Verifying command sequences for satellite systems

A formal basis for the design of a checker used in validating safe schedules and in selecting error recovery schedules for satellite control systems is presented. This design includes a high-level specification of checker behavior and properties (called flight rules) of safe schedules. Specifications are written in timed linear logic (TLL). Validation of schedules is performed in terms of real-time telemetry and deduction system proof rules. Telemetry (state information for satellite subsystems) serves as input to the checker. Detection of violation of a flight rule by the checker results in the selection of a contingency plan (error recovery schedule). The checker is illustrated by an example involving the TOPEX/Poseidon Oceanographic Satellite System