Abstract

A satellite Operational Procedure (OP) consists of a set of instructions that read information from the satellite (telemetries, TM) and send commands to it (telecommands, TC). An OP can be executed by a human or by a computer (on-board procedures). OPs are typically mission-critical systems, since their failure may entail hardware damage, degradation of satellite services or costly human-based recovery actions. For this reason OPs are typically tested thoroughly in order to obtain reasonable assurance of their correctness. Unfortunately, traditional simulation-based verification of OPs is highly expensive: it requires a large amount of time from highly skilled personnel and provides no formal assurance of the correctness of the OP under verification. We show how a model checker (CMurphi) can be used to drive a satellite simulator (namely, SIMSAT). The proposed approach has the following benefits. First, it improves OP quality assurance by automatic exhaustive exploration of all possible simulation scenarios, whereas a manually driven simulation campaign cannot offer any formal assurance on the coverage it achieves. Second, it decreases OP verification costs by using a model checker to automatically drive the simulator (via fault injections). The model checker records the simulation scenarios already considered, generates fresh (i.e., not previously considered) scenarios, and stops automatically when all meaningful scenarios have been considered. Third, our approach allows humans to focus on the design of disturbance models (e.g., how many faults it makes sense to consider, when such faults may occur, etc.), which are highly reusable across the verification of similar OPs. We implemented a prototype system by interfacing the CMurphi model checker to the SIMSAT simulator. Our experimental results show the feasibility of the proposed approach.

I. Introduction

MOTIVATIONS Building a satellite, getting it into orbit and then maintaining it from the ground control facility is a big financial endeavor. When orbiting, satellites are controlled from the ground by means of satellite Operational Procedures (OPs), executed by human operators. OPs consist of a set of instructions that read information from the satellite (telemetries, TM) and send commands to it (telecommands, TC). OPs are mission-critical. In fact, an OP failure may entail hardware damage, degradation of satellite services as well as costly human-based recovery actions. Verification of OPs is thus needed in order to avoid failures. However, traditional simulation-based verification of OPs is highly expensive, since it requires a huge amount of time from highly skilled personnel. The previous considerations motivate research on methods and tools that allow automatic verification of OPs. This is the focus of the present paper.

CONTRIBUTION In this paper we present a model-checking-based approach for the automatic verification of OPs. Our approach is aimed at improving OP quality assurance by automatic exhaustive exploration of all possible simulation scenarios. Moreover, our solution aims at decreasing OP verification time (and thus cost) by using a model checker to automatically drive the simulator (via fault injections). Finally, our approach allows humans to focus on the design of disturbance models (e.g., how many faults are allowed), which are highly reusable across similar OPs. Since we use model checking for OP verification, we need a model for the satellite. Unfortunately, modeling the satellite from scratch in a model checker input language is prohibitively expensive. We overcome this obstruction
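The exploration loop the abstract describes (a model checker drives the simulator through fault injections, records every scenario it has already run, generates fresh ones, and stops when the disturbance model allows no more) as an added example that is not code from the paper, from CMurphi or from SIMSAT. A constructed in-process toy simulator stands in for SIMSAT and a small explicit-state breadth-first explorer stands in for CMurphi; the OP (`warm_up_op`), the satellite model (`SatState`), the single fault kind (a dropped telecommand), the fault budget and the safety property (`safe_at_end`) are all assumptions made for illustration.

```python
"""Exhaustive fault-injection exploration of a satellite Operational Procedure.

Added illustration, not code from the paper: a constructed in-process simulator
stands in for SIMSAT and a small explicit-state explorer stands in for CMurphi.
The OP, the satellite model, the fault kind and the property are assumptions."""
from collections import deque
from dataclasses import dataclass, replace
from typing import Callable, Tuple


@dataclass(frozen=True)
class SatState:
    """Constructed satellite state: one heater line and one temperature sensor."""
    heater_on: bool = False
    temp: int = -10          # degrees C; the unit starts below the 0 C limit
    mode: str = "NOMINAL"


def apply_tc(state: SatState, tc: str) -> SatState:
    """Toy stand-in for the simulator's telecommand (TC) handling."""
    if tc == "HEATER_ON":
        return replace(state, heater_on=True)
    if tc == "SAFE_MODE":
        return replace(state, mode="SAFE")
    raise ValueError(f"unknown TC {tc}")


def tick(state: SatState) -> SatState:
    """One simulated time step: the heater warms the unit, otherwise it cools."""
    return replace(state, temp=state.temp + 5 if state.heater_on else state.temp - 2)


def warm_up_op():
    """The OP under verification, written as a generator of TC/WAIT/TM steps.
    It commands the heater on, checks the telemetry, retries once, and falls
    back to safe mode if the heater still reports off."""
    yield ("TC", "HEATER_ON")
    yield ("WAIT",)
    if not (yield ("TM", "heater_on")):
        yield ("TC", "HEATER_ON")          # single retry
        yield ("WAIT",)
        if not (yield ("TM", "heater_on")):
            yield ("TC", "SAFE_MODE")      # give up, but safely
            return
    for _ in range(3):
        yield ("WAIT",)
    if (yield ("TM", "temp")) < 0:
        yield ("TC", "SAFE_MODE")


def safe_at_end(s: SatState) -> bool:
    """Property checked on every terminal state: the OP either reached safe mode
    or left the heater on with the temperature above the limit."""
    return s.mode == "SAFE" or (s.heater_on and s.temp >= 0)


def run_scenario(op_factory, decisions: Tuple[bool, ...], max_faults: int):
    """Drive one simulation run under a fault scenario. decisions[i] says whether
    the i-th telecommand is dropped; TCs beyond the prefix default to no fault.
    Returns the terminal state and, per TC, whether the disturbance model
    (at most max_faults dropped TCs) still allowed a fault at that point."""
    state, faults_used, allowed, n_tc = SatState(), 0, [], 0
    op, reply = op_factory(), None
    try:
        while True:
            step = op.send(reply)
            reply = None
            if step[0] == "TC":
                drop = decisions[n_tc] if n_tc < len(decisions) else False
                allowed.append(faults_used < max_faults)
                n_tc += 1
                if drop:
                    faults_used += 1               # TC lost: state unchanged
                else:
                    state = apply_tc(state, step[1])
            elif step[0] == "WAIT":
                state = tick(state)
            elif step[0] == "TM":
                reply = getattr(state, step[1])    # telemetry read-back
    except StopIteration:
        pass
    return state, allowed


def explore(op_factory, max_faults: int, prop: Callable[[SatState], bool]):
    """Enumerate every fault scenario the disturbance model allows and return
    the violating ones plus the number of runs. Considered scenarios are
    recorded so none is simulated twice; the worklist empties exactly when no
    fresh scenario remains."""
    seen, worklist, violations = set(), deque([()]), []
    while worklist:
        prefix = worklist.popleft()
        if prefix in seen:
            continue
        seen.add(prefix)
        state, allowed = run_scenario(op_factory, prefix, max_faults)
        if not prop(state):
            violations.append((prefix, state))
        # Fresh scenarios: drop one TC that this run left undecided.
        for i in range(len(prefix), len(allowed)):
            if allowed[i]:
                worklist.append(prefix + (False,) * (i - len(prefix)) + (True,))
    return violations, len(seen)


if __name__ == "__main__":
    for budget in (2, 3):
        bad, runs = explore(warm_up_op, budget, safe_at_end)
        print(f"max {budget} dropped TCs: {runs} runs, {len(bad)} violation(s) {bad}")
```

With a disturbance model allowing at most two dropped telecommands the explorer needs three runs and reports no violation; raising the budget to three exposes the run in which both HEATER_ON attempts and the fallback SAFE_MODE are all lost, leaving the heater off and the unit cold. That is the kind of outcome the paper's third benefit refers to: the engineer's effort goes into deciding how many faults the disturbance model should admit, and the explorer decides coverage.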
