# A Fault-Tolerant Reconfigurable Platform for Communication Modules of Satellites

Cezar A. Rigo<sup>4</sup>, Lucas M. Luza<sup>4</sup>, Elder D. Tramontin<sup>4</sup>, Victor Martins<sup>1\*</sup>, Sara Vega Martinez<sup>4</sup>,

Leonardo K. Slongo<sup>4,6</sup>, Laio O. Seman<sup>2\*,4</sup>, Luigi Dilillo<sup>3\*</sup>, Fabian L. Vargas<sup>5\*</sup>, Eduardo A. Bezerra<sup>3,4\*</sup>

<sup>1</sup>European Space Agency, \*victor.martins@esa.int

<sup>2</sup>Universidade Tecnológica Federal do Paraná, Apucarana, Brazil, \*laioseman@gmail.com

<sup>3</sup>LIRMM, Université de Montpellier, 34095 Montpellier Cedex 5, France, \*dilillo@lirmm.fr

<sup>4</sup>Universidade Federal de Santa Catarina, Florianópolis, Brazil, \*Eduardo.Bezerra@ufsc.br

<sup>5</sup>Catholic University - PUCRS, Brazil, \*vargas@computer.org

<sup>6</sup>SENAI Innovation Institute for Embedded Systems, Florianópolis, Brazil

Abstract—This work presents a fault-tolerant reconfigurable hardware platform for the communication module of satellites. A printed circuit board (PCB) was designed following the European Space Agency (ESA) space product standards. It has a layered structure that mitigates the effects of ionizing radiation and electromagnetic interference (EMI) on the signals traveling on board. Also, all components were selected to tolerate wide temperature variation and, when possible, tolerate ionizing radiation. The main feature of the architecture is to allow changing the hardware configuration of the FPGA (Field Programmable Gate Array) containing the telecommand and telemetry unit through remote uplink of its bitstream. In this approach, we consider a microcontroller as the responsible entity for updating the configuration bitstream stored in a non-volatile flash memory. An alternative bitstream is also stored in the memory, as a fail-safe technique. For each of the bitstreams (the main and the alternative), there are three copies stored in memory, and a voting scheme is used to ensure the data integrity, as the flash memory is susceptible to Single Event Effects (SEE). The proposed architecture allows testing all the implementations, exercising their functionalities, and also the module's integration as a payload in the FloripaSat mission.

*Index Terms*—Fault-tolerant, reconfiguration, space-packet-protocol, radiation-hardened, satellites, printed-circuit-board.

#### I. INTRODUCTION

For the last two decades, satellite systems engineers have been using reconfigurable computing and adaptive hardware in on-board computer designs [1]–[3]. However, reconfigurable devices are usually avoided as the main processing unit element, as a result of their vulnerability to radiation effects. An important motivation for using them is the possibility of implementing hardware and system-wide functional changes, which are remotely transmitted [4]. That is done by reconfiguring the satellite embedded systems with updates coming from the ground station. Usually, the component underlying this functionality is a Field Programmable Gate Array (FPGA).

Protons and electrons trapped in Earth's radiation belts, as well as cosmic rays, present significant challenges to electronics, which must operate reliably in the natural space environment. Single-event effects (SEE) can lead to a sudden failure of the device or system, and the effects of total ionizing dose (TID) radiation can reduce the lifetime of a satellite mission as a whole [5].

978-1-7281-1756-0/19/\$31.00 ©2019 IEEE

The disturbing effects of ionizing radiation in electronic devices [6] are well known and have been widely studied since the loss of the Telstar satellite in 1962, due to a nuclear test at high altitude. Ionizing radiation and electromagnetic radiation can cause a series of sporadic, periodic or permanent damages in circuits, which result in loss of reliability and, ultimately, permanent malfunction of the device. When an ionizing particle goes through an integrated circuit, extra electron-hole pairs are created along its path by the ionizing effect, which may cause SEEs.

It is imperative to consider these effects in all design stages of devices or electronic systems that require robustness and safety in space applications, since this is a naturally radioactive environment. Therefore, high-performance, high-density, radiation-hardened FPGAs are in great demand. In this direction, NanoXplore SAS implemented a 65 nm complementary metal-oxide-semiconductor (CMOS) FPGA with radiation protection up to 100 000 rads and $60\ \mathrm{MeV \cdot cm^2 \cdot mg^{-1}}$, multiple voltage level inputs and outputs, and double data rate type 2 (DDR2) memory support [7]. Those devices are called Big Re-programmable Array for Versatile Environments (BRAVE). However, this device has never been tested in orbit.

Furthermore, the standardization of communication protocols for nanosatellites aims to remove integration barriers between space missions. In this respect, the international recommendations of the Consultative Committee for Space Data Systems (CCSDS) bring a standardization for space communications. These recommendations have already been used in more than 900 space missions [8]. In this context, this work proposes a radiation-hardened reconfigurable hardware platform to implement a telecommand (TC) and telemetry (TM) module in satellites, using the CCSDS protocol. The platform is implemented in a printed circuit board (PCB), designed for a radioactive environment [9], having as its main feature the possibility to change the hardware configuration of the FPGA through remote uplink of its bitstream. Also, the proposed architecture will be used as a payload of FloripaSat-I, a nanosatellite under development at the Federal University of Santa Catarina (UFSC) [10], [11], aiming at its in-orbit validation (IoV).

This paper is organized as follows. Section 2 presents the proposed platform, describing its components. Section 3 shows simulation results regarding the functionalities of the platform. Final remarks appear in Section 4.

# II. PROPOSED PLATFORM

The platform that is described in this paper, henceforth called Payload-X, consists of: a MCU (Microcontroller Unit) model MSP430FR6989; a BRAVE radiation-hardened FPGA (model NX1H35S-BG625PR); a 128 Mbit FLASH memory; a multiplexer; 3 SRAM memories of 16 Mbit each; 5 temperature sensors; a time recorder; a 13 MHz, a 16 MHz and a 25 MHz oscillator. The interconnection diagram between these components is shown in Fig. 1.

The system components and their respective functions are described in the following sections.

#### A. Reconfiguration and Housekeeping

Payload-X MCU has two main purposes: manage the FPGA reconfiguration and perform housekeeping tasks. Therefore, it receives the acronym HUMAN (Housekeeper and Update MANager). It is a Texas Instruments MSP430FR series MCU and has a FRAM (Ferroelectric Random-Access Memory) memory to store program data. This specific technology was chosen to ensure a better tolerance against bit-flips [12].

As the main feature while in orbit, Payload-X must be able to update its operation by receiving a new configuration file sent from a ground station to reconfigure the FPGA. This new configuration file (also called "bitstream") is sent split into multiple packets, where a few bytes per packet are for sequencing and error detection. HUMAN is responsible for receiving, integrity checking and storing the bitstream segments in a non-volatile memory, as well as waiting for a "commit" telecommand to change the current configuration of the FPGA to the new one.

The non-volatile memory is a flash memory. Although it is more radiation tolerant than SRAM or DRAM memories, some bit-flips are expected to occur [13]. To ensure that data is corrected after a bit-flip occurrence, the bitstream is stored with redundancy: 3 copies of it are stored in different regions of the flash memory. There are unused memory locations between the copies, so even if an error occurs in consecutive bits, only one of the copies will be affected. Then, a voting scheme is used to check and correct possible errors.

Even after many tests, it is impossible to predict every error that could happen in orbit. Thus, there is a secure fallback bitstream, and in case of a critical error in the current one, HUMAN will change the current version to the secure (fallback) version. Therefore, a total of 6 bitstreams, in 2 versions, are stored in the flash memory: 3 for the configuration in use, and 3 for the fallback version.

HUMAN is also responsible for managing incoming messages to Payload-X. These messages may be related to reconfiguration, such as new bitstream segments or bitstream status requests, or they may be telecommands destined for, or telemetry arriving from, the communication module.

When a new bitstream segment is received from the OBDH (on-board data handling), HUMAN checks the data integrity through a CRC technique (CRC-16-CCITT). In case the segment is correct, it is stored in the flash memory. When a telecommand is received, it is stored in the FRAM memory and sent to the communications module via UART. Likewise, telemetry transmitted by the communications module is stored in the FRAM memory, and sent to the OBDH via I<sup>2</sup>C protocol.

The bitstream exchange is only performed when all packets are received correctly. To achieve an error-free bitstream, a request is made periodically to check which packets were received correctly, so that lost packets can be retransmitted. This behavior is presented in Fig. 2.
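The receive, status and commit steps described above can be modelled as follows. This is an added example, not code from the paper or the Payload-X firmware: the packet layout (2-byte sequence number, payload, 2-byte CRC), the segment sizes and the 0xFFFF CRC seed are assumptions, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEG_PAYLOAD 8u                    /* hypothetical payload bytes per segment */
#define SEG_COUNT   4u                    /* hypothetical segments per bitstream    */
#define PKT_LEN     (2u + SEG_PAYLOAD + 2u)

/* CRC-16-CCITT: polynomial 0x1021, MSB first; the 0xFFFF seed is an assumption. */
static uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int b = 0; b < 8; b++)
            crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return crc;
}

typedef struct {
    uint8_t  image[SEG_COUNT][SEG_PAYLOAD];  /* stands in for the flash staging area */
    uint32_t ok_map;                         /* bit i set: segment i stored intact   */
} upload_t;

enum { SEG_OK, SEG_BAD_LEN, SEG_BAD_CRC, SEG_BAD_SEQ };

/* Assumed packet: [seq_hi seq_lo][payload][crc_hi crc_lo], CRC over seq + payload. */
static int upload_receive(upload_t *u, const uint8_t *pkt, size_t len)
{
    if (len != PKT_LEN) return SEG_BAD_LEN;
    uint16_t rx = (uint16_t)(pkt[len - 2] << 8 | pkt[len - 1]);
    if (crc16_ccitt(pkt, len - 2) != rx) return SEG_BAD_CRC;  /* check before trusting seq */
    uint16_t seq = (uint16_t)(pkt[0] << 8 | pkt[1]);
    if (seq >= SEG_COUNT) return SEG_BAD_SEQ;
    memcpy(u->image[seq], pkt + 2, SEG_PAYLOAD);
    u->ok_map |= 1u << seq;
    return SEG_OK;
}

/* Status reply: one bit per segment that still has to be retransmitted (NOK). */
static uint32_t upload_missing(const upload_t *u)
{
    return ~u->ok_map & ((1u << SEG_COUNT) - 1u);
}

/* The "commit" telecommand is honoured only when no segment is missing. */
static int upload_commit_allowed(const upload_t *u) { return upload_missing(u) == 0; }

static void make_packet(uint8_t *pkt, uint16_t seq, uint8_t fill)
{
    pkt[0] = (uint8_t)(seq >> 8);
    pkt[1] = (uint8_t)seq;
    memset(pkt + 2, fill, SEG_PAYLOAD);
    uint16_t c = crc16_ccitt(pkt, 2 + SEG_PAYLOAD);
    pkt[2 + SEG_PAYLOAD] = (uint8_t)(c >> 8);
    pkt[3 + SEG_PAYLOAD] = (uint8_t)c;
}

/* Constructed scenario: segment 2 takes a bit-flip in transit, then is resent. */
static uint32_t demo_upload(int retransmit)
{
    upload_t u = {0};
    uint8_t pkt[PKT_LEN];
    for (uint16_t s = 0; s < SEG_COUNT; s++) {
        make_packet(pkt, s, (uint8_t)(0xA0 + s));
        if (s == 2) pkt[5] ^= 0x10;               /* corrupt one payload bit */
        upload_receive(&u, pkt, sizeof pkt);
    }
    if (retransmit) {
        make_packet(pkt, 2, 0xA2);
        upload_receive(&u, pkt, sizeof pkt);
    }
    return upload_commit_allowed(&u) ? 0u : upload_missing(&u);
}

int main(void)
{
    printf("missing after first pass: 0x%X\n", (unsigned)demo_upload(0));
    printf("missing after retransmit: 0x%X\n", (unsigned)demo_upload(1));
    return 0;
}
```

A CRC only detects accidental corruption; it does not authenticate the sender of a bitstream segment.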

Since there is a triple redundancy in the stored bitstreams, a secondary HUMAN activity consists of scanning the memory, checking and correcting possible errors. This task is performed when the others are not under execution, as an idle task. All the HUMAN states can be seen in Fig. 3.
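A sketch of the idle-time scrubbing pass over the three copies, as an added example that is not taken from the paper: it assumes a bitwise 2-of-3 vote (the paper does not state the voting granularity), uses RAM buffers in place of flash regions, and the injected upsets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t repaired[3];    /* bytes rewritten in each copy            */
    size_t bits_outvoted;  /* total bit-flips corrected by the vote   */
} scrub_report_t;

/* Bitwise 2-of-3 majority: each output bit is the value held by two copies. */
static uint8_t vote(uint8_t a, uint8_t b, uint8_t c)
{
    return (uint8_t)((a & b) | (a & c) | (b & c));
}

static size_t popcount8(uint8_t v)
{
    size_t n = 0;
    for (; v; v &= (uint8_t)(v - 1)) n++;
    return n;
}

/* One scrubbing pass: vote every byte and rewrite any copy that disagrees.
 * On real flash the rewrite is an erase/program cycle, not a plain store. */
static scrub_report_t tmr_scrub(uint8_t *c0, uint8_t *c1, uint8_t *c2, size_t n)
{
    scrub_report_t r = {{0, 0, 0}, 0};
    uint8_t *copy[3] = {c0, c1, c2};
    for (size_t i = 0; i < n; i++) {
        uint8_t v = vote(c0[i], c1[i], c2[i]);
        for (int k = 0; k < 3; k++) {
            uint8_t diff = (uint8_t)(copy[k][i] ^ v);
            if (diff) {
                r.repaired[k]++;
                r.bits_outvoted += popcount8(diff);
                copy[k][i] = v;
            }
        }
    }
    return r;
}

/* Constructed data: upsets in different copies, two of them in the same byte
 * but on different bits. Returns the corrected bit count, or -1 on mismatch. */
static int demo_scrub(void)
{
    const uint8_t golden[4] = {0x5A, 0xC3, 0x00, 0xFF};
    uint8_t a[4], b[4], c[4];
    memcpy(a, golden, 4); memcpy(b, golden, 4); memcpy(c, golden, 4);
    a[0] ^= 0x01;                     /* copy A, byte 0, bit 0 */
    b[0] ^= 0x20;                     /* copy B, byte 0, bit 5 */
    c[3] ^= 0x80;                     /* copy C, byte 3, bit 7 */
    scrub_report_t r = tmr_scrub(a, b, c, 4);
    int ok = !memcmp(a, golden, 4) && !memcmp(b, golden, 4) && !memcmp(c, golden, 4);
    return ok ? (int)r.bits_outvoted : -1;
}

/* Limit of the scheme: the same bit flipped in two copies wins the vote. */
static uint8_t demo_same_bit_double_hit(void)
{
    return vote(0x5A ^ 0x01, 0x5A ^ 0x01, 0x5A);   /* 0x5B, not the stored 0x5A */
}

int main(void)
{
    printf("bits corrected: %d\n", demo_scrub());
    printf("double hit votes to: 0x%02X\n", demo_same_bit_double_hit());
    return 0;
}
```

The second demo shows why the scan has to run regularly: upsets that accumulate on the same bit of two copies are outvoted in the wrong direction.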

#### B. Scientific Data Sensors

To monitor the radiation levels that affect the printed circuit board (PCB), this platform adopts SRAM memories as single-event sensors. Experiments with this technique have already been performed [14]. The number of ionizing particles that reached the memory may be expressed by a constant multiplied by the number of detected events. The algorithms designed for that experiment are implemented in the proposed platform. To take into account the influence of temperature on the rate of bit-flips, five temperature sensors were included in the board. To be able to correlate radiation incidence with the satellite position, an elapsed total time recorder (TET-R) has also been incorporated in the platform PCB to generate time-stamps.

# C. FPGA Implementation

The implementation ported into the FPGA can be divided into two main blocks. The first block handles the telecommand and telemetry flow and was based on previous work from our research group [15]–[17]. It is also used as an interface between the transceiver and the Payload-X OBDH. The second block is the payload's OBDH, which is responsible for handling the TM and TC packets. To accomplish this, it uses the Space Packet Protocol, characterizing the last layer of the CCSDS/ECSS protocol. It also acquires and packages data from sensors. This implementation is based on the ECSS Packet Utilization Services (PUS) [18]. This communication module is identified by the acronym UTMC, as shown in Fig. 4.

The UTMC block is divided into two segments that are dedicated to telemetry data processing and telecommand handling. In the TC flow, when a TC is delivered to the UTMC from the UART interface, the Command Link Transfer Unit (CLTU) is decoded by using a Bose-Chaudhuri-Hocquenghem (BCH) algorithm that performs error detection and correction [19].

Following the TM flow, the data generated by the sensors are processed in the OBDH block, which creates a telemetry packet and sends it to the UTMC. The Telemetry Transfer Frame (TMTF) is generated and can be coded with Reed-Solomon, Convolutional, Reed-Solomon + Convolutional, or Low-Density Parity-Check (LDPC), which results in the Channel Access Data Unit (CADU) that is dispatched by the UART interface [8], [15]. Fig. 4 presents the architecture implemented in the FPGA.

Fig. 2. HUMAN upload request sequence diagram. (Labels recovered from the figure: send a status request; answer with the status of each image segment (OK / NOK); repeat until all packets are correctly received; swap current image request; swap image ACK.)

Fig. 3. HUMAN state diagram. (Labels recovered from the figure: Receive a TC; Power off; Data was stored; Uploading FLASH data; Upload done; Running housekeeping.)

Fig. 4. FPGA implementation top level diagram.

# D. Board Design


The PCB design follows the ESA standards, which cover rules regarding PCB materials, build-up, dimensions, and thickness; track width, spacing and routing; pad design and fan out; copper planes; thermal analysis; electrical analysis; high-frequency analysis; manufacturing and reliability; placement and assembly. In [20], the author developed PCBs to perform radiation effects tests on integrated circuits (ICs). For that purpose, it was necessary to implement a PCB structure that isolates all circuits from the radioactive effects, except the IC under test. Based on the IEC 62.132-1 standard, all layers of the PCB were inserted between layers of VCC and/or GND, minimizing routing tracks in the top or bottom layers. Therefore, a similar structure was applied in Payload-X's board layers, shown in Fig. 5.



#### **III. SIMULATION RESULTS**

This section presents the simulation results of the proposed architecture regarding its reconfiguration procedure and UTMC functionality.

#### A. Reconfiguration Results

Every time the FPGA is reset, it needs to be reconfigured. This is done by reading the bitstream from the flash memory. For this purpose, the SPI serial protocol is used, with the FPGA as the master node and the memory as the slave. There are two pins used in the configuration procedure for the signals "Ready" and "Error". Both signals are in low level at the reset state. After a successful reconfiguration, the "Ready" pin is set 'high'. In case of an error during the reconfiguration procedure, the "Error" is set to high level.

Fig. 6 shows the waveforms of this process. The data transfer is done through the SPI interface and is shown by the signals "Clock" and "Data". The end of the bitstream transmission is confirmed when the "Ready" signal is asserted, and the "Error" signal shows that no error occurred.

## B. UTMC Results

The UTMC results were obtained through 3 different test procedures: CPDU procedure; Reed-Solomon encoding; and LDPC encoding.

1) CPDU Procedure: Fig. 7 shows the diagram of the test procedure for the telemetry and telecommand flows. A direct telecommand to the CPDU is created within a CLTU; then this data is transferred by the communication interface to the FPGA. The FPGA receives this command and generates an ACK (acknowledged) or NACK (not acknowledged) within a CADU, which is dispatched by the TM flow.

This flow was simulated with ModelSim, and the resulting waveform is presented in Fig. 8. For the TC flow, the "start\_seq\_ok\_s" signal is active when the start sequence of the CLTU is identified, and the signal "stop\_seq\_ok\_s" is activated by a stop sequence. In the specific example, the CLTU is composed of several blocks that are coded following the BCH(63,56) algorithm; the signals "status\_s" and "aff\_s" are then defined according to the cases listed in Table I. Also, the signal "sindrome\_s" supports the BCH algebraic decoding method known as syndrome decoding [19]. For example, in the flow presented in Fig. 8 two errors were found and corrected.

In addition, it is possible to identify the pulse of 13 ms in the signal "*pulses\_o(0)*". The "*ready\_i*" stands for the CPDU acknowledge value, "*done\_o*" is set to '0' when the layer is busy, "*cpdu\_size\_i*" represents the $13 \cdot 2^n$ ms pulse duration and "*cpdu\_addr\_i*" is the physical address of the output pin.

TABLE I BCH CASES

| Status | Aff | Result                                           |
|--------|-----|--------------------------------------------------|
| 0      | X   | An error has been found and can not be corrected |
| 1      | 0   | No error was found                               |
| 1      | 1   | An error was found and corrected                 |
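The three cases of Table I can be reproduced with a small software model of a BCH(63,56) syndrome decoder. This is an added example, not the paper's VHDL: the generator polynomial x^7 + x^6 + x^2 + 1 is the one from the CCSDS telecommand coding recommendation rather than from this page, the struct fields only mirror the "status\_s" and "aff\_s" signal names, codeblock framing outside the 63 code bits is left out, and the test word is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BCH_G 0xC5u   /* g(x) = x^7 + x^6 + x^2 + 1 (assumed, CCSDS TC coding) */

/* Remainder of a polynomial of degree <= 62 divided by g(x), bit i = x^i. */
static uint8_t bch_rem(uint64_t w)
{
    for (int i = 62; i >= 7; i--)
        if ((w >> i) & 1u)
            w ^= (uint64_t)BCH_G << (i - 7);
    return (uint8_t)(w & 0x7Fu);
}

/* Systematic encoding: 56 information bits followed by 7 parity bits. */
static uint64_t bch_encode(uint64_t info56)
{
    uint64_t shifted = (info56 & 0x00FFFFFFFFFFFFFFull) << 7;
    return shifted | bch_rem(shifted);
}

typedef struct {
    int      status;  /* 0: error found, cannot be corrected; 1: output valid */
    int      aff;     /* with status 1: 0 = no error, 1 = error corrected      */
    uint64_t info;    /* decoded 56 information bits (valid when status == 1)  */
} bch_result_t;

/* Syndrome decoding: a zero syndrome means a valid codeword; a syndrome equal
 * to x^i mod g(x) points at a single flipped bit i; anything else (every
 * double error, because g(x) contains the factor x + 1) is uncorrectable. */
static bch_result_t bch_decode(uint64_t cw)
{
    bch_result_t r = {1, 0, 0};
    uint8_t syndrome = bch_rem(cw);
    if (syndrome) {
        int pos = -1;
        for (int i = 0; i < 63 && pos < 0; i++)
            if (bch_rem(1ull << i) == syndrome)
                pos = i;
        if (pos < 0) {            /* Table I: status 0, aff don't-care */
            r.status = 0;
            return r;
        }
        cw ^= 1ull << pos;        /* Table I: status 1, aff 1 */
        r.aff = 1;
    }
    r.info = cw >> 7;
    return r;
}

/* Encode, inject error_mask, decode. Returns (status << 1) | aff, or -1 if
 * the decoder claims success but delivers the wrong information bits. */
static int bch_case(uint64_t info56, uint64_t error_mask)
{
    bch_result_t r = bch_decode(bch_encode(info56) ^ error_mask);
    if (r.status && r.info != info56)
        return -1;
    return (r.status << 1) | r.aff;
}

int main(void)
{
    const uint64_t info = 0x00C0FFEE123456ull;   /* constructed 56-bit word */
    printf("no error      -> %d\n", bch_case(info, 0));
    printf("single error  -> %d\n", bch_case(info, 1ull << 40));
    printf("double error  -> %d\n", bch_case(info, (1ull << 40) | (1ull << 3)));
    return 0;
}
```

Three or more flipped bits in one block can alias to a single-error syndrome and be miscorrected, which is why the frame-level checks of the upper layers still matter.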

2) Reed-Solomon Encoding: The Reed-Solomon coding algorithm implemented in the TM flow uses an interleaving of 4 and 128 bytes of parity. To present this functionality, the UTMC was configured to send intermittent TM. Table II shows the data received by a UART terminal, where the "Packet" contains the full received data. The data is separated into the ASM (Attached Synchronization Mark) and the CADU; see Table II for details.

3) LDPC Encoding: The Low-Density Parity-Check (LDPC) version uses a rate of approximately 7/8, resulting in a code defined as (8160, 7136). In this strategy, the message has a length of 7136 bits that are prefixed by 18 zeros before the encoding process, resulting in 1022 parity bits. At the transmitting end, the 18 virtual fill zeros are removed, and two zeros are appended to the end of the parity bits, resulting in a codeword of 8160 bits. At the receiving end, the decoder must remove the 2 zero fill bits at the codeword end, and add the 18 zero fill bits before decoding the message. Table III shows the received data.

Fig. 6. Signals captured during reconfiguration process.

Fig. 7. Test flow performed in the simulation process.

Fig. 8. Results captured from the VHDL simulation of the CPDU procedure (ModelSim).

TABLE II IDLE PACKET RECEIVED FROM THE BRAVE FPGA WITH RS ENCODING

**Received Data (1024 Bytes)**

| Unit | Field                   | Value (hex)                  |
|------|-------------------------|------------------------------|
| ASM  |                         | 1acffc1d                     |
| CADU | TM Idle Header          | 3ff331311ffe                 |
|      | TM Idle Packet          | 5555                         |
|      | CLCW                    | 01002000                     |
|      | FECW                    | 88a5                         |
|      | RS Verification Symbols | 84b7498a64b790c39fb062279d4b |
|      |                         | 92ad23f7db2925ee0b6c51cbbc3d |
|      |                         | 2b2443ace181c6cf5f4d24d52e25 |
|      |                         | a3bebedbd2ce617cb45a4c746840 |
|      |                         | 900d1906f507d261e78d330cddc7 |
|      |                         | 0acd8e477c6622d3331747acd086 |
|      |                         | 95a94187f1006d099ffb8559bca3 |
|      |                         | 672ca05758a7c02485c4e7338318 |
|      |                         | 16cf1ea135e7f4e6f0ce3ff55e46 |
|      |                         | 044f                         |

TABLE III IDLE PACKET RECEIVED FROM THE BRAVE FPGA WITH LDPC ENCODING.

**Received Data (1024 Bytes)**

| Unit | Field                              | Value (hex)                  |
|------|------------------------------------|------------------------------|
| ASM  |                                    | 1acffc1d                     |
| CADU | TM Idle Header                     | 3ff300001ffe                 |
|      | TM Idle Packet                     | 5555                         |
|      | CLCW                               | 01002000                     |
|      | FECW                               | 1929                         |
|      | LDPC Parity Bits and Zero Fill Bits | ae6fdf5dd16cfb2c55afe4e9e990 |
|      |                                    | e3b815a463a79df9f2b936af33bf |
|      |                                    | d9ce19d14804aa21796b3cf297e5 |
|      |                                    | a56ae5bc90ef0d56b0ada370506f |
|      |                                    | aab53bb651e75db65c7f8f8586e2 |
|      |                                    | 64bc787735baf6c61526c6b65da0 |
|      |                                    | 940a856068d2411afebe0c40425e |
|      |                                    | 30b97c20d4230a52bbf0d6aafd10 |
|      |                                    | b3d891cfd8dba41b90b7a0b2013e |
|      |                                    | 8904                         |

#### **IV. CONCLUSION**

This paper presented a radiation-hardened reconfigurable hardware platform to implement a telecommand and telemetry module in CubeSats, called Payload-X. The developed platform consists of a PCB designed to be radiation-hardened, an MCU to manage the reconfiguration process and a radiation-hardened FPGA responsible for implementing the telecommand and telemetry module.

Simulations were performed to verify the capability of the FPGA reconfiguration. Also, the TC and TM flows were tested to validate the coding and decoding algorithms present in the implementation.

While the simulated results show efficiency, in-orbit results will be considered as a next step in the validation process. The platform will be used for the in-orbit validation (IoV) of two new components never tested in-flight yet: the novel space-class BRAVE FPGA, which has been developed in France; and an IP Core for telemetry and telecommand following the CCSDS standard. This experiment will be handled along the FloripaSat-I mission of the Federal University of Santa Catarina, in the form of a payload.

## ACKNOWLEDGMENTS

The authors are grateful for the support of CAPES, the Brazilian Federal Agency for Support and Evaluation of Graduate Education. This work was partially supported by CNPq/Brazil grants 151390/2018-5.

#### References

- [1] D. A. Ebert, "Design and development of a configurable fault-tolerant processor (CFTP) for space applications," 2003.
- [2] P. Pingree, D. Bekker, T. Werne, T. Wilson, and B. Franklin, "The COVE Payload - A Reconfigurable FPGA-Based Processor for CubeSats," in *California Institute of Technology - Small Satellite Conference*, (Logan, UT), p. 8, Jet Propulsion Laboratory, 2011.
- [3] F. Viel and C. A. Zeferino, "A Module for Remote Reconfiguration of FPGAs in Satellites," (Bariloche), pp. 50–53, IBERCHIP workshop, 2017.
- [4] C. Carmichael, E. Fuller, P. Blain, and M. Caffrey, "SEU Mitigation Techniques for Virtex FPGAs in Space Applications," *Architeture*, pp. 1–11, 1999.
- [5] D. M. Fleetwood, P. S. Winokur, and P. E. Dodd, "An overview of radiation effects on electronics in the space telecommunications environment," *Microelectronics Reliability*, vol. 40, pp. 17–26, jan 2000.
- [6] R. Velazco, P. Fouillat, and R. Reis, *Radiation effects on embedded systems*. Dordrecht: Springer Netherlands: Springer, 2007.
- [7] NanoXplore, "NX1H35S Datasheet," NanoXplore, vol. 1.6, no. March, pp. 1–70, 2018.
- [8] CCSDS, "The Consultative Committee for Space Data Systems The Official Web Site." [Online] Available: https://public.ccsds.org/default.aspx, 2018. Accessed on 2018-10-02.
- [9] J. Benfica, L. M. Bolzani Poehls, F. Vargas, J. Lipovetzky, A. Lutenberg, E. Gatti, and F. Hernandez, "A Test Platform for Dependability Analysis of SoCs Exposed to EMI and Radiation," *Journal of Electronic Testing*, vol. 28, pp. 803–816, dec 2012.
- [10] V. Martin, P. Villa, L. Slongo, J. Salamanca, F. Sabino, S. Martinez, L. Mariga, I. Vidal, B. Eiterer, M. Baldini, M. Felix, A. Spengler, F. Melo, D. Lettnin, and E. Bezerra, "The experience of designing and developing the on-board electronics of a Cubesat in Brazil," *1st IAA Latin American CubeSat Workshop*, vol. 2, no. 3, pp. 69–73, 2016.
- [11] P. Villa, L. Slongo, J. Salamanca, V. Martins, F. Silva, S. Martinez, L. Mariga, B. Eiterer, I. Vidal, V. Menegon, *et al.*, "A complete cubesat mission: the floripa-sat experience," in *1st IAA Latin American Cubesat Workshop*, vol. 2, pp. 307–314, 2014.
- [12] V. Gupta, A. Bosser, G. Tsiligiannis, A. Zadeh, A. Javanainen, A. Virtanen, H. Puchner, F. Saign, F. Wrobel, and L. Dilillo, "Heavy-ion radiation impact on a 4 mb fram under different test modes and conditions," *IEEE Transactions on Nuclear Science*, vol. 63, pp. 2010–2015, Aug 2016.
- [13] F. Irom, G. R. Allen, and D. J. Sheldon, "Heavy Ion, Proton and Electron Single-Event Effect Measurements of a Commercial Samsung NAND Flash Memory," in 2016 IEEE Radiation Effects Data Workshop (REDW), 2016.
- [14] G. Tsiligiannis, L. Dilillo, A. Bosio, P. Girard, S. Pravossoudovitch, A. Todri, A. Virazel, J. Mekki, M. Brugger, F. Wrobel, and F. Saigne, "Evaluating a radiation monitor for mixed-field environments based on SRAM technology," *Journal of Instrumentation*, vol. 9, no. 5, pp. 1663–1670, 2014.
- [15] E. A. Bezerra, G. M. Almeida, L. R. Azevedo, and C. G. Ferreira, "An adaptive communications module for on-board computers of satellites," in 2010 NASA/ESA Conference on Adaptive Hardware and Systems, pp. 317–324, June 2010.
- [16] G. Almeida, E. Bezerra, L. Cargnini, R. Fagundes, and D. Mesquita, "A Reed-Solomon Algorithm for FPGA Area Optimization in Space Applications," in *Second NASA/ESA Conference on Adaptive Hardware* and Systems (AHS 2007), pp. 243–249, IEEE, aug 2007.
- [17] L. V. Cargnini, R. D. R. Fagundes, E. A. Bezerra, and G. M. Almeida, "Parallel Algebraic Approach of BCH Coding in VHDL," in 2007 International Multi-Conference on Computing in the Global Information Technology (ICCGI'07), pp. 22–22, IEEE, mar 2007.
- [18] ECSS, "ECSS-E-ST-70-41C Space engineering Telemetry and telecommand packet," 2016.
- [19] T. K. Moon, Error correction coding : mathematical methods and algorithms. Wiley-Interscience, 2005.
- [20] J. Benfica *et al*, "Analysis of sram-based fpga seu sensitivity to combined emi and tid-imprinted effects," *IEEE Transactions on Nuclear Science*, vol. 63, pp. 1294–1300, April 2016.