INCOSE Italian Chapter Conference on Systems Engineering (CIISE2014) Rome, Italy, November 24 – 25, 2014 The Verification Process in the ASTRI Project: the Verification Control Document (VCD) L. Stringhetti1, N. La Palombara1, R. Canestrari2, O. Catalano3, M. Fiorini1, E. Giro4, M.C. Maccarone3, G. Pareschi2, G. Tosti5, S. Vercellone3 on behalf of the ASTRI Collaboration6 and for the CTA Consortium7 1INAF - IASF Milano, Via Bassini 15, 20133 Milano (I) 2INAF - Osservatorio Astronomico di Brera, Via Bianchi 46, 23807 Merate (Lc) (I) 3 INAF - IASF Palermo, Via U. La Malfa 153, 90146 Palermo (I) 4INAF - Osservatorio Astronomico Padova, Vicolo Osservatorio 5, 35122 Padova (I) 5Universita' di Perugia, Dipartimento di Fisica, Via A. Pascoli, 06123 Perugia (I) 6http://www.brera.inaf.it/astri/ 7http://www.cta-observatory.orgContact Information Copyright © held by the authors. Abstract. ASTRI is a flagship project of the Italian Ministry of Education, University and Research, addressed to the implementation of an end-to-end prototype for the Cherenkov Telescope Array (CTA), an observatory which will be the main representative of the next generation of Imaging Atmospheric Cherenkov Telescopes. It will explore the uppermost end of the Very High Energy domain up to about few hundreds of TeV with unprecedented sensitivity, angular resolution and imaging quality. In this framework the ASTRI project, led by the Italian National Institute of Astrophysics (INAF), has proposed an original design for the Small Size Telescope, devoted to the highest energy range, whose prototype has been successfully installed in Italy. It is characterized by challenging but innovative technological solutions which will be adopted for the first time on a Cherenkov telescope: a dual-mirror Schwarzschild-Couder configuration, a modular, light and compact camera based on Silicon photomultipliers, and a front-end electronic based on specifically designed ASIC. In this paper we describe the functional and performance verification process set up for the ASTRI prototype, which, based on different methods (inspection, analysis, certification, and test), shall demonstrate the telescope compliance with the CTA requirements. The approach followed by the ASTRI project is to have all the information needed to report the verification process along all project stages in a single layer. The paper describes in details how the layer, which is based on Excel, is formed and how it will be used all along the verification process. The layer, called Verification Control Document (VCD), is presented as a powerful tool to help the flow of the verification process also because it is possible to, in a semi-automatic way, generate updated project documentation and progress report. Introduction In modern astrophysics, projects tend to have global dimensions, involving tens of different countries and hundreds, or in case thousands, of scientists working together. Projects are therefore complicated, because generally astrophysics works to answer to very complicated questions, and complex, because they involve many players. The success of a complex system depends also upon a thorough application of the validation, verification and integration processes all along the project life cycle. A bad or incomplete application of these processes from the starting stages of the project can have a strong impact on cost and on the project success if discovered too late, therefore greater attention has to be paid during the initial stages of the project. This is particularly true for scientific experimental projects where instrument characteristics and performance must be known exactly to produce at the end valuable science. More than this typically the Integration and Verification stages, comprehensive of tests, drain important quantities of the budget associated to scientific projects either for space application or for ground facilities. In Space programs it has been shown [1] that a quite important percentage of the failures during missions comes from a bad execution of processes such as Validation and Verification (V&V) of requirements and Integration. Ground based experiments and space programs are quite different on the amount of application of the verification processes, because fixing a problem for ground facilities is possible, even if it can be expensive, while it is normally not possible for satellite missions. Most of modern ground projects are based in very far sites, where it is still possible to have clear sky for instance, so maintenance is getting more and more an important part of the budget. A better application of integration and verification processes can improve also the success of ground experiments. The correct application of these processes helps to identify potential causes of failure well in advance. One of the tools to improve the effectiveness of such processes is to keep a well configured level of documentation, in order to have the project under configuration control. While for trivial systems the integration and verification is possible without properly written documentation, any system integration process for complex systems is expected to fail if not well prepared and properly documented [2]. There are many examples that give good guidelines that can be used and applied to different systems. One model used in astrophysical applications comes from the European Cooperation for Space Standardization (ECSS) that lays down many guidelines that can be followed for a proper application of V&V and Integration processes. The ECSS standard dedicated to Verification [3] describes in the annexes section how a Verification plan should be effectively written and how a Verification Control Document (VCD) should be prepared. The NASA System Engineering Handbook [4] defines a Validation Requirements Matrix (VRM) with the same objective. The INCOSE (International Council on Systems Engineering) Handbook [5] gives quite similar Guidelines in order to build and keep updated, along the project stages, the Requirements Verification and Traceability Matrix (RVTM), which has basically the same objective of the ECSS VCD. Also in literature, many examples can be found which give very interesting guidelines as the Individual Specification Dedicated Verification Ledger (ISDVL) [1], which, despite the complicated name, is a very interesting example on field of the above standards. A trade-off between the full application of System Engineering Standards for V&V, which has a not negligible cost, and maintenance planning, which indeed has a cost on operation, must be done in the early stage of the project. The objective of this paper is to present a tool used for the ASTRI project tailored from well-known standards and guidelines in order to flow the complex verification stage of such project and, at the same time, reporting in easy way that mission objectives and scientific needs are fulfilled. The ASTRI project The ASTRI project, led by the Italian National Institute of Astrophysics (INAF), has the objectives to characterize challenging but innovative technological solutions, which will be adopted for the first time on a Cherenkov telescope [6]: a dual-mirror (2M) Schwarzschild-Couder configuration, a modular, light and compact camera based on Silicon photomultipliers, and a front-end electronic based on CITIROC [7]. Actually, a prototype of the telescope, named ASTRI-SST-2M, has been successfully integrated at the INAF “M.C. Fracastoro” observing station (1735 m a.s.l) located in Serra La Nave [8], and dedicated tests on electro-mechanical structure and optic system are about to start [Figure 1]. It is expected that, in the early months of 2015, the whole integrated system will go through the scientific validation phase. As a second step, the ASTRI project aims to implement an ASTRI/CTA mini-array composed of seven SST-2M telescopes [9]; they will be placed at the final CTA Southern Site and will represent a precursor and seed of the whole CTA Observatory [10]. The Cherenkov Telescope Array (CTA) is a large collaborative effort aimed at the design and operation of an observatory dedicated to the very high-energy gamma-ray astrophysics. In order to achieve such objectives, it is planned to deploy, in an area covering roughly 10 square kilometers, four 23m diameter Large Size Telescopes (LSTs), about twenty-five 12m Medium Size Telescope (MST), and a number between 50 and 70 of 4-6m diameter Small Size Telescopes (SSTs). Two sites, one in the Southern and one in the Northern emisphere, are currently foreseen for the CTA observatory; the final decision on which site will host the array of the Southern-emisphere is expected within 2014. Figure 1. ASTRI telescope prototype ready to start System verification Verification Flow The verification of several ASTRI specifications needs the execution of a test, which can be of different types (functional, mechanical, electrical, optical, environmental ...). In order to be fully representative of the operating conditions, usually these tests should be performed on the final system, which includes all the necessary subsystems. However, it is possible that some specifications can be verified also at an earlier stage of the project development, on stand-alone subsystems or on the partially assembled systems; in addition, it is possible that some specifications can be tested only at subsystem level. Therefore, it is necessary to set-up a comprehensive Test Plan that involves not only the whole telescope but also its assemblies and subsystems. To this aim, it is necessary to take into account not only the function of each item, which composes the final system, but also the priorities and time constraints which affect the system construction. The outcome of this activity is the so-called Assembly, Integration and Verification (AIV) plan, which defines the various phases of the system integration and verification: the assembly of the system components, the tests to be performed on the stand-alone subsystems, their integration into the final system and the system-level tests. The plan has been prepared starting from the system level because at the beginning only high-level requirements were available. The more in details the design was proceeding, the more it was possible to describe subsystem level verification and to include specific tests. On the other hand, the execution of the plan is a hierarchical process that goes in the right opposite direction. It starts from the low-level components of the system and, going through increasing levels of complexity, arrives to the end-to-end final system. This process is well described with the VEE-Model approach, which is widely used in astrophysical projects involving in scientific instrument development. In Figure 2 a classical VEE-Model representation is reported. This is applicable also for the AIV processes. On the left side of the V the verification preparation can be found, starting from the system level and proceeding at lower level. At the right side of the V the verification execution starts from low level of complexity and it is completed when the whole telescope is tested. Figure 2: VEE-Model graphical representation. The life cycle of a project starts with high-level definition and proceeds to define all the details of subsystems and elements. This is the Validation process: Are we building the right thing? Once the subsystems are assembled, they are verified and so this time the complexity increases with time and the complete system is verified only at the end of the stage. This is the Verification process: Are we building it right? The AIV plan describes the verification flow of the specifications identified in the ASTRI System Specification Document (SSD), which collects all the specification needed to validate the design of the telescope. ASTRI telescope can be divided in the following sub-systems - MECH: the mechanical structure and all the electronics that ensure the telescope movement (i.e. Motors, Drives) - OPT: the two mirrors that define the optical design - CAM: the Cherenkov Camera which collects the light produced by a Cherenkov event - AUX: all the auxiliary sub-systems of the telescope (Communication, Power, ..) - SW: all the SW running in the telescope. Figure 3 shows the above subsystem in the product breakdown structure of the ASTRI project. Figure 3: First three levels of the Product Breakdown Structure (PBS) of ASTRI telescope The AIV plan describes the integration of these elements to form a telescope and the subsequent verification as a complete system. Surely it is the right tool to plan and organize the verification process but it is not the right tool in order to flow the verification. Therefore, a Verification Control Document (VCD) has been created. These two documents are the master documents that follow the AIV manager during the complete verification phase. While the AIV plan is mainly a description of the steps that have been planned, the VCD is a live document that can give, in a single glance, the status of the verification stage. The verification flow used in ASTRI project is depicted in Figure 4. Figure 4: The ASTRI verification process. The Verification Control Document The ASTRI VCD is a modified version of the ESA VCD tailored on the specific needs and project organization of the ASTRI project. The same tailoring process can make use of ASTRI VCD to a different scientific project. The VCD is organized as an MS Excel table. There are many commercial tools that can be tailored to cover the above specific needs, but the MS Excel was already well used in the ASTRI collaboration, so it was quite natural to use an existing and well-known tool. At system level the number of specifications is less than 400 which remains a number that MS Excel can easily handle. Finally from an Excel table, using the merge letter function in MS Word it is quite simple to generate semi-automatic reports. In any case a different tool can be also effectively used; the template definition is shown in Figure 5. For each line it is reported the text of a single specification, and there are as many lines as many specifications are presented in the ASTRI System Specification Document (SSD). The table is organized in less than ten columns that are explained here after. Figure 5: Verification Control Document example. PUID Project Unique ID. This is the code used in the ASTRI SSD. It is unique and describes only one specification. From the code it is possible to derive also its direct applicability because a three letter field is associated to the second level of the product tree. A CAM code refers to a specification directly related to the Cherenkov Camera Assembly, a SYS code is referring to a general requirement that can be applied to all the subsystem and to the entire telescope. Specification description In this field the Specification text as per ASTRI SSD is reported. Trace Each specification must answer to at least one need (requirement). The requirement can be derived by a specific CTA need, by a standard, or a national rule. So it is possible to have a specification that answers to many requirements, but on the opposite way it is not possible to have a specification that traces to nothing. In this case the specification is not needed and should be removed from the VCD. In the example references to requirement from the CTA collaboration are reported. Verification Method The preferable verification method in ASTRI project is by test. Unfortunately, it is not always possible to test each specification, for many different reasons (i.e. cost), so different verification methods can be accepted. In ASTRI project, A stands for Analysis (i.e. FEM analysis), C stands for certification, I stands for Inspection, and finally T stands for Test. At least one verification method must be listed, otherwise the specification is not verifiable, but more than one methods can be listed. Compliancy In this field the compliancy to the specification expectation is reported. This is an important field because if noncompliance (NC) appears it means that a problem is found and the AIV manager shall focus his attention on this. Verification document In this field the reference to the document where the verification execution has been performed is reported. In case a test is requested by the verification method, a test report document is expected. In case an analysis is requested, for instance a specific load must be verified on the structure, a FEM analysis is expected. At the start of the verification, these fields are blank, but for any further step in testing document references are added. Reference to schedule It has been found very useful to use a field which refers directly to a task in the schedule. It is reported the name of the task, which in ASTRI project is the name of a work package associated in ASTRI Work Breakdown Strudture (WBS). This field is useful because it is possible to cross-check that all specifications are verified at a specific time in the project, and sorting out for the name of the task, it is possible to obtain easily which specifications must be fulfilled at a specific test. This helps the AIV to create a very simple pass/fail criterion for the completion of a task: if all specs associated to that task have been successfully verified the task is completed. NCR and NCR status In this field it is reported the reference to the non conformity reports (NCR) associated to that verification step. The ASTRI Quality Plan outlines the correct definition of the NCR, and in this field the code of the specific NCRs are reported. During tests for instance many problems or unexpected features can pop up and they are traced with a specific NCRs. During the Verification process these NCRs can be worked out and resolved, so the next field (NCR status) would report CLOSED; but it is important to keep the history of the problem encountered. This is strategically important for the ASTRI project because the prototype is the first telescope to be built and many more are to come. If one or more of the listed NCRs are still under work the field will appear as OPEN. RFW and RFW status The RFW are collected in this field if any. This happens only in case the specification is not satisfied and it is requested to accept the assembly anyhow. Normally the VCD is created while the System Specification document is created. In this configuration only the PUID, the text, the trace and the verification methods are listed. Also in this phase the VCD is useful to cross-check that requirements are unique, that they are complete, that they are verifiable. During the planning phase, or basically during the composition of the AIV plan, the AIV manager fills the column related to the reference of the schedule, so he can be sure that each specification verification has been planned carefully in the schedule. Also in this phase a detailed Test plan, when needed, and specific procedures are prepared. While the verification proceeds the other fields of the table are filled with references to verification reports, when tests are executed, or with references to NCRs, if any problems appeared. At the end of the verification phase all the NCRs should be closed or solved with a RFW process. Conclusion The VCD here presented is a modified version of ESA VCD and it is used in the ASTRI project. It helped to generate the SSD and to report the compliancy status of the project in some internal reviews. It has been used to create the AIV plan and verification strategy has been checked in the schedule. It will be used during the prototyping testing phase that has just started, with the objective to trace in a configured and controlled way all possible unexpected problems that could pop up. The outcome of the VCD at the end of the prototyping phase would be to have a reference for the preproduction phase and in case an update of the SSD document for those telescopes. This work was partially supported by the ASTRI "Flagship Project" financed by the Italian Ministry of Education, University, and Research (MIUR) and led by the Italian National Institute of Astrophysics (INAF). We also acknowledge partial support by the MIUR Bando PRIN 2009. Reference [1] Nagano, S. “Space Systems Verification Program and Management Process”, System Engineering, Wiley Periodicals, Vol. 11, No 1, 27-38 (2008) [2] Madni, A. M., Sievers, M. “System Integration: key perspectives, Experiences and Challenges” System Engineering, Wiley Periodicals, Vol. 17, No 1, 37-51 (2014) [3] ECSS “Space Engineering Verification, ECSS-E-ST-10-02C, ESA-ESTEC, (2009) [4] NASA, “NASA System Engineering Handbook”, NASA, NASA/SP-2007-6105 (2007) [5] International Council on Systems Engineering (INCOSE), “System Engineering Handbook”, INCOSE, INCOSE‐TP‐2003‐002‐03.2.2, (2011) [6] Canestrari, R. & al., “The ASTRI SST-2M prototype for the Cherenkov Telescope Array: manufacturing of the structure and of the mirrors”, SPIE proc. 9145 (2014) [7] Catalano, O. “The camera of the ASTRI SST-2M prototype for the Cherenkov Telescope Array”, SPIE proc. 9147 (2014) [8] M.C, Maccarone, G. Leto, P. Bruno, et al., "The Site of the ASTRI SST-2M Telescope Prototype", Procs. 33rd ICRC2013, 2-9 July 2013, Rio de Janeiro (Brazil) - (arXiv:1307.5139) [9] Pareschi, G. & al “The ASTRI/CTA mini-array of Small Size Telescopes Dual-Mirror: a first seed of the for the Cherenkov Telescope Array”, SPIE proc. 9145 (2014) [10] Acharya, B. et al., “Introducing the CTA concept”, Astroparticle Physics, Vol 43, 3-18 (2013) [11] Marchant, A. “Obstacle to the flow of requirements Verification”, System Engineering, Wiley Periodicals, Vol. 13, No , 1-13 (2010) Biography Luca Stringhetti is a researcher of the National Institute of Astrophysics in Italy (INAF). He is a senior system engineer who during the last ten years participated to several important projects in INAF spacing from satellite based (LFI/Planck, ACES) projects to ground base and large infrastructure projects (SRT) devoted to experimental astrophysics.Actually he is the Lead System Engineer of the ASTRI prototype. Nicola La Palombara has been working at INAF as technologist since 1996. He has worked at the design, testing and commissioning of XMM-Newton, the ESA cornerstone mission for X-ray astronomy, and at the scientific exploitation of its observations. Currently he is involved as AIV manager in the development of the ASTRI prototype for the Cherenkov CTA observatory.