Meeting the challenge of airworthiness certification through continuous verification
Story | September 04, 2025
Recent trends in embedded system development have made designing – and delivering – advanced air-mobility systems more challenging than ever before. Game-changing and innovative technology advances are being realized in software, resulting in large code bases that are more complex. Software teams are growing in size as well, but often not in line with the growth in software content and complexity. In addition, teams must comply with rapidly changing industry standards without missing launch dates or exceeding budget constraints. Changes in embedded development affect the design life cycle – from concept to achieving airworthiness certification. Design teams can take certain steps to address these changes while maintaining functional safety, supply-chain security, reliability, and time-to-market demands.
Like any industry, avionics and aerospace developers must find new ways to manage increasing software complexity as new capabilities such as electric vertical takeoff and landing (eVTOL), connectivity, and autonomy come online. However, unlike many industries, they must also verify that their systems are functionally safe and secure according to some of the strictest standards in existence. A number of trends exist that are changing how avionics and aerospace developers must approach design:
- The regulatory landscape for airworthiness is evolving rapidly, especially in the area of software: Standards that have been in place for decades are now undergoing much more frequent updates, and multiple new standards have recently been released or are under active development. As a result, the cost, time, and risk of compliance with these standards will be a major factor in determining the success of a new aircraft or other avionics system (Figure 1).
- Geographically dispersed development teams: For complex systems, development teams may be spread across the world. They must be able to work in parallel to reduce development and certification time. Notable advantages can be gained with the use of an integrated development and verification tool chain across groups and product lines.
- Increasing scrutiny of autonomous systems: As autonomous aircraft enter the market, companies need proven software development and testing processes that help them stay ahead of potential certification roadblocks and keep their early-mover advantage.
- Dramatic surge in numbers of small aircraft such as air taxis and delivery drones: Early movers need a flexible, scalable design approach that can help them pivot as requirements evolve while still supporting commercial design practices that have been proven to reduce the risk and cost of meeting such requirements.
- Design impacts for sustainability and zero emissions: As regulations and technologies evolve to reduce aircraft emissions and drive electrification, existing standards and automated development and verification tools can provide a sound foundation to mitigate risks associated with adopting complex new technologies.
- New attack vectors from increased connectivity: A shift-left approach ensures that security is designed in alongside aviation safety, but connectivity also demands the ability to respond quickly to vulnerabilities discovered in the field. Automated verification tools combined with requirements traceability tools can isolate the affected functionality and automatically re-run the regression tests that trace to it, rather than re-verifying the whole system.
- Manual versus automated verification: The increasing complexity and volume of compliance requirements make verification more challenging. Addressing them without integrated, automated tools is no longer practical.

[Figure 1 | Industries are seeing an increase in both the number and the rate of change of civil aviation standards related to software. (Source: LDRA.)]
Common verification and certification challenges
Software verification typically requires at least as much time, effort, and resources as the entire planning and development processes combined, which results in costly testing and certification. In addition, software verification is an ongoing process. Thus, while an update may represent less time and effort to design, re-verification of the updated software must satisfy all the same verification objectives and can require as much effort as the initial verification.
A common tendency of many project teams is to put more focus on the outcome of individual audits and milestones than the software development and verification process itself. However, such an approach is ultimately short-sighted and can result in suboptimal software or even software failures. To be successful, development teams need to adopt a bigger-picture approach that addresses verification throughout the entire software development life cycle. This mindset requires effective communication and knowledge transfer through every design stage.
Continuous verification
Many development teams are moving to a DevSecOps (development/security/operations) framework to help reduce costs and risk while improving efficiencies. By taking a continuous integration/continuous delivery (CI/CD) approach, developers can rely on a continuous workflow built on an integrated tool chain that streamlines and/or automates different aspects of design. CI/CD makes successful delivery a part of every design stage, leading to accelerated deployment with higher-quality software. (Figure 2.)

[Figure 2 | A DevSecOps framework adds secure coding practices to the software-development process. (Source: LDRA.)]
Contrast this to the handoff or waterfall approach traditionally used by development teams, in which the design group hands off completed code to the test group. With CI/CD, design and test are done using a more incremental approach – complete design of a section of code, test it, complete the next section, test it, and so on. This method has the added benefit of identifying issues earlier in the design cycle, which is known as shifting left (Figure 3). At a high level, shifting left takes advantage of the fact that issues are easier, faster, and less expensive to address the sooner in the software-development life cycle they are discovered. For example, a memory leak is simpler to fix when code is analyzed for memory leaks as soon as it is written. Identifying the source of a memory leak that is causing intermittent application failures is much more difficult and may require more effort to remediate.

[Figure 3 | Shifting left is a core principle of DevSecOps. Security testing and analysis are performed as early as possible in the design life cycle to reveal issues and mitigate risks, rather than leaving it all to a later integration test phase when resolution will likely be more time-consuming and expensive. (Source: LDRA.)]
The same shift-left benefits arise when continuous verification is employed. By integrating software verification throughout the design life cycle, potential compliance issues can be identified earlier and resolved faster. Software development and security teams can work efficiently and cost-effectively together, in parallel. Compliance is accelerated, risk is mitigated, and higher-quality code is produced.
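The field-response scenario in the connectivity bullet above and the continuous-verification workflow just described both rest on the same mechanism: a trace matrix that links requirements to the source units that implement them and the test cases that verify them, so that a change set can be mapped to the regression tests that must be re-run. The following is an added example, not code from LDRA or TASKING, of that selection step as a CI gate. The trace matrix, the requirement and test identifiers, the change set, and the gate policy (every changed file must trace to a requirement, every impacted requirement must have at least one test) are all constructed for illustration; a real project would export the trace links from its traceability tool and take the change set from version control.

```python
"""Trace-driven regression selection for a CI verification stage.

Added example, not code from LDRA or TASKING. The trace matrix, the change
set and the CI gate policy below are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set

# Constructed trace links: requirement -> {source units, verifying test cases}.
# A real project exports these from its traceability tool.
TRACE: Dict[str, Dict[str, Set[str]]] = {
    "HLR-12": {"sources": {"src/flight_ctrl/attitude.c"},
               "tests": {"TC-101", "TC-102"}},
    "HLR-13": {"sources": {"src/flight_ctrl/attitude.c",
                           "src/flight_ctrl/filters.c"},
               "tests": {"TC-103"}},
    "HLR-20": {"sources": {"src/comms/link.c"},
               "tests": {"TC-201"}},
    # Constructed gap: a requirement with no verifying test yet.
    "HLR-21": {"sources": {"src/comms/link.c", "src/comms/crypto.c"},
               "tests": set()},
}


@dataclass(frozen=True)
class ImpactReport:
    impacted_requirements: FrozenSet[str]
    tests_to_run: FrozenSet[str]
    untraced_changes: FrozenSet[str]       # changed files no requirement covers
    untested_requirements: FrozenSet[str]  # impacted requirements with no tests

    def gate_passes(self) -> bool:
        """CI gate: every changed file must trace to a requirement and every
        impacted requirement must have at least one test to re-run."""
        return not self.untraced_changes and not self.untested_requirements


def parse_changed_files(diff_name_only: str) -> Set[str]:
    """Parse the output of `git diff --name-only`; blank lines are ignored."""
    return {line.strip() for line in diff_name_only.splitlines() if line.strip()}


def select_regression(trace: Dict[str, Dict[str, Set[str]]],
                      changed_files: Iterable[str]) -> ImpactReport:
    """Map a change set onto the trace matrix and pick the tests to re-run."""
    changed = set(changed_files)
    impacted, tests, untested, covered = set(), set(), set(), set()
    for req, links in trace.items():
        hit = links["sources"] & changed
        if not hit:
            continue                     # requirement untouched by this change
        covered |= hit
        impacted.add(req)
        if links["tests"]:
            tests |= links["tests"]
        else:
            untested.add(req)            # impacted but nothing verifies it
    return ImpactReport(
        impacted_requirements=frozenset(impacted),
        tests_to_run=frozenset(tests),
        untraced_changes=frozenset(changed - covered),
        untested_requirements=frozenset(untested),
    )


# Constructed change set, as `git diff --name-only` would print it.
SAMPLE_DIFF = """\
src/flight_ctrl/attitude.c
src/comms/crypto.c
docs/README.md
"""

if __name__ == "__main__":
    report = select_regression(TRACE, parse_changed_files(SAMPLE_DIFF))
    print("impacted:", sorted(report.impacted_requirements))
    print("re-run:  ", sorted(report.tests_to_run))
    print("untraced:", sorted(report.untraced_changes))
    print("untested:", sorted(report.untested_requirements))
    print("gate:", "PASS" if report.gate_passes() else "FAIL")
```

Run stand-alone, the sample change to `attitude.c` selects TC-101, TC-102 and TC-103 and the gate fails for two reasons a certification reviewer would also flag: `crypto.c` is covered only by a requirement with no test trace, and `docs/README.md` traces to nothing at all. A production pipeline would filter non-source paths before applying the gate, but keeping the check strict is the point: a file that changes without a trace link is exactly the kind of undocumented change that surfaces late in an audit.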
Integrated development
The requirement to deal with both safety and security illustrates why it is important for verification to be extensible for specific needs. For example, development tools should support the development and verification of software that needs to achieve DO-178C and DO-326B certification in parallel (Figure 4). In this figure, the security process described in DO-326B has been aligned with the aircraft-development process described in ARP4754B (the international guidelines of practice for development of civil aircraft and systems), showing how developers can follow a hybrid safety and security process to satisfy both standards. Trying to achieve compliance/conformance with multiple standards sequentially increases the time and cost to develop, and often results in unnecessary rework, including costly cycles of regression and fixes.

[Figure 4 | Security process and software-development process as part of the aircraft-development process. (Source: LDRA.)]
Even with the support of comprehensive automation, coming to grips with airworthiness regulations can be a daunting task. Certification and regulatory support are available to provide a helping hand and give confidence that certification costs will be contained. In the U.S., services must be delivered by a team with experience liaising with Federal Aviation Administration (FAA) Aircraft Certification Offices (ACO). In addition to comprehensive audit support, services may include training, mentoring, and the production of compliance artifacts that expedite and enhance life cycle data production.
Software development often begins before the project target hardware is available, and sometimes before it has been completely specified – an issue that is often exacerbated on smaller aircraft developed with the intent for more frequent upgrades. Hardware simulators are usually deployed in such situations, although for critical systems with higher levels of design assurance, verification must ultimately be on the final target. Verification tools must therefore be flexible enough to support both simulation and target testing.
Highly critical software developed in compliance with DO-178C Level A requires verification that the object code executed by the microprocessor correctly reflects the requirements and the intent of the developer: where the compiler generates object code that is not directly traceable to the source, that additional code must itself be verified, which is why source-to-object-code traceability evidence is needed at this level.
Using different tool chains for different levels of software criticality can introduce additional delays at certification. A single, flexible tool suite capable of demonstrating source code to object code traceability that can be used at any level of verification enables teams to quickly and efficiently match the level of risk identified without an additional learning curve.
Many technical leaders are incorporating new approaches such as model-based systems engineering (MBSE). While these tools enable faster development, new layers of abstraction mean that testing becomes critical to keep errors at bay. Verification tools should enable fast and frequent iterations of virtual prototyping and testing, either on the host development platforms or on the actual target hardware. This approach ensures that abstractions don’t result in late discovery of errors that can cause delays at certification.
One final and important consideration is tool qualification. Under DO-178C, a software-verification tool must be qualified whenever it eliminates, reduces, or automates a process of the standard and its output is not independently verified; the rigor required, expressed as a tool qualification level (TQL) under DO-330, increases with the software level and with how much certification credit is claimed for the tool. Qualification involves validating the operation of the tool in the project-specific environment. To reduce the cost associated with this process, tool providers offer tool-qualification packages and support services for programs requiring the appropriate level of assurance.
Achieving accelerated compliance
Flexible and customizable software tools easily adapt to the level of risk and the necessary rigor of mitigation, and requirements traceability tools enable a rapid response when a vulnerability is disclosed in a component, even in systems that have been unchanged for years. Integrated development and verification tools that work together, such as safety software company Tasking's safety ecosystem of development tools combined with LDRA's tool suite, enable developers to introduce continuous certification into their CI/CD or similar workflow. In this way, developers can meet the increasing challenge of delivering reliable advanced air mobility systems while ensuring safety, security, and airworthiness compliance.
Jay Thomas, director of field development for LDRA, has worked on embedded controls simulation, processor simulation, mission- and safety-critical flight software, and communications applications in the aerospace industry. His focus on embedded verification implementation ensures that LDRA clients in aerospace, medical, and industrial sectors are grounded in safety-, mission-, and security-critical processes.
LDRA • https://ldra.com/