Rough Notes
- Two ways of doing this: half FDIR and hierarchical FDIR
- Half FDIR is basically just doing no isolation autonomously; if a component fails, just switch to the cold spare and do the diagnosis when the satellite comes in contact with the ground
- We can’t do this, since we don’t have any redundant components
- Hierarchical FDIR is based on hierarchical levels (obviously), so it provides a graduated reaction based on the fault
- This enables fault recovery on the lowest levels and guarantees isolation
- Then there’s the whole thing about risk management and analysis
- There are two ways to do it: statistics or an analytical approach
- For the statistical approach, you test a sample of the population either for a pre-defined duration or until every unit in the sample wears out
- Then you record the mean time to failure, which makes calculating the reliability fairly easy
- Analytical methods can be broken down into two further categories, qualitative and quantitative
- Qualitative is just describing the cause and effects of certain risk events
- Top-down and bottom-up approaches are useful here
- Quantitative provides estimates of failure severity and probability of occurrence
- The two most popular tools of risk analysis are FMEA and FTA
- FTA is a top-down method used to trace backward the potential causes of every failure event of the system
- Interrelationships between events inducing a top-level error
- FMEA is bottom-up, tracing the effects of certain component failures to performance on a system level
- All adverse effects caused by a single component failure
- Since FMEA does a good job of covering all the effects, a lot of people tend to use this method
- FMEA itself is broken down into multiple methods: functional, piece-part, process
- Piece-part is hardware oriented, since it looks at the lowest levels of the system (that would be the hardware) and uses that to identify all points of failure
- It’s time-consuming though, and it only really works if you’re doing a wide component review anyway
- Functional approach is (you guessed it) function oriented
- It only covers major contributors to large-scale system failures rather than focusing on each possible component
- It is more efficient, but it is obviously not as comprehensive and it fails to tackle complex issues that involve the failure of multiple components
- Functional FMEA is used alongside FTA or RBDs
- The paper I’m looking at used functional FMECA with RBD analysis (the scope of their study was limited to the subsystem level)
- According to the ECSS-Q-ST-30-02-C standard, there is a procedure we should follow for functional FMECA activities


The table above is used to rank each event based on the severity it can have on the mission as well as its probability of occurrence. These numbers can be used to calculate a failure criticality number that lets us prioritize the types of errors that could really cause us problems. The SN and PN values seem pretty qualitative: just rankings based on the description of the impact the error could have and the likelihood of occurrence. Based on these calculations, you can create a criticality matrix.

RBD - Reliability Block Diagram
How to Create A Reliability Block Diagram?
- Partition the system into functional blocks with clearly defined tasks
- Each block is linked to the next block either in series or parallel
- For each required block, necessary blocks are connected in series and redundant blocks are connected in parallel

- Only major components such as controllers and memory are considered in these calculations, connectors and EEE parts are ignored

^ These are just examples of how to do this analysis; we can apply this to our own system and see if we can come up with reasonable answers of our own
- We don’t have any redundant components for most systems (let’s see if we regret this sooner), so we should just have all-series block diagrams, which keeps the calculations easy

^ Something to keep in mind, if OBC goes down we’ll need PAY MCU to take over satellite operations, so we’ll need to include the PAY controller for our OBC RBD
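
Added example (not from the paper or the ECSS standard): the series/parallel RBD rules above applied to the OBC block, once as a pure series chain and once with the PAY MCU as a backup. Assumptions: constant failure rates, so R(t) = exp(-t / MTTF); the MTTF numbers are constructed placeholders; the PAY MCU takeover is treated as ideal active redundancy with perfect switching.

```python
import math

def unit(mttf_hours):
    """Leaf block with constant failure rate: R(t) = exp(-t / MTTF)."""
    return lambda t: math.exp(-t / mttf_hours)

def series(*blocks):
    """Every block is required: R = product of R_i."""
    return lambda t: math.prod(b(t) for b in blocks)

def parallel(*blocks):
    """Any one block is enough: R = 1 - product of (1 - R_i)."""
    return lambda t: 1.0 - math.prod(1.0 - b(t) for b in blocks)

# Constructed MTTF values in hours, placeholders only (not measured data).
MTTF_H = {"obc_mcu": 100_000, "obc_mem": 200_000, "pay_mcu": 100_000}

def obc_rbd(pay_takeover):
    """OBC function RBD; only controllers and memory are modelled."""
    primary = series(unit(MTTF_H["obc_mcu"]), unit(MTTF_H["obc_mem"]))
    if not pay_takeover:
        return primary
    # Assumption: PAY MCU takeover is modelled as ideal active redundancy
    # (perfect fault detection and switching).
    return parallel(primary, unit(MTTF_H["pay_mcu"]))

def compare(mission_hours):
    """Return (series-only reliability, reliability with PAY MCU backup)."""
    return obc_rbd(False)(mission_hours), obc_rbd(True)(mission_hours)

if __name__ == "__main__":
    for hours in (8_760, 17_520, 26_280):  # 1, 2 and 3 years
        alone, backed = compare(hours)
        print(f"{hours:>6} h  series-only={alone:.4f}  with PAY MCU={backed:.4f}")
```

A real takeover is closer to standby redundancy with imperfect fault detection, so the parallel figure here is an upper bound on what the backup buys.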