MICROSATELLITE POWER CONTROL AND DISTRIBUTION UNIT FOR THE INNOSAT PLATFORM

The Power Control and Distribution Unit (PCDU) described in this paper is a custom design for the InnoSat satellite platform. Particular attention is given to the architecture, design techniques and general failure mitigation approach that has been adopted to meet the low cost constraints of the platform while maintaining reliability for its entire mission lifetime. A point of importance is the scalability of the design in order to meet different payload power demands from mission to mission while minimizing NRE work. The very important areas of component selection, testing and qualification are also described. In order to quantify some of the topics discussed, the description is mostly focused on the PCDU of the first InnoSat based satellite named MATS and which is expected for launch at 2018.


INTRODUCTION
InnoSat is a micro-satellite platform (40 -100 kg) that targets scientific and earth observation missions [1]. The platform in its low power configuration, on which the first satellite MATS is based, has an average power consumption of 80W (in its high power mode can this can reach up to 180W). Therefore two of the design requirements have been scalability and modularity so that changes in power requirements can be easily absorbed by the design with minimal NRE effort. Another constraint coming from the system has been the cost which has had a large impact on the component selection. However, the plan for commercializing the platform places a strong requirement for reliability and being able to support mission lifetimes up to 5 years is the platform baseline. Therefore producing a PCDU that provides the best trade-off between reliability and cost was necessary.

PCDU ARCHITECTURE
The MATS satellite architecture is based on a 28V main power bus while it provides isolation towards the lowpower 5V bus used primarily by the data handling system. An 8s5p LiPo battery configuration is used for energy storage and a 19s9p solar panel for energy generation. The PCDU has been split in three separate units which are placed in a stack as shown in figure 1. The bottom unit is the battery management unit which handles the input power from the solar panel, performs battery charge regulation and under voltage detection on the 28V bus. The middle unit is the power management unit which receives the 28V battery regulated bus and through a number of latching current limiters performs power distribution to all the 28V consumers of the satellite. An isolated DC-DC converter generates the 5V low-voltage bus. The third unit on top is the control unit. Its core functionality of this unit is to receive the 5V power and distribute it through latching current limiters to the 5V consumers on the satellite. This unit also constitutes the brain of the MPDU since it contains the FPGA logic that collects housekeeping from all three units and controls all latching current limiters. The above functionality partitioning enables a flexible design since, within the InnoSat platform concept, it allows quick adaptation to requirements that can differ from mission to mission.

Component Selection
In order to keep the cost low while maintaining a highenough reliability, a mix of Commercial-Of-The-Shelf (COTS) and space-qualified components have been used in the design. When selecting the COTS components, parts for which radiation test results are available has been used where possible. Parts which have previously been used successfully in actual flight missions have also been selected. In cases where no such data has been available, other factors have been taken into account such as similarity to components with known radiation performance, e.g. if it is produced with the same process at the same fab. Regarding general reliability, automotive parts have been preferred throughout the selection. Derating according to ECSS is also applied. For critical parts where single-event failure modes exist which may be mission critical, such as the switch MOSFET in the flyback converter, space qualified parts have been used as no other form of mitigation has been identified. For some passive components, specifically tantalum capacitors and power inductors, military or space grade components have been used to ensure reliable functionality in the space environment.
Single Event Effects (SEE) are mitigated throughout the design with a number of different approaches: x Internal supply voltages are current limited with automatic restart x Digital signals are filtered to mitigate transients x Discrete bipolar design used for many functions rather than integrated circuits. x Triple-Voting is used on critical external signals such as separation detection.
x Triple-Modular-Redundancy (TMR) is used in the FPGA.
Overall, the component selection has been done as a trade-off where cost, reliability and power consumption has been taken account. The resulting approach maintains a higher level of reliability than a pure COTS solution, while the price and power consumption is kept significantly lower compared to a fully qualified solution. The resulting quality level is also well matched with the relatively short life-time requirements of the mission.

BATTERY MANAGEMENT
The battery charging is done through Direct Energy Transfer (DET), where the solar panels are connected directly to the battery through diodes. The solar panel strings are arranged into three groups, each group being connected through a separate diode. The system bus is unregulated and no battery discharge regulator is used.
The battery charge regulation is performed using Sequential Switching Shunt Regulation (S 3 R) [2] with one shunt section per solar array string group. A maximum of one group is switching at any given time, with the other two groups being either fully shunted or fully on, depending on the battery voltage. The battery charge current is limited by a separate charge current regulator with linear shunts. The linear shunt MOSFETs are chassis mounted in order to provide low thermal resistance and maintain an acceptable temperature during shunting. With the specific configuration of battery and solar arrays that is used in the InnoSat platform, the linear current shunt will only operate in very specific cases (and for a limited period of time) where the battery voltage is low (so that no switching shunts are activated) and the satellite is in safe mode so that the bus current is low.
The battery is protected from deep discharge by an Under Voltage Lock Out (UVLO) switch which will turn off all parts of the system except the battery charging if the bus voltage reaches a critically low level. This switch is also used to keep the system powered down until the separation detection indicates that the satellite has separated from the launcher. The same   (2017 ) switch is also controlled by a hardware pulse command decoding circuit so that a full system reset can be performed through a pulse command. The pulse command decoding is edge triggered and requires both a rising and falling edge to trigger. It also uses timer circuits to only trigger on pulses with lengths within a specific interval. Together, these functions protect the system reset function from both transient and permanent errors on the pulse command inputs.

Scalability
As the Battery Management module is located in its own separate mechanical housing, and the interfaces are separated so that it can operate independently, the power capability of the platform can easily be extended by adding a second module providing the required interfaces and shunt sections for additional solar panel strings. The limiting factor for this scalability is mainly the current rating of the connectors and other upstream components such as the system UVLO switch. This modularity also enables the possibility to change from a DET system with an unregulated bus to a system which uses for instance Maximum Power Point Tracking (MPPT) or which has a regulated bus, without modifying any other modules in the unit.

POWER DISTRIBUTION
The PCDU handles power distribution for both the 28V and 5V power channels. Generation of 5V takes place at the power management unit while the distribution of it happens at the control unit.

DC/DC Conversion
The DC/DC converter is a 25W flyback type operating in always-on mode. It provides a 5V main output as well as a few auxiliary output voltages. The design is made with special attention to protection against singleevent upset conditions. The converter has fault sensing which will detect: x primary side controller errors x output overload conditions or S/C x output overvoltage conditions A detected error condition triggers a complete shutoff of the converter and a timer circuit is then used for automatic restart after 2 seconds. Components that are vital for the system performance have been selected for high reliability; e.g. the main MOSFET switch in the flyback circuit is a spacequalified type, and a military-grade two-channel optocoupler with known good radiation tolerance is used for isolation of the control loop and error signals from the secondary side.

Distribution channels
All 28V or 5V power outputs have latching current limiter protection and they are designed using discrete semiconductors and passive components. Following a discrete design approach not only provides improved reliability but makes the design more analysable. The current limit and trip time for each LCL is selected by choosing the values of particular programming resistors at the time of board assembly.
There are three types of distribution circuitry. Class A type LCLs are by default in the ON state after power-up and they recover automatically after a latch condition with a delay of 5 seconds. Such LCLs are used for systems that need to be continuously ON such as the data handling and the receiver section of the radio. Class B LCLs are by default in the OFF state and they require a command in order to turn ON. When tripped, they remain in the LATCHED state until they are reset explicitly with a command. The third type is a current limited switch which is used for release mechanism deployment of QWKNUT type. For release mechanisms the Arm and Fire strategy is adopted. A main arm switch is followed by current limited switches and that prevents from an accidental deployment.
Each LCL has ON/OFF control and trip status signals that connect to the Control Unit. The status of these signals is treated as telemetry and allows knowing the state of each LCL.
In addition, each LCL has a measurement amplifier to monitor the output current. Multi-channel ADCs are used to provide readout of the output current values from all LCLs through the SPI bus. The purpose of these measurements are to allow detecting anomalies that result in increased power consumption but are low enough to not trip the LCL.

Design Scalability
Adding more LCLs in the present design does not require a complete redesign of the PCDU thanks to the modularity of the design. The serial control interface, described later, allows for a different number of LCLs without any hardware changes in the OBC interface.

MAGNETORQUER CONTROL
For the MATS mission, the satellite platform is equipped with three magnetorquers for attitude control. A digitally controlled three-channel bipolar current drive circuit is implemented on the Power Unit for this purpose.

Current drive principle
Each of the three channels consists of a voltage- 18007 (2017 ) controlled precision DC current generator, in series with an H-bridge circuit for polarity selection.
A 12-bit DAC is used to generate the control voltage for the current generator. The digital control signals needed for complete control of all three axes can be summarized as: x SPI-bus communication for setting the individual DC current values x On/off control (one per channel) x Polarity control (one per channel) The on/off function and current control form a redundant means of disabling the current drive in case of a single fault condition in a drive channel.

PCDU HOUSEKEEPING AND CONTROL
The top unit of the PCDU stack, the control unit, is responsible for collecting all housekeeping and controlling the LCLs. Therefore usage of FPGA logic on the control unit allows the satellite OBC to interface directly the PCDU through a point to point RS485 interface. This approach has the following advantages: x No matter what number of LCLs or amount of housekeeping, the interface of the PCDU towards the system remains simple. This simplifies harnessing significantly and reduces cost. The approach also relaxes the OBC requirements regarding input/output interfaces.
x Using a balanced point to point interface towards the OBC prevents troublesome ground loops since the FPGA operates on the 28V ground domain while the OBC is on the 5V ground domain. This also demonstrates the cost reduction contribution of this solution since in a different case isolation would be necessary for every input/output interface from the OBC towards the PCDU.
x The FPGA logic gives the capability to the PCDU to very precisely and deterministically control the duty cycle of the magnetorquers. Due to the point to point interface and the entirely hardware based FPGA logic (no soft processor used) the PCDU has the capability to duty cycle the magnetorquers even down to a duration of 1ms. That relaxes the OBC which just passes the duration information to the PCDU and lets it handle the ON/OFF-timing of the magnetorquers.
The RS485 interface towards the OBC is UART based and thus asynchronous. This feature relaxes the OBC design since UARTs are widely used and commonly found in on-board computers. This also simplifies testing of the PCDU since the unit now can be directly connected through a low cost USB-to-RS485 converter to a standard PC. In figure 4 is shown a snapshot of the test software application tool that has been developed for this purpose. This tool in combination with a USBto-RS485 converter can replace an OBC in unit level tests by controlling the PCDU and visualizing received telemetry. This not only assists unit testing and verification but only contributes to cost reduction since the engineer who runs the tests can interpret and log data directly thus saving a lot of time. The same tool is also planned to be used during the qualification process of the FM unit.

TESTING AND RESULTS
The engineering model of the PCDU has passed all electrical tests and is delivered for system integration with the rest of the spacecraft subsystems. To ease the integration process and make the EPS subsystem transparent to the AIT personnel, a power electrical ground support equipment (EGSE) had to be built to perform the following: x Allow the user to easily switch between different power modes without any need to mount/dismount connectors or prepare any harnesses.
x Allow the user to have control of the mating/separation process. x Allow complete power OFF of the S/C through a single key switch which can bring the S/C in a known safe state in which it can stay during long periods of inoperability. x The design shall support not only the power requirements of the MATS mission but also the high-power configuration of the platform. This enables using the same power EGSE equipment for all missions based on the InnoSat platform.
The power EGSE allows the user to choose between three power modes through a rotary selector switch. Those power modes are: x External Power Mode. In this mode the S/C is powered externally from a power supply. During the long phase of AIT, this mode is preferred since it reduces the usage of the battery and as a result extends its life. The battery is disconnected and the Solar Array Simulator or the Solar Panel is inhibited (shunted). x SAS Power Mode. In this mode the battery and the Solar Array Simulator are connected thus having an orbit like set-up.
x External Battery Charge Mode. In this mode the power EGSE mates the spacecraft and charges the battery from an external power supply.
For the design of the power EGSE, apart from the main functional requirements, some critical usability and reliability requirements have been also taken into account: x The user interface/panel shall be designed such that there is no possible action or sequence of actions from the user that can lead to S/C failure or even put it to a risk. Isolating the EPS subsystem reduces the risk for accidents.
x There shall be no single failure in the EGSE that can lead to S/C failure. There is no need for a single point failure free EGSE as long as it does not propagate the failure to the S/C. x For every potential failure there shall be an indication or a combination of indications that will inform the user to take actions about it.

EGSE Implementation
To realize the power EGSE in a cost effective way, an external dual channel power supply has been chosen. One power supply channel is used for the external power mode and therefore its output is overcurrent and overvoltage protected. The second channel used to charge the battery is current limited and overvoltage protected. By using the external power supply with all necessary built in protections and given that an external Solar Array Simulator (SAS) is available, the main functionality of the built power EGSE is to handle the power routing and implement the user interface. A brief block diagram of the power EGSE is shown in figure 5.
A voltage sense distribution in the EGSE allows the Solar Array Simulator and both power supply channels to sense accurately the battery bus voltage in the PCDU. For the power supply this is critical in order to compensate for the long harness to the umbilical. The SAS on the other hand uses the voltage sense only for protection purposes (e.g. overvoltage). The sense distribution is implemented as three separate voltage followers thus providing high impedance towards the battery bus. Power switching between the power supply channels takes place through high power industrial relays which are controlled from the EGSE logic and the user mode selection switch. Power from the Solar Array Simulator is applied only during the SAS Power Mode. The PCDU has two interfaces; the SA power from which it receives power and the SA safe which can be used to shunt externally the power from the SA power interface. Power relay logic ensures that SAS power is applied only when is needed. Another important functionality of the EGSE is the inserted delays between user actions. On-delay timers ensure that we avoid race conditions and that power is applied safely after 3 seconds. The battery arm interface is a critical one since it connects the battery electrically to the system. The battery has its own physical interface. Since InnoSat is based on a battery regulated bus, it is very critical to control reliably the battery connection. The only power mode in which the battery is not needed is the external power mode. At this mode the battery is disconnected and the S/C is powered entirely from an external power supply. Also when the user turns the EGSE OFF through the key switch, the EGSE ensures that nothing in the S/C is powered by disconnecting the battery and the rest of the power interfaces.

Figure 6. EGSE Front Panel
The EGSE has been already tested and integrated in the avionics test bench. In figure 6 is shown the external power supply and the user front panel. On-going work now is to assemble that in movable rack installation so that it is more compact and easy to move. The power supply has been selected and the EGSE designed already having the rack installation in mind from the start. In figure 7 the PCDU is installed in the avionics test bench.

CONCLUSIONS AND FUTURE WORK
A low cost PCDU, meeting the reliability requirements of a small satellite platform has been developed. Through the use of both COTS and space grade components, together with design mitigation of failure cases, good performance and reliability is achieved while keeping the cost low. The modular design and the use of a serial control interface allows for the system to be easily extended. An external software test tool and a power EGSE have been built that ease integration and aim to support the platform in its entire lifetime.
The next step in the development is the manufacturing of the qualification model and the qualification testing will follow. An extensive qualification/environmental campaign is foreseen according to the flow in figure 8. 18007 (2017 ) A potential future upgrade of this unit is a higher power configuration, which can be performed with minimal changes to most parts of the unit thanks to the modularity of the design. To change the battery charging principle from DET to MPPT is another possible future addition.