4 Overview of DO-178C and Supporting Documents
Acronym
| AL | assurance level |
| CAST | Certification Authorities Software Team |
| CC1 | control category #1 |
| CC2 | control category #2 |
| CNS/ATM | communication, navigation, surveillance, and air traffic management |
| COTS | commercial off-the-shelf |
| DP | discussion paper |
| EUROCAE | European Organization for Civil Aviation Equipment |
| FAQ | frequently asked question |
| OOT | object-oriented technology |
| OOT&RT | object-oriented technology and related techniques |
| PSAA | Plan for Software Aspects of Approval |
| PSAC | Plan for Software Aspects of Certification |
| RT | related techniques |
| SC-205 | Special Committee #205 |
| SW | software |
| TQL | tool qualification level |
| WG-71 | Working Group #71 |
4.1 History of DO-178
DO-178 and its EUROCAE* equivalent (ED-12) have a 30-year history. Table 4.1 summarizes the evolution of DO-178 and related documents.
In 1982, the first version of DO-178 was published. The document was very brief and only provided a high-level framework for software development.
Table 4.1 Evolution of DO-178 and Related Documents
Between 1982 and 1985 the software engineering discipline matured significantly, as did DO-178. DO-178A was published in 1985. Many systems that are still in existence today used DO-178A as their means of compliance. However, there were a few challenging characteristics of DO-178A. First, DO-178A addressed both requirements validation and verification. DO-178 and DO-178A preceded the development of ARP4754 and ARP4761, which put the system and safety assessment framework into place. With the development of ARP4754, it was determined that requirements validation (ensuring that one has the right requirements) is a system activity; whereas requirements verification (ensuring that the requirements allocated to software are implemented correctly) is a software activity. Second, DO-178A was not objective-based, making it challenging to objectively assess compliance to it. Third, DO-178A allowed structural testing, rather than structural coverage analysis. As Chapter 9 will explain, structural testing is not adequate to identify unintended functionality or to measure the completeness of requirements-based testing.
DO-178B was published in late 1992. It was developed in parallel with ARP4754 and ARP4761, which were published a short time later. DO-178B contains more detail than DO-178A and became the de facto standard for software development in civil aviation. DO-178B is objective-based; it strives to identify what the developer must do but gives flexibility for how it is accomplished. The document also requires more insight into what is being done by requiring documented evidence (life cycle data) for all activities used for certification credit; this makes it possible to objectively assess compliance. Additionally, as mentioned earlier, DO-178B does not address requirements validation; that is the responsibility of the systems team. And, DO-178B significantly clarified the expectations for structural coverage analysis.
In 1999–2001, RTCA published DO-248, DO-248A, and DO-248B. DO-248 started out as an annual report to clarify some of the more challenging aspects of DO-178B. The final version of the report was published in 2001 as DO-248B (its EUROCAE equivalent is ED-94B); it included the contents from previous releases. DO-248B included 12 errata on DO-178B (minor typographical corrections), 76 frequently asked questions (FAQs), and 15 discussion papers (DPs). A FAQ is a short clarification of less than one page and is written in the form of a question and answer. A DP is also clarification but is longer than one page and is written in the form of a topic explanation. DO-248B was never considered guidance material, but merely clarified guidance already contained in DO-178B. It is an informational and educational document to help users better understand and apply DO-178B. As will be explained later in this chapter, DO-248B has been replaced by DO-248C.
In 2005, RTCA and EUROCAE formed a joint committee to update DO-178B (and ED-12B) to provide a path forward for addressing software technology changes.* Objectives of the committee were to continue the following [1,2]:
Promoting safe implementation of aviation software
Providing clear and consistent ties with the systems and safety processes
Addressing emerging software trends and technologies
Implementing a flexible approach to change with the technology
The input to the committee’s efforts were DO-178B, DO-278, DO-248B, certification authorities’ publications (including policy, guidance, issue papers, Certification Authorities Software Team [CAST]* papers, research reports, etc.), the committee’s terms of reference, an ongoing issues list, and the experience and expertise of hundreds of professionals. The output was seven documents, often referred to as green covers, since the hard copy of each RTCA document is published with a green cover. RTCA published the following documents at the end of 2011 (a nice Christmas gift for those of us on the committee who committed 6.5 years of our lives to the effort):
DO-178C/ED-12C, Software Considerations in Airborne Systems and Equipment Certification
DO-278A/ED-109A, Guidelines for Communication, Navigation, Surveillance, and Air Traffic Management (CNS/ATM) Systems Software Integrity Assurance
DO-248C/ED-94C, Supporting Information for DO-178C and DO-278A
DO-330/ED-215, Software Tool Qualification Considerations
DO-331/ED-218, Model-Based Development and Verification Supplement to DO-178C and DO-278A
DO-332/ED-217, Object-Oriented Technology and Related Techniques Supplement to DO-178C and DO-278A
DO-333/ED-216, Formal Methods Supplement to DO-178C and DO-278A
Figure 4.1 illustrates the relationship of the seven documents. Each document is briefly described later and will be more thoroughly explained in future chapters. The RTCA DOand EUROCAE EDdocuments are the same except for page layout (RTCA uses a letter-sized page, whereas EUROCAE uses size A4) and the added French translation for EUROCAE documents. Throughout the remainder of this book, only the RTCA numbers will be referenced.
Figure 4.1 Relationship of DO-178C and related documents.
4.2 DO-178C and DO-278A Core Documents
DO-178C and DO-278A are virtually the same, except DO-178C is focused on airborne software and DO-278A on CNS/ATM ground-based software. Section 4.2.1 summarizes the primary differences between the two documents. Because of the fact that the DO-178C and DO-278A are nearly the same and DO-178C has a larger user community than DO-278A, after Section 4.2.1, only DO-178C will be mentioned unless there is a notable difference.
DO-178C and DO-278A are often called the core documents since they provide the core concepts and organization that the other documents are built upon. These core documents are intended to be as technology-independent as possible. DO-248C and the supplements reference the two core documents and provide the technology-specific details.
DO-178C is very similar to DO-178B; however, it has been updated to address unclear aspects of DO-178B, to be consistent with the system and safety documents (ARP4754A and ARP4761), and to have a full set of objectives tables that agree with the front matter of the document. Like DO-178B, DO-178C is composed of 12 sections, an Annex A that summarizes the objectives in the main body, an Annex B that includes a glossary, and some supporting appendices. The relationship of the DO-178C sections are illustrated in Figure 4.2 and briefly described in the following:
DO-178C section 1 provides an introduction to the document.
DO-178C section 2 includes the system framework which is aligned with ARP4754A.
DO-178C section 3 provides a brief overview of the DO-178C software life cycle processes: planning, development (requirements, design, code, and integration), verification, software configuration management, software quality assurance, and certification liaison.
Figure 4.2 Overview of DO-178C.
DO-178C section 4 explains the planning process objectives and activities. The planning objectives are summarized in DO-178C Table A-1.
DO-178C section 5 provides an explanation of the objectives and activities of the development processes. The development processes includes the requirements, design, code, and integration phases. The development objectives are summarized in DO-178C Table A-2.
DO-178C section 6 describes the verification process. Verification is an integral process, which begins with the verification of the plans and goes all the way through the reporting and review of verification results. Verification includes reviews, analyses, and tests. Verification plays a significant role in the software development assurance; over half of the DO-178C objectives are verification objectives. The verification objectives are summarized in DO-178C Tables A-3 through A-7.
DO-178C section 7 explains the software configuration management process, which includes change control and problem reporting. The configuration management objectives are summarized in DO-178C Table A-8.
DO-178C section 8 provides guidance for the software quality assurance process. Objectives for software quality assurance process are summarized in DO-178C Table A-9.
DO-178C sections 9 and 10 summarize the certification liaison process and the overall aircraft or engine certification process.
The certification liaison objectives are summarized in DO-178C Table A-10.
DO-178C section 11 identifies the life cycle data generated while planning, developing, and verifying the software. In many situations the term software life cycle data is also referred to as data items or artifacts. The expected contents of each life cycle data item is briefly explained in DO-178C section 11. Each data item is discussed in the chapters ahead.
DO-178C section 12 includes guidance on some additional considerations that go above and beyond the previous sections, including previously developed software, tool qualification levels (TQLs), and alternative methods (such as exhaustive input testing, multiple-version dissimilar software, software reliability models, and product service history).
DO-178C Annex A includes tables for each process that correlate the objectives and outputs. The DO-178B Annex A tables and the main body of DO-178C were slightly modified to ensure consistency. The DO-178C Annex A tables summarize objectives, applicability by software level, independence requirements for the objective, output that is typically generated to satisfy the objective, and the amount of configuration control required on the output. Section 4.2.2 explains more about the relationship between the DO-178C Annex A tables and the DO-178C document body, as well as how to interpret the tables.
DO-178C Annex B includes the glossary of terms that are used in DO-178C. DO-178C uses common software engineering definitions but modifies some of them for the aviation-specific domain.
DO-178C appendix A provides background information, a brief summary of differences from DO-178B to DO-178C, and the committee’s terms of reference.
DO-178C appendix B lists the committee membership. Anyone who attended at least two meetings was included in the membership list; therefore, it is a rather long list.
Table 4.2 provides a brief summary of the significant changes from DO-178B to DO-178C for each section (the DO-178C section references are included in parentheses). Pertinent details of the difference are explained in future chapters of this book.
4.2.1 DO-278A and DO-178C Differences
DO-278A is entitled Guidelines for Communication, Navigation, Surveillance, and Air Traffic Management (CNS/ATM) Systems Software Integrity Assurance. DO-278A focuses on ground-based CNS/ATM software, which can have a direct impact on aircraft safety. The main differences between DO-178C and DO-278A are noted here.
Table 4.2 Primary Differences between DO-178B and DO-178C
DO-178C uses airborne software; whereas DO-278A uses CNS/ATM software.
DO-178C uses certification; whereas DO-278A uses approval.
DO-178C uses airworthiness requirements; whereas DO-278A uses applicable approval requirements.
DO-178C uses parameter data item files; whereas DO-278A uses adaptation data item files.
DO-178C uses Plan for Software Aspects of Certification (PSAC); whereas DO-278A uses Plan for Software Aspects of Approval (PSAA).
DO-278A section 2 differs slightly from DO-178C, since the tie to the safety assessment process is different for CNS/ATM ground systems vs. aircraft.
DO-278A uses assurance levels 1–6 (AL1–AL6) instead ofsoftware levels A–E. The DO-278A assurance levels are equivalent to DO-178C levels, except DO-278A has an additional level between DO-178C’s levels C and D. Table 4.3 shows the mapping between DO-278A and DO-178C levels.
DO-278A has brief sections on security requirements, adaptability, cutover (hot swapping), and post-development life cycle, which are not provided in DO-178C.
DO-278A’s section on service experience is slightly different from DO-178C’s section on product service history.
DO-278A has a lengthy section on commercial off-the-shelf (COTS) software that does not exist in DO-178C.
Table 4.3 Correlation of DO-178C and DO-278A Levels
4.2.2 Overview of the DO-178C Annex A Objectives Tables
It is often said that DO-178C is best read from the back forward. DO-178C Annex A summarizes the objectives, applicable sections, and required data from DO-178C sections 4 through 11. However, if one doesn’t read the front matter, the DO-178C Annex A objectives tables will not provide a complete understanding of the subject matter. The DO-178C Annex A tables essentially provide a roadmap for applying objectives by software level. This subsection briefly explains the subject of each table, how the tables relate, and how to interpret the tables. Objectives are further discussed in Chapters 5 through 12 as the technical matter is more deeply explored.
Table 4.4 contains the title of the 10 DO-178C Annex A tables, as well as the number of objectives included in each table. Table 4.5 shows the number of objectives applicable by software level. Figure 4.3 shows the relationship between the 10 DO-178C objectives tables. The planning process drives drives the other processes, and the configuration management, quality assurance, and certification liaison processes take place throughout the entire project.
Table 4.4 Summary of DO-178C Annex A Tables
Table 4.5 Number of DO-178C Objectives by Software Level
| Software level | A | B | C | D | E |
| Number of objectives | 71 | 69 | 62 | 26 | 0 |
Figure 4.3 Relationship of DO-178C Annex A tables.
Table 4.6 shows a representative objective from DO-178C (Table A-6 objective 3). There are five major sections of each objective table. Each section is briefly described in the following:
The Objective section summarizes the objective and provides a reference back to the main body of the document where the objective is explained. The objectives are what needs to be done. They do not explain how to do it. It is important to read the referenced section in order to completely understand the objective. Most descriptions are rather intuitive, but there are a few that are more complex. The objectives will be explained in Chapters 5 through 12, including the more challenging objectives.
The Activity section provides reference back to the main body of DO-178C, where there are suggested activities for how to satisfy the objective. The activities provide the typical approach to satisfying an objective, but other approaches may be proposed in the plans.
The Applicability by Software Level identifies which objectives apply by software level. As previously noted, all objectives apply to level A; however, levels B–D are a subset. An ○ or • in columns A, B, C, or D means the objective must be satisfied for that software level. A filled circle (•) means the objective must be completed with independence. For verification objectives, independence simply means that a separate person or tool performs the verification (i.e., one that did not generate the original artifact being verified). Independence is explained later in this book (Section 9.3 for verification independence and Section 11.1.3 for software quality assurance independence).
There are a total of 71 objectives in DO-178C. For level A, all 71 objectives need to be satisfied. For levels B and lower, the number is less, as shown in Table 4.5. Depending on the software development approach, some objectives may not be applicable (e.g., if partitioning is not used, Table A-4 objective 13 does not apply, or if there are no parameter data, Table A-5 objectives 8 and 9 do not apply).
The Output columns identify the data that should be generated to prove that the objective is satisfied and its applicable reference to DO-178C section 11, where a brief explanation of each data item is provided. There is a saying in the certification world: “If it isn’t written down, it didn’t happen.” The output column identifies the data used to prove compliance to the objectives. Table 4.7 provides a summary of all the DO-178C section 11 data items that are referenced in the Annex A tables. The items shown with an asterisk are always
Table 4.6 Example DO-178C Objective
Table 4.7 Overview of Software Life Cycle Data
The Control Category by Software Level indicates the level of configuration management that applies to the output data item. A ? means control category #1 (CC1) and requires a more rigorous configuration management process. A ? indicates control category #2 (CC2) and is less rigorous. CC1 and CC2 are explained in Chapter 11.
4.3 DO-330: Software Tool Qualification Considerations
DO-178C defines a software tool as: “A computer program used to help develop, test, analyze, produce, or modify another program or its documentation. Examples are an automated design tool, a compiler, test tools, and modification tools” [1]. Because of the increased volume of tools being used and the amount of third-party tool manufacturers, tool qualification guidance was expanded and separated from the DO-178C core into a stand-alone document, DO-330. DO-178C section 12.2 explains how to determine if a tool needs to be qualified and to what level the tool needs to be qualified. There are five TQLs defined; TQL-1 is the most rigorous. DO-330 explains what needs to be done to qualify the tool. DO-330 is organized similar to DO-178C and has its own set of objectives. DO-330 is a stand-alone document that allows tool developers to develop qualifiable tools without having detailed knowledge of DO-178C itself. DO-330 was created to be as domain independent as possible so it may be used by other domains (such as aeronautical database developers, electronic hardware developers, system safety assessment tool developers, system developers). The DO-330 guidance applies to tools implemented in software (i.e., it does not apply to tools implemented in hardware). Some adaptation may be needed for each specific domain that references the guidance to identify the appropriate TQLs and usage of the tool in the life cycle for that domain. However, the overall qualification process is relatively independent of the domain in which the tool is used. DO-330 appendices C and D provide several FAQs on tool qualification. DO-330 and tool qualification are examined in Chapter 13.
4.4 DO-178C Technology Supplements
To develop an approach that can change with technology and trends, the RTCA and EUROCAE committee opted to develop technology supplements. The vision is that as technology changes, the main body of DO-178C can remain unchanged and technology supplements can be modified or added, as needed. Three technology supplements were published at the same time as DO-178C. Each technology supplement is objective-based and expands on the objectives in the DO-178C core for its specific technology. Each supplement explains how objectives from the DO-178C core apply, are modified, or are replaced. Each supplement is briefly summarized in the following and will be explained in more detail in subsequent chapters. If multiple supplements are used together, the PSAC needs to explain what supplement and objectives apply to each portion of the software life cycle and resulting data.
4.4.1 DO-331: Model-Based Development Supplement
DO-331, entitled Model-Based Development and Verification Supplement to DO-178C and DO-278A, defines a model as [3]:*
An abstract representation of a set of software aspects of a system that is used to support the software development process or the software verification process. This supplement [DO-331] addresses model(s) that have the following characteristics:
The model is completely described using an explicitly identified modeling notation. The modeling notation may be graphical and/or textual.
The model contains software requirements and/or software architecture definition.
The model is of a form and type that is used for direct analysis or behavioral evaluation as supported by the software development process or the software verification process.
DO-331 is based on the DO-178C core and modifies or adds guidance to the core. Both model-based development and model-based verification are addressed in the DO-331 supplement. DO-331 provides guidance for specification models and design models, as well as model coverage analysis and model simulation. Most of the variances between DO-178C and DO-331 are in sections 5 and 6 (the development and verification processes). There are also impacts on planning (section 4), software life cycle data (section 11), and the Annex A objectives tables. Model-based development and verification and DO-331 are discussed more in Chapter 14.
4.4.2 DO-332: Object-Oriented Technology Supplement
DO-332, entitled Object-Oriented Technology and Related Techniques Supplement to DO-178C and DO-278A, explains that: “Object-oriented technology is a paradigm for system analysis, design, modeling, and programming centered on objects. There are concepts and techniques commonly found in object-oriented languages that need to be taken into account when considering software safety” [4]. DO-332 identifies the most pertinent issues surrounding object-oriented technology (OOT) and provides guidance on what needs to be done to address them. Additionally, DO-332 addresses six related techniques commonly associated with, but not limited to, OOT: parametric polymorphism, overloading, type conversion, exception management, dynamic memory management, and virtualization. As Chapter 15 will explain, the guidance for these related techniques may be applicable to non-OOT projects, when the languages utilize these advanced techniques. Like the other supplements, the DO-332 supplement is based on the DO-178C core and identifies where guidance needs to be modified or enhanced. Some changes from DO-178C are identified in DO-332 sections 4 through 6, and 11. In general, however, the changes are relatively minor. In addition to the guidance provided in DO-332 sections 1 through 12, the supplement includes an Annex D that identifies vulnerabilities in object-oriented technology and related techniques (OOT&RT) and provides guidance on what needs to be done to address these vulnerabilities. The Annex D with vulnerabilities is unique for DO-332; other supplements do not have such a section. Like DO-330 and the other supplements, DO-332 has an appendix, which summarizes FAQs. The OOT&RT FAQs are divided into the following categories: (1) general, (2) requirements, (3) design, (4) programming, and (5) verification. DO-332 and OOT are discussed more in Chapter 15.
4.4.3 DO-333: Formal Methods Supplement
DO-333, entitled Formal Methods Supplement to DO-178C and DO-278A, defines formal methods as: “Descriptive notations and analytical methods used to construct, develop and reason about mathematical models of system behavior. A formal method is a formal analysis carried out on a formal model” [5]. DO-178B identified formal methods as an alternative method; however, the guidance was vague and not widely applied. Since DO-178B’s publication advances have been made in the area of formal methods, and tools and techniques have been improved to make the technology more feasible. Therefore, the formal methods section has been removed from DO-178C and addressed in a supplement (DO-333). DO-333 uses the DO-178C core as the foundation and supplements the core with formal methods-specific guidance. The main sections that differ between DO-178C and DO-333 are sections 5, 6, and 11, as well as the Annex A objectives tables. Most other sections remain relatively unchanged. Chapter 16 provides more information on formal methods and DO-333.
4.5 DO-248C: Supporting Material
DO-248C, entitled Supporting Information for DO-178C and DO-278A, is a collection of FAQs and DPs on DO-178C topics. It replaces DO-248B and is very similar to DO-248B, with the following differences:
As can be deduced from the title, DO-248C addresses DO-278A as well as DO-178C.*
DO-248C does not have any errata, since no DO-178C errata were identified at the time when DO-248C was published.
Some FAQs and DPs in DO-248B were removed from DO-248C since the information now exists elsewhere (e.g., in DO-178C, DO-330, the supplements, or the system and safety documents [ARP4754A and ARP4761]).
Some FAQs and DPs were updated to be consistent with DO-178C (e.g., FAQ #42 on structural coverage at object code level and FAQ #67 on data and control coupling analysis).
Some new FAQs and DPs were added to clarify pertinent topics. Some of the new FAQs or DPs were added to clarify new DO-178C topics (e.g., DP #20 on parameter data items). Other FAQs or DPs were added to clarify topics that have become more pertinent since DO-248B’s publication (e.g., DP #16 on cache management, DP #17 on floating-point arithmetic, and DP #21 on single event upset). Some FAQs or DPs were added to address some common certificationrelated subjects (e.g., FAQ #81 on merging high-level and low-level requirements, FAQ #83 on low-level requirements in the form of pseudocode, and DP #19 on independence).
Section 5 was added to DO-248C; it includes rationale for DO-178C, DO-278A, DO-330, and the supplements.
DO-248C is not written to be read from front to back. Instead, it is a series of short papers that explain commonly misunderstood or troublesome aspects of DO-178C. The key to using DO-248C is its appendices C and D. DO-248C appendix C provides an index of keywords in the document. DO-248C appendix D provides a mapping of the DO-248C papers to the DO-178C sections. When researching a topic or a DO-178C section, one can use appendix C or D to find the relevant DO-248C sections. Hyperlinks are included in the electronic version to enhance the usability. Several DO-248C FAQs and DPs will be mentioned throughout this book as germane to the subject.
It should be noted that FAQs and DPs on tool qualification or the technology supplements are included in those documents, rather than in DO-248C.
It is expected that as the aviation community gains experience with DO-178C, DO-248C will be updated to capture errata and provide additional clarification.
References
1. RTCA DO-178C, Software Considerations in Airborne Systems and Equipment Certification (Washington, DC: RTCA, Inc., December 2011).
2. RTCA DO-248C, Supporting Information for DO-178C and DO-278A (Washington, DC: RTCA, Inc., December 2011).
3. RTCA DO-331, Model-Based Development and Verification Supplement to DO-178C and DO-278A (Washington, DC: RTCA, Inc., December 2011).
4. RTCA DO-332, Object-Oriented Technology and Related Techniques Supplement to DO-178C and DO-278A (Washington, DC: RTCA, Inc., December 2011).
RTCA DO-333, Formal Methods Supplement to DO-178C and DO-278A (Washington, DC: RTCA, Inc., December 2011).
6. RTCA DO-278A, Guidelines for Communications, Navigation, Surveillance, and Air Traffic Management (CNS/ATM) Systems Software Integrity Assurance (Washington, DC: RTCA, Inc., December 2011).
*European Organization for Civil Aviation Equipment.
*The joint committee is RTCA Special Committee #205 (SC-205) and EUROCAE Working Group #71 (WG-71). The committee was divided into an executive committee and seven sub-groups.
*CAST is a team of international certification authorities who strive to harmonize their positions on airborne software and aircraft electronic hardware in CAST papers.
*Brackets added for clarification.
*For the remainder of this section, whenever DO-178C is mentioned, the same also applies for DO-278A.