ArticlePDF Available

Design of the fault tolerant command and data handling subsystem for ESTCube-1

Authors:
Kaspars Laizans at Tartu Observatory
Kaspars Laizans
Indrek Sünter at Tartu Observatory
Indrek Sünter
Karlis Zalite at Tartu Observatory
Karlis Zalite
Henri Kuuste
Henri Kuuste
Henri Kuuste
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Show all 11 authorsHide
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

This paper presents the design, implementation, and pre-launch test results of the Command and Data Handling Subsystem (CDHS) for ESTCube-1. ESTCube-1 is a one-unit Cube Sat, which will perform an electric solar wind sail experiment. The development process of the CDHS for ESTCube-1 was focused on robustness and fault tolerance. A combination of hot and cold hardware redundancy was implemented. Software, including a custom-written internal communications protocol, was designed to increase the system's fault tolerance further by providing fault detection and fall-back procedures. Tests were carried out to validate the implementation's performance and physical endurance. The final CDHS design is operational within the set requirements. Tests that verify fault tolerance of the system in orbit are suggested.
Figures - uploaded by Mart Noorma
Author content
All figure content in this area was uploaded by Mart Noorma
Content may be subject to copyright.
Content uploaded by Mart Noorma
Author content
All content in this area was uploaded by Mart Noorma on May 14, 2015
Content may be subject to copyright.
Proceedings of the Estonian Academy of Sciences,
2014, 63, 2S, 222–231
doi: 10.3176/proc.2014.2S.03
Available online at www.eap.ee/proceedings
Design of the fault tolerant command and data handling subsystem
for ESTCube-1
Kaspars Laizansa,b, Indrek Süntera,b, Karlis Zalitea,b, Henri Kuustea,b, Martin Valgura,b,
Karl Tarbeb, Viljo Allika, Georgi Olentšenkob, Priit Laesb, Silver Lätta,b, and Mart Noormaa,b
aTartu Observatory, Observatooriumi 1, 61602 Tõravere, Tartumaa, Estonia
bInstitute of Physics, Faculty of Science and Technology, University of Tartu, Tähe 4-111, 51010 Tartu, Estonia
Received 15 August 2013, revised 26 February 2014, accepted 7 March 2014, available online 23 May 2014
Abstract. This paper presents the design, implementation, and pre-launch test results of the Command and Data Handling
Subsystem (CDHS) for ESTCube-1. ESTCube-1 is a one-unit CubeSat, which will perform an electric solar wind sail experiment.
The development process of the CDHS for ESTCube-1 was focused on robustness and fault tolerance. A combination of hot
and cold hardware redundancy was implemented. Software, including a custom-written internal communications protocol, was
designed to increase the system’s fault tolerance further by providing fault detection and fall-back procedures. Tests were carried
out to validate the implementation’s performance and physical endurance. The final CDHS design is operational within the set
requirements. Tests that verify fault tolerance of the system in orbit are suggested.
Key words: command and data handling subsystem, fault tolerance, redundancy, nanosatellite, CubeSat, ESTCube-1.
Acronyms and abbreviations
ADC – Analogue-to-Digital Converter
ADCS – Attitude Determination and Control Subsystem
ARQ – Automatic Repeat-Request
CAM – Camera subsystem
CAN – Controller Area Network
CDHS – Command and Data Handling Subsystem
COM – Communications subsystem
EPS – Electrical Power Subsystem
E-sail – Electric solar wind sail
FET – Field-Effect Transistor
FRAM – Ferroelectric Random Access Memory
HDLC – High-level Data Link Control
I2C – Inter-Integrated Circuit
I/O – Input/Output
ICP – Internal Communications Protocol
MCU – Microcontroller Unit
MEMS – Microelectromechanical System
NOR – Negative OR logic function
OSI – Open Systems Interconnection
PCB – Printed Circuit Board
RAM – Random Access Memory
RTC – Real-Time Clock
SPI – Serial Peripheral Interface
SS – Sun Sensor
UART – Universal Asynchronous Receiver/Transmitter
USART – Universal Synchronous/Asynchronous Receiver/
Transmitter
USB – Universal Serial Bus
XOR – Exclusive OR logic function
1. INTRODUCTION
Since the introduction of the CubeSat standard [1]
small satellite development has seen rapid growth
encompassing an increasing number of nations [2].
Advances in miniaturized integrated circuit technol-
ogies have improved environmental tolerances, stability,
and functionality while decreasing the size and reduc-
ing power consumption of satellites. Such satellites as
RAX [3], BRITE [4], SwissCube [5], CanX-2 [6], Delfi-
C3 [7], AAUSAT-II [8], AAUSAT-3 [9], and COMPASS-
1 [10] have demonstrated the versatility of CubeSats
for fulfilling a variety of missions. With the increasing
Corresponding author, kaspars.laizans@estcube.eu
K. Laizans et al.: Fault tolerant CDHS for ESTCube-1 223
scientific importance of CubeSat missions fault tolerance
is now becoming critical. However, while the topic has
been covered for larger spacecraft since the beginning
of the space age [11], redundancy and fault tolerance of
the Command and Data Handling Subsystem (CDHS) on
board micro- and nanosatellites are yet to be discussed.
The fundamentals of the fault tolerant CDHS for
CubeSats can be drawn largely from several decades
of experience acquired by designing and operating
large spacecraft. As discussed by Rennels [11], avail-
ability of commercial off-the-shelf single-chip micropro-
cessors allows for implementing several processors for
redundancy purposes. Furthermore, it allows for a dis-
tributed system design with fault recovery algorithms
[12]. This general approach is also presented by
McLoughlin et al. [13], who propose a parallel archi-
tecture that enables commercial devices to be incor-
porated into a computational unit with the total reli-
ability approaching that of space-qualified alternatives.
Nevertheless, little attempt has been made to present
a CDHS design that incorporates the aforementioned
ideas, advances in microelectronics, and CubeSat design
specifications. On Delfi-n3Xt satellite, basic on-board
computer functions were to be implemented on a micro-
controller at the primary radio transceiver [14]. CanX-1
had error detection and correction on external memories
and an implemented boot-strap code for carrying out
basic spacecraft operations in the case of failure [6].
AAUSAT-3 avoided single points of failure by adopting
a decentralized design philosophy where each subsystem
has enough processing power and data storage to carry
out its tasks [15].
In this paper we present a CDHS design with
an improved fault tolerance scheme for ESTCube-1
[16], a one-unit CubeSat, which will perform an
electric solar wind sail (E-sail) [17] experiment. Great
emphasis during the ESTCube-1 project was put on
fault tolerance, which resulted in the development of
robust subsystems, including a CDHS. Here we describe
the requirements that were derived from both the
general CubeSat specifications and the specific scientific
mission. We propose a combination of hot and cold
hardware duplication redundancy methods as a possible
solution for improving CubeSat fault tolerance. Software
solutions ensure further reduction of risks by detecting
failures and executing fall-back procedures. Finally,
results from pre-flight tests are presented and discussed.
2. REQUIREMENTS
2.1. Satellite design requirements
From a mission-specific perspective, the CDHS on
board ESTCube-1 is required to handle data needed for
controlling the satellite and for the E-sail experiment
[16]. The experiment involves a centrifugal unreel-
ing of a 10 m long conductive tether. Next, a ±500
volt potential is generated on the tether to observe its
interaction with ionospheric plasma. The observation
will be carried out indirectly by estimating changes in
the satellite spin rate. Estimation is performed using
a Kalman filter with readings from magnetometers,
Microelectromechanical Systems (MEMS), angular rate
sensors, and analogue sun sensors. The implementa-
tion of the Kalman filter on ESTCube-1 requires the
input data measurements to be carried out 2.5 times per
second [18].
Furthermore, the CDHS has to (1) store data from the
Camera subsystem (CAM) in the form of multiple binary
images of up to 600 KB each; (2) store housekeeping
data of all subsystems; and (3) compile the beacon and
data packets for downlink.
For redundancy purposes direct connections from
all subsystems to the CDHS are preferred to sequential
or daisy-chain type. As a backup method, direct
connections between the subsystems bypassing the
CDHS have to be implemented. Thus, a non-functioning
subsystem cannot hinder the operation of any other node.
This can be used in case the CDHS is rendered unusable
or as a redundant communication channel if the primary
data bus is damaged.
According to Bouwmeester and Guo [19], an Inter-
Integrated Circuit (I2C) communication bus has been
favoured for the design of small satellites. How-
ever, a bus-busy state can occur while using the I2C
for inter-subsystem communications. If one or more
subsystems are powered down during the communica-
tions, a mismatch in open-drain/collector configurations
of devices can occur, which can lead to the bus-busy state
blocking the whole bus. Other bus types used on small
satellites are Universal Serial Bus (USB) and Controller
Area Network (CAN) bus. The USB consumes much
power, while the CAN bus is not supported by many
devices. For these reasons the USB and CAN were not
selected for ESTCube-1.
Due to physical limitations of the satellite, with a
worst-case power production of 2 W, a 180 mW average
and 250 mW peak power consumption constraint for
the CDHS was set by the Electrical Power Subsystem
(EPS) [20].
To ensure lower power consumption, the use of
3.3 V supply for the whole system was adopted at
the cost of higher susceptibility to noise. The general
trend of commercial-off-the-shelf devices is to reduce
voltages even further with higher supply voltage devices
becoming obsolete. To diminish the influence of digital
noise on the signals, the use of analogue signals has been
discouraged.
Furthermore, physical requirements were introduced
primarily by the CubeSat standard for outer satellite
dimensions of 10 cm ×10 cm ×10 cm with additional
constraints for internal satellite structure derived from
those (Table 1). Mass and environmental parameter
estimates were set in early Phase B of the satellite
development, based on the preliminary design. The
vibration tolerance requirements were derived from
launcher-specific documentation.
224 Proceedings of the Estonian Academy of Sciences, 2014, 63, 2S, 222–231
Table 1. Constraints for the internal structure of ESTCube-1
Requirement parameter Maximum value
Dimensions 94 mm ×92 mm ×18 mm
Mass 60 g
Operating temperature –10 to 70 C
Vibration tolerance
sine 22.5 g
PSD random 18 g
shock 1410 g
2.2. Software requirements
Logging housekeeping and mission data, boot-loader
events, warnings, and errors has been set as the main task
of the CDHS. Part of the mission would be carried out
above the Earth’s poles with no direct communications
available. Thus, the command scheduler must be able to
execute time-specific commands unsupervised.
The on-board software of the satellite is not required
to be autonomous. All operations that involve a risk
must be started manually or it must be possible for the
satellite operator to stop these operations and disable
them permanently.
The ability to upgrade the CDHS firmware via an
access port device at the launch site as well as in orbit is
needed. In-flight upgrades also provide flexibility regard-
ing the satellite life-time schedule and functionality,
which enables implementation of unplanned tasks in
orbit. Such an approach allows for additional experi-
ments with different attitude control algorithms and
varying manners of detection of radiation effects on
electronic devices.
In order to improve the fault tolerance of the system,
it must be possible to enable, disable, and configure
CDHS software components. Configurability also pro-
vides some flexibility without the need to upgrade the
firmware.
3. SATELLITE DESIGN AND FAULT
TOLERANCE IMPLEMENTATION
3.1. Fault tolerance
One of the main classic methods of increasing hardware
fault tolerance is having hardware redundancy or
multiplication of essential parts and components rather
than modular result weighing. Having one of the
duplicated or triplicated components damaged might
lead to different results, depending on the general system
architecture: either the system switches and starts to use
another component (cold redundancy) or it experiences
loss of performance while maintaining functionality
(graceful degradation of the hot redundant system) [21].
A blend of a mixed hot–cold redundant system with
software fault-check routines is used to create a system
with enhanced fault tolerance.
3.2. Microcontrollers
Two STM32F103 Microcontroller Units (MCUs) are
used in cold redundancy mode and switched by the EPS.
Switching on one of the MCU’s power buses powers
up the MCU itself and drives the logic to enable the
corresponding peripheral lines through the bus switches
(Fig. 1). All the devices are available for both MCUs
as hot redundant, enabling access to them by the other
MCU as a backup processor in the case the main one is
damaged.
3.3. Data buses
Direct connections between all subsystems and the
CDHS were designed (Fig. 2). In particular, magneto-
meters and 3-axis MEMS angular rate sensors were
duplicated in cold redundancy (Fig. 3). Readings from
six sun sensors are digitized by two Analogue-to-Digital
Converters (ADCs) and sent via two separate Serial
Peripheral Interface (SPI) buses. Due to the limited
amount of buses available the SPI buses have to be
shared between the Attitude Determination and Control
Subsystem (ADCS) and the CDHS internal memories
and the Real-Time Clock (RTC).
Universal Synchronous/Asynchronous Receiver/
Transmitter (USART) communications were chosen
for communication between subsystems, which have
their own MCU because it is robust and supported
by the majority of microcontrollers. Apart from the
standard USART, I2C, and SPI buses additional digital
Input/Output (I/O) signals are needed for subsystem-
specific control and feedback.
3.4. Switching
All buses and peripheral lines are connected to both
microcontrollers via SN74CB3Q16211DL bus switches.
Bus switching is required in the case two MCUs are
connected directly in parallel and the inactive MCU is
able to sink all of the current injected into the bus by
another microcontroller. By default, both processors are
isolated from all peripherals and I/O lines. When the
MCU is powered up from the EPS the respective bus
switch logic is enabled allowing signals to pass through.
Care must be taken to avoid bus switch logic being
enabled for both microcontrollers at the same time. In
this case, signals would be drained by the inactive MCU.
Physically, outputs from bus switches are tied together,
making a single input on the peripheral.
Each MCU has its own set of bus switches, through
which peripherals are connected. Unlike the typical
signal division where MCUs share one bus switch, this
approach helps to alleviate the risk of a single bus
switch causing the CDHS to fail as well as keeps current
consumption to a minimum, because only half of the bus
switches are active simultaneously.
K. Laizans et al.: Fault tolerant CDHS for ESTCube-1 225
Fig. 1. Bus switch logic control via processor power buses. I/O – Input/Output, EPS – Electrical Power System.
Fig. 2. Data channels of the CDHS. ADCS – Attitude Determination and Control Subsystem, COM – Communications subsystem,
EPS – Electrical Power Subsystem, CAM – Camera subsystem, USART – Universal Synchronous/Asynchronous Receiver/
Transmitter, SPI – Serial Peripheral Interface, I2C – Inter-Integrated Circuit.
226 Proceedings of the Estonian Academy of Sciences, 2014, 63, 2S, 222–231
Fig. 3. Peripheral device distribution on data buses. I2C – Inter-Integrated Circuit, SPI – Serial Peripheral Interface, FRAM –
Ferroelectric Random Access Memory, ADC – Analogue-to-Digital Converter, SS – Sun Sensor, HV – High Voltage, RTC – Real-
Time Clock.
According to SN74CB3Q16211DL bus switch
specifications, each device can be considered as con-
sisting of a relatively small number of Field Effect
Transistors (FETs) (order of magnitude <100), which
makes it a low-density device. A probability of such
a low-density device experiencing a radiation-induced
single upset event is much smaller than the same event
happening within a microcontroller.
3.5. Storage
Storage of the CDHS and CAM firmware images,
pictures, telemetry, and science data is one of the
main tasks of the CDHS. Three fast Spansion SF25FL
128 Mbit SPI Flash memories are used for the storage
of non-critical data such as logs of housekeeping and
mission data, camera images, etc. Five Ramtron FM25
series ferroelectric 2 Mbit SPI Random Access
Memory (RAM) modules store firmware images, ADCS
constants, scheduler queues, and file system metadata
for which data integrity is crucial. For redundancy
purposes, memory devices are placed on all three SPI
buses (Fig. 3), i.e. the subsystem internal memory bus
and two SPI buses shared with the ADCS. Use of shared
buses for redundancy purposes was deemed to be an
acceptable risk due to the fact that the probability of high-
density internal SPI peripheral breaking down is much
higher than the probability of a bus becoming unavailable
due to a damaged low-density secondary device [22].
Since the CDHS has external memory devices
connected via serial buses, structures or variables in
the external memory cannot be addressed directly. This
poses an additional challenge for software development.
All external memories are shared between both CDHS
microcontrollers, and memory contents need to be back-
wards compatible with the different firmware images
stored on board the CDHS. These features could be
considered risks, which are minimized by extensive
testing and use of safe fall-back default configurations
for cases when backwards compatibility issues arise.
3.6. Real-time clock
Tether unreeling and camera image trigger events during
the mission have to be scheduled, with a timing accuracy
of 100 ms. A processor-independent external RTC is
needed to periodically synchronize millisecond timers
that are used for scheduling the CDHS events and
commands. MAX DS3234 RTC, which is connected to
the internal SPI bus (Fig. 3), was implemented. This
device has integrated temperature-compensated crystal
oscillator and voltage reference. Since the only device
on the satellite directly powered by the batteries is the
EPS, the start-up sequence of the CDHS had to include
K. Laizans et al.: Fault tolerant CDHS for ESTCube-1 227
Fig. 4. Populated board, bottom side.
the polling satellite date and time from the EPS and
reconfiguring its own RTC.
3.7. Printed circuit board and manufacture
The CDHS is assembled on a six-layer R1755V
Medium Tg 170 Printed Circuit Board (PCB) (Fig. 4).
No blind or buried vias are used to avoid their dislodging
and short circuits generated by free floating via material.
Board cut-outs were needed to provide space for sun-
sensor cabling to the ADCS. The dimensions of the
assembled board are 92 mm ×94 mm ×8.6 mm, and
the mass of the populated board is 48.54 g.
4. SOFTWARE DESIGN
4.1. General design
The CDHS software has been designed to be configur-
able in orbit and to tolerate failure of attached devices.
From the CDHS device configuration table, external
ferroelectric RAM (FRAM), Flash memories, SPI RTC,
and microcontroller internal peripherals can be enabled
or disabled individually. In the case a device failure is
detected on startup, the device is disabled automatically.
A table of integer variables is used for setting processor
clock frequency, fall-back modes for error logging
and command scheduler, beacon transmission period,
and other CDHS operational parameters. Coefficients
required for attitude determination and control are
stored in a table of floating-point values. Configuration
variables are grouped by linker regions, which allows
them to be easily synchronized with internal Flash
pages, making changes non-volatile. A safe fall-back
configuration is applied automatically in the case a
corrupted active configuration passes CDHS limit checks
and causes the CDHS to reset six times without sending
a single telemetry frame to the ground.
For error logging, once the system has at least
partially recovered again, there are multiple levels of
storage to ensure the delivery of the list of errors. Errors
during boot-up or interrupts are stored in a RAM section
that retains its contents till the next CDHS power recycle.
After the initialization of the external FRAM memories
and file systems, the list of errors is appended to a larger
error log file.
Software-induced fault tolerance by means of
modular redundancy was not used due to the per-
formance requirements and restrictions for the use of
Flash and RAM. In the scope of this paper, the CDHS
software is considered to be fault tolerant when the
CDHS remains operable after experiencing software or
hardware faults. Fault tolerance of the CDHS software
does not necessarily include the ability to continue the
operations that were interrupted by a fault.
4.2. Operating system and drivers
FreeRTOS was chosen as the operating system for the
CDHS, mainly because of its low Flash and RAM
footprints and low performance overhead. On the CDHS,
FreeRTOS takes about 11 KB of Flash and 64 KB of
RAM, most of which is reserved for the heap of dynamic
memory management.
On top of a minimalistic hardware abstraction
layer for STM32F1 and STM32F2, peripheral and
device drivers were implemented for FreeRTOS. The
Universal Asynchronous Receiver/Transmitter (UART),
I2C, and SPI drivers each have a daemon running in
the background, which processes enqueued transactions
and propagates the error codes back to the caller.
For the CDHS and the CAM, exception handling was
implemented in C.
4.3. File systems
In order to fulfil the storage requirements on the CDHS,
two types of files are needed: (1) image files for
CAM photos and calibration tables, and (2) circular
journal files for housekeeping log entries, mission data,
and buffering telemetry. For these types of files it
is unnecessary to buffer block contents before erasure.
Image files are erased and rewritten as a whole, whereas
journal files are erased and overwritten block-wise,
oldest entries first. Additional simplifications were made:
256 files per file system, hard or soft links, no directories,
filenames are numeric, and files are of constant length. It
was also decided to have only one volume per file system.
Since the CDHS has only 96 KB of static RAM,
most of the available Flash file systems could not be
used. The Transactional Flash File System was found
to have exceptionally low requirements for RAM (less
than 200 B). On the other hand, this system assumes a
not OR (NOR) Flash memory with Single Level Cells
to re-program individual bits of a Flash page. The
228 Proceedings of the Estonian Academy of Sciences, 2014, 63, 2S, 222–231
S25FL128P NOR Flash used on the CDHS is manu-
factured on MirrorBit technology. Furthermore, because
of the limited amount of static RAM and the need for file
systems for three serial NOR Flash devices with multiple
bits per cell and six FRAM devices, custom Flash and
RAM file systems with a low memory footprint had to be
developed.
The Flash file system counts bad bytes and blocks by
reading back the data written to the Flash. Mismatched
bytes are recorded in the file system metadata. Single
bytes are corrected on file reads. If more than ten bad
bytes are detected in a single block, the block is marked
as a bad block. Bad blocks are skipped on read and write
attempts, resulting in data loss. The number of detected
bad bytes and bad blocks shall be monitored in orbit.
As FRAM is more radiation tolerant than the Flash
memory, the file system metadata and system files are
stored on FRAM [23].
4.4. Internal communications protocol
A satellite-wide Internal Communications Protocol (ICP)
was designed in addition to USART communications.
The ICP was loosely based on the asynchronous version
of the High-Level Data Link Control (HDLC), and is
used by the EPS, CAM, Communications subsystem
(COM) and the CDHS for inter-subsystem data and
command transfer. The protocol covers both data link
and network layers of the Open Systems Interconnection
(OSI) model. The ICP’s design was mostly constrained
by the EPS: 16 MHz clock frequency, 2 KB of RAM
dedicated to ICP, and no operating system.
The developed ICP inherits the HDLC’s framing
mechanism: packets are delimited by 0x7E and any 0x7E
and 0x7D bytes occurring inside a packet are XORed
with 0x20 and have 0x7D added before them. Similarly
to HDLC, a 16-bit Fletcher’s checksum is computed from
the packet header, and the payload is included in the tail
of the packet.
To ensure a reliable in-order delivery of packets,
the Go-Back-N Automatic Repeat-Request (ARQ) data
transmission protocol (a variant of sliding window
protocol with the transmit window size of N and receive
window size of 1) is used on direct links. The transmit
window size is configurable, with a maximum size of 8
packets. The Go-Back-N ARQ was preferred over the
simpler stop-and-wait ARQ protocol (transmit window
size of 1) due to its higher throughput.
The routing mechanism of the ICP is very simple due
to both the simple network topology and the tight RAM
constraints. Routes from one subsystem to another are
manually and statically defined as a list of data links to
be attempted, ordered by preferability. After a packet
sending times out and is re-sent a predefined number of
times on a data link (usually three), sending via the next
data link in the routing table is attempted. Since only a
single loop exists in the network topology, infinite loops
are avoided by refusing to route a packet through the
subsystem from which the packet originated. The user is
only acknowledged of a successful delivery of a packet
over a data link and not of a delivery to the intended
destination to keep the protocol lightweight.
4.5. Command scheduler
Commands received by the CDHS are scheduled by
priority or executed immediately. The satellite’s internal
command structure supports for three different priorities:
low, high, and immediate. For low and high priorities,
separate scheduler queues are used. There is no queue
for commands of immediate priority. On each scheduler
update, either an immediate command is handled, or a
command is fetched from either the low or high queue.
It is guaranteed that high priority commands are handled
twice as often as low priority commands and that no more
than a single command is executed on each scheduler
update.
Commands received by the CDHS are enqueued
for handling in the command scheduler task. Although
the satellite’s internal command structure supports
commands of three different priorities, this feature was
rarely used and has been dropped from the command
scheduler in favour of simplicity. Commands scheduling
other commands are used to provide support for looped
execution and conditionals.
All commands are stored with a Fletcher-16 check-
sum and queue entries with invalid checksum are
discarded. To avoid memory corruption the whole queue
is cleared in the case of invalid queue entry lengths.
Clearing the queue stops active operations and prevents
corrupt commands from being executed.
A date–time scheduler is used for executing com-
mands at specified date and time. Date–time commands
are attached to FreeRTOS millisecond timers and
handled from the woken command scheduler task. Task
wake-up time can be up to 1 millisecond. Due to
possible clock drifts in the microcontroller, cumulative
error might be caused in the FreeRTOS timers configured
for long periods of time. The effects of microcontroller
clock drifts shall be monitored in orbit.
4.6. Custom bootloader
For both the CDHS and CAM, a custom bootloader
was designed and implemented. The bootloader allows
for copying a firmware image from an external FRAM
device and booting into a boot image chosen by the EPS.
It processes a list of bootloader commands stored in the
FRAM and logs status to a page in a microcontroller
Flash. Before an attempt to boot a firmware image, its
cyclic redundancy is calculated and compared against the
one stored in the firmware image header. Without any
bootloader commands or in the case of a problem with
the FRAM, the bootloader selects the default firmware,
based on the CDHS firmware select pin that can be
toggled via the EPS.
K. Laizans et al.: Fault tolerant CDHS for ESTCube-1 229
5. HARDWARE TESTING
Several tests were carried out to ensure that the CDHS
is able to survive the launch and operate in the
space environment. These included functionality tests,
performance and current consumption tests, as well as
physical tests, such as vibration and thermal vacuum
tests. During these tests, only hardware fault tolerance,
meaning the ability to remain functional in the case
of physical or electrical damage to components, was
considered.
Functionality tests are a set of basic unit tests to
ensure that hardware is functioning as intended. These
involve communication tests with all attached devices,
read and write tests on memory devices and the operating
system with device drivers and error logging. The
microcontroller supports overclocking of up to 128 MHz
while remaining stable at room temperature. Instabilities
of the overclocked microcontroller start to appear when
the operational environment temperature exceeds 50 C.
At nominal 72 MHz frequency the device is able to
operate within the ranges set in the specifications: from
–20 C up to 80 C.
Various signal injection tests were performed on
multiple engineering models and their components,
including short-circuiting, stuck-at-fault, overvoltage,
reverse polarity application, and electrostatic discharge.
Results of these tests indicated that I2C devices were
most susceptible to noise on data lines and incorrect
signal level applications, while the other devices
continued to function without problems.
The performance of the CDHS was measured
by running an in-house implementation of a Kalman
filter [24] with predefined input values. The electric
current consumption during the idle state with disabled
peripherals is 47 mA. During the active phase when
memory devices are accessed constantly, it increases to
54 mA. During the sleep mode with wake-up frequency
of 1 kHz, the average current consumption decreases
to 30 mA. Further improvements are possible with the
implementation of the tickless sleep mode.
Vibration tests were performed according to the
launch vehicle user manual of the launch provider Vega
[25]. The resonant frequency of the populated board dur-
ing the sweep-scan was found to be at 383 Hz. Such a
high resonant frequency can be explained by the design
where the placement of the 120 pin connector and large
components (bus switches, microcontrollers) stiffens
the construction. The functionality test performed after
the vibration tests revealed one non-functioning flash
memory module due to a loose solder joint connection.
No other damage was observed after two repeated tests.
Acceptance and qualification tests for launch were done
on the system level [16,25].
The purpose of the thermal vacuum test was to
measure the change in temperatures during the operation
of the subsystem and to ensure that radiative and
conductive heat dissipation were sufficient to keep the
subsystem within the operational temperature range
during uninterrupted operations. Physical connections
of the subsystem for heat exchange consist of a main
system bus connector (total conductive surface area of
43.5 mm2) and four corner mounts (27.3 mm2) with
the total area of around 70 mm2, which is negligible
compared to the heat capacity of the PCB.
Temperature measurements were performed in a
vacuum chamber at the level of 10e-4 mBar, which is
enough to remove convectional heat dissipation. The
engineering model of the subsystem was placed on a
special aluminium heat transfer plate that emulates total
heat capacity of the satellite. Contact between the heat
transfer plate and the device tested was maintained only
via special mounting rods through PCB corner mount
slots, which represent the real assembly installation. Two
calibrated temperature sensors were used: one placed on
the microcontroller and the other on the aluminium heat
transfer plate. In addition, the internal RTC temperature
sensor and the internal microcontroller temperature
sensor were tested. Temperature measurements were
performed every 10 to 30 min while running the Kalman
filter program.
The cooling of the prototype was done with a stream
of evaporated liquid nitrogen as a heat removing transfer
agent from the aluminium heat-exchange plate. During
the cooling phase, the temperature of the heat-exchange
plate dropped by 35 C, while the board temperature
(as registered by both the RTC and microcontroller
internal sensors) dropped by 8C.
The heating of the board was performed for an
hour after the cooling phase using an infra-red lamp
located underneath the heat-exchange plate. A steep
rise in the base plate temperature of 100 C was
observed for half an hour, then the CDHS PCB started to
absorb heat energy in much higher amounts than it was
able to radiate into the surrounding environment. The
temperature of both the MCU and RTC rose by 40 C,
which is not critical. After the removal of the heat
source all sensors cooled down, indicating successful
heat dissipation. The whole process took about five
hours, which is approximately three times longer than the
expected orbital period. Temperature fluctuations in orbit
should not be as severe and operational conditions are
expected to be at 30% of the test values. The built-in
temperature sensor was found to be imprecise due to the
unstable reference voltage. Effects of thermal noise on
the reference voltage source were found to be relatively
large (up to 5% of 1.3 V). Other device inbuilt thermal
sensors were found to be more accurate due to lower
internal thermal variations.
6. DISCUSSION AND CONCLUSIONS
An operational CDHS was developed and tested for
ESTCube-1. Redundancy and fault tolerance were
emphasized during the development process. While
the pre-launch tests carried out were not specifically
designed to test the fault tolerance of the system, test
230 Proceedings of the Estonian Academy of Sciences, 2014, 63, 2S, 222–231
results indicate that a robust system has been developed.
The CDHS operates in a stable manner within the
physical limits set before development. Furthermore,
thermal vacuum tests did not indicate any problems with
either the vacuum environment or the ability to dissipate
heat generated by the subsystem. Tests confirmed that
excessive heat build-up in vacuum (which could disrupt
operations of the system) was not probable. Even in
case of direct infrared radiation heat, the capacity of
the board was high enough to withstand heat build-
up for a period of multiple orbits. Accumulated heat
was rapidly dissipated via infrared radiation and thermal
exchange through the physical connections. Temperature
cycles did not impact performance and during the cycles
changes in power consumption remained below 5%.
In the future, regular in-orbit functionality and
memory integrity tests will be performed to acquire data
on the reliability, performance, and radiation tolerance of
the design. In addition, changes in current consumption,
communication latencies, number of resets, and number
of errors will be recorded. On the ground, these data will
be correlated to the solar activity.
In future missions, improvements could be made to
the subsystem to ease the implementation of advanced
functionality and increase fault tolerance. Processor core
with an inbuilt floating point unit support, cold redundant
memory units based on microSD cards, ability to power
down or power-recycle parts of the subsystem could be
considered to be able to resolve a single-event latch-up
in one device without having to power-cycle the whole
CDHS.
ACKNOWLEDGEMENT
This research was supported by the European Social
Fund’s Doctoral Studies and Internationalisation Pro-
gramme DoRa.
REFERENCES
1. CubeSat Design Specification Rev. 12. The CubeSat Pro-
gram, Cal Poly SLO. California, 2009.
2. Woellert, K., Ehrenfreund, P., Ricco, A. J., and Hertz-
feld, H. Cubesats: Cost-effective science and technol-
ogy platforms for emerging and developing nations.
Adv. Space Res., 2011, 47, 663–684.
3. Cutler, J., Bennett, M., Klesh, A., Bahcivan, H., and
Doe, R. The radio aurora explorer – a bistatic radar
mission to measure space weather phenomenon. In
Proc. 24th Annu. Small Satellite Conf. Logan, Utah,
2010.
4. Deschamps, N. C., Grant, C. C., Foisy, D. G., Zee, R. E.,
Moffat, A. F. J., and Weiss, W. W. The BRITE
space telescope: using a nanosatellite constellation to
measure stellar variability in the most luminous stars.
Acta Astronaut., 2009, 65, 643–650.
5. Borgeaud, M., Scheidegger, N., Noca, M., Roethlis-
berger, G., Jordan, F., Choueiri, T. et al. SwissCube:
the first entirely-built swiss student satellite with an
Earth observation payload. In Small Satellite Missions
for Earth Observation (Sandau, R., Roeser, H. P., and
Valenzuela, A., eds). Springer, 2010, 207–213.
6. Sarda, K., Eagleson, S., Caillibot, E., Grant, C., Kekez, D.,
Pranajaya, F. et al. Canadian advanced nanospace
experiment 2: scientific and technological innovation
on a three-kilogram satellite. Acta Astronaut., 2006,
59, 236–245.
7. Hamann, R. J., Verhoeven, C. J. M., Vaartjes, A. A., and
Bonnema, A. R. Nano-satellites for micro-technol-
ogy prequalification: the delfi program of delft
university of technology. In Selected Contributions of
the 6th IAA Symposium on Small Satellites for Earth
Observations. Berlin, 2007, 319–330.
8. Nielsen, J. F., Larsen, J. A., Grunnet, J. D. et al. AAUSAT-
II, A Danish Student Satellite. I S A S Nyusu, 2009.
9. Nielsen, J. D. and Larsen, J. A. Experiences and lessons
learned during the Launch and Early Orbit Phase
(LEOP) of AAUSAT-3. In 5th European CubeSat
Symposium Book of Abstracts. Brussels, 2013.
10. Scholz, A., Ley, W., Dachwald, B., Miau, J. J., and
Juang, J. C. Flight results of the COMPASS-1
picosatellite mission. Acta Astronaut., 2010, 67,
1289–1298.
11. Rennels, D. A. Architectures for fault-tolerant spacecraft
computers. Proc. IEEE, 1978, 60, 1255–1268.
12. Aalbers, G. T., Gaydadhiev, G. N., and Amini, R. CDHS
design for a university nano-satellite. In Proc. 57th
Int. Astronautical Congress, Valencia, 2006, IAC-06-
B5.7.05.
13. McLoughlin, I. V., Gupta, V., Sandhu, G. S., Lim, S.,
and Bretschneider, T. R. Fault tolerance through
redundant COTS components for satellite processing
applications. In Proc. 2003 Joint Conf. of the Fourth
Int. Conf. on Multimedia, 2003, 1, 296–299.
14. de Jong, S., Aalbers, G. T., and Bouwmeester, J. Improved
command and data handling system for the Delfi-
n3Xt nanosatellite. In Proc. 59th Int. Astronautical
Congress, Glasgow, 2008, IAC-08.D1.4.11.
15. Nielsen, J. D. and Larsen, J. A. A decentralized design
philosophy for satellites. In 2011 5th Int. Conf. Recent
Advances in Space Technologies (RAST). Istanbul,
2011, 543–546.
16. Lätt, S., Slavinskis, A., Ilbis, E., Kvell, U., Voor-
mansik, K., Kulu, E. et al. ESTCube-1 nanosatellite
for electric solar wind sail in-orbit technology
demonstration. Proc. Estonian Acad. Sci., 2014,
63(2S), 200–209.
17. Janhunen, P., Toivanen, P. K., Polkko, J., Merikallio, S.,
Salminen, P., Haeggström, E. et al. Electric solar wind
sail: toward test missions. Review Sci. Instruments,
2010, 81, 111301:1–11.
18. Slavinskis, A., Kvell, U., Kulu, E., Sünter, I., Kuuste, H.,
and Lätt, S. High spin rate magnetic controller for
nanosatellites. Acta Astronaut., 2013, 95, 218–226.
19. Bouwmeester, J. and Guo, J. Survey of worldwide pico-
K. Laizans et al.: Fault tolerant CDHS for ESTCube-1 231
and nanosatellite missions, distributions and sub-
system technology. Acta Astronaut., 2010, 67(7–8),
854–862.
20. Pajusalu, M., Ilbis, E., Ilves, T., Veske, M., Kalde, J.,
Lillmaa, H. et al. Design and pre-flight testing
of the electrical power system for the ESTCube-1
nanosatellite. Proc. Estonian Acad. Sci., 2014,
63(2S), 232–241.
21. Johnson, B. W. Fault-tolerant microprocessor-based
systems. IEEE Micro, 1984, 4(6), 6–21.
22. Fleetwood, D. M., Winokur, P. S., and Dodd, P. E.
An overview of radiation effects on electronics in
the space telecommunications environment. Micro-
electronics Reliability, 2000, 40(1), 17–26.
23. Wrachien, N. Advanced memories to overcome the flash
memory weaknesses: a radiation viewpoint reliability
study. Ph.D. dissertation. Dept. Inf. Eng., Padova
University, Padova, Italy, 2010.
24. Slavinskis, A., Kulu, E., Viru, J., Valner, R., Ehrpais, H.,
Uiboupin, T. et al. Attitude determination and
control for centrifugal tether deployment on the
ESTCube-1 nanosatellite. Proc. Estonian Acad. Sci.,
2014, 63(2S), 242–249.
25. VEGA User’s Manual. Issue 3, 2006, France.
ESTCube-1 veatolerantse käsu- ja andmehaldussüsteemi projekteerimine
Kaspars Laizans, Indrek Sünter, Karlis Zalite, Henri Kuuste, Martin Valgur, Karl Tarbe,
Viljo Allik, Georgi Olentšenko, Priit Laes, Silver Lätt ja Mart Noorma
On kirjeldatud ESTCube-1 käsu- ja andmehaldussüsteemi projekteerimist, selle tehnilist lahendust ning stardieelseid
katsetusi. Süsteemi arendamisel pöörati erilist tähelepanu selle robustsusele ja veatolerantsusele. Riistvara kom-
ponentide puhul rakendati kombinatsiooni kuumast ja külmast liiasusest. Tarkvaras realiseeriti protseduurid vigade
avastamiseks ja vea korral süsteemi töökorra taastamiseks. Lisaks riistvara töökindlusele simuleeritud rikete korral
testiti ka käsu- ja andmehaldussüsteemi füüsilist vastupidavust laias temperatuurivahemikus ning kontrollitud vibrat-
siooni tingimustes. Artiklis on välja pakutud ideid süsteemi veatolerantsuse kontrollimiseks orbiidil.
... If a CubeSat is made more robust, the fault tolerance is implemented rather in hardware than in software. Though, a usual hardware technique is redundancy of several or all components [19], 43% of CubeSats do not use any redundancy due to budget, time or space constraints [13]. Actually, the triple modular redundancy (TMR) is a standard aboard aircraft or bigger satellites [11] but it has a significant system overheads [26] that makes it unsuitable for small satellites such as CubeSats. ...
... Other fault tolerant techniques aboard CubeSats are for example watchdog timers [28] or data protection techniques [6]. It is also possible to analyse error reports, scan important parameters, like power consumption or temperature, in order to detect abnormal behaviour and send appropriate commands if necessary [19,6,5]. ...
... Then, the algorithm removes all task copies that have not yet started their execution, it orders tasks in the queue using the chosen ordering policy and it searches for a new schedule. Finally (Lines [16][17][18][19], the task copies starting at time t are committed. ...
Improving the CubeSat Reliability Thanks to a Multiprocessor System using Fault Tolerant Online Scheduling
Article
  • Jul 2021
  • MICROPROCESS MICROSY
More than 21000 objects fly in outer space and are exposed to the harsh space environment. The size of space objects considerably varies. Our research focuses on nanosatellites, such as CubeSats, which have to respect time, spatial and energy constraints. To tackle this issue, this paper presents and evaluates two fault tolerant online scheduling algorithms: the algorithm scheduling all tasks as aperiodic (called OneOff) and the algorithm placing arriving tasks as aperiodic or periodic tasks (called OneOff&Cyclic). Based on several scenarios, we analyse how much the performance (in terms of both the rejection rate and the scheduling time) of ordering policies are influenced by the system load and the proportions of simple and double tasks to all tasks to be executed. The “Earliest Deadline” and “Earliest Arrival Time” ordering policies for OneOff or the “Minimum Slack” ordering policy for OneOff&Cyclic reject the least tasks in all tested scenarios. The paper also deals with the analysis of scheduling time to evaluate real-time performance of ordering policies and shows that OneOff requires less time to find a new schedule than OneOff&Cyclic. Finally, it was found that the studied algorithms perform well also in a harsh environment and provide the same availability as systems based on triple modular redundancy with very much less system power consumption.
View
... Les méthodes de robustification ne sont pas de manière générale utilisées en raison des contraintes budgétaire, du temps de conception ou de l'espace disponible [55]. Par exemple, il y a 43% de CubeSats qui ne mettent pas en oeuvre la redondance, technique classique au niveau matériel [54,90]. En raison de contraintes spatiales, il est préférable d'utiliser les méthodes logicielles, comme les watchdogs ou les techniques protégeant les données [3,36,38]. ...
... They operate in the harsh space environment, where they are exposed to charged particles and radiation [89]. Since the CubeSat fault tolerance is not always considered, e.g., due to budget or time constraints, their vulnerability to faults can jeopardise the mission [54,90]. Our aim is to improve the CubeSat reliability. ...
... -Analysis of error reports [36,90] allows users to find reasons for failure occurrences and consequently to upgrade the system to be able to tolerate such faults in the future. A rectification can be made directly in the code or a correction can be defined in a library describing how to recover from failures [36]. ...
Online Fault Tolerant Task Scheduling for Real-Time Multiprocessor Embedded Systems
Thesis
  • Oct 2020
The thesis is concerned with online mapping and scheduling of tasks on multiprocessor embedded systems in order to improve the reliability subject to various constraints regarding e.g. time, or energy. To evaluate system performances, the number of rejected tasks, algorithm complexity and resilience assessed by injecting faults are analysed. The research was applied to: (i) the primary/backup approach technique, which is a fault tolerant one based on two task copies, and (ii) the scheduling algorithms for small satellites called CubeSats. The chief objective for the primary/backup approach is to analyze processor allocation strategies, devise novel enhancing scheduling methods and to choose one, which significantly reduces the algorithm run-time without worsening the system performances. Regarding CubeSats, the proposed idea is to gather all processors built into satellites on one board and design scheduling algorithms to make CubeSats more robust as to the faults. Two real CubeSat scenarios are analysed and it is found that it is useless to consider systems with more than six processors and that the presented algorithms perform well in a harsh environment and with energy constraints.
View
... The EOP firmware is primarily based on the firmware developed for the ESEO cameras. The cameras run on FreeRTOS, and microSD cards are mounted as FatFS volumes, while both ferroelectric random-access memory (FRAM) and synchronous dynamic random-access memory (SDRAM) use a minimal custom file system developed for the ESTCube-1 [38]. Several modules, such as firmware updates, command scheduler, exception handling, error logging, and several low-level drivers, are based on the ESTCube-1 legacy with minor improvements. ...
Interplanetary Student Nanospacecraft: Development of the LEO Demonstrator ESTCube-2
Article
Full-text available
  • May 2023
Nanosatellites have established their importance in low-Earth orbit (LEO), and it is common for student teams to build them for educational and technology demonstration purposes. The next challenge is the technology maturity for deep-space missions. The LEO serves as a relevant environment for maturing the spacecraft design. Here we present the ESTCube-2 mission, which will be launched onboard VEGA-C VV23. The satellite was developed as a technology demonstrator for the future deep-space mission by the Estonian Student Satellite Program. The ultimate vision of the program is to use the electric solar wind sail (E-sail) technology in an interplanetary environment to traverse the solar system using lightweight propulsion means. Additional experiments were added to demonstrate all necessary technologies to use the E-sail payload onboard ESTCube-3, the next nanospacecraft targeting the lunar orbit. The E-sail demonstration requires a high-angular velocity spin-up to deploy a tether, resulting in a need for a custom satellite bus. In addition, the satellite includes deep-space prototypes: deployable structures; compact avionics stack electronics (including side panels); star tracker; reaction wheels; and cold–gas propulsion. During the development, two additional payloads were added to the design of ESTCube-2, one for Earth observation of the Normalized Difference Vegetation Index and the other for corrosion testing in the space of thin-film materials. The ESTCube-2 satellite has been finished and tested in time for delivery to the launcher. Eventually, the project proved highly complex, making the team lower its ambitions and optimize the development of electronics, software, and mechanical structure. The ESTCube-2 team dealt with budgetary constraints, student management problems during a pandemic, and issues in the documentation approach. Beyond management techniques, the project required leadership that kept the team aware of the big picture and willing to finish a complex satellite platform. The paper discusses the ESTCube-2 design and its development, highlights the team’s main technical, management, and leadership issues, and presents suggestions for nanosatellite and nanospacecraft developers.
View
... In a conventional on-board computer (OBC) design with a primary and a backup processor, such as in [12], there are just two possible configurations: either the primary or the backup processor handles all the on-board tasks, so configuration management does not play a significant role. ...
Model-Based Reconfiguration Planning for a Distributed On-board Computer
Conference Paper
  • Oct 2020
The ScOSA project (Scalable On-board Computing for Space Avionics) of the German Aerospace Center aims at combining radiation hardened space hardware together with unreliable, but high performance COTS (commercial off-the-shelf) components as the processing nodes in a heterogeneous on-board network in order to provide future space missions with the necessary processing capabilities. However, such a system needs to cope with node failures. Our approach is to use a static reconfiguration graph that controls how software tasks are mapped to the processing nodes, and how this mapping should change in response to possible node failures. In this paper we present a model-based approach and a tool for automatic generation of reconfiguration graphs. Based on the software and hardware models, we traverse the graph of all possible failure situations. For every node of this graph we solve a combinatorial optimization problem of mapping tasks to processing nodes either with an SMT solver or using a genetic algorithm. The resulting reconfiguration graph can then be translated into the configuration files that are deployed on the target system, eliminating the need for tedious and error-prone manual configuration design.
View
... FreeRTOS is a light, open source real time operating system which has shown flight heritage in, among others, ESTCube [5], AAUSAT [6] and GOMX-1. FreeRTOS is developed for embedded applications and thus it has good support for various micro-controllers and an active community. ...
Software Development for Galassia CubeSat-Design, Implementation and In-Orbit Validation
Conference Paper
Full-text available
  • Jun 2017
Galassia is the first CubeSat developed by National University of Singapore and it was launched successfully into an orbit of 550 km altitude and 15 degrees inclination. It is the first time our scrupulously designed and developed flight software and the GUI-based ground mission control software are put into test and operation. The launch and early operations of the Galassia CubeSat have established that the flight software and ground mission control software serve their functions for the CubeSat. In this paper, the software development for the Galassia project will be outlined and elaborated. Particular highlights will be provided to elaborate on the architectures of the flight and the ground software which were designed to ensure robustness and ease-of-use respectively. These design considerations have shown to be very useful and important during the operation of the CubeSat since its launch on 16 th Dec, 2015. This paper will provide details on the implementations that exemplify these philosophies. In addition, the considerations of the testing procedure adopted for the flight software is also outlined and the limitations discussed. Moreover, the operation of Galassia provided some validations and insights for improvement for our software design, which are also shared. This paper aims to provide the salient lessons learnt in designing mission-critical flight software and intuitive ground mission control software for a successful university CubeSat project.
View
View
View
Can Communities Produce Complex Technology? Looking Into Space for Insight
Article
Full-text available
  • Sep 2021
This article examines a community producing complex space technology. We attempt to highlight which aspects of the community’s activities can help democratize high-tech development while providing a context for similar cases involved in developing and manufacturing nonhigh-technological artefacts. We discuss how this has been made possible by using a technology-determined organizational approach based on the CubeSat open platform infrastructure, blending formal and hands-on education, open communication, specific recruitment and working practices, and a genuine passion for technology. We identify as critical enablers for community-based collaborative development of space technology the open-source architecture standard called CubeSat Design Specifications, the modularization of work in subsystems and between different organizations, and the open and participatory approach work tasks distribution and decision making. Moreover, we argue that the digital/informational aspect of this technology allows the community to implement organizational practices that resemble how open-source movements over the internet produce complex digital artefacts like Wikipedia or Linux. ESTCube can shed light on community-driven complex technology development, providing lessons on what a democratized version of high technology would resemble and how open and digitalized technology can help develop the capacities of a community.
View
View
View
Design and pre-flight testing of the electrical power system for the ESTCube-1 nanosatellite
Article
Full-text available
  • Jan 2014
  • P EST ACAD SCI
This work describes the final design and implementation of the electrical power system for ESTCube-1, a 1-unit CubeSat tasked with testing the electrostatic tether concept and associated technologies for the electric solar wind sail in polar low Earth orbit. The mission required an efficient and reliable power system to be designed that could efficiently handle highly variable power requirements and protect the satellite from damage caused by malfunctions in its individual subsystems, while using only commercial-off-the-shelf components. The system was developed from scratch and includes a novel redundant stand-alone nearly 90% efficient maximum power point tracking system, based on a commercially available integrated circuit, a lithium-ion battery based fault-tolerant power storage solution, a highly controllable and monitorable power distribution system, capable of sustaining loads of up to 10 W, and an AVR microcontroller based control solution, heavily utilizing non-volatile ferroelectric random access memories. The electrical power system was finalized in January 2013 and was launched into orbit on 7th of May, 2013. In this paper, we describe the requirements for the subsystem, the design of the subsystem, pre-flight testing, and flight qualification.
View
SSC10-II-4 The Radio Aurora Explorer – A Bistatic Radar Mission to Measure Space Weather Phenomenon
Article
Full-text available
In this paper, we describe the Radio Aurora Explorer (RAX) and its space weather mission. RAX is a satellite mission funded by the National Science Foundation (NSF) to study space weather, and is a joint effort between SRI International and the University of Michigan and. The primary mission objective is to study plasma instabilities that lead to magnetic field-aligned irregularities (FAI) of electron density in the lower polar thermosphere (80-300 km). These irregularities are known to disrupt communication and navigation signals. The RAX mission will use a network of existing ground radars that will scatter signals off the FAI to be measured by a receiver on the RAX spacecraft. The satellite is a 3kg Cubesat with a scheduled launch date of May 28, 2010. RAX is the first of the NSF-sponsored satellites to be manifested for a launch and represents a path forging activity for similar science missions conducted on nanosatellite vehicles.
View
Attitude determination and control for centrifugal tether deployment on the ESTCube-1 nanosatellite
Article
Full-text available
  • May 2014
  • P EST ACAD SCI
This paper presents the design, development, and pre-launch characterization of the ESTCube-1 Attitude Determination and Control System (ADCS). The design driver for the ADCS has been the mission requirement to spin up the satellite to 360 deg × s–1 with controlled orientation of the spin axis and to acquire the angular velocity and the attitude during the scientific experiment. ESTCube-1 is a one-unit CubeSat launched on 7 May 2013, 2:06 UTC on board the Vega VV02 rocket. Its primary mission is to measure the Coulomb drag force exerted by a natural plasma stream on a charged tether and, therefore, to perform the basic proof of concept measurement and technology demonstration of electric solar wind sail technology. The attitude determination system uses three-axis magnetometers, three-axis gyroscopic sensors, and two-axis Sun sensors, a Sun sensor on each side of the satellite. While commercial off-the-shelf components are used for magnetometers and gyroscopic sensors, Sun sensors are custombuilt based on analogue one-dimensional position sensitive detectors. The attitude of the satellite is estimated on board using an Unscented Kalman Filter. An ARM 32-bit processor is used for ADCS calculations. Three electromagnetic coils are used for attitude control. The system is characterized through tests and simulations. Results include mass and power budgets, estimated uncertainties as well as attitude determination and control performance. The system fulfils all mission requirements.
View
ESTCube-1 nanosatellite for electric solar wind sail in-orbit technology demonstration
Article
Full-text available
  • May 2014
  • P EST ACAD SCI
This paper presents the mission analysis, requirements, system design, system level test results, as well as mass and power budgets of a 1-unit CubeSat ESTCube-1 built to perform the first in-orbit demonstration of electric solar wind sail (E-sail) technology. The E-sail is a propellantless propulsion system concept that uses thin charged electrostatic tethers for turning the momentum flux of a natural plasma stream, such as the solar wind, into spacecraft propulsion. ESTCube-1 will deploy and charge a 10 m long tether and measure changes in the satellite spin rate. These changes result from the Coulomb drag interaction with the ionospheric plasma that is moving with respect to the satellite due to the orbital motion of the satellite. The following subsystems have been developed to perform and to support the E-sail experiment: a tether deployment subsystem based on a piezoelectric motor; an attitude determination and control subsystem to provide the centrifugal force for tether deployment, which uses electromagnetic coils to spin up the satellite to one revolution per second with controlled spin axis alignment; an imaging subsystem to verify tether deployment, which is based on a 640 x 480 pixel resolution digital image sensor; an electron gun to keep the tether at a high positive potential; a high voltage source to charge the tether; a command and data handling subsystem; and an electrical power subsystem with high levels of redundancy and fault tolerance to mitigate the risk of mission failure.
View
High spin rate magnetic controller for nanosatellites
Article
Full-text available
  • Mar 2014
  • ACTA ASTRONAUT
This paper presents a study of a high rate closed-loop spin controller that uses only electromagnetic coils as actuators. The controller is able to perform spin rate control and simultaneously align the spin axis with the Earth's inertial reference frame. It is implemented, optimised and simulated for a 1-unit CubeSat ESTCube-1 to fulfil its mission requirements: spin the satellite up to 360 deg s−1 around the z-axis and align its spin axis with the Earth's polar axis with a pointing error of less than 3°. The attitude of the satellite is determined using a magnetic field vector, a Sun vector and angular velocity. It is estimated using an Unscented Kalman Filter and controlled using three electromagnetic coils. The algorithm is tested in a simulation environment that includes models of space environment and environmental disturbances, sensor and actuator emulation, attitude estimation, and a model to simulate the time delay caused by on-board calculations. In addition to the normal operation mode, analyses of reduced satellite functionality are performed: significant errors of attitude estimation due to non-operational Sun sensors; and limited actuator functionality due to two non-operational coils. A hardware-in-the-loop test is also performed to verify on-board software.
View
View
Electric solar wind sail: toward test missions
Article
  • Nov 2010
The electric solar wind sail (E-sail) is a space propulsion concept that uses the natural solar wind dynamic pressure for producing spacecraft thrust. In its baseline form, the E-sail consists of a number of long, thin, conducting, and centrifugally stretched tethers, which are kept in a high positive potential by an onboard electron gun. The concept gains its efficiency from the fact that the effective sail area, i.e., the potential structure of the tethers, can be millions of times larger than the physical area of the thin tethers wires, which offsets the fact that the dynamic pressure of the solar wind is very weak. Indeed, according to the most recent published estimates, an E-sail of 1 N thrust and 100 kg mass could be built in the rather near future, providing a revolutionary level of propulsive performance (specific acceleration) for travel in the solar system. Here we give a review of the ongoing technical development work of the E-sail, covering tether construction, overall mechanical design alternatives, guidance and navigation strategies, and dynamical and orbital simulations.
View
A decentralized design philosophy for satellites
Conference Paper
  • Jun 2011
For the last decade development and construction of student cubesat satellites has played an important part in the engineering Master Program within Electrical Engineering and Information Technology at Aalborg University, Denmark. As a result three cubesats AAU CUBESAT, AAUSAT-II and AAUSAT3 has been constructed and launched (AAUSAT3 will launch Q3 2011). This paper focuses on distributed system approach for internal as well as ground link structure.
View
An overview of radiation effects on electronics in the space telecommunications environment
Article
  • Jan 2000
  • MICROELECTRON RELIAB
Trapped protons and electrons in the Earth’s radiation belts and cosmic rays present significant challenges for electronics that must operate reliably in the natural space environment. Single event effects (SEE) can lead to sudden device or system failure, and total dose effects can reduce the lifetime of a space-based telecommunications system. One of the greatest sources of uncertainty in developing radiation requirements for a space system is accounting for the small but finite probability that the system will be exposed to a massive solar particle event. Once specifications are decided, standard laboratory tests are available to predict the total dose response of MOS and bipolar components in space, but SEE testing of components can be more challenging. Prospects are discussed for device modeling, and for the use of commercial electronics in space. In addition, technology trends are discussed for the radiation response of microelectronics in space.
View
Nano-Satellites for Micro-Technology Pre-Qualification: The Delfi Program of Delft University of Technology
Article
  • Jan 2008
The Delfi program run at Delft University of Technology has the objective to provide a means of fast and affordable pre-qualification of new (micro-)technology in space. A second objective is to offer to MSc students the possibility to graduate on real hardware and software development for space missions. The first satellite in this program is Delfi-C 3 , a 3 kg CubeSat, which flies a new type of Thin Film Solar Cells, two Autonomous Wireless Sun Sensors and a miniaturized UHF-VHF transponder. Next in the series will be a Delfi-C 3 successor, on which a more efficient power subsystem and a high effi-ciency Advanced Transceiver will be flown. Further missions are considered which will fly micro-technology now under development in the MISAT research program. The paper describes the Delfi-C 3 mission and satellite with its payload. Emphasis is given to technical solutions and the way the project is implemented in the university's educa-tional program. An overview is given of the current status of the project and plans for the future development of Delfi missions are outlined.
View