DO-278A Best Practices
Certain good aviation software development practices are self-evident: defect prevention, experienced developers, automated testing, and fewer late changes. This paper isn’t about the obvious, as it is assumed the reader is already educated by virtue of making it to this page. Instead, the AFuzion DO-278A Best Practices identified herein are subtler and considerably “less practiced”, and have been deployed by AFuzion’s CNS/ATM engineers and auditors on many leading CNS/ATM projects in America, Europe, Australia, Asia, and the Middle East. Why focus on critical-path Best Practices for CNS/ATM and DO-278A deployment? Simple: today’s CNS/ATM projects are growing massively in complexity, with a strong tendency to automate activities that were formerly performed manually by controllers. For business reasons, engineering management is loath to affect the critical path, so the practices that matter most are the ones that protect it.
CNS/ATM systems often contain significant non-certified legacy software and hardware. Instead of starting over and redeveloping these systems from scratch, the concept of “Service History” (where “history” denotes evidence of strong record-keeping) is applied. Certification Authorities Software Team (CAST) Memorandum #1 (CAST-1) covers the attributes applicable to claiming service history credit; these are depicted below. Note that few systems ever rank completely high within every attribute, so the Plan for Software Aspects of Approval (PSAA, DO-278A’s certification plan) must provide details on how each attribute is satisfied, and on what supplemental verification covers any attribute that is not. The relevant CAST-1 table is provided below:
DO-278A has specific objectives based upon the assurance level (AL) of the software. Higher ALs must satisfy more DO-278A objectives than lower levels. After the software assurance level has been determined, you examine DO-278A’s objective tables to determine exactly which objectives must be satisfied for the software. Remember, DO-278A, unlike DO-178C, has a level between DO-178C’s Level “C” and Level “D”, called Assurance Level 4 (AL4). In AFuzion’s DO-278A training, it is taught that Level C is white-box (structural coverage of the source code is required) whereas Level D is black-box (requirements-based testing without structural coverage). AL4 is “gray-box”: it is often applied to COTS software where the source code is not available but the COTS API is, so verification is performed against the API rather than the internal code. (Details on AFuzion’s DO-278A training are available here: https://afuzion.com/private-training/do-278a-training-cnsatm-ground-based-systems-training-class/ )
After determining DO-278A’s Assurance Level via an ARP4754A- and ARP4761A-based safety assessment, you are ready for planning. This is where DO-278A is similar to building a house: you have performed a geographic analysis to determine what type of foundation is required; that is your “safety assessment”. Then you need a Planning Process, followed by a Development Process. A concurrent Correctness Process (the integral processes) runs throughout both Planning and Development. CNS/ATM software engineering under DO-278A thus mirrors building a house and follows the same three-phased process approach. The key DO-278A processes are depicted below, roughly to scale:
As can be seen in the above figure: the Planning process comes first, and when complete it is followed by a larger Development process. In the background, the largest set of processes is performed continuously: Verification, Configuration Management, Quality Assurance, and Approval Liaison. As in DO-178C, a key aspect of Quality Assurance is first ensuring that the plans are complete and comply with DO-278A, then assessing Engineering’s conformance to those plans. Quality Assurance also assesses the transition criteria between the requisite activities to ensure that the timeliness and the inputs/outputs of each activity are in accordance with the plans. The five DO-278A plans are depicted below (excerpted from AFuzion’s DO-278A Training Class materials):
The following figure summarizes the Top 10 not-always-obvious DO-278A Best Practices. The detailed table that follows provides use-case information intended to help the CNS/ATM DO-278A practitioner (and auditor) perform KPI-based analysis of the efficacy of deploying each best practice. (Note: Details of everything mentioned above are contained within the following pages of this paper (download to read). For additional DO-278A training, guidance, gap analysis, and mentoring, simply contact AFuzion.)