Spacecraft early design validation using formal methods

The size and complexity of software in spacecraft is increasing exponentially, and this trend complicates its validation within the context of the overall spacecraft system. Current validation methods are labor-intensive as they rely on manual analysis, review and inspection. For future space missions, we developed – with challenging requirements from the European space industry – a novel modeling language and toolset for a (semi-)automated validation approach. Our modeling language is a dialect of AADL and enables engineers to express the system, the software, and their reliability aspects. The COMPASS toolset utilizes state-of-the-art model checking techniques, both qualitative and probabilistic, for the analysis of requirements related to functional correctness, safety, dependability and performance. Several pilot projects have been performed by industry, with two of them having focused on the system-level of a satellite platform in development. Our efforts resulted in a significant advancement of validating spacecraft designs from several perspectives, using a single integrated system model. The associated technology readiness level increased from level 1 (basic concepts and ideas) to early level 4 (laboratory-tested).