DO-278A and DO-178C – Introduction

DO-278A stands as a guiding force for ensuring the integrity and safety of software within non-airborne CNS/ATM systems. In synergy with DO-178C, it provides recommendations and a robust framework to instill confidence in the safety of on-ground software.

Relation between DO-278A and DO-178C

DO-278A and DO-178C share essential supplements, such as DO-331 (Model-Based Development), DO-332 (Object Oriented), and DO-333 (Formal Methods).

See Figure 1 below for relationships between DO-178C and DO-278A document sets.

Figure 1 – Relationships of Airborne to On-Ground RTCA document sets

Originating from the same RTCA/EUROCAE committee, DO-278A shares much identical wording and significant overlap with DO-178C. It combines elements from both DO-178C and the original DO-278, so it can be applied on its own without reference to DO-178C.

Importance of Software Integrity Level

The significance of DO-278A mirrors that of DO-178C, acknowledging that on-ground software can impact aviation safety comparably to airborne software. Errors in Communication, Navigation, Surveillance, and Air Traffic Management software could lead to severe consequences for multiple aircraft and their occupants.

Challenges

A key challenge lies in meeting the Commercial Off-The-Shelf (COTS) objectives discussed in Table 12-4. In particular, verification objective #2, which requires that COTS software achieve the same integrity as software developed to the objectives of Sections 4 to 9, can be exceptionally challenging.

Key Differences

The primary differences lie in the assurance levels, in approval versus regulatory compliance, and in the COTS objectives that DO-278A adds because the CNS/ATM domain relies heavily on COTS software.

Assurance levels

The standard defines six assurance levels, AL-1 to AL-6 (DO-178C defines five software levels, A to E). See the table below for a comparison of the assurance levels.

Category (SW Failure Effect)     | DO-278A | DO-178C
Catastrophic                     | AL-1    | SL-A
Hazardous                        | AL-2    | SL-B
Major                            | AL-3    | SL-C
Between Major and Minor          | AL-4    | Not used
Minor                            | AL-5    | SL-D
No Effect                        | AL-6    | SL-E

COTS Objectives:

It contains an extensive section on COTS software that considerably expands on the corresponding material in DO-278 and DO-178C.

Service Experience:

The ‘Product Service’ section has been expanded under DO-278A and is now called the ‘Service Experience’ section. It is used to show that the software provides a level of safety equivalent to what would have been achieved by following the normal DO-278A guidance.

The difference is that DO-178C measures this in terms of ‘Flight hours’, whereas DO-278A uses ‘In-service hours’.

More than just Assurance Levels:

DO-278A also addresses further aspects of on-ground software verification that were not previously considered under DO-178C:

  • Software communication
  • Security
  • Adaptability
  • Cutover (hot swapping)

Conclusion

The relationship between DO-278A and DO-178C is pivotal in ensuring the integrity and safety of both airborne and non-airborne CNS/ATM systems. With shared supplements and significant overlap, they provide a robust framework for software development and verification.

Recognizing the importance of software integrity levels, particularly in critical areas such as Communication, Navigation, Surveillance, and Air Traffic Management, these standards address challenges such as meeting Commercial Off-The-Shelf objectives and ensure regulatory compliance. Despite the primary differences in assurance levels and the incorporation of COTS objectives, DO-278A expands the on-ground software verification considerations, emphasizing communication, security, adaptability, and cutover. As the aviation industry evolves, adherence to these standards remains crucial in maintaining safety and reliability in both airborne and ground-based systems.
