This article describes four case studies in which requirements for new flight software subsystems on NASA's Space Shuttle were analyzed using mechanically supported formal methods. Three of the studies used standard formal specification and verification techniques, and the fourth used state exploration. These applications illustrate two theses: (1) formal methods complement conventional requirements analysis processes effectively and (2) formal methods confer benefits even when only selectively adopted and applied. The studies also illustrate the interplay of application maturity level and formal methods strategy, especially in areas such as technology transfer, legacy applications, and rapid formalization, and they raise interesting issues in problem domain modeling and in tailoring formal techniques to applications.

dating from the late 1970s and early 1980s. As a result, these analysis and assurance activities remain largely manual exercises lacking well-defined methods or techniques. At the same time, Shuttle flight software is life-critical and increasingly complex, and software upgrades are continually introduced. Upgrades accommodate new missions such as the recent MIR docking; provide new capabilities such as Global Positioning System (GPS) navigation; enhance existing capabilities such as the crew displays for Heading Alignment Cylinder (HAC) initiation; and improve algorithms such as the newly automated three-engine-out contingency abort maneuvers (3E/O), and the recent optimization of Reaction Control System Jet Selection (JS). These upgrades underscore the need recognized in the NASA community and in a recent assessment of Shuttle flight software development for "state-of-the-art technology" and "leading-edge methodologies" to meet the demands of software development for increasingly large and complex systems [NRCC 1993, p. 91].
The work described in this article had three main goals: first, to explore and document the feasibility and utility of formalizing critical Shuttle software requirements representing a spectrum of maturity levels; second, to develop reusable formal methods strategies for representative classes of Shuttle software; and third, to identify and assess key factors in the transfer of this technology to the aerospace community.

The Shuttle subsystems selected for the project directly reflect the first two goals. GPS, JS, HAC, and 3E/O are all part of critical on-board flight software. The JS requirements are mature and stable; the 3E/O requirements are somewhat newer, having only recently stabilized after a series of iterations; and the GPS and HAC requirements are relatively new. GPS, JS, and HAC belong to a class of Shuttle software that is readily formalized using a functional model of computation (basically a control function augmented with state variables) and effectively analyzed using standard theorem-proving techniques. By contrast, 3E/O represents a class of mode-sequencing software that can be quite naturally modeled as a finite-state system and effectively analyzed using st...
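The paragraph above contrasts two modeling styles: a control function augmented with state variables, checked by theorem proving, and a mode-sequencing system modeled as a finite-state machine and checked by state exploration. The following is an added illustration of the second style and is not code from the article or from NASA; the modes, events, transition table and the safety property are all constructed for the example and bear no relation to the actual 3E/O requirements. It encodes a small mode sequencer as a transition table, exhaustively enumerates every reachable mode under every event, and reports requirement defects of the kind state exploration is good at surfacing: undeclared target modes, unreachable modes, a violated entry condition, and modes with no exit.

```python
"""Toy state exploration over a mode-sequencing specification.

Added example, not the article's or NASA's code. Everything below
(modes, events, transitions, the safety property) is constructed.
"""
from collections import deque

# Constructed specification: declared modes and input events.
MODES = {"STANDBY", "ARMED", "ACTIVE", "COMPLETE"}
EVENTS = {"arm", "disarm", "trigger", "finish", "reset"}

# (current mode, event) -> next mode. Pairs not listed are self-loops,
# i.e. the event is ignored in that mode.
TRANSITIONS = {
    ("STANDBY", "arm"): "ARMED",
    ("ARMED", "disarm"): "STANDBY",
    ("ARMED", "trigger"): "ACTIVE",
    ("ACTIVE", "finish"): "COMPLETE",
    ("COMPLETE", "reset"): "STANDBY",
}
INITIAL = "STANDBY"


def step(transitions, mode, event):
    """Control function of the finite-state model: next mode for an event."""
    return transitions.get((mode, event), mode)


def explore(transitions, initial=INITIAL, events=EVENTS):
    """Breadth-first enumeration of every reachable mode.

    Returns (reachable modes, list of (mode, event, next) edges seen)."""
    seen = {initial}
    edges = []
    queue = deque([initial])
    while queue:
        mode = queue.popleft()
        for event in sorted(events):
            nxt = step(transitions, mode, event)
            edges.append((mode, event, nxt))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, edges


def check(transitions, initial=INITIAL):
    """Run the requirement checks over the explored state space.

    Returns a list of human-readable findings; an empty list means
    every check passed."""
    reachable, edges = explore(transitions, initial)
    findings = []
    # 1. Every successor is a declared mode (catches typos in the table).
    for mode, event, nxt in edges:
        if nxt not in MODES:
            findings.append(f"undeclared mode {nxt!r} reached from {mode} on {event}")
    # 2. Every declared mode is reachable from the initial mode.
    for mode in sorted(MODES - reachable):
        findings.append(f"mode {mode} unreachable from {initial}")
    # 3. Constructed safety property: ACTIVE may only be entered from
    #    ARMED on 'trigger' (an arming interlock).
    for mode, event, nxt in edges:
        if nxt == "ACTIVE" and mode != "ACTIVE" and (mode, event) != ("ARMED", "trigger"):
            findings.append(f"ACTIVE entered from {mode} on {event}")
    # 4. No reachable mode is a dead end: some event must leave it.
    for mode in sorted(reachable):
        if all(step(transitions, mode, e) == mode for e in EVENTS):
            findings.append(f"mode {mode} has no exit")
    return findings


def with_shortcut(transitions):
    """A hypothetical requirements change that lets 'trigger' fire from
    STANDBY, bypassing the arming step. Constructed to show a violation."""
    revised = dict(transitions)
    revised[("STANDBY", "trigger")] = "ACTIVE"
    return revised


def without_trigger(transitions):
    """A hypothetical edit that drops the ARMED->ACTIVE transition,
    leaving ACTIVE and COMPLETE unreachable."""
    return {k: v for k, v in transitions.items() if k != ("ARMED", "trigger")}


if __name__ == "__main__":
    for label, table in [("baseline", TRANSITIONS),
                         ("shortcut", with_shortcut(TRANSITIONS)),
                         ("no trigger", without_trigger(TRANSITIONS))]:
        print(label, check(table) or "OK")
```

Because the model has four modes and five events, exploration is trivial here; the point is that the same loop scales mechanically to hundreds of modes, where a reviewer reading the requirements table by hand would not reliably spot an entry-condition bypass or an unreachable mode.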