POWERLINK / SERCOS III → TSN: Bridging & Dual-Stack Migration

Q: Legacy looks stable, but TSN cutover jitters — time alignment or queue mapping?

Likely cause: time-domain correction is incomplete (tap points or queue delay not accounted), OR cyclic traffic lost deterministic priority after mapping. Quick check: compare pre/post-cutover offset/jitter trend + step events; check per-class queue watermarks and cyclic deadline-miss counters under the same load. Fix: lock correction points (ingress/egress tap + queue delay accounting) and re-apply cyclic class protection (priority + policing for bursts) before enabling full cutover. Pass criteria: offset ≤ X ns; jitter(p99) ≤ X ns; cyclic latency(p99) ≤ X µs; deadline miss = 0 over Y minutes.

Q: Dual-stack shows the “same version”, but interoperability fails — capability exchange or config drift?

Likely cause: same software tag but different capability bits or runtime configuration (feature flags, queue policy, time role) causing incompatible behavior. Quick check: compare build-id + config-hash + capability bitmap between nodes; verify the negotiated roles (master/follower) are consistent across cutover boundary. Fix: enforce “version truth” (hash-based gating) and deploy a golden config artifact; block cutover unless capability+config are identical for the required profile. Pass criteria: 100% nodes report matching config-hash/capability-hash; interoperability error rate ≤ X per Y hours; rollback success ≤ X minutes.

Q: Acyclic diagnostics bursts cause cyclic deadline misses — missing policing/shaping guard?

Likely cause: acyclic traffic shares a queue/priority path with cyclic, or burst policing is absent so diagnostics steals deterministic headroom. Quick check: correlate deadline-miss timestamps with acyclic burst counters; inspect queue watermark spikes and drop-reason distribution by class. Fix: separate classes (cyclic vs acyclic) into distinct queues; enable burst policing/storm-guard for acyclic; reserve deterministic lane headroom. Pass criteria: cyclic deadline miss = 0; acyclic policing triggers for bursts > X; cyclic latency(p99) ≤ X µs under stress profile Y.

Q: Bridge works in the lab, but fails in the plant — asymmetry, topology calibration, or event storms?

Likely cause: real deployment adds path asymmetry or uncalibrated topology; field events (link flaps, management storms) starve deterministic processing. Quick check: compare plant vs lab: offset step frequency, queue delay distribution, and event/log rate; validate boundary path assumptions (active path count, link state changes/hour). Fix: apply topology calibration for the active boundary; rate-limit management/diagnostics; isolate deterministic lane from log/telemetry spikes. Pass criteria: event storm rate ≤ X/min; offset steps > X ns = 0; cyclic latency(p99) ≤ X µs in plant for Y hours.

Q: Failover after a link break is slower than expected — redundancy path or cutover state machine?

Likely cause: the intended redundant path is not “hot” during coexistence, or cutover logic waits on stale health/role conditions before switching. Quick check: inject a single link cut and measure: detection time, decision time, and forwarding re-enable time; verify both paths are active/eligible at the boundary. Fix: keep both paths pre-qualified (health + roles + counters) and simplify the cutover gate conditions; enforce deterministic failover rules with evidence logging. Pass criteria: RTO ≤ X ms; loss ≤ X packets; oscillation events = 0 across N fault injections.

Q: Timestamp health looks OK, but motion still drifts — tap point or latency accounting mismatch?

Likely cause: health metrics observe the wrong tap, or latency components (queueing, buffering, forwarding) are not included consistently end-to-end. Quick check: compare “reported health” vs “measured phase”: run controlled load steps and see if drift correlates with queue delay, FIFO watermarks, or role transitions. Fix: align the measurement tap points (ingress/egress) and standardize latency accounting; bind motion triggering to the verified time domain. Pass criteria: drift slope ≤ X ns/min; offset(p99) ≤ X ns; no load-correlated phase shift > X ns.

Q: Cutover succeeds, but rollback does not restore stability — partial state left behind?

Likely cause: rollback reverts the “mode” but not the dependent state (queue policy, policing limits, time role, cached calibration). Quick check: diff pre-cutover vs post-rollback config-hash; compare per-class queue policies and time-role flags; check whether calibration values remain changed. Fix: implement atomic rollback (mode + config + calibration) and require a post-rollback bring-up gate (time align + traffic map sanity) before resuming operation. Pass criteria: rollback completes ≤ X minutes; config-hash matches baseline; cyclic deadline miss = 0 over Y minutes after rollback.

Q: Cyclic looks fine at low load, but breaks at peak — queue watermark or head-of-line blocking?

Likely cause: at peak load, shared resources (FIFO/DMA/CPU) introduce head-of-line blocking, pushing cyclic traffic beyond its jitter budget. Quick check: capture p95/p99 queue delay and max watermarks under peak; verify deterministic queue is not served behind non-deterministic bursts. Fix: isolate deterministic queue servicing, reserve bandwidth/headroom, and set hard watermarks + alerts to prevent silent saturation. Pass criteria: queue delay(p99) ≤ X µs; deterministic queue max watermark ≤ X% for Y minutes at peak load; deadline miss = 0.

Q: gPTP offset is stable, but end-to-end phase shifts with temperature — unmodeled delay budget?

Likely cause: time-domain offset is stable, but path delay components drift (buffering, scheduling, or boundary calibration) beyond the application’s phase tolerance. Quick check: trend phase error vs temperature/power events; compare queue delay and forwarding latency statistics across temperature steps. Fix: add explicit drift budget to acceptance criteria and re-calibrate boundary timing under representative thermal/load conditions; alarm on slope violations. Pass criteria: phase drift slope ≤ X ns/°C; phase(p99) ≤ X ns across temp range; no temperature-correlated steps > X ns.

Q: Counters show “low utilization”, but the plant feels stuck — window/denominator mismatch?

Likely cause: metrics are computed with an inconsistent time window or denominator, hiding burstiness and short blocking events that break determinism. Quick check: re-sample with a shorter fixed window (X ms / X s) and segment by traffic class; compare p99 latency and peak queue watermark rather than averages. Fix: standardize metric definitions (window, denominator, class split) and trigger alarms on peak/burst indicators, not only average utilization. Pass criteria: metric windows consistent across nodes; burst indicator (peak watermark) ≤ X; p99 cyclic latency ≤ X µs during Y hours operation.

← Back to: Industrial Ethernet & TSN

This page is a migration playbook for moving POWERLINK / SERCOS III to a TSN backbone without losing determinism.

It explains how to bridge or dual-stack safely, align time domains, map cyclic/acyclic traffic into guarded TSN streams, and validate cutover with measurable pass/fail criteria.

H2-1 · Scope & Stop-Lines (What this page covers / excludes)

This page focuses on migration methodology and rollout paths—how to move POWERLINK or SERCOS III systems toward TSN using bridging and dual-stack strategies—without losing determinism, sync, diagnostics, or uptime.

Page contract (fast boundary check)

Covers

Bridging gateway and dual-stack architectures
Coexistence rules (cyclic vs acyclic, burst isolation)
Cutover playbooks: shadow mode → partial cutover → rollback
Validation plan: determinism, sync, recovery, diagnostics (thresholds as X placeholders)
Operational hooks: counters, black-box logging, field triage, safe upgrades

Excludes (with routing)

TSN parameter deep-dive (Qbv/Qci/Qav/GCL/time-slot tables): only capability flags and migration risk points live here. Go to TSN Switch / Bridge
PTP servo / timing algorithm deep-dive (servo loops, filter tuning): only time-domain alignment accounting lives here. Go to Timing & Sync
PHY / EMC / TVS / CMC layout deep-dive: only interface constraints that impact migration are referenced here. Go to Protection / PHY Co-Design

Quick routing triggers (keyword stop-lines)

If a question contains Qbv/Qci/Qav/GCL/time-slot/admission → TSN Switch/Bridge. If it contains servo/filter/holdover tuning → Timing & Sync. If it contains TVS/CMC/IEC61000/layout SI → Protection/PHY Co-Design.

Success criteria (placeholder thresholds)

Determinism: cycle jitter (pk-pk) ≤ X, deadline misses = 0 within Y minutes
Sync: time offset ≤ X, drift ≤ X over Y minutes
Recovery: failover / reconvergence ≤ X
Diagnostics: required counters & root-cause coverage ≥ X%

Project type (pick the closest)

New design (greenfield)

Recommended: Hybrid → start TSN backbone early, keep legacy islands behind a controlled bridge. First checkpoint: time-domain accounting and traffic class mapping.

Brownfield retrofit (existing plant)

Recommended: Bridge-first → minimize device changes and downtime. First checkpoint: burst isolation (acyclic diagnostics must not steal cyclic margin).

Mixed network (coexistence & phased cutover)

Recommended: Bridge + Dual-stack → measure in shadow mode, then cut over by cell/line. First checkpoint: version/config drift controls and rollback gates.

Diagram · Page Boundary Map

Boundary map: legacy islands migrate via bridging and/or dual-stack into a TSN backbone. Deep-dive topics route to dedicated pages.

H2-2 · Why Migrate: What TSN adds (and what must NOT change)

Migration should be justified by engineering outcomes, not buzzwords. TSN enables convergence and predictable behavior, but a migration is only successful if legacy guarantees remain intact: cycle jitter, sync accuracy, recovery time, and diagnostic coverage.

Determinism & Latency

What TSN adds

Traffic isolation by class (cyclic traffic protected from bursty flows)
Predictable forwarding behavior across a converged Ethernet backbone
Scalable segmentation (VLAN/QoS) without rebuilding application logic

Must NOT degrade

Cycle deadline: misses = 0 within Y minutes
Cycle jitter (pk-pk) ≤ X (same or better than legacy)
P99 end-to-end latency ≤ X under mixed load

Failure signature: acyclic bursts correlate with cyclic delay spikes or deadline misses. First check: class mapping and guard/policing at the coexistence boundary.

Time & Synchronization

What TSN adds

A unified time domain that scales across cells and lines
Cleaner coordination between control, motion, and diagnostics timelines
Time-aware behavior remains consistent when topology grows

Must NOT degrade

Offset ≤ X, drift ≤ X over Y minutes
Time alignment is consistent across load and temperature (no step shifts)
Timestamp accounting is stable (tap point and queue delay model match reality)

Failure signature: motion looks “locked” but coordination drifts over time. First check: time-domain alignment and asymmetry accounting across the migration boundary.

Operations, Diagnostics & Convergence

What TSN adds

Unified monitoring and field forensics across a single backbone
Consistent discovery and segmentation for gradual expansion
Clear separation between deterministic data and service/maintenance traffic

Must NOT degrade

Diagnostic availability: required root-cause signals ≥ X%
Recovery time after link/event ≤ X (no surprise reconvergence)
Cutover safety: rollback remains possible within the defined window

Failure signature: lab tests pass, field behavior becomes “fragile”. First check: event storms, counter coverage, and configuration drift between segments.

Diagram · Before/After Network Evolution Timeline

Use the coexistence phase to validate accounting and isolation. Success is measured by jitter, sync offset, recovery time, and diagnostic coverage.

H2-3 · Legacy Determinism Model: POWERLINK vs SERCOS III essentials you must preserve

Migration succeeds only when the legacy determinism contract remains intact. This section extracts the minimum set of invariants that must hold during coexistence, cutover, and TSN-native phases—without expanding into protocol encyclopedias.

Determinism contract (shared abstraction)

POWERLINK essentials (kept at contract level)

Cyclic vs acyclic channels: hard real-time updates must be isolated from service bursts
Slot/phase model: the cycle is partitioned into bounded windows
Master scheduling skeleton: a single authority defines cycle cadence and update timing

SERCOS III essentials (kept at contract level)

Cyclic communication backbone: fixed cadence and bounded per-cycle behavior
Sync & phase alignment: consistent actuation/measurement timing across nodes
Device timing constraints: update points must not drift under load or topology growth

Non-negotiable contracts (use as acceptance gates)

Contract A · Cycle contract

Definition: the cycle cadence and the per-cycle update points remain bounded and repeatable.
Why: motion and closed-loop stability depend on predictable update timing.
Fail symptom: deadline misses, step-like jitter increases, or stability changes only under mixed load.
Pass criteria: deadline misses = 0 within Y minutes; jitter (pk-pk) ≤ X.

Contract B · Bandwidth contract

Definition: cyclic traffic retains a guaranteed share; acyclic traffic is bounded and cannot steal margin.
Why: coexistence phases fail when diagnostics bursts interfere with cyclic windows.
Fail symptom: cyclic latency spikes correlate with parameter download or service storms.
Pass criteria: cyclic margin ≥ X; jitter remains within X under burst tests.

Contract C · Time & sync contract

Definition: a stable time domain exists; timestamp tap points and delay accounting match reality.
Why: phase-aligned actuation requires consistent offset and drift bounds.
Fail symptom: drift increases with load/temperature; step offsets appear after topology changes.
Pass criteria: offset ≤ X; drift ≤ X over Y minutes; step shifts = 0.

Contract D · Diagnostics contract

Definition: required counters, event logs, and root-cause signals remain accessible end-to-end.
Why: field failures become unfixable when evidence disappears after migration.
Fail symptom: “more fragile” behavior with no counter/log correlation.
Pass criteria: required signal coverage ≥ X%; first-level cause found within Z minutes.

Contract E · Recovery contract

Definition: failure handling returns the system to a controlled state within a bounded time.
Why: migration adds boundaries; uncontrolled reconvergence breaks production lines.
Fail symptom: link flaps, long partial outages, or repeated recovery storms.
Pass criteria: recovery ≤ X; flap rate ≤ X per hour under injected faults.

Diagram · Cyclic vs Acyclic Contract Diagram

Contracts define what must remain invariant: cyclic update timing, bandwidth isolation, time-domain accounting, diagnostic evidence, and bounded recovery.

H2-4 · Migration Strategy Selector: Bridge vs Dual-Stack vs Hybrid

A strategy is correct only if it fits constraints on device modifiability, downtime, time/sync accuracy, certification pressure, and operations maturity. The selector below combines a 5-question decision tree with a score matrix to make trade-offs explicit.

Bridge-first (gateway-based)

Best when: devices are hard to change; downtime window is small; certification impact must be minimized.
Primary risk: coexistence bursts and accounting mismatch create jitter or drift at the boundary.
First checkpoint: traffic class isolation and time-domain accounting stability.

Dual-stack (device/controller-based)

Best when: new designs or controlled revisions allow software/firmware changes; long-term maintenance cost matters.
Primary risk: version/config drift and inconsistent accounting between stacks.
First checkpoint: shadow mode equivalence and rollback gates.

Hybrid (bridge backbone → dual-stack by cell → TSN-native)

Best when: convergence is needed early but device updates take time; risk must be reduced by stages.
Primary risk: governance complexity (more phases, more boundaries).
First checkpoint: stage gates that map back to Contract A–E acceptance criteria.

Decision tree (5 questions → 1 default strategy)

Devices modifiable? (firmware/stack update feasible at scale)
Downtime window available? (cell-by-cell cutover possible)
Time/sync accuracy tight? (phase alignment sensitive to drift/step offsets)
Certification pressure high? (minimize changes to certified paths)
Operations maturity strong? (version governance, logging, rollback rehearsed)

Rule of thumb (default picks)

If devices are not modifiable or certification pressure is high → Bridge-first. If devices are modifiable and rollback is mature → Dual-stack. If convergence is needed early but device updates are staged → Hybrid.

Score matrix (dimension cards, 0–5 placeholders)

Site scale