CAST-15

CAST-15, ''Merging High-Level and Low-Level Requirements'' is a Certification Authorities Software Team (CAST) Position Paper. It is an FAA publication that "does not constitute official policy or guidance from any of the authorities", but is provided to applicants for software and hardware certification for educational and informational purposes only.

As established by the FAA advisory circular AC 20-115, the RTCA publication DO-178B/C defines an acceptable means of certification of airworthy software. Unique among development standards, DO-178B introduced a distinction between High-Level Requirements and Low-Level Requirements as formal products of software requirements analysis and design when developing airworthy software.

DO-17B/C assigned different sets of objectives to these two levels of requirements. To accomplish compliance, the Applicant needs to fulfill both sets of objectives with their requirements. However, ''under narrow conditions'', that standard's guidance permits combination of these two levels into just one level of requirements, but warns against the practice in general.

This position paper is concerned with observed misuse of this guidance; some applicants were combining High-Level and Low-Level Requirements for "simple" products, but were not accomplishing all of the related objectives for both levels of requirements.

This position paper is also an example of Certification Authorities using their "what" versus "how" distinctionRierson, p. 113, "In order to avoid this slippery slope, I suggest that engineers ... Clearly define the division between requirements (''what'') and design (''how'') .... " between high-level and low-level requirements that DO-178B/C does not clearly explain.

Background

Various stakeholders for software definition and verification have differing objectives and levels of abstraction. Those stakeholders responsible for defining or verifying high-level software product functionality are generally concerned with the structures and behaviors of the product's external interfaces, and details of internal software structures do not necessarily support that focus. On the other hand, those responsible for defining and verifying requirement coverage of all internal code need much finer details of internal software structures. This is the justification for DO-178B/C establishing distinct objectives for high-level and low-level requirements, with consideration for applicants developing additional requirement layering on large projects.Jamie P. White, Hassan Reza, p. 432. "The end goal is to place requirements in the requirements document that provides the most visibility to the stakeholders while preserving the scope of the document. Hence, there is a fine line between putting too much information in a high-level requirements document and providing an appropriate amount of visibility to stakeholders."

However, DO-178B allowed for the possibility of developing only one level of requirements for ''particularly simple'' systems. That is, Certification Authorities (e.g., FAA-Designated Engineering Representatives) would not expect any more or fewer requirement layers than necessary. However, the Certification Authorities’ experience was that some applicants misused or abused this intention, and as a result, such applicants discovered late in their projects that they were unable to demonstrate compliance and had to repeat some activities.

This is also an issue for any usage of development tools that potentially reduce the resolution of requirements in a project, particularly those that use notations of higher abstraction (e.g., UML or block flow modeling). Applicants using such tools generally are expected to declare if their development processes use such tool's notation the role of describing either high-level requirements or low-level requirements, but usually not both.Raymond G. Estrada, Eric Dillaber, Gen Sasaki, "... 5 This is because of the different purposes of each level of requirements; HLR state what the system software is to do, while the LLR state how it is done and what components are used to do it. Verification must be performed on the data for both HLR and LLR separately, and merging the two may make this impossible. Note that although Section 5 of DO-178C allows a single level of requirements, it is typically not done because it requires the system level requirements to contain additional detail to allow traceability to the combined HLR/LLR data item."

Status

In general, CAST Position Papers were issued to harmonize review of software projects conducted under DO-178B or DO-254. But, they were also intended to inform the development and eventual release of DO-178C and supporting publications. As much of the discussion and rationale recorded in the CASTs is not included in the newer publications, the CASTs remain a source of insight into the updated standards.

This CAST-15 Position Paper is no longer provided on the FAA's publications site as the team's concerns were addressed by FAQ #81 in DO-248C, ''Supporting Information for DO-178C and DO-278A''Rierson, p. 113, "DO-248C's FAQ #81 ... and the ... CAST-15" and by changes and clarification in the release of DO-178 Revision C:

* The FAQ was originated by European Certification Authorities who were concerned with the risk of applicants developing untraceable and unverifiable gaps in their requirements, and it does not recommend merging high and low levels of requirements into a single level.
* The note "The applicant may be required to justify software development processes that produce a single level of requirements." was added to DO-178C Section 5.0, page 31.

However, neither DO-248C nor DO-178C completely incorporates the "full discussion of this topic" that is recorded CAST-15.

Much of the same content of the original CAST-15 Position Paper is published in the 2012 EASA Certification Memo EASA CM-SWCEH-002 (Section 23 Merging High-Level and Low-Level Requirements).

Contents

DO-178C/DO-178B provides guidance for merging High-Level and Low-Level Software Requirements. Nominally, in the DO-178C/DO-178B context, the High-Level Requirements for a Certified Software Product are distinct from the Low-Level Software Requirements, the former being outputs of the Software Requirements Process and the latter being outputs of the Software Design Process.RTCA/ DO-248C "Supporting Information for DO-178C and DO-278A", FAQ #81, pages 43-44. "When airborne software components are large or complex, the software requirements process produces the HLRs and the software design process produces the LLRs and architecture. Thus, HLRs and LLRs are not the outputs of the same development processes."
* High-Level Requirements are essentially those System Requirements that are allocated to the Software Product (an outside view of ''what'' the full Software Product shall be and do).
* Low-Level Requirements are the results of decomposition and elaboration of requirements such that the source code may be produced, reviewed, and tested ''directly'' from the Low-Level Requirements (an inside view of ''how'' the Software Product shall be implemented to do it).RTCA/DO-178C "Software Considerations in Airborne Systems and Equipment Certification", p. 31. "Low-level requirements are software requirements from which Source Code can be directly implemented without further information." ... "However, if Source Code is generated directly from high-level requirements, then the high-level requirements are also considered low-level requirements and the guidance for low-level requirements also apply."

In some applications, the System/High-Level Requirements are of sufficient simplicity and detail that the Source Code can be produced and verified directly. In this situation, the System/High-Level Requirements are also considered to be Low-Level Requirements, which means that, in addition to accomplishing the objectives for High-Level Requirements, the same requirements must also accomplish the objectives for Low-Level Requirements.

The concern that prompted CAST-15 is that some applicants for software certification interpreted the above guidance as permitting combining ''both'' High-Level Software Requirements and Low-Level Software Requirements in a single software requirements document or other artifact ''without'' making any indication of which requirements are High-Level and which are Low-Level, but also omitting traceability between the Low-Level and High-Level Requirements and neglecting to identify derived requirements for feedback to System Processes, including System Safety.

This Position Paper discusses several problems and hazards that Certification Authorities see arising from merging Low-Level Requirements into the collection of High-Level Requirements, recommending that this not be done.Raymond G. Estrada, Eric Dillaber, Gen Sasaki, "Merging the HLR and LLR into a single model or data item is not recommended 5" The replacement content published in FAQ #81 in DO-248C ''Supporting Information for DO-178C and DO-278A'' provides a shorter list of certification concerns for combining (or merging) these two "what" and "how" levels into a single set of requirements without distinguishing the relevant certification objectives of the two levels. FAQ #81 also recommends against merging High-Level and Low-Levels even in cases where the code can be written and verified in a "single step" of requirements as the original DO-178B/C guidance allows, but does offer suggestions on how to address concerns.RTCA/ DO-248C "Supporting Information for DO-178C and DO-278A", FAQ #81, pages 43-44. "There may be some systems where the system level requirements are refined into software requirements suitable for coding in one refinement step. In this case, a single level of software requirements may be feasible; however, ...."

Model-based development

The distinction between, or combination of, High-Level and Low-Level Requirements is a particular issue with Model-based development. As vendors and applicants employ Model-Based Development tools in the development of airborne software, concern arises about automation and elimination of levels of certification evidence. Arguments are made for careful designation of which Model-Based artifacts represent High-Level Requirements and which represent Low-Level Requirements.
Finally, the standard DO-331 (Model-Based Development and Verification), supplement to DO-178C has clarified these aspects stating that high level requirements are requirements located prior to the model from which the model has been developed, the low level requirements being those located in the model itself. DO-331 having clarified the issue for model based development, the level-merging concerns of CAST-15 are not applicable to model based development.

References

External links

* {{Webarchive, url=https://web.archive.org/web/20170829220106/https://www.faa.gov/aircraft/air_cert/design_approvals/air_software/cast/cast_papers/media/cast-15.pdf , date=2017-08-29 , title= CAST-15. Retrieved 2021-12-03.

Avionics
Safety
Software requirements
RTCA standards
Computer standards