Comment:
Migration of unmigrated content due to installation of a new plugin
Tabsetup
0
1. The Requirement
1
2. Rationale
2
3. Guidance
3
4. Small Projects
4
5. Resources
5
6. Lessons Learned
6
7. Software Assurance
Div
id
tabs-1
1. Requirements
Excerpt
3.5.2 The project manager shall maintain records of each software classification determination, each software Requirements Mapping Matrix, and the results of each software independent classification assessment for the life of the project.
1.1 Notes
NPR 7150.2, NASA Software Engineering Requirements, does not include any notes for this requirement.
1.2 History
Expand
title
Click here to view the history of this requirement: SWE-176 History
Include Page
SITE:SWE-176 History
SITE:SWE-176 History
1.3 Applicability Across Classes
Applicable c
a
1
b
1
csc
1
c
1
d
1
dsc
1
e
1
f
1
g
0
h
0
Div
id
tabs-2
2. Rationale
The project manager is required to maintain the following records for the life of the project.
(1) Each software classification determination performed by the project manager, (2) Each project software requirements mapping matrix (3) The results of each software-independent classification assessment by S&MA.
It is important to maintain the records of the software classification and the resulting logic for the classification since the NPR 7150.2 requirements that need to be satisfied for the software are dependent on the software classification. The software requirements mapping matrix will contain the records of any approved tailoring of the requirements. The combination of these records determines exactly what requirements the project will need to satisfy and that information needs to be communicated to everyone on the project.
The records of the logic for the software classification are important so they can be reviewed as the project requirements change and used to help determine whether there has been sufficient change to merit a change in software classification.
Records maintained by the project manager can also be used during the Office of the Chief Engineer (OCE) survey activity (see SWE-129 ) for evaluating compliance and software classification assessments.
Div
id
tabs-3
3. Guidance
The following records are maintained throughout the life of the project.
(1) Each software classification determination performed by the project manager,
The project completes the determination of software classification (see SWE-020 ). Some projects may contain multiple systems and subsystems having different software classes. Appendix C in the NPR defines the default applicability of the requirements based on software classification and safety criticality.
(2) Each project software requirements mapping matrix
A requirements mapping matrix typically lists all of the NPR 7150.2, NASA Software Engineering Requirements, requirements applicable to a project's software, along with the planned approach for demonstrating compliance. As projects can contain multiple classes of software, a project software requirements matrix with this NPR is created for each software class.
(3) The results of software classification determination by S&MA.
If an independent assessment is needed by S&MA, S&MA will complete the assessment and compare the results to the engineering assessment and work with the TAs to resolve any differences.
These records can be used in the OCE survey of a Center's processes and directives and thorough examinations of a project's official records. These surveys are one of the tools used by the OCE to provide oversight, maintain internal control, and review its operations.
The software classification and safety criticality should be reexamined periodically, for example, whenever there are major requirement changes, and at major milestone review points.
The location of the records above should be listed on the project's data management list along with the record of the software safety criticality. The Software Management/Development Plan may list the initial determinations of the software classification and safety-critical and then point to the location of the data management list or the most up-to-date information.
When classifying software be sure to consider:
All software for the system or subsystem (classification may need to be assessed separately).
The purpose of the software.
How the software is intended to be used.
Relevance to major programs and projects.
Hardware controls.
Operations.
Interaction with humans.
Complexity (developmental and operational complexity is woven into the class definitions).
The risk to the project, Center, and Agency
Investment.
If a software component is traceable to a hazard and is determined to be safety-critical software, per the software safety-critical determination process defined in NASA-STD-8739.8, then the software component classification must be Software Class D or higher.
Div
id
tabs-4
4. Small Projects
No additional guidance is available for small projects.
Div
id
tabs-5
5. Resources
5.1 References
refstable
Show If
group
confluence-users
Panel
titleColor
red
title
Visible to editors only
Enter the necessary modifications to be made in the table below:
SWEREFs to be added
SWEREFS to be deleted
added SWEREF-278
SWEREFs called out in the text: 278
SWEREFs NOT called out in text but listed as germane: none
5.2 Tools
Include Page
Tools Table Statement
Tools Table Statement
Div
id
tabs-6
6. Lessons Learned
6.1 NASA Lessons Learned
No Lessons Learned have currently been identified for this requirement.
6.2 Other Lessons Learned
No other Lessons Learned have currently been identified for this requirement.
Div
id
tabs-7
7. Software Assurance
Excerpt Include
SWE-176 - Software Records
SWE-176 - Software Records
7.1 Tasking for Software Assurance
Confirm that records of the software Requirements Mapping Matrix and each software classification are maintained and updated for the life of the project.
7.2 Software Assurance Products
Software Classification Determination
Identify the specific requirements in NASA-STD-8739.8 that are being tailored by the projects (*organizational metric)
Note
title
Objective Evidence
NPR 7150.2 and NASA-STD-8739.8 requirements mapping matrices signed by the engineering and SMA technical authorities for each development organization.
Expand
title
Definition of objective evidence
Include Page
SITE:Definition of Objective Evidence
SITE:Definition of Objective Evidence
7.3 Metrics
% of Total Source Code for each Software Classification (*organizational measure)
Identify the specific requirements in NASA-STD-8739.8 that are being tailored by the projects (*organizational measure)
7.4 Guidance
An independent software assurance classification assessment is not required but can be done if needed by your center processes. Software engineering and software assurance must reach an agreement on the classification of systems and subsystems. Software assurance can just concur with the software engineering classification if they agree with the classification. If an independent software assurance classification is done, that record along with the rationale for the classification should be kept.
Some projects may contain multiple systems and subsystems having different software classes. Appendix C in the NPR defines the default applicability of the requirements based on software classification and safety criticality. The applicability of NPR 7150.2 requirements is determined using the Requirements Mapping and Compliance Matrix in Appendix C of the NPR using the software class definitions in Appendix D of the NPR and the software’s safety criticality designation. Important to classification is the usage of the software with or within a NASA system, the criticality of the system to NASA’s major programs and projects, the extent to which humans depend upon the system, developmental and operational complexity, and the extent of the Agency’s investment.
Complete the classification of software as soon as it has been determined that a project includes software. Both the software development organization in conjunction with the project office and software assurance classify software and, as stated in the NPR 7150.2 note for this requirement, Software engineering and software assurance must reach an agreement on the classification of systems and subsystems. Disagreements are elevated via both the Engineering Technical Authority and Safety and Mission Assurance Technical Authority chains.
Guidance: When classifying software be sure to consider:
All software for the system or subsystem (classification may need to be assessed separately).
Purpose of the software.
How the software is intended to be used.
Relevance to major programs and projects.
Hardware controls.
Operations.
Interaction with humans.
Complexity (developmental and operational complexity is woven into the class definitions).
The risk to the project, Center, and Agency Investment.
If a software component is traceable to a hazard and is determined to be safety-critical software, per the software safety-critical determination process defined in NASA-STD-8739.8
Swerefn
refnum
278
, then the software component classification must be Software Class D or higher. When classifying software be sure to consider: