ANNEX IRequirements applying to the software assurance level referred to in Article 4(2)

1.The software assurance level shall relate the rigour of the software assurances to the criticality of EATMN software by using the severity classification scheme set out in Section 4 of point 3.2.4 of Annex II to Regulation (EC) No 2096/2005 combined with the likelihood of the occurrence of a certain adverse effect. A minimum of four software assurance levels shall be identified, with software assurance level 1 indicating the most critical level.

2.An allocated software assurance level shall be commensurate with the most severe effect that software malfunctions or failures may cause, as referred to in Section 4 of point 3.2.4 of Annex II to Regulation (EC) No 2096/2005. This shall, in particular, take into account the risks associated with software malfunctions or failures and the architectural and/or procedural defences identified.

3.EATMN software components that cannot be shown to be independent of one another shall be allocated the software assurance level of the most critical of the dependent components.

ANNEX II

Part A:Requirements applying to the software safety requirements validity assurance referred to in Article 4(3)(a)

1.Software safety requirements shall specify the functional behaviour in nominal and downgraded modes, of the EATMN software, timing performances, capacity, accuracy, software resource usage on the target hardware, robustness to abnormal operating conditions and overload tolerance, as appropriate.

2.Software safety requirements shall be complete and correct, and compliant with the system safety requirements.

Part B:Requirements applying to the software verification assurance referred to in Article 4(3)(b)

1.The functional behaviour of the EATMN software, timing performances, capacity, accuracy, software resource usage on the target hardware, robustness to abnormal operating conditions and overload tolerance, shall comply with the software requirements.

2.The EATMN software shall be adequately verified by analysis and/or testing and/or equivalent means, as agreed with the national supervisory authority.

3.The verification of the EATMN software shall be correct and complete.

Part C:Requirements applying to the software configuration management assurances referred to in Article 4(3)(c)

1.Configuration identification, traceability and status accounting shall exist such that the software life cycle data can be shown to be under configuration control throughout the EATMN software life cycle.

2.Problem reporting, tracking and corrective actions shall exist such that safety related problems associated with the software can be shown to have been mitigated.

3.Retrieval and release procedures shall exist such that the software life cycle data can be regenerated and delivered throughout the EATMN software life cycle.

Part D:Requirements applying to the software safety requirements traceability assurances referred to in Article 4(3)(d)

1.Each software safety requirement shall be traced to the same level of design at which its satisfaction is demonstrated.

2.Each software safety requirement, at each level in the design at which its satisfaction is demonstrated, shall be traced to a system safety requirement.