top of page
Avionyx Frequently Asked Questions (FAQs): Navigating DO-178 & DO-254 Software Engineering Solutions
Quickly find answers with our search feature or email sales@avionyx.com for a free consultation.
DO-178C, also known as "Software Considerations in Airborne Systems and Equipment Certification," is the current standard for the development of aviation software systems. It's an update to DO-178B, providing guidelines to ensure that the software will perform its intended function under all foreseeable conditions, without introducing any unacceptable risks to the aircraft's operation. DO-178C is recognized globally and is used by the Federal Aviation Administration (FAA), the European Union Aviation Safety Agency (EASA), and other regulatory bodies to approve commercial software-based aerospace systems.
DO-178C outlines a series of objectives for software lifecycle processes, including requirements, design, coding, integration, and testing, along with guidance on how to meet these objectives. The standard categorizes software according to its criticality levels, from Level E (no effect on safety) to Level A (catastrophic effect on safety), with the stringency of the required evidence for certification increasing with the level of criticality.
The update from DO-178B to DO-178C included the addition of supplements to address modern software development methodologies and technologies, such as model-based development and verification (MBDV), object-oriented technology (OOT), and formal methods. These supplements provide guidance on how to apply these technologies within the framework of DO-178C to achieve compliance.
Avionyx provides a team of experts skilled in DO-178C, committed to helping your company bring its product to market. They offer flexible working arrangements to meet your needs, including staff augmentation or a complete turn-key solution for the certification of your software and hardware.
DO-254, formally known as "Design Assurance Guidance for Airborne Electronic Hardware," is a standard that provides guidance for the development of airborne electronic hardware to ensure it performs its intended function under all foreseeable conditions, without introducing unacceptable risks. It's analogous to DO-178C, which is focused on software, but DO-254 specifically targets complex electronic hardware, including components such as integrated circuits, field-programmable gate arrays (FPGAs), and application-specific integrated circuits (ASICs).
Issued by the Radio Technical Commission for Aeronautics (RTCA) and recognized by regulatory bodies like the Federal Aviation Administration (FAA) and the European Union Aviation Safety Agency (EASA), DO-254 is the industry standard for certification of commercial avionic systems where the hardware plays a critical role in ensuring flight safety.
DO-254 outlines a rigorous hardware development process that includes requirements capture, design, implementation, integration, verification, validation, and configuration management. Similar to DO-178C, it categorizes hardware according to criticality levels, from Level E (no effect on safety) to Level A (catastrophic effect on safety), with the level of rigor and documentation required for certification increasing with the level of criticality.
The standard emphasizes the importance of traceability, from requirements through to the final product, and requires that both the development process and the hardware itself are subjected to a thorough verification and validation process to detect and rectify any errors that could affect the safety or reliability of the system.
The adoption of DO-178C brings with it additional costs that are associated with the increased rigor and the introduction of new technologies and methods for software development and verification. These costs can be significant but are necessary for ensuring that airborne software systems meet the highest safety and reliability standards. Here are some of the key areas where added costs may arise:
1. Training and Skill Development: Teams must be trained in the specifics of DO-178C, including understanding the new supplements for model-based development and verification (MBDV), object-oriented technology (OOT), and formal methods. This training is essential for ensuring that all team members are proficient in the latest standards and methodologies.
2. Tool Qualification: DO-178C has stringent requirements for tool qualification. Tools used in the development and verification process may need to be qualified if they can introduce errors into the software or if they are used to eliminate or reduce the need for manual verification activities. The process of qualifying these tools can be time-consuming and costly.
3. Increased Documentation: DO-178C requires comprehensive documentation to demonstrate compliance with its objectives. This documentation includes plans, standards, and records for all phases of the software development lifecycle. Producing, maintaining, and reviewing this documentation can significantly increase project costs.
4. Enhanced Verification Activities: The emphasis on enhanced verification techniques, including the use of formal methods and advanced testing strategies, can lead to increased costs. These methods often require specialized tools and expertise, and the effort to thoroughly verify the software according to DO-178C standards can be substantial.
5. Supplement Integration: Incorporating the guidance from the DO-178C supplements for MBDV, OOT, and formal methods can add complexity and cost to projects. These supplements demand additional rigor and evidence of compliance, which can increase development and verification efforts.
6. Certification Liaison: Engaging with certification authorities early and throughout the project is crucial for success under DO-178C. The costs associated with certification liaison activities, including pre-certification meetings, stage of involvement (SOI) audits, and the resolution of certification issues, can be significant.
Despite these added costs, the benefits of complying with DO-178C, including enhanced safety, reliability, and a clear path to certification for aviation software products, often outweigh the initial investment. Additionally, the adoption of DO-178C aligns with industry best practices and can lead to improvements in software quality and development efficiency over time.
DO-178C certification involves complex processes and rigorous standards to ensure that airborne software systems meet the highest levels of safety and reliability. However, several common risks can impact the success of a certification effort. Identifying and mitigating these risks early in the development process is crucial. Here are some of the common DO-178C certification risks:
1. Inadequate Planning and Requirements Management: Poorly defined or changing requirements can lead to significant project delays and increased costs. It's crucial to establish clear, traceable, and stable requirements early in the project and to manage changes rigorously to avoid rework and certification issues.
2. Insufficient Traceability: DO-178C demands traceability from requirements through to the implementation and testing. Inadequate traceability can lead to difficulties in demonstrating that all requirements have been correctly implemented and verified, potentially leading to certification delays.
3. Underestimation of Verification Efforts: Verification activities, including reviews, analyses, and testing, are often more time-consuming and resource-intensive than anticipated. Underestimating these efforts can lead to project overruns and challenges in meeting certification deadlines.
4. Tool Qualification Overlooked: The use of software tools in the development and verification process requires careful consideration under DO-178C. Failure to properly qualify tools that automate or reduce manual verification efforts can lead to certification risks.
5. Lack of Experienced Personnel: DO-178C projects require a team with specialized knowledge and experience in aviation software development and certification. A lack of experienced personnel can lead to misunderstandings of the standard's requirements and increased risk of non-compliance.
6. Inadequate Configuration Management: Effective configuration management is essential to ensure that all software artifacts are correctly identified, controlled, and available for audits. Poor configuration management practices can result in the inability to reproduce and verify previous work, impacting certification.
7. Integration and Certification Challenges: Integrating software components and ensuring they work as intended in the target hardware environment can reveal issues late in the development cycle. Early and continuous integration testing is vital to mitigate these risks.
8. Communication with Certification Authorities: Miscommunication or lack of engagement with certification authorities (such as the FAA or EASA) can lead to misunderstandings about compliance requirements. Regular communication and agreement on compliance demonstration methods are critical to avoid last-minute surprises.
To mitigate these risks, it's essential to have a well-defined process that aligns with DO-178C requirements, invest in training and tool qualification, ensure rigorous project management and quality assurance practices, and maintain open lines of communication with all stakeholders, including certification authorities.
Contact Avionyx sales department at sales@avionyx.com (mailto:sales@avionyx.com)to request a meeting with our DO-178C experts.
Yes, DO-178C reverse engineering can be applied to existing software, especially in scenarios where legacy systems need to be certified under current standards or when the original design documentation is incomplete, outdated, or missing. This process involves analyzing the existing software system to create or reconstruct the required DO-178C documentation and evidence for certification. The goal is to ensure that the software meets the safety standards and objectives outlined in DO-178C, even if it was not originally developed with this standard in mind.
Applying reverse engineering for DO-178C compliance involves several key steps:
1. Source Code Analysis: This involves a detailed examination of the existing source code to understand the software's architecture, functionality, and interfaces. Tools and manual review processes are used to map out the software structure and identify any areas that may not meet DO-178C requirements.
2. Requirements Extraction: If the original software requirements are missing or incomplete, it may be necessary to extract or infer requirements from the existing source code and operational behavior. This step is crucial for establishing a baseline for further verification and validation activities.
3. Documentation Reconstruction: Based on the analysis of the source code and extracted requirements, documentation such as Software Requirements Data (SRD), Software Design Description (SDD), and others need to be created or updated to meet DO-178C standards. This documentation will support the certification process by providing evidence of compliance with the standard's objectives.
4. Verification and Validation (V&V): The software must undergo rigorous V&V activities to ensure it meets the extracted requirements and adheres to DO-178C safety objectives. This includes both dynamic testing and static analysis to cover all aspects of software functionality and performance.
5. Tool Qualification: If tools are used in the reverse engineering process, especially for automated V&V activities, they may need to be qualified under DO-178C. This ensures that the tools are reliable and capable of producing the required evidence for certification.
6. Certification Liaison: Engaging with certification authorities early in the reverse engineering process is crucial. It's important to agree on the approach for demonstrating compliance and to ensure that the methods used for reverse engineering and reconstructing documentation are acceptable.
Reverse engineering for DO-178C compliance is often more challenging and time-consuming than developing new software under the standard due to the need to infer or reconstruct missing information. However, it is a viable approach for updating legacy systems to meet current safety standards and extending their operational life in compliance with regulatory requirements.
DO-330, titled "Software Tool Qualification Considerations," is a supplement to DO-178C that provides the guidelines for the qualification of software development and verification tools used in the production of airborne systems and equipment. Tool qualification is a critical aspect of complying with DO-178C because it ensures that the tools used in the software development lifecycle do not introduce errors into the software or fail to detect errors that are present.
DO-330 defines the criteria for when a tool needs to be qualified, the process for tool qualification, and the documentation required to demonstrate that a tool is qualified. The necessity for tool qualification under DO-178C/DO-330 depends on the tool's use and impact on the airborne software and its certification:
1. Tool Classification: Tools are classified based on their impact on the product's airborne software and the software lifecycle processes. The classification determines the level of rigor required for tool qualification.
• TQL-1 (Tool Qualification Level 1): Tools whose output is part of the airborne software and for which there are no methods to independently verify the output. These tools require the highest level of qualification rigor.
• TQL-2: Tools that verify the output of the software lifecycle process but do not directly contribute to the airborne software's executable code. If these tools fail to detect an error, it could impact the safety of the software.
• TQL-3: Tools used to automate tasks within the software lifecycle process that could introduce errors if they fail to perform as intended.
• TQL-4: Tools that have no impact on the airborne software or the development and verification processes and thus do not require qualification.
2. Qualification Process: The qualification process involves demonstrating that the tool performs its intended functions correctly and consistently under all specified conditions. This typically includes:
• Tool Operational Requirements (TOR): Defining the tool's intended use and operational requirements.
• Tool Planning Data: Outlining the tool qualification plan, including the activities and methods to be used for qualification.
• Tool Accomplishment Summary: Providing evidence that the tool meets its requirements, typically through testing and analysis.
• Tool Qualification Data: Documenting the results of the qualification activities, including test results and analysis that demonstrate the tool's suitability for its intended use.
3. Documentation: Proper documentation is crucial for tool qualification, providing evidence that the tool performs as required and does not adversely affect the airborne software's safety and reliability. The documentation should detail the tool's intended use, the qualification criteria, the testing and analysis performed, and the results of these activities.
Tool qualification per DO-330 is essential for ensuring that software tools used in the development and verification of airborne systems under DO-178C do not compromise the quality or safety of the software. By rigorously qualifying these tools, organizations can ensure compliance with DO-178C and contribute to the overall safety and reliability of airborne systems.
A DO-178C Gap Analysis is a systematic review process aimed at identifying differences (or "gaps") between the current practices and artifacts of a software development project and the requirements specified in DO-178C, the standard for the development of airborne systems and equipment software. This analysis is critical for projects transitioning from previous standards or methodologies to DO-178C, as well as for projects that started under DO-178C but need to ensure ongoing compliance throughout the software development lifecycle.
The primary objectives of a DO-178C Gap Analysis include:
1. Identifying Non-Compliances: Determine areas where current software development processes, practices, or outputs do not meet the specific objectives and requirements of DO-178C.
2. Assessing Existing Documentation and Artifacts: Evaluate the completeness, adequacy, and appropriateness of existing documentation and development artifacts against DO-178C's standards for traceability, verification, and validation requirements.
3. Highlighting Process Deficiencies: Identify any deficiencies or weaknesses in the current software development and verification processes that could impact the ability to comply with DO-178C.
4. Recommending Remedial Actions: Provide specific recommendations for addressing identified gaps, including changes to processes, additional documentation, or further verification activities to ensure compliance.
5. Planning for Compliance: Assist in creating a detailed plan to address the gaps, including timelines, resources needed, and prioritization of actions based on the criticality of compliance issues.
6.
A DO-178C Gap Analysis typically involves the following steps:
• Review of DO-178C Objectives: Start with a thorough understanding of DO-178C's objectives for each level of software criticality (Levels A through E).
• Assessment of Current State: Evaluate current project documentation, processes, and artifacts. This includes reviewing software requirements, design, coding standards, verification plans and results, configuration management practices, and quality assurance procedures.
• Gap Identification: Compare the current state against DO-178C requirements to identify gaps. This involves checking for completeness, accuracy, and appropriateness of the development artifacts and processes.
• Impact Analysis: Assess the impact of identified gaps on project timelines, costs, and risks to certification.
• Remediation Plan Development: Develop a plan to address identified gaps, including corrective actions, responsible parties, and timelines.
Conducting a DO-178C Gap Analysis is a critical early step for projects facing DO-178C certification. It helps to ensure that efforts are correctly aligned with the standard's requirements, ultimately facilitating a smoother certification process and reducing the risk of costly rework or project delays.
MC/DC stands for Modified Condition/Decision Coverage. It is a software testing criterion that is particularly important in the context of safety-critical software, such as that governed by DO-178C for airborne systems. MC/DC aims to ensure a thorough testing of the logic in software programs, specifically targeting the decision-making logic to ensure that all parts of a decision have been tested and that each one can independently affect the outcome of the decision.
Under MC/DC, each condition in a decision must be shown to independently affect the decision's outcome. This means that for a given decision comprised of multiple conditions, the tests must cover:
1. Every possible outcome of the decision (true and false).
2. Each condition within a decision changes the outcome of the decision by itself while the other conditions remain fixed, demonstrating the condition's ability to independently affect the overall decision.
The importance of MC/DC stems from its ability to uncover errors in the logic and execution paths through the software that might not be detected by less rigorous testing methods. By ensuring that every condition within a decision has been individually tested to influence the decision's outcome, MC/DC helps in identifying and correcting subtle logic errors that could lead to software failures.
Implementing MC/DC testing is more rigorous and demanding than simpler coverage criteria, such as statement coverage or branch coverage, because it requires a more detailed understanding of the software's logic and more sophisticated test cases. However, this level of rigor is considered necessary for high-integrity systems where software failures could result in catastrophic outcomes, such as loss of life or significant property damage.
In the context of DO-178C, achieving MC/DC is a requirement for software at Level A, where failure could lead to catastrophic failure conditions for the aircraft. It may also be applicable to certain aspects of Level B software, where failure could lead to a hazardous or severe-major failure condition. The goal is to ensure the highest levels of software reliability and safety in systems where failure is not an option.
Avionics dead code refers to segments of software code within avionics systems that are never executed in any operational scenario or configuration of the system. In the context of safety-critical software development, such as that governed by DO-178C (Software Considerations in Airborne Systems and Equipment Certification), the identification and elimination of dead code are important for several reasons:
1. Certification Compliance: DO-178C requires that all code within the certified software must be traceable to system requirements and must be shown to contribute to the intended operational capabilities. Dead code, by definition, does not contribute to these capabilities and therefore does not comply with these requirements.
2. Safety and Reliability: Although dead code does not execute, its presence can complicate the analysis and understanding of the software's behavior, potentially obscuring paths through the code that are relevant to safety and reliability. Removing dead code simplifies verification and validation activities, making it easier to demonstrate that the software meets its safety requirements.
3. Resource Optimization: Removing dead code can contribute to more efficient use of system resources, such as memory and processing power, which are often at a premium in embedded systems like those used in avionics.
4. Maintenance and Readability: Dead code can make software more difficult to maintain and understand. Its removal helps to ensure that the software is more readable and maintainable, which is particularly important for long-lived avionics systems that undergo many cycles of modification and certification.
Dead code is typically identified through static analysis tools and manual code reviews. Once identified, it should be carefully evaluated to confirm that it truly has no impact on the software's functionality or performance under any possible operational condition. After this confirmation, the dead code can be removed, subject to the project's configuration management and change control processes, to ensure that the software remains compliant with DO-178C and other applicable standards.
Avionics deactivated code refers to portions of software within an avionics system that, while present in the software's codebase, are intentionally disabled or made non-executable under certain operational configurations or conditions. Unlike dead code, which is never executed in any scenario, deactivated code may have the potential to be executed if the conditions under which it would be activated were to occur. However, in the deployed operational configuration of the system, these conditions are prevented from occurring, effectively rendering the code inactive.
Deactivated code can arise for several reasons:
1. Configurability: Software may include features that are only enabled for specific aircraft configurations, operational modes, or customer requirements. Code supporting disabled features would be present but deactivated for configurations where those features are not used.
2. Future Use: Code may be included for features that are planned for future implementation but are not yet activated in the current version of the software.
3. Compatibility: To maintain compatibility with previous versions of software or with other systems, code may be included but deactivated in the current operational context.
The treatment of deactivated code in the context of DO-178C (Software Considerations in Airborne Systems and Equipment Certification) involves several considerations:
• Justification for Inclusion: The rationale for including deactivated code must be documented, including the conditions under which the code could be activated and the means by which those conditions are prevented in the operational configuration.
• Verification and Validation: Deactivated code must undergo the same level of verification and validation as active code to ensure that if it were ever activated, it would not adversely affect the safety or functionality of the avionics system. This includes ensuring the code meets all applicable requirements and does not introduce unintended functionality.
• Configuration Management: There must be strict configuration management controls to ensure that changes to the software or its operational environment do not inadvertently activate deactivated code without proper verification and validation.
• Certification Documentation: Documentation provided to certification authorities must clearly delineate deactivated code and provide justification and evidence of compliance with the relevant certification requirements.
Managing deactivated code requires careful planning and documentation to ensure that its presence does not compromise the safety, reliability, or certifiability of the avionics software system.
DO-178C Requirements Traceability refers to the process of establishing and documenting a bidirectional link between each requirement and its corresponding work products throughout the software development lifecycle. This traceability ensures that all requirements are addressed in the design, implementation, and testing of the software and that any changes to the requirements are reflected across all related work products. Requirements traceability is a core principle of DO-178C, which is the standard for software considerations in airborne systems and equipment certification.
The purpose of requirements traceability in the context of DO-178C includes:
1. Ensuring Coverage: Traceability helps ensure that all software requirements are covered by specific design elements, code implementations, and verification activities. This includes demonstrating that all high-level requirements are allocated to low-level requirements and that each requirement is verified by one or more test cases or analysis procedures.
2. Facilitating Verification and Validation: By linking requirements to their corresponding verification cases and procedures, traceability supports the verification and validation process. It ensures that the software meets all specified requirements and functions correctly in all intended operational conditions.
3. Supporting Impact Analysis: Traceability allows for effective impact analysis when requirements change. By understanding how each requirement is related to design elements, code, and tests, it is possible to assess the impact of changes more accurately and efficiently, ensuring that all necessary modifications are made and verified.
4. Enhancing Configuration Management: Traceability supports configuration management by providing a clear understanding of the dependencies between software requirements and other development artifacts. This facilitates the management of changes and ensures consistency across the software lifecycle.
5. Aiding Certification: For certification under DO-178C, traceability provides the evidence needed to demonstrate that the software meets all regulatory requirements. It is crucial for the certification process, as it allows certification authorities to review the completeness and correctness of the software development process.
To achieve requirements traceability, organizations typically employ traceability matrices or specialized software tools. These tools or documents map the relationships between high-level requirements, low-level requirements, design elements, code components, and test cases. Maintaining this traceability throughout the development, verification, and maintenance phases is essential for compliance with DO-178C and for ensuring the safety and reliability of the software in airborne systems.
A DO-178C checklist is a tool used by software development teams and certification authorities to ensure that the development, verification, and certification processes of airborne software systems comply with the DO-178C standard, titled "Software Considerations in Airborne Systems and Equipment Certification." This standard outlines the requirements for the development of software for aviation systems, focusing on ensuring that the software performs reliably and safely under all conditions.
The DO-178C checklist typically includes a comprehensive set of items that cover all aspects of the software development lifecycle as outlined in the standard, including but not limited to:
1. Planning Process:
• Verification of the existence and adequacy of plans for software development, quality assurance, configuration management, and certification liaison.
• Review of the Software Development Plan (SDP), Software Quality Assurance Plan (SQAP), Software Configuration Management Plan (SCMP), and Software Verification Plan (SVP) for completeness and compliance with DO-178C requirements.
2. Requirements Process:
• Confirmation that the software requirements are documented, compliant with the system requirements, and verifiable.
• Verification that the requirements are accurately and consistently traced throughout the development lifecycle.
3. Design Process:
• Examination of the software architecture and design documentation to ensure it meets the specified requirements.
• Review of the traceability from software requirements to design elements.
4. Implementation Process:
• Assurance that the code is implemented according to the design and standards.
• Validation of coding standards and guidelines adherence.
5. Verification Process:
• Verification of the test procedures and results for adequacy, accuracy, and completeness.
• Review of the traceability from requirements to test cases and results.
6. Configuration Management Process:
• Examination of the configuration management procedures for consistency with the SCMP.
• Review of change control procedures and baseline documentation.
7. Quality Assurance Process:
• Confirmation that quality assurance activities comply with the SQAP.
• Review of problem reports, audit results, and corrective actions.
8. Certification Liaison Process:
• Documentation of the certification liaison activities and evidence of compliance with the certification plan.
9. Tool Qualification (if applicable):
• Verification that any software tools used in the development and verification processes are qualified in accordance with DO-330, when required by DO-178C.
10. Additional Considerations:
• Evaluation of any additional considerations such as the use of previously developed software, parameter data items, and hardware considerations in the context of software reliability.
The checklist serves as a guide for both developers and auditors to systematically review and ensure that all necessary steps, processes, and documentation align with DO-178C's stringent requirements. It helps identify any gaps or deficiencies that need to be addressed to comply with the standard, ultimately facilitating the certification of the software for use in airborne systems. Avionyx has an off the shelf set of P&S with the appropriate DO-178C checklists ready to be used by any of our customers.
DO-178C independence refers to the requirement within the DO-178C standard that certain verification activities must be carried out by individuals or teams who are not responsible for the development of the item being verified. This principle is crucial for ensuring the objectivity and thoroughness of the verification process, which includes reviews, analyses, and testing of the software to confirm that it meets all specified requirements and is free from errors that could impact safety.
The concept of independence in DO-178C is particularly important for higher criticality levels (Level A and Level B software), where the potential impact on safety is greater. The standard specifies different levels of independence based on the software's criticality level, with more stringent requirements for higher criticality levels. Here's how independence is typically applied across different activities and criticality levels:
1. For Level A Software (most critical):
• All verification activities, including reviews of the software requirements, design, source code, and the testing process (test cases, procedures, and results), must be conducted by individuals or a team independent of those who performed the original work. This level of independence ensures that the verification process is unbiased and rigorous.
2. For Level B Software:
• A similar level of independence as Level A is required, though the specific requirements may be slightly less stringent. The objective is still to ensure that verification activities are carried out by personnel not involved in the development of the specific item being verified.
3. For Level C, D, and E Software (decreasing criticality):
• The requirements for independence decrease as the potential impact on safety decreases. For these levels, the standard may allow for less stringent independence requirements, with the understanding that the risk to safety is lower. However, best practices still encourage some degree of independence in verification to ensure quality and reliability.
The rationale behind DO-178C independence requirements is to reduce the risk of oversight or bias that could lead to undetected errors in the software. By involving independent verifiers, the process benefits from fresh perspectives and increased diligence, enhancing the likelihood of identifying and correcting potential issues before the software is deployed.
Implementing independence effectively requires careful planning and management of resources, including ensuring that staff with the necessary skills and understanding of the standard are available to perform independent verification tasks. It also involves clear documentation and communication processes to support the independent review and testing activities while maintaining the integrity and confidentiality of the development and verification efforts. If you don't have enough staff to comply with independence, Avionyx might be able to provide staff augmentation support, or a full turnkey project to get your product to market.
Avionics software structural coverage refers to a set of metrics used to assess the extent to which the software's source code has been exercised (tested) during verification activities, specifically under the guidelines of DO-178C for airborne system software development. Structural coverage analysis is crucial for demonstrating that all parts of the software have been tested, identifying any parts of the code that were not executed during testing, and ensuring that the software is reliable and behaves as expected under all possible conditions.
The importance of structural coverage analysis increases with the software's criticality level, as defined by DO-178C, from Level E (least critical) to Level A (most critical). For higher criticality software (Levels A and B), demonstrating thorough structural coverage is mandatory to ensure that potential safety impacts are fully assessed and mitigated. The main types of structural coverage metrics used in avionics software verification are:
1. Statement Coverage (SC): Measures whether each executable statement in the code has been executed at least once. This is the most basic level of coverage and ensures that there are no portions of the code that are completely untested.
2. Decision Coverage (DC): Ensures that every decision (such as an IF statement) in the code has been taken in both the true and false directions at least once. This type of coverage is more stringent than statement coverage because it requires testing to ensure that each branch of a decision has been explored.
3. Condition Coverage (CC): Requires that each logical condition within a decision statement is evaluated both to true and false. This means that for a decision composed of multiple conditions, each one must be individually tested for both outcomes. Condition coverage is more detailed than decision coverage because it requires each individual condition in a decision to be evaluated, not just the decision as a whole.
4. Modified Condition/Decision Coverage (MC/DC): Ensures that each condition in a decision has been shown to independently affect that decision's outcome. MC/DC is more rigorous than simple condition coverage because it requires demonstrating that each condition within a complex decision can independently influence the decision's true or false outcome. MC/DC is required for Level A software and is considered one of the most stringent forms of structural coverage.
5. Path Coverage: Though not explicitly required by DO-178C, path coverage involves testing to ensure that all possible paths through the software have been executed. Given the complexity of modern software, achieving complete path coverage can be impractical or impossible, but efforts should be made to cover as many critical paths as possible.
Structural coverage analysis helps identify dead code (code that cannot be executed in any operational scenario) and deactivated code (code that is not executed in the current configuration or operational mode but may be executed under different conditions). Removing or justifying the existence of such code is necessary to meet DO-178C certification requirements.
Achieving and demonstrating adequate structural coverage is a critical component of the verification and validation process for avionics software, ensuring that the software meets the highest standards of safety and reliability as required by regulatory bodies.
DO-178C certifiability refers to the readiness and capability of an aviation software system to meet the requirements of DO-178C, "Software Considerations in Airborne Systems and Equipment Certification," and thus be approved by aviation regulatory authorities such as the Federal Aviation Administration (FAA) or the European Union Aviation Safety Agency (EASA). Achieving certifiability under DO-178C is essential for software that will be used in commercial and military aircraft systems, as it demonstrates that the software has been developed, verified, and documented in a manner that ensures it meets the stringent safety standards necessary for airborne operations.
Key aspects of achieving DO-178C certifiability include:
1. Comprehensive Documentation: One of the pillars of DO-178C certifiability is the creation and maintenance of detailed documentation throughout the software development lifecycle. This includes plans for software development, verification, configuration management, and quality assurance, as well as descriptions of the software architecture, design, source code, and test cases. Documentation serves as evidence that the software has been developed and tested according to the standard's requirements.
2. Rigorous Development Processes: DO-178C outlines specific processes for the development of aviation software, including requirements capture, design, coding, integration, and testing. These processes must be followed meticulously to ensure that the software performs its intended function safely and reliably under all conditions.
3. Traceability: Requirements traceability is a critical component of DO-178C certifiability. It involves establishing a bi-directional link between each requirement and its corresponding design elements, implementation, and testing artifacts. Traceability ensures that all requirements are accounted for and verified, and it facilitates impact analysis when changes occur.
4. Verification and Validation: Verification and validation activities must be conducted to demonstrate that the software meets all its requirements and is free from defects that could affect safety. This includes a range of testing methods, such as unit testing, integration testing, and system testing, as well as analyses to achieve the required levels of structural coverage.
5. Quality Assurance: A quality assurance process must be in place to monitor and ensure that all activities and outputs comply with the defined processes and standards. This includes conducting audits, reviewing documentation, and tracking problem reports.
6. Configuration Management: Effective configuration management is essential to maintain control over software changes, ensuring that all changes are documented, reviewed, and approved before implementation. It also involves keeping accurate records of all versions of software items and their configurations.
7. Tool Qualification: If software development or verification tools are used that can introduce errors into the software or influence the outcome of the verification results, those tools must be qualified under DO-330, a supplement to DO-178C. Tool qualification ensures that the tools are appropriate and reliable for their intended use.
Achieving DO-178C certifiability is a comprehensive and rigorous process that requires careful planning, execution, and documentation. It is essential for ensuring that aviation software meets the highest standards of safety and reliability required for operation in the aerospace industry. Reach out to Avionyx at sales@avionyx.com (sales@avionyx.com)to discuss more about how to achieve DO-178C certifiability.
• Real-Time Operating System (RTOS): A DO-178C certifiable RTOS is a real-time operating system that has been designed and developed to meet the DO-178C standards for use in safety-critical aviation systems. An RTOS is a key software component that manages hardware resources, executes software applications, and ensures that operations are carried out within strict timing constraints required by real-time applications.
• Certification Aspects: For an RTOS to be DO-178C certifiable, it must provide evidence of compliance with the standard’s objectives relative to its designated software level (A through E, with A being the most critical). This involves demonstrating through rigorous testing and analysis that the RTOS can reliably manage and execute multiple software applications, ensuring deterministic performance and maintaining system safety under all conditions. The certification evidence includes detailed documentation of the RTOS design, development, verification processes, and the traceability of requirements throughout the software lifecycle.
A DO-178C/DO-254 certifiable product, including a certifiable RTOS, represents a significant investment in ensuring the highest levels of safety and reliability for aerospace applications. These products are critical components in the development and certification of airborne systems, providing a foundation for achieving regulatory approval and ensuring the safety of flight operations.
Software safety refers to the discipline and practices aimed at ensuring that software operates without causing unacceptable risks or harm to people, property, or the environment, particularly in contexts where software failures could lead to hazardous situations. It involves the systematic application of engineering and management principles, criteria, and techniques throughout the software lifecycle to achieve acceptable levels of safety. Software safety is a critical concern in many industries, including aviation, automotive, medical devices, nuclear power, and any other sector where software malfunctions could result in serious consequences.
Key aspects of software safety include:
1. Hazard Analysis and Risk Assessment: Identifying potential hazards that could be caused by software failures and assessing the associated risks. This step involves understanding how software behavior can contribute to system-level hazards and determining the likelihood and severity of potential incidents.
2. Safety Requirements: Based on the hazard analysis, safety-related requirements are defined to mitigate identified risks to an acceptable level. These requirements are aimed at preventing hazardous conditions or enabling the system to deal with them safely should they occur.
3. Design for Safety: Implementing software design practices that prioritize safety, including the use of fault-tolerant architectures, redundancy, and safety barriers. Design considerations also include ensuring software does not introduce unacceptable risks under failure conditions.
4. Safety Verification and Validation: Employing rigorous testing, analysis, and review processes to verify that safety requirements have been implemented correctly and to validate that the software, when integrated into its operational environment, meets its safety objectives. This often includes techniques like formal methods, fault injection, and safety case development.
5. Configuration Management and Change Control: Managing changes to software and its configuration in a controlled manner to ensure that safety is not compromised over time. This includes tracking versions of software components and ensuring that changes undergo appropriate safety assessment.
6. Safety Certification: For many safety-critical industries, demonstrating compliance with relevant safety standards (e.g., DO-178C for avionics software) is required. This involves providing evidence that the software has been developed and tested according to the principles and procedures that ensure safety.
7. Continuous Safety Monitoring: After deployment, continuously monitoring the software's operational performance to identify any safety-related issues that may arise, and implementing corrective actions as necessary. This includes analyzing operational incidents and feedback to identify potential safety improvements.
Software safety is not just about preventing software errors but ensuring that the system as a whole continues to operate safely, even in the presence of faults. It requires a multidisciplinary approach, integrating software engineering, system engineering, risk management, and domain-specific knowledge to address safety from the initial stages of development through to deployment and operation.
UAS (Unmanned Aircraft Systems) or UAV (Unmanned Aerial Vehicles) DO-178C certification involves the application of the DO-178C standard, "Software Considerations in Airborne Systems and Equipment Certification," to the software development process of unmanned aircraft systems. DO-178C provides a framework for ensuring that the software controlling the UAS or UAV meets rigorous safety and reliability standards required for operation within national and international airspace.
Given the increasing use of UAS/UAVs across a variety of applications—including commercial, civilian, and military—ensuring the safety and reliability of these systems is paramount. The software controlling UAS/UAVs is critical, as it manages not only the flight control systems but also navigation, communication, payload management, and safety functions. The application of DO-178C to UAS/UAV software development encompasses several key aspects:
1. Software Criticality Levels: DO-178C classifies software according to its criticality level, from Level A (where software failure would lead to catastrophic failure conditions for the aircraft) down to Level E (where software failure has no effect on aircraft operational capability or safety). The classification impacts the rigor of the development and verification processes required. UAS/UAV software components are assessed to determine their criticality level based on the potential impact of their failure.
2. Lifecycle Processes: The standard outlines processes covering the entire software lifecycle, including requirements capture, design, implementation, verification, configuration management, quality assurance, and certification liaison. Each process is defined with objectives that must be satisfied to demonstrate compliance with the standard.
3. Verification and Validation: DO-178C places a strong emphasis on verification and validation activities to ensure that the software meets its requirements and behaves correctly in all foreseeable operational conditions. This includes reviews, analyses, and testing activities tailored to the criticality level of the software.
4. Documentation: Comprehensive documentation is required to demonstrate compliance with DO-178C. This includes plans for software development, verification, configuration management, and quality assurance, as well as descriptions of software requirements, design, implementation, and verification results.
5. Tool Qualification: When software development or verification tools are used that can affect the software's behavior or are used to reduce verification efforts, DO-178C requires that these tools be qualified. This ensures that the tools themselves do not introduce errors into the software.
6. Certification Liaison: Engaging with certification authorities (such as the FAA or EASA) early and throughout the development process is crucial. This involves discussing and agreeing upon the certification plan, the means of compliance, and presenting the evidence required to demonstrate that the software meets the applicable airworthiness requirements.
For UAS/UAVs, the application of DO-178C is part of a broader certification effort that also includes considerations for the entire system, potentially involving other standards like DO-254 for hardware and specific operational standards for UAS/UAV operations. The goal is to ensure that UAS/UAVs can safely coexist with manned aircraft and operate safely in various airspace environments, including urban areas and beyond visual line of sight (BVLOS) operations.
Yes, Model-Based Development (MBD) can be certified by means of DO-178C, provided that the development process adheres to the guidelines set forth in the standard and incorporates the necessary steps to ensure compliance. DO-178C itself does not prescribe specific development methodologies but rather focuses on the objectives that need to be met for certification. To address the unique aspects of MBD, DO-178C includes a supplement, DO-331, titled "Model-Based Development and Verification Supplement to DO-178C and DO-278A.
Model-Based Development involves the use of models to represent the software's functionality and behavior throughout the development lifecycle. These models can be used for simulation, code generation, and verification purposes. MBD offers several advantages, including improved communication among stakeholders through visual representation, the ability to perform early validation of requirements, and automated code generation that can reduce errors associated with manual coding.
To certify MBD under DO-178C, the following key aspects should be considered:
1. Modeling Standards: Establish and follow modeling standards to ensure that models are developed in a clear, consistent, and verifiable manner. This includes defining conventions for model structure, data representation, and control flow.
2. Model Verification: Verify the models against the software requirements. This includes model reviews, model analysis, and model testing to ensure that the models accurately represent the intended behavior of the software.
3. Tool Qualification: If tools are used for model simulation, automated code generation, or model verification, these tools may need to be qualified under DO-330, "Software Tool Qualification Considerations." Tool qualification ensures that the tools perform their intended functions correctly and consistently.
4. Generated Code: For software projects that use automatic code generation from models, it's crucial to verify that the generated code accurately implements the model and complies with DO-178C requirements. This includes reviewing the generated code for adherence to coding standards and performing code-level testing.
5. Traceability: Maintain traceability between requirements, models, generated code, and verification results. Traceability is essential to demonstrate that all requirements have been implemented correctly and verified.
6. Supplemental Documentation: In addition to the standard DO-178C documentation, document the MBD process, including modeling standards, model verification activities, tool qualification processes, and the rationale for any deviations from traditional development processes.
By addressing these considerations, MBD can be effectively integrated into a DO-178C compliant development process. The use of DO-331 as a supplement ensures that the unique aspects of MBD are properly accounted for, facilitating the certification of software developed using this approach. Reach out to Avionyx to sales@avionyx.com (sales@avionyx.com)for any MBD certification needs.
DO-178B and DO-178C are both standards for the development of aviation software, but DO-178C includes several updates and enhancements to reflect advancements in software development technologies and methodologies since the publication of DO-178B. Here's a detailed comparison of the key differences between DO-178B and DO-178C:
Publication and Context
• DO-178B, titled "Software Considerations in Airborne Systems and Equipment Certification," was published in 1992 by the RTCA and has been the foundational standard for certifying avionics software.
• DO-178C, the successor to DO-178B, was published in 2011 to address technological advancements and lessons learned from the industry's application of DO-178B. It retains the core principles of DO-178B but provides clearer guidance and additional supplements for modern software development practices.
Key Differences
1. Clarifications and Refinements:
• DO-178C offers clarifications on many of the requirements and guidelines provided in DO-178B, reducing ambiguity and ensuring a more consistent interpretation and application of the standard across the industry.
2. Supplements for Modern Technologies:
• DO-178C includes supplements to address specific technologies and methodologies that have become prevalent in software development since the release of DO-178B. These supplements are:
• DO-330: Software Tool Qualification Considerations
• DO-331: Model-Based Development and Verification Supplement
• DO-332: Object-Oriented Technology and Related Techniques Supplement
• DO-333: Formal Methods Supplement
• These supplements provide guidance on using these technologies within the framework of DO-178C, ensuring that software developed with modern methodologies can be certified.
3. Tool Qualification:
• DO-178C includes more detailed guidance on tool qualification (through DO-330), clarifying the conditions under which software development and verification tools need to be qualified, which was a point of confusion under DO-178B.
4. Model-Based Development (MBD):
• DO-178C, with its supplement DO-331, formally recognizes and provides specific guidance on using model-based development and verification, which was not explicitly covered in DO-178B.
5. Object-Oriented Technology:
• DO-178C addresses the use of object-oriented technology in software development, offering guidance on how to manage the unique challenges associated with this paradigm through DO-332.
6. Formal Methods:
• DO-178C introduces guidance on using formal methods for software verification, recognizing the value of formal methods in proving the correctness of software algorithms and reducing the need for certain types of testing.
Impact on Certification
The updates and supplements included in DO-178C enable a more effective application of the standard to current and future software development projects. By providing clearer guidance and addressing modern technologies, DO-178C facilitates the certification process for complex software systems. However, the core objective of ensuring that aviation software meets the highest safety standards remains unchanged between DO-178B and DO-178C.
In summary, DO-178C builds upon the foundation of DO-178B, providing updated guidance and additional resources to address advancements in software development technologies and methodologies. It offers a more detailed and clear framework for the certification of aviation software, ensuring safety and reliability in the face of evolving software engineering practices.
Requirements management is a fundamental aspect of project management and systems engineering that involves the systematic identification, documentation, organization, prioritization, tracking, and maintenance of project requirements. It is a continuous process throughout the lifecycle of a project, ensuring that all requirements are clearly understood, agreed upon by stakeholders, and met by the final deliverables. Effective requirements management is crucial for the success of any project, especially complex and technical projects in industries such as software development, aerospace, automotive, and healthcare.
Key elements and activities involved in requirements management include:
1. Requirements Elicitation: Gathering requirements from all stakeholders, including customers, end-users, project managers, and technical teams, to understand their needs and expectations fully.
2. Requirements Documentation: Clearly and unambiguously documenting the requirements in a detailed and organized manner. This often involves the use of specialized tools or software to manage the requirements documentation.
3. Requirements Analysis: Analyzing the requirements for feasibility, clarity, and potential conflicts. This step often involves prioritizing requirements based on factors such as importance, cost, risk, and stakeholder value.
4. Requirements Specification: Developing a comprehensive and detailed specification document that serves as a baseline for project development and verification. This document includes all functional and non-functional requirements.
5. Requirements Verification and Validation: Ensuring that the requirements are correctly implemented and that the final product meets all specified requirements through various verification and validation techniques.
6. Requirements Traceability: Establishing a traceability matrix or framework to link requirements to their corresponding design elements, implementation components, and verification tests. This ensures that every requirement is addressed throughout the project lifecycle and facilitates impact analysis of any changes.
7. Change Management: Managing changes to requirements in a controlled and systematic manner. This includes assessing the impact of changes, obtaining stakeholder approval, and updating documentation and plans accordingly.
8. Communication and Collaboration: Facilitating effective communication and collaboration among stakeholders to ensure that requirements are understood, agreed upon, and met. This involves regular reviews and updates to keep all parties informed of requirements status and changes.
DO-178C itself does not specifically address the certification of multi-core processors in avionics; however, guidance related to the use of multi-core processors in the context of DO-178C compliance can be found in a separate, related document: the CAST-32A position paper, issued by the Certification Authorities Software Team (CAST). CAST-32A provides objectives and considerations for the certification of systems using multi-core processors under the existing regulatory framework, including DO-178C for software and DO-254 for hardware aspects.
Multi-core processors present unique challenges for avionics certification due to their complex behavior and potential for interference between cores, which can affect deterministic execution and real-time performance—key requirements for safety-critical avionics systems. CAST-32A addresses these challenges by outlining a set of objectives and considerations for certifying avionics systems that use multi-core processors, focusing on aspects such as:
1. Concurrency and Shared Resources: Ensuring that the concurrent execution of software on multiple cores does not lead to contention for shared resources (e.g., caches, buses) that could affect the software's timing and behavior.
2. Worst-Case Execution Time (WCET): Analyzing and determining the WCET for software tasks considering the potential interference and contention in a multi-core environment.
3. Interference Channels: Identifying and analyzing potential interference channels within the multi-core processor and mitigating their effects on software performance and predictability.
4. Robust Partitioning: Ensuring robust temporal and spatial partitioning between software components executing on different cores to prevent unintended interference.
5. Verification and Validation: Developing verification and validation strategies that account for the complexities of multi-core processing, including the interactions between cores and the impact on software timing and behavior.
6. Configuration and Usage Guidelines: Providing guidelines for the configuration and use of multi-core processors to ensure predictable behavior, including restrictions on core usage, affinity settings, and access to shared resources.
By addressing these and other related considerations, CAST-32A complements DO-178C and helps facilitate the certification of avionics systems that utilize multi-core processors. It ensures that the use of such processors does not compromise the safety, reliability, and performance of avionics software. Compliance with CAST-32A objectives is critical for obtaining certification from aviation regulatory authorities for systems employing multi-core technology.
The Plan for Hardware Aspects of Certification (PHAC) plays a crucial role in the DO-254 process for the development of airborne electronic hardware. Its primary functions and significance in the context of DO-254 include:
1. Certification Roadmap: The PHAC serves as a roadmap for the certification process, outlining the specific activities, standards, and methodologies that will be employed to ensure that the hardware meets the regulatory requirements and is suitable for its intended use in airborne systems.
2. Compliance Framework: It establishes a framework for demonstrating compliance with DO-254 and other relevant regulations. The PHAC details how the hardware development and verification processes will be conducted in alignment with DO-254 objectives, including the levels of rigor and documentation required based on the hardware's Design Assurance Level (DAL).
3. Stakeholder Communication: The PHAC is a key document for communicating the certification plan and strategy to all stakeholders, including development teams, management, and regulatory authorities (such as the FAA or EASA). It ensures that all parties have a clear understanding of the certification objectives, processes, and responsibilities.
4. Lifecycle Process Definition: It defines the lifecycle processes that will be followed during the hardware development, including requirements capture, design, implementation, verification, configuration management, and quality assurance activities. The PHAC outlines the standards and best practices that will be applied throughout these processes.
5. Evidence Collection Strategy: The PHAC outlines the strategy for collecting and organizing the evidence needed to demonstrate compliance with DO-254. This includes the types of documents, data, and verification results that will be generated and how they will be presented to the certification authorities.
6. Risk Management: It includes a plan for identifying, assessing, and mitigating risks throughout the hardware development and certification process. This ensures that potential issues are addressed proactively, reducing the likelihood of delays or non-compliance.
7. Change Management: The PHAC describes the approach for managing changes to the hardware design or development process, ensuring that any modifications are systematically evaluated for their impact on compliance and safety.
8. Tool Qualification: If tools that can affect the design and verification of the hardware are used, the PHAC will outline the approach for qualifying these tools in accordance with DO-254 guidelines, ensuring that the tools are appropriate and reliable for their intended use.
In summary, the Plan for Hardware Aspects of Certification is fundamental to the DO-254 process, providing a comprehensive and structured approach to achieving hardware certification. It ensures that the hardware development is conducted in a manner that meets safety standards and regulatory requirements, ultimately supporting the overall goal of ensuring the safety and reliability of airborne systems.
The Hardware Design Lifecycle according to DO-254 is structured to ensure that airborne electronic hardware meets its safety, reliability, and performance requirements through systematic processes from conceptual design to deployment and beyond. Here's a breakdown of the key stages within the lifecycle:
1. Conceptual Design Phase:
• Objective: Establish system requirements and allocate them to hardware components.
• Activities: Define the hardware's intended function within the system, initial safety assessments, and preliminary hardware-software interface definitions.
2. Requirements Capture Phase:
• Objective: Develop detailed hardware requirements from the system requirements.
• Activities: Specify functional, performance, interface, environmental, and safety requirements for the hardware.
3. Detailed Design Phase:
• Objective: Translate requirements into hardware designs.
• Activities: Develop detailed circuit diagrams, FPGA/ASIC designs, PCB layouts, and other design documents. This phase also includes selecting components and defining the hardware architecture.
4. Implementation Phase:
• Objective: Realize the design in physical hardware.
• Activities: Fabrication of PCBs, assembly of components, and initial testing of individual hardware items. For programmable logic devices like FPGAs, this phase includes coding, simulation, and synthesis.
5. Integration Phase:
• Objective: Integrate hardware components within the system.
• Activities: Combine hardware items according to the system architecture, conduct integration testing to ensure they interact correctly, and validate against system requirements.
6. Verification and Validation Phase:
• Objective: Demonstrate that the hardware meets all specified requirements.
• Activities: Systematic testing to verify functional, performance, and safety requirements are met. This includes lab testing, environmental testing, and fault injection testing. Validation ensures the hardware fulfills its intended use and meets the system's operational needs.
7. Production Transition Phase:
• Objective: Prepare the hardware design for production.
• Activities: Finalize design for manufacturability, establish production and assembly processes, and ensure quality control measures are in place. This phase may also involve pilot production runs to validate production processes.
8. Certification Phase:
• Objective: Obtain regulatory approval.
• Activities: Compile and submit the necessary certification artifacts, such as the Hardware Accomplishment Summary (HAS) and other evidence, to demonstrate compliance with DO-254 and other applicable standards.
9. Operational Deployment and In-Service Support Phase:
• Objective: Support the hardware throughout its operational life.
• Activities: Includes maintenance, updates, and modifications to address issues, improve performance, or extend capabilities. This phase also encompasses monitoring the in-service performance and safety of the hardware.
Each phase in the DO-254 Hardware Design Lifecycle is iterative, with feedback loops to previous stages as needed to address findings, enhance the design, or meet evolving requirements. The process is documented extensively to provide traceability and support certification efforts, ensuring that the hardware contributes positively to the overall safety and reliability of the airborne system it is a part of.
DO-254 addresses the use of Field-Programmable Gate Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs) with specific guidance due to their unique nature and the critical role they play in avionics systems. FPGAs and CPLDs, being programmable hardware devices, offer flexibility in design but also introduce challenges in ensuring their reliability and safety in airborne applications. Here's how DO-254 approaches these components:
Design and Development Considerations
• Requirements Specification: Just like any other hardware component under DO-254, the development of FPGAs and CPLDs starts with a clear specification of requirements. These requirements must detail the functional, performance, and interface characteristics of the device, along with safety-related aspects.
• Design and Implementation: The design process for FPGAs and CPLDs should follow rigorous engineering practices, including the use of Hardware Description Languages (HDLs) like VHDL or Verilog. The design should be thoroughly documented, including the rationale for design decisions and how the design meets its requirements.
Verification and Validation
• Verification: Extensive verification activities are crucial. This includes simulations at different levels (e.g., unit, integration, system) to verify the logic and timing of the FPGA/CPLD design against its requirements. The use of formal verification methods, where applicable, is also encouraged to prove certain properties of the design mathematically.
• Hardware Testing: Physical testing of the FPGA/CPLD in the target hardware environment is required to validate its behavior under real operating conditions, including temperature variations and other environmental stresses.
Configuration Management
• Version Control: The specific versions of the HDL code, synthesis tools, and any third-party IP (Intellectual Property) blocks used in the FPGA/CPLD design must be carefully managed and documented.
• Traceability: There must be traceability between the FPGA/CPLD requirements, design elements, and verification activities to ensure that all requirements have been met and can be audited.
Tool Qualification
• Synthesis and Place-and-Route Tools: The tools used to synthesize HDL code into the gate-level implementation and to perform place-and-route operations for FPGAs and CPLDs need to be qualified under DO-254 if they are considered critical for the device's verification and cannot be independently verified.
Programmable Logic Device (PLD) Considerations
• Security and Configuration Control: Measures must be in place to ensure the integrity and security of the FPGA/CPLD configuration data, including protection against unauthorized modifications and ensuring correct configuration at system startup.
Additional Considerations for Complex Devices
• For highly complex FPGAs and CPLDs, additional considerations might include the management of resource utilization, power consumption, and thermal effects, as well as the analysis of potential single event upsets (SEUs) in radiation environments.
By addressing these aspects, DO-254 ensures that FPGAs and CPLDs used in airborne systems are developed and verified with a level of rigor consistent with their safety impact, helping to ensure the reliability and safety of the overall avionics system.
Ensuring successful DO-254 certification of an avionics hardware project involves a comprehensive approach that spans from the initial concept phase through to the final certification by regulatory bodies. Here are key strategies to employ:
1. Early Engagement with Certification Authorities: Begin discussions with certification authorities (such as the FAA or EASA) early in the project to understand their expectations and any specific concerns they might have regarding your project. This can help tailor the development process to meet certification requirements more efficiently.
2. Thorough Requirements Management: Establish a robust process for capturing, managing, and tracing hardware requirements from the system level down to component level. Ensure that every requirement is verifiable and traceable through the design, implementation, and testing phases. Use a requirements management tool to facilitate this process and maintain an audit trail.
3. Comprehensive Planning Documents: Develop detailed planning documents that outline the processes, standards, and methodologies to be used throughout the hardware lifecycle. This includes the Plan for Hardware Aspects of Certification (PHAC), Hardware Development Plan (HDP), Hardware Verification and Validation Plan (HVVP), and others as necessary. These documents should align with DO-254 guidelines and be approved by the certification authorities.
4. Rigorous Design and Development Process: Adhere to a rigorous and structured design and development process that emphasizes quality, safety, and reliability from the outset. Employ design standards and guidelines that mitigate risks, such as single point failures and common mode failures. Incorporate formal design reviews at key milestones to ensure compliance with requirements and identify issues early.
5. Tool Qualification: When using software tools that automate tasks affecting the hardware's design, verification, or validation, ensure these tools are qualified under DO-254 guidelines if their output cannot be independently verified. Tool qualification plans and reports should demonstrate that the tools perform as intended and do not introduce errors.
6. Hardware Verification and Validation: Implement a comprehensive verification and validation strategy that includes reviews, analyses, and testing at various levels (unit, integration, and system). Ensure that all hardware requirements are verified through appropriate methods and that the testing is thorough and well-documented.
7. Effective Configuration Management: Use a robust configuration management system to control and track all changes to hardware design, documentation, and development artifacts. This ensures that the hardware configuration is known, reproducible, and traceable throughout its lifecycle.
8. Quality Assurance Processes: Establish quality assurance processes that independently verify that the hardware development and verification processes comply with both the project's defined processes and DO-254 requirements. This includes audits, process monitoring, and ensuring that any non-conformances are identified and addressed.
9. Documentation and Evidence Collection: Meticulously document every aspect of the hardware development lifecycle, including design data, test results, review records, and problem reports. This documentation serves as evidence of compliance with DO-254 and is critical for certification.
10. Continuous Risk Management: Identify, analyze, and mitigate risks throughout the hardware development lifecycle. Implement risk management processes to address potential issues proactively, reducing the likelihood of significant setbacks.
11. Training and Competency: Ensure that the project team is well-versed in DO-254 requirements and processes. Provide training as needed to maintain a high level of competency in avionics hardware development and certification.
12. Stakeholder Communication: Maintain open lines of communication with all stakeholders, including certification authorities, suppliers, and internal teams. Regular updates and transparent communication can help avoid surprises and facilitate a smoother certification process.
By integrating these strategies into the hardware development lifecycle, an organization can significantly enhance its chances of achieving successful DO-254 certification, ensuring that the hardware meets the highest standards of safety and reliability required in avionics systems.
Avionyx has completed hundreds of projects in numerous applications, including:
• Flight Displays (PFD, MFD, VID, TCAS, Weather Radar, Engine/System Monitor)
• Communication (VHF, SatCom, CPDLC, ACP, PACIC)
• Navigation (VOR, NDB, DME , DLRA, ILS, VDB, FMS)
• Surveillance (ADS-B , Mode S, TCAS, Wx Radar)
• System Monitoring (ADC, Engine & Vibration, OMS, System Synoptics)
• Flight Control (Auto-Throttle, Stall Warning/Stall Protection)
• Power Distribution, ARC-Fault Circuit Breakers
• Environmental (Cabin Pressurization, Bleed Air)
• Cabin Smoke Detection
• Cockpit Door Lock
• Cockpit Lighting
• Water Systems
• EFB Apps
Avionyx has experience with many embedded software development and test tools, including:
Microsoft Visual Studio
Texas Instruments Code Composer Studio
Greenhills MULTI IDE
Greenhills INTEGRITY RTOS
Freescale CodeWarrior IDE
Freescale CodeTEST
Cosmic Cross Development Tools (IDEA, ZAP)
Microchip MPLAB
NOHAU Seehau
ATMEL AVR Studio
DDC-I OpenArbor
National Instruments LabView
IBM-Rational Test Real Time
Rational Visual Test
VectorCAST
Sci Tools Understand
LDRA Testbed
Keil uVision (8051, ARM)
BullseyeCoverage
GE Fanuc BusTools
Cantata
Ballard CoPilot
Modelsim
Aldec
Vivado
Silos
Avionyx has experience with many change management tools, including:
Siemens Polarion (for which we have a dedicated team creating tailored plugins and customizations)
IBM Rational DOORS
SERENA PVCS
IBM Rational RequisitPro
Visible Razor
IBM Rational ClearCase
IBM Rational ClearQuest
Jama Contour
Perforce
PTC Integrity (formerly MKS Integrity)
JIRA
In addition to numerous assembly languages, Avionyx develops and tests software in a number of languages, including but not limited to:
C
C#
C++
Ada
Java
JavaScript
Perl
Visual Basic
Numerous Assemblers
VHDL
Verilog
Python
If you wish to inquire about our services, please contact sales@avionyx.com.
bottom of page