RTCA DO 331 Model-Based Development and Verification in aerospace

With the enhancement of the RTCA DO 178B to the RTCA DO 178C, four so-called supplements have also been developed. The RTCA DO 331 Model-Based Development is one of these four supplements and describes the requirements for model-based development and verification in aerospace. The following article provides answers to the following questions:

• How is the RTCA DO331 structured?
• What does mean the distinction between specification model and design model?

How is the RTCA DO 331 Model-Based Development structured?

The structure of the RTCA DO 331 is very similar to the RTCA DO178C. The RTCA DO 331 contains all chapters of the RTCA DO178C. Where necessary, additional/changed requirements for model-based development and verification are defined.

The RTCA DO 331 focuses on the following topics:

• System aspects related to software development
• Software Life Cycle
• Software Planning Process
• Software Development Process
• Software Verification process
• Software Configuration management process
• Software Quality Assurance Process

The most important addition to the RTCA DO 178C is the additional definition of a specification model and a design model. This topic is discussed in more detail in the following section.

What does mean the distinction between specification model and design model?

Already in the definition of the software life cycle process, the RTCA DO 331 requires the clear definition of models used as either specification model or design model.

It is not possible to use a model both as specification model and as design model! In a specification model, the RTCA DO 331 assumes that it implements high-level requirement.

For a design model, the RTCA DO 331 assumes that it implements the architecture or design and, if applicable, low-level requirements.

Furthermore, the RTCA DO 331 clearly states that a model coverage is not identical to the structural source code coverage. This means that structural source code coverage is also necessary when using model-based development.

Conclusion

The RTCA DO 331 thus transfers the clear distinction between requirements and architecture/design from the RTCA DO 178C into model-based development. This makes a lot of sense, since the requirements or specification model describes the “what” of a product and the architecture/design or design model describes the “how”.

Many who see great progress in model-based development are also doing so because they believe that they no longer need to create requirements. The RTCA DO 331 clearly contradicts this assumption.

The fact that structural coverage is still required in model-based development is probably due to the current state of the technology. In my view, the medium-term goal here has to be to replace structural coverage, but this is only possible if a clear and comprehensible relationship can be established between model and source code. With today’s technology, we are still a long way from this.

Related HEICON Blog posts

• RTCA DO 178C – Software quality in aerospace!
• The Supplements of DO 178C – Where do they come from and what is their content?

The HEICON team will be pleased to support you with our services if you have individual questions regarding your project. Please send a mail to: info[at]heicon-ulm.de.