Presentation on theme: "DO-178C the future of Avionics Certification"— Presentation transcript:
Slide 1: DO-178C the future of Avionics Certification
Martin Beeby, European Manager, Atego HighRely
Slide 2: What is DO-178?
- RTCA DO-178: “Software Considerations in Airborne Systems and Equipment Certification”
- Developed by industry and government committees
- Many compromises to satisfy different goals: “Consensus”: collective opinion or concord; general agreement or accord [Latin, from consentire, to agree]
- Not a recipe book or “How To” guide
- Guidance, not prescription
- Lawyers versus Software Engineers; who wins?
Slide 3: DO-178: Evolution History
Doc | Year | Basis | Themes
DO-178 | | 498 & 2167A | Artefacts, documents, traceability, testing
DO-178A | 1985 | | Processes, testing, components, four criticality levels, reviews, waterfall methodology
DO-178B | 1992 | | Integration, transition criteria, diverse development methods, data (not documents), tools
DO-178C + Supplements | 2012 | | Reducing subjectivity; address MBD, OO, tools, formal methods, etc.
Slide 7: Functional Safety
- The Functional Safety framework surrounding DO-178 is similar to:
  - IEC – industrial systems development
  - ISO – automotive systems development
  - EN – railway systems
  - IEE – nuclear power systems
- Objective-based guidance gives development freedom without compromising the use of new technology.
Slide 8: Why change DO-178B?
- Almost 20 years since DO-178B was released
- The software development landscape has changed, with advancements in:
  - Tools and automation
  - Modelling and simulation
  - Object-oriented technology
  - Formal methodologies
- The commercial world has embraced the above; avionics has slowly followed
- Alternate Means of Compliance does not provide a consistent mechanism for certification
Slide 9: DO-178C
- Since 2005, committees have met to discuss, and update, DO-178B
- Like 178B, included industry and agencies
- Unlike 178B, more tool vendors
- Obvious focus on “acceptability” of certain types of tools, particularly “theirs”
- Predominantly America and Europe, nearly equal; quarterly meetings
Slide 11: DO-178C
- Unlike the DO-178A to DO-178B update, the “core” update to 178C is modest
- Instead, changes are handled via four “Supplements”, which “clarify”:
  - Tools Supplement
  - MBD Supplement
  - OO Supplement
  - FM Supplement
Slide 12: Deliverables
- DO-178C/ED-12C: Software Considerations in Airborne Systems and Equipment Certification
- DO-248C/ED-94C: Supporting Information for DO-178C and DO-278A
- DO-278A/ED-109A: Software Integrity Assurance Considerations for Communication, Navigation, Surveillance and Air Traffic Management (CNS/ATM) Systems
- DO-330/ED-215: Software Tool Qualification Considerations
- DO-331/ED-216: Model-Based Development & Verification
- DO-332/ED-217: Object-Oriented Technology Supplement
- DO-333/ED-218: Formal Methods Supplement
Slide 13: Software Tool Qualification Considerations (DO-330)
- Tool Qualification Considerations is a stand-alone document that is consistent with, and follows the structure of, DO-178C
- It recognizes that tools occupy their own domain:
  - They are not airborne software
  - Tool qualification can apply to hardware and ground-based systems also
- DO-330 is a stand-alone approach to tool qualification that could be called out by any standard:
  - Domain-specific guidance lives in the calling document
  - Tool qualification guidance from DO-330 is applied based on criteria defined in the domain-specific guidance
Slide 14: Same Basic Tool Qualification Principles
- The tool qualification process is unchanged from DO-178B:
  - The purpose of the tool qualification process is to ensure that the tool provides confidence equivalent to that of the process(es) eliminated, reduced, or automated
  - The higher the risk of a tool error adversely affecting system safety, the higher the rigor required for tool qualification
- Determining whether tool qualification is needed is also unchanged from DO-178B: “…when processes of this document are eliminated, reduced, or automated by the use of a software tool without its output being verified as specified…”
Slide 15: DO-178C Tool Qualification Levels
- The DO-178B “Development Tools” and “Verification Tools” terminology is no longer used. DO-178B definitions:
  - Development Tools: tools whose output is part of airborne software and thus can introduce errors
  - Verification Tools: tools that cannot introduce errors but may fail to detect them
- DO-178C identifies 5 Tool Qualification Levels (TQL-1 to TQL-5) based on 3 criteria (see next slide):
  - For criteria 1 and 3, the basic concept and required objectives are similar to those applied under DO-178B
  - New criterion 2 is introduced to provide increased objectives for certain tool usage scenarios
Slide 16: Advantages of Model-Based Development (DO-331)
- Early animation of requirements
- Shared language between systems and software engineers
- Increased responsiveness to requirements changes
- Ability to use autocode and simulation as a means of verification
Slide 17: Model-Based Development Supplement (DO-331)
- Provides additional guidance for Model-Based Development technology and related techniques
- The MBD Supplement provides a set of approaches that can encompass most organisations’ uses of MBD
- A framework for using MBD is established
- Guidance is given on where certification credit for model simulation is provided
- Core techniques of DO-178C are maintained in MBD:
  - Requirement levels
  - Requirement-based testing
  - Traceability
  - Structural coverage
Slide 18: Object-Oriented Supplement (DO-332)
- Provides additional guidance for Object-Oriented Technology and related techniques
- Much of the DO-178C OOT Supplement is devoted to establishing core terminology, background and interpretation
- Few additional objectives or activities are identified
- Additional OOT objectives:
  - Verify local type consistency
  - Verify that the use of dynamic memory management is robust
Slide 19: Criteria for choosing whether to use OOT
- Project technical criteria:
  - Potential benefit from increased expressive power in design/code – encapsulation, class hierarchies and polymorphism
  - Nothing new here… these were the original drivers behind OOT
- Environmental criteria:
  - Guidance, human resources, tools
  - In industry these are all currently available…
- Summary: OOT is a viable technique if the software design would benefit from its expressiveness
Slide 20: Formal Methods Supplement (DO-333)
- DO-178B allowed for consideration of formal methods as an alternate method “to improve the specification and verification of software”
- It included a set of criteria to determine the requirements to which formal methods could be applied:
  - Safety related
  - Definable by discrete mathematics
  - Involving complex behavior:
    - Concurrency
    - Distributed processing
    - Redundancy management
    - Synchronization
Slide 21: Formal Methods Supplement
- The formal methods supplement applies where formal methods analysis is replacing testing evidence in the submission
- There is no intent to suggest that formal methods adoption is an “all in” decision; it can be a selective adoption/migration for subsets of the system
- The supplement mimics the core DO-178 document structure
- It does not preclude traditional software testing even when comprehensive formal methods are applied
Slide 22: DO-178C Supplements Summary: Changing the Level of Abstraction
- There is an underlying synergy between the new DO-178C documents and supplements: Object-Oriented Technology (OOT), Model-Based Design and Verification (MBDV), Tools, Formal Methods
- All are moving in a common direction:
  - Still enforce the objectives of DO-178C
  - Enable systematic verification and/or an increased level of abstraction
  - Enable more powerful development techniques to tackle the issues of increased complexity and limited resources
- The fundamental approach of DO-178 remains intact
Slide 23: DO-178C: The Future
- DO-178C will be mandated by EASA, FAA, and others at some time in the future. When? But it will be mandated!
- The model of providing technology supplements will be applied to future standards:
  - Maintain a core approach
  - Enable approaches for new technologies to be added
  - Be able to react more quickly by just adding supplements
Slide 24: Good Engineering Practice – DO-178C: The Future
- How will DO-178C affect systems development?
- How did DO-178B affect systems development?
  - No specific life-cycle model required
  - Say what you are going to do
  - Do it
  - Show the evidence you did it
- Analogous to ISO 9001, or CMMI: good engineering practice
Slide 25: SEI CMMI Maturity Levels
SEI CMMI’s 5 levels:
- Initial
- Repeatable (disciplined)
- Defined (consistent)
- Managed (predictable)
- Optimizing (continuous improvement)
Each level is a perfect superset of the preceding level.
Slide 27: DO-178C: The Future
- By enabling new technologies it is possible to:
  - Reduce the cost of development
  - Reduce the time of development
  - Increase system capabilities
  - Reduce obsolescence
- The fundamental safety approach is not compromised:
  - The Functional Safety framework remains
  - The core approaches of DO-178 remain
  - New technologies have to fit within this framework