Understanding DO-178C and SCADE
The DO-178B software aspects of airworthiness regulation have been in force since 1992, driving the certification process of most civilian aircraft and systems. Given technological evolution, new design tools, and inputs and constraints from all stakeholders (airframers, system suppliers, design tool suppliers and certification authorities), a DO-178C initiative was launched in 2007 to update DO-178B to account for new design methodologies.
DO-178C was approved by the committee in December 2011 and released in 2012. Major certification bodies, including the FAA and EASA, are expected to adopt DO-178C in 2012.
SCADE is DO-178C ready and the application development process under DO-178C does not change significantly from what it has been so far.
What does DO-178C mean?
- Documents the intent of DO-178 more consistently.
- Does not raise or lower the bar for certification.
- Makes newer techniques, such as model-based development and verification, object-oriented design, and formal methods, easier to apply through technology-specific supplements.
- Provides a document to better explain when and how to qualify tools.
What is the structure of DO-178C?
- DO-178C: Software Considerations in Airborne Systems and Equipment Certification (“Core” document)
- DO-248C: Supporting Information for DO-178C (FAQs, Discussion Papers, and Rationale)
- DO-330: Software Tool Qualification Considerations (STQC)
- DO-331: Model-Based Development and Verification Supplement to DO-178C (MBDV)
- DO-332: Object-Oriented Technology and Related Techniques Supplement to DO-178C (OORT)
- DO-333: Formal Methods Supplement to DO-178C (FM)
Supplements to DO-178C extend the guidance in DO-178C to a specific technique. Supplements are used in conjunction with DO-178C and may be used in conjunction with one another.
Understanding Tool Qualification under DO-178C
The DO-330: Software Tool Qualification Considerations (STQC) provides guidance to qualify tools.
The terms “development tool” and “verification tool” are no longer used in DO-178C. Instead, DO-178C defines three criteria (to be considered in sequence):
- Criteria 1 tool: A tool whose output is part of the airborne software and thus could insert an error
- Criteria 2 tool: A tool that automates verification process(es) and thus could fail to detect an error, and whose output is used to justify the elimination or reduction of verification process(es) other than that automated by the tool, or development process(es) that could have an impact on the airborne software
- Criteria 3 tool: A tool that, within the scope of its intended use, could fail to detect an error
Five Tool Qualification Levels (TQL) are defined within DO-178C, from TQL-1, the most rigorous, through TQL-5, the least rigorous. When a tool has to be qualified, the table below defines the tool's TQL as a function of the Software Level (A to D) and the tool criteria (1 to 3).
SCADE Suite and DO-178C
The SCADE processes currently used with DO-178B adapt easily to a typical DO-178C SCADE flow. The MBDV Supplement will be used, as SCADE is a modeling tool. The STQC document will be used, as Reporter, MTC, KCG, and QTE (Qualified Test Environment) will have to be qualified (see next Table).
The main points regarding the benefits of the approach are as follows:
- DO-178B/C Table A-5 – No code reviews, as SCADE Suite KCG is qualified
- DO-178B/C Table A-6 – Testing can be achieved through a combination of HLR-based tests performed on host and target and testing of a representative sample of the Source Code
- DO-178B/C Table A-7 – Structural Coverage objectives may be achieved by performing Model Coverage Analysis: running MTC on the SCADE model on the basis of the above HLR-based tests