The growing demand for high-efficiency fighter aircraft and commercial airliners, together with ever-evolving aerospace and defense requirements, is driving the demand for next-generation airborne electronics systems. Air transportation agencies and aviation OEMs across the globe have been striving to build next-generation airborne electronics systems to make flying more reliable, predictable, and safer.
DO-254 – Design Assurance Guidance for Airborne Electronic Hardware
DO-254 is a stringent functional safety standard that defines and regulates the process of auditing and certifying airborne electronics systems. Conceptually, the standard applies to all electronics in anything that flies or could crash and pose a hazard to the public.
DO-254 was published by the Radio Technical Commission for Aeronautics (RTCA) in 2005 and is administered by the FAA to ensure safety in airborne electronic systems. Simply stated, DO-254 is a requirements-driven, process-oriented safety standard applied to commercial electronics that go into aircraft. The standard insists on tracking the development activities and documenting every step of each stage involved. It helps minimize errors in the design process and brings a high degree of traceability.
The DO-254/ED-80 standard is the counterpart to the well-established software standard RTCA DO-178C/EUROCAE ED-12C. With DO-254/ED-80, the certification authorities have made clear that avionics equipment contains both hardware and software, and that each is critical to the safe operation of the aircraft.
Based on their safety criticality, different parts of the aircraft are designated different Design Assurance Levels, or DALs for short.
There are five levels of compliance, A through E, which depend on the effect a failure of the hardware would have on the operation of the aircraft. Level A is the most stringent, defined as a “catastrophic” effect (e.g., loss of the aircraft), while a failure of Level E hardware will not affect the safety of the aircraft. This means that achieving Level A compliance for an airborne electronics system requires a far more rigorous verification and validation process than Level E compliance.
DO-254 covers the guidance for airborne electronic hardware such as:
- Line Replaceable Units
- Circuit board assemblies
- Programmable components such as field-programmable gate arrays (FPGA), programmable logic devices (PLD), and application-specific integrated circuits (ASIC)
- Commercial off-the-shelf (COTS) modules.
The document classifies electronic hardware items into simple or complex categories. An item is simple “if a comprehensive combination of deterministic tests and analyses appropriate to the design assurance level can ensure correct functional performance under all foreseeable operating conditions with no anomalous behavior.”
Conversely, a complex item is one that cannot have correct functional performance ensured by tests and analyses alone; so, assurance must be accomplished by additional means. The body of DO-254/ED-80 establishes objectives and activities for the systematic design assurance of complex electronic hardware, generally presumed to be complex custom micro-coded components, as listed above. However, simple electronic hardware is within the scope of DO-254/ED-80 and applicants propose and use the guidance in this standard to obtain certification approval of simple custom micro-coded components, especially devices that support higher level (A/B) aircraft functions.
According to several industry sources, a project meeting DO-254 can cost 1.5X to 4X more than the same project without DO-254.
System aspects of hardware design assurance
The central obligation is the capture and tracking of requirements throughout the design and verification process. The following items of substantiation must be provided to the FAA, or to the Designated Engineering Representative (DER) representing the FAA:
- Plan for Hardware Aspects of Certification (PHAC): Planning is a critical piece of DO-254 certification. This plan should cover all aspects of your project and how you will meet the DO-254 requirements.
- Hardware Verification Plan (HVP)
- Top-Level Drawing
- Hardware Accomplishment Summary (HAS)
Requirements Capture and Validation
The DO-254 specification utilizes a requirements-based design and verification approach. This means that the entire hardware project revolves around a formal set of high-level requirements. Before any RTL is written, each of these requirements must be written down, given a unique reference name, and reviewed for a variety of criteria including understandability, testability, verifiability, etc.
At the conceptual design stage, a larger design is broken down into smaller, more manageable components. This might be thought of as a high-level block diagram.
The detailed design step, which follows the conceptual design, is where the real design work takes place. For each component detailed in the conceptual design, the RTL hardware design should implement each and every requirement for that component. Each high-level requirement should be “traced” to the top-level RTL module implementing that requirement.
Separately, the verification team should create verification tests to verify that each requirement has been met by the RTL, including a message to the log file showing the expected result, the actual result seen in the simulation, and the result (pass/fail). Each test must also be linked to the high-level requirement, including the pass/fail criteria (all must pass, obviously). Constrained random testing can also be used for more complex designs; however, special care must be used to create additional verification coverage components tied to all the requirements.
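The traceability the two paragraphs above describe (requirement to RTL module, requirement to test, test to pass/fail result) is usually enforced with a small tool that cross-checks the requirement set against the design files and the simulation log. The following is an added example, not code from the original article or from any DO-254 toolchain: it assumes a constructed requirement set with IDs of the form HLR-nnn, RTL files whose header comment names the requirements they implement, and a constructed log format in which every [TEST] line carries the requirement ID, expected value, actual value and verdict. Any requirement that has no implementing module, no test, or a failing test is reported, as is any ID that appears in the RTL or log but not in the requirement set.

```python
"""Requirements traceability check for a DO-254-style flow (constructed example).

Requirement IDs (HLR-nnn), file names, the '// Implements:' trace tag and the
simulation log layout are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed requirement set: ID -> requirement text.
REQUIREMENTS = {
    "HLR-001": "The UART shall transmit at 115200 baud +/- 2%.",
    "HLR-002": "The watchdog shall reset the core if not kicked within 100 ms.",
    "HLR-003": "The status register shall read back the last written value.",
}

# Constructed RTL sources: a header comment names the requirements each
# top-level module implements (the trace from requirement to RTL).
RTL_SOURCES = {
    "uart_tx.v": "// Implements: HLR-001\nmodule uart_tx(...); endmodule\n",
    "watchdog.v": "// Implements: HLR-002\nmodule watchdog(...); endmodule\n",
    "status_reg.v": "// Implements: (none yet)\nmodule status_reg(...); endmodule\n",
}

# Constructed simulation log: each test line records the requirement it
# verifies, the expected result, the actual result and the verdict.
SIM_LOG = """\
[TEST] req=HLR-001 test=tb_uart_baud expected=115200 actual=115207 result=PASS
[TEST] req=HLR-002 test=tb_wdt_timeout expected=100ms actual=131ms result=FAIL
[INFO] simulation finished
"""

TRACE_RE = re.compile(r"//\s*Implements:\s*((?:HLR-\d+)(?:\s*,\s*HLR-\d+)*)")
TEST_RE = re.compile(
    r"\[TEST\]\s+req=(?P<req>HLR-\d+)\s+test=(?P<test>\S+)\s+"
    r"expected=(?P<exp>\S+)\s+actual=(?P<act>\S+)\s+result=(?P<res>PASS|FAIL)"
)


@dataclass
class TraceReport:
    unimplemented: list = field(default_factory=list)  # no RTL module traces to it
    untested: list = field(default_factory=list)       # no [TEST] line verifies it
    failing: list = field(default_factory=list)        # (req, test, expected, actual)
    unknown_ids: list = field(default_factory=list)    # IDs seen in RTL/log but not in the set

    @property
    def ok(self):
        return not (self.unimplemented or self.untested or self.failing or self.unknown_ids)


def parse_rtl_traces(sources):
    """Map requirement ID -> list of RTL files whose header claims to implement it."""
    traces = {}
    for fname, text in sources.items():
        m = TRACE_RE.search(text)
        if not m:
            continue
        for rid in re.findall(r"HLR-\d+", m.group(1)):
            traces.setdefault(rid, []).append(fname)
    return traces


def parse_sim_log(log):
    """Return the parsed [TEST] lines as dicts with keys req, test, exp, act, res."""
    return [m.groupdict() for m in (TEST_RE.match(line) for line in log.splitlines()) if m]


def build_report(requirements, sources, log):
    """Cross-check requirements against RTL trace tags and the simulation log."""
    traces = parse_rtl_traces(sources)
    tests = parse_sim_log(log)
    rep = TraceReport()
    seen = set(traces) | {t["req"] for t in tests}
    rep.unknown_ids = sorted(seen - set(requirements))
    tested = {t["req"] for t in tests}
    for rid in requirements:
        if rid not in traces:
            rep.unimplemented.append(rid)
        if rid not in tested:
            rep.untested.append(rid)
    for t in tests:
        if t["res"] == "FAIL":
            rep.failing.append((t["req"], t["test"], t["exp"], t["act"]))
    return rep


if __name__ == "__main__":
    r = build_report(REQUIREMENTS, RTL_SOURCES, SIM_LOG)
    print("unimplemented:", r.unimplemented)
    print("untested:", r.untested)
    print("failing:", r.failing)
    print("traceability complete:", r.ok)
```

Run on the constructed inputs, the report flags HLR-003 as both unimplemented and untested and lists the failing watchdog test with its expected and actual values, which is exactly the evidence a reviewer would expect the verification log to carry. In a real flow the same check would run over the checked-in RTL and the regression log at every baseline.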
The implementation process is obviously technology specific. For an RTL-based design (such as an FPGA or ASIC), the implementation step includes the synthesis process of converting RTL into actual technology-specific gates. For an FPGA, this also includes creating the programming file to load into the FPGA. For an ASIC, this step includes the backend design/verification steps. Here, the main point is to follow the process detailed in your PHAC document up-front.
This is the final stage, production transition, when you transfer your design over to manufacturing. Typically, this stage addresses questions such as:
- How can you be sure you are using the correct version of the programming file during the manufacturing process? (FPGA)
- How can you be sure you are using the correct part? (ASIC and FPGA)
- Have you properly handled any errata for the device?
Along with your DO-254-compliant plan, you should also document how you will ensure that the plan is actually followed, typically in a Process Assurance or Quality Assurance plan. This plan documents who will be designated as the process assurance person or organization to double-check that your PHAC and other plans are followed, and how this checking will be performed.
It’s important to realize that you must be able to prove that this checking happened, typically by creating a paper trail of internal meetings, reviews, internal audits, etc. Typically, a DO-254 certification official wants this process assurance performed by a separate qualified person or organization (for example, someone knowledgeable about design/verification, but not someone on this design or verification team). This person/organization must also be given the authority to carry out this process, and be provided access to the engineers and design environment.
In addition to the Process Assurance plan, you should also create a Configuration Management (CM) plan. In this plan, you document how you will ensure that the development process and the artifact generation process are repeatable. This typically includes revision control and bug tracking systems for all design and verification files, as well as for all documentation and artifact documents.
The DO-254 specification refers to the importance of tracking all design artifacts throughout the design process. Certification officials understand that design and verification files will go through many iterations. However, once they are stable, you are expected to “baseline” the design. In typical commercial electronics, this is analogous to a design freeze—a point in a schedule when subsequent changes are closely controlled and documented.
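Baselining, as described above, and the production-transition question of whether manufacturing is loading the correct version of the programming file into the correct part, are both answered by the same mechanism: recording a hash of every released artifact (and the target device) at the baseline, and verifying against that record before use. The following is an added example, not code from the original article or from any vendor tool; the artifact contents, file names, part number and manifest layout are all constructed placeholders.

```python
"""Baseline manifest for design artifacts and a pre-programming check (constructed example).

At the baseline, every artifact that will be released (RTL, constraints, the
FPGA programming file, the build log) has its SHA-256 hash recorded together
with the target part. Before a programming file is loaded on the line, the
check confirms it is bit-for-bit the baselined version and that the line is
using the device the baseline was built for. Names and values are placeholders.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_baseline(artifacts: dict, target_part: str, baseline_id: str) -> dict:
    """Record the hash of each artifact plus the device the baseline was built for."""
    return {
        "baseline": baseline_id,
        "target_part": target_part,
        "artifacts": {name: sha256_hex(data) for name, data in artifacts.items()},
    }


def verify_artifact(manifest: dict, name: str, data: bytes, part_on_line: str) -> list:
    """Return a list of problems; an empty list means the artifact may be used."""
    problems = []
    expected = manifest["artifacts"].get(name)
    if expected is None:
        problems.append(f"{name}: not part of baseline {manifest['baseline']}")
    elif sha256_hex(data) != expected:
        problems.append(f"{name}: content differs from baseline {manifest['baseline']}")
    if part_on_line != manifest["target_part"]:
        problems.append(
            f"part mismatch: baseline built for {manifest['target_part']}, line has {part_on_line}"
        )
    return problems


# Constructed artifacts standing in for the real released files.
BASELINE_ARTIFACTS = {
    "top.v": b"module top(...); endmodule\n",
    "top.xdc": b"set_property PACKAGE_PIN A1 [get_ports clk]\n",
    "top.bit": bytes(range(256)) * 4,  # placeholder bitstream bytes
    "build.log": b"synthesis ok\nimplementation ok\n",
}
TARGET_PART = "PART-NUMBER-PLACEHOLDER"  # placeholder, not a real device
MANIFEST = make_baseline(BASELINE_ARTIFACTS, target_part=TARGET_PART, baseline_id="BL-1.0")


if __name__ == "__main__":
    print(json.dumps(MANIFEST, indent=2))
    good = verify_artifact(MANIFEST, "top.bit", BASELINE_ARTIFACTS["top.bit"], TARGET_PART)
    # A re-synthesised bitstream that was never baselined: one byte differs.
    stale = bytearray(BASELINE_ARTIFACTS["top.bit"])
    stale[10] ^= 0x01
    bad = verify_artifact(MANIFEST, "top.bit", bytes(stale), TARGET_PART)
    print("baselined file:", good)
    print("modified file:", bad)
```

The manifest itself becomes a configuration item under revision control, so the "correct version" question at production transition reduces to comparing a hash against a controlled record rather than trusting a file name or a date stamp.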
Typically, a single person is selected as the main communication point for the certification officials. This single point of contact enables clean communication and ensures that the certification official obtains a clear view of the overall design process.
In-target testing is a critical component of the DO-254 specification and a required part of the overall flow. From a DO-254 perspective, all verification done in a simulator was performed on a model of the design. There is no guarantee that the model used in the simulation matches the actual device as it sits on the target board that will be installed in the aircraft. In addition, simulation is typically limited and does not include the actual hardware physics such as voltage and temperature variations, as well as signal degradation, ringing, pin capacitance loading, etc.
To ensure the final device performs as expected, you must demonstrate that the final device, sitting on the target system that will go into the aircraft, meets its requirements. In an ideal world, the certification official would like to see ALL requirements tested on the final part. Realistically, this is frequently impossible, because it would require internal controllability and observability. As a result, you should decide up-front how you will address this final testing against your requirements in your PHAC document, and discuss it thoroughly with your certification official to reach an agreement.
Other Design Considerations
Although it is not explicitly detailed in the DO-254 specification, certification officials will expect you to design your system to adequately handle a variety of adverse conditions, such as single event upsets on state machines, memory corruption (protected, for example, by error-correcting codes), block or subsystem redundancy when needed to achieve a sufficiently low failure rate, electrical isolation of circuits at different DALs so that a lower-DAL circuit cannot disrupt a higher-DAL circuit, and many other aspects required by high-reliability environments.
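Two of the mitigations named above can be shown concretely: an ECC that corrects any single flipped bit and detects any double flip (single-error-correct, double-error-detect, or SECDED, built here from a Hamming code plus an overall parity bit), and a one-hot state machine encoding in which any upset produces an illegal state that forces recovery to a safe state. The following is an added example written for this article, not code from the original page or from any avionics project; the data width, the four-state machine and the choice of IDLE as the recovery state are assumptions.

```python
"""SECDED Hamming code and one-hot FSM upset detection (constructed example).

Bit positions follow the classic Hamming layout: parity bits sit at positions
1, 2, 4, 8, ... (1-indexed), data bits fill the rest, and position 0 holds an
overall parity bit that turns single-error correction into SECDED.
"""


def hamming_encode(data_bits):
    """Encode a list of 0/1 data bits into a SECDED codeword (list of 0/1)."""
    n = len(data_bits)
    r = 0
    while (1 << r) < n + r + 1:      # smallest r with 2^r >= n + r + 1
        r += 1
    total = n + r
    code = [0] * (total + 1)         # index 0 reserved for overall parity
    di = 0
    for pos in range(1, total + 1):
        if pos & (pos - 1) == 0:     # power of two: parity position
            continue
        code[pos] = data_bits[di]
        di += 1
    for i in range(r):
        p = 1 << i                   # parity bit p covers every position with bit p set
        code[p] = sum(code[pos] for pos in range(1, total + 1) if pos & p) % 2
    code[0] = sum(code) % 2          # overall parity over all other bits
    return code


def secded_decode(code):
    """Return (status, data_bits); status is 'ok', 'corrected' or 'uncorrectable'."""
    code = list(code)
    total = len(code) - 1
    syndrome = 0
    for pos in range(1, total + 1):  # XOR of the positions of all set bits
        if code[pos]:
            syndrome ^= pos
    overall = sum(code) % 2
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:               # odd number of flips: assume one, correct it
        if syndrome:
            code[syndrome] ^= 1      # syndrome names the flipped position
        else:
            code[0] ^= 1             # only the overall parity bit flipped
        status = "corrected"
    else:                            # even flips with nonzero syndrome: two errors
        status = "uncorrectable"
    data = [code[pos] for pos in range(1, total + 1) if pos & (pos - 1) != 0]
    return status, data


# Constructed one-hot encoding for a four-state machine (assumption).
ONE_HOT_STATES = {"IDLE": 0b0001, "RUN": 0b0010, "WAIT": 0b0100, "DONE": 0b1000}


def fsm_state_check(state_bits):
    """Return (next_state_bits, recovered). Any non-one-hot value is treated as an upset."""
    if bin(state_bits).count("1") != 1 or state_bits not in ONE_HOT_STATES.values():
        return ONE_HOT_STATES["IDLE"], True   # illegal state: force the safe state
    return state_bits, False


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    cw = hamming_encode(data)
    flipped = list(cw)
    flipped[5] ^= 1                   # single upset
    print(secded_decode(flipped))     # ('corrected', original data)
    flipped[9] ^= 1                   # second upset in the same word
    print(secded_decode(flipped)[0])  # 'uncorrectable'
    print(fsm_state_check(0b0110))    # upset turned RUN into an illegal state -> IDLE
```

The design point worth noting is the distinction the decoder makes: a single flip is silently repaired, but a double flip is reported rather than "corrected" into the wrong word, which is what makes the overall parity bit worth its cost in a DAL A/B design.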
The DO-254 specification itself is only part of the story. There are additional supplemental papers that clarify, restrict, and limit how the DO-254 specification is applied. In addition, there are follow-on papers created by other bodies such as the international Commercial Aviation Safety Team (CAST) and the European Aviation Safety Association (EASA), as well as additional regulations set by airframers such as Airbus and Boeing. There are also a variety of commonly accepted industry practices expected by certification officials. A working understanding of these documents and how they are organized is important, as they limit the scope and clarify the details necessary to successfully complete a DO-254 project.