In-Flight Reconfiguration with System-On-Module Based Architectures for Science Instruments on Nanosatellites by Neubert, Tom et al.
IN-FLIGHT RECONFIGURATION WITH SYSTEM-ON-MODULE BASED
ARCHITECTURES FOR SCIENCE INSTRUMENTS ON NANOSATELLITES

MINIATURIZED CLIMATE RESEARCH INSTRUMENTS
Objectives and Challenges
flexibility, (re)programmability, modularity, reusability
• standardized sublevel components available (power, communication, altitude control, deorbiting, …)
• customized science payload electronics needed
• novel “standardized” science payload electronics based on our “system on module” approach, with heritage from precursor instruments (AtmoHIT & AtmoSHINE) on sounding rocket and in space
• long-term measurements with custom mitigation techniques using COTS components
• focus is on imaging sensors in combination with integrated System-on-Chip (SoC) solutions
SPIE-JARS 05/2019

• Pin compatible modules with processing units, memory and power conversion
• Several processing capabilities (CPLD, FPGAs, µC, SoC, MPSoC)
• Short development time, ‘low’ design expertise needed (universities)
Challenge
• Radiation environment, system reliability
• Size, power consumption, limited data bandwidth and costs
Solution approach
• SRAM-based XILINX System-on-Chip (SoC) architectures contain processing units (PS) and reconfigurable logic (PL)
• Mitigation techniques, protection circuits and 

A RECONFIGURABLE SCIENCE ELECTRONICS
Block diagram
Reconfiguration strategy
Built-In-Self-Test (BIST): Detection and monitoring of failure
• Diagnostics for all vital functions
• Classification in
  • Minor → Warning
  • Major errors → Reconfiguration
  • Critical situations → Shutdown
Safe reconfiguration
• on software crash
• compensate for SEU and SEFI induced errors
• safe shutdown at SEL events
Highly secured boot process
• Redundant boot devices
• Automatic switch between Nominal/Redundant
• ‘Golden Image’ in third device
• BIST and automatic correction of invalid FW image
Firmware storage devices
• QSPI nominal (primary) boot device
• SD-Card redundant (secondary) boot device

• ISL706ARH (5962R1121304VXC)
• QML qualified per MIL-PRF-38535
• High dose rate 100 krad(Si)
• SEL LET_TH 86 MeV·cm²/mg
• the ‘alive’ signal combines a software task in the PS and a logic block inside the PL
• when PS or PL stops working (crash), the WDT resets the system
• at major risks the ‘alive’ trigger signal will be suppressed by BIST
• SEU events occur inside TMR (PL)
• Cyclic memory pattern check fails (PS)
• TM/TC and HK packages inconsistent
• Error at peripheral interfaces (I2C, SPI, DMA)

• a time delay at the PFI input during power-up makes the system start from the nominal boot device
• a corrupted configuration will force a reset due to the missing ‘alive’ signal, and the PFI output (BootSelect) has inverted after this time
Simple watchdog IC with two functional blocks
FIRMWARE CHECK AND ‘SELF-REPAIR’
TMR-like behavior of the three configuration memories
Each configuration memory holds the binary boot image and the correct MD5 hash tag in a separate file.
1) BIST
• At power-up time ‘System-checker’ process
• Firmware and stored MD5# are checked → FW OK marker for each device
• MD5# tags are compared to each other → Discrepancy of memory content
2) Self-Repair, in case of a discrepancy
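
The check and repair steps above, sketched in Python as an added example (not the flight code). The slide does not spell out the repair step, so the majority vote and the copy from a verified device are assumptions, as are the device names and the dictionary layout.

```python
import hashlib
from collections import Counter

def md5_hex(data: bytes) -> str:
    # MD5 as on the slides: catches accidental corruption; it is not an authenticity check.
    return hashlib.md5(data).hexdigest()

def bist(devices):
    """Step 1: per device, recompute the image MD5 and compare it with the stored tag."""
    return {name: md5_hex(d["image"]) == d["tag"] for name, d in devices.items()}

def self_repair(devices):
    """Step 2 (assumed policy): majority vote over the stored tags, then rewrite outliers."""
    fw_ok = bist(devices)
    tag, count = Counter(d["tag"] for d in devices.values()).most_common(1)[0]
    if count < 2:
        raise RuntimeError("no two devices agree; no reference tag available")
    # A donor must pass its own check AND carry the majority tag.
    donors = [n for n, d in devices.items() if fw_ok[n] and d["tag"] == tag]
    if not donors:
        raise RuntimeError("no device holds a verified copy of the majority image")
    good = devices[donors[0]]
    repaired = []
    for name, d in devices.items():
        if not fw_ok[name] or d["tag"] != tag:
            d["image"], d["tag"] = good["image"], tag   # rewrite image and tag file
            repaired.append(name)
    return repaired

def make_devices():
    """Constructed sample: three memories holding the same image and tag."""
    image = b"BOOT.BIN constructed sample " * 64
    tag = md5_hex(image)
    return {n: {"image": image, "tag": tag} for n in ("qspi", "sd", "golden")}

if __name__ == "__main__":
    devs = make_devices()
    upset = bytearray(devs["qspi"]["image"])
    upset[10] ^= 0x04                      # simulated single bit flip in the QSPI image
    devs["qspi"]["image"] = bytes(upset)
    print(bist(devs))
    print(self_repair(devs))
    print(bist(devs))
```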

Communication Concept: CubeSat Space Packet Protocol* (CSPP)
Space Segment

• OBC handles all ground communication via radio (S-, X-Band)
• Ground testing via direct network link
• Multiple physical interfaces
CSPP Packet handler

• CSPP supports multiple interfaces (physical layer)
• 16 Byte Header
• Protocol and Routing information
• Parameter and Data block, CRC secured

- Total size of Configuration
Upload Data blocks:
- block size in parameters
- Data-CRC secured
- Reply ACK/NAK
- on NAK: resend block
Validation
- Send MD5#
- Generate local MD5#
- Compare MD5#s
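
The upload sequence above as a small simulation, added here as an example and not taken from the CSPP implementation. The CRC width is not given on the slide, so CRC-32 from `zlib` is assumed, as are the block index field, the retry limit and all names.

```python
import hashlib
import zlib

class Receiver:
    """On-board side: accepts CRC-secured blocks, then validates the whole image by MD5."""
    def __init__(self, total_size, block_size):
        self.total_size, self.block_size = total_size, block_size
        self.buf = bytearray()

    def on_block(self, index, payload, crc):
        expected = len(self.buf) // self.block_size      # next block we are waiting for
        too_long = len(self.buf) + len(payload) > self.total_size
        if index != expected or too_long or zlib.crc32(payload) != crc:
            return "NAK"
        self.buf += payload
        return "ACK"

    def validate(self, sent_md5):
        complete = len(self.buf) == self.total_size
        return complete and hashlib.md5(self.buf).hexdigest() == sent_md5

def upload(image, block_size, receiver, channel, max_retries=3):
    """Ground side: returns (validated, number of NAKs seen)."""
    naks = 0
    for index, off in enumerate(range(0, len(image), block_size)):
        payload = image[off:off + block_size]
        crc = zlib.crc32(payload)
        for attempt in range(max_retries + 1):
            sent = channel(index, attempt, payload)      # link may damage the payload
            if receiver.on_block(index, sent, crc) == "ACK":
                break
            naks += 1                                    # on NAK: resend block
        else:
            return False, naks                           # retries exhausted, abort upload
    return receiver.validate(hashlib.md5(image).hexdigest()), naks

def flaky_channel(index, attempt, payload):
    """Constructed link model: flips one bit in block 2 on its first transmission."""
    if index == 2 and attempt == 0:
        damaged = bytearray(payload)
        damaged[0] ^= 0x01
        return bytes(damaged)
    return payload

def demo():
    image = bytes(range(256)) * 10                       # constructed 2560-byte image
    rx = Receiver(len(image), 512)
    ok, naks = upload(image, 512, rx, flaky_channel)
    return ok, naks, bytes(rx.buf) == image
```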

Firmware consists of three parts: 
• First-Stage-Bootloader (fsbl) ~ 100 KB
• PL configuration bit stream (.bit) 1.8 … 4 MB 
• PS application code (.elf) ~ 1 MB (FreeRTOS)
→ BOOT.BIN or as single files
• Files can be compressed in Xilinx Vivado toolchain, 

• The reconfiguration strategy uses BIST to classify hazards into different risk levels, which allows intervention on demand
• With additional memory devices available at the SoM, a highly secured boot process is demonstrated
• Dual boot functionality with a simple supervisor chip increases reliability
• On-board firmware self-check and repair is secured by MD5 checksums
• In-flight reconfiguration using a packet-based protocol (CSP) is independent of the physical layer interfaces (CAN, I²C, UART, LAN, …)
• Firmware can be partly uploaded and compressed to save uplink time
Please join the Q&A WEBINAR (Aug. 11th). 
Further information in conference proceeding paper (SSC21-VIII-08). 
THANK YOU FOR YOUR ATTENTION
