Dependable MPSoC framework for mixed criticality applications
- Publication Year :
- 2021
- Publisher :
- Zenodo, 2021.
Abstract
- Systems-on-Chip such as the Zynq UltraScale+ combine a multi-core processing system (PS), programmable logic (PL) and peripherals in a single device. For space applications, these devices offer unprecedented functional integration and performance in a smaller form factor. Challenges arise in mixed-criticality use cases, such as onboard computers with payload integration, where the dependability of critical functions must not be compromised by adjacent functions. To improve the adoption of MPSoC technology in space, avionics developers should consider providing a baseline design framework with native functionality and the possibility for users to further exploit other MPSoC resources. For both, a safe level of dependability shall be guaranteed, which can be balanced against performance according to the use case. One possible solution is to exploit the native MPSoC isolation and fault detection features. This is often not sufficient, especially when use cases require data to be shared across domains with different criticality levels, which may lead to failure propagation. EVOLEO and AIRBUS, in the frame of the ESA GSTP project CHICS, are developing an ADHA-compatible radiation-tolerant 3U computer, based on the Zynq UltraScale+, for mixed-criticality space applications. The solution considers a clear separation between platform and payload functions within the MPSoC. It is oriented towards parallel but independent developments for platform and payload functions, which are often the responsibility of different entities. The platform side includes lock-step ARM Cortex-R5 cores and peripherals such as DDR4, a SpaceWire router, CAN and UART. The solution offers IP cores, drivers, handlers and software to command and control these peripherals. The payload side considers four ARM Cortex-A53 cores with the XEN hypervisor and cache coloring, high-speed serial transceivers, and dedicated DDR4 and PL resources. These elements are connected via a generic AXI infrastructure.
Multiple user applications (software or logic based) can be easily integrated. The two criticality sides are connected via a bespoke “secure data exchange unit” in the PL. Besides the data exchange itself, this unit supports an “exchange monitor” for fault detection and isolation, with the goal of avoiding fault propagation between criticality levels. The complexity of this exchange monitor is scalable to user needs and available FPGA resources: it can range from ECC and context-aware limit-type checks up to machine learning algorithms. All alarms are collected and managed by a configurable FDIR function running on the secure side. The consortium explores this concept in a scenario with a SAVOIR OBC on the secure side and a GNSS receiver and star tracker on the user side. Position, velocity and time (PVT) are shared with an AOCS application running on the secure side. The exchange monitor detects any out-of-range PVT values before they are fed into the AOCS algorithms. Recurrence-oriented HW/SW frameworks are a key enabler for exploring the functional integration capabilities of state-of-the-art SoCs. They can simplify payload integration into avionics systems and reduce overall costs. Fault detection and isolation may be handled by this infrastructure, providing baseline levels of dependability, with upper dependability levels still limited by the device itself.
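Added example (not part of the abstract and not the CHICS project's code): a C model of the exchange-monitor limit checks on PVT data and of the FDIR consumer on the secure side. The sample layout, the alarm set, the LEO envelope thresholds and the isolate-after-three-rejections policy are all assumptions chosen for illustration; the real unit lives in the PL and its limits would be tuned to the mission. Beyond the plain out-of-range test the abstract mentions, the example also carries a context-aware check (new position consistent with the previously reported position and velocity over the elapsed time), which is the kind of check the abstract calls a context-aware limit-type check.

```c
/* Added example: software model of the "exchange monitor" limit checks on PVT
 * data crossing from the user side to the secure side, plus a minimal FDIR
 * consumer. Illustration only, not the CHICS project's code; every threshold
 * below (a LEO envelope) is an assumption. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    double pos[3];  /* ECEF position, metres */
    double vel[3];  /* ECEF velocity, m/s */
    double t;       /* time tag, seconds */
} pvt_sample;

enum {
    ALARM_NOT_FINITE = 1u << 0,  /* NaN or Inf in any field */
    ALARM_POS_RANGE  = 1u << 1,  /* |pos| outside the orbit envelope */
    ALARM_VEL_RANGE  = 1u << 2,  /* |vel| outside the orbital-speed envelope */
    ALARM_TIME_ORDER = 1u << 3,  /* time tag not strictly increasing */
    ALARM_TIME_STEP  = 1u << 4,  /* gap to the previous sample too large */
    ALARM_CONTINUITY = 1u << 5,  /* position jump inconsistent with velocity */
};

/* Assumed envelope for a LEO mission (SI units). */
static const double R_EARTH_M = 6371000.0, R_MAX_M = 8371000.0; /* up to 2000 km altitude */
static const double V_MIN_MPS = 6500.0, V_MAX_MPS = 8500.0;
static const double DT_MAX_S = 10.0;
static const double G_MAX = 10.0;         /* bound on acceleration, m/s^2 */
static const double CONT_BASE_M = 50.0;   /* allowance for receiver noise, m */

static double sq_norm3(const double v[3]) { return v[0]*v[0] + v[1]*v[1] + v[2]*v[2]; }
/* NaN fails x == x; +/-Inf fails x - x == 0. Avoids depending on libm. */
static int finite_d(double x) { return x == x && (x - x) == 0.0; }

/* Returns a bitmask of alarms; 0 means the sample may be fed to AOCS.
 * prev may be NULL for the first sample (contextual checks are then skipped). */
uint32_t exchange_monitor_check(const pvt_sample *prev, const pvt_sample *cur) {
    uint32_t alarms = 0;
    for (int i = 0; i < 3; i++)
        if (!finite_d(cur->pos[i]) || !finite_d(cur->vel[i])) return ALARM_NOT_FINITE;
    if (!finite_d(cur->t)) return ALARM_NOT_FINITE;

    double r2 = sq_norm3(cur->pos), v2 = sq_norm3(cur->vel);
    if (r2 < R_EARTH_M * R_EARTH_M || r2 > R_MAX_M * R_MAX_M) alarms |= ALARM_POS_RANGE;
    if (v2 < V_MIN_MPS * V_MIN_MPS || v2 > V_MAX_MPS * V_MAX_MPS) alarms |= ALARM_VEL_RANGE;

    if (prev) {
        double dt = cur->t - prev->t;
        if (dt <= 0.0) {
            alarms |= ALARM_TIME_ORDER;
        } else {
            if (dt > DT_MAX_S) alarms |= ALARM_TIME_STEP;
            /* Context-aware check: the new position must lie where the previous
             * position and velocity predict it, within a tolerance that grows
             * with dt to allow for orbital curvature. */
            double diff[3], tol = CONT_BASE_M + 0.5 * G_MAX * dt * dt;
            for (int i = 0; i < 3; i++)
                diff[i] = cur->pos[i] - (prev->pos[i] + prev->vel[i] * dt);
            if (sq_norm3(diff) > tol * tol) alarms |= ALARM_CONTINUITY;
        }
    }
    return alarms;
}

/* Minimal FDIR consumer on the secure side: holds the last accepted sample,
 * counts consecutive rejections and isolates the source after a threshold. */
#define FDIR_ISOLATE_AFTER 3
typedef struct {
    pvt_sample last_good;
    int have_last_good, consecutive_bad, isolated;
    uint32_t alarm_history;  /* OR of every alarm seen, for telemetry */
} fdir_state;

/* Returns 1 if *out holds a usable sample (the new one, or the held last-good
 * value while the source is suspect or isolated), 0 if nothing usable exists. */
int fdir_process(fdir_state *st, const pvt_sample *in, pvt_sample *out) {
    uint32_t alarms = exchange_monitor_check(st->have_last_good ? &st->last_good : NULL, in);
    st->alarm_history |= alarms;
    if (alarms == 0 && !st->isolated) {
        st->last_good = *in; st->have_last_good = 1; st->consecutive_bad = 0;
        *out = *in;
        return 1;
    }
    if (alarms && ++st->consecutive_bad >= FDIR_ISOLATE_AFTER) st->isolated = 1;
    if (st->have_last_good) { *out = st->last_good; return 1; }
    return 0;
}

int main(void) {
    /* Constructed samples: a 400 km circular-orbit fix, then a bogus all-zero fix. */
    pvt_sample good = {{6771000.0, 0.0, 0.0}, {0.0, 7670.0, 0.0}, 0.0};
    pvt_sample bogus = {{0.0, 0.0, 0.0}, {0.0, 0.0, 0.0}, 1.0};
    fdir_state st = {0};
    pvt_sample out;
    fdir_process(&st, &good, &out);
    for (int i = 0; i < 3; i++) fdir_process(&st, &bogus, &out);
    printf("alarms=0x%02x isolated=%d held_x=%.0f\n",
           (unsigned)st.alarm_history, st.isolated, out.pos[0]);
    return 0;
}
```

Any C99 compiler builds it; norms are compared squared so libm is not needed. Holding the last accepted sample on rejection is a deliberate choice for the example: the AOCS keeps an older but validated PVT rather than a fresh but implausible one, and after three consecutive rejections the source stays isolated until a higher-level recovery (for instance a ground command) clears it, which the example does not model.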
- Subjects :
- obdp2021
obdp
on-board processing
- Language :
- English
- Database :
- OpenAIRE
- Accession number :
- edsair.doi.dedup.....415d2c5d8b5add021e69c73455931cce
- Full Text :
- https://doi.org/10.5281/zenodo.5521521