MODUK - DEF STAN 00-055: PART 01
Requirements for Safety of Programmable Elements (PE) in Defence Systems. Part 01: Requirements and Guidance
Publication Date: 28 July 2021
This Standard specifies the requirements for achieving, assuring and managing the Design Integrity of PE in PSS. This includes PE used by, or on behalf of, the MOD, and covers the whole-life support of the PE, as defined by the scope of contract.
1. The Standard can be applied to a single or multiple PE as defined in the scope of contract.
2. Increasing uncertainty in both the environment and PE behaviour may require an ongoing maintenance relationship to be established with either the Original Equipment Manufacturer (OEM) or a 3rd party maintenance supplier. Where this is required additional contractual mechanisms may be required (for example to allow the transfer of designs to the 3rd party maintenance supplier).
Whilst Contract life may be limited, this Standard considers the whole life of the PE including runtime updates and end-life disposal. The disposal procedures are defined in the Defence Logistics Framework, available through the Defence Gateway. Earlier phases in the life of the PSS need only be considered if explicitly included within the scope of analysis. Applicability relates to all situations and scenarios, including but not limited to trials, operations and training for operations as defined in the scope of contract.
Note. Information produced as part of design, manufacture and support activities could have significant value to a potential cyber adversary. To control safety risks, this information is expected to be suitably protected.
This Standard provides for the application of Open Standards supported by Recognised Good Practice (RGP) as an acceptable means of managing compliance of the PE with its Safety Requirements, within the scope of contract.
1. Many definitions of the term Open Standard exist. For the purpose of this Standard, the criteria provided in the Open Standards Principles apply.
2. Guidance regarding the choice of standards or the adoption of a PE Open Standard is covered in Annexes A to D, inclusive, to this Standard.
3. The preferred route of compliance is the application of RGP through an adopted PE Open Standard, with proven pedigree, that meets the objectives and requirements of this Standard. Although this Standard sets out the use of RGP as the primary AMC, it is the responsibility of the Contractor to propose and justify the use of alternative practices as an acceptable alternative means of compliance.
It is MOD policy to use civil standards where possible and military standards only as necessary. Due to the specialised operational environment in which the MOD uses PSS, the application of PE Open Standards and RGP may not meet all Design Integrity requirements. Where there is a shortfall in achieving PE Design Integrity requirements, this Standard makes provision for the use of enhanced RGP or augmented PE Open Standards to ensure compliance with Design Integrity requirements. A number of PE Open Standards provide alternative means of compliance; this Standard allows for these alternatives to augment the chosen PE Open Standard to address the identified PE Design Integrity shortfall.
Note. Guidance addressing the unique military risk requirement and impact on PE Open Standards (Military Delta) is contained at Annex E.
PE may be developed separately from the non-PE components of a PSS or supplied as Off the Shelf (OTS) or obtained as Open Source, and hence there is a risk of incompatibility and a need for careful consideration of the overall integrated system functionality. It is essential that the Contractor has sufficient PSS information available to enable PE Failure Assessment to be undertaken.
1. Undertaking PE Failure Assessment is essential for determining the behaviour of the PE that may contribute to PSS hazards and thereby help identify the required Design Integrity. This cannot be undertaken without knowledge of the PSS.
2. This Standard is intended for all PE acquisition and its clauses are applicable to developmental as well as OTS PE.
3. Where knowledge of the PSS is incomplete, assumptions may be required. Such assumptions will need to be documented and where possible, validated. This may be accomplished through the use of independent assessment. Where identified assumptions cannot be validated prior to delivery, additional steps may be required to monitor and validate them during operational use.
4. It is possible that the PSS system integrator has already undertaken a risk assessment and the resulting PE Design Integrity is provided as DSRs.
5. The risk of incompatibility between the PE and PSS can be mitigated by maintaining good communications between the Contractor and the PSS system integrator to enable sufficient access to PSS information. Requirements for the sharing of information are derived from the interfacing clauses of Def Stan 00-056 Part 1 and are covered in more detail in this Standard.
The aim of this Standard is to be technology agnostic and it is intended to be applied to all current and emerging PE related technologies.
Where PE technologies are not covered by this Standard, the Contractor shall apply a mitigation strategy, based on the sensible application of the assurance requirements, to satisfy the Design Integrity shortfall.
Any mitigation strategy shall be subject to agreement by the Safety Committee.
Note. For this Standard to be truly technology agnostic, all current and emerging technologies are expected to be in scope. It is unlikely that this can ever be fully achieved, but this Standard has been written with this aspiration and will be reviewed in accordance with current DStan policy.
If the PE will not credibly contribute to a hazard, impair mitigation to a hazard, or constrain recovery from the realisation of a hazard, then the Contractor, with the agreement of the MOD, need take no further action in this Standard.