SAFE SOFTWARE FOR SPACE APPLICATIONS: BUILDING ON THE DO-178 EXPERIENCE. Cheryl A. Dorsey Digital Flight / Solutions cadorsey@df-solutions.

Similar documents
Parameters for Efficient Software Certification

AC REUSABLE SOFTWARE COMPONENTS

CERTIFICATION MEMORANDUM

1. Software Engineering Overview

The Impact of RTCA DO-178C on Software Development

Rev 1 January 16, 2004

asuresign Aero (NATEP Grant MA005)

Subject Software Aspects of Certification

Certification Authorities Software Team (CAST) Position Paper CAST-13

Software Review Job Aid - Supplement #1

Certification Authorities Software Team (CAST) Position Paper CAST-26

3 August Software Safety and Security Best Practices A Case Study From Aerospace

RTCA DO-178B/EUROCAE ED-12B

DO-178B compliance: turn an overhead expense into a competitive advantage

Certification Authorities Software Team (CAST) Position Paper CAST-9

Meeting DO-178B Software Verification Guidelines with Coverity Integrity Center

Certification of a Scade 6 compiler

DO-178B/C Differences Tool

Automating Code Reviews with Simulink Code Inspector

WORKSHOP RC EVI Integração de Sistemas Junho de 2011 Eng. Nelson José Wilmers Júnior

WIND RIVER RTCA DO-178 SOFTWARE CERTIFICATION SERVICES

Software Classification Methodology and Standardisation

Integrating System Safety and Software Assurance

F-22 Raptor. Agenda. 1. Motivation

Fundamental Principles of Software Safety Assurance

ENEA: THE PROVEN LEADER IN SAFETY CRITICAL AVIONICS SYSTEMS

Safety Analysis and Certification of Open Distributed Systems. P. M. Conmy; Department of Computer Science, University of York, York, YO10 5DD U.K.

SCADE SUITE SOFTWARE VERIFICATION PLAN FOR DO-178B LEVEL A & B

The new software standard for the avionic industry: goals, changes and challenges

ARINC 653. An Avionics Standard for Safe, Partitioned Systems

Software Process for QA

Introduction of ISO/DIS (ISO 26262) Parts of ISO ASIL Levels Part 6 : Product Development Software Level

An Interactive Video Teletraining Course. IVT Course Self-Study Video Course 25823

Best practices for developing DO-178 compliant software using Model-Based Design

Software Life Cycle Process - DO-178B

New Challenges In Certification For Aircraft Software

SOFTWARE VERIFICATION RESEARCH CENTRE SCHOOL OF INFORMATION TECHNOLOGY THE UNIVERSITY OF QUEENSLAND. Queensland 4072 Australia TECHNICAL REPORT

DO-254 Requirements Traceability

Creating Competitive Advantage: The role for ALM in the PLM world

Reverse Engineering Software and Digital Systems

Reduce Medical Device Compliance Costs with Best Practices.

Andrew J. Kornecki Embry Riddle Aeronautical University Daytona Beach, FL

FAA Requirements Engineering Management Handbook!

How To Write Software

3SL. Requirements Definition and Management Using Cradle

Advisory Circular. U.S. Department of Transportation Federal Aviation Administration

Improving Embedded Software Test Effectiveness in Automotive Applications

TITLE: Control of Software

Introduction to a Requirements Engineering Framework for Aeronautics

Quality in Aviation Software. Chris Hartgroves C.Eng. CQP Design Assurance SELEX Galileo

Certification Authorities Software Team (CAST) Position Paper CAST-3

Safety-Critical Systems: Processes, Standards and Certification

Technical Standard Order

The Comprehensive and Fully Compliant Certification Solution. Certification Services

The Road from Software Testing to Theorem Proving

Software Safety Engineering Education

Methodological Handbook. Efficient Development of Safe Avionics Software with DO-178B Objectives Using SCADE Suite

Design & Manufacture Seminar SOFTWARE SECURITY & DESIGN ASSURANCE JAYSON ROWE SENIOR ENGINEER AVIONICS

Aviation Safety Policy. Aviation Safety (AVS) Safety Management System Requirements

Interactive Guidance for Safety Critical Avionics

Critical Systems and Software Solutions

Agile Model-Based Systems Engineering (ambse)

5 Certifiable safe airborne software process analyses

Chap 1. Software Quality Management

Software in safety critical systems

Software testing. Objectives

Chapter 10. System Software Safety

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL

Mission Operation Ground. ESA. Mario Merri GSAW, Los Angeles, USA 2 Mar 2011 ESA UNCLASSIFIED

codebeamer INTLAND SOFTWARE codebeamer Medical ALM Solution is built for IEC62304 compliance and provides a wealth of medical development knowledge

JSF Software Safety Process: Providing Developmental Assurance

DNV GL Assessment Checklist ISO 9001:2015

Requirements Engineering Management Findings Report

IBM Rational Rhapsody

8. Master Test Plan (MTP)

Software Development: The Waterfall Model

Effective Application of Software Safety Techniques for Automotive Embedded Control Systems SAE TECHNICAL PAPER SERIES

STANDARD REVIEW PLAN

Certification Authorities Software Team (CAST) Position Paper CAST-15

What is a life cycle model?

Certification Authorities Software Team (CAST) Position Paper CAST-18

How To Understand The Requirements Of The Software Safety Handbook

Operation of Aircraft

Project Risk Management: IV&V as Insurance for Project Success

DO-178C: A New Standard for Software Safety Certification

Certification Authorities Software Team (CAST) Position Paper CAST-10

Software Project Models

MODEL REGULATION SAFETY MANAGEMENT SYSTEM REGULATION. International Civil Aviation Organisation

TRAINING CATALOGUE. All courses can be animated in French or English. APSYS french training agreement : N TRAINING CATALOGUE

ISOLATING UNTRUSTED SOFTWARE ON SECURE SYSTEMS HYPERVISOR CASE STUDY

Reaping the benefits of Reusable Software Components

Airworthiness and Maintenance Requirements for U.S. Registered Aircraft

Ethical Issues in the Software Quality Assurance Function

The evolving ARINC 653 standard and it s application to IMA

AS9100C Revised Standard Improves Aerospace Quality

Transcription:

SAFE SOFTWARE FOR SPACE APPLICATIONS: BUILDING ON THE DO-178 EXPERIENCE Cheryl A. Dorsey Digital Flight / Solutions cadorsey@df-solutions.com DIGITAL FLIGHT / SOLUTIONS

Presentation Outline DO-178 Overview What vs. How Standard System Safety Process (begins prior to software development) Software Tie to System Safety Requirements Traceability Standards Verification Quality Assurance Good Practices Conclusion

DO-178 Overview Presentation Context DO-178 International Standard for Assurance of Software Used in Civil Airborne Systems Also used in other Mission Critical Industries Current Status Latest Version is DO-178C (2012) Same Overall Concept as DO-178B (fixes mistakes, adds tribal knowledge) Four New Supplements (Tool Qualification, Formal Methods, OO, Model Based Development) Presentation Context Relevance to Space Community What v. How Standard Strengths and Weaknesses Best Practices RTCA SOFTWARE CONSIDERATIONS IN AIRBORNE SYSTEMS AND EQUIPMENT CERTIFICATION DOCUMENT NO. RTCA/DO-178B December 1, 1992 Prepared by: SC-167 Requirements and Technical Concepts for Aviation

What vs. How Standard Objective Based Approach Qualitative Requires some tribal knowledge 1 Objectives and Reference Control Category by SW level Objective Output SW Level Description Ref A B C D Description Ref A B C D Test procedures are correct. 6.3.6 b Verification Results 11.14 2 2 2

PSAC High-Level Reqs SDP Derived High- SVP Level Reqs CMP Trace data SQAP Verification Standards Results Slide Planning Four Annex Tables for Verification of Development and Test Processes Verification of Development and Test Table A-3 Table A-4 Table A-5 Table A-7 Requirements Table A-2 Design Design Architecture Low-Level Reqs Derived Reqs Trace Data Verification Results 2.5 Code/Integration Source Code Trace data Executable Object Code Verification Results Table A-6 Integration/Test Test Cases and Procedures Test Results Trace Data Verification Results

An Example of What Taken From Annex A Table 3 DO-178 attributes of requirements: High level requirements conform to system requirements High level requirements are accurate and consistent High level requirements are compatible with target computer High Level Requirements are Verifiable High level requirements conform to standards High level requirements are traceable to system requirements Algorithms are accurate

System Safety Process SAFETY ASSESSMENT Aircraft FHA SYSTEM DEVELOPMENT Aircraft Functions Aircraft Rqmts. Failure Conditions, Effects CCA Separation Rqmts. Separation Verification Failure Conditions, Effects, Classification System FHA Failure Conditions, Effects, Classification, Safety Objectives PSSA Items Rqmts, Safety Objectives Analyses SSA System Functions System Architecture Architecture Rqmts. Items Rqmts, Analyses Required Analysis Results Allocation of Rqmts. To Systems Development of System Architecture System Implementation 06/04/98 Certification (Taken from ARP 4754)

Airworthiness Requirements System Operational Requirements Systems Software Tie SYSTEM LIFE-CYCLE PROCESSES System Safety Assessment Process System Requirements Allocated to Software Software Level(s) Design Constraints Hardware Definition Fault Containment Boundaries Error Sources Identified and Eliminated Software Requirements and Architecture Slide 2.8 SOFTWARE LIFE-CYCLE PROCESSES Introduction to DO-178B Taken from DO-178B

Safety Tie To Software DO-178 References System and Safety Standard (ARP4754) Section 2 of DO-178 - Informative Section (no objectives) Safety is really a systems property in civil airborne DO-178b Safety Processes Assumes safe requirements as an entry point Extensive Verification (assures requirements are met) Safety Review of Derived Requirements (may not be enough) Best Practices

Requirements Use of non-standard requirements terminology High level requirements vs. Low level requirements Derived requirements definition and understanding Leads to problematic non-standard practices Combined low and high level requirements Derived requirements not tagged as derived Pseudo-code as low-level requirements Implementation not requirements/testability Maintenance issue after original development

Requirements Best practices for requirements Assure clear criteria is established for DO-178 requirement review Independently develop requirements based tests in parallel to assure the requirements are testable Provide clear definition and criteria for derived requirements

Traceability Traceability is a clear strength of DO-178 One way trace upward to system requirements allocated to sw Two way trace between high level requirements and low level requirements Two way trace between low-level and code Trace between tests and requirements Forward trace assures all requirements are implemented Backward trace assures nothing but requirements implemented (no unintended function on the aircraft)

Traceability Review of requirements traceability After each phase during verification Again during requirements coverage analysis (requirement completely tested (normal and robust), structure covered Best practices Clear guidance (review criteria) for tracing Nothing but the requirements are implemented (unless derived) Independent trace review in each direction and compare the results for high criticality

Standards Three development standards Requirements, Design, Code Standards in DO-178 do not assure good practices Often minimal and add little toward design assurance Best practice Use a strong standard like (MISRA or a subset of it) for DAL A and B Although not required by DO-178, use a testing standard to assure all requirements are fully tested (normal and robustly) with observable results (you don t want to find problems at the certification reviews)

Verification Reviews Requirements review Design Review (low level requirements and architecture) Code Review Test Review Testing Normal and robustness Structural Coverage of the code via requirements based testing MCDC (catastrophic), Decision (hazardous), statement (major)

Verification Analyses Data Coupling Control Coupling Requirements Coverage Stack Depth Memory Margin Worst Case Timing Analyses lack clear guidance and objectives, therefore often do not meet the intent

Verification Verification is a strength of DO-178 DO-178 is an assurance standard and verification intensive (measuring stick put over development). When done correctly, assurance is gained through a series of reviews, analysis and tests DO-178 could benefit in clearer guidance with respect to: Review criteria Clear objective criteria for each analysis Strong criteria for robustness testing commensurate with safety classification

Quality Assurance DO-178 Quality Assurance is really process assurance Main concept - say what you do (planning), do what you say (follow the plans), prove it (records) If Quality is not built into the process, than quality is not assured Quality is often not involved at key points as prescribed by DO-178 transition criteria (between each life cycle phase) Quality assurance often does not review the CM of development and verification artifacts To work QA should be fully engaged throughout DO-178 does require dated records for each QA activity (check the checker)

Good Practices in the Airborne Community Required four certification reviews called SOIs Planning, development, verification, final Support for reviews found in FAA Order 8110.49 Good news FAA Software Job Aid provides a more detailed set of evaluation criteria at the SOI audits to mitigate weaknesses of DO-178 Bad news is many companies do not know of this or use it during their development.

Conclusions Strength of DO-178 is when understood and implemented correctly provides an excellent mechanism to assure software is bug free To be effective it requires good knowledge of software engineering and process Strength and weakness is that it is not prescriptive Not tied to any specific lifecycle or methodology Requires a key knowledge of good SW Engineering processes and implementation Could benefit by clear examples and more How guidance

Conclusions (con t) Needs a stronger tie to systems and safety architectural mitigations (e.g. monitors) are implemented correctly and tested robustly Stronger tie, with feedback to systems and safety when requirements are not understood, missing, or too weak to implement ECSS has a safety process built in to the software process (this would benefit DO-178)