In the space environment, handling secure communications presents unique complications. For example, the electronics must tolerate large temperature gradients. Specifically, two different sides of a component can be at opposite temperature extremes, e.g., the side facing the sun is hot and the side facing away from the sun is cold. Free-floating radiation, e.g., photons and neutrons, can penetrate an electronic device and cause the electronics to malfunction, e.g., flip a bit (1 to 0 or 0 to 1), which could corrupt data communications or cause an erroneous result to be output.
Additionally, the component architecture must usually consider communications security (COMSEC) requirements to protect sensitive information and significant governmental interests. Currently, government satellite information is required to be secured with Type 1 encryption, and current modules are classified and thus impose significant hardships (i.e., costs, time, security measures, inventory controls) on satellite vendors.
There are generally two approaches to countering or mitigating the potential for error in a system: redundancy and independence. With redundancy, multiple copies of the same component perform the same functions, usually in lock-step, and each component obtains a result. The results are usually the same and are therefore considered the correct result. There is, however, an inherent flaw in the redundancy approach when the result reached by each component is incorrect. Because of the redundancy in the components, the components make the same error and thus determine the same incorrect result. For example, the components may be affected by free-floating radiation in space. Even with redundancy, i.e., multiple copies of the same component performing the same functions, the result may be incorrect because each of the components was affected by the radiation and thus made the same error.
With independence, multiple components reach the result without an exchange of information between/among themselves. The components could be multiple copies of the same component or different components performing the same calculations. In either instance, if the components reach the same result, then presumably the result is a correct result because none of the components communicated with each other and thus did not influence any other result. However, the inherent flaw in the independent approach arises when different results are provided and there is no indication which of the possible results is correct. Thus, with the current architecture, errors may occur unnoticed or, if an error is noted, the error may not be correctable.
One known method for countering errors caused by penetration of free-floating radiation is triple mode redundancy (TMR). TMR is a technique in which the results of three implementations of the same function are voted on by a voting circuit to determine an output. Using TMR, an electronic component can, at times, continue to operate in spite of an error. A TMR implementation may be a register technique where each register is implemented by three flip-flops (or latches) that “vote” to determine the state of the register. Alternatively, combinatorial cells could be used instead of flip-flops or latches. However, there are still flaws with such a mitigation technique, particularly if one of the registers becomes temporarily or permanently non-operable. The TMR mitigation technique then becomes insufficient because only two of the three registers are operable.
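The voting behaviour and the two failure modes described above (a non-operable register, and the same error in every copy), shown as an added example that is not part of the original text. The 8-bit register width, the stuck-at-zero model for the non-operable copy, and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Bitwise 2-of-3 majority: each output bit is the value held by at least
 * two of the three register copies. */
static uint8_t tmr_vote(uint8_t a, uint8_t b, uint8_t c) {
    return (uint8_t)((a & b) | (a & c) | (b & c));
}

/* Bit positions where the copies are not unanimous. Nonzero means the voter
 * saw an upset; zero means either no error or the same error in all copies. */
static uint8_t tmr_disagree(uint8_t a, uint8_t b, uint8_t c) {
    return (uint8_t)((a ^ b) | (a ^ c));
}

int main(void) {
    const uint8_t good = 0xA5;   /* constructed sample register contents */
    const uint8_t stuck = 0x00;  /* assumed failure model: dead copy reads 0 */

    /* 1. One bit flips in one copy: outvoted, and the disagreement is visible. */
    printf("single upset:      out=%02X disagree=%02X\n",
           tmr_vote(good, good ^ 0x10, good),
           tmr_disagree(good, good ^ 0x10, good));

    /* 2. One copy is non-operable, the other two still agree: output holds. */
    printf("one copy dead:     out=%02X\n", tmr_vote(good, good, stuck));

    /* 3. One copy dead and one bit flips in a live copy: the dead copy sides
     *    with the flipped bit, so the voter outputs the wrong value. */
    printf("dead + upset:      out=%02X (expected %02X)\n",
           tmr_vote(good, good ^ 0x04, stuck), good);

    /* 4. The same flip in all three copies: wrong output, nothing flagged. */
    printf("common-mode error: out=%02X disagree=%02X\n",
           tmr_vote(good ^ 0x01, good ^ 0x01, good ^ 0x01),
           tmr_disagree(good ^ 0x01, good ^ 0x01, good ^ 0x01));
    return 0;
}
```

Case 3 depends on the flipped bit matching the dead copy's stuck value; a flip that the stuck value happens to oppose is still outvoted, so the failure is data-dependent rather than certain.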
Further, current architecture is generally not able to correct for errors during operation because the electronic components have fixed programming as a consequence of an effort to “harden” components against radiation influences. The term “hardened” (or “hard”) refers to forming the electronic component in such a way that the electronic component is resistant to penetration by free-floating radiation, i.e., relatively unaffected by free-floating radiation.
The architecture of electronics in space, however, needs the ability to accommodate and correct for errors as they arise, e.g., by inactivating a component for reprogramming. For instance, after a space vehicle is in orbit, a need can arise that requires modification of the electronics. In order to provide such adaptability, the communications security (COMSEC) must be modifiable. Currently available space devices have limited, if any, flexibility because fixed cryptographic algorithms are used and there is a fixed number of channels available.
Current architecture can be considered radiation resistant, i.e., able to withstand particle penetration, if designed as such. Such electronic components are, for example, silicon on sapphire (SOS) or silicon on insulator (SOI). While there is a benefit to being radiation resistant, the functions of such components are fixed. There is no flexibility to adapt the components, e.g., to re-program a component, to changing mission needs, or even to correct for internal errors.
Moreover, different electrical components within a device may function at different levels with regard to maintaining, sending and receiving non-critical and critical information. For non-critical information, it is possible to include bit error checking, and even some bit error correcting, while a component is in use. However, with critical information, not even one bit may be in error; otherwise, the information is corrupted and not recoverable.