Reconfiguring an FPGA for space travel
It is possible to reconfigure radiation-hardened Xilinx FPGAs with the reliability required for space applications, writes a team of developers from the RF and microwave design department of Germany-based Fraunhofer IIS.
In 2017 the experimental Heinrich Hertz communications satellite (H2Sat) commissioned by the German Federal Ministry of Economics and Technology will be launched into space, to support research into communications technologies operating in the Ka and K bands.
H2Sat contains a regenerative transponder built around a reconfigurable processor developed at Fraunhofer IIS in Erlangen, Germany.
The ability to reconfigure the transponder’s processor for various tasks saves space, reduces weight and enables systems to support future communications protocols.
In this example, the processor is implemented on radiation-hardened Xilinx Virtex-5QV FPGAs, which are designed to have resistance to total ionising dose and single-event effects. They also withstand high vibration and thermal cycling.
A special configuration methodology combining a new configuration method in parallel with a fail-safe partial-reconfiguration method ensures the system can be reconfigured reliably in space and is not vulnerable to a single point of failure.
The new configuration method uses an external radiation-hardened configuration processor with a rad-hard mass memory (for example, flash). The (partial) bit file is stored in the memory and the processor configures the FPGA with the bit stream. This offers flexibility if the design requires a full FPGA reconfiguration and has many bit files on-board.
Bit files are updated or verified via a telemetry channel or a digital communication up- or downlink.
This method is non-redundant. If the processor or configuration interface fails, as illustrated in Figure 2, reconfiguration becomes impossible.
The initial configuration method is designed to be a “fail-safe configuration” method: it allows self-reconfiguration of the FPGAs and is also used for initial configuration. Only one radiation-hardened non-volatile memory (PROM or magnetoresistive RAM) is needed per FPGA to store the initial firmware.
Using both methods in parallel combines the advantages of each while increasing reliability by overcoming the single-point-of-failure problem. Figure 2 illustrates both configuration methods for one FPGA.
The fail-safe configuration method
The FPGA configures itself with the initial configuration at start-up of the on-board processor. Configuration uses either the serial master configuration protocol with PROM, or the Byte Peripheral Interface of a magnetoresistive RAM (MRAM).
The firmware of the initial configuration is separated into dynamic (blue) and static (light-red and red) areas, as shown in Figure 2. Partial reconfiguration (PR) allows dynamic areas to be reconfigured while static and other dynamic areas are still running.
After the FPGA automatically configures itself with the initial firmware, it is ready to receive new partial bit files, or even complete ones (only with MRAM). A transmitter on Earth sends these files over the uplink to the satellite.
After signal conditioning and digitizing, the first reconfigurable partition (RP0) inside the FPGA receives the digital data stream. RP0 performs a digital demodulation and decoding. The Block RAM (BRAM) shares the packed bit file with the FPGA’s embedded soft-core processor, called MicroBlaze.
The processor unpacks the bit file and stores it in the SRAM or SDRAM. It reconfigures a dynamic reconfigurable partition (RP) or all RPs with a direct-memory access (DMA) via the Internal Configuration Access Port (ICAP). The static part of the FPGA should not be reconfigured.
In case of an overwritten RP0, a high-priority command over the satellite control bus could reboot the on-board processor. This command would restore the initial fail-safe configuration.
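The checks a soft-core processor could apply to a buffered bit file before writing it to ICAP, shown as an added example that is not the authors' firmware. The header layout, partition numbering, status codes, the RP0 opt-in flag and the choice of CRC-32 are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed partition numbering; the article names only RP0 and the static area. */
enum { RP0 = 0, RP_LAST = 3, REGION_STATIC = 0xFF };

/* Assumed header carried with each unpacked partial bit file. */
typedef struct {
    uint8_t  target;     /* partition to reconfigure */
    uint8_t  allow_rp0;  /* explicit opt-in to replace the uplink receiver */
    uint32_t length;     /* payload size in bytes */
    uint32_t crc32;      /* CRC-32 of the payload */
} pr_header;

typedef enum { PR_OK, PR_BAD_TARGET, PR_RP0_LOCKED, PR_BAD_LENGTH, PR_BAD_CRC } pr_status;

/* Bitwise CRC-32 (IEEE 802.3, reflected). Detects corruption only; it does
   not authenticate the sender of the uplinked file. */
static uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Gate to run on the buffered file before any data is written to ICAP. */
pr_status pr_validate(const pr_header *h, const uint8_t *buf, size_t buf_len) {
    if (h->target > RP_LAST) return PR_BAD_TARGET;          /* static or unknown */
    if (h->target == RP0 && !h->allow_rp0) return PR_RP0_LOCKED;
    if (h->length == 0 || h->length > buf_len) return PR_BAD_LENGTH;
    if (crc32_ieee(buf, h->length) != h->crc32) return PR_BAD_CRC;
    return PR_OK;
}

int main(void) {
    const uint8_t payload[] = "123456789";   /* constructed stand-in for a bit file */
    pr_header good = { 1, 0, 9, 0xCBF43926u };
    pr_header stat = { REGION_STATIC, 0, 9, 0xCBF43926u };
    pr_header rp0  = { RP0, 0, 9, 0xCBF43926u };
    printf("%d %d %d\n", pr_validate(&good, payload, 9),
           pr_validate(&stat, payload, 9), pr_validate(&rp0, payload, 9));
    return 0;
}
```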
Reconfigurable partitions can also be used for new applications, such as digital transmitters, digital receivers, or replacement of a highly reliable communications protocol, or to reconfigure and switch to new sub-modules like demappers or decoders for adaptive coding and modulation.
The entire fail-safe configuration bit file can be replaced with a new double-checked initial bit file via MRAM as storage for the initial configuration, if required. With a digital transmitter, the on-board processor can also send the configuration data back to Earth in order to verify bit files on the ground.
A major benefit of using both configuration methods is an increase of the overall system reliability. Over this 15-year mission, reliability of the most important procedures such as configuration depends on the failure-in-time (FIT) rates of both configuration methods.
Studying a representative configuration processor and its peripherals suggests a typical FIT rate of 500 for the new configuration method. The PROM achieves a much better FIT rate of 61 (part stress method for failure-rate prediction at operating conditions according to MIL-HDBK-217).
Since both methods are single points of failure, only parallel operation can significantly increase the reliability of the configuration procedure. Calculating the standalone reliability using the given mission parameters gives Rsc of 0.9364 for the new configuration method. This compares with Ric of 0.9920 for the initial configuration method.
The overall configuration reliability for systems in parallel (Rc) is 0.9929. Comparing Rc and Rsc shows a 5.65% increase in reconfiguration reliability.
The initial configuration method has some restrictions in terms of FPGA resources. Nevertheless, the whole FPGA can be reconfigured anytime using the same configuration method if the external configuration processor is still operating.
Both methods can correct failures of the FPGA caused by configuration single-event upsets. For the new configuration method, the external configuration processor performs scrubbing, as does the self-scrubbed soft-core processor for the initial configuration method.
Implementing Fail-Safe Configuration
Figure 2 illustrates the detailed architecture of one of the on-board processor’s FPGAs. The FPGA is divided into three parts: processor, RPs and static intellectual-property (IP) cores such as BRAM, RocketIO and digital clock manager (DCM).
An SRAM and an SDRAM are attached alongside the PROM or MRAM to enable applications like temporary packet buffers and content storage (for example, video files). The memory multiplexer block (Mem Mux) multiplexes the memory to RPs or to the soft-core processor elements for increased flexibility. Semaphores control the multiplexer via a general-purpose input/output (GPIO) connection.
As a result, only one region can use the single-port memory at any given time. The initial configuration also contains internal memory with BRAM, presenting an opportunity for fast data exchange between both regions.
The build wrapper in Xilinx Platform Studio (XPS) enables a universal integration of the MicroBlaze processor with support and connection of independent ports.
The RP switching block connects the RPs by means of settings in the RP switching configuration. A data flow control (DFC) manages the data flow among the RPs. Inter-FPGA communication is via RocketIO and low-voltage differential signaling (LVDS).
The main part of the implementation is the system design and floorplanning which combines the processor system, IP cores, software design and the reconfigurable modules in hardware description language (HDL). We also defined the location of RPs, planned design runs, chose a synthesis strategy and constrained the design in this step.
A BRAM memory map file defines the BRAM resources for data and instruction memory. This enables an integration of the initial MicroBlaze software in the bit file.
Currently we are developing a highly reliable receiver for the first partition (RP0), which will be used in the initial configuration (on the satellite) to receive the configuration data (demodulating, demapping, deinterleaving and decoding it).
The concept has been proved in a commercial Virtex-5 FX130. At this point, we are about to port this design to the Virtex-5QV and implement further features, such as triple-modular redundancy or error-correction codes.
A single point of failure regarding FPGA configuration is a problem in high-reliability applications. An initial configuration, which needs only one additional device per FPGA, can help overcome this issue. Partial reconfiguration enables the remote FPGA configuration via this fail-safe initial configuration. Using both configurations in parallel combines their main advantages: a 5.65% increase in configuration reliability with the flexibility to reconfigure the complete FPGA.
Authors are Robért Glein, System Engineer, Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), Information Technology (Communication Electronics); Florian Rittner, Firmware Designer, Fraunhofer IIS RF and Microwave Design Department; and Alexander Hofmann, Telecommunications Engineer, Fraunhofer IIS RF and Microwave Design Department.