Dependability of Software of Unknown Pedigree: Case studies on unmanned aircraft systems

The use of Software of Unknown Pedigree (SOUP) in aviation systems presents uncertainty about its dependability to perform a critical function safely and securely. While some industries have established policies and best practices regarding the use of SOUP in safety-critical applications, these best practices have yet to be fully integrated in aviation. For this paper, we consider SOUP to refer to either a software item that is already developed and generally available but was not developed specifically for use in aviation, or a software item for which adequate records of the development processes are not available. In the previous phase of our research, we proposed a framework for evaluating the use of SOUP as part of a safety-critical aviation application by reviewing best practices from six industry domains (medical, nuclear, rail, space, aviation, and software security) and distilling these best practices into 45 specific tasks. We grouped these tasks into six categories to form a framework for assessing dependability of SOUP. In the current phase of our research, we have partnered with small unmanned aircraft system (sUAS) manufacturers to evaluate our framework in real world case studies. In this paper, we focus on the lessons learned on the dependability of SOUP from these partnerships in applying the framework to sUAS. We discuss improvements that were made to the framework as a result of these interactions. Additionally, we describe the way forward for transitioning this research to the aviation standards community.