DO-278A
RTCA DO-278A / EUROCAE ED-109A is the main document used for the development of ground-based software systems that support aircraft operations. The document, titled “Guidelines for Communication, Navigation, Surveillance, and Air Traffic Management (CNS/ATM) Systems Software Integrity Assurance” is the primary document by which authorities such as the FAA and EASA approve software used in ground-based systems involved in aircraft operations.
Introduction to DO-278 & DO-278A
Design assurance guidance for aircraft software began with the release of DO-178 (ED-12) and later versions, DO-178A (ED-12A) and DO-178B (ED-12A). These documents provided the means by which software developed for use in civil aircraft operations were certified for use by the FAA and EASA.
DO-278 was originally developed as a supplement to DO-178B to cover additional factors relative throughout the design assurance process. That is, the two documents were used together for approval of ground-based software involved in aircraft operations.
DO-278A was released in December 2011. This document unified the guidance in DO-178C and DO-278 to yield a single document for design assurance of ground-based software involved in aircraft operations.
Collins Aerospace
How RapiCover was used for DAL A code coverage analysis for a complex flight control system.
Triumph Group
How Rapita's V&V services produced evidence for certification of actuation system software.
Cobham Aerospace
Rapita tools efficiently produced coverage evidence for DO-178C DAL C certification of an antenna control unit.
OHB Sweden
How Rapi Cover improved code coveage analysis for DO-178C attitude orbital control system.
Assurance Levels
DO-278 introduced (and DO-278A continued to use) the fundamental concept of the Assurance Level (AL), which defines the amount of rigor that should be applied by the integrity assurance process based on the contribution to CNS/ATM system failure conditions. The lower the AL, the more activities and objectives that must be performed and met as part of the integrity assurance process because of the more severe consequences should the software fail or malfunction.
AL |
Condition |
---|---|
1 |
Catastrophic |
2 |
Hazardous |
3 |
Major |
4 |
Minor |
5 |
- |
6 |
No safety effects |
Efficient verification through the DO-178C life cycle
DO-278A is almost identical to DO-178C, making this handbook a great starting point for understanding the DO-278A process and how to efficiently verify DO-278A software.
Tool qualification
As per DO-278A, you need to qualify any software tool you use that replaces or mitigates any DO-278A process and for which the output is not manually verified. The qualification process ensures that such software tools can be relied upon to produce appropriate and repeatable results.
DO-278A itself describes when a tool must be qualified, but does not go into detail on how this should be done. The DO-330: Software Tool Qualification Considerations supplement to DO-278A expands on this guidance by defining corresponding objectives for the specification, development and verification of qualified tools.
If you use any commercial verification tools to automate DO-278A verification processes and don’t plan on manually reviewing output from the tools, they will need to be qualified at the appropriate tool qualification level. Many commercial verification tools have supporting qualification kits, which include evidence needed to demonstrate that the activities the tool developer must perform have been performed. All qualification kits should include all of the evidence needed from the tool developer. Some qualification kits may also include supporting material to help meet tool user objectives.
How can Rapita help?
The Rapita Verification Suite (R VS) reduces the effort needed to verify DO-278A software by helping to satisfy specific DO-278A objectives.
R VS includes plugins that satisfy requirements-based functional testing, structural coverage analysis and worst-case execution time analysis and is supported by a qualification kit and service to provide DO-330 tool qualification evidence.
To see how R VS could help you, contact us or download a free trial today.
Our Verification and Validation Services help satisfy DO-178C objectives. We provide services covering the full DO-278A life cycle, supporting efficient Planning, Development, and Integral processes including software verification using R VS. Our engineering team have diverse experience working in civil and defense avionics development and verification worldwide.
To see how our V&V Services could help you, download our brochure or contact us.
Our systems engineering services, with our emphasis on quality and adherence to ARP4754A industry guidance, support the development of systems with well-designed hardware and software.
We support system integration and verification and validation of system requirements. Our automated V&V tools integrate with industry standard requirements management software to capture results while seamlessly maintaining traceability to requirements. Find out more about our systems engineering services.
Specific guidance for how DO-178C should be applied to multicore software is available in the A(M)C 20-193 guidance.
MACH 178 supports Planning, Development and Integral processes for multicore DO-178C projects, including by support multicore timing analysis, which is widely considered to be the most challenging element of A(M)C 20-193 compliance. To see how MACH 178 could help you, contact us.
Our support team is comprised of our Field Application Engineers (FAEs), who use R VS every day and regularly perform integrations involving a variety of compilers, languages, and platforms.
Our policy is to always provide our customers with the best level of support we can realistically achieve, and as such we resolve support issues as quickly and effectively as we can. We have a strong history of excellent support and regard this as an essential aspect of our business. For more information on our support service, see our Support web page.
We provide training in a range of expert topics, including: DO-178C compliance, Multicore certification and setting up automated test environments.
Our training is flexible; we offer both face-to-face and virtual training and offer custom training courses to meet your specific needs.
For more information on our training solutions, see our Training web page.
DO-178C handbook preview
Read the first chapter
The safety assessment processes used in all functional safety domains rely on demonstrating that the probability of system failure that could cause harm is below an acceptable threshold.
When a system is made up of mechanical and electronic components, for which the component failure rate is known, the probability of failure for the system can be calculated and achievement of the safety target can be demonstrated. For software, complex systems or electronic hardware, system failures can be caused by design errors (sometimes known as systematic failures) as well as component failures, but there is no agreed way of calculating the failure rate of these design errors. In the aerospace domain, the agreed approach for dealing with design errors is to implement design assurance processes that have specific activities to identify and eliminate design errors throughout the software development life cycle.
DO-178 was originally developed in the late 1970s to define a prescriptive set of design assurance processes for airborne software that focused on documentation and testing.
Design Assurance Levels (DALs)
DO-178B introduced (and DO-178C continued to use) the fundamental concept of the Design Assurance Level (DAL), which defines the amount of rigor that should be applied by the design assurance process based on the contribution to Aircraft Safety. The higher the DAL, the more activities and objectives that must be performed and met as part of the Design Assurance process because of the more severe consequences to the aircraft should the software fail or malfunction. Design Assurance Level A (DAL-A) is the highest level of design assurance that can be applied to airborne software and is applied when failure or malfunction of the software could contribute to a catastrophic failure of the aircraft. The activities and objectives that must be met through the Design Assurance process gradually decrease with each level alphabetically until DAL-E, which has no objectives as there is no consequence to aircraft safety should such software fail or malfunction.
Objectives and activities
The recommendations given in DO-178 fall into two types:
- Objectives, which are process requirements that should be met in order to demonstrate compliance to regulations
- Activities, which are tasks that provide the means of meeting objectives
In total, DO-178C includes 71 objectives, 43 of which are related to verification. The number of these objectives that must be met for compliance reduces as the Design Assurance Level of the system reduces.
Supplementary objectives and guidance
DO-178C introduced three technology supplements to provide an interpretation of the DO-178C activities and objectives in the context of using specific technologies. The three technologies are Model Based Development and Verification (DO-331), Object Oriented Technology and related technologies (DO-332), and Formal Methods (DO-333). Each supplement describes the technology, defines the scope of its use within airborne software, lists additional or alternative activities and objectives that must be met when the technology is used, and includes specific FAQs (Frequently Asked Questions) that clarify objectives and activities relating to the technology.
A further supplement was introduced in DO-178C, Software Tool Qualification Considerations (DO-330), which gives guidance on the qualification of tools used in software development and verification processes. This guidance can be applied to any tools, not just those used for software development or verification, for example systems design or hardware development tools, and acts more like a stand-alone guidance document than the other supplements mentioned.
Many other documents support DO-178C by providing additional clarification or explanations that can help developers to correctly interpret the guidance and implement appropriate design assurance processes. The Supporting Information (DO-248C) supplementary document includes FAQs relating to DO-178C, and the document is commonly referred to by the title Frequently Asked Questions. In addition to the FAQs in DO-248C, the document provides the rationale for the activities and objectives listed in DO-178C and includes discussion papers that provide clarification on specific topics related to software development and verification. A series of documents produced by the Certification Authorities Software Team (CAST) since the release of DO-178B provided information on specific topics of concern to certification authorities in order to harmonize approaches to compliance. These topics have had a greater scope than just Software concerns, and much of the content in CAST documents has been implemented in guidance updates such as DO-178C, or formed the basis of authority publications, such as A(M)C 20-193 to address the use of multicore processors in avionics and A(M)C 20-152A on the development of airborne electronics hardware. CAST has remained inactive since October 2016 and links to most previous CAST papers have been removed from the FAA’s website...........