# Space qualified computer server developed for long life microsatellite applications

Vicente-Vivas E.<sup>1</sup>, Mendieta J.F.J.<sup>2</sup>, Calvillo T.A.<sup>3</sup>, Tapia R.M.<sup>4</sup>

<sup>1</sup> Instituto de Ingeniería, UNAM, DF, México, evv@servidor.unam.mx

<sup>2</sup> CICESE, Ensenada BC., México, jmendiet@cicese.mx

<sup>3</sup> CITEDI, IPN, Tijuana BC., México, calvillo@citedi.mx

<sup>4</sup> CIMAT, Gto., Gto., México, max@fractal.cimat.mx

Abstract. Several research institutions from all over the country work together in the development of a 55 Kg low earth orbit (LEO) microsatellite aiming the development of in house technology in the space field, [1]. As known LEO operation implies a dephased orbital dynamics among satellite and our planet, achieving time limited communications either to download telemetry or to upload command and/or vehicle missions. By these reasons long life space computer architectures constitutes an important research field oriented to preserve communications among satellite and its control earth station (ES). Under this scenario few years of Mexican research efforts have been dedicated towards the development of a reconfigurable space qualified computer server (SQCS) which integrates cold spare redundancies in critical points of the architecture. This paper shows the SQCS hardware architecture specially developed for the Mexican Satex microsatellite and underlines the integrated features in the hardware to withstand the harsh space environment.

Keywords: Reconfigurable computers, computer architecture, flight computers and microsatellites.

Resumen. Varias instituciones de investigación Mexicanas colaboran en el desarrollo de un microsatélite de 55 Kgs, de órbita baja, con el objetivo de desarrollar tecnología nacional en el campo espacial, [1]. El desplazamiento de órbita baja conlleva un defasamiento entre la dinámica de nuestro planeta y la del satélite, lo cual implica restricciones en las comunicaciones ya sea para bajar telemetría, o bien, para enviar comandos o misiones al satélite. Por tales razones el tema de arquitecturas de cómputo espacial de larga vida constituye un importante campo de investigación que persigue preservar o mejorar las comunicaciones satélite-estación terrena. Ante este escenario, se han dedicado varios años de investigación en México para desarrollar un servidor de cómputo reconfigurable y de calificación espacial (SCCE) que cuenta con redundancias de refacción en frío en puntos críticos de su arquitectura. Este trabajo describe la arquitectura del SCCE que fue diseñada especialmente para el microsatélite Mexicano Satex; de igual forma detalla sus características de hardware que le permiten operar en el medio espacial que se caracteriza por ser un ambiente altamente agresivo para equipos electrónicos.

Palabras llave: Computadoras reconfigurables, arquitectura de computadoras, computadoras de vuelo y microsatélites.

#### 1 Introduction

Electronic equipment developed for space applications needs to accomplish a set of fundamental requirements in order to withstand the harsh space environment in terms of vibration during the launching phase as well as in terms of radiation, extreme temperatures, and vacuum during orbital operation. For this purpose space projects have employed approaches both for failure avoidance as well as for fault tolerance. [2]. The former includes the selection of qualified components, enforcing design rules and the periodical review of designs. The last handle hardware failures and software errors when they occur, through the help of redundant hardware, plus fault diagnosis, fault detection and reconfiguration techniques, [3].

Electronic equipment for space applications, and specially those projected for small space vehicles have strong limitations in terms of weight, volume, and electrical power. However, the small satellite field is also characterized by the adoption of "faster, cheaper and probably better" approaches to easy the access to space. In this sense the use of commercial-off-the-shelf (COTS) components is becoming a common practice, [4], which in turn has enabled the launching of state-of-the-art electronics into LEO orbits. This picture is represented by the successful missions developed by the University of Surrey, UK, a worldwide recognized institution both in the small satellite field as well as in the use of COTS components in space platforms, [5].

In addition, as the budget for worldwide space projects is clearly diminishing some important space institutions, such as the Jet Propulsion Laboratory from NASA have started research efforts towards reusable avionics computer architectures to be used in multiple missions, aiming to reduce the development and production costs of flight projects [6].

On the other hand, the Satex Mexican project, figure 1.a, aims the integration of microsatellite generic subsystems, figure 1.b, with capabilities to adapt them to future missions. In this sense the project demanded the development of a redundant and reusable flight computer with capabilities to apply maintenance to it after the detection of failures. It is important to highlight that all over the world very few microsatellite missions make use of redundant flight computers [7] and [8]. In other words, must of them employ centralized computer architectures to automate operations and payloads [9] and [10].

Details about Satex microsatellite subsystems, figure 1.b, are given in [1]. The project contains five payloads, few of them with dedicated control requirements. This goal demanded the development of a satellite distributed control system where satellite operations are governed by the flight computer and some payloads contain a dedicated microcomputer for dedicated control purposes. In addition communications inside the vehicle are accomplished by a fault tolerant redundant local area network (FTRLAN) that achieves safe communications through real time accomplishment of fault diagnosis, fault detection and fault reconfiguration processes, [11].



Fig. 1. (a) Satex Microsatellite project. (b) Subsystems already available for the Mexican Microsatellite.

The operations delegated to the SQCS were the followings:

- Starting operations for the satellite after liberation in space.
- Telemetry acquisition and telemetry packaging.
- Communications with the Earth Station.
- Computer server functions among satellite and ES.
- Communications with payload microcomputers.
- First stabilization stage to allow gravity gradient deployment.
- Second stabilization stage to allow payload pointing to Earth.

As seen from the previous list the SQCS represents a single point of failure whose malfunction leads to a failure of the whole satellite system. To overcome this harmful effect a reconfigurable SQCS architecture was proposed, [12], and developed. The design integrates up to three single board microcomputers (SBM) each one with enough hardware capabilities to fulfil the satellite instrumentation requirements. SBM full characteristics are given in a later paragraph.

In order to generate a cost effective design it was proposed for the architecture to use three SBM with identical printed circuit boards (PCB). This lead to the design of a single PCB which employs jumpers to program the SBM identity as well as to provide separate energization paths for three different processor configurations (main, first backup and second backup).

The SQCS architecture also demanded the design of a compact digital switching unit to cross strap any one of the SBM to the satellite instrumentation. Besides, quad digital switches were employed to provide energization for every SBM. By these means SQCS reconfiguration (maintenance) can be commanded from external sources, in this case from any microcomputer payload controlled either in automated fashion or remotely operated from the ES. This topology also allowed the definition of fault containment regions in the SQCS architecture, composed by every SBM to avoid damage propagation when failures take place. In [13] full details are given about SQCS evaluation.

In addition, the following interface requirements were settled for the SQCS:

- A multiplexing, conditioning and filtering module (MCFM) to allow the acquisition of up to 48 signals from satellite sensors (fine sun sensors, magnetometers, current, voltage, light presence, etcetera).
- Electronics for both main and redundant LANs.
- Connectors to interface the SQCS I/O signals to the satellite instrumentation as well as the required line drivers for signal coupling.



Fig. 2. Flight computer architecture developed for Satex microsatellite.

The hardware architecture developed for the Satex mission's computer server is shown in figure 2. As can be seen the microsatellite contains five payloads, they will treated with details in other publications.

# 2 Single Board Microcomputers

In order to increase satellite availability the SQCS architecture was conceived and developed to admit automatic maintenance through SBM reconfiguration facilities. However strong limitations in weight, volume and available power forced the automatic maintenance process to take advantage of onboard microcomputers to implant an N modular redundancy computer architecture. This architecture along with utilized schemes for fault diagnosis, fault detection and automatic maintenance are described in [3].

By these reasons the SQCS can be assembled with up to three SBM, each one, figure 3.a, capable of being activated through digital signals coming from an external source.



Fig. 3. (a) SBM designed and fabricated for the space qualified computer server. (b) Computer server boards attached to aluminium containers.

Under this scope, one SBM is activated at a time and remaining SBMs comprise cold standby spares that can be employed when failures are detected at main SBM. The exposed scheme enhances the relation among availability and redundancies projecting a computer with power consumption demands very likely to that of a simplex system. Each SBM contains:

- A 40 Mhz 16 bit RISC microcontroller (RISCM) from Siemens with 76 I/O lines. 16-priority-level interrupt controller, ten-channel 10-bit A/D converter, seven 16bit timers and a programmable watchdog timer.
- 64 Kb PROM containing the basic satellite software,
- 1.2 Mb SRAM for data management, for upgraded software uploading, as well as for image storage,
- EDAC protection for whole static RAM in order to prevent single-event-upsets.
- 1.2 Mb SRAM for EDAC syndrome storage,
- Three serial channels, one assigned for communications with ES and the two other for FTRLAN operation,
- Local temperature sensor with associated conditioning electronics,
- Lateral connectors that allow the interconnection of up to three identical SBM in a piggyback manner, each one rotated 180 degrees against each other. In this case every SBM is jumper programmed for identification purposes as well as to provide independent activation.

With the purpose of saving weight and space in the SQCS the PCBs were designed to hold electronic components on both of its faces. This was achieved with the use of surface mount technology for both active and passive electronic parts, and avoiding the use of electrolytic capacitors which are not recommended for use in space.

The replacement of SBMs offers redundancy support for the RISCM and its external peripherals, such as: program memory, data memory, I/O lines, A/D converter, network ports, timers, interrupt controller, oscillator, etc. In addition the basic satellite software stored in PROM is also replaced whenever a SBM reconfiguration takes place. In this way, the substitution of SBMs allows the extension of life for the flight computer and consequently the satellite availability as well as its useful life when permanent faults occur.

## 3 Fault protections for single board microcomputers

The semiconductor chips from microsatellites are exposed to space radiation, whose effects are usually a function of the total radiation dose seen by each component. The radiation is originated by anyone of the following phenomena:

- Particles associated with magnetic planetary fields, as in the case of Van Allen rings that affect satellites orbiting the Earth.
- Cosmic rays from deep space, such as Gamma rays, X rays, etc.,
- High energy protons generated during solar explosions.

Charged particles can pass through the electronic devices and generate a cloud of electrical charge. This charge can induce single-event-upsets (SEU) that may generate serious consequences to the integrated circuit, i.e., the lost of stored bits from important software variables. The permanent exposition to radiation generates charge accumulation, which modify the semiconductors properties, i.e., transistor beta goes down, threshold voltages change, leakage currents increase, and so on. This means that digital logic slows down, operational amplifiers offset voltages change, power dissipation goes up, etc. The undesirable effect of radiation is measured in rads; in general, a rad is the quantity of any type of ionizing radiation that adds 100 ergs from energy to a gram of material, [14]. Some times SEUs will be followed by a phenomenon called latch-up characterized by very large currents flowing in the device. The large currents will usually destroy the electronic part within a few tens of milliseconds. Although SEU events can occur in various integrated circuits technologies, such as CMOS and TTL bipolar devices, latch-up phenomenon has almost exclusively been observed in CMOS, [15] and [16].

#### 4 Protections against SEU events

SRAM from SQCS will always be exposed to radiation and consequently will present random data errors, in average 1 every 15 hours according with experimental data reported by [20] and [17] when using COTS memory with EDAC protection. In addition published reports show that errors are more often generated in the South America area where relatively much radiation was indirectly detected, [18].

To counteract error generation in memories each SBM integrates a 100 pins military qualified 16-bit flow-trough EDAC device placed between the microcontroller and SRAM memory. The 29C516E EDAC allows the monitoring and correction of erroneous data values coming from data memory. It detects and corrects 100% of all single-bit errors and detects all double bit-errors. However, EDAC utilization introduces a penalty because additional syndrome SRAM has to be included of the same capacity as that from the memory to be protected. In our case 1.2 Mb of SRAM were added for this purpose.

In addition, dedicated software is required for "memory wash" purposes which takes place every ten minutes when the satellite is operative. In this way when single errors are detected and corrected an interrupt request is sent to the RISCM in order to asses the number of errors. This information is attached to telemetry to notify the ES personnel about the operative state of memory. Besides, when multiple errors are detected the hardware automatically forces the SQCS to be temporally switched off taking into consideration that software status can be seriously damaged. In addition as it is considered that multiple errors might be related with the start of a latch-up phenomenon, the only safe process to overcome a latch-up event is to remove energy from the affected component [14], however for safety reasons the whole SQCS is switched off.

### 5 Latch-up protection

The integrated circuits employed at every SBM, excluding the RISCM, are all military qualified components (MQC) according with MIL-STD-883. The MOCs contain electronic protection to avoid the latch-up phenomenon. However COTS parts as the RISCM are not latch-up free. To overcome this risk two different types of protections were implemented. The first one consists of an EDAC based latch-up protection for SBMs, which was described in above paragraph. The second one is a dedicated protection for the RISCM integrated at each SBM. This is a sensor that permanently measures the microcontroller current looking for measurements whose value falls above from the nominal current driven by the microcontroller. When this event is logged an electrical pulse of 16 seconds is generated to automatically interrupt power application to the whole SQCS. After the programmed time gets over energy is applied again to the SQCS. However if the latch-up process resumes its operation the sensor protection works in iterative fashion.

#### 6 Other protections

In addition, COTS critical components from SQCS will be protected for space flight with thin sheet shields either from Tungsten or Tantalum, as recommended by [19] and [15] preventing charged particles from interacting with those devices [4].



Fig. 4. (a) Computer server boards under laboratory testing. (b) Space qualified computer server developed for Satex microsatellite.

# 7 Computer server validation

The space qualified computer server was integrated and validated in several working stages. At the beginning operative validation was performed at board level. This process took to the installation of every single board in to space qualified aluminium containers built at university workshops, figure 3.b. Afterwards the validation among adjacent boards took place, figure 4.a. Finally the computer server, figure 4.b and figure 5, was validated and evaluated with the help of special tools developed for the project as described in [13].

## **8 Concluding Remarks**

The space qualified architecture for a computer server specially developed for the Satex microsatellite has been depicted. The architecture takes in to account the strong limitations associated with small space vehicles in terms of weight, volume and available power. It also considers electronic and physical protections to cope the harsh environment expected at altitudes of 800 Km, in particular that related with the effects of radiation in electronic parts.

The SQCS consists of a maximum of three single board microcomputers (main and cold spares), each one with enough resources to fully control the satellite operations. In addition three separate boards contain an electronic switching unit that allows any one of the SBM to be energized and connected to the satellite instrumentation; a multiplexing and conditioning unit to read up to 48 electronic signals from satellite sensors; hardware for a redundant LAN employed to interconnect the satellite microcomputers; as well as protection against SEUs and latch-up phenomenon.

The flight model for the SQCS has been fully tested. Details about this as well as information related with the special tools developed in the project for testing purposes can be found in [13].



Fig. 5. Space qualified server under validation with the help of special tools developed for the project.

#### 9 Acknowledgements

The authors would like to acknowledge to federal agencies from México, TELECOM and COFETEL who supported the work described in this paper. Besides, acknowledges are given to the Mexican Research Institutions which collaborate in the development of this project, in alphabetic order: CICESE, CIMAT, CITEDI, INAOE, IPN and UNAM.

#### References

- 1. Vicente-Vivas E., Roch-Soto J. y Mendieta-Jiménez J., "La convergencia de un Proyecto multi-institucional para el desarrollo de un microsatélite con tecnología Mexicana", Revista INGENIERÍA Investigación y Tecnología, ISSN 1405-7743, pp. 157-168, Vol. III No. 4 octubre-diciembre 2002.
- 2. Johnson B. W., "Design and Analysis of Fault Tolerant Systems, Addison Wesley, 1989.
- 3. Vicente Vivas Esaú, "Arquitectura de Cómputo Semivirtual Tolerante a Fallas con Capacidad de Mantenimiento Automático Aplicada a un Microsatélite de Órbita Baja", Tesis Doctoral en Ingeniería Eléctrica, DEPFI, UNAM, 21 de Mayo de 2004, México, DF.
- 4. AstroExpo.com e-newsletter, "COTS in space, Space Electronics and Processors", March 2004, <a href="http://www.astroexpo.com/news/articlesdetail.asp?ID=233">http://www.astroexpo.com/news/articlesdetail.asp?ID=233</a>.
- 5. Day M., "30 Years of Commercial Components In Space: Selection Techniques Without Formal Qualification, 13<sup>th</sup> Annual AIAA/USU Conference on Small Satellites, Utah, USA, 1999.

- Chau S., K. Reh, B. Cox NASA/JPL, J. Barfield, W. Lockhart, M. 6. McLelland - SouthWest Research Inst. "A Multi-Mission Space Avionics Architecture", AstroExpo.com e-newsletter, March, 2004, http://www. astroexpo.com/reference/techpapersdetail.asp?ID=229.
- Frank Sperber, "Amsat-Phase 3-D a 400 Kgs International Communication 7. and Experimental Satellite in a High-Elliptical Orbit", 3<sup>rd</sup> Intl Symposium on Small Satellite Systems and Services, Annecy, France, 1996.
- Allery M., Sweeting M., and Ward J., "University of Surrey Small Satellite 8. Systems: In orbit capabilities and development programme", 1997.
- Robert Zee y Peter Stibrany, "Canada's First Microsatellite An Enabling 9. Low- Cost Technology for Future Space Science and Technology Missions", 11th CASI Conference on Astronautics, November, 2000.
- Christopher Kitts, et al., "Experiments in Distributed Microsatellite Space 10. Systems", Proceedings of AIAAA Space Technology Conference and Exhibit, Albuquerque, NM, USA, Sept., 1999.
- Vicente Vivas Esaú, "Red de Área Local Tolerante a Fallas Aplicada a 11. Sistemas de Tiempo Real con Altos Requisitos de Confiabilidad", Revista Científica de la ESIME, Num.15, pp. 13-24, Mayo-Junio de 1999.
- Vicente Vivas E. et al., "Fault-Detection and Reconfiguration Capabilities 12. Distributed Computer Architecture on board the Satex Microsatellite", Revista: Seminars of the United Nations Programme on Space Applications, Selected papers on Space Education, Remote Sensing and Small satellites, No.8, pp. 176-182, United Nations, Vienna, 1997.
- Vicente Vivas Esaú et all., "Evaluation of a Space Qualified Long Life Flight 13 Computer Server", 5th International Conference on Control, Virtual Instrumentation, and Digital Systems CICINDI 2004, México, DF, September 2004.
- Vincent L. Pisacane and Robert C. Moore, The Johns Hopkins University 14. Applied Physics Laboratory, "Fundamentals of Space Systems", Oxford University Press, 1994.
- Dino B. Milanil, John Pokoski, "Design of a Low-Cost Single Board 15. Computer System for use in Low-Earth Orbit Small Satellite Missions", Proceedings 11 AAIA/USU Small Satellite Conference, Utah, August 1997.
- Ash M., and Messenger G., "The effects of radiation on electronic systems", 16. Van Nostrand Reinhold, 1992.
- Laurence J.F., et all., "A General-Purpose MIL-STD-1750A Spacecraft 17. Computer System", American Institute of Aeronautics and Astronautics,
- Impyeong Lee et al., "Experimental Multimission Microsatellites-Kitsat 18. Series", Proceedings of 6th Annual USU/AIAA Conference on Small Satellites, Logan, Utah, September, 1992.
- Winokur P.S., Fleetwood D.M., and Sexton F.W., "Radiation-Hardened 19. Microelectronics for Space Applications", Radiation Phys. Chem. Vol 43., No. 1/2., 1994, Great Britain.
- Shaneyfelt M.R., Winokur P.S., Sexton F.W., Roeske S.B. and Knoll M.G., 20. Hardness Variability in Commercial Technologies", IEEE Transactions on Nuclear Science, Vol. 41, No. 6, December 1994.

