Avionics Validation and Certification FAQ

This document answers some Frequently Asked Questions (FAQs) about the certification of computer software for avionics. The answers to the questions are not intended to provide a definitive technical answer but rather to inform the reader in a general manner.

SAFETY AGENCIES

Q. What is RTCA?

Q. What is EUROCAE?

Q. What is the FAA?

Q. What is the JAA?

Q. What is the MISRA?

SAFETY CERTIFICATION STANDARDS

Q. What is DO-178?

Q. What is DO-178C?

Q. What is ED-12C?

Q. What is DO-248B?

Q. What is AC20-RSC?

Q. Who developed the DO-178/ED-12C spec?

Q. What does DO-178/ED-12C specify?

Q. In a nutshell, what does this DO-178C specification really do?

Q. To what do DO-178 levels refer?

Q. Who determines which DO-178 level is required?

Q. What is the total list of potential deliverables I will need to create for DO-178 certification?

Q. Who are DERs?

Q. Which systems need to be certified under DO-178?

Q. What levels of structural testing are required by DO-178?

Q. How is a software verification performed?

Validated Software Corporation’s Validation Suite

Q. What are Validated’s Validation Suites?

Q. What comprises a Validation Suite?

Q. Do I also have to pay another manufacturer for a production license when I purchase a Validation Suite?

Q. Will I get source code?

Q. Is the Validation Suite a special version of the product code?

Q. Can the Validation Suite be reused on new projects?

Q. Why MicroC/OS-II?

Q. How do I order?

Answers

SAFETY AGENCIES

Q. What is RTCA?

RTCA, in the avionics sense (to which all references in this document refer), is the acronym for Radio Technical Commission for Aeronautics.

Address:
RTCA
1828 L Street, NW, Suite 805
Washington, D.C. 20036

Tel: 202-833-9339
Fax: 202-833-9434

Web site: www.rtca.org/

Q. What is EUROCAE?

EUROCAE is the acronym for the European Organisation for Civil Aviation Equipment. It is the European equivalent of RTCA.

Address:
EUROCAE
17 Rue Hamelin
75116 Paris
FRANCE

Tel: +33 (0) 1 4505 7188
Fax: +33 (0) 1 4505 7230

Web site: www.eurocae.org

Q. What is the FAA?

FAA is the acronym of the U.S. Federal Aviation Administration, the organization responsible for controlling air traffic safety in the United States.

Web site: www.faa.gov

Q. What is the JAA?

JAA is the acronym for the Joint Aviation Authorities in Europe. The JAA is an associated body of the European Civil Aviation Conference (ECAC) representing the civil aviation regulatory authorities of a number of European states that have agreed to cooperate in developing and implementing common safety regulatory standards and procedures. The JAA and the FAA work together to create complementary air traffic safety standards.

Address: 
JAA
Saturnusstraat 8-10,
PO Box 3000
2130 KA Hoofddorp
The Netherlands

Fax: +31 (0) 23-5621714

Web site: www.jaa.nl/

Q. What is the MISRA?

MISRA is the acronym for the Motor Industry Software Reliability Association. Its mission is "To provide assistance to the automotive industry in the application and creation within vehicle systems of safe and reliable software".

It is not a certification agency, but an association that publishes guidelines for writing more reliable software for automotive systems manufacturers. It has published a "Guidelines for The Use Of The C Language In Vehicle Based Software" manual that is available directly from their web site.

The MISRA web site is: www.misra.org.uk

SAFETY CERTIFICATION STANDARDS

Q. What is DO-178?

DO-178 is a set of avionics standards described in RTCA Document RTCA/DO-178, titled “Software Considerations in Airborne Systems and Equipment Certification.” It was developed by the avionics industry to establish software considerations for developers, installers, and users when aircraft equipment design is implemented using microcomputer techniques.

The first formal publication of this specification was published in 1982 by the Radio Technical Commission for Aeronautics (RTCA). This was also approved by EUROCAE as ED-12 shortly thereafter.

An update to DO-178 was published in 1985 and was called DO-178A. EUROCAE also published a matching update to ED-12, named ED-12A.

In 1992, various industry working groups published a comprehensive update to DO-178A, named DO-178C by RTCA and ED-12C by EUROCAE. This revision of DO-178C is the current working version of this specification.

Q. What are DO-178C and DO-178B?

RTCA Document RTCA/DO-178C, titled “Software Considerations in Airborne Systems and Equipment Certification,” was developed by the avionics industry to establish software considerations for developers, installers, and users when aircraft equipment design is implemented using microcomputer techniques. Note that DO-178C/ED-12C projects must be certified as a system, not as a standalone component, as is possible for IEC 61508 software components.

As of 7/19/2013, the newest version, DO-178C, has been officially accepted by the FAA.

Q. What is ED-12C?

This document is an update of ED-12A, published in 1985. It is the EUROCAE version of DO-178C. See DO-178C, above.

Q. What is DO-248B?

RTCA DO-248B is a clarification document to DO-178C. Major topics include Previously Developed Software (PDS), Commercial Off-the-Shelf (COTS) software, verification, service history, tools, and control categories. RTCA DO-248B is available from RTCA.

Q. What is AC20-RSC?

AC20-RSC is a notice published by the FAA that defines guidelines for DERs when approving software reused from previous DO-178C projects. All software life cycle data used in DO-178C certified systems requires design approval under Title 14, Code of Federal Regulations (14 CFR).

Q. Who developed the DO-178C (or B)/ED-12C spec?

DO-178C and ED-12C were developed by a broad committee of industry representatives from around the world. These specifications are published by RTCA, Inc. and EUROCAE, respectively.

Q. What do DO-178C and DO-178B/ED-12C specify?

DO-178C (or B)/ED-12C provides guidance on designing, specifying, developing, testing, and deploying software in safety-critical avionics systems. In sum, DO-178 is a guideline for determining, in a consistent manner and with an acceptable level of confidence, that the software aspects of airborne systems and equipment comply with FAA airworthiness requirements.

Q. In a nutshell, what do the DO-178C and DO-178B specifications really do?

It specifies that every line of code be directly traceable to a requirement and a test routine, and that no extraneous code outside of this process be included in the build.
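The traceability requirement above can be checked mechanically. The following is an added example (not code from the original page or from Validated Software) that builds a bidirectional trace between constructed requirement IDs, code units and test cases, and reports every gap: a requirement with no code or no test, code that traces to no requirement (extraneous code that should not be in the build), and a test that references no valid requirement. All identifiers in it are constructed placeholders.

```python
# Constructed requirement IDs (placeholders, not from any real SRD).
REQUIREMENTS = {"SRD-10", "SRD-11", "SRD-12"}

# Constructed code units and the requirement(s) each claims to implement.
CODE_UNITS = {
    "task_create": {"SRD-10"},
    "sem_pend": {"SRD-11"},
    "debug_dump": set(),        # traces to nothing: extraneous code
}

# Constructed test cases and the requirement(s) each verifies.
TEST_CASES = {
    "TC-001": {"SRD-10"},
    "TC-002": {"SRD-10", "SRD-11"},
    "TC-009": {"SRD-99"},       # references a requirement that does not exist
}


def trace_gaps(requirements, code_units, test_cases):
    """Return the traceability gaps in both directions.

    requirements: set of requirement IDs
    code_units:   {unit name: set of requirement IDs it implements}
    test_cases:   {test name: set of requirement IDs it verifies}
    """
    coded = set().union(*code_units.values())
    tested = set().union(*test_cases.values())
    return {
        # Requirements that no code unit implements.
        "req_without_code": sorted(requirements - coded),
        # Requirements that no test case verifies.
        "req_without_test": sorted(requirements - tested),
        # Code that traces to no valid requirement (must not be in the build).
        "code_without_req": sorted(
            u for u, r in code_units.items() if not (r & requirements)),
        # Tests that verify no valid requirement.
        "test_without_req": sorted(
            t for t, r in test_cases.items() if not (r & requirements)),
    }


def is_fully_traced(gaps):
    """True only when every gap list is empty."""
    return not any(gaps.values())


if __name__ == "__main__":
    gaps = trace_gaps(REQUIREMENTS, CODE_UNITS, TEST_CASES)
    for kind, items in gaps.items():
        print(f"{kind}: {items}")
    print("fully traced:", is_fully_traced(gaps))
```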

Q. To what do DO-178C levels refer?

DO-178C software levels (A, B, etc.) are based on the potential of the software to cause safety-related failures identified in the system safety assessment. DO-178C has five levels of certification:

  1. Level A: Software whose failure would cause or contribute to a catastrophic failure of the aircraft.

  2. Level B: Software whose failure would cause or contribute to a hazardous/severe failure condition.

  3. Level C: Software whose failure would cause or contribute to a major failure condition.

  4. Level D: Software whose failure would cause or contribute to a minor failure condition.

  5. Level E: Software whose failure would have no effect on the aircraft or on pilot workload.

Q. Who determines which DO-178 level is required?

The level to which a particular system must be certified is selected by a process of failure analysis and input from the device manufacturers and the certifying authority (FAA or JAA), with the final decision made by the certifying authority. Note that software does not need to be certified specifically at each designated level. Certification at any level automatically covers the lower-level requirement; but, obviously, the converse is not true. Software certified at Level A can be used in any avionics application.

Q. What is the total list of potential deliverables I will need to create for DO-178 certification?

The following table lists the documents and records you may need to provide for a DO-178 certification:

DO-178 Software Life Cycle Data List

Acronym  Document Title                                       Type      Section
PSAC     Plan for Software Aspects of Certification           Document  11.1
SDP      Software Development Plan                            Document  11.2
SVP      Software Verification Plan                           Document  11.3
SCMP     Software Configuration Management Plan               Document  11.4
SQAP     Software Quality Assurance Plan                      Document  11.5
SRS      Software Requirements Standards                      Document  11.6
SDS      Software Design Standards                            Document  11.7
SCS      Software Code Standards                              Document  11.8
SRD      Software Requirements Data                           Document  11.9
SDD      Software Design Description                          Document  11.10
         Source Code                                          Software  11.11
         Executable Object Code                               Software  11.12
SVCP     Software Verification Cases and Procedures           Document  11.13
SVR      Software Verification Results                        Records   11.14
SECI     Software Life Cycle Environment Configuration Index  Document  11.15
SCI      Software Configuration Index                         Document  11.16
PRs      Problem Reports                                      Records   11.17
         Software Configuration Management Records            Records   11.18
         Software Quality Assurance Records                   Records   11.19
SAS      Software Accomplishment Summary                      Document  11.20

Q. Who are DERs?

DERs, Designated Engineering Representatives, are experienced engineers designated by the FAA to approve engineering data used for certification. Most customers (and the FAA) will want some assurance about your DO-178C documents, and an FAA DER provides this. All FAA projects must have an FAA representative assigned and a DER to review all submissions. A DER is an independent specialist designated by the FAA as having authority to sign off on your project as a representative of the FAA. Two practical points follow: first, the DER may insist on witnessing such items as portions of your software testing; second, the DER may not like your documentation (or processes) and hence may insist on changes to them before signoff. This is a lot easier to do during design and development than at project completion.

Q. Which systems need to be certified under DO-178?

Under the Global Aviation Traffic Management (GATM) agreement, all commercial airborne systems have to comply with Federal Aviation Administration (FAA) regulations for avionics and require DO-178 certification. In addition, all airborne military and space systems must also comply with DO-178. All retrofits, as well as new airborne system designs, also require DO-178 certification. Note that GATM has international validity and applicability.

Q. What levels of structural testing are required by DO-178?

Three primary levels of structural testing concern most DO-178C projects:

  1. SC: Statement Coverage means that every statement in the program has been invoked or used at least once. This is the most common use of the term “code coverage.”

  2. DC: Decision Coverage means that every point of entry and exit in the program has been invoked at least once and that each decision in the program has taken all possible (Boolean) outcomes at least once. Essentially, this means that every Boolean decision has been evaluated to both TRUE and FALSE.

  3. MCDC: Modified Condition Decision Coverage means that every point of entry and exit in the program has been invoked at least once, that every decision in the program has taken all possible outcomes at least once, and that each condition in a decision has been shown to independently affect that decision's outcome. Complex Booleans need truth tables developed so that each variable (inside a Boolean expression) is set to both TRUE and FALSE while independently changing the result.
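The difference between Decision Coverage and MC/DC is easiest to see on a small decision. The following is an added example, not code from the original page or from any coverage tool vendor: it takes a constructed three-condition decision, (a and b) or c, checks a set of test vectors for DC, for condition coverage and for MC/DC, and searches the truth table for the smallest MC/DC test set. It assumes the unique-cause form of MC/DC (each condition is shown to matter by a pair of tests that differ only in that condition), which the FAQ text does not specify.

```python
from itertools import combinations, product


def example_decision(a, b, c):
    """Constructed example decision with three conditions: (a and b) or c."""
    return (a and b) or c


def decision_coverage(decision, tests):
    """DC: the decision as a whole has evaluated to both TRUE and FALSE."""
    return {decision(*t) for t in tests} == {False, True}


def condition_coverage(tests, n):
    """Each of the n conditions has individually taken both TRUE and FALSE."""
    return all({t[i] for t in tests} == {False, True} for i in range(n))


def independence_pairs(decision, tests, n):
    """Unique-cause MC/DC: for each condition i, find two tests that differ
    only in condition i and that produce different decision outcomes."""
    tests = set(tests)
    pairs = {}
    for i in range(n):
        for t in tests:
            flipped = t[:i] + (not t[i],) + t[i + 1:]
            if flipped in tests and decision(*t) != decision(*flipped):
                pairs[i] = (t, flipped)
                break
    return pairs


def mcdc_coverage(decision, tests, n):
    """MC/DC is met only when every condition has an independence pair."""
    return len(independence_pairs(decision, tests, n)) == n


def minimal_mcdc_set(decision, n):
    """Smallest test set achieving MC/DC, by exhaustive search over the 2**n
    truth-table rows (fine for the handful of conditions in one decision)."""
    rows = list(product((False, True), repeat=n))
    for size in range(1, len(rows) + 1):
        for subset in combinations(rows, size):
            if mcdc_coverage(decision, subset, n):
                return subset
    return None


# Constructed test vectors (a, b, c) for example_decision.
DC_ONLY_TESTS = [(True, True, True), (False, False, False)]  # DC, not MC/DC
MCDC_TESTS = [(True, True, False), (False, True, False),
              (True, False, False), (False, True, True)]     # n + 1 tests

if __name__ == "__main__":
    for name, tests in (("DC only", DC_ONLY_TESTS), ("MC/DC", MCDC_TESTS)):
        print(name, "DC:", decision_coverage(example_decision, tests),
              "MC/DC:", mcdc_coverage(example_decision, tests, 3))
    print("minimal MC/DC set:", minimal_mcdc_set(example_decision, 3))
```

Note that DC_ONLY_TESTS reaches both decision and condition coverage yet still fails MC/DC, because no pair of its vectors isolates a single condition.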

This table details the code coverage requirements for each DO-178C level:

Level    Coverage  Explanation
Level A  MCDC      Level B + 100% Modified Condition Decision Coverage
Level B  DC        Level C + 100% Decision Coverage
Level C  SC        Level D + 100% Statement (or Line) Coverage
Level D  -         100% Requirements Coverage
Level E  -         No Coverage Requirements

Performing this code coverage exercise is possible using manual methods, but the process is now readily facilitated by commercial code coverage tools. See the Code Coverage Tools page for a list of known vendors in this space.

Q. How is a software verification performed?

DO-178C (or B)/ED-12C defines specific verification objectives that must be satisfied; these include:

  1. Verification of software development processes

  2. Review of software development life cycle artifacts

  3. Functional Verification of software

    1. Requirements-based testing and analysis

    2. Robustness testing

  4. Structural Coverage Analysis

Structural Coverage Analysis is generally perceived, by people unfamiliar with rigorous code development and testing, to be the most difficult task to undertake. Furthermore, an operating system is tightly integrated with the hardware, cache, interrupts, memory management, and process/task management, which makes structural testing even more difficult. These low-level aspects create a significant challenge to the verification process. For example, Level A certified applications must address:

  1. Statement Coverage

  2. Decision Coverage

  3. Modified Condition/Decision Coverage (MCDC)

as listed in the code coverage table above, along with:

  1. Identification of dead or deactivated code

  2. Traceability from source to object code

Fortunately, a variety of commercial tools are available to assist in this challenging task.

See our Code Coverage Tools page for a list of known vendors in this space.


Validated Software Corporation’s Validation Suite™

Q. What are Validated’s Validation Suites?

Validated’s Validation Suites are packages of standards, plans, requirements, designs, and tests to address manufacturers requiring safety certification documentation for projects. Validation Suites are typically developed for software products widely used in safety-critical products. The use of our Validation Suites allows developers to concentrate on their core product and lower their costs by purchasing an essentially off-the-shelf Validation Suite as a component.

Q. What comprises a Validation Suite?

Due to different DO-178C requirements for different certification levels, the amount of documentation will differ, but, in general, the following documentation will be provided in Level A through Level C Validation Suites.

Validation Suite Component                            DO-178 Item
Plan for Software Aspects of Certification (PSAC)     11.1
Software Development Plan (SDP)                       11.2
Software Verification Plan (SVP)                      11.3
Software Configuration Management Plan (SCMP)         11.4
Software Quality Assurance Plan                       11.5
Software Requirements Standard                        11.6
Software Design Standard                              11.7
C Language Coding Standard                            11.8
Software Requirements Document (SRD)                  11.9
Microprocessor Port Requirements and Design Documents 11.9
Software Design Document                              11.10
Software Source Code, Test Code and Build Code        11.11
Software Port Image                                   11.12
Software Unit Test Plans and Procedures               11.13
Software Integration Test Plans and Procedures        11.13
Software Unit Test Reports                            11.14
Software Integration Test Report                      11.14
Software Test Coverage Report                         11.14
Software Life Cycle Environment Configuration Index   11.15
Software Configuration Index                          11.16
Software Problem Report History                       11.17
Software Change History                               11.18
Software Quality Assurance Data                       11.19
Software Accomplishment Summary (SAS)                 11.20

In addition, Validated also offers port-specific documentation to provide all the board support package (BSP) documentation, for example:

Port Software Design Description, Special I/O

Port Software Design Description, Special 80x86 Protected Mode Port

Q. Do I also have to pay the manufacturer for a production license when I purchase Validated’s Validation Suite?

Yes. The Validation Suite does not include a production license for the software.

Q. Will I get source code?

Yes. The Validation Suite contains all source code to the product, all source code to the test files, all test scripts, and all build/make files. Please note, however, that all of the products we validate are licensed by another manufacturer. As such, we cannot ship source code to a product until we receive confirmation from the manufacturer that you have a valid license in place with them.

Q. Is the Validation Suite a special version of the manufacturer's product code?

No. The source code we provide is functionally identical to the manufacturer's original code. In some cases the code may belong to a "safety-critical" version of the manufacturer's product, but this is the exception, not the rule.

Q. Can the Validation Suite be reused on new projects?

Yes. Depending upon the system changes between projects, the Validation Suite can be used for multiple projects. FAA projects should refer to DO-248C (or B), FAA Notice 8110.97, and their DERs for full compliance when reusing life cycle data and artifacts on multiple projects. (Note that additional license fees for both the software product and the Validation Suite may apply, regardless of re-use.) Contact Validated Software sales for further information.

Q. Why MicroC/OS-II?

MicroC/OS-II was chosen for many reasons:

  1. MicroC/OS-II is a very stable operating system that has been used in tens of thousands of systems and hundreds of commercial applications. It has been in use for over 10 years, with minor modifications made periodically.

  2. MicroC/OS-II has been “open source” since its creation. Therefore, it has been reviewed by thousands of individuals. But, unlike some open source projects, revisions are tightly controlled and reviewed by Micrium, and then openly reviewed by the MicroC/OS-II community.

  3. MicroC/OS-II was written against a very strict coding standard, which improves readability, understandability, and maintainability – all key aspects of creating software used in critical systems.

  4. Every line of MicroC/OS-II is well documented. This is extremely rare in the software industry and is ideal for safety certification where the mapping of requirements to source code to test for every line of code is required.

Q. How do I order?

All Validated Software products can be ordered from the Validated Software Sales office.