Electronic Communications of the EASST, Volume 46 (2011). Proceedings of the 11th International Workshop on Automated Verification of Critical Systems (AVoCS 2011).
A Symbolic Model Checking Approach to Verifying Satellite Onboard Software

This paper discusses the use of symbolic model checking technology to verify the design of an embedded satellite software control system called the attitude and orbit control system (AOCS). This system is mission critical because it is responsible for maintaining the attitude of the satellite and for performing fault detection, isolation, and recovery decisions. An executable AOCS implementation by Space Systems Finland has been provided in Ada source code form, and we use the input language of the symbolic model checker NuSMV 2 to model the implementation at a detailed level. We describe the modeling techniques and abstractions used to alleviate the state space explosion caused by the handling of timers and by the large number of system components controlled by the AOCS. The required behavior has been specified as extended state machine diagrams and translated to temporal logic properties. Besides the well-known LTL and CTL model checking algorithms, we adapt a previously unexplored form of the liveness-to-safety approach to the problem. This new technique succeeds in proving all desired properties of the system, outperforming both the LTL and CTL implementations of NuSMV 2.
