



## V&V Activities within two Brazilian Space Research Institutes

#### Miriam C. Bergue Alves\* Valdivino Alexandre de Santiago Júnior<sup>+</sup> Nandamudi L. Vijaykumar+

NASA IV&V Workshop Morgantown, WV September 11-13, 2012

\*National Institute for Space Research - INPE São José dos Campos, SP, Brazil \* Institute of Aeronautics and Space - IAE São José dos Campos, SP, Brazil



## Objective



This presentation relates some of the research initiatives of the Institute of Aeronautics and Space (IAE) and the National Institute for Space Research (INPE) with respect to the use of formal methods for the improvement of their V&V activities within the software development life cycle.





## Outline

- Brazilian Space Program
- Presentation of IAE
- V&V Projects at IAE: Software Engineering Lab
- Presentation of INPE
- V&V Activities (Products/Projects) at INPE: CEA/LAC
- Conclusions



## Brazilian Space Program



-Rocketry: launching and sounding rockets (IAE)

-Space exploration: satellites (INPE)

– Launch sites: Alcantara Launch Center and Barreira do Inferno Launch Center (DCTA)









## IAE's Organization Chart







## IAE's Organization Chart









- Use of topology for verification of deadlocks in concurrent systems
  - This project proposes a method that maps scenario-based specifications of concurrent systems, represented formally by MSCs (Message Sequence Charts), to a topological space. This mapping allows to formally verify these specifications for deadlock scenarios.
  - A simple "proof-of-concepts" prototype was constructed.







NASA IV&V - Sept. 2012





- Use of statechart-assertions for requirements specification, validation and verification
  - Formal computer-aided validation and verification of critical timeconstrained requirements of the Brazilian Satellite Launcher flight software. It included the entire specification, validation, and verification process based on UML statechart-assertions and log files.





#### • The SV&V process







#### • SV&V – Some results

| Validation Tests                                                       | Verification Tests                                                          |
|------------------------------------------------------------------------|-----------------------------------------------------------------------------|
| 220 tests (around 5 tests per assertion)                               | 4 log files (4 tests per assertion)                                         |
| 220 JUnit classes - 1 JUnit class per test                             | 4 JUnit class- 1 JUnit class per log file                                   |
| 132 success scenarios (around 60% of the scenarios)                    | 31 assertions passed in all tests (around 70% of the assertions)            |
| 88 scenarios expect an assertion failure (around 40% of the scenarios) | 13 assertions failed at least in one test<br>(around 30% of the assertions) |





- Use of timed automata for model verification
  - A case study of a legacy space flight software system is being conducted, where the flight control and the flight events sequence chain of a satellite launcher are under study.
  - Use of model checking and a timed automata (TA) network to model the original requirements specification, incorporating new mission requirements and modifications.
  - Improve reliability in legacy systems evolution.





Use of timed automata for model verification



NASA IV&V - Sept. 2012





- Use of Event-B and Rodin Platform
  - The UML-B and Event-B language are being used for the models elaboration of a case study that involves the control of the first stage of a launch vehicle, with the support of the computer-aided tool Rodin Platform (Rigorous Open Development Environment for Complex Systems).
  - The work is at its initial phases of creating and refining the models, with emphasis to the improvement of the system dependability.



Event-B and Rodin Platform: the process

🖤 IAE

ÍÆ





• Use of Event-B and Rodin Platform: example



NASA IV&V - Sept. 2012



#### **INPE's Organization Chart**









- Automated Test Case Generation based on Statecharts (GTSC):
  - Model-based test case generation based on Statecharts ⇒ four test criteria (all-transitions, all-simple-paths, all-paths-k-C0configuration, all-paths-k-configurations) from the Statechart Coverage Criteria Family (SCCF);
  - Model-based test case generation based on FSM ⇒ three test criteria (DS, UIO, H-switch cover) where one (H-switch cover) is a new test criterion.



#### GTSC 2.0: Main Interface





NASA IV&V – Sept. 2012



Log-out Project in use: APEX

#### V&V Activities at INPE: Products



Admin Mode



| Project | : | Statechart | EX | PerformCharts | l | FSM | I | Condado | 1 | Test Case Gen. | 1 | Help | Quinta, 14 de Junho de 2012 -<br>11:46 AM |
|---------|---|------------|----|---------------|---|-----|---|---------|---|----------------|---|------|-------------------------------------------|
|         |   |            |    |               | _ |     |   |         |   |                |   |      | -                                         |

| Step | Event                          | State                       | Output |
|------|--------------------------------|-----------------------------|--------|
| 1    | EB9                            | CountingTimeWaitingExpid    |        |
| 2    | WaitingTimeExpired             | IdleWaitingSync             |        |
| -    | -                              | -                           | -      |
| 3    | EB9                            | CountingTimeWaitingExpid    |        |
| 4    | ExpidRec                       | CountingTimeWaitingType     |        |
| 5    | WaitingTimeExpired             | IdleWaitingSync             |        |
| -    | -                              | -                           | -      |
| 6    | EB9                            | CountingTimeWaitingExpid    |        |
| 7    | ExpidRec                       | CountingTimeWaitingType     |        |
| 8    | TypeRec                        | CountingTimeWaitingSize     |        |
| 9    | WaitingTimeExpired             | IdleWaitingSync             |        |
| -    | -                              | -                           | -      |
| 10   | EB9                            | CountingTimeWaitingExpid    |        |
| 11   | ExpidRec                       | CountingTimeWaitingType     |        |
| 12   | TypeRec                        | CountingTimeWaitingSize     |        |
| 13   | SizeRec                        | CountingTimeWaitingData     |        |
| 14   | WaitingTimeExpired             | IdleWaitingSync             |        |
| -    | -                              | -                           | -      |
| 15   | EB9                            | CountingTimeWaitingExpid    |        |
| 16   | ExpidRec                       | CountingTimeWaitingType     |        |
| 17   | TypeRec                        | CountingTimeWaitingSize     |        |
| 18   | SizeRec                        | CountingTimeWaitingData     |        |
| 19   | DataRec                        | CountingTimeWaitingChecksum |        |
| 20   | WaitingTimeExpired+ChecksumRec | IdleWaitingSync             |        |
| -    | -                              | -                           | -      |
| 21   | NotEB9                         | IdleWaitingSync             |        |
| -    | -                              | -                           | -      |

📬 Intranet local | Modo Protegido: Desativado





- SOLIMVA  $\Rightarrow$  A methodology aiming at:
  - the generation of model-based system and acceptance test cases considering Natural Language (NL) requirements deliverables (artifacts) ⇒ Version 1.0 (software testing);
  - the detection of incompleteness in software specifications ⇒ Version 2.0 (software inspection with the aid of formal verification);
  - Formal Verification (Model Ckecking) of UML-based software  $\Rightarrow$  Version 3.0 (Formal Verification in the traditional approach).







The SOLIMVA methodology 1.0: Workflow





NASA IV&V – Sept. 2012



The SOLIMVA methodology 1.0: Tool (1.0) 🏼 🍹

| 🕌 SOLIMV                                      | A                                                                                                                |                    |
|-----------------------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------|
| Specification                                 | Model Generation Test Case Generation Analysis of Defects Help                                                   |                    |
| Dictionary                                    | Scenarios Requirements Model Generation                                                                          |                    |
|                                               |                                                                                                                  |                    |
| ReqId                                         | Requirement                                                                                                      |                    |
| SRS001                                        | The PDC shall be powered on by the Power Conditioning Unit.                                                      | Requirements       |
| SRS002                                        | The PDC shall be in the Initiation Operation Mode after being powered on. The SWPDC shall then accomplish a P    | Requirements       |
| SRS003                                        | If PDC does not present any irrecoverable problem, after the initiation process, the PDC shall automatically ent | Select action 💙    |
| POCP001                                       | The PDC can only respond to requests (commands) from OBDH after the PDC has been energized for at least 1        |                    |
| RB001                                         | The OBDH shall send VER-OP-MODE to PDC.                                                                          |                    |
| RB002                                         | The PDC shall switch each Event Pre-Processor (EPP Hx, x = 1 or 2) on or off independently, when the OBDH s      |                    |
| PECP001                                       | Each EPP Hx can only respond to requests (commands) from PDC after each EPP Hx has been energized for at I       |                    |
| SRS004                                        | The OBDH should wait 600 seconds before asking for a Housekeeping Data frame.                                    |                    |
| SRS005                                        | Housekeeping data transmission shall start with prep-hk. After that, the OBDH can send several tx-data-hk to P   |                    |
| RB003                                         | The OBDH shall send CH-OP-MODE-Nominal to PDC.                                                                   | ОК                 |
| RB001                                         | The OBDH shall send VER-OP-MODE to PDC.                                                                          |                    |
| POCP002                                       | The OBDH should wait 10 seconds before asking for a Scientific Data frame.                                       |                    |
| SRS006                                        | The SWPDC shall obtain and handle scientific data from each EPP Hx. The SWPDC shall also accept scientific dat   |                    |
| RB004                                         | The OBDH shall send CH-OP-MODE-Safety to PDC. After that, the PDC shall be in the Safety Operation Mode.         |                    |
| RB002                                         | The PDC shall switch each Event Pre-Processor (EPP Hx, x = 1 or 2) on or off independently, when the OBDH s      | Clear Requirements |
| RB005                                         | After switching both EPPHxs off via PDC, the OBDH shall switch the PDC off via the Power Conditioning Unit.      |                    |
|                                               |                                                                                                                  |                    |
| Project (<br>Dictiona<br>Tuples g<br>Model ge | ry Done.<br>enerated.                                                                                            |                    |

NASA IV&V - Sept. 2012

The SOLIMVA methodology 2.0: Workflow





NASA IV&V – Sept. 2012

The SOLIMVA methodology 3.0: Workflow





NASA IV&V – Sept. 2012



#### V&V Activities at INPE: Products



 Quality of Space Application Embedded Software – Automated Software Testing (QSEE-TAS): Automated test case execution, Automated test process documentation generation.

| 🔁 SWPDC - Payload Data Computer (QSEE) - PTS v04 - QSEE-TAS                                                                            |              |                |            |          |                                     |  |  |  |
|----------------------------------------------------------------------------------------------------------------------------------------|--------------|----------------|------------|----------|-------------------------------------|--|--|--|
| Itens de teste                                                                                                                         |              |                |            |          | Projeto                             |  |  |  |
| IT-001 Verificar disponibilidade do SWPDC para comunicação com OBDH                                                                    | Tes          | te Funcional   |            |          | Abrir                               |  |  |  |
| IT-002 Iniciar SWPDC via PCD                                                                                                           | Tes          | te Funcional   |            |          | ADTIF                               |  |  |  |
| IT-003 Verificar disponibilidade do swpdc para comunicação com EPPs                                                                    | Tes          | te Funcional   |            |          | Novo                                |  |  |  |
| IT-004 Realizar Power-On Self Test (POST)                                                                                              | te Funcional |                |            |          |                                     |  |  |  |
| IT-005 Atuar no hardware                                                                                                               | Tes          | te Funcional   |            |          | Salvar                              |  |  |  |
| IT-006 Solicitar relógio                                                                                                               | Tes          | te Funcional   |            |          | Salvar Como                         |  |  |  |
| IT-007 Mudar modo de operação                                                                                                          | Tes          | te Funcional   |            |          |                                     |  |  |  |
| IT-008 Parar aquisição de dados                                                                                                        | Tes          | te Funcional   |            | ~        | Importar/Exportar                   |  |  |  |
| Novo Item Editar Excluir Mover Acima Mover Abaixo                                                                                      |              |                |            |          | Propriedades                        |  |  |  |
| Casos de teste                                                                                                                         |              |                | 1          |          | Sair                                |  |  |  |
| CT-001 Verificação da disponibilidade do SWPCD para comunicação com OBDH                                                               |              |                | Passou     |          |                                     |  |  |  |
| CT-002 Verificação da disponibilidade do SWPDC para comunicação com EPP                                                                |              |                | Falhou     |          | Aplicação                           |  |  |  |
| CT-003 Reiniciar processador                                                                                                           |              |                | Passou     | -        | Canais                              |  |  |  |
| CT-004 Reiniciar processador, e verificar se buffer de dados científicos são mantidos                                                  |              |                | Passou     |          | Canais                              |  |  |  |
| CT-005 Power Off / Power On                                                                                                            |              |                | Passou     |          | Ciclos                              |  |  |  |
| CT-006 Realização de POST, com PDC iniciando via PCD Restrição CT-007 Realização de POST, com PDC iniciando via comando do OBDH Falhou |              |                |            |          |                                     |  |  |  |
| CT-007 Realização de POST, com PDC iniciando via comando do OBDH                                                                       |              | Executar Casos |            |          |                                     |  |  |  |
| CT-008 Verificação de modo de operação após processo de iniciação                                                                      | ~            | Mensagens      |            |          |                                     |  |  |  |
| Novo Caso Editar Excluir Mover Acima Mover Abaixo Histórico                                                                            | E            | (ecutar        | 4          |          | Configurações                       |  |  |  |
| Passos de teste do caso selecionado                                                                                                    |              |                |            |          |                                     |  |  |  |
| Passo de Teste                                                                                                                         | Iterações    | Intervalo      | Tentativas |          | Modo Execução                       |  |  |  |
| 001 Interação com a fonte de alimentação: PCD-ON                                                                                       |              |                |            |          |                                     |  |  |  |
| 002 PDC-OBDH CMD: Solicitar relógio                                                                                                    | 5            | 11000          | 0          |          | Relato                              |  |  |  |
| 003 PDC-OBDH CMD: Solicitar relógio                                                                                                    | 1            | 0              | 0          |          | Relatos                             |  |  |  |
| 004 Set parameters - EPPSimulator                                                                                                      | 1            | 2000           | 0          |          |                                     |  |  |  |
|                                                                                                                                        |              |                |            | -        | Apagar Relato                       |  |  |  |
|                                                                                                                                        |              |                |            |          | Plano de Teste                      |  |  |  |
| ]                                                                                                                                      |              |                |            | <b>×</b> |                                     |  |  |  |
| Novo Passo Editar Excluir Mover Acima Mover Abaixo Importar                                                                            |              |                |            |          | Módulos                             |  |  |  |
| Detalhes do passo de teste                                                                                                             |              |                |            |          | ♦ Housekeeping ✓ Análise Dados EPPs |  |  |  |
| · · · · · · · · · · · · · · · · · · ·                                                                                                  |              |                |            |          | I → Analise Dados EPPs              |  |  |  |
| Tipo Observação Local da observação Interação com a fonte de alimentação: PCD-ON                                                       |              |                |            |          | Gerar Temperaturas                  |  |  |  |
| Ligar gerador de funções Gerador ligado                                                                                                |              |                |            | -        | Ler Temperaturas                    |  |  |  |
| Ligar fonte Fonte ligada: PDC em POWER ON                                                                                              |              |                |            |          |                                     |  |  |  |
| Ponte ligada: PDC em POWER ON                                                                                                          |              |                |            | ~        | ]                                   |  |  |  |



V&V Activities at INPE: Application to Projects



- Alpha, Proton and Electron Monitoring Experiment in the Magnetosphere (APEX).
  - Products  $\Rightarrow$  GTSC, WEB-PerformCharts, QSEE-TAS.
- Quality of Space Application Embedded Software (QSEE) – Software for the Payload Data Handling Computer (SWPDC).
  - Products  $\Rightarrow$  GTSC, WEB-PerformCharts, SOLIMVA, QSEE-TAS.
- protoMIRAX Scientific Experiment (Balloon application).
  - Products  $\Rightarrow$  GTSC, SOLIMVA.









IUT: -Command Recognition Component of the APEX embedded software;

- Simulated version (Java).



NASA IV&V - Sept. 2012



### **QSEE/SWPDC:** Physical Architecture







# QSEE/SWPDC: Example of Statechart model





## QSEE/SWPDC: Example of CTL properties and NuSMV model (SOLIMVA 2.0)



 $\neg \exists [\neg(prim = valprim_i \land sec_j = valsec_{t1}) \cup ((prim = valprim_i \land sec_j = valsec_{t2}) \land \neg(prim = valprim_i \land sec_j = valsec_{t1}))]$ 





### QSEE/SWPDC: Remarks



- GTSC  $\Rightarrow$  test suites with more than 300 test cases.
- SOLIMVA 1.0 ⇒ better strategy with test objectives clearly separated according to the directives of Combinatorial Designs.
- SOLIMVA 1.0 ⇒ Executable Test Cases predicted behaviors that did not exist (Expert's strategy).
- SOLIMVA 2.0 ⇒ 362 CTL properties formalized, 21 incompleteness defects detected.



NASA IV&V - Sept. 2012



### QSEE/SWPDC: IV&V



- Test Case Generation  $\Rightarrow$  Model-Based Testing (FSM).
- Test Case Execution  $\Rightarrow$  QSEE-TAS tool.
- Test Results Evaluation  $\Rightarrow$  Four-step process:
  - Observation of test results (QSEE-TAS interface);
  - Assignment of a preliminary verdict;
  - Meeting (every week)  $\Rightarrow$  IV&V team and customer representatives at INPE to evaluate the test reports;
  - Final verdict  $\Rightarrow$  Non-Conformance Record (NCR).



#### protoMIRAX Scientific Experiment





NASA IV&V - Sept. 2012



#### Conclusions



- Main V&V activities, products and projects in the area of formal V&V of safety-critical space software systems within IAE-LES and INPE (CEA/LAC).
- More confidence in the right choice of techniques to be used in each phase of development and in each part or component of the space software.
- Importance of computer-aided tools to support the formal V&V process.
- Efforts to bridge the gap between the state of the art and the state of the practice (application of research results to space projects development).





## **THANK YOU!**

Miriam C. Bergue Alves: miriammcba@iae.cta.br

Valdivino Alexandre de Santiago Júnior: http://www.cea.inpe.br/~valdivino/

Nandamudi L. Vijaykumar: http://www.lac.inpe.br/~vijay/Welcome.html