EUROCAE - ED-153
GUIDELINES FOR ANS SOFTWARE SAFETY ASSURANCE
Publication Date: 1 August 2009
This document applies to software that forms part of an ANS system. Its scope covers the whole lifecycle of software within an ANS system; aircraft (airborne) software is out of scope, so the document is limited to the "ground" segment of ANS.
This document assumes that a risk assessment and mitigation process has already been undertaken, together with an a priori system safety assessment (e.g. a SAM FHA and SAM PSSA), where "system" includes people, procedures and equipment; the results of these assessments form an input to this document.
This document is limited to software safety assurance and any references to software lifecycle data are made solely within the context of software safety assurance. Documentation not related to software lifecycle data is therefore out of scope.
This document covers:
• Guidance for an ANSP to establish a software safety assurance system;
• Guidance for software suppliers on the necessary software safety assurance regarding products and processes;
• A reference against which stakeholders can assess their own practices for software safety assurance of: specification, design, development, operation, maintenance, and decommissioning;
• A software assurance process that will promote interoperability through its common application to ANS software development.
An increasing proportion of safety-critical Air Navigation Service (ANS) functions are being supported by software. This shift towards more automated ANS functions assumes at least equal, if not improved, levels of safety and efficiency provided by the overall system. Therefore, it is necessary to offer guidance on how to assure that the risk associated with deploying the software is reduced to a tolerable level.
This document provides:
• Recommendations and requirements on the major processes necessary to provide safety assurance for software in ANS systems, including:
- A Software Assurance Level (SWAL) allocation process;
- A list of objectives to be satisfied per SWAL;
- A SWAL grading policy, i.e. the definition of a policy and its rationale to justify and substantiate the stringency of the objectives to be met per SWAL;
- The identification of some appropriate activities (techniques or methods) to achieve these objectives, principally through referencing existing standards that offer guidance on how to provide evidence and confidence that these objectives are achieved and the SWAL is satisfied;
This document also provides:
• A recommended ANS Software lifecycle and its associated activities in support of achieving the objectives identified herein;
• A reference to other standards (focusing on ED-109/DO-278, ISO/IEC 12207, IEC 61508, CMMi and ED-12B/DO-178B) that relate to the identified objectives;
NOTE: ISO/IEC 12207, ED-12B/DO-178B, ED-109/DO-278 and IEC 61508 consider a system to consist of hardware and software only; consequently, the people and procedure aspects of a system are not taken into account by these four standards.
• An assessment of the referenced standards' coverage of the recommended lifecycle and its associated activities for the development, operation and maintenance of ANS software.
• Guidance towards satisfying ESARR6 and EC Regulation 482/2008 (see Annex C). This guidance does not address the generation of the required safety arguments; generating the safety arguments that use the evidence produced by the SWAL processes is outside the scope of this document. Formal compliance with ESARR6 cannot be claimed on the basis of this document, since stating such compliance is the responsibility of the Eurocontrol Safety Regulation Commission (SRC).
NOTE: Whilst the objectives described in this document support the achievement of many (but not all) of the articles within EC Regulation 482/2008, compliance with any such article cannot be claimed on the basis of this document, as that determination is the responsibility of the regulatory and legislative authorities.