Formal Verification for a Next-Generation Space Shuttle [chapter]

Stacy D. Nelson, Charles Pecheur
2003 Lecture Notes in Computer Science  
This paper discusses the verification and validation (V&V) of advanced software used for integrated vehicle health monitoring (IVHM), in the context of NASA's next-generation space shuttle. We survey the current V&V practice and standards used in selected NASA projects, review applicable formal verification techniques, and discuss their integration into existing development practice and standards. We also describe two verification tools, JMPL2SMV and Livingstone PathFinder, that can be used to thoroughly verify diagnosis applications that use model-based reasoning, such as the Livingstone system.

Advanced Health Management for Space Vehicles

Advanced health management for space vehicles makes it possible to detect, diagnose, and in some cases remediate faults and failures without human intervention. This is critical to future space exploration because longer missions into deep space cannot be effectively managed from Earth, owing to the time a telemetry stream takes to travel between the space vehicle and Earth. It is also important to NASA's Space Launch Initiative, which focuses on affordable low-Earth-orbit space vehicles like the U.S. Space Shuttle, in order to improve crew safety and reduce costs.

NASA's Space Launch Initiative 2nd Generation Reusable Launch Vehicle (2nd Gen RLV) program is investing in future space transportation technologies, towards a flexible, commercially produced fleet of reusable launch vehicles. The objective of the current Risk Reduction Phase is to enable a mid-decade competition such that critical technology demonstrations for each proposed architecture are adequately integrated, funded, and scheduled.

Integrated Vehicle Health Management, or IVHM, is one of the technology areas supported as part of 2nd Gen RLV. Simply stated, IVHM exists to diagnose/prognose, evaluate and remediate failure modes. The system is composed of a generic (in-flight and maintenance) architecture suitable for building an IVHM system from health management subsystems developed by different vendors [19]. IVHM consists of both flight vehicle (FV-IVHM) and ground (GIVHM) components. FV-IVHM is primarily concerned with diagnosing and prognosing failures that have occurred or might occur during the current flight. Any response to or remediation of these failures would occur during the current flight. GIVHM is primarily concerned with diagnosing/prognosing failures that may occur on the ground prior to take-off or on a subsequent flight. This includes any pre-existing failure states. Both FV-IVHM and GIVHM contain model-based reasoning software.

Model-based diagnosis is one of the key technologies currently adopted for next-generation shuttle IVHM. Model-based reasoning consists of applying a general-purpose reasoning engine to a declarative model of the application's artifacts. Specifically, model-based diagnosis uses a description of the different components in the system and their interactions, including the failure modes of each component. These models capture all the application-relevant information in an abstract, concise, declarative representation. The diagnosis program itself is re-usable across different diagnosis applications.

Livingstone is a model-based diagnosis system developed at NASA Ames [26]. Livingstone models describe the normal and abnormal functional modes of each component in the system. Livingstone observes the commands issued to the plant and uses the model to predict the plant state. It then compares the predicted state against observations received from the actual sensors. If a discrepancy is found, Livingstone performs a diagnosis by searching for the most likely configuration of component modes that is consistent with the observations.
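The detect-then-diagnose cycle described for Livingstone, as an added example written for this page (it is not Livingstone's code or model language and is not taken from the paper). The plant (a pressurised tank feeding two series valves and a flow sensor), the component modes and the prior probabilities are all constructed; the diagnoser predicts the sensor reading under the all-nominal mode assignment, reports a discrepancy if the prediction disagrees with the observation, and then enumerates every mode assignment to rank those consistent with the observation by the product of their mode priors. The sensor's `unknown` mode produces no prediction at all, which is how an unconstrained fault mode stays consistent with any reading.

```python
"""Toy model-based diagnoser in the spirit of the Livingstone description above.
Constructed example: components, modes and priors are invented for illustration."""
import itertools
from dataclasses import dataclass
from math import prod
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, Optional[object]]
Behaviour = Callable[[str, Optional[str], State], State]


@dataclass(frozen=True)
class Component:
    name: str
    modes: Dict[str, float]   # mode name -> prior probability (constructed values)
    behaviour: Behaviour      # how the component transforms plant state in each mode


def valve(mode: str, cmd: Optional[str], state: State) -> State:
    """Series valve: passes upstream flow only when it is effectively open."""
    if mode == "nominal":
        is_open = cmd == "open"        # follows its command
    elif mode == "stuck_open":
        is_open = True                 # ignores a 'close' command
    elif mode == "stuck_closed":
        is_open = False                # ignores an 'open' command
    else:
        raise ValueError(f"unknown valve mode {mode}")
    return {**state, "flow": state["flow"] and is_open}


def flow_sensor(mode: str, cmd: Optional[str], state: State) -> State:
    """Flow sensor: nominal reports actual flow; 'unknown' makes no prediction (None)."""
    if mode == "nominal":
        reading = "flow" if state["flow"] else "no_flow"
    elif mode == "unknown":
        reading = None  # unconstrained output: consistent with any observation
    else:
        raise ValueError(f"unknown sensor mode {mode}")
    return {**state, "sensor": reading}


# Constructed plant topology: tank -> V1 -> V2 -> sensor S
PLANT: List[Component] = [
    Component("V1", {"nominal": 0.98, "stuck_open": 0.01, "stuck_closed": 0.01}, valve),
    Component("V2", {"nominal": 0.985, "stuck_open": 0.01, "stuck_closed": 0.005}, valve),
    Component("S", {"nominal": 0.995, "unknown": 0.005}, flow_sensor),
]


def predict(assignment: Dict[str, str], commands: Dict[str, str]) -> State:
    """Propagate the model forward under a mode assignment and the issued commands."""
    state: State = {"flow": True}  # constructed assumption: the tank is pressurised
    for comp in PLANT:
        state = comp.behaviour(assignment[comp.name], commands.get(comp.name), state)
    return state


def consistent(predicted: State, observed: Dict[str, object]) -> bool:
    """A prediction is consistent if every observed variable is unconstrained or matches."""
    return all(predicted[v] is None or predicted[v] == val for v, val in observed.items())


def nominal_assignment() -> Dict[str, str]:
    return {c.name: "nominal" for c in PLANT}


def detect(commands: Dict[str, str], observations: Dict[str, object]) -> bool:
    """Fault detection: does the nominal model disagree with the sensors?"""
    return not consistent(predict(nominal_assignment(), commands), observations)


def diagnose(commands: Dict[str, str],
             observations: Dict[str, object]) -> List[Tuple[Dict[str, str], float]]:
    """All mode assignments consistent with the observations, most probable first."""
    names = [c.name for c in PLANT]
    candidates = []
    for modes in itertools.product(*(c.modes for c in PLANT)):
        assignment = dict(zip(names, modes))
        if consistent(predict(assignment, commands), observations):
            prob = prod(c.modes[assignment[c.name]] for c in PLANT)
            candidates.append((assignment, prob))
    candidates.sort(key=lambda ap: ap[1], reverse=True)
    return candidates


def best_diagnosis(commands: Dict[str, str], observations: Dict[str, object]) -> Dict[str, str]:
    """The most likely mode configuration consistent with the observations."""
    return diagnose(commands, observations)[0][0]


def faults(assignment: Dict[str, str]) -> Dict[str, str]:
    """Only the non-nominal modes of an assignment, for readable output."""
    return {n: m for n, m in assignment.items() if m != "nominal"}


if __name__ == "__main__":
    cmds = {"V1": "open", "V2": "open"}
    obs = {"sensor": "no_flow"}     # both valves commanded open, yet no flow is seen
    print("discrepancy:", detect(cmds, obs))
    for assignment, p in diagnose(cmds, obs)[:3]:
        print(f"{p:.6f}", faults(assignment))
```

Two points the ranking makes visible: with both valves commanded open and no flow observed, the single-fault candidates (V1 stuck closed, V2 stuck closed, sensor unknown) outrank every double fault, and the sensor fault is ranked below either valve fault only because of its lower prior. With V1 commanded closed, a stuck-closed V2 is indistinguishable from nominal behaviour, so the diagnoser correctly reports no discrepancy; a fault that the current command sequence cannot excite stays hidden, which is exactly the kind of coverage question the paper's verification tools are meant to help answer.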
doi:10.1007/978-3-540-45133-4_5