The Federal Aviation Administration (FAA) is charged with maintaining a safe air transportation system within the United States, and in Oceanic Flight Information Regions assigned to the U.S. by the International Civil Aviation Organization (ICAO). This system involves aircraft and a supporting infrastructure of procedures, personnel, and equipment. Software is an essential element of the National Airspace System (NAS) including the aircraft, and embodies much of its functionality. Developed and acquired by the FAA as a portion of a system or system component, software can be a major cost and schedule risk factor in the procurement of new systems and the modernization of existing systems.
Current design practices for navigation systems have employed real-time embedded systems design techniques that rely on good software engineering practices to achieve the extremely high integrity and continuity demanded by safety requirements. A number of guidelines have been developed to streamline the procurement of software-based systems, but most guidelines do not address the assurance of software in the context of safety-critical systems and environments. Nor do they address the assurance of performance with sufficient rigor for operational deployment. While guidelines for software development assurance have been available for aircraft through RTCA/DO-178B/ED-12B, Software Considerations in Airborne Systems and Equipment Certification, no corresponding guidelines have been universally in place for ground systems.
Until recently, the evaluation of ground systems was done separately from aircraft systems. However, current NAS architectural designs rely on coupled systems that require integrated analysis and mitigation of potential safety hazards. This leads to a coordinated allocation of safety objectives between airborne and ground systems. Without a consistent and equivalent set of guidelines between ground and aircraft systems, the FAA will have an extremely difficult task in assuring the safety of modern systems.
The purpose of the FAA's Guidelines for the Application of Software Assurance Best Practices to Communications, Navigation, Surveillance (CNS) and Air Traffic Management (ATM) Systems is to ensure consistency and an acceptable level of confidence in the development of the software components of the NAS. Techniques available through the system safety assessment process result in risk mitigation strategies that minimize the impact of software design errors. With this mitigation in place, only a relatively small portion of the overall system software remains capable of adversely affecting safety of flight. The level of effort required in implementing this guidance will vary as a function of the operational use and the criticality of function of that software.
Consistent development assurance practices will help to achieve technical goals for the safety requirements, interoperability, performance and security assurance, as well as management control, while promoting responsible expenditure of public funds.
These guidelines provide common-sense approaches to ensuring that new developments and changes to existing systems meet the NAS operational safety requirements. More importantly, every effort has been made to take advantage of architectural approaches that significantly reduce the amount of software that must be assured in accordance with these guidelines.
A great deal of effort has already been invested in process improvement (FAA-iCMM®) and the Acquisition Management System (AMS) for software based systems developed and procured by the FAA. These guidelines were developed to take advantage of this work. These guidelines do not replace software development processes or software acquisition processes. These guidelines supplement those processes and provide a comprehensive set of assurance activities throughout the software development life cycle.
They were also based on the experience and knowledge gained through:
The major impact of the guidelines to affected systems will be in the area of verification. These guidelines have very specific rigorous requirements for verification that are not provided by previous ground systems guidance materials.
The guidelines contain an overview of the end-to-end system safety process and how it is used to establish the risk control required for software. A principal purpose of this overview is to demonstrate the use of architecture in reducing the amount of software that needs to be assured. Conceptually, the guidelines contain the lessons learned in software development assurance. Experts within the realms of system safety, airborne software development assurance, ground systems acquisition and maintenance both from the FAA and industry are contributing to the document.
An approval process is presented which provides a framework for assuring the adequate evaluation of software-based systems. This process recognizes the existing approach to certification and commissioning of systems. The process also addresses the challenges that will be encountered by future systems. Detailed guidance on adapting software development assurance best practices to the ground systems environment is provided, stressing the commonality to existing guidance. The guidance demonstrates how the software development assurance process fits into the existing approval, evaluation, and procurement processes of the FAA. Specific attention is devoted to Commercial-Off-The-Shelf software, Legacy Systems, and the introduction of new technology. The guidance is linked to the appropriate hazard analysis process to ensure that risk is controlled.
The author is currently participating in RTCA Special Committee 190/EUROCAE Working Group 52 to develop associated guidance for ground systems. While the RTCA document, by necessity, will be generic, the FAA guidance will provide those details that will assist the user in implementation of the RTCA guidance. Every effort has been made to ensure that the resulting guidance contained in the FAA document remains consistent with the output of RTCA Special Committee 190.
The safety of flight operations is dependent on more than the design of the aircraft and its associated equipment. Equally important to safety are ground and flight personnel procedures, ground-based equipment, and space-based equipment. Various techniques or mitigation strategies are used to minimize the risk and impact of equipment design hazards. With proper architecture and other mitigation approaches, whatever residual errors remain can be attributed to software, but they are confined to a relatively small portion of the overall system software that can adversely affect safety of flight. When software design errors can potentially affect safety of flight, a means is needed to establish assurance, or confidence, that this software has a sufficient level of dependability. RTCA DO-178B, Software Considerations in Airborne Systems and Equipment Certification, provides an accepted approach for establishing assurance in the dependability of safety-critical airborne applications. To provide a consistent, defensible approach, any system that can adversely affect safety of flight should adopt equivalent software development assurance best practices as a basis for establishing and achieving the required level of assurance of critical systems. These guidelines provide the minimum guidance necessary to apply software development assurance best practices specifically to ground systems applications. Our goal is to do this efficiently, with minimum disruption and cost to fielded products, ongoing development, and future developments that have consequences for the safety of flight operations.
Ronald L. Stroup joined the Federal Aviation Administration as an Aerospace Engineer in 1989. He holds a Bachelor of Science in Avionics Engineering from Parks College of Saint Louis University. Mr. Stroup served as a systems engineer in the Aircraft Certification Service's Chicago Aircraft Certification Office and in 1997 became the Software Technology Specialist for the Aircraft Certification Service. His responsibilities included providing technical expertise in the area of software approvals, and he acted as a focal point to improve the software approval process.
Since 1998, Mr. Stroup has served as the Software Safety and Certification Lead for the Office of Information Services and Chief Information Officer. His duties include developing and applying software assurance standards to the acquisitions of software-intensive National Airspace Systems.
Mr. Stroup is a member of the RTCA/SC-190 Committee and IEEE, and is Co-Program Manager for the Streamlining Software Aspects of Certification initiative. He served as a Subject Matter Expert for the Software Fundamentals and Software Procedures course, developing training in the application of the RTCA/DO-178B assurance standard and software engineering practices. Mr. Stroup serves on the FAA's Systems Engineering Council and the System Safety Working Group.
Author Contact Information: Ronald Stroup, [email protected]