UNDER CONSTRUCTION
Many of the SWEs in this activity appear in other Activities where they are used. They are also included here, as sub-activities tabs, to emphasize how they are related to one another. The software assurance and software safety activities provide a level of confidence that software is The software assurance process is the planned and systematic set of activities that ensure the conformance of software life cycle processes and products to requirements, standards, and procedures. Software assurance assures that the software and its related products meet their specified requirements, conform to standards and regulations, are consistent, complete, correct, safe, secure, and reliable as warranted for the system and operating environment, and satisfy customer needs. The objectives of software assurance and software safety activities include the following: This is a continuous activity. Analysis is performed by Software Assurance on a variety of areas on a software development project. Analysis provides additional focus on providing a level of confidence that software is Analysis tasks are related to SWEs in accordance with NASA-STD-8739.8B. These relationships may be found in the topics. Analysis is performed as needed on the project. It is performed during the activity where the development work is performed. Auditing is performed by Software Assurance on a variety of areas on a software development project. Auditing provides additional focus on providing a level of confidence that software is Auditing is focused on the performance of the work directed by the guidance in processes selected to do the work. Auditing tasks are related to SWEs in accordance with NASA-STD-8739.8B. These relationships may be found in the topics. Auditing is performed as necessary on work products and processes throughout the project. Independent validation and verification (IV&V) is a part of Software Assurance playing a role in the NASA software risk mitigation strategy. OSMA is responsible for determining which projects have IV&V for NASA in conjunction with the responsible Mission Directorate. The rationale for independent validation and verification (IV&V) on a project is to reduce the risk of failures due to software and provide assurance that the software will operate as intended, not operate unexpectedly and respond appropriately to adverse conditions. Performing IV&V on projects yields greater confidence that the delivered software products are error-free and meet the customer’s needs. IV&V across the project life cycle increases the likelihood of uncovering high-risk errors early in the life cycle. IV&V is a technical discipline of software assurance that employs rigorous analysis and testing methodologies to identify objective evidence and conclusions to provide an independent assessment of critical products and processes throughout the software development life cycle. The evaluation of products and processes throughout the life cycle demonstrates whether the software is fit for nominal operations (required functionality, safety, dependability, etc.) and off-nominal conditions (response to faults, responses to hazardous conditions, etc.). The goal of the IV&V effort is to contribute assurance conclusions provided to the project and stakeholders based on evidence found in software development artifacts and risks associated with the intended behaviors of the software. The rationale for independent validation and verification (IV&V) on a project is to reduce the risk of failures due to software. Performing IV&V on projects yields greater confidence that the delivered software products are error-free and meet the customer’s needs. IV&V across the project life cycle increases the likelihood of uncovering high-risk errors early in the life cycle. The IV&V Project Execution Plans (IPEP) documents the activities, methods, level of rigor, environments, tailoring (if any) of the IV&V requirements, and criteria to be used in performing verification and validation of in-scope system/software behaviors (including responsible software components) determined by the planning and scoping effort. IV&V artifacts and products required to perform the IV&V analysis on NASA projects are to be made available in electronic format in the original format. The electronic availability of the IV&V products and artifacts facilitates post-deliveries that might be necessary with software updates. Electronic access to IV&V artifacts and products reduces NASA's IV&V project costs and accommodates the longer-term needs when performing software maintenance. If the project manager does not address the issues and risks found by IV&V and track them to closure, these unaddressed risks and issues could cause the project to fail to meet its objectives (e.g. schedule, planned quality, functionality, etc.) Since IV&V personnel have generally worked across many projects, they are often likely to recognize risks and issues to the project that the project manager may not recognize. a. Category 1 projects as defined in NPR 7120.5. It is important to determine the safety criticality of each software component to identify the most critical software system components and to ensure that the software safety-critical requirements and processes are followed. The implementation of the safety-critical software requirements and processes helps ensure that a safe product is produced. Implementing safety-critical software or mission-critical software design requirements helps ensure that the systems are safe and that the safety-critical software or mission-critical software requirements and processes are followed. All Safety-critical software decisions must be tested to protect against loss of crew or vehicle. MCDC testing represents the minimal set of tests necessary to achieve test coverage over decisions that change the behavior/outcome/output of a computer program. Anything less than MCDC exposes a risk of a safety-critical decision based on a set of conditions not being tested. Aerospace and space guidance prioritizes safety above all else in the software development life cycle. MC/DC represents a compromise that finds a balance between rigor and effort, positioning itself between decision coverage (DC) and multiple condition coverage (MCC). MC/DC requires a much smaller number of test cases than multiple condition coverage (MCC) while retaining a high error-detection probability. To minimize risk, ensure complete software testing and increase reliability associated with safety-critical software code components. a. The software is initialized, at first start and restarts, to a known safe state.
See edit history of this section
Post feedback on this section
02.00. Software Assurance and Software Safety Activity Overview
The inclusion of content from NASA-STD-8739.8B adds breadth to the Handbook in Software Assurance and Safety areas. Frequency Of This Activity
02.00.1 Related SWEs
02.00.2 Related Work Products
02.00.3 Related Topics
02.00.4 Related SPAN Links
02.01. Software Assurance Analysis
Frequency Of This Activity
02.01.1 Related SWEs
02.01.2 Related Work Products
02.01.2.1 Related Process Asset Templates
02.01.3 Related Topics
02.01.4 Related SPAN Links
02.02. Software Assurance Auditing
Frequency Of This Activity
02.02.1 Related SWEs
02.02.2 Related Work Products
02.02.2.1 Related Process Asset Templates
02.02.3 Related Topics
02.02.4 Related SPAN Links
02.03. Independent Verification & Validation
Frequency Of This Activity
02.03.1 Related SWEs
b. Category 2 projects as defined in NPR 7120.5, that have Class A or Class B payload risk classification per NPR 8705.4, Risk Classification for NASA Payloads.
c. Projects selected explicitly by the Mission Directorate Associate Administrator (MDAA) to have software IV&V.02.03.2 Related Work Products
02.03.2.1 Related Process Asset Templates
02.03.3 Related Topics
02.03.4 Related SPAN Links
02.04. Safety-Critical
Frequency Of This Activity
02.04.1 Related SWEs
b. The software safely transitions between all predefined known states.
c. Termination performed by software functions is performed to a known safe state.
d. Operator overrides of software functions require at least two independent actions by an operator.
e. Software rejects commands received out of sequence when execution of those commands out of sequence can cause a hazard.
f. The software detects inadvertent memory modification and recovers to a known safe state.
g. The software performs integrity checks on inputs and outputs to/from the software system.
h. The software performs prerequisite checks prior to the execution of safety-critical software commands.
i. No single software event or action is allowed to initiate an identified hazard.
j. The software responds to an off-nominal condition within the time needed to prevent a hazardous event.
k. The software provides error handling.
l. The software can place the system into a safe state.02.04.2 Related Work Products
02.04.2.1 Related Process Asset Templates
02.04.3 Related Topics
02.04.4 Related SPAN Links