What Is DO-178C/ED-12C Compliance?
DO-178C, Software Considerations in Airborne Systems and Equipment Certification, is the principal certification document used by certification agencies including the Federal Aviation Administration (FAA), European Union Aviation Safety Agency (EASA), and Transport Canada to review and approve all commercial software-based aerospace systems submitted for their approval process. It is the standard that directs software certification for airborne systems for the commercial segment. (Its ramifications for military aerospace will be covered below.)
The document is published by RTCA (originally known as the Radio Technical Commission for Aeronautics) via a joint effort with European Organisation for Civil Aviation Equipment (EUROCAE) and replaces the previous version, DO-178B. ED-12C, the updated version of ED-12B, is the EUROCAE release of DO-178C. In November 2011, DO-178C/ED-12C was completed; the RTCA approved it in December of the same year. The joint contribution of RTCA and EUROCAE to DO-178C/ED-12C resulted in its joint designation.
DO-178C in the Avionics Industry
For the avionics industry, DO-178C provides important, detailed guidance for developing airborne software systems to ensure that these systems perform their intended function with a high level of reliability.
In the United States, the FAA, as part of its aerospace industry safety certification processes, uses DO-178C for software and RTCA DO-254 for complex electronic hardware.
DO-178C in the Military Aerospace Industry
The DO-178C standard must also be met within the military aerospace industry, with the following differences:
DO-178C demonstrates compliance with the applicable airworthiness regulations for the software components of airborne systems and equipment.
- While emphasis on safety analysis remains, the military version focuses more heavily on mission success probability (MSP).
- There is focus on harsher operational environments.
- There is also focus on the many onboard mission systems with only DO-178C flight-safety impact needed for mission success.
- The emphasis is on DO-178 “Military Compliance” versus DO-178C “Certification.”
- In most cases the target for approval is a military agency rather than the FAA or EASA (European Union Aviation Safety Agency).
- The military/customer receives and reviews all documents, not just the Plan for Software Aspects of Certification (PSAC) and Safety Assurance System (SAS).
RTCA/EUROCAE Certification Bodies
As outlined by the RTCA, “RTCA Special Committees leverage the top and brightest experts in the aviation community to create recommendations. RTCA works with the Federal Aviation Administration (FAA) to develop comprehensive, industry-vetted and endorsed standards that can be used as means of compliance with FAA regulations.”
The Special Committees developed a series of documents: Safety Performance Requirements (SPR), Operational Services and Environment Definitions (OSED), Interoperability Requirements (INTEROP), Minimum Aviation System Performance Standards (MASPS), and Minimum Operational Performance Standards (MOPS), as well as other reports and guidelines. These documents guide the certification of new equipment and impact the competitive market for their use.
In Europe, EUROCAE leads in the development of globally recognized aviation industry standards. Drawing on the expertise of its members, EUROCAE creates operational, development, and regulatory standards that are designed for international adoption.
The RTCA/EUROCAE joint committee work was divided into seven subgroups:
- SG1: SCWG Document Integration
- SG2: Issues and Rationale
- SG3: Tool Qualification
- SG4: Model-Based Development and Verification
- SG5: Object-Oriented Technology
- SG6: Formal Methods
- SG7: Safety-Related Considerations
DO-178 Development Assurance Levels
A major provision of DO-178C is the definition of Design Assurance Levels (DALs), which indicate the consequences of potential software failure to the system as a whole. The failure conditions are categorized by their effects on the aircraft, crew, and passengers. There are five DALs, determined from the system safety assessment process and hazard analysis.
Each DAL has stated objectives that must be satisfied. Some must be satisfied “with independence,” meaning that the person who verifies the requirement or source code cannot be the same person who wrote it. This separation of responsibilities must be clearly documented in the evidence provided.
| Level | Failure condition | Effect of software failure |
| --- | --- | --- |
| A | Catastrophic | Failure may result in deaths and loss of the aircraft. |
| B | Hazardous | Failure creates a major negative impact on safety or performance or reduces the aircraft crew's ability to operate the aircraft. This can result in serious or fatal injuries. |
| C | Major | Failure causes a significant reduction of the safety margin or a significant increase in aircraft crew workload. Passenger discomfort or minor injuries can result. |
| D | Minor | Failure slightly reduces the margin of safety or causes a slight increase in aircraft crew workload. Results can include passenger inconvenience or changes to a routine flight plan. |
| E | No effect | Failure has no impact on safety, crew workload, or operation of the aircraft. |
Differences Between DO-178B and DO-178C
DO-178C/ED-12C was developed to address issues and errors and to use advanced software technologies to improve DO-178B/ED-12B. A comparison of DO-178C/ED-12C vs. DO-178B/ED-12B reveals seven major differences over seven different areas:
| Area | Difference |
| --- | --- |
| Errors and inconsistencies | Known errors and inconsistencies in DO-178B/ED-12B were resolved. |
| | Wording changes were made to DO-178C for precision and to correct inconsistencies. |
| | The glossary in DO-178C was updated to make terminology more consistent. |
| Objectives and activities | Objectives and activities were refined in DO-178C. |
| | A new programming paradigm was added, as were software development techniques including object-oriented technology and model-based development and verification. |
| | Parameter Data Item (PDI) files and their verification processes were included. |
| | The definition of modified condition/decision coverage (MC/DC) was updated. |
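MC/DC, whose definition the table above notes was updated, is the structural coverage criterion that requires every condition in a decision to be shown to independently affect the decision's outcome. The following is an added example, not code from the page or from Wind River, that checks a set of test vectors for unique-cause MC/DC against a constructed three-condition decision and contrasts it with plain decision coverage; the decision `permitted`, the condition names and the test vectors are all constructed for illustration.

```python
"""Unique-cause MC/DC evaluation over a set of test vectors.

Added example, not from the page. MC/DC requires that each condition in a
decision be shown to independently affect the decision outcome: for every
condition there must be two test cases that differ only in that condition
and produce different decision results. The sample decision and vectors
below are constructed for illustration.
"""
from itertools import combinations
from typing import Callable, Dict, List, Sequence, Set, Tuple

Vector = Dict[str, bool]
Decision = Callable[..., bool]


def decision_coverage(decision: Decision, tests: Sequence[Vector]) -> bool:
    """Weaker criterion: the decision has evaluated to both True and False."""
    outcomes = {decision(**t) for t in tests}
    return outcomes == {True, False}


def independence_pairs(decision: Decision, conditions: Sequence[str],
                       tests: Sequence[Vector]) -> Dict[str, List[Tuple[int, int]]]:
    """Map each condition to the test-index pairs that demonstrate its independent effect.

    A pair (i, j) counts for condition c when tests[i] and tests[j] differ in c
    and in no other condition, and the decision outcome differs between them.
    """
    outcomes = [decision(**t) for t in tests]
    pairs: Dict[str, List[Tuple[int, int]]] = {c: [] for c in conditions}
    for i, j in combinations(range(len(tests)), 2):
        differing = [c for c in conditions if tests[i][c] != tests[j][c]]
        if len(differing) == 1 and outcomes[i] != outcomes[j]:
            pairs[differing[0]].append((i, j))
    return pairs


def mcdc_uncovered(decision: Decision, conditions: Sequence[str],
                   tests: Sequence[Vector]) -> Set[str]:
    """Conditions no test pair demonstrates; an empty set means MC/DC is met."""
    pairs = independence_pairs(decision, conditions, tests)
    return {c for c, p in pairs.items() if not p}


# Constructed sample decision (illustrative only, not real avionics logic):
# an action is permitted when 'armed' is set and at least one of two enabling
# conditions holds. Three conditions, so MC/DC needs at least four tests.
CONDITIONS = ["armed", "enable_a", "enable_b"]


def permitted(armed: bool, enable_a: bool, enable_b: bool) -> bool:
    return armed and (enable_a or enable_b)


# Constructed test vectors.
MINIMAL_MCDC_SET: List[Vector] = [
    {"armed": True,  "enable_a": True,  "enable_b": False},  # True
    {"armed": False, "enable_a": True,  "enable_b": False},  # False: shows 'armed'
    {"armed": True,  "enable_a": False, "enable_b": False},  # False: shows 'enable_a'
    {"armed": True,  "enable_a": False, "enable_b": True},   # True:  shows 'enable_b'
]
# Dropping the last vector still gives decision coverage (both outcomes seen)
# but leaves 'enable_b' undemonstrated, the gap MC/DC exists to catch.
DECISION_ONLY_SET: List[Vector] = MINIMAL_MCDC_SET[:3]

if __name__ == "__main__":
    for name, tests in (("MC/DC set", MINIMAL_MCDC_SET),
                        ("decision-only set", DECISION_ONLY_SET)):
        print(name, "| decision coverage:", decision_coverage(permitted, tests),
              "| MC/DC uncovered:", mcdc_uncovered(permitted, CONDITIONS, tests))
```

The pair search is the core of the criterion: a pair of vectors that differ in two conditions at once proves nothing about either, which is why the three-vector set satisfies decision coverage yet fails MC/DC for `enable_b`.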
DO-178C Processes and Documents
Safety assessment processes are meant to support the fundamental objectives stated for DALs A through D (level E does not require the same level of documentation). Planners of a real project are responsible for defining and documenting the specific details and activities of their processes. During project work, every activity completed in each process must be tied to a demonstration of how it supports the objectives.
The objective-based character of DO-178C supports flexibility in following different software lifecycle styles. Once an activity is defined within a process, however, the project must respect that activity. All processes and their concrete activities must have well-defined entry and exit criteria, and documentation must reveal how the project adhered to those criteria.
DO-178C Project Planning Process
To successfully achieve DO-178C certification, it is important to put into place a development project planning process. The five main process plans are outlined below.
PSAC: Plan for Software Aspects of Certification
The Plan for Software Aspects of Certification (PSAC) summarizes how the software engineering team for the system project will meet DO-178C requirements and the roles for FAA and EASA certification.
SDP: Software Development Plan
The Software Development Plan (SDP) details the developers’ plans for software development, specifically outlining how they will execute software requirements, design, code, and integration. The plan must also describe the use of any associated tools needed to meet and monitor DO-178C development objectives.
SVP: Software Verification Plan
The Software Verification Plan (SVP) outlines the activities for review, test, and analysis, along with any necessary linked verification tools.
SCMP: Software Configuration Management Plan
The Software Configuration Management Plan (SCMP) details how DO-178C change management and baseline and storage objectives will be performed for the project.
SQAP: Software Quality Assurance Plan
The Software Quality Assurance Plan (SQAP) outlines how the project’s quality assurance objectives for DO-178C will be met.
How Can Wind River Help?
With more than 40 years helping the world’s leading technology companies power generation after generation of the safest, most secure devices in the world, Wind River® has extensive experience in meeting the safety-critical standards of numerous crucial sectors, including flight safety (DO-178C DAL A).
Functional Safety Certifiable Software
VxWorks®, the world's leading real-time operating system (RTOS), has an extensive safety certification history, including 600+ programs across more than 360 individual customers. Its robust safety features provide advanced time and space partitioning capabilities to enable reliable consolidation of multiple applications with different levels of criticality on a single- or multi-core platform. Conformance to standards such as POSIX® and FACE™ has been leveraged in the certification of VxWorks to the DO-178C, IEC 61508, IEC 62304, and ISO 26262 safety standards.
VxWorks is certified for DO-178C, IEC 61508, IEC 62304, and ISO 26262 safety standards.
VxWorks 653 Multi-core Edition
VxWorks 653 Multi-core Edition is a safe, secure, and reliable RTOS. It delivers an ARINC 653–conformant system by providing robust time and space partitioning on the latest hardware platforms to ensure fault containment and the ability to upgrade applications with minimal test and integration demands.
Wind River Helix Virtualization Platform
Wind River Helix™ Virtualization Platform has been designed to simplify the certification of safety-critical applications according to the stringent requirements of DO-178C, IEC 61508, and ISO 26262 safety standards.
Wind River Professional Services
Wind River Professional Services offers safety-critical expertise, with years of experience in supporting certification planning, processes, and implementation. Contact Professional Services to discuss support for your certification efforts.