MoM SW criticality CRs meeting 251013 final

ECSS SW criticality CRs meeting minutes
final - 20 November 2013
EUROPEAN COOPERATION FOR SPACE STANDARDIZATION
Minutes of Meeting on Software Criticality CRs (Q-30/Q-40/Q-80)
held at ESA HQ, 25 October 2013
Participants
Mr. L. Bianchi – Q-40 DiFP (ESA)
Mr. JP. Blanquart – RAMS-Dependability (Astrium) – by teleconference
Mr. G. Crivellari – Eurospace Representative – ECSS TA (TAS)
Mr. D. Demarquilly – Q-30 DiFP (TAS)
Mr. E. Gonzalez-Conde – ESA Representative – ECSS TA (ESA)
Mr. JY. Heloret – TAAR Q-40 – ECSS TA (Astrium)
Mr. JP. Hulier – TAAR Q-80 – ECSS TA (Astrium)
Mr. D. Moretti – SW Product Assurance (ESA)
Mr. G. Moury – TAAR Q-30 – ECSS TA chairman (CNES)
Mr. L. Winzer – Q-80 DiFP (ESA)
1. Agenda
1) Rationale and content of the proposed CRs
2) Q-30/Q-40/Q-80 interdiscipline discussion on the opportunity, objectives and impacts of this
redefinition of SW criticality levels
3) Decision on a way forward to disposition/implement the Software Criticality CRs in the 3
disciplines
2. Rationale and content of the proposed CRs
Mr. D. Moretti and Mr. L. Winzer summarized the rationale and content of the proposed CRs. The
presentation made at the ECSS TA was not repeated since it was known by all participants (see
attachment 1). The 3 CRs related to Q-30, Q-40 and Q-80, together with their associated version of the
redlined standard, are in attachment 2.
Mr. JP. Blanquart made a presentation by teleconference (see attachment 3) commenting on the
proposed CRs.
The main points from his presentation were the following:
o Proposed CRs introduce a dissymmetry between “software” and “hardware/operations”
with regard to criticality level determination and compensating provisions (criticality level
of SW can be downgraded by compensating provisions, contrary to HW/operations). This
dissymmetry is not justified since compensating provisions could also be considered for
HW/operations.
MM. Winzer and Moretti did not disagree, but stated that they were tasked only to cover
SW.
o Generic criteria for acceptability of compensating provisions should be specified rather
than a limited list of compensating provisions as proposed in table 5-3 (Q-30 CR) and table
6-3 (Q-40 CR).
Other remarks/questions were also discussed:
o Can downgrading of criticality levels be performed iteratively? (In aeronautics (DO-178,
DO-254) this is not allowed.) This should be clarified.
o Justification is needed for the requirement forbidding any common mode failure
between SW and associated compensating provisions.
o Need for a clarification/homogenization of definition/terminology for: “compensating
provisions”, “failure propagation” (Q-30).
o Justification is needed for requiring at least 3 independently developed versions of the SW to
downgrade the SW criticality category.
o It was agreed that re-categorization of SW criticality is a common practice in space
projects, and therefore clear rules should be established to avoid long discussions leading to
possible downgrading of categories. However, it was also agreed that, when establishing
such rules, the maximum effort shall be made to minimize changes to existing standards.
o To the question of possible objections of the Launch Authority when downgrading the
criticality level, Mr. Moretti responded that he has already checked the relevant CNES
requirements, and they do not prevent the approach followed in the proposed CRs.
Mr. D. Demarquilly made some clarifications regarding Q-30:
o The criticality for HW is the combination of severity (of the most critical function
implemented) with a suffix S/R (for Single point failure / Redundant) that makes it possible to
take into account the most common compensating measure for HW, i.e. redundancy.
o The criticality level for HW is not used for determining the level of quality assurance
that will be applied to the unit (as is done for SW, where it determines the requirements to be
applied in terms of testing/validation (applicability matrix of Q-80 based on SW criticality)).
The lack of an ECSS Handbook on functional analysis/decomposition in support of Q-30/Q-40/Q-80
and system engineering standards was mentioned, hierarchical functional analysis being necessary to
refine criticality analyses. It was clarified that in the past this document existed (ECSS-E-10-05A), but
since it contained guidelines rather than verifiable requirements, it was dropped when issue C was
released.
3. Q-30/Q-40/Q-80 interdiscipline discussion on the opportunity, objectives and impacts of this
redefinition of SW criticality levels
There was a consensus on the opportunity/need to redefine/refine SW criticality levels so as to take
into account compensating measures. This redefinition has the advantage of aligning ECSS standards
with current practice in projects, where criticality levels of SW do take into account compensating
measures, but this is subject to deviations with regard to ECSS Q-80.
Discussion was then focused on how best to implement that redefinition/refinement:
o Planning: is this modification needed urgently (i.e. before issue D)?
  - Issue D being scheduled no sooner than 2016-2017, it was felt that this modification
was needed earlier since over-specification of SW criticality levels could have
significant cost impact on projects (e.g. between category B and C), also generating
RIDs, discussions, etc. when projects ask for derogations to ECSS requirements when
downgrading SW criticality with compensations.
  - Moreover, the Q-30 standard is scheduled to be revised next year to include a pre-tailoring
matrix versus product type.
o Compatibility of this change with launcher authority safety rules:
  - No incompatibility a priori, but the presentation should emphasize the fact that the overall
criticality category of the SW product is not downgraded but only the criticality level
of some of its components, e.g.:
    - Monitor/inhibit components keep the criticality level of the overall SW
    - Only failure-protected components get a lower criticality level
o Definition of acceptable compensating measures:
  - Rather than listing examples of acceptable compensating measures (as proposed in the
CRs), some of the participants suggested trying to define generic specifications for
acceptable compensating measures. In any case, a clear and homogeneous (among Q-30/Q-40
and Q-80) definition of compensating provision should be provided.
4. Decision on a way forward to disposition/implement the Software Criticality CRs in the 3
disciplines
Creating a joint Q-30/Q-40/Q-80 WG to revise the 3 standards coherently was considered impractical
given the predictable size of this WG gathering specialists from the 3 disciplines coming from the
various ECSS members. It was therefore decided to create a dedicated TA Task Force with a limited
number of key persons and the following mandate:
o Elaborate a solution for implementing coherently this SW criticality level
redefinition/refinement in the Q-30/Q-40/Q-80 standards with the following objectives:
  - Minimize impact on existing standards
  - Maximize genericity of modifications, in particular with regard to compensating
measures
o Make recommendations, as appropriate, to improve the ECSS system with regard to
criticality analyses and criticality level usage
o Draft NWIPs for each of the WGs (Q-30, Q-40, Q-80), giving a clear scope to each group
with respect to SW criticality level redefinition
o Refine ESA CRs on Q-30/40/80 as needed to reflect the solution selected. Those modified
CRs will be the input to the 3 WGs.
In terms of participation, it was decided to aim for at most 8 participants + 1 chairman with the
following repartition:
o 4 from industry covering the 3 disciplines
o 4 from agencies covering the 3 disciplines (tentatively two from ESA, one from CNES
and one from DLR [TBC at next TA]).
o 1 chairman: the proposal is Mr. L. Winzer (ESA), who has led the effort within ESA that
produced these SW criticality CRs.
In terms of planning, the target is a maximum of 6 months with typically 2 x 2-day meetings over the
period.
The TA Chair is tasked to draft the charter of the above-mentioned TF.
LIST OF ATTACHMENTS
Attachment 1. ESA presentation of SW criticality CRs
Attachment 2. Q-30/Q-40/Q-80 CRs and associated redlined version of the standard
Attachment 3. ASTRIUM presentation (JP. Blanquart)