Microchip and O.C.E. Technology Deliver High-Reliability RTOS for PolarFire® SoC FPGA Space Applications

O.C.E. Technology's Breakthroughs in High-Reliability RTOS for Space Applications

O.C.E. Technology has been developing software tools and high-reliability operating systems for the European Space Agency almost since its foundation in 2013. Building on its single-core Real-Time Operating System (RTOS), called OCEOS, designed for radiation-hardened microcontrollers, it recently showcased the multicore version of the product on the PolarFire® System-on-Chip Field-Programmable Gate Array (SoC FPGA) at Embedded World. The RTOS boasts some unique (patent pending) features to improve application reliability.

One of the first applications is an optical inter-satellite communications constellation where small memory footprint, high efficiency and application policing features make it the RTOS of choice.

Credit: DARPA

So how does OCEOSmp achieve better reliability than other RTOSs?

  • The single-stack-per-core design makes deadlocks impossible on a single core; on multicore, the RTOS issues warnings when different tasks acquire mutexes in different orders.
  • Unbounded priority inversion and chained blocking, another common source of failures, cannot occur by design.
  • Task scheduling information is available to the application (e.g. longest time on the ready-to-run queue, the shortest time between task finish and next start, the maximum time to finish after starting and the maximum number of times the task was pre-empted). This information can be used to ensure that the design assumptions are holding true and, if not, problem avoidance action may be taken.
  • Return codes for each warning or error again provide the application with useful information on which decisions can be made about the state of the system.
  • Logging of system and application errors to non-volatile memory provides for pre- or post-issue analysis.
  • Cores can be switched on or off or disabled in the case of core damage by high-velocity particles.
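The multicore deadlock warning described above rests on a simple idea: record the order in which each task takes mutexes, and flag any acquisition that would create a cycle in that order (task A holds M1 then takes M2, task B holds M2 then takes M1). The following C program is an added illustration of such a lock-order monitor written for this article; it is not OCEOS code, and the function names (`monitor_acquire`, `monitor_release`, `monitor_warning_count`) and the fixed task and mutex limits are assumptions of the example.

```c
/* Illustrative lock-order monitor (example code, not OCEOS source).
 * order[a][b] is set once some task has acquired mutex b while holding a.
 * Before adding an edge a->b we check whether b already reaches a; if so,
 * the new edge closes a cycle: two tasks take the same mutexes in opposite
 * orders, which is the precondition for a multicore deadlock. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_MUTEX 8   /* assumed limits for the illustration */
#define MAX_TASKS 4

static bool order[MAX_MUTEX][MAX_MUTEX];  /* recorded acquisition order graph */
static unsigned held[MAX_TASKS];          /* bitmask of mutexes each task holds */
static int warnings;                      /* total lock-order warnings issued */

/* Depth-first search over the recorded order graph: does 'from' reach 'target'? */
static bool reaches(int from, int target, unsigned visited) {
    if (from == target) return true;
    if (visited & (1u << from)) return false;
    visited |= 1u << from;
    for (int m = 0; m < MAX_MUTEX; m++)
        if (order[from][m] && reaches(m, target, visited)) return true;
    return false;
}

/* Called on every mutex acquire. Returns 1 if this acquisition closed a
 * lock-order cycle (a warning), 0 otherwise. */
int monitor_acquire(int task, int mutex) {
    int warned = 0;
    for (int h = 0; h < MAX_MUTEX; h++) {
        if (h == mutex || !(held[task] & (1u << h))) continue;
        /* New edge h -> mutex; a cycle exists if mutex already reaches h. */
        if (!order[h][mutex] && reaches(mutex, h, 0)) {
            printf("warning: task %d takes mutex %d while holding %d; "
                   "the reverse order was recorded earlier\n", task, mutex, h);
            warned = 1;
        }
        order[h][mutex] = true;
    }
    held[task] |= 1u << mutex;
    warnings += warned;
    return warned;
}

/* Called on every mutex release; the order graph is kept, only the held set changes. */
void monitor_release(int task, int mutex) {
    held[task] &= ~(1u << mutex);
}

void monitor_reset(void) {
    memset(order, 0, sizeof order);
    memset(held, 0, sizeof held);
    warnings = 0;
}

int monitor_warning_count(void) { return warnings; }

int main(void) {
    monitor_reset();
    /* Constructed scenario: task 0 takes M1 then M2, task 1 takes M2 then M1. */
    monitor_acquire(0, 1);
    monitor_acquire(0, 2);
    monitor_release(0, 2);
    monitor_release(0, 1);
    monitor_acquire(1, 2);
    monitor_acquire(1, 1);   /* reverse order: warning expected here */
    printf("warnings: %d\n", monitor_warning_count());
    return 0;
}
```

The order graph is deliberately kept across releases: the hazard is the pattern of orders the code base exhibits over time, not only the mutexes held at this instant, so a warning appears even when the two tasks never actually overlap during the test run. A real RTOS would also feed the warning through its return codes and error log, as the bullets above describe.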

Many Commercial-Off-the-Shelf (COTS) components are moving to radiation-tolerant fabrication processes, such as Fully Depleted Silicon On Insulator (FD-SOI), giving them good Total Ionizing Dose (TID) performance but still exposure to Single-Event Upsets (SEUs). In many cases, the software has to mitigate the SEU effects. “New Space” companies design-in these radiation-tolerant COTS parts. Their prototypes are often based on an RTOS with no safety certification, but production models generally move to a safety-certified RTOS usually driven by their experience from their early missions. OCE has noted this trend with its space customers. Beus-Dukic in his paper about RTOS for space says that “in applications with safety-critical software components, COTS RTOS needs to be certifiable, the challenge only a few vendors can currently meet.”

The design of the PolarFire SoC FPGA allows a high-reliability RTOS and Linux to execute in parallel. Many “New Space” applications need to take advantage of APIs available under Linux while leaving the real-time processing to the RTOS running on the other cores.

In summary, OCEOSmp offers the following features:

  • Fixed priority pre-emptive scheduling
  • Based on the Stack Resource Policy: unbounded priority inversion and chained blocking cannot occur
  • Deadlocks are impossible on a single core and warnings are provided on multicore
  • Single stack per CPU rather than separate stack for each task
  • Small code footprint (<30 kB for core functionality)
  • Mutex (standard and read/write), counting semaphore and data queue support
  • High-precision timed actions independent of scheduling (data output and task start)
  • Supports SPARC, ARM and RISC-V processor architectures
  • DMON debug tool support showing task/interrupt execution timeline
  • Certification service for OCEOSmp to run on customer-designed boards
  • Support & Independent Software Validation services available from OCE
  • Compliant with ESA ECSS Category B standard

If OCEOSmp sounds suitable for your application, the company will certify it on your customer-designed board as part of the development kit sale.
