Making Submarines Fly

Stephen Willoughby

Software Assurance Manager, Dreadnought Alliance/Rolls-Royce Plc

The presentation will describe the challenge and success of adapting the Civil Aerospace regulations for the certification of high integrity software, based around the DO-178 series of software development standards, the Federal Aviation Administration (FAA) Job Aid and European Union Aviation Safety Agency (EASA) Part 21, to the submarines environment on the Dreadnought Programme. I am currently seconded into the Dreadnought Alliance (DNA), a commercial alliance between the Submarines Delivery Agency (SDA) within the Ministry of Defence and its two key industrial partners, BAE Systems Submarines (BAES) and Rolls-Royce Submarines (RRS). The regulatory authorities for submarines, the Defence Maritime Regulator (DMR) and Naval Authority Group (NAG), have requested a more formal approach to software certification than was applied to previous classes of submarine. Because the DMR and NAG have limited software expertise, responsibility for software certification has been delegated to the DNA, which is why I was seconded from one of the DNA industrial partners to manage this activity.

I will outline how I adapted the EASA regulations for software certification, initially for Dreadnought; the approach is now being considered for future classes of submarine across the enterprise. This resulted in a process for certification of high integrity software for submarines that uses a risk-based Level of Involvement (LOI) to decide which Stage of Involvement (SOI) activities the DNA conducts. The LOI is based on the considerations from the aerospace regulations: novelty, complexity, design authority performance and safety integrity. The objective of the certification process is to demonstrate that software has been developed to the level of rigour required for its level of safety integrity. Because of the diverse technology involved, the software was developed to multiple standards, including IEC 61508-3, the DO-178 series, DEF-STAN 00-55 and in-house standards. A common set of criteria was therefore defined in a software policy as a set of requirements that read across to these multiple standards, including a mapping between the safety integrity classifications (e.g. SILs, DALs) based on failure rates. Software certification was conducted against this software policy.

There were a number of challenges to implementing this capability, as it had not previously been conducted on this scale. They included limited expertise in the software development process amongst the enterprise organisations, and inconsistent approaches to conducting software certification activities at this level. The process was introduced relatively late into the Dreadnought Programme, so I will discuss the issues with applying it retrospectively to software development that had already been completed and to software where COTS components had been used. Examining that software development to the required depth was a challenge, as additional effort was needed to obtain the relevant information.

The improvement initiative has resulted in the development of a new capability, organisation and governance structure for software certification across the submarine enterprise. The "make submarines fly" software certification initiative is now successfully delivering, with a mature and effective capability embedded into the Submarines Enterprise.

About Stephen Willoughby

Dr Stephen Willoughby has over 30 years' experience working in quality assurance, the majority of it within the software domain, including a period of research for a doctorate. Around 20 years of this experience has been at Rolls-Royce, working within the civil and defence aerospace and submarines sectors, including a period working overseas. Steve is recognised at Rolls-Royce for his expertise in software quality assurance and auditing. He developed the initial version of the Rolls-Royce requirements for suppliers conducting software development activities, has trained and mentored people in software quality assurance, including at a work-share partner in Germany, and developed the software certification process for submarines outlined in this presentation. He lives in Derby and is married with 3 boys.
