Software Process Assurance for Complex Electronics (SPACE) by Plastow, Richard A.
Software Process Assurance for Complex Electronics 
 
Richard A. Plastow 
Science Applications International Corporation 
NASA Glenn Research Center 
 
July 24, 2007 
 
 
Complex Electronics (CE) are now programmed to perform tasks that were previously 
handled in software, such as communication protocols. Many of the methods used to 
develop software bare a close resemblance to CE development. For instance, Field 
Programmable Gate Arrays (FPGAs) can have over a million logic gates while system-on-
chip (SOC) devices can combine a microprocessor, input and output channels, and 
sometimes an FPGA for programmability. With this increased intricacy, the possibility of 
“software-like” bugs such as incorrect design, logic, and unexpected interactions within the 
logic is great.  
 
Since CE devices are obscuring the hardware/software boundary, we propose that mature 
software methodologies may be utilized with slight modifications in the development of 
these devices. Software Process Assurance for Complex Electronics (SPACE) is a 
research project that looks at using standardized S/W Assurance/Engineering practices to 
provide an assurance framework for development activities.  Tools such as checklists, best 
practices and techniques can be used to detect missing requirements and “bugs” earlier in 
the development cycle creating a development process for CE that will be more easily 
maintained, consistent and configurable based on the device used.  
https://ntrs.nasa.gov/search.jsp?R=20070031913 2019-08-30T01:46:20+00:00Z
Software 
Process 
Assurance for 
Complex 
Electronics 
(SPACE)
Richard A. Plastow
Science Applications International Corporation
NASA Glenn Research Center
July 24, 2007
i li i i l i
l
l  , 
2
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
The Quandary
Complex Electronics (CE) 
devices can have over 
one million gates and 
even a built in 
microprocessor. These 
devices are replacing 
conventional software in 
many critical applications. 
How do we assure quality 
on these devices?
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 3
How the Design Process For Complex 
Electronics should flow
4
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
Planning is Where to Start
– 5
Richard.A.Plastow (SAIC)                                        
Sr. Software Assurance Engineer
Simple or Complex?
♦ The Federal Aviation Administration (FAA) provides a definition in 
DO-254, “Design Assurance Guidance for Airborne Electronic 
Hardware” document. It states “A hardware item is identified as 
simple only if a comprehensive combination of deterministic tests 
and analyses appropriate to the design assurance level can ensure 
correct functional performance under all foreseeable operating 
conditions with no anomalous behavior. When an item cannot be 
classified as simple, it should be classified as complex. An item 
constructed entirely from simple items may itself be complex.”
♦ Firmware is not CE. The most common definition is found in IEEE 
610.12-1990: “The combination of hardware device and computer 
instructions and data that reside as read-only software on that 
device.”
6
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
What is the Devices Criticality?
The complex electronics is classified as Low if it does not fall into either of the above categoriesLow
1. The complex electronics executes mission-critical functions but there is redundancy in the 
system 
2. The design is expected to be moderately complex 
3. The design is expected to have moderate risk due to one or more of these factors: 
i. Some requirements undefined or unstable 
ii. Somewhat innovative and untried design approach 
iii. Aggressive schedule 
iv. Design team contains some inexperienced members
Moderate
1. The complex electronics executes safety-critical functions 
2. The complex electronics executes mission-critical functions and is a single point of failure 
3. The design is expected to be highly complex 
4. The design is expected to have significant risk due to one or more of these factors: 
i. Unstable requirements 
ii. Technical concerns with the chosen technology, such as power consumption, design size 
for the chip, timing, packaging, or operating frequency 
iii. Highly innovative and untried design approach 
iv. Highly aggressive schedule 
v. Inexperience of the design team
High
CriteriaCriticality 
Classification
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 7
How do You Start the Process?
 Create an Assurance 
Plan for your device
 Can be stand alone or 
part of the larger 
assurance plan
 Plan is based on 
criticality of device(s)
 Get concurrence with the 
plan
 One plan can cover all 
devices needed
8
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
Assurance Planning is Very Important
Assurance Planning Document
Specify criteria and tasks for acceptance of complex electronics. 13
Exit Criteria are met. 20
Identify training and tools required for the assurance tasks.7
Specify tasks for Requirements phase, including reviews, audits, and 
analyses. 
8
Define management of the assurance activities, including organization 
structure, roles and responsibilities, resources, schedule, reporting. 
6
Determine Applicable and Reference standards and documents. 5
Specify purpose and scope of plan. 4
Generate tailored Complex Electronics Assurance Plan (CEAP). This 
includes steps 4 through 14 below. 
3
Concur with complex electronics criticality classification (high, moderate, or 
low). Include in the CEAP (below) 
2
Entrance Criteria are met.1
QACompletion 
Date
Process StepID
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 9
Supporting Processes
 Controlling and monitoring the process used 
is very important.
 Configuration Management
 Audits
 Selecting the development process
 Problem reporting / monitoring
 Risk Management
 Ad Hoc is NOT a process!
10
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
Involve the Correct People
Assess entrance and exit criteria for each life cycle 
phase 
Ensure traceability of the requirements through all levels 
of development 
Analyze the products produced (documents, designs, 
etc.) against the requirements and the output of the 
previous phase
Perform white box analysis on CE designs and tests
CE Process Assurance 
Identify if complex electronics can cause a hazard or 
are part of a hazard control 
Ensure that design errors in complex electronics are 
considered as a failure mode 
System Safety 
Derive requirements for the board or chip level 
Design electronics to meet the requirements, using 
good engineering practices 
Implement the design in hardware 
Test the hardware; Implement changes
Electronics Designer
Define the system requirements 
Decompose system requirements down to sub-system        
level 
Define system-level testing 
Systems Engineer 
ResponsibilityRole
11
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
Requirements
The first step in any design process should be to define and 
document the requirements and constraints under which the CE 
must operate. This allows you to think through the issues and 
document any design decisions and trade-offs. 
Complex Electronics design is often started based on the engineers 
knowledge of the system, not defined requirements.
Requirements Reviews
 Clear
 Concise
 Confirmable
 Traceable
Interface Control Document verifications
Signals List
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 12
Requirements Review Checklist Snippet
Has the timing of critical signals been defined? Timing 28
Is the behavior of the CE in response to an external failure or 
fault specified? 
Error 
Handling 
27
During power-up or reset, do any lines or signals float? Initial 
Conditions
20
For each output signal, is the range of valid data defined? Is a
typical value defined? 
Signals13
For each input signal, is the range of valid data defined? Signals 12
Is the data size and bit order defined? Interfaces 11
Are the overall system configurations and operating modes 
defined? 
General 2
CommentYes/No/
NA
CriteriaTopicID
13
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
Traceability Analysis 
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 14
Design
One major difference between CE and software 
is the aspect of timing and concurrency. 
 Design reviews are important.  
 Independent engineer should review the design
 Confirm the design supports the requirements
 Use a coding standard
 Have and follow Best Practices
15
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
Fault Tree Analysis
16
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
Code / Implementation
Although HDL is not true code, it shares many of 
the same features and attributes of software. 
Differences include:
 During synthesis (compile), the design is 
mapped to the logic gates of the device.
 The placement of the logic blocks within the 
chip, and the routing between blocks, are 
some of the processes that occur during 
implementation (link).
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 17
Ease of Coding
 Coding Standards, Code Reviews and Best 
Practices work well on HDLs. They allow:
 Readability
 Standard Signal names
 Names do not change across boundaries
 Common register names
 Maintainability
 Common naming conventions
 Code reviews
 Etc….
18
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
VHDL Code Example
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 19
Example of Code Review Best Practices
Are unused functions within the IP cores identified? Is the accidental 
execution of these functions prevented? 
Other 41
The sensitivity list contains only the signals that should cause the 
process to be executed 
Functions 39
All asynchronous inputs are first synchronized before use Interfaces 36
Provides an Asynchronous reset line Reset 34
Names shall be self-explanatory Signals 27
Do not generate the clock using combinational logic Clocks 25
All states in a state machine are defined or  invalid states are
returned to a known state 
General5
CommentYes/No/
NA
CriteriaTopicID
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 20
Test
 While complex electronics use test benches 
and timing models, the idea of a well defined 
suite of test cases is common in both 
disciplines. This includes test plans, fault 
injection and error handling testing and 
verification. 
21
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
Test Methodologies
Best Practices
Test Plans 
 Tracing to requirements
 Feasible
 Cover more than just success
 Fault Injection
 Test Verification
Problem Trend Analysis / Tracking
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 22
Test Plan Review Checklist
Is the maximum allowable power and current to the CE being 
verified? 
Power/ 
Electrical 
32
Has the timing of critical signals been tested? Timing30
Have all expected errors or faults been tested to verify they are 
handled correctly? 
Error Handling 27
Is the state of programmable memory elements upon power-
up and after a reset tested? 
Initial 
Conditions 
25
For each input signal, is the range of valid data tested? Signals 17
Interfaces with COTS IP modules tested Interfaces 14
Is the functionality of the complex electronics (CE) in off-
nominal mode being tested? 
General4
CommentYes/No/NACriteriaTopicID
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 23
Reality Check
 Many assurance engineers, regardless of their 
specialty, have little understanding of the 
complexities of these devices. Any review done will 
only be to the level of knowledge of the assurance 
engineer. 
 Three courses have been developed
 Introduction to CE
 CE Life Cycle
 Assurance of CE devices
 Techniques and checklists were created to ensure 
quality.
 Not all techniques/checklists used on every part.
 Dependent on criticality and project direction.
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 24
Process Flow Example
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 25
How Complex Electronics Fits into 
Review Cycles
26
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
Techniques
Change Impact Analysis
Decision Tables/Trees
Design Evaluation
Design Review
Failure Mode and Effect Analysis
Fault Tree Analysis
Function and Physical Configuration Audits
Interface Analysis
Requirements Evaluation
Requirements Review
Risk Analysis
Traceability Analysis
27
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer
Impact Analysis Defines
Rational for Change
Effects on Internal Interfaces
Effects on External Interfaces
Effects on Hazards
Effects on Operations
Potential for introducing new bugs
Impact of Change (Minor/Major and why)
Testing/Verifications needed
Things to Consider
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 28
Checklists
 Planning Phase
 Requirements Phase
 Preliminary Design Phase
 Detailed Design Phase
 Implementation Phase
 Testing Phase
 Operations Phase
 Assurance Planning
 Modifications or Upgrades
 Audits (Functional Configuration, Physical Configuration and 
In-Process)
 Best Practices (Code Review)
 Testing (Document Review)
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 29
Requirements Phase Process Checklist
 Overview 
 Entrance Criteria 
 Responsible Personnel 
 Process Step – Lists Analysis to use/update, 
documentation(to create, update, etc.), 
supporting processes needed
 Exit Criteria 
 Documentation Status 
Richard.A.Plastow (SAIC)                            
Sr. Software Assurance Engineer 30
Conclusion
 Thanks to the NASA Software Assurance 
Research Program which funded this 
Research
 Contact Information
– Richard Plastow
– 21000 Brookpark Road, MS 50-4
– Cleveland, OH 44135
– Richard.A.Plastow@nasa.gov
– (216) 433-3431
