Skip to main content
KBY Technologies Logo
root/it-toolkit/modelling-seu-rates-in-spaceborne-compute

Modelling SEU Rates in Spaceborne Compute

Building a Weibull cross-section calculator against CREME96 flux spectra to size ECC and TMR budgets before radiation upsets corrupt satellite memory.
Modelling SEU Rates in Spaceborne Compute
13/07/2026|12 min read|

A satellite memory controller does not crash cleanly. It flips a single bit in a DRAM row, silently corrupts a navigation checksum, and the spacecraft attitude control system acts on bad data for the next three orbits before ground telemetry notices the drift. This is the operational reality of single event upsets (SEU), and unlike terrestrial bit-flip rates, which are a rounding error in most reliability calculations, orbital radiation flux makes SEU rate modelling a mandatory line item in any spaceborne compute architecture. If you are speccing memory, choosing between rad-hard and COTS silicon, or sizing an error-correction scheme, you need a quantitative answer to one question: how many upsets per bit per day should this part expect at this orbit, behind this much shielding?

This article builds that answer from first principles: the flux environment, the device cross-section, the integration that turns the two into a rate, and the mitigation architecture that rate then justifies. The goal is a repeatable SEU rate modelling pipeline you can run against any candidate part before it goes on a bill of materials, not a spreadsheet you inherited from someone who left the programme two years ago.

#The Problem: Silent Data Corruption from Cosmic Radiation

Ionising particles — galactic cosmic rays (GCR), trapped protons in the South Atlantic Anomaly, and solar energetic particles during coronal mass ejections — deposit charge as they traverse a semiconductor junction. If the deposited charge exceeds the critical charge (Qcrit) of a memory cell or flip-flop, the stored state flips. No thermal event, no voltage excursion, no log entry beyond the corrupted bit itself. On the ground this is a statistical curiosity measured in FIT (failures in time, per 109 device-hours). In orbit, at 400 km LEO or worse at GEO with no magnetospheric shielding, the flux is high enough that SEU becomes a design constraint, not a footnote.

The bottleneck is that most engineering teams either over-provision (triple modular redundancy everywhere, at massive power and mass cost) or under-provision (single-bit ECC on a part that experiences regular multi-bit upsets, which ECC cannot correct). Both are symptoms of skipping proper SEU rate modelling and instead relying on vendor datasheet SEU numbers measured at a single test facility with a narrow LET spectrum that does not represent your actual mission orbit.

#Architectural Breakdown: Flux Spectra, Cross-Sections and Orbit Selection

#Galactic Cosmic Rays vs Solar Particle Events

GCR flux is quasi-constant, heavy-ion dominated, and modulated by the 11-year solar cycle (counter-intuitively, GCR flux increases during solar minimum because a weaker heliospheric field lets more galactic particles through). Solar particle events (SPEs) are transient, proton-dominated, and can raise flux by three to four orders of magnitude for hours to days during a large flare. Any serious SEU rate modelling exercise treats these as two separate integration problems: a baseline GCR rate for MTBF calculations, and a worst-case SPE rate for peak-flux survivability sizing.

#Linear Energy Transfer and the Weibull Cross-Section

A device’s sensitivity to a given particle is characterised by its LET (linear energy transfer, in MeV·cm2/mg) versus cross-section (σ, in cm2/bit) curve, obtained from heavy-ion beam testing at facilities such as TAMU or RADEF. This curve is almost universally fitted to the Weibull function:

1sigma(LET) = sigma_sat * [1 - exp(-((LET - LET_th) / W)^s)]  for LET > LET_th
2sigma(LET) = 0                                              for LET <= LET_th

where sigma_sat is the saturation cross-section, LET_th is the threshold below which no upset occurs, and W, s are shape parameters from the curve fit. The SEU rate is then the integral of this cross-section against the differential LET flux spectrum for the target orbit:

1R = ∫ sigma(L) * dPhi/dL dL   (integrated over the full LET range, per bit per second)

The flux spectrum, dPhi/dL, comes from an environment model — CREME96 remains the reference implementation for this, and ESA’s OMERE tool provides an equivalent for European mission planning. Both let you specify orbital altitude, inclination, shielding depth in aluminium-equivalent mils, and solar activity state, and return a differential LET spectrum you can integrate against your device’s Weibull fit.

SEU rate modelling

#Why Orbit Selection Changes the Answer by Orders of Magnitude

A part with an identical Weibull fit produces wildly different SEU rate modelling outputs depending on orbit. LEO at low inclination benefits from geomagnetic shielding except when transiting the SAA; GEO sits permanently outside the protective magnetosphere and sees close to the unshielded interplanetary GCR spectrum; a lunar or deep-space trajectory removes even the residual Earth shielding. This is the single most common mistake in early-stage SEU rate modelling: reusing a rate calculated for a previous LEO mission on a new GEO or cislunar payload without re-running the environment model.

#Implementation Logic: Building the SEU Rate Modelling Pipeline

The pipeline decomposes into five deterministic steps, each of which should be a discrete, testable unit in your tooling rather than a single monolithic spreadsheet formula:

  1. Characterise the device. Obtain or derive the Weibull parameters (sigma_sat, LET_th, W, s) from beam-test reports or vendor SEE (single event effects) data sheets.
  2. Generate the orbital flux spectrum. Run CREME96 or OMERE with mission-specific altitude, inclination, shielding, and solar activity (worst-week, worst-day, or average) to produce a differential LET flux table.
  3. Integrate cross-section against flux. Numerically integrate sigma(L) * dPhi/dL across the LET range to get an upset rate per bit per second.
  4. Scale to the array. Multiply by total bit count in the memory array or logic block under analysis to get device-level upsets per day.
  5. Feed the mitigation budget. Use the resulting rate to size ECC strength, scrubbing interval, and TMR voting margins, then verify the residual uncorrected error rate meets the mission reliability requirement.

This decomposition mirrors the layered architectural patterns used in fault-tolerant distributed systems on the ground — detect, isolate, correct, and continuously audit — just applied at the level of individual memory cells rather than service instances.

#Code and Configurations

A minimal Python implementation of steps 1 through 4, taking a Weibull fit and a CREME96-exported flux table as CSV input:

1import numpy as np
2import pandas as pd
3
4def weibull_cross_section(let, sigma_sat, let_th, w, s):
5    sigma = np.where(
6        let > let_th,
7        sigma_sat * (1 - np.exp(-(((let - let_th) / w) ** s))),
8        0.0
9    )
10    return sigma
11
12def compute_seu_rate(flux_csv_path, sigma_sat, let_th, w, s, bit_count):
13    # flux_csv columns: let_mev_cm2_mg, diff_flux_per_cm2_s_per_let
14    df = pd.read_csv(flux_csv_path)
15    let_vals = df["let_mev_cm2_mg"].to_numpy()
16    flux_vals = df["diff_flux_per_cm2_s_per_let"].to_numpy()
17
18    sigma_vals = weibull_cross_section(let_vals, sigma_sat, let_th, w, s)
19    integrand = sigma_vals * flux_vals
20
21    rate_per_bit_per_sec = np.trapz(integrand, let_vals)
22    rate_per_bit_per_day = rate_per_bit_per_sec * 86400
23    device_rate_per_day = rate_per_bit_per_day * bit_count
24
25    return {
26        "rate_per_bit_per_day": rate_per_bit_per_day,
27        "device_rate_per_day": device_rate_per_day,
28        "mtbu_hours": (1 / device_rate_per_day) * 24 if device_rate_per_day > 0 else float("inf")
29    }
30
31result = compute_seu_rate(
32    flux_csv_path="leo_600km_51deg_100mil_al.csv",
33    sigma_sat=1.2e-8,   # cm^2/bit, from beam test data
34    let_th=2.5,          # MeV.cm2/mg
35    w=12.0,
36    s=1.8,
37    bit_count=2_147_483_648  # 2 Gbit SDRAM device
38)
39print(result)

A device characterisation file, kept alongside the part number so the SEU rate modelling run is fully reproducible from the parts database rather than a one-off engineering note:

1{
2  "part_number": "MT46H128M16-RAD",
3  "device_type": "SDRAM",
4  "bit_count": 2147483648,
5  "weibull_params": {
6    "sigma_sat_cm2": 1.2e-8,
7    "let_th_mev_cm2_mg": 2.5,
8    "w": 12.0,
9    "s": 1.8
10  },
11  "test_reference": "RADEF-2022-0143",
12  "seu_type": "single_bit",
13  "mbu_fraction_observed": 0.06
14}

And the environment model invocation, run as a scripted CLI step in the mission analysis pipeline rather than a manual GUI export, so orbit parameter changes trigger an automatic re-run:

1creme96-cli 
2  --model heavy-ion 
3  --orbit-altitude-km 600 
4  --inclination-deg 51.6 
5  --shielding-mil-al 100 
6  --solar-condition worst-week 
7  --output leo_600km_51deg_100mil_al.csv

Wiring these three artefacts into a CI job means every hardware change — a new memory vendor, a revised shielding stack-up, an orbit change from the systems team — automatically re-triggers the SEU rate modelling calculation and diffs the result against the previous mitigation budget.

SEU rate modelling

#Failure Modes and Edge Cases

#Multiple-Bit Upsets Defeating Single-Error Correction

As process nodes shrink, a single ion strike increasingly deposits enough charge to flip adjacent cells simultaneously — a multiple-bit upset (MBU). Standard SEC-DED (single-error-correct, double-error-detect) Hamming codes cannot correct an MBU that lands within the same codeword; they will either miscorrect or, at best, flag an uncorrectable error. Any SEU rate modelling output must be cross-checked against the device’s observed MBU fraction (typically extracted from the same beam-test campaign) before ECC strength is finalised. If MBU fraction exceeds roughly 3–5% of total events, bit-interleaved ECC or a stronger Reed-Solomon scheme becomes necessary rather than optional.

#Single Event Latch-up

SEL is a distinct failure mode from SEU: a parasitic thyristor structure triggers a low-impedance path between supply rails, causing a destructive current surge unless current-limited within milliseconds. SEL rate modelling uses the same Weibull/flux integration methodology as SEU but with a separate cross-section curve, and the mitigation is architectural (current-limiting switches, watchdog-triggered power cycling) rather than a coding scheme. Conflating SEU and SEL mitigation budgets in the same calculation is a common and costly design error.

#Model Drift and Stale Flux Data

Environment models are periodically revised as new spacecraft instrumentation refines the GCR and trapped-particle flux estimates. A SEU rate modelling result generated against a five-year-old CREME96 dataset for a long-duration GEO mission should be re-validated against current flux tables before critical design review; solar cycle 25 flux behaviour has already diverged from some legacy predictive baselines used in earlier mission heritage documents.

#Solar Particle Event Transients

Average-case GCR rates are appropriate for MTBF and mission-lifetime reliability budgets, but they will catastrophically underestimate risk during an SPE. A worst-day or worst-week flux run, layered on top of the average-case model, is required to confirm that transient upset bursts do not exceed the correction capacity of the ECC scheme or overwhelm a scrubbing cycle before the next pass.

#Scaling and Security Trade-offs

Once the SEU rate modelling output is in hand, the mitigation architecture decision is a set of quantifiable trade-offs rather than a default to “more redundancy”:

  • SEC-DED ECC — low power and area overhead (~12–15% for typical Hamming implementations), but ineffective against MBU-heavy environments (GEO, deep space) without interleaving.
  • Bit-interleaved Reed-Solomon — corrects burst and multi-bit errors within a codeword, at higher latency and roughly 25–30% storage overhead; justified when SEU rate modelling shows MBU fraction above the 3–5% threshold.
  • Triple modular redundancy (TMR) — near-total protection against single-string upsets in combinatorial logic, at a flat 3x power and area cost; typically reserved for flight-critical control logic rather than bulk memory.
  • Periodic memory scrubbing — read-correct-rewrite cycles bound the accumulation window for latent errors before a second upset in the same word causes an uncorrectable failure; scrub interval must be shorter than the mean time between second-hit events derived from your device-level SEU rate.
  • Rad-hard vs COTS-plus-mitigation — rad-hardened-by-design parts carry 5–10x unit cost and longer lead times; COTS parts with software-managed ECC and scrubbing can meet the same reliability target at lower cost, provided the SEU rate modelling and MBU characterisation were done rigorously rather than assumed.
  • Security implication — an attacker-induced fault injection (laser or proton-beam based) on ground-testable hardware exploits the same Qcrit mechanism as natural SEU; a mitigation architecture sized purely for the natural orbital environment may leave residual margin against deliberate fault injection attacks on flight software’s cryptographic state.

None of these trade-offs are meaningful in isolation from a quantified rate. Treat SEU rate modelling as a mandatory, version-controlled artefact tied to the part number and orbit definition, not a one-time calculation buried in a PDF appendix, and the ECC/TMR/scrubbing budget that follows from it will hold up under design review and, more importantly, in orbit.

Reader Interaction

Comments

Add a thoughtful note on Modelling SEU Rates in Spaceborne Compute. Comments are checked for spam and held for moderation before appearing.

Loading comments...

Loading anti-spam check...

Eleanor Hayes

Written By

Eleanor Hayes

Dr Eleanor Hayes is a veteran cryptography researcher and enterprise security architect specialising in zero-trust network implementations. Having spent a decade securing critical national infrastructure, she now designs identity-aware proxy perimeters and mutual TLS topologies for highly distributed environments. She holds multiple GIAC certifications and regularly consults on mitigating advanced persistent threats within microservice ecosystems.

Related Architecture

View all in it-toolkit