# **Engineering Notes**

ENGINEERING NOTES are short manuscripts describing new developments or important results & a preliminary nature. These Notes cannot exceed 6 manuscript pages and 3 figures; a page & text may be substituted for a figure and vice versa. After informal review by the editors, they may be published within a few months & the date of receipt. Style requirements are the same as for regular contributions (see inside back cover).

# Managing Single Event Effects in Satellite Systems

Richard H. Maurer\* and James D. Kinnison†

Johns Hopkins University Applied Physics Laboratory,

Laurel, Maryland 20723

#### Introduction

ATELLITE systems must be able to survive the hazards of space radiation, including single event upset and latchup. However, the choice of electronic components may also be constrained by the need to perform a particular mission, by schedule, or by cost. Using radiation hardened parts is not feasible in many cases, so the effect of the radiation environment on integrated circuits must be assessed.

Inevitably, some crucial integrated circuit exhibits undesirable behavior; a device may latch up or may be overly sensitive to single event upset. System-level techniques, such as event detection and correction, can be used to compensate for susceptible devices. A decision tree representing a systematic approach to evaluate the use of single event sensitive devices is given in Fig. 1.

### **Latchup and Latchup Protection**

The first decision point on the single event effects decision tree (Fig. 1) is the box containing the question, "Does the device latch up?" Latchup is generally a high current state which may be catastrophic and must be dealt with first. Ideally, one does not want to fly any such device; but there may be compelling reasons for considering a latchup sensitive device [e.g., the device is the only Complementary Metal Oxide Semiconductor Programmable Read Only Memory (CMOS PROM) available]. To perform the required mission may necessitate use of such a device.

CMOS Very Large Scale Integrated (VLSI) digital devices generally need to be screened for latchup using an accelerator **as** a heavy ion source. If the device does latch up, the experimenter needs to determine important parameters including the latchup threshold, the latchup asymptotic cross section, the range of the latchup state currents (usually in hundreds of milliamps) and the range of the latchup state holding currents (usually less than 10 mA).

Hopefully, the latchup state will have some distinctly different characteristics from the normal operating states of the device so that a latchup protection circuit can be designed, if necessary. The difference between the operating current and the latchup

Received Oct. 21, 1992; revision received April 16, 1993; accepted for publication April 16, 1993. Copyright © 1993 by the American Institute of Aeronautics and Astronautics, Inc. The U.S. Government has a royalty-free license to exercise all rights under the copyright claimed herein for Governmental purposes. All other rights are reserved by the copyright owner.

\*Principal Physicist, Space Department Reliability Group, Johns Hopkins Road.

†Senior Physicist, Space Department Reliability Group, Johns Hopkins Road.



Fig. 1 Single event effects decision tree.

state current is one parameter that can be sensed; the change in logic state on an output or driver pin is another.

To return a device from a potentially destructive latchup state to a normal operating state, the supply current to the device must be limited by a resistor to prevent device burnout, and the supply current must be reduced to a level below the holding current. Implementing such protection in satellitehardware creates weight, volume, and power penalties. There may also be some performance impact on the device itself especially with respect to speed of operation.

For some missions, such **as** a Shuttle mission, the environment is benign and the mission duration is short. In such a case the program office may elect to accept the risk of the device latching up and use it without any protection.

An intermediate case could be one in which adequate latchup protection is not possible because of an inability to sense a latchup state or monitor the device. Even if the program were willing to support the latchup protection circuit design, a redesign or part substitution would be necessary.

#### Example: ADSP2100A

A latchup protection, detection, and removal circuit may also have **to** restart a device such **as** a processor to continue normal system operation after a latchup occurs. An example of such a circuit was designed for the ADSP2100A<sup>1</sup> digital signal processor

A small resistance in series with the device power pins protects the chip by limiting the latchup current and prevents the (device power supply) (VCC) bond wires from melting. When a latchup occurs, the current through the resistor increases and the voltage applied to the ADSP2100A drops. This drop is sensed by a comparator, producing a signal that clocks a flip flop, creating a latchup detect signal. This signal is used to turn off the series transistor, which removes power from the device VCC pins. At the same time, the entire board is reset. To extinguish the parasitic Silicon-ControlledRectifier (SCR) that forms the latchup, all of the sources of current that sustain the SCR must be eliminated. In CMOS devices, such as this, the device input pins are connected to the chip VCC bus through a diode. Therefore, input pins driven high could supply current to sustain the SCR. To prevent this, the latchup detect signal is used to tristate or force low all signals that drive ADSP2100A inputs.

The ADSP2100A processor board is under the control of the subsystem main processor. The main processor can set or clear the latchup detect flip flop with software. After the latchup has been extinguished, the main processor clears the latchup detect flip flop, which allows power to be applied to the device and inputs to be driven.

Unforeseen problems, such as a greater than expected device current increase due to total dose damage in the ADSP2100A, could cause the supply current to exceed the threshold of the latchup detect circuit. To prevent continuous triggering of the latchup detect circuit due to total dose damage, the function can be disabled. The latchup disable/enable function is under software control of the subsystem main processor. When disabled, the latchup current would be limited by a resistor, but would not be automatically switched off in the event of latchup.

The latchup detect signal is used to generate an interrupt to the subsystem main processor. The interrupt service routine reloads the random access memory (RAM) based ADSP2100A software, clears the latchup detect flip flop after a fixed length delay, and then clears the ADSP2100A reset, allowing the ADSP2100A to resume operation.

Software on the subsystem main processor is also used to detect latchups below the threshold of the latchup detection circuit, bit flips that cause the ADSP2100A to malfunction and latchups that take place when the latchup detect circuit is disabled. The ADSP2100A is programmed to generate periodic interrupts to the main processor. If the interrupt is not generated, a timer in the main processor times out and generates an interrupt. This interrupt service routine performs a similar procedure as the latch detect interrupt service routine to restart the ADSP2100A.

A reliable latchup protection circuit must not be sensitive to the radiation environment. To this end, we use a radiation hardened main processor, a CMOS/SOS 1750A. In addition, the devices used in the latchup protection circuity are not sensitive to single event upset or latchup and are hard enough to survive in the expected particle environment over the mission lifetime.

To verify that the latchup circuit functioned properly, we exposed samples of the commercial ADSP2100A to heavy ions. In all, more than 60 latchups were generated in three samples, with no damage to any device. In addition, the devices stopped operating several times due to single eventupsets; the protection circuitry detected this state and reset the upset device to restore proper function.

#### **Transient Upset**

For devices which prove to be latchup immune and, therefore, candidates for flight hardware, their susceptibility to soft errors or transient single event upset (SEU) needs to be assessed. A fairly inclusive data base is updated and published in odd-numbered years, e.g., see Ref. 2. Another approach is to test for SEU sensitivity using an accelerator.

After determining the SEU threshold and cross section as a function of linear energy transfer, we try to categorize and assess the kinds of upsets that occur with their consequent impact on the particular spacecraft system. If the transient upset causes a serious system malfunction such as a change of attitude, orientation, or pointing, then a system or device level protection scheme similar to that devised to cope with latchup must be developed.

In contrast, if soft errors do not lead to system malfunction, the designer need only to consider if the error rate for the device itself is too high for that device to perform acceptably. If the device error rate in the mission environment (including periods of flare activity) is low, one may use the chip as is. If the rate is too high, some error detection and correction (EDAC) scheme such as a parity check may be employed for the chip. With any EDAC comes an overhead exhibited as a loss of memory cells dedicated to error checking and a decrease in memory speed. Such performance impacts may or may not prove acceptable to the system design. Finally, it is possible that for the same mission a chip's upset rate might be acceptable for a science data system or one with a low duty factor but not for a command or attitude control system.

In testing devices for single event upset it is important to exercise and monitor flip flops or logic gates as well as memory registers. Even for random access memories (RAMs) or read only memories (ROMs) the test engineer should consider if any peripheral logic or power structures could be upset in addition to the memory cells.

In general, whereas device level protection devotes nodes or registers of the device to its own self-monitoring (thus decreasing device performance), system level protection requires additional hardware and/or procedures that do not necessarily decrease device performance but add complexity to system operation. The designer must monitor the upset device with a second hardened, intelligent controller detecting faults exterior to the chip in question. To rely on the system level generated resets requires a thorough testing of fault detection and correction capability. All of the error states should be known, exercised, and reset efficiently.

#### **Example: 80186 Microprocessor**

Finally, we describe the use of the 80186 microprocessor<sup>3-5</sup> in an adaptive tracker. This device was predicted (on the basis of experimental data) to upset about once every 3 days for a low-Earth-orbit mission. However, since the 80186 was also susceptible to proton induced upsets, a rate of one upset every 5 h could be reached should a large solarflare occur. A watchdog timing scheme was designed to cope with upsets.

In the adaptive tracker, SEUs are detected by two watchdog timers. The burst-rate timer must be reset approximately every **8.5** ms, and the track-rate timer every 50 ms. In the event that either timer is not reset in time, a processor reset is generated.

When a reset occurs, the microprocessor begins executing the system bootup routine. This bootup routine interrogates the command word to determine what type of reset has occurred. In the event of an error reset, which is the default, the initialization routine assumes the state of the processor is contained in write-protected RAM. This state includes the last mode command executed (idle, standby, calibrate, or track) and the values for all of the control variables. On reset, the initialization software brings the adaptive tracker up in the idle mode. This portion of the recovery requires about 16 ms. The bootup routine then copies the last mode command from write-protected RAM to the command word. Finally, the bootup routine flags the command processor ready to run and turns control over to the table manager program.

At this point, the table manager program will invoke the command processor, as it does whenever a command is received, and the command processor will execute the command word. In executing the command word, the command processor will set the synchronizer parameters, and then signal whatever

task is necessary to transfer to the correct mode of operation. This processing requires under 2 ms to complete. Thus, the adaptive tracker processor can recover from an error reset to the previous mode of operation in under 20 ms.

#### References

<sup>1</sup>Kinnison, J. D. et al., "Radiation Characterization of the ADSP 2100A Digital Signal Processor," *IEEE Transactions in Nuclear Science*, Vol. NS-38, Dec. 1991, pp. 1398–1402.

<sup>2</sup>Nichols, D. K. et al., "Update on Parts SEE Susceptibility from Heavy Ions," *IEEE Transactions in Nuclear Science*, Vol. NS-38, Dec.

1991, pp. 1529-1539.

<sup>3</sup>Kinnison, J. D., McKerracher, P. L., Maurer, R. H., and Carkhuff, B. G., "Single Event Survivability of Unhardened VLSI Devices," Proceedings ∉the 1990 Advanced Micro-electronics Technology Qualification, Reliability and Logistics Workshop, San Diego, CA, Department of Defense Tri-Service MIMIC Qualification Committee, 1990, pp. 239–248.

pp. 239–248.

<sup>4</sup>Spaur, C. W., "TOPEX Radar Altimeter Signal Processor SEU Recovery," Applied Physics Lab., S2F-890126, Laurel, MD, March

1989.

<sup>5</sup>Maurer, R. H., Kinnison, J. D., Romenesko, B. M., Carkhuff, B. G., and King, R. B., "Space Radiation Qualification of a Microprocessor Implemented for the Intel 80186," Proceedings 

the 2nd Annual AIAA/USU Conference on Small Satellites, Center for Space Engineering, Utah State University, Logan, UT, Technical Session 111, Paper 3, 1988.

## **Perturbed Volume of Orbiting Debris**

Joshua Ashenberg\*
Chelmsford, Massachusetts 01863

#### **Nomenclature**

A = particle reference area

 $C_D$  = drag coefficient

D = atmospheric drag

H = density scale height

 $J_2$  = second zonal harmonic of the Earth

m = particle mass

r = radius vector

 $R_E$  = Earth's radius

V = velocity

z = Earth's polar axis

 $\rho$  = atmospheric density

μ = geocentric gravitational constant

### Introduction

THE common scenario of debris spread due to an orbital breakup consists of the following phases.' During the first phase, which lasts only few revolutions, the debris cloud forms a pulsating ellipsoid. *An* important feature is related to the constriction points, also named "pinch points" at which the cloud is constricted in one or two dimensions. The other phases are the propagation of the cloud forming a torus-like shape, the zonal spread due to the Earth's oblateness? and finally, the "cleaning" due to the atmospheric drag. We will concentrate here on the first phase. For most of the applications, the unperturbed two-body dynamics is sufficient for dealing with the short term. However, for a more accurate prediction, especially

concerning the constriction points, the inclusion of the perturbations is essential.

Our case study is the inclusion of the dominant perturbations in the propagation of particles after an isotropic explosion in low Earth orbits. We are mainly interested in the volume which is occupied by these particles. We deal here with the perturbations due to the Earth's oblateness ( $J_2$ ) and due to the atmospheric drag. The method of solution is the linearized perturbations, which provides a first-order solution about the reference orbit. Regarding the set of coordinates, we prefer here the inertial frame of reference, rather than the orbital frame which is commonly used in problems related to relative motion.<sup>6</sup> Although the orbital frame provides us with an analytical solution? it is quite cumbersome when dealing with the linearized  $J_2$  perturbations. Since the volume is invariant under translation or rotation, we expect to get the same numerical results as those obtained from the orbital frame of reference.

#### **Formulation**

The basic equations of motion, including the perturbations due to the Earth's oblateness and the atmospheric forces, are

$$\frac{\mathrm{d}\boldsymbol{r}}{\mathrm{d}t} = \boldsymbol{V} \tag{1a}$$

$$\frac{\mathrm{d}V}{\mathrm{d}t} = g(\mathbf{r}, V) \tag{1b}$$

The vector  $g = F_{2-body} + F_{J_2} + D$  is a function of both the radius vector and the velocity. The detailed expressions for the perturbations are the following:

$$F_{2-\text{body}} = -\mu r/r^{3}$$

$$F_{J_{2}} = \nabla_{r} \Re_{J_{2}}$$

$$D = -K_{D}VV$$
(2)

where  $K_D \stackrel{\text{def}}{=} \frac{1}{2}(A/m)\rho C_D$  and  $\Re_{I_2} = [(\mu J_2 R_E^2)/2r^3] [3(z^2/r^2) - 1]$  is the disturbing function related to the Earth's oblateness. The linearized equations of motion have the form

$$\frac{\mathrm{d}}{\mathrm{d}t} \left\{ \frac{\delta \mathbf{r}}{\delta V} \right\} = \mathbf{A}(t) \left\{ \frac{\delta \mathbf{r}}{\delta V} \right\} \tag{3}$$

where

$$\mathbf{A} = \begin{pmatrix} \mathbf{0} & \mathbf{I} \\ \mathbf{G} & \mathbf{D} \end{pmatrix}, \qquad \mathbf{G} = \frac{\partial \mathbf{g}}{\partial \mathbf{r}}, \qquad \mathbf{D} = \frac{\partial \mathbf{g}}{\partial \mathbf{V}}$$
(4)

G corresponds to the gravity gradient matrix' and D will be named as the dissipation matrix. The two-body gravity gradient matrix is presented in Battin's book. Here, this matrix includes the  $J_2$  terms as well as terms related to the variations of the atmospheric density. The dissipation matrix contains the atmospheric drag. Computing the gradients and denoting the unit dyadic as I, we have

$$\frac{\partial \mathbf{g}}{\partial \mathbf{r}} = \frac{\mu}{r^5} [3\mathbf{r}\mathbf{r} - r^2\mathbf{1}] + \nabla_r \nabla_r \Re_{J_2} + \frac{K_D V}{H r} V \mathbf{r}$$
 (5)

where the last term reflects the density variation, assuming an exponential model:

$$\frac{\partial \mathbf{g}}{\partial V} = -\frac{K_D}{V}[VV + V^2\mathbf{1}] \tag{6}$$

At this point we are ready for evaluating the volume. Let  $\Phi_{12(t,t0)} = \frac{\partial r}{\partial V_0}$ , then it can be shown\*that the volume is the image of its initial value under the mapping  $\Phi_{12}$ .

Received Jan. 2, 1993; revision received March 29, 1993; accepted for publication May 12, 1993. Copyright © 1993 by the American Institute of Aeronautics and Astronautics, Inc. All rights reserved. \*Aerospace Scientist, P.O. Box 606. Member AIAA.