Vous êtes sur la page 1sur 26


The new software standard for the avionic
industry: goals, changes and challenges

Aerospace Certication / Process Assurance & SPICE Assessor

Sven Nordhoff holds a diploma in Computer Science and has been working
for the SQS Market Unit Industrial Service & Solutions for twelve years. He
is primarily responsible for Aerospace Certication and Process Assurance,
which includes SW / HW monitoring of suppliers at Airbus Operations, Ger-
many. He also is a Principal ISO-15504/SPICE Assessor and teaches seminars
on process improvement, quality assurance and airworthiness standards. As
a member of the international working group EUROCAE/RTCA WG71/SC205,
he has been involved in the development of avionic standard DO-178C from
day one.
DO-178C/ED-12C Page 2

The standard DO-178C/ED-12C, Software Consid- The new standard DO-178C/ED-12C is divided into
erations in Airborne Systems and Equipment Cer- the core document, three supplements for the
tication, is the upcoming international standard technology-specic parts (Model-Based Develop-
jointly published by the RTCA and EUROCAE. This ment & Verication, Object-Oriented Technology
new standard will replace DO-178B/ED-12B to be and Formal Methods), and a special document con-
the primary document by which the aviation cer- sidering tool qualication. The key gures are iden-
tication authorities such as the Federal Aviation tied and put into the context of the DO-178C world
Administration (FAA, USA) and the European Avi- of thinking. The usage of this family of standards is
ation Safety Agency (EASA) approve all commer- explained and a possible workow is suggested for
cial software-based aerospace systems. DO-178B/ the introduction of the new standard.
ED-12B had been established in 1992 and it was
necessary to update this standard to clarify some DO-178C/ED-12C is now ofcially nalised the
inconsistencies and introduce some new meth- last plenary session was held in November 2011
odologies and technologies which have already in Daytona Beach, USA. All parts have been com-
been used in the current development and quality pleted and the nal step will be the formal ap-
departments in the avionic industry. In addition, proval of the RTCA (Radio Technical Commission
the new DO-178C/ED-12C has been established to for Aeronautics ) and EUROCAE (a non-prot or-
ensure the validity of this standard for the future, ganisation providing a European forum for resolv-
in view of the fact that the old B version has now ing technical problems with electronic equipment
been in use for over 20 years. for air transport). The aviation authorities have
been requested to determine whether DO-178C/
Essentially, this whitepaper summarises the fol- ED-12C and its supporting documents can be con-
lowing: sidered acceptable means for the certication of
The goal and the methodology of this software-based systems. Once they have been ap-
standard proved by the authorities, these documents will
The history and the activities which brought apply to the next aircraft programmes, to future
this standard to its current form redesign of equipment, or to new equipment for
The main facts about DO-178C/ED-12C existing aircraft or engines.
The differences between DO-178B/ED-12B and
DO-178C/ED-12C in general, and in particular The author of this whitepaper has been a member
regarding technological and methodological of the DO-178C/ED-12C working group from the
aspects very beginning and leads a group of DO-178B/C
The impact of this new standard on specialists within SQS. The gap analysis methods
development and quality departments presented below were established years ago for
all over the world DO-178B and have been complemented to accom-
A short methodology and workow how a modate the new requirements of DO-178C. Many
company can ensure compliance to this companies have dened or improved their DO-178
standard processes with the help of SQS.
A way to avoid stumbling blocks and
DO-178C/ED-12C Page 3


Building aircraft is a rather important and chal- sides companies from Canada and Brazil, which
lenging task, which requires a great amount of have already joined the market, new companies
expert knowledge and companies with an enor from China and Russia are now starting to build
mous potential in terms of nancial resources and large commercial airplanes.
strategic power. In recent years, the market for
large commercial airplanes has been dominated The number of aircraft departures and ight
by two major global players: Boeing and Airbus. hours has increased considerably over the last
In the future, more companies will enter this mar- decades, and the number of aircraft is growing,
ket, mainly encouraged to do so through political too (see Figure 1). (')
and nancial support by their governments. Be-

Flight hours
Annual departures and ight hours

40 Departures






Year 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10

Worldwide Fleet
20 Boeing Fleet
Number of airplanes


Source: Jet Information Services, Inc.
Year 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10

Figure 1: Annual aircraft departures, ight hours and the number of airplanes in the world
DO-178C/ED-12C Page 4

The future starts right here, with an explosion The increasing usage of commercial aircraft and
of aircraft orders: 797 orders for Boeing 787 the increasing complexity of the aircraft systems
(Dreamliner), and 1,055 orders for Airbus A320 including software do not lead to a higher number
Neo. (() These
software- of accidents and fatalities.
based embedded systems, which increases the
necessity of quality assurance activities dramatically. It seems that the introduction of process-related
Other companies from the new strong econ- standards (not only for software), their consistent
omies will enter the market as soon as possible application within the industry, and the rigorous
to get a share of the large cake of selling com- approval of software systems by the airworthi-
mercial aircraft, but in order to be successful ness authorities are reducing the number of fail-
they need to consider the tremendous amount ures caused by these highly integrated and com-
of quality measures which the aircraft author- plex systems. Apart from the strict introduction
ities require. of quality-based components and greater experi-
ence with the structural behaviour of materials,
If we look at the fatal accident rate of aircraft in the application of these process-related stand-
the recent past, it can be observed that it is de- ards is the main success factor. There is no trend
creasing. Figure 2 shows the annual fatal accident to decrease the level of regulation. The introduc-
rate. (') tion of the new standard DO-178C/ED-12C will not
weaken the qualication activities but rather
boost the enforcement of quality.

Annual fatal accident rate (accidents per million departures)

Rest of the World

1991 through 2010
US & Canadian Operators 2.0



30 0.5

Year 91 92 94 96 98 00 02 04 06 08 10



Year 59 60 62 64 66 68 70 72 74 76 78 80 82 84 86 88 90 92 94 96 98 00 02 04 06 08 10

Figure 2: Annual fatal accident rates for aircraft worldwide 2010 Statistical Summary, June 2011
DO-178C/ED-12C Page 5


Standard DO-178B was established in 1992 as a Both DO-178B and its successor DO-178C concen-
successor of DO-178A (1985) and DO-178 (1980). trate on the following topics:
The previous versions were often inconsistent in Focus on software by identifying interfaces
their wording and stood in the way of achieving only in terms of system and hardware aspects
the required goals. DO-178B offers a clear frame- Denition of criticality levels for software (SW
work and methodology highly accepted by au- level), derived from the associated Failure
thorities, aircraft manufacturers and the supplier Condition
industry alike. Denition of software life cycle processes
and identication of quality criteria for each
This success was achieved by eliminating the fol- process, based on the specic SW level
lowing aspects: Denition of required documents for each SW
Product-specic requirements level, identifying an overall content structure
Programming language and development Focus on objectives, SW level applicability, and
method-specic features required outputs to ensure quality goals


ARP 4761

Intended Function,
Aircraft Failure & Safety
Function Information


ARP 4754/A System

Allocated Functions
& Requirements


Figure 3: Avionic standards for development purposes

DO-178C/ED-12C Page 6



A Catastrophic Failure conditions that would result in multiple fatalities, usually with the loss
of the airplane.
B Hazardous Failure conditions that would reduce the capability of the airplane or the abil-
ity of the flight crew to cope with adverse operating conditions to the extent
that there would be:
a large reduction in safety margins or functional capabilities;
physical distress or excessive workload such that the flight crew cannot be
relied upon to perform their tasks accurately or completely; or
serious or fatal injuries to a relatively small number of persons other than
the flight crew.
C Major Failure conditions which would reduce the capability of the airplane or the
ability of the crew to cope with adverse operating conditions to the extent
that there would be, for example, a significant reduction in safety margins
or functional capabilities, a significant increase in crew workload or in condi-
tions impairing crew efficiency, or discomfort to the flight crew, or physical
distress to passengers or cabin crew, possibly including injuries.
D Minor Failure conditions which would not significantly reduce airplane safety, and
which involve crew actions that are well within their capabilities. Minor failure
conditions may include, for example, a slight reduction in safety margins or
functional capabilities, a slight increase in crew workload, such as routine
flight plan changes, or some physical discomfort to passengers or cabin crew.
E No Effect Failure conditions that would have no effect on safety; for example, failure
conditions that would not affect the operational capability of the airplane or
increase crew workload.

Figure 4: Failure condition categorisation

DO-178B/C belong to a family of similar stand- All these standards are based on a clear philosophy:
ards which were established for the avionic indus- To implement only the intended functionality
try for guidance: (and nothing else)
To ensure safety processes and safety To be safety-driven, which means that for
assessment (ARP 4761) safety-critical application the processes are
To ensure quality for complex systems more rigorous
(ARP 4754A) To implement a V-model approach for every
To ensure quality for complex electronic development cycle (SW, HW and systems),
hardware (DO-254) whose components are dependent on each
To ensure quality for software systems other and have clear interfaces
(DO-178B and C)

Figure 3 shows an overview of all standards which

focus on development processes and quality cri-
teria for the avionic industry.
DO-178C/ED-12C Page 7

All these standards share a major goal: the Therefore, the quality criteria for safety-critical SW
concentration on development processes and application within an aircraft, e.g. Flight Controls,
quality aspects specic to the required safety are more rigorous than for uncritical software sys-
level. tems like In-Flight Entertainment Systems.

This concept, on the one hand, ensures that All these standards are based on a categorisation
necessary activities for safety-critical applica- which denes failure conditions as shown in Fig-
tion are clearly specied and measures are de- ure 4 (see DO-178C, 2.3.2, Table 2-1, p. 13). The
ned to safeguard adequate implementation; DO-178C SW standard uses this kind of classi-
on the other hand, for systems which are only cation to dene the objectives to be considered.
used for the comfort of the passenger, process- These quality objectives are requirements which
es are less stringent. need to be proven to demonstrate compliance to


A Catastrophic 71 (66) 30 (25)
B Hazardous 69 (65) 18 (14)
C Major 62 (57) 5 (2)
D Minor 26 (28) 2 (2)
E No Effect 0 (0) 0 (0)

Figure 5: Number of objectives for failure conditions

SW Planning Process Integral Processes:

denes SW Verication Process
SW Conguration Management
SW Quality Assurance
Certication Liaison



Problem Reporting

Requirements Design Coding Integration
Process Process Process Process

Derived High-Level Requirements Derived Low-Level Requirements

To System Safety Assessment Process for Evaluation

Figure 6: DO-178B/C concept regarding SW life cycle and processes

DO-178C/ED-12C Page 8

The number of quality objectives related to the There is no secret behind this concept nor are the
SW level is identied in Figure 5 to show that the chosen processes specic to the avionic industry.
number of objectives is increasing the higher the However, if we are looking into the details, some
safety level is. Quality objectives need to be ad- of the principles are remarkable:
dressed for the corresponding SW level in con- The usage of high-level requirements (in SW
junction with the level of independence, meaning requirements processes) and low-level require-
that at least one other person has to check the ments (in SW design processes), which have to
adequacy of this activity. The numbers in brackets be tested (veried) adequately.
refer to DO-178B. The concept of derived requirements (without
traceability to the high-level requirements)
No objective (DAL E) does not automatically which need to be analysed within the system
mean that nothing is to be done. For example, safety activities to preclude that these require-
Airbus Directives (ABD) require industry-conform ments contradict the needs based on the
SW engineering practices for SW level E. safety classication.
The usage of a SW Planning Process and Cer-
As mentioned before, the avionic standards main- tication Process to establish an agreement
ly deal with the development life cycle and pro- with the authorities (e.g. EASA, FAA).
cesses. Therefore, DO-178C clearly denes an SW
life cycle and processes which need to be followed.


The old B version of DO-178 merely focuses on For the new version of the standard, the follow-
dening life cycle processes and quality object- ing topics were of special interest due to the fact
ives to check the adequacy of these activities. that many development departments within the
Several supporting papers were generated over avionic industry are inuenced by or want to use
the years to clarify some aspects which were not these technologies and related tools:
specied clearly in DO-178B. These supporting pa- Model-Based Development & Verication
pers were: Object-Oriented Languages
Final Report for Clarication of Commercial Off-The-Shelf Software (COTS)
DO-178B/ED-12B ()) Formal Methods
Certication Authorities Software Team
papers (*)
JAA/EASA Certication Review Items All these aspects were drivers to start the DO-
(CRI, EASA, AIRBUS) 178C development. In March 2005, the rst meet-
Some FFA papers (issue papers, AC, AR, ing was held in Washington DC, USA, with partici-
notices, OOTiA, research reports, etc.) pants from EUROCAE Working Group 71 and RTCA
EASA Memorandum for Software Aspects Special Committee 205.
of Certication (+)
DO-178C/ED-12C Page 9

The new DO-178C/ED-12C family is structured as follows:

Tool Qualication Considerations

DO-xxx/ED-218 Model-Based
Development and Verication Supplement
Core Document
Object-Oriented Methods Supplement

Formal Methods Supplement

DO-248C/ED-94C Guideline for Communication, Navigation, Sur-
Supporting Information for ED-12C and ED-109A veillance, and Air Trafc Management (CN8/
ATM) Systems Software Integrity Assurance

Figure 7: Main structure of the DO-178C family

The DO-178C core document is the successor of Table A-7 Verication of Outputs of Soft-
DO-178B with the same structure and a similar ware Testing: Objectives 5, 6, and 7 ensure
approach. The main objective for this document that test cases written for requirements
was to be explore the source code with the degree of
only guidance material (with clear rules and rigor required by the software level. For level
objectives) and C, it was deemed satisfactory to demonstrate
technology- and methodology-independent. that all statements in the source code were
explored by the set of test cases. For level
B, the addition of the requirement that all
The structure of the core document is very similar decision paths in the source are covered was
to DO-178B, but the following aspects are either considered sufcient to address the increase
new or have been changed: in the associated hazard category. However,
Establishment of Rationales for every object- for level A, the committee established that all
ive of DO-178C/ED-12C. These rationales are logic expressions in the source code should be
listed in the DO-248C document. For example, explored. The use of techniques such as multi-
the rationales for the objectives concerning ple condition decision coverage, or exhaustive
structural Code Coverage are: truth table evaluation to fully explore all of
DO-178C/ED-12C Page 10

the logic was considered impractical [] The DO-248/ED-94C is a guideline document contain-
compromise was achieved based on hardware ing additional supporting and explanatory mater-
logic testing that concentrated on showing ial, including:
that each term in a Boolean expression can be Frequently Asked Questions (FAQs)
shown to affect the result. The term for this Discussion Papers
type of coverage was Modied Condition/ The DO-178C/ED-12C Rationales
Decision Coverage (MC/DC). Correlation between DO-178C/ED-12C,
Robustness aspects improved DO-278A/ED-109A and DO-248C/ED-94
User-modiable SW aspects improved Difference between DO-178C/ED-12C and
Testing vs. Data and Control Coupling DO-178B/ED-12B
Guidance to auto-code generator added
Untraceable code added DO-278A/ED-109A is the guidance document for
Parameter Data Item consideration added CNS/ATM systems (Software Integrity Assurance
Considerations For Communication, Navigation,
Surveillance and Air Trafc Management Sys-
But the main improvement within the new DO- tems). Its structure is very similar to that of DO-
178C/ED-12C is the establishment of so-called 178C, showing the same approach but with an em-
Supplements providing technology- and method- phasis on Commercial Off-The-Shelf SW (COTS).
specic material which required a more detailed
and restrictive mapping with regard to DO-178C/ The following sections give a short overview of
ED-12C. the core document and its supplements. The de-
tails of DO-248/ED-94C and DO-278A/ED-109A
The following supplements were generated. shall not be considered in this whitepaper.
Software Tool Qualication Considerations
Model-Based Development & Verication DO-178C/ED-12C CORE DOCUMENT
Supplement (DO-xxx/ED-218)
Object-Oriented Technology Supplement The main content of the DO-178C/ED-12C core
(DO-xxx/ED-217) document is the denition of SW life cycle pro-
Formal Methods Supplement (DO-xxx/ED-216) cesses and related activities. Among these activi-
ties, the following are the most important:
Planning Process
The RTCA has not yet assigned DO numbers to Establishment of SW Plans
these supplements. Strictly speaking, the Soft- Denition of the SW Life Cycle Environment
ware Tool Qualication Considerations document Language and Compiler Considerations
is not just a supplement, because its use is also Establishment of SW Standards
intended for other industry domains. For the pur- Review and Assurance of the SW Planning
pose of the present whitepaper, however, it shall Process
be treated as a supplement. Requirements Process
Development of High-Level Requirements
Development of Derived High-Level
DO-178C/ED-12C Page 11

Design Process Software Life Cycle Environment Control

Development of SW Architecture Quality Assurance Process
Development of Low-Level Requirements Quality Assurance Activities
Development of Derived Low-Level Software Conformity Review
Requirements Certication Liaison Process
Considerations for User-Modiable Software Means of Compliance and Planning
and Deactivated Code Compliance Substantiation
Coding Process
Development of Source Code
Integration Process For every software, level-specic life cycle docu-
Executable Object Code is Loaded into ments are needed. In 11.0, detailed requirements
Target Hardware for HW/SW Integration including naming and structure are listed. Figure
Verication Process 8 describes the names, objectives and related
Reviews and Analyses of High-Level control categories of the documents which indi-
Requirements cate the rigour of the conguration- and change
Reviews and Analyses of Low-Level management.
Reviews and Analyses of Software Architecture Additional Considerations ( 12.0) deal with
Reviews and Analyses of Source Code objectives and/or activities which may replace,
Reviews and Analyses of the Outputs of modify, or add objectives and/or activities dened
the Integration Process in the rest of DO-178C/ED-12C:
Hardware/Software Integration Testing Use of Previously Developed Software
Software Integration Testing Tool Qualication
Low-Level Testing Alternative Methods
Requirements-Based Test Coverage Analysis Exhaustive Input Testing
Structural Coverage Analysis Multiple-Version Dissimilar Software
Reviews and Analyses of Test Cases, Verication
Procedures and Results Software Reliability Models
Software Development Process Traceability Product Service History
Software Verication Process Traceability
Verication of Parameter Data Items
Conguration Management Process The most important section in DO-178C/ED-12C
Conguration Identication is Annex A (Process Objectives and Outputs by
Baselines and Traceability Software Level), where the following aspects are
Problem Reporting, Tracking and dened for every process group:
Corrective Action Objectives
Change Control Applicability by SW Level
Change Review Output Documents
Conguration Status Accounting Control Category
Archive, Retrieval and Release Independence
Data Control Categories
Software Load Control
DO-178C/ED-12C Page 12


PSAC Plan for Software Aspects of Plan to describe the means of compli- 11.1 1 1 1 1 N/A
Certification ance for certification-relevant aspects
SDP SW Development Plan Plan to describe the development 11.2 1 1 2 2 N/A
process and standards
SVP SW Verification Plan Plan to describe all verification activities 11.3 1 1 2 2 N/A

SCMP SW Configuration Management Plan to describe the configuration 11.4 1 1 2 2 N/A

Plan management processes
SQAP SW Quality Assurance Plan Plan to describe the quality assurance 11.5 1 1 2 2 N/A
SRS SW Requirements Standards Standard for high-level requirements 11.6 1 1 2 N/A N/A
SDS SW Design Standards Standard for SW architecture and 11.7 1 1 2 N/A N/A
low-level requirements definition
SCS SW Coding Standards Standard for coding 11.8 1 1 2 N/A N/A

SRD SW Requirements Document High-level requirements 11.9 1 1 1 1 N/A

SDD SW Design Description SW architecture and low-level 11.10 1 1 2 2 N/A

SRC Source Code Coding 11.11 1 1 1 1 N/A

EXE Executable Object Code Executable file 11.12 1 1 1 1 N/A

SVCP SW Verification Cases and Document to identify verification, 11.13 1 1 2 2 N/A

Procedures test cases and procedures
SVR SW Verification Results Document to identify all verification 11.14 2 2 2 2 N/A
and test results
PR Problem Reports List of all deviations 11.17 2 2 2 2 N/A

SCMR SW Configuration Management Evidence about configuration 11.18 2 2 2 2 N/A

Record management
SQAR SW Quality Assurance Record Evidence about quality assurance 11.19 2 2 2 2 N/A

SECI SW Environment Life Cycle Environment definition and 11.15 1 1 1 2 N/A

Index configuration control
SAS SW Accomplishment Summary Document to show compliance 11.20 1 1 1 1 N/A
substantiation to the authorities
SCI SW Configuration Index Document to clearly identify the SW 11.16 1 1 1 1 N/A
and documentation configuration

Control Category 1 includes all Configuration Control Category 2 includes only a subset
Management Activities defined by DO-178C. of Configuration Management Activities.

Figure 8: Life cycle documents and control category

DO-178C/ED-12C Page 13



A-1 Software Planning Process 7

A-2 Software Development Process 7

A-3 Verification of Outputs of Software Requirements Process 7

A-4 Verification of Outputs of Software Design Process 13

A-5 Verification of Outputs of Software Coding & Integration Processes 9

A-6 Testing of Outputs of Integration Process 5

A-7 Verification of Outputs of Software Testing 9

A-8 Software Configuration Management Process 6

A-9 Software Quality Assurance Process 5

A-10 Certification Liaison Process 3

Figure 9: List of DO-178C/ED-12C process tables with objectives




1 Test procedures are correct. Software

2 2 2
Verification Results

2 Test results are correct and Software

2 2 2
discrepancies explained. Verification Results

3 Test coverage of high-level requirements Software

2 2 2 2
is achieved. Verification Results

4 Test coverage of low-level requirements Software

2 2 2
is achieved. Verification Results

5 Test coverage of software structure (modified Software

condition/decision coverage) is achieved. Verification Results

6 Test coverage of software structure Software

2 2
(decision coverage) is achieved. Verification Results

7 Test coverage of software structure Software

2 2 2
(statement coverage) is achieved. Verification Results

8 Test coverage of software structure (data Software

2 2 2
coupling and control coupling) is achieved. Verification Results

9 Verification of additional code, that cannot Software

be traced to source code, is achieved. Verification Results

Figure 10: DO-178C/ED-12C test process table with objectives

DO-178C/ED-12C Page 14

Figure 9 shows the different process groups and Software tools are widely used to assist in devel-
their corresponding number of objectives; and, as oping, transforming, testing, analysing, produc-
an example, taken from this list, Figure 10 shows ing, and modifying aircraft-based software pro-
Table A-7 Verication of Outputs of Software grammes, their data, or their documentation. And
Testing. in this context, tools that are used to eliminate,
reduce, or automate a specic DO-178C/ED-12C
5.2 SOFTWARE TOOL QUALIFICATION software life cycle process without verication of
CONSIDERATIONS the tool output, need particular qualication.

The purpose of this document is to provide soft- There are ve Tool Qualication Levels (TQLs),
ware tool qualication guidance to help the tool which are used similarly to the SW level in the
vendor and/or user dene the required activities. DO-178C/ED-12C core document. The kind of tool
Additional information is provided in the form of is dened by using three criteria to clarify the
FAQs. amount of qualication activities to be conducted
for a particular tool:


1 A tool whose output is part of the airborne software and thus Development Tool
could insert an error.

2 A tool that automates verification process(es) and thus Verification Tool

could fail to detect an error, and whose output is used to to verify the output of a veri-
justify the elimination or reduction of fication or development tool
1. Verification process(es) other than those automated by
the tool, or
2. Development process(es) that could have an impact on
the airborne software.

3 A tool that, within the scope of its intended use, could fail Verification Tool
to detect an error.

Figure 11: Tool criteria denition


1 2 3





Figure 12: Tool Qualication Levels (TQLs) and related SW level

DO-178C/ED-12C Page 15

Accordingly, the rigour of tool qualication can be The structure of this supplement is very similar to
dened by the criteria and the SW level of the op- the DO-178C/ED-12C core document. The supple-
erational SW for which the tool will be used. ment adds model-based development aspects to
DO-178C/ED-12C and expands chapters affected
The structure of this document is very similar by MBD&V. Chapters of DO-178C/ED-12C which are
to the DO-178C/ED-12C core document. All tool- not affected by MBD&V remain unchanged. From
relevant processes are dened and objectives and a DO-178C point of view, these models represent
activities are listed depending on the Tool Quali- software requirements and/or architecture to
cation Level (TQL). A generic tool development support the software development and verica-
process is established. Moreover, the Objective tion processes.
Tables known from the DO-178C/ED-12C core docu-
ment are established for each process, though For every model, requirements need to be iden-
here they are used for the related tool processes. tied from which the model is developed. Those
requirements should be external to the model and
A rather interesting point is the differentiation be- be a complete set of requirements and set of con-
tween the tool developer and the tool user when straints (see MBD&V Supplement, MB.1.6.1, p. 2).
a COTS tool is used. Both parties need to conduct The supplement deals with two types of models:
their own qualication activities. The task of the Specication Models containing high-level
tool user is limited to planning and integration requirements
activities regarding the operational environment, Design Models containing architecture and
while the tool developer needs to achieve com- low-level requirements
plete compliance to DO-178C/ED-12C. This gener-
ates a degree of effort at TQL1 which is similar to
SW level A activities. Figures 13 and 14 demonstrate the different
usages of models (Light green) within the con-
5.3 MODEL-BASED DEVELOPMENT & text of DO-178C/ED-12C processes (see MBD&V
VERIFICATION SUPPLEMENT Supplement, Table MB.1-1, p. 4).

This supplement deals with Model-Based Devel- The following aspects described in the MBD&V
opment & Verication (MBD&V) and was written Supplement should be highlighted:
to add, modify, and substitute the objectives de- In the Planning Phase and in the planning
ned in DO-178C/ED-12C. documentation, the usage of models needs
Essentially, the models are used to be explained and the model needs to be
To develop an unambiguous expression categorised as a specication or design model.
of requirements and architecture; All MBD&V methods used need to be identied
To assist in automated code generation; during the planning phase, including verica-
To assist in automated test generation; tion methods like model coverage analysis
As analysis tools for the verication of criteria.
requirements and architecture; and SW Model Standards are required.
In simulations for the partial verication of Simulation can be used in design models to
requirements, architecture, and/or an execut- support testing and analysis methods. The
able object code. usage of simulation in a model may produce
DO-178C/ED-12C Page 16

simulation cases, procedures, and results expressed by the design model were not
which need to be veried (MB.C-3 objectives exercised, through verication based on the
MB8MB10: Requirements; MB.C-4 objectives requirements from which the model was
MB14MB16: Design; and MB.C-7 objectives developed.
MB10MB12: Verication). Usage of Model Simulation for
Model Coverage Analysis supports the detec- Verication of the model, and
tion of unintended functions in the design Verication of the executable object code.
model by determining which requirements



System Require- Requirements Requirements Requirements Requirements Requirements

ments and allocated to SW from which the from which the from which the from which the
System Design model is devel- model is devel- model is devel- model is devel-
Process oped oped oped oped

Design Model

SW Require- Requirements Specification Specification Design Model

ments and SW from which the Model Model
Design Process model is devel-

Design Model Design Model Textual


Software Coding Source Code Source Code Source Code Source Code Source Code

Figure 13: Examples of usage of specication and design models

TYPICAL COMPLETION CRITERIA Satisfy by verication cases Satisfy by verication cases

and justications based on and justications based on
requirements from which the requirements contained in the
COVERAGE OF design model was developed design model

All characteristics of the functionality Recommended

All the transitions of state machines Recommended

All the decisions for logic equations Recommended

All equivalence classes and boundary/ Recommended Alternatively

singular values for numeric data

All derived requirements (not traceable Recommended

to higher-level requirements)

Figure 14: Model coverage criteria to identify unintended functionality

DO-178C/ED-12C Page 17

Clarication of the model coverage criteria is language background. This became necessary be-
of crucial importance to identifying unintended cause the terminology of the different OOT and
functions. Figure 14 shows some examples of cri- programming language approaches usually is
teria which are recommended by the supplement quite different, which regularly results in Baby-
(see MBD&V Supplement, Table MB.6-1, p. 32). lonian situations.

The last chapter of the supplement gives some The next chapters of the OOT Supplement are
examples clarifying the usage of the supplement structured similarly to the DO-178C/ED-12C core
with regard to the relationship between a design document, expanded by adding, modifying, or de-
model or specication model and DO-178C high- leting DO-178C/ED-12C objectives relating to OOT.
level requirements, low-level requirements, and
software architecture. The following aspects of the OOT Supplement
should be highlighted:
5.4 OBJECT-ORIENTED TECHNOLOGY In the Planning Phase and in the planning
SUPPLEMENT documentation, the usage of OOT is to be ex-
plained. All virtualisation techniques used and
Object-Oriented Technologies (OOT) and pro- any reuse of components need to be identi-
gramming languages like Java and C++ have ed during the planning phase, including all
been widely used for decades in the commercial/ verication methods employed to achieve the
industrial sectors where safety is not critical. In objectives of DO-178C/ED-12C and its supple-
the avionic industry, the usage of OOT is increas- ments.
ing but the issues with regard to certication The scope of Verication activities must be
did pose a serious problem because no proper widened to verify, e.g., the class hierarchy,
guidelines were available to clarify usage and local type consistency, memory and exception
certication. For example, for SW level A, B and management.
C software, code coverage measures need to be
taken (DO-178C/ED-12C is talking about Structural
Coverage, SW Level A -> MC/DC Coverage, SW The Annex OO.D Vulnerability Analysis deals
Level B -> Decision Coverage, SW Level C -> State- with all the features of OOT, discussing the spe-
ment Coverage). This DO-178C/ED-12C objective cic vulnerabilities and related guidance. In addi-
is very clear for the classical functional program- tion, supporting information (guidelines) is listed
ming languages like C, but for object-oriented in this chapter to help identify possible solutions
languages, e.g. with encapsulation, polymorphism and clarify the advantages and disadvantages of
and overloading, the meaning of Code Coverage the various methods.
is quite different.
Figure 15 shows some examples of possible solu-
The supplement Object-Oriented Technology tions suggested by the supplement to cope with
and Related Techniques (OOT) starts with Chap- OOT-specic problems.
ter OO.1.0 outlining the characteristics of these
techniques. The supplement was written to be
programming-language independent, using den-
itions which are understood without any specic
DO-178C/ED-12C Page 18


Dynamic Memory Management Object pooling

Stack allocation

Scope allocation

Manual heap allocation

Automatic heap allocation

Structural Coverage An acceptable means for demonstrating type consistency is by showing the
software satisfies the Liskov Substitution Principle (LSP) (see ED-217,
OO., Liskov Substitution Principle, p. 4). This may be shown through test
or formal methods.

1. Execute the requirements-based tests to capture the data for

structural coverage analysis.

2. If type consistency is shown, then evaluate at least one instance of

one of the classes that can occur at each call point.

3. If the type consistency cannot be satisfied, then evaluate at least one

instance of each class that can occur at each call point (pessimistic).

4. Perform structural coverage analysis for the appropriate level, include

data and control flow analysis.

5. Consider all inherited as well as explicit methods for each class.

Figure 15: OOT issues and proposed solutions

5.5 FORMAL METHODS SUPPLEMENT The following characteristics are associated with
formal methods:
The Formal Methods Supplement deals with Unambiguously describing requirements of
formal methods to be used for avionic projects. software systems
Formal methods are mathematically based tech- Enabling precise communication between
niques for the engineers
Specication, Providing verication evidence such as con-
Development, and sistency and accuracy of a formally specied
Verication representation of software
of software aspects of digital systems (see ED-216, Providing verication evidence of the compli-
FM1.0, p. 1). The mathematical basis of formal ance of one formally specied representation
methods consists of formal logic, discrete math- with another
ematics, and computer-readable languages. The
use of formal methods is motivated by the expect-
ation that performing appropriate mathematical Section FM.1.0 contains explanatory text to aid
analyses can contribute to establish the correct- the reader in understanding formal methods, and
ness and robustness of a design. therefore is not to be taken as guidance.
DO-178C/ED-12C Page 19

Annex FM.A of this document describes how the All assumptions related to each formal analysis
DO-178C/ED-12C objectives are revised in line with should be described and justied; such as, for
this formal methods guidance. example, assumptions associated with the
target computer or about the data range limits.
Establishing a formal model of the software arte- Reviews and analyses of the formal analysis
fact is fundamental to all formal methods. In cases, procedures, and results for require-
general, a model is an abstract representation ments, architecture, and source code are
of a given set of aspects of the software that is necessary.
used for analysis, simulation, and/or code gen-
eration. A model should have an unambiguous,
mathematically dened syntax and semantics. For the verication of SW requirements/SW de-
This makes it possible to use automated means sign, the following additional objectives are de-
to obtain guarantees that the model has certain ned:
specied properties. Formal analysis cases and procedures are
correct (FM8, FM14).
The chapters of the FM Supplement are struc- Formal analysis results are correct and
tured similarly to the DO-178C/ED-12C core docu- discrepancies explained (FM9, FM15).
ment, and expanded by adding, modifying, or Requirements formalisation is correct
deleting DO-178C/ED-12C objectives relating to (FM10, FM16).
FM. Chapters of DO-178C/ED-12C which are not af- The formal method is correctly dened,
fected by formal methods remain unchanged. justied, and appropriate (FM11, FM17).
The following aspects of the FM Supplement
should be highlighted:
In the planning phase and in the planning For the verication of SW testing, the following
documentation, the usage of FM must be additional objectives are dened:
explained. Coverage of high-level requirements is
Requirements or design artefacts can be achieved (FM3).
dened with the help of formal models. This Coverage of low-level requirements is achieved
allows for some of the verication objectives (FM4).
to be satised by the use of formal analysis. Complete coverage of each requirement
With formal analysis, the correctness of life is achieved (FM5).
cycle data with respect to a formal model can The set of requirements is complete (FM6).
be proved or disproved. Unintended dataow relationships
If formal methods are used for verication are detected (FM7).
purposes, the following considerations are Dead code and deactivated code are
important: detected (FM8).
All notations used for formal analysis should
be veried to have a precise, unambiguous,
mathematically dened syntax and semantics.
The soundness of each formal analysis
method should be justied. A sound method
never asserts that a property is true when it
may not be true.
DO-178C/ED-12C Page 20


In this chapter, a method is described how to If your SW processes are driven by embedded and
reach compliance to DO-178C and to check the ne- safety-critical application development, like IEC
cessity of applying the DO-178C supplements. This 62304 (medical) or IEC 61508 (safety-critical in-
so-called SQS gap analysis starts with the identi- dustry), the steps toward DO-178B and C are not
cation of the current maturity level of a project too big (Maturity Level 2). But some methodology
with regard to DO-178C, and the way to achieve changes may be necessary, which would result in
nal compliance to this standard. Depending on medium investments. For example, the so-called
the given maturity level, the time required to low-level requirements needed for DO-178C com-
reach compliance will be shorter or longer. If the pliance are not required by other standards like
maturity level is low, it is advisable to introduce an IEC 62304. Therefore, the requirements struc-
expert to the project so that improvement can be ture and the test approach need only be adjusted
started with guided support. slightly.

The following maturity levels can be identied: If, on the other hand, you are using industry-re-
Maturity Level 3 lated processes with only black-box testing and
DO-178B processes were successfully intro- without clear requirements management and
duced before. quality assurance activities (Maturity Level 1),
Maturity Level 2 quite a number of aspects have to be introduced
Safety-related process-driven SW development to be compliant to DO-178B/C. The analysis needs
was introduced, but DO-178B has not been to start with the identication of all the processes
introduced. used. Then the missing processes must be inte-
Maturity Level 1 grated into the existing process landscape. The
Process-driven SW development was intro- nal step is compliance to all DO-178C objectives,
duced, but DO-178B or safety-critical develop- which results in more activities or a more strin-
ment has not been introduced. gent application of existing activities within the
Maturity Level 0 different processes.
No SW processes established to date.
If a company starts from scratch, without having
either a SW process structure or experience with
Maturity Levels 3 and 2 are good starting points the safety-critical development of software, the
to achieve compliance to DO-178C/ED-12C in the management need to be aware of the fact that
short term. a lot of time, a huge amount of investments, and
With Maturity Level 3, the earlier usage of the attendance of DO-178C experts will be neces-
DO-178B-compliant processes only requires a min- sary to reach the aim. With the right spirit though,
imal amount of gap analysis in order to identify it is not impossible.
the differences between DO-178B and C (see the
previous chapter for details). No new processes or The best way to ensure compliance is using a gap
changes in methodologies need to be addressed, analysis with the help of technical and DO-178-re-
which results in manageable efforts. lated expertise and employing a sound strategy to
DO-178C/ED-12C Page 21

identify required process steps and major incon- The process workow in Figure 16 provides a
sistencies. It is necessary to establish a common short overview of which activities are necessary
process framework with a set of standardised to ensure compliance to DO-178C/ED-12C object-
templates for all related DO-178B/C SW plans and ives.
In general, this workow should ensure compli-
The fullment of DO-178C/ED-12C-related pro- ance to the DO-178C/ED-12C core document.
cesses can be achieved manually, but it will be
easier to build up a set of tools to support the de- As the supplements extend the guidance from
velopment, verication and test activities. Before DO-178C/ED-12C for a specic technology, the
a tool is acquired, it is necessary to check whether gap analysis should rst consider all of the
the tool (and the vendor) is compliant to the rules standards objectives, and then the supplements
of DO-178C/ED-12C. With most of the activities, objectives. After that, any additional considera-
the user has to ensure the tool qualication tions may follow.
the vendor can support the activities but cannot
solve all the problems alone.


Evaluation / Assessment Maturity Level 0 / 1 / 2 / 3

Improvement Actions Improvement Potentials

Adequate Implementation Priority List of Activities


Planning Process Development Process

Objectives / Activities fullled? Objectives / Activities fullled?
Templates established? Templates established?

Verication Process Certication Process

Objectives / Activities fullled? Objectives / Activities fullled?
Templates established? Templates established?

Conguration Management Process Quality Assurance Process

Objectives / Activities fullled? Objectives / Activities fullled?
Templates established? Templates established?

Additional Considerations
Objectives / Activities fullled?

Figure 16: SQS workow for DO-178C/ED-12C gap analysis

DO-178C/ED-12C Page 22


Evaluation / Assessment Maturity Level 0 / 1 / 2 / 3

Improvement Actions Improvement Potentials

Adequate Implementation Priority List of Activities


Planning Process Development Process No

Objectives / Activities fullled? Objectives / Activities fullled?
Templates established? Templates established?

Verication Process Certication Process

Objectives / Activities fullled?
Templates established?
Objectives / Activities fullled?
Templates established?
Conguration Management Process Quality Assurance Process
Objectives / Activities fullled? Objectives / Activities fullled?
Templates established? Templates established?

Additional Considerations
Objectives / Activities fullled?


Tools Consider Tools Guidelines Consider Guidance

used? Yes Introduction, FAQ (Objectives, Activities)


MBD&V Consider Tools Guidelines Consider Guidance

used? Yes Introduction, FAQ (Objectives, Activities)

Adopt own

OOT Consider Tools Guidelines Consider Guidance

used? Yes Introduction, FAQ (Objectives, Activities)


FM Consider Tools Guidelines Consider Guidance

used? Yes Introduction, FAQ (Objectives, Activities)



Figure 17: SQS workow for DO-178C/ED-12C/Supplement introduction

DO-178C/ED-12C Page 23

The best approach is to consolidate all the ob- ies some aspects by using a vulnerability ana-
jectives of DO-178C/ED-12C and the applicable lysis, the MBD&V Supplement describes examples
supplements. For each objective, it is necessary of models, and the Formal Methods Supplement
to make a statement on how compliance will be gives advice on which activities formal methods
achieved, along with identifying any applicable can be used for.
life cycle data items. Because the objective num-
bering scheme of the Annex A Tables of DO-178C/ Figure 17 shows a general workow used by SQS,
ED-12C and the Annex A Tables of the supple- considering the integration of the different sup-
ments is unique, the identication of the object- plements within the gap analysis.
ives and their document sources will be clear and
unambiguous. The most important aspect when using this work-
ow is to check which guidance needs to be ad-
As mentioned above, the supplements are sub- dressed with regard to the different supplements.
divided into guidance and guideline material. Various examples presented in the supplements
The guidelines include introductory material and show the usage of the guidelines and their ad-
FAQs. The OOT Supplement, for instance, clar- equate interpretation.


The predecessor of DO-178C standard DO-178B experience from all elds necessary to develop
had been one of the most successful international such a standard. In the end, the new DO-178C/ED-
software standards ever. In its time (19902011), 12C standard with its four supplements lled over
the complexity of aircraft systems increased mani- 650 pages, six times the volume of DO-178B.
fold whereas the number of aircraft accidents re-
lated to software failures declined. This most cer- The DO-178C/ED-12C core document is not revo-
tainly is a huge success story. lutionary it is a slight improvement in com-
prehensibility and usability, clearly separating
During the validity of DO-178B, i.a. the aircraft guidance from guidelines. The most important
types Airbus A330/340, Airbus A380, Airbus improvement is the establishment of the four
A400M and Boeing 787 conquered the market supplements in order to provide more guidance
boasting software systems of previously unknown for the interesting technology-specic elds such
complexity. At the same time, new SW develop- as Model-Based Development & Verication and
ment technologies and methodologies were intro- Object-Oriented Methods.
duced that did not have a clear and commonly
agreed certication basis. The document covering Tool Qualication was
needed because the introduction of an increasing
The committee working on DO-178C was com- number of tools for development and verication
posed of authorities, aircraft manufacturers, sys- assistance requires a lot of guidance in this eld.
tem suppliers, tool vendors and consultants with Moreover, the usage of verication tools qual-
DO-178C/ED-12C Page 24

ifying the output of a development tool had not already use the methodologies and technologies
been within the scope of DO-178B, and it was time addressed by the supplements are invited to show
to consider this type of tool. compliance as soon as possible. If they fail to do
so, they run the risk of non-compliance in case
Object-oriented languages are very well known they have to re-certify their projects. This aspect
in commercial software development, but in the is the most challenging task of the new DO-178C/
avionic industry OOT is employed mainly at the ED-12, and all companies must address these is-
requirements and design level, for example us- sues at their earliest convenience. DO-178C/ED-
ing UML for a more descriptive representation. 12C experts and quality assurance specialists can
Object-oriented languages have not been used at support them and help them reach these goals in
all for the most safety-critical SW levels AC due time and within budget.
to the fact that compliance to the objectives of
DO-178B is not easily achieved. Additional sup-
porting papers (6) were generated over the last
ten years to close this gap, but without success.
With DO-178C and the OOT Supplement, guidance
now is straightforward, and all companies using
OOT are able to check their compliance.

Model-Based Development & Verication is well

established in the eld of avionic projects. This is
mainly due to the fact that there are some tools
on the market which already qualied against DO-
178B. Also, with Software Code Generation the
industry can rely on proven concepts which have
already been used for years for the most crit-
ical software parts within an aircraft (e.g. Flight
Controls in Airbus aircraft). Nevertheless, many
issues like model coverage and simulation were
raised by the authorities and aircraft manufactur-
ers, which were then adequately addressed in the
MBD&V Supplement.

In the context of standards, the crucial task is

to achieve compliance: the above Maturity Level
concept supports this effort and identies activ-
ities and measures that are necessary to ensure
this aim. In addition, a workow explains how to
consider one or more supplements to introduce
new methodologies and technologies. Structur-
ally, these supplements are similar to the DO-178C
core document but in fact they add, modify, or de-
lete DO-178C/ED-12C objectives. Companies which
Bibliographical References Page 25

' BOEING, Aviation Safety, Boeing Commercial Airplanes. Statistical Summary

of Commercial Jet Airplane Accidents Worldwide Operations 1959 2010.
Seattle, http://www.boeing.com/news/techissues/pdf/statsum.pdf: June 2011.

( Wikipedia. [Online] 2011. http://de.wikipedia.org/wiki/Airbus-A320-Familie,


) DO-248B/ED-94B. Annual Report for Clarication of DO-178B. RTCA,

October 2001.

* CAST. Certication Authorities Software Team. http://www.faa.gov/aircraft/

air_cert/design_approvals/air_software/cast/cast_papers/: FAA.

+ EASA. Software Aspects of Certication. http://www.easa.eu.int/certica-

pdf: 02 2011.

, OOTiA. OOTiA Handbook. [Online] 26/10/2004. http://www.faa.gov/aircraft/

SQS Software Quality Systems AG
Phone: +49 (0)2203 9154-0
Stollwerckstrasse 11
51149 Cologne / Germany