This paper reports the results of a small study of requirements changes to the onboard software of three spacecraft subsequent to launch. Only those requirement changes that resulted from post-launch anomalies (i.e., during operations) were of interest here, since the goal was to better understand the relationship between critical anomalies during operations and how safety-critical requirements evolve. The results of the study were surprising in that anomaly-driven, post-launch requirements changes were rarely due to previous requirements having been incorrect. Instead, changes involved new requirements: (1) for the software to handle rare events; or (2) for the software to compensate for hardware failures or limitations. The prevalence of new requirements as a result of post-launch anomalies suggests a need for increased requirements-engineering support of maintenance activities in these systems. The results also confirm both the difficulty and the benefits of pursuing requirements completeness, especially in terms of fault tolerance, during development of critical systems.