Upgrade to DO-178B certification -- DO-178C – to address modern avionics software trends
By John McHale
Avionics software designers are quite familiar with the DO-178B certification process for flight software from the Federal Aviation Administration (FAA) and the European Aviation Safety Agency (EASA). However, current technology trends in software code development are requiring new verification and certification approaches, so industry and government experts are building a new certification called DO-178C to address these concerns.
"DO-178B/ED-12B has enjoyed widespread acceptance and adoption since its release in 1992," says Bill St. Clair, technical evangelist for LDRA Technology in San Bruno, Calif. "However, this standard assumed an arbitrary world of "high level" and "low level" requirements and traceability that was easy to delineate from requirements to the object code.
"Today, in the global marketplace of avionics software, a number of development technology trends are on the rise. We see more use of model-based development tools -- e.g., Simulink, BEACON, and SCADE -- and technologies such as auto-code generation, model checking/analysis, and automatic test vector generation, St. Clair continues. "Programming languages are becoming more abstract and often graphical, and, the use of more abstract execution environments, such as Java virtual machines and other run-time interpreters, is increasing. These and other shifts in technology blur the traditional distinctions between source and object code and complicate the proper treatment of structural coverage – that is, code coverage that results from requirements-based testing – as well as other verification processes critical to certification."
"Over the course of its use, it became evident that DO-178B needs clarification, it contains ambiguities, and a revision would help to make its use more uniform," says George Romanski, president of Verocel in Westford, Mass. "Much effort has been expended to document the intent more consistently."
"The core DO-178C document will mainly be a clarified version of DO-178B with only modest changes," says Cyrille Comar, co-founder and Managing Director of AdaCore Europe in Paris, France. "The real added value of DO-178C is in its technology-specific supplements that provide clear guidance for some of the technologies that are starting to be used and expected to be even more widely used in future safety-critical systems.
"Each supplement defines the steps or activities germane to the usage of the technology and any unique objectives or criteria for acceptance of the software produced or defined by the technology," St. Clair says.
"The three technology-specific supplements are: Model Based Development; Object Oriented & Related Technologies; and Formal Methods," Comar says.
Model Based Development "does not follow all the steps of the 'V' cycle of traditional software engineering; it depends heavily on development tools that require new guidance," Comar says.
DO-178B assumes implicitly the use of procedural languages such as C or Ada 83. Object-oriented languages such as C++, Ada 95/05, and even Java are being used more and more often in safety critical applications. They offer new programming paradigms along with their own vulnerabilities."
With the Object Oriented & Related Technologies supplement these languages will be taken into consideration, Comar adds.
The Formal Methods supplement will give more attention to formal methods than in DO-178B, which gave them only passing reference, Comar says. "Their usage in industry is maturing quickly and they offer a new level of verification capabilities that complement traditional testing and can help attain the desired level of safety assurance in increasingly complex systems.
"A fourth supplement covers the qualification of tools used for automating verification or development activities," Comar notes.
The fourth supplement is" especially important because two of the three technologies are primarily implemented by third party tools," St. Clair says. "The Tools supplement supports the qualification of these tools for the purpose of flight software certification and is thereby an enabler of the application of the new development technologies."
The greater clarity provided by DO-178C – and "concise rules across a more varied market" – for formal software tool qualification "should reduce the inherent subjectivity of tool qualification rules and artifacts encountered today within DO-178B," says Vance Hilderman, president and founder of HighRely in San Diego.
Will DO-178B systems need to be recertified?
"There is nothing in DO-178C that requires recertification from DO-178B to the new DO.," St. Clair says. "In fact, the new DO includes a core document that largely reflects DO-178B. Only those certification applicants that utilize approved advanced development technologies, including Formal Methods, Modeling tools, or Objected Oriented technologies, would necessarily be applied to what is new in DO 178C – its supplements."
Upward compatibility with the previous version has been central in the formulation of the new standard," Comar says. "Therefore projects that elect to continue to use the traditional development techniques and languages that are covered by DO-178B should have minimal transition costs.
"DO-178C will provide companies with an opportunity to upgrade to more modern software engineering practices that will allow them to increase their safety/cost ratio and thus will allow them to tackle more complex safety-critical software system components," Comar adds.
"If you have a robust DO-178B set of plans and processes and follow them, then you should satisfy the intent of DO-178C," Romanski says. "However, if your plans and procedures cut corners through perceived loopholes in the current document, then you may have additional work to do as the loopholes are fixed with DO-178C. The goal of the committee is not to raise or lower the bar for certification."
"The FAA typically recognizes grandfather provisions" and as long as current systems do not require major changes, recertification via 178C should generally not be required," Hilderman says. "However, new projects on the drawing board which have not yet formally started via an official FAA or EASA project designation will likely require certification under DO-178C and not DO-178B. Therefore there may be a rush to initiate such projects before the formal ratification of DO-178C so as to avoid being the first project to face the learning curve of 178C certification."
Final adoption
When DO-178B will be finalized "is the $50 question," Hilderman says. "HighRely has participated in an offshore pool to pick the date that DO-178C will be formally released and the subsequent date that all projects will require certification to DO-178C instead of DO-178B. "Dates entered in this pool range from Feb 16, 2010 to June 2011."
The FAA is only one of the actors involved, Comar says. "There is major participation from EASA (European authorities), avionics companies, and tool providers. The work of SC-205/WG-71 is expected to be completed by mid 2010, and RTCA and EUROCAE (the organizations formally in charge of the revision) will probably publish the new documents in 2011.
Most believe a Fall 2010 date will be met for release, Hilderman says.
"It is likely that another meeting will be arranged to close any problems found in the final approval process," Romanski says. "There will be some editorial review, and final acceptance cycle, which could stretch until the end of 2010. The FAA and EASA are involved in the development of this document, but nevertheless there will an FAA acceptance process after which a regulation will be published invoking the new document. In the past this has taken three to six months.
"Note however that even before the FAA has invoked the new document, it is likely that new projects will anticipate its adoption and will invoke DO-178C through contract," Romanski continues. "This happened on projects starting just before DO-178B was published, so is likely to happen again."
In the meantime companies are already taking steps to familiarize themselves with the DO-178C process.
"Verocel has been involved in SC-205 even before the committee was fully started," Romanski says. "We have at least two people attend all plenary meetings and participate in additional subgroup meetings and teleconferences. We are updating our company process plans and procedures gradually using sections of the document which we think will be finally approved. Some of these are improvements that make our work more efficient, and others to make the results easier to audit. We are trying to ensure that as soon as the document is in place, we can start using it formally."
"AdaCore is participating actively in the international working group SC-205/WG-71 in charge of the writing DO-178C," Comar says. "We will host the next plenary meeting of this group in Paris at the end of October and are working on upgrading our commercial offering to allow our customers to migrate easily to the new standard and take advantage as quickly as possible of the new technology possibilities. We are in the process of offering DO-178C-ready tools and services for activities such as coding standard verification, source code reviews, stack usage analysis, structural coverage, safety property provers, etc.
"In keeping with our intrinsic Freely Licensed Open Source Software (FLOSS) culture, we have also helped launch a major open source initiative called Open-DO (www.open-do.org) to foster a cooperative model of agile safety-critical software development," Comar adds.
"LDRA is preparing to support mostly all DO-178C activities and associated objectives by offering a comprehensive tool ecosystem, which enables requirements engineering; lifecycle traceability; automated links to a development IDE, such as Green Hills Software, Wind River Systems, or Texas Instruments Code Composer; traceability links to modeling and Formal Methods tools; automated mapping to code and test artifacts; an integrated CM tool; static and dynamic analysis tools and finally traceability links to technical documentation," St. Clair says.
HighRely is updating its DO-178 training to fully address DO-178C. HighRely's trainers have trained more than 11,000 persons in DO-178 & DO-254, he adds.
"Also, HighRely is updating its avionics software checklists to be fully DO-178C compliant, Hilderman continues. "HighRely's avionics certification products including RelyTRACE and RelyCHECK are also being updated for DO-178C."
HighRely will also update their book on DO-178 – "Avionics Certification – A Complete Guide To DO-178 & DO-254" – to DO-178C, Hilderman says. All royalties on the book will still be donated to charity, he adds.