In today’s connected world, aviation keeps the world moving by ensuring the safe transport of people and goods. With the FAA Air Traffic Organization alone providing service to over 45,000 flights per day, we’ve come a long way since the Wright brothers’ first flight in 1903, and the numbers are only moving in one direction.
From the fasten seatbelt sign to the flight control unit, software can be found almost everywhere in avionics systems.
Failure of onboard safety-critical software could have far-reaching repercussions. To ensure the safety of passengers, crew, and aircraft, software applications for civil aviation must be rigorously tested within strict guidelines such as DO-178C and ED-12C to ensure that they operate correctly.
Verification requirements for civil avionics software
Software verification is crucial to demonstrate that safety-critical civil avionics software meets its functional and nonfunctional requirements. A range of activities support meeting verification requirements for civil avionics software, including the following.
Civil avionics software needs to be tested to verify that it functions correctly. To meet DO-178C objectives, tests should be based on high-level and low-level software requirements (DO-178C §6.4.a, 6.4.b, 6.4.c, 6.4.d).
Structural coverage analysis (code coverage analysis) for civil avionics software ensures that requirements-based testing has sufficiently tested the code structure. Structural coverage analysis is required to meet DO-178C objectives, with the coverage metrics required depending on the software DAL (DO-178C §6.4.4.a, 6.4.4.b, 6.4.4.b).
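The coverage metric DO-178C requires rises with the DAL (statement coverage at DAL C, decision coverage at DAL B, and modified condition/decision coverage, MC/DC, at DAL A). The following added example, which is not code from the original page or from RVS, shows on a constructed three-condition decision why a test set that satisfies decision coverage can still fall short of MC/DC, and brute-forces the smallest unique-cause MC/DC set.

```python
from itertools import combinations, product

# Constructed example decision with three conditions a, b, c (an assumption,
# not an expression taken from any real avionics requirement).
def decision(a, b, c):
    return a and (b or c)

def decision_coverage(dec, tests):
    """Decision coverage: the decision evaluates to both True and False."""
    return {bool(dec(*t)) for t in tests} == {True, False}

def mcdc_coverage(dec, tests, n_conditions):
    """Unique-cause MC/DC: for every condition i there is a pair of tests that
    differ only in condition i and drive the decision to different outcomes."""
    tests = [tuple(bool(x) for x in t) for t in tests]
    for i in range(n_conditions):
        shown = False
        for t1, t2 in combinations(tests, 2):
            differs_only_in_i = all(
                (t1[j] != t2[j]) == (j == i) for j in range(n_conditions)
            )
            if differs_only_in_i and dec(*t1) != dec(*t2):
                shown = True
                break
        if not shown:
            return False
    return True

def minimal_mcdc_set(dec, n_conditions):
    """Brute-force the smallest test set achieving MC/DC (fine for small n;
    the theoretical minimum is n + 1 tests, one pair per condition)."""
    vectors = list(product([False, True], repeat=n_conditions))
    for size in range(2, len(vectors) + 1):
        for subset in combinations(vectors, size):
            if mcdc_coverage(dec, subset, n_conditions):
                return list(subset)
    return None

if __name__ == "__main__":
    # Two tests toggle the outcome, so decision coverage is met...
    two_tests = [(True, True, False), (False, True, False)]
    print("decision coverage:", decision_coverage(decision, two_tests))
    # ...but b and c never independently change the outcome, so MC/DC is not.
    print("MC/DC:", mcdc_coverage(decision, two_tests, 3))
    print("minimal MC/DC set:", minimal_mcdc_set(decision, 3))
```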
Data coupling and control coupling coverage analysis for civil avionics software demonstrates that software data flows and control flows have been exercised during requirements-based testing. This analysis is required for DAL A-C DO-178C software (DO-178C §6.4.4.d). Unlike for other forms of structural coverage analysis, organizations use a variety of criteria to determine which couplings should be observed during testing.
Safety-critical civil avionics software must operate within timing deadlines. Timing analysis, including worst-case execution time analysis, is required to meet various DO-178C objectives (DO-178C §6.4.3.a, 6.3.4.f, 6.3.3.f).
Multicore processing for real-time software makes systems less deterministic, as program behavior can be influenced by interference from software running on other cores. The use of multicore processing for DO-178C projects requires following the multicore-specific guidance in A(M)C 20-193. The 10 additional objectives in this guidance bring extra requirements to understand multicore interference and its impact on the system, including the worst-case execution time of applications.
When developing software to DO-178C DAL A, it must be demonstrated that the correctness of any additional code introduced by the compiler has been verified (DO-178C §6.4.4.2.b). This objective is often interpreted incorrectly: object code coverage analysis alone is not typically enough to achieve it, because the correctness of the additional code itself must be verified. The objective is usually achieved by analyzing the patterns of additional code that the compiler may introduce, given the coding standard and compiler options used in the project, and verifying the correctness of this code through requirements-based testing.
“The qualification and deployment of a new tool takes effort, but the Rapita team have an excellent qualification solution and worked closely with us to produce an efficient deployment. The quality and ease-of-use of Rapita’s Qualification products and services is second to none and made the adoption of RVS simple and pain-free.”
Kyle Ford
Principal Software Engineer, TSO Certification Representative, Design Certification Engineering
Collins Aerospace