Open Collections

UBC Theses and Dissertations

UBC Theses Logo

UBC Theses and Dissertations

Fault tolerant reconfiguration of multi-satellite interactions using high-level petri nets Einafshar, Atefeh 2015

Your browser doesn't seem to have a PDF viewer, please download the PDF to view this item.

Item Metadata

Download

Media
24-ubc_2015_may_einafshar_atefeh.pdf [ 3.34MB ]
Metadata
JSON: 24-1.0166159.json
JSON-LD: 24-1.0166159-ld.json
RDF/XML (Pretty): 24-1.0166159-rdf.xml
RDF/JSON: 24-1.0166159-rdf.json
Turtle: 24-1.0166159-turtle.txt
N-Triples: 24-1.0166159-rdf-ntriples.txt
Original Record: 24-1.0166159-source.json
Full Text
24-1.0166159-fulltext.txt
Citation
24-1.0166159.ris

Full Text

I  Fault Tolerant Reconfiguration of Multi-Satellite Interactions Using High-Level Petri Nets       by Atefeh Einafshar M.Sc., Mechanical Engineering, Ferdowsi University, Mashhad, Iran 2007    A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF  DOCTOR OF PHILOSOPHY in  THE FACULTY OF GRADUATE AND POSTDOCTORAL STUDIES (Mechanical Engineering)   The University of British Columbia  (Vancouver) April 2015  © Atefeh Einafshar, 2015 ii  Abstract An integrated reconfiguration performance model for interacting satellite networks is an important tool in analyzing reliability and developing protocols for uninterrupted operation. However, such a quantitative model is not easy to develop since it involves many parameters related to the network’s operation and all the earth-linked operational information communicated through it. The aim of this study is to propose an integrated communication model for a network of interacting satellites using high-level petri nets which permit sub-network reconfiguration without loss of communication ability whenever there are satellite communication faults or full failures. To quantify the Vulnerability, Uncertainty and Probability (VUP) in a network a Stochastic Petri Net (SPN) based model is developed. Three indicators are proposed to determine the VUP definitions in interacting network of satellites. To model the overall reconfiguration schemes of a network of interacting satellites, Colored Petri Nets (CPN) paradigm is used so as to simulate the reconfiguration operation of the integrated Networked Control System (NCS). A modular representation of the interacting satellites with the network in terms of satellites’ subsystems and their interconnection together and through the network is provided. Transmission network is modeled through senders and receivers including packet-data transmission. The four developed reconfiguration methods are used to recover the network in case of partial/ full failures occur in the system. The proposed approaches are then used to study the overall response time of a given NCS in interacting satellites, as well as the delays between the mutual senders and receivers. Simulations of the detailed models show that the networked control performance of the interacting satellites, in particular with reference to any satellite failure, can be improved with inclusion of appropriate monitors within the networked system as represented by sub-networks in the CPN model. The suggested integrated networked control schemes can be used to obtain a fault tolerant reconfiguration for a required network performance. iii  Preface This thesis entitled “Fault Tolerant Reconfiguration of Multi-Satellite Interactions Using High-Level Petri Nets” presents the research performed by Atefeh Einafshar. The research conducted was supervised by Dr. Farrokh Sassani. The following are the publications that have resulted from this thesis [1-4].  Atefeh Einafshar and Farrokh Sassani, 2013, "Vulnerability, Uncertainty and Probability (VUP) Quantification of a Network of Interacting Satellites Using Stochastic Petri Nets (SPN)", ASME International Mechanical Engineering Congress and Exposition, IMECE, San Diego, CA, USA, Proc. ASME. 56246; Volume 4A: Dynamics, Vibration and Control, V04AT04A073. November 15, DOI: 10.1115/IMECE2013-64774. The proposed VUP quantification scheme is used and explained in  Chapter 2 as a methodology which employs a Stochastic Petri Net for quantitative analysis of the behavior of the network. After generating a Markov Stochastic Petri Net model, the probability of a given condition in the network at a specified time can be computed. The author of this thesis was the principal researcher of this publication. Dr. Farrokh Sassani assisted with formulating the problem, and with writing and editing the manuscript.  Atefeh Einafshar and Farrokh Sassani, 2013, "Modeling and Control of Cooperative Satellites Using Neural Networks", ASME International Mechanical Engineering Congress and Exposition, IMECE, San Diego, CA, USA, Proc. ASME. 56406; Volume 11: Emerging Technologies, V011T06A005. November 15, DOI: 10.1115/IMECE2013-65962. The proposed technique which is partially used (i.e. iv  Modeling Concept) and explained in  Chapter 2, is a neural control scheme and refers to a methodology in which the controller is assumed as a neural network and the dynamical model of the system is identified through the training stages of the neural model. The author of this thesis was the principal researcher of this publication. Dr. Farrokh Sassani assisted with formulating the problem, and with writing and editing the manuscript.  Atefeh Einafshar and Farrokh Sassani, 2014, " Multi-Satellite Failure Evasion through Colored Petri Net Reconfiguration Modeling", UBC Department of Chemical & Biological Engineering Research Day, October 1, University of British Columbia, Vancouver, Canada. [Best Poster Award Winner] This poster illustrated the overall reconfiguration schemes of a network of interacting satellites using Colored Petri Nets (CPNs), presented in  Chapter 3,  Chapter 4 and  Chapter 5. The author of this thesis was the principal researcher of this publication. Dr. Farrokh Sassani assisted with modeling the problem and preparing the poster.  Atefeh Einafshar and Farrokh Sassani, 2015, "Integrated Reconfiguration of Multi-Satellite Network Communication Using Colored Petri Nets". Integrated Systems: Innovations and Applications. Editor: M. Fathi, Springer, 3-28. This paper/chapter presents an integrated communication model for a network of interacting satellites using high-level Petri Nets which permits sub-network reconfiguration without loss of communication whenever there are satellite faults. The proposed models and techniques are thoroughly explained and discussed in  Chapter 3. The author of this thesis was the principal researcher of this publication. Dr. Farrokh Sassani assisted with modeling the problem, and with writing and editing the manuscript. v  Table of Contents Abstract ........................................................................................................................................................ ii Preface ......................................................................................................................................................... iii Table of Contents ......................................................................................................................................... v List of Tables ............................................................................................................................................... ix List of Figures .............................................................................................................................................. x List of Symbols .......................................................................................................................................... xiii List of Abbreviations .................................................................................................................................. xv Acknowledgements .................................................................................................................................... xvi Dedication ................................................................................................................................................. xviii 1. Introduction ............................................................................................................................................. 1 1.1 SATELLITE SYSTEM FUNDAMENTALS ...................................................................................................... 3 1.1.1 Satellite Subsystems...................................................................................................................... 3 1.1.2 Satellite Orbit Configurations ...................................................................................................... 4 1.2 SATELLITE NETWORKS ............................................................................................................................ 5 1.2.1 Satellite Network Architectures .................................................................................................... 6 1.2.2 Satellite Communications ............................................................................................................. 8 1.2.3 Network Communication Protocols ............................................................................................. 9 1.3 NETWORKED CONTROL AND RECONFIGURATION .................................................................................. 10 1.4 LITERATURE REVIEW ............................................................................................................................ 12 1.5 IMPLEMENTATION COMPLEXITIES ......................................................................................................... 15 1.6 RESEARCH OBJECTIVES ......................................................................................................................... 16 1.7 SCOPE OF THE PRESENT WORK .............................................................................................................. 16 vi  1.8 THESIS OUTLINE .................................................................................................................................... 17 2. Fault Diagnosis and Supervisory Control of Multi-Satellite Interactions Using SPNs......................... 19 2.1 INTRODUCTION ...................................................................................................................................... 19 2.2 BASIC AND HIGH-LEVEL PETRI NETS .................................................................................................... 20 2.2.1 Basic Petri Nets .......................................................................................................................... 20 2.2.2 Petri Net Analysis Techniques .................................................................................................... 22 2.2.3 Stochastic Petri Nets (SPNs) ...................................................................................................... 23 2.3 MODELING METHODOLOGY FOR FAULT DIAGNOSIS AND SUPERVISORY CONTROL OF MULTI-SATELLITE INTERACTIONS USING SPNS .................................................................................................................. 24 2.3.1 Controllability and Observability in Petri Nets ......................................................................... 24 2.3.1.1 Uncontrollable Transitions ................................................................................................................... 25 2.3.1.2 Unobservable Transitions ..................................................................................................................... 25 2.3.2 Supervisory Controller Synthesis Using Petri Nets .................................................................... 26 2.3.3 Integrating Fault Analysis Indicators Using SPNs .................................................................... 27 2.4 PETRI NET MODELING AND SUPERVISORY SYNTHESIS OF MULTI-SATELLITE INTERACTIONS USING SPNS ..................................................................................................................................................... 29 2.5 FAULT DIAGNOSIS MODELING OF MULTI-SATELLITES INTERACTIONS USING SPNS ............................. 33 2.5.1 SPN Fault Tolerant Modeling of Multi-Satellite Interactions .................................................... 33 2.6 CONCLUSIONS ....................................................................................................................................... 43 3. Networked Reconfiguration of Multi-Satellite Interactions Subject to Partial Failure Using CPNs ... 44 3.1 INTRODUCTION ...................................................................................................................................... 44 3.1.1 Colored Petri Nets (CPNs) ......................................................................................................... 45 3.2 NETWORKED RECONFIGURATION SCHEME OF MULTI-SATELLITE INTERACTIONS SUBJECT TO PARTIAL FAILURE USING CPNS ........................................................................................................................... 46 3.2.1 Methodology ............................................................................................................................... 46 3.2.2 Reconfiguration Models- An Overview ...................................................................................... 46 vii  3.3 PARTIALLY FAILED NETWORK RECONFIGURATION BY TRANSMITTING DATA THROUGH OTHER SATELLITES (SCENARIO 1) ..................................................................................................................... 48 3.3.1 CPN Simulation- Main Modules ................................................................................................ 49 3.3.2 CPN Modeling of Partially Failed Network Reconfiguration .................................................... 57 3.3.2.1 CPN Specification of Stable Configuration .......................................................................................... 59 3.3.2.2 Reconfiguration Protocol of Scenario 1 Using CPN ............................................................................. 61 3.3.2.3 Integrated CPN Simulation of Satellite Cluster Reconfiguration (Scenario 1) ..................................... 62 3.4 PERFORMANCE MODELING OF MULTI- SATELLITE INTERACTIONS ........................................................ 64 3.4.1 Network Performance Indicators ............................................................................................... 65 3.5 FAULTLESS SIMULATION RESULTS OF SATELLITE NETWORKS .............................................................. 66 3.6 PERFORMANCE ANALYSIS AND SIMULATION RESULTS ......................................................................... 69 3.7 CPN MODEL VERIFICATION .................................................................................................................. 70 3.8 PERFORMANCE ANALYSIS OF RECONFIGURATION MODEL SCENARIO 1 ................................................ 72 3.9 CONCLUSIONS ....................................................................................................................................... 76 4. Networked Reconfiguration of Multi-Satellite Interactions with Specific Topologies Subject to Full Failure Using CPNs................................................................................................................................ 78 4.1 INTRODUCTION ...................................................................................................................................... 78 4.1.1 Satellite Maneuvering in Space .................................................................................................. 79 4.2 NETWORKED RECONFIGURATION METHODOLOGY OF MULTI-SATELLITE INTERACTIONS WITH SPECIFIC TOPOLOGIES SUBJECT TO FULL FAILURE ............................................................................................... 84 4.2.1 Networked Reconfiguration (Scenario 2- Using a Backup Satellite) ......................................... 84 4.2.2 Networked Reconfiguration (Scenario 3- Repositioning In-Orbit Healthy Satellites) ............... 87 4.2.2.1 Coverage Types of Communication Networks ..................................................................................... 87 4.3 NETWORKED RECONFIGURATION MODELING OF MULTI-SATELLITE INTERACTIONS USING CPNS ....... 88 4.3.1 CPN Modeling of Reconfiguration Scenario 2 ........................................................................... 91 4.3.2 CPN Modeling of Reconfiguration Scenario 3 ........................................................................... 99 4.4 PERFORMANCE ANALYSIS RESULTS OF RECONFIGURATION MODEL SCENARIO 2 ............................... 102 viii  4.5 PERFORMANCE ANALYSIS RESULTS OF RECONFIGURATION MODEL SCENARIO 3 ............................... 107 4.5.1 Networked Reconfiguration Performance Analysis.................................................................. 110 4.6 CONCLUSIONS ..................................................................................................................................... 110 5. General Networked Reconfiguration Method for Multi-Satellite Interaction .................................... 111 5.1 INTRODUCTION .................................................................................................................................... 111 5.1.1 Network Reconfiguration Scenario 4 (Orbit Transfer) ............................................................ 112 5.1.2 CPN Modeling of Reconfiguration Scenario 4 ......................................................................... 113 5.2 PERFORMANCE ANALYSIS RESULTS OF RECONFIGURATION MODEL SCENARIO 4 ............................... 117 5.3 CONCLUSIONS ..................................................................................................................................... 120 6. Conclusions .......................................................................................................................................... 121 6.1 SUMMARY ........................................................................................................................................... 121 6.1.1 VUP Quantification Using Stochastic Petri Nets (SPN) .......................................................... 122 6.1.2 Networked Control Using Colored Petri Nets .......................................................................... 122 6.1.3 Future Work ............................................................................................................................. 123 Bibliography ............................................................................................................................................. 125      ix  List of Tables TABLE  2.1: DESCRIPTION OF PLACES AND TRANSITIONS IN SPN GRAPH OF FIGURE  2.7 .............................................. 36 TABLE  2.2: TOKEN DISTRIBUTION OF THE SPN OF FIGURE  2.7 ..................................................................................... 40 TABLE  2.3: DESCRIPTION OF THE REACHABILITY TREE OF THE SPN OF FIGURE  2.7 ..................................................... 41 TABLE  3.1: PLACES IN FIGURE  3.4 AND FIGURE  3.5 AND THEIR DEFINITIONS ............................................................... 55 TABLE  3.2: TRANSITIONS IN FIGURE  3.4 AND FIGURE  3.5 AND THEIR DEFINITIONS ...................................................... 56 TABLE  3.3: MAJOR MODULES AND RELATED SUB-MODULES OF THE CPN MODEL ..................................................... 57 TABLE  3.4: PLACES DEFINED IN FIGURE  3.6 AND THEIR DEFINITIONS ........................................................................... 63 TABLE  3.5: TRANSITIONS DEFINED IN FIGURE  3.6 AND THEIR DEFINITIONS .................................................................. 64 TABLE  3.6: VERIFICATION RESULTS FOR A THREE-SATELLITE NETWORK IN FAULTLESS CONDITION (𝛽𝑖 = 4, 𝐼𝑖𝑔 =0.0350 , NCL=98%) .......................................................................................................................................... 71 TABLE  3.7: VERIFICATION RESULTS FOR A FOUR SATELLITE NETWORK IN FAULTLESS CONDITION, (𝐼𝑖𝑔 = 0.0979, NCL=98%) ......................................................................................................................................................... 72 TABLE  4.1: PLACES DEFINED IN FIGURE  4.5 AND FIGURE  4.6 AND THEIR DEFINITIONS ................................................ 97 TABLE  4.2: TRANSITIONS DEFINED IN FIGURE ‎4.5 AND FIGURE ‎4.6 AND THEIR DEFINITIONS ....................................... 98 TABLE  4.3: THRUSTER TYPES AND THEIR PROPERTIES ............................................................................................... 104 TABLE  4.4: THREE FREQUENCY BASEBANDS AND THEIR SPECIFICATIONS ................................................................. 105    x  List of Figures FIGURE  1.1: TYPICAL SATELLITE SUBSYSTEMS .............................................................................................................. 3 FIGURE  1.2: A TYPICAL INTERACTING SATELLITE NETWORK SYSTEM ........................................................................... 6 FIGURE  1.3: GENERAL ARCHITECTURE OF SATELLITE SYSTEMS .................................................................................... 7 FIGURE  1.4: SATELLITES COMMUNICATIONS FREQUENCY BANDS [23] .......................................................................... 9 FIGURE  2.1: A SIMPLE GRAPH REPRESENTATION OF A MARKED PETRI NET ................................................................... 21 FIGURE  2.2: THE MARKING RESULTS FROM FIRING TRANSITION T1 IN FIGURE  2.1 ........................................................ 21 FIGURE  2.3: A NETWORK OF THREE COOPERATING SATELLITES COMMUNICATING THROUGH A GROUND STATION RESOURCE (A) A SCHEMATIC, (B) A BLOCK DIAGRAM....................................................................................... 29 FIGURE  2.4:  PETRI NET MODEL OF A NETWORK OF THREE SATELLITES ...................................................................... 30 FIGURE  2.5:  FOLDED PETRI NET MODEL OF FIGURE  2.4 .............................................................................................. 31 FIGURE  2.6:  FOLDED SPN SCHEME OF A NETWORK OF THREE COOPERATING SATELLITES USING PETRI NET EDITOR SOFTWARE .......................................................................................................................................................... 34 FIGURE  2.7: SATELLITE NETWORK SPN MODELING INCLUDING FAILURES AND REPAIRS USING PETRI NET EDITOR SOFTWARE .......................................................................................................................................................... 35 FIGURE  2.8: STATE FUNCTIONS FOR THE SPN SYSTEM OF FIGURE  2.7 A) VULNERABILITY FOR [0, 23.17], B) STAY TIME AT T=23.17, C) RETURN TIME AT T=23.17, D) PROBABILITY AT T=23.17 .................................................. 42 FIGURE  3.1:  A SIMPLE REPRESENTATION OF COLORED PETRI NETS ............................................................................. 45 FIGURE  3.2: RECONFIGURATION BY TRANSMITTING DATA THROUGH OTHER SATELLITES .......................................... 49 FIGURE  3.3:  GENERAL OVERVIEW OF AN INTERACTING MULTI-SATELLITE SYSTEM ................................................... 51 FIGURE  3.4: DATA PACKET TRANSMISSION MODULE (STANDARD DATA PACKET TRANSMISSION PROTOCOL [72]).... 53 FIGURE  3.5: GROUND STATION MODULE AND RELATED SUB-MODULES ...................................................................... 54 xi  FIGURE  3.6: SATELLITE COMPOSITION SYSTEM MODULE AND RELATED SUB-MODULES FOR PARTIALLY FAILED NETWORK RECONFIGURATION............................................................................................................................ 58 FIGURE  3.7: A STABLE CONFIGURATION OF A NETWORK OF INTERACTING SATELLITES FOR PARTIALLY FAILED NETWORK RECONFIGURATION............................................................................................................................ 60 FIGURE  3.8:  MEAN DELAY TIME VERSUS SIMULATION TIME FOR A THREE SATELLITE NETWORK IN FAULTLESS CONDITION FOR VARIOUS BUFFER SIZES, (IIG = 0.0350, GI = 0.01, NCL=98%). ............................................ 67 FIGURE  3.9: THROUGHPUT VERSUS BUFFER SIZE FOR A THREE SATELLITE NETWORK IN FAULTLESS CONDITION, (𝐺𝑖 = 0.01,  𝐼𝑖𝑔 = 0.0979 , NCL=98%). .......................................................................................................... 68 FIGURE  3.10: THROUGHPUT VERSUS NUMBER OF SATELLITES IN THE NETWORK IN FAULTLESS CONDITION, (𝛽𝑖 = 4,  𝐺𝑖 = 0.01,  𝐼𝑖𝑔 = 0.0979, NCL=98%). ............................................................................................................. 69 FIGURE  3.11: A NETWORK OF FOUR SATELLITES COMMUNICATING TOGETHER AND WITH THE GROUND STATION (A) SCHEMATIC DIAGRAM, (B) BLOCK DIAGRAM ..................................................................................................... 70 FIGURE  3.12: THROUGHPUT VERSUS FAILURE CONDITIONS FOR THREE SATELLITE NETWORK (𝛽𝑖 = 4, 𝐺𝑖 = 0.01,  𝐼𝑖𝑔 = 0.0979, NCL=98%). ................................................................................................................................ 73 FIGURE  3.13: THROUGHPUT VERSUS FAILURE CONDITIONS FOR FOUR SATELLITE NETWORK (𝛽1 = 2, 𝛽2 = 3, 𝛽3 =4, 𝛽4 = 5, 𝐺𝑖 = 0.01, 𝐼𝑖𝑔 = 0.0979,  NCL=98%). .......................................................................................... 74 FIGURE  3.14: RECONFIGURATION PROTOCOL ASSESSMENT FOR NETWORKS OF THREE AND FOUR SATELLITES........... 75 FIGURE  3.15: MEAN DELAY VERSUS DATA PACKET ARRIVAL RATE FOR A NETWORK OF FOUR SATELLITES IN DIFFERENT PARTIAL FAILURE CONDITIONS (𝛽𝑖 = 4, 𝐼𝑖𝑔 = 0.0979, NCL=98%). ............................................. 75 FIGURE  3.16: THROUGHPUT VERSUS DATA PACKET ARRIVAL RATE FOR A NETWORK OF FOUR SATELLITES IN DIFFERENT PARTIAL FAILURE CONDITIONS (𝛽𝑖 = 4, 𝐼𝑖𝑔 = 0.0979, NCL=98%). ............................................. 76 FIGURE  4.1: PERIGEE AND APOGEE POINTS IN AN ELLIPTICAL ORBIT .......................................................................... 80 FIGURE  4.2: SATELLITE COMMUNICATION NETWORK RECONFIGURATION BY (A) MOVE IN-ORBIT SPARE SATELLITE (B) RE-POINT THE GROUND STATION .................................................................................................................. 85 FIGURE  4.3: (A) SATELLITE FIXED CELL AND (B) EARTH FIXED CELL SATELLITE SYSTEMS [20] ................................. 88 xii  FIGURE  4.4: SATELLITE SUBSYSTEM BLOCK DIAGRAM ................................................................................................ 90 FIGURE  4.5: CPN MODEL OF THE BACKUP SATELLITE AND THE RELATED SUBSYSTEMS IN SCENARIO 2 ..................... 92 FIGURE  4.6: CPN MODEL OF THE FAILED SATELLITE AND THE RELATED SUBSYSTEMS IN SCENARIO 2 ...................... 93 FIGURE  4.7: SATELLITE FIXED CELL FORMAT RECONFIGURATION A) FAILED, B) RECONFIGURED ............................ 100 FIGURE  4.8: CPN MODEL OF AN INDIVIDUAL SATELLITE IN SCENARIO 3 ................................................................... 101 FIGURE  4.9: REPOSITIONING A BACKUP SATELLITE IN THE SAME ORBIT TO RECONFIGURE THE NETWORK ............... 102 FIGURE  4.10: RECONFIGURATION TIME FOR BACKUP SATELLITE REPOSITIONING IN THE SAME ORBIT ..................... 103 FIGURE  4.11: RECONFIGURATION TIME FOR BACKUP SATELLITE REPOSITIONING (20°) WITH DIFFERENT TYPE OF THRUSTERS ....................................................................................................................................................... 104 FIGURE  4.12:  THROUGHPUT VERSUS DATA PACKET ARRIVAL RATE FOR THE SATELLITE NETWORK OF ................... 106 FIGURE  4.13: MEAN DELAY TIME VERSUS DATA PACKET ARRIVAL RATE FOR THE SATELLITE NETWORK OF .......... 106 FIGURE  4.14: EFFECT OF DIFFERENT TYPES OF THRUSTERS IN RECONFIGURATION TIME OF SCENARIO 3 ................. 108 FIGURE  4.15: THROUGHPUT VERSUS DATA PACKET ARRIVAL RATE FOR DIFFERENT BASEBANDS IN SCENARIO 3 .... 109 FIGURE  4.16: MEAN DELAY TIME VERSUS DATA PACKET ARRIVAL RATE FOR DIFFERENT BASEBANDS IN SCENARIO 3 ......................................................................................................................................................................... 109 FIGURE  5.1: RECONFIGURATION SCENARIO 4 (UPPER ORBIT TRANSFER)................................................................... 113 FIGURE  5.2: CPN MODEL OF AN INDIVIDUAL SATELLITE IN SCENARIO 4 ................................................................... 116 FIGURE  5.3: EFFECT OF DIFFERENT TYPES OF THRUSTERS IN RECONFIGURATION TIME OF SCENARIO 3 ................... 118 FIGURE  5.4: THROUGHPUT VERSUS DATA PACKET ARRIVAL RATE FOR DIFFERENT BASEBANDS IN SCENARIO 4 ...... 118 FIGURE  5.5: MEAN DELAY TIME VERSUS DATA PACKET ARRIVAL RATE FOR DIFFERENT BASEBANDS IN SCENARIO 4 ......................................................................................................................................................................... 119 FIGURE  5.6: THROUGHPUT VERSUS FAILURE CONDITIONS FOR RECONFIGURATION SCENARIO 4 ............................... 120  xiii  List of Symbols a Length of the Semi-Major Axis in The Elliptical Orbit b Length of the Semi-Minor Axis in The Elliptical Orbit C A Petri Net Structure D Incidence Matrix 𝐷𝑈𝐶  Uncontrollable Incidence Matrix  𝐷𝑈𝑂 Unobservable Incidence Matrix  𝑒 Eccentricity 𝐺 Gravitational Constant 𝐺𝑖 Satellite Packet Generation Rate GS Ground Station h Altitude F(δ) Firing Vector 𝐼𝑖𝑗 Capacity of Links from Satellite i to Satellite j L Amount of Data to Be Lost 𝑀𝑒 Earth Mass 𝑀𝑓 Final Mass of the Satellite 𝑀𝑝 Propellant Mass of the Satellite 𝑃𝑖 Set of Places in a Petri Net Model 𝑅𝑒 Average Radius of the Earth 𝑅𝑎𝑟𝑒𝑎 Radius of the Maximum Circular Region Can be Viewed by A Satellite xiv  𝑆𝑖 Identity of Satellite 𝑇 Thrust Force 𝑇𝑖 Set of Transitions in a Petri Net Model 𝑇𝑖𝑔 Throughput (the average number of packets transmitted from the domain of the ith satellite to the ground station in one time slot) V Speed 𝑉𝑒 𝛼 Exhaust Velocity Latitude of the Observer 𝛽𝑖 𝛾 Satellite Buffer Capacity Longitude of the Satellite 𝛥𝑃 Period Time Difference 𝛥𝑉 Speed Difference 𝛥𝜃 Relocation of a Satellite in Degrees 𝜀𝑚𝑖𝑛 𝜆 Minimum Elevation Angle Wavelength µ 𝜈 Marking of A Petri Net Model Wave Speed 𝜉𝑖 𝜑 Number of Packets Sent from Satellite i to the Ground Station Latitude of the Satellite 𝜑𝑖  𝜓 Number of Packets Originated from Satellite i Over the Total Number of Received Packets in the Ground Station Longitude of the Observer xv  List of Abbreviations ABM Apogee Boost Motor AOCS Attitude and Orbit Control Subsystem CPN CDF Colored Petri Net Cumulative Distribution Function EFC Earth Fixed Cells GEO Geostationary GS Ground Station IP Internet Protocol LEO Low Earth Orbit NCL Network Confidence Level NCS Networked Control System PSS Power Supply Subsystem PYROS Propulsion and Station Keeping Subsystems 𝑆𝐹𝐶 Satellite Fixed Cells SPN Stochastic Petri Net TCS Thermal Control Subsystem TCP Transmission Control Protocol TTCS Telemetry Tracking and Command Subsystem VUP Vulnerability, Uncertainty, Probability  xvi  Acknowledgements First and foremost, I would like to express my deepest appreciation to my supervisor, Dr. Farrokh Sassani, for his inspiration, encouragement, patience and unconditional adherence. His support and detailed comments have helped me shape my ideas, realize my aims and complete this thesis. I owe him a depth of gratitude that cannot be measured. I would like to convey my gratitude to my supervisory committee, Dr. Nagamune and Dr. Mirabbasi, for their helpful advice during my research which gave me a new perspective on the available options and aspects. I also extend my gratitude to the university examiners, Dr. Gopaluni and Dr. de Silva for their time. I owe particular thanks to all my dear colleagues and friends, especially Behnam Razavi, Hamed Darban Hosseini, Morteza Taiebat and Abbas Hosseini in the Process Automation and Robotic Laboratory (PAR-LAB) at UBC who have inspired me to continue my work in this field. Additionally, I am grateful to the faculty, staff and my fellow students of Mechanical Engineering Department at UBC, notably our wonderful graduate secretary of Mechanical Engineering Department, Ms. Yuki Matsumara, whose kindness and support will always be remembered.  I would also like to acknowledge the sources of financial support for this research, namely: Natural Sciences and Engineering Research Council (NSERC) of Canada, CSA (Canadian Space Agency) and GlobVision Inc. xvii  I offer my enduring gratitude to Dr. Hassan Shojaee and Dr. Farideh Rezazadeh for their never-ending support and guidance. Their advocacy throughout the years of my Ph.D. education in Canada has been a great motivation for me.  Finally, I wish to express my genuine appreciation to my wonderful family for their endless love and support. My mother’s moral support and encouragement, my father’s consistency and persistency have always been a great motivation for me. I am indebted to my fiancé, Sohrab, who is also my best friend, without whose love, encouragement and support, I would not have accomplished this thesis. xviii  Dedication  To my family, “An insufficient token of my appreciation for their unwavering love and support”    1  Chapter 1  1.Introduction  Satellite networks due to their location and the nature of inter-connection require several specific factors to be taken into consideration for optimal and sustained operation. In satellite networks, many nodes and links are required to reach each other through time varying long distances (much longer than on the ground). Satellites are prone to several space-specific hazards. Damage from solar radiation pressure, for instance, is a factor that is considered in satellite operations.  Despite the fact that solar radiation pressure is extensively used as a source of energy in controlling the satellites, it can also severely damage them at excessive levels when there are sudden sun activities which are also called sun-storms. In addition, the space around the earth is surrounded by artificial satellites and debris which have intentionally placed into orbit. As a result of occasional collision between the space objects, either directly or indirectly, satellites are impacted and damaged.  The solar panels of satellites are particularly vulnerable and prone to damage. Furthermore, satellites pass through the shadow of the earth and back into direct solar radiation and as such experience significant temperature variation, thereby affecting their life [5]. Generally, satellite networks’ requirements are different for various configurations 2  depending on their distance from the earth, design, operation and maintenance, transmission technologies, topologies and costs [6]. The control issue in a network of cooperating satellites is thus very important due to the operational and environmental variation they encounter in the space. The constant growth in the global communications and the need to replace aging and out of commission satellites, call for new concepts in the design and operation of satellites. Because of the lower cost of smaller satellites numerous units can be incorporated in an interacting network. In such a system, if properly configured, a satellite failure should not have a severe impact on the network’s intended mission. As a result, there is a growing trend toward deployment of networks of interacting low cost small satellites. Thus with networks of satellites, communication can be more reliably maintained [7, 8]. According to the literature, much of the research work on fault and failure detection, and control methods of satellites has been carried out by assuming an individual satellite regardless of its interaction in a network [9-12]. In case of multi-satellite interactions in a cluster, the faultless performance parameters have been analyzed [13-15]. To this extent, developing a performance analysis procedure by which the complex satellite system can be intelligently controlled and faults evaded is very important [16, 17].   In this study, we develop supervisory control and networked reconfiguration schemes using high-level petri nets which allow a graceful performance degradation of interacting satellites in case of faults to maintain availability and seamless operation. 3  1.1 Satellite System Fundamentals 1.1.1 Satellite Subsystems A satellite is composed of several interconnected subsystems which provide and maintain the full operational conditions [18]. Figure  1.1 shows the most typical satellite subsystems. The communication module on board the satellite is termed the communication payload. All the other subsystems in the satellite support the communication payload in a way that the sending/ receiving links between the earth and the space segments can be maintained. Noting the importance of communication payloads in satellites and their critical role in networked control operation and coordination, they should be closely monitored and controlled to enable all the required operations to be efficiently performed.        Figure  1.1: Typical Satellite Subsystems   Power Supply Subsystem (PSS) The power subsystem is the energy source for the satellite. This subsystem primarily consists of folded solar panels located on two arrays and are deployed after satellite launch and orbit transfer.  Power Supply Communication Payload Telemetry, Tracking & Command Thermal Control Attitude & Orbit Control Satellite Modules Pyrotechnic 4   Communication Payload/ Telemetry Tracking and Command Subsystems (TTCS) The communications and telemetry subsystems orchestrate the flow of data between onboard subsystem components, and between the satellite and the ground station. These subsystems are typically composed of the communications portion, and the telemetry, tracking, and control (TTC) portion.   Thermal Control Subsystem (TCS) The thermal control subsystem is responsible for maintaining the components of the satellite within their operational temperature limits.   Attitude and Orbit Control Subsystem (AOCS) The attitude and orbit control subsystem (AOCS) maintains the pointing accuracy of the satellite by controlling the motion of the satellite in any of the pitch, roll, or yaw axes. It usually deploys thrusters to apply desirable changes in the altitude and orbit.  Propulsion and Station Keeping Subsystems (PYROS) This section includes Pyrotechnic (PYRO) and Apogee Boost Motor (ABM) subsystems. The first one generates and routes the pulses to deploy solar arrays and fire ABM which functions to keep the satellite in its intended orbit or performs desired orbital changes as directed by the mission. ABM subsystem is usually composed of a source of fuel and oxidizer, or liquefied gas, whose limited volume usually determines the duration of the mission.  1.1.2 Satellite Orbit Configurations Satellites operate at various orbits: Low Earth Orbit (LEO) which is close to the earth (200-2000 km), Polar Orbit which passes over or close to polar regions, and Geostationary (GEO) which is located around 35000 km above the earth equator. To an observer located on the earth a satellite in this orbit appears motionless. GEO satellites have a high signal propagation delay, 5  which result in reduction of network performance. LEO satellites have lower propagations delays, because of the lower altitude they have, but there are a large number of these satellites around the earth which provide services through such an orbit. Despite the lower propagation delays in LEO satellites, their enormous numbers in the space create additional propagation problems due to the buffering delays. To this extent, the real-time and non-real time applications of satellites are largely affected due to the large propagation delays in GEO and delay changes in LEO systems [1, 5].  1.2 Satellite Networks Currently, the global satellite communication networks include a number of satellites, where each satellite covers a designated area on the earth (or a number of ground stations), all of which are not visible by any single satellite. These stations are served using ground communication lines via an intermediate ground station which is in the line of sight of all the satellites in the cluster [15]. Interconnections between these satellites using inter-satellites links (ISL) are organized to provide a significant flexibility for satellite communication networks to reconfigure in case of faults without losing data [15, 19, 20]. As a result, using ISL in satellite networks will increase the effectiveness of satellite communication, providing higher quality of services. Here, we present integrated networked reconfiguration schemes for a network of satellites interconnected via ISL. A typical satellite communication network system or cluster is shown in  Figure ‎1.2. Such clusters consist of a number of satellites located around a nominal position in one or multiple orbits (GEO, LEO, etc.). The satellites are connected via RF (Radio Frequency) links and through a ground station. The satellites are also interconnected via ISL for reconfiguration purposes in case of faults.  6    Figure  1.2: A typical Interacting Satellite Network System 1.2.1 Satellite Network Architectures A general architecture of a satellite network is shown in Figure  1.3. Basically, in a network of interacting satellites the system is divided into two segments: space segment and the earth segment. The space segment consists of one or more satellites in particular orbits. Generally, the satellites in a network are located in the same orbit. In some particular networks, the satellites are located in different orbits which are referred to as multitier satellite networks. The operating orbit of satellites and their characteristics depend on the applications and services provided in the networks.  As discussed in the previous section, satellites are controlled and monitored via Telemetry Tracking and Command (TTC) subsystems. TTC subsystems include earth segment interfaces as well. Ground Station  7                                                    Figure  1.3: General Architecture of Satellite Systems The earth segment include the ground station and user networks (terrestrial network) interconnecting to each other. Operation control center is needed to provide feedback information to the satellite network for resource management and other required control functions. Terrestrial Network  Operation Control Center  TTC (Earth Segment)  TTC (Space Segment) Space Segment Earth Segment 8  Connectivity is the way that satellites interacting in a network provide links to each other and to the ground station. There are three major types of connectivity among satellites which are point to point, point to multi-point (also called broadcasting) and multi-point to point [18]. Adding a transmission technology to each satellite, convert the broadcast system into a multipoint to multipoint one, by which each satellite in the network interacts as both sender and receiver [21]. 1.2.2 Satellite Communications Electromagnetic waves are employed in a satellite communication system to transfer the information via an interacting multi-satellite network. Frequency band is a specific range of frequencies while spectrum is a full range of all the frequencies from zero to infinity.  The frequencies between 1 and 4 GHz are the optimum range of the spectrum for space-earth transmissions. A significant amount of atmospheric signal absorption occurs above 12 GHz. At 22 GHz and 60 GHz, there are very high signal absorption due to resonance by water (humidity) and oxygen, respectively. Therefore, these frequencies can only be used for interlinked satellites communications [22]. For interconnection between the satellites and the ground station or among the satellites interacting in a network, radio links are used. Satellite communications depend on the availability of radio spectrum which is limited.  In Figure  1.4 satellite communications frequency bands are shown which can be found in detail in [23]. On the basis of the communication range of frequencies, different types of information may be sent via the network in data, voice and multimedia formats. Below 1 GHz, 9  only data packets may be sent. Between 1 GHz and 7 GHz, voice packets are transferred. Above 7 GHz, data of multimedia nature are transferrable.   V-Band     Ka           K     Ku     X     C     S     L     UHF     VHF     Figure  1.4: Satellites Communications Frequency Bands [23] 1.2.3 Network Communication Protocols Data communication networks are based on the concept of data protocol by which the data stream is broken down into packets that satisfy certain constraints such as length [24]. The data 100 GHz 0.1 GHz 59.3-64 27.5-29.5 uplink 22.5-23.55 17.7-19.7 15.4-15.6 10 GHz 6.7-7.07 downlink 5.85-6.7 downlink 5.09- 5.25 uplink 3.4-4.2 downlink 1 GHz 0.3-0.4 GHz 0.137-0.15 GHz ISLs Voice LEOs /GEOs Data LEOs 10  protocol is used to check the reliability of the transmission process in a network of interacting satellites.  TCP/IP (Transmission Control Protocol/ Internet Protocol) is an adequate candidate for satellite communication networks [20, 25]. According to TCP principles, the sender sends a packet and waits until it receives an acknowledgement from the receiver to indicate that the packet has arrived correctly [26]. The sender keeps a copy of the sent data with its time stamp and if the related acknowledgement receipt times out, a lost packet will be detected. The lost packet will be resent. This is called a congestion avoidance which is identified by using TCP over satellites [27, 28]. For modeling of the network of interacting satellites in  Chapter 4, TCP algorithm is used as the functional protocol in the network. 1.3 Networked Control and Reconfiguration Fault diagnosis in a network is concerned with detecting, isolating and resolving problems. Therefore, control issues in a network of interacting satellites are very important due to the operational and environmental variation they encounter in the space. The constant growth in the global communications and the need to replace older and out of commission satellites, call for design and launch of newer satellites. Because of the lower cost of smaller satellites numerous units can be incorporated in an interacting network. In such a system, if properly configured, one satellite’s failure should not lead to a severe impact on the network’s performance or intended mission. As a result, there is a growing trend toward employing networks of interacting low cost small satellites. With networks of satellites, communication can be more reliably maintained [7, 8]. 11  Controllers can be designed to have a dynamic system behave in some desired fashion. The designed controller will depend on the knowledge about the plant and the available data. When a control system is shared via a communication medium within several nodes beyond the operating system, then a networked control system (NCS) is obtained. Exchanging data, including input, output and control parameters, among the system components through the network is the key feature of an NCS [29]. Using the control over a network reduces the system complexity as well as allows the data to be shared efficiently. Furthermore, intelligent decisions can be made over a large physical environment such as the space where the cooperating satellites are deployed. In this study, an integrated supervisory fault tolerant control and networked reconfiguration scheme is developed to simulate the communication interactions over multiple satellites. In this method, the reconfiguration procedure refers to the retransmission of the data related to the faulty satellite by distributing and sending it via other satellites operating in the network. Orbit transferring, redundant satellite substitution and repositioning the healthy satellites are other reconfiguration schemes which are developed and simulated in this study. Depending on the operating conditions and the size of the affected data, different reconfiguration topologies are used. The main goal of applying networked control in multi-satellite interactions is to monitor and/or to control the data transmission and the communication system to ensure overall systems stability. This can be done by applying supervisory control using high-level petri nets. Network performance is then evaluated using this method [30, 31]. This approach is mainly studied by taking into account the delays and/or packet losses that occur in the network and are used to design a fault tolerant system.  12  All the essential parameters influencing the satellites’ communication status can be modeled through Stochastic Petri Nets (SPNs)/ Colored Petri Nets (CPNs) to be autonomously reconfigurable. For a network consisting of n interacting satellites, where satellite i (i=1, …, n) has buffer capacity β𝑖, the number of possible states in interacting communication would be identical to the probable number of packets in each satellite in healthy condition of the network which we call steady state [15]. In case of a fault in the network, the number of states will change depending on the loss conditions. To prevent these loss conditions due to faults, a networked control model of a multi-satellite communication system is developed using high-level petri nets [32]. 1.4 Literature Review Increasing number of man-made objects deployed in space, whether geostationary or orbiting, can become a danger or at least a problem for the construction and operation of developing aerospace systems. These growing operational constraints deserve attention in the form of monitoring, fault diagnosis and reconfigurable control [18]. To this extent many investigations have been conducted on satellite fault diagnosis and control. James Albus and colleagues [33] focused on Collaborative Tactical Behaviors for Autonomous Ground and Air Vehicles by developing a four dimensional real time control system. Their methodology resulted in detailed design requirements for perception, knowledge representation, decision making, and behavior generation processes that enable complex methods to be planned and executed by unmanned ground and air vehicles working in collaboration with manned systems. Feng et al developed a dynamic simulation to evaluate the location update 13  efficiency in LEO satellite networks. Only LEO satellite communication networks are proposed in their modeling.  Angeli developed an artificial intelligent fault diagnosis method for on-line systems by applying numerical techniques. In this method fault detection is performed by comparing the predicted behavior of a system based on qualitative models with the actual observation [34]. Barua and colleagues made an attempt to conduct Hierarchical Fault Diagnosis and Health Monitoring in Satellites Formation Flight [35]. Through their research a methodology is developed for specifying the network parameters that utilize both node fault-diagnosis performance data and domain experts’ beliefs. Their proposed model development procedure reduces the demand for expert’s time in eliciting probabilities significantly. Joshi et al developed a fault tolerant diagnosis system for the RADARSAT-1 attitude control system (ACS) telemetry [36]. The proposed system uses computational intelligence (CI) to detect and isolate faults and also to infer cause of failures from the telemetry data time series history using functional models of satellite ACS.  Huang et al. studied the congestion control in a satellite network [37]. They investigated how to set rules for a satellite queuing system so that all the GEO satellites as users have self-interest in controlling congestion when it occurs. Xing and colleague attempted to design and simulate an autonomous control system for satellites [38]. In their research a satellite autonomous orbital control system was designed and the semi-major axis control, the eccentricity and the inclination angle were discussed. Powel and Morgansen [39] derived performance limits for a group of autonomous space vehicles obeying a nonlinear motion control model. They performed Monte–Carlo simulations with random initial headings to analyze the communication energy required for the convergence of the discrete-time system. The results 14  implied a strategy for designing minimum communication energy algorithms for heading alignment and coordination for vehicles in which communication is energetically expensive. Casbeer and Holsapple [40] investigated a column generation technique as a distributed method for solving task assignment problems with precedence constraints. With a careful division of the overall problem into small local problems, the column generation approach iteratively solves the sub-problems in a distributed way to reach an overall optimum. Owing to the complexity introduced by the precedence constraints, they conclude that it is unlikely that column generation alone would be practical for distributed task assignment but could perhaps be used in conjunction with other methods or a hierarchical design to allow sub-groups to solve smaller sized problems. Lee and Kim developed a fault tolerant control scheme for satellite attitude control system [41]. In their research a sliding mode control scheme with finite reaching time is proposed for a fault-tolerant satellite attitude control system in the presence of actuator faults and external disturbances. The actuator fault is modeled to reflect the degradation of the actuation effectiveness, and the solar array induced disturbance is considered as external disturbance. The control scheme is designed to perform the rest-to-rest maneuver of a satellite system with the degradation of the actuation effectiveness, and the stability analysis is performed using the Lyapunov theorem. Also numerical simulations are conducted and the results are compared to verify the performance of the proposed fault-tolerant control scheme.  Neural network control methods are widely used by many researchers for different purposes of fault diagnosis and control [16, 42-45]. Li proposed a neural network based fault tolerant controller for mobile robots [42]. The effectiveness of his proposed method is illustrated by performing the simulation of a circular trajectory tracking control.  15  Kalman filters are also one of the most common methods for fault diagnosis and control purposes [46]. Hu et al [47] proposed a navigation and coordination control system by applying Extended Kalman Filters (EKF). Semsar-Kazerooni and Khorasani investigated the optimal consensus algorithms for cooperating team of agents subject to partial information [48]. The objectives of their work were the design and development of controllers for a team of agents that accomplish consensus for agents' output in both leaderless and modified leader-follower architectures.  According to the literature, much of the research work on fault detection and control methods of satellite networks has been conducted by assuming only computer type of problem or a limited mechanical failure, but not for a combination of them. Also intelligent fault prognosis and control recovery scheme have not been investigated for a network of cooperating satellites [16, 17, 49]. Furthermore; the monitoring and controlling of non-measurable faults (hidden faults) is still an open research field [25]. 1.5 Implementation Complexities An adaptable fault prognosis and control system within and on-board a network of interacting satellites is an important module which is desired for unmanned and eventually autonomous space vehicles. However, such a prognosis and control system is not easy to develop since it is the core of the network’s operation and all the earth-linked operational information is reviewed and analyzed through it. Furthermore, some networks of cooperating satellites are used for multi-purpose missions. To this extent often several decisions are made simultaneously about necessary changes to the satellite’s operational parameters (i.e., orbit, inclination, etc.).  Also, despite the time-invariant attributes of air-borne networks, the topology of satellites networks can vary with time.  16  Figure  1.2 depicts a typical management system of a network of cooperating satellites. (We use the terms “cooperating” and “interacting” interchangeably.) Satellite networks have a vast range of applications in many key industries and as such must be monitored, controlled and managed, in order to make such a complex system operate efficiently and securely. Actually, the system must have the ability to adapt itself to the required changes of an application in the presence of fault or emergency cases, and reconfigure accordingly [50]. 1.6 Research Objectives As a consequence of the issues outlined in previous sections, the related demand in industry has been to develop better control and monitoring means for the interacting satellite networks. The proposed research specifically intends to analysis and development of: 1) a fault detection and reliability analysis strategy for the network;  2) a supervisory control system to monitor the behavior of the network in order to meet the performance criteria; and 3) networked reconfiguration schemes without disturbing the stability of the system.  1.7 Scope of the Present Work This research deals with the supervisory control of a network of interacting satellites to establish solutions for fault detection and automatic control. This research is carried out to develop discrete event models using high-level petri nets. A fault tolerant reconfiguration approach is used to formulate such solutions with SPNs. Also, a networked reconfiguration protocol in multi-satellite interactions is generated using CPNs to manage the full/partial failures 17  occurring in the system. These methods help to reconfigure the network to full functional performance conditions. Previous studies have been on individual satellites to detect and control their faults and reconfiguration issues have not been addressed. 1.8 Thesis Outline This thesis is organized as follows:  Chapter 2 presents a methodological approach to objectives 1) and 2) of the research, stated in Section  1.6. The developed methodology is based on Stochastic Petri Nets.  Chapter 2 also presents the basic supervisory controller  to determine the uncontrollable and unobservable state transitions. Synthesizing a controller with such transitions in the network is then explained and the deadlock conditions discussed. To be more specific,  Chapter 2 develops a fault diagnosis and supervisory control system of multi-satellite interactions using SPNs. Vulnerability, uncertainty and probability of the presence of a fault in the network are then assessed using SPN models. To enable the system to operate in fault tolerant conditions, a set of reconfiguration models in a faulty network are developed using CPNs, in  Chapter 3,  Chapter 4 and  Chapter 5 to meet the objectives 2) and 3) of Section  1.6. Also the required performance parameters in a satellite network are developed in these chapters to evaluate network functions.   Chapter 3 is devoted to development of fault tolerant reconfiguration schemes for networks subject to partial failure that meets objective 3). The proposed reconfiguration method enables the faulty network to operate in full performance condition. A stability analysis of the faultless system is shown in this chapter. The reconfiguration method is verified and investigated by measuring the performance parameters in terms of mean delay and throughput. The results are compared to that of an analytical method in the absence of faults. 18   Chapter 4 proposes a networked control scheme for specific types of failures that enables the network to be reconfigured through in-orbit satellite repositioning to achieve objective 3).  The fault tolerant control method of  Chapter 4 is further developed in  Chapter 5 to reconfigure the networks subject to general types of failures and accomplish objective 3).The sensitivity of the performance measures to network input parameters is determined in the absence and presence of faults in the networks. The results are then discussed and compared.   Chapter 6 concludes and remarks on the findings and proposes ideas for future work to improve the implementation and further refine of the developed techniques.            19    Chapter 2  2.Fault Diagnosis and Supervisory Control of Multi-Satellite Interactions Using SPNs  2.1 Introduction This chapter investigates the fault diagnosis and supervisory control of multi satellite interactions and provides a solution to analyze a faulty network. Supervisors are used to ensure that the behavior of the network, which needs to be controlled and reconfigured, does not violate a set of required operational conditions. The supervisory control and reconfiguration actions are based on system observations.  The methodology developed here is divided into two stages. In the first stage a network of interacting satellites is modeled using Stochastic Petri Nets (SPNs) and controllability and observability characteristics of the network are analyzed. Then in the second stage, three major indicators are developed to quantify the vulnerability, uncertainty and failure probability characteristics of the system. The results of the proposed methodology are then presented.  20  2.2 Basic and High-Level Petri Nets 2.2.1 Basic Petri Nets In the 1960s, discrete-event simulation techniques became very popular. In many cases, this resulted in the development of advanced simulation languages such as SLAM, Arena, Simula and SimScript. Some references best explain these references are [51-53]. More recent applications are reported in [54-56]. One method to model complex systems such as multi-satellite interactions is to use petri nets. Petri nets have a simple mathematical representation by employing linear matrix algebra making them particularly useful for analysis and design of discrete event systems [57-59]. Petri nets are divided into low and high-level forms [60, 61].  Stochastic Petri Nets (SPNs) and Colored Petri Nets (CPNs) are classified as high level. The advantage of using high-level petri nets in a satellite network is its both state and action oriented nature which describes the states of the system and the transitions (events) which cause changes in the states. Therefore, for a complex system such as a multi-satellite interaction, the networked control performance can be modeled, using much of the existing real conditions. A Petri Net structure, C, is a four tuple, C=(P, T, I, O), where P is a finite set of places which define the network conditions, T is a finite set of transitions which define the network events, I and O are the Input and Output functions (I,O: TP) [62]. A petri net is a multi-graph, since it allows multiple arcs from one node of the graph to another. Since the nodes of the graph can be partitioned into two sets (places and transitions), such that each arc is directed from an element of one set to an element of the other set, it is a bipartite directed multi-graph. As shown in Figure  2.1, a petri net graph is equivalent to the petri 21  net structure C= (P, T, I, O). A marking is an assignment of tokens (dots) to the places of a petri net. A transition can be caused, i.e. triggered or fired (in the petri net vocabulary), if there are required number of tokens in all the places preceding a transition node.     Figure  2.1: A simple graph representation of a marked petri net      Figure  2.2: The marking results from firing transition t1 in Figure  2.1 In Figure  2.1 if transition t1 is fired, the marking shown in Figure  2.2 will result. In a petri net model, the conditions are modeled as places and events as transitions. The occurrence of an event in the physical plant is modeled by the triggering (firing) of a transition [2]. Reachable Marking [62]: For a petri net C= (P, T, I, O) with marking m, a marking 𝑚′ is immediately reachable from m, if there exists a transition 𝑡𝑗 whose firing result in 𝑚′. Deadlock [62]: A deadlock in petri net is a transition which cannot be fired.   P3 P1 t1 P2 P3  t1 P2 P1 22  A transition is live if it is not deadlocked. A transition is live at level i, if every transition is live at this level. 2.2.2 Petri Net Analysis Techniques There are two major methods to analyze petri net models including the reachability tree and the matrix equations.  Reachability tree [62] represents the infinite number of markings which result from loops. Frontier nodes are those which have not yet been processed. The root of the reachability tree is set equal to the initial marking as a frontier node. As long as frontier nodes remain, they are processed by the following algorithm: Let x be the frontier node to be processed. If there exists another node y in the tree which is not a frontier node, and has the same marking associated with it, 𝜇[𝑥] = 𝜇[𝑦], then node x is a duplicate node. If no transitions are enabled for the marking 𝜇[𝑥], then x is a terminal node. For all transitions which are enabled in 𝜇[𝑥], create a new node z in the reachability tree. The marking 𝜇[𝑧] associated with this new node is, for each place 𝑝𝑖, 1. If 𝜇[𝑥𝑖] = 𝜔, then 𝜇[𝑧𝑖] = 𝜔. 2. If there exists a node y on the path from the root node to x with 𝜇[𝑦] < 𝜕(𝜇[𝑥], 𝑡𝑗) and 𝜇[𝑦]𝑖 < 𝜕(𝜇[𝑥], 𝑡𝑗)𝑖, then 𝜇[𝑧]𝑖 = 𝜔. 3. Otherwise, 𝜇[𝑧𝑖] = 𝜕(𝜇[𝑥], 𝑡𝑗)𝑖. 𝜔 represents the marking vector, showing current marking in each place. An arc, labeled 𝑡𝑗 is directed from node x to node z. Node x is redefined as an interior node; node z becomes a frontier node. 23  Matrix equations [62] are another means of analyzing petri net models. An alternative to the (P, T, I, O) definition of petri net is to define two matrices 𝐷− and 𝐷+ to represent the input and output functions (P, T, 𝐷−, 𝐷+). Each matrix is m rows (one for each transition) by n columns (one for each place). We define 𝐷−[𝑗, 𝑖] = #(𝑝𝑖 , 𝐼(𝑡𝑗)) and 𝐷+[𝑗, 𝑖] = #(𝑝𝑖, 𝑂(𝑡𝑗)). Let e[j] (transition matrix) be the unit m-vector which is zero everywhere except in the 𝑗𝑡ℎ component. A transition 𝑡𝑗 is enabled in a marking 𝜇 if  𝜇 ≥ (𝑒[𝑗]. 𝐷−). The system incidence matrix and the reached marking after firing the enabled transitions are shown respectively in Equations ( 2.1) and ( 2.2). D= 𝐷+- 𝐷− ( 2.1) 𝜇′ = 𝜇 + 𝑒[𝑗]. 𝐷  =𝜇 + 𝑓(𝛿). 𝐷 ( 2.2) The vector 𝑓(𝛿)=e[𝑗1] + [𝑗2] + ⋯+ 𝑒[𝑗𝑘] is called the firing vector of the sequence 𝑡𝑗1. 𝑡𝑗2…𝑡𝑗𝑘 . The 𝑖𝑡ℎelement of 𝑓(𝛿), 𝑓(𝛿)𝑖, is the number of times that transition 𝑡𝑖 fires in the sequence 𝑡𝑗1. 𝑡𝑗2…𝑡𝑗𝑘. 2.2.3 Stochastic Petri Nets (SPNs) As it is not always easy to assess system performance due to modeling difficulties, simulation is often the only available numerical method. SPN as a simulation method is an attractive graphically-oriented modeling framework well-suited to path generation on computer [63, 64]. System states change when events occur. Stochastic changes occur at random times. By modeling a stochastic process, X(t) is assumed as the state of the system at time t which is a random variable. The network of interacting satellites is considered as a discrete event stochastic system by defining appropriate system states [64]. 24  2.3 Modeling Methodology for Fault Diagnosis and Supervisory Control of Multi-Satellite Interactions Using SPNs Control design using petri net models enforces the desired events to occur and prohibits the undesired ones from occurring. To model the supervisory controllers using petri nets, controllability and observability specifications have to be checked to prevent forbidden connections in the model [65]. 2.3.1 Controllability and Observability in Petri Nets Petri net models provide the option to design supervisory controllers which prevent forbidden or undesirable states from occurring in a modeled system. Many researchers have used petri nets as a tool for modeling and synthesizing the control laws for different types of discrete event systems [13, 60, 61, 66, 67]. The goal of supervisory control is to restrict the reachable marking of a plant to b tokens [61]: 𝑙𝑇𝜇𝑝 ≤ 𝑏 ( 2.3) where 𝜇𝑝 is the plant’s marking, l is an integer weight vector and b is an integer scalar. The inequality constraint in relation ( 2.3) can be transferred to equality by introducing a slack variable 𝜇𝑐which has to be nonnegative, as shown in Equation ( 2.4) [61]. 𝒍𝑻𝝁𝒑 + 𝝁𝒄 = 𝒃 ( 2.4) Therefore, the incidence matrix of the petri net plant will be divided into two sections as 𝐷𝑝 and 𝐷𝑐 (Equation ( 2.5)), where the first is the plant’s incidence matrix and the second is the controller incidence matrix.  25  𝐷 = [𝐷𝑝𝐷𝑐] ( 2.5) Referring to Equations ( 2.4) and ( 2.5), a petri net controller with initial marking 𝜇𝑐0 is obtained using Equations ( 2.6) and ( 2.7): 𝐷𝑐 = −𝑙. 𝐷𝑝 ( 2.6) 𝜇𝑐 = 𝑏 − 𝑙. 𝜇𝑝0 ( 2.7) where 𝜇𝑝0 is the plant’s initial marking and l can be determined using the constraint conditions. 2.3.1.1 Uncontrollable Transitions A petri net transition is called uncontrollable if the firing of that transition cannot be prevented by an external action [61]. According to this definition, an uncontrollable transition can be observed. Therefore, the arcs can be freely connected from uncontrollable ‘transition’ to a controller ‘place’. But the inverse case is not applicable which means that the arcs cannot be connected from controller places to the uncontrollable transitions. This requirement is checked in petri net models using Equation ( 2.8): 𝑙𝑇𝐷𝑢𝑐 ≤ 0 ( 2.8) where 𝐷𝑢𝑐 is the uncontrollable subspace of the incidence matrix 𝐷𝑝[m×n], where its ranking is less than the n (full rank). The controller places work on the basis of disabling/ enabling controllable transitions in a way that the number of tokens in the controller place is less/ more than the weight of the connector arc.   2.3.1.2 Unobservable Transitions A petri net transition is called unobservable, if the firing of that transition cannot be directly measured or detected [61]. There cannot be any connection between the controller places and the 26  unobservable transitions. Therefore, the unobservable transitions are also uncontrollable. This requirement is checked using Equation ( 2.9):    𝑙𝑇𝐷𝑢𝑜 = 0 ( 2.9) where 𝐷𝑢𝑜 is the unobservable subspace of the incidence matrix 𝐷𝑝[m×n]. 2.3.2 Supervisory Controller Synthesis Using Petri Nets If the uncontrollability and unobservability conditions, checked by Equations ( 2.8) and ( 2.9), are not met in the petri net model, the defined constraints have to be transformed given by Equations      ( 2.10),      ( 2.11),      ( 2.12) and      ( 2.13) [32, 61, 68]: 𝐿𝑒𝑡 𝑅1 ∈ 𝑍𝑛𝑐×𝑛 𝑠𝑎𝑡𝑖𝑠𝑓𝑦 𝑅1𝜇𝑝 ≥ 0 ∀ 𝜇𝑝      ( 2.10) 𝐿𝑒𝑡 𝑅2 ∈ 𝑍𝑛𝑐×𝑛𝑐  𝑏𝑒 𝑎 𝑝𝑜𝑠𝑖𝑡𝑖𝑣𝑒 𝑑𝑒𝑓𝑖𝑛𝑖𝑡𝑒 𝑑𝑖𝑎𝑔𝑜𝑛𝑎𝑙 𝑚𝑎𝑡𝑟𝑖𝑥      ( 2.11) 𝑖𝑓 𝐿′𝜇𝑝 ≤ 𝑏′ 𝑤ℎ𝑒𝑟𝑒 𝐿′ = 𝑅1 + 𝑅2. 𝐿 and  𝑏′ = 𝑅2(𝑏 + 1) − 1, then  𝐿. 𝜇𝑝 ≤ 𝑏.      ( 2.12) [𝑅1   𝑅2] [𝐷𝑢𝑐𝐿𝐷𝑢𝑐𝐷𝑢𝑜𝐿𝐷𝑢𝑜−𝐷𝑢𝑜−𝐿𝐷𝑢𝑜 𝜇𝑝0𝜇𝑝0 − 𝑏 − 1] ≤ [0 0 0 − 1]      ( 2.13) A major goal in designing supervisors and analyzing control properties of petri net plants is that certain state to state transitions cannot be inhibited using any control law, so the developed PN models have to meet certain requirements. Therefore, by checking these requirements the PN model would be applicable in the real time systems for on-line reconfiguration and handling the uncontrollability and unobservability conditions. 27  2.3.3 Integrating Fault Analysis Indicators Using SPNs The fault analysis indicators of a system can be quantified in terms of vulnerability, uncertainty and probability and these are used for multi-satellite interactions. The related indicators’ analytical results are given in Section  2.5. Here the definition of each term is provided: Vulnerability: Is defined as a quantity which indicates how many times an event has occurred within a time interval [49]. Uncertainty: Is defined as the number of failed components at time t [69]. Probability:  Is defined as the sum of probabilities of being in state “s” at time t [62]. Here we have developed formulas to calculate these indicators using SPN models. Vulnerability: Is defined as a quantity which indicates how many times an event modeled by a PN transition, has occurred in that interval. The expected number of firings of 𝑡𝑘  (transition k) in (0, t) is given by [49]: 𝜇𝑘(𝑡) =∑∫ 𝑞𝑠𝑡0𝑠𝜖𝑆(𝑧). 𝜆𝑘(𝑠). 𝑑𝑧      ( 2.14) where 𝜆𝑘(𝑠) is the firing rate of 𝑡𝑘 in marking s and 𝑞𝑠(𝑡) is the probability of being in state “s” at time t. Firing rate is a probabilistic delay after which the transitions are fired and is determined by a random variable. In steady state, the expected number of firings per unit time becomes: 𝜐𝑘(𝑡) =∑𝑞𝑠𝑠𝜖𝑆(∞). 𝜆𝑘(𝑠)             ( 2.15) 28  For example, in a network of cooperating satellites, the mean number of failures (repairs) of the network components in (0, t) is quantified as the vulnerability level of the system in each failure case. Uncertainty: Let 𝑃i be a place in the petri net model. The cumulative distribution function (CDF) of the number of tokens in 𝑃𝑖 at time t is a staircase function in which the amplitude of the k-th step is obtained by summing up the probabilities of all the markings, containing k tokens (k= 0, 1, 2,…) in 𝑃𝑖 at time t. The density 𝑓𝑖(𝑘, 𝑡) is a mass function equal to the amplitude of the k-th step. The expected value of the number of tokens in place 𝑃𝑖 at time t  is [69]: 𝐸[𝑚𝑖(𝑡)] =∑ 𝑘. 𝑓𝑖(𝑘, 𝑡)∞𝑘=0      ( 2.16) For instance, if place 𝑃𝑖 represents identical satellites queuing up to communicate with a Ground Station, the above quantity (CDF) is the expected value of the number of satellites in the queue versus time. In uncertainty analysis a very interesting case arises when place 𝑃𝑖 represents failed components. Equation      ( 2.16) provides the expected value of the number of failed components at time t. Probability:  By means of logical or algebraic functions of the number of tokens in the PN places, an output condition can be specified, for instance the number of tokens in the defined failed condition place. The probability of the output measure [62, 70]: [𝑄𝑠(𝑡) = 𝑃𝑟𝑜𝑏 {𝐶𝑜𝑛𝑑𝑖𝑡𝑖𝑜𝑛 𝑖𝑠 𝑡𝑟𝑢𝑒 𝑎𝑡 𝑡𝑖𝑚𝑒 𝑡}] is given by:  𝑄𝑠(𝑡) =∑ 𝑞𝑠𝑠∈𝑆(𝑡)      ( 2.17) where 𝑞𝑠(𝑡) is the probability of being in state “s” at time t. The simulation details and quantification results are presented in Section  2.5. 29  2.4 Petri Net Modeling and Supervisory Synthesis of Multi-Satellite Interactions Using SPNs To verify the petri net control concepts discussed in Sections  2.3.1 and  2.3.2, we consider a network of three interacting satellites S1, S2 and S3 communicating through a ground station GS, Figure  2.3.                                                                                                                                                                                                                                                                                                                          (a)                    (b)  Figure  2.3: A Network of Three Cooperating Satellites Communicating through a Ground Station Resource (a) A Schematic, (b) A Block Diagram The related petri net model of this network is shown in Figure  2.4. It contains 10 places and 9 transitions. Each of the places P1, P5 and P8 show the independent operational conditions of each satellite in its orbit. By firing transitions T1, T4 and T7, each satellite sends an access  S1 S2 S3 GS 30  request to the ground station at known time stamps which may result in waiting condition of the satellites to access the ground station (shown by places P2, P6 and P9). Place P4 shows the ground station availability where its buffer size is considered to be equal to the number of initial tokens in it. In this model place P4 is marked with two tokens, which means that the ground station is able to communicate with only two satellites at the same time.                   Figure  2.4:  Petri Net Model of a Network of Three Satellites  Communicating through a Ground Station P1 P2 P3 T3 T2 T1 T6 T4 T5 P5 P6 P7 P8 T9 T7 T8 P4 P9 P10 31  If the specified number of tokens is available in place P4, the transitions T2, T5 or T8 will fire and result in tokens to appear in each of the places P3, P7 or P10, respectively. These places denote the condition when each satellite is communicating with the ground station.  In the satellite network of Figure  2.4, if all the three satellites are identical, we can fold the three symmetric parts of the PN of Figure  2.4 into a compact PN of Figure  2.5.                  Figure  2.5:  Folded Petri Net Model of Figure  2.4 The incidence matrix of the petri net model shown in Figure  2.5 is calculated using Equation ( 2.1):                       P1 P2 P3 T3 T2 T1 P4 32  𝐷𝑝 = 𝐷+ − 𝐷− = [010010001001] − [100100000110] = [−1 0 1+1 −1 00 +1 −10 −1 +1] The ranking of the incidence matrix is equal to 2 and the uncontrollable portion of the network is the third column. So, transition T2 is uncontrollable.  The following constraints have to be imposed upon the networked system: 𝜇3 + 𝜇4 ≤ 2 𝜇1 ≤ 3 According to the above constraints, matrix l will be: 𝑙 = [0 01 0    1 10 0] As Transition T2 is uncontrollable, the condition of Equation ( 2.8) is checked to determine if the defined constraints are admissible with respect to the plant uncontrollable transition.  𝑙𝑇.𝐷𝑢𝑐 = [00], so it meets the requirement as checked below: 𝑙𝑇.𝐷𝑢𝑐 ≤ 0 𝐷𝑢𝑐  33  Using the controller synthesis rules of petri nets, as defined in this section, all the developed models in this chapter are analyzed using the same method. 2.5 Fault Diagnosis Modeling of Multi-Satellites Interactions Using SPNs In this chapter, application of SPN in measuring and quantifying the vulnerability, uncertainty and probability in a satellite network is studied. All the effective parameters influencing the network status can be modeled through SPN concepts and autonomously managed. In Section  2.3.3, a set of indicators were identified to quantify vulnerability, uncertainty and probability. In the following sections of this chapter, an SPN model is developed to measure the three indicators in a network of satellites. 2.5.1 SPN Fault Tolerant Modeling of Multi-Satellite Interactions Performance reliability of a satellite network can be determined through vulnerability, uncertainty and probability analysis using SPN. To do so, a detailed modeling of a network of “n” cooperating satellites communicating with each other and through a ground station is undertaken. As explained for the networked satellites modeled in Section  2.4 and assuming S1, S2 and S3 are identical satellites, fault free network operation is modeled and simulated using petri net Editor Software [71]. The model is shown in Figure  2.6. The stochastic properties of the satellite network are determined by allocating a firing rate to transition T1.  Failure Modeling- Taking into account the failure and repair of each satellite, the network operation is modeled by the SPN of Figure  2.6. In Table  2.1, the description of places and transitions related to the Stochastic Petri Net graph of Figure  2.7 and the numerical values 34  assigned to the firing rates associated with each PN transition are shown. The sum of tokens in P1 is equal to “n” (the number of satellites), whereas the sum of tokens in P4 is equal to “m” (the number of available processing buffer in the ground station). In this simulation, it is assumed that “n” is equal to 3 and “m” is equal to “n-1”. T2 and T9 are assumed as immediate transitions (uncontrollable).   Figure  2.6:  Folded SPN Scheme of a Network of Three Cooperating Satellites Using Petri Net Editor Software 35    Figure  2.7: Satellite Network SPN Modeling Including Failures and Repairs Using Petri Net Editor Software 36  Table  2.1: Description of Places and Transitions in SPN Graph of Figure  2.7 P1 Satellite working independently.  P2 Satellite waiting for access to GS.  P3 Satellite interacting with GS.  P4 GS free.  P5 GS failed.  P6 Satellite failed. Firing Rate (Average Number of Triggers/ Time Slot) T1 Satellite requesting access to GS. 1 × 𝑚1 T2 Satellite accessing GS. 104 T3 Satellite releasing GS. 5 T4 Satellite failure in local mode. 10−4 ×𝑚1 T5 Satellite failure while waiting. 10−4 ×𝑚2 T6 Satellite failure while working with GS. 10−4 T7 GS failure while working. 10−4 T8 GS failure while free. 10−4 T9 Return to local mode when GS failed. 104 T10 Satellite repair. 10−2 T11 GS repair. 10−2 37  The incidence matrix of the plant calculated using Equation (‎2.1) is: -1 0 1 -1 0 0 1 0 1 1 0 1 -1 0 0 -1 0 0 0 -1 0 0 0 1 -1 0 0 -1 -1 0 0 0 0 0 -1 1 0 0 1 0 -1 0 0 1 0 0 0 0 0 0 1 1 0 0 -1 0 0 0 1 1 1 0 0 0 -1 0 Because the rank of the incidence matrix is equal to 4, there are 7 uncontrollable transitions as T2, T4, T5, T6, T7, T8 and T9. As defined in the previous section, there are two required constraints as: 𝜇3 + 𝜇4 + 𝜇5 ≤ 2 𝜇1 + 𝜇3 + 𝜇2 + 𝜇6 ≤ 3  𝑙𝑇. 𝐷𝑢𝑐 is then calculated as:  0 0 0 0 0 0 0    0 0 0 0 0 0 0   Checking the condition set by Equation ( 2.8), makes it possible to see whether 𝑙𝑇.𝐷𝑢𝑐 contains any positive values which indicate whether the current constraints would prevent the controllability conditions. As it is shown in the calculated 𝑙𝑇.𝐷𝑢𝑐, it meets the required conditions: 𝑙𝑇.𝐷𝑢𝑐 ≤ 0.  0 0 1 1 1 0 1 1 1 0 0 1    𝐷𝑝 = 𝑙 = 𝑙𝑇. 𝐷𝑢𝑐= 38  Because all the elements of 𝑙𝑇. 𝐷𝑝 are equal to zero, if any transition becomes unobservable, it will meet the required condition of 𝑙𝑇.𝐷𝑢𝑜= 0. After synthesizing the developed petri net model to see whether it meets the system requirements according to the controllability rules, the observability conditions are checked as well using Equation ( 2.9). If any obstructions appear in a part of the identified transitions T1 to T11, the transitions become observable. Therefore, on the basis of Equation ( 2.9), 𝑙𝑇. 𝐷𝑢𝑜 should be equal to zero.  With the initial marking M1 shown in Figure  2.6, 21 states are reachable in the SPN model whose token distribution is shown in Table  2.2. By examining the data reported in Table  2.1 and Table ‎2.2, the following subsets of states are identified as reachable:  States 1, 2, 3, 4: fault free operation of the satellite network;  States 5, 6, 7: two satellites in normal operation, one satellite in failed condition;  States 8, 9: one satellite in normal operation, two satellites in failed condition;  States 15, 20, 21: all satellites in normal operation, ground station in failed condition;  States 14, 18, 19: two satellites in normal operation, one satellite and ground station in failed condition;  States 13, 16, 17: one satellite in normal operation, two satellites and the ground station in failed condition;  State 10: all satellites in failed condition;  States 11, 12: three satellites and ground station in failed condition. 39  Table  2.3 is the description of the reachability tree of the SPN. According to Table  2.3, for each state shown on the first column, the enabled transitions and the immediate reachable states (in parentheses) are specified.  Substituting the numerical values of the firing rates given in Table  2.1, the transition rate matrix is automatically generated using Petri Net Editor Software [71]. According to the Probability definition in Section  2.3.3 and with respect to the generated transition matrix in Table  2.3, the probabilities of all the 21 states are quantified using Equation      ( 2.17).  The Vulnerability in the time interval of [0, 23.17] is shown in Figure  2.8(a). The stay time in each state and the return time to each state, are given in Figure  2.8(b) and (c), respectively. Probabilities at time t=23.17 is shown in Figure  2.8(d). According to the Vulnerability definition in Section  2.3.3, the vulnerability of the defined network at the time interval of [0, 23.17] is determined using Equation      ( 2.14) and is shown in Figure  2.8(a). For the specified SPN of Figure  2.7, the vulnerability is quantifiable for the transitions identifying a failure in the system (for{𝑇4, 𝑇5, 𝑇6, 𝑇7, 𝑇8}) at t=23.17. For the given time interval, marking no.8 (which means one satellite is in normal operational condition when the other two ones have failed) happens for 5 times and is the most frequent vulnerable event. Referring to Figure  2.8(b) and (c), at t=23.17, it remains in this state for around 0.2 time slots and takes around 1 time slot to return again.  According to Figure  2.8(b) and (c), state 7 has the longest stay time as well as a longer return time at t=23.17.  So, if one of the satellites fails during operation at t=23.17, it will take more than 1.5 time slot to transit to another state. With reference to the Uncertainty definition in Section  2.3.3, the uncertainty of the cooperating satellites network, defined in Figure  2.7 by a SPN model at time t=23.17, is 40  quantified using Equation      ( 2.16). The results show that there are a cumulative number of tokens in place “𝑃5 “, which is identical to a failure in the ground station at this time step. In Figure  2.8(d), the states probabilities for the modeled SPN system of Figure  2.7, are shown at time t=23.17 seconds. It shows that state 20 is the most probable event which may happen in the system. So the least reliable section at this time step is the ground station which failure is the most probable event. Table  2.2: Token Distribution of the SPN of Figure  2.7 State Marking m1 m2 m3 m4 m5 m6 1 3 0 0 2 0 0 2 2 0 1 1 0 0 3 1 0 2 0 0 0 4 0 1 2 0 0 0 5 0 0 2 0 0 1 6 1 0 1 1 0 1 7 2 0 0 2 0 1 8 1 0 0 2 0 2 9 0 0 1 1 0 2 10 0 0 0 2 0 3 11 0 0 0 1 1 3 12 0 0 0 0 2 3 13 1 0 0 0 2 2 14 2 0 0 0 2 1 15 3 0 0 0 2 0 16 1 0 0 1 1 2 17 0 0 1 0 1 2 18 1 0 1 0 1 1 19 2 0 0 1 1 1 20 3 0 0 1 1 0 21 2 0 1 0 1 0    41  Table  2.3: Description of the Reachability Tree of the SPN of Figure  2.7 State Enabled transitions and reachable states 1 T1 (2) T4 (7) T8 (20)     2 T1 (4) T3  (1) T4 (6) T6 (7) T7 (20) T8 (21)  3 T1 (4) T3  (2) T4 (5) T6 (6) T7 (21)   4 T3 (3) T5  (5) T6 (5) T7 (21)    5 T3 (6) T6  (9) T7 (18) T10 (3)    6 T1 (5) T3  (7) T4 (9) T6 (8) T7 (19) T8 (18) T10 (2) 7 T1 (6) T4  (8) T8 (19) T10 (1)    8 T1 (6) T4 (10) T8 (16) T10 (7)    9 T3 (8) T6 (10) T7 (16) T8 (17) T10 (6)   10 T8 (11) T10 (8)      11 T8 (12) T10 (16) T11 (10)     12 T10 (13) T11 (11)      13 T1 (14) T4 (12) T10 (14) T11 (16)    14 T1 (19) T4 (13) T10 (15) T11 (19)    15 T1 (20) T4 (14) T11 (20)     16 T1 (17) T4 (11) T8 (13) T10 (19) T11 (8)   17 T3(16) T6 (11) T7 (13) T10 (18) T11 (9)   18 T1 (21) T3 (19) T4 (17) T6 (16) T7 (14) T10 (2) T11 (6) 19 T1 (18) T4 (16) T8 (14) T10 (20) T11 (7)   20 T1 (21) T4 (19) T8 (15) T11 (15)    21 T1 (3) T3 (20) T4 (18) T6 (19) T7 (15) T11 (2)    42    Figure  2.8: State Functions for the SPN System of Figure  2.7 a) Vulnerability for [0, 23.17], b) Stay Time at t=23.17, c) Return Time at t=23.17, d) Probability at t=23.17 (a) (b) (c) (d) No. of Occurrences Time Slot Time Slot Percentage (%) × 100 Vulnerability 43  2.6 Conclusions The chapter proposed a procedure to analyze the controllability and observability characteristics of petri net models for a given set of system parameters. A petri net supervisory controller is then designed for the networked satellites.  Reliability indicators are also integrated in terms of vulnerability, uncertainty and probability in the network using SPN models. The reliability of the developed supervisory control and fault detection model is assessed for a network of three satellites using SPNs. The information provided in Section  2.5, lets the system to analyze the reliability of the network components to take the required actions under a supervisory control system. The faults and their occurrences lead us to vulnerability, uncertainty and probability criteria which indicate the performance of the system. The SPN model provides the possibility of monitoring system’s behavior. This procedure addresses objectives 1) and 2).         44   Chapter 3  3.Networked Reconfiguration of Multi-Satellite Interactions Subject to Partial Failure Using CPNs  3.1 Introduction This chapter deals with the fault tolerant control and networked reconfiguration of multi satellite interactions subject to partial communication failure. Partial failure addresses the faults in part of the satellite communication system. Although losing the connection with some components in partial failure, it is still able to communicate with the other ones. Full failure refers to the condition when a component in the network (satellite) is fully failed to operate. Using the physical specifications of space objects, a procedure is developed in  3.3 to reconfigure the network, subject to partial failure, to its default functional conditions with full performance operation. A Colored Petri Net approach is used to analyze the system [4].  45  3.1.1 Colored Petri Nets (CPNs) Colored Petri Nets are high-level or advanced version of the ordinary petri nets that are used for development of compact and parameterized models of complex systems [72]. A CPN represents a graphical language for modeling and simulation of concurrent and non-deterministic systems and analyzing their performance and properties. Figure  3.1 shows a simple Colored Petri Net. Colored Petri Nets allow tokens to have a data value assigned to them. The assignment is called a token color. The color can be assigned arbitrarily to the places in CPNs in a way that each place contains tokens of one type. This type is called color set of the place. To distinguish the same data packet contents from one another, token colors with different time stamps are used. By performing simulation of the Colored Petri Net models, it is possible to describe different states and investigate the behavior of the system [73-75]. The developed models and simulations, shown in  Chapter 3,  Chapter 4 and  Chapter 5 are created using the “CPN Tools” software [76].        Figure  3.1:  A simple representation of Colored Petri Nets  46  The advantage of applying Colored Petri Nets in a satellite network is its both state and action oriented nature which describes the states (places) of the system and the transitions (events) that cause changes in the states. Therefore, for a complex system such as a multi-satellite network, the networked control performance can be simulated using much of the real conditions. 3.2 Networked Reconfiguration Scheme of Multi-Satellite Interactions Subject to Partial Failure Using CPNs 3.2.1 Methodology Faultless operation of satellites in a network plays an important role in the availability of the respective network. Within a network, the satellites and their related payloads are the only non-terrestrial (space segment) elements of the system. The non-terrestrial state of the satellite communication networks means that the repair of a failed space segment of the satellites or their subsystems is not generally possible. There are several reconfiguration scenarios to enhance availability of the network when one of the interacting satellites or its corresponding transponder fails.  Using these reconfiguration procedures ensure that the network remain available following a failure event.  Chapter 3,  Chapter 4 and  Chapter 5 explain the concepts we have developed to reconfigure network of interacting satellites to a fault tolerant mode. The proposed reconfiguration simulation results are presented at the end of each chapter. 3.2.2 Reconfiguration Models- An Overview A network consisting of n satellites connected through inter-satellite links is considered. Each satellite 𝑆𝑖 has β𝑖 on-board buffer capacity in which subscript i refers to the satellite 47  number from 1 to n. It is assumed that each buffer of a satellite can be accessed by all the uplinks/downlinks connected to the satellite and all the downlinks and uplinks capacities are equal. Assuming 𝐼𝑆𝐿𝑖𝑗 to be the inter-satellite link from satellite i to satellite j, 𝐼𝑖𝑗  is defined as its buffer capacity. Time is divided into slots of duration equal to the packet transmission time.  Under normal faultless condition, each satellite communicates through a space network transmission protocol with the ground station. According to the applied communication protocol, each satellite will know whether its transmitted packet has been successfully received by the ground station, if it receives an acknowledgement. Packets sent to satellite i may be rejected due to three main reasons: - Full buffer of the satellite which may result in retransmission after a delay; and satellite-ground station connection faults which result in retransmission of the data through other satellites, for which reconfigurations are modeled in this chapter. - Full failure of a satellite for which reconfiguration models are discussed in  Chapter 4 and  Chapter 5. - Network collisions (conflicts) which may result in “data loss” or “acknowledgement loss” which is modeled using TCP communication protocol in all developed reconfiguration models. It is assumed that each satellite updates itself and follows a random generation with mean 𝐺𝑖(i=1,…,n) in which the new packets are generated in each satellite and transmitted from them to the ground station. The following summarizes the general system parameter notations used in all the developed reconfiguration schemes:   48  𝑆𝑖- identity of satellite, β𝑖- number of on-board buffers (capacity), 𝐼𝑖𝑗- capacity of links from satellite i to satellite j (packets per slot), 𝐺𝑖- mean satellite packet generation rate (packets per time slot). This in fact emulates the  arrival of external data packets to the network, NCL- Network Confidence Level which defines the efficiency of the network transmission, Although the recovery procedure of failed satellites in a network is very costly and time consuming, the proposed reconfiguration models prevent the cluster from failing, and reconfigure the network to an acceptable level. Therefore, the main effort is devoted to the reconfiguration of the satellite cluster, some components of which have fully/partially failed.  3.3 Partially Failed Network Reconfiguration by Transmitting Data through Other Satellites (Scenario 1) When one of the satellites in the network fails to connect to the ground station but is still able to continue its operation, the generated data in the faulty satellite is distributed among the other satellites in the network based on their available buffer size. This includes a time delay in the receiving and sending functions of the faulty satellite.     49                                   Figure  3.2: Reconfiguration by Transmitting Data through Other Satellites Figure  3.2 shows a schematic view of the cluster when the earth link of the satellites interacting in the network is lost. The proposed reconfiguration procedure provides the possibility of uninterrupted services in the network with some additional delay time. The related simulation results are presented at the end of this chapter. 3.3.1 CPN Simulation- Main Modules The first step in modeling the reconfiguration in CPN is to identify the places required. With the proposed reconfiguration model, there are relatively a few places involved, although they are repeated many times through the collection of sub-pages which constitute the specifications. In this thesis, for all the developed CPN models, the places which are repeated are shown with tags marked as “Fusion m” in which m refers to the number of fusion set. A fusion place means that its multiple appearances are to be treated as if there were only one place. The next phase in the simulation is to add transitions, whose occurrences, as explained in Section  2.2, represent events. These events are identified at a level of abstraction that corresponds to an informal description. The arcs and transition conditions (java inscriptions    50  defined for a transition in CPN tools), are then added to relate the events and the states (conditions which represent objects or data). To satisfy the required desirable conditions, variables are defined so that transitions can be referred to the initial conditions.  The places and transitions are defined to be easily related to the reconfiguration specifications. They are given suggestive names to indicate their brief functional description. To retain the defined places and transitions corresponding to some obvious notion of states or events, which are the graphical aspects of CPN, complex text inscriptions have been used. This is useful for following the graphical elements identified in the CPN model, because the number of graphical objects increases exponentially.  The idea of hierarchical modeling is also used with substitution transitions. A hierarchical CPN model allows representing a complex simulation through a simplified net that gives a broad overview of the system [72]. So, in the process of CPN modeling a coarse-grained structure for the CPN is used by substituting the double line box transitions in a top level with more pages which bring details into the model. For example all the transitions shown in Figure  3.3 are the top levels which bring more details in their subpages as shown in Figure  3.4, Figure ‎3.5 and Figure ‎3.6. Using the CPN hierarchical techniques, a model of the network is developed. Figure  3.3 shows an overview of a multi-satellite system consisting of four satellites communicating to the ground station via a network. 51   Figure  3.3:  General overview of an Interacting Multi-Satellite System As shown in Figure  3.3, the reconfiguration CPN model consists of one main page and several sub-pages, each of which represents one of the major modules of the network. The three main modules in the model include: a) Each satellite’s reconfiguration module,  b) Space network transmission module, and  c) The ground station module. The first module consists of satellite sub-systems and their interconnections and is different for each reconfiguration procedure presented in this and the next two chapters. So this module is 52  explained separately for each reconfiguration scenario investigated in  Chapter 3,  Chapter 4 and  Chapter 5.  The last two modules are the same for all reconfiguration schemes. Therefore they are presented in this section. As it was discussed in section  1.2.3, TCP/IP protocol is a good option for setting up the communication procedure in the network module. A standard basic TCP/IP protocol is used in this research by which the lost data are detected and the received data are acknowledged. Both of these characteristics are defined by TCP/IP protocol. Figure  3.4 illustrates the transmission procedure of the data packets after they are received in the place “Data Ready To Send In-Queue Buffer”.  Data packets are sent from each satellite via the network to the ground station. Also receipt of acknowledgements occurs only when there are identical acknowledgments from the receiver. The transmission network performance is also considered by modeling the loss of data packets in the system. Network’s Confidence Level (NCL) is defined with a variable called success which for the purpose of simulation randomly assigns true or false value to “Transmit Data” transition with a pre-set probability value [72]. The loss of acknowledgements is modeled in a similar way. 53   Figure  3.4: Data Packet Transmission Module (Standard Data Packet Transmission Protocol [72]) The color set for data packets has been extended to include information about the time at which a data packet is generated at the senders and arrives at receivers. When the transition “Transmit Data” in Figure  3.4 fires, a data packet token is removed from the place “Space1” and arrives at the place “Space2”, if the success variable is equal to true. Else, lost data in the network is identified in the “Lost Data” place. For the same conditions in “Transmit Confirm” transition, lost data is identified through place “Lost Confirmation”. Place “Confirm Received” lets the network to remove the data which have been received and acknowledged. ConfirmReceivedSatellitesxINTNextSendSatellitesxINTkk()Space1SatellitesxINTxDATAxTSpace3SatellitesxINTLostConfirmationSatellitesxINTLost DataSatellitesxINTxDATAxTSpace2SatellitesxINTxDATAxTNextReceiveSatellitesxINTkk()Space4SatellitesxINTReceivedData in Ground StationIn/OutSatellitesxDATAData Ready To SendIn-queue BufferIn/OutSatellitesxINTxDATAxTLimit14RemoveDataReceiveConfirm@+8Send Data @+10TransmitConfirm@+Delay()TransmitData@+Delay()ReceiveData@+25if n>kthen 1` (ss,k)else empty(ss,n,p,t)(ss,n,p,t)if Success()then 1` (ss,n,p,t)else empty(ss,n)(ss,k)if n=kthen (ss, k+1)else (ss,k)if Success()then emptyelse 1` (ss,n)(ss,n,p,t)(ss,k)if Success()then 1` (ss,n)else empty(ss,n)(ss,n)if n=kthen (ss,k+1)else (ss,k)if Success()then emptyelse 1` (ss,n,p,t)if n>kthen (ss,n)else (ss,k)(ss,n)if n=kthen (ss,data^ p)else (ss,data)(ss,data)(ss,n,p,t)@+Retransmission()(ss,n,p,t)(ss,n,p,t)@+Retransmission()1` eif Success()then emptyelse 1` e1` eif Success()then emptyelse 1` e54  The ground station module is shown in Figure  3.5 , in which the “Received Data in Ground Station” place collects all the data received from each satellite according to each sender’s identification number.  Figure  3.5: Ground Station Module and related Sub-Modules A list of all the defined places and transitions shown in Figure  3.4  and Figure ‎3.5 are identified in Table  3.1 and Table ‎3.2, respectively.      S a te llite sS a te llite sS a te llite s .a ll( )In it ia l D a taD a ta1 `""R e c e iv e dD a ta  in  G ro u n d  S ta tio nO u tS a te llite s x D A T AIn it ia tio nS e t to  S to p  s im u la tio n[s to p ()]d a tas s(s s ,d a ta )(s s ,d a ta ) 55  Table  3.1: Places in Figure  3.4 and Figure  3.5 and their Definitions Name Module Description Data Ready To Send In-Queue Buffer Main / Satellite Composition System/ Data Packet Transmission/ Ground Station Modules Data packets are ready to be sent from each satellite through the network. Received Data in Ground Station Main/ Data Packet Transmission/ Ground Station Modules Data packets received in the ground station from the satellites. Space1, Space2 Data Packet Transmission Module Data packets being sent/ received through the network. Space3, Space4 Data Packet Transmission Module Acknowledgements being sent/ received through the network. Lost Data/ Lost Confirmation Data Packet Transmission Module Data packets/ Acknowledgements which are lost due to the confidence deficiency level in the network. Network Transmission Capacity Data Packet Transmission Module Restricts the number of data packets which are allowed to pass through the network at once. Next Receive Data Packet Transmission Module Counter to check receiving of the packet in the ground station. Next Send Data Packet Transmission Module Counter to put the next packet in send order. Confirm Received Data Packet Transmission Module Counter to check receiving of the acknowledgement in the satellite. Satellites Ground Station Module List of all available satellites cooperating in the network. Initial Data Ground Station Module Data Packet types.  56  Table  3.2: Transitions in Figure  3.4 and Figure  3.5 and their Definitions Name Module Description Space Network Transmission Top level hierarchy/ Data Packet Transmission Module Contains the detailed CPN model of transmission protocol used to transmit data packets from satellites to the ground station. Ground Station Processing Top level hierarchy/ Ground Station Module Contains the detailed CPN model of data processing in the ground station. Send Data Data Packet Transmission Module Satellites Sending the data packets through the network. Transmit Data Data Packet Transmission Module Network transmits the data packets. Transmit Confirm Data Packet Transmission Module Ground station sends acknowledgements through the network. Receive Confirm Data Packet Transmission Module Satellites receive the related acknowledgements from the ground station through the network. Receive Data Data Packet Transmission Module Ground station receives the data packets through the network. Remove Data Data Packet Transmission Module Satellite removes the identical data from the buffer after receiving its acknowledgement. Initiation Ground Station Module Initiating list of all available satellites cooperating in the network.  The satellites CPN modules are developed in  Chapter 3,  Chapter 4 and  Chapter 5 for full failures, referring to the type of reconfiguration method which is different in each chapter. 57  3.3.2 CPN Modeling of Partially Failed Network Reconfiguration As explained in Section  3.3, when one of the satellites loses its connection with the ground station, the network can be reconfigured to send its data through the functioning satellites.   Table  3.3: Major Modules and Related Sub-Modules of the CPN Model  to Reconfigure Partially Failed Network Major Module Sub-Module Related CPN Graph Satellite Composition System Data Initiation and Updating Figure  3.6, Pink Section Fault Detection Figure  3.6, Red Section Reconfiguration Figure  3.6, Blue Section Ground Station Satellites Availability Processing Figure  3.5, All the Net Except Place “Initial Data” Data Type Processing Figure  3.5, All the Net Except Place “Satellites” Data Packet Transmission Communication States Figure  3.4 58   Figure  3.6: Satellite Composition System Module and related Sub-Modules for Partially Failed Network Reconfiguration Legend: • Red: Fault Detection; • Blue: Reconfiguration; • Pink: Stable Configuration 59  The model is divided into three main modules as shown in Table  3.3. The first module is the satellite composition system consisting of data initiation and updating, fault detection and reconfiguration sub-modules which define the reconfiguration protocol for the network. The second module is the ground station consisting of the satellites availability information and data type processing sub-modules. The data packet transmission is the third module that determines the packet transmissions and run the acknowledgement protocol. The entire model is explained in the next section. 3.3.2.1 CPN Specification of Stable Configuration The representation of a healthy stable configuration can in a sense be confined to the combination of data packet transmission module, ground station module and the data initiation and updating sub-module of the satellite composition system (pink section of Figure  3.6). Figure  3.7 shows a specification of a healthy stable configuration of a network of four interacting satellites. In this figure, the identical module of operation for each satellite in the network is shown. Places referred to as “Satellite” and “Next Generated Packets” shown in Figure  3.7 are respectively identical to the satellite index (ID) and the content of data packets generated in each satellite. A “Satellites” place represents an individual satellite from an arbitrary number of satellites within the network. This number is given by a constant rate (𝐺𝑖).  𝐺𝑖 is determined by means of a function called “NextGeneration()” which is defined as a declaration in the CPN model and can be readily changed without modifying other definitions. “Next Generated Packets” place identifies the content of the messages as strings.  60   Figure  3.7: A Stable Configuration of a Network of Interacting Satellites for Partially Failed Network Reconfiguration The place “Data Ready To Send In-queue Buffer” shows the concept of sharing the capacity of the communication payload within the satellites. As it is shown in Figure  3.5, Figure ‎3.6 and Figure ‎3.7, all the sent data from each satellite arrives at this place to be sent to the ground station via the transmission network. Each satellite receives and transmits data packets (in the size of an allocated buffer) which are a channelized share of the total network capacity. As it is shown in Figure  3.6, the data packet generation in each satellite occurs through a transition called “Data Packets Generation at S(i)” (S(i) stands for each satellite i in the network). This is for the stable operation when the satellites communicate through the ground station in the absence of any fault. 61  3.3.2.2 Reconfiguration Protocol of Scenario 1 Using CPN   The reconfiguration protocol aims at graceful degradation of the network performance by preventing the network to fall into a complete fail condition. It reconfigures the network to attain performance at an acceptable level and avoid loss of data. This is achieved by adding shared communication places between interacting satellites with the interconnection capability and by sending the faulty satellite’s data to these places when required.  Figure  3.6 shows the entire concept of the reconfiguration model using CPNs. In case the connection between one of the satellites and the ground station fails, the “Fault Detection” transition is fired and the faulty satellite is identified in the “Fault Detected Satellite” place. So the data from the faulty satellite which has not been transmitted to the shared communication payload place is identified in the place “Faulty Satellite’s Data Ready to Send to the Other Satellites”. The fault detection sub-module is shown in red color in Figure  3.6.  The procedure sends the identified data from the faulty satellite to the other satellites via interconnection links to the ground station. This process continues until the failed satellite is corrected and returns to the normal operation. If the failed satellite has been damaged beyond repair (depending on the failure types and available solutions), it will no longer return to the network and in a long run it may be replaced by a new satellite. Therefore, the network will continue its operation using the reconfiguration mode as defined. A record of all the data from the faulty satellite “i” which has been retransmitted via other satellites is maintained in the place “Sent Record of Fault Data in S(i)”. The inter-satellite packet transmission capacity is defined in the place “Inter-satellite Network Buffer” to control the number of packets that can be sent to the other satellites within one time slot. The data, to be retransmitted, is distributed between the other satellites according to their buffer capacity. These buffer capacities are defined through places “S(i)Buffer” to restrict 62  the number of the packets they receive from the failed satellites. Primarily, the data from faulty satellite S(i) will arrive at the places “Data Received from Faulty Satellites in S(j)” in which i≠j. These places are shared in the satellite modules, so that their tokens are sent to the shared payload place “Data Ready To Send In-queue Buffer” by triggering “Send Faulty Satellite’s Data” transition. The reconfiguration sub-model is shown in blue color in Figure  3.6.  3.3.2.3 Integrated CPN Simulation of Satellite Cluster Reconfiguration (Scenario 1) The integrated CPN reconfiguration model of a multi-satellite network facilitates a gradual increase in communication capacity after a failure without losing any data. Substitution of modules shown in Figure  3.4, Figure ‎3.5 and Figure ‎3.6 into the main modules shown in Figure  3.3 provides an integrated model of the network. On the basis of the integrated model, each satellite in the network is substituted with the major satellite composition module shown in Figure  3.6. The “Data Ready To Send In-queue Buffer” place receives all the user communication signals from all the satellites, then via the “Data Packet Transmission” module shown in Figure  3.4, performs an on-board signal switching and routing, and finally transmits the data through the network to the ground station. A record of all the data packets, which have been sent, but not yet acknowledged, is kept in the shared communication payload known as place “Data Ready To Send In-queue Buffer”. The network transmission link capacity is defined by using the place “Network Transmission Capacity”. The number of tokens in this place is identical to the number of data packets which are allowed to be transmitted via the network per round trip time. Therefore, dividing the number of tokens by the total round trip time of the packets in the network determines the network transmission rate. 63  A list of all assigned places and transitions in Figure  3.6 and their descriptions are shown in Table  3.4 and Table  3.5, respectively. Table  3.4: Places defined in Figure  3.6 and their definitions Place Module Description Satellite Satellite Composition System Module Satellite available to communicate (𝑆𝑖). Next Generated Packets Satellite Composition System Module Updated data packets in satellites over time. Packet Satellite Composition System Module Packet data including sender, receiver, ID number of message and the message content. Fault Detected Satellite Satellite Composition System Module Faulty satellite which failed to communicate with the ground station.  Faulty Satellite’s Data Ready To Send To Other Satellites Satellite Composition System Module   Data packets of the failed satellite sending through other satellites Data Received from Faulty Satellites in 𝑆𝑘 Satellite Composition System Module Data packets from failed satellite received in other satellites. Sent Record of Fault Data in 𝑆𝑘 Satellite Composition System Module Record of all the data packets of a failed satellite sent through other satellites. Inter-satellite Network  Buffer Satellite Composition System Module Network Transmission Link Capacity S(i)Buffer Satellite Composition System Module Restrict the buffer capacity of each satellite to accept the data of failed satellite.   64  Table  3.5: Transitions defined in Figure  3.6 and their definitions Transition Module Description Satellite i (i is the  satellite ID number) Top level hierarchy/  Satellite Composition System Module Contains the detailed CPN model of each satellite i for normal communication, fault detection and recovery procedure. Data Packet Generation at 𝑆𝑖 Satellite Composition System Module Data packets are generated and updated over the time in each satellite. Fault Detection Satellite Composition System Module Detecting faulty satellite which cannot connect to the ground station. Data Packets Generate Satellite Composition System Module Generating and updating data packet contents of faulty satellite to be sent to the other satellites. COMM Satellite Composition System Module Generating a list of all available satellites in the network and the ID and content of the messages has not been sent due to the failed connection. Send Data Packets Satellite Composition System Module Sending data packets stored on-board of faulty satellite to the other satellites. Recover Satellite Composition System Module Recovering procedure of the faulty satellite. Send Faulty Satellite’s Data Satellite Composition System Module Send the data packets received from the faulty satellites through the network to the ground station  3.4 Performance Modeling of Multi- Satellite Interactions Performance is a central issue in the design and evaluation of networked control systems. It also makes it possible to compare reconfiguration options as discussed in Section  3.2 to find an optimal configuration.  65  3.4.1 Network Performance Indicators The most common network performance indicators are mean packet transmission delay and packet throughput (the number of successfully delivered packets per time unit) [13, 14, 72-75].  Packet Throughput- Throughput (𝑇𝑖𝑔) is the average number of packets transmitted from the domain of the satellite i to the ground station g in one time slot. According to [15], the analytical method to calculate throughput is simplified in Equation ( 3.1). 𝜑𝑖 is defined as the probability that out of 𝛽 packets sent to the ground station, 𝛽𝑖 packets originated from satellite i. Also, ξ𝑖 represents the the number of packets sent from satellite i to the ground station in one time slot. {    𝑇𝑖𝑔 = 𝜑𝑖 × 𝜉𝑖 ×𝑁𝐶𝐿 ×𝐼𝑖𝑔∑ 𝐺𝑘𝑛𝑘=1, 𝑖𝑓 𝐼𝑖𝑔∑ 𝐺𝑘𝑛𝑘=1≤ 1.0𝑇𝑖𝑔 = 𝜑𝑖 × 𝜉𝑖 ×𝑁𝐶𝐿,                              𝑖𝑓 𝐼𝑖𝑔∑ 𝐺𝑘𝑛𝑘=1> 1.0 ( 3.1) where 𝐺𝑘 and 𝐼𝑖𝑔 stand for packet generation rate of satellite i and network link capacity to transmit packets from satellite i to the ground station, respectively. NCL is the network confidence level as defined in Section  3.2.2. 𝜑𝑖 and ξ𝑔 are computed as follows: 𝜑𝑖 =𝛽𝑖∑ 𝛽𝑖𝑚𝑖=1 ( 3.2) 𝜉𝑖 =𝛽𝑖𝑇𝑖𝑚𝑒 𝑜𝑓 𝑃𝑎𝑐𝑘𝑒𝑡 𝐺𝑒𝑛𝑒𝑟𝑎𝑡𝑖𝑜𝑛  ( 3.3) Sum of obtained 𝑇𝑖𝑔 is the total throughput.  66  Mean Packet Transmission Delay- The average transmission delay of packets is the average time difference of packets originated in the domain of the satellite i and received at the ground station. Network delay effects are challenging control problems in the systems such as multi satellite networks. The time to read a component measurement and to send the related data to a receiver through the network depends on network characteristics such as the topology and routing schemes. The delay is intensified when a data loss occurs during a transmission. Delays not only degrade the performance of a network-based control, but they can also destabilize the system. 3.5 Faultless Simulation Results of Satellite Networks In this section, initially the network performance in terms of the mean delay time and throughput as a function of the system load, i.e. packet arrival rate to each satellite (𝐺𝑖), and the size of buffer on-board the satellites (𝛽𝑖) is examined in the absence of any faults.  The variation of Mean Delay Time versus Simulation Time is shown in Figure  3.8 for three buffer sizes on a network of three satellites. The delay time decreases with the increase in the buffer size. A significant improvement is seen when the buffer size is increased from two to four and only a marginal improvement is achieved when the buffer size is increased from four to six. Figure  3.9 shows the Throughput versus buffer size of two, four and six. By increasing the buffer size, throughput increases as well. The packet generation rate is considered to be constant and equal to 0.01 packets per time slot.  As it is shown in Figure  3.8, the “Mean Delay Time” becomes stable with time. Here, for the condition of this simulation, it occurs after time slots 600,000 for all the three buffer sizes. 67   Figure  3.8:  Mean Delay Time versus Simulation Time for a Three Satellite Network in Faultless Condition for Various Buffer Sizes, (Iig = 0.0350, Gi = 0.01, NCL=98%). 05001000150020000 200000 400000 600000 800000 1000000Mean Delay Time (Time Slots) Time (Time Slot) Buffer Size=2 020040060080010001200140016000 200000 400000 600000 800000 1000000Mean Delay Time (Time Slots) Time (Time Slot) Buffer Size=4 01002003004005000 200000 400000 600000 800000 1000000Mean Delay Time (Time Slots) Time (Time Slot) Buffer Size=6 68   Figure  3.9: Throughput versus Buffer Size for a Three Satellite Network in Faultless Condition, (𝐺𝑖 = 0.01,  𝐼𝑖𝑔 = 0.0979 , NCL=98%). In Figure  3.10, the variation of throughput versus different number of satellites in the network is shown. As the number of satellites increases in a network, an improvement in throughput is observed. After increasing the number of the satellites from three to four, the throughput increases by 33%. Whereas increase in throughput with increase in the number of satellites may seem obvious, for the given network transmission capacity (𝐼𝑖𝑔 = 0.0979) and the buffer size (𝛽𝑖 = 4), further increase of the number of satellites from four to five, leads only to a marginal improvement of 0.7% in the throughput.    0.019750.01980.019850.01990.019950.020.02005Throughput (Packets/Time Slot) Buffer Sizes BufferSize=2 BufferSize=4 BufferSize=669   Figure  3.10: Throughput versus Number of Satellites in the Network in Faultless Condition, (𝛽𝑖 = 4,  𝐺𝑖 = 0.01,  𝐼𝑖𝑔 = 0.0979, NCL=98%). Therefore, from the results obtained for the faultless scenario, it is concluded that for a required performance in terms of throughput and delay, a minimal configuration can be considered in terms of the number of satellites in the network, the buffer size on-board the satellites, and the network transmission capacity. 3.6 Performance Analysis and Simulation Results To conduct a performance analysis, a number of lengthy simulations of a Colored Petri Net model are run, during which data are collected from places, transitions and the markings reached. Simulation output data exhibit stochastic behavior, and therefore appropriate statistical analysis must be used both to design and to interpret simulation experiments [72]. 00.0050.010.0150.020.0250.03Throughput (Packets/Time Slot) Buffer Sizes Three Satellites Four Satellites Five Satellites70  The communication performance can be improved by running the state space simulation, analyzing the results and applying suitable changes and strategies to the four reconfiguration models developed in  Chapter 5. Figure  3.11(a) is a symbolic representation of a network of four interacting satellites interacting in a network. Figure  3.11(b) is a block diagram representation of the network. In this section, the performance of the reconfiguration procedure (discussed in  3.3.2) is analyzed and presented for network of three and four interacting satellites.  First, in Section  3.7, the results are verified using Equations ( 3.1) to ( 3.3) (developed in Section  3.4.1) for faultless conditions.                            (a) (b) Figure  3.11: A Network of Four Satellites Communicating Together and with the Ground Station (a) Schematic Diagram, (b) Block Diagram 3.7 CPN Model Verification The accuracy of the developed model in faultless condition is verified. 71  The throughput performance obtained from the simulations is compared against the analytical results from Equations ( 3.1) to ( 3.3) and shown in Table  3.6 and Table  3.7. A network of n satellites communicating with each other and a ground station is considered (Figure  3.11).  Table  3.6 shows the verification results for a system of three interacting satellites, with equal buffer size (𝛽𝑖 = 4), a network link capacity of 𝐼𝑖𝑗 = 0.0350, a packet generation rate of 𝐺𝑖 =0.02 packets per time slots and a network confidence level (NCL) of 98% in faultless condition. Table  3.6: Verification Results for a Three-Satellite Network in Faultless Condition (𝛽𝑖 = 4, 𝐼𝑖𝑔 = 0.0350 , NCL=98%) Satellite No. i 𝑮𝒊 (Packets/Time Slot) Throughput (Packets/ Time Slot) Analytical  Simulation 1 0.020 0.0065 0.0064 2 0.020 0.0065 0.0064 3 0.020 0.0065 0.0064  Total 0.06 Total 0.0196 Total 0.0192  Table  3.7 shows the verification results for a system of four satellites with different buffer sizes (𝛽1 = 2, 𝛽2 = 3, 𝛽3 = 4, 𝛽4 = 5), different packet generation rates (𝐺1 =0.010, 𝐺2 =0.015, 𝐺3 =0.020, 𝐺4 =0.025), a network link capacity of  𝐼𝑖𝑗 = 0.0979 and NCL of 98% in faultless condition. 72  Table  3.7: Verification Results for a Four Satellite Network in Faultless Condition, (𝐼𝑖𝑔 =0.0979, NCL=98%) Satellite No. i Buffer Size 𝛽𝑖 𝑮𝒊 (Packets/ Time Slot) Throughput (Packets/ Time Slot) Analytical Simulation 1 2 0.010 0.0020 0.0037 2 3 0.015 0.0044 0.0056 3 4 0.020 0.0078 0.0075 4 5 0.025 0.0122 0.0093   Total 0.07 Total 0.0264 Total 0.0261  It is observed that throughput result from simulations and analytical calculations differ 4% at the most. A number of additional experiments were conducted for different system parameters which also exhibited similar behaviors.  3.8 Performance Analysis of Reconfiguration Model Scenario 1 In this section, the network performance is investigated when a satellite fails to communicate with the ground station. The effectiveness of the reconfiguration protocol and the level of performance degradation are then evaluated.  To investigate the effects of satellite failures, first, a network of three satellites is considered with a buffer size of four, transmission network capacity of 0.0979 packets per time slots, packet generation rate of 0.02 packets per time slots and a network confidence level of 98% (𝛽𝑖 =73  4, 𝐼𝑖𝑔 = 0.0979, 𝐺𝑖 = 0.01, NCL=98%). The network performance is studied in terms of throughput and transmission delay when one of the satellites partially fails to connect to the ground station. The satellite’s data is then distributed among the other two satellites in the network. The results are then compared to the faultless condition. As it is shown in Figure  3.12, when one satellite fails, the throughput decreases by 33%. Using the reconfiguration protocol, the cluster is reconfigured to 67% of the faultless case. When two of the satellites fail, then the system degrades to 33% of the faultless case. It is very important to note that no data is lost, but the quality of service drops significantly.    Figure  3.12: Throughput versus Failure Conditions for Three Satellite Network (𝛽𝑖 =4, 𝐺𝑖 = 0.01,  𝐼𝑖𝑔 = 0.0979, NCL=98%). In Figure  3.13, the quality of service of a network of four satellites with different buffer sizes (𝛽1 = 2, 𝛽2 = 3, 𝛽3 = 4, 𝛽4 = 5, 𝐺𝑖 = 0.01, 𝐼𝑖𝑔 = 0.0979, NCL=98%) is evaluated, when the satellite with the lowest (or highest) buffer size fails and the results are compared to the faultless condition. The results show that by applying the proposed reconfiguration procedure, 00.0050.010.0150.020.025Throughput(Packets/Time Slot) Operating Condition FaultlessOne Failed SatelliteTwo Failed Satellites74  the network is degraded to 74% of the faultless condition. This percentage is almost the same (slightly different) for the lowest and the highest buffer sizes failures. If three of the four satellites in the cluster fail, the performance quality will be degraded to 25% of the faultless case. No data is lost due to these failures.  Figure  3.13: Throughput versus Failure Conditions for Four Satellite Network (𝛽1 = 2,𝛽2 = 3,  𝛽3 = 4, 𝛽4 = 5, 𝐺𝑖 = 0.01,  𝐼𝑖𝑔 = 0.0979,  NCL=98%). In Figure  3.14, a comparison of applying reconfiguration protocol to networks of three and four satellites is shown. It is concluded that if one satellite fails, the network with higher number of satellites respond better to reconfiguration.  If (n-1) satellites fail, networks with smaller number of satellites have a better response to the reconfiguration. This happens because of the smaller throughput distribution in larger networks. So in a larger network, if only one component fails, a smaller section of data is missed and redistributed, comparing to the smaller networks. When (n-1) satellites are failed in the larger networks, only a small capacity is remained healthy which has to transfer the faulty satellites’ data in addition to its own generated data. 0.00000.00500.01000.01500.02000.02500.0300Throughput(Packets/Time Slot) Operating Condition FaultlessHighest Buffer Satellite FailsLowest Buffer Satellite FailsThe First 3 Lowest BufferSatellites Fail75   Figure  3.14: Reconfiguration Protocol Assessment for Networks of three and four Satellites. Figure  3.15 and Figure  3.16 depict the mean delay time and throughput performance measures, respectively, as a function of packet arrival rate to the satellites for three different scenarios of failures in a four-satellite network. Examination of the plots in Figure  3.15 suggests that, within the range of the data shown, mean delay time is more sensitive to the packet arrival rate than to the number of failed satellites in the network.   Figure  3.15: Mean Delay versus Data Packet Arrival Rate for a Network of four Satellites in Different Partial Failure Conditions (𝛽𝑖 = 4, 𝐼𝑖𝑔 = 0.0979, NCL=98%). 020406080100Faultless One SatelliteFailed(n-1) SatellitesFailed100 74 25 100 67 33 Relative Throughput (%) 4 Satellites Cluster3 Satellites Cluster1842342843343844344840 0.02 0.04 0.06 0.08 0.1Mean Delay Time (Time Slots) Data Packet Arrival Rate (Packets/Time Slot) One Failed SatelliteTwo Failed SatellitesThree Failed Satellites76  Sensitivity of throughput to the number of failed satellites is shown in Figure  3.16. As seen, the throughput is not very sensitive to packet arrival rate, but it highly depends on the number of failed satellites, network transmission capacity and on-board buffer size.  Figure  3.16: Throughput versus Data Packet Arrival Rate for a Network of Four Satellites in Different Partial Failure Conditions (𝛽𝑖 = 4, 𝐼𝑖𝑔 = 0.0979, NCL=98%). 3.9 Conclusions Using CPNs, we proposed a technique to reconfigure a partially failed satellite network for a given set of conditions. Systematic intelligent networked control schemes were simulated to reconfigure the network to normal operational conditions. The faultless condition scheme was verified through a CPN simulation analysis which results in stable performance. The performance of the proposed reconfiguration protocol is assessed in terms of mean delay time and throughput for various specifications and conditions. These performance measures are obtained as a function of buffer sizes on-board the satellites, network transmission 00.0050.010.0150.020.0250 0.02 0.04 0.06 0.08 0.1Throughput (Packets/ Time Slot) Data Packet Arrival Rate (Packets/Time Slot) One failed SatelliteTwo Failed SatellitesThree Failed Satellites77  capacity, data packet arrival rate and system configuration in terms of the total number of satellites in the network, the number of failed satellites and the inter-satellite link capacity.  In the performance analyses conducted in Section 3.8, it became apparent that there are some un-intuitive system behavior that cannot be determined without modelling and simulation. CPN provides means of detailed modelling and produces simulation output that satellite network operators can use to design the network and appropriate reconfiguration protocols depending on the intended mission of the satellite network.              78    Chapter 4  4.Networked Reconfiguration of Multi-Satellite Interactions with Specific Topologies Subject to Full Failure Using CPNs   4.1 Introduction This chapter deals with the fault tolerant control and networked reconfiguration of multi satellite interactions with specific topologies subject to full failure.  A methodology is developed in Section  4.2 to reconfigure a network, subject to full failure in one or more satellites, to its default functional conditions with full performance operation capability according to its physical specifications. The satellite networks to be reconfigured are considered to include a backup satellite or to have specific topologies. To analyze the system 79  Colored Petri Net models are constructed [3]. Simulations are then conducted and the results reported and discussed.  4.1.1 Satellite Maneuvering in Space The basic maneuver used in the developed reconfiguration schemes includes changing the shape and size of the operating orbit of the respective satellite, without altering its orbital plane [77]. To explain this we consider a satellite in a circular orbit at an altitude h. The linear speed of the satellite is related to its orbital altitude and is given by Equation      ( 4.1) [78]. 𝑉 = √𝐺𝑀𝑒ℎ + 𝑅𝑒      ( 4.1) where G is the gravitational constant and 𝑀𝑒 is the mass of the earth (𝐺𝑀𝑒 = 3.99 ×1014𝑚3𝑠2⁄ ) and 𝑅𝑒 is the average radius of the earth (6370 kilometers) [20, 26].  If the speed of the satellite is increased by an amount ∆𝑉 in the same direction as it moves forward, the satellite does not go faster around the same orbit. Instead, its orbit becomes elliptical in the same plane [79]. The point at which the satellite speed is increased is called “Perigee” of the new elliptical orbit which is the closest point to the earth. The farthest point of the elliptical orbit from the earth is referred to as “Apogee” [80]. Figure  4.1 shows the Perigee and Apogee points more clearly.    80                                                                                 Figure  4.1: Perigee and Apogee Points in an Elliptical Orbit Maneuvering between Circular Orbits- This procedure is used in reconfiguration models for scenario 4 (Section  5.1). With calculated speed changes one circular orbit can be changed to another in two steps. The first step is to increase the speed of the satellite by ∆𝑉1 to change its circular orbit of altitude ℎ1 to an elliptical one where apogee is equal to ℎ2. The second step is to increase the speed of satellite by ∆𝑉2 at the apogee point to change the elliptical orbit to a circular orbit with an altitude ℎ2. Increasing the altitude of a satellite helps to cover a larger area of the earth. This concept is also used in Section  5.1 to reconfigure the network by increasing the coverage area of one of the satellites adjacent to the failed one [78]. The process is completely reversible if the steps are carried out in the reverse order. ∆𝑉2 ℎ1 𝑃𝑒𝑟𝑖𝑔𝑒𝑒 𝐴𝑝𝑜𝑔𝑒𝑒 ∆𝑉1 ℎ2 81  The following equations lead us to the required speed change and altitude to increase the satellite coverage area [78, 81]: 𝑅𝑎𝑟𝑒𝑎 = 𝑅𝑒(𝜋2− 𝜀𝑚𝑖𝑛 − sin−1(𝑅𝑒 . cos(𝜀𝑚𝑖𝑛)𝑅𝑒 + ℎ))      ( 4.2) where 𝑅𝑎𝑟𝑒𝑎 represents the radius of the maximum circular region that can be viewed by a satellite at an altitude of h, and 𝜀𝑚𝑖𝑛 represents the minimum elevation angle at which the user can communicate with the satellite without interruption and geological obstructions such as mountains.  𝜀𝑚𝑖𝑛 = tan−1 (cos ∅ − 𝑅𝑒/(𝑅𝑒 + ℎ)sin ∅)      ( 4.3) cos ∅ = cos(𝜓 − 𝛾) . cos 𝛼. cos 𝜑 + sin 𝛼. sin 𝜑      ( 4.4) where 𝜑 and 𝛾 are latitude and longitude of the satellite and 𝛼 and 𝜓 are latitude and longitude of the observer, respectively.  ∆𝑉1 = √𝐺𝑀𝑒ℎ1 + 𝑅𝑒(√(1 + 𝑒) − 1      ( 4.5) ∆𝑉2 = √𝐺𝑀𝑒ℎ2 + 𝑅𝑒(1 − √1 − 𝑒)      ( 4.6) Equations      ( 4.5) and      ( 4.6) give the velocity differentials for the two-step process to change the circular orbit ℎ1 to circular orbit ℎ2.  In Equations      ( 4.5) and      ( 4.6), e is the eccentricity which is calculated as: e= √1 −𝑏2𝑎2      ( 4.7) 82                                              =√𝑟2−𝑟1𝑟2+𝑟1 where a is the length of the semi-major axis and b is the length of the semi-minor axis in the elliptical orbit (𝑟2 = ℎ2 + 𝑅𝑒, 𝑟1 = ℎ1 + 𝑅𝑒). The period of an elliptical orbit is given by: P= 2𝜋√𝑎3𝐺𝑀𝑒      ( 4.8) where a=h+𝑅𝑒 and 𝐺𝑀𝑒 = 3.99 × 1014𝑚3𝑠2⁄  [78]. Changing the Relative Position of a Satellite in the Same Orbit- This procedure is used in reconfiguration models for scenarios 2 and 3 (Sections  4.2.1 and  4.2.2). To change the relative position of a satellite in the same orbit, the period of the satellite must be altered. For instance, consider two satellites in the same circular orbit, the distance (both angular and linear) between them remains constant. To change the relative position between the two satellites, one of them is temporarily moved to a higher or lower orbit (elliptical) and subsequently returned to the original circular orbit at a new position. Equations      ( 4.9) and      ( 4.10) are used to calculate the length of time which is required to relocate a satellite in an orbit by ∆𝜃 degrees [78, 82]. ∆𝜃= (360.𝑛.∆𝑃)𝑃      ( 4.9)                                = 3(360.𝑛.∆𝑉)𝑉 ∆𝑡𝑝=P.n.      ( 4.10) 83  where ∆𝜃 is the repositioning in degrees, n is the number of revolutions, ∆𝑃 is the period time difference and ∆𝑉 is the speed change. ∆𝑡𝑝 is the required time to stay in the temporary orbit for the process. This method is used in Sections  4.2.1 and  4.2.2 to reposition a redundant or a non-redundant satellite in SFC (Satellite Fixed Cell) network architecture in the same orbit in order to reconfigure the network into a fault tolerant condition. How fast a satellite can maneuver depends on the amount of propellant it carries to fire its thrusters for Altitude and Orbit Control Purposes. There are practical limits to the amount of the propellant which can be carried on-board of a satellite, since it increases the total mass at launch. Currently, there are new thruster technologies which can be used rather than the so called conventional thrusters (chemical propellant). Below are the properties of different thrusters which can be used for different purposes [78]: Conventional Thrusters- The power source is a chemical reaction. Its exhaust velocity (𝑉𝑒) is up to 3 or 4 km/s with a conventional thrust force (T) of several hundreds or even several thousands Newtons (N). Electric Arc-jet Thrusters- Use an arc-jet to preheat the propellant before burning to improve the efficiency. Its exhaust velocity (𝑉𝑒) is above 5 km/s, but the thrust force (T) is less than one Newton (N). Ion Thrusters- Use electric ion reaction which is the main alternative for conventional thrusters. Its exhaust velocity (𝑉𝑒) is 10 to 20 times greater than the velocity provided by the conventional thrusters, but the thrust force (T) is still less than one Newton. The low thrust results in a longer time to complete the maneuver. 84  Nuclear Thrusters- This type of thruster is still under investigation and has not yet become practical. They can produce a high thrust force (T). The time required to complete a given maneuver (transferring to a higher orbit/ lower orbit) is calculated as: ∆t= 𝑀𝑝𝑑𝑀𝑑𝑡⁄= 𝑀𝑓(𝑒∆𝑉𝑉𝑒⁄−1)𝑇𝑉𝑒⁄      ( 4.11) where 𝑀𝑝 and 𝑀𝑓 are the propellant mass and final mass of the satellite (after the thrusters operate), respectively. 4.2 Networked Reconfiguration Methodology of Multi-Satellite Interactions with Specific Topologies Subject to Full Failure 4.2.1 Networked Reconfiguration (Scenario 2- Using a Backup Satellite) Inclusion of an “in orbit” spare backup satellite in a network provides the possibility to reconfigure a failed network to a fault tolerant condition. For this purpose, the earth users/ground stations are repointed to the available backup/ restoral satellite. This reconfiguration does not guarantee an uninterrupted operation of the network but ensure that the services can be restored following a failure event. Depending on the type of the network and the satellite, a degraded performance may result.  Under conditions where the primary communication satellite is unable to fulfill its mission in the network, either the earth users repoint to the orbital position of the spare satellite or the spare satellite relocates to the failed primary satellite’s position. 85  To illustrate both reconfiguration cases, a network of four interacting satellites and an “in-orbit” backup satellite that occupies a free orbital slot position is considered (Figure  4.2). The satellites are assumed to interact at 3° longitudinal increments. Satellite1             Satellite2           Spare Satellite        Satellite3          Satellite4                     (a) Satellite1             Satellite2           Spare Satellite        Satellite3          Satellite4                     (b) Figure  4.2: Satellite Communication Network Reconfiguration by (a) Move In-Orbit Spare Satellite (b) Re-point the Ground Station  3°Longitude Spacing 3°Longitude Spacing 3°Longitude Spacing 3°Longitude Spacing Failed Move  3°Longitude Spacing 3°Longitude Spacing 3°Longitude Spacing 3°Longitude Spacing Failed Repoint 86  Figure  4.2 (a) shows that a network of satellites is reconfigured as the in-orbit spare satellite moves from its original position to the position of the failed satellite. Figure  4.2 (b) represents the reconfiguration where the backup satellite stays in its original orbital position and the ground station is repointed to access the new satellite’s transponder. Both of these methods can be applied to reconfigure the multi-satellite interactions to its full functional conditions. The most appropriate reconfiguration method is determined according to some key parameters such as network topology, network operator speed, cost, etc. For example, networks with relatively small number of ground station antennas can consider the use of in-orbit backup satellite located at a different orbital position as long as it is visible from all ground stations. Reconfiguration of the network using this method depends on how quickly the operator can repoint the ground stations’ antennas to the orbital position of the spare satellite. Assuming a network of n satellite with one failed satellite which is communicating through “E” Ground Stations, the reconfiguration procedure requires (about one hour for problem identification, two hours for resolution coordination and another couple of hours for ground station antenna repointing). The average downtime for the network is about five hours which causes in Loss amount of data to be lost, calculated as: 𝐿𝑜𝑠𝑠 = (𝐴𝑣𝑒𝑟𝑎𝑔𝑒 𝑁𝑒𝑡𝑤𝑜𝑟𝑘 𝐷𝑜𝑤𝑛 𝑇𝑖𝑚𝑒) × (𝑀𝑒𝑎𝑛 𝑃𝑎𝑐𝑘𝑒𝑡 𝐴𝑟𝑟𝑖𝑣𝑎𝑙 𝑅𝑎𝑡𝑒) ( 4.12)  Changing the location of the back-up satellite in the same orbit is a two-step process [78]. First, the backup satellite is moved to a higher or lower orbit to change its period, and then after appropriate time has passed, it is maneuvered to its desired position relative to the other satellites in its original orbit with the same period. 87  4.2.2 Networked Reconfiguration (Scenario 3- Repositioning In-Orbit Healthy Satellites) When one of the satellites in the network fails to operate, the other in-orbit healthy satellites can be repositioned to cover the footprint area of that satellite. This reconfiguration procedure is applicable if the satellites obey one of the two covering concepts as explained in Section  4.2.2.1.  4.2.2.1 Coverage Types of Communication Networks Essentially, there are two types of coverage concepts: Satellite Fixed Cell (SFC) and Earth Fixed Cell (EFC) [83, 84]. The footprint of the satellites is divided into radio cells (spot beams) each of which corresponding to a beam of a satellite antenna. Referring to Figure  4.3(a) for SFC coverage type the specified cells on the ground move along with the satellites. So the earth users experience two types of handovers: beam to beam and satellite to satellite. For instance, in Figure  3.4 (a), if a fixed earth user is covered by b3 of S2, as the satellites move to the right, it will be covered first by b2 of S2 (b3 to b2 beam-to-beam handover) and b3 of S1 (S2 to S1 satellite-to-satellite handover), then by b1 of S2 and b2 of S1, and finally by b1 of S1.  For EFC coverage type, as represented in Figure  4.3(b), each satellite beam is assigned to a ground cell for a fixed period of time. When the time period ends, each beam is assigned to an adjacent cell on the ground. If the satellites follow SFC concept format, they are able to reposition in-orbit to cover an adjacent failed satellite’s coverage area on the earth. This results in partial interruption of network services for a short period of time. If the network covering concept follows EFC format, Figure ‎4.3(b), then failure of one satellite results in a duplicated operation of the adjacent satellites as they have the same coverage area in terms of earth fixed cells.  88                                                                  C1 C2 C3 C4 C5 (a)                                                                 C1 C2 C3 C4 C5 (b) Figure  4.3: (a) Satellite Fixed Cell and (b) Earth Fixed Cell Satellite Systems [20] Attitude and Orbit Control Subsystem and the received tele-commands are used to enable the thrusters reposition the respective satellite’s in-orbit conditions. The satellite repositioning obeys the same multi-step process as discussed in Section  4.2.1 for spare satellite restoration. 4.3 Networked Reconfiguration Modeling of Multi-Satellite Interactions Using CPNs It appears difficult to mathematically model a satellite communication network as a complex plant with many changing parameters. Modeling the system by Colored Petri Net is a possible way to design and apply a networked control system according to the real world conditions. The  𝑏1 𝑏2 𝑏3 𝑏1 𝑏2 𝑏3 𝑏1 𝑏2 𝑏3 𝑏1 𝑏2 𝑏3  S1 S2 S1 S2 89  observable transition firings of the plant are the information available to the networked control system. A transition firing may trigger a change in the state of the networked control system, while a change in the system state can change the set of plant events disabled by the networked control. Physically, the event disablement can be done by restricting the range of the inputs of the plant [32, 85, 86].  Using CPNs to simulate the multi-satellite interactions also makes it possible to provide a modular representation of the cluster in terms of senders and receivers including packet data transmission through the network. The block diagram of the satellite subsystems is shown in Figure  4.4. The interconnections between the subsystems and the external interfaces are also shown. The Power Supply Subsystem (PSS) provides others subsystems the required electricity shown with 50V blue lines in Figure  4.4.  A Colored Petri Net model is developed to monitor and control the satellites, communications and data exchanges via the network itself. The CPN model is a discrete event representation of the system that monitors and controls the Telemetry, Tracking and Command functions such that a given set of specifications is satisfied. These are performed via inter-satellite links. The networked control system modeled in CPN in this study is different from a traditional controller in the sense that the traditional controller dictates the input applied to the system, while the networked control mechanism defined here only confines the set of inputs that can be applied to the system and reconfigures its overall operation. The set of inputs is restricted dynamically based on the observation of the plant [32].  90            Figure  4.4: Satellite Subsystem Block Diagram        TX: Transmitting Traffic, RX: Receiving Traffic Thermal Subsystem  Pyrotechnic  Subsystem TX RX TELEMETRY (TM) TELECOMMAND (TC) Communication Payload Attitude & Orbit Control Subsystem Power Supply Subsystem Solar  Arrays Sun Sensors Earth Sensors Ground Segment Tracking Communication Links Users/ Coverage Area  Sun Ray 50V 50V 50V 50V 50V 50V TC TC TC TM TC TM TC TM TM TM  ABM TM TC  Control Workstations  Executive Control Facilities  TM Decode  TC Encode RX TX Ground TTC System 91  4.3.1 CPN Modeling of Reconfiguration Scenario 2 Referring to Section  4.2.1, a backup satellite is launched with the other networked satellites into the same orbit. In case of a full failure of one of the main satellites, the backup satellite is relocated to the position of the failed satellite to reconfigure the network.  The ground station and the network transmission modules are the same as explained for scenario 1.  As it is shown in Figure  4.4, a satellite operates according to its subsystems. A CPN model of the redundant satellite including all the required subsystems is shown in Figure  4.5. Each color in the CPN model in this figure represents a different subsystem as explained in  Chapter 2 and  Chapter 3. The pink color represents the Communication Payload which sends the satellite information to the ground station via the network.  The data are generated in place “PG” and are processed in place “Next Generated Packets” through the transitions “DG” and “Data Packets Generation at 𝑆𝑖”. This data is then sent to the ground station via the network. The place “Data Ready to Send in Queue Buffer” which is a fusion place in all the three main modules collects all the data from the satellites and sends them to the network. The communication payload is the same for all the main and backup satellites. Figure  4.6 shows the CPN model of a main satellite which is the same for backup satellite, except for some subsystems which are explained in the next paragraphs. 92   Figure  4.5: CPN Model of the Backup Satellite and the Related Subsystems in Scenario 2 Next GeneratedPacketsINTxDATASatelliteSatellitesData Ready To SendIn-queue Buf ferOutSatellitesxINTxDATAxTTSSTemperaturexT1`(10.00,0)Determined TempSatellitesxTemperaturexTDeterminedSpeed & AltitudeSatellitesxAltitudexSpeedxTAltitudeSensorsAltitude1`1000.00CA1Fusion 12AreaRequiredAltitudeAltitudeSpeedSensorsSpeed1`7.40RequiredSpeed1Dif ferenceSatellitesxAltitudexSpeedxTBackToPrimaryOrbitSatellitesxAltitudexSpeedxTSolarArraysNoxTPow erSupplySatellitesxNoxTPYRONo1`50PGNo1`1BufGenINTBufGenINTNew BufINTS1Fusion 22SatellitesS2Fusion 23SatellitesS3Fusion 25SatellitesDegree1Fusion 15REALDegree2Fusion 16REALDegree3Fusion 17REALDegreeREALCA2Fusion 13AreaCA3Fusion 14AreaData Packets Generation at S4TEMPMeasuringRegulateTemperatureAltitude&OrbitalControlCalculateAltitude1Dif ference ofRequired &ActualAltitudeFire Propellant through ThrustersFinal Speed and AltitudeSupply Pow erto All SubsystemsDeploy/Fold Solar ArraysDGSetBufS1S2S3D1D2D3CalculateAltitude2CalculateAltitude3(n,p)ss((n+Buf fer4),p)@+NextGeneration()PacketGen(ss,n,p)ss(temp,t)TempGen(ss,temp)(ss,temp,t)TempReg(temp,t)@+NextGeneration()A ALT(A)ralt(ss,alt,sp,t)altAOC(ss,alt,sp)spss(ss,alt,sp,t)@+((round(Mf*(Math.exp(dsp/Ve)-1.00)*Ve/T))+(round(Deg*(2.00*3.14*(Math.sqrt((alt+6370.00)*(alt+6370.00)*(alt+6370.00)/399000.00)))*(2.00*3.14*(Math.sqrt((alt+6370.00)*(alt+6370.00)*(alt+6370.00)/399000.00)))/360.00/((2.00*3.14*(Math.sqrt((ralt+6370.00)*(ralt+6370.00)*(ralt+6370.00)/399000.00)))-(2.00*3.14*(Math.sqrt((alt+6370.00)*(alt+6370.00)*(alt+6370.00)/399000.00))))))+(round(Mf*(Math.exp(dsp/Ve)-1.00)*Ve/T)))(ss,alt,sp,t)altsp(ss,alt,sp,t)(ss,ralt,dsp,t)if  ralt<>altthen 1`(ss,ralt,Math.sqrt(399000.00/(alt+6370.00)*(Math.sqrt(1.00+(Math.sqrt((ralt-alt)/(ralt+alt+6370.00+6370.00)))))-1.00),t)else emptyss(volt,t)(ss,volt,t)f ire1`50volt@+NextGeneration()VoltGen(volt)ssssnif  n<Buf fer4then 1`(n+1)else emptyNEXTDataPacket(n)Buf fer4Buf fer4if  n<Buf fer4then 1`Buf fer4else emptyBuf fer4Buf ferBuf fer4volt1`1Buf fer4ssssss1`S(4)1`S(4)1`S(4)S1Buf ferS2Buf ferS3Buf ferDegDegDegDegDegDegDegAAALT(A)ALT(A)93   Figure  4.6: CPN Model of the Failed Satellite and the Related Subsystems in Scenario 2Next GeneratedPacketsINTxDATASatelliteSatellites1`S(3)Data Ready To SendIn-queue BufferOutSatellitesxINTxDATAxTTSSTemperaturexT1`(10.00,0)Determined TempSatellitesxTemperaturexTDeterminedSpeed & A ltitudeSatellitesxA ltitudexSpeedxTAltitudeSensorsA ltitude1`1000.00RequiredCoverageArea3AreaRequiredA ltitudeA ltitudeSpeedSensorsSpeed1`7.40RequiredSpeed1DifferenceSatellitesxA ltitudexSpeedxTBackToPrimaryPositionSatellitesxA ltitudexSpeedxTSolarArraysNoxTPowerSupplySatellitesxNoxTPYRONo1`50FailedSatelliteSatellitesCA3Fusion 14AreaPGNo1`1BufGenINT1`S3BufferBufGenINTNewBufINT1`S3BufferDegree3Fusion 17REALS3Fusion 25SatellitesData Packets Generation at S3TEMPMeasuringRegulateTemperatureA ltitude&OrbitalControlCalculateRequiredA ltitudeDifference ofRequired &ActualA ltitudeFire Propellant through ThrustersFinal Speed and A ltitudeSupply Powerto A ll SubsystemsDeploy/Fold Solar ArraysCalculate CoverageAreaDGSetBufFailure[(discrete(1,100))> (!FaultRate)](n,p)ss((n+Buffer3),p)@+NextGeneration()PacketGen(ss,n,p)ss(temp,t)TempGen(ss,temp)(ss,temp,t)TempReg(temp,t)@+NextGeneration()A ALT(A)ralt(ss,alt,sp,t)altAOC(ss,alt,sp)spss(ss,alt+dalt,sp+dsp+Math.sqrt (399000.00/(alt+dalt)),t)@+((round(Mf*(Math.exp(Math.sqrt (399000.00/(alt+dalt))/Ve)-1.00)*Ve/T))+(round(Mf*(Math.exp(dsp/Ve)-1.00)*Ve/T)))(ss,alt,sp,t)altsp(ss,alt,sp,t)(ss,dalt,dsp,t)if ralt<>altthen 1`(ss,ralt-alt,Math.sqrt(399000.00/(alt+6370.00)*(Math.sqrt(1.00+(Math.sqrt((ralt-alt)/(ralt+alt+6370.00+6370.00)))))-1.00),t)else emptyss(volt,t)(ss,volt,t)fire1`50volt@+NextGeneration()VoltGen(volt)ssssss4.00/3.00*A3nif n<Buffer3then 1`(n+1)else emptyNEXTDataPacket(n)S3Buffer+S4BufferBuffer3Buffer3if n<Buffer3then 1`Buffer3else emptyBuffer3BufferBuffer3volt1`1Buffer31`20.00ssssss94  The Thermal Subsystem is shown in purple color in Figure  4.5. First the temperature is measured by the sensors through transition “TEMP Measuring” and place “Regulate Temperature”. Then by firing the transition “Regulate Temperature” the networked feedback controller regulate the temperature in place “TSS”.  The blue color in Figure  4.5, shows the Pyrotechnic Subsystem (PYRO) which helps to first deploy and fold the solar arrays using the place “PYRO” and transition “Deploy/Fold Solar Arrays”, and second to control the firing of propellant through the thrusters in the AOC subsystem.  Attitude and Orbit Control Subsystem (AOCS) is represented by green color in Figure  4.5 which controls and keeps the station of the satellites. The places “Altitude Sensors” and “Speed Sensors” determine the actual altitude and speed of the satellite. The required and actual altitude and speed are compared through the transition “Difference of Required& Actual Altitude”. As soon as one of the satellites fails, a signal is sent from TTC subsystem to the AOCS which result in one of the places"𝐶𝐴1", "𝐶𝐴2" and "𝐶𝐴3" being marked accordingly. This new marking contains the new desired coverage area. The new desired altitude is then calculated using Equation      ( 4.2), through the transition “Calculate Altitude i”. After determining the difference between the required and the actual altitudes, the required speed difference is calculated using Equation      ( 4.5) and passed to “Required Speed 1 Difference” place. The backup satellite’s speed is then increased using the thrusters which are activated by firing the propellant. After firing the transition “Fire Propellant through Thrusters”, the orbit transition starts and the related satellite halts its operation until it achieves its new desired information which occurs after firing the transition “Final Speed and Altitude”. To transmit the backup satellite to the position of the failed satellite, as explained in Section  4.1.1, first the speed is increased to achieve a 95  higher altitude and a longer period. On the basis of the position difference between the failed and the backup satellites which is defined in degrees and determined in TTC subsystem, Equation      ( 4.9) is used to calculate the time required to reposition the backup satellite to the failed satellite’s position. Equation      ( 4.10) is used to calculate the required time to stay in the temporary orbit to reach the desired position. Then the speed is reduced again (calculated by Equation      ( 4.5)) to have the satellite back in the original orbit. In the Model, after activating the thrusters by firing the transition “Fire Propellant through Thrusters”, the specifications for the maneuvers are calculated and inserted as an inscription in the model. The place “Back To Primary Orbit” is then marked following the completion of both maneuvers. The place is marked at the calculated time equal to (∆𝑡 + ∆𝑡𝑝) which is the sum of Equations      ( 4.8) and      ( 4.9). This is inserted in the CPN model by the arc inscription shown in Figure  4.5 after firing the transition “Fire Propellant through Thrusters”.  The “Final Speed and Altitude” transition is then fired to activate the sensors to measure the new values of altitude and speed.  AOCS, shown in green color in Figure  4.6 operates only for station keeping purposes, when an altitude change is needed.  The red color in Figure  4.5 represents the Power Supply Subsystem (PSS), which provides 50 volts to all the other subsystems after the solar arrays are deployed. For orbit transition and altitude control, the propellant is fired in AOCS, the place “PYRO” loses its marking, the solar arrays are folded and PSS is deactivated. After the satellite position is stabilized using the transition “Final Speed and Altitude” in AOCS, the PYRO is marked with the voltage requirements for power supply, and PYRO then sends signal to deploy the solar arrays and 96  activate the PSS again. The TTS, PYRO and PSS subsystems are the same for the main and the backup satellites, as shown in Figure  4.5 and Figure  4.6. TTC Subsystem is shown in light brown color in Figure  4.5 and Figure  4.6. When one of the main satellites fails, the “failure” transition shown in Figure  4.6 is fired. The failed satellite enters the place “Failed Satellites” and all the subsystems become unobservable which means that a satellite full failure has occurred. Failed satellite’s information is then sent to the backup satellite. The information includes the position difference between the failed and the backup satellites in degrees (place “𝐷𝑒𝑔𝑟𝑒𝑒3") and the determined change in speed to alter the failed satellite altitude (place “𝐶𝐴3”). They are then received in the backup satellite through the same places as shown in Figure  4.5.  All the transitions and places, used in Figure  4.5 and Figure  4.6, are described in Table  4.1 and Table  4.2 including the name of the subsystem they belong to.         97  Table  4.1: Places Defined in Figure  4.5 and Figure  4.6 and their Definitions Name Satellite Subsystem Description TSS Thermal Subsystem Current actual satellite’s temperature Determined Temp Thermal Subsystem Measured temperature Solar Arrays Power Supply Subsystem (PSS) Deploying of solar arrays to generate electricity Power Supply Power Supply Subsystem (PSS) The required voltage provided to all subsystems PYRO PYRO Subsystem Determining the required signals to deploy/ fold solar arrays or to fire the propellant Satellite Communication Payload Operating satellite Next Generated Packets Communication Payload Data packets are generated and updated over the time in each satellite. Data Ready To Send In-queue Buffer Communication Payload Data packets are ready to be sent from each satellite through the network. NewBuf Communication Payload The new buffer of the satellite after being substituted for the faulty one PG Communication Payload Packet generation according to coverage area BufGen Communication Payload Identifying the new specified buffer after reconfiguration Altitude Sensors AOCS Identify the current actual altitude Speed Sensors AOCS Identify the current actual speed Determined Speed &Altitude AOCS Identify the current actual speed and altitude CA(i) AOCS Identify the required coverage area Required Altitude AOCS Identify the calculated altitude required for the new coverage area Required Speed1 Difference AOCS Identify the primary speed changes  Back To Primary Orbit AOCS Identify the altitude and speed after repositioning Required Coverage Area(i) AOCS Identify the required coverage area Degree(i) TTC Identify the difference in position between satellite i and the backup satellite (degrees) Degree TTC Identify the required position change (degrees) S(i) TTC Identify the failed satellite Failed Satellite TTC Identify the failed satellite 98   Table  4.2: Transitions Defined in Figure ‎4.5 and Figure ‎4.6 and their Definitions  Name Satellite Subsystem Description Temp Measuring Thermal Subsystem Temperature sensor (e.g. thermometer) Regulate Temperature Thermal Subsystem Temperature Actuator (e.g. heater) Supply Power to All Subsystems Power Supply Subsystem (PSS) Supply the required electrical power to all subsystems  Deploy/Fold Solar Arrays PYRO Subsystem Deploy or fold the solar arrays according to the received signals from PYRO DG Communication Payload Generate packet data SetBuf Communication Payload Set the amount of the new buffer after reconfiguration Data Packets Generation at S(i) Communication Payload Data packets are generated and updated over the time in each satellite. Altitude& Orbital Control AOCS Transmit orbit and altitude information of the satellite for control purposes Calculate Altitude(i) AOCS Calculate the new altitude required for the new coverage area (Equation      ( 4.2)) Difference of Required& Actual Altitude AOCS Calculate the difference of the actual and required altitude to determine the speed changes (Equation      ( 4.5)) Fire Propellant through Thrusters AOCS Activate thruster to make the required maneuvers during the required time (Equations      ( 4.6),      ( 4.8),      ( 4.9), and      ( 4.11)) Final Speed and Altitude AOCS Transmit the final altitude and speed after reconfiguration through the related sensors D(i) TTC Transmit the information on position difference S(i) TTC Transmit failed satellite information including the buffer size to the backup satellite Calculate Coverage Area TTC Determine the required speed change according to new coverage area Failure TTC Determine if a satellite is failed 99  4.3.2 CPN Modeling of Reconfiguration Scenario 3 Repositioning a healthy satellite in the same orbit to cover the failed satellite’s footprint in addition to its own coverage area, is another reconfiguration method as explained in Section  4.2.2. This type of reconfiguration is applicable if the satellites cooperating in the network have the same or joint footprint area. As discussed in Section  4.2.2.1, if the footprints are in Satellite Fixed Cell format (SFC), the satellite adjacent to the failed one is repositioned in the same orbit to provide coverage for cells which were no longer covered.  Considering a network of three interacting satellites, as shown in Figure  4.7, the earth surface which is covered by the whole network is divided into cells C1 to C6. If the middle satellite fails, its footprint cells (C3, C4 and C5) are covered automatically with the first and the third satellite. If any of the first or the third satellites fails, the middle satellite is repositioned as shown in  Figure  4.7 (b) to cover the cells of the failed satellite (C1 and C2). To reposition the middle satellite from its position in Figure  4.7 (a) to the position in Figure  4.7 (b), the two-step process explained in Section  4.2.1 is followed. The middle satellite’s speed is increased, so its orbit becomes elliptical. After staying in the temporary elliptical orbit for determined period of time (Equation      ( 4.10)), the satellite is returned to reaches the desired position with respect to the failed satellite. The calculations required to determine the speed changes and the staying time to complete the maneuvers and to reach the desired position are performed through Equations      ( 4.2) to      ( 4.11).    100                                                                  C1 C2 C3 C4 C5 C6 (a)                                                                                       C1 C2 C3 C4 C5 C6 (b) Figure  4.7: Satellite Fixed Cell Format Reconfiguration a) Failed, b) Reconfigured Similar to the previous scenarios, the developed CPN model has three main modules, namely the Transmission Network, Ground Station and the Satellite modules. The first two modules are the same for all the models as noted before. The developed CPN model has the same subsystems as explained in Section  4.3.1, for reconfiguration scenario 2. The only difference is in the designed Telemetry and Tracking Control (TTC) subsystem which is shown in Figure  4.8. As used before, the light brown color shows the TTC subsystem. After a failure occurs and place “Failed Satellite” is marked and transition “Calculate Coverage Area” is fired, the required new coverage area appears in place “Coverage Area2”. The latter place is a fusion type which is connected to the TTC subsystem in the middle satellite and sends signals to its AOC subsystem to execute the required altitude and speed changes for in-orbit repositioning. 𝑏1 𝑏2 𝑏3 𝑏1 𝑏2 𝑏3 𝑏3 𝑏2 𝑏1  𝑏1 𝑏2 𝑏3 𝑏1 𝑏2 𝑏3 S1 S2 S3 S2 S3 101   Figure  4.8: CPN Model of an Individual Satellite in Scenario 3 Next GeneratedPacketsINTxDATASatelliteSatellites1`S(3)Data Ready To SendIn-queue Buf ferOutSatellitesxINTxDATAxTTSSTemperaturexT1`(10.00,0)Determined TempSatellitesxTemperaturexTDeterminedSpeed & AltitudeSatellitesxAltitudexSpeedxTAltitudeSensorsAltitude1`1000.00RequiredCoverageArea3Fusion 11AreaRequiredAltitudeAltitudeSpeedSensorsSpeed1`7.40RequiredSpeed1Dif ferenceSatellitesxAltitudexSpeedxTBackToPrimaryOrbitSatellitesxAltitudexSpeedxTSolarArraysNoxTPow erSupplySatellitesxNoxTPYRONo1`50FailedSatelliteSatellitesCoverageArea2Fusion 10AreaPGNo1`1BufGenINT1`S3Buf ferBufGenINTNew BufINT1`S3Buf ferData Packets Generation at S1TEMPMeasuringRegulateTemperatureAltitude&OrbitalControlCalculateRequiredAltitudeDif ference ofRequired &ActualAltitudeFire Propellant through ThrustersFinal Speed and AltitudeSupply Pow erto All SubsystemsDeploy/Fold Solar ArraysFailure[(discrete(1,100))>(!FaultRate)]Calculate CoverageAreaDGSetBuf(n,p)ss((n+Buffer3),p)@+NextGeneration()PacketGen(ss,n,p)ss(temp,t)TempGen(ss,temp)(ss,temp,t)TempReg(temp,t)@+NextGeneration()A ALT(A)ralt(ss,alt,sp,t)altAOC(ss,alt,sp)spss(ss,alt,sp,t)@+((round(Mf*(Math.exp(dsp/Ve)-1.00)*Ve/T))+(round(Deg*(2.00*3.14*(Math.sqrt((alt+6370.00)*(alt+6370.00)*(alt+6370.00)/399000.00)))*(2.00*3.14*(Math.sqrt((alt+6370.00)*(alt+6370.00)*(alt+6370.00)/399000.00)))/360.00/((2.00*3.14*(Math.sqrt((ralt+6370.00)*(ralt+6370.00)*(ralt+6370.00)/399000.00)))-(2.00*3.14*(Math.sqrt((alt+6370.00)*(alt+6370.00)*(alt+6370.00)/399000.00))))))+(round(Mf*(Math.exp(dsp/Ve)-1.00)*Ve/T)))(ss,alt,sp,t)altsp(ss,alt,sp,t)(ss,ralt,dsp,t)if  ralt<>altthen 1`(ss,ralt,Math.sqrt(399000.00/(alt+6370.00)*(Math.sqrt(1.00+(Math.sqrt((ralt-alt)/(ralt+alt+6370.00+6370.00)))))-1.00),t)else emptyss(volt,t)(ss,volt,t)f ire1`50volt@+NextGeneration()VoltGen(volt)ssssssssssA2+2.00/3.00*A1nif  n<Buffer3then 1`(n+1)else emptyNEXTDataPacket(n)S3Buffer+S4BufferBuf fer3Buffer3if  n<Buffer3then 1`Buf fer3else emptyBuffer3BufferBuf fer3volt1`1Buf fer3102  4.4 Performance Analysis Results of Reconfiguration Model Scenario 2 The performance analysis results of reconfiguration model explained in Section  4.3.1 as scenario 2, are discussed in this section.  Figure  4.9 shows a network of three interacting satellites and a fourth satellite as a backup in the same orbit. All the satellites are at an assumed altitude of 1000 km with an orbital speed of 7.4 km/sec. The satellites are located 20 degrees apart from one other and each has an initial coverage area equal to 6.8% of earth’s surface. In case of failures in satellites 1, 2 or 3, the backup satellite is repositioned by 60°, 40° or 20°, respectively. During this transition the data generated in the failed satellite coverage area will be lost.  Satellite1             Satellite2           Satellite3          Backup Satellite          Figure  4.9: Repositioning a Backup Satellite in the Same Orbit to Reconfigure the Network  20°Longitude Spacing 20°Longitude Spacing 20°Longitude Spacing 103  Assuming a conventional thruster with a thrust force of one thousand Newtons (T=1000 N) and an exhaust velocity of 3 km/sec (𝑉𝑒 = 3𝑘𝑚/sec ) is used, if satellite 3 fails, it takes 341 minutes (5 hours and 41 minutes) to reposition the backup satellite for 20°. If satellite 2 or 1 fails, the reconfiguration times for repositioning the backup satellite to their position will require 428 minutes (7 hours and 8 minutes), and 519 minutes (8 hours and 39 minutes), respectively as shown in Figure  4.10.   Figure  4.10: Reconfiguration Time for Backup Satellite Repositioning in the Same Orbit Table  4.3 shows the different types of thrusters and their properties.  If a different type of thruster, as explained in Section  4.1.1, is used the repositioning time of the backup satellite will of course differ.   0100200300400500600341.4 428.3  518.6 Reconfiguration Time (minutes) Angular Distance from the Backup Satellite (degrees) Satellite1 Failed Satellite2 Failed Satellite3 Failed20° 40° 60° 104  Table  4.3: Thruster Types and their Properties Thruster Type Thruster Force (N) Exhaust Velocity (km/sec) Conventional Thruster 1000 3 Electric Arc-jet Thruster 1 5 Ion Thruster 0.6 100 Nuclear Thruster 10000 100  As shown in Figure  4.11, a 20-degree repositioning of the spare satellite using Electric Arc-jet or Ion thrusters takes a long time of 2068 hours (86.17 days) or 1503 hours (62.62 days), respectively. This also results in a high amount of lost data during the reconfiguration process. Nuclear thrusters, on the other hand, will require about one hour (one-fifth of the conventional thrusters) for repositioning, and prevent the high amount of data loss.  As discussed in Section  3.2.2, the nuclear thrusters are still under investigation and not practically used yet.  Figure  4.11: Reconfiguration Time for Backup Satellite Repositioning (20°) with Different Type of Thrusters 05001000150020002500206 2068 1503 2 Reconfiguration Time (hours) Different Type of Thrusters for 20 degrees Repositioning ConventionalThrusterElectric Arc-jet ThrusterIon ThrusterNuclear Thruster105  Different frequency basebands are used to transmit specific types of the data as explained in Section  1.2.2 and shown in Figure  1.4. In this section, three types of frequency bands are used in the Network Transmission Module, each of which has different wavelengths and frequencies shown in Table  4.4. Using the equation V=𝜆. 𝜈, we can calculate the satellite-to-earth transmission time: t𝑟𝑎𝑛𝑠𝑚𝑖𝑠𝑠𝑖𝑜𝑛 𝑡𝑖𝑚𝑒 =𝑎𝑙𝑡𝑖𝑡𝑢𝑑𝑒𝜆. 𝜈      ( 4.13) where 𝛌 is the wavelength and 𝛎 is the wave speed. Table  4.4: Three Frequency Basebands and Their Specifications Baseband Frequency (𝝊, GHz) Wavelength (𝝀, cm) Packet Type Ku 12 2.5 Multimedia C 5 7.5 Voice L 2 30 Data  Figure  4.12 shows the throughput versus data packet arrival rate for the three different basebands. Figure  4.12 reveals that after certain arrival rate, when the network is saturated with data, the throughput levels off. It is clear that this will lead to transmission delay time, which is in fact evident from Figure  4.13.  What is also evident from Figure  4.12 and Figure  4.13 is that due to the nature of multi-media data (being complex and having linked audio and video content), for a given data arrival rate, it has less throughput and longer transmission delay. 106   Figure  4.12:  Throughput versus Data Packet Arrival Rate for the Satellite Network of  Figure  4.9 with Different Basebands  Figure  4.13: Mean Delay Time versus Data Packet Arrival Rate for the Satellite Network of  Figure  4.9 with Different Basebands 00.0020.0040.0060.0080.010.0120.0140.0160.0180.020 0.005 0.01 0.015 0.02 0.025Throughput (Packets/Time Slot) Data Packet Arrival Rate (Packet/ Time Slot) L Baseband C Baseband Ku Baseband0501001502002503003500 0.005 0.01 0.015 0.02 0.025Mean Delay Time (Time Slot) Data Packet Arrival Rate (Packet/ Time Slot) Ku Baseband C Baseband L Baseband107  4.5 Performance Analysis Results of Reconfiguration Model Scenario 3 The performance analysis results of reconfiguration model, outlined in Section  4.3.2 as scenario 3, are discussed in this section. As shown in Figure  4.7, a network of three interacting satellites is considered, in which the middle satellite has a joint coverage head cell with the first and the third satellites. All three satellites are in the same orbit at an altitude of 1000 km having an orbital speed of 7.4 km/sec. Each satellite has an initial coverage area equal to 6.8% of earth’s surface, two-third of which is joint with the middle satellite. In case of failures in the first or third satellite, the second satellite is repositioned to cover all the cells of the failed satellite, as shown in Figure  4.7. During this transition the generated data in the failed satellite coverage area will be lost. If the second satellite fails, the network continues its normal operation because its coverage area is shared with the first and third satellites.  Assuming a conventional thruster with a thrust force of T=1000 N and an exhaust velocity of 𝑉𝑒 = 3𝑘𝑚/sec , if one of the first or third satellites fails, it takes around 4 hours and 32 minutes to reposition the middle satellite to cover the coverage area of the failed satellite.  As discussed in scenario 2 and shown in Table  4.3, different types of thrusters affect the reconfiguration time of the network.  As shown in Figure  4.14, for repositioning the middle satellite to the failed satellite’s position using an Electric Arc-jet thruster or Ion thruster, a reconfiguration time of 2187 hours (91.12 days) or 1544 hours (64.33 days) is required. This causes a high amount of data loss during the reconfiguration process. Applying nuclear thrusters, which are still under investigation and not practical as yet, result in very efficient reconfiguration process which requires 14 minutes and prevents a huge quantity of data being lost. 108   Figure  4.14: Effect of Different Types of Thrusters in Reconfiguration Time of Scenario 3 Figure  4.15 shows the throughput versus data packet arrival rate for the three different basebands shown in Table  4.4.  Very similar to the discussions of scenario 2, here Figure  4.15 reveals that after certain arrival rate, the network is saturated with data and throughput drops to a fairly constant level. It is expected this to lead to transmission delay time. In fact this effect is seen in in Figure  4.16.  What is evident from Figure  4.15 and Figure  4.16 is that due to the complex nature of multi-media data for a given data arrival rate, it exhibits less throughput and longer transmission delay.  050010001500200025005 2179 1544 0 Reconfiguration Time (hours) Different Type of Thrusters Conventional Thruster Electric Arc-jet Thruster Ion Thruster Nuclear Thruster109   Figure  4.15: Throughput versus Data Packet Arrival Rate for Different Basebands in Scenario 3   Figure  4.16: Mean Delay Time versus Data Packet Arrival Rate for Different Basebands in Scenario 3 00.0050.010.0150.020.0250.030 0.005 0.01 0.015 0.02 0.025Throughput (Packets/Time Slot) Data Packet Arrival Rate (Packet/ Time Slot) L Baseband C Baseband Ku Baseband0204060801001201400 0.005 0.01 0.015 0.02 0.025Mean Delay Time (Time Slot) Data Packet Arrival Rate (Packet/ Time Slot) Ku Band C Baseband L Baseband110  4.5.1 Networked Reconfiguration Performance Analysis The CPN models and simulations, introduced in this chapter, make it possible to analyze the performance of an interacting multi-satellite networks before, after and during the orbit transition. They also provide the solution to supervisory control and automatic reconfiguration of the network to fault tolerant conditions when full or partial failures in any of the satellites.   In  Chapter 5, the developed models are verified. Then the networked performance is analyzed, related results presented, and discussed.  4.6 Conclusions In this chapter we studied the performance analysis of the networked reconfiguration schemes for multi-satellite networks in terms of throughput and transmission mean delay time for a variety of scenarios and conditions. It was demonstrated that Colored Petri Nets provide powerful means to model the operation of multi-satellite networks to significant details, and obtain meaningful performance metrics. Additionally, all control, failure and reconfiguration processes and can be embedded within one model from discrete events to mathematical relations all manners of change.        111  .   Chapter 5  5.General Networked Reconfiguration Method for Multi-Satellite Interaction  5.1 Introduction This chapter proposes a systematic reconfiguration procedure for multi satellite interactions with specific topologies subject to full failure in one or more satellites.  A general networked fault tolerant control methodology is developed to reconfigure a network with general specifications, subject to full failure of one or more satellites, to its default full performance capability according to its performance specifications. To analyze the system a Colored Petri Net model is constructed. Simulations are then conducted and the results are discussed in the remainder of the chapter.  112  5.1.1 Network Reconfiguration Scenario 4 (Orbit Transfer) In this general case, when one of the satellites fail to interact in the network, some or all of remaining satellites use their on-board thrusters to re-orbit to a formation by which the failed satellite’s coverage area is compensated and the network continues its operation.  As was discussed previously, a satellite footprint is defined as its coverage area on the earth which has a direct relation to the satellite altitude. This means that greater the altitude of the satellite the larger will be its coverage area.  Figure  5.1 shows a network of three satellites. If any of these satellites fail, its footprint on the earth will no longer be covered. To compensate for this, the closest satellite is moved to a higher orbit where its footprint contains its own and the failed satellite’s coverage areas. Referring to Figure  5.1, when 𝑆2 fails, 𝑆1 moves to an upper orbit as shown inside the dashed circle. After the orbit transfer of 𝑆2, its footprint covers areas 𝐴1 and 𝐴2.        113                                                                                                                                                                       Figure  5.1: Reconfiguration Scenario 4 (Upper Orbit Transfer) 5.1.2 CPN Modeling of Reconfiguration Scenario 4 The last reconfiguration method (Scenario 4) is the most general, applicable and versatile. It does not include any restrictions for the failure conditions and networked satellites, as the previous scenarios did. The first scenario’s restriction was the necessity of launching a backup satellite which may result in higher costs and risks. The second scenario was restricted by identifying a partial failure (fault) condition. The third scenario was limited to the networks where the cooperating satellites had joint footprints including the SFC and EFC formats. The     𝑺𝟏 𝑺𝟏 𝑺𝟐 𝑺𝟑 𝑨𝟏 𝑨𝟐 𝑨𝟑 114  fourth reconfiguration method which is explained in details in this section is not limited to any type of network conditions or failures. The only disadvantage of this method is the additional delay, due to the longer propagation times from upper orbits.   After a failure occurs in a satellite in a network, the adjacent satellite is launched to a higher orbit in a way that its coverage area becomes equal or greater than the sum of the primary and the failed satellite’s footprints. The developed CPN model includes the three main modules as explained in Section  3.3.1. Similar to the previous scenarios, the network transmission and ground station modules are the same, but the satellites’ modules are different.  The CPN simulation of the satellite module is the same as Scenario 3 in terms of the number of places and transitions and their setting orders, but is different in terms of arc inscriptions and programming commands in Attitude and Orbit Control Subsystem (AOCS) which is shown in green color in Figure  5.2.  According to Section  5.1, to cover the footprint area of the failed satellite, say #i (𝑆𝑖), by an adjacent satellite in the network, the altitude of the satellite orbit has to be increased.  For this purpose, TTC Subsystem of satellite # i-1 (𝑆𝑖−1) receives the command to increase its coverage to encompass (𝐴𝑖 + 𝐴𝑖−1). The command passes from place “Coverage Area i” in TTC subsystem to the place “Required Coverage Area” in the AOC subsystem. The required altitude is then calculated by firing transition “Calculate Required Altitude”, so ℎ2, the new altitude is marked as token in place “Required Altitude” in AOCS using Equation      ( 4.2). To increase the satellite’s altitude, its speed is increased by ∆𝑉1 calculated through the specified arc inscription defined before the place “Required Speed1 Difference” (Equation      ( 4.5)). Acquiring the speed V+∆𝑉1, the circular orbit becomes elliptical with an apogee point at ℎ2. When satellite arrives at 115  the apogee point, its speed is increased again by ∆𝑉2 (Equation      ( 4.6)) through transition “Fire Propellant through Thrusters” and the satellite enters a circular orbit with an altitude of ℎ2. The footprint of the satellite at this altitude covers 𝐴𝑖 + 𝐴𝑖−1. All these calculations are simulated using the arc inscription commands before place “Required Speed2 Difference”. The completion time of these maneuvers are calculate using Equation      ( 4.11). During this period, starting from firing time of the transition “Fire Propellant through Thrusters”, the satellite subsystems stop their normal operation which results in data loss. This is modeled through “PYRO” and “Satellite” places whereby markings are removed by firing the thrusters. So the solar arrays are folded and the communication payload stops its data collection through the network. After orbit transition is completed, which occurs by firing “Final Speed and Altitude” transition, the satellite subsystems restart their normal operation by re-marking places “PYRO” and “Satellite”.  116   Figure  5.2: CPN Model of an Individual Satellite in Scenario 4 Next GeneratedPacketsINTxDATASatelliteSatellites1`S(3)Data Ready To SendIn-queue BufferOutSatellitesxINTxDATAxTTSSTemperaturexT1`(10.00,0)Determined TempSatellitesxTemperaturexTDeterminedSpeed & AltitudeSatellitesxAltitudexSpeedxTAltitudeSensorsAltitude1`1000.00RequiredCoverageArea3Fusion 11AreaRequiredAltitudeAltitudeSpeedSensorsSpeed1`7.40RequiredSpeed1DifferenceSatellitesxAltitudexSpeedxTRequiredSpeed2DifferenceSatellitesxAltitudexSpeedxTSolarArraysNoxTPowerSupplySatellitesxNoxTPYRONo1`50FailedSatelliteSatellitesCoverageArea4Fusion 12AreaPGNo1`1BufGenINT1`S3BufferBufGenINTNewBufINT1`S3BufferData Packets Generation at S1TEMPMeasuringRegulateTemperatureAltitude&OrbitalControlCalculateRequiredAltitudeDifference ofRequired &ActualAltitudeFire Propellant through ThrustersFinal Speed and AltitudeSupply Powerto All SubsystemsDeploy/Fold Solar ArraysFailure[(discrete(1,100))>(!FaultRate)]Calculate CoverageAreaDGSetBuf(n,p)ss((n+Buffer3),p)@ +NextGeneration()PacketGen(ss,n,p)ss(temp,t)TempGen(ss,temp)(ss,temp,t)TempReg(temp,t)@ +NextGeneration()A ALT(A)ralt(ss,alt,sp,t)altAOC(ss,alt,sp)spss(ss,ralt,sp+dsp+Math.sqrt(399000.00/(ralt+6370.00)*(1.00-(Math.sqrt(1.00-(Math.sqrt((ralt-alt)/(ralt+alt+6370.00+6370.00))))))),t)@ +((round(Mf*(Math.exp(Math.sqrt(399000.00/(ralt+6370.00)*(1.00-(Math.sqrt(1.00-(Math.sqrt((ralt-alt)/(ralt+alt+6370.00+6370.00)))))))/Ve)-1.00)*Ve/T))+(round(Mf*(Math.exp(dsp/Ve)-1.00)*Ve/T)))(ss,alt,sp,t)altsp(ss,alt,sp,t)(ss,ralt,dsp,t)if ralt<>altthen 1`(ss,ralt,Math.sqrt(399000.00/(alt+6370.00)*(Math.sqrt(1.00+(Math.sqrt((ralt-alt)/(ralt+alt+6370.00+6370.00)))))-1.00),t)else emptyss(volt,t)(ss,volt,t)fire1`50volt@ +NextGeneration()VoltGen(volt)ssssssssssA3+A4nif n<Buffer3then 1`(n+1)else emptyNEXTDataPacket(n)S3Buffer+S4BufferBuffer3Buffer3if n<Buffer3then 1`Buffer3else emptyBuffer3BufferBuffer3volt1`1Buffer3117  5.2 Performance Analysis Results of Reconfiguration Model Scenario 4 In this section, the performance analysis results of the fourth reconfiguration scenario are discussed. The scenario and the related CPN model are explained in Section  5.1.2.  In the developed model, a network of four interacting satellites is considered. All four satellites are in the same orbit at an altitude of 1000 km with an orbital speed of 7.4 km/sec. The satellites have an initial coverage area equal to 6.8% of the earth’s surface.   As explained in Section  4.1.1, for maneuvering between the orbits, the related data is calculated according to the equations discussed in this section. For example, a conventional thruster with a thrust force of T=1000 N and an exhaust velocity of 𝑉𝑒 = 3𝑘𝑚/sec is assumed. If any of the satellites fails, it takes 2 hours and 42 minutes to increase the adjacent satellite’s altitude from 1000 km to 4275 km to cover the coverage area of the failed satellite with a minimum elevation angle of 10 degrees. The orbital speed is increased from 7.4 km/sec to 18.6 km/sec.  As discussed before, using different types of thrusters result in varied reconfiguration time for the network. Figure  5.3 shows the reconfiguration times for Electric Arc-jet thruster and Ion thrusters, which are 1382 hours (57.58 days) and 1085 hours (45.21 days), respectively. This waiting times cause a high amount of data loss during the reconfiguration process. With nuclear thrusters, which are still under development and investigation and are not practical yet, the reconfiguration time will be 7 minutes which is the best achieved reconfiguration time among scenarios 2, 3 and 4.  118   Figure  5.3: Effect of Different Types of Thrusters in Reconfiguration Time of Scenario 3  Figure  5.4: Throughput versus Data Packet Arrival Rate for Different Basebands in Scenario 4 02004006008001000120014003 1382 1085 0 Reconfiguration Time (hours) Different Type of Thrusters Conventional Thruster Electric Arc-jet Thruster Ion Thruster Nuclear Thruster00.0020.0040.0060.0080.010.0120.0140.0160.0180.020 0.005 0.01 0.015 0.02 0.025Throughput (Packets/Time Slot) Data Packet Arrival Rate (Packet/ Time Slot) L Baseband C Baseband Ku Baseband119   Figure  5.5: Mean Delay Time versus Data Packet Arrival Rate for Different Basebands in Scenario 4 Referring to Figure  5.4 and Figure ‎5.5, expectedly, results very similar to those of scenarios 2 and 3 of  Chapter 4 are obtained for variation of throughput and mean delay time when the data packet arrival rate increases. It should be mentioned that the mean delay time of scenario 4 is ten times greater than the ones related to scenarios 2 and 3. The higher orbit of the repositioned satellites in the reconfigured network result in higher mean delay times in network after stable steady state operation. Figure  5.6 shows the average throughput after the network is reconfigured. Three cases are considered: failure of one satellite, failure of two satellites and faultless condition. As shown in Figure  5.6, when one satellite fails, the throughput decreases by 51%. When two of the satellites fail, the system performance degrades to 6.8% of the faultless case. It is very important to note that during the reconfiguration, when the altitude increases the data would be lost. But after 05001000150020002500300035000 0.005 0.01 0.015 0.02 0.025Mean Delay Time (Time Slot) Data Packet Arrival Rate (Packet/ Time Slot) Ku Band C Baseband L Baseband120  reconfiguration, the performance is back to the normal operation which is the best advantage of the reconfiguration form in scenario 4. To this extent, the last developed model referred to as scenario 4, is the best reconfiguration solution to the network of multi- interacting satellites.  Figure  5.6: Throughput versus Failure Conditions for Reconfiguration Scenario 4 5.3 Conclusions In this chapter we studied the performance analysis of a general networked reconfiguration scheme for a multi-satellites system in terms of throughput and mean delay time. It is shown that the general reconfiguration scheme is able to make the network fault tolerant with an acceptable performance. The best reconfiguration time is also obtained using the networked control scheme developed in this chapter.  00.0050.010.0150.020.0250.030.0350.033056 0.016347 0.002279 Throughput (Packets/Time Slot) Operation Conditions Faultless One Satellite Failes Two Satellites Fail121   Chapter 6  6.Conclusions 6.1 Summary In this research integrated supervisory control and reconfiguration models of networks of interacting satellites (Multi-Satellite) using high-level petri nets were developed, in order to make the networked control system (NCS) robust to the network failures. A supervisory control was developed to determine the controllability and observability characteristics of a network and extract VUP quantification indicators using Stochastic Petri Nets (SPNs). Petri nets are essentially discrete event modeling and simulation tools. In particular high-level stochastic petri nets provide utility and features for extensive statistics on state probabilities and high-level colored petri nets offer complex data manipulation as well as data type investigation and modification when events occur within the system. Reconfiguration protocols were developed for different network failure conditions to make the network fault tolerant and to analyze the network performance parameters. 122  6.1.1 VUP Quantification Using Stochastic Petri Nets (SPN) This research presents a new approach to reason with Vulnerability, Uncertainty and Probability (VUP) quantification procedure using Stochastic Petri Nets (SPN) within and on-board a network of interacting satellites. A supervisory control and reliability analysis simulation is performed for interacting satellite networks. The system reliability quantification in terms of Vulnerability, Uncertainty and Probability is analyzed using integrated indicators developed as the methodology. The first indicator, Vulnerability, is a quantity which indicates how many times, a faulty event modeled by a SPN transition, has occurred within a time interval. The second indicator, Uncertainty, is the number of failed components in the network at time t. The third indicator, Probability, is defined as the sum of probabilities of being in state “s” at time t. The network designers can use these indicators to obtain early ideas about the relative merits of various configurations before detailed models are constructed and simulations carried out.  6.1.2 Networked Control Using Colored Petri Nets Four reconfiguration models were developed for a network of n satellites interacting with each other and a ground station, to circumvent the communication failure of any satellite or the ground station, maintain a level of performance, and prevent loss of data or network functionality. The networked control simulations reconfigure four major failure conditions. The first is the connection failure between the ground station and one of the satellites which result in sending the packet data via other satellites in the network. The second reconfiguration considered a backup satellite in the network, to be substituted for the failed satellite. The third scenario was to reposition the healthy satellites in the same orbit, and the fourth scenario was to reposition one of the healthy satellites to the higher altitude orbit. The developed reconfiguration protocols were simulated using CPN tools. The network performance is evaluated to the extreme case where only one satellite remains functional. The performance of the proposed reconfigurations is 123  assessed in terms of throughput and mean delay time for various specifications and conditions. These performance measures are obtained as a function of buffer sizes on-board the satellites, network transmission capacity, data packet arrival rate and system configuration in terms of the total number of satellites in the network, the number of failed satellites and the inter-satellite link capacities.  In the absence of faults, the results obtained from the proposed model are within the confidence intervals of the results achieved from an analytical model. In the presence of failures, the network reconfiguration effectively prevents loss of data, but expectedly at some reduced quality of service.   Overall, the versatility of SPN and CPN as a powerful modeling tools were demonstrated, it was shown that the developed models can be used as satellite network design and control tools to obtain the optimal configuration required for a desired performance in the absence and presence of failures.  The novelty of this research is that it investigates the possible reconfiguration schemes for different failure conditions for satellite networks by utilizing high-level petri nets in an integrated and embedded fashion within the models. This makes the models more practical for real world applications. In fact the communication, its control, all other satellite subsystems and the reconfiguration schemes are combined into self-contained models which are highly complex. 6.1.3 Future Work Although objectives were achieved, and informative and useful results were obtained, the proposed networked control and reconfiguration schemes can be improved and extended. For 124  instance, develop a java script to use the model in connection with a real satellite network. The applications will be relevant to global communication rather that localized coverage. Model is also extendable for multi-ground station networks when there is more than one ground station communicating within the space cluster.               125  7.Bibliography [1] A. Einafshar and F. Sassani, "Modeling and control of a network of cooperative satellites using neural networks," in ASME 2013 International Mechanical Engineering Congress and Exposition, pp. V011T06A005-V011T06A005, 2013. [2] A. Einafshar and F. Sassani, "Vulnerability, uncertainty and probability (VUP) quantification of a network of interacting satellites using stochastic petri nets (SPN)," in ASME 2013 International Mechanical Engineering Congress and Exposition, pp. V04AT04A073-V04AT04A073, 2013. [3] A. Einafshar and F. Sassani, "Multi-satellite failure evasion through colored petri net reconfiguration modeling (best poster award winner)," in UBC Department of Chemical & Biological Engineering Research Day, October 1, University of British Columbia, Vancouver, Canada, 2014. [4] A. Einafshar, B. Razavi and F. Sassani, "Integrated reconfiguration of multi-satellite network communication using colored petri nets," in Integrated Systems: Innovations and Applications, Springer, pp. 3-28, 2015. [5] D. J. Newman, Interactive Aerospace Engineering and Design. McGraw-Hill, 2002. [6] W. Zhang, L. Zhang and X. Tan, "A cooperation-based fault management method for satellite networks,"  Research Journal of Applied Sciences, Engineering and Technology, vol. 4, pp. 2191-2198, 2012.  [7] M. O. Kolawole, Satellite Communication Engineering. CRC Press, 2002. [8] G. Krüger, R. Springer and W. Lechner, "Global navigation satellite systems (GNSS),"  Computers and Electronics in Agriculture, vol. 11, pp. 3-21, 1994.  [9] A. Barua and K. Khorasani, "Hierarchical fault diagnosis and fuzzy rule-based reasoning for satellites formation flight,"  IEEE Transactions on Aerospace and Electronic Systems, vol. 47, pp. 2435-2456, 2011.  [10] A. Barua and K. Khorasani, "Hierarchical fault diagnosis and health monitoring in satellites formation flight,"  IEEE Transactions on Systems, Man and Cybernetics Part C: Applications and Reviews, vol. 41, pp. 223-239, 2011.  [11] P. Goel, G. Dedeoglu, S. I. Roumeliotis and G. S. Sukhatme, "Fault detection and identification in a mobile robot using multiple model estimation and neural network," in IEEE International Conference on Robotics and Automation, April 24-28, pp. 2302-2309, 2000. 126  [12] H. Hao, Z. Sun and Y. Zhang, "Fault diagnosis on satellite attitude control with dynamic neural network," in Advances in Neural Networks-ISNN, Springer, pp. 537-542, 2004. [13] M. Zhou, Petri Nets in Flexible and Agile Automation. Kluwer Academic Publishers, 1995. [14] R. F. Garzia and M. R. Garzia, Network Modeling Simulation and Analysis. Marcel Dekker, Inc., 1990. [15] A. Ganz and B. Li, "Performance of packet networks in satellite clusters,"  Selected Areas in Communications, IEEE Journal On, vol. 10, pp. 1012-1019, 1992.  [16] H. A. Talebi and R. V. Patel, "An intelligent fault detection and recovery scheme for reaction wheel actuator of satellite attitude control systems," in Joint IEEE Conference on Control Applications (CCA), Computer-Aided Control Systems Design Symposium (CACSD) and International Symposium on Intelligent Control (ISIC), October 4-6, pp. 3282-3287, 2007. [17] G. Vachtsevanos, F. Lewis, M. Roemer, A. Hess and B. Wu, Intelligent Fault Diagnosis and Prognosis for Engineering Systems, USA, 2006. [18] J. Garner, "Satellite control: A comprehensive approach,"  Small Satellites Systems and Services, vol. 1, pp. 361-371, 1993.  [19] B. Tiemeyer, Performance Evaluation of Satellite Navigation and Safety Case Development, 2002.  [20] H. N. Nguyen, Routing and Quality-of-Service in Broadband LEO Satellite Networks. Springer, 2003. [21] V. U. Manual, "Arianespace,"  2006.  [22] B. R. Elbert, Introduction to Satellite Communication. Artech house, 2008. [23] L. Budget, "Satellite systems for personal and broadband communications,"  2000.  [24] P. Conforto, C. Tocci, G. Losquadro, R. Sheriff and P. Chan, "Global mobility and QoS provision for internet services: The SUITED solution," in Service Portability and Virtual Customer Environments, 2000 IEEE, pp. 3-12, 2000. [25] H. Benıtez-Pérez and F. Garcıa-Nocetti, Reconfigurable Distributed Control. Springer, 2005. [26] S. Feng, H. Zhu and G. Li, "Dynamic modeling and simulation for LEO satellite networks," in 11th IEEE International Conference on Communication Technology, November 10-12, pp. 37-40, 2008. 127  [27] T. R. Henderson, Networking Over Next-Generation Satellite Systems, 1999.  [28] V. Jacobson, "Congestion avoidance and control," in ACM SIGCOMM Computer Communication Review, pp. 314-329, 1988. [29] D. Liu, Networked Control Systems: Theory and Applications. Girona, Spain: Springer, 2008. [30] B. Brahimi, E. Rondeau and C. Aubrun, "Integrated approach based on high level petri nets for evaluating networked control systems," in Mediterranean Conference on Control and Automation, June 25-27, pp. 1118-1123, 2008. [31] A. Giua and C. Seatzu, "Modeling and supervisory control of railway networks using petri nets,"  IEEE Transactions on Automation Science and Engineering, vol. 5, pp. 431-445, 2008.  [32] M. V. Iordache and P. J. Antsaklis, Supervisory Control of Concurrent Systems: A Petri Net Structural Approach. Springer, 2006. [33] J. Albus, A. Barbera, H. Scott and S. Balakirsky, "Collaborative tactical behaviors for autonomous ground and air vehicles," in Defense and Security, pp. 244-254, 2005. [34] C. Angeli and A. Chatzinikolaou, "On-Line Fault Detection Techniques for Technical Systems: A Survey."  IJCSA, vol. 1, pp. 12-30, 2004.  [35] A. Barua and K. Khorasani, "Hierarchical fault diagnosis and fuzzy rule-based reasoning for satellites formation flight,"  Aerospace and Electronic Systems, IEEE Transactions On, vol. 47, pp. 2435-2456, 2011.  [36] A. Joshi, V. Gavriloiu, A. Barua, A. Garabedian, P. Sinha and K. Khorasani, "Intelligent and learning-based approaches for health monitoring and fault diagnosis of RADARSAT-1 attitude control system," in IEEE International Conference on Systems, Man, and Cybernetics, October 7-10, pp. 3177-3183, 2007. [37] X. Huang and J. Chengbo, "Congestion control in satellite networks," in IEEE International Conference on Wireless Communications, Networking and Mobile Computing, October 12-14, 2008. [38] J. Xiang and Y. Zhang, "Design and simulation of autonomous control system of satellite," in 1st International Conference on Innovative Computing, Information and Control 2006, August 30 - September 1, pp. 109-112, 2006. [39] N. D. Powel and K. A. Morgansen, "Communication‐based performance bounds in nonlinear coordinated control,"  International Journal of Robust and Nonlinear Control, vol. 21, pp. 1410-1420, 2011.  128  [40] D. W. Casbeer and R. W. Holsapple, "Column generation for a UAV assignment problem with precedence constraints,"  International Journal of Robust and Nonlinear Control, vol. 21, pp. 1421-1433, 2011.  [41] H. Lee and Y. Kim, "Fault-tolerant control scheme for satellite attitude control system,"  IET Control Theory and Applications, vol. 4, pp. 1436-1450, 2010.  [42] Z. Li, "Application of fault tolerant controller based on RBF neural networks for mobile robot," in International Symposium on Intelligent Ubiquitous Computing and Education, may 16-17, pp. 531-534, 2009. [43] H. A. Talebi, K. Khorasani and S. Tafazoli, "A recurrent neural-network-based sensor and actuator fault detection and isolation for nonlinear systems with application to the satellite's attitude control subsystem,"  IEEE Transaction Neural Networks, vol. 20, pp. 45-60, 2009.  [44] E. N. Skoundrianos and S. G. Tzafestas, "Finding fault-fault diagnosis on the wheels of a mobile robot using local model neural networks,"  Robotics & Automation Magazine, IEEE, vol. 11, pp. 83-90, 2004.  [45] H. T. Nguyêñ and E. A. Walker, A First Course in Fuzzy Logic. CRC press, 2006. [46] N. Tudoroiu and K. Khorasani, "Satellite fault diagnosis using a bank of interacting Kalman filters,"  Aerospace and Electronic Systems, IEEE Transactions On, vol. 43, pp. 1334-1350, 2007.  [47] M. Hu, G. Zeng and J. Song, "Navigation and coordination control system for formation flying satellites," in International Conference on Computer Application and System Modeling, October 22-24, pp. V395-V399, 2010. [48] E. Semsar-Kazerooni and K. Khorasani, "Team consensus for a network of unmanned vehicles in presence of actuator faults,"  IEEE Transaction Control and System Technology, vol. 18, pp. 1155-1161, 2010.  [49] N. Tudoroiu and K. Khorasani, "Fault detection and diagnosis for satellite's attitude control system (ACS) using an interactive multiple model (IMM) approach," in IEEE International Conference on Control Applications, August 28-31, pp. 1287-1292, 2005. [50] M. L. Ayers, Telecommunications System Reliability Engineering, Theory, and Practice. John Wiley & Sons, 2012. [51] G. M. Birtwistle, G. M. Birtwistle, G. M. Birtwistle and G. M. Birtwistle, DEMOS, a System for Discrete Event Modelling on Simula. Macmillan, 1979. [52] K. Nygaard and O. Dahl, The Development of the SIMULA Languages. ACM, 1978. [53] A. A. B. Pritsker, "Introduction to stimulation and Slam II,"  1986.  129  [54] G. Tuna, K. Gulez, V. C. Gungor and T. Veli Mumcu, "Evaluations of different simultaneous localization and mapping (SLAM) algorithms," in IECON 2012-38th Annual Conference on IEEE Industrial Electronics Society, pp. 2693-2698, 2012. [55] B. Razavi, A. Einafshar and F. Sassani, "Decision analysis model for optimal aircraft engine maintenance policies using discrete event simulation," in Integrated Systems: Innovations and Applications, Springer, pp. 69-87, 2015. [56] P. T. Barnett, D. M. Braddock, A. D. Clarke, D. L. DuPré, R. Gimarc, T. F. Lehr, A. Palmer, R. Ramachandran, J. Renyolds and A. C. Spellman, Method of Semi-Automatic Data Collection, Data Analysis, and Model Generation for the Performance Analysis of Enterprise Applications, 2007.  [57] G. A. Wainer, Discrete-Event Modeling and Simulation: A Practitioner's Approach. CRC Press, 2010. [58] C. G. Cassandras, Discrete Event Systems: Modeling and Performance Analysis. Irwin Homewood, IL, 1993. [59] Y. Ho, "Introduction to special issue on dynamics of discrete event systems,"  Proc IEEE, vol. 77, pp. 3-6, 1989.  [60] J. Moody and K. Yamalidou, "Feedback control of petri nets based on place invariants," in Proceedings of the 2nd IEEE International Symposium on Requirements Engineering, March 27-29, pp. 3104-3109, 1995. [61] J. Moody and P. J. Antsaklis, Supervisory Control of Discrete Event Systems using Petri Nets. Springer, 1998. [62] J. L. Peterson, "Petri net theory and the modeling of systems,"  1981.  [63] P. W. Glynn and P. J. Haas, "Laws of large numbers and functional central limit theorems for generalized semi-Markov processes,"  Stochastic Models, vol. 22, pp. 201-231, 2006.  [64] P. J. Haas and G. S. Shedler, "Stochastic Petri nets with timed and immediate transitions,"  Stochastic Models, vol. 5, pp. 563-600, 1989.  [65] M. Blanke and J. Schröder, Diagnosis and Fault-Tolerant Control. Springer, 2006. [66] T. Murata, "Petri nets: Properties, analysis and applications,"  Proc IEEE, vol. 77, pp. 541-580, 1989.  [67] K. Yamalidou, J. Moody, M. Lemmon and P. Antsaklis, "Feedback control of Petri nets based on place invariants,"  Automatica, vol. 32, pp. 15-28, 1996.  130  [68] E. Villani, P. E. Miyagi and R. Valette, Modelling and Analysis of Hybrid Supervisory Systems: A Petri Net Approach. London, UK: Springer, 2007. [69] P. T. Biltgen, "Uncertainty quantification for capability-based systems-of-systems design," in Proc. of 26 Th Congress of International Council of the Aeronautical Sciences ICAS, pp. 10, 2008. [70] A. Bobbio, "System modelling with petri nets," in Systems Reliability Assessment, Springer, pp. 103-143, 1990. [71] JGraph Ltd., "PetriNet Editor,"  vol. 1.4.1.2, 2010.  [72] K. Jensen, L. M. Kristensen and L. L. M. Kristensen, Coloured Petri Nets: Modelling and Validation of Concurrent Systems. New York, USA: Springer, 2009. [73] A. Ghanaim and G. Frey, "Markov modeling of delays in networked automation and control systems using colored petri net models simulation," in 18th IFAC World Congress, August 28 - September 2, pp. 2731-2736, 2011. [74] A. Ghanaim, G. A. Borges and G. Frey, "Estimating delays in networked control systems using colored petri nets and markov chain models," in IEEE Conference on Emerging Technologies and Factory Automation, September 22-26, pp. 1-6, 2009. [75] A. Ghanaim and G. Frey, "Component based colored petri net model for ethernet based networked control systems," in 13th IEEE International Conference on Emerging Technologies and Factory Automation, September 15-18, pp. 1100-1103, 2008. [76] Eindhoven University of Technology, "CPN Tools", vol. 4.0.0., September, 2013.  [77] C. Toh and V. O. Li, "Satellite ATM network architectures: an overview,"  IEEE Network, vol. 12, pp. 61-71, 1998.  [78] D. Wright, L. Grego and L. Gronlund, "The physics of space security,"  A Reference Manual.Cambridge: American Academy of Arts and Sciences, 2005.  [79] M. Werner, A. Jahn, E. Lutz and A. Bottcher, "Analysis of system parameters for LEO/ICO-satellite communication networks,"  Selected Areas in Communications, IEEE Journal On, vol. 13, pp. 371-381, 1995.  [80] T. V. G. Babu, T. Le-Ngoc and J. Hayes, "Performance analysis of on-board switching in broadband satellite communication systems," in Communications, IEEE International Conference on Converging Technologies for Tomorrow's Applications, pp. 1487-1491, 1996. 131  [81] M. Kessler, J. Steinz, M. Anderegg, J. Clavel, G. Drechsel, P. Estaria, J. Faelker, J. Riedinger, A. Robson and B. Taylor, "The Infrared Space Observatory (ISO) mission."  Astronomy and Astrophysics, vol. 315, pp. L27-L31, 1996.  [82] V. A. Chobotov, Orbital Mechanics. Aiaa, 2002. [83] L. Boukhatem, A. Beylot, D. Gaïti and G. Pujolle, "Performance analysis of dynamic and fixed channel allocation techniques in a LEO constellation with an “Earth-fixed cell” system," in Global Telecommunications Conference, 2000. GLOBECOM'00. IEEE, pp. 1145-1149, 2000. [84] G. Maral, J. Restrepo, E. Del Re, R. Fantacci and G. Giambene, "Performance analysis for a guaranteed handover service in an LEO constellation with a “satellite-fixed cell” system,"  Vehicular Technology, IEEE Transactions On, vol. 47, pp. 1200-1214, 1998.  [85] P. J. Igei, C. E. Cugnasca, J. I. Garcia and P. E. Miyagi, "Modeling of distributed control systems in intelligent building based on colored Petri nets,"  IEEE Latin America Transactions, vol. 8, pp. 589-596, 2010.  [86] R. Kumar and L. E. Holloway, "Supervisory control of deterministic petri nets with regular specification languages,"  IEEE Transactions on Automatic Control, vol. 41, pp. 245-249, 1996.    

Cite

Citation Scheme:

        

Citations by CSL (citeproc-js)

Usage Statistics

Share

Embed

Customize your widget with the following options, then copy and paste the code below into the HTML of your page to embed this item in your website.
                        
                            <div id="ubcOpenCollectionsWidgetDisplay">
                            <script id="ubcOpenCollectionsWidget"
                            src="{[{embed.src}]}"
                            data-item="{[{embed.item}]}"
                            data-collection="{[{embed.collection}]}"
                            data-metadata="{[{embed.showMetadata}]}"
                            data-width="{[{embed.width}]}"
                            async >
                            </script>
                            </div>
                        
                    
IIIF logo Our image viewer uses the IIIF 2.0 standard. To load this item in other compatible viewers, use this url:
http://iiif.library.ubc.ca/presentation/dsp.24.1-0166159/manifest

Comment

Related Items