Avionic software directly influences flight safety. For this reason, regulatory authorities require a rigorous and structured approach to software development and verification. DO-178C, published by RTCA, defines this approach for airborne software systems. At the core of DO-178C lies the concept of Design Assurance Levels, commonly referred to as DAL levels. This article explains DO-178C DAL levels clearly by focusing on safety impact, compliance expectations, and engineering implications. The objective is to help avionics teams understand how DAL levels influence development rigor, verification depth, and certification effort.
Purpose of DAL Levels in DO-178C
Design Assurance Levels define the required level of confidence that airborne software performs correctly and does not contribute to unsafe conditions. Therefore, DAL levels directly link software behavior to aircraft safety.
DAL classification ensures that:
- Safety-critical software receives higher scrutiny
- Verification effort aligns with potential failure impact
- Certification activities remain proportional
- Regulatory expectations remain clear
As a result, DAL levels establish a risk-based assurance framework rather than a one-size-fits-all process.
Section summary:
DAL levels align software assurance rigor with potential safety impact.
Relationship Between System Safety and DAL Assignment
DAL levels do not originate from software design decisions. Instead, they derive from system-level safety assessments.
Typically, DAL assignment follows:
- Functional Hazard Assessment (FHA)
- Preliminary System Safety Assessment (PSSA)
- System Safety Assessment (SSA)
Therefore, software inherits its DAL from system failure conditions rather than internal complexity.
Section summary:
DAL levels originate from system safety analysis, not software design preference.
Overview of DO-178C DAL Levels
DO-178C defines five DAL levels, ranging from catastrophic to no safety effect.
The DAL hierarchy includes:
- DAL A: Catastrophic
- DAL B: Hazardous or Severe-Major
- DAL C: Major
- DAL D: Minor
- DAL E: No safety effect
Each level imposes different development and verification requirements.
Section summary:
DO-178C defines five DAL levels based on safety severity.
DAL A: Catastrophic Failure Conditions
DAL A represents the highest level of software criticality. Software failures at this level may lead to catastrophic outcomes.
Catastrophic effects may include:
- Loss of aircraft
- Multiple fatalities
- Complete loss of flight control
Therefore, DAL A requires the most stringent development and verification activities.
Key implications include:
- Full requirements traceability
- Independent verification
- Structural coverage up to Modified Condition/Decision Coverage (MC/DC)
- Robust configuration management
Section summary:
DAL A demands the highest assurance due to catastrophic safety impact.
DAL B: Hazardous or Severe-Major Failure Conditions
DAL B applies when software failure may cause hazardous conditions but not catastrophic outcomes.
Hazardous effects may involve:
- Serious crew workload increase
- Significant reduction in safety margins
- Potential serious injuries
Although less severe than DAL A, DAL B still requires rigorous assurance.
Verification expectations include:
- Independent verification
- High structural coverage, excluding MC/DC
- Comprehensive traceability
Section summary:
DAL B balances high assurance with slightly reduced verification rigor.
DAL C: Major Failure Conditions
DAL C software failures may cause major operational impacts without immediate threat to aircraft survival.
Major effects typically include:
- Increased crew workload
- Reduced operational capability
- Passenger discomfort
DAL C verification focuses on correctness rather than extreme fault tolerance.
Key characteristics include:
- Requirements-based testing
- Decision coverage
- Defined traceability
Section summary:
DAL C ensures operational reliability without extreme verification depth.
DAL D: Minor Failure Conditions
DAL D addresses software whose failure has only minor safety effects.
Minor effects may include:
- Slight crew inconvenience
- Minor operational inefficiencies
Consequently, DAL D imposes reduced verification requirements.
Typical characteristics include:
- Basic requirements testing
- Limited independence requirements
- Simplified documentation
Section summary:
DAL D supports low-criticality software with proportionate assurance.
DAL E: No Safety Effect
DAL E applies to software whose failure has no impact on aircraft safety.
Examples include:
- Cabin entertainment systems
- Maintenance support tools
DO-178C does not require formal compliance activities for DAL E software.
Section summary:
DAL E software does not require DO-178C compliance.
Impact of DAL Levels on Development Activities
DAL level selection directly affects development planning. Therefore, engineering teams must consider DAL early.
DAL influences:
- Process rigor
- Documentation depth
- Tool qualification requirements
- Development cost and schedule
Higher DAL levels demand earlier planning and tighter discipline.
Section summary:
DAL levels drive development complexity and resource allocation.
Impact of DAL Levels on Verification and Testing
Verification effort increases significantly with higher DAL levels. Therefore, testing strategies must align with DAL requirements.
Verification differences include:
- Structural coverage depth
- Independence requirements
- Test completeness criteria
DAL A requires MC/DC, while DAL C requires decision coverage.
Section summary:
Verification depth scales directly with DAL level.
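The difference between decision coverage and MC/DC is easiest to see on a concrete decision. The following is an added example, not code from the article: the engage() interlock decision and its condition names are constructed for illustration, and the unique-cause MC/DC search is written here to show how many test vectors each coverage criterion demands for the same decision.

```python
from itertools import combinations, product

# Constructed decision for illustration (not from the article): a
# hypothetical actuator interlock that engages only when the channel is
# armed and either the pilot commands it or automatic mode is active.
def engage(armed, pilot_cmd, auto_mode):
    return armed and (pilot_cmd or auto_mode)

N_CONDITIONS = 3  # armed, pilot_cmd, auto_mode

def all_vectors(n):
    """Every truth-value assignment to the n conditions."""
    return [tuple(v) for v in product((False, True), repeat=n)]

def decision_coverage(decision, tests):
    """Decision coverage: the decision outcome is observed both True and False."""
    return {bool(decision(*t)) for t in tests} == {True, False}

def independence_pairs(decision, n):
    """Unique-cause MC/DC: for each condition i, list the vector pairs that
    differ only in condition i and change the decision outcome."""
    pairs = {i: [] for i in range(n)}
    for i in range(n):
        for v in all_vectors(n):
            w = v[:i] + (True,) + v[i + 1:]   # same vector with condition i forced True
            if not v[i] and decision(*v) != decision(*w):
                pairs[i].append((v, w))
    return pairs

def mcdc_coverage(decision, n, tests):
    """True if the test set contains an independence pair for every condition."""
    tests = set(tests)
    pairs = independence_pairs(decision, n)
    return all(any(v in tests and w in tests for v, w in pairs[i]) for i in range(n))

def minimal_mcdc_set(decision, n):
    """Smallest test set achieving MC/DC, found by exhaustive search (n is small)."""
    vectors = all_vectors(n)
    for size in range(2, len(vectors) + 1):
        for combo in combinations(vectors, size):
            if mcdc_coverage(decision, n, combo):
                return combo
    return None

if __name__ == "__main__":
    two = [(False, False, False), (True, True, False)]
    print("decision coverage with 2 tests:", decision_coverage(engage, two))
    print("MC/DC with the same 2 tests:   ", mcdc_coverage(engage, N_CONDITIONS, two))
    print("minimal MC/DC set:", minimal_mcdc_set(engage, N_CONDITIONS))
```

Two vectors already satisfy decision coverage, but MC/DC needs four (one more than the number of conditions), because each condition must be shown to independently flip the outcome.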
DAL Levels and Tool Qualification
Tool qualification requirements depend partly on DAL levels. A tool whose output is not independently verified, and which could therefore insert an error or fail to detect one, requires qualification.
Higher DAL levels increase:
- Tool qualification scrutiny
- Evidence requirements
- Configuration control expectations
Therefore, toolchain decisions affect certification effort.
Section summary:
DAL levels influence tool qualification strategy.
Common Misunderstandings About DAL Levels
Many organizations misinterpret DAL assignment.
Common misconceptions include:
- Higher DAL equals better software
- DAL reflects software complexity
- DAL can be chosen arbitrarily
In reality, DAL strictly reflects safety impact.
Section summary:
DAL levels measure safety impact, not software quality.
Managing Mixed DAL Systems
Modern avionics systems often contain software with different DAL levels.
Effective management requires:
- Partitioning strategies
- Clear interface definitions
- Evidence of independence
Partitioning prevents lower DAL software from affecting higher DAL components.
Section summary:
Mixed DAL systems require strong architectural controls.
Regulatory Expectations and Certification Perspective
Certification authorities expect clear justification for DAL assignments.
Typical audit focus areas include:
- Safety assessment traceability
- DAL justification
- Verification completeness
Clear documentation simplifies certification interactions.
Section summary:
Regulators focus on DAL justification and traceability.
Conclusion
DO-178C DAL levels define the backbone of airborne software assurance. By linking software behavior to system safety impact, DAL levels ensure that development and verification effort remains proportional and effective. Understanding DAL A through DAL E helps avionics teams plan processes, allocate resources, and meet certification expectations confidently. Ultimately, DAL levels do not exist to add bureaucracy. Instead, they provide a structured path to achieving demonstrable safety in airborne software systems.