A safety-critical system is a system whose failure or malfunction may result in death or serious injury to people, loss of or severe damage to equipment, environmental harm, or other similarly catastrophic events. For example, an aircraft control system is considered a safety-critical system, since failure of the system may result in the loss of human life and of the aircraft. Various standards, such as the Radio Technical Committee on Aeronautics (RTCA) guidance document DO-178B, entitled “Software Considerations in Airborne Systems and Equipment Certification”, focus on the safety of software used in airborne systems. Other documents, such as DO-254, entitled “Design Assurance Guidance for Airborne Electronic Hardware”, provide guidance for the development of airborne electronic hardware.
In addition to satisfying the safety requirements, airborne systems also need to provide certain security functions. For example, Multi-Level Security (MLS) or Multiple Independent Levels of Security (MILS) functions allow a computer system to process information with different sensitivities (i.e., at different security levels), permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. The Evaluation Assurance Level (EAL 1 through EAL 7) of a computer system is a numerical grade assigned following the completion of a Common Criteria security evaluation. The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented.
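The MLS behaviour described above (users with different clearances and needs-to-know sharing one system, while access to information beyond a user's authorization is refused) is usually implemented as a lattice check over security labels. The following Python is an added illustration, not code from the original document or from any avionics product: it models a label as a hierarchical level plus a set of need-to-know compartments, and applies the two classic Bell-LaPadula rules (no read up, no write down). All level names, compartment names, subjects and objects are constructed for the example.

```python
from dataclasses import dataclass

# Ordered sensitivity levels, lowest to highest (hypothetical names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` and covers all of its compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only what the subject's clearance dominates (no read up)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only to objects that dominate the subject's clearance (no write down)."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, op: str) -> bool:
    """Access decision for a single (subject, object, operation) request."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown operation: {op}")


# Constructed sample subjects (clearances) and objects (classifications).
SUBJECTS = {
    "flight_crew": Label("SECRET", frozenset({"FLIGHT"})),
    "maintenance": Label("CONFIDENTIAL", frozenset({"MAINT"})),
    "mission_ops": Label("TOP_SECRET", frozenset({"FLIGHT", "MISSION"})),
}
OBJECTS = {
    "nav_plan": Label("SECRET", frozenset({"FLIGHT"})),
    "engine_log": Label("CONFIDENTIAL", frozenset({"MAINT"})),
    "mission_orders": Label("TOP_SECRET", frozenset({"MISSION"})),
    "weather": Label("UNCLASSIFIED"),
}


def evaluate(requests):
    """Map each (subject, object, op) request to its allow/deny decision."""
    return {(s, o, op): decide(SUBJECTS[s], OBJECTS[o], op) for s, o, op in requests}


if __name__ == "__main__":
    sample = [
        ("flight_crew", "nav_plan", "read"),        # same level and compartment: allowed
        ("flight_crew", "mission_orders", "read"),  # read up: denied
        ("mission_ops", "engine_log", "read"),      # higher level but no MAINT need-to-know: denied
        ("flight_crew", "weather", "write"),        # write down: denied
        ("maintenance", "engine_log", "write"),     # write at own label: allowed
    ]
    for req, allowed in evaluate(sample).items():
        print(f"{req}: {'ALLOW' if allowed else 'DENY'}")
```

Note that the `mission_ops` subject, despite holding the highest level, is denied the `engine_log` object because it lacks the `MAINT` compartment: the compartment set is what expresses need-to-know independently of the hierarchical level.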
Previously, physically separate, federated systems have been used to handle the safety and security functions. However, due to platform size, weight, and power (SWAP) constraints, new systems may be required to simultaneously perform flight-critical safety functions and high-robustness MLS/MILS functions. In such systems, however, reconciling the allocation of operational requirements between the safety and security domains can be difficult. There is therefore a need for a method and system for reconciling safety-critical and high-assurance security functional requirements between the safety and security domains.