Avionics Validation and Certification FAQ
This document answers some Frequently Asked Questions (FAQs) about the certification of computer software for avionics. The answers to the questions are not intended to provide a definitive technical answer but rather to inform the reader in a general manner. Click on a question to find its answer.
SAFETY CERTIFICATION STANDARDS
Validated Software Corporation’s Validation Suite
RTCA, in the avionics sense (to which all references in this document refer) is the acronym for Radio Technical Commission for Aeronautics.
1828 L Street, NW, Suite 805
Washington, D.C. 20036
Web site: www.rtca.org/
EUROCAE is the acronym for the European Organisation for Civil Aviation Equipment. It is the European equivalent of RTCA.
17 Rue Hamelin
Tel: +33 (0) 1 4505 7188
Fax: +33 (0) 1 4505 7230
Web site: www.eurocae.org
FAA is the acronym of the U. S. Federal Aviation Administration, the organization responsible for controlling air traffic safety in the United States.
Web site: www.faa.gov
JAA is the acronym for the Joint Aviation Authorities in Europe. The JAA is an associated body of the European Civil Aviation Conference (ECAC) representing the civil aviation regulatory authorities of a number of European states that have agreed to cooperate in developing and implementing common safety regulatory standards and procedures. The JAA and the FAA work together to create complementary air traffic safety standards.
PO Box 3000
2130 KA Hoofddorp
Fax: +31 (0) 23-5621714
Web site: www.jaa.nl/
MISRA is the acronym for the Motor Industry Software Reliability Association. Its mission is "To provide assistance to the automotive industry in the application and creation within vehicle systems of safe and reliable software".
It is not a certification agency, but an association that publishes guidelines for writing more reliable software for automotive systems manufacturers. It has published a "Guidelines for The Use Of The C Language In Vehicle Based Software" manual that is available directly from their web site.
The MISRA web site is: www.misra.org.uk
SAFETY CERTIFICATION STANDARDS
DO-178, is a set of avionics standards described in the RTCA Document RTCA/DO-178, titled “Software Considerations in Airborne Systems and Equipment Certification,” was developed by the avionics industry to establish software considerations for developers, installers, and users, when aircraft equipment design is implemented using microcomputer techniques.
The first formal publication of this specification was published in 1982 by the Radio Technical Commission for Aeronautics (RTCA). This was also approved by EUROCAE as ED-12 shortly thereafter.
An update to DO-178 was published in 1985, and was called DO-178A. EUROCAE also published an matching update to ED-12, named ED-12A.
In 1992, various industry working groups published a comprehensive update to DO-178A, named DO-178C by RTCA and ED-12C by EUROCAE. This revision of DO-178C is the current working version of this specification.
RTCA Document RTCA/DO-178C, titled “Software Considerations in Airborne Systems and Equipment Certification,” was developed by the avionics industry to establish software considerations for developers, installers, and users, when aircraft equipment design is implemented using microcomputer techniques. Note that DO-178C/ED-12C projects must be certified as a system, not a standalone component, as for IEC 61508 software components.
As of 7/19/2013, the newest version DO-178C was officially accepted by the FAA.
This document is an update of ED-12A, published in 1985. It is the EUROCAE version of DO-178C. See DO-178C, above.
RTCA DO-248B is a clarification document to DO-178C. Major topics include Previously Developed Software (PDS), Commercial Off- the-Shelf (COTS) software, verification, service history, tools and control categories. RTCA DO-248B is available from RTCA.
AC20-RSC is a notice published by the FAA that defines guidelines to DERs for approving software reused from previous DO-178C projects. All software life cycle data used in DO-178C certified systems require design approval under Title14, Code of Federal Regulations (14 CFR).
DO-178C and ED-12C were developed by a broad committee of industry representatives from around the world. These specifications are published by RTCA, Inc. and EUROCAE, respectively.
DO-178C (or B) /ED-12C provides guidance on designing, specifying, developing, testing, and deploying software in safety-critical avionics systems. In sum, DO-178 is a guideline for determining, in a consistent manner and with an acceptable level of confidence, that the software aspects of airborne systems and equipment comply with FAA airworthiness requirements.
It specifies that every line of code be directly traceable to a requirement and a test routine, and that no extraneous code outside of this process be included in the build.
DO-178C software levels (A, B, etc.) are based on the potential of the software to cause safety-related failures identified in the system safety assessment. DO-178C has five levels of certification:
Level A: Software whose failure would cause or contribute to a catastrophic failure of the aircraft.
Level B: Software whose failure would cause or contribute to a hazardous/severe failure condition.
Level C: Software whose failure would cause or contribute to a major failure condition.
Level D: Software whose failure would cause or contribute to a minor failure condition.
Level E: Software whose failure would have no effect on the aircraft or on pilot workload.
The level to which a particular system must be certified is selected by a process of failure analysis and input from the device manufacturers and the certifying authority (FAA or JAA), with the final decision made by the certifying authority. Note that software does not need to be certified specifically at each designated level. Certification at any level automatically covers the lower-level requirement; but, obviously, the converse is not true. Software certified at Level A can be used in any avionics application.
The following table lists the documents and records you may need to provide for a DO-178 certification:
DO-178 Software Life Cycle Data List
Plan for Software Aspects of Certification
Software Development Plan
Software Verification Plan
Software Configuration Management Plan
Software Quality Assurance Plan
Software Requirements Standards
Software Design Standards
Software Code Standards
Software Requirements Data
Software Design Description
Executable Object Code
Software Verification Cases and Procedures
Software Verification Results
Software Life Cycle Environment Configuration Index
Software Configuration Index
Software Configuration Management Records
Software Quality Assurance Records
Software Accomplishment Summary
DERs, Designated Engineering Representatives, are experienced engineers designated by the FAA to approve engineering data used for certification. Most customers (and the FAA) will want some assurance in your DO-178C documents, and an FAA DER will provide this. All FAA projects must have an FAA representative assigned and a DER to review all submissions. A DER is an independent specialist designated by the FAA as having authority to sign off on your project as a representative of the FAA. First, the DER may insist on witnessing such items as portions of your software testing; second, the DER may not like your documentation (or processes), hence may insist on changes to them before signoff. This is a lot easier to do during design and development than at project completion.
Under the Global Aviation Traffic Management (GATM) agreement, all commercial airborne systems have to comply with Federal Aviation Administration (FAA) regulations for avionics and require DO-178 certification. In addition, all airborne military and space systems must also comply with DO-178. All retrofits, as well as new airborne system designs, also require DO-178 certification. Note that GATM has international validity and applicability.
Three primary levels of structural testing concern most DO-178C projects:
SC: Statement Coverage. Means that every statement in the program has been invoked or used at least once. This is the most common use of the term “code coverage.”
DC: Decision Coverage. Means that every point of entry and exit in the program has been invoked at least once and that each decision in the program has been taken on all possible (Boolean) outcomes at least once. Essentially, this means that every Boolean statement has been evaluated both TRUE and FALSE.
MCDC: Modified Condition Decision Coverage. Means that every point of entry and exit in the program has been invoked at least once, that every decision in the program has taken all possible outcomes at least once, and that each condition in a decision has been shown to independently affect that decision's outcome. Complex Booleans need to have truth tables developed to set each variable (inside a Boolean expression) to both TRUE and FALSE.
This table details the code coverage requirements for each DO-178C level:
Level B + 100% Modified Condition Decision Coverage
Level C + 100% Decision Coverage
Level D + 100% Statement (or Line) Coverage
100% Requirements Coverage Requirements
No Coverage Requirements
Performing this code coverage exercise is possible using manual methods, but this process is now readily facilitated by implementing commercial code coverage tools. See Code Coverage Tools page for a list of known vendors in this space.
DO-178C (or B) /ED-12C defines specific verification objectives that must be satisfied; these include:
Verification of software development processes
Review of software development life cycle artifacts
Functional Verification of software
Requirements-based testing and analysis
Structural Coverage Analysis
Structural Coverage Analysis is generally perceived to be the most difficult task to undertake by people unfamiliar with rigorous code development and testing. Furthermore, an operating system is tightly integrated with the hardware, cache, interrupts, memory management, and process/task management, thereby making structural testing even more difficult. These low-level aspects create a significant challenge to the verification process. For example, Level A certified applications must address:
Modified Condition/Decision Coverage (MCDC)
and from the code coverage table above along with:
Identification of dead or deactivated code
Traceability from source to object code
Fortunately, a variety of commercial tools are available to assist in this challenging task.
See our Code Coverage Tools page for a list of known vendors in this space.
Validated Software Corporation’s Validation Suite™
Validated’s Validation Suites are packages of standards, plans, requirements, designs, and tests to address manufacturers requiring safety certification documentation for projects. Validation Suites are typically developed for software products widely used in safety-critical products. The use of our Validation Suites allows developers to concentrate on their core product and lower their costs by purchasing an essentially off-the-shelf Validation Suite as a component.
Due to different DO-178C requirements for different certification levels, the amount of documentation will differ, but, in general, the following documentation will be provided in Level A through Level C Validation Suites.
Validation Suite Component
Plan for Software Aspects of Certification (PSAC)
Software Development Plan (SDP)
Software Verification Plan (SVP)
Software Configuration Management Plan (SCMP)
Software Quality Assurance Plan
Software Requirements Standard
Software Design Standard
C Language Coding Standard
Software Requirements Document (SRD)
Microprocessor Port Requirements and Design Documents
Software Design Document
Software Source Code, Test Code and Build Code
Software Port Image
Software Unit Test Plans and Procedures
Software Integration Test Plans and Procedures
Software Unit Test Reports
Software Integration Test Report
Software Test Coverage Report
Software Life Cycle Environment Configuration Index
Software Configuration Index
Software Problem Report History
Software Change History
Software Quality Assurance Data
Software Accomplishment Summary (SAS)
In addition, Validated also offers port-specific documentation to provide all the board support package (BSP) documentation, for example:
Port Software Design Description, Special I/O
Port Software Design Description, Special 80x86 Protected Mode Port
Q. Do I also have to pay the manufacturer for a production license when I purchase Validated’s Validation Suite?
Yes. The Validated Suite does not include a production license for the software.
Yes. The Validation Suite contains all source code to the product and all source code to test files, all test scripts, and all build/make files. Please note however that all of the products we validate are licensed by another manufacturer. As such we can not ship source code to a product until we receive confirmation from the manufacturer that you have a valid license in place with them.
No. The source code we provide is functionally identical to the manufacturers original code. In some cases the code may belong to a "safety-critical" version of the manufacturers product, but this is the exception not the rule.
Yes. Depending upon the system changes between projects, the Validation Suite can be used for multiple projects. FAA projects should refer to DO-248C (or B), FAA Notice 8110.97, and their DERs for full compliance when reusing life cycle data and artifacts on multiple projects. (Note that additional license fees for both the software product and the Validation Suite may apply, regardless of re-use.) Contact Validated Software sales for further information.
MicroC/OS-II was chosen for many reasons:
MicroC/OS-II is a very stable operating system that has been used in tens of thousands of systems and hundreds of commercial applications. It has been in use for over 10 years, with minor modifications made periodically.
MicroC/OS-II has been “open source” since its creation. Therefore, it has been reviewed by thousands of individuals. But, unlike some open source projects, revisions are tightly controlled and reviewed by Micrium, and then openly reviewed by the MicroC/OS-II community.
MicroC/OS-II was written against a very strict coding standard, which improves readability, understandability, and maintainability – all key aspects of creating software used in critical systems.
Every line of MicroC/OS-II is well documented. This is extremely rare in the software industry and is ideal for safety certification where the mapping of requirements to source code to test for every line of code is required.
All Validated Software products can be ordered from the Validated Software Sales office.