This paper contains a methodology for analyzing and designing a packet-switched computer network for application to complex control systems. The focus is on generating the high-level control network that interconnects input-output controllers with devices for monitoring and analysis and with high-level controllers such as supervisory PLCs. Part of the development given in this paper can also be applied to the device-level network (Fieldbus) that interconnects input-output controllers with sensors, actuators, and other devices in the system being controlled. A procedure is given for generating a network design with a hierarchical hub topology having full redundancy. Then in terms of a graph model of the network, an algorithm is presented for computing the information flow rates in the network design, which can then be used for capacity planning and estimating the delay times through the network.
1. INTRODUCTION The current state of the art in the design of computer networks for complex, highly distributed control systems is based on experience. The usual approach is to evaluate network performance data from similar type systems and then to purchase the highest performing equipment the project funds will support. This approach frequently leads to expensive systems that fail to meet performance specifications. The work presented in this paper is an attempt to provide an analytic basis for making network topology and component choices. The network issues that initiated this work were network availability and the capability to transfer a required amount of information in a specified time. Given system performance requirements, the approach developed in this paper can be used to modify an existing design so as to meet the requirements. The approach ensures that equipment is added or upgraded only where a performance gain can be realized.
The paper is organized as follows. After a brief introduction to the network graph model, a heuristic approach to generate an initial design is discussed in Section 3. The initial design is a typical two or three-level architecture based on two or three classes of network switch devices. Various degrees of redundancy can be added at this stage to improve the network reliability. In Section 4, a load analysis technique is developed that to links and internal nodes of the network. The generation of an initial design requires that one specify a topology for the network that describes the interconnection of the network components. This is equivalent to specifying the network graph model G(t)=[X(r), U(t)] defined in the previous section.
The most common topology in use today (particularly for switched Ethernet) is a hierarchical hub (collapsed star) configuration. An example of a two-level hierarchical structure is shown in Fig. 1 . As seen from the figure, the top level of the network consists of the backbone and the lower level contains three hubs covering the end nodes. The backbone and the hubs are switches and the links provide full-duplex communication, and thus there are no packet collisions in the network.
Backbone
&T$pJ The number of levels in a hierarchical hub configuration depends on the number of end nodes, the physical location of the end nodes, and the number of ports on the switching hubs. We shall next give a procedure for generating an initial hierarchical hub design with an appropriate number of levels. In this procedure it is assumed that the network can be built using high-capacity (backbone), intermediate-capacity, and low-capacity switches. The steps of the procedure are as follows:
1.
2.

3.
4.
5.
6.
7.
Determine the number N of end nodes, the location of the end nodes, and the maximum flow rates ay for i,J=l ,...,N. Determine the maximum flow rate ai to and from node i, where ai is given by
Order the end nodes in terms of the flow rate ai, beginning with the end node having the smallest flow rate. Starting with the end nodes having the smallest flow rate, group the nodes that are in close physical proximity by connecting them to low-capacity switches. Continue grouping the end nodes until the total flow for a group exceeds the capacity of the low-level switch. If the grouping of the nodes does not result in a flow exceeding the capacity of the low-level switch, go to Step 7; otherwise, go to the next step. Group the remaining end nodes in close proximity by connecting them to intermediate-capacity switches. Connect the low-capacity switches and the intermediate-capacity switches to a high-capacity switch that will serve as the backbone of the network. This will result in a two-level hierarchy. If the highcapacity switch does not have a sufficient number of ports, connect the low-capacity switches and the intermediate-capacity switches to two or more highcapacity switches, and then connect these switches to a backbone. This will result in a three-level hierarchy although the same capacity switches are used for the backbone (the top level) and the first level below the backbone. Another option is to connect some or all of the low-capacity switches to intermediate-capacity switches, which are then connected to the backbone. This will also result in a three-level hierarchy.
The above procedure generates a network with no redundancy, and thus the network graph model G= [X,U] does not have any cycles, forming a tree. Also note that in this case the graph G is independent of time since there is no switching to alternate paths between nodes.
To achieve a desired reliability for a controls application, it is very likely that some degree of redundancy will be necessary; that is, it will be necessary to have alternate paths between some nodes. It is important to emphasize that for Ethernet it is not possible to have more than one operational path between a pair of nodes at the same time. However, by using Ethernet switches that support the Spanning Tree Algorithm and Protocol (IEEE Standard 802.ld), it is possible to provide alternate paths in the network. Using the Spanning Tree Algorithm, the switches learn the multiple paths, and then eliminate them by disabling switch ports to form a tree. The tree is called a spanning tree since it connects (spans) all the end nodes in the network. When the network software detects a failure, an alternate path is enabled. This corresponds to the network graph model G(t)=[X(t), U(t)] switching from one tree to another tree whenever an alternate path is enabled.
Various degrees of redundancy are possible in the network. In the hierarchical hub configuration discussed above, redundancy can be added by interconnecting switches in the same level. For example, if this is done for the two-level structure in Fig. 1 , we obtain the network in Fig. 2 . If one or more of the links connecting the hubs to the backbone fails andor the backbone fails, the redundant connections between the hubs can be enabled so that all the end nodes remain connected.
If any of the hubs or any of the links from the end nodes to the hubs fail in the network in Fig. 2 , complete connectivity of the network will be lost; that is, various pairs of end nodes will not be able to communicate. To prevent this, we must add additional redundancy so that there is an alternate link from every end node to a separate hub. This can be accomplished by using two-port network interface cards (NICs) on the end nodes.
Suppose that two-port NICs are used on each of the end nodes for the network in Fig. 2 and each end node is connected using two separate links to two different hubs in the network. Then a single failure of any link or internal node in the network will not result in a loss of connectivity; that is, all end nodes will be able to communicate, assuming that end nodes do not fail. This situation is referred to as full redundancy, meaning that any single failure of a link or internal node in the network does not affect network connectivity. For a network given by a hierarchical switching hub configuration, rules can be specified for achieving full redundancy. First, we denote the levels of the hierarchy by Level 1, Level 2, Level 3, and so on. Level 1 is the backbone, Level 2 consists of switches that connect to the backbone, Level 3 consists of switches that connect to the switches in Level 2, and so on. End nodes may be connected to switches at any level in the hierarchy, including the backbone. In terms of this setup, the rules for achieving fill redundancy are:
1. Every end node has a two-port NIC with links connected to two different switches in the same level. 2. All switches in Level 2 (below the backbone) are connected together to form a string. 3. Every switch in Level 3 is connected to two separate switches in Level 2, and if there are additional levels, each switch in these levels is connected to two separate switches in the level above.
Additional redundancy can be achieved by connecting the switches in Level 3 together to form a string, and doing the same for any additional levels.
In the configuration that results from applying the above rules, the backbone is not duplicated. If the backbone fails, the string connection of switches in Level 2 takes over. This may be acceptable for temporary operation until the backbone is repaired or replaced. However, since the switches in Level 2 will most likely have much less capacity than the backbone, the string connection of the Level 2 switches may not be able to handle the traffic that would normally go through the backbone. Determining the offered loads on the Level 2 switches in case of a backbone failure can be carried out using the load analysis given in Section 4. See [7] for a good example.
There are possible variations on the configuration that results from applying the above rules. For example, we could add an alternate backbone with every switch in Level 2 connected to both the primary and alternate backbones. In this case, the switches in Level 2 do not have to be connected together in a string. If a port on the primary backbone fails, a port on the alternate backbone can be enabled so that complete connectivity is maintained.
For any design generated via the above procedure, the reliability and availability can be determined using existing results (see [5] ), and the offered load to all the network links and nodes and the delays through the network can be found using the approaches given in Sections 4 and 5. Based on this analysis, the design can be modified and then re-analyzed in order to iterate to an acceptable design.
NETWORK LOAD ANALYSIS
As we saw earlier, the topology of switched')letworks can be conveniently described by a graph model. Graph models have been used to model local-area and heterogeneous data networks ( [3] , [4] ).
The concept of networkflow has been used to model many problems in transportation and communication networks ([2] , [SI). In computer communication networks, flows can represent either the total amount of information or the rate of information transferred between two nodes of the network. The best analogy is the use of flows in electric circuits to represent the flowing electric charges or currents. Here, we take the rate-based approach, and use flows to describe the rate of information transferred over the network. The notion of flow used here is inspired by the similar idea of a communication session in [ 13.
Let T,, denote the information flow in packets per unit time between end nodes i and j of the network. We define the traffic matrix of the network to be the nxn matrix  T=(T,,) , where n is the number of end nodes. The traffic matrix T may represent the maximum flows, average flows, etc. of the information flow between the end nodes.
In an actual network, the diagonal elements of the traffic matrix are all zero, as no end node generates data packets destined for itself. However, as we shall see, a basic step in the load analysis of tree networks is to remove some end nodes and continue the analysis on a trimmed network. The resulting network will be an artificial network with end nodes that may correspond to internal nodes of the original network. To keep track of the flows inside the network as it gets smaller, it is convenient to assign some internal trufic to the end nodes that actually represents part of the total flow through those nodes in the bigger network. The traffic matrix is therefore assumed to have nonzero diagonal elements in general. In the following analysis, it is assumed that all network traffic is generated by and destined for the end nodes.
Given the traffic matrix T and the network topology specified by a directed graph C=[X q, we next develop an algorithm for determining the totalflows through links and nodes of a network. Intuitively speaking, the total flow through a link (node), also called the offered load to the link (node), is the amount of information passing through the link (node) per unit time. The load analysis problem for a graph can be described as computing the offered load to all links and nodes of the graph. For a complete discussion of the subject see belonging to a set X is denoted by Tx. We hrther assume that G=[X,U] is an arborescence, that is, C is a directed tree with a root r d such that for every node jEX there is a path from r to j in G. The depth of a node x d denoted by d(x), is the length of the longest path starting from that node. The depth of an arborescence is the maximum depth of its nodes. For example, the graph shown in Fig. 3 is an arborescence with root 7, because there is a path from node 7 to every other node in the tree. The arborescence has a 4462 depth of two, which is also the depth of its root node. Note that the notion of depth is not the same as the notion of level used in Section 3.
L
Fig. 3 An arborescence of depth 2
In what follows we assume the network has n end nodes numbered 1 to n and denote the set of end nodes by X,. For any set X={xl, ..., x , , , }~ XI, e,,x denotes an n-vector with ones at positions x l , ..., x,,, and zeros elsewhere. When there is no ambiguity about the size of the vector we will use the simpler notation ex. If X has a single member x, we use the simplified notation en,x to represent the vector en,+).
The proofs for the following results are not included due to space limitations. The proofs can be found in [ 5 ] .
The following theorem is the first step toward the load analysis of tree networks. It basically shows that the total flow through all nodes with a depth of one can be found by simple matrix operations on the network traffic matrix.
Theorem 1 The total flow through any node i with a depth of one is given by
A, =e;T"e,-& +e:,-cl"ec +e;T"e,:
where T" is the apparent traflc matrix defined as 10 ; j = k and d ( c -' ) = l Using Theorem 1, one can find the total flow through all nodes of a tree network that have a depth of one. The next theorem paves the way for a complete analysis of the network by showing that the graph model of the network can be simplified after all nodes with a depth of one have been covered. It then follows that a recursive application of Theorem 1 and the simplification scheme, developed next, can be used to cover all nodes of the network and complete the load analysis. This theorem is the key to load analysis of switched networks with an arborescent topology. Starting with the graph model of the original network, the theorem can be repetitively applied to the model until it is reduced to a single node, which happens to be the root node for the original arborescence. Part (i) guarantees that for an arborescence of depth d , this can be achieved in exactly d steps. At step i (numbered backward from d to l ) , the total flows through the end nodes of the network T, are found by a simple operation on the traffic matrix Ti. Using the theorem, a reduced network Ti.l with a depth of i-1 and the corresponding traffic matrix are generated next, and the process is repeated until the network is reduced to a single node with a depth of zero, completing the analysis. Also, note that because of the tree structure of the network, at each step only one link is connected to each T end node, and therefore the total flow through this link is also equal to the total flow through the terminating end node. Thus, we have the following algorithm based on Theorem 2.
Load Analysis of Networks with Arborescent Topology:
Consider a network with the graph model T and the traffic matrix T. T defines an arborescence with a depth of d. Set Td:=T, Td:=T and i:=d. 1 .
2.
3.
4.
.
Let m, be the order of T, (number of TI end nodes). Do the following steps forj=l, ..., ml:
9
Compute q, sum of the elements in row j and column j of TI.
. Find the node v in the original network T that corresponds to end node j in TI, and set &:=a, . Find the link U in the original network T that corresponds to the link terminating at end node j in T,, and set yu:=q. Construct the reduced graph model T,, by removing all end nodes of T, with a predecessor having a depth of one, and the links terminating at those end nodes. Identify and number the new and possibly remaining old end nodes. Find the succession matrix E, and the apparent traffic matrix TI" as described in Theorem 2 and compute the traffic matrix for the reduced network TI-l:=EIT TI1'El. Set i := i-1. If i is greater than zero, go to step 1 and stop otherwise. At this point the total flows through all links and nodes of the network except the root node have been computed. The total flow through the root node is simply equal to the scalar value To. 0
DELAY ANALYSIS
We can estimate the delay times across the network by computing the delay time for each switch device as a function of its offered load, and combining the delay times based on the graph model to generate the end-to-end delay times. For example, assuming fixed packet sizes and Poisson arrival process for all input processes, each switch can be modeled by a simple M / D / l queueing system. Then the average queueing delay for a switch with offered load Assuming a store-and-forward operation for all switches, the communication delay time between two end nodes is found by adding the queueing times for the switches on the connecting path and the appropriate number of transmission (forwarding) times.
4463
To make it easier to compare different designs, some simple network performance measures can be defined. For example, the average end-to-end delay time is defined as the weighted combination of all end-to-end delay times a set of low-level switches are used to cover all the end nodes. These switches are in turn connected by higherlevel switches and the process is repeated until full connectivity is achieved.
In terms of the network graph model, the major difference between the two designs is in the depth of the arborescence representing the network. It is easy to see that the hierarchical design produces networks that have a lower depth and therefore easier to analyze.
We next do the load analysis for both networks. Since both networks have the same set of external nodes and the same traffic matrix, the loads on external nodes for both networks are the same. Here we compute only the offered load to internal nodes, as the loads on network switches are the primary parameters of interest. The hierarchical network has a depth of two and therefore all nodes are covered in two steps. These steps are shown in Fig. 5 . The offered loads to switches A, B, C and D are found after the first iteration, as all four nodes have the same depth of one. The last node covered is switch E, the network root node. The linear network has a depth of five and is similarly analyzed in five steps.
The average offered load to all switch devices for both designs are shown in Fig. 6 . As seen in the figure, the backbone switch E experiences the highest load in the network. As expected, the hierarchical design can be implemented by two distinct classes of switch devices. The low-level or local switches A, B, C and D experience a local traffic and have roughly the same amount of offered load, making it possible to select these devices from a class of modest switches without degrading the performance. In contrast, the high-level or backbone switch E maintains the connectivity of the entire network and clearly experiences a higher load, suggesting a high performance requirement for this device. This distinction is not that clear for the linear design and the designer is probably forced to select all five switches from the same class of switch devices. To ensure no packet drop in network internal nodes, the analysis can be repeated with maximum flows to compute the maximum loads on network switches. Each switch capacity is then selected to be higher than its maximum offered load, a design step referred to as capacityplanning. Assuming maximum-sized Ethernet packets (1 5 18 bytes) and 100 Mbps bit rate across the network, an approximate delay analysis can be conducted by estimating the delay time for each switch fiom (17) with the (fixed) packet service time T = 1518*8 bits/100 Mbps = 121.44 psec.
Linear design
(20) The end-to-end delay times for both designs are shown in Fig. 7 . As seen in the figure, the delay time for the hierarchical design has a much more uniform behavior compared to the linear design. Table 3 shows the average delay time and transport efficiency for both designs, found from (18) and (19). It is again seen that the hierarchical design offers a lower average end-to-end delay time and a better transport efficiency. In other words, compared to the linear design, the switches in the hierarchical design deliver the same amount of traffic, but experience a lower offered load. It seems these two performance measures are related, and higher transport efficiency typically translates into lower average end-to-end delay time.
Table 3
Average delay time and the transport efficiency for the two networks in Fig. 4 Hierarchical design I 320.85
38.46
7. CONCLUSIONS This paper is an attempt to develop a methodology for the design and analysis of switched networks in control systems. The starting point is an initial heuristic design based on the number and location of end nodes, and the expected information flow rates among end nodes. Based on an analysis of the availability, offered loads, and end-toend delay times for this design, it can be modified and then re-analyzed in order to iterate to an acceptable design. Via this procedure, it should be possible to generate a network design that closely meets performance requirements without having to make expensive hardware modifications to achieve the end result. 
