Establishing IV&V Properties
Steve Raque, NASA IV&V Facility; Dr. Doron Drusinsky, Naval Postgraduate School
9/4/2009
Outline
IV&V objectives for establishing properties
Concepts refresher
– Assertion statecharts
– Uses for assertion statecharts in IV&V
Discovering critical properties (with examples); the categories are not mutually exclusive and not all-inclusive
– Reentrance
– Order and precedence
– Bounded eventualities
– Loops
– Invariants
Integrating with other parts of the SRM
IV&V Objectives for Establishing Properties
Common understanding of the system
– A precise understanding, stated as assertions
– Acceptable and unacceptable scenarios
Provide specific requirements to be found in the developer's specifications
Provide specific scenarios and test objectives to be found in the developer's test program
Provide scenarios and test objectives for independent testing
Provide a test oracle for verifying the implementation, i.e. a mechanism to evaluate the actual results of a test as pass or no-pass [Binder]
Provide a source for automated verification test generation
Statechart Assertions
Each statechart assertion is a formal specification of a "single" requirement.
– It is a requirement, not an implementation of the requirement
– It easily represents sequential and temporal-logic aspects
– It specifies what behavior must be observed, not how it must be implemented
– It is compatible with any implementation that produces the specified behavior
– A one-to-one correspondence of requirements to statechart assertions improves understanding, allows testing for complex interactions among requirements, and improves reuse
StateRover makes them executable by generating Java code.
Assertion statecharts are Turing equivalent (they can perform any computation).
A statechart assertion is fundamentally a monitoring device: it observes system behavior and determines whether that behavior is valid.
– Dynamic approach: based on the runtime state of the system during (simulated or real) execution
– Observed behavior is valid when it matches the behavior specification coded into the assertion, and invalid when it violates the specification
– An assertion is run against observable behavior, typically supplied by some executable artifact running under a test scenario
Diagram: requirements that come from analysis of the SRM. Analysis of the SRM's UML and use case artifacts creates natural language requirements; each is represented by an IV&V understanding of the requirement, which is formalized by a statechart assertion; the assertion is validated by a validation test suite, generated from UML, which formalizes good and bad scenarios.
The GRAIL context
Reentrance
Once this sequence (or any main engine burn sequence) begins, we don't want another burn sequence starting.
Reentrance
At most one propulsion burn sequence (per orbiter) can be active at any given time.
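The reentrance property above is a two-state assertion per orbiter (idle or burning), and a second burn start while in the burning state is the violation. The following is an added illustration written for this page, not StateRover's generated Java and not GRAIL flight software; the event names (burnStart, burnEnd), the orbiter labels and the traces are constructed for the example. The bad trace is exactly the kind of "unacceptable scenario" the validation test suite from the earlier diagram would contain.

```python
"""Reentrance assertion: at most one propulsion burn sequence per orbiter at a time.

Added example for this page (not StateRover output). Event names, orbiter
labels and traces are constructed; a real harness would feed recorded or
simulated telemetry events instead.
"""
from dataclasses import dataclass, field


@dataclass
class ReentranceMonitor:
    """Monitors (time, orbiter, event) tuples.

    Per orbiter the assertion has two states: IDLE (not in `active`) and
    BURNING (in `active`, keyed to the burn start time).  `burnStart` moves
    IDLE -> BURNING; `burnEnd` moves BURNING -> IDLE.  A `burnStart` while
    already BURNING is the reentrance violation the property forbids.
    """
    active: dict = field(default_factory=dict)      # orbiter -> start time of the live burn
    violations: list = field(default_factory=list)  # (time, orbiter, message)

    def feed(self, t, orbiter, name):
        if name == "burnStart":
            if orbiter in self.active:
                self.violations.append(
                    (t, orbiter,
                     f"burn started at t={t} while burn from t={self.active[orbiter]} is still active"))
            else:
                self.active[orbiter] = t
        elif name == "burnEnd":
            if orbiter not in self.active:
                # Not a reentrance violation as such, but a burnEnd with no burn is
                # still an invalid scenario for the oracle to reject.
                self.violations.append((t, orbiter, f"burnEnd at t={t} with no active burn"))
            else:
                del self.active[orbiter]
        # Every other event is irrelevant to this assertion and is ignored.

    @property
    def ok(self):
        return not self.violations


def run_scenario(trace):
    """Replay a trace through a fresh monitor and return it (the test oracle verdict is `ok`)."""
    m = ReentranceMonitor()
    for t, orbiter, name in trace:
        m.feed(t, orbiter, name)
    return m


# Constructed traces.  Two orbiters burning concurrently is allowed: the
# property is per orbiter.
GOOD_TRACE = [
    (0, "GRAIL-A", "burnStart"),
    (10, "GRAIL-B", "burnStart"),
    (40, "GRAIL-A", "burnEnd"),
    (50, "GRAIL-B", "burnEnd"),
]
# Same orbiter starts a second burn sequence five seconds into the first one.
BAD_TRACE = [
    (0, "GRAIL-A", "burnStart"),
    (5, "GRAIL-A", "burnStart"),
    (40, "GRAIL-A", "burnEnd"),
]

if __name__ == "__main__":
    for label, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        m = run_scenario(trace)
        print(label, "pass" if m.ok else f"FAIL {m.violations}")
```

The monitor does not care how the burn is implemented, only that the observable burnStart/burnEnd events respect the property, which is the "what, not how" point made on the statechart assertion slide.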
Order and Precedence
Order is important. There is some minimal time for warm-up (a lower bound on the gap between the steps) and some maximum time (an upper bound, for efficiency).
Order and Precedence
Bounded Eventualities
It is critical that the main engine burn happens within some tolerance of the prescribed time. It is also critical that the constant pitch rate maneuver begins very close to the beginning of the burn and ends very close to the end of the burn.
Bounded Eventualities (2)
Once the LOI (lunar orbit insertion) sequence is uploaded, the orbiter will, within the time prescribed by the command sequence parameters (± Δt1), perform a burn for the duration prescribed in the command sequence parameters (± Δt2).
Bounded Eventualities
The generic pattern (q must occur within a bounded time of p) is instantiated twice, with the events mapped to its p and q:
– openFuelValve is mapped to p
– startConstantPitchManeuver is mapped to q
– closeFuelValve is mapped to p
– stopConstantPitchManeuver is mapped to q
An alternative that scales to n concurrent events is in the backup slides.
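The bounded-eventuality slides and the order-and-precedence slide are instances of one pattern: an event must occur inside a time window anchored on an earlier event. The code below is an added example for this page, not StateRover output and not mission software. It checks the LOI burn as stated on the previous slide (burn start within ±Δt1 of the prescribed time, burn length within ±Δt2, pitch maneuver start/stop close to valve open/close) and, with the same helper, the warm-up precedence rule with a minimum and a maximum gap. Event names, the `warmupStart` event, the parameter values and the traces are constructed assumptions; Δt1, Δt2 and the pitch tolerance are the `dt1`, `dt2` and `dt_pitch` fields.

```python
"""Bounded-eventuality and order/precedence checks over a recorded event trace.

Added example for this page; event names, parameter values and traces are
constructed.  A trace is a list of (time_seconds, event_name) in time order.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoiParams:
    t_burn: float     # prescribed burn start, seconds after the sequence upload
    duration: float   # prescribed burn length, seconds
    dt1: float        # tolerance on burn start (the slide's Δt1)
    dt2: float        # tolerance on burn duration (the slide's Δt2)
    dt_pitch: float   # tolerance on pitch maneuver start/stop relative to valve events


def first_event(trace, name, not_before=0.0):
    """Time of the first `name` event at or after `not_before`, or None if absent."""
    for t, ev in trace:
        if ev == name and t >= not_before:
            return t
    return None


def expect_between(trace, name, lo, hi, not_before, what):
    """Generic pattern: `name` must occur in [lo, hi].  Returns (time_or_None, violations)."""
    t = first_event(trace, name, not_before)
    if t is None:
        return None, [f"{what}: {name} never observed"]
    if not (lo <= t <= hi):
        return t, [f"{what}: {name} at t={t}, expected in [{lo}, {hi}]"]
    return t, []


def expect_within(trace, name, target, tol, not_before, what):
    """Symmetric form used for the ±Δt tolerances."""
    return expect_between(trace, name, target - tol, target + tol, not_before, what)


def check_loi_burn(trace, p: LoiParams):
    """Bounded eventualities for the LOI burn; returns a list of violation strings (empty = pass)."""
    violations = []
    t_upload = first_event(trace, "loiSequenceUploaded")
    if t_upload is None:
        return ["loiSequenceUploaded never observed"]
    # p = openFuelValve: burn must start at t_burn ± dt1 after upload.
    t_open, v = expect_within(trace, "openFuelValve", t_upload + p.t_burn, p.dt1, t_upload, "burn start")
    violations += v
    if t_open is None:
        return violations
    # p = closeFuelValve: burn must last duration ± dt2, measured from the actual open.
    t_close, v = expect_within(trace, "closeFuelValve", t_open + p.duration, p.dt2, t_open, "burn duration")
    violations += v
    # q = pitch maneuver start/stop must sit within dt_pitch of the matching valve event.
    _, v = expect_within(trace, "startConstantPitchManeuver", t_open, p.dt_pitch, t_upload, "pitch start")
    violations += v
    if t_close is not None:
        _, v = expect_within(trace, "stopConstantPitchManeuver", t_close, p.dt_pitch, t_open, "pitch stop")
        violations += v
    return violations


def check_warmup_precedence(trace, min_gap, max_gap):
    """Order and precedence: warm-up precedes valve open by at least min_gap and at most max_gap seconds.
    `warmupStart` is a hypothetical event name chosen for the example."""
    t_warm = first_event(trace, "warmupStart")
    if t_warm is None:
        return ["warmupStart never observed"]
    t_open = first_event(trace, "openFuelValve")
    if t_open is not None and t_open < t_warm:
        return [f"order: openFuelValve at t={t_open} precedes warmupStart at t={t_warm}"]
    _, v = expect_between(trace, "openFuelValve", t_warm + min_gap, t_warm + max_gap, t_warm, "warm-up gap")
    return v


# Constructed parameters and traces (not GRAIL values).
PARAMS = LoiParams(t_burn=600.0, duration=2400.0, dt1=2.0, dt2=5.0, dt_pitch=1.0)
GOOD_TRACE = [
    (0, "loiSequenceUploaded"), (300, "warmupStart"),
    (601, "openFuelValve"), (601.5, "startConstantPitchManeuver"),
    (3002, "closeFuelValve"), (3002.5, "stopConstantPitchManeuver"),
]
# Valve closes 11 s early: outside the ±5 s duration tolerance.
SHORT_BURN_TRACE = [
    (0, "loiSequenceUploaded"), (300, "warmupStart"),
    (601, "openFuelValve"), (601.5, "startConstantPitchManeuver"),
    (2990, "closeFuelValve"), (2990.5, "stopConstantPitchManeuver"),
]

if __name__ == "__main__":
    for label, tr in (("good", GOOD_TRACE), ("short burn", SHORT_BURN_TRACE)):
        print(label, check_loi_burn(tr, PARAMS) or "pass", check_warmup_precedence(tr, 120, 600) or "pass")
```

Measuring the burn duration from the actual valve-open time rather than the prescribed one is a deliberate choice: it keeps the duration check independent of the start-time check, so a late start produces one violation, not two.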
Loops
Analysis of the Attitude Control states during the LOI scenario yields loops and transitions that we want to specify out of the system:
– No direct transition between the slew and burn states
– There is likely some prudent dwell time in InertialHold
– There is some limit to the overall cycling between SlewAbsolute and a burn state during a period of time
Loops
The Attitude Control subsystem cannot change modes from Slew to LOIDeltaV or vice versa without being in the InertialHold mode for at least TBD seconds.
Loops
The Attitude Control subsystem can toggle between Slew and LOIDeltaV modes at most TBD times per TBD minutes. Note that this is a pattern applicable to several mode transitions (i.e. not just during LOI).
More Loops
There is a limit to the number of times we should let the Kalman filter reset before taking a different action.
More Loops
Whenever the Kalman filter is reset more than TBD times in a TBD-minute interval, Safe Mode should be entered within TBD seconds afterward.
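The three loop properties above (minimum dwell in InertialHold, a cap on Slew/LOIDeltaV toggles per window, and a Kalman filter reset count that must trigger Safe Mode within a deadline) share a sliding-window counting technique, so they are shown together in one added example. This is illustration code for this page, not StateRover output and not GRAIL software; the event encoding, mode names as strings, the `kfReset`/`safeMode` event names and all TBD values in the sample trace are constructed. Three different TBD values are the `min_dwell`, `max_toggles`/`window` and `max_resets`/`window`/`deadline` parameters.

```python
"""Loop and cycling assertions over an attitude-control event trace.

Added example for this page; event names and the trace are constructed.
A trace is a time-ordered list of (time_seconds, event_name, arg):
  ("mode", new_mode)  attitude control entered new_mode
  ("kfReset", None)   Kalman filter reset
  ("safeMode", None)  Safe Mode entered
"""
from collections import deque

SLEW, BURN, HOLD = "Slew", "LOIDeltaV", "InertialHold"


def mode_changes(trace):
    return [(t, arg) for t, name, arg in trace if name == "mode"]


def check_dwell(trace, min_dwell):
    """Slew <-> LOIDeltaV only via InertialHold, and only after >= min_dwell seconds there."""
    violations = []
    prev = None          # (time, mode) of the current mode
    before_hold = None   # mode that preceded the current InertialHold
    for t, mode in mode_changes(trace):
        if prev is not None:
            pt, pm = prev
            if {pm, mode} == {SLEW, BURN}:
                violations.append(f"t={t}: direct {pm}->{mode} transition")
            elif pm == HOLD and mode in (SLEW, BURN):
                # Only the Slew<->LOIDeltaV crossing is constrained by the slide.
                if before_hold in (SLEW, BURN) and before_hold != mode and t - pt < min_dwell:
                    violations.append(
                        f"t={t}: {before_hold}->{HOLD}->{mode} with dwell {t - pt}s < {min_dwell}s")
            if mode == HOLD:
                before_hold = pm
        prev = (t, mode)
    return violations


def check_toggle_rate(trace, max_toggles, window):
    """At most max_toggles Slew<->LOIDeltaV toggles in any window of `window` seconds.
    A toggle is entry into one of the pair when the last pair mode was the other one."""
    violations = []
    recent = deque()      # times of toggles inside the current window
    last_pair_mode = None
    for t, mode in mode_changes(trace):
        if mode in (SLEW, BURN):
            if last_pair_mode is not None and last_pair_mode != mode:
                recent.append(t)
                while recent and t - recent[0] > window:
                    recent.popleft()
                if len(recent) > max_toggles:
                    violations.append(f"t={t}: {len(recent)} toggles within {window}s (max {max_toggles})")
            last_pair_mode = mode
    return violations


def check_kf_reset_response(trace, max_resets, window, deadline):
    """More than max_resets Kalman resets within `window` seconds obliges a safeMode
    event within `deadline` seconds; the obligation is a bounded eventuality."""
    violations = []
    resets = deque()
    pending = None        # time by which safeMode must have been observed
    for t, name, _ in trace:
        if pending is not None and t > pending:
            violations.append(f"safe mode not entered by t={pending}")
            pending = None
        if name == "safeMode":
            pending = None
        elif name == "kfReset":
            resets.append(t)
            while resets and t - resets[0] > window:
                resets.popleft()
            if len(resets) > max_resets and pending is None:
                pending = t + deadline
    if pending is not None:
        violations.append(f"safe mode obligation (due t={pending}) still open at end of trace")
    return violations


# Constructed trace: one 30 s hold between Slew and a burn (fine), a 5 s hold
# after the burn (too short for a 20 s dwell), then three filter resets.
SAMPLE_TRACE = [
    (0, "mode", HOLD), (10, "mode", SLEW), (100, "mode", HOLD), (130, "mode", BURN),
    (600, "mode", HOLD), (605, "mode", SLEW),
    (700, "kfReset", None), (720, "kfReset", None), (740, "kfReset", None),
    (760, "safeMode", None),
]

if __name__ == "__main__":
    print(check_dwell(SAMPLE_TRACE, 20))
    print(check_toggle_rate(SAMPLE_TRACE, 1, 1000))
    print(check_kf_reset_response(SAMPLE_TRACE, 2, 60, 30))
```

Only the Kalman check reports an obligation still open at the end of a trace: it is a liveness-style requirement (something must happen), whereas the dwell and toggle checks are safety-style (nothing bad may happen) and an unfinished trace cannot violate them.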
Properties from Hazard Analysis
The DPR instrument shall remain powered OFF from launch until termination of FTS (flight termination system) control. In the GPM mission, if the DPR instrument is powered, it causes RF interference with the range safety destruct receiver.
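The hazard-derived property is an interval invariant: between two bounding events nothing may change a given state. The following is an added example for this page, not StateRover output and not GPM software; the event names (`dprPowerOn`, `dprPowerOff`, `launch`, `ftsControlTerminated`) and the traces are constructed. Tracking the instrument's power state, rather than just looking for a power-on event inside the window, also catches the case where the DPR was already powered before launch.

```python
"""Interval invariant: DPR stays powered off from launch until FTS control ends.

Added example for this page; event names and traces are constructed.
A trace is a time-ordered list of (time_seconds, event_name).
"""


def check_dpr_off_during_fts(trace):
    """Returns violation strings (empty list = invariant held over the trace)."""
    powered = False      # current DPR power state as reconstructed from events
    fts_active = False   # inside the [launch, ftsControlTerminated] window
    violations = []
    for t, name in trace:
        if name == "dprPowerOn":
            powered = True
            if fts_active:
                violations.append(f"t={t}: DPR powered on while FTS control active")
        elif name == "dprPowerOff":
            powered = False
        elif name == "launch":
            fts_active = True
            if powered:
                violations.append(f"t={t}: DPR already powered at launch")
        elif name == "ftsControlTerminated":
            fts_active = False
        # other events do not affect this assertion
    return violations


# Constructed scenarios: one acceptable, two unacceptable.
GOOD_TRACE = [(0, "dprPowerOff"), (100, "launch"), (3600, "ftsControlTerminated"), (4000, "dprPowerOn")]
POWER_IN_WINDOW = [(0, "dprPowerOff"), (100, "launch"), (500, "dprPowerOn"), (3600, "ftsControlTerminated")]
POWERED_AT_LAUNCH = [(0, "dprPowerOn"), (100, "launch"), (3600, "ftsControlTerminated")]

if __name__ == "__main__":
    for label, tr in (("good", GOOD_TRACE), ("in window", POWER_IN_WINDOW), ("at launch", POWERED_AT_LAUNCH)):
        print(label, check_dpr_off_during_fts(tr) or "pass")
```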
Observations
It is easier to discover critical properties where humans are not making the critical decisions and the system/software is.
Knowing the right categories of questions to ask, and having a skeptical attitude, leads to discovering many potential properties.
Access to knowledge of the subject area is important for deciding which properties are worth capturing.