Software V&V for EarthCARE

Critical Software Technologies has secured a contract to be the principal independent software tester for the EarthCARE (Earth Clouds, Aerosols and Radiation Explorer) mission, a joint European-Japanese space project due for launch in 2013. First conceived in 2009, EarthCARE is the sixth Earth Explorer mission to be launched by ESA as part of its ‘Living Planet’ programme. Its purpose is to improve scientists’ understanding of the cloud, aerosol and radiative processes that affect Earth’s climate: it will observe how clouds and aerosols (natural or man-made) influence atmospheric radiation, and in doing so contribute to climate research and forecasting models. Weighing a little under two tons, the spacecraft will fly a three-year mission in an orbit approximately 400 km above the Earth.

Other UK companies are significant contributors to the mission, among them SSTL and its subcontractor SEA who will together develop and produce the ICU for the Multi-Spectral Imager instrument on board the satellite.

For its part, Critical Software will independently verify and validate the on-board software of this highly complex system. Critical will be predominantly responsible for identifying the areas of the software that are particularly complex or carry a high degree of criticality, and then for ensuring that what is developed meets its stated requirements and is implemented correctly.

Independent Software Verification and Validation (ISVV) is a term that may not be familiar to all software developers. In this context it is a comprehensive process that is undeniably expensive, and so is reserved mainly for projects with either or both of the following attributes: software failures may cause injuries or deaths; and/or software failures may be difficult, if not impossible, to correct once the implementation is live. ISVV typically involves more formal methods and documentation than are used in more mundane developments.

The two ‘V’s are easily confused. The verification part of ISVV involves ensuring that the software conforms to its specification; in other words: “are we building this thing right?”. Validation, on the other hand, asks a more fundamental question: does the software do what the user or specifier originally intended, or “are we building the right thing?”. The distinction matters because a program can pass every test derived from its specification and still be wrong, if the specification itself failed to capture what the mission needed.
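The following Python example is an added illustration of that distinction and is not code from Critical Software, ESA or the EarthCARE project. It uses a constructed fault-detection rule (a hypothetical requirement REQ-PWR-01 with made-up voltage thresholds) and a constructed telemetry trace: verification checks the implementation against the requirement's boundary values and passes, while validation replays a routine eclipse and shows the requirement itself was wrong, which is exactly the kind of defect an independent team is there to find.

```python
"""Verification vs validation on a toy spacecraft power-fault rule.

Added illustration only: REQ-PWR-01, every voltage, threshold and the
telemetry trace below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

FdirRule = Callable[[float, bool], bool]

# --- Requirement as written (constructed) ---------------------------------
# REQ-PWR-01: "The FDIR function shall command safe mode when the bus
#              voltage is below 26.0 V."
SAFE_MODE_THRESHOLD_V = 26.0


def fdir_v1(bus_voltage_v: float, in_eclipse: bool) -> bool:
    """Implements REQ-PWR-01 literally; eclipse state is ignored."""
    return bus_voltage_v < SAFE_MODE_THRESHOLD_V


# --- Verification: "are we building it right?" ----------------------------
# Cases are derived from the requirement text alone (boundary values round
# the threshold). They cannot tell us whether 26.0 V is the right number.
def verify(rule: FdirRule) -> Dict[str, bool]:
    cases = {
        "well below": (20.0, False, True),
        "just below": (25.99, False, True),
        "at threshold": (26.0, False, False),
        "above": (28.5, False, False),
    }
    return {name: rule(v, ecl) == expected
            for name, (v, ecl, expected) in cases.items()}


# --- Validation: "are we building the right thing?" -----------------------
# Mission intent (constructed): the bus routinely dips to about 25.5 V in
# every eclipse while the battery carries the load, and a normal eclipse
# must NOT drop the instruments into safe mode. Validation replays a
# realistic orbit instead of probing the requirement's boundaries.
@dataclass(frozen=True)
class Sample:
    t_s: int              # seconds from orbit start
    bus_voltage_v: float
    in_eclipse: bool


ORBIT: List[Sample] = [   # constructed telemetry trace
    Sample(0, 28.2, False), Sample(600, 27.9, False),
    Sample(1200, 25.6, True), Sample(1800, 25.4, True),
    Sample(2400, 25.7, True), Sample(3000, 27.5, False),
]


def validate(rule: FdirRule, trace: List[Sample] = ORBIT) -> List[int]:
    """Return the timestamps at which the rule would command safe mode."""
    return [s.t_s for s in trace if rule(s.bus_voltage_v, s.in_eclipse)]


# fdir_v1 verifies cleanly, yet validation reports three spurious safe-mode
# commands during the eclipse: the requirement, not the code, is defective.

# --- Revised requirement and implementation --------------------------------
# REQ-PWR-01 rev B (constructed): "... below 26.0 V in sunlight, or below
#                                  24.0 V while in eclipse."
ECLIPSE_THRESHOLD_V = 24.0


def fdir_v2(bus_voltage_v: float, in_eclipse: bool) -> bool:
    """Implements the revised requirement with an eclipse-aware limit."""
    limit = ECLIPSE_THRESHOLD_V if in_eclipse else SAFE_MODE_THRESHOLD_V
    return bus_voltage_v < limit


if __name__ == "__main__":
    for name, rule in (("v1", fdir_v1), ("v2", fdir_v2)):
        print(name, "verification:", verify(rule))
        print(name, "validation safe-mode commands at t =", validate(rule))
```

Note that the verification suite passes for both versions; only the validation replay distinguishes the implementation that conforms to a wrong requirement from the one that does what the mission actually needs.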

The crucial part of ISVV is Independence. In applications that are not mission or safety critical, it is often acceptable to have the same teams carry out all forms of testing at the various stages of the development lifecycle. It could be argued that a certain amount of independence can be obtained by the simple expedient of drawing the test team for a particular part of the system from people who never worked on it directly. Ultimately, there are flaws with such an approach. Firstly, in any integrated system the developers of one part are likely to have some idea of the assumptions underlying the design and implementation of the others, and someone who is already aware of an assumption is more likely than not to accept it without question. Unquestioned assumptions are anathema to the concept of ISVV. Secondly, without true independence, test teams may find themselves under the same management pressures on time and budget that were exerted on the original development team. In the context of a safety critical system this is clearly not a good thing.

As stated earlier, ISVV is expensive: not only because of the comprehensiveness of the process, but also because the independence element introduces yet another party to the project, with additional costs that begin right at the start of procurement. Given this, it is no wonder that ISVV is used mainly on projects where catastrophic failure is a possibility.
Brian Luff, Chairman of Critical Software Technologies, said: “We’re very pleased to be involved in a mission that will give scientists such valuable information about our planet. We’re well aware of how vital it is to the success of the mission that the critical systems on board the spacecraft are as reliable as humanly possible – as a company, Critical Software has almost unparalleled expertise in this field.”

“In the space industry, we are one of a very few companies that are familiar with software in all three segments: launchers, ground control and onboard spacecraft themselves. Software on board spacecraft has the potential to be extremely complex, which is at odds with the necessity for it to also be extremely reliable. Failure of critical software can have catastrophic consequences, and it is clearly vital to have well-tested reliable software on unmanned orbital vehicles of this magnitude.”

This article was published in the December 2010 issue of Aerospace Testing International
