Model Checking Ariane 5 Flight Program: Bozga, Mounier, FMICS 2001
• Most of us probably remember when the Ariane 5 rocket blew up in the sky. This happened on June 4, 1996 (the maiden flight, Ariane 501), and was certainly one of the most expensive fireworks of that year. The inquiry traced the loss to a software fault in the inertial reference system (an unprotected conversion of a 64-bit float to a 16-bit integer overflowed), not to a hardware failure.
• Anyhow, this accident "sparked" an interest at the European Space Agency (ESA) in formal specification and verification of the flight program.
• Some engineers working at ESA co-operated to produce a high-level specification of the Ariane 5 flight program, which is discussed in the following slides.
• The analysis of the specification was carried out with the IF toolset, whose main architect is Bozga (one of the authors of the article).
What is IF (Intermediate Format)?
• IF is a language for
-> TIMED AUTOMATA
-> ASYNCHRONOUS COMMUNICATION THROUGH BUFFERS
• IF is well supported by tools; there exists, e.g., an automatic translator from SDL (Specification and Description Language) to IF.
• The IF toolbox consists of the IF language and the set of IF tools used in the analysis.
IF language
• As already mentioned, IF is a language for timed automata. It is actually quite a rich language, because it lets the modeller choose transition urgency types, queueing policies, etc.
• E.g. a transition in IF may have one of three urgency types:
-> EAGER = fired as soon as it is enabled; while an eager transition is enabled, time may not progress
-> LAZY = never prevents the progress of time; it may be delayed indefinitely and may even be disabled by time passing
-> DELAYABLE = may wait while enabled, but time may not progress past the point where the transition would become disabled, so it is guaranteed to fire within its time interval (i.e. a combination of EAGER and LAZY)
• Communication takes place via buffers. The buffer types are either
-> FIFO (first-in first-out queueing policy)
-> BAG (i.e. a multiset, so messages may be consumed in any order)
• The signal routes connecting processes and buffers may be
-> LOSSY (messages may be lost in transit)
-> DELAYING (messages may take time to arrive)
IF validation environment
• Very simply, the specification is made in ObjectGEODE, and the resulting SDL specification is automatically translated into the IF language: sdl2if
• The resulting IF specification is optimised using liveness (live-variable) analyses, etc.: if2if
• The IF specification is compiled into a C program that generates the labelled transition system (LTS), the semantic model over which simulation, exhaustive exploration and model checking run: if2c
Ariane 5 Flight Program - Overview
The functioning of Ariane 5 can be divided neatly into six stages:
• The EPC (main cryogenic stage engine) is ignited
• When the EPC is working properly, the two solid boosters (EAP) are ignited (this is the moment of liftoff)
• When the EAPs burn out, they are jettisoned
• When the atmosphere is thin enough, the fairing protecting the satellites is jettisoned (less weight is better)
• The EPC finally shuts down and becomes inert
• The EPS (storable propellant stage) takes over and places the satellites in orbit
Ariane 5 – Formal Spec
• The whole Ariane 5 flight program can be divided into communicating finite state machines. The model consists of three parts:
• Flight Control – navigation and guidance
• Flight Regulation – control and observation of the propulsion stages
• Flight Configuration – manages changes in the launcher's components
The formal model developed for Ariane 5 concentrated on flight regulation and configuration. That means that, from our point of view, even flight control is part of the environment!
Ariane 5 - modelling
FLIGHT REGULATION
• Consists of six SDL processes
• Each task is broken down into subtasks, and each is executed within some time deadline
• If something goes wrong, the stop sequence is entered
FLIGHT CONFIGURATION
• Consists of seven SDL processes
-> EAP, EPC, payload separation, each with a given deadline
ENVIRONMENT
• We provide a nominal environment that interacts with the above parts of the flight program – this is radically simplified
Ariane 5 – Modelling the Environment
Flight Control
• Radically simplified. This part is supposed to send (with some degree of uncertainty) the right flight commands, with the right parameters, at the right time to the rocket
Redundant Program
• Very simple modelling – the flight program asks for the status of the redundant program, which non-deterministically answers YES/NO
Ground
• Models the launch protocol on the ground, i.e. it hands control over to the on-board launch sequence, but is ready to take back complete control if something goes wrong
Ariane 5 – Model Requirements
GENERAL REQUIREMENTS
• Absence of deadlocks, livelocks and signal losses
OVERALL SYSTEM REQUIREMENTS
• i.e. the global order of the flight phases is correct
LOCAL COMPONENT REQUIREMENTS
• i.e. checking the occurrence of actions at the local level (e.g. payload separation occurs eventually during an attitude positioning phase, or stop sequence no. 3 can happen only after liftoff, etc.)
Ariane 5 – Verification method with IF
• The whole verification can be divided into five phases (it is possible to iterate these phases as well!)
BASIC STATIC ANALYSIS
• We detect unused variables and timers as well as uninitialised ones
MODEL EXPLORATION
• We generate a part of the model's behaviour either randomly or using guided generation. In so doing, we may test simple properties
ADVANCED STATIC ANALYSIS
• We eliminate dependent timers and dead variables
• We do program slicing (i.e. consider only the part of the model useful for the analysis)
• We employ LIVE-EQUIVALENT STATES (i.e. we consider states equivalent that agree on live variables and independent timers -> state reduction)
Ariane 5 – Verification with IF (2)
MODEL GENERATION
• This is the same as exhaustive reachability analysis
• We may use partial-order reduction and live-variable reduction to reduce the state space
• We may assume the environment to be time-deterministic or time-nondeterministic
MODEL CHECKING
• Properties are expressed in a temporal logic, and the resulting formula is verified over the generated state space
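The following is an added example, not code from the paper, from ESA or from the IF toolset. It puts the IF urgency types from the "IF language" slide and the generation/checking phases above into one runnable piece: a toy model of the flight-configuration sequence (phase order from the overview slide, a one-slot FIFO from flight control, a phase deadline with the delayable semantics, and a nominal environment that may send NEXT or STOP at any time), explored exhaustively by breadth-first reachability and then checked for the three requirement classes of the requirements slide. Everything about the model is constructed: discrete time instead of IF's dense clocks, a deadline of two ticks, liftoff equated with EAP ignition, and a `stop_needs_liftoff` switch that deliberately lets the model violate the "stop only after liftoff" requirement so the checker has a counterexample to report.

```python
"""Explicit-state reachability and requirement checking on a toy model of the
Ariane 5 flight-configuration sequence. Constructed for illustration; it is
not the ESA/IF model and uses discrete time instead of IF's dense clocks."""
from collections import deque
from typing import NamedTuple

# Nominal phase order from the overview slide (assumption: liftoff = EAP ignition).
NOMINAL = ("GROUND", "EPC_IGNITED", "EAP_IGNITED", "EAP_JETTISONED",
           "FAIRING_JETTISONED", "EPC_SHUTDOWN", "EPS_ORBIT")
TERMINAL = {"EPS_ORBIT", "STOPPED"}
DEADLINE = 2   # ticks a flight phase may last before its deadline expires (constructed)


class State(NamedTuple):
    phase: str
    clock: int       # discrete time spent in the current phase
    inbox: tuple     # bounded FIFO buffer of commands from flight control
    liftoff: bool    # set once the EAP boosters have ignited


INITIAL = State("GROUND", 0, (), False)


def successors(s, stop_needs_liftoff=True):
    """Yield (label, next_state) pairs. Urgency follows IF: eager transitions
    block time, lazy ones never do, delayable ones block time only at the
    point where waiting longer would disable them."""
    if s.phase in TERMINAL:
        return
    # EAGER: consume the head of the FIFO as soon as it is there.
    if s.inbox:
        cmd, rest = s.inbox[0], s.inbox[1:]
        if cmd == "NEXT":
            nxt = NOMINAL[NOMINAL.index(s.phase) + 1]
            yield "next", State(nxt, 0, rest, s.liftoff or nxt == "EAP_IGNITED")
        elif s.liftoff or not stop_needs_liftoff:
            yield "stop", State("STOPPED", 0, rest, s.liftoff)      # stop sequence
        else:
            yield "ground_abort", State("GROUND", 0, rest, False)   # ground takes control back
    # LAZY: the flight-control environment may send a command at any time.
    # The buffer holds one message so the state space stays finite.
    if len(s.inbox) < 1:
        for cmd in ("NEXT", "STOP"):
            yield "send_" + cmd, s._replace(inbox=s.inbox + (cmd,))
    # DELAYABLE: the phase deadline. There is no deadline while still on the pad.
    if s.phase != "GROUND" and s.clock >= DEADLINE:
        target = "STOPPED" if s.liftoff else "GROUND"
        yield "timeout", State(target, 0, (), s.liftoff)
    # Time progress: only if no eager transition is enabled, and only while the
    # delayable timeout would still be enabled afterwards (clock < DEADLINE).
    if not s.inbox:
        if s.phase == "GROUND":
            yield "tick", s                          # no clock on the pad
        elif s.clock < DEADLINE:
            yield "tick", s._replace(clock=s.clock + 1)


def explore(stop_needs_liftoff=True):
    """Exhaustive breadth-first reachability; returns {state: (parent, label)}."""
    parent = {INITIAL: None}
    todo = deque([INITIAL])
    while todo:
        s = todo.popleft()
        for label, t in successors(s, stop_needs_liftoff):
            if t not in parent:
                parent[t] = (s, label)
                todo.append(t)
    return parent


def trace(parent, s):
    """Labels of the BFS path from INITIAL to s, i.e. a counterexample trace."""
    labels = []
    while parent[s] is not None:
        s, label = parent[s]
        labels.append(label)
    return labels[::-1]


def check(stop_needs_liftoff=True):
    """Check the three requirement classes from the slides over the full state space."""
    parent = explore(stop_needs_liftoff)
    report = {"states": len(parent), "deadlocks": [],
              "phase_order_ok": True, "stop_before_liftoff": None}
    for s in parent:
        # General requirement: no deadlock outside the intended terminal phases.
        if s.phase not in TERMINAL and not any(True for _ in successors(s, stop_needs_liftoff)):
            report["deadlocks"].append(trace(parent, s))
        # Overall requirement: every phase from EAP ignition onwards implies liftoff.
        if s.phase in NOMINAL and NOMINAL.index(s.phase) >= 2 and not s.liftoff:
            report["phase_order_ok"] = False
        # Local requirement: the stop sequence can only happen after liftoff.
        if s.phase == "STOPPED" and not s.liftoff and report["stop_before_liftoff"] is None:
            report["stop_before_liftoff"] = trace(parent, s)
    return report


if __name__ == "__main__":
    print(check())                           # all requirements hold
    print(check(stop_needs_liftoff=False))   # violation, with its counterexample trace
```

With the requirement-respecting model the report lists no deadlocks and no stop-before-liftoff trace; with `stop_needs_liftoff=False` the checker returns the shortest offending path, `send_STOP` followed by `stop`, straight from the pad. The state count stays tiny here only because the FIFO is bounded to one slot and time is a saturating two-tick counter; lifting either bound is exactly where the state explosion noted in the conclusion sets in, which is why the real analysis needed live-variable and partial-order reductions.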
Conclusion
• IF is a versatile language for describing communicating systems
• IF allows the integration of various tools, as there exist numerous compilers to/from IF
• Verification should be done in stages (and, if needed, iterated). The stages should include static analyses, simulation, exhaustive reachability analysis, and model checking
• The Ariane 5 flight program was partially verified using this methodology. However, we ran into the problem of state explosion rather quickly