Trustworthy Systems

QB50 Project

Trustworthy COTS for aerospace applications.


To demonstrate the effectiveness and performance of our Trustworthy COTS and Mixed-Criticality Real-time Systems projects in a hostile, mission-critical aerospace environment.


While bench-top testing offers a convenient environment for evaluating system performance, nothing beats a real-world deployment. We intend to show that expensive CubeSat computing systems can be retired in favour of inexpensive COTS hardware, with the required reliability and schedulability provided by the system software rather than by the hardware.

The QB50 project has the scientific objective of measuring key environmental conditions in the lower thermosphere and studying the re-entry process. The project will meet these objectives by launching 40 miniature satellites into low Earth orbit. To offset the cost of the project, QB50 has invited universities from around the world to contribute by constructing a custom CubeSat miniature satellite. Each CubeSat must carry the sensors the QB50 project requires, but in return contributors are rewarded with space on the satellite for independent research.

TS sees this as an invaluable opportunity to evaluate the trustworthiness of its formally verified microkernel and other reliability-driven IP. We are collaborating with various faculties at UNSW to meet these objectives.


A custom motherboard has been engineered to meet the mechanical and electrical interfacing requirements defined by the 2U UNSW-EC0 CubeSat in which the payload will be installed. This motherboard hosts a 1.7 GHz quad-core ARM Cortex-A9 COTS CPU module. It also provides 512 KB of FRAM for reliable storage of the first-stage boot loader, and multiple SD cards for redundant storage of the system software. All communication between CubeSat modules is carried over an I2C bus, which the motherboard routes from the standard CubeSat header to the COTS CPU module.

The system software which runs on the payload offers key support features to other satellite payloads. These features include a real-time clock, a file server, a data compression service and Attitude Determination and Control (ADC) algorithms. The compression service is critical for maximising the efficiency of the limited communication link to the ground station. With a more capable CPU, the payload is able to run more complex ADC algorithms for efficient satellite detumbling and positioning without sacrificing reaction time.

To address the reliability concerns of COTS hardware in an aerospace application, we deploy Trustworthy COTS IP developed at NICTA. Multiple copies of the system image execute in parallel. At regular synchronisation points their states are compared; if one image has diverged from the others, a loss of system integrity has been detected and recovery procedures can commence.
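The following is an added illustration of that mechanism, not code from the QB50 payload or from the NICTA Trustworthy COTS IP. It models replicas that run the same deterministic step function in lockstep, exchange a digest of their state every few steps, and treat a single bit-flip in one replica as the fault. The step function, the sync interval, the replica names and the fault model are all assumptions made for the example. It also shows a caveat the paragraph leaves implicit: two replicas can only detect a divergence, since neither can be trusted over the other, whereas three replicas can identify the outlier by majority and re-synchronise it.

```python
"""Redundant co-execution with periodic state comparison (added illustration).

This is not code from the QB50 payload or the NICTA Trustworthy COTS IP; it
models the mechanism described in the text. Assumptions (illustrative only):
replicas run the same deterministic step function over the same inputs,
compare a digest of their state every SYNC_INTERVAL steps, and a fault is
modelled as a single bit-flip in one replica's state.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass

SYNC_INTERVAL = 4          # steps between synchronisation points (assumed)


def step(state: int, x: int) -> int:
    """Deterministic placeholder workload: a 32-bit linear congruential mix."""
    return (state * 1103515245 + x + 12345) & 0xFFFFFFFF


def digest(state: int) -> bytes:
    """What a replica exchanges at a sync point instead of its full state."""
    return hashlib.sha256(state.to_bytes(4, "big")).digest()


@dataclass
class Replica:
    name: str
    state: int = 0
    resyncs: int = 0


def synchronise(replicas, t):
    """Compare digests; with a majority, re-sync the outliers; otherwise detect only."""
    digests = [digest(r.state) for r in replicas]
    if len(set(digests)) == 1:
        return []                                   # all replicas agree
    majority, votes = Counter(digests).most_common(1)[0]
    if votes * 2 <= len(replicas):
        return [(t, "divergence", None)]            # detected, but no majority to trust
    good = next(r for r, d in zip(replicas, digests) if d == majority)
    events = []
    for r, d in zip(replicas, digests):
        if d != majority:
            r.state = good.state                    # recovery: adopt the majority state
            r.resyncs += 1
            events.append((t, "resync", r.name))
    return events


def run(n_replicas, inputs, fault_at=None, fault_replica=0):
    """Run replicas in lockstep over inputs; returns (events, final states)."""
    replicas = [Replica(f"R{i}") for i in range(n_replicas)]
    events = []
    for t, x in enumerate(inputs):
        for r in replicas:
            r.state = step(r.state, x)
        if t == fault_at:
            replicas[fault_replica].state ^= 1 << 7   # constructed fault: one bit-flip
        if (t + 1) % SYNC_INTERVAL == 0:
            events.extend(synchronise(replicas, t))
    return events, [r.state for r in replicas]


if __name__ == "__main__":
    inputs = list(range(12))
    print("no fault        :", run(3, inputs))
    print("2 replicas, flip:", run(2, inputs, fault_at=5))
    print("3 replicas, flip:", run(3, inputs, fault_at=5))
```

With two replicas the fault injected at step 5 is reported as a divergence at every later sync point but never repaired; with three, the outlier is re-synchronised at the first sync point after the fault and the final states match the fault-free run. Comparing digests rather than full state keeps the synchronisation traffic small, which matters when the replicas are separate images rather than threads sharing memory.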

To ensure that the ADC algorithms operate within strict execution bounds, we deploy Mixed-Criticality Real-time Systems IP developed at NICTA. This IP allows us to provide temporal isolation for the mission-critical ADC component while maintaining co-schedulability with the less critical payload functions.
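As an added illustration of the two properties named above, the model below is not code from the QB50 payload or the NICTA Mixed-Criticality Real-time Systems IP. It assumes discrete time ticks on a single core, priority equal to criticality, and a per-period execution budget that each task is both guaranteed and capped to; the task names, budgets and periods are invented for the example. Running it with and without budget enforcement shows what enforcement buys: a compression service that overruns cannot starve the lower-priority file server, and a looping ADC component cannot starve the rest of the payload, while a well-behaved ADC still meets every deadline.

```python
"""Budget-enforced fixed-priority scheduling model (added illustration).

Not code from the QB50 payload or the NICTA Mixed-Criticality Real-time Systems
IP; it models the two properties described in the text. Assumptions
(illustrative): discrete time ticks, one core, priority equals criticality, and
each task has a budget of ticks it is guaranteed (and capped to) per period.
A task's `demand` is how long it actually tries to run per period, which may
exceed its budget when the task misbehaves.
"""
from dataclasses import dataclass


@dataclass
class Task:
    name: str
    criticality: int      # used directly as priority here (simplification)
    budget: int           # ticks guaranteed and capped per period
    period: int
    demand: int           # ticks the task actually wants per period
    remaining_budget: int = 0
    remaining_demand: int = 0
    executed: int = 0
    misses: int = 0       # periods that ended with work still pending


def simulate(tasks, ticks, enforce_budget=True):
    """Return {name: (ticks executed, deadline misses)} after `ticks` of scheduling."""
    tasks = sorted(tasks, key=lambda k: -k.criticality)
    for t in range(ticks):
        for task in tasks:                      # period boundaries: check and replenish
            if t % task.period == 0:
                if t > 0 and task.remaining_demand > 0:
                    task.misses += 1
                task.remaining_demand = task.demand
                task.remaining_budget = task.budget
        for task in tasks:                      # dispatch highest-priority runnable task
            has_budget = task.remaining_budget > 0 or not enforce_budget
            if task.remaining_demand > 0 and has_budget:
                task.remaining_demand -= 1
                task.remaining_budget -= 1
                task.executed += 1
                break
    return {task.name: (task.executed, task.misses) for task in tasks}


def overrunning_compressor(enforce_budget):
    """Isolation: compression overruns its budget; ADC and the file server must not suffer."""
    return simulate([
        Task("adc", criticality=3, budget=2, period=5, demand=2),
        Task("compress", criticality=2, budget=2, period=5, demand=5),   # misbehaves
        Task("fileserver", criticality=1, budget=1, period=5, demand=1),
    ], ticks=20, enforce_budget=enforce_budget)


def runaway_adc(enforce_budget):
    """Co-schedulability: a looping ADC component must not starve the rest of the payload."""
    return simulate([
        Task("adc", criticality=3, budget=2, period=5, demand=5),        # misbehaves
        Task("compress", criticality=2, budget=2, period=5, demand=2),
        Task("fileserver", criticality=1, budget=1, period=5, demand=1),
    ], ticks=20, enforce_budget=enforce_budget)


if __name__ == "__main__":
    for enforce in (True, False):
        print("enforce budgets:", enforce)
        print("  compressor overruns:", overrunning_compressor(enforce))
        print("  ADC runs away      :", runaway_adc(enforce))
```

Priority alone protects the ADC component from lower-priority tasks; it is the budget cap that keeps a faulty ADC from monopolising the core and keeps the file server schedulable behind an overrunning compressor. Misses counted against a task whose demand exceeds its budget are the expected outcome of the cap, not a scheduling failure.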

While the payload system software is integrated as a secondary computer that supplements the primary flight computer, we intend to show that it can indeed operate as a replacement for the primary computer in future CubeSat designs.