practice
DOI: 10.1145/2001269.2001286

Article development led by queue.acm.org

By B. Scott Andersen and George Romanski

Verification of Safety-Critical Software

Avionics software safety certification is achieved through objective-based standards.

Avionics software has become a keystone in today's aircraft design. Advances in avionics systems have reduced aircraft weight, thereby reducing fuel consumption, enabled precision navigation, improved engine performance, and provided a host of other benefits. These advances have turned modern aircraft into flying data centers, with computers controlling or monitoring many of the critical systems onboard. The software that runs these aircraft systems must be as safe as we can make it.

The Federal Aviation Administration (FAA) and its European counterparts, along with the major airframe, engine, and avionics manufacturers, worked together to produce guidance for avionics software developers, culminating in the document Software Considerations in Airborne Systems and Equipment Certification [6], published in the United States by the nonprofit organization RTCA as DO-178B and in Europe by EUROCAE as ED-12B. The guidance in DO-178B is in the form of objectives and activities that must be met or performed to earn certification for the software product.

A safety assessment and hazard analysis help determine the Design Assurance Level (DAL) for the software by characterizing the effects of its failure on the aircraft, crew, and passengers. There are five DALs (quoted directly from DO-178B and FAA Advisory Circular AC 25.1309-1A):

• Catastrophic: Failure conditions that would prevent continued safe flight and landing.

• Hazardous/Severe-Major: Failure conditions that would reduce the capability of the aircraft or the ability of the crew to cope with adverse operating conditions to the extent that there would be: (1) a large reduction in safety margins or functional capabilities, (2) physical distress or higher workload such that the flight crew could not be relied on to perform their tasks accurately or completely, or (3) adverse effects on occupants including serious or potentially fatal injuries to a small number of those occupants.

• Major: Failure conditions that would reduce the capability of the aircraft or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example, a significant reduction in safety margins or functional capabilities, a significant increase in crew workload or in conditions impairing crew efficiency, or discomfort to occupants, possibly including injuries.

• Minor: Failure conditions that would not significantly reduce aircraft safety, and that would involve crew actions that are well within their capabilities. Minor failure conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in crew workload, such as routine flight plan changes, or some inconvenience to occupants.

• No Effect: Failure conditions that do not affect the operational capability of the aircraft or increase crew workload.

In DO-178B these categories correspond, from most to least severe, to software levels A through E.