

    While lowering the TID exposure of electronics is fairly straightforward, there are other radiation-induced effects that are not as easily mitigated, especially with COTS components. Single Event Effects (SEE) occur when a high-energy particle strikes the active area of an integrated circuit, causing changes to the behavior of the electronic system or even permanent damage if not properly treated. For orbits where higher amounts of shielding are required, these effects pose an even bigger threat: the production of secondary particles [11] when high-energy particles collide with the atoms in the shield can increase the rate of SEE compared to not shielding the electronics at all. The only method for preventing failures caused by SEE is to implement proper design techniques to guard against them. The FDIR techniques presented in this paper are specifically aimed at presenting an approach to designing electronic systems that are tolerant to most SEE effects caused by radiation. The following SEE effects were specifically considered [12]:

    The prevalence of SEE effects also depends on the individual orbit, as can be seen in Fig. 4. Additionally, the sensitivity of individual components to SEE is heavily influenced by their design and the process used in their fabrication. For example, the sensitivity to a SEL event can range from LET values below 1 MeV·cm²·mg⁻¹ [13] to above 50 MeV·cm²·mg⁻¹ [14]. As such, each component used must be individually assessed for its SEE susceptibility in a given orbit.
    Hierarchical fault-tolerance

    Over the last couple of years, there have been a couple of proposals for using nanosatellites in orbits higher than LEO. What is usually missing, or not yet fully defined because the proposals deal with other issues such as communication and propulsion, is how such a nanosatellite would cope with the increased levels of radiation. For example, [15] presents an interplanetary nanosatellite concept for space weather monitoring, but the radiation tolerance and FDIR techniques presented are limited to shielding and watchdog timers. Similarly, [16] shows how nanosatellites could be used for various interplanetary missions and even presents some techniques for achieving reliable operation, most notably the use of SEL-immune parts, periodic resets, and robust software design techniques. Though the use of SEL-immune parts would mitigate most of the radiation-induced issues that might occur on such a satellite, they can be difficult to procure for most nanosatellite teams due to cost constraints and various international trade restrictions.

    A hierarchical approach to the FDIR policy was chosen in order to make the FDIR process more transparent and to decouple the design of the FDIR policy from other design requirements. The policy was split into two levels, similar to the method presented in [17], where one FDIR level, the vital layer, is responsible for enforcing the minimum required safety procedures, preventing permanent damage to the satellite and preventing it from becoming unresponsive. This level, which we named the Low-level FDIR, is primarily tasked with protecting the system from SEL events and with restarting those parts that fail in an unrecoverable way due to other SEE events. The other level, the nominal layer as presented in [17], is tasked with maximizing the performance and uptime of the system in the presence of other errors. This level, which we call the High-level FDIR policy, is tasked with mitigating those errors that occur due to SEE events and can be recovered from without affecting the operation of the satellite (Fig. 5).

    The exact scopes of both FDIR levels are determined by relying on the definition of functionality levels, as presented in [18], where three levels of functionality are defined: always-on functionality, mission-critical functionality, and non-critical functionality. The low-level FDIR policy is in charge of protecting the functionalities of all three categories, while the high-level FDIR policy is only responsible for the protection of certain parts of mission-critical functionalities and all non-critical functionalities. To illustrate how functionality can be grouped into the three defined categories: