RVS 3.18 Launched
Solid Sands partners with Rapita Systems
Danlaw Acquires Maspatechnologies - Expanding Rapita Systems to Spain
Rapita co-authored paper wins ERTS22 Best paper award
Measuring response times and more with RapiTime
Why mitigating interference alone isn’t enough to verify timing performance for multicore DO-178C projects
There are how many sources of interference in a multicore system?
Supporting modern development methodologies for verification of safety-critical software
DO-178C Guidance: Introduction to RTCA DO-178 certification
MATLAB® Simulink® MCDC coverage and WCET analysis
Code coverage for Ada, C and C++
AMC 20-193
NAVAIR FACE & SOSA TIM and Expo
DASC 2023
HISC 2023
Aerospace Tech Week Americas 2023
In the second of two related blog posts, I describe one method to present a certification argument for the use of instrumentation in source code coverage analysis.
In a previous post I explained how the coverage gained from instrumented code can be used to support DO-178B/C Level A compliance for code coverage. RapiCover uses lightweight source code instrumentation in order to perform coverage analysis. This means that a copy of the application code is annotated so that when it is run we can capture trace data to see which lines of source, decisions, etc., were exercised.
The instrumented code is typically not deployed on the final system. As we want to ensure the results are accurate, we need to be sure that the instrumentation process has not changed the functionality of the original application. For example, if the instrumentation had somehow removed or altered a construct and hence misleading results were presented. As part of our tool qualification process we perform rigorous testing on our instrumenter to ensure that this doesn't occur, using specially designed test programs.
To provide additional confidence the applicant should also run their test suite on both the instrumented and uninstrumented source code and compare the results. If there are no discrepancies then this provides evidence of no changes to functionality. A safety argument representing this dual approach is presented using the Goal Structuring Notation (see GSN description). Note that this provides diverse evidence of the instrumenter's non-interference (StDiverse, SysTestWithWithout, EgProgWithWithout).
The strength of evidence will depend on the depth of testing of the different software (EquivTests). We also need a sanity check to ensure that all the types of construct that are instrumented on the application have been represented in our test programs (AllConstCov). To be complete, I should mention that a pathological case exists where the compiler may have inserted additional code related to the instrumentation which is somehow not tested. However, this is a much wider issue with compiler trustworthiness affecting all aspects of the application code, and is why additional certification requirements exists to examine the object code at Level A. Also, the instrumentation routine itself (generally written by the customer) could have nasty side effects. Our advice would be to avoid these!
DO-178C webinars
White papers
Efficient Verification Through the DO-178C Life Cycle
A Commercial Solution for Safety-Critical Multicore Timing Analysis
Compliance with the Future Airborne Capability Environment (FACE) standard
5 key factors to consider when selecting an embedded testing tool
