9.01 Software Design Principles Assuming preconditions and post-conditions are met can lead to hazardous situations and system malfunction. When a system transitions from one state to another, the hardware configuration may change, software controls may be enabled or disabled, or both. For example, a transition from test mode to launch mode may enable the system to execute commands to power on transmitters, fire pyrotechnic devices, deploy mechanisms, and other potentially hazardous operations. When the system transitions back to test mode, commands to execute them can be inadvertently processed, and harm to personnel and equipment can ensue if these operations are not completely disabled. Unverified assumptions about system state can threaten mission success. Useful development practice is to itemize the desired/required state of all aspects of the system at each state transition, and then ensure that all items on the list are implemented and verified. Desired/required states can be asserted by explicit command, or where this is not safe or practical, by verifying via other telemetry (e.g., a valve position might be verified by downstream pressure). Where additional safeguards are required or desired, another design option to consider would be to enforce a man-in-the-loop checkpoint that requires manual operator intervention before a system can transition to a potentially hazardous state. None None None None The NASA Lesson Learned 439 database contains the following lessons learned related to safe transitions:
See edit history of this section
Post feedback on this section
1. Principle
1.1 Rationale
2. Examples and Discussion
3. Inputs
3.1 ARC
3.2 GSFC
3.3 JPL
3.4 MSFC
4. Resources
4.1 References
5. Lessons Learned
5.1 NASA Lessons Learned
9.15 Safe Transitions
Web Resources
View this section on the websiteUnknown macro: {page-info}