Certification of software for real-time safety-critical systems: state of the art

  • Andrew Kornecki
  • Janusz Zalewski
Original Paper


This paper presents an overview and discusses the role of certification in safety-critical computer systems, focusing on software, and partially hardware, used in the civil aviation domain. It discusses certification activities according to RTCA DO-178B “Software Considerations in Airborne Systems and Equipment Certification” and touches on tool qualification according to RTCA DO-254 “Design Assurance Guidance for Airborne Electronic Hardware.” Specifically, certification issues related to real-time operating systems and programming languages are reviewed, and the qualification processes for software development tools and complex electronic hardware tools are discussed. Results of an independent industry survey done by the authors are also presented.


Keywords: Software certification; Software tools; Software safety; Tool qualification; Safety-critical systems; Real-time systems





Copyright information

© Springer-Verlag London Limited 2009

Authors and Affiliations

  1. Embry-Riddle Aeronautical University, Daytona Beach, USA
  2. Florida Gulf Coast University, Fort Myers, USA
