DO-254: challenges and possible change

Designers of avionics hardware components expect that the Federal Aviation Administration (FAA) will soon update the DO-254 certification standard for airborne processing hardware just as they are currently updating the DO-178B standard for software certification.

Nov 19th, 2009

By David Jensen

Designers of avionics hardware components expect that the Federal Aviation Administration (FAA) will soon update the DO-254 certification standard for airborne processing hardware just as they are currently updating the DO-178B standard for software certification.

So far, the FAA has not requested a revision to DO-254, and RTCA, established to develop policy and regulations for the federal agency, currently could not take on such a project. The non-profit organization would be hard pressed to form a DO-254A steering committee, since many of the technical experts who would serve as members are currently in the SC-205 committee, working on DO-178C.

Still, Gilbert Amato, secretary general of RTCA's European counterpart, the European Organization for Civil Aviation Equipment (EUROCAE), says, "it is true that an update could be envisaged. We, EUROCAE, are presently evaluating the requirement for, and the magnitude of, such a revision."

EUROCAE and RTCA worked jointly to develop DO-254 and the European counterpart, ED-80, and they undoubtedly would work together on a new version of the standard. "The decision [to update the hardware standard] could be taken in the beginning of 2010 and, when hopefully positive, it is expected that such an updating task will be tightly coordinated between the dedicated EUROCAE working group and RTCA special committee to ensure coherence of provided documents," he says. "The outcome could be the publication of DO-254/ED-80 revision A in 2012."

Members of the avionics community also believe a DO-254/ED-80 revision will soon be weighed, if for no other reason than to have hardware development standards keep pace with, and be as rigorous as, the complementary software development standards. DO-254/ED-80 is a young standard compared to the more mature DO-178 (and Europe's ED-12), which RTCA and EUROCAE constructed jointly about 30 years ago. RTCA's SC-180 committee finalized the hardware standard in 2005 after about five years of deliberation.

Still, despite its relative freshness, DO-254 probably needs updating. It was essentially adapted, cut-and-paste style, from DO-178. A committee reworking the standard could make it more distinct and relevant by addressing issues unique to processing hardware and that have become apparent over the several years of real world DO-254 application.

Although RTCA and EUROCAE have yet to set up committees and an agenda, some issues probably will be discussed when they eventually do so. These include: modeling, reverse engineering (to make sure fielded systems function predictably and safely), specificity of processing cores (Are they hardware or software?), automated traceability throughout the hardware development cycle, and integration with commercial technology in greater detail, among others.

The benefits of establishing an updated, more rigorous standard extend beyond the civil aviation marketplace. More and more, militaries are adopting DO-254/ED-80, even to replace their own standards. The prodigious processing power on the F-35 Joint Strike Fighter is compliant to the DO-178B software standard but not to DO-254, which was published after the fighter program's launch. However, most subsequent military contracts, including for unmanned air vehicles (UAVs), have called for some form of compliance with both standards in part because most military aircraft fly in civil airspace.

Also, according to Tony Baghai, executive vice president of HighRely Inc., in San Diego military conformity to the civil standard "is becoming more common because military products are going more to COTS [commercial off-the-shelf products], which are developed for multiple purposes." Compliance ensures the COTS product performs its function safely. (HighRely is a firm that assists electronics manufacturers efficiently secure DO-178B and DO-254 implementation and certification.)

In fact, "DO-254 is becoming the U.S. military's de-facto standard," replacing the less-stringent Mil-Std-490, says Rick Hearn, product development manager for systems and sensors producer Curtiss-Wright Controls in Leesburg, Va.

European ministries of defense are turning to ED-80 because their own standards are "out of date," says Karl Gatterer, mil aero marketing manager for hardware provider Altera. "For instance, the United Kingdom military standard is about 25 years old."

For the U.S. military, 178 and 254 compliance is informal, not involving FAA oversight or approval. Some European militaries, however, have taken the extra step by working collaboratively with the European Aviation Safety Agency (EASA) for ED-80 compliance. One explanation for this is that European military aircraft must operate in smaller, more congested airspace.

DO-254 and ED-80 were established because executing the millions of lines of code to develop processing hardware was becoming more and more complex. The trend away from federated avionics systems and to partitioned, modular systems has contributed to the complexity.

"Two things triggered DO-254," explains Vance Hilderman, cofounder of HighRely. "One, FAA found that advanced logic wasn't confined to software and, second, it found manufacturers were moving increasingly complex functionality from software to hardware to avoid certification costs." Prior to DO-254, hardware was verified simply by system-level testing and not the rigorous internal design analysis, validation, and recordkeeping required today.

All electronic hardware, down to the onboard coffeemaker and restroom lighting, must be DO-254/ED-80 approved – an understandable requirement when considering the onboard fire and crash in September 1998 of Swissair flight 111. That tragedy's suspected origin was faulty wiring for the MD-11's in-flight entertainment system, which normally would have no effect on aircraft and crew performance.

DO-254 applies to the development of line replaceable units (LRUs), circuit card/board assemblies, integrated hybrid and multi-chip components, COTS devices and custom micro-coded components that include field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), and programmable logic devices (PLDs). Depending on the host system's function, a hardware device must be approved to one of five criticality levels, not unlike software for DO-178B. Those include:

• Level A – the most stringent level, applying to hardware in mission computers, terrain-following devices and any system in which a failure could cause or contribute to a catastrophic failure;

• Level B – where a hardware failure would cause or contribute to a hazardous or severe failure in the flight control system;

• Level C – where a hardware failure would cause or contribute to a major failure in the flight control system – an example would be a malfunctioning communications system, which may not cause a catastrophe but would weaken safety and perhaps cancel a mission;

• Level D – where a failure would cause or contribute to a minor failure in the flight control system; and

• Level E – where a software failure would have no adverse effect on the aircraft or pilot workload.

The principal applicants for DO-254 certification are the systems integrators who must ensure their products' functionality. However, a growing number of the integrators' vendors wisely adhere to DO-254 processes, as well.

According to Hilderman, about one third of the companies seeking HighRely's training and other assistance in developing DO-254-compliant hardware don't seek formal certification.

Yet they do gain a competitive advantage when they can deliver, along with their hardware, a certification kit that includes blueprints and other documentation to assist the integrator in securing the host system's FAA approval.

Curtiss-Wright Controls, for example, has a dedicated group called Modified COTS, or MCOTS, to assist integrators with certification. The team's expertise is beneficial when certifying a COTS product on a single platform. (Generally, processing hardware is more likely than software to be a COTS product.)

"An integrator might come to us and say we'd like your computer and graphic card, and we'd like to use them in a particular platform to Level C standard," Hearn says. "We would work with him as a partner and help him with that certification."

Systems integrators seek out vendors who can provide certification kits because gaining FAA approval can be an arduous process, especially for levels A and B.

According to a HighRely white paper, "DO-254 requires planning, consistency, determinism, thorough requirements, design documentation and testing, thorough production assurance, and proof of the preceding attributes."

In short, certified hardware development entails considerable planning and documented proof that the plans were fully executed. Many tests are required as well as independent reviews and closed-loop traceability.

Adding to the certification task is the fact that parts of DO-254 can be confusing and misunderstood. For example, the standard's Appendix B, required for levels A and B certification, recommends various methods of verifying a hardware function. But no one method is mandated.

"It thus becomes like a legal argument for safety," Hearn says. "It calls for layer upon layer of arguments for why you tested enough and why the device will work as expected." The avionics industry's mantra for DO-54 is "guilty until proven innocent."

Small wonder processing hardware producers shudder when contemplating DO-254 approval. It entails added expense and time.

"Most companies find the first time they develop hardware to 254 compliance is not cost effective," Hilderman says. "But by the second time, they become more efficient at it."

Hilderman estimates that "a company with good engineering processes will see their development costs increase by 30 to 40 percent [when applying DO-254 the first time]; about half that will go for verification and validation, or V&V. Companies with weak design processes will see much larger cost increases."

"You must have very good quality control and quality assurance," Baghai adds. "If you have those, you can reduce costs."

Hilderman says he estimates that civil certification to the standard can add about 30 to 40 percent more man hours to hardware development, and military compliance, about 20 to 25 percent more time.

Not surprisingly, electronics manufacturers that evaluate their existing engineering development procedures against those required by DO-254/ED-80 often discover a "gap," which can vary in size, depending on the level of certification pursued.

A gap analysis conducted either internally or by an outside source outlines areas of compliance and areas where the company's procedures fall short.

The intent of analysis is to provide a firm baseline of where the company is now and how much additional work and cost will be required to fill the gap and achieve compliance.

Perhaps it should be noted that compliance to the current certification standard would represent a significant preliminary step to observing DO-254A, whenever it becomes law.

To eliminate a processing gap and/or to make a product's development more efficient, hardware producers establish partnerships.

"There are so many facets of 254 that we may not play in," says Karl-Heinz Gatterer, military and aerospace marketing manager for Altera Europe. "We work with third-party firms to establish a partner network so that our customers have access to a complete DO-254 environment."

Whether to assure compatibility with selected software or conduct independent testing or attain proper documentation, hardware developers frequently establish partnerships with specialists to make sure their product is DO-254/ED-80 compliant.

An example is Altera's partnership with Hcell Engineering to develop Altera's Nios II soft processor to level A. The two companies jointly created a plan for hardware aspect of certification (PHAC), an integral part of the DO-254/ED-80 certification process. They also compiled design data, managed the processor core's configuration and drafted required paperwork for certification.

Gatterer says he believes such collaborative work done prior to a hardware products delivery could save the systems integrator up to two years development time and as much as one million dollars in cost savings when pursuing its system's DO-254/ED-80 approval.

Circuit board/assembly makers may well wonder if entering the aviation market, which is relatively small compared to most consumer markets, is worth the expense of DO-254/ED-80 compliance. For those who think it is, a HighRely white paper offers encouragement by listing 17 benefits to 254 conformity.

These include: fewer development iterations (or churn), greater consistency within the hardware, improved software integration, improved re-usability, wider market acceptance, and greater customer satisfaction.

Also, a processing hardware developer who plans to comply is not alone; there's support out there. For example, the DO-254 Industry Group for Engineers, which serves as a common depository of information pertaining to the standard, has a web site -- and blog. It also provides its members with relevant news, white papers, product announcements, seminars and meetings.

In addition to its regulatory duties, RTCA is a training organization and, in fact, has scheduled DO-254 classes Dec. 2-4 at its Washington, D.C., headquarters. HighRely, too, will offer a DO-254 class, in Phoenix, Ariz., Nov. 19-20.

And, finally, Vance Hilderman and Tony Baghai have co-authored a book, "Avionics Certification: A Complete Guide to DO-178B and DO-254." Copies are available on and from Avionics Communications Inc.

More in Home