Study Findings Part 2

1
Study Findings Part 2
2
Contents of Presentation

• Report on comments raised by IPTs
• Outline proposals for taking the work forward
• Development of guidance material

3
IPT comments
4
IPTs

• Fixed Wing Civil Aircraft
• Future Strategic Tanker Aircraft
• A400M
• C-17
• Fixed Wing Military Aircraft
• Hercules
• Sentry
• Rotary Wing
• Merlin Capability Sustainment Project
• Chinook Mk3
• Future Lynx

5
Discussions with IPTs

• In general, not DO-178B that is problematic
• Many issues are contractual
• Lack of access to subcontractors documentation
  and source code
• Unable to develop safety argument
• Contractual requirements not being flowed down
• Lack of experience of software engineers

6
Discussions with IPTs

• Concern that SCA necessary in order to gain a RTS
  Recommendation
• Concern that there is insufficient flexibility in
  approaches being proposed
• Stick with what has happened in past rather than
  change approach to reflect current position
• Still wide variation on whether DO-178B
  considered sufficient

7
IPT approaches

• Rely on existing certification evidence as far as
  possible
• e.g. FSTA, A400M, C-17
• Civil aircraft adapted for military application
• Focus on military deltas
• Confidence in Boeing and Airbus to develop robust
  high integrity software

8
IPT approaches

• Development of bespoke safety strategy based on
  standards
• e.g. MCSP, Chinook
• IPT has some influence on procurement programme
• Define Safety Process to be adopted by Prime
  Contractor
• Buy in from Prime Contractors

9
IPT approaches

• Re-certify by different organisation
• e.g. Future Lynx
• Specific concern over FADEC
• But very different application
• Has pedigree
• Initial proposal SCA
• Is recertification necessary?

10
IPT approaches

• Use of SCA for provision of evidence
• e.g. Hercules
• Contractual restrictions specifically limit
  access to code
• UK have to accept US audit results

11
Strategies for Re-Certification
12
Re-certification of systems

• For UK military application
• New Programmes
• Existing software developed to other standards or
  guidance material
• Existing software developed to DO-178B

13
New Programmes

• IPT have strong influence over development and
  safety process
• May not be representative of many programmes
• Formalisation of safety requirements
• Work undertaken by QQ and YSE
• ERA propose - not primary focus of study

14
Existing Software DO-178B

• Two scenarios
• Software developed for a specific application and
  certified for use in this application
• Software developed for a generic application and
  has not been certified

15
Certified Software - 1

• Need to establish how much can be claimed from
  existing safety justification
• Will have to write a Safety Case
• Note that DER will provide assurance of safety
  for previous application
• Job aids at http//www.faa.gov/certification/aircr
  aft/av-info/software/Job_Aids.htm

16
Certified Software - 2

• Identify Military deltas
• Safety Assessment
• How software behaviour could impact hazards
  associated with the new system
• Establish risk
• Risk may be higher but may be acceptable
• If risk unacceptable identify risk reduction

17
Generic Software

• Establish a safety assessment process
• Identify system hazards
• Identify software behaviours
• Need to understand implementation of requirements
• Determine what extras done by the prime
  contractor and sub-contractor

18
Where next?
19
Where next?

• ERA believes IPTs and other stakeholders would
  benefit from development of guidance material
• Benefits
• Consistency in approach
• More cost effective approaches
• Better understanding of methodologies from all
  stakeholders
• Easier to gain buy-in from safety advisors

20
Scope of Guidance Material

• One size fits all?
• Better to have guidance for a number of different
  scenarios
• Focus
• re-certification programmes
• DO-178B
• Key issues
• Relationship between safety process and DO-178B
• How to use DO-178B evidence in re-certification