Weakly synchronized clock architecture for distributed real-time automation applications

Documents and media

Download support

pdf (1.94 MB)

Abstract

This work has several stories. Firstly, a long friendship with Paul Caspi, who was a long-time consultant to the Airbus teams developing flight control software (in Scade). Paul knew that Airbus engineers, when they had to use a distributed architecture for a critical system, resorted to an asynchronous, non-blocking communication architecture (without access conflicts); each entity (calculation, communication, sensors and actuators) is punctuated by its own autonomous periodic clock, without synchronization. Paul Caspi had studied the Airbus programming methodology to compensate for the non-determinism resulting from such an architecture. Over the course of the 2000s, we then worked on refining this methodology, reducing it to a simple explanation.

Another important starting point is Hermann Kopetz's TTA (Time-Triggered Architecture) philosophy, which consists in creating a strictly synchronous (in the sense of the languages of the same name) and temporally periodic model right from the computing and communication hardware level, thus offering a natural target for the deployment of Scade programs; this approach is favored by Boeing. However, from an automation engineer's point of view, a control loop can certainly be satisfied with a certain amount of asynchronism, tolerated thanks to the robustness margins of the control laws: why bother with TTA in this case? Of course, discrete controls such as protection and running mode management must also be taken into account, so the natural idea would be to tolerate asynchronism for distributed continuous control while combating its non-determinism at the level of discrete control.

Finally, the world of circuitry is experiencing the same problem with the emergence of asynchronous circuits without global clock propagation, see Jordi Cortadella's lecture last year and Gérard Berry's lecture today. As far as time management is concerned, this area actually poses similar difficulties to the previous one.

The emerging vision is simple. Synchronous programming enables applications to be deployed on any virtual machine obeying Kahn's network model. The problem is then to design, on top of the distributed physical architecture of non-synchronized pseudo-periodic systems, an algorithmic layer giving the latter a Kahn network behavior. With Paul Caspi and other colleagues, we have developed two techniques for this. One is a token-based algorithm that does not use physical dates, and is very similar to elastic circuits à la Cortadella; the other uses bounds on jitter and inter-clock drift to "thicken" events, thus mathematizing the original philosophy of the Airbus engineers. The tools of Petri nets and max-plus algebra allow us to analyze these two approaches in a unified way.