Software intensive systems safety analysis

Two important elements in the avionics suite of modern aircraft are: the Flight Control System (FCS) and the Flight Management System (FMS). The FCS provides the capability to stabilize and control the aircraft, while the FMS is responsible for flight planning and navigation. A clear trend in the aerospace industry is to place greater reliance on software systems, and many FCS and FMS subsystems are implemented primarily in software. For example, within the FCS is the Flight Guidance System (FGS) that generates roll and pitch guidance commands. Similarly, within the FMS is the Vertical Navigation (VNAV) function that acts like a third crew member in the cockpit, ordering mode change requests and resetting target altitude values to enable the aircraft to track the vertical flight plan. We have developed formal, executable models of the requirements for the mode logic of a FGS and for portions of the VNAV functionality. We have also conducted a comprehensive software safety analysis on the FGS mode logic model, and are completing the analysis of the VNAV model. This analysis uses as its starting point several "traditional" safety analysis techniques such as a Functional Hazard Assessment (FHA), a Fault Tree Analysis (FTA), and a Failure Mode Effects Analysis (FMEA). However, we are also using formal methods techniques known as model checking and theorem proving to verify the presence of safety properties in the model. This paper summarizes the (now completed) safety analysis that was performed on the FGS model, and highlights the similarities and differences with the (still on-going) safety analysis of the FMS model. In particular, we summarize progress made to date in the use of formal methods to verify the presence of the required safety properties in the models themselves.