Application of hierarchical accident model in independent verification and validation

The software independent verification and validation (IV&V) is essential, especially in the development of aerospace systems, to improve safety and reliability and to prevent system problems. We have used a hierarchical accident method. This method investigates the latent problems in the development process of a system that have not been thoroughly recognized in past IV&V. The National Transportation Safety Board (NTSB) introduced a model that could hierarchically describe the event chains of accidents as involving three levels [Leveson, 1995]: the first level is the event chain when an accident occurs, the second level represents the conditions that allow the events to occur (the contributing factors), and the third level contains the systemic factors that contribute to the conditions and events. If a systemic factor is detected, there is a possibility of avoiding some of the event chains and the conditions that generate them. A systemic factor includes problems about cultures and rules in a development organization and a system of development, which are barely represented on development documents and accident reports. The NTSB model is usually applied to the accident analysis of airplanes. Although there are differences between an airplane accident and a software problem, if the results of the analysis are properly reflected on the IV&V activity, some viewpoints to investigate the system deeply and essentially could be acquired. Considering the differences, we have applied the NTSB model analysis to software problems and used the results of the analysis in the IV&V. Fifty system problems (mainly software) reported from the operating ground system of a spacecraft have been analyzed using the NTSB model, and more than 100 systemic factors have been acquired. To utilize these systemic factors in the IV&V of the replaced identical system, they have been applied to the IV&V actions. Moreover, we have summarized them to 18 categories, and e- - ight selected categories have been applied to the replaced system´s IV&V because of the limited IV&V budget and schedule. In this paper, the detailed method of IV&V using the NTSB model is introduced and the practical application is demonstrated. We show how it is used in the IV&V.