Model Based Systems Engineering for CubeSat Mission Reliability

Tatyana Rakalina, Soon Ong, Michel Izygon – Tietronix; Lui Wang – NASA Johnson Space Center; Isabelle Conway, Silvana Radu – ESA; Naoki Ishihama – JAXA; Martin Feather – Jet Propulsion Laboratory, California Institute of Technology; Arthur Witulski – Vanderbilt; John Evans – NASA HQ

ABSTRACT

Model Based Systems Engineering (MBSE) is moving to the forefront of small spacecraft development. The benefit of SysML as a language for elucidating the system architecture of CubeSats is well understood and is implemented in standard model formats. Concurrently, the benefit of MBSE for assurance has been recognized and is emerging as Model Based Mission Assurance (MBMA), which promises the integration of assurance stakeholder views into the model as well as the production of useful assurance products from the model. In this regard, the assurance organizations of NASA, ESA and JAXA are jointly exploring the potential benefits of MBSE and MBMA in anticipation of future joint projects in which the architecture of a flight mission will be shared as a SysML model.

Traditionally, only the mission-critical aspects of large systems have been able to justify the time and expense of reliability analyses. This work aims to make such analyses practical for a wide range of missions, from small to large, so that architectural design decisions can be supported rapidly and cost-effectively across organizations. In addition to exploring basic modeling concepts and communicating over the model, the partners have shown that reliability analyses can be generated from the model, including early Failure Modes, Effects, and Criticality Analysis (FMECA) and Fault Tree Analysis (FTA) based on the simulated mission. The intent is to test basic meta-model frameworks and compare the results across the agencies.

One such basic framework uses SysML state machines as the basis for developing FMECAs and fault trees. When failures are modeled with this framework, plugins for the SysML tool (developed for NASA under a Small Business Innovation Research project) automatically generate a FMECA table and fault trees.

The expected outcome of this project is a compilation of lessons learned across the three agencies (NASA, ESA and JAXA), to be shared with their assurance communities. Comparisons of the SysML-derived products and assessments of their utility are also planned. Finally, a framework for standardization, to the extent possible, will be proposed on the basis of these lessons learned, to facilitate model sharing for more complex scenarios in the future.

UNIFY MISSION ASSURANCE WITH SYSTEMS MODELING

MODEL BASED MISSION ASSURANCE (MBMA)

[Diagram: Systems Engineering (system architecture, behavior, requirements) and Mission Assurance & Safety (parts failure modes catalogue, reliability/probability of failure, safety analysis, fault tree, FMECA, reliability, availability, maintainability, project risk) feed one SysML model of the system with integrated RAMS.]

MBMA is the integration of the Mission Assurance products, Reliability, Availability, Maintainability and Safety (RAMS), with the Systems Engineering model (the SysML model).

BENEFITS OF MBMA

Speed – reliability artifacts can be produced rapidly, so the results of reliability studies and analyses can be fed back to systems engineers in a timely manner.

Correctness – automatic derivation of artifacts directly from the system model ensures they are correct and complete with respect to that model (not with respect to the real system: a failure mode that is missing from the model is missing from every generated product).

Expertise – by relieving reliability engineers of the manual construction of reliability artifacts, their time and effort can be put to more valuable use: providing insights and guidance to systems engineers.

STUDY EXAMPLE

APPLICATION OF MBMA TO A CUBESAT PROJECT

The CubeSat model was created, and failures and their effects were added to the model from the ESA Space Product Assurance Standard, Annex G, Failure Modes, Effects (and Criticality) Analysis catalogue.

[Catalogue example: adapted and modified from ESTCube-1.]

META-MODEL FOR MODELING METHODOLOGY

MODELING FAILURE MODES (META-MODEL)

- A state machine captures the behavior of a component.
- A state machine can have one or more states.
- Each state has an activity that runs on entering the state.
- Send Signal Actions send either Failure Mode, Effect or nominal state-transition signals.
- Call Behavior Actions trigger the affected system components.
- Each state machine has transition triggers and guards.

MODELING METHODOLOGY APPLIED

MODELING FAILURE MODES EXAMPLE

Example for the Kill Switch component, "Stuck Off" failure mode:

1. The Kill Switch is modeled as a <<Block>> that owns the Stuck Off signal (with the <<Failure Mode>> stereotype), the Unable to Connect Bus Power signal (with the <<Effect>> stereotype) and the Kill Switch Failure Modes state machine with its Mechanical Failure – Stuck Off signal.
2. The Kill Switch state machine diagram shows the transition (with the <<Failure>> stereotype) from the nominal state to the failed (Stuck Off) state, using the Mechanical Failure – Stuck Off signal as its trigger.
3. The Enter Stuck Off activity diagram (the entry behavior of the Stuck Off failed state) declares the failure mode, Stuck Off, and its effect, Unable to Connect Bus Power, using send signal actions.
4. The effect of the Kill Switch Stuck Off failure, Unable to Connect Bus Power, triggers the transition of the Power Bus state machine from its nominal state to the failed (Kill Switch Failure – Locked Off) state.
5. Use the Fault Tree plugin to generate the list of failure mode effects, then select an effect to generate its fault tree.
6. For components with redundancy, guard conditions are used together with the propagation signals. In this example the Power Bus draws power from the Battery and the Solar Cells, so both upstream components must fail for the Power Bus transition to occur.

AUTOMATICALLY GENERATE FAULT TREE

[Fault Tree plugin output: fault tree generated for the No Bus Power effect, showing all propagated failures starting from a cause of the failure. The propagation path for the Kill Switch Stuck Off failure mode is circled.]

AUTOMATICALLY GENERATE FMECA

[FMECA plugin output: FMECA table generated for the Power Bus, showing the failure propagation path, end effect and likelihood of each failure mode.]

CONCLUSION

A modeling methodology was developed to extend the system model (in SysML) with failure mode information. The methodology was applied to an example CubeSat's power system, as the most critical system of the CubeSat. The benefit of this application is the ability to rapidly perform reliability analyses such as fault trees and a FMECA table, demonstrating that system reliability can be analyzed at the early design stage of a project. Model Based Mission Assurance, of which this is an example, aims to be applicable to a wide range of missions, from small satellites to large systems, to support and analyze designs in a fast and effective manner.

For more information contact: John Evans - [email protected]; Lui Wang - [email protected]; Isabelle Conway - [email protected]; Naoki Ishihama - [email protected]
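The meta-model (state machines whose failed-state entry behaviour sends Failure Mode and Effect signals, with guards for redundancy) and the two generators the poster describes can be exercised in a small Python re-implementation. This is an added example and not the NASA plugin's code: the Kill Switch and Power Bus names follow the poster, while the Battery and Solar Cells failure modes, the Power Bus "Loss of Input Power" state and the likelihood ratings are constructed for illustration.

```python
"""Toy re-implementation of the poster's failure-mode meta-model and of its
two generators (an added example, not the NASA plugin's code). A component is
a state machine; a <<Failure>> transition fires when its trigger signal(s)
arrive, and the failed state's entry behaviour sends a <<Failure Mode>> and
an <<Effect>> signal that triggers the next component. Several triggers on one
transition model a guard (redundancy: all listed upstream effects needed)."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class FailureTransition:
    component: str
    triggers: tuple      # all must be received (one entry = plain trigger)
    failed_state: str
    failure_mode: str    # <<Failure Mode>> signal sent by the entry behaviour
    effect: str          # <<Effect>> signal sent by the entry behaviour
    likelihood: str      # constructed FMECA rating, not from the poster


# Constructed model. Kill Switch / Power Bus names follow the poster; the
# Battery, Solar Cells and "Loss of Input Power" details are assumptions.
MODEL = [
    FailureTransition("Kill Switch", ("Mechanical Failure - Stuck Off",), "Stuck Off",
                      "Stuck Off", "Unable to Connect Bus Power", "remote"),
    FailureTransition("Power Bus", ("Unable to Connect Bus Power",), "Kill Switch Failure - Locked Off",
                      "Kill Switch Failure - Locked Off", "No Bus Power", "remote"),
    FailureTransition("Battery", ("Cell Open Circuit",), "No Output",
                      "Open Circuit", "Battery Output Lost", "occasional"),
    FailureTransition("Solar Cells", ("String Interconnect Fracture",), "No Output",
                      "Interconnect Fracture", "Solar Output Lost", "occasional"),
    # Guarded transition: fires only when BOTH upstream effects are present.
    FailureTransition("Power Bus", ("Battery Output Lost", "Solar Output Lost"), "Loss of Input Power",
                      "Loss of Input Power", "No Bus Power", "remote"),
]


def fault_tree(model, effect, _seen=frozenset()):
    """Walk propagation backwards from `effect`. Nodes: ("BASIC", signal) for a
    trigger nothing produces (root cause), ("EVENT", label, gate) for a component
    entering a failed state, ("AND"|"OR", [children]) for gates."""
    if effect in _seen:                      # feedback loop: stop here
        return ("BASIC", effect)
    causes = [t for t in model if t.effect == effect]
    if not causes:
        return ("BASIC", effect)
    events = []
    for t in causes:
        subs = [fault_tree(model, s, _seen | {effect}) for s in t.triggers]
        gate = subs[0] if len(subs) == 1 else ("AND", subs)
        events.append(("EVENT", f"{t.component}: {t.failure_mode}", gate))
    return events[0] if len(events) == 1 else ("OR", events)


def cut_sets(tree):
    """Minimal cut sets: sets of basic events that together cause the top event."""
    kind = tree[0]
    if kind == "BASIC":
        return [frozenset([tree[1]])]
    if kind == "EVENT":
        return cut_sets(tree[2])
    children = [cut_sets(c) for c in tree[1]]
    if kind == "OR":
        sets = [s for child in children for s in child]
    else:  # AND: one cut set from each child, unioned
        sets = [frozenset().union(*combo) for combo in product(*children)]
    minimal = {s for s in sets if not any(o < s for o in sets)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def single_points_of_failure(tree):
    """Basic events that alone cause the top event (cut sets of size one)."""
    return sorted(next(iter(s)) for s in cut_sets(tree) if len(s) == 1)


def fmeca(model):
    """One row per failure mode, propagated forwards under the usual FMECA
    single-failure assumption (other components nominal), so a guarded
    transition that needs a second failure does not fire."""
    rows = []
    for t in model:
        path, signal, seen = [f"{t.component}: {t.failure_mode}"], t.effect, {t.effect}
        while nxt := [c for c in model if c.triggers == (signal,) and c.effect not in seen]:
            path.append(f"{nxt[0].component}: {nxt[0].failure_mode}")
            signal = nxt[0].effect
            seen.add(signal)
        rows.append({"component": t.component, "failure_mode": t.failure_mode,
                     "propagation_path": path, "end_effect": signal, "likelihood": t.likelihood,
                     "masked_by_redundancy": any(signal in c.triggers and len(c.triggers) > 1
                                                 for c in model)})
    return rows


if __name__ == "__main__":
    top = fault_tree(MODEL, "No Bus Power")
    print("minimal cut sets for No Bus Power:", [sorted(s) for s in cut_sets(top)])
    print("single points of failure:", single_points_of_failure(top))
    for row in fmeca(MODEL):
        print(" -> ".join(row["propagation_path"]), "=>", row["end_effect"], row["likelihood"],
              "(masked by redundancy)" if row["masked_by_redundancy"] else "")
```

The minimal cut sets make the redundancy point concrete: Kill Switch Stuck Off is a single-point failure (a cut set of size one reaches No Bus Power), whereas the battery and solar cell failures appear only together in a size-two cut set because the Power Bus guard requires both upstream effects. The FMECA rows are derived from the same transitions, which is also the limit of the "correctness" benefit: a failure mode or propagation link absent from the model is absent from both products, so the catalogue import is the step to review.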
