A RADIATION-HARDENED COMPUTER FOR SATELLITE APPLICATIONS
John I. Gaona Jr.
Sandia National Laboratories, Embedded Processor Subsystems Department 5731,
Albuquerque, New Mexico

Biography

John I. Gaona Jr. is a Senior Member of Technical Staff for Sandia National Laboratories (Sandia) in Albuquerque, New Mexico. He has a Master's degree in Electrical Engineering and has been involved in Embedded Processor Subsystem Design in Insulin Delivery Systems, Weapons, and currently Satellites.

Abstract

This paper describes high reliability radiation hardened computers built by Sandia for application aboard Department Of Energy (DOE) Satellite programs requiring 32-bit processing. The computers highlight a radiation hardened (1 Mrad(Si)) R3000 executing up to 10 Million Reduced Instruction Set Instructions (RISC) Per Second (MIPS), a dual purpose module control bus used for real-time fault and power management which allows for extended mission operation on as little as 1.2 watts, and a Local Area Network capable of 480 Megabits per second. The Central Processing Unit (CPU) is the NASA Goddard R3000 nicknamed the “Mongoose or Mongoose 1”. The Sandia Satellite Computer (SSC) uses Rational’s Ada compiler, debugger, operating system kernel, and Enhanced Floating Point Emulation Library targeted at the Mongoose.

The SSC gives Sandia the capability of processing complex types of spacecraft attitude determination and control algorithms and of modifying programmed control laws via ground command. And in general, SSC offers end users the ability to process data onboard the spacecraft that would normally have been sent to the ground which allows reconsideration of traditional space-ground partitioning options.

Introduction

The Sandia Satellite Computer is produced by/for Sandia Satellite programs which require 32-bit processing. SSC is designed to operate at any altitude and can include redundancy to address long term mission requirements.

The CPU is the NASA Goddard R3000 nicknamed the “Mongoose”. The computer design incorporates a dual purpose module control bus used for real-time power and fault management. The computer adapts to the full spectrum of performance and power conservation needs offering three software programmable (on the fly) operating frequencies.

SSC is EMI-tight, modular, and employs low risk packaging and assembly methods to minimize manufacturing cost and delivery time. SSC modules are 5.88 in. x 8.25 in. (SEM-X) and have surface mount components on both sides. Components are hardened to at least 100 KRad Total Dose. SSC has a full range of peripherals, some of which emulate flight modules to lower development costs.

Software is programmed in the Ada programming language. Sandia uses Rational’s Ada development tools which were tailored for the Mongoose CPU. Sandia developed an “emulator like” monitor TALK (Teachable inter-Active Language Kernel).

General Description

The SSC is designed to operate through launch and ascent in addition to its station keeping duties. Redundant modules (including CPU modules) can be used either concurrently for increased performance or as cold spares for increased reliability. Module activity is commandable either through its own software or from the Ground Station through the power management bus. Every module in SSC contains current, voltage, and temperature monitors to monitor module State-Of-Health (SOH).

The computer’s performance results from the Mongoose’s Harvard Architecture consisting of three independent non-multiplexed memory buses. Cache memory devices are required to operate with no wait state accesses. The user can expect close to a 1:1 throughput to clock speed ratio up to and including 10 MHz worst case operation (e.g., 10 RISC MIPS at 10 MHz clock speed).

Mongoose is designed with static registers (i.e., no refresh is needed) which allows the CPU to retain its information even when the clock is halted. Sandia designers take advantage of this feature by integrating a software programmable clock swapper circuit to match the appropriate clock frequency to the task at hand resulting in as little as 1.2 watt operation.

---

1 This work was supported by the United States Department of Energy under Contract DE-AC04-94AL85000.

The computer is **Qualified** to MIL-STD-1540B (Test Requirements for Space Vehicles). All parts are required to be **Radiation Hardened** to 100 KRad(Si) and parts shall not latch up. Components shall be immune to Single Event Upset (SEU) from iron. The SSC is qualified to 14.1 Grms (20 to 20,000 Hertz) random vibration and operates from -34 deg C to +71 deg C cold plate temperature.

Digital and analog components are procured to MIL-STD-883 Class B, and Scanning Electronic Microscope (SEM) per Method 5007, and 100% Particle Impact Noise Detection (PIND) per MIL-STD-883 Class S Method 2020. Also, discrete components are JANS and passive components are MIL-X-XXXXX (failure rate level S).

A suite of **Local Area Network** (LAN) subsystem interface modules is available for users interested in a very high speed (320 Mbits/sec (i.e., overhead not included)) payload LAN.

**SSC Thermal Design** maintains a component temperature differential of 25 deg C above cold plate temperature. Hot components were identified and their temperatures were monitored throughout development. Thermally conductive material is used to carry heat away from the component out to the module cover; and, on very hot components, heat bars are used to enhance conductivity to module frames. In order to reduce **Electromagnetic Emissions** and/or provide additional **Radiation Shielding** to sensitive components, modules may be fitted with full/partial/spot covers front and/or back. **Connectors** are flight approved circular Printed Circuit Board (PCB) mounted Radio Frequency Interference (RFI) connectors. These circular connectors are available as standard product from several companies or as long lead time filtered connectors. Backplane connectors are 220-pin AirBorn connectors.

The expected error rate for the Mongoose microprocessor in a 500 km, polar inclination orbit including earth precession (assuming Adams’s 90% worst-case LET spectrum, orbit worst-case flux under stormy geomagnetic conditions) is $4.36 \times 10^{-8}$ errors/device-day for 100 mil aluminum shielding or one device error in 6.3 years.

While operating SSC the cold plate shall not exceed the 85 deg C survival temperature. While not operating SSC the cold plate shall not exceed 110 deg C survival temperature. **Reliability** numbers were calculated for a one year mission with a cold plate temperature not to exceed 25 deg C. A 9-slot SSC with an extra Mongoose module as a cold spare yields a $R(t=1\text{year})=0.9707$ at 8 MHz.

Mongoose executes the MIPS R3000 Instruction Set Architecture (ISA). **Sandia uses Rational’s Ada compiler, debugger, and operating system kernel.** Sandia contracted with Rational to tailor its Ada development tools to the Mongoose. Rational increased the throughput of its Floating Point Emulation (i.e., there is no hardware Floating Point Unit (FPU) inside Mongoose 1) by a factor of 10. Floating Point emulation now incorporates direct function calls bypassing interrupt overhead. Rational’s kernel takes care of interrupt handling, process manipulation, process control block manipulation, dispatching, process synchronization, interprocess communication, support of input/output activities, storage allocation and deallocation, support of the file system, a procedure call/return mechanism, and certain system accounting functions. Sandia is anticipating that both the Ada kernel and project application (satellite) software will occupy approximately 250 KBytes of Instruction Cache or approximately half. Two (2) UARTs are dedicated for software development, the first for Rational’s tools or TDM (Target Debug Monitor), and the second used for Terminal Emulation on either a PC or workstation.

**Sandia developed TALK Monitor** features:

- Memory read/write in 8, 16, or 32 bit words
- On-line Help
- Data Conversion For Displaying Monitor Data
- Fail-safe Monitoring Of Critical Conditions
- Download And Execution Of Motorola S-Records
- Command Macro Capability
- Hosted By PC or Workstation
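
Downloading and executing S-records means the monitor writes host-supplied bytes to host-supplied addresses, so each record's checksum and target address should be verified before anything is stored. The following C code is an added example, not Sandia's TALK code; the load window `LOAD_BASE`/`LOAD_SIZE`, the function names and the sample records are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed RAM window that accepts downloads (hypothetical, not from the paper). */
#define LOAD_BASE 0x00010000u
#define LOAD_SIZE 0x100u

enum srec_status { SREC_OK, SREC_SKIP, SREC_EOF, SREC_BAD_FORMAT,
                   SREC_BAD_CHECKSUM, SREC_BAD_ADDRESS };

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

static int hex_byte(const char *s)
{
    int hi = hex_nibble(s[0]), lo = hex_nibble(s[1]);
    return (hi < 0 || lo < 0) ? -1 : (hi << 4) | lo;
}

/* Validate one S-record; S1/S2/S3 data reaches mem[] only if every check passes. */
enum srec_status srec_load_line(const char *line, uint8_t *mem)
{
    /* Address-field width in bytes per record type; 0 marks the reserved S4. */
    static const int addr_len[10] = { 2, 2, 3, 4, 0, 2, 3, 4, 3, 2 };
    uint8_t rec[255];
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r')) len--;
    if (len < 10 || line[0] != 'S' || line[1] < '0' || line[1] > '9')
        return SREC_BAD_FORMAT;
    int type = line[1] - '0', alen = addr_len[type];
    int count = hex_byte(line + 2);          /* number of bytes after the count field */
    if (alen == 0 || count < alen + 1 || len != 4 + 2 * (size_t)count)
        return SREC_BAD_FORMAT;
    uint8_t sum = (uint8_t)count;
    for (int i = 0; i < count; i++) {
        int b = hex_byte(line + 4 + 2 * i);
        if (b < 0) return SREC_BAD_FORMAT;
        rec[i] = (uint8_t)b;
        sum = (uint8_t)(sum + b);
    }
    if (sum != 0xFF)                         /* count + address + data + checksum */
        return SREC_BAD_CHECKSUM;
    /* S0/S5/S6 carry no loadable data; S7/S8/S9 terminate the image. */
    if (type == 0 || type >= 5) return type >= 7 ? SREC_EOF : SREC_SKIP;
    uint32_t addr = 0, n = (uint32_t)(count - alen - 1);
    for (int i = 0; i < alen; i++) addr = (addr << 8) | rec[i];
    /* Overflow-safe bounds check: the whole record must sit inside the window. */
    if (addr < LOAD_BASE || addr - LOAD_BASE > LOAD_SIZE ||
        n > LOAD_SIZE - (addr - LOAD_BASE))
        return SREC_BAD_ADDRESS;
    memcpy(mem + (addr - LOAD_BASE), rec + alen, n);
    return SREC_OK;
}

int main(void)
{
    static uint8_t ram[LOAD_SIZE];
    /* Constructed samples: header, good data, corrupted data, bad address, end. */
    const char *lines[] = { "S00600004844521B", "S3090001000001020304EB",
        "S3090001000001020305EB", "S3090000000001020304EC", "S70500010000F9" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-24s -> %d\n", lines[i], (int)srec_load_line(lines[i], ram));
    return 0;
}
```

A loader built on this would stage the image and transfer control only after every record returned `SREC_OK` or `SREC_SKIP` and a terminating record was seen.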

The **SSC Is Partitioned** into three volumes primarily to enhance its Electromagnetic Compatibility characteristics. Looking at the SSC illustration below, reading from left to right, the first volume (Power Input Dog House) contains the input power connector, fuse module, and feedthrough capacitors. The second volume (Main Section) contains core processor modules, 32-bit backplane, and feedthrough capacitors. And the third volume (Input/Output (I/O) section) contains SSC I/O modules, 16-bit backplane, user defined I/O circuitry, and I/O connectors. All I/O is printed circuit board routed including external I/O signals from the printed circuit board mounted circular connectors. The need for filtered connectors is reduced due to the compartmentalization of the SSC.

**Frame Ground** is isolated from **Circuit Ground**; however, there are several strapping options designed into SSC that allow the frame ground to be solidly tied to circuit ground if desired. **No Outgassing materials** are used.

**Architecture**

The SSC architecture was influenced primarily by:

- Electromagnetic Compatibility
- Controlled Impedance Backplane
- Mongoose Cache Operation
- Payload Data Network (PDN)
- Low Power Operation (Launch & Ascent)

<table>
<thead>
<tr>
<th>Mongoose Operating Frequency KHz</th>
<th>Main Section (Core Processor milliwatts)</th>
<th>I/O Section (with PDN milliwatts)</th>
<th>Total Input Power (Typical milliwatts)</th>
</tr>
</thead>
<tbody>
<tr>
<td>8,000</td>
<td>3,891</td>
<td>11,908</td>
<td>15,799</td>
</tr>
<tr>
<td>4,000</td>
<td>2,502</td>
<td>11,908</td>
<td>14,410</td>
</tr>
<tr>
<td>125</td>
<td>1,105</td>
<td>11,908</td>
<td>13,013</td>
</tr>
<tr>
<td>15,625 (PDN OFF)</td>
<td>956</td>
<td>260</td>
<td>1,216</td>
</tr>
</tbody>
</table>

Table 1. SSC (with PDN) Input Power Load Vs Operating Frequency

SSC’s architecture was compartmentalized to improve EMC characteristics. The SSC **EMC Design** incorporates both box level and module level techniques. Fast rise and fall switching circuits (e.g., advanced CMOS logic, and clock oscillators) are contained in the MAIN SECTION of the SSC computer separated from the Input Power Dog House and I/O SECTION by feed through capacitors. The feed through capacitors also reduce the need for long lead time filtered connectors (external I/O connectors). Each module uses a cover on each side not only for heat conduction but also to conduct/couple module Electromagnetic Interference (EMI) and Electromagnetic Emission (EME) to ground. High frequency effects are mitigated through extensive use of filtering and decoupling. All PCBs are multilayer design containing from two to six (backplane) ground and power planes.

Limited controlled impedance **Backplane Length** mandated the SSC architecture be split between the MAIN SECTION and the I/O SECTION to allow I/O expansion. The fast rise and fall times (2 nanoseconds) of the AC logic mandated the backplane be a controlled impedance design. Maximum length of twelve (12) inches allows up to 16 modules (filter, power supply, and PDN modules not included) on 0.75 inch centers.

The preferred architecture for Mongoose is that instructions reside in a suitably large Instruction Cache (I-Cache) memory array; however, instructions can reside in the M-Bus (Global Bus) memory array. The Mongoose I-Cache and Data (D-Cache) caches do not operate as true caches and are in fact simply fast single cycle execution memory. Architecturally speaking **Mongoose Uses Larger Caches** to eliminate and/or reduce the frequency of downloading new programs for execution. Each of Mongoose’s caches can be as large as 1 MByte. One of the pluses of this arrangement is that multiple Mongoose modules rarely request the services of the M-Bus at the same time. One possible configuration would include Boot PROM, I-Cache SRAM, D-Cache SRAM, and NO M-Bus SRAM.

The Payload Data Network was included in the MAIN SECTION to more easily address EMC issues and provide a closer link to the Mongoose M-Bus for data transfers. The **Payload Data Network** data bandwidth is 480 Mbits/second (320 Mbits/second effective data transfer rate). PDN provides the following functionality and services to the payload:

- Transports a large volume of data between the sensor and the solid state recorder.
- Distributes GPS time to all the boxes on the link to within 100 microseconds accuracy.
- Distributes control information and obtains status from all of the boxes and modules in the payload.
- Provides a standard interface between all boxes on the link.
- Modular design so that a “box” can simply add one or more PDN modules in order to obtain the communication functions required.
- Reduces overall cable count and weight.
- Provides a common control interface for all modules in the system. The control address structure within a box is totally independent of the control address structures within all the other boxes in the system. Design of each box and the modules in the system can progress in parallel.

The Power/Fault Management Bus is employed to turn modules on and off whether needed for **Power Management** or for controlling redundant modules. SSC can reduce its power input to approximately 1.2 watts (see Table 1).

**Fault Management** features are incorporated throughout the SSC design such as:

- Modules are designed with a small amount of control circuitry to interface to the Power/Fault Management Bus allowing modules to be turned on or off as needed.
- Power/Fault Management Bus extends out to the I/O connector (external bus master option).
- Each row of memory is resistor isolated and current limited.
- External discrete reset pulse will reset the system back to the 1.2 watt configuration.

Redundant elements can be integrated for **Multiple Year Missions** with high reliability requirements.

SSC’s **MAIN SECTION** supports core processor elements such as:

- Controlled Impedance Backplane
- Power and Fault Management Bus
- EMI Filter
- Power Supply
- Terminator/Fuse Link
- Spare Slot
- Mongoose
- Utility Module
- EEPROM
- SRAM
- Repeater/Terminator
- Mongoose to Payload Data Network I/F
- Payload Data Network I/F (PTM)
- Debug Module

The Controlled Impedance Backplane is 12 layers thick and has a 73 ohm impedance. The physical design is complex and beyond the scope of this paper. The backplane impedance was simulated with Spice to determine proper AC Termination component values. Table 2 reflects pin assignments.

<table>
<thead>
<tr>
<th>MAIN BACKPLANE SECTION (220 wires)</th>
<th>EMI BARRIER POWER &amp; SIGNALS (86 wires)</th>
</tr>
</thead>
<tbody>
<tr>
<td>Address Bus (32 MBytes)</td>
<td>Address Bus (32 KBytes)</td>
</tr>
<tr>
<td>Data Bus (32 bits)</td>
<td>Data Bus (16 bits)</td>
</tr>
<tr>
<td>Control Signal Bus (15)</td>
<td>Control Signal Bus (3)</td>
</tr>
<tr>
<td>Interrupt Bus (5-int, 8-ext)</td>
<td>Interrupt Bus (8)</td>
</tr>
<tr>
<td>Power Management (10)</td>
<td>Power Management (10)</td>
</tr>
<tr>
<td>Clock Bus (2)</td>
<td>Internal SOH Bus (9)</td>
</tr>
<tr>
<td>Arbitration Bus (1)</td>
<td>Arbitration Bus (1)</td>
</tr>
<tr>
<td>Spares Bus (23, incl 2-clock)</td>
<td>Spares Bus (4)</td>
</tr>
<tr>
<td>Software Devel Discretes (5)</td>
<td>Software Devel Discretes (5)</td>
</tr>
<tr>
<td>Software Devel UARTs (4)</td>
<td>Software Devel UARTs (4)</td>
</tr>
<tr>
<td>Reserved (8)</td>
<td>Reserved (8)</td>
</tr>
<tr>
<td>Non-CPU Reset (1)</td>
<td>Non-CPU Reset (1)</td>
</tr>
<tr>
<td>Reset Entire Box (1)</td>
<td>Reset Entire Box (1)</td>
</tr>
<tr>
<td>Digital +5 Volt (12)</td>
<td>Digital +5 Volt (2)</td>
</tr>
<tr>
<td>Digital Return (43)</td>
<td>Digital Return (4)</td>
</tr>
<tr>
<td>Analog Voltages (6)</td>
<td>Analog Voltages (5)</td>
</tr>
<tr>
<td>Analog Return (4)</td>
<td>Analog Return (1)</td>
</tr>
</tbody>
</table>

Table 2. Backplane to EMI Barrier Assignments

The Power and Fault Management Bus is common to all modules and extends out to the external interface. The bus’s main function is to turn modules on and off. Each module’s interface signal is routed through a small amount of circuitry that is always powered and controls the power to the balance of the module. Commands include On, Off, and Status. Mongoose is a secondary bus master; and, the external interface is the primary bus master. This bus is optional.

Both the EMI Filter Module and the Power Supply are designed for EMI Suppression (best practices MIL-STD-1541). The input voltage is 28 volts with a maximum 60 watt input load. The supply is commandable On/Off from either an external discrete command or internally from Mongoose.

The Terminator/Fuse Link module contains:

- 128 KByte or 64 KByte 8Kx8 Fuse Link
- Each row is resistor isolated and current limited
- Module incorporates Power Management Bus
- 32-bit Backplane AC-Termination

The Spare Slot is a generic interface slot.

The Mongoose Module contains the Instruction Cache (512 KBytes (1 MByte max)) and Data Cache (256 KBytes (1 MByte max)) arrays. Each row is resistor isolated and current limited. Memories have a 45 nanosecond access time and are 32Kx8 1 MRad(Si) hard SRAMs. The memories have a SEU of 1E-10 errors/bit-day. The Mongoose M-Bus interface (besides I & D Cache) handles all uncached accesses. This interface is intended for use with boot PROMs and external devices. Accesses across the external memory bus will be slower than cached accesses because they cause processor stalls. The Mongoose will execute 4-5 times faster from the cache interfaces than it will from the external memory interface. Three pre-decoded chip selects are provided. The Mongoose contains:

- Two 32-bit Timers (one is used for Watchdog)
- One DMA Controller (Cache-Memory, Memory-Cache, Memory-Memory)
- Interrupt Controller (8 interrupts)
- UART#1 (Compatible with 8251A USART, Software Development Only)

To establish a margin for error, the SSC was run at 43 deg C and 4.7 volts up to the failure frequency (due to memory access time limits) of 19.9 MHz.

The Utility Module contains circuitry for:

- UART#2 (Software Development Only)
- A/D (Internal SOH)
- Additional Interrupt Controller (8 - intended for the I/O Section)
- Reset (Selects Slow Operating Frequency)
- Power Management Bus - Secondary Master
- Clock Swapper (Software Selectable On The Fly)

Table 3. Clock Swapper

<table>
<thead>
<tr>
<th>Software Select (on fly)</th>
<th>Select at Assembly (Div by)</th>
<th colspan="4">Oper Freq (KHz)</th>
</tr>
</thead>
<tbody>
<tr>
<td>Fast</td>
<td></td>
<td>10,000</td>
<td>8,000</td>
<td>4,000</td>
<td>2,000</td>
</tr>
<tr>
<td>Medium</td>
<td>32</td>
<td>312.5</td>
<td>250</td>
<td>125</td>
<td>62.5</td>
</tr>
<tr>
<td></td>
<td>64</td>
<td>156.25</td>
<td>125</td>
<td>62.5</td>
<td>31.25</td>
</tr>
<tr>
<td></td>
<td>128</td>
<td>78.125</td>
<td>62.5</td>
<td>31.25</td>
<td>15.625</td>
</tr>
<tr>
<td>Slow</td>
<td>64</td>
<td>156.25</td>
<td>125</td>
<td>62.5</td>
<td>31.25</td>
</tr>
<tr>
<td></td>
<td>128</td>
<td>78.125</td>
<td>62.5</td>
<td>31.25</td>
<td>15.625</td>
</tr>
<tr>
<td></td>
<td>256</td>
<td>39.0625</td>
<td>31.25</td>
<td>15.625</td>
<td>7.8125</td>
</tr>
</tbody>
</table>

The Clock Swapper circuit is responsible for switching between Fast, Medium, and Slow operating speeds (see Table 3) and is controlled by software. Divide by selections (pick 1 of 3 for Medium, and pick 1 of 3 for Slow) are made at time of assembly. Operating speed selection (10 MHz, 8 MHz, 4 MHz, and 2 MHz) is made at time of assembly. Hardware reset will select the Slow Operating Speed.

The EEPROM Module contains:

- 1 MByte of 32Kx8 EEPROM
- Each row is resistor isolated and current limited
- Total Dose Radiation: 14 KRad
- Power Management Bus Circuitry
- Common footprint with commercial devices

The SRAM Module contains:

- 1 MByte of 32Kx8 SRAM
- Each Row Resistor Isolated and Current Limited
- Total Dose Radiation: 1 M Rad
- Power Management Bus Circuitry
- Common footprint with commercial devices

The Repeater/Terminator Module contains:

- 32-bit to 16-bit I/O Bus Extension I/F
- 32-bit Backplane AC-Termination
- Programmable Wait State Generator

The Mongoose to Payload Data Network (PDN) I/F Module (PIM) contains:

- Formats Host Data Into and Out of the Packet Transceiver Module.
- PDN Error Logging
- Power Management Bus

The Packet Transceiver Module contains:

- Payload LAN 480 Mbits/sec Bandwidth
- On/Off Capability

Debug Module is a development tool that makes most of the Backplane signals available to the developer at the easily accessible top of the module.

SSC’s I/O SECTION has two standard I/O modules: the first is the I/O Section Backplane (which also comes in a wire wrap version typically used in early development), and the second is the I/O Section Buffer Terminator Module. The Buffer Terminator Module contains:

- 16-bit I/O Bus Buffering (Limited to 32 KBytes of Memory Mapped I/O)
- 16-bit I/O Bus Terminators
- Software Development UARTs (2) Line Drivers, and Receivers
- Software Development Discrete Outputs (3) and Inputs (2)
- Spare signal lines for critical point-to-point signals that need to cross the EMI Barrier
- Power Management Bus
- SOH Monitor Bus

The I/O Section supports input output interface elements such as:

- Power and Fault Management Bus
- UART Driver/Receivers, Soft Dev Discretes
- Commands (Serial Digital & Discrete Pulses)
- SOH (Telemetry) - Analog (passive/active), Serial Digital, Discretes
- Mission Specific I/O (Up to 32 KBytes)
- Spare Modules

I/O modules interface to the SSC in a variety of ways. Some will need to communicate with Mongoose directly, in which case they will require a minimum of 32 wires to communicate. Some modules will not communicate with Mongoose at all; in which case, the I/O designer will have all 220 pins at his disposal. Some modules will need to communicate only with each other. SSC is designed to accommodate the following I/O possibilities:

Other I/O Section considerations accounted for include:

- Additional Interrupt Controller(s)
- 1,400 Wire Telemetry Capacity
- Smart and Dumb I/O Modules

**Summary**

In January of 1995, Satellite programs at Sandia were in need of a highly reliable, high throughput, radiation hardened 32-bit computer (Sandia looked at systems, modules, processor chip sets, and processor chips) that would tolerate high Total Ionizing Dose radiation, and have minimum down time with very infrequent upsets. A 32-bit R3000 processor chip was selected from a NASA Goddard space program. Selection was based on its 1 MRad Total Dose hardness, its Single Event Upset rate of once every 6.3 years (see * footnote), and its off-the-shelf availability. Sandia’s selection of Rational’s development tool set along with their operating system kernel has proven to be a very positive experience. First flights of these computers will occur in the very near future.