
    Technology Changes In Aeronautical Systems

    Guidance for producing airborne software today must be developed to the expectations of ED-12B/DO-178B "Software Considerations in Airborne Systems and Equipment Certification".[1] EASA and the FAA have formally recognized this 'objective-based' aviation software guidance, and it has proven to be extremely successful in the development of safe, in-service, operational aircraft containing software. Since its publication in 1992, ED-12B/DO-178B has gained respect as a standard that meets the goals of safety in the airborne community. However, recent technology advances such as Object Oriented Technology, Model Based Design, Software Tools and Formal Methods have applied methods that require elaboration of how the ED-12B/DO-178B objectives will be met. This paper discusses the approach for introducing new technologies with legacy aviation standards.

    Certification of Safety-Critical Software Under DO-178C and DO-278A

    The RTCA has recently released DO-178C and DO-278A as new certification guidance for the production of airborne and ground-based air traffic management software, respectively. Additionally, RTCA special committee SC-205 has also produced, at the same time, five other companion documents. These documents are RTCA DO-248C, DO-330, DO-331, DO-332, and DO-333. These supplements address frequently asked questions about software certification, provide guidance on tool qualification requirements, and illustrate the modifications recommended to DO-178C when using model-based software design, object oriented programming, and formal methods. The objective of this paper is to first explain the relationship of DO-178C to the former DO-178B in order to give those familiar with DO-178B an indication of what has been changed and what has not been changed. With this background, the relationship of DO-178C and DO-278 to the new DO-278A document for ground-based software development is shown. Last, an overview of the new guidance contained in the tool qualification document and the three new supplements to DO-178C and DO-278A is presented. For those unfamiliar with DO-178B, this paper serves to provide an entry point to this new certification guidance for airborne and ground-based CNS/ATM software certification.

    Final Report - Regulatory Considerations for Adaptive Systems

    This report documents the findings of a preliminary research study into new approaches to the software design assurance of adaptive systems. We suggest a methodology to overcome the software validation and verification difficulties posed by the underlying assumption of non-adaptive software in the requirements-based testing verification methods in RTCA/DO-178B and C. An analysis of the relevant RTCA/DO-178B and C objectives is presented, showing the reasons for the difficulties that arise in showing satisfaction of the objectives and suggesting additional means by which they could be satisfied. We suggest that the software design assurance problem for adaptive systems is principally one of developing correct and complete high level requirements and system level constraints that define the necessary system functional and safety properties to assure the safe use of adaptive systems. We show how analytical techniques such as model based design, mathematical modeling and formal or formal-like methods can be used to validate the high level functional and safety requirements, establish necessary constraints, and provide the verification evidence for the satisfaction of requirements and constraints that supplements conventional testing. Finally, the report identifies the follow-on research topics needed to implement this methodology.

    Design and development of certification compliance tool for airborne systems.

    Certification compliance checking for airborne software is very critical, as it aids in the certification of the software. Since this compliance check is performed manually, which is time-consuming and error-prone, an in-house developed Certification Compliance Tool (CCT) helps in checking the compliance as per RTCA DO-178B/C and generates artifacts depicting the magnitude of compliance. In order to generate the magnitude of compliance for the artifacts with respect to the civil aerospace certification standard RTCA DO-178B/C, an effective parsing technique must be incorporated to parse the artifact(s) and generate a compliance metric for them. In this paper we propose a novel approach used in the design and development of an effective and efficient parsing technique incorporated in the indigenous software tool CCT used for compliance checking. The tool checks the ratio of compliance of the artifacts generated across the various phases of the Software Development Life Cycle (SDLC) process involved in the development of safety-critical software as per RTCA DO-178B/C. The indigenous tool accepts these artifacts as inputs and, based on the software criticality level, analyzes the compliance of these artifacts with the guidelines provided and recommended by RTCA DO-178B/C. The output of the tool provides the percentage of compliance of the artifacts, which helps in assessing the certification capabilities of the developed software. The percentage of compliance predicts the acceptance or rejection probabilities of the software being certified by the certification agency. The certification parser is developed using Python modules like Pywin32 and Pypdf parsers and different approaches to natural language processing using the Python Natural Language Toolkit (NLTK). The in-house tool replaces the manual effort by individuals, which may be error-prone and impact the time schedule, thereby compromising software safety. The integration of the tool with commercial tools will help in analyzing the report/documentation content with respect to the certification.

    Towards Understanding the DO-178C / ED-12C Assurance Case

    This paper describes initial work towards building an explicit assurance case for DO-178C / ED-12C. Two specific questions are explored: (1) What are some of the assumptions upon which the guidance in the document relies? (2) What claims are made concerning test coverage analysis?

    An Exercise in Reverse Engineering for Safety-Critical Systems: An Experience for the Classroom

    Since the Y2K crisis, reverse engineering has become a major area of work in industrial software application development, but it lacks emphasis in US academia. This issue is exemplified by the high demand for software systems in new and expanding software application areas, which has resulted in systems being implemented before the requirements and design phases have been completed. Towards the maintenance of such systems, it is necessary to conduct reverse engineering for the derivation of software documentation for requirements and high-level and low-level design. When this scenario exists in the domain of safety-critical systems, particularly in the aviation industry, reverse engineering takes on greater value because such software systems have to undergo development regulations and certification restrictions. This work reports on the pedagogical revelations gained from conducting reverse engineering on a software system that was developed and deployed for use in managing the assignment of commercial aircraft to airport terminal gates. The software system incorporated genetic algorithm solutions and was implemented on a high-speed multi-processor system. The reverse engineering methodology applied was based on the RTCA DO-178C Software Considerations in Airborne Systems and Equipment Certification specification for onboard avionic software systems.

    Certification & Object Orientation: The New Ada Answer

    The object model of Ada 2005 is well-suited for applications that have to meet certification at various levels. We review the use of Ada in the context of certification, and show that the object-oriented facilities of the current language standard, properly restricted to avoid dynamic dispatching, can already be used without problems under current DO-178B guidelines. We then examine the complications to certification that are presented by dynamic dispatching in a single inheritance model, and show implementation-specific ways of addressing these complications. Finally, we discuss the problems introduced by the use of multiple inheritance. We conclude by showing how, regardless of the extent to which object-oriented idioms are used, Ada provides a safe and efficient vehicle to create certifiable systems.

    Making the Implicit Explicit: Towards an Assurance Case for DO-178C

    For about two decades, compliance with Software Considerations in Airborne Systems and Equipment Certification (DO-178B) has been the primary means for receiving regulatory approval for using software on commercial airplanes. A new edition of the standard, DO-178C, was published in December 2011, and regulatory bodies have started the process towards recognizing this edition. The stated purpose of DO-178C remains unchanged from its predecessor: providing guidance for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements. Within the text of the guidance, little or no rationale is given for how a particular objective or collection of objectives contributes to achieving this purpose. Thus the assurance case for the document is implicit. This paper discusses a current effort to make the implicit explicit. In particular, the paper describes the current status of the research seeking to identify the specific arguments contained in, or implied by, the DO-178C guidance that implicitly justify the assumption that the document meets its stated purpose.

    Avionics standards, software and IMA

    The paper covers the definition of Integrated Modular Avionics (IMA), the associated avionics standards and the impact on avionics software. ARINC and RTCA/EUROCAE committees, in which all avionics stakeholders are involved, developed these standards. 2005 is a key year for standardization: ARINC653 part 1 supplement 2 and part 3 are ready for publishing, and RTCA-SC200 / EUROCAE-WG60 is under ballot. The concepts of IMA, the new architecture in avionics, were defined in the late eighties and published for the first time in the ARINC651 standard in 1991. The IMA concepts were first applied on the Boeing 777, extended and used on the Airbus A380, and are now selected for the future Boeing 787. These concepts divide the avionics embedded domain into Platform (Hardware + Core Software) and Applications instead of Hardware and Software. Several applications of different criticality levels can reside on the same platform. The consequence was the development of new standards and guidelines supporting these concepts, e.g.:
    - ARINC653 defines the API and the behavior of the Core Software services.
    - DO-255/ED-96 contains the description of an Avionic Computing Resource (a platform separated from its hosted applications).
    - DO-248B/ED-94B clarifies DO-178B/ED-12B and defines concepts like robust partitioning.
    - SC200/WG60 (future ED-124) contains the IMA Development Guidance and Certification.
    - SC205/WG71 has started; it reviews and extends DO-178B/ED-12B and DO-248B/ED-94B with regard to new technologies.
    The paper describes the objectives and the results of these standardization committees. It focuses on the ARINC653 and ED-124 standards and briefly presents the associated standards.