NASA Formal Methods

Since its dramatic landing on Mars on the night of Aug 5, 2012, the Curiosity Rover has been busy exploring Gale crater, looking for evidence of past habitable environments. To accomplish its ambitious scientific goal, Curiosity is armed with a suite of sophisticated instruments, including cameras capable of 720p high definition stereo video, a gigawatt laser, a radiation detector, a weather monitoring station, and a sample delivery system that can drill into rocks and deliver the resulting powder to instruments that can determine its chemical composition. As a result, Curiosity is a rover capable of gathering large amounts of both scientific data (with results of experiments commanded by the science team) and engineering data (with critical information about rover health). This data volume is too large to be sent directly to Earth via Curiosity’s high-gain antenna (whose bandwidth is measured in hundreds of bits per second). Instead, most of the data acquired by the rover must be relayed to Earth via two orbiting spacecraft. Curiosity achieves this by autonomously engaging in “communication windows” with the orbiters, often by waking itself up in the middle of the night to avail itself of a passing overflight.

The asynchronous nature of relay communications necessitates on-board software for reliably storing data captured by multiple scientific experiments, for processing requests from Earth to reprioritize, retransmit and delete data, and for autonomously selecting, retrieving and packaging data for orbiters in time for communication windows. These functions are implemented in rover flight software by a collection of modules called the data management subsystem, which includes filesystems for volatile (RAM) and non-volatile (flash) memory, an on-the-fly compression engine, and a mini-database for cataloging and retrieving data.

In this talk, we describe the challenges involved in designing and implementing Curiosity’s data management subsystem, and the important role played by formal methods in the design and testing of this software. We also discuss ongoing work on building tools based on formal methods for analyzing spacecraft telemetry for early anomaly detection during mission operations.

Certification Challenges When Using Formal Methods, Including Needs and Issues
