
Establishing IV&V Properties



Presentation Transcript


  1. Establishing IV&V Properties. Steve Raque, NASA IV&V Facility; Dr. Doron Drusinsky, Naval Postgraduate School.

  2. Outline
  • IV&V Objectives for establishing properties
  • Concepts refresher
  • Assertion Statecharts
  • Uses for Assertion Statecharts in IV&V
  • Discovering critical Properties (with examples)
    • Reentrance
    • Order & Precedence
    • Bounded Eventualities
    • Loops
    • Invariants
    • Integrating with other parts of the SRM
    • Not mutually exclusive categories
    • Not all-inclusive

  3. IV&V Objectives for Establishing Properties
  • Common understanding of the system
    • Precise understanding asserted
    • Acceptable/unacceptable scenarios
  • Provide specific requirements to be found in the developer's specifications
  • Provide specific scenarios and test objectives to be found in the developer's test program
  • Provide scenarios and test objectives for independent testing
  • Provide a test oracle for verifying the implementation
    • i.e., a mechanism to evaluate the actual results of a test as pass or no-pass [Binder]
  • Provide a source for automated verification test generation

  4. Statechart Assertions
  • Each Statechart Assertion is a formal specification of a "single" requirement.
    • It is a requirement, not an implementation of the requirement
    • Easily represents sequential/temporal logic aspects
    • It specifies what behavior must be observed, not how it must be implemented
    • It is compatible with any implementation that produces the specified behavior
  • One-to-one correspondence of requirements to statechart assertions improves understanding, allows testing for complex interactions among requirements, and improves reuse.
  • StateRover makes them executable by generating Java code
  • Assertion statecharts are Turing equivalent (can perform any computation)
  • A statechart assertion is fundamentally a monitoring device that observes system behavior and determines whether that behavior is valid
    • Dynamic approach - based on runtime state of system during (simulated or real) execution
    • Observed behavior is valid when it matches the behavior specification coded into the assertion, and invalid when it violates the specification
    • An assertion is run against observable behavior, typically supplied by some executable artifact running under a test scenario

  5. [Diagram: requirements that come from analysis of the SRM. Nodes: Natural Language Requirement, IV&V Understanding of Requirement, SRM UML and Use Case Artifacts, Good and Bad Scenarios, Validation Test Suite, Statechart Assertion. Edge labels: Represented By, Analysis Creates, Formalized By, Generated from UML, Validated By.]

  6. Discovering Critical Properties

  7. The GRAIL context

  8. Reentrance. Once this sequence (or any main engine burn sequence) begins, we don't want another burn sequence starting.

  9. Reentrance. At most one propulsion burn sequence (per orbiter) can be active at any given time.

  10. Order and Precedence
  Order is important. There is some minimal time for warm-up.
  Order is important. There is some maximum time (for efficiency).

  11. Order and Precedence

  12. Bounded Eventualities. It is critical that the main engine burn will happen within some tolerance of the prescribed time. It is also critical that the constant pitch rate maneuver begins very close to the beginning of the burn and ends very close to the end of the burn.

  13. Bounded Eventualities (2). Once the LOI sequence is uploaded, the orbiter will, within the time prescribed by the command sequence parameters (± Δt1), perform a burn for the duration prescribed in the command sequence parameters (± Δt2).

  14. Bounded Eventualities
  openFuelValve is mapped to p
  startConstantPitchManeuver is mapped to q
  closeFuelValve is mapped to p
  stopConstantPitchManeuver is mapped to q
  An alternative that scales to n concurrent events is in the backup.
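An added example, not StateRover's generated Java and not from the presentation: two Python monitors in the "monitoring device" sense of slide 4, one for the reentrance property of slides 8 and 9 and one for the bounded eventuality of slides 12 to 14, each fed a time-stamped event trace and reporting whether its property held. The event names, the burn timing parameters and the traces are constructed; only the fuel-valve (p) events are checked here, the constant-pitch (q) events would be handled the same way, and one monitor pair is assumed per orbiter.

```python
class ReentranceMonitor:
    """Fails if a second burn sequence starts before the active one ends."""
    def __init__(self):
        self.active, self.failed = 0, False
    def step(self, event, t):
        if event == "startBurnSequence":
            self.active += 1
            self.failed |= self.active > 1          # reentrant start
        elif event == "endBurnSequence":
            self.active = max(0, self.active - 1)

class BoundedBurnMonitor:
    """After loiUploaded at u: openFuelValve within u + t_burn +/- dt1, then
    closeFuelValve within d_burn +/- dt2 of the open (both as hard deadlines)."""
    def __init__(self, t_burn, dt1, d_burn, dt2):
        self.t_burn, self.dt1, self.d_burn, self.dt2 = t_burn, dt1, d_burn, dt2
        self.upload_t = self.open_t = None
        self.failed = False
    def step(self, event, t):
        # Liveness half of each bound: a deadline that passes unmet is a failure
        if self.upload_t is not None and self.open_t is None \
                and t > self.upload_t + self.t_burn + self.dt1:
            self.failed = True
        if self.open_t is not None and t > self.open_t + self.d_burn + self.dt2:
            self.failed = True
        if event == "loiUploaded":
            self.upload_t, self.open_t = t, None
        elif event == "openFuelValve" and self.upload_t is not None:
            if abs(t - self.upload_t - self.t_burn) > self.dt1:   # early or late
                self.failed = True
            self.open_t = t
        elif event == "closeFuelValve" and self.open_t is not None:
            if abs(t - self.open_t - self.d_burn) > self.dt2:      # wrong duration
                self.failed = True
            self.upload_t = self.open_t = None

def verdicts(trace, monitors):
    """Feed a (t, event) trace to every monitor; map monitor name -> property held."""
    for t, event in trace:
        for m in monitors:
            m.step(event, t)
    return {type(m).__name__: not m.failed for m in monitors}

def fresh():
    """Constructed parameters: burn starts 100 s after upload (+/-5), lasts 30 s (+/-2)."""
    return [ReentranceMonitor(), BoundedBurnMonitor(100, 5, 30, 2)]

GOOD = [(0, "loiUploaded"), (0, "startBurnSequence"), (100, "openFuelValve"),
        (130, "closeFuelValve"), (131, "endBurnSequence")]        # constructed trace
BAD = [(0, "loiUploaded"), (0, "startBurnSequence"), (50, "startBurnSequence"),
       (100, "openFuelValve"), (110, "closeFuelValve"), (120, "endBurnSequence")]
```

A trace that never opens the valve fails the bounded-eventuality monitor as soon as any later event arrives past the deadline, which is the liveness side of "within ± Δt1" that a pure safety check would miss.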

  15. Loops. Analysis of the Attitude Control states during the LOI scenario yields loops and transitions that we want to specify out of the system.
  • No direct transition
  • There is likely some prudent dwell time in InertialHold
  • There is some limit to the overall cycling between SlewAbsolute and a burn state during a period of time

  16. Loops. The Attitude Control subsystem cannot change modes from Slew to LOIDeltaV or vice versa without being in the InertialHold mode for at least TBD seconds.

  17. Loops. The Attitude Control subsystem can toggle between Slew and LOIDeltaV modes at most TBD times per TBD minutes. Note how this is a pattern that is applicable to several mode transitions (i.e. not just during LOI).

  18. More Loops. There is a limit to the number of times we should let the Kalman Filter reset before taking a different action.

  19. More Loops. Whenever the Kalman filter is reset more than TBD times in a TBD minute interval, then Safe Mode should be entered within TBD seconds afterward.
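An added example, not StateRover's code and not from the presentation: Python monitors for the three Loops properties of slides 16 to 19, fed a time-stamped sequence of Attitude Control modes (dwell time and toggle rate) or of events (Kalman resets followed by Safe Mode). The numeric TBD values, the event names kalmanReset and SafeMode, and the traces are constructed; the dwell check takes the strict reading that the mode immediately before the change must be InertialHold.

```python
from collections import deque
class ModeLoopMonitor:
    """Slew<->LOIDeltaV only via InertialHold held >= min_dwell s; <= max_toggles switches per window s."""
    ACTIVE = ("Slew", "LOIDeltaV")
    def __init__(self, min_dwell, max_toggles, window):
        self.min_dwell, self.max_toggles, self.window = min_dwell, max_toggles, window
        self.mode = self.last_active = self.hold_since = None
        self.toggles, self.failed = deque(), False  # times of Slew<->LOIDeltaV switches
    def step(self, mode, t):
        if mode == self.mode:
            return
        if mode in self.ACTIVE and self.last_active not in (None, mode):
            if self.mode != "InertialHold" or t - self.hold_since < self.min_dwell:
                self.failed = True          # direct transition or dwell too short
            self.toggles.append(t)
            while t - self.toggles[0] > self.window:
                self.toggles.popleft()      # forget switches outside the window
            if len(self.toggles) > self.max_toggles:
                self.failed = True          # cycling too often
        if mode in self.ACTIVE:
            self.last_active = mode
        self.hold_since = t if mode == "InertialHold" else None
        self.mode = mode

class KalmanResetMonitor:
    """More than max_resets resets within window s => SafeMode within deadline s."""
    def __init__(self, max_resets, window, deadline):
        self.max_resets, self.window, self.deadline = max_resets, window, deadline
        self.resets, self.due, self.failed = deque(), None, False
    def step(self, event, t):
        if self.due is not None and t > self.due:
            self.failed = True              # Safe Mode deadline missed
        if event == "kalmanReset":
            self.resets.append(t)
            while t - self.resets[0] > self.window:
                self.resets.popleft()
            if len(self.resets) > self.max_resets and self.due is None:
                self.due = t + self.deadline   # the eventuality now has a deadline
        elif event == "SafeMode":
            self.due, self.resets = None, deque()

def holds(monitor, trace):
    for t, value in trace:
        monitor.step(value, t)
    return not monitor.failed
# Constructed traces; 10 s, 2 per 600 s, 3 per 300 s and 30 s stand in for the TBDs
MODES_OK = [(0, "InertialHold"), (5, "Slew"), (60, "InertialHold"), (80, "LOIDeltaV")]
MODES_BAD = [(0, "Slew"), (30, "InertialHold"), (35, "LOIDeltaV")]   # only 5 s dwell
RESETS_LATE = [(0, "kalmanReset"), (10, "kalmanReset"), (20, "kalmanReset"),
               (30, "kalmanReset"), (100, "SafeMode")]                # due by 60 s
```

The same ModeLoopMonitor serves the other mode pairs slide 17 alludes to by changing the ACTIVE tuple, which is the reuse the one-requirement-per-assertion structure of slide 4 is meant to give.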

  20. Properties from Hazard Analysis. In the GPM Mission, if the DPR instrument is powered, it causes RF interference with the range safety destruct receiver. The DPR instrument shall remain powered OFF from launch until termination of FTS (flight termination system) control.

  21. Observations
  • It is easier to discover critical properties where humans are not making the critical decisions, the system/software is.
  • Knowing the right categories of questions to ask and having a skeptical attitude leads to discovering many potential properties.
  • Access to knowledge of the subject area is important to deciding which properties are worth capturing.

  22. Backup

  23. Alternative Concurrent Timing. With n > 2 events, this approach results in n threads. The previous approach results in n! sequences to draw.
