ABSTRACT: The on-board data handling (OBDH) subsystem is a critical subsystem of a satellite; it is equipped with hot/warm/cold spare backups and uses a triplicated bus and redundant memories for high reliability. For the satellite OBDH subsystem we present an extended dynamic fault tree (eDFT) model. Because analytic approaches are restricted to particular models and to particular probability distributions of the failure rate, we analyse the eDFT by Monte Carlo simulation instead. Monte Carlo simulation, however, takes a long time, so we provide a transformation approach that accelerates it: each eDFT gate is converted into a unit of a time-to-failure tree (TTFT) and implemented as a logic gate of an arithmetic circuit on an FPGA. The analysis shows that the speed-up grows with the size of the eDFT-TTFT model, the number of FPGA logic gates of the random number generators and the number of FPGA logic gates of the TTFT, so the approach is both more accurate and much faster than computer-based simulation.
INTRODUCTION
To meet demanding reliability requirements, a satellite OBDH subsystem usually employs dynamic redundancy and sophisticated reconfiguration [1]. When analysing the reliability of such a subsystem, however, several important types of dynamic behaviour cannot be represented with traditional fault tree models, such as error/fault restoration, system reconfiguration, sequence-dependent failure and cold/warm backups.
Markov chains are flexible enough to model the reliability of many kinds of dynamic systems. A major disadvantage of the Markov chain, however, is that it is difficult to determine the correct Markov model for a given system [2]; in particular, it is very hard to construct a Markov chain model for an OBDH subsystem with redundancy and reconfiguration.
The Dynamic Fault Tree (DFT) model exploits the relative advantages of both the fault tree model and the Markov model while avoiding many of their shortcomings [2]. Dynamic gates (PAND, SEQ, FDEP, CSP, HSP, WSP, etc.) represent dynamic behaviour and standby backups, so a dynamically reconfigurable and redundant system is convenient to represent with a DFT, and the reliability of the system can be evaluated accurately. But there are some restrictions on its use, including binary events and non-repairable components.
To compute the quantitative dependability of a dynamic system, a DFT model is usually solved either by Monte Carlo simulation or by analytic approaches. The traditional analytic approach converts the DFT to a state-space model and solves it in the domain of Markov chain processes [3]. Unfortunately, this method has too many restrictions, especially for a complex satellite system such as the OBDH subsystem, whose failure rates follow not only the exponential distribution but also Weibull, Gaussian or lognormal distributions. Moreover, the Markov approach suffers from state-space explosion for complex and large systems.
Monte Carlo simulation, with its capability to reproduce the actual random behaviour of a dynamic system, reduces the inaccuracy of reliability modelling. Its limitation is that it is time-consuming and computationally intensive [3][4]: a more accurate estimate of a rare event needs a much larger number of simulated samples.
For the highly reliable satellite OBDH subsystem, characterised by redundancy/reconfiguration and by spares/components with various failure distributions, this paper extends basic DFTs and provides a novel simulation approach for the quantitative analysis of the extended DFT (eDFT) model. The structure of this article is as follows: Section 2 briefly introduces the DFT model and its extension, and describes the resolution procedure of the eDFT that addresses the limitations of the basic DFT. Section 3 describes the modelling features of the satellite OBDH subsystem. Section 4 shows how a stochastic coverage factor can be applied in the eDFT-TTFT model. Section 5 explains several critical issues in the FPGA implementation of the eDFT-TTFT. Section 6 provides the novel approach to statistical performance assessment and gives a benchmark of the OBDH subsystem studied. Finally, Section 7 concludes the paper and suggests future research.
ANALYSIS OF EXTENDED DYNAMIC FAULT TREE
Dynamic fault tree (DFT)
A DFT is a stochastic model for dependability assessment which shows how an undesired, time-dependent event can occur. A DFT is a tree (or rather a directed acyclic graph) in which the leaves are called basic events (BEs) and the other elements are gates [5]. The occurrence of the top event (TE) with the sequent and [5]. These traditional gates are shown in Figure 1.
Extended dynamic fault tree (eDFT)
Because the highly reliable satellite OBDH subsystem is designed to be reconfigurable, redundant, dynamic and multi-layered, we present the extended dynamic fault tree (eDFT) model, building on [6] and [7]. The eDFT allows a BE to be fuzzy rather than only binary, and allows a component, a subsystem or even the whole system to be repairable. In addition, the eDFT extends spares to any dependent or independent subsystem or module, and allows dynamic gates to be triggered not only by BEs but also by the failure of any gate, including static gates, hierarchical dynamic gates and stochastic hybrid dynamic/static gates. Furthermore, the BEs of the OBDH subsystem may follow various distributions such as the exponential and Weibull failure distributions. The eDFT model must therefore accommodate not only failure rates that are functions of more than one time-dependent variable but also time-dependent failure rates characterising distributions such as the Weibull, similar to non-homogeneous continuous-time Markov chains.
eDFT-TTFT analysis
This section presents the conversion of the extended dynamic gates (SEQ, PAND, FDEP, CSP, HSP, WSP, etc.), including hierarchical dynamic or static gates and stochastic hybrid dynamic gates, into the corresponding units of a time-to-failure tree (TTFT).
eSEQ-TTFT transformation
The SEQ gate is one of the dynamic gates; it forces its input events to occur in a specific (left-to-right) order. That is, an input event of a SEQ gate is not enabled until all of the inputs to its left have already occurred [8]. Figure 2 shows how ADD units in the TTFT correspond to the hierarchical SEQ gate in the fault tree model. As shown in Figure 2, the failure of BE$_i$ occurs at time $T_i$ ($i = 1, 2, \ldots, n$). Only after this event occurs at $T_i$ does the next input become active, so the time to failure of the gate is the sum of its inputs' times to failure; for the four-input gate of Figure 2,
$$T_s = T_1 + T_2 + T_3 + T_4 .$$
As an arithmetic circuit, the ADD unit can be implemented with digital logic gates.
eFDEP-TTFT transformation
The FDEP gate is another dynamic gate; it models cases in which the occurrence of some event (the trigger event) causes other dependent components to become inaccessible or unusable [9]. The TTFT of a dependent BE or BE-extension is therefore the shorter of the time left before the trigger event (or triggering BE-extension) occurs and the time left before the dependent event itself occurs. Accordingly, as shown in Figure 3, a MIN unit implements the eFDEP-TTFT model of the dynamic system. The MIN unit can be built from a digital magnitude comparator.
eCSP-TTFT transformation
The cold spare gate is another dynamic gate, used to model cold spares (CSP) [10]. The primary (active) BE or BE-extension is the leftmost input of the cold spare gate; the other inputs are cold spare units that can be switched on demand into active operation. A two-input CSP gate can be converted directly into Selector and ADD units, and the Selector unit can be built from a digital magnitude comparator. A CSP gate with more than two inputs cannot be implemented directly with Selector and ADD units, but it can be decomposed into a hierarchy of two-input CSP gates, each of which is then converted into Selector and ADD units. Figure 4 shows an example of the conversion of a three-input eCSP gate with one cold spare into a logic circuit.
eWSP/eHSP-TTFT transformation
The warm spare (WSP) and hot spare (HSP) gates are further dynamic gates, used to model warm and hot spares [8]. Warm and hot spares may fail at any time, even while dormant. The failure rate of a warm spare changes when it is switched into active use, whereas the failure rate of a hot spare is the same whether it is dormant or active. The FPGA implementation of warm and hot spares can be accomplished with a hybrid of Selector and ADD units.
For example, consider the triple-redundant processors A1, A2, A3 with a warm spare. Figure 5 shows how this is converted into a logic circuit with the TTFT. Hot spares are modelled in the same way with Selector and ADD units, except that the spare's times to failure are generated without altering the failure rate.
ePAND-TTFT transformation
PAND is another dynamic gate, used to detect certain sequences of events [6]. The extended PAND (ePAND) gate has two or more input BEs or BE-extensions and fires only if the input events occur in a given (left-to-right) order. Figure 6 shows the digital circuit of the ePAND gate obtained by conversion to the TTFT; each component i carries a TTFT and a Boolean indicator, and the system output likewise carries a TTFT and a Boolean indicator. The MAX-Infinite unit can be built from digital magnitude comparators: it outputs the latest input time when the inputs occur in order and +∞ (the gate never fires) otherwise.
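To make the TTFT semantics of these transformations concrete, the following Python model (an added example, not the paper's VHDL library) evaluates each eDFT gate on already-sampled times to failure of its inputs: ADD for eSEQ, MIN for eFDEP, Selector plus ADD for eCSP and for the warm-spare hybrid, and MAX-Infinite for ePAND. The function names, the use of `math.inf` for the MAX-Infinite output and the small example tree at the end are assumptions of this example; the warm-spare unit assumes that the spare's remaining life at the active failure rate is supplied as a separate sample.

```python
import math

INF = math.inf  # output of the MAX-Infinite unit when the PAND order is violated


def seq_ttft(times):
    """eSEQ -> ADD: input i+1 is enabled only once input i has failed,
    so the gate's time to failure is the sum of its inputs' times to failure."""
    return sum(times)


def fdep_ttft(t_trigger, t_dependent):
    """eFDEP -> MIN: a dependent event occurs at the earlier of its own
    failure and the trigger event."""
    return min(t_trigger, t_dependent)


def csp_ttft(t_primary, t_spares):
    """eCSP -> hierarchy of two-input CSPs (Selector + ADD). A cold spare does
    not age while dormant, so each time the active unit fails the Selector
    brings in the next unused spare and the ADD unit appends its full TTFT."""
    ttft = t_primary
    for t_spare in t_spares:  # one two-input CSP level per spare
        ttft += t_spare
    return ttft


def wsp_ttft(t_primary, t_spare_dormant, t_spare_active):
    """eWSP -> hybrid Selector + ADD. The spare may fail while dormant (at its
    dormant rate); if it is still alive when the primary fails it is switched
    in and runs on at its active rate. t_spare_active is assumed to be a sample
    of the spare's remaining life at the active rate (example assumption)."""
    if t_spare_dormant <= t_primary:
        return t_primary  # spare already dead: nothing to switch in
    return t_primary + t_spare_active  # Selector picks the ADD path


def hsp_ttft(t_primary, t_spare):
    """eHSP: a hot spare runs at the same rate whether dormant or active, so its
    own TTFT is used unchanged; the pair has failed once both have failed
    (equivalent to Selector + ADD with residual life t_spare - t_primary)."""
    return max(t_primary, t_spare)


def pand_ttft(times):
    """ePAND -> MAX-Infinite: the gate fires at the time of its last input if
    the inputs fail in left-to-right order, and never (+inf) otherwise.
    Returns (ttft, fired), mirroring the TTFT and Boolean indicator outputs."""
    for earlier, later in zip(times, times[1:]):
        if later < earlier:
            return INF, False
    return times[-1], True


def top_event_ttft(be):
    """Hypothetical example tree: TE = ePAND(eFDEP(trigger, dep), eSEQ(b1, b2)).
    `be` maps basic-event names to sampled times to failure."""
    left = fdep_ttft(be["trigger"], be["dep"])
    right = seq_ttft([be["b1"], be["b2"]])
    return pand_ttft([left, right])
```

Feeding these functions with times drawn from the BEs' distributions, and repeating, is exactly the Monte Carlo loop that the FPGA pipeline of Section 5 evaluates in hardware.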
MODELING FEATURES OF OBDH SUBSYSTEM
Satellite OBDH Subsystem
The satellite OBDH subsystem is a critical subsystem in charge of the autonomous execution of on-board sequences, including the control of subsystems such as the power subsystem [11] and the attitude determination and control subsystem (ADCS), the activation of subsystems and instruments, and the execution and storage of commands received via the Telemetry, Tracking and Command (TTC) subsystem. The overall architecture of the OBDH subsystem of a particular micro-satellite is shown in Figure 7. The OBDH subsystem runs a real-time multitasking OS kernel (pSOS, VxWorks, etc.).
The main processor (386EX, 8086, SPARC V7/V8, etc.) executes different tasks sequentially in a pipeline, running processes at defined priority levels to optimise processor efficiency.
To achieve a high level of dependability, a modern satellite OBDH subsystem is designed as a fault-tolerant, redundant and repairable system with redundancy and reconfiguration, whose failure behaviour is dynamic and stochastic. Traditional SFT and DFT models must therefore be extended to capture the dynamic features of the OBDH subsystem.
Features of OBDH subsystem
The reliability analysis of the satellite OBDH subsystem has the following characteristics:
a) It is a sophisticated multi-level architecture with a very large number of components/BEs/BE-extensions.
b) It is redundant and reconfigurable. Fault-tolerant hardware/software modules with reconfiguration and redundancy are widely employed. By switching to spares, the subsystem can recover from a failure/error, so it can be considered repairable. Dynamic failure behaviour and the complex space environment make the quantitative analysis of reliability even more difficult.
c) The data coupling or indirect coupling between the component level and the module level of the OBDH subsystem is strong.
d) The components/modules of the OBDH subsystem have many kinds of failure distribution, both exponential and non-exponential (Weibull, Gaussian, and so forth).
EDFT-TTFT MODEL AND STOCHASTIC COVERAGE FACTOR
Dynamic reliability allows the dependability assessment of systems operating in variable conditions and relaxes the rigid hypotheses of traditional reliability theory [12]. For a more accurate reliability analysis it is important to include the concept of a coverage factor in the system-level model. The stochastic fault coverage factor is the conditional probability distribution that the system recovers from a failure that has occurred at a random time.
As shown in Figure 8(a), the coverage factor can be modelled with a stochastic Selector unit, whose output equals its i-th input with a given probability (i = 1, 2, …, n). Take for example a satellite OBDH subsystem with a primary unit and one cold spare: Figure 8(b) shows how a stochastic coverage factor C = 0.6 is modelled with a stochastic Selector unit and an ADD unit of the digital circuit. In Figure 8(b) the two inputs are the primary unit and the spare of the eDFT-TTFT model. Here the probability that the subsystem fails with the primary alone (the spare is not switched in successfully) is 0.4, and the probability that the TTFTs of the primary and the spare are added is 0.6.
A stochastic Selector unit can also be constructed as a logic circuit with a multiplexer whose select inputs are driven by stochastic values.
Figure 7. TTFT model of OBDH subsystem.
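The following Python simulation is an added example (not the paper's FPGA design) of the primary-plus-cold-spare case above with C = 0.6: a stochastic Selector decides, with probability C, whether the spare's TTFT is added to the primary's, and the host-side estimate used in Section 6 is then computed as the fraction of the N simulated output values that exceed t. The sampler functions, the seed and the closed-form check for the exponential equal-rate case are assumptions of this example; the samplers can be replaced by Weibull or other distributions without changing the circuit model.

```python
import math
import random


def covered_csp_ttft(t_primary, t_spare, u, coverage):
    """Stochastic Selector + ADD. `u` is a uniform(0,1) sample driving the
    selector: with probability `coverage` the switch-over succeeds and the
    spare's TTFT is added; otherwise the uncovered failure of the primary
    brings the subsystem down immediately."""
    return t_primary + t_spare if u < coverage else t_primary


def estimate_reliability(samples, t):
    """Host-side estimate: R(t) = 1 - (number of outputs <= t) / N."""
    n_fail = sum(1 for s in samples if s <= t)
    return 1.0 - n_fail / len(samples)


def simulate(n, sample_primary, sample_spare, coverage, seed=1):
    """Run n Monte Carlo iterations. sample_primary/sample_spare take the RNG
    and return a time to failure, so any distribution (exponential, Weibull,
    lognormal, ...) can be plugged in; the Selector input is a third stream,
    like the extra random variable a shared hardware generator would supply."""
    rng = random.Random(seed)
    return [
        covered_csp_ttft(sample_primary(rng), sample_spare(rng), rng.random(), coverage)
        for _ in range(n)
    ]


def analytic_reliability_exp(t, lam, coverage):
    """Closed form for equal exponential rates (used only to check the estimate):
    R(t) = P(primary survives t) + C * P(primary fails by t, primary+spare survive t)
         = exp(-lam t) + C * lam t exp(-lam t)."""
    return math.exp(-lam * t) * (1.0 + coverage * lam * t)


def demo(n=200_000, lam=1.0, coverage=0.6, t=1.0, seed=7):
    """Returns (monte_carlo_estimate, closed_form) for the exponential case."""
    samples = simulate(n, lambda r: r.expovariate(lam),
                       lambda r: r.expovariate(lam), coverage, seed)
    return estimate_reliability(samples, t), analytic_reliability_exp(t, lam, coverage)


if __name__ == "__main__":
    mc, exact = demo()
    print(f"exponential primary: R(1.0) Monte Carlo = {mc:.4f}, closed form = {exact:.4f}")
    # A Weibull primary with the same cold spare and coverage: no closed form
    # is needed, the same Selector + ADD model is simply fed other samples.
    w = simulate(50_000, lambda r: r.weibullvariate(1.0, 1.5),
                 lambda r: r.expovariate(1.0), 0.6, seed=11)
    print(f"Weibull primary:     R(1.0) Monte Carlo = {estimate_reliability(w, 1.0):.4f}")
```

Setting `coverage` to 1.0 recovers the plain eCSP gate, and to 0.0 a subsystem with no usable spare, which is a quick way to bound how much of the estimated reliability the switch-over logic is actually delivering.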
TRANSFORMATION APPROACH AND FPGA IMPLEMENTATION OF EDFT-TTFT
This section shows how to develop a transformation program that automatically transforms the eDFT-TTFT model into a hardware implementation on an FPGA rather than into a computer program, which is more convenient and faster for the user. The VHDL descriptions of the basic TTFT units (MIN, MAX, ADD, Selector, MAX-Infinite and stochastic Selector) are collected in a library of VHDL code; for example, the MIN unit can be implemented by the VHDL description in Figure 9.
The VHDL library also contains synthesisable pseudo-random number generators. Because the generation of random numbers is inherent to any Monte Carlo simulation, the input values of the hardware implementation of the TTFT are generated by these pseudo-random number generators [13].
The transformation program instantiates each extended dynamic gate with the corresponding components from the VHDL library and connects the eDFT inputs to the pseudo-random number generators. The resulting VHDL code is synthesised for the FPGA with synthesis tools. In digital logic circuits, number representation is an important issue [14]. A fixed-point representation of the eDFT-TTFT values is used instead of a floating-point one in order to make full use of the FPGA resources. The widths of the numbers can easily be increased in the digital circuit, greatly extending the limited range of the fixed-point representation, so that no overflow occurs. The eDFT-TTFT model contains no division or multiplication, which would increase the widths of the numbers enormously: MAX, MIN, Selector and stochastic Selector units do not increase the width of their operands at all, and the addition of two n-bit fixed-point numbers produces only an (n+1)-bit number. The translation of the eDFT-TTFT therefore involves only operations whose width growth is at most one bit per ADD unit. Because the outputs of the MAX-Infinite unit can be infinite, the number representation used for the FPGA translation of eDFT-TTFTs must be able to represent infinity. If the all-1s bit pattern represents infinity, an n-bit number can represent the finite fixed-point numbers in the range $[0, 2^n - 2]$ as well as +∞.
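As an added illustration of this number representation (not code from the paper's VHDL library), the following Python functions model n-bit fixed-point TTFT words in which the all-1s pattern stands for +∞. The ADD unit widens its result by one bit and must re-encode infinity at the new width rather than treat an all-1s input as the finite value 2^n − 1, while MIN, MAX and MAX-Infinite are plain comparators that leave the width unchanged. Time values are assumed to be integers already scaled to the circuit's time unit; the function names and the small SEQ-then-PAND pipeline are assumptions of this example.

```python
def inf_code(width):
    """All-1s pattern of the given width encodes +inf."""
    return (1 << width) - 1


def fits(t, width):
    """True if t is representable at this width: +inf, or finite in [0, 2**width - 2]."""
    return t == float("inf") or 0 <= t <= inf_code(width) - 1


def encode(t, width):
    """Encode a non-negative integer time (or float('inf')) as a width-bit word."""
    if not fits(t, width):
        raise OverflowError(f"{t} does not fit in {width}-bit fixed point")
    return inf_code(width) if t == float("inf") else int(t)


def decode(code, width):
    return float("inf") if code == inf_code(width) else code


def add_unit(a, b, width):
    """ADD: two width-bit operands give a (width+1)-bit result, so even the sum
    of two maximal finite values, 2**(width+1) - 4, fits and never overflows.
    An infinite operand yields infinity re-encoded at the wider width."""
    out_width = width + 1
    if a == inf_code(width) or b == inf_code(width):
        return inf_code(out_width), out_width
    return a + b, out_width


def min_unit(a, b, width):
    """MIN (eFDEP): magnitude comparator. inf is the largest code, so it needs
    no special case. Width unchanged."""
    return min(a, b), width


def max_unit(a, b, width):
    """MAX: magnitude comparator, width unchanged."""
    return max(a, b), width


def max_infinite_unit(a, b, width):
    """MAX-Infinite (ePAND with inputs a then b): b if a occurs no later than b,
    else +inf at the same width."""
    return (b if a <= b else inf_code(width)), width


def seq_then_pand(t1, t2, t3, width):
    """Hypothetical pipeline: PAND(SEQ(t1, t2), t3), tracking word widths.
    Returns the decoded output time and the final word width."""
    s, w = add_unit(encode(t1, width), encode(t2, width), width)
    t3_code = encode(t3, w)  # t3 enters the comparator at the widened width
    out, w = max_infinite_unit(s, t3_code, w)
    return decode(out, w), w
```

The one place a hardware implementation can go wrong is the widening step: zero-extending a finite code is harmless, but zero-extending an n-bit all-1s word produces 2^n − 1 at width n+1, which is a finite (and wrong) time rather than +∞. Re-encoding infinity at the new width, as `add_unit` and `encode` do here, is what the TTFT registers must implement.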
Since Monte Carlo simulation repeats the same task many times with different samples [15][16], the transformation circuit places parallel pipeline registers between the instantiations of BEs or BE-extensions. For example, Figure 10 shows the hardware implementation of an eDFT-TTFT. The boxes labelled "R(n)" in the figure are parallel pipeline registers; the width n of each register can be changed as required, which avoids overflow.
The clock period of the parallel pipeline is determined by the longest fault-propagation delay, so a slow stage lengthens the clock period; a long stage can, however, be cut into a number of smaller pipeline stages.
It follows from Eq. (4) that the speed-up ratio is directly proportional to the size of the eDFT-TTFT model, to nRNG (the number of FPGA logic gates of the random number generators) and to nTTFT (the number of FPGA logic gates of the TTFT), so the speed-up grows with each of them.
Satellite OBDH subsystem study
The OBDH subsystem was used as a benchmark to evaluate the performance of the eDFT-TTFT model on a PCI-based FPGA board carrying an Altera ACEX chip. The board is configured by, and communicates with, the host computer through the PCI bus. The host computer is a ThinkPad T450 (CPU: Intel Core i7-5500U at 2.4 GHz, RAM: 4.0 GB, OS: Windows 7 Professional). Using the transformation program, the eDFT-TTFT model of the OBDH subsystem was converted into the parallel-pipelined FPGA implementation in a few seconds and then analysed by Monte Carlo simulation. In this benchmark the stochastic number generators were clocked at 64 MHz and the parallel pipeline of the FPGA at 64/k MHz, where k is the number of random variables generated by one stochastic number generator: random variables with different distributions can share the same stochastic number generator, the only limitation being the operating speed of the generator. Table 1 shows the total FPGA cell resources used in the experiments.
During Monte Carlo simulation based on the eDFT-TTFT, the host computer receives and stores the output of each eDFT-TTFT evaluation from the target FPGA board. The quantitative reliability of the OBDH subsystem is estimated from these stored values. Suppose N output values are obtained from N simulation iterations and we count how many of them fall before time t (the frequency with which the system fails before t); then, by elementary probability, the reliability of the dynamic system at t is estimated as one minus that count divided by N.
CONCLUSIONS
(a) Each eDFT-TTFT can be converted automatically into an arithmetic circuit that takes the eDFT-TTFT inputs of the BEs or BE-extensions and computes the reliability of the dynamic system quantitatively. Synthesising it into an FPGA chip makes the simulation extremely fast.
(b) With the parallel-pipelined implementation of the eDFT-TTFT model, Monte Carlo simulation achieves great speed-ups.
Future research may further investigate the application of this technique to the reliability analysis of an OBDH subsystem considered as a phased-mission system, as in the attitude determination and control of the satellite.
