Certification of Safety-Critical Software Under DO-178C and DO-278A

The RTCA has recently released DO-178C and DO-278A as new certification guidance for the production of airborne and ground-based air traffic management software, respectively. Additionally, RTCA special committee SC-205 has also produced, at the same time, five other companion documents. These documents are RTCA DO-248C, DO-330, DO-331, DO- 332, and DO-333. These supplements address frequently asked questions about software certification, provide guidance on tool qualification requirements, and illustrate the modifications recommended to DO-178C when using model-based software design, object oriented programming, and formal methods. The objective of this paper is to first explain the relationship of DO-178C to the former DO-178B in order to give those familiar with DO- 178B an indication of what has been changed and what has not been changed. With this background, the relationship of DO-178C and DO-278 to the new DO-278A document for ground-based software development is shown. Last, an overview of the new guidance contained in the tool qualification document and the three new supplements to DO-178C and DO-278A is presented. For those unfamiliar with DO-178B, this paper serves to provide an entry point to this new certification guidance for airborne and ground-based CNS/ATM software certification

Towards Understanding the DO-178C / ED-12C Assurance Case

This paper describes initial work towards building an explicit assurance case for DO-178C / ED-12C. Two specific questions are explored: (1) What are some of the assumptions upon which the guidance in the document relies, and (2) What claims are made concerning test coverage analysis

An audit model for safety-critical software

Atualmente o uso de software considerados complexos e críticos está crescendo em diversos setores da indústria como a aeronáutica com seus diversos sistemas embarcados em aeronaves e a médica com seus dispositivos médicos cada vez mais avançados. Devido a isso, a quantidade de standards dedicados a esse tipo de desenvolvimento está crescendo nos últimos anos e autoridades regulamentadoras estão reconhecendo a sua aplicabilidade e, em alguns casos, tornando como parte dos requisitos obrigatórios de certificação ou aprovação. O intuito de uma auditoria de software é verificar que o software desenvolvido está de acordo com a norma aplicável, no entanto os modelos existentes não permitem o auditor ter a flexibilidade de adequar o modelo de auditoria às suas necessidades. Como parte dessa pesquisa, diferentes modelos de desenvolvimento software foram considerados, bem como standards da área aeronáutica (RTCA DO-178C) e área médica (IEC 62304) foram estudados quanto as suas recomendações e requisitos para desenvolvimento de software safety-crítico. Como objetivo dessa dissertação, um modelo de auditoria de software foi proposto com as atividades que são necessárias para a condução de auditoria de software safety-crítico, permitindo ao auditor aplicar o modelo de acordo com as atividades que precisam ser auditadas, dando a flexibilidade necessária para o escopo da auditoria, bem como um conjunto de perguntas para a auditoria de software desenvolvido utilizando RTCA DO-178C e IEC 62304 foi sugerido e avaliado por especialistas de software para garantir a maturidade e eficiência das perguntas propostas. Além da avaliação das perguntas, também foi conduzido um estudo de caso, em uma empresa aeroespacial, com duas instanciações para avaliar a maturidade do modelo de auditoria de software proposto.Nowadays, the use of software considered complex and critical is growing in several industry sectors, such as aeronautics with its various systems embedded in aircraft and the medical one with its increasingly advanced medical devices. Because of this, the number of standards dedicated to this type of development is growing in recent years, and regulatory authorities are recognizing its applicability and, in some cases, making it part of the mandatory certification requirements or approval. The software audit intent is to verify that the software developed complies with the applicable standard. However, the existing audit models do not allow the auditor to tailor the audit model to its audit necessities. As part of this research, the various software development models were considered, and standards in the aeronautical (RTCA DO-178C) and medical (IEC/ISO 62304) areas were studied regarding their guidelines and requirements for safety-critical software development. This thesis aims to propose a software audit model with the activities necessary for conducting a safety-critical software audit, giving the auditor the necessary flexibility in the audit execution without the need to achieve specific predetermined milestones. Additionally, a set of questions for software auditing developed using RTCA DO-178C and IEC 62304 has been suggested and evaluated by software experts to ensure the maturity and efficiency of the proposed questions. In addition to evaluating the questions, a case study was also conducted in an aerospace company, with two instances to evaluate the proposed software audit model’s maturity.Não recebi financiament

Making the Implicit Explicit: Towards an Assurance Case for DO-178C

For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements. Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in, or implied by, the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose

Final Report - Regulatory Considerations for Adaptive Systems

This report documents the findings of a preliminary research study into new approaches to the software design assurance of adaptive systems. We suggest a methodology to overcome the software validation and verification difficulties posed by the underlying assumption of non-adaptive software in the requirementsbased- testing verification methods in RTCA/DO-178B and C. An analysis of the relevant RTCA/DO-178B and C objectives is presented showing the reasons for the difficulties that arise in showing satisfaction of the objectives and suggested additional means by which they could be satisfied. We suggest that the software design assurance problem for adaptive systems is principally one of developing correct and complete high level requirements and system level constraints that define the necessary system functional and safety properties to assure the safe use of adaptive systems. We show how analytical techniques such as model based design, mathematical modeling and formal or formal-like methods can be used to both validate the high level functional and safety requirements, establish necessary constraints and provide the verification evidence for the satisfaction of requirements and constraints that supplements conventional testing. Finally the report identifies the follow-on research topics needed to implement this methodology

Building and Integrating an Information Security Trustworthiness Framework for Aviation Systems

The aviation infrastructure is broadly composed of aircraft, air traffic control systems, airports and public airfields. Much attention has been given to physical security along the years this industry has been expanding; and now, in the new age of interconnection devices, a growing concern about cybersecurity has risen. The never-ending improvement of new digital technology has given birth to a new generation of electronic-enabled (e-enabled) aircraft that implement a remarkable amount of new technologies such as IP-enabled networks, COTS (commercial off-the- shelf) components, wireless connectivity, and global positioning systems (GPSs). For example, aircraft manufacturers are building wireless systems to reduce the amount of wiring within an aircraft. The general purpose of this is the reduction in weight that helps an aircraft achieve lower fuel consumption, but it can result into a security issue since these wireless systems are vulnerable to cybersecurity threats. Therefore, since the aviation infrastructure has taken advantages of the era of technology and is providing unprecedented global connectivity, there is a need for an in-depth study of the measures being taken to mitigate the security vulnerabilities that these e-enabled aircraft technologies introduce that may have not been considered in the traditional aircraft design

An experimental Study using ACSL and Frama-C to formulate and verify Low-Level Requirements from a DO-178C compliant Avionics Project

Safety critical avionics software is a natural application area for formal verification. This is reflected in the formal method's inclusion into the certification guideline DO-178C and its formal methods supplement DO-333. Airbus and Dassault-Aviation, for example, have conducted studies in using formal verification. A large German national research project, Verisoft XT, also examined the application of formal methods in the avionics domain. However, formal methods are not yet mainstream, and it is questionable if formal verification, especially formal deduction, can be integrated into the software development processes of a resource constrained small or medium enterprise (SME). ESG, a Munich based medium sized company, has conducted a small experimental study on the application of formal verification on a small portion of a real avionics project. The low level specification of a software function was formalized with ACSL, and the corresponding source code was partially verified using Frama-C and the WP plugin, with Alt-Ergo as automated prover. We established a couple of criteria which a method should meet to be fit for purpose for industrial use in SME, and evaluated these criteria with the experience gathered by using ACSL with Frama-C on a real world example. The paper reports on the results of this study but also highlights some issues regarding the method in general which, in our view, will typically arise when using the method in the domain of embedded real-time programming.Comment: In Proceedings F-IDE 2015, arXiv:1508.0338

Software Safety Assurance in Non-Airborne GPS Based Landing Aids

This paper investigates the software standard DO-278A from the RTCA according to assurance level 3 to provide a concept for approving software of ground-based navigation aids. For this purpose, related literature and standards were reviewed and evaluated for their applicability for proposing such a concept. The resulting approval concept shows our approach for conducting the development process according to DO-278A based on a traditional one and focusing on an activity schedule. Therefore, the paper offers preliminary considerations at first to show the relation between system and software development. In addition, corresponding standards that are related to the development are presented as well. The concept is segmented in three main phases for software planning, realization, and verification, which are subdivided and scheduled in specific activities. Each activity consists of an outline describing the contents expected by DO-278A and our approach to organizing them. This paper shows our conceptional approach to obtain an approval for software according to DO-278A. This concept is prepared to approve a radio navigation aid

Proposing the Use of Hazard Analysis for Machine Learning Data Sets

There is no debating the importance of data for artificial intelligence. The behavior of data-driven machine learning models is determined by the data set, or as the old adage states: “garbage in, garbage out (GIGO).” While the machine learning community is still debating which techniques are necessary and sufficient to assess the adequacy of data sets, they agree some techniques are necessary. In general, most of the techniques being considered focus on evaluating the volumes of attributes. Those attributes are evaluated with respect to anticipated counts of attributes without considering the safety concerns associated with those attributes. This paper explores those techniques to identify instances of too little data and incorrect attributes. Those techniques are important; however, for safety critical applications, the assurance analyst also needs to understand the safety impact of not having specific attributes present in the machine learning data sets. To provide that information, this paper proposes a new technique the authors call data hazard analysis. The data hazard analysis provides an approach to qualitatively analyze the training data set to reduce the risk associated with the GIGO