Data Item Failure Mode Failure Description System E ect CriticalityHeater ON Timing wrong Heater ON

Current needs for high-reliability, reusable software; rapid, evolutionary development; and veriication of innovative software architectures have focused attention on improving techniques for analysing the safety and reliability of embedded software. The work reported here integrates two successful safety analysis techniques which have been used separately on software and hardware into the system engineering process. This process combines Software Failure Modes and EEects Crit-icality Analysis (SFMECA) and Software Fault Tree Analysis (SFTA) in a way that can be readily adapted to a particular project's evolving system needs. The technique was used on two recent space instruments: the Mars Microprobe Project and the Earth Orbiting System's Microwave Limb Sounder. The main lessons learned from this experience are discussed: (1) exible use, (2) a risk-driven rather than sequential approach, (3) \zoom-in/zoom-out" use, (4) SFMECA and SFTA as complementary techniques, (5) preserving traceabil-ity, and (6) applicability to fault protection software.