Safety Documents

IPT Guidance for Acquisition of Systems with Complex Programmable Hardware using DO-254 (January 2009) (36 Pages) Final

For UK military systems, the safety assurance of Complex Electronic Hardware (CEH) was specifically addressed by Def Stan 00-54 introduced in 1999. However, this standard was withdrawn in December 2004 and stated to be superseded by the much wider system level Def Stan 00-56 issue 3. The MoD intended that the less prescriptive approach to system safety assurance introduced by Def Stan 00-56 issue 3 would facilitate the development and certification of novel systems, including those with CEH.

The effect of this approach to safety assurance has been the removal of detailed guidance for the specification and procurement of safe CEH for UK military systems. For a rapidly developing technology, guidance is required for IPTs and suppliers and its omission may discourage the exploitation of CEH due to the perception of increased project risk.

To address this deficiency, this booklet aims to guide the procurement and acceptance of military avionic systems. It is based on the continuing technical advances that are being made in electronic system design and the capabilities of Programmable Logic Devices (PLDs).

The guidance concentrates on the process by which a strategy to achieve the required Design Assurance for these devices can be developed and implemented.

The basis of this guidance is that the DO-254, Design Assurance Guidance For Airborne Electronic Hardware, civil guidance produced to aid the certification of systems and equipment for civil aviation can be adapted for military acceptance.

The July 2008 version of the guidance, containing additional appendices, can be found here.

Safety Analysis Strategy Guidance for a Previously Developed System (PDS) (September 2008) (48 Pages) Final
In its procurement strategies, the MoD has consistently recognised the potential benefits of the use of a Previously Developed (Deployed) System (PDS) compared with a bespoke development. These potential benefits include lower cost and reduced project risk as well as faster deployment. As well as the re-use of military systems, the MoD is striving to be as commercial as possible, military as necessary by encouraging the greater use of commercially available equipment and,
where appropriate, adopting commercial standards and guidelines. Consequently, the use of systems previously developed and used in civil applications is becoming increasingly common in military procurements.

The benefits of procuring PDSs have not always been realised due to lack of proper consideration of the differences in the proposed use of the system compared with its previous application(s). These problems tend to be revealed late in the programme when unplanned rework and testing is expensive.

The guidance presented is for general application and may be used to develop procurement requirements, acceptance criteria and help IPTs assess proposed solutions. The aim of this document is to provide IPTs with guidance to address the safety aspects for the following:

1. Procurement of a system consisting of, or adapted from, a PDS for incorporation into a military platform (sometimes referred to as the 'overall system').

2. A proposed platform modification based on the integration of a PDS which, it is claimed, has been installed and deployed safely in other similar platforms and/or operating environments.

The Certification of Systems containing Software developed using RTCA DO-178B - ERA Report 2006-0036 (June 2006) (75 Pages) Final
Much of the avionics software now procured from the US has been previously developed to RTCA's DO-178B. However, in order to gain certification for use in a UK military application, much additional work appears to be required before a RTS can be provided.

The perceived weaknesses of DO-178B are investigated and outline approaches to certification for UK military applications are investigated that could overcome identified shortcomings.

ASSC C++ Strategy Paper - ERA Report 2005-0293 - (July 2005) (26 Pages)
The use of C++ for safety related and safety critical defence applications is becoming more prevalent. Certification of these applications is being carried out on a case-by-case basis. In order to reduce costs the MoD need to define a universal process for practitioners and assessors of these systems. It is therefore considered necessary for a guidance document to be produced for the practitioners of C++ for safety related and safety critical defence applications.

ASSC/330/2/135-Issue 1 : Safety critical software standards survey and summary (Apr 96) (48 pages)
A literature search has been carried out for standards relating to the development of safety critical software. A total of approximately forty standards were found, including those concerned with the safety certification of programmable system as well as those covering software development.

Standards in five industry sectors were selected. The sectors are UK and US defence, civil aerospace, European rail transport and nuclear power. The applicable standards in each sector were summarised. Each summary uses the same headings so that the standards can be compared.

A notable standard covering safety critical software is draft IEC 1508, 'Functional Safety - Safety-Related Systems'. This is a generic standard, which is designed to be adapted to each industry sector. IEC 1508 not one of the standards selected for summary in this report, because of its complexity. However, the selected European railway standard, although based on an earlier draft of IEC 1508, is an example of an industry specific adaptation of IEC 1508.

ASSC/310/2/28-Issue4 : Issues in the standardisation of hardware for high integrity systems for application to avionics systems (Apr 95) (10 pages)
 The use of programmable digital hardware in high integrity systems has been increasing over the past ten years. Reasons for this include ease of use, adaptability, physical stability, potential for built-in integrity, etc. Areas where digital technology has been applied include fly-by-wire aircraft control systems, autonomous robotics and command and control systems.

The development of software for safety critical systems has been addressed at many levels and is the subject of standardisation activities sponsored by the UK MoD with Def Stan 00-55, the FAA in the US with RTCA 178, and the US DoD with DOD STD-2167A. These activities address software solely. The concept of the system and the use of a system wide approach to high integrity is given little or no concern. This is especially true for hardware.

The use of hardware in high integrity systems is usually decided at the requirements capture stage in the system life cycle. It will always be a system issue rather than isolated to individual components of the hardware. The techniques available for hardware are seen in this document in the context of the system as a whole and are not considered in isolation. It is important that all the individuals involved in the project realisation have a coherent view of the fault tolerance philosophy adopted. Establishing this philosophy at the outset of a project can be viewed as a risk reduction process.

Point of contact: Kevin Moore
Tel: +44 (0) 1372 367141
E-mail:era.assc@cobham.com

© 2009 Cobham Technical Services, Cleeve Road, Leatherhead, Surrey. KT22 7SA UK.
Tel: +44 (0) 1372 367000 | Fax: +44 (0) 1372 367099
All rights reserved. All trademarks acknowledged.
Cobham Technical Services Privacy Statement | Legal Notice