Certification Chapter 14, Storey
Topics
• What is certification?
• Various forms of certification
• The process of system certification (the planning and negotiation necessary for certification)
• Nature of the safety case needed to support this process
• Standards and guidelines
Certification
• The process of issuing a certificate to indicate conformance with a standard, a set of guidelines or some similar document.
• Often carried out by government bodies, or organisations with national standing, to indicate acceptability with respect to specific criteria.
  • Military projects: Ministry of Defence in the UK, Department of Defense in the US.
• May also be performed by companies in relation to their suppliers or subcontractors.
• Many industries have a regulatory authority that governs all projects within that sector:
  • Civil aircraft: Civil Aviation Authority in the UK, Federal Aviation Authority in the US.
  • Similar regulatory authorities exist in many sectors, including the nuclear, gas supply, rail and mining industries.
How to achieve certification – an overview
• In order to achieve certification, the developer of a critical system or product must convince the appropriate regulator of its safety. The developer must:
  • show that all important hazards have been identified and dealt with;
  • show that the integrity of the system is appropriate for the application;
  • in some cases, provide evidence of compliance with some particular standard (although such compliance is not in itself sufficient proof of the appropriateness of the design);
  • provide extensive evidence of the development methods used and the testing performed;
  • provide a rigorous argument to support the claim that the system is sufficiently safe.
• Certification is not a discrete activity that occurs at the end of the development process. In fact, it is an ongoing activity that requires careful planning and negotiation throughout a project.
Various forms of certification
• Certification may be applied to:
  • organisations or individuals
  • tools or methods
  • systems or products (*)
Certification of organisations and individuals
• An organisation may seek certification from a regulatory authority as a means of establishing its competence in specific areas, e.g.:
  • quality assurance (BS 5750 or ISO 9000)
  • testing
• Certification is also applied to individuals in many industries:
  • doctors, accountants and welders normally require certification in order to practise their professions.
• Unfortunately, certification may show a general level of training but does not indicate suitability for a given job.
Certification of tools and methods
• The tools and development methods used in a safety-critical system play an important role in determining its performance.
• Several standards therefore place restrictions on the tools and methods that may be used:
  • Defence Standard 00-55 dictates that several development techniques are mandatory within the development lifecycle and places integrity requirements on all support tools.
  • IEC 61508 gives detailed guidance on the methods and tools that are appropriate for the various phases of the project, for systems of various levels of integrity.
  • DO-178B does not explicitly define the development tools to be used, but gives details of the process of “tool qualification” required to gain acceptance.
• Perhaps the most successful and widely used form of tool certification is the validation of programming language compilers. Here a respected institution certifies that a compiler conforms to the international language standard.
Certification of systems or products
• Requirements for certification of systems and products vary widely between application areas and between countries, being voluntary in some cases and compulsory in others.
• In certain industries, however, safety-critical systems must always be certified before they can go into service:
  • civil aviation
  • nuclear industries
• In other areas, certification is voluntary and is undertaken for commercial reasons:
  • products that have achieved certification are likely to have a distinct sales advantage.
The process of system certification (1)
• Although the certification phase of a project comes at the end of the development, the planning of this work should be performed at an early stage.
• Because certification involves convincing an external organisation of the safety of the system, it is essential to hold discussions with this body at an early stage, to see what will be required.
• Certification liaison continues throughout the development process, and establishes communications and understanding between the parties involved.
• In some industries specific standards or guidelines are mandatory, and certification will require adherence to such documents.
• In other industries no particular standards are required, although the adoption of a suitable standard will often make the process easier.
The process of system certification (2)
• The developer will initially produce a verification plan for approval by the regulator. The plan:
  • gives the details of the proposed system;
  • sets out the development methods to be used and the documentation to be provided;
  • where a particular standard is being adopted, indicates the techniques proposed to achieve conformance with that standard;
  • also lists any areas in which the developer plans to deviate from the standard, with suitable justification.
• The verification plan will form the basis for the certification process.
The process of system certification (3)
• As the work progresses the developer will supply the regulator with suitable documentation to show that the provisions of the verification plan have been satisfied.
• The developer must also provide data produced at various stages of the project, to substantiate the claim.
• A large part of the documentation required will be the safety case, which details the treatment of safety issues throughout the development process.
• If the regulator is satisfied that the terms of the verification plan have been satisfied, then a certificate or licence will be issued.
The safety case (1)
• Safety case:
  • a record of all the safety activities associated with the system, throughout its life;
  • is initially developed early in the development process and then expanded to include details of all aspects of the development work that are relevant to safety;
  • must be maintained throughout the operational phase, to document any alterations to the system or its use;
  • as requirements change, or the system is modified, it will be necessary to justify such changes in terms of their implications for system safety;
  • supports an application for certification;
  • must prove that all potential hazards have been identified and that appropriate steps have been taken to deal with them;
  • must demonstrate that appropriate development methods have been adopted and that these have been performed correctly.
The safety case (2)
A safety case should include (CONTESSE Test Handbook):
• A description of the safety-related system.
• Evidence of competence of personnel involved in any safety activity.
• A specification of safety requirements.
• The results of hazard and risk analysis.
• Details of risk reduction techniques employed.
• The results of design analysis showing that the system design meets all the required safety targets.
• The verification and validation strategy.
• The results of all verification and validation activities.
• Records of safety reviews.
• Records of all incidents which occur throughout the life of the system.
• Records of all changes to the system and justification of its continued safety.
Guidelines and standards (1)
• Certification often requires adherence to a particular standard or set of guidelines.
• IEC 61508:
  • a generic standard, not limited to any specific industrial sector or application area;
  • primarily concerned with safety-related control systems incorporating electrical, electronic or programmable electronic subsystems;
  • also gives more general guidance that is relevant to all forms of safety-critical systems;
  • great emphasis is placed on the use of a safety lifecycle model.
• DO-178B:
  • relates to civil aircraft and presents an agreement between US and European manufacturers in this area;
  • is seen as being useful outside of the aircraft sector and is influencing work within other industries;
  • unlike IEC 61508, this standard is concerned only with software.
Guidelines and standards (2)
• Defence Standard 00-55:
  • is of relevance to UK military applications;
  • is restricted to software issues;
  • has proved controversial because of its emphasis on the use of formal methods.
• A wide range of other standards and guidelines are used. Some of these are general in nature, while others are specific to particular industries and application areas.
• When using any standard it is important to ensure that the most recent version is used.