The document discusses the validation of spacecraft behavior using a collaborative approach, focusing on various subsystems like attitude and orbit control, power, thermal, and failure detection and recovery. It outlines objectives, methods, constraints, and results of early validation activities, emphasizing the integration of model-based simulations to enhance system reliability. Key findings include the identification of design issues and suggestions for improving collaborative modeling and simulation in future space projects.

1. Validation of Spacecraft
Behaviour Concept using a
Collaborative Approach
Ana Rugina, Cristiano Leorato, Elena Tremolizzo
ESA-ESTEC
26/06/2012
ESA UNCLASSIFIED – For Official Use

2. Context
• Space system engineering domains of knowledge
• Attitude and Orbit Control (AOCS)
• Power Control
• Thermal Control
• Payload
• Failure Detection Isolation and Recovery (FDIR)
• Early validation and analysis
• Usually performed independently per domain
• More or less heavy depending on project objectives
• Galileo navigation satellites  very high availability
• Approach
• Integrated model-based simulation to give confidence in
command/control and FDIR (functional and timing aspects)
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 2
ESA UNCLASSIFIED – For Official Use

3. Outline
1. Objectives
2. Perimeter of Early Validation Activities
3. Constraints and Choices
4. Modelling Insights
5. Results
6. Conclusions
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 3
ESA UNCLASSIFIED – For Official Use

4. Global Objectives
• Validate the FDIR strategy
• Behaviour « as expected » in the presence of faults
– Single fault tolerance (not considering fault combinations)
• Logical correctness
• Temporal consistency (including functional algorithms)
• Subsystems FDIR
• Consistency: no contradiction, no shading
• Completeness: no missing info to achieve executable specification
• Correctness: sound reaction to feared events
• System-level FDIR (Cross-subsystems)
• Consistency between subsystems’ modes
• Analyse impact of dependencies between the subsystems
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 4
ESA UNCLASSIFIED – For Official Use

5. Perimeter of Validation Activities
• Functional validation
• AOCS, Thermal, Power subsystems
• Command/Control and FDIR
• Mode management for subsystems
– AOCS
– Power
– Thermal
– TTC
– Payload
• System control application
• Hardware reconfiguration module
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 5
ESA UNCLASSIFIED – For Official Use

6. Functional Validation
• Per subsystem (e.g., power & thermal control, AOCS)
• Most often in Matlab/Simulink
• Most often purely cyclic data-flow (get data from sensors,
compute commands, output data to actuators)
Functional Eng Simulator
Controller
Environment
dynamics
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 6
ESA UNCLASSIFIED – For Official Use

7. Command/Control and FDIR
• Executable control-oriented models
(based on state machines)
• Two levels of early validation
a. The “What” level: what is the
chain of events/actions
leading from detected error to
reconfiguration
 Model-checking
b. The “How ” level: how the
chain of events/actions is to
be implemented (e.g.,
filtering, detection thresholds)
 Simulation
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 7
ESA UNCLASSIFIED – For Official Use

8. Constraints (Legacy)
• AOCS model
• Existing functional model
– Algorithms for most of the modes
– Environment dynamics (continuous)
• In Simulink
• Power and Thermal models
• Part of functional engineering simulator
• In Simulink
• FDIR models for power and thermal subsystems
• In RTDS (SDL language)
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 8
ESA UNCLASSIFIED – For Official Use

9. Integration Choices
• Integration backbone: Simulink
• Functional Engineering Simulator infrastructure
• Matlab scripts to launch simulations with particular parameters (fault
injections) and to log results
• Power and Thermal FDIR  legacy RTDS models
• Integration in Simulink using S-functions (black boxes in the
Simulink model)
• TASTE toolset for integration of heterogeneous models
• Description of model architecture and interfaces
• Manages code generation and interfaces
• AOCS & System FDIR  Simulink (+ Stateflow and Embedded Matlab)
• Native model  white box
• Interfaces as bus objects (defined in Excel, processed automatically)
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 9
ESA UNCLASSIFIED – For Official Use

10. Model Architecture
Observables/Action Requests
AOCS
System AOCS
Manage Mode Mgr
CDU reboot notification
commands
ment AOCS AOCS
(SW & Ctrl FDIR
HW)
Env
HW Power Control
Reconf
Thermal Control
Module
TT&C
Payload
Level ¾ alarms
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 10
ESA UNCLASSIFIED – For Official Use

11. Model Granularity
• System Control
• Equipment management (abstract, including redundancy and timing)
• High-level subsystem coordination logic
• Reconfiguration Module
• Level 3-4 alarms (computing data unit and global reconfiguration)
• Subsystems
• Mode manager (Nominal and FDIR transitions)
• Functional behaviour model
• Environment
• FDIR (partly detection, reconfiguration) for level 1-2 alarms
(subsystem level)
– Electrical, physical, internal, consistency faults
– Filtering, voting, error counters
• Timing behaviour
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 11
ESA UNCLASSIFIED – For Official Use

12. Results
1. Identification of issues in the design phase
a. Several alarms lead to the same reconfiguration (unoptimized
FDIR wrt. Payload availability requirement)
b. Reconfigurations not fully specified
c. Errors in the filtering algorithms
d. Missing information: which TCs are discared during
reconfiguration procedure
e. Diagnosis issues: how to distinguish between alarm resulting
from sequence of unsuccessful HW reconfigurations and alarm
resulting from one fault
f. Shadowed FDIR rules
g. Responsibility issues (what system application/module decides
the mode changes)
h. Timing issues
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 12
ESA UNCLASSIFIED – For Official Use

13. Conclusions & Perspectives
1. Conclusions
a. Pragmatic collaborative modelling and simulation approach in
the context of a challenging space project
b. Constraints related to legacy, schedule, organizational issues
2. Perspectives
a. Scalability of model-checking techniques
b. Test case generation from the simulation activity
c. Modelling patterns favouring integration
d. Modern collaborative platforms for multi-team/multi-site work
Validation of Spacecraft Behaviour Concept | Ana Rugina | ESA-ESTEC | 26/06/2012 | TEC | Slide 13
ESA UNCLASSIFIED – For Official Use