Title :
Toward software-based safety systems in space
Author :
Klicker, Michael ; Putzer, Henrik
Author_Institution :
Techcos GmbH, Munich, Germany
Abstract :
Space exploration missions have become increasingly complex in the past decade, with newly emerging capabilities such as sample returns from various celestial bodies and rovers. As many engineering constraints apply to deep space missions in terms of mass, size and energy, an increasing amount of system functionality for housekeeping or science purposes is implemented in software. Developments in other industrial domains requiring high-integrity software suggest that safety-related functions (both for protecting humans from hazards and for protecting the mission) will increasingly be implemented in software. This requires the software systems to become safer and more reliable than they are today. The current state of the art reveals a number of problems with developing and assessing safety-critical software, which explains the reluctance of the space community to rely on software-based safety measures to mitigate hazards. Among others, the usual lack of trustworthy evidence of software integrity in all foreseeable situations and the difficulty of integrating software into the traditional safety analysis framework are cited. Experience from other domains and recent developments in modern software development methodologies and verification techniques are analyzed for their suitability for space systems, and an avionics architectural framework (see STANAG 4626) for the implementation of safety-critical software is proposed. This is shown to create, among other features, the possibility of numerous degradation modes, enhancing overall system safety and the interoperability of computerized space systems. It also potentially simplifies international cooperation on a technical level by introducing a higher degree of compatibility. As software safety cannot be tested or argued into a system in hindsight, the development process, and especially the architecture chosen, are essential to establish safety properties for the software used to implement safety functions.
The core of the safety argument revolves around the separation of different functions and software modules from each other, achieved by minimal coupling of functions and credibly enforced separation mechanisms in the architecture, combined with rigorous development methodologies for the software itself.
Keywords :
aerospace computing; formal verification; safety-critical software; avionics architectural framework; celestial bodies; celestial rovers; computerized space systems; engineering constraints; safety related functions; separation mechanisms; software based safety systems; software integrity; software systems; space community; space exploration missions; space missions; system interoperability; system safety; trustworthy evidence; verification techniques; Aerospace electronics; NASA; Safety; development process; hazards; safety; software; software architecture;
Conference_Titel :
Recent Advances in Space Technologies (RAST), 2011 5th International Conference on
Conference_Location :
Istanbul
Print_ISBN :
978-1-4244-9617-4
DOI :
10.1109/RAST.2011.5966890