Safety Critical Systems and Certification Issues: DO-178B Airborne Standard

Page 1: Title slide

Safety Critical Systems and Certification Issues
DO-178B Airborne Standard

Page 2: Title slide (repeat of page 1)

Page 3: SC-190 / WG-52 Application Guidelines for RTCA DO-178B / ED-12B

Diagram of the bodies and documents involved:
- DO-178B (RTCA) / ED-12B (EUROCAE), produced by RTCA SC-167 / EUROCAE WG-12
- CAST (Certification Authority Software Team) -> CAST Position Papers
- SC-190 / WG-52 -> SC-190 Products -> CNS/ATM Community and Avionics Industry

Page 4: DO-178B in a Nutshell

- Highly process oriented
- Requires traceability:
  Requirements -> High Level Design -> Detailed Design -> Source Code -> Test Procedures -> Test Results
- Test & Test & Test & Test and ...

Page 5: DO-178B Safety Levels

Level A   Catastrophic             Failure prevents continued safe flight and landing
Level B   Hazardous/Severe-Major   Potential fatal injuries to a small number of occupants
Level C   Major                    Discomfort to occupants or possible injuries
Level D   Minor                    Increased crew workload

Page 6: Development Team

- What is COTS?
- How can the objectives of DO-178B be satisfied using COTS?
- There is much variation in applicants for COTS certification credit
- Is DO-178B clear on the interpretations?

Diagram: Product is COTS + Certification evidence available as COTS. Together these satisfy the safety objectives.

Page 7: Testing without Source Code

Diagram (layers, top to bottom):
- Application
- Wrappers to validate parameters
- Commercial O/S

This cannot be trusted unless the O/S is verified.

Page 8: Special Considerations: Use of Service History for Certification

- Worked correctly in the US for years
- Transferred to the U.K.

Diagram: Air Traffic Control system, showing Plane 1, the actual position of Plane 2, the displayed position of Plane 2, and the Greenwich Meridian.

Page 9: Use of Service History

Safety critical system:
- Developed under a less stringent standard (military?)
- Used for 4 years
- Problems tracked
- Quality good!
- Dead code (unintended function), residual error

Is this system safe for the next 4 years? At Level A, B, C?

We can bound inputs, but we cannot check internal states without "looking inside".

Page 10: Black Box Testing

- No single failure should prevent "continued safe flight and landing."
- Statistical testing cannot show the absence of a single state that will cause a failure
- Software has discontinuities
- Software does not follow a Gaussian/normal distribution

There is no foundation for statistical reasoning about software faults or safety.

Page 11: Verification Team: examples of issues

- What are low level requirements? How can they be tested?
- Data and control flow coupling
- Use of higher level test results for lower level requirements
- What is the intent of structural coverage?
- Traceability of source to object code for structural coverage
- What is statement, decision, condition and MCDC (Modified Condition/Decision Coverage) coverage testing?
- Verification tool qualification
- etc.

Page 12: Coverage Analysis at Level B and C

- Statement Coverage
- Decision Coverage: entry points, exit points, all decisions, all outcomes

Page 13: Fixing anomalies: example for Level B / library

    B := 3;
    A := Filter (B);
    X := X + A;

Diagram: the source passes through the Compiler to Object Code; Filter is a library routine.

Source level coverage is required even for Filter.

Page 14: Boundary level testing: not enough!

    A := B;  -- A and B are packed Boolean arrays

Run-time call to:

    Bit_Block_Move (From, To, Size);  -- size in bits

Min, Mid, Max in combination gives 27 (useless) test cases.

Interesting test cases based on the actual code, i.e. white box testing:
- 5 bit size
- 32 bit size
- 67 bit size
- From overlaps To
- To overlaps From
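Worked example (added here; not code from the slides or from any run-time library). It assumes a constructed C `bit_block_move(mem, from, to, size)` that moves `size` bits between bit offsets of one buffer, standing in for the slide's Bit_Block_Move, and shows why the white-box cases on the slide matter: a deliberately defective forward-only variant passes every non-overlapping case, including the aligned 32-bit and the 67-bit case, and is caught only by the cases where To overlaps From. The test cases and the bit pattern are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit-level helpers on a byte array; bit 0 is the least significant bit of mem[0]. */
static int get_bit(const uint8_t *mem, size_t bit) {
    return (mem[bit >> 3] >> (bit & 7)) & 1;
}
static void set_bit(uint8_t *mem, size_t bit, int v) {
    uint8_t mask = (uint8_t)(1u << (bit & 7));
    if (v) mem[bit >> 3] |= mask; else mem[bit >> 3] &= (uint8_t)~mask;
}

typedef void (*mover_fn)(uint8_t *mem, size_t from, size_t to, size_t size);

/* Overlap-safe move of `size` bits from bit offset `from` to bit offset `to`
   (constructed stand-in for the slide's Bit_Block_Move). When the destination
   lies above the source the copy runs backwards, so no source bit is
   overwritten before it has been read. */
void bit_block_move(uint8_t *mem, size_t from, size_t to, size_t size) {
    if (size == 0 || from == to) return;
    if (to < from) {
        for (size_t i = 0; i < size; i++) set_bit(mem, to + i, get_bit(mem, from + i));
    } else {
        for (size_t i = size; i-- > 0;) set_bit(mem, to + i, get_bit(mem, from + i));
    }
}

/* Defective variant: always copies forwards. It passes every non-overlapping
   Min/Mid/Max style case and fails only when To overlaps From. */
void bit_block_move_forward_only(uint8_t *mem, size_t from, size_t to, size_t size) {
    for (size_t i = 0; i < size; i++) set_bit(mem, to + i, get_bit(mem, from + i));
}

typedef struct { size_t from, to, size; const char *why; } move_case;

/* Test cases chosen by reading the implementation (white box), not by
   combining Min/Mid/Max of each parameter. Offsets are bits within a
   256-bit buffer; all cases are constructed for this example. */
static const move_case cases[] = {
    {   3, 100,  5, "5 bits, unaligned, no overlap" },
    {   8,  64, 32, "exactly one 32-bit word, aligned" },
    {   5,  80, 67, "67 bits: partial word, full words, partial word" },
    {  12,  10, 67, "From overlaps To (destination below source)" },
    {  10,  12, 67, "To overlaps From (destination above source)" },
    {   4,   3,  5, "1-bit shift downwards inside one byte" },
    {   3,   4,  5, "1-bit shift upwards inside one byte" },
    {   0,   0, 67, "From == To" },
    { 100, 101, 32, "32-bit word shifted up by one bit, overlapping" },
};
#define NCASES (sizeof cases / sizeof cases[0])

/* Run one case against a reference model that copies via scratch space, so
   overlap cannot affect the expected result. Returns true on match. */
static bool check_case(mover_fn mv, const move_case *c) {
    uint8_t mem[32], expect[32], scratch[32];
    for (size_t i = 0; i < sizeof mem; i++) mem[i] = (i & 1) ? 0xA5 : 0x5A; /* constructed pattern */
    memcpy(expect, mem, sizeof mem);
    memset(scratch, 0, sizeof scratch);
    for (size_t i = 0; i < c->size; i++) set_bit(scratch, i, get_bit(mem, c->from + i));
    for (size_t i = 0; i < c->size; i++) set_bit(expect, c->to + i, get_bit(scratch, i));
    mv(mem, c->from, c->to, c->size);
    return memcmp(mem, expect, sizeof mem) == 0;
}

/* Number of white-box cases the given mover fails. */
int count_failures(mover_fn mv) {
    int failures = 0;
    for (size_t i = 0; i < NCASES; i++) {
        if (!check_case(mv, &cases[i])) {
            printf("FAIL: %s\n", cases[i].why);
            failures++;
        }
    }
    return failures;
}

int main(void) {
    printf("overlap-safe mover failures: %d\n", count_failures(bit_block_move));
    printf("forward-only mover failures: %d\n", count_failures(bit_block_move_forward_only));
    return 0;
}
```

The three cases the forward-only mover fails are exactly the "To overlaps From" cases; none of the 27 Min/Mid/Max combinations of three independent parameters is guaranteed to produce one.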

Page 15: Coverage at Level A

- Coverage required at machine code level, or
- Show source to object code traceability and test at source level, or
- Use different languages/compilers and use a voting system
- MCDC testing required: each condition must have an effect on the outcome
- Tools which modify source for traceability: a problem at Level A
  Mitigation method: use 3 different compilers

(Now look at conditional statements)

Page 16: Conditions/Decisions

    if A=B and C or D<3 then

Annotations on the statement:
- Boolean operators: and, or
- Boolean variable: C
- Conditions: A=B, C, D<3
- Decision: the whole expression A=B and C or D<3

Page 17: What are Conditions/Decisions?

    Ada : if (A=B and C) or D<3 then
    C   : if (((A==B) & C) | (D<3))
    C   : if (((A==B) * C) + (D<3))
    C++ : if (((A==B) and C) or (D<3))

MCDC coverage requires all branches AND all conditions to be covered.

Page 18: More Boolean Conditions

    Ada : X := (A=B and C) or D<3;   if X then   -- X is Boolean
    C   : X = ((A==B) * C) + (D<3);  if (X)      /* X can be any integer */

Cannot hide from testing obligations: '*' and '+' are Boolean operators here!
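Worked example for pages 17 and 18 (added here; not code from the slides or from any coverage tool). It treats the slide's decision `(A=B and C) or D<3` as a Boolean function of the three conditions c[0] = (A=B), c[1] = C, c[2] = (D<3), and searches exhaustively for the smallest test set that satisfies decision coverage, condition coverage and unique-cause MC/DC. The same search is run on the slide's `*`/`+` spelling of the decision, which has the identical truth table and therefore the identical obligation. The function and type names (`deck_decision`, `mcdc_covered`, `min_test_set_size`, ...) are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Conditions are packed into an unsigned vector: bit i holds c[i]. Up to four
   conditions are supported, since the minimal-set search enumerates every
   subset of the 2^n condition vectors (2^16 subsets for n = 4). */
#define MAX_COND 4
typedef bool (*decision_fn)(const bool c[]);

/* The slide's decision  if (A=B and C) or D<3 then  with
   c[0] = (A = B), c[1] = C, c[2] = (D < 3). */
bool deck_decision(const bool c[]) { return (c[0] && c[1]) || c[2]; }

/* The same decision spelt with '*' and '+' on integers, as in the slide's
   second C form. Its truth table is identical, so the obligation is too. */
bool deck_decision_arith(const bool c[]) {
    int x = (c[0] * c[1]) + c[2];
    return x != 0;
}

static bool eval(decision_fn d, int n, unsigned v) {
    bool c[MAX_COND];
    for (int i = 0; i < n; i++) c[i] = (v >> i) & 1u;
    return d(c);
}

/* `set` is a bitmask over the 2^n condition vectors: bit v set = vector v is in the test set. */
static bool in_set(unsigned set, unsigned v) { return (set >> v) & 1u; }

/* Decision coverage: the decision has taken both outcomes. */
bool decision_covered(decision_fn d, int n, unsigned set) {
    bool seen_true = false, seen_false = false;
    for (unsigned v = 0; v < (1u << n); v++) {
        if (!in_set(set, v)) continue;
        if (eval(d, n, v)) seen_true = true; else seen_false = true;
    }
    return seen_true && seen_false;
}

/* Condition coverage: every condition has taken both values (outcome ignored). */
bool condition_covered(decision_fn d, int n, unsigned set) {
    (void)d;
    for (int i = 0; i < n; i++) {
        bool seen_true = false, seen_false = false;
        for (unsigned v = 0; v < (1u << n); v++) {
            if (!in_set(set, v)) continue;
            if ((v >> i) & 1u) seen_true = true; else seen_false = true;
        }
        if (!(seen_true && seen_false)) return false;
    }
    return true;
}

/* MC/DC (unique cause): for every condition i the set holds two vectors that
   differ only in c[i] and give different outcomes, i.e. c[i] alone is shown to
   affect the decision. Such pairs also give both outcomes and both values of
   every condition, so branch and condition coverage follow. */
bool mcdc_covered(decision_fn d, int n, unsigned set) {
    for (int i = 0; i < n; i++) {
        bool independent = false;
        for (unsigned v = 0; v < (1u << n) && !independent; v++) {
            unsigned w = v ^ (1u << i);
            if (in_set(set, v) && in_set(set, w) && eval(d, n, v) != eval(d, n, w))
                independent = true;
        }
        if (!independent) return false;
    }
    return true;
}

typedef bool (*criterion_fn)(decision_fn, int, unsigned);

/* Smallest number of test vectors satisfying `crit`, by exhaustive search over
   all subsets of the 2^n vectors. Returns -1 if none does or n is out of range. */
int min_test_set_size(decision_fn d, int n, criterion_fn crit) {
    if (n < 1 || n > MAX_COND) return -1;
    unsigned nvec = 1u << n, all = (1u << nvec) - 1u;
    int best = -1;
    for (unsigned set = 1; set <= all; set++) {
        int size = 0;
        for (unsigned s = set; s; s >>= 1) size += (int)(s & 1u);
        if (best != -1 && size >= best) continue;
        if (crit(d, n, set)) best = size;
    }
    return best;
}

int main(void) {
    printf("decision coverage : %d tests\n", min_test_set_size(deck_decision, 3, decision_covered));
    printf("condition coverage: %d tests\n", min_test_set_size(deck_decision, 3, condition_covered));
    printf("MC/DC             : %d tests\n", min_test_set_size(deck_decision, 3, mcdc_covered));
    printf("MC/DC ('*','+')   : %d tests\n", min_test_set_size(deck_decision_arith, 3, mcdc_covered));
    return 0;
}
```

Two vectors (all conditions False, all conditions True) already give every branch and every condition both values, yet no condition has been shown to affect the outcome on its own; MC/DC needs n + 1 = 4 vectors for this decision, and the integer spelling with `*` and `+` does not reduce that.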

Page 19: Condition coverage

    Ada : X := (A=B and C) or D<3;   if X then   -- X is Boolean

Coverage of a "basic block" may not capture the condition results.

Page 20: Avoiding MCDC Testing

Use Ada's short-circuit conditions:

    if A=0 and then B<2 and then C>5 then

Or in C write:

    if (A == 0 && B < 2 && C > 5) {

(MCDC: Modified Condition/Decision Coverage)

Page 21: Why short-circuit conditions eliminate MCDC

    if A=0 then
       if B<2 then
          if C>5 then
             P;
          end if;
       end if;
    end if;

is the same code as

    if A=0 and then B<2 and then C>5 then

MCDC is not required for this code.

Page 22: Testing strategy must evaluate conditions

    if A=0 then
       if B<2 then
          if C>5 then
             P;
          end if;
       end if;
    end if;

    if A=0 and then B<2 and then C>5 then

MCDC is not required for this code. BUT!!!

Testing must show that each 'then' part has been tested True and False.
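Worked example (added here; not code from the slides). It instruments the slide's short-circuit guard so that each `&&` operand is recorded as the separate decision it expands to, then counts the True/False exits a test set leaves untaken. The two test sets are constructed for this example, and the helper names (`guarded_p`, `run_test_set`, `uncovered_exits`) are its own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The slide's guard, as the nested decisions the short-circuit form expands to:
   if A=0 then if B<2 then if C>5 then P; end if; end if; end if; */
enum { DEC_A_IS_0, DEC_B_LT_2, DEC_C_GT_5, NDEC };
static const char *dec_name[NDEC] = { "A = 0", "B < 2", "C > 5" };

/* hits[d][0] counts the False exit of decision d, hits[d][1] the True exit. */
static int hits[NDEC][2];

void reset_coverage(void) { memset(hits, 0, sizeof hits); }

/* Instrumentation probe: records the outcome of one decision and passes it on. */
static bool probe(int dec, bool outcome) {
    hits[dec][outcome ? 1 : 0]++;
    return outcome;
}

/* Guarded action. Each && operand is a separate decision: B<2 is only
   evaluated when A=0 held, and C>5 only when both earlier ones held. */
bool guarded_p(int a, int b, int c, int *p_calls) {
    if (probe(DEC_A_IS_0, a == 0) && probe(DEC_B_LT_2, b < 2) && probe(DEC_C_GT_5, c > 5)) {
        (*p_calls)++;          /* P */
        return true;
    }
    return false;
}

/* Number of (decision, outcome) exits that no test has taken yet. */
int uncovered_exits(void) {
    int n = 0;
    for (int d = 0; d < NDEC; d++)
        for (int o = 0; o < 2; o++)
            if (hits[d][o] == 0) {
                printf("  untested: '%s' %s\n", dec_name[d], o ? "True" : "False");
                n++;
            }
    return n;
}

typedef struct { int a, b, c; } test_vector;

/* Runs a test set from a clean slate and returns the number of untested exits. */
int run_test_set(const test_vector *tv, int n) {
    int p_calls = 0;
    reset_coverage();
    for (int i = 0; i < n; i++) guarded_p(tv[i].a, tv[i].b, tv[i].c, &p_calls);
    return uncovered_exits();
}

/* Constructed test sets. The two "obvious" tests exercise the guard as a whole
   (P not called / P called) but leave the inner decisions' False exits untested. */
const test_vector whole_guard_tests[2] = { {1, 0, 9}, {0, 0, 9} };

/* One vector per exit: a later decision is only reached when the earlier ones
   were True, so each False exit has to be provoked one level at a time. */
const test_vector each_then_tests[4] = { {1, 0, 9}, {0, 5, 9}, {0, 0, 1}, {0, 0, 9} };

int main(void) {
    printf("whole-guard tests: %d exits untested\n", run_test_set(whole_guard_tests, 2));
    printf("each-then tests : %d exits untested\n", run_test_set(each_then_tests, 4));
    return 0;
}
```

The four vectors that clear every exit are the same n + 1 vectors an MC/DC set for a three-operand `and` would contain: the short-circuit form removes the MCDC analysis, not the tests.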

Page 23: Inlining code

- If decisions/conditions are introduced:
  - Decisions must be identified and verified (Level B)
  - Conditions must be identified and verified (Level A)
- Verification may be done by analysis
- Traced to derived requirements: ensure safety is not compromised
- Code may be "deactivated"
- As inlined code depends on local state, it may be very hard to test the conditions in accordance with the standard's requirements
- Intent: absence of unintended function. Dead code is not allowed.

Page 24: Use of Tools

- Tool qualification is required if a tool replaces a step of the development process
- Development tools
  - Examples: compiler, design-to-code generator
  - May introduce an error
  - In general NOT qualified, not trusted
- Verification tools
  - Examples: coverage analyser
  - May conceal an error
  - May be qualified: trusted for verification purposes
- Additional verification process required if the tool is not trusted

Page 25: CNS/ATM Process Integration

- Information matrix: regulators, committees, standards bodies, standard
- Software integrity assurance standards vs. software development standards
- Relationships between DO-178B and IEC 61508

Page 26: Ground Based Community

- Communications / Navigation / Surveillance and Air Traffic Management: in the loop
- Ground based systems affect airborne software
- DO-178B addresses airborne only
- Guidance being prepared to encompass the needs of the CNS/ATM community (SC-190 committee)
- Standards tightening up

Page 27: Certification Standards are Improving

- "Holes" in documents are being fixed
- Understanding of certification requirements is spreading
- Industry and certification authorities are collaborating on guidance materials
- It will get more difficult to "shop around" for a more lenient signature

Page 28: (Legal) vs. Safety Systems

Diagram comparing the two:
- Legal: Laws, Regulations, Standards, Guidelines; Case Law, Precedent, Interpretations, Standards, Guidelines
- Safety Systems: Visibility, Traceability; PROCESS; EVIDENCE / RECORD; Confidence / Safety

Page 29: When Is Software Safe?

Page 30: When Is Software Safe?

We don't know!!

Page 31: What is our best guess about the safety?

- When applicable processes have been followed
- When we have verified the code "from within"
- When this has been checked
  and checked
  and checked
  and checked
  and checked
  and checked

Page 32: The FAA/JAA Rules are Strict

To date: "no fatalities have been attributed to software failure"

Have we been lucky?

Have we been safe?