4.0 SOFTWARE PLANNING PROCESS
This section discusses the objectives and activities of the software planning process. This process produces the software plans and standards that direct the software development processes and the integral processes. Table A-1 of Annex A is a summary of the objectives and outputs of the software planning process by software level.
4.1 Software Planning Process Objectives
The purpose of the software planning process is to define the means of producing software that will satisfy its requirements and provide the level of confidence that is consistent with the software level. The objectives of the software planning process are:
a. The activities of the software development processes and integral processes of the software life cycle that will address the system requirements and software level(s) are defined (see 4.2).
b. The software life cycle(s), including the inter-relationships between the processes, their sequencing, feedback mechanisms, and transition criteria, are determined (see 3).
c. The software life cycle environment, including the methods and tools to be used for the activities of each software life cycle process, has been selected and defined (see 4.4).
d. Additional considerations, such as those discussed in section 12, have been addressed, if necessary.
e. Software development standards consistent with the system safety objectives for the software to be produced are defined (see 4.5).
f. Software plans that comply with sections 4.3 and 11 have been produced.
g. Development and revision of the software plans are coordinated (see 4.3).
4.2 Software Planning Process Activities
Effective planning is a determining factor in producing software that satisfies the guidance of this document. Activities for the software planning process include:
a. The software plans should be developed that provide direction to the personnel performing the software life cycle processes. See also 9.1.
b. The software development standards to be used for the project should be defined or selected.
c. Methods and tools should be chosen that aid error prevention and provide defect detection in the software development processes.
d. The software planning process should provide coordination between the software development and integral processes to provide consistency among strategies in the software plans.
e. The means should be specified to revise the software plans as a project progresses.
f. When multiple-version dissimilar software is used in a system, the software planning process should choose the methods and tools to achieve the dissimilarity necessary to satisfy the system safety objectives.
g. For the software planning process to be complete, the software plans and software development standards should be under change control and reviews of them completed (see 4.6).
h. If deactivated code is planned, the software planning process should describe how the deactivation mechanism and deactivated code will be defined and verified to satisfy system safety objectives.
i. If user-modifiable software is planned, related processes, tools, environment, and data items substantiating the design (see 5.2.3) should be specified in the software plans and standards.
j. When parameter data items are planned, the following should be addressed:
1. The way that parameter data items are used.
2. The software level of the parameter data items.
3. The processes to develop, verify, and modify parameter data items, and any associated tool qualification.
4. Software load control and compatibility.
k. The software planning process should address any additional considerations that are applicable.
l. If software development activities will be performed by a supplier, planning should address supplier oversight.
Other software life cycle processes may begin before completion of the software planning process if transition criteria for the specific process activity are satisfied.
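As an added example that is not part of the standard text above, the following C program shows one way to implement the load control and compatibility check that item j.4 asks planners to address: a parameter data item image is rejected unless its marker, compatibility identifier, length and CRC-32 all check out, and only then is the payload copied into the executable's working memory. The header layout, marker value, compatibility identifier, payload values and every function name are assumptions for illustration.

```c
/* Added example (not from the standard's text): load-time integrity and
 * compatibility check for a parameter data item (PDI) image.
 * Header layout, marker, compatibility id and payload are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PDI_MAGIC         0x50444931u  /* assumed image marker */
#define PDI_COMPAT_ID     3u           /* id the executable was verified with (assumed) */
#define PDI_PAYLOAD_WORDS 4u

/* Assumed header; crc is first so that it covers every byte after it. */
typedef struct {
    uint32_t crc;         /* CRC-32 over magic, compat_id, payload_len and payload */
    uint32_t magic;
    uint32_t compat_id;   /* must equal the executable's PDI_COMPAT_ID */
    uint32_t payload_len; /* payload bytes following the header */
} pdi_header_t;

typedef enum { PDI_OK = 0, PDI_BAD_LENGTH, PDI_BAD_MAGIC, PDI_INCOMPATIBLE, PDI_BAD_CRC } pdi_status_t;

/* CRC-32 (IEEE 802.3 polynomial, reflected form), computed bit by bit. */
uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Reject the image unless marker, compatibility id, length and CRC all agree.
 * Only then is the payload copied into `out` (out_words words). */
pdi_status_t pdi_load(const uint8_t *image, size_t len, uint32_t *out, size_t out_words) {
    pdi_header_t h;
    if (len < sizeof h) return PDI_BAD_LENGTH;
    memcpy(&h, image, sizeof h);              /* the image may be unaligned */
    if (h.magic != PDI_MAGIC) return PDI_BAD_MAGIC;
    if (h.compat_id != PDI_COMPAT_ID) return PDI_INCOMPATIBLE;
    if (h.payload_len != out_words * sizeof(uint32_t) || len != sizeof h + h.payload_len)
        return PDI_BAD_LENGTH;
    if (crc32_ieee(image + sizeof h.crc, len - sizeof h.crc) != h.crc) return PDI_BAD_CRC;
    memcpy(out, image + sizeof h, h.payload_len);
    return PDI_OK;
}

/* Build a constructed sample image with the given compatibility id; returns its length. */
size_t pdi_build_sample(uint8_t *buf, uint32_t compat_id) {
    static const uint32_t payload[PDI_PAYLOAD_WORDS] = { 1200u, 250u, 7u, 0xA5A5u }; /* constructed */
    pdi_header_t h = { 0u, PDI_MAGIC, compat_id, (uint32_t)sizeof payload };
    size_t len = sizeof h + sizeof payload;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, payload, sizeof payload);
    h.crc = crc32_ieee(buf + sizeof h.crc, len - sizeof h.crc);
    memcpy(buf, &h.crc, sizeof h.crc);
    return len;
}

/* Scenarios: 0 intact, 1 one payload bit flipped, 2 wrong compat id, 3 truncated image. */
pdi_status_t pdi_scenario(int fault) {
    uint8_t img[64];
    uint32_t out[PDI_PAYLOAD_WORDS];
    size_t len = pdi_build_sample(img, fault == 2 ? PDI_COMPAT_ID + 1u : PDI_COMPAT_ID);
    if (fault == 1) img[sizeof(pdi_header_t) + 5] ^= 0x01u;   /* constructed corruption */
    if (fault == 3) len -= 4;                                   /* constructed truncation */
    return pdi_load(img, len, out, PDI_PAYLOAD_WORDS);
}

int main(void) {
    static const char *names[] = { "intact", "bit flip", "incompatible", "truncated" };
    for (int f = 0; f < 4; f++)
        printf("%-12s -> status %d\n", names[f], (int)pdi_scenario(f));
    return 0;
}
```

The compatibility identifier is what ties the data item to the executable it was verified with: an image built for another software version is refused before its contents are ever interpreted, and the CRC catches corruption introduced during loading or storage.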
4.3 Software Plans
The software plans define the means of satisfying the objectives of this document. They specify the organizations that will perform those activities. The software plans are:
• The Plan for Software Aspects of Certification (see 11.1) serves as the primary means for communicating the proposed development methods to the certification authority for agreement, and defines the means of compliance with this document.
• The Software Development Plan (see 11.2) defines the software life cycle(s), software development environment, and the means by which the software development process objectives will be satisfied.
• The Software Verification Plan (see 11.3) defines the means by which the software verification process objectives will be satisfied.
• The Software Configuration Management Plan (see 11.4) defines the means by which the software configuration management process objectives will be satisfied.
• The Software Quality Assurance Plan (see 11.5) defines the means by which the software quality assurance process objectives will be satisfied.
Activities for the software plans include:
a. The software plans should comply with this document.
b. The software plans should define the transition criteria for software life cycle processes by specifying:
1. The inputs to the process, including feedback from other processes.
2. Any integral process activities that may be required to act on these inputs.
3. Availability of tools, methods, plans, and procedures.
c. The software plans should state the procedures to be used to implement software changes prior to use on a certified product. Such changes may be as a result of feedback from other processes and may cause a change to the software plans.
4.4 Software Life Cycle Environment Planning
Planning for the software life cycle environment defines the methods, tools, procedures, programming languages, and hardware that will be used to develop, verify, control, and produce the software life cycle data (see 11) and software product. Examples of how the software environment chosen can have a beneficial effect on the software include enforcing standards, detecting errors, and implementing error prevention and fault tolerance methods. The software life cycle environment is a potential error source that can contribute to failure conditions. Composition of this software life cycle environment may be influenced by the safety-related requirements determined by the system safety assessment process, for example, the use of dissimilar, redundant components.
The goal of error prevention methods is to avoid errors during the software development processes that might contribute to a failure condition. The basic principle is to choose requirements development and design methods, tools, and programming languages that limit the opportunity for introducing errors, and verification methods that ensure that errors introduced are detected. The goal of fault tolerance methods is to include safety features in the software design or Source Code to ensure that the software will respond correctly to input data errors and prevent output and control errors. The need for error prevention or fault tolerance methods is determined by the system requirements and the system safety assessment process.
The considerations presented above may affect:
a. The methods and notations used in the software requirements process and software design process.
b. The programming language(s) and methods used in the software coding process.
c. The software development environment tools.
d. The software verification and software configuration management tools.
e. The need for tool qualification (see 12.2).
4.4.1 Software Development Environment
The software development environment is a significant factor in the production of high-quality software. The software development environment can also adversely affect the production of software in several ways. For example, a compiler could introduce errors by producing a corrupted output or a linker could fail to reveal a memory allocation error that is present. Activities for the selection of software development environment methods and tools include:
a. During the software planning process, the software development environment should be chosen to reduce its potential risk to the software being developed.
b. The use of tools or combinations of tools and parts of the software development environment should be chosen to achieve the necessary level of confidence that an error introduced by one part would be detected by another. An acceptable environment is produced when both parts are consistently used together. This selection includes the assessment of the need for tool qualification.
c. The software verification process activities or software development standards, which include consideration of the software level, should be defined to reduce potential software development environment-related errors.
d. If certification credit is sought for use of the tools in combination, the sequence of operation of the tools should be specified in the appropriate plan.
e. If optional features of software tools are chosen for use in a project, the effects of the options should be examined and specified in the appropriate plan. This is especially important for compilers and autocode generators.
f. Known tool problems and limitations should be assessed and those issues which can adversely affect airborne software should be addressed.
4.4.2 Language and Compiler Considerations
Upon successful completion of verification of the software product, the compiler is considered acceptable for that product. For this to be valid, the software verification process needs to consider particular features of the programming language and compiler. The software planning process considers these features when choosing a programming language and planning for verification. Activities include:
a. Some compilers have features intended to optimize performance of the object code. If the test cases give coverage consistent with the software level, the correctness of the optimization need not be verified. Otherwise, the impact of these features on structural coverage analysis should be determined. Additional information can be found in section 6.4.4.2.
b. To implement certain features, compilers for some languages may produce object code that is not directly traceable to the Source Code, for example, initialization, built-in error detection, or exception handling (see 6.4.4.2.b). The software planning process should provide a means to detect this object code and to ensure verification coverage, and should define the means in the appropriate plan.
c. If a new compiler, linkage editor, or loader version is introduced, or compiler options are changed during the software life cycle, previous tests and coverage analyses may no longer be valid. The verification planning should provide a means of reverification that is consistent with sections 6 and 12.1.3.
Note: Although the compiler is considered acceptable once all of the verification objectives are satisfied, the compiler is only considered acceptable for that product and not necessarily for other products.
4.4.3 Software Test Environment
Software test environment planning defines the methods, tools, procedures, and hardware that will be used to test the outputs of the integration process. Testing may be performed using the target computer, a target computer emulator, or a host computer simulator.
Activities include:
a. The emulator or simulator may need to be qualified as described in section 12.2.
b. The differences between the target computer and the emulator or simulator, and the effects of these differences on the ability to detect errors and verify functionality, should be considered. Detection of those errors should be provided by the software verification process and specified in the Software Verification Plan.
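The following C listing is an added illustration of item a. above and is not part of the standard's text: it places a robustness check that an optimizing compiler is entitled to delete beside an equivalent check that it must keep. Because signed integer overflow is undefined in C, a compiler optimizing under that rule may treat the comparison `x + 1 < x` as always false and emit no branch for it, so the object code then contains no decision for structural coverage analysis to relate back to the source-level check. The type and function names are assumptions for illustration.

```c
/* Added example (not from the standard's text): a defensive check written in a
 * way an optimizer may delete, beside an equivalent check it must keep.
 * Type and function names are assumptions. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { bool ok; int value; } checked_int;

/* Fragile: relies on signed overflow wrapping. Signed overflow is undefined in C,
 * so an optimizer may treat `x + 1 < x` as always false and drop the branch.
 * The source shows a check; the object code may not. */
checked_int increment_fragile(int x) {
    checked_int r = { true, 0 };
    if (x + 1 < x) { r.ok = false; return r; }   /* may be folded away when optimizing */
    r.value = x + 1;
    return r;
}

/* Robust: the precondition is tested before any arithmetic, with no undefined
 * behaviour involved, so the branch survives optimization and stays traceable. */
checked_int increment_checked(int x) {
    checked_int r = { true, 0 };
    if (x == INT_MAX) { r.ok = false; return r; }
    r.value = x + 1;
    return r;
}

/* The same idea generalised to any addend: range-check a and b before adding. */
checked_int add_checked(int a, int b) {
    checked_int r = { true, 0 };
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) { r.ok = false; return r; }
    r.value = a + b;
    return r;
}

int main(void) {
    checked_int r = increment_checked(INT_MAX);
    printf("increment_checked(INT_MAX): ok=%d\n", r.ok);
    r = add_checked(INT_MIN, -1);
    printf("add_checked(INT_MIN, -1): ok=%d\n", r.ok);
    r = add_checked(-3, 5);
    printf("add_checked(-3, 5): ok=%d value=%d\n", r.ok, r.value);
    return 0;
}
```

A coding standard that forbids the fragile form (see 4.5) removes the question before it reaches coverage analysis; where such constructs cannot be excluded, the plan has to state how the object code will be inspected for the missing decisions.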
4.5 Software Development Standards
Software development standards define the rules and constraints for the software development processes. The software development standards include the Software Requirements Standards, the Software Design Standards, and the Software Code Standards. The software verification process uses these standards as a basis for evaluating the compliance of actual outputs of a process with intended outputs. Activities for development of the software standards include:
a. The software development standards should comply with section 11.
b. The software development standards should enable software components of a given software product or related set of products to be uniformly designed and implemented.
c. The software development standards should disallow the use of constructs or methods that produce outputs that cannot be verified or that are not compatible with safety-related requirements.
d. Robustness should be considered in the software development standards.
Note 1: In developing standards, consideration can be given to previous experience. Constraints and rules on development, design, and coding methods can be included to control complexity. Defensive programming practices may be considered to improve robustness.
Note 2: If allocated to software by system requirements, practices to detect and control errors in stored data, and refresh and monitor hardware status and configuration may be used to mitigate single event upsets.
4.6 Review of the Software Planning Process
Reviews of the software planning process are conducted to ensure that the software plans and software development standards comply with the guidance of this document and means are provided to execute them. Activities include:
a. Methods are chosen that enable the objectives of this document to be satisfied.
b. Software life cycle processes can be applied consistently.
c. Each process produces evidence that its outputs can be traced to their activity and inputs, showing the degree of independence of the activity, the environment, and the methods to be used.
d. The outputs of the software planning process are consistent and comply with section 11.
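The C program below is an added example of the two practices Note 2 names and is not part of the standard's text. A critical word is stored as value plus bitwise complement in three copies, so that a single event upset in any one copy is detected on read, outvoted, and scrubbed back to the agreed value, while an uncorrectable case is reported to the caller rather than accepted; a periodic monitor reads a configuration register back and rewrites it if it has drifted from the intended setting. The register here is a plain variable standing in for a memory-mapped one; its address, the intended configuration value, the critical value and all names are assumptions.

```c
/* Added example (not from the standard's text): detecting and correcting upsets
 * in stored data, and refreshing a hardware configuration register from its
 * intended value. The register is a plain variable standing in for a
 * memory-mapped one; all names and values are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* A critical word kept with its bitwise complement: any single-bit flip in
 * either half breaks value == ~inverse and is detected on read. */
typedef struct { uint32_t value; uint32_t inverse; } guarded_u32;

static void guarded_set(guarded_u32 *g, uint32_t v) { g->value = v; g->inverse = ~v; }
static bool guarded_valid(const guarded_u32 *g) { return g->value == ~g->inverse; }

/* Three guarded copies: a damaged copy is outvoted and rewritten from the others. */
typedef struct { guarded_u32 copy[3]; } tmr_u32;

void tmr_set(tmr_u32 *t, uint32_t v) { for (int i = 0; i < 3; i++) guarded_set(&t->copy[i], v); }

/* Reads the value, scrubbing any damaged copy. Returns false only when no copy
 * passes its complement check; the caller must treat that as an error. */
bool tmr_read(tmr_u32 *t, uint32_t *v) {
    bool valid[3];
    int pick = -1;
    for (int i = 0; i < 3; i++) valid[i] = guarded_valid(&t->copy[i]);
    /* Prefer a value that two valid copies agree on. */
    for (int i = 0; i < 3 && pick < 0; i++)
        for (int j = i + 1; j < 3; j++)
            if (valid[i] && valid[j] && t->copy[i].value == t->copy[j].value) { pick = i; break; }
    /* Otherwise fall back to any single valid copy. */
    for (int i = 0; i < 3 && pick < 0; i++) if (valid[i]) pick = i;
    if (pick < 0) return false;
    *v = t->copy[pick].value;
    for (int i = 0; i < 3; i++)                      /* scrub: restore every copy that disagrees */
        if (!valid[i] || t->copy[i].value != *v) guarded_set(&t->copy[i], *v);
    return true;
}

/* Stand-in for a memory-mapped configuration register (assumed). */
static volatile uint32_t sim_config_reg;

/* Periodic monitor: read the register back and rewrite it if it has drifted from
 * the intended configuration. Returns true when a repair was needed. */
bool config_refresh(uint32_t intended) {
    if (sim_config_reg == intended) return false;
    sim_config_reg = intended;
    return true;
}

/* Demo: one constructed bit flip in copy 1 is detected, outvoted and scrubbed.
 * Returns the recovered value, or 0 if recovery or scrubbing failed. */
uint32_t seu_demo_single_flip(void) {
    tmr_u32 t; uint32_t v = 0;
    tmr_set(&t, 0x12345678u);                        /* constructed critical value */
    t.copy[1].value ^= 0x00000400u;                  /* constructed upset */
    if (!tmr_read(&t, &v)) return 0;
    for (int i = 0; i < 3; i++)
        if (!guarded_valid(&t.copy[i]) || t.copy[i].value != v) return 0;
    return v;                                        /* all copies consistent again */
}

/* Demo: upsets in every copy are reported rather than silently accepted. */
bool seu_demo_uncorrectable(void) {
    tmr_u32 t; uint32_t v = 0;
    tmr_set(&t, 0x12345678u);
    for (int i = 0; i < 3; i++) t.copy[i].inverse ^= 1u << i;   /* constructed upsets */
    return !tmr_read(&t, &v);                        /* true: the failure was detected */
}

/* Demo: a drifted register is repaired once, then reads back clean. */
int config_demo(void) {
    const uint32_t intended = 0x0000A5C3u;           /* assumed configuration */
    sim_config_reg = intended;
    sim_config_reg ^= 0x00000100u;                   /* constructed upset in the register */
    int repairs = config_refresh(intended) ? 1 : 0;
    repairs += config_refresh(intended) ? 1 : 0;     /* nothing to repair the second time */
    return repairs;
}

int main(void) {
    printf("single flip recovered value: 0x%08X\n", (unsigned)seu_demo_single_flip());
    printf("uncorrectable reported: %d\n", seu_demo_uncorrectable());
    printf("register repairs: %d\n", config_demo());
    return 0;
}
```

Whether any of this belongs in the software at all is decided by the system requirements, as Note 2 says; when it does, the scrub and refresh intervals and the response to an uncorrectable read are the items the plans and standards need to fix.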