NASA Software Assurance Training
April 8, 2005
Susan J. Sekira
GSFC Software Assurance Lead
Mission Success Starts With Safety
Course Agenda
• Course Objectives
• Overview of Software Assurance
• Acquirer Software Assurance
• Provider Software Assurance
• Software Measurement
• NASA Software Assurance Classification Assessment
• Supplementary Information
• Summary
Course Objectives
Overview of Software Assurance
[Figure: the disciplines that make up Software Assurance: SQ, V&V, IV&V, Software Safety, Software Reliability]
SQ = Software Quality
V&V = Verification and Validation
IV&V = Independent Verification and Validation
[Figure: Cost to Fix a defect by life-cycle phase; the chart marks $1, $5 and $20, showing cost rising steeply the later a defect is found]
Bullet text from the same slide (only the ends of the first three bullets and the start of the last survive on the page):
– … schedule
– … system safety
– … to determine milestone completion
• Metrics provide indicators of the quality and maturity of the
The Disciplines of Software Assurance
Software Quality
Software Safety
Software Safety is a systematic approach to
identifying, analyzing, tracking, mitigating and
controlling software hazards and hazardous
functions (data and commands) to ensure safer
software operation within a system.
Software Reliability
Software Reliability is concerned with incorporating and
measuring reliability in the products produced
throughout the life cycle
Specifically…
Systems Engineering defines software requirements as they contribute to system robustness
Software Engineering develops software containing required redundancy and fault tolerance
AND measures and analyzes software’s ability to withstand errors
Software Quality assures quality metrics/measures are documented, monitored, analyzed and
tracked (e.g., error density) AND verifies that reliability requirements have been successfully
demonstrated
Examples:
– Validation of design to meet system needs/requirements
– Traceability of safety critical requirements
– Code analysis of mission-critical software components
– Design analysis of selected critical algorithms
Getting Started…
The NASA Software Assurance Standard [NASA-STD-8739.8]
specifies requirements for software assurance for use by NASA
projects, programs, and facilities
This standard…
– Provides a software life cycle perspective for the minimum required software
assurance procedures that contribute to quality software
– Provides specific requirements for each discipline of software assurance
– Provides the “Acquirer” and “Provider” requirements for software assurance to
obtain the most cost effective, best quality, and safest products
Provider
(May be a contractor, a university, a separate organization
within NASA, or within the same organization as the Acquirer)
Designs, develops, implements, tests,
operates, and maintains software products
Acquirer
Software Assurance
Key Activities:
• Performs Software Assurance Classification Assessment to
identify and evaluate the characteristics of software in
determining the software’s classification
• Applies software classification to tailor software assurance
requirements
• Develops SA input to the Request for Proposal (RFP)
• Reviews proposals for compliance to SA requirements
• Establishes and maintains a software assurance plan for the
acquirer
• Ensures consistency between acquirer and provider SA plans
• Ensures SA training for both the acquirer and provider
CONTRACT IMPLEMENTATION
• Conduct surveillance
• Assure CM
• Assure provider SA
• Ensure acquirer performs tasks
ACCEPTANCE
• Conduct audits prior to delivery
• Assure facility readiness
• Assure acceptance documentation
• Capture Lessons Learned
Provider
Software Assurance
Key Activities:
• Identifies one or more persons to direct and manage a
software assurance program (e.g., a software assurance
manager) – independent from the project
• Develops a software assurance program that includes SQ,
Software Safety, Software Reliability, V&V, and IV&V (when
required)
• Establishes and maintains a working relationship with
project management and the acquirer
• Establishes and maintains a software assurance plan that
conforms to IEEE STD 730-2002
• Conducts periodic reviews, audits, and assessments of the
development processes and products
Provider Deliverables
• Sample Software Deliverables
– Software Management Plan
– Configuration Management Plan
– Software Requirements Specification
– Requirements Traceability Matrix
– Test plans and procedures
– User’s Guides
– ** Etc.
• Software Assurance Deliverables
– Software Assurance Plan
– Software Assurance Status Reports
– Software Assurance Records
** See NPR 7150.2 for more on software products and required content
PROVIDER'S ROLE (by life-cycle phase)
INITIALIZATION, PRE-AWARD
• Draft SA approach
• Respond to SA requirements in RFP
POST-RFP; PRE-AWARD
• Address SA questions from acquirer
• Participate in contract negotiations for SA
POST-AWARD; PRE-IMPLEMENTATION
• Develop SA plan
• Review Acquirer SA plan
• Ensure trained SA personnel
• Establish communication with acquirer, project team
CONTRACT IMPLEMENTATION
• Maintain SA plan
• Conduct/participate in reviews, inspections, audits and prepare SA reports
• Collect, utilize metrics to identify trends, assess quality
• Deliver SA reports, maintain records
ACCEPTANCE
• Conduct audits prior to delivery
• Assure acceptance documentation
• Prepare Lessons Learned
OPERATION
• Develop new/updated SA plan
• Ensure SA processes in place
• Conduct periodic audits of OPS
MAINTENANCE
• Ensure SA processes in place
• Conduct periodic audits or assessments
RETIREMENT
• Send final SA records to project
Communication is Essential!
Artifacts exchanged between Acquirer SA and Provider SA: Software Assurance Plan; Plans and Procedures; Software Products and Deliverables; Software Assurance Records; Software Assurance Status Reports; Meetings, Telecons, and Project Reviews
Acquirer SA
• Verify Provider SA Plan is complete and compatible with Acquirer requirements
• Review Provider plans and procedures
• Review Provider SA reports and records from surveillance activities
• Evaluate software products and deliverables throughout life cycle
• Prepare SA Status reports for Project
• Establish and maintain working relationship with Project, software assurance personnel, and the Provider
• Share issues/concerns/risks
Provider SA
• Develop Provider SA Plan per Acquirer SA Plan
• Review Acquirer plans and procedures
• Flow down requirements to any subcontractors
• Prepare and maintain SA records (accessible by Acquirer)
• Prepare SA Status reports for Project and Acquirer
• Establish and maintain working relationship with Project, software assurance personnel, and the Acquirer
• Share issues/concerns/risks
Software Measurement
“…when you can measure what you are speaking about, and express
it in numbers, you know something about it; when you cannot
express it in numbers, your knowledge is of a meager and
unsatisfactory kind…” (William Thomson, Lord Kelvin)
Why Measure?
Measurements
– provide meaningful information to enable informed control decisions
– provide data from which to model and predict future software trends
Sample Metrics
Requirements Metrics
[Figure: Completeness & Volatility Analysis, two panels plotting requirement quantity per quarter, 1Q94 through 3Q95]
Defect Trending
[Figure: Cumulative Problem Reports Submitted & Closed (No. of PRs, 0 to 3500) by date, 4/26/96 through 5/16/98; annotation on the chart: "Problem --> Opening Errors Continues sharp climb"]
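The two charts above show what a Software Assurance lead plots but not how the numbers are produced. The following is an added worked example, not code or data from the NASA training material: it computes requirements volatility per quarter, error density per KSLOC (the density figure named in the Software Reliability slide), and the cumulative submitted/closed problem-report trend, and it flags the "opening errors continue sharp climb" condition as a backlog that has grown for consecutive months. The formulas (volatility as added + changed + deleted over the baseline at period start; density as defects per thousand source lines) are common definitions assumed here, and every record in the block is constructed for illustration.

```python
"""Worked example of the software-measurement slides: requirements
volatility, error density, and cumulative problem-report (PR) trending.
All inputs below are constructed for illustration; nothing here is
project data from the original training material."""
from collections import Counter
from datetime import date

# Constructed requirements change log per quarter: (quarter, added, changed, deleted).
REQ_BASELINE_START = 500
REQ_CHANGES = [
    ("1Q94", 60, 20, 5),
    ("2Q94", 30, 45, 10),
    ("3Q94", 10, 90, 15),
    ("4Q94", 5, 12, 2),
]

# Constructed problem reports: (PR id, date submitted, date closed or None if still open).
PROBLEM_REPORTS = [
    ("PR-001", date(1996, 4, 26), date(1996, 5, 10)),
    ("PR-002", date(1996, 4, 30), date(1996, 6, 2)),
    ("PR-003", date(1996, 5, 15), date(1996, 5, 20)),
    ("PR-004", date(1996, 5, 28), None),
    ("PR-005", date(1996, 6, 3), date(1996, 7, 1)),
    ("PR-006", date(1996, 6, 20), None),
    ("PR-007", date(1996, 7, 4), None),
    ("PR-008", date(1996, 7, 19), None),
]


def requirements_volatility(baseline_start, changes):
    """Volatility per period = (added + changed + deleted) / baseline at period start
    (an assumed, commonly used definition). The baseline is rolled forward by adds
    and deletes; changes leave the count as is.
    Returns [(quarter, baseline_at_start, volatility)], volatility rounded to 3 places."""
    baseline = baseline_start
    rows = []
    for quarter, added, changed, deleted in changes:
        rows.append((quarter, baseline, round((added + changed + deleted) / baseline, 3)))
        baseline += added - deleted
    return rows


def error_density(defect_count, sloc):
    """Defects per thousand source lines (KSLOC), rounded to 2 places."""
    return round(defect_count / (sloc / 1000.0), 2)


def _month_span(first, last):
    """Yield 'YYYY-MM' strings from the month of `first` through the month of `last`."""
    y, m = first.year, first.month
    while (y, m) <= (last.year, last.month):
        yield f"{y:04d}-{m:02d}"
        m += 1
        if m == 13:
            y, m = y + 1, 1


def pr_trend(prs):
    """Cumulative submitted and closed PR counts per month plus the open backlog.
    Returns [(month, cumulative_submitted, cumulative_closed, open)]."""
    submitted = Counter(s.strftime("%Y-%m") for _, s, _ in prs)
    closed = Counter(c.strftime("%Y-%m") for _, _, c in prs if c is not None)
    dates = [s for _, s, _ in prs] + [c for _, _, c in prs if c is not None]
    rows, cum_sub, cum_closed = [], 0, 0
    for month in _month_span(min(dates), max(dates)):
        cum_sub += submitted[month]
        cum_closed += closed[month]
        rows.append((month, cum_sub, cum_closed, cum_sub - cum_closed))
    return rows


def rising_backlog(trend, streak=2):
    """Months at which the open backlog has grown for `streak` consecutive months:
    the 'opening errors continue sharp climb' pattern the trending chart exposes."""
    flagged, run = [], 0
    for prev, cur in zip(trend, trend[1:]):
        run = run + 1 if cur[3] > prev[3] else 0
        if run >= streak:
            flagged.append(cur[0])
    return flagged


if __name__ == "__main__":
    for row in requirements_volatility(REQ_BASELINE_START, REQ_CHANGES):
        print("volatility", row)
    print("error density (per KSLOC):", error_density(len(PROBLEM_REPORTS), 12_500))
    trend = pr_trend(PROBLEM_REPORTS)
    for row in trend:
        print("trend", row)
    print("backlog rising for 2+ months at:", rising_backlog(trend))
```

On the constructed data the submitted line climbs at a steady two PRs a month while closures fall behind from June, so the backlog grows in two consecutive months and July is flagged; that is the point at which the acquirer's surveillance would ask the provider for a root-cause explanation rather than wait for the next status report.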
Supplementary Information
GSFC Contacts
Standard: Description
NASA-STD-8739.8: Software Assurance Standard
NASA-GB-A201: Software Assurance Guidebook
NASA-STD-8719.13: Software Safety Standard
NASA-GB-8719.13: Software Safety Guidebook
NPD 2820.1: NASA Software Policies
NPR 7150.2: NASA Software Engineering Requirements
ISO/IEC 12207:1995: Software Life Cycle Processes
IEEE Std 730-2002: IEEE Standard for Software Quality Assurance Plans
IEEE Std 982.1-1988: IEEE Standard Dictionary of Measures to Produce Reliable Software
SEI CMM: Software Engineering Institute Capability Maturity Model
SEI CMMI: Software Engineering Institute Capability Maturity Model Integration
Additional References
• Conte, S. D., Dunsmore, H. E., and Shen, V. Y., Software Engineering Metrics and Models, Benjamin/Cummings, 1986
• Leveson, Nancy G., Safeware: System Safety and Computers, Addison-Wesley, 1995
• Lyu, Michael R. (ed.), Handbook of Software Reliability Engineering, IEEE Computer Society Press / McGraw-Hill, 1995
• Schulmeyer, G. Gordon, and James I. McManus, The Handbook of Software Quality Assurance, Prentice Hall, 1999
• Kan, Stephen H., Metrics and Models in Software Quality Engineering, Addison-Wesley, 2002
Summary
Example SA Activities
More Keys…
• Assure that problems and risks are documented,
reported, addressed, and tracked to closure
• Prepare and maintain software assurance records
and status reports
• Capture Lessons Learned to improve the quality of
future products/services!
Backup Slides
Fundamental Differences
SQ
• Provides Center-level services
• Focuses on ALL Project software
• Emphasizes compliance to standards and procedures
• Reviews, monitors and audits all Project processes and products for completeness and accuracy
• Matrixed to the Project as part of the Project Team and provides daily insight/oversight
• Reports to Project and Center Director through S&MA
IV&V
• Provides Agency-level services
• Focuses on MISSION CRITICAL Project software
• Emphasizes completeness and correctness of the product
• Reviews, analyzes, and provides in-depth evaluations of life cycle products which have the highest risk
• Independent from the Project and provides analyses and evaluations per IV&V priorities
• Reports to Project, GPMCs, and NASA Headquarters