DO-178C – Aeronautics Industry Moves To New International Software Safety Regulation

Embedded software in today’s aircraft is becoming continually larger and more complex. For example, the volume of embedded software in the A300 was a few thousand lines and it is in the order of 100 million in the A380. Moreover, a sizeable part of this software is safety critical. Hence, delivering certified code is one of the critical path design elements that is growing in significance.

In November 2011, the RTCA/EUROCAE SC 205/WG71 joint committee, representing the whole aeronautics industry (aircraft manufacturers, equipment suppliers and software tool vendors) and its certification authorities (FAA, EASA, etc.), approved the DO-178C guidelines, Software Considerations in Airborne Systems and Equipment Certification. DO-178C is now mandated by the aeronautics certification authorities such as FAA in the USA, EASA in the European Union, Transport Canada, AR MAK in Russia, CAAC in China, and others, in the certification of a new civilian aircraft, or a military aircraft that is using civilian airspace or installations.

This document replaces the earlier DO-178B, created in 1992, and takes into account the experience gathered by the aeronautics industry over those years as well as the substantial progress made in software development technology.

DO-178C includes supplementary material on two key topics: software modeling, described in the DO-331 Model-Based Development and Verification (MBDV) supplement, and qualification of software tools, described in the DO-330 Software Tool Qualification Considerations document.

[Figure: DO-178C document structure]

I had the pleasure of being a member of the committee tasked with creating the documents that define the new standard between 2005 and 2011.

To comply with the new standard cost-effectively, ANSYS provides the SCADE family of tools so aeronautics engineers can design and certify critical software on an aircraft, from Level D to Level A. Level A is software in which any failure could cause a fatal accident. The avionics certification standards require that the probability of having such an accident is no more than 1 per 10^9 flight hours. This makes it statistically more dangerous to be a pedestrian in a small city than to be an aircraft passenger.

[Figure: DO-178C software levels]

The new ANSYS SCADE 16.0 release is ready for the DO-178C standard

SCADE 16.0 provides a modeling tool to fully describe the software behavior that implements the system requirements allocated to software. It has a complete verification toolset, including model simulation and model coverage, to demonstrate that the SCADE model is a correct implementation of its parent requirements. The SCADE Suite KCG qualified code generator can automatically produce the source code of the application. Finally, the testing tool, SCADE Test, permits repeated testing both on the PC workstation and on the embedded target for final verification of the application.

With this solution, which is unique on the market, low-level verification activities are removed, so cost savings of up to 50 percent can be achieved compared to traditional software development processes.

SCADE 16.0 has already been audited by the FAA and Boeing for use on the Boeing KC-46 tanker aircraft.

To accompany this new 16.0 software release, ANSYS has created DO-178C Certification Plans for SCADE Suite Applications, Levels A and B, a set of application plans and templates that SCADE users can readily customize to their software application. In a DO-178C project, the planning phase describes all the project work and demonstrates how the organization will meet all the objectives of the standard in order to reach certification and ensure safe flights. This time-consuming planning phase is a key part of the project and typically takes several months to prepare and validate with the certification authority.

The SCADE 16.0 certification plan templates include (see figure) all the plans and standards needed for such projects (development, verification, configuration management, and quality assurance), and they are based on a typical product lifecycle, as described in the figure below.

[Figure: Typical SCADE lifecycle under DO-178C]

These certification plan templates will reduce the cost of writing plans for a given aircraft project by up to 80 percent, thus greatly facilitating the deployment of the SCADE products at the customer site during the transition from DO-178B to DO-178C standards.