The data memory (SRAM) is volatile, so a bit flip there is cleared by a reboot: the corrupted contents are simply discarded and reinitialised.
In the program memory, one of the biggest risks is a bit flip in a return address, which sends execution to the wrong location. This and similar corruption of the program code can be guarded against with a watchdog timer. The timer counts down from a specified value; if it reaches 0 before being reloaded, it triggers a reset of the entire system. Inserting a call that reloads the watchdog in the main loop of the program (the FreeRTOS kernel in this case) therefore ensures that a reset takes place if the program becomes corrupted and stops running normally. For program memory, however, a simple reboot would not solve the problem, since the program memory would still be corrupted. We have therefore modified the bootloader to load a copy of the program stored in external memory and copy it over the program memory on the Atmel chip. The external memory is an MRAM (MR25H10), which is not affected by the radiation in LEO.
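The two mechanisms described above, as an added host-runnable C model that is not part of the project's code: a software stand-in for the hardware watchdog (a down-counter that the main loop must kick, with a flag in place of the real reset line) and a bootloader step that compares the flash image against the golden copy in MRAM and rewrites it on a mismatch. The CRC comparison before the copy, the eight-word image contents and all function names are assumptions for illustration; the real SAMD21 registers are not touched.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample image: eight words stand in for the program flash and
 * for the golden copy held in the external MRAM. Values are illustrative. */
#define IMAGE_WORDS 8
static const uint32_t mram_golden[IMAGE_WORDS] = {
    0x20008000u, 0x000001A1u, 0x000001B5u, 0x000001B5u,
    0xE7FEF7FFu, 0x4770B510u, 0x0BADF00Du, 0x0000C0DEu
};
static uint32_t program_flash[IMAGE_WORDS];

/* --- Watchdog model -------------------------------------------------- */
/* Software stand-in for the hardware watchdog: a down-counter that the main
 * loop must reload before it reaches zero. On the real part the reload is a
 * write of the clear key to the WDT CLEAR register; here a flag records that
 * the system reset would have fired. */
typedef struct {
    uint32_t reload;       /* value restored by every kick */
    uint32_t count;        /* current countdown */
    int      reset_fired;  /* 1 once the timeout has expired */
} wdt_model;

void wdt_init(wdt_model *w, uint32_t reload) {
    w->reload = reload; w->count = reload; w->reset_fired = 0;
}

void wdt_kick(wdt_model *w) { w->count = w->reload; }

/* One clock tick of the watchdog hardware. */
void wdt_tick(wdt_model *w) {
    if (w->count > 0 && --w->count == 0) w->reset_fired = 1;
}

/* Runs `ticks` loop iterations. A healthy loop kicks the watchdog on every
 * pass; a hung one (for example after a corrupted return address) never
 * does. Returns the tick at which the reset fired, or -1 if it never did. */
int wdt_run(wdt_model *w, int ticks, int healthy) {
    for (int t = 1; t <= ticks; t++) {
        if (healthy) wdt_kick(w);
        wdt_tick(w);
        if (w->reset_fired) return t;
    }
    return -1;
}

/* --- Bootloader image check ------------------------------------------ */
/* Plain bitwise CRC-32 (reflected, polynomial 0xEDB88320) over the image. */
uint32_t image_crc32(const uint32_t *words, size_t n) {
    const uint8_t *p = (const uint8_t *)words;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n * sizeof(uint32_t); i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Assumed bootloader step: checksum the flash image against the MRAM copy;
 * on a mismatch count the differing words and rewrite the whole image from
 * the golden copy. Returns the number of corrupted words found. */
size_t boot_verify_and_restore(uint32_t *flash, const uint32_t *golden, size_t n) {
    if (image_crc32(flash, n) == image_crc32(golden, n)) return 0;
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) if (flash[i] != golden[i]) bad++;
    memcpy(flash, golden, n * sizeof(uint32_t));   /* overwrite program memory */
    return bad;
}

/* Demo helper: start from a clean image, then flip one bit (a simulated upset). */
void flash_load_and_flip(uint32_t *flash, size_t word, unsigned bit) {
    memcpy(flash, mram_golden, sizeof(mram_golden));
    flash[word] ^= (1u << bit);
}

int main(void) {
    wdt_model w;
    wdt_init(&w, 5);
    printf("healthy loop: reset at tick %d\n", wdt_run(&w, 20, 1));   /* -1 */
    wdt_init(&w, 5);
    printf("hung loop:    reset at tick %d\n", wdt_run(&w, 20, 0));   /* 5 */

    flash_load_and_flip(program_flash, 4, 3);
    size_t bad = boot_verify_and_restore(program_flash, mram_golden, IMAGE_WORDS);
    printf("bootloader rewrote image after finding %zu bad word(s); image is %s\n", bad,
           memcmp(program_flash, mram_golden, sizeof(mram_golden)) == 0 ? "clean" : "STILL CORRUPT");
    return 0;
}
```

The watchdog reload value is the tuning knob: it must exceed the longest legitimate gap between kicks in the kernel loop, or healthy code resets itself, yet stay short enough that a hung system recovers quickly. The checksum step is what lets the bootloader distinguish a clean image from a corrupted one without a full word-by-word read of the MRAM on every boot.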
There is not much that can be done in the event of corruption in the bootloader, since recovering from it would require a second processor to overwrite the corrupted bootloader in the SAMD21. However, the bootloader is extremely small compared to the program memory and data memory, so corruption is much less likely to occur there. By providing recovery paths for corruption in the program memory and data memory, we have significantly reduced the size of the vulnerable region, making it very unlikely for a bit flip to damage the system.