#### DEVELOPMENT STATUS OF THE RAD-TOLERANT TTETHERNET CONTROLLER Christian Fidi, Matthias Mäke-Kail, Ivan Masar, TTTech Computertechnik AG

## Introduction

The use of switched networking technologies in the aerospace and more recently in the automotive field brings additional advantages to space applications like the increase in performance of the overall avionics of a spacecraft. These networks are characterized by a central device (switch) and a point-to-point structure between switch and terminal devices that eases electrical and logical insulation.

However, for use in highly-reliable or highlyavailable applications as in launchers or satellites systems, these network technologies have to also provide built-in determinism and redundancy to fulfill the tight latency and jitter requirements of the avionics control loops and the respective hardware redundancy required in the harsh space environments. A state of the art networking technology already provides these features and allows the modularity and scalability to be used for the different space applications and would allow combining the deterministic avionics with the high speed payload network in a spacecraft [1].

Introducing the time-triggered principle to Ethernet allows combining the open industry standard IEE802.3 [6] Ethernet currently used in ground support equipment and control benches with full control of latency and jitter resulting from the time-triggered approach. To allow the time-triggered dataflow network-wide over Ethernet, a synchronization time-base has to be established to allow deriving all network events on a globally known time which is typically done in software in almost all spacecraft [3]. The synchronization service of Time-triggered Ethernet has been implemented as additional quality of service (QoS) on layer 2 of the ISO/OSI network model and been standardized in SAE AS6802 [8].

In a launch vehicle [10], the communication system ensured the data exchanges between avionic functions during all phases of the launcher lifecycle [9] which is composed of three phases: AIT operations, ground phase and flight phase. To ensure the use of a single network for the different phases, the network needs to support features like the handling of different traffic classes (critical traffic and non-critical traffic, i.e. TT, RC and BE). Also the compatibility to the IEEE 1588 synchronization protocol can be used to connect legacy IEEE1588 equipment for GSE equipment.

This commercially available technology currently used in the aviation, the industrial and the automotive markets needs to be matured for the use in space applications. Therefore the development of the necessary space-graded components for switching and interfacing to the network ("end systems") was necessary. Now this paper presents the current development status of the required radiation tolerant integrated circuit for the use in different space applications. It outlines the different steps needed to be performed to ensure the usability of this digital chip in highly reliable as well as in highly available space applications.

#### **The TTE-Controller**

The TTE-Controller is a digital "system on a chip" designed to fulfill two main TTEthernet functions:

- 1. The TTEthernet Switch function
- 2. The TTEthernet End System function and

The chip also includes an integrated CPU with multiple general-purpose interfaces as it is illustrated in Figure 1. The TTE-Controller has an AHB system-bus on which all modules are connected. With a configuration register the used blocks can be selected. This election enables the blocks and performs clock gating on all the not-used blocks. All blocks not used are also memory protected on the AHB-bus. Moreover the main blocks (the end system, the switch and the CPU) are sharing a common volatile memory assigned to these blocks during start-up. If configured accordingly the CPU has access to all used AHB addresses for status and diagnostics and is therefore able to provide the diagnostic and status data via the network.



Figure 1: TTE-Controller Architecture

The TTE-Controller consists of the following main blocks next to the End System and Switch Controller cores:

1. Clock Generation Unit (CGU):

This block includes the clock inputs, PLL and clock distribution for all internal blocks. It is possible to use the internal PLL for the generation of the higher frequencies or to connect these clock to the chip directly via the clock I/Os to allow working without the external PLL.

2. Reset Generation Unit (RGU)

This block resets all internal configuration registers to a pre-defined state at power-up.

3. (Quad) Serial Peripheral Interface (SPI/QSPI)

This block is used for an external non-volatile memory which holds the configuration and firmware which is loaded during start-up by the CPU into the volatile memory of the TTE-Controller.

4. Media Independent Interfaces (MII)

This block is a wrapper and multiplexer for the MII interface options. The device supports RMII and RGMII.

5. Management Data Input/Output (MDIO)

For the configuration and management of the Ethernet PHY this interface is used. There are three MDIO interfaces available to ensure the addressing of the Ethernet PHY chips via the MDIO interface.

6. Management CPU

The integrated CPU is used primarily for the end system and switch management and diagnostics. It has access to the end system and switch via the AMBA AHB/APB interfaces allowing downloading or uploading configurations to these blocks or reading out status information. Therefore the CPU is able to send out diagnostic data frames including the status and diagnostics information of the switch and end system internal status for e.g. health monitoring purposes.

7. I/O Multiplexing Unit (IOMU):

This block includes the multiplexing of the I/Os between the different use-cases.

8. Memory Control Unit (MCU):

The MCU ensures the management of the internal volatile memory between the different use-cases.

9. Debug Interface Unit (DIF):

The DIF provides GPIOs for debug and interrupts functionality.

The End System and Switch use-cases will be described in the two following sections:

# **TTE-End System Controller**

The End System is responsible for connecting to a host (internal CPU, external CPU or FPGA) to allow sending and receiving Ethernet frames into the TTEthernet network. The End System supports the three different traffic classes: time-triggered, rateconstraint and best effort. It further supports the AS6802 synchronization protocol. The End System block provides the following main interfaces:

- 1. Reduced (Gigabit) Media Independent Interface (RGMII/RMII) to the Ethernet PHY transceiver (external)
- 2. AHB on-chip interface (internal)
- 3. SRAM memory interface (internal)
- 4. IRQ signals (internal)

The TTE-End System block provides a memory partitioning at the host interface which allows accessing the different partitions via different participants on the AHB-bus allowing to send and receive data from different interfaces e.g. SPI and SpaceWire via the TTE-End System block simultaneously. Moreover the TTE-End System provides a in hardware built-in IP/UDP/ARINC653 network stack for critical traffic which allows a convenient way to send and receive data between different end systems in the network. It further supports IP fragmentation of frame with up to 8kByte for streaming data.

#### **TTE-Switch Controller**

The TTE-Switch block provides Ethernet switching functionality of 6x10/100/1000Mbit/s and 18x10/100Mbit/s Ethernet ports on ISO-Layer 2 for

time-triggered, rate-constrained and standard Ethernet traffic. Together with the TTE-End System and the CPU (with the respective firmware) the TTE-Switch Controller is a fully managed (TT)Ethernet switch providing TFTP data loading and SNMP diagnostics functionality. The switch block also supports IEEE802.3 features like bandwidth policing per port, dynamic address learning and performs all the Ethernet frame checks as standard Ethernet switches do. It further supports VLANs and IEEE1588V2 one-step clock.

The TTE-Switch further supports critical traffic (time-triggered and rate-constrained) and therefore implements the AS6802 [8] and the ARINC664 part 7 [7] standards.

### **Radiation Tolerance**

The TTE-Controller has been designed to withstand harsh space environments in terms of temperature, shock and vibration as well as radiation. To ensure radiation-tolerance the chip uses EDAC on all memories and additional scrubbing on all configuration memories. The status of the errors and their correction is stored in diagnostic registers.

For the protection of all logic cells the hardened cells of a mature radiation tolerant library have been used.

The use of register BIST and memory BIST allows ensuring the right production test-coverage but these are also checked during start-up to ensure the correct behavior of the cells and memories after each start-up. The test-results are stored in the diagnostic registers.

#### **Development Process**

The TTE-Controller was developed according to TTTech internal processes which are compliant to the relevant ECSS standards. A full verification and validation according to these processes has been executed and the chips are available for high-volume low-cost in the plastic package and for long-term high reliable applications in the ceramic package.

The supply chain has been setup according to QML-V/ESCC9000 standards and the qualification of the chip to these standards is ongoing.

## Conclusion

In this paper it has been presented that a highperformance space graded TTEthernet component supporting both End System and Switch functionality has been developed which is used in the biggest space programs or Europe and the US. The chip acts as a main building block providing a infrastructure network supporting built-in determinism, redundancy, a global fault-tolerant time-base [11] and everything fully Ethernet compliant. This allows reducing the software overhead for these features since they are implemented on the network level in hardware. The partitioned host interface of the TTE-End System block allows interfacing from multiple tasks or hosts to the same interface without implementing mutual exclusion in software. The device shall be fully compliant to the planned ECSS standard on TTEthernet and the existing SAE AS6802.

This chip also provides the key building blocks to build bridges to different data communication technologies such as SpaceWire to (TT)Ethernet, I<sup>2</sup>C, SPI, QSPI, UART, ...

Since the chip is developed according to ECSS standards and is baselined in an ESA financed space application, the whole reliability data will be available for other applications.

## References

[1] Mitch Fletcher, Progression of an Open Architecture: from Orion to Altair and LSS, May 2009

[2] W.Steiner, R.Maier, D.Jameux, A.Ademaj, "Time-Triggered Services For *SpaceWire*", *SpaceWire Conference*, Nara, Japan, 2008

[3] Steve Jolly, "Is Software Broken?", NASA ASK MAGAZINE INSIGHT, Oct 2009, pp. 22-25.

[4] H. Kopetz and G. Bauer, The Time-TriggeredArchitecture," Proceedings of the IEEE, vol. 91, no. 1, pp. 112- 126, Jan. 2003.

[5] Rumpler, B., Complexity Management for Composable Real-Time Systems, Ninth IEEE International Symposium on Object and Component-Oriented Real-Time Distributed Computing (ISORC'06), Gyeongju, Korea, April 2006

[6] R.W. Butler, NASA/TM-2008-215108, A Primer on Architectural Level Fault Tolerance, Langley Research Center, Hampton, Virginia, February 2008

[7] ARINC 664 - Part 7, www.arinc.org

[8] SAE AS6802, <u>www.sae.org</u>

[9] Rémi Clavier, Pierre Sautereau, Jean-François Dufour, TTEthernet, a promising candidate for Ariane 6, DASIA 2014

[10] Robert F. Hodson, Yuan Chen, Dwayne R. Morgan, A. Marc Butler, Joseph M. Schuh, and Jennifer K. Petelle, David

A. Gwaltney, Lisa D. Coe, and Terry G. Koelbl, Hai D., Nguyen Heavy Lift Vehicle (HLV) Avionics Flight Computing Architecture Study, NASA/TM–2011-217168

[11] A. Loveless, On TTEthernet for Integrated Fault-Tolerant Spacecraft Networks, AIAA SPACE 2015, Aug. 31st – Sep. 2nd 2015