Feature Article:

DOI. No. 10.1109/MAES.2016.150162

Firmware Updating Systems for Nanosatellites Indrek Sünter, Andris Slavinskis, Urmas Kvell, Tartu Observatory & University of Tartu, Estonia and SIA Robotiem, Rïga, Latvia Andres Vahter, Tallinn University of Technology, Tallinn, Estonia Henri Kuuste, Mart Noorma, Tartu Observatory & University of Tartu, Estonia Johan Kutt, Riho Vendt, Tartu Observatory, Estonia and SIA Robotiem, Rïga, Latvia Karl Tarbe, Mihkel Pajusalu, Mihkel Veske, Taavi Ilves, University of Tartu, Tartu, Estonia

ACRONYMS List of acronyms and abbreviations used in this article: CAM – Camera system CDHS – Command and data handling system COM – Communication system CRC – Cyclic redundancy check EEPROM – Electrically erasable programmable read-only memory EPS – Electrical power system ESEO – European student Earth orbiter FRAM – Ferroelectric random access memory I2C – Interintegrated circuit ICP – Internal communications protocol MCU – Microcontroller unit OBC – On-board computer

Authors’ current addresses: I Sünter, A. Slavinskis, H. Kuuste, J. Kütt, R. Vendt, U. Kvell, Department of Space Technology, Tartu Observatory, Observatooriumi 1, 61602 Tõravere, Tartumaa, Estonia; A Vahter, Tallinn University of Technology, Ehitajate tee 5, 19086, Tallinn, Estonia; K. Tarbe, Kullerkupu 11 - 45, Tallinn 10613, Estonia; M. Pajusalu, 77 Massachusetts Avenue, Building 54-1726, Cambridge, MA 02139-4307; M. Veske, Intelligent Materials and Systems Lab, Institute of Technology, University of Tartu, Nooruse 1, 50411 Tartu, Estonia; T. Ilves, Puusepa 19, Tartu, Estonia; M. Noorma, University of Tartu, Ülikooli 18, 50090 Tartu, Estonia. Corresponding author is I. Sunter, E-mail: (fi[email protected]). This research was supported by the European Regional Development Fund and the Investment and Development Agency of Latvia via the Latvian Electronic and Optical Equipment Competence Centre in Production Sector (Agreement nLKC-11-0006) project number 2.9 Manuscript received July 30, 2015; ready for publication December 14, 2015. Refereeing of this contribution was handled by H. Liu. 0885/8985/16/$26.00 © 2016 IEEE 36

PC – Personal computer SPI – Serial peripheral interface SRAM – Static random access memory

INTRODUCTION During the course of a space mission unexpected events can occur regardless of rigorous testing. In order to ensure the ability of a spacecraft to recover and adapt to new situations, it may be necesVDU\WRXSGDWHWKH¿UPZDUHIRUUHVROYLQJWKHVRIWZDUHLVVXHVZRUN around hardware problems, or introduce new features. The imporWDQFHRIUHPRWH¿UPZDUHXSGDWHVDVZHOODVDPHWKRGWRFDOFXODWH DQLQGLFDWLYHYDOXHRIÀH[LELOLW\LQVSDFHPLVVLRQVLVVXPPDUL]HG by R. Nilchiani [1]. )RU H[DPSOH UHPRWH ¿UPZDUH XSGDWHV DUH FRPPRQO\ XVHG for small satellites [2] and Mars rovers [3]. However, often on QDQRVDWHOOLWHVWKH¿UPZDUHXSGDWLQJRSWLRQVKDYHQRWEHHQLPSOHPHQWHG6XSSRUWIRULQRUELW¿UPZDUHXSGDWHVKDVEHHQUHSRUWHG IRUVRPHQDQRVDWHOOLWHVEXWUDUHO\LVWKH¿UPZDUHXSGDWLQJV\VWHP described in detail. Support for in-orbit software updates has been reported for PlanetLabs Dove nanosatellite constellation [4]. However, the used method has not been published. AISSat-1, AAUSAT-3, and AAUSAT-4 support in-orbit software updates for the on-board auWRPDWLFLGHQWL¿FDWLRQV\VWHP$,6 UHFHLYHU>@>@6XSSRUWIRU LQRUELW ¿UPZDUH XSGDWHV RQ RWKHU VXEV\VWHPV LV QRW PHQWLRQHG It has been reported that the command and data handling system &'+6  RI ,RQRVSKHULF 2EVHUYDWLRQ 1DQRVDWHOOLWH )RUPDWLRQ ,21) VXSSRUWVLQRUELW¿UPZDUHXSGDWHV>@8SWRQRZRQO\ the solutions for on-board storage and error correction have been EULHÀ\ GHVFULEHG 7KH /LQX[EDVHG FRPPDQG DQG GDWD KDQGOLQJ & '+  V\VWHP RI 3RO\6DW &3 LQWHOOLJHQW SD\ORDG H[SHULPHQW ,3(; LVUHSRUWHGWRVXSSRUWUHPRWHVRIWZDUHXSGDWHV>@6ROXtions for on-board storage and error recovery are described. SupSRUW IRU LQRUELW ¿UPZDUH XSGDWHV RQ RWKHU VXEV\VWHPV KDYH QRW EHHQUHSRUWHG6XSSRUWIRUG\QDPLFLQRUELW¿UPZDUHXSGDWHVKDV EHHQUHSRUWHGIRU675D1'RQERDUGFRPSXWHU2%& >@)LUPware image preparation, transfer protocol, and on-board storage VROXWLRQVDUHEULHÀ\GHVFULEHG:LWKWKHH[FHSWLRQRI8:(>@ WKH UHSRUWV RQ LQRUELW ¿UPZDUH XSGDWHV RQ QDQRVDWHOOLWHV KDYH

IEEE A&E SYSTEMS MAGAZINE

MAY 2016

ESTCube-1 satellite before delivering to launch provider.

been limited to a single subsystem. Moreover, most of the reports KDYHIRFXVHGRQO\RQWKHRQERDUGVWRUDJHRI¿UPZDUHLPDJHV ,QWKLVSDSHUDWKRURXJKVWXG\DERXWWKHLVVXHVUHODWHGWR¿UPZDUHXSGDWLQJLVJLYHQDQGDPHWKRGIRUSHUIRUPLQJLQRUELW¿UPware updates on nanosatellite subsystems is proposed. Four different variants of the method are compared. The variants have been tested on the subsystems of the single unit CubeSat ESTCube-1 >@GXULQJLWVWZR\HDUPLVVLRQ,QWRWDODERXWVXFFHVVIXOLQ RUELW¿UPZDUHXSGDWHVKDYHEHHQSHUIRUPHGRQWKHVXEV\VWHPVRI ESTCube-1.

GENERAL PROCEDURE FOR REMOTE FIRMWARE UPDATING 7KHSURFHGXUHIRUUHPRWH¿UPZDUHXSGDWLQJLVGLYLGHGLQWRIRXU SDUWV ¿UPZDUH LPDJH SUHSDUDWLRQ WUDQVIHU SURWRFRO RQERDUG storage, and postprocessing. )LUVWO\WKH¿UPZDUHLPDJHLVJHQHUDWHGZLWKDFRPSLOHUWRROFKDLQDQGPHWDGDWDLVDGGHGWRWKHLPDJHIRURQERDUGYHUL¿FDWLRQ ,QWKHFDVHRIORZXSOLQNGDWDUDWHVRUODUJH¿UPZDUHLPDJHVSDUtitioning [12], [13] and delta compression [14] are sometimes used to reduce the amount of data uploaded to the spacecraft. PartitionLQJDQGGHOWDFRPSUHVVLRQDUHEULHÀ\GHVFULEHGLQWKHVHFWLRQWLWOHG “Discussion and Conclusions.” 6HFRQGO\WKH¿UPZDUHLPDJHLVXSORDGHGWRWKHVSDFHFUDIWLQ segments that can be re-sent in the case that an error occurs during WKHWUDQVPLVVLRQ$UHOLDEOHWUDQVIHUSURWRFROVXFKDV6DUDWRJD>@ may be used to account for packet loss and propagation delay. 7KLUGO\WKH¿UPZDUHLPDJHLVVWRUHGLQRQERDUGQRQYRODWLOH memory, which often has improved fault tolerance. One or more images are maintained in storage for redundancy in the case that WKH PDLQ ¿UPZDUH LPDJH IDLOV WR ERRW SURSHUO\ 7KH XVH RI WKH following nonvolatile memory devices have been reported: frerURHOHFWULF UDQGRP DFFHVV PHPRU\ )5$0  >@ SKDVHFKDQJH UDQGRP DFFHVV PHPRU\ 35$0  >@ UDGLDWLRQKDUGHQHG HOHFWULFDOO\ HUDVDEOH SURJUDPPDEOH UHDGRQO\ PHPRU\ ((3520  >@ RUFRPPHUFLDOÀDVKPHPRU\ZLWKWULSOLFDWHGYRWLQJORJLF>@>@ Lastly, depending on the variant it may be necessary to copy WKHQHZ¿UPZDUHLPDJHIURPWHPSRUDU\QRQYRODWLOHVWRUDJHLQWR executable memory. Between copying procedures as well as prior WRDQ\ERRWDWWHPSWVWKHLQWHJULW\RIWKH¿UPZDUHLPDJHLVYHULMAY 2016

¿HG ZLWK D FKHFNVXP DOJRULWKP ,Q WKH FDVH RI ¿UPZDUH LPDJH PLVPDWFK DQRWKHU ¿UPZDUH LPDJH LV ORDGHG 7KH QHZ LPDJH LV activated and tested on the platform. Error containment and error recovery algorithms are sometimes used to mitigate the risk of misVLRQFULWLFDO HUURUV LQ WKH QHZ ¿UPZDUH >@ '\QDPLF ¿UPZDUH XSGDWHV>@DUHRFFDVLRQDOO\XVHGWRPLQLPL]HGRZQWLPHIRUV\Vtems with high availability requirements. For example, the attitude control system may have to keep solar panels pointed towards the 6XQDQGWKHDQWHQQDSRLQWHGDWWKH(DUWKZKLOHWKH¿UPZDUHRIWKH system is being updated.

ESTCUBE-1 MISSION AND REQUIREMENTS (67&XEHLVDVLQJOHXQLW&XEH6DW>@IRUWHVWLQJNH\WHFKQRORgies for the deployment of electrical solar wind sails [11]. Due to the limited surface area for solar cells, ESTCube-1 subsystems KDYHEHHQRSWLPL]HGIRUSRZHUHI¿FLHQF\(DFKVXEV\VWHPKDVD dedicated microcontroller, some of which are low on volatile and nonvolatile memory. Subsystem hardware platforms are listed in Table 1. The ESTCube-1 communication system uses frequency-shift NH\LQJ)6. DQGWKH$;SDFNHWVWDQGDUG>@LQFRQQHFWLRQOHVVPRGH7KHEDXGUDWHIRUGRZQOLQNLVESVDQGESV for uplink. The system is half-duplex with a maximum packet OHQJWKRI% The satellite bus has been designed with a point-to-point mesh WRSRORJ\ RI XQLYHUVDO DV\QFKURQRXV UHFHLYHUWUDQVPLWWHU 8$57  lines. Each subsystem can be communicated with, or powerVZLWFKHGLQGLYLGXDOO\>@7KHWRSRORJ\LVLOOXVWUDWHGLQ)LJXUH Satellite subsystems communicate with each other through a PLQLPDOLVWLFFXVWRPLQWHUQDOFRPPXQLFDWLRQSURWRFRO,&3 7KH ICP is loosely based on asynchronous high-level data link conWURO+'/& DQGFRYHUVERWKGDWDOLQNDQGQHWZRUNOD\HUVRIWKH RSHQ V\VWHPV LQWHUFRQQHFWLRQ 26,  PRGHO >@7KH SD\ORDG RI ICP packets consists of piggy-backed commands or responses. (DFK FRPPDQG DQG UHVSRQVH KDV D  % KHDGHU ZLWK DQ LGHQWL¿HUVRXUFHVXEV\VWHPLQGH[DQG¿HOGIRUOHQJWKRIWKHFRPPDQG SDUDPHWHUV :KLOH UHVSRQVHV IROORZ WKH VDPH VWUXFWXUH DV FRPPDQGVWKHLULGHQWL¿HUVDUHRIIVHW(67&XEHLVGHVLJQHGWRKDYH ORZDXWRQRP\DQGSURYLGHVXSSRUWIRULQRUELW¿UPZDUHXSJUDGHV

IEEE A&E SYSTEMS MAGAZINE

37

Firmware Updating Systems for Nanosatellites Table 1.

Characteristics of Testing Platforms, Firmware Updating Variants and their Performance on ESTCube-1 Property

Variant A

Variant B

Variant C

Variant D

Subsystem

CDHS [16]

CAM [22]

EPS [23]

COM

MCU

STM32F103

STM32F217

ATMega1280

MSP430F2418

MCU flash

768 KiB

1 MiB

128 KiB

116 KiB

MCU SRAM

96 KiB

1

Ext. mem.

256 KiB

OS5 6

128 KiB 2

128 KiB

8 KiB

3

8 KiB 2

FreeRTOS [24]

FreeRTOS

2 slots

256 KiB

1 MiB4



TinyOS [25]

3 slots

1 slot

1 slot

Temp. storage7

1 slot2



3 slots3

1 slot4

Fw. rollback8









Cfg. rollback9









Segment10

128 B page

128 B page

128 B half-page

128 B page

Checksum

CRC-32

CRC-32

Fletcher-16 [26]

CRC-CCITT

Exec. storage

Log storage 12

In-orbit updates Fw. size

13

Upload time

14

11

MCU flash

MCU flash

Ext. FRAM



19/21

2/2

14/14

0/0

250/256 KiB

86/256 KiB

40/64 KiB

27/64 KiB

170 min

50 min

20 min

10 min

1

Amount of external nonvolatile memory on the platform, which is available for firmware updating procedures. External SPI FRAM memory for the temporary storage of firmware images and bootloader commands. 3 External I2C FRAM memory for the storage of bootloader commands. 4 External SPI flash memory for the temporary storage of firmware images. 5 Operating system running on the platform. 6 Number of executable firmware image slots in MCU internal flash memory. 7 Number of firmware image slots in temporary storage. 8 Automatic firmware rollback capability. 9 Automatic configuration rollback capability. 10 Size and type of the segments that are used for uploading a firmware image. 11 Parallel FRAM is used for storing the bootloader log on EPS. 12 Number of successful in-orbit updates, compared with the total number of updates. 13 Typical and maximum firmware image size. Active satellite communication time, assuming an average ESTCube-1 overpass duration of 10 min. 2

RQ VHYHUDO VXEV\VWHPV :LWKRXW D UHTXHVW IURP WKH JURXQG VWDtion, ESTCube-1 would not trigger actuators nor store or transmit data. By design, telecommands can safely be sent to the satellite repetitively, to guarantee reception. Not all commands result in a response being sent back to the ground station to avoid waiting for acknowledgements when it is not necessary. ,QJHQHUDOLWPXVWEHSRVVLEOHWRUHOLDEO\XSORDGD¿UPZDUHLPDJHWRWKHVDWHOOLWHYHULI\LWVLQWHJULW\DQGERRWLW$QLQRUELW¿UPware upload protocol must take into account low data rates, radio VLJQDOGHOD\DQGSDFNHWORVV$¿UPZDUHLPDJHLVWREHWUDQVIHUUHG in segments and it must be possible to automatically determine and UHVHQG WKH PLVVLQJ VHJPHQWV7KH LQWHJULW\ RI WKH UHFHLYHG ¿UPZDUH LPDJH PXVW EH YHUL¿HG DXWRPDWLFDOO\ EHIRUH DWWHPSWLQJ WR ERRWLW,QWKHFDVHRIDQHUURUGXULQJ¿UPZDUHXSGDWHWKHV\VWHP must be automatically restored to a safe state. It must also be posVLEOHWRUHYHUWEDFNWRWKHSUHYLRXV¿UPZDUHLPDJHRQGHPDQGRU 38

in the case of major issues with the newer version. Recurring resets of the system must be resolved by rolling back to a backup image automatically.

Figure 1. Topology of ESTCube-1 on-board communication.

IEEE A&E SYSTEMS MAGAZINE

MAY 2016

Sunter et al. 7KH ¿UPZDUH LPDJH DQG LWV SDJHPDS DUH VWRUHG LQ QRQYRODWLOH PHPRU\ DOORZLQJ WKH ¿UPZDUH XSGDWH WR EH FRQWLQXHG DIWHU the target subsystem encounters a reset or a power cycle. Errors reported from the bootloader are stored in nonvolatile memory to EHFROOHFWHGWKHQH[WWLPHD¿UPZDUHLPDJHLVORDGHGVXFFHVVIXOO\

Firmware Updating Variants on ESTCube-1

Figure 2. Software update protocol timeline. Steps involving packet transmission are indicated as oblong hexagons.

FIRMWARE UPDATING METHOD ON ESTCUBE-1 7KH LQRUELW XSGDWH RI D VXEV\VWHP ¿UPZDUH LV VWDUWHG ZLWK DQ LQLWLDOL]DWLRQ FRPPDQG ZKLFK HUDVHV WKH WDUJHW ¿UPZDUH LPDJH slot and prepares a pagemap in temporary memory. A pagemap is a bitmap where each bit indicates whether the corresponding page has been successfully received and stored on-board. The initialL]DWLRQFRPPDQGVHQGVDUHVSRQVHZKHQWKHVXEV\VWHPLVUHDG\ WRUHFHLYHWKH¿UPZDUHLPDJH7KH¿UPZDUHLPDJHLVXSORDGHG SDJH E\ SDJH HDFK ZLWK DQ DGGUHVV SUHGH¿QHG QXPEHU RI GDWD bytes, checksum, and other metadata. Page upload commands do QRWQHFHVVDULO\JHQHUDWHUHVSRQVHVDVWKHVWDWXVRISDJHVLVYHUL¿HG by requesting the pagemap. After the transmission of all pages, the pagemap is downloaded and missing pages are re-sent. This procedure is repeated until all pages have been stored in the onboard nonvolatile memory. The on-board copy of the software imDJHLVYHUL¿HGE\FRPSDULQJLWVFKHFNVXPZLWKWKDWSURYLGHGLQ the image header. Finally, bootloader commands are scheduled for FRS\LQJ WKH ¿UPZDUH LPDJH LQWR PLFURFRQWUROOHU ÀDVK PHPRU\ and rebooting the subsystem. The timeline of this procedure is illustrated in Figure 2. 7KHERRWORDGHUFRSLHVDQGYHUL¿HVWKHQHZO\XSORDGHGLPDJH DIWHUZKLFKLWERRWVWKHVHOHFWHG¿UPZDUHLPDJH7KHVHOHFWHGLPage may or may not be the one that was just uploaded. MAY 2016

7KH¿UPZDUHXSGDWLQJPHFKDQLVPKDVEHHQLPSOHPHQWHGDQGWHVWHG LQIRXUGLIIHUHQWYDULDQWVRQ(67&XEH:KLOHLQJHQHUDOWKH¿UPware updating method is the same, the variants have been independently developed by different teams at different times. Variant D has EHHQ GHYHORSHG IRU WKH FRPPXQLFDWLRQ V\VWHP &20  SODWIRUP YDULDQW & IRU WKH HOHFWULFDO SRZHU V\VWHP (36  DQG YDULDQWV$ % IRU&'+6DQGWKHFDPHUDV\VWHP&$0 UHVSHFWLYHO\7KHGHVLJQ of each variant has been driven by the amount of available RAM on WKHPLFURFRQWUROOHUXQLWH0&8 H[WHUQDOQRQYRODWLOHVWRUDJHRQWKH SODWIRUPDQGWLPHDYDLODEOHIRUGHYHORSPHQWDQGWHVWLQJ7KHVSHFL¿cations of platforms and the variants used have been listed in Table 1. In the case of variant A that is used on CDHS, one serial peULSKHUDOLQWHUIDFH63, )5$0LVXVHGIRUWKHWHPSRUDU\VWRUDJHRI DVLQJOH¿UPZDUHLPDJHGXULQJLWVXSORDG2QFHXSORDGHGERRWloader commands are scheduled and a reboot is performed. The ERRWORDGHUWKHQYHUL¿HVWKH¿UPZDUHLPDJHLQ)5$0DQGFRSLHV LWLQWRRQHRIWKHWZRH[HFXWDEOHVORWVLQWKHPLFURFRQWUROOHUÀDVK memory. In the case of an error while copying or booting the imDJHWKHRWKHUH[HFXWDEOH¿UPZDUHLPDJHLVORDGHG%\FRXQWLQJ reboots without a successful ground-communication session and ORDGLQJDPLQLPDOVRIWZDUHFRQ¿JXUDWLRQLQWKHFDVHWKDWLWH[FHHGV DVSHFL¿FYDOXHWKHULVNRIF\FOLFUHVHWVLVUHGXFHG7KHPLQLPDO VRIWZDUHFRQ¿JXUDWLRQGRHVQRWLQLWLDOL]HDQ\H[WHUQDOGHYLFHVDQG LQRUGHUWRUHVWRUH¿UPZDUHXSGDWHIXQFWLRQDOLW\WKH)5$0GHYLFH must be reenabled manually with a set of telecommands. BootORDGHUFRPPDQGVDUHVWRUHGLQWKHVDPH)5$0ZLWKWKH¿UPZDUH image, while the status of bootloader operations is stored in a dediFDWHGVHFWLRQRIWKHPLFURFRQWUROOHUÀDVK,QDGGLWLRQWRVSHFLI\LQJ WKHDFWLYH¿UPZDUHLPDJHDVDERRWORDGHUFRPPDQGWKHV\VWHP also has a dedicated hardware pin for changing the default image to ERRW$VLPSOL¿HGERRWORDGHUÀRZFKDUWLVVKRZQLQ)LJXUH)LJXUHLOOXVWUDWHVWKHÀRZRI¿UPZDUHLPDJHWUDQVIHUIRUYDULDQW$ %\GHIDXOWWKHSDJHPDSRIWKH¿UPZDUHLPDJHLVVWRUHGLQDQRWKHU 63,)5$0:LWKWKHPLQLPXPVRIWZDUHFRQ¿JXUDWLRQ0&8VWDWLFUDQGRPDFFHVVPHPRU\65$0 LVXVHGIRUWKHSDJHPDS 9DULDQW%GRHVQRWXVHH[WHUQDOPHPRU\IRU¿UPZDUHLPDJHV 7KHSDJHVDUHVWRUHGGLUHFWO\LQWRWKHPLFURFRQWUROOHUÀDVKPHPRU\7KHUHDUHWKUHHH[HFXWDEOH¿UPZDUHLPDJHVDQGLQWKHFDVHWKDW RQHRIWKHPEHFRPHVGDPDJHGWKHQH[W¿UPZDUHLPDJHLVWDNHQ 7KHLQWHJULW\RIWKH¿UPZDUHLPDJHLVYHUL¿HGZLWKELWF\FOLF UHGXQGDQF\FKHFN&5& ,QRUGHUWRPLQLPL]HWKHULVNRIF\FOLF UHERRWVGXHWRKDUGZDUHIDLOXUHWKH¿UPZDUHDOZD\VVWDUWVZLWKD PLQLPDOFRQ¿JXUDWLRQ7KHPLQLPDOFRQ¿JXUDWLRQGRHVQRWLQLWLDOL]HDQ\H[WHUQDOGHYLFHVEXWVXSSRUWV¿UPZDUHXSGDWHV([WHUQDO GHYLFHV DUH LQLWLDOL]HG PDQXDOO\ ZLWK D WHOHFRPPDQG )LUPZDUH image pagemap and bootloader commands are stored in an interLQWHJUDWHG FLUFXLW ,2&  )5$0 ZKHUHDV WKH VWDWXV RI ERRWORDGHU RSHUDWLRQVLVVWRUHGLQDGHGLFDWHGVHFWLRQRIPLFURFRQWUROOHUÀDVK

IEEE A&E SYSTEMS MAGAZINE

39

Firmware Updating Systems for Nanosatellites O\WKH¿UPZDUHXSORDGLVFRPSOHWHG E\VHQGLQJD¿QDOL]DWLRQFRPPDQG 7R FRS\ WKH ¿UPZDUH LQWR WKH PLFURFRQWUROOHULQWHUQDOÀDVKPHPRU\ the bootloader must be activated by resetting the MCU. The bootloader ¿UVW FKHFNV LI WKH ¿UPZDUH FKHFNsum matches and then copies the GDWD2QFHWKH¿UPZDUHSDJHVKDYH been copied, the microcontroller automatically starts executing the new ¿UPZDUH7KHERRWORDGHULVHQWHUHG at each restart of the MCU and it always increments a nonvolatile reset FRXQWHUZKLFKLVVXSSRVHGWREH]HURHGE\DIXQFWLRQDO¿UPZDUH,IWKH reset counter reaches its threshold, WKH ¿UPZDUH LV FRQVLGHUHG FRUUXSW DQG QHZ ¿UPZDUH LV DXWRPDWLFDOO\ ZULWWHQ WR WKH 0&8 ÀDVK PHPRU\ from the fallback slot of the SPI FRAM. For intentionally copying a ¿UPZDUHLPDJHLQWRWKHÀDVKPHPRU\VSHFLDOFRPPDQGÀDJVKDYHWR be set before the restart. A simpli¿HG ERRWORDGHU ÀRZFKDUW LV VKRZQ LQ)LJXUH Variant D is used on the COM platform and it is, by design, the VLPSOHVW 'XULQJ ¿UPZDUH XSORDG SDJHVDUHVWRUHGLQ63,ÀDVKPHPRU\7KHERRWORDGHUYHUL¿HVWKH¿UPZDUHLPDJHLQH[WHUQDOÀDVKFRSLHV it into the executable storage in miFURFRQWUROOHUÀDVKDQGWKHQERRWVLW 6LQFHWKLVYDULDQWGRHVQRWIXO¿ODOO the reliability requirements, postlaunch usage is not recommended.

FIRMWARE TESTING AND VALIDATION Figure 3. 6LPSOL¿HGÀRZFKDUWRIWKHERRWORDGHUIRUYDULDQWV$DQG%

In the case of variant C that is used on the EPS, the uploaded ¿UPZDUHLPDJHVDUHVWRUHGLQDQRQERDUG63,)5$0ZKLFKFDQ DFFRPPRGDWHXSWRWKUHH¿UPZDUHLPDJHVXSWRN%HDFK 2QH RIWKHWKUHHVORWVLVUHVHUYHGDVWKHIDOOEDFN¿UPZDUHVORWWRZKLFK RQO\WKHPRVWÀLJKWSURYHQ¿UPZDUHLPDJHVDUHUHFRUGHG7KHLPDJHVDUHWUDQVPLWWHGDVKDOISDJHV%HDFK DFFRPSDQLHGE\ ELWFKHFNVXPVDQGVWRUHGRQO\LIWKH\PDWFKWKHFRQWHQW7KHIXOO FKHFNVXPRIWKH¿UPZDUHLVFDOFXODWHGDIWHUWKHSDJHPDSUHSRUWV that all pages have been uploaded. This checksum is then compared ZLWKWKHRQHVWRUHGLQWKHLQLWLDOL]DWLRQKHDGHURIWKH¿UPZDUH)LQDO40

Individual software modules are ¿UVW WHVWHG DQG GHEXJJHG LQ D FXVtom simulation environment on the developer’s personal computer 3& 7KHPRGL¿HGPRGXOHVDUHWKHQLQWHJUDWHGLQWRWKHVXEV\VWHP code base. Further testing and debugging is performed on subsysWHPSURWRW\SHKDUGZDUH:KHUHDSSOLFDEOHKDUGZDUHLQWKHORRS testing is performed to verify that the results of on-board calculations match simulation results on the PC. The new version of the ¿UPZDUHLVXSORDGHGWRWKHHQJLQHHULQJPRGHO(0 RIWKHVDWHOlite, in order to test compliance with the rest of the satellite subsysWHPV)LQDOO\WKH¿UPZDUHLVXSORDGHGWRWKHÀLJKWPRGHOLQRUELW 5HIHU WR )LJXUH  IRU DQ LOOXVWUDWLRQ ,Q WKH FDVH RI (67&XEH basic functionality and regression tests are manually performed at

IEEE A&E SYSTEMS MAGAZINE

MAY 2016

Sunter et al. COM. The four platforms and their properties are listed in Table 1. $Q LQRUELW ¿UPZDUH XSGDWH was successfully performed while the satellite was spinning at about  GHJV :LWK  % SDJHV D SDFNHWORVVRIDERXWZDVZLWnessed. Typically after detumbling, SDFNHWORVVKDVEHHQDERXW

VARIANT A Variant A has been successfully XVHG IRU  LQRUELW ¿UPZDUH XSdates as well as for the reliable XSORDGLQJRIDUELWUDU\¿OHV7ZRLQ RUELW¿UPZDUHXSGDWHDWWHPSWVKDYH Figure 4. been unsuccessful. The system has 'DWDÀRZGXULQJD¿UPZDUHXSGDWHSURFHGXUHIRUYDULDQW$([DPSOHIRUXSGDWLQJ¿UPZDUHLPDJHVORW two microcontrollers connected in a FROGUHGXQGDQW IDVKLRQ >@ $IWHU each step. Due to time schedule constraints, some of the aforemenWKUHHPRQWKVLQRUELWD¿UPZDUHLPDJHVORWRQRQHRIWKHPLFURWLRQHGVWHSVKDYHEHHQVNLSSHGIRUPLQRUPRGL¿FDWLRQV controllers became damaged, making it impossible to be erased 'XULQJ WKH ¿UPZDUH WHVWLQJ DQG YDOLGDWLRQ SURFHGXUH HUURUV properly. On another occasion, the system indicated that all pages PD\EHIRXQGQRWRQO\LQWKH¿UPZDUHEXWDOVRLQWKHVDWHOOLWHKDUGKDGEHHQUHFHLYHGVXFFHVVIXOO\EXWWKHFKHFNVXPRIWKH¿UPZDUH ware, debugging hardware, compiler toolchain, simulation enviimage as a whole did not match. Since variant A does not store the ronment, and in the software that is used for testing. WHPSRUDU\¿UPZDUHLPDJHZLWKSHUSDJHFKHFNVXPVLWLVQRWSRVVLEOHWRSLQSRLQWWKHFRUUXSWSDJHDQGWKHZKROH¿UPZDUHXSORDG must be restarted. The exact cause of these issues is not known. DISCUSSION AND CONCLUSIONS 'XULQJWKHPDQDJHPHQWRIVRIWZDUHFRQ¿JXUDWLRQWDEOHVWKH Different variants of the software update mechanism were tested VHFRQGEDQNRIWKHPLFURFRQWUROOHUÀDVKLVXQORFNHGDQGDFFHVVHG on different ESTCube-1 subsystems: EPS, CDHS, CAM, and directly. This introduces the risk of accidentally corrupting the secRQG¿UPZDUHLPDJHIURPZLWKLQWKHPDLQ¿UPZDUHLPDJH ,Q RUGHU WR VDYH SRZHU (67&XEH &'+6 WHVWLQJ SODWIRUP IRU YDULDQW$  LV SRZHUF\FOHG IUHTXHQWO\ 7KXV LW LV GHVLUHG WR KDYHQRQYRODWLOHVHOHFWLRQRIWKHDFWLYH¿UPZDUHLPDJH2Q(67Cube-1 a dedicated hardware pin is reserved for this purpose. The

Figure 5. 6LPSOL¿HGÀRZFKDUWRIWKHERRWORDGHUIRUYDULDQW&7KHWKLUGLPDJH is copied, in the case that no valid images are found. This exception is LQGLFDWHGZLWKDQDVWHULVNLQWKH¿JXUH

MAY 2016

Figure 6. 7HVWLQJSURFHGXUHIRU(67&XEH¿UPZDUHXSGDWHV

IEEE A&E SYSTEMS MAGAZINE

41

Firmware Updating Systems for Nanosatellites SLQLVFRQWUROOHGWKURXJKWKH(36WHVWLQJSODWIRUPIRUYDULDQW&  which is always switched on.

VARIANT B :LWKRXWDQ\LVVXHVWZRLQRUELWVRIWZDUHXSGDWHVKDYHEHHQSHUformed. However, similarly to variant A, this variant also does not use per-page checksums and assumes that the COM guarantees the integrity of received packets. The contents of the microcontroller LQWHUQDO ÀDVK FDQQRW EH XSGDWHG ZLWKRXW HUDVLQJ ODUJH EORFNV RI GDWD,QWKHFDVHWKDWDFRUUXSWSDJHLVZULWWHQWRÀDVKWKHZKROH ¿UPZDUHXSORDGPXVWEHUHVWDUWHG0LFURFRQWUROOHUÀDVKLVRUJDQL]HGLQWZREDQNVWKDWFDQEHXQORFNHGVHSDUDWHO\:KLOHXSORDGLQJD¿UPZDUHLPDJHWRRQHVORWLWLVSRVVLEOHWRGDPDJHWKHFRQtent of another. Similarly to variant A it is possible for the running ¿UPZDUHLPDJHWRFRUUXSWWKHVHFRQGVRIWZDUHLPDJH Bootloader commands are stored in an I2C FRAM that shares the bus with an image sensor and a temperature sensor. This introduces the risk of the FRAM becoming inaccessible when the bus EHFRPHVEORFNHG>@

VARIANT C :LWKRXW DQ\ LVVXHV  LQRUELW VRIWZDUH XSGDWHV KDYH EHHQ SHUIRUPHG 7KH IDOOEDFN LPDJH ORDGLQJ PHFKDQLVP XVLQJ WKH UHVHW FRXQWHU KDVEHHQDFWLYDWHGWZLFHLQRUELWDQGRQERWKRFFDVLRQV WKHERRWORDGHUKDVVXFFHVVIXOO\PDQDJHGWRÀDVKWKHIDLOVDIH¿UPware. The exact cause for the resets that tripped the counter is not known and the problem has not reoccurred. 7KH¿UPZDUHLPDJHFKHFNVXPLVRQO\YHUL¿HGEHIRUHFRS\LQJ D¿UPZDUHLPDJHIURP)5$0WR0&8ÀDVK,QWKHFDVHRIPDLQ ¿UPZDUHLPDJHGDPDJHWKHFRUUXSW¿UPZDUHLPDJHLVERRWHGXQWLOF\FOLFUHERRWVFDXVHLWWREHRYHUZULWWHQZLWKWKHIDLOVDIH¿UPZDUH7KLVLQWURGXFHVWKHULVNRIUXQQLQJDFRUUXSW¿UPZDUHWKDW does not cause cyclic reboots.

VARIANT D Variant D has only been used prior to launch. Since this variant is XVHGRQ&20DQGLWGRHVQRWIHDWXUH¿UPZDUHLPDJHUROOEDFNDQ error during the image copy procedure would render the satellite nonresponsive.

COMPARISON OF VARIANTS In order to compare the variants, we outline their major strengths and weaknesses. Out of the four, variant C provides the best error GHWHFWLRQGXULQJ¿UPZDUHLPDJHXSORDG+RZHYHUWKLVFRPHVDW the price of additional postprocessing as well as increased implementation complexity when compared with other variants. Variant A is easier to implement and requires less postprocessLQJEXWLWLVXQDEOHWRSLQSRLQWHUURUVLQ¿UPZDUHLPDJHV$OWKRXJK YDULDQW$ODFNVLQHUURUGHWHFWLRQGXULQJ¿UPZDUHXSORDGLWSURvides better error detection in bootloader operations. :KLOH YDULDQWV $ & DQG ' UHTXLUH DGGLWLRQDO QRQYRODWLOH PHPRU\IRUVWRULQJ¿UPZDUHLPDJHVYDULDQW%GRHVQRW9DULDQW 42

B offers the same error detection and recovery mechanism as variant A. No postprocessing is needed for variant B; it is simple to implement and is suitable for nanosatellite subsystems with high availability constraints. :KLOHYDULDQW'LVWKHHDVLHVWWRLPSOHPHQWLWODFNVDXWRPDWLF error recovery and is not recommended for postlaunch usage.

POTENTIAL IMPROVEMENTS Due to the high risk of boot-time errors in the case of variant D, a IDOOEDFN¿UPZDUHLPDJHVKRXOGEHUHVHUYHGLQWKHPLFURFRQWUROOHU ÀDVK$GGLWLRQDOFKHFNVXPYHUL¿FDWLRQVKRXOGEHDGGHGWRYDULDQW &WRUHGXFHWKHULVNRIERRWLQJDFRUUXSW¿UPZDUH)RUYDULDQWV& and D, these improvements had been planned but were neglected due to the tight schedule. )RUYDULDQWV$DQG%HDFK¿UPZDUHLPDJHLVSURGXFHGIRUD VSHFL¿FVORWGXULQJFRPSLODWLRQ6LQFHWKHOLQNHUVWRUHVJOREDODGGUHVVHVLQWKHLPDJHWKH¿UPZDUHVLPSO\FUDVKHVLIERRWHGLQWKH wrong slot. Additional checks should be added to disable copying into an incorrect slot. Alternatively, a toolchain could be chosen that supports position independent code. 9DULDQWV % DQG & KDG WKUHH ¿UPZDUH LPDJH VORWV ZKLFK HQDEOHG VXSSRUW IRU ERWK PDQXDO DV ZHOO DV DXWRPDWLF ¿UPZDUH UROOEDFN+DYLQJDWOHDVWWKUHH¿UPZDUHLPDJHVORWVLVVXJJHVWHG VRWKDWRQHRIWKHVORWVFRXOGEHXVHGIRUWKHODWHVW¿UPZDUHRQH IRUWKHSUHYLRXV¿UPZDUHDQGRQHIRUDUROOEDFNLPDJHLQFDVHRI emergency. The rollback image would offer minimal functionality and could be updated only after extensive testing. Even if the COM ensures the integrity of uploaded pages, perSDJHFKHFNVXPVVKRXOGEHXVHGWRDYRLGIXOOUHXSORDGVRI¿UPZDUH images due to single event effects. 7KH VHOHFWLRQ RI WKH DFWLYH ¿UPZDUH LPDJH DQG LWV UROOEDFN should be nonvolatile and contained within a single subsystem. This could be achieved with a nonvolatile latch or by storing a half-word of slot indexes in the desired boot order in nonvolatile PHPRU\7KHERRWORDGHUZRXOGDWWHPSWWRERRWWKH¿UVWVORWLQWKH word and if this fails, it would take the next one. This procedure would be repeated until an image is booted successfully or until booting has failed with all slot indexes. ,QRUGHUWRPDQDJHWKHVHOHFWLRQRI¿UPZDUHLPDJHVLQDQRQvolatile manner as well as to alleviate the risk of a single point of failure in the bootloader, a small arbiter microcontroller could be introduced into the design. The controller would restore the bootloader along with a rollback image on the main microcontroller in case a number of boot attempts have failed. A dedicated hardware pin could be used to signal the other microcontroller when the bootloader checksum no longer matches. In addition, this microcontroller could serve as a watchdog and current monitoring unit. 7KH VROXWLRQ IRU UHPRWH ¿UPZDUH XSGDWHV LPSOHPHQWHG RQ Mars rovers Spirit and Opportunity is similar to variant A of the GHVFULEHGPHWKRG+RZHYHURQWKHVHURYHUVERWK¿UPZDUHLPDJHV FRQWDLQDFRS\RIWKHERRWORDGHUWKDWLVDEOHWRERRWWKHRWKHU¿UPware image in the case of an error [3]. Supplying a bootloader with HDFK¿UPZDUHLPDJHZRXOGERWKHQDEOHERRWORDGHUXSGDWHVDVZHOO as reduce the risk of a single point of failure in the bootloader.

IEEE A&E SYSTEMS MAGAZINE

MAY 2016

Sunter et al. $VLQJOH¿UPZDUHLPDJHRIYDULDQW$KDVEHHQDVODUJHDV .L%:LWK%SDJHVDQGRQHELWSHUSDJHWKHSDJHPDSGLGQRW ¿WLQDVLQJOH%UHVSRQVH7KLVLQFUHDVHGWKHFRPSOH[LW\RIVDWHOOLWHRSHUDWLRQVVRIWZDUH+RZHYHU¿UPZDUHLPDJHSDJHPDSVL]H FRXOG EH UHGXFHG VLJQL¿FDQWO\ E\ WUDQVPLWWLQJ DQG SRVVLEO\ DOVR storing it as a list of continuous ranges of missing page indexes. 7KHYDULDQWVZHUHWHVWHGZLWK¿UPZDUHLPDJHVWKDWKDGD6KDQQRQHQWURS\>@RIDERXWRQWKHVFDOHRI± 7KHRUHWLFDOO\ WKLVZRXOG\LHOGDPD[LPXPFRPSUHVVLRQUDWLRRI$VLJQL¿cant reduction in the amount of transmitted data could be obtained with delta compression [14]. Delta-compression calculates the difIHUHQFHEHWZHHQWZR¿UPZDUHLPDJHYHUVLRQVZKLFKLVWKHQXVHG to reconstruct the new image on-board [14]. A minor code modi¿FDWLRQLQFODVVLFQRQVHJPHQWHG¿UPZDUHPD\UHVXOWLQDELQDU\ GLIIHUHQFHRIDOPRVWVRWKDWWKHIXOO¿UPZDUHLPDJHKDVWREH XSGDWHG>@7KHGLIIHUHQFHEHWZHHQWKHWZRLPDJHVFDQEHPLQLPL]HGZLWKWKHKHOSRIDQLQFUHPHQWDOFRPSLOHU>@ZLWKDVSDWLDO partitioning operating system [12], [13] or by allocating a separate VHFWLRQLQWKHELQDU\IRUHDFKPRGXOH>@>@2Q0LQLVDW>@ the on-board executable EEPROM is divided into 32 segments, .L%HDFK%\XSGDWLQJWKHJOREDOGHVFULSWRUWDEOH*'7 LWLV possible to add or replace functions without replacing the whole ¿UPZDUH :LWK DGDSWDWLRQV VXFK DV GHOWD FRPSUHVVLRQ DQG SDJH UDQJHV LQVWHDGRISDJHPDSVWKH¿UPZDUHXSGDWHSURWRFROLVUHXVDEOHRQ a multitude of nanosatellite missions. However, due to hardware dependency, dedicated bootloader backend must be implemented for the different microcontroller families used on-board the satellite. The protocol and bootloader with improvements, such as nonYRODWLOHVHOHFWLRQRIWKHDFWLYH¿UPZDUHLPDJHZLOOEHXVHGRQWKH ESTCube-2 mission and on the optical payload for the European VWXGHQW(DUWKRUELWHU(6(2 >@

REFERENCES [1]

1LOFKLDQL59DOXLQJVRIWZDUHEDVHGRSWLRQVIRUVSDFHV\VWHPVÀH[ibility. Acta Astronautica, 65 ± [2] *DUULGR % *DUFtD$$OIDUR 1 DQG 0LJXHO - 0,1,6$7 RQ board software maintenance. In Proceedings of the DASIA ‘98 Conference on Data Systems in Aerospace,$WKHQV*UHHFH0D\ [3] *UHFR0(DQG6Q\GHU-)2SHUDWLRQDOPRGL¿FDWLRQRIWKH0DUV H[SORUDWLRQURYHUV¶ÀLJKWVRIWZDUH,QIEEE Systems, Man and Cybernetics, International Conference, [4] 0DUVKDOO: DQG %RVKXL]HQ & 3ODQHW /DEV¶ UHPRWH VHQVLQJ VDWHOlite system. In 27th Annual AIAA/USU Conference on Small Satellites, /RJDQ87SDSHU66&:. >@ $,66DW  $,66DW $XWRPDWLF ,GHQWL¿FDWLRQ 6\VWHP VDWHOOLWH  QDQRVDWHOOLWHFRQVWHOODWLRQ>2QOLQH@$YDLODEOHKWWSVGLUHFWRU\ eoportal.org/web/eoportal/satellite-missions/a/aissat-1-2 >@ -HVVHQ7/HGHW3HGHUVHQ-DQG0RUWHQVHQ+36RIWZDUHGH¿QHG AIS receiver for AAUSAT3. Master’s thesis, Department of ElectronLF6\VWHPV$DOERUJ8QLYHUVLW\$DOERUJ'HQPDUN-XQH >@ -HQVHQ-'DQG6ZHQVRQ&0&RPPDQGDQGGDWDKDQGOLQJVXEsystem design for the Ionospheric Observation Nanosatellite FormaWLRQ,21) ,Q14th Annual AIAA/USU Conference on Small Satellites,SDSHU66&9,,

MAY 2016

>@ )LW]VLPPRQV65HOLDEOHVRIWZDUHXSGDWHVIRURQRUELWFXEHVDWVDWHOlites. Master’s thesis, Faculty of California Polytechnic State UniverVLW\6DQ/XLV2ELVSR&$-XQH >@ %ULGJHV&3.HQ\RQ66KDZ39LVDJLH/7KHRGRURX7@ 8:(QHZV0DU>2QOLQH@$YDLODEOHKWWSZZZLQIRUPDWLN XQLZXHU]EXUJGHIRUVFKXQJVSDFHBH[SORUDWLRQSURMHFWVXZHB XZHBBQHZV [11] /lWW 6 6ODYLQVNLV$ ,OELV ( .YHOO 8 9RRUPDQVLN . .XOX E. et al. ESTCube-1 nanosatellite for electric solar wind sail in-orbit technology demonstration. Proceedings of the Estonian Academy of Sciences, 630D\ ± [12] Leiner, B., Schlager, M., Obermaisser, R., and Huber, B. A comparison of partitioning operating systems for integrated systems. In Proceedings of 26th International Conference on Computer Safety, Reliability, and Security (SAFECOMP)± [13] 5RVD-&-DQG5X¿QR-([SORLWLQJ$,5FRPSRVDELOLW\WRZDUGV spacecraft onboard software update. In Actas do INForum-Simpósio de Informática, [14] Bing, B. A fast and secure framework for over-the-air wireless softZDUHGRZQORDGXVLQJUHFRQ¿JXUDEOHPRELOHGHYLFHVIEEE Communications Magazine,± >@ :RRG/(GG\:0,YDQFLF:0F.LP-DQG-DFNVRQ&6DUDWRJDDGHOD\WROHUDQWQHWZRUNLQJFRQYHUJHQFHOD\HUZLWKHI¿FLHQWOLQN XWLOL]DWLRQ ,Q Third International Workshop on Satellite and Space Communications,± >@ /DL]ƗQV.6QWHU,=ƗOƯWH..XXVWH+9DOJXU07DUEH.HW al. The design of fault tolerant command and data handling subsystem for ESTCube-1. Proceedings of the Estonian Academy of Sciences, 63 0D\ ± >@ Nelson, V. P. Fault-tolerant computing: Fundamental concepts. IEEE Computer-XO\ ± >@ 7DL$77VR . 6$ONDODL / &KDX 6 1 DQG 6DQGHUV: + Low-cost error containment and recovery for onboard guarded software upgrading and beyond. IEEE Transactions on Computers, 51 )HE ± >@ 6HJDO0(DQG)ULHGHU22QWKHÀ\SURJUDPPRGL¿FDWLRQV\Vtems for dynamic updating. IEEE Software ± >@ /HH6+XWSXWDQDVLQ$7RRULDQ$/DQ:0XQDNDWD5&DUQDKDQ-HWDO&XEH6DWGHVLJQVSHFL¿FDWLRQ&DOLIRUQLD6WDWH3RO\WHFKQLF8QLYHUVLW\6DQ/XLV2ELVSR7HFK5HSUHYLVLRQ [21] %HHFK:$1LHOVHQ'(DQG7D\ORU-$;OLQNDFFHVVSURWRFRO for amateur packet radio. Tucson Amateur Packet Radio Corporation, 7HFK 5HS   >2QOLQH@$YDLODEOH KWWSVZZZWDSURUJSGI $;SGI [22] .XXVWH+(HQPlH7$OOLN9$JX$9HQGW5$QVNR,HWDO Imaging system for nanosatellite proximity operations. Proceedings of the Estonian Academy of Sciences, 630D\ ± [23] 3DMXVDOX0,OELV(,OYHV79HVNH0.DOGH-/LOOPDD+HW DO'HVLJQDQGSUHÀLJKWWHVWLQJRIWKHHOHFWULFDOSRZHUV\VWHPIRUWKH ESTCube-1 nanosatellite. Proceedings of the Estonian Academy of Sciences, 630D\ ± [24] Barry, R. Using the FreeRTOS Real Time Kernel - A Practical Guide. 

IEEE A&E SYSTEMS MAGAZINE

43

Firmware Updating Systems for Nanosatellites [25]

[26] [27] [28]

Lev is, P., Madden, S , Polastre, J. , Szewczyk, R. , Whi tehouse, K., Woo, A. et al. TinyOS: an operating system fo r sensor networks. Ambient Intelligence, 2005, 11 5-148. Fletcher, J. G. An arithmetic chec ksum fo r seri al transmi ssions. IEEE Transactions on Communications, 30 (Jan. 1982), 247-252. Shannon, C. E. A Mathematical Theory of Communication. 1963 . Iwinski , M. , and Sosnowski, J Re mote software reprogramming in embedded systems. PAK, 59 (Jul y 201 3), 769-77 1.

[29] [30]

[31]

Tromey, T. Incremental compilation fo r GCe. In Proceedings of the GCC Developers 'Summit, 2008, 137-142. Kenyon, S , Bridges, C., Liddle, D., Dyer, B., Parsons, J. Poll ard, M. et al. STRaND- I: use of a $500 smartphone as the central avionics of a nanosatellite. In 62nd International Astronautical Congress, 20 11 , paper IAC-II -B4.6B.8. Bruzzi, D., Tortora, P., Giulietti, E, and Galeone, P European student earth orbiter: ESA's educational microsatellite program. In AIAAIUSU Conference on Small Satellites, 20 13.

Call for Nominations IEEE AESS Judith A. Resnik

Call for Pioneer Award Nominations

Space Award

The IEEE Aerospace and Electronic Systems Society (AESS) annually awards their Pioneer Award recognizing distinguished individuals who have contributed notable achievements to the technical fields of interest of the AESS . The achievement for which the award is given should have "contributed significantly to bringing into being systems, which are still in existence today, and have occurred at least 20 years prior to the year of the award" to ensure proper historical perspective. It is not a condition that the award winner should have been sole or original inventor or developer of any system. "Significant contribution," of a specific nature, is the key criterion. Contributions by more than a single individual can be recognized by a joint award. Nationality, residence, membership in AESS, IEEE, or any other organization are not factors .

The Judith A. Resnik Space Award is an annual AESS award to recognize candidates that have provided outstanding contributions to space engineering in the AESS Fields of Interest; i.e. "the organization, systems engineering, design, development, integration, and operation of complex systems for space, air, ocean, or ground environments." The candidate does not have to be an IEEE/AESS member, but given everything else being equal, a member will be given preferential consideration. The Space achievement has to be deemed to have made a particularly noteworthy contribution in the AESS Field of Interest. Prize items consist of an honorarium of $2,000 and a plaque. Nominations are due by I July. The nomination package is to include, besides the filled out AESS nomination form, a minimum of three endorsement letters by recognized space oriented experts who have familiarity with the nominee's accomplishments and to describe the merit of the nominee's contributions to the AESS Field of Interest.

You can find the previous Pioneer winners and the nomination form on the AESS awards website http://ieee-aess.orgimembership/awards, or you can request the form by contacting the Pioneer Awards Committee Chairman, Erwin Gangl at [email protected]. The nomination should be submitted to the Committee Chairman accompanied by substantiating information, as requested by the nomination form , to justify consideration for the award. All nominations need to be received by July 31 of any year for consideration for that year's award. The award is traditionally presented at a major AESS sponsored/co-sponsored conference in the fall. The prize is a handsome cast bronze plaque and a cash stipend.

Submit nominations to the IEEE/AESS Awards Chairman, Erwin Gangl, at [email protected] See http://www.ieee-aess.orgi for the AESS Field of Interests and http: //www.ieeeaess.org/membership/awards for more details on the award.

I

1 __________________________ L _________________________ _

44

IEEE A&E SYSTEMS MAGAZINE

MAY 2016