This document describes the design and development of a fault-tolerant and dynamically reconfigurable payload processing unit (PPU) for the Pakistan National Student Satellite-1 (PNSS-1). The proposed PPU uses a Xilinx Virtex 5QV field-programmable gate array (FPGA) and a radiation-hardened Leon 3 FT processor. Triple modular redundancy is implemented to minimize effects of single event upsets, single event latchups, and total ionizing dose from radiation in space. The PPU is responsible for receiving, storing, processing, and transmitting data from various satellite payloads. It will provide telemetry to and receive commands from the satellite's data handling unit over a CAN bus or dedicated

1. Design and Development of Fault-tolerant and
Dynamically Reconfigurable PPU for PNSS-1
Salim Ullah, Muhammad Jaleed Khan, Asif Ali Khan
Department of Computer Systems Engineering
University of Engineering & Technology, Peshawar
saleemullah@nwfpuet.edu.pk, mjaleedkhan@outlook.com,
asif.ali@nwfpuet.edu.pk
Laiq Hasan, Abdullah, Aqsa Khan, M. Yahya
Department of Computer Systems Engineering
University of Engineering & Technology, Peshawar
laiqhasan@nwfpuet.edu.pk,
abdullah.khan00185@yahoo.com,
aqsakhan915@gmail.com, yahya_bungash@yahoo.com
Abstract— Microsatellites are efficient for space missions in terms
of speed and cost. The success and reliability of a satellite greatly
depends upon the proper working and processing of its payloads.
For this purpose, different techniques are used to achieve a reliable
and efficient payload processing unit (PPU). This paper presents a
fault tolerant and dynamically reconfigurable PPU, using Xilinx
space grade FPGA, for Pakistan National Student Satellite -1
(PNSS-1).
Keywords— Microsatellites, PPU, FPGAs, COTS, PNSS-1,
Reconfigurable Architecture, Payloads
I. INTRODUCTION
With the recent developments in space technology,
microsatellites have gained importance due to their beneficial
services in navigation, communication and weather
forecasting. Pakistan National Student Satellite-1 (PNSS-1), a
mega project initiated by Pakistan Space and Upper
Atmosphere Research Commission (SUPARCO), is a right
step in this direction. The purpose of this project is to use the
expertise of brilliant and young researchers, from academia, in
space science development in Pakistan and many different
higher educational institutes are participating in this project.
PNSS-1 is planned to be launched in the sun-synchronous
Low Earth Orbit (LEO) at an altitude of 450-700km, in 2015-
2016.
The payload subsystem in the satellite contains several
payloads such as narrow view camera payload, wide view
camera payload, experimental payload and the payload
transmitter. In order to control and receive data streams
produced by these payloads, an on board PPU is required. The
PPU stores the received information temporarily and performs
telemetry and telecommand operations on it.
The reliability of a payload processing unit is very critical
for a satellite to complete its mission successfully. A PPU
must withstand the harsh radiations and temperature variations
in upper space. Among other damages caused by radiations,
the three noticeable radiation effects are (i) Single Event
Upset (SEU), (ii) Single Event Latch (SEL) and (iii) Total
Ionizing Dose (TID). SEU changes the state of a logic element
in the configuration or processing memory due to ionization
caused by radiation which may result in temporary unexpected
behavior of the system. SEL gives rise to parasitic components
e.g. a short circuit which can damage the hardware
permanently. TID results in accumulation of radiations and
causing permanent damage to the hardware. Radiation
hardened ASICs have been in common use for decades for
mitigating these risks and designing various parts of a satellite.
However, these ASICs are inefficient in terms of cost and
computational power and they do not offer fault tolerance and
reconfiguration of hardware to meet the changing mission
requirements [1].
For the past few years, FPGA based systems have gained
significant importance in designing hardware modules for
space applications [2]. Modern space grade FPGAs support
high data rate applications with flexibility, fault tolerance and
dynamic reconfiguration at low power and cost. Dynamic
reconfiguration enables FPGA based systems to be changed or
adapted at run time according to unanticipated mission
requirements [3][4][5].
This paper presents a dynamically reconfigurable and fault
tolerant PPU, using Xilinx Virtex 5QV space grade FPGA, for
PNSS-1. Triple Modular Redundancy (TMR) has been used
for to minimize the effects of SEU, SEL and TID.
Section II briefly describes the related work. Section III
presents the requirements and restraints faced by PPU of
PNSS-1. Section IV explains the proposed design in detail.
Section V concludes the paper.
II. RELATED WORK
A scalable, fault tolerant and dynamically reconfigurable
PPU prototype supporting three types of reconfiguration
using RAPTOR-X64 is presented in [1]. An on board
payload processor has been designed using Virtex 5 FPGA
by JPL to process the data of MSPI, a high resolution
camera payload [6]. A reconfigurable on board processing
system has been designed for H2sat satellite supporting

2. triple modular redundancy and cyclic redundancy check in
[7]. The authors of [8] have presented three different
techniques for the reconfiguration of an FPGA based
satellite processing system using a microcontroller for
initiating and controlling the reconfiguration process. The
three configuration techniques are function reconfiguration,
restoring configurations and upgrading reconfiguration. An
SRAM based FPGA has been used for the development of a
processing system for microsatellite in [9]. The presented
system uses three Nios-2 cores and a mathematical
coprocessor, for performing all the mathematical
operations, housekeeping, error detection and correction
checks. A low cost and fault tolerant on board computer has
been designed for microsatellite using an ARM7 based
processor and two anti-fuse FPGAs to protect different
kinds of memories from radiation effects in [10]. The
authors of [11] have presented a single chip reconfigurable
processing system for satellites using Virtex FPGA. The
presented system is divided into two parts; the static part
which is not reconfigurable and it supervises the dynamic
part of the FPGA. The dynamic part is reconfigurable at
runtime without interrupting its normal flow using Partial
reconfiguration technique [11].
III. REQUIREMENT ENGINEERING
A. Design Requirements
The proposed PPU, for PNSS-1, presented in this paper is
responsible to perform the following operations:
1. Receive and store data from payloads.
2. Process and transmit the data provided by payloads to
the payload transmitter (PLT).
3. Provide telemetry to the Data Handling Unit (DHU)
over CAN Bus.
4. Execute its own telecommand from DHU over CAN
Bus.
5. Gather telemetry of payloads that are not directly
connected to the CAN bus.
6. Distribute telecommand of the payloads that are not
directly connected to the CAN bus.
7. Perform Telemetry and Telecommand (TMTC)
operations of payloads through a dedicated link in case
of CAN bus failure.
8. Act as a slave CAN controller.
9. Equipped with self-testing and diagnostic capabilities
of all units and interfaces upon startup or by ground
command. Status of self-testing and diagnosis should
be transmitted to ground via telemetry.
B. Design Constraints
1. The design of payload processing unit is restricted to
certain constraints as follows.
2. Operating Voltage should be +12 V and/or +5 VDC.
3. Power consumption should not be more than 3W.
4. The dimensions of PPU shall not be greater than
300x170x65 mm.
5. The mass of the PPU shall not be greater than 2.5 kg.
6. It should be physically redundant.
7. It should provide cross strapping.
8. PPU shall be testable through its I/O connectors.
Based on the requirements and constraints, Figure 1 shows
a block diagram of the proposed design of payload subsystem.
IV. DESIGN MODULES
The design requirements include use of Commercial-Off-
The-Shelf (COTS) components with preference to those
components that have already been used for space missions
and compromise should be made on the reliability of the
payload processing unit. The proposed payload processing
unit for PNSS-1 is designed using Xilinx Virtex 5QV FPGA
and radiation hardened and fault tolerant Leon 3 FT processor
as shown in Figure 2. This selection is made after detailed
PPU
Figure 1. Proposed Design of Payload Subsystem
CAN Bus
NVC
WVC
PLT
EXP
DHU
RS 422
Payload
Subsystem
Command & Data Handling
Subsystem (CDHS)
Dedicated
Link

3. comparisons between multiple available solutions and
carrying out detailed case studies about them. Given below are
the selection details for each module of proposed PPU.
A. Microprocessor (Reconfigurable Unit)
Leon 3FT V8 SPARC and ARM7 based Cortex M3 with
CM3 core are two competing solutions for processing unit of
PPU. However, after multiple comparisons between the two
solutions, it is decided to use Leon 3FT for microprocessor of
proposed PPU. The selection of LEON 3FT processor is
advantageous for PNSS-1 as it is commercial-off-the-shelf and
has already been used in many space missions.
The main advantage of using Xilinx Virtex 5 QV FPGA is
that, it is highly reliable and tolerant to radiation hazards such
as Single Event Upsets (SEU). Moreover, it is a dynamically
reconfigurable FPGA, allowing rectification of various design
faults, thus improving the overall life time of the proposed
system. For complex mathematical operations and equations,
LEON 3FT supports mathematical co-processor cores. It also
supports dual redundant CAN bus which is the primary route
for all telemetry, telecommand and inter-module
communication in PNSS-1.
B. Memories
A nonvolatile memory (EEPROM) is used to store the
bootable image of VxWorks, a Linux based Real Time
Operating System (RTOS), and the configuration files of PPU.
The proposed EEPROM uses Error Detection and Correction
(EDAC) memory in which the word length is 39 bit, where 7
bits are reserved for the checksum and 32 bits are reserved for
the data. Since EEPROM can tolerate SEUs, therefore the PPU
configurations files will not be affected by these upsets.
For program space of LEON 3FT SPARC V8, a volatile
memory, SRAM (static RAM) is implemented on the FPGA
with TMR. SRAM is loaded with VxWorks and the main
application software on system reboot.
C. FPGA Reconfiguration Control Unit
Unlike other available reconfigurable designs which use a
separate microcontroller for reconfiguration control, the
proposed design uses MicroBlaze for the reconfiguration
control unit. It is a 32-bit soft-core processor optimized for
embedded applications. It receives heartbeat signals from other
applications about their health status. In case a fault is detected,
the recovery techniques is initialized. In case of a fault detected
in the processing unit (Leon 3FT), MicroBlaze reconfigures the
processing unit.
D. Buses and Interfaces
The PPU design proposed in this paper features Fast
Simplex Links (FSL) for interfacing MicroBlaze with LEON
3FT core. It is a 32bit, unidirectional point-to-point
communication channel with extremely low latency which
makes it more powerful and reliable. MicroBlaze supports up
to sixteen FSL interfaces.
MicroBlaze is connected to SRAM by Local Memory Bus
(LMB). It is a power efficient bus, utilizing very few resources,
and providing separate channels for reading and writing to
achieve uninterrupted communication.
AMBA High Performance Bus (AMBA AHB) is used in
proposed design for interconnection of LEON 3FT,
MicroBlaze and the interfaces.
RS-422 is used to connect the Payload Processing Unit
(PPU) to Payload Transmitter. It is a reliable full-duplex
interface that provides a maximum throughput of 10Mbits/s
with uninterrupted communication.
The proposed design of payload processing unit is shown in
Figure-2.
FSL
Virtex 5Q FPGA
(PPU)
CAN Bus
AMBA
AHB
Bus
AMBA
AHB
Bus
Figure-2 Proposed Design of Payload Processing Unit
Interfaces
-CAN
-RS-422
-Dedicated Link
Dynamically
Reconfigurable
Processing Unit
(LEON 3FT)
Controller for
Recovery and
Reconfiguration
(MicroBlaze)
Memory
(SRAM)
LMB

4. V. FAULT TOLERANCE AND REDUNDANCY
The proposed system uses TMR for introducing fault
tolerance and redundancy in design. In TMR design technique,
three independent and identical systems perform the same task,
Using majority voter technique, a single correct output is
achieved. TMR helps reduce the single event effects, SEUs and
SELs. Moreover, Data Scrubbing technique is used to
minimize hardware faults by reconfiguring proposed PPU
periodically.
VI. CONCLUSION
This paper presents the design of a dynamically
reconfigurable and fault tolerant payload processing unit for
PNSS-1. The proposed design uses COTS components such as
Virtex 5QV FPGA, Leon 3FT fault tolerant processor and
MicroBlaze based reconfiguration control unit. TMR is also
used for providing increased fault tolerance. The proposed
design meets all the requirements and constraints of PNSS-1
satisfactorily.
ACKNOWLEDGMENT
We are thankful to SUPARCO for their help. We are also
grateful to Dr. Hamad Alizai and Ms. Ramsha Narmeen for
their constant support and encouragement throughout this
project.
REFERENCES
[1] Hagemeyer, J.; Hilgenstein, A.; Jungewelter, D.; Cozzi, D.;
Felicetti, C.; Rueckert, U.; Korf, S.; Koester, M.; Margaglia, F.;
Porrmann, M.; Dittmann, F.; Ditze, M.; Harris, J.; Sterpone, L.;
Ilstad, J., "A scalable platform for run-time reconfigurable
satellite payload processing," Adaptive Hardware and Systems
(AHS), 2012 NASA/ESA Conference on , vol., no., pp.9,16, 25-
28 June 2012 doi: 10.1109/AHS.2012.6268642
[2] Ferguson, R.C.; Tate, R., "Use of field programmable gate array
technology in future space avionics," Digital Avionics Systems
Conference, 2005. DASC 2005. The 24th , vol.2, no., pp.11 pp.
Vol. 2,, 30 Oct.-3 Nov. 2005
[3] Steiner, N.; Athanas, P., "Hardware autonomy and space
systems," Aerospace conference, 2009 IEEE , vol., no., pp.1,13,
7-14 March 2009
[4] Koester, M.; Luk, W.; Hagemeyer, J.; Porrmann, M.; Ruckert,
U., "Design Optimizations for Tiled Partially Reconfigurable
Systems," Very Large Scale Integration (VLSI) Systems, IEEE
Transactions on , vol.19, no.6, pp.1048,1061, June 2011
[5] Guodong Xu; Song Wang; Jie Lin; Yuan Liu, "A novel
reconfigurable on-board computer based on soft core CPU,"
Mechatronics and Automation, 2009. ICMA 2009. International
Conference on , vol., no., pp.2467,2471, 9-12 Aug. 2009
[6] Bekker, D.L.; Werne, T.A.; Wilson, T.O.; Pingree, P.J.;
Dontchev, K.; Heywood, M.; Ramos, R.; Freyberg, B.; Saca, F.;
Gilchrist, B.; Gallimore, A.; Cutler, J., "A CubeSat design to
validate the Virtex-5 FPGA for spaceborne image processing,"
Aerospace Conference, 2010 IEEE , vol., no., pp.1,9, 6-13
March 2010
[7] Hofmann, A.; Wansch, R.; Glein, R.; Kollmannthaler, B., "An
FPGA based on-board processor platform for space application,"
Adaptive Hardware and Systems (AHS), 2012 NASA/ESA
Conference on , vol., no., pp.17,22, 25-28 June 2012
[8] Xu Guo-dong; Zhao Dan; Sui Shi-jie; Lan Sheng-chang, "Run-
time control design of micro-satellite OBC based on
reconfigurable architecture," Industrial Electronics and
Applications, 2009. ICIEA 2009. 4th IEEE Conference on , vol.,
no., pp.2591,2595, 25-27 May 2009
[9] Guodong Xu; Song Wang; Jie Lin; Yuan Liu, "A novel
reconfigurable on-board computer based on soft core CPU,"
Mechatronics and Automation, 2009. ICMA 2009. International
Conference on , vol., no., pp.2467,2471, 9-12 Aug. 2009
[10] Shiqiang Tian; Zuobiao Yin; Jian Yan; Xuming Liu, "Design
and implementation of a low-cost fault-tolerant on-board
computer for micro-satellite," Communications and Networking
in China (CHINACOM), 2012 7th International ICST
Conference on , vol., no., pp.129,134, 8-10 Aug. 2012
[11] Daixun Zheng, Dr. Tanya Vladimirova, Hans Tiggeler, Prof.
Martin Sweeting, “Reconfigurable single-ship on board
computer for a small satellite,” IAF-01-U3.09.
`