

## Dependable MPSoC framework for mixed criticality applications



Renato Costa Amorim Rodolfo Martins Prem Harikrishnan renato.amorim@evoleotech.com



Max Ghiglione
Tim Helfers

16th June 2021





## **Presentation Outline**





## **EVOLEO Technologies GmbH**

- Founded March 2018 in Munich, Germany
- The company is an independent SME based on the joint "Know How" of the founders and shareholders and on technology transfer from EVOLEO Technologies, Lda in Portugal.
- Focus on Space activities in electronics and embedded computational solutions
- Company development: organic growth, no leverage
- Staff of 8 engineers specialised in design and development of space hardware.





## **EVOLEO Technologies GmbH**

- Recurrency is critical towards the survival, expansion and profitability
- EVOLEO is looking to the New Space market
- EVOLEO GmbH focuses on the development of electronic concepts (avionics) as response to the increasing demand from the "New Space" market.



#### Key Goal

To design, develop and sell modular, flexible, recurrence oriented and "low cost" subsystems for small satellites classes in LEO (at best low MEO), under the spirit of "New Space using COTS".





# Airbus Defence & Space Ottobrunn

#### Focus on:

- Digital Payload Processing (including Analog ADC/DAC)
  - UPM Universal Processing Module
  - CHICS COTS Highly Integrated Computer System
- Space grade and COTS (commercial) technologies
  - ICAM OneWeb OBC GNSS module
  - Leopard COTS GNSS Receiver
- Machine Learning & Artificial Intelligence
- Telecom processing / control platforms,
- R&D:
  - Versal Al Core Beta Program
  - ML Inference on UltraScale+
  - Image processing on FPGAs







## **CHICS – ADHA COTS-based OBC**

- CHICS COTS-based Highly Integrated Computer System (OBC) for small satellites
- ESA Contract 4000130743/20/NL/FE supported by DLR
- Joint effort by EVOLEO and AIRBUS Defence and Space GmbH for a solution towards <u>high reliability and availability</u> through <u>the concurrent use of COTS and</u> <u>space qualified components</u>
- Aim to become the centerpiece controller for an <u>avionics suite</u>, compliant with the Advanced Data Handling Architecture (ADHA) based on cPCI Serial Space
- Demonstration of <u>AOCS payload integration</u>: <u>Star Tracker & GNSS</u>
- TRL6 target by Q1 2022









## CHICS – ADHA COTS-based OBC

#### **Design philosophy**

- 1. <u>Full SAVOIR OBC</u> No compromises on critical functions
- Compatible with <u>cPCI Serial Space Advanced Data Handling Architecture</u> (ADHA)
- 3. Fault-tolerant power chain and PUS-based FDIR
- 4. Streamline implementation of mission critical and non-critical functions
- 5. Versatile processing board compatible with multiple use-cases
- 6. Business and product oriented





## CHICS – ADHA COTS-based OBC



#### XQ Zynq UltraScale +

- High performance functions & interfaces
- OBSW + Payload applications
- SpaceWire Router for TM/TC and data

#### PolarFire FPGA

- Critical Functions maintains controllability of OBC
- CCSDS TM/TC Encoder/Decoder
- SpaceWire Router for TM/TC distribution
- Complex board supervision & recovery
- Secure storage of critical datasets (TMR NAND Flash)





#### **Challenges**

- Radiation effects "Can the device survive the radiation environment?" "How can we observe non-destructive events?"
- Resource isolation "How do we create isolated pools of resources inside the MPSoC?"
- Functional availability "How can we optimize the individual availability of each application/function?"
- Fault propagation through data sharing "Can two applications talk with each without spreading faults?"
- Ease of adoption and tailoring "How can we reuse this baseline HW/SW technology for multiple use-cases?"
- Minimal baseline dependability "Can we guarantee baseline availability/performance/FDIR features with little to no tailoring?"





#### **Approach**

#### 1. Secure side + Non-secure side isolation

- Secure side for OBC in Lockstep ARM-R5 Real-Time Cores (RPU)
- Non-secure side for payload applications on ARM-A53 Application Cores (APU) with XEN Hypervisor
- Programmable logic, memories and peripherals reserved for each side and isolated

#### 2. Secure Exchange Buffer/Monitor

- Ensure all data exchange between secure and non-secure side is flow-controlled and monitorable
- Configurable monitoring blocks from limit checks up to machine learning algorithms for fault detection.

#### 3. External Supervisor for critical faults

- Local MPSoC fault detection, isolation and recovery features for lower criticality faults
- External Supervisor device for critical faults and independent monitoring





#### Secure side + Non-secure side isolation

- Separated by enabling ARM TrustZone
- Virtualization of A53 via XEN Hypervisor with cache colouring
- All AXI transactions are tied off with Unique Master IDs
- AXI infrastructure provides timeout and isolation features
- Address translation using embedded memory management unit (SMMU)
- Embedded memory and peripheral protection units (XMPU/XPPU) prevent illegal access
- Violations will interrupt the PUS-based FDIR App







## **Secure Exchange Buffer/Monitor**

- Exchange buffer (EB) is a Dual Port BRAM in Programmable logic
- APU and RPU can only access the address allocated
- Interprocessor Interrupts are used to sync R/W
- All RAM with SECDED
- Data in EB can be monitored in parallel
- Exchange monitor can support complex algorithms (AI/ML)
- Interrupts the RPU for corrective action







#### **External Supervisor**

- Centralized acquisition and evaluation of telemetries (from MPSoC and backplane via SpaceWire and board level discrete analog and digital telemetries)
- SAVOIR Reconfiguration, Essential TM and Essential Telecommand functions.
- Compatible with PUS services (TC decoded and implemented directly in hardware)
- Monitoring of 10's of power chain telemetries (voltage, currents) and fine control of power chain (LCL and switches)







#### **GNSS and Star Tracker**

Demonstrate the capability to locally run two AOCS applications (SW+VHDL) interface with AOCS software.







# Artificial Intelligence/Machine Learning based FDIR

Demonstrate the capability to deploy the real-time condition monitoring of spacecraft housekeeping parameters, at system as well as at unit/equipment level



# **Early Test Results**

#### **Exchange Buffer**

- Validated FreeRTOS on lockstep RPU and hypervisor guests on APU (baremetal and FreeRTOS)
- Synchronized using Inter Processor Interrupts
- R/W at 1KHz and 64KB data buffers (both can be further increased)

#### **Hypervisor**

- DMA interrupts from PL to APU validated to 10 microseconds
- Interrupt latency around 130 ns for baremetal guest and 230 ns for FreeRTOS guest (interference from guests to be measured).
- Cache colouring enabled to avoid sharing of L2 cache in APU







## **Upcoming developments**



#### Conclusions

- Alignment with standards (ECSS, SAVOIR, cPCI, ADHA) are key to the adoption of COTS-based processing units in mini satellites.
- Native MPSoC features, development tools and open-source software can be leveraged for mixed-criticality space applications and offer good baseline dependability.
- Separation of MPSoC into "secure" and "non-secure" areas increases functional integration with lower development risk and effort.
- Customizable and monitorable data interfaces between criticality areas to detect soft errors.





# Dependable MPSoC framework for mixed criticality applications

**Thank You** 

The Team,

**EVOLEO Technologies GmbH** 

**Airbus Defence & Space GmbH** 

