The goal of this paper is to describe the development of a hardware-in-the-loop simulation and verification environment for Field Programmable Gate Array (FPGA) based on-board computing systems. The underlying simulation environment is the Model-based Development and Verification Environment (MDVE). MDVE is an infrastructure for model-based engineering developed by EADS Astrium. A simulation environment based on MDVE was developed at the Universität Stuttgart. Recently, the demand on applying new high density FPGA technologies for innovative spacecraft on-board computing systems is rising. The small satellite "Flying Laptop" which is built by the Universität Stuttgart is the demonstrator of a FPGA-based on-board computer. In order to develop and verify the hardware and control algorithm of the computer, an extended simulation interface between MDVE and FPGA-based computing systems is established. This environment is capable of software verification and real-time simulation/verification configuration, and enables not only on-board software development but also functional real-time hardware evaluation of all the satellite components under precise space environment models. This paper describes the detailed implementation of this simulation interface and illustrates the obtained simulation results on attitude control algorithm verification and power budget calculation as well as communication timing analysis, which ensure the validity of the implementation. 
Introduction
The Universität Stuttgart is now conducting a small satellite development program named "Stuttgart Small Satellite Program." The earth-orbiting small satellite Flying Laptop is the first satellite within this program, in which the Institute of Space Systems (Institut für Raumfahrtsysteme: IRS) is developing four small satellites aiming to launch a small spacecraft to the moon (Lunar Mission BW1 1) ) as the final goal. All these satellites are developed, built and operated by the IRS. The Flying Laptop is a testbed for an On-board Computer (OBC) with a reconfigurable, redundant and self-controlling high computational ability, based on a Field Programmable Gate Array (FPGA). 2) This technology shall meet the recent needs on applying new high density FPGA technologies for space use, which enables innovative approaches to architecture of OBCs, especially for demanding small satellite applications.
Over the past few years, model-based development and verification has been playing a very important role in the satellite design process of industry-lead space projects compared to the traditional software-based simulation and verification methods of real-time on-board software. 3, 4) Since 2001 EADS Astrium GmbH for example has developed a model-based real-time system simulation infrastructure to support spacecraft development, on-board software verification and spacecraft design validation in order to accomplish the needs of a newly established engineering process. 5) This simulation infrastructure is called "Model-based Development and Verification Environment" (MDVE). At the University, a MDVE has been implemented with the support of EADS Astrium for the development and verification of the small satellites. Because the present MDVE technology is, however, only designed for the traditional processor-type on-board computing system and there is no possibility to emulate parallel execution behaviors of FPGA-type computers, a new development of an interface between FPGA-based on-board computing systems and MDVE is demanded. This paper describes the development and implementation of this interface and the results of first test simulation by the hardware-in-the-loop configuration of the MDVE with a FPGA-based OBC of the small satellite Flying Laptop. As the results of the test simulation, the performance of the attitude control algorithms and power budget calculation are presented, which play a great role for the satellite system design. Furthermore, timing analysis of the communication between the On-board Computer Simulator and the Real-Time Simulator has also been conducted.
Model-based Development and Verification Environment
The MDVE simulation environment provides a tool infrastructure allowing Spacecraft models ranging from early pure virtual simulations via hybrid testbenches up to full FlatSat configurations to be setup. This largely minimizes cost for hardware models, and in parallel provides risk mitigation through stepwise verification of on-board software, on-board hardware, flight procedures etc. first by utilization of simulation testbenches and later by hardware-in-the-loop configurations. A more detailed explanation of MDVE technology and its configurations can be found in Eickhoff et al. 6) MDVE will be used in various project phases for a number of design, development and verification tasks in different working environments. The most important MDVE standard configurations are: 1) Development SVF (DEV-SVF) 2) Software Verification Facility (SVF) 3) System Testbed (STB) 4) Extended Real-Time Testbed (FlatSat) 5) Spacecraft simulator for the mission control center. The core element of the MDVE is an On-board Computer Simulator (OBC-Simulator) and a Real-Time Simulator (RTS) modeling the remaining equipment units of the spacecraft plus space environment conditions (Fig. 1) . In dedicated simulation setups both of these simulators (synchronized to each other) are commanded via a control console -in most cases a Core EGSE. The functional behavior of the satellite system and all interactions of the on-board equipments are modeled on the basis of the system and equipment specifications. A major benefit of model-based system development utilizing MDVE is the possibility for early simulated satellite mission operations, using real on-board software in the virtual satellite. By the use of the model based concept each flight hardware unit can be realized by an equivalent software model prior to the availability of the real hardware. This represents an outstanding support to system design qualification and performance verification.
On-board Computer of the Flying Laptop

Flying Laptop satellite
The mission objectives of the Flying Laptop which is a cubic, 3-axis stabilized satellite with the edge lengths of about 600 mm x 700 mm x 800 mm and with a mass of about 120 kg are new technology demonstration and scientific earth observations. 8, 9) The satellite utilizes three high resolution camera systems with ground sampling distance of 25/100/200 m, respectively, a high accurate attitude control system with pointing knowledge of better than 7 arcseconds and a 0.5 Gbps Ka-band communication system, all of which are exceptional for small satellites. The satellite system configuration is illustrated in Fig. 2 . All satellite peripherals are connected with and controlled by the FPGA-based OBC.
On-board computer
The OBC of the Flying Laptop is based on a Xilinx's Virtex-II Pro FPGA technology, which consists of four Central Processing Nodes (CPNs) and one Command Decoder and Voter (CDV). Paying attention to the risks of the COTS approach, 10) the OBC is realized as a highly redundant replicated four-lane computing system in master/monitor configuration. The CDV monitors the other four CPNs and selects one master node out of the four. In addition to the inter-lane connections within the OBC, all CPNs are connected to all satellite peripherals via isolating buffers so that each single CPN can execute full functions and control tasks of the OBC (Fig. 3 All control and data processing functions of the satellite, which are not directly executed by the CDV, are implemented into the FPGA on the CPNs. Main tasks of the CPNs are attitude control algorithm computation, real-time image processing, generation of scientific telemetry data, TM/TC processing and execution of house keeping routines. The direct implementation of these functions into hardware, without the need of a micro processor or an operating system, reflects the features of functional parallelism and high computational throughput of FPGA, i.e. software-less implementation. This technology meets the challenging demands on operating a variety of on-board instruments and performing broad range of scientific experiments.
11)
FPGA technology for small satellites
By exploiting the capabilities of the new high density FPGA technologies, the complete functionality of the on-board computer can be integrated onto a single printed circuit board, allowing reduction of number of components, which results in lighter weight, smaller volume and better reliability figures. A FPGA is a semiconductor device containing programmable logic components and interconnects. FPGA-based OBCs can achieve multiple complex functions by re-configuring these hardware logic devices even after the launch.
Development of Hardware-in-the-Loop Simulation Environment
Implementation concept
There exists no possibility to emulate the parallel execution functionality of FPGA with software models on a x86 platform. To incorporate the real on-board control algorithms into the MDVE closed loop simulation the MDVE requires a FPGA for on-board control algorithms execution. This FPGA hardware-in-the-loop configuration applies also for the first testbed setups: the functional model configuration (configuration 1) and Software Verification Facility configuration (configuration 2).
The assumptions made for this implementation are: a) Periodical execution rate of the routine tasks on FPGA-based OBC is maximum 10 Hz b) Simulator executes each attitude control simulation loop with a frequency of minimum 20 Hz, in order to guarantee a stable simulation c) The timing discrepancy between MDVE and FPGA-based OBC is negligible during the range of simulation duration of interest According to these assumptions, it is estimated that computation speed of the FPGA-based OBC is fast enough, so that all parallel communications can be transported through serial communication line within the required time step. This communication channel consists of a full-duplex capable 921600 baud RS-422 interface.
Layered structure of control algorithms
The most important requirement of this simulation and verification environment is that the application level control algorithms remain the same in flight and verification configuration so that the verified control algorithm can be directly ported into the real flight configuration. To fulfill this requirement the control algorithm structure is separated into several layers, which represent different levels of abstraction and platform dependence as illustrated in Fig. 4 .
PSL stands for "Platform Support Library", it is platform dependent and provides access to platform specific resources, such as I/O and memory. PAL stands for "Platform Abstraction Layer", it serves as an abstraction layer to provide generic and easy-to-use access functions to the PSL. PAL-Core is the implementation specific function layer, in which routine tasks, for example periodical sensor data collection for every satellite peripheral is implemented. This is why it is also called as Satellite Hardware Interface Protocol (SHIP). In this layer, every component is represented by relevant variables and functions, which enables an application programmer to access the peripherals quite easily without knowing their exact technical specifications. Finally, the Application Layer is the highest layer. In this layer application-level control algorithms such as attitude determination and control are executed. This four level approach conceals the low level functions and platform dependent interfaces from application programmers and leads to a great portability of the application algorithms. The targeted first testbed setups differ from the real-time testbed with the flight configuration in terms of applied platform and interface type. To deal with this problem the PAL has been substantially extended to a simulator front-end (SIM_FE). The SIM_FE is a pseudo layer, located between the PAL-Core and PAL, making it possible that the simulation specific PAL-Core SIM-SHIP can access to the PSL. The interface between application layer and PAL-Core remains the same, which makes the application algorithms portable to different configurations. The SIM_FE runs, together with PSL, in another clock domain with a faster clock rate of 65 MHz in order to make the high-speed serial communication possible, while the other algorithms run with 12 MHz.
Pf_3
Parallelism
The control algorithm is divided vertically in layers and horizontally in domains. The horizontal division into multiple domains represents parallel functions. The domains in application layer represent parallel processes divided into functional units mainly such as Attitude Control System (ACS), Payload system (P/L), Power Supply System (PSS) and Telemetry, Tracking & Command system (TT&C). These domains run in parallel, completely independent of each other and are determining the own actions to perform only by analyzing input variables from other domains. In the flight configuration, these domains communicate with corresponding hardware peripherals in parallel. This parallelism is interchanged with the serial communication line between MDVE within the SIM_FE applying time discrete information transfer.
Timing
In FPGA, one clock cycle is the unit time in which a designed task is exactly executed and fulfilled. This task execution is never interrupted or postponed by temporal overload. In this sense, FPGA is superior to conventional processor-type OBC and suitable for real-time systems. Every domain in FPGA has its own control cycle with all running in parallel thus no domain needs to wait for another to finish its communication. To achieve the timing requirements a central control-loop of each domain feeds the precise timing signal to the individual component's control functions. Every time an update signal is set, the device's control-function communicates with the hardware and updates the relevant variables. Every kind of component has its own update rate. The example of ACS-Components timing is illustrated in Fig. 5 . Table 1 lists communication budget of the components relevant to the simulation purpose of this paper. Component quantity, execution rate, size of simulator transfer frame (STF), bandwidth demand and calculated data transmission time through the communication channel are listed. The factor between available baud rate and demanded bandwidth is more than 200 for both directions. Although 10 more component models shall be implemented for further attitude control simulations, the margin factor is large enough so that the communication can take place without any congestion. To ensure that induced magnetic field by torquer does not interfere the measurement of earth magnetic field, the dipole moment command is applied in a 5 s periodic cycle containing a downtime of 0.5 s for magnetometer measurements.
Implementation with the RC10 platform
Because only one of the four CPNs is allowed by CDV to communicate with satellite peripherals at any moment, it can be considered that the simulation interface connects MDVE and a single CPN. The control algorithms of the CPN have been developed based on several different types of development platforms. The simulation interface for the first test is actually developed using the RC10 development platform based on a Xilinx Spartan III FPGA which has similar FPGA architecture with that on the CPN. This RC10 has approximately 1.4 million gates, while the Xilinx's Virtex-II Pro has approximately 4 million gates.
Communication with MDVE
The low speed RS-232 standard communication port controller on RC10 was replaced with another controller and with a level converter which makes it compatible to the RS-422 standard, making it possible to take advantage of the maximum port speed of 921600 baud. As described in Fig. 4 , in case of a hardware-in-the-loop configuration the communication takes place with the SIM_FE instead of the satellite hardware peripherals. The SIM_FE encapsulates the outgoing communication into a standardized simulator transfer frame and passes it to the PSL which then sends it via the RS-422 interface to the simulator. Incoming STFs are analyzed, unpacked and passed to the SIM_FE. The structure of the STF is startbyte (STX) followed by two bytes in little endian order representing the packet length, one byte unit ID, the data to be transferred, one byte checksum and the endbyte (ETX), as illustrated in Fig. 6 . The RTS can be controlled by SCOS-2000 through commands as well as the virtual satellite, which is also commanded by the same Mission Control System. SCOS-2000 is connected by a TCP/IP connection to both, the system-simulator and the virtual satellite, via the SCOS Proxy, which fulfills the task of routing all transferred data to its destination. SCOS-2000 provides a professional environment for generating telecommands and telemetry visualization and analyses. 12) This ESA provided Mission Control System SCOS-2000 has been selected not only because it is free of charge but also it represents an accredited system.
Programming of FPGA
The complete control algorithm of the OBC is developed in Handel-C high level programming language with the help of Celoxica's hardware compiler tool chain. It mainly follows the ANSI C Syntax, but has some restrictions and add-ons which represent the unique features of FPGA, mainly the parallelism.
Attitude Control Algorithm
Attitude control system components
The Flying Laptop satellite is equipped with five different kinds of sensors and two different kinds of actuators as attitude control system components. The attitude control modes and related active components in each mode are listed in Table 2 . In this paper, the detumbling mode and safe mode are matter of concern because control algorithms of the idle mode and the other three pointing modes are now under development.
Description of attitude control modes
The objective of the detumbling mode is to reduce the angular velocity ω as circumstances demand such as after the launcher separation.
13) The control torquer dipole moment which is generated by means of three torquer rods, one rod per each body axis, can be described as:
Due to high angular rates, the measured magnetic field vector changes mainly as a result of the satellite's rotation, but not of the magnetic field's variation along the orbit. 
Thus, the derivative of the magnetic field vector is a good approximation for the magnitude of the satellite's angular velocity and detumbling can be performed with magnetometer measurements alone. The satellite is commanded to Safe mode subsequent to the initial detumbling mode. This combination of detumbling mode and safe mode is used every time the satellite gets into system level safe mode caused by some accidental errors. The sensors for this mode need to have a high reliability and high availability. Despite of having higher pointing knowledge, star trackers are not used in this mode, 14) due to their high power consumption and lower reliability. Thus, only sun sensor and magnetometer information will be used. A course pointing knowledge is sufficient for this mode. The coarse sun sensor system of Flying Laptop consists of a combination of sixteen simple solar cells to achieve a high reliability.
During sun phases in safe mode, the negative principal axis is aligned with the sun direction and at the same time an additional spin around this axis is built up. Due to the spin rate the satellite maintains its attitude even during umbra phases without any input from the sun sensor. With this simple concept a sufficient power supply is achieved as the solar panel normal is close to the sun direction and the payload cameras can be protected from sunlight at the same time. The magnetic dipole command for the safe mode can be described as:
where the sun acquisition control law is described as
and the spin-up control is described as
Because only torques perpendicular to the current magnetic field vector can be realized with magnetic torquers, only these components are commanded. The detailed derivation processes of above described control laws can be seen in Grillmayer et al. 15) 
Attitude control simulation
The satellite attitude control algorithm of detumbling mode and safe mode are simulated by MDVE with the FPGA hardware-in-the-loop configuration. The simulation results are qualitatively evaluated by comparing with simulation results of an attitude control system mathematical model based on Mathworks MATLAB. The characteristics of the two simulation environments are summarized in Table 3 . The environmental model of the MDVE is much more precise than that of MATLAB model. In addition to this, the orbit propagation method of MDVE uses an energy equation including three body effects, while the MATLAB model is based simply on the Newton law. The sampling periods of the sensor data in both environments are the same as in hardware.
During the simulation, FPGA-based OBC measures the earth magnetic field and sun vector by accessing the magnetometer and sun sensor software models in MDVE and sends back calculated commands to the magnetic torquer software models in MDVE. MDVE then propagates the satellite attitude based on the induced torques and precise environmental models and prepares sensor information for the next step. The simulation results of MDVE are illustrated in Fig. 7 and Fig. 9 , the results of MATLAB model are illustrated in Fig. 8 and Fig. 10 , respectively. The initial conditions for both simulations are the same. The orbit is a sun-synchronous orbit with an altitude of 600 km and with a local time of descending node of 10:30. Every simulation starts just after the satellite entered into the sun light out of umbra.
Detumbling mode simulation
Both Fig. 7 (a) and Fig. 8 (a) illustrate the angular rate of the satellite body and both Fig. 7 (b) and Fig. 8 (b) illustrate the induced torques after the separation from the launcher with an estimated initial angular rate of 8 deg/s. The absence of the sun light does not play any role for the detumbling mode, because the rotational rate information is based only on the magnetometer measurement.
The rotational rate is reduced by using the magnetic torquers. It can be seen that the angular rates around the three axes are reduced near to zero in both simulations. The time duration needed for the sufficient detumbling is slightly more than 100 minutes in the MDVE simulation and around 60 minutes in the MATLAB model. This difference is caused by the greater disturbance forces and the more precise calculation methods applied in MDVE, thus deviation of attitude takes much longer to damp. Even there is a quantitative difference between these figures, however, the comparison of them clearly shows the qualitative consistency between the two simulations. These figures show that the FPGA-based OBC and magnetometer and magnetic torquers software models in MDVE communicate appropriately.
Safe mode simulation
Once initiated the safe mode, the satellite spins itself up around its principle axis in order to stabilize its attitude with coarsely orienting the solar panel normal toward the sun. Fig. 9 (a) and Fig. 10 (a) illustrate the angle between solar panel normal and sun vector with the indication of sun light and umbra portion. The offset angle between solar panel normal and sun vector is about 38 degrees, because the principal axis, which is pointed toward the sun, is not aligned with the solar panel normal. When the satellite enters into umbra, the pointing accuracy becomes worse because the satellite loses the sun vector information. Fig. 9 (b) and Fig. 10 (b) illustrate the rotational rate and Fig. 9 (c) and Fig. 10 (c) illustrate the induced torques. It can be seen that the satellite gradually spins up the rotational rate at the beginning of the simulations. Because estimated value of the residual magnetic dipole moments of the satellite is implemented in the MDVE, the induced torque is not equal to zero even during the umbra. In addition to this, the earth albedo effect brings considerable errors in determining the sun vector, because of the simple mechanism of the sun sensor. These effects cause the higher magnitude of oscillation at the umbra region, which can be seen in the Fig. 9 (a) .
Despite the existence of quantitative difference, the comparison of these figures proves followings: a) all communication between FPGA-based OBC and software models in MDVE took place correctly b) hardware control algorithm implemented in the FPGA performs correct attitude control same as mathematical model in MATLAB model c) all component software models in MDVE are correctly implemented and work as same as real hardware components in the simulation environment. According to the above consideration and evaluation, the validity of the implementation of the hardware-in-the-loop simulation and verification environment in terms of satellite's attitude behavior is shown. This developed simulation environment is capable of performing a real-time attitude simulation of the satellite as well as the algorithm evaluation of the attitude control modes.
Power budget simulation
With the hardware-in-the-loop configuration, MDVE plays a significant role in operation design. Every component software model in the MDVE possesses the same properties and behaviors as the corresponding real hardware component. This includes not only electrical communication interface, power consumption and component modes, but also position, orientation, thermal properties and thermal contacts between components.
Based on these information, MDVE is able to perform, satellite's dynamics, electrical communication, ground contact, thermal and power budget simulations in parallel at the very same time. This is essential for power budget simulations because precise calculation is not possible without taking the satellite's thermal behavior into account. For example, the calculation of the power consumption of a heater placed on the surface of a battery, which is turned on and off according to the battery's variable temperature relative to its charging/discharging condition is a vital input for the power budget simulation. This chapter illustrates the results of power budget simulation by MDVE. In order to evaluate the accuracy of the simulation in hardware-in-the-loop configuration, two different simulation results are shown. Fig. 11 illustrates the power budget calculation of the satellite with the side solar panels closed, while the Fig. 11 (a) illustrates the simulation result without hardware-in-the-loop configuration and the Fig. 11 (b) illustrates the result with hardware-in-the-loop configuration. In the figures, the state of charge (SOC) of the battery (Li-ion), generated power by solar panels, consumed power and power loss are illustrated. The satellite configuration with both side solar panels closed is chosen as the worst case scenario.
For the former simulation, the average value of 38.5 deg is used for the angle between solar panel normal and sun vector, which is calculated by the MATLAB model. The lines in the former are smooth because of the constant satellite attitude relative to the sun vector, while the latter simulation reflects the precise satellite dynamics simulation and has a high magnitude of oscillation, especially in generated power on the solar panel. Even though the average value of generated power in sun light is higher than the value of consumed power, the SOC of the battery decreases constantly. Through the comparison of these two figures, it is proved that the precise dynamics simulation of the satellite with the hardware-in-the-loop configuration significantly influences the power budget calculation, showing that the satellite can not generate enough power to keep the SOC in a sufficient value.
The latter simulation result indicates that either the side solar panels shall be deployed after the separation from the launcher as early as possible to apply the simulated safe mode concept, or the safe mode concept shall be improved in order to let the satellite survive even in the configuration with the side solar panels closed. For that purpose, MDVE can further support the trade-off study and simulation activities in order to find the best solution. 
Timing analysis
In order to ensure the validity of the simulation results, the response time of each communication between MDVE and FPGA-based OBC are measured and statistically analyzed. The measured values are the time period between the moments at which the FPGA-based OBC started to send the first byte of STF and it received the last byte of replied STF from MDVE. The values are measured for each component; magnetometer, magnetic torquer, sun sensor and power control and distribution unit for 60 minutes. Fig. 12 (a) illustrates the measured response time of magnetometer communication, which needs the longest response time among the components. The response time measured for every packet exchange is plotted. Fig. 12 (b) illustrates the histogram of the measured value of the four components in concern. The number of packets is plotted according to the measured response time.
These values illustrated in Fig. 12 (b) shall be as similar as possible with those measured by corresponding real satellite hardware peripherals. The response time of the magnetometer hardware is specified as 142 ms due to its integration time, while that of the other components shall be as short as possible. This time delay of magnetometer is deliberately implemented in the software model in the MDVE. Fig. 12 illustrates that most of the magnetometer communication have took placed within 148 ms. It is estimated that the delay of approximately 6 ms from desired value is due to the transmission time through the communication line, which is listed in Table 1 , and disturbances by other internal processes. It can be seen in Fig. 12 (a) that there are many peaks with the values of up to around 175 ms. Because these peaks happen to the other components at the same moment, it is assumed that this phenomena is caused by the temporal overload on simulator kernel due to, for example, processing of keyboard input during the simulation. The lower limit of response time of the PCDU is because of the larger size of STF. Response time of sun sensors are significantly short because of the simple processing of their sensor data.
It can be seen that the implemented hardware specific time delay of magnetometer is consistent with the required value in the presence of acceptable distribution of ± 3 ms. There is also a possibility of improvement to tune this value by optimizing the software model. The other communications also take place in a sufficiently short time, which enables the update of sensor data within the required time periods. What shall be also mentioned is that these communication take place individually, without waiting for other processes, that means, the total required communication time is not the simple addition of the above measured values. According to these results, it is proved that the communication speed between MDVE and FPGA-based OBC is high enough so that the parallel communication of FPGA can be serialized by the SIM_FE with a sufficient reserve.
Conclusion
In this paper, the implementation of a simulation interface between MDVE and FPGA-based OBC is described. In order to connect the parallel running functions within the FPGA to the serial processing MDVE, a simulator front-end is implemented in the FPGA. By utilizing this simulation interface, MDVE can integrate FPGA-based computing systems into its closed loop simulation environment. The SIM_FE is implemented in the way that the application level control algorithms remain identical in both verification and flight configurations. This technology enables the ground development and testing of on-board control algorithms for FPGA-based computing systems. Within the scope of this research, basic satellite on-board control algorithms such as attitude control algorithm and power supply control algorithms are implemented and simulated in order to demonstrate the capability of the simulation environment. The results of the attitude dynamics simulations by the MDVE are evaluated by being compared with the results of the MATLAB model. Both results are quite consistent and the validity of the developed simulation environment is qualitatively proved. In order to analyze the timing issue between MDVE and FPGA-based OBC, the response time of communication are measured and statistically analyzed. It is proved that MDVE can conduct high speed response in the optimal condition without any disturbance. The implementation of response delay in software models has been also evaluated. The established hardware-in-the-loop simulation environment enables further development and verification of on-board control algorithms of the FPGA-based OBC as well as the satellite hardware components and supports wide range of system engineering activities.
