#### 18 Years of Flight Experience with the UoSAT Microsatellites

### Craig I. Underwood The Surrey Space Centre, University of Surrey, Guildford, Surrey, GU7 5XH, U.K. Tel. +44 1483 879809 Fax. +44 1483 876021 c.underwood@ee.surrey.ac.uk

# ABSTRACT

Over the past 18 years the University of Surrey has gained significant experience of the behaviour of commercial-offthe-shelf (COTS) technologies in space, through the design, manufacture and operation of fifteen low-Earth orbiting satellites carrying out communications, remote-sensing, space-science, military, and technology demonstration missions.

Several of these spacecraft have carried radiation monitoring payloads which have enabled the behaviour of the COTS devices to be characterised with respect to the measured ionising radiation environment.

This paper reports on the principal effects observed, and describes, in general, the various methodologies that have been used to minimise the risk associated with the use of COTS devices in these spacecraft. Resilient error-detection and correction coding schemes are shown to be important to protect spacecraft data and control software, as is the need for adequate levels of shielding against total ionising radiation dose.

#### **1. INTRODUCTION**

In 1981, NASA launched the UK's first non-governmental satellite, *UoSAT-OSCAR-9* (*UoSAT-1*). This satellite, designed and built by the University of Surrey over an 18 month period, continued to operate for over 8 years until its re-entry in 1989. In 1984, a second Surrey satellite: *UoSAT-OSCAR-11* (*UoSAT-2*) was designed, built and launched within six-months. This satellite continues to operate to this day.

These 50 kg satellites pioneered a new era of low-cost (circa  $\pounds 1M$ ) "micro-satellite" designs, which are characterised by the extensive use of state-of-the-art commercial-off-the-shelf (COTS) micro-electronics to achieve complex functionality within very tight volume, mass and financial constraints.

The success of these early missions lead to the formation of a commercial company - Surrey Satellite Technology Ltd. (SSTL) - to develop and market the University's space technology research. SSTL has gone on to produce a steady stream of increasingly sophisticated micro-satellites for customers world-wide: *UoSAT-3* and *UoSAT-4* (UK, 1990); *UoSAT-5* (UK, 1991); *S80/T* and *KITSAT-1* (France, Korea, 1992); *PoSAT-1*, *KITSAT-2*<sup>1</sup> and *HealthSAT-2* (Portugal, Korea, USA, 1993); *Cerise* and *FASat-Alfa* (France, Chile, 1995); *FASat-Bravo* and *Thai Phutt* (Chile, Thailand, 1998); *UoSAT-12*<sup>2</sup> and *Clemetine* (UK, France, 1999). Three other spacecraft are awaiting launch this year: *TiungSAT* (Malaysia), *PICOSAT* (USAF) and *SNAP-1*<sup>3</sup> (UK).





Figure 1: Typical SSTL Micro-Satellite Figure 2: SSTL Micro and Mini-Satellite Missions: 1981-1999 These satellites have achieved ever more complex mission objectives at very low cost by utilising the many benefits of COTS devices – e.g. their ready availability, high performance, low power and high packing density. The commercial

<sup>&</sup>lt;sup>1</sup> KITSAT-2 was built in Korea via a Technology Transfer Programme with SSTL.

<sup>&</sup>lt;sup>2</sup> UoSAT-12 is a 350kg mini-satellite carrying propulsion and high-resolution cameras for Earth observation.

<sup>&</sup>lt;sup>3</sup> SNAP-1 is a 7kg nano-satellite for remote inspection and formation flying demonstration.

and technical success of these missions is a testament to the fact that COTS devices can be used in the space environment provided that care is taken in their procurement, handling and testing, and ensuring that sufficient care is taken with the spacecraft systems design [1,2].

### 2. DESIGN PHILOSOPHY

The use of COTS technology plays an important (though not exclusive) role in achieving low cost spacecraft designs. How then do we deal with quality, risk and reliability issues given the inherent uncertainties of flying COTS technologies?

Exhaustive ground-testing of COTS devices for space programmes is impractical given that cost-reduction and short design-to-orbit times are major mission drivers. Thus, SSTL's general approach to minimising the risks associated with the use of COTS technologies in space is to rely more on sound design practices, experience and system-level testing, rather than on (expensive) programmes of testing individual devices. However, this does require that the design-engineers to have a good knowledge of the environment to which their systems will be subjected - and to use appropriate design techniques and margins.

Most of our missions accept a moderate level of risk, set by the customer's operational objectives and financial constraints. We tailor our design activities (including component and system reliability analysis) to provide the risk level accepted by the customer.

We aim for robust designs through the application of good engineering practices (such as minimising the use of moving parts, using passive thermal control techniques, and utilising near-omni directional antennas, etc.), sharpened by continuing peer review. We augment this approach with customised versions traditional quality assurance and product assurance methods, including systematic design reviews. However, we believe that the primary sources of quality are personal craftsmanship and responsibility.

Out of the sixteen satellites designed, built and operated to date, we have only had two complete mission failures: One (UoSAT-4) was (probably) due to out-gassing in or near a high Q-factor RF filter some 30 hours after launch; and the other (FASAT-Alfa) was due to the failure of the spacecraft to separate from the launch vehicle due to insufficient energy from the pyrotechnic bolt-cutters. In both cases, replacement spacecraft were rapidly constructed and launched successfully.

Recognising the risk inherent in the use of components which are not formally "space qualified", we use redundancy at many levels to reduce the risk of total mission failure. When adopting new technologies, we employ them alongside flight-proven technologies in order to reduce risk. Thus we build a "layered architecture", in which each successive layer relies on different systems comprising increasingly well-proven technologies. The top-layer systems use state-of-the-art high-performance device types - often without flight-heritage - but which give a high degree of functionality. Whereas the lower-layer systems use device-types which have been flown and tested in previous spacecraft, and which are able to carry out most of the same functions, albeit with a possible loss of performance. In this way, problems caused by an inherent system design fault, or by the failure of a particular device-type, are not duplicated in the different layers.

If the newer devices prove successful, then they are used in the following spacecraft, allowing the capabilities of the satellites to be enhanced generation-by-generation. For example, the older spacecraft used hard-wired logic in the lowest redundant layers, implemented using standard '54HC' and '4000' series CMOS logic gates, or custom-built application-specific integrated-circuits (ASICs). Whereas, the current spacecraft all make extensive use of COTS programmable-array logic (PAL) or field-programmable gate-arrays (FPGAs), and '74AC' series surface-mount devices which have been found to be reliable.

This principle is demonstrated in the use of increasingly sophisticated microprocessors on the spacecraft (see Table 1).

For example, the main on-board computer (OBC) for the current generation of SSTL's micro-satellites make use of the Intel 80C386EX microprocessor. This is backed up by two other microprocessor-based systems: an Intel 80C186-based OBC and an imaging payload which contains two T800/T805 Transputers. Any of these systems can take full control of the spacecraft if necessary via the common on-board data-handling bus. The 80C386EX is significantly more capable than the 80C186, which was used in the primary OBCs of previous satellites (*UoSAT-3* to *PoSAT-1*), and thus offers greater utility. However, if problems were to occur, we could always switch back to the tried-and-tested 80C186.

|             | General Purpose Processors |     |        |         |
|-------------|----------------------------|-----|--------|---------|
|             | 1802                       | Z80 | 80C186 | 80386EX |
| UoSAT-2     |                            |     |        |         |
| UoSAT-3     |                            |     |        |         |
| UoSAT-5     |                            |     |        |         |
| KITSAT-1    |                            |     |        |         |
| S80/T       |                            |     |        |         |
| PoSAT-1     |                            |     |        |         |
| HealthSat-2 |                            |     |        |         |
| Cerise      |                            |     |        |         |
| FASat-Alfa  |                            |     |        |         |
| FASat-Bravo |                            |     |        |         |
| Thai Phutt  |                            |     |        |         |

Table 1



Figure 3: Intel 80386EX-Based OBC and RAMDISK (Top Module Only)

Although we fly multiple on-board computers (OBCs) on our spacecraft, we do not rely on them for the successful operation of the spacecraft. Instead, the provision of multiple processors and complex software is used to supply enhanced functionality. The OBCs also act as an intelligent "operator in the sky" giving rise to a great degree of operational autonomy. The high degree of on-board autonomy is matched in the groundstation, allowing multiple satellites to be routinely operated with minimal human intervention - and with all the cost savings that implies.

The OBCs have all been designed to enable new software (written in "C") to be uploaded to them whilst in orbit. Software developed after launch can be up-loaded via a simple "boot-loader" program permanently installed in UV-EPROMs. Thus, flight-software can be continuously upgraded throughout the mission. A fully protected-mode operating system called QNX runs on 80C386-based OBCs which allows new programs to be loaded and executed without necessarily disturbing the running of other software. In the event of a complete system crash, the spacecraft are designed to continue to operate without coming to harm whilst software is reloaded.

This software flexibility has proven its utility in allowing the spacecraft system configuration to be changed in order to cope with device failures. For example, shortly after launch, UoSAT-2's hard-wired logic telecommand system ceased to function properly due to a lower than expected system temperature. However, we were able to successfully by-pass this low-level system by up-loading a small program to one of the higher-layer experimental computer systems (the NSC-800-based Digital Communications Experiment). This enabled full command and control to be maintained. In another example, after some eight years of continuous operation in orbit, an analogue-to-digital converter (ADC) located in the UoSAT-2 navigation magnetometer failed due total dose damage. We were able to overcome this failure by reprogramming the OBC to read the magnetometer data via an ADC in the spacecraft's telemetry system instead. This enabled full attitude determination and control to be maintained.

These examples show the utility of both the layered system approach and the flexible software approach, and illustrate the need to consider the effect of the environment very carefully when using COTS devices in space.

# **3. ENVIRONMENTAL EFFECTS**

The space environment can be particularly damaging to COTS devices. Once in orbit, the devices will experience highvacuum conditions, with the possibility of extreme hot or cold temperature conditions, and relatively high levels of ionising radiation. The spacecraft designer must be aware of the potential effects of all of these, and design accordingly.

COTS parts may contain plastic materials which preclude their use in space, or require that they are further encapsulated. In our experience, the plastics used to encapsulate integrated circuits have proved sufficiently stable under vacuum not to give rise to any problems. However, prior to flight, care must be taken to store these parts under controlled temperature and humidity conditions in order to prevent the ingress of water.

Many COTS parts are only rated to operate between 0  $^{\circ}$ C and +70  $^{\circ}$ C and so particular care must be taken with the thermal design of COTS-based spacecraft. SSTL spacecraft make use of passive thermal control techniques to maintain interior temperatures at moderate levels (10-30 $^{\circ}$ C), with temperature variations kept to 1-2  $^{\circ}$ C per orbit in order to reduce thermal stress. Where available, COTS parts with extended temperature ranges are preferred. Prior to flight, extensive thermal-cycle "burn-in" testing is carried out at module level, and thermal-vacuum testing is performed on the spacecraft as a whole in order to screen the COTS parts for reliability under simulated space conditions.

COTS devices may be particularly susceptible to the total dose damage and single event effects (SEEs) due to the ionising radiation environment encountered in space, and thus particular attention must be paid to the design of COTS-based systems in order to cope with the resultant effects

The total dose tolerance of COTS devices varies widely. Some parts fail at less than 5 krad(Si), whilst others may withstand as much as 100 krad(Si). We take 10 krad(Si) to be a reasonable design limit for untested COTS parts. However, where possible we try to obtain total dose test data on parts, either from published sources, or from the results of our own testing using the University's <sup>60</sup>Cobalt  $\gamma$ -ray source.

Where a component is likely to receive more than its failure dose within the planned mission lifetime, we consider the use of spot shielding using high density metals (e.g. copper, brass or tantalum), or if possible, replacing the part with a rad-hard version. However, total dose damage will accumulate, and so design margins must be built into the spacecraft systems to cope with the expected changes - particularly with regard to voltage levels and current consumption.

Single event effects (SEEs) occur due to the charge deposited along the track of ionising particle passing through a device structure. These effects may be temporary in nature, or may lead to permanent damage.

SEEs can be reproduced in proton or ion-beam tests, but generally these tests are expensive to perform and require specialist facilities which are not widely available. We test parts whenever possible and make use of test data found in the literature. In any case, we assume SEEs will occur, and design the spacecraft systems accordingly. In particular, all the spacecraft memory systems a protected by error-detection and correction (EDAC) coding schemes to guard against the effects of single-event upset (SEU), and all sub-systems have fast over-current-sensing power-switches which can offer some protection against potential damage from single-event latch-up (SEL) [3,4].

# 4. FLIGHT EXPERIENCE

The radiation environment is a major factor in determining the reliability of COTS devices in space, and thus particular attention has been paid to the monitoring of this environment inside the SSTL spacecraft and to analysing its effects.

## 4.1 Single Event Effects (SEEs)

We fly compact radiation environment monitors (such as the UK Defence Evaluation Research Agency's "CREDO" payload and our own "CRE/CEDEX" payloads), to provide in-situ monitoring of the particle environment [5]. Radiation effects such as single-event upset (SEU) are reported routinely by the spacecraft's housekeeping systems. This has lead to a comprehensive set of radiation environment and effects data on COTS devices actually operating over an extended period in orbit. COTS SRAM technologies, ranging from 2K x 8-bit devices on-board *UoSAT-2* to 128K x 8-bit devices on-board *S80/T*, have been most extensively studied, and the results are reported in [6,7,8,9].



Figure 4: Orbital Position of *S80/T* Program Memory Upsets Correlated with the Trapped Proton Environment of the South Atlantic Anomaly as Measured by the *KITSAT-1* Cosmic-Ray Experiment (CRE).

In general, our findings are that, in LEO, the SEU-behaviour of modern COTS SRAM devices is dominated by the trapped proton environment with relatively few SEUs occurring as the result of galactic cosmic-ray (GCR) strikes or indeed as the result of particle flux enhancement due to solar flares. For example, Fig. 4 shows the correlation between the proton environment and SEUs in the 128K x 8-bit CMOS SRAM-based program memory of the *S80/T* spacecraft operating at 1320 km altitude.

SEU rates of the order of  $10^{-6}$  SEU bit<sup>-1</sup> day<sup>-1</sup> were found to be typical for all the COTS SRAM devices we fly in LEO, with the error rates scaling with proton flux. Similar results have been reported by US groups [10].

Single-event multiple-bit upsets (MBUs) - i.e. more than one bit being flipped by the passage of a single particle - were also observed in some of these memory devices, and the MBU rates were found to scale with measured changes in the GCR flux implicating these as the prime cause.

When such MBUs affect only single-bits spread across a memory word, simple (and commonly used) coding schemes such as the Hamming  $(12,8)^4$  code can provide adequate error detection and correction (EDAC). However, we also observed event *single-word* multiple-bit upsets (SMUs) in some of the older SRAM devices, which would defeat any single-bit correcting code.

A solution to this problem might be to simply re-arrange the memory so that it is constructed from devices with a "x 1bit" architecture - which is indeed the approach adopted in the program memory of the *UoSAT-2* on-board computer. With such an architecture, multiple-bit flips within a device will be spread as single-bit flips across several bytes - thus causing no difficulty. The chance that the same bit position in two separate devices will be upset can be kept small by "washing" the memory (i.e. sequentially reading, correcting and writing back each word of memory) at a sufficiently rapid rate. However, this requires several devices to be enabled at once in order to read or write to the memory. For example, for the Hamming (12,8) code, 12 memory devices will need to be active at once, whereas in a memory system with a "x 8-bit" architecture, only two devices need be enabled at any one time. The more devices which are enabled, the greater the power consumption of the memory system, and this is an important factor in a micro-satellite, where power is always a very limited resource. We therefore prefer to use "x 8-bit" dies but use a more robust EDAC scheme.

Ground test data suggest that modern high density memory devices are even more susceptible to MBU than these earlier devices, and thus when we came to design the 80C386-based OBC program memory for the *FASat-Bravo, Thai Phutt* and *UoSAT-12* satellites - using the then untried 512K x 8-bit SRAMs - we decided to use triple-modular redundancy (TMR) hardware EDAC scheme to guard against the possibility of SMUs.

In a TMR protected memory, any number of bits may be flipped within a byte - the majority-voting circuit (implemented in a single gate-array), will simply out-vote such bit-errors, two-to-one against. Whilst this is very attractive in terms of robustness, it does require a 200% storage overhead which would become a problem if we move to increased sizes of program storage memory.

However, now that these spacecraft are in orbit, we have gathered sufficient flight data to show that (contrary to our fears), there has been no dramatic increase in MBU or SMU rates for the 512K x 8-bit SRAM devices we fly. Indeed no SMUs were observed in  $\sim 10^{11}$  bit-days of exposure. Therefore for then next few spacecraft we shall use a less robust but lower overhead (16,8) code developed at Surrey (and also implemented in a single gate-array) which is capable of detecting and correcting up to two bit errors per word to protect the program memories.

The bulk memory systems on the spacecraft (which we call RAMDISKs) all use more robust block codes such as the Reed-Solomon (255,252)<sup>5</sup> code to provide multiple-bit EDAC. These codes have a very low storage overhead (less than 2%), but their complexity has meant that - to date - we have had to implement them in software. Thus, the process of encoding and decoding is too slow to use with the program memories as the CPUs require fast memory access. However, a much faster, hardware-implemented block code-based EDAC chip is currently under development which should prove useful for protecting future program and RAMDISK memories alike.

Another source of multiple-bit upsets is that due to coincidental but independent events. Such events are prevented by "washing" the memory at an adequate rate. But what is an adequate rate? Traditionally, these rates have been calculated on the basis of daily averaged SEU-rates. However, this is not a good statistic to use for these commercial memories operating in LEO, as the vast majority of SEUs occur only within the South Atlantic Anomaly (SAA) - i.e. in bursts lasting for ~5-10 minutes each orbit.

The trapped protons give a very high SEU-rate which is encountered for a relatively short period of time each orbit (see Fig. 5), and that this pattern substantially increases the expected number of MBUs due to coincidences, over that expected on the basis of the average SEU-rate [6]. The numbers of errors which occur *outside* the SAA under quiet-time conditions (i.e. no solar particle events - SPEs) are so small by comparison, that they can be effectively ignored.

<sup>&</sup>lt;sup>4</sup> i.e. 12 bits are used to encode an 8-bit byte giving single-bit error detection and single-bit error correction.

 $<sup>^{5}</sup>$  i.e. 255 bytes are used to encode 252 bytes of data. This RS code can correct any single byte and detect errors in any two bytes within the 255-byte block. A modified (256, 252) block code is flown on the current SSTL spacecraft which can correct any two bytes in error in a 256 byte block.



Figure 5 : UoSAT-5 Program Memory Upsets - Spatial Location and Error-Rate vs. L-Shell Parameter

This has implications for the memory wash-strategy: If it takes the same time, or longer, to wash the memory, as it takes for the spacecraft to fly through the SAA, then the wash may as well take up the rest of the orbit. Thus, if a spacecraft has a 100 minute orbital period, and takes 10 minutes to fly through the SAA, then if its memory wash period lies anywhere between 10 and 90 minutes, it would be just as effective to make the wash period equal to 90 minutes (thus saving CPU time).

If the wash period is longer than 90 minutes (for this spacecraft), then some part of the memory will be exposed to the SAA twice between washes. This should be avoided to reduce the risk of MBUs from coincidences - i.e. the wash should be speeded up.

If the wash-period is substantially less than the time taken to pass through the SAA, then the memory need only be washed at this high-rate whilst actually passing through the SAA. For the rest of the orbit, the wash may as well be suspended. However, there is only really any benefit from a high wash-rate if the wash period is some sub-multiple of the time taken to fly through the SAA - i.e. one half, one third, one quarter of the time, *etc*, and the resulting reduction in MBUs from coincidences is significant compared to the numbers of *single*-event MBUs which no amount of washing can prevent.

When major solar particle events (SPEs) occur, the region outside of the SAA may incur SEU-rates which are similar to those inside the SAA. Therefore, under these conditions, the memory should be washed at a continuously high rate.

In order to tailor the wash-rate to the actual environment encountered, it would be useful to fly a compact radiation detector to give warning of high proton fluxes. This could easily be linked to the OBC, which would exercise a dynamic control over the wash-rate - speeding it up in proportion to the rate at which protons are encountered. This would then be able to automatically cope with SAA traversals and major SPEs. Such an alarm is under development at Surrey.

In addition to "upsets", modern COTS devices may exhibit a variety of behaviour under SEE conditions which may lead to unexpected interruptions to their function, or indeed to the destruction of devices through such conditions as latch-up. Such events must be coped with by careful systems design. For example, LaBel *et al.* give an excellent summary of the emerging radiation issues (from NASA's perspective) and the system level mitigation techniques [11].

In our experience, the observed single-event latch-up (SEL) rates were found to be less than expected on the basis of ground-test results, and have mainly occurred in older memory technology (*UoSAT-2*), however, the computer systems on-board *UoSAT-3* and *UoSAT-5* have both exhibited unexpected power-switch trips which we have interpreted as being due to SEL. In the case of *UoSAT-5* there has been one event in eight years and no permanent damage was done. In the case of *UoSAT-3*, there were two events in reasonably close succession. After the second event, it was found to be impossible to re-load new software, and thus *UoSAT-3* is now controlled via its back-up Z-80-based OBC and by direct ground command. For all the spacecraft, no processor upsets were observed<sup>6</sup>, and only one possible (temporary) stuck bit was detected in the memory devices [13].

<sup>&</sup>lt;sup>6</sup> Research reported in [12] shows that the influence of SEUs on processor operation is strongly influenced by the type of software being executed. In much spacecraft software, the cyclic nature of the code means that any SEUs which do occur rarely have an observable consequence.

#### 4.2 Total Dose Effects (TDEs)

The effect of total dose damage is most pronounced for the *S80/T* and *KITSAT-1* spacecraft, launched in 1992, and which, due to their 1320 km altitude orbit, have received the largest accumulated dose of any of the SSTL satellites. The effect of this is apparent in the total current consumption of the regulated +5V power supply (which feeds all the COTS logic devices on the spacecraft).



Figure 6: S80/T Total +5V Line Current and Daily Number of SEUs in the RAMDISK

It is apparent that the current started to increase noticeably towards the end of 1995, 3 years after launch, corresponding to a total accumulated dose (as measured by RADFET dosimeters on *KITSAT-1*) of between 4.5 and 6.5 krad(Si). By the end of 1997, after accumulating doses of between 7.5 and 11 krad(Si), the +5V current had doubled - although both spacecraft remained fully functional<sup>7</sup>. This increase in current consumption has been matched by an increase in SEU-rate<sup>8</sup>. However, over this same period (1992-97), the CRE monitor on-board *KITSAT-1* has shown *no* significant change in the SAA proton environment, and therefore it seems likely that the increase in SEU-susceptibility is related to the accumulation of radiation dose damage - indeed, in ground testing, a rise in proton upset cross-section was observed for proton doses of 10-15 krad(Si).

On this basis, we should expect the 800 km polar-orbiting SSTL satellites (which accumulate 1-1.5 rad(Si) per day) to survive at least 9-10 years in orbit before we start to see the influence of total dose effects. Indeed, the only dose-related failure seen so far has been an analogue-to-digital converter (ADC) located in the *UoSAT-2* navigation magnetometer referred to earlier. Ground-testing confirmed that this old device was particularly sensitive to total dose damage, failing at less than 5 krad(Si).

# 5. CONCLUSIONS

Almost twenty years of practical experience have shown that low-cost spacecraft based upon COTS technologies are a practical proposition for low-Earth orbit (LEO), provided that environmental factors are taken into account - particularly at the system design level.

The harsh vacuum and thermal environment requires the choice of suitable vacuum-hard materials and, where possible, devices which have wide temperature tolerances. We have flown COTS, plastic-encapsulated ICs in LEO for 100 orbityears without reliability problems. However, many COTS devices have restricted operational temperature ranges and thus particular care must be taken with the thermal design of the spacecraft. Operating at cool "room temperature", with little variation seems to be the ideal.

The ionising radiation environment is a major issue for COTS devices:

Total dose effects are observed to become apparent after an exposure of around 5 krad(Si) with a noticeable increase in overall current consumption. However, devices generally remain functional up to a doses of 10-12 krad(Si) or beyond. Spot shielding can be effective against electron dose, however the high energy protons are not stopped by shields. Care must be taken to allow sufficient margin in terms of power consumption, otherwise, even for those COTS devices which survive to this dose level, increases in their current consumption can begin to exceed the current limits set in the spacecraft's power system - leading ultimately to system failure.

<sup>&</sup>lt;sup>7</sup> In fact both spacecraft remain functional as of March 2000 - i.e. after 7.6 years and 12-18 krad(Si) total dose.

<sup>&</sup>lt;sup>8</sup> The gaps in the SEU record indicate missing data, or periods when the memory was affected by the thermal problem with the power-switches.

Single-event effects are a constant problem, but, at the rates encountered, SEUs in memory can be dealt with successfully using adequate coding-schemes with error-detection and correction (EDAC) circuitry. Single-bit detection/correction codes are not adequate for modern memory devices due to the occurrence of MBUs. However, more robust coding schemes are available albeit with either increased storage overhead, or increased code complexity. Combinations of cyclic-code and block code-based EDAC schemes have enabled us to routinely use large amounts of COTS SRAM for on-board program and data storage without problem.

SEUs in processors are not a problem in practice due to the cyclic nature of typical spacecraft software which means that the effective bit-error cross-section is very small. On-board software has run routinely for periods of years without crashing. In any case, we design our spacecraft so they are no reliant on the OBC for safe operation. This allows us to upload new software to continuously enhance the missions post-flight.

Single-event latch-up is more of a problem, but seems rare in practice, and permanent damage can be prevented by the use of fast over-current sensing power switches.

Accurate SEE-rate predictions for COTS technologies will always be difficult due to the lack of ground-test data. Therefore, COTS-based systems must be designed with appropriate margins, and the use of the layered redundancy and software flexibility can help overcome problems should they occur.

What of the future? There will be a continuing role for COTS-based micro and mini-satellites, but advances in COTS technology open up the possibility of even smaller, yet highly capable "nano-satellites" having masses of just a few kg. Indeed Surrey's first nano-satellite of this kind - *SNAP-1* - is due for launch in June 2000.

#### 6. ACKNOWLEDGEMENTS

I should like to thank the Centre National D'Etudes Spatiales (CNES); the Korea Advanced Institute for Science and Technology; UK Defence Evaluation and Research Agency - DERA (Farnborough), European Space Agency (ESA-ESTEC) and the Engineering and Physical Sciences Research Council (EPSRC), for their support of this work.

#### 7. REFERENCES

- [1] Ward, J.W., Underwood, C.I. and Day, M (1997) "Commercial Components in Space 60 Satellite Years of Orbital Experience", *European Workshop on the Commercialization of Military & Space Electronics*, Nice, France, 12-14<sup>th</sup> November 1997.
- Sweeting, M.N. (1992) "UoSAT Microsatellite Platform & Missions", Workshop on Design Approaches & Philosophies for Small Satellites, ESA-ESTEC, Noordwijk, Holland, March 3<sup>rd</sup>-4<sup>th</sup> 1992.
- [3] Hodgart, M.S. (1992) "Efficient Coding and Error Monitoring for Spacecraft Digital Memory", Int. J. Electronics, 73, <u>1</u>, pp. 1-36, 1992.
- [4] Hodgart, M.S. and Tiggeler, H.A.B. (1998) "Fast Low Complexity Reed Solomon Codec for Space and Avionics Ramdisk Applications", ESA/Eurospace/CNES Data Systems in Aerospace Conference (DASIA98), Athens, 25-28<sup>th</sup> May 1998.
- [5] Underwood, C.I., Oldfield, M.K., Dyer, C.S., Sims, A.J. (1996) "Long-Term Trends in the LEO Radiation Environment as Measured by Radiation Monitors On-Board Three UoSAT-Class Micro-Satellites", ESA SP-392, pp.37-44, ESA Workshop on Environment Modelling for Space-Based Applications, ESTEC, Noordwijk, 18-20 Sept. 1996
- [6] Underwood, C.I. (1996) "Single Event Effects in Commercial Memory Devices in the Space Radiation Environment", *Ph.D. Thesis*, University of Surrey, August 1996.
- [7] Harboe-Sørensen, R. Daly, E.J., Adams, L., Underwood, C.I., and Muller, R. (1993) "Observation and Prediction of SEU in Hitachi SRAMs in Low Altitude Polar Orbits", *IEEE Trans. Nucl. Sci.*, 40, <u>6</u>, pp.1498-1504, December 1993.
- [8] Underwood, C.I., Ward, J.W., Dyer, C.S. and Sims, A.J. "Observations of Single-Event Upsets in Non-Hardened High-Density SRAMs in Sun-Synchronous Orbit", *IEEE Trans. Nucl. Sci.*, NS-39, 1817-1827, 1992.
- [9] Underwood, C.I. Ecoffet, R., Duzellier, S. and Faguere, D. (1993) "Observations of Single-Event Upset and Multiple-Bit Upset in Non-Hardened High-Density SRAMs in the TOPEX/ Poseidon Orbit", 1993 IEEE Radiation Effects Data Workshop Record, pp.85-92., Snowbird, Utah. July 1993.
- [10] LaBel, K.A., Stassinopoulis, E.G., Crabtree, C.M., Hengemihle, J. and Gates, M. (1993) "Solid State Tape Recorders: Spaceflight SEU Data for SAMPEX and TOMS/Meteor-3", 1993 IEEE Radiation Effects Data Workshop Record, pp.77-84., Snowbird, Utah. July 1993.
- [11] LaBel, K.A., Johston, A.H., Barth, J.L., Reed, R.A., Barnes, C.E. (1998) "Emerging Radiation Hardness Assurance (RHA) Issues: A NASA Approach for Space Flight Programs", *IEEE Trans. Nucl. Sci.*, 45, <u>6</u>, pp.2727-2736, Dec. 1998.
- [12] Asenek, V. (1998) "Predicting the Reliability of Electronic Subsystems and "Commercial-Off-The-Shelf" Microprocessors on Low-Cost Small Satellites", *Ph.D. Thesis*, University of Surrey, September 1998.
- [13] Duzellier, S., Falguere, D., Ecoffet, R. (1993) "Proton & Heavy Ion Induced Stuck Bits On Large Capacity RAMs", Proceedings of the Second European Conference on Radiations and Their Effects on Devices and Systems (RADECS 93), ESA/IEEE, pp.468-472, Sep. 13-16, 1993.