Engineering Spacecraft Mission Software using a Model-Based and Safety-Driven Design Methodology

Weiss, Kathryn Anne; Dulac, Nicolas; Chiesi, Stephanie; Daouk, Mirna; Zipkin, David; Leveson, Nancy G.

doi:10.2514/1.24677

Cited by 11 publications

(9 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…II) is potential interference among uncoordinated control actions by multiple controllers. The collision between two aircraft over Überlingen, Germany, has been partially blamed on conflicting advisories to the pilots by the ground air traffic controller and TCAS II, the automated collision avoidance system on the two aircraft [13]. One aircraft followed the ground advisory while the other aircraft followed the TCAS advisory.…”

Section: Identifying Potentially Unsafe Interactions Among Multiplmentioning

confidence: 99%

“…SpecTRM, a system and software engineering environment that supports safety engineering processes such as hazard analysis [13] was used to experimentally validate the feasibility of using this method to identify interference. SpecTRM allows modeling preconditions and postconditions and automated checking for consistency and interference.…”

Section: Identifying Potentially Unsafe Interactions Among Multiplmentioning

confidence: 99%

See 1 more Smart Citation

Hazard Analysis of Complex Spacecraft Using Systems-Theoretic Process Analysis

Ishimatsu¹,

Leveson²,

Thomas³

et al. 2014

Journal of Spacecraft and Rockets

View full text Add to dashboard Cite

A new hazard analysis technique, called System-Theoretic Process Analysis, is capable of identifying potential hazardous design flaws, including software and system design errors and unsafe interactions among multiple system components. Detailed procedures for performing the hazard analysis were developed and the feasibility and utility of using it on complex systems was demonstrated by applying it to the Japanese Aerospace Exploration Agency H-II Transfer Vehicle. In a comparison of the results of this new hazard analysis technique to those of the standard fault tree analysis used in the design and certification of the H-II Transfer Vehicle, System-Theoretic Hazard Analysis found all the hazardous scenarios identified in the fault tree analysis as well as additional causal factors that had not been) identified by fault tree analysis.

show abstract

Section: Identifying Potentially Unsafe Interactions Among Multiplmentioning

confidence: 99%

Section: Identifying Potentially Unsafe Interactions Among Multiplmentioning

confidence: 99%

Hazard Analysis of Complex Spacecraft Using Systems-Theoretic Process Analysis

Ishimatsu¹,

Leveson²,

Thomas³

et al. 2014

Journal of Spacecraft and Rockets

View full text Add to dashboard Cite

show abstract

“…In equation (3), the role of the monitor is to check whether the chosen action (ω 1 ) of the ownship is safe assuming that the evolution of the involved aircraft is governed by the differential equations given in equation (4). The symbol (?)…”

Section: B Safety Monitoring Using Differential Invariantsmentioning

confidence: 99%

Hybrid Theorem Proving of Aerospace Systems: Applications and Challenges

Ghorbal

Jeannin

Zawadzki

et al. 2014

Journal of Aerospace Information Systems

View full text Add to dashboard Cite

Complex software systems are becoming increasingly prevalent in aerospace applications, in particular to accomplish critical tasks. Ensuring the safety of these systems is crucial, while they can have subtly different behavior under slight variations in operating conditions. In this paper we advocate the use of formal verification techniques and in particular theorem proving for hybrid software-intensive systems as a wellfounded complementary approach to the classical aerospace verification and validation techniques such as testing or simulation. As an illustration of these techniques, we study a novel lateral mid-air collision avoidance maneuver in an ideal setting, without accounting for the uncertainties of the physical reality. We then detail the challenges that naturally arise when applying such technology to industrial-scale applications and our proposals on how to address these issues.

show abstract

“…In this study, a commercial systems engineering toolset called SpecTRM (Specification Tools and Requirements Methodology) was used to capture intent specifications [5]. SpecTRM focuses on the early stages of system development, where the foundation is set for later implementation, operations, and maintenance activities.…”

Section: Spectrm and Spectrm-rlmentioning

confidence: 99%

“…This model is used to determine what control actions are needed and it is updated through various forms of feedback. When the model does not match the controlled process, accidents can result [5,6].…”

Section: Stampmentioning

confidence: 99%

Application of a Safety-Driven Design Methodology to an Outer Planet Exploration Mission

Owens

Herring

Dulac

et al. 2008

2008 IEEE Aerospace Conference

Self Cite

View full text Add to dashboard Cite

Abstract-Traditional requirements specification and hazard analysis techniques have not kept pace with the increasing complexity and constraints of modern space systems development. These techniques are incomplete and often consider safety late in the development cycle when the most significant design decisions have already been made. The lack of an integrated approach to perform safety-driven system development from the beginning of the system lifecycle hinders the ability to create safe space systems on time and within budget. To address this need, the authors have created an integrated methodology for safety-driven system development that combines four state-of-the-art techniques: 1) Intent Specification, a framework for organizing system development and operational information in a hierarchical structure; 2) the STAMP model of accident causation, a system-theoretic framework upon which to base more powerful safety engineering techniques; 3) STAMPbased Hazard Analysis (STPA); and 4) State Analysis, a model-based systems engineering approach. The iterative approach specified in the methodology employs State Analysis in the modeling of system behavior. STPA is used to identify system hazards and the constraints that must be enforced to mitigate these hazards.Finally, Intent Specification is used to document traceability of behavioral requirements and subject them to formal analysis using the SpecTRM-RL software package. In this paper, 1,2 the application of this methodology is demonstrated through the specification of a spacecraft high gain antenna pointing mechanism for a hypothetical outer planet exploration mission.

show abstract

Engineering Spacecraft Mission Software using a Model-Based and Safety-Driven Design Methodology

Cited by 11 publications

References 4 publications

Hazard Analysis of Complex Spacecraft Using Systems-Theoretic Process Analysis

Hazard Analysis of Complex Spacecraft Using Systems-Theoretic Process Analysis

Hybrid Theorem Proving of Aerospace Systems: Applications and Challenges

Application of a Safety-Driven Design Methodology to an Outer Planet Exploration Mission

Contact Info

Product

Resources

About