Application of SMT solvers for evaluation of Real-Time control logic of spacecraft

SMT solvers are promising intelligent software successfully applied today in various areas. The paper describes how the functionality of an SMT solver can be utilized for the evaluation of key parameters of a spacecraft's control logic. The use of SMT in the spacecraft control problem domain is based on the real-time control calculus developed by A.A. Kalentyev and on the semantic model of real-time control logic. A formal specification of real-time control is feasible or non-feasible on the defined basis of functional processes depending on the values of their parameters, including the durations of the executed processes. We check the feasibility using an SMT solver. The example in the paper demonstrates an effective call of the Z3 SMT solver from a specially developed Java application.


Introduction
A modern technical object such as an airplane, submarine, spacecraft or nuclear power station can be regarded as a 'system of systems' which includes many subsystems, actuators, sensors and devices. All of these devices should co-function in a harmonious manner to produce a useful outcome, like an orchestra playing a symphony. Each instrument must start playing at the right time. In an orchestra, the control functions are performed by the conductor. In modern complex technical complexes, the control system should provide that functionality. A human may be involved in the process in the case of automated control, or not involved in the case of an automatic system. Moreover, according to Ashby's Law of Requisite Variety [1], "variety absorbs variety", so the complexity of the control system should be adequate to the complexity of the controlled object. Control algorithms must implement the right 'control logic', i.e. coordinated functioning of all units. The word 'coordinated' means both semantic coordination, related to physical restrictions and the logic of actions, and coordination in time. The time characteristics of the control logic should be adequate to the speed of the physical processes associated with the controlled technical complex [2][3][4][5].
A very important problem for the control logic of a complex technical object is the evaluation of its parameters and checking whether their values correspond to the existing physical and technological constraints. This problem is relevant both at the design stage, when the key question is the feasibility of the required system, and during operation of an existing technical object, when we need to analyze performance, for example. This paper focuses on timing (synchronization) parameters and on the use of accessible resources (level of workload/overload). The problem has additional importance due to its direct connection to the dependability/safety of spaceflights.
Today, as a rule, the evaluation process is performed by a human. Unfortunately, the number of parameters of a real modern spacecraft that must be analyzed can be very large and exceed human capabilities.
So it is a potentially useful approach to apply existing automation tools to assist the specialists who are responsible for control logic evaluation [6][7]. A very popular and promising technology today is the Satisfiability Modulo Theories (SMT) approach, supported by many commercial and free solvers such as ABSolver, Alt-Ergo, Barcelogic, MathSAT, CVC, OpenSMT, Simplify, STeP, Yices, Z3, etc. We can specify the existing constraints in the SMT-LIB formal language and then obtain the answer whether the system satisfies the constraints (sat) or not (unsat). The solver can even compute the values of the variables that provide satisfiability.

Method
This section presents the core content of the paper. The first subsection is devoted to the mathematical modeling of real-time control logic, the second subsection is about practical ways of utilizing SMT solver functionality, and the third subsection describes the developed prototype software tool.

Mathematical model of Real-Time Control Logic
In previous papers [3,6,7] the author proposed a semantic model for real-time control algorithms. The model represents control actions by the following set (1), where f_i is the ID of the functional process (FP) to be executed, t_i is the begin time of f_i (a non-negative integer), τ_i is its duration (a non-negative integer), and l_i is a 'logical vector' defining whether the process should be executed. The logical vector is formed by logical variables taking the values 1, 0 and 'H': 1 and 0 correspond to True and False, and 'H' means that execution of the process does not depend on the value of this logical variable. The presence of logical variables in the model allows specifying a set of implementation options of the algorithm (including normal and abnormal situations).
Some parameters can be specified by known constants; others are initially unknown and stated as variables.
The constraints and requirements for the real-time control logic can be specified in the language of the CA formal theory (calculus of real-time control algorithms) proposed by A.A. Kalentyev. The extended version of this theory developed by the author [6] contains the operators allowed for use in a specification (see Table 1). We focus on the synchronization of the functional processes to be executed. The synchronization of two processes can be expressed by the following operators: coincidence by begin (named CH, from the Russian abbreviation), coincidence by end (named CK), direct following (→), time uncrossing (<>), precedence (<), strict precedence (<<), overlap with a specified shift (H), and parameterized following with specification of the delay (3A). The operators <, << and <> express 'soft' bindings, where the times of the processes' begins and ends may vary within some intervals. The special operator <l> means logical incompatibility of actions, i.e. the processes cannot occur in the same execution case; this means that the same logical variable has value 1 in one vector and 0 in the other.
The sense of the operators becomes quite clear from Figures 1-6 (Figure 6 shows the parameterized overlap).
As was shown in [7], in some cases the wanted specification of the control actions may be feasible with the preset values of the model variables, while the same set of requirements and constraints may be unfeasible with other values.
Example 1. For the following synchronization requirements: and the values τ_1 = 20, τ_2 = 100, τ_3 = 200, τ_4 = 10, τ_5 = 50, the specification is not feasible due to the impossibility of fulfilling the formula f_2 → f_5; this fact can be verified visually in Figure 7. But with other parameters, for example τ_1 = 100, τ_2 = 150, τ_3 = 70, τ_4 = 10, τ_5 = 50, the specification becomes feasible (see Figure 8).
The problem of satisfiability of the required specification on a defined basis of FPs with fully known parameters is quite important and interesting. At the same time, two further issues are even more interesting:
1) For a known specification and partially defined parameters of the functional processes (such as starting time, duration and logical conditions), to check whether the specification is satisfiable in general.
2) To find the parameters of the FPs which satisfy the defined specification, in other words, to build the needed algorithm.
A very important point is that the model above can be applied not only to the real-time onboard flight control software it was initially developed for, but to the representation of any sort of activity or processes performed by humans, technical devices, processors, mechanisms, etc. Indeed, the presented model is independent of the nature of the implementer of a functional process. On the other hand, the model allows representing adequately the complexity of real-time control actions in 'time space' and 'logical space'.

Ways of utilization of SMT solvers functionality
The most common mathematical objects and constructs, such as rational and real numbers, vectors and matrices, are already supported by existing SMT solvers. So, if we transform the requirements to real-time control logic into requirements on these kinds of entities, we can utilize the functionality of an SMT solver.
To do this we proceed from the formulas and relations between the functional processes to equations and inequalities on numbers: the synchronization relations between FPs become equations and inequalities on the integer begin times and durations, and the logical incompatibilities of FPs (see above) become a set of Boolean equations. This allows us to formulate the requirements in the notions of the SMT-LIB language.
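As an added illustration (not the paper's prototype code), the following Python function performs this transformation: it emits an SMT-LIB script from a list of CA-calculus relations, using the durations of Example 1. The operator semantics, the relation list and the logical vectors are assumptions constructed here, since the paper defines the operators graphically.

```python
# Added example, not the paper's Java prototype: translate CA-calculus requirements
# on functional processes (FPs) into an SMT-LIB script that Z3 can check.
# FP i has begin time t_i and duration tau_i (non-negative integers). The operator
# semantics below are assumptions; the paper defines the operators in Figures 1-6.

def beg(i):
    return f"t_{i}"

def end(i):
    return f"(+ t_{i} tau_{i})"

SEMANTICS = {
    "CH": lambda a, b, p: f"(= {beg(a)} {beg(b)})",                 # coincidence by begin
    "CK": lambda a, b, p: f"(= {end(a)} {end(b)})",                 # coincidence by end
    "->": lambda a, b, p: f"(= {beg(b)} {end(a)})",                 # direct following
    "<>": lambda a, b, p: f"(or (<= {end(a)} {beg(b)}) (<= {end(b)} {beg(a)}))",  # uncrossing
    "<":  lambda a, b, p: f"(< {beg(a)} {beg(b)})",                 # precedence (soft)
    "<<": lambda a, b, p: f"(<= {end(a)} {beg(b)})",                # strict precedence
    "H":  lambda a, b, p: f"(= {beg(b)} (+ {beg(a)} {p}))",         # overlap with shift p
    "3A": lambda a, b, p: f"(= {beg(b)} (+ {end(a)} {p}))",         # following with delay p
}

def incompatible(a, b, logical):
    """<l>: a and b are logically incompatible when some logical variable is 1 in
    one vector and 0 in the other ('H' = do not care; vectors are known here)."""
    clash = any({x, y} == {"0", "1"} for x, y in zip(logical[a], logical[b]))
    return "true" if clash else "false"

def encode(tau, relations, logical=None):
    """tau: {fp: duration, or None if unknown}; relations: (op, a, b[, param])."""
    out = []
    for i, d in tau.items():
        out += [f"(declare-const t_{i} Int)", f"(assert (>= t_{i} 0))"]
        if d is None:  # unknown duration: the solver has to find a value for it
            out += [f"(declare-const tau_{i} Int)", f"(assert (>= tau_{i} 0))"]
        else:
            out.append(f"(define-fun tau_{i} () Int {d})")
    for op, a, b, *p in relations:
        if op == "<l>":
            out.append(f"(assert {incompatible(a, b, logical)})")
        else:
            out.append(f"(assert {SEMANTICS[op](a, b, p[0] if p else None)})")
    return "\n".join(out + ["(check-sat)", "(get-model)"])

# Durations of Example 1 (first parameter set). The relation list and the logical
# vectors are constructed for illustration; only f2 -> f5 is taken from the paper.
TAU = {1: 20, 2: 100, 3: 200, 4: 10, 5: 50}
RELATIONS = [("CH", 1, 2), ("->", 2, 5), ("<<", 1, 4), ("3A", 4, 3, 5), ("<l>", 3, 5)]
LOGICAL = {3: "1H0", 5: "0H0"}

if __name__ == "__main__":
    print(encode(TAU, RELATIONS, LOGICAL))  # save as spec.smt2 and run: z3 -smt2 spec.smt2
```

A duration left as None is declared as a solver variable, so the same script serves both questions raised above: checking feasibility and asking the solver for parameter values that make the specification feasible.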

Program implementation
Many freely accessible SMT solvers provide an API for integration with user-developed software. Moreover, Z3, for example, can be executed online via the Internet. This allowed us to utilize SMT solver functionality for practical goals in the control logic problem domain. A special prototype program was developed to validate the applicability of the described approach.
The prototype is written in Java 8 and has an intuitive graphical user interface (see Figure 9, in Russian). The user can set known values of model variables in dedicated editor fields. There is also a special field on the form for specifying the requirements in terms of control logic, and buttons for solving (attempting to evaluate feasibility, sat or unsat, and finding parameters which make the set of requirements feasible).

Conclusion and Future Work
We have shown how algebra- and logic-based models of real-time control logic can be applied for feasibility checking using Satisfiability Modulo Theories solvers. The Real Time Control Logic