RTCA/DO-178, also known as EUROCAE ED-12, “Software Considerations in Airborne Systems and Equipment Certification”. RTCA is the acronym for Radio Technical Commission for Aeronautics, located at 1828 L Street, NW, Suite 805, Washington, D.C. 20036. RTCA/DO-178 was developed by the commercial avionics industry to establish software guidelines for avionics software developers. The first version, DO-178, covered the basic avionics software lifecycle. The second version, DO-178A, added software criticality level details and emphasized software component testing to obtain quality. DO-178B (1992) introduced the five software levels (A through E) and the objectives-based structure still used today. The current version is DO-178C; it contains objectives and guidance for newer technologies used in development, such as object-oriented analysis and design (OOA/OOD), model-based development (MBD) and formal methods, and it strengthens software configuration management and quality assurance through added planning, continuous quality monitoring, and verification and testing under real-world conditions. Technically, DO-178 is merely a guideline; in practice it is a strict requirement, because certification authorities accept it as the means of compliance for airborne software. At around 100 pages it is broad in nature and requires an in-depth understanding of its intent, voluminous ancillary documentation, and case studies to be applied properly.
DO-254 (also known as DO254 and EUROCAE ED-80) is a formal avionics standard which provides guidance for design assurance of airborne electronic hardware. DO-254 covers project conception, planning, design, implementation, testing and validation, including DO-254 tool qualification considerations. DO-254 and DO-178 are quite similar, both having had major contributions from personnel with formal software process expertise. Today's avionics systems comprise both hardware and software, each having a near-equal effect on airworthiness, and most avionics projects now adhere to DO-254 certification or compliance. Additional information can be found via DO-254 training provided by the DO-254 trainers; for information on DO-254 training options simply contact us.
A DER (Designated Engineering Representative) is an FAA-appointed engineering resource who has the authority to pass judgment on aviation-related design/development. An avionics software Designated Engineering Representative may be appointed to act as a Company DER and/or a Consultant DER. A Company DER acts as a Designated Engineering Representative for his/her employer and may only approve, or recommend approval of, technical data to the FAA for that company. A Consultant DER is an individual appointed to act as an independent consultant to approve, or recommend approval of, technical data to the FAA. Avionics systems and software DERs can be contacted via our network; simply contact us.
RTCA DO-178C is the latest revision of DO-178; work on DO-178C began in 2005 and RTCA published it in December 2011 (the FAA recognized it as an acceptable means of compliance in AC 20-115C in 2013). Our DERs provided input to DO-178C and continue to participate in committee meetings. DO-178C has the following key attributes which differ from, or clarify, DO-178B: clarified treatment of object-oriented technology; formal methods and model-based development; clearer boundaries between system and software processes; more consistency across the software lifecycle; and a restructuring that moves tool qualification and the technology-specific material into companion documents (DO-330 for tool qualification and the supplements DO-331, DO-332 and DO-333), with DO-248C collecting supporting information. Otherwise DO-178C maintains most of the principles of its predecessor. For more information on DO-178C, simply contact us.
DO-178 can add 30-150% to avionics software development costs. In our experience it should add only 25%-40% if sound software engineering plans and approaches are used from the outset. Our team can show how to minimize avionics software development costs.
DO-178 planning requires five plans for every software level (DAL, Design Assurance Level) A through D. These plans must comply with DO-178 and contain specific information. Developing the right level of plans is key to the success of any DO-178 project. The five DO-178 plans are:
1- PSAC: Plan for Software Aspects of Certification
2- SDP: Software Development Plan
3- SVP: Software Verification Plan
4- SQAP: Software Quality Assurance Plan
5- SCMP: Software Configuration Management Plan
If the software level is above Level D (that is, Level C, B or A), the applicant is also required to develop three DO-178 standards, which the plans reference and the reviews enforce:
1- SCS: Software Coding Standard
2- SRS: Software Requirement Standard
3- SDS: Software Design Standard
A budget overrun of 30-100% can result if appropriate steps are not taken during design and development of a project that must comply with DO-178. With expert DO-178 training and FAA training this risk can be greatly reduced. Some of the risks are:
– Incomplete and generic content in the five key DO-178 plans before the corresponding lifecycle processes start
– Missing design/low-level software requirements
– Insufficient checklists for reviews
– Incorrect or incomplete traceability between lifecycle data (requirements, design, code and tests)
– Incomplete structural coverage (decision coverage and MC/DC)
– Missing or improper tool qualification
While DO-178 applies principally to new, custom software, it contains provisions (DO-178C section 12.1, previously developed software) for applying DO-178 to software developed earlier, by reverse engineering the missing lifecycle data while preserving most of the already completed work.
Software development requires many tools, including design tools, code generation tools, compilers/linkers, libraries, test tools and structural coverage tools. DO-178 tool qualification pertains to development and verification tools. A tool needs qualification only when it eliminates, reduces or automates a DO-178 process step and its output is not independently verified; different qualification criteria apply to each tool type, and most tools do NOT need to be qualified (a compiler whose output is fully tested, for instance, does not). When qualification is required, it follows DO-330, a tool-oriented subset of the DO-178 objectives. For information on DO-178 tool qualification, simply contact us.
DO-178 Gap Analysis is an evaluation of your current avionics software engineering process and artifacts as contrasted with those required by DO-178. While DO-178 was principally written to cover original, custom-developed avionics software, it recognizes that previously developed software can be DO-178 certified. In many cases, particularly military avionics software, DO-178 compliance is used instead of DO-178 certification. DO-178 compliance is near-certification but does not require FAA involvement, and several of the formal DO-178 requirements are lessened. DO-178 Gap Analysis is typically performed by trained DO-178 consultants or Designated Engineering Representatives. The resultant DO-178 Gap Analysis Roadmap assesses all of the software processes and artifacts and provides details for filling the gap to meet DO-178 compliance or certification requirements. For information on DO-178 roadmaps and analysis, visit our Gap Analysis page.
The official definition of MC/DC (Modified Condition/Decision Coverage) is: every point of entry and exit in the program has been invoked at least once, every condition in a decision in the program has taken on all possible outcomes at least once, and each condition has been shown to affect that decision's outcome independently. A condition is shown to affect a decision's outcome independently by varying just that condition while holding all other possible conditions fixed. The key to successful, accurate MC/DC testing is to analyze each source code construct for potential MC/DC applicability and then develop sufficient test cases to ensure that each condition in that construct is independently verified per the definition above; for a decision with n conditions this needs at least n+1 test cases rather than the 2^n of exhaustive testing. MC/DC analysis is primarily done with the assistance of structural coverage analysis tools; because the tool's output is used to claim verification credit, the tool itself must be qualified under DO-178/DO-330.
DO-178 dead code is executable (binary) software, or data, that exists as the result of a development error and cannot be executed or used in any operational configuration. Dead code has no requirements: it traces to no software requirement and so performs no required function. DO-178B and DO-178C generally do not allow the presence of dead code; it must be removed (with the effect of the removal analyzed and reverified), and any exception must be justified by analysis. Note that unreferenced variables, or functions which are never called elsewhere in the program, are often discarded by the compiler or linker, depending on optimization and dead-stripping settings; when they are absent from the binary load image they are not dead code per DO-178. If they survive into the image, they are dead code and must be dealt with. From a security standpoint the same review catches unreachable debug or maintenance paths that a linker would otherwise carry into the product.
DO-178 deactivated code is executable (binary) software that by design will not be executed during runtime operations of a particular software version within a particular avionics box; it may however be executed during ground maintenance or special operations, or within a different or future version of the software, configuration or avionics box. Unlike dead code (see above), deactivated code may be left in the baseline, but DO-178 requires that the requirements, design and code be such that it cannot be inadvertently executed, and that the deactivation mechanism itself be verified. Because a deactivated maintenance path still ships in the load image, its activation mechanism (configuration pin, data item, build option) is part of the product's attack surface and must be controlled accordingly. The full set of deactivated code aspects is described in our DO-178 Training.
DO-178 requirements traceability is the correlation of individual requirements to the design, code and test elements that implement and verify each requirement: system requirements to high-level software requirements (HLR), HLR to low-level requirements (LLR), LLR to source code, and test cases to the requirements they verify. Traceability can be many-to-one or one-to-many. It needs to be top-down (requirements to design to code, and requirements to tests), which proves that every requirement has corresponding design elements, source code and tests. It also needs to be bottom-up (tests to requirements, code to design, and design to requirements), which proves that all code, design and test elements are necessary and have requirements which they implement or verify; anything without an upward trace is either a derived requirement that must be documented and fed back to the system safety assessment, or a candidate for dead code. See our traceGEAR for more information on tools for requirements traceability.
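The following is an added example, not code from the original page or from any traceability product; it shows the top-down and bottom-up checks described above (and the dead-code candidates that the bottom-up check surfaces) over a small trace matrix. The requirement identifiers, function names and test names are constructed for illustration.

```python
"""Bidirectional requirements-trace check (added example, not from the page).

The trace matrix below is constructed for illustration; the identifiers
(HLR-*, LLR-*, TC-*, function names) are hypothetical.
"""

# Constructed trace data. Each mapping goes from a lower-level artifact to the
# upper-level artifacts it claims to implement or verify.
HLRS = {"HLR-1", "HLR-2", "HLR-3"}
LLRS = {"LLR-1", "LLR-2", "LLR-3"}
LLR_TO_HLR = {"LLR-1": {"HLR-1"}, "LLR-2": {"HLR-1", "HLR-2"}, "LLR-3": set()}
CODE_TO_LLR = {"alt_filter()": {"LLR-1"}, "ias_limiter()": {"LLR-2"}, "debug_dump()": set()}
TEST_TO_REQ = {"TC-1": {"HLR-1"}, "TC-2": {"LLR-2"}, "TC-3": {"LLR-1", "LLR-9"}}


def _referenced(mapping):
    """All upper-level identifiers referenced anywhere in a trace mapping."""
    return set().union(*mapping.values()) if mapping else set()


def trace_gaps(hlrs, llrs, llr_to_hlr, code_to_llr, test_to_req):
    """Return top-down and bottom-up trace gaps as a dict of sets.

    Top-down gaps are requirements nothing implements or verifies; bottom-up
    gaps are artifacts that implement or verify nothing (candidate dead code,
    undocumented derived requirements, or tests with no requirement).
    """
    known = hlrs | llrs
    return {
        # top-down: every requirement must be refined, coded and tested
        "hlr_without_llr": hlrs - _referenced(llr_to_hlr),
        "llr_without_code": llrs - _referenced(code_to_llr),
        "req_without_test": known - _referenced(test_to_req),
        # bottom-up: every artifact must justify its existence
        "llr_without_hlr": {l for l, h in llr_to_hlr.items() if not h},   # derived reqs -> safety assessment
        "code_without_llr": {c for c, l in code_to_llr.items() if not l},  # dead/deactivated code candidates
        "test_without_req": {t for t, r in test_to_req.items() if not r},
        # references to identifiers that do not exist in the baseline
        "dangling_refs": (_referenced(llr_to_hlr) | _referenced(code_to_llr)
                          | _referenced(test_to_req)) - known,
    }


if __name__ == "__main__":
    for kind, items in trace_gaps(HLRS, LLRS, LLR_TO_HLR, CODE_TO_LLR, TEST_TO_REQ).items():
        print(f"{kind:18s} {sorted(items) or 'none'}")
```

On the constructed data the check reports HLR-3 with no low-level requirement, LLR-3 with no parent requirement and no code (either a derived requirement to document or an error), debug_dump() with no requirement (a dead-code candidate that must be removed or justified as deactivated), and TC-3 referencing the non-existent LLR-9. A real project runs the same logic over the exported trace data of its requirements tool rather than over literals.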
High-level languages (as opposed to assembly) are strongly preferred because they make the attributes DO-178 emphasizes easier to achieve and to review: code consistency, visibility, determinism, defensive coding, robustness, requirements and design traceability, software peer reviews per detailed checklists, and thorough testing via structural coverage and real-world asynchronous testing.
Per the above, avionics code is best written in Ada, C or C++. With any language, a safe subset should be used and defined in the Software Coding Standard (for example MISRA C for C, or the SPARK subset of Ada); the subset removes constructs whose behavior is undefined or non-deterministic and that defeat structural coverage analysis. Ada was the former de facto avionics language standard, and Ada 95 improved its object-oriented capabilities. However, the tide is behind C and C++, not because of inherent superiority, but because of the wider availability of development tools and of engineers able to develop real-time embedded C and C++.
DO-178 requires configuration management of all software lifecycle data, including requirements, design, code, tests, documentation, etc. However, DO-178 does not require specific tools, not even for avionics configuration management. Hence avionics configuration management can be performed manually and even via a purely paper-based system. Virtually all avionics and DO-178 software projects, however, are better served by a configuration management tool. Simple tools (free or low-cost: $0 – $200/user) provide basic software version control, check-in/check-out and document management. Higher-cost tools provide more automation of the required DO-178 configuration management processes, including problem tracking, version branching, reviews/statusing, metrics, etc. No commercially available CM tool known to us, however, performs all of the required DO-178 configuration management process steps. In particular, data security, offsite backups, peer review of each change, and ensuring that no unwarranted changes were made are all DO-178 configuration management process steps that are typically performed outside the scope of the CM tool; access control on the repository and an audit trail of who changed what are what make the "no unwarranted changes" claim defensible. For more information on DO-178 software tool recommendations, simply contact us.
Checklists are used to ascertain and track DO-178 compliance. You can obtain complete DO-178 checklists from ConsuNova Compliant Checklists or visit certGEAR to purchase DO-178 checklists individually.
DO-178 independence is the attribute of separate development and review authority applied to different DO-178 lifecycle process steps. Development refers to origination of a DO-178 required artifact (requirements, design, code, test, etc.). Review authority refers to an individual tasked with the required DO-178 compliance review of that artifact, who must not be the person who produced it. The Annex A tables at the back of DO-178 describe which artifacts must be reviewed and cite the level of independence to be applied to each review (in the tables a filled circle marks an objective that must be satisfied with independence). These independence levels are dictated by the software level. Additional information, practical examples and case studies are provided via DO-178 training.
There are five DO-178 criticality levels (software levels), with Level A being the most critical and Level E the least. The software level is based upon the contribution of the associated software to potential failure conditions. The failure conditions are determined by the system safety assessment process (per ARP4754/ARP4761), and the resulting levels are agreed with the certification authority. Each avionics system has one defined level; however different components within that system can have differing levels, subject to partitioning and other guidelines. The higher the software level, the greater the amount of software development and verification effort required. Our DO-178 Training provides additional details on software levels and how to determine, apply and optimize them.
DO-178 Level A software is software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a catastrophic failure condition for the aircraft, one that would prevent continued safe flight and landing. Failure of Level A software is typified by multiple fatalities, usually with loss of the aircraft.
DO-178 Level B software is software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a hazardous/severe-major failure condition for the aircraft. Failure of Level B software is typified by a large reduction in safety margins, physical distress or a workload that prevents the crew from performing their tasks accurately, or serious or fatal injury to a small number of occupants.
DO-178 Level C software is software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a major failure condition for the aircraft. Failure of Level C software is typified by a significant reduction in safety margins, a significant increase in crew workload, or discomfort to occupants possibly including injuries.
DO-178 Level D software is software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function resulting in a minor failure condition for the aircraft. Failure of Level D software is typified by a slight reduction in safety margins, a slight increase in crew workload, or some inconvenience to occupants.
DO-178 Level E software is software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system function with no effect on aircraft operational capability or pilot workload. Failure of Level E software has no impact on passenger or aircraft safety, and DO-178 imposes no objectives on it. By our estimate approximately 10% of avionics systems and 5% of avionics software code fall under Level E; the amount of Level E source code is increasing due to passenger entertainment and internet communications subsystems that are currently designated Level E, and we consider it likely that the levels of these systems will rise as they become integrated with other, more critical, avionics systems.
For the construction and certification of airborne software, the tools used to build and verify it may need to be qualified. Tool qualification is the process of gaining confidence that a tool can be relied upon where its output is not otherwise verified; whether qualification is needed at all is decided first, against three criteria. Criteria 1: development tools whose output is part of the airborne software and so could insert an error (for example code generators). Criteria 2: tools that automate verification activities and whose output is used to justify eliminating or reducing verification or development activities other than the one automated. Criteria 3: tools that, within the scope of their intended use, could fail to detect an error (most test and structural coverage tools). A tool meeting one of these criteria and eliminating, reducing or automating a DO-178 process step must be qualified. Details are provided in DO-178 Training courses.
Depending on the tool criteria and the software level of the application, the tool is qualified to one of the five Tool Qualification Levels introduced with DO-178C, TQL-1 (most rigorous) to TQL-5 (least). DO-178C Table 12-1 assigns them: Criteria 1 tools need TQL-1, 2, 3 or 4 for software Levels A, B, C or D respectively; Criteria 2 tools need TQL-4 for Levels A and B and TQL-5 for Levels C and D; Criteria 3 tools need TQL-5 at every level. The DO-178C approach also distinguishes the responsibilities of the Tool User and the Tool Developer, and DO-330, the tool qualification document, provides objectives for each TQL for both. For more information simply contact us.
RTCA/DO-178 structural coverage requirements pertain to proof that the requirements-based test cases fully exercised the applicable software structures (statements, decisions and conditions). Structural coverage is not required for Level E and Level D software; it is required in increasing degrees for Level C, Level B and Level A, and the criteria are cumulative. Statement coverage is required for Level C; this requires each source statement to be executed by a formal test case. Decision coverage is required for Level B; this requires every decision (branch) to have taken both the true and the false outcome. Modified condition/decision coverage (MC/DC) is required for Level A; this requires each condition within each decision to be shown to independently affect that decision's outcome. Levels A through C also require coverage analysis of the data coupling and control coupling between components, and Level A additionally requires that the object code be traceable to the source, with any object code the compiler adds (such as inserted branches) separately verified. Coverage gaps must be resolved by adding requirements-based tests, by removing dead code, or by justifying deactivated code, never by writing tests that exercise code for which no requirement exists. Structural coverage is complex and a primary cost driver on avionics projects. Structural coverage tools exist from many vendors to assist in verification. We can provide detailed DO-178 structural coverage seminars, tools and training programs; for more information simply contact us.
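The difference between decision coverage and MC/DC, as defined in the MC/DC section above and in the coverage levels just described, is easiest to see on a concrete decision. The following is an added example, not code from the original page or from any coverage tool; the decision `(wow and not fast) or ovr` is a constructed interlock (weight on wheels, airspeed above threshold, maintenance override) chosen only to have three conditions. The code checks a test set for decision coverage, finds the independence pair for each condition (unique-cause MC/DC), and searches for a smallest MC/DC-adequate test set.

```python
"""Decision coverage vs. MC/DC for one boolean decision (added example).

The decision below is a constructed interlock, not code from any real
avionics product: (wow and not fast) or ovr, where wow = weight on wheels,
fast = airspeed above a threshold, ovr = maintenance override.
"""
from itertools import combinations, product


def interlock(wow, fast, ovr):
    """Constructed decision with three conditions."""
    return (wow and not fast) or ovr


CONDS = ("wow", "fast", "ovr")


def outcome(decision, test):
    """Evaluate the decision for one test, a dict of condition -> bool."""
    return bool(decision(**test))


def decision_coverage(decision, tests):
    """Decision coverage (Level B): the decision has taken both outcomes."""
    return {outcome(decision, t) for t in tests} == {True, False}


def independence_pairs(decision, conds, tests):
    """Unique-cause MC/DC: for each condition, find two tests that differ only
    in that condition and produce different decision outcomes."""
    pairs = {}
    for c in conds:
        pairs[c] = None
        for a, b in combinations(tests, 2):
            if (a[c] != b[c]
                    and all(a[o] == b[o] for o in conds if o != c)
                    and outcome(decision, a) != outcome(decision, b)):
                pairs[c] = (a, b)
                break
    return pairs


def mcdc_satisfied(decision, conds, tests):
    """MC/DC (Level A): every condition has an independence pair in the set."""
    return all(p is not None for p in independence_pairs(decision, conds, tests).values())


def minimal_mcdc_set(decision, conds):
    """Smallest test set achieving MC/DC, by exhaustive search over the 2^n
    possible tests; n+1 tests is the lower bound for unique-cause MC/DC."""
    universe = [dict(zip(conds, bits)) for bits in product((False, True), repeat=len(conds))]
    for size in range(len(conds) + 1, len(universe) + 1):
        for subset in combinations(universe, size):
            if mcdc_satisfied(decision, conds, subset):
                return list(subset)
    return None  # no unique-cause MC/DC set exists (coupled conditions)


if __name__ == "__main__":
    two_tests = [dict(wow=True, fast=False, ovr=False), dict(wow=False, fast=False, ovr=False)]
    print("decision coverage with 2 tests:", decision_coverage(interlock, two_tests))
    print("MC/DC with 2 tests:", mcdc_satisfied(interlock, CONDS, two_tests))
    for t in minimal_mcdc_set(interlock, CONDS):
        print(t, "->", outcome(interlock, t))
```

Two tests are enough for decision coverage of this interlock but leave `fast` and `ovr` unexercised as independent causes; MC/DC needs four tests (n+1 for n=3) instead of the eight of exhaustive testing. For a real code base the search would be driven by the coverage tool's per-condition data rather than by a Python model of the decision, but the pass/fail rule is the same one this block applies.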
DO-178 certifiability is the designation of an avionics software component as meeting a defined subset of the DO-178 certification requirements, with the remaining certification requirements to be achieved subsequently as part of a system. DO-178 certification pertains to individual systems and hence requires all software components of a system to be completed, with each component and the system fully meeting all DO-178 requirements. However, in the absence of a completed system, an individual software component (RTOS, graphics library, communications protocol stack, etc.) can be designated certifiable by subjecting that component to all DO-178 requirements that apply to it in isolation. Ask our experts to provide DO-178 certifiability gap analysis/roadmaps and DO-178 certifiability kits to enable software component developers to achieve DO-178 certifiability of their products; simply contact us.
DO-178 as applied to UAVs/UAS and military aircraft is a subset of DO-178. Until recently, aerospace and military software standards emphasized documentation consistency and process maturity (SEI CMM and CMMI) rather than the lifecycle attributes that DO-178 associates with software safety. Most military programs have gradually adopted DO-178 to emulate the commercial aviation industry. However, military DO-178 does not require FAA or Designated Engineering Representative involvement, and certain DO-178 objectives may not apply. Many UAV/UAS projects have taken a similar step (even though the rules for UAV/UAS may be clarified by the DOT and the FAA in the near future). The resultant process is thus called DO-178 compliance rather than DO-178 certification. Our experts provide military DO-178 compliance training, templates and compliance kits; simply contact us.
Please contact us for additional information on DO-178 certifiable products and RTOSs from our team and experts.
Please contact us for additional information on DO-178 Software Safety, Avionics ARP-4761, ARP-4754, failure modes effect analysis (FMEA), Safety Assessments, and Functional Hazard Analysis (FHA); see our ARP-4754 and ARP-4761 Training and Services.
ARINC 653 (Avionics Application Standard Software Interface) is a software specification for space and time partitioning in safety-critical avionics real-time operating systems. It allows multiple applications of different software levels to be hosted on the same hardware within an Integrated Modular Avionics (IMA) architecture: each partition gets its own memory region and fixed windows of CPU time in a repeating major frame, so a fault (or compromise) in a lower-level partition cannot corrupt the memory or consume the time budget of a higher-level one. The partition boundary is therefore the isolation and least-privilege mechanism on which mixed-level IMA systems depend, and the partition schedule is configuration data that must be verified like any other. Please contact our FAA DER Team for additional information on ARINC 653.
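As an added example (not code from the page, and not an ARINC 653 implementation), the block below checks the kind of time-partition schedule an ARINC 653 module schedule declares: a major frame, a period per partition, and CPU windows placed within the frame. The partition names, periods and windows are constructed; the checks are the ones whose violation would break temporal isolation (overlapping windows, a partition starved in one of its periods, a period that does not divide the major frame). Per-window duration budgets are not modelled.

```python
"""Time-partition schedule check modelled on an ARINC 653 module schedule
(added example; the partition names, periods and windows are constructed).

A module schedule repeats every major frame; each partition declares a period
and is given one or more windows of CPU time within the frame.
"""

MAJOR_FRAME_MS = 100

# Constructed partition table: period in ms (must divide the major frame).
PERIODS_MS = {"FlightControl": 50, "Display": 100, "Maintenance": 100}

# Constructed window table: (partition, start_ms, duration_ms) within the frame.
WINDOWS = [
    ("FlightControl", 0, 20),
    ("Display", 20, 10),
    ("FlightControl", 50, 20),
    ("Maintenance", 70, 10),
]


def validate_schedule(major_frame, periods, windows):
    """Return a list of configuration errors; an empty list means the schedule
    is consistent. Idle gaps in the frame are allowed."""
    errors = []
    for part, start, dur in windows:
        if part not in periods:
            errors.append(f"{part}: window for undeclared partition")
        if dur <= 0 or start < 0 or start + dur > major_frame:
            errors.append(f"{part}: window [{start}, {start + dur}) outside major frame")
    # windows must not overlap: exactly one partition owns the CPU at any instant
    ordered = sorted(windows, key=lambda w: w[1])
    for (p1, s1, d1), (p2, s2, _) in zip(ordered, ordered[1:]):
        if s1 + d1 > s2:
            errors.append(f"{p1} and {p2}: windows overlap at {s2} ms")
    # every partition must be scheduled in every one of its periods
    for part, period in periods.items():
        if period <= 0 or major_frame % period:
            errors.append(f"{part}: period {period} ms does not divide major frame")
            continue
        for k in range(major_frame // period):
            lo, hi = k * period, (k + 1) * period
            if not any(p == part and lo <= s < hi for p, s, _ in windows):
                errors.append(f"{part}: no window in period slot [{lo}, {hi}) ms")
    return errors


if __name__ == "__main__":
    print("valid schedule:", validate_schedule(MAJOR_FRAME_MS, PERIODS_MS, WINDOWS) or "OK")
    # constructed error: a second Maintenance window that collides with two others
    clash = WINDOWS + [("Maintenance", 15, 10)]
    for err in validate_schedule(MAJOR_FRAME_MS, PERIODS_MS, clash):
        print("error:", err)
```

The constructed schedule passes; adding a Maintenance window at 15 ms produces two overlap errors (against FlightControl and Display), which is the situation a lower-level partition would need to create to steal time from a higher-level one. Running a check like this on the generated configuration, and keeping that configuration under the same configuration management and review as source code, is how the partitioning claim gets evidence behind it.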
Unmanned Aircraft Systems (UAS), also known as Unmanned Aerial Vehicles (UAV), are quickly becoming a fact of life. Not only has the military expanded their use; the civilian sector is now developing UAS for missions ranging from agriculture to law enforcement to search and rescue, without risking lives and injury. Congress directed the FAA to integrate civil UAS into the national airspace by late 2015, and the FAA is working on guidance for their use in civilian airspace. Please contact our FAA DER team for additional information on UAV certification per DO-178.
The FAA Job Aid assists engineers and inspectors in working together to perform a software review prior to certification. The goal of the software review is to assess whether or not the software developed for a project complies with the objectives of RTCA DO-178, Software Considerations in Airborne Systems and Equipment Certification.
DO-331, Model-Based Development and Verification Supplement to DO-178C and DO-278A, provides opportunities for increased system and software development efficiency. The supplement provides a framework that can support almost any modeling approach while maintaining compatibility with DO-178C. Many aspects that needed attention are addressed, including models used as specifications (HLRs or LLRs), use of model simulation for certification credit, use of auto-code generators and qualified auto-code generators, and more.
Object-oriented technology (OOT) is widely used and is supported by a range of programming languages including C++, Java and Ada. The concern has been the complexity of verifying software that uses OOT elements such as inheritance, polymorphism and dynamic binding. DO-332, the DO-178C supplement on Object-Oriented Technology and Related Techniques, analyzes the issues raised by object orientation in safety-critical software and supplies guidance to deal with them. An important new objective of DO-332 is Local Type Consistency Verification, which applies the Liskov Substitution Principle (a subtype must be usable wherever its parent type is expected without changing the expected behavior) and addresses some of the key certification challenges raised by dynamic dispatch.
In computer science, specifically software engineering and hardware engineering, formal methods are mathematically based techniques for the specification, development and verification of software and hardware systems. Their use for software and hardware design is motivated by the expectation that, as in other engineering disciplines, performing appropriate mathematical analysis contributes to the reliability and robustness of a design. DO-333, Formal Methods Supplement to DO-178C and DO-278A, provides guidance for software developers wishing to use formal methods in the certification of airborne systems and air traffic management systems. The supplement identifies the modifications and additions to DO-178C and DO-278A objectives, activities and software lifecycle data that should be addressed when formal methods are used as part of the software development process, for example when a proof replaces requirements-based testing for a given set of low-level requirements.