Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verifying Autonomous Planning Systems Even the best laid plans need to be verified Prepared for the 2005 Software Assurance Symposium (SAS) DS1 MSL EO1.

Published byRosanna Cobb Modified over 8 years ago

Similar presentations

Presentation on theme: "Verifying Autonomous Planning Systems Even the best laid plans need to be verified Prepared for the 2005 Software Assurance Symposium (SAS) DS1 MSL EO1."— Presentation transcript:

1 Verifying Autonomous Planning Systems Even the best laid plans need to be verified Prepared for the 2005 Software Assurance Symposium (SAS) DS1 MSL EO1 Rajeev Joshi Gordon Cucullu Gerard Holzmann Benjamin Smith Margaret Smith (PI) Affiliation: Jet Propulsion Laboratory

2 Importance This work is pursuing a solution! Autonomous Planning Systems (APSs) determine what the spacecraft / rover / installation should do. Compared to conventional software, they are able to determine this in a wide range of circumstances. As a result, no need for continual oversight (save on 24/7 operations staff) more science is done (avoid delay of calling back to Earth) improved safety (more proactive than just “safe mode”) But because APSs must operate in a wide range of circumstances – far too many to test, even if you could predict them all, how can you trust them to do the right thing??? SAS_05_Verifying_Autonomous_Planners_Smith

3 How to get from A to B ? Consequences of a bad plan Wasted Resources out of resources SAS_05_Verifying_Autonomous_Planners_Smith missed science goal

4 How to get from A to B ? Consequences of a bad plan: Loss of Mission SAS_05_Verifying_Autonomous_Planners_Smith

5 Solution SPIN Model Checker Logic Model Checker used to formally verify distributed software systems. Development began in 1980 at Bell Labs –publicly distributed source code since 1991 Most widely used logic model checker with over 10,000 users. Recipient of 2002 System Software Award for 2001 from the Association for Computing Machinery (ACM) Verifies software using a meta language called Promela –requires that system being verified be expressed in Promela SPIN flags deadlocks, unspecified receptions, incompleteness, race conditions and unwarranted assumptions about relative speeds of processes Challenge: Assure that all plans generated by the APS are safe for the spacecraft. The current empirical testing approach is insufficient because it lacks coverage. Solution: Replace current empirical testing with model checking. Model checking offers exhaustive or measurable test coverage leading to greater confidence in correctness. SAS_05_Verifying_Autonomous_Planners_Smith

6 Testing ~100 plans undesirable plan all desirable plans Empirical Testing ( current approach) undesirable plan (error trace) no errors Testing with the SPIN Model Checker (our work) input model Manually inspect plans to identify undesirable plans end testing Adjust model to exclude undesirable plan properties of desirable plans Adjust model to exclude undesirable plan end testing Testing Approach limited by time required to inspect sample plans limited only by memory and processor speed input model Promela Model requirements plans analyzes billions of plans SAS_05_Verifying_Autonomous_Planners_Smith

7 APS are needed by NASA projects to reduce operations costs and meet science return requirements. Our work retires an important class of risks inherent to all missions using APS. –we replace an inadequate testing method with a method that has greatly improved and measurable test coverage. Testing methods must keep pace with the highly complex, autonomous systems we need and are developing. Relevance to NASA testing software complexity SAS_05_Verifying_Autonomous_Planners_Smith

8 Accomplishments sample image compress data uplink oven1 oven2 camera drill location power use memory use sample1 sample2 image 1 image 2 uplink compress off-cool on off-warm off-cool on off-warm off-cool off on off hole1 oven1 hole7 oven1 For DS4 / Champollion APS model, used model checking to find a deadlock error – 10 activities = exploration of ~ 3 million plans Selected Earth Observer 1 as a target mission for application of our work. – 100+ activities = more plans than atoms in the universe!!! Current empirical method of where ~100 plans are tested is woefully inadequate. Our approach: Use model checking to greatly improve testing coverage = billions of plans. –prune the search space through the use of constraints sample2 deadlock: out of memory Currently working on a set of automated tools for automatically converting APS for model checking SAS_05_Verifying_Autonomous_Planners_Smith

9 Our goal: to improve APS testing capabilities which have been an impediment to the acceptance of APS for other than experimental use. How we will get there: –complete implementation of a set of tools to fully automate model checking of APS models –improve coverage from hundreds of test cases to billions of test cases. Where we are Going SAS_05_Verifying_ Autonomous_Planners_Smith

Download ppt "Verifying Autonomous Planning Systems Even the best laid plans need to be verified Prepared for the 2005 Software Assurance Symposium (SAS) DS1 MSL EO1."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Timing Override Verification (TOV) Erik Seligman CS 510, Lecture 18, March 2009.

Timing Override Verification (TOV) Erik Seligman CS 510, Lecture 18, March 2009.
What are Formal Verification Methods Mathematically based languages, techniques and tools for specifying and verifying systems Language – Clear unambiguous.

What are Formal Verification Methods Mathematically based languages, techniques and tools for specifying and verifying systems Language – Clear unambiguous.
© 2011 Carnegie Mellon University SPIN: Part 1 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Targeted Quality Control PI Batch in QC H. Amort, P. Robinson.

Targeted Quality Control PI Batch in QC H. Amort, P. Robinson.
Importing Transfer Equivalencies: How to Maximize Efficiency How Columbia College Office of Registrar improved productivity through third party solutions.

Importing Transfer Equivalencies: How to Maximize Efficiency How Columbia College Office of Registrar improved productivity through third party solutions.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐

SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (www.dcs.warwick.ac.uk/~doron/notes.html)

Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
Demonstration Of SPIN By Mitra Purandare

Demonstration Of SPIN By Mitra Purandare
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
Argonne National Laboratory School of Computing and SCI Institute, University of Utah Formal Verification of Programs That Use MPI One-Sided Communication.

Argonne National Laboratory School of Computing and SCI Institute, University of Utah Formal Verification of Programs That Use MPI One-Sided Communication.
Copyright © 2006 Software Quality Research Laboratory DANSE Software Quality Assurance Tom Swain Software Quality Research Laboratory University of Tennessee.

Copyright © 2006 Software Quality Research Laboratory DANSE Software Quality Assurance Tom Swain Software Quality Research Laboratory University of Tennessee.
Smart Cruise, an application of M INERVA and Hydra Dr. William E. McUmber, Laura A. Campbell, and Dr. Betty H.C. Cheng This work is supported in part by.

Smart Cruise, an application of M INERVA and Hydra Dr. William E. McUmber, Laura A. Campbell, and Dr. Betty H.C. Cheng This work is supported in part by.
EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,

EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,
The Model Checker SPIN Written by Gerard J. Holzmann Presented by Chris Jensen.

The Model Checker SPIN Written by Gerard J. Holzmann Presented by Chris Jensen.

Similar presentations

Ads by Google