Masafumi Katahira

Hazard Analysis of Complex Spacecraft Using Systems-Theoretic Process Analysis

A new hazard analysis technique, called systems-theoretic process analysis, is capable of identifying potential hazardous design flaws, including software and system design errors and unsafe interactions among multiple system components. Detailed procedures for performing the hazard analysis were developed, and the feasibility and utility of using it on complex systems was demonstrated by applying it to the Japanese Aerospace Exploration Agency H-II Transfer Vehicle. In a comparison of the results of this new hazard analysis technique to those of the standard fault tree analysis used in the design and certification of the H-II Transfer Vehicle, systems-theoretic hazard analysis found all the hazardous scenarios identified in the fault tree analysis as well as additional causal factors that had not been identified by fault tree analysis.

Scoping software process models: initial concepts and experience from defining space standards

Defining process standards by integrating, harmonizing, and standardizingheterogeneous and often implicit processes is an important task, especiallyfor large development organizations. However, many challenges exist,such as limiting the scope of process standards, coping with different levels ofprocess model abstraction, and identifying relevant process variabilities to beincluded in the standard. On the one hand, eliminating process variability bybuilding more abstract models with higher degrees of interpretation has manydisadvantages, such as less control over the process. Integrating all kinds ofvariability, on the other hand, leads to high process deployment costs. This articledescribes requirements and concepts for determining the scope of processstandards based on a characterization of the potential productzs to be producedin the future, the projects expected for the future, and the respective process capabilitiesneeded. In addition, the article sketches experience from determiningthe scope of space process standards for satellite software development. Finally,related work with respect to process model scoping, conclusions, and an outlookon future work are presented.

Making formal methods practical

Despite their potential, formal methods have had difficulty gaining acceptance in the industrial sector. Some complaints are based on supposed impracticality: many consider formal methods to be an approach to system specification and analysis that requires a large learning time. Contributing to this scepticism is the fact that some types of formal methods have not yet been proven to handle systems of realistic complexity. To learn more about how to design formal specification languages that can be used for complex systems and require minimal training, we developed a formal specification of an English language specification of the vertical flight control system similar to that found in the MD-11. This paper describes the lessons learned from this experience.

Application of GQM+Strategies® in the Japanese Space Industry

Aligning organizational goals and activities is of great importance for large organizations in order to improve their performance and achieve top-level business goals. Through alignment, organizational sub-units can optimize and explicitly highlight their contributions towards the achievement of top-level business goals. GQM+Strategies provides a systematic, measurement-based approach for explicitly linking goals and contributions on different organizational levels. This paper presents results and experiences from applying the GQM+Strategies approach at the Japan Aerospace Exploration Agency.

Software Independent Verification and Validation for Spacecraft at JAXA

In order to achieve mission success with more demanding mission requirements and more complex onboard software, our software independent verification and validation (IV&V) has been applied to various spacecraft software programs, such as software on satellites, ground stations, and the Japanese Experimental Module (JEM) of the International Space Station (ISS). The malfunction procedure in the operations data file for JEM is also the target for applying software IV&V. Suitable software IV&V can be performed for each spacecraft throughout the entire development life cycle. The objectives for software IV&V activity are the following: applying suitable software IV&V to each spacecraft, creating new software IV&V technologies for spacecraft, and spreading new software engineering technologies based on our software IV&V to development teams and contractors. This paper introduces our software IV&V activities and several examples to confirm that our activities are effective and efficient for spacecraft.

Application of hierarchical accident model in independent verification and validation

The software independent verification and validation (IV&V) is essential, especially in the development of aerospace systems, to improve safety and reliability and to prevent system problems. 12 We have used a hierarchical accident method. This method investigates the latent problems in the development process of a system that have not been thoroughly recognized in past IV&V.

Model-based independent verification and validation for dependable flight software

The role of flight software in the spacecraft is becoming more essential if missions are to be considered successful.1 2 To realize more reliable and continuous independent verification and validation (IV&V) and improve the dependability of flight software, a systems engineering process called Model-based IV&V (MBIVV) was developed and has been applied to flight software for several years. This paper examines the experience of performing MBIVV, a process which augments existing IV&V methods with various potential benefits to improve the dependability of flight software. MBIVV techniques are effective for detecting basic or complex errors and many warnings, all of which may not be identified in existing IV&V processes. Moreover, the techniques can be applied to all or only the critical portions of the target software. The number, level of abstraction, and scope of the models are adjusted to meet the objectives of the IV&V attribute and the complexity of the target flight software. This paper introduces the MBIVV paradigm, activities, and practical applications to demonstrate that this MBIVV is an effective means of ensuring the dependability of flight software.

Challenges of COTS IV & v

COTS can significantly complicate the independent verification and validation (IV&V) process. The necessarily pessimistic culture of IV&V has a perspective on COTS that greatly differs from a developers generally optimistic, success-oriented perspective. For example, there is no basis for assuming that the COTS assessments made by developers will ultimately be consistent or even compatible with those made by an IV&V group. This frequently results in higher project risk and uncertainty. This workshop seeks to illuminate these and other COTS and IV&V related challenges.

Resolving COTS system assessment clashes

COTS significantly complicates the IV&V process. The necessarily pessimistic culture of IV&V has a perspective on which COTS assessment attributes and techniques are relevant that differs greatly from developers typically optimistic, success-oriented perspective. There is no basis to assume that the COTS assessments made by developers will ultimately be consistent with IV&V COTS assessments. The result frequently results in a “lose-lose” situation where either large re-work costs are incurred to replace existing COTS with IV&V approved COTS, or higher risk and uncertainty must be tolerated (from the IV&V perspective) to continue with the COTS the developers chose. This work seeks to remedy this “culture clash” of COTS assessment perspectives by integrating IV&V and developers system level COTS assessments that provides a result that is both consistent and cost-effective.