DO-178B To 178C: Avoiding The Unlucky 13 Mistakes, November 2011
Agenda
- The Unlucky 13: Predicted Top DO-178C Mistakes (Synopsis)
- DO-178B in Three Minutes
- DO-178B Weaknesses Today
- DO-178C in Five Minutes
- The Unlucky 13 DO-178C Mistakes: Details
- Questions & Answers
Largest repository of DO-178B & DO-254 White Papers One Stop Supplier for all your Avionics Development needs!
2011 Atego. All Rights Reserved.
What is DO-178?
- Certification standards for airborne equipment
- DO-178 => Software; DO-254 => Hardware
- Timeline: DO-178A, then DO-178B (1992), then DO-178C (2008-)
DO-178B
Figure: the DO-178B lifecycle plotted over time (development and correctness phases). Three processes: 1. Planning Process, 2. Development Process, 3. Correctness Process. Milestones shown along the timeline: Implement CM, Start QA, Develop Traceability, Design, Integration, Review, Conformity, SOI #1, SOI #2, SOI #4 (SOI = Stage of Involvement review with the certification authority), Cert.
DO-178B planning documents:
- PSAC: Plan for Software Aspects of Certification
- SQAP: Software Quality Assurance Plan
- SCMP: Software Configuration Management Plan
- SWDP: Software Development Plan
- SWVP: Software Verification Plan
Plus three standards: Requirements, Design and Coding
Scope of DO-178B
Figure: a typical avionics LRU. DO-178B covers the software running on the CPU (application code, BSP, drivers); DO-254 covers the programmable hardware (PLD, FPGA, ASIC).
DO-178B Weaknesses Today
- Incomplete Level A objective coverage
- Advancements in tools, implying more appropriate qualification
- Thus: DO-178C
DO-178C Preview
- Almost 20 years since DO-178B was released; the software landscape has changed
- Advancements in: tools & automation; modeling & object-oriented technology; formal methodologies
- The commercial world has embraced the above; avionics has slowly followed
DO-178C Preview
- Since 2005, committees have met to discuss and update DO-178B
- Like 178B, includes industry & agencies
- Unlike 178B, more tool vendors, with an obvious focus on the acceptability of certain types of tools, particularly theirs
- Predominantly America & Europe, nearly equal; quarterly meetings
DO-178C Preview
- Unlike the DO-178A to DO-178B update, the core update to 178C is modest
- Instead, changes are handled via four supplements, which clarify: Tools, Model-Based Development (MBD), Object-Oriented technology (OO) and Formal Methods (FM)
Tool Qualification
- DO-178B: 2 criteria: Development; Verification
- DO-178C: 3 criteria:
  1. Development (the tool's output is part of the airborne software)
  2. Verification, where the tool's output also augments other development or verification activities
  3. Verification only
- Five Tool Qualification Levels (TQL-1 to TQL-5):
  - Criteria 1 tool, Level A software: TQL-1
  - Criteria 1 tool, Level B software: TQL-2
  - Criteria 1 tool, Level C software: TQL-3
  - TQL-4: Tool Operational Requirements (TOR), architecture, additional verification
  - TQL-5: TOR verification only
Object-Oriented Technology & Model-Based Development
DO-178B:
- No explicit provisions; assumes structured design
- OO accepted, but on user-defined (subjective) grounds
- Maximize determinism & visibility
- Weak on OO and MBD traceability
- Weak on applying structural coverage to OO & models
DO-178C:
- Allow controlled modeling & OO; bound MBD & OO acceptability
- Emphasize traceability
- Address memory management & exception handling
- Verify type consistency (verify substitutability: each subclass passes all tests applicable to its parent)
- Verify all callable methods for each invocation (dynamic dispatch)
- Emphasize detailed MBD & OO design standards
- Allow defined generics
- Acceptable virtualization (code versus data)
Memory Management
- DO-178B: No explicit provisions
- DO-178C: Verify the common vulnerabilities of memory managers:
  - Fragmentation
  - Ambiguous references
  - Heap memory
  - Deallocation
  - Garbage collection (tightly constrained, but allowable)
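As an added example (not from the Atego deck), the following Python script shows the kind of check a verifier would run against a memory manager for three of the hazards listed above: fragmentation, bad deallocation and leaks. It replays a constructed allocation trace against a first-fit heap model and reports every finding. The heap model, the trace, the handle names and the 128-byte heap size are all illustrative assumptions.

```python
"""Replay an allocation trace against a first-fit heap model and report
memory-manager hazards (fragmentation, bad deallocation, leaks).
Constructed example; the heap model and trace are illustrative only."""
from dataclasses import dataclass


@dataclass
class Block:
    addr: int
    size: int
    free: bool


class FirstFitHeap:
    """Minimal first-fit allocator with coalescing on free."""

    def __init__(self, size):
        self.total = size
        self.blocks = [Block(0, size, True)]   # address-ordered block list
        self.errors = []                        # hazard findings, in trace order
        self.peak_fragmentation = 0.0

    def alloc(self, size):
        for i, b in enumerate(self.blocks):
            if b.free and b.size >= size:
                if b.size > size:               # split off the remainder
                    self.blocks.insert(i + 1, Block(b.addr + size, b.size - size, True))
                b.size, b.free = size, False
                return b.addr
        self.errors.append(f"alloc({size}) failed: {self.free_bytes()} bytes free, "
                           f"largest contiguous run {self.largest_free()}")
        return None

    def free(self, addr):
        for i, b in enumerate(self.blocks):
            if b.addr == addr:
                if b.free:                      # block start freed twice
                    self.errors.append(f"double free at {addr}")
                    return
                b.free = True
                # coalesce with the right neighbour first, then the left one
                if i + 1 < len(self.blocks) and self.blocks[i + 1].free:
                    b.size += self.blocks[i + 1].size
                    del self.blocks[i + 1]
                if i > 0 and self.blocks[i - 1].free:
                    self.blocks[i - 1].size += b.size
                    del self.blocks[i]
                return
        # a stale address that was merged into a neighbour lands here
        self.errors.append(f"free({addr}): not the start of an allocated block")

    def free_bytes(self):
        return sum(b.size for b in self.blocks if b.free)

    def largest_free(self):
        return max((b.size for b in self.blocks if b.free), default=0)

    def fragmentation(self):
        """External fragmentation: share of free memory outside the largest free run."""
        f = self.free_bytes()
        return 0.0 if f == 0 else 1.0 - self.largest_free() / f


def replay(trace, heap_size):
    """Run a trace of ("alloc", handle, size) / ("free", handle) ops; return the heap."""
    heap = FirstFitHeap(heap_size)
    live = {}                                   # handle -> address
    for op in trace:
        if op[0] == "alloc":
            _, name, size = op
            addr = heap.alloc(size)
            if addr is not None:
                live[name] = addr
        elif op[0] == "free":
            _, name = op
            if name not in live:                # stale or unknown handle
                heap.errors.append(f"free of unknown or already-freed handle {name!r}")
                continue
            heap.free(live.pop(name))
        heap.peak_fragmentation = max(heap.peak_fragmentation, heap.fragmentation())
    for name in live:
        heap.errors.append(f"leak: handle {name!r} still allocated at end of trace")
    return heap


# Constructed trace on a 128-byte heap: four 32-byte blocks fill it; freeing
# a and c leaves two separate 32-byte holes, so a 64-byte request fails even
# though 64 bytes are free; the final free of b reuses a stale handle.
TRACE = [
    ("alloc", "a", 32), ("alloc", "b", 32), ("alloc", "c", 32), ("alloc", "d", 32),
    ("free", "a"), ("free", "c"),
    ("alloc", "e", 64),
    ("free", "b"), ("free", "d"), ("free", "b"),
]

if __name__ == "__main__":
    h = replay(TRACE, 128)
    print(f"peak fragmentation {h.peak_fragmentation:.2f}")
    for e in h.errors:
        print("FINDING:", e)
```

Running the script reports a peak fragmentation of 0.50 at the point where the 64-byte request fails, then the stale-handle free; a real memory-manager review would feed it the allocator's own instrumentation log instead of the constructed trace and add a worst-case allocation-time check, since DO-178C's concern is determinism as much as correctness.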
Formal Methods
- DO-178B: No explicit provisions (but commonly applied, subjectively, and via ED-12B in Europe)
- DO-178C: Recognizes acceptance of formal methods for:
  - Requirements correctness, consistency, and reviews
  - Source code reviews, particularly autocode generated from models (low-level requirements)
  - Test cases covering low-level requirements
  - Replacement of some forms of testing via formal-method-based reviews
  - Potential to reduce testing via code analysis
Figure: System Development under ARP 4754A produces hardware requirements (HW Rqmts) and software requirements (SW Rqmts); the software is developed and tested under DO-178B, the hardware under DO-254.
Mistake #2: Insufficient PSAC per ARP 4754A and ARP 4761
- Related to Mistake #1
- Needed: a more consistent and justifiable criticality level determination, and application of the corresponding lifecycle
- DO-178C users: heed ARP 4754A (and its safety-assessment companion, ARP 4761) and address system-level development
DO-178C will require most source-code branches to directly trace to low-level requirements.
Bonus question: what will thus be the difference between Level C and Level B?
Figure: the two test classes, Functional Tests and Robustness Tests.
- DO-178C recognizes major advances in avionics development tools
- Tool vendors were major contributors to DO-178C
- DO-178C will require more thoughtful application of tool qualification:
  - Consider the tool's application and the criticality level of the associated software
  - Specify all software-related tools in the PSAC
  - Justify which tools will not require qualification, and why
  - Document the above in a Tool Qualification Plan
- DO-178C provides formal methods to assist verification; formal methods may greatly enhance it
- However, formal methods should use a formal requirement notation
- Formal notation quantifies relationships and allows verification traceability
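To make the traceability point concrete, here is an added example (not from the deck) in Python: four low-level requirements are written as predicates over inputs and output rather than as prose, and a bounded exhaustive check evaluates each one against a candidate implementation, returning either "verified" or a counterexample per requirement ID. The stall-warning function, the requirement IDs (LLR-101 to LLR-104), the angle-of-attack limit and the input domain are constructed for illustration; a real project would use a formal notation and prover rather than Python lambdas and enumeration.

```python
"""Bounded exhaustive verification of low-level requirements written as
predicates, with a traceability result per requirement ID.
Constructed example; the requirement IDs, limit and function are illustrative."""
from itertools import product

AOA_LIMIT = 15  # degrees; assumed threshold for the example


def stall_warning(aoa, on_ground, test_mode):
    """Candidate implementation under verification (constructed)."""
    return (aoa >= AOA_LIMIT and not on_ground) or test_mode


def stall_warning_off_by_one(aoa, on_ground, test_mode):
    """Variant with a deliberate boundary defect, to show counterexample output."""
    return (aoa > AOA_LIMIT and not on_ground) or test_mode


# Each requirement is a formal predicate over the inputs and the observed output.
# "A implies B" is written as (not A) or B so each lambda reads as the requirement.
REQUIREMENTS = {
    # at or above the limit while airborne, the warning shall be on
    "LLR-101": lambda aoa, g, t, out: (not (aoa >= AOA_LIMIT and not g)) or out,
    # on the ground, outside test mode, the warning shall be off
    "LLR-102": lambda aoa, g, t, out: (not (g and not t)) or (not out),
    # test mode shall force the warning on
    "LLR-103": lambda aoa, g, t, out: (not t) or out,
    # below the limit, outside test mode, the warning shall be off
    "LLR-104": lambda aoa, g, t, out: (not (aoa < AOA_LIMIT and not t)) or (not out),
}

# Finite input domain over which the check is exhaustive (bounded verification).
DOMAIN = {"aoa": range(0, 31), "on_ground": (False, True), "test_mode": (False, True)}


def verify(impl, requirements=REQUIREMENTS, domain=DOMAIN):
    """Evaluate every requirement on every input vector.

    Returns {req_id: None} for a satisfied requirement and
    {req_id: counterexample dict} for the first violating vector found,
    which is the evidence a reviewer files against that requirement ID.
    """
    results = {}
    inputs = list(product(domain["aoa"], domain["on_ground"], domain["test_mode"]))
    for rid, pred in requirements.items():
        results[rid] = None
        for aoa, g, t in inputs:
            out = impl(aoa, g, t)
            if not pred(aoa, g, t, out):
                results[rid] = {"aoa": aoa, "on_ground": g, "test_mode": t, "output": out}
                break
    return results


def all_satisfied(results):
    return all(v is None for v in results.values())


if __name__ == "__main__":
    for name, impl in (("stall_warning", stall_warning),
                       ("stall_warning_off_by_one", stall_warning_off_by_one)):
        res = verify(impl)
        print(name, "PASS" if all_satisfied(res) else "FAIL")
        for rid, ce in res.items():
            print(f"  {rid}: {'verified' if ce is None else 'counterexample ' + str(ce)}")
```

The off-by-one variant fails only LLR-101, with the boundary vector (aoa = 15, airborne, no test mode) as the counterexample; the other three requirements still pass, which is exactly the per-requirement trace a formal notation makes possible and prose requirements do not.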
- Due to the difficulty of qualifying modelling tools, and the expanded DO-178C tool qualification criteria, inexperienced users may wrongly avoid modelling
- HOWEVER: modelling tools do NOT require qualification, provided their outputs are independently verified
- Simply verify the tool's outputs and their traceability, and qualification is avoided
- However, Level A software guards against failure conditions whose probability targets are roughly 100X more stringent than Level B's (catastrophic versus hazardous: on the order of 10^-9 versus 10^-7 per flight hour)
- DO-178C's solution: more stringent MC/DC criteria; more stringent source-to-object code correlation
- Documented in the Software Verification Plan
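The "bonus question" above (Level C versus Level B) and the MC/DC point here come down to which structural-coverage criterion applies: statement coverage at Level C, decision coverage at Level B, MC/DC at Level A. The following Python script is an added example, not part of the deck, that shows the difference on one three-condition decision: it checks a test set for decision coverage, searches it for the independence pair each condition needs under unique-cause MC/DC, and brute-forces the smallest MC/DC set. The decision, the condition meanings (angle-of-attack high, gear down, manual test) and both test sets are constructed for illustration.

```python
"""Structural-coverage check for one Boolean decision: decision coverage
versus MC/DC (unique-cause form), plus a brute-force minimal MC/DC set.
Constructed example; the decision and test vectors are illustrative."""
from itertools import combinations, product


def stall_warn(conds):
    """Decision under test: (A and not B) or C, with A = angle-of-attack high,
    B = gear down, C = manual test (all constructed)."""
    a, b, c = conds
    return (a and not b) or c


def decision_coverage(decision, tests):
    """Level B criterion (simplified): the decision has been observed both True and False."""
    return {decision(t) for t in tests} == {True, False}


def mcdc_pairs(decision, n, tests):
    """For each condition index, find an independence pair: two tests that differ
    only in that condition and produce different decision outcomes.
    Returns {index: (test_a, test_b)} with None where no pair exists."""
    tests = [tuple(bool(x) for x in t) for t in tests]
    outcome = {t: decision(t) for t in tests}
    pairs = {}
    for i in range(n):
        pairs[i] = None
        for t in tests:
            flipped = t[:i] + (not t[i],) + t[i + 1:]
            if flipped in outcome and outcome[flipped] != outcome[t]:
                pairs[i] = (t, flipped)
                break
    return pairs


def mcdc_satisfied(decision, n, tests):
    """Level A criterion: every condition has an independence pair in the test set."""
    return all(p is not None for p in mcdc_pairs(decision, n, tests).values())


def minimal_mcdc_set(decision, n):
    """Smallest subset of the truth table that achieves MC/DC (brute force, which
    is fine for the handful of conditions a single decision normally has)."""
    rows = list(product((False, True), repeat=n))
    for k in range(2, len(rows) + 1):
        for subset in combinations(rows, k):
            if mcdc_satisfied(decision, n, subset):
                return list(subset)
    return None


# Constructed test sets for the three-condition decision above.
DC_TESTS = [(True, False, False), (False, False, False)]             # decision T and F
MCDC_TESTS = DC_TESTS + [(True, True, False), (False, False, True)]  # n + 1 = 4 vectors

if __name__ == "__main__":
    for label, ts in (("decision-coverage set", DC_TESTS), ("MC/DC set", MCDC_TESTS)):
        print(label, "decision coverage:", decision_coverage(stall_warn, ts),
              "MC/DC:", mcdc_satisfied(stall_warn, 3, ts))
        for i, p in mcdc_pairs(stall_warn, 3, ts).items():
            print(f"  condition {'ABC'[i]}: {'pair ' + str(p) if p else 'NOT covered'}")
    print("minimal MC/DC set:", minimal_mcdc_set(stall_warn, 3))
```

The two-vector set satisfies decision coverage (and therefore Level B, as far as this decision is concerned) yet leaves conditions B and C without an independence pair, so it would be rejected at Level A; four vectors, the n + 1 minimum for unique-cause MC/DC, are needed. Coverage tools used as Level A verification evidence fall under the tool qualification criteria discussed above, which is why the deck pairs the two points.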
Additional Information
Email: info@atego.com
Website: www.atego.com
DO-178B/254 White Papers: www.atego.com/wp
DO-178B websites: www.do178site.com, www.do178blog.com
DO-254 websites: www.do254site.com, www.do254blog.com