Processes are described as abstract areas of work in DO-178B, and it is up to the planners of a real project to define and document the specifics of how a process will be carried out. On a real project, the actual activities that will be done in the context of a process must be shown to support the objectives. These activities are defined by the project planners as part of the Planning process. This objective-based nature of DO-178B allows a great deal of flexibility in regard to following different styles of software life cycle. Once an activity within a process has been defined, it is generally expected that the project respect that documented activity within its process. Furthermore, processes and their concrete activities must have well-defined entry and exit criteria, according to DO-178B, and a project must show that it is respecting those criteria as it performs the activities in the process.
Published (Last): 20 August 2015
The objectives include: developing and providing the data for development of educational material; providing the rationale behind the guidance for people new to the commercial certification environment; and clarifying the intent and application of DO-178B. The derivation of the software approval guidelines from the Federal Aviation Regulations (FARs) to DO-178B is discussed to clarify its relationship to the government regulations. An explanation of the Designated Engineering Representative (DER) system is also provided, along with a discussion of the safety process, to describe the environment in which DO-178B is used.
The evolution of the avionics industry that led eventually to DO-178B is included as part of the background behind the rationale of DO-178B. The key aspects of each version, from the original version to DO-178B, provide insight into the rationale for the inclusion and further development of the content. In addition, there are special considerations in using DO-178B concerning its current guidance for systems, and highlights of the problem areas for those from a military culture. As the industry moves to use of commercial off-the-shelf (COTS) components, the incentive is greater to reconcile the differences between military standards and commercial standards.
Trustworthiness of software is an absolute concept independent of the verification process used. Introduction: The avionics industry has had the challenge of having to adapt quickly to the fast changing technology of real-time embedded software.
Along with that, many have entered the commercial avionics market and stumbled into a part of the government called the Federal Aviation Administration (FAA), requiring certification by the FAA or their designee. For foreign markets, avionics must also be certified by other regulatory agencies.
Certification means that the software aspects of a system must be assured to be safe and airworthy. That is, they must be developed as defined by the software certification guidelines to the level of rigor and discipline required by their criticality level, as determined by a functional hazard assessment.
Many long-standing members of the commercial avionics field are experiencing demands for explanation and assistance. ED-12B is the European version of the same document, DO-178B. Some questions concern its intent and meaning, but most question the need to really do what it says and the justifying rationale.
The evolution of the content of DO-178B is best known by those long in the field, but the demand is greater than their numbers. The industry group responsible for DO-178B is now facing this dilemma. Therefore, the intention of this paper is to document the key aspects of the environment and history of DO-178B to increase the perspective. Other airworthiness authorities have similar means of recognizing either DO-178B or ED-12B as a means of showing compliance to the regulations. Paragraph (a) introduces the concept of intended function.
Subchapter covers the requirements for equipment, systems and installations. All systems, including real-time embedded systems, must comply with this portion of the regulations. Software approval guidance derives directly from paragraphs (a) and (b). Paragraph (a) states that items coming under this regulation must be designed to ensure they perform their intended functions under any foreseeable operating condition. The last applicable paragraph, (b), indicates that the aircraft systems and associated components are to be considered separately and in relationship to other systems.
These systems and components must be designed so that the occurrence of any failure condition which would prevent continued safe flight and landing of the aircraft is extremely improbable. In addition, they must be designed so that the occurrence of any other failure condition which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable. Industry practice in complying with this chapter then results in a safety assessment for the aircraft and each system.
These definitions are further expanded in AC . This includes FAR parts 21, 23, 25, 27, 29, and . They will explicitly reference DO-178B if they include software approval.
TSOs are what can be considered "off-the-shelf" systems, once they have been approved by the FAA - to a point. TSOs do not mean a part is approved for installation. For example, when a TSO requires DO-178B compliance, the airframe manufacturer may accept the software approval without further evaluation or substantiation to the FAA.
However, an installation certification is still required, which could include the full software certification where the TSO(s) for the system did not explicitly reference DO-178B. New FAA regulations undergo a process of public review and comment prior to acceptance for use. New rules may require evaluations that were not required by the TSO.
In any case, the part will have to be evaluated against the new regulations to show compliance, which may require further work. The qualifications on the applicability of a TSO for a given installation can be frustrating. It could be as simple as a commercial off-the-shelf (COTS) part, or as difficult as the effort required to gain FAA approval for an original submittal. Additionally, COTS items may have extra functionality which is unused in a given installation.
This would have to be addressed in a certification program. Commercial Certification Safety Process: The FAA charter has been to foster and promote civil aviation, by promulgating and enforcing the safety regulations.
Their priority is for continued operational safety, improved regulations and policy, and to certify additional airplanes and aircraft types.
The safety process begins with aircraft level design decisions as a part of an overall airplane safety strategy.
The safety process requires an aircraft level assessment of function and hazard. The requirements for the functions and compensation for the associated hazards are distributed throughout the aircraft systems and architecture for each lower level of design refinement.
Ultimately, at a system level, the functional hazard assessment systematically defines each hazard and classifies its hazard level. A probability analysis is done with respect to the system architecture and adjustments to the design are made, as appropriate. This is also called a fault-tree analysis.
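The probability analysis and fault-tree step described above can be illustrated with a small evaluator. The following is an added example, not code from the paper or from any certification authority: it evaluates a tree of AND/OR gates over independent basic events, lists the minimal cut sets so that single points of failure stand out, and compares the top-event probability against a budget supplied by the caller. The dual-channel display, the event names, and the per-flight-hour probabilities are constructed for illustration; no numeric thresholds from the regulations are assumed.

```python
# Added example (not from the paper): a small fault-tree evaluator showing the
# probability analysis and cut-set inspection the safety process performs.
# Basic-event probabilities below are constructed for illustration only.
from dataclasses import dataclass, field
from itertools import product
from typing import List, Union


@dataclass
class BasicEvent:
    name: str
    prob: float  # probability of the event per flight hour (constructed value)


@dataclass
class Gate:
    name: str
    kind: str  # "AND" (all inputs must occur) or "OR" (any input suffices)
    inputs: List[Union["BasicEvent", "Gate"]] = field(default_factory=list)


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Probability of the event at this node, assuming independent basic events."""
    if isinstance(node, BasicEvent):
        return node.prob
    probs = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in probs:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node: Node) -> List[frozenset]:
    """Minimal cut sets: the smallest combinations of basic events that cause
    the node's event. A single-element cut set is a single point of failure."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        candidates = [s for sets in child_sets for s in sets]
    else:  # AND: every input must fail, so combine one cut set from each input
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    # Keep only candidates that do not strictly contain another candidate.
    minimal = [c for c in candidates if not any(o < c for o in candidates)]
    return sorted(set(minimal), key=lambda s: (len(s), sorted(s)))


def single_points_of_failure(node: Node) -> List[str]:
    """Basic events that alone cause the node's event."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)


def within_budget(node: Node, budget: float) -> bool:
    """Compare the computed probability against a numeric budget chosen by the
    safety assessment; the budget value itself is not part of this example."""
    return probability(node) <= budget


# Constructed system: a dual-channel display that is lost if both channels
# fail or if a power supply shared by both channels fails.
CHANNEL_A = BasicEvent("channel_A_fails", 1e-4)
CHANNEL_B = BasicEvent("channel_B_fails", 1e-4)
SHARED_POWER = BasicEvent("shared_power_fails", 1e-7)
LOSS_OF_DISPLAY = Gate("loss_of_display", "OR", [
    Gate("both_channels_fail", "AND", [CHANNEL_A, CHANNEL_B]),
    SHARED_POWER,
])

if __name__ == "__main__":
    print(f"P(loss of display) = {probability(LOSS_OF_DISPLAY):.3e}")
    print("minimal cut sets:", [sorted(s) for s in cut_sets(LOSS_OF_DISPLAY)])
    print("single points of failure:", single_points_of_failure(LOSS_OF_DISPLAY))
```

With the constructed numbers the redundant channels contribute 1e-8 while the shared power supply contributes 1e-7, and the cut-set listing names the shared supply as the single point of failure; this is the kind of finding that drives the design adjustments the text mentions.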
At the same time, the system is examined for availability. This means that the need for the system to remain operational in flight (availability for dispatch) is assessed. The software criticality is next defined, based on the failure condition classification for that part of the system. However, determining software criticality is currently not straightforward.
It may be done on a case-by-case basis via FAA ruling until the FAA internally defines consistent practice using three documents. Current practice in this area is now in transition and is using SAE Aerospace Recommended Practice ARP  and , dealing with complex systems and determination of assurance, respectively.
SC will be equivalent to DO-178B, but for complex hardware aspects. It is expected to be released in . During the development of a system, DERs assess and establish appropriate engineering processes and analyze the design relative to the certification requirements. They are required to have direct personal understanding of the development of a system and are the on-site safety officers.
DERs either directly approve or recommend approval for the development artifacts as a representative of the FAA. Ultimately, all systems are submitted to the FAA for approval, leading to the approval of the installations and functions of the systems on an aircraft.
For software DERs, there is an additional approval qualification for each safety criticality level based on experience, while providing a direct participant in the life cycle process described by DO-178B. DO-178: In its infancy stage, software was recognized as a creative human product.
In the avionics industry, it was used to extend and modify the capabilities of mechanical and analog systems in a manner much simpler than redesigning or modifying the hardware components. It was seen as an aid to inexpensive modification and functional extension of an originally inflexible all-hardware design.
Alternate knowledge and methods were necessary to establish equivalent integrity to deal with design errors rather than component failures. It became necessary to establish a uniform, consistent definition of criteria for substantiating evidence for the absence of critical design errors, answering the following questions: How was it known that the testing was comprehensive and complete?
How was it known that the system requirements were comprehensive and complete? How was it known that the software requirements were comprehensive and complete and interpreted the system requirement accurately?
How do we provide proof that a design or implementation error, which may be present, cannot produce a safety critical situation? Verification and validation became new terms. Verification provided the proof that a system was built to the requirements and validation established that the requirements were complete and correct.
These criteria require that the software be produced using the "best known" practice, minimizing or removing the risk of a malfunction or failure. This gave birth to DO-178. This was an alternative means for software design integrity from the classical statistical method of determining system integrity. It was created to identify and document the "best known" software practices supporting the certification of software-based equipment and systems, thus providing a basis for software certification approval.
DO-178 was written at a conceptual level. Compliance was done by meeting its "intent." A system could be categorized as critical, essential or non-essential. DO-178 also established the need for a certification plan that included software aspects and any special requirements, called special conditions.
This has not been done explicitly in the later revisions of DO-178. It also established the interface with system validation. This interface was covered in Revision A with less clarity, and dropped for Revision B. DO-178A: Its purpose was to reflect the regulatory and industry experiences gained and to consider adding additional guidance for other applications as appropriate.
Further, it was to: establish techniques and methods for orderly software development; and state that the intent of the application of the techniques was to result in documented software that is traceable, testable, and maintainable, and thereby meet the certification requirements. This was to assure the absence of critical software errors. These categories were defined to be critical, essential or non-essential, and the corresponding software levels were called levels 1, 2, and 3, respectively.
This allowed for a variance between the software level and criticality category inferring a level of assurance effort with adjustment according to the system design and implementation techniques. Software development processes were described in a more systematic and structured manner.
The verification process requirements (implementation correctness) included distinctions in effort required by software level. DO-178A incorporated the objective of achieving equivalent confidence in a re-certification as was obtained originally.
Additional material was added to define requirements for follow-on certifications of a product. Strengths and weaknesses of DO-178A soon became apparent. Literal interpretation, particularly of diagrams, was a problem. Also, necessary certification submittal items were frequently contended, despite the fact that they were subject to negotiation with the regulatory agencies and could vary between agencies.
Compliance with DO-178C & DO-178B
[Figure: traceability diagram. Red traces are required only for Level A; purple traces are required for Levels A, B, and C; Level E does not require any tracing.]
DO-178 requires a documented connection, called a trace, between the certification artifacts. A traceability analysis is then used to ensure that each requirement is fulfilled by the source code, that each requirement is tested, that each line of source code has a purpose (is connected to a requirement), and so forth. Traceability ensures the system is complete.
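The traceability analysis just described checks the trace links in both directions: requirement to code, requirement to test, and code back to requirement. The following is an added example, not code from the page or from any certification tool: it runs that bidirectional check over a constructed set of artifacts and reports each kind of gap. The requirement IDs, source units, and test case IDs are invented for illustration.

```python
# Added example (not from the page): a bidirectional traceability check over
# constructed certification artifacts. All identifiers below are invented.
from typing import Dict, List

# Constructed sample data: requirement ID -> requirement text
REQUIREMENTS: Dict[str, str] = {
    "REQ-1": "Compute barometric altitude from static pressure",
    "REQ-2": "Reject static pressure readings outside the valid range",
    "REQ-3": "Raise a fault flag when the sensor reading is stale",
}

# Constructed: source unit -> requirements it implements (empty = untraced code)
CODE_TO_REQ: Dict[str, List[str]] = {
    "alt_filter.c:compute_altitude": ["REQ-1"],
    "alt_filter.c:check_pressure_range": ["REQ-2"],
    "alt_filter.c:legacy_smoothing": [],
}

# Constructed: test case -> requirements it verifies
TESTS_TO_REQ: Dict[str, List[str]] = {
    "TC-01": ["REQ-1"],
    "TC-02": ["REQ-1", "REQ-2"],
    "TC-03": ["REQ-9"],
}


def trace_gaps(requirements: Dict[str, str],
               code_to_req: Dict[str, List[str]],
               tests_to_req: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return every traceability gap, grouped by the direction that is broken."""
    implemented = {r for reqs in code_to_req.values() for r in reqs}
    tested = {r for reqs in tests_to_req.values() for r in reqs}
    return {
        # requirement -> code: every requirement must be implemented somewhere
        "unimplemented": sorted(r for r in requirements if r not in implemented),
        # requirement -> test: every requirement must be verified by a test
        "untested": sorted(r for r in requirements if r not in tested),
        # code -> requirement: source with no requirement is dead or undocumented
        "orphan_code": sorted(u for u, reqs in code_to_req.items() if not reqs),
        # code or tests citing a requirement that the requirement set lacks
        "dangling_refs": sorted((implemented | tested) - set(requirements)),
    }


def is_complete(gaps: Dict[str, List[str]]) -> bool:
    """Traceability is complete only when no gap list has entries."""
    return not any(gaps.values())


def report(gaps: Dict[str, List[str]]) -> str:
    return "\n".join(
        f"{kind}: {', '.join(items) if items else 'none'}"
        for kind, items in gaps.items()
    )


if __name__ == "__main__":
    found = trace_gaps(REQUIREMENTS, CODE_TO_REQ, TESTS_TO_REQ)
    print(report(found))
    print("traceability complete:", is_complete(found))
```

On the constructed data the check reports REQ-3 as both unimplemented and untested, flags legacy_smoothing as code with no requirement, and flags TC-03 for citing REQ-9, which the requirement set does not contain; each of these is a finding that a traceability review would have to resolve before the artifacts are submitted.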
Airborne Software Certification Explained
The core document is substantially the same as DO-178B, with a number of clarifications and a few minor corrections. The major change is the inclusion of several supplements. One supplement deals with tool qualification, and three others adapt the core document guidance when specific technologies are used: Model-Based Development, Object-Oriented Techniques, and Formal Methods. The purpose of this document is to provide guidelines for the production of software for airborne systems and equipment that performs its intended function with a level of confidence in safety that complies with airworthiness requirements. The guidelines are in the form of: objectives of software life cycle processes; descriptions of activities and design considerations for achieving these objectives; and descriptions of the evidence that indicates that the objectives have been satisfied. The document discusses those aspects of airworthiness certification that pertain to the production of software for airborne systems and equipment used on aircraft or engines.
AC 20-171 - Alternatives to RTCA/DO-178B for Software in Airborne Systems and Equipment
The failure conditions are categorized by their effects on the aircraft, crew, and passengers. Catastrophic — failure may cause a crash; error or loss of a critical function required to safely fly and land the aircraft. Hazardous — failure has a large negative impact on safety or performance, reduces the ability of the crew to operate the aircraft due to physical distress or a higher workload, or causes serious or fatal injuries among the passengers. Major (safety-significant) — failure is significant, but has a lesser impact than a Hazardous failure (for example, leads to passenger discomfort rather than injuries, or significantly increases crew workload). Minor (safety-related) — failure is noticeable, but has a lesser impact than a Major failure (for example, causing passenger inconvenience or a routine flight plan change). No Effect — failure has no impact on safety, aircraft operation, or crew workload. DO-178B alone is not intended to guarantee software safety aspects. Safety attributes in the design, implemented as functionality, must receive additional mandatory system safety tasks to drive and show objective evidence of meeting explicit safety requirements.