5.1.5.1 The Software Assurance Plan(s) shall be developed and documented per NASA-STD-8739.8, Software Assurance Standard. [SWE-106] NPR 7150.2, NASA Software Engineering Requirements, does not include any notes for this requirement. Class A_SC A_NSC B_SC B_NSC C_SC C_NSC D_SC D_NSC E_SC E_NSC F G H Applicable? Key: A_SC = Class A Software, Safety-Critical | A_NSC = Class A Software, Not Safety-Critical | ... | - Applicable | - Not Applicable Software assurance activities ensure that the project team implements software engineering products and processes according to the plans established by the project and that these products and projects comply with requirements in NASA-STD-8739.8. NASA-STD-8739.8 278 captures the assurance requirements in a single place for more uniform application across projects where software is developed or acquired for NASA. The Software Assurance Plan (SAP) represents an agreement between the project, the software developers, and the software assurance personnel. It describes the activities, roles, and responsibilities of software assurance on the project. As with any task, a plan helps ensure that the team performs all necessary and required tasks. Development of the plan provides the opportunity for stakeholders to give input and assist with the documentation and tailoring of the planned activities for the project. Specific to software assurance, NASA-STD-8739.8 278 provides requirements that the team can use as the basis for development of a project's SAP. Using this previously thought-out, defined set of requirements gives plan development teams a common starting point for their activities and ensures that all SAPs include and address the same key tasks and assurance activities. For projects that involve contracted work, both the acquirer and the provider (subcontractor) need SAPs, and those plans must work together to accomplish the required level of software assurance. The preliminary acquirer plan is developed at the same time that the Request for Proposal (RFP) or Memorandum of Agreement/Memorandum of Understanding (MOA/MOU) is created. Both acquirer and provider plans are to be completed by the time the contract is awarded, though an update of the provider plan is expected at the Software Requirements Review (SwRR). As with many project plans, the SAP may be a separate document or may be combined with another project plan such as the Software Development Plan (SDP). However, the independent software assurance organization of the acquirer Safety and Mission Assurance (SMA) Office needs to have sign-off authority on the content no matter into what document the SAP contents may be incorporated. The SAP is a joint agreement between acquirer SMA and the project/facility for software assurance activities. While NASA-STD-8739.8 278 contains requirements for software assurance in general, it also contains minimum content requirements for the SAP. The following requirements, identified by NASA-STD-8739.8 paragraph numbers, apply specifically to the development and documentation of a SAP. These requirements, shown here without their associated project life-cycle phase, provide a high-level content overview of both the acquirer and provider SAPs. When carrying out these requirements, consult NASA-STD-8739.8 278 to determine the specific life-cycle phase in which they are to be completed. Acquirer SAP: Provider SAP: NASA-STD-8719.13B, Software Safety Standard, 271 also includes two requirements that address content to consider for the SAP: Before writing a SAP, it is recommended that the team review the following material as preparation: Using an existing template will ensure consistency of plans across projects, as well as ensure all key information is included in the SAP. If a project or Center SAP template or "best-in-class" example does not exist, NASA-STD-8739.8 278 contains a basic outline in its Appendix B. Templates are included in the Resources section of this guidance, including one from Goddard Space Flight Center (GSFC) based on IEEE 730-2002 noted in NASA-STD-8739.8 278 requirements, which includes suggested content for each section of the SAP. Other content elements to consider include: Ensure that the SAP is reviewed prior to implementation and at appropriate life cycle reviews by personnel with sufficient software assurance knowledge to identify omissions, inadequacies, and other issues. Include stakeholders affected by the plan in the reviews for awareness of planned activities and so that their suggestions can be addressed within the bounds of the project's required level of software assurance. Any identified issues need to be corrected before plan implementation or before carrying out affected software assurance activities in the next life-cycle phase. The following diagram excerpted from the Glenn Research Center SQA Process for Software Assurance, SEGP-SQA-PRC-1 382, shows a basic flow of activities for developing and documenting a SAP: Any changes to the baselined SAP (typically baselined at PDR (Preliminary Design Review)) need to be made via the appropriate formal change request process (internal to the project for the acquirer SAP or via NASA's formal change request process for the provider SAP) and be accompanied by a risk analysis to ensure the project's level of software assurance is not compromised. The acquirer software assurance personnel are responsible for ensuring the provider software assurance personnel are meeting the contents of the provider SAP. The acquirer SAP describes how this will be done (based on software size, software class, safety criticality, and other factors that may be specific to a project). Guidance related to software assurance and to be considered for inclusion in the SAP may be found in the following related requirements in this Handbook: Software Plans Software Classification Software Assurance Independent Software Classification Assessment Software Safety Determination According to NASA-STD-8739.8 278, smaller projects have the choice of incorporating their SAP in another project-planning document or using a separate document. Tools to aid in compliance with this SWE, if any, may be found in the Tools Library in the NASA Engineering Network (NEN). NASA users find this in the Tools Library in the Software Processes Across NASA (SPAN) site of the Software Engineering Community in NEN. The list is informational only and does not represent an “approved tool list”, nor does it represent an endorsement of any particular tool. The purpose is to provide examples of tools being used across the Agency and to help projects and centers decide what tools to consider. There must be a software assurance plan. "Most Project Managers feel they have too many plans, and the suggestion of another one for Software Quality Assurance might be the proverbial straw that breaks the camel's back! But the success of any undertaking is to know what one is trying to achieve and how one expects to accomplish it, hence, the necessity of a plan for SQA. The plan will specify the goals, what is to be performed, standards against which the development work is to be measured, all relevant procedures, and the organizational structure of the Quality Assurance within the project. At NASA a software assurance plan is required." (Lesson 4 of 12, SoftwareTech News 433). The NASA Lesson Learned database contains the following lessons learned related to software assurance planning:
See edit history of this section
Post feedback on this section
1.Requirement
1.2 Notes
1.3 Applicability Across Classes
X - Applicable with details, read above for more | P(C) - P(Center), follow center requirements or procedures2. Rationale
3. Guidance
NOTE: For smaller projects, this plan may be incorporated in another project-planning document or may be a separate document. Larger projects may have a separate plan or more than one software assurance plan.4. Small Projects
5. Resources
5.1 Tools
6. Lessons Learned
SWE-106 - Software Assurance Plan
Web Resources
View this section on the websiteUnknown macro: {page-info}
NPR 7150.2, section 5.1.5, states that: "The Software Assurance Plan details the procedures, reviews, and audits required to accomplish software assurance. The project office should coordinate with the Office of Safety and Mission Assurance for help in scoping and adapting the effort appropriately, and to designate the individual responsible for software assurance on the project."