Design and pre-flight testing of the electrical power system for the ESTCube-1 nanosatellite

This work describes the final design and implementation of the electrical power system for ESTCube-1, a 1-unit CubeSat tasked with testing the electrostatic tether concept and associated technologies for the electric solar wind sail in polar low Earth orbit. The mission required an efficient and reliable power system to be designed that could efficiently handle highly variable power requirements and protect the satellite from damage caused by malfunctions in its individual subsystems, while using only commercial-off-the-shelf components. The system was developed from scratch and includes a novel redundant standalone nearly 90% efficient maximum power point tracking system, based on a commercially available integrated circuit, a lithiumion battery based fault-tolerant power storage solution, a highly controllable and monitorable power distribution system, capable of sustaining loads of up to 10 W, and an AVR microcontroller based control solution, heavily utilizing non-volatile ferroelectric random access memories. The electrical power system was finalized in January 2013 and was launched into orbit on 7th of May, 2013. In this paper, we describe the requirements for the subsystem, the design of the subsystem, pre-flight testing, and flight qualification.


ADC
-Analogue-to-digital converter ADCS -Attitude determination and control system ADS -Antenna deployment system BOL -Beginning-of-life CAM -Camera system CDHS -Command and data handling system COM -Communications system COTS -Commercial off the shelf EPS -Electrical power system FRAM -Ferroelectric random access memory ICP -Internal Communications Protocol LEO -Low Earth orbit MCU -Microcontroller unit MPB -Main power bus MPPT -Maximum power point tracking

INTRODUCTION
ESTCube-1 [1] is a 1-unit CubeSat [2] with the volume of roughly 1 liter and the mass of 1.05 kg.The satellite's main mission is a test of technologies required for the Electric Solar Wind Sail concept [3][4][5] that involves unreeling of a thin 10 m long conductive tether [1,6,7] in a circular sun-synchronous midday-midnight polar low Earth orbit (LEO) with the altitude of 660 km, charging it to a high voltage of 500 V, and measuring its interaction with atmospheric plasma.
This article describes the electrical power system (EPS) of the satellite [8,9], how the system was designed and how it was tested.The EPS harvests energy from solar panels, stores it in lithium-ion battery cells, and distributes it to other consumers.Since the mission [1] involves complicated and dynamic power conditions, such as high-power systems that need to be turned on during some mission phases for short durations, the satellite is continuously balancing between powernegative and power-positive modes.As an additional challenge, the satellite is required to spin fast (1 rotation per second) as a part of its mission and that causes complications for efficient solar power harvesting.
The aim of developing the power system was to produce a cost-efficient and reliable system constructible from commercial off the shelf (COTS) components that could successfully operate in the required conditions.The system utilizes stand-alone maximum power point tracking (MPPT) chips that do not require control by a microcontroller, unlike regular MPPT systems used on nanosatellites [10][11][12], without sacrificing efficiency like simpler systems [13] (see [14] for a comparison of different approaches to solar power harvesting), making efficient solar power harvesting very easy to implement.Another important aspect is reliability, therefore several parts of the EPS, such as battery systems, regulators, and MPPT drivers have been made hot redundant.This means that the loss of functionality in those parts does not endanger the mission as long as the duplicates are functioning, making catastrophic failure less likely.Command systems of the satellite have been reinforced by ferroelectric random access memories (FRAM) [15], which have been used on CubeSats before [16], but to our knowledge not to this extent (using FRAM as microcontroller RAM, external storage and statesavers).

REQUIREMENTS FOR THE SUBSYSTEM
The satellite's expected deorbiting time from a 660 km sun-synchronous circular LEO is predicted to be 23 years and its designed operational lifetime 2 years [1].
The satellite is equipped with 12 3G30C 30% efficient triple junction GaAs solar cells from AZUR SPACE Solar Power.The cells were mounted on 1 mm thick aluminium sidepanels, which also offer limited shielding from radiation for the internal components of the satellite, using 3M 1205 polyimide tape as an insulator and Dow Corning 9161 RTV silicone for gluing.Each cell has a beginning-of-life (BOL) maximum power point of about 1.2 W at 2.4 V and 0.5 A under AM-0 (atmosphere 0, referring to lighting conditions just outside Earth's atmosphere) direct illumination and at reference temperatures.This energy has to be harvested, stored, and distributed as efficiently as possible.
Due to the mission specifics, the satellite can rotate fast (up to 1 rotation per second) and is subjected to both illuminated and eclipsed sunlight conditions (eclipsed for approximately 1/3 of the orbit), making both lighting and temperature conditions vary in time.
The EPS has to power all of the other subsystems of the satellite using 3.3, 5, and 12 V voltage lines and has to be able to communicate with other subsystems over the Internal Communication Protocol (ICP) [1,18], a fault-tolerant communication system developed for the project that uses UART transceivers to form a faulttolerant communication network.The way all of the subsystems are connected together is shown in Fig. 1.
The power requirements within the satellite also vary during time and are not correlated with the power production, requiring the use of a battery even in illuminated conditions.The measured power requirements are given in Table 1.The average power output the EPS has to be able to provide must not be smaller than 920 mW.The antenna deployment system needs to be activated only once during the mission (just after deployment), so the maximum theoretical load is slightly over 8 W. The consumption is, however, divided between different voltage levels: CAM, CDHS, and COM microcontroller (plus minor PL consumption) operate on 3.3 V, ADCS and COM power electronics (plus minor PL consumption) operate on 5 V; PL major consumers operate on 12 V; and antenna deployment system and ADCS coils operate on battery voltage level directly.The major data and power connections within the satellite and between the satellite and the groundstation.Power lines and ICP communication lines are shown: GS -groundstation; COM -communications system; CAM -camera system [17]; CDHS -command and data handling system, three separate 3.3 V lines are required to select which redundant module is active [18]; PL -payload [7]; ADCSattitude determination and control system [19,20].In orbit, the satellite is subjected to cosmic radiation that causes both total dose and single event effects [21], which will eventually make the satellite's electronics inoperable.Since the satellite is in a polar orbit, the radiation dose will be higher than that of lower inclination orbits, resulting in a total ionizing dose that would be reaching 10 kRad in 3 years for the case of 1 mm of aluminium shielding used [22]; the actual dose, received by individual components, will be considerably smaller since other parts of the satellite also participate in shielding.The power system must be stable and radiationtolerant enough to power the satellite reliably during its mission and to protect its consumers from damage.
There have been previous studies of such effects in the context of small satellites and CubeSats [23,24] that have shown that COTS components start showing effects of radiation damage at 5 kRad and start to threat the mission at about 10 kRad.The results of these studies had to be taken into account when designing the EPS for ESTCube-1.
In addition to previous, the EPS had to be able to survive the shock and vibrations that occur during the launch and the thermal and vacuum conditions in the orbit.The requirements include operation on temperatures from -10 to 60 °C in vacuum and the ability to endure sinusoidal sweep vibration loads of 22.5 g at 30-200 Hz and 10 g at 200-2000 Hz in every axis (for 15 min), random vibrations with loads up to 18 g at 20-2000 Hz (for 4 min), and mechanical shocks of 1410 g without any damage.The tests performed are described in Chapter 8.

GENERAL DESIGN
The EPS was designed to consist of three separate functional blocks: energy harvesting, energy storage, and power distribution (Fig. 2).All of them are controlled and monitored by the EPS microcontroller and energy is transferred between them on the main power bus (MPB).The voltage on the MPB is unregulated, normally 3.7-4.2V, staying on the same voltage level as the battery cells.This architecture was chosen to minimize the need  for voltage conversion steps for battery charging and discharging, therefore increasing efficiency.This architecture is also popular among other CubeSats with MPPT systems [11,14], because it is very efficient.This configuration also allows battery cells to work as voltage stabilizers, reducing noise on the main power bus and therefore in the whole system.To make the system more dependable, high-reliability components were used where possible, such as TDK CGA automotive (AEC-Q200) grade ceramic capacitors.To avoid single points of failure of power buses, all critical decoupling capacitors were connected in pairs in series.Still, the expected total ionizing radiation dose during the required satellite lifetime for the EPS components allows the use of COTS components [23], but redundant systems were used where possible.
The EPS consists of two printed circuit boards (PCBs, Fig. 3).Both PCBs were produced in Brandner PCB with FR4 prepreg, conforming to PERFAG 3C specifications.One of them contains power electronics (6 layer PCB) and the other one command electronics (4 layer PCB).Battery cells were both glued to the power electronics board and secured with wires.The second EPS PCB has a hole in the middle for the battery pack.For increased mechanical stability, the EPS boards are also connected together on two opposite sides using vertical connectors.

ENERGY HARVESTING SUBSYSTEM
The energy harvesting subsystem of the EPS collects energy from 12 solar cells.Cells are placed pairwise on all of the 6 sides of the satellite.In this configuration only three sides of the satellite can be in direct sunlight at any given time, meaning that only the cells on those sides produce power.Also, the cells on any single side of the satellite are in identical lighting conditions and in virtually identical thermal conditions.
The most effective way of collecting energy from the solar cells is by using maximum power point tracking [14,25].Due to the placement of the solar cells, the satellite needs to track only three power points at any given moment in time and therefore three separate MPPT systems were planned for the EPS.In the final design, SPV1040 maximum power point tracking chips from STMicroelectronics were used.These chips were originally meant for battery charging and regulate their output voltage in order to match the effective input resistance of consumers with the optimal consumer resistance, corresponding to the maximum power point of the solar cells, making them ideal for the chosen power topology.The chips only work in boost mode, meaning that the solar cells had to be placed in parallel, which in turn creates relatively large currents and low voltages, making voltage drops on components an issue.To get around this problem, an ideal diode system was used, consisting of MOSFETs driven by LTC4352 ideal diode controllers from Linear Technology.The design of the system is shown in Fig. 4.While maximum power point tracking has been used on nanosatellites before [10][11][12], the systems tend to be complex and require development of customized MPPT software that has to be run on a microcontroller.This has often lead to sacrificing MPPT systems and thereby power harvesting efficiency in order to reduce the complexity of power systems [13].Using an integrated MPPT solution, such as the one described, simplifies design of MPPT systems and would theoretically even allow integration of MPPT's into solar arrays themselves.
The MPPT system described has been implemented in the ESTCube-1 flight model hardware, consisting of three SPV1040 chips, connected to the solar cells on the opposite sides of the satellite through ideal diodes.The efficiency of this system was measured by first determining the maximum power point of a 3G30C solar cell, illuminated by a high-pressure Xenon arc discharge lamp (using measurements of the current-voltage curve directly), and then by measuring the power output of the MPPT tracking circuits to the MPB.The tests showed that the actual efficiency of the whole energy harvesting subsystem (the energy inserted to the MPB) is approximately 87% from the actual maximum power point of the solar panels in stationary conditions.An additional advantage of this system is that the tracking is done internally in the chips, both freeing up computational resources, and also providing efficient energy production when the microcontrollers are offline (this component could also theoretically be used to design a processor-free MPPT-based EPS).
It was evident that the system allows to produce enough power in BOL conditions for the satellite to be power-positive according to Table 1, because even when taking into account MPPT, power conversion and storage losses in the worst-case configuration (one solar panel constantly facing the sun), the system can support over 1.1 W of average power consumption during one orbit, which is higher than the satellite's average power consumption.

ENERGY STORAGE SUBSYSTEM
For energy storage, P-CGR 18650C cylindrical lithiumion battery cells were used with nominal capacity of 2200 mAh.
To protect both the battery cells and the EPS itself from damage due to malfunctions, both cells are equipped with independent battery protection circuits (Fig. 5), which allow to protect the cells from overvoltage, overcurrent, and too deep discharge.The system was implemented through antiparallel TPS2557 power switches that allow power to be turned off separately for both battery charging and discharging directions and provide The battery protection circuit for a single battery cell (both cells have identical copies of the system).The main power bus is connected to the battery cell through a circuit, consisting of power switches and diodes.Enabling the charge switch enables battery charging, enabling the discharge switch enables discharging.The outputs of the switches are connected together in order to utilize the reverse conduction of the switches in ON state to minimize voltage drop.Arrows with dotted, dashed and dash-dotted lines show the paths of current, when only the charge switch is enabled, only discharge switch is enabled, or when both switches are enabled, respectively.Discharge switch is permanently disabled as long as satellite killswitches are depressed (i.e.before launch).Both of the switches will automatically turn off in overcurrent conditions.Both charging and discharging currents, alongside with the battery cell voltage, are monitored in the current and voltage measurement block.auto-resetting overcurrent protection for both sides separately.Due to the internal driven MOSFET circuits, efficiency losses on the battery protection circuitry are low (voltage drop of the whole system less than 20 mV in normal operating conditions when both charge and discharge directions are enabled).As an extra layer of protection, the temperature of both battery cells is constantly monitored.In case of battery temperature exceeding 60 °C, charging will be turned off (battery temperatures were expected to stay between 2 and 27 °C according to temperature modelling).

POWER DISTRIBUTION SUBSYSTEM
The power distribution subsystem uses the energy, harvested from the solar cells and stored in the battery cells, to power all of the subsystems.To do this, switching regulators and control circuits were used.For powering the other subsystems per requirements, it was decided to create 3 voltage buses within the EPS: 3.3, 5, and 12 V.Both 3.3 and 5 V lines use LTC3440 buck-boost regulators (running at 300 kHz switching frequency) from Linear Technology for power conditioning.The 12 V regulator uses LM2700 boost regulators (running at 600 kHz switching frequency) from National Semiconductor.As all of these operate on high frequencies, it is possible to use small power inductors.The frequency was chosen in this range in order to minimize electromagnetic interference coming from the regulators.Also, only electromagnetically shielded power inductors were used within the system.
Each power regulator was connected in parallel with a duplicate, while their outputs were summed using diodes (Fig. 6).By moving the voltage feedback point of the regulators to the other side of the regulators, both of them can be turned on at the same time, sharing the load and being hot redundant.
All consumers are connected to respective regulated voltage lines using either TPS2551 or TPS2557 power switches, depending on the rated current consumption.These provide resistor-selectable overcurrent protection with auto-reset functionality.The same switches are also used to connect regulators to the MPB.The current is also constantly monitored by the central microcontroller of the EPS and all switches can be turned off if needed.This gives a two-layer system for protecting consumers against short circuits and single-event latch-ups.Since all consumers are powered using separate power lines (Fig. 1), it is possible to switch systems off with a high granularity, making it possible to both save power and to turn off some systems without disturbing other systems.
The current limits for the power systems were designed so that, firstly, all of the switches immediately before consumers can provide more power to their consumer lines than the requirements state.Secondly, the power conversion block allows to produce more power than the maximum of all of the consumers on that line could consume before tripping their respective current limiting switches (in case of 5 V regulators, this requires both regulators to be active, in the case of 3.3 V regulators, both regulators can meet the specifications separately).The 12 V line lacks the current limiting switch before the consumer, but both regulators can produce enough power separately to power the PL peak load.Therefore, there are no conditions during normal operations, in case of which the converter block would not be able to supply enough peak power.Also, the battery system can output enough power to supply all of the peak currents simultaneously (12.2 W maximum with both batteries active in worst-case conditions).All in all, the system is designed to be able to handle the peak consumption of all of the consumers simultaneously when all of the redundant modules are operational.

TELEMETRY AND CONTROL
In order to analyse the performance of the EPS and to control its operation, all major voltages and currents can be measured all together at 44 analog voltage measurement points.All of the measurement systems, comprising of the whole measurement circuit on the PCB and the ADCs (MAX1230BEEG, ATMega1280 internal ADCs, and MAX1119 ADCs), have been calibrated insystem using an Agilent 3458A benchtop multimeter.The processing is done on an ATMega1280 AVR microprocessor from Atmel.The processor has been tested for space conditions previously [23] and was considered to be suitable for the requirements of this mission (total ionizing dose received would be less than 6 kRad [22]).To harden the system against radiation effects and to provide long-term storage possibility both for firmwares and for telemetry, the processor has been augmented with parallel (256 kbit FM18W08 from Ramtron) and SPI (two 2 Mbit FM25V20 chips from Ramtron) ferroelectric random access memories.This memory technology has been proven to be very radiation tolerant [15].The FRAM has currently three main usages: storing state variables in a non-volatile form (using Atmega1280's external memory interface, allowing fast and easily usable access), ensuring correct satellite operation even if the microcontroller resets, and storing firmware images.Another use of FRAM is Ramtron FM1105 statesaver chips, which are placed on the enable pins of all power switches within the system, allowing to store states even when power is lost.The same chips also provide better noise immunity for the switches.To avoid permanent freezing up of the processor, either due to a programming error or a radiation effect, an external electronic watchdog chip is used to reset the processor if not responsive.
The processor and adjacent ADCs are powered from an independent power bus (secondary power bus, or SPB), backed by a capacitor array with over 1 mF of capacitance.The capacitors are charged from the main power bus using switching regulators and this provides the EPS MCU time to react in case of a power failure (approximately 80 ms of extra time).For example, this would help the EPS to shut off a faulty consumer and recover the satellite, even if MPB power is lost for some time.
The processor is equipped with a bootloader that can upgrade the processor's firmware from the attached SPI serial FRAM module.The processor itself holds both the bootloader and firmware in a 128 kB flash memory.There are 4 firmware slots in total in the SPI FRAM module, each 64 kB in size.The memory is divided into areas, equal to the size of flash pages of the microcontroller.Each page can be sent separately and is checked against a checksum on delivery.This allows to send the image in pieces and re-send corrupted parts easily without the need to resend the correct pages.To detect if any of the pages gets malformed during delivery, it is possible to ask a bitmask that shows the missing pieces.After all of the pages have arrived successfully, the total checksum is calculated and verified.Flashing of the firmware is allowed in the bootloader only if the overall checksum is correct.An additional layer of protection is added by applying a non-volatile reset counter.If the processor resets repeatedly, it is considered an indication of firmware corruption and the bootloader automatically rolls back the image to previous version.This process can continue until it reaches a fail-safe image that has been proven to work on the Earth prior to launch and that will not be updateable in orbit.
EPS communicates with other subsystems using UART transceivers that connect it to the COM and the CDHS (Fig. 1).An Internal Communications Protocol [18] was developed to send the data packets between subsystems.It implements checksums and routing to correct endpoint, allowing connections through different physical links.In case of a hardware malfunction, a communication link can be disabled in the ICP routing table, allowing continuation of normal operation.The same communication protocol works transparently over the communication link from the groundstation to the recipient subsystem, allowing direct communication (Fig. 1).The firmware update works over the same link allowing to upload firmware whenever there is a possibility to send commands to the satellite.
The EPS also directly controls the satellite's radio beacon.In normal operation mode the messages are generated by the CDHS and sent using ICP commands to the EPS.When the CDHS is offline in the very beginning of the mission or in case of a major failure, the EPS generates the beacon messages itself.
Since the EPS is responsible for power distribution, it also handled the satellite's activation and timing requirements, as required by the CubeSat standard [2], when aboard the launch vehicle and also controlled the satellite when being serviced before the launch.A set of remove before flight pins were used to control the exact behaviour, such as which subsystems are enabled.During the pre-launch operations the satellite was powered and communicated with using access port that could be used to directly communicate with the EPS, the CDHS, and the COM.Prior to the deployment into orbit, the satellite was powered down using a two-level protection system.Firstly, the battery discharging was disabled by disabling discharge enable signals using MOSFETs that were connected to the satellite's killswitches.Secondly, the FRAM statesavers on the pins enabling battery discharge in the battery protection circuit were turned off.The satellite turns on if the solar panels receive enough light to power the satellite and then it turns on the statesavers that control the battery discharge.The statesavers in the battery protection circuits can also be used to make a hard reset of the satellite by disabling discharging while the satellite is eclipsed.The satellite can then power itself again when exiting from the Earth's shade and the EPS microcontroller will then automatically re-enable battery discharge, allowing normal satellite operations to continue.Battery discharging was also disabled using the statesavers for safety during pre-launch operations.

TESTING
Samples of all of the major components were stresstested before integration into the EPS module.The battery test [26] included charge cycling, thermal cycling, and vacuum tests.The combined capacity of two battery cells was measured to be between 9 and 14 Wh at temperatures of -15 °C and 20 °C, respectively [26].
The voltage regulators, providing the power to the regulated voltage lines, were also tested for efficiency and the results in the normal configuration, where both of the redundant regulators are turned on at the same time, are presented in Table 2.
The testing of the full EPS module followed the protoflight approach, i.e. the same physical module that was tested in order to qualify for the launch was launched into orbit aboard ESTCube-1.An engineering model was also made for functional tests and to make software development independent from the testing schedule of the protoflight model.These tests included sinusoidal vibrations tests, mechanical shock tests, thermal cycle tests, and thermal vacuum tests.The final tests were conducted with the EPS, mounted into the full flight model of the ESTCube-1 satellite.
In vibration tests, the system managed to endure sinusoidal sweep loads of 22.5 g at 30-200 Hz and 10 g at 200-2000 Hz in every axis (15 min) without any damage.Also random vibration tests with loads up to 18 g at 20-2000 Hz (4 min) were conducted.In shock tests the satellite was subjected to mechanical shock of 1410 g.The tests showed that EPS is mechanically stable and able to survive the launch onboard the Vega rocket.
In thermal cycle tests the satellite was cycled from -10 to 60 °C and was kept at the extremes for two hours.This test was repeated.EPS module was functional for the whole time and collected telemetry data without any problems; therefore, it was concluded that the EPS can survive the thermal conditions in orbit, which has also been proven by the actual satellite operations.

CONCLUSIONS
In this work the requirements for and the final design of the electrical power system for the ESTCube-1 nanosatellite were reported alongside with testing results.
The system was built from commercial-off-the-shelf components and uses several new approaches, such as a novel application of maximum power point tracking ICs, extensive usage of FRAM memories and statesavers with an AVR microcontroller, and use of hot-redundant power supply systems.All of these could help the designers of future small spacecraft power systems by providing both simple-to-implement, cost-efficient, and reliable systems.The EPS was designed to match its requirements from both power production and reliability standpoints.The power harvesting system was tested to be 87% efficient, all of the converters were more than 83% efficient in normal conditions and over 75% efficient in peak load conditions.The system also survived the thermal cycling and thermal vacuum tests, vibration and shock tests, qualifying for flight.
ESTCube-1 was launched into orbit on 7th of May 2013 onboard the Vega rocket and has successfully started its operation.The exact performance in orbit remains to be seen from telemetry and will be published in the future.efektiivne ja tõrkekindel toitesüsteem, mis suudaks satelliidi kõikuvate energiavajadustega toime tulla ning satelliiti üksikutes alamsüsteemides toimuvate rikete eest kaitsta.
Fig.1.The major data and power connections within the satellite and between the satellite and the groundstation.Power lines and ICP communication lines are shown: GS -groundstation; COM -communications system; CAM -camera system[17]; CDHS -command and data handling system, three separate 3.3 V lines are required to select which redundant module is active[18]; PL -payload[7]; ADCSattitude determination and control system[19,20].

Fig. 2 .
Fig.2.The schematic representation of the electrical power system.Arrows denote the flow of energy.

Fig. 4 .
Fig.4.Schematic of the maximum power point tracking system for two opposite sides of the satellite[9].
Fig.5.The battery protection circuit for a single battery cell (both cells have identical copies of the system).The main power bus is connected to the battery cell through a circuit, consisting of power switches and diodes.Enabling the charge switch enables battery charging, enabling the discharge switch enables discharging.The outputs of the switches are connected together in order to utilize the reverse conduction of the switches in ON state to minimize voltage drop.Arrows with dotted, dashed and dash-dotted lines show the paths of current, when only the charge switch is enabled, only discharge switch is enabled, or when both switches are enabled, respectively.Discharge switch is permanently disabled as long as satellite killswitches are depressed (i.e.before launch).Both of the switches will automatically turn off in overcurrent conditions.Both charging and discharging currents, alongside with the battery cell voltage, are monitored in the current and voltage measurement block.

Fig. 6 .
Fig.6.General regulator topology.Each voltage line (either 3.3, 5, or 12 V) is supplied by two hot-redundant switching regulators, outputs of which are summed using diodes.All of the consumers are connected to the voltage lines through switches and current measurement systems.The only exception to this is the 12 V line, in case of which the current limiting switch after the regulated voltage bus is omitted, as PL is the only consumer.

Table 1 .
The measured power requirements of satellite's subsystems.Subsystems denoted by * are only used in specific mission phases and therefore do not affect mission average power consumption considerably

Table 2 .
The measured efficiencies of regulator systems (when both regulators are enabled)