The Time-Triggered Ethernet (SAE AS6802) standard defines a fault-tolerant synchronization strategy for building and maintaining synchronized time in a distributed system of end systems and switches (we use the term end system for "data terminal equipment" (DTE) as specified in IEEE 802.3), which can be used to support communication among these components for traffic, which may have different levels of time criticality. In particular, the standard defines algorithms for clock synchronization, clique detection, startup, and restart. These algorithms have been designed to allow scalable faulttolerance and provide self-stabilization mechanisms.

Time-Triggered Ethernet supports the design of communication systems with mixed time criticality in which several applications of mixed time criticality share a single physical network. In particular, an Ethernet network can be used to transfer frames in a time-triggered mode (synchronous communication) and non-time-triggered modes (asynchronous communication as for example Ethernet frames transmitted according to the best-effort strategy). The Time-Triggered Ethernet synchronization strategy inherently compensates for latency and jitter resulting from this integration and ensures high-quality synchronization despite increased network latency and jitter. Synchronized time provides the foundation for partitioning and isolation of critical applications from the less critical or non-critical ones.

End systems exchange application data with each other by transmitting standard Ethernet frames. The points in time when end systems dispatch these frames can be coupled to the synchronized time. The transfer of these frames is then called time-triggered transfer, because the trigger for frame dispatch is derived from time. Time-Triggered Ethernet formally defines the relationship between the synchronized time and the time-triggered transfer.

Time-Triggered Ethernet covers only the network aspects for mixed time-criticality systems¹. Time-Triggered Ethernet does not address how to integrate mixed time-criticality applications within a single node. Hence, partitioning strategies for shared resources other than the network, e.g., memory partitioning, are not discussed in Time-Triggered Ethernet. Furthermore, the fault-tolerance strategies discussed in AS6802 also address only the networking aspects. Time- Triggered Ethernet does not specify or recommend any complete system architecture for highly reliable systems.

Purpose

SAE AS6802 Time-Triggered Ethernet standard is a Layer 2 Quality-of-Service (QoS) enhancement that defines timetriggered services for Ethernet networks. Time-Triggered Ethernet is designed for the development of highly dependable systems for applications in multiple industries, including integrated systems in aerospace, ground vehicles, and industrial process control. It provides the capability for deterministic, synchronous, and congestion-free (lossless) communication among distributed applications, unaffected by any asynchronous Ethernet traffic load. SAE AS6802 is compatible with higher OSI layers (3-7) and is transparent to applications designed to use asynchronous Ethernet.

EFFICIENT ACCESS CONTROL MANAGEMENT: Global time can provide a powerful fault isolation mechanism for devices with temporal faults because global time operates as a temporal firewall. In case of a failure, it is not possible for a faulty application to have access to the network at points in time other than those configured a priori and stored in locations not accessible to applications. Depending on the location of the failure, either an end system or a switch will block faulty transmission attempts. Failures of a switch can be masked by particular design choices, i.e., the so-called high-integrity designs, such as self-checking pairs. This fault masking transforms any failure of a Time-Triggered Ethernet switch into an inconsistent omission failure. This means that inconsistent omission failure is taken into account by the synchronization services described in this standard.

UNIFIED NETWORKING: The fraction of communication bandwidth assigned to time-triggered communication can be precisely located in the temporal domain. This temporal specification allows isolation of time-critical messages from messages that are not time-triggered. Bandwidth that is either not assigned to time-triggered communication or assigned but not used is free for communication that is not time-triggered. In this standard, two traffic classes, in addition to the time-triggered traffic class, are supported. These are named rate-constrained (compatible with the ARINC 664-p7 concept) and standard Ethernet (IEEE 802.3) traffic. However, a communication infrastructure that implements the timetriggered services specified in this standard document may use the non-time-triggered bandwidth for any protocol only as long as the impact of the non-time-triggered traffic on the time-triggered traffic is bounded to an application-specified degree.

EFFICIENT RESOURCE USE: The global time contributes to efficient resource use in several ways. For example, timetriggered communication allows for minimizing the memory buffers in network devices (e.g., switches) as the timetriggered communication schedule is free of conflicts. Therefore, the switches do not have to prepare for worst-case bursts of frames arriving from multiple ports to be delivered over the same destination physical link.

PRECISE DIAGNOSIS: A global time-stamping service, such as can be provided by AS6802, simplifies the process of reconstructing a chain of distributed events. At the same time, the synchronous capturing of sensor values makes it possible to build snapshots of the overall system status.

TEMPORAL COMPOSABILITY: Using global time allows the specification of device interfaces not only in the value domain, but also in the temporal domain. This means that during the design process of devices, there is a predefined access pattern to the communication network. Because of this, devices can be developed in parallel. Upon integration of the individual devices, prior service stability guarantees that the individual devices operate as a coordinated whole.

REAL-TIME CAPABILITY: Time-triggered communication is highly suited for periodic command and control tasks or synchronous data delivery with constant latency and minimum jitter (in microseconds or sub-microseconds)

SCALABLE NETWORK: Time-Triggered Ethernet QoS enhancements described in this document are appropriate for a wide range of applications with scalable fault-tolerance requirements and design of N-redundant Ethernet networks.

CIRCUIT SWITCHING EMULATION: Circuit-switching behavior with fixed latency and sub-microsecond jitter can be emulated in packet-switched Ethernet networks. Time-Triggered Ethernet switching devices send packets according to a schedule that relies on global time.

Application

AS6802 has been designed to cover a broad spectrum of fault-tolerance and dependability requirements, e.g., single and dual fault-tolerance. At the same time, the synchronization strategy can adjust in scale for compatibility with crossdiscipline applications (e.g., aerospace, automotive, medical, and industrial).

¹ a distributed system implementing AS6802 standard can use the same physical network for applications of mixed time criticality and unified Ethernet networking