

## **ADCSS: FATI TAS PRESENTATION**

### GOAL: PRESENT THE RESULT OF STUDIES ON HIGHLY INTEGRATED AVIONICS

**Barthelemy Attanasio** 

12/11/2019

Date: 12/11/2019 Ref: Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION

This document is not to be reproduced, modified, adapted, published, translated in any material form in whole or in part nor disclosed to any third party without the prior written permission of Thales Alenia Space. © 2019 Thales Alenia Space

THALES ALENIA SPACE INTERNAL



# TABLE OF CONTENTS



Highly Integrated Avionic Principles



**Next Activities** 



TAS point of view



Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION

This document is not to be reproduced, modified, adapted, published, translated in any material form in whole or in part nor disclosed to any third party without the prior written permission of Thales Alenia Space. © 2019 Thales Alenia Space

THALES ALENIA SPACE INTERNAL



### HIGHLY INTEGRATED AVIONIC PRINCIPLES

#### /// Objective :

 To study and consolidate future integrated avionics architectures based on SoC (System on Chip). Using new FPGA chips.

#### /// Expected result :

• First redundancy choices and associated reliability/availability figures.

#### /// Questions:

 How will be developed and implemented the classical avionic functions in a SoC. Proposition on a new implementation

### /// To re-think SAVOIR generic OBC

specification scope with some minor modifications.

### SoC Boundaries



#### PROPRIETARY INFORMATION

This document is not to be reproduced, modified, adapted, published, translated in any material form in whole or in part nor disclosed to any third party without the prior written permission of Thales Alenia Space. © 2019 Thales Alenia Space





Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

### DIFFERENCE OF ARCHITECTURE

### **Cutting-Edge Computers** Star TMTC Tracker Security



**Current SMU** 

/// Composed of Several Boards with each its controller or processor: Nominal and redundant boards

Vs

GNSS

/// Multi-processing System-**On-a-Chip enables** disruptive avionic architecture: Single high processing capacity chip.

/// Maximum use of mezzanine boards for remaining HW.

# File management system + Memory







Date: 12/11/2019 Ref: XXXXX Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION

### **IMPLEMENTATION OF HIGHLY INTEGRATED AVIONICS**

#### /// Integrated functions in the MP SoC

- Hardware
- IP integration in the FPGA
- Detailed design of the SW

/// Classical Avionic functions all integrated

 /// New SoC defined "from scratch" with DAHLIA
 H2020 project. Possibility to do a high step forward getting rid of "burdening" heritage,
 following still applicable Standards but re-shaping it when possible.

/// FPGA allows flexibility with implementation which can be modified from one mission to the other: (additional X/Ka-Band TM encoder).



#### Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION

This document is not to be reproduced, modified, adapted, published, translated in any material form in whole or in part nor disclosed to any third party without the prior written permission of Thales Alenia Space. © 2019 Thales Alenia Space OPEN



### **FPGA**

#### New FPGAs: breakthrough technology.

Two examples:

#### In the frame of DAHLIA consortium

- NG-Ultra SoC developed by STMicro and NanoXplore
- · Rad-hard components not affected by SEE.

### Hyperion on ATTIPIC Project:

- Based on COTS chip which is Fault-tolerant.
- New opportunity for cheap missions

### These two FPGA used for space bring new architecture

But different because of the nature of the chip and SoC services available inside.



Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION





### **FUTURE MISSIONS**

# /// Included in the Roadmap for next TAS satellites in the next years.

#### /// Computers which will be more integrated, bring:

- Cost saving for telecommunication satellites or constellations
- mass saving : very interesting specially for exploration missions
- a more powerful processing unit.

#### /// Can save equipment thanks to SW involvement, Several SW can run on it:

- Additional OBC board to be avoided.
- Perform other Data Handling functions such as PDHT function payload memory management or even on-board pre-processing.
- Add new kind of function like monitoring of equipment.

#### /// Low recurrent cost due to HW reduction

Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION

This document is not to be reproduced, modified, adapted, published, translated in any material form in whole or in part nor disclosed to any third party without the prior written permission of Thales Alenia Space. © 2019 Thales Alenia Space



/// Non-exhaustive list. In addition, Observation missions, science missions...





### SW INVOLVED EARLY IN THE DESIGN

/// SW involved at the beginning of the SoC start up after being powered.

- /// SW involved in early designs to share avionic functions implementation.
- /// More confident in the SW thanks to CORE partitioning and SW partitioning thanks to new hypervisor.
- /// Decades of use of single core processors have not prepare us to the new multiple cores paradigm. In particular, the classical way to manage the interruptions must be rethought.
- /// Opening point on possible improvement and modification of some parts of Standards due to Modification on the implementation SW, HW, IPs in discussion

#### PROPRIETARY INFORMATION





### **NEW SW PERSPECTIVES**

. . . . .

|                                  | <ul> <li>/// SW Architectures</li> <li>Single Core vs Multi-core Processor</li> <li>Partitioning: New kind of use.</li> </ul> | New Approach                  |                                   |                                 |        |  |
|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------|-------------------------------|-----------------------------------|---------------------------------|--------|--|
| Previous SW design               |                                                                                                                               |                               |                                   |                                 |        |  |
| riccoonig                        | /// The new type of processor core require a new OS                                                                           | Processing Subsystem          |                                   |                                 |        |  |
| Core 0 : Applicative<br>Software | /// Use of RTOS and<br>hypervisor                                                                                             | Core 0 :<br>Applicative<br>SW | Core 1 :<br>Avionic<br>Monitoring | Core 2 :<br>Payload<br>Software | Core 3 |  |
|                                  | /// Multi-core architecture can<br>offer advanced features                                                                    |                               |                                   |                                 |        |  |
|                                  | /// Dispatching of the tasks within clusters                                                                                  |                               |                                   |                                 |        |  |

Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION





### TRADE-OFF IN FATI

/// Functional Trade-off: Take the benefit of the new development with a disruptive technology to do a huge step forward but controlling the technical choices. Specially of the most important avionic functions for the satellite. Objective to reduce HW functions to reduce the recurrent cost when it is feasible and acceptable.

#### /// Reconfiguration Unit inside the SoC but with a mutual monitoring:

- One function in one SoC check the integrity of the partner one.
- If one SoC fails, it is accepted to work with a one single RM.

#### /// Essential TC: need to control the spacecraft still identified even in case of SW bug.

- More than hundred of Essential TC.
- With highly integrated avionic, some essential TC are internally in the SoC. Therefore, a distinction shall be made between internal essential TC and those which are external to the SoC which would be less than before. Implementation subject to evolve.

# /// Essential TM: to retrieve an observability of the spacecraft in case of ASW bug still identified as an option:

Dedicated discussions on this subject internally and with agencies.

Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION





### **RELIABILITY: NEW APPROACH**

/// Modification of the approach: New paradigm for OBC FMEA analysis. All will be integrated in the same chip and functions will be shared between HW, Firmware and IPs.

#### /// Modify the scope of the analysis:

- The chip has basic services to make it work: must be familiar with these SoC services.
- Impossible or very hard to put number of FIT on a SW function or on services not already tested.
- Reliability seems to be easier because everything is included in the same chip. But the definition of hypotheses shall be clear.



Template: 83230347-DOC-TAS-EN-006

or in part nor disclosed to any third party without the prior written permission of Thales Alenia Space. © 2019 Thales Alenia Space

### RELIABILITY: FMEA METHODOLOGY

#### /// Input for the Reliability Analysis

- First Focused on the SoC NG-Ultra but generalized to any SoC.
- Inputs on the design and SoC services from Dahlia Consortium.
- Study commonly done with ADS and TAS RAMS and avionic engineers.
- HW and SW teams including experts brought their feelings.
- Beginning of FMEA with failure analysis on functional chains.

#### /// Clarify the HW failure: Temporary Failure or Permanent failures. Not the same impact depending when the failure occurs:

- First boot of the SoC
- SoC reboot during the mission
- At any time during the mission

#### /// Classical Functions: the impacts of failures on the OBC and at satellite level with their criticality, are expressed.



OPEN

Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION

This document is not to be reproduced, modified, adapted, published, translated in any material form in whole or in part nor disclosed to any third party without the prior written permission of Thales Alenia Space. © 2019 Thales Alenia Space





DHALIA Project

MP-SOC









life, augmented

### RELIABILITY: FMEA METHODOLOGY SoC functions:

#### Hypotheses:

- /// SoC with Redundancy: two redundant parts exist as for every mission.
- /// SW problems/failures linked to the implementation/coding/etc. are not part of the analysis. RAMS and SW Quality competences and expertise will be mixed later.
- /// Hypotheses on Power Supply: 2 SoC are power supplied by 2 DC/DC boards.
- /// No environment impacts directly to the HW parts studied
  - No Radiation: SoC SEE Free
  - No Hw failure during launch

 /// eROM, eRAM, DDR controller, DMA controller, Flash Controller, Boot SpW, JTAG, Debug and Test, Power Management, Clock, Reset, Bitstream Manager, OTP Security, Network Interconnect, Watchdog.



#### /// Generalization to all SoC

#### Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION





### **RELIABILITY: FIRST RESULTS**

**Blocking points:** 

/// Hard to assess the feared event almost since no experience exists on this technology.

/// Hard to know the best way to recover.

End of the first analyses:

/// No ground recommendation

- Before launch during integration. It is assumed that failures are detected.
- Operation during in-flight processes.

#### /// Recommendation at SoC level regarding the I/O, the use of the SoC and the use of the redundancy.

- From an FDIR point of view, it is essential to know the health of each embarked units, both at their start up and while functioning.
- New philosophy of reconfiguration. In several cases, the only consequence at system level is a global switch of SoC due to highly integrated avionic functions.
- New interesting recommendation regarding mainly the boot strategy and the monitoring of the chips.

Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION





### **NEXT ACTIVITIES**

/// Reliability Analysis on the NG-Ultra chip: All the different SoC services have been studied.

/// Next Steps will enable activities on the overall board design and the overall OBC.



#### Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION





### **NEXT ACTIVITIES**

#### /// To link quantitatively the design and the reliability scheme:

- Design made in Capella : on a Model based approach. Design of SoC generally fixed but the design of boards will be fully in industrial hands.
- Assessment of reliability of each service or function shall be done thanks to expert feelings depending on the implementation by HW, FW or SW.
- Tool to Link with Excel Reliability computing developed after ESA studies.



Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION





### CONCLUSIONS

/// Synergies with Airbus D&S.

/// Involvement of each family work: HW engineers, SW engineers, FPGA engineers, RAMS engineers.

/// Still work to be done on reliability to converge on the architecture and the reconfiguration strategies.

/// Enter in details to SoC functioning improves engineer skills to use this breakthrough technology for space application.

#### PROPRIETARY INFORMATION



# **QUESTIONS?**

Date: 12/11/2019 Ref: xxxxx Template: 83230347-DOC-TAS-EN-006

#### PROPRIETARY INFORMATION

This document is not to be reproduced, modified, adapted, published, translated in any material form in whole or in part nor disclosed to any third party without the prior written permission of Thales Alenia Space. © 2019 Thales Alenia Space

THALES ALENIA SPACE INTERNAL

