This paper presents the extended dynamic fault tree (eDFT) model for the fault-tolerant Onboard Data Handling (OBDH) software used in microsatellites. For high reliability, when the primary processor fails, a hot or warm spare automatically and uninterruptedly starts running the OBDH software without loss of critical data. Memory with triple-modular redundancy and a communication bus with a spare are frequently employed in OBDH subsystem design. The important feature that distinguishes OBDH software from hardware is software reconfiguration/redundancy: in safe mode, some OBDH software modules, or even the whole software, can be reconfigured. Because the traditional fault tree cannot model dynamic redundancy, the eDFT must model this case to evaluate the instantaneous reliability of OBDH software. A time-to-failure tree (TTFT) can be used to implement the conversion of the eDFT model. The result shows that this approach is fast and prompt, and that the acceleration is in direct proportion to the number of TTFT units.
INTRODUCTION
The fault tree (FT) model can be used to qualitatively and quantitatively analyze the reliability of a dynamic system by representing the logical relationships among system events and the failure rate of the top event (Boudali et al., 2010). The combination of graphical and mathematical representations of FT events is used to obtain the failure properties of the system. The traditional FT, however, cannot model dynamic system behaviour such as restoration and reconfiguration, sequential failure, and hot/cold/warm backups.
The Dynamic Fault Tree (DFT) model has the advantages of both the fault tree model and the Markov model, while excluding some of their shortcomings. It has dynamic gates (such as PAND, SEQ, FDEP, CSP, HSP, WSP, etc.) (Karanki et al., 2009) representing dynamic behaviours and standby backups, so it is convenient for representing reconfigurable and redundant systems and accurate for evaluating system reliability. But for OBDH software there are some restrictions, including binary events, unrepairable modules, failure rate distributions, and so on. Therefore, this paper presents the eDFT model for OBDH software.
For computing the quantitative reliability of a dynamic system, the traditional analytic approach is to convert the DFT to a state-space model and solve it in the domain of Markov chain processes (Smotherman et al., 1989), or to use Monte Carlo simulation (Manno et al., 2012). Unfortunately, it is very difficult to apply the above methods to an embedded system such as OBDH hardware/software, whose failure rate distributions are not only exponential but also Weibull, Gaussian, or lognormal. On the other hand, the Markov approach always suffers from state-space explosion for complex and large systems. In addition, Monte Carlo simulation is limited by its time consumption and intensive computation: a more accurate simulation needs a far larger number of simulated samples for rare events. So this paper provides a novel approach which converts the eDFT to a TTFT, and the TTFT can be realized in a digital circuit.
This article is organized as follows: Section 2 briefly introduces the DFT and eDFT models and provides the conversion method from eDFT to TTFT. Section 3 describes the general architecture of the OBDH hardware/software system of a microsatellite and the model features of OBDH software. Section 4 shows how the translation approach is implemented by hardware design. Section 5 presents the approach to performance estimation and provides a discussion. Section 6 concludes.
ANALYSIS OF EDFT MODEL

The DFT model
Static fault trees are constructed from traditional logic gates such as AND, OR and k/n, and are analyzed by Boolean algebra and probability. A DFT, on the other hand, is a reliability model which shows how an undesired, time-dependent event can occur; it is a tree graph in which the leaves are called basic events (BEs) and the other elements are gates. The occurrence of the top event (TE) through the sequential and time-dependent logic of the fault scenario represents system failure. The DFT extends the traditional fault tree gates (OR gate, AND gate, k/n gate, etc.) with six basic gates: priority AND gate (PAND); functional dependency gate (FDEP); sequence enforcing gate (SEQ); cold spare gate (CSP); warm spare gate (WSP); hot spare gate (HSP) (Dugan et al., 1992). These gates are shown in Figure 1.
The eDFT model
Because highly reliable satellite OBDH software is designed to be reconfigurable, redundant, dynamic and multi-layered, we present the eDFT model on the basis of the DFT. It allows a BE to be fuzzy rather than only binary, and supports repair of a function, a module, or even the whole software. In addition, the eDFT model extends spares to be any dependent or independent module, and dynamic gates are triggered not only by BEs but also by BE-extensions, including static gates, hierarchical dynamic gates and stochastic hybrid gates.
Besides, the BEs and BE-spares of OBDH software may follow various distributions such as the exponential failure distribution, the Weibull distribution, etc. What is more, the eDFT model must be suitable not only for failure rates which are individual functions of more than one time-dependent variable, but also for time-dependent failure rates characterizing failure distributions such as the Weibull distribution, similar to non-homogeneous continuous-time Markov chains.
The eDFT analysis by TTFT translation
This section presents the conversion from eDFT to the corresponding TTFT, including hierarchical dynamic or static gates, stochastic hybrid dynamic gates, etc.
eSEQ-TTFT conversion
The SEQ gate is used to force the input events to occur in a specific (left-to-right) order (Karanki et al., 2009). An input BE to a SEQ gate is not activated until all of the inputs to its left have already occurred. Figure 2 shows how ADD units in the TTFT correspond to the hierarchical SEQ gate. In Figure 2, the failure of BE X_i occurs at T_i (i = 1, 2, ..., n). Only after the current event occurs at T_i does the next event X_{i+1} become active.
eFDEP-TTFT conversion
The FDEP gate allows the occurrence of some events to trigger other dependent components to become unavailable (Karanki et al., 2009). The TTFT of the BEs or BE-extensions is equal to the shorter of the time left before the trigger event or BE happens and the time left before the consequent event happens. The MIN unit, shown in Figure 3, is used to implement the corresponding eFDEP event of the dynamic software. The MIN unit can be obtained from a logic magnitude comparator.
eCSP-TTFT conversion
The primary (active) BE or BE-extension is the left-most input to the cold spare gate (Karanki et al., 2009). The CSP gate can be directly converted to Selector and ADD units. The other inputs indicate cold spare units that can be switched on demand to active operation. Although a CSP gate with more than two inputs cannot be directly implemented with Selector and ADD units, the conversion can be completed with a hierarchy of two-input CSP gates, each of which can then be converted to Selector and ADD units. Figure 4 shows an example of the conversion to a logic circuit from an eCSP with three inputs and one cold spare.
eWSP/eHSP-TTFT conversion
The warm spare (WSP) and hot spare (HSP) gates are used to model warm and hot spares (Karanki et al., 2009). Even while dormant, warm and hot spares may fail at any time. The failure rate of a warm spare component changes when it is switched to active use. The failure rate of a hot spare, however, is constant whether it is dormant or active. The implementation of warm and hot spares can be accomplished by a hybrid of Selector and ADD units.
Take triple-redundant processors A1, A2, A3 and one warm spare as an example. Figure 5 shows how to convert them to the logic circuit of the TTFT. In the same way, Selector and ADD units can be used to model hot spares; however, and are generated without altering the failure rate.
ePAND-TTFT conversion
PAND is used to detect certain sequences of events (Karanki et al., 2009; Ruijters and Stoelinga, 2015). The extended PAND (ePAND) gate has more than two input BEs or BE-extensions and activates only if the input events occur in a given order (left to right). Figure 6 shows the digital circuit of the ePAND gate obtained by converting it to the TTFT. Here and are the TTFT and the Boolean indicator of component i; and are the TTFT and the Boolean indicator of the system, respectively. The MAX-Infinite unit can be implemented using digital magnitude comparators.
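The gate-to-unit conversions of this section (eSEQ to ADD chains, eFDEP to MIN, eCSP to Selector+ADD hierarchies, ePAND to MAX-Infinite) expressed as an added Python model operating on sampled failure times; this is illustrative code written for this page, not the paper's VHDL library, and the small tree in `top_event_ttft` and all failure times are constructed, not taken from the paper.

```python
# Added Python illustration of the TTFT units above; not the paper's VHDL library.
import math

INF = math.inf  # software stand-in for the all-1s "infinity" code of the MAX-Infinite unit

def seq_ttft(delays):
    """eSEQ -> chain of ADD units (Figure 2). Event X_{i+1} is armed only after X_i
    has failed, so T_{i+1} = T_i + (own delay of X_{i+1}). Returns T_1..T_n."""
    times, t = [], 0.0
    for d in delays:
        t += d
        times.append(t)
    return times

def fdep_ttft(trigger_t, dependent_t):
    """eFDEP -> MIN unit (Figure 3): the dependent component is lost at the earlier of
    its own failure and the trigger's failure."""
    return min(trigger_t, dependent_t)

def csp2_ttft(active_t, spare_delay):
    """Two-input CSP -> Selector + ADD: a cold spare cannot fail while dormant, so its
    own lifetime starts counting only when the active unit fails."""
    return active_t + spare_delay

def csp_ttft(primary_t, spare_delays):
    """Multi-input CSP -> hierarchy of two-input CSP gates (Figure 4), left to right."""
    t = primary_t
    for d in spare_delays:
        t = csp2_ttft(t, d)
    return t

def pand_ttft(times):
    """ePAND -> MAX-Infinite unit (Figure 6). If the inputs fail in left-to-right order
    the output TTFT is the MAX of the inputs; any out-of-order pair yields infinity,
    i.e. the gate never fires (Boolean indicator false)."""
    for earlier, later in zip(times, times[1:]):
        if earlier > later:
            return INF
    return max(times)

def top_event_ttft(proc_t, spare_delay, bus_t, mem_t):
    """Constructed eDFT (hypothetical): the bus is functionally dependent on the memory
    (FDEP), the processor has one cold spare (CSP), and the top event is the ePAND
    'processor pair fails, then the bus'."""
    return pand_ttft([csp_ttft(proc_t, [spare_delay]), fdep_ttft(mem_t, bus_t)])
```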
MODELING FEATURES OF OBDH SOFTWARE
Figure 6. ePAND to MAX-Infinite unit
3.1 OBDH software
OBDH software is very critical for a satellite (Vladimirova et al., 2011). It is in charge of the autonomous execution of on-board sequences, including the control of subsystems such as the power subsystem and the attitude determination and control subsystem (ADCS), the activation of subsystems and instruments, and the execution and storage of commands received via the Telemetry, Tracking and Command (TTC) subsystem. In addition, OBDH software has a real-time, multi-tasking OS kernel (pSOS, VxWorks, etc.) and includes the OrbitProcess module, the AttitudeMeasureControl module, the TT&C module, etc. When the primary processor detects a failure, the OBDH software can start the spare processor without data loss. The overall architecture of the OBDH software of a certain microsatellite is shown in Figure 7.
Figure 7. OBDH software architecture (figure labels: VxWorks kernel (Wind), Status)
The main processor (386EX, 8086, SparcV7/V8, etc.) is allocated to execute different tasks sequentially with a pipeline, running different processes at given priority levels to optimize main-processor efficiency, so a highly reliable crystal oscillator is employed. But there are many nonlinear dissipations accompanied by large-amplitude oscillation (Feng et al., 2016), so the primary processor must have a spare. Meanwhile, in order to achieve a high level of dependability, the OBDH hardware is also fault tolerant and redundant, as shown in Figure 8.
Features of OBDH software
Reliability analysis of OBDH software has several points as follows:
A. It is a sophisticated, multi-level architecture with a very large number of modules/BEs/BE-extensions.
B. It is redundant and reconfigurable. Fault-tolerant hardware/software modules with reconfiguration and redundancy are widely employed (Somani et al., 2016). By bringing in spares, the software can recover from failure, so it can be considered repairable. Dynamic failure behaviour and the complex space environment further complicate the quantitative analysis of reliability.
C. The data coupling or indirect coupling between the component level and the module level of the OBDH software is strong.
D. The components/modules of the whole embedded OBDH software have many kinds of failure distributions, both exponential and non-exponential (such as Weibull, Gaussian, and so on).
TRANSLATION APPROACH AND HARDWARE IMPLEMENTATION
This section shows how to develop a translation program which makes it more convenient and prompt for the user to complete the eDFT-TTFT conversion. The library of VHDL code includes FPGA descriptions for the basic TTFT units (i.e. MIN, MAX, ADD, Selector, MAX-Infinite and stochastic selector). For example, the MIN unit can be programmed by the VHDL description in Figure 9.
The VHDL library also contains synthesizable representations of pseudo-random number generators (Aliee and Zarandi, 2013). Because the generation of random numbers can be
A fixed-point representation of values has been employed in the eDFT-TTFT, instead of a floating-point representation, in order to make full use of FPGA resources. The widths of the numbers can be easily increased in digital circuits, so overflow never occurs. On the other hand, the eDFT-TTFT model excludes division and multiplication operations, and the MAX, MIN, Selector and Stochastic Selector units do not increase the width of the operands; the addition of two n-bit fixed-point numbers only produces an (n+1)-bit number. Therefore, the eDFT-TTFT translation does not increase the bit width on the FPGA. Because the outputs of the MAX-Infinite unit can be infinite, the number representation used for the FPGA transformation of eDFT-TTFTs should be able to represent infinity. When the all-1s bit pattern expresses infinity, an n-bit number can represent finite fixed-point numbers in the range [0, 2^n - 1] as well as +∞.
As for reliability indices, it is necessary to repeat the same task many times with different samples, so the transformation circuit places parallel pipelining registers between the instantiations of BEs or BE-extensions. As an example, Figure 10 shows the hardware implementation of an eDFT-TTFT. The boxes labelled "R(n)" in the figure are parallel pipelining registers. The width of each parallel register is n, which can be changed as demanded, so it avoids overflow. The clock period of the parallel pipeline is determined by the longest fault-propagation delay, so the clock may be lengthened by the slowest stage; but a long stage can be cut into many smaller parallel pipeline stages.
Figure 10. Parallel pipeline implementation of TTFT
PERFORMANCE ESTIMATION AND DISCUSSION
Performance assessment
The estimation approach to the speed-up performance based on FPGA hardware is as follows: It can be concluded from the above equation that the speed-up ratio is directly proportional to , nRNG and nTTFT. So the speed-up grows with , nRNG and nTTFT.
Discussion
OBDH software is taken as an example to evaluate the performance of the eDFT-TTFT model on a PCI-based FPGA board on which an Altera ACEX chip is mounted. This board is configured by, and communicates with, the host computer through the PCI bus. The host computer is a ThinkPad T450 (CPU: Intel Core i7-5500U @ 2.4 GHz, RAM: 4.0 GB, OS: Windows 7 Professional edition).
Figure 11. FPGA benchmark board
With the transformation program, the TTFT model of the OBDH software was converted into the parallel-pipeline FPGA implementation (as shown in Figure 11) in a few seconds. In the evaluation of this benchmark, if the clock rate of the stochastic number generators was 128 MHz, then the parallel-pipeline clock rate of the FPGA was 128/k MHz, where k is the number of random variables generated by each random number generator: random variables with various distributions can share the same stochastic number generator, and the only limitation is the operating speed of the random number generator. Table 1 shows the total FPGA-cell resources used in the experiments. The host computer receives and stores the outputs of each eDFT-TTFT from the target FPGA board, and then the quantitative reliability of the OBDH subsystem can be estimated from these stored values. Suppose N is the number of output values obtained from N simulation iterations, and is the frequency of the output values for which the system fails before time t; then, according to probability statistics, the quantitative reliability of the dynamic system at t is estimated by
To obtain the speed-up ratio of the presented method over the computer-based approach, the target program code of the FPGA was developed for the OBDH software and executed on the host computer. The speed-up values can be obtained from the following equation:
is the setup time for starting the computer-based simulation and is the setup time for starting the FPGA-based simulation. The speed-up increases as the number of simulation iterations increases from 10^8 to 10^10. The speed-up finally reaches its limit when the number of sample iterations approaches ∞, and p grows quickly with the number of eDFT-TTFT units, the number of FPGA logic cells of the random number generators, and the number of FPGA logic cells of the TTFT.
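The sample-based reliability estimate of the Discussion section (the fraction of N sampled TTFTs that fall before t, subtracted from 1) and the warm spare behaviour of the eWSP gate in Section 2, as an added Python stand-in for the FPGA sampling pipeline; this is not the authors' code, the small eDFT in `obdh_sample` and all rates and Weibull parameters are assumed values, and the exponential 2-of-3 closed form is included only to check the estimator.

```python
# Added Python stand-in for the FPGA Monte Carlo loop; not the authors' code.
import math
import random

def warm_spare_ttft(rng, primary_t, dormant_rate, active_rate):
    """eWSP: the spare may fail while dormant (rate dormant_rate). If it is still alive
    when the primary fails it switches to active use and fails at rate active_rate.
    Exponential rates are assumed, so the residual life after switch-over is memoryless."""
    if rng.expovariate(dormant_rate) < primary_t:
        return primary_t                      # spare already dead: no takeover possible
    return primary_t + rng.expovariate(active_rate)

def tmr_ttft(times):
    """Triple-modular-redundant memory: majority voting fails at the second failure."""
    return sorted(times)[1]

def obdh_sample(rng):
    """One TTFT sample of a small constructed eDFT: OR (MIN unit) of the processor
    pair and the TMR memory. Parameters are assumed, not taken from the paper."""
    primary_t = rng.weibullvariate(8.0, 1.5)   # Weibull lifetime (scale 8, shape 1.5)
    processors = warm_spare_ttft(rng, primary_t, dormant_rate=0.02, active_rate=0.1)
    memory = tmr_ttft([rng.expovariate(0.05) for _ in range(3)])
    return min(processors, memory)

def estimate_reliability(sample_fn, t, n, seed=1):
    """R(t) = 1 - N_t/N, where N_t counts the samples whose TTFT falls before t."""
    rng = random.Random(seed)
    n_t = sum(1 for _ in range(n) if sample_fn(rng) < t)
    return 1.0 - n_t / n

def tmr_sample(rng, rate=1.0):
    return tmr_ttft([rng.expovariate(rate) for _ in range(3)])

def tmr_reliability_exact(t, rate=1.0):
    """Closed form for 2-of-3 exponential units, used to check the estimator."""
    return 3 * math.exp(-2 * rate * t) - 2 * math.exp(-3 * rate * t)

if __name__ == "__main__":
    for t in (0.5, 1.0):
        print(t, estimate_reliability(tmr_sample, t, 20000), tmr_reliability_exact(t))
    print("OBDH R(10) =", estimate_reliability(obdh_sample, 10.0, 20000))
```

Because the whole tree is re-sampled per iteration, rare top events need the same large iteration counts the text reports, which is the cost the FPGA pipeline is designed to absorb.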
CONCLUSION
This paper presents the eDFT model of OBDH software and shows how to convert the eDFT model to a TTFT; the FPGA-based method for the TTFT is available and fast. The advantages of this approach are: a) the TTFT of the eDFT model can be converted to a digital circuit to obtain the reliability indices of the OBDH software, and synthesizing it into an FPGA chip makes random sampling faster and faster; b) with the parallel-pipeline hardware implementation of the TTFT, the speed-up is directly proportional to the number of FPGA logic cells of the TTFT.
ACKNOWLEDGEMENT
This research has been partially funded by the Strategic Priority Research Programme of the Chinese Academy of Sciences (Project No. XDA04030200).
REFERENCES
Aliee H., Zarandi H.R. (2013). A fast and accurate fault tree analysis based on stochastic logic implemented on field programmable gate arrays. IEEE Transactions on Reliability, 62(1), 13-22.
Boudali H., Crouzen P., Stoelinga M. (2010). A rigorous, compositional, and extensible framework for dynamic fault tree analysis. IEEE Transactions on Dependable and Secure Computing, 7(2), 128-143.
Dugan J.B., Bavuso S.J., Boyd M.A. (1992). Dynamic fault tree models for fault tolerant computer systems. IEEE Transactions on Reliability, 41(3), 363-377.
