Better V&V for Critical Flight Systems

Critical aircraft systems are becoming more dependent on software. This brings with it the need to establish that the software will perform safely and reliably through all flight regimes, including emergencies. Verification and validation (V&V) is a key process for meeting that need for both military and civil procurements. For software developed with the UML (Unified Modeling Language), we are describing MOVAT, a computer-aided approach that is much more disciplined and repeatable than current practice and at the same time offers a considerable reduction in labor and schedule. MOVAT generates a Failure Modes and Effects Analysis (FMEA) directly from UML artifacts (use case diagrams during the requirements phase and class diagrams later on), and a Timed Petri Net (TPN) analysis of timing related problems from collaboration diagrams. These identify areas of greatest failure potential (expressed in severity categories) as well as associated detection capabilities and compensation (recovery) mechanisms. While software FMEA has been described and used previously it has generally been based on “functions”, a subjective concept. MOVAT uses operations of classes, clearly documented software constructs. When all operations in a class have been analyzed we can claim that the class has been completely evaluated, equivalent to using a parts list to establish that a hardware FMEA is complete. The FMEA and TPN permit V&V to concentrate on the software constructs most critical to safety of flight and to evaluate coverage of detection and recovery mechanisms. The emphasis is in most cases shifted from assessment of the functional software to assessment of the detection and recovery segments. These are usually much simpler and more standardized that the software elements that they protect and therefore the cost of V&V will be reduced. The procedure will be demonstrated on an autonomous active/standby redundancy management system, a design element encountered in fuel management, pressurization, and communication systems but also applicable on a grander scale to the leader/follower role assignment of a swarm of UAVs. The examples will describe applications during the requirements and coding phases. The research reported on here has been sponsored by the DARPA MoBIES project and AFRL.