Skip to main content
SAIF Autonomy to use RVS to verify their groundbreaking AI platform
RVS 3.22 Launched
Hybrid electric pioneers, Ascendance, join Rapita Systems Trailblazer Partnership Program
Magline joins Rapita Trailblazer Partnership Program to support DO-178 Certification
How to certify multicore processors - what is everyone asking?
Data Coupling Basics in DO-178C
Control Coupling Basics in DO-178C
Components in Data Coupling and Control Coupling
DO-278A Guidance: Introduction to RTCA DO-278 approval
ISO 26262
Data Coupling & Control Coupling
Verifying additional code for DO-178C
Avionics and Testing Innovations 2025
DASC 2025
DO-178C Multicore In-person Training (Fort Worth, TX)
DO-178C Multicore In-person Training (Toulouse)
In the second of two related blog posts, I describe one method to present a certification argument for the use of instrumentation in source code coverage analysis.
In a previous post I explained how the coverage gained from instrumented code can be used to support DO-178B/C Level A compliance for code coverage. RapiCover uses lightweight source code instrumentation in order to perform coverage analysis. This means that a copy of the application code is annotated so that when it is run we can capture trace data to see which lines of source, decisions, etc., were exercised.
The instrumented code is typically not deployed on the final system. As we want to ensure the results are accurate, we need to be sure that the instrumentation process has not changed the functionality of the original application. For example, if the instrumentation had somehow removed or altered a construct and hence misleading results were presented. As part of our tool qualification process we perform rigorous testing on our instrumenter to ensure that this doesn't occur, using specially designed test programs.
To provide additional confidence the applicant should also run their test suite on both the instrumented and uninstrumented source code and compare the results. If there are no discrepancies then this provides evidence of no changes to functionality. A safety argument representing this dual approach is presented using the Goal Structuring Notation (see GSN description). Note that this provides diverse evidence of the instrumenter's non-interference (StDiverse, SysTestWithWithout, EgProgWithWithout).
The strength of evidence will depend on the depth of testing of the different software (EquivTests). We also need a sanity check to ensure that all the types of construct that are instrumented on the application have been represented in our test programs (AllConstCov). To be complete, I should mention that a pathological case exists where the compiler may have inserted additional code related to the instrumentation which is somehow not tested. However, this is a much wider issue with compiler trustworthiness affecting all aspects of the application code, and is why additional certification requirements exists to examine the object code at Level A. Also, the instrumentation routine itself (generally written by the customer) could have nasty side effects. Our advice would be to avoid these!
DO-178C webinars
White papers
Mitigation of interference in multicore processors for A(M)C 20-193
Developing DO-178C and ED-12C-certifiable multicore software
Efficient Verification Through the DO-178C Life Cycle
A Commercial Solution for Safety-Critical Multicore Timing Analysis
