Avionics software


Avionics software is embedded software with legally mandated safety and reliability concerns used in avionics. The main difference between avionic software and conventional embedded software is that the development process is required by law and is optimized for safety. It is claimed that the process described below is only slightly slower and more costly (perhaps 15 percent) than the normal ad hoc processes used for commercial software. Since most software fails because of mistakes, eliminating the mistakes at the earliest possible step is also a relatively inexpensive and reliable way to produce software. In some projects, however, mistakes in the specifications may not be detected until deployment. At that point they can be very expensive to fix.

The basic idea of any software development model is that each step of the design process has outputs called "deliverables." If the deliverables are tested for correctness and fixed, then normal human mistakes cannot easily grow into dangerous or expensive problems. Most manufacturers follow the waterfall model to coordinate the design product, but almost all explicitly permit earlier work to be revised. The result is more often closer to a spiral model.

For an overview of embedded software see embedded system and software development models. The rest of this article assumes familiarity with that information, and discusses differences between commercial embedded systems and commercial development models.

General overview

Since most avionics manufacturers see software as a way to add value without adding weight, the importance of embedded software in avionic systems is increasing.

Most modern commercial aircraft with autopilots use flight computers and so-called flight management systems (FMS) that can fly the aircraft without the pilot's active intervention during certain phases of flight. Also under development or in production are unmanned vehicles, missiles and drones, which can take off, cruise and land without airborne pilot intervention.

In many of these systems, failure is unacceptable. The reliability of the software running in airborne vehicles (civil or military) is shown by the fact that most airborne accidents occur due to human error. Unfortunately, reliable software is not necessarily easy to use or intuitive; poor user interface design has been a contributing cause of many aerospace accidents and deaths.

Regulatory issues

Due to safety requirements, most nations regulate avionics, or at least adopt standards in use by a group of allies or a customs union. The three regulatory regimes that most affect international aviation development are those of the U.S., the E.U. and Russia.

In the U.S., avionic and other aircraft components have safety and reliability standards mandated by the Federal Aviation Regulations: Part 25 for Transport Airplanes, Part 23 for Small Airplanes, and Parts 27 and 29 for Rotorcraft. These standards are enforced by "designated engineering representatives" of the FAA, who are usually paid by a manufacturer and certified by the FAA.

In the European Union the IEC describes "recommended" requirements for safety-critical systems, which are usually adopted without change by governments. A safe, reliable piece of avionics carries a "CE Mark." The regulatory arrangement is remarkably similar to fire safety in the U.S. and Canada: the government certifies testing laboratories, and the laboratories certify both manufactured items and organizations. Essentially, the oversight of the engineering is outsourced from the government and manufacturer to the testing laboratory.

To assure safety and reliability, national regulatory authorities (e.g. the FAA, CAA or DOD) require software development standards. Some representative standards include MIL-STD-2167 for military systems, or RTCA DO-178B and its successor DO-178C for civil aircraft.

The regulatory requirements for this software can be expensive compared to other software, but they are usually the minimum that is required to produce the necessary safety.
Development process

The main difference between avionics software and other embedded systems is that the actual standards are often far more detailed and rigorous than commercial standards, usually described by documents with hundreds of pages. The software is usually run on a real-time operating system.

Since the process is legally required, most processes have documents or software to trace requirements from numbered paragraphs in the specifications and designs to exact pieces of code, with exact tests for each, and a box on the final certification checklist. This is specifically to prove conformance to the legally mandated standard.

Deviations from the processes described here can occur on a specific project due to the use of alternative methods or low safety-level requirements.

Almost all software development standards describe how to perform and improve specifications, designs, coding, and testing (see software development model). However, avionics software development standards add some steps to the development for safety and certification:

Human interfaces

Projects with substantial human interfaces are usually prototyped or simulated. The videotape is usually retained, but the prototype is retired immediately after testing, because otherwise senior management and customers can believe the system is complete. A major goal is to find human-interface issues that can affect safety and usability.

Hazard analysis

Safety-critical avionics usually have a hazard analysis. In the early stages of the project, the team already has at least a vague idea of the main parts of the project. An engineer then takes each block of a block diagram and considers the things that could go wrong with that block, and how they affect the system as a whole. Subsequently, the severity and probability of the hazards are estimated. The problems then become requirements that feed into the design's specifications.

Projects involving military cryptographic security usually include a security analysis, using methods very like the hazard analysis.

Maintenance manual

As soon as the engineering specification is complete, writing the maintenance manual can start. A maintenance manual is essential to repairs, and of course, if the system can't be fixed, it will not be safe.

There are several levels to most standards. A low-safety product such as an in-flight entertainment unit (a flying TV) may escape with a schematic and procedures for installation and adjustment. A navigation system, autopilot or engine may have thousands of pages of procedures, inspections and rigging instructions. Documents are now (2003) routinely delivered on CD-ROM, in standard formats that include text and pictures.

One of the odder documentation requirements is that most commercial contracts require an assurance that system documentation will be available indefinitely. The normal commercial method of providing this assurance is to form and fund a small foundation or trust. The trust then maintains a mailbox and deposits copies (usually in ultrafiche) in a secure location, such as rented space in a university's library (managed as a special collection), or (more rarely now) buried in a cave or a desert location.

Design and specification documents

These are usually much like those in other software development models. A crucial difference is that requirements are usually traced as described above. In large projects, requirements traceability is such a large, expensive task that it requires large, expensive computer programs to manage it.
Code production and review

The code is written, then usually reviewed by a programmer (or group of programmers, usually independently) that did not write it originally (another legal requirement). Special organizations also usually conduct code reviews with a checklist of possible mistakes. When a new type of mistake is found, it is added to the checklist and fixed throughout the code.

The code is also often examined by special programs that analyze correctness (static code analysis), such as the SPARK Examiner for SPARK (a subset of the Ada programming language) or lint for the C family of programming languages (primarily C, though). The compilers or special checking programs like "lint" check to see if types of data are compatible with the operations on them; such tools are also regularly used to enforce strict usage of valid programming language subsets and programming styles. Another set of programs measures software metrics, to look for parts of the code that are likely to have mistakes. All the problems are fixed, or at least understood and double-checked.

Some code, such as digital filters, graphical user interfaces and inertial navigation systems, is so well understood that software tools have been developed to write the software. In these cases, specifications are developed and reliable software is produced automatically.
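Enforcing a language subset, as the paragraph above describes, means rejecting constructs that are legal C but cannot be analysed or bounded. The following script is an added example, not lint, the SPARK Examiner or any real checker: it applies four of the rules from "The Power of 10: Rules for Developing Safety-Critical Code" (no goto/setjmp/longjmp, no recursion, a fixed bound on every loop, no dynamic memory after initialization) to a constructed C fragment, using regular expressions and brace matching rather than a real C front end. The one assumption it adds is that allocation is tolerated only in functions whose name starts with "init", standing in for the initialization phase.

```python
"""A small C-subset checker (added example, not a real lint).

Applies four Power of 10 rules to a constructed C fragment:
  1. no goto, setjmp or longjmp and no recursion (direct or mutual)
  2. every loop has a fixed bound (no while(1) / for(;;))
  3. no heap allocation after initialization
Parsing is regex plus brace matching; a real project uses a proper front end.
"""
import re

C_KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}
FUNC_HEAD = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^;{}()]*)\)\s*\{")
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
BANNED_JUMP = re.compile(r"\b(goto|setjmp|longjmp)\b")
UNBOUNDED_LOOP = re.compile(r"\bwhile\s*\(\s*(?:1|true)\s*\)|\bfor\s*\(\s*;\s*;\s*\)")
HEAP_CALL = re.compile(r"\b(malloc|calloc|realloc|free)\s*\(")
# Assumption for this example: allocation is only allowed in functions whose
# name starts with "init", i.e. before the control loop starts.
INIT_PREFIX = "init"

# Constructed C fragment with one violation per rule, plus two clean functions.
SAMPLE = r"""
#include <stdlib.h>
static int buf[16];
void init_buffers(void) { char *p = malloc(16); (void)p; }   /* allowed: init */
int sum_bounded(const int *v, int n) {
    int s = 0;
    for (int i = 0; i < n && i < 16; i++) s += v[i];     /* bounded loop: ok */
    return s;
}
int fact(int n) { return n <= 1 ? 1 : n * fact(n - 1); }  /* recursion */
int *grow(void) { return malloc(4); }                      /* heap after init */
void poll(void) {
    while (1) { if (buf[0]) break; }                       /* unbounded loop */
    goto done;                                             /* banned jump */
done:
    return;
}
int ping(int x);
int pong(int x) { return ping(x); }                       /* mutual recursion */
int ping(int x) { return x ? pong(x - 1) : 0; }
"""


def strip_comments_and_strings(src):
    """Remove comments and string contents so keywords inside them are ignored."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    src = re.sub(r"//[^\n]*", " ", src)
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', src)


def function_bodies(src):
    """Map function name -> body text, found by brace matching from each head."""
    bodies, pos = {}, 0
    while True:
        m = FUNC_HEAD.search(src, pos)
        if not m:
            return bodies
        name, depth, i = m.group(1), 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        if name not in C_KEYWORDS:          # "if (...) {" is not a function
            bodies[name] = src[m.end():i - 1]
        pos = m.end()


def call_graph(bodies):
    """Function -> set of defined functions it calls."""
    return {f: {c for c in CALL.findall(b) if c in bodies} for f, b in bodies.items()}


def is_recursive(f, graph):
    """True if f can reach itself through the call graph (direct or mutual)."""
    seen, stack = set(), list(graph[f])
    while stack:
        g = stack.pop()
        if g == f:
            return True
        if g not in seen:
            seen.add(g)
            stack.extend(graph[g])
    return False


def check_subset(src):
    """Return sorted (function, rule) violations for the C source text."""
    bodies = function_bodies(strip_comments_and_strings(src))
    graph = call_graph(bodies)
    violations = set()
    for f, body in bodies.items():
        if BANNED_JUMP.search(body):
            violations.add((f, "goto/setjmp/longjmp"))
        if UNBOUNDED_LOOP.search(body):
            violations.add((f, "loop without fixed bound"))
        if HEAP_CALL.search(body) and not f.startswith(INIT_PREFIX):
            violations.add((f, "dynamic memory after initialization"))
        if is_recursive(f, graph):
            violations.add((f, "recursion"))
    return sorted(violations)


if __name__ == "__main__":
    for func, rule in check_subset(SAMPLE):
        print(f"{func}: {rule}")
```

The value of such a checker in this process is less the individual findings than the fact that every violation is a concrete checklist item: the reviewer's list of mistakes grows by one entry per new rule, and the tool applies the whole list to the whole code base, which is exactly the "fixed throughout the code" step the paragraph describes.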
Unit testing

"Unit test" code is written to exercise every instruction of the code at least once to get 100% code coverage. A "coverage" tool is often used to verify that every instruction is executed, and then the test coverage is documented as well, for legal reasons.

This test is among the most powerful. It forces detailed review of the program logic, and detects most coding, compiler and some design errors. Some organizations write the unit tests before writing the code, using the software design as a module specification. The unit test code is executed, and all the problems are fixed.
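The coverage tool the section describes does one thing: it records which statements the unit tests actually executed and reports the rest, so that the missing test (and the untested branch behind it) is found before certification rather than in service. The script below is an added example, not the article's or any certification tool's code. It builds a minimal statement-coverage recorder on Python's sys.settrace, runs it over a constructed unit (an altitude-alert function) with a deliberately incomplete test set, and then with the completed set. One caveat a practitioner should keep in mind: the measure shown here is statement coverage; DO-178B/C Level A software additionally requires decision and MC/DC coverage, which this recorder does not attempt.

```python
"""Statement coverage of a unit under test (added example).

A tiny coverage tool built on sys.settrace records which lines of a
function ran under a test set and reports the statements no test reached.
This is statement coverage only; Level A work under DO-178B/C also needs
decision and MC/DC coverage.
"""
import dis
import sys


def altitude_alert(alt_ft, minimum_ft, weight_on_wheels):
    """Unit under test (constructed): alert below the selected
    minimum, suppressed on the ground and for implausible readings."""
    if weight_on_wheels:
        return False
    if alt_ft < 0 or alt_ft > 60000:
        return False
    if alt_ft < minimum_ft:
        return True
    return False


def statement_lines(func):
    """Line numbers holding executable statements of func (def line excluded)."""
    first = func.__code__.co_firstlineno
    return {line for _, line in dis.findlinestarts(func.__code__)
            if line is not None and line != first}


class LineCoverage:
    """Record executed lines of the given functions while a test runs."""

    def __init__(self, *funcs):
        self.hits = {f.__code__: set() for f in funcs}

    def _trace(self, frame, event, arg):
        if frame.f_code in self.hits:
            if event == "line":
                self.hits[frame.f_code].add(frame.f_lineno)
            return self._trace          # keep tracing this frame line by line
        return None                     # frames of other functions: not traced

    def run(self, test):
        sys.settrace(self._trace)
        try:
            test()
        finally:
            sys.settrace(None)
        return self

    def missed(self, func):
        """Statements of func that no traced test executed."""
        return sorted(statement_lines(func) - self.hits[func.__code__])


def incomplete_tests():
    """Constructed test set that never exercises the on-ground branch."""
    assert altitude_alert(500, 1000, False) is True
    assert altitude_alert(5000, 1000, False) is False
    assert altitude_alert(70000, 1000, False) is False


def complete_tests():
    """The same set plus the case the coverage report asks for."""
    incomplete_tests()
    assert altitude_alert(0, 1000, True) is False


def coverage_report(test):
    """Statement lines of altitude_alert not executed by the given test set."""
    return LineCoverage(altitude_alert).run(test).missed(altitude_alert)


if __name__ == "__main__":
    print("missed after incomplete tests:", coverage_report(incomplete_tests))
    print("missed after complete tests:", coverage_report(complete_tests))
```

With the incomplete set the report names exactly one line, the "return False" under the weight-on-wheels check; the test writer can read the requirement that branch implements, add the test, and rerun until the report is empty. That empty report, together with the test list, is what gets filed as the coverage evidence.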
Integration testing

As pieces of code become available, they are added to a skeleton of code, and tested in place to make sure each interface works. Usually the built-in tests of the electronics should be finished first, to begin burn-in and radio emissions tests of the electronics.

Next, the most valuable features of the software are integrated. It is very convenient for the integrators to have a way to run small selected pieces of code, perhaps from a simple menu system.

Some program managers try to arrange this integration process so that after some minimal level of function is achieved, the system becomes deliverable at any following date, with increasing numbers of features as time passes.

Black box and acceptance testing

Meanwhile, the test engineers usually begin assembling a test rig, and releasing preliminary tests for use by the software engineers. At some point, the tests cover all of the functions of the engineering specification. At this point, testing of the entire avionic unit begins. The object of the acceptance testing is to prove that the unit is safe and reliable in operation.

The first test of the software, and one of the most difficult to meet in a tight schedule, is a realistic test of the unit's radio emissions. This usually must be started early in the project to assure that there is time to make any necessary changes to the design of the electronics. The software is also subjected to a structural coverage analysis, where tests are run and code coverage is collected and analyzed.

Certification

Each step produces a deliverable, either a document, code, or a test report. When the software passes all of its tests (or enough to be sold safely), these are bound into a certification report that can literally have thousands of pages. The designated engineering representative, who has been striving for completion, then decides if the result is acceptable. If it is, the representative signs it, and the avionic software is certified.

See also

Annex: Acronyms and abbreviations in avionics
DO-178B
Software development model
Hazard analysis
The Power of 10: Rules for Developing Safety-Critical Code

External links

Generic Avionics Software Specification from the Software Engineering Institute (SEI)

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.