International Journal of Reliability, Risk and Safety:

Theory and Application / Vol. 1, No. 1, 2018 17

www.IJRRS.com

Triple-Triple Redundant Reliable Onboard

Computer Based on Multicore Microcontrollers
G. Kahe1*
1. Assistant Professor, Aerospace Research Institute, Tehran, IRAN
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Abstract
The flight control system must meet extremely high levels of functional integrity and availability. The control algorithm is processed
by onboard computer (OBC). To meet the reliability requirements for onboard computers, various type of redundancy must be employed.
In this paper, we concerned with the triple modular redundancy (TMR) for an onboard computer with aerospace application. In the
proposed architecture, control inputs and system states are measured using designated sensors. According to the acquired data, mission
scenario and control algorithm are processed by the processing unit. Thereafter, the results are applied to the system by actuators.TMR
technology in component level is used to improve the reliability of OBC according to the system requirements. All of the constituent
modules of OBC, comprising processing unit, bus interface, sensor, actuators, and IO devices, benefits from triple redundancy. The case
study shows that the similar architecture is used for high reliable flight computer of passenger airplanes except that our architecture is
based on the available multicore microcontrollers. The reliability of the designed onboard computer is evaluated analytically, which
indicates that the proposed OBC can meet the reliability requirements.

Keywords: Onboard Computer, Triple Modular Redundancy, Reliability

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
minicomputers developed and manufactured by
1. Introduction *
Digital Equipment Corporation (DEC) based on VAX
The onboard computer (OBC) is at the core of any instruction set architecture [1]. Two layered software
aerospace system such as satellite, spacecraft, and products, VAXft System Services and VMS Volume
aircraft. In aircraft, the typical flight control computer Shadowing, were required to support the fault-tolerant
not only drives the primary flight control surfaces, but features of the VAXft. NonStop is a series of server
also provides finer control for stability. Given the computers introduced to market in 1976 by Tandem
criticality of this function, these computers are often Computers Inc. The production line was later owned
used in a dual or triple redundant configuration, by Compaq (from 1997) and Hewlett-Packard (since
providing that these additional components be 2003). To circumvent single points of failure, the
properly employed and subject to strict compliance to NonStop servers are equipped with some redundant
safety standards for software and hardware such as components. The HP Integrity NonStop computers are
DO-178C and DO-254. In addition to the aerospace based on the Intel Itanium processor platform which
applications, reliable OBCs are extensively used in feature a massively parallel processing (MPP)
various applications including banks, stock exchanges, architecture and provide linear scalability. Average
telecommunication providers, railways. Various availability levels of 99.999% have been observed for
companies introduce their fault-tolerant OBCs to this NonStop servers [2]. In [3, 4], the abundant on-chip
high demand market. Despite an extensive research in processor cores are exploited for redundant hardware
this era and development of diverse product for safety in transaction processing, which provides native
critical applications, related papers and documents support for error detection and recovery against soft
have covered only the generals and have rarely errors. Their experimental evaluations confirm the
published the details. effectiveness of the proposed redundant architecture in
Transaction servers, which are used in bank and achieving low cost reliable computing against soft
stock exchanges, are required to be highly available. errors with moderate performance, area and power
As an example, the VAXft (Virtual Address overheads.
Extension, fault tolerant) was a family of reliable Radiation hardening is a costly technology to
make electronic components and systems resistant to
damage or malfunctions caused by ionizing radiation
*. kahe@ari.ac.ir
International Journal of Reliability, Risk and Safety:
Theory and Application / Vol. 1, No. 1, 2018 18
www.IJRRS.com
in outer space and high-altitude flights. Most of the For small satellites, the size and weight of
semiconductor companies produce a broad range of components are so limited. The new generation low-
radiation hardened (RadHard) MIL-PRF-38535/QML power 32-bit MCU has been identified as an ideal
compliant products for aerospace and harsh candidate for the ADCS in [11]. It not only can handle
environment applications. Due to the specific the computational requirements of the ADCS
fabrication process, low volume production, and algorithms, but also includes enough energy-saving
extensive development and testing process, the price features, which will be required on the limited power
of radiation-hardened chips is very high and tends to budget of a CubeSat. Design and implementation of an
lag behind the most recent developments. For example OBC using COTS components for a small satellite
a 32-bit ARM Cortex-M0 microcontroller (Aalto-1) is demonstrated in [12]. The Aalto-1 OBC is
manufactured with HARDSIL technology by based on ATMEL ARM 9 processors and is designed
VORAGO [5] offering superior radiation performance to provide a platform for Command and Data
over 300 K radiation and latch-up immunity for Handling System (CDHS) that interfaces with other
extreme environments, costs about 1 K$, which is not subsystems of the satellite and controls their
comparable with 10 $, which is the price of same operations. An emerging class of small satellite
commercial type. missions demand assured operational lifetime and
To bypass the RadHard problems and feature rapid development on a reasonable budget. The paper
from the most-recent technologies, aerospace centers [13] describes a “Careful COTS” approach to
are going to utilize enabling or emerging commercial component selection and testing to meet these
devices. Small size, lower power, and lower cost are requirements. This approach is developed over the
the main features of commercial device compared to course of a number of real successful experiences:
the RadHard ones. Current trends throughout the low-earth orbit missions. A low cost space qualified
world space centers, national aeronautical space computer using thermally and dynamically enhanced
agency (NASA), European space agency (ESA), and commercial computers have been developed at
other space sectors, favor the insertion of commercial Southwest Research Institute [14]. A packaging
off-the-shelf (COTS) technologies for space missions. technique has been developed and tested in this paper,
However, the presence of ionizing particle in space allowing commercial computers to be used
environments must be considered for assuring safety successfully in the severe thermal and vibration
and reliability [6, 7]. Redundancy is an available and environments encountered in some flight missions.
affordable solution. Redundancy at high-level to low- Field Programmable Gate Arrays (FPGA)
level (system-level to circuit-level) can be employed devices are also used to meet the reliability and
to meet the reliability and safety requirement for availability requirements of safety and mission critical
aerospace applications. The “TCLS ARM FOR applications including industrial, aviation, military and
SPACE” projects were an answer to the Horizon 2020 communications applications. TMR solution based on
(H2020) topic "Bottom-up Space Technologies at low MicroBlaze cores (in Xilinx FPGA) is used to design
TRL". This project target the ARM processors an OBC for high reliable applications in [15]. This
designed for terrestrial applications to be used in space processing subsystem is fault-tolerant, together with
and telecom applications, assessing the radiation the capability to detect and recover from errors.
tolerance aspects and demonstrating its robustness in a Development of a SmallSat computer system that
laboratory environment [8]. provides increased tolerance to radiation induced
In aviation industry, the design of avionic faults through a novel architecture implemented on
embedded systems requires high-dependability. In [9] COTS FPGA is presented in [16]. The fault mitigation
the dependability of the triple modular redundancy approach in this computer involves TMR technology.
(TMR) hardware for highly reliable aviation This computer provides increased reliability,
embedded system is investigated. Their experimental computational performance, and power efficiency at a
results confirm that the reliability of the TMR ARM fraction of the cost of existing radiation-hardened
processor is greater than the single one by ten times in computer systems. This computer successfully passed
some cases. Development and test of a triple modular eight high altitude balloon flights to 30 km, and a
redundant digital fly-by-wire system implemented 2014 sounding rocket flight to 120 km. Xilinx
with embedded computer PC-104 and real time radiation-tolerant FPGAs are successfully used in jet
operating system (RTOS) is presented in [10]. Their propulsion laboratory (JPL) space missions like the
evaluations show that COTS embedded computers Mars Exploration Rover Mission [17]. In case of
comprising RTOS can be used in avionic subsystems: Xilinx radiation-tolerant FPGAs, all single-event
They are easy to use, low cost, flexible, and reliable. phenomena are taken into account either through the
International Journal of Reliability, Risk and Safety:
Theory and Application / Vol. 1, No. 1, 2018 19
www.IJRRS.com
radiation-tolerant manufacturing and processing steps the RAM, program and data storage, and timing
or through TMR technique. Authors in paper [18, 4] requirement of the dedicated mission. Control inputs
evaluate the efficiency and performance of a dual-core and the system/mission states are measured through
lockstep ARM for fault-tolerance running FreeRTOS input sensors. Mission scenario or the control
applications. The method was implemented on a dual- algorithm is processed based on measurement and
core ARM microcontroller embedded into the Zynq- then the control outputs are implied to the system
7000 FPGA. Fault injection experiments show that the using the actuators and other IO devices.
method can mitigate up to 63% of faults on the FLASH RAM
FreeRTOS applications. Multicore microcontrollers
with lockstep synchronous configuration are explored
in [19, 6] to design a fault-tolerance and dependable EEPROM
OBC. As a case study, they demonstrate the design
and implementation of a dependable OBC based on RTC CPU

dual-core ARM Cortex-A9 processor embedded in Sensors

WDT
FPGA. Their empirical evaluations show the
effectiveness of the proposed approach to mitigate
around 91% of bit flips injected in the ARM registers. BUS
As we seen in the previous discussions, RadHard
components for reliable onboard computer are very
expensive and hardly available. Therefore, an
affordable and accessible method to design a reliable IO Devices Actuator

OBC is redundancy. Dual redundant system based on

COTS components, as the simplest redundant method,
can cover only a limited level of reliability for critical
applications [20, 4]. Consequently, to cover the Figure 1 . OBC Architecture
reliability requirement of mission critical aerospace 2.2. TMR Architecture for OBC
applications, it is necessitate more level of redundancy
While dual redundant is the simplest redundant form
like TMR. In this paper, we concerned with the triple
for reliable systems, triple modular redundancy is the
modular redundancy (TMR) for an onboard computer
most used one. In the proposed architecture, an
with aerospace applications. The processing unit, bus
onboard computer is designed based on triple modular
interface, sensors, and actuators benefits from TMR
redundancy (TMR).
technology. Therefore, OBC redundancy is in
component level. The reliability of the proposed
onboard computer is evaluated, which indicates system
reliability improvement according to the predetermined
requirements.
The paper structure is as follows. In the next
Section (Section 2) design of a reliable OBC is
described based on TMR architecture. Section 3
describes the case study and then the reliability
evaluation is presented in Section 4, and finally Figure 2 . Triple Modular Redundant configuration
conclusions are described in Section 5.

As it can be seen in Figure 2, The redundancy of

2. Reliable Onboard Computer Design the onboard computer is in component-level and all
In this section, a reliable onboard computer is modules of the onboard computer, including
designed, and according to the available multicore processing unit, sensors, bus, actuators, and voters are
microcontroller, its implementation is described. triple redundant. The TMR configuration (Figure 2) is
2.1.OBC Architecture considerably different from the triple redundancy
because it employs three identical voters instead of
The architecture of an OBC, suitable for small
one voter and avoids single point of failure due to the
satellite, is shown in Figure 1, which consist of
single voter. In this architecture, while two of three
processing unit, interfacing bus, sensors, actuators,
systems are healthy, the system is operational. If at
and other IO devices. The processing unit covers also
least two of three modules fail, the system breaks
International Journal of Reliability, Risk and Safety:
Theory and Application / Vol. 1, No. 1, 2018 20
www.IJRRS.com
down and needs recovery. The voting logic is a process is done through restarting the corresponding
majority voter, which takes the majority of the inputs failed processor core. Communication bus also
to be the output value. features from triple redundancy, which is controlled/
monitored by a supervisor. Similar to the previous
design, the processing module benefits from error
detection and localization capability. In addition, using
TCLS ARM, the processing module can tolerate 1-of-
3 faulty core in each microcontroller.
Bus interface also has triple redundancy. RS-422 is
used as the physical layer and data link and data
transmission layer must be designed and implemented to
support TMR technique. A supervisor monitors the bus
operation. Sensor and actuators have also redundant
structure. According to the mission scenario and control
algorithm, various types of sensors including, attitude
and navigation, environmental and monitoring sensors
must be employed. The more critical ones are configured
in redundant structure based on TMR. The system output
Figure 3 . Triple cores lock step ARM are derived through the actuators, which are configured
in redundant architecture.

ARM TCLS CORTEX-R5 consists of three same S11 S12 S13 S21 S22 S23 S31 S32 S33

cores that can run the same program in synchronously

lockstep mode. Figure 3 shows the ARM TCLS
V11 V12 V13 V21 V22 V23 V31 V32 V33

CORTEX-R5 CPU. This device presents a system-

level solution to mitigate soft errors that may occur
inside the three redundant cores [6]. Using available
multicore microcontrollers, the reliable OBC is
B1 B2 B3

designed based on dual and triple core ARMs.

In the first approach, the OBC is designed using V11 V12 V13

dual-core lock-step (DCLS) ARM based on TMR

technology. As shown in Figure 4, the proposed C11 C12 C21 C22 C31 C32

architecture can tolerate 1-of-3 faulty module for each ? ? ?

subsystem. Due to the substantial role of the
processing unit, error detection and localization is
employed using DCLS ARM, which provide the V11 V12 V13

reconfiguration capabilities of the processing cores.

Using available triple cores lock step (TCLS) B1 B2 B3

ARM microcontroller (Figure 3), the onboard

computer has been designed based on TMR
architecture. The proposed architecture is shown in V11 V12 V13

Figure 5. The onboard computer generally consist of

four modules: processing unit (microcontroller), bus,
sensors (input devices), and actuators (output devices). O1 O2 O3

The microcontroller consists of a central processing

unit (CPU), program and data memory, and I/O
circuitry. To prevent the single point of failure, all Figure 4 . OBC with TMR architecture using DCLS ARM
modules, including bus, sensors, actuators,
microcontroller, and voters, have triple redundancy
configuration. In case of any detected fails, it alarms
the supervisor and tries to recover itself to the healthy
and normal condition. In the processing unit, the
failure detection is covered using voting the outputs of
the three synchronous cores and the recovering
International Joournal of Reliabilitty, Risk and Safetty:
Theory and Appplication / Vol. 1, No. 1, 2018 21
www.IJRRS.coom
S11 S12 S13 S21 S22 S23 S31 S32 S333
Sensor1 Sensor Sensor Sensor Sensor Sensor Sensor Sensor Sensoor

V11 V12 V13 V21 V22 V33 V31 V32 V33

B1 B2 B3
BUS BUS BUS

Figure 7 . Airplanee control/aerodyynamics/structu

ure/pilot
Interractions Conceppt Diagram
V41 V42 V43

Pilot commaands are electtrically transm mitted and

C11 C12 C13 C21 C22 C23 C31 C32 C33
proccessed for appplication to thhe primary flig
ght control
surfa
faces. Two eleevators and a horizontal staabilizer are
ARM TCLS
V1
ARM TCLS
V2
ARM TCLS
V3
d for control in the pitchh axis. Roll control is
used
achiieved with twwo ailerons annd two flapero ons, and is
B1 B2 B3
augmmented with fourteen spoiilers. The spo oilers also
BUS BUS BUS
prov
vide speed braake control. Y Yaw control is provided
h a single, tabbbed rudder [21]. The prim
with mary flight
conttrol surfaces are
a illustrated iin Figure 8.
V51 V52 V53

O1 O2 O3
Actuator Actuator Actuator

Figure 5 . OB
BC with TMR arcchitecture using TCLS
T ARM

3. Case Sttudy
The Boeing 777 flight coomputers conntrol electric and a
electro hydraaulic actuatorss using electrically transmittted
commands. TheT 777 fly-byy-wire (FBW) system providdes
manual and automatic
a conttrol of the airpplane in the pitcch,
roll, and yaw
w axes (see Figgure 6 and Figgure 7).

Figure
F 8 . Boeingg 777 Primary Fliight Controls Surrfaces [21]

The flight coontrol system for airplane must meet

extreemely high levels of fuunctional inteegrity and
avaiilability. The flight controll system for the
t Boeing
777 airplane is the NASA Fly-B By-Wire (FBW W) system
[22, 23] which provide
p the nnumerical integrity and
funcctional availabbility requiremments for hig
gh reliable
commputers and is very sim milar to the proposed
arch
hitecture in thhis paper. T The heart of the FBW
systeem is the use of triple reduundancy for all hardware
resources (see Figure 9) inclluding processsing unit,
airpllane electricall power, hydrraulic power (actuators),
(
and communicattion path (buus) [24]. Th his is the
featu
ure, which is also appplied to the proposed
ure 6 . Boeing 7777 Flight Control System
Figu S [21] arch
hitecture in thiis paper. As iit can be seen
n in Figure
9, sensors
s (air data inertiall reference and other
International Joournal of Reliabilitty, Risk and Safetty:
Theory and Appplication / Vol. 1, No. 1, 2018 22
www.IJRRS.coom
sensors), actuators
a (prrimary surfaace actuatorrs), p closure for alll flight controll surface and the
loop t variable
interfacing bus (triplex ARINC 6299 flight contrrol feel actuators [21]]. Each ACE contains threee terminals,
buses), and processing unnit (primary flight
f computer) whicch comply with
w the ARIN NC629 specification to
features fromm TMR technnology. It is similar
s with the
t mmunicate withh the databasees. In Direct Mode, the
com
architecture proposed in this paper inn Figure 4 and a ACE Es do not resppond to comm mands on the digital
d data
Figure 5 in which
w the connstituent moduules of the OBBC, bus but, instead provide
p simplee analog contrrol laws to
including prrocessing unitt, sensors, buss, actuators, and
a com
mmand the surfface actuators ddirectly. Figuree 11 shows
voters are triple redundannt. the functions
f perfoormed by the A ACEs.

F
Figure 9 . NASA
A FBW Architectuure [25]
ure 11 . Actuattor Control Elecctronics Overviiew [24]
Figu
The Priimary Flight Computer
C (PF
FC) is the centtral
computationn element of the FBW sysstem. The TM MR
concept alsoo is applied to the each PF FC architectuural The Boeing--designed gloobal DATAC bus [27],
design [24].. Further, the N-version disssimilarity isssue also known as thhe ARINC 6229 data bus, is used to
is integratedd to the TMR R concept off the PFC. TheT commmunicate am mong all compputing systemms for the
PFCs consisst of three siimilar channeels (of the sam me fligh
ht control functions
f in 777 airplan
nes. Each
part numbeer), and eacch channel contains thrree DAT TAC bus is i isolated, both physiccally and
dissimilar computation
c lanes [24]. The N-versiion electtrically, from the other two [21].
software disssimilarity exxperiment at UCLA
U [26] and
a
in the avionnics industry led Boeing to the selection of
the triple-dissimilarity for the PFC arcchitecture in the
t 4. Reliability
R E
Evaluation
n
processors and the asssociated proccessor interfaace Assuuming that thhe onboard coomputer is com mposed of
hardware deesigns. It is coomparable wiith the propossed m modules
m with series
s configuuration, the reliability of
architecture in this paperr in Figure 4 and Figure 5 in a sin
ngle onboard computer
c ( ) is obtained as:
a
which the TMR technoology appliedd in CPU levvel
using the avvailable multiccourse microcoontrollers. = (1)
Left PFC Center
C PFC Right PFC

LANE1 LANE2 LANE3 LANE1 LANE2 LANE3 LANE1 LANE2 LANE3

3 wheere Ri is the reeliability of eeach module. Assuming
Power Power Power Power Power Power Power Power Powerr an equal reliabilityy for all moduules, we have::
/
CPU CPU CPU CPU CPU CPU CPU CPU CPU = → = (2)
Bus
Interface
Bus
Interface
Bus
Interface
Bus
Interface
Bus
Interface
Bus
Interface In
Bus
nterface
Bus
Interface
Bus
Interfacce
The reliability of TMR architeccture is as folllows
(min
nimum 2-out-oof-3 module m
must be operattional):
ARINC Buses
(3)
Figure 10 . Prrimary Flight Com
mputer Architectuure [24]
3
( , )=∑ (1 − ) =3 −2
Four ACEs
A (Figurre 4) providee the interfaace
between thee FBW analoog domain (crrew controlleers,
For a TMR R architecture with m mo
odules, the
electro hydrraulic actuatorrs, and electric actuators) and
a
reliaability is obtaiined as [28]:
the FBW digital
d domainn (digital datta buses, PFC Cs,
AFDCs, etcc.). The AC CEs provide excitation and a
demodulationn of all positiion transducerrs and the serrvo
International Journal of Reliability, Risk and Safety:
Theory and Application / Vol. 1, No. 1, 2018 23
www.IJRRS.com
redundancy and error/fail detection. Analytical results
( , )= 3 −2 (4) show the reliability improvement of the proposed
onboard computer, so that it is suitable for aerospace
Considering the reliability of majority-voter , the reliability applications.

of the TMR onboard computer is obtained as follows:

5. Conclusion
A reliable OBC is designed exploiting the TMR
( , , )= 3 −2 (5)
technology. Using available multicore ARM (TCLS
ARM), the reliable OBC employs component-level
4.1. Results redundancy in which all of the constituting modules
In the proposed architecture, the onboard computer (processing unit, bus, sensors and actuator, voters, and
consists of five modules (m=5). The TMR reliability the other IO devices) are triple redundant. Therefore, it
versus module reliability (RM), with m as a parameter, is is immune from single point of failures. The case study
shown in Figure 12, which indicates that the system shows that the proposed architecture is very similar
reliability increases monotonically with increasing m with the Boeing 777 highly reliable flight control
and close to unity by making an increasingly finer computer in which all of its hardware resources (flight
modular breakdown (large m). Figure 13 shows the computer, control surfaces/actuators, interfacing bus,
system reliability versus time with different values of and inertial/attitude sensor) employ TMR technology
failure rates (λ). As it can be seen, for high failure rates, but with the new and high-tech available multicore
the system reliability drops very fast. microcontrollers. Evaluation results show that the
designed OBC constituting five modules with TMR
1.00 technology can meet the reliability requirement for
aerospace application.
0.99
SystemReliability

m 1
References
0.98 [1] D. Siewiorek and R. Swarz, Reliable Computer
m 3
Systems: Design and Evaluatuion, Digital Press,
0.97 m 5
2017.
m 7
[2] M. Rausand and H. Arnljot, System reliability
0.96 m 9
theory: models, statistical methods, and
m 11
0.95 applications, vol. 396, John Wiley & Sons, 2004.
0.80 0.85 0.90 0.95 1.00 [3] C. Zheng, P. Shukla, S. Wang and J. Hu,
Module Reliability
"Exploring hardware transaction processing for
Figure 12 .System reliability versus module reliability reliable computing in chip-multiprocessors against
soft errors," in IEEE International Symposium on
1.0000
Defect and Fault Tolerance in VLSI and
0.9998
Nanotechnology Systems (DFT), Austin, TX, USA,
2012.
Sys. Reliability

0.9996 [4] G. Kahe, "Reliable flight computer for sounding

m 5 rocket with dual redundancy: design and
0.9994 0.001 implementation based on COTS parts,"
0.0001 International Journal of System Assurance
0.9992 0.00001 Engineering and Management, vol. 8, no. 3, pp.
560-571, 2017.
0.9990
0 20 40 60 80 100
[5] V. Technologies, "Radiation Hardened ARM®
Time hour Cortex-M0 Microcontroller," VOGARO Tech.,
2017.
Figure 13 . System reliability versus time (module count m=5)
[6] X. Iturbe, B. Venu, E. Ozer and S. Das, "A Triple
Core Lock-Step (TCLS) ARM® Cortex®-R5
Design and reliability evaluation of a reliable Processor for Safety-Critical and Ultra-Reliable
onboard computer based on multicore microcontrollers Applications," in 46th Annual IEEE/IFIP
has been presented. The selected ARM microcontroller International Conference on Dependable Systems
has triple lock step cores, which are beneficial for
International Journal of Reliability, Risk and Safety:
Theory and Application / Vol. 1, No. 1, 2018 24
www.IJRRS.com
and Networks Workshop (DSN-W), Toulouse, [19] D. Oliveira, Á. Barros, L. A. Tambara and F. L.
France, 2016. Kastensmidt, "Exploring performance overhead
[7] K. LaBel, M. Gates, A. Moran, P. Marshall, J. versus soft error detection in lockstep dual-core arm
Barth, E. Stassinopoulos, C. Seidleck and C. Dale, Cortex-A9 processor embedded into Xilinx Zynq
"Commercial microelectronics technologies for APSOC," in International Symposium on Applied
applications in the satellite radiation environment," Reconfigurable Computing, Springer, Cham, 2017.
in IEEE Aerospace Applications Conference, [20] G. Kahe and M. A. Rostami, "Design and
Aspen, CO, USA, 1998. Implementation of a Reliable Flight Computer
[8] J.-L. Poupat, B. Leroy and T. Helfers, "TCLS for Sounding Rocket with Dual Redundancy
ARM for Space," in DASIA (DAta Systems in Based on COTS Parts," in The 4th International
Aerospace), Estonia, 2016. Reliability Engineering Conference (IREC),
[9] D.-W. Lee, B.-Y. Kim, W.-J. Ko and J.-W. Na, "A Tabriz, IRAN, 2016.
Study on the Triple Module Redundancy ARM [21] Y. Yeh, "Design considerations in Boeing 777
processor for the Avionic Embedded System," The fly-by-wire computers," in Third IEEE
Journal of Advanced Navigation Technology, vol. International High-Assurance Systems
14, no. 1, pp. 87-92, 2010. Engineering Symposium (Cat. No.98EX231),
[10] J. A. Wang and Z. S. Li, "Development of flight Washington, DC, USA, 1998.
control system Using embedded computer PC- [22] J. Wensley, L. Lamport, J. Goldberg, M. Green,
104," in 26th International Congress of the K. Levitt, P. Melliar-Smith, R. Shostak and C.
Aeronautical Sciences, 2008. Weinstock, "SIFT: Design and analysis of a
[11] M. M. Daffalla, A. TagElsir and A. S. Kajo, fault-tolerant computer for aircraft control,"
"Hardware selection for attitude determination Proceedings of the IEEE, vol. 66, no. 10, pp.
and control subsystem of 1U cube satellite," in 1240-1255, Oct 1978.
International Conference on Computing, [23] A. Hopkins, T. Smith and J. Lala, "FTMP—A
Control, Networking, Electronics and Embedded highly reliable fault-tolerant multiprocess for
Systems Engineering (ICCNEEE) , Khartoum, aircraft," Proceedings of the IEEE, vol. 66, no.
Sudan, 2015. 10, pp. 1221-1239, 1978.
[12] E. Razzaghi, "Design and qualification of on- [24] Y. Yeh, "Triple-triple redundant 777 primary
board computer for Aalto-1 CubeSat," flight computer," in IEEE Aerospace Applications
MASTER'S THESIS, Luleå University of Conference, Aspen, CO, USA, 1998.
Technology, 2012. [25] J.D.Aplin, "Primary flight computers for the
[13] D. Sinclair and J. Dyer, "Radiation effects and Boeing 777," Microprocessors and
COTS parts in SmallSats," in 27th Annual Microsystems, vol. 20, no. 8, pp. 473-478, 1997.
AIAA/USU Conference on Small Satellites, 2013. [26] A. Avizienis, M. Lyu and W. Schutz, "In search
[14] G. Dirks, "Producing a Low Cost, Space of effective diversity: a six-language study of
Qualified Computer by Ruggedizing Commercial fault-tolerant flight control software," in The
Computer Cards," Southwest Research Institute, Eighteenth International Symposium on Fault-
Texas, 1992. Tolerant Computing, Tokyo, Japan, 1988.
[15] X. P. Guide, "MicroBlaze Triple Modular [27] J. SHAW, H. HERZOG and K. Okubo, "Digital
Redundancy (TMR) Subsystem," Xilin Corp., autonomous terminal access communication
2017. (DATAC)," in 7th Digital Avionics Systems
[16] B. J. LaMeres, S. Harkness, M. Handley, P. Conference, Fort Worth, TX, 1986.
Moholt, C. Julien, T. Kaiser, D. Klumpar, K. [28] R. E. Lyons and W. Vanderkulk, "The use of
Mashburn, L. Springer and G. A. Crum, "RadSat triple-modular redundancy to improve computer
- Radiation Tolerant SmallSat Computer reliability," IBM Journal of Research and
System," in Small Satellite Conference, 2015. Development, vol. 6, no. 2, pp. 200-209, 1962.
[17] D. Ratter, "FPGAs on Mars, Xilinx xCell Journal," [29] X. Iturbe, B. Venu, E. Ozer and S. Das, "A
Xilinx xCell Journal, vol. 50, pp. 8-11, 2004. Triple Core Lock-Step (TCLS) ARM® Cortex-
[18] Á. B. d. Oliveira, G. S. Rodrigues and F. L. R5 Processor for Safety-Critical and Ultra-
Kastensmidt, "Analyzing lockstep dual-core Reliable Applications," in 46th Annual
ARM cortex-A9 soft error mitigation in IEEE/IFIP International Conference on
freeRTOS applications," in 30th Symposium on Dependable Systems and Networks Workshop
Integrated Circuits and Systems Design: Chip on (DSN-W) , Toulouse, France, 2016.
the Sands (SBCCI '17), NY, USA, 2017.