Model Checking for Proving and Improving Fault Tolerance of Satellites

Jonis Kiesbye, Kush Grover, Jan Křetínský
Published in: 2023 IEEE Aerospace Conference, 2023-03-04
DOI: 10.1109/AERO55745.2023.10115801 (https://doi.org/10.1109/AERO55745.2023.10115801)
Citation count: 0

Abstract

Developing the Fault Detection, Isolation & Recovery (FDIR) policy often happens late in the design phase of a spacecraft and might reveal significant gaps in the redundancy concept. We propose a process for continuously analyzing and improving the architecture of a spacecraft throughout the design phase to ensure successful fault isolation and recovery. The systems engineer provides as input a graph of the system's architecture containing the functional modes, the hardware components, and their dependencies on each other, and gets back a weakness report listing the gaps in the redundancy concept. Overlaying the sub-graphs for every fault scenario allows us to reason about the feasibility of fault isolation and recovery. The graph is automatically converted to a Markov Decision Process for use with a model checker to generate a control policy for the FDIR process. The model is optimized by pruning inefficient branches with Monte Carlo Tree Search. We export this policy as a decision tree that ensures explainability, fast execution, and low memory requirements at runtime. We also generate C code for fault isolation and reconfiguration that can be integrated into the FDIR software. The tool was used on system architectures created in the Modular ADCS project, which is part of ESA's GSTP program. In this context, it helped to yield an effective redundancy concept with minimum overhead and dramatically reduced the programming effort for FDIR routines. Since we use model checking for the analysis, the designer gains formal verification of the robustness towards faults.