- 3.2 CoDR Checklist Kareena Shah
- 5.2 CoDR Checklist Sreeja Akula
- 3.2 (Thermal Equalization) Thermal Strap Analysis Divya Krishna
- 4.1 (Rotational Dynamics and Updated Torque Calcs) Izaan Rizvi Colter Mahabir Adrian Yang Elisha Aranibar
- 4.1 (Tank and Propellant Pressure Analysis) Pranav Bala Colter Mahabir
- 7.2 CoDR Checklist Brandon Garcia
- 9.1 & 9.2 CoDR Checklist Rene Ramirez
- 4.2 (Control Authority Budgets) Colter Mahabir
3.2
-kareena
4.1 -
4.1 Design Book MCU Specs:
- Frequency up to 480 Mhz
- 2 Mbytes of flash memory
- 1 Mbyte of RAM
- 3x 16-bit ADC
- STM32H753 VI →
- Number of Direct channels - 3
- Number of Fast channels - 2
- Number of Slow channels -11
- STM32H753 ZI →
- Number of Direct channels - 2
- Number of Fast channels - 9
- Number of Slow channels -17
- STM32H753 AI/STM32H753 II /STM32H753 BI →
- Number of Direct channels - 2
- Number of Fast channels - 9
- Number of Slow channels -21
- STM32H753 XI →
- Number of Direct channels - 4
- Number of Fast channels - 9
- Number of Slow channels -23
- STM32H753 VI →
- –40 to +85 °C temperature range from a 1.62 to 3.6 V power supply
- 4x I 2Cs– 4x USARTs, 4x UARTs and 1x LPUART
- a high-resolution timer, 12 general-purpose 16-bit timers, two PWM timers for motor control, five low-power timers
Rigid-Body Rotational Dynamics (Tank Spin System):
Tank Specs:
- Material → 304L Stainless Steel
Length → 15 cm
Radius → 4 cm
Thickness → 0.5 cm
Mass → 1.143 kg
Configuration:
- Thin-walled cylindrical tank approximation
Instrumented with internal thermocouples
Sealed end-cap with wiring feedthrough
Moment of Inertia (Izz):
- Izz = mR²
Izz = (1.143 kg)(0.04 m)²
Izz = 0.001829 kg·m²
Drive Torque:
- τ = 0.840 N·m
Angular Acceleration:
- α ≈ 459.4 rad/s²
Spin Rate Requirement:
- 2–3 RPM
ω ≈ 12.57 – 18.85 rad/s
Spin-Up Time:
- t = ω / α
t ≈ 27 – 41 ms
Power Estimate:
- P ≈ 6.5 W
Motor / Servo Notes:
- Torque–speed curve limits max RPM
Servo must provide ≥ 0.84 N·m stall torque
Continuous power ≥ 6.5 W
Design Task:
- Evaluate 4 candidate servos from electrical spreadsheet →
Compare torque, speed, power, and mass to select optimal model.
4.2
Required Torque
- Inertia torque at 2–3 RPM is very small
- Required torque is mostly caused by:
• Bearing friction
• Wiring and feedthrough drag (slip ring)
• Thermal strap torsion
• Propellant slosh disturbance - Primary risk: underestimating disturbance torque (testing will help)
- Required torque must remain well below actuator capability to maintain margin
Available Authority
- Actuator capability: plus/minus 0.840 N·m (possible drive torque calculated in 4.1)
- Significantly larger than inertia torque requirement
- True usable torque depends on:
• Continuous torque rating (not stall torque)
• Thermal limits
• Torque-speed performance curve
Control Margin (Minimum 30 Percent Required)
- System meets margin requirement if disturbance torque remains below actuator threshold
- Current analysis indicates large theoretical margin
- Margin must be proven through disturbance modeling and hardware testing
Saturation Limits
- Torque limited to plus/minus 0.840 N·m
- Continuous torque may be lower than peak rating
- Speed limited by actuator capability
- Controller must implement torque saturation limits
Coupling Effects With Other Subsystems
- Spacecraft bus experiences equal and opposite reaction torque
- ADCS (built in gyros) must compensate for tank spin momentum
- Power system sees peak draw during spin-up, less once reached speeds
- Structural elements add torsional stiffness and drag
- Propellant slosh introduces disturbance torque, strenuous on motor
- Possible micro-vibration coupling into IMU and attitude sensors
-Colter (not done, polishing atm)
4.3
5.1
Sensor Inventory
The sensor suite must be finalized for CoDR and justified, including:
IMU (gyroscopes and accelerometers
- ignore
Redundant rate sensing
- 2 pressure sensors
Tank temperature sensor array
- Custom from WIKA
Pump RPM and motor current sensing
- ignore
Pressure and vent-state sensing
- ignore
5.2
For each sensor, Controls shall specify:
Update rate
Accuracy and noise
Drift characteristics
Survivability under spin
Electrical interface
5.3
- Max Operating Temperatures of Components (C):
- Tank Servos: max coil temp → 130, continuous (preferable) operating temp → 90
- On Board Computer (OBC): -40 to 85 (assuming power supply 1.62V to 3.6V)
- Pressure Sensor: -40 to 125
- Watchdog timer circuit: -40 to 125
- Thermocouple to digital converter: -55 to 125
- RS-422 Transceiver Bus/Data: -65 to 150 (storage temperature), 150 max junction temperature, **highly recommended: -40 to 85
- Thermal strap details: STCH_Thermal Straps_Submitted_Q2 2024.pdf
7.1 -
| Failure Mode | Detection | Isolation / Safe Mode | Recovery |
|---|---|---|---|
| Sensor bias / dropout | Redundancy, out-of-range checks, rate checks, residuals | Flag sensor invalidity, use backup, and reduce authoriuty | Sensor reset → offset compensation where valid |
| Unexpected torque | Model vs measured residuals | Switch to damping mode, inhibit impulses | Let residuals decay and re-estimate states |
| Spin-axis misalignment | Orientation vs expected dynamics | Reduce authority, re-acquisition | Re-estimate axis and update control parameters |
| Partial power loss | Voltage / Current thresholds | Disable non-essential processes and maintain survival | Gradually restore functions as power stabilizes |
FDIR = Continuously:
Observe system state
Compare to model/expectations
Flag anomalies
Enter a safe mode
Attempt recovery
Only return to nominal when consistent
7.2
How should the spacecraft react when something goes wrong?
Detection Limits: Numerical limits or conditions the system uses to decide when something is wrong
Fallback Control Laws: Backup control strategies when the normal system fails or becomes unreliable
Degraded Authority Allocation: How to reallocate control authority when components are partially lost
Safe-Mode Entry Conditions: What to do when normal spacecraft operations fails and protects itself
Sensor Bias / Dropout
Determine the safe bounds and measure
Implement redundant sensors and estimators with reduced measurement sets
Reduce pointing bandwidth (data transfer capacity)
Unexpected Torque Impulses
Determine the normal angular velocity and acceleration
Add impulsive actuators and transition to rate-damping (detumble) control
Spin-Axis Misalignment
Determine the normal angular momentum boundaries
Measure for deviations from the expected principal axis
Enter reacquisition mode and command alignment maneuver using coarse control
Partial Power Lose
Measure bus voltage, is it less than the minimum?
Battery state-of-charge, is it less than the lowest allowable charge?
Measure current charge, is everything running well?
Transition to low-power attitude mode (sun-pointing or thermally-safe orientation) with minimal actuation
Degraded Authority Allocation
During faulted operation, control authority is reduced and reallocated to preserve stability and survivability.
Control gains are reduced to maintain robustness under uncertainty
- High-power or high-torgue actuators become disabled under power-limited conditions
- Coarse sensors replace precision sensors when necessary
- Control priority is reallocated in this order:
- Attitude stability
- Power-positive orientation
- Thermal protection
- Precision pointing (suspended until recovery)
Safe-Mode Entry Conditions
The system will autonomously enter safe mode when any condition is met:
- Loss of valid attitude determination solution
- Angular rate exceeds safe operational limit
- Multiple sensor failures detected concurrently
- Bus voltage or battery state-of-charge falls below minimal threshold
- Persistent control residuals indicating instability or unmodeled disturbance
Safe Mode Configuration
- Sun-point of thermally safe orientation
- Rate-damping control law
- Essential avionics powered only
- Non-essential payload and mission operations are suspended
Once functionality is restored to normal conditions, the system shall exit safe mode
Thermal Straps
11. Risks and Mitigations
| Risk | Probability | Trigger Condition | Severity | Mitigation/Prevention |
| Tank no longer has input from motor | MED | Motor stalls | HIGH | Appropriate calculations and safety factor to ensure tanks gets sufficient torque |
| Excessive voltage/current damages motor and produces overheating | LOW | Voltage spikes/noise | HIGH | Appropriate calculations and safety factor to ensure supplied motor voltage doesn't exceed specs |
| Tank explodes and model breaksdown due to the loss of control plant | LOW | Pressure difference in vaccum exceeds tolerable forces | HIGH | Materials and mechanics should be able to withstand the expected stress |
| LN2 Freezes | LOW | Low temperatures | HIGH | Thermal controls calcs + sims, proper sealing |
| LN2 Boils | HIGH | High temperatures | HIGH | Thermal controls calcs + sims, proper sealing |
| Connection to motor breaks | LOW | torsional stresses exceed material capability | HIGH | Materials and mechanics should be able to withstand the expected stress, evaluated from tank dynamics |
| Actuators don't supply sufficient input to reach correct temperature/rotation; Worst case: Closed loop becomes open loop, which causes rotation and thermal control to runaway, without communication of failures. | LOW | Temperature sensors fail/provide false data | MED-HIGH | no TEMU |
| Rotation and and thermal control grows/doesn't respond | LOW | Actuators malfunction | HIGH | no TEMU, cutoff power to actuators if malfunction is detected |
| Excessive output from actuators to adjust for noisy data | HIGH | Sensor noise | LOW | Implement some sort of noise filter |