Application of a Safety-Driven Design Methodology to an Outer Planet Exploration Mission

Traditional requirements specification and hazard analysis techniques have not kept pace with the increasing complexity and constraints of modern space systems development. These techniques are incomplete and often consider safety late in the development cycle when the most significant design decisions have already been made. The lack of an integrated approach to perform safety-driven system development from the beginning of the system lifecycle hinders the ability to create safe space systems on time and within budget. To address this need, the authors have created an integrated methodology for safety-driven system development that combines four state-of-the-art techniques: 1) intent specification, a framework for organizing system development and operational information in a hierarchical structure; 2) the STAMP model of accident causation, a system-theoretic framework upon which to base more powerful safety engineering techniques; 3) STAMP-based hazard analysis (STPA); and 4) state analysis, a model-based systems engineering approach. The iterative approach specified in the methodology employs state analysis in the modeling of system behavior. STPA is used to identify system hazards and the constraints that must be enforced to mitigate these hazards. Finally, intent specification is used to document traceability of behavioral requirements and subject them to formal analysis using the SpecTRM-RL software package. In this paper, the application of this methodology is demonstrated through the specification of a spacecraft high gain antenna pointing mechanism for a hypothetical outer planet exploration mission.