DO-178C: Software for NextGen Avionics, UAVs and More
Developing software that can be certified and used for critical functions in today’s aircraft is an extremely difficult task, with engineers continually facing challenges related to cost, schedule, risk, defects, and other factors. Avionics talks to industry experts about how standards, documents, supplements, and verification and validation efforts based on safety-critical software developed for avionics systems are expanding into new areas.
While DO-178C was published in 2012, with an Advisory Circular (AC) following in 2013, it continues to breathe life into the software development, coding, verification, configuration management, quality assurance, and liaison process of engineers creating software — and not only for airliners and business aircraft.
Even software in the autonomous cars, beyond-line-of-sight unmanned aerial vehicles, and spacecraft of 2017 and beyond is using that document (based on software foundational thinking of 1982), mainly as a best-practices guide. After all, airborne software is one of the vital elements in the safety-critical structure of airborne technologies and components that carry passengers under civil aviation rules.
After the initial document was published in 1982, it was updated twice over the next 12 years, to DO-178A and DO-178B. The latter established five levels of specified objectives, activities, and evidence for airborne software. Although DO-178C is not so different from -178B at its core and overall framework, experts say, understanding is still becoming normalized in the industry as the document is picked up by a new generation of aerospace engineers all over the world.
“DO-178C, the core document, is very similar to DO-178B. All of the changes are clarifications, but if you stick to the core document the changes are somewhat minimal. It’s not very difficult to go from developing software under DO-178B to DO-178C, if you do not have to use any of the supplements,” says Cyrille Comar.
Cofounder and managing director of AdaCore Europe, Comar was involved in the original RTCA Special Committee 205 that defined DO-178C. He says that document and its supporting supplements just started becoming more accepted and normalized in the industry in recent years as Designated Engineering Representatives (DERs) and experts handling avionics software development have become more experienced with them.
“If you’re writing code for avionics software on new platforms, DO-178C is mandatory,” says Comar. “You cannot use DO-178B anymore. New programs and projects require you to follow DO-178C.”
Development, Testing, Reducing Costs
Developing, testing, verifying, validating, and ultimately achieving certification on safety-critical airborne software make up one of the most expensive costs incurred every year by avionics companies. One of the main factors that increases costs is avionics systems’ traditional use of custom software to communicate between different applications and subsystems, like radars, displays, communication, and mission computers.
The process required to create the software and compile the necessary certification evidence can take months or years and cost on the order of $100 per line of code in some cases, according to Real-Time Innovations, an Industrial Internet of Things connectivity platform company that claims to have introduced the first Data Distribution Service (DDS) standard to complete a DO-178C Design Assurance Level (DAL) A certification evidence package and be placed into a production platform.
“A critical issue for airborne software development teams and companies is shortening the development cycle and development cost of adding features to software,” says RTCA Program Director Rebecca Morrison. She is a former systems engineer and technical project manager at Rockwell Collins who has industry experience developing new technologies based on DO-178B, DO-254 and many other safety-critical standards.
Morrison says a key to controlling costs is the ability to change configuration files independently from core software processes and to demonstrate that independence so all of the software doesn’t have to be tested from the beginning. One of the biggest costs is re-testing all the software. If developers can show that service-bulletin changes can be made independently to different pieces of software, for instance, that will allow new developments to enter the cockpit faster, she says.
“The practice of testing pieces of software in isolation and relying on system testing to verify the correct intended functionality of the fully integrated software no longer has to be accepted by any certification authority,” says Tim Stockton, president and CEO of CERTON, a Melbourne, Florida-based provider of internally developed tools, processes, and exclusive technology for streamlining approvals of safety-critical systems, software, and complex hardware for aerospace companies.
Stockton says in the past many customers have relied on trying to reuse legacy requirements, code, tools, and test environments instead of evaluating how they can significantly improve their current workflow, overall efficiency, quality, and, ultimately, the safety of their increasingly complex designs when approaching the development of safety-critical airborne software.
“One of the biggest challenges we see with any safety-critical product development effort is what I refer to as the ‘great divide’ between management, systems, software, and validation and verification engineering teams,” says Stockton.
COTS, Standards, and the Future
Demand for safety-certifiable, Commercial-Off-The-Shelf (COTS) hardware and software is increasing throughout the air transportation industry, as most advanced cockpits require increased complexity in software that is considered safety-critical. In the U.S., such software must be certified to DO-178C DAL A (and ED-80 in Europe for EASA-certified software and hardware). As that has become the new norm, avionics software developers are increasingly looking at COTS-based Real Time Operating Systems and Agile Methods, among other commercial software trends that are slowly gaining traction in the industry.
One of the biggest recent examples of COTS elements, components, methods, and tools being introduced to safety-critical airborne software development was the announcement of the availability of the OpenGL SC Application Programming Interface (API) 2.0 specification. This applies to programmable graphics for systems that require system safety certification, such as commercial and military avionics. Launched by the Khronos Group consortium during Aviation Electronics Europe last year, the OpenGL SC 2.0 is a subset of OpenGL ES 2.0 that includes GLSL-based programmable shaders to enable enhanced graphics functionality, with increased performance and reduced power. The use of these shaders can help the display and presentation of flight path symbology and information to pilots.
Core Avionics & Industrial Inc. (CoreAVI) and Airbus Defense and Space Electronics and Border Security (EBS) used CoreAVI’s OpenGL SC graphics driver with a DO-178C certification package on the SFERION Mission System, which provides 3-D visual cues to pilots for takeoffs, low-level flight and for landing in degraded visual environments.
Best Practices and Training
Training for best practices in DO-178C is in high demand. Students from all over the world, for example, travel to Washington D.C. for three-day courses on DO-178C taught at RTCA headquarters by expert instructors from Mitre.
“A few students have come to our course out of basic curiosity or preparedness for the future, but the large majority are embarking on a new project that requires complying with the DO-178C standard,” says Kent Hollinger. “This compliance might be required by the governmental certification authority, civil or military, or contractually by a customer who seeks to obtain higher assurance that the software will meet its intended function.”
A principal engineer at Mitre who has experience in executive engineering positions with commercial airlines, Hollinger has taught the DO-178C course since its inception in 2012. He says that while DO-178C was developed as considerations for airborne software, any technology that contains software can benefit from a formal documented process to gain increased assurance that the software will fully perform its intended function, and only its intended functions.
The course covers the entire standard and is thus appropriate for students who have never worked with such a standard before, as well as students who have worked with previous revisions. It teaches what is required to show compliance with the standard by meeting all applicable objectives, through a set of planned activities that produce evidence of completion. Topics include system aspects relating to software development, software life-cycle data and processes for software planning, development, verification, configuration management, quality assurance, and certification liaison, according to Hollinger and John Charles Angermayer. Angermayer is a lead multi-disciplinary systems development and software engineer with 37 years of experience in software development and project management. He has worked at Mitre’s Center for Advanced Aviation System Development since 1998.
“Many students come from industries other than aviation because they see the benefit in obtaining a documented level of confidence in correct software design and implementation for their own applications,” says Angermayer. He added that past students have come from U.S. and foreign civil certification authorities (covering air and ground systems), military offices involved with air and sea systems, airplane and helicopter OEMs, avionics suppliers, software houses, air carriers, maintenance shops, unmanned aircraft OEMs, academia, the automotive industry, space systems organizations, and nuclear power outfits.
Examples of industry projects in which RTCA DO-178C students are involved include: new civil or military aircraft design; re-starting production of a previous civil aircraft type design to include new modern avionics; upgrading avionics in existing civil or military aircraft; design of ground-based aviation systems; design of UAS systems; autonomous automobile initiatives, and commercial space launches.
“Many people outside of aviation are not aware of the degree of rigor that is applied to developing, testing, and controlling software in aviation products,” says Angermayer. “Those other industries, such as rail transit, self-driving cars, and medical devices, might benefit from the processes contained in the DO-178C standard.”
Furthermore, DO-178C, its supplements and spin-offs (such as DO-278), will remain increasingly important into the future.
The latest job outlook report from the U.S. Bureau of Labor Statistics projects the employment of software developers to grow by 17% through 2024, that of applications developers to increase 19%, and that of systems developers to rise 13%.
The main reason for the new software applications developer and systems developer jobs is a large increase in the demand for computer software. The need for new applications on mobile devices and tablets will help boost demand for application software developers, especially for applications on COTS tablets like the iPad that interact with and pull data directly from hard-wired, safety-critical avionics software, data buses, and more. Complex algorithms and coding are also needed for software that will support multi-core computing, address the security risks of new aviation Internet of Things (IoT) initiatives, ADSB-In COTS components, customized military mission operations, and more.
“Everyone wants to move up the food chain,” says Vance Hilderman, a cofounder of AFuzion, which describes itself as a company focused on infusing technical knowledge, all training, gap analysis, whitepapers and more for avionics engineers. “The component producers want to make subsystems, the subsystems producers want to make full systems, the systems people want to make integrated systems. It’s incredibly dynamic.” He says one fourth of AFuzion’s clients each year are people who weren’t in the business two years prior.
AFuzion has provided DO-178C and other software- and hardware-related training, best practices and consulting for the tier 1 primary avionics systems integrators all over the world, Hilderman says, adding that growth areas for DOs are in the military. Others include countries such as Russia (with its MC-21 regional jet), China (with its COMAC C919), and Turkey and India (which are in the earliest stages of building domestically developed civil air transport jets), as well as Japan with its Mitsubishi Regional Jet. Engineers in most of these areas were previously focused on military subsystem and component development. Now they want to become full-scale systems integrators themselves, with collaborative government-industry airframe development using software written by citizens who learn how to code to DO-178C principles under experts like the ones mentioned above.
Turkey, China and Russia also have ambitions to develop more sophisticated military aircraft to vie with fifth-generation ones like the F-35, which achieved initial operational capability in late 2016 with more than 8 million lines of code (more than any U.S. or allied military aircraft in history, according to prime contractor Lockheed Martin). That software helps power the jet’s advanced electronic warfare, radar, communication/navigation/identification, electro-optical targeting, and distributed-aperture systems. That software is designed to fully populate the F-35’s panoramic cockpit display with data gathered from sensors and shown on one screen in integrated form.