Software Life Cycle Process - DO-178B

Transcription

1 1(19) Cross reference tables for H ProgSäk (E) and DO-178B A comparison has been made between requirement areas covered by H ProgSäk (E) and DO-178B respectively. Tables for correspondences and differences are presented below. An exact mapping of requirements from one document on associated requirements of another document is not possible. Formulation, structuring and refinement of the requirements within a specific area will always differ between compared documents. The presented tables are therefore only indicative of where matching requirement areas can be found. Section 1 summarizes the main differences between the compared documents. Section 2 contains tables for all requirements of H ProgSäk 1, each identified by a unique label (cf. Legend ). Section 3 includes requirements of DO-178B not covered by H ProgSäk (E). Section 4 and 5 present acronyms and references used in this document. 1. Comparisons between H ProgSäk (E) and DO-178B Both H ProgSäk and DO-178B include guidelines as well as requirements for safety-critical software and describe processes for development of such software. DO-178B requires a System Safety Assessment Process (SSA), which not is described in DO-178B or in any of its referenced documents. Software Life Cycle Process - DO-178B Input from System Life Cycle Process System Requirements allocated to SW, SW Level, Design Constraints, HW Definition Planning Resources Development Products Integral SW Development Environment Configuration Management Quality Assurance Standards Plans Problem Reports SW Development plan SW Certification plan SW Verification plan SW CM Plan SW QA plan SW Req. std. SW Design std SW Development Process System req alloc to sw, hw interfaces, system architecture SW Requirements Data, high-level requirements & derived requirements Design Description, SW architecture & low-level requirements Source Code, compiler instructions, linking&loading data Executable Object Code SW Verification Cases, Procedures & Results Baseline SW Code std. SW req std dev env highlevel compiler Requirement process test env SCM Records, SCM Index, SW Life Cycle Environment Configuration Index, Traceability, Archive SQA Records Software Planning Process Prototyping SW design std Iterations Previously developed SW Design process Low-level req sw architecture Verification process SW code std Coding process Configuration Management process Quality Assurance process Certification Liaison process Source code Verification Cases & Procedures Source code Source code Integration process Object code SW Verification Result SW Accomplishment Summary Ouput to System Life Cycle Process Fault Containment Boundaries, Error Sources identified/ eliminated, SW requirements & architecture 1 Basic requirements (i.e. requirements common to safety-critical as well as non-critical software) are found in H ProgSäk: Chap. 5. General safety requirements for software can be found in H ProgSäk: Chapters 2-4.

2 2(19) DO-178B specifies requirements for: A Certification Liaison Process aiming towards an airworthiness certificate. Project plans for the development project including plans for development, verification, configuration management (CM), and quality assurance (QA). The planning involves establishment of standards for requirement specification, design and coding. The processes for requirements, design, coding and integration The support processes for verification, configuration management and quality assurance Documentation to be produced within the defined processes. DO-178B defines Failure Condition Categories and Software Levels. Some guidance for technical solutions and how to handle COTS and reused software is provided. DO-178B is not a complete lifecycle standard but a complement focused on safety-critical issues for projects developing software for airborne equipment. H ProgSäk requires also a system safety process, described and specified in H SystSäk for the parties involved in procurement of systems for the Swedish Armed Forces (FM), e.g. the FM, the Defence Materiel Administration (FMV), and the Industry. H SystSäk includes safety requirements for all types of systems, the activities and organisation of the system safety work, methods for safety analyses and how to specify and refine the requirements on system and component level. H SystSäk also describes how to attain, maintain and verify safety requirements on system level during development, operation and disposal. For development of safety-critical software the 1996 edition of H SystSäk 2 refers to unspecified sectors of the MIL-STD-498 and the DOD-STD-2168 standards. Society: The public tolerance of deaths and injuries expressed in laws and ordinances. FM specifies the tolerable risk level for a new FM system in a TTFO/ TTEM. FMV produces a system specification including safety requirements. Industry applies a system safety methodology on the system under development and compiles the safety effort in a SCA. FMV produces a Safety Statement, including recommended Safety Restrictions. FM issues a Safety Release/ BOA including Safety Restrictions. H ProgSäk specifies safety requirements for the entire software lifecycle from the conceptual phase to development, operation, maintenance and retirement of the safety-critical software. The 2001 edition of H ProgSäk refers to specific parts of the software lifecycle standard IEC and the software quality standard ISO Compared to DO-178B, H ProgSäk covers a larger part of the lifecycle, specifying more detailed requirements for the lifecycle processes, the software products and their stakeholders. H ProgSäk also contains explanations of different software safety concepts, discussions on various safety issues, safety analysis techniques suitable for software as well as overviews and comparisons between safety standards and handbooks of interest to the defence sector. 2 A new version is planned.

3 3(19) 2. DO-178B compliance with H ProgSäk (E) requirements Compliances and differences in relation to requirements areas covered by H ProgSäk (E). Legend: Column Explanation H ProgSäk Id H ProgSäk Id is a unique requirement identity consisting of 3 parts: The 1 st part (6.) is a unique number for the handbook H ProgSäk within FMV. The 2 nd part is the section number in H ProgSäk where the requirement statement is found. The 3 rd part is letter K followed by the sequence number for the requirement in the section. For a H ProgSäk Id associated to a basic requirement 1 a reference is given to the section in table 5.1 or 5.2 where the basic requirement is listed (e.g K1: Cf ). A single H ProgSäk Id addressing several sections in ISO/IEC is below refined by appending the section number within quotes (e.g K1 6.3 in Table 5.1). One table entry per section is provided (see table 5.1 below). A further refinement into subsections is made if needed for the comparison (e.g K in Table 5.2). Critic. The criticality categories for which the requirement H ProgSäk Id applies are specified: H(igh), M(edium), L(ow) for software of high, medium or low criticality, B(asic) for a requirement relevant to safety-critical as well as non-critical software. DO-178B References to matching requirements in DO-178B are provided in the following format: paragr. a) Specified references are either one or a few direct references to matching sections in DO- 178B, or a broader reference to an entire chapter (the latter denoted Chap. ). b) A parenthesized reference means that the referred section is in the spirit of the H ProgSäk requirement, but without any obvious match. c) - denotes that the requirement area is not at all covered by DO-178B (further explanations may then be provided in the Comments column). d) + indicates that matching DO-178B references are listed in the subtable specified in the Comments column (may be relevant to a H ProgSäk Id representing a basic requirement). Comments The column includes remarks concerning the type of partial coverage that the specified DO-178B reference involves (case a-b above), requirement areas not covered by DO-178B (case c above), the subtable in this document, where for a basic requirement matching DO-178B sections are listed (case d above), or DO-178B Annex A other explanations or exceptions. Capital letters A-D in references to DO-178B Annex A refers to DO-178B software levels. Letters in reverse background denotes software lifecycle data which must be created with independence (from the developing organisation). A blank in any of the first 3 columns in the tables below is a sign of omission, which should be solved.

4 4(19) H ProgSäk E Chapter 2. CLIENT/END-USER (FM) Personnel 6.21K1 - No requirements for the client. 6.21K2-6.21K3-2.2 Control processes 2. System safety planning, management and assessment 6.221K1 - No requirements for the client K2a K2b K2c The FM Defence Materiel Acquisition Process No requirements 2.4 Products TTFO, TFOTM (TTEM, TEMU) 6.241K1 - No requirements for the client K K K K5 -

5 5(19) Chapter 3. ACQUIRER (FMV) 3.1 Personnel 6.31K1 - No requirements for the purchaser. 3.2 Control processes 3. Project planning, management and assessment 6.321K1: Cf B - No requirements for the purchaser System safety planning, management and assessment 6.322K K2 - No requirements for the purchaser K K K Quality control 6.323K1: Cf Quality assurance 6.324K1: See 5.1. B K2a K2b K2c K2d K2e - B - No requirements for the purchaser. No requirements for the purchaser. 3.3 The FMV Defence Materiel Acquisition Process H ProgSäk Id DO-178B paragr. Comments on DO-178B DO-178B Annex A Studies Procurement 6.332K1: See B - No requirements for the purchaser Operation and Maintenance (Lifecycle Management, LCM) 6.333K1: See Modifications of a completed system K K K K Disposal B - No requirements for the purchaser. No requirements for the purchaser. 3.4 Products H ProgSäk Id DO-178B paragr. Comments on DO-178B DO-178B Annex A Statement of Work (SOW) 6.341K1 - No requirements for the purchaser.

6 6(19) 3.4 Products H ProgSäk Id DO-178B paragr. Comments on DO-178B DO-178B Annex A K2 H K K4 HM K5 H K K Time Plans (Operational Plans) (TP) Lifecycle Management Support (LCMS) 6.343K1a - No requirements for the purchaser K1b K2 H Technical Specification (TS) 6.344K1 - No requirements for the purchaser K K3 H K K5 HM K6 - H ProgSäk E Chapter 4. SUPPLIER 4.1 Personnel 6.41K1 - Requirements for personnel can only be derived 6.41K2a - from the process requirements. 6.41K2b K3 H K4 M K5 HM K6-6.41K7-6.41K8-6.41K8a H K8b M K8c L K8d Control processes 4. Project planning, management and assessment 6.421K1: See 5.2. B + See K2 - No requirements for staff System safety planning, management and assessment

7 7(19) 4.2. Control processes 6.422K1 - A System Safety Program Plan (SSPP) is assumed to exist on the level above the one addressed by DO-178B Quality control 6.423K1: See B Quality assurance 6.424K1: See B + See K2 6.3, Configuration management 6.425K1a: See B 7.1a + See K1b: See B See K1c: See B 11.0h + See Production processes 6.43K1: See B + See K2 H 1.1 A SSA Process is assumed to exist on the level above the one addressed by DO-178B. 6.43K3 H K4 H Development model 6.431K1: See B + See Development methodology 6.432K1: See B + See Formal methods K1 HM K2 (6.4.1a) Does not cover formal methods Verifications iews (manual verification) K Static analysis (source code verification) K K2a 6.3.4b A-5.2(ABC) K2b 6.3.4d A-5.4(ABC) K2c 6.3.4d A-5.4(ABC) K2d HM 6.3.4d A-5.4(ABC) K2e H (6.3.4f) A-5.6(ABC) K Behaviour analysis

8 8(19) 4.3. Production processes Object code analysis K1 H ( b), 6.1d, K2 H Dynamic analysis (verification by test) K1: See B + See K2.1 Safety requirements are handled as high-level K3a K3b HM K3c H K4a K4b K4c - requirements allocated to software. Different test levels not explicitly addressed K5 HM a, c-d A-7.7(ABC) K6 H 6.4d, a, a A-7.6(AB) A-7.7(ABC) K7 H - Same as K6 in the spirit of DO-178B K b, a, a DO-178B has no specific requirements for testing of multiple simultaneous error conditions. A-7.6(AB) A-7.7(ABC) K9 - No requirement for when testing shall be conducted K a, a A-7.6(AB) A-7.7(ABC) K K12 HM c-d Deals with all code which is not used in operational modes K d K14 6.2c, 6.4.1a The term final test does not exist in DO-178B K K Statistical failure analysis Failure forecasting K1 H K2 H Resource analysis K K c, 6.3.2c A-4-3(AB) K a-bullit K a Software safety analysis 6.433K K K K K5 H K K7 HM K8 - SSA is not part of DO-178B.

9 9(19) 4.3. Production processes 6.433K9 H K K K K Production environment Support tools Configuration management system K1 HM Chap. 7 DO-178B dictates no requirements for tools. Tools are however necessary to fulfill the requirements K2: See B + See Failure reporting system K DO-178B only covers software development and documentation for the continued life-cycle. DO-178B dictates no requirements for tools K2: See B + See K3 (7.2.3) However not nearly as detailed as in 4412K K4 - No requirements for how tools shall work Requirement management tools K1 H (6.3.1f, 6.3.2f, 6.3.4e) DO-178B dictates that requirements shall be traceable. There is however no requirement for any tools K2a H (7.1h) K2b H (7.1h) Software tools 6.442K1a K1b H 12.2 No requirements for independent qualification nor for official standards K2 H 12.a-b 6.442K3 (12.2) Necessary SSA done outside DO-178B K Formal tools K Code generators K1 H 4.4.1, K2 HM ( ) Known bugs can be perceived as an operational limitation K3 H K K c K c K7 HM (12.2) DO-178B allows any optimization as long as such are qualified K8 L 4.4.2a

10 10(19) 4.4 Production environment K9 H K10 H K11 ML 4.4.2b, b A-7.7(ABC) Static and dynamic analysis tools K1 HM K2 HM K3 - DO-178B dictates no requirements for usage of tools Emulated target machine 6.443K DO-178B does not dictate any minimum level of similarity between target and emulator K2 (12.2.3) DO-178B requires qualified tools to be documented K3 - Not explicitly stated in DO-178B, however understood. 4.5 Products Standard products Reused components Off the shelf items 6.451K1 H K2a ML (12.3.5) 6.451K2b ML K2c ML 1.4, 11.3i, 6.451K K K The requirement is true for all software K K K K K10 HM 6.451K11 HM 6.451K K K14a 1, 7.2.4d, 6.451K14b 7.2.5b, 11.3h 6.451K14c 6.451K14d 6.451K14e New software development 4.5. Specification K1: See K2 H 5.1.2h, 5.1.2i, 5.1, K3 M 5.1.2h, 5.1.2i, 5.1, Software architecture / top level design K1 2.3 (1) Falls within possibly necessary tasks to satisfy 1, but not nearly this detailed in DO-178B. B + See Regression tests are not mentioned in DO-178B. It is however in practice necessary to achieve a certification if changes are made.

11 11(19) 4.5 Products Fundamental design principles K1 4.1e, 4.5c, 5.2.2a A-1.5(ABC) K2, 5.2.2c-e, K3 - A fraction of this is covered in l Safety-oriented design principles General principles K1 4.5c, 6.3.3d-e, 6.3.4c-d K2 - Follows automatically from using DO-178B K K K5 7., K No strict correspondence between DO-178B partitioning and SW configuration items in general K7 HM (5.1.2a) In a general sense K8 HM K c K10 HM c K d K12 HM 5.5c, d Risk reduction K1a.2, How to handle risks is part of the SSA and not K1b described in DO-178B K1c K2 HM 2.3.3c K K K K K7 ML 2.3.3c K8 H No requirement for physical separation K9 - SSA not part of DO-178B Resource and time allocations (real-time) - Scheduling algorithms K c, 6.3.4f, e K2 - No requirement for memory allocation Defensive programming K K K K K K K K K K K11 - DO-178B contains no instructions on defensive programming.

12 12(19) 4.5 Products K12 H Error handling - Error recovery - Fault tolerance K K K K K K6 HM - Must be handled in external system requirements or design standards K K K Language and language constructs K K K K K K K K K K K K12a K12b K12c K13a K13b K13c K13d K13e Language constraints K1 4.5c, K2 11.8a K3 HM K Coding Instructions K1a K1b 11.8b, 11.8c K1c 11.8d K1d 11.8e K1e 11.8 Not explicitly mentioned but may very well be part of a good coding standard K K d Interfaces K K2 HM K3 -

13 13(19) 4.5 Products K K K K K K K K K K K K15 HM K K K K19 HM K20 HM K K K23 HM K24 M K25 H K K Detailed design Test software for operation and maintenance K K d K K Implementation / Code Changes during production K1a 7.2.5b SSA is not part of DO-178B K1b K1c K1d 7.2.4b K1e 1.1, 11.3h Regression tests are not explicitly mentioned K1f 1.1, 11.3h Regression tests are not explicitly mentioned Documentation / Information K1: See B + See K DO-178B defines the Software Accomplishment Summary as the primary data item to show compliance with the Plan for Software Aspects of Certification. Aimed to airworthiness certification of SW controlled equipment K3 HM (Chap. 7) No strict requirements addressing the level of granularity K4 L (Chap. 7)

14 14(19) 4.5 Products Development K1a Approximately 11.9, K1b In particular System Lifecycle Management (LCM) K1a K1b K1c K1d K1e K1f K1g K1h Software maintenance K1a K1b Documentation list Target computer environment 6.453K1a K1b (2.3.3) 6.453K1c Operating and run-time systems K K2 2.4f 2.4f deals with all COTS (including O/S) K3 2.4f 2.4f deals with all COTS (including O/S) K K5: See B K6a K6b K6c Hardware equipment K1 - H ProgSäk E Chapter 5. BASIC REQUIREMENTS 5.1 Acquirer H ProgSäk Id DO-178B paragr. Comments on DO-178B DO-178B Annex A Personnel (blank section) Control processes 5.1. [ Quality assurance] K No requirements for the purchaser K K K K The FMV Defence Materiel Acquisition Process

15 15(19) 5.1 Acquirer H ProgSäk Id DO-178B paragr. Comments on DO-178B DO-178B Annex A [ Procurement] K1 - No requirements for the purchaser [ Operation and Maintenance (Lifecycle Management, LCM)] K1 - No requirements for the operational phase K Supplier H ProgSäk Id DO-178B paragr. Comments on DO-178B DO-178B Annex A. 5. Personnel (blank section) Control processes 5.2. [4.. Project planning, management and assessment] K1 7.1 Chap. 4 DO-178B does not cover project management tasks such as time schedules, resource allocation, responsibilities, costs or progress reports K2a - Resource and time estimates are not covered by DO-178B K2b Chap K2c Chap Environment, Language and compilers. See also 12.2 Tool Qualification K2d Chap K2e - DO-178B does not explicitly cover stepwise development K2f - Covered at some extent in additional considerations K2g - DO-178B does not explicitly handle how-to introduce corrections with respect to regression tests [ Quality control] K K2 - DO-178B does not cover any general QA-system [ Quality assurance] K1 6.3 Chap. 8 DO-178B SQA-process dictates no requirements for the commercial contracts, staff knowledge/training or for any general organisational QA-system (e.g. ISO9001) K (Contr. verif.) K (Process verif.) K (Req:s verif.) - A-1.1 (ABCD) A-1.2 (ABC) A-1.3 (ABC) A-1.4 (ABCD) A-1.5 (ABC) A-1.7 (ABC) A-9.1 (ABCD) A-9.2 (AB) A-9.3 (ABCD) 4.6 A-1.6 (ABC) A-1.7 (ABC) 6.3.1, A-3.1 (ABCD) A-3.2 (ABCD) A-3.3 (AB) A-3.4 (ABC) A-3.5 (ABC) A-3.6 (ABCD) A-3.7 (ABC) A-4.1 (ABC) A-4.2 (ABC) A-4.3 (AB) A-4.4 (AB) A-4.5 (ABC) A-4.6 (ABC) A-4.7 (ABC)

16 16(19) 5.2. Supplier H ProgSäk Id DO-178B paragr. Comments on DO-178B DO-178B Annex A K (Design verif.) A-4.8 (ABC) A-4.9 (ABC) A-4.10 (AB) A-4.11 (AB) A-4.12 (ABC) K (Code verif.) K (Integr. verif.) K A-4.13 (ABCD) A-5.1 (ABC) A-5.2 (ABC) A-5.3 (AB) A-5.4 (ABC) A-5.5 (ABC) A-5.6 (ABC) A-5.7 (ABC) Chap. 11 (Doc. verif.) K Certification Liaison Process covers the aspects of presenting records to authorities for certification K K d, [ Configuration management] K1 6.2 Chap. 7 A-8.1 (ABCD A-8.2 (ABCD) A-8.3 (ABCD) A-8.4 (ABCD) A-8.5 (ABCD) A-8.6 (ABCD) K2 7.1b [4.3. Production process] 6.523K1 5.3 Chap. 3 IEC Development Process is in general covered in the DO-178B life-cycle processes [ Development model] K1 Chap. 5 DO-178B does not specify a development process in detail K2 Chap. 5, 3.3 A- (ABCD) A-2.2 (ABCD) A-2.3 (ABCD) A-2.4 (ABCD) A-2.5 (ABCD) A-2.6 (ABCD) A-2.7 (ABCD) [ Development methodology] K1 Chap.5, 4.5 DO-178B does not specify any methodology. 4.5 does however call for specifying standards to be used. A-1.5 (ABC) Verifications [ Dynamic analysis (verification by test)] K A-7.3 (ABCD) A-7.4 (ABC) 3 See also K2c

17 17(19) 5.2. Supplier H ProgSäk Id DO-178B paragr. Comments on DO-178B DO-178B Annex A K2 4.3-bullit-3, 11.3 No requirements for during which phases. A-1.1 (ABCD) K K d, 11.3h K5 6.4 DO-178B specifies the test levels HW/SW, SW integration and object code level. In DO-178B all tests must be formal (as in contrast to ad-hoc) K6 - DO-178B does not cover the precise activities K7 - DO-178B does not cover the precise activities K8 11.3c K K10 6.4d K a A-7.5 (A) A-7.6 (AB) A-7.7 (ABC) A-7.8 (ABC) K12a 6.4.a, a K12b 6.4.a K13a c K13b (6.4b) If a feature = requirement specified functionality, it will be covered in the requirement based testing K13c K13d K13e K13f If performance is considered a requirement, it will be covered in the requirement based testing K13g - DO-178B does not explicitly cover recovery K Production environment Support tools [ Configuration management system] K1 Chap. 7 DO-178B dictates no requirements for tools. Tools are however necessary to fulfill the requirements [ Failure reporting system] K1 - DO-178B dictates no requirements for a Problem Resolution Process and stipulates that the CMprocess shall provide control over such tasks K , A-8.3 (ABCD) K K K5 - DO-178B does not dictate any requirements for organisation, staff or roles Products Standard product (blank section) New software development [4.5.. Specification] K K h, 5.5 DO-178B dictates no explicit traceability requirements for defect reports. 4 See also K2b

18 18(19) 5.2. Supplier H ProgSäk Id DO-178B paragr. Comments on DO-178B DO-178B Annex A K e [ Documentation / Information] K1 - DO-178B only dictates content and purpose of documents (life-cycle data), not how to produce and maintain such K DO-178B does not explicitly dictate that documentation must be correct and current. It will however not pass verification unless it is K3 (11.10d) Target computer environment [ Operating and run-time system] K1a K1b K1c K1d K1e K1f -

19 19(19) 3. Features in DO-178B not covered by H ProgSäk A summary of areas or requirements covered by DO-178B but not by H ProgSäk. H ProgSäk divergence from DO-178B DO-178B Requirement section DO-178B requirement number Comments on H ProgSäk sections 2.4 System Considerations for 2.4a-d Modified COTS addressed in User-Modifiable Software 2.5 System design Considerations 2.5 for Field-Loadable software 9.0 Certification Liaison Process Overview of Aircraft and 10.0 Engine Certification Exhaustive Input Testing Product Service History Acronyms BOA/SR Beslut om Användning /Safety Release (Decision on system usage issued by FM) CM Configuration Management COTS Commercial Of The Shelf FM Försvarsmakten (the Swedish Armed Forces) FMV Försvarets Materielverk (the Swedish Defence Materiel Administration) QA Quality Assurance Software Level Criticality category defined in DO-178B SS Safety Statement (a formal safety approval by FMV submitted to FM) SSA System Safety Assessment. DO-178B assumes a SSA process (System Lifecycle process) generating input to the Software Life Cycle processes. TTEM/TTFO Taktisk Teknisk Ekonomisk Målsättning / Tactical Technical Financial Objective Swedish Armed Forces requirements for defence materiel purchasing 5. References [1] Försvarsmaktens handbok för programvara i säkerhetskritiska tillämpningar, M , H ProgSäk [2] Handbook for Software in Safety-Critical Applications, M , H ProgSäk E (English version) 6. [3] Försvarsmaktens handbok för Systemsäkerhet, M , H SystSäk [4] System Safety Manual, M , H SystSäkE [5] Information technology Software life cycle processes, ISO/IEC 12207, [6] Software Considerations in Airborne Systems and Equipment Certification, RTCA DO-178B, Dec. 1, See under Publikationer: Handböcker: H ProgSäk A translation from Swedish of previous reference (for H ProgSäk E see web site listed in footnote 5 under Engelsk version ).