Model Checking Ariane 5 Flight Program: Bozga, Mounier, FMICS 2001

Provided by: teemu3

1
Model Checking Ariane 5 Flight Program: Bozga, Mounier, FMICS 2001
  • I guess most of us remember when the Ariane 5 rocket blew up in the sky. This happened on June 4, 1996, and was certainly one of the most expensive fireworks of that year
  • Anyhow, this accident sparked an interest in the European Space Agency (ESA) in formal specification and verification of the flight program
  • Some engineers working at ESA co-operated to produce a high-level specification of the Ariane 5 flight program, which will be discussed in the following slides.
  • The analysis of the specification was carried out using the IF toolset, whose main architect is Bozga, one of the article's authors.

2
What is IF (Intermediate Format)?
  • IF is a language for describing systems of
  • -> TIMED AUTOMATA with
  • -> ASYNCHRONOUS COMMUNICATION THROUGH BUFFERS
  • IF is well supported by tools; there exists, e.g., an automatic translator from SDL (Specification and Description Language) to IF.
  • The IF toolbox consists of the IF language and the set of IF tools used in the analysis.

3
IF-language
  • As already mentioned, IF is a language for timed automata. It is actually quite a rich language, because it gives the modeller a choice of transition urgency types, queueing policies, etc.
  • E.g. a transition in the IF language may be one of three types:
  • -> EAGER: the transition is fired as soon as it is enabled (time cannot progress while it is enabled)
  • -> LAZY: the transition never prevents the progress of time (it may be overtaken by time and become disabled without ever firing)
  • -> DELAYABLE: the transition may let time pass while it is enabled, but not beyond the point where its guard would become false, so its firing is guaranteed within a certain time interval (i.e. a combination of EAGER and LAZY)
  • The communication takes place via buffers. The buffer types are either
  • -> FIFO (first-in first-out queueing policy)
  • -> BAG (i.e. a multiset, where message reordering is possible)
  • The signal routes connecting processes and buffers may be
  • -> LOSSY (messages may be dropped in transit)
  • -> DELAYING (messages are delivered only after some delay)
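To make the three urgency types concrete, here is a small added example with a single clock (our own code, not the IF toolset's implementation). A transition is a tuple (name, urgency, lo, hi) that is enabled while lo <= clock <= hi; the transition names and guard bounds in the sample are constructed for the illustration.

```python
"""Time progress under the three IF transition urgencies (eager, lazy,
delayable) on a single clock.  Added illustration: our own toy semantics,
not the IF toolset's code.  A transition is (name, urgency, lo, hi)."""


def enabled(t, clock):
    """A transition is enabled while the clock lies inside its guard [lo, hi]."""
    _, _, lo, hi = t
    return lo <= clock <= hi


def max_delay(clock, transitions):
    """Largest amount of time that may elapse from `clock` without taking a
    discrete transition.  An enabled eager transition forbids any delay; an
    enabled delayable one allows waiting only up to its guard's upper bound;
    lazy transitions never constrain time (they may be overtaken by it)."""
    bound = float("inf")
    for t in transitions:
        if not enabled(t, clock):
            continue                     # disabled transitions never block time
        _, urgency, _, hi = t
        if urgency == "eager":
            return 0.0
        if urgency == "delayable":
            bound = min(bound, hi - clock)
    return bound


def time_blockers(clock, transitions):
    """Names of the transitions that stop time from advancing at `clock`:
    enabled eager ones, and enabled delayable ones sitting at their upper bound."""
    return [t[0] for t in transitions
            if enabled(t, clock)
            and (t[1] == "eager" or (t[1] == "delayable" and clock == t[3]))]


if __name__ == "__main__":
    # Constructed sample: a deadline-protected subtask, in the spirit of the
    # flight regulation model (names and bounds are ours).
    ts = [("start_subtask", "eager", 0, 0),
          ("subtask_done", "delayable", 1, 5),
          ("status_report", "lazy", 5, 10)]
    for c in (0, 1, 3, 5, 7):
        print(c, max_delay(c, ts), time_blockers(c, ts))
```

At clock 5 the delayable `subtask_done` sits at its upper bound, so no further delay is allowed even though the lazy `status_report` is also enabled; at clock 7 only the lazy transition remains, and time may run on indefinitely.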

4
IF validation environment
  • Very simply, the specification is written with ObjectGEODE, and the resulting SDL specification is automatically translated to the IF language (sdl2if)
  • The resulting IF specification is optimised using static analyses such as live-variable analysis (if2if)
  • A simulation model, i.e. a labelled transition system (LTS): the graph of reachable global states and the labelled transitions between them, may then be generated for simulation and verification purposes (if2c)

5
Ariane 5 Flight Program - Overview
  • The functioning of Ariane 5 can be divided neatly into six phases:
  • The EPC (main cryogenic stage) engine is ignited
  • When the EPC is working properly, the two solid boosters (EAP) are ignited
  • When the EAPs burn out, they are jettisoned
  • When the atmosphere is thin enough, the fairing protecting the satellites is jettisoned (less weight is better)
  • The EPC finally shuts down and becomes inert
  • The EPS (storable propellant stage) takes over and places the satellite in orbit

6
Ariane 5 Formal Spec
  • The whole Ariane 5 program can be divided into communicating finite state machines. The model consists of three parts:
  • Flight Control: navigation and guidance
  • Flight Regulation: control and observation of the propulsion stages
  • Flight Configuration: manages changes in the launcher components
  • The formal model developed for Ariane 5 concentrated on flight regulation and configuration. That means that, from our point of view, even flight control is part of the environment!

7
Ariane 5 - modelling
  • FLIGHT REGULATION
  • Consists of six SDL processes
  • Each task is broken down into subtasks, each of which must be executed within some time deadline
  • If something goes wrong, the stop sequence is entered
  • FLIGHT CONFIGURATION
  • Consists of seven SDL processes
  • -> EAP, EPC and payload separation, each with a given deadline
  • ENVIRONMENT
  • We provide a nominal environment that interacts with the above parts of the flight program; this environment is radically simplified

8
Ariane 5 - Modelling the Environment
  • Flight Control
  • Very radically simplified. This part is supposed to send (with some degree of uncertainty) the right flight commands, with the right parameters, at the right time to the rocket
  • Redundant Program
  • Very simple modelling: the flight control program asks for the status of the redundant program, which non-deterministically answers YES/NO
  • Ground
  • Models the launch protocol on the ground, i.e. it hands control to the on-board launch sequence but is ready to take back complete control if something goes wrong

9
Ariane 5 Model Requirements
  • GENERAL REQUIREMENTS
  • Absence of deadlocks, livelocks and signal losses
  • OVERALL SYSTEM REQUIREMENTS
  • I.e. the global order of the flight phases is correct
  • LOCAL COMPONENT REQUIREMENTS
  • I.e. checking the occurrence of actions at the local level (e.g. payload separation occurs eventually during an attitude positioning phase, or stop sequence no. 3 can happen only after liftoff, etc.)

10
Ariane 5 Verification method with IF
  • The whole verification can be divided into five phases (it is possible to iterate these phases as well!)
  • BASIC STATIC ANALYSIS
  • We detect unused variables and timers, as well as uninitialised ones
  • MODEL EXPLORATION
  • We generate a part of the model's behaviour, either randomly or using guided generation. In so doing, we may test simple properties
  • ADVANCED STATIC ANALYSIS
  • We eliminate dependent timers and dead variables.
  • We do program slicing (i.e. we keep only the part of the model that is useful for the analysis)
  • We employ LIVE EQUIVALENT STATES (i.e. states that agree on their live variables and independent timers are considered equivalent -> state reduction)

11
Ariane 5 Verification with IF (2)
  • MODEL GENERATION
  • This is the same as exhaustive reachability analysis: the labelled transition system of all reachable global states is built
  • We may use partial order reduction and live variable reduction to reduce the state space
  • We may assume the environment to be time-deterministic or time-nondeterministic
  • MODEL CHECKING
  • Properties are expressed in a temporal logic, and the resulting formula is verified over the generated state space
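As an added example covering both the requirement classes on the Model Requirements slide and the model generation and model checking phases here (our own code, not the IF toolset and not the authors' SDL model): a toy abstraction of the flight configuration process and the ground process, communicating over FIFO queues, is explored exhaustively into a labelled transition system, and the generated LTS is then checked for deadlocks and lost signals, for the global order of the flight phases, and for the local requirement that stop sequence no. 3 happens only after liftoff. The phase identifiers, the "go"/"abort" messages, and the two injectable defects (stop3 allowed before liftoff; ground ignoring the abort signal) are our assumptions.

```python
"""Exhaustive reachability ('model generation') plus requirement checks on a
toy abstraction of the flight configuration / ground protocol.  Added
illustration: not the IF toolset and not the authors' Ariane 5 model; phase
names, messages and the two injectable defects are constructed here."""
from collections import deque

# Flight phases in the order the page lists them (identifiers are ours).
PHASES = ["ground", "epc_ignited", "liftoff", "eap_jettisoned",
          "fairing_jettisoned", "epc_shutdown", "orbit"]
LIFTOFF = PHASES.index("liftoff")
FINAL = {"orbit", "stopped"}          # launcher states where the mission is over


def launcher_steps(phase, to_ground, to_launcher, stop3_anytime):
    """Successors of the launcher process: (label, phase', to_ground', to_launcher').
    Queues are tuples: `to_launcher` is the FIFO from ground, `to_ground` the reverse."""
    if phase in FINAL:
        return []
    if phase == "ground":               # waiting for the ground to hand over control
        if to_launcher and to_launcher[0] == "go":
            return [("recv go", "epc_ignited", to_ground, to_launcher[1:])]
        return []
    i = PHASES.index(phase)
    succ = [("next " + PHASES[i + 1], PHASES[i + 1], to_ground, to_launcher)]
    if phase == "epc_ignited":          # abort on the pad: tell the ground to take over
        succ.append(("stop_on_pad", "stopped", to_ground + ("abort",), to_launcher))
    if i >= LIFTOFF or stop3_anytime:   # stop sequence 3 is an in-flight stop
        succ.append(("stop3", "stopped", to_ground, to_launcher))
    return succ


def ground_steps(g, to_ground, to_launcher, ignore_abort):
    """Successors of the ground process: hands control over, then waits for an abort."""
    if g == "control":
        return [("send go", "onboard", to_ground, to_launcher + ("go",))]
    if g == "onboard" and to_ground and to_ground[0] == "abort" and not ignore_abort:
        return [("recv abort", "recovered", to_ground[1:], to_launcher)]
    return []


def generate_lts(stop3_anytime=False, ignore_abort=False):
    """Breadth-first exploration of the asynchronous product of both processes.
    Returns the set of reachable global states and the list of labelled edges."""
    init = ("control", "ground", (), ())
    seen, edges, work = {init}, [], deque([init])
    while work:
        s = work.popleft()
        g, p, tg, tl = s
        succ = [(lab, (g2, p, tg2, tl2))
                for lab, g2, tg2, tl2 in ground_steps(g, tg, tl, ignore_abort)]
        succ += [(lab, (g, p2, tg2, tl2))
                 for lab, p2, tg2, tl2 in launcher_steps(p, tg, tl, stop3_anytime)]
        for lab, t in succ:
            edges.append((s, lab, t))
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen, edges


def check(states, edges):
    """The three requirement classes, checked over the generated LTS: general
    (no deadlock, no lost signal), global phase order, local (stop3 after liftoff)."""
    has_out = {s for s, _, _ in edges}
    report = {"states": len(states), "edges": len(edges),
              "deadlocks": [], "lost_signals": [], "violations": []}
    for s in states - has_out:          # states without any successor
        _, p, tg, tl = s
        if tg or tl:                    # a pending message nobody will ever consume
            report["lost_signals"].append(s)
        elif p not in FINAL:            # stuck before the mission is over
            report["deadlocks"].append(s)
    for (_, p, _, _), lab, (_, p2, _, _) in edges:
        if p != p2 and p in PHASES and p2 in PHASES \
                and PHASES.index(p2) != PHASES.index(p) + 1:
            report["violations"].append(("phase order", p, lab, p2))
        if lab == "stop3" and PHASES.index(p) < LIFTOFF:
            report["violations"].append(("stop3 before liftoff", p, lab, p2))
    return report


if __name__ == "__main__":
    for flags in ({}, {"stop3_anytime": True}, {"ignore_abort": True}):
        print(flags, check(*generate_lts(**flags)))
```

The nominal model passes all three checks; enabling `stop3_anytime` produces a transition labelled stop3 out of the epc_ignited phase, which the local check reports, and `ignore_abort` leaves the abort message sitting in the ground's queue forever, which the general check reports as a lost signal rather than a deadlock. Real model checking of temporal-logic formulas works over the same generated LTS, just with a richer property language than these hand-written predicates.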

12
Conclusion
  • IF is a versatile language for describing communicating systems
  • IF allows the integration of various tools, as there exist numerous translators to/from IF
  • Verification should be done in stages (and, if needed, iterations can be performed as well). The stages should include static analyses, simulation, exhaustive reachability analysis, and model checking
  • The Ariane-5 flight program was partially verified using this methodology. However, we ran into the problem of state explosion rather quickly.