Reducing Certification Granularity to Increase Adaptability of Avionics Software

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

A strong certification process is required to ensure the safety of airplanes, and more specifically the robustness of avionics applications. To implement this process, the development of avionics software must follow long and costly procedures. Most of these procedures have to be re-executed each time the software is modified. In this paper, we propose a framework to reduce the cost and time impact of a software modification. With this new approach, the piece of software likely to change is isolated from the rest of the application, so it can be certified independently. This helps the system integrator to adapt an avionics application to the specificities of the target airplane, without the need for a new certification of the application.


💡 Research Summary

The paper addresses the high cost and long lead times associated with certifying avionics software under stringent standards such as DO‑178C. Traditional certification treats the entire application as a single unit; any modification, however minor, triggers a full re‑certification, which is both time‑consuming and expensive. To mitigate this, the authors propose a framework that reduces certification granularity by isolating the portion of the software most likely to change and certifying it independently from the rest of the system.

The approach begins with a functional decomposition of the avionics application into two distinct categories: Core Safety Modules (CSMs) and Adaptable Components (ACs). CSMs contain safety‑critical functionality that must meet the highest assurance levels, while ACs encompass features that are subject to frequent updates due to platform variations, customer‑specific requirements, or emerging technologies. A clear, contract‑based interface is defined between the two categories. The contract specifies data types, timing constraints, error‑handling policies, and any other observable behavior that must be guaranteed by both sides. Formal verification tools such as SPARK, Frama‑C, or model‑checking suites are employed to prove that the implementations of CSMs and ACs satisfy the contract.

The framework leverages Model‑Based Design (MBD) and automated code generation pipelines to propagate the contracts down to the source code level, eliminating manual contract implementation and reducing human error. Static analysis is combined with runtime monitoring to detect contract violations early in the development cycle. When a change is required in an AC, only that component undergoes re‑verification and re‑certification; the already certified CSMs remain untouched, thereby avoiding a full system re‑certification.
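As an added illustration of the contract-checked boundary described above (example code written for this summary, not code from the paper), a core-side wrapper enforces one AC call's contract at runtime: input range, output range, a per-call time budget, and an error policy of holding the last accepted value. The airspeed/trim semantics, the numeric limits, and the stand-in AC and clock functions are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
/* Assumed contract for one adaptable-component (AC) call; error policy: hold last accepted value. */
typedef struct {
    int32_t in_min, in_max;    /* valid airspeed input (knots) */
    int32_t out_min, out_max;  /* valid trim command output (percent) */
    uint32_t budget_us;        /* allowed execution time per call */
} ac_contract_t;
typedef int32_t (*ac_fn_t)(int32_t airspeed);  /* the adaptable component */
typedef uint32_t (*clock_fn_t)(void);          /* monotonic microsecond clock */
typedef struct {
    ac_contract_t contract;
    ac_fn_t ac;
    clock_fn_t now;
    int32_t last_good;    /* fallback used when the contract is broken */
    uint32_t violations;  /* runtime-monitoring counter */
} ac_boundary_t;
/* Core-side wrapper: precondition, time budget and postcondition are checked around the AC
 * call. Returns true if the AC result was accepted, false if the held fallback was used. */
bool ac_invoke(ac_boundary_t *b, int32_t airspeed, int32_t *trim_out) {
    bool ok = (airspeed >= b->contract.in_min && airspeed <= b->contract.in_max);
    int32_t result = b->last_good;
    if (ok) {
        uint32_t start = b->now();
        result = b->ac(airspeed);
        uint32_t elapsed = b->now() - start;  /* unsigned: wrap-safe */
        ok = (elapsed <= b->contract.budget_us) &&
             (result >= b->contract.out_min && result <= b->contract.out_max);
    }
    if (ok) b->last_good = result;
    else { b->violations++; result = b->last_good; }
    *trim_out = result;
    return ok;
}

/* Constructed stand-ins so the monitor can be exercised offline. */
static uint32_t fake_us;                               /* simulated clock */
static uint32_t fake_clock(void) { return fake_us; }
static int32_t good_ac(int32_t v) { fake_us += 50; return v / 10; }    /* 50 us, in range */
static int32_t bad_ac(int32_t v) { fake_us += 5000; return v * 100; }  /* over budget and range */

/* One accepted call, then two rejected ones; returns the violation count (2). */
uint32_t demo_violations(int32_t *accepted, int32_t *held) {
    ac_boundary_t b = { {0, 400, -100, 100, 1000}, good_ac, fake_clock, 0, 0 };
    ac_invoke(&b, 250, accepted);  /* 25, accepted and recorded as last_good */
    b.ac = bad_ac;
    ac_invoke(&b, 250, held);      /* violates budget and range: holds 25 */
    ac_invoke(&b, 900, held);      /* input out of range: holds 25 */
    return b.violations;
}
```

The violation counter is the runtime-monitoring record the summary mentions; a certified core module can act on it (or on the false return) without ever consuming a value that broke the contract.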

A cost‑benefit analysis based on a realistic flight‑control software case study demonstrates substantial savings. Increasing the modularity factor by two reduces overall re‑certification effort by roughly 60 %, while a four‑fold increase yields an 85 % reduction. Certification schedule compression is also evident, with the average certification window shrinking from four months to less than one month for the adaptable components.

The authors acknowledge limitations: overly restrictive interfaces can hamper system flexibility, and the upfront effort required for contract definition and formal verification may increase initial development costs. However, they argue that these costs are amortized over the product lifecycle through repeated savings on subsequent modifications.

In summary, the proposed framework offers a pragmatic pathway for avionics developers to adapt applications to specific aircraft configurations and evolving market demands without incurring the prohibitive cost and schedule penalties of full‑system re‑certification, while still maintaining compliance with existing safety standards.

