Introduction to DO-178C

When a system is made up of mechanical and electronic components, for which the component failure rate is known, the probability of failure for the system can be calculated and achievement of the safety target can be demonstrated. For software, complex systems or electronic hardware, system failures can be caused by design errors (sometimes known as systematic failures) as well as component failures, but there is no agreed way of calculating the failure rate of these design errors. In the aerospace domain, the agreed approach for dealing with design errors is to implement design assurance processes that have specific activities to identify and eliminate design errors throughout the software development life cycle.

DO-178 was originally developed in the late 1970s and released in 1982 to define a prescriptive set of design assurance processes for airborne software that focused on documentation and testing. In the 1980s, DO-178 was updated to DO-178A, which suggested different levels of activities dependent on the criticality of the software, but the process remained prescriptive. Released in 1992, DO-178B was a total re-write of DO-178 to move away from the prescriptive process approach and define a set of activities and associated objectives that a design assurance process must meet.

This update allowed flexibility in the development approaches that could be followed, but also specified fundamental attributes that a design assurance process must have, which were derived from airworthiness regulations. These included, for example, demonstrating implementation of intended function, identifying potential unintended function, and verification of an integrated build running on the target hardware.

Advances in software engineering technologies and methodologies since the release of DO-178B made consistent application of the DO-178 objectives difficult. In 2012, DO- 178C was released, which clarified details and removed inconsistencies from DO-178B, and which also includes supplements that provide guidance for design assurance when specific technologies are used, supporting a more consistent approach to compliance for software developers using these technologies. DO-178C guidance also clarified some details within DO-178B so that the original intent could be better understood and more accurately met by developers.

DO-178B introduced (and DO-178C continued to use) the fundamental concept of the Design Assurance Level (DAL), which defines the amount of rigor that should be applied by the design assurance process based on the contribution to Aircraft Safety. The higher the DAL, the more activities and objectives that must be performed and met as part of the Design Assurance process because of the more severe consequences to the aircraft should the software fail or malfunction.

The basic structure of a Design Assurance process consists of three components:

• Planning
• Development
• Integral processes (Verification, Configuration Managements, Quality Assurance and Certification Liaison)

The typical process for the certification authority to determine compliance is based on four “Stage Of Involvement” (SOI) reviews. These reviews are:

• SOI#1 or Planning Review
• SOI#2 or Development Review
• SOI#3 or Verification Review
• SOI#4 or Certification review

Each of these reviews focuses on an aspect of the process and evaluates the evidence that demonstrates compliance incrementally throughout the development life cycle. We discuss each of the SOIs in more detail in the links above. Generally, certification authorities require that each SOI is passed before a project can proceed to the next SOI. SOIs thus mark key milestones in a DO-178C project.

Learn more about DO-178C by downloading our free 70-page DO-178C Handbook.