DO-178B, Software Considerations in Airborne Systems and Equipment Certification

DO-178B, Software Considerations in Airborne Systems and Equipment Certification is the title of a document published by RTCA, Incorporated. Development was a joint effort with EUROCAE who publish the document as ED-12B. When specified by the Technical Standard Order (TSO) for which certification is sought, the FAA applies DO-178B as the document it uses for guidance to determine if the software will perform reliably in an airborne environment.[1]



[edit] Software level

The Design Assurance Level (DAL) is determined from the safety assessment process and hazard analysis by examining the effects of a failure condition in the system. The failure conditions are categorized by their effects on the aircraft, crew, and passengers.

  • Catastrophic – Failure may cause a crash.
  • Hazardous – Failure has a large negative impact on safety or performance, or reduces the ability of the crew to operate the aircraft due to physical distress or a higher workload, or causes serious or fatal injuries among the passengers.
  • Major – Failure is significant, but has a lesser impact than a Hazardous failure (for example, leads to passenger discomfort rather than injuries).
  • Minor – Failure is noticeable, but has a lesser impact than a Major failure (for example, causing passenger inconvenience or a routine flight plan change)
  • No Effect – Failure has no impact on safety, aircraft operation, or crew workload.

DO-178B alone is not intended to guarantee software safety aspects. Safety attributes in the design and as implemented as functionality must receive additional safety tasks to show objective evidence of meeting explicit safety requirements.

The number of objectives to be satisfied (eventually with independence) is determined by the software level. The phrase “with independence” refers to a separation of responsibilities where the objectivity of the verification and validation processes is ensured by virtue of their “independence” from the software development team. In some cases, an automated tool may be equivalent to independence[2].

Level Failure condition Objectives With independence
A Catastrophic 66 25
B Hazardous 65 14
C Major 57 2
D Minor 28 2
E No effect 0 0

[edit] Processes and documents

Processes are intended to support the objectives, according to the software level (A through D – Level E is outside the purview of DO-178B). Processes are described as abstract areas of work in DO-178B, and it is up to the planners of a real project to define and document the specifics of how a process will be carried out. On a real project, the actual activities that will be done in the context of a process must be shown to support the objectives. These activities are defined by the project planners as part of the Planning process.

This objective-based nature of DO-178B allows a great deal of flexibility in regard to following different styles of software life cycle. Once an activity within a process has been defined, it is generally expected that the project respect that documented activity within its process. Furthermore, processes (and their concrete activities) must have well defined entry and exit criteria, according to DO-178B, and a project must show that it is respecting those criteria as it performs the activities in the process.

The flexible nature of DO-178B’s processes and entry/exit criteria make it difficult to implement the first time, because these aspects are abstract and there is no “base set” of activities from which to work. The intention of DO-178B was not to be prescriptive. There are many possible and acceptable ways for a real project to define these aspects. This can be difficult the first time a company attempts to develop a civil avionics system under this standard, and has created a niche market for DO-178B training and consulting.

The processes, activities and documents described here reflect naming and structure from DO-178B. This can be different in a real-life project.

[edit] Planning

Output documents from this process:

  • Plan for software aspects of certification (PSAC)
  • Software development plan (SDP)
  • Software verification plan (SVP)
  • Software configuration management plan (SCMP)
  • Software quality assurance plan (SQAP)
  • System requirements
  • Software requirements standards
  • Software design standards (SDS)
  • Software code standards (SCS)

System requirements are typically input to the entire project.

The last 3 documents (standards) are not required for software level D.

[edit] Development

DO-178B is not intended as a software development standard; it is software assurance using a set of tasks to meet objectives and levels of rigor. IEEE/EIA 12207, now ISO 12207 is a widely used software life cycle process development standard. This software process can be divided into sub-processes: requirements, design, code and integration.

The development process output documents:

  • Software requirements data (SRD)
  • Software design description (SDD)
  • Source code
  • Executable object code

Traceability from system requirements to all source code or executable object code is typically required (depending on software level).

Typically used software development process:

[edit] Verification

Document outputs made by this process:

  • Software verification cases and procedures (SVCP)
  • Software verification results (SVR):
    • Review of all requirements, design and code
    • Testing of executable object code
    • Code coverage analysis

Analysis of all code and traceability from tests and results to all requirements is typically required (depending on software level).

This process typically also involves:

  • Requirements based test tools
  • Code coverage analyzer tools

Other names for tests performed in this process can be:

[edit] Configuration management

Documents maintained by the configuration management process:

  • Software configuration index (SCI)
  • Software life cycle environment configuration index (SECI)

This process handles problem reports, changes and related activities. The configuration management process typically provides archive and revision identification of:

  • Source code development environment
  • Other development environments (for e.g. test/analysis tools)
  • Software integration tool
  • All other documents, software and hardware

[edit] Quality assurance

Output documents from the quality assurance process:

  • Software quality assurance records (SQAR)
  • Software conformity review (SCR)
  • Software accomplishment summary (SAS)

This process performs reviews and audits to show compliance with DO-178B. The interface to the certification authority is also handled by the quality assurance process.

[edit] Certification liaison

Typically a Designated Engineering Representative (DER) working for e.g. FAA in an airplane manufacturing company.

[edit] Tools

Software can automate, assist or otherwise handle or help in the DO-178B processes. All tools used for DO-178B development must be part of the certification process. Tools generating embedded code are qualified as development tools, with the same constraints as the embedded code. Tools used to verify the code (simulators, test execution tool, coverage tools, reporting tools, etc.) must be qualified as verification tools, a much lighter process consisting in a comprehensive black box testing of the tool.

A third party tool can be qualified as a verification tool, but development tools must have been developed following the DO-178 process. Companies providing this kind of tools as COTS are subject to audits from the certification authorities, to which they give complete access to source code, specifications and all certification artifacts.

Outside of this scope, output of any used tool must be manually verified by humans.

  • A problem management tool can provide traceability for changes.
  • SCI and SECI can be created from logs in a revision control tool.

[edit] Requirements management

Requirements traceability is concerned with documenting the life of a requirement. It should be possible to trace back to the origin of each requirement and every change made to the requirement should therefore be documented in order to achieve traceability. Even the use of the requirement after the implemented features have been deployed and used should be traceable.

[edit] Criticism

Some software engineers believe that the effects of the RTCA/DO-178b standard may have contributed to unnecessary delays in the delivery of aircraft, such as the Boeing 787.[3]

[edit] Resources

  • FAR Part 23/25 §1301/§1309
  • FAR Part 27/29
  • AC 23/25.1309
  • AC 20-115B
  • RTCA/DO-178B
  • FAA Order 8110.49 Software Approval Guidelines

[edit] See also

[edit] References

  1. ^ FAA Advisory Circular 20-115B
  2. ^ RTCA/DO-178B “Software Considerations in Airborne Systems and Equipment Certification”, p.82
  3. ^ Boeing 787 Dreamliner delay conspiracy theories Design News

[edit] External links

One thought on “DO-178B, Software Considerations in Airborne Systems and Equipment Certification

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s