2019 NEPP ETW: Model-Based Radiation Assurance for Satellites with Commercial Parts (nepp.nasa.gov)

Transcription

NEPP ETW 2019
Model-Based Radiation Assurance for Satellites with Commercial Parts
A. Witulski, B. Sierawski, R. Austin, G. Karsai, N. Mahadevan, R. Reed, R. Schrimpf
Vanderbilt University

This work supported by NEPP and NASA OSMA Grant and Cooperative Agreement Number 80NSSC18K0493 and by JPL Subcontract Number 1592616

Acronyms and Abbreviations
Vanderbilt Engineering

- CRÈME: Cosmic Ray Effects on Micro-Electronics Code
- GSN: Goal Structuring Notation
- JWST: James Webb Space Telescope
- MBMA: Model-Based Mission Assurance
- MBE: Model-Based Engineering
- MOSFET: Metal Oxide Semiconductor Field Effect Transistor
- MRQW: Microelectronics Reliability & Qualification Workshop
- NASA: National Aeronautics and Space Administration
- R&M: Reliability & Maintainability
- R-GENTIC: Radiation GuidelinEs for Notional Threat Identification and Classification
- RESIM: Radiation Effect System Impact Modeling
- RHA: Radiation Hardness Assurance
- SEAM: System Engineering and Assurance Modeling
- SEB: Single Event Burnout
- SiC: Silicon Carbide
- STD: Standard
- SysML: System Modeling Language

Radiation Assurance Approaches for Space Systems

Conventional:
- Widespread use of radiation hardened components
- Deep knowledge of components
- Several heavy-ion beam test campaigns
- Informed use of physics-based radiation modeling tools
- Relatively high budget and long term development schedule
- Formal documentation of test procedures and results

"New, Commercial Space":
- Widespread, if not 100%, use of COTS parts
- Little insight into components
- Minimal testing, possibly only proton testing of sub-systems
- Little use of radiation modeling tools
- Low budget, accelerated development schedule
- Little formal documentation or evidence of radiation behavior

Radiation Assurance for Space Systems

Conventional: widespread use of radiation hardened components; several heavy-ion beam test campaigns; relatively high budget and long term development schedule.

"New, Commercial Space": widespread, if not 100%, use of COTS parts; minimal testing, possibly only proton testing of sub-systems; low budget, accelerated development schedule.

What can we do early in the development of the project, other than formal modeling or ion-beam testing, to "buy down" risk of radiation-related failures?

Platform for Creation of a Radiation Assurance Case

Useful radiation reliability assurance platform characteristics:
- Model-based approach: digital representation of objects
- Tolerant of uncertainty, various levels of model fidelity
- Flexible as new info/design changes become available
- Qualitative arguments about why the system will work
- Quantitative estimates for reliability and location of weak links
- Systematically covers known faults (not ad hoc)

System Engineering and Assurance Modeling (SEAM) Platform
- Web-browser based
- Can access as guest or create account
- Creates system model diagrams and argument for radiation assurance case
- Maintained by Vanderbilt University
- Contains examples and /

Overall System Reliability Characterization Flow

SEAM holds two views of the system:
- SysML (diagrammatic): system architecture, part rad faults, system functions, specifications
- GSN (text based): specifications, environment info, Goal/Strategy/Evidence, assurance argument

From SEAM the system information is exported to three kinds of analysis:
- RESIM/Questa [1,2] (quantitative, based on rad data): mixed signal sim, functional models, system waveforms, electrical rad sims, timing diagrams, probability distributions
- Bayesian Nets: identify a function, create BN graph, export to BN tool
- Fault Trees (tied to system functions): create FT structure, export to FT evaluation tools

[1] A. F. Witulski, et al., RADECS, Sept. 2018.
[2] A. F. Witulski, et al., Trans. Nucl. Sci., August 2019.

Systems Engineering Assurance and Modeling (SEAM)

Program History
- FY16: Started as collaboration of NASA OSMA, HQ, NEPP
  - Work on Goal Structuring Notation safety cases
  - Single events on SRAM CubeSat application
- FY17: Collaboration of NASA OSMA, HQ, NEPP
  - Added SysML and Bayesian Nets (BN) to platform
  - JPL sponsors application to C&DH board
- FY18: NASA OSMA, HQ, NEPP, JPL
  - Coverage checks, start work on requirements, compatibility with Magic Draw, fault trees
- FY19: NASA OSMA, HQ, NEPP, JPL
  - Requirements, fault trees
  - Initial import of radiation modeling tools
  - Application of SEAM to development lifecycle

Radiation Reliability Assessment of CubeSat SRAM Experiment Board
- Assessment completed on REM 28nm SRAM SEU experiment
- Reasons for integrated modeling:
  1. Use commercial off-the-shelf (COTS) parts
  2. System mitigation of SEL
  3. System mitigation of SEFI on microcontroller SRAM

Courtesy of AMSAT

System-level RHA: Block Diagram of 28nm SRAM SEU Experiment ("REM Board")

Main concern: Single Event Latchup

Blocks shown in the diagram (the drawing itself is not reproduced in the transcription): uController with WDI/WDO, WDT, Quad Flip-Flop, Load Switch A, Load Switch B, Core Regulator, I/O Regulator, Logic Regulator, Logic Translation, SRAM (Addr, Data, Control).

Power domain color key:
- Blue: Spacecraft 3V
- Orange: 3V switch
- Green: 3V uC
- Red: SRAM voltages

Functional Model: Count Upsets in SRAM (modelbasedassurance.org)

Top level function: Count Upsets

Layers of the functional model, top to bottom: radiation effect; mitigation functions; electrical functions; components.

Functional models associate functions with components.

Architectural Model of REM Board (modelbasedassurance.org)

Architectural models capture the structure and interconnection of the system and fault propagation. Power is drawn with red lines, signals with green lines.

Component Fault Propagation Model (modelbasedassurance.org)

Fault propagation models show how fault effects originate in components and propagate from the component through the structure of the system. Elements of the model:
- Fault: the originating fault, e.g. TID, SEE
- Anomaly: the effect of a fault
- Port: passes anomalies to other components

Goal Structuring Notation (GSN) [1]

Colors/shapes denote function:
- Goal: claim
- Strategy: inference
- Solution: evidence
- Context: background
- Justification: rationale
- Assumption: unsubstantiated claim

Benefits of GSN:
- Makes assumptions explicit
- Connects assurance case to models of system
- Shows how argument is supported by evidence
- Context shows spacecraft environment and requirements

[1] GSN Community Standard Version 1, 2011.

GSN Assurance Case: REM SEU Experiment Board
- Top goal states overall objective
- Mission constraints can be radiation environment, performance requirements, cost constraints, etc.
- Top-level goals and strategies track NASA R&M template
(Diagram continues: "To Strategy 2")
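The two GSN properties the slides lean on, that assumptions are explicit and that every goal traces to evidence, can be checked mechanically once the argument is data rather than a drawing. The following is an added example, not SEAM code or the Vanderbilt REM-board argument: it models the six GSN node kinds from the previous slide and walks a small, constructed argument for the REM board, reporting goals with no supporting strategy, sub-goal or solution, and every assumption the argument rests on. The node ids, texts and structure are invented for illustration.

```python
"""Minimal Goal Structuring Notation (GSN) argument checker (added example, not SEAM)."""
from dataclasses import dataclass, field

# Node kinds from the GSN slide: Goal=claim, Strategy=inference, Solution=evidence,
# Context=background, Justification=rationale, Assumption=unsubstantiated claim.
KINDS = {"Goal", "Strategy", "Solution", "Context", "Justification", "Assumption"}


@dataclass
class Node:
    id: str
    kind: str
    text: str
    supported_by: list = field(default_factory=list)    # Goal / Strategy / Solution children
    in_context_of: list = field(default_factory=list)   # Context / Justification / Assumption

    def __post_init__(self):
        if self.kind not in KINDS:
            raise ValueError(f"unknown GSN node kind {self.kind!r}")


def check_argument(nodes, top_id):
    """Walk the argument from the top goal.

    Returns (unsupported, assumptions): ids of goals/strategies with nothing under
    them, and (node, assumption) pairs for every assumption the argument relies on.
    """
    by_id = {n.id: n for n in nodes}
    unsupported, assumptions, seen = [], [], set()
    stack = [top_id]
    while stack:
        nid = stack.pop()
        if nid in seen:
            continue
        seen.add(nid)
        node = by_id[nid]
        for cid in node.in_context_of:
            if by_id[cid].kind == "Assumption":
                assumptions.append((nid, cid))
        kids = [by_id[c] for c in node.supported_by]
        if node.kind == "Goal":
            # A goal must be decomposed (strategy / sub-goal) or backed by evidence.
            if not any(k.kind in ("Goal", "Strategy", "Solution") for k in kids):
                unsupported.append(nid)
        elif node.kind == "Strategy":
            # A strategy that produces no sub-goals argues nothing.
            if not any(k.kind == "Goal" for k in kids):
                unsupported.append(nid)
        stack.extend(k.id for k in kids)
    return unsupported, assumptions


# Constructed argument for the REM board; ids and texts are illustrative only.
REM_ARGUMENT = [
    Node("G1", "Goal", "REM board counts SRAM upsets for the mission lifetime",
         supported_by=["S1"], in_context_of=["C1"]),
    Node("C1", "Context", "Mission orbit, lifetime and 3V spacecraft bus (constructed)"),
    Node("S1", "Strategy", "Argue over each radiation effect", supported_by=["G2", "G3"]),
    Node("G2", "Goal", "Single event latchup in the SRAM is mitigated",
         supported_by=["Sn1"], in_context_of=["A1"]),
    Node("A1", "Assumption", "Load switch trips before SEL current damages the SRAM"),
    Node("Sn1", "Solution", "Heavy-ion SEL test report with load-switch current monitoring"),
    Node("G3", "Goal", "SEFI on the microcontroller is recovered by the watchdog"),  # no evidence yet
]


def report(nodes=REM_ARGUMENT, top="G1"):
    """Summarise the coverage check as a dict the test (or a CI job) can assert on."""
    unsupported, assumptions = check_argument(nodes, top)
    return {"unsupported": unsupported, "assumptions": [a for _, a in assumptions]}


if __name__ == "__main__":
    print(report())
```

Run as a script it reports G3 as an unsupported claim (the SEFI goal has no solution attached yet) and A1 as the one assumption the argument depends on; in a time-varying case the same walk would be re-run whenever a node is added or evidence is withdrawn.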

Mission Assurance over the Development Lifecycle
- Create radiation assurance case early in the development cycle: find radiation problems earlier
- "Time-Varying" Radiation Assurance Case: R. A. Austin, R. D. Schrimpf, A. F. Witulski, N. Mahadevan, G. Karsai, B. D. Sierawski, and R. A. Reed, "Capturing and Modeling Radiation Hardness Assurance throughout the Project Lifecycle," 27th Annual Single Events Symposium, La Jolla, CA, 2019.
- Interaction of requirements, component knowledge, and system design information

The Parts Engineer
- Starting point: Single-event Burnout requirement
- End work product: the approved part list
- Information needed: mission orbit and lifetime (can change), parts currently in the system (can change), how the parts are used in the system (can change)
  - How can I keep up to date with system changes?
  - How can I capture my analysis?
- Solution: Model-Based Mission Assurance (MBMA)

Example approved part list (the reliability calculation is attached to the entry, and this happens over the lifecycle):

Part | Status | Comment
Microcontroller | Passed |
SiC power MOSFET | Passed with comments | Probability of failure of 2% at derating of 50% with current shielding

(Image credits: Northrop Grumman, NASA)

NASA Project Lifecycle Phases
- The reliability tests and analysis required to verify the requirement take place during several life-cycle phases
  - In addition, the analysis requires the system to mature and will have to be re-evaluated if the system or mission changes
- Milestones placed on the phase timeline: Requirement Defined; Environment Definition, Worst Case Analysis; Radiation tests; Reliability predicted

Today's Example: Single Event Burnout Requirement

Requirement Defined (in Phase B)
- Beginning of Phase B: GSN template for part assurance
  - Generic goals generated from part assurance templates
  - Framework for planning RHA activities
- Requirement: The probability of failure from SEB shall be less than 1%

Today's Example: Single Event Burnout Requirement

Environment Definition, Worst Case Analysis, Radiation Test Performed (the slide build-up shows these happening over the course of Phase B, with the radiation test marked as performed in Phase C)
- Information about system needed in order to perform test:
  - Mission length, orbit, and shielding: inputs to environment tool
  - Part use in system: inputs to determine parametric failure levels
  - Outputs from environment tool and part failure analysis: inputs for radiation test

Today's Example: Single Event Burnout Requirement

Reliability Predicted (end of Phase C)
- Requirement: Mission shall meet a reliability level
- End of Phase C
  - Probability calculation
  - Assuming nothing changed about the system from Phase B
- Reliability calculation attached to solution
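The SEB walkthrough hinges on the phrase "assuming nothing changed about the system from Phase B": the environment definition, the worst-case analysis and the final probability each depend on inputs (orbit, lifetime, shielding, part, derating) that the parts engineer said can change. The following is an added example, not SEAM's implementation, showing one way to make an assurance case time-varying in code: every analysis records a snapshot of the inputs it was computed from, an input change marks the dependent analyses stale, and the requirement status drops back to "open" until they are redone. The 2% and 1% figures come from the slides; the input values, the analysis names and their dependency lists are constructed assumptions.

```python
"""Time-varying bookkeeping for an SEB requirement (added example, not SEAM code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Analysis:
    name: str
    depends_on: tuple                     # input keys this analysis is computed from
    snapshot: dict = field(default_factory=dict)   # input values at the time of analysis
    result: Optional[float] = None

    def is_current(self, inputs):
        """Valid only if it has a result and none of its inputs changed since."""
        return self.result is not None and all(
            inputs.get(k) == self.snapshot.get(k) for k in self.depends_on)


class SebAssuranceCase:
    REQUIREMENT = 0.01   # "probability of failure from SEB shall be less than 1%"

    def __init__(self, inputs):
        self.inputs = dict(inputs)
        # Dependency lists are an assumption of this example, modelled on the
        # "information needed" slide: environment from orbit/lifetime/shielding,
        # worst case from how the part is used, final probability from both.
        self.analyses = {
            "environment": Analysis("environment", ("orbit", "lifetime_years", "shielding_mm")),
            "worst_case": Analysis("worst_case", ("part", "derating")),
            "seb_pof": Analysis("seb_pof", ("orbit", "lifetime_years", "shielding_mm",
                                            "part", "derating")),
        }

    def record(self, name, result):
        """Attach a result and freeze the inputs it was derived from."""
        a = self.analyses[name]
        a.snapshot = {k: self.inputs[k] for k in a.depends_on}
        a.result = result

    def change_input(self, key, value):
        """Apply a mission/design change and return the analyses it invalidates."""
        self.inputs[key] = value
        return self.stale()

    def stale(self):
        return [n for n, a in self.analyses.items() if not a.is_current(self.inputs)]

    def requirement_status(self):
        if self.stale():
            return "open"          # some evidence is missing or was computed on old inputs
        pof = self.analyses["seb_pof"].result
        return "met" if pof < self.REQUIREMENT else "not met"


def demo():
    """Constructed lifecycle: Phase B analysis, a shielding change, re-analysis."""
    case = SebAssuranceCase({"orbit": "LEO", "lifetime_years": 2, "shielding_mm": 3.0,
                             "part": "SiC power MOSFET", "derating": 0.5})
    trace = []
    case.record("environment", 1.2e3)   # constructed environment-tool output
    case.record("worst_case", 0.5)      # constructed worst-case stress fraction
    case.record("seb_pof", 0.02)        # 2% at 50% derating with current shielding (slide)
    trace.append(case.requirement_status())            # 2% > 1%: not met
    stale = case.change_input("shielding_mm", 5.0)     # design change: more shielding
    trace.append(case.requirement_status())            # environment + pof now stale: open
    case.record("environment", 8.0e2)                  # constructed re-run
    case.record("seb_pof", 0.008)                      # constructed re-run
    trace.append(case.requirement_status())            # 0.8% < 1%: met
    return trace, stale


if __name__ == "__main__":
    print(demo())
```

The worst-case analysis survives the shielding change because it depends only on the part and its derating; that selective invalidation is what lets the parts engineer answer "how can I keep up to date with system changes?" without re-running everything.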

Conclusions
- MBMA is a function of time
  - Captures the evolution of mission assurance as the system is developed
- MBMA enables concurrent engineering of reliability and design engineering
  - Argument structure shows how a requirement is verified and how it is derived
- MBMA enables intelligent mission-specific requirements
  - Illustrates the creation of reliability requirements as more about the mission is known

Fault Tree Generation Capability Added to SEAM
- Fault tree captures logical relationships between events
- Inputs are probabilities of events
- System information in SEAM SysML model can be used to generate fault trees for various system functions
- Fault tree structure can be exported in standard format to other reliability tools

Example: Fault Tree for Temperature Control Loop of a Command and Data-Handling Board

Generated from the functional and architectural model in SEAM. Top event: system function failure; basic events: component failure modes.
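The fault-propagation slides (fault, anomaly, port) and the fault-tree slides describe one pipeline: anomalies leave a component through its ports, travel the architectural links, and whichever basic events can reach a component a function relies on become the leaves of that function's fault tree. The following is an added example, not SEAM's generator, that implements that pipeline end to end for a constructed REM-board-like topology: a load switch absorbs the overcurrent anomaly of an SRAM latchup, the bus turns an unmitigated overcurrent into an undervoltage on its power outputs, and the resulting OR-gate tree is evaluated under the usual independent-events assumption. Component names follow the block diagram; the failure modes, anomaly names, link domains and probabilities are invented for illustration.

```python
"""Fault propagation model -> fault tree for a system function (added example, not SEAM)."""
from collections import deque


class Component:
    """Block of the architectural model.

    failure_modes: (mode, anomaly, domain, probability); the anomaly leaves on links of `domain`.
    mitigates:     anomaly types this component absorbs instead of passing on.
    transforms:    anomaly -> (new anomaly, new domain) re-emitted by this component.
    """
    def __init__(self, name, failure_modes=(), mitigates=(), transforms=None):
        self.name = name
        self.failure_modes = list(failure_modes)
        self.mitigates = set(mitigates)
        self.transforms = dict(transforms or {})


class Architecture:
    def __init__(self):
        self.components = {}
        self.links = {}              # name -> [(neighbour, domain)]

    def add(self, comp):
        self.components[comp.name] = comp
        self.links.setdefault(comp.name, [])

    def connect(self, src, dst, domain):
        self.links[src].append((dst, domain))

    def reach(self, origin, anomaly, domain):
        """Components an anomaly raised at `origin` reaches (port-to-port propagation)."""
        reached, seen = set(), set()
        queue = deque([(origin, anomaly, domain)])
        while queue:
            c, an, dom = queue.popleft()
            if (c, an) in seen:
                continue
            seen.add((c, an))
            reached.add(c)
            comp = self.components[c]
            if c != origin and an in comp.mitigates:
                continue                             # absorbed here, e.g. load switch trips
            if an in comp.transforms:
                an, dom = comp.transforms[an]        # e.g. bus: overcurrent -> undervoltage
            queue.extend((n, an, dom) for n, d in self.links[c] if d == dom)
        return reached


def generate_fault_tree(arch, function_name, relies_on):
    """OR gate of every basic event whose anomaly reaches a component the function uses."""
    events = []
    for comp in arch.components.values():
        for mode, anomaly, domain, p in comp.failure_modes:
            if arch.reach(comp.name, anomaly, domain) & set(relies_on):
                events.append({"event": f"{comp.name}:{mode}", "anomaly": anomaly, "p": p})
    return {"top": f"{function_name} fails", "gate": "OR", "events": events}


def top_event_probability(tree):
    """P(OR) for independent basic events: 1 - prod(1 - p_i)."""
    q = 1.0
    for e in tree["events"]:
        q *= 1.0 - e["p"]
    return 1.0 - q


def event_names(tree):
    return [e["event"] for e in tree["events"]]


def build_rem_like(load_switch_mitigates=True):
    """Constructed topology; names follow the block diagram, everything else is made up."""
    a = Architecture()
    a.add(Component("Bus3V", [("brownout", "undervoltage", "power", 0.001)],
                    transforms={"overcurrent": ("undervoltage", "power")}))
    a.add(Component("LoadSwitchA", [("stuck_off", "no_power", "power", 0.002)],
                    mitigates=["overcurrent"] if load_switch_mitigates else []))
    a.add(Component("SRAM", [("SEL", "overcurrent", "current", 0.05)]))
    a.add(Component("uC", [("SEFI", "hang", "signal", 0.02)]))
    a.connect("Bus3V", "LoadSwitchA", "power")      # supply flows downstream ...
    a.connect("LoadSwitchA", "SRAM", "power")
    a.connect("Bus3V", "uC", "power")
    a.connect("SRAM", "LoadSwitchA", "current")     # ... current draw is seen upstream
    a.connect("LoadSwitchA", "Bus3V", "current")
    a.connect("SRAM", "uC", "signal")
    return a


if __name__ == "__main__":
    for mitigated in (True, False):
        t = generate_fault_tree(build_rem_like(mitigated), "uC keeps running", ["uC"])
        print(mitigated, event_names(t), round(top_event_probability(t), 6))
```

With the load switch modelled as mitigating overcurrent, the SRAM latchup event drops out of the tree for "uC keeps running" but stays in the tree for "count upsets", which is exactly the distinction the REM board's system-level SEL mitigation is meant to buy; removing the mitigation puts the latchup back into the microcontroller's tree through the bus.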

Activities for SEAM Development in Coming Year
- Promote visibility and adoption of SEAM, e.g., University Nanosat program at AFRL, S3VI at NASA, AAQ at Auburn, NASA MBx community
- Lower the barriers to learning and using SEAM: identify required prior knowledge and skills and make that information explicit
- Develop more libraries and templates of common spacecraft components, functions, assurance arguments

Bibliography

Systems Engineering Model-Based Assurance (SEAM)
- R. Austin, "A Radiation-Reliability Assurance Case Using Goal Structuring Notation for a CubeSat Experiment," M.S. Thesis, Vanderbilt University, 2016.
- J. Evans, S. Cornford, M. Feather, "Model based mission assurance: NASA's assurance future," Reliability and Maintainability Symposium (RAMS), pp. 1-7, 2016.
- S. Friedenthal, A. Moore, R. Steiner, "OMG SysML ial-Final-090901.pdf," INCOSE, 2009.
- A. Witulski, R. Austin, G. Karsai, N. Mahadevan, B. Sierawski, R. Schrimpf, R. Reed, "Reliability Assurance of CubeSats using Bayesian Nets and Radiation-Induced Fault Propagation Models," NEPP Electronic Technology Workshop (ETW), 2017, nepp.nasa.gov/workshops/etw2017/talks.cfm.
- GSN Community Standard Version 2, Assurance Case Working Group (ACWG), SCSC-141B, Jan. 2018.
- J. W. Evans, F. Groen, L. Wang, R. Austin, A. Witulski, N. Mahadevan, S. L. Cornford, M. S. Feather and N. Lindsey, "Towards a Framework for Reliability and Safety Analysis of Complex Space Missions," Session 269-NDA-06, 2017 AIAA SciTech Conference, Grapevine, Texas, January 11, 2017.
- A. Witulski, B. Sierawski, R. Austin, G. Karsai, N. Mahadevan, R. Reed, R. Schrimpf, K. LaBel, J. Evans, P. Adell, "Model-Based Assurance for Satellites with Commercial Parts in Radiation Environments," Paper SSC18-WKV-04, AIAA Small Satellite Conference, Ogden, Utah, August 2018, available online in Small Sat archive.
- B. Sierawski, R. Austin, A. Witulski, N. Mahadevan, G. Karsai, R. Schrimpf, R. Reed, "Model Based Mission Assurance," 27th Annual Single Event Effects (SEE) Symposium, May 21-24, 2018, San Diego, CA.
- R. Austin, N. Mahadevan, J. Evans, A. Witulski, "Radiation Assurance of CubeSat Payloads Using Bayesian Networks and Fault Models," 64th IEEE Annual Reliability and Maintainability Symposium, Reno, NV, January 22-25, 2018.

Radiation Effect System Impact Modeling (RESIM) (Mentor Questa Flow)
- A. F. Witulski, N. Mahadevan, J. Kauppila, G. Karsai, P. Adell, H. Schone, R. D. Schrimpf, "Simulation of Transistor-Level Radiation Effects On Board-Level Performance Parameters," IEEE Radiation Effects on Components and Systems (RADECS), Sept. 2018.
- A. F. Witulski, N. Mahadevan, J. Kauppila, G. Karsai, P. Adell, H. Schone, R. D. Schrimpf, A. Privat, and H. Barnaby, "Simulation of Transistor-Level Radiation Effects On System-Level Performance Parameters," accepted for publication in the IEEE Transactions on Nuclear Science; available on IEEE Xplore Early Access.
