Slide 1: DO-178C (With DO-254) Overview – 1 Hour
Jan 07, 2017
Copyright 2016-2017, throughout document
Copyright Afuzion Inc www.afuzion.com
Slide 2: Almost Famous Quotes
The School Of Avionics Wishful Thinking has many students, but no graduates (Vance Hilderman)
DO-178 is the worst standard in the world; except for all the others (Vance Hilderman paraphrasing Winston Churchill)
Flight safety is simple: the number of successful landings should equal the number of take-offs. (Author Unknown)
Notes about this training manual: The DO-178 related material was 100% developed from scratch, beginning in 1989 and continuing through 2015 via copyright from Vance Hilderman.
About Your Instructor (Today: Vance Hilderman)
BSEE, MBA, MSEE (Hughes Fellow)
Founder of two of the world's largest avionics development services companies
Has personally trained over 11,000 persons, more than all other DO-178/254 instructors in the world combined
Has successfully contributed to over 300 diverse avionics projects
Proven Systems, Hardware and Software success with over 100 different clients
Has worked with 40+ of North America's largest avionics companies and 75 of the world's 100 largest aerospace companies
Slide 4: What are DO-178 and DO-254?
Certification standards for airborne equipment: DO-178 => Software; DO-254 => Hardware
Regulated by the FAA; required if the target aircraft flies in commercial U.S. airspace
Covers the full engineering lifecycle:
Planning (CM, QA, Development, Testing)
Development (Requirements/Design/Implementation)
Verification
Quality Assurance, Liaison, Certification
Slide 5: Synopsis of DO-178 and DO-254
RTCA DO-178: Software Considerations in Airborne Systems and Equipment Certification
Developed 1980 to 2012 via 500+ industry and government personnel
Many compromises to satisfy different goals
Not a recipe book or "How To" guide
Discussion flow for guidance; able to accommodate many different development approaches
Lawyers versus Software Engineers: who wins?
In practice: The Golden Rule
Slide 6: Synopsis of DO-254
RTCA DO-254: Design Assurance Guidance for Airborne Electronic Hardware
Developed 1996 to 2000 via 100+ industry and government personnel
The committee was mostly software people (thus similar to DO-178)
Strong focus on Complex Electronic Hardware (CEH) devices (with embedded code)
Provides design assurance for CEH including Programmable Logic Devices (PLDs) and Application Specific Integrated Circuits (ASICs)
Covers all electronic hardware
Slide 7: Avionics Development Ecosystem
(Diagram, flattened in flow order; each stage feeds the next)
1. Safety Assessment (ARP 4761): yields the Criticality Level
2. System Development (ARP 4754A): yields Architectural Inputs, SW Rqmts and HW Rqmts
3. Software (DO-178C) and Hardware (DO-254): each yields its Tests
Slide 8: DO-178: Evolution History
Doc       Year       Basis        Themes
DO-178    1980-1982  498 & 2167A  Artifacts, documents, traceability, testing
DO-178A   1985       DO-178       Processes, testing, components, four criticality levels, reviews, waterfall methodology
DO-178B   1992       DO-178A      Integration, transition criteria, diverse development methods, data (not documents), tools
DO-178C   2012       DO-178B      Reducing subjectivity; address modeling, detailed requirements, OOT, Formal Methods: Ecosystem
Slide 9: DO-178 Document Layout (copied directly from the DO-178 document)
Sections, grouped on the slide as 1. Planning, 2. Development, 3. Correctness:
1. Overview
2. System Aspects
3. Lifecycle
4. Planning Process
5. Development Process
6. Verification
7. Configuration Mgmt
8. Quality Assurance
9. Certification Liaison
10. Overview of Aircraft And Engine Certification
11. Data & Considerations
A. Objectives by Cert Level
Slide 10: DO-254 Layout
Sections, grouped on the slide as Planning, Development, Correctness/Supporting Processes:
1. Introduction
2. System Aspects
3. Design Lifecycle
4. Planning Process
5. Design Process
6. Validation & Verification
7. Configuration Mgmt
8. Process Assurance
9. Certification Liaison
10. Lifecycle Data
11. Additional Considerations
A. Modulation based on level
B. Level A and B Specifics
Slide 11: Three Key Processes (same for DO-178 and DO-254)
1. Planning Process: occurs first
2. Development Process: follows Planning
3. Correctness Process: continuous throughout the project
Slide 12: Optimal DO-178 & 254 Engineering Route, by Vance Hilderman (Not FAA/EASA)
(Timeline diagram, flattened)
Planning Phase: Safety Assessment & Systems Rqmts; Develop Plans, Stnds, Chklsts; Develop Traceability; Implement CM; Start QA
Development & Correctness Phases: High-Level Rqmts; Low-Level Rqmts; Design; Code & Logic; Integration; Verification & Validation; Conformity Review; Cert
Placed along the timeline: SOI #1, SOI #2, SOI #3, SOI #4
Slide 13: DO-178 and DO-254 Key Attributes (similar for DO-178 and DO-254)
1. Detailed planning
2. Five Criticality Levels (A, B, C, D, E)
3. Consistency & Determinism
4. Traceability: top-to-bottom, and back
5. Independence (especially Levels A/B)
6. Path testing
7. Proven Tools (Qualification)
8. Up to 20 artifact types and 71 objectives
9. Guilty Until Proven Innocent
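Attribute 4, traceability top-to-bottom and back, is the one a script can check mechanically, and a trace matrix that only goes one way is a classic audit finding. The following is an added example, not code from the Afuzion deck: it models the chain the deck draws (System Rqmts to High-Level Rqmts to Low-Level Rqmts to Code, with Tests tracing to Low-Level Rqmts) over constructed sample identifiers and reports, for each link in the chain, the downstream items that trace to nothing (dead code, derived requirements needing safety review) and the upstream items nothing traces to (untested or unimplemented requirements). The layer names, item identifiers and links are all assumptions made for the example.

```python
"""Bidirectional traceability check: top-to-bottom, and back.

Added example, not from the Afuzion slides. Every identifier and link below
is constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Trace relations as (upstream_layer, downstream_layer); assumed for the example.
RELATIONS: List[Tuple[str, str]] = [
    ("SYS", "HLR"),   # system requirements -> high-level requirements
    ("HLR", "LLR"),   # high-level -> low-level requirements
    ("LLR", "CODE"),  # low-level requirements -> source modules
    ("LLR", "TEST"),  # low-level requirements -> test cases
]

# Every configuration item, grouped by layer (constructed sample data).
ITEMS: Dict[str, Set[str]] = {
    "SYS": {"SYS-1", "SYS-2"},
    "HLR": {"HLR-1", "HLR-2", "HLR-3"},
    "LLR": {"LLR-1", "LLR-2"},
    "CODE": {"gear_ctl.c", "airspeed.c", "legacy_util.c"},
    "TEST": {"TC-1"},
}

# Item -> set of upstream items it traces to (constructed sample data).
LINKS: Dict[str, Set[str]] = {
    "HLR-1": {"SYS-1"},
    "HLR-2": {"SYS-1"},
    "HLR-3": set(),          # no system parent: a derived requirement
    "LLR-1": {"HLR-1"},
    "LLR-2": {"HLR-2"},
    "gear_ctl.c": {"LLR-1"},
    "airspeed.c": {"LLR-2"},
    "legacy_util.c": set(),  # no requirement parent: dead-code candidate
    "TC-1": {"LLR-1"},
}


def trace_gaps(items: Dict[str, Set[str]], links: Dict[str, Set[str]],
               relations: List[Tuple[str, str]]) -> Dict[Tuple[str, str], Dict[str, Set[str]]]:
    """Return {(up, down): {"untraced": ..., "uncovered": ...}} per relation.

    untraced  = items in `down` with no link to any item in `up` (bottom-to-top gap)
    uncovered = items in `up` that no item in `down` links to   (top-to-bottom gap)
    """
    gaps: Dict[Tuple[str, str], Dict[str, Set[str]]] = {}
    for up, down in relations:
        up_items, down_items = items[up], items[down]
        untraced = {d for d in down_items if not (links.get(d, set()) & up_items)}
        covered: Set[str] = set()
        for d in down_items:
            covered |= links.get(d, set()) & up_items
        gaps[(up, down)] = {"untraced": untraced, "uncovered": up_items - covered}
    return gaps


def is_fully_traced(items: Dict[str, Set[str]], links: Dict[str, Set[str]],
                    relations: List[Tuple[str, str]]) -> bool:
    """True only when no relation has a gap in either direction."""
    return all(not g["untraced"] and not g["uncovered"]
               for g in trace_gaps(items, links, relations).values())


if __name__ == "__main__":
    for (up, down), g in trace_gaps(ITEMS, LINKS, RELATIONS).items():
        print(f"{up} -> {down}: untraced={sorted(g['untraced'])} "
              f"uncovered={sorted(g['uncovered'])}")
    print("fully traced:", is_fully_traced(ITEMS, LINKS, RELATIONS))
```

On the sample data the check flags HLR-3 as untraced (a derived requirement), SYS-2 and LLR-2 as uncovered (no child requirement, no test) and legacy_util.c as code with no requirement behind it; each of those is a finding an auditor raises under attribute 4, and the run does not report the project as fully traced until every one of them is closed.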
Slide 14: Key Principle: DO-178C Objectives by Level
Level A: 71 Objectives (30 with independence)
Level B: 69 Objectives (18 with independence)
Level C: 62 Objectives (5 with independence)
Level D: 26 Objectives (2 with independence)
Level E: No Objectives (just prove you are Level E!)
Slide 15: DO-178 Five Key Plans
1. PSAC: Plan for Software Aspects of Certification
2. SQAP: Software Quality Assurance Plan
3. SCMP: Software Configuration Management Plan
4. SWDP: Software Development Plan
5. SWVP: Software Verification Plan
(Plus 3 Standards: Requirements, Design and Coding)
Slide 16: Additional Documents/Artifacts
1. Software Requirements Standard
2. Software Design Standard
3. Software Coding Standard
4. Software Configuration Index (SCI) or Version Description Document (VDD)
5. Software Traceability Matrix (STM)
6. Requirements, Design, Code and Tests/Results
7. Tool Qualification Plan/Data/Assessment
8. Software Environment Configuration Index (SECI), submitted to FAA
9. Software Accomplishment Summary (SAS), submitted to FAA
10. CM Records & Problem Reports
11. QA & DER Audit Records
12. Checklists for each process step and artifact
Slide 17: Scope of DO-178 & DO-254?
(Diagram of a typical avionics LRU, flattened)
Hardware elements, DO-254: PLD, ASIC, FPGA, CPU
Software elements, DO-178: RTOS, BSP, Math, APP SW, Drivers
Criticality Levels
Level A = Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system functions resulting in a catastrophic failure condition for the aircraft.
Why Different Criticality Levels?
Why does 178/254 have different criticality levels?
Who were the major 178/254 contributors?
What were their major concerns? Schedule; Cost; Safety, but with reasonableness
Slide 20: DO-178 Criticality Level Comparison (NOT for DO-254; see DO-254 section later)
Reprinted from FAA Public Presentation
DO-178 Aspect                               Level A  Level B  Level C  Level D
Independence Level                          High     Medium   Low      Very Low
Necessity of Low-Level Requirements         Yes      Yes      Yes      No
Statement Structural Coverage               Yes      Yes      Yes      No
Decision/Condition Structural Coverage      Yes      Yes      No       No
MCDC Structural Coverage                    Yes      No       No       No
Configuration Management                    Tight    Tight    Medium   Low
Source to Binary Correlation                Yes      No       No       No
Requirements Correlate to Target Processor  Yes      Yes      No       No
Architecture & Algorithms Verification      Yes      Yes      Yes      No
Code Reviews                                Yes      Yes      Yes      No
SQA Transition Criteria                     Yes      Yes      Yes      No
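The three structural coverage rows of the table (statement for A/B/C, decision/condition for A/B, MC/DC for A only) are the ones most often misjudged on a project, because a test set that drives the decision both true and false does not necessarily show that each condition independently controls it. The following is an added example, not from the deck or the FAA presentation it reprints: it checks a constructed three-condition decision (a hypothetical gear_down and (airspeed_ok or override)) against decision coverage and unique-cause MC/DC, maps each level to the table's strongest coverage row, and finds the smallest MC/DC test set by exhaustive search. The decision, the test vectors and the reading of the "Decision/Condition" row as decision coverage plus condition coverage are assumptions made for the example.

```python
"""Structural coverage by DO-178 level, checked on one decision.

Added example, not from the Afuzion slides or the FAA table they reprint.
The decision name and the test vectors are constructed.
"""
from itertools import combinations, product
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Vector = Tuple[bool, ...]
Decision = Callable[..., bool]


def deploy(gear_down: bool, airspeed_ok: bool, override: bool) -> bool:
    """Hypothetical three-condition decision."""
    return gear_down and (airspeed_ok or override)


def decision_coverage(fn: Decision, vectors: Iterable[Vector]) -> bool:
    """The decision as a whole took both outcomes."""
    return {fn(*v) for v in vectors} == {True, False}


def condition_coverage(vectors: Iterable[Vector], n: int) -> bool:
    """Every condition took both truth values (regardless of outcome)."""
    vs = list(vectors)
    return all({v[i] for v in vs} == {True, False} for i in range(n))


def mcdc_pairs(fn: Decision, vectors: Iterable[Vector], n: int
               ) -> Dict[int, Optional[Tuple[Vector, Vector]]]:
    """For each condition index, a unique-cause MC/DC pair found in `vectors`:
    two vectors that differ only in that condition and whose outcomes differ,
    showing the condition independently affects the decision. None when no
    pair in the set isolates that condition."""
    vs = list(dict.fromkeys(vectors))  # drop duplicates, keep order
    pairs: Dict[int, Optional[Tuple[Vector, Vector]]] = {}
    for i in range(n):
        pairs[i] = next(
            ((x, y) for x in vs for y in vs
             if x[i] and not y[i]
             and all(x[j] == y[j] for j in range(n) if j != i)
             and fn(*x) != fn(*y)),
            None)
    return pairs


def mcdc_coverage(fn: Decision, vectors: Iterable[Vector], n: int) -> bool:
    """Unique-cause MC/DC: every condition has an isolating pair."""
    return all(p is not None for p in mcdc_pairs(fn, list(vectors), n).values())


# Strongest structural coverage row that applies at each level, per the table.
# "Decision/Condition" is read here as decision coverage plus condition coverage.
REQUIRED = {"A": "mcdc", "B": "decision", "C": "statement", "D": None}


def meets_level(level: str, fn: Decision, vectors: Iterable[Vector], n: int) -> bool:
    """Does this test set meet the structural coverage objective for `level`?"""
    vs = list(vectors)
    checks = {
        "statement": lambda: len(vs) > 0,  # the decision was executed at all
        "decision": lambda: decision_coverage(fn, vs) and condition_coverage(vs, n),
        "mcdc": lambda: mcdc_coverage(fn, vs, n),
    }
    req = REQUIRED[level]
    return True if req is None else checks[req]()


def minimal_mcdc_set(fn: Decision, n: int) -> List[Vector]:
    """Smallest test set achieving unique-cause MC/DC, by exhaustive search
    (fine for a handful of conditions). Returns [] when some condition can
    never independently change the outcome, i.e. MC/DC is unattainable."""
    space = list(product((False, True), repeat=n))
    for k in range(1, len(space) + 1):
        for combo in combinations(space, k):
            if mcdc_coverage(fn, combo, n):
                return list(combo)
    return []


# Constructed test sets for `deploy`.
B_SET = [(True, True, False), (False, False, True)]  # both outcomes, each condition both ways
A_SET = [(True, True, False), (False, True, False),  # isolates gear_down
         (True, False, False),                       # isolates airspeed_ok (with the first)
         (True, False, True)]                        # isolates override (with the third)

if __name__ == "__main__":
    for level in "ABCD":
        print(level, "B_SET:", meets_level(level, deploy, B_SET, 3),
              "A_SET:", meets_level(level, deploy, A_SET, 3))
    print("minimal MC/DC set:", minimal_mcdc_set(deploy, 3))
```

B_SET satisfies the Level B row (both outcomes, every condition seen both ways) yet isolates none of the three conditions, so it fails Level A; A_SET adds the two vectors that isolate airspeed_ok and override, which is why MC/DC for three conditions needs four vectors rather than two. The same search also exposes a decision in which a condition never matters, which is a code-quality finding in its own right.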
Slide 21: Special Terminology
Certified: the entire system is certified for flight, while components may have different certification Levels
Certifiable: a component within a system achieving its highest certification status prior to certifying it with a certified system
Compliant: certification via an entity other than the FAA (e.g. Military or non-commercial avionics)
Qualified: formal approval of a tool which (since it does not fly) does not require certification
Slide 22: Cost Differential per Criticality Level
(Bar chart; only its axes survived extraction. Y axis: Certification $ Delta %, 0 to 40. X axis: Level E, Level D, Level C, Level B, Level A.)
Slide 23: Top DO-178 & DO-254 Mistakes
1. Neglecting Independence
2. Science projects versus proven technologies
3. Inadequate formal plans and not following them
4. Inadequate level of detail in Requirements
5. Inadequate and non-automated Traceability
6. Excessive code iterations via inadequate reviews/tools
7. Lack of path coverage capture during functional tests
8. Lack of automated testing = Expen$ive Regression Test
9. Creating custom RTOS & Tools
10. Neglecting to eliminate early-stage coding errors
11. Neglecting to prevent unwarranted changes via CM
12. Insufficient PSAC/PHAC
13. Insufficient Tool Qualification
14. Not taking credit for existing legacy work => Gap Analysis
15. Weak DO-178/254 Checklists & poor Checklist management
Slide 24: Safety Assessments: The Big Four
1. Functional Hazard Assessment (FHA): identify potential failures and their effects, then classify the severity of each
2. Preliminary Aircraft/System Safety Assessment (PASA or PSSA): analyze the proposed architecture to determine how failures identified in the FHA could occur; yields safety requirements
3. Aircraft/System Safety Assessment: evaluate aircraft systems to determine if safety requirements are met
4. Common Cause Analysis: verify that independence of functions and systems is sufficient for the defined safety
Slide 25: The Three Key Processes
1. Planning Process, producing the five plans: 1. PSAC, 2. QA Plan, 3. CM Plan, 4. SWD Plan, 5. SWV Plan
2. Development Process
3. Correctness Process
Slide 26: Configuration Management Plan Overview (Plan 3: SCMP)
Configuration Management Objectives:
1. Baseline & Traceability
2. Change Control, Problem Reporting & Review
3. Configuration Identification
4. Version Control & Replication
Slide 27: The Development Process Starts With System Requirements
System Rqmts => Rqmts => Design => Code => Integration
(Context: 1. Planning Process, 2. Development Process, 3. Correctness Process)
Slide 28: Design Overview
DO-178 & 254 provide for design/documentation flexibility
Design requires four key aspects:
1. Low-Level Rqmts
2. Interface Definitions
3. Data Flow
4. Control Flow

Slide 29: Rqmts vs Design
Low-level Requirements: what are they?
Answer: the overlap of High-Level Rqmts & Design = Low-Level Rqmts
(Diagram: High-Level Rqmts overlapping Design; the Design region holds 1. Low-Level Rqmts, 2. Interface Definitions, 3. Data Flow, 4. Control Flow)
Slide 30: DO-178C: Verification Pyramid Foundation
(Pyramid layers as extracted: Analysis, Tests, Reviews)
Slide 31: The Verification Equation
Verification = Reviews + Tests & Analysis
Slide 32: Reviews Use Entry Criteria, plus a checklist
All Reviews need configured Entry (input) Criteria
Example: Code Review. What is needed to perform a Code Review?
1. _____________
2. _____________
3. _____________
4. _____________
5. _____________
6. _____________
Slide 33: Example: Code Review Transition Criteria
What are the Inputs & Outputs for a Code Review?
Inputs to the Code Review:
1. Source Code
2. Code Review Checklist
3. Coding Standard
4. Software Design
5. Software Requirements
6. Rqmts Trace Matrix
Outputs (Transition):
1. Completed Checklist
2. Action Items & Defects
Slide 34: Software Testing
Four Categories of Tests:
1. Functional Tests: all Requirements
2. Normal Range Tests: "Sunny Day" conditions
3. Robustness Tests: "Rainy Day" conditions
4. Structural Coverage Analysis: cover all code
Slide 35: DO-178C & DO-254 For Military
DO-178C for Supplier/Integrator Management for Military
Examples of Military Aircraft: which are DO-178?
Issues & Differences: Military Certification/Concerns
Supplier/Integrator Top Issues/Concerns
Examples
C-130 & C-17: many new and reverse-engineered avionics systems, per DO-178B
F-35: most avionics systems, DO-178B
B-1 & B-2: many new and reverse-engineered avionics systems, per DO-178B
Issues: Software Considerations
Functionality with no regulatory basis:
Search & Rescue
Dedicated communication radios
Coupled flight
Autoflight customizations
Aerial refueling software / Boom control
Fuel management
Weapons delivery
Terrain following or low-level operations
Black or Silent communications/navigation
High-performance operations
Issues: Software Considerations
Differences for Military DO-178C:
Less, but different, emphasis on Safety Analysis
Less redundancy but harsher operational environments; does Commercial measure up?
Agency approval: generally not FAA/EASA
All documents reviewed by military/customer; not just PSAC, CI, SAS
Military Criticality Level Considerations
Criticality Level based upon passenger safety? No.
Aircraft safety?
Civilian areas?
Aircraft protection (anti-missile defense, etc.)?
Mission success probability?
Slide 41: Special Topic: Cost, Estimation, & Metrics
Slide 42: DO-178C Cost Metrics, Level B
CM & QA: 10%
DER Services: 2-3%
Management: 4-7%
Rqmts Development: 10%
Design: 10%
Code: 25%
Verification: 35%
What are the Primary Cost Drivers?
1. Accurate & Detailed Rqmts
2. Accurate & Thorough Reviews
3. Minimal Code Changes
4. Efficient Testing
Slide 43: Costing for DO-178/254
Does Cost ($) Matter? Yes!
Are DO-178 & DO-254 Cheap? No!
Can DO-178/254 Be Cost-Effective? Yes, but only if done smart
Remember: Do you out-run the bear?
What are the Top 20 Issues to address for $?
Slide 44: ROI vs DO-178C: Hilderman Perfection Curve (Not FAA/EASA Approved)
(Chart plotting ROI against DO-178C's 71 Objectives)
Slide 45: Top 20 Cost Issues
1. Cert versus Compliance
2. Augmenting existing Plans for DO-178 (5 Key Process Plans)
3. PSAC & SAS
4. Application of DO-254
5. DO-178 Correlation
6. DER Support
7. Formalization of Rqmts & Traceability
8. Automated Functional Test Environment
9. Formalization of Design Methodology
10. Structural Coverage
11. Static Code Analysis
11. Software Test Tool Selection
12. Software Tool Qualification
13. RTOS Considerations
14. BSP Certifiability
15. Previously Existent Software
16. Gap Analysis
17. Reverse Engineering
18. QA Upgrades for DO-178, including Audits
19. CM Tool: ClearCase?
20. Graphics Package/Libraries
Slide 46: Conclusion Q & A
For Advanced DO-178C Training information, see:
http://afuzion.com/avionics-training/workshops/avionics-software-advanced-do-178c-training-class/
For DO-178C Gap Analysis information, see:
http://afuzion.com/gap-analysis/
Slide 47: Conclusion Q & A
Coming in 2017: