Modeling of onboard systems operation of small satellites based on general logical-probabilistic method

An approach for simulating the operation of onboard systems of small satellites has been developed. The purpose of the technique is to simulate all possible combinations of malfunctions in the onboard systems of the small satellite, leading to the occurrence of abnormal situations during their operation. As a result of using the technique, a list of emergency situations is created, which is later used to create programs for complex testing of small satellite on-board equipment at the ground testing stage. The use of the technique leads to a reduction in time for the preparation of tests, provides support in making decisions on the management of the small satellites and reduces the response time to emergency situations that arise during operation.


Introduction
During the operation of any spacecraft, a variety of abnormal situations may occur, including those that were not described in the instructions for spacecraft control in flight and that cannot be solved by using the instructions for spacecraft control prepared during the ground testing phase in the event of a failure, malfunction or other emergency [1].
In order to overcome unforeseen emergency situations, the condition of on-board systems is analyzed and the algorithms to restore the functional state are refined. However, the process of clarification, which includes the analysis of causes and consequences of emergency situations, the analysis of on-board satellite systems and the development of a final solution may take a significant amount of time, which negatively affects the performance of the satellite system. For example, the typical process of restoring the functional state of AIST (a joint project of Samara University and Progress Rocket and Space Center) after the occurrence of emergency situations not solved by standard control instructions takes from one to two months [2,3].
The solution of the problem can obtained with methods of modeling the functioning of satellites on-board systems in order to form a list of all possible combinations of malfunctions in the operation of on-board systems, resulting in emergency situations in the process of operation. The obtained information can be used to facilitate the drawing up of electrical and complex test programs, as well as to reduce the probability of non-calculated failures in the process of satellite operation.

Method of modeling the operation of onboard systems
The method of modeling the functioning of satellite on-board systems consists of the following procedures:  A disjunctive rib is a logical OR operator between multiple disjunctive ribs coming into one vertex. A conjunctive edge is an "AND" logical operator between a set of conjunctive edges coming into one vertex.
Direct output means condition of output function realization by the corresponding element ( n y ). The output function of an element (Block of equipment) is to perform its target task.
Inverse output means condition that the output function ( n y ) is not implemented by the corresponding element (logical operator "NOT") [5].   Figure 2 shows a functional integrity scheme of one of the simplest onboard systems of the "AIST" satellite -navigation equipment. The letters j, k, m, i and n indicate the units of on-board equipmentthe antenna units (j, k), the telemetry and power supply unit (TPSU) (m), the main unit of navigation equipment (i) and the information exchange module (n). Letters y j , y k , y m , y i , y n mark the corresponding output functions.

Modelling of the "AIST" navigation equipment
After drawing up the scheme of the onboard satellite system, its output functions are drawn up which combine conditions of realization by the system of the target task and conditions at which this task is not carried out (that corresponds to infringement of working capacity).
Output functions of navigation equipment: From the first function it follows that the navigation equipment of the satellite is able to perform the target task, provided that the TPSU, the main unit of navigation equipment, the information exchange module are functioning normally, and at least one of the two antennas.
The second function suggests that malfunction of the power and telemetry controller, or the main unit of navigation equipment, or information exchange module failed, or both antennas is enough to in lose the performance of navigation equipment.
Then, according to the output functions of the on-board system, combinations of conditions are prepared under which a malfunction of the system is possible (while maintaining partial operability) or a failure of the whole system (total loss of operability).
The combinations are recorded in tabular form and then interpreted in a form understandable to the satellite operator, which may be in the form of the same tables or algorithms linking the cause of the failure with the procedure for its elimination.
According to the function (1), failure of navigation equipment may occur due to failure of one of the two antennas (table 1). Failure of the antenna #2 a Navigation equipment malfunction function The reasons for complete loss of navigation equipment performance according to function (2) can be presented in the following form (table 2). Information on the performance of on-board equipment during operation is contained in the telemetry measurement (TMI) frames, which are formed by the central computer or the on-board system that functionally replaces it. The procedures presented in table 3 may serve as an example of operator's actions in case of an emergency situation related to failure to receive or violation of navigation data integrity from navigation equipment. Work with NORAD navigation data

Modelling of the "AIST" Telemetric and Power Supply Unit
As noted above, the operation of the on-board equipment is characterized by telemetric parameters such as voltage, current, speed, operating mode, etc. With the TMI, the functional integrity scheme and the output functions of the system's operability, it is possible to associate specific telemetry parameters with the functional nodes of the developed FIS and thus accelerate the process of the on-board system status analysis.
Here is an example of an FIS and output functions of the TPSU unit responsible for power distribution between the onboard systems and accumulation of telemetry information.
The TPSU consists of three identical semi-complexes, each of which is able to independently perform the functions of power distribution and TMI collection in case of failure of the other semicomplexes.
The TPSU FIS is presented in figure 3. The TPSU receives electricity from solar panels (s), converts it using DC-DC converters (g, v1, v2, v3), then accumulates it in the battery (h) and switches between consumers. Control of the onboard equipment and TMI collection is performed with the help of built-in microprocessors (m1, m2, m3) and CAN-1, CAN-2 (d1, d2) data transmission channels.
According to the presented scheme, output functions of working capacity and inoperability of TPSU are derived: The output functions of the TPSU half sets will look as follows:  Figure 3. Functional integrity scheme of the "AIST" TPSU.
The next stage consists in assignment of each functional node of FIS TPSU of telemetric parameter which characterizes its functioning according to the operational documentation on the satellite platform. Table 4 shows the list of functional vertices of "AIST" TPSU, corresponding to them telemetric parameters and values that characterize their normal and non-normal functioning. Ubs 9…15 V less than 9 and more than 15 V Thus, the evidence that the functional node properly performs its assigned function is the standard value of the corresponding telemetry parameter. In the event of a malfunction of the functional node, the corresponding telemetry parameter returns a non-normal value.
An example of satellite's operator actions in case of TPSU operability disturbance, related to incorrect power distribution between equipment units, insufficient replenishment of accumulator battery energy reserves, violation of information links with equipment units or errors in accumulated TMI, can be procedures presented in table 5.
Thus, having connected telemetric parameters of "AIST" TPSU with the developed FIS and logical functions, it becomes possible to carry out the analysis of the state of the given equipment unit, taking into account its structure and functional submission of separate elements, allowing operatively to form recommendations on the solution of emergency situations in case of their occurrence.
The information on the functional subordination of individual equipment units, which is reflected in the developed scheme and output functions, can also be used as a tool to verify the compliance of

Results
As a result of application of a method of construction of functioning schemes for research of properties of system objects, schemes of five onboard systems of "AIST" satellites have been developed, and also their output functions are determined. It allowed to create a tool to support decision making on satellite management and to reduce time of response to emergency situations. The developed schemes can be used in ground testing of similar satellites as an additional testing of subsystems compliance with their intended algorithms of operation.

Conclusion
The described method for modeling on-board systems allows to create a full logical and probabilistic satellite model, which can simplify the process of analyzing its state during operation [6,7,9]. Further evolution of the method consists in the development of an approach that allows, based on logical and probabilistic models of on-board systems, to predict the state of the satellite in order to prevent possible emergency situations associated with the degradation and failures of on-board equipment.

Acknowledgments
The research carried out within the framework of the state assignment of the Ministry of Science and Higher Education of the Russian Federation (FSSS-2020-0017).