Skip to main content
RVS 3.19 Launched
Rapita is proud to be an ISOLDE Partner
Rapita and SYSGO underline partnership
RVS 3.18 Launched
Introduction to Data Coupling and Control Coupling for DO-178C
Measuring response times and more with RapiTime
Why mitigating interference alone isn’t enough to verify timing performance for multicore DO-178C projects
There are how many sources of interference in a multicore system?
Data Coupling & Control Coupling
Verifying additional code for DO-178C
DO-178C Guidance: Introduction to RTCA DO-178 certification
MATLAB® Simulink® MCDC coverage and WCET analysis
Upcoming Webinar: Deep Dive on Multicore Interference
What is eVTOL?
VTOL (vertical takeoff and landing aircraft) is an aeronautics vehicle category that includes fixed-wing aircraft (e.g. Harrier and F35 Lightning II), rotorcraft, cyclocopters and tiltrotor aircraft. VTOL aircraft can take off and land without needing a runway, and can perform maneuvers that conventional aircraft cannot.
Electric VTOL (eVTOL) is a subcategory of VTOL. eVTOLs use electric power to drive their propulsion mechanisms. To date, eVTOL technology has primarily been developed for unmanned applications, however, the technology is now being more widely applied for use in personal aerial vehicles (PAVs).
Why use eVTOL technology?
One use case for eVTOL is to reduce traffic volumes in major cities and increase the speed of journeys in these environments. One of the well-known initiatives in this sector is Uber Elevate, which is being developed by the ride-hailing company Uber. They are working towards large-scale aerial ridesharing, which is set to launch in 2023. Another use case is for ‘last mile’ delivery solutions, where packages can be flown by an eVTOL from a warehouse to a residential destination. This technology is currently being tested by Amazon.
eVTOLs are cheaper and quieter compared to jet-propulsion or piston engine planes and are more environmentally friendly as they contribute no emissions within their area of operation, improving air quality.
Need for regulations and certification
For traditional passenger-carrying commercial aircraft, DO-178C (or ED-12C) are the primary documents by which certification authorities such as FAA, EASA and CAA approve aerospace software systems. Complying with DO-178C guidelines requires significant testing of software to ensure that the probability of software failure is extremely remote.
Some manufacturers have avoided conforming with the rigors of DO-178C certification by classifying their aircraft as ultralight vehicles as the FAA has a certification section for these. However, eVTOLs have developed significantly and need to be classified on their own and certified for revenue-generating operation. Some can’t fall under UAV regulation as they are designed to carry passengers, some will be heavier than the set allowable weight for ultralight vehicles, and some will be autonomous.
If this new mode of transportation is to be adopted, passenger safety as well as safety of people near the aerial vehicles area of operation needs to be addressed by appropriate certification. eVTOL technology is developing at a rapid rate and certification approaches are only catching up reactively. The major regulatory bodies have not yet developed the complete regulatory framework required for the increasingly ambitious eVTOL systems that are in development.
Can car software fly?
With the increased interest and development of eVTOL, companies experienced in the automotive sector often wonder if the same methodology used to develop automotive software can be used to develop aerospace software. Several analyses have shown that, while avionics software methodologies in guideline DO-178 and generated artefacts map well to, and satisfy, ISO 26262 requirements, this is not true in reverse. These analyses lead us to conclude that using automotive software methodologies in avionics development is not directly possible and would lead to issues later, during the certification stage.
A cursory evaluation may lead one to assume that these methodologies are replaceable and just applications in two different domains. Both ISO 26262 and DO-178C/ED-12C follow similar V-cycle development models, and both suggest similar software development and verification methodologies. However, there is a fundamental difference between the two which can be summarized in requirements traceability and certification of the final product. Avionics software standards are process-based compliance guidelines and are oriented towards demonstrating compliance in certification of one specific aircraft, which requires both downstream and upstream traceability from/to the high-level requirements, enabling certification of the complete process by an independent authority.
All functionality, software and its testing must be traced back to high-level requirements from the aircraft assigned to the software. On the other hand, automotive software development focuses on improving safety to acceptable levels for a given risk through demonstrating that recommended practices have been applied internally by the development teams as a self-check measure, or with compliance analysis of processes employed but with no need for independent certification.
Another common misconception is to equate software quality with certification compliance for software and to think that software of a high standard can be used without further consideration. ISO 26262 part 6, the standard for development of automotive software, has guided the improvements in software quality in modern cars but it has also led to extensive use of independent common software libraries. An average modern car contains over 100 million software lines of code. By contrast, a Boeing 787, a large modern aircraft, features only 6.5 million lines of code. Intrinsically verified and validated software does not exist in the avionics context independently of upstream system or downstream hardware considerations. All code must be traceable to a high-level system requirement allocated to this software component or, if not, must be removed.
The planning, documentation and traceability objectives for avionics software make it intractable to convert an existing piece of code to compliant code after the fact. As such, any safety-critical eVTOL flight software that will need to be certified would benefit from using DO-178C/ED-12C-compliant software development methodologies and software verification tools from the start to avoid major problems and surprises later.
The road to eVTOL certification
On 2 July 2019, EASA released the Special Condition for VTOL and Means of Compliance document (SC-VTOL-01), the first certification authority document listing regulations that must be met for eVTOLs to be classified as airworthy in a newly defined category separate from traditional aircraft. SC-VTOL-01 includes flight requirements (flying qualities, stability and control regulations), structural regulations and lift/thrust system regulations. It does not, however, include any guidance addressing certification of the avionics software used to operate eVTOLs.
VTOL-MOC SC-VTOL Issue 1, which was released on 25 May 2020, supplements the regulations in SC-VTOL-01 by providing the proposed acceptable means of compliance for VTOL systems. Within the document, requirement MOC VTOL.2510 Equipment, systems, and installations states that, in the context of AMC 20-115, DO-178C/ED-80C is an acceptable means of compliance for eVTOL systems. This means that, for safety-critical avionics software on eVTOL, safety should be demonsrated in a similar way to the way it is demonstrated in avionics for traditional aircraft. In contrary to expectations of a general alleviation in favor of alternate software development assurance processes, there is some alleviation only for some software items of IDAL-D contributing to minor failure conditions for eVTOL software.
How Rapita fits into the picture
Currently, the most rigorous certification standard in software development is DO-178C/ED-80C, which is used in the development and testing of safety-critical avionics software. DO-178 was developed by industry professionals with practicality and cost in mind for the aerospace manufacturers. It was designed to be flexible in that it can be applied to virtually any development model, and to make avionics software as reliable as can be reasonably explained. The acceptable way for eVTOL software to be certified is to develop to DO-178C.
As leaders in aerospace certification, Rapita have developed a flexible approach to proactively tackle the challenges of certifying unconventional aircraft. We are working with some of the biggest names in the eVTOL industry as a trusted partner assisting with verification and validation of software for DO-178 certification. We provide training for our tools and guidance throughout the certification process.
Find out more about Rapita’s aerospace software testing solutions or get a free trial of our tools.
