A Domain Specific Design Tool for Spacecraft System Behavior
Sravanthi Venigalla, Brandon Eames (Utah State University, USA)
Allan McInnes (University of Canterbury, New Zealand)
Domain Specific Modeling Workshop 2008 (DSM’08)
Spacecraft Design: not an easy task!
Spacecraft vs. Other Systems
• Interdisciplinary
• Limitations & tradeoffs due to the space environment
• A lot of interaction for carrying out operations
• Difficult or impossible to modify after launch
• Failures imply huge loss of money and reputation
[Figure: a typical small satellite. Fig from Small Satellites Home Page http://centaur.sstl.co.uk/]
Subsystem View of a Spacecraft
[Figure from Allan I. S. McInnes Ph.D. dissertation “A formal approach to specifying and verifying Spacecraft behaviour”]
ADCS Subsystem
• Concerned with the spacecraft’s orientation in space.
• Determines whether science operations can be performed.
• Affects the solar power that can be generated by the spacecraft.
[Figures: star camera, magnetometer, actuator. Figs from USU Small Satellite Program http://ususat.usu.edu/]
CDH & Power Subsystems
CDH Subsystem
• Consists of hardware & software
• Manages all interactions with the ground station
Power Subsystem
• Consists of sources of power – solar cells and batteries – and the wiring to other subsystems.
[Figure: solar cells. Figs from USU Small Satellite Program http://ususat.usu.edu/]
How to Analyze Spacecraft Behavior?
• Simulation?
• Verification
  – At the subsystem level
  – At the system level
• Validation
  – At the system level
Common Formalisms for Modeling Behavior
[Figure: state charts (states A and B), PROMELA/SPIN, FFBDs; spacecraft system design today – block diagrams and figures]
System Development & Verification Process
[Figure: from the System Design, the System Programmer writes code such as
    Process ADCS(Task*); Process CDH(Task*); Process System(Task*); ...
while the System Verifier writes a CSP model such as
    ADCS = power.on -> mode.science ...
    CDH = mode.science -> ...
    System = ADCS ||| CDH ...
Can we verify the design itself?]
Communicating Sequential Processes (CSP)
• A process algebra used for system verification.
• A system is described in terms of an appropriate combination of processes.
• Each process is described in terms of channels and events.
• An event is an abstract symbolic representation of an interaction.
• Channels are the carriers for events.
CSP contd…
• Operators for alternate actions
  – [] is for choice exercised by the environment and |~| is for non-deterministic choice.
• Generalized Parallel Combination
  – P1 [|A|] P2 is for synchronization between processes P1, P2 over the set of events A.
• Interleaved Parallel Combination
  – P1 ||| P2 is for the case when P1 and P2 run independently of each other.
An Example – A Packet Receiver
    channel success, fail
    channel response : {0,1}
    Proc = recv?packet -> if (checksum == 0) then success -> Proc
                                             else fail -> Proc
    TxmitAck  = success -> response!0 -> TxmitAck
    TxmitNack = fail    -> response!1 -> TxmitNack
    Composite = (TxmitAck ||| TxmitNack) [|{success, fail}|] Proc
[Figure: recv feeds Proc; Proc signals success to TxmitAck or fail to TxmitNack; both transmitters emit on response]
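As an added, runnable illustration (not code from the slides or from the BASS tool): a minimal explicit-state executor for the two parallel operators above, run over the packet receiver. It enumerates reachable states and deadlocks, the kind of check FDR performs on generated CSP, and contrasts the slide's Composite with a variant that forgets to synchronise on success/fail. The event names recv.good and recv.bad stand in for recv?packet with its checksum test (an assumption, not from the slide).

```python
from collections import deque

def seq(table):
    # A sequential process given as a transition table: state -> [(event, next_state)].
    return lambda s: list(table.get(s, []))

def par(p, q, sync):
    # Generalised parallel P [|sync|] Q: an event in `sync` happens only when both
    # sides offer it; every other event is performed by one side on its own.
    def step(state):
        ps, qs = state
        out = []
        for e, pn in p(ps):
            if e in sync:
                out += [(e, (pn, qn)) for f, qn in q(qs) if f == e]
            else:
                out.append((e, (pn, qs)))
        return out + [(e, (ps, qn)) for e, qn in q(qs) if e not in sync]
    return step

interleave = lambda p, q: par(p, q, frozenset())  # P ||| Q: empty sync set

def explore(step, start):
    # Breadth-first reachability: returns (reachable states, transitions).
    seen, trans, todo = {start}, [], deque([start])
    while todo:
        s = todo.popleft()
        for e, n in step(s):
            trans.append((s, e, n))
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen, trans

def deadlocks(step, start):
    # Reachable states that offer no event at all (FDR's deadlock-freedom check).
    return sorted(s for s in explore(step, start)[0] if not step(s))

def premature_response(step, start):
    # True if some response.* can occur before any recv.*: walk non-recv edges only.
    no_recv = lambda s: [(e, n) for e, n in step(s) if not e.startswith("recv.")]
    return any(e.startswith("response.") for _, e, _ in explore(no_recv, start)[1])

# The slide's processes. recv?packet plus the checksum test is abstracted into two
# events, recv.good and recv.bad (constructed names, not from the slide).
PROC = seq({"Proc": [("recv.good", "Proc.ok"), ("recv.bad", "Proc.err")],
            "Proc.ok": [("success", "Proc")], "Proc.err": [("fail", "Proc")]})
TXMIT_ACK = seq({"Ack": [("success", "Ack.tx")], "Ack.tx": [("response.0", "Ack")]})
TXMIT_NACK = seq({"Nack": [("fail", "Nack.tx")], "Nack.tx": [("response.1", "Nack")]})
START = (("Ack", "Nack"), "Proc")
# Composite = (TxmitAck ||| TxmitNack) [|{success, fail}|] Proc, as on the slide ...
COMPOSITE = par(interleave(TXMIT_ACK, TXMIT_NACK), PROC, frozenset({"success", "fail"}))
# ... and a variant that forgets to synchronise, so an ack can precede any packet.
UNSYNCED = interleave(interleave(TXMIT_ACK, TXMIT_NACK), PROC)
```

The synchronised Composite reaches 12 states with no deadlock and never answers before a packet arrives; the unsynchronised variant can emit response.0 with nothing received.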
High Level Spacecraft Behavior in CSP
[Figure: the spacecraft as communicating processes. A SystemBus process (System Bus plus Power Bus) connects the Power process, the CDH process and the ADCS process; channels carry discrete commands, messages, data streams and exceptions, and each subsystem's behavior reaches the Power process through a Power I/F and a Power channel]
BASS Tool Flow
[Figure: GME model of the spacecraft (Com, Power, Att, CDH, ADCS, SystemBus) -> BASS/BASSMP Interpreter -> Generated CSP plus the Spacecraft Behavior Framework Library -> FDR Tool, together with the specifications of the spacecraft model -> Verification Result]
Spacecraft System
Datacomm Aspect of Spacecraft
[Figure: Att, ADCS, Com, SystemBus, Power and CDH components as seen in the data-communication aspect]
Power Aspect of the Spacecraft
[Figure: ADCS, CDH and Power components as seen in the power aspect; labels partly garbled in extraction]
Common Constructs
• Shared State – object representing a shared variable
• Spacecraft Commands
Power Subsystem
[Figure: GME metamodel of the Power subsystem. «Model» Power has attributes MaxPowerGenerated : int and MinPowerGenerated : int; it contains one CommandSet, zero or more AttitudeSpecificAvailablePower («Atom» MapFunction) and a «Model» PowerPort whose CDHPowPort and ADCSPowPort connect to the CDH and ADCS subsystems]
CDH Subsystem
[Figure: GME metamodel of the CDH subsystem. «Model» CDH contains one CommandSet, a «Model» CDHCmdDispatch, an AttitudeDataStream and a SubSysPowerIf; the port labels (Set, Sta, Com, Swi, Tel) are truncated in the extraction]
CDH Command Dispatch
[Figure: the commands dispatched by CDH: SetAttitude (AttitudeCmd), startScienceSeq (CommandSeqCmd) and SwitchADCS (ADCSSwitch, values on/off); the AttitudeCmd and CommandSeqCmd values are truncated in the extraction (Sun, Rat, Ear; loa, run, sto, unl)]
ADCS Subsystem
[Figure: GME metamodel of the ADCS subsystem. «Model» ADCS contains one CommandSet, one Attitude (SharedState), one ADCSModeSystem (ModeSystem), an ADCSModePower, an AttitudeDataStream and an ADCSPowerIf]
ADCS Modesystem
ADCS ModeSystem
[Figure: the ADCS mode state machine. Labels in the figure: Unpowered, Detumbling, Safehold, Sci_Standby, Sci_Active, HW_Fault, CommonMode (on/off), Uncontrolled, Rate_Nulled, Sun_Safe, Earth_Pointing1, Earth_Pointing2]
Work Done Thus Far…
[Figure: GME model of the spacecraft -> BASS/BASSMP Interpreter -> CSP equivalent of the model, together with the specifications of the spacecraft model -> FDR Tool -> Verification Result]
Power Sufficiency Check
• The amount of power generated depends on the Attitude and is represented by the function AttitudeSpecificAvailablePower in the Power Subsystem.
• The amount of power consumed depends on the mode a subsystem is in and is represented by the function SubsysModePower.
[Figure: the two map functions as fIn -> fOut tables, with labels abbreviated as in the figure]
AttitudeSpecificAvailablePower (fIn -> fOut): Unc 1, Rat 3, Sun 6, Ear 8, Ear 8
ADCSModePower (fIn -> fOut): Unp 1, Det 3, Saf 5, Sci 6, Sci 8
Check Loaded into FDR: Positive Result
Check Loaded into FDR: Negative Result
Summary
• System-level spacecraft design lacks formality
  – Behavior implicitly defined and discussed in documentation
  – Little to no analysis performed at the system level
• BASS offers a domain-specific visual modeling language for capturing spacecraft behavior
  – Constructs phrased in terms common to spacecraft systems engineers
• Formal Behavioral Analysis
  – CSP used for the underlying semantic model
  – Model checking used to prove/analyze properties of the spacecraft