Domestic Real-Time OS Powers Breakthrough in Industrial Ethernet Redundancy
In an era where industrial automation is converging rapidly with edge intelligence, the demand for deterministic, high-availability communication infrastructure has never been more acute. Conventional Ethernet—despite its ubiquity and bandwidth—lacks the hard real-time guarantees needed for safety-critical operations in sectors like rail transit, robotics, and process control. Into this high-stakes environment steps a newly validated solution: a dual-redundant POWERLINK master station built not on legacy commercial RTOS platforms, but on ReWorks, a homegrown real-time operating system developed in China, and deployed on the Loongson 2K1000 processor—an all-domestic hardware-software stack poised to redefine resilience and sovereignty in industrial networking.
Far from a theoretical exercise, this achievement represents a strategic pivot toward technological self-reliance. With geopolitical tensions amplifying supply-chain risks and cybersecurity concerns, industries globally are re-evaluating dependencies on foreign-controlled infrastructure. What makes this development particularly noteworthy is not just its technical rigor—sub-millisecond cycle times, seamless failover, robust debugging toolchains—but its integration maturity. The system has transitioned from lab prototype to field-deployable gateway controller, ready for integration into production-grade motion control and distributed I/O systems.
At the heart of this innovation lies a subtle but decisive architectural choice: instead of layering POWERLINK purely in software—or relying on costly ASICs—the team at Shanghai Huayuan Chuangxin Software Co., Ltd. implemented the time-critical data link layer in FPGA fabric, while anchoring the application and management layers in ReWorks. This hybrid approach yields the best of both worlds: hardware-grade timing precision for synchronization and traffic scheduling, paired with the flexibility, portability, and rich service ecosystem of a modern embedded RTOS.
ReWorks itself is no newcomer. Developed by the East China Computing Technology Research Institute, it has undergone rigorous third-party validation by national testing authorities and is already fielded in defense electronics and high-speed rail signaling. Its support for heterogeneous architectures—including LoongArch, ARM, and legacy PowerPC—makes it a rare example of a truly adaptable domestic RTOS, not confined to a single silicon ecosystem. But until now, its integration with open industrial Ethernet protocols like POWERLINK remained underexplored. This project changes that calculus.
POWERLINK, standardized under IEEE 1451 and IEC 61158, stands apart from other real-time Ethernet variants (like EtherCAT or PROFINET IRT) by operating purely in software above the MAC layer—no specialized switch silicon required. It achieves determinism through time-slot scheduling: each communication cycle is partitioned into synchronized phases—Isochronous, Asynchronous, and Idle—orchestrated by a single Management Node (MN). The MN emits a Start-of-Cycle (SoC) broadcast to align all Controlled Nodes (CNs), then polls each CN sequentially via Poll Request (PReq), collecting responses (Poll Response, PRes) in strict order. Non-urgent configuration or diagnostics occur in the Asynchronous window, triggered by Start-of-Asynchronous (SoA) frames.
This model delivers microsecond-level jitter and cycle times as low as 250 µs in ideal setups. Yet in safety-critical deployments—think signaling control in high-speed rail or coordinated multi-axis robotics—redundancy is non-negotiable. A single cable cut or PHY failure must not cascade into system shutdown. Here, the team’s dual-network implementation shines.
The redundancy mechanism is elegantly pragmatic. Two independent 100/1000BASE-T physical layers feed into a multi-path data selector—implemented in FPGA—that operates asymmetrically on transmit versus receive. During transmission, every frame is duplicated and sent concurrently over both A and B networks. During reception, the selector evaluates incoming frames from both paths using timestamp consistency, sequence numbering, and link health indicators. Only one valid stream is forwarded to the MAC and up to the protocol stack—ensuring seamless continuity even during link failover.
Crucially, this isn’t just link-layer redundancy; it’s protocol-aware. The selector doesn’t merely choose the “stronger” signal—it validates frame semantics within the POWERLINK cycle context. If one path suffers late or corrupted SoC frames, the selector can reject that stream entirely, preventing desynchronization. Failover latency, validated via real-time packet capture, clocks in under 1 millisecond—well within the safety margins for most SIL-2 and SIL-3 applications.
Complementing the hardware resilience is a purpose-built Industrial Runtime Environment, developed by Huayuan Chuangxin to bridge the gap between low-level determinism and high-level developer productivity. While ReWorks provides primitives like RMS-based timer services, CLB (Cooperative Load Balancing) bus, and dynamic module loading, the runtime adds domain-specific abstractions: remote variable mapping, cycle-synchronized task execution, on-the-fly variable forcing, and non-intrusive trace logging.
Consider the dual-buffered remote variable mapping mechanism. User applications declare I/O variables—say, motor position setpoints or valve states—linked to specific Process Data Objects (PDOs) in the CANopen object dictionary. Each application cycle, the runtime atomically swaps double-buffered memory regions: one buffer feeds outgoing PDOs to the network; the other receives incoming PDO updates from slaves. This eliminates race conditions without requiring costly mutual exclusion—critical for cycle times under 1 ms.
Even more compelling is the embedded runtime introspection capability. Unlike legacy PLC platforms where debugging often means halting the machine, this system allows engineers to monitor, log, and even override variables in real time—without interrupting the control loop. Using the AutoX IDE (Huayuan’s proprietary development environment), developers can attach to a running controller, set watchpoints on critical state variables, inject fault conditions via variable forcing, and capture temporal traces across cycles. All telemetry is streamed via a dedicated network log service, enabling remote diagnostics and predictive maintenance integration.
Underpinning all this is the CANopen application layer—the lingua franca of industrial motion control. POWERLINK doesn’t reinvent device modeling; it adopts the CANopen object dictionary, SDO (Service Data Object), and PDO (Process Data Object) frameworks, ensuring interoperability with thousands of existing servo drives, I/O modules, and encoders. The system’s object dictionary implementation is both modular and extensible: generic entries (communication profiles), manufacturer-specific extensions, and device-class objects (e.g., CiA 402 for drives) coexist in a unified hierarchy, resolved at boot via CDC (Configuration Description Container) files generated by engineering tools.
Validation wasn’t confined to benchtop simulations. The team deployed their ReWorks-powered gateway controller—a ruggedized unit sporting dual POWERLINK ports, EtherCAT master, CAN 2.0B, 8-channel isolated DI/DO, VGA output, and USB 2.0—into a dual-redundant motion control testbed. Nodes included MCUs, i.MX6-based intelligent I/Os, and commercial servo drives, all interconnected via redundant HUBs in a ring-star hybrid topology.
Using Wireshark and KUNBUS analyzers, they captured full lifecycle behavior:
- Initialization: The MN broadcast SoA to shift slaves into Pre-Operational 1; slaves responded with identity frames; SDOs then provisioned node-specific parameters (PDO mappings, sync window offsets); final transition to Operational state occurred within 1.8 seconds.
- Cyclic Operation: With eight CNs active, the system sustained a 600 µs communication cycle—verified by inter-SoC intervals—while maintaining sub-5 µs jitter on PReq-PRes roundtrips.
- Failover: Physically disconnecting one network path triggered seamless switchover: duplicate frames vanished instantly in the trace, yet cycle continuity persisted unbroken—no SoC loss, no PDO timeout, no application interruption.
That last result is perhaps the most telling. In industrial settings, perceived reliability matters as much as statistical MTBF. An operator shouldn’t see a flicker on the HMI during a cable fault. This system delivers exactly that: invisible resilience.
But why does this matter beyond a niche engineering milestone?
First, supply chain sovereignty. With Loongson CPUs and ReWorks OS, the entire stack—from silicon to system services—originates within national borders. For infrastructure like metro signaling or power grid control, that eliminates foreign backdoor risks and licensing embargoes.
Second, real-time integrity. Unlike containerized or hypervisor-based approaches (where shared-kernel vulnerabilities or VM exits introduce jitter), this design enforces temporal isolation at the process and interrupt level. ReWorks’ static priority preemptive scheduler guarantees that the POWERLINK cycle task preempts all lower-priority activities—including network stack processing—ensuring cycle deadlines are never missed.
Third, developer velocity. Historically,domestic industrial platforms suffered from poor tooling—command-line debuggers, opaque runtime states, no live variable inspection. AutoX changes that. Its integration with ReWorks’ shell terminal, dynamic loading, and variable management services creates a workflow comparable to CODESYS or TwinCAT—but without vendor lock-in.
Looking ahead, the team hints at deeper integration with edge analytics. The same gateway that synchronizes servos could, in parallel, run lightweight ML inference on vibration or thermal telemetry—feeding anomaly detection models without disrupting control cycles. ReWorks’ modular architecture supports such coexistence: deterministic tasks run in isolated partitions, while best-effort analytics consume leftover CPU cycles via bandwidth reservation.
There’s also untapped potential in time-sensitive networking (TSN) convergence. While POWERLINK predates TSN, its time-slot foundation is conceptually aligned with IEEE 802.1Qbv (time-aware shaper). Future iterations could leverage Loongson’s evolving MAC capabilities to implement hybrid POWERLINK-over-TSN, enabling mixed-criticality traffic (control + video + cloud telemetry) on a single wire.
Critically, this isn’t a “me-too” port. The engineering choices reflect deep understanding of where determinism lives: not in the OS alone, not in the protocol alone, but in their co-design. Offloading DLL state machines and timestamping to FPGA removes unpredictable software latencies. Anchoring CANopen in ReWorks’ deterministic memory and timer subsystems ensures application-layer deadlines. And building redundancy into the data path, not just the link, closes the loop on fault tolerance.
For international observers, this development dispels the outdated notion that “domestic” equals “compromise.” The cycle performance matches commercial EtherCAT masters; the redundancy exceeds basic link aggregation; the tooling rivals Western offerings. It signals a maturation—not just of components, but of system-level thinking.
As smart factories evolve toward cognitive automation, the nervous system must be both fast and trustworthy. This ReWorks-based POWERLINK master doesn’t just meet that bar—it redefines what’s possible when real-time rigor meets open, sovereign infrastructure. The era of imported industrial control hegemony may be entering its twilight. What rises in its place is not imitation, but innovation—rooted, resilient, and ready for the next decade of automation.
Huang He, Du Jian, Ren Jian, Qian Chen, Fang Guohao
Shanghai Huayuan Chuangxin Software Co., Ltd., Shanghai 200062, China
Journal of Computer Applications, 2021, 41(8): 2301–2309
DOI: 10.11772/j.issn.1001-9081.2021020328