Esterel Technologies
What is CENELEC?
CENELEC is the European Committee for Electrotechnical Standardization. Most CENELEC standards are identical or very closely based on IEC international standards. Typically, IEC standards in the 60000 to 69999 range map directly to CENELEC standards, for example, IEC 61508 to EN 61508. CENELEC’s web site is: http://www.cenelec.org
What is EUROCAE?
EUROCAE is the acronym for the European Organisation for Civil Aviation Equipment. It is the European equivalent of RTCA.
EUROCAE is located at:
17 Rue Hamelin 75116 Paris FRANCE Tel: +33 (0) 1 4505 7188 Fax: +33 (0) 1 4505 7230
EUROCAE’s web site is: http://www.eurocae.org
What is MISRA™?
MISRA is the acronym for the Motor Industry Software Reliability Association. Its mission is "To provide assistance to the automotive industry in the application and creation within vehicle systems of safe and reliable software."
It is not a certification agency, but an association that publishes guidelines for writing more reliable software for automotive systems manufacturers. It has published a "Guidelines for The Use Of The C Language In Vehicle Based Software" manual that is available directly from their web site.
The MISRA web site is: http://www.misra.org.uk
What is RTCA?
RTCA, in the avionics sense (to which all references in this document refer), is the acronym for Radio Technical Commission for Aeronautics. RTCA, Inc. is located at:
1828 L Street, NW, Suite 805 Washington, D.C. 20036
Tel: 202-833-9339 Fax: 202-833-9434 Email:info@rtca.org
RTCA’s web site is: http://www.rtca.org
What is the CDRH?
CDRH is the acronym for the Center for Devices and Radiological Health. It is a suborganization of the U.S. FDA, with the responsibility for all medical devices sold in the United States.
The CDRH web site is: http://www.fda.gov/cdrh
What is the FAA?
FAA is the acronym of the U.S. Federal Aviation Administration, the organization responsible for controlling air traffic safety in the United States.
The FAA's web site is: http://www.faa.gov
What is the FDA?
FDA is the acronym for the U.S. Food and Drug Administration. It can be reached at:
U.S. Food and Drug Administration 5600 Fishers Lane Rockville, MD 20857-0001 Tel: 888-INFO-FDA (1-888-463-6332)
The FDA’s web site is: http://www.fda.gov
What is the IEC?
IEC is the acronym for the International Electrotechnical Commission, the international standards and conformity assessment body for electrotechnology. The area relevant to this document is the functional safety of electrical/electronic/programmable electronic (E/E/PE) systems.
IEC is located in Geneva, Switzerland.
The IEC’s web site is http://www.iec.ch
What is the JAA?
JAA is the acronym for the Joint Aviation Authorities in Europe. The JAA is an associated body of the European Civil Aviation Conference (ECAC) representing the civil aviation regulatory authorities of a number of European states that have agreed to cooperate in developing and implementing common safety regulatory standards and procedures. The JAA and the FAA work together to create complementary air traffic safety standards. The JAA is located at:
Saturnusstraat 8-10, PO Box 3000 2130 KA Hoofddorp The Netherlands Fax: +31 (0) 23-5621714
The JAA’s web site is: http://www.jaa.nl
How do I spell DO-178B?
It is DO-178B. Forget DO178-B, do178b, DO 178 b, D0.178 or any other fancy combination of DOs, 178s, hyphens and bs in random order. Just write DO-178B.
How is a software verification performed?
DO-178B/ED-12B defines specific verification objectives that must be satisfied; these include:
- Verification of software development processes
- Review of software development life cycle artifacts
- Functional verification of software
- Requirements-based testing and analysis
- Robustness testing
- Structural Coverage Analysis
Structural Coverage Analysis is generally perceived to be the most difficult task to undertake by people unfamiliar with rigorous code development and testing. Furthermore, an operating system is tightly integrated with the hardware, cache, interrupts, memory management, and process/task management, thereby making structural testing even more difficult. These low-level aspects create a significant challenge to the verification process. For example, Level A certified applications must address:
- Statement Coverage
- Decision Coverage
- Modified Condition/Decision Coverage (MCDC)
as listed in the coverage table under "What levels of structural testing are required by DO-178B?", along with:
- Identification of dead or deactivated code
- Traceability from source to object code
Fortunately, a variety of commercial tools are available to assist in this challenging task.
In addition, if a modern tool like SCADE is used, much of the traditional coverage analysis and coverage testing can be eliminated. See SCADE for a description of this efficient design and deployment environment.
In a nutshell, what does this DO-178B specification really do?
It specifies that every line of code be directly traceable to a requirement and a test routine, and that no extraneous code outside of this process be included in the build.
To what do DO-178B levels refer?
DO-178B software levels (A, B, etc.) are based on the potential of the software to cause safety-related failures identified in the system safety assessment. DO-178B has five levels of certification:
- Level A: Software whose failure would cause or contribute to a catastrophic failure of the aircraft.
- Level B: Software whose failure would cause or contribute to a hazardous/severe failure condition.
- Level C: Software whose failure would cause or contribute to a major failure condition.
- Level D: Software whose failure would cause or contribute to a minor failure condition.
- Level E: Software whose failure would have no effect on the aircraft or on pilot workload.
What does DO-178B/ED-12B specify?
DO-178B/ED-12B provides guidance on designing, specifying, developing, testing, and deploying software in safety-critical avionics systems. In sum, DO-178B is a guideline for determining, in a consistent manner and with an acceptable level of confidence, that the software aspects of airborne systems and equipment comply with FAA airworthiness requirements.
What is 8110.97?
8110.97 is a notice published by the FAA that defines guidelines to DERs for approving software reused from previous DO-178B projects. All software life cycle data used in DO-178B certified systems require design approval under Title 14, Code of Federal Regulations (14 CFR).
What is DO-178?
DO-178 is a set of avionics standards described in RTCA Document RTCA/DO-178, titled "Software Considerations in Airborne Systems and Equipment Certification". It was developed by the avionics industry to establish software considerations for developers, installers, and users, when aircraft equipment design is implemented using microcomputer techniques.
The first formal publication of this specification was published in 1982 by the Radio Technical Commission for Aeronautics (RTCA). This was also approved by EUROCAE as ED-12 shortly thereafter.
An update to DO-178 was published in 1985, and was called DO-178A. EUROCAE also published a matching update to ED-12, named ED-12A.
In 1992, various industry working groups published a comprehensive update to DO-178A, named DO-178B by RTCA and ED-12B by EUROCAE. This revision of DO-178B is the current working version of this specification.
What is DO-178B?
DO-178, currently known as DO-178B, is described in RTCA Document RTCA/DO-178B, titled "Software Considerations in Airborne Systems and Equipment Certification". This specification was developed by the avionics industry to establish software considerations for developers, installers, and users, when aircraft equipment design is implemented using microcomputer techniques.
Note that DO-178B/ED-12B projects must be certified as a system, not as a standalone component (as is possible for IEC 61508 software components).
RTCA is the acronym for Radio Technical Commission for Aeronautics. RTCA, Inc. is located at:
1828 L Street, NW, Suite 805 Washington, D.C. 20036. Tel: 202-833-9339. Fax: 202-833-9434. Email: info@rtca.org
RTCA's web site is: http://www.rtca.org/
More information on Esterel DO-178B product solutions.
What is DO-248B?
RTCA DO-248B is a clarification document to DO-178B. Major topics include Previously Developed Software (PDS), Commercial Off-the-Shelf (COTS) software, verification, service history, tools and control categories. RTCA DO-248B is available from RTCA.
What is ED-12B?
This document is an update of ED-12A, published in 1985. It is the EUROCAE version of DO-178B.
What is FDA 510(k)?
FDA Section 510(k), or Premarket Notification (PMN), of the Food, Drug and Cosmetic Act requires device manufacturers to register and/or notify the FDA at least 90 days in advance of their intent to market a medical device. Specifically, medical device manufacturers are required to submit 510(k) premarket notifications if they intend to introduce a device into commercial distribution for the first time or reintroduce a device that will be significantly changed or modified to the extent that its safety or effectiveness could be affected. The safety implications are similar to FAA requirements, where life-critical devices and/or safety-critical devices are required to have a prudent design, code, and test/QA strategy in order to produce a product that is safe to use.
What is IEC 61508?
IEC 61508 was developed to create a standard for the functional safety of electrical/electronic/programmable electronic safety-related systems. IEC 61508 allows for the standalone certification of a software component, unlike DO-178B/ED-12B. The documentation requirements of IEC 61508 are similar to DO-178B/ED-12B, but tend to lean more heavily on design, usage, and manufacturing, due to the standalone component aspects of this certification. One of the most critical documents is the Safety Manual, which contains the rules and guidelines on how to use the software component in a system that is certified. The IEC has a great FAQ at: http://www.iec.ch/61508/Index.htm
What is the total list of potential deliverables I will need to create for DO-178B certification?
The following table lists the documents and records you may need to provide for a DO-178B certification:

DO-178B Software Life Cycle Data List

| Acronym | Document Title | Type | Section |
|---|---|---|---|
| PSAC | Plan for Software Aspects of Certification | Document | 11.1 |
| SDP | Software Development Plan | Document | 11.2 |
| SVP | Software Verification Plan | Document | 11.3 |
| SCMP | Software Configuration Management Plan | Document | 11.4 |
| SQAP | Software Quality Assurance Plan | Document | 11.5 |
| SRS | Software Requirements Standards | Document | 11.6 |
| SDS | Software Design Standards | Document | 11.7 |
| SCS | Software Code Standards | Document | 11.8 |
| SRD | Software Requirements Data | Document | 11.9 |
| SDD | Software Design Description | Document | 11.10 |
| | Source Code | Software | 11.11 |
| | Executable Object Code | Software | 11.12 |
| SVCP | Software Verification Cases and Procedures | Document | 11.13 |
| SVR | Software Verification Results | Records | 11.14 |
| SECI | Software Life Cycle Environment Configuration Index | Document | 11.15 |
| SCI | Software Configuration Index | Document | 11.16 |
| PRs | Problem Reports | Records | 11.17 |
| | Software Configuration Management Records | Records | 11.18 |
| | Software Quality Assurance Records | Records | 11.19 |
| SAS | Software Accomplishment Summary | Document | 11.20 |
What is EN-50128?
The railways industry currently relies on the EN 50128 standard, "Railway applications – Communications, signaling and processing systems – Software for railway control and protection systems", to provide a rational and consistent approach for the development of these safety-related systems. This international standard is part of a group of related standards, which also includes:
- EN 50126, "Railway applications – The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)"
- EN 50129, "Railway applications – Safety related electronic systems for signaling"
This group of standards owes much of its direction and contents to the IEC 61508 standard, which is a generic safety standard for electrical/electronic/programmable electronic safety-related systems. Both the IEC and the EN standards share the same philosophy in the sense that they:
- consider all relevant E/E/PES (Electrical/Electronic/Programmable Electronic Systems) and software safety life-cycle phases, from an initial concept phase to maintenance when these systems are used to perform safety functions;
- intend to introduce a "safety culture";
- have been conceived with a rapidly developing technology in mind;
- provide a method for the development of the safety requirements specification necessary to achieve the required functional safety for E/E/PE safety-related systems;
- use Safety Integrity Levels (SIL) for specifying the target level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related systems;
- adopt a statistical risk-based approach for the determination of the SIL requirements;
- distinguish between safe and unsafe failure modes and require precautions for any possible undetected failures. The failure modes have a direct impact on the required Safety Integrity Level for a given E/E/PES.
The scope of an E/E/PES is presented in Figure 2.1 below:
In EN 50128, the Equipment Under Control (EUC) is the subject of the certification project. The definition of the EUC depends on the scope of the certification. It can be:
- a complete interlocking system,
- a train speed control sub-system,
- any component of those systems or subsystems.
More information on Esterel EN 50128 product solutions.
What levels of structural testing are required by DO-178B?
Three primary levels of structural testing concern most DO-178B projects:
- SC: Statement Coverage. Means that every statement in the program has been invoked or used at least once. This is the most common use of the term "code coverage".
- DC: Decision Coverage. Means that every point of entry and exit in the program has been invoked at least once and that each decision in the program has been taken on all possible (Boolean) outcomes at least once. Essentially, this means that every Boolean statement has been evaluated both TRUE and FALSE.
- MCDC: Modified Condition Decision Coverage. Means that every point of entry and exit in the program has been invoked at least once, that every decision in the program has taken all possible outcomes at least once, and that each condition in a decision has been shown to independently affect that decision's outcome. Complex Booleans need to have truth tables developed to set each variable (inside a Boolean expression) to both TRUE and FALSE.
This table details the code coverage requirements for each DO-178B level:
| Level | Coverage | Explanation |
|---|---|---|
| Level A | MCDC | Level B + 100% Modified Condition Decision Coverage |
| Level B | DC | Level C + 100% Decision Coverage |
| Level C | SC | Level D + 100% Statement (or Line) Coverage |
| Level D | Requirements | 100% Requirements Coverage |
| Level E | None | No Coverage Requirements |
Performing this code coverage exercise is possible using manual methods, but this process can also be facilitated by using commercial code coverage tools. However, if a modern tool like SCADE is used, much of the traditional coverage analysis and coverage testing can be eliminated. See SCADE for a description of this efficient design and deployment environment.
Which systems need to be certified under DO-178B?
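As an added illustration (not from the original page or any standard) of the SC/DC/MCDC definitions above and of the MCDC objective that Level A must address under "How is a software verification performed?", the following Python script checks a set of test vectors against Decision Coverage and MC/DC for a constructed decision `(A and B) or C`, and brute-forces the smallest test set that achieves MC/DC. The decision, the condition names and the test vectors are assumptions chosen for the example.

```python
from itertools import combinations, product

# Constructed example decision with three conditions A, B and C:
#     (A and B) or C
# Test vectors are (A, B, C) tuples of booleans.
CONDITIONS = ("A", "B", "C")


def decision(a, b, c):
    return (a and b) or c


def decision_covered(vectors):
    """DC: the decision must have evaluated to both True and False."""
    return {decision(*v) for v in vectors} == {True, False}


def differ_only_in(v1, v2, i):
    """True when v1 and v2 differ in condition i and nowhere else."""
    return all((v1[j] != v2[j]) == (j == i) for j in range(len(v1)))


def independence_pairs(vectors):
    """MC/DC: for each condition, find a pair of vectors that differ only in
    that condition and flip the decision outcome. Returns a dict mapping each
    condition shown to independently affect the outcome to its vector pair."""
    pairs = {}
    vecs = list(vectors)
    for i, name in enumerate(CONDITIONS):
        for v1, v2 in combinations(vecs, 2):
            if differ_only_in(v1, v2, i) and decision(*v1) != decision(*v2):
                pairs[name] = (v1, v2)
                break
    return pairs


def mcdc_covered(vectors):
    """MC/DC holds when the decision took both outcomes and every condition
    has an independence pair."""
    return decision_covered(vectors) and len(independence_pairs(vectors)) == len(CONDITIONS)


def minimal_mcdc_set():
    """Brute-force the smallest test set achieving MC/DC for the decision
    (for N independent conditions the minimum is N + 1 vectors)."""
    all_vecs = list(product((False, True), repeat=len(CONDITIONS)))
    for size in range(1, len(all_vecs) + 1):
        for subset in combinations(all_vecs, size):
            if mcdc_covered(subset):
                return subset
    return ()


if __name__ == "__main__":
    dc_only = [(True, True, True), (False, False, False)]  # constructed: DC but not MC/DC
    print("DC only -> DC:", decision_covered(dc_only), "MC/DC:", mcdc_covered(dc_only))
    best = minimal_mcdc_set()
    print("minimal MC/DC set:", best)
    for cond, (v1, v2) in independence_pairs(best).items():
        print(f"  {cond}: {v1} -> {decision(*v1)}, {v2} -> {decision(*v2)}")
```

The two-vector set shows why DC alone is weaker than MC/DC: both outcomes are reached, yet no single condition is demonstrated to drive the result, which is exactly what the Level A objective adds.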
Under the Global Aviation Traffic Management (GATM) agreement, all commercial airborne systems have to comply with Federal Aviation Administration (FAA) regulations for avionics and require DO-178B certification. In addition, all airborne military and space systems must also comply with DO-178B. All retrofits, as well as new airborne system designs, also require DO-178B certification. Note that GATM has international validity and applicability.
Who are DERs?
DERs, Designated Engineering Representatives, are experienced engineers designated by the FAA to approve engineering data used for certification. Most customers (and the FAA) will want some assurance regarding your DO-178B documents, and an FAA DER will provide this. All FAA projects must have an FAA representative assigned and a DER to review all submissions. A DER is an independent specialist designated by the FAA as having authority to sign off on your project as a representative of the FAA. First, the DER may insist on witnessing such items as portions of your software testing; second, the DER may not like your documentation (or processes), and hence may insist on changes to them before signoff. This is a lot easier to do during design and development than at project completion.
Who determines which DO-178B level is required?
The level to which a particular system must be certified is selected by a process of failure analysis and input from the device manufacturers and the certifying authority (FAA or JAA), with the final decision made by the certifying authority. Note that software does not need to be certified specifically at each designated level. Certification at any level automatically covers the lower-level requirement; but, obviously, the converse is not true. Software certified at Level A can be used in any avionics application.
Who was behind the DO-178/ED-12B spec?
DO-178B and ED-12B were developed by a broad committee of industry representatives from around the world. These specifications are published by RTCA, Inc. and EUROCAE, respectively.