DO-178C


DO-178C, Software Considerations in Airborne Systems and Equipment Certification is the primary document by which the certification authorities such as FAA, EASA and Transport Canada approve all commercial software-based aerospace systems. The document is published by RTCA, Incorporated, in a joint effort with EUROCAE, and replaces DO-178B. The new document is called DO-178C/ED-12C and was completed in November 2011 and approved by the RTCA in December 2011. It became available for sale and use in January 2012.
The FAA approved AC 20-115C on 19 Jul 2013, making DO-178C a recognized "acceptable means, but not the only means, for showing compliance with the applicable airworthiness regulations for the software aspects of airborne systems and equipment certification."

Background

Since the release of DO-178B, there had been strong calls by DERs for clarification/refinement of the definitions and boundaries between the key DO-178B concepts of high-level requirements, low-level requirements, and derived requirements and a better definition of the exit/entry criteria between systems requirements and system design and that of software requirements and software design. Other concerns included the meaning of verification in a model-based development paradigm and considerations for replacing some or all software testing activities with model simulation or formal methods. The release of DO-178C and the companion documents DO-278A, DO-248C, DO-330, DO-331, DO-332, and DO-333 were created to address the issues noted. The SC-205 members worked with the SAE S-18 committee to ensure that ARP4754A and the above noted DO-xxx documents provide a unified and linked process with complementary criteria.
Overall, DO-178C keeps most of the DO-178B text, which has raised concerns that issues with DO-178B, such as the ambiguity about the concept of low-level requirements, may not be fully resolved.

Committee organization

The RTCA/EUROCAE joint committee work was divided into seven Subgroups:
The Model Based Development and Verification subgroup, was the largest of the working groups. All work is collected and coordinated via a web-site that is a collaborative work management mechanism. Working artifacts and draft documents were held in a restricted area available to group members only.
The work was focused on bringing DO-178B/ED-12B up to date with respect to current software development practices, tools, and technologies.

Software level

The Software Level, also known as the Design Assurance Level or Item Development Assurance Level as defined in ARP4754, is determined from the safety assessment process and hazard analysis by examining the effects of a failure condition in the system. The failure conditions are categorized by their effects on the aircraft, crew, and passengers.
DO-178C alone is not intended to guarantee software safety aspects. Safety attributes in the design and as implemented as functionality must receive additional mandatory system safety tasks to drive and show objective evidence of meeting explicit safety requirements. The certification authorities require and DO-178C specifies the correct DAL be established using these comprehensive analyses methods to establish the software level A-E. "The software level establishes the rigor necessary to demonstrate compliance" with DO-178C. Any software that commands, controls, and monitors safety-critical functions should receive the highest DAL - Level A.
The number of objectives to be satisfied is determined by the software level A-E. The phrase "with independence" refers to a separation of responsibilities where the objectivity of the verification and validation processes is ensured by virtue of their "independence" from the software development team. For objectives that must be satisfied with independence, the person verifying the item may not be the person who authored the item and this separation must be clearly documented.
LevelFailure conditionObjectivesWith independence
ACatastrophic7130
BHazardous6918
CMajor625
DMinor262
ENo Safety Effect00

Traceability

DO-178 requires a documented connection between the certification artifacts. For example, a Low Level Requirement traces up to a High Level Requirement. A traceability analysis is then used to ensure that each requirement is fulfilled by the source code, that each requirement is tested, that each line of source code has a purpose, and so forth. Traceability ensures the system is complete. The rigor and detail of the certification artifacts is related to the software level.

Differences with DO-178B

SC-205 was responsible for revising DO-178B/ED-12B to bring it up to date with respect to current software development and verification technologies. The structure of the document remains largely the same from B to C. Example changes include:
DO-178B was not completely consistent in the use of the terms Guidelines and Guidance within the text. "Guidance" conveys a slightly stronger sense of obligation than "guidelines". As such, with the DO-178C, the SCWG has settled on the use of "guidance" for all the statements that are considered as "recommendations", replacing the remaining instances of "guidelines" with "supporting information" and using that phrase wherever the text is more "information" oriented than "recommendation" oriented.
The entire DO-248C/ED-94C document, Supporting Information for DO-178C and DO-278A, falls into the "supporting information" category, not guidance.

Sample difference between DO-178B and DO-178C

Chapter 6.1 defines the purpose for the software verification process. DO-178C adds the following statement about the Executable Object Code:
As a comparison, DO-178B states the following with regard to the Executable Object Code:
The additional clarification fills a gap that a software developer may encounter when interpreting the document.