See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/328336046

ScOSA - Scalable On-Board Computing for Space Avionics

Conference Paper · October 2018

CITATIONS READS
16 474

17 authors, including:

Carl Johann Treudler Heike Frei

5 PUBLICATIONS 34 CITATIONS
German Aerospace Center (DLR)
54 PUBLICATIONS 442 CITATIONS
SEE PROFILE
SEE PROFILE

Thomas Firchau Jörg Langwald

German Aerospace Center (DLR) German Aerospace Center (DLR)
12 PUBLICATIONS 42 CITATIONS 18 PUBLICATIONS 325 CITATIONS

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

On-Orbit Servicing - End-to-End Simulation View project

Scalable On-Board Computing for Space Avionics View project

All content following this page was uploaded by Carl Johann Treudler on 12 July 2021.

The user has requested enhancement of the downloaded file.

 –

ScOSA - Scalable On-Board Computing for Space

Avionics
Carl Treudler Heike Benninghof Kai Borchers
Bernhard Brunner Jan Cremer Michael Dumke
Thomas Gärtner Kilian Höflinger Jörg Langwald
Daniel Lüdtke Ting Peng Eicke-Alexander Risse
Kurt Schwenk Martin Stelzer Moritz Ulmer
Simon Vellas Karsten Westerdorff

German Aerospace Center (DLR)

[email protected]
Abstract

Computational demands on-board spacecraft have continuously increased for years whereas available
space qualified hardware is not capable of satisfying these requirements completely. The project ScOSA
(Scalable On-Board Computing for Space Avionics) addresses this issue by establishing a system that
combines highly reliable space qualified hardware with highly performant commercial off-the-shelf (COTS)
components. This paper introduces the basic concepts of the system but also the concrete characteris-
tics which lead to a distributed, fault-tolerant, and reconfigurable architecture. This architecture in turn
provides multiple possibilities to increase computational performance for space applications. Several demon-
strations like earth observations or robotic on orbit servicing are applied to evaluate the system capabilities.
Additionally, these demonstrations are used to show dynamic system reconfiguration for fault mitigation.

1 Introduction Furthermore, often each dedicated unit is applied

Actual and future spacecraft encounter many chal-
lenges which might require a methodology change in
the on-board computing design. On one hand the
amount of data required to be handled rises but also
the need for on-board data processing. Architec-
tures of today’s on-board computing systems have
not changed over the years. Basically, a lot of ded-
icated units are centered around an on-board com-
puter which serves as the main control instance of
the system. However, this structure leads to several
disadvantages.
Dependent on the required reliability, most or even
all units are designed to be radiation hardened which
massively affects the costs in a negative way. Ad-
ditionally, the computation performance of radiation
hardened units is relatively low.
in a redundant way whereas each spare part can only
cover units of the same type which increases the sys-
tem mass. During operation, these spare parts are
generally performing observing tasks or they are pow-
ered off entirely. This kind of operation must be
treated as inefficient from the overall workload per-
spective because available resources are not utilized.
The objective of ScOSA, as a successor project of
[1], is to solve these disadvantages. This is done by
combining space qualified and COTS components.
They are used to create computing nodes with dif-
ferent characteristics, which are connected by a net-
work. These nodes can handle a wide range of tasks
whereas they are also able to handle different tasks
throughout system operation. This reconfiguration
capability, enables the system to mask faulty nodes
and to maintain a predefined reliability. Addition-

1
ally, workload can be distributed throughout oper-
ation dynamically to utilize the available processing
capabilities efficiently.
This paper introduces the applied concepts that
are used to create an alternative kind of on-board
computing system with a distributed, fault-tolerant
and reconfigurable architecture. The distributed and
reconfigurable nature of the system also offers great
flexibility and scalability.
The remainder of this paper is organized as follows.
The related work is given by Section 2 followed by an
introduction into the core concepts of ScOSA in Sec-
tion 3. The classification of nodes and how they are
connected to form the whole system is provided by
Section 4. Section 5 describes the system’s software.
In Section 6 the evaluation by several appllied appli-
cation demonstrations is shown. This includes com-
mand and data-handling tasks (CDH), attitude con-
trol (ACS), earth-observation (EO) data-processing,
autonomous visual navigation and robotics. High-
performance is achieved by parallel processing in
combination with Field Programmable Gate Array
(FPGA) acceleration explained in Section 7. This
is done by use of COTS parts with tailored fault-
mitigation. Finally, Section 8 provides some conclu-
sions
2 Related Work
COTS components are frequently investigated for
usage in space environments. Some research is given
in [2]. The evaluation of platforms for vision-based
navigation [3] investigates both rad-hard and COTS
based systems, and shows the differences in perfor-
mance and power between rad-hard and COTS com-
ponents.
At the time the Xilinx Zynq was selected not much
was known about its performance in a radiation en-
vironment. This situation has changed, to date mul-
tiple Instances have been flown. The flight computer
CSPv1 takes advantage from utilizing COTS compo-
nents [4]. Like our approach, the CSPv1 is based on
a Xilinx Zynq and also supported by rad-hard com-
ponents. The flight computer was able to handle sev-
eral radiation tests, including an experiment on the
ISS (International Space Station), without destruc-
2
tive events. Gomspace also offers a System on Mod-
ule based on a Xilinx Zynq, the Z7000 [5], which has
been tested in orbit.
The Xilinx Zynq products, manufactured in 28nm
technology, were already subject to radiation tests.
Thereby current increasing, which was recovered by
power cycling, and corruptions of on-chip memory
were observed. However, the occurrence of destruc-
tive events were not stated [6] [7]. This product may
be a meaningful choice for systems designed to detect
and handle recoverable data corruptions.
Promising information was recently provided by
Xilinx. Existing radiation test results of Kintex Ul-
traScale indicates the device meets space domain re-
quirements even without a need for applying a RHBD
(Radiation Hardened By Design) re-design [8].
Distributed systems are not a standard ap-
proach to solve on-board computing challenges
in spacecraft. This approach for example been
addressed by the reserch project A3M [9] and
OBC-SA [10]. Also similar in the techniques applied
are Network-on-Chip approaches like [9].
An overview of fault tolerant techniques for dis-
tributed systems in space is provided in [11]. The
research also proposes a distributed spacecraft archi-
tecture based on nodes realized as a multiprocessor
system-on-chip. The system aims to provide task mi-
gration in case of faulty behavior but also workload
sharing throughout operation.
3 Core Concepts
On the conceptual level ScOSA is build around multi-
ple central concepts. These concepts enable the main
features of ScOSA. Afterwards, the added value by
the features and the concepts are elaborated.
3.1 Distributed System
As a distributed system, multiple computing devices
on nodes can be interconnected by a network. This
allows to share the workload of applications by mul-
tiple nodes, and provides potential for parallelisation
of the algorithm, and therefore a faster processing of
the algorithm.
3.2 Network-interconnected the COTS-based nodes, mainly software mitigation
means are integrated to cope with SEEs.
ScOSA uses a packet-oriented network to exchange
data between its nodes. There are no constraints
imposed regarding the network topology, allowing 3.6 Hardware Acceleration
point-to-point connections as well as fully meshed se-
Some ScOSA nodes contain FPGAs that allows the
tups.
system to load application-specific accelerators, pro-
viding a drastic increase in throughput and offering
3.3 Heterogeneous power efficient computation. The COTS CPU of
the HPN itself offers an increased computation per-
The system does not require all nodes to be iden- formance compared to the radiation-hard RCN, but
tical. This allows nodes to have different proper- with the disadvantage of a reduced reliability. Ad-
ties, adapted to specific tasks to be performed. This ditionally, the accelerator Intellectual Property (IP)
grid computing approach allows a dedicated tailoring Core of the HPN can also be changed at run time.
of the system, demanded by the constraints and re-
quirements of the technical process it controls. This
ensures a future-proof design, enabling further up- 3.7 Scalability
grades. In ScOSA, we use the Reliable Comput- The system is designed to scale over a broad range
ing Nodes (RCN) and the High Performance Nodes design parameters. For instance, we don’t impose an
(HPN), which are explained in greater detail in Sec- artificial limit to the number of possible nodes. Also
tion 4. ties to COTS technology are seen as contemporary
with future upgrades and swaps expected.
3.4 Reconfigurable
The reconfigurability of the system is an essential 4 Base Design
functionality, allowing to change the operational sys-
tem state, i.e. the system configuration. Configura- For the duration of the project a base design was
tion is used as a collective term, and includes the acti- selected for development and testing purposes. The
vation of nodes, their roles in the system, the network following paragraphs will explain this design and the
interconnection and also the operational parameters rationale behind it. Flight hardware is not strictly
of application tasks. A system reconfiguration can be required, but a reasonable path to a flight-capable
conducted as a planned reconfiguration, determined system has to be available.
by the mission time-line, or as a reaction to mitigate We choose to implement three different types of
the effects of an inner fault in the system. nodes: Reliable Computing Nodes (RCN), High Per-
formance Nodes (HPN) and Interface Nodes (IFN).
Figure 1 reveals our base design at node level. Two
3.5 Fault-tolerance RCNs, one IFN and three HPNs are connected via
The system allows parts of it to be affected by faults, multiple SpaceWire links. The IFN and the HPNs
and has mitigation and isolation measures prepared. contain SpaceWire router IP-cores and enable the
Modeling faults is essential when implementing an routing of SpaceWire packets to other nodes.
actual ScOSA system. To reduce the complexity and
costs of fault-tolerance, a hybrid scheme is supported 4.1 High Performance Node
which allows the combination of nodes with differ-
ent fault-models (e.g. fail-stop and benign byzan- A Xilinx Zynq is used for its build-in FPGA and fast
tine). There is also fault-tolerance embedded into ARM Cortex-A9 CPU (compared to the highly reli-
some of the nodes, like tolerance to Single-Event Ef- able RCNs). The COTS Zynq is also the target Sys-
fects (SEE) in the RCN. To increase the reliability of tem on Chip (SoC) for the usage in space, but with

3

SpW Rt.
TM/TC RCN HPN
Ethernet
SpW Rt.
TM/TC RCN HPN
SpW Rt.
SpW Rt.
HPN
IFN
Other Subsystems
(e.g. ACS)
Figure 1: The block diagram of the base design and
test-bed show the distributed and heterogeneous na-
ture of the system. Multiple routes are useful to avoid
single points of failure which the system would route
around in the case of a link failure.
its surrounding support circuitry adjusted to the de-
mands of the space environment. The lack of built-in
SEE robustness is addressed by fault detection, iso-
lation and recovery means on system and node level,
in hardware and software.
4.2 Reliable Computing Node
The RCN is based on a prior development effort
named Compact On-Board Computer (COBC). It
is based on a rad-hard LEON3 SoC accompanied
by a flash-based FPGA. The RCN offers a 50MHz
dual LEON3, a 64 MiByte EDAC-protected SDRAM
and non-volatile memories for boot-images and arbi-
trary uses. For a detailed description consider our
earlier publication [12]. For the development and
demonstration work in ScOSA, an adapted bread-
board version was used. The current RCN imple-
mentation also supports Consultative Committee for
Space Data Systems (CCSDS) compatible telemetry
and telecommand interfaces, and is prepared to take
the role of the satellite bus on-board computer.
4.3 Interface Node
In our base design, the IFN exclusively interfaces the
components of the Attitude Control System (ACS),
respectively their simulation in the Hardware in the
Loop (HiL) setup. IFNs are likely to be application
specific, concentrating most modifications of hard-
ware to this type of component. The usage of multi-
ple IFNs is possible, enabling their physical distribu-
Dev. tion in the overall system.
PC
4.4 Network
We choose SpaceWire for ScOSA in the space envi-
ronment, as it is well supported in the space domain
and was developed with focus on space requirements.
SpaceWire’s limited speed is a concern, but adopting
a different technology, or SpaceFiber, is considered
feasible. The HPNs are additionally interconnected
via Gigabit Ethernet among each other, as optional
inter-nodelink, and with the development PC, for de-
bugging. The topology of the SpaceWire network
can be changed flexibly, either by altering the phys-
ical connections or via the FPGA SpaceWire router
firmware.
5 Software
The system software stack enables applications to
fully utilize ScOSA’s distributed nature. It enables
a distribution of tasks of an application across the
available computing nodes and connects them via
communication channels. To enable this and to mit-
igate potential system-internal faults, a layered ap-
proach was chosen. This results in a clear hierarchy
and data-flow within the separated system compo-
nents, forming a robust and reactive system. These
components are illustrated in Figure 2.
The following subsections will provide insights into
the different components that compose the system
software stack. The system management services are
at the top most layer. They provide high-level func-
tionality, such as reconfiguration and reintegration
of nodes as well as handling monitoring and health
management tasks. The Distributed Tasking Frame-
work is positioned at the next lower layer. It of-
fers the interface for application developers to in-
tegrate their algorithms by the definition of tasks
and communication channels between them. Which
task is executed on which node is determined by the
configuration of the system and can be changed at
run-time. Lower layers in the software stack ensure
4
 Application 1... N Sys Mgt. Services
distributed Tasking
SpW-IPC
3rd Party Libs
(e.g. OpenCV)
OUTPOST
OS (RTEMS / Linux)
Hardware
Figure 2: The layered software structure enables
developing system components with clear inter-
faces. Nonetheless, applications can access each OS-
agnostic layers for maximum flexibility while remain-
ing portable across the heterogeneous nodes.
a correct routing of the packages from one task at
one node to another task at another node via the
communication channels. This mechanism and oth-
ers are implemented in the SpaceWire-IPC [13], our
robust and Fault Detection, Isolation and Recovery
(FDIR)-capable transmission protocol. It can be de-
ployed on both, SpaceWire and Ethernet links. Ap-
plication developers are free to include third-party li-
braries and their operating system dependencies are
also respected in the deployment of tasks. The final
layer is represented by the OUTPOST library [14]
and the operating system provides the abstraction to
the hardware underneath. This is an important as-
pect, due to the heterogeneous hardware components
employed in the ScOSA setup.
5.1 System Management Services
The individual system management services are listed
in Figure 3. These implement the majority of the
system’s FDIR capabilities. They range from the
data-based voter, that implements triple modular re-
dundancy to the inter-node level reconfiguration and
reintegration services. Subsequently, a selection of
services is given a short introduction that includes
its sphere of influence and the faults it handles. The
remaining services will be described in the project’s
concluding software paper.
The reconfiguration and reintegration services
work hand in hand to configure which nodes are cur-
rently active, integrating rebooted nodes back into
5
Figure 3: A list of system management services and
how they are categorized according to their FDIR
capabilities. The green services mask errors while
the higher levels contain errors within their domains.
the system and reacting to failures reported by other
services. When the system initially boots, the reinte-
gration service on each node is responsible for acquir-
ing the system’s current state and then requesting the
master node to include them in the initial configura-
tion. The reintegration service on the master node
then notifies all active nodes to configure to a spe-
cific configuration, such as the initial configuration.
Changing configurations is handled by the reconfigu-
ration service on each node.
During a reconfiguration, all application tasks are
paused to allow them to be redistributed among the
active nodes. During this time, the associations be-
tween the channels and the tasks are set according to
the configuration. This also includes the routing of
the channels between the nodes. This is an important
aspect since a channel’s endpoints can be required on
multiple nodes, but to avoid unnecessary traffic, it
is only routed to those that have tasks that depend
on it. Once the reconfiguration has been completed,
each node is informed by the master node that the
system is ready and the application’s execution is re-
sumed.
When a fault occurs that cannot be masked, the
standard system response is to reconfigure itself to
exclude the node on which the error occurred. This is
handled by the reconfiguration service that places the
system into a reconfiguration state, redistributes the
application’s tasks, and then resumes operation once
each active node has confirmed that it successfully
reconfigured itself. The node that was excluded will
reboot itself in order to resume from a known good
state. Once it passes its own self-checks, it sends a
request to the master to be reintegrated. The pro-
cess of recovering the failed node is handled by the
reintegration service and the reconfiguration service
is then informed of this node’s renewed availability.
The reconfiguration service can then, at a given point
in the future, reconfigure the system to include the
recovered node. This allows system’s degraded per-
formance to be fully recovered.
The monitoring service is responsible for detect-
ing the loss of a node and informing the relevant
services about this loss. Once a loss has been de-
tected, its state is updated locally and the master
node is informed about this. The detection is per-
formed through heartbeats that regularly ping a node
and expect an acknowledgment within a given time.
The absence of the acknowledgment leads to the con-
clusion that the node is not available anymore. Other
services are responsible for determining the cause of
the failure.
The health manager service is used to measure
soft metrics that can lead to faults that if not handled
cause failures. The health manager service is broken
down into increasingly higher-level observations. At
the lowest level, its abnormality detection is used to
notice when specific system parameters leave their
expected range. In the case of channels that con-
nect tasks with one another, how full they are during
nominal operation is compared to their current state.
If the remaining buffer of a channel starts to dimin-
ish, it can be a good signal that a node is unable
to keep up with the data is sent to process. An-
other aspect is the number of transmission attempts
that SpaceWire-IPC, the network protocol, needs to
transmit a message.
Furthermore, the health manager’s tasks include
diagnostics reporting that give context to individual
parameters. This is useful for drawing conclusions
from the individual events, which can range from ab-
normal behavior to faults and system wide failures.
This can be used to extract a percentage of the sys-
tem’s observed health state. On the highest level,
the service provides prognostics about when the next
system failure is expected.
Another important service is the checkpoint-
ing service which is responsible for data consistency
across reconfigurations. The service provides an in-
6
Figure 4: Example of a Distributed Tasking appli-
cation. Despite tasks 2 and 3 running on different
nodes, the same data is pushed to both of them. Ef-
fectively, the channel exists on both nodes and is han-
dled transparently from the application’s view.
terface to the application developers to periodically
store their task’s state. This state is then distributed
to other nodes so that if the task’s node fails, the task
can be resumed from the checkpointed state. After a
reconfiguration completes, a task is provided with the
last available global consistent state which results in
a reduction of data loss. One example is the reloca-
tion of a Kalman filter. Its stability can be preserved
if it is initialized with a state in its past which is an
approximation of its current state had the relocation
not occurred.
5.2 Distributed Tasking
In order to deal with distributed systems, the Tasking
Framework [15] was extended to handle enabling and
disabling tasks during reconfigurations and routing
the data that is pushed into channels to the appro-
priate nodes.
Application developers implement encapsulated
logic of their application in tasks and then connect
these discrete tasks with one another with channels.
How the tasks can be distributed between nodes is
shown in Figure 4.
After a reconfiguration that results in the loss of
Node B, it is possible to relocate Task 3 on Node A.
This will increase the CPU load of that node and po-
tentially reduce its throughput. Nonetheless, from a
functional point of view, the system behaves in the
same way as it did before the reconfiguration. This
can be extended to more complex applications con-
sisting of a multitude of more nodes, tasks and chan-
nels. From a practical point of view, the system can
scale up to 20 individual nodes. a standard image processing application, which pro-
cesses RapidEye satellite imagery and prints out the
position and object feature of detected ships. It con-
5.3 SpaceWire-IPC sists mainly of three steps, the creation of a land-
The communication between nodes is handled by the watermask, the object extraction and the deeper ex-
SpaceWire-IPC [13] transmission protocol. Its main amination of each single object. One example of the
features include being FDIR-capable and functioning processing can be seen in Figure 5. Details of the ship
with a range of networks and architectures. detection application can be found in [16]. The ap-
Regarding the FDIR aspects, SpaceWire-IPC is ca-
pable of sending heartbeat requests to other nodes
and in case of a missed acknowledgment, will cre-
ate an error notification. Similarly, in order to fulfill
the system’s robustness requirements, if a message
cannot be delivered within a specific time frame, a
similar notification will be generated. These error
notifications will be forwarded to the system man-
agement services where the appropriate actions, i.e.
FDIR, can then be taken.
Figure 5: Ship detection: Example Images, Left: In-
5.4 OUTPOST and the OSes put data, Right: Result

OUTPOST [14] is a collection of low-level libraries

that provide uniform interfaces for operating system plication was available as an experimental version for
functionality. These include mutexes, interfaces to demonstrating and analysing the capabilities of a ship
User Datagram Protocol (UDP) sockets and clocks. detection method. The application is a C++ appli-
This is necessary in creating cross-platform applica-cation using the open-source computer vision library
tions. Due to the heterogeneous nature of hardware OpenCV[17] for reading in image data and for apply-
platforms and operating systems, this makes it pos- ing various filter functions to the images. Also, the
Boost library[18] was used for various components,
sible to e.g. write and run an application for an x86-
based desktop and subsequently recompile the same such as file system access and the unit-test frame-
source code for RTEMS on an ARM-based node. work. The application was never meant to be ported
Two operating systems are provided, RTEMS for to an onboard computer system, therefore no prepa-
real-time tasks and a custom Yocto Linux for the re- ration was done in this regard.
maining tasks. The customization allows for includ- When porting the application to the ScOSA plat-
ing third party system libraries and configuring the form, one goal was to share as much code as pos-
device drivers. This is relevant to add support for sible with the original application. The process-
the SpaceWire router residing in the Xilinx Zynq’s ing routines of the application where split up in
FPGA. an application-core library. This application-core li-
brary should be used by the original and the ScOSA
application. The application-core library depends on
6 Application Demonstration 3rd party libraries as OpenCV and Boost. With the
ScOSA platform supporting them, no parts of the
6.1 Earth Oberservation application-core library had to be adapted. For inte-
gration of the application in the tasking framework at
To illustrate the suitability of the ScOSA platform first a very simple approach was chosen. We imple-
for earth observation applications, a ship detection mented three tasks, one for reading the input data,
application was ported to the ScOSA platform. It is one for processing the data, and one for writing the

7
results back to the disk. This is illustrated in Fig-
ure 6. A runtime analysis reveals, that most comput-
TaskRead TaskShip TaskWrite
Data Detect Data
Figure 6: Ship Detection, Dataflow of first version.
ing time is spent on the processing task. Therefore we
build a version with three processing tasks working in
parallel. This is illustrated in Figure 7. For a single
TaskShip
Detect 1
TaskRead TaskShip TaskWrite
Data Detect 2 Data
TaskShip
Detect 3
Figure 7: Ship Detection, Dataflow second version,
with three processing tasks working in parallel.
CPU system migrating from the first to the second
version, no increase in throughput is expected. In the
the distributed setting of ScOSA the second version
can distribute the load of processing across multiple
nodes, and thus effectively multiplying the the total
throughput.
6.2 Robotic On Orbit Servicing
Regarding future On-Orbit Servicing (OOS) mis-
sions, the necessary robotics system not only requires
a dedicated manipulator system, which will be able
to work in space environments, but also the corre-
sponding computing system to control the robotics
system according to the specific requirements, e.g.
concerning real-time behavior. Especially a system
8
cycle time of 1kHz for motion control implies a HPN
running a real-time operating system to fulfil this
time constraint. Besides this motion controller the
robotics system should have a certain level of auton-
omy, which means that high-level task commands,
e.g. received from a ground station on Earth, must
be interpreted on-board, i.e. decomposed into sub-
task for execution on the robot controller. Therefore
two function blocks have to be integrated into the
ScOSA system:
• A task interpreter, which checks the incom-
ing telecommands, provides the robot controller
with the respective subcommands and parame-
ters.
• A robot controller, which calculates the motion
reference values for the manipulator system in
real-time.
The OOS application demonstrates the implemen-
tation of such a space robotics control application
to the ScOSA system using the example described in
[19]. It demonstrates the capability of running a 7 de-
grees of freedom (DOF) robotic arm with the ScOSA
HPN nodes. The system setup shown in Figure 8
contains three different nodes of which two are HPNs
(Node 2+3) and one is the ”ground operation” node
for generating and sending telecommands as well as
receiving and displaying telemetry data (Node 1).
Node 2, running Yocto Linux on a HPN, is respon-
sible for the task decomposition, control and super-
vision of the application. It provides telemetry data
and receives the command data from the ground op-
eration node.
Node 3, running RTEMS on a HPN, contains all
the real-time critical software components and con-
nects to the robot hardware via the network inter-
face. This real-time controller module (designed in
matlab/simulink) runs with 1kHz and contains the
model with all control calculations as well as the
hardware interface which acts as an EtherCat master
for the robot. This module will be controlled by the
robotControl task which again communicates with
the taskControl task on Node 2.
Figure 8 illustrates the different nodes and tasks
as well as the communication lines between all of
them via the ScOSA messaging system. Node 1 is
connected with Node 2 via Ethernet, whereas Node
 Figure 8: OOS architectural overview

2 talks with Node 3 via SpaceWire. But using the of the framework the HiL test bench utilized for the
ScOSA tasking and communication system, the com- verification of the original mission was reused to test
munication type is fully transparent. the performance of the software running on a RCN.

The RCN was extended with an IFN, overcoming

6.3 Attitude Control System the limited number of serial ports, which transpar-
ently gives the ScOSA framework access to the serial
The Attitude Control System (ACS) application channels on the IFN. Both nodes are connected via
demonstrates the real-time capability of the ScOSA SpaceWire. The twelve available serial ports are con-
framework by running realistic software on the space- nected to a dSPACE system, a simulation environ-
qualified architecture of the RCN. The application ment running a Simulink model in real-time. This
was ported from the ACS software of the satellite model simulates the sensor characteristics, including
mission Eu:CROPIS[20]. the real hardware’s protocol, and the magnetic tor-
Eu:CROPIS is a spin-stabilized satellite with mag- quers control unit. Within the Eu:CROPIS mission,
netic attitude control torquers, scheduled to be sensors and actuators are available in a redundant
launched in 2018. For demonstrating the maturity fashion. For the HiL setup, only the gyroscopes are

9

partly redundant given that four sensors are arranged
on the faces of a tetrahedron. That way, one gyro-
scope can fail during the mission while maintaining
a three-axis attitude determination. The (simulated)
devices connected to the RCN are:
• 4 Gyroscopes
• 1 Magnetometer
• 5 Sun sensors
• 1 Magnetic torquer control unit
• 1 Global positioning system (GPS) receiver
The basic functionality of the state estimation,
magnetic control, and vehicle mode transition was
proven on the ScOSA hardware. This verifies the
real-time capability and sufficient performance of the
breadboard.
The Distributed Tasking framework from Sec-
tion 5.2 is derived from the same framework that
Eu:CROPIS is using for scheduling. This limited
the porting effort except for the interface of the
(SpaceWire-tunneled) serial ports. It also gives the
opportunity to split the application within the al-
ready implemented task structure, mainly the atti-
tude Estimator task and the Controller task. These
tasks could be distributed over multiple RCNs, trans-
parently diverting the data over the SpaceWire net-
work to balance the computational effort over multi-
ple CPUs, or to handle redundancy in case one RCN
breaks down.
6.4 Autonomous Rendezvous Naviga-
tion
The Autonomous Rendezvous Navigation Applica-
tion is capable of performing a semi-autonomous
ground-controlled rendezvous maneuver towards an
uncooperative target satellite on the European Prox-
imity Operations Simulator (EPOS) HiL simula-
tor. The application makes use of three Yocto
Linux HPNs to perform computationally expensive
6D pose-estimation.
The components pose-estimation, guidance, navi-
gation and control (GNC) as shown in Figure 9, de-
scribed in detail in [21], are implemented as separate
tasks inside the ScOSA Tasking Framework. They
can be controlled independently via PUS-conform
10
SpW Rt. SpW Rt. SpW Rt.
HPN CCD EPOS
GNC Camera
Ethernet
HPN
Satellite
Pose
Simulator
Estimation
HPN
GNC
Pose
Console
Estimation
Figure 9: Rendezvous Navigation Setup
telecommands from ground and monitored by teleme-
try. This GNC-part interfering with the satellite sim-
ulator (which in turn interferes with EPOS, see [22])
is operated on a fixed framerate of 10Hz and handles
the estimated poses asynchronous.
This setup can be integrated into the End-to-End
Simulation enabling the verification of ScOSA hard-
and software in an environment as realistic as possible
which includes ground-segment, communication, on-
board computer and HiL-simulated space-segment.
See [23] for more details.
7 Hardware Accelator
Sometimes even the best commercial processors are
not fast enough for demanding tasks, like image-
processing. For these tasks the parallel architecture
of FPGAs is more powerful and efficient. The Xil-
inx Zynq SoC, as core element of the HPN, already
contains a significant number of FPGA cells. Some
FPGA fabric is reserved for chip interfacing and the
SpaceWire router. But a significant part is available
for application-specific hardware accelerators.
The FPGA configuration-file is eventually a com-
bination of fixed building blocks. To these blocks be-
long I/O-specific functionality, the SpaceWire router
and the Reconfigurable Partitions (RP) for applica-
tion specific code. One or more of these RPs can
exist and act as placeholder. The application specific
blocks are so called Reconfigurable Modules (RM)
and are loadable from the processor during the run-
time of the system to the appropriate RP. The com-
bination of RPs and RMs supports the system recon-
figuration, explained in Section 3.4.
7.1 FPGA API compute dense disparity and depth maps from stereo
images, is the Semi Global Matching (SGM) [24]. Be-
For the scalable nature of ScOSA we tried to find side the advantages of SGM in robustness, density
a general approach for integrating different types and accuracy there is the disadvantge of algorithms
of hardware-accelerators seamlessly into the tasking complexity and expense. A FPGA implementation
middleware. The FPGA-accelerators shall process of these algorithm was choosen as example to demon-
small or medium-sized pieces of the algorithm. The strate the performance capabilities of FPGAs and the
input-data will be taken directly from the memory reconfiguration concept. The FPGA based algorithm
and the output-data will be written back into the can significantly speed up the depth map generating
memory via DMA. From the hardware point-of-view task compared to a CPU only solution.
a shared memory model is used. But the tasking mid-
dleware follows a message-based approach. Two tasks
will be utilized to involve hardware-accelerators into 8 Conclusion
the overall processing flow (see Figure 10). The first
task will setup the accelerator and the corresponding This paper introduces the concepts and the actual
DMA-engine. The second task will aquire the results used architecture of a distributed on-board comput-
from the hardware-processing and transfers it to the ing system for space applications with the overall in-
next task. The hardware issues an interrupt-request, tend of providing high performance and reliability.
after the processing has been finished. The interrupt These attributes are achieved by creating a hybrid
is fetched by the tasking-middleware, which combines system consisting of traditional radiation hardened
the message sent by the first task with the interrupt and COTS components. These components are used
and puts the second task into the execution-queue. to create different nodes with specific properties, con-
nected through a SpaceWire network. Thereby it is
possible to reconfigure the whole system during run-
time. This allows on one hand workload balancing to
further increase the computation performance. On
the other hand the reaction and mitigation of occur-
ring faults are covered in that way
Multiple demonstrations are applied to evaluate
system capabilities and performance. These demon-
strations ranging from real time depending ACS
tasks, robotic motion control and also computation-
ally expensive autonomous rendezvous navigation
and data-processing for earth observation data.
At the time of writing the development and eval-
uation is ongoing. The prospect after the successful
evaluation is to increase the technological readiness of
Figure 10: Involving hardware-acceleration in the the ScOSA platform and the identification of a suit-
tasking-middleware able path from the testbed to demonstration and use
in space.

7.2 Stereo Image Processing References

A depth map generated from stereo images is useful
or mandatory for many tasks in robotics, espacially
for capturing freeflying objects or autonomous rover
exploration tasks. An algorithm, generally used to
[1] D. Lüdtke, K. Westerdorff, K. Stohlmann, A. Börner,
O. Maibaum, T. Peng, B. Weps, G. Fey, and A. Gerndt,
“OBC-NG: Towards a reconfigurable on-board comput-
ing architecture for spacecraft,” in IEEE Aerospace Con-
ference, March 2014.

11
 [2] M. Pignol, “Cots-based applications in space avionics,”
in Design, Automation and Test in Europe Conference
and Exhibition, 2010.
[3] G. Lentaris, K. Maragos, I. Stratakos, L. Papadopou-
los, O. Papanikolaou, D Soudris, M. Lourakis, X. Zabu-
lis, D. Gonzalez-Arjona, G. Furano, “High-performance
embedded computing in space: Evaluation of plat-
forms for vision-based navigation,” in JOURNAL OF
AEROSPACE INFORMATION SYSTEMS, 2018, pp.
178–192.
[4] C. Wilson, A. George, “CSP Hybrid Space Computing,”
in Journal of Aerospace Information Systems, 2018, pp.
215–227.
[5] G. A/S. Nanomind z7000. [Online]. Avail-
able: https://gomspace.com/Shop/subsystems/
computers/nanomind-z7000.aspx
[6] M. Amrbar, F. Irom, S. M. Guertin, G Allen, “Heavy
ion single event effects measurements of xilinx zynq-
7000 fpga,” IEEE Radiation Effects Data Workshop
(REDW), 2015.
[7] L. A. Tambara, F. L. Kastensmidt, N. H. Medina, N.
Added, V. A. P. Aguiar, F. Aguirre, E. L. A. Mac-
chione, M. A. G. Silveira, “Heavy ions induced single
event upsets testing of the 28 nm xilinx zynq-7000 all
programmable soc,” IEEE Radiation Effects Data Work-
shop (REDW), 2015.
[8] D. Elftmann, “Xilinx on-orbit reconfigurable kintex
ultrascale fpga technology for space,” Xilinx, Tech.
Rep., 2018. [Online]. Available: https://indico.esa.int/
event/232/contributions/2161/attachments/1811/2111/
2018-04-09 Xilinx Space Products SEFUW.pdf
[9] J. W. Alexander, B. J. Clement, K. P. Gostelow,
and J. Y. Lai, “Fault mitigation schemes for future
spaceflight multicore processors,” in Design, Automation
and Test in Europe (DATE), 2012, pp. 358–367.
[Online]. Available: https://trs.jpl.nasa.gov/bitstream/
handle/2014/42752/12-2172 A1b.pdf
[10] Obc-sa. [Online]. Available: https://www.fokus.
fraunhofer.de/go/obcsa
[11] T. V. M. Fayyaz, “Survey and future directions of fault-
tolerant distributed computing on board spacecraft,” in
Advances in Space Research, 2016, pp. 2352–2357.
[12] C. J. Treudler, J.-C. Schröder, F. Greif, K. Stohlmann,
G. Aydos, and G. Fey, “Scalability of a base level design
for an on-board-computer for scientific missions,” in Data
Systems In Aerospace (DASIA), 2014.
[13] T. Peng, B. Weps, K. Höflinger, K. Borchers,
D. Lüdtke, and A. Gerndt, “A new spacewire protocol
for reconfigurable distributed on-board computers,”
in International SpaceWire Conference 2016, October
2016, pp. 175–182. [Online]. Available: https://elib.dlr.
de/108116/
[14] F. Greif, M. Bassam, J. Sommer, N. Toth, J.-G.
Mess, A. Ofenloch, R. Rinaldo, M. Goeksu, B. Weps,
O. Maibaum, J. Reinking, and M. Ulmer, “Outpost,”
https://github.com/DLR-RY/outpost-core/, 2018.
12
View publication stats
[15] O. Maibaum, D. Lüdtke, and A. Gerndt,
“Tasking framework: Parallelization of computa-
tions in onboard control systems,” in ITG/GI
Fachgruppentreffen Betriebssysteme, November 2013,
http://www.betriebssysteme.org/Aktivitaeten/Treffen/2013-
Berlin/Programm/. [Online]. Available:
https://elib.dlr.de/87505/
[16] K. S. Katharina A. M. Willburger, “Using the time
shift in single pushbroom datatakes to detect ships and
their heading,” pp. 10 427 – 10 427 – 13, 2017. [Online].
Available: https://doi.org/10.1117/12.2277535
[17] OpenCv. (2018) Opencv project homepage -
https://opencv.org/. [Online]. Available: https:
//opencv.org/
[18] Boost. (2018) Boost c++ libraries project homepage
- https://www.boost.org/. [Online]. Available: https:
//www.boost.org/
[19] G. Hirzinger, K. Landzettel, B. Brunner, M. Fis-
cher, C. Preusche, D. Reintsema, A. Albu-Schäffer,
G. Schreiber, and B.-M. Steinmetz, “Dlr’s robotics
technologies for on-orbit servicing,” Advanced Robotics,
vol. 18, no. 2, pp. 139–174, 2004. [Online]. Available:
https://doi.org/10.1163/156855304322758006
[20] A. Heidecker, T. Kato, O. Maibaum, and M. Hölzel,
“Attitude control system of the eu:cropis mission,” in
65th International Astronautical Congress. Interna-
tional Astronautical Federation, Oktober 2014. [Online].
Available: https://elib.dlr.de/90977/
[21] F. Rems, E. Risse, and H. Benninghoff, “Rendezvous gnc-
system for autonomous orbital servicing of uncooperative
targets,” in Proceedings of the 10th International ESA
Conference on Guidance, Navigation and Control
Systems, Salzburg, Austria, 2017. [Online]. Available:
https://elib.dlr.de/112587/
[22] H. Benninghoff, F. Rems, E.-A. Risse, and C. Mietner,
“European proximity operations simulator 2.0 (EPOS)
- a robotic-based rendezvous and docking simulator,”
Journal of large-scale research facilities JLSRF, vol. 3,
apr 2017.
[23] H. Benninghoff, F. Rems, E. Risse, B. Brunner,
M. Stelzer, R. Krenn, M. Reiner, C. Stangl, and M. Gnat,
“End-to-end simulation and verification of GNC and
robotic systems considering both space segment and
ground segment,” CEAS Space Journal, jan 2018.
[24] H. Hirschmüller, “Accurate and efficient stereo process-
ing by semi-global matching and mutual information,”
in CVPR 2005, vol. 2. IEEE, June 2005, pp. 807–814.
[Online]. Available: https://elib.dlr.de/22952/