PPRuNe Forums - View Single Post - Chinook - Still Hitting Back 3 (Merged)
Old 23rd Jun 2011, 17:50
tucumseh
 
Join Date: Feb 2003
Location: uk
Posts: 3,225
Quote (Squidlord):

My point is that the paragraph you quoted (I've never seen the document it comes from) does not require/mandate/regulate independent V&V (verification & validation). All it does is say that if (a big if!) independent V&V is required then access to the software must be secured by the MoD ... which is kind of obvious 'cos how else is independent V&V on the software going to be carried out unless access to the software is secured.

DUS(DP)’s policy requires the contents to be incorporated into specifications, invitations to tender (both competitive and non-competitive) and project documentation by the Procurement Executive and its Project Managers (para 0, Introduction). Para A1.1 says “This policy SHALL be adopted by all MoD(PE) branches procuring operational software-based systems”. In turn, this was reflected in Controller Aircraft Instructions, Def Stans and all Airworthiness, Technical and Financial approval delegation and training.

The policy includes a mandated Compliance Matrix to be completed during tendering. There are 29 questions, each reflecting a component of the policy. Two of them apply only to MoD Project Manager (including V&V / Acceptance Criteria), emphasising the Joint nature of the policy. Non-compliant against requirements = no contract.

The relevant Def Stan mandates Independent Validation and Verification for Safety Critical Software. The use of the term “if” in this context merely reflects the fact the policy applies to all software. Safety Critical Software was then addressed in a separate section of the policy and specific Def Stans. “Independent” is defined as being commercially and managerially independent of the Design Team “both to preserve objectivity and to minimise pressure for premature acceptance”. None of the V&V team is permitted to have any other role in the project.

There is a requirement for an Independent Safety Auditor, who can be an independent company or an independent division of the prime contractor.

The MoD PM is also required to appoint an MoD Safety Assurance Authority, usually A&AEE. While at the time part of MoD, the airworthiness delegation chain ensured they were “independent” of the PM.

The regulations are written in such a way as to offer flexibility, while emphasising where independence is required. Who fulfils what role is not mandated, but must be agreed from the outset in the Safety Plan. At that stage, funding is more or less set in concrete. In practice, A&AEE were mandated because, as part of MoD, they were classed as “intramural” and little or no funding was provided to pay anyone else! (In the same way MoD workshops were mandated and paid for separately from the Centre.) Also, because V&V is a system issue. You can do all the Static and Dynamic analysis you like, but the system must be integrated and verified as e.g. DECU > FADEC > Engine > Aircraft etc. (Discuss Boeing's role in this - no-one else does!)

It is at this stage A&AEE come into their own. You can see this independence within A&AEE at work in the correspondence of the day, whereby one division expressed itself reasonably content with Mk2, but those responsible for the SCS condemned it as “positively dangerous”. A&AEE followed the rules – as one component was not sufficiently mature, the whole system (including the aircraft) defaulted to that lower level of maturity. The RAF did not follow these rules.


You could exclude A&AEE from certain roles, but needed to demonstrate adequate financial provision for extramural contracting. In the case of Chinook MLU, it is obvious A&AEE had a wide ranging and pivotal role to provide independent technical advice, V&V tasks and safety assurance. This was entirely normal at the time. It is said “A&AEE only provide advice”, but in practice their signature was mandated before technical/integration maturity and adequate safety could be declared.

A&AEE were the glue holding the process together. Interestingly, the policy requires SCS to be "coded to the satisfaction of RSRE Malvern and subjected to such additional validation and verification as (RSRE Malvern) or the Project Office may determine, to establish safety accreditation of the system”. Note: RSRE could direct this, independently of the project office; an authority vested in them at Ministerial level. (At the time, of course, RSRE were completely independent of A&AEE). In the case of Chinook FADEC, you never see this mentioned when reading the lengthy MoD diatribes against A&AEE. No-one seems to have asked what RSRE thought of the quality of a product with hundreds of problems. One assumes they wouldn’t have signed it off either.

Clearly, others may have a different view born of their own experiences, in part caused by the flexibility the system allows; but I think most would differ only in minor detail from what I describe. For example, I’ve contracted (tasked) DRA Farnborough to do the V&V (e.g. Sonics). Also, the Service themselves, in the form of both Software Support Cells and Operators. I’ve also contracted a Design Custodian to do it (e.g. Nav). However, I have also expressly refused to allow 3rd line workshops to do it, because they did not have the necessary QA certification (AQAP 13 at the time). Much of this is down to engineering judgement.

The bottom line is that both the Project Manager and Safety Assurance Authority must co-sign, for example, the Safety Critical Software Certificate and Certificates of Design. As I said before, as A&AEE had snagged the FADEC software on so many counts, it is inconceivable they contradicted themselves by signing the SCSC; so it follows there is no audit trail to proper V&V or acceptance, meaning there is no proper authorisation to fit this SCS to a Service aircraft (as opposed to the PE Fleet).


Hope this answers your question. I did PM you and was willing to discuss this off-line, so others will please excuse the lengthy reply on what is a broad subject.

