Who is going to define software/SWAL requirements for particular ATM/ANS system? EASA, ANSP,...?
At this point in time, there are no specific SWAL requirements for ATM/ANS GE, but perhaps it will follow the processes used in airborne certification. SW requirements are not in the standards.
Currently, the SW requirements contained in the general specifications are guidance material. The manufacturer is expected to define the SWAL depending on the function and criticality it supports. However, a declaration of "fit for use" is important.
In the future, EASA may be introducing SW standards used in airworthiness.
In terms of hardware assurance, it is important to highlight that the new framework and the underpinning EASA detailed specifications are built around functionalities and aimed to be agnostic in terms of the architecture of the equipment. No particular architecture is prescribed, leaving it up to the design or production organisation to define the architecture of their product in terms of software, hardware and their integration. The only requirement in terms of hardware introduced by the detailed specifications is that hardware is to be suitable to its intended use, and the hardware architecture should be considered in the assessment of that suitability.
In terms of software, the detailed specifications require software to be designed with an assurance level that is commensurate with the effects of a failure. This is a very common approach in many industries, both in aviation and beyond, and EASA cannot see how this could be very demanding or constrain evolution. No industry standard is introduced as an acceptable means of compliance for software assurance (ED-109 and ED-153 are just mentioned as guidance material, as they are the standards most widely used by the European ATM/ANS industry), and there are no requirements for any software certification.
Did I understand correctly that SWAL assignment and stating that equipment is safe for use is moved to DPOs? I got that impression from previous sessions and disagree since safety (as security) depends on the operational usage of the equipment. What is your opinion?
The SWAL will be developed and declared by the DPO. It is their design choice. It is assumed that the DPOs will perform adequate assessment in order to allocate the appropriate SWAL. The ANSP has to assess if the SWAL declared by the DPO is suitable for the integration they intend to perform.
If the SW DAL of equipment depends on ANSP ATM functions, how do you guarantee that certified/declared equipment will be available with such expected level? Aren't we creating a chicken-and-egg issue?
This is similar to the case of safety objectives; the market will provide products that are demanded by the ANSPs. If an ANSP requests an assurance level for SW that is different from what is broadly used by the industry, it will have to be developed.