19th IFAC Symposium on Automatic Control in Aerospace September 2-6, 2013. Würzburg, Germany
Network-Centric Approach for Modular Avionics

H.-J. Herpel, G. Willich (Astrium GmbH, Satellites); T. Vogel, A. Schuettauf (Astrium GmbH, Space Transportation); S. Pletner, F. Schoen (Fraunhofer FOKUS, Berlin); C. Fidi (TTTech AG, Wien); M. Loetzke (Sysgo AG, Mainz); L. Dittrich (STI GmbH, Immenstaad); P. Schuelke, T. Wolf (DLR RfM, Bonn-Oberkassel)
Abstract: Today's spacecraft avionics architecture is characterised by a broad variety of processing modules, operating systems and interfaces for exchanging data between different processing modules. The software that implements most of the satellite functionality has to deal with this fact, and this is one of the reasons why software has become one of the major cost drivers in satellite projects. Similar problems have triggered developments in other industrial domains like AUTOSAR in the automotive area or Integrated Modular Architecture (IMA) in the aerospace industry [8]. All these initiatives are based on the definition of standards for computing platforms and the interfaces between these platforms. The goals of the Open Modular Avionics Architecture for Space Applications (OMAC4S) initiative started by Astrium, Fraunhofer FOKUS, STI, SYSGO and TTTech are to outline a solution that helps to reduce complexity and costs for space avionics significantly. This initiative is partly funded by the German national space agency (DLR) through the project On-Board Computer System Architecture (OBC-SA). In this paper we describe how standardization and the usage of already proven technologies from other industrial domains will help to limit the effect of the software development on schedule and costs of satellite projects. In addition we will demonstrate a migration path to make these technologies available for space applications.

Keywords: Avionics and on-board equipment, distributed real-time systems, time and space partitioning, time-triggered ethernet

1. BACKGROUND AND MOTIVATION

A typical satellite avionics architecture is characterised by dedicated computers (core processing modules) for different tasks like satellite attitude and orbit control, instrument control and payload data processing. The spectrum of CPUs used for these computers ranges from Sparc based CPUs (e.g. the Leon family) to application specific processors implemented in FPGAs or ASICs.
On each of these computers different operating systems are used. This ranges from no operating system at all to real-time operating systems like RTEMS and VxWorks, for example. Also many different busses, networks and point-to-point connections are used to transfer data between these core processing modules. Traditionally, the MIL1553 bus is used for deterministic command and control while Spacewire and Spacefibre are used for point-to-point interconnections when higher data rates are required. In addition, many different types of payload specific interfaces are used, e.g. Ethercat for robotics applications or high speed serial links to transfer image data to the mass memory unit. Like in other domains more and more functionality is implemented in software. The software that implements most of the satellite's functionality has to deal with this fact and this is one of the reasons why software has become one of the major cost drivers in satellite projects. Similar reasons have triggered developments in other industrial domains like AUTOSAR in the automotive area or Integrated Modular Architecture (IMA) in the aerospace industry [7]. All these initiatives are based on the definition of standards for computing platforms and the interfaces between these platforms. A similar approach for space avionics is described in this paper. With standardized computing platforms, the effect of the software development on the schedule and costs of satellite projects can be limited. The reasons are: (1) the software has to deal with a much smaller spectrum of computing platforms, (2) using standards allows solutions from different vendors, either hardware or software, to be combined, (3) modular certification will be possible as hardware or software components can be reused without any modification.

978-3-902823-46-5/2013 © IFAC
2. BASIC CONCEPT

During the first phase of the activity the requirements of future space missions and available solutions from other domains were carefully analysed, an architectural concept was elaborated and hardware and software (OS, framework) were preselected. The main characteristics of the envisaged system architecture are listed below:

10.3182/20130902-5-DE-2040.00147
• Network centric approach (Satellite Deterministic Network)
· interconnection of different core processing modules (CPM) and interface boards via backplane using network-type interconnections
· network topology either full mesh or star (depending on availability, data traffic, etc.)
· support for different traffic classes over the same physical network (fully deterministic, rate constrained, best effort)
· time synchronization over the network
• Passive backplane based on an industrial standard
• Various CPU boards with different performance and qualification levels
• Radiation-hard CPUs and radiation-tolerant COTS CPUs in dual or triple redundant configuration
• Full support for time and secure space partitioning
· to prevent error propagation and to limit the effects of failures in the application
· to allow applications of different criticality on the same computing platform
• Provision of a software framework that provides all basic services of a typical on-board software
· PUS based communication and services
· housekeeping reporting
· data management and monitoring
· event handling
· event/action mechanism
· execution of mission timelines
· execution of On-Board Control Procedures (OBCP) based on a widely used open source script language
· logging
· system supervision
· generic part of equipment management
· interface to on-board mission planning

In all industrial domains some common trends are visible:
• Ethernet is also used for time-critical command and control [4]
• moving away from parallel busses to serial interconnections
• most embedded devices use low-power CPUs based on ARM IP cores
• using multi-core to get performance at low power consumption
• combining safety-critical and non-critical applications on a common computing platform (time and space partitioning)

3. ARCHITECTURE
Hardware and software items were selected according to the requirements, the basic concept, the maturity and growth of the technology and its migration potential to space applications (radiation hardness):
• Satellite Deterministic Network (SDN) based on Time Triggered Ethernet (TTTech AG, Vienna) [2] [3]
• Backplane: CompactPCI Serial (PICMG CPCI-S.0) [5]
• Processing and I/O modules characterized by reliability, availability, performance
· High reliability, low performance CPM based on LEON3FT with MMU (Astrium Sat, Ottobrunn)
· High availability, medium performance CPM based on Intel Atom (Astrium ST, Bremen)
· High performance CPM based on the Freescale QorIQ P4080 [11] eight-core CPU (Fraunhofer FOKUS, Berlin)
· Remote Data Concentrator (RDC) based on a rad-hard FPGA with TTE IP core (STI, Immenstaad)
· Versatile I/O board for backward compatibility with existing satellite equipment (Astrium Sat, Ottobrunn)
• PikeOS as the certified real-time operating system providing Time and Space Partitioning (SYSGO AG, Mainz) []
• Application Framework (KARS, DLR Raumfahrt Management)

The figure below provides an overview of the OMAC4S architecture:

Fig. 1. OMAC4S Architecture

Each processing or I/O node is connected at least to the TTE switch. All other interconnections are optional. PikeOS runs on each CPM (other ARINC 653 compatible operating systems are possible). The TSSP microkernel provides a configurable number of partitions. Each partition may contain the KARS middleware (or others). Some of the partitions on a node are reserved for KARS framework services. The free partitions can be assigned to applications. Inter-partition communication and partition scheduling can be configured with the system configuration tool. The initial member structure of the OMAC4S initiative reflects this selection of hardware and software items.

4. COMPONENTS

The following sections provide a brief description of the major elements of the system.
4.1 Satellite Deterministic Network (SDN)

Time Triggered Ethernet provides broad compatibility with established Ethernet standards [2] [3]. The key TTEthernet operation principles allow its future use with other Ethernet-based networks in heterogeneous or legacy systems. By adding TTEthernet switches, guaranteed hard real-time communication pathways can be created in an Ethernet network without impacting any of the existing applications. It can be used for the design of deterministic control systems, fault-tolerant systems and infotainment/media applications which require multiple large congestion-free data streams.
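The isolation property this section relies on, that time-triggered traffic keeps its reserved slots no matter what the other traffic classes do on the same link, can be checked in a small simulation. The following is an added example written for this page (not TTTech's implementation and not code from the paper): a toy egress scheduler for one link over one cluster cycle, with the three traffic classes the paper names, made-up slot and cycle lengths, a constructed static TT schedule and a constructed best-effort flood.

```python
from dataclasses import dataclass

SLOT_US = 12           # one max-size frame occupies one slot on this link (assumed)
CYCLE_US = 1200        # one cluster cycle = 100 slots (assumed)

@dataclass(frozen=True)
class Frame:
    fid: str           # unique frame id
    vl: str            # virtual link (flow) id
    cls: str           # "RC" or "BE"; TT frames come from the static schedule
    ready_us: int      # time the frame is handed to the port

# Constructed offline TT schedule: virtual link -> fixed offset in every cycle.
TT_SCHEDULE = {"aocs_cmd": 0, "hk_report": 300, "payload_img": 600}

def simulate(frames, rc_bag_us=240):
    """Serve one cluster cycle slot by slot.  A slot owned by a TT virtual link
    is never given away; otherwise RC frames go first, each VL policed by its
    bandwidth allocation gap (BAG); BE frames take whatever is left over.
    Returns {frame_id: transmit_start_us}; frames not sent are absent."""
    tt_at = {off: vl for vl, off in TT_SCHEDULE.items()}
    rc_q = sorted((f for f in frames if f.cls == "RC"), key=lambda f: f.ready_us)
    be_q = sorted((f for f in frames if f.cls == "BE"), key=lambda f: f.ready_us)
    last_rc = {}       # vl -> last RC transmit time, for BAG policing
    tx = {}
    for t in range(0, CYCLE_US, SLOT_US):
        if t in tt_at:                       # reserved: TT frame goes out on time
            tx["tt:" + tt_at[t]] = t
            continue
        rc = next((f for f in rc_q if f.ready_us <= t
                   and t - last_rc.get(f.vl, -rc_bag_us) >= rc_bag_us), None)
        if rc is not None:                   # RC allowed only once per BAG per VL
            rc_q.remove(rc)
            last_rc[rc.vl] = t
            tx[rc.fid] = t
            continue
        be = next((f for f in be_q if f.ready_us <= t), None)
        if be is not None:                   # BE absorbs the remaining capacity
            be_q.remove(be)
            tx[be.fid] = t
    return tx

def make_traffic(n_be):
    """Constructed sample load: six RC sensor frames plus an n_be-frame BE burst,
    all ready at cycle start (the worst case for the other classes)."""
    rc = [Frame(f"rc{i}", "sensor_rc", "RC", 0) for i in range(6)]
    be = [Frame(f"be{i}", "bulk_be", "BE", 0) for i in range(n_be)]
    return rc + be

def tt_times(tx):
    """Transmit times of the TT frames only, for comparing two runs."""
    return {k: v for k, v in tx.items() if k.startswith("tt:")}

if __name__ == "__main__":
    quiet, flood = simulate(make_traffic(0)), simulate(make_traffic(200))
    print("TT unchanged under flood:", tt_times(quiet) == tt_times(flood))
    print("BE frames sent under flood:", sum(k.startswith("be") for k in flood))
```

Running the two loads shows the TT offsets identical with and without the 200-frame flood, the RC frames spaced by at least one BAG, and only the best-effort class losing frames.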
The TTEthernet product family supports bandwidths of 10 and 100 Mbit/s, 1 Gbit/s and higher, as well as copper and fibre-optic physical networks. It enables purely synchronous and asynchronous operation over the same network. By using the fault-tolerant clock synchronization mechanisms of the TTEthernet protocol, the time- and space-partitioned concept of the operating system can be extended across the communication interface. The time-triggered traffic class of TTEthernet therefore provides the necessary communication partitioning on the network level, ensures synchronous, deterministic communication with respect to the schedule of the partitions, and leads to a fully deterministic distributed computer.

Furthermore, the determinism of the protocol reduces effort during the whole lifecycle of the mission because of the strictly defined communication interface of each communication participant. This extends from the design phase, where all interfaces are defined, through development and testing to production. When it comes to redesigns or updates, the static deterministic communication ensures that changes to the applications do not lead to retesting and requalification of the full system, and therefore only affect the parts of the system that have to be changed to support the additional functionality. The reuse of previously developed subsystems with these static interfaces will also be much more affordable. Using TTEthernet on board a spacecraft allows the number of different interconnections to be reduced to a single network, as low-rate but deterministic data traffic can be combined with high-volume traffic, e.g. images, on a single physical link.

4.2 Core Processing Modules (CPM)

CPM-HR - Leon CPU Board

The Leon based highly reliable CPM (CPM-HR) is a versatile 4HP/3U rad-hard single-board computer supporting a multitude of modern serial interfaces according to the CompactPCI Serial standard.
It is thus perfectly suited for on-board control applications which require high reliability and low power consumption. The CPU card is equipped with Gaisler's LEON processor running at up to 100 MHz. The main characteristics of the board are as follows:
• LEON with MMU, 100 MHz single-core 32-bit processor in radiation hard technology
• 8 MB SRAM, 256 MB SDRAM
• 16 MB of non-volatile memory (FLASH) for storage of boot and application software
• PICMG CPCI-S.0 CompactPCI Serial
• Standard rear I/O: 2 TTE ports, 2 PCIe, 4 SpW, UART

CPM-HA - Intel Atom TMR CPU Board

The Intel Atom based highly available CPM (CPM-HA) is a versatile 4HP/3U computer in TMR configuration. The major characteristics of the Intel Atom CPU board are listed hereafter:
• Intel Atom N270, 1.6 GHz single-core 32-bit processor
• PICMG CPCI-S.0 CompactPCI Serial
• Up to 4 GB DDR3 DRAM soldered, ECC
• Standard front I/O: 2 Gb Ethernet
• Standard rear I/O: 2 TTE ports, 4 PCIe, 2 SpW
• DisplayPort/HDMI
• Flexible rear I/O via mezzanine board
• Board support packages available for PikeOS and Linux

CPM-HP - Freescale P4080 DMR CPU Board

The high performance CPM (CPM-HP) is designed to exploit the advantages of embedded multi-core processing in future space missions [12]. The CompactPCI Serial compliant on-board computer system is based on Freescale's P4080 of the PowerPC multi-core family QorIQ. The P4080 integrates eight Power Architecture e500mc cores which can operate at up to 1.5 GHz. The processor device is fabricated in SOI (silicon on insulator) technology with 45 nm feature size, which offers particularly low power dissipation and provides low sensitivity to radiation. Further, the processor supports extensive power saving functions so that the performance, and thus the power consumption, can be adapted to different mission phases [13]. The complete functionality of the CPM-HP fits onto a single 3U PCB. The PCB contains up to 4 Gbyte of ECC protected node memory formed out of two redundantly operating DDR3 memory banks and a radiation tolerant NOR flash memory stack of 256 Mbyte for the system and application software. All interface functions and the TMR logic are implemented within a rad-tolerant FPGA, resulting in an SEU immune implementation. The main features of the 3U board are listed below:
• QorIQ P4080 CPU, eight e500mc PowerPC cores, Freescale
• PICMG CPCI-S.0 CompactPCI Serial
• Up to 4 Gbyte DDR3, 2 banks, EDC
• 256 Mbyte NOR flash memory stack, radiation tolerant
• 4 Gbyte NAND flash memory
• Standard front I/O: 2 Gb Ethernet, RS232C
• Standard rear I/O: 2 TTE ports, 3 PCIe, IC, 2 SpW
• Board support packages for PikeOS and Linux available
Remote Data Concentrator (RDC)

The Remote Data Concentrator (RDC) allows legacy devices, as well as discrete sensors and actuators, to be connected to the TTEthernet based network. The generic RDC provides the following interfaces:
• 2x 10 Mb TTEthernet
• 8 timer inputs
• 8 PWM outputs
• 8 digital outputs (HPC)
• 8 digital inputs (HPC)
• 20 analog inputs (12 bit ADC)
The RDC provides on-board memory and an embedded microcontroller. Thus, the necessary flexibility for data storage, data processing, application specific signal acquisition schemes and protocol handling is provided.

4.3 Time and Space Partitioning (TSP)

By using time and space partitioning, the application software within the partitions can be executed independently of each other both in terms of functionality and timing. Error propagation from one partition to another is prevented by the operating system. Communication between partitions is based on ARINC 653 [6] compliant communication channels. The concept of PikeOS combines a real-time operating system (RTOS), a virtualization platform, and an Eclipse based integrated development environment (IDE) for embedded systems. The underlying PikeOS micro-kernel is especially suitable for safety-critical and security-critical applications [10]. PikeOS has been certified according to multiple industrial safety and security standards [9]. The PikeOS real-time operating system is a virtualization platform allowing several applications, whether real-time or not, to run in different virtual machines (VMs) together on a single hardware platform. For those applications having hard real-time requirements the scheduling mechanism of PikeOS ensures spatial and temporal determinism. Thus, in terms of real-time behaviour, PikeOS RTOS technology competes head to head with conventional real-time operating systems.
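To make the two guarantees of this section concrete (a partition overrunning its time budget cannot move another partition's window, and a partition touching memory outside its own range is stopped without affecting the others), here is an added example written for this page, not PikeOS code and not from the paper: a toy ARINC 653-style major-frame scheduler with a static configuration check, using a constructed configuration of three partitions with made-up windows, address ranges and per-frame CPU demands.

```python
from dataclasses import dataclass, field

MAJOR_FRAME_MS = 100          # assumed major frame length

@dataclass
class Partition:
    name: str
    window: tuple             # (start_ms, length_ms) within the major frame
    mem: tuple                # (base, size): the only range it may touch
    demand: list              # constructed CPU demand per major frame, in ms
    accesses: list = field(default_factory=list)  # addresses the app touches
    backlog_ms: int = 0       # work carried over into the next frame
    halted: bool = False      # set by the health monitor after a fault

def validate_schedule(parts):
    """Static check of the configuration: windows must lie inside the major
    frame and must not overlap, otherwise the time guarantees are void."""
    wins = sorted(p.window for p in parts)
    for (s, d), nxt in zip(wins, wins[1:] + [(MAJOR_FRAME_MS, 0)]):
        if s + d > nxt[0]:
            raise ValueError(f"window ({s},{d}) collides with {nxt}")
    return True

def run_major_frame(parts, frame_no):
    """Execute one major frame.  Each partition runs only inside its own window;
    work beyond the window waits for the next frame and no other window moves.
    An access outside the partition's range is a fault confined to that
    partition: it is halted, the others keep their schedule.
    Returns a list of (frame, partition, window_start, ms_used, status)."""
    log = []
    for p in sorted(parts, key=lambda p: p.window[0]):
        start, length = p.window
        if p.halted:
            log.append((frame_no, p.name, start, 0, "halted"))
            continue
        base, size = p.mem
        bad = [a for a in p.accesses if not base <= a < base + size]
        if bad:                                   # space partitioning violated
            p.halted = True
            log.append((frame_no, p.name, start, 0, f"memfault@{bad[0]:#x}"))
            continue
        if frame_no - 1 < len(p.demand):
            p.backlog_ms += p.demand[frame_no - 1]
        used = min(length, p.backlog_ms)          # never more than the window
        p.backlog_ms -= used
        status = "ok" if p.backlog_ms == 0 else "preempted"
        log.append((frame_no, p.name, start, used, status))
    return log

def demo_partitions():
    """Constructed configuration: an AOCS partition, a payload partition that
    asks for more than its window, and one that strays out of its memory."""
    return [
        Partition("aocs", (0, 40), (0x1000_0000, 0x100000), [30, 30, 30], [0x1000_0040]),
        Partition("payload", (40, 50), (0x2000_0000, 0x100000), [120, 0, 0], [0x2000_ff00]),
        Partition("stray", (90, 10), (0x3000_0000, 0x10000), [5, 5, 5],
                  [0x3000_0010, 0x1000_0040]),   # second address belongs to aocs
    ]

if __name__ == "__main__":
    parts = demo_partitions()
    validate_schedule(parts)
    for n in (1, 2, 3):
        for entry in run_major_frame(parts, n):
            print(entry)
```

Over three frames the AOCS partition starts at 0 ms and gets its 30 ms every time, the payload partition's 120 ms request is served 50 ms per frame until drained, and the straying partition is halted from its first frame on.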
The major characteristics of PikeOS are summarized hereafter:
• Strict time and resource partitioning providing guaranteed access to assigned resources and deterministic timing behavior
• Micro-kernel based hard real-time virtualization
• MILS compliant and designed for CC EAL 5/6
• Eclipse based IDE
• Certified (DO-178B, IEC 61508, EN 50128)
• Largest range of APIs, run-time environments and guest operating systems in the market:
· Linux, legacy RTOS, RTEMS
· POSIX, ARINC-653
· Android, AUTOSAR*
• Board support packages available for CPM-HA (Intel Atom), CPM-HR (Sparc/Leon), CPM-HP (Freescale P4080)
• Multi-core processor support
• Certified IP stack and file system available

4.4 Framework

KARS (Controller for autonomous spacecrafts) is a versatile framework for on-board and ground software. It provides the basic services needed on board a spacecraft. This includes data management and monitoring, housekeeping reporting, event and event-action handling, logging, basic equipment handling, interface to the command and control bus based on the Packet Utilization Standard (PUS), execution of on-board control procedures and mission timelines. The strict component based approach supports the easy integration of third-party components such as AOCS. An Operating System Abstraction Layer allows porting to different operating systems with minimal effort. Currently, Linux, PikeOS and VxWorks653 are supported as standard. Board support packages are available for Intel, ARM and Leon3FT CPU boards. The development of the software has been performed according to the strict rules of ECSS-E40. A full set of documentation is available to support certification activities. Figure 2 shows the framework as a layer between the applications and the TSSP microkernel.

The framework includes the following packages:
• SystemConfiguration (node and application specific settings)
• Middleware (PUS, inter-partition communication, OSAL)
• Basic Components
· IOHandler (PUS based inter-node communication)
· MissionTimelineHandler (execution of mission timelines and cyclic housekeeping reporting)
· Datamanagement (data management and monitoring)
· EventHandler (event handling and event/action mechanism)
· OBCPHandler (execution of On-Board Control Procedures (OBCP))
· LogginHandler (logging)
· Supervisor (system supervision)
· EquipmentHandler (generic part of equipment management)
· MissionPlanner (interface to on-board mission planning)
Fig. 2. Software Elements

This framework is a key element for building reliable application software (e.g. platform or payload control) to be executed on the various on-board computers (On-board Computer (OBC) and Payload Control Units (PCU)). An application programming interface (API) with a rich set of functions is provided to allow standardized access to all basic services and computer resources. Additional software is provided to easily configure the system, i.e. number and type of CPMs and I/O channels, mapping of applications to CPMs, inter-partition and inter-node communication.

5. CONCLUSIONS AND FUTURE WORK

This paper presents an open and modular architectural concept for space applications. The type of applications ranges from unit testers and HIL capable software validation facilities to on-board computers for satellite or instrument control. CPU and I/O boards in different performance classes are being developed and will be available soon. The network centric approach based on Time Triggered Ethernet allows cabling to be reduced, as different traffic classes can be routed via the same network, and opens the system to a rich set of cheap test equipment. Combining all these features will result in significant cost reduction for typical space applications with growth potential for future missions.

ACKNOWLEDGEMENTS

The OBC-SA (FKZ 50RM1210) and the KARS (FKZ 50RA 1110) projects are both (co-)funded by the German Federal Ministry of Economics and Technology. Responsibility for the content lies with the authors.
REFERENCES
[1] Steiner W., Time-Triggered Ethernet Specification, SAE Group, available at http://www.sae.org, 2011
[2] Kopetz H., Ademaj A., Grillinger P., Steinhammer K., The time-triggered ethernet (TTE) design, 8th IEEE International Symposium on Object-oriented Real-time Distributed Computing (ISORC), Seattle, Washington, May 2005
[3] Kopetz H., Ochsenreiter W., Clock synchronization in distributed real-time systems, IEEE Trans. Comput., vol. 36, no. 8, pp. 933-940, 1987
[4] Steinbach T., Time-Triggered Ethernet in Fahrzeugnetzwerken, Report, 2009
[5] PICMG, CPCI-S.0: CompactPCI Serial, Standard, 2011
[6] Logoy A., Gauer T.A., IV&V on Orion's ARINC 653 Flight Software Architecture, NASA Presentation
[7] Butz H., Open Integrated Modular Avionic (IMA): State of the Art and future Development Road Map at Airbus Deutschland
[8] Windsor J., Hjortnaes K., Time and Space Partitioning in Spacecraft Avionics, 3rd IEEE International Conference on Space Mission Challenges for Information Technology, 2009
[9] Fuchsen R., How to address certification for multi-core based IMA platforms: current status and potential solutions, 29th Digital Avionics Systems Conference
[10] Loetzke M., Mixed Criticality and Modular Certification. Minimize certification costs by separating critical functions from non-critical functions, Embedded World conference, 2013
[11] Logan J., Svennebring J., Embedded Multicore EMBMCRM Rev. 0 07/2009, Freescale Semiconductor
[12] Hilbrich R., van Kampenhout J. R., Partitioning and Task Transfer on NoC-based Many-Core Processors in the Avionics Domain, 4. Workshop: Entwicklung zuverlässiger Software-Systeme (Stuttgart, Deutschland) and Journal Softwaretechniktrends, 2011
[13] Behr P. M., Haulsen I., van Kampenhout J. R., Pletner S., Multi-Core Technology for Fault Tolerant High-Performance Spacecraft Computer Systems, DASIA, 2012