

### IN-FLIGHT RECONFIGURATION WITH SYSTEM-ON-MODULE BASED ARCHITECTURES FOR SCIENCE INSTRUMENTS ON NANOSATELLITES

SSC21-VIII-08 I T. NEUBERT ET AL., ZEA-2, FORSCHUNGSZENTRUM JÜLICH GMBH, GERMANY



video

Member of the Helmholtz Association

### FORSCHUNGSZENTRUM JÜLICH

#### Heritage in remote sensing instrumention at airborne, balloon and satellites





### MINIATURIZED CLIMATE RESEARCH INSTRUMENTS



#### **Objectives and Challenges**

- standardized sublevel components available (power, communication, altitude control, deorbiting,...)
- customize science payload electronics needed



SHI spectrometer for atmospheric temperature measurements

# flexibility, (re)programmability, modularity, reusability



SPIE-JARS 05/2019

video

- novel science "standardized" payload electronics based on our "system on module" approach with heritage from precursor instruments (AtmoHIT & AtmoSHINE) on sounding rocket and in space
- long-term measurements with custom mitigation techniques using COTS components
- focus is on imaging sensors in combination with integrated System-on-Chip (SoC) solutions

### SYSTEM-ON-MODULE APPROACH



#### **Features**

- Pin compatible modules with processing units, memory and power conversion
- Several processing capabilities (CPLD, FPGAs, μC, SoC, MPSoC)
- Short development time, 'low' design expertise needed (universities)

#### Challenge

- Radiation environment, system reliability
- Size, power consumption, limited data bandwidth and costs

#### **Solution approach**

- SRAM-based XILINX System-on-Chip (SoC) architectures contains processing units (PS) and reconfigurable logic (PL)
- Mitigation techniques, protection circuits and **reconfiguration** for long-term measurements



### A RECONFIGURABLE SCIENCE ELECTRONICS



#### Blockdiagram



Firmware storage devices

- QSPI nominal (primary) boot device
  - SD-Card redundant (secondary) boot device
- eMMC Transfer memory and 'Golden image'

#### **Reconfiguration strategy**

# Built-In-Self-Test (BIST): Detection and monitoring of failure

- Diagnostics for all vital functions
- Classification in

٠

- Minor  $\rightarrow$  Warning
- Major errors  $\rightarrow$  Reconfiguration
- Critical situations → Shutdown

#### ConfMems eMMC: OK eMMC: FW OK eMMC: new FW eMMC: new OK SD0: OK SD0: FW OK SDO: EQUAL **OSPIOK** OSPE FW OK **QSPI: EQUAL** LastBoot QSP REBOOT Startup OK NeedUpdate CRITICAL EMERGENCY Conf. Mem Test

#### Save reconfiguration

- on Software crash
- compensate for SEU and SEFI induced errors
- safe shutdown at SEL events

### 3

#### Highly secured boot process

- Redundant boot devices
  - Automatic switch between
    Nominal/Redundant
- 'Golden Image' in third device
- BIST and automatic correction of
- invalid FW image



Mitglied der Helmholtz-Gemeinschaft

5

### SUPERVISOR CIRCUIT

#### Simple watchdog IC with two functional blocks

- Triggering the Reconfiguration
  - 'alive' signal is a combined signal by software task at PS and logic block inside PL
  - when PS or PL stops working (crash), WDT resets the system
  - at major risks 'alive' trigger signal will suppressed by BIST
    - SEU events occur inside TMR (PL)
    - Cyclic memory pattern checks fails (PS)
    - TM/TC and HK packages inconsistent
    - Error at peripheral interfaces (I<sup>2</sup>C, SPI, DMA)
    - Discrepancies in configuration memories

### **2** Dual Boot Functionality

- using time delay at PFI input during power up to start from nominal boot device
- corrupted configuration will force a reset 1 due to missing 'alive' signal and PFI output (BootSelect) has inverted after this time





- ISL706ARH (5962R1121304VXC)
- QML qualified per MIL-PRF-38535
- High dose rate 100krad(Si)
  - SEL LETTH 86MeV•cm2/mg



video

### FIRMWARE CHECK AND ,SELF-REPAIR'

#### TMR like behavior of the three configuration memories



videc



Each configuration memory holds the binary boot image and the correct MD5 hash tag in a separate file.

1) BIST

- At power-up time 'System-checker' process
- Firmware and stored MD5# are checked
  → FW OK marker for each device
- MD5# tags are compared to each other's
  → Discrepancy of memory content
- 2) Self-Repair, in case of a discrepancy
  - consistent memory is copied to the faulty one

### **IN-FLIGHT RECONFIGURATION**

#### **Communication Concept**

- OBC handles all ground communication via radio (S-, X- Band)
- Ground testing via direct network link
- Multiple physical interfaces



#### CubeSat Space Packet Protocol\*(CSPP)

• CSPP supports multiple interfaces (physical layer)

JÜLICH

Forschungszentrum

video

• 16 Byte Header,

8

- Protocol and Routing information
- Parameter and Data block, CRC secured



### **IN-FLIGHT FIRMWARE UPLOAD**

#### **Firmware**

→ BOOT.BIN

BOOT.bin

fsbl

Firmware consists of **three** parts:

- First-Stage-Bootloader (fsbl)
- PL configuration bit stream (.bit)
- PS application code (.elf).

~ 100 KB

1.8 ... 4 MB

~ 1 MB (FreeRTOS)

or as single files

**BOOT.bin** 

- fsbl PL .bit PS .elf
- Files can be compressed in Xilinx Vivado toolchain, to reduce uplink capacity







### FIRST IMPLEMENTATION RESULTS





|                 |           |           |            | ZYNQ - 7000             |         |      | ULTRASCALE +        |         |      |
|-----------------|-----------|-----------|------------|-------------------------|---------|------|---------------------|---------|------|
|                 |           |           |            | TE720-ECC (S/N: 609088) |         |      | TE820 (S/N: 527320) |         |      |
| reconfiguration |           | dose rate |            |                         |         |      |                     |         |      |
| cycle           | meas_time | in krad/h | TID / kRad | QSPI                    | SD_Card | EMMC | QSPI                | SD_Card | EMMC |
| 1               | 18:44:00  | 1         | 0.00       | pass                    | pass    | pass | pass                | pass    | pass |
| 2               | 19:40:00  | 1         | 0.93       | pass                    | pass    | pass | pass                | pass    | pass |
| 3               | 22:05:00  | 1         | 3.35       | pass                    | pass    | pass | pass                | pass    | pass |
| 4               | 23:50:00  | 1         | 5.10       | pass                    | pass    | pass | pass                | pass    | pass |
| 5               | 05:30:00  | 1         | 10.76      | pass                    | pass    | pass | pass                | pass    | pass |
| 6               | 08:30:00  | 1         | 13.76      | pass                    | pass    | pass |                     |         |      |
| 7               | 09:15:00  | 1         | 14.51      | fail                    | pass    | pass |                     |         |      |
| 8               | 10:50:00  | 0         | 14.51      | fail                    | pass    | pass |                     |         |      |
| 9               | 12:14:00  | 3         | 18.71      | fail                    | pass    | pass |                     |         |      |
| 10              | 12:29:00  | 3         | 19.40      | fail                    | pass    | pass |                     |         |      |

#### Thermal Cycling Tests



temperature cycling test 60 120 100 40 temperature / °C 20 Time (sec) 60 0 40 -20 -40 20 -60 0 09:00:00 10:12:00 11:24:00 12:36:00 13:48:00 15:00:00 16:12:00 time / hh:mm Ambient Temperature QSPI Erase cycles

video

### **SUMMARY**

- Reconfiguration strategy using BIST classify hazards into different risk levels leads to interact on demand
- With additional memory devices available at SoM a highly secured boot process are demonstrated
- Dual boot functionality with a simple supervisor chip increases reliability
- Implementation of on-board firmware self check and repair is secured based on MD5 checksum
- In-flight reconfiguration using packet based protocol (CSP) is independent from physical layer interfaces (CAN, I<sup>2</sup>C, UART, LAN,...)
- Firmware can be partly uploaded and compressed to safe uplink time

## THANK YOU FOR YOUR ATTENTION

Please join the Q&A WEBINAR (Aug. 11th). Further information in conference proceeding paper (SSC21-VIII-08).





videc

Mitglied der Helmholtz-Gemeinschaft