
Introduction to DO-254

Design Assurance Guidance for Airborne Electronic Hardware


By Esteban Sánchez, Project Manager, Avionyx, 2009

Introduction to DO-254: Design Assurance Guidance for Airborne Electronic Hardware

Electronic aviation equipment, composed of both hardware and software, plays a critical role in fulfilling the objective of a safe flight. The DO-254 standard, Design Assurance Guidance for Airborne Electronic Hardware, was created in April 2000 and formally accepted by the FAA in 2005 as a means of compliance for the design of complex electronic hardware in airborne systems. The standard was conceived as the complement to the well-recognized counterpart guidance for software, DO-178B. The main objective of DO-254 is to provide design assurance guidance that assists organizations in the development of electronic hardware. The intention of this paper is to provide a quick overview of the DO-254 standard for companies, engineers and managers.

Criticality and Complexity in DO-254


The DO-254 standard defines five system development assurance levels, A through E, that vary with the criticality of the system (the effect that a system failure has on the safety of the aircraft). Level A is the most stringent and applies to systems whose failure would prevent continued safe flight. Conversely, level E applies to systems whose failure neither affects the operational capability of the aircraft nor increases the workload of the flight crew. The design assurance level is determined by the System Development Process (during which the system is conceived as a whole, from the highest level of the design hierarchy, as it is intended to fit in the aircraft) and flowed down to the Hardware Development Process, where it drives the level of design assurance required to satisfy certification objectives. The higher the design assurance level required, the more complex and expensive the project becomes. In its Appendix A, the DO-254 standard includes a comprehensive list of the data to be produced for each design assurance level. This appendix is particularly useful for keeping the scope of the project from growing and for avoiding the production of documents that are not required for certification of the electronic hardware.

DO-254 is applicable at the device, board or LRU level, although the FAA only requires compliance at the device level. DO-254 distinguishes between complex and simple electronic devices; however, it recognizes that this distinction is not rigorously defined anywhere. The standard defines a Simple Electronic Device as one that can be demonstrated, through a comprehensive combination of deterministic tests and analyses appropriate to the design assurance level, to have correct functional performance under all foreseeable operating conditions with no anomalous behavior. In terms of verification, this implies that exhaustive testing may be required in order to classify an electronic device as simple. Based on this definition, a Complex Electronic Device is simply one that cannot be classified as a Simple Electronic Device. Examples of complex electronic devices include all flavors of Programmable Logic Devices (PLDs), such as Field Programmable Gate Arrays (FPGAs), Complex Programmable Logic Devices (CPLDs) and Application Specific Integrated Circuits (ASICs). DO-254 is written to cover all complex electronic hardware; however, FAA Advisory Circular 20-152 only requires the standard to be followed for complex electronic devices with design assurance levels A, B and C.


Hardware Development Life Cycle


Rather than specifying how the electronic hardware is to be designed, produced and manufactured, DO-254 offers a comprehensive list of activities that should be performed and artifacts that must be produced during the hardware development process. The document is not intended to explain how a design should be implemented or what makes one design approach better than another. The standard focuses on the definition of the hardware development life cycle: its phases, activities and artifacts. From a high-level perspective, three major groups of processes are identified: 1) Planning Process, 2) Hardware Design Processes, and 3) Supporting Processes. With the exception of the planning process, groups 2 and 3 are further divided into more specific processes, which are described below in detail, including objectives, activities and life cycle data. Figure 1 shows an overview of the hardware development life cycle processes and their interactions.
Figure 1 - Hardware development life cycle under DO-254 (figure not reproduced; it depicts the System Process, the Hardware Design Processes of Requirements Capture, Conceptual Design, Detailed Design, Implementation and Production Transition, the Manufacturing Process, and the Planning Process and Supporting Processes of Verification and Validation, Configuration Management, Process Assurance and Certification Liaison)

1. Planning Process
The overall development of electronic hardware according to DO-254 starts with the Planning Process. No design data, requirements, schematics or HDL (Hardware Description Language) code is produced in this process; however, it is one of the most important processes because it defines how the hardware design processes and the supporting processes are to be executed. This definition takes the form of planning documents, which, according to the standard, can be contained in one or more documents. In addition to the planning documents, DO-254 also recommends the use of quality standards to aid in the development of electronic hardware. Both the planning documents and the quality standards constitute the output of the planning process.

2. Hardware Design Process


Once the foundations for the development activities have been established in the planning documents, the Hardware Design Process can be started. The Hardware Design Process is subdivided into five major subprocesses, outlined below:

Requirements Capture: Identifies the hardware item requirements. The requirements may include architectural, performance, functional and environmental requirements, as well as requirements imposed by the system safety assessment. The output of this process is the Hardware Requirements Data.

Conceptual Design: Produces a high-level design such as a block diagram, architecture description or circuit card assembly outline. The output of this process is the Conceptual Design Data.

Detailed Design: Uses the hardware requirements and the conceptual design to produce a more detailed design. The output of this process is the Detailed Design Data.

Implementation: The detailed design is used to produce the actual hardware item. The output of this process is the hardware item itself.

Production Transition: All the resources, including manufacturing data and test facilities, are evaluated to ensure availability and correctness for production of the hardware item.

As part of the hardware design process, the standard mentions the creation of an Acceptance Test, which demonstrates that the manufactured, modified or repaired part performs as intended. However, no additional guidelines are provided because it is considered out of the document scope.

3. Supporting Processes
Supporting Processes is a group of processes executed in parallel with the planning and hardware design processes to ensure the correctness and completeness of the outputs generated. It is recommended that the activities in the Supporting Processes group be carried out by personnel independent from those participating in the hardware design processes. The supporting processes are listed and briefly described below.

Validation and Verification: The validation process ensures that the hardware requirements are correct and complete. The verification process provides assurance that the hardware item implementation meets all the hardware requirements. Both are accomplished through tests, analyses and reviews of the hardware life cycle data.

Configuration Management: Provides the ability to control the hardware life cycle data, so that the hardware item or any documentation can be consistently regenerated if a modification is required.

Process Assurance: Ensures that the objectives of the life cycle processes are accomplished according to the foundations established in the planning documents, or that deviations have been justified and documented.

Certification Liaison: Constitutes the communication channel between the applicant and the certification authority.


Why DO-254?
There are several reasons for choosing DO-254 as your standard for electronic hardware development. The first and most important reason is that DO-254 provides design assurance that will significantly help to ensure that the electronic hardware performs its intended function with no anomalous behavior under the foreseeable operating conditions. Secondly, the FAA recommends that the standard be used to pursue certification of the equipment. Even though the standard is not stated to be mandatory, getting another process approved by the FAA could be cost prohibitive and may greatly impact the schedule as well. If you are new to DO-254, Avionyx provides a 3-day Introduction to DO-254 class that is offered at RTCA in Washington, DC, or at your site for groups of 10 or more. For more info, contact us at sales@avionyx.com.

Avionyx, S.A. www.avionyx.com (321) 821-2365 info@avionyx.com
