DO-278A CNS/ATM Software Approval

RTCA/DO-278A, published in 2011, is the result of an update to DO-278.  The DO-278A document addresses software for Communication, Navigation, Surveillance and Air Traffic Management (CNS/ATM) systems.  This includes both ground-based and satellite-based systems.

CNS/ATM systems typically integrate the management of many aircraft at the same time.  As a result, they typically comprise many computers that are networked together and linked to databases, communications systems, displays for air traffic controllers, etc.  Much of this infrastructure is built to supply information to air traffic controllers and pilots, who use it in conjunction with regular communications with aircraft to keep a general awareness of the motion of aircraft in the airspace under their control, and to keep them separated and aligned in traffic lanes.

With the increase in air traffic and improvements due to available technology, there is a move to provide additional capabilities that optimize movement of aircraft and maintain safe separation.  The tendency for future systems is to link aircraft and ground-based systems communications more tightly so they can exchange information more automatically and improve the safety and efficiency of flight.

DO-278 no longer requires DO-178

DO-278A is a stand-alone document.  Although it describes many activities, processes, and objectives that are in common with DO-178C, it is no longer necessary to use them side-by-side.

The Assurance Levels in DO-278A are labeled AL1 through AL6, and they differ slightly from those in DO-178C, where they are labeled A through E.  The mismatch in the lists is because AL4 has no equivalent in DO-178C.

DO-278A Assurance Level    DO-178C Software Level
AL1                        A
AL2                        B
AL3                        C
AL4                        No Equivalent
AL5                        D
AL6                        E

The activities and objectives for DO-178C levels A and B are identical to those for DO-278A AL1 and AL2.  Beyond that, there are more differences in the activities and in what information is to be presented.

The biggest difference arises from the way CNS/ATM software is used.  Safety-critical software is evaluated and certification evidence is fully developed before it is relied upon to control an aircraft.  We do not use a new flight control system that is working through the approval process and have a certified one running in hot standby just in case the new one fails.

In a ground-based system, the software is often integrated in stages with existing ground-based systems running alongside the proposed system.  This makes it possible to scale back control and revert to prior systems if an anomaly is detected.  The approval processes are different, and this is reflected in the required documents; for example, under DO-178C a Plan for Software Aspects of Certification is required, but in DO-278A a Plan for Software Aspects of Approval is needed.

Life cycle data essentially same as for DO-178C

The software life cycle data for both of these DO- documents is essentially the same, each requiring a Software Development Plan, Software Verification Plan, Software Configuration Management Plan, etc. However, in DO-278A there is a greater emphasis on the use of previously developed software.  In particular, DO-278A has additional tables that cover COTS software process objectives and outputs.

At Verocel, the life cycle processes, activities and the tools used would be the same for DO-178C and DO-278A.  Depending on the project, there would be some adjustments made in the Plan for Software Aspects of Approval to describe some changes in terminology from the governing DO-178C plans.  There could be some differences in emphasis, depending on the system aspects relating to software development.

Approach to DO-278A at Verocel

Verocel has experience in approval of CNS/ATM systems using DO-278. The DO-278A lifecycle processes are fully supported by Verocel’s corporate plans and standards. Our VeroTrace Application Life Cycle Management tool forms the backbone of requirements management, configuration management and overall life cycle data management and traceability.

Verocel’s coverage tools VeroSource and VerOCode are used to support the coverage requirements of DO-278A.



Verocel certified the FAA’s Wide Area Augmentation System (WAAS) safety computer to DO-278 AL2 (DO-178B level B). The certification effort included:

  • The operating system for the Wide Area Augmentation System
  • Board Support Package for the Safety Processor
  • DO-254 for Voting and signal management (using a Field Programmable Gate Array)

If you’d like to discuss your project needs or would like more information, please get in touch.