See edit history of this section
Post feedback on this section
- 1. The Requirement
- 2. Rationale
- 3. Guidance
- 4. Small Projects
- 5. Resources
- 6. Lessons Learned
- 7. Software Assurance
1. Requirements
3.1.12 Where approved, the project manager shall document and reflect the tailored requirement in the plans or procedures controlling the development, acquisition, and deployment of the affected software.
1.1 Notes
NPR 7150.2, NASA Software Engineering Requirements, does not include any notes for this requirement.
1.2 History
1.3 Applicability Across Classes
Class A B C D E F Applicable?
Key: - Applicable | - Not Applicable
2. Rationale
Everyone working on the project has to understand what is required to be done and understand the risk associated with not performing an activity. This action assures the proper implementation of the alternate requirement throughout the various stages of the software life cycle.
3. Guidance
3.1 Record Tailored Requirements
The project is required to record tailored requirements in program/project documentation that controls the development, acquisition, and deployment of the affected software. Publication of the approved alternate requirements helps show accepted risks and assures that all affected software engineers are informed of the approved changes. This action assures the proper implementation of the alternate requirement throughout the various stages of the software life cycle. The inclusion of these changes in a configuration-managed system for the program/project will inform current and future software product developers and project managers of the correct set of requirements and procedures.
The project should generate:
- Develop a compliance matrix for the software requirements per the software classification.
- Develop a tailoring matrix of the software assurance and software safety requirements as needed and document the software assurance, and software safety approach in the software assurance plan and schedule.
- Add the compliance matrix and the software assurance and software safety tailoring matrix requirements in a software plan(s).
2.2.1 Software requirements tailoring is the process used to seek relief from NPR requirements consistent with program or project objectives, acceptable risk, and constraints. To accommodate the wide variety of software systems and subsystems, application of these requirements to specific software development efforts may be tailored where justified and approved. To effectively maintain control over the application of requirements in this directive and to ensure proposed tailoring from specific requirements are appropriately mitigated, NASA established TA governance. Tailoring from requirements in this directive are governed by the following requirements, as well as those defined in NPD 1000.3, The NASA Organization NPD 2800.1, NPR 2810.1, NPR 7120.5, NPR 7120.7, NPR 7120.8, NPR 7120.11 and NPR 8715.3 for all of the Agency’s investment areas. The Technical and Institutional Authority for each requirement in this NPR is documented in the “Authority” column of Appendix C. The responsible program, project, or operations manager need to formally accept the tailoring risk. Tailoring decided at the Center level are to consult the Center ETA, Center SMA TA, Center Health and Medical TA, and the NASA CIO’s Center IT Authority designee as defined in the requirements mapping matrix. The OSMA has co-approval on any tailoring decided at the HQ level that involves software. The Office of the Chief Medical Officer (OCHMO) has co-approval on any tailoring decided that involves software with health and medical implications. The SAISO, or designee, has co-approval on any tailoring of the cybersecurity requirements in Section 3.11. For tailoring involving human safety risk, the actual risk taker(s) (or official spokesperson[s] and appropriate supervisory chain) need to formally agree to assume the risk. ’ 083
2.2.6 Requests for software requirements relief at either the Center or HQ TA level (i.e., partial or complete relief) may be submitted in the streamlined form of a Requirements Mapping Matrix. The required signatures from engineering, NASA CIO, and SMA authorities are to be obtained. A required signature from designated SAISO is required for relief of cybersecurity requirements. If the Requirements Mapping Matrix is completed and approved in accordance with NPR 7120.5’s direction on Authority and this directive, it meets the requirements for requesting tailoring. 083
Project personnel records the appropriate information on any requirements changes resulting from the approval of a tailoring request in the project-specific software requirements documents. The Center's compliance matrix to NPR 7150.2 will also include approval of tailored requirements from the Office of the Chief Engineer (OCE).
See also, 7.16 - Appendix C. Requirements Mapping and Compliance Matrix. SWE-139 - Shall Statements,
3.2 Updates to the Compliance Matrix
Software requirements tailoring is the process used to seek relief from NPR requirements consistent with program or project objectives, acceptable risk, and constraints. To accommodate the wide variety of software systems and subsystems, the application of these requirements to specific software development efforts may be tailored where justified and approved. To effectively maintain control over the application of requirements in this directive and to ensure proposed tailoring from specific requirements are appropriately mitigated, NASA established Technical Authority (TA) governance. The Technical and Institutional Authority for each requirement in this NPR is documented in the “Authority” column of Appendix C (see topic 7.16 - Appendix C. Requirements Mapping and Compliance Matrix). The responsible program, project, or operations manager needs to formally accept the tailoring risk.
General guidelines for SWE requirements, except for SWE-032 - CMMI Levels for Class A and B Software and SWE-141 - Software Independent Verification and Validation:
- Each requirement marked ‘X’ for the project’s software classification(s) should be addressed in the Requirements Mapping Matrix.
- All requirements can be tailored per the guidance in this directive.
- Requirements Mapping Matrix with tailored requirements, deleted requirements, or requirements marked as N/A or not applicable need the approval of the Center Director’s designated Engineering Technical Authority and the Center Director’s designated SMA Technical Authority.
- If the project is a CHMO Health and Medical project, then CHMO designated Technical Authority approval is also required.
- If the project marks any of the requirements in Section 3.11 as a tailored requirement, a deleted requirement, or a requirement marked as N/A or not applicable then the project is required to get the NASA CIO approval on the Requirements Mapping Matrix, in addition to the technical authorities in item 3 and 4.
- The NASA CIO, or the designee, has institutional authority on all Class F software projects.
In the case of changes to SWE-032 - CMMI Levels for Class A and B Software and SWE-141 - Software Independent Verification and Validation, these steps are followed:
- The Project Manager fills out the compliance matrix and indicates their tailoring to SWE-032 or SWE-141.
- The Project Manager sends the Compliance Matrix to the appropriate Center TA’s and requests approval of the changed requirements.
- The Project Manager communicates the proposed request to tailor SWE-032 and SWE-141 to the OCE and OSMA for an initial discussion.
- Appropriate Center TA’s approve the proposed changes to SWE-032 or SWE-141.
- The Project Manager and Center TA’s communicate the proposed changes and rationale on either SWE-032 or SWE-141 to the OCE and OSMA for discussion.
- After OCE and OSMA approval, the Project Manager stores all related records and updated Compliance Matrix into project records.
See also SWE-150 - Review Changes To Tailored Requirements,
Exactly how each Center implements NPR 7150.2D is up to them. The Handbook is intentionally non-prescriptive, allowing Centers to develop processes for their projects to implement the requirements of the NPR. See SWE-126 - Tailoring Considerations, and SWE-125 - Requirements Compliance Matrix.
3.3 Baselined Tailoring
When approval is granted, the program/project includes the results of the tailoring request and the rationale for the request, along with any approved alterations to the initial request, in the baselined program/project documentation.
3.4 Additional Guidance
Additional guidance related to this requirement may be found in the following materials in this Handbook:
3.5 Center Process Asset Libraries
SPAN - Software Processes Across NASA
SPAN contains links to Center managed Process Asset Libraries. Consult these Process Asset Libraries (PALs) for Center-specific guidance including processes, forms, checklists, training, and templates related to Software Development. See SPAN in the Software Engineering Community of NEN. Available to NASA only. https://nen.nasa.gov/web/software/wiki 197
See the following link(s) in SPAN for process assets from contributing Centers (NASA Only).
SPAN Links |
---|
4. Small Projects
Small projects may lack the resources and schedule to individually apply for waiver relief from specific sets of NPR 7150.2 requirements. Centers can request a generic waiver that will cover multiple small projects.
5. Resources
5.1 References
- (SWEREF-066) NPD 1000.3E, Associate Administrator, April 15, 2015, Expiration Date: April 15, 2026
- (SWEREF-082) NPR 7120.5F, Office of the Chief Engineer, Effective Date: August 03, 2021, Expiration Date: August 03, 2026,
- (SWEREF-083) NPR 7150.2D, Effective Date: March 08, 2022, Expiration Date: March 08, 2027 https://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPR&c=7150&s=2D Contains link to full text copy in PDF format. Search for "SWEREF-083" for links to old NPR7150.2 copies.
- (SWEREF-197) Software Processes Across NASA (SPAN) web site in NEN SPAN is a compendium of Processes, Procedures, Job Aids, Examples and other recommended best practices.
- (SWEREF-256) NPR 1400.1H, NASA Office of Internal Controls and Management Systems, Effective Date: March 29, 2019, Expiration Date: March 29, 2024
- (SWEREF-257) NPD 7120.4E, NASA Office of the Chief Engineer, Effective Date: June 26, 2017, Expiration Date: June 26, 2022
- (SWEREF-262) NASA Headquarters NASA Office of the Chief Engineer engineering deviations and waivers website.
- (SWEREF-263) NASA HQ OCE Letter. August 15, 2012.
- (SWEREF-264) NPR 7120.7A, Office of the Chief Information Officer, Effective Date: August 17, 2020, Expiration Date: August 17, 2025 .
- (SWEREF-269) NPR 7120.8A, NASA Office of the Chief Engineer, 2008, Effective Date: September 14, 2018, Expiration Date: September 14, 2023
- (SWEREF-273) NASA SP-2016-6105 Rev2,
- (SWEREF-278) NASA-STD-8739.8B , NASA TECHNICAL STANDARD, Approved 2022-09-08 Superseding "NASA-STD-8739.8A,
- (SWEREF-403) NPR 2810.1F, Office of the Chief Information Officer, Effective Date: January 03, 2022, Expiration Date: January 03, 2027,
- (SWEREF-566) Public Lessons Learned Entry: 1715.
5.2 Tools
NASA users find this in the Tools Library in the Software Processes Across NASA (SPAN) site of the Software Engineering Community in NEN.
The list is informational only and does not represent an “approved tool list”, nor does it represent an endorsement of any particular tool. The purpose is to provide examples of tools being used across the Agency and to help projects and centers decide what tools to consider.
6. Lessons Learned
6.1 NASA Lessons Learned
A documented lesson from the NASA Lessons Learned database notes the following:
- The Pitfalls of "Engineering-by-Presentation" (2005). Lesson Number 1715 566: Without documenting and, thereby, capturing details of the rationale for decisions affecting systems designs (requirements) "...project staff found themselves repeatedly revisiting the same technical issues. "Now why did we decide..." This is a good indication that why it was done is as important, at times, as what was done. Office of the Chief Engineer (OCE) personnel and future projects or Center personnel will be able to avoid reevaluating this general exclusion or alternate requirement approvals if they have appropriate access to the rationale so they can properly understand the basis on which the exclusions were granted in the first place.
6.2 Other Lessons Learned
No other Lessons Learned have currently been identified for this requirement.
7. Software Assurance
7.1 Tasking for Software Assurance
1. Confirm that any requirement tailoring in the Requirements Mapping Matrix has the required approvals.
2. Develop a tailoring matrix of software assurance and software safety requirements.
7.2 Software Assurance Products
- Software Assurance and Software Safety Requirements Mapping Matrix for the Software Assurance and Safety Standard (SASS) requirements, including any approved tailoring
Objective Evidence
- NPR 7150.2 and NASA-STD-8739.8 requirements mapping matrices signed by the engineering and SMA technical authorities for each development organization.
7.3 Metrics
- # of safety-related non-conformances identified by life cycle phase over time
- Identify the specific requirements in NASA-STD-8739.8 that are being tailored by the projects (*organizational metric)
- % of requirements tailored per project (*organizational measure)
- # of projects tailoring each requirement (*organizational measure)
See also Topic 8.18 - SA Suggested Metrics.
7.4 Guidance
- Confirm the tailoring approvals are contained in the Software Engineering Requirements Mapping Matrix. - confirm that the engineering and software assurance technical authorities have signed or approved any NPR 7150.2 and NASA-STD-8739.8 278 requirements tailoring and that any changes have been communicated to engineering and the project Confirm that the center CIO has approved any NPR 7150.2 cybersecurity requirements, section 3.11, tailoring. Identify any issues or risks associated with the decision(s) to tailor to the NPR 7150.2 and NASA-STD-8739.8 requirements if needed. Update the SA plan to reflect the tailoring approach as well as the tailored software assurance, software safety, and IV&V requirements used for this project.
- Analyze plans and procedures to confirm that any approved tailored requirements are documented and adequately reflected., as well as any tailored software assurance, software safety, and IV&V requirements - assure that any approved tailoring is included in the software plans and software requirements specification(s) as required. Confirm that any development products (e.g., schedules, design documents, test artifacts, etc.) impacted by the tailored requirements accurately reflect the tailoring.
- Develop a tailoring matrix of the software assurance and software safety requirements, contained in NASA-STD-8739.8, as needed, and document the approved software assurance, software safety, and IV&V tailoring approach in the SA plan and schedule. Confirm that the software assurance technical authority has signed or approved any NASA-STD-8739.8 requirements tailoring and that any changes have been communicated to engineering and the project. Identify any issues or risks associated with the decision to tailor to the NASA-STD-8739.8 requirements if needed.
See also Topic 8.51 - Software Assurance Plan,
7.5 Additional Guidance
Additional guidance related to this requirement may be found in the following materials in this Handbook: