
The adoption of DO-178C in military applications  

1st May 2025

Introduction

Across the world there is an increasing tendency for civil functional safety standards to be adopted for military applications.

For example, as weapon systems become more reliant on software implementations, software development and verification contribute increasingly to mission success. Consequently, the number of software lines of code in aerospace systems continues to increase. Military aircraft systems manufacturers face a particular challenge for software development and verification of safety-critical systems. Because military aircraft systems integrators often rely on suppliers who are also familiar with the civil market, the infrastructure and familiarity with RTCA DO-178C “Software Considerations in Airborne Systems and Equipment Certification” is often leveraged as part of supplier contracts.

However, DO-178C is not identical to military software verification practices and methods prescribed in defence standards, such as the United States Department of Defense Handbook MIL-HDBK-516C “Airworthiness Certification Criteria”, United States Department of Defense Standard Practice MIL‑STD-882E “System Safety”, United Kingdom Ministry of Defence standard 00-055 “Requirements for Safety of Programmable Elements in Defence Systems”, and other military guidance.

Further complicating the landscape is that military aircraft may have the requirement to fly in civil airspace, and therefore their communication, navigation, and surveillance equipment standards must map to DO-278A as well as the software development process standards of DO-178C for compatibility with civil requirements. (That said, DO-278A and DO-178C are closely related “safety-by-design” process standards, sharing many structural and methodological similarities, though tailored to different operational domains.)

So, to what extent can DO-178C principles be followed in pursuit of military airworthiness certification?

Why DO-178C?

There is nothing mandating military organizations to adopt the DO‑178C software process standard, or its electronic hardware equivalent, DO-254. But the increasing popularity of such an approach suggests that those organizations see considerable benefit in doing so.

Perhaps the most obvious advantage is transparency and visibility. Of course, there is a need for confidentiality in military applications, but that is different to making the development processes, their products and their artefacts visible to those who need to know – from requirements, through code, to test artefacts.

A related advantage is that of improved maintainability and reusability. DO-178C requires a consistent approach to thorough documentation, modularisation, bidirectional traceability and reviews which makes software maintainable even to those not involved with its initial development, and hence more easily transferable and reusable between projects.

It is also true that many avionics applications are dual-purpose. Embracing a common standard makes that much more easily accommodated. In a similar vein, subcontractors familiar with civil avionics will clearly find working with a familiar standard much easier to accommodate, bringing the commercial advantage of increased competition. And a much larger pool of developers is familiar with DO-178C than is often the case with military specific standards, making recruitment much less onerous.

Whatever the reasons, the popularity of this approach continues to rise and so it is useful to consider how it works in practice.

MIL-HDBK-516

The United States Department of Defense Handbook MIL-HDBK-516C “Airworthiness Certification Criteria” establishes the airworthiness certification criteria to be used in the determination of airworthiness of all manned and unmanned, fixed and rotary wing air vehicle systems. It is a foundational document for the guidance of the system programme manager, chief engineer, and contractors in the definition of the basis for their air system’s airworthiness certification.

The criteria dictated by MIL-HDBK-516 can be tailored to suit the application, according to the following process:

  1. Inapplicable criteria are identified, and rationale provided for their exclusion.
  2. Criteria that have only partial applicability are identified, along with supporting rationale.
  3. Supplemental criteria are defined, complete with measurable parameters.
  4. Additional criteria not specified by the handbook are defined.

The resulting tailored Basis of Certification is a programme-level document that describes how to specify, design, build and test the system. It forms part of a set of documents which also includes the Tailored Airworthiness Certification Criteria (TACC), the Airworthiness Qualification Plan (AQP), and Performance Requirements – that is, what needs to be designed.

DO-178C in context

The guidance document DO-178 “Software Considerations in Airborne Systems and Equipment Certification” was first published in 1982, re-written in 1992 as DO-178B and updated in 2011 as DO‑178C, to reflect the experience accrued to meet today’s aviation industry needs.

The ARP 4754A standard, “Aircraft and System Development Process”, dictates that functional hazard analyses and system safety assessments are performed prior to a system’s development. A Development Assurance Level (DAL) is assigned accordingly for that system, and for the items that implement its hardware and software requirements (below).

Design Assurance Levels used by DO-178C

The DO-178C standard then provides detailed guidance for the development and verification of safety-critical airborne software items in accordance with the assigned DAL, such that the effort and expense of producing, say, a flight control system is necessarily higher than that required to produce an in-flight entertainment system.

DO-178C covers the complete software lifecycle: planning, development and integral processes to ensure correctness and robustness in the software. The integral processes include software verification, software quality assurance, configuration management assurance and certification liaison with the regulatory authorities.

Although the standards do not oblige developers to use analysis, test, and traceability tools in their work, such tools improve efficiency in all but the most trivial projects to the extent that they have a significant part to play in the achievement of the airworthiness objectives for airborne software throughout the development lifecycle.

DO-178C and MIL-HDBK-516 in tandem

Even though MIL-HDBK-516 is clearly a defence standard whereas DO-178C was designed for commercial aircraft, their relationship is complementary as illustrated below. (For context, note that MIL-STD-882E provides the safety process and analysis methods used to demonstrate compliance with the airworthiness criteria defined in MIL-HDBK-516.)

Relationships between US military and RTCA standards

There is sufficient synergy such that with careful project management these two apparently disparate standards can be applied to military avionics systems successfully.

Suppose, for example, that a system applicable to a military Unmanned Air Vehicle (UAV) is to be developed. Consideration must be given to the fact that a DO-178C approach requires that a set of compliant plans be generated, judged to be compliant by the certification authority, and then the approved plans become the basis against which the project is judged. The software development lifecycle is required by the civil regulations to be surrounded by safety, hardware, and system (including integration) disciplines.

In this scenario, the USAF would take the role of the certification authority and would likely look to ensure that all these disciplines be accounted for to create a complete lifecycle. With plans established, execution to those plans and the corresponding development of the software lifecycle data become the criterion for system approval.

One approach to the integration of appropriate standards to create that life-cycle might be as follows.

Project methodology

  1. Create a database of certification criteria leveraging the appropriate supplements to MIL‑HDBK-516 (in this case, the UAS supplement)
  2. Map DO-178C and required entry processes, System Safety & Systems Engineering, to identified criteria to look for coverage completeness
  3. Give due consideration to USAF positioning on DO-178C

Adoption of standards

The intention here is to select specifications to define the development approaches, while taking care to implement MIL-HDBK-516B fully.

  1. Adopt ARP 4754A for the systems design approach
  2. Base the system safety process on MIL-STD-882E, ARP 4761 and the Joint Systems Software Safety Handbook
  3. Adopt DO-178C and DO-254 as the development approaches for software and electronic digital hardware items.
  4. Fill any remaining gaps that exist in the coverage of MIL-HDBK-516B requirements within the “Additional Considerations” objective of the DO-XXX documents

High level mapping

  1. ARP 4754A Aircraft and System Development Process maps to MIL-HDBK-516B Section 4, Systems Engineering
  2. System & Software Safety maps to MIL-HDBK-516B Section 14, System Safety
  3. DO-178, DO-254 and DO-297 map to MIL-HDBK-516B Section 15, Computer Resources
  4. Certification authority sets precedence if standards conflict
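The tailoring steps listed under MIL-HDBK-516 and the coverage mapping above amount to a gap analysis: every retained criterion needs an adopted standard behind it, every excluded or partial one needs a rationale, and whatever is left falls to the “Additional Considerations” objective. The following is an added illustration, not LDRA’s or any programme’s tooling; the criterion identifiers and records are constructed, and only the section names and standards come from the mapping above.

```python
from dataclasses import dataclass, field

@dataclass
class Criterion:
    cid: str                    # constructed identifier, not a real handbook criterion number
    section: str                # MIL-HDBK-516 section name as used in the mapping above
    status: str = "applicable"  # applicable | partial | inapplicable | supplemental
    rationale: str = ""         # tailoring steps 1 and 2 require this for inapplicable/partial
    parameters: str = ""        # tailoring step 3 requires measurable parameters for supplemental
    covered_by: list = field(default_factory=list)  # adopted standards claimed to satisfy it

# Adopted standards per MIL-HDBK-516B section, as in the high level mapping above
STANDARD_FOR_SECTION = {
    "Systems Engineering": {"ARP 4754A"},
    "System Safety": {"MIL-STD-882E", "ARP 4761", "Joint Systems Software Safety Handbook"},
    "Computer Resources": {"DO-178C", "DO-254", "DO-297"},
}

def tailoring_defects(criteria):
    """Tailoring records missing the rationale or measurable parameters the handbook asks for."""
    defects = []
    for c in criteria:
        if c.status in ("partial", "inapplicable") and not c.rationale.strip():
            defects.append((c.cid, "missing rationale"))
        if c.status == "supplemental" and not c.parameters.strip():
            defects.append((c.cid, "missing measurable parameters"))
    return defects

def coverage_gaps(criteria):
    """Retained criteria that no standard adopted for their section covers; these are what
    the 'Additional Considerations' objective of the DO-XXX documents must pick up."""
    gaps = []
    for c in criteria:
        if c.status == "inapplicable":
            continue  # excluded by tailoring, so no coverage is needed
        if not STANDARD_FOR_SECTION.get(c.section, set()) & set(c.covered_by):
            gaps.append(c.cid)
    return gaps

SAMPLE = [  # constructed records for illustration only
    Criterion("4.1", "Systems Engineering", covered_by=["ARP 4754A"]),
    Criterion("14.2", "System Safety", "partial", covered_by=["MIL-STD-882E"]),  # rationale absent
    Criterion("15.3", "Computer Resources", covered_by=["DO-178C", "DO-254"]),
    Criterion("15.9", "Computer Resources", covered_by=["MIL-STD-882E"]),  # wrong discipline
    Criterion("S-1", "Computer Resources", "supplemental", parameters="WCET margin >= 20 %"),
    Criterion("7.4", "Structures", "inapplicable", rationale="not applicable to this UAV"),  # section name constructed
]
```

Running `tailoring_defects(SAMPLE)` flags 14.2, and `coverage_gaps(SAMPLE)` lists 15.9 and the uncovered supplemental criterion S-1 as candidates for Additional Considerations.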

DEF-STAN-0055/0056

The position of the UK’s Ministry of Defence is largely similar to that of the US Department of Defense in that it encourages the use of DO-178.

It also suggests the use of other civil standards where appropriate. For example, Ministry of Defence standard 0056 (or DEF-STAN-0056) “Safety Management Requirements for Defence Systems” states that “The MOD encourages the use of open, civil standards where possible, eg. ARP4754/DO-178 in an air application, or ISO 26262 in an automotive application”.

This broadening of outlook leads to some differences of approach between the two countries, as there are between different defence organizations across the world. For instance, as implied by the earlier example, the US approach to UAV development tends to favour the application of DO-178C.

Functional safety management throughout Europe is based on IEC 61508. DefStan 00-55 and 00-56 represent an MoD-specific interpretation and tailoring of IEC 61508, just as ISO 26262 is the automotive tailoring. The advantage from the UK perspective is that IEC 61508 is written in very general terms, so no mental gymnastics are required to move from manned aircraft to UAVs.

DEF-STAN-0055 dictates how the principles of DEF-STAN-0056 are to be applied in the specific case of programmable elements. Issue 4 states that “The governance approach enables tailoring of the application of DO-178 to be agreed including the use of alternative methods/approaches that are at least as effective; or supplementary obligations where particular risks or circumstances suggest that the methods recommended in DO-178 may not be sufficient.”

In short and as for the US approach, the position approximates to one of “as civil as possible, military where necessary” and there is an analysis process to ascertain where there are shortfalls to be attended to.

Some of the likely shortfalls are spelled out in DEF-STAN-0055 itself. For example, there is a suggestion that “The [DO-178] Plan for Software Aspects of Certification (PSAC) may be used to partially address the requirements for a [DEF-STAN-0055] PE Safety Management Plan, however specific aspects of the interface to the MOD/PSS process may need to be captured elsewhere (eg within a higher level management plan).”

There are many other parallels between the US and UK approaches. For example, DEF-STAN-0055 also acknowledges the need for regulatory oversight in equivalence to the role of a DER for a civil application.

A(M)C 20-193 and military aviation

One of the benefits of piggy-backing DO-178C from a military perspective is that as new technologies emerge and the civil aviation sector adapts to them, developers of military aircraft and related systems automatically benefit from their work.

The emergence of Multicore Processors in safety-critical systems provides a good example of that principle. A(M)C 20-193 complements the existing DAL framework used in documents like DO-178C and DO-254 and addresses the challenges in the adoption of MCPs in hard real-time safety-critical embedded applications including non-deterministic behaviour, interference channels, and increased complexity.

Worst-Case Execution Time (WCET) plot generated by the LDRA tool suite

For example, the UK Ministry of Defence has formally incorporated AMC 20-193 into its military airworthiness standards. Specifically, Defence Standard 00-970 has been updated to reference AMC 20-193 as the Acceptable Means of Compliance (AMC) for certifying multi-core processors (MCPs) in safety-critical applications with Item Development Assurance Levels (IDAL) A to C. This integration aligns military certification practices with EASA’s guidance.

In summary

Software development and verification has become increasingly important for all aerospace systems. Because military aircraft systems integrators often rely on suppliers familiar with the civil market, the infrastructure and familiarity with RTCA DO-178C “Software Considerations in Airborne Systems and Equipment Certification” is often leveraged as part of supplier contracts – as are supplementary documents such as A(M)C 20-193.

Integrating civil standards into a coherent development lifecycle compliant with defence standards requires care, diligence and expertise, particularly with respect to gap analysis between the civil and defence methodologies. One way of ensuring success is to seek consultancy support from a provider who is experienced and expert in this specialist field. LDRA Certification Services (LCS) is an example of such a consultancy.

Further information

Webinar-on-demand: MIL-STD-882E and DO-178C Entanglement

Website: Aerospace & Defense

Website: Demystify the who, what, when and why of successful DO-178C compliance.

Website: Understanding A(M)C 20-193

Brochure: LDRA Certification Services


About the Author
Mark Pitchford

Mark Pitchford has over 30 years’ experience in software development for engineering applications. He has worked on many significant industrial and commercial projects in development and management, both in the UK and internationally. Since 2001, he has worked with development teams looking to achieve compliant software development in safety and security critical environments, working with standards such as DO-178, IEC 61508, ISO 26262, IIRA and RAMI 4.0.

Mark earned his Bachelor of Science degree at Nottingham Trent University, and he became a Chartered Engineer over 35 years ago. He now works as Technical Specialist with LDRA Software Technology.
