• Proposed a SysML-based workflow enabling early validation of cross-organizational safety-critical software.
• Conducted a systematic requirement review for nominal and two-failure-safe scenarios in HTV-X automated docking system development.
• Extracted lessons learned and limitations from the Engineering Model phase application, providing reusable insights for future programs.

This paper presents a Model-Based Systems Engineering (MBSE) approach for the early validation of safety-critical software in cross-organizational development, with lessons learned from its application to Japan's HTV-X automated docking system. The HTV-X, developed by JAXA as an uncrewed cargo spacecraft for ISS (International Space Station) resupply, will conduct a technology demonstration of automated docking compliant with the International Docking System Standard (IDSS). A central system-level challenge lies in coordinating interactions between the HTV-X host vehicle and the Japan Docking System (JDS), each equipped with independent computers and software developed by different organizations. To address this, we formulated a behavior-model-driven validation workflow for evaluating the interface software, utilizing SysML models—including state machines, transition trees, and activity diagrams—to analyze both nominal and off-nominal interactions, including the two-fault tolerance scenarios required for ISS safety. This paper reports the application of the proposed SysML-based workflow during the engineering model (EM) development phase, where behavioral models representing interactions among software developed by different organizations were used in scenario-based software reviews to extract review comments. These comments, derived from discrepancies or ambiguities identified in the interface logic, were analyzed to clarify potential software risks at an early development stage.
From this application, lessons learned were derived on the practicality, strengths, and limitations of the proposed method in software evaluation. By integrating model-based analysis with verification and validation practices, the workflow helped reduce rework, improve interface clarity, and support efficient assurance across organizational boundaries in safety-critical missions.
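As an added illustration of the two-fault tolerance scenario analysis the abstract describes (example code written for this page, not from the paper or from JAXA): a constructed toy model of the host-vehicle/JDS docking sequence, with hypothetical states, fault names and checking responsibilities, evaluated under every combination of up to two faults to find interface logic that lets the sequence end in an unsafe state.

```python
from itertools import combinations

# Constructed toy interface model (hypothetical states and faults, not the HTV-X design).
# Each nominal step: (from_state, to_state, faults that should block that step).
SAFE_HOLD = "safe_hold"          # controlled abort, acceptable end state
UNSAFE = "unsafe_contact"        # end state a two-fault-tolerant design must never reach
NOMINAL_PATH = [
    ("approach",  "capture",   {"host_cmd_lost"}),
    ("capture",   "soft_dock", {"latch_sensor_fail"}),
    ("soft_dock", "hard_dock", {"jds_status_stale"}),
    ("hard_dock", "docked",    set()),
]
# Which side detects a blocking fault (assumed split of responsibility).
JDS_CHECKS = {"host_cmd_lost", "latch_sensor_fail"}   # JDS refuses to advance on its own
HOST_CHECKS = {"jds_status_stale"}                    # host aborts only via its watchdog
FAULTS = {"host_cmd_lost", "jds_status_stale", "latch_sensor_fail", "host_watchdog_off"}


def run(active_faults):
    """Execute the docking sequence under a set of active faults; return the end state."""
    state = "approach"
    for src, dst, blockers in NOMINAL_PATH:
        hit = active_faults & blockers
        if not hit:
            state = dst
            continue
        if hit & JDS_CHECKS:
            return SAFE_HOLD            # JDS-side check aborts regardless of host state
        if "host_watchdog_off" in active_faults:
            return UNSAFE               # host-side check lost: host proceeds blindly
        return SAFE_HOLD
    return state


def two_fault_analysis(faults=FAULTS, max_faults=2):
    """Enumerate all fault sets of size <= max_faults and report unacceptable end states."""
    violations = []
    for k in range(max_faults + 1):
        for combo in combinations(sorted(faults), k):
            end = run(set(combo))
            if end not in {"docked", SAFE_HOLD}:
                violations.append((combo, end))
    return violations


if __name__ == "__main__":
    for combo, end in two_fault_analysis():
        print(f"violation: faults={combo} -> {end}")
```

The single reported violation is the kind of finding the scenario-based reviews in the paper are meant to surface: a fault combination in which the interface logic relies on one side's check that the other fault has disabled.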
Tomita et al. studied this question.