Technical, Security, and Regulatory Considerations When Planning the Use of Simplex Telecommand Systems in Small Satellites
Jan A. King
Radio Amateur Satellite Corp. (AMSAT)
June 6, 2004
The availability of low cost transmitter/receiver hardware in SIMPLEX operation, has come to the attention of many of the universities developing small satellite systems. The concept of using this telecommunications hardware, upgraded for space use, is attractive and has many advantages for low-cost systems. Among the advantages are:
These advantages are compelling. However, one must consider these advantages in the light of other important considerations. It is our intent here to outline the overall “cost” of using simplex telecommunications equipment on board a small satellite system. These recommendations made (and insights provided) are based on many years of AMSAT experience in operating small satellite systems. There are network reliability, satellite security, and regulatory factors that should be considered before final choices for the telecommunications equipment and method of operation are determined for any particular satellite system.
2.0 Technical Considerations:
There are several purely technical factors that should be considered before a satellite project chooses to use a simplex telecom system. Some of the issues may be well understood, however, there are others that may be less obvious.
2.1 The Doppler Effect:
The apparent shift in frequency caused by the velocity of a satellite relative to an observer is proportional to both the absolute frequency of the transmitter and the satellite’s velocity. It is worth noting, by the way, that not only the carrier frequency is shifted but, the modulating frequency is also Doppler-shifted. The appropriate relationship here is:
where: f ‘ = Doppler-shifted carrier or modulation frequency
fo = nominal carrier frequency or mean modulation frequency
v = satellite velocity relative to the observer (It is noted that this is normally a vector quantity). The use of the “±” here is to denote the two extreme Doppler shifted values.
c = velocity of the carrier wave = speed of light
It’s important to get a feel for the magnitude of the Doppler shift in frequency that occurs between a ground station and a satellite. Take, as an example, a satellite in a circular orbit at 600 km altitude. To first order, the speed of the satellite is constant and equal to 7,558 m/s. If the satellite had a transmitter operating at exactly 100 MHz, the Doppler- shifted frequency as the satellite moves directly toward the ground station observer would be 100.002521 MHz. As the satellite moved directly away from the observing ground station the observed transmitter frequency is 99.997478 MHz. It can be seen, with a little thought, that the worst-case Doppler shift for a direct overhead pass in this example satellite would be ±2521 Hz or a total shift of 5042 Hz.
Continuing with this example, the following table gives the worst case or largest value of Doppler shift that can occur in frequency bands commonly in use within the amateur-satellite service. The same orbit is assumed.
Max. Doppler Shift
As can be seen, the maximum Doppler shift is small at low frequencies such as within the 29 MHz band. The frequency shift experienced during a typical pass (perhaps amounting to only 70-80% of the maximum shift) is on the order of one kilohertz. This is a small fraction of the modulation bandwidth of most contemporary digital radio systems. However, if the use of the most popular band at 435-438 MHz is contemplated, the Doppler shift over a pass is typically as large as 18 kHz (note that it could be as large as 22 kHz) for LEO missions. When popular modulation methods for data transmission such as 9600 bps “G3RUH FSK” are used, the Doppler shift in frequency is approximately equal to the entire channel bandwidth and the bandwidth of the ground station receiver filter. This requires the radio or the operator to retune the receiver several times during a pass in order to keep the signal centered in the passband. If higher frequencies such as 2400 MHz are to be used, the Doppler shift and time rate of change of frequency caused by Doppler are large indeed. The change in frequency can be as large as 120 kHz, which is approximately six times the bandwidth occupied by this same type of data system. The time rate of change at the center of the pass (time of closest approach or TCA) is on the order of 1.0 kHz/sec.
This then brings up the first set of issues that must be dealt with if a simplex radio system is to be employed:
a) It is important that both the satellite transmitter/receiver system and the ground station system (whether it is a companion radio or not) are capable of handling the Doppler shift in frequency. Most terrestrial radios are not capable of adjusting for Doppler shift since satellite systems and very high-speed aircraft are about the only vehicles that travel fast enough to require this capability. The vendor of the transceiver may not have contemplated this application. One means of dealing with this problem is to increase the bandwidth of the receiver filters on both ends of the link so that even with the Doppler shift, the modulation bandwidth of the transmitted signal still stays within the receiver filter bandwidth. This has a penalty associated with it. The extra bandwidth adds thermal noise (Pn = kTB) and this noise reduces the S/N (or Eb/Nt) of received signal.
b) If the satellite transmitter is normally OFF and is commanded ON, there must be a means (automatic or manual) for adjusting the receiver center frequency to account for the change in frequency since the last transmission. To the receiver this will appear as a “jump” in frequency between two ON periods. If the transmitter is commanded ON only once during a pass then the Doppler shift introduces an uncertainty in terms of where the center frequency (f’) will be located at any given instant in time when the transmitter comes ON.
c) Some receiver systems are required to be “locked” to a carrier (usually, but not always located in the center of the modulation spectrum) prior to demodulation of data. Such a system is known as a coherent system. These systems must be able to acquire and track a changing carrier frequency. If the simplex system contemplated for use employs coherent technology, it should be verified that the frequency tracking range of the carrier acquisition and tracking loop is large enough to accommodate the maximum Doppler shift in frequency. It would be very useful if the receiver could automatically acquire the carrier by using a sweeping loop or equivalent technology.
It’s important to realize that when a simplex system is used, the satellite receiver will experience the same Doppler shift on the command uplink. Any correction made to the downlink frequency must be made to the uplink as well, and in the OPPOSITE direction. In this situation, the use of simplex can be helpful as the measured downlink Doppler frequency shift can be applied as a correction on the command uplink.
2.2 Energy Management:
For most very small satellite systems, energy management is a first-order system design parameter. In order to maintain a positive energy budget, which will allow the spacecraft battery to remain fully charged, it may be necessary to cycle the transmitter ON and OFF. The RF transistors used for the power amplifier chain of a spacecraft transmitter are critical devices in many ways. The transistors or integrated circuits employed in that application should have the highest DC-to-RF conversion efficiency possible. At VHF and UHF frequencies, these devices could have efficiencies as high as 85% (given the current state of technology). However, RF devices employed in most commercial radio products operating in this frequency range and designed for terrestrial use do not achieve this level of efficiency. Values in the 30% range are more typical and efficiencies can be as poor as 15%. So, independent of the issue of simplex utilization, the telecommunications engineer for a satellite project should seek the most efficient RF transmitter design possible as a first-order design consideration.
The amount of power required to complete the data link is given by the system link analysis (or budget) and at a given data rate and for a given LEO orbit, that value is fixed once a minimum elevation angle for communications has been selected. If the reference orbit given above is used (600 km circular orbit) and if a typical UHF ground station is employed (13 dBi antenna gain and 425K system noise temperature) then at 437.5 MHz, approximately 2 watts of RF power will be required to complete the link with 4 dB of link margin. [NOTE: For a small Earth station, a 4 dB link margin is not very much. A margin of 10 dB should be the design objective of a low cost ground station.] It has been assumed that the system has a 9600 bps data rate (using G3RUH FSK) and that a 10° minimum elevation angle must be supported. If the transmitter portion of the radio is 33% efficient and 2 watts of RF output is required, then the input power requirement is 6 watts DC. This implies that 4 watts of power are dissipated as heat during periods when the transmitter is ON.
For transmitter amplifier chains that have only modest efficiency and if data rates as high as 9600 bps must be sustained, it is clear that several watts of power must be dissipated by the transmitter when it is on the air. Since the satellite systems using this radio equipment are themselves very small, the transceiver must be highly miniaturized. So the power density (measured in watts/cm²) in the vicinity of the amplifier chain is necessarily high.
A transmitter designed for terrestrial use can depend on three methods for the dissipation of the heat it generates:
· Convection: Heat transferred from the device to the air around it.
· Conduction: Heat transferred from the device to primary structure and then convected or radiated away.
· Radiation: Heat transferred from the device and converted into IR energy as a black body radiator.
If the same transmitter is to be used in space, dissipation via convection is no longer possible as all of the air goes away (unless some sort of pressure vessel is employed – an old Russian satellite thermal design trick).
[NOTE: In order to get a feel for this problem, take a 1 watt resistor of 4.7 ohms and place it across the leads of a current-limited power supply. Turn on the supply and limit the current to .45 amps. You should find the voltage is about 2.2 volts. This set of conditions will cause the resistor to dissipate approximately 1 watt. Wait a few minutes and carefully touch the resistor with your finger. You should find it’s at least warm to the touch if not quite hot. If you were to repeat the exercise but, now place the resistor into a vacuum chamber (bell jar) and pump all of the air out, you would find the resistor would be very hot indeed and depending on the conductive nature of the leads used to connect the resistor within the vacuum chamber, the resistor might eventually fail. Now, what would happen if the current were increased to .90 amps (double the original value)? At this point the 1 watt resistor is dissipating 4 watts and in about the same volume of material as the 2 watt RF transmitter operating at 33% efficiency. The satellite designer must solve the problem of successfully dissipating this heat without destroying the transmitter and/ or the satellite. AND, this problem must be solved without using convection as a heat dissipation mode.]
The satellite system designer must determine:
a) If the system can conduct the heat away from the transmitter and toward the radiating surfaces of the spacecraft sufficiently well so that the transmitter does not overheat during the ON period.
b) If the system has sufficiently large surface area and sufficiently high thermal emittance properties so that the average temperature of the satellite is not exceeded during ON periods of the transmitter. [Note that the thermal equilibrium temperature achieved passively by the satellite (and given by the radiance equation) depends upon the total surface area of the satellite and the thermal emittance of each surface. If the surface area of the satellite is very small then the equilibrium temperature can be quite high, especially if one has up to 4 watts of additional heat from the transmitter that must be dissipated.]
It is now appropriate to discuss the next set of issues related to the simplex operation of the system. The ON duration of the transmitter must be chosen. Several outcomes are possible:
a) It may be that the ON duration of the transmitter is driven by the need to maintain the temperature at acceptable levels per the above discussion. This is bad, as will be pointed out shortly.
b) It may be that the ON duration of the transmitter is driven by the need to maintain a positive energy balance for the spacecraft system.
c) It may be that the ON duration of the transmitter is driven by the desire to transmit only during the time when the satellite is within range of the command station.
d) Ideally, conditions b) and c) are mutually satisfied.
The above outcomes are in ascending order of desirability. If it is possible to maintain a positive energy balance for the satellite system by turning the transmitter ON only during periods when you can communicate with the spacecraft and IF it is possible to keep the transmitter on during the entire pass, this is the optimum outcome from both a technical and a frequency regulatory point of view. From a satellite security perspective, it may be desirable to turn ON the transmitter only when the satellite is in range of your ground station AND only for as long as it is necessary to download your data. In fact, it is worth noting here that other satellite systems licensed to transmit in other services are nearly always REQUIRED to keep their transmitters OFF except when in range of their respective ground stations. It is only in the Amateur Satellite Service that this is even an option. But, it is an option rapidly decreasing in popularity due to the rapid increase in satellite systems occupying Amateur Radio spectrum and the consequent need for them to share frequencies.
2.3 Failure Modes:
Outcome (a) is particularly bad. If the transmitter can be turned ON only for very short periods so as to avoid overheating and if this process is continuous around each orbit, a new failure mechanism arises. Not only are the transistor die heating up when the transmitter is turned ON and OFF, but the bond wires are also rapidly heating up and they also quickly cool down. Since the bond wires are tiny and transport significant current and have very low thermal inertia they heat and cool very rapidly. Like any piece of metal that is rapidly and repeatedly heated and cooled, the bond wires are subject to expansion/contraction stresses that can (and usually will) lead to a failure of one of the bond wires inside the transistor or integrated circuit. If plastic parts are used, the bond wires are embedded in a plastic material. It is often true that the thermal coefficient of expansion (TCE) of the bond wires and the plastic around them are quite different. If this is the case, the failure will occur all the sooner. So, the worst thing that can be done in this regard is to cycle the transmitter ON and OFF with a short period and with plastic parts which have a poor TCE match between the bond lead and the plastic.
The author learned this lesson the hard way. One mission, for which I had direct responsibility, used a VHF transmitter that had an ON duration of 30 seconds (which was long enough to download a long frame of data from the satellite instrument) and an OFF duration of 2 minutes (which was long enough to collect the data from the instrument for the next transmission period). The transmitter operated in this mode continuously. Despite the fact that this failure mode was anticipated prior to launch and that care was taken to fully heat-sink the transistors in the power amplifier chain, the transmitter failed after about 1.5 years in orbit. The transmitter should have lasted for many years in orbit. It was not possible to prevent the thermal exercising of the bond wires.
The lesson here is to avoid rapid cycling of the transmitter unless you are certain that it is rated for this type of service. Minimize the total number of ON/OFF cycles for the mission. Turning ON and OFF the transmitter 6 to 8 times per day during passes is not a big problem. Turning ON and OFF the transmitter every two minutes, continuously around the orbit, every orbit of every day, in order to maintain thermal equilibrium is establishing a failure mode that cannot be avoided.
2.4 System Security:
Secure operation of satellites has not been a first order design priority in the amateur-satellite service. There have been no known cases of anyone willfully commanding an amateur satellite without authorization and only a few cases where individuals have attempted to interfere with another station's uplink signal. Where this has occurred, it has been related to signals associated with the normal communications function of the satellite and not the command or telemetry functions.
Still, some precautions have always been taken to avoid the temptation that may exist for someone else to commandeer a satellite. The standard precautions are:
a) Never publish or, in any other way, cause to have known the command receiver frequency of the spacecraft. This should only be known by a very limited number of people within the project.
b) Do not publish or reveal the details of the command system data and modulation formats.
c) The spacecraft flight computer (or in a simpler case, the command decoder) should use some sort of password or ID (coded in hardware or firmware). This is to be done at the physical layer of the protocol.
d) At a higher link layer in the software add some additional password-like security.
One might note that because of these precautions we probably wouldn’t know if someone was trying to “hack” one of our spacecraft. It would be prudent to assume that regardless of the frequency or radio service, modulation technique or protocol, there are a finite number of people with the desire and capability to hack the satellite. The purpose of security techniques is to make it difficult for them to be successful usually by withholding the needed information.
In addition to the above precautions, many satellites have used fully uploadable software. The only unchangeable code is that used to do the uploading itself. The theory is that if a hacker does find the information needed to hack your satellite one can upload new code with a different set of codes or a different protection technique. Most very small satellites do not have this capability so must have an “unhackable” command scheme that will protect it for the duration of the mission.
These precautions are quite simple and have always worked to date. Still, there has been much talk about using TCP/IP protocol to control satellite systems. Also, there has been considerable discussion about remote commanding using the Internet. Once a satellite system has been “connected” to the Internet and if the spacecraft employs standard data protocols, then clearly the satellite flight computer becomes an extension of the net. This action would open up the satellite system to the entire world of hackers. Such thoughts might cause some rethinking of how important it is to protect amateur satellite systems.
Let’s, however, return to the radio frequency domain for it is here that the simplex system is most vulnerable. If someone wanted to directly tamper with a satellite’s operation, there would be two ways to proceed:
a) Obtain all of the information necessary to command the spacecraft and develop a system that operates on the command frequency used by the spacecraft and then transmit a valid command to the spacecraft, thus changing its state of operation.
b) Obtain knowledge of the satellites command frequency. This could be obtained by anyone living or operating near the command station site since the emissions from the command station during routine commanding could be heard (detected, decoded, analyzed) from many kilometers away and in any direction from the command station via ground wave. Once the command frequency is known, the “bad guy” only needs to transmit a CW carrier toward the victim satellite at a power level (EIRP) adequate to interfere with that of the real commanding ground station. This is formally called a “denial of service” attack.
In case (a), the “bad guy” must work very hard because he has to implement all of the features the real command station has, including the security features. This is very difficult and there is little real motivation for someone to do this. Still, if someone were to do this, they would have the ability to cause maximum chaos up to and including the ability to “kill” the victim spacecraft. What prevents this from happening regularly is the lack of information necessary to accomplish it and the difficulty of obtaining that information.
In case (b), the “bad guy” only needs to detect the presence of your command link or know it because someone let it leak out. In addition, this person would need to know the orbital elements for the satellite. This set of information, available to all on the Internet, will allow him/her to know when the satellite is passing over the “bad guy’s” ground station. By transmitting a simple carrier in the general direction of the victim satellite and at an adequately high EIRP level, the “bad guy” can deny access to the satellite by the real command station. If, at a particular time, a critical command was to be sent (such as one that turns a particular subsystem ON or OFF for energy balance purposes), then by denying the real command station access to the satellite, damage to the satellite could occur - up to and possibly including causing the “death” of the satellite. NOTE: This is very easy for the “bad guy” to do. He needs only a little information to cause the victim very considerable potential grief.
A case (b) access denial event could occur at any time the real command station and the “bad guy” station are in mutual visibility of the satellite AND provided that the interferer’s EIRP is higher. In effect, if the “bad guy’s” location was within several hundred kilometers of the victim satellite’s real command station, the interferer could prevent the spacecraft from being commanded by the real command station during virtually all of each pass. This situation is also somewhat difficult to recover from without another command station in another part of the world planned for in advance. Most small satellite programs have only one ground station. Quickly establishing another ground station outside the bad guy’s footprint with all the needed capability is costly, time consuming and difficult. There may be licensing issues associated with the new station as well.
There is something else to be said about case (b). Many, if not most command receivers used by the small satellite community employ frequency modulation (FM). FM receivers are cheap, non-critical to use and they are less prone to audio distortion due to an offset in frequency as could result from a Doppler-induced error in the command station’s uplink frequency. FM systems, however, have one feature which helps the “bad guy” in our above scenario. FM receivers exhibit a phenomenon known as the capture effect. Let’s assume two FM-modulated carriers are present and both are centered on the receiver’s bandpass filter but that they are of different signal amplitudes. The receiver will enhance the signal-to-interference ratio of the stronger signal and reduce the signal-to-interference ratio of the weaker signal at the output of the FM demodulator. This behavior is quite non-linear and is known as the capture effect. This effect is more pronounced for FM receivers that have a high modulation index (that is, they have a high deviation compared with the tone frequencies used to represent a “1” or a “0”). For a high-deviation FM receiver, the weaker signal may be virtually fully suppressed even if it is only 1 dB weaker than the “winning” signal. For low-deviation receivers (as may be found in the amateur radio service) the stronger signal might have to be 6-10 dB stronger than the weaker signal but, if that condition is met, the weaker signal will simply disappear from the output of the receiver. This information thus allows quantification of how easy or hard it would be for an intentional interferer to overcome the desired command signal. By the way, having a signal 6 dB (a factor of 4) stronger than that used by the command station may not be a difficult task for the “bad guy” to accomplish. This can be done with a power amplifier device and/or a larger antenna.
Given the above set of explanations, the issue of simplex operation vs. security can now be discussed. It is clear that a case (b) scenario is far more likely than case (a). So much so, that case (a) can be ignored for purposes of these discussions. Let’s assume that a simplex transceiver is used in the satellite such that the command channel is shared with the telemetry downlink channel. That is, the satellite might normally be in receive mode but, occasionally (upon command, via timer or under computer control) the receiver is turned OFF and ON THE VERY SAME FREQUENCY the transmitter is turned ON. If the “bad guy” knows only that the satellite is using a simplex system for telemetry and command, then it is already clear to him/her that the transmitter is broadcasting the command frequency. Now the “bad guy” is able to use a combination of automated and manual means to block the command frequency and deny access to the real command station and even the Doppler correction information is automatically provided to the interferer. This is a terrible scenario for satellite security! One could not possibly make it easier for an intentional interferer to be successful.
There is one variation on the pure simplex case that can occur and it is the next worst case. Sometimes the receiver is offset in frequency from the transmitter by a fixed amount. Standard amateur radio transceivers operating in the 144-148 MHz band, for instance, have a standard offset of 600 kHz (plus or minus, depending on the part of the band where operations occur). So, a “bad guy” would naturally look for the command frequency at 0 kHz, +600 kHz and –600 kHz from the transmit frequency in trying to jam the command frequency. There are standard offsets used in other frequency bands as well.
After these warnings, if it is still deemed appropriate to operate a simplex radio for telemetry/command, then the following practices can be recommended to provide some measure of security:
a) Use a transmitter capable of using the highest reasonable output power and the highest practical gain antenna at the satellite command station. This will give the command station the ability to generate a high EIRP and the largest link margin. This high power level should not be used unless it is strictly necessary to do so, but it will also help prevent an intentional interferer from capturing the command link. [NOTE: It is common practice in the amateur service and amateur-satellite service to use only the MINIMUM power necessary to maintain communications (and in some countries, including the United States, this is the law). However, it is also extremely important to be able to control the emissions from every satellite. Therefore, if intentional interference were to occur, it only seems prudent to be capable of generating a high EIRP in order to overcome a denial of service attempt. Such high power should only be used when necessary.]
b) Use additional command stations located in other parts of the world. This is appropriate in any case but, such a strategy makes access denial much more difficult.
c) Do not rapidly cycle between receive and transmit modes during any given pass. It is tempting to do this as the telemetry downlink could be used to acknowledge each command before the next command is sent. This is logical but is not in the interest of security. The “bad guy” can simply key his interfering transmitter based on detecting the trailing edge of the satellite’s telemetry signal (just as the satellite goes into the command receive mode). It is better to send commands at the beginning of the pass before the telemetry transmitter is turned ON and then verify that an entire batch of commands has been accepted. This, of course, means the command station must transmit to the satellite blind (i.e., without hearing the satellite at the time of acquisition-of-signal) and this requires operational confidence. Once one turns ON the telemetry transmitter, leave it on until the end of the pass (or until sufficient data has been collected) and make sure that there is a safe hardware or firmware timer that will eventually turn the transmitter OFF if the command station is denied access to the satellite. This will prevent the satellite from fully discharging the battery if the transmitter OFF command is not received. Notice that this recommendation is in keeping with the recommendation made in Section 2.2 above. That is, in general, do not cycle the transmitter ON and OFF rapidly. Operationally, all of this is not very attractive. It’s much more likely the command station will want to first look at telemetry, then send some commands, and then once again, look at telemetry. However, a denial of service attack is likewise, undesirable. This is one more reason why simplex communications is a poor option.
d) Do not use an FM receiver with a high modulation index UNLESS the command station being used can be sure of “winning” against an intentional interferer. Such a receiver “increases the stakes” in the access denial game.
e) Do not tell anyone without a firm need to know about the details of your command system. The command receiver frequency is THE most sensitive of all pieces of information. By “details of the command system” it is meant ANY information about how it works. A potential bad guy can accumulate seemingly unimportant bits of information from a variety of sources and develop knowledge sufficient to attempt an attack. One of the fundamental precepts of this type of security is to make the job of interfering with your operation look so difficult that no one is tempted ever to try.
f) Do not use a standard frequency offset (i.e., one common in amateur use) between the command receiver and the telemetry transmitter.
3.0 Regulatory Considerations:
This section has been left until last but, it is the most important set of reasons as to why serious consideration should be given as to how SIMPLEX operation is employed on any amateur satellite – indeed any satellite at all.
In principle, it must be agreed that simplex operation saves spectrum since two functions share the same radio channel. This is a very positive feature of simplex operation.
The problem lies with other regulatory considerations based upon failures similar to those in AMSAT operations discussed earlier.
3.1 Interference Control:
Both national and international regulations governing ALL satellite operations in space require that transmissions from any spacecraft (amateur or otherwise) be under positive control at all times. A critical part of this control function is the ability to rapidly and effectively terminate some or all transmissions from your spacecraft.
It is not the intention of this paper to interpret the meaning of the words used in these regulations. That has been done elsewhere and will, no doubt, be done again in the future. However, it is a simple argument to make (and fundamental to the way radios work) that when the satellite’s receiver is OFF and its transmitter is ON, the command station cannot successfully command the satellite. In that literal sense, the command station does not have effective control of the spacecraft in the case of simplex operation. In simplex operation, when the transmitter is ON and the receiver is OFF, it is obvious that the system depends upon some form of timer or logical process to terminate the transmitter’s operation and return the command receiver to its “normal” state AFTER some event has occurred.
The failure of this mechanism leading to unintended transmitter emissions and uncontrollable interference is the root of the real regulatory concern.
There is a second part to this concern. Even if the transmitter and the receiver could operate separately and even if the receiver could be turned ON while the transmitter is transmitting and even if they did not share the same antenna and even if the transmitter and receiver were not on the SAME frequency (but, they were operating in the same frequency band)…then IF the transmitter became “stuck” in the ON position, it is highly unlikely that the receiver could be accessed by the command station to turn OFF the transmitter. This is because the transmitter is so physically close to the receiver that it “overloads” the receiver front-end transistor devices. It is no exaggeration to say that the signal level reaching the command receiver input terminals from the on-board transmitter is typically on the order of 100 dB (that’s 10 orders of magnitude) stronger than a command signal arriving from the ground. If one was to attempt a filter design that would attenuate the transmitter at the receiver’s frequency say, 500 to 1000 kHz away, within the 435-438 MHz band and by an amount equal to 100 dB, it would be found that the filter is larger than the spacecraft (certainly larger than a “CubeSat”). So, the second concern is ANY type of satellite malfunction that causes the transmitter to become turned ON permanently and thus deny real access to the command system by the ground command station (even if the transmitter and receiver are separate but share the same frequency band).
In Section 2 above, it was noted that to successfully complete the downlink for a satellite in a circular reference orbit of 600 km altitude and at 9600 bps FSK it will require about 2 watts of RF power. That, in turn, implies a DC power requirement that could be as high as 6 watts (and is at best 3.5 watts) whenever the transmitter is ON. Certainly other functions on-board the spacecraft will require additional power. It is understood that very small satellites cannot sustain a positive energy budget if the transmitter is stuck ON. That means the satellite’s battery will discharge. If careful attention has been given to the system design there will be protective hardware and/or software that will detect a battery low voltage condition and “shed” the major loads (i.e., turn them OFF). The “most major” of all such loads is surely the telemetry transmitter. If less care has been taken in the design, then the battery simply discharges and some logic states will change along the way and maybe the transmitter logic will reset as the batteries are discharged. This whole set of logical conditions may be modified by eclipse events that can occur on top of the battery discharge taking place…which was caused by the stuck transmitter. This is to say nothing about whatever the satellite experiments or payload may do to add to the set of logical conditions that must be considered. The question then is…what happens next? If the satellite is designed to allow the battery to become fully charged before the major loads can be switched ON, then all could be fine. But, the question that must be asked is, under all possible logical combinations of conditions that could occur on-board the spacecraft…when power is restored, will the transmitter remain OFF until commanded to do otherwise? The key to all of this is very careful design consideration AND VERY THOROUGH FUNCTIONAL TESTING of the satellite in all of its modes prior to launch.
3.2 Recommendations to Enhance Compliance with the Radio Regulations:
The following recommendations are made to those who still find simplex operation an imperative:
a) Under no circumstances should a satellite be designed so that the transfer of a simplex radio system from its transmit mode to its receive mode is controlled only by a flight computer or a flight controller and its software (and most particularly software executed from RAM). If such control is executed by flight computer software and it is logically backed up by a hardware timer that could be OK. The most reliable way to control the transfer is by using a simple hardware timer/logic solution ONLY. This is, admittedly the most conservative way.
Another solution would possibly be to place a second command receiver in another frequency band. This receiver could have, as its sole purpose, the resetting of the flight computer should it fail to perform the transfer from transmitter ON to transmitter OFF. Even placing the timer in firmware can be risky. Some FLASH ROM devices are radiation soft in the write mode. That is, they fail due to radiation damage (total cumulative dose) at low levels and the write function fails before the read function. This cannot be detected from the ground when it first occurs. So, if you were to write to the memory to change some function, the area of memory lost could be larger than the area being addressed. In this way, the firmware timer function could be lost. Certainly, not all FLASH RAM has this problem and by using FLASH known to be good for space, the designer could make this solution reliable. EPROM solutions are also bad, as EPROM is also prone to radiation problems. A controller/timer using radiation hard fusible-link ROM is a good solution. Also, an FPGA solution is good provided that the gate array is radiation tolerant.
b) The spacecraft system design should assure that if the battery is ever discharged fully, for whatever reason, (but, most particularly because the transmitter was “stuck” ON) that after the flight battery has recharged and the system is ready for service again, the transmitter does not come ON again until it is commanded to do so. A good spacecraft system design will “gracefully” turn OFF all loads, starting with the transmitter so that the battery is never allowed to go completely flat (to 0 voltage). For many battery technologies, reaching such a low voltage state can cause what is known as cell reversal, and that condition is usually system-fatal.
c) The spacecraft system design should assure that no combination of commands can cause the transmitter to become latched in the transmit mode, regardless of whether the system may recover once the battery discharges and then recharges. That is, one must not assume that battery discharge/recharge is the means of protection against a transmitter latch-up condition. A spacecraft known to work in this way should never be launched AND this would not satisfy the ITU Radio Regulations which require all satellite transmitters to be under positive command control at all times.
d) As a part of the spacecraft design process and as a part of the system level paperwork done for the project, the spacecraft should be thoroughly functionally tested to verify all of the modes of operation and all commands within each mode. Most particularly, it should be verified by test that no command sequence can be issued that will latch the transmitter ON and that after recovery from a battery under-voltage condition the spacecraft system returns to service with the command receiver ON and functional and with the transmitter OFF. Verification of this should be documented in a system LOG and it wouldn’t be a bad idea if a letter were to be written for the file from the telecommunications engineer to the project manager verifying that these successfully completed tests were witnessed to occur. That letter should be signed by the telecommunications engineer and endorsed by the project manager. Thorough system level functional testing of the spacecraft is the most important recommendation the author can make. There are many space projects which have been launched by amateurs and professionals where testing has been abbreviated or eliminated due to the pressures of time. THIS IS A BIG MISTAKE. In almost every case, the project has lived to regret it. Murphy’s law says,…”If something can go wrong it will.” If you don’t think this is a valid law, then you haven’t built enough spacecraft yet. Don’t test Murphy. Test the spacecraft so that design errors don’t get into space.
4.0 The Relative Risk of TX ON vs. TX OFF:
Many will say they have heard this author say, “Never turn your transmitter OFF if you don’t have to.” This is a true statement. It is difficult and sometimes impossible to figure out what is wrong with a “sick” spacecraft if the transmitter is not ON as any data is far better than no data. Even an unmodulated carrier from a spacecraft gives far more information than no signal at all.
It is also very difficult to command a spacecraft blindly and especially the very first time it “comes over the hill.” So, it is reasonable during the commissioning phase of a space mission to consider leaving the transmitter ON more of the time.
When using a simplex system, unfortunately, you are evoking the “unless you have to” clause associated with the above little rule. From a regulatory standpoint and from a common sense standpoint it is important to have positive control. Spectrum is valuable and spectrum used for space is very valuable because of the surface area of the Earth covered by the satellite’s transmissions. In many ways a simplex system works against the principle of positive control. Therefore, there is a consequence. The consequence is that you will most likely have to command the satellite without knowing where to point antennas and there will be some uncertainty regarding the AOS time for the spacecraft. This is particularly true in the first few days or weeks following launch, when definitive orbital elements for all objects placed into orbit have not yet been firmly established. Assuming that all of the above rules can be followed, it should still be possible to program the flight computer to turn ON transmitter just prior to AOS at the satellite ground station and then OFF some minutes later (say, just before LOS). So, all is not lost if that flexibility exists. The transmitter could be turned OFF a few times during a pass by program control to allow commanding but, remember the “bad guy”!
A preferred telecommunication implementation for small space systems is a full duplex system that allows simultaneous command and telemetry transmission at will. There need not be any obvious relationship between the command frequency and the telemetry frequency. An alternative to turning the transmitter entirely OFF is to reduce its power (and data rate) so that at least some signal is present to track. Such an approach also reduces the potential for interference to others since the power level radiated by the satellite is lower and a lower data rate emission requires less bandwidth. This technique may require a larger ground station antenna system but then, that’s a system trade you must make.
And, the subject of a low power beacon or telemetry link gets to the very last point. A part of the, “Never turn OFF the transmitter if you don’t have to” rule also has to do with interference to others. A good reason for not keeping the transmitter ON when the satellite is not in view of the command station is the crowded state of the radio spectrum today. In the early days of amateur satellites everyone – everywhere – wanted to hear the very few (usually one) satellites that were available.
With the advent of the university satellite programs it has become an “every university for itself” kind of affair. So, one university’s data are another university’s interference. There are several cases where, in order to coordinate the frequencies for two or more satellites, the same frequency has been recommended. In such a case, successful coordination assumes that widely separated command sites will be used by these co-frequency projects and that the spacecraft transmitters will be used only in range of their respective ground stations.
So things are not as they used to be. Interference conditions nowadays dictate that satellite transmissions should be of short duration. Thus, it is no longer possible for everyone, everywhere to participate in the use of every satellite. For many of us this is an unfortunate state of affairs.
It must be acknowledged that there are several advantages to employing a simplex telecommunication design in very small satellites. However, the telecom link employed in a space system is not only critical to the operators of the system, but also to others who share the same frequency band. One must recall that the amateur satellite service is allowed in the 435-438 MHz frequency band only on a secondary basis. This means we must give way to other services that are primary services in the band. In the United States and in many other countries, this band is allocated on a “primary” basis to radiolocation (RADAR), usually for the government (military). If interference is caused to a primary service, we are compelled to cease all radio transmissions. This, in turn, means that it is absolutely imperative that each space system in the amateur-satellite service be capable of controlling its emissions. That burden is harder to confidently shoulder when a simplex system is used.
In addition to the regulatory imperative, there are other security and technical issues that have been raised in this paper. An effort has been made to point out solutions to these issues based on experience. It has been noted that the preferred solution is to employ a full duplex telecom system where data (commands and telemetry) may flow in both directions simultaneously and at the will of the command station operator.
Finally, it might be worth noting that, while flying a component designed for a terrestrial application appears attractive at first glance, after reviewing the modifications that must be made to the hardware and software in order for it to be flight worthy (both from a reliability AND a DESIGN point of view), it may turn out to have been wiser to design the unit “from scratch” to begin with. It’s also true that you learn more by doing it that way. Unfortunately, this option is nearly always put aside as being too difficult, and the real problems of using terrestrial technologies in space are frequently “swept under the carpet.”
The author hopes this paper had provided some insight into the subject of simplex operation of small satellite systems.
- end -
ANNEX – USEFUL TERMS DEFINED
Administration: Any governmental department or service responsible for discharging the obligations undertaken in the Constitution of the International Telecommunication Union, in the Convention of the International Telecommunication Union and in the Administrative Regulations. [CS 1002.]
Radiocommunication service: A service as defined in this Section involving the transmission, emission and/or reception of radio waves for specific telecommunication
purposes. [RR 1.19.]
Simplex operation: Operating method in which transmission is made possible alternately in each direction of a telecommunication channel, for example, by means of manual
Control. [RR 1.125.]
Duplex operation: Operating method in which transmission is possible simultaneously in both directions of a telecommunication channel. [RR 1.126.]
Semi-duplex operation: A method which is simplex operation at one end of the circuit and duplex operation at the other. [RR 1.127.]
Amateur service: A radiocommunication service for the purpose of self-training,
intercommunication and technical investigations carried out by amateurs, that is, by
duly authorized persons interested in radio technique solely with a personal aim and without pecuniary interest. [RR 1.56.]
Amateur-satellite service: A radiocommunication service using space stations on Earth satellites for the same purposes as those of the amateur service. [RR 1.57.]
Station: One or more transmitters or receivers or a combination of transmitters and receivers, including the accessory equipment, necessary at one location for carrying on a radiocommunication service, or the radio astronomy service. Each station shall be classified by the service in which it operates permanently or temporarily. [RR 1.61.]
Terrestrial station: A station effecting terrestrial radiocommunication.
In these Regulations, unless otherwise stated, any station is a terrestrial
station. [RR 1.62.]
Earth station: A station located either on the Earth's surface or within the major portion of the Earth's atmosphere and intended for communication:
– with one or more space stations; or
– with one or more stations of the same kind by means of one or more
reflecting satellites or other objects in space. [RR 1.63.]
Space station: A station located on an object which is beyond, is intended to go beyond, or has been beyond, the major portion of the Earth's atmosphere. [RR 1.64.]
Telecommand: The use of telecommunication for the transmission of signals
to initiate, modify or terminate functions of equipment at a distance. [RR 1.134.]
Space telecommand: The use of radiocommunication for the transmission of signals to a space station to initiate, modify or terminate functions of equipment on an associated
space object, including the space station. [RR 1.135.]
 With editorial assistance from: Tom Clark (W3IWI), Arthur Feller (W4ART), Graham Shirville (G3VZV), Ray Soifer (W2RS) and Jim White (WD0E).
 “Simplex operation: Operating method in which transmission is made possible alternately in each direction of a telecommunication channel, for example, by means of manual control.” [RR 1.125] Simplex operation may use either one or two frequencies.
 See the ANNEX for definitions of related and other useful terms.
 “Space stations shall be fitted with devices to ensure immediate cessation of
their radio emissions by telecommand, whenever such cessation is required under the provisions of these Regulations.” [RR 22.1.]
 1.125.1, 1.126.1 and 1.127.1 In general, duplex operation and semi-duplex operation require two requencies in radiocommunication; simplex operation may use either one or two.