Design of an Autonomous Decision Support System for High-Level Planning in Nano Satellites Using Logic Programming
Saliha Serdar
Space Engineering, masters level
2017
Luleå University of Technology
Department of Computer Science, Electrical and Space Engineering
Master Thesis in the course of the study programme "Master in Space Science and Technology" by Saliha Serdar, born on April 24th 1991 in Groß-Gerau
Submitted on: October 11th 2016
Julius-Maximilians-University, Department of Computer Science, Aerospace Information Technology: Prof. Dr.-Ing. Hakan Kayal, Prof. Dr. Dietmar Seipel
Luleå Tekniska Universitet, Department of Computer Science, Electrical and Space Engineering: Prof. Dr.Eng. Reza Emami
Statutory declaration
I confirm that this Master’s thesis is my own work and I have documented all sources and material used. This thesis was not previously presented to another examination board and has not been published.
Würzburg, 11.10.2016
Contents
Abstract
Acknowledgment
Acronyms
1 Introduction
2 State of the Art
2.1 On-Board Autonomous Science Investigation System for Opportunistic Rover Science - OASIS
2.2 Autonomous Exploration for Gathering Increased Science - AEGIS
2.3 Autonomous Science Target Identification and Acquisition - ASTIA
2.4 Multi-Rover Integrated Science Understanding System - MISUS
2.5 Autonomous Sciencecraft Experiment - ASE
2.6 Project for On-Board Autonomy - PROBA
2.7 Conclusion of the State of the Art
3 Theory
3.1 Definition of Decision Support System - DSS
3.2 Logical Programming Language - Prolog
3.3 Analytic Hierarchy Process - AHP
3.3.1 Detailed Approach of the Analytical Hierarchy Process
3.3.2 Super Decision Software
3.3.3 Advantages of AHP over the Simple Scoring Model
4 Spacecraft Mission Design
4.1 SONATE
4.2 Orbital Design
4.3 Spacecraft Subsystems
4.3.1 On-Board Computer - OBC
4.3.2 Power System
4.3.3 Attitude Determination and Control System - ADCS
4.3.4 Thermal Control System
4.3.5 Telemetry, Tracking and Command System - TT&C
4.3.6 Payload
5 Definition, Analysis and Evaluation of Spacecraft Failures
5.1 Definition of Failures
5.1.1 OBC Failures
5.1.2 Power System Failures
5.1.3 Thermal Control System Failures
5.1.4 ADCS Failures
5.1.5 TT&C Failures
5.1.6 Payload Failures
5.2 Analysis of the Defined Failures
5.2.1 Definition of the Characteristics of Power System Failures
5.2.2 Determining the Degree of Impact of Power System Failures
5.2.3 Results of the Failure Rating
6 Event Analysis
6.1 Defining the Features of the Events
6.1.1 Predictability
6.1.2 Repetition in one Cycle
6.1.3 Level of Intensity
6.1.4 Strangeness
6.2 Combination of Event Features
6.3 Determining the Importances of Events
7 Decision Support System
7.1 Defining the Facts and Rules
7.1.1 Facts
7.1.2 Rules
7.2 Implementation in Prolog
7.2.1 Facts in Prolog
7.2.2 Rules in Prolog
7.2.3 Queries in Prolog
8 Results and Future Work
8.1 Results of the Work
8.2 Future Work
9 Conclusion
Appendix
A On-Board Computer Failure Analysis
B Power System Failure Analysis
C Thermal Control System Failure Analysis
D Attitude Determination and Control System Failure Analysis
E Telemetry, Tracking & Command Failure Analysis
F Payload Failure Analysis
G Event Tree
H Èxypnos System Code for Power System Failures
List of Figures
List of Tables
References
Abstract
Low-level decisions in space missions, like maximizing the contact duration or bringing the spacecraft into safe mode in case of anomalies, are made autonomously by the spacecraft, whereas high-level and critical decisions are still taken by humans. Due to communication delays in interplanetary or even interstellar missions, this limits spacecraft operations in unexpected situations. Unexpected situations can be either the detection of unforeseeable short-lived events or on-board failures. Under these conditions the spacecraft has to take quick decisions in order not to miss the event or lose the spacecraft. Higher demands are imposed on spacecraft autonomy if an event is detected and an on-board failure occurs at the same time. The presented work deals exactly with this last problem, which requires autonomy in high-level planning. A decision has to be taken between either investigating the event or repairing the failure. Thereby the unique scientific measurements that can result from the detected event, as well as the impact of the failure, are considered. To reach this objective, a rule-based decision support system, also referred to as an expert system, is designed for nano satellites. For this purpose, events and on-board failures are defined, analyzed and converted from objective ratings into numerical values by applying the Analytical Hierarchy Process. Since the logical programming language Prolog is an appropriate language for expert systems, a part of the developed system is implemented in Prolog, to verify its use in space-related expert systems.
Acknowledgment
First of all I want to thank my master thesis advisors Prof. Dr.-Ing. Hakan Kayal and Prof. Dr. Dietmar Seipel of the Department of Computer Science at the University Würzburg. Prof. Kayal supported me during my thesis with his expert knowledge concerning aerospace technology and Prof. Seipel, as a Prolog expert, introduced me to Prolog. I would also like to thank Florian Kempf (research assistant at the University Würzburg) for inspiring me with new ideas that helped me to make great progress in my thesis.
Finally, I must express my very profound gratitude to my parents, to my partner and to my friends for providing me with unfailing support and continuous encouragement throughout my years of study and through the process of researching and writing this thesis. This accomplishment would not have been possible without them. Thank you.
Saliha Serdar
Acronyms
ADCS Attitude Determination and Control System
ADIA++ Autonomous Diagnostic System for nano satellites
AEGIS Autonomous Exploration for Gathering Increased Science
AHP Analytical Hierarchy Process
ANP Analytical Network Process
ASAP Autonomous Sensor And Planning
ASE Autonomous Sciencecraft Experiment
ASTIA Autonomous Science Target Identification and Acquisition
CASPER Continuous Activity Scheduling, Planning, Execution and Re-planning
ChemCam Chemistry and Camera
CI Consistency Index
DSS Decision Support System
EDAC Error Detection and Correction
EO-1 Earth Observing-1
ESA European Space Agency
ESD Electrostatic Discharge
FDIR Fault Detection Isolation and Recovery
FIDO Field Integrated Design and Operations
GESTALT Grid-based Estimation of Surface Traversability Applied to Local Terrain
GRB Gamma Ray Bursts
HG High Gain
HMNAO Her Majesty’s Nautical Almanac Office
HW Hardware
JPL Jet Propulsion Laboratory
KS Knowledge System
KSTIS Knowledge based Science Target Identification System
LG Low Gain
LIBS Laser Induced Breakdown Spectrometer
LS Language System
𝜇ASC micro Advanced Stellar Compass
MBU Multiple Bit Upset
MEL Mars Exploration Laboratory
MER Mars Exploration Rover
MISUS Multi-Rover Integrated Science Understanding System
NASA National Aeronautics and Space Administration
OASIS On-Board Autonomous Science Investigation System for Opportunistic Rover Science
OBC On-Board Computer
OBSW On-Board Software
PCDU Power Control and Distribution Unit
PPS Problem-Processing System
PROBA Project for On-Board Autonomy
PROLOG Programming in Logic
PS Presentation System
RCS Reaction Control System
RI Random Index
RIA Rock Identification Agent
RMI Remote Micro Imager
SEB Single Event Burnout
SEE Single Event Effects
SEL Single Event Latch-up
SEU Single Event Upset
SSTV Slow Scan Television
STFC Science & Technology Facilities Council
SV Science Values
TDL Task Description Language
TID Total Ionizing Dose
TOMS-EP Total Ozone Mapping Spectrometer in NASA’s Earth Probe series
TT&C Telemetry Tracking and Command System
USNO United States Naval Observatory
1 Introduction
Intelligent systems are increasingly becoming a part of our daily life. Examples are digital assistants (e.g. Siri and Amazon Echo), autonomously driving cars (e.g. Google Chauffeur), computer games (to create challenges for the player), medical diagnosis systems (MYCIN [1]) and many more. But what exactly is the definition of intelligent systems? According to Gudwing (2000) [2], intelligent systems have the ability to work in a changing environment. Intelligent systems are also gaining importance in the space domain, but require a certain degree of autonomy. In a common mission, commands are uploaded to the spacecraft by the ground station during the contact time window. Afterwards they are executed sequentially by the spacecraft at a predefined time. Until the next contact, the spacecraft operates blind according to the uploaded commands. In case of unexpected situations, the spacecraft is not able to reschedule the commands in order to respond to changes. This can lead to significant drawbacks if an unexpected event, which might be interesting to investigate, is missed by the spacecraft. Another difficulty concerns the health status of the spacecraft. Failures and anomalies can be monitored by the ground station only during contact time. Of course the spacecraft is not totally alone with its failures and anomalies: there is a system called Fault Detection Isolation and Recovery (FDIR) on board the spacecraft. As the name suggests, FDIR has the task to detect, isolate and recover from occurring failures. However, the isolation and recovery parts are limited to only a few operations, such as powering down the affected component, releasing the redundant element if the operating one failed or, as a last resort, changing the state of the spacecraft to safe mode [3].
With increasing distances between spacecraft and ground station, the stated operational limitations of spacecraft also increase. For example, a one-way contact duration between Mars rovers and ground stations takes approximately 20 minutes. Due to this fact, teleoperation of Mars rovers is impossible to realize, since in case of an unexpected situation, e.g. slipping of the rover, there is no possibility to react in real time. This is overcome with supervised autonomy, where the destination is transmitted by the ground station and the rover decides autonomously about the interim goals. Some degree of autonomy is also given in satellite missions, e.g. in NASA’s EO-1 mission, where the spacecraft is able to respond to unexpected events (Section 2.5), and in ESA’s PROBA mission, in which low-level autonomy such as pointing the camera to the desired position (Section 2.6) is available. However, the EO-1 spacecraft is a medium-sized satellite with a mass of 572 kg, which leads to high costs in development as well as in launch. The satellites of the PROBA mission are small satellites with a mass range of 100 kg up to 300 kg, but are still expensive and deliver a low level of autonomy.
Currently the Department of Computer Science - Chair VIII of the University Würzburg is developing SONATE, a nano satellite which will be able to detect unexpected events and reschedule the command plan in order to investigate them. Additionally it will have the ability to diagnose its own health status. Detecting events and rescheduling the commands are the tasks of the payload ASAP, whereas the fault diagnosis will be done by ADIA++. Both payloads will operate autonomously, without intervention from Earth. This project is funded by the German Federal Ministry of Economic Affairs and Energy, represented by the German Space Agency [4].
In the presented work a system for high-level planning, named Èxypnos System (éxypnos comes from Greek and means intelligent), is designed. It will assist the spacecraft in critical decision-making situations, which will increase the degree of autonomy. Here the critical situations are defined by the occurrence of on-board failures and the simultaneous detection of unexpected events. The decision then has to be taken between either applying a corrective measure to repair the failure or investigating the detected event. The system is designed based on an invented nano satellite, called ÈxypnosSat, which is inspired by SONATE.
The designed system is an outline of an autonomous decision support system (DSS) for the circumstances specified above. Since the designed DSS will act like a domain expert, such systems are also called expert systems. For this objective the logical programming language Prolog is chosen due to its declarative approach, which suits expert systems well. The focus of this work is on the analysis of on-board failures and unexpected events. Failures and unexpected events are converted from objective ratings into numerical values according to their degree of impact and importance respectively. For this the multi-criteria decision making approach Analytical Hierarchy Process (AHP) is applied. Based on these analyses an illustrative example of the power subsystem is implemented in Prolog to verify its use in space-related expert systems as well.
The thesis is structured as follows: As a first step, a brief overview of the state of the art of autonomous and intelligent systems in the space area is given in Section 2. Afterwards, in Section 3, the theoretical background of DSS, Prolog and the applied decision making approach, AHP, is explained. In Section 4 the design of the invented ÈxypnosSat is outlined, followed by its failure analysis in Section 5 and the analysis of unexpected events in Section 6. After the failure and event analyses, the DSS is designed in Section 7 and implemented in the logical programming language Prolog. Finally the results and future work are discussed in Section 8, and in Section 9 the conclusion of the work is drawn.
2 State of the Art
Before designing the intelligent decision support system, existing intelligent systems in space were researched; they are presented in this chapter. No differentiation is made between rovers and spacecraft. Since the field of highly autonomous spacecraft is limited, the size and mass ranges of the investigated rovers and spacecraft are likewise not restricted. Sections 2.1 to 2.4 address intelligent systems in rovers. Autonomous satellites are covered in Sections 2.5 and 2.6. After the state of the art of intelligent systems in space is outlined, a summarized review is given in Section 2.7.
2.1 On-Board Autonomous Science Investigation System for Opportunistic Rover Science - OASIS
An increased traveled distance of planetary rovers can increase the chance to gain high-quality scientific knowledge. While NASA’s first successful Mars rover, Sojourner, covered a distance of about 100 m in its whole lifetime, one of NASA’s Mars Exploration Rovers, Opportunity, has covered about 43 km to date. This major step forward in rover missions was realized with the autonomous driving software GESTALT (Grid-based Estimation of Surface Traversability Applied to Local Terrain). It gives the rover the ability to drive autonomously across the Martian surface to the desired destination. One problem here is that with increased traveled distance the transmission time slots between Earth and Mars remain constant and are used in most cases for decision making purposes (e.g. detecting a rock of scientific interest is done by the ground control system). The consequence of this procedure is that on a long journey of the rover, most of the traversed terrain remains undiscovered [5].
In order to use the limited transmission time slots meaningfully, by transmitting more scientific data instead of commanding the rover, the OASIS system was developed by the engineers of NASA’s Jet Propulsion Laboratory (JPL). OASIS is able to autonomously recognize and analyze targets and events of scientific interest on board the rover. Terrain features and events which require further investigation can be directly identified by the rover. This system was tested successfully on the FIDO¹ rover [5].
¹ FIDO is a prototype rover on Earth for testing purposes.
The OASIS system first detects predefined features based on the image data. These features are predefined by the scientific team members of the mission. After detecting features, there are two possible ways to proceed. Either an image segmentation is done to categorize the sky and rocks, followed by the extraction of the features, or the characteristics are extracted directly from the input image. Once this is done, the features, e.g. of rocks, are analyzed and afterwards prioritized to define new scientific goals in case of an interesting observation. Four different options are given to determine the target of scientific interest:
- Detected Event: sets a flag if an event of interest is captured
- Key Target Signature: recognizes properties that are predefined by scientists
- Novelty Detection: recognizes properties with high deviation from usual values
- Representative Sampling: identifies rocks that are representative for the traveled region to gain characteristics of this region
OASIS also has the ability to reschedule the command sequence when an interesting feature is detected, to monitor the actual state of the rover and to execute the rescheduled commands. Rescheduling of commands and monitoring of the rover’s actual state are provided by the CASPER² system [6]. The execution of the commands is performed by a system called TDL³ [6]. Both systems, CASPER and TDL, are integrated in OASIS.
² Continuous Activity Scheduling, Planning, Execution and Re-planning
³ Task Description Language
2.2 Autonomous Exploration for Gathering Increased Science - AEGIS
AEGIS is software that was also developed by NASA’s JPL for planetary rovers. It is a part of the OASIS framework and allows rovers to autonomously determine targets of scientific interest, in order to point the remote-sensing instruments. With AEGIS it is possible to increase the efficiency of the mission, since a common target selection by scientists on Earth can take several days due to the transmission delay, and during this time the rover has to stay at the same position. The target selection with AEGIS is done on the basis of criteria and constraints predefined by human experts [7], which are uploaded to the rover.
The strategy of this software is first to analyze on board the images provided by the navigation cameras of the rover. The result of this analysis is the identification of potential targets. Based on this analysis, relevant targets are extracted and prioritized depending on their features (e.g. shape, size and surface reflectance). The prioritization is done with the weighted sums of each detected characteristic. The rating values of the characteristics are predefined constraints stored in the memory of the rover. The relevant target with the highest priority is then chosen as the most interesting goal for scientific investigation [7].
AEGIS was first uploaded to NASA’s Mars Exploration Rover (MER) Opportunity in December 2009 in order to select targets for the narrow field-of-view Panoramic Camera, called PanCam. It is used to gain high-resolution color images of the Martian sky and surface [8] to obtain geological and physical properties of Mars [estlin2012].
After quite some time, in July 2016, the AEGIS software was also uploaded to NASA’s Mars Exploration Laboratory (MEL) rover Curiosity. Here the software is likewise used to select targets of scientific interest with the navigation camera, but it points other remote-sensing instruments, the Laser Induced Breakdown Spectrometer (LIBS) and the Remote Micro Imager (RMI) of the Chemistry and Camera (ChemCam) instrument. The challenge compared with Opportunity is to select fine-scaled targets in order to point LIBS and RMI, since the diameter of LIBS is 0.3 mm to 0.5 mm and the field of view of RMI is 1.15° [9].
2.3 Autonomous Science Target Identification and Acquisition - ASTIA
The European Space Agency (ESA) is also taking first steps towards on-board autonomy with the intended ExoMars rover, which was first planned to launch in 2018 and later changed to 2020 [10]. The British government agency Science & Technology Facilities Council (STFC) developed an OASIS-like system (Section 2.1), called ASTIA. It will identify targets of scientific interest and analyze surface samples autonomously on board.
To reach on-board autonomy, the ASTIA system is made up of several components: the Rock Identification Agent (RIA), the Knowledge based Science Target Identification System (KSTIS), the 3D Vision Agent and the Arm Agent [11]. After images are taken, RIA identifies the rocks with their relative centroids. This is an important key feature for the further investigation with the 3D Vision Agent, where the 3D coordinates of the target are extracted by stereo vision methods [11]. To rank the recognized targets according to their geological importance, the KSTIS software is involved [12]. It is a fuzzy knowledge-based expert system, developed together with experts from the field of geology. With respect to rock features (structure, texture and composition), KSTIS classifies detected rocks with Mamdani’s fuzzy-set method. The outputs of KSTIS are Science Values (SV) for each detected target, representing its importance [11], [12]. The Arm Agent makes it possible to collect samples with the intended manipulator of the ExoMars rover. The Arm Agent involves the inverse kinematics of the robotic arm, to reach the desired target for sampling purposes.
2.4 Multi-Rover Integrated Science Understanding System - MISUS
In planetary missions, cooperation between several rovers would increase new scientific discoveries. These rovers must have the ability to communicate and cooperate with each other to accomplish the entire mission. NASA is developing such a system, named Multi-Rover Integrated Science Understanding System (MISUS), to fulfill the imposed requirements. The essential requirements are highly autonomous rovers, to reach a maximum efficiency of rover operations while minimizing the communication with the ground station for decision making purposes. As a consequence, the rovers have to take their own decisions on board.
The ability of multiple rovers to cooperate will be provided by the MISUS software. Its main functions will be data analysis and distributed planning and scheduling. Data analysis will involve a machine-learning module to identify interesting features and discover them by setting new scientific goals. With this module the rocks can be analyzed and clustered according to their geological features. After clustering the investigated rocks, they can be prioritized according to their importance, equivalent to the OASIS system (Section 2.1). The main difference between MISUS and OASIS lies in the distributed planning and scheduling module. As in OASIS, the CASPER software will reschedule the mission plan if an interesting event or feature is detected. However, in MISUS the planning software is divided into a central planner, where one global mission is generated for all rovers, and a distributed planner, where each rover has a specific mission plan. Both modules are controlled by the continuous planning software CASPER.
2.5 Autonomous Sciencecraft Experiment - ASE
Until recently, spacecraft were not able to take decisions autonomously on the basis of observations. Autonomy is an important feature for interplanetary and interstellar explorations, since phenomena with a very short appearance period can be missed due to delayed command transmissions. The ASE software, developed by NASA, enables satellites to fulfill their missions completely autonomously. The autonomy involves analyzing scientific data and planning the next steps of the observation [13]. To recognize unexpected events autonomously, the images are analyzed with respect to differences from previously investigated images. Implemented algorithms make it possible to detect events (e.g. melting of ice, lava flow) and to discover them. In order to reach this autonomy, ASE is divided into the following components [14]:
- On-board science algorithms: to analyze interesting events and features,
- Robust execution management software: to make it possible to execute plans,
- CASPER software: to reschedule mission plans.
Since 2003, the ASE software has been uploaded to NASA’s first spacecraft of the New Millennium Program, Earth Observing-1 (EO-1) [14], which was launched in the year 2000 [15]. The aim of this mission is to design and test new space application technologies [16]. EO-1 has a total mass⁴ of 572 kg [15] and is able to detect and discover dynamical events on Earth autonomously. Events of scientific interest for this mission are thermal anomalies, clouds, flood scenes and changed environment [16]. As a result of on-board autonomy, the down-link data for decision making is decreased and the down-link of highest science data is increased [16].
⁴ The total mass includes propellant.
2.6 Project for On-Board Autonomy - PROBA
ESA also intends to develop spacecraft with on-board autonomy, which is the intention of the Project for On-Board Autonomy (PROBA) mission, a part of the Technological Demonstration Program. With PROBA, operation by the ground station should be minimized. Currently flying spacecraft of this mission are PROBA-1, PROBA-2 and PROBA-V, and the mission planned for the end of the year 2018 is PROBA-3 [17].
The first satellite, PROBA-1, launched in October 2001, is an Earth observation satellite with the aim to test and demonstrate on-board autonomy [18]. The provided autonomy of PROBA-1 includes low-level operations and resource management, camera pointing and scanning based on input data⁵, planning and execution of payload operations and communication with the ground station [18].
⁵ The input data are geographical coordinates, latitude and longitude.
PROBA-2 is the successor of PROBA-1 and was launched in November 2009 [19]. The mission of PROBA-2 is Sun observation for space weather purposes. The autonomy of PROBA-1 is adopted and extended with an autonomous star tracker, named micro Advanced Stellar Compass (𝜇ASC).
The last realized PROBA mission, PROBA-V, was launched in May 2013 and is able to detect and differentiate land and sea autonomously [18]. This mission was also adopted and extended based on previous PROBA spacecraft. The V in PROBA-V stands for vegetation, and therefore the areas of interest are land. A land-sea mask, a given map where land and sea are marked, makes it possible to differentiate between land and sea autonomously on board. Estimation from the current position up to the position 10 minutes in the future is possible. The camera switching is done autonomously by the spacecraft by means of the land-sea mask. The cameras can be switched ON either by detecting land or by passing through a predefined geographical coordinate. As usual in spacecraft, a Failure Detection, Isolation and Recovery (FDIR) system is also on board PROBA-V. Once an anomaly or failure is detected by FDIR and the spacecraft is in the autonomous observation mode (called nominal mode), the following three possibilities for isolation and recovery are given:
- power cycle resource,
- switch to redundant resource,
- switch to system safe mode in case no redundant resource is available at that moment.
If it is possible to overcome the anomaly with the first or the second solution, then the spacecraft will stay in the nominal observation mode.
The next planned spacecraft of the PROBA series is PROBA-3 and it will be the first step ofthe ESA towards formation flying. It is intended to launch two satellites in high elliptical orbits6
to fly them in precise formation with accurate pointing capability [20]. Acquired knowledgeform previous PROBA mission will be deployed in this mission as well, especially the on-boardautonomy.
2.7 Conclusion of the State of the Art
The research delivers the result, that both rovers and satellites have not the ability to handleautonomously in critical situation, e.g. an failure occurrence and event detection at the sametime. Besides the autonomous navigation which is required in interplanetary missions, theautonomy of rovers are limited by target detection based on predefined features by experts. Incase of on-board anomaly and detection of an event of scientific interest, the operators on Earthhave to intervene. If e.g. a target is visible for a short time, a unique scientific measurementcan be missed in this situation due to communication delay. The same problem is also given inEO-1 and PROBA satellites. Irrelevant what kind of strangeness the event has, e.g. the FDIRsystem of the satellites will change form observation mode into safe mode if the problem can notbe fixed or the ground station have to interact with the satellites. Furthermore it is noticeablethat intelligent systems are implemented up to now only in spacecrafts with high mass rangedfrom approximately 1000kg (e.g. Curiosity rover) to 100kg (PROBA-1). Spacecrafts with highmasses are always coupled with high costs and therefore the mission is risk-aver.
^6 High elliptical orbit: low altitude perigee and high altitude apogee.
Based on this research, it can be stated that spacecraft autonomy in critical situations is an unexplored area. Following this investigation, an untouched field will be addressed by designing an intelligent system for nano satellites that will support the spacecraft with a decision in case of critical situations. As stated before, a critical situation is specified by the concurrent occurrence of failures and unexpected events. The basic concept of target selection by rovers, where the features are rated by values, is taken up and will be applied in the designed system.
3 Theory
In this chapter the fundamentals are presented that help to understand the design process of the developed decision support system. Section 3.1 first introduces the definition of a decision support system, followed by an explanation of Prolog terms in Section 3.2. The theory of the applied multi-criteria decision-making approach, the Analytical Hierarchy Process (AHP), is addressed in Section 3.3. This section includes a description of the Super Decision software used for the AHP method as well as the reason why the AHP is preferred over the well-known simple scoring model.
3.1 Definition of Decision Support System - DSS
Decision making is a challenging task, especially in complex systems. Furthermore, making the right decision always involves an expert in the process. A system which supports and improves the judgment of decision makers and experts is a so-called decision support system (DSS). The problems addressed by a DSS are usually unstructured or semi-structured, meaning that the problem can change its state rapidly and is not predictable [21]. A DSS is able to provide a decision rapidly when it is required in time-critical problems. There is no specific definition of a Decision Support System, which means its characteristics are not clearly defined [21].
According to BURSTEIN (2008) [22], the main components of a DSS are the language system (LS), the presentation system (PS), the knowledge system (KS) and the problem-processing system (PPS). The LS defines the commands which can be translated by the DSS, whereas the PS defines the output vocabulary of the DSS. The KS holds all information about the problem, stored partially in a database. The last component, the PPS, is the problem solver of a DSS.
Furthermore, there exist several classifications of DSS frameworks, such as text-oriented, database-oriented, spreadsheet-oriented and more, which can be found in [22]. For this work a rule-oriented DSS is intended. In a rule-oriented or rule-based DSS, the decision is taken based on predefined rules. These rules can either be extended manually by humans or, in the case of an artificial neural network, the system can define rules based on actions and results. If the rules are extended by the system itself, then the system is called a learning system.
A rule-based DSS is also categorized as an expert system, since the expert's knowledge is imitated in the rules [22]. This is used when the human expert is not available at the moment a time-critical decision has to be taken [22]. Another reason for the absence of human experts is high cost, since an expert system can replace a human expert. The replacement underlines the difference between an expert system and a DSS: in a DSS the expert is not replaced but supported, whereas in an expert system the expert is replaced.
Rule-Based Decision Support System - Expert Systems
The system designed in this work is a rule-based system, and therefore a detailed definition of rule-based systems is introduced. According to NEGNEVITSKY (2011) [1], the development of a rule-based system involves a domain expert, a knowledge engineer, a programmer and a project manager. The domain expert is the person with extensive knowledge of the specific area, gained through long-standing experience. The knowledge of the human expert will be transferred to the expert system. The task of the knowledge engineer is to design and test the expert system based on the expertise of the human expert. This task also involves selecting the best programming language for the given problem. After this is done, a programmer with symbolic programming skills translates the knowledge, in the form of rules, into program code. The last member, the project manager, guides the whole team and is the interface to the users. It is possible to reduce the size of the development team by using expert system shells. Expert system shells are software for developing rule-based expert systems with less programming skill than would otherwise be required. The knowledge can then be directly defined as rules. With such software a small rule-based expert system can even be developed by one person [1].
As mentioned before, the DSS developed in this work is a rule-based system, also called a production system. A production system is based on "IF-THEN" clauses, also referred to as condition and action clauses [1]. The condition is made up of at least one object and one value. An example is
IF ’traffic light’ is red
in which ’traffic light’ is the object and red the value. If the given object has the specified value, then there is a consequence, called the action. The action can likewise be divided into two parts, as in the condition part, but this is not required. It should be noted that the condition part requires at least one object and one value. The continuation of the above example for the action part is then
THEN stop.
3.2 Logical Programming Language - Prolog
To develop a rule-based DSS, a logical and symbolic programming language is required. Prolog is the most widely used programming language for logic programming (Programming in logic). This section gives a short introduction to Prolog, in which the essential Prolog terms are introduced.
Prolog is a declarative language that is made up of three components: facts, rules and queries. Declarative programming languages are characterized by their abstract mode of expressing logical computations. Such languages make it easier for domain experts to handle the semantics of the program, since declarative languages do not focus on how a given problem has to be solved, as imperative programming languages do. They deal with the question of what the problem to be solved is [23].
The user is able to ask the Prolog program questions to solve the given problem of a specific domain. The questions posed to Prolog are called queries. With them it is possible to search through the facts and rules to deliver all correct and possible solutions. Prolog is a commonly used language in expert systems.
According to BRATKO (2001) [24], a Prolog program consists of clauses, each of which ends with a full stop. The types of clauses are facts, rules and queries. Facts have the head form and consist of a functor with a defined arity. Arity is the number of arguments related to a functor. The arguments can be either atoms (constants) or variables (general objects). Examples of facts are
female(ann).
parent(ann, bob).
in which the first fact has arity 1, with the argument ann, and the second fact has arity 2, with the arguments ann and bob. The combination of a functor and an arity is called a predicate [25]. Predicates are either predefined by the Prolog system, and called built-in predicates, or defined by the user as facts and rules, and called user-defined predicates. The facts can be stated as functor/arity, which in the given examples are female/1 and parent/2 [26]. The first fact reads as "ann is female" and the second as "ann is parent of bob". These are user-defined predicates. One example of a built-in predicate is write/1, in which the argument of the functor write is printed as output on the console.
Rules have the form head :- g_1, g_2, ..., g_n, in which head is the same head defined in facts, :- is the neck operator indicating the if clause, and g_1, g_2, ..., g_n is the body of the clause, consisting of n goals [27], [25]. An example of a rule is
mother(X, Y) :-
    parent(X, Y), female(X).
in which the arguments of the functor are in this case variables. A variable in Prolog begins either with a capital letter or with an underscore character [27]. The then clauses of an if-then are written in Prolog after the head of the rule. An and clause in Prolog is defined by a comma. The given example rule reads as: IF X is parent of Y and X is female, THEN X is mother of Y. Rules are true if the goals predefined by facts are fulfilled; otherwise they are false. A Prolog program can be extended by adding rules and facts without any problems.
After facts and rules are set, the user can ask the implemented Prolog program questions. The question must be typed after the system prompt, which is a question mark followed by a hyphen, ?-. The user does not need to type it manually, since Prolog generates it automatically on the console. A query is made up of at least one goal, which has the same form as the facts. For the above example of facts and rules, the question "is ann mother of bob?" can be asked with
?- mother(ann, bob).
where the query ends with a full stop since, as mentioned before, it is also a clause. The rule defined above is applied and the answer of the Prolog system is true, since the facts parent(ann, bob). and female(ann). are fulfilled. The variables X and Y are substituted by the atoms ann and bob respectively.
Up until now, a decision support system implemented in Prolog has not been used in space-related missions. In NOGUEIRA (2001) [28] an A-Prolog decision support system is designed for the Reaction Control System (RCS) of the Space Shuttle. The RCS is relevant for maneuvering the spacecraft while it is in space. It is computer controlled during take-off and landing, whereas during the flight it is controlled by the astronauts. Since in critical situations the astronauts have to communicate with the ground station, an intelligent system implemented in the RCS would be helpful. Such a system was designed successfully and confirmed the use of the declarative programming language, but it was not used in a real mission ([28]).
3.3 Analytic Hierarchy Process - AHP
There exist several types of decision theory techniques. The designed decision support systems are based on the Analytic Hierarchy Process (AHP). It is a concept for multi-criteria decision making and was developed by the mathematician Thomas L. Saaty [29]. With AHP it is possible to convert subjective evaluations into numerical values. Commonly this method is used in multi-criteria decisions, where applying AHP delivers the choice of the best alternative. Besides, AHP can be applied in a wide range of decision-making methods, and one of them is the evaluation of the alternatives [29]. The AHP will be applied in the designed Èxypnos System to rate all possible failures and all possible events with a value.
SAATY (2012) describes in [30] that the easiest way to structure a decision problem is a three-level hierarchy that consists of the goal of the decision, criteria and alternatives. Figure 3.1 depicts such a simple three-level hierarchy. The aim of a hierarchy is that the decision also considers the elements in the level linked above.
The most challenging and creative part, according to SAATY (2012) [30], is to define criteria in order to build the problem into a hierarchy. The criteria should consider the environment within the problem and the features influencing the problem. As illustrated in Figure 3.1, the hierarchy does not have to be complete: it is possible that one element is not linked with all elements beneath, but it must be linked with at least one. Such an incomplete hierarchy exists if the criteria are divided into sub-criteria and then linked to the alternatives.
The decision-making process AHP is based on relative measurements [31], in which one criterion, for example A, is compared pairwise with another criterion, B [30]. Here the pairwise comparison is only done for homogeneous elements. For the comparison the so-called fundamental scale is used, which is also defined by Saaty [30]. With these pairwise comparisons a square matrix for the criteria or sub-criteria is set up. From the square matrix the eigenvector of the principal eigenvalue is calculated. The calculated eigenvector represents the weighting of each criterion or sub-criterion. This was only a rough overview of the AHP; a detailed description follows in the next subsection.
Figure 3.1: Three Level Hierarchy of the Analytic Hierarchy Process.
Table 3.1: The Fundamental Scale according to [30].
| Intensity of Importance | Definition | Explanation |
| 1 | Equal importance | Two activities contribute equally to the objective |
| 2 | Weak | |
| 3 | Moderate importance | Experience and judgment slightly favor one activity over |
| 4 | Moderate plus | |
| 5 | Strong importance | Experience and judgment strongly favor one activity over |
| 6 | Strong plus | |
| 7 | Very strong | An activity is favored very strongly over another; its dominance demonstrated in practice |
| 8 | Very, very strong | |
| 9 | Extreme importance | The evidence favoring one activity over another is of the highest possible order of affirmation |
3.3.1 Detailed Approach of the Analytical Hierarchy Process
In this section the AHP will be explained step by step. An application of the method can be found in 5.2.2, in which AHP is applied to evaluate the power subsystem failures by numerical values.
Step 1. The first step is to divide the given decision problem into levels consisting of a goal, criteria, sub-criteria if appropriate, and alternatives. As mentioned before, this part is the most creative part to solve. The relationship between the levels is given by the connections to the element above, which is illustrated in Figure 3.1. If the criteria are classified further into sub-criteria, there is an additional level for the sub-criteria between the criteria and the alternatives. In this case the criteria will be linked to the sub-criteria and these in turn will be linked to the alternatives.
Step 2. The next step is to compare each criterion and, if defined, each sub-criterion pairwise. This comparison has to be done for homogeneous elements. This means all criteria are compared with each other, whereas all sub-criteria related to one criterion are compared pairwise. Comparing sub-criteria across criteria is not intended and does not make sense. The comparison is scored with the fundamental scale (Table 3.1). In most cases the pairwise comparison is done by experts or decision makers. It should be noted that the pairwise comparison of the alternatives should also be done with respect to the connected criteria or sub-criteria.
Step 3. From the pairwise comparison a square matrix, named the comparison matrix, is set up, whose diagonal entries are one. The other elements are based on the pairwise comparison. Let i be the row of the matrix A and j the column. If the i-th element is stronger than the j-th, then the entry in the matrix A at the position (i, j) is larger than 1. The element at the position (j, i) is given by its reciprocal. But if the j-th element is stronger than the i-th element, then the entry at the position (i, j) is the reciprocal of the value which states the importance of the element j based on the fundamental scale. Here as well, the element at the position (j, i) is given by its inverse.
Step 4. The comparison matrix is built to derive the priority vector, w. This is done with the aid of the eigenvector and eigenvalue method. The eigenvector of the principal eigenvalue is the priority vector w. How the eigenvalues and eigenvectors are derived will not be explained in this work but can be found in [31]. However, when applying the AHP method, software (like Expert Choice or Super Decision) is usually used, in which the eigenvalues and eigenvectors are derived.
Step 5. In order to check the consistency of the pairwise comparison done in step 2, the consistency ratio CR has to be calculated. It is the ratio of the consistency index CI and the random index RI. CI is given by
$$CI = \frac{\lambda_{max} - n}{n - 1}, \qquad (3.1)$$
in which $\lambda_{max}$ is the maximum eigenvalue and n the order of the comparison matrix. RI is the average estimation of CI of randomly generated matrices and can be found in [31]. If the calculated CR is larger than 0.1, it indicates inconsistency of the pairwise comparison.
Step 6. In the last step all values of connected criteria, sub-criteria and alternatives are multiplied, which provides the evaluation of each alternative with respect to the rating of the criteria and alternatives.
3.3.2 Super Decision Software
Due to the complexity of the Analytical Hierarchy Process, software is necessary which delivers the priority vectors described in the previous subsection. In this work the Super Decision software is used. The hierarchic structure of the problem and its connections are defined by the user, as is the pairwise comparison of homogeneous elements. During the pairwise comparison, the Super Decision software generates the comparison matrices and calculates the related priority vectors with their inconsistencies. There is no need to derive manually the eigenvector of the principal eigenvalue, which represents the priority vector. Since there are many matrix multiplications, it is useful to involve software, which is either self-implemented or already existing. There are several software packages for the AHP, but Super Decision is a free educational one. In this subsection a short introduction to the Super Decision software is provided. A detailed tutorial of the Super Decision software can be found in [32].
The levels goal, criteria and alternatives are called clusters in the Super Decision software. A cluster consists of elements, also called nodes. If a cluster is linked with a line to another cluster, then the elements within the clusters are connected. It is possible to check which elements are connected with the Show Connections icon. The goal and criterion clusters can be named arbitrarily, whereas the name of the alternatives cluster must contain the word "Alternatives". Figure 3.2 illustrates a sample model of a car hierarchy, which can be loaded by the data name Ca_hierarchy.sdmod. E.g. the cluster 2Criteria consists of the four elements 1Prestige, 2Price, 3MPG and 4Comfort. All these elements are connected to the elements of the 3Alternatives cluster. Likewise, the Goal Node element in the cluster 1Goal is linked to the elements of the 2Criteria cluster.
After all clusters and elements are built and linked, the pairwise comparison of elements within one cluster with respect to the connected element can be done. The pairwise comparison will be made for the sample model Car_hierarchy explained above. The pairwise comparison can be done either directly in the comparison matrix illustrated in Figure 3.3 or in the so-called questionnaire, which is depicted in Figure 3.4. Both alternatives deliver the same result, as can be seen in the figures on the right hand side in the part 3.Result. This is the priority vector for the comparison done, with the inconsistency given at the top. The same part is also included in the questionnaire comparison. In Figure 3.3 the blue values indicate the dominance of the elements on the left hand side, whereas the values written in red indicate the dominance of the elements listed on the top. During the pairwise comparison the priority vector is generated step by step. The inconsistency increases with the number of comparisons already done. This can help the user of the software to control the inconsistency and not exceed the value of 0,1. For the pairwise comparison the fundamental scale (Table 3.1) is used. In the questionnaire, if the element on the left hand side (blue) is more important than the one on the right hand side (red), then the scoring is done on the left scale. Conversely, if the element on the right is more important, then the scoring has to be done on the right-hand scale. Whichever comparison method is chosen (matrix or questionnaire), as mentioned before both will supply the same priority vector and the same inconsistency.
If all pairwise comparisons of each element within a cluster are accomplished, the weighting of the alternative elements can be obtained. For this, the Synthesize icon has to be selected in the software. A window will appear on the screen, which is depicted in Figure 3.5. In this window the ratings of the defined alternatives are presented. For the design of a DSS only the columns Normals and Ideals are of interest. The first one represents the priority vector mentioned in 3.3. The second one contains the Normals values divided by the maximum Normals value. In this example the maximum Normals value is given by the alternative 3Honda Civic, thus its Ideals value is 1,0.
Figure 3.2: Shortcut of a Sample Model, Car Hierarchy, from Super Decision software.
Figure 3.3: Shortcut of Pairwise Comparison Window with Comparison Matrix.
Figure 3.4: Shortcut of a Pairwise Comparison Window with Questionnaire.
It should be noted that all scores are given in percentages, both the priority vector resulting from the pairwise comparison and the priority vector of the alternatives (Normals). As a result the Ideals are also given in percentages. The purpose of Ideals is to rate the best alternative with 100,0%, while the proportions remain the same as in Normals. The analysis delivers in this case that the alternative 1Acura TL is 75,58% as good as the alternative 3Honda Civic, and 2Toyota Camry is 43,95% as good as 3Honda Civic.
3.3.3 Advantages of AHP over the Simple Scoring Model
In this section a brief explanation is given of why the AHP is preferred over the simple scoring model. The simple scoring model means the intuitive scoring of criteria by experts and summing the scores up for the ranking of the alternatives.
The AHP approach for multi-criteria decision making does not only involve the intuitive weighting of the given criteria; there are mathematical calculations behind it. The simple scoring model, in contrast, is based only on subjective judgments and basic mathematics (multiplying and summing). In both methods the ranking will be in the same order. For the purposes of the designed expert system it is not the ranking that is of importance, but rather the rating of each alternative. With AHP the evaluation of each alternative is more precise and more significant than in the simple scoring model. However, due to the pairwise comparisons the AHP approach is more time-consuming than the simple scoring model. Furthermore, the inconsistency factor provided by the AHP method helps to overcome mismatches of the criteria ratings. Discrepancies of criteria ratings are given if, e.g., the criterion A is more important than B, B is more important than C, and C is more important than A.
Figure 3.5: The Scoring of the Alternatives of the Car_hierarchy Sample Model.
Based on these advantages, the AHP is selected instead of the simple scoring model as the multi-criteria decision-making approach for the intended intelligent decision support system.
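Steps 3 to 5 of Section 3.3.1 and the A/B/C discrepancy case from Section 3.3.3, as an added Python example that is not part of the thesis or of the Super Decision software: it builds the reciprocal comparison matrix, derives the priority vector by power iteration and checks the consistency ratio. The random-index table holds the commonly cited Saaty values (the thesis only points to [31] for them), and the function names and judgments are constructed for illustration.

```python
"""AHP steps 3-5: comparison matrix -> priority vector -> consistency ratio."""

# Commonly cited random-index (RI) values by matrix order n, after Saaty.
# Assumption: the thesis refers to [31] for RI and does not list the values.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def comparison_matrix(names, judgments):
    """Step 3: build the reciprocal comparison matrix A.

    judgments maps (stronger, weaker) to the fundamental-scale score (1-9);
    the mirrored entry is filled with the reciprocal, the diagonal with 1.
    """
    index = {name: k for k, name in enumerate(names)}
    n = len(names)
    a = [[1.0] * n for _ in range(n)]
    seen = set()
    for (row, col), score in judgments.items():
        i, j = index[row], index[col]
        if i == j:
            raise ValueError("diagonal entries are fixed at 1")
        if not 1 <= score <= 9:
            raise ValueError("score must lie on the 1-9 fundamental scale")
        if frozenset((i, j)) in seen:
            raise ValueError(f"pair {row}/{col} judged twice")
        seen.add(frozenset((i, j)))
        a[i][j] = float(score)
        a[j][i] = 1.0 / score
    if len(seen) != n * (n - 1) // 2:
        raise ValueError("every pair needs exactly one judgment")
    return a


def priority_vector(a, tol=1e-12, max_iter=1000):
    """Step 4: principal eigenvector (summing to 1) and lambda_max.

    Power iteration converges here because every entry of A is positive.
    """
    n = len(a)
    w = [1.0 / n] * n
    for _ in range(max_iter):
        v = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        nxt = [x / total for x in v]
        done = max(abs(x - y) for x, y in zip(nxt, w)) < tol
        w = nxt
        if done:
            break
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lam


def consistency_ratio(lam, n):
    """Step 5: CI = (lambda_max - n) / (n - 1), CR = CI / RI."""
    if n < 3:
        return 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    if n not in RANDOM_INDEX:
        raise ValueError("no random index stored for this matrix order")
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def ideals(weights):
    """Scale priorities so the best element scores 1.0 (the Ideals column)."""
    top = max(weights)
    return [x / top for x in weights]


def evaluate(names, judgments):
    """Run steps 3-5 and flag judgments whose CR exceeds 0.1."""
    a = comparison_matrix(names, judgments)
    w, lam = priority_vector(a)
    cr = consistency_ratio(lam, len(names))
    return {"weights": dict(zip(names, w)), "lambda_max": lam,
            "cr": cr, "acceptable": cr <= 0.1}


# Constructed sample judgments (not taken from the thesis).
NEARLY_CONSISTENT = {("A", "B"): 3, ("A", "C"): 5, ("B", "C"): 2}
# A over B, B over C, C over A: the discrepancy described in Section 3.3.3.
CYCLIC = {("A", "B"): 3, ("B", "C"): 3, ("C", "A"): 3}

if __name__ == "__main__":
    for label, data in (("nearly consistent", NEARLY_CONSISTENT),
                        ("cyclic", CYCLIC)):
        result = evaluate(["A", "B", "C"], data)
        print(label, {k: round(v, 4) for k, v in result["weights"].items()},
              "CR =", round(result["cr"], 4),
              "acceptable" if result["acceptable"] else "inconsistent")
```

The cyclic judgments give all three criteria the same weight, so the priority vector alone hides the problem; only the consistency ratio exposes it.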
4 Spacecraft Mission Design
Before the rule-based decision support system can be designed, a satellite mission has to be created. In this work a hypothetical space mission is invented and presented. The satellite of this mission has the name ÈxypnosSat, which is composed of Èxypnos (derived from Greek, meaning intelligent) and satellite. The fictional ÈxypnosSat is based on SONATE, which is currently in development by the University of Würzburg and will be launched in 2019 [4]. It should be noted that the design of the mission is simplified and not detailed. It serves the purpose of developing a decision support system for a nano satellite.
The invented ÈxypnosSat is a nano satellite for earth observation and has the aim of testing and developing high-level on-board autonomy for future interplanetary or interstellar missions. ÈxypnosSat must demonstrate the ability to detect and investigate unpredictable events on and around Earth. If an anomaly of the spacecraft is monitored and an event is detected at the same time, then the satellite has to decide between fixing the failure and investigating the event. The decision is influenced by the impact of the failure and the importance of the event.
Since it is a first step towards high-level autonomy, it is an earth observation mission. Greater benefits can be obtained in interplanetary and interstellar missions, because in common missions the decision is taken by the operators on Earth, and with increasing distance between spacecraft and ground station the communication delay also increases. As a result, unpredictable and short-lived events that may never occur again will be missed.
A short overview of the SONATE mission is given in Section 4.1, and afterwards the design of ÈxypnosSat is presented by first defining its orbit in 4.2 and then specifying the subsystems together with their related components in 4.3.
4.1 SONATE
Typically, spacecraft are controlled by the ground station. The spacecraft transmits telemetry data to the ground station, and based on these the operators inform the spacecraft about the next steps via telecommand. Within Earth orbit this leads to no complications. But in interplanetary missions, e.g. a Mars mission, the communication between ground station and spacecraft will have a large delay due to the distance. This can lead to missing an unpredictable event with a short-time occurrence. This problem can be solved with autonomy on board the spacecraft.
The key mission of SONATE is to increase the on-board autonomy. This will be done by autonomously detecting unpredictable events and rescheduling the command sequence so as not to miss the event. Furthermore, it will be able to detect, analyze and forecast on-board anomalies that will occur in the future [4].
The nano satellite SONATE is currently being developed by the University of Würzburg. The operational lifetime of SONATE is set to one year, and its aim is the in-orbit verification of the Autonomous Diagnosis System (ADIA) and the Autonomous Sensor and Planning (ASAP) system [4]. Both systems are described in Section 4.3.6. Further components for in-orbit verification are reaction wheels, AROS (4.3.3) and the SSTV camera (4.3.6).
4.2 Orbital Design
The design of a spacecraft orbit does not offer any strict specifications, but for earth observation it is obvious to select the Earth-referenced orbit as the orbit type for Earth coverage [33]. Because a polar orbit can cover the Earth nearly globally [34], a polar orbit is chosen for the ÉxypnosSat mission. The orbit of a spacecraft and its position are uniquely defined by the six Keplerian elements (also known as orbital elements). The meaning of each orbital element is not explained in this section, but can be found in [33]. A typical polar orbit has an altitude of approximately 700 km and an inclination of approximately 95°. Since the elements are not required for the first approach of the decision support system, they are not defined in this work.
4.3 Spacecraft Subsystems
More important for the decision support system than the orbit design are the subsystems of the spacecraft. For this reason, the subsystems are explained in more detail. A spacecraft is divided into several subsystems, and they are interdependent [35]. To have a fully functional satellite, each subsystem has to fulfill at least its purpose. The subsystems are differentiated into payload and satellite bus. The payload is individually specified for each spacecraft according to the defined mission in order to fulfill it, and is therefore the sole reason to get a satellite into space. The payload is not functional without the satellite bus, whose task is therefore to enable the payload to accomplish the mission and to keep it healthy. In general a spacecraft's satellite bus consists of six different parts:
1. On-Board Computer - OBC
2. Power System
3. Attitude Determination and Control System - ADCS
4. Thermal Control System
5. Telemetry Tracking and Command System - TT&C
6. Structure and Mechanism.
The structure and mechanism subsystem is not considered in this work for simplification purposes. In the following sections all other subsystems (1. - 5.) and the payload of ÉxypnosSat will be described in more detail with their related components (presented in Figure 6.1). The most critical and error-prone components of subsystems are redundant, in order to enable the spacecraft to reach the intended lifetime. In Figure 6.1 the number of redundant elements of the components is given in brackets. Where there are no brackets, no redundant element is available.
According to WERTZ (1999) [33], spacecraft redundancy can be categorized as either same design redundancy or functional redundancy. Same design redundancy is given if at least two identical components exist and at least one of them is active. FORTESCUE (2011) [34] divides same design redundancy into standby redundancy and active redundancy. In standby redundancy, the redundant element is turned off until the active element fails. In the case of active redundancy all components are active and share the load. If disagreements occur between active redundant elements, a voting process is applied. If there are no identical redundant elements but elements pursuing the same aim, then functional redundancy is given. One simple example of functional redundancy is the high gain and low gain antenna, since both transmit telemetry and receive telecommands (but with different gains). It should be noted that functional redundancies are not outlined in Figure 6.1. In the following subsections each subsystem will be presented.
4.3.1 On-Board Computer - OBC
The key subsystem that controls the spacecraft is the on-board computer. It has processing capability and is linked to all other subsystems through their components. The OBC runs the on-board software to enable remote operations, to control functionalities and to monitor the health status of the spacecraft. Moreover, the OBC comprises the components processors, memories and the software. The processors are the cores of the OBC and are responsible for all calculations and algorithm implementations, and, as known from the usual memories on Earth, the function of the memories in satellites is also to store data. Memory is an important component, since during the time in which no contact to the ground station can be established, all collected data are saved in the memories. Typically a spacecraft has more than one memory type [3]. The boot loader for the OBSW is stored in the boot memory, which is non-volatile ROM. The on-board software is stored in the work memory, and the spacecraft's health status is stored in the safeguard memory. Since the satellite does not have permanent contact with the ground station to transmit telemetry and scientific measurement data, these are stored in the science and housekeeping data memory until a broadcast takes place [3].
Figure 4.1: Subsystems of ÉxypnosSat
4.3.2 Power System
The power system gives the inanimate subsystems "life", since its main function is to provide the subsystems with energy. A common power system is composed of three main components: primary energy source, secondary energy source and Power Control and Distribution Unit (PCDU) [34]. The primary energy source in the ÈxypnosSat mission is solar arrays. They convert the gained solar energy into electrical power. During sunlight, the satellite uses the energy directly from the solar panels and charges the secondary energy source, the batteries. If the satellite is in eclipse, then the batteries provide power to the subsystems. The PCDU decides about the switching between solar arrays and batteries, the energy distribution to other subsystems and the charging of the batteries [34].
4.3.3 Attitude Determination and Control System - ADCS
It is important to know the position and orientation of the spacecraft in order to orient, e.g., the payloads to the desired position to fulfill the mission, or the solar arrays towards the sun to gain energy. These requirements are met by the attitude determination and control system (ADCS). Sensors enable the orbit determination and actuators the orbit control, whereby a distinction is made between reference sensors and inertial sensors. Reference sensors measure the direction of the spacecraft relative to Earth using reference points like the sun, stars or Earth’s magnetic field lines, whereas inertial sensors measure only the change of the spacecraft’s attitude [34]. Therefore an inertial sensor has to work together with at least one reference sensor [34].
In ÈxypnosSat sun sensors, star sensors and magnetometers are used as reference sensors. Sun sensors are implemented to determine the direction of the sun in order to orient the solar arrays towards the sun. Sun sensors alone are not enough to determine the pose of the spacecraft. Therefore star sensors, magnetometers and gyroscopes are used in addition. A star sensor can determine the pose of the spacecraft with high accuracy by using suitable star images and a star catalog. Usually star sensors have a high mass, a big size and a high level of energy consumption [34]. Therefore a star sensor that is suitable for nano satellites is required. Such star sensors are currently being developed within the AROS project by the University of Würzburg. The star tracker AROS is intended for ÉxypnosSat for precise attitude determination. Another type of reference sensor for attitude determination is the magnetometer. It provides both the magnitude and the direction of the magnetic field relative to Earth. Magnetometers are light and have a low power consumption, but they are inaccurate.
For the invented mission only one inertial sensor type, the gyroscope, is intended. A gyroscope enables the measurement of spacecraft rotation starting from an initial start position. As described previously, a gyroscope alone is not able to gain information about the position relative to Earth, hence it has to be combined with a reference sensor, e.g. a magnetometer.
4.3.4 Thermal Control System
The components within the spacecraft can survive the whole mission if the required temperature intervals are not exceeded. The thermal control subsystem ensures that the temperature in the satellite is kept within these intervals. With respect to the different subsystems, a distinction is made between survival limits, which are always valid, and operational limits, which are valid during operational mode [33]. The temperature in the spacecraft is measured with thermal control sensors. The temperature is maintained both passively and actively. Passive thermal control is achieved by the design of the spacecraft, its mechanical structure and materials (e.g. insulation) and does not need any kind of energy, whereas active thermal control requires energy. The active thermal control is simplified for the ÈxypnosSat mission and only an electrical heater is intended.
4.3.5 Telemetry, Tracking and Command System - TT&C
The communication between the spacecraft and the ground station is realized through the telemetry, tracking and command system (TT&C). The payload data and health status of the spacecraft are transmitted to the ground station (also known as telemetry), and commands from the ground station are received by the spacecraft through the transceiver component. The signal can be transmitted or received either by a high gain (HG) antenna or by a low gain (LG) antenna. A high gain antenna transmits a signal with a higher amplification, but with a smaller beam width. As a consequence the antenna has to be directed with high accuracy towards the ground station. Conversely, a low gain antenna transmits a signal with a broader beam width, but a lower amplification. Usually a spacecraft has both antennas, since a high gain antenna is required to transmit large amounts of data and a low gain antenna is necessary in case of emergency (e.g. the high gain antenna failed or cannot point to the ground station due to ADCS failures). Therefore low gain antennas can be seen as backup antennas and should be distributed equally around the satellite in order to be always able to communicate with the ground station during the contact duration. The ÈxypnosSat consists of transceiver, high gain and low gain antenna, whereby the transceiver and the low gain antenna are double-redundant (same design) and the high gain antenna is not redundant.
4.3.6 Payload
Payloads are required to accomplish the specified mission and are uniquely developed for each mission. Several payload types exist for different mission purposes. Since ÈxypnosSat is an Earth observation satellite, remote sensing payloads are appropriate. The intended remote sensing payload in the invented mission is a slow scan television (SSTV) camera for imaging Earth’s surface and near-Earth space. SSTV is a way to transmit static images, in this case to the ground station. The images are transferred through the transceiver as an audio signal. Modern SSTV features allow the transmission of monochrome images as well as color images with high quality.
Another payload on board ÈxypnosSat is an autonomous on-board decision-making system, ASAP, which is currently being developed at the University of Würzburg. It detects unexpected events and reschedules the plan in order to investigate them. By means of ASAP even short-lived phenomena will not be missed by the spacecraft, whereas in common spacecraft missions the operation schedule is changed with a delay, only by the ground station and only during contact duration [36]. ASAP consists of an imager and a planning system. The task of the imager is to detect unpredictable events by detecting changes in the captured images. If an event is detected, the ASAP planning system assists by rescheduling the operational plan of the spacecraft [4]. However, in the ÈxypnosSat mission only one camera is implemented for ASAP and observations. ASAP is one of the essential components of the designed decision support system for the ÈxypnosSat. Its task is to detect unexpected events, as described, and forward them to the DSS as an input, which will be described in more detail in Section 7.1.
The last payload in the ÈxypnosSat mission is the Autonomous Diagnosis System for Satellites, ADIA++. Its task is to recognize failures and anomalies of the spacecraft autonomously on board and to determine their causes. ADIA++ is also currently being developed at the University of Würzburg [37]. It is another essential payload for the design of the decision support system and delivers additional input to it. Details about the input delivered by ADIA++ will follow in chapter 7.
5 Definition, Analysis and Evaluation of Spacecraft Failures
For the decision making, the degree of impact of spacecraft failures has to be expressed in numerical values, which will be done in this chapter. The process of converting the failures into numerical values is divided into three main parts: definition, analysis and evaluation. The definition of on-board failures is provided in Section 5.1. Based on this, failures are analyzed in Section 5.2 with respect to their effects on the payload, the satellite bus and the whole spacecraft and mission. Furthermore the effect on the investigation of the event is included in the analysis. In the last section the AHP method is applied to rate the failures with numerical values according to their degree of impact. It should be noted that the definition, analysis and rating of failures are provided for all subsystems specified in 4.3, but only the power system is described in detail in this chapter. The analysis and rating of the remaining subsystems can be found in the appendix.
5.1 Definition of Failures
In order to determine the degree of impact of each failure, the anomalies which can occur in a spacecraft have to be defined and analyzed. Defining and analyzing all kinds of possible spacecraft failures would go beyond the scope of this work. Therefore a few exemplary failures will be presented for each subsystem’s component. Moreover, launch failures are not taken into account in this work, only failures that can occur during operation in orbit. After the failures are specified together with their consequences, the Analytic Hierarchy Process will be applied to assign a value to each failure, named degree of impact, which indicates the total impact of each failure. It includes the effect on the spacecraft, as well as the effects on the investigation of the detected event.
As a first step failures will be described generally and then assigned to each component of a subsystem. According to TAFAZOLI (2009) [38] failure types are generally divided into mechanical, electrical and software failures. Mechanical failures are caused by mechanical loads like heat, stress, external forces, friction or pressure variation. Power overload, short circuit and anomalous battery depletion can cause electrical failures. The last failure type, software failures, is triggered by programming errors or by incorrect commands sent from the ground station.
A wide literature research of [39], [38], [40], [41] made it possible to gather spacecraft failures from past and ongoing missions. Tables 5.1 - 5.6, separated by subsystems and components, contain the failures which are taken into account for the developed decision support system. Errors which occur in several subsystems and are not self-descriptive will first be described generally. Additionally the possible corrective measures for these failures will be addressed for further analysis. Specific failures, which can occur only in the given subsystem, will be defined in Subsections 5.1.1 - 5.1.6.
A common spacecraft failure that can affect all subsystems is the Single Event Effect (SEE). SEEs are triggered by single charged particles of ionizing radiation, which can cause failures in the affected component. According to their impact, SEEs are distinguished into soft and hard errors. Temporary failures are soft SEEs, whereas permanent and destructive errors are hard SEEs [33]. With respect to their effects, SEEs are divided into three different types. A Single Event Upset (SEU), also known as a bit-flip, causes a change of state of the device and is thus a soft error. If critical parts of the spacecraft are affected, e.g. the control system and decision making logic, the soft error can grow into a hard error. An SEU is correctable with EDAC¹ [33], [3]. Another type of SEE is the Single Event Latch-up (SEL), whose impact leads to an excess current flow in the affected component. Due to its effect, SEL is categorized as a hard SEE. If no corrective measures are carried out, it can cause permanent failures or even lead to a Single Event Burnout (SEB). SEB appears if the overcurrent is also too high for the power supply. This effect leads to the destruction of the device. The corrective measure for SEL and SEB is to immediately turn OFF the power of the affected devices.
Multiple Bit Upset (MBU) also causes a change of state, similar to SEU, but with more than one bit-flip. In this case, the multiple bit-flips can only be corrected with algorithms.
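The following added example (not part of the thesis) shows how an EDAC scheme can treat the two upset cases described above: a Hamming(7,4) code with an overall parity bit corrects a single bit-flip and flags a double bit-flip as uncorrectable during a memory scrubbing pass. The choice of code, the 4-bit word size, all function names and the sample memory contents are assumptions made for illustration; the thesis does not specify the EDAC algorithm used on board.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { EDAC_OK, EDAC_CORRECTED, EDAC_UNCORRECTABLE } edac_status;
typedef struct { unsigned corrected, uncorrectable; } scrub_report;
typedef struct { scrub_report report; uint8_t mem[4]; } demo_result;

/* Codeword layout (bit index = Hamming position): bit 0 = overall parity,
 * bits 1, 2, 4 = Hamming parity bits, bits 3, 5, 6, 7 = data bits d0..d3. */
uint8_t edac_encode(uint8_t nibble)
{
    unsigned d0 = nibble & 1u, d1 = (nibble >> 1) & 1u;
    unsigned d2 = (nibble >> 2) & 1u, d3 = (nibble >> 3) & 1u;
    unsigned p1 = d0 ^ d1 ^ d3; /* makes positions 1,3,5,7 even */
    unsigned p2 = d0 ^ d2 ^ d3; /* makes positions 2,3,6,7 even */
    unsigned p4 = d1 ^ d2 ^ d3; /* makes positions 4,5,6,7 even */
    unsigned cw = (p1 << 1) | (p2 << 2) | (d0 << 3) | (p4 << 4)
                | (d1 << 5) | (d2 << 6) | (d3 << 7);
    unsigned overall = p1 ^ p2 ^ p4 ^ d0 ^ d1 ^ d2 ^ d3;
    return (uint8_t)(cw | overall);
}

/* Check one stored codeword, repair it in place if possible and return the
 * data nibble through *nibble (left untouched when uncorrectable).
 * Three or more flips in one word exceed what this code guarantees. */
edac_status edac_decode(uint8_t *cw, uint8_t *nibble)
{
    unsigned syndrome = 0, parity = 0;
    edac_status st = EDAC_OK;

    for (unsigned pos = 0; pos < 8; pos++) {
        if ((*cw >> pos) & 1u) {
            syndrome ^= pos; /* XOR of set positions is 0 for a valid word */
            parity ^= 1u;
        }
    }
    if (parity) {
        /* Odd number of flips: assume one. The syndrome is its position
         * (0 means the overall parity bit itself was hit). */
        *cw ^= (uint8_t)(1u << syndrome);
        st = EDAC_CORRECTED;
    } else if (syndrome) {
        /* Even number of flips with a non-zero syndrome: double upset. */
        return EDAC_UNCORRECTABLE;
    }
    *nibble = (uint8_t)(((*cw >> 3) & 1u) | (((*cw >> 5) & 1u) << 1)
                      | (((*cw >> 6) & 1u) << 2) | (((*cw >> 7) & 1u) << 3));
    return st;
}

/* Scrubbing pass: walk the memory, repair single upsets in place and count
 * the words that must be reported as uncorrectable. */
scrub_report edac_scrub(uint8_t *mem, size_t n)
{
    scrub_report r = {0, 0};
    uint8_t value;

    for (size_t i = 0; i < n; i++) {
        switch (edac_decode(&mem[i], &value)) {
        case EDAC_CORRECTED:     r.corrected++;     break;
        case EDAC_UNCORRECTABLE: r.uncorrectable++; break;
        default:                                    break;
        }
    }
    return r;
}

/* Constructed scenario: four protected words, three of them hit by upsets. */
demo_result edac_demo(void)
{
    const uint8_t data[4] = {0x3, 0xB, 0x0, 0xF}; /* constructed sample data */
    demo_result d;

    for (size_t i = 0; i < 4; i++)
        d.mem[i] = edac_encode(data[i]);
    d.mem[1] ^= (uint8_t)(1u << 5);               /* single flip, data bit */
    d.mem[2] ^= (uint8_t)((1u << 2) | (1u << 6)); /* double flip           */
    d.mem[3] ^= (uint8_t)(1u << 0);               /* single flip, parity   */
    d.report = edac_scrub(d.mem, 4);
    return d;
}

int main(void)
{
    demo_result d = edac_demo();
    printf("corrected=%u uncorrectable=%u\n",
           d.report.corrected, d.report.uncorrectable);
    return 0;
}
```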
Another failure which can occur in several subsystem components is the Electrostatic Discharge (ESD). It is caused either by spacecraft charging or by the charge accumulated over the years [41]. ESD can occur unexpectedly and lead to anomalies in the spacecraft operations [41]. The only possibility to handle the error is to reset the power, in order to prevent a total destruction of the device.
In the following subsections, the spacecraft failures of the six subsystems explained in 4.3 will be presented. A summary of the subsystem failures is given in separate tables.
¹ EDAC - Error Detection and Correction: Algorithms to detect and correct a single bit-flip.
5.1.1 OBC Failures
Processor. A failure which is known from ordinary computers used in daily life is the overheating of the processor. This can also happen to the processor implemented in the OBC. Generally it has no immediate effect on the system, but it leads to a degradation of the spacecraft lifetime. It is possible to overcome this failure with cooling. Another failure in the processor is the electrical power surge, which is a high spike in the voltage. This can damage electronic devices and thus lead to a degradation of the spacecraft lifetime or even its loss. Since it happens in an extremely short time, it is not possible to patch. Hardware (HW) traps are, e.g., SEUs in the register file that are not correctable by EDAC [3]; they must be corrected from the ground station with a software patch. HW traps can cause wrong calculations, or a software crash can occur when the software tries to access a register containing errors. A malfunction of the processor will lead either to an extremely high degradation of the spacecraft lifetime, if the processor is redundant, or to the total loss of the spacecraft, if the processor is not redundant.
Memory. It is possible, e.g. due to high radiation, that instead of a total memory outage only a few memory chips fail. If the software tries to access these addresses, it will crash. To overcome this problem the operators have to change the hardware configuration. A total loss of the memory (malfunction) also means the loss of the spacecraft.
Software. Even if the software is tested many times before launch, it can still have bugs. Past missions demonstrated that common bugs are mostly sign errors. HARLAND (2005) [40] describes such events in the TIMED and TERRIERS spacecraft. The problem was compass confusion, which had an impact on the magnetometers and consequently on attitude determination. This resulted in a loss of orbit control. The error was later fixed by software updates. A software error can generally be overcome with a software update, which should be done before the mission ends catastrophically.
5.1.2 Power System Failures
Solar Array. The efficiency of solar arrays degrades over a long period of time, which is caused by the Total Ionizing Dose (TID) in the radiation environment. TID is the charge build-up in the spacecraft, caused by the bombardment of charged particles [41]. The effects of efficiency degradation are not immediately noticeable, but with increasing time the solar arrays will provide less energy to the spacecraft. There is no chance to overcome this failure after the spacecraft is launched, therefore it has to be considered during the design. If all solar arrays fail (malfunction), the spacecraft will be lost, since without solar arrays it is not possible to supply the spacecraft with power.
Table 5.1: OBC failures
Subsystem | Component | Failures
on-board computer | processor | overheating; electrical power surge; hardware traps; soft SEU, MEU; hard SEU, MEU; malfunction
on-board computer | memory | soft SEU, MEU; hard SEU, MEU; fail of memory chip; malfunction
on-board computer | software | software errors
Battery. An extremely severe power system failure is the explosion of the batteries, which leads to the total loss of the satellite [40]. This can be caused, e.g., by high temperatures, since the batteries of spacecraft are composed of temperature-dependent chemical systems, like ordinary batteries. It is obvious that there is no possibility to overcome the explosion. Another possible failure of the batteries is the failure of a few battery cells. The outcome of this is less power availability when the spacecraft passes through the eclipse duration. Thus the operations of the satellite can be limited during this time period.
PCDU. The failure of overcharging or deep discharging in the PCDU can lead to damage of the batteries. This error can be handled by software patches. A malfunction of the PCDU will also lead to the loss of the spacecraft, since no power can be obtained from the solar arrays and therefore no power can be supplied to the other subsystems.
5.1.3 Thermal Control System Failures
Thermal Sensor. If all thermal sensors malfunction, the spacecraft will end up in a catastrophic condition leading up to its loss. It would no longer be possible to determine the temperature of the spacecraft, which would result in no or extremely wrong temperature control.
Electrical heater. The temperature in the operating spacecraft is regulated by controllers, which are realized in software. Software failures are therefore also possible in this component. They would bring the spacecraft and all its subsystems into a critical state. Like all software bugs, this error can be overcome with software updates. Mechanical failures of the electrical heater can also lead to incorrect thermal control, with the consequence of damaging the devices. The result will be the degradation of the spacecraft mission lifetime. In this case it is not possible to repair the defect. If no active thermal control is possible anymore due to malfunction, the effect on the system would be the loss of the spacecraft, since passive thermal control alone is not enough.
Table 5.2: Power System failures
Subsystem | Component | Failures
power system | solar array | ESD; efficiency degradation/outgassing; SEL; SEB; malfunction
power system | battery | SEE; explosion due high temperature; fail of a few battery cells; malfunction
power system | PCDU | overheating; SEE; malfunction
Mechanical Design. Failures occurring in the mechanical design of a satellite are not repairable. Such failures can be caused by orbital debris, outgassing and relays of cables or structural parts due to poor design.
Table 5.3: Thermal Control System failures.
Subsystem | Component | Failures
thermal control system | thermal sensor | SEE, ESD; malfunction
thermal control system | electrical heater | software failure; SEE, ESD; mechanical failure; malfunction
thermal control system | mechanical design | mechanical failure
5.1.4 ADCS Failures
Sun Sensor. It is possible that the sun sensors deliver anomalous output, which will lead to the solar arrays not being pointed correctly towards the sun. HARLAND (2005) [40] mentions the TOMS-EP² spacecraft, in which the output of its sun sensors was incorrect. The cause of this problem was the cross wiring of two sun sensors. This problem was handled with a software update that switched the sun sensors in software. In case of anomalous outputs of the sun sensors, one can try to patch the failures with software updates. The total loss of all sun sensors (malfunction) does not mean the total loss of the spacecraft, because the satellite will be able to detect the position of the Sun with another attitude determination sensor, e.g. the star tracker.
Star Tracker. Attitude determination with a star tracker is done with a camera, suitable star catalogs and algorithms. In star sensors, too, there is the possibility of bugs in the software (software failures). Like all software failures, star tracker failures can be handled with a software patch. If all other functionally redundant components of attitude determination also have failures or have already failed, then the error in the star tracker must be corrected immediately, before the attitude control is lost, since the loss of attitude control would lead to the loss of the mission. The star trackers can be affected by a solar storm, resulting in loss of sight (blinding during solar storm). One example is the Genesis³ spacecraft. It was exposed to a strong solar storm [39]. Genesis survived this time period, but tracking of the spacecraft attitude was not possible with the star tracker during the solar storm. No possibility of intervention is given for this kind of anomaly. The malfunction of all star trackers would lead to inaccurate attitude determination, resulting also in inaccurate attitude control. If all attitude sensors including the star tracker have failed, total loss of the mission will occur.
Gyroscope. Since the gyroscope is also based on software, bugs may occur in this component. If no same-design redundancy is given, the failure will result in a weak pointing of the camera. Here as well one can try to solve the problem with software updates. Malfunction of all gyroscopes does not necessarily mean the total loss of the spacecraft. In [40] an example is given for a ’gyroless’ spacecraft, the BeppoSAX⁴.
Magnetometer. A disturbing factor for magnetometers is an external magnetic field. Similar to the way the solar storm affects the star tracker, magnetometers are affected by this phenomenon and deliver incorrect attitude determination, which will lead to incorrect control. In this case, too, the problem cannot be solved, but it is a non-permanent error. If all magnetometers and their functionally redundant elements fail (malfunction), then attitude determination will not be possible anymore. This will lead to the loss of spacecraft attitude control and consequently to the loss of the mission.
² TOMS-EP: Total Ozone Mapping Spectrometer in NASA’s Earth Probe series.
³ Genesis: NASA’s sample return mission to collect probes of solar wind.
⁴ BeppoSAX: X-Ray astronomy of ASI (Italian Space Agency) and NIVR (Netherlands Agency for Aerospace Programmes)
Thruster. The thrusters are also controlled by software, therefore bugs are possible in this component as well (software failures). If the thrusters act incorrectly due to software failures, the spacecraft will tumble and attitude control will be lost. Also, if only one of two thrusters fails during operation, the satellite will be imbalanced and will tumble. Due to the chemical compositions in the thrusters, an explosion of the thrusters can occur. Obviously the total loss of the spacecraft is not preventable in this case.
Magnetic Coils. A software failure, e.g. compass confusion in the magnetic coils, can end catastrophically for the mission. The control of the spacecraft would be either totally incorrect or even lost. In this case a software update has to be done immediately to avert a disaster. Malfunction of the magnetic coils, when all their redundant elements (both same design and functional) have already failed, would end with the loss of the spacecraft.
Reaction Wheels. A significant failure of reaction wheels is the problem of drifting. This error would lead to a slight loss of control of the spacecraft’s attitude. Before this point is reached, a power reset has to be done. A total loss of all reaction wheels will lead to the loss of the mission, if all functionally redundant elements have already failed before.
5.1.5 TT&C Failures
Transceiver. The transceiver is one of the most important components of the spacecraft for staying in contact with the ground station. Its permanent outage (malfunction) implies that no communication is possible between the spacecraft and the ground station. This obviously leads to the total loss of the spacecraft, since commanding the spacecraft would not be possible and, in case of a totally autonomous spacecraft, receiving scientific payload data would be omitted.
High Gain Antenna. The high gain antenna has to be pointed with high precision at the ground station in order to be able to transmit or receive data. If there is an antenna pointing problem, e.g. due to software failures, the transmission and reception of large amounts of data will be difficult and time-consuming or even not possible. This problem can be solved with software updates, as soon as communication is possible (e.g. with low gain antennas). Equivalent to the transceiver, the malfunction of the high gain antenna would lead to the loss of the satellite and consequently the mission, if its functionally redundant components have already failed.
Low Gain Antenna. In emergencies the spacecraft will not be able to communicate with the ground station without a low gain antenna. For example, in case of incorrect attitude determination and control, pointing of the high gain antenna would not be possible even if it is still working. This means that in the worst case the malfunction of the low gain antenna will lead to the loss of the spacecraft.
Table 5.4: ADCS failures.
Subsystem | Component | Failures
attitude determination and control system | sun sensor | anomalous outputs; malfunction
attitude determination and control system | star tracker | software failure; blinding during solar storm; SEE; malfunction
attitude determination and control system | gyroscope | anomalies, software failure; malfunction
attitude determination and control system | magnetometer | external magnetic field; SEE; software failure; malfunction
attitude determination and control system | thruster | software failure; explosion; malfunction
attitude determination and control system | magnetic coils | SEE, ESD; software failure; malfunction
attitude determination and control system | reaction wheels | software failure; drift; SEE, ESD; malfunction
5.1.6 Payload Failures
ADIA++. If bugs (software failures) are detected in the ADIA++ system, they have to be patched immediately. It will affect the whole mission and may end in a disaster if failures are diagnosed incorrectly or not at all. For example, if a repairable error is not detected, the spacecraft will operate incorrectly and the failure can grow into a non-repairable failure or trigger other failures. Since one input of the designed decision support system is delivered by ADIA++ (7), the failure will have a major impact on the decision system as well.
Table 5.5: TT&C failures.
Subsystem | Component | Failures
tracking, telemetry & command | transceiver | malfunction
tracking, telemetry & command | high gain antenna | antenna pointing problem; malfunction
tracking, telemetry & command | low gain antenna | SEE; malfunction
ASAP. Another input of the decision support system is the information about the detected events, provided by the ASAP system. An event detected erroneously due to software failures will put the spacecraft at risk for absolutely nothing. The reason is that, in case of an event of extremely high importance, the decision support system will decide to investigate it without considering the failure. Similar to the failures in the ADIA++ system, it has to be corrected instantaneously with a software update.
SSTV Camera. Failures in the SSTV camera can cause the loss of the purpose of the whole mission. Besides the fact that the spacecraft cannot observe the Earth, ASAP would not be able to detect events. Small bugs (software failures) in the camera would not affect its operation heavily, but nevertheless they have to be patched. Overheating is also initially not dramatic for the camera, but permanent overheating would damage the optical device, which is very sensitive. Immediate cooling is the best way to prevent damage to the camera.
Table 5.6: Payload failures.
Subsystem | Component | Failures
payload | ADIA++ | software failure
payload | ASAP | software failure
payload | camera | software failure; overheating; anomalies; malfunction
5.2 Analysis of the Defined Failures
In order to evaluate the overall spacecraft failures by applying the AHP method, criteria have to be defined which describe the failures in the best possible way. These criteria also have to be defined such that the best decision can be taken. The first question to answer for the decision making is which effects the failure will have on the spacecraft. In this analysis the effect on the spacecraft is divided into effect on payload, effect on satellite bus and effect on system. Effect on payload expresses the failures and anomalies which can occur on the payload, if a corrective measure is applied. The effect on satellite bus describes the impact on all the other subsystems except the payload. The last of these criteria, effect on the system, contains the information about what the impact on the whole spacecraft and the mission would be. In order to take the best possible decision, the next important question to be answered is whether the occurring failure is repairable, since if there is no possibility to repair the failure, the event can be discovered instead of spending the time trying to repair it. Another factor which influences the decision making is the number of redundant elements. If a component containing errors is redundant one or more times, the opportunity to discover the event is higher than in the case of non-redundant elements. The last and most important criterion is the effect on discovery of the event. This feature indicates the opportunity to discover the detected event with the occurred failure in the spacecraft. For example, if there is an anomaly in the ADCS and the camera cannot be pointed towards the phenomenon to be investigated, then it is not possible to discover the event and it makes more sense to repair the failure and not risk the spacecraft. All six features explained above are factors that influence the decision making in critical situations.
In order to set all the features of each failure described above, more properties have to be defined than those mentioned above. For example, to be able to set the feature ’repairable’ to ’yes’, it is necessary to investigate the corrective measure for the failure, if one exists. If no corrective measure exists for the given failure, then the feature ’repairable’ can be labeled with ’no’. Another example where further analysis has to be done is the feature ’number of redundancy’. Before this value can be set, the type of redundancy and its redundant elements have to be defined. This failure analysis is made for all six subsystems described in 5.1.1 - 5.1.6. The complete failure analysis can be found in the appendix. Only the power subsystem will be presented in the following sections, but the approach remains the same for all subsystems.
5.2.1 Definition of the Characteristics of Power System Failures
For demonstration and explanation purposes only the power system will be presented. The options that the features can take and that influence the decision making (explained in 5.2) are specific to each subsystem. In this subsection the options of the features will first be defined for the entire power subsystem and afterwards assigned to the battery component for demonstration purposes.
Effect on the Payload. The failure can have a range of impact from no effect up to the loss of the payload. The most harmless effect on the payload is power limitation of the payload. In case of a failure in the battery, the power is limited during the eclipse duration, whereas a failure in the solar arrays can lead to a general power limitation, during both sun and eclipse duration. Depending on the degree of impact of the failure, the power limitation can range from low up to very limited. In case of a failure induced by an external energy source, e.g. by building up an electromagnetic interference in the power system, the functions of adjacent components of the payload can be affected. It is also possible that a failure leads to incorrect powering of the payload, e.g. with an extremely high current. This may result in damage to the payload. The most critical failures in the power system can either make it impossible to supply power, which may lead to the loss of the payload, or lead directly to the total loss of the payload. The described effects on the payload due to power system failures are summarized in Figure 5.1.
Figure 5.1: Effects on Payloads caused by Power System Failures.
Effect on the Satellite Bus. The satellite bus can also be affected by failures that appear in the power system. It is possible that the satellite bus is not affected by the failure, but this happens only in few cases. Similar to the payload, one effect is the power limitation, which is also graded here in levels depending on the degree of impact of the power system failure. Other effects within the satellite bus are the destruction of solar arrays and batteries. These effects are also scaled depending on the severity of the failures. The satellite bus operations can also be affected by electromagnetic interference, similar to the way the payloads are affected. In the worst case the failure causes the satellite bus either to be unable to be powered or even to be totally lost. The power failure can also cause a redundancy drop in the satellite bus. The effects on the satellite bus are illustrated in Figure 5.2.
Figure 5.2: Effects on the Satellite Bus caused by Power System Failures.
Effect on the System. As described before, system means the entire spacecraft. It includes the lifetime of the intended mission, which is coupled with the lifetime of the spacecraft, and additionally its overall operations. Failures in the power system can have an effect on the system in terms of degradation of the spacecraft lifetime. The degradation depends strongly on the degree of the error and on the effects on payload and satellite bus. It can extend from slight degradation up to extremely strong degradation. As a consequence of the effect ’loss of satellite bus’, the loss of the spacecraft will arise. In case of the effect ’loss of payload’, the loss of the spacecraft will not necessarily happen. But without the payload the mission cannot be fulfilled, since the payload is the main reason to launch a spacecraft and start a mission. Here as well, the effects on the system are depicted in Figure 5.3.
Repairable. This feature indicates whether the failure can be fixed or not. Before a decision is taken, the repairability of an error has to be indicated by possible corrective measures. If a corrective measure can be found, then repairable is set to ’yes’; otherwise, if no corrective measure can be found, the feature repairable takes the option ’no’. These are the only two options that the feature repairable can have, not only in the power system but also in all other subsystems.
Figure 5.3: Effects on the System caused by Power System Failures.
Number of Redundancy. As mentioned in Section 4.3, the most critical and error-prone components within the spacecraft are redundant. The power system is one of these components. The ÈxypnosSat is intended to be designed with four solar arrays, meaning three active redundant elements of the same design. It is planned to integrate two batteries in ÈxypnosSat. The redundancy of the battery is then one, in which the redundant element is a passive element of the same design. Equivalent to the battery, the pcdu has a same-design standby redundancy of one. In all failures the drop of redundancy is included, which means that one failure is analyzed and rated with each possible number of redundancy. Based on the redundancy in the power system, it can be concluded that the feature number of redundancy can have the following values: three, two, one and zero.
Effect on Discovery of the Event. The last and very important feature is the effect on discovery of the event. This feature indicates whether a detected event can be investigated despite the error. If it is not possible, then it does not make sense to try to investigate the phenomenon. The following possibilities are given for the feature effect on discovery of the event: either it is not possible to discover the event or the investigation will be affected by the failure. Depending on the impact degree of the failure, the discovery can be affected slightly or strongly. The last possibility is that the discovery is affected so much that the investigation of the event is not possible. The possible options of the feature effect on discovery of the event are delineated in Figure 5.4.
Figure 5.4: Effects on the Discovery of the Event caused by Power System Failures.
As mentioned before, only the power system failure effects will be explained, and they are demonstrated by the battery component. In Table 5.7 the battery failures are characterized by the features and their options as described above. The number of components gives the total number of the component, in this case the total number of batteries integrated in the spacecraft. The column id contains the identification numbers of each individual component, separated by a comma. In the special case of the battery component, one has the id 11 and the other one 12. The failures also have identification numbers, beginning with f followed by a number. This is required, since one failure can have different impacts depending on the number of redundancy. The kind of a failure is specified in the column failure mode. A failure is uniquely defined by the name of the component, the failure mode and the number of redundancy. These enumerated attributes, which define a failure uniquely, have to be supplied by the ADIA++ payload in order to be able to categorize the failure and obtain its evaluated value (which will be done in Section 5.2.2). The features described in 5.2.1 are present in Table 5.7 as well. Their entries are specifications which are also described in 5.2.1. Since only the battery component is considered, not all feature specifications are present in the table, but they can be found in the appendix.
Table 5.7: Battery Component Failure Analysis.

| component | number of components | id | failure id | failure mode | effect on payload | effect on satellite bus | effect on the system | repairable | number of redundancy |
|---|---|---|---|---|---|---|---|---|---|
| battery | 2 | 11,12 | f42 | SEE | less power available for payload during eclipse | moderate destruction of battery, less power available | slight degradation of spacecraft life time | yes | 1 |
| battery | 2 | 11,12 | f43 | SEE | very limited power available for payload during eclipse | strong destruction of battery, very limited power available | extremely strong degradation of spacecraft life time | yes | 0 |
| battery | 2 | 11,12 | f44 | explosion due to high temperature | loss of payload | loss of satellite bus | loss of spacecraft | no | 1 |
| battery | 2 | 11,12 | f45 | explosion due to high temperature | loss of payload | loss of satellite bus | loss of spacecraft | no | 0 |
| battery | 2 | 11,12 | f46 | fail of few battery cell | less power available for payload during eclipse | less power available for satellite bus in eclipse | slight degradation of spacecraft life time | yes | 1 |
| battery | 2 | 11,12 | f47 | fail of few battery cell | very limited power available for payload during eclipse | very limited power available for satellite bus in eclipse | strong degradation of spacecraft life time | yes | 0 |
| battery | 2 | 11,12 | f48 | malfunction | no effects on payload | drop of redundancy | extremely strong degradation of spacecraft life time | no | 1 |
| battery | 2 | 11,12 | f49 | malfunction | payload cannot be powered | satellite bus cannot be powered | loss of spacecraft | no | 0 |
5.2.2 Determining the Degree of Impact of Power System Failures
Once failures are characterized with objective evaluation, they have to be converted into numerical values in order to provide scales for the decision making. This is possible by applying the Analytic Hierarchy Process described in Subsection 3.3. This will be explained step by step based on the power system. At this point, explaining only the rating of the battery component is not possible, since the pairwise comparison technique required for the AHP is done for the subsystem and not for each component. The AHP analysis is done with the aid of the Super Decision software introduced in 3.3.2.
Step 1: Representation of the Problem in a Hierarchy
The first step in AHP is to set up the given problem in a hierarchy, which includes the goal of the analysis, the criteria, the sub-criteria (if given) and the alternatives. The goal in the given problem is to get a value for the degree of impact of each failure. The criteria are the following features stated in 5.2.1:
- effect on payload
- effect on satellite bus
- effect on system
- repairable
- number of redundancy and
- effect on discovery of the event.
The sub-criteria of each criterion are defined as well in Subsection 5.2.1. The alternatives are the failures, which are given by their failure ids. Figure 5.5 depicts the rating problem of power system failures in a hierarchy. Each criterion is linked to its related sub-criteria and each sub-criterion is linked to the according alternative. An example is illustrated in Figure 5.5 for the failure f42. The red bordered boxes are linked to the alternative f42 (which is red bordered as well) according to the analysis done in Table 5.7.
Step 2: Pairwise Comparison
After this most creative step, the next step is to compare pairwise each criterion, sub-criterion and alternative with respect to the node connected above. For the scoring of the pairwise comparison the fundamental scale described in 3.3 is used. This comparison is done only for homogeneous elements, meaning only elements in one box in Figure 5.5 are compared with each other. The pairwise comparison will be explained by the pairwise comparison of the criteria. Each criterion is compared with each other by contrasting them. The results of the pairwise comparison are collected in the comparison matrix A. In order to explain the pairwise comparison, the results are first collected in Table 5.8. The criterion written in the row ($c_i$) is compared with the criterion written in the column ($c_j$). If $c_i$ is more important than $c_j$, then the entry in the given row and column is scored according to their importance by the fundamental scale table. But if $c_j$ is more important than $c_i$, then the entry is the reciprocal of the value reached as well by the fundamental scale (3.1).
Figure 5.5: Hierarchy of Power System Failures.
The comparison will be explained by some entries of Table 5.8, which is defined as $T_{i,j}$, where i is the row and j the column of the table. The first comparison of the table, for the entry $T_{1,1}$, is effect on payload and effect on payload. Since these are the same criteria, the fundamental scale table delivers the value 1. The diagonal of the table ($T_{1,1} \dots T_{6,6}$), and later of the matrix, is always one, because the criteria listed in the rows are in the same order as the criteria listed in the columns. Thus the diagonal entries of the table are filled with one in Table 5.9a. After the diagonal entries are defined, the table can be filled starting either with the lower triangular or with the upper. Here the upper triangular is chosen. Therefore the next comparison is effect on payload and effect on satellite bus for the cell $T_{1,2}$. As mentioned before, the satellite bus makes it possible to use the payload. But on the other hand, without the payload the mission cannot be fulfilled. Therefore effect on satellite bus is weakly more important than effect on payload and has the scaling value 2. Since the element in the column, $c_j$, is more important than the row element $c_i$, the entry for the cell $T_{1,2}$ is the reciprocal of 2, thus 1/2. The next comparison, between effect on payload and effect on system, delivers the value 1/4, because effect on system has a moderate plus importance over the criterion effect on payload, which is indicated with the value 4. And since the column element is more important than the row element, the entry is the reciprocal of 4. The rest of the upper triangular is filled by the same principle. Once the upper triangular of the table is set, the lower triangular can be derived by

$$T_{j,i} = \frac{1}{T_{i,j}}. \qquad (5.1)$$

For example, the element $T_{2,1}$ is the reciprocal of the value in the cell $T_{1,2}$, which is $\frac{1}{1/2} = 2$. Doing this for all cells of the lower triangular provides the complete table (5.9b).
Step 3: Comparison Matrix
In the third step the comparison table has to be stated as a comparison matrix, in order to later calculate its eigenvector for the principal eigenvalue, which is at the same time the priority vector. Out of the comparison Table 5.9b a 6x6 matrix is set up as follows:
Table 5.8: Pairwise Comparison of Criteria.

(a) Pairwise comparison of upper triangular.

| Criteria | effect on payload | effect on satellite bus | effect on system | repairable | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|
| effect on payload | 1 | 1/2 | 1/4 | 1/2 | 1/2 | 1/6 |
| effect on satellite bus | 2 | 1 | 1/4 | 1/3 | 1/2 | 1/5 |
| effect on system | 4 | 4 | 1 | 3 | 4 | 1/4 |
| repairable | 2 | 3 | 1/3 | 1 | 3 | 1/6 |
| number of redundancy | 2 | 2 | 1/4 | 1/3 | 1 | 1/5 |
| effect on discovery of the event | 6 | 5 | 4 | 6 | 5 | 1 |

(b) Complete pairwise comparison.

| Criteria | effect on payload | effect on satellite bus | effect on system | repairable | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|
| effect on payload | 1 | 1/2 | 1/4 | 1/2 | 1/2 | 1/6 |
| effect on satellite bus | 2 | 1 | 1/4 | 1/3 | 1/2 | 1/5 |
| effect on system | 4 | 4 | 1 | 3 | 4 | 1/4 |
| repairable | 2 | 3 | 1/3 | 1 | 3 | 1/6 |
| number of redundancy | 2 | 2 | 1/4 | 1/3 | 1 | 1/5 |
| effect on discovery of the event | 6 | 5 | 4 | 6 | 5 | 1 |
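$$A = \begin{pmatrix}
1 & \frac{1}{2} & \frac{1}{4} & \frac{1}{2} & \frac{1}{2} & \frac{1}{6} \\
2 & 1 & \frac{1}{4} & \frac{1}{3} & \frac{1}{2} & \frac{1}{5} \\
4 & 4 & 1 & 3 & 4 & \frac{1}{4} \\
2 & 3 & \frac{1}{3} & 1 & 3 & \frac{1}{6} \\
2 & 2 & \frac{1}{4} & \frac{1}{3} & 1 & \frac{1}{5} \\
6 & 5 & 4 & 6 & 5 & 1
\end{pmatrix}.$$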
Step 4: Priority Vector
Based on the comparison matrix the priority vector w can be derived. For this the eigenvalues and eigenvectors are required. The priority vector corresponds to the normalized eigenvector of the maximum eigenvalue, also referred to as the normalized principal eigenvector. It delivers the importance of each criterion as a numerical value. Since a software is used for determining the priority vector, how the eigenvalue and eigenvector are calculated will not be explained here. The Super Decision software used here delivers the priority vector directly. The result of the software for w for the matrix A is given by
$$w = \begin{pmatrix}
0.0483 \\
0.0597 \\
0.2228 \\
0.1203 \\
0.0748 \\
0.4740
\end{pmatrix}.$$
With the priority vector the weighting of each criterion is provided. The values of the vector are given in percentage, in which the total sum of all values is 100,0%. The criterion effect on payload has a weighting of 4,83%. This means that the criterion effect on payload influences the rating of the failures by the value 4,83%. All other criteria are weighted according to the priority vector and the results are:
Table 5.10: Weighting of the Criteria according to the Priority Vector.

| Criteria | Weighting |
|---|---|
| effect on payload | 4,83% |
| effect on satellite bus | 5,97% |
| effect on system | 22,28% |
| repairable | 12,03% |
| number of redundancy | 7,48% |
| effect on discovery of the event | 47,40% |
Step 2 and step 3 are applied to the sub-criteria as well. The pairwise comparison of homogeneous elements is done with respect to the linked criteria. Steps 2 and 3 have to be applied to the alternatives as well. The pairwise comparison of the alternatives is done with respect to the sub-criteria linked above. It should be noted that the alternatives in this work are weighted equally with respect to the linked sub-criteria for simplification purposes. But it is also possible to compare the alternatives with each other with respect to the linked criteria. These steps are skipped here and only the weighting of all sub-criteria is presented in Table 5.11. The weights are obtained as described in step 4 by deriving the priority vector. The elements are sorted ascending by their weighting. Here as well, the sum of the weightings within each sub-criterion is 100,0%.
Since the pairwise comparison of the alternatives with respect to the connected sub-criteria is not carried out, only their weightings are presented in Table 5.13. The weighting is done equally for each alternative with regard to the linked sub-criteria. The equal weighting of the alternatives will be demonstrated by loss of spacecraft, which is an element of the sub-criterion effect on system. Besides the battery component failures f44, f45 and f49 presented in 5.7, there are other power system failures, f41 and f55, which may lead to the loss of the spacecraft. Since the weighting is done for the overall subsystem and not only for one component, these failures have to be taken into account as well. Thus the element loss of spacecraft is linked to the five alternatives f41, f44, f45, f49 and f55. With a total weighting sum of 100,0% and five alternatives that have to be weighted equally, the weighting of each alternative is 20,0%. The equal weighting of alternatives with respect to the linked sub-criteria is a default setting in the Super Decision software and does not have to be made manually.
Step 5: Determination of the Consistency Ratio CR
In order to check the inconsistency of the pairwise comparison, the consistency ratio has to be derived as described in 3.3.1 step 5. The Super Decision software determines CR automatically during the pairwise comparison. There is no need to calculate the CR manually. It is necessary that the value CR is smaller than 0,1, otherwise the pairwise comparison will be inconsistent. In this case the pairwise comparison has to be repeated until CR is smaller than 0,1. Since the CR values are indicating the inconsistency of a pairwise comparison and are not required afterwards.
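Steps 3 to 5 can be reproduced without the Super Decision software. The following is an added example, not code from the thesis or from that software: it rebuilds A from the upper triangle of Table 5.8 using Eq. (5.1), derives the priority vector by power iteration and computes CR. The function names are hypothetical, and the random index values are Saaty's commonly published ones, assumed here because the section that defines them (3.3.1) is not part of this excerpt.

```python
from fractions import Fraction as F

# Criteria in the row/column order of Table 5.8.
CRITERIA = [
    "effect on payload", "effect on satellite bus", "effect on system",
    "repairable", "number of redundancy", "effect on discovery of the event",
]

# Upper triangle of Table 5.8: (row i, column j) with j > i, zero-based.
UPPER = {
    (0, 1): F(1, 2), (0, 2): F(1, 4), (0, 3): F(1, 2), (0, 4): F(1, 2), (0, 5): F(1, 6),
    (1, 2): F(1, 4), (1, 3): F(1, 3), (1, 4): F(1, 2), (1, 5): F(1, 5),
    (2, 3): F(3), (2, 4): F(4), (2, 5): F(1, 4),
    (3, 4): F(3), (3, 5): F(1, 6),
    (4, 5): F(1, 5),
}

# Random consistency index per matrix order (assumption: Saaty's standard values).
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def build_matrix(upper, n):
    """Diagonal = 1, lower triangle = reciprocal of the upper one (Eq. 5.1)."""
    expected = {(i, j) for i in range(n) for j in range(i + 1, n)}
    if set(upper) != expected:
        raise ValueError("upper triangle is incomplete or has stray entries")
    a = [[F(1)] * n for _ in range(n)]
    for (i, j), value in upper.items():
        if value <= 0:
            raise ValueError(f"entry {(i, j)} must be positive")
        a[i][j] = value
        a[j][i] = 1 / value
    return a


def principal_eigen(a, tol=1e-12, max_iter=1000):
    """Power iteration. Returns (lambda_max, w) with w normalised to sum 1."""
    n = len(a)
    m = [[float(x) for x in row] for row in a]
    w = [1.0 / n] * n
    for _ in range(max_iter):
        aw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)  # equals lambda_max at convergence because sum(w) == 1
        nxt = [x / lam for x in aw]
        if max(abs(x - y) for x, y in zip(nxt, w)) < tol:
            return lam, nxt
        w = nxt
    raise RuntimeError("power iteration did not converge")


def consistency_ratio(lam, n):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1)."""
    ci = (lam - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def analyse():
    """Priority vector, lambda_max and CR for the criteria comparison."""
    a = build_matrix(UPPER, len(CRITERIA))
    lam, w = principal_eigen(a)
    return w, lam, consistency_ratio(lam, len(CRITERIA))


if __name__ == "__main__":
    weights, lam_max, cr = analyse()
    for name, weight in zip(CRITERIA, weights):
        print(f"{name:35s} {weight * 100:6.2f}%")
    verdict = "consistent" if cr < 0.1 else "repeat the pairwise comparison"
    print(f"lambda_max = {lam_max:.4f}, CR = {cr:.4f} ({verdict})")
```
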
Step 6: Rating of each Alternative
In the last step the alternatives, in this case the failures, are evaluated by values. The rating of each failure can be reached by multiplying the weighting of criteria, sub-criteria and alternative and summing them up. This approach will be illustrated by the failure f44. Figure 5.6 depicts the link of criteria with sub-criteria and the link of sub-criteria and the alternative f44. The figure is only for explanation purposes and does not contain the complete hierarchy. The numbers in the ellipses are the weighting of each element. The weightings of the criteria are from Table 5.10 and those of the sub-criteria are from Table 5.11. The weightings of the alternative f44 with respect to the linked sub-criteria are determined as described in step 5. The criterion effect on payload is linked to the sub-criterion loss of payload, which in turn is linked to the alternative f44. The weighting of the alternative varies with respect to the linked sub-criteria.
Table 5.11: Weighting of all Sub-criteria according to the Priority Vector.

| Sub-criteria: Effect on Payload | Weighting |
|---|---|
| no effects on payload | 1,38% |
| low power available for payload | 2,46% |
| less power available for payload during eclipse | 3,21% |
| less power available for payload | 3,82% |
| EMI on adjacent components affecting their functions | 5,35% |
| very limited power available for payload during eclipse | 7,66% |
| very limited power available for payload | 9,58% |
| incorrect power supply to payload leading to damage them | 11,75% |
| payload cannot be powered | 22,29% |
| loss of payload | 32,51% |
| Sum: | 100,0% |

| Sub-criteria: Effect on Satellite Bus | Weighting |
|---|---|
| no effects on satellite bus | 0,69% |
| low power available for satellite bus | 1,18% |
| less power available for satellite bus in eclipse | 1,33% |
| less power available for satellite bus | 1,45% |
| slight destruction of SA, low power available | 1,71% |
| very limited power available for satellite bus in eclipse | 1,88% |
| very limited power available for satellite bus | 2,51% |
| EMI on adjacent components, affecting their functions | 2,71% |
| moderate destruction of SA, less power available | 2,81% |
| moderate destruction of battery, less power available | 3,06% |
| damage of battery leading to less power capacity | 3,49% |
| strong destruction of SA, less power available | 3,75% |
| strong destruction of battery, very limited power available | 4,95% |
| damage of battery leading to very limited power capacity | 5,14% |
| extremely strong destruction of SA, very limited power available | 5,27% |
| incorrect power distribution to satellite bus can damage it | 6,87% |
| drop of redundancy | 12,71% |
| satellite bus cannot be powered | 16,20% |
| loss of satellite bus | 22,29% |
| Sum: | 100,0% |

| Sub-criteria: Effect on System | Weighting |
|---|---|
| slight degradation of spacecraft life time | 2,80% |
| moderate degradation of spacecraft life time | 5,23% |
| undesired operations of the spacecraft | 7,29% |
| strong degradation of spacecraft life time | 12,73% |
| extremely strong degradation of spacecraft life time | 22,90% |
| loss of spacecraft | 49,05% |
| Sum: | 100,0% |

| Sub-criteria: Repairable | Weighting |
|---|---|
| no | 10,00% |
| yes | 90,00% |
| Sum: | 100,0% |

| Sub-criteria: Number of Redundancy | Weighting |
|---|---|
| 3 | 5,53% |
| 2 | 11,75% |
| 1 | 26,22% |
| 0 | 56,50% |
| Sum: | 100,0% |

| Sub-criteria: Effect on Discovery of the Event | Weighting |
|---|---|
| no effects on discovery | 4,21% |
| can effect the discovery slightly | 8,12% |
| can effect the discovery strongly | 28,36% |
| not possible to discover | 59,31% |
| Sum: | 100,0% |
Figure 5.6: Rating of the Alternative f44.
Table 5.12: Rating of the Alternative f44.

| Criteria | Weighting (Cw) | Sub-Criteria | Weighting (Sw) | Alternative | Weighting (Aw), w.r.t. linked Sub-Criteria | Multiplication of Cw, Sw and Aw |
|---|---|---|---|---|---|---|
| effect on payload | 4,83% | loss of payload | 32,51% | f44 | 50,00% | 0,79% |
| effect on satellite bus | 5,97% | loss of satellite bus | 22,29% | f44 | 50,00% | 0,67% |
| effect on system | 22,28% | loss of spacecraft | 49,05% | f44 | 20,00% | 2,19% |
| repairable | 7,48% | no | 26,22% | f44 | 8,33% | 0,16% |
| number of redundancy | 12,03% | 1 | 10,00% | f44 | 7,14% | 0,09% |
| effect on discovery of the event | 47,40% | not possible to discover | 59,31% | f44 | 20,00% | 5,62% |

Rating of f44: 9,51%
The weighting of the alternative f44 with respect to the sub-criteria element loss of payload is 50,0%, whereas the weighting of the same alternative with respect to the sub-criteria element loss of spacecraft is 20,0%. The total rating of the alternative f44 is reached by multiplying the weighting of each connected element and summing them up. In Figure 5.6 the weightings of the linked elements are marked in the same color. These values are also presented in Table 5.12. The elements criteria, sub-criteria and alternative which are in the same line are connected. The multiplication of each weighting in the same line can be found in the last column. The rating of the failure f44 is then given by the sum of all multiplications. As a result the rating of the alternative f44 is 9,51%.
Table 5.13: Rating of all Alternatives of the Power System Failures.

| component | failure mode | failure id | normals | degree of impact (ideals) |
|---|---|---|---|---|
| solar array | efficiency degradation/outgassing | f26 | 0,52% | 5,34% |
| solar array | malfunction | f38 | 0,70% | 7,21% |
| solar array | SEL | f30 | 0,98% | 10,15% |
| solar array | efficiency degradation/outgassing | f28 | 1,08% | 11,13% |
| solar array | malfunction | f39 | 1,09% | 11,26% |
| solar array | efficiency degradation/outgassing | f27 | 1,12% | 11,55% |
| battery | fail of few battery cell | f46 | 1,12% | 11,56% |
| solar array | SEB | f34 | 1,17% | 12,05% |
| pcdu | overcharging, deep discharge | f50 | 1,25% | 12,89% |
| solar array | SEB | f35 | 1,26% | 13,01% |
| battery | SEE | f42 | 1,52% | 15,72% |
| solar array | SEL | f31 | 1,56% | 16,04% |
| battery | malfunction | f48 | 1,56% | 16,11% |
| pcdu | malfunction | f54 | 1,56% | 16,11% |
| solar array | electrostatic discharge | f22 | 1,62% | 16,66% |
| solar array | SEL | f32 | 1,67% | 17,26% |
| solar array | electrostatic discharge | f23 | 1,71% | 17,62% |
| pcdu | SEE | f52 | 1,78% | 18,34% |
| pcdu | overcharging, deep discharge | f51 | 2,09% | 21,54% |
| solar array | SEB | f36 | 2,43% | 25,01% |
| solar array | malfunction | f40 | 2,51% | 25,92% |
| solar array | electrostatic discharge | f24 | 2,56% | 26,40% |
| solar array | efficiency degradation/outgassing | f29 | 2,70% | 27,86% |
| solar array | electrostatic discharge | f25 | 2,75% | 28,35% |
| battery | fail of few battery cell | f47 | 2,76% | 28,43% |
| pcdu | SEE | f53 | 3,01% | 31,04% |
| solar array | SEL | f33 | 3,14% | 32,36% |
| battery | SEE | f43 | 3,39% | 34,91% |
| solar array | SEB | f37 | 3,40% | 35,03% |
| solar array | malfunction | f41 | 8,93% | 92,07% |
| battery | malfunction | f49 | 8,93% | 92,07% |
| pcdu | malfunction | f55 | 8,93% | 92,07% |
| battery | explosion due to high temperature | f44 | 9,51% | 98,05% |
| battery | explosion due to high temperature | f45 | 9,70% | 100,00% |

Sum: 100,0%
The rating of each alternative is derived by the Super Decision software automatically and there is no need to calculate the rating of each alternative manually. The evaluation of each alternative of the power system failures can be found in Table 5.13, in which the normals are the ratings derived as described above, representing the ratings in normalized form. Therefore the sum of all normals is 100,0%. The table is sorted in ascending order by the normals. The ideals are the normals divided by the maximum value of the normals column. In the power system failure rating the maximum normal is given by the alternative f45, which corresponds to the failure mode explosion due to high temperature. Dividing all normals by 9,70% delivers the entries in the column ideals.
With the ideals the value for the degree of impact of each failure is provided. The highest degree of impact will be 100,0%, which is the worst failure that can occur in the power subsystem. With decreasing degree of impact the severity of the failures also decreases. The degree of impact moves towards 0% but will never reach it, since each failure will have a degree of impact, even if it is minimal.
Figure 5.7: Assignment of Failure Impact Values to a Severity Level.
5.2.3 Results of the Failure Rating
As mentioned before, only the degree of impact of power system failures is presented here. The evaluation of the remaining subsystem failures can be found in the appendix. Based on a reasonability analysis, the failures will be classified in levels ranging from 1 to 4. The analysis of power system failures and all other remaining subsystems shows that a failure with an impact equal to or greater than 90,0% indicates the total loss of the spacecraft. This is mostly the case if an element with no redundancy fails. Extremely strong failures, e.g. explosion of the battery, can also lead to the loss of the spacecraft. These failures are classified as level 4 failures. Failures with an impact between 40,0% and 90,0% are strong failures, which should be repaired instantaneously, otherwise they can damage the spacecraft strongly or even lead to its loss. These failures are assigned to level 3. Failures between 30,0% and 40,0% are moderate failures which will influence the spacecraft operation slightly. These failures have a severity level of 2. All failures below 30,0% are less critical for the spacecraft, but they can still create hazards. These failures are mostly not repairable failures, failures occurring in a still redundant component or failures with minor effects. They are classed as level 1 failures. Figure 5.7 depicts the assignment of failure impact values to their severity levels. As can be seen in the figure, the severity of a failure decreases with decreasing impact value. The assignment is required to establish later the rules of the designed DSS in Section 7.
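The chain from step 6 to the severity levels can be traced in a few lines. The following is an added example, not code from the thesis: it recomputes the f44 rating from the rows of Table 5.12 as printed, converts the battery normals of Table 5.13 into ideals and maps them to the levels of Section 5.2.3. The function names are hypothetical, and treating the lower bound of each level as inclusive is an assumption, since the text only says "between".

```python
# Rows of Table 5.12 as printed, in percent:
# (criterion, Cw, sub-criterion, Sw, Aw of f44 w.r.t. that sub-criterion)
F44_ROWS = [
    ("effect on payload", 4.83, "loss of payload", 32.51, 50.00),
    ("effect on satellite bus", 5.97, "loss of satellite bus", 22.29, 50.00),
    ("effect on system", 22.28, "loss of spacecraft", 49.05, 20.00),
    ("repairable", 7.48, "no", 26.22, 8.33),
    ("number of redundancy", 12.03, "1", 10.00, 7.14),
    ("effect on discovery of the event", 47.40, "not possible to discover", 59.31, 20.00),
]

# Normals of the battery failures from Table 5.13, in percent. f45 is also the
# maximum of the complete power system table, so it is the reference for ideals.
BATTERY_NORMALS = {
    "f42": 1.52, "f43": 3.39, "f44": 9.51, "f45": 9.70,
    "f46": 1.12, "f47": 2.76, "f48": 1.56, "f49": 8.93,
}


def rating(rows):
    """Sum over all criteria of Cw * Sw * Aw, returned in percent."""
    return sum(cw / 100 * sw / 100 * aw / 100 for _, cw, _, sw, aw in rows) * 100


def to_ideals(normals):
    """Divide every normal by the largest one; the worst failure becomes 100%."""
    if not normals or min(normals.values()) <= 0:
        raise ValueError("every failure needs a positive rating")
    worst = max(normals.values())
    return {fid: value / worst * 100 for fid, value in normals.items()}


def severity_level(impact):
    """Map a degree of impact in percent to the severity levels 1 to 4."""
    if not 0 < impact <= 100:
        raise ValueError(f"degree of impact out of range: {impact}")
    if impact >= 90:
        return 4  # total loss of the spacecraft
    if impact >= 40:
        return 3  # strong failure, repair instantaneously
    if impact >= 30:
        return 2  # moderate failure
    return 1      # less critical


def classify(normals):
    """Return {failure id: (ideal in percent, severity level)}."""
    return {fid: (ideal, severity_level(ideal))
            for fid, ideal in to_ideals(normals).items()}


if __name__ == "__main__":
    print(f"rating of f44: {rating(F44_ROWS):.2f}%")
    ranked = sorted(classify(BATTERY_NORMALS).items(), key=lambda kv: kv[1][0])
    for fid, (ideal, level) in ranked:
        print(f"{fid}: degree of impact {ideal:6.2f}% -> level {level}")
```

Because the ideals are recomputed here from normals that are already rounded to two decimals, they can differ from the printed ideals in the last digits.
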
6 Event Analysis
A difficult part of designing a decision support system for high-level planning in critical situations is to specify the events that may be interesting to investigate. The high-level planning in critical situations deals with unpredictable events. These in turn extend from known up to totally unknown phenomena. In this section a detailed analysis of the events will be made and illustrated by examples. Since the Èxypnos System will operate for testing purposes as an earth observation satellite, most examples will be based on events occurring on and around Earth. First of all, the features which influence the importance of an event will be determined in Section 6.1. Explicitly specifying each event is not possible, since the spacecraft can also detect completely unknown phenomena. Therefore in Section 6.2 all features will be combined to cover all events that can be detected. Similar to the failure rating part, the events are also evaluated by applying the AHP method. In the last section the importance value of an event will be derived by the AHP based on the preceding analysis.
6.1 Defining the Features of the Events
As a first step the events have to be characterized by features in order to rate them by their importance. The features predictability, repetition in one cycle and strangeness are considered and will be defined in the following subsections.
6.1.1 Predictability
The events can be divided according to their predictability into three types. The first type is predictable events, whose occurrence can be calculated. There exist several books and catalogs which include the calculated astronomical phenomena of each year. One of them is the world-wide known Astronomical Almanac, published one year in advance by the United States Naval Observatory (USNO) and Her Majesty’s Nautical Almanac Office (HMNAO) [42]. It contains information on astronomical events, for example phenomena like solar and moon eclipses, position and constellation of celestial bodies and many other calculable events [42]. Another type with respect to foreseeability is conditionally predictable events. These events involve e.g. the impact of near-earth objects on Earth and polar lights. The occurrence of these phenomena mostly depends on the occurrence of other phenomena. For example, polar lights depend on solar wind. The last type, which is essential for this work, is not predictable phenomena. These are for example Gamma Ray Bursts (GRB)¹, Novae², extraterrestrial signals or even totally unknown phenomena. As mentioned before, the interesting events for the high-level planning challenge are not predictable events, and the analysis will be continued only with not predictable events.
6.1.2 Repetition in one Cycle
Based on the detection of the event, the repetition in one cycle has to be supported. One cycle can be defined by the system designer and can be one orbit, one hour, ten minutes, ten seconds and so on. In this work, one cycle is set to one minute. The feature repetition in one cycle can take the following values for the designed system:
- 0, 1, 2, 3
- 4, 5, 6
- 7, 8, 9
- >9.
If e.g. the repetition of the event is 2 times per cycle, then the input parameter has to be the total line, which means 0, 1, 2, 3. The reason for doing it this way was to outline the concept of the Èxypnos System as simply as possible.
The value of repetition is necessary for the decision support system, because its importance increases with decreasing repetition. The reason for this is that if an event is repeating e.g. for one hour (meaning a repetition of >9), then the failure occurring at the same time in the spacecraft can be corrected, if that is possible and the correction takes less than one hour. After the correction the spacecraft can discover the event without risking itself.
6.1.3 Level of Intensity
Another essential feature is the level of intensity of the observed and measured phenomenon. To measure the level of intensity the standard deviation will be used. If a measurement is within the 3𝜎 standard deviation from its mean value, it is not significant, since in case of a normal distribution of the measurement 99,7% of the values will lie within the 3𝜎. It will be significant if the standard deviation is above 3𝜎. Therefore with an increasing standard deviation the importance of the event also increases. The values for the level of intensity are as follows:
¹ GRBs are short electromagnetic explosions.
² Novae are bright shining of stars due to explosions.
- 0, 1, 2, 3 𝜎
- 4, 5, 6 𝜎
- 7, 8, 9 𝜎
- >9 𝜎.
An example of this is the so-called Wow! signal³, measured with the Big Ear radio telescope of the Ohio State University. Dr. Jerry R. Ehman recorded this signal in 1977 and analyzed it. It was recorded for 72 seconds. His results showed a signal intensity which was 30 times stronger than the background noise. Even now there is no clear explanation for this phenomenon and it was never recorded again [43].
6.1.4 Strangeness
The last important feature to characterize the importance of a phenomenon is its strangeness. An event is strange if either the phenomenon is totally unknown or the phenomenon occurs in a region where it is not expected. The strangeness is divided into extremely high, high and low. A phenomenon with an extremely high strangeness is an event that was never observed before by humans. As a result the reason for its occurrence is unexpected and will be investigated. An example of an extremely high strange event is the Wow! signal mentioned in 6.1.3. Another example is Gamma Ray Bursts, when they were observed for the first time in 1967 [44]. A high strangeness is defined as a known phenomenon occurring in a region in which it is not expected. An exaggerated example is a volcanic eruption in Berlin; another is liquid water on the lunar surface. The strangeness of an event is low if the phenomenon has already been observed before, and is therefore known, and if it occurs in an area where it is expected.
6.2 Combination of Event Features
In summary it can be stated that an event is characterized by its repetition in one cycle, the level of intensity and its strangeness. This work concentrates only on not predictable events, therefore the predictability consists of one value, ’not predictable’. The properties repetition in one cycle and level of intensity can have four different values, described in 6.1.2 (for repetition in one cycle) and 6.1.3 (for level of intensity). And the last feature, strangeness, mentioned in 6.1.4, can take three different attributes. The combination of all these properties delivers 48 (= 4 (repetition) · 4 (level of intensity) · 3 (strangeness)) possible events which have to be rated according to their importance. Figure 6.1 depicts a cutout of the event tree which illustrates all possible events. The complete event tree can be found in the appendix.
³ Dr. Jerry R. Ehman circled the unusual measurement and wrote "Wow!", therefore this signal is called the Wow! signal.
Figure 6.1: Cutout of the Event Tree.
The name of an event is a composition of its features: strangeness, repetition in one cycle and level of intensity, in exactly this order. For example, if ASAP detected an event whose strangeness is high, whose repetition is 3 times in one cycle and whose level of intensity is 8σ, then the phenomenon is named e(high, {0, 1, 2, 3}, {7σ, 8σ, 9σ}). This is also illustrated in Figure 6.1 on the right hand side in the blue boxes. This was required to identify each event uniquely depending on its properties.
6.3 Determining the Importances of Events
The importance of an event is required for the decision making. As with the failures, the importance of events has to be expressed as numerical values. Here as well the AHP method is used to obtain a value for the importance of the events. This is done in the same way as described in Subsection 5.2.2, but with changed criteria, sub-criteria and alternatives. The criteria are the features defined in Section 6.1 and the sub-criteria are the related values of the criteria. The alternatives are the resulting 48 combinations defined in 6.2. The steps described in 5.2.2 are also applied to the events. The weighting of each criterion is presented in Table 6.1 and the weighting of each sub-criterion is presented in Table 6.2. The elements are sorted in ascending order by their weights. Here as well the alternatives with respect to the linked sub-criteria are weighted equally, which is done by the Super Decision software. The resulting weighting of one alternative is 1/48.
The most important criterion is strangeness, which influences the decision making with more than 70,0%. The criteria level of intensity and repetition have an influence of about 22,0% and 8,0% respectively. The weightings of the sub-criteria of strangeness and level of intensity decrease with decreasing strangeness and intensity, whereas the weighting of the sub-criteria of repetition decreases with increasing repetition of the event. This is comprehensible, since an infrequent event gains in importance.
In Table 6.3 all possible events, derived from the combination of event features, are presented. For clarity, the events are not sorted in ascending order by their importance like the power system failures. Instead, the events are grouped first by their strangeness, then by their repetition. As desired, the importance is higher for the events with extremely high strangeness. The most important event, with an importance of 100,0%, is the event with an extremely high strangeness, a repetition of {0, 1, 2, 3} and a level of intensity larger than 9σ. It can be stated that the most important events are those with extremely high strangeness, whose importances range from 69,42% to 100,00%.
Table 6.1: Weighting of Event Criteria according to the Priority Vector.

    Criteria             Weighting
    repetition           8,41%
    level of intensity   21,09%
    strangeness          70,49%
    Sum:                 100,0%
Table 6.2: Weighting of Event Sub-Criteria according to the Priority Vector.

    Sub-criteria: Strangeness   Weighting
    low                         6,60%
    high                        31,87%
    extremely high              61,53%
    Sum:                        100,0%

    Sub-criteria: Repetition    Weighting
    (>9)                        7,53%
    (7,8,9)                     12,01%
    (4,5,6)                     26,97%
    (0,1,2,3)                   53,49%
    Sum:                        100,0%

    Sub-criteria: Level of Intensity   Weighting
    (0,1,2,3)sigma                     4,21%
    (4,5,6)sigma                       11,90%
    (7,8,9)sigma                       26,92%
    (>9)sigma                          56,98%
    Sum:                               100,0%
Table 6.3: Importance of each Event derived by AHP.

    id  event                                      strangeness     repetition  level of intensity  normals  importance (ideals)
    1   e(low,{0,1,2,3},{0,1σ,2σ,3σ})              low             {0,1,2,3}   {0,1σ,2σ,3σ}        0,74%    18,10%
    2   e(low,{0,1,2,3},{4σ,5σ,6σ})                low             {0,1,2,3}   {4σ,5σ,6σ}          0,88%    21,41%
    3   e(low,{0,1,2,3},{7σ,8σ,9σ})                low             {0,1,2,3}   {7σ,8σ,9σ}          1,14%    27,87%
    4   e(low,{0,1,2,3},>9σ)                       low             {0,1,2,3}   >9σ                 1,67%    40,79%
    5   e(low,{4,5,6},{0,1σ,2σ,3σ})                low             {4,5,6}     {0,1σ,2σ,3σ}        0,55%    13,55%
    6   e(low,{4,5,6},{4σ,5σ,6σ})                  low             {4,5,6}     {4σ,5σ,6σ}          0,69%    16,86%
    7   e(low,{4,5,6},{7σ,8σ,9σ})                  low             {4,5,6}     {7σ,8σ,9σ}          0,95%    23,31%
    8   e(low,{4,5,6},>9σ)                         low             {4,5,6}     >9σ                 1,48%    36,24%
    9   e(low,{7,8,9},{0,1σ,2σ,3σ})                low             {7,8,9}     {0,1σ,2σ,3σ}        0,45%    10,98%
    10  e(low,{7,8,9},{4σ,5σ,6σ})                  low             {7,8,9}     {4σ,5σ,6σ}          0,58%    14,29%
    11  e(low,{7,8,9},{7σ,8σ,9σ})                  low             {7,8,9}     {7σ,8σ,9σ}          0,85%    20,75%
    12  e(low,{7,8,9},>9σ)                         low             {7,8,9}     >9σ                 1,38%    33,68%
    13  e(low,>9,{0,1σ,2σ,3σ})                     low             >9          {0,1σ,2σ,3σ}        0,42%    10,22%
    14  e(low,>9,{4σ,5σ,6σ})                       low             >9          {4σ,5σ,6σ}          0,55%    13,52%
    15  e(low,>9,{7σ,8σ,9σ})                       low             >9          {7σ,8σ,9σ}          0,82%    19,98%
    16  e(low,>9,>9σ)                              low             >9          >9σ                 1,35%    32,91%
    17  e(high,{0,1,2,3},{0,1σ,2σ,3σ})             high            {0,1,2,3}   {0,1σ,2σ,3σ}        1,85%    45,33%
    18  e(high,{0,1,2,3},{4σ,5σ,6σ})               high            {0,1,2,3}   {4σ,5σ,6σ}          1,99%    48,64%
    19  e(high,{0,1,2,3},{4σ,5σ,6σ})               high            {0,1,2,3}   {7σ,8σ,9σ}          2,25%    55,10%
    20  e(high,{0,1,2,3},>9σ)                      high            {0,1,2,3}   >9σ                 2,78%    68,02%
    21  e(high,{4,5,6},{0,1σ,2σ,3σ})               high            {4,5,6}     {0,1σ,2σ,3σ}        1,67%    40,78%
    22  e(high,{4,5,6},{4σ,5σ,6σ})                 high            {4,5,6}     {4σ,5σ,6σ}          1,80%    44,09%
    23  e(high,{4,5,6},{7σ,8σ,9σ})                 high            {4,5,6}     {7σ,8σ,9σ}          2,07%    50,55%
    24  e(high,{4,5,6},>9σ)                        high            {4,5,6}     >9σ                 2,59%    63,47%
    25  e(high,{7,8,9},{0,1σ,2σ,3σ})               high            {7,8,9}     {0,1σ,2σ,3σ}        1,56%    38,22%
    26  e(high,{7,8,9},{4σ,5σ,6σ})                 high            {7,8,9}     {4σ,5σ,6σ}          1,70%    41,52%
    27  e(high,{7,8,9},{7σ,8σ,9σ})                 high            {7,8,9}     {7σ,8σ,9σ}          1,96%    47,98%
    28  e(high,{7,8,9},>9σ)                        high            {7,8,9}     >9σ                 2,49%    60,91%
    29  e(high,>9,{0,1σ,2σ,3σ})                    high            >9          {0,1σ,2σ,3σ}        1,53%    37,45%
    30  e(high,>9,{4σ,5σ,6σ})                      high            >9          {4σ,5σ,6σ}          1,67%    40,76%
    31  e(high,>9,{7σ,8σ,9σ})                      high            >9          {7σ,8σ,9σ}          1,93%    47,21%
    32  e(high,>9,>9σ)                             high            >9          >9σ                 2,46%    60,14%
    33  e(extremelyhigh,{0,1,2,3},{0,1σ,2σ,3σ})    extremely high  {0,1,2,3}   {0,1σ,2σ,3σ}        3,16%    77,31%
    34  e(extremelyhigh,{0,1,2,3},{4σ,5σ,6σ})      extremely high  {0,1,2,3}   {4σ,5σ,6σ}          3,30%    80,62%
    35  e(extremelyhigh,{0,1,2,3},{7σ,8σ,9σ})      extremely high  {0,1,2,3}   {7σ,8σ,9σ}          3,56%    87,07%
    36  e(extremelyhigh,{0,1,2,3},>9σ)             extremely high  {0,1,2,3}   >9σ                 4,09%    100,00%
    37  e(extremelyhigh,{4,5,6},{0,1σ,2σ,3σ})      extremely high  {4,5,6}     {0,1σ,2σ,3σ}        2,97%    72,76%
    38  e(extremelyhigh,{4,5,6},{4σ,5σ,6σ})        extremely high  {4,5,6}     {4σ,5σ,6σ}          3,11%    76,07%
    39  e(extremelyhigh,{4,5,6},{7σ,8σ,9σ})        extremely high  {4,5,6}     {7σ,8σ,9σ}          3,37%    82,52%
    40  e(extremelyhigh,{4,5,6},>9σ)               extremely high  {4,5,6}     >9σ                 3,90%    95,45%
    41  e(extremelyhigh,{7,8,9},{0,1σ,2σ,3σ})      extremely high  {7,8,9}     {0,1σ,2σ,3σ}        2,87%    70,19%
    42  e(extremelyhigh,{7,8,9},{4σ,5σ,6σ})        extremely high  {7,8,9}     {4σ,5σ,6σ}          3,00%    73,50%
    43  e(extremelyhigh,{7,8,9},{7σ,8σ,9σ})        extremely high  {7,8,9}     {7σ,8σ,9σ}          3,27%    79,96%
    44  e(extremelyhigh,{7,8,9},>9σ)               extremely high  {7,8,9}     >9σ                 3,80%    92,88%
    45  e(extremelyhigh,>9,{0,1σ,2σ,3σ})           extremely high  >9          {0,1σ,2σ,3σ}        2,84%    69,42%
    46  e(extremelyhigh,>9,{4σ,5σ,6σ})             extremely high  >9          {4σ,5σ,6σ}          2,97%    72,73%
    47  e(extremelyhigh,>9,{7σ,8σ,9σ})             extremely high  >9          {7σ,8σ,9σ}          3,24%    79,19%
    48  e(extremelyhigh,>9,>9σ)                    extremely high  >9          >9σ                 3,77%    92,12%
    Sum:                                                                                           100,0%
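How the ratings in Table 6.3 follow from the weights in Tables 6.1 and 6.2, as an added example that is not part of the thesis or its appendix. It assumes that each sub-criterion's weight is shared equally by the alternatives that carry it (16 per strangeness value, 12 per repetition or intensity value), a reconstruction that reproduces the published normals and ideals up to rounding of the published weights; all predicate names and the atom spellings are hypothetical.

```prolog
% Added example, not the thesis's own program.
% Assumption: a sub-criterion's weight is split equally among the
% alternatives that carry it. Predicate names are hypothetical.
:- use_module(library(lists)).

% criterion(Name, Weight)                        (Table 6.1)
criterion(strangeness, 0.7049).
criterion(repetition,  0.0841).
criterion(intensity,   0.2109).

% sub_criterion(Criterion, Value, Weight)        (Table 6.2)
% Facts are listed in the row order of Table 6.3.
sub_criterion(strangeness, low,                 0.0660).
sub_criterion(strangeness, high,                0.3187).
sub_criterion(strangeness, extremely_high,      0.6153).
sub_criterion(repetition,  '0, 1, 2, 3',        0.5349).
sub_criterion(repetition,  '4, 5, 6',           0.2697).
sub_criterion(repetition,  '7, 8, 9',           0.1201).
sub_criterion(repetition,  '>9',                0.0753).
sub_criterion(intensity,   '(0, 1, 2, 3)sigma', 0.0421).
sub_criterion(intensity,   '(4, 5, 6)sigma',    0.1190).
sub_criterion(intensity,   '(7, 8, 9)sigma',    0.2692).
sub_criterion(intensity,   '(>9)sigma',         0.5698).

% alternative(-Event): every combination of one value per criterion,
% 3 * 4 * 4 = 48 alternatives in total.
alternative(e(S, R, I)) :-
    sub_criterion(strangeness, S, _),
    sub_criterion(repetition,  R, _),
    sub_criterion(intensity,   I, _).

% carriers(+Criterion, -N): how many alternatives carry one given value of
% Criterion (total alternatives divided by the number of its values).
carriers(Criterion, N) :-
    findall(A, alternative(A), As),
    length(As, Total),
    findall(V, sub_criterion(Criterion, V, _), Vs),
    length(Vs, Values),
    N is Total // Values.

% contribution(+Criterion, +Value, -C): share of the overall priority that
% one alternative receives through this sub-criterion.
contribution(Criterion, Value, C) :-
    criterion(Criterion, W),
    sub_criterion(Criterion, Value, SubW),
    carriers(Criterion, N),
    C is W * SubW / N.

% normal(+Event, -Normal): the "normals" column as a fraction of 1.
normal(e(S, R, I), Normal) :-
    contribution(strangeness, S, CS),
    contribution(repetition,  R, CR),
    contribution(intensity,   I, CI),
    Normal is CS + CR + CI.

% ideal(+Event, -Ideal): the "importance (ideals)" column, i.e. the normal
% divided by the largest normal of all alternatives.
ideal(Event, Ideal) :-
    normal(Event, Normal),
    findall(N, (alternative(A), normal(A, N)), Ns),
    max_list(Ns, Max),
    Ideal is Normal / Max.

% print_table: all 48 events with both ratings in percent.
print_table :-
    forall(alternative(E),
           ( normal(E, N),
             ideal(E, I),
             NP is N * 100,
             IP is I * 100,
             format('~q  ~2f%  ~2f%~n', [E, NP, IP]) )).
```

Calling `print_table.` lists the events in the same order as Table 6.3, so the two columns can be compared row by row.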
7 Decision Support System
After the degree of impact of failures and the importance of events have been analyzed and expressed in numerical values, the decision support system can be built. This will be done in this chapter. Since a rule-based decision support system will be developed, facts and rules will be set in Section 7.1. Finally, in Section 7.2 the implementation of the defined facts and rules in Prolog will be presented. It should be noted that only the power system is implemented in Prolog, for illustration purposes.
7.1 Defining the Facts and Rules
The designed decision support system, the Èxypnos System, is a rule-based system as described in 3.1. The Èxypnos System has to decide between repairing a failure and investigating an event in case both occur at the same time. The basis of a rule-based system are the rules and facts. In this chapter the rules and facts will be defined for the Èxypnos System.
7.1.1 Facts
The database of a decision support system involves facts that are required for the condition part of a rule (3.1). In the Èxypnos System, the database is built up of subsystem failures and events which may be attractive to investigate. In Prolog, databases can be expressed without any problems as facts [26]. The failure database of the DSS includes the following attributes, which are derived from the failure analysis in Chapter 5:
- failure id
- component
- failure mode
- number of redundant elements
- impact.
For illustrative purposes, facts for the power system failures are presented in tabular form in Table 5.13. The entries are sorted in ascending order by the degree of impact of the corresponding power system failure. An important attribute is the number of redundancy, since a failure can occur more than once in a component, e.g. SEL in a solar array, with different degrees of impact. This depends on the number of redundancy, since the impact of a failure in a redundant component is lower than the impact of a failure in a non-redundant element. The facts are predefined and uploaded to the spacecraft, and therefore it is not required to apply the AHP method on-board.
The importances of events, expressed in numerical values as defined in Chapter 6, are likewise implemented in the Èxypnos System database and uploaded to the spacecraft. The attributes of the events, for each data set, are specified with
- event id
- strangeness
- repetition
- level of intensity
- importance.
These attributes are extracted from Table 6.3.
7.1.2 Rules
The rules of the Èxypnos System are determined based on the results of the failure analysis (5.2.3) and the event analysis (6). The rules are the basis of the DSS, since the decision making of the system depends on the rules. They are defined based on the objective evaluations, e.g. of the expert, and can be changed according to the expert knowledge, spacecraft sensitivity, defined mission and so on. The rules are defined based on the severity levels of the failures. They will provide the decisions, either to repair the failure or to investigate the event.
In case of an on-board failure occurrence in one of the subsystems and the detection of an unpredictable event at the same time, the following rules will be applied by the Èxypnos System for the decision making. The condition of the rules requires as input the value impact of the occurring failure and the value importance of the detected event. The rules will first be described textually and afterwards stated as IF-THEN clauses.
If a failure of level 1 occurs, for which the impact is smaller than 30,0%, and if the difference between importance and impact is greater than or equal to 10,0%, then the event can be discovered. But if the difference between importance and impact is smaller than 10,0%, then the failure has to be repaired. This description results in two IF-THEN clauses:
Rule 1:
    IF impact < 30,0%
    AND importance - impact ≥ 10,0%
    THEN 'Discover the event.'
Rule 2:
    IF impact < 30,0%
    AND importance - impact < 10,0%
    THEN 'Repair the failure.'
If the failure is categorized as a level 2 failure, meaning the impact is greater than or equal to 30,0% and less than 40,0%, and the difference between importance and impact is greater than or equal to 20,0%, then the event has to be discovered. However, if the difference is smaller than 20,0%, then the failure has to be repaired. In this case as well two IF-THEN clauses follow:
Rule 3:
    IF impact ≥ 30,0%
    AND impact < 40,0%
    AND importance - impact ≥ 20,0%
    THEN 'Discover the event.'
Rule 4:
    IF impact ≥ 30,0%
    AND impact < 40,0%
    AND importance - impact < 20,0%
    THEN 'Repair the failure.'
If the failure is assigned to severity level 3, for which the impact of the failure is greater than or equal to 40,0% and less than 90,0%, and the difference between importance and impact is greater than or equal to 35,0%, then the event should be discovered. But if the difference between importance and impact is smaller than 35,0%, then the failure has to be repaired. From this statement two IF-THEN clauses can be derived:
Rule 5:
    IF impact ≥ 40,0%
    AND impact < 90,0%
    AND importance - impact ≥ 35,0%
    THEN 'Discover the event.'
Rule 6:
    IF impact ≥ 40,0%
    AND impact < 90,0%
    AND importance - impact < 35,0%
    THEN 'Repair the failure.'
If the impact of the failure is greater than or equal to 90,0%, then it is classified as a failure of severity level 4. In this case the spacecraft should discover the event and transmit the scientific data to Earth until the total loss occurs. This leads to a single, non-nested IF-THEN clause as follows:
Rule 7:
    IF impact ≥ 90,0%
    THEN 'Discover until spacecraft is completely loss and can not transmit anymore.'
The last rule is justified by the statement that failures with a severity level of 4 will lead to the loss of the spacecraft anyway. For that reason the detected event should be investigated until the total loss of the spacecraft occurs and the mission is lost. The possibility to transmit the scientific data of the discovered event to Earth must also be given before the total loss occurs. In total, seven rules are defined for the Èxypnos System. The rules implemented in Prolog can be found in Subsection 7.2.2. Like the facts, the rules are predefined and uploaded to the spacecraft. By updating the decision support database, the rules and facts can be extended arbitrarily.
7.2 Implementation in Prolog
For verification purposes, the facts and rules defined in the previous section are implemented in Prolog and will be presented in this section. It should be noted that only the power system is realized in Prolog.
Figure 7.1: Input and Output of the Èxypnos System.
Failures analyzed in Chapter 5 are uniquely defined by the attributes failure mode, component and number of redundancy. With these attributes and a query, it is possible to get the failure id and the impact value of each failure. The outputs of ADIA++ have to include these attributes in order to use them as an input for the Èxypnos System. Other inputs, delivered by the ASAP system, are the detected event features strangeness, repetition and level of intensity. Again with a query which involves these attributes, the event id and the value of its importance can be obtained from predefined facts. Figure 7.1 illustrates the inputs and the possible outputs of the system. Based on the applied rules, either the failure has to be patched or the event has to be discovered. If the importance of the detected event is more significant than the impact of the failure, then the event should be investigated. But in case of a failure which will lead to the loss of the spacecraft and for which no corrective measures are possible, the event should be investigated anyway. Obviously the scientific data have to be transmitted to the ground station before the total loss of the spacecraft occurs.
In this section the implementation of the facts and rules will be explained step by step. After the definition of the facts and rules, exemplary queries will be demonstrated in order to show how the system works.
7.2.1 Facts in Prolog
The database of the rule-based DSS is made up of clauses of the type fact, as mentioned before. Each line corresponds to exactly one dataset. For the failure database, the functor failure is defined with the arity 5. The predicate with the corresponding atoms of each failure dataset is defined according to 7.1.1 as follows:
failure(failure_id, component, failure_mode, number_of_redundancy,
        degree_of_impact).
Equivalently, each event dataset has the functor event with the arity 5. The predicate of each event fact is defined as described in 7.1.1 with the following atoms:
event(event_id, strangeness, repetition, level_of_intensity,
      importance).
7.2.2 Rules in Prolog
As mentioned in 3.2, a rule is composed of a head and a body, in which the body consists of n goals, where n is greater than or equal to 1. The rules set for the Èxypnos System have the functor decision and the arity 2. The required variables for the rules are degree_of_impact, which is an atom derived from the facts of the failures, and importance, obtained from the facts of the events. The head and the body of the rules are
decision(Degree_of_Impact, Importance) :-
    goal 1,
    ...
    goal n-1,
    write(...).
The predicate write, which is the n-th goal in each rule, is a built-in predicate with the arity 1. Its argument will be streamed as an output on the console [24]. A built-in predicate is a standard predicate which is defined by Prolog itself, as mentioned in Chapter 3.
The seven rules defined in Subsection 7.1.2 are implemented in Prolog, and only Rule 1 will be presented here. The remaining six rules can be found in the appendix.
decision(Degree_of_Impact, Importance) :-
    Degree_of_Impact < 30.00,
    Importance - Degree_of_Impact >= 10.00,
    write('Discover the event.').
7.2.3 Queries in Prolog
After the facts and rules are defined, the problem can be solved by queries. As mentioned before, the ADIA++ system delivers the attributes component, failure_mode and number_of_redundancy. Since a failure is uniquely defined by these parameters, the degree_of_impact of the corresponding failure can be determined easily with only one query.
This will be illustrated with one example of power system failures. The following mission scenario should be assumed, with the information supplied by ADIA++:
A Single Event Effect (SEE) occurs in the Power Control and Distribution Unit (PCDU) component. Since the only redundant element has already failed, the actual number of redundant elements is zero. The question is: what is the degree of impact of exactly this failure? Additionally the failure id can be determined, but it is not necessary for the further steps. The known parameters, which are delivered by the ADIA++ system, are called atoms in Prolog. The variables Failure_id and Degree_of_impact of the described failure can be obtained with the query
?- failure(Failure_id, pcdu, see, 0, Degree_of_impact).
Here the variables have to begin with a capital letter or an underscore, and the atoms pcdu, see and 0 with a small letter. It should be noted that queries are clauses as well and have to end with a full stop like all clauses. The Prolog system delivers the following result for the query:
Failure_id = f53,
Degree_of_impact = 31.04.
Here the Degree_of_impact is given in percent. Comparing the results of the Èxypnos System with Table 5.13, in which the ratings of all power system failures are presented, confirms the correctness.
Another query is required to determine the importance of the event which is detected by the ASAP system. The input parameters of the Èxypnos System delivered by ASAP are the features of the detected event. These are the strangeness, the repetition and the level of intensity of the event. The listed attributes specify an event and make it possible to determine its importance and, if required, the event id. In this case as well only one query is enough to obtain this information.
For example, if an event with a high strangeness is detected, its repetition in one cycle is one and its level of intensity is given with the standard deviation of 8σ, then the query to find out the importance and the id of the event is
?- event(Event_id, high, '0, 1, 2, 3', '(7, 8, 9)sigma',
Importance).
The following result is delivered by this query, whereby the Importance is given in percent, like the Degree_of_importance:
Event_id = e20,
Importance = 55.1 .
Checking the value of importance for the event e20 with Table 6.3 delivers the same value.
If a failure and an event detection occur at the same time, a decision has to be taken between repairing the failure and investigating the event. The decision is made by the predefined rules in 7.2.2. First the Degree_of_impact of the failure and the Importance of the event have to be determined. Afterwards these values are delivered as input to the query which provides the decision. There are two options for how the decision can be obtained. The first one is to get the Degree_of_impact and the Importance by separate queries and afterwards to use these results in the decision query. In total there are three queries. For the example described above, the queries and results would in this case be
?- failure(Failure_id, pcdu, see, 0, Degree_of_impact).
Failure_id = f53,
Impact = 31.04.
?- event(Event_id, high, '0, 1, 2, 3', '(7, 8, 9)sigma',
Importance).
Event_id = e20,
Importance = 55.1 .
?- decision(31.04, 55.10).
Discover the event.
true .
The values Degree_of_impact and Importance are set manually in the decision query. The second possibility, and the more elegant solution, is to solve the decision problem of the given failure and event with only one query with three goals, in which two goals deliver the required values for the decision and the last goal takes the decision. For the same example this would be
?- failure(Failure_id, pcdu, see, 0, Degree_of_impact),
event(Event_id, high, '0, 1, 2, 3', '(7, 8, 9)sigma',
Importance),
decision(Degree_of_impact, Importance).
Discover the event.
Failure_id = f53,
Degree_of_impact = 31.04,
Event_id = e20,
Importance = 55.1 .
Rule 3, which is defined in 7.1.2, applies, since the degree of impact of the failure is larger than 30,0% and smaller than 40,0%. The difference between the importance of the event, 55,10%, and the degree of impact of the failure, 31,04%, is equal to 24,09% and is larger than 20,0%. This leads to the decision to discover the event. In case of a failure with the id f53 and an event with the id e20, the provided decision is to discover the event. If another event is detected by ASAP, let's say an event with a low strangeness, a repetition of 3 in one cycle and a level of intensity of 1σ, then the decision is taken as follows
?- failure(Failure_id, pcdu, see, 0, Degree_of_impact),
event(Event_id, low, '0, 1, 2, 3', '(0, 1, 2, 3)sigma',
Importance),
decision(Degree_of_impact, Importance).
Repair the failure immediately.
Failure_id = f53,
Degree_of_impact = 31.04,
Event_id = e21,
Importance = 18.1 .
In this example Rule 4 applies. The failure still has a degree of impact between 30,0% and 40,0%, but since the detected event is a different one, its importance changed to 18,20%. This results in a difference which is smaller than 20,0%. The decision to repair the failure immediately is taken. In case of a failure whose degree of impact is larger than 90,0%, the importances of the events are not taken into account. For example, if the malfunction of a battery occurs for which no redundant element is available, and an arbitrary event is detected, let's say the event e1 described above, with the importance 18,10%, then the decision of the Èxypnos System would be
?- failure(Failure_id, battery, malfunction, 0,
Degree_of_impact),
event(Event_id, low, '0, 1, 2, 3', '(0, 1, 2, 3)sigma',
Importance),
decision(Degree_of_impact, Importance).
Discover until spacecraft is completely loss and can not
transmit anymore.
Failure_id = f49,
Degree_of_impact = 92.07,
Event_id = e1,
Importance = 18.1 .
The justification of why the DSS decides to discover the event until the loss of the spacecraft occurs can be found in 7.1.2. As mentioned before, only the power system failures of its corresponding components are implemented in Prolog, to verify its use in space-related expert systems. The complete program code of the Èxypnos System for the power system can be found in the appendix. The implemented program delivers the desired result for the decision. It is not an executable system for spacecraft, since that would go beyond the scope of this work. The implementation done in this work is for illustration purposes, to underline the idea behind the design. It is a first step towards a runnable DSS in space applications.
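All seven rules of Subsection 7.1.2 in one table-driven Prolog predicate, as an added example that is not the thesis's appendix code. It assumes hypothetical names (threshold/4, decision/3, decide/3), returns the decision as an atom instead of writing it to the console, and loads only the facts quoted in the queries of Subsection 7.2.3; each impact value matches exactly one severity level, so a query leaves no second answer open.

```prolog
% Added example, not the thesis's own program. threshold/4, decision/3,
% decide/3 and demo/0 are hypothetical names. The facts are only the
% values quoted in the queries of Subsection 7.2.3.

% failure(Id, Component, Mode, Redundancy, DegreeOfImpact)
failure(f53, pcdu,    see,         0, 31.04).
failure(f49, battery, malfunction, 0, 92.07).

% event(Id, Strangeness, Repetition, LevelOfIntensity, Importance)
event(e1,  low,  '0, 1, 2, 3', '(0, 1, 2, 3)sigma', 18.10).
event(e20, high, '0, 1, 2, 3', '(7, 8, 9)sigma',    55.10).

% threshold(SeverityLevel, LowerBound, UpperBound, RequiredMargin)
% A failure is of SeverityLevel if LowerBound =< Impact < UpperBound.
% The event is investigated only if Importance - Impact >= RequiredMargin.
% Assumption: an impact is never negative, so level 1 starts at 0.
threshold(1,  0.0, 30.0, 10.0).    % Rules 1 and 2
threshold(2, 30.0, 40.0, 20.0).    % Rules 3 and 4
threshold(3, 40.0, 90.0, 35.0).    % Rules 5 and 6

% decision(+Impact, +Importance, -Decision)
% Fails for an impact below 0, which is outside the rating scale.
decision(Impact, _Importance, discover_until_loss) :-   % Rule 7, level 4
    Impact >= 90.0,
    !.
decision(Impact, Importance, Decision) :-
    threshold(_Level, Low, High, Margin),
    Impact >= Low,
    Impact < High,
    !,
    (   Importance - Impact >= Margin
    ->  Decision = discover_event
    ;   Decision = repair_failure
    ).

% decide(+failure(Component, Mode, Redundancy),
%        +event(Strangeness, Repetition, Intensity), -Decision)
% Looks up both ratings from the attributes delivered by ADIA++ and ASAP
% and applies the rules, like the three-goal query in Subsection 7.2.3.
decide(failure(Component, Mode, Redundancy),
       event(Strangeness, Repetition, Intensity),
       Decision) :-
    failure(_, Component, Mode, Redundancy, Impact),
    event(_, Strangeness, Repetition, Intensity, Importance),
    decision(Impact, Importance, Decision).

% demo: the three scenarios walked through in Subsection 7.2.3.
demo :-
    High = event(high, '0, 1, 2, 3', '(7, 8, 9)sigma'),
    Low  = event(low,  '0, 1, 2, 3', '(0, 1, 2, 3)sigma'),
    forall(member(F-E, [ failure(pcdu, see, 0)-High,
                         failure(pcdu, see, 0)-Low,
                         failure(battery, malfunction, 0)-Low ]),
           ( decide(F, E, Decision),
             format('~q and ~q: ~w~n', [F, E, Decision]) )).
```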
8 Results and Future Work
In this chapter the results of the designed decision support system will first be presented in 8.1, followed by statements on the future work that has to be done in order to develop an executable Prolog program. In addition, improvements of the concept will be mentioned in Section 8.2.
8.1 Results of the Work
Judging the designed system based on specific values is impossible, since the resulting values can vary depending on the sensitivity of the mission and the decisions of the expert who rates the failures and events and sets the rules. Therefore the results can only be discussed based on a reasonability analysis, which will be done in this section.
With AHP it was possible to convert objective evaluations of failures and events into numerical values. The values degree of impact of failures and importance of events are local and not global ratings. Local rating means that the major failure in each subsystem is rated with 100,0% and all other values for the degree of impact are derived from it. The same holds for the events: the most important event that can be detected is rated with 100,0%. Local ratings of the failures of each subsystem are desired and required, since all subsystems together contribute to a functional spacecraft. Besides this issue, AHP delivers reasonable values for the degree of impact and for the importance. For example, the failure with the least impact which can occur in the power system is the efficiency degradation/outgassing of a solar array for which the number of redundant elements is three (see Table 5.13). Due to the fact that efficiency degradation/outgassing of solar arrays cannot be overcome in the space environment and its impact on the spacecraft is noticeable only after a period, its degree of impact of 5,34% of 100,0% is reasonable. With this value, the failure is categorized as a level 1 failure, representing minor critical failures as defined in Subsection 5.2.3. In contrast, failures which will lead to the total loss of the spacecraft are characterized by a degree of impact above 90,0%. Such failures are classified as level 4 failures. If the malfunction of a solar array with no redundant elements is considered, the degree of impact will be 92,07% (see 5.13). This failure will lead to the total loss of the spacecraft, since no power can be supplied anymore to the subsystems.
However, the failure leads to the total loss of the spacecraft even though its degree of impact is not rated with 100,0%. This can be explained by the fact that the failure is not the worst one that can occur and the loss of the mission will set in gradually. In contrast, the explosion of the battery due to high temperature (with no redundant elements) will lead to an immediate loss of the spacecraft and is therefore rated with 100,0%. The difference between the explosion of a battery with no redundant element (100,0%) and with one redundant element (98,05%) is based upon the given number of redundant elements. Although both will have the same consequence, their evaluations are different. As the number of redundancy is an important factor for the decision, this side effect of the AHP can be overcome by manually changing the degree of impact for the explosion with one redundant element to 100,0%. Nonetheless both are categorized as level 4 failures, and this classification indicates the total loss of the spacecraft.
The event analysis delivers convincing values for the importance as well. The least important event presented in Table 6.3, with a value of 10,22%, is the event e(low, >9, {0, 1σ, 2σ, 3σ}), in which low indicates its strangeness, >9 its repetition and {0, 1σ, 2σ, 3σ} its level of intensity. In the same table the most important event, with an importance of 100,0%, is given by e(extremely high, {0, 1, 2, 3}, >9σ). The event analysis indicates that with increasing strangeness, increasing level of intensity and decreasing repetition the importance value of an event increases, which delivers desirable outcomes for the purposes of this work.
The definition, analysis and application of AHP is done for all subsystems, but only the power subsystem is presented in this work; the remaining subsystems can be found in the appendix. Also, only the failures of the power system are implemented in Prolog. It is not an executable program; it is rather a demonstration of how the given problem can be expressed in facts and rules and how the result of the decision is obtained by queries. The implemented Prolog program includes the failures and events. It implies that Prolog is a suitable programming language for a space mission expert system. Since defining and analyzing all failures and events and rating them with reasonable values was an elaborate process, there were no facilities to deliver an executable Prolog program within the master thesis.
In summary it can be stated that the designed system is a first iteration of an expert system for nano satellites which will support the spacecraft in critical decision-making situations. Further developments and improvements are required for an executable and precise system, which will be described in the next section. This work outlined that the AHP can be used to convert objective evaluations into numerical values for the degree of impact of failures and the importance of events. Furthermore, the failures and events can be implemented as facts in Prolog, and based on their evaluations rules can also be defined in Prolog easily.
8.2 Future Work
As outlined in the previous section, only the power subsystem is implemented in Prolog and an executable program has not been developed yet. The first approach is to refine the failure and event analysis, as well as the decision criteria. This requires a completely designed spacecraft mission, in which all details and specifications are defined. For example, the decision making can involve the remaining lifetime of the spacecraft, the resources, the probability of a failure occurrence and many other factors desired by the expert. Furthermore, the stated rules in Section 8.1 can be specialized by defining individual rules for each subsystem or even component, depending on the susceptibility to errors. The refinement of the events can be done by dividing the repetition and level of intensity into single values instead of grouped values. E.g. instead of using the range of values {4, 5, 6}, the values 4, 5 and 6 can be used separately.
In this work a hierarchy is established for each subsystem failure analysis in order to apply the AHP. Building a hierarchy for each component separately and applying the AHP will lead to refined evaluations of the failures. In this case the worst failure in each component would have the degree of impact of 100,0%.
An important feature which is not considered in this work is multiple failure occurrences and multiple event detections. Obviously in case of multiple failures the degree of impact increases, which can affect the decision making strongly, whereas in case of multiple events the most important event will be investigated.
After the refinement and the consideration of multiple failures and events, the designed system can be implemented in Prolog by setting new facts and rules. For an executable Prolog program, either the payloads of SONATE, ASAP and ADIA++, have to be integrated directly, or randomly generated failures and events have to be used as inputs to the Èxypnos System. However, in the second case the systems ASAP and ADIA++ have to be integrated afterwards.
A conceivable method for the rating of the failures and events is the Analytical Network Process, also developed by Saaty. ANP is likewise a multi-criteria decision making approach, in which the criteria have dependencies, whereas in AHP the criteria are independent of each other. For example, the failure criterion effect on the system depends on the effect on payload, satellite bus and the number of redundant elements. The applied approach, AHP, does not consider these dependencies.
9 Conclusion
A first approach to an intelligent decision support system, also known as an expert system, for high-level planning in nano satellites is designed in this work. High-level planning is specified here as the decision making between repairing an on-board failure and investigating an unexpected event, if both occur concurrently. Although an executable program was not realizable within this work, the main features required for an intelligent decision support system are outlined. These main features involve the defining, analyzing and evaluating of the failures that can occur and the events that can be detected. The rating with the AHP technique delivered, from objective evaluations, numerical values for the degree of impact of failures and for the importance of events. The implementation of the power system showed that Prolog is a suitable language for the knowledge representation of failures and events and for the implementation of rules for the given decision making purposes.
Based on this work, it can be stated that an expert system for high-level planning in nano satellites can be developed using the approaches described above. But refinements and improvements of the failure and event analyses are still required. It was noticeable that a domain expert is an essential part of the development of an expert system. Because of this, for future expansion of this work it is recommended to involve a domain expert with many years of experience in spacecraft missions. If the domain expert does not have knowledge of a logical programming language, e.g. Prolog, then a programmer or computer scientist with the required knowledge is also necessary. These are minimum demands for the expert system development team.
The presented work makes first steps towards high autonomy of satellites. With increasing distances between spacecraft and ground station and with improving space technology over the years, the necessity of autonomous systems in critical situations is underlined. This work serves as a preliminary study for developing an intelligent decision support system for nano satellites in Prolog by evaluating the decision criteria with AHP.
Appendix
All detailed analyses and the results of the AHP approach can be found in Appendixes A - F. First, a detailed analysis of the respective subsystem is presented, followed by its resulting degree of impact. The pairwise comparisons are not illustrated here, since they can vary depending on the judgments, and therefore only the results of the failure analysis are of importance. The event tree including all unpredictable events for the decision making is depicted in Appendix G. The complete Prolog program is added in Appendix H.
A On-Board Computer Failure Analysis
Table A1: OBC Failures Sorted in Ascending Order According to Degree of Impact.
| component | failure id | failure mode | priority vector (normals) | degree of impact (ideals) |
|---|---|---|---|---|
| processor | f1 | overheating | 7,63% | 1,16% |
| memory | f13 | soft SEU, MEU | 8,18% | 1,25% |
| processor | f7 | soft SEE, MEU | 9,26% | 1,41% |
| processor | f2 | overheating | 11,61% | 1,77% |
| memory | f14 | soft SEU, MEU | 12,15% | 1,85% |
| processor | f8 | soft SEE, MEU | 13,23% | 2,02% |
| processor | f11 | malfunction | 13,58% | 2,07% |
| memory | f19 | malfunction | 13,58% | 2,07% |
| memory | f17 | fail of memory chip | 13,63% | 2,08% |
| processor | f5 | hardware traps | 14,12% | 2,15% |
| processor | f3 | electrical power surge | 15,13% | 2,31% |
| memory | f15 | hard SEU, MEU | 16,75% | 2,55% |
| memory | f18 | fail of memory chip | 17,61% | 2,68% |
| processor | f6 | hardware traps | 31,57% | 4,81% |
| processor | f9 | hard SEE, MEU | 33,40% | 5,09% |
| processor | f4 | electrical power surge | 42,41% | 6,46% |
| memory | f16 | hard SEU, MEU | 43,42% | 6,62% |
| processor | f10 | hard SEE, MEU | 56,48% | 8,61% |
| software | f21 | software failure, e.g. sign errors | 82,60% | 12,59% |
| processor | f12 | malfunction | 100,00% | 15,24% |
| memory | f20 | malfunction | 100,00% | 15,24% |
Table A2: Detailed Analysis of OBC Failures Analysis.
| component | number of components | id | failure id | failure mode | effect on payload | effect on satellite bus | effect on system | corrective measures | repairable | type of redundancy | redundant elements | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| processor | 2 | 1,2 | f1 | overheating | no effects | slight ageing | slight degradation of s/c lifetime | cooling | yes | same design, active | 1 of {1,2} | 1 | no effects |
| processor | 2 | 1,2 | f2 | overheating | no effects | slight ageing | slight degradation of s/c lifetime | cooling | yes | same design, active | none | 0 | no effects |
| processor | 2 | 1,2 | f3 | electrical power surge | damage of electronic devices | strong damage of electronic devices | strong degradation of s/c lifetime | not repairable | no | same design, active | 1 of {1,2} | 1 | can affect the discovery slightly |
| processor | 2 | 1,2 | f4 | electrical power surge | damage of electronic devices | strong damage of electronic devices | can lead to loss of s/c | not repairable | no | same design, active | none | 0 | can affect the discovery strongly |
| processor | 2 | 1,2 | f5 | hardware traps | providing wrong calculation to decision making logic | providing wrong calculation to control system | can lead to undesired operations of the s/c | software patch | yes | same design, active | 1 of {1,2} | 1 | can affect the discovery slightly |
| processor | 2 | 1,2 | f6 | hardware traps | providing wrong calculation to decision making logic | providing wrong calculation to control system | undesired operations of the s/c | software patch | yes | same design, active | none | 0 | can affect the discovery strongly |
| processor | 2 | 1,2 | f7 | soft SEE, MEU | providing wrong calculation to decision making logic | providing wrong calculation to control system | can lead to undesired operations of the s/c | EDAC or possible to correct with algorithms | yes | same design, active | 1 of {1,2} | 1 | no effects |
| processor | 2 | 1,2 | f8 | soft SEE, MEU | providing wrong calculation to decision making logic | providing wrong calculation to control system | can lead to undesired operations of the s/c | EDAC or possible to correct with algorithms | yes | same design, active | none | 0 | no effects |
| processor | 2 | 1,2 | f9 | hard SEE, MEU | no effects | can cause to write over critical database or even to halt the processor | temporary outage of s/c | EDAC or possible to correct with algorithms | yes | same design, active | 1 of {1,2} | 1 | can affect the discovery strongly |
| processor | 2 | 1,2 | f10 | hard SEE, MEU | payload cannot operate anymore | can cause to write over critical database or even to halt the processor | temporary outage of spacecraft which can lead to loss of the s/c | EDAC or possible to correct with algorithms | yes | same design, active | none | 0 | can affect the discovery strongly |
| processor | 2 | 1,2 | f11 | malfunction | no effects | drop of redundancy | extremely strong degradation of s/c lifetime | not repairable | no | same design, active | 1 of {1,2} | 1 | no effects |
| processor | 2 | 1,2 | f12 | malfunction | payload cannot operate anymore | satellite bus cannot operate anymore | loss of s/c | not repairable | no | same design, active | none | 0 | not possible to discover |
| memory | 2 | 3,4 | f13 | soft SEU, MEU | no effects | state change of memory | no effects | EDAC or possible to correct with algorithms | yes | same design, active | 1 of {3,4} | 1 | no effects |
| memory | 2 | 3,4 | f14 | soft SEU, MEU | no effects | state change of memory | no effects | EDAC or possible to correct with algorithms | yes | same design, active | none | 0 | no effects |
| memory | 2 | 3,4 | f15 | hard SEU, MEU | no effects | permanent damage of memory | strong degradation of s/c lifetime | EDAC or possible to correct with algorithms | yes | same design, active | 1 of {3,4} | 1 | no effects |
| memory | 2 | 3,4 | f16 | hard SEU, MEU | no effects | damage of stored data | can lead to loss of s/c | EDAC or possible to correct with algorithms | yes | same design, active | none | 0 | can affect the discovery strongly |
| memory | 2 | 3,4 | f17 | fail of memory chip | no effects | OBSW is prone to crash if trying to access this address | slight degradation of s/c lifetime | Onboard HW reconfiguration | yes | same design, active | 1 of {3,4} | 1 | can affect the discovery slightly |
| memory | 2 | 3,4 | f18 | fail of memory chip | no effects | OBSW is prone to crash if trying to access this address | slight degradation of s/c lifetime | Onboard HW reconfiguration | yes | same design, active | none | 0 | can affect the discovery slightly |
| memory | 2 | 3,4 | f19 | malfunction | no effects | drop of redundancy | extremely strong degradation of s/c lifetime | not repairable | no | same design, active | 1 of {3,4} | 1 | no effects |
| memory | 2 | 3,4 | f20 | malfunction | payload cannot operate anymore | satellite bus cannot operate anymore | loss of spacecraft | not repairable | no | same design, active | none | 0 | not possible to discover |
| software | 2 | 5,6 | f21 | software failure, e.g. sign errors | payload cannot operate anymore | problem to boot the operating system and other software | undesired operations of the s/c | software update | yes | same design, standby | 1 of {5,6} | 1 | not possible to discover |
B Power System Failure Analysis
Table B1: Power System Failures Sorted in Ascending Order According to Degree of Impact.
| component | failure id | failure mode | priority vector (normals) | degree of impact (ideals) |
|---|---|---|---|---|
| solar array | f26 | efficiency degradation/outgassing | 0,52% | 5,34% |
| solar array | f38 | malfunction | 0,70% | 7,21% |
| solar array | f30 | SEL | 0,98% | 10,15% |
| solar array | f28 | efficiency degradation/outgassing | 1,08% | 11,13% |
| solar array | f39 | malfunction | 1,09% | 11,26% |
| solar array | f27 | efficiency degradation/outgassing | 1,12% | 11,55% |
| battery | f46 | fail of few battery cell | 1,12% | 11,56% |
| solar array | f34 | SEB | 1,17% | 12,05% |
| pcdu | f50 | overcharging, deep discharge | 1,25% | 12,89% |
| solar array | f35 | SEB | 1,26% | 13,01% |
| battery | f42 | SEE | 1,52% | 15,72% |
| solar array | f31 | SEL | 1,56% | 16,04% |
| battery | f48 | malfunction | 1,56% | 16,11% |
| pcdu | f54 | malfunction | 1,56% | 16,11% |
| solar array | f22 | electrostatic discharge | 1,62% | 16,66% |
| solar array | f32 | SEL | 1,67% | 17,26% |
| solar array | f23 | electrostatic discharge | 1,71% | 17,62% |
| pcdu | f52 | SEE | 1,78% | 18,34% |
| pcdu | f51 | overcharging, deep discharge | 2,09% | 21,54% |
| solar array | f36 | SEB | 2,43% | 25,01% |
| solar array | f40 | malfunction | 2,51% | 25,92% |
| solar array | f24 | electrostatic discharge | 2,56% | 26,40% |
| solar array | f29 | efficiency degradation/outgassing | 2,70% | 27,86% |
| solar array | f25 | electrostatic discharge | 2,75% | 28,35% |
| battery | f47 | fail of few battery cell | 2,76% | 28,43% |
| pcdu | f53 | SEE | 3,01% | 31,04% |
| solar array | f33 | SEL | 3,14% | 32,36% |
| battery | f43 | SEE | 3,39% | 34,91% |
| solar array | f37 | SEB | 3,40% | 35,03% |
| solar array | f41 | malfunction | 8,93% | 92,07% |
| battery | f49 | malfunction | 8,93% | 92,07% |
| pcdu | f55 | malfunction | 8,93% | 92,07% |
| battery | f44 | explosion due to high temperature | 9,51% | 98,05% |
| battery | f45 | explosion due to high temperature | 9,70% | 100,00% |
Table B2: Detailed Analysis of Power System Failures Analysis.
| component | number of components | id | failure id | failure mode | effect on payload | effect on satellite bus | effect on the system | corrective measures | repairable | type of redundancy | redundant elements | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| solar array | 4 | 7,8,9,10 | f22 | electrostatic discharge | EMI on adjacent payload affecting their functions (e.g. SSTV camera) | EMI on adjacent components affecting their functions (e.g. reaction wheels) | undesired operations of s/c | turn power OFF | yes | same design, active | 3 of {7,8,9,10} | 3 | can affect the discovery slightly |
| solar array | 4 | 7,8,9,10 | f23 | electrostatic discharge | EMI on adjacent payload affecting their functions (e.g. SSTV camera) | EMI on adjacent components affecting their functions (e.g. reaction wheels) | undesired operations of s/c | turn power OFF | yes | same design, active | 2 of {7,8,9,10} | 2 | can affect the discovery slightly |
| solar array | 4 | 7,8,9,10 | f24 | electrostatic discharge | EMI on adjacent payload affecting their functions (e.g. SSTV camera) | EMI on adjacent components affecting their functions (e.g. reaction wheels) | undesired operations of s/c | turn power OFF | yes | same design, active | 1 of {7,8,9,10} | 1 | can affect the discovery strongly |
| solar array | 4 | 7,8,9,10 | f25 | electrostatic discharge | EMI on adjacent payload affecting their functions (e.g. SSTV camera) | EMI on adjacent components affecting their functions (e.g. reaction wheels) | undesired operations of s/c | turn power OFF | yes | same design, active | none | 0 | can affect the discovery strongly |
| solar array | 4 | 7,8,9,10 | f26 | efficiency degradation/outgassing | no effects on payload | no effects on satellite bus | slight degradation of s/c lifetime | not repairable | no | same design, active | 3 of {7,8,9,10} | 3 | no effects |
| solar array | 4 | 7,8,9,10 | f27 | efficiency degradation/outgassing | low power available for payload | low power available for satellite bus | moderate degradation of s/c lifetime | not repairable | no | same design, active | 2 of {7,8,9,10} | 2 | no effects |
| solar array | 4 | 7,8,9,10 | f28 | efficiency degradation/outgassing | less power available for payload | less power available for satellite bus | strong degradation of s/c lifetime | not repairable | no | same design, active | 1 of {7,8,9,10} | 1 | can affect the discovery slightly |
| solar array | 4 | 7,8,9,10 | f29 | efficiency degradation/outgassing | very limited power available for payload | very limited power available for satellite bus | extremely strong degradation of s/c lifetime | not repairable | no | same design, active | none | 0 | can affect the discovery strongly |
| solar array | 4 | 7,8,9,10 | f30 | SEL | low power available for payload | slight destruction of SA, low power available | slight degradation of s/c lifetime | turn power OFF | yes | same design, active | 3 of {7,8,9,10} | 3 | no effects |
| solar array | 4 | 7,8,9,10 | f31 | SEL | low power available for payload | slight destruction of SA, low power available | moderate degradation of s/c lifetime | turn power OFF | yes | same design, active | 2 of {7,8,9,10} | 2 | no effects |
| solar array | 4 | 7,8,9,10 | f32 | SEL | less power available for payload | moderate destruction of SA, less power available | strong degradation of s/c lifetime | turn power OFF | yes | same design, active | 1 of {7,8,9,10} | 1 | can affect the discovery slightly |
| solar array | 4 | 7,8,9,10 | f33 | SEL | very limited power available for payload | strong destruction of SA, very limited power available | extremely strong degradation of s/c lifetime | turn power OFF | yes | same design, active | none | 0 | can affect the discovery strongly |
| solar array | 4 | 7,8,9,10 | f34 | SEB | low power available for payload | strong destruction of SA, less power available | strong degradation of s/c lifetime | turn power OFF | yes | same design, active | 3 of {7,8,9,10} | 3 | no effects |
| solar array | 4 | 7,8,9,10 | f35 | SEB | low power available for payload | strong destruction of SA, less power available | strong degradation of s/c lifetime | turn power OFF | yes | same design, active | 2 of {7,8,9,10} | 2 | no effects |
| solar array | 4 | 7,8,9,10 | f36 | SEB | less power available for payload | strong destruction of SA, less power available | strong degradation of s/c lifetime | turn power OFF | yes | same design, active | 1 of {7,8,9,10} | 1 | can affect the discovery strongly |
| solar array | 4 | 7,8,9,10 | f37 | SEB | very limited power available for payload | extremely strong destruction of SA, very limited power available | extremely strong degradation of s/c lifetime | turn power OFF | yes | same design, active | none | 0 | can affect the discovery strongly |
| solar array | 4 | 7,8,9,10 | f38 | malfunction | less power available for payload | less power available for satellite bus | strong degradation of s/c lifetime | not repairable | no | same design, active | 3 of {7,8,9,10} | 3 | no effects |
| solar array | 4 | 7,8,9,10 | f39 | malfunction | less power available for payload | less power available for satellite bus | strong degradation of s/c lifetime | not repairable | no | same design, active | 2 of {7,8,9,10} | 2 | can affect the discovery slightly |
| solar array | 4 | 7,8,9,10 | f40 | malfunction | very limited power available for payload | very limited power available for satellite bus | extremely strong degradation of s/c lifetime | not repairable | no | same design, active | 1 of {7,8,9,10} | 1 | can affect the discovery strongly |
| solar array | 4 | 7,8,9,10 | f41 | malfunction | payload cannot be powered | satellite bus cannot be powered | loss of s/c | not repairable | no | same design, active | none | 0 | not possible to discover |
| battery | 2 | 11,12 | f42 | SEE | less power available for payload during eclipse | moderate destruction of battery, less power available | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby | 1 of {11,12} | 1 | can affect the discovery slightly |
| battery | 2 | 11,12 | f43 | SEE | very limited power available for payload during eclipse | strong destruction of battery, very limited power available | extremely strong degradation of s/c lifetime | turn power OFF | yes | same design, standby | none | 0 | can affect the discovery strongly |
| battery | 2 | 11,12 | f44 | explosion due to high temperature | loss of payload | loss of satellite bus | loss of s/c | not repairable | no | same design, active | 1 of {11,12} | 1 | not possible to discover |
| battery | 2 | 11,12 | f45 | explosion due to high temperature | loss of payload | loss of satellite bus | loss of s/c | not repairable | no | same design, standby | none | 0 | not possible to discover |
| battery | 2 | 11,12 | f46 | fail of few battery cell | less power available for payload during eclipse | less power available for satellite bus in eclipse | slight degradation of s/c lifetime | software update in PDU | yes | same design, standby | 1 of {11,12} | 1 | no effects |
| battery | 2 | 11,12 | f47 | fail of few battery cell | very limited power available for payload during eclipse | very limited power available for satellite bus in eclipse | strong degradation of s/c lifetime | software update in PDU | yes | same design, standby | none | 0 | can affect the discovery strongly |
| battery | 2 | 11,12 | f48 | malfunction | no effects on payload | drop of redundancy | extremely strong degradation of s/c lifetime | not repairable | no | same design, standby | 1 of {11,12} | 1 | no effects |
| battery | 2 | 11,12 | f49 | malfunction | payload cannot be powered | satellite bus cannot be powered | loss of s/c | not repairable | no | same design, standby | none | 0 | not possible to discover |
| pcdu | 2 | 13,14 | f50 | overcharging, deep discharge | less power for payload available | damage of battery leading to less power capacity | slight degradation of s/c lifetime | software update | yes | same design, standby | 1 of {13,14} | 1 | no effects |
| pcdu | 2 | 13,14 | f51 | overcharging, deep discharge | very limited power available for payload | damage of battery leading to very limited power capacity | strong degradation of s/c lifetime | software update | yes | same design, standby | none | 0 | can affect the discovery slightly |
| pcdu | 2 | 13,14 | f52 | SEE | incorrect power supply to payload leading to damage it | incorrect power distribution to satellite bus can lead to damage it | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby | 1 of {13,14} | 1 | can affect the discovery slightly |
| pcdu | 2 | 13,14 | f53 | SEE | incorrect power supply to payload leading to damage it | incorrect power distribution to satellite bus can lead to damage it | strongest degradation of s/c lifetime | turn power OFF | yes | same design, standby | none | 0 | can affect the discovery strongly |
| pcdu | 2 | 13,14 | f54 | malfunction | no effects on payload | drop of redundancy | extremely strong degradation of s/c lifetime | not repairable | no | same design, standby | 1 of {13,14} | 1 | no effects |
| pcdu | 2 | 13,14 | f55 | malfunction | payload cannot be powered | satellite bus cannot be powered | loss of s/c | not repairable | no | same design, standby | none | 0 | not possible to discover |
C Thermal Control System Failure Analysis
Table C1: Thermal Control System Failures Sorted in Ascending Order According to Degree of Impact.
| component | failure id | failure mode | priority vector (normals) | degree of impact (ideals) |
|---|---|---|---|---|
| thermal control sensor | f60 | malfunction | 1,76% | 7,74% |
| thermal control sensor | f56 | SEE, ESD | 2,94% | 12,93% |
| thermal control sensor | f57 | SEE, ESD | 3,18% | 13,95% |
| thermal control sensor | f61 | malfunction | 3,30% | 14,51% |
| thermal control sensor | f62 | malfunction | 4,28% | 18,80% |
| electrical heater | f65 | SEE, ESD | 5,17% | 22,72% |
| thermal control sensor | f58 | SEE, ESD | 5,41% | 23,76% |
| electrical heater | f66 | mechanical failures | 6,37% | 28,00% |
| mechanical design | f69 | mechanical failures | 6,95% | 30,53% |
| electrical heater | f64 | software failure | 7,50% | 32,96% |
| thermal control sensor | f59 | SEE, ESD | 7,61% | 33,44% |
| thermal control sensor | f63 | malfunction | 22,76% | 100,00% |
| electrical heater | f67 | malfunction | 22,76% | 100,00% |
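
A consistency check for the two percentage columns of the sorted tables, added here as an example and not taken from the thesis: it assumes the usual AHP relation in which an ideal value is the normal priority divided by the largest normal priority of the table. It also reports which printed column plays which role, because in Table A1 the column that peaks at 100% is printed first; the function names are illustrative.

```python
import re

# Rows copied from Table C1 and Table A1 of this appendix in printed column order
# (decimal commas as printed; mode strings written without spaces so each row
# splits on single spaces): component, failure id, failure mode, column 1, column 2.
TABLE_C1 = """
thermalcontrolsensor f60 malfunction 1,76% 7,74%
thermalcontrolsensor f56 SEE,ESD 2,94% 12,93%
thermalcontrolsensor f57 SEE,ESD 3,18% 13,95%
thermalcontrolsensor f61 malfunction 3,30% 14,51%
thermalcontrolsensor f62 malfunction 4,28% 18,80%
electricalheater f65 SEE,ESD 5,17% 22,72%
thermalcontrolsensor f58 SEE,ESD 5,41% 23,76%
electricalheater f66 mechanicalfailures 6,37% 28,00%
mechanicaldesign f69 mechanicalfailures 6,95% 30,53%
electricalheater f64 softwarefailure 7,50% 32,96%
thermalcontrolsensor f59 SEE,ESD 7,61% 33,44%
thermalcontrolsensor f63 malfunction 22,76% 100,00%
electricalheater f67 malfunction 22,76% 100,00%
"""
TABLE_A1 = """
processor f1 overheating 7,63% 1,16%
memory f13 softSEU,MEU 8,18% 1,25%
processor f7 softSEE,MEU 9,26% 1,41%
processor f2 overheating 11,61% 1,77%
memory f14 softSEU,MEU 12,15% 1,85%
processor f8 softSEE,MEU 13,23% 2,02%
processor f11 malfunction 13,58% 2,07%
memory f19 malfunction 13,58% 2,07%
memory f17 failofmemorychip 13,63% 2,08%
processor f5 hardwaretraps 14,12% 2,15%
processor f3 electricalpowersurge 15,13% 2,31%
memory f15 hardSEU,MEU 16,75% 2,55%
memory f18 failofmemorychip 17,61% 2,68%
processor f6 hardwaretraps 31,57% 4,81%
processor f9 hardSEE,MEU 33,40% 5,09%
processor f4 electricalpowersurge 42,41% 6,46%
memory f16 hardSEU,MEU 43,42% 6,62%
processor f10 hardSEE,MEU 56,48% 8,61%
software f21 softwarefailure,e.g.signerrors 82,60% 12,59%
processor f12 malfunction 100,00% 15,24%
memory f20 malfunction 100,00% 15,24%
"""

ROW = re.compile(r"^(\S+) (f\d+) (.+) (\d+,\d+)% (\d+,\d+)%$")


def parse_table(text):
    """Parse rows into (component, failure_id, mode, column1, column2) tuples."""
    rows = []
    for line in text.strip().splitlines():
        match = ROW.match(line.strip())
        if match is None:
            raise ValueError(f"unparseable row: {line!r}")
        comp, fid, mode, c1, c2 = match.groups()
        rows.append((comp, fid, mode,
                     float(c1.replace(",", ".")), float(c2.replace(",", "."))))
    return rows


def column_roles(rows):
    """Tell which printed column holds normals (sum ~100%) and which ideals (max 100%)."""
    col1 = [r[3] for r in rows]
    col2 = [r[4] for r in rows]

    def is_normal(col):
        return abs(sum(col) - 100.0) < 0.5      # rounding drift over the whole table

    def is_ideal(col):
        return abs(max(col) - 100.0) < 1e-9     # the top entry is scaled to 100%

    if is_normal(col1) and is_ideal(col2):
        return ("normal", "ideal")
    if is_ideal(col1) and is_normal(col2):
        return ("ideal", "normal")
    raise ValueError("columns do not look like a normal/ideal pair")


def mismatches(rows, tol=0.05):
    """List (failure_id, recomputed_ideal, printed_ideal) where the two disagree.

    tol is in percentage points and absorbs the two-decimal rounding of both
    printed columns in these two tables.
    """
    roles = column_roles(rows)
    n_idx = 3 + roles.index("normal")
    i_idx = 3 + roles.index("ideal")
    top = max(r[n_idx] for r in rows)
    bad = []
    for r in rows:
        expected = r[n_idx] / top * 100.0
        if abs(expected - r[i_idx]) > tol:
            bad.append((r[1], round(expected, 2), r[i_idx]))
    return bad


if __name__ == "__main__":
    for name, text in (("C1", TABLE_C1), ("A1", TABLE_A1)):
        rows = parse_table(text)
        print(name, column_roles(rows), mismatches(rows))
```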
Table C2: Detailed Analysis of Thermal Control System Failures Analysis.
| component | number of components | id | failure id | failure mode | effect on payload | effect on satellite bus | effect on the system | corrective measures | repairable | type of redundancy | redundant elements | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| thermal control sensor | 4 | 15,16,17,18 | f56 | SEE, ESD | no effects | no effects | slight degradation of s/c lifetime | turn power OFF | yes | same design, active | 3 of {15,16,17,18} | 3 | no effects |
| thermal control sensor | 4 | 15,16,17,18 | f57 | SEE, ESD | no effects | no effects | slight degradation of s/c lifetime | turn power OFF | yes | same design, active | 2 of {15,16,17,18} | 2 | no effects |
| thermal control sensor | 4 | 15,16,17,18 | f58 | SEE, ESD | critical thermal control of payload, can damage it slightly | critical thermal control of satellite bus, can damage it slightly | critical state of s/c | turn power OFF | yes | same design, active | 1 of {15,16,17,18} | 1 | can affect the discovery slightly |
| thermal control sensor | 4 | 15,16,17,18 | f59 | SEE, ESD | critical thermal control of payload, can damage it slightly | critical thermal control of satellite bus, can damage it slightly | extremely critical state of s/c | turn power OFF | yes | same design, active | none | 0 | can affect the discovery strongly |
| thermal control sensor | 4 | 15,16,17,18 | f60 | malfunction | no effects | drop of redundancy | slight degradation of s/c lifetime | not repairable | no | same design, active | 3 of {15,16,17,18} | 3 | no effects |
| thermal control sensor | 4 | 15,16,17,18 | f61 | malfunction | no effects | drop of redundancy | strong degradation of s/c lifetime | not repairable | no | same design, active | 2 of {15,16,17,18} | 2 | no effects |
| thermal control sensor | 4 | 15,16,17,18 | f62 | malfunction | critical thermal control of payload, can damage it slightly | critical thermal control of satellite bus, can damage it slightly | extremely strong degradation of s/c lifetime | not repairable | no | same design, active | 1 of {15,16,17,18} | 1 | can affect the discovery slightly |
| thermal control sensor | 4 | 15,16,17,18 | f63 | malfunction | incorrect thermal control of payload, can damage it strongly | incorrect thermal control of satellite bus, can damage it strongly | loss of s/c | not repairable | no | same design, active | none | 0 | not possible to discover |
| electrical heater | 1 | 19 | f64 | software failure | incorrect thermal control of payload, can damage it strongly | incorrect thermal control of satellite bus, can damage it strongly | critical state of s/c lifetime | software update | yes | not redundant | none | 0 | can affect the discovery strongly |
| electrical heater | 1 | 19 | f65 | SEE, ESD | critical thermal control of payload, can damage it slightly | critical thermal control of satellite bus, can damage it slightly | critical state of s/c | turn power OFF | yes | not redundant | none | 0 | can affect the discovery slightly |
| electrical heater | 1 | 19 | f66 | mechanical failures | incorrect thermal control of payload, can damage it strongly | incorrect thermal control of satellite bus, can damage it strongly | extremely critical state of s/c | not repairable | no | not redundant | none | 0 | can affect the discovery strongly |
| electrical heater | 1 | 19 | f67 | malfunction | no thermal control, possible loss of payload | no thermal control, possible loss of satellite bus | loss of s/c | not repairable | no | not redundant | none | 0 | not possible to discover |
| mechanical design | 1 | 20 | f69 | mechanical failures | incorrect thermal control of payload, can damage it strongly | damage of satellite bus structure | extremely critical state of s/c | not repairable | no | functional | none | 0 | can affect the discovery strongly |
D Attitude Determination and Control System Failure Analysis
Table D1: ADCS Failures Sorted in Ascending Order According to Degree of Impact (1/2).
| component | failure id | failure mode | priority vector (normals) | degree of impact (ideals) |
|---|---|---|---|---|
| magnetometer | f121 | malfunction | 0,09% | 1,97% |
| magnetic coils | f153 | malfunction | 0,09% | 1,97% |
| reaction wheel | f189 | malfunction | 0,09% | 1,97% |
| magnetic coils | f152 | malfunction | 0,10% | 1,99% |
| reaction wheel | f188 | malfunction | 0,10% | 1,99% |
| magnetometer | f122 | malfunction | 0,10% | 2,13% |
| sun sensor | f76 | malfunction | 0,11% | 2,24% |
| star tracker aros | f86 | blinding during solar storm | 0,11% | 2,30% |
| magnetic coils | f154 | malfunction | 0,11% | 2,36% |
| reaction wheel | f190 | malfunction | 0,11% | 2,36% |
| magnetometer | f123 | malfunction | 0,12% | 2,47% |
| magnetic coils | f155 | malfunction | 0,12% | 2,47% |
| reaction wheel | f191 | malfunction | 0,12% | 2,47% |
| sun sensor | f77 | malfunction | 0,12% | 2,54% |
| star tracker aros | f94 | malfunction | 0,13% | 2,63% |
| star tracker aros | f87 | blinding during solar storm | 0,13% | 2,68% |
| magnetometer | f102 | external magnetic field | 0,13% | 2,68% |
| magnetometer | f124 | malfunction | 0,13% | 2,77% |
| magnetometer | f119 | software failure | 0,17% | 3,58% |
| magnetometer | f113 | software failure | 0,19% | 3,97% |
| magnetic coils | f144 | software failure | 0,19% | 3,97% |
| reaction wheel | f162 | software failure | 0,19% | 3,97% |
| magnetic coils | f143 | software failure | 0,19% | 3,99% |
| reaction wheel | f161 | software failure | 0,19% | 3,99% |
| magnetometer | f114 | software failure | 0,20% | 4,13% |
| magnetic coils | f145 | software failure | 0,20% | 4,13% |
| reaction wheel | f163 | software failure | 0,20% | 4,13% |
| magnetic coils | f158 | malfunction | 0,20% | 4,17% |
| reaction wheel | f194 | malfunction | 0,20% | 4,17% |
| sun sensor | f70 | anomalous outputs | 0,20% | 4,24% |
| magnetometer | f115 | software failure | 0,20% | 4,24% |
| magnetic coils | f146 | software failure | 0,20% | 4,24% |
| reaction wheel | f164 | software failure | 0,20% | 4,24% |
| magnetic coils | f156 | malfunction | 0,21% | 4,34% |
| reaction wheel | f192 | malfunction | 0,21% | 4,34% |
| gyroscope | f100 | malfunction | 0,21% | 4,39% |
| magnetometer | f105 | SEE | 0,21% | 4,40% |
| magnetic coils | f135 | SEE, ESD | 0,21% | 4,40% |
| reaction wheel | f180 | SEE, ESD | 0,21% | 4,40% |
| magnetic coils | f134 | SEE, ESD | 0,21% | 4,42% |
| reaction wheel | f179 | SEE, ESD | 0,21% | 4,42% |
| magnetometer | f125 | malfunction | 0,21% | 4,43% |
| magnetic coils | f157 | malfunction | 0,21% | 4,43% |
| reaction wheel | f193 | malfunction | 0,21% | 4,43% |
| sun sensor | f71 | anomalous outputs | 0,22% | 4,54% |
| magnetometer | f116 | software failure | 0,22% | 4,54% |
| magnetic coils | f147 | software failure | 0,22% | 4,54% |
| reaction wheel | f165 | software failure | 0,22% | 4,54% |
| magnetometer | f106 | SEE | 0,22% | 4,56% |
| magnetic coils | f136 | SEE, ESD | 0,22% | 4,56% |
| star tracker aros | f82 | software failure | 0,22% | 4,63% |
| magnetometer | f117 | software failure | 0,22% | 4,63% |
| magnetic coils | f148 | software failure | 0,22% | 4,63% |
| reaction wheel | f166 | software failure | 0,22% | 4,63% |
| magnetic coils | f137 | SEE, ESD | 0,24% | 4,90% |
| reaction wheel | f182 | SEE, ESD | 0,24% | 4,90% |
| star tracker aros | f83 | software failure | 0,24% | 5,01% |
| magnetometer | f118 | software failure | 0,24% | 5,01% |
| magnetic coils | f149 | software failure | 0,24% | 5,01% |
| reaction wheel | f167 | software failure | 0,24% | 5,01% |
| star tracker aros | f90 | SEE | 0,24% | 5,06% |
| gyroscope | f98 | anomalies, software failure | 0,25% | 5,12% |
| magnetic coils | f138 | SEE, ESD | 0,25% | 5,20% |
Table D2: ADCS Failures Sorted in Ascending Order According to Degree of Impact (2/2).
| component | failure id | failure mode | priority vector (normals) | degree of impact (ideals) |
|---|---|---|---|---|
| reaction wheel | f183 | SEE, ESD | 0,25% | 5,20% |
| magnetic coils | f150 | software failure | 0,25% | 5,23% |
| reaction wheel | f168 | software failure | 0,25% | 5,23% |
| magnetic coils | f139 | SEE, ESD | 0,25% | 5,29% |
| reaction wheel | f184 | SEE, ESD | 0,25% | 5,29% |
| star tracker aros | f91 | SEE | 0,26% | 5,44% |
| magnetic coils | f141 | SEE, ESD | 0,31% | 6,54% |
| magnetic coils | f140 | SEE, ESD | 0,32% | 6,60% |
| reaction wheel | f185 | SEE, ESD | 0,32% | 6,60% |
| reaction wheel | f186 | SEE, ESD | 0,33% | 6,82% |
| reaction wheel | f181 | SEE, ESD | 0,33% | 6,87% |
| star tracker aros | f95 | malfunction | 0,48% | 9,96% |
| sun sensor | f72 | anomalous outputs | 0,50% | 10,30% |
| magnetometer | f126 | malfunction | 0,52% | 10,71% |
| sun sensor | f78 | malfunction | 0,53% | 11,10% |
| magnetometer | f107 | SEE | 0,55% | 11,39% |
| sun sensor | f79 | malfunction | 0,55% | 11,48% |
| magnetometer | f108 | SEE | 0,57% | 11,92% |
| magnetometer | f109 | SEE | 0,58% | 12,01% |
| magnetometer | f103 | external magnetic field | 0,63% | 13,06% |
| magnetic coils | f159 | malfunction | 0,63% | 13,08% |
| magnetometer | f127 | malfunction | 0,66% | 13,65% |
| reaction wheel | f195 | malfunction | 0,67% | 13,83% |
| star tracker aros | f96 | malfunction | 0,67% | 13,90% |
| star tracker aros | f88 | blinding during solar storm | 0,71% | 14,81% |
| star tracker aros | f92 | SEE | 0,74% | 15,32% |
| magnetometer | f110 | SEE | 0,76% | 15,70% |
| magnetometer | f111 | SEE | 0,77% | 15,93% |
| star tracker aros | f84 | software failure | 0,82% | 17,14% |
| thruster | f132 | malfunction | 0,84% | 17,55% |
| sun sensor | f73 | anomalous outputs | 0,85% | 17,58% |
| star tracker aros | f93 | SEE | 0,85% | 17,73% |
| star tracker aros | f85 | software failure | 0,86% | 17,80% |
| reaction wheel | f171 | drift | 0,86% | 17,97% |
| reaction wheel | f170 | drift | 0,87% | 17,99% |
| reaction wheel | f172 | drift | 0,87% | 18,13% |
| reaction wheel | f173 | drift | 0,88% | 18,24% |
| reaction wheel | f174 | drift | 0,89% | 18,54% |
| reaction wheel | f175 | drift | 0,90% | 18,63% |
| magnetometer | f112 | SEE | 0,90% | 18,66% |
| reaction wheel | f176 | drift | 0,91% | 19,01% |
| reaction wheel | f177 | drift | 0,93% | 19,23% |
| thruster | f133 | malfunction | 1,02% | 21,25% |
| sun sensor | f74 | anomalous outputs | 1,14% | 23,76% |
| gyroscope | f99 | anomalies, software failure | 1,15% | 23,99% |
| magnetometer | f104 | external magnetic field | 1,16% | 24,17% |
| sun sensor | f75 | anomalous outputs | 1,59% | 33,07% |
| reaction wheel | f187 | SEE, ESD | 1,80% | 37,50% |
| thruster | f129 | software failure | 1,99% | 41,36% |
| thruster | f130 | software failure | 2,02% | 42,03% |
| sun sensor | f80 | malfunction | 2,08% | 43,34% |
| gyroscope | f101 | malfunction | 2,15% | 44,65% |
| magnetic coils | f142 | SEE, ESD | 2,24% | 46,51% |
| reaction wheel | f178 | drift | 2,53% | 52,53% |
| sun sensor | f81 | malfunction | 2,99% | 62,20% |
| magnetometer | f120 | software failure | 3,46% | 71,93% |
| magnetic coils | f151 | software failure | 3,49% | 72,59% |
| reaction wheel | f169 | software failure | 3,49% | 72,59% |
| star tracker aros | f89 | blinding during solar storm | 4,13% | 85,91% |
| star tracker aros | f97 | malfunction | 4,81% | 100,00% |
| magnetometer | f128 | malfunction | 4,81% | 100,00% |
| thruster | f131 | explosion | 4,81% | 100,00% |
| magnetic coils | f160 | malfunction | 4,81% | 100,00% |
| reaction wheel | f196 | malfunction | 4,81% | 100,00% |
Table D3: Detailed Analysis of ADCS Failures (1/4).
| component | number of components | id | failure id | failure mode | effect on payload | effect on satellite bus | effect on the system | corrective measures | repairable | type of redundancy | redundant elements | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| sun sensor | 6 | 21,22,23,24,25,26 | f70 | anomalous outputs | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, active | 5 of {21,22,23,24,25,26} | 5 | no effects |
| sun sensor | 6 | 21,22,23,24,25,26 | f71 | anomalous outputs | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, active | 4 of {21,22,23,24,25,26} | 4 | no effects |
| sun sensor | 6 | 21,22,23,24,25,26 | f72 | anomalous outputs | no effects on payload | temporarily difficult to point solar panels toward sun, can lead to less power | delayed power supply to s/c | software update | yes | same design, active | 3 of {21,22,23,24,25,26} | 3 | no effects |
| sun sensor | 6 | 21,22,23,24,25,26 | f73 | anomalous outputs | no effects on payload | temporarily difficult to point solar panels toward sun, can lead to less power | slightly isolated s/c operation | software update | yes | same design, active | 2 of {21,22,23,24,25,26} | 2 | can affect the discovery slightly |
| sun sensor | 6 | 21,22,23,24,25,26 | f74 | anomalous outputs | temporarily less power available for payload | temporarily difficult to point solar panels toward sun, can lead to less power | moderately isolated s/c operation | software update | yes | same design, active | 1 of {21,22,23,24,25,26} | 1 | can affect the discovery slightly |
| sun sensor | 6 | 21,22,23,24,25,26 | f75 | anomalous outputs | temporarily less power available for payload | temporarily difficult to point solar panels toward sun, can lead to less power | strongly isolated s/c operation | software update | yes | same design, active | none | 0 | can affect the discovery strongly |
| sun sensor | 6 | 21,22,23,24,25,26 | f76 | malfunction | no effects on payload | drop of redundancy | slight degradation of s/c lifetime | not repairable | no | same design, active | 5 of {21,22,23,24,25,26} | 5 | no effects |
| sun sensor | 6 | 21,22,23,24,25,26 | f77 | malfunction | no effects on payload | drop of redundancy | slight degradation of s/c lifetime | not repairable | no | same design, active | 4 of {21,22,23,24,25,26} | 4 | no effects |
| sun sensor | 6 | 21,22,23,24,25,26 | f78 | malfunction | no effects on payload | difficult to point solar panels toward sun, can lead to less power, drop of redundancy | moderate degradation of s/c lifetime | not repairable | no | same design, active | 3 of {21,22,23,24,25,26} | 3 | can affect the discovery slightly |
| sun sensor | 6 | 21,22,23,24,25,26 | f79 | malfunction | no effects on payload | difficult to point solar panels toward sun, can lead to less power, drop of redundancy | moderate degradation of s/c lifetime | not repairable | no | same design, active | 2 of {21,22,23,24,25,26} | 2 | can affect the discovery slightly |
| sun sensor | 6 | 21,22,23,24,25,26 | f80 | malfunction | less power available for payload | not possible to point the solar panels accurately towards sun, less power, drop of redundancy | strong isolation of s/c operation and strong s/c lifetime degradation | not repairable | no | same design, active | 1 of {21,22,23,24,25,26} | 1 | can affect the discovery strongly |
| sun sensor | 6 | 21,22,23,24,25,26 | f81 | malfunction | less power available for payload | detecting sun is not possible anymore with sun sensors | extremely strong limitation of mission operation and extremely strong s/c lifetime degradation | not repairable | no | same design, active | none | 0 | can affect the discovery strongly |
| star tracker aros | 2 | 27,28 | f82 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, active & functional | 3 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 3 | no effects |
| star tracker aros | 2 | 27,28 | f83 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, active & functional | 2 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 2 | no effects |
| star tracker aros | 2 | 27,28 | f84 | software failure | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c | software update | yes | same design, active & functional | 1 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 1 | can affect the discovery strongly |
| star tracker aros | 2 | 27,28 | f85 | software failure | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c | software update | yes | same design, active & functional | none | 0 | can affect the discovery strongly |
| star tracker aros | 2 | 27,28 | f86 | blinding during solar storm | no effects on payload | no effects on satellite bus | no effects on system | not solvable, nonpermanent failure | no | same design, active & functional | 3 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 3 | no effects |
| star tracker aros | 2 | 27,28 | f87 | blinding during solar storm | no effects on payload | no effects on satellite bus | no effects on system | not solvable, nonpermanent failure | no | same design, active & functional | 2 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 2 | no effects |
| star tracker aros | 2 | 27,28 | f88 | blinding during solar storm | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c | not solvable, nonpermanent failure | no | same design, active & functional | 1 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 1 | can affect the discovery strongly |
| star tracker aros | 2 | 27,28 | f89 | blinding during solar storm | pointing of SSTV camera not possible | ADC not possible | loss of ADC | not solvable, nonpermanent failure | no | same design, active & functional | none | 0 | not possible to discover |
| star tracker aros | 2 | 27,28 | f90 | SEE | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF, EDAC | yes | same design, active & functional | 3 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 3 | no effects |
| star tracker aros | 2 | 27,28 | f91 | SEE | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF, EDAC | yes | same design, active & functional | 2 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 2 | no effects |
| star tracker aros | 2 | 27,28 | f92 | SEE | weak pointing of the SSTV camera | can lead to damage the devices permanently, incorrect ADC | moderate degradation of s/c lifetime | turn power OFF, EDAC | yes | same design, active & functional | 1 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 1 | can affect the discovery slightly |
| star tracker aros | 2 | 27,28 | f93 | SEE | weak pointing of the SSTV camera | can lead to damage the devices permanently, incorrect ADC | moderate degradation of s/c lifetime | turn power OFF, EDAC | yes | same design, active & functional | none | 0 | can affect the discovery strongly |
| star tracker aros | 2 | 27,28 | f94 | malfunction | no effects on payload | drop of redundancy | slight degradation of s/c lifetime | not repairable | no | same design, active & functional | 3 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 3 | no effects |
| star tracker aros | 2 | 27,28 | f95 | malfunction | no effects on payload | drop of redundancy | moderate degradation of s/c lifetime | not repairable | no | same design, active & functional | 2 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 2 | can affect the discovery slightly |
| star tracker aros | 2 | 27,28 | f96 | malfunction | weak pointing of the SSTV camera | drop of redundancy | strong degradation of s/c lifetime | not repairable | no | same design, active & functional | 1 of {27,28,(1 of {29,30} and 1 of {31,32,33,34,35,36}) | 1 | can affect the discovery strongly |
| star tracker aros | 2 | 27,28 | f97 | malfunction | loss of payload | loss of satellite bus | loss of s/c | not repairable | no | same design, active & functional | none | 0 | not possible to discover |
| gyroscope | 2 | 29,30 | f98 | anomalies, software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby | 1 out of {29,30} | 1 | no effects |
| gyroscope | 2 | 29,30 | f99 | anomalies, software failure | weak pointing of the SSTV camera | ADC incorrect | temporarily weak orientation of s/c | software update | yes | same design, standby | none | 0 | can affect the discovery strongly |
| gyroscope | 2 | 29,30 | f100 | malfunction | no effects on payload | drop of redundancy | extremely strong degradation of s/c lifetime | not repairable | no | same design, standby | 1 out of {29,30} | 1 | no effects |
| gyroscope | 2 | 29,30 | f101 | malfunction | weak pointing of the SSTV camera | ADC incorrect | gyroless s/c, weak orientation | not repairable | no | same design, standby | none | 0 | can affect the discovery strongly |
Table D4: Detailed Analysis of ADCS Failures (2/4).

| failure id | failure mode | effect on payload | effect on satellite bus | effect on the system | corrective measures | repairable | type of redundancy | redundant elements | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|---|---|---|---|
| f102 | external magnetic field | no effects on payload | no effects on satellite bus | no effects on system | not solvable, non permanent failure | no | functional (all magnetometer are affected) | 2 of {27,28} | 2 | no effects |
| f103 | external magnetic field | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c | not solvable, non permanent failure | no | functional (all magnetometer are affected) | 1 of {27,28} | 1 | can affect the discovery slightly |
| f104 | external magnetic field | pointing of SSTV camera not possible | ADC incorrect | weak attitude determination and control of s/c | not solvable, non permanent failure | no | functional (all magnetometer are affected) | none | 0 | can affect the discovery strongly |
| f105 | SEE | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 7 of {27,28,31,32,33,34,35,36} | 7 | no effects |
| f106 | SEE | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 6 of {27,28,31,32,33,34,35,36} | 6 | can affect the discovery slightly |
| f107 | SEE | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 5 of {27,28,31,32,33,34,35,36} | 5 | can affect the discovery slightly |
| f108 | SEE | no effects on payload | can lead to damage the devices permanently | moderate degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 4 of {27,28,31,32,33,34,35,36} | 4 | can affect the discovery slightly |
| f109 | SEE | no effects on payload | can lead to damage the devices permanently | moderate degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 3 of {27,28,31,32,33,34,35,36} | 3 | can affect the discovery strongly |
| f110 | SEE | no effects on payload | can lead to damage the devices permanently | strong degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 2 of {27,28,31,32,33,34,35,36} | 2 | can affect the discovery strongly |
| f111 | SEE | no effects on payload | can lead to damage the devices permanently | strong degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 1 of {27,28,31,32,33,34,35,36} | 1 | can affect the discovery strongly |
| f112 | SEE | weak pointing of the SSTV camera | can lead to damage the devices permanently, incorrect ADC | extremely strong degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | none | 0 | not possible to discover |
| f113 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 7 of {27,28,31,32,33,34,35,36} | 7 | no effects |
| f114 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 6 of {27,28,31,32,33,34,35,36} | 6 | no effects |
| f115 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 5 of {27,28,31,32,33,34,35,36} | 5 | no effects |
| f116 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 4 of {27,28,31,32,33,34,35,36} | 4 | no effects |
| f117 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 3 of {27,28,31,32,33,34,35,36} | 3 | no effects |
| f118 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 2 of {27,28,31,32,33,34,35,36} | 2 | no effects |
| f119 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 1 of {27,28,31,32,33,34,35,36} | 1 | no effects |
| f120 | software failure | weak pointing of the SSTV camera | ADC incorrect | extremely strong degradation of s/c lifetime | software update | yes | same design, standby & functional | none | 0 | not possible to discover |
| f121 | malfunction | no effects on payload | drop of redundancy | slight degradation of spacecraft lifetime | not repairable | no | same design, standby & functional | 7 of {27,28,31,32,33,34,35,36} | 7 | no effects |
| f122 | malfunction | no effects on payload | drop of redundancy | slight degradation of s/c lifetime | not repairable | no | same design, standby & functional | 6 of {27,28,31,32,33,34,35,36} | 6 | no effects |
| f123 | malfunction | no effects on payload | drop of redundancy | moderate degradation of s/c lifetime | not repairable | no | same design, standby & functional | 5 of {27,28,31,32,33,34,35,36} | 5 | no effects |
| f124 | malfunction | no effects on payload | drop of redundancy | moderate degradation of s/c lifetime | not repairable | no | same design, standby & functional | 4 of {27,28,31,32,33,34,35,36} | 4 | no effects |
| f125 | malfunction | no effects on payload | drop of redundancy | strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 3 of {27,28,31,32,33,34,35,36} | 3 | no effects |
| f126 | malfunction | no effects on payload | drop of redundancy | extremely strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 2 of {27,28,31,32,33,34,35,36} | 2 | can affect the discovery slightly |
| f127 | malfunction | weak pointing of the SSTV camera | ADC incorrect | extremely strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 1 of {27,28,31,32,33,34,35,36} | 1 | can affect the discovery strongly |
| f128 | malfunction | loss of payload | loss of satellite bus | loss of s/c | not repairable | no | same design, standby & functional | none | 0 | not possible to discover |
| f129 | software failure | weak pointing of the SSTV camera | tumble and incorrect manoeuvre | can lead to loss of s/c | software update | yes | same design, active | 1 of {37,38} | 1 | can affect the discovery strongly |
| f130 | software failure | weak pointing of the SSTV camera | tumble and incorrect manoeuvre | can lead to loss of s/c | software update | yes | same design, active | none | 0 | can affect the discovery strongly |
| f131 | explosion | loss of payload | loss of satellite bus | loss of s/c | not repairable | no | same design, active | none | 0 | not possible to discover |
| f132 | malfunction | no effects on payload | tumble and incorrect manoeuvre | extremely strong degradation of s/c lifetime | not repairable | no | same design, active | 1 of {37,38} | 1 | can affect the discovery strongly |
| f133 | malfunction | no effects on payload | no orbit manoeuvre possible | extremely strong degradation of s/c lifetime | not repairable | no | same design, active | none | 0 | can affect the discovery strongly |

| component | number of components | id |
|---|---|---|
| thruster | 2 | 37, 38 |
| magnetometer | 6 | 31, 32, 33, 34, 35, 36 |
Table D5: Detailed Analysis of ADCS Failures (3/4).

| failure id | failure mode | effect on payload | effect on satellite bus | effect on the system | corrective measures | repairable | type of redundancy | redundant elements | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|---|---|---|---|
| f134 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 8 of {39,40,41,42,43,44,45,46,47} | 8 | no effects |
| f135 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 7 of {39,40,41,42,43,44,45,46,47} | 7 | no effects |
| f136 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 6 of {39,40,41,42,43,44,45,46,47} | 6 | no effects |
| f137 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | moderate degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 5 of {39,40,41,42,43,44,45,46,47} | 5 | no effects |
| f138 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | moderate degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 4 of {39,40,41,42,43,44,45,46,47} | 4 | no effects |
| f139 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | moderate degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 3 of {39,40,41,42,43,44,45,46,47} | 3 | no effects |
| f140 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | extremely strong degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 2 of {39,40,41,42,43,44,45,46,47} | 2 | no effects |
| f141 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | extremely strong degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 1 of {39,40,41,42,43,44,45,46,47} | 1 | no effects |
| f142 | SEE, ESD | weak pointing of the SSTV camera | can lead to damage the devices permanently | loss of adc | turn power OFF | yes | same design, standby & functional | none | 0 | can affect the discovery strongly |
| f143 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 8 of {39,40,41,42,43,44,45,46,47} | 8 | no effects |
| f144 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 7 of {39,40,41,42,43,44,45,46,47} | 7 | no effects |
| f145 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 6 of {39,40,41,42,43,44,45,46,47} | 6 | no effects |
| f146 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 5 of {39,40,41,42,43,44,45,46,47} | 5 | no effects |
| f147 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 4 of {39,40,41,42,43,44,45,46,47} | 4 | no effects |
| f148 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 3 of {39,40,41,42,43,44,45,46,47} | 3 | no effects |
| f149 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 2 of {39,40,41,42,43,44,45,46,47} | 2 | no effects |
| f150 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 1 of {39,40,41,42,43,44,45,46,47} | 1 | no effects |
| f151 | software failure | weak pointing of the SSTV camera | ADC incorrect | extremely strong degradation of s/c lifetime | software update | yes | same design, standby & functional | none | 0 | not possible to discover |
| f152 | malfunction | no effects on payload | drop of redundancy | slight degradation of s/c lifetime | not repairable | no | same design, standby & functional | 8 of {39,40,41,42,43,44,45,46,47} | 8 | no effects |
| f153 | malfunction | no effects on payload | drop of redundancy | slight degradation of s/c lifetime | not repairable | no | same design, standby & functional | 7 of {39,40,41,42,43,44,45,46,47} | 7 | no effects |
| f154 | malfunction | no effects on payload | drop of redundancy | moderate degradation of s/c lifetime | not repairable | no | same design, standby & functional | 6 of {39,40,41,42,43,44,45,46,47} | 6 | no effects |
| f155 | malfunction | no effects on payload | drop of redundancy | moderate degradation of s/c lifetime | not repairable | no | same design, standby & functional | 5 of {39,40,41,42,43,44,45,46,47} | 5 | no effects |
| f156 | malfunction | no effects on payload | drop of redundancy | strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 4 of {39,40,41,42,43,44,45,46,47} | 4 | no effects |
| f157 | malfunction | no effects on payload | drop of redundancy | strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 3 of {39,40,41,42,43,44,45,46,47} | 3 | no effects |
| f158 | malfunction | no effects on payload | drop of redundancy | extremely strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 2 of {39,40,41,42,43,44,45,46,47} | 2 | no effects |
| f159 | malfunction | weak pointing of the SSTV camera | ADC incorrect | extremely strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 1 of {39,40,41,42,43,44,45,46,47} | 1 | can affect the discovery strongly |
| f160 | malfunction | loss of payload | loss of satellite bus | loss of s/c | not repairable | no | same design, standby & functional | none | 0 | not possible to discover |

| component | number of components | id |
|---|---|---|
| magnetic coils | 6 | 39, 40, 41, 42, 43, 44 |
Table D6: Detailed Analysis of ADCS Failures (4/4).

| failure id | failure mode | effect on payload | effect on satellite bus | effect on the system | corrective measures | repairable | type of redundancy | redundant elements | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|---|---|---|---|
| f161 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 8 of {39,40,41,42,43,44,45,46,47} | 8 | no effects |
| f162 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 7 of {39,40,41,42,43,44,45,46,47} | 7 | no effects |
| f163 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 6 of {39,40,41,42,43,44,45,46,47} | 6 | no effects |
| f164 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 5 of {39,40,41,42,43,44,45,46,47} | 5 | no effects |
| f165 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 4 of {39,40,41,42,43,44,45,46,47} | 4 | no effects |
| f166 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 3 of {39,40,41,42,43,44,45,46,47} | 3 | no effects |
| f167 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 2 of {39,40,41,42,43,44,45,46,47} | 2 | no effects |
| f168 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design, standby & functional | 1 of {39,40,41,42,43,44,45,46,47} | 1 | no effects |
| f169 | software failure | weak pointing of the SSTV camera | ADC incorrect | extremely strong degradation of s/c lifetime | software update | yes | same design, standby & functional | none | 0 | not possible to discover |
| f170 | drift | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c or even loss | turn magnetic coils OFF | yes | same design, standby & functional | 8 of {39,40,41,42,43,44,45,46,47} | 8 | can affect the discovery strongly |
| f171 | drift | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c or even loss | turn magnetic coils OFF | yes | same design, standby & functional | 7 of {39,40,41,42,43,44,45,46,47} | 7 | can affect the discovery strongly |
| f172 | drift | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c or even loss | turn magnetic coils OFF | yes | same design, standby & functional | 6 of {39,40,41,42,43,44,45,46,47} | 6 | can affect the discovery strongly |
| f173 | drift | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c or even loss | turn magnetic coils OFF | yes | same design, standby & functional | 5 of {39,40,41,42,43,44,45,46,47} | 5 | can affect the discovery strongly |
| f174 | drift | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c or even loss | turn magnetic coils OFF | yes | same design, standby & functional | 4 of {39,40,41,42,43,44,45,46,47} | 4 | can affect the discovery strongly |
| f175 | drift | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c or even loss | turn magnetic coils OFF | yes | same design, standby & functional | 3 of {39,40,41,42,43,44,45,46,47} | 3 | can affect the discovery strongly |
| f176 | drift | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c or even loss | turn magnetic coils OFF | yes | same design, standby & functional | 2 of {39,40,41,42,43,44,45,46,47} | 2 | can affect the discovery strongly |
| f177 | drift | weak pointing of the SSTV camera | ADC incorrect | weak attitude determination and control of s/c or even loss | turn magnetic coils OFF | yes | same design, standby & functional | 1 of {39,40,41,42,43,44,45,46,47} | 1 | can affect the discovery strongly |
| f178 | drift | pointing of SSTV camera not possible | ADC not possible | can lead to loss of s/c | turn magnetic coils OFF | yes | same design, standby & functional | none | 0 | can affect the discovery strongly |
| f179 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 8 of {39,40,41,42,43,44,45,46,47} | 8 | no effects |
| f180 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 7 of {39,40,41,42,43,44,45,46,47} | 7 | no effects |
| f181 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | slight degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 6 of {39,40,41,42,43,44,45,46,47} | 6 | no effects |
| f182 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | moderate degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 5 of {39,40,41,42,43,44,45,46,47} | 5 | no effects |
| f183 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | moderate degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 4 of {39,40,41,42,43,44,45,46,47} | 4 | no effects |
| f184 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | moderate degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 3 of {39,40,41,42,43,44,45,46,47} | 3 | no effects |
| f185 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | extremely strong degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 2 of {39,40,41,42,43,44,45,46,47} | 2 | no effects |
| f186 | SEE, ESD | no effects on payload | can lead to damage the devices permanently | extremely strong degradation of s/c lifetime | turn power OFF | yes | same design, standby & functional | 1 of {39,40,41,42,43,44,45,46,47} | 1 | no effects |
| f187 | SEE, ESD | weak pointing of the SSTV camera | can lead to damage the devices permanently, incorrect ADC | loss of adc | turn power OFF | yes | same design, standby & functional | none | 0 | can affect the discovery strongly |
| f188 | malfunction | no effects on payload | drop of redundancy | slight degradation of s/c lifetime | not repairable | no | same design, standby & functional | 8 of {39,40,41,42,43,44,45,46,47} | 8 | no effects |
| f189 | malfunction | no effects on payload | drop of redundancy | slight degradation of s/c lifetime | not repairable | no | same design, standby & functional | 7 of {39,40,41,42,43,44,45,46,47} | 7 | no effects |
| f190 | malfunction | no effects on payload | drop of redundancy | moderate degradation of s/c lifetime | not repairable | no | same design, standby & functional | 6 of {39,40,41,42,43,44,45,46,47} | 6 | no effects |
| f191 | malfunction | no effects on payload | drop of redundancy | moderate degradation of s/c lifetime | not repairable | no | same design, standby & functional | 5 of {39,40,41,42,43,44,45,46,47} | 5 | no effects |
| f192 | malfunction | no effects on payload | drop of redundancy | strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 4 of {39,40,41,42,43,44,45,46,47} | 4 | no effects |
| f193 | malfunction | no effects on payload | drop of redundancy | strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 3 of {39,40,41,42,43,44,45,46,47} | 3 | no effects |
| f194 | malfunction | no effects on payload | drop of redundancy | extremely strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 2 of {39,40,41,42,43,44,45,46,47} | 2 | no effects |
| f195 | malfunction | weak pointing of the SSTV camera | ADC incorrect | extremely strong degradation of s/c lifetime | not repairable | no | same design, standby & functional | 1 of {39,40,41,42,43,44,45,46,47} | 1 | can affect the discovery strongly |
| f196 | malfunction | loss of payload | loss of satellite bus | loss of s/c | not repairable | no | same design, standby & functional | none | 0 | not possible to discover |

| component | number of components | id |
|---|---|---|
| reaction wheel | 3 | 45, 46, 47 |
E Telemetry, Tracking & Command Failure Analysis
Table E1: TT&C Failures Sorted in Ascending Order According to Degree of Impact.
| component | failure id | failure mode | Normals | degree of impact (ideals) |
|---|---|---|---|---|
| high gain antenna | f205 | malfunction | 1,18% | 8,46% |
| high gain antenna | f206 | malfunction | 1,51% | 10,79% |
| low gain antenna | f211 | malfunction | 1,79% | 12,79% |
| transceiver | f200 | malfunction | 2,12% | 15,12% |
| high gain antenna | f202 | antenna pointing problem due to software | 2,73% | 19,47% |
| high gain antenna | f203 | antenna pointing problem due to software | 3,05% | 21,81% |
| low gain antenna | f209 | SEE | 8,31% | 59,36% |
| low gain antenna | f209 | SEE | 8,40% | 60,02% |
| low gain antenna | f212 | malfunction | 8,77% | 62,65% |
| low gain antenna | f210 | SEE | 8,78% | 62,72% |
| high gain antenna | f204 | antenna pointing problem due to software | 11,37% | 81,22% |
| transceiver | f201 | malfunction | 14,00% | 100,00% |
| high gain antenna | f207 | malfunction | 14,00% | 100,00% |
| low gain antenna | f213 | malfunction | 14,00% | 100,00% |
Table E2: Detailed Analysis of TT&C Failures.

| failure id | failure mode | effect on payload | effect on satellite bus | effect on the system | corrective measures | repairable | type of redundancy | redundant elements | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|---|---|---|---|
| f200 | malfunction | no effects on payload | drop of redundancy | strong degradation of s/c lifetime | not repairable | no | same design, active | 1 of {48,49} | 1 | no effects |
| f201 | malfunction | transmit of payload data not possible | TC/TM transmit/receive not possible any more | not possible any more to communicate with ground station, loss of s/c | not repairable | no | same design, active | none | 0 | not possible to transmit the discovery data |
| f202 | antenna pointing problem due to software | temporary delayed payload data transmit | temporary delayed TC/TM transmit/receive | difficult to transmit/receive large amounts of data | software update | yes | functional | 2 of {51,52} | 2 | no effects |
| f203 | antenna pointing problem due to software | temporary delayed payload data transmit | temporary delayed TC/TM transmit/receive | difficult to transmit/receive large amounts of data | software update | yes | functional | 1 of {51,52} | 1 | no effects |
| f204 | antenna pointing problem due to software | transmit of payload data temporary not possible | TC/TM transmit/receive temporary not possible | temporary loss of communication with ground station | software update | yes | functional | none | 0 | not possible to transmit the discovery data |
| f205 | malfunction | delayed payload data transmit | delayed TC/TM transmit/receive | difficult to transmit/receive large amounts of data | not repairable | no | functional | 2 of {51,52} | 2 | no effects |
| f206 | malfunction | delayed payload data transmit | delayed TC/TM transmit/receive | difficult to transfer large amounts of data | not repairable | no | functional | 1 of {51,52} | 1 | no effects |
| f207 | malfunction | transmit of payload data not possible | TC/TM transmit/receive not possible any more | not possible any more to communicate with ground station, loss of s/c | not repairable | no | functional | none | 0 | not possible to transmit the discovery data |
| f209 | SEE | no effects on payload | can lead to receive/transmit incorrect TC/TM | undesired operation of s/c, can lead to loss s/c in case of critical operations | turn power OFF | yes | same design, active & functional | 2 of {50,51,52} | 2 | can affect the discovery slightly |
| f209 | SEE | can lead to damage payload, in case of incorrect TC/TM | can lead to receive/transmit incorrect TC/TM | undesired operation of spacecraft, can lead to loss s/c in case of critical operations | turn power OFF | yes | same design, active & functional | 1 of {50,51,52} | 1 | can affect the discovery strongly |
| f210 | SEE | can lead to damage payload, in case of incorrect TC/TM | can lead to receive/transmit incorrect TC/TM | undesired operation of s/c, can lead to loss s/c in case of critical operations | turn power OFF | yes | same design, active & functional | none | 0 | can affect the discovery strongly |
| f211 | malfunction | no effects on payload | drop of redundancy | strong degradation of s/c lifetime | not repairable | no | same design, active & functional | 2 of {50,51,52} | 2 | no effects |
| f212 | malfunction | no effects on payload | if one LG antenna already failed, communication with ground station during emergencies not possible | extremely strong degradation of s/c lifetime | not repairable | no | same design, active & functional | 1 of {50,51,52} | 1 | can affect the discovery strongly |
| f213 | malfunction | transmit of payload data not possible | TC/TM transmit/receive not possible any more | not possible any more to communicate with ground station, loss of s/c | not repairable | no | same design, active & functional | none | 0 | not possible to transmit the discovery data |

| component | number of components | id |
|---|---|---|
| low gain antenna | 2 | 51, 52 |
| transceiver | 2 | 48, 49 |
| high gain antenna | 1 | 50 |
F Payload Failure Analysis
Table F1: Payload Failures Sorted in Ascending Order According to Degree of Impact.
| component | failure id | failure mode | priority vector (normals) | degree of impact (ideals) |
|---|---|---|---|---|
| ADIA++ | f214 | software failure | 4,48% | 14,43% |
| SSTV camera | f218 | overheating | 7,85% | 25,26% |
| SSTV camera | f217 | software failure | 9,74% | 31,37% |
| ASAP | f216 | software failure | 13,54% | 43,60% |
| ADIA++ | f215 | software failure | 13,95% | 44,91% |
| SSTV camera | f219 | anomalies | 19,38% | 62,40% |
| SSTV camera | f220 | malfunction | 31,06% | 100,00% |
| failure id | failure mode | effect on payload | effect on satellite bus | effect on the system | corrective measures | repairable | type of redundancy | redundant elements | number of redundancy | effect on discovery of the event |
|---|---|---|---|---|---|---|---|---|---|---|
| f214 | software failure | no effects on payload | no effects on satellite bus | no effects on system | software update | yes | same design active | 1 of {53,54} | 1 | no effects |
| f215 | software failure | wrong failure detection/prediction, trying to repair a fully functional payload can lead to break it | wrong failure detection/prediction, trying to repair a fully functional component lead to damage it | extremely strong degradation of s/c lifetime | software update | yes | same design active | none | 0 | can affect the discovery extremely strong |
| f216 | software failure | affecting the Decision Support System in case of wrong detected event | trying to discover an incorrect event can lead to damage the satellite bus completely for nothing | extremely strong degradation of s/c lifetime | software update | yes | not redundant | none | 0 | can affect the discovery extremely strong |
| f217 | software failure | can provide wrong data to ASAP | no effects on satellite bus | temporary not possible to fulfill the mission | software update | yes | not redundant | none | 0 | can affect the discovery slightly |
| f218 | overheating | can slightly damage camera | satellite bus can be damaged slightly | slight degradation of s/c lifetime | cooling | yes | not redundant | none | 0 | no effects |
| f219 | anomalies | can provide wrong data to ASAP | no effects on satellite bus | temporary not possible to fulfill the mission | turn camera OFF | yes | not redundant | none | 0 | temporary not possible to discover the event optically |
| f220 | malfunction | loss of main payload | no effects on satellite bus | extremely strong degradation of s/c lifetime | not repairable | no | not redundant | none | 0 | not possible to discover the event optically |

| component | number of components | id |
|---|---|---|
| ADIA++ | 2 | 53, 54 |
| ASAP | 1 | 55 |
| SSTV camera | 1 | 56 |
Table F2: Detailed Analysis of Payload Failures.
G Event Tree
Figure G1: Event Tree Complete.
H Èxypnos System Code for Power System Failures
/******************************************************************/
/***                                                            ***/
/***   Èxypnos System: Saliha Serdar                            ***/
/***   Failures in the Power System                             ***/
/***                                                            ***/
/******************************************************************/

/*** facts ********************************************************/

/* failure(
      failure_id, component, failure_mode,
      number_of_redundancy, degree_of_impact) <- */

% solar_array
failure(f22, solar_array, electrostatic_discharge, 3, 16.66).
failure(f23, solar_array, electrostatic_discharge, 2, 17.62).
failure(f24, solar_array, electrostatic_discharge, 1, 26.40).
failure(f25, solar_array, electrostatic_discharge, 0, 28.35).
failure(f26, solar_array, eff_degradation_outgassing, 3, 5.34).
failure(f27, solar_array, eff_degradation_outgassing, 2, 11.55).
failure(f28, solar_array, eff_degradation_outgassing, 1, 11.13).
failure(f29, solar_array, eff_degradation_outgassing, 0, 27.86).
failure(f30, solar_array, sel, 3, 10.15).
failure(f31, solar_array, sel, 2, 16.04).
failure(f32, solar_array, sel, 1, 17.26).
failure(f33, solar_array, sel, 0, 32.36).
failure(f34, solar_array, seb, 3, 12.05).
failure(f35, solar_array, seb, 2, 13.01).
failure(f36, solar_array, seb, 1, 25.01).
failure(f37, solar_array, seb, 0, 35.03).
failure(f38, solar_array, malfunction, 3, 7.21).
failure(f39, solar_array, malfunction, 2, 11.26).
failure(f40, solar_array, malfunction, 1, 25.92).
failure(f41, solar_array, malfunction, 0, 92.07).
% battery
failure(f42, battery, see, 1, 15.72).
failure(f43, battery, see, 0, 34.91).
failure(f44, battery, explosion, 1, 98.05).
failure(f45, battery, explosion, 0, 100.00).
failure(f46, battery, fail_of_a_few_battery_cells, 1, 11.56).
failure(f47, battery, fail_of_a_few_battery_cells, 0, 28.43).
failure(f48, battery, malfunction, 1, 16.11).
failure(f49, battery, malfunction, 0, 92.07).

% power control and distribution unit - pcdu
failure(f50, pcdu, overcharging_deep_discharging, 1, 12.89).
failure(f51, pcdu, overcharging_deep_discharging, 0, 21.54).
failure(f52, pcdu, see, 1, 18.34).
failure(f53, pcdu, see, 0, 31.04).
failure(f54, pcdu, malfunction, 1, 16.11).
failure(f55, pcdu, malfunction, 0, 92.07).

/* event(
      event_id, strangeness, repetition,
      level_of_intensity, importance) <- */

event(e1, low, '0, 1, 2, 3', '(0, 1, 2, 3)sigma', 18.10).
event(e2, low, '0, 1, 2, 3', '(4, 5, 6)sigma', 21.41).
event(e3, low, '0, 1, 2, 3', '(7, 8, 9)sigma', 27.87).
event(e4, low, '0, 1, 2, 3', '>9sigma', 40.79).
event(e5, low, '4, 5, 6', '(0, 1, 2, 3)sigma', 13.55).
event(e6, low, '4, 5, 6', '(4, 5, 6)sigma', 16.86).
event(e7, low, '4, 5, 6', '(7, 8, 9)sigma', 23.31).
event(e8, low, '4, 5, 6', '>9 sigma', 36.24).
event(e9, low, '7, 8, 9', '(0, 1, 2, 3)sigma', 10.98).
event(e10, low, '7, 8, 9', '(4, 5, 6)sigma', 14.29).
event(e11, low, '7, 8, 9', '(7, 8, 9)sigma', 20.75).
event(e12, low, '7, 8, 9', '>9 sigma', 33.68).
event(e13, low, '>9', '(0, 1, 2, 3)sigma', 10.22).
event(e14, low, '>9', '(4, 5, 6)sigma', 13.52).
event(e15, low, '>9', '(7, 8, 9)sigma', 19.98).
event(e16, low, '>9', '>9 sigma', 32.91).
event(e18, high, '0, 1, 2, 3', '(0, 1, 2, 3)sigma', 45.33).
event(e19, high, '0, 1, 2, 3', '(4, 5, 6) sigma', 48.64).
event(e20, high, '0, 1, 2, 3', '(7, 8, 9) sigma', 55.10).
event(e21, high, '0, 1, 2, 3', '>9sigma', 68.02).
event(e22, high, '4, 5, 6', '(0, 1, 2, 3)sigma', 40.78).
event(e23, high, '4, 5, 6', '(4, 5, 6) sigma', 44.09).
event(e24, high, '4, 5, 6', '(7, 8, 9) sigma', 50.55).
event(e25, high, '4, 5, 6', '>9 sigma', 63.47).
event(e26, high, '7, 8, 9', '(0, 1, 2, 3)sigma', 38.22).
event(e27, high, '7, 8, 9', '(4, 5, 6)sigma', 41.52).
event(e28, high, '7, 8, 9', '(7, 8, 9)sigma', 47.98).
event(e29, high, '7, 8, 9', '>9sigma', 60.91).
event(e30, high, '>9', '(0, 1, 2, 3)sigma', 37.45).
event(e31, high, '>9', '(4, 5, 6)sigma', 40.76).
event(e32, high, '>9', '(7, 8, 9)sigma', 47.21).
event(e33, high, '>9', '>9sigma', 60.14).
event(e34, extremely_high, '0, 1, 2, 3', '(0, 1, 2, 3)sigma', 77.31).
event(e35, extremely_high, '0, 1, 2, 3', '(4, 5, 6) sigma', 80.62).
event(e36, extremely_high, '0, 1, 2, 3', '(7, 8, 9) sigma', 87.07).
event(e37, extremely_high, '0, 1, 2, 3', '>9 sigma', 100.00).
event(e38, extremely_high, '4, 5, 6', '(0, 1, 2, 3)sigma', 72.76).
event(e39, extremely_high, '4, 5, 6', '(4, 5, 6) sigma', 76.07).
event(e40, extremely_high, '4, 5, 6', '(7, 8, 9) sigma', 82.52).
event(e41, extremely_high, '4, 5, 6', '>9 sigma', 95.45).
event(e42, extremely_high, '7, 8, 9', '(0, 1, 2, 3)sigma', 70.19).
event(e43, extremely_high, '7, 8, 9', '(4, 5, 6)sigma', 73.50).
event(e44, extremely_high, '7, 8, 9', '(7, 8, 9)sigma', 79.96).
event(e45, extremely_high, '7, 8, 9', '>9sigma', 92.88).
event(e46, extremely_high, '>9', '(0, 1, 2, 3)sigma', 69.42).
event(e47, extremely_high, '>9', '(4, 5, 6)sigma', 72.73).
event(e48, extremely_high, '>9', '(7, 8, 9)sigma', 79.19).
event(e49, extremely_high, '>9', '>9sigma', 92.12).

/*** rules ********************************************************/

/* decision(+Degree_of_Impact, +Importance) <- */

% Discover the event when its importance exceeds the degree of impact
% of the failure by the margin required for that impact band.
decision(Degree_of_Impact, Importance) :-
   Degree_of_Impact < 30.00,
   Importance - Degree_of_Impact >= 10.00,
   write('Discover the event.').
decision(Degree_of_Impact, Importance) :-
   Degree_of_Impact >= 30.00,
   Degree_of_Impact < 40.00,
   Importance - Degree_of_Impact >= 20.00,
   write('Discover the event.').
decision(Degree_of_Impact, Importance) :-
   Degree_of_Impact >= 40.00,
   Degree_of_Impact < 90,
   Importance - Degree_of_Impact >= 35.00,
   write('Discover the event.').
% Degree of impact of 90 or more: the importance of the event is ignored.
decision(Degree_of_Impact, _) :-
   Degree_of_Impact >= 90.00,
   write('Discover until spacecraft is completely loss and can not transmit anymore.').

% Repair when the margin for the impact band is not exceeded. At a margin
% exactly equal to the threshold the discover clause is tried first and
% the repair clause also succeeds on backtracking.
decision(Degree_of_Impact, Importance) :-
   Degree_of_Impact < 30.00,
   Importance - Degree_of_Impact =< 10.00,
   write('Repair the failure immediately.').
decision(Degree_of_Impact, Importance) :-
   Degree_of_Impact >= 30.00,
   Degree_of_Impact < 40.00,
   Importance - Degree_of_Impact =< 20.00,
   write('Repair the failure immediately.').
decision(Degree_of_Impact, Importance) :-
   Degree_of_Impact >= 40.00,
   Degree_of_Impact < 90,
   Importance - Degree_of_Impact =< 35.00,
   write('Repair the failure immediately.').

/******************************************************************/
List of Figures
3.1 Three Level Hierarchy of the Analytic Hierarchy Process.
3.2 Shortcut of a Sample Model, Car Hierarchy, from Super Decision software.
3.3 Shortcut of Pairwise Comparison Window with Comparison Matrix.
3.4 Shortcut of a Pairwise Comparison Window with Questionnaire.
3.5 The Scoring of the Alternatives of the Car_hierarchy Sample Model.
4.1 Subsystems of ÉxypnosSat
5.1 Effects on Payloads caused by Power System Failures.
5.2 Effects on the Satellite Bus caused by Power System Failures.
5.3 Effects on the System caused by Power System Failures.
5.4 Effects on the Discovery of the Event caused by Power System Failures.
5.5 Hierarchy of Power System Failures.
5.6 Rating of the Alternative f44.
5.7 Assignment of Failure Impact Values to a Severity Level.
6.1 Cutout of the Event Tree.
7.1 Input and Output of the Èxypnos System.
G1 Event Tree Complete.
List of Tables
3.1 The Fundamental Scale according to [30].
5.1 OBC failures
5.2 Power System failures
5.3 Thermal Control System failures.
5.4 ADCS failures.
5.5 TT&C failures.
5.6 Payload failures.
5.7 Battery Component Failure Analysis.
5.8 Pairwise Comparison of Criteria.
5.10 Weighting of the Criteria according to the Priority Vector.
5.11 Weighting of all Sub-criteria according to the Priority Vector.
5.12 Rating of the Alternative f44.
5.13 Rating of all Alternatives of the Power System Failures.
6.1 Weighting of Event Criteria according to the Priority Vector.
6.2 Weighting of Event Sub-Criteria according to the Priority Vector.
6.3 Importance of each Event derived by AHP.
A1 OBC Failures Sorted in Ascending Order According to Degree of Impact.
A2 Detailed Analysis of OBC Failures Analysis.
B1 Power System Failures Sorted in Ascending Order According to Degree of Impact.
B2 Detailed Analysis of Power System Failures Analysis.
C1 Thermal Control System Failures Sorted in Ascending Order According to Degree of Impact.
C2 Detailed Analysis of Thermal Control System Failures Analysis.
D1 ADCS Failures Sorted in Ascending Order According to Degree of Impact (1/2).
D2 ADCS Failures Sorted in Ascending Order According to Degree of Impact (2/2).
D3 Detailed Analysis of ADCS Failures (1/4).
D4 Detailed Analysis of ADCS Failures (2/4).
D5 Detailed Analysis of ADCS Failures (3/4).
D6 Detailed Analysis of ADCS Failures (4/4).
E1 TT&C Failures Sorted in Ascending Order According to Degree of Impact.
E2 Detailed Analysis of TT&C Failures.
F1 Payload Failures Sorted in Ascending Order According to Degree of Impact.
F2 Detailed Analysis of Payload Failures.
References
[1] Michael Negnevitsky. Artificial Intelligence: A Guide to Intelligent Systems. Addison-Wesley, 3rd edition, 2011.
[2] Ricardo R Gudwin. Evaluating intelligence: A computational semiotics perspective. In Systems, Man, and Cybernetics, 2000 IEEE International Conference on, volume 3, pages 2080–2085. IEEE, 2000.
[3] Jens Eickhoff. Onboard Computers, Onboard Software and Satellite Operations: An Introduction. Springer Aerospace Technology. Springer Berlin Heidelberg, 2011.
[4] Hakan Kayal, Oleksii Balagurin, Kirill Djebko, Gerhard Fellinger, A Schartel, T Schwarz, A Vodopivec, H Wojtkowiak, and F Puppe. SONATE-A Nano Satellite for the In-Orbit Verification of Autonomous Detection, Planning and Diagnosis Technologies. In AIAA SPACE 2016, 2016.
[5] Rebecca Castano, Tara Estlin, Robert C Anderson, Daniel M Gaines, Andres Castano, Benjamin Bornstein, Caroline Chouinard, and Michele Judd. OASIS: Onboard autonomous science investigation system for opportunistic rover science. Journal of Field Robotics, 24(5):379–397, 2007.
[6] Tara Estlin, Daniel Gaines, Caroline Chouinard, Rebecca Castano, Benjamin Bornstein, Michele Judd, Issa Nesnas, and Robert Anderson. Increased mars rover autonomy using ai planning, scheduling and execution. In Proceedings 2007 IEEE International Conference on Robotics and Automation, pages 4911–4918. IEEE, 2007.
[7] Tara A. Estlin, Benjamin J. Bornstein, Daniel M. Gaines, Robert C. Anderson, David R. Thompson, Michael Burl, Rebecca Castaño, and Michele Judd. AEGIS Automated Science Targeting for the MER Opportunity Rover. ACM Transactions on Intelligent Systems and Technology (TIST), 3(3), 2012.
[8] J.F. Bell, S.W. Squyres, K.E. Herkenhoff, J.N. Maki, H.M. Arneson, D. Brown, S.A. Collins, A. Dingizian, S.T. Elliot, E.C. Hagerott, et al. Mars Exploration Rover Athena Panoramic Camera (Pancam) investigation. Journal of Geophysical Research: Planets, 108(E12), 2003.
[9] R. Francis, T. Estlin, D. Gaines, G. Doran, O. Gasnault, S. Johnstone, S. Montaño, V. Mousset, V. Verma, B. Bornstein, et al. Aegis intelligent targeting deployed for the curiosity rover’s chemcam instrument. In Lunar and Planetary Science Conference, volume 47, page 2487, 2016.
[10] Second ExoMars mission moves to next launch opportunity in 2020. www.esa.int/For_Media/Press_Releases/Second_ExoMars_mission_moves_to_next_launch_opportunity_in_2020, May 2016. Accessed: 30.08.2016.
[11] Dave Barnes, Stephen Pugh, and Laurence Tyler. Autonomous science target identification and acquisition (astia) for planetary exploration. In 2009 IEEE/RSJ International Conference on Intelligent Robots and Systems, pages 3329–3335. IEEE, 2009.
[12] Stephen Pugh, Dave Barnes, Derek Pullan, and Laurence Tyler. Knowledge based science target identification system (KSTIS). In Proceedings of the International Symposium on Artificial Intelligence, Robotics and Automation in Space, 2010.
[13] Autonomous Sciencecraft Experiment. http://ase.jpl.nasa.gov/. Accessed: 25.08.2016.
[14] Daniel Tran, Steve Chien, Rob Sherwood, Rebecca Castano, Benjamin Cichy, Ashley Davies, and Gregg Rabideau. The autonomous sciencecraft experiment onboard the eo-1 spacecraft. In Proceedings of the Third International Joint Conference on Autonomous Agents and Multiagent Systems-Volume 3, pages 1216–1217. IEEE Computer Society, 2004.
[15] EO-1 (Earth Observing-1). https://directory.eoportal.org/web/eoportal/satellite-missions/e/eo-1. Accessed: 25.08.2016.
[16] Rob Sherwood, Steve Chien, Daniel Tran, Benjamin Cichy, Rebecca Castano, Ashley Davies, and Gregg Rabideau. The EO-1 Autonomous Sciencecraft. 21st Annual AIAA/USU Conference on Small Satellites, 2007.
[17] About PROBA-3. http://www.esa.int/Our_Activities/Space_Engineering_Technology/Proba_Missions/About_Proba-3, November 2014. Accessed: 25.08.2016.
[18] PROBA-1 (Project for On-Board Autonomy - 1). https://directory.eoportal.org/web/eoportal/satellite-missions/p/proba-1. Accessed: 25.08.2016.
[19] PROBA-2 (Project for On-Board Autonomy-2). https://directory.eoportal.org/web/eoportal/satellite-missions/p/proba-2. Accessed: 25.08.2016.
[20] PROBA-3. https://directory.eoportal.org/web/eoportal/satellite-missions/p/proba-3. Accessed: 25.08.2016.
[21] Efraim Turban, Jay E. Aronson, and Ting-Peng Liang. Decision Support Systems and Intelligent Systems. Pearson/Prentice Hall, 7th edition, 2005.
[22] Frada Burstein and Clyde Holsapple. Handbook on Decision Support Systems 1: Basic Themes. International Handbooks on Information Systems. Springer Berlin Heidelberg, 2008.
[23] Dietmar Seipel, Rüdiger von der Weth, Salvador Abreu, Falco Nogatz, and Alexander Werner. Declarative Rules for Annotated Expert Knowledge in Change Management. In 5th Symposium on Languages, Applications and Technologies (SLATE’16), volume 51 of OpenAccess Series in Informatics (OASIcs). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, 2016.
[24] Ivan Bratko. Prolog Programming for Artificial Intelligence. International computer science series. Addison Wesley, 2001.
[25] Max A. Bramer. Logic Programming with Prolog. SpringerLink : Bücher. Springer London, 2013.
[26] Dietmar Seipel. Lecture Notes of the Course "Advanced Databases". http://www1.pub.informatik.uni-wuerzburg.de/databases/courses/ddb/Folien.pdf, 2013/2014.
[27] Dietmar Seipel. Lecture Notes of the Course "Deduktive Datenbanken". http://www1.pub.informatik.uni-wuerzburg.de/databases/courses/db_ws1314/uebungen.html, 2015.
[28] Monica Nogueira, Marcello Balduccini, Michael Gelfond, Richard Watson, and Matthew Barry. An A-Prolog decision support system for the Space Shuttle. In International Symposium on Practical Aspects of Declarative Languages, pages 169–183. Springer, 2001.
[29] Navneet Bhushan and Kanwal Rai. Strategic Decision Making: Applying the Analytic Hierarchy Process. Decision Engineering. Springer London, 2004.
[30] Thomas L. Saaty and Luis G. Vargas. Models, Methods, Concepts & Applications of the Analytic Hierarchy Process. International Series in Operations Research & Management Science. Springer, 2012.
[31] Matteo Brunelli. Introduction to the Analytic Hierarchy Process. SpringerBriefs in Operations Research. Springer International Publishing, 2015.
[32] Rozann W. Saaty. Decision making in complex environments. Super Decisions, 2003.
[33] J.R. Wertz and W.J. Larson. Space Mission Analysis and Design. Space Technology Library. Springer Netherlands, 1999.
[34] P. Fortescue, G. Swinerd, and J. Stark. Spacecraft Systems Engineering. Wiley, 2011.
[35] J.J. Wijker. Spacecraft Structures. Springer Berlin Heidelberg, 2008.
[36] Harald Wojtkowiak, Oleskii Balagurin, Gerhard Fellinger, and Hakan Kayal. ASAP: Autonomy through on-board planning. In Recent Advances in Space Technologies (RAST), 2013 6th International Conference on, pages 377–381. IEEE, 2013.
[37] Gerhard Fellinger, Kirill Djebko, Eric Jäger, Hakan Kayal, Frank Puppe, and Simon B Stier. ADIA++: An Autonomous Onboard Diagnostic System for Nanosatellites. In AIAA SPACE 2016, page 5547, 2016.
[38] Mak Tafazoli. A study of on-orbit spacecraft failures. Acta Astronautica, 64(2):195–205, 2009.
[39] PROBA-1 (Project for On-Board Autonomy - 1). http://www.sat-nd.com/failures/. Accessed: 20.05.2016.
[40] D.M. Harland and R. Lorenz. Space Systems Failures: Disasters and Rescues of Satellites, Rocket and Space Probes. Springer Praxis Books. Springer New York, 2007.
[41] David A Galvan, Brett Hemenway, IV Welser, Dave Baiocchi, et al. Satellite anomalies: Benefits of a centralized anomaly database and methods for securely sharing information among satellite operators. Technical report, DTIC Document, 2014.
[42] The Astronomical Almanac Online. http://aa.usno.navy.mil/publications/docs/asa.php. Accessed: 17.09.2016.
[43] Dr. Jerry R. Ehman. The Big Ear Wow! Signal, What We Know and Don’t Know About It After 20 Years. http://www.bigear.org/wow20th.htm#printout, 1997. Accessed: 25.08.2016.
[44] J. Bonnell. A Brief History of the Discovery of Cosmic Gamma-Ray Bursts. http://apod.nasa.gov/htmltest/jbonnell/www/grbhist.html, 1995. Accessed: 17.09.2016.