Establishing IV&V Properties

Steve Raque, NASA IV&V Facility
Dr. Doron Drusinsky, Naval Postgraduate School

9/4/2009

Outline

• IV&V Objectives for establishing properties
• Concepts refresher
  – Assertion Statecharts
  – Uses for Assertion Statecharts in IV&V
• Discovering critical properties (with examples)
  – Reentrance
  – Order & Precedence
  – Bounded Eventualities
  – Loops
  – Invariants
• Integrating with other parts of the SRM

The property categories are not mutually exclusive and not all-inclusive.

IV&V Objectives for Establishing Properties

• Common understanding of the system
  – Precise understanding asserted
  – Acceptable/unacceptable scenarios
• Provide specific requirements to be found in the developer's specifications
• Provide specific scenarios and test objectives to be found in the developer's test program
• Provide scenarios and test objectives for independent testing
• Provide a test oracle for verifying the implementation, i.e. a mechanism to evaluate the actual results of a test as pass or no-pass [Binder]
• Provide a source for automated verification test generation

Statechart Assertions

• Each statechart assertion is a formal specification of a "single" requirement.
  – It is a requirement, not an implementation of the requirement
  – Easily represents sequential/temporal logic aspects
  – It specifies what behavior must be observed, not how it must be implemented
  – It is compatible with any implementation that produces the specified behavior
  – One-to-one correspondence of requirements to statechart assertions improves understanding, allows testing for complex interactions among requirements, and improves reuse.
• StateRover makes them executable by generating Java code
• Assertion statecharts are Turing equivalent (can perform any computation)
• A statechart assertion is fundamentally a monitoring device that observes system behavior and determines whether that behavior is valid
• Dynamic approach: based on the runtime state of the system during (simulated or real) execution
• Observed behavior is valid when it matches the behavior specification coded into the assertion, and invalid when it violates the specification
• An assertion is run against observable behavior, typically supplied by some executable artifact running under a test scenario

Requirements that come from analysis of the SRM

[Figure (slide 5), reconstructed from the diagram's box and edge labels, listed as box -> edge label -> box:

SRM UML and Use Case Artifacts -> Analysis Creates -> IV&V Understanding of Requirement
IV&V Understanding of Requirement -> Represented By -> Natural Language Requirement
Natural Language Requirement -> Formalized By -> Statechart Assertion
Statechart Assertion -> Validated By -> Validation Test Suite
Good and Bad Scenarios -> Formalized By -> Validation Test Suite
Further label: "Generated from UML" (its attachment is not recoverable from the extracted text)]

DISCOVERING CRITICAL PROPERTIES


The GRAIL context


Reentrance


Once this sequence (or any main engine burn sequence) begins, we don’t want another burn sequence starting.

Reentrance


At most one propulsion burn sequence (per orbiter) can be active at any given time.
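The reentrance property above, written as a runtime monitor. This is an added example for this page, in Python rather than the Java that StateRover generates, and it is not the slides' statechart; it also illustrates the "monitoring device" idea from the Statechart Assertions slide, since the monitor consumes observed events and acts as the pass/no-pass test oracle. The trace layout (time, orbiter, event), the event names burnSequenceStart/burnSequenceEnd and the orbiter ids "A" and "B" are assumptions.

```python
"""Reentrance monitor for the property on slide 9 (added example, written in
Python rather than the Java that StateRover generates): at most one propulsion
burn sequence per orbiter may be active at any time.  The monitor is a small
state machine fed with a trace of (time, orbiter, event) tuples and acts as the
test oracle: the trace passes only if no second sequence starts while one is
active.  Trace layout, event names and orbiter ids are assumptions."""
from dataclasses import dataclass, field

START, END = "burnSequenceStart", "burnSequenceEnd"   # assumed event names


@dataclass
class BurnReentranceMonitor:
    """One instance per orbiter: IDLE --START--> ACTIVE --END--> IDLE.
    A START while ACTIVE (the reentrance case) or an END while IDLE moves the
    monitor to ERROR, which is absorbing: a violated assertion stays violated."""
    state: str = "IDLE"
    violations: list = field(default_factory=list)

    def step(self, t, event):
        if self.state == "ERROR":
            return
        if self.state == "IDLE" and event == START:
            self.state = "ACTIVE"
        elif self.state == "ACTIVE" and event == END:
            self.state = "IDLE"
        elif event in (START, END):
            self.violations.append((t, f"{event} while {self.state}"))
            self.state = "ERROR"
        # events other than START/END are not observed by this assertion


def check_trace(trace):
    """Run one monitor per orbiter over a time-ordered trace.
    Returns {orbiter: [(time, message), ...]}; all lists empty means pass."""
    monitors = {}
    for t, orbiter, event in sorted(trace, key=lambda e: e[0]):
        monitors.setdefault(orbiter, BurnReentranceMonitor()).step(t, event)
    return {orb: m.violations for orb, m in monitors.items()}


# Constructed traces, not mission data.  GOOD_TRACE has both orbiters burning
# at the same time, which the property allows because it is stated per orbiter.
GOOD_TRACE = [(0.0, "A", START), (1.0, "B", START), (30.0, "A", END), (31.0, "B", END)]
BAD_TRACE = [(0.0, "A", START), (5.0, "A", START), (30.0, "A", END)]

if __name__ == "__main__":
    print(check_trace(GOOD_TRACE))   # {'A': [], 'B': []}
    print(check_trace(BAD_TRACE))    # {'A': [(5.0, 'burnSequenceStart while ACTIVE')]}
```

The absorbing ERROR state mirrors how an assertion statechart reports a failed requirement: once the trace has violated it, later well-formed events do not make the run pass again.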

Order and Precedence


Order is important. There is some minimal time for warm-up.

Order is important. There is some maximum time (for efficiency).

Order and Precedence


Bounded Eventualities


It is critical that the main engine burn will happen within some tolerance of the prescribed time.

It is also critical that the constant pitch rate maneuver begins very close to the beginning of the burn and ends very close to the end of the burn

Bounded Eventualities(2)


Once LOI sequence is uploaded, the orbiter will, within the time prescribed by the command sequence parameters (± Δt1), perform a burn for the duration prescribed in the command sequence parameters (± Δt2)
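The order-and-precedence properties (warm-up before ignition, with a minimum and a maximum) and the bounded eventualities above all have one shape: after trigger p, response q must occur within a time window. The monitor below is an added example for this page, not the slides' statechart or StateRover code; it implements that shape once and instantiates it three times for the LOI scenario. The event names, the (time, event) trace layout and every numeric tolerance are assumptions standing in for the prescribed/TBD values on the slides.

```python
"""Bounded-response monitor for the order-and-precedence and bounded-eventuality
properties on slides 10-13 (added example, not the slides' statecharts).
Shape of the property: after trigger p at time t_p, response q must occur at
some t_q with lo <= t_q - t_p <= hi.  A q with no preceding p violates order;
a q outside the window, or no q once the trace has moved past t_p + hi,
violates the bound.  Event names, trace layout and every tolerance below are
assumptions standing in for the TBD/prescribed values on the slides."""


class BoundedResponse:
    def __init__(self, p, q, lo, hi):
        self.p, self.q, self.lo, self.hi = p, q, lo, hi
        self.t_p = None          # time of the pending trigger, if any
        self.violations = []

    def step(self, t, event):
        if self.t_p is not None and t > self.t_p + self.hi and event != self.q:
            # deadline passed with no response: the eventuality is not bounded
            self.violations.append((t, f"{self.q} not seen within {self.hi} of {self.p}"))
            self.t_p = None
        if event == self.p:
            self.t_p = t
        elif event == self.q:
            if self.t_p is None:
                self.violations.append((t, f"{self.q} without preceding {self.p}"))
            else:
                delta = t - self.t_p
                if not (self.lo <= delta <= self.hi):
                    self.violations.append(
                        (t, f"{self.q} at +{delta}, outside [{self.lo}, {self.hi}]"))
                self.t_p = None

    def finish(self, t_end):
        """Call after the last event so a still-pending response is reported."""
        if self.t_p is not None:
            self.violations.append((t_end, f"{self.q} never seen after {self.p}"))
            self.t_p = None


def check(trace, assertions):
    """Feed a (time, event) trace to every assertion; return violations per assertion."""
    trace = sorted(trace)
    for t, event in trace:
        for a in assertions:
            a.step(t, event)
    for a in assertions:
        a.finish(trace[-1][0])
    return {f"{a.p}->{a.q}": a.violations for a in assertions}


def loi_assertions(t_burn=1000.0, dt1=2.0, burn=120.0, dt2=1.0, warm_min=5.0, warm_max=20.0):
    """Three instances of the pattern for the LOI scenario (all values assumed):
    - engine warm-up must precede ignition by at least warm_min, at most warm_max s;
    - once the sequence is uploaded (t = 0), the burn starts at t_burn +/- dt1;
    - the burn (valve open to valve close) lasts burn +/- dt2."""
    return [
        BoundedResponse("engineWarmupStart", "openFuelValve", warm_min, warm_max),
        BoundedResponse("loiSequenceUploaded", "openFuelValve", t_burn - dt1, t_burn + dt1),
        BoundedResponse("openFuelValve", "closeFuelValve", burn - dt2, burn + dt2),
    ]


# Constructed traces, not flight data (times in seconds after upload).
NOMINAL = [(0.0, "loiSequenceUploaded"), (990.0, "engineWarmupStart"),
           (1001.0, "openFuelValve"), (1120.5, "closeFuelValve")]
LATE_BURN = [(0.0, "loiSequenceUploaded"), (990.0, "engineWarmupStart"),
             (1004.0, "openFuelValve"), (1124.0, "closeFuelValve")]
OUT_OF_ORDER = [(0.0, "loiSequenceUploaded"), (995.0, "openFuelValve"),
                (998.0, "engineWarmupStart"), (1115.0, "closeFuelValve")]

if __name__ == "__main__":
    for name, trace in [("nominal", NOMINAL), ("late", LATE_BURN), ("out of order", OUT_OF_ORDER)]:
        print(name, check(trace, loi_assertions()))
```

Running all three assertions over one trace is what makes the "good and bad scenarios" useful: the late-burn trace fails only the upload-to-ignition bound, while the out-of-order trace fails the warm-up precedence twice (ignition before warm-up, then a warm-up whose ignition never comes) and the timing bound once.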

Bounded Eventualities

openFuelValve is mapped to p; startConstantPitchManeuver is mapped to q.
closeFuelValve is mapped to p; stopConstantPitchManeuver is mapped to q.

An alternative that scales to n concurrent events is in the backup.

Loops

Analysis of the Attitude Control states during the LOI scenario yields loops and transitions that we want to specify out of the system.

• No direct transition
• There is likely some prudent dwell time in InertialHold
• There is some limit to the overall cycling between SlewAbsolute and a burn state during a period of time

Loops


The Attitude Control subsystem cannot change modes from Slew to LOIDeltaV or vice versa without being in the InertialHold mode for at least TBD seconds.

Loops


The Attitude Control subsystem can toggle between Slew and LOIDeltaV modes at most TBD times per TBD minutes.

Note how this is a pattern that is applicable to several mode transitions (i.e. not just during LOI)

More Loops


There is a limit to the number of times we should let the Kalman Filter reset before taking a different action.

More Loops


Whenever the Kalman filter is reset more than TBD times in a TBD minute interval, then Safe Mode should be entered within TBD seconds afterward
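The three loop properties (dwell time in InertialHold before a Slew/LOIDeltaV change, a cap on Slew/LOIDeltaV toggles per interval, and the Kalman reset count that must lead to Safe Mode) are all counts over a sliding time window, the Kalman one with a bounded response attached. The monitors below are an added example for this page, not the slides' statecharts or StateRover code. The "mode:<name>" and "kalmanReset" event names, the mode names SlewAbsolute/LOIDeltaV/InertialHold/SafeMode, and every value filled in for a TBD are assumptions.

```python
"""Monitors for the loop-shaped properties on slides 16-19 (added example, not
the slides' statecharts or StateRover code).  A sliding window of timestamps is
the shared building block: "at most N per T" is a window count, and the Kalman
property chains a window count to a bounded response (Safe Mode within S
seconds).  Trace layout, mode and event names, and all TBD values are assumptions."""
from collections import deque

SLEW, BURN, HOLD = "SlewAbsolute", "LOIDeltaV", "InertialHold"   # assumed mode names


class SlidingWindow:
    """Number of recorded timestamps within the last `width` time units."""
    def __init__(self, width):
        self.width, self.times = width, deque()

    def add(self, t):
        self.times.append(t)
        while self.times[0] < t - self.width:
            self.times.popleft()
        return len(self.times)


class AttitudeModeMonitor:
    """Slide 16: no Slew<->LOIDeltaV change without at least `dwell` s spent in
    InertialHold since leaving the other mode (a direct transition has dwell 0).
    Slide 17: at most `max_toggles` Slew<->LOIDeltaV changes per `window` s."""
    def __init__(self, dwell, max_toggles, window):
        self.dwell, self.max_toggles = dwell, max_toggles
        self.toggles = SlidingWindow(window)
        self.mode = self.entered = None          # current mode and when it was entered
        self.last_maneuver, self.hold_time = None, 0.0
        self.violations = []

    def step(self, t, event):
        if not event.startswith("mode:"):
            return
        new = event[len("mode:"):]
        if self.mode == HOLD:
            self.hold_time += t - self.entered
        if new in (SLEW, BURN) and self.last_maneuver not in (None, new):
            if self.hold_time < self.dwell:
                self.violations.append(
                    (t, f"{self.last_maneuver}->{new} after only {self.hold_time}s in {HOLD}"))
            if self.toggles.add(t) > self.max_toggles:
                self.violations.append(
                    (t, f"more than {self.max_toggles} toggles within {self.toggles.width}s"))
        if new in (SLEW, BURN):
            self.last_maneuver, self.hold_time = new, 0.0
        self.mode, self.entered = new, t


class KalmanResetMonitor:
    """Slide 19: more than `max_resets` resets within `window` s requires
    Safe Mode within `deadline` s of the reset that crossed the threshold."""
    def __init__(self, max_resets, window, deadline):
        self.max_resets, self.deadline = max_resets, deadline
        self.resets = SlidingWindow(window)
        self.due = None                            # time by which Safe Mode is required
        self.violations = []

    def step(self, t, event):
        if self.due is not None and t > self.due:
            self.violations.append((self.due, "Safe Mode not entered in time"))
            self.due = None
        if event == "kalmanReset":
            if self.resets.add(t) > self.max_resets and self.due is None:
                self.due = t + self.deadline
        elif event == "mode:SafeMode":
            self.due = None

    def finish(self, t_end):
        self.step(t_end + self.deadline + 1.0, "traceEnd")   # flush a pending deadline


def check(trace, monitors):
    """Feed a (time, event) trace to each monitor; return violations per monitor."""
    trace = sorted(trace)
    for t, event in trace:
        for m in monitors:
            m.step(t, event)
    for m in monitors:
        if hasattr(m, "finish"):
            m.finish(trace[-1][0])
    return {type(m).__name__: m.violations for m in monitors}


# Constructed trace, not mission data; times in seconds.
TRACE = [
    (0.0, "mode:InertialHold"),
    (100.0, "mode:SlewAbsolute"),
    (160.0, "mode:InertialHold"),
    (170.0, "mode:LOIDeltaV"),      # only 10 s in InertialHold: dwell violation
    (300.0, "mode:InertialHold"),
    (400.0, "kalmanReset"),
    (420.0, "kalmanReset"),
    (440.0, "kalmanReset"),         # third reset within 60 s: Safe Mode due by 470
    (500.0, "mode:SlewAbsolute"),   # no Safe Mode by 470; also the 2nd toggle in 600 s
]
RECOVERED = TRACE[:8] + [(460.0, "mode:SafeMode"), (500.0, "mode:SlewAbsolute")]

if __name__ == "__main__":
    monitors = [AttitudeModeMonitor(dwell=30.0, max_toggles=1, window=600.0),
                KalmanResetMonitor(max_resets=2, window=60.0, deadline=30.0)]
    print(check(TRACE, monitors))
```

Because the toggle and reset limits are plain window counts, the same two classes apply to any other mode pair or reset source by changing the names, which is the point of the slide's note that the pattern is not specific to LOI.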

Properties from Hazard Analysis


The DPR instrument shall remain powered OFF from launch until termination of FTS (flight termination system) control.

In the GPM Mission, if the DPR instrument is powered, it causes RF interference with the range safety destruct receiver.

Observations

• It is easier to discover critical properties where humans are not making the critical decisions; the system/software is.
• Knowing the right categories of questions to ask and having a skeptical attitude leads to discovering many potential properties.
• Access to knowledge of the subject area is important to deciding which properties are worth capturing.

BACKUP


Alternative Concurrent Timing


With n>2 events, this approach results in n threads. The previous approach results in n! sequences to draw.
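The n-versus-n! point above, and the p/q pairing on the Bounded Eventualities slide (openFuelValve with startConstantPitchManeuver), as an added order-agnostic monitor. This is example code written for this page, not the slides' statechart: instead of drawing one sequence per possible arrival order, it keeps one pending entry per event (the counterpart of one orthogonal region, or thread, per event) and opens a single window of width delta when the first member of the group arrives. The group membership, including a third burn-start event invented to make n = 3, and the value of delta are assumptions.

```python
"""Order-agnostic concurrent-timing monitor (added example, not the slides'
statechart).  The backup slide's point: requiring n events to occur together,
written as one explicit sequence per possible order, needs n! sequences; one
orthogonal region per event needs only n.  Here the n regions are the entries of
a pending set: the first member of the group to arrive opens a window of width
delta, and every other member must arrive before it closes, in any order.
Event names (a third burn-start event is invented for the n=3 case) and delta
are assumptions."""
from math import factorial


class ConcurrentGroup:
    def __init__(self, events, delta):
        self.events, self.delta = frozenset(events), delta
        self.deadline, self.pending = None, set()   # open window and who is still owed
        self.missed = set()                          # members that missed a closed window
        self.violations = []

    def step(self, t, event):
        if self.deadline is not None and t > self.deadline:
            # window closed: whoever is still pending violated the bound
            self.violations.append((self.deadline, f"missing {sorted(self.pending)}"))
            self.missed |= self.pending
            self.deadline, self.pending = None, set()
        if event not in self.events:
            return
        if event in self.missed:                     # straggler from the expired window
            self.violations.append((t, f"{event} arrived late"))
            self.missed.discard(event)
            return
        if self.deadline is None:                    # first member: open the window
            self.deadline, self.pending = t + self.delta, set(self.events)
        if event in self.pending:
            self.pending.discard(event)
        else:
            self.violations.append((t, f"duplicate {event} in window"))
        if not self.pending:                         # all members arrived in time
            self.deadline = None

    def finish(self, t_end):
        self.step(t_end + self.delta + 1.0, "traceEnd")


def check(trace, group):
    trace = sorted(trace)
    for t, event in trace:
        group.step(t, event)
    group.finish(trace[-1][0])
    return group.violations


def sequences_to_draw(events):
    """Sequences an order-enumerating statechart needs for the same group (n!)."""
    return factorial(len(events))


# Assumed burn-start group; the third event name is invented for this example.
BURN_START = ["openFuelValve", "startConstantPitchManeuver", "startAccelSampling"]
# Constructed traces, not flight data.
TOGETHER = [(1000.0, "openFuelValve"), (1000.4, "startAccelSampling"),
            (1000.9, "startConstantPitchManeuver")]
STRAGGLER = [(1000.0, "startConstantPitchManeuver"), (1000.3, "openFuelValve"),
             (1002.5, "startAccelSampling")]

if __name__ == "__main__":
    print(sequences_to_draw(BURN_START), "orderings vs", len(BURN_START), "pending entries")
    print(check(TOGETHER, ConcurrentGroup(BURN_START, delta=1.0)))
    print(check(STRAGGLER, ConcurrentGroup(BURN_START, delta=1.0)))
```

Adding a fourth event to BURN_START costs one more pending entry here, whereas the sequence-per-order drawing grows from 6 to 24 orderings.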