Time-Triggered Ethernet (TTE) Design

The NASA Orion Spacecraft will have a strong fiber optic emphasis for its on-board data network. This, in conjunction with the need for command and control systems to kick in exactly at specific times for critical on-board functions, necessitates the use of a Time-Triggered Ethernet distribution architecture so these commands happen precisely at “this time.” Any delay can be fatal to a manned mission in space.

TTE combines real-time and non-real-time traffic into one architecture for communication buses. This Ethernet bus handles simple data acquisition as well as multimedia systems and even critical real-time control systems that demand a fault-tolerant communication system that can be certified.

TTE identifies the differences between two types of traffic categories. One is standard event-driven Ethernet traffic, and the other is time-triggered traffic that is temporally guaranteed. Event-driven traffic is handled in conformance with the present IEEE Ethernet standard.

In Orion’s fly-by-wire system, certification of the design is required, since astronauts’ lives will depend upon this electronic control system with its central computer. This means that it must be possible to establish the correct operation of the communications system in all specified fault and load scenarios.

Legacy Integration in TTE provides predictable, real-time capabilities within the IEEE standard. Uncompromising legacy integration is another key requirement of TTE.

Predictable and deterministic message transfer is a must, so that the delay of messages is small and the jitter of the transport system is minimized.

Fault-tolerant global time provides a global time base, since any loss of that time base can crash a system and be catastrophic to an architecture such as Orion’s future manned missions.

Strong fault isolation determines the physical structure of a safety-critical processor system. If the accidental physical destruction of a component in a system is to be tolerated, then the computer system has to be distributed in space, and the destruction of one site must not cause the destruction of any other site(s) not directly impacted by the fault. Also, error propagation must not occur, so if a site produces an erroneous message, that message must not propagate to any correct nodes and corrupt them.

Consistent diagnosis ensures that all correct nodes agree at all times on which node is functional and which one has failed. This will aid in reconfiguration efforts and recovery.

Scalability is another must in TTE. No design decision can make it difficult to extend TTE to higher speeds like 10 Gbit/s, nor can any design decision restrict the number of controllers in the system.

These are just some of the precautions designed into TTE to ensure safety of lives and critical systems that protect lives.
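The two traffic categories and the error-containment requirement described above can be modelled in a few lines. This is an added example, not code from the article or the IEEE paper: it sketches a guardian check that forwards event-driven frames as ordinary Ethernet traffic and forwards a time-triggered frame only if it arrives from its scheduled sender inside its scheduled window. The schedule, cycle length, port names and the `tt` flag are assumptions made for illustration.

```python
from dataclasses import dataclass

CYCLE_US = 1000  # constructed cycle length in microseconds (assumption)

@dataclass(frozen=True)
class Slot:
    port: str        # only this ingress port may send the message
    offset_us: int   # start of the acceptance window within the cycle
    window_us: int   # width of the acceptance window

# Constructed schedule: message id -> slot (names and timings are hypothetical).
SCHEDULE = {
    0x10: Slot("flight_ctrl", 0, 20),
    0x11: Slot("nav", 200, 20),
}

def classify(frame, schedule=SCHEDULE, cycle_us=CYCLE_US):
    """Decide what a guardian does with one frame: forward or contain it."""
    if not frame["tt"]:
        return "forward_event"          # standard event-driven Ethernet traffic
    slot = schedule.get(frame["msg_id"])
    if slot is None or slot.port != frame["port"]:
        return "drop"                   # unscheduled message or wrong sender
    phase = frame["t_us"] % cycle_us
    if slot.offset_us <= phase < slot.offset_us + slot.window_us:
        return "forward_tt"             # on time: temporally guaranteed path
    return "drop"                       # mistimed frame is contained here

def run(frames):
    """Classify every frame; return decisions and ports with contained faults."""
    decisions = [classify(f) for f in frames]
    faulty = {f["port"] for f, d in zip(frames, decisions) if d == "drop"}
    return decisions, faulty

# Constructed sample traffic: "nav" sends one mistimed and one masquerading frame.
FRAMES = [
    {"t_us": 5,    "port": "flight_ctrl", "tt": True,  "msg_id": 0x10},
    {"t_us": 120,  "port": "nav",         "tt": False, "msg_id": None},
    {"t_us": 205,  "port": "nav",         "tt": True,  "msg_id": 0x11},
    {"t_us": 450,  "port": "nav",         "tt": True,  "msg_id": 0x11},
    {"t_us": 1003, "port": "nav",         "tt": True,  "msg_id": 0x10},
    {"t_us": 1210, "port": "nav",         "tt": True,  "msg_id": 0x11},
]

if __name__ == "__main__":
    for frame, decision in zip(FRAMES, run(FRAMES)[0]):
        print(frame["t_us"], frame["port"], decision)
```

The mistimed and wrong-sender frames from the constructed "nav" node are dropped before they reach any correct node, while its on-time and event-driven frames still pass.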

Standard and fault-tolerant configurations
100 Mbit/s Ethernet has a switched architecture, as shown in Figure 1. Every node consists of a host computer and Ethernet controller connected to a store-and-forward switch by a bi-directional point-to-point link.

Figure 1

Standard EE Ethernet (left) and safety-critical TT Ethernet (right) configurations. (Image courtesy of IEEE paper 'The time-triggered Ethernet [TTE] design')


TTE design is the result of more than 35 years of research efforts in the design of fault-tolerant, distributed, real-time systems. Many more improvements will be implemented to this system to ensure its ultimate safety for critical missions and systems such as Orion.

For more Orion details please see the EDN article, NASA Orion electronics: Celestial “hunter” seeking our origin.

This article is based upon an IEEE paper titled “The time-triggered Ethernet (TTE) design.”

8 comments on “Time-Triggered Ethernet (TTE) Design”

  1. eafpres
    September 9, 2014

    Hi Steve–very interesting material.  In industrial systems the tradeoff is mainly cost vs. reliability; especially redundancy.  In a long space mission, as the classic line goes “failure is not an option”.  The challenge is that every bit of redundancy is more weight, and that is a major cost driver in space flight.

  2. Steve Taranovich
    September 10, 2014

    @eafpres1—-Right—manned spaceflight safety has high costs associated with it due to all the redundancy. Weight reduction is a major focus—they even take very little water up there with them and recycle sweat and bodily fluids, etc.

  3. eafpres
    September 10, 2014

    Hi Steve–in a past life I worked for a company that made, among other things, Total Organic Carbon analyzers for water purity testing.  One of the systems was specially modified and flown on a Shuttle Mission to test the water that was reprocessed.

  4. eafpres
    September 10, 2014

    I would think the design principles behind TTE would be relevant to other applications.  In particular, as more “drive by wire” systems are deployed in cars, these designs need to have redundancy and safety built in.  

    I have a recent blog on EDN (also a UBM site) talking about drive by wire.  Perhaps some of the good folks here at Planet Analog could take a look and comment over there.

  5. Steve Taranovich
    September 10, 2014

    @eafpres1—that EDN blog you wrote is really worth reading by our readers. The biggest risk in cars is distracted human beings—-semi-autonomous vehicles will help these people who are texting or talking on the phone or spilling hot coffee or…….

  6. Vishal Prajapati
    September 13, 2014

    I never knew the ethernet is being used in the spacecraft. I thought they would be using specially customised protocols to communicate over the available bus which would be highly optimised. But nice to see the practical application of such a specialized protocol in safety critical systems. I would love to see such articles more and more.

  7. Steve Taranovich
    September 13, 2014

    @Vishal—Other applications are for vehicle backbone networks, critical audio/video delivery, reflective memory, modular controls and Integrated Modular Avionics (IMA) or distributed IMA.

  8. Vishal Prajapati
    September 15, 2014

    Oh that's great. I think most of the applications are for time critical systems, Avionics and military applications. I can hardly recognize one or two applications from the list. And I can also conclude that how critical would be to work with Avionics and Military applications. Thanks for insights.
