3.1 

Spin-profile generation and regulation

  • Target spin rate: 2-3 RPM
  • Spin-up/down profiles: ≈0.5-0.7 ms minimum at the full 0.840 N·m torque on Izz = 0.001829 kg·m² (2-3 RPM is 0.21-0.31 rad/s; the earlier 27-41 ms figure treated it as 2-3 rev/s). The commanded ramp can be slower than this torque-limited bound.
  • Error bands: with a 3-5% error bound on 2-3 RPM the expected error is

         0.06-0.15 RPM

      In Safe Mode the allowed error is relaxed to

         0.2-0.3 RPM

  • Spin is maintained by closed-loop rate control using IMU feedback and PWM torque commands, with ±0.840 N·m saturation and ≥30% torque margin. The spin-rate setpoint is selected from the tank thermal gradient and the pressure rise rate, per the mode table below.


Thermal mixing control modes

  Mode                     | Trigger                      | Spin Rate
  -------------------------|------------------------------|---------------------------
  Nominal                  | ΔT < temperature threshold   | 2 RPM
  Thermal gradient rising  | ΔT > temperature threshold   | 3 RPM
  Pressure rising          | dp/dt > pressure threshold   | Increase RPM (within band)
  Safe mode                | Limited power                | Reduce to 1 RPM


Safe-mode stabilization logic

  Failure Mode            | Safe Mode                                                 | Spin Rate
  ------------------------|-----------------------------------------------------------|------------------------------------------------------------------
  Sensor bias / dropout   | Flag sensor invalidity, use backup, and reduce authority  | Maintain 2 RPM with reduced gains; on full dropout, ramp down slowly to the minimum survivable RPM
  Unexpected torque       | Switch to damping mode, inhibit impulses                  | Return to 2 RPM; after a large impulse reduce ω, damp oscillations, then re-acquire
  Spin-axis misalignment  | Reduce authority, re-acquire                              | Reduce to 1 RPM temporarily, then ramp slowly back to the target rate; reduce to 0 RPM only for severe misalignment
  Partial power loss      | Disable non-essential processes and maintain survival     | Reduce from 3 RPM to 2 RPM if minimal power is still available

3.2

-kareena

4.1 Design Book MCU Specs:

  • Frequency up to 480 MHz
  • 2 Mbytes of flash memory
  • 1 Mbyte of RAM
  • 3x 16-bit ADC
    • STM32H753 VI →
      • Number of Direct channels - 3
      • Number of Fast channels - 2
      • Number of Slow channels  -11
    • STM32H753 ZI →
      • Number of Direct channels - 2
      • Number of Fast channels - 9
      • Number of Slow channels  -17
    • STM32H753 AI/STM32H753 II /STM32H753 BI →
      • Number of Direct channels - 2
      • Number of Fast channels - 9
      • Number of Slow channels  -21
    • STM32H753 XI →
      • Number of Direct channels - 4
      • Number of Fast channels - 9
      • Number of Slow channels  -23
  • –40 to +85 °C temperature range from a 1.62 to 3.6 V power supply
  • 4x I²C, 4x USARTs, 4x UARTs and 1x LPUART
  • a high-resolution timer, 12 general-purpose 16-bit timers, two PWM timers for motor control, five low-power timers

Rigid-Body Rotational Dynamics (Tank Spin System):

Tank Specs:

  • Material → 304L Stainless Steel
    Length → 15 cm
    Radius → 4 cm
    Thickness → 0.5 cm
    Mass → 1.143 kg

Configuration:

  • Thin-walled cylindrical tank approximation
    Instrumented with internal thermocouples
    Sealed end-cap with wiring feedthrough

Moment of Inertia (Izz):

  • Izz = mR²
    Izz = (1.143 kg)(0.04 m)²
    Izz = 0.001829 kg·m²

Drive Torque:

  • τ = 0.840 N·m

Angular Acceleration:

  • α ≈ 459.4 rad/s²

Spin Rate Requirement:

  • 2–3 RPM
    ω = 2π·N/60 ≈ 0.209 – 0.314 rad/s
    (12.57 – 18.85 rad/s is 2–3 rev/s, i.e. 120–180 RPM, not 2–3 RPM)

Spin-Up Time:

  • t = ω / α
    t ≈ 0.46 – 0.68 ms
    This is the torque-limited lower bound (the 27–41 ms figure follows from the rev/s value above); the commanded ramp can be slower.

Power Estimate:

  • P ≈ 6.5 W (motor electrical input at its 2.8 A rating; see 6.2). Mechanical power at 0.840 N·m and 0.314 rad/s is only τ·ω ≈ 0.26 W, so the budget is set by the motor's electrical rating, not by the load.

Motor / Servo Notes:

  • Torque–speed curve limits max RPM
    Servo must provide ≥ 0.84 N·m stall torque
    Continuous power ≥ 6.5 W

Design Task:

  • Evaluate 4 candidate servos from electrical spreadsheet →
    Compare torque, speed, power, and mass to select optimal model.


4.2

Required Torque

  • Inertia torque at 2–3 RPM is very small
  • Required torque is mostly caused by:
    • Bearing friction
    • Wiring and feedthrough drag (slip ring)
    • Thermal strap torsion
    • Propellant slosh disturbance
  • Primary risk: underestimating disturbance torque (testing will help)
  • Required torque must remain well below actuator capability to maintain margin

Available Authority

  • Actuator capability: plus/minus 0.840 N·m (possible drive torque calculated in 4.1)
  • Significantly larger than inertia torque requirement
  • True usable torque depends on:
    • Continuous torque rating (not stall torque)
    • Thermal limits
    • Torque-speed performance curve

Control Margin (Minimum 30 Percent Required)

  • System meets margin requirement if disturbance torque remains below actuator threshold
  • Current analysis indicates large theoretical margin
  • Margin must be proven through disturbance modeling and hardware testing

Saturation Limits

  • Torque limited to plus/minus 0.840 N·m
  • Continuous torque may be lower than peak rating
  • Speed limited by actuator capability
  • Controller must implement torque saturation limits

Coupling Effects With Other Subsystems

  • Spacecraft bus experiences an equal and opposite reaction torque
  • ADCS (using its gyros) must compensate for the tank spin momentum
  • Power system sees peak draw during spin-up, less once at speed
  • Structural elements add torsional stiffness and drag
  • Propellant slosh introduces disturbance torque and loads the motor
  • Possible micro-vibration coupling into IMU and attitude sensors


4.3

Control Laws

Preliminary control laws shall regulate tank spin rate, manage vent-induced disturbances, and protect the system through threshold-based inhibit logic. Control shall use IMU rate feedback, pressure sensing, temperature sensing, and actuator telemetry. The controller shall enforce actuator saturation limits and transition to reduced-authority modes when sensor, power, or alignment faults are detected.

4.3.1 Spin Rate Tracking

The controller shall maintain a commanded tank spin rate within the nominal operating range of 2–3 RPM (3.1) using closed-loop feedback from the IMU. In nominal operation, the controller shall track a selected setpoint within this range. If the tank thermal gradient exceeds a defined threshold, the controller may command a higher spin rate within the allowable band to improve mixing. If the pressure rise rate exceeds a defined threshold, the controller may bias the commanded spin rate upward, provided actuator torque, current, and thermal limits are not exceeded. In safe mode, the controller shall reduce to a lower survivable spin rate and use reduced gains.

4.3.2 Vent-Thrust Logic

The controller shall treat venting as a disturbance event. Venting shall only be allowed when rate sensing is valid, no active inhibit is present, and measured spin rate is within an allowable band around the commanded value. During venting, the controller shall reduce sensitivity to transient disturbances and suppress unnecessary corrective impulses. If a vent causes angular-rate error above a defined threshold, the system shall inhibit additional venting and enter damping/recovery mode. After the disturbance decays, the controller shall smoothly return to the commanded spin rate. 

4.3.3 Safety Thresholds and Inhibit Logic

The controller shall include threshold-based inhibits for the following conditions:

  • Sensor fault: If IMU data is invalid, stale, or disagrees with backup sensing, the controller shall reduce authority, use backup sensing if available, and fall back to survivable operation if not.
  • Unexpected torque/disturbance: If rate error grows rapidly or actuator saturation persists, the controller shall enter damping mode and inhibit impulsive commands.
  • Spin-axis misalignment: If misalignment exceeds threshold, the controller shall temporarily reduce spin rate and re-acquire alignment before resuming nominal tracking.
  • Partial power loss: If available power drops below threshold, non-essential functions shall be shed and the commanded spin rate shall be reduced.
  • Thermal limit approach: If actuator or electronics temperatures approach allowable limits, the controller shall inhibit aggressive spin-up and nonessential actuation.
  • Actuator saturation: Torque commands shall be limited to actuator capability, with integral windup prevention and no further spin-rate increase while saturated.

4.3.4 Control States

The preliminary supervisory states are:

  • Nominal tracking
  • Thermal mixing mode
  • Pressure response mode
  • Vent disturbance recovery
  • Safe mode
  • Damping / re-acquisition mode
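
As an added example (not code from the original design notes), the following Python sketch implements the supervisory setpoint table from 3.1 together with the spin-rate tracking, vent-permission gate and torque-saturation/anti-windup rules from 4.3.1–4.3.3, and runs a spin-up on the rigid-body model from 4.1. The mode thresholds, the 0.5 RPM pressure-driven bias, the PI gains, the 100 µs loop period and the 0.05 N·m friction torque are assumptions chosen for the illustration; Izz = 0.001829 kg·m² and the ±0.840 N·m limit are the page's values.

```python
import math

RPM = 2.0 * math.pi / 60.0   # rad/s per RPM
I_ZZ = 0.001829              # kg·m², tank spin-axis inertia from 4.1
TAU_MAX = 0.840              # N·m, actuator saturation from 4.2

def select_setpoint_rpm(safe_mode, delta_t, dp_dt, dt_threshold, dp_threshold,
                        rpm_max=3.0, pressure_step=0.5):
    """Supervisory setpoint from the 3.1 mode table and 4.3.1.

    dt_threshold, dp_threshold and pressure_step are assumptions; the page only
    says "defined threshold" and "increase RPM within the allowable band".
    """
    if safe_mode:
        return 1.0                                    # safe mode: survivable rate
    rpm = 3.0 if delta_t > dt_threshold else 2.0     # thermal mixing vs nominal
    if dp_dt > dp_threshold:
        rpm = min(rpm + pressure_step, rpm_max)       # pressure rising: bias up, stay in band
    return rpm

def vent_permitted(rate_valid, inhibit_active, omega, omega_cmd, band):
    """4.3.2 gate: vent only with valid rate sensing, no inhibit, and |ω − ω_cmd| ≤ band."""
    return bool(rate_valid) and not inhibit_active and abs(omega - omega_cmd) <= band

class RateController:
    """PI spin-rate loop with torque saturation and clamping anti-windup (4.3.3)."""

    def __init__(self, kp, ki, tau_max=TAU_MAX):
        self.kp, self.ki, self.tau_max = kp, ki, tau_max
        self.integral = 0.0

    def update(self, omega_cmd, omega_meas, dt):
        err = omega_cmd - omega_meas
        tau_unsat = self.kp * err + self.ki * self.integral
        tau = max(-self.tau_max, min(self.tau_max, tau_unsat))
        saturated = tau != tau_unsat
        # integrate only when not saturated, or when the error would unwind the saturation
        if not saturated or err * tau_unsat < 0.0:
            self.integral += err * dt
        return tau, saturated

def simulate_spin_up(rpm_cmd, seconds=0.5, dt=1e-4, kp=4.0, ki=400.0, tau_friction=0.05):
    """Spin the 4.1 rigid body up from rest; gains, loop period and friction are assumptions."""
    ctrl = RateController(kp, ki)
    omega, omega_cmd = 0.0, rpm_cmd * RPM
    tau_peak, saturated_steps = 0.0, 0
    for _ in range(int(round(seconds / dt))):
        tau, sat = ctrl.update(omega_cmd, omega, dt)
        saturated_steps += int(sat)
        tau_peak = max(tau_peak, abs(tau))
        friction = tau_friction if omega > 0.0 else 0.0   # bearing drag opposes rotation
        omega += (tau - friction) / I_ZZ * dt             # I·dω/dt = τ − τ_friction
    return {"omega_rpm": omega / RPM, "tau_peak": tau_peak,
            "saturated_steps": saturated_steps,
            "within_3pct": abs(omega / RPM - rpm_cmd) <= 0.03 * rpm_cmd}

if __name__ == "__main__":
    print(select_setpoint_rpm(False, 6.0, 2.0, dt_threshold=5.0, dp_threshold=1.0))
    print(simulate_spin_up(3.0))
```

The spin-up to 3 RPM saturates the actuator for the first few loop cycles and then settles inside the 3% error band of 3.1, with the integral term absorbing the constant friction torque; the clamping rule keeps the integrator from winding up while the command is pinned at ±0.840 N·m.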


5.1

Sensor Inventory

The sensor suite must be finalized for CoDR and justified, including:

IMU (gyroscopes and accelerometers)

  • ignore

Redundant rate sensing

  • 2 pressure sensors

Tank temperature sensor array

  • Custom from WIKA

Pump RPM and motor current sensing

  • ignore

Pressure and vent-state sensing

  • ignore

5.2

ADI / Trinamic QSH5718-51-28-101 (Mouser)

Note: This is a stepper motor (actuator), not a sensor.

  • Update rate: N/A (set by motor driver command rate)
  • Accuracy & noise: Step angle accuracy ~5% of step angle; “noise” is mechanical/EMI and driver-dependent
  • Drift: N/A (no sensor drift spec; temperature affects coil resistance/torque, but should be minimal)
  • Survivability under spin: Not specified; the motor is the spinning element itself
  • Electrical interface: 4-wire, 2-phase stepper; requires stepper drive 

TE Connectivity 4525DO-DS3AI005DS (MS4525DO family pressure sensor)

  • Update rate: 0.5 ms update time (~up to 2 kHz fresh data); 8.4 ms power-on to data ready
  • Accuracy & noise: ±0.25% span (25°C BFSL); ±1% span total error band over compensated temp range; no explicit RMS noise spec (digital output)
  • Drift: Long-term stability (offset & span) ±0.5% span
  • Survivability under spin: No spin rating; has shock + vibration ratings (MIL-STD-202 methods)
  • Electrical interface: I²C or SPI, 3.3 V variant; shared pins for SDA/MISO, SCL/SCLK, INT/SS; selectable I²C addresses
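
Added example (not part of the original page): decoding the 4-byte MS4525DO read into its status bits, 14-bit pressure count and 11-bit temperature, using the type-A transfer function (10%–90% of 2¹⁴ counts spans the pressure range) and T = raw·200/2047 − 50 °C from the MS4525DO datasheet, and rejecting stale or faulted frames before estimating dp/dt for the pressure-rising trigger in 3.1. The ±5 psi span and the frames themselves are constructed for the illustration; set p_min/p_max from the datasheet of the ordered variant.

```python
FULL_SCALE = 16383                       # 2^14 − 1 counts

def decode_ms4525do(frame, p_min, p_max):
    """Decode one 4-byte MS4525DO read (I²C and SPI deliver the same byte layout)."""
    if len(frame) < 4:
        raise ValueError("MS4525DO frame needs 4 bytes")
    status = frame[0] >> 6                           # 00 normal, 01 command mode, 10 stale, 11 fault
    counts = ((frame[0] & 0x3F) << 8) | frame[1]     # 14-bit bridge output
    t_raw = (frame[2] << 3) | (frame[3] >> 5)        # 11-bit temperature
    # type-A transfer function: 10 % .. 90 % of full scale spans p_min .. p_max
    pressure = (counts - 0.1 * FULL_SCALE) * (p_max - p_min) / (0.8 * FULL_SCALE) + p_min
    temp_c = t_raw * 200.0 / 2047.0 - 50.0
    return {"status": status, "valid": status == 0, "stale": status == 2,
            "fault": status == 3, "counts": counts, "pressure": pressure, "temp_c": temp_c}

def pressure_rate(readings, p_min, p_max):
    """dp/dt between the first and last *valid* frames; None if fewer than two are usable."""
    valid = []
    for t, frame in readings:
        r = decode_ms4525do(frame, p_min, p_max)
        if r["valid"]:                                # stale/fault frames must not feed the trigger
            valid.append((t, r["pressure"]))
    if len(valid) < 2:
        return None
    (t0, p0), (t1, p1) = valid[0], valid[-1]
    return (p1 - p0) / (t1 - t0)

# Constructed frames (not captured from hardware); ±5 psi span assumed, times in seconds.
CONSTRUCTED_FRAMES = [
    (0.0, bytes.fromhex("20006000")),   # 8192 counts ≈ 0 psi, ~25 °C
    (1.0, bytes.fromhex("228F6000")),   # 8847 counts ≈ 0.5 psi
    (1.5, bytes.fromhex("A28F6000")),   # same reading but status 10 (stale): ignored
    (2.0, bytes.fromhex("251E6000")),   # 9502 counts ≈ 1.0 psi
]

if __name__ == "__main__":
    for t, f in CONSTRUCTED_FRAMES:
        print(t, decode_ms4525do(f, -5.0, 5.0))
    print("dp/dt =", pressure_rate(CONSTRUCTED_FRAMES, -5.0, 5.0), "psi/s")
```

A status of 10 means the sensor has not produced new data since the last read; treating that frame as a fresh measurement would make the dp/dt estimate look flat, so the rate estimator skips it, which is the "rate sensing valid" style check the 4.3.3 inhibit logic relies on.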

Custom Thermocouple Array (tank temperature mapping) (ballpark)

  • Purpose: Multi-point temperature sensing to prevent tank overheating/freezing
  • Interfaces (typical): Thermocouple junctions → harness/connector → cold-junction compensation + analog-to-digital converter module (system-level). Not a "smart sensor" by default: it needs an external device (the MAX31856 in 6.2) to interpret the data.

5.3

  • Max Operating Temperatures of Components (C):
    • Tank Servos: max coil temp → 130, continuous (preferable) operating temp → 90
    • On Board Computer (OBC): -40 to 85 (assuming power supply 1.62V to 3.6V)
    • Pressure Sensor: -40 to 125
    • Watchdog timer circuit: -40 to 125
    • Thermocouple to digital converter: -55 to 125
    • RS-422 transceiver (bus/data): -65 to 150 (storage temperature), 150 max junction temperature; highly recommended operating range: -40 to 85
  • Thermal strap details: STCH_Thermal Straps_Submitted_Q2 2024.pdf

6.2

Responsibility for this handed over to Electrical. Use Electrical CoDR slides as the definitive source. Some numbers have been updated to match.

Tank Motors

  • QSH5718-51-28-101
  • We are using the -51-28-101 because we need high enough torque but there isn't enough space for a longer motor.
  • Interface: Controlled by driver
  • Expected Inputs: Rated for 2.8 A current, which is where we plan to run it. We are still determining optimal supply voltage, which will be handled by the driver, but power input is budgeted at 6.51 W.
  • Driver Range: 9.296 V to 51.128 V
  • Startup Behavior: See drivers.
  • Transient Behavior: See drivers. During motor standstill, motor torque will be reduced to the minimum necessary to hold the static load (experimentally determined).
  • Emergency Cutoff: Cut off power at 150% of rated current/motor torque (4.2 A) or higher (the documentation says to operate there only for a few seconds); 125% (3.5 A) is safe for a short period. For voltage, we will use 125% of rated voltage (2.875 V) as the maximum, following the documentation's interpretation of the current rating.
  • Safe Mode: OFF

Motor Driver

  • DRV8452
  • Interface: SPI. Options are SPI and H/W, we chose SPI for compatibility with MCU and already-written firmware
  • Expected Inputs: 3.3V logic supply voltage 28 V power rail
  • Startup Behavior: Microstepping should reduce issues during startup or output change.
  • Transient Behavior: Low-current sleep mode (3 uA), standstill power-saving mode
  • Emergency Cutoff: Voltage over 55 V. Driver has built-in safety features, including undervoltage lockout and overcurrent protection.
  • Safe Mode: OFF

OBC

  • STM32H753xI
  • Expected Inputs: 3.30 V, 0.220 A.
  • Startup Behavior: We can specify the boot memory space using the bootloader located in non-user system memory. This reprograms the flash memory through an interface (options include FDCAN, USART, I2C, SPI and USB; we will choose SPI for consistency and speed). At startup, inrush current may be as high as 8 mA.
  • Transient Behavior: N/A
  • Emergency Cutoff: The device includes automatic reset when the supply goes above a programmable threshold or below a brownout threshold. We can program any upper threshold and have three options for the brownout threshold; we will choose the medium one, with a typical rising-edge threshold of 2.41 V, as this is suitably far from the expected 3.30 V. Upper reset will occur at 3.6 V (the maximum for general operating conditions).
  • Safe Mode: ON

Pressure Sensor

  • 4525DO-DS3AI005DS
  • Interface: SPI (designed for I2C or SPI; SPI is faster than I2C)
  • Voltage: 3.30 V, same in uplink/downlink (two modes: 3.3 or 5.0 V; 3.3 is sufficient)
  • Current: 3.00 mA, 1.00 μA in uplink/downlink (3.00 mA is the maximum rating; 1.00 μA is the reduced draw in uplink/downlink to lower power consumption)
  • Startup Behavior: 8.4 ms until data ready
  • Transient Behavior: Low-power standby mode (< 1uA current) can be activated as necessary
  • Emergency Cutoff: Above maximum supply voltage (5.5 V) or above 125% expected current (3.75 mA)
  • Safe Mode: Low Power Mode

Watchdog

  • STWD100 Watchdog
  • Interface: GPIO (only option)
  • Supply Voltage: 5.00 V, same in uplink/downlink (range 2.7 to 5.5 V; 5.00 V is a safe value)
  • Current: 26.0 μA, same in uplink/downlink (maximum, so budget for that, but we expect to use closer to 13.0 μA)
  • Emergency Cutoff: Voltage over 7.0 V or below 1.9 V, current over 26.0 μA
  • Safe Mode: ON

Thermocouple to Digital Converter

  • MAX31856
  • Interface: SPI (only option)
  • Supply Voltage: 3.3 V, same in uplink/downlink (typical)
  • Supply Current: 2.0 mA, 10 μA in uplink/downlink (standby max)
  • Startup Behavior: We believe this will need to be reconfigured every time it loses power or power is cut off. Configuration will happen via the OBC.
  • Transient Behavior: Standby option, which we do not plan to use but could use as necessary.
  • Emergency Cutoff: Recommended operating conditions go up to 2 mA and 3.6 V; the absolute maximum rating is 4.0 V. The device has automatic overvoltage and undervoltage thresholds with hysteresis to reject unreasonable values. For current, we will cut off at 2.5 mA (125% of the normal maximum).
  • Safe Mode: OFF

RS-422 Transceiver

  • ISO35T Isolated 3.3V RS-485 Transceiver With Integrated Transformer Driver
  • Interface: GPIO (4 pins)
  • Expected Inputs: 3.3 V, 16 mA for the bus side and 3.3 V, 8 mA for the data side (typical recommended operating conditions for voltage, reasonable maximums for current)
  • Startup Behavior: No delays anticipated; the integrated transformer driver runs at a 350 kHz switching frequency from startup (this is the ISO35T's transformer driver, not a watchdog property)
  • Transient Behavior: N/A
  • Emergency Cutoff: Either voltage reaches 6 V, or current exceeds 125% of the planned value. If we use a lower, more typical current, we will cut off at the expected input currents above.
  • Safe Mode: ON

Voltage/Current/Power Monitor

  • INA232
  • Interface: I2C (only option)
  • Expected Inputs: 3.3 V, 300 uA
  • Startup Behavior: Power-on reset threshold is 0.95 V
  • Transient Behavior: During shutdown, 3 uA of current is expected.
  • Emergency Cutoff: Voltage > 6 V (absolute maximum) or Current > 500 uA (maximum expected under any condition)
  • Safe Mode: ON

7.1 -


  Failure Mode            | Detection                                               | Isolation / Safe Mode                                       | Recovery
  ------------------------|---------------------------------------------------------|-------------------------------------------------------------|---------------------------------------------------
  Sensor bias / dropout   | Redundancy, out-of-range checks, rate checks, residuals | Flag sensor invalidity, use backup, and reduce authority    | Sensor reset → offset compensation where valid
  Unexpected torque       | Model vs measured residuals                             | Switch to damping mode, inhibit impulses                    | Let residuals decay and re-estimate states
  Spin-axis misalignment  | Orientation vs expected dynamics                        | Reduce authority, re-acquisition                            | Re-estimate axis and update control parameters
  Partial power loss      | Voltage / current thresholds                            | Disable non-essential processes and maintain survival       | Gradually restore functions as power stabilizes


FDIR = Continuously:

  1. Observe system state

  2. Compare to model/expectations

  3. Flag anomalies

  4. Enter a safe mode

  5. Attempt recovery

  6. Only return to nominal when consistent
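
Added example, not from the original notes: a minimal FDIR loop over constructed telemetry that applies the detection column of the table above (redundancy, out-of-range, staleness, model-vs-measured residual, bus-voltage threshold), latches the highest-priority safe mode, and returns to nominal only after three consecutive clean cycles. All numeric limits, the Sample fields, the 24 V floor on the 28 V driver rail from 6.2, and the telemetry sequence itself are assumptions or constructed data; Izz is the page's value.

```python
from dataclasses import dataclass

I_ZZ = 0.001829   # kg·m², tank spin-axis inertia (4.1)

@dataclass
class Sample:
    t: float             # s
    omega_imu: float     # rad/s, primary IMU rate about the spin axis
    omega_backup: float  # rad/s, redundant rate source
    imu_age: float       # s since the IMU last delivered a fresh frame
    tau_cmd: float       # N·m, net torque applied since the previous sample
    bus_v: float         # V, motor/driver rail (28 V nominal in 6.2)

@dataclass
class Limits:
    # assumed detection limits; the page leaves them "to be defined"
    omega_max: float = 0.6     # rad/s (~6 RPM): out-of-range
    disagree: float = 0.02     # rad/s: IMU vs backup
    stale_age: float = 0.05    # s: IMU data considered stale
    residual: float = 0.05     # rad/s: model-vs-measured
    bus_v_min: float = 24.0    # V: partial power loss

def best_rate(s, lim):
    """Use the IMU when fresh and in range, otherwise fall back to the backup source."""
    imu_ok = s.imu_age <= lim.stale_age and abs(s.omega_imu) <= lim.omega_max
    return (s.omega_imu if imu_ok else s.omega_backup), imu_ok

def detect(prev, cur, lim):
    """Detection column of the 7.1 table; returns the list of raised flags."""
    flags = []
    omega, imu_ok = best_rate(cur, lim)
    if cur.imu_age > lim.stale_age:
        flags.append("imu_stale")
    if abs(cur.omega_imu) > lim.omega_max:
        flags.append("imu_out_of_range")
    if imu_ok and abs(cur.omega_imu - cur.omega_backup) > lim.disagree:
        flags.append("imu_backup_disagree")
    if prev is not None:                     # model vs measured: ω_pred = ω_prev + τ·Δt/I
        prev_omega, _ = best_rate(prev, lim)
        predicted = prev_omega + cur.tau_cmd / I_ZZ * (cur.t - prev.t)
        if abs(omega - predicted) > lim.residual:
            flags.append("torque_residual")
    if cur.bus_v < lim.bus_v_min:
        flags.append("power_low")
    return flags

# Isolation column: which safe mode each flag demands, and their precedence.
SAFE_MODE_FOR = {"imu_stale": "reduced_authority", "imu_out_of_range": "reduced_authority",
                 "imu_backup_disagree": "reduced_authority",
                 "torque_residual": "damping", "power_low": "survival"}
PRIORITY = ["survival", "damping", "reduced_authority", "nominal"]

class FDIR:
    """Observe → compare → flag → safe mode → recover → nominal only when consistent."""

    def __init__(self, lim, clear_cycles=3):
        self.lim, self.clear_cycles = lim, clear_cycles
        self.state, self.clean, self.prev = "nominal", 0, None

    def step(self, sample):
        flags = detect(self.prev, sample, self.lim)
        self.prev = sample
        if flags:
            wanted = {SAFE_MODE_FOR[f] for f in flags} | {self.state}   # latch the current mode
            self.state = next(m for m in PRIORITY if m in wanted)
            self.clean = 0
        else:
            self.clean += 1
            if self.state != "nominal" and self.clean >= self.clear_cycles:
                self.state = "nominal"
        return self.state, flags

# Constructed telemetry (not flight data): 2 RPM nominal, a torque impulse, a stale IMU
# frame during recovery, three clean cycles, then a bus-voltage drop.
CONSTRUCTED = [
    Sample(0.000, 0.2094, 0.2094, 0.0005, 0.0, 28.0),
    Sample(0.001, 0.2094, 0.2094, 0.0005, 0.0, 28.0),
    Sample(0.002, 0.2800, 0.2800, 0.0005, 0.0, 28.0),   # unexpected torque impulse
    Sample(0.003, 0.2800, 0.2800, 0.0005, 0.0, 28.0),
    Sample(0.004, 0.2800, 0.2800, 0.2000, 0.0, 28.0),   # IMU dropout: stale frame
    Sample(0.005, 0.2800, 0.2800, 0.0005, 0.0, 28.0),
    Sample(0.006, 0.2800, 0.2800, 0.0005, 0.0, 28.0),
    Sample(0.007, 0.2800, 0.2800, 0.0005, 0.0, 28.0),
    Sample(0.008, 0.2800, 0.2800, 0.0005, 0.0, 20.0),   # partial power loss
]

def run_constructed(lim=None):
    fdir = FDIR(lim or Limits())
    return [fdir.step(s)[0] for s in CONSTRUCTED]

if __name__ == "__main__":
    print(run_constructed())
```

The stale IMU frame arriving while the loop is already in damping does not downgrade the state to reduced authority: the current mode is kept in the candidate set and the highest-priority mode wins, and the clean-cycle counter restarts, so the loop only returns to nominal after three consecutive anomaly-free samples.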


7.2

How should the spacecraft react when something goes wrong?

Detection Limits: Numerical limits or conditions the system uses to decide when something is wrong

Fallback Control Laws: Backup control strategies when the normal system fails or becomes unreliable

Degraded Authority Allocation: How to reallocate control authority when components are partially lost

Safe-Mode Entry Conditions: The conditions under which normal operation is abandoned and the spacecraft protects itself

Sensor Bias / Dropout

Determine the safe bounds and measure

Implement redundant sensors and estimators with reduced measurement sets

Reduce pointing bandwidth (controller bandwidth, not data-transfer capacity)

Unexpected Torque Impulses

Determine the normal angular velocity and acceleration

Inhibit impulsive actuators and transition to rate-damping (detumble) control

Spin-Axis Misalignment

Determine the normal angular momentum boundaries

Measure for deviations from the expected principal axis

Enter reacquisition mode and command alignment maneuver using coarse control

Partial Power Loss

Measure bus voltage, is it less than the minimum?

Battery state-of-charge, is it less than the lowest allowable charge?

Measure current charge, is everything running well?

Transition to low-power attitude mode (sun-pointing or thermally-safe orientation) with minimal actuation

Degraded Authority Allocation

During faulted operation, control authority is reduced and reallocated to preserve stability and survivability.

Control gains are reduced to maintain robustness under uncertainty

  • High-power or high-torque actuators are disabled under power-limited conditions
  • Coarse sensors replace precision sensors when necessary
  • Control priority is reallocated in this order:
  1. Attitude stability
  2. Power-positive orientation
  3. Thermal protection
  4. Precision pointing (suspended until recovery)


Safe-Mode Entry Conditions

The system will autonomously enter safe mode when any condition is met:

  • Loss of valid attitude determination solution
  • Angular rate exceeds safe operational limit
  • Multiple sensor failures detected concurrently
  • Bus voltage or battery state-of-charge falls below minimal threshold
  • Persistent control residuals indicating instability or unmodeled disturbance


Safe Mode Configuration

  • Sun-pointing or thermally safe orientation
  • Rate-damping control law
  • Essential avionics powered only
  • Non-essential payload and mission operations are suspended


Once functionality is restored to normal conditions, the system shall exit safe mode


8.4

Correction for the tank using the ADCS

We used angular momentum to (very roughly) estimate the effect of our payload on the overall satellite, and thus the effect that the ADCS will need to correct for.

Assumptions:

  • The tank is a hollow cylinder (15 cm height, 5 cm outer radius, 0.5 cm wall; note the 5 cm radius here versus the 4 cm used in 4.1)
  • The propellant/fluid is a second cylinder completely filling the first and rotating with the tank
  • The overall satellite is at least 50 kg (our payload is ~2.5 kg, so this assumption seems reasonable) and is a 1 m × 1 m × 1 m cube (volume based approximately on NASA's SMAP satellite, which has a 79 kg payload and 1.215 m³ volume)
  • The tank is located at the center of the satellite


mtank = 1.791 kg
mfluid = 0.771 kg
mt+f = 2.562 kg

Itank = 0.00405 kg·m²
Ifluid = 0.00181 kg·m²
It+f = 0.00587 kg·m²

Lt+f = 0.0135 kg·m²/s

Isat = 8.333 kg·m²

ωsat = −0.00162 rad/s

That is, if no correction occurred during spin-up the satellite would rotate approximately once per hour. This is not insignificant, but it corresponds to only 0.0135 J of rotational energy. Using a spin-up time of 5 s, completely negating this would require 0.00307 W during spin-up, less than 0.1% of our current science-mode power budget, and only for a very short period.

Further disturbances would be minimal, and would take even less power to correct. We will closely report tank activity during spin-up, spin-down, and if anything goes wrong, ADCS bus will be notified. Minor disturbances can be corrected for non-urgently by ADCS. ADCS can also be provided with tank monitoring information, if necessary.

Now we drop the assumption that the tank is at the center and give it the maximum displacement of 50 cm. This greatly increases the tank's moment of inertia about the satellite axis (parallel-axis term mt+f·d²), giving ωsat' = −0.406 rad/s. This rotational velocity would be unacceptable, even for a short period. Fully correcting for the torque during spin-up would then require 0.338 W, still under 5% of our total power budget. Further disturbances would have a larger effect than with the tank at the center, but would still take minimal power to correct.

As a dead-center position is unlikely to be possible and we do not currently know the satellite size, we present these relations to calculate power usage or acceptable distance, with ωt+f = 5.236 rad/s (50 RPM, the rate used in the estimates above) and t = 5 s:

P = (It+f + mt+f·d²)·ωt+f / (2t) = (0.00587 kg·m² + 2.562 kg · d²) · 5.236 s⁻¹ / (2 · 5 s)

d = √( 2tP / (ωt+f·mt+f) − It+f / mt+f )

Note that the satellite mass or size does not affect these values. What it does affect is how large the effect of any delay in correcting for spin-up will be.
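
Added worked check (not from the original notes) that recomputes the estimate above from its stated assumptions with ω, d and t as parameters. Assumed densities: 8000 kg/m³ for 304L and 808 kg/m³ for liquid nitrogen, which reproduce the 1.791 kg and 0.771 kg masses. Two things differ from the numbers above and are worth knowing: the page's Ifluid = 0.00181 kg·m² is close to the transverse-axis value (1/12)m(3r²+h²), whereas about the spin axis a solid cylinder has ½mr² ≈ 0.00078 kg·m², lowering It+f to about 0.00483 kg·m²; and Iω/(2t) has units of N·m rather than watts, so the block reports the average torque L/t alongside the energy-based power ½Iω²/t. The spin_up_time helper carries the 4.1 chain (α = τ/I, t = ω/α) through for the 2–3 RPM requirement.

```python
import math

RHO_304L = 8000.0   # kg/m³, assumed; reproduces the page's 1.791 kg tank mass
RHO_LN2 = 808.0     # kg/m³, assumed (liquid nitrogen near 77 K); reproduces 0.771 kg

def rpm_to_rad_s(rpm):
    return rpm * 2.0 * math.pi / 60.0

def hollow_cylinder(rho, r_in, r_out, h):
    """Mass and spin-axis inertia ½m(r_in² + r_out²) of a thick-walled tube."""
    m = rho * math.pi * (r_out**2 - r_in**2) * h
    return m, 0.5 * m * (r_in**2 + r_out**2)

def solid_cylinder(rho, r, h):
    """Mass and spin-axis inertia ½mr² of a solid cylinder (the fluid)."""
    m = rho * math.pi * r**2 * h
    return m, 0.5 * m * r**2

def spin_up_time(tau, inertia, omega):
    """4.1 chain: α = τ/I, t = ω/α, i.e. the torque-limited lower bound in seconds."""
    return omega * inertia / tau

def adcs_budget(omega, d=0.0, t_spinup=5.0, m_sat=50.0, side=1.0):
    """Momentum the bus must absorb when the tank spins up to omega (rad/s) in t_spinup.

    d is the tank offset from the satellite centre (m); m_sat and side describe the
    page's uniform 50 kg, 1 m cube (I = M·a²/6 about a central axis).
    """
    m_t, I_t = hollow_cylinder(RHO_304L, 0.045, 0.050, 0.15)   # 5 cm outer, 0.5 cm wall
    m_f, I_f = solid_cylinder(RHO_LN2, 0.045, 0.15)            # fluid fills the bore
    m = m_t + m_f
    I_eff = I_t + I_f + m * d**2          # parallel-axis shift of the whole tank
    I_sat = m_sat * side**2 / 6.0
    L = I_eff * omega                     # angular momentum handed to the bus
    return {
        "m_tank": m_t, "m_fluid": m_f, "I_tank": I_t, "I_fluid": I_f, "I_eff": I_eff,
        "L": L,
        "omega_sat": -L / I_sat,                         # bus rate if nothing corrects it
        "tau_avg": L / t_spinup,                         # mean ADCS torque to hold the bus
        "power_rot": 0.5 * I_eff * omega**2 / t_spinup,  # tank rotational energy / spin-up time
    }

if __name__ == "__main__":
    for d in (0.0, 0.5):
        b = adcs_budget(rpm_to_rad_s(50.0), d=d)
        print(f"d={d} m: I_eff={b['I_eff']:.5f} kg·m²  omega_sat={b['omega_sat']:.5f} rad/s "
              f"tau_avg={b['tau_avg']:.4f} N·m  power_rot={b['power_rot']:.4f} W")
    for rpm in (2.0, 3.0):
        print(f"{rpm} RPM spin-up at 0.840 N·m: "
              f"{spin_up_time(0.840, 0.001829, rpm_to_rad_s(rpm)) * 1e3:.2f} ms")
```

With the page's 50 RPM and 5 s, the centred case gives ωsat ≈ −0.0030 rad/s (a bus revolution every ~35 min on the corrected inertia) and the 50 cm offset reproduces the −0.405 rad/s figure above; the helper also shows that 2–3 RPM at full torque is a 0.46–0.68 ms spin-up, the value 4.1 should carry.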

Thermal Straps



11. Risks and Mitigations

  Risk | Probability | Trigger Condition | Severity | Mitigation/Prevention
  -----|-------------|-------------------|----------|----------------------
  Tank no longer has input from motor | MED | Motor stalls | HIGH | Appropriate calculations and safety factor to ensure the tank gets sufficient torque
  Excessive voltage/current damages motor and produces overheating | LOW | Voltage spikes/noise | HIGH | Appropriate calculations and safety factor to ensure the supplied motor voltage doesn't exceed specs
  Tank explodes and the model breaks down due to loss of the control plant | LOW | Pressure difference in vacuum exceeds tolerable forces | HIGH | Materials and mechanics should be able to withstand the expected stress
  LN2 freezes | LOW | Low temperatures | HIGH | Thermal control calcs + sims, proper sealing
  LN2 boils | HIGH | High temperatures | HIGH | Thermal control calcs + sims, proper sealing
  Connection to motor breaks | LOW | Torsional stresses exceed material capability | HIGH | Materials and mechanics should be able to withstand the expected stress, evaluated from tank dynamics
  Actuators don't supply sufficient input to reach the correct temperature/rotation; worst case: the closed loop becomes open loop and rotation and thermal control run away without the failure being communicated | LOW | Temperature sensors fail/provide false data | MED-HIGH | no TEMU
  Rotation and thermal control grow/don't respond | LOW | Actuators malfunction | HIGH | no TEMU; cut off power to actuators if a malfunction is detected
  Excessive output from actuators to adjust for noisy data | HIGH | Sensor noise | LOW | Implement some sort of noise filter


