The NASA Orion Spacecraft will have a strong fiber optic emphasis for its on-board data network. This, together with the need for command and control systems to act at exactly specified times for critical on-board functions, necessitates the use of a Time-Triggered Ethernet (TTE) distribution architecture so that these commands happen precisely at “this time.” Any delay can be fatal to a manned mission in space.
TTE combines real-time and non-real-time traffic into one architecture for communication buses. This Ethernet bus handles simple data acquisition as well as multimedia systems and even critical real-time control systems that demand a fault-tolerant communication system that can be certified.
TTE distinguishes two traffic classes. One is standard event-driven Ethernet traffic; the other is time-triggered traffic whose delivery is temporally guaranteed. Event-driven traffic is handled in conformance with the present IEEE Ethernet standard.
In Orion’s fly-by-wire system, certification of the design is required, since astronauts’ lives will depend upon this electronic control system and its central computer. This means that it must be possible to establish the correct operation of the communications system in all specified fault and load scenarios.
Legacy integration in TTE provides predictable, real-time capabilities within the IEEE standard; uncompromising legacy integration is another key requirement of TTE.
Predictable and deterministic message transfer is a must, so that the delay of messages is small and the jitter of the transport system is minimized.
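To make the two traffic classes and the jitter requirement concrete, here is an added illustrative model of a single switch egress port (it is not TTE’s own implementation, and the sample frames and timings are constructed). It assumes one simple policy: an event-driven (ET) frame is started only if it will finish before the next scheduled time-triggered (TT) dispatch, so TT frames leave exactly on schedule regardless of ET load, while ET frames absorb the waiting time.

```python
# Added illustrative model (not TTE's own implementation) of one egress port
# carrying both traffic classes. Time unit: microseconds. Assumed policy: an
# event-driven (ET) frame is started only if it will finish before the next
# scheduled time-triggered (TT) dispatch, so TT frames never wait behind ET frames.

def simulate(tt_dispatch, et_arrivals, tx_time):
    """tt_dispatch: sorted instants at which TT frames must leave the port.
    et_arrivals: (name, arrival_time) pairs, sorted by arrival.
    tx_time: wire time of one frame (about 121 us for 1518 bytes at 100 Mbit/s).
    Returns {"TT": [(scheduled, departure), ...], "ET": {name: (departure, latency)}}."""
    tt, et, queue = list(tt_dispatch), list(et_arrivals), []
    # A feasible schedule leaves room for one whole frame between TT dispatches.
    for a, b in zip(tt, tt[1:]):
        if b - a < tx_time:
            raise ValueError(f"TT slots {a} and {b} overlap")
    tt_out, et_out, t = [], {}, 0.0
    while tt or et or queue:
        while et and et[0][1] <= t:          # ET frames that have reached the port
            queue.append(et.pop(0))
        next_tt = tt[0] if tt else float("inf")
        if queue and t + tx_time <= next_tt:
            name, arrived = queue.pop(0)     # ET frame fits before the TT slot
            et_out[name] = (t, t - arrived)
            t += tx_time
        elif not queue and et and et[0][1] < next_tt:
            t = et[0][1]                     # port idle until the next ET arrival
        else:
            d = tt.pop(0)                    # TT frame leaves at its scheduled instant
            tt_out.append((d, max(t, d)))    # max() only matters if the port were busy
            t = max(t, d) + tx_time
    return {"TT": tt_out, "ET": et_out}

def max_tt_deviation(result):
    """Largest (departure - scheduled) over TT frames; 0 means no jitter was added."""
    return max(dep - sched for sched, dep in result["TT"])

if __name__ == "__main__":
    # Constructed sample: TT frames every 500 us, a burst of ET frames at startup,
    # and two ET frames (d, e) that arrive just before the 500 us TT slot.
    res = simulate([0, 500, 1000, 1500],
                   [("a", 10), ("b", 20), ("c", 30), ("d", 400), ("e", 405)], 120)
    print("TT deviation:", max_tt_deviation(res))
    for name, (dep, lat) in res["ET"].items():
        print(f"ET {name}: departed {dep:g}, latency {lat:g}")
```

In the sample, frame d is waiting while the port is idle at 480 us, but is held back because it would overrun the TT dispatch at 500 us; the TT frame keeps its slot and d goes out at 620 us instead.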
Fault-tolerant global time provides a shared time base that survives faults, since any loss of that time base can crash a system and be catastrophic to an architecture such as Orion’s future manned missions.
Strong fault isolation determines the physical structure of a safety-critical processor system. If the accidental physical destruction of a component in a system is to be tolerated, then the computer system has to be distributed in space, and the destruction of one site must not cause the destruction of any other site(s) not directly impacted by the fault. Also, error propagation must not occur, so if a site produces an erroneous message, that message must not propagate to any correct nodes and corrupt them.
Consistent diagnosis ensures that all correct nodes agree at all times on which node is functional and which one has failed. This will aid in reconfiguration efforts and recovery.
Scalability is another must in TTE. No design decision may make it difficult to extend TTE to higher speeds such as 10 Gbit/s, nor may any design decision restrict the number of controllers in the system.
These are just some of the precautions designed into TTE to ensure safety of lives and critical systems that protect lives.
Standard and fault-tolerant configurations
100 Mbit/s Ethernet has a switched architecture, as shown in Figure 1. Every node consists of a host computer and Ethernet controller connected to a store-and-forward switch by a bi-directional point-to-point link.
(Image courtesy of IEEE paper “The time-triggered Ethernet [TTE] design”)
TTE design is the result of more than 35 years of research efforts in the design of fault-tolerant, distributed, real-time systems. Many more improvements will be implemented to this system to ensure its ultimate safety for critical missions and systems such as Orion.
For more Orion details, please see the EDN article “NASA Orion electronics: Celestial ‘hunter’ seeking our origin.”
This article is based upon an IEEE paper titled “The time-triggered Ethernet (TTE) design.”