Diversity of Safety Arguments in the Validation of a Sounding Rocket Destruction System

This work describes an approach for the validation of a software system responsible for the destruction of the sounding rocket VS-40X. The process of validation uses three different techniques ranging from the automatic state exploration to the laborious failure analysis. The purpose of the exercise was to obtain diverse arguments in the provision of evidence that the safety properties of the sounding rocket destruction system are always maintained. The software system is modeled using a co-operative architecture, which contains abstractions for modeling and analyzing the interactions between components. The safety analysis is performed using model checking, a technique that exhaustedly explores the state space to determine whether the system satisfies a safety property. The combination of co-operative architectures and model checking has shown effective when modeling and analyzing the interactive behavior between components. However, caution must be taken over the (false) confidence that can be obtained when employing solely model checking for the safety analysis. In order to compensate this deficiency we have to seek diverse sources of evidence to build trustworthy arguments about the safety of the system. The model checking was substantiated using laborious deductive and inductive analysis techniques.