Model Checking Autonomous Planners: Even the B est L aid P lans M ust be V erified

Automated planning systems (APS) are gaining acceptance for use on NASA missions as evidenced by APS flown on missions such as Earth Orbiter 1 and Deep Space 1, both of which were commanded by onboard planning systems. The planning system takes high level goals and expands them onboard into a detailed plan of action that the spacecraft executes. The system must be verified to ensure that the automatically generated plans achieve the goals as expected and do not generate actions that would harm the spacecraft or mission. These systems are typically tested using empirical methods. Formal methods, such as model checking, offer exhaustive or measurable test coverage which leads to much greater confidence in correctness. This paper describes a formal method based on the SPIN model checker. This method guarantees that possible plans meet certain desirable properties. We express the input model in Promela, the language of SPIN (Holzmann, 1997 and Holzmann, 2003) and express the properties of desirable plans formally. The Promela model is then checked by SPIN to see if it contains violations of the properties, which are reported as errors. We have applied this approach to an APS and found a defect