See edit history of this section
Post feedback on this section
- 1. The Requirement
- 2. Rationale
- 3. Guidance
- 4. Small Projects
- 5. Resources
- 6. Lessons Learned
- 7. Software Assurance
1. Requirements
3.1.11 The project manager shall comply with the requirements in this NPR that are marked with an “X” in Appendix C consistent with their software classification.
1.1 Notes
NPR 7150.2, NASA Software Engineering Requirements, does not include any notes for this requirement.
1.2 History
1.3 Applicability Across Classes
Class A B C D E F Applicable?
Key: - Applicable | - Not Applicable
2. Rationale
In this NPR, all mandatory actions (i.e., requirements) are denoted by statements containing the term “shall,” followed by a software engineering (SWE) requirement number.
b. This NPR applies to the complete software development life cycle, including software planning, development, testing, maintenance, retirement, operations, management, acquisition, and assurance activities. The requirements of this directive cover such software created, acquired, or maintained by NASA or for NASA to the extent specified or referenced in an appropriate contract, grant, or cooperative agreement. The applicability of these requirements to specific systems and subsystems within the Agency’s investment areas, programs, and projects is through the use of the NASA-wide definition of software classes, defined in Appendix D. Some projects may contain multiple software systems and software subsystems having different software classes. For this directive, software is defined in Appendix A, and includes software executing on processors embedded in programmable logic devices.
g. In this NPR, all mandatory actions (i.e., requirements) are denoted by statements containing the term “shall,” followed by a software engineering (SWE) requirement number. The terms “may” or “can” denote discretionary privilege or permission, “should” denotes a good practice and is recommended but not required, “will” denotes expected outcome, and “are/is” denotes descriptive material.
NPR 7150.2 was written to include the explicit statement in the requirement that full compliance with the requirement is necessary for those entries assigned an "X" in Appendix D.
3. Guidance
3.1 Tailoring
Tailoring. The process is used to adjust a prescribed requirement to accommodate the needs of a specific task or activity (e.g., program or project). Tailoring may result in changes, subtractions, or additions to a typical implementation of the requirement.
Software requirements tailoring is the process used to seek relief from NPR requirements consistent with program or project objectives, acceptable risk, and constraints. To accommodate the wide variety of software systems and subsystems, the application of these requirements to specific software development efforts may be tailored where justified and approved. To effectively maintain control over the application of requirements in this directive and to ensure proposed tailoring from specific requirements is appropriately mitigated, NASA established Technical Authority governance. Tailoring from requirements in this directive is governed by the following requirements, as well as those defined in NPD 1000.3, The NASA Organization NPD 2800.1 598, NPR 2810.1 403, NPR 7120.5 082, NPR 7120.7 264, NPR 7120.8 269, NPR 7120.11 229 and NPR 8715.3 286 for all of the Agency’s investment areas. The Technical and Institutional Authority(s) for each requirement in this NPR are documented in the “Authority” column of Appendix C. The responsible program, project, or operations manager needs to formally accept the tailoring risk. Tailoring decided at the Center level is to consult the Center Engineering Technical Authority, Center SMA Technical Authority, Center Health and Medical Technical Authority, and the NASA CIO’s Center IT Authority designee as defined in the requirements mapping matrix. The OSMA has co-approval on any tailoring decided at the Headquarters level that involves software. The Office of the Chief Medical Officer (OCHMO) has co-approval on any tailoring decided that involves software with health and medical implications. The SAISO, or designee, has co-approval on any tailoring of the cybersecurity requirements in section 3.11. For tailoring involving human safety risk, the actual risk taker(s) (or official spokesperson[s] and appropriate supervisory chain) need to formally agree to assume the risk.
3.2 Baseline Set of Requirements
This directive establishes a baseline set of requirements to reduce software engineering risks on NASA projects and programs. Appendix C defines the default applicability of the requirements based on software classification. Each project has unique circumstances, and tailoring can be employed to modify the requirements set appropriate for the software engineering effort. Tailoring of requirements is based on key characteristics of the software engineering effort, including acceptable technical and programmatic risk posture, Agency priorities, size, and complexity. Requirements can be tailored more broadly across a group of similar projects, a program, an organization, or other collection of similar software development efforts in accordance with NPR 7120.5, Section 3.5.5.
In this directive, the phrase “the project manager shall...” means the roles and responsibilities of the project manager may be further delegated within the organization to the scope and scale of the system.
This requirement assesses that project personnel is meeting all requirements invoked for projects by NPR 7150.2 and by the NASA Software Assurance and Software Safety Standard, NASA-STD-8739.8 278.
See also SWE-140 - Comply with Requirements,
3.3 Requirements Mapping Matrix
The purpose of the Requirements Mapping Matrix in NPR 7150.2 is to essentially pre-tailor out requirements for less critical software systems, e.g., while Class A software has all of the requirements for projects, Class E has significantly fewer requirements. The purpose of the “X” label is to clarify the intent of NPR 7150.2 and to preclude any alternate interpretation of invoked requirements. See topic 7.16 - Appendix C. Requirements Mapping and Compliance Matrix.
This requirement makes a positive statement that each invoked requirement is to be fulfilled by the requirement’s responsible party (indicated by the Responsibility column in Appendix C: Requirements Mapping and Compliance Matrix).
Inherently, it affirms that fulfillment of requirements marked with an "X" is the rule for specific NASA software classifications.
Relief from invoked requirements can only be granted by the designated Technical Authority called out for each requirement in Appendix C.
Tailoring of the requirements of NPR 7150.2 is to follow the approved processes for requirements management. (See SWE-121 - Document Tailored Requirements)
Mitigations, risk acceptance, and rationale for relieved requirements are to be documented by the project. The preferred location for capturing this information is the NPR 7150.2 compliance matrix because the compliance matrix, as well as any deviations or waivers, requires the approval of the Technical Authority (see SWE-126 - Tailoring Considerations.) Placing risk and justification information in the compliance matrix ensures that the Technical Authority has the proper information in one place to make an informed approval or disapproval of any requests for relief of requirements. Additionally, capturing this information in the compliance matrix provides one document that contains the project’s software requirement plans: requirements the project intends to meet, requirements approved for deviation or waiver, and the associated background for any relief approvals or disapprovals. See also SWE-216 - Internal Software Sharing List,
3.4 Additional Guidance
Additional guidance related to this requirement may be found in the following materials in this Handbook:
Related Links |
---|
3.6 Center Process Asset Libraries
SPAN - Software Processes Across NASA
SPAN contains links to Center managed Process Asset Libraries. Consult these Process Asset Libraries (PALs) for Center-specific guidance including processes, forms, checklists, training, and templates related to Software Development. See SPAN in the Software Engineering Community of NEN. Available to NASA only. https://nen.nasa.gov/web/software/wiki 197
See the following link(s) in SPAN for process assets from contributing Centers (NASA Only).
SPAN Links |
---|
4. Small Projects
No additional guidance is available for small projects.
5. Resources
5.1 References
- (SWEREF-034) NASA-HDBK 8739.23A, Approved: 02-02-2016, Superseding: NASA-HDBK-8739.23 With Change 1,
- (SWEREF-082) NPR 7120.5F, Office of the Chief Engineer, Effective Date: August 03, 2021, Expiration Date: August 03, 2026,
- (SWEREF-229) NPR 7120.11A - Effective Date: September 08, 2020, Expiration Date: September 08, 2025
- (SWEREF-264) NPR 7120.7A, Office of the Chief Information Officer, Effective Date: August 17, 2020, Expiration Date: August 17, 2025 .
- (SWEREF-269) NPR 7120.8A, NASA Office of the Chief Engineer, 2008, Effective Date: September 14, 2018, Expiration Date: September 14, 2023
- (SWEREF-278) NASA-STD-8739.8B , NASA TECHNICAL STANDARD, Approved 2022-09-08 Superseding "NASA-STD-8739.8A,
- (SWEREF-283) NPR 7150.2C, Effective Date: August 02, 2019, Expiration Date: August 02, 2024
- (SWEREF-286) NPR 8715.3D, Effective Date: December 16, 2021, Expiration Date: December 21, 2026
- (SWEREF-403) NPR 2810.1F, Office of the Chief Information Officer, Effective Date: January 03, 2022, Expiration Date: January 03, 2027,
- (SWEREF-598) NPD 2800.1E, Office of the Chief Information Officer, Effective Date: December 09, 2019, Expiration Date: December 09, 2024,
- (SWEREF-686) NASA-HDBK-4008, Revision: Baseline w/CHANGE 1, Document Date: 2013-12-02
5.2 Tools
NASA users find this in the Tools Library in the Software Processes Across NASA (SPAN) site of the Software Engineering Community in NEN.
The list is informational only and does not represent an “approved tool list”, nor does it represent an endorsement of any particular tool. The purpose is to provide examples of tools being used across the Agency and to help projects and centers decide what tools to consider.
6. Lessons Learned
6.1 NASA Lessons Learned
No Lessons Learned have currently been identified for this requirement.
6.2 Other Lessons Learned
No other Lessons Learned have currently been identified for this requirement.
7. Software Assurance
7.1 Tasking for Software Assurance
7.2 Software Assurance Products
- Assessment of Software Engineering Compliance w/ NPR 7150.2
- Audit results for both product and process audits
- Audits against NPR 7150.2 requirements mapping matrix, including findings.
Objective Evidence
- NPR 7150.2 and NASA-STD-8739.8 requirements mapping matrices signed by the engineering and SMA technical authorities for each development organization.
7.3 Metrics
- # of software work product Non-Conformances identified by life cycle phase over time
- # of Compliance Audits planned vs. # of Compliance Audits performed
- # of software process Non-Conformances by life cycle phase over time
- # of Open vs. Closed Audit Non-Conformances over time
- Trends of # of Non-Conformances from audits over time (Include counts from process and standards audits and work product audits.)
- # of Non-Conformances per audit (including findings from process and compliance audits, process maturity)
- # of safety-related requirement issues (Open, Closed) over time
- # of safety-related non-conformances identified by life cycle phase over time
- # of Non-Conformances (activities not being performed)
• # of Non-Conformances accepted by the project
• # of Non-Conformances (Open, Closed, Total)
• Trends of Open vs. Closed over time - # of Non-Conformances identified in plans (e.g., SMPs, SDPs, CM Plans, SA Plans, Safety Plans, Test Plans)
See also Topic 8.18 - SA Suggested Metrics.
7.4 Guidance
This requirement assesses that project personnel is meeting all requirements invoked for projects by NPR 7150.2 and by the NASA Software Assurance and Software Safety Standard, NASA-STD-8739.8 278.
The purpose of the Requirements Mapping Matrix in NPR 7150.2 is to essentially pre-tailor out requirements for less critical software systems, e.g., while Class A software has all of the requirements for projects, Class E has significantly fewer requirements. The purpose of the “X” label is to clarify the intent of NPR 7150.2 and to preclude any alternate interpretation of invoked requirements.
This requirement makes a positive statement that each invoked requirement is to be fulfilled by the requirement’s responsible party (indicated by the Responsibility column in Appendix C: Requirements Mapping and Compliance Matrix).
Software that is incorporated into Complex Electronics (CE) or Programmable Logic Devices (PLDs) is covered by the NPR 7150.2 requirements and the NASA Software Assurance and Safety Standard, NASA-STD-8739.8. See the Programmable Logic Devices (PLD) Handbook, NASA-HDBK-4008 686, and the NASA Complex Electronics Handbook for Assurance Professionals, NASA-HDBK-8739.23 034 for additional guidelines.
To assess the project's compliance with the requirements in NPR 7150.2, obtain the project's approved Requirements Mapping Matrix or Matrices. Using the agreed-upon classifications of the project's software, verify that the correct column in Appendix C is being used in the Requirements Mapping Matrix for the classification of the software.
Verify that the appropriate signatories have approved any tailoring that is noted in the Matrix. The signatories for Class A through Class E should be Center Director or the Center Director’s designated Engineering Technical Authority, the Center Director's designated SMA Technical Authority, and the CHMO designated for Health and Medical Technical Authority (if there are medical or health concerns). The signatory for the Class F software is the Center Chief Information Officer or designee.
Using the set of requirements plus any approved tailoring, confirm that the project is following those requirements. Generally, this is done by auditing project documentation and activities using checklists. To confirm that all the requirements are being met completely, it will probably be necessary to do audits at different stages of the project. Any non-conformances found should be reported to the project manager and software assurance management. These should be tracked to closure.
7.5 Additional Guidance
Additional guidance related to this requirement may be found in the following materials in this Handbook: