Emphasizing Understandability, Flexibility, and Verifiability in a Spacecraft Fault Management Autonomy System

AIAA Infotech@Aerospace Conference (2009)

Abstract
Surveying the current state of practice of spacecraft autonomy, one can detect many different attributes of the various autonomy systems currently employed to maintain the safety of the spacecraft. In an effort to move beyond the state of practice, Johns Hopkins University Applied Physics Lab has focused on three of these attributes not found together in current systems: Understandability, Flexibility and Verifiability. Understandability defines the ability to specify and review the autonomy system in such a way that any non-software domain expert or system engineer can understand the design. Flexibility defines the ability to modify the design pre- and post-launch in parts, without patching and without complete code uploads. Verifiability defines the ability to exhaustively and rapidly verify correct autonomy system behavior before it is uploaded to the spacecraft. With the goal of attaining all three of these attributes, JHU/APL has designed and developed a new autonomy system called ExecSpec (short for Executable Specification). The system has been progressed to TRL 5 and is now poised for infusion into future spacecraft programs. ExecSpec is a new visual programming approach to autonomy system development that enables any system designer or domain expert to visually create spacecraft functionality and autonomous behavior in the form of uploadable specification diagrams. ExecSpec allows developers to interactively construct autonomy systems by drawing diagrams of individual Finite State Machines (FSMs) and linking them together to form autonomy components and subsystems. The diagram components are easily understandable by non-software domain experts and system engineers, allowing for system-level review of the autonomy system design. The diagram components can either be built from scratch or instantiated from libraries of reusable FSM components.
In contrast to current software capabilities, ExecSpec is not a code generator but rather an interpreter-based system that enables uploading diagrams directly to an on-board FSM execution engine, allowing the autonomy system to be rapidly and safely modified at any time in a project's lifecycle and thus reducing overall lifecycle and maintenance costs. This makes the system inherently flexible to post-launch modifications and enables changes at the individual FSM level, such that new FSM diagrams can be added or interchanged. The resulting diagram behavior produced by ExecSpec can be tested directly through interactive stimulation of system inputs or by playing back scripted input scenarios. Model checking tools can also be used to rapidly verify that the diagrams obey specified constraints and requirements, and the uploaded system behavior can be visually monitored during flight. This combination of interactive testing, model checking and in-flight monitoring ensures that autonomy systems built within ExecSpec can be exhaustively verified in a rapid manner. This paper will describe in detail the three attributes chosen by JHU/APL, including the driving need for each, then go on to describe how the new ExecSpec system meets these attributes. Finally, the paper will describe the current state of the ExecSpec development and plans for infusion into future spacecraft systems.
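The abstract's three mechanisms (an unchanging execution engine that interprets FSM specifications held as data, playback of scripted input scenarios, and exhaustive model checking of the linked FSMs against a stated requirement) can be shown together in a small Python example. This is an added illustration written for this page; it is not code from the paper or from JHU/APL's ExecSpec. The thermal-monitor and fault-manager FSMs, their state and symbol names, the dict-based specification format, and the engine semantics (an input with no listed transition is ignored, and a symbol emitted on entering a state is delivered to the other FSMs within the same step) are all assumptions made here. It keeps a first-cut fault manager beside a revised one so that the checker's counterexample, and its absence after the revision, are both visible.

```python
"""Added example (not from the paper or from ExecSpec): a data-driven FSM interpreter,
scripted scenario playback, and an exhaustive reachability check over linked FSMs.
All FSM names, states and symbols below are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

State = Tuple[str, ...]  # product state: one entry per FSM, in spec order


@dataclass(frozen=True)
class FsmSpec:
    """A specification is pure data; the engine below never changes when a spec does."""
    name: str
    initial: str
    transitions: Dict[Tuple[str, str], str]        # (state, input) -> next state; unlisted pairs are ignored
    outputs: Dict[str, str] = field(default_factory=dict)  # symbol emitted on entering a state

    def inputs(self) -> Set[str]:
        return {sym for (_, sym) in self.transitions}


class FsmEngine:
    """Interprets a set of linked FSM specs (assumed semantics, see lead-in)."""
    MAX_INTERNAL_EVENTS = 100  # guard: a spec whose outputs feed back forever is rejected

    def __init__(self, specs: List[FsmSpec]):
        self.specs = list(specs)
        self.state: State = tuple(s.initial for s in specs)

    def step(self, symbol: str) -> State:
        """Deliver one external symbol, then every symbol the FSMs emit in response."""
        state = list(self.state)
        queue = deque([(None, symbol)])  # (emitting FSM index or None for external, symbol)
        events = 0
        while queue:
            source, sym = queue.popleft()
            events += 1
            if events > self.MAX_INTERNAL_EVENTS:
                raise RuntimeError("output/input cycle in specification")
            for i, spec in enumerate(self.specs):
                if i == source:
                    continue  # an FSM never consumes its own output
                nxt = spec.transitions.get((state[i], sym))
                if nxt is not None and nxt != state[i]:
                    state[i] = nxt
                    if nxt in spec.outputs:
                        queue.append((i, spec.outputs[nxt]))
        self.state = tuple(state)
        return self.state

    def run(self, scenario: List[str]) -> List[State]:
        """Play back a scripted input scenario; returns the product state after each symbol."""
        return [self.step(sym) for sym in scenario]


def external_alphabet(specs: List[FsmSpec]) -> List[str]:
    """Symbols no FSM produces itself, i.e. those the environment (or a tester) supplies."""
    produced = {o for s in specs for o in s.outputs.values()}
    consumed: Set[str] = set().union(*(s.inputs() for s in specs))
    return sorted(consumed - produced)


def check_invariant(specs: List[FsmSpec],
                    holds: Callable[[State], bool]) -> Tuple[Optional[List[str]], Set[State]]:
    """Breadth-first exploration of every product state reachable from the initial state.
    Returns (None, reachable) if the invariant holds everywhere, otherwise
    (shortest violating input sequence, states explored so far)."""
    engine = FsmEngine(specs)
    seen: Dict[State, List[str]] = {engine.state: []}
    frontier = deque([engine.state])
    alphabet = external_alphabet(specs)
    while frontier:
        current = frontier.popleft()
        if not holds(current):
            return seen[current], set(seen)
        for sym in alphabet:
            engine.state = current
            nxt = engine.step(sym)
            if nxt not in seen:
                seen[nxt] = seen[current] + [sym]
                frontier.append(nxt)
    return None, set(seen)


# Constructed specs. The thermal monitor emits a symbol whenever it changes state.
THERMAL = FsmSpec(name="thermal", initial="OK",
                  transitions={("OK", "temp_high"): "HOT", ("HOT", "temp_ok"): "OK"},
                  outputs={"HOT": "over_temp", "OK": "temp_nominal"})

# First cut of the fault manager: a ground reset is honoured even while the fault persists.
FM_WEAK = FsmSpec(name="fault_mgr", initial="NOMINAL",
                  transitions={("NOMINAL", "over_temp"): "SAFE", ("SAFE", "ground_reset"): "NOMINAL"})

# Revised diagram, swapped in without touching the engine: leaving SAFE needs the fault
# to clear first and only then a ground reset.
FM_FIXED = FsmSpec(name="fault_mgr", initial="NOMINAL",
                   transitions={("NOMINAL", "over_temp"): "SAFE",
                                ("SAFE", "temp_nominal"): "SAFE_CLEARED",
                                ("SAFE_CLEARED", "over_temp"): "SAFE",
                                ("SAFE_CLEARED", "ground_reset"): "NOMINAL"})


def hot_implies_safe(state: State) -> bool:
    """Requirement under check: whenever the monitor reports HOT, the fault manager is in SAFE."""
    thermal, fm = state
    return thermal != "HOT" or fm == "SAFE"


if __name__ == "__main__":
    print("scenario:", FsmEngine([THERMAL, FM_FIXED]).run(["temp_high", "ground_reset", "temp_ok", "ground_reset"]))
    print("weak spec counterexample:", check_invariant([THERMAL, FM_WEAK], hot_implies_safe)[0])
    print("fixed spec counterexample:", check_invariant([THERMAL, FM_FIXED], hot_implies_safe)[0])
```

The weak fault manager yields the two-symbol counterexample `temp_high, ground_reset`, which leaves the spacecraft HOT while the fault manager has returned to NOMINAL; the revised diagram passes with three reachable product states. Because the alphabet the checker drives is computed from the specs themselves, a change to a diagram automatically changes what is explored, which is the property that makes verification repeatable after each FSM swap.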