
Verification of Executable Object Code from a Model (Version 1.0)


The introduction of RTCA/DO-331, the Model-Based Development and Verification Supplement to DO-178C and DO-278A, offers new opportunities to leverage the strengths of model-based development under RTCA/DO-178C. The concept of model simulation for Executable Object Code (EOC) verification credit allows the painstaking work of model verification to be reused to partially achieve EOC verification objectives.

This paper explores the conditions under which model verification can be used to partially satisfy EOC verification objectives and identifies areas which should be closely attended to in order to satisfy the regulatory requirements.

Model Based Development and Verification (RTCA/DO-331)

Under DO-178C and DO-331, some aspects of EOC verification can be satisfied using model simulation. Per DO-331 section MB.6.8.2:

Verification of the Executable Object Code is primarily performed by testing. This can be partially assisted by a combination of model simulation and specific analyses as described below. This combination can be used to partially satisfy the following software testing and coverage objectives:

  1. Executable Object Code complies with the high-level requirements.
  2. Executable Object Code is robust with the high-level requirements.
  3. Test coverage of high-level requirements is achieved.
  4. Test coverage of software structure to the appropriate coverage criteria is achieved.
  5. Test coverage of software structure, both data coupling and control coupling, is achieved.

But specific tests should still be performed in the target computer environment, since some errors may be detectable only in this environment.

The following software testing and coverage objectives cannot be satisfied by model simulation since simulation cases should be based on the requirements from which the design model is developed:

  1. Executable Object Code complies with the low-level requirements.
  2. Executable Object Code is robust with the low-level requirements.
  3. Test coverage of low-level requirements is achieved.

It bears repeating that the simulation cases and procedures to be used for model verification are required to be developed from the higher-level requirements from which the Design Model itself was developed. It also should be noted that simulation cases and procedures are subject to the same verification objectives as test cases and procedures used in more traditional paradigms to verify the EOC in the target environment.
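The constraints above (simulation cases must derive from the higher-level requirements the Design Model was built from, simulation can never claim credit for the low-level requirement objectives, and target-environment tests are still required) can be checked mechanically over a verification trace matrix. The following is an added illustration, not code from the paper or from DO-331; the case records, the objective names, and the `HLR-`/`LLR-` requirement-id convention are constructed for the example.

```python
from dataclasses import dataclass

# Objectives DO-331 MB.6.8.2 allows model simulation to partially satisfy.
SIMULATION_CREDITABLE = {
    "EOC complies with HLR", "EOC robust with HLR", "HLR test coverage",
    "Structural coverage", "Data/control coupling coverage",
}
# Objectives the supplement says model simulation cannot satisfy.
SIMULATION_EXCLUDED = {"EOC complies with LLR", "EOC robust with LLR", "LLR test coverage"}

@dataclass
class VerificationCase:
    case_id: str
    kind: str          # "simulation" (run on the model) or "target_test" (EOC on target)
    traces_to: str     # requirement the case was developed from
    objectives: set    # objectives for which credit is claimed

def requirement_level(req_id):
    # Constructed convention for this example: "HLR-*" is high-level, anything else low-level.
    return "HLR" if req_id.startswith("HLR-") else "LLR"

def audit(cases):
    """Return a list of findings; an empty list means no credit-claim violations."""
    findings = []
    has_target_test = False
    for c in cases:
        if c.kind == "target_test":
            has_target_test = True
            continue
        if requirement_level(c.traces_to) != "HLR":
            findings.append(f"{c.case_id}: simulation case traces to {c.traces_to}; "
                            "simulation cases must derive from the higher-level requirements")
        for obj in sorted(c.objectives & SIMULATION_EXCLUDED):
            findings.append(f"{c.case_id}: simulation cannot claim credit for '{obj}'")
        for obj in sorted(c.objectives - SIMULATION_EXCLUDED - SIMULATION_CREDITABLE):
            findings.append(f"{c.case_id}: unknown objective '{obj}'")
    if not has_target_test:
        findings.append("no tests executed in the target computer environment; "
                        "simulation credit is only partial")
    return findings

# Constructed sample trace matrix: one compliant simulation case, one that
# wrongly traces to a low-level requirement, and one test on the target.
SAMPLE = [
    VerificationCase("SIM-001", "simulation", "HLR-12", {"EOC complies with HLR", "HLR test coverage"}),
    VerificationCase("SIM-002", "simulation", "LLR-7", {"EOC complies with LLR"}),
    VerificationCase("TST-001", "target_test", "HLR-12", {"EOC complies with HLR"}),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```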