Formal Analysis of a Space Craft Controller using SPIN (1998) [63 citations — 30 self]
Popular Tags
No tags have been applied to this document.
BibTeX | Add To MetaCart
@INPROCEEDINGS{Havelund98formalanalysis,author = {Klaus Havelund and Mike Lowry and John Penix},
title = {Formal Analysis of a Space Craft Controller using SPIN},
booktitle = {In Proceedings of the 4th SPIN workshop},
year = {1998}
}
Years of Citing Articles
Abstract:
This paper documents an application of the finite state model checker SPIN to formally analyze a multi-threaded plan execution module. The plan execution module is one component of NASA's New Millennium Remote Agent, an artificial intelligence based spacecraft control system architecture which launched in October of 1998 as part of the DEEP SPACE 1 mission. The bottom layer of the plan execution module architecture is a domain specific language, named ESL (Executive Support Language), implemented as an extension to multi-threaded COMMON LISP. ESL supports the construction of reactive control mechanisms for autonomous robots and space crafts. For this case study, we translated the ESL services for managing interacting parallel goal-and-event driven processes into the PROMELA input language of SPIN. A total of 5 previously undiscovered concurrency errors were identified within the implementation of ESL. According to the Remote Agent programming team the effort has had a major impact, locating errors that would not have been located otherwise and, in one case, identifying a major design flaw. In fact, in a different part of the system, a concurrency bug identical to one discovered by this study escaped testing and caused a deadlock during an in-flight experiment 96 million kilometers from earth. The work additionally motivated the introduction of procedural abstraction in terms of inline procedures into SPIN. Index Terms-- Program verification, concurrent programs, model checking, temporal logic, program abstraction, model extraction, spacecraft software.
