面向工业 IoT 的弹性 TSN：配置与容错评估

Ensuring deterministic, low-latency, and fault-tolerant communication is vital for industrial automation and control systems. The convergence of Information Technology (IT) and Operational Technology (OT), coupled with the rise of cyber-physical systems, imposes stringent performance and reliability requirements on network infrastructures. While traditional Ethernet remains widespread, it lacks the timing guarantees, traffic isolation, and failure resilience required by real-time industrial applications.

Time-Sensitive Networking (TSN), a suite of IEEE 802.1 standards, augments Ethernet with features such as precise time synchronization, Generalized Precision Time Protocol (gPTP), time aware shaping (TAS), per-stream filtering and policing, VLAN-based prioritization, and Frame Replication and Elimination for Redundancy (FRER). These capabilities collectively enable deterministic behavior, low jitter, and high availability, making TSN a key enabler for industrial Internet of Things (IIoT) and smart manufacturing networks. However, assessing TSN’s effectiveness under real-world failure conditions remains an open research challenge.

This paper presents a modular OMNeT++/INET-based simulation framework that models a realistic, multi-cell industrial network equipped with TSN features. Our simulation framework includes configurable traffic patterns, Virtual Local Area Network (VLAN)-based stream prioritization, gPTP-based synchronization, per-stream filtering, and stream redundancy using FRER. Crucially, the framework integrates XML-based failure scenarios to simulate both link and cell-level disruptions and evaluates TSN’s recovery behavior with and without redundancy. The key contributions of this work are: • Realistic Industrial TSN Modeling: A full-scale industrial network with two production cells [ 1 ] is implemented in OMNeT++, integrating TSN mechanisms such as time synchronization, stream filtering, traffic shaping, and redundancy. • Scenario-Based Fault Injection: Link and node failures are modeled using timed XML scripts, enabling the evaluation of FRER and failover mechanisms under controlled disruptions. • Resilience Evaluation: The framework provides detailed performance insights—including latency, jitter, and recovery time—under both baseline and redundancy-enhanced TSN configurations.

Realistic Industrial TSN Modeling: A full-scale industrial network with two production cells [ 1 ] is implemented in OMNeT++, integrating TSN mechanisms such as time synchronization, stream filtering, traffic shaping, and redundancy.

Scenario-Based Fault Injection: Link and node failures are modeled using timed XML scripts, enabling the evaluation of FRER and failover mechanisms under controlled disruptions.

Resilience Evaluation: The framework provides detailed performance insights—including latency, jitter, and recovery time—under both baseline and redundancy-enhanced TSN configurations.

The remainder of this paper is structured as follows: Section II reviews related work on TSN for industrial systems. Section III outlines the system architecture. Section IV details the simulation setup, including topology, traffic modeling, and fault injection. Section V presents results across the four scenarios. Section VI concludes and outlines future directions.

TSN has emerged as a key enabler of deterministic Ethernet communication for industrial automation, automotive, and other latency-sensitive domains. Defined by the IEEE 802.1 working group, TSN incorporates core features such as time synchronization (IEEE 802.1AS), time-aware scheduling (IEEE 802.1Qbv), per-stream filtering and policing (IEEE 802.1Qci), and Frame Replication and Elimination for Redundancy (FRER, IEEE 802.1CB) to ensure low-latency, bounded jitter, and high availability of critical traffic flows [ 2 ]. These mechanisms allow Ethernet to meet the stringent requirements of Industrial Internet of Things (IIoT) applications, replacing traditional fieldbus and proprietary real-time solutions [ 3 ].

Extensive research has confirmed the benefits of TSN in reducing jitter and improving deterministic behavior in mixed-criticality environments [ 4 ]. Simulation-based studies—particularly those using OMNeT++ and the INET framework—have validated the effectiveness of TSN for traffic prioritization, scheduling, and reliability in industrial scenarios [ 5 ]. Fault tolerance, a cornerstone of industrial communication, is typically achieved in TSN using redundant streams and fast fail-over techniques such as FRER [ 6 ]. These features are especially relevant in factory networks where uptime and predictable performance are critical.

While TSN has gained traction in automotive networking [ 7 ], its deployment in industrial automation—particularly under realistic fault conditions—remains an open research challenge. Recent work has examined TSN’s integration with legacy protocols such as PROFINET and EtherCAT [ 8 ], and proposed new scheduling strategies for optimizing latency and bandwidth usage [ 9 ]. Beyond scheduling, several studies have focused on fault-tolerance and redundancy in TSN and wireless TSN systems. Sudhakaran et al. [ 10 ] introduced a dynamic scheduling approach enabling zero-delay roaming for mobile robots using wireless TSN redundancy, showing that FRER can uphold real-time guarantees under mobility. Jover et al. [ 11 ] analyzed the trade-off between reliability and redundancy cost in TSN networks through simulation-based configuration insights. On the wireless side, Cena et al. [ 12 ] proposed seamless redundancy techniques for high-reliability Wi-Fi, leveraging Wi-Fi 7 Multi-Link Operation (MLO) to implement FRER-like duplication and de-duplication. Those complement our study by tackling advanced fault-handling approaches. However, most existing efforts focus on static performance or isolated failure events, overlooking complex failure injection scenarios with synchronized industrial traffic. Our work addresses this gap by introducing a scenario-driven simulation framework (IN2C) that models industrial production cells, real-time traffic, and coordinated failure events. It evaluates four distinct failure configurations, each with and without FRER, to quantify TSN’s fault-recovery capabilities in terms of latency, jitter, and recovery time. The novelty of this work lies in: • Comprehensive fault injection across layered industrial traffic flows, using XML-triggered scenarios and real-world-inspired production logic; • Comparative evaluation of TSN with and without redundancy, enabling quantitative insights into the impact of FRER and per-flow protection under failure; • Multi-role traffic modeling (sensor-actuator-PLC-SCADA-Edge unit-HMI), reflecting realistic IIoT interactions rarely combined at this level of detail in existing TSN studies.

Comprehensive fault injection across layered industrial traffic flows, using XML-triggered scenarios and real-world-inspired production logic;

Comparative evaluation of TSN with and without redundancy, enabling quantitative insights into the impact of FRER and per-flow protection under failure;

Multi-role traffic modeling (sensor-actuator-PLC-SCADA-Edge unit-HMI), reflecting realistic IIoT interactions rarely combined at this level of detail in existing TSN studies.

These contributions provide a deeper understanding of TSN’s resilience in industrial environments and offer a reusable simulation testbed for future TSN extensions and industrial scheduling strategies.

The industrial TSN network designed in this work models a realistic smart factory with two production cells and centralized infrastructure, incorporating sensing, actuation, control, inspection, SCADA, HMI, and edge computing units over wired TSN links. The section outlines the network architecture, traffic models, node configurations, fault injection methods, and performance metrics used to evaluate system behavior under both normal and failure conditions.

The industrial network follows a modular, hierarchical architecture designed to emulate realistic industrial automation environments. It comprises two independent production cells, each capable of autonomous operation, and a centralized infrastructure responsible for supervision, monitoring, and edge processing. The network topology includes cell-level TSN switches, central aggregation switches, and interconnecting links configured for redundancy and time synchronization.

Each production cell integrates five key functional units: a sensing unit, actuating unit, robotic arm, inspection system, and a control unit (PLC). These units, detailed in Table I, are dual-homed through two TSN-capable switches (SwitchA_X and SwitchB_X, where X denotes the cell index), forming a fault-tolerant local sub-network. This dual-switch design allows for redundant forwarding paths toward central infrastructure via centralSwitch_1, centralSwitch_2, and centralSwitch_3. The backbone consists of 1-Gbps Ethernet links interconnecting switches at the core and aggregation layers. These include: • c ⁢ e ⁢ n ⁢ t ⁢ r ⁢ a ⁢ l ⁢ S ⁢ w ⁢ i ⁢ t ⁢ c ⁢ h ⁢ _ ⁢ 1 𝑐 𝑒 𝑛 𝑡 𝑟 𝑎 𝑙 𝑆 𝑤 𝑖 𝑡 𝑐 ℎ _ 1 centralSwitch\_1 italic_c italic_e italic_n italic_t italic_r italic_a italic_l italic_S italic_w italic_i italic_t italic_c italic_h _ 1: Core switch connecting both cells. • c ⁢ e ⁢ n ⁢ t ⁢ r ⁢ a ⁢ l ⁢ S ⁢ w ⁢ i ⁢ t ⁢ c ⁢ h ⁢ _ ⁢ 2 𝑐 𝑒 𝑛 𝑡 𝑟 𝑎 𝑙 𝑆 𝑤 𝑖 𝑡 𝑐 ℎ _ 2 centralSwitch\_2 italic_c italic_e italic_n italic_t italic_r italic_a italic_l italic_S italic_w italic_i italic_t italic_c italic_h _ 2 and c ⁢ e ⁢ n ⁢ t ⁢ r ⁢ a ⁢ l ⁢ S ⁢ w ⁢ i ⁢ t ⁢ c ⁢ h ⁢ _ ⁢ 3 𝑐 𝑒 𝑛 𝑡 𝑟 𝑎 𝑙 𝑆 𝑤 𝑖 𝑡 𝑐 ℎ _ 3 centralSwitch\_3 italic_c italic_e italic_n italic_t italic_r italic_a italic_l italic_S italic_w italic_i italic_t italic_c italic_h _ 3: Interconnect with SCADA, HMI, Edge unit, and quality-control switches (q ⁢ c ⁢ S ⁢ w ⁢ i ⁢ t ⁢ c ⁢ h ⁢ _ ⁢ 1 𝑞 𝑐 𝑆 𝑤 𝑖 𝑡 𝑐 ℎ _ 1 qcSwitch\_1 italic_q italic_c italic_S italic_w italic_i italic_t italic_c italic_h _ 1, q ⁢ c ⁢ S ⁢ w ⁢ i ⁢ t ⁢ c ⁢ h ⁢ _ ⁢ 2 𝑞 𝑐 𝑆 𝑤 𝑖 𝑡 𝑐 ℎ _ 2 qcSwitch\_2 italic_q italic_c italic_S italic_w italic_i italic_t italic_c italic_h _ 2).

c ⁢ e ⁢ n ⁢ t ⁢ r ⁢ a ⁢ l ⁢ S ⁢ w ⁢ i ⁢ t ⁢ c ⁢ h ⁢ _ ⁢ 1 𝑐 𝑒 𝑛 𝑡 𝑟 𝑎 𝑙 𝑆 𝑤 𝑖 𝑡 𝑐 ℎ _ 1 centralSwitch\_1 italic_c italic_e italic_n italic_t italic_r italic_a italic_l italic_S italic_w italic_i italic_t italic_c italic_h _ 1: Core switch connecting both cells.

c ⁢ e ⁢ n ⁢ t ⁢ r ⁢ a ⁢ l ⁢ S ⁢ w ⁢ i ⁢ t ⁢ c ⁢ h ⁢ _ ⁢ 2 𝑐 𝑒 𝑛 𝑡 𝑟 𝑎 𝑙 𝑆 𝑤 𝑖 𝑡 𝑐 ℎ _ 2 centralSwitch\_2 italic_c italic_e italic_n italic_t italic_r italic_a italic_l italic_S italic_w italic_i italic_t italic_c italic_h _ 2 and c ⁢ e ⁢ n ⁢ t ⁢ r ⁢ a ⁢ l ⁢ S ⁢ w ⁢ i ⁢ t ⁢ c ⁢ h ⁢ _ ⁢ 3 𝑐 𝑒 𝑛 𝑡 𝑟 𝑎 𝑙 𝑆 𝑤 𝑖 𝑡 𝑐 ℎ _ 3 centralSwitch\_3 italic_c italic_e italic_n italic_t italic_r italic_a italic_l italic_S italic_w italic_i italic_t italic_c italic_h _ 3: Interconnect with SCADA, HMI, Edge unit, and quality-control switches (q ⁢ c ⁢ S ⁢ w ⁢ i ⁢ t ⁢ c ⁢ h ⁢ _ ⁢ 1 𝑞 𝑐 𝑆 𝑤 𝑖 𝑡 𝑐 ℎ _ 1 qcSwitch\_1 italic_q italic_c italic_S italic_w italic_i italic_t italic_c italic_h _ 1, q ⁢ c ⁢ S ⁢ w ⁢ i ⁢ t ⁢ c ⁢ h ⁢ _ ⁢ 2 𝑞 𝑐 𝑆 𝑤 𝑖 𝑡 𝑐 ℎ _ 2 qcSwitch\_2 italic_q italic_c italic_S italic_w italic_i italic_t italic_c italic_h _ 2).

End devices (e.g., PLCs, sensors, actuators) are connected via 100-Mbps links, representing edge connections commonly found in factory deployments. Figure 1 illustrates this architecture. All switches and hosts are configured with TSN capabilities under the TSNBase configuration. Table II summarizes the TSN features implemented in the network, as configured in the INET-based.ini file.

This architectural design provides a robust and flexible testbed for evaluating TSN performance in a realistic industrial setting, enabling detailed investigation of latency, jitter, and recovery under fault conditions.

The industrial network models a diverse set of traffic streams that reflect the communication requirements of industrial automation systems. These streams are classified by source-destination roles, communication patterns (periodic vs. event-driven), packet size, and criticality level. TSN mechanisms—including stream identification and Priority Code Point (PCP)-based prioritization—are configured to ensure that high-priority traffic receives deterministic service, even under network stress or failure. Table III summarizes key traffic types modeled in the simulation, along with their associated PCP values and timing constraints.

All streams are tagged and encoded using PCP values, as defined by per-stream mapping in the configuration. TSN switches perform ingress classification, policing, and shaping per stream to enforce bandwidth and burst control.

To evaluate the fault resilience of the TSN network, two types of failure scenarios are introduced: • S1A1/S1A2 simulate a mid-cell link failure (SwitchA_1 - SwitchB_1), • S2A1/S2A2 simulate cell disconnection (centralSwitch_2 - Edge unit and SCADA).

S1A1/S1A2 simulate a mid-cell link failure (SwitchA_1 - SwitchB_1),

S2A1/S2A2 simulate cell disconnection (centralSwitch_2 - Edge unit and SCADA).

Table IV summarizes these fault scenarios and their recovery logic. The following metrics are used to evaluate network behavior during fault events: • End-to-End Latency: Transmission delay from source to destination. • Jitter: Variability in packet delay over time. • Packet Loss: Number of packets dropped during normal and faulted operation. • Recovery Time: Time required to reestablish stream delivery after a failure.

End-to-End Latency: Transmission delay from source to destination.

Jitter: Variability in packet delay over time.

Packet Loss: Number of packets dropped during normal and faulted operation.

Recovery Time: Time required to reestablish stream delivery after a failure.

The IN2C simulation framework is implemented in OMNeT++ using the INET framework, extended with TSN-specific modules to emulate industrial communication behavior. The simulation models two synchronized production cells and centralized infrastructure, capturing interactions across sensors, PLCs, robot arms, inspection units, SCADA, Edge unit, and HMI systems. INET’s TSN extensions—including time-aware switches, gPTP clocks, per-stream filtering, and traffic shaping—enable deterministic and fault-tolerant communication modeling.

All nodes are built from INET’s TsnDevice and StandardHost templates, depending on their role. Each functional unit (e.g., Sensing_1, Control_1, Inspection_2) includes: • A local clock module with oscillator drift, • User Datagram Protocol(UDP) traffic generators and sinks, • Stream coders with PCP-tag mapping, • Bridging and scheduling logic for TSN operation.

A local clock module with oscillator drift,

User Datagram Protocol(UDP) traffic generators and sinks,

Stream coders with PCP-tag mapping,

Bridging and scheduling logic for TSN operation.

Cell switches (SwitchA_X, SwitchB_X) and aggregation switches (centralSwitch_X, qcSwitch_X) use the TsnSwitch type, with FRER, stream filtering, and shaping enabled as configured.

The master clock (masterClock) operates as a global time reference, distributing synchronization via gPTP across the topology. Each node aligns its local clock to this source, ensuring coherent transmission timing for time-sensitive streams.

The workflow follows an event-driven model: • Initialization: Node clocks are configured, traffic applications instantiated, stream encoders applied, and synchronization established. • Traffic Generation: Application modules produce cyclic or event-driven UDP streams with preconfigured packet size, interval, and destination. • Scheduling: Time-aware and credit-based shaping modules manage queueing and dispatch under bounded latency constraints. • Failure Handling: XML-based ScenarioManager scripts trigger link/node failures (e.g., linkfailure.xml or cellfailure.xml). • Redundancy/Recovery: If redundancy is enabled, FRER-based failover automatically engages. Otherwise, communication may stall. • Metrics Collection: Throughout the simulation, OMNeT++ records delay, jitter, packet drops, and fault recovery durations.

Initialization: Node clocks are configured, traffic applications instantiated, stream encoders applied, and synchronization established.

Traffic Generation: Application modules produce cyclic or event-driven UDP streams with preconfigured packet size, interval, and destination.

Scheduling: Time-aware and credit-based shaping modules manage queueing and dispatch under bounded latency constraints.

Failure Handling: XML-based ScenarioManager scripts trigger link/node failures (e.g., linkfailure.xml or cellfailure.xml).

Redundancy/Recovery: If redundancy is enabled, FRER-based failover automatically engages. Otherwise, communication may stall.

Metrics Collection: Throughout the simulation, OMNeT++ records delay, jitter, packet drops, and fault recovery durations.

Synchronization is driven by IEEE 802.1AS. Each switch forwards sync messages downstream to maintain precise offset and frequency alignment. TSN traffic scheduling uses always-open TAS gates and per-stream credit-based shaping. This configuration is intentionally chosen to isolate the impact of shaping and redundancy mechanisms by avoiding the additional complexity introduced by time-aware gate scheduling.

Streams are filtered and metered based on source and PCP. Faults are introduced at simulation time using scheduled disconnect/connect events. Redundant configurations trigger alternate paths using FRER trees and packet duplication. This modular, event-driven structure enables controlled experimentation with traffic shaping, synchronization, stream redundancy, and recovery behavior under realistic factory network conditions.

This section analyzes the performance of the IN2C TSN network under fault conditions affecting link and cell connectivity. Four scenarios are evaluated to examine the impact of redundancy on latency, jitter, packet loss, and recovery time. Results reflect how TSN mechanisms perform when subject to realistic disruptions in smart manufacturing environments.

The evaluation is based on the IN2C simulation framework [ 13 ], developed in OMNeT++ using the INET-TSN extension. The network, Figure 2, consists of two TSN-enabled production cells connected to centralized infrastructure (SCADA, Edge unit, HMI) through a 1-Gbps backbone. End devices communicate via 100-Mbps links. Each simulation captures behavior across initialization, steady-state, failure, and recovery phases. In this context, four scenarios are defined: • S1A1 / S1A2: Simulate a link failure between SwitchA_1 and SwitchB_1 at 4 seconds. S1A2, Figure 3, enables FRER; S1A1 does not. Runtime: 10 ⁢ s 10 𝑠 10s 10 italic_s. • S2A1 / S2A2: Simulate cell isolation by disconnecting centralSwitch_2 from both Edge unit and SCADA at 2 seconds. S2A2, Figure 4, uses FRER for redundancy. Runtime: 5 ⁢ s 5 𝑠 5s 5 italic_s.

S1A1 / S1A2: Simulate a link failure between SwitchA_1 and SwitchB_1 at 4 seconds. S1A2, Figure 3, enables FRER; S1A1 does not. Runtime: 10 ⁢ s 10 𝑠 10s 10 italic_s.

S2A1 / S2A2: Simulate cell isolation by disconnecting centralSwitch_2 from both Edge unit and SCADA at 2 seconds. S2A2, Figure 4, uses FRER for redundancy. Runtime: 5 ⁢ s 5 𝑠 5s 5 italic_s.

Failures are introduced using XML-based ScenarioManager scripts, which explicitly disconnect and later restore Ethernet gates between modules. No node-level failures are used; instead, link-level disruptions emulate practical fault cases such as cable damage or aggregation switch malfunction.

Redundancy mechanisms, including Frame Replication and Elimination for Redundancy (IEEE 802.1CB), are activated only in S1A2 and S2A2 via StreamRedundancyConfigurator. Gate control and clock synchronization are implemented using EagerGateScheduleConfigurator and IEEE 802.1AS-compliant gPTP via a centralized masterClock. The full simulation source code, scenarios, and TSN configurations are publicly available at [ 13 ].

Figure 5 shows the performance of the S1 stream under a link failure between SwitchA_1 and SwitchB_1 injected at t = 4 𝑡 4 t=4 italic_t = 4 s and resolved at t = 6 𝑡 6 t=6 italic_t = 6 s. In the non-redundant setup (S1A1), latency becomes highly variable post-failure, with a median of 24.01 ⁢ μ 24.01 𝜇 24.01\mu 24.01 italic_μ s and a wide spread (mean 18.93 ⁢ μ 18.93 𝜇 18.93\mu 18.93 italic_μ s). Jitter increases significantly, with a standard deviation of 6.29 ⁢ μ 6.29 𝜇 6.29\mu 6.29 italic_μ s due to unstable retransmissions and path recovery effects. Despite the existence of physical alternate paths, their absence from the active stream configuration renders the stream vulnerable to the failure.

In contrast, the redundant configuration (S1A2) uses FRER to pre-distribute stream replicas over disjoint paths. This eliminates the need for dynamic rerouting or recovery signaling. As expected, latency remains consistently bounded despite the fault, though its median rises slightly to 29.81 ⁢ μ 29.81 𝜇 29.81\mu 29.81 italic_μ s. This increase stems from buffering delay introduced by duplicate frame handling. The trade-off yields a more stable mean delay (27.43 ⁢ μ 27.43 𝜇 27.43\mu 27.43 italic_μ s) and enhanced fault tolerance. Jitter remains controlled (std 8.13 ⁢ μ 8.13 𝜇 8.13\mu 8.13 italic_μ s) as the FRER mechanism ensures that the first valid frame at the receiver is delivered without delay, masking the failure entirely.

Figure 6 presents the S2 stream under a cell-level fault, where centralSwitch_2 is disconnected from the Edge and SCADA units at t = 2 𝑡 2 t=2 italic_t = 2 s and reconnected at t = 3 𝑡 3 t=3 italic_t = 3 s.

In the non-redundant case (S2A1), latency spikes sharply, with a median of 51.28 ⁢ μ 51.28 𝜇 51.28\mu 51.28 italic_μ s and peaks over 90 μ 𝜇 \mu italic_μ s. Jitter remains moderate (std 17.32 ⁢ μ 17.32 𝜇 17.32\mu 17.32 italic_μ s), reflecting consistent recovery behavior once the fault is resolved.

In contrast, S2A2 with FRER exhibits a more complex profile. While the median latency improves slightly to 45.99 ⁢ μ 45.99 𝜇 45.99\mu 45.99 italic_μ s, the mean increases to 63.27 ⁢ μ 63.27 𝜇 63.27\mu 63.27 italic_μ s, and the tail becomes pronounced—latency reaches up to 879 ⁢ μ 879 𝜇 879\mu 879 italic_μ s, and jitter swings from –224 to +224 μ 𝜇 \mu italic_μ s. This indicates that while FRER masks the failure itself, it introduces significant delivery variability even under normal operation. The congestion between centralSwitch_1 and centralSwitch_3, likely due to duplicate stream forwarding, amplifies path imbalance and leads to large jitter fluctuations. These results reveal that FRER is not universally beneficial. While it provides failover protection, it may degrade performance for bursty or high-bandwidth streams like inspection traffic.

The right-hand boxplots in both figures confirm these observations statistically. In S1, the non-redundant configuration exhibits outliers and jitter spread during failure, while FRER (S1A2) achieves consistently low variance, validating its effectiveness for critical, low-volume streams. However, in S2, FRER (S2A2) displays a heavy-tailed distribution and wide jitter range, in contrast to the more stable profile of the non-redundant setup (S2A1). These results highlight that while FRER prevents packet loss and ensures continuity, it can introduce delivery unpredictability under normal load, particularly for high-throughput or bursty traffic.

To quantify the resilience of each configuration, Table V summarizes packet transmission, loss, and recovery characteristics for all scenarios.

For the Sensing_1 → → \rightarrow → Control_1 stream (S1), which transmits every 7.5 ms on average, the S1A1 configuration experiences 270 lost packets during the 2-second link failure—yielding a 20.2% loss rate. Recovery is purely reactive and delayed until the link is restored. In contrast, FRER-enabled S1A2 maintains continuous delivery across disjoint paths, with no packet loss and instantaneous failover.

The Inspection_2 → → \rightarrow → Edge unit stream operates at a high rate (66 μ 𝜇 \mu italic_μ s intervals), and the S2A1 setup suffers 19,776 dropped packets during a 1-second isolation, corresponding to a 26.3% loss rate. Despite available physical paths, the absence of redundancy prevents their use. S2A2, leveraging FRER, avoids loss by using duplicate streams; however, as discussed earlier, this comes at the cost of significant jitter and latency variability.

This study compares FRER against a non-redundant baseline, excluding traditional protection schemes like Spanning Tree Protocol (STP), Rapid STP (RSTP), and Ethernet Ring Protection Switching (ERPS), which require tens to hundreds of milliseconds to recover—too slow for Time-Sensitive Networking (TSN) traffic with sub-millisecond deadlines.

FRER enables zero recovery time via data-plane replication over disjoint paths but introduces bandwidth overhead and possible jitter due to path imbalance. Alternatives include FRER with Scheduled Traffic (FRER-ST), which improves determinism but needs centralized scheduling; Packet Duplication and Elimination Function (P-DEF) in 5G, which is wireless-specific; and reactive options like Multi-Protocol Label Switching - Transport Profile (MPLS-TP) and IEEE 802.1Qca, which offer fast failover at the cost of added complexity. While FRER is ideal for critical flows, selective or hybrid use is advised for high-bandwidth or bursty traffic.

While FRER eliminates packet loss and enables seamless failover, it introduces measurable bandwidth overhead. Figure 7 shows link utilization over time for the Sensing_1 → → \rightarrow → SwitchB_1, resulting in steady utilization (4–5%) until the link failure at t = 4 𝑡 4 t=4 italic_t = 4 s. Utilization then drops to zero, confirming complete disconnection, and only resumes after recovery at t = 6 𝑡 6 t=6 italic_t = 6 s. The lack of alternative forwarding results in data loss.

In S1A2, FRER replicates traffic across disjoint paths— SwitchA_1 → → \rightarrow → centralSwitch_1 link consistently reaches 13–15%, while centralSwitch_1 → → \rightarrow → SwitchB_1 carries 5%. Meanwhile, the direct path remains active with a reduced load (2%). This validates continuous delivery of duplicate frames, confirming the overhead introduced by FRER.

Figure 8 captures the impact of FRER in the S2 scenario, which involves high-bandwidth streaming from Inspection_2 → → \rightarrow → centralSwitch_3 to near saturation (100%). Even during fault-free operation, these links remain heavily loaded due to constant duplication. This congestion not only increases latency and jitter, as shown earlier, but also reduces available headroom for other traffic.

These findings demonstrate that while FRER offers fault resilience, it comes at the cost of substantial link overhead. This trade-off must be carefully considered—especially for high-rate or bursty streams—where redundancy may amplify congestion risks in shared core segments.

Recommendation: In bandwidth-constrained or converged TSN networks, FRER use must be selective and strategic, prioritizing critical control flows with strict latency and loss constraints. Our evaluation (Section V) shows that indiscriminate replication can increase congestion and jitter, particularly for high-bandwidth streams like inspection video, which experience marginal benefit from FRER unless provisioned with excess capacity. These observations are consistent with prior analyses on redundancy overhead and congestion risk in TSN systems [ 11 ], [ 12 ]. To mitigate these risks and maintain deterministic performance, we recommend the following: • Topology-aware stream allocation to prevent redundant paths from overlapping at congestion-prone links. • Per-link capacity planning that accounts FRER duplication overhead under both nominal and failure conditions (e.g., up to 2× bandwidth increase). • Flow-aware shaping and policing to bound burst sizes before replication and avoid queue buildup. • VLAN-based isolation to confine traffic classes and avoid cross-stream contention during failover events. • Adaptive redundancy levels, where redundancy is enabled dynamically based on flow criticality, system load, or link health indicators (as explored in [ 10 ]).

Topology-aware stream allocation to prevent redundant paths from overlapping at congestion-prone links.

Per-link capacity planning that accounts FRER duplication overhead under both nominal and failure conditions (e.g., up to 2× bandwidth increase).

Flow-aware shaping and policing to bound burst sizes before replication and avoid queue buildup.

VLAN-based isolation to confine traffic classes and avoid cross-stream contention during failover events.

Adaptive redundancy levels, where redundancy is enabled dynamically based on flow criticality, system load, or link health indicators (as explored in [ 10 ]).

These measures, informed by both our simulation results and recent studies, help ensure that FRER delivers its intended benefits—lossless failover and zero recovery time—without destabilizing the broader TSN network.

This paper introduced a scenario-driven simulation framework for evaluating TSN resilience under fault conditions in industrial networks. By modeling synchronized production cells with stream-level redundancy, we assessed the impact of link and cell failures on latency, jitter, packet loss, and recovery time.

Results show that FRER achieves zero-loss failover and uninterrupted operation during faults. However, this reliability comes at the cost of significantly increased bandwidth usage—up to 2–3× in some cases—due to redundant traffic. These findings underscore the need for selective, traffic-aware application of redundancy in bandwidth-constrained environments.

Future work will enhance the framework with dynamic reconfiguration capabilities, enabling networks to autonomously adapt to faults via gate schedule updates, stream rerouting, and flow prioritization. We also plan to simulate multi-fault and transient failure scenarios to assess TSN’s robustness under more realistic industrial conditions.