# High Performance COTS Based Computer (Hi-P CBC) Step II activities

Mathieu Patte, Fabrice Cros, Raoul Grimoldi TO: R. Trautner, ESA

19/09/2014



# Introduction

#### High performance COTS based computer activity

- ESA activity (second step) (contract 4500142409), Technical officer : Dr. Roland Trautner
- Led by Airbus Defence and Space (Toulouse), subcontractor OHB CGS from Italy
- Objectives: Refine the architecture defined in phase I, implement a flight representative demonstrator
- COTS components: components in mass production for ground applications

#### Activity Context

- In the frame of NGDSP activities, ESA is exploring alternative ways to get a general purpose, space qualified DSP (target 1 GFLOP/s)
- ESA is exploring use of COTS components for different mission profiles (high reliability, high availability, and high performance)

2

#### Presentation outlook

- COTS components in space : highlights and constraints
- Requirements analysis
- SmartIO based mitigation architecture
- Demonstrator implementation and test results
- Flight system performance assessment



# COTS in space: highlights and constraints



reserved.

All rights

Def

This document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owner's written consent | [Airbu

# Reasons for using COTS components in space

#### Technology gap

- Latest rad-hard technology : 180nm, upcoming 65nm
- Latest commercial technology : 28nm, 22nm
- Density difference > 50x between 180nm rad-hard and 28nm node. 10x between 65nm and 28nm
- Leads to better performance per W, higher maximum performance

#### Rich ecosystems

- A lot of investments in functional architecture : FPGA, DSP, heterogeneous architecture
- Mature and efficient development and programming tools
- Large user base
- Leads to quicker and cheaper function developments
- Low cost
  - Low COTS components recurrent price compared to higher and higher non-recurrent prices for rad-hard component development!
  - Availability of low cost evaluation kits



# Constraints for using COTS components in Space

#### Mechanical and thermal

- Need to repackage commercial chip in qualified packages
- Soldering technologies for high pin count packages in development
- Latch-up tolerance:
  - External latch-up protection cannot be used  $\rightarrow$  COTS components need to be latchup immune
  - More and more COTS components are latchup immune! (SOI processes)
  - Easy to test and to screen components (laser tests, quick radiation tests)
  - → Latchup is not a problem
- Total lonizing Dose tolerance:
- Requirements : ~10Krad in LEO, ~100Krad in GEO, ~1Mrad for space exploration
- TID tolerance is getting better with technology scaling: ST-65nm is ok at 100Krad, ST-45nm is ok at 300Krad

5

- Shielding can always be used to reduce TID (trade off with mass)
- $\rightarrow$  TID is not a problem
- Single Event Effects: single bit upsets, multiple bits upsets
  - Per bit sensitivity is decreasing with scaling, but density is increasing
  - New technologies like FinFET and FDSOI show better robustness to MBU
  - COTS architecture are very complex, it's very difficult to characterize the effect of an SEU!
- $\rightarrow$  We need to handle SEU!



# Requirements analysis and demonstrator specification



å

property of Airbus Defence and Space.
third party without the owner's written consent | [Airb

This documen It shall not be

#### Requirements analysis and demonstrator specification

#### Processing power and availability requirements survey

- For several upcoming science missions, based on available documentation in 2011
- Extracting processing performance requirement
- « Guessing » availability requirement : the impact of short functional interrupts is usually not assessed
- SEE robustness is a combination of the radiation environment and the availability requirement of the mission

#### Two different performance@availability profiles:

- Medium Availability / High Performance: 2GFLOPS@99,9%, during solar storm
- High Availability / Medium Performance 1GFLOPS@99,999%, during solar storm





# Fault mitigation architecture

reserved.

All rights I

This document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owner's written consent | [Airbus Def



#### Fault mitigation architecture

#### Objective for the mitigation architecture

- Shall not reduce the performance of COTS
- Shall be as flexible and versatile as COTS (adaptable to new COTS, reprogrammable)
- Shall allow for easy demonstration of fault detection and isolation

#### State of the art: Self-mitigation

- Use redundancies internal to the COTS components to detect and correct errors
- Used in Space Micro Proton 200K SBC, with TIC6727 DSP, popular for multicore architecture
- Problems: component specific solution, corner cases not easily demonstrated (SEU in comparison logic), require detailed radiation characterization campaign

9

#### Statue of the art: Micro-mitigation

- Make use of a tightly coupled rad-hard mitigation unit
- Used in Maxwell SCS750 PowerPC architecture
- Problems: component specific solution, COTS component slow down by mitigation unit



# SmartIO based mitigation architecture

#### **Overall architecture**

- Rad hard SmartIO component is in charge of the interface between the COTS world and the rad hard world and implements the fault mitigation techniques
- COTS components are managed by the SmartIO, shared memory mechanisms
- The SmartIO can buffer input data in a local fast memory, and replay input data in case of error

#### Benefits

- SmartIO / PM link is a high level data link: SpW or SRIO, PCIe → flexibility
- PM are slaves of the SmartIO : simplicity of the fault model  $\rightarrow$  reduced radiation campaign

10

- SmartIO includes a  $\mu$  processor to manage fault mitigation techniques  $\rightarrow$  versatility
- Batch processing and results checking using signature  $\rightarrow$  performance







- Rifter P)
- 134073N7
  - After a defined static time, SmartlO triggers a RMAP read of the results the Software programs a RMAP write of the block of instrument data + DSP application program code + auxiliary data (Pereference) value) ut the PWs incondries ead data
- In 3 PMs configuration, only 2 sets of results are actually read (third is dummy) 8.



#### SmartIO based architecture, features and use cases

#### Several mitigation strategies

- Space triplication with replay : error correction, high availability
- Space duplication : error detection
- Time duplication : lower processing performance, lower mass/power
- Golden frame mode, a reference job is executed periodically to ensure good health of processing units: best efficiency, lower availability

#### Flexible and versatile architecture

- SmartIO / PM link is generic (SpW, PCIe, SRIO,...): allows selecting the best COTS for the mission (FPGA or DSP)
- Choice of mitigation strategy allow performance versus availability tradeoff, suited to mission requirements
- In flight reconfiguration of mitigation techniques

#### Use scenarios

- Centralized data processing units for several payloads
- Adapt performance/availability for different mission phases







# SmartIO Hardware & Software design



reserved.

All rights

This document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owner's written consent | [Airbus Def

#### HiP CBC demonstrator hardware design







# SmartIO demonstrator Hardware STARKIT for SCOC3

- SCOC3 SoC design by Airbus Defence and Space
- Based on SPARC V8 LEON3FT core
- Interfaces:
- Debug Support Unit interface (Serial interface via UART)
- CCSDS TC decoder, CCSDS TM encoder
- 2 MIL-STD 1553B interface
- ➤ 2 CAN modules
- > 4 UART interfaces: UART2 for the DSU, UART1 for the monitor, 2 UARTs IO
- ➢ 7 SpaceWire links
- Memory expansion connector (for additional memory connected to the SCOC3)





# SmartIO Software

# ApplicationData packets<br/>dependencies and<br/>synchronization.<br/>TM/TCMitigationError mitigation<br/>schemes and<br/>implementationGeneric BSPPM<br/>specific<br/>BSPIO and memory<br/>management.

#### **Application layer**

- Processing scheduling
- Manage communications with instruments and platform

#### **Mitigation Layer**

- · Allows the application to process data on the PMs
- · Handles the error done by the PMs transparently for the application

# **BSP** Layer

- Generic BSP
  - Drivers of the SmartIO board
- PM specific BSP
  - Drivers specific to the PM used
  - Allows control on the PM

#### → Generic software architecture, independent of actual PM used

16





## **Mitigation layer**

## 2 PM scheduling modes

- Sequential
- Pipeline (computation concurrent with data transfers)

#### 4 Mitigation techniques

- Space triplication
- Space duplication
- Time duplication
- Golden frame mode

## Scheduling capabilities

- 1 FIFO per PM that queues the application's requests
- Multiple mitigation techniques can be used
- Total deadline for a job imposed by the Application
- · Automatic replay if the deadline is not exceeded

#### → Runtime flexibility / multiple payload management







#### **Task Distribution**





#### **Task Distribution**





#### **Task Distribution**





Space Triplication



Space Triplication





# Processing Module hardware and software design

reserved.

All rights

Def

This document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owner's written consent | [Airbus



#### High Performance Processor Module Development

- The TI C6727B Floating Point DSP have been selected among different candidates for the design of a High Performance Processor Module to be coupled with the SmartIO via serial links
- The SMV320C6727B-SP has been tested for heavy ions and high energy protons in order to evaluate the behavior under radiation for Latchup, SEU and SEFI rate
- FM representative PM module has been designed around DSP SMV320C6727B-SP proto @ 250MHz with use of parts with available equivalent FM
- A Basic SW handling the communication with the Smart-IO and allowing the load of the application SW and some benchmark SWs for the performance evaluation according to the NGDSP benchmark definition have been coded
- 3 PM modules have been manufactured and integrated in the Hi-P-CBC system for overall system performance demonstration



#### C6727 DSP Overview

The C6727B DSP has the following main features:

- C67+ CPU with 2 identical datapath each composed by 4 functional units and a set of 32 32bit register files
  - D unit for data transfer between registers and memory
  - M for multiplication
  - S and L for arithmetic/logic/branch functions
- 32-bit fixed point and single precision floating-point arithmetic, 64-bit double precision floating-point arithmetic
- 256-bit very long instruction word (VLIW) that can support up to 8 32-bit instructions in parallel (e.g. 4 floating point addition/subtraction in one cycle, 2 floating-point multiply in one cycle)
- > 250-MHz maximum frequency for SMV part, 300 MHz for commercial
- Theoretical performance of 2000MIPS/1500MFLOPS
- External memory interface with 133MHz SDR SDRAM support



#### C6727 DSP Overview

- Internal memory architecture with
  - 256k-Byte unified Program and data RAM divided in 8 banks supporting 3 parallel access (if no bank conflict exist)
  - 384K-Byte unified Program and data ROM including SW primary Boot Loader, DSP BIOS and various libraries, divided in 2 256-bit wide pages each divided in 4 banks
- > 32kbyte direct mapped program cache supporting
  - Single clock access on cache hit, 2 clock cycles on cache miss from RAM/ROM
  - 256bit-wide path to ROM/RAM matched with VLIW size
  - Can be disabled and invalidated by SW
- > dMAX DMA engine with concurrent support of 2 transfers from/to SDRAM/Internal SRAM
- Universal Host Port Interface (UHPI) allowing control of the DSP from an host via 32-bit interface and boot from external host
- Temperature range : -55 °C to 125°C
- > 256 pins CQFP package
- Available in QML-V
- Single Event Latch-Up Immune to LET = 117 MeV cm<sup>2</sup>/mg
- Radiation Tolerance: 100 kRad TID (Si)



#### **Processor Module HW Overview**



#### **Features**

- DSP SMV320C6727B-SP proto @ 250MHz
- 128MByte SDRAM @ 125 MHz
- 32Mbyte Flash memory for SW storage (TMR protected)
- 128Mbyte safeguard memory with EDAC/Scrubbing
- PROASIC3000 FPGA for companion chip prototyping

#### Interfaces

- +5V primary power input
- 2 x RMAP SpaceWire ports @ 100 Mbit/s
- 2 x TLK2711 ports ready for SpaceFibre implementation
- DSP JTAG Debug port
- FPGA JTAG-based program/debug port
- UART debug port
- Up to 32 LVTTL General purpose I/Os



# **Companion Chip**

The companion chip is designed with a configurable set of modules plugged on a 32-bit AMBA bus, including the following main modules

- UHPI interface, slave on the AHB, allowing the access of the DSP resources that are mapped on the AHB address space and accessible by each master on the AMBA bus
- Boot handler, master on the AHB, allowing the boot of the DSP from the code stored in Flash memory
- DMA engine controller, allowing data transfer on the AHB under host control
- 2 x RMAP SpaceWire @ 100 Mbit/s

The FPGA is ready for the inclusion of 2 SpaceFibre RMAP interfaces





#### **Processor Module**

- In order to maximize the performance the DSP SMV320C6727B-SP is clocked at the maximum supported clock of 250MHz and no EDAC on the DSP SDRAM memory have been inserted in order to avoid clock reduction
- 128Mbyte safeguard memory with EDAC/Scrubbing have been foreseen for the storage of permanent data that some algorithm may require
- PROASIC3000 FPGA for companion chip prototyping have been selected in order to allow a fast path to an FM implementation using a TMR design in PROASIC or RT-AX FPGA





#### **Processor Module Main Design Drivers**

- The PM module is controlled by an host computer via SpW RMAP that load the code of the task to be executed and the input data, start the computation and then retrieve the data output
- On data output is computed the CRC in order to allow fast comparison of the results of multiple executions of the same task or of the same task executed on multiple PMs depending on the mitigation technique adopted at system level
- The host computer can reset and reboot the DSP, perform a power cycle of the DSP or a complete power cycle of the board via RMAP command in case of outage due to radiation on the PM module depending on the mitigation strategy defined at system level
- The Secondary Boot and Basic SW are stored in a 32Mbyte Flash memory with TMR data protection in order to perform the boot from a radiation immune memory avoiding the need for reload of the basic SW from the host computer





#### **Processor Module SW Overview**

The **PM Software** is subdivided in two components:

- PM Base Software
- PM Application Software

**PM Base Software** is in charge of the following main activities:

- Interrupt Vector table initialization (Reset, NMI, Uhpi)
- PLL initialization
- EMIF initialization
- Program Cache initialization
- Uhpi Initialization
- Boot loading from Uhpi
- SmartIO Command interpreter (DSP Reset, Start Application Function)





#### **Processor Module SW Overview**

The Application Software is in charge of the following main activities:

- Subdivision of input data frame in data segments.
- Dmax initialization (1D transfer type)
- Loading of Segments from SDRAM to Internal SRAM using dMAX.
- Input/Output data dual buffer management.
- Application Algorithm processing (performed from Internal SRAM to maximize the CPU performance )
- Loading of processing results back in SDRAM using dMAX.

In order to perform such activities, the PM SW needs to interface the SmartIO board, for

- acquisition of the PM Application SW code
- acquisition of the necessary data to be elaborated by PM Application SW
- delivery of the processed results to SmartIO.

Because of the Master/Slave architecture between SmartIO and PM, the PM Base Software doesn't participate at all in the

- upload of PM Application SW Code
- upload of PM Application SW Data
- reading of PM Application SW Results

All these activities are made by SmartIO via Rmap, without any active participation from PM Software.



### **Processing Strategy**

- Data and code of the task are loaded by the host via SpW RMAP in the DSP SDRAM and the computation is started
- In order to speed up the algorithm execution, the data loaded in the external SDRAM memory are divided in segments, transferred to the internal 256kbyte SRAM using DMAX DMA engine and processed from the internal SRAM at high speed
- Before execution the program cache is invalidated to clear errors due to radiation in the program cache: the program is read in the cache from the external SDRAM : code can be reloaded by the SmartIO in external SDRAM for each execution to improve radiation hardening
- Results are then moved again to the external SDRAM where can be retrieved by the host together with the data output CRC





# **Processing Module test results**

name]. All rights reserved.

This document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owner's written consent | [Airbus Def



0 0 0

100 (B) (B) (B)

#### DSP benchmarks performances

The performances of NGDSP benchmarks measured with the HI-P PM are shown in the following table

| Benchmark type | Samples | Sample size  | Input Data size | Execution | Proc Rate= |
|----------------|---------|--------------|-----------------|-----------|------------|
|                |         |              | [Bytes]         | time      | MSamples/s |
|                |         |              |                 | [ms]      |            |
| FIR 16 Taps    | 481,320 | 32 bit float | 1,925,280       | 43        | 11.2       |
| FIR 64 Taps    | 481,320 | 32 bit float | 1,925,280       | 88        | 5.5        |
| FIR128 Taps    | 481,320 | 32 bit float | 1,925,280       | 155       | 3.1        |
| FIR256 Taps    | 481,320 | 32 bit float | 1,925,280       | 280       | 1.7        |
| FFT 1024       | 81,920  | complex      | 655,360         | 22        | 3.7        |
|                |         | 2 x 32 bit   |                 |           |            |
|                |         | float        |                 |           |            |
| FFT 2048       | 81,920  | complex      | 655,360         | 20        | 4.1        |
|                |         | 2 x 32 bit   |                 |           |            |
|                |         | float        |                 |           |            |
| FFT 4096       | 81,920  | complex      | 655,360         | 26        | 3.1        |
|                |         | 2 x 32 bit   |                 |           |            |
|                |         | float        |                 |           |            |

Execution time measured as the interval time between the availability of the full set of data and the availability of the result in SDRAM



#### DSP benchmarks performances

| Benchmark type               | Samples | Sample size | Input Data size<br>[Bytes] | Execution<br>time<br>[ms] | Proc Rate=<br>MSamples/s |
|------------------------------|---------|-------------|----------------------------|---------------------------|--------------------------|
| Lossless comp<br>RICE. 1kx1k | 1M      | 16 bit int  | 2097152                    | 1700                      | 0,617                    |
| Lossless RICE<br>comp.5184x8 | 41,472  | 16 bit int  | 82944                      | 70                        | 0,592                    |

Measured power consumption on the PM is less than 2.6W for all the benchmarks

FIR, FFT code are optimized for the C6727

CCSDS 121.0 compression has been optimized for use of internal SRAM and DMA data transfer.



#### PM: Road to FM design

Fast path to FM is possible for a PM with Spacewire only interfaces.

In order to finalize a PM FM design the following steps are needed:

- Adaptation to the required mechanical ICD
- Only minor redesign of the PCB is needed because the PM module has been designed with EEE parts that have FM equivalent
- FPGA VHDL design porting to RT-AX from PROASIC technology
- Introduction of TMR for use with RT-PROASIC is also a possible option
- Static and Dynamic tests on the Basic SW





#### PM FM design features

Possible FM design will consist in a board with 4 PM modules each with the following features :

- TMV320C6727B-SP processor @ 250 MHz ٠
- 128Mbyte SDRAM DSP memory
- 32Mbyte of user non-volatile memory for SW storage (NAND Flash)
- 2 Spacewire data interfaces @ 100 Mbit/s
- 3.3V secondary power input
- 2.5W maximum power consumption
- 100 FITs (computation according to TAS-09-TAS-1141)

The board area will be 240mm x 240mm and the mass can be estimated in less than 1 Kg

Single PM implementation Mass 300gr Box







#### **Radiation tests**

The C6727 sensitivity to SEU and SEFI has been assessed testing 3 TMSX320C6727BGDH performing heavy ions at UCL and high energy protons at AGOR proton facility (KVI)

The DSP was tested with heavy ions at the following LET (MeV  $cm^2 / mg$ ):

| 3.3  |  |  |  |
|------|--|--|--|
| 6.2  |  |  |  |
| 10.0 |  |  |  |
| 15.9 |  |  |  |
| 21.3 |  |  |  |
| 40.1 |  |  |  |
| 67.7 |  |  |  |
|      |  |  |  |

The DSP was tested with high energy protons at the following energies :

40 MeV 70 MeV 100 MeV 180 MeV







#### **Radiation tests**

A set of different test SW have been developed in order to evaluate SEU sensitivity to different functional element of the DSP

During static test, the register and the internal SRAM were loaded with a known pattern, the part was irradiated with the DSP in IDLE and the number of errors was measured

During Dynamic test, the element under test was accessed and used during the irradiation



- Adder
- Comparator
- Multiplier
- Subtraction



#### Radiation test results

The DSP chip was found immune to latch up for energies up to 67 MeV.cm<sup>2</sup>/mg for heavy ions and up to 180 MeV for protons – no latchup event during the full test campain.

| Test                                                 | Saturated cross section (cm²/bit) | LET threshold<br>(MeV.cm²/mg) |
|------------------------------------------------------|-----------------------------------|-------------------------------|
| SRAM Heavy lons                                      | 5 x 10 <sup>-8</sup>              | 0,5                           |
| SRAM Protons                                         | 3 x 10 <sup>-14</sup>             | 1                             |
| Registers Heavy lons                                 | 4 x 10 <sup>-7</sup>              | 2                             |
| Registers Protons                                    | 2 x 10 <sup>-13</sup>             | 1                             |
| Large functional units<br>(DMAX, UHPI)<br>Heavy lons | 8 x 10 <sup>-5</sup>              | 5                             |

For small functional units (execution units, multiplier) it was not possible to measure the sensitivity because to low in order to be measured within the test



#### Radiation test results

|                              | GEO orbit (M=8)                        |                                     |                                    | L2 orbit (worst day)                   |                                     |                                    |
|------------------------------|----------------------------------------|-------------------------------------|------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|
| Functional<br>unit           | Heavy ion<br>error rate<br>(event/day) | Proton error<br>rate<br>(event/day) | Total error<br>rate<br>(event/day) | Heavy ion<br>error rate<br>(event/day) | Proton error<br>rate<br>(event/day) | Total error<br>rate<br>(event/day) |
| SRAM                         | 3.E+02                                 | 2.E+02                              | 5.E+02                             | 5.E+02                                 | 1.E+00                              | 5.E+02                             |
| Program<br>cache             | 3.E+01                                 | 3.E+01                              | 6.E+01                             | 6.E+01                                 | 1.E-01                              | 6.E+01                             |
| Registers                    | 1.E+00                                 | 6.E-01                              | 2.E+00                             | 7.E-01                                 | 2.E-03                              | 7.E-01                             |
| Large<br>functional<br>units | 3.E-01                                 | 5.E-02                              | 3.E-01                             | 8.E-01                                 | 2.E-04                              | 8.E-01                             |
| total                        | 3.E+02                                 | 2.E+02                              | 6.E+02                             | 5.E+02                                 | 1.E+00                              | 5.E+02                             |

Error rates are estimated for the following space environments:

- GEO orbit during an active solar period. The model used is the CREME-86 model with the M parameter set to 8.
- L2 orbit during an active solar period. The model used is the CREME-96 worst day.

Rates are estimated for a standard shielding of 1g/cm<sup>2</sup>.



#### Radiation test results

In the Hi-P CBC system architecture, the errors can be divided in

- transient errors : the error disappears in case the computation is performed again reloading the input data and the code task, without PM reset or power cycle
- persistent errors : the error persist in case the computation is performed again reloading the input data and code task, requiring a reset or power cycle of the PM in order to recover

Since the internal SRAM is reloaded for each computation, errors in SRAM will cause transient errors.

Persistent errors will be caused by Program cache, Registers and large functional units.

The following error rate are then expected

| Error type | GEO orbit (M=8)              | L2 orbit (worst day)         |  |
|------------|------------------------------|------------------------------|--|
| Litor type | Total error rate (event/day) | Total error rate (event/day) |  |
| Transient  | 5.E+02                       | 5.E+02                       |  |
| Persistent | 6.E+01                       | 6.E+01                       |  |



# Demonstrator processing performance benchmarks



Det

is document and its content is the property of Airbus Defence and Space. shall not be communicated to any third party without the owner's written consent | [Airbu

## Benchmarking setup description

#### « End to end » benchmarking

Performance measurements from raw data emission to results read

#### → Precise characterization of all performance contributors



47

#### Functional validation of mitigation mechanisms

EGSE is able to inject errors, measure reset time...



#### **Benchmarking results**

#### Mitigation overhead

- Negligible when size of the input increases
- Depends on the number of PMs used
- Trade off availability/performance

|        | Size (kB) | Total            | Overhead | Overhead |
|--------|-----------|------------------|----------|----------|
|        |           | measured<br>(ms) | (ms)     | (%)      |
| fir128 | 47        | 17               | 0.765    | 4.50%    |
| fir128 | 235       | 71               | 0.815    | 1.15%    |
| fir128 | 470       | 139              | 0.838    | 0.60%    |

# Sequential VS pipeline

- Theoretical maximum increase 66,6%
- Best measured increase 47% (limited by data transfer times and half duplex operation)





name]. All rights

#### **Benchmarking results**

#### Measurements:

- FIR : 1 Msamples/s
- FFT : 0.5 Msamples/s
- Lossless compression : 0.5 Msample/s

# End to end performance is limited in all cases by data transfer times

- Half duplex SpW RMAP operation
- 32 bits sample size

| Binary   | method       | Sample size<br>(bits) | Pipeline (Msamples/s) |
|----------|--------------|-----------------------|-----------------------|
| fir16    | duplication  | 32                    | 1.10                  |
| fir64    | duplication  | 32                    | 1.08                  |
| fir256   | duplication  | 32                    | 1.06                  |
| fft1024  | duplication  | 64                    | 0.53                  |
| fft2048  | duplication  | 64                    | 0.55                  |
| fft4096  | duplication  | 64                    | 0.56                  |
| lossless | duplication  | 16                    | 0.56                  |
| fir128   | duplication  | 32                    | 0.81                  |
| fir128   | duplication  | 32                    | 1.08                  |
| fir128   | duplication  | 32                    | 1.12                  |
| fir128   | time         | 32                    | 0.51                  |
| fir128   | time         | 32                    | 0.58                  |
| fir128   | time         | 32                    | 0.59                  |
| fir128   | triplication | 32                    | 0.78                  |
| fir128   | triplication | 32                    | 1.08                  |
| fir128   | triplication | 32                    | 1.12                  |



# **Demonstrator** availability

50



0 0

A . .

All rights reserved.

and Space Corr

This document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owner's written consent | [Airbus Def

## System availability evaluations

#### System availability

- Focus on un-availability of the data processing chain due to SEU
- Measure of efficiency of the mitigation technique

#### Error rates during radiation tests are not representative

Would defeat any mitigation mechanism

#### Availability evaluation methodology

- 1. Measure of DSP error rate (transient and persistent)
- 2. Modelling of the mitigation mechanisms
- 3. Parametric evaluation of availability (based on measurements performed on the demonstrator)

#### → Generic model for availability evaluations (can be reused for other PMs, other applications)



# Modelling tool

# SIMFIA

- Tool used for safety and reliability analysis
- Able to do stochastic simulations

#### Simulation model

- Designed for synchronized PMs
- Highly configurable
- Validated by analytical results in simple cases





name]. All rights reserved

# Parameters impact on Availability (Av)

#### Transient and persistent error rates (Te and Pe)

- Transient errors have a low impact but a higher probability
- Persistent errors have a bigger impact but a lower probability

#### Inter arrival of input data (Performance P)

Must be bigger than processing cycle (performance < 100%)

## Size of the input buffer (B)

Big enough to compensate the recomputations

# Reset duration (Rt)

Reduce availability

# Computation duration on the PM (Cp)

- Errors follow an exponential law
- Smaller data batches increases avialability



#### Availability evaluation results

Availability models configured according to measurements performed on the demonstrator

54

#### High availability – Moderate data processing power profile

- Objective: 99,999%
- Achievable using space triplication and with PM load of up to 98%

#### Moderate availability - High data processing power profile

- Objective: 99,9%
- Achievable using Space or Time Duplication and with a PM load of up to 98%

| Performance | Triplication | Duplication |
|-------------|--------------|-------------|
| 100%        | 99,99998%    | 99,95567%   |
| 98%         | 100,00000%   | 99,97998%   |
| 96%         | 100,00000%   | 99,98221%   |
| 95%         | 100,00000%   | 99,98438%   |
| 94%         | 100,00000%   | 99,98201%   |
| 92%         | 100,00000%   | 99,98205%   |
| 90%         | 100,00000%   | 99,98335%   |

| Performance | Time Duplication |
|-------------|------------------|
| 50%         | 99,97763%        |
| 48%         | 99,99200%        |
| 46%         | 99,99199%        |
| 45%         | 99,99213%        |
| 44%         | 99,99175%        |
| 42%         | 99,99103%        |
| 40%         | 99,99253%        |



# Flight system performance assessment



reserved.

All rights

Def

This document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owner's written consent | [Airbus

#### Flight system characteristics

#### Flight architecture

- 3 board configuration : 2(N+R) SmartIO boards, 1 Processing module boards
- SmartIO board: supports the SCOC3, SpW links to spacecraft and processing module, and DC/DC power conversion
- PM board: 4 independent processing modules made of a rad hard FPGA, the C6727 DSP and a SDRAM

#### **Estimated characteristics**

- Mass/Dimensions : 6kg, PCB sizes of 240 mm<sup>2</sup>
- Power consumption : < 20W</p>
- Fully redounded, reliability after 10 years better than 0,996





# Flight system processing performance

#### Flight system processing performance estimation

- Based on measurements on the demonstrator
- Extrapolated to assume 16 bits sample size and full duplex data transfers
- For High Availability 3 PMs are used in space triplication
- For Moderate Availability 2 PMs are used in space duplication and one PM is used time duplication

# Processing performance of the flight system will not be limited by data transfer times

- Flight application is more complex than a simple benchmark
- SpW links can be run at 160 Mbit/s (current performance estimation assuming 100 Mbit/s)

# The full processing performance of the DSP can be used!

2,19GFLOPS@99,9% or GFLOPS1,47@99,999%

| Application | Msample/s<br>99.999% availability | Msample/s<br>99.9% availability |
|-------------|-----------------------------------|---------------------------------|
| fir16       | 4.70                              | 7.01                            |
| fir64       | 4.70                              | 7.01                            |
| fir128      | 2.94                              | 4.38                            |
| fir256      | 1.67                              | 2.48                            |
| fft1024     | 2.35                              | 3.50                            |
| fft2048     | 2.35                              | 3.50                            |
| fft4096     | 2.35                              | 3.50                            |
| Lossless    | 0.59                              | 0.88                            |



# Conclusion

name]. All rights reserved.

This document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owner's written consent | [Airbus Defence and Space Company



. . . . . .

.....

...

1 m

....

..... .....

. ..... ..... ......

. ......

. .....

.......

..... ....

........

....

....

......

...... ......

#### In Conclusion, we have :

- A versatile and flexible COTS based computer architecture
- The tools and SW needed to deploy and customize this architecture for many different missions
- A hardware demonstration of the concept
- A flight ready implementation providing 1 GFLOP/s fully reprogrammable
- A cost efficient solution for next generation payload data processing







# **Points of contact**

# roland.trautner@esa.int mathieu.patte@astrium.eads.net rgrimoldi@cgspace.it





