1. Introduction
Provides information for the major software assurance and safety work products resulting from the performance of the Software Assurance and Software Safety (SASS) tasks required in the NASA Software Assurance and Software Safety Standard, NASA-STD-8739.8 [278]. Each product’s section may include sub-products, potential analysis methods/technologies, and suggested content for capturing and reporting on the product activities.
This topic provides detailed information on the work products produced as a result of performing the Software Assurance and Software Safety (SASS) tasks required in NASA-STD-8739.8 [278]. Each SASS task has been mapped to one or more of nine major SASS products or to the product listed as "Objective Evidence". See Topic 8.15 - SA Tasking Checklist Tool for the mapping. Each of the major products has sub-products that may include suggested content, methodologies, and result recording. The “Objective Evidence” products prove that a required SASS task has been performed. (A more specific definition of “Objective Evidence” may be found in the “Objective Evidence” tab.)
Each major product has a detailed description and may include:
Sub-products – Sub-products are often part of the major work product but may also be recorded separately. For example, a Software Assurance Plan may contain the Safety Plan or the Safety Plan may be a separate document.
Product Guidance – Approaches and guidance that may be used to produce the product. For example, an analysis product may include information on the various types of analysis methods that could be used to produce the product.
Content List - Minimum required content that comprises the product. The work product content for a particular project will depend on the project’s approved SASS Requirements Mapping Matrix (i.e., tailoring matrix), safety criticality, and software classification. If the SASS tasks in NASA-STD-8739.8 [278] have been tailored out and approved, then the content associated with those tailored tasks is no longer required for inclusion in the products.
1.1 The major SASS work products are:
Software Assurance Plan - Describes Software Assurance Plan content as well as sub-plans for Safety and Security
IV&V Program Execution Plan - This is produced by the IV&V team and is not a software assurance or safety team responsibility.
Source Code Quality Analysis - Section focuses on analysis techniques for determining and improving source code quality.
Testing Analysis - Discusses considerations for developing and evaluating test products (test plans, test procedures and test results)
Software Assurance Status Reports - Contains recommended content for SA status reporting, including reporting details for analysis, assessments and audits.
Audit Reports - Discusses required audits and provides information and resources for performing audits
Choose the individual product titles to see the detailed information on each work product.
The chart in tab 2 of this topic lists the work products, sub-products and the approximate phasing schedule for the work products.
2. Product Schedules
The following chart lists the major products with their sub-products and other details and gives the life cycle phase(s) in which each product is typically developed. The SWE numbers of the SASS tasks that require the products are also listed. For the details of each task, see the chart in tab 3: Product/SASS Task Mapping.
[Product schedule chart: only its final rows survived extraction, and the life cycle phase column headings are missing. Each row gives the sub-product, the phase columns marked (X), and the SWE number(s) of the tasks requiring it.]
o *See Confirmations topic for other confirmations: X X X X X X; All "Confirm" SASS Tasks
o Software control activities: X X X X X X; SWE-082
Approvals/sign-offs on deliveries: X; SWE-094
SA Peer Review records: X X X; SWE-087
Key Definitions:
Draft: Product is in outline form with some content; still has a lot of TBDs (To Be Determined).
Preliminary: Most content is there but has not been baselined yet.
Baseline: Product reviewed and all actions completed.
Anytime: Product could be generated at any time.
3. Product/SASS Task Mapping
This chart lists all the products and sub-products required by NASA-STD-8739.8 and shows the associated tasks relating to each product. Sub-products and product details (marked "o") are listed under their major product.
# | Product | Sub-Product / o Product Detail | Associated Tasks in NASA-STD-8739.8
1. Software Assurance Plan
SWE-013 Task 2: Develop a Software Assurance Plan following the content defined in NASA-HDBK-2203 for a software assurance plan, including software safety.
SWE-016 Task 2: Develop a software assurance schedule, including software assurance products, audits, reporting, and reviews.
SWE-151 Task 1e: Assess the project's software cost estimate(s) to determine if the stated criteria listed in "a" through "f" are satisfied.
e. Includes the cost of the required software assurance support.
Software Safety Plan
SWE-013 Task 2: Develop a Software Assurance Plan following the content defined in NASA-HDBK-2203 for a software assurance plan, including software safety.
Software Assurance Schedule
SWE-016 Task 2: Develop a software assurance schedule, including software assurance products, audits, reporting, and reviews.
SWE-046 Task 1: Confirm the project's schedules are updated.
SASS Requirements Mapping Matrix
SWE-013 Task 2: Develop a Software Assurance Plan following the content defined in NASA-HDBK-2203 for a software assurance plan, including software safety.
SWE-121 Task 2: Develop a tailoring matrix of software assurance and software safety requirements.
SWE-125 Task 2: Maintain the requirement mapping matrix (matrices) for requirements in NASA-STD-8739.8.
SASS-09: The Center SMA TA shall review and agree with any tailored Software Assurance and Software Safety Standard requirements.
SASS-10: If a system or subsystem development evolves to meet a higher or lower software classification as defined in NPR 7150.2 then the software assurance, software safety, and IV&V organizations shall update their plan(s) to fulfill the applicable requirements per the Requirements Mapping Matrix and any approved changes, and initiate adjustments to applicable contracts to meet the modified requirements.
Software Classification Determination
SWE-020 Task 1: Perform a software classification or concur with the engineering software classification of software per the descriptions in NPR 7150.2.
2. IV&V Program Execution Plan (Done by IV&V)
SWE-131 Task 1: Confirm that the IV&V Program Execution Plan (IPEP) exists.
To be done by IV&V:
SASS-02: The IV&V Provider shall: b. Develop and negotiate with the project an IV&V Execution Plan documenting the activities, methods, level of rigor, environments, tailoring (if any) of these requirements, and criteria to be used in performing verification and validation of in-scope system/software behaviors (including responsible software components) determined by the planning and scoping effort.
3. Software Requirements Analysis
SWE-034 Task 1: Confirm software acceptance criteria are defined and assess the criteria based on guidance in the NASA Software Engineering Handbook, NASA-HDBK-2203.
SWE-051 Task 1: Perform a software assurance analysis on the detailed software requirements to analyze the software requirement sources and identify any incorrect, missing, or incomplete requirements.
SWE-080 Task 1: Analyze proposed software and hardware changes to software products for impacts, particularly to safety and security.
SWE-081 Task 2: Assess that the software safety-critical items are configuration managed, including hazard reports and safety analysis.
SWE-184 Task 1: Analyze that the software requirements documentation contains the software related safety constraints, controls, mitigations, and assumptions between the hardware, operator, and the software.
SWE-203 Task 2: Assess the impact of non-conformances on the safety, quality, and reliability of the project software.
4. Software Safety and Hazard Analysis
SWE-034 Task 1: Confirm software acceptance criteria are defined and assess the criteria based on guidance in the NASA Software Engineering Handbook, NASA-HDBK-2203.
SWE-080 Task 1: Analyze proposed software and hardware changes to software products for impacts, particularly to safety and security.
SWE-081 Task 2: Assess that the software safety-critical items are configuration managed, including hazard reports and safety analysis.
SWE-203 Task 2: Assess the impact of non-conformances on the safety, quality, and reliability of the project software.
SWE-205 Task 2: Assess that the hazard reports identify the software components associated with the system hazards per the criteria defined in NASA-STD-8739.8, Appendix A.
SWE-205 Task 3: Assess that hazard analyses (including hazard reports) identify the software components associated with the system hazards per the criteria defined in NASA-STD-8739.8, Appendix A.
SWE-205 Task 5: Develop and maintain a software safety analysis throughout the software development life-cycle.
5. Software Design Analysis
SWE-034 Task 1: Confirm software acceptance criteria are defined and assess the criteria based on guidance in the NASA Software Engineering Handbook, NASA-HDBK-2203.
SWE-057 Task 1: Assess that the software architecture addresses or contains the software structure, qualities, interfaces, and external/internal components.
SWE-057 Task 2: Analyze the software architecture to assess whether software safety and mission assurance requirements are met.
SWE-058 Task 1: Assess the software design against the hardware and software requirements and identify any gaps.
SWE-058 Task 2: Assess the software design to verify that the design is consistent with the software architectural design concepts and that the software design describes the lower-level units to be coded, compiled, and tested.
SWE-058 Task 3: Assess that the design does not introduce undesirable behaviors or unnecessary capabilities.
SWE-058 Task 5: Perform a software assurance design analysis.
SWE-080 Task 1: Analyze proposed software and hardware changes to software products for impacts, particularly to safety and security.
SWE-081 Task 2: Assess that the software safety-critical items are configuration managed, including hazard reports and safety analysis.
SWE-134 Task 6: Analyze the software design to ensure:
a. Use of partitioning or isolation methods in the design and code,
b. That the design logically isolates the safety-critical design elements and data from those that are non-safety-critical.
SWE-143 Task 1: Assess the results of or participate in software architecture review activities held by the project.
SWE-203 Task 2: Assess the impact of non-conformances on the safety, quality, and reliability of the project software.
6. Source Code Quality Analysis
SWE-034 Task 1: Confirm software acceptance criteria are defined and assess the criteria based on guidance in the NASA Software Engineering Handbook, NASA-HDBK-2203.
SWE-061 Task 1: Analyze that the software code conforms to all of the required software coding methods, rules, and principles.
SWE-080 Task 1: Analyze proposed software and hardware changes to software products for impacts, particularly to safety and security.
SWE-081 Task 2: Assess that the software safety-critical items are configuration managed, including hazard reports and safety analysis.
SWE-134 Task 1: Analyze the software requirements and the software design and work with the project to implement NPR 7150.2 requirement items "a" through "l."
SWE-134 Task 2: Assess that the source code satisfies the conditions in the NPR 7150.2 requirement "a" through "l" for safety-critical and mission-critical software at each code inspection, test review, safety review, and project review milestone.
SWE-135 Task 2: Assess that the project addresses the results from the static analysis tools used by software assurance, software safety, engineering, or the project.
SWE-158 Task 2: Perform static code analysis on the software or analyze the project's static code analysis tool results for cybersecurity vulnerabilities and weaknesses.
SWE-159 Task 2: Assess the quality of the cybersecurity mitigation implementation testing and the test results.
SWE-185 Task 1: Analyze the engineering data or perform independent static code analysis to verify that the code meets the project’s secure coding standard requirements.
SWE-203 Task 2: Assess the impact of non-conformances on the safety, quality, and reliability of the project software.
SWE-207 Task 1: Assess that the software coding guidelines (e.g., coding standards) include secure coding practices.
7. Testing Analysis
See individual sub-products.
Software Test Plan Analysis
SWE-034 Task 1: Confirm software acceptance criteria are defined and assess the criteria based on guidance in the NASA Software Engineering Handbook, NASA-HDBK-2203.
SWE-071 Task 1: Analyze that software test plans and software test procedures cover the software requirements and provide adequate verification of hazard controls, specifically the off-nominal scenarios.
SWE-080 Task 1: Analyze proposed software and hardware changes to software products for impacts, particularly to safety and security.
SWE-081 Task 2: Assess that the software safety-critical items are configuration managed, including hazard reports and safety analysis.
SWE-203 Task 2: Assess the impact of non-conformances on the safety, quality, and reliability of the project software.
Software Test Procedures Analysis
SWE-034 Task 1: Confirm software acceptance criteria are defined and assess the criteria based on guidance in the NASA Software Engineering Handbook, NASA-HDBK-2203.
SWE-065b Task 2: Analyze the software test procedures for:
a. Coverage of the software requirements.
b. Acceptance or pass/fail criteria,
c. The inclusion of operational and off-nominal conditions, including boundary conditions,
d. Requirements coverage and hazards per SWE-66 and SWE-192, respectively.
SWE-071 Task 1: Analyze that software test plans and software test procedures cover the software requirements and provide adequate verification of hazard controls, specifically the off-nominal scenarios.
SWE-080 Task 1: Analyze proposed software and hardware changes to software products for impacts, particularly to safety and security.
SWE-081 Task 2: Assess that the software safety-critical items are configuration managed, including hazard reports and safety analysis.
SWE-134 Task 1: Analyze the software requirements and the software design and work with the project to implement NPR 7150.2 requirement items "a" through "l."
SWE-134 Task 2: Assess that the source code satisfies the conditions in the NPR 7150.2 requirement "a" through "l" for safety-critical and mission-critical software at each code inspection, test review, safety review, and project review milestone.
SWE-159 Task 2: Assess the quality of the cybersecurity mitigation implementation testing and the test results.
SWE-191 Task 3: Identify any risks and issues associated with the regression test set selection and execution.
SWE-203 Task 2: Assess the impact of non-conformances on the safety, quality, and reliability of the project software.
Software Test Results Analysis
SWE-034 Task 1: Confirm software acceptance criteria are defined and assess the criteria based on guidance in the NASA Software Engineering Handbook, NASA-HDBK-2203.
SWE-080 Task 1: Analyze proposed software and hardware changes to software products for impacts, particularly to safety and security.
SWE-081 Task 2: Assess that the software safety-critical items are configuration managed, including hazard reports and safety analysis.
SWE-134 Task 1: Analyze the software requirements and the software design and work with the project to implement NPR 7150.2 requirement items "a" through "l."
SWE-134 Task 2: Assess that the source code satisfies the conditions in the NPR 7150.2 requirement "a" through "l" for safety-critical and mission-critical software at each code inspection, test review, safety review, and project review milestone.
SWE-159 Task 2: Assess the quality of the cybersecurity mitigation implementation testing and the test results.
SWE-190 Task 2: Analyze the code coverage measurements for uncovered software code.
SWE-190 Task 3: Assess any uncovered software code for potential risk, issues, or findings.
SWE-191 Task 3: Identify any risks and issues associated with the regression test set selection and execution.
SWE-203 Task 2: Assess the impact of non-conformances on the safety, quality, and reliability of the project software.
o Test Witnessing
SWE-066 Task 2: Perform test witnessing for safety-critical software.
8. SA Status Reports
SWE-037 Task 2: Participate in project milestones reviews.
SWE-039 Task 6: Develop and provide status reports.
SWE-143 Task 1: Assess the results of or participate in software architecture review activities held by the project.
SWE-191 Task 3: Identify any risks and issues associated with the regression test set selection and execution.
SWE-199 Task 2: Monitor and track any performance or functionality requirements that are not being met or are at risk of not being met.
Results of any Analysis done in current phase
o Verification Activities Analysis
SWE-034 Task 1: Confirm software acceptance criteria are defined and assess the criteria based on guidance in the NASA Software Engineering Handbook, NASA-HDBK-2203.
SWE-039 Task 3: Analyze the verification activities to ensure adequacy.
SWE-081 Task 2: Assess that the software safety-critical items are configuration managed, including hazard reports and safety analysis.
o Software Assurance Measurements & Analysis
SWE-090 Task 2: Perform trending and analyses on metrics (quality metrics, defect metrics) and report.
SWE-093 Task 2: Analyze software assurance measurement data collected.
SWE-200 Task 2: Analyze software volatility measures to evaluate requirements stability as an early indicator of project problems.
SWE-202 Task 4: Maintain or have access to the number of software non-conformances at each severity level for each software configuration item.
o Root Cause Analysis
SWE-204 Task 1: Perform or confirm that a root cause analysis has been completed on all identified high severity software non-conformances, the results are recorded, and that the results have been assessed for adequacy.
SWE-204 Task 3: Assess opportunities for process improvement on the processes identified in the root cause analysis associated with the high severity software non-conformances.
Results of Assessments Done Since Last Report
See assessments listed below.
o Assessment of SA Plan
SWE-016 Task 1: Assess that the software schedule satisfies the conditions in the requirement.
SWE-075 Task 1: Assess the plans for maintenance, operations, and retirement for completeness of the required software engineering and software assurance activities.
SWE-151 Task 1: Assess the project's software cost estimate(s) to determine if the stated criteria listed in "a" through "f" are satisfied.
o Assessment of SA Compliance w/ NASA-STD-8739.8
SWE-024 Task 1: Assess plans for compliance with NPR 7150.2 requirements, NASA-STD-8739.8, including changes to commitments.
o Assessment of Software Engineering Plans
SWE-016 Task 1: Assess that the software schedule satisfies the conditions in the requirement.
SWE-075 Task 1: Assess the plans for maintenance, operations, and retirement for completeness of the required software engineering and software assurance activities.
SWE-086 Task 1: Confirm and assess that a risk management process includes recording, analyzing, planning, tracking, controlling, and communicating all of the software risks and mitigation plans.
SWE-146 Task 1: Assess that the approach for the auto-generation software source code is defined, and the approach satisfies at least the conditions “a” through “g.”
SWE-151 Task 1: Assess the project's software cost estimate(s) to determine if the stated criteria listed in "a" through "f" are satisfied.
o Assessment of SW Engineering Compliance w/ NPR 7150.2
SWE-024 Task 1: Assess plans for compliance with NPR 7150.2 requirements, NASA-STD-8739.8, including changes to commitments.
SWE-079 Task 1: Assess that a software configuration management plan has been developed and complies with the requirements in NPR 7150.2 and Center/project guidance.
SWE-139 Task 1: Assess that the software requirements, products, procedures, and processes of the project are compliant with the NPR 7150.2 requirements per the software classification and safety criticality for software.
o Assessment of CMMI Assessment Findings
SWE-032 Task 2: Assess potential process-related issues, findings, or risks identified from the CMMI assessment findings.
o Assessment of Hazard Analyses and Reports
SWE-081 Task 2: Assess that the software safety-critical items are configuration managed, including hazard reports and safety analysis.
SWE-205 Task 2: Assess that the hazard reports identify the software components associated with the system hazards per the criteria defined in NASA-STD-8739.8, Appendix A.
SWE-205 Task 3: Assess that hazard analyses (including hazard reports) identify the software components associated with the system hazards per the criteria defined in NASA-STD-8739.8, Appendix A.
o Assessment of Software Reviews results
SWE-034 Task 1: Confirm software acceptance criteria are defined and assess the criteria based on guidance in the NASA Software Engineering Handbook, NASA-HDBK-2203.
SWE-143 Task 1: Assess the results of or participate in software architecture review activities held by the project.
Record of Corrective Action Closures
SWE-204 Task 4: Perform or confirm tracking of corrective actions to closure on high severity software non-conformances.
9. Audit Reports
Peer Review Process Audit Report
SWE-088 Task 3: Perform audits on the peer-review process.
Risk Management Process Audit Report
SWE-086 Task 2: Perform audits on the risk management process for the software activities.
Software Assurance Process Audit Report
SWE-022 Task 1: Perform according to the software assurance plan and the software assurance and software safety standard requirements in NASA-STD-8739.8.
SWE-032 Task 3: Perform audits on the software development and software assurance processes.
SW Development Processes and Practices Audit Report
SWE-032 Task 3: Perform audits on the software development and software assurance processes.
SWE-039 Task 5: Perform audits on software development processes and practices at least once every two years.
Standards and Processes Audit Report
SWE-195 Task 1: Perform audits on the standards and processes used throughout maintenance based on the software classification.
Software Configuration Management Baseline and Process/Procedure Audit Report
SWE-077 Task 2: Perform audits on the configuration management processes to verify that all products are being delivered and are the correct versions.
SWE-085 Task 2: Perform audits on the project to ensure that the project is following defined procedures for deliverable software products.