Artificial Intelligence (AI) has transformed the world of technology, enabling systems to learn, adapt, and make decisions without explicit programming. From autonomous vehicles to medical diagnostics and flight control systems, AI promises unprecedented efficiency and capability. However, when it comes to safety-critical systems—where failure could result in injury, loss of life, or significant damage—the use of AI introduces profound challenges that go far beyond traditional software engineering. Unlike conventional software, which behaves predictably according to its programmed logic, AI is built on learning and training. Its decisions and outputs depend heavily on the data it has been trained on and the patterns it recognizes during runtime. This adaptive, data-driven behavior means that an AI system’s responses may vary with changing inputs or environments, often in ways that are not explicitly defined or foreseen by developers. While this flexibility is a strength in many applica...
In conversations about DO-178C compliance, certain topics dominate almost immediately—traceability matrices, coverage metrics, independence, verification rigor. These are critical, no doubt. Yet, one of the most powerful tools for achieving all of them is often treated as administrative overhead rather than an engineering discipline.
That tool is hierarchical requirements.
In my experience working with airborne software teams, especially in safety-critical aerospace programs, most DO-178C issues do not originate in code or testing. They originate much earlier—when requirements are poorly structured, ambiguously decomposed, or inconsistently linked across levels. Hierarchical requirements, when done correctly, quietly eliminate entire classes of compliance problems before they ever surface.
What Hierarchical Requirements Really Mean in DO-178C
Hierarchical requirements are not just a stack of documents labeled “system,” “high-level,” and “low-level.” They represent a controlled decomposition of intent, where each level answers a different question:
-
System requirements define what the aircraft must do
-
High-level software requirements (HLRs) define what the software must do to support that
-
Low-level software requirements (LLRs) define how the software will do it
DO-178C does not merely encourage this structure—it depends on it. Verification, traceability, and independence all assume that requirements are layered, consistent, and progressively refined.
Without a clean hierarchy, compliance becomes fragile and reactive.
The Hidden Cost of Flat or Poorly Decomposed Requirements
One of the most common patterns I’ve seen in aerospace programs is a “flat” requirement set—hundreds of software requirements written at mixed levels of abstraction. Some describe behavior, others describe implementation details, and many unintentionally do both.
This creates predictable problems:
-
Verification teams struggle to define objective test criteria
-
Traceability matrices grow but lose meaning
-
Changes ripple unpredictably across the codebase
-
Certification reviews focus on gaps instead of evidence
In practice, teams end up compensating with excessive testing, defensive documentation, and manual reviews—none of which improve safety or clarity.
Hierarchical requirements reduce this chaos by enforcing intentional structure.
Hierarchy as the Backbone of Traceability
Traceability is often treated as a compliance deliverable rather than an engineering outcome. In reality, traceability only works when requirements are hierarchical.
When system requirements are decomposed cleanly into HLRs, and HLRs into LLRs:
-
Every line of code has a clear purpose
-
Every test case has a justified objective
-
Every change has a predictable impact radius
In one aerospace program I worked on, a late system requirement change initially looked catastrophic. Because the requirement hierarchy was well-defined, the team identified exactly which HLRs and LLRs were affected within hours—not weeks. The certification impact was contained, and the audit conversation stayed focused and factual.
That’s not luck. That’s structure.
Verification Becomes Clearer—and Cheaper
DO-178C verification is fundamentally about proving correctness against requirements. Poorly structured requirements force verification teams to interpret intent. Well-structured hierarchical requirements eliminate interpretation.
High-level requirements enable:
-
Requirement-based testing
-
Clear functional verification objectives
Low-level requirements enable:
-
Structural coverage alignment
-
Deterministic code reviews
-
Precise test conditions
When hierarchy is respected, verification becomes confirmation—not investigation. This distinction matters enormously under schedule pressure.
Independence Depends on Requirement Quality
DO-178C emphasizes independence between development and verification. What is less obvious—but equally important—is that independence only works when requirements are unambiguous.
Verification engineers cannot remain independent if they must reverse-engineer intent from vague or overloaded requirements. Hierarchical requirements reduce this risk by:
-
Separating what from how
-
Preventing implementation bias at higher levels
-
Making incorrect assumptions easier to detect
In aerospace projects, true independence is not enforced by process alone—it is enabled by clarity.
Change Management Without Fear
Aircraft software evolves. Requirements change due to safety findings, operational feedback, or system integration realities. Without hierarchy, every change feels dangerous.
Hierarchical requirements localize change. A system-level update may only affect a subset of HLRs, which may only affect a small number of LLRs. The rest of the system remains untouched—and provably so.
From a certification perspective, this dramatically reduces re-verification scope. From an engineering perspective, it restores confidence.
Hierarchy is an Engineering Skill, not a Documentation Task
One misconception I see frequently is treating requirement decomposition as a documentation activity handed off to systems or compliance teams. In reality, good hierarchical requirements demand strong engineering judgment.
In aerospace, the best requirement sets I’ve seen were created by engineers who understood:
-
System behavior under failure conditions
-
Operational constraints
-
Certification intent, not just wording
Hierarchical requirements are where system thinking meets software rigor. When that connection is lost, compliance becomes performative rather than meaningful.
Why This Tool Remains Underrated
Hierarchical requirements don’t produce flashy metrics. They don’t show up directly in coverage reports or dashboards. Their value is indirect—but profound.
They:
-
Reduce verification effort
-
Improve audit outcomes
-
Enable safer systems
-
Lower long-term maintenance cost
Most importantly, they align engineering reality with certification expectations.
In DO-178C programs, the strongest teams don’t fight compliance—they design for it. Hierarchical requirements are one of the most effective ways to do exactly that.
Closing Thoughts
DO-178C compliance is often described as documentation-heavy and process-driven. In my aerospace experience, that perception usually signals a deeper problem: weak requirement structure.
Hierarchical requirements are not bureaucracy. They are an architectural tool—one that quietly supports safety, clarity, and confidence across the entire software lifecycle.
If there is one place to invest early effort in a DO-178C program, it is here. Everything else becomes easier once the hierarchy is right.
Comments
Post a Comment