Tuesday, December 16, 2008

DO-178B Level A "Compliant" Software

I get asked a lot about developing software for systems undergoing DO-178B certification. This entry attempts to dispel some myths and provide some information about building safety critical software under this regime, and what to look for in partners offering "DO-178B Compliant" components.

If you've not seen it before, DO-178B is a set of guidelines relating to the development of software for the avionics industry. In recent years its usage has been spreading beyond aircraft, primarily due to its success in maintaining safety in complex software systems. As far as I am aware, there's never been an aircraft fatality linked to a failure of DO-178B Level A software (more about levels in a second).

The DO-178B guidelines allow for software to be divided into levels of criticality. The lowest is Level E, which means it's not going to hurt anyone if it fails. The highest is Level A, which means there's a good chance the platform will crash and people will die if it fails. The DO-178B guidelines propose different levels of planning, requirements documentation, testing effort and validation for each level, obviously getting progressively harder until you hit 'A'.

There's no such thing as "reusable" DO-178B software. Each and every implementation has to be re-certified from scratch for the specific system undergoing review. This is because DO-178B is evidence based, and tests must be exercised on the final flight hardware (not some other piece of equipment with some other version of the software).

There is a lot of confusion about building software for DO-178B certified platforms. Unfortunately a lot of the marketing done by various companies (with phrases like DO-178B "ready" or "compliant") makes the situation very difficult for first-time entrants to the avionics software market. Some of these companies have caused whole avionics programs to be delayed or even fail outright due to their inability to generate satisfactory evidence for the flight certification authority.

Given the risks involved with not achieving certification, how does a company select a provider to work with?

  1. Confirm the provider has pedigree in delivery of software and certification evidence on DO-178B Level A systems. They should have done dozens of these before (you don't want to be number one or two).
  2. Get contact details for a reference customer who has achieved successful certification using the same version of software as you will be using. Don't accept a reference who used a different version of the software. Again, you don't want to be the first person certifying some new experimental software; you want proven experience.
  3. Confirm that the COTS supplier is providing the certification evidence using their own experts. Ask to talk with their DER (Designated Engineering Resource) about the solution and how previous certifications have gone with the FAA, EASA or whoever. If they don't have internal experts, including a DER, then they don't have the expertise to get your solution over the line. Never accept a COTS supplier who refers you to a 3rd party for generation of certification evidence. The 3rd party agent is not an expert in the software, can't make changes or fixes as necessary to assure success and probably hasn't got the financial backing to be in the market for the next 20-30 years as required for maintaining support (in case a fielded defect is discovered and a fix needs to be made and re-certified quickly).
  4. Ensure the COTS supplier has a program for developing the certification evidence on your specific flight hardware. You cannot reuse evidence from different hardware. You especially can't reuse evidence from a different version of software.
  5. Request an onsite audit of the COTS supplier's software and processes prior to selection. Visit their facilities. Talk with their DER. Understand their process and how they will work with you to get your product successfully through certification. Discuss how your specific code-branch is handled, how you are notified in the event that a defect is found, who will provide your engineering support during development and what experience they've had with previous programs.
  6. Ask the supplier outright (in writing) if certification for their software has ever delayed a program or caused it to fail certification.
There's probably lots more. A great reference for first-time DO-178B software developers is "Avionics Certification - A Complete Guide to DO-178 (Software) DO-254 (Hardware)" by Vance Hilderman and Tony Baghai. I believe it's now available on Amazon.