Why is it important & how can it affect your company?

Webinar:Understanding DO-178

www.Aversan.com

2

Agenda

Purpose

About Aversan

Independence

DO-178C Integral Processes

Design Assurance Levels (DAL) & Objectives

Q&A

RTCA DO-178C Software Considerations in Airborne Systems and Equipment Certification states:

The purpose of these documents is to provide guidance for the

production of software for airborne systems that perform their intended

functions with a level of confidence in safety that complies with

airworthiness requirements.

“

”

Purpose of DO-178C

Purpose of DO-178C Cont...

Guidance Includes:

Design Assurance

Objectives

Activities that provide a

means for satisfying these

objectives

Description of the evidence in the

form of software life cycle data

that indicate that the objectives have

been satisfied

Additional considerations (for

example, previously developed

software) that are applicable

to certain applications

System Safety Assessment5

Design Assurance Level (DAL)

The Design Assurance Level (DAL) of a software component is defined by establishing how an

error in a software component relates to the system failure condition(s) and the severity of that

failure condition(s).

The Design Assurance Level establishes

the rigor necessary to demonstrate

compliance with DO-178C

The applicant should establish the

system safety assessment process to

be used based on certification authority

guidance. DO-178C does not describe

how the System Safety Assessment is

performed.

System Safety Assessment6

References

For guidance on the system life cycle processes, refer to the following Aerospace Recommended

Practices (ARPs):

ARP4754 - Guidelines For Development Of Civil Aircraft and Systems

ARP4761 - Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems & Equipment

Functional Hazard Assessment (FHA)

(Preliminary) System Safety Assessment (SSA)

Fault Tree Analysis (FTA)

Failure Mode and Effects Analysis (FMEA)

Design Assurance Level7

Failure Condition Categories

If the anomalous behavior of a

software component contributes to

more than one failure condition, then

the assigned DAL shall correspond

to the most severe failure condition.

Design Assurance Level Failure Condition Category

Level A Catastrophic

Level B

Level C

Hazardous

Major

Level D Minor

Level E No Effect

Failure Condition Categories8

Large, Transport Aircraft

CatastrophicFailure conditions which would result in multiple fatalities, usually with the

loss of the airplane

HazardousFailure conditions which would reduce the capability of the airplane or the

ability of the flight crew to cope with adverse operating conditions to the

extent that there would be:

- A large reduction in safety margins or functional capabilities;

- Physical distress or excessive workload such that the flight crew

…….cannot be relied upon to perform their task accurately or

…….completely, or

- Serious or fatal injury to a relatively small number of the

…….occupants other than the flight crew.

Failure Condition Categories9

Continued

MajorFailure conditions which would reduce the capability of the airplane or the ability

of the flight crew to cope with adverse operating conditions to the extent that

there would be, for example, a significant reduction in safety margins or

functional capabilities, a significant increase in crew workload or in conditions

impairing crew efficiency, or discomfort to the flight crew, or physical distress to

passengers or cabin crew, possibly including injuries.

MinorFailure conditions which would not significantly reduce airplane safety, and which

involve crew actions that are well within their capabilities. Minor failure conditions

may include, for example, a slight reduction in safety margins or functional

capabilities, a slight increase in crew workload, such as routine flight plan changes,

or some physical discomfort to passengers or cabin crew.

No Safety EffectFailure conditions that would have no effect on safety; for example, failure

conditions that would not affect the operational capability of the airplane or

increase crew workload.

Design Assurance Objectives

Design Assurance Level

Design Assurance Level11

Design Assurance Objectives

Test Coverage

DAL A

Source Code (MC/DC)

Object Code that cannot be directly traced to Source Code

DAL B

Source Code (Decision)

Verification Independence

DAL C

Source Code (Statement)

Data and Control Coupling

Low-Level Requirements

DAL D

High-Level Requirements

Tool Qualification12

Overview

• Software Development or Verification Tools are assigned a Tool Qualification Level (TQL) from TQL-1 to TQL-5

(similar to the DAL) that corresponds to the rigor to which the tool must be qualified.

• RTCA DO-330 “Software Tool Qualification Considerations” provides objectives, activities, guidance, and life cycle

data expectations.

• Vendors typically offer a Tool Qualification Package (TQP) meant to satisfy RTCA DO-330 objectives including:

Requirements, Test Procedures, and other life cycle data.

“Qualification of a tool is needed when processes of this document are eliminated,

reduced, or automated by the use of a software tool without its output being verified”

DO-178C States:

Important:

When gathering quotations for tool pricing, be sure to include TQP costs.

DO-178C Integral Processes13

Embedded Systems

Certification Liaison

Establish communication with

certification authority and

provide compliance

substantiation

Software Development

Define a software life cycle,

decompose system requirements,

develop design details , and

implement the integrated solution.

Validation & Verification (V&V)

Provide assurance, detect and

report errors that may have

been introduced during

development process.

Configuration Management (CM)

Ensure each configuration item,

establish baselines, basis, and

processes. Document and

comply with the CM process.

Quality Assurance (QA)

Ensure plans, standards, and

processes are in compliance

with DO-178C. Reviews,

inspections and/or audits.

Start

Overview

DO-178C Integral Processes14

Certification LiaisonThe purpose of the Certification Liaison is to:

Establish communication with the certification authority

- Submit the Plan for Software Aspects of Certification for review.

- Resolve any issues identified by the certification authority.

- Gain agreement on the means of compliance through approval of the plan.

Provide compliance substantiation

- Resolve any issues identified by the certification authority during Stage of

…….Involvement Reviews.

- Submit life cycle data to the certification authority

- At a minimum: Plan for Software Aspects of Certification, Software

…….Configuration Index and Software Accomplishment Summary.

- Make available any other life cycle data or evidence of compliance upon

…….request.

DO-178C Integral Processes15

Embedded Systems

Software DevelopmentDefine a software life cycle with entry/exit transition criteria for each phase

of the life cycle

- Waterfall, V-Model, Prototyping, Reverse-Engineering, etc.

Decompose system requirements into software (including derived)

requirements

Develop design details based on software requirements

- Algorithms, Interface Data, Source Code

Implement the integrated solution with formal build and load control procedures

- Executable object code running on representative hardware (i.e. the target)

DO-178C Integral Processes16

Validation & Verification (V&V)The purpose of Validation is to:

- Provide assurance that the decomposition of system requirements into

…….software requirements (high-level, low-level and derived) is correct and

…….complete.

The purpose of Verification is to:

- Provide assurance that the software implementation meets all of the

…….software (including derived) requirements.

Accomplished by:

- Detect and report errors that may have been introduced during the

…….development process.

- Reviews and Analysis (of Artifacts, Requirements, Design, Code and Tests).

- Normal, Abnormal and Robustness-based testing and simulation.

- Coverage Analysis:

- Requirements-based Testing Coverage Analysis.

- Structural Code Coverage Analysis

DO-178C Integral Processes17

Embedded Systems

Configuration Management (CM)The purpose of Configuration Management is to:

- Ensure each configuration item, (whether document, design data, code, test

…….materials or records of non-compliances) is labeled unambiguously so that a

…….basis is established for control and reference.

- Establish baselines (approved, recorded configured collection of one or more

…….configuration items) of configuration items to establish traceability between

…….configuration items

- Establish a basis for change control and status accounting

- Establish the process and activities for archive, retrieval and load control

Accomplished by:

- Documenting and complying with the CM process, accounting for the

…….defined control categories

- CC1 = Baseline, Impact Analysis, & Change Authorization

- CC2 = Identify & Archive

DO-178C Integral Processes18

Embedded Systems

Quality Assurance (QM)The purpose of Quality Assurance is to:

- Ensure that the plans, standards, life cycle processes/transition criteria and

…….artifacts produced by the development effort are in compliance with DO-178C.

- Conduct a conformity review of the software product

Accomplished by:

- Reviews, inspections and/or audits of:

- Plans and Standards

- Life cycle data, processes and transition criteria, ensuring compliance

…………with DO-178C and with the approved plans and standards

- Non compliances or deviations (both current and past), ensuring such

…………items are evaluated and recorded

- Build and load procedures

Independence19

The separation of responsibilities which ensures objective evaluation.

3rd Party

Refers to intellectual independence, such as another individual, not departmental or corporate

independence.

What is it?

For Quality Assurance, independence is achieved by

ensuring that the reviewer of process compliance is

someone or something other than those that

performed the process.(Including the authority to ensure corrective action.)

For Validation and Verification, independence is

achieved by ensuring that the reviewer of the

technical correctness of the data is someone or

something other than the developer of the data.

Important:

About Aversan

Offices

Aversan is a privately-held

Canadian company based out of

Mississauga, Ontario.

Staff

We have over 200 skilled

employees and are qualified as an

ITB SME.

Certified & Registered

Aversan is AS9100C and

ISO9001:2008 Certified. We are

also CGP, ITAR and JCP

Registered.

Experienced

Programs such as the A350

XWB/A380, F-35, F-22, Boeing

777/787/747, Embraer 450,

& many more.

Embedded System (SW & HW) Staff Augmentation IV&V Training & Consulting

Any Questions? Email bd@aversan.com

Thank You

www.Aversan.com

Address30 Eglinton Ave. West, Suite 500

Mississauga, ON Canada L5R 3E7

Phone416.289.1554

E-mail

bd@aversan.com

Website

www.aversan.com

Fax

416.289.1554

Contact Us22

Keep in touch