In order to accomplish dependable onboard evolution, we develop a methodology which is called guarded software upgrading (GSU). The core of the methodology is a low-cost error containment and recovery protocol that escorts an upgraded software component through onboard validation and guarded operation, safeguarding mission functions. The message-driven confidence-driven (MDCD) nature of the protocol elim-inates the need for costly process coordination or atomic action, yet guaranteeing the system to reach a consistent global state upon the completion of the rollback or roll-forward actions carried out by individual processes during error recovery. Aimed at validating the effectiveness of the MDCD protocol with respect to its ability, in a real-istic, non-ideal execution environment, to enhance system reliability when a software component undergoes onboard upgrading, we conduct a stochastic activity network model based analysis. The results confirm the effectiveness of the protocol as origi-nally surmised. Moreover, the model-based analysis provides to us useful insights about the system behavior resulting from the use of the protocol under various conditions in its execution environment, facilitating effective utility of the protocol.

To assure dependable onboard evolution, we have developed a methodology called guarded software upgrading (GSU). In this paper, we focus on a low-cost approach to error containment and recovery for GSU. To ensure low development cost, we exploit inherent system resource redundancies as the fault tolerance means. In order to mitigate the effect of residual software faults at low performance cost, we take a crucial step in devising error containment and recovery methods by introducing the "confidencedriven " notion. This notion complements the message-driven (or "communication-induced") approach employed by a number of existing checkpointing protocols for tolerating hardware faults. In particular, we discriminate between the individual software components with respect to our confidence in their reliability, and keep track of changes of our confidence (due to knowledge about potential process state contamination) in particular processes. This, in turn, enables the individual processes in the spaceborne distributed system to make decisions locally, at run-time, on whether to establish a checkpoint upon message passing and whether to roll back or roll forward during error recovery. The resulting message-driven confidence-driven approach enables cost-effective checkpointing and cascading-rollback free recovery.