Verifying Executable Specifications of Spacecraft Autonomy

Michael Pekala, George Cancro, Jay Moore
The Johns Hopkins University Applied Physics Laboratory
{mike.pekala, george.cancro, jay.moore}@jhuapl.edu

Abstract

Traditionally, autonomous spacecraft fault protection systems are difficult to develop and test. This difficulty is due in large part to implementations that are not amenable to direct inspection by system engineers and a dependency on having the full spacecraft available for testing, which occurs late in the program lifecycle. In response, JHU/APL has recently been investigating a graphical, state-based approach to fault autonomy, which results in designs that are easily reviewable and amenable to formal analysis. This paper describes our recent work applying modern model checking tools to verify these graphical designs.

1. Introduction

On-board autonomous fault protection systems form a last line of defense to save a spacecraft in the event of anomalous conditions. A variety of approaches exist for implementing on-board fault protection, ranging from simple limit checks to sophisticated AI techniques that infer spacecraft state and recommend control actions [1]. Current practice tends toward the simpler approaches, due to their flight heritage and a natural aversion to risk associated with newer technologies. However, even these relatively simple fault protection systems are notoriously difficult to develop and field. There are two main reasons for this. First, the implementations of these systems typically do not allow for adequate review by system engineers, resulting in a potential discrepancy between system-level requirements and actual system behavior. As a result, there is a significant reliance on the scenario-driven testing performed during spacecraft integration. This testing is expensive, as spacecraft test time is a limited resource, and also tends to uncover issues relatively late in the project lifecycle.
This practice leads to the second main problem with these legacy approaches: the difficulty of quickly assessing the system-wide impact of potential modifications to the autonomy system, both pre- and post-launch.

The Johns Hopkins University Applied Physics Laboratory (JHU/APL) has recently been exploring executable specification techniques, whereby the state-based design formalisms utilized by system engineers also constitute the operational functionality. Instead of translating specifications into code, an on-board interpreter directly executes an uploadable form of the state-based design. This approach circumvents intermediary steps in the design process, where information may be lost or corrupted, resulting in a process benefit: system engineering and domain experts can collaborate on and adequately review a design with the guarantee that the spacecraft will act as the design intended.

The state-based design also has the advantage of segregating the data and control portions of the fault protection system. This allows for independent testing of the control logic earlier in the project lifecycle, even if the full details of the corresponding data representation haven’t been finalized. The control logic can be evaluated through visual inspection, interactive simulation and automatic, exhaustive testing. This paper describes our recent work applying modern model checking tools to provide this latter automated testing capability. We discuss our approach for translating these designs into a form suitable for the NuSMV [2] model checker and provide preliminary experimental results for a representative spacecraft domain and an unmanned air vehicle (UAV) domain.

2. ExecSpec

Our overarching objective is to achieve an understandable autonomy design that can be readily tested and modified, whether through discovering new techniques or modifying existing technologies.
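The Introduction describes three ideas together: a state-based fault protection design that an on-board interpreter executes directly, a split between the control portion (states and guarded transitions) and the data portion (how telemetry is turned into guard values), and exhaustive testing of the control logic on its own. The following is an added example illustrating those ideas in miniature; it is not the paper's ExecSpec code or its NuSMV translation. The spec, the guard names, the telemetry fields and thresholds, and the "under-voltage forces SAFE" requirement are all constructed for the illustration. The exhaustive check enumerates every combination of guard values from every reachable state (over-approximating what telemetry can physically produce, minus declared mutually exclusive guards), which is enough to expose a priority-ordering flaw in the constructed design and to confirm the corrected version.

```python
from collections import deque
from itertools import product

# Constructed example (not from the paper). Control portion only: states plus
# an ordered list of (from_state, guard_name, to_state). List order is
# priority: the first guard that holds wins.
SPEC = {
    "initial": "NOMINAL",
    "states": ["NOMINAL", "DEGRADED", "SAFE"],
    "guards": ["bus_undervolt", "comm_loss", "comm_restored", "ground_clear"],
    "exclusive": [("comm_loss", "comm_restored")],  # cannot both hold at once
    "transitions": [
        ("NOMINAL", "bus_undervolt", "SAFE"),
        ("NOMINAL", "comm_loss", "DEGRADED"),
        ("DEGRADED", "bus_undervolt", "SAFE"),
        ("DEGRADED", "comm_restored", "NOMINAL"),
        ("SAFE", "ground_clear", "NOMINAL"),
    ],
}

# Data portion, bound separately: guard name -> predicate over a telemetry
# frame. The control logic above never sees raw telemetry values.
PREDICATES = {
    "bus_undervolt": lambda t: t["bus_v"] < 26.0,   # constructed threshold
    "comm_loss": lambda t: not t["comm_ok"],
    "comm_restored": lambda t: t["comm_ok"],
    "ground_clear": lambda t: t["ground_clear"],
}


def step(spec, state, true_guards):
    """One interpreter cycle: next state given the set of guards that hold."""
    for src, guard, dst in spec["transitions"]:
        if src == state and guard in true_guards:
            return dst
    return state  # no enabled transition: hold the current state


def run(spec, predicates, telemetry_frames):
    """Execute the spec directly against a sequence of telemetry frames."""
    state = spec["initial"]
    trace = [state]
    for frame in telemetry_frames:
        held = {g for g, p in predicates.items() if p(frame)}
        state = step(spec, state, held)
        trace.append(state)
    return trace


def guard_assignments(spec):
    """Every boolean assignment to the guards, minus excluded combinations."""
    for bits in product([False, True], repeat=len(spec["guards"])):
        held = {g for g, b in zip(spec["guards"], bits) if b}
        if any(a in held and b in held for a, b in spec["exclusive"]):
            continue
        yield frozenset(held)


def check(spec, invariant):
    """Exhaustively explore reachable states under every guard assignment.

    Returns (reachable_states, violations); each violation is a tuple
    (state, held_guards, next_state) for which invariant(...) was False.
    """
    reachable = {spec["initial"]}
    frontier = deque([spec["initial"]])
    violations = []
    while frontier:
        state = frontier.popleft()
        for held in guard_assignments(spec):
            nxt = step(spec, state, held)
            if not invariant(state, held, nxt):
                violations.append((state, sorted(held), nxt))
            if nxt not in reachable:
                reachable.add(nxt)
                frontier.append(nxt)
    return reachable, violations


def undervolt_forces_safe(state, held, nxt):
    """Constructed requirement: a bus under-voltage always ends the cycle in SAFE."""
    return "bus_undervolt" not in held or nxt == "SAFE"


# Corrected design: SAFE must react to under-voltage ahead of a ground clear.
FIXED_SPEC = dict(SPEC)
FIXED_SPEC["transitions"] = SPEC["transitions"][:-1] + [
    ("SAFE", "bus_undervolt", "SAFE"),
    ("SAFE", "ground_clear", "NOMINAL"),
]

if __name__ == "__main__":
    frames = [  # constructed telemetry frames
        {"bus_v": 28.0, "comm_ok": True, "ground_clear": False},
        {"bus_v": 28.0, "comm_ok": False, "ground_clear": False},
        {"bus_v": 25.0, "comm_ok": False, "ground_clear": False},
    ]
    print("trace:", run(SPEC, PREDICATES, frames))
    for name, s in (("original", SPEC), ("fixed", FIXED_SPEC)):
        reach, bad = check(s, undervolt_forces_safe)
        print(name, "reachable:", sorted(reach), "violations:", bad)
```

Running the original spec reports three violations, all of the form `('SAFE', [..., 'bus_undervolt', 'ground_clear'], 'NOMINAL')`: because `ground_clear` is the only guard SAFE reacts to, a clear command arriving during an under-voltage takes the vehicle back to NOMINAL. The check is over the abstract guard space, so a reported violation can be physically impossible unless the exclusion list rules it out; the flip side is that the control logic is checked before the telemetry data representation is settled, which is the ordering the paper argues for.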
The resulting approach, termed ExecSpec [3], is a combined flight and ground system based on the Bell