SAE Technical Standards Board Rules provide that: “This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user.” SAE reviews each technical report at least every five years, at which time it may be revised, reaffirmed, stabilized, or cancelled. SAE invites your written comments and suggestions.

Copyright 2016 SAE International. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of SAE.

AEROSPACE STANDARD AS6802
Issued 2011-11
Reaffirmed 2016-11
Time-Triggered Ethernet

RATIONALE

AS6802 has been reaffirmed to comply with the SAE five-year review policy.

INTRODUCTION

Time-Triggered Ethernet functionality described in the SAE AS6802 standard is a Layer 2 Quality-of-Service (QoS) enhancement for Ethernet networks. It provides the capability for deterministic, synchronous, and congestion-free communication, unaffected by any asynchronous Ethernet traffic load. This occurs via a fault-tolerant, self-stabilizing synchronization strategy, which helps to establish temporal partitioning and ensures isolation of the synchronous time-critical dataflows from other asynchronous Ethernet dataflows. By implementing this standard in network devices (network switches and network interface cards), Ethernet becomes a deterministic network which can be shared by low-latency, low-jitter, and non-time-critical applications. This means that distributed applications
with mixed time-criticality requirements (e.g., real-time command and control, audio, video, voice, data) can be integrated and coexist on one Ethernet network.

TABLE OF CONTENTS

1. SCOPE ..... 6
1.1 Purpose ..... 7
1.2 Application ..... 7
1.3 Interpretation ..... 8
1.4 Structure ..... 8
2. APPLICABLE DOCUMENTS ..... 8
2.1 ARINC Publications ..... 8
2.2 IEEE Publications ..... 8
2.3 Definitions ..... 8
3. TIME-TRIGGERED ETHERNET OVERVIEW ..... 9
3.1 Support for Traffic with Differing Timing Requirements ..... 9
3.1.1 Time-Triggered Dataflow Specifics ..... 12
3.1.2 Rate-Constrained Dataflow Specifics ..... 14
3.2 Transparent Synchronization ..... 15
3.3 Scalable Fault Tolerance ..... 17
3.3.1 Failure Modes ..... 17
3.3.2 Failure Hypothesis ..... 18
3.4 System-of-Systems Support ..... 19
3.4.1 Synchronization Domains ..... 19
3.4.2 Synchronization Priorities ..... 19
3.5 Normative Description ..... 19
3.5.1 Dataflow Requirements ..... 19
3.5.2 Failure Hypothesis Requirements ..... 20
SAE INTERNATIONAL AS6802 Page 2 of 108
4. SYNCHRONIZATION PROTOCOL CONTROL FLOW ..... 21
4.1 Supported Topologies ..... 21
4.2 Fault-Tolerant Synchronization Approach ..... 22
4.2.1 Scenario 1 - Uncompressed PCF Flow ..... 25
4.2.2 Scenario 2 - Compressed PCF Flow ..... 26
4.3 Protocol Control Flow in a Simple Cluster ..... 26
4.4 Protocol Control Flow in Cascaded Clusters ..... 28
4.5 Protocol Control Flow in Cascaded Clusters with Multiple Compression Masters ..... 30
4.6 Normative Description ..... 30
5. MESSAGE PERMANENCE FUNCTION ..... 32
5.1 Transparent Clock Calculation ..... 33
5.2 Permanence Delay Calculation ..... 35
5.3 Normative Description ..... 36
6. COMPRESSION FUNCTION ..... 37
6.1 Compression Function Discussion ..... 37
6.1.1 Discussion Scenarios ..... 39
6.2 Normative Description ..... 40
6.2.1 Collection Phase ..... 40
6.2.2 Calculation Phase ..... 40
6.2.3 Delay Phase ..... 41
6.2.4 PCF Field Assignments ..... 41
6.2.5 Bounded Influence Requirements ..... 42
6.2.6 Compression Function Parameter Ranges ..... 42
7. CLOCK SYNCHRONIZATION SERVICE ..... 42
7.1 Clock Synchronization in Synchronization Master/Client ..... 43
7.2 Clock Synchronization in Compression Master ..... 46
7.3 Compressed PCF Dispatch ..... 47
7.4 Normative Description ..... 48
7.4.1 Synchronization Master/Client ..... 48
7.4.2 Compression Master ..... 48
8. CLIQUE DETECTION AND RESOLUTION SERVICES ..... 49
8.1 Synchronous Clique Detection Function ..... 50
8.2 Asynchronous Clique Detection Function ..... 51
8.3 Relative Clique Detection Function ..... 52
8.4 Normative Description ..... 52
9. STARTUP AND RESTART SERVICE ..... 53
9.1 Description of the Protocol State Machine Formalism ..... 54
9.2 Synchronization Master Protocol State Machine ..... 55
9.2.1 SM_INTEGRATE State ..... 57
9.2.1.1 Description ..... 57
9.2.1.2 Transition Summary ..... 57
9.2.2 SM_WAIT_4_CYCLE_START State ..... 57
9.2.3 SM_UNSYNC State ..... 58
9.2.3.1 Description ..... 58
9.2.3.2 Transition Summary ..... 58
9.2.4 SM_FLOOD State ..... 59
9.2.4.1 Description ..... 59
9.2.4.2 Transition Summary ..... 59
9.2.5 SM_WAIT_4_CYCLE_START_CS State ..... 59
9.2.5.1 Description ..... 59
9.2.5.2 Transition Summary ..... 60
9.2.6 SM_TENTATIVE_SYNC State ..... 60
9.2.6.1 Description ..... 60
9.2.6.2 Transition Summary ..... 61
9.2.7 SM_SYNC State ..... 61
9.2.7.1 Description ..... 61
9.2.7.2 Transition Summary ..... 62
9.2.8 SM_STABLE State ..... 62
9.2.8.1 Description ..... 62
9.2.8.2 Transition Summary ..... 63
9.2.9 SM_WAIT_4_CYCLE_START State ..... 63
9.2.9.1 Description ..... 63
9.2.9.2 Transition Summary ..... 64
9.3 Synchronization Client Protocol State Machine ..... 65
9.3.1 SC_INTEGRATE State ..... 65
9.3.1.1 Description ..... 65
9.3.1.2 Transition Summary ..... 66
9.3.2 SC_SYNC State ..... 66
9.3.2.1 Description ..... 66
9.3.2.2 Transition Summary ..... 67
9.3.3 SC_STABLE State ..... 67
9.3.3.1 Description ..... 67
9.3.3.2 Transition Summary ..... 68
9.4 Compression Master Protocol State Machine for High-Integrity Synchronization Masters ..... 69
9.4.1 CM_INTEGRATE State ..... 71
9.4.1.1 Description ..... 71
9.4.1.2 Transition Summary ..... 71
9.4.2 CM_WAIT_4_CYCLE_START State ..... 71
9.4.2.1 Description ..... 71
9.4.2.2 Transition Summary ..... 72
9.4.3 CM_UNSYNC State ..... 72
9.4.3.1 Description ..... 72
9.4.3.2 Transition Summary ..... 72
9.4.4 CM_TENTATIVE_SYNC State ..... 72
9.4.4.1 Description ..... 72
9.4.4.2 Transition Summary ..... 73
9.4.5 CM_SYNC State ..... 73
9.4.5.1 Description ..... 73
9.4.5.2 Transition Summary ..... 74
9.4.6 CM_STABLE State ..... 74
9.4.6.1 Description ..... 74
9.4.6.2 Transition Summary ..... 74
9.5 Compression Master Protocol State Machine for Standard-Integrity Synchronization Masters ..... 75
9.5.1 CM_INTEGRATE State ..... 77
9.5.1.1 Description ..... 77
9.5.1.2 Transition Summary ..... 77
9.5.2 CM_UNSYNC State ..... 77
9.5.2.1 Description ..... 77
9.5.2.2 Transition Summary ..... 78
9.5.3 CM_CA_ENABLED State ..... 78
9.5.3.1 Description ..... 78
9.5.3.2 Transition Summary ..... 78
9.5.4 CM_WAIT_4_IN State ..... 78
9.5.4.1 Description ..... 78
9.5.4.2 Transition Summary ..... 79
9.5.5 CM_SYNC State ..... 79
9.5.5.1 Description ..... 79
9.5.5.2 Transition Summary ..... 79
9.5.6 CM_STABLE State ..... 79
9.5.6.1 Description ..... 79
9.5.6.2 Transition Summary ..... 80
9.6 Normative Description ..... 81
10. SYSTEM-OF-SYSTEMS SYNCHRONIZATION ..... 81
10.1 Normative Description ..... 83
11. SYNCHRONIZATION PARAMETERS SUMMARY ..... 83
11.1 Transport Parameters ..... 83
11.2 Schedule Parameters ..... 87
11.3 Clock Synchronization Parameters ..... 87
11.4 Startup and Restart Parameters ..... 88
11.4.1 Synchronization Master Parameters ..... 88
11.4.1.1 Timeouts ..... 88
11.4.2 Compression Master Parameters ..... 91
11.4.2.1 Timeouts ..... 91
11.5 Synchronization Priority ..... 93
11.6 Diagnosis ..... 93
11.6.1 Synchronization Master ..... 93
11.6.1.1 Protocol Diagnosis ..... 93
11.6.1.2 Clock Synchronization Diagnosis ..... 94
11.6.1.3 Membership Diagnosis ..... 94
11.6.1.4 Other Diagnosis ..... 95
11.6.2 Compression Master ..... 95
11.6.3 Additional Diagnosis ..... 95
APPENDIX A ABBREVIATIONS AND GLOSSARY ..... 96
APPENDIX B FAULT CONTAINMENT ..... 104
APPENDIX C TIME-TRIGGERED ETHERNET REALIZATION ON IEEE 802.3 (GENERIC ETHERNET) ..... 106
APPENDIX D TIME-TRIGGERED ETHERNET REALIZATION ON ARINC 664-P7 ..... 107

FIGURE 1 SCOPE OVERVIEW - AS6802 SPECIFIES A FAULT-TOLERANT SYNCHRONIZATION PROTOCOL TO BE LEVERAGED FOR TIME-TRIGGERED COMMUNICATION AND PARTITIONING ..... 6
FIGURE 2 INTERACTION OF STANDARDS ..... 10
FIGURE 3 ROBUST PARTITIONING THROUGH TTETHERNET SERVICES ..... 11
FIGURE 4 EXAMPLE TTETHERNET NETWORK ..... 11
FIGURE 5 RELEVANT POINTS IN TIME IN THE FLOW OF A FRAME ..... 12
FIGURE 6 CHARACTERIZATION OF A FRAME ..... 14
FIGURE 7 LEAKY BUCKET ALGORITHM ..... 15
FIGURE 8 TRANSPARENT CLOCK REMOTE CLOCK TIME READING ..... 17
FIGURE 9 FAILURE MODES OVERVIEW ..... 18
FIGURE 10 TTETHERNET EXAMPLE NETWORKS ..... 22
FIGURE 11 TTETHERNET TWO-STEP SYNCHRONIZATION APPROACH DURING SYNCHRONIZED OPERATION ..... 22
FIGURE 12 EXAMPLE OF CLUSTER CYCLE AND INTEGRATION CYCLES ..... 24
FIGURE 13 UNCOMPRESSED PCF ROUTING ..... 25
FIGURE 14 COMPRESSED PCF ROUTING ..... 26
FIGURE 15 PROTOCOL CONTROL FLOW DETAILED TIMING ..... 27
FIGURE 16 PROTOCOL CONTROL FLOW IN MULTI-HOP DETAILED TIMING ..... 29
FIGURE 17 PCF FORMAT ..... 30
FIGURE 18 TTETHERNET EXAMPLE NETWORK ..... 32
FIGURE 19 DATAFLOW EXAMPLE EQUAL SEND AND RECEIVE ORDERS ..... 34
FIGURE 20 DATAFLOW EXAMPLE DIFFERENT SEND AND RECEIVE ORDERS ..... 35
FIGURE 21 OVERVIEW OF THE COMPRESSION FUNCTION ..... 37
FIGURE 22 SYNCHRONIZATION COMPRESSION FUNCTION DETAILED DESCRIPTION ..... 38
FIGURE 23 EXAMPLE OF CLUSTER CYCLE AND INTEGRATION CYCLES ..... 43
FIGURE 24 LOCAL CLOCK IN SYNCHRONIZATION MASTER AND SYNCHRONIZATION CLIENT ..... 44
FIGURE 25 LOCAL_CLOCK IN COMPRESSION MASTER ..... 46
FIGURE 26 SYNCHRONOUS CLIQUE DETECTION FUNCTION ..... 50
FIGURE 27 ASYNCHRONOUS CLIQUE DETECTION FUNCTION ..... 51
FIGURE 28 SYNCHRONIZATION MASTER PROTOCOL STATE MACHINE ..... 56
FIGURE 29 SYNCHRONIZATION CLIENT PROTOCOL STATE MACHINE ..... 65
FIGURE 30 COMPRESSION MASTER PROTOCOL STATE MACHINE FOR HIGH-INTEGRITY SYNCHRONIZATION MASTERS ..... 70
FIGURE 31 COMPRESSION MASTER PROTOCOL STATE MACHINE FOR STANDARD-INTEGRITY SYNCHRONIZATION ..... 76
FIGURE 32 TTETHERNET MULTICLUSTER CONSISTING OF THREE CHANNELS ..... 81
FIGURE 33 TTETHERNET COMBINED CLUSTER MULTICLUSTER ARCHITECTURES ..... 82
FIGURE 35 OVERVIEW OF A HIGH-INTEGRITY DESIGN ACHIEVED VIA A COM/MON PAIR ..... 104
FIGURE 34 ARINC 664-P7 FRAME FORMAT AND VL ID (FROM ARINC 664-P7 STANDARD) ..... 107

1. SCOPE

The Time-Triggered Ethernet (SAE AS6802) standard defines a fault-tolerant synchronization strategy for building and maintaining synchronized time in a distributed system of end systems and switches (we use the term end system for “data terminal equipment” (DTE) as specified in IEEE 802.3), which can be used to support communication among these components for traffic which may have different levels of time criticality. In particular, the standard defines algorithms for clock synchronization, clique detection, startup, and restart. These algorithms have been designed to allow scalable fault-tolerance and provide self-stabilization mechanisms.

Time-Triggered Ethernet supports the design of communication systems with mixed time criticality in which several applications of mixed time criticality share a single physical network. In particular, an Ethernet network can be used to transfer frames in a time-triggered mode (synchronous communication) and non-time-triggered modes (asynchronous communication, as for example Ethernet frames transmitted according to the best-effort strategy). The Time-Triggered Ethernet synchronization strategy inherently compensates for latency and jitter resulting from this integration and ensures high-quality synchronization despite increased network latency and jitter. Synchronized time provides the foundation for partitioning and isolation of critical applications from the less critical or non-critical ones.

End systems exchange application data with each other by transmitting standard Ethernet frames. The points in time when end systems dispatch these frames can be coupled to the synchronized time. The transfer of these frames is then called time-triggered transfer, because the trigger for frame dispatch is derived from time. Time-Triggered Ethernet formally defines the relationship between the synchronized time and the time-triggered transfer.

Time-Triggered Ethernet covers only the network aspects for mixed time-criticality systems [1]. Time-Triggered Ethernet does not address how to integrate mixed time-criticality applications within a single node. Hence, partitioning strategies for shared resources other than the network, e.g., memory partitioning, are not discussed in Time-Triggered Ethernet. Furthermore, the fault-tolerance strategies discussed in AS6802 also address only the networking aspects. Time-Triggered Ethernet does not specify or recommend any complete system architecture for highly reliable systems.

FIGURE 1 - SCOPE OVERVIEW - AS6802 TIME-TRIGGERED ETHERNET SPECIFIES A FAULT-TOLERANT SYNCHRONIZATION PROTOCOL TO BE LEVERAGED FOR TIME-TRIGGERED COMMUNICATION AND PARTITIONING
(Figure 1 is not reproduced here; its labels read "AS6802" and "Synchronization Service".)

[1] A distributed system implementing the AS6802 standard can use the same physical network for applications of mixed time criticality and unified Ethernet networking.

1.1 Purpose

The SAE AS6802 Time-Triggered Ethernet standard is a Layer 2 Quality-of-Service (QoS) enhancement that defines time-triggered services for Ethernet networks. Time-Triggered Ethernet is designed for the development of highly dependable systems for applications in multiple industries, including integrated systems in aerospace, ground vehicles, and industrial process control. It provides the capability for deterministic, synchronous, and congestion-free (lossless) communication among distributed applications, unaffected by any asynchronous Ethernet traffic load. SAE AS6802 is compatible with higher OSI layers (3-7) and is transparent to applications designed to use asynchronous Ethernet.

EFFICIENT ACCESS CONTROL MANAGEMENT: Global time can provide a powerful fault isolation mechanism for devices with temporal faults because global time operates as a temporal firewall. In case of a failure, it is not possible for a faulty application to have access to the network at points in time other than those configured a priori and stored in locations not accessible to applications. Depending on the location of the failure, either an end system or a switch will block faulty transmission attempts. Failures of a switch can be masked by particular design choices, i.e., the so-called high-integrity designs, such as self-checking pairs. This fault masking transforms any failure of a Time-Triggered Ethernet switch into an inconsistent omission failure. This means that inconsistent omission failure is taken into ac
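The temporal-firewall idea described under EFFICIENT ACCESS CONTROL MANAGEMENT, as an added illustrative model that is not code from the standard and not a normative AS6802 algorithm: a switch ingress port forwards a time-triggered frame only if it arrives inside the window that the a-priori schedule assigns to its flow, so a babbling end system reaches the network only in its own configured slots. The window representation (period, offset, tolerance), the flow identifiers and all traffic are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Window:
    """Configured dispatch window of one time-triggered flow (assumed model)."""
    period_us: int     # flow period
    offset_us: int     # scheduled dispatch point within the period
    tolerance_us: int  # accepted deviation around that point

@dataclass
class TemporalFirewall:
    """Switch ingress model: forwards a TT frame only inside its flow's window.
    The schedule is fixed a priori and is not reachable from application traffic."""
    schedule: dict[int, Window]
    forwarded: list[tuple[int, int]] = field(default_factory=list)
    blocked: list[tuple[int, int, str]] = field(default_factory=list)

    def admit(self, flow_id: int, arrival_us: int) -> bool:
        win = self.schedule.get(flow_id)
        if win is None:
            self.blocked.append((flow_id, arrival_us, "no configured window"))
            return False
        phase = arrival_us % win.period_us
        # deviation from the dispatch point, allowing wrap-around at the period edge
        raw = abs(phase - win.offset_us)
        if min(raw, win.period_us - raw) > win.tolerance_us:
            self.blocked.append((flow_id, arrival_us, "outside window"))
            return False
        self.forwarded.append((flow_id, arrival_us))
        return True

def run_demo() -> dict[str, int]:
    """Constructed scenario: one well-behaved flow, one babbling flow, one unknown flow."""
    fw = TemporalFirewall({
        1: Window(period_us=1000, offset_us=100, tolerance_us=10),
        2: Window(period_us=1000, offset_us=500, tolerance_us=10),
    })
    for cycle in range(3):                      # flow 1: one frame per period, small jitter
        fw.admit(1, cycle * 1000 + 100 + 5 * (cycle % 2))
    for t in range(0, 3000, 250):               # flow 2 babbles every 250 us
        fw.admit(2, t)
    fw.admit(7, 123)                            # flow 7 has no slot at all
    return {
        "flow1_forwarded": sum(1 for f, _ in fw.forwarded if f == 1),
        "flow2_forwarded": sum(1 for f, _ in fw.forwarded if f == 2),
        "blocked": len(fw.blocked),
    }
```

The babbling flow still gets exactly its three scheduled slots and nothing else, which is the isolation property the paragraph attributes to global time.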