Time: 2011-08-28 16:20  Source: 蓝天飞行翻译  Author: 航空

A point to note is that because different barriers protect against different forms of interference, it is entirely possible that the System may be nominally partitioned into one set of software architectural units with respect to one form of interference and into a different set of software architectural units for another form of interference. A consequence of this is that an element may belong to more than one software architectural unit. For example, an element may be adequately protected from corruption of input data by the protocol implemented on the element's interface; in this case the software architectural unit is the element, with the implementation of the protocol as the barrier. The same element's access to resources such as memory and CPU may, however, be protected by the operating System, which also provides the same protection to all the other elements on the Equipment; in this case the software architectural unit is all the elements on the Equipment, with the operating System acting as the barrier.
See Appendix A section 4. 
Software Error  A software fault that has been triggered which results in the program deviating from the design intent. 
Software Failure  The inability of a program to perform a required function correctly. 
Software Fault  A defect in the program code and the primary source of a software failure. 
Software Safety Requirements  Those requirements that define the safety behaviour of the software. Each Software Safety Requirement is specified in terms of the Behavioural Attributes. 

Statement  A claim. 
Static analysis  A means of determining certain properties of a program without executing it on a computer. These properties may include aspects of functional behaviour, timing and resource usage. Forms of static analysis include control flow, data flow, information flow, semantic and compliance analysis which are defined elsewhere in these definitions. 
System Safety Requirements  Those requirements that define the safety behaviour of the System. Each System Safety Requirement is specified in terms of the Behavioural Attributes. 
Timing Properties  The time allowed for the software to respond to given inputs or to periodic events, and/or the performance of the software in terms of transactions or messages handled per unit time. 
Total service time  The total service time for a (software) system is measured by adding together the total time that each example of the system has been in service (thus if 50 systems of the same type and model have been in service without revealing any dangerous failures for two years, the total operational experience can be regarded as 100 years or approximately 10^6 hours). 
Validity  Sound or defensible. Executed with the proper formalities. 
Abbreviations 
AEL  Assurance Evidence Level 
DRACAS  Defect Reporting, Analysis and Corrective Action System 
FMEA  Failure Modes and Effects Analysis 
IEC  International Electrotechnical Commission 
SI  Safety Integrity 

 

Appendix D to SW 01 - Derivation of Safety Objectives
The Regulator is required to set objective safety goals which do not remove the Regulatees’ freedom of solution by prescribing the means of compliance. The top-level safety goal for software used in CNS/ATM systems states that the Regulatee is:
G1. To ensure that the risks in deploying any software used in a safety related CNS/ATM system have been reduced to a tolerable level.
NOTE:  For the purposes of this section Gn denotes a Safety Goal and Gn.n denotes a Safety Sub-Goal to be met by the Regulatee.
The Air Navigation Order gives the Regulator the responsibility to be assured that the Regulatee is meeting the above goal (G1). Consequently it is the responsibility of the Regulatee to present a claim that the safety goal has been achieved and to convince the Regulator that it is true. It is not the responsibility of the Regulator to construct the claim on behalf of the Regulatee. Hence the Regulator requires the Regulatee to demonstrate accomplishment of G1. For accomplishment of G1 to be demonstrated to the Regulator it is necessary:
Link to this article: CAP 670 Air Traffic Services Safety Requirements 1(88)