[SystemSafety] EASA Notice of Proposed Amendment 2014-13

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Tue Jul 22 13:21:17 CEST 2014



On 2014-07-22 10:39 , Martyn Thomas wrote:
> It's worth a look.

Some more background. Maybe John Spriggs will have something to say, since he is involved in
discussions about possible new regs.

There is a Commission Regulation 482/2008 establishing a software safety assurance system. John S.,
Andrew Eaton of the CAA and I had some interaction in late 2011-early 2012 about Mandate 390 and a
proposed European Norm (EN) to implement it, based on EUROCAE ED-153. ED-153 is, in my judgement and
that of colleagues, technically flawed; we thus recommended against the proposed EN. I contacted
Andrew and John Penny; John was seconded to EASA and I am now guessing why. Andrew suggested that
EASA was working on material which would replace 482/2008, and I imagine this NPA does just that, while
being more extensive (dealing with systems, conglomerations of components, and not just SW).

Mandate 390 says "develop software assurance levels and a means of assigning them", which ED-153
tried to do (and in our opinion failed). NPA 2014-13 does not do that either, as far as I can tell.
Our German committee DIN NA 131-05-02-01 NA is trying to do that, but to my mind we are not
sufficiently far along to meet a notional deadline of end of summer 2014 for a draft. The committee
is international; I invited John Spriggs, and Ron Pierce has taken an interest (he wrote material
with Derek Fowler on possible application of the IEC 61508 concepts to ATC/ATM). Herbert Bachmayer
of Austrocontrol is a regular participant, as is Hans de Haan of Eurocontrol; John S. is involved in
e-mail discussions.

Any notion of defining SWALs with an assignment process, that is, of satisfying Mandate 390, will
need to take account of what is proposed in NPA 2014-13, to ensure it is consistent with it - it
would be daft to have an EN that is inconsistent with a regulation or its guidance. And it will take
a while for us to digest NPA 2014-13, so end August seems out as any kind of deadline.

The other big question for our committee is, I think, ISO/IEC 15026-3, which defines system
integrity levels, and I don't think we have really discussed this in detail yet. One wonders, for
example, whether a SWAL should be different from a SW-SIL. One could well argue that a SWAL and its
assignment corresponds to the first of three required "work products" of a SIL system (15026-3:2011
6.6(a)). We'll see, I guess.

I invite anyone with expertise in software-based ground-based air traffic systems who is interested
in these issues to get in touch.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
