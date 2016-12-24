Copyright 2016-2017– Throughout document Slide 1 DO-178C (With DO-254) Overview – 1 Hour
Copyright Afuzion Inc www.afuzion.com  Certification standards for airborne equipment  DO-178 => Software  DO-254 => Ha...
Copyright Afuzion Inc www.afuzion.com • RTCA DO-178: “Software Considerations in Airborne Systems and Equipment Certificat...
Copyright Afuzion Inc www.afuzion.com •RTCA DO-254: “Design Assurance Guidance for Airborne Electronic Hardware” •Develope...
Copyright Afuzion Inc www.afuzion.com Slide 7 Avionics Development Ecosystem 3. Software DO-178C 3. Hardware DO-254 2. Sys...
DO-178: Evolution History Doc Year Basis Themes DO-178 1980 - 1982 498 & 2167A Artifacts, documents, traceability, testing...
Copyright Afuzion Inc www.afuzion.com Slide 9 DO-178 Document Layout (copied directly from the DO-178 document) 1. Planni...
Copyright Afuzion Inc www.afuzion.com Slide 10 DO-254 Layout Planning Development Correctness/ Supporting Processes 1. ...
Copyright Afuzion Inc www.afuzion.com  Planning Process – Occurs first  Development Process – Follows Planning  Correct...
Optimal DO-178 & 254 Engineering Route By Vance Hilderman (Not FAA/EASA) Slide 12 Safety Assessment & Rqmts Systems Rqmts ...
Copyright Afuzion Inc www.afuzion.com 1 •Detailed planning 2 •Five Criticality Levels (A, B, C, D, E) 3 •Consistency & Det...
Copyright Afuzion Inc www.afuzion.com Slide 14 Key Principle: DO-178C Objectives by Level • 71 Objectives (30 with indepen...
DO-178 Five Key Plans 1. PSAC 2. SQAP 3. SCMP 4. SWDP 5. SWVP Slide 15 PSAC: Plan for Software Aspects of Certification SQ...
Copyright Afuzion Inc www.afuzion.com 1 Software Requirements Standard 2 Software Design Standard 3 Software Coding Standa...
Copyright Afuzion Inc www.afuzion.com Slide 17 Scope of DO-178 & DO-254? PLD ASIC FPGA CPU RTOS BSP Math APP SW Drivers D...
Criticality Levels  “Software whose anomalous behavior, as shown by the system safety assessment process, would cause or ...
Why Different Criticality Levels?  Why Does 178/254 Have Different Criticality Levels?  Who were major 178/254 contribut...
DO-178 Criticality Level Comparison (NOT for DO-254; See DO-254 Section Later) DO178 Aspect Level A Level B Level C Level ...
Copyright Afuzion Inc www.afuzion.com  “Certified”: the entire “system” is Certified for flight, while components may hav...
Cost Differential per Criticality Level 0 5 10 15 20 25 30 35 40 Certification $ Delta % Level E Level D Level C Level B L...
Copyright Afuzion Inc www.afuzion.com 1. Neglecting “Independence” 2. Science projects versus proven technologies 3. Inade...
Copyright Afuzion Inc www.afuzion.com Slide 24 Safety Assessments: The Big Four 4. Common Cause Analysis Verify independen...
The Three Key Processes 1. PSAC 2. QA Plan 3. CM Plan 4. SWD Plan 5. SWV Plan Slide 25 1. Planning Process 2. Development ...
Copyright Afuzion Inc www.afuzion.com  Configuration Management Objectives: Slide 26 Configuration Management Plan Overvi...
The Development Process – Starts With System Requirements System Rqmts Rqmts Design Code Integra tion Slide 27 1. Planning...
Copyright Afuzion Inc www.afuzion.com  DO-178 & 254 provides for design/documentation flexibility  Design requires four ...
Rqmts Vs Design Low-level Requirements: What are they?  Answer: Overlap of High-Level Rqmts & Design = Low-Level Rqmts Sl...
Copyright Afuzion Inc www.afuzion.com Slide 30 DO-178C: Verification Pyramid Foundation Analysis Tests Reviews
Copyright Afuzion Inc www.afuzion.com Slide 31 “The Verification Equation” Verification Reviews Tests & Analysis
Copyright Afuzion Inc www.afuzion.com  All Reviews need configured Entry (input) Criteria  Example: Code Review.  What ...
Copyright Afuzion Inc www.afuzion.com Slide 33 Example: Code Review “Transition Criteria”  What are the Inputs & Outputs ...
Copyright Afuzion Inc www.afuzion.com Four Categories of Tests: 1. Functional Tests – All Requirements 2. Normal Range Tes...
Slide 35 DO-178C & DO-254 For Military
Copyright Afuzion Inc www.afuzion.com DO-178C for Supplier/Integrator Management for Military  Examples of Military Aircr...
Copyright Afuzion Inc www.afuzion.com EXAMPLES C-130 & C-17 Many new and reverse-engineering avionics systems, per DO-178B...
Copyright Afuzion Inc www.afuzion.com ISSUES Software Considerations  Functionality with no regulatory basis  Search & R...
Copyright Afuzion Inc www.afuzion.com ISSUES Software Considerations  Differences for Military DO-178C:  Less, but diffe...
Copyright Afuzion Inc www.afuzion.com Military “Criticality Level” Considerations  Criticality Level:  based upon passen...
Copyright Afuzion Inc www.afuzion.com Slide 41 Special Topic: Cost, Estimation, & Metrics
DO-178C Cost Metrics Level B  CM & QA: 10%  DER Services: 2-3%  Management 4-7%  Rqmts Development: 10%  Design: 10% ...
Copyright Afuzion Inc www.afuzion.com  Does Cost ($) Matter?  Yes!  Are DO-178 & DO-254 Cheap?  No!  Can DO-178/254 B...
Copyright Afuzion Inc www.afuzion.com Slide 44 ROI vs DO-178C “Hilderman Perfection Curve” (Not FAA/EASA Approved) DO-178C...
Copyright Afuzion Inc www.afuzion.com 1. Cert versus Compliance 2. Augmenting existing Plans for DO-178 (5-Key Process Pla...
Copyright Afuzion Inc www.afuzion.com Slide 46 Conclusion Q & A For Advanced DO-178C Training information, see: http://afu...
Copyright Afuzion Inc www.afuzion.com Slide 47 Conclusion Q & A Coming in 2017:
DO-178C Overview (from AFuzion Inc): excerpt of training provided to 11,500 engineers worldwide.

Slide 1: DO-178C (With DO-254) Overview – 1 Hour
Copyright 2016-2017, throughout document
Slide 2: Almost Famous Quotes
Copyright Afuzion Inc www.afuzion.com
• “The School Of Avionics Wishful Thinking has many students, but no graduates …” (Vance Hilderman)
• “DO-178 is the worst standard in the world; except for all the others” (Vance Hilderman paraphrasing Winston Churchill)
• “Flight safety is simple: the number of successful landings should equal the number of take-offs.” (Author Unknown)
Notes about this training manual: The DO-178 related material was 100% developed from scratch, beginning in 1989 and continuing through 2015 via copyright from Vance Hilderman.
Slide 3: About Your Instructor (Today: Vance Hilderman)
• BSEE, MBA, MSEE (Hughes Fellow)
• Founder of two of the world’s largest avionics development services companies
• Has personally trained over 11,000 persons; more than all other DO-178/254 instructors in the world: combined.
• Has successfully contributed to over 300 diverse avionics projects
• Proven Systems, Hardware and Software success with over 100 different clients
• Has worked with 40+ of North America’s largest avionics companies and 75 of the world’s 100 largest aerospace companies
Slide 4: What are DO-178 and DO-254?
• Certification standards for airborne equipment
  • DO-178 => Software
  • DO-254 => Hardware
• Regulated by the FAA
• Required if target aircraft flies in commercial U.S. airspace
• Covers full engineering lifecycle:
  • Planning (CM, QA, Development, Testing)
  • Development (Requirements/Design/Implementation)
  • Verification
  • Quality Assurance, Liaison, Certification
Slide 5: Synopsis of DO-178 and DO-254
• RTCA DO-178: “Software Considerations in Airborne Systems and Equipment Certification”
• Developed 1980 – 2012 via 500+ Industry and Government personnel
• Many compromises to satisfy different goals
• Not a recipe book or “How To” guide
• “Discussion” flow for guidance; able to accommodate many different development approaches
• Lawyers versus Software Engineers; who wins?
• In practice: The Golden Rule …
Slide 6: Synopsis of DO-254
• RTCA DO-254: “Design Assurance Guidance for Airborne Electronic Hardware”
• Developed 1996 – 2000 via 100+ Industry and Government personnel
• The committee was mostly software people (thus similar to DO-178)
• Strong focus on Complex Electronic Hardware (CEH) devices (with embedded ‘code’)
• Provides design assurance for CEH including Programmable Logic Devices (PLDs) and Application Specific Integrated Circuits (ASICs)
• Covers all electronic hardware
Slide 7: Avionics Development Ecosystem (diagram)
1. Safety Assessment: ARP 4761 (outputs: Criticality Level, Architectural Inputs)
2. System Development: ARP 4754A (outputs: SW Rqmts, HW Rqmts)
3. Software: DO-178C (Tests)
3. Hardware: DO-254 (Tests)
Slide 8: DO-178: Evolution History
Doc | Year | Basis | Themes
DO-178 | 1980 - 1982 | 498 & 2167A | Artifacts, documents, traceability, testing
DO-178A | 1985 | DO-178 | Processes, testing, components, four criticality levels, reviews, waterfall methodology
DO-178B | 1992 | DO-178A | Integration, transition criteria, diverse development methods, data (not documents), tools
DO-178C | 2012 | DO-178B | Reducing subjectivity; address modeling, detailed requirements, OOT, Formal Methods: “Ecosystem”
Slide 9: DO-178 Document Layout (copied directly from the DO-178 document)
Sections are grouped into three processes: 1. Planning, 2. Development, 3. Correctness.
1. Overview
2. System Aspects
3. Lifecycle
4. Planning Process
5. Development Process
6. Verification
7. Configuration Mgmt
8. Quality Assurance
9. Certification Liaison
10. Overview of Aircraft And Engine Certification
11. Data & Considerations
A. Objectives by Cert Level
Slide 10: DO-254 Layout
Sections are grouped into Planning, Development, and Correctness/Supporting Processes.
1. Introduction
2. System Aspects
3. Design Lifecycle
4. Planning Process
5. Design Process
6. Validation & Verification
7. Configuration Mgmt
8. Process Assurance
9. Certification Liaison
10. Lifecycle Data
11. Additional Considerations
A. Modulation based on level
B. Level A and B Specifics
Slide 11: Three Key Processes (same for DO-178 and DO-254)
1. Planning Process – Occurs first
2. Development Process – Follows Planning
3. Correctness Process – Continuous Throughout Project
Slide 12: Optimal DO-178 & 254 Engineering Route, by Vance Hilderman (Not FAA/EASA) (diagram)
Planning Phase (over time): Safety Assessment & Rqmts; Systems Rqmts; Develop Plans, Stnds, Chklsts; Develop Traceability; Implement CM; Start QA
Development & Correctness Phases (over time): High-Level Rqmts; Low-Level Rqmts; Design; Code & Logic; Verification & Validation; Integration; Conformity Review; Cert
Certification authority reviews along the route: SOI #1, SOI #2, SOI #3, SOI #4
Slide 13: DO-178 and DO-254 Key Attributes (similar for DO-178 and DO-254)
1. Detailed planning
2. Five Criticality Levels (A, B, C, D, E)
3. Consistency & Determinism
4. Traceability: top-to-bottom, and back
5. Independence (especially Levels A/B)
6. Path testing
7. Proven Tools (“Qualification”)
8. Up to 20 artifact types and 71 objectives
9. “Guilty Until Proven Innocent”
Slide 14: Key Principle: DO-178C Objectives by Level
• Level A: 71 Objectives (30 with independence)
• Level B: 69 Objectives (18 with independence)
• Level C: 62 Objectives (5 with independence)
• Level D: 26 Objectives (2 with independence)
• Level E: No Objectives (just prove you are Level E!)
Slide 15: DO-178 Five Key Plans
1. PSAC: Plan for Software Aspects of Certification
2. SQAP: Software Quality Assurance Plan
3. SCMP: Software Configuration Management Plan
4. SWDP: Software Development Plan
5. SWVP: Software Verification Plan
(Plus 3 Standards: Requirements, Design and Coding)
Slide 16: Additional Documents/Artifacts
1. Software Requirements Standard
2. Software Design Standard
3. Software Coding Standard
4. Software Configuration Index (SCI) or Version Description Document (VDD)
5. Software Traceability Matrix (STM)
6. Requirements, Design, Code and Tests/Results
7. Tool Qualification Plan/Data/Assessment
8. Software Environment Configuration Index (SECI) – Submitted to FAA
9. Software Accomplishment Summary (SAS) – Submitted to FAA
10. CM Records & Problem Reports
11. QA & DER Audit Records
12. Checklists for each process step and artifact
Slide 17: Scope of DO-178 & DO-254? (diagram of a Typical Avionics LRU)
• Hardware elements: PLD, ASIC, FPGA, CPU
• Software elements: RTOS, BSP, Math, APP SW, Drivers
• The diagram marks which elements fall under DO-178 and which under DO-254
Slide 18: Criticality Levels
“Software whose anomalous behavior, as shown by the system safety assessment process, would cause or contribute to a failure of system functions…
A. …resulting in a catastrophic failure condition for the aircraft.” Level A = <1E-09
B. …resulting in a hazardous/severe-major failure condition for the aircraft.” Level B <1E-07
C. …resulting in a major failure condition for the aircraft.” Level C <1E-05
D. …resulting in a minor failure condition for the aircraft.” Level D >1E-05
E. …with no effect on aircraft operational capability or pilot workload.” Level E = No further application of 178/254 required.
Summary: Level A <1E-09; Level B <1E-07; Level C <1E-05; Level D >1E-05; Level E NA
Slide 19: Why Different Criticality Levels?
• Why Does 178/254 Have Different Criticality Levels?
• Who were major 178/254 contributors?
• What were their major concerns?
  • Schedule
  • Cost
  • Safety, but with reasonableness
Slide 20: DO-178 Criticality Level Comparison (NOT for DO-254; See DO-254 Section Later)
DO178 Aspect | Level A | Level B | Level C | Level D
Independence Level | High | Medium | Low | Very Low
Necessity of Low-Level Requirements | Yes | Yes | Yes | No
Statement Structural Coverage | Yes | Yes | Yes | No
Decision/Condition Structural Coverage | Yes | Yes | No | No
MCDC Structural Coverage | Yes | No | No | No
Configuration Management | Tight | Tight | Medium | Low
Source to Binary Correlation | Yes | No | No | No
Requirements Correlate to Target processor | Yes | Yes | No | No
Architecture & Algorithms Verification | Yes | Yes | Yes | No
Code Reviews | Yes | Yes | Yes | No
SQA Transition Criteria | Yes | Yes | Yes | No
Reprinted from FAA Public Presentation
Slide 21: Special Terminology
• “Certified”: the entire “system” is Certified for flight, while components may have different certification Levels
• “Certifiable”: a component within a system achieving its highest certification status prior to certifying it with a “certified” system
• “Compliant”: certification via an entity other than the FAA (e.g. Military or non-commercial avionics)
• “Qualified”: formal approval of a tool which (since it does not “fly”) does not require “certification”
Slide 22: Cost Differential per Criticality Level (bar chart: Certification $ Delta %, scale 0 to 40, for Level E, Level D, Level C, Level B, Level A)
Slide 23: Top DO-178 & DO-254 Mistakes
1. Neglecting “Independence”
2. Science projects versus proven technologies
3. Inadequate formal plans and not following them
4. Inadequate level of detail in Requirements
5. Inadequate and non-automated Traceability
6. Excessive code iterations via inadequate reviews/tools
7. Lack of path coverage capture during functional tests
8. Lack of automated testing = Expen$ive Regression Test
9. Creating custom RTOS & Tools
10. Neglecting to eliminate early-stage coding errors
11. Neglecting to prevent unwarranted changes via CM
12. Insufficient PSAC/PHAC
13. Insufficient Tool Qualification
14. Not taking credit for existing legacy work => “Gap Analysis”
15. Weak DO-178/254 Checklists & poor Checklist management
Slide 24: Safety Assessments: The Big Four
1. Functional Hazard Assessment (FHA): Identify potential failures and their effects, then classify the severity of each
2. Preliminary Aircraft/System Safety Assessment (PASA or PSSA): Analyze the proposed architecture to determine how failures identified in FHA could occur; yields safety requirements
3. Aircraft/System Safety Assessment: Evaluate aircraft systems to determine if safety requirements are met
4. Common Cause Analysis: Verify independence of functions and systems is sufficient for defined safety
Slide 25: The Three Key Processes
1. Planning Process, producing the five plans: 1. PSAC 2. QA Plan 3. CM Plan 4. SWD Plan 5. SWV Plan
2. Development Process
3. Correctness Process
Slide 26: Configuration Management Plan Overview (3. SCMP)
Configuration Management Objectives:
1. Baseline & Traceability
2. Change Control, Prob Reporting & Review
3. Configuration Identification
4. Version Control & Replication
Slide 27: The Development Process – Starts With System Requirements
Flow: System Rqmts => Rqmts => Design => Code => Integration
(Context: 1. Planning Process 2. Development Process 3. Correctness Process)
Slide 28: Design Overview
• DO-178 & 254 provide for design/documentation flexibility
• Design requires four key aspects:
  1. Low-Level Rqmts
  2. Interface Definitions
  3. Data Flow
  4. Control Flow
Slide 29: Rqmts Vs Design
Low-level Requirements: What are they?
• Answer: Overlap of High-Level Rqmts & Design = Low-Level Rqmts
• Design: 1. Low-Level Rqmts 2. Interface Definitions 3. Data Flow 4. Control Flow
(Venn diagram: High-Level Rqmts and Design, with Low-Level Rqmts in the overlap)
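The development chain on slides 27 to 29 (System Rqmts to High-Level Rqmts to Low-Level Rqmts to Code) is what the "traceability: top-to-bottom, and back" attribute of slide 13 is checked against. The following is an added example, not code from the AFuzion deck: a bidirectional trace check over a constructed Software Traceability Matrix, with all requirement, code and test identifiers invented for illustration.

```python
"""Added example, not from the AFuzion deck: a bidirectional trace check of
the kind a Software Traceability Matrix review performs, over the chain
System Rqmts -> High-Level Rqmts -> Low-Level Rqmts -> Code, with test
cases traced back to requirements. All identifiers below are constructed."""

# Constructed artifact sets per level. "CODE" items stand for source units.
ARTIFACTS = {
    "SYS": {"SYS-1"},
    "HLR": {"HLR-1", "HLR-2"},
    "LLR": {"LLR-1", "LLR-2"},
    "CODE": {"mode_select.c", "alt_hold.c", "fuel_calc.c"},
    "TEST": {"TC-1", "TC-2", "TC-3"},
}
# Constructed trace links: (child artifact, parent it traces to).
LINKS = [
    ("HLR-1", "SYS-1"), ("HLR-2", "SYS-1"),
    ("LLR-1", "HLR-1"), ("LLR-2", "HLR-1"),
    ("mode_select.c", "LLR-1"), ("alt_hold.c", "LLR-2"),
    ("TC-1", "HLR-1"), ("TC-2", "LLR-1"), ("TC-3", "LLR-2"),
    ("fuel_calc.c", "LLR-9"),  # points at a requirement that does not exist
]
KNOWN = set().union(*ARTIFACTS.values())
# Each requirement level must be refined by the level below it.
REFINEMENT = (("SYS", "HLR"), ("HLR", "LLR"), ("LLR", "CODE"))


def parents_of(x):
    return {p for c, p in LINKS if c == x}


def children_of(x):
    return {c for c, p in LINKS if p == x}


def dangling_links():
    """Links whose parent identifier exists in no artifact set."""
    return {(c, p) for c, p in LINKS if p not in KNOWN}


def orphans():
    """Bottom-to-top gap: artifacts with no valid parent. Untraced code is
    the classic finding, since it may be dead or unrequired code."""
    return {x for lvl in ("HLR", "LLR", "CODE") for x in ARTIFACTS[lvl]
            if not parents_of(x) & KNOWN}


def unrefined():
    """Top-to-bottom gap: a requirement nothing derives from at the next level."""
    return {x for up, down in REFINEMENT for x in ARTIFACTS[up]
            if not children_of(x) & ARTIFACTS[down]}


def untested():
    """Requirements that no test case traces to."""
    return {x for lvl in ("HLR", "LLR") for x in ARTIFACTS[lvl]
            if not children_of(x) & ARTIFACTS["TEST"]}


def trace_report():
    """Collect every gap class; an empty report means the matrix closes."""
    return {"dangling": dangling_links(), "orphans": orphans(),
            "unrefined": unrefined(), "untested": untested()}


if __name__ == "__main__":
    for kind, items in trace_report().items():
        print(f"{kind}: {sorted(map(str, items))}")
```

On the constructed matrix the report flags HLR-2 (no low-level requirement and no test derive from it) and fuel_calc.c (traced only to a nonexistent LLR-9), which are exactly the two directions the slide 13 attribute demands.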
Slide 30: DO-178C: Verification Pyramid (diagram with layers labelled Reviews, Tests and Analysis, on a Foundation)
Slide 31: “The Verification Equation”
Verification = Reviews + Tests & Analysis
Slide 32: Reviews Use Entry Criteria, plus a checklist
• All Reviews need configured Entry (input) Criteria
• Example: Code Review. What is needed to perform Code Review?
  1. _____________
  2. _____________
  3. _____________
  4. _____________
  5. _____________
  6. _____________
Slide 33: Example: Code Review “Transition Criteria”
• What are the Inputs & Outputs for a Code Review?
• Inputs to the Code Review:
  1. Source Code
  2. Code Review Checklist
  3. Coding Standard
  4. Software Design
  5. Software Requirements
  6. Rqmts Trace Matrix
• Outputs (the “Transition”):
  1. Completed Checklist
  2. Action Items & Defects
Slide 34: Software Testing
Four Categories of Tests:
1. Functional Tests – All Requirements
2. Normal Range Tests – “Sunny Day” conditions
3. Robustness Tests – “Rainy Day” conditions
4. Structural Coverage Analysis – Cover all code
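Structural Coverage Analysis (category 4 above) is where the per-level differences of slide 20 bite: decision/condition coverage is required from Level B up, and MC/DC only at Level A. The following is an added example, not code from the AFuzion deck, that checks a set of test vectors for one Boolean decision against those criteria; the decision, its condition names and the vectors are all constructed.

```python
"""Added example, not from the AFuzion deck: checks one Boolean decision's
test vectors against the structural-coverage criteria that slide 20 ties to
software levels (decision/condition coverage from Level B up, MC/DC for
Level A only). Decision, condition names and vectors are all constructed."""
from itertools import product

# Constructed decision: an autoflight-style mode guard. The names are
# illustrative only.
CONDITIONS = ("ap_engaged", "alt_captured", "pilot_override")


def decision(v):
    """Evaluate (ap_engaged AND alt_captured) OR pilot_override."""
    return (v["ap_engaged"] and v["alt_captured"]) or v["pilot_override"]


def vec(ap, alt, ovr):
    """Build one test vector as a condition-name -> bool mapping."""
    return dict(zip(CONDITIONS, (ap, alt, ovr)))


def decision_coverage(vectors):
    """Decision coverage: the decision took both outcomes."""
    return {decision(v) for v in vectors} == {True, False}


def condition_coverage(vectors):
    """Condition coverage: every condition took both values."""
    return all({v[c] for v in vectors} == {True, False} for c in CONDITIONS)


def mcdc_pairs(vectors):
    """Unique-cause MC/DC: for each condition, find an independence pair,
    i.e. two vectors that differ only in that condition and whose decision
    outcomes differ. Returns condition -> pair, or None where no pair
    exists, so the gap that blocks Level A credit is visible."""
    pairs = {}
    for c in CONDITIONS:
        pairs[c] = None
        for a, b in product(vectors, repeat=2):
            others_equal = all(a[k] == b[k] for k in CONDITIONS if k != c)
            if a[c] != b[c] and others_equal and decision(a) != decision(b):
                pairs[c] = (a, b)
                break
    return pairs


def mcdc_satisfied(vectors):
    """True only when every condition has an independence pair."""
    return all(p is not None for p in mcdc_pairs(vectors).values())


# Constructed test sets. The first achieves decision coverage with two
# vectors; the second is a minimal (n+1 = 4 vector) MC/DC set.
DECISION_ONLY = [vec(True, True, False), vec(False, False, False)]
MCDC_SET = [vec(True, True, False), vec(False, True, False),
            vec(True, False, False), vec(False, True, True)]

if __name__ == "__main__":
    for name, vs in (("decision-only", DECISION_ONLY), ("MC/DC", MCDC_SET)):
        print(name, "decision:", decision_coverage(vs),
              "condition:", condition_coverage(vs),
              "MC/DC:", mcdc_satisfied(vs))
```

The two-vector set passes decision coverage (enough for the Level C column of slide 20) but never exercises pilot_override, so it fails condition coverage and MC/DC; the four-vector set closes every independence pair, which is the Level A evidence.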
Slide 35: DO-178C & DO-254 For Military
Slide 36: DO-178C for Supplier/Integrator Management for Military
• Examples of Military Aircraft: Which are DO-178?
• Issues & Differences: Military Certification/Concerns
• Supplier Integrator Top Issues/Concerns
Slide 37: Examples
• C-130 & C-17: Many new and reverse-engineering avionics systems, per DO-178B
• F-35: Most avionics systems: DO-178B
• B-1 & B-2: Many new and reverse-engineering avionics systems, per DO-178B
Slide 38: Issues: Software Considerations
• Functionality with no regulatory basis
  • Search & Rescue
    • Dedicated communication radios
  • Coupled flight
    • Dedicated communications radios
    • Autoflight customizations
  • Aerial refueling software
    • Boom control
    • Fuel management
  • Weapons delivery
  • Terrain following or low-level operations
  • “Black” or “Silent” communications/navigation
  • High-performance operations
Slide 39: Issues: Software Considerations
• Differences for Military DO-178C:
  • Less, but different, emphasis on Safety Analysis
  • Less redundancy but harsher operational environments; does Commercial measure up?
  • Agency approval: generally not FAA/EASA
  • All documents reviewed by military/customer; not just PSAC, CI, SAS
Slide 40: Military “Criticality Level” Considerations
• Criticality Level: based upon passenger safety? No.
  • Aircraft safety?
  • Civilian areas?
  • Aircraft protection (anti-missile defense, etc)?
  • Mission success probability?
Slide 41: Special Topic: Cost, Estimation, & Metrics
Slide 42: DO-178C Cost Metrics, Level B (pie chart: CM & QA, DER, Mgmt, Rqmts, Design, Code, Test)
• CM & QA: 10%
• DER Services: 2-3%
• Management: 4-7%
• Rqmts Development: 10%
• Design: 10%
• Code: 25%
• Verification: 35%
What are Primary Cost Drivers?
1. Accurate & Detailed Rqmts
2. Accurate & Thorough Reviews
3. Minimal Code Changes
4. Efficient Testing
Slide 43: Costing for DO-178/254
• Does Cost ($) Matter? Yes!
• Are DO-178 & DO-254 Cheap? No!
• Can DO-178/254 Be Cost-Effective? Yes, but only if done “smart” …
• Remember: “Do you out-run the bear?”
• What are the Top 20 Issues to address for $?
Slide 44: ROI vs DO-178C “Hilderman Perfection Curve” (Not FAA/EASA Approved) (chart plotted against DO-178C’s 71 Objectives)
Slide 45: Top 20 Cost Issues
1. Cert versus Compliance
2. Augmenting existing Plans for DO-178 (5-Key Process Plans)
3. PSAC & SAS
4. Application of DO-254
5. DO-178 Correlation
6. DER Support
7. Formalization of Rqmts & Traceability
8. Automated Functional Test Environment
9. Formalization of Design Methodology
10. Structural Coverage
11. Static Code Analysis
11. Software Test Tool Selection
12. Software Tool Qualification
13. RTOS Considerations
14. BSP Certifiability
15. Previously Existent Software
16. Gap Analysis
17. Reverse Engineering
18. QA Upgrades for DO-178, including Audits
19. CM Tool: ClearCase?
20. Graphics Package/Libraries
Slide 46: Conclusion / Q & A
For Advanced DO-178C Training information, see: http://afuzion.com/avionics-training/workshops/avionics-software-advanced-do-178c-training-class/
For DO-178C Gap Analysis information, see: http://afuzion.com/gap-analysis/
Slide 47: Conclusion / Q & A
Coming in 2017:

