CAN AND CANOPEN IMPLEMENTATION IN DISTRIBUTED AVIONICS FOR MINI AND MICROSATELLITES
Alessandro Avanzi
CAN In Space Workshop, 14-16 June 2017, Mola di Bari

Outline
• Introduction to SITAEL CAN Bus experience
• SITAEL mini and micro platforms:
  – ESEO
  – µHETSat
• Data handling subsystem: components and architecture
• CANopen services configuration
CONFIDENTIAL SITAEL PROPERTY

SITAEL CAN Bus Experience
1999 2000 HurriCANe ALPHA version is provided by ESA for completion and verification against BOSCH testbenches
2002 The new CAN bus Controller (HurriCANe core version 5.0) is delivered to ESA. First ASIC prototypes in DMILL CMOS 0.8 µm process. Collaboration with Alenia Spazio and Roscosmos to develop a new CAN bus controller with 3 mailboxes and µCU I/F (CASA2) for ATV, fully compliant with CAN 2.0B protocol
2012 ESEO Phase C0/C1/D/E1 development start.
2013 CANopen Controller IP Core (CCIPC) is delivered to Thales Alenia Space in the frame of an ExoMars contract
2007 2004 Final Presentation of ESA Integrated Payload Processor Module (IPPM) with CANbus for housekeeping as instrument bus or avionic bus in alternative to MIL-STD-1553. CANTRAN ASIC and AmCAN IP Core are developed and tested in the frame of an ASI contract. CASA2 is licensed to ATMEL and manufactured with MG2RTP Rad-hard Sea of Gate (P/N AT7908E).
2009 HurriCANe core IP update (version 5.2.3) - last by SITAEL
2015 CCIPC improvement for SATCOM Payload and Platform Management
2016 µHETSat – in orbit validation of SITAEL HT100 Thruster
2017 Release of a new CCIPC implementation with improved performances and wider usability. SCAT – C-band transceiver module for small satellites

SITAEL micro-satellite missions
ESEO: approaching TRR and FM integration, expected launch in 2018
µHETSat: CDR completed beginning of June

CAN in Micro-satellites – why?
• Low-cost platform from 50 to 100 kg, mostly based on COTS components.
• Technology demonstration and educational missions
• The CAN is selected for platform and payload bus. Why?
  ✓ Compliant with data rate and power requirements; simple topology
  ✓ Widely used in terrestrial applications, a consolidated technology with widespread know-how (design cases, best practices).
  ✓ Large availability of components, both integrated in microcontrollers and as independent controllers.
  ✓ Large availability of software support, including higher-level protocol stacks (CANopen), simulation and validation tools
  ✓ Robustness

CAN view for a Micro-satellite (1/2)
Redundant configuration, each unit connected with the CAN bus.
  ✓ OBDH Main and Redundant
  ✓ TMTC Prime and Secondary
  ✓ PMU Main and Redundant
  ✓ AOCS equipment: Fine Sun Sensors, Earth Sensors, Coarse Sun Sensors, Magnetometers, Reaction Wheels, MagnetoTorquers, GPS receivers
Bus redundancy is managed with a heartbeat-based algorithm.

CAN view of a Micro-satellite (2/2)
Two CAN busses: the platform and payload bus. The OBDH is the only node which is connected to both.
Dual bus implemented to allow data traffic between the payloads without on-board computer intervention, and without interfering with the platform data exchange latency.
Each bus is composed of a Main and a Redundant CAN connection.

Hardware IF (1/2)
o Controller, COTS based I/F
  ✓ Embedded in a microcontroller: STM32F407, Cortex-M4 based
    – Three transmit mailboxes with configurable priority
    – Two receive FIFOs with three stages
    – 28 filter banks
  ✓ As an external SPI-based controller: MCP2515
    – Three transmit buffers
    – Two receive buffers
    – 6 filter banks
o Parts are not SEL immune and require external latch-up protection.

Hardware IF (2/2)
o Transceiver
  ✓ TI SN65HVD233-HT
    – 3.3 V device, LVTTL
    – -55 to 175 °C
    – Up to 1 Mbps
    – Cold spare
    – Loopback function
  ✓ Tested with Laser Beam and SET/SEL under heavy ions. The device is not SEL immune and requires external latch-up protection.

Software IF (1/3)
o CANopen stack implemented on top of CAN controller drivers:
  ✓ CAN controller device driver embedded in RTEMS
  ✓ Vector GmbH CANopen software stack integrated in RTEMS
  ✓ Same approach for masters and slaves
  ✓ Vector GmbH stack updated to:
    • Include multiple SDO client channels (same approach used for servers)
    • Expand Rx/Tx buffer length
    • Remove dead code (unused services)
    • Improve metrics
  ✓ Resulting stack validated against a specific set of service requirements

Software IF (2/3)
o ESEO CANopen implementation (OBDH):
  ✓ 43 TPDOs
  ✓ 24 RPDOs
  ✓ 19 SDO clients
  ✓ Heartbeat producer/consumer with master role
  ✓ Manages two busses, platform and payload
o Footprint (controller driver + CANopen + add-on custom layer + API)
  – FLASH 110 kbytes
  – SRAM 16 kbytes

Software IF (3/3)
[Diagram. On-board functions: Housekeeping, Telemetry, Commanding, Bus redundancy, Time distribution, FDIR. CANopen services: PDOs, SDOs, SYNC, NMT services, Error management. Handbook?]

Housekeeping data collection
o Housekeeping data collection is based on SDO block transfer
  ✓ Many data types collected in structures, with signed and unsigned integers, 32- and 64-bit floating point values; from a few bytes to hundreds of bytes;
  ✓ Platform housekeeping data set refreshed periodically by the units; generally 1 Hz, a higher rate is foreseen only for a small subset of parameters (e.g. main bus voltage is automatically sampled up to 1 kHz in case of under-voltages);
  ✓ Master/Slave configuration: the OBDH issues SDO uploads to the units periodically, with a pre-defined sequence;
  ✓ Master role can be reconfigured: there are specific safe modes where the OBDH is unavailable, and the TMTC can access the same data using another SDO channel;

On-board time distribution
o On-board time distribution is based on broadcast PDOs
  ✓ Master/Slave configuration: the OBDH keeps on-board time and broadcasts it with 1 TPDO. Every other unit receives it with 1 RPDO.
  ✓ Time is kept and broadcast in the form of days past J2000 plus milliseconds of day.
  ✓ Units autonomously propagate time in case the service goes missing (safe mode)

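A sketch of the unit-side behaviour described on this slide, added here as an example and not taken from SITAEL's software: the unit propagates days-plus-milliseconds time from its own tick, and adopts the OBDH broadcast only when the value is well-formed. The field widths, the `SYNC_LOSS_MS` threshold and all function names are assumptions.

```c
#include <stdint.h>

#define MS_PER_DAY   86400000u
#define SYNC_LOSS_MS 5000u     /* hypothetical: gap after which the service counts as missing */

typedef struct { uint32_t days; uint32_t ms; } obt_t;   /* field widths assumed */
typedef struct { obt_t now; uint32_t since_rx_ms; int free_running; } unit_clock_t;

/* Local propagation from the unit's own tick: add dt_ms, carry whole days,
 * and flag free-running once the broadcast has been silent for too long. */
void clock_advance(unit_clock_t *c, uint32_t dt_ms)
{
    uint64_t ms  = (uint64_t)c->now.ms + dt_ms;
    uint64_t gap = (uint64_t)c->since_rx_ms + dt_ms;
    c->now.days += (uint32_t)(ms / MS_PER_DAY);
    c->now.ms    = (uint32_t)(ms % MS_PER_DAY);
    c->since_rx_ms = gap > UINT32_MAX ? UINT32_MAX : (uint32_t)gap;
    if (c->since_rx_ms > SYNC_LOSS_MS)
        c->free_running = 1;
}

/* RPDO handler: adopt the master's time. A milliseconds-of-day value outside
 * one day is malformed; it is rejected and the local clock keeps running. */
int clock_on_broadcast(unit_clock_t *c, obt_t rx)
{
    if (rx.ms >= MS_PER_DAY)
        return 0;
    c->now = rx;
    c->since_rx_ms = 0;
    c->free_running = 0;
    return 1;
}

int main(void)
{
    unit_clock_t c = { { 6374u, 86399500u }, 0u, 0 };   /* constructed sample */
    clock_advance(&c, 1000u);                           /* crosses midnight */
    return (c.now.days == 6375u && c.now.ms == 500u) ? 0 : 1;
}
```
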
PING service for essential subsystems
o PING service is established as part of essential subsystems FDIR policies;
o It is based on PDOs
o Master/Slave configuration: the TMTC (which incorporates CPDU and HPC functions) issues PING requests to the OBDH and power subsystems;
o If the PING answer goes missing, the platform FDIR algorithm operates (rebooting, switching to redundant)

On-board commanding
o On-board commanding is based on PDOs
  ✓ An additional protocol layer is added on top of CANopen to ensure command execution acknowledgement;
  ✓ Error code handling includes invalid command, unit not answering or late acknowledge;
  ✓ The PDO command data field is fixed:
    • 1 byte specifying the access type (read or write);
    • 1 byte carrying a sequence number used to correlate the ACK
    • 4 bytes specifying data to be written (a parameter, or bit-per-bit command definition)
  ✓ Master/Slave (OBDH is master for TC, TMTC is master for HPC)

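The fixed 6-byte command field and the three error cases listed above, as an added example that is not part of the original slides or of SITAEL's acknowledge layer. The access-type codes, the little-endian data order, the 100 ms timeout and every function name are assumptions; only the field sizes and the error categories come from the slide.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed values: the slide fixes only the field sizes (1 + 1 + 4 bytes). */
enum { ACC_READ = 0x00, ACC_WRITE = 0x01 };      /* hypothetical codes */
#define CMD_LEN        6u
#define ACK_TIMEOUT_MS 100u                      /* hypothetical timeout */

typedef enum { CMD_OK, CMD_INVALID, CMD_NO_ANSWER, CMD_LATE_ACK } cmd_status_t;
typedef struct { uint8_t access; uint8_t seq; uint32_t data; } cmd_t;
typedef struct { uint8_t seq; uint32_t sent_ms; } pending_t;

/* Serialise into the fixed PDO data field (little-endian data assumed). */
size_t cmd_pack(const cmd_t *c, uint8_t out[CMD_LEN])
{
    out[0] = c->access;
    out[1] = c->seq;
    for (int i = 0; i < 4; i++)
        out[2 + i] = (uint8_t)(c->data >> (8 * i));
    return CMD_LEN;
}

/* Receiving unit: reject a wrong length or unknown access type before acting. */
cmd_status_t cmd_unpack(const uint8_t *buf, size_t len, cmd_t *c)
{
    if (len != CMD_LEN || buf[0] > ACC_WRITE)
        return CMD_INVALID;
    c->access = buf[0];
    c->seq = buf[1];
    c->data = 0;
    for (int i = 0; i < 4; i++)
        c->data |= (uint32_t)buf[2 + i] << (8 * i);
    return CMD_OK;
}

/* Master, one outstanding command: classify what came back. ack_seen = 0
 * means no ACK arrived; an ACK for another sequence number does not count. */
cmd_status_t ack_check(const pending_t *p, int ack_seen,
                       uint8_t ack_seq, uint32_t ack_ms)
{
    if (!ack_seen || ack_seq != p->seq)
        return CMD_NO_ANSWER;
    if ((uint32_t)(ack_ms - p->sent_ms) > ACK_TIMEOUT_MS)
        return CMD_LATE_ACK;
    return CMD_OK;
}

int main(void) { cmd_t c = { ACC_WRITE, 1, 0xCAFEu }; uint8_t b[CMD_LEN]; return cmd_pack(&c, b) == CMD_LEN ? 0 : 1; }
```

With a one-byte sequence number the counter wraps after 256 commands, so the correlation is only unambiguous while a single command per unit is outstanding, which is what `pending_t` models.
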
Bus redundancy management
o Bus redundancy is managed with heartbeats:
  1. A master node periodically broadcasts heartbeats on the active CAN bus;
  2. If a unit misses a number of heartbeats, it switches to the redundant bus and starts producing heartbeats on it, to inform the master;
  3. The master switches to the redundant bus, and starts broadcasting heartbeats on it;
  4. Every other unit switches to the redundant bus;
o Infinite toggling is possible (process above repeated). Is it a good idea? What happens if a unit loses the main bus, and another one the redundant? The FDIR policy on the master node shall consider the event, and exclude one of the two.

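The split-failure question raised on this slide, worked through as an added example (not SITAEL's FDIR code): a unit-side miss counter, a master that follows switch requests only up to a toggle limit, and a constructed scenario where unit 1 has lost the main bus and unit 2 the redundant one. The thresholds, the assumption that the master listens on both buses, and all names are hypothetical.

```c
#include <stdint.h>

/* Hypothetical thresholds; the slides give no numbers. */
#define MISS_LIMIT   3u   /* heartbeats a unit may miss before switching */
#define TOGGLE_LIMIT 4u   /* master bus switches tolerated before FDIR acts */

typedef enum { BUS_MAIN = 0, BUS_RED = 1 } bus_t;
typedef struct { bus_t active; uint8_t missed; } unit_t;
typedef struct { bus_t active; uint8_t toggles; int locked; int excluded; } master_t;

/* Unit, once per heartbeat period (steps 1-2). heard = master heartbeat seen
 * on the unit's active bus. Returns 1 when the unit switches bus. */
int unit_tick(unit_t *u, int heard)
{
    if (heard) { u->missed = 0; return 0; }
    if (++u->missed < MISS_LIMIT) return 0;
    u->active = (u->active == BUS_MAIN) ? BUS_RED : BUS_MAIN;
    u->missed = 0;
    return 1;
}

/* Master (step 3 plus an FDIR guard), assumed to listen on both buses: unit
 * `id` asks for `bus`. Follow it up to TOGGLE_LIMIT, then stay and exclude. */
bus_t master_on_unit_heartbeat(master_t *m, int id, bus_t bus)
{
    if (bus == m->active) return m->active;
    if (m->locked || m->toggles >= TOGGLE_LIMIT) {
        m->locked = 1;
        m->excluded = id;           /* this unit cannot reach the kept bus */
        return m->active;
    }
    m->toggles++;
    return m->active = bus;
}

/* Constructed scenario from the slide: unit 1 lost main, unit 2 lost redundant.
 * Returns the id of the unit the master ends up excluding. */
int simulate_split_failure(master_t *m)
{
    static const int can_hear[3][2] = { {0, 0}, {0, 1}, {1, 0} }; /* [unit][bus] */
    unit_t u[3] = { {BUS_MAIN, 0}, {BUS_MAIN, 0}, {BUS_MAIN, 0} };
    *m = (master_t){ BUS_MAIN, 0, 0, -1 };
    for (int t = 0; t < 100 && !m->locked; t++)
        for (int id = 1; id <= 2; id++)
            if (unit_tick(&u[id], u[id].active == m->active && can_hear[id][m->active]))
                master_on_unit_heartbeat(m, id, u[id].active);
    return m->excluded;
}

int main(void) { master_t m; return simulate_split_failure(&m) == 1 ? 0 : 1; }
```

Without the `TOGGLE_LIMIT` guard the two units keep pulling the master back and forth indefinitely; with it, the master settles on one bus and records which unit to exclude.
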
Multiple bus management
o Platform and payload separate busses would require two instances of the stack in the OBDH
o To reduce footprint impact:
  ✓ Implemented a single stack instance
  ✓ The custom API switches between busses according to the addressed units (PDOs only)
  ✓ An additional layer between the stack and the driver sniffs packets and switches bus according to the addressed units

Mini-satellite platform (S-200) (1/2)
SITAEL S-200
Targeted mission: EO SSO in very-LEO @350-800 km
P/L max mass: Up to 80 kg
P/L avg power cons.: Up to 120 W
P/L allowable volume: Up to 900 x 700 x 560 mm³
S/C launch mass (kg): 150/200 kg
S/C envelope LxWxH: 900 x 700 x 900 mm³
S/C power gen. (W): Up to 200 W Avg (*), 510 W Peak
Battery capacity: Li-Ion, 880 Whr
Pointing accuracy: < 0.05°, 3-axis stabilization
Pointing knowledge: Up to 0.006° (*)
Slew Rate: Up to 3°/s (0.5°/s²)
Delta-V: Up to 1000 m/s
TT&C: S-Band, up to 1 Mbps
PDHT data rate: X-band, up to 400 Mbps
PDHT data storage: Up to 256 GB
S/C redundancies: Full-cold P/F red.
Lifetime: Up to 5 years
(*): Two scaled versions available

Mini-satellite platform (S-200) (2/2)
For the SITAEL higher-class small satellite (namely the S-200 mini-sat, up to 200 kg launch mass), CANbus technology is present on board as one of the possible data handling buses (with SpaceWire, Mil-1553b, RS422).
Unlike the micro-sat product (low cost, fully COTS-based, max 3 y lifetime), the S-200 platform aims to provide high performance (up to 5 y lifetime) and multi-purpose features (different missions/different P/Ls), so it is fundamental to foresee strong configurability in terms of subsystems and on-board equipment (and their I/F).
An example of S-200 optional configurations, with different platform features (answering different mission/orbital/reliability needs):

S-200 CONF. A (without CANbus)
  Institutional Missions (EO, Science)
  Hi-Reliability for single mini-sat (> 0.7)
  Lifetime up to 5 years
  All orbit scenarios (LEO, MEO), also in severe RADenv
  Space-grade (ECSS -C) subsystems/units
  C&C I/F: Mil 1553, SpaceWire, RS-422

S-200 CONF. B (with CANbus)
  Low cost/Commercial Missions (EO, TLC)
  Reliability figure negotiable, evaluated at system level
  Lifetime up to 3 years
  LEO (<500 km) constellations, less severe RADenv
  Also COTS-based subsystems/units
  C&C I/F: CANbus,
  (ECSS tailoring)

Thank you.
SITAEL S.p.A.
Via San Sabino, 21
70042 Mola di Bari (BA) – ITALY
Tel: +39 080 5321796
Fax: +39 080 5355048
www.sitael.com