By John McHale
Designers of avionics hardware components must comply with certain safety specifications under the RTCA DO-254 certification much the way software providers must certify their code for flight operations under DO-178B.
As more and more embedded electronics get added to cockpits, the number of designers needing to get familiar with the technology will only increase, says Louie De Luna, program manager with Aldec in Henderson, Nevada.
The current DO-254 standard is still somewhat in its infancy and many designers still struggle to understand its nuances – some are even calling for revisions to make it more efficient.
"Compared to DO-178B, the DO-254 guidance document is very young," says John Koumoundouros, president of Aviya Technologies in Mississauga, Ontario. "Despite its infancy, there is a consensus in the industry that changes are required now that there is a depth of experience with putting DO-254 into practice.
"The current release of the DO-254 guidance document dates back to the year 2000, although the Federal Aviation Administration (FAA) didn't release an Advisory Circular until 2005," Koumoundouros says. "Recognizing the DO-254 guidelines for use in assurance that a hardware design performs its intended functions within its target environment, and that the hardware meets all applicable airworthiness requirements is important."
"Industry needs an updated DO-254, Version A, to minimize certification costs and risks while maximizing alignment with recent FAA policies," says Francois Guay, a HighRely FAA designated engineering representative supporting DO-254 certification. "FAA guidance policy AC 20-152 and FAA Order 8110.105 state that the FAA does not intend that you apply RTCA/DO-254 to every type of electronic hardware and that it is only applicable for custom coded parts. This throws a wrench into making DO-254 comprehensive which was intended for all hardware.
"In addition, DO-254 is currently vague as it does not have the same measurable objectives as does its software counterpart RTCA DO-178B via design assurance level from which it was modeled by," Guay continues. "Therefore, support is building for implementing DO-254A which will revise DO-254, but this realistically won't happen until after the release of DO-178C later this fall."
"The current DO-254 is rather difficult to enforce and show compliance with," says Vance Hilderman, founder of HighRely. "When a standard is not clear, it increases the program risk in an industry already heavily burdened by certification costs. A new DO-254A will more objectively address criteria for complex hardware validation and verification. In addition, DO-254A will address the rapidly changing avionics hardware development and verification tools arena by clarifying how those tools can be incorporated and qualified to speed hardware certification. DO-254A should also more fully address the use of commercial-off-the-shelf (COTS) hardware components including FPGAs (field programmable gate arrays) and IP Cores."
"Although the current DO-254 guidelines are distinct to electronic hardware, this document was developed using DO-178B as a basis to build upon for DO-254," Koumoundouros says. "Fast forward five years from FAA recognition of the guidelines and the industry clearly sees that the two are divergent. Electronic hardware has unique issues to deal with that are not relevant to software certification and this uniqueness must be further elaborated and addressed in the next revision of the DO-254 guidelines. As with the upcoming DO-178C which will address new software methods and technologies, DO-254A will also address the latest methods of hardware development and the latest hardware technologies in practice."
Common DO-254 challenges
"HighRely's DO-254 trainers have taught over 12,000 avionics engineers and managers how to better develop and certify avionics, but commonly encounter key issues from attendees," Hilderman says.
"First is the misconception that full DO-254 rigor must be applied to all hardware components including simple peripherals and COTS components," he says. "Second, attendees don't understand the recent DO-254 tool offerings provided by various third parties and how to apply and qualify those tools to greatly simplify DO-254 compliance.
"Third, DO-254's requirement for 2-way traceability creates confusion regarding the required granularity of such traceability," Hilderman continues. "Fourth, identifying and applying DO-254's service history clause is vague and seems to allow the full use of any previously used component without further verification which is incorrect.
"Finally, DO-254's lack of a prescriptive process seems to imply that any informal hardware development technique can be used, which is absolutely incorrect," he says. "Just as DO-178's revisions over the years have improved industry's application of improved avionics software development, DO-254A will likewise enhance clarity and objectivity in hardware development."
HighRely's next two DO-254/178B training sessions are May 4-5 in Washington and September 14-15 in Rome, Italy. For more information visit the DO-254 Industry Group at www.do-254site.com.
"One of the biggest challenges in achieving DO-254 compliance is verification of the FPGA/PLD design in real hardware," says De Luna. In other words, "how to ensure that the hardware implementation is functionally verified as comprehensively as during RTL functional verification. Not only must designers provide evidence of traceability between Hardware Verification Results and RTL Simulation Results, but ultimately they must do so in a time- and cost-efficient manner.
"The available traditional hardware verification methods simply take too long and cost too much," De Luna continues. "They also present unique challenges such as:
- limited controllability and visibility of FPGA I/Os;
- development of test cases/test inputs for hardware verification takes too long;
- difficulty in running the design in the target device, at the required operational speed and drive it with the testing data that covers all design requirements;
- traceability of testing results which involves re-mapping and comparing the hardware outputs to its corresponding RTL simulation results, and tracing them to the design requirements; and
- appropriate hardware testing environment has to be created which entails manual connections of wires and cables (prone to many errors and bugs)."
"Aldec has DO-254 CTS (Compliance Tool Set) to provide customers the tools to comprehensively verify their FPGA/PLD designs in the HDL simulator first, and then prove all the same tests in the target FPGA," De Luna says. "We can replay RTL simulation in the real hardware environment with the same flexibility, traceability, and coverage. Aldec's methodology involves reusing testbench as test inputs for In-Hardware Verification. In doing so, customers do not have to spend months developing test cases for hardware verification anymore. Moreover, since the same testbench is used to drive RTL Simulation and In-Hardware Verification, evidence of traceability between two stages can be easily obtained and proven."
Challenges Koumoundouros sees include "seeing DO-254 as a process enabler by evangelizing the electronic hardware industry that although there are upstart costs to implementing DO-254, those costs diminish as your process matures. The real benefits are reaped down the road through a more reliable and safer product that results in lower in service costs.
"Due to its relative infancy as a guideline, successful certification inevitably is directly correlated with the maturity and first-hand experience of your organization with DO-254," Koumoundouros continues. "Companies such as Aviya, which have many years of certification experience have developed best practices and mature processes that fulfill the requirements of DO-254 and the FAA. The industry sees these attributes as a competitive advantage that distinguishes one company from another. Nonetheless, for the benefit of all, we must impart some of these best practices into the next revision of the guideline to help the industry as a whole to move forward."
The industry will need to utilize "the latest development methods and technologies for electronic hardware development and correlating those with the DO-254 guidelines that date back to the year 2000," he adds.
Certification solutions
"Aviya provides end-to-end solutions to support certification under DO-254 guidelines," Koumoundouros says. "Aviya's in-house expertise provides support in an organization's underlying processes to bring them into compliance with DO-254. These processes range from configuration management to quality assurance to problem reporting/tracking."
Aviya's "validation and verification tools and processes provide a complete suite of testing building blocks to ensure thorough and complete requirements based testing for a successful certification," he continues. The company's "test environment with advanced scripting engine, automated execution, and high-fidelity modeling capability, allows full exercising of complex electronic hardware components from the FPGA level through to the board level."