virtual machines (VMs) 101, 102, and 103.
The memory areas 111, 112, and 113 associated with the virtual machines 101, 102, and 103 form the end points of these virtual communication systems. Before the system starts, the parameters of the virtual machines 101, 102, and 103 and of the physical communication controller 120 must be set by means of the certified system software (ZSW) such that the software of one virtual machine has no access rights to the memory areas of the other virtual machines. Messages that are transported on the physical communication channel 130 are assigned to the corresponding memory areas 111, 112, and 113 of the virtual machines 101, 102, and 103. The methodology of building virtual machines by means of a hypervisor has already been disclosed in [1]. In the meantime, methods exist that make it possible to formally prove the correctness of the software of a hypervisor [2]. The interface of the communication controller 120 to the CPU and/or memory of the physical computer node may be designed according to the PCI standard [3]. The interface of the communication controller 120 to the time-triggered communication system 130 may be designed according to the TTEthernet standard [5].
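To make the role of the communication controller concrete, here is an added Python model (not code from the patent or its applicant) of the two mappings the description relies on: the exclusive assignment of memory areas to virtual machines, fixed by the certified system software before start-up, and the conversion between a spatially encapsulated memory area and a time-encapsulated message on a predefined virtual link. The element numbers follow Fig. 1 (VMs 101 to 103, areas 111 to 113, controller 120) and Fig. 2 (VM 221, memory 222, controller 223); the virtual link names VL_7 and VL_9, the payloads and the stray message are constructed.

```python
class AccessViolation(Exception):
    """A VM touched a memory area that is not exclusively its own."""


class CommunicationController:
    """One controller per physical node. Every memory area belongs to exactly
    one VM; the area <-> virtual link tables are frozen before start-up."""

    def __init__(self, node_id):
        self.node_id = node_id
        self.owner = {}      # area_id -> vm_id that may read and write it
        self.send_vl = {}    # area_id -> virtual link its content is sent on
        self.recv_area = {}  # virtual link id -> area receiving its payload
        self.memory = {}     # area_id -> bytes (the spatially encapsulated data)
        self.sealed = False
        self.rejected = []   # messages with no configured receiving area

    def configure_area(self, area_id, vm_id, send_vl=None, recv_vls=()):
        if self.sealed:
            raise RuntimeError("tables are fixed before start; no late changes")
        self.owner[area_id] = vm_id
        self.memory[area_id] = b""
        if send_vl is not None:
            self.send_vl[area_id] = send_vl
        for vl in recv_vls:
            if vl in self.recv_area:
                raise ValueError("virtual link %s already has a receiver" % vl)
            self.recv_area[vl] = area_id

    def seal(self):
        self.sealed = True

    def _check(self, vm_id, area_id):
        if self.owner.get(area_id) != vm_id:
            raise AccessViolation("VM %s may not access area %s" % (vm_id, area_id))

    def vm_write(self, vm_id, area_id, data):
        self._check(vm_id, area_id)
        self.memory[area_id] = bytes(data)

    def vm_read(self, vm_id, area_id):
        self._check(vm_id, area_id)
        return self.memory[area_id]

    def build_message(self, area_id, slot_time):
        """Spatial -> temporal: tag the area's data with its predefined
        virtual link and the time slot in which it leaves the node."""
        return {"vl": self.send_vl[area_id], "t": slot_time,
                "payload": self.memory[area_id]}

    def deliver(self, message):
        """Temporal -> spatial: store the payload only in the single area
        mapped to the virtual link; anything else is dropped, never written."""
        area_id = self.recv_area.get(message["vl"])
        if area_id is None:
            self.rejected.append(message)
            return False
        self.memory[area_id] = message["payload"]
        return True


def run_demo():
    """Constructed scenario: node of Fig. 1 sends to the VM 221 of Fig. 2."""
    ctrl_a = CommunicationController(node_id=120)
    ctrl_a.configure_area(111, vm_id=101, send_vl="VL_7")
    ctrl_a.configure_area(112, vm_id=102, recv_vls=("VL_9",))
    ctrl_a.configure_area(113, vm_id=103)
    ctrl_a.seal()

    ctrl_b = CommunicationController(node_id=223)
    ctrl_b.configure_area(222, vm_id=221, send_vl="VL_9", recv_vls=("VL_7",))
    ctrl_b.seal()

    result = {}
    ctrl_a.vm_write(101, 111, b"setpoint=42")
    try:                                           # VM 102 tries VM 101's area
        ctrl_a.vm_write(102, 111, b"tampered")
        result["cross_vm_write_blocked"] = False
    except AccessViolation:
        result["cross_vm_write_blocked"] = True
    try:                                           # reconfiguration after start
        ctrl_a.configure_area(111, vm_id=102)
        result["late_reconfig_blocked"] = False
    except RuntimeError:
        result["late_reconfig_blocked"] = True

    msg = ctrl_a.build_message(111, slot_time=1)   # leaves in its own slot
    result["delivered_to_b"] = ctrl_b.deliver(msg)
    result["seen_by_221"] = ctrl_b.vm_read(221, 222)

    stray = {"vl": "VL_99", "t": 2, "payload": b"junk"}   # no receiver here
    result["stray_rejected"] = not ctrl_a.deliver(stray)
    result["area_113_untouched"] = ctrl_a.vm_read(103, 113)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of keeping `owner`, `send_vl` and `recv_area` as tables that are sealed before the first message is that the controller never has to trust the running software of a VM: which area a VM may touch, and which virtual link each area speaks on, is decided once by the certified system software, so a faulty VM can neither write into a neighbour's area nor inject data onto a link it does not own.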
FIG. 2 shows a distributed real-time system consisting of two physical computer nodes 210 and 220, a switching unit 250 and four dedicated computer nodes 230, 231, 232, and 233. In this real-time system there are several software fault-containment units (SWFCUs). The bold-framed parts of Fig. 1 constitute one of these SWFCUs. This selected SWFCU comprises the virtual machine 211, the communication controller 213 and the shared memory 212 between them, the communication channel 251 to the switching unit 250, the virtual machine 221, the communication controller 223 and the shared memory 222 between them, the communication channel 252 to the switching unit 250, and the dedicated computer node 230 with the sensor 215 and the dedicated computer node 233 with the actuator 216, including their connections 256 and 253 to the switching unit 250. The two hypervisors in the physical computer nodes 210 and 220, the communication controllers 213 and 223 and the communication protocol in the switching unit 250 prevent a software error outside this SWFCU from affecting the operation of this SWFCU. In the switching unit 250, the TTEthernet protocol [5] can be used to encapsulate the communication of this SWFCU. This protocol supports deterministic time-triggered communication as well as rate-constrained communication and best-effort event-driven communication. Alternatively, another protocol that temporally isolates the communication channels can be used in the switching unit 250.
The communication between different SWFCUs realized on a distributed real-time system takes place via messages, and it is advantageous if these messages can be observed by an independent monitor. This can be achieved if the switching unit 250 supports multicast communication.
Claims:
Claims (10)
[1]
1. A method for mitigating the effects of software failures in a distributed real-time system in which multiple distributed application systems are executed simultaneously, characterized in that each application system is embedded in an encapsulated software fault containment unit (SWFCU), wherein a SWFCU comprises the software of a distributed application system executing on one or more virtual machine nodes and one or more dedicated compute nodes and exchanging messages via one or more encapsulated virtual communication systems, and wherein the immediate effects of a software error in a SWFCU are limited to that SWFCU.
[2]
2. The method according to claim 1, characterized in that a virtual computer node consists of a virtual machine (VM) managed by a hypervisor on a computer and of an encapsulated partition of a communication controller that is exclusively associated with that VM.
[3]
3. The method according to claims 1 and 2, characterized in that the communication controller 120 converts the output data spatially encapsulated in the memory area 111 into an associated time-encapsulated message, and stores the content of an incoming time-encapsulated message in the spatially encapsulated memory area associated with that message.
[4]
4. The method according to one or more of claims 1 to 3, characterized in that virtual link identifiers are used to establish the association between time-encapsulated messages and the associated encapsulated partitions of a communication controller.
[5]
5. The method according to one or more of claims 1 to 4, characterized in that in a time-controlled communication system, a time slot for the sum of all messages (time-triggered, rate constrained, best effort) of a mixed partition is provided.
[6]
6. The method according to one or more of claims 1 to 5, characterized in that different SWFCUs communicate exclusively via messages.
[7]
7. The method according to one or more of claims 1 to 6, characterized in that the messages exchanged between the SWFCUs can be observed by an independent monitor component.
[8]
8. Communication controller for a physical computer node, characterized in that the communication controller converts output data spatially encapsulated in the memory area of a virtual machine into an associated time-encapsulated message, and stores the data arriving in a time-triggered message in an associated spatially encapsulated memory area of a virtual machine.
[9]
9. Communication controller for a personal computer, characterized in that the communication controller supports the PCI interface standard and that the data arriving in a time-triggered message are stored in an associated spatially encapsulated memory area of a virtual machine.
[10]
10. Communication controller for a personal computer, characterized in that the communication controller supports the TTEthernet standard.
Similar technologies:
Publication number | Publication date | Patent title
DE102012212511B4|2019-03-21|Operating method of a data processing system, data processing device and computer program product for providing checkpoint-based high availability with network packet buffering in the hardware
DE602004004942T2|2007-12-13|Virtual network addresses
DE112011102443T5|2013-06-20|Server management using a baseboard management controller to set up a wireless network
DE112012001753B4|2020-04-23|3 login sequence for a fiber channel relay structure
DE112012006336T5|2015-02-19|Network system configured to resolve forward error correction during a linked training sequence
DE102015004128A1|2015-10-01|A method and system for testing cloud-based applications and services in a production environment using separate back-end systems
DE102016102424A1|2016-08-18|Content-based hardware security module assignment to virtual machines
DE102009043278A1|2010-10-07|Network synchronization via IP networks
AT512665B1|2013-12-15|Method and apparatus for forming software fault containment units in a distributed real-time system
DE102013209934B4|2017-07-06|Start or stop virtual servers in proper order
DE102020201834A1|2020-10-01|TECHNOLOGIES FOR POWER SUPPLY BALANCING DEVICES FOR ACCELERATED FUNCTIONS-AS-SERVICE
DE112014004208T5|2016-06-16|Integration method and system
DE112012002404B4|2017-03-02|Configuration and management of virtual networks
DE102014115919A1|2015-05-21|Sharing of memory by mobile devices
DE112011104020T5|2013-08-29|Validate access to a shared record for read and write access by multiple requestors
DE102013209515A1|2013-12-05|Providing an I2C bus via Ethernet
DE112012005046B4|2018-03-01|Coordinate write operation sequences in a data storage system
DE102013210336A1|2013-12-24|Mechanisms for distributed routing in a virtual switch, enabled through a structure based on TRILL
DE102015111820A1|2016-01-21|Select a network
DE112012005663T5|2014-09-25|Allocation of flow control credits for high performance equipment
DE102018129112A1|2019-06-27|System decoder for training accelerators
DE202015009265U1|2017-01-19|UNIFORM API FOR PROGRAMMING BOTH SERVER AND FABRIC FOR FEIN OPTIMIZATION OF NETWORKS
DE112013002241B4|2018-04-05|Determine a network address for managed devices
DE102004055445A1|2006-01-19|Methods and systems for dynamic partition management of shared connection partitions
DE112016005840T9|2018-11-29|WIRELESS COMMUNICATION DEVICE, WIRELESS COMMUNICATION PROCESS AND WIRELESS COMMUNICATION PROGRAM
Patent family:
Publication number | Publication date
US20150039929A1|2015-02-05|
EP2801030A1|2014-11-12|
CN104145248A|2014-11-12|
JP2015517140A|2015-06-18|
AT512665B1|2013-12-15|
WO2013138833A1|2013-09-26|
Cited documents:
Publication number | Filing date | Publication date | Applicant | Patent title
WO1994006080A1|1992-09-04|1994-03-17|Fault Tolerant Systems|Communications control unit and information transmission process|
WO2011003121A1|2009-07-09|2011-01-13|Fts Computertechnik Gmbh|System-on-chip fault identification|
US6075938A|1997-06-10|2000-06-13|The Board Of Trustees Of The Leland Stanford Junior University|Virtual machine monitors for scalable multiprocessors|
AT408382B|2000-03-02|2001-11-26|Fts Computertechnik Gmbh|COMPUTER NODE ARCHITECTURE WITH DEDICATED MIDDLEWARE COMPUTER|
AT410490B|2000-10-10|2003-05-26|Fts Computertechnik Gmbh|METHOD FOR TOLERATING "SLIGHTLY-OFF-SPECIFICATION" ERRORS IN A DISTRIBUTED ERROR-TOLERANT REAL-TIME COMPUTER SYSTEM|
US7134050B2|2003-08-15|2006-11-07|Hewlett-Packard Development Company, L.P.|Method and system for containing software faults|
EP2145431B1|2007-04-11|2011-10-05|FTS Computertechnik GmbH|Communication method and device for efficient and secure transmission of tt ethernet messages|
JP5381194B2|2009-03-16|2014-01-08|富士通株式会社|Communication program, relay node, and communication method|
US8589947B2|2010-05-11|2013-11-19|The Trustees Of Columbia University In The City Of New York|Methods, systems, and media for application fault containment|
US8908675B2|2012-01-13|2014-12-09|Honeywell International Inc.|Virtual pairing for consistent data broadcast|
WO2016033629A2|2014-09-05|2016-03-10|Fts Computertechnik Gmbh|Computer system and method for safety-critical applications|
US10019292B2|2015-12-02|2018-07-10|Fts Computertechnik Gmbh|Method for executing a comprehensive real-time computer application by exchanging time-triggered messages among real-time software components|
US10324797B2|2016-02-26|2019-06-18|Tttech Auto Ag|Fault-tolerant system architecture for the control of a physical system, in particular a machine or a motor vehicle|
Legal status:
2018-11-15| PC| Change of the owner|Owner name: TTTECH COMPUTERTECHNIK AG, AT Effective date: 20180926 |
Priority:
Application number | Publication number | Priority date | Filing date | Patent title
ATA342/2012A|AT512665B1|2012-03-20|2012-03-20|Method and apparatus for forming software fault containment units in a distributed real-time system|
US14/379,728| US20150039929A1|2012-03-20|2013-03-19|Method and Apparatus for Forming Software Fault Containment Units in a Distributed Real-Time System|
JP2015500711A| JP2015517140A|2012-03-20|2013-03-19|Method and apparatus for forming software fault containment units in a distributed real-time system|
CN201380012025.7A| CN104145248A|2012-03-20|2013-03-19|Method and apparatus for forming software fault containment units in a distributed real-time system|
PCT/AT2013/050068| WO2013138833A1|2012-03-20|2013-03-19|Method and apparatus for forming software fault containment units in a distributed real-time system|
EP13716172.5A| EP2801030A1|2012-03-20|2013-03-19|Method and apparatus for forming software fault containment units in a distributed real-time system|