4.3: DO-178C Integration
Introduction
DO-178C "Software Considerations in Airborne Systems and Equipment Certification" is the aviation industry's software development standard. While ASPICE is automotive-focused, this section shows how ASPICE processes can be adapted for DO-178C compliance in avionics systems.
DO-178C Overview
Design Assurance Levels (DAL)
| DAL | Failure Condition | Effect on Aircraft/Passengers | Objective Rigor | Comparable ASIL/SIL |
|---|---|---|---|---|
| DAL A | Catastrophic | Prevents safe flight/landing, likely fatalities | Highest | ≈ ASIL-D / SIL 4 |
| DAL B | Hazardous | Large reduction in safety margins, serious injuries | High | ≈ ASIL-C / SIL 3 |
| DAL C | Major | Significant reduction in safety margins, discomfort | Medium | ≈ ASIL-B / SIL 2 |
| DAL D | Minor | Slight reduction in safety, inconvenience | Low | ≈ ASIL-A / SIL 1 |
| DAL E | No Effect | No impact on safety | Minimal | QM |
Example DAL Classifications:
- DAL A: Flight control system (fly-by-wire)
- DAL B: Engine control (FADEC - Full Authority Digital Engine Control)
- DAL C: Weather radar
- DAL D: Cabin entertainment system
- DAL E: Non-safety passenger Wi-Fi
DO-178C vs ASPICE: Process Comparison
DO-178C Software Lifecycle Processes
| DO-178C Process (Section) | ASPICE Equivalent | Integration Notes |
|---|---|---|
| Planning Process (4) | MAN.3 Project Management | DO-178C requires PSAC, SDP, SVP, SCMP |
| Software Requirements (5.1) | SWE.1 Software Requirements | High-level requirements (derived from system) |
| Software Design (5.2) | SWE.2 SW Arch + SWE.3 Detailed Design | Low-level requirements + architecture |
| Software Coding (5.3) | SWE.3 BP6 Develop software unit | Source code implementation |
| Integration (5.4) | SWE.5 Software Integration | Incremental integration with testing |
| Verification (6) | SWE.4 Unit Verification + SWE.6 Qualification | Reviews, analysis, testing |
| Configuration Management (7) | SUP.8 Configuration Management | Baseline control, change management |
| Quality Assurance (8) | SUP.1 Quality Assurance | Independent audits, reviews |
| Certification Liaison (9) | N/A (DO-178C-specific) | Interaction with certification authority |
Key Insight: ASPICE maps well to DO-178C, but DO-178C demands extensive documentation and independence.
DO-178C Objectives by DAL
Verification Objectives Table (DO-178C Table A-1 to A-10)
Sample: Software Verification Objectives
| Objective | DAL A | DAL B | DAL C | DAL D | DAL E | ASPICE Integration |
|---|---|---|---|---|---|---|
| Reviews of software requirements | [OK] | [OK] | [OK] | [OK] | - | SWE.1 BP6: Ensure consistency |
| Requirements-based testing | [OK] | [OK] | [OK] | [OK] | [OK] | SWE.4 BP2: Requirements-based test design |
| Structural coverage (statement) | [OK] | [OK] | [OK] | - | - | SWE.4 BP4: Statement coverage |
| Structural coverage (decision/branch) | [OK] | [OK] | - | - | - | SWE.4 BP4: Decision coverage (DAL A/B) |
| Structural coverage (MC/DC) | [OK] | [OK] | - | - | - | SWE.4 BP4: MC/DC coverage (DAL A/B) |
Coverage Requirements by DAL (DO-178C Section 6.4.4):
- DAL A: Statement + Decision + MC/DC (Modified Condition/Decision Coverage) - 100% each
- DAL B: Statement + Decision + MC/DC - 100% each
- DAL C: Statement + Decision Coverage - 100% each; MC/DC not required
- DAL D: No structural coverage required
- DAL E: No structural coverage required
Comparison to ISO 26262:
- DAL A/B (MC/DC) = ASIL-C/D (MC/DC)
- DAL C (Statement + Decision) ≈ ASIL-B (Branch coverage)
- DAL D (no coverage) ≈ ASIL-A (Statement coverage)
DO-178C Key Planning Documents
1. Plan for Software Aspects of Certification (PSAC)
Purpose: Defines how software will achieve certification.
ASPICE Integration: MAN.3 BP2 (Define lifecycle model)
PSAC Template (Simplified):
# Plan for Software Aspects of Certification (PSAC)
## Flight Control System - DAL A
### 1. System Overview
**Aircraft**: Regional Jet X200
**Software Item**: Primary Flight Control Computer (PFCC)
**DAL**: Level A (Catastrophic failure condition)
**Certification Basis**: DO-178C, EASA CS-25
### 2. Software Lifecycle
**Lifecycle Model**: V-Model with incremental integration
```text
Requirements → Design → Code → Unit Test
     ↓           ↓        ↓         ↑
System Requirements Analysis → System Verification
```
### 3. Software Development Standards
| Standard Type | Document | Version |
|---------------|----------|---------|
| Coding Standard | MISRA C:2012 + DO-178C Supplement | v2.0 |
| Design Standard | DO-331 (Model-Based Dev) | 2011 |
| Tool Qualification | DO-330 | 2011 |
### 4. Verification Activities
| Activity | Responsibility | Schedule |
|----------|----------------|----------|
| Requirements Review | Independent V&V Team | Monthly |
| Design Review | System Safety + IV&V | After each release |
| Code Review | Peer + IV&V | Continuous (every PR) |
| Testing (MC/DC) | Test Team + IV&V | Per build (weekly) |
### 5. Configuration Management
**Tool**: Git + Jira
**Baseline Control**: All releases tagged and archived
**Change Control**: CCB (Change Control Board) approval for DAL A changes
### 6. Quality Assurance
**Independence**: IV&V team reports to Chief Engineer (separate from development)
**Audits**: Quarterly process audits, final certification audit
### 7. Certification Milestones
| Milestone | Date | Deliverables to Authority |
|-----------|------|---------------------------|
| Software Plans Review | 2025-06-01 | PSAC, SDP, SVP, SCMP, SQAP |
| Software Accomplishment Summary | 2026-12-01 | SAS, all verification data |
| Type Certification | 2027-03-01 | Final approval from EASA |
### 8. Approval
**Applicant**: Aircraft Manufacturer Inc.
**Certification Authority**: EASA
**Approved by**: [Chief Engineer], [Certification Manager]
**Date**: 2025-12-17
2. Software Development Plan (SDP)
Purpose: Describes software development process, standards, tools.
ASPICE Integration: MAN.3 BP1 (Define project scope) + all SWE processes
Key Sections:
- Development environment (compilers, IDEs, tools)
- Coding standards (MISRA C compliance)
- Peer review process
- Development milestones
3. Software Verification Plan (SVP)
Purpose: Defines verification strategy (reviews, analysis, testing).
ASPICE Integration: SWE.4 BP1 (Develop unit verification strategy)
Verification Methods by DAL:
| Method | DAL A | DAL B | DAL C | DAL D | ASPICE Process |
|---|---|---|---|---|---|
| Requirements Review | Required | Required | Required | Required | SWE.1 BP6 |
| Design Review | Required | Required | Required | - | SWE.2 BP8 |
| Code Review | Required | Required | Required | - | SWE.3 BP7 |
| Requirements-Based Testing | Required | Required | Required | Required | SWE.4 BP2, SWE.6 BP2 |
| Structural Coverage Analysis | Stmt + Decision + MC/DC | Stmt + Decision + MC/DC | Stmt + Decision | Not required | SWE.4 BP4 |
DO-178C Verification Independence
Independence Requirements
| DAL | Independence Requirement (DO-178C Table A-7) | ASPICE Implementation |
|---|---|---|
| DAL A | Verification by person(s) other than the developer; test cases developed independently from code | Independent test engineer or IV&V team within company; external IV&V may be required by certification authority |
| DAL B | Verification by person(s) other than the developer | Peer review by different team member; independent QA team (SUP.1) |
| DAL C | Independence not explicitly required for all activities | Internal peer review acceptable (SWE.3 BP7, SWE.4 BP3) |
| DAL D | No independence required | Self-verification acceptable |
ASPICE Alignment:
- SUP.1 BP1: Establish quality assurance strategy
- SUP.1 BP4: Perform quality assurance reviews (independent for DAL A/B)
Traceability Requirements (DO-178C Section 6.3)
DO-178C Traceability Data
Required Traces:
System Requirements
↓ (derives)
High-Level Software Requirements (HLSR)
↓ (derives)
Low-Level Software Requirements (LLSR)
↓ (implements)
Source Code
↓ (verifies)
Test Cases
Traceability Matrix Example (DAL B):
| System Req | HLSR | LLSR | Source File | Function | Test Case | Status |
|---|---|---|---|---|---|---|
| SYS-REQ-042 | HLSR-089 | LLSR-142, LLSR-143 | flight_ctrl.c | calculatePitch() | TC-HLSR-089 | [PASS] Verified |
| SYS-REQ-043 | HLSR-090 | LLSR-144 | flight_ctrl.c | calculateRoll() | TC-HLSR-090 | [WARN] Partial coverage |
ASPICE Integration:
- SWE.1 BP5: Establish bidirectional traceability (SWE requirements ↔ System requirements)
- SWE.2 BP7: Establish traceability (Architecture ↔ Requirements)
- SWE.4 BP5: Establish traceability (Tests ↔ Requirements)
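The following is an added example (not part of the original page) that audits a DO-178C trace chain in both directions: System Req → HLSR → LLSR → Source Code, with requirements-based test cases traced back to the requirement they verify. The link data is constructed to mirror the matrix above; the combined `file:function` identifiers and the untraced helper `debugDump` are assumptions for illustration.

```python
"""Bidirectional traceability audit over the DO-178C chain
System Req -> HLSR -> LLSR -> Source Code, plus requirements-based
test cases traced back to the requirement they verify."""
from collections import defaultdict

# Constructed sample links modelled on the matrix above (not real project data).
# Each tuple is (upstream_item, downstream_item).
LINKS = [
    ("SYS-REQ-042", "HLSR-089"), ("SYS-REQ-043", "HLSR-090"),
    ("HLSR-089", "LLSR-142"), ("HLSR-089", "LLSR-143"), ("HLSR-090", "LLSR-144"),
    ("LLSR-142", "flight_ctrl.c:calculatePitch"),
    ("LLSR-143", "flight_ctrl.c:calculatePitch"),
    ("LLSR-144", "flight_ctrl.c:calculateRoll"),
    ("HLSR-089", "TC-HLSR-089"),   # requirements-based test for HLSR-089
    # HLSR-090 has no test case yet: this is the "partial coverage" row above.
]
# Every code unit in the baseline, including a hypothetical helper that no
# LLSR traces to (code without a requirement is a finding to resolve).
CODE_UNITS = {"flight_ctrl.c:calculatePitch", "flight_ctrl.c:calculateRoll",
              "flight_ctrl.c:debugDump"}

def kind(item):
    """Classify a trace item by its identifier prefix (assumed naming scheme)."""
    for prefix, k in (("SYS-", "SYS"), ("HLSR-", "HLSR"), ("LLSR-", "LLSR"), ("TC-", "TC")):
        if item.startswith(prefix):
            return k
    return "CODE"

# Forward: every listed kind must exist downstream. Backward: at least one must exist upstream.
NEEDS_DOWN = {"SYS": ("HLSR",), "HLSR": ("LLSR", "TC"), "LLSR": ("CODE",)}
NEEDS_UP = {"HLSR": {"SYS"}, "LLSR": {"HLSR"}, "CODE": {"LLSR"}, "TC": {"HLSR", "LLSR"}}

def trace_gaps(links, code_units):
    """Return sorted 'ITEM: missing <direction> KIND' strings, one per gap."""
    down, up = defaultdict(set), defaultdict(set)
    items = set(code_units)
    for a, b in links:
        down[a].add(kind(b)); up[b].add(kind(a)); items.update((a, b))
    gaps = []
    for item in sorted(items):
        k = kind(item)
        for need in NEEDS_DOWN.get(k, ()):
            if need not in down[item]:
                gaps.append(f"{item}: missing downstream {need}")
        if k in NEEDS_UP and not (up[item] & NEEDS_UP[k]):
            gaps.append(f"{item}: missing upstream {'/'.join(sorted(NEEDS_UP[k]))}")
    return gaps

if __name__ == "__main__":
    for gap in trace_gaps(LINKS, CODE_UNITS):
        print(gap)
```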
Structural Coverage Analysis (DO-178C Section 6.4.4)
MC/DC Coverage (DAL A)
Modified Condition/Decision Coverage: every condition in a decision must be shown to independently affect the decision's outcome, demonstrated by a pair of test cases in which only that condition changes and the outcome changes with it.
Example (DAL A Flight Control):
```c
#include <stdbool.h>

// Decision: (altitudeValid && speedValid) || emergencyMode
// Three conditions; each must be shown to independently affect the result.
bool isFlightControlActive(bool altitudeValid, bool speedValid, bool emergencyMode) {
    return (altitudeValid && speedValid) || emergencyMode;
}
```

```text
// MC/DC Test Cases (6 tests required for 100% MC/DC)
TC-001: altitudeValid=T, speedValid=T, emergencyMode=F → Result=T (baseline)
TC-002: altitudeValid=F, speedValid=T, emergencyMode=F → Result=F (toggle altitudeValid)
TC-003: altitudeValid=T, speedValid=F, emergencyMode=F → Result=F (toggle speedValid)
TC-004: altitudeValid=T, speedValid=T, emergencyMode=T → Result=T (toggle emergencyMode)
TC-005: altitudeValid=F, speedValid=F, emergencyMode=T → Result=T (baseline for emergencyMode)
TC-006: altitudeValid=F, speedValid=F, emergencyMode=F → Result=F (toggle emergencyMode from TC-005)

// Independence pairs: altitudeValid (TC-001/TC-002), speedValid (TC-001/TC-003),
// emergencyMode (TC-005/TC-006)
// Coverage Tool Output:
// MC/DC Coverage: 100% (all conditions independently affect decision)
```
Tools for MC/DC:
- LDRA TBvision: DO-178C qualified MC/DC tool
- VectorCAST: Qualified for aviation use
- Gcov: NOT qualified for DAL A (requires qualification per DO-330)
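Added example (Python, not from the page or any of the tools listed above): it evaluates the decision from the flight-control example over TC-001 to TC-006, finds for each condition the independence pair (two vectors that differ only in that condition and produce different outcomes), and reports MC/DC coverage. It also shows the caveat a reviewer would check: without TC-005/TC-006, emergencyMode has no pair, because TC-001 and TC-004 differ only in emergencyMode but both evaluate to True.

```python
"""MC/DC independence-pair analysis for (altitudeValid && speedValid) || emergencyMode."""
from itertools import combinations

# Condition names, in the order used by the test vectors below.
CONDITIONS = ("altitudeValid", "speedValid", "emergencyMode")

def decision(altitude_valid: bool, speed_valid: bool, emergency_mode: bool) -> bool:
    """Python mirror of isFlightControlActive() from the page."""
    return (altitude_valid and speed_valid) or emergency_mode

# The six test vectors TC-001..TC-006 exactly as listed on the page.
TEST_CASES = {
    "TC-001": (True, True, False),
    "TC-002": (False, True, False),
    "TC-003": (True, False, False),
    "TC-004": (True, True, True),
    "TC-005": (False, False, True),
    "TC-006": (False, False, False),
}

def independence_pairs(test_cases):
    """For each condition, list the (tc_a, tc_b) pairs in which only that
    condition differs between the two vectors AND the decision outcome flips.
    Such a pair is the MC/DC evidence that the condition independently
    affects the outcome."""
    pairs = {cond: [] for cond in CONDITIONS}
    for (name_a, vec_a), (name_b, vec_b) in combinations(test_cases.items(), 2):
        differing = [i for i in range(len(CONDITIONS)) if vec_a[i] != vec_b[i]]
        if len(differing) != 1:
            continue  # more than one condition changed: not an MC/DC pair
        if decision(*vec_a) != decision(*vec_b):
            pairs[CONDITIONS[differing[0]]].append((name_a, name_b))
    return pairs

def mcdc_coverage(test_cases):
    """Return (percent of conditions with an independence pair, uncovered conditions)."""
    pairs = independence_pairs(test_cases)
    uncovered = [cond for cond in CONDITIONS if not pairs[cond]]
    covered = len(CONDITIONS) - len(uncovered)
    return 100.0 * covered / len(CONDITIONS), uncovered

if __name__ == "__main__":
    for cond, found in independence_pairs(TEST_CASES).items():
        print(f"{cond}: {found or 'NO INDEPENDENCE PAIR'}")
    print("full suite:", mcdc_coverage(TEST_CASES))
    # Dropping TC-005/TC-006 leaves emergencyMode unproven: TC-001 vs TC-004
    # changes only emergencyMode, but the outcome stays True in both.
    reduced = {k: v for k, v in TEST_CASES.items() if k not in ("TC-005", "TC-006")}
    print("without TC-005/006:", mcdc_coverage(reduced))
```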
Tool Qualification (DO-330: Software Tool Qualification Considerations)
Tool Qualification Levels (DO-330 Section 2.3)
DO-330 defines TQL based on the software level (DAL) and whether the tool is a development tool (Criteria 1: output becomes part of airborne software without verification) or a verification tool (Criteria 2: may fail to detect an error; Criteria 3: output is used to reduce, eliminate, or automate verification activities).
| TQL | DAL | Tool Criteria | Description | Qualification Rigor |
|---|---|---|---|---|
| TQL-1 | A | 1 (Development Tool) | Tool output used in airborne software at DAL A without independent verification | Highest: Full software lifecycle applied to the tool itself |
| TQL-2 | B | 1 (Development Tool) | Tool output used in airborne software at DAL B without independent verification | High: Full lifecycle with reduced objectives |
| TQL-3 | C | 1 (Development Tool) | Tool output used in airborne software at DAL C without independent verification | Medium: Reduced lifecycle objectives |
| TQL-4 | A/B | 2 or 3 (Verification Tool) | Tool may fail to detect errors or automates verification at DAL A/B | Medium: Operational requirements verification |
| TQL-5 | C/D or A/B/C/D | 2 or 3 (Verification Tool) | Tool may fail to detect errors or automates verification at DAL C/D, OR Criteria 3 verification tool at any level | Low: Operational requirements verification only |
Key Principle: Every TQL level requires qualification — DO-330 does not define a "no qualification required" level equivalent to ISO 26262 TCL 1.
Qualification Artifacts Required (all TQL levels require Tool Qualification Data):
| Artifact | TQL-1 | TQL-2 | TQL-3 | TQL-4 | TQL-5 |
|---|---|---|---|---|---|
| Tool Qualification Plan (TQP) | Required | Required | Required | Required | Required |
| Tool Operational Requirements (TOR) | Required | Required | Required | Required | Required |
| Tool Verification Cases & Results | Required | Required | Required | Required | Required |
| Tool Development Standards | Required | Required | Required | Not Req. | Not Req. |
| Tool Design Description | Required | Required | Reduced | Not Req. | Not Req. |
| Tool Accomplishment Summary (TAS) | Required | Required | Required | Required | Required |
ASPICE Integration (SUP.8):
- SUP.8 BP1: Develop configuration management strategy (includes tool qualification tracking)
- SUP.8 BP2: Identify configuration items (qualified tools are CIs)
Comparison to ISO 26262 TCL:
- DO-330 TQL-1 ≈ ISO 26262 TCL 3 (development tool, highest rigor)
- DO-330 TQL-4/5 ≈ ISO 26262 TCL 2/3 (verification tools)
- DO-330 is MORE stringent overall: no equivalent to TCL 1 (no qualification required); all tools affecting certification must be qualified
Software Accomplishment Summary (SAS)
Final Certification Document
Purpose: Summarize all development and verification activities for certification authority.
ASPICE Integration: Consolidation of all ASPICE work products as evidence.
SAS Template (Simplified):
# Software Accomplishment Summary (SAS)
## Primary Flight Control Computer (PFCC) - Software v3.5.0
**Aircraft**: Regional Jet X200
**Software Item**: PFCC
**DAL**: Level A
**Certification Basis**: DO-178C, EASA CS-25
**Certification Authority**: EASA
### 1. Software Identification
| Attribute | Value |
|-----------|-------|
| Software Part Number | PFCC-SW-v3.5.0 |
| Configuration Index | CI-2027-001 |
| Development Standard | DO-178C + DO-331 (Model-Based) |
| Language | C (ISO C11) + Simulink models |
### 2. Software Life Cycle Environment
**Development Tools (Qualified per DO-330)**:
- Compiler: IAR EWARM v9.30.1 (TQL-1 qualified)
- Static Analyzer: Polyspace Bug Finder R2024a (TQL-2 qualified)
- Coverage Tool: LDRA TBvision 10.5.2 (TQL-3 qualified)
- Code Generator: Simulink Embedded Coder R2024a (TQL-1 qualified)
**Configuration Management**: Git + Jira (controlled environment)
### 3. Software Conformity
| Criteria | Conformance Status | Evidence |
|----------|-------------------|----------|
| Software plans conform to DO-178C | [PASS] Compliant | PSAC, SDP, SVP approved by EASA (2025-06-15) |
| Software development performed per SDP | [PASS] Compliant | QA audit reports (quarterly, all passed) |
| Software verification performed per SVP | [PASS] Compliant | Verification results summary (below) |
| Traceability complete | [PASS] Compliant | Traceability matrices (HLSR→LLSR→Code→Tests) |
| Configuration management complete | [PASS] Compliant | All baselines controlled, change history documented |
### 4. Verification Results Summary
| Verification Activity | Objective | Completed | Pass Rate | Status |
|-----------------------|-----------|-----------|-----------|--------|
| HLSR Review | 100% | 100% | 100% | [PASS] Pass |
| LLSR Review | 100% | 100% | 98% | [WARN] 2 findings resolved |
| Code Review | 100% | 100% | 100% | [PASS] Pass |
| Requirements-Based Testing | 100% coverage | 100% | 100% | [PASS] Pass |
| MC/DC Structural Coverage | 100% MC/DC | 100% | 100% | [PASS] Pass |
### 5. Problem Reports
| PR ID | Description | Severity | Status |
|-------|-------------|----------|--------|
| PR-089 | HLSR-142 ambiguous wording | Minor | Closed (clarified in LLSR) |
| PR-102 | MC/DC gap in function calculateAltitude() | Major | Closed (additional test added) |
| PR-115 | Code review finding: magic number | Minor | Closed (replaced with #define) |
**Open PRs**: 0 (all closed)
### 6. Software Verification Data
**Deliverables**:
- Software Requirements Design Report (SRDR)
- Software Verification Report (SVR)
- Traceability Matrices (4 documents)
- Code Review Reports (150 reviews)
- Test Case Reports (500+ test cases, all passed)
- MC/DC Coverage Report (100% achieved)
### 7. Software Life Cycle Environment Configuration Index (SECI)
All tools and their qualification data are catalogued in the SECI document (DO-330 compliance).
### 8. Compliance Statement
**We certify that**:
1. Software development was conducted per approved PSAC, SDP
2. Software verification was conducted per approved SVP
3. All DO-178C objectives for DAL A software have been satisfied
4. Software configuration is under controlled baseline CI-2027-001
5. Software is ready for installation in Type Certified aircraft
**Approved by**:
- **Applicant** (Aircraft Manufacturer): [Name], [Date]
- **IV&V Lead**: [Name], [Date]
- **Certification Authority** (EASA): [Name], [Date]
---
**Conclusion**: Software PFCC v3.5.0 is **CERTIFIED** for installation in Regional Jet X200.
DO-178C vs ASPICE: Key Differences
| Aspect | DO-178C | ASPICE |
|---|---|---|
| Domain | Aviation only | Automotive (but adaptable) |
| Focus | Verification evidence for certification | Process capability improvement |
| Documentation | Extensive (PSAC, SDP, SVP, SCMP, SAS) | Lightweight (CL2: work products documented) |
| Independence | Mandatory for DAL A/B (IV&V) | Optional (CL3: recommended, not mandatory) |
| Tool Qualification | Required per DO-330 for tools that eliminate, reduce, or automate verification activities (applies to all DAL levels) | Required for TCL 2/3 tools under ISO 26262-8; TCL 1 tools require no formal qualification |
| Traceability | 5-level trace (System → HLSR → LLSR → Code → Tests) | 2-level trace (System → Software) |
| Coverage | MC/DC for DAL A | MC/DC for ASIL-C/D (less strict) |
Integration Strategy: Use ASPICE as process foundation, enhance with DO-178C documentation and independence requirements.
Summary
DO-178C Integration with ASPICE:
- DAL Levels: DAL A-E (Catastrophic to No Effect) similar to ASIL-D to QM
- Process Alignment: DO-178C lifecycle maps to ASPICE SWE.1-6
- Verification Rigor: DAL A requires MC/DC, independent IV&V, extensive documentation
- Tool Qualification: DO-330 mandates qualification of all tools that eliminate, reduce, or automate verification activities; no "no qualification required" category exists (stricter overall than ISO 26262)
- Certification Documents: PSAC, SDP, SVP, SAS required for aviation authority approval
- Independence: DAL A/B require independent verification (external IV&V for DAL A)
Key Takeaway: ASPICE provides process structure; DO-178C provides aviation-specific rigor and certification pathway.