8 research outputs found

    Soft-core processor study for node-based architectures.


    Fault-tolerant satellite computing with modern semiconductors

    Miniaturized satellites enable a variety of space missions which were in the past infeasible, impractical or uneconomical with traditionally designed heavier spacecraft. CubeSats in particular can be launched and manufactured rapidly at low cost from commercial components, even in academic environments. However, due to their low reliability and brief lifetime, they are usually not considered suitable for life- and safety-critical services, complex multi-phased solar-system-exploration missions, and missions with a longer duration. Commercial electronics are key to satellite miniaturization, but are also responsible for their low reliability: until 2019, there existed no reliable or fault-tolerant computer architectures suitable for very small satellites. To overcome this deficit, a novel on-board-computer architecture is described in this thesis. Robustness is assured without resorting to radiation hardening, but through software measures implemented within a robust-by-design multiprocessor system-on-chip. This fault-tolerant architecture is component-wise simple and can dynamically adapt to changing performance requirements throughout a mission. It can support graceful aging by exploiting FPGA reconfiguration and mixed criticality. Experimentally, we achieve 1.94 W power consumption at 300 MHz with a Xilinx Kintex Ultrascale+ proof-of-concept, which is well within the power budget range of current 2U CubeSats. To our knowledge, this is the first COTS-based, reproducible on-board-computer architecture that can offer strong fault coverage even for small CubeSats. European Space Agency. Computer Systems, Imagery and Medi

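    New fault-injection techniques for embedded systems using virtual models described at the transaction level (original title: Nuevas técnicas de inyección de fallos en sistemas embebidos mediante el uso de modelos virtuales descritos en el nivel de transacción)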

    Better software, faster. This is the challenge that arises from the need to build ever more intelligent systems. In any current embedded design, software is a fundamental component that gives the system a high degree of configurability, a large number of functions and elasticity in the system's behaviour in exceptional situations. If, moreover, the development of the combined hardware/software integrated in a System on Chip (SoC) is part of a critical control system in which fault-tolerance requirements must be taken into account, their exhaustive verification consumes an ever larger share of the total resources devoted to developing and commissioning the system. In this context, the use of classical co-design and co-verification methodologies is completely inefficient, and new technologies and tools are needed for the early development and verification of embedded software. Among them is the one proposed in this thesis, which addresses the problem through the use of executable hardware models defined at the transaction level. Because of the strict robustness requirements that prevail in space software development, verification tasks must be carried out at very early stages of development to ensure that the fault-tolerance mechanisms set out in the system specification work properly. In general, it is desirable for these tasks to be carried out in parallel with hardware development, anticipating problems or errors in the system specification. 
Furthermore, complete verification of the exception mechanisms implemented in the software may be impossible to perform on real hardware, since the fault scenarios must be generated artificially and systematically by means of fault-injection techniques that allow controllable, observable and reproducible injection campaigns. This thesis describes the research, development and use of a virtual platform called "Leon2ViP", with fault-injection capability and based on SystemC/TLM2 interfaces, for the early development and verification of embedded software within the Solar Orbiter project. In this way it has been possible to run and test exactly the same binary code that is to run on the real hardware, but in a more controllable and deterministic environment. This allows highly focused fault-injection campaigns that would not otherwise be possible. The use of "Leon2ViP" has meant a significant improvement, in terms of cost and time, in the development and verification of the boot software of the instrument control unit (ICU) of the Energetic Particle Detector (EPD) on board Solar Orbiter.

    Timing Predictability in Future Multi-Core Avionics Systems


    Dynamic partial reconfiguration in fault-tolerant FPGA systems

    Korf S. Dynamisch partielle Rekonfiguration in fehlertoleranten FPGA-Systemen. Bielefeld: Universität Bielefeld; 2017. The demands placed on microelectronic systems are rising continuously. Reconfigurable architectures offer a compromise between the performance of application-specific integrated circuits (ASICs) and the flexibility of today's processors. Field-Programmable Gate Arrays (FPGAs) have become particularly well established in this role over recent decades. The dynamic partial reconfiguration (DPR) configuration mode of modern SRAM-based FPGAs illustrates the system flexibility gained. DPR is used in a wide variety of application areas for a wide variety of reasons. The main application of DPR is building a system that allows changes to the circuit on the FPGA at run-time. Although many FPGA families have supported DPR in hardware for two decades, the support provided by vendor software, and in particular the properties of the resulting DPR system, leave room for improvement. To exploit the potential of the available hardware flexibility, this dissertation presents a new design flow (INDRA 2.0, INtegrated Design Flow for Reconfigurable Architectures). This design flow makes it possible to build a flexible DPR system with low memory, management and maintenance overhead. For applications with homogeneity requirements, DHHarMa (Design Flow for Homogeneous Hard Macros) is presented, a design flow that transforms an initially inhomogeneous design into a homogeneous one. This design homogenization raises the question of how the individual homogenization steps affect FPGA resource usage and performance. 
The individual DHHarMa software components were therefore analysed in detail using various evaluation metrics. It was found that the homogenization steps have, on average, a positive and in some cases marked effect on FPGA resource usage, but in some cases a small negative effect on performance. The FPGA architecture used has a decisive influence on both quantities. In addition, in application areas exposed to radiation, DPR functionality is used in methods for mitigating radiation-induced faults. The dissertation presents the Readback Scrubbing Unit, a component that implements single-bit error correction and double-bit error detection in the FPGA configuration memory. Integrated error-statistics mechanisms provide an analysis of the system at run-time. Readback scrubbing schedules can also be created, so that error detection and correction can run autonomously and can be adapted at run-time. In addition, OLT(RE)² (On-Line on-demand Testing approach for permanent Radiation Effects in REconfigurable systems) is presented, a self-test for an SRAM-based FPGA. At system run-time, this self-test allows an FPGA area to be checked for permanent faults in the routing resources before it is used.

    Communication platform for inter-satellite links in distributed satellite systems

    EThOS - Electronic Theses Online Service; GB; United Kingdo

    Investigation of radiation-hardened design of electronic systems with applications to post-accident monitoring for nuclear power plants

    This research aims at improving the robustness of electronic systems used in high-level radiation environments by combining radiation-hardened (rad-hardened) design and fault-tolerant techniques based on commercial off-the-shelf (COTS) components. A specific aim of the research is to use such systems for wireless post-accident monitoring in nuclear power plants (NPPs). More specifically, the following methods and systems are developed and investigated to accomplish the expected research objectives: analysis of radiation responses, design of a radiation-tolerant system, implementation of a wireless post-accident monitoring system for NPPs, performance evaluation without repeated physical tests, and experimental validation in a radiation environment. A method is developed to analyze ionizing radiation responses of COTS-based devices and circuits in various radiation conditions, which can be applied to design circuits robust to ionizing radiation effects without repeated destructive tests in a physical radiation environment. Some mathematical models of semiconductor devices for post-irradiation conditions are investigated, and their radiation responses are analyzed using a Technology Computer Aided Design (TCAD) simulator. Those models are then used in the analysis of circuits and systems under radiation conditions. Based on the simulation results, a rapid power-off method may effectively protect electronic systems under ionizing radiation. It can be a potential solution to mitigate damage to electronic components caused by radiation. With simulation studies of photocurrent responses of semiconductor devices, two methods are presented to mitigate the damage of total ionizing dose: component selection and radiation shielding protection. 
According to the investigation of the radiation tolerance of regular COTS components, most COTS-based semiconductor components may experience performance degradation and radiation damage when the total dose is greater than 20 K Rad (Si). A principle of component selection is given to obtain suitable components, and a method is proposed to assess component reliability under radiation environments, which uses radiation degradation factors instead of the usual failure rate data in the reliability model. The radiation degradation factor serves as the input describing the radiation response of a component under a total radiation dose. In addition, a number of typical semiconductor components are selected as candidate components for the application of wireless monitoring in nuclear power plants. On the other hand, a multi-layer shielding protection is used to reduce the total dose to less than 20 K Rad (Si) for a given radiation condition; the selected semiconductor devices can then survive in the radiation condition with the reduced total dose. A calculation method for the required shielding thickness is also proposed to achieve the design objectives. Several shielding solutions are also developed and compared for applications in wireless monitoring systems in nuclear power plants. A radiation-tolerant architecture is proposed to allow COTS-based electronic systems to be used in high-level radiation environments without using rad-hardened components. Regular COTS components are used with some fault-tolerant techniques to mitigate damage to the system through redundancy, online fault detection, real-time preventive remedial actions, and rapid power off. The functions of measurement, processing, communication, and fault tolerance are integrated locally within all channels without additional detection units. A hardware emulation bench with redundant channels is constructed to verify the effectiveness of the developed radiation-tolerant architecture. 
Experimental results have shown that the developed architecture works effectively and redundant channels can switch smoothly in 500 milliseconds or less when a single fault or multiple faults occur. An online mechanism is also investigated to detect and diagnose radiation damage in a timely manner in the developed redundant architecture, enhancing its radiation tolerance. This is implemented by the built-in-test technique. A number of tests using fault injection techniques have been carried out on the developed hardware emulation bench to validate the proposed detection mechanism. The test results have shown that faults and errors can be effectively detected and diagnosed. For the developed redundant wireless devices under a given radiation dose (20 K Rad (Si)), the fault detection coverage is about 62.11%. This level of protection could be improved further by putting more resources (CPU consumption, etc.) into the function of fault detection, but the cost will increase. To apply the above investigated techniques and systems under a severe accident condition in a nuclear power plant, a prototype of a wireless post-accident monitoring system (WPAMS) is designed and constructed. Specifically, the radiation-tolerant wireless device is implemented with redundant and diversified channels. The developed system operates effectively to measure up-to-date information from a specific area/process and to transmit that information to a remote monitoring station wirelessly. Hence, the correctness of the proposed architecture and approaches in this research has been successfully validated. In the design phase, an assessment method that does not require repeated destructive physical tests is investigated to evaluate the radiation tolerance of electronic systems by combining the evaluation of radiation protection and the analysis of the system reliability under the given radiation conditions. 
The results of the assessment studies have shown that, under given radiation conditions, the reliability of the developed radiation-tolerant wireless system can be much higher than that of non-redundant channels, and that it can work in high-level radiation environments with total dose up to 1 M Rad (Si). Finally, a number of total dose tests are performed to investigate radiation effects induced by gamma radiation on distinct modern wireless monitoring devices. An experimental setup is developed to monitor online the signal measurement and transmission performance of the developed distinct wireless electronic devices directly under the gamma irradiator at The Ohio State University Nuclear Reactor Lab (OSU-NRL). The gamma irradiator generates dose rates of 20 K Rad/h and 200 Rad/h on the samples, respectively. It was found that both the measurement and transmission functions of the distinct wireless measurement and transmission devices work well under gamma radiation conditions before the devices are permanently damaged. The experimental results have also shown that the developed radiation-tolerant design can be applied to effectively extend the lifespan of COTS-based electronic systems in the high-level radiation environment, as well as to improve the performance of wireless communication systems. According to the testing results, the developed radiation-tolerant wireless device with shielding protection can work at least 21 hours under the highest dose rate (20 K Rad/h). In summary, this research has addressed important issues in the design of radiation-tolerant systems without using rad-hardened electronic components. The proposed methods and systems provide an effective and economical solution to implement monitoring systems for obtaining up-to-date information in high-level radiation environments. The reported contributions are of significance both academically and in practice.

    Run-time reconfigurable, fault-tolerant FPGA systems for space applications

    Cozzi D. Run-time reconfigurable, fault-tolerant FPGA systems for space applications. Bielefeld: Universität Bielefeld; 2016. The aim of this thesis is to investigate the use of Dynamic Partial Reconfiguration (DPR) on Commercial Off-the-Shelf (COTS) FPGAs in space applications. Reconfigurable systems have gained interest in a wide range of application fields, including aerospace, where electronic devices are exposed to a harsh working environment. COTS SRAM-based FPGA devices represent an interesting hardware platform for this kind of system since they combine low cost with the possibility of utilizing state-of-the-art processing power as well as the flexibility of reconfigurable hardware. FPGA architectures have high computational power and, thanks to their ability to be reconfigured at run-time, they have become interesting candidates for payload processing in space applications. The presented Dynamic Reconfigurable Processing Module (DRPM) has been developed to investigate the use of the DPR approach for satellite payload processing. This scalable platform combines dynamically reconfigurable FPGAs with the required avionic interfaces (e.g., SpaceWire, MIL-STD-1553B, and SpaceFibre). In particular, a novel communication interface has been developed, the Heterogeneous Multi Processor Communication Interface (HMPCI), which allows inter-process communication with small latency and low memory footprint. Current synthesis tools do not fully support the DPR capabilities of FPGAs. Therefore, this thesis introduces INDRA 2.0: an INtegrated Design flow for Reconfigurable Architectures. The key part of INDRA 2.0 is DHHarMa: a Design flow for Homogeneous Hard Macros, which generates homogeneous hard macros for Xilinx FPGAs starting from a high-level description (e.g., VHDL). In particular, the homogeneous DHHarMa router is explained in detail, providing novel terminologies and algorithms, which have enabled the generation of homogeneous routed designs. 
Results have shown that the Design flow for Homogeneous Hard Macros (DHHarMa) can homogeneously route a communication infrastructure utilizing just between 1% and 31% more resources than the Xilinx router, which cannot provide a homogeneous solution. Furthermore, the permanent faults that can occur on FPGAs have been investigated. This thesis presents OLT(RE)²: an on-line on-demand approach to testing permanent faults induced by radiation in reconfigurable systems used in space missions. The proposed approach relies on a test circuit and a custom placer and router. OLT(RE)² exploits DPR to place the test circuits at run-time. Its goal is to test unprogrammed areas of the FPGA before using them. Experimental results of OLT(RE)² have shown that it is possible to generate, place, and route the test circuits needed to detect on average more than 99 % of the physical wires and on average about 97 % of the programmable interconnection points of a large arbitrary region of the FPGA in a reasonable time. Moreover, the test can be run on the target device without interfering with the functional behavior of the system.