| NPR 7150.2 Section | SWE # | NPR 7150.2 Requirement | Software Assurance and Software Safety Tasks |
|---|
| 3 |
| Software Management Requirements |
|
| 3.1 |
| Software Life-Cycle Planning |
|
| 3.1.2 | 033 | | |
| 3.1.3 | 013 | | |
| 3.1.4 | 024 | | |
| 3.1.5 | 034 | | |
| 3.1.6 | 036 | | |
| 3.1.7 | 037 | | |
| 3.1.8 | 039 | | |
| 3.1.9 | 040 | | |
| 3.1.10 | 042 | | |
| 3.1.11 | 139 | | |
| 3.1.12 | 121 | | |
| 3.1.13 | 125 | | |
| 3.1.14 | 027 | | |
| 3.2 |
| Software Cost Estimation |
|
| 3.2.1 | 015 | | |
| 3.2.2 | 151 | | |
| 3.2.3 | 174 | | |
| 3.3 |
| Software Schedules |
|
| 3.3.1 | 016 | | |
| 3.3.2 | 018 | | |
| 3.3.3 | 046 | | |
| 3.4 |
| Software Training | |
| 3.4.1 | 017 | | |
| 3.5 |
| Software Classification Assessments |
|
| 3.5.1 | 020 | | |
| 3.5.2 | 176 | | |
| 3.6 |
| Software Assurance and Software
Independent Verification & Validation |
|
| 3.6.1 | 022 | | |
| 3.6.2 | 141 | | |
| 3.6.3 | 131 | | |
| 3.6.4 | 178 | | |
| 3.6.5 | 179 | | |
| 3.7 |
| Safety-Critical and Mission Critical Software |
|
| 3.7.1 | 205 | | |
| 3.7.2 | 023 | | |
| 3.7.3 | 134 | | |
| 3.7.4 | 219 | | |
| 3.7.5 | 220 | | |
| 3.8 |
| Automatic Generation of Software Source Code |
|
| 3.8.1 | 146 | | |
| 3.8.2 | 206 | | |
| 3.9 |
| Software Development Processes and Practices |
|
| 3.9.2 | 032 | | |
| 3.10 |
| Software Reuse |
|
| 3.10.1 | 147 | | |
| 3.10.2 | 148 | | |
| 3.11 |
| Software Cybersecurity |
|
| 3.11.2 | 156 | | |
| 3.11.3 | 154 | | |
| 3.11.4 | 157 | | |
| 3.11.5 | 159 | | |
| 3.11.6 | 207 | | |
| 3.11.7 | 185 | | |
| 3.11.8 | 210 | | |
| 3.12 |
| Software Bi-Directional Traceability |
|
| 3.12.1 | 052 | | |
| 4 |
| Software Engineering (Life Cycle) Requirements |
|
| 4.1 |
| Software Requirements |
|
| 4.1.2 | 050 |  The project manager shall establish, capture, record, approve, and maintain software requirements, including requirements for COTS, GOTS, MOTS, OSS, or reused software components, as part of the technical specification.
| 1. Confirm that all software requirements are established, captured, and documented as part of the technical specification, including requirements for COTS, GOTS, MOTS, OSS, or reused software components. |
| 4.1.3 | 051 | The project manager shall perform software requirements analysis based on flowed-down and derived requirements from the top-level systems engineering requirements, safety and reliability analyses, and the hardware specifications and design. | 1. Perform a software assurance analysis on the detailed software requirements to analyze the software requirement sources and identify any incorrect, missing, or incomplete requirements. |
| 4.1.4 | 184 | The project manager shall include software related safety constraints, controls, mitigations, and assumptions between the hardware, operator, and software in the software requirements documentation. | 1. Analyze and confirm that the software requirements documentation contains the software related safety constraints, controls, mitigations, and assumptions between the hardware, operator, and the software. |
| 4.1.5 | 053 | The project manager shall track and manage changes to the software requirements. | 1. Confirm the software requirements changes are documented, tracked, approved, and maintained throughout the project life cycle. |
| 4.1.6 | 054 | The project manager shall identify, initiate corrective actions, and track until closure inconsistencies among requirements, project plans, and software products. | 1. Monitor identified differences among requirements, project plans, and software products and confirm differences are addressed and corrective actions are tracked until closure. |
| 4.1.7 | 055 | The project manager shall perform requirements validation to ensure that the software will perform as intended in the customer environment. | 1. Confirm that the project software testing has shown that software will function as expected in the customer environment. |
| 4.2 |
| Software Architecture |
|
| 4.2.3 | 057 | The project manager shall transform the requirements for the software into a recorded software architecture. | 1. Assess that the software architecture addresses or contains the software structure, qualities, interfaces, and external/internal components. 2. Analyze the software architecture to assess whether software safety and mission assurance requirements are met. |
| 4.2.4 | 143 | The project manager shall perform a software architecture review on the following categories of projects:a. Category 1 Projects as defined in NPR 7120.5.b. Category 2 Projects as defined in NPR 7120.5 that have Class A or Class B payload risk classification per NPR 8705.4. | 1. Assess the results of or participate in software architecture review activities held by the project. |
| 4.3 |
| Software Design | |
| 4.3.2 | 058 | The project manager shall develop, record, and maintain a software design based on the software architectural design that describes the lower-level units so that they can be coded, compiled, and tested. | 1. Assess the software design against the hardware and software requirements and identify any gaps.2. Assess the software design to verify that the design is consistent with the software architectural design concepts and that the software design describes the lower-level units to be coded, compiled, and tested. 3. Assess that the design does not introduce undesirable behaviors or unnecessary capabilities.4. Confirm that the software design implements all of the required safety-critical functions and requirements. 5. Perform a software assurance design analysis. |
| 4.4 |
| Software Implementation |
|
| 4.4.2 | 060 | The project manager shall implement the software design into software code. | 1. Confirm that the software code implements the software designs. 2. Confirm that the code does not contain functionality not defined in the design or requirements. |
| 4.4.3 | 061 | The project manager shall select, define, and adhere to software coding methods, standards, and criteria. | 1. Assure the project manager selected and/or defined software coding methods, standards, and criteria.2. Analyze that the software code conforms to all required software coding methods, rules, and principles. |
| 4.4.4 | 135 | The project manager shall use static analysis tools to analyze the code during the development and testing phases to, at a minimum, detect defects, software security, code coverage, and software complexity. | 1. Analyze the engineering data or perform independent static code analysis to check for code detects defects, software quality objectives, code coverage objectives, software complexity values, and software security objectives.2. Confirm the static analysis tool(s) are used with checkers to identify security and coding errors and defects.3. Assess that the project addresses the results from the static analysis tools used by software assurance, software safety, engineering, or the project.4. Confirm that the software code has been scanned for security defects and confirm the result.5. Per SWE-219 for safety-critical software, verify code coverage and approved waivers.6. Per SWE-220 for safety-critical software, verify cyclomatic complexity and approved waivers.7. Confirm that Software Quality Objectives or software quality threshold levels are defined and set for static code analysis defects, checks, or software security objectives. |
| 4.4.5 | 062 | The project manager shall unit test the software code. | 1. Confirm that the project successfully executes the required unit tests, particularly those testing safety-critical functions.2. Confirm that the project addresses or otherwise tracks to closure errors, defects, or problem reports found during unit testing. |
| 4.4.6 | 186 | The project manager shall assure that the unit test results are repeatable. | 1. Confirm that the project maintains the procedures, scripts, results, and data needed to repeat the unit testing (e.g., as-run scripts, test procedures, results). |
| 4.4.7 | 063 | The project manager shall provide a software version description for each software release. | 1. Confirm that the project creates a correct software version description for each software release.2. For each software release, confirm that the software has been scanned for security defects and coding standard compliance and confirm the results. |
| 4.4.8 | 136 | The project manager shall validate and accredit the software tool(s) required to develop or maintain software. | 1. Confirm that the software tool(s) needed to create and maintain software is validated and accredited. |
| 4.5 |
| Software Testing |
|
| 4.5.2 | 065a | The project manager shall establish and maintain:
a. Software test plan(s).
… | 1. Confirm that software test plans have been established, contain correct content, and are maintained.2. Confirm that the software test plan addresses the verification of safety-critical software, specifically the off-nominal scenarios. |
| 4.5.2 | 065b | The project manager shall establish and maintain:
...
b. Software test procedure(s).
… | 1. Confirm that the test procedures have been established and are updated when changes to tests or requirements occur.
2. Analyze the software test procedures for the following: a. Coverage of the software requirements.
b. Acceptance or pass/fail criteria,
c. The inclusion of operational and off-nominal conditions, including boundary conditions,
d. Requirements coverage and hazards per SWE-066 and SWE-192, respectively.e. Requirements coverage for cybersecurity per SWE-157 and SWE-210. |
| 4.5.2 | 065c | The project manager shall establish and maintain:
...
c. Software test(s), including any code specifically written to perform test procedures.
… | 1. Confirm that the project creates and maintains any code specifically written to perform test procedures in a software configuration management system.2. Confirm that the project records all issues and discrepancies in the code specifically written to perform test procedures.3. Confirm that the project tracks to closure errors and defects found in the code specifically written to perform test procedures. |
| 4.5.2 | 065d | The project manager shall establish and maintain:
...
d. Software test report(s). | 1. Confirm that the project creates and maintains the test reports throughout software integration and test.
2. Confirm that the project records the test report data and that the data contains the as-run test data, the test results, and required approvals. 3. Confirm that the project records all issues and discrepancies found during each test.4. Confirm that the project tracks to closure errors and defects found during testing. |
| 4.5.3 | 066 | The project manager shall test the software against its requirements. | 1. Confirm test coverage of the requirements through the execution of the test procedures.
2. Perform test witnessing for safety-critical software.3. Confirm that any newly identified software contributions to hazards, events, or conditions found during testing are in the system safety data package. |
| 4.5.4 | 187 | The project manager shall place software items under configuration management prior to testing. | 1. Confirm that software items to be tested are under configuration management before the start of testing. 2. Confirm the project maintains the software items under configuration management through the completion of testing. |
| 4.5.5 | 068 | The project manager shall evaluate test results and record the evaluation. | 1. Confirm that test results are assessed and recorded. 2. Confirm that the project documents software non-conformances in a tracking system.3. Confirm that test results are sufficient verification artifacts for the hazard reports. |
| 4.5.6 | 070 | The project manager shall use validated and accredited software models, simulations, and analysis tools required to perform qualification of flight software or flight equipment. | 1. Confirm that the software models, simulations, and analysis tools used to achieve the qualification of flight software or flight equipment have been validated and accredited. |
| 4.5.7 | 071 | The project manager shall update the software test and verification plan(s) and procedure(s) to be consistent with software requirements. | 1. Analyze that software test plans and software test procedures cover the software requirements and provide adequate verification of hazard controls, specifically the off-nominal scenarios. |
| 4.5.8 | 073 | The project manager shall validate the software system on the targeted platform or high-fidelity simulation. | 1. Confirm that the project validates the software components on the targeted platform or a high-fidelity simulation. |
| 4.5.9 | 189 | The project manager shall ensure that the code coverage measurements for the software are selected, implemented, tracked, recorded, and reported. | 1. Confirm that code coverage measurements have been selected, performed, tracked, recorded, and communicated with each release. |
| 4.5.10 | 190 | The project manager shall verify code coverage is measured by analysis of the results of the execution of tests. | 1. Confirm that the project performs code coverage analysis using the results of the tests or a code coverage tool. 2. Analyze the code coverage measurements to identify uncovered software code.3. Assess any uncovered software code for potential risk, issues, or findings. |
| 4.5.11 | 191 | The project manager shall plan and conduct software regression testing to demonstrate that defects have not been introduced into previously integrated or tested software and have not produced a security vulnerability. | 1. Confirm that the project plans regression testing and that the regression testing is adequate and includes retesting of all safety-critical code components.2. Confirm that the project performs the planned regression testing. 3. Identify any risks and issues associated with the regression test set selection and execution.4. Confirm that the regression test procedures are updated to incorporate tests that validate the correction of critical anomalies. |
| 4.5.12 | 192 | The project manager shall verify through test the software requirements that trace to a hazardous event, cause, or mitigation technique. | 1. Through testing, confirm that the project verifies the software requirements which trace to a hazardous event, cause, or mitigation techniques. |
| 4.5.13 | 193 | The project manager shall develop acceptance tests for loaded or uplinked data, rules, and code that affects software and software system behavior. | 1. Confirm that the project develops acceptance tests for loaded or uplinked data, rules, and code that affect software and software system behavior.2. Confirm that the loaded or uplinked data, rules, scripts, or code that affect software and software system behavior are baselined in the software configuration system. 3. Confirm that loaded or uplinked data, rules, and scripts are verified as correct prior to operations, particularly for safety-critical operations. |
| 4.5.14 | 211 | The project manager shall test embedded COTS, GOTS, MOTS, OSS, or reused software components to the same level required to accept a custom developed software component for its intended use. | 1. Confirm that the project is testing COTS, GOTS, MOTS, OSS, or reused software components to the same level as developed software for its intended use. |
| 4.6 |
| Software Operations, Maintenance, and Retirement |
|
| 4.6.2 | 075 | The project manager shall plan and implement software operations, maintenance, and retirement activities. | 1. Assess the maintenance, operations, and retirement plans for completeness of the required software engineering and software assurance activities. 2. Confirm that the project implements software operations, software maintenance, and software retirement plans. |
| 4.6.3 | 077 | The project manager shall complete and deliver the software product to the customer with appropriate records, including as-built records, to support the operations and maintenance phase of the software’s life cycle. | 1. Confirm that the correct version of the products is delivered, including as-built documentation and project records. 2. Perform audits for all deliveries per the configuration management processes to verify that all products are being delivered and are the correct versions. |
| 4.6.4 | 194 | The project manager shall complete, prior to delivery, verification that all software requirements identified for this delivery have been met or dispositioned, that all approved changes have been implemented and that all defects designated for resolution prior to delivery have been resolved. | 1. Confirm that the project has identified the software requirements to be met, the approved changes to be implemented, and defects to be resolved for each delivery. 2. Confirm that the project has met all software requirements identified for delivery. 3. Confirm requirements once planned for delivery but no longer appearing in delivery documentation have been dispositioned. 4. Confirm that approved changes have been implemented and tested.5. Confirm that the approved changes to be implemented and the defects to be resolved have been resolved. 6. Approve or sign off on the projects delivered products. |
| 4.6.5 | 195 | The project manager shall maintain the software using standards and processes, per the applicable software classification throughout the maintenance phase. | 1. Perform audits on the standards and processes used throughout maintenance based on the software classification. |
| 4.6.6 | 196 | The project manager shall identify the records and software tools to be archived, the location of the archive, and procedures for access to the products for software retirement or disposal. | 1. Confirm that the project has identified the records and software tools for archival.2. Confirm that the project archives all software and records selected for archival, as planned. |
| 5 |
| Supporting Software Life Cycle Requirements |
|
| 5.1 |
| Software Configuration Management |
|
| 5.1.2 | 079 | The project manager shall develop a software configuration management plan that describes the functions, responsibilities, and authority for the implementation of software configuration management for the project. | 1. Assess that a software configuration management plan has been developed and complies with the requirements in NPR 7150.2 and Center/project guidance. |
| 5.1.3 | 080 | The project manager shall track and evaluate changes to software products. | 1. Analyze proposed software and hardware changes to software products for impacts, particularly safety and security.
2. Confirm the following:a. The project tracks the changes.b. The changes are approved and documented before implementation.c. The implementation of changes is complete.d. The project tests the changes.
3. Confirm software changes follow the software change control process. |
| 5.1.4 | 081 | The project manager shall identify the software configuration items (e.g., software records, code, data, tools, models, scripts) and their versions to be controlled for the project. | 1. Confirm that the project has identified the configuration items and their versions to be controlled.2. Assess that the software safety-critical items are configuration-managed, including hazard reports and safety analysis. |
| 5.1.5 | 082 | The project manager shall establish and implement procedures to:
a. Designate the levels of control through which each identified software configuration item is required to pass.
b. Identify the persons or groups with authority to authorize changes.
c. Identify the persons or groups to make changes at each level. | 1. Confirm that software assurance has participation in software control activities.2. Perform an audit against the configuration management procedures to confirm that the project follows the established procedures. |
| 5.1.6 | 083 | The project manager shall prepare and maintain records of the configuration status of software configuration items. | 1. Confirm that the project maintains records of the configuration status of the configuration items. |
| 5.1.7 | 084 | The project manager shall perform software configuration audits to determine the correct version of the software configuration items and verify that they conform to the records that define them. | 1. Confirm that the project manager performed software configuration audits to determine the correct version of the software configuration items and verify that the results of the audit conform to the records that define them. |
| 5.1.8 | 085 | The project manager shall establish and implement procedures for the storage, handling, delivery, release, and maintenance of deliverable software products. | 1. Confirm that the project establishes procedures for storage, processing, distribution, release, and support of deliverable software products.2. Perform audits on the project to ensure that the project follows defined procedures for deliverable software products. |
| 5.1.9 | 045 | The project manager shall participate in any joint NASA/developer audits. | 1. Participate in or assess the results from any joint NASA/developer audits. Track any findings to closure. |
| 5.2 |
| Software Risk Management |
|
| 5.2.1 | 086 | The project manager shall record, analyze, plan, track, control, and communicate all of the software risks and mitigation plans. | 1. Confirm and assess that a risk management process includes recording, analyzing, planning, tracking, controlling, and communicating all software risks and mitigation plans. 2. Perform audits on the risk management process for the software activities. |
| 5.3 |
| Software Peer Reviews/Inspections |
|
| 5.3.2 | 087 | The project manager shall perform and report the results of software peer reviews or software inspections for:
a. Software requirements.
b. Software plans, including cybersecurity.
c. Any design items that the project identified for software peer review or software inspections according to the software development plans.
d. Software code as defined in the software and or project plans.
e. Software test procedures. | 1. Confirm that software peer reviews are performed and reported on for project activities. 2. Confirm that the project addresses the accepted software peer review findings.3. Perform peer reviews on software assurance and software safety plans.4. Confirm that the source code satisfies the conditions in the NPR 7150.2 requirement SWE-134, "a" through "l," based upon the software functionality for the applicable safety-critical requirements at each code inspection/review. |
| 5.3.3 | 088 | The project manager shall, for each planned software peer review or software inspection:
a. Use a checklist or formal reading technique (e.g., perspective-based reading) to evaluate the work products.
b. Use established readiness and completion criteria.
c. Track actions identified in the reviews until they are resolved.
d. Identify the required participants. | 1. Confirm that the project meets the NPR 7150.2 criteria in "a" through "d" for each software peer review.2. Confirm that the project resolves the actions identified from the software peer reviews.3. Perform audits on the peer-review process. |
| 5.3.4 | 089 | The project manager shall, for each planned software peer review or software inspection, record necessary measurements. | 1. Confirm that the project records the software peer reviews and results of software inspection measurements. |
| 5.4 |
| Software Measurements |
|
| 5.4.2 | 090 | The project manager shall establish, record, maintain, report, and utilize software management and technical measurements. | 1. Confirm that a measurement program establishes, records, maintains, reports, and uses software assurance, management, and technical measures. 2. Perform trending analyses on metrics (quality metrics, defect metrics) and report. 3. Collect any identified organizational metrics and submit them to the organizational repository. |
| 5.4.3 | 093 | The project manager shall analyze software measurement data collected using documented project-specified and Center/organizational analysis procedures. | 1. Confirm software measurement data analysis conforms to documented analysis procedures.
2. Analyze software assurance measurement data. |
| 5.4.4 | 094 | The project manager shall provide access to the software measurement data, measurement analyses, and software development status as requested to the sponsoring Mission Directorate, the NASA Chief Engineer, the Center Technical Authorities, HQ SMA, and other organizations as appropriate. | 1. Confirm access to software measurement data, analysis, and status as requested to the following entities, at a minimum:
- Sponsoring Mission Directorate
- NASA Chief Engineer
- Center Technical Authorities
- Headquarters SMA |
| 5.4.5 | 199 | The project manager shall monitor measures to ensure the software will meet or exceed performance and functionality requirements, including satisfying constraints. | 1. Confirm that the project monitors and updates planned measurements to ensure the software meets or exceeds performance and functionality requirements, including satisfying constraints.
2. Monitor and track any performance or functionality requirements that are not being met or are at risk of not being met. |
| 5.4.6 | 200 | The project manager shall collect, track, and report software requirements volatility metrics. | 1. Confirm that the project collects, tracks, and reports on the software volatility metrics.
2. Analyze software volatility metrics to evaluate requirements stability as an early indicator of project problems. |
| 5.5 |
| Software Non-conformance or Defect Management |
|
| 5.5.1 | 201 | The project manager shall track and maintain software non-conformances (including defects in tools and appropriate ground software). | 1. Confirm that all software non-conformances are recorded and tracked to resolution.2. Confirm that accepted non-conformances include the rationale for the non-conformance. |
| 5.5.2 | 202 | The project manager shall define and implement clear software severity levels for all software non-conformances (including tools, COTS, GOTS, MOTS, OSS, reused software components, and applicable ground systems). | 1. Confirm that all software non-conformances severity levels are defined.
2. Assess the application and accuracy of the defined severity levels to software non-conformances.3. Confirm that the project assigns severity levels to non-conformances associated with tools, COTS, GOTS, MOTS, OSS, and reused software components. 4. Maintain or access the number of software non-conformances at each severity level for each software configuration item. |
| 5.5.3 | 203 | The project manager shall implement mandatory assessments of reported non-conformances for all COTS, GOTS, MOTS, OSS, and/or reused software components. | 1. Confirm the evaluations of reported non-conformances for all COTS, GOTS, MOTS, OSS, or reused software components are occurring throughout the project life cycle.
2. Assess the impact of non-conformances on the project software's safety, quality, and reliability. |
| 5.5.4 | 204 | The project manager shall implement process assessments for all high severity software non-conformances (closed loop process). | 1. Perform or confirm that a root cause analysis has been completed on all identified high severity software non-conformances, and that the results are recorded and have been assessed for adequacy. 2. Confirm that the project analyzed the processes identified in the root cause analysis associated with the high severity software non-conformances.
3. Assess opportunities for improvement on the processes identified in the root cause analysis associated with the high severity software non-conformances. 4. Perform or confirm tracking of corrective actions to closure on high severity software non-conformances. |