BY ORDER OF THE AIR FORCE MANUAL 91-119 SECRETARY OF THE AIR FORCE 5 JUNE 2012 Safety SAFETY DESIGN AND EVALUATION CRITERIA FOR NUCLEAR WEAPON SYSTEMS SOFTWARE COMPLIANCE WITH THIS PUBLICATION IS MANDATORY ACCESSIBILITY: Publications and forms are available for downloading or ordering on the e- Publishing website at www.e-Publishing.af.mil RELEASABILITY: There are no releasability restrictions on this publication OPR: HQ AFSEC/SEWN Certified by: AF/SE (Maj Gen Feest) Supersedes: AFMAN 91-119, 1 February Pages: 30 1999 This manual implements AFPD 91-1, Nuclear Weapons and System Surety, and contains the minimum design and evaluation criteria for software requiring nuclear safety certification. It applies to all organizations that design, develop, modify, evaluate, operate or acquire a nuclear weapon system. This publication is consistent with AFPD 13-5, Air Force Nuclear Enterprise. This Manual is applicable to Air National Guard and Air Force Reserve units performing nuclear missions. This manual applies to new systems or modified portions of existing systems. Existing certified systems are not required to be modified solely to meet the requirements of this manual. Refer recommended changes and questions about this publication to the Office of Primary Responsibility (OPR) using the AF Form 847, Recommendation for Change of Publication; route AF Form 847s from the field through the appropriate (MAJCOM) publications/forms manager. Ensure that all records created as a result of processes prescribed in this publication are maintained in accordance with AFMAN 33-363, Management of Records, and disposed of in accordance with the Air Force Records Disposition Schedule (RDS) located at https://www.my.af.mil/afrims/afrims/afrims/rims.cfm. Send recommendations for improvements to Headquarters Air Force Safety Center (AFSEC/SEWN), 9700 G Avenue SE, Kirtland AFB, NM 87117-5670, or email [email protected] SUMMARY OF CHANGES This document is substantially revised and shall be completely reviewed. This revision includes substantive changes. It provides nuclear safety design certification and evaluation criteria for software systems, including facilities, used to support, maintain, handle or store nuclear weapons. In addition, organization names were changed to reflect changes since the last 2 AFI91-119 5 JUNE 2012 publication of this Manual. Changes include certification of Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuit (ASIC) designs, Complex Programmable Logic Devices (CPLD) and software that is unique and developed specifically to control essential facility systems outlined in AFMAN 91-118. In addition, organization names were changed to reflect changes since the last publication of this Manual. Chapter 1—GENERAL STANDARDS AND CONTROL 6 Section 1A—Responsibilities and Scope 6 1.1. Philosophy. ............................................................................................................ 6 1.2. Department of Defense (DOD) Safety Standards. ................................................. 6 1.3. Development Standards. ........................................................................................ 6 1.4. National Security Agency (NSA) Certification. .................................................... 7 1.5. Department of Energy (DOE) Certification. .......................................................... 7 1.6. Air Force Criteria. .................................................................................................. 7 1.7. Nuclear Safety Software Categories. ..................................................................... 7 1.8. Development Process. ............................................................................................ 8 1.9. Requests for Deviations. ........................................................................................ 8 1.10. Software Advisory Group (SAG) or equivalent. ................................................... 8 Chapter 2—DESIGN CRITERIA FOR NUCLEAR WEAPON SYSTEMS SOFTWARE 10 Section 2A—General Philosophy and Criteria 10 2.1. Application. ............................................................................................................ 10 2.2. Software Specifications. ........................................................................................ 10 Section 2B—Combat Delivery Aircraft, Ground Launched and Air Launched Missiles 10 2.3. Higher-Order Language (HOL). ............................................................................ 10 2.4. Hierarchical Design. .............................................................................................. 10 2.5. Fault Detection and Tolerance. .............................................................................. 11 2.6. Fault Response. ...................................................................................................... 11 2.7. Real-Time Software. .............................................................................................. 11 2.8. Responsiveness. ..................................................................................................... 11 2.9. Interrupts. ............................................................................................................... 11 2.10. Idle Operations. ...................................................................................................... 11 2.11. Instruction Alterations. .......................................................................................... 11 2.12. Initialization and Shutdown. .................................................................................. 11 2.13. Memory Characteristics. ........................................................................................ 11 AFI91-119 5 JUNE 2012 3 2.13.5. FPGAs and CPLDs. ............................................................................................... 12 2.14. Validity Checks and Special Code Restrictions. .................................................... 12 2.14.1. Unique Signal Restrictions. ................................................................................... 12 2.14.2. Authorization and Enable Code Restrictions. ........................................................ 12 2.15. Operating System (OS) and Run-Time-Executive (RTE) Development and Procurement. .......................................................................................................... 12 2.15.2. The design of the OS shall have a measureable metric to justify confidence in the design. .................................................................................................................... 12 2.16. Operator Interface. ................................................................................................. 13 2.17. Critical Function Initiation and Entry Checks. ...................................................... 13 2.18. Command and ID Word Format. ........................................................................... 13 2.19. Software Configuration. ......................................................................................... 13 2.20. Hardware/software Interactions. ............................................................................ 13 2.21. Unused Code. ......................................................................................................... 13 2.22. Global Variables. ................................................................................................... 14 2.23. Complex Mechanisms. ........................................................................................... 14 2.24. Unique Aircraft Requirements. .............................................................................. 14 Section 2C—Maintenance, Handling and Storage Facilities 14 2.25. Fault Detection. ...................................................................................................... 14 2.26. Fault Response. ...................................................................................................... 14 2.27. Alarms. ................................................................................................................... 14 2.28. Responsiveness. ..................................................................................................... 14 2.29. Initialization and Shutdown. .................................................................................. 15 2.30. Operator Interface. ................................................................................................. 15 2.31. Hardware/software Interactions. ............................................................................ 15 Section 2D—Test Equipment Software 15 2.32. Automated Test Equipment (ATE). ....................................................................... 15 Chapter 3—EVALUATION CRITERIA FOR NUCLEAR WEAPON SYSTEMS SOFTWARE 16 Section 3A—General Philosophy and Criteria 16 3.1. Evaluation Program. .............................................................................................. 16 3.2. Software Standards Compliance. ........................................................................... 16 Section 3B—Combat Delivery Aircraft, Ground Launched and Air Launched Missiles 16 4 AFI91-119 5 JUNE 2012 3.3. Critical Data Element Analysis. ............................................................................. 16 3.4. Hierarchical Design. .............................................................................................. 16 3.5.