Redundancy concepts are major design drivers in fault-tolerant space systems. It can be a difficult task to decide when to activate which redundancy, and which component should be replaced. In this paper, we refine a methodology where recovery strategies are synthesized from a model of non-deterministic dynamic fault trees. The synthesis is performed by transforming non-deterministic dynamic fault trees into Markov automata that represent all possible choices between recovery actions. From the corresponding scheduler, optimized for maximum expected long-term reachability of failure states, a recovery strategy, optimal with respect to mean time to failure, can then be derived and represented by a model we call recovery automaton. We discuss techniques for reducing the state space of this recovery automaton, and analyze their soundness and completeness. We show that they do not generally guarantee recovery automata with the minimal number of states and derive a class where this guarantee holds. Implementation details for our approach are given and its effectiveness is verified on the basis of three case studies.

冗余概念是容错空间系统中的主要设计驱动力。决定何时激活哪个冗余以及应该更换哪个组件可能是一项艰巨的任务。在本文中，我们改进了一种从不确定性动态故障树模型中综合恢复策略的方法。通过将不确定的动态故障树转换为代表恢复操作之间所有可能选择的马尔可夫自动机来执行综合。然后，可以从相应的调度程序（针对故障状态的最大预期长期可达性进行了优化）中得出相对于平均故障时间而言最佳的恢复策略，并由我们称为恢复自动机的模型表示。我们讨论了减少此恢复自动机状态空间的技术，并分析其健全性和完整性。我们表明，它们通常不保证具有最少状态数的恢复自动机，并派生出此类保证成立的类。给出了我们方法的实施细节，并在三个案例研究的基础上验证了其有效性。