International Workshop on Satellite Based Traffic Measurement
Berlin, Germany, September 9th and 10th 2002
TECHNISCHE UNIVERSITÄT DRESDEN

Onboard Computer and Data Handling of MultiSat
Peter M. Behr
Fraunhofer Institute for Computer Architecture and Software Technology (FIRST)

Content:
- System Architecture
- Computing Node
- Communication, I/O
- Software Structure

System Architecture

[Figure: system architecture. Hardware: scalable, homogeneous, symmetric, distributed, fault tolerant multi computer system; I/O devices: receivers, senders, wheels & IMU, cameras & others, analogue devices, GPS, star sensors. Software: uplink manager, downlink manager, intrinsic applications, IO managers, user applications; command bus, housekeeping bus, inter-application bus.]

- scalable: additional nodes increase the performance and also extend the total lifetime (graceful degradation); spare nodes may further increase lifetime
- homogeneous: identical node computers (3-16), connected by a redundant communication system
- symmetric: each node is able to execute all tasks
- distributed: nodes are separate units; control is distributed among the nodes (no single point of failure)
- fault tolerant: based on redundancy (hardware and software); minimum three nodes for TMR
- multi computer system: nodes are self contained computers (processor, memory, I/O)

Computing Node

[Figure: block diagram of one node of the onboard computer system. Labels: MPC82xx (CPU, CPM), EDC, DRAM, FLASH, local bus, memory bus, FPGA, IP, 2 x Ethernet, serial I/O, parallel I/O, digital I/O, fail safe communication interface, fail safe analog input interface, latch up monitor, ADC, analog MUX, fail safe device interfaces.]

Computing Node

- Embedded processor, memory and control functions based on newest VLSI technology
- Small number of parts, low power dissipation, no cooling problems, low weight and space requirements
- Industrial versions of COTS components conform to the conditions on satellites, except for the radiation problems:
  - SEU: EDC memory, multiple copies of the software in FLASH memory, self checking design of FPGA logic
  - SEL: radiation tolerant components and latch-up protection for endangered parts
  - Total dose: pre-qualification includes a radiation test to ensure that the selected components fulfill the requirements according to the expected lifetime of the satellite

Computing Node

Further self-test and diagnosis features in each node:
- extensive self-test after power-on and reset
- boundary scan interface for detailed remote diagnoses
- maintenance by updating firmware and software of a node
- monitoring of the temperature of critical components
- alive monitors for hardware and software functions (watch-dog)

Computing Node

[Figure: block diagram of the embedded PowerPC processor (MPC8260).]
- EC603e™ PPC core
- MMU, FPU, 32 KB cache, power management
- SDRAM controller, RTC, timer, watchdog, COP, JTAG
- Communication processor supports a variety of serial and parallel I/O protocols
- 2.0 V internal and 3.3 V I/O
- only 2.5 W

Computing Node

[Figure: prototype of the MultiSat node computer. Labels: PowerPC MPC 8260 (200 MHz), FPGA, EDC DRAM memory, Flash 4-64 MByte, Ethernet, debug port, latch-up monitor, telemetry I/O interface (downlink), downlink image data, modem interface, serial I/O interface, UART 8 x RS 485, UART 8 x serial, UART parallel, 64 x analog input, I2C, COBT, timer.]

Communication and I/O Structure

- redundant bus system for inter node communication
- each node interfaces to the main I/O devices
- fail safe communication and I/O interfaces
- faulty nodes can be isolated from the busses (even in the case of a stuck-at error)

Software Structure

[Figure: software structure. Labels: real time operating system; satellite control task, uplink manager, downlink manager, I/O manager, Java Virtual Machine with user applications; comm. interfaces; status/result bus, command bus, inter application bus.]

- The Linux based operating system kernel provides pre-emptive multi tasking, priority and real time based scheduling, memory management, and communication
- Three software busses across node boundaries provide secured, fault tolerant and location independent communication among the tasks

Software Structure

- Except for the basic operating system, all functions of the satellite are implemented by dedicated tasks that have unified interfaces to the busses of the software back-plane.
- I/O manager tasks and the up-link and down-link managers provide location transparent access to the I/O devices.
- I/O manager tasks also handle the problems of replicated tasks and physical I/O interfaces: inputs are accessible by all nodes, but only the I/O manager task of the active nodes will drive the physical output lines. All nodes can read back the output lines.
- Highly modular and configurable design by simply plugging software components in and out of the back-plane.

Software Structure

- Satellite control tasks access the operating functions directly via the dedicated software busses.
- A Java Virtual Machine (JVM) provides an encapsulated execution environment for user specific applications.
- The vital control functions of the satellite are protected from the user applications and are scheduled with higher priority than the task implementing the JVM.
- Applications can be dynamically loaded and executed based on Java ‘applet’ or ‘servlet’ mechanisms.
- Java2 provides internet based communication services (including security), and hardware independence of the applications.

Software Structure

- To implement fault tolerance, mission critical tasks are replicated and executed in different nodes to allow for voting or monitoring of actions.
- Tasks with high performance requirements can be executed on several nodes by means of parallel processing.
- To handle the dynamically changing mission requirements for performance, memory space, and dependability, it is possible to switch nodes on and off and redistribute the control and application tasks.
- Unification of the different computing functions of a satellite into a single highly redundant system allows for a close cooperation between the different tasks and optimizes the flexible utilization of the redundant computing resources.
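
An added example, not taken from the slides or from the MultiSat software: a majority voter over the results of a replicated task, which masks one faulty node out of three and isolates a node that keeps disagreeing. The names voter_t, vote and demo, the threshold ISOLATE_AFTER and the sample results are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_NODES     16  /* the slides give 3-16 identical nodes */
#define ISOLATE_AFTER 3   /* assumed: consecutive disagreements before isolation */

typedef struct {
    int active[MAX_NODES];   /* 1 = node still takes part in voting */
    int strikes[MAX_NODES];  /* consecutive disagreements with the majority */
} voter_t;

/* Vote over one result per node (n <= MAX_NODES). Returns 0 and stores the
 * majority value in *out, or -1 when no strict majority of active nodes agrees. */
int vote(voter_t *v, const uint32_t *result, int n, uint32_t *out)
{
    int active = 0, best = -1, best_count = 0;
    for (int i = 0; i < n; i++) {
        if (!v->active[i]) continue;
        active++;
        int count = 0;
        for (int j = 0; j < n; j++)
            if (v->active[j] && result[j] == result[i]) count++;
        if (count > best_count) { best_count = count; best = i; }
    }
    if (best < 0 || 2 * best_count <= active)
        return -1;                       /* fault detected but not maskable */
    *out = result[best];
    for (int i = 0; i < n; i++) {        /* track and isolate dissenters */
        if (!v->active[i]) continue;
        if (result[i] == *out) v->strikes[i] = 0;
        else if (++v->strikes[i] >= ISOLATE_AFTER) v->active[i] = 0;
    }
    return 0;
}

/* Constructed run: node 1 returns a corrupted result in every round. */
int demo(void)
{
    voter_t v = { {1, 1, 1}, {0} };
    uint32_t rounds[4][3] = { {7, 9, 7}, {8, 2, 8}, {5, 6, 5}, {4, 1, 4} };
    uint32_t out = 0;
    for (int r = 0; r < 4; r++)
        if (vote(&v, rounds[r], 3, &out) != 0) return -1;
    return v.active[1] ? -2 : (int)out;  /* node 1 isolated, last vote = 4 */
}

int main(void) { printf("demo -> %d\n", demo()); return 0; }
```

With only two nodes left, a disagreement is still detected (vote returns -1) but can no longer be masked, which is why three nodes are the minimum for TMR.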