Five Best Practices for Virtual Primary Reference Time Clock (vPRTC) Deployment
Tips on how to supplement and create resilient timing networks using the vPRTC architecture.
vPRTC: Securing Modern Infrastructure Timing
The virtual Primary Reference Time Clock (vPRTC) is a highly secure and resilient network-based timing architecture that has been developed to meet the expanding needs of modern critical infrastructures including 5G, transportation, data centers and power utilities.
These are the five key best-practices derived from millions of cumulative hours of operation of the vPRTC timing architecture across multiple industries.
Best Practice |
Summary |
1. Establish core ePRTC timing-hub sites |
The vPRTC system allows chains of up to 15 hops where each hop can be about 150 km each; this allows for over 2000 km distance between ePRTC sites. The larger the distance between the ePRTC sites, the less chance of jamming and spoofing events affecting them both at the same time. |
2. Deploy BlueSky™ GNSS Firewall at ePRTC sites |
Install a BlueSky™ GNSS Firewall for anomaly detection and protection. With a small number of sites using GNSS for a very large network, the addition of GNSS firewalls at these sites provides protection to the entire network. |
3. Design the vPRTC network for redundancy |
Design the vPRTC network so that each TimeProvider® 4100 High Performance Boundary Clock receives two high accuracy Universal Coordinate Time (UTC) traceable timing feeds. |
4. Optimize path selection between vPRTC nodes |
Use the best and appropriate fiber path between the vPRTC nodes to ensure redundant delivery of timing from east and west directions as well as protected southbound PTP distribution to all end-application timing nodes. |
5. Monitor vPRTC service assurance |
Assure end-to-end vPRTC service with TimePictra® management to verify the integrity of the timing accuracy at each vPRTC node. |
The resilient architecture alleviates dependency on satellite-based timing sources such as Global Navigation Satellite Systems (GNSS) by placing autonomous time scale grade atomic clocks in enhanced Primary Reference Time Clock (ePRTC) area timing-hub sites at the core of a fiber based terrestrial timing distribution network. Secure core-timing sites and fiber distribution are 100% in control of the network operator, and immune to potential jamming or spoofing cyber-attacks on satellite-based timing solutions.
Best Practice 1: Setting up Your Resilient ePRTC Area Timing Hub Sites
The ePRTC performs two vital functions for any critical infrastructure network, the first being to provide a UTC reference of under 30 nanoseconds (ns) to the network with a stable frequency of 5.7 e-14, and the second being to offer a valid holdover source when GNSS is lost. When planning a network, 30 ns should be used for the error budget calculations; however, the actual performance of the TimeProvider® 4100 ePRTC units is much better, which allows the network a larger margin of error when deployed.
ePRTC Components |
Description |
Calibrated GNSS Antenna Installation |
It is vital to ensure that the GNSS antenna is accurately compensated for propagation delay through the cable length with elements such as lightning arresters, amplifiers or splitters. Consult the TimeProvider 4100 System User Guide for detailed instructions. |
BlueSky GNSS Firewall |
Recommended option for ePRTC installation to provide GNSS spoofing and jamming detection. |
TimeProvider 4100 PTP Grandmaster Server |
When equipped with dual cesium clocks, there are two advantages. First, to protect the output performance of the ePRTC system. Second, dual cesium clocks further increase the performance and holdover ability of the ePRTC. |
5071B Cesium Frequency Standard |
Provides frequency and stability reference. It’s best to have two cesium clocks at each ePRTC site, so there is a backup to the critical infrastructure that’s being established. |
TimePictra® Software |
Can view synchronization performance with end-to-end network visibility encompassing ePRTC systems at area timing hub locations and sub-tending aggregation and edge nodes. |
Best Practice 2: BlueSky™ GNSS Firewall Anomaly Detection and Protection
The ePRTC site uses clocks that are calibrated with UTC traceable timing and GNSS as the timing reference. However, these clocks run autonomously from the calibrated cesium frequency standard. Threats in the form of GNSS spoofing or jamming attacks are continuously monitored using advanced firewall technologies to assure only valid signals from the sky are passed to the central clock. The central clocking system employs industry proven cesium atomic frequency standards to establish 30 ns guaranteed accuracy traceable to UTC. If GNSS is detected to be not valid, the vPRTC source maintains 100 ns traceability to UTC for a minimum of 14 days. There are two options for how to deploy the BlueSky GNSS Firewall for GNSS anomaly detection and protection.
Option 1: Deploy the BlueSky GNSS Firewall in-line between the antenna and the TimeProvider 4100 system.
- Connect the GNSS antenna to the BlueSky GNSS Firewall.
- Connect the validated output from the BlueSky GNSS Firewall to the GNSS input on the TimeProvider 4100 ePRTC system.
- Configure anomaly detection thresholds on the BlueSky GNSS Firewall.
- If anomalies are detected and thresholds are exceeded, the firewall will generate alarms, and disable the validated output so that the ePRTC system will immediately enter holdover protection.
Option 2: Deploy the BlueSky GNSS Firewall as a separate monitoring system.
- Connect the BlueSky GNSS Firewall to a separate GNSS antenna or to a splitter on the main antenna line.
- Configure anomaly detection thresholds on the BlueSky GNSS Firewall.
- If anomalies are detected and thresholds are exceeded, the firewall will generate alarms to notify the system operations center to analyze and to take appropriate actions.
 |
Best Practice 3: Configuring the TimeProvider 4100 High Performance Boundary Clocks (HPBC) at Each vPRTC Node
The TimeProvider 4100 system is a sophisticated network clocking element with the ability to transfer timing with extraordinary levels of precision and can be configured in different operational modes: ePRTC, PRTC-A, PRTC-B, Gateway Clock and as a HPBC designed for the optical layer. In HPBC mode, it can meet or exceed ITU-T G.8273.2 Class D specifications with a typical error budget of 2 ns per HPBC hop.
When you compare traditional boundary clocks and the vPRTC HPBCs, traditional boundary clocks are unidirectional, have a single clock domain and have a very basic de-jitter function. They are designed to have a single input and no ability to make measurements between multiple references. On the other hand, the HPBC clocking element has multiple PTP input clients and dual clock domains per port. With full bi-directional functionality, the system accepts PTP input from different directions (“East Site” and “West Site”) simultaneously. HPBCs monitor the incoming clocks and can select the most stable highest quality input. HPBCs also run a global Best Master Clock Algorithm (BMCA) function that enables fast switchover between PTP inputs as necessary. Figure 4 shows the “West Site,” “East Site” and HPBC Hop configuration. Table 3 explains factors that contribute to configuring the TimeProvider 4100 HPBC at each vPRTC node.
The TimePictra synchronization management system provides concise monitoring screens to instantly detect and alert the operator to any alarm conditions. Customizable monitoring dashboard screens provide alarm status and a visual mapping of the HPBC chain with all links east and west showing lock and performance status conditions.
Best Practice 4: Redundant Fiber Interconnect Network Considerations
The optical transmission network for the vPRTC architecture is broken into two sections.
- The core fiber interconnect for the connection between the ePRTC area timing hub sites and the east to west chain of TimeProvider 4100 HPBC clocks.
- The southbound PTP distribution network from the individual TimeProvider HPBC clocks down to the end PTP client clocks in the operator’s network.
There are many benefits to using dedicated timing paths with the vPRTC network. Not only do timing paths bring deterministic timing performance to the single ns level, but also to the total separation of the traffic and the timing networks. This separation means any planned or unplanned updates or changes to the traffic network, such as firmware, line cards or adding new equipment from existing or new vendor, cannot have any effect on the timing network.
The fiber interconnect for a resilient vPRTC east/west network using a single path design is made with one of the following three options:
- DWDM using the Optical Timing Channel (OTC)
a. The OTCs often use SFPs at Fast Ethernet speed, which does allow for longer distances. It should be considered that Fast Ethernet timing channels prohibit the use of protocols like WhiteRabbit which is why vPRTC is so widely deployed for timing over a wide area.
b. OTCs will typically use an external filter, which means that the two lambdas used are very close to each other and in most cases reduce the static asymmetry to almost nothing. - Single fiber with bidirectional SFPs
a. Commonly used for medium distances (approximately 100 km).
b. Bidirectional SFPs have the advantage of using a single fiber, which saves money, but also means there are no problems with mismatched fiber pairs.
c. The one drawback is to know the length of the fiber, so that the correct offset from the chromatic dispersion can be calculated. - Fiber pairs (least common)
a. Using a pair of fibers can lead to issues; if the pair is not matched in length, any significant mismatch will create an offset.
Best Practice 5: End to End vPRTC Service Assurance and Monitoring With TimePictra
The vPRTC architecture has several unique features that are mandatory to deliver deterministic and accurate timing within a network.
These features are:
- Use of PTP between nodes, so that any path can be used, at whatever speed is appropriate.
- Use of PTP between nodes, so that and “East and West” timing solution can be used on the same path, while maintaining the complete independence of these timing directions.
- Comparison measurement between the East and West Timing directions at every node along the sync chain.
- The vPRTC network not only delivers precise time, but the vPRTC network is self-monitoring and self-diagnosing.
The combination of these features means that TimePictra can monitor every timing chain in a customer's network and confirm that each HPBC is aligned with both ePRTC nodes.
When a vPRTC chain is established, the measurements taken by TimePictra will show three components:
- The difference between the UTC sources at each end of the vPRTC timing chain.
- Static asymmetries that exist along the vPRTC chain.
- Sudden changes in static asymmetries show there have been a change in fiber or configuration.
The virtual Primary Reference Timing Clock is a new concept for a highly secure and protected network-based timing architecture developed to meet the expanding needs of modern critical infrastructures. Please contact your Microchip representative to learn more about how our solutions enable operators to build a vPRTC network delivering ultra-high precision timing services with unmatched stability, security and reliability.
Visit vPRTC for more information.