Certification Considerations
Many customers who use MARK will have to go through some type of certification process. This chapter discusses some of the certification issues that MARK customers should consider.
- Overview of DO-178B Certification
- COTS Software
- Verification/Certification Templates Available for MARK
Because there are many types of certification, it is difficult to construct one certification package that satisfies every customer's needs. MARK verification and certification activities are therefore primarily handled by the end user, who is more familiar with their own certification requirements. Data provided by Rational is meant only as a starting point for certifying and verifying your application. In most cases, you will need to supplement this data to satisfy your certification authority.
The data available with MARK is modeled after the certification requirements of most U.S. and European commercial aviation regulatory agencies. These agencies typically use a document called DO-178B, "Software Considerations in Airborne Systems and Equipment Certification." If your application is certified by a different regulatory agency, you should still be able to use these data artifacts as the foundation of the documentation that you submit to it. The data that Rational can make available to you is solely a starting point for certifying your application. Rational does not suggest, explicitly or implicitly, that the certification data it provides will completely satisfy the needs of your regulatory authority. If you would like a copy of this data, please request it through your local Rational sales office.
It is important to note at this point that the end user of MARK is ultimately responsible for all certification aspects of MARK. Once you install the MARK source code and use it in your application, you assume all certification responsibilities for MARK. The MARK source code should be placed under your own configuration management procedures and be subject to your own verification and validation procedures, just like the rest of your application software.
Overview of DO-178B Certification
The Federal Aviation Administration (FAA), the US regulatory agency that certifies commercial aircraft, does not 'certify' software per se. Instead, it grants approval for certain equipment to be used on certain airplanes (refer to section 10.0 of DO-178B). Before granting this approval, however, the FAA requires that the manufacturer demonstrate that the equipment is safe and appropriate for use. This is usually accomplished through testing and documentation. Environmental tests show that the aircraft equipment can withstand the harshness of a flight environment. Functional tests show that the equipment performs the indicated function. If the equipment contains software, additional tests and documentation are also required.
When the equipment does contain software, certain FAA guidelines apply to the development and verification of that software. These guidelines, RTCA document DO-178B, give aircraft equipment manufacturers guidance on implementing software development processes that improve the overall quality of the software. The documentation generated for DO-178B also helps the FAA assess the quality of the software during the certification process for the aircraft equipment.
Some of this documentation is sent to the FAA; the rest is archived by the aircraft equipment manufacturer and must be available for inspection by the FAA if necessary. With the introduction of DO-178B in 1993, its guidelines also apply to any COTS software used in the aircraft equipment. Therefore, either the manufacturer of the aircraft equipment or the manufacturer of the COTS software must ensure that the COTS software complies with DO-178B.
The phrase 'DO-178B certified' is a misnomer, since software is not certified by the FAA. The term 'DO-178B compliant' is more appropriate: it indicates that the software has been developed and verified in a manner that complies with the process outlined in DO-178B.
COTS Software
As mentioned earlier in this document, DO-178B requires that COTS software adhere to the same standards as the aircraft software that uses it. Regulatory agencies, however, cannot and do not 'certify' reusable COTS software on its own. Because of this, Rational cannot obtain formal certification recognition for any certification work that it has done for the MARK runtime.
It is the responsibility of the customer to inform their certification office that they are using reusable COTS software (the MARK runtime). This should be done early in your planning process and is described in the next section.
Verification/Certification Templates Available for MARK
Upon request to your local sales office, Rational can provide you with certification templates and data artifacts that you may find useful when certifying your application. These artifacts are modeled after the documentation required by DO-178B. As mentioned earlier, they may not be sufficient for your particular safety-critical certification requirements. They are meant to be used as a starting point for generating the actual certification documentation needed for your application.
Plan for Software Aspects of Certification
Figure 1 depicts a typical certification process. The process starts with planning and concludes when the certification authority grants approval of the equipment. The "Plan for Software Aspects of Certification" (PSAC) is the primary document that communicates to the certification office that you are starting a new project that will require certification.
During the planning process, your product is defined, development and verification environments are determined, and software tools that will be used are identified. This information is included in the PSAC.
The PSAC should contain the following information:
- System overview
- Software overview
- Certification considerations
- Software life cycle
- Schedule
- Additional considerations (including tool qualification and COTS software issues)
The last item should identify the MARK runtime as COTS software that you will use and state how you plan to address any certification requirements for the MARK runtime.
If you are using TestMate MCDC, you will likely also need to specify how you plan to qualify this tool for verification use.
Rational provides a document modeled after the PSAC for MARK. This document describes the process by which Rational produces the MARK runtime as well as a short overview of MARK. You may find it useful to include the MARK PSAC with your own PSAC.
Figure 1: Certification Life Cycle
Your certification office will send a letter indicating whether they accept or reject your PSAC. If your certification office accepts your PSAC, this also indicates that they agree with your plans for how to certify the MARK runtime.
Software Development Plan, Software Verification Plan, Software Quality Assurance Plan, Software Configuration Management Plan
These documents are provided as templates that you can use to document your own development environment for your application. They describe how various features of the Apex family of tools can be used to satisfy certification requirements. If you decide to use these templates to create your own versions of these documents, review them to determine whether all sections are applicable to your organization. Furthermore, several sections in these documents must be completed by the end user.
Software Requirements Document
This document describes the software requirements of the MARK runtime. The Ada LRM is used as a model for this document, since MARK was designed to fulfill the requirements of the Ada language. If you substantially modify the MARK source code, you may have to modify this document as well.
Software Design Document Template
This document is actually a SoDA template. The template iterates through the MARK source code to construct a design document. Therefore, if you modify the MARK runtime, you must rerun this template to generate a new version of the software design document.
Software Test Procedures Template
The Software Test Procedures document is also a SoDA template. The template iterates through the MARK tests as defined in TestMate. If you add tests to or remove tests from the MARK test suite, you must rerun this template to generate a new version of the test procedures document.
Software Tests
These are delivered as a set of TestMate tests. As such, you need to run them against the MARK runtime in your particular target environment to generate a set of test results. Depending on the requirements of your certification process and the variant of MARK that you use, these tests may not achieve enough structural coverage for your needs. If this is the case, you need to supplement this test suite with tests of your own.
Software Test Results
This is a SoDA template. It iterates through the test results generated by TestMate to produce a test results document.
Rational Software Corporation, http://www.rational.com, support@rational.com, techpubs@rational.com. Copyright © 1993-2001, Rational Software Corporation. All rights reserved.