Framework For Safety Critical System Software

Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-4 , June 2021, URL: https://www.ijtsrd.compapers/ijtsrd43652.pdf Paper URL: https://www.ijtsrd.comengineering/aerospace-engineering/43652/framework-for-safety-critical-system-software/savitha-a

Uploaded by

Editor IJTSRD
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
89 views

Framework For Safety Critical System Software

Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-4 , June 2021, URL: https://www.ijtsrd.compapers/ijtsrd43652.pdf Paper URL: https://www.ijtsrd.comengineering/aerospace-engineering/43652/framework-for-safety-critical-system-software/savitha-a

Uploaded by

Editor IJTSRD
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

International Journal of Trend in Scientific Research and Development (IJTSRD)

Volume 5 Issue 4, May-June 2021 Available Online: www.ijtsrd.com e-ISSN: 2456 – 6470

Framework for Safety Critical System Software


Savitha. A, Sudeesh B
Reliability and Quality Assurance Software Group, ISRO Satellite Center, Bangalore, Karnataka, India

ABSTRACT

U R Rao Satellite Centre (URSC) is the lead centre of the Indian Space Research Organisation in the development and operationalisation of satellites for communication, navigation and remote sensing applications. It has also launched many interplanetary missions. Now the execution of "GAGANYAAN" is planned in a phased manner. In the initial phase, test vehicles will be used to demonstrate the abort capability during different phases of the mission, i.e. development & qualification testing of the Crew Escape System (CES) and recovery. Subsequently, two unmanned flights are planned prior to human spaceflight to demonstrate the manned mission capabilities. As humans are involved, software safety plays a critical role. Presently ISRO has the ISRO Software Process Document (ISPD), based on the IEEE 12207:2015 framework, for software life cycle activities. For the Gaganyaan project, taking safety into account, an additional software safety standard has been brought out based on DO-178C. To develop and certify safety critical software, the ISRO software control board has brought out the ISRO software safety standard for a transition from mission critical software to safety critical software development. This paper discusses how to incorporate the safety and security standard in addition to the existing ISPD standard.

KEYWORDS: ISRO Software Safety Standard (ISSS), Preliminary Hazard Analysis (PHA), SubSystem Hazard Analysis (SSHA), ISRO Software Process Document (ISPD), Software Fault Tree Analyses (SFTA), Software Failure Modes and Effects Analyses (SFMEA), Software Certification Process (SCP), Software Hazard List (SHL), Independent Verification and Validation (IV&V)

How to cite this paper: Savitha. A | Sudeesh B "Framework for Safety Critical System Software" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-4, June 2021, pp.1541-1544, URL: www.ijtsrd.com/papers/ijtsrd43652.pdf

Copyright © 2021 by author(s) and International Journal of Trend in Scientific Research and Development Journal. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (CC BY 4.0) (http://creativecommons.org/licenses/by/4.0)

I. INTRODUCTION
To have a uniform engineering standard across all centres of ISRO, ISRO brought out its Software Engineering Standard called ISES 92 (ISRO Software Engineering Standard) in 1992 [1]. All centres of ISRO followed this standard for software development and implementation. Later ISES-92 was revisited as the complexity of software had increased, many fault tolerant features were considered for the design and many autonomy features were incorporated. Subsequently the ISRO Software Control Board (ISCB) came into existence, which brought out the "ISRO Software Process Document" (ISPD). It acts as an implementation guide in line with IEEE-12207 for all centres of ISRO. ISPD provides an excellent framework for development, verification and validation of mission critical software.

There are different classes of software used in different centres of ISRO. ISPD Issue-1 was released to use a common standard in all centres for implementing IEEE 12207:1996. The focus of ISPD was mainly on the software life cycle activities followed for the different categories of software, such as onboard software, Checkout & Simulation software, Launch Operations Support & Test Facilities software, Image/data processing software, Mission design software and many more. The main focus was on software requirements, design, implementation, software verification and validation, maintenance and configuration management.

ISPD Issue-2 is a revised version of ISPD Issue-1. This version was introduced to achieve a fully integrated suite of system and software life cycle processes. It included new categories of software like spacecraft operations software, FPGA design and system software. It addressed some more processes like risk management, knowledge management, system analysis, decision management etc.

As far as safety and security are concerned for the Gaganyaan mission, ISPD Issue-2 has been augmented with many more features addressing safety, security and the certification process. The ISRO Software Control Board has made a comprehensive study of all applicable international standards and has generated the first issue of the ISRO Software Safety Standard (ISSS). It will be used by all software teams across all centres of ISRO to realise safety critical software and to achieve zero defects in space systems.

The purpose of this standard is to enable the project team, software development and implementation team, independent verification and validation team, QA teams, review teams and certification team to carry out the software life cycle activities necessary to ensure that acquired or developed software has the required safety and security features, and to certify the software for its end use. This standard is applicable to all the software categories described in ISPD Issue-2 and to any software used for a safety critical mission, which is classified as Catastrophic, Major or Minor based on the Preliminary Hazard Analysis at system level and software subsystem level. Figure 1 explains the software life cycle process for safety critical software.

@ IJTSRD | Unique Paper ID – IJTSRD43652 | Volume – 5 | Issue – 4 | May-June 2021 Page 1541
Figure 1: Software life cycle process for safety critical software

II. PROCESSES FOR SAFETY CRITICAL SOFTWARE
The software life cycle processes are categorized into Agreement Processes, Organisational Project-Enabling Processes, Technical Management Processes and Technical Processes.
A. Agreement Processes
B. Organisational Project-Enabling Processes
C. Technical Management Processes
D. Technical Processes

A. Agreement Processes
The Agreement processes specify the requirements for the establishment of agreements between suppliers and acquirers. These processes are executed through the purchase procedure between the acquisition and supply processes for the establishment of expectations and responsibilities related to software assurance, including legal requirements, licensing requirements and many more. In the acquisition process the project requirements are met, and in the supply process these requirements are serviced.

B. Organisational Project-Enabling Processes
The Organisational Project-Enabling processes are concerned with meeting the project requirements by providing the resources required. They include the life cycle management process, infrastructure management process, portfolio management process, human resource management process, quality management process and knowledge management process. Each has separate activities, all of which hold good for a safety critical system.

C. Technical Management Processes
These processes are used to establish and perform technical plans for the project. The activities are carried out as per the plan, depending on the risk and complexity of the project. The technical management processes are the Project Planning Process, Project Assessment and Control Process, Decision Management Process, Risk Management Process, Configuration Management Process, Information Management Process, Measurement Process, Quality Assurance Process and Certification Process. For safety critical software the last process, the certification process, has been added. In this process certification is issued based on the project plans, according to whether all activities are carried out or not in each phase of the SDLC. There is a separate board for certification which will audit and issue the certificate at each stage of the project development life cycle.

D. Technical Processes
The Technical processes outline the activities that shape the services to possess the timeliness and convenience, the cost effectiveness, and also the practicality, maintainability, usability and other quality metrics needed. The processes are the business or mission analysis process, stakeholder needs and requirements definition process, system/software requirements definition process, architecture definition process, design definition process, system analysis process, and so on. For safety critical software two new processes, the safety process and the security process, have been added.

III. SOFTWARE SAFETY ASSURANCE PROCESS
The software safety assurance process is to identify the safety functions in the system requirements for hardware, software and firmware. Based on this identification the safety functions are mapped to the requirements, design, implementation and test cases. The safety assurance process ensures the requirements are classified as safety critical and non-safety critical, and ensures the safety requirements are correctly implemented with all the failure conditions accommodated. This process also ensures the functionality is met at the specified time or sequence with predefined conditions, correctly, with fault detection, isolation, tolerance and recovery.

The level of safety is defined through the preliminary hazard analysis and the software subsystem hazard analysis. PHA defines the overall hazards of the system. Later they are categorized as software critical and hardware critical. The software critical hazards are categorized early in the software development life cycle. The hazards can be in the design or in the operational concept. Those hazard causes residing in the software component become the subject of the software subsystem hazard analysis.

The PHA and the SSHA categorize the safety critical software into 3 categories.
1. Catastrophic
System/Software whose failure will result in loss of life, loss of mission or serious injury to the crew.
2. Major
System/Software whose failure will result in partial disabilities, injuries or a large reduction in the mission functionalities.
3. Minor
System/Software whose failure will result in mission degradation or discomfort leading to physical distress to the crew, possibly causing minor injury.

Once the software is categorized as safety critical, the Software Fault Tree Analyses and Software Failure Modes
and Effects Analyses will help to determine the critical failure conditions.

IV. SOFTWARE SECURITY ASSURANCE PROCESS
Software Security Assurance is the process to ensure that the software is designed with security requirements and coding is done as per secure guidelines. Security testing is carried out in a safe, secure environment and vulnerability assessment is done. Periodic review of security threats and secure release is most important for secure software. The process should take care of misuse of data, misuse of resources, inaccuracy and any potential harm to the system. This process removes any vulnerabilities during implementation of the design, testing, deployment and during the operation and maintenance processes. Most important is that any new changes to the existing requirements will not create any vulnerabilities.

V. SAFETY CRITICAL SOFTWARE PROCESS FLOW
The safety critical software process flow activities are carried out in each phase of the software development life cycle. The software requirements definition process, design process, implementation process, integration, verification and validation process, operation process and maintenance process are all discussed in detail. Each process is discussed with inputs, activities/tasks and safety specific activities, with the output in each phase. The safety critical software specific activities process flow in software requirements is depicted in Figure 2, along with inputs, activities and outputs.

Figure 2: Software Certification Process Phase-1

Bi-Directional Traceability ensures that at each phase of the software development life cycle all functions are implemented as expected and the right products are produced at the output of each phase along with results and reports. It ensures the link from one phase of the SDLC to another phase; it traces in both the forward and backward direction. Figure 3 shows the Forward and Backward Traceability during the life cycle process.

Figure 3: Forward and Reverse traceability

The forward traceability will trace each unique requirement to the design, the design to code, and the code to the test results and the verification and validation mechanism. The backward traceability ensures that each work product is implemented as per requirements and the requirements are traced back to the sources of the requirement.

VI. SOFTWARE CERTIFICATION PROCESS
Software certification has four audit phases. It will ensure that safety and security are taken care of and implemented in all phases of the software development life cycle. It will issue the certificate at the end of the process. The certification team will ensure the following activities are carried out.
A. Pre-audit Meeting and preparation of the checklist for the certification process
B. The Certification Audit team shall audit the activities carried out in each phase of the SDLC
C. A Certification Phase Audit Report will be generated for the audit findings
D. Non-Conformance Management
E. For new and modified requirements, the re-certification activities will be carried out

Figure 4 shows the four certification processes in each phase of the software development life cycle.

Figure 4: Four Phases of Certification process

A. Software Certification Process Phase 1
This phase is the first phase of the certification process, which comes at the project planning phase. The main goals are to ensure all plans, standards, guidelines and policies are established. Plans like the software certification plan, software development plan, software configuration management plan, verification and validation plan, safety plan etc. are generated. Hazard analysis reports and the certification phase readiness report are available. The audit team will audit and ensure all reviews are carried out and minutes are available. If the certification team is satisfied it will issue the certificate; else, if any non-conformances are there, they have to be resolved.
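The bidirectional traceability described in Section V and the PHA/SSHA hazard classes of Section III can be checked mechanically. The script below is an added example, not code from the paper or from ISRO: it builds the requirement -> design -> code -> test chain from a constructed link list, reports forward gaps (requirements that never reach a test) and backward orphans (design, code or test items that trace to no requirement), and then filters the forward gaps to requirements carrying a hazard class. All identifiers (SRS-, SDD-, SRC-, TST-), link data and function names are assumptions made for the example.

```python
"""Bidirectional traceability check over a constructed artifact graph.

Added example (not from the paper or ISRO): it follows the chain the paper
describes, requirement -> design -> code -> test, and the PHA/SSHA hazard
classes (Catastrophic, Major, Minor). Artifact identifiers, link data and
function names are assumptions made for the example.
"""
from collections import defaultdict

# Artifact kinds in forward order, as the paper's traceability chain runs.
CHAIN = ["requirement", "design", "code", "test"]

# Constructed sample artifacts: id -> (kind, hazard class or None).
ARTIFACTS = {
    "SRS-001": ("requirement", "Catastrophic"),  # e.g. abort command handling
    "SRS-002": ("requirement", "Major"),
    "SRS-003": ("requirement", "Minor"),
    "SRS-004": ("requirement", None),            # non-safety requirement
    "SDD-010": ("design", None),
    "SDD-011": ("design", None),
    "SRC-100": ("code", None),
    "SRC-101": ("code", None),
    "SRC-199": ("code", None),                   # no requirement behind it
    "TST-500": ("test", None),
    "TST-501": ("test", None),
}

# Constructed sample links (source, target), each a step along CHAIN.
LINKS = [
    ("SRS-001", "SDD-010"), ("SDD-010", "SRC-100"), ("SRC-100", "TST-500"),
    ("SRS-002", "SDD-011"), ("SDD-011", "SRC-101"),   # SRS-002 stops at code
    ("SRS-004", "SDD-011"),                           # shares SDD-011
    ("SRC-199", "TST-501"),                           # orphan code and test
    # SRS-003 has no links at all.
]


def build_index(links):
    """Adjacency sets in both directions."""
    fwd, bwd = defaultdict(set), defaultdict(set)
    for src, dst in links:
        fwd[src].add(dst)
        bwd[dst].add(src)
    return fwd, bwd


def _reachable_kinds(start, adjacency, artifacts):
    """Set of artifact kinds reachable from start by following adjacency."""
    seen, frontier, kinds = {start}, {start}, {artifacts[start][0]}
    while frontier:
        nxt = set()
        for node in frontier:
            for other in adjacency[node]:
                if other not in seen:
                    seen.add(other)
                    nxt.add(other)
                    kinds.add(artifacts[other][0])
        frontier = nxt
    return kinds


def forward_gaps(artifacts, links):
    """Requirements that do not reach every downstream kind in CHAIN.

    Returns {requirement_id: [missing kinds in chain order]}.
    """
    fwd, _ = build_index(links)
    gaps = {}
    for aid, (kind, _) in artifacts.items():
        if kind == "requirement":
            reached = _reachable_kinds(aid, fwd, artifacts)
            missing = [k for k in CHAIN if k not in reached]
            if missing:
                gaps[aid] = missing
    return gaps


def backward_orphans(artifacts, links):
    """Design, code or test items with no path back to any requirement."""
    _, bwd = build_index(links)
    return sorted(
        aid for aid, (kind, _) in artifacts.items()
        if kind != "requirement"
        and "requirement" not in _reachable_kinds(aid, bwd, artifacts)
    )


def safety_critical_gaps(artifacts, links, classes=("Catastrophic", "Major", "Minor")):
    """Forward gaps restricted to requirements carrying a PHA/SSHA class."""
    return {aid: missing for aid, missing in forward_gaps(artifacts, links).items()
            if artifacts[aid][1] in classes}


if __name__ == "__main__":
    for req, missing in forward_gaps(ARTIFACTS, LINKS).items():
        print(f"forward gap: {req} has no {', '.join(missing)}")
    for orphan in backward_orphans(ARTIFACTS, LINKS):
        print(f"backward gap: {orphan} traces to no requirement")
    print("safety-critical gaps:", safety_critical_gaps(ARTIFACTS, LINKS))
```

On the constructed data the forward check reports SRS-002 and SRS-004 without a test and SRS-003 with nothing downstream, while the backward check reports SRC-199 and TST-501 as orphans; an auditor in certification Phase 2 to Phase 4 would raise each of these as a non-conformance. Passing `classes=("Catastrophic",)` narrows the report to the highest hazard class only.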
B. Software Certification Process Phase 2
This phase is during the requirements phase of the software development life cycle. The main goal is to ensure that the software requirements comply with the requirement standards, along with compliance of the life cycle plans and reviews. Traceability is established between system and software requirements. The audit team will verify all the review records, plans and traceability carried out.

C. Software Certification Process Phase 3
This phase is during the design review and code review phase. The main objective is that the software design complies with the design standard and the code is developed as per the coding guidelines. Traceability is established between requirements and design and to code. All the design reviews and code inspections shall be carried out. The audit team will verify that the design is as per design guidelines and the code is as per coding guidelines, else non-conformances will be raised. The audit team will ensure all design reviews are carried out and minutes of the meetings are available.

D. Software Certification Process Phase 4
Phase four of certification is in the validation and final certification phase. The certification team will ensure all the verification and validation activities are completed, along with completion of all the activities of the SDLC. Bidirectional traceability is established. Independent verification and validation are carried out. Robustness and functionality testing is carried out as per the plan. Results are available and the test results review is carried out. The final product meets all its requirements, taking care of safety and security. The certification team will ensure no open issues remain before issuing the final certificate.

VII. CONCLUSION
This paper discusses the two well established industry software development standards, IEEE/EIA 12207 and RTCA DO-178C, for computer-based software systems. Our existing process will be much more rigorous by practicing this standard. This standard is applicable for all safety critical software used for space applications. It is applicable not only to onboard software but to all the software like mission operation software, ground software used for testing the spacecraft, legacy software and commercial off-the-shelf software, and to the qualification of tools used in safety critical systems.

ACKNOWLEDGMENT
We wish to convey our gratefulness to all our colleagues in the Reliability and Quality Assurance Software Group, all the members of the ISRO software control board and other colleagues from other centres of ISRO for their support.

REFERENCES
[1] Space product assurance - FMEA/FMECA analysis, ECSS-Q-ST-30-02C.
[2] ISRO-DOS Committee for Software Engineering Standards, ISRO Software Engineering Standard (ISES-92), ISRO, May 1992.
[3] IEEE/EIA 12207.0-1996 (ISO/IEC 12207), Standard for Information Technology – Software Life Cycle Processes.
[4] MIL-STD-1629, "Procedures for Performing a Failure Mode and Effect Analysis".
[5] NASA Software Safety Guidebook, NASA-GB-8719.13.
[6] ISRO Software Control Board, ISRO Software Process Document, ISRO-SES-PD-100 Issue-1.
[7] IEEE/EIA 12207.1-1996 (ISO/IEC 12207), Standard for Information Technology – Software Life Cycle Processes – Life Cycle Data.
[8] RTCA DO-178C, Software Considerations in Airborne Systems and Equipment Certification.