Abstract

Fault Detection, Isolation and Recovery (FDIR) functions are essential for spacecraft survival, yet spacecraft are limited in resources and subject to various constraints. FDIR functions aim to bring the spacecraft into a safe state through recovery sequences when system failures occur. Because FDIR consists of multiple processes, it follows a fixed sequence in order to satisfy these constraints. For example, a satellite system is limited in the power it can consume. Because of this limitation, the units are constrained so that they cannot all operate at the same time. It is therefore not possible to keep every unit powered on; each unit must be powered on and off according to the process. In particular, FDIR functions must power some units off to preserve power for the next process, so they must perform the power-on and power-off of units with minimum power. For example, when a satellite system has excess power, it reaches a safe state regardless of the sequence in which units are powered on and off. On the other hand, when the satellite system consumes a large amount of power, FDIR functions must perform a fixed sequence to satisfy the power constraint: they first require powering off unused units and subsequently powering on the units of the next process. However, the verification of faulty sequences of FDIR functions is easily omitted during the design phase. System failures can occur in any system state, and the number of system states is enormous. When a satellite system has 20 units with 2 states each (power-on and power-off) and 10 processes that utilize the units, the size of the system's state space becomes 1.0*10^7 states. It is therefore difficult to verify all FDIR sequences without omission during design. This paper proposes a method for detecting faulty sequences of FDIR functions using model checking, which verifies the FDIR functions over this huge state space.
Model checking verifies faulty sequences by outputting the state transitions that lead to them. However, model checking requires a finite-state model, and a finite-state model is subject to state explosion. We propose a method to abstract the system state to the parts that affect the success of the FDIR functions' recovery sequences.
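As an added example (not code from the paper), the following Python script performs the exhaustive check the abstract describes on a small constructed model: five units with constructed power draws, a constructed bus power budget, and three constructed processes. It applies the recovery sequence into each process from every unit power state that respects the budget (a failure can occur in any state) and reports any intermediate state whose power exceeds the budget, comparing the off-before-on ordering with the reversed ordering.

```python
"""Exhaustive check of an FDIR recovery sequence against a power budget.

Added example; unit names, power draws, processes and the budget are
constructed and not taken from the paper.
"""
from itertools import product

# Constructed model: unit -> power draw in watts when powered on.
UNITS = {"OBC": 5, "TX": 20, "RX": 8, "PAYLOAD": 25, "HEATER": 15}
BUDGET = 45  # constructed bus power limit in watts
# Constructed processes: the set of units that must be on for each one.
PROCESSES = {
    "safe": {"OBC", "RX", "HEATER"},
    "comm": {"OBC", "TX", "RX"},
    "science": {"OBC", "PAYLOAD"},
}


def power(state):
    """Total power drawn by the units that are currently on."""
    return sum(UNITS[u] for u, on in state.items() if on)


def recovery_steps(state, target, off_first=True):
    """Yield every intermediate state of a recovery toward `target`.

    off_first=True : power off unused units, then power on needed ones.
    off_first=False: the reverse ordering (the faulty sequence)."""
    state = dict(state)
    turn_off = sorted(u for u, on in state.items() if on and u not in target)
    turn_on = sorted(u for u in target if not state[u])
    order = turn_off + turn_on if off_first else turn_on + turn_off
    for u in order:
        state[u] = u in target  # off if unused by target, on if needed
        yield dict(state)


def find_violations(off_first=True):
    """Run the recovery into every process from every unit power state
    that respects BUDGET; return (start, process, step) triples where an
    intermediate step exceeds BUDGET (empty list means no faulty path)."""
    violations = []
    for bits in product([False, True], repeat=len(UNITS)):
        start = dict(zip(UNITS, bits))
        if power(start) > BUDGET:  # not a valid state for a failure to occur in
            continue
        for name, target in PROCESSES.items():
            for step in recovery_steps(start, target, off_first):
                if power(step) > BUDGET:
                    violations.append((start, name, step))
                    break
    return violations
```

Running `find_violations(False)` lists the start states and processes for which the on-before-off ordering overdraws the bus, while the off-before-on ordering yields none for this model.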
