Copyright 2016-2017 Throughout document. DO-178C (With DO-254) Overview – 1 Hour

DO-178C Overview (from AFuzion Inc): excerpt of training provided to 11,500 engineers worldwide.

Jan 07, 2017



Vance Hilderman
  • Copyright 2016-2017 Throughout document

    Slide 1

    DO-178C (With DO-254) Overview – 1 Hour

  • Copyright Afuzion Inc Slide 2

    Almost Famous Quotes

    The School Of Avionics Wishful Thinking has many students, but no graduates (Vance Hilderman)

    DO-178 is the worst standard in the world; except for all the others (Vance Hilderman paraphrasing Winston Churchill)

    Flight safety is simple: the number of successful landings should equal the number of take-offs. (Author Unknown)

    Notes about this training manual: The DO-178 related material was 100% developed from scratch, beginning in 1989 and continuing through 2015 via copyright from Vance Hilderman.

  • About Your Instructor (Today: Vance Hilderman)

    BSEE, MBA, MSEE (Hughes Fellow)

    Founder of two of the world's largest avionics development services companies

    Has personally trained over 11,000 persons; more than all other DO-178/254 instructors in the world combined.

    Has successfully contributed to over 300 diverse avionics projects

    Proven Systems, Hardware and Software success with over 100 different clients

    Has worked with 40+ of North America's largest avionics companies and 75 of the world's 100 largest aerospace companies

  • Slide 4

    What are DO-178 and DO-254?

    Certification standards for airborne equipment: DO-178 => Software; DO-254 => Hardware

    Regulated by the FAA: Required if target aircraft flies in commercial U.S. airspace

    Covers full engineering lifecycle:

    Planning (CM, QA, Development, Testing)

    Development (Requirements/Design/Implementation)

    Verification

    Quality Assurance, Liaison, Certification

  • Slide 5

    Synopsis of DO-178 and DO-254

    RTCA DO-178: Software Considerations in Airborne Systems and Equipment Certification

    Developed 1980-2012 via 500+ Industry and Government personnel

    Many compromises to satisfy different goals

    Not a recipe book or How To guide

    Discussion flow for guidance; able to accommodate many different development approaches

    Lawyers versus Software Engineers; who wins?

    In practice: The Golden Rule

  • Slide 6

    Synopsis of DO-254

    RTCA DO-254: Design Assurance Guidance for Airborne Electronic Hardware

    Developed 1996-2000 via 100+ Industry and Government personnel

    The committee was mostly software people (Thus similar to DO-178)

    Strong focus on Complex Electronic Hardware (CEH) devices (with embedded code)

    Provides design assurance for CEH including Programmable Logic Devices (PLDs) and Application Specific Integrated Circuits (ASICs).

    Covers all electronic hardware.

  • Slide 7

    Avionics Development Ecosystem

    [Figure: 1. Safety Assessment (ARP 4761); 2. System Development (ARP 4754A); 3. Software (DO-178C); 3. Hardware. Labels: Criticality Level, Architectural Inputs, SW Rqmts, HW Rqmts, Tests.]

  • DO-178: Evolution History

    Slide 8

    | Doc | Year | Basis | Themes |
    |---|---|---|---|
    | DO-178 | 1980-1982 | 498 & 2167A | Artifacts, documents, traceability, testing |
    | DO-178A | 1985 | DO-178 | Processes, testing, components, four criticality levels, reviews, waterfall methodology |
    | DO-178B | 1992 | DO-178A | Integration, transition criteria, diverse development methods, data (not documents), tools |
    | DO-178C | 2012 | DO-178B | Reducing subjectivity; Address modeling, detailed requirements, OOT, Formal Methods: Ecosystem |

  • Slide 9

    DO-178 Document Layout (copied directly from the DO-178 document)

    1. Planning

    2. Development

    3. Correctness

    1. Overview

    2. System Aspects

    3. Lifecycle

    4. Planning Process

    5. Development Process

    6. Verification

    7. Configuration Mgmt

    8. Quality Assurance

    9. Certification Liaison

    10. Overview of Aircraft And Engine Certification

    11. Data & Considerations

    A. Objectives by Cert Level

  • Slide 10

    DO-254 Layout

    Correctness/Supporting Processes

    1. Introduction

    2. System Aspects

    3. Design Lifecycle

    4. Planning Process

    5. Design Process

    6. Validation & Verification

    7. Configuration Mgmt

    8. Process Assurance

    9. Certification Liaison

    10. Lifecycle Data

    11. Additional Considerations

    A. Modulation based on level

    B. Level A and B Specifics

  • Slide 11

    Three Key Processes (same for DO-178 and DO-254)

    1. Planning Process: Occurs first

    2. Development Process: Follows Planning

    3. Correctness Process: Continuous Throughout Project

  • Optimal DO-178 & 254 Engineering Route, By Vance Hilderman (Not FAA/EASA)

    Slide 12

    [Figure: timeline across Time (Planning Phase) and Time (Development & Correctness Phases). Activities: Safety Assessment &; Develop Plans, Stnds, Chklsts; Develop Traceability; Implement CM; High-Level Rqmts; Start QA; Low-Level Rqmts; Code & Logic; Verification & Validation. Milestones: SOI #1, SOI #2, SOI #3, SOI #4.]


  • Slide 13

    DO-178 and DO-254 Key Attributes (similar for DO-178 and DO-254)

    1. Detailed planning

    2. Five Criticality Levels (A, B, C, D, E)

    3. Consistency & Determinism

    4. Traceability: top-to-bottom, and back

    5. Independence (especially Levels A/B)

    6. Path testing

    7. Proven Tools (Qualification)

    8. Up to 20 artifact types and 71 objectives

    9. Guilty Until Proven Innocent

  • Slide 14

    Key Principle: DO-178C Objectives by Level

    Level A: 71 Objectives (30 with independence)

    Level B: 69 Objectives (18 with independence)

    Level C: 62 Objectives (5 with independence)

    Level D: 26 Objectives (2 with independence)

    Level E: No Objectives (just prove you are Level E!)


  • DO-178 Five Key Plans

    Slide 15

    PSAC: Plan for Software Aspects of Certification

    SQAP: Software Quality Assurance Plan

    SCMP: Software Configuration Management Plan

    SWDP: Software Development Plan

    SWVP: Software Verification Plan

    (Plus 3 Standards: Requirements, Design and Coding)

  • Slide 16

    Additional Documents/Artifacts

    1. Software Requirements Standard

    2. Software Design Standard

    3. Software Coding Standard

    4. Software Configuration Index (SCI) or Version Description Document (VDD)

    5. Software Traceability Matrix (STM)

    6. Requirements, Design, Code and Tests/Results

    7. Tool Qualification Plan/Data/Assessment

    8. Software Environment Configuration Index (SECI) - Submitted to FAA

    9. Software Accomplishment Summary (SAS) - Submitted to FAA

    10. CM Records & Problem Reports

    11. QA & DER Audit Records

    12. Checklists for each process step and artifact

  • Slide 17

    Scope of DO-178 & DO-254?

    [Figure: Typical Avionics LRU. Surviving label: APP SW.]

  • Criticality Levels

    Level A = Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system functions resulting in a catastrophic failure condition for the aircraft.

  • Why Different Criticality Levels?

    Why Does 178/254 Have Different Criticality Levels?

    Who were major 178/254 contributors?

    What were their major concerns? Schedule


    Safety, but with reasonableness

    Level A

  • DO-178 Criticality Level Comparison (NOT for DO-254; See DO-254 Section Later)

    | DO-178 Aspect | Level A | Level B | Level C | Level D |
    |---|---|---|---|---|
    | Independence Level | High | Medium | Low | Very Low |
    | Necessity of Low-Level Requirements | Yes | Yes | Yes | No |
    | Statement Structural Coverage | Yes | Yes | Yes | No |
    | Structural Coverage | Yes | Yes | No | No |
    | MCDC Structural Coverage | Yes | No | No | No |
    | Configuration Management | Tight | Tight | Medium | Low |
    | Source to Binary Correlation | Yes | No | No | No |
    | Requirements Correlate to Target processor | Yes | Yes | No | No |
    | Architecture & Algorithms Verification | Yes | Yes | Yes | No |
    | Code Reviews | Yes | Yes | Yes | No |
    | SQA Transition Criteria | Yes | Yes | Yes | No |

    Slide 20. Reprinted from FAA Public Presentation

  • Slide 21

    Special Terminology

    Certified: the entire system is Certified for flight, while components may have different certification Levels

    Certifiable: a component within a system achieving its highest certification status prior to certifying it with a certified system

    Compliant: certification via an entity other than the FAA (e.g. Military or non-commercial avionics)

    Qualified: formal approval of a tool which (since it does not fly) does not require certification

  • Cost Differential per Criticality Level

    Slide 22

    [Figure: Certification $ Delta % by level: Level E, Level D, Level C, Level B, Level A.]

  • Slide 23

    Top DO-178 & DO-254 Mistakes

    1. Neglecting Independence

    2. Science projects versus proven technologies

    3. Inadequate formal plans and not following them

    4. Inadequate level of detail in Requirements

    5. Inadequate and non-automated Traceability

    6. Excessive code iterations via inadequate reviews/tools

    7. Lack of path coverage capture during functional tests

    8. Lack of automated testing = Expen$ive Regression Test

    9. Creating custom RTOS & Tools

    10. Neglecting to eliminate early-stage coding errors

    11. Neglecting to prevent unwarranted changes via CM

    12. Insufficient PSAC/PHAC

    13. Insufficient Tool Qualification

    14. Not taking credit for existing legacy work => Gap Analysis

    15. Weak DO-178/254 Checklists & poor Checklist management

  • Slide 24

    Safety Assessments: The Big Four

    4. Common Cause Analysis

    Verify independence of functions and systems is sufficient for defined safety

    3. Aircraft/System Safety Assessment

    Evaluate aircraft systems to determine if safety requirements are met

    2. Preliminary Aircraft/System Safety Assessment - PASA or PSSA

    Analyze the proposed architecture to determine how failures identified in FHA could occur; yields safety requirements

    1. Functional Hazard Assessment - FHA

    Identify potential failures and their effects, then classify the severity of each

  • The Three Key Processes

    Slide 25

    1. Planning Process

    2. Development Process

    3. Correctness Process

  • Slide 26

    Configuration Management Plan Overview

    Configuration Management Objectives:

    1. Baseline & Traceability

    2. Change Control, Prob Reporting &

    3. Configuration Identification

    4. Version Control & Replication

    3. SCMP

  • The Development Process Starts With System Requirements

    Slide 27

    [Figure: Rqmts, Rqmts, Design, Code]

    1. Planning Process

    2. Development Process

    3. Correctness Process

  • Slide 28

    DO-178 & 254 provide for design/documentation flexibility

    Design requires four key aspects:

    1. Low-Level Rqmts

    2. Interface

    3. Data Flow

    4. Control Flow

  • Rqmts Vs Design

    Slide 29

    Low-level Requirements: What are they?

    Overlap of High-Level Rqmts & Design = Low-Level Rqmts

    [Figure labels: 1. Low-; 2. Interface; 3. Data; 4. Control; Design; Low-Level Rqmts]

  • Slide 30

    DO-178C: Verification Pyramid Foundation




  • Slide 31

    The Verification Equation

    [Figure: Verification; Reviews; Tests & Analysis]

  • Slide 32

    Reviews Use Entry Criteria, plus a checklist

    All Reviews need configured Entry (input) Criteria

    Example: Code Review. What is needed to perform Code Review?

    1. _____________

    2. _____________

    3. _____________

    4. _____________

    5. _____________

    6. _____________

  • Slide 33

    Example: Code Review Transition Criteria

    What are the Inputs & Outputs for a Code Review?

    Inputs:

    1. Source Code

    2. Code Review Checklist

    3. Coding Standard

    4. Software Design

    5. Software Requirements

    6. Rqmts Trace Matrix

    Outputs:

    1. Completed Checklist

    2. Action Items & Defects


  • Slide 34

    Software Testing

    Four Categories of Tests:

    1. Functional Tests

    All Requirements

    2. Normal Range Tests

    Sunny Day conditions

    3. Robustness Tests

    Rainy Day conditions

    4. Structural Coverage Analysis

    Cover all code

  • Slide 35

    DO-178C & DO-254 For Military

  • DO-178C for Supplier/Integrator Management for Military

    Examples of Military Aircraft: Which are DO-178?

    Issues & Differences: Military

    Supplier Integrator Top Issues/Concerns

  • C-130 & C-17

    Many new and reverse-engineering avionics systems, per DO-178B

    Most avionics systems: DO-178B

    B-1 & B-2

    Many new and reverse-engineering avionics systems, per DO-178B

  • ISSUES Software Considerations

    Functionality with no regulatory basis Search & Rescue

    Dedicated communication radios

    Coupled flight Dedicated communications radios

    Autoflight customizations

    Aerial refueling software Boom control

    Fuel management

    Weapons delivery

    Terrain following or low-level operations

    Black or Silent communications/navigation

    High-performance operations

  • ISSUES Software Considerations

    Differences for Military DO-178C: Less, but different, emphasis on Safety Analysis

    Less redundancy but harsher operational environments; does Commercial measure up?

    Agency approval: generally not FAA/EASA

    All documents reviewed by military/customer; not just PSAC, CI, SAS

  • Military Criticality Level Considerations

    Criticality Level:

    based upon passenger safety? No.

    Aircraft safety?

    Civilian areas?

    Aircraft protection (anti-missile defense, etc)?

    Mission success probability?

  • Slide 41

    Special Topic:

    Cost, Estimation, & Metrics

  • DO-178C Cost Metrics: Level B

    Slide 42

    CM & QA: 10%; DER Services: 2-3%; Management: 4-7%; Rqmts Development: 10%; Design: 10%; Code: 25%; Verification: 35%

    What are Primary Cost Drivers?

    1. Accurate & Detailed Rqmts

    2. Accurate & Thorough Reviews

    3. Minimal Code Changes

    4. Efficient Testing

  • Slide 43

    Costing for DO-178/254

    Does Cost ($) Matter? Yes!

    Are DO-178 & DO-254 Cheap? No!

    Can DO-178/254 Be Cost-Effective? Yes, but only if done smart

    Remember: Do you out-run the bear?

    What are the Top 20 Issues to address for $?

  • Slide 44

    ROI vs DO-178C: Hilderman Perfection Curve (Not FAA/EASA Approved)

    DO-178C's 71 Objectives

  • Slide 45

    Top 20 Cost Issues

    1. Cert versus Compliance

    2. Augmenting existing Plans for DO-178 (5-Key Process Plans)

    3. PSAC & SAS

    4. Application of DO-254

    5. DO-178 Correlation

    6. DER Support

    7. Formalization of Rqmts & Traceability

    8. Automated Functional Test Environment

    9. Formalization of Design Methodology

    10. Structural Coverage

    11. Static Code Analysis

    11. Software Test Tool Selection

    12. Software Tool Qualification

    13. RTOS Considerations

    14. BSP Certifiability

    15. Previously Existent Software

    16. Gap Analysis

    17. Reverse Engineering

    18. QA Upgrades for DO-178, including Audits

    19. CM Tool: Clear case?

    20. Graphics


  • Slide 46

    Conclusion Q & A

    For Advanced DO-178C Training information, see:


    For DO-178C Gap Analysis information, see:

  • Slide 47

    Conclusion Q & A

    Coming in 2017: