February 24 – Final Review, Airbus Defence and Space, Ottobrunn, Germany

On the 24th of February 2017 the TCLS ARM FOR SPACE project coordination board gathered with the project officer from the European Commission and an external expert in Ottobrunn (near Munich). The project reported about their achievements during two year of R&D in TCLS ARM FOR SPACE. The project results were positively received by the European Commission.

The following provide highlights on the TCLS ARM FOR SPACE project:
An embedded system is some combination of computer hardware and software, either fixed in capability or programmable, that is designed for a specific function or for specific functions within a larger system. For example, industrial machines, agricultural and process industry devices, automobiles, medical equipment, cameras, consumer electronics, airplanes, vending machines and toys as well as mobile devices are all possible locations for an embedded system.
Complexity of such embedded systems varies from low, with a single microcontroller chip, to very high with multiple units, peripherals and networks mounted inside a large chassis or enclosure.

Of course, space domain is a perfect target for embedded systems, covering launchers, satellites, space probes and rovers. Among these embedded systems, high performance control and data processing have rapidly emerged as a key technology, on one hand in satellite payloads, especially in telecom, but also in earth observation or science missions. As data throughput and the amount of data channels increases, the need for data management and data processing is becoming more important. On the other hand, for platform control, safety is an important requirement to ensure the execution of the mission.

The digital processing equipment’s typically contain many Application Specific Integrated Circuits (ASICs) and Field Programmable Gate Arrays (FPGAs). One of the main challenges of space integrated circuits is to resist to radiations. In addition to the use of specifically rad-hardened technology, different mechanisms exist to improve the behaviour of a function to a radiation event.

Currently existing space-grade processors are not suitable to be used in the next generation spacecraft computing platforms because they do not provide sufficient performance, power-efficiency and are too expensive.

The TCLS ARM FOR SPACE project aims at retargeting an ARM processor designed for terrestrial applications for space and telecom applications by incorporating an innovative radiation tolerance technology into the existing ARM processor, assessing the radiation tolerance aspects and demonstrating its robustness in a laboratory environment.

ARM processors are known to be extremely power-efficient and low-cost while providing high performance and are at the core of the vast majority of terrestrial application markets such as smart phones, tablet computers, and other embedded devices. Future space processors and current terrestrial are now converging, as for safety and mission critical market segments there is a growing concern about radiation effects even at the ground level.

ARM is a European company, based in Cambridge (UK) that proposes different processing IP cores named Cortex for integration into silicon. To summarize the ARM offer, three families of Cortex processing cores are available, named A, R and M. Among the three different families of ARM Cortex processors available, we have selected for this TCLS ARM FOR SPACE study the Cortex-R5.

Indeed, the Cortex-R Series offers performance for real-time applications. These processors have been developed for deeply embedded real-time applications with interesting features dedicated to safety such as ECC (Error Correcting Code) on the internal busses, and a Lock-Step configuration of the processors. Typical applications include Automotive braking systems, Powertrain solutions, and Mass storage controllers. Their architecture, dedicated to safety critical applications, lead these ARM Cortex-R processors to be very interesting for space applications, provided additional hardening mechanisms, and analysis of technology and feasibility assessment.

Considering all these elements, TCLS ARM FOR SPACE targets the following high level objectives:
• Bring one of the mainstream CPUs with the largest software eco-system into the space sector (ARM Cortex R5)
• Establish an innovative radiation hardened methodology for this CPU making it attractive to both space and terrestrial applications
• Assess the radiation-hardening by design (RHBD) of a single processor core and the radiation-hardening by architecture (RHBA) of a Triple Core Lockstep (TCLS) core in terms of performance, power and radiation tolerance; take into account the specific challenge of increased susceptibility to failures with shrinking technologies, both for space and non-space sector
• Study the portability to European latest and highest performance hardened semiconductor technology (STM65nm)
• Perform a bread boarding of elements of the System-on-Chip on a FPGA platform
 These objectives have been achieved by the collaboration of the most experienced companies in this field, namely Airbus Defence and Space (G, F) for specific heritage on high reliable and radiation hardened systems, ARM (UK) providing its excellence in the processor core IPs and know-how in this field of developments and Atmel (F) and Dolphin (F) contributing with their space and STM65nm technology experience and knowledge respectively. This project has allowed the incorporation of research groups (ARM Research Group) and SMEs (Dolphin) into the space landscape.

In summary, this project will pioneer a fully European high-performance and low-power processor technology for space market, for evaluation and technical assessment before implementation in future space applications.

Airbus DS, ARM, Atmel and Dolphin are part of this H2020 consortium and have collaborated to bring this innovative technology into the European Space industry.

Under the coordination of Airbus DS, this H2020 project was structured into nine technical work packages, one specifically looking at exploitation, and one management work package. ARM and Airbus DS have mainly contributed to tasks relative to the TCLS design itself and validation, when Atmel and Dolphin have mainly contributed to the TCLS feasibility assessment with regards to the 65nm technology available in Europe.

In a first step, Airbus DS has collected the stakeholders’ needs for a new ARM-based System on Chip. This collection involved other Airbus DS electronic divisions including Software engineering team. It has covered the analysis of the needs for several types of application or equipment in order to generate a consolidated requirement specifications for a new SoC, and the requirement specification of a processing core subsystem hardened by triplication mechanism, and called TCLS (Triple Core Lockstep)

Then an architectural concept of a TCLS ARM-based System-On-Chip has been analysed and defined. The interfaces have been identified and the peripheral building blocks have been selected.
In addition we have defined a reduced architecture for the demonstrator and a reduced architecture for the SoC that has supported the Feasibility Study performed later on.

The TCLS voter logic block itself has been developed by ARM with three Cortex-R5, as described in the next chapter on Figure 2. The TCLS has been validated by simulation, with fault injections performed on the different blocks of the whole TCLS processing system.

This TCLS block has then been synthesized on the STM 65nm Rad Hard technology, in order to produce different netlists, one with a single core and one with a triplicated TCLS core, ready for the next step, the physical implementation with different libraries (standard and radiation hardened).
The objective was to assess the ASIC feasibility and compare the different implementations to give data in term of area and performances for a future choice architecture/technology.

In parallel of the development of the TCLS itself, the ARM Cortex-R5 and the TCLS Technology have been analysed in regards to the protection mechanisms needed for reliable space applications in order to define recommendations for a future development of a SoC (System on Chip) ASIC based on an ARM core with regards to radiation hardening techniques. An analysis of the chip sensitivity has been done based on the sensitivity figures (error rates) of the targeted 65nm technology.

At hardware level, a demonstrator design around the single core Cortex-R5 has been created and mapped onto FPGA hardware. Then, in a second phase, the single processor core has been replaced by the new TCLS designed during the project, allowing demonstrating the basic features of the implemented architecture with focus on benchmark tests. For these tests on an FPGA-based hardware prototyping platform, test software has been developed to demonstrate the TCLS functionalities and performances.

Different publications have been issued during the project development, for EUROSPACE DASIA 2015 & 2016, for ADCSS ESTEC 2016, for IEEE DSN and DFT.
So the TCLS ARM FOR SPACE development and results has been shared on different workshops and conferences (DASIA, ADCSS…), which allowed obtaining feedback from all the major actors of the space industry, including ESA and potential users of this technology. Final results and conclusions will be presented during DASIA 2017 for which a paper has been submitted and selected.

To summarize the state of the art around the safety mechanisms implemented in processing cores, in its “standard” version proposed by ARM, the Cortex-R5 offers the possibility to be used in a Dual-Core Lock Step (DCLS) configuration where a second redundant CPU can run in lock step with the first one. In that case, both cores execute the same code, share inputs and caches, and the outputs of the CPU are compared at every cycle to detect errors. This feature is used mainly in safety-critical automotive and industrial control systems.

In its “dual core” configuration, this Lock-Step mechanism allows detecting an error that could occur in one of the two processors, but it does not allow identifying which one of the two cores is in error in case of difference between the two cores. So as shown on the following figure, the DCLS control logic can raise a flag signal for error detection, but the output shall be discarded to avoid failure propagation.


news_1889_figure1

Figure 1. Dual Core Lockstep (DCLS)

A mechanism based on a triplication of the cores would allow the error detection, but would also allow identifying which one of the three cores differs from the two others. That’s why it has been proposed to extend the DCLS (Dual Core Lockstep) concept to the implementation of three cores. This triplication concept applied to the ARM core has been named TCLS (Triple Core Lockstep).

This mechanism is associated to a control logic performing a majority voting on the three cores to identify if one out of the three is different from the two others, which would probably indicates that a radiation event has occurred on this processing core.

news_1889_figure2

Figure 2. Triple Core Lockstep (TCLS)

So as shown on the previous figure, the TCLS control logic can raise a flag signal for error detection, but the control logic can also, thanks to majority voting, continue to output a set of correct signals, leading to no interruption of service, contrary on what can be achieved with DCLS.

In addition to the error detection, the mechanism of reinsertion of the erroneous core has been implemented, in order to come back to a situation similar to the situation before the error occurrence, minimizing the reinsertion process duration.

Now we can check the state of the art in term of processing performances for space. Existing System on Chip (SoC) designed for space are based on LEON2/LEON3 cores, on 180nm technology, allowing a maximum frequency of 80MHz-100MHz, so a maximum performance of around 100 MIPS, but more typically working between 40 and 80 MIPS.

The TCLS ARM FOR SPACE study has demonstrated that more than 300MHz can be achieved with an ARM-based SoC targeted on the 65nm, so with the Cortex-R5 and its 1.66 DMIPS/MHz performance, it leads to more than 500 DMIPS, showing a breakthrough of a factor 5 to 10 with regards to existing “Space” SoC.

With these elements, the TCLS ARM FOR SPACE paves the way to the availability of a new high performance processing core for Space, without any compromising on the safety aspects, perfectly in line with The European Space industry increased needs with regards to processing capability and safety for payload and platform applications.

It is also important to mention that the selected processing core is being restricted to export control regulation and so is a European technology.

So as a summary, the TCLS ARM FOR SPACE study has allowed to:
• Provide an improved fail functional ARM solution compared to existing fail safe methods.
• Consolidate the features, functions and interfaces needed for a future SoC covering the needs for the next generation of platform computers and payload data processing units.
• Configure, simulate and implement an ARM Cortex-R processing subsystem, including the processing core but also the trace & debug block, and the network interconnect.
• Work on the definition, architecture and technology assessment of different ARM implementations (single core / dual core lockstep / triple core lockstep). This will be directly exploited in the definition of the ARM core subsystem for this future SoC for the selection of the most appropriate implementation
• Work on the ARM Cortex-R family through the implementation of the TCLS around an ARM Cortex-R5. We have taken a particular care on the fact that all the studies and developments performed during the TCLS ARM FOR SPACE project were not locked to the use of the ARM Cortex-R5 but can also be applied to other ARM Cortex-R cores. Therefore this can be directly exploited on the new ARM Cortex-R52 that Airbus DS has selected for its future SoC.
• Obtain results of SoC implementation on the 65nm Deep Submicron (DSM) technology, paving the way to implementation of such SoC on a DSM technology (65nm, 28nm…).
• Share the TCLS ARM FOR SPACE development and results on different workshops and conferences (DASIA, ADCSS…), allowing to obtain feedback from all the major actors of the space industry, including ESA and potential users of this technology.
• Extend the partners know-how on the STM 65nm space technology.
• Develop a technology with potential interests for terrestrial applications.

This will be directly exploited for the architecture definition of the future ARM-based SoC chip under development for the Space Community, called DAHLIA (Deep submicron microprocessor for spAce rad Hard appLIcation Asic).

TCLS Cortex-R5 will also enable the implementations in commercial FPGAs for utilisation in CubeSATs and drones. ARM University Program is planning to create a standard FPGA solution implementing the TCLS Cortex-R5 to enable researchers and universities to build low-cost error-tolerant systems using TCLS Cortex-R5 in their CubeSATs and drones. Further, ARM will also engage with its eco-system partners in particular automotive Tier-1 and OEMs to explore the use of TCLS Cortex-R5 in autonomous driving. Autonomous driving requires fail functionality in many critical ECU components, and TCLS Cortex-R5 fits into the profile of fail-functional CPU sub-system.