Change Management Strategies for Safety-Critical Software

Safety-critical embedded systems go through rigorous verification processes before being put into service. Verification is a major source of cost in the development process because of the rigour with which the verification is carried out. Most designs are subject to high levels of change traffic during development. This greatly increases the cost of the development as the complete system may need to be re-verified to full rigour several times before release to service. Thus there is potential benefit in designing to support ease of change, and focused re-verification after change. We briefly consider the current change management approaches, which have mainly targeted object-oriented software, and indicate some of their limitations when applied to safety-critical software. We then set out a number of proposed principles for the design of systems that facilitate change, and assess their effectiveness by discussing changes made to an aerospace system demonstrator. Their impact on more general software development is also considered.