The 30th International Symposium on Space Technology and Science (30th ISTS) (July 4-10, 2015, Kobe Convention Center), Kobe, Hyogo, Japan

Abstract: The purpose of this paper is to propose a risk assessment methodology for adaptive systems designed with emerging technology such as Resilience Engineering. "Resilience" is the intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions [1]. Resilience is a typical characteristic of living organisms. Animals, including human beings, have survived a long history of starvation by adapting wisely to environmental changes, and have thereby acquired cost-effective and robust features. Spacecraft such as deep space exploration vehicles need to survive extremely long mission durations, enduring not only expected but also unexpected conditions. It is therefore highly desirable for them to possess the capability to adapt to changes in their environment. However, risk assessment for this kind of system becomes challenging precisely because of its flexible behavior: the flexibility of the system configuration could itself give rise to unexpected conditions that cause a hazard. If we try to eliminate the flexibility, we may have to give up the adaptive capability itself. Since adaptive features are strongly desired for next-generation space missions, we need to establish a methodology that protects them instead of giving them up.

In this paper, the results of a Resilience Engineering design study for the GNC functionality of a next-generation spacecraft [2] are briefly described first. As a way of adopting Resilience Engineering into the design, redundancy design was reconsidered to mimic nature's "right hand and left hand" type of redundancy. By taking advantage of this resilient feature of nature, we found that the new design becomes significantly more economical, because it has no unused backup resources, and at the same time more robust against common-mode failure, because of its "functionally redundant" characteristics (right hand for the knife, left hand for the fork). Next, a risk assessment methodology using Resilience Engineering is presented. Resilience Engineering does not focus only on "failure" as the source of risk; it also looks at "success". In real life, failure is not the only cause of risk. Especially for a modern intelligent system that is controlled extensively by software, component failure is only one part of the system accident scenario, because software does not "fail" in the way hardware does. Rather, accidents are more typically caused by unexpected interactions among the correct behaviors of functions. For this type of system, the boundary between "nominal (success)" and "off-nominal (failure)" is not necessarily clear. Instead, the system will almost always keep changing or degrading itself in order to adapt to its environment. From this perspective, risk is not always caused by failure, but is hidden in success. Focusing only on rare events (failure) while discarding the vast amount of reality (success) is therefore not wise. For the risk analysis of a modern adaptive intelligent system, it is important to know "why and how it succeeds" rather than "why and how it fails". In the second part of this paper, it is shown how the risk analysis can be conducted by looking at "success".

Document number: AC1500116000