DO-331 MBD Intro For Engineers & Managers
DO-331 MBD Intro For Engineers & Managers
DO-331 MBD Intro For Engineers & Managers
# Question Answer?
1. If you use Modeling but not auto-code generation (e.g. you write code (Yes, No or
manually), do you still need a Software Modeling Standard and also Model Maybe)
Coverage Analysis?
2. When using models for verification, should expected results be determined prior (Yes, No or
to test execution? Maybe)
3. Can the Design Model be developed from System Requirements without first (Yes or No)
decomposing System requirements to High Level Software requirements
4. Must the System Requirements first be decomposed to High Level Software (Yes or No)
Requirements prior to making the Design Model?
5. If System Requirements are used for the source of requirements in the Design (Yes, No, or
Model, are those System Requirements then treated as High level Requirements Maybe)
and does the Design Model thus contain Low-Level Requirements?
Why Modeling?
Software modeling is almost as old as software development, with models being actively used to assist
engineers in early NASA lunar launches. Today, modeling refers to a generic activity whereby structure and
behavior by and between objects is defined at a higher level abstracted from logic development. Common
usage of “model” implies developing a model of structure and behavior prior to using that model to generate
actual software or hardware logic. (Remember, in the avionics world, the term “hardware” includes logic
embedded in silicon, previously known as “firmware” but now termed “complex electronic hardware” via DO-
254). However, modeling can actually follow the logic development process instead of preceding it; many
legacy codebases have modeling applied to them post-facto to aid in understanding, verifying, improving, or
reusing those code bases; especially within the field of avionics whereby most systems make at least partial
reuse of preceding, similar systems. This process is commonly known as “reverse engineering.”
Why is modeling increasingly important to avionics as evidenced by the release of DO-331 in December of
2011? There are many reasons including those below:
2
2. Improved Reusability
Modeling promotes reuse by enabling developers to abstract functionality.
6. Improved Traceability
Modeling tools can automate traceability from requirements to design to code.
7. Earlier Verification
Model simulation enables earlier requirements validation and design verification.
Benefits of Modeling
As seen in the above Figure: “Benefits of Modeling”, there are many advantages to modeling complex systems
and software. Other software domains such as telecommunications have been utilizing modeling for many
years; avionics has been gradually catching up. It should be noted that the realm of avionics software
certification guidance is generally devoid of cost and schedule considerations: while no one desires or expects
avionics developers to go bankrupt, they are free to do so. Accordingly, what then keeps everyone from
unanimously adopting modeling within their avionics development organizations? The following are often
cited as reasons avionics developers avoid partial or full use of modeling:
Are the aforementioned reasons for avoiding modeling valid? To the extent that perception equals reality for
some people, the answer is “maybe”. But with a more informed understanding, perceptions may be changed.
First, DO-331 provides a framework for enabling the usage of modeling within a prescribed regimen of
modeling standards and model verification: just as for traditional software requirements and software design
which must be verified to show compliance to user-defined standards, the same is true for avionics modeling.
Second, modeling tool licensing costs are really not that great when considering the cost-savings obtained
via engineering productivity improvements; and some modeling tools such as IBM’s Rhapsody™ and Magic
Draw are quite affordable while providing the necessary key features. Third, like licensing costs, the learning
curve of modeling tools is usually conquered in a matter of weeks or a few months at most; relatively short
considering the multi-year duration of most avionic system developments. Fourth, it is not necessary to qualify
a modeling tool: while benefits of qualification are noteworthy (such as eliminating the need for manual code
peer reviews, automatic code generation, and model-level verification), all the benefits of modeling cited
previously apply whether or not the modeling tool is Qualified. Fifth, all engineers are capable of learning new
techniques and most actually embrace such knowledge improvements in recognition of the resume-
enhancement benefits thereof. So the seeming disadvantages of modeling are readily dispelled. Further,
tools such as IBM’s Rhapsody tool have been around for 20 years and are quite mature in both the quality of
the code that is generated and in the ability to control and customize the generation of that code.
Modeling Terminology
Modeling is a domain which has its own vernacular; common modeling terms are summarized below.
Code The generation of code from a design model in a specified software source code
Generation language, such as C, C++, or Ada.
A model that defines any software design such as low-level requirements, software
Design
Model architecture, algorithms, component internal data structures, data flow and/or
control flow. A model used to generate Source Code is a Design Model.
An abstract representation of a given set of aspects of a system used for
Model
analysis, verification, simulation, code generation, or any combination thereof. It
should be unambiguous, regardless of its level of abstraction
• Note: The "given set of aspects of a system" may contain all aspects of the system or only a subset.
Model- The creation of test cases within a modeling language and tool for the purpose of
Based Test verifying the model and/or the generated source code.
4
Model
Element A unit from which a model is constructed
Model
Simulation The activity of exercising the behavior of a model using a model simulator
Report The generation of documents from a model for the particular purpose, often
Generation template-based to generate documents in a standardized format.
Reverse
Engineering The creation of a model from source code.
Symbology
The graphical appearance of modeling elements. Some modeling environments
allow custom symbology to be defined.
SysML
The Systems Modeling Language, a specialized variant of the UML for use in
systems modeling.
The Unified Modeling language, which is, by far, the most common software
UML modeling language in used. The UML has language elements to specified software
structure, behavior, functionality, and relationships.
It is important to recall a basic DO-178C tenet is stepwise refinement: system requirements must precede
high level requirements (HLR’s) and HLR’s must precede low-level requirements (LLR’s). The temptation to
5
develop code directly from HLR’s must be avoided. Modeling provides the ability to express HLR’s and/or
LLR’s directly within a Model. A key facet of DO-331 modeling is the differentiation between a Specification
Model and a Design Model as depicted in the following figure:
Specification Model
Design Model
Typically expresses low-level requirements
May be used to produce code
(LLR's)
The Design Model and the Specification Model are different, just as HLR’s differ and precede LLR’s: stepwise
refinement. Similar to HLR’s and LLR’s which may reside within the same requirements specification, the
Design Model and Specification Model could reside within the same model. But when both models exist, the
development of the Specification Model precedes the Design Model. Since the Specification Model and
Design Model accomplish different purposes, they each must use a different modeling standard.
In the UML, the specification model typically employs use cases to cluster requirements, and then employs
various UML mechanisms (state machines, scenario modeling, and activity modeling) to quality and
disambiguate requirements. The design model identifies the LLRs needed to meet the refined requirements
6
and specification models. The «trace» relation supports traceability between the requirements, the
specification model, and the design model.
The process for model development is not specified within DO-178C or DO-331, although those standards
specify the objectives with which such processes must comply and the evidence they must produce. A
common process is the Harmony Process for Embedded Software (see Real-Time Agility or Real-Time UML
Workshop for Embedded Systems 2nd Edition, both by Bruce Powel Douglass).
Example Use Case Diagram (reused with permission of Dr. Bruce Douglass, IBM):
Example Class Diagram (reused with permission of Dr. Bruce Douglass, IBM):
Example State Diagram (reused with permission of Dr. Bruce Douglass, IBM):
Example Simulink Model (reused with permission of Mr Eric Dillaber, Simulink Certification Manager):
Like art, music, and gourmet dining, modeling means different things to different people and there are vastly
different means to implement modeling. To narrow down the myriad modeling implementation possibilities,
DO-331 describes five different modeling options and advises users to adopt one of those five. The following
figure depicts the five recommended modeling options MB1 through MB5.
As with most decisions in life, there are choices and one size does not fit everyone. But when considering
where you are from, where you are at, and where you are going, a preferred choice can be more readily
ascertained. The pro/con of each modeling option is summarized below:
MB4 HLR's merged with System Rqmts; SW Engrs develop Design Model
• Pro: Promotes Systems insight and contribution to software requirements. Enables autocode generation
• Con: Doesn't use a Specification Model so particularly complex systems may miss stepwise model refinement
MB5 HLR's merged with System Rqmts; Sys Engrs develop Design Model
• Pro: Promotes strong Systems-centric development and control of HLRs and Model; very little ambiguity.
• Con: Doesn't use Specification Model and possible large step between requirements and code
10
In some software development domains, designers begin with a blank slate or concept, then iteratively evolve
a corresponding software model. But in aviation, the “guilty until proven innocent” paradigm holds true:
engineering work is not trusted until it is either qualified or verified. So consider: a model needs to be verified;
can a model be verified merely by inspecting it? Of course not: model verification requires formal
consideration of multiple inputs as depicted below:
Which of the above five inputs are actually required to perform a requisite model review? All of them, and
each of the five must be under configuration management, meaning it has a unique identifier and can be
retrieved in exactitude at any time in the future to determine its exact content used during the corresponding
model review. Note that a common challenge in modeling is requirement verification; again, models must
have requirements (software functionality) which can be used during the model review to assess the
correctness and completeness of the model.
In addition to review which assesses the model’s conformance to the applicable modeling standard and
system/software requirements, , models themselves may be verified through testing. The UML Profile for
Testing defines a standard way for test case specification, architecting, execution and analysis. This may be
done by manually creating the test elements and using model simulation/execution to ensure that the
outcomes match expectations. Tools such as IBM Rhapsody’s add-on Test Conductor automate some of
these steps and may be used as well.
11
Formal methods are another key means to verify models, especially subsets of system models. Some
engineers attempt to verify entire system models via formal methods, and such is ostensibly “allowed” by DO-
333 (the supplement commonly applied to DO-178C and DO-278A). However, a “Best Practice” is to instead
focus formal method-based model verification to a particular algorithm or set of cohesive algorithms within a
model to maximize provability. (See Formal Methods for additional information).
Model Simulation
Another advantage of modeling is simulation: a model simulator may be used to execute the model earlier in
the development lifecycle. Model simulation can be used to aid verification in the following ways:
✓ Verifiability
✓ Algorithm aspects
X Conformance to standards
X Traceability
X Partitioning integrity
The UML Testing Profile (www.omg.org) provides a standard approach for specifying, executing, and
analyzing test cases in the UML language. This means that all the advantages of modeling can be gained not
only from the specification and design models, but also the means by which those models are verified. The
IBM Rhapsody tool add-on “Test Conductor” implements that standard and comes with a qualification kit for
DO-178. This tool automates test generation, execution and analysis and can provide detailed statistics about
model coverage (see the next section) and, when coupled with code verification tools, code-level coverage
as well.
Since the models are developed by engineers and engineers can neglect to add necessary model details or
remove model details which are no longer needed, model coverage analysis must be performed. Model
coverage analysis can determine which model elements may not have been completely verified and it can
12
also detect unintended functionality within the model. Model coverage analysis may be done via simulation
or formal methods, however software structural coverage is performed via actual testing.
Model traceability must also exist to prove that each model element is there for a reason. Each part of the
model should be traced to:
Model traceability can of course be performed manually, but modeling tools increasingly have built-in
capabilities to support and provide traceability.
Conclusion
Modeling is a powerful capability which is increasingly applied to avionics. DO-331 provides a framework to
understand modeling, harness modeling’s power, and help prove the model is correct.
# Question Answer?
1. If you use Modeling but not auto-code generation (e.g. you write code Yes
manually), do you still need a Software Modeling Standard and also Model Code
Analysis?
2. When using models for verification, should expected results be determined prior Yes
to test execution?
3. Can the Design Model be developed from System Requirements without first Yes
decomposing System requirements to High Level Software requirements
4. Must the System Requirements first be decomposed to High Level Software No
Requirements prior to making the Design Model?
5. If System Requirements are used for the source of requirements in the Design Yes
Model, are those System Requirements then treated as High level Requirements
and the Design Model thus contains Low-Level Requirements?
Is YOUR team optimally trained? AFuzion: 23,000 aviation engineers trained; more than all
competitors COMBINED:
Have Aviation Certification Gaps? Fun 1-Minute video to close them: http://afuzion.com/gap-
analysis/
13
Free avionics development DO-178C, DO-254, ARP4754A, DO-326A, & ARP4761/A training
videos, here: https://www.youtube.com/playlist?list=PL0es63yi1vbw9Tt1GWX8TtiFm4R2qRryu
For DO-178 & DO-254 specific details, procure the book “Avionics Certification: A Complete Guide
to DO-178 & DO-254”, from major bookstores such as Amazon.com. (The author of this whitepaper
is the primary author of that book.) Also, the new book “Avionics Development Ecosystem” by
Vance Hilderman covers the big-picture view of avionics development from safety, to systems, and
through all key regulatory and design aspects for modern avionics development. See the Afuzion
website, www.afuzion.com, for advanced training modules relevant to DO-331 MBD and DO-178C
for beginners and experts alike.