10 April 2012

DO-178 specification gets upgrade to take account of model based design

Software has developed a reputation for being inherently bug ridden and there's one place where the last thing you need is unpredictable software – in an aeroplane. Yet software written for aerospace applications is complex, with a liberal sprinkling of decision points that might make it work in ways completely unexpected by those who wrote it. No surprise, then, the authorities are keen to see software written and tested in such a way that safety is at the top of the requirements list.

One way to ensure software is as reliable as possible is to keep a close eye on the development process – and that's the goal of DO-178B, a certification process which is used by almost every company developing software for aerospace applications. In order to comply with one of the five categories, software developers need to produce a raft of documentation that shows their process – and therefore the software produced – meets the appropriate requirements.

The problem is that the DO-178 set of standards is 30 years old and was last revised – with the introduction of DO-178B – in 1992. Time, as they say, has moved on.

Mark Walker is senior engineer with The Mathworks UK. He said: "The approach hasn't changed since the B revision was issued. While the standard has been proven in use, what has changed is the way some teams go about achieving their objectives: techniques have moved on since 1992."

But things are changing with the release at the end of 2011 of DO-178C, which retains the historical title of 'Software Considerations in Airborne Systems and Equipment Certification'. "This and its four supplements," Walker pointed out, "are all about how you work in the context of modern tools." The four supplements address: software tool qualification considerations; model based design; object oriented design; and formal methods of certification.

One of the problems, Walker highlighted, was the fact that the term 'model' wasn't used in the B revision. "We learned how to interpret models within the context of the B revision," he said, "working out what was and what wasn't acceptable. The C revision clarifies things."

When the B revision was published, specification documents were hand written. "B assumed you would write down what your software would do, but it wasn't clear about the point at which you could use models," Walker continued. "For example, you couldn't use simulation results from a model as evidence. But, because you weren't exercising the design, you could miss interactions between systems. Executable models are a good way of finding out whether things work and the simulation results will show whether you have the right answer."

Because many of the software blocks in aerospace applications are complex, there is always the chance of them containing bugs. "You'll find that things don't work properly," Walker said. "Previously, the only way you had of finding those bugs was by someone reviewing the specification document or by running the code. When you have an executable specification in a model, that will tell you whether there are problems or not."

Even though the standard has been upgraded, DO-178C still requires a specification document. "But now," Walker said, "the model is the specification and the specification document can be generated from the model."

The change is seen by Walker as bringing more efficiency to the process. "With a document driven process, bugs tended to be discovered later on after a lot of engineering effort. With a model based approach, they are more likely to be found earlier and will, therefore, be cheaper to fix."

Design and fix at a higher level
He compared the move to the DO-178C revision with the transition from assembler to C. "You can design at a higher level language using C," he said. "Going to a model based process allows software to be designed and fixed at a higher level. Because complexity is increasing, it's getting harder to take software through to production without using a model based process," he contended.

Two types of test are applied to the software model: statistical, where all the combinations are exercised; and satisfying requirements, asking whether the code satisfies higher level requirements for what it must do.

He pointed out that, once you have a model, it can be used to design tests, which can then be used to exercise the resulting software. "It's all about getting statistical coverage," he said. "If a branch exists in the source code, it will also be in the model, so you can test the model for statistical coverage."

However, it is important not to end up effectively chasing your own tail. "You shouldn't end up testing the model against itself," Walker warned. "The standard is still very clear about top down requirements and how each stage must be shown to satisfy those requirements."

Models, by their very nature, describe elements of a system; but you can link them to build bigger models. "One important thing with high integrity systems is verifying they have been put together correctly," Walker concluded.

Integrated modular avionics
Aerospace developers are increasingly looking to use COTS software to implement systems on fewer and more centralised processing units, based on partitioned Integrated Modular Avionics (IMA) architectures. Not only does this approach cut development and deployment costs, it also brings benefits in space, weight and power consumption.

Alex Wilson, senior business development manager for Wind River's aerospace and defence business, said: "In addition to consolidating multiple applications on one computing platform, IMA enables the reuse of applications, leading to lower recertification cost. It also allows for the easier upgrading of applications to add functionality through incremental certification and enables easier mid life upgrade of the hardware platform."

In Wilson's view, while IMA brings significant advantages to the supply chain, the transition offers a serious challenge for systems integrators. "They have to bring components together – often from different vendors – on a single platform, ensure there are sufficient computing resources and that applications are not demanding more computer resources than allowable, while building in the necessary safety margins."

Emerging software tools not only allow developers to simulate any target hardware – from one processor to complex electronic systems – they also allow final executable code to run in a simulated environment, enabling performance measurement and configuration testing.

"Simulation tools replace paper analysis," said Wilson. "Simulation enables fast and easy impact evaluation on complete systems and can lead to a significant reduction in the risk of moving to a new technology. This is especially true as developers look to use multicore technology in safety critical applications.

"No one is saying the integration of complex avionics electronic systems has suddenly become a simple matter," he concluded, "but there should be little doubt that simulation can make it considerably easier."

* Meanwhile, Wind River has extended its safety critical systems product capabilities to support complete RTCA DO-178C certification evidence as a COTS solution, with the VxWorks rtos conforming to DO-178C Level A guidelines.

Graham Pitcher

Supporting Information


The MathWorks Ltd
Wind River UK Ltd

This material is protected by Findlay Media copyright
See Terms and Conditions.
One-off usage is permitted but bulk copying is not.
For multiple copies contact the sales team.

Do you have any comments about this article?

Add your comments


Your comments/feedback may be edited prior to publishing. Not all entries will be published.
Please view our Terms and Conditions before leaving a comment.

Related Articles

SKA telescope developments

UK-based start up Adaptive Array Systems (AASL) has been awarded a contract by ...

'Significant' layout launch

Looking to address a range of PCB design challenges, including growing ...

UK to get space centre

A centre that will enable businesses to tap into the UK's multi-billion pound ...

Connectors cut size, weight

Aerospace, whether it's commercial aviation, defence or even satellites, is a ...

Wise eyes in the sky

Most people's first encounter with an autogyro, or gyrocopter, was in the film ...

Time to get into space?

Back in 2010, the government published the Space Innovation and Growth Strategy ...

Adapting to the extremes of rugged design

Ruggedisation and reliability are key requirements for a wide range of embedded ...

The real solution to fake parts

The high tech supply chain is more vulnerable to counterfeit components than ...

Pilatus PC-21- the ideal trainer aircraft ...

Imagine a new type of trainer aircraft for the twenty-first century. One that ...

Mil-aero SMPS capacitors

AVX has gained T-Level MIL-PRF-49470 approval for its range of 25V, ...

Ruggedised power supply units

Powerstax has launched the MC1U series of flexible, ruggedised power supply ...

GNSS receiver module

A low power GNSS receiver module available from Solid State Supplies combines ...

Future World Symposium 2014

29th - 30th April 2014, Twickenham Stadium, London

BEEAs 2013

9th October 2014, 8 Northumberland, London

Engineering Design Show 2014

22nd-23rd October 2014, Jaguar Exhibition Hall, Ricoh Arena, Coventry, UK

Electronics Design Show 2013

Take a look at some of the highlights from the 2013 Electronics Design Show and ...

3d Bloodhound animation

Take a glimpse under the skin of Bloodhound SSC.

TI HiRel Space Products

To support the demanding nature of space applications, TI HiRel has introduced ...

Rules to be relaxed?

Moves appear to be in process that will relax restrictions on the use of ...

Still working ...

NASA has determined that Voyager 1 – launched in August 1977 on a mission to ...

Cutting the mustard

In the past ten days, three clients have presented their new designs (an ...

Keith Attwood, ceo, e2v

Many UK based technology companies can trace their origins to the years ...

Rick Clemmer, ceo, NXP

Rick Clemmer believes high performance mixed signal is just one of the sectors ...

Roger Rogowski, UKEA

Last week's Anti Counterfeiting Forum saw electronics industry leaders convene ...