The Fault Protection (FP) system of a spacecraft is a critical component for its operation. The system diagnoses problems with the health of the spacecraft, and directs actions to resolve those problems. It therefore warrants a high degree of assurance as to its correctness. In this paper, we describe the use of model checking to help validate key requirements of such a FP system. The particular system we deal with is that of a generic FP engine "networked" to the rest of the spacecraft. Its design is specified with a high degree of rigor, using state machine diagrams to define both the FP engine, and the spacecraft-specific responses that the engine directs. We describe the way we have modeled the FP engine and its operating environment so as to validate key requirements of its operation, and the influence of the above design characteristics on this effort.
展开▼
