Supplements to DO-178C: DO-330, DO-331, DO-332 and DO-333

The supplements to DO-178C were created to provide guidance for newer technologies and development methods that the core DO-178C document does not address directly, without having to rewrite the core document itself.

Under DO-178B, much of the guidance on these topics was captured in FAA Order 8110.49, Chg 1, and in separate notices. For example, object-oriented technology was not addressed directly in DO-178B, so after it was published a number of notices were issued on the use of object-oriented technology in airborne software. That material has since been revised and published as RTCA/DO-332. The complete list of DO-33x supplements is given below:

  • DO-330/ED-215, Software Tool Qualification Considerations Supplement
  • DO-331/ED-216, Model-Based Development and Verification Supplement
  • DO-332/ED-217, Object-Oriented Technology and Related Techniques Supplement
  • DO-333/ED-218, Formal Methods Supplement

RTCA/DO-330 Software Tool Qualification Considerations

DO-330 provides guidance for qualifying software tools. Examples of tools include automated code generators, compilers, test tools and change management tools. DO-330 explains the process and objectives for qualifying a tool. The level of effort depends on how the tool's output or behavior can affect the airborne software and on the software level (design assurance level) of that software. DO-330 defines five tool qualification levels, TQL-1 (most rigorous) through TQL-5 (least rigorous); the TQL for a given tool is determined from the criterion that applies to the tool and the software level, as shown in the table below.

Criterion 1 applies to tools whose output becomes part of the airborne software, such as compilers and code generators, and which could therefore insert an error into it. Criterion 3 applies to tools that, within the scope of their intended use, could fail to detect an error in the airborne software, such as a test harness that determines pass/fail results.

Criterion 2 applies to tools that automate a verification process and whose output is used to justify eliminating or reducing other verification processes, or development processes that could affect the airborne software. Because more credit is being taken for such a tool than under Criterion 3, Criterion 2 requires a higher qualification level (TQL-4 rather than TQL-5) for Level A and B software, to give confidence that the tool's error-detection capability is sufficient for the processes it replaces.

Tool qualification level by software level and criterion (DO-178C Table 12-1):

  Software Level   Criterion 1   Criterion 2   Criterion 3
  A                TQL-1         TQL-4         TQL-5
  B                TQL-2         TQL-4         TQL-5
  C                TQL-3         TQL-5         TQL-5
  D                TQL-4        TQL-5         TQL-5

RTCA/DO-331 Model-Based Development and Verification Supplement

Model-based technologies use a higher-level representation of a system to specify its intended behavior or to describe the design of a program.  These representations often use graphical notations that show state changes or information flow between elements of a system.  Work is usually performed with tools that check the model for consistency, provide alternative views that aid verification, or translate the model into source code that implements the design it describes.  Because a model can serve as a requirement, as a design, or as the source from which code is generated, and the same model may play more than one of these roles, its use must be carefully managed.  The DO-331 supplement provides guidance on the use of model-based technologies in the context of a DO-178C certification.  Certain activities and objectives of DO-178C are modified or added depending on how the models are used, and DO-331 describes how the core document and the supplement work together.

RTCA/DO-332 Object-Oriented Technology and Related Techniques Supplement

Object-oriented technologies are being adopted through features added to traditional programming languages to support a more powerful programming paradigm.  For example, C++ and Ada allow a data type and the operations that act on it to be defined together as a class.  Objects of that class then encapsulate the data values together with the software that acts on them.  This can make the software more compact and more intuitive to integrate and extend.  But the added flexibility brings added risks.  Operations may inherit behavior from parent classes in ways that obscure what an operation actually does, and features such as dynamic dispatch, dynamic memory allocation and exception handling may consume memory and time in ways that are hard to bound and account for.  The DO-332 supplement addresses such programming features and provides guidance on the use of these technologies in conjunction with DO-178C.

RTCA/DO-333 Formal Methods Supplement

Formal methods are techniques for specifying and analyzing properties of a system with a degree of rigor that provides confidence in those properties.  Specifications may be written at various levels of formalism, and yield correspondingly different levels of confidence that the properties hold.  Intended behavior may be expressed in terse mathematical notation that is unambiguous but requires special training to understand.  Semi-formal notations can make specifications more approachable to engineers, but may miss behavioral implications that cause problems; under DO-333 only a notation with a precise, unambiguous and mathematically defined syntax and semantics counts as formal.  Formal specifications can be processed with formal analysis techniques (for example, theorem proving, model checking or abstract interpretation) to establish correctness properties that may be missed if verification is performed by testing alone, since testing can only exercise a sample of the possible inputs.  Because formal analysis is performed on a representation of the system rather than on the actual implementation, there remains a risk that some behavior of the real system is not captured in that representation and therefore escapes analysis; formal verification must still be shown to cover the executable object code.  If formal specification and analysis are to be used, perhaps to supplement dynamic testing, the DO-333 supplement should be applied in conjunction with DO-178C.