DO-178 continues to adapt to emerging digital technologies
March 09, 2021
Guilty until proven innocent – that is how the U.S. Department of Defense (DoD) treats the safety-certification process for military avionics systems, and the software portion of these systems is no exception. Certifying avionics software to DO-178 is a detailed process by which the safety and security of the software are determined to be acceptable for flight. The certification process itself is still a work in progress: Having already undergone revisions since its inception in the late 1980s following the emergence of supplemental software in aviation, DO-178 and other safety-certification standards for military and commercial avionics are being challenged to keep pace with digital innovation.
In the past, companies specializing in both military and commercial aviation were given several years to run their products through the litany of tests and certifications required to then reach the market. Today, however, the cycle time to market is much faster and companies now face the added pressure of losing their competitive edge and spending excessive funds to certify their products.
These complications are paired with what officials say is increased scrutiny by the Federal Aviation Administration (FAA) and the European Union Aviation Safety Agency (EASA), following recent incidents with commercial aircraft. An industrywide push for increasingly complex hardware is also making software reuse a priority to ensure both affordability and a more efficient safety-certification procedure.
Trends in avionics safety certification all come down to industry innovation. As new and groundbreaking technologies emerge, standards must adapt to ensure that modernization efforts are maintained and supported, all while keeping certification documents timely and relevant. With the advent of artificial intelligence (AI), cyberwarfare, and unmanned technologies, manufacturers are pointing to a shift in avionics safety certification in hopes of finding the balance between rigor and flexibility.
Overcoming challenges with DO-178 certification
Software is still a relatively new element of digital technology in aviation. Moreover, software evolves at what can seem like lightning speed. As soon as the FAA, EASA, and other regulatory bodies implemented the processes and standards to certify software safety, it seemed as though even more advanced and state-of-the-art programs were released immediately afterward. But the aviation industry, both commercial and defense, embraces innovation and keeps its safety-certification documents current so that they keep pace with new technologies. One example is the addition of an extension to the DO-178 certification.
“The DO-178C is a newer evolution to the DO-178B standard for certifying avionics software,” says Arun Subbarao, vice president of engineering at Lynx Software Technologies (San Jose, California). “The main intent was to remove some of the ambiguity that was present in the older standard, as well as to allow some newer techniques such as formal methods, object-oriented code, or model-based development into the process. It also provides allowances for new topics such as the Parameter Data Item (PDI) and extraneous code.” (Figure 1.)
[Figure 1 | The Lynx MOSA.ic for Avionics combines the power of the separation kernel and hypervisor along with the LynxOS-178 partitioned RTOS to offer a DO-178C certifiable software product.]
DO-178C is important because excessive amounts of software code are known to drive up both the cost and the labor of certification. When efficiency is paramount, implementing restrictions at the standard level to keep the process moving can be hugely beneficial for customers. With such powerful software, however, hardware complexity is becoming a common obstacle in safety certification.
“The biggest challenge for certification to DO-178C remains mitigating multicore interference on a multicore processor in order to achieve the determinism and isolation required for safety certification,” says Richard Jaenicke, director of marketing at Green Hills Software (Santa Barbara, California). “The root of the problem is the contention for shared resources when one processor core is temporarily blocked from accessing a shared resource, such as shared memory, because it is already in use by a different processor core. This is not a problem that you can test your way out of.” (Figure 2.)
[Figure 2 | The INTEGRITY-178 tuMP RTOS from Green Hills Software includes multicore interference mitigation. Multicore interference occurs when separate processor cores (in gray) contend for shared resources (in green) ranging from the on-chip interconnect to the memory and I/O.]
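The shared-resource contention Jaenicke describes can be made concrete with a small timing model. The following is an added example, not code from the article or from Green Hills Software: it assumes a single shared resource (think of a memory bus) that serves one access at a time with a fixed latency, FIFO arbitration, and cores that stall while they wait. The task shape, the access latency and the start offsets are constructed values. It compares a core's run time in isolation, the worst case observed when another core is started at each of 21 offsets (a test campaign), and the static bound that the FIFO model gives; the test campaign never reaches the bound, which is the sense in which interference cannot be tested away but has to be bounded or mitigated by design.

```python
"""Toy model of multicore interference on one shared resource.

Constructed example, not code from the article or from Green Hills
Software. Simplifying assumptions: one shared resource that serves a
single access at a time with fixed latency, FIFO arbitration, cores that
block while waiting, and abstract cycle units.
"""
from dataclasses import dataclass

ACCESS_LATENCY = 4  # cycles the resource is busy per access (assumed value)


@dataclass
class Task:
    # local compute cycles preceding each shared access, in program order
    # (assumed non-empty)
    compute_gaps: list


def isolated_time(task: Task) -> int:
    """Execution time when the core has the chip to itself."""
    return sum(task.compute_gaps) + len(task.compute_gaps) * ACCESS_LATENCY


def worst_case_bound(task: Task, n_cores: int) -> int:
    """Static bound: under FIFO arbitration with blocking cores, each access
    can wait behind at most one in-flight access from every other core."""
    extra = len(task.compute_gaps) * (n_cores - 1) * ACCESS_LATENCY
    return isolated_time(task) + extra


def simulate(tasks: list, offsets: list) -> list:
    """Run all cores concurrently; return each core's absolute finish time.
    offsets[c] is the cycle at which core c starts."""
    n = len(tasks)
    idx = [0] * n                                   # next access index per core
    next_req = [offsets[c] + tasks[c].compute_gaps[0] for c in range(n)]
    finish = [None] * n
    resource_free = 0                               # cycle the resource is idle again
    while any(f is None for f in finish):
        pending = [c for c in range(n) if finish[c] is None]
        c = min(pending, key=lambda k: (next_req[k], k))  # FIFO: earliest request
        start = max(next_req[c], resource_free)            # stall if resource busy
        resource_free = start + ACCESS_LATENCY
        idx[c] += 1
        if idx[c] == len(tasks[c].compute_gaps):
            finish[c] = resource_free
        else:
            next_req[c] = resource_free + tasks[c].compute_gaps[idx[c]]
    return finish


def observed_worst(task: Task, n_cores: int, offset_window: range) -> int:
    """Worst execution time of core 0 seen when every other core runs the same
    task and is started at each offset in the window: a finite test campaign."""
    worst = isolated_time(task)
    for o in offset_window:
        finish = simulate([task] * n_cores, [0] + [o] * (n_cores - 1))
        worst = max(worst, finish[0])
    return worst


if __name__ == "__main__":
    t = Task([10, 10, 10])
    print("isolated:", isolated_time(t))                                # 42
    print("worst observed over 21 offsets:", observed_worst(t, 2, range(0, 21)))  # 45
    print("static bound:", worst_case_bound(t, 2))                      # 54
```

Widening the offset window or adding cores raises the observed figure but never above the bound; a certification argument has to rest on the bound (or on a mitigation that enforces one), not on the largest number a test happened to produce.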
Tailoring certification to military and commercial customers
The military is not required to adopt commercial aviation safety-certification guidelines, but it does so because such guidelines enable a more robust and safe aircraft for the warfighter.
“Commercial avionics customers are very strict in their adherence to DO-178C and obtaining FAA approval for airworthiness,” Subbarao says. “All of these systems have to get FAA approval to fly, so there is very little flexibility in this regard. However, military avionics customers have more flexibility in choosing to adhere to DO-178C processes or evolve other similar safety certification standards in certifying military systems that are airborne.”
This is due in part to the fact that the military understands the complexity of their avionics systems. The Department of Defense (DoD) is playing the long game with its airborne platforms and fully intends to ensure that they last decades by continually evolving.
“Historically, the military had its own version of ‘certifying’ a platform for flight,” says Mike Pyne, director strategic accounts & solutions architect at CoreAVI. “Unlike commercial platforms, the military had to deal with a variety of subsystems and components, so getting a product with a TSO certification [the FAA’s civilian certification] was rare. European Ministries of Defense have required commercial certification levels for decades, but the U.S. Department of Defense has always resisted this due to cost concerns – but this is beginning to change.”
Militaries are typically allowed more flexibility and don’t often come under the same FAA or EASA scrutiny as commercial aviation companies, mostly because defense aircraft usually aren’t flying over civilian-populated cities but are instead flying in-theater or over safe airspaces. Consequently, DO-178 can be tailored to maximize the return on investment and potentially lessen the rigor in certain areas.
“Militaries used to do really advanced testing called ‘black box’ when you can’t see inside,” says Vance Hilderman, chief technical officer at AFuzion. “Military avionics was really good at testing from the outside, but while important, civil aviation DO-178 provides more intrusive ‘white box’, so you look inside the software. So, older military systems were really well tested from the outside, but you didn’t really know what was inside. Now, militaries are using 178 as almost mandatory throughout the world.”
A special case regarding DO-178 certification in both commercial and military avionics has been unmanned platforms. Unmanned aerial systems (UASs) are even newer to the industry than the emergence of software, and while they present numerous benefits to warfighting and commerce, certifying UASs for safety is dependent on several factors.
Unmanned platforms present unique certification challenges
“In the past, because we needed these UASs – the Predators, the Global Hawks – we needed them really quick in Iraq and Afghanistan,” Hilderman says. “So, we were a little less formal about DO-178C, but today we know that they are a mainstay. We know that they need to be compliant to 178, but we also export those, and other countries don’t have these huge testing ranges that we do, they’re flying their UASs over civilian airspaces. So, they want to see 178, but we also have a standard called DO-278, and that applies to the portion of the UAS that is on the ground, because the pilot is on the ground. But UASs are also smaller and don’t have as much spare room.”
Large airborne platforms, particularly in commercial aviation, allow space for redundancy, so that if one part of the system fails, there is a backup. This is harder to achieve on UASs because the vehicle has far less payload capacity.
“Applying DO-178C to unmanned platforms is relatively new, and currently we see most UASs finding a way around DO-178C certification,” Jaenicke says. “Because there is no pilot to provide a backup safety layer, an additional layer of safety often is needed in the system. That could be in the form of redundancy, which can be costly in terms not only of money but also size, weight, and power.”
The nature of a UAS on the battlefield is to protect the warfighter, to take the place of a human in a potentially life-threatening situation. In civilian airspaces, the concept isn’t all that different. Instead of waging battle, however, the UASs are delivering packages. But that doesn’t mean the human is removed from the loop entirely, and the correspondence between the machine and the human still needs to be certifiably safe.
“The architectural elements in platform software are different,” Subbarao says. “For instance, the communication between the ground station and the unmanned vehicle is directly in the safety-critical path since a failure of communication may lead to a catastrophic failure. FAA regulations on unmanned vehicles are also still evolving, so more regulations are to be expected in this area.”
It’s true that the military is heavily invested in autonomous vehicles, as are consumer technology and commercial aviation, which means that transport of everything from troops and cargo to vaccines and pizza is in the pipeline for UASs. With that reality on the horizon, additional interest in and certification to DO-178C isn’t far behind. (Figure 3.)
[Figure 3 | An excerpt from a snapshot of AFuzion’s new DO-178C plans, standards, and templates package for 2021.]
Speaking of autonomy, AI has the potential to be an unrivaled and reliable copilot. At the same time AI – being the hot-button topic that it is in nearly every realm of commercial and defense electronics – also presents a new set of hurdles when it comes to not only keeping aircraft safe but also cementing its position in avionics as a whole.
Establishing AI’s place in avionics safety certification
“AI is an often-misunderstood term,” Hilderman says. “When we have a programmable coffee pot or the internet feeds you a new ad based on what you looked at before, that is not AI. That is just smart programming to simulate very basic human responses. True AI is via what’s called a deep neural network, and it results in a different answer given the same inputs. Real AI is when the software – the machine – is learning. [Safety-certification companies] are concerned because AI can learn in ways that are unsafe or produce an untested result. Aviation is about everything that could happen in the air has been specified and there’s a corresponding test for it.”
The potential for AI in the sky is endless. Machine learning systems have already seen success in ground-based operations, but such self-teaching algorithms are not yet certifiable, and so are not allowed in deployed cockpits. This situation exists because defining how AI learns and establishing an acceptable range of behaviors is a cardinal aspect of AI certification that has yet to be achieved.
“We don’t see machine learning or deep learning playing any role in DO-178C safety certification any time soon because the process needs to be deterministic and verifiable,” Jaenicke says. “Take code coverage, for example, which often has a machine learning component in nonsafety certifications. For DO-178C, each line of code must trace back to a specific requirement, and that is much more stringent than just making sure it gets executed properly. More traditional artificial intelligence, such as expert systems, could potentially play a role, but we haven’t seen much of that yet.”
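Jaenicke's point that DO-178C asks for more than "the line got executed" is easy to see in a traceability cross-check. The following is an added example, not code from the article or from any of the vendors it quotes: it takes three small constructed artifacts (a requirements list, the requirement ids each source function claims to implement, and per-test records of which requirements a test verifies and which functions a coverage tool saw it execute) and reports the gaps a certification reviewer looks for. All identifiers (LLR-101 and so on, the function names, TC-1 and so on) are invented for the example.

```python
"""Requirement-to-code traceability check.

Constructed example, not code from the article or from any vendor named
in it. The three tables are invented stand-ins for a project's
requirements list, source annotations and test-coverage records.
"""

# Constructed low-level requirements (hypothetical ids and text).
REQUIREMENTS = {
    "LLR-101": "compute indicated airspeed from pitot differential pressure",
    "LLR-102": "clamp computed airspeed to the valid display range",
    "LLR-103": "set the sensor-fault flag when the input is out of range",
    "LLR-104": "hold the last valid airspeed across a sensor dropout",
}

# Constructed source functions -> requirement ids each claims to implement.
SOURCE_TRACE = {
    "airspeed_from_dp": ["LLR-101"],
    "clamp_airspeed": ["LLR-102", "LLR-999"],   # LLR-999 was never defined
    "flag_sensor_fault": ["LLR-103"],
    "hold_last_valid": ["LLR-104"],
    "legacy_debug_dump": [],                    # nothing requires this code
}

# Constructed test records: requirements verified, functions seen executing.
TEST_RECORDS = {
    "TC-1": {"verifies": ["LLR-101"],
             "executed": ["airspeed_from_dp", "clamp_airspeed", "legacy_debug_dump"]},
    "TC-2": {"verifies": ["LLR-102"], "executed": ["clamp_airspeed"]},
    "TC-3": {"verifies": ["LLR-103"], "executed": ["airspeed_from_dp"]},
}


def trace_report(requirements, source_trace, test_records):
    """Cross-check the three artifacts; return sorted findings plus a clean flag."""
    known = set(requirements)
    executed = {f for rec in test_records.values() for f in rec["executed"]}
    verified = {r for rec in test_records.values() for r in rec["verifies"]}

    # Functions with no requirement behind them: candidates for extraneous or
    # dead code that must be justified or removed.
    untraced_code = sorted(f for f, reqs in source_trace.items() if not reqs)
    # Of those, the ones a bare coverage report would show as "executed".
    executed_but_untraced = sorted(f for f in untraced_code if f in executed)
    # Source annotations that point at requirement ids nobody defined.
    dangling_refs = sorted({r for reqs in source_trace.values() for r in reqs} - known)
    # Requirements no test case claims to verify.
    unverified_requirements = sorted(known - verified)
    # Requirements a test claims to verify although none of the functions that
    # implement them ran under any such test.
    verified_without_execution = []
    for r in sorted(verified & known):
        impl = {f for f, reqs in source_trace.items() if r in reqs}
        ran = {f for rec in test_records.values()
               if r in rec["verifies"] for f in rec["executed"]}
        if impl and not (impl & ran):
            verified_without_execution.append(r)

    findings = {
        "untraced_code": untraced_code,
        "executed_but_untraced": executed_but_untraced,
        "dangling_refs": dangling_refs,
        "unverified_requirements": unverified_requirements,
        "verified_without_execution": verified_without_execution,
    }
    findings["clean"] = not any(findings.values())
    return findings


if __name__ == "__main__":
    for key, value in trace_report(REQUIREMENTS, SOURCE_TRACE, TEST_RECORDS).items():
        print(f"{key}: {value}")
```

On the constructed data, `legacy_debug_dump` executes during TC-1 and would look fine to a tool that only checks execution, yet it traces to no requirement; LLR-103 is marked verified by a test that never ran its implementing function; LLR-104 has no test at all. Each is a finding a requirements-based review raises that execution coverage alone would not.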
Officials are hopeful that a more deterministic AI could one day help assess complex systems. While the AI wouldn’t be flying on its own, it could serve to understand and model safe responses in complex systems and then learn from this to predict ways they could improve or might fail. While no rules exist yet, quantifying safe AI in aviation is in the works.
“The machine learning process is by its nature very un-deterministic – it has to be, at least at the learning phase,” Pyne says. “However, in the deployment phase, the inference engines that run the convolutional neural networks and use that ‘learned information’ can be configured to satisfy the concerns of certification authorities. Not everyone realizes or is dealing with this, but at some point, inference engine determinism must be addressed by every system that wants to achieve high levels of safety criticality.” (Figure 4.)
[Figure 4 | CoreAVI’s VkCore SC Vulkan-based safety-critical graphics and compute driver is based on Khronos’ Vulkan API and designed to bring graphics and compute functions into a layer that allows applications access to low-level silicon functions while preserving portability and a hardware-agnostic approach to platform integration.]
What could help companies reach that goal would be taking inspiration from the commercial aviation industry. In general, commercial technology has been quicker to adopt AI in fields like aviation, as well as in transportation and automotive. Commercial companies must meet specific safety requirements for civilian platforms just as defense companies must for theirs, and commercial aircraft often have to meet both.