Transcript
Page 1: DO-178C Overview (from AFuzion Inc): excerpt of training provided to 11,500 engineers worldwide.

Copyright 2016-2017– Throughout document

Slide 1: DO-178C (With DO-254) Overview – 1 Hour

Slide 2: Almost Famous Quotes

“The School Of Avionics Wishful Thinking has many students, but no graduates …” (Vance Hilderman)

“DO-178 is the worst standard in the world; except for all the others” (Vance Hilderman paraphrasing Winston Churchill)

“Flight safety is simple: the number of successful landings should equal the number of take-offs.” (Author Unknown)

Notes about this training manual: The DO-178 related material was developed 100% from scratch, beginning in 1989 and continuing through 2015, under copyright by Vance Hilderman.

Slide 3: About Your Instructor (Today: Vance Hilderman)

BSEE, MBA, MSEE (Hughes Fellow)

Founder of two of the world’s largest avionics development services companies

Has personally trained over 11,000 persons; more than all other DO-178/254 instructors in the world, combined.

Has successfully contributed to over 300 diverse avionics projects

Proven Systems, Hardware and Software success with over 100 different clients

Has worked with 40+ of North America’s largest avionics companies and 75 of the world’s 100 largest aerospace companies

Slide 4: What are DO-178 and DO-254?

Certification standards for airborne equipment: DO-178 => Software; DO-254 => Hardware

Regulated by the FAA

Required if target aircraft flies in commercial U.S. airspace

Covers full engineering lifecycle: Planning (CM, QA, Development, Testing); Development (Requirements/Design/Implementation); Verification; Quality Assurance, Liaison, Certification

Slide 5: Synopsis of DO-178 and DO-254

• RTCA DO-178: “Software Considerations in Airborne Systems and Equipment Certification”

• Developed 1980 – 2012 via 500+ Industry and Government personnel

• Many compromises to satisfy different goals

• Not a recipe book or “How To” guide

• “Discussion” flow for guidance; able to accommodate many different development approaches

• Lawyers versus Software Engineers; who wins?

• In practice: The Golden Rule …

Slide 6: Synopsis of DO-254

• RTCA DO-254: “Design Assurance Guidance for Airborne Electronic Hardware”

• Developed 1996 – 2000 via 100+ Industry and Government personnel

• The committee was mostly software people (thus similar to DO-178)

• Strong focus on Complex Electronic Hardware (CEH) devices (with embedded ‘code’)

• Provides design assurance for CEH including Programmable Logic Devices (PLDs) and Application Specific Integrated Circuits (ASICs).

• Covers all electronic hardware.

Slide 7: Avionics Development Ecosystem

(Figure, with the flows shown on the slide:)

1. Safety Assessment – ARP 4761: provides Criticality Level and Architectural Inputs

2. System Development – ARP 4754A: provides SW Rqmts and HW Rqmts

3. Software – DO-178C (SW Rqmts; Tests)

3. Hardware – DO-254 (HW Rqmts; Tests)

Slide 8: DO-178: Evolution History

Doc       Year        Basis         Themes
DO-178    1980-1982   498 & 2167A   Artifacts, documents, traceability, testing
DO-178A   1985        DO-178        Processes, testing, components, four criticality levels, reviews, waterfall methodology
DO-178B   1992        DO-178A       Integration, transition criteria, diverse development methods, data (not documents), tools
DO-178C   2012        DO-178B       Reducing subjectivity; address modeling, detailed requirements, OOT, Formal Methods: “Ecosystem”

Slide 9: DO-178 Document Layout (copied directly from the DO-178 document)

The sections group into the three key processes: 1. Planning; 2. Development; 3. Correctness

1. Overview

2. System Aspects

3. Lifecycle

4. Planning Process

5. Development Process

6. Verification

7. Configuration Mgmt

8. Quality Assurance

9. Certification Liaison

10. Overview of Aircraft And Engine Certification

11. Data & Considerations

A. Objectives by Cert Level

Slide 10: DO-254 Layout

The sections group into: Planning; Development; Correctness/Supporting Processes

1. Introduction

2. System Aspects

3. Design Lifecycle

4. Planning Process

5. Design Process

6. Validation & Verification

7. Configuration Mgmt

8. Process Assurance

9. Certification Liaison

10. Lifecycle Data

11. Additional Considerations

A. Modulation based on level

B. Level A and B Specifics

Slide 11: Three Key Processes (same for DO-178 and DO-254)

1. Planning Process – Occurs first

2. Development Process – Follows Planning

3. Correctness Process – Continuous Throughout Project

Slide 12: Optimal DO-178 & 254 Engineering Route – By Vance Hilderman (Not FAA/EASA)

(Timeline figure; activities listed in slide order)

Time (Planning Phase): Safety Assessment & Systems Rqmts; Develop Plans, Stnds, Chklsts; Develop Traceability; Implement CM

Time (Development & Correctness Phases): High-Level Rqmts; Start QA; Low-Level Rqmts; Design; Code & Logic; Verification & Validation; Integration; Conformity Review; Cert

SOI #1, SOI #2, SOI #3 and SOI #4 are marked along the route

Slide 14: Key Principle: DO-178C Objectives by Level

• Level A: 71 Objectives (30 with independence)

• Level B: 69 Objectives (18 with independence)

• Level C: 62 Objectives (5 with independence)

• Level D: 26 Objectives (2 with independence)

• Level E: No Objectives (just prove you are Level E!)

Slide 15: DO-178 Five Key Plans

1. PSAC: Plan for Software Aspects of Certification

2. SQAP: Software Quality Assurance Plan

3. SCMP: Software Configuration Management Plan

4. SWDP: Software Development Plan

5. SWVP: Software Verification Plan

(Plus 3 Standards: Requirements, Design and Coding)

Slide 16: Additional Documents/Artifacts

1. Software Requirements Standard

2. Software Design Standard

3. Software Coding Standard

4. Software Configuration Index (SCI) or Version Description Document (VDD)

5. Software Traceability Matrix (STM)

6. Requirements, Design, Code and Tests/Results

7. Tool Qualification Plan/Data/Assessment

8. Software Environment Configuration Index (SECI) – Submitted to FAA

9. Software Accomplishment Summary (SAS) – Submitted to FAA

10. CM Records & Problem Reports

11. QA & DER Audit Records

12. Checklists for each process step and artifact

Slide 17: Scope of DO-178 & DO-254?

(Figure: Typical Avionics LRU. Hardware items shown: PLD, ASIC, FPGA, CPU. Software items shown: RTOS, BSP, Math, APP SW, Drivers. DO-254 applies to the hardware side, DO-178 to the software side.)

Slide 18: Criticality Levels

“Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system functions…

A. …resulting in a catastrophic failure condition for the aircraft.” Level A: <1E-09

B. …resulting in a hazardous/severe-major failure condition for the aircraft.” Level B: <1E-07

C. …resulting in a major failure condition for the aircraft.” Level C: <1E-05

D. …resulting in a minor failure condition for the aircraft.” Level D: >1E-05

E. …with no effect on aircraft operational capability or pilot workload.” Level E: NA – no further application of 178/254 required.

Slide 19: Why Does 178/254 Have Different Criticality Levels?

Who were major 178/254 contributors?

What were their major concerns? Schedule; Cost; Safety, but with reasonableness

(Figure: Level A <1E-09; Level B <1E-07; Level C <1E-05; Level D >1E-05; Level E NA)

Slide 20: DO-178 Criticality Level Comparison (NOT for DO-254; See DO-254 Section Later)

DO178 Aspect                                 Level A   Level B   Level C   Level D
Independence Level                           High      Medium    Low       Very Low
Necessity of Low-Level Requirements          Yes       Yes       Yes       No
Statement Structural Coverage                Yes       Yes       Yes       No
Decision/Condition Structural Coverage       Yes       Yes       No        No
MCDC Structural Coverage                     Yes       No        No        No
Configuration Management                     Tight     Tight     Medium    Low
Source to Binary Correlation                 Yes       No        No        No
Requirements Correlate to Target Processor   Yes       Yes       No        No
Architecture & Algorithms Verification       Yes       Yes       Yes       No
Code Reviews                                 Yes       Yes       Yes       No
SQA Transition Criteria                      Yes       Yes       Yes       No

(Reprinted from FAA Public Presentation)
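Added example (not from AFuzion’s slides) in Python, illustrating the three structural-coverage rows of the table above: one decision checked for decision coverage (Level B) and for unique-cause MC/DC (Level A), plus a brute-force search for the smallest MC/DC test set. The decision `engage_interlock` and its test vectors are constructed for this illustration only.

```python
from itertools import combinations, product

# Constructed example decision with three conditions:
#   engage = (a OR b) AND c
# a, b: two independent "pilot request" inputs; c: a "system healthy" interlock.
def engage_interlock(a: bool, b: bool, c: bool) -> bool:
    return (a or b) and c

N_CONDITIONS = 3

# Two vectors that give both decision outcomes (decision coverage satisfied)
# but never vary one condition at a time, so MC/DC is not shown.
DECISION_ONLY_TESTS = [(True, True, True), (False, False, False)]

# Four vectors (N+1) that satisfy unique-cause MC/DC for this decision.
MCDC_TESTS = [(True, False, True), (False, False, True),
              (False, True, True), (True, False, False)]

def decision_coverage(decision, tests) -> bool:
    """Decision coverage: the decision has evaluated to both True and False."""
    return {decision(*t) for t in tests} == {True, False}

def mcdc_uncovered(decision, n, tests) -> list:
    """Unique-cause MC/DC: for every condition i there must exist a pair of
    test vectors that differ only in condition i and produce different
    decision outcomes. Returns the indices of conditions lacking such a
    pair (an empty list means full MC/DC)."""
    vectors = {tuple(t) for t in tests}
    uncovered = []
    for i in range(n):
        shown = False
        for a in vectors:
            b = a[:i] + (not a[i],) + a[i + 1:]   # flip only condition i
            if b in vectors and decision(*a) != decision(*b):
                shown = True
                break
        if not shown:
            uncovered.append(i)
    return uncovered

def minimal_mcdc_set(decision, n) -> tuple:
    """Brute-force the smallest test set achieving MC/DC (fine for small n)."""
    all_vectors = list(product((False, True), repeat=n))
    for size in range(1, len(all_vectors) + 1):
        for subset in combinations(all_vectors, size):
            if not mcdc_uncovered(decision, n, subset):
                return subset
    return ()

if __name__ == "__main__":
    print("decision coverage with 2 vectors:",
          decision_coverage(engage_interlock, DECISION_ONLY_TESTS))
    print("MC/DC gaps with those 2 vectors:",
          mcdc_uncovered(engage_interlock, N_CONDITIONS, DECISION_ONLY_TESTS))
    print("MC/DC gaps with 4 vectors:",
          mcdc_uncovered(engage_interlock, N_CONDITIONS, MCDC_TESTS))
    print("smallest MC/DC set:", minimal_mcdc_set(engage_interlock, N_CONDITIONS))
```

The two-vector set passes the Level B decision-coverage check yet leaves all three conditions without an MC/DC pair, which is exactly the gap between the “Decision/Condition” and “MCDC” rows above.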

Slide 21: Special Terminology

“Certified”: the entire “system” is Certified for flight, while components may have different certification Levels

“Certifiable”: a component within a system achieving its highest certification status prior to certifying it with a “certified” system

“Compliant”: certification via an entity other than the FAA (e.g. Military or non-commercial avionics)

“Qualified”: formal approval of a tool which (since it does not “fly”) does not require “certification”

Slide 22: Cost Differential per Criticality Level

(Bar chart: Certification $ Delta %, vertical axis 0 to 40, one bar each for Level E, Level D, Level C, Level B, Level A)

Slide 23: Top DO-178 & DO-254 Mistakes

1. Neglecting “Independence”

2. Science projects versus proven technologies

3. Inadequate formal plans and not following them

4. Inadequate level of detail in Requirements

5. Inadequate and non-automated Traceability

6. Excessive code iterations via inadequate reviews/tools

7. Lack of path coverage capture during functional tests

8. Lack of automated testing = Expen$ive Regression Test

9. Creating custom RTOS & Tools

10. Neglecting to eliminate early-stage coding errors

11. Neglecting to prevent unwarranted changes via CM

12. Insufficient PSAC/PHAC

13. Insufficient Tool Qualification

14. Not taking credit for existing legacy work => “Gap Analysis”

15. Weak DO-178/254 Checklists & poor Checklist management

Slide 24: Safety Assessments: The Big Four

1. Functional Hazard Assessment - FHA: Identify potential failures and their effects, then classify the severity of each

2. Preliminary Aircraft/System Safety Assessment - PASA or PSSA: Analyze the proposed architecture to determine how failures identified in FHA could occur; yields safety requirements

3. Aircraft/System Safety Assessment: Evaluate aircraft systems to determine if safety requirements are met

4. Common Cause Analysis: Verify independence of functions and systems is sufficient for defined safety

Slide 25: The Three Key Processes

1. Planning Process

2. Development Process

3. Correctness Process

The five plans (see Slide 15): 1. PSAC; 2. QA Plan; 3. CM Plan; 4. SWD Plan; 5. SWV Plan

Slide 26: Configuration Management Plan Overview (Plan 3: SCMP)

Configuration Management Objectives:

1. Baseline & Traceability

2. Change Control, Prob Reporting & Review

3. Configuration Identification

4. Version Control & Replication

Slide 27: The Development Process – Starts With System Requirements

System Rqmts => Rqmts => Design => Code => Integration

(Context: 1. Planning Process; 2. Development Process; 3. Correctness Process)

Slide 28: Design Overview

DO-178 & 254 provide for design/documentation flexibility

Design requires four key aspects:

1. Low-Level Rqmts

2. Interface Definitions

3. Data Flow

4. Control Flow

Slide 29: Rqmts Vs Design

Low-level Requirements: What are they?

Answer: Overlap of High-Level Rqmts & Design = Low-Level Rqmts

Design comprises: 1. Low-Level Rqmts; 2. Interface Definitions; 3. Data Flow; 4. Control Flow

(Venn diagram: High-Level Rqmts and Design overlap in the Low-Level Rqmts)
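Added example (not from AFuzion’s slides) in Python: an automated bidirectional trace check over the data items of Slides 27–29 (System Rqmts, High-Level Rqmts, Low-Level Rqmts, Code, Tests), the kind of check a Software Traceability Matrix (Slide 16) must support and whose absence is mistake 5 on Slide 23. The item ids, the id-prefix convention and the trace rows are constructed; the Level D relaxation follows the “Necessity of Low-Level Requirements” row on Slide 20.

```python
from collections import defaultdict

# Constructed trace matrix rows: (child_id, parent_id); parent "" = untraced.
# Id prefixes SYS-/HLR-/LLR-/TC- are an assumed naming convention.
TRACE_ROWS = [
    ("HLR-1", "SYS-1"), ("HLR-2", "SYS-1"), ("HLR-3", "SYS-2"),
    ("LLR-1", "HLR-1"), ("LLR-2", "HLR-1"), ("LLR-3", "HLR-2"),
    ("LLR-9", ""),                 # LLR with no parent requirement
    ("fn_read_sensor", "LLR-1"), ("fn_filter", "LLR-2"),
    ("fn_debug_dump", ""),         # code unit with no requirement behind it
    ("TC-1", "HLR-1"), ("TC-2", "LLR-1"), ("TC-3", "LLR-2"), ("TC-4", "LLR-3"),
]

def kind(item_id: str) -> str:
    """Classify a trace item by id prefix; anything else is a code unit."""
    for prefix, k in (("SYS-", "sys"), ("HLR-", "hlr"),
                      ("LLR-", "llr"), ("TC-", "test")):
        if item_id.startswith(prefix):
            return k
    return "code"

def trace_gaps(rows, level: str) -> dict:
    """Bidirectional trace check; returns sorted lists of untraced items.
    Low-level requirements are only mandatory at Levels A-C (Slide 20),
    so the HLR->LLR check is skipped for Level D."""
    children = defaultdict(set)   # parent_id -> {child_id}
    items = defaultdict(set)      # kind -> {item_id}
    parent_of = {}
    for child, parent in rows:
        items[kind(child)].add(child)
        parent_of[child] = parent
        if parent:
            children[parent].add(child)

    def kids(pid, k):
        return {c for c in children[pid] if kind(c) == k}

    llr_required = level in ("A", "B", "C")
    return {
        "hlr_without_llr": sorted(h for h in items["hlr"]
                                  if llr_required and not kids(h, "llr")),
        "llr_without_parent": sorted(r for r in items["llr"] if not parent_of[r]),
        "code_without_llr": sorted(c for c in items["code"] if not parent_of[c]),
        "llr_without_code": sorted(r for r in items["llr"] if not kids(r, "code")),
        "hlr_without_test": sorted(h for h in items["hlr"] if not kids(h, "test")),
        "llr_without_test": sorted(r for r in items["llr"] if not kids(r, "test")),
    }

if __name__ == "__main__":
    for name, ids in trace_gaps(TRACE_ROWS, "B").items():
        print(f"{name:20s} {ids}")
```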

Slide 30: DO-178C: Verification Pyramid Foundation

(Pyramid, top to bottom as listed on the slide: Analysis; Tests; Reviews)

Slide 31: “The Verification Equation”

Verification = Reviews + Tests & Analysis

Slide 32: Reviews Use Entry Criteria, plus a checklist

All Reviews need configured Entry (input) Criteria

Example: Code Review. What is needed to perform Code Review?

1. _____________

2. _____________

3. _____________

4. _____________

5. _____________

6. _____________

Slide 33: Example: Code Review “Transition Criteria”

What are the Inputs & Outputs for a Code Review?

Inputs to the Code Review: 1. Source Code; 2. Code Review Checklist; 3. Coding Standard; 4. Software Design; 5. Software Requirements; 6. Rqmts Trace Matrix

Outputs (“Transition”) from the Code Review: 1. Completed Checklist; 2. Action Items & Defects

Slide 34: Software Testing

Four Categories of Tests:

1. Functional Tests – All Requirements

2. Normal Range Tests – “Sunny Day” conditions

3. Robustness Tests – “Rainy Day” conditions

4. Structural Coverage Analysis – Cover all code

Slide 35: DO-178C & DO-254 For Military

Slide 36: DO-178C for Supplier/Integrator Management for Military

Examples of Military Aircraft: Which are DO-178?

Issues & Differences: Military Certification/Concerns

Supplier Integrator Top Issues/Concerns

Slide 38: Issues – Software Considerations

Functionality with no regulatory basis:

Search & Rescue

Dedicated communication radios

Coupled flight

Autoflight customizations

Aerial refueling software / Boom control

Fuel management

Weapons delivery

Terrain following or low-level operations

“Black” or “Silent” communications/navigation

High-performance operations

Slide 39: Issues – Software Considerations

Differences for Military DO-178C:

Less, but different, emphasis on Safety Analysis

Less redundancy but harsher operational environments; does Commercial measure up?

Agency approval: generally not FAA/EASA

All documents reviewed by military/customer; not just PSAC, CI, SAS

Slide 40: Military “Criticality Level” Considerations

Criticality Level: based upon passenger safety? No.

Aircraft safety?

Civilian areas?

Aircraft protection (anti-missile defense, etc)?

Mission success probability?

Slide 42: DO-178C Cost Metrics Level B

(Pie chart) CM & QA: 10%; DER Services: 2-3%; Management: 4-7%; Rqmts Development: 10%; Design: 10%; Code: 25%; Verification: 35%

What are Primary Cost Drivers?

1. Accurate & Detailed Rqmts

2. Accurate & Thorough Reviews

3. Minimal Code Changes

4. Efficient Testing

Slide 43: Costing for DO-178/254

Does Cost ($) Matter? Yes!

Are DO-178 & DO-254 Cheap? No!

Can DO-178/254 Be Cost-Effective? Yes, but only if done “smart” …

Remember: “Do you out-run the bear?”

What are the Top 20 Issues to address for $?

Slide 44: ROI vs DO-178C “Hilderman Perfection Curve” (Not FAA/EASA Approved)

(Chart: ROI plotted against DO-178C’s 71 Objectives)

Slide 45: Top 20 Cost Issues

1. Cert versus Compliance

2. Augmenting existing Plans for DO-178 (5-Key Process Plans)

3. PSAC & SAS

4. Application of DO-254

5. DO-178 Correlation

6. DER Support

7. Formalization of Rqmts & Traceability

8. Automated Functional Test Environment

9. Formalization of Design Methodology

10. Structural Coverage

11. Static Code Analysis

11. Software Test Tool Selection

12. Software Tool Qualification

13. RTOS Considerations

14. BSP Certifiability

15. Previously Existent Software

16. Gap Analysis

17. Reverse Engineering

18. QA Upgrades for DO-178, including Audits

19. CM Tool: Clear case?

20. Graphics Package/Libraries

Slide 46: Conclusion Q & A

For Advanced DO-178C Training information, see: http://afuzion.com/avionics-training/workshops/avionics-software-advanced-do-178c-training-class/

For DO-178C Gap Analysis information, see: http://afuzion.com/gap-analysis/

Slide 47: Conclusion Q & A

Coming in 2017:

