Safety Critical Systems and Certification Issues
DO-178B Airborne Standard

SC190 / WG-52 Application Guidelines For RTCA DO-178B/ED-12B
- DO-178B / ED-12B
- RTCA / EUROCAE, SC-167 / WG-12
- CAST (Certification Authority Software Team): CAST Position Papers
- SC-190 / WG-52: SC-190 Products
- CNS/ATM Community
- Avionics Industry

DO-178B in a Nutshell
- Highly Process Oriented
- Requires Traceability: Requirements -> High Level Design -> Detailed Design -> Source Code -> Test Procedures -> Test Results
- Test & Test & Test & Test and ...

DO-178B Safety Levels
Level A  Catastrophic            Failure Prevents Continued Safe Flight and Landing
Level B  Hazardous/Severe-Major  Potential Fatal Injuries to a Small Number of Occupants
Level C  Major                   Discomfort to Occupants or Possible Injuries
Level D  Minor                   Increased Crew Workload

Development Team
- What is COTS?
- How can the objectives of DO-178B be satisfied using COTS?
- There is much variation in applicants for COTS certification credit
- Is DO-178B clear on the interpretations?
Product is COTS + Certification Evidence available as COTS: together these satisfy the safety objectives

Testing without Source Code
[Diagram, layered: Application / Wrappers to Validate Parameters / Commercial O/S]
This cannot be trusted unless the O/S is verified

Special Considerations: Use of Service History for Certification
- Worked correctly in the US for years
- Transferred to the U.K.
[Diagram: Air Traffic Control system; Plane 1; Actual Plane 2; Displayed Plane 2; Greenwich Meridian]

Use of Service History
- Safety Critical System developed under a less stringent standard (Military?)
- Used for 4 years; problems tracked; quality good!
- Dead Code (Unintended Function); Residual Error
- Is this system safe for the next 4 years? At Level A, B, C?
- We can bound inputs, but we cannot check internal states without "looking inside"

Black Box Testing
- No single failure should prevent "Continuous safe flight and landing."
- Statistical testing cannot show the absence of a single state that will cause a failure
- Software has discontinuities
- Software does not follow a Gaussian/Normal distribution
There is no foundation for statistical reasoning about software faults or safety

Verification Team: examples of issues
- What are low level requirements? How can they be tested?
- Data and control flow coupling
- Use of higher level test results for lower level requirements
- What is the intent of structural coverage?
- Traceability of source to object code for structural coverage
- What is statement, decision, condition and MCDC (Modified Condition/Decision Code) coverage testing?
- Verification tool qualification
- etc.

Coverage Analysis at Level B and C
- Statement Coverage: Entry Points, Exit Points
- Decision Coverage: All Decisions, All Outcomes

Fixing anomalies: example for level B / Library
Source:
    B := 3;
    A := Filter (B);
    X := X + A;
Compiler -> Object Code (including the library routine Filter)
Source level coverage required even for Filter

Boundary Level testing not enough!
    A := B;  -- A and B are packed Boolean arrays
Run-time call to:
    Bit_Block_Move (From, To, Size);  -- size in bits
- Min, Mid, Max in combination gives 27 (useless) test cases
- Interesting test cases based on the actual code, i.e. White Box Testing:
  5 bit size, 32 bit size, 67 bit size; From overlaps To; To overlaps From
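The white-box test selection argued for above, as an added example that is not from the original slides: Bit_Block_Move is the run-time routine the slide names, but the Python reimplementation below, its 32-bit word layout, and the bit pattern used as input are all assumptions made for illustration. It places a naive forward copy beside an overlap-safe one and derives the test cases from the code's structure (word boundaries, copy direction) rather than from Min/Mid/Max of each parameter.

```python
"""White-box test cases for a packed-Boolean-array block move.

Added example, not from the original slides.  Bit_Block_Move is the run-time
routine named on the slide; the implementation below and its 32-bit word
layout are assumptions made for illustration.
"""
WORD = 32  # assumed word size of the packed array


def get_bit(words, i):
    return (words[i // WORD] >> (i % WORD)) & 1


def set_bit(words, i, value):
    w, b = divmod(i, WORD)
    if value:
        words[w] |= 1 << b
    else:
        words[w] &= ~(1 << b) & 0xFFFFFFFF


def bit_block_move_forward(words, src, dst, size):
    """Naive move: always copies from the low bit upwards.  When the
    destination overlaps the source from above, source bits are overwritten
    before they have been read."""
    for k in range(size):
        set_bit(words, dst + k, get_bit(words, src + k))


def bit_block_move(words, src, dst, size):
    """Overlap-safe move: copies downwards when the destination lies above
    the source, as memmove does for bytes."""
    order = range(size) if dst <= src else range(size - 1, -1, -1)
    for k in order:
        set_bit(words, dst + k, get_bit(words, src + k))


def to_words(bits):
    words = [0] * ((len(bits) + WORD - 1) // WORD)
    for i, b in enumerate(bits):
        if b:
            words[i // WORD] |= 1 << (i % WORD)
    return words


def from_words(words, nbits):
    return [get_bit(words, i) for i in range(nbits)]


def reference_move(bits, src, dst, size):
    """Oracle on a plain list: slice assignment copies the source first."""
    out = list(bits)
    out[dst:dst + size] = bits[src:src + size]
    return out


def white_box_cases():
    """Cases chosen from the code, not from Min/Mid/Max of each parameter:
    a size inside one word, one filling a word exactly, one spanning three
    words, each with the destination above, below, or clear of the source."""
    cases = []
    for size in (5, 32, 67):
        cases.append((0, 3, size, "dst above src, overlapping"))
        cases.append((3, 0, size, "dst below src, overlapping"))
        cases.append((0, size + 8, size, "no overlap"))
    return cases


def failing_cases(move, nbits=160):
    """Labels of the white-box cases where `move` disagrees with the oracle.
    The bit pattern is constructed so that a shifted copy is detectable."""
    bits = [1 if (i % 5 == 0 or i % 7 == 1) else 0 for i in range(nbits)]
    failures = []
    for src, dst, size, label in white_box_cases():
        words = to_words(bits)
        move(words, src, dst, size)
        if from_words(words, nbits) != reference_move(bits, src, dst, size):
            failures.append(f"{label}, size {size}")
    return failures


if __name__ == "__main__":
    print("naive forward copy fails:", failing_cases(bit_block_move_forward))
    print("overlap-safe copy fails:", failing_cases(bit_block_move))
```

The naive version passes every non-overlapping case and every case where the destination lies below the source, so a test set built from parameter boundaries alone can easily miss it; the three failures only show up because the copy direction was read off the code.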
Coverage at Level A
- Coverage required at machine code level, or
- Show source to object code traceability and test at source level, or
- Use different languages/compilers and use a voting system
- MCDC testing required: each condition must have an effect on the outcome
- Tools which modify source for traceability: problem at level A
  Mitigation method: use 3 different compilers
(Now look at conditional statements)

Conditions/Decisions
    if A=B and C or D<3 then
- Conditions: A=B, C, D<3
- Boolean Variable: C
- Boolean Operators: and, or
- Decision: the whole expression A=B and C or D<3

What are Conditions/Decisions
Ada:  if (A=B and C) or D<3 then
C:    if (((A == B) & C) | (D < 3))
C:    if (((A == B) * C) + (D < 3))
C++:  if (((A == B) and C) or (D < 3))
MCDC Coverage requires all branches AND all conditions be covered

More Boolean Conditions
Ada:  X := (A=B and C) or D<3;  if X then  -- X is Boolean
C:    X = ((A == B) * C) + (D < 3);  if (X)  /* X can be any integer */
Cannot hide from testing obligations: '*' and '+' are Boolean operators!

Condition coverage
Ada:  X := (A=B and C) or D<3;  if X then  -- X is Boolean
Coverage of "Basic-Block" may not capture condition results
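The condition/decision analysis of the slides' example decision, as an added example that is not from the original slides. The decision (A=B and C) or D<3 is modelled as a function of its three conditions c0 = (A=B), c1 = C, c2 = (D<3); the helper names, and the modelling of the C arithmetic form as Python integer arithmetic, are assumptions for illustration. It shows why a test set that reaches both outcomes of the decision (decision coverage, which a basic-block coverage tool would report as complete) can still leave two of the three conditions unshown, and finds the smallest MCDC set.

```python
"""MCDC analysis of the decision  (A=B and C) or D<3.

Added example, not from the original slides.  Conditions are modelled as a
tuple of 0/1 values (c0 = A=B, c1 = C, c2 = D<3).
"""
from itertools import combinations, product


def decision(c):
    """The Ada decision as a Boolean function of its conditions."""
    c0, c1, c2 = c
    return int((c0 and c1) or c2)


def c_arith_decision(a, b, c, d):
    """The C form from the slides, (A==B)*C + (D<3), as integer arithmetic:
    the value is 0, 1 or 2, and `if (x)` treats any non-zero value as true,
    so the same three conditions are hidden inside an integer expression."""
    return (a == b) * c + (d < 3)


def independence_pairs(dec, n):
    """For each condition i, the pairs of vectors that differ only in
    condition i and produce different outcomes.  An empty list means the
    condition never affects the outcome on its own."""
    pairs = {i: [] for i in range(n)}
    for v in product((0, 1), repeat=n):
        for i in range(n):
            if v[i] == 0:
                w = v[:i] + (1,) + v[i + 1:]
                if dec(v) != dec(w):
                    pairs[i].append((v, w))
    return pairs


def decision_covered(dec, tests):
    """Decision coverage: both outcomes of the decision observed."""
    return {dec(t) for t in tests} == {0, 1}


def mcdc_covered(dec, n, tests):
    """Conditions whose independent effect is shown by the given tests."""
    tests = set(tests)
    return {i for i, ps in independence_pairs(dec, n).items()
            if any(v in tests and w in tests for v, w in ps)}


def minimal_mcdc_set(dec, n):
    """Smallest test set covering every condition, by brute force over
    subsets; MCDC needs at least n + 1 tests for n conditions."""
    vectors = list(product((0, 1), repeat=n))
    for k in range(n + 1, len(vectors) + 1):
        for subset in combinations(vectors, k):
            if len(mcdc_covered(dec, n, subset)) == n:
                return subset
    return None


if __name__ == "__main__":
    # Two tests reach both outcomes of the decision but only show condition 2.
    basic = [(0, 0, 0), (0, 0, 1)]
    print("decision covered:", decision_covered(decision, basic))
    print("conditions shown:", mcdc_covered(decision, 3, basic))
    print("minimal MCDC set:", minimal_mcdc_set(decision, 3))
    print("C arithmetic form with all conditions true:",
          c_arith_decision(1, 1, 1, 0))
```

The two-test set {000, 001} is enough for decision coverage, and a tool that reports at basic-block level sees nothing missing, but it only demonstrates the effect of D<3; four tests are needed before A=B and C have each been shown to change the outcome on their own.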
Avoiding MCDC Testing (Modified Condition/Decision Code)
Use Ada's short-circuit conditions:
    if A=0 and then B<2 and then C>5 then
Or in C write:
    if (A == 0 && B < 2 && C > 5) {

Why short-circuit conditions eliminate MCDC
    if A=0 and then B<2 and then C>5 then
is equivalent to
    if A=0 then
      if B<2 then
        if C>5 then
          P;
        end if;
      end if;
    end if;
MCDC not required for this code

Testing strategy must evaluate conditions
MCDC is not required for the short-circuit form above,
BUT !!!
Testing must show that each 'then' part has been tested True and False
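The branch-testing obligation the slide ends on, as an added example that is not from the original slides: the nested-if form given as the equivalent of `and then` is written out in Python with a trace of every condition actually evaluated, so a test set can be checked for whether each `then` part has been seen both True and False. The function names and the test vectors are assumptions for illustration.

```python
"""Branch testing of  A=0 and then B<2 and then C>5  in its nested-if form.

Added example, not from the original slides.  Each `then` part records
whether it was reached and which way the condition went.
"""
CONDITIONS = ("A=0", "B<2", "C>5")


def nested_decision(a, b, c, trace):
    """Returns True when P would run.  Appends (condition, outcome) to
    `trace` for every condition that is actually evaluated; a condition
    guarded by an earlier False is never reached, exactly as with the
    short-circuit operators."""
    trace.append(("A=0", a == 0))
    if a == 0:
        trace.append(("B<2", b < 2))
        if b < 2:
            trace.append(("C>5", c > 5))
            if c > 5:
                return True
    return False


def then_coverage(tests):
    """For each `then` part, the set of outcomes observed when it was reached."""
    seen = {name: set() for name in CONDITIONS}
    for a, b, c in tests:
        trace = []
        nested_decision(a, b, c, trace)
        for name, outcome in trace:
            seen[name].add(outcome)
    return seen


def missing_branches(tests):
    """Branches never exercised by the test set; an empty list means every
    `then` part has been tested both True and False."""
    return sorted((name, outcome)
                  for name, seen in then_coverage(tests).items()
                  for outcome in (True, False) if outcome not in seen)


if __name__ == "__main__":
    # Constructed test vectors (A, B, C).  Two tests reach both outcomes of
    # the whole decision but leave the inner `then` parts untested False.
    two_tests = [(0, 0, 9), (1, 0, 9)]
    print("missing after two tests:", missing_branches(two_tests))
    # One extra test per nested `then` part completes the obligation.
    full = [(1, 0, 9), (0, 5, 9), (0, 0, 1), (0, 0, 9)]
    print("missing after four tests:", missing_branches(full))
```

Reaching both outcomes of the whole decision takes two tests, but showing each nested `then` part True and False takes one test per condition plus the all-True case, four here, because a False early in the chain hides every condition after it from the trace.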
Inlining code
- If decisions/conditions are introduced:
  Decisions must be identified and verified (level B)
  Conditions must be identified and verified (level A)
- Verification may be done by analysis
- Traced to derived requirements: ensure safety is not compromised
- Code may be "deactivated"
- As inlined code depends on local state, it may be very hard to test the conditions in accordance with the standard's requirements
- Intent: absence of unintended function
- Dead code not allowed

Use of Tools
- Tool qualification is required if a tool replaces a step of the development process
- Development tools (examples: compiler, design to code generator): may introduce an error; in general NOT qualified, not trusted
- Verification tools (example: coverage analyser): may conceal an error; may be qualified, trusted for verification purposes
- Additional verification process required if the tool is not trusted

CNS/ATM Process Integration
- Information matrix: Regulators, Committees, Standards Bodies, Standard
- Software Integrity Assurance Standards vs. Software Development Standards
- Relationships between DO-178B and IEC 61508

Ground Based Community
- Communications / Navigation / Surveillance and Air Traffic Management: in the loop
- Ground based systems affect airborne software
- DO-178B addresses airborne only
- Guidance being prepared to encompass the needs of the CNS/ATM community (SC-190 committee)
- Standards tightening up

Certification Standards are Improving
- "Holes" in documents are being fixed
- Understanding of certification requirements is spreading
- Industry and certification authorities are collaborating on guidance materials
- It will get more difficult to "shop around" for a more lenient signature

(Legal) Safety Systems
[Diagram: Laws, Regulations, Standards, Guidelines; Case Law, Precedence, Interpretations, Standards, Guidelines; Visibility, Traceability; PROCESS; EVIDENCE / RECORD; Confidence / Safety]

When Is Software Safe?
We Don't Know !!

What is our best guess about the safety?
- When applicable processes have been followed
- When we have verified the code "from within"
- When this has been checked and checked and checked and checked and checked and checked

The FAA/JAA Rules are Strict
To date: "no fatalities have been attributed to Software Failure"
Have we been lucky?
Have we been safe?