# 2

A Robust Nanosatellite OBC Created with SEL and SEU Immunity as a Driving Requirement

## **OBC Design Drivers**

- Number of in-house missions requiring a robust 32bit OBCfor on-board data handlingfunction.
- No existing alternative within the typical CubeSat price point with the required level of resilience.
- Required characteristics included:
  - TID compatibility for 5 years in LEO.
  - Mitigation for SEE, SEL tolerant.
  - Low power consumption
  - Compatible with 80%+ of missions' requirements.
  - Compatible with the current Clyde Space/Bright Ascension Software product.
- Result is a layered SEE mitigation system, where hardware, firmware and software cooperate to create a robust protection system .



### **PROCESSOR SELECTION**

#### **FPGA vs MicroController**



**Total mission - Ions** 

1.00E+02

#### **FPGA**



- FPGA SoC with integrated hard processor selected.
- Hard ARM Cortex M3 = low power
- >100DMIPS
- FPGA allows custom blocks:
  - Memory controller
    - EDAC
  - TMR GPIO Ports
  - DTMF decoder
  - ... more





#### **MEMORY SUBSYSTEM**

#### **TID Performance**

- Several technologies and components evaluated for non-volatile memory.
  - Flash devices, EEPROMs, PCRAM and MRAM

Ferromagnetic memory and Magneto-resistive memories have a large tolerance for TID (partly due to the standard CMOS I/O interfaces).



#### **SEE Performance**

- Tolerance to SEL of these devices on par with other memory technologies
- Results for a specific MRAM device suggest that it is essentially immune to latch-up, with no events recorded at 84 Mev/mg/cm2 (ref: JPL/NASA).
- Memory fabric for both ferromagnetic and magneto-resistive memories essentially immune to bit-flips, however I/O interfaces are not.
- MRAM 2 device selected with an ECC code implemented for high performance for TID and SEE.

Single Event Latchup Cross Section







### **PROTECTION AGAINST SEE**

#### **Multiple levels of SEE protection**

- Multi-layer approach to SEE
- Hardware
  - LCL SEL Protection
  - Hot plug for power cycling
  - Non-volatile mem allows transparent recovery
- Firmware
  - EDAC/SECDED
- OS/Drivers
  - Retry & scrub mechanism
- Application
  - Logging, Checkpointing



## **Memory Operational Modes**

- The following modes of operation are supported by the memory system:
  - Mirrored Memory -
    - The selected memory bank is partitioned and automatically replicated by hardware on write operations.
    - Upon encountering a multi-bit read error the memory system retries the operation from the replicated bank.
  - Write Verify Mode -
    - If enabled every write operation is followed by a read-back which verifies the operation
  - EDAC Mode -
    - This is always enabled and provides SECDED protection to all memory.
    - A dual memory map is implemented, where in one location the memory is accessible in its RAW form, whilst in the other the protected memory is visible

## **RAM/ROM EDAC Protection**

- SECDED protection is implemented in hardware using a (18,6) custom Hsiao shortened Hamming code.
- The system provides:
  - 1. Transparent SECDED protection
  - 2. Transient (SEFI) protection
  - **3**. Status (count) of single and double faults
  - 4. Interrupt on fault/double fault capability
  - 5. Bus error signals on single/double fault
  - 6. Access to RAW (unprotected) memory via a dual memory map configuration
- Transient faults are dealt via an automatic retry mechanism with elevation to a software handler on double failures.





- Data is SECDED protected
  - Organisation allows for 32 and 16 bit word writes without needing read/modify/write cycles = fast access.
- SECDED not enough! Address protection using Hash. Detects transient (SEFI) errors in control/address decoding logic (i.e. Write/Read from wrong address)

#### **Transparent SEU/SEL correction**

#### Transparent SEU correction

- Interrupt/scrubbing used to write back corrected data
- Transparent Latch-up recovery
  - Automatic power cycle of memory buses
  - No loss of data due to Non-volatile memory





#### SYSTEM BLOCK DIAGRAM





#### **Comm Interfaces**

#### Intra-Board

- I2C
- SPI
- GPIO
- UART
- ADC TLM
  - 22 Board Telemetry channels

- 17 GPIO (LVDS support)
- 2x I2C

**Inter-Board** 

- SPI (6 CS lines)
- 4x RS232/422/485
- CAN
- Spacewire & QuadSPI
- DMA/PDMA support
- JTAG, DTMF







#### **End Result**



#### 17 GPIO (7 LVDS), 2xI2C, RS422/2x232, CAN









#### Summary

New OBCs for that is designed to meet over 80% of all CubeSat mission requirements.

Designed for LEO operation with TID and SEE performance a critical design driver.

The solution provides a highly resilient data handling solution with multiple layers of protection inherent to design.

Designed to the same exacting product assurance requirements and high quality as all Clyde Space products.

Now in full production at Clyde Space.