DO-254 Intro, Compliance: Free Tools/ Papers / Resources

DO-254 Introduction

Avionics hardware DO-254 and A(M)C 20-152A / AC 20-152A clearly explained

DO-254 facts, myths, challenges, and successes are described in this paper. DO-254 can be expensive, sometimes increasing hardware development/documentation costs by 150%. Our DO-254 paper provides facts to hopefully reduce DO-254 costs by 20-50%.

The new A(M)C 20-152A is the latest of four DO-254 interpretations which increases the avionics hardware certification rigor and clarity while bringing DO-254 closer to software’s corollary Guideline.

DO-254 has been called “DO-178’s Little Sibling.” Like many little brothers and sisters worldwide however, the term “little” is often wrong. The following provides an overview of DO-254 plus relevant differences with DO-178C. DO-254, or more properly, “Design Assurance Guidance for Airborne Electronic Hardware,” was created as an obvious response to two simultaneous and related events:

  1. Firmware was playing a larger role in avionics, with developers rapidly leveraging increased silicon-based complexity, and
  2. The avionics firmware development process was relatively unregulated, with certification performed after-the-fact at a high level

While embedded avionics software engineering made huge strides and inroads in the eighties and nineties, firmware development was considered an informal, adjunct art form. But what is “firmware”? When does “soft” become “firm” become “hard”? Time for a review.

Twenty years ago, firmware was relegated to specialized functions within avionics as compared to its highly varied role today. There were multiple reasons early firmware was more limited in aviation:

  1. Firmware development tools provided limited flexibility compared to software
  2. Firmware was difficult to change once burned or loaded in silicon devices
  3. Firmware was considered a less-desirable option than software due to a seemingly more difficult debugging and update process

However, great strides in Field-Programmable Gate Arrays (FPGA’s) brought such firmware to the forefront of aviation. With FPGA’s, all of the aforementioned restrictions on firmware adoption were dramatically reduced. FPGA’s increasingly had very modern development tools, were easy to update, and allowed for potential flexibility and execution speed advantages over software-based logic.

A cover page of the book "DO-254 Compliance Hardware Introduction for Engineers and Managers" by Vance Hilderman and Tony Baghai, with technical review by M.S. Gencel Ero | Afuzion

As a result of this evolution (or almost “revolution”) in silicon-based logic, avionics developers increasingly exercised the choice of implementing logic via silicon instead of software. However, DO-178 did not strictly apply to silicon-based logic, and there was no regulatory counterpart. Thus arose the need for a similar development and certification standard that could act as a counterpart to DO-178.

DO-254 covers Complex Electronic Hardware (CEH), e.g. hardware with embedded logic. DO-254 is:

  • A flexible framework for the development of airborne hardware containing avionics-specific logic.
  • Able to accommodate almost all types of hardware ranging from sensors, multiplexers, and switches to full-featured FPGA’s and ASIC’s.
  • A guideline which tries to cover a nearly infinite spectrum of applications and thus lacks specificity for particular projects.

DO-254 White Paper Excerpt Continued

Understanding Design Assurance Levels in DO-254

The Design Assurance Level (DAL) greatly affects the process rigor applied to hardware certification via DO-254. The following graphic summarizes key differences between the DALs for DO-254.

Key DAL Aspect Differences for DO-254: from AFuzion DO-254 Training

A table outlining various system design requirements across different levels of independence levels (level a to level d) for DO-254 compliance. | Afuzion

Again, in DO-254 especially, the DAL of the hardware is usually, but not always, the same as the system DAL.  Why? The system contains hardware which is necessary to perform its functionality, and that hardware is expected to directly correlate to the system’s contribution toward flight safety.

Process Assurance is like Quality Assurance but with a larger scope including auditing of hardware suppliers and manufacturing transition processes. Process Assurance has five primary activities as depicted in the following diagram:

Process Assurance in DO-254 differs from software’s DO-178C quality assurance because hardware’s Process Assurance must involve auditing hardware suppliers and ensuring subsequent system manufacturing processes are documented, repeatable, and conform to plans.  Since DO-254’s hardware’s Process Assurance has these two additional roles versus software’s Quality Assurance, it has the different name “Process Assurance.”

A pyramid diagram illustrating the "DO-254 process compliance: five key roles per afuzion," with each level detailing a specific role ranging from keeping records of audits/metrics at the top to ensuring | Afuzion

Download our free technical DO-254 Intro White Paper for a complete overview

AFuzion provides more than 25 technical white papers on avionics safety and compliance. Download your free DO-254 white paper, or you can select up to two of our safety-critical avionics white papers for free and receive a detailed overview of concepts like DO-278A best practices, DO-178C top mistakes, military compliance for DO-178 and DO-254, and more.

DO-254's Planning Process

Wise people know “What gets planned, gets done.”  In the same way, wiser avionics authorities know “What gets planned thoroughly can be assessed more thoroughly.” Accordingly, DO-254 requires a detailed planning process consisting of five Plans and four Standards:

An informational graphic outlining five key hardware-related plans for DO-254 compliance, including phac, hpap, hcmp, hdp, and hv&vp, with their full meanings listed below. | Afuzion

The DO-254 Plan for Hardware Aspects of Certification (PHAC) is the foundational planning document of an avionics hardware system. 

The DO-254 PHAC provides an overview of the avionics system’s hardware, safety criteria with respect to DAL, and planned certification activities as noted in the following figure from AFuzion’s DO-254 training classes:

Flowchart outlining steps for system description, hardware overview, compliance to DO-254, addressing project plans and standards, considering free tools for special tool qualifications, and including top-level schedule information. | Afuzion

A good way to understand the application of DO-254’s four standards is to consider that DO-254 itself covers the more objective (measurable) aspects of the hardware development lifecycle, whereas certain aspects are more subjective yet equally important. Those subjective areas are hardware requirements, hardware design, hardware archival, and hardware verification and validation (V&V). Since each avionics project must have its own processes and assessment criteria for these subjective areas, such are specified within the four project-specific standards thus making these “subjective” aspects “objective” for each project.

While most of the aviation guidelines are self-contained, DO-254 is unique:  because it was originally intended to address all non-software aspects of a system, and there was very little complex hardware logic, numerous adjunct documents were continually added to address the evolving hardware landscape.  This historical DO-254 evolution is summarized in the following graphic excerpted from AFuzion’s DO-254 training:

Table summarizing the evolution of various documents by year, with a focus on their basis and themes related to processes, testing, integration, hardware application, and compliance in a technical or engineering context. | Afuzion

Compliance Templates for DO-254, DO-178C, and More

AFuzion offers plans, checklists, and requirements management for DO-178C, DO-254, ARP4754A, and DO-278A CNS/ATM compliance. Our templates are preferred by 17,000 engineers from 200+ aviation companies and certification agencies.

Understanding the DO-254 Ecosystem

To summarize the DO-254 ecosystem:

  • DO-254 is a flexible framework for the development of airborne hardware containing avionics-specific functionality.
  • DO-254 is able to accommodate almost all types of hardware ranging from sensors, multiplexers, switches, and aggregated simple silicon devices, in addition to full-featured FPGA’s and ASIC’s.
  • DO-254 is a guideline which tries to cover a nearly infinite spectrum of hardware varieties and thus lacks specificity for particular projects.

Like software, the term “airborne electronic hardware” from DO-254’s title is wide-ranging.  At the beginning and end of the day, hardware is part of a system or more specifically an aviation eco-system.  Therefore, for civil aviation DO-254 is preceded by a safety assessment per ARP4761/A and an avionics system development process per ARP4754A; military aviation is gradually adopting a similar (in some cases identical) safety/systems process for DO-254 military adoption.  And DO-254 applicable hardware itself will typically be required to undergo environmental testing via DO-160.

Therefore, DO-254 is merely one link within the avionics certification ecosystem.  Avionics hardware cannot be provably safe nor compliant without this ARP4761/A and ARP4754A safety/systems foundation which precedes DO-254.

The DO-254 process employs detailed project-specific planning followed by continual assessments and process feedback loops to ensure defined hardware development processes specified in those Plans and Standards are followed.  For an overly simplistic view of the DO-254 lifecycle process (without depicting requisite feedback loops, changes, reviews, etc.), this author’s opinion is that the following comprises an optimal DO-254 engineering development lifecycle:

Figure: Optimal DO-254 Hardware Engineering Path per AFuzion

Discover why AFuzion's DO-254 training is the world’s most popular, X10: 42,000 avionics engineers trained in DO-254/XXX: more than all competitors combined.

Only AFuzion’s DO-254 training provides the latest A(M)C 20-152A, IP Core, MCP, Complex COTS, FPGA & VHDL hands-on real-world workshops with real-world hardware examples. In-class walkthrough of sample DO-254 PHACs, Hardware DO-254 Requirements, DO-254 Checklists, Process Assurance, plus 10 proprietary technical whitepapers. Only from AFuzion.

Documenting DO-254 Compliance

The regulatory agencies require that most airborne commercial systems operating within commercial airspace comply with DO-178C and DO-254 (details can be found on the regulatory website). The planning and processes for the systems lifecycle are required for any DO-178C and DO-254 project, and those processes must be defined before initiating that phase and followed during that phase.

Once acquired from AFuzion and customized on the first project, you will be able to create, customize, and reuse your DO-254 project documents as appropriate on future DO-254 projects. Note that the DO-254 Planning documents (five documents) can be purchased in either Template form or “Initial Draft” form.

The Template form option provides the basic templates which you then modify to create an initial draft. The Initial Draft option provides for AFuzion to first create initial drafts of all five planning documents using the same template, but adding the customer’s basic product information to create an initial draft; the customer then must finalize this initial draft to create the first versions of these five planning documents.

AFuzion’s DO-254 Plans and Checklist Templates cover all phases of the system’s Hardware project lifecycle, and are developed with DO-254 in mind.  The users of these templates would need to have some basic understanding of DO-254, such as attendance at AFuzion DO-254 training or reading the Avionics Certification book principally written by AFuzion’s founder, Vance Hilderman.

These templates and checklists also help in getting organizations to the goal of higher SEI CMM/CMMI ratings (preferably Level 3 – 4+). Usage of AFuzion process templates and checklists is intended to maximize the probability of project success and quality.

Further, AFuzion can customize and tailor these processes by the appropriate amount as an outflow of the gap analysis process, upon request as part of the optional first draft delivery. If there are items in the checklists that are not applicable to your program, they could simply be answered with “N/A.” It is also recommended that the checklists be placed under your project’s configuration management (CM) system to ensure checklist integrity.

Independent reviews are always preferable to reviews done by the developer. It should be noted that the checklists should be widely distributed to all personnel developing any avionics lifecycle item, before that person begins work on the item. Thus, the checklist serves as a “report card” whereby the originator’s success is measured. When the originator understands what the independent verification reviewer will be evaluating the related hardware artifact for, the originator will more productively attain checklist compliance during development of that artifact. This applies to requirements, design, implementation, test, etc. The level of “independence for verification” required by DO-178C and DO-254 varies according to Design Assurance Level (Level A through E).

Documenting DO-254 Compliance
• Plan for Hardware Aspects of Certification Template
• Hardware Process Assurance Plan Template
• Hardware Configuration Management Plan Template
• Hardware Development Plan Template
• Hardware Verification & Validation Plan Template
• Hardware Requirements Standards Template
• Hardware Design Standards Template
• Hardware VHDL Coding Standards Template
• Hardware Verification & Validation Standards Template
• Hardware Archive Standards Template
• Hardware Configuration Index Environment Configuration Index
• Hardware Electronic Component Management Plan Template
• Hardware Accomplishment Summary Template
AFuzion's DO-254 Checklist Templates
• Plan for Hardware Aspects of Certification Checklist
• Hardware Process Assurance Plan Checklist
• Hardware Configuration Management Plan Checklist
• Hardware Development Plan Checklist
• Hardware Verification & Validation Plan Checklist
• Hardware Development Standards Checklist
• Computer Installation & Assembly Checklist
• Hardware Configuration Index Checklist
• Hardware Requirements Document Checklist
• Hardware Design Document Checklist
• Hardware Interface Control Data Checklist
• Hardware Implementation Checklist
• Hardware Test Cases & Procedures Checklist
• Hardware Test Results Checklist
• Hardware Verification Analysis Checklist
• Hardware Traceability Checklist
• Hardware Accomplishment Summary Checklist

DO-254 Training for Engineers

AFuzion provides public, private, and video training to engineers in over 30 countries. See our upcoming training schedule and discover why we're #1 for avionics compliance training in the world.

DO-254 Whitepaper Excerpt Continued

Like software, the term “airborne electronic hardware” from DO-254’s title is wide-ranging. At the beginning and end of the day, hardware is part of a system or more specifically an aviation eco-system. Therefore, DO-254 is normally preceded by a safety assessment per ARP4761 and an avionics system development process per ARP4754A. And the hardware itself will typically be required to undergo environmental testing via DO-160. Therefore, DO-254 is merely one link within the avionics certification chain. Avionics will be neither safe nor compliant without this safe foundation which precedes DO-254.

DO-254 Objectives

DO-254 has specific objectives based upon that hardware’s DAL. There are five DALs associated with airborne avionics systems, noted as level A through E, with level A being the most stringent. For software, under DO-178C, the differences between levels are greater than they are under DO-254 and each software DAL has distinctly discrete Objectives ranging from 26 objectives for DAL D to 71 objectives for DAL A.

Overly simplified, DO-254 levels A and B are nearly identical with strict criteria applied to the engineering processes associated with each line of hardware logic; levels C and D are less rigorous and focus upon hardware black-box requirements/testing and lack consideration of hardware logic development and test. Level E requires no additional hardware design certification under DO-254.

The rigor applied to planning, development, and correctness of the hardware is directly associated with its DAL, often referred to as “criticality level.” These five levels with increasing rigor from Level E to the most stringent Level A, are depicted below:

Figure of DO-254 Engineering per Development Assurance Level

Scope of DO-254

DO-254 applies to almost all avionics hardware; however, more recent interpretations and applications of DO-254 focus upon Complex electronic hardware, as noted previously. Why? Because Simple hardware is definable via black-box requirements, and those requirements (and thus all the Simple functionality) can be tested at a black-box system level, for example as already required under ARP4754A.

For Simple hardware, the significant additional cost of detailed planning, detailed design, and low-level verification activities prescribed by DO-254 provides little added value; hence these activities are normally not required unless a specific certification authority deems them necessary in a particular instance, for example because ARP4754A was not otherwise applied. Therefore, the most common application of DO-254 is depicted in the figure below, which also elucidates the scope of DO-178C:

figure of avionics LRU

Common DO-254 Mistakes (excerpt from AFuzion’s “DO-254 Top Mistakes” paper)

DO-254A is not expected until at least 2025. However, DO-254 has been modified by AC 20-152, CAST-27, EASA SWCEH CM-001, and AMC 20-152. 

Most DO-254 practitioners find their first DO-254 project incurs a 50-60% cost and schedule increase. However, the following DO-254 Mistakes are responsible for most DO-254 cost increases (download the entire free AFuzion DO-254 Paper to read further).

DO-254 is often called “DO-178C’s Little Brother” and unfortunately it bears too much resemblance to software. And you all know hardware development is virtually identical to software, surely?  Not at all, and therein lies the source of the most significant mistakes with DO-254:  thinking DO-178 processes fully and equally apply.

DO-254 is truly subjective, vague, and software-centric; yet avionics certification typically requires conformance combined with proven high quality and reliability. DO-254’s success is elusive and complaints abound from both sides of the certification aisle, from suppliers and certifying agencies. This implies for the applicant a very tight monitoring and depth control on the procurement process, in particular when procuring commercial-off-the-shelf avionics.

In truth, DO-254 is rarely cost-effective in its first usage. However, the competitive landscape of avionics, both commercial and military, is just that:  competitive and focused upon long-term cost effectiveness, long equipment lifetime, and continual safety. Therefore, the goal is to achieve DO-254 compliance while meeting (and hopefully surpassing) the competition.  Such success requires achieving certification via the most expedient and productive path possible, while avoiding any major mistakes.

Remember, bad luck is not the cause of mistakes, just as those same mistakes are not prevented through good luck.  Mistakes are the result of a lack of understanding, planning, and neglecting to apply DO-254’s true intent.  As a famous golfer (not quite as famous as Mr. Carson Mandic) once said after a particularly spectacular tournament win, “Me, Lucky? Hmmm … Luck is interesting: I’ve found that the more I practice, the luckier I become!”   With this white paper, it is hoped that your own “luck” increases with your successful DO-254 practice.

Mistake #12: Failure to Understand and Apply CAST-27

DO-254 seemingly requires mandatory application to circuit cards, Line Replaceable Units (LRU’s), and DAL D systems. However, DO-254 was informally “revised” by the cross-Atlantic North American / European coordination group known as the “Certification Authorities Software Team” (CAST). (Note: while seemingly a software-only group, there is not a similar hardware group, so CAST also delves into hardware.)

The CAST group authored an official memo named CAST-27 which clarifies numerous aspects of DO-254. If you are working with DO-254 (and why wouldn’t you be if you’re reading this now), then it is incumbent upon you to review and apply CAST-27; this important memo reduces the work of DO-254 certification in numerous areas and thus is mandatory to save time and reduce costs.

Safety Critical Engineering Services

Safety-Critical projects require provable requirements management and traceability. Our engineering experts work onsite or offsite to perform  safety assessments and develop project-specific certification plans (PSCPs) for DO-254 compliance in 30+ countries worldwide.

Mistake #11: Insufficient PHAC

The PHAC (Plan for Hardware Aspects of Certification) is the cornerstone document for every avionics certification.  Each system requires its own PHAC and there may be additional PHACs for various hardware components within the system.  The PHAC is one of the few DO-254 required hardware documents (there are over two dozen required for each project) that must be submitted to and approved by the certification authorities (FAA for civil aircraft, military authorities for defense-related aircraft).

The PHAC should clearly state all certification rationale, tools and tool qualification strategies, COTS hardware, high level system architecture, scope of DO-254 per that architecture, criticality level justification, responsibilities, and schedule aspects.  In addition, the producer should obtain approval prior to meaningful additional hardware development work or be willing to stomach substantial certification risk in the absence thereof. (For additional mistakes to avoid, download the full white paper.) 

Mistake #6: Excessive Logic Iterations

It is normal for a new project to evolve hardware logic via multiple iterations.  However, most projects greatly exceed any reasonable number of iterations because the hardware development is viewed as an iterative process instead of an engineering process.  Hardware creation does not necessarily imply hardware engineering; however it should.

Excessive logic iterations result from one or more of the following deficiencies:  insufficient requirement detail, insufficient hardware development standards, and insufficient checklists.  DO-254 standards and checklists are available from a variety of sources.  Perform a Google search on “DO-254” for more information.

A common gap in DO-254 for Complex Electronic Hardware (CEH) with embedded logic is weak logic reviews; a proper review must be shown to meet DO-254’s transition criteria, meaning the six required inputs to, for example, a logic review are all fully utilized for all logic reviews.  Engineers (the “Reviewer”) must use all these review inputs which must be specified in the HVVP and then Process Assurance audits affirm that this process is followed by the verification engineer. 

Remember, DO-254 traceability should be as shown in the following DO-254 Traceability Figure:

Aviation Aircraft/System/SW/HW Traceability Matrix

(For the remaining Top 5 Mistakes of DO-254 PDF, please download the remaining DO-254 PDF whitepaper).

AMC 20-152A is mandatory for DO-254 beginning 2021, which replaces AC 20-152, CAST-27 and EASA CM SWCEH-001.  The following figure summarizes key deltas for A(M)C 20-152A as excerpted from AFuzion’s DO-254 Training and detailed in the complete whitepaper.

Figure:  DO-254’s AMC 20-152A Synopsis:

Presentation slide summarizing the harmonization of ESA and FAA standards for electronic systems and circuit card assemblies in aerospace, highlighting key requirements, compliance strategies, and free tools for 2021-2022. | Afuzion

DO-254 also requires reviews, audits and proof thereof. The best “proof” is detailed and complete checklists covering the primary hardware lifecycle activities and artifacts.  Using AFuzion’s DO-178C and DO-254 provided checklists ensures that you have an appropriate framework for successfully developing and certifying your system. For more mistakes, download the full white paper.

AFuzion Gap Analysis

Our engineers identify gaps in your DO-254, DO-178C, DO-278A, DO-200B, DO-326A, and ARP4754A engineering processes and help you close those gaps. Reduce costs, streamline certification processes, and analyze your system, safety, software, hardware, and tools environment with input from AFuzion’s experts.

Final Considerations

DO-254 was recently modified yet again by AMC 20-152A (also known as A(M)C 20-152A); this interim DO-254 update postpones the update to DO-254A for several more years. AMC 20-152A is the joint FAA / EASA harmonization to replace AC 20-152A, CAST-27, and the EASA SWCEH Certification Memos. AMC 20-152 clarifies numerous aspects of DO-254 as shown in the following figure extracted from AFuzion’s DO-254 / AMC 20-152A Training, titled “Understanding AMC 20-152A”:

Figure: Understanding AMC 20-152A (new for DO-254 in 2021-2022)

For a copy of AMC 20-152A pdf, simply contact us with “AMC 20-152A PDF” in the subject line. For AMC 20-152A training, see AFuzion’s DO-254 Training where AMC 20-152A is more fully discussed in detail.

Via AMC 20-152A, there are new DO-254 related rules for SEH:  Simple Electronics Hardware classification.  (Download the full DO-254  Introduction paper for the full details). These new DO-254 SEH rules per AMC 20-152A are summarized in the following Figure:

AMC 20-152A:  Assessing whether a device should be classified as simple:

  • Simplicity of the functions and their number,
  • Number of interfaces,
  • Simplicity of data/signal processing or transfer functions,
  • Independence of functions/blocks/stages.

Additional criteria specific to digital designs include:

  • Whether the design is synchronous or asynchronous,
  • The number of independent clocks,
  • The number of state machines, number of states, and state transitions per state machine,
  • The independence between the state machines.

The advantages of Simple hardware per AMC 20-152A are numerous as summarized in the following slide extracted from AFuzion’s AMC 20-152A training:

PowerPoint slide outlining what is necessary for simple devices according to AMC 20-152A, including points on documentation, testing, configuration management, and DO-254 compliance. | Afuzion

Figure:  Synopsis of Simple Devices per AMC 20-152A and DO-254

Informational chart explaining the terminology: certified, certifiable, compliant, and qualified, within the context of special DO-254 guidelines for aviation software and hardware development standards. | Afuzion

Avionics hardware assessment to DO-254 has numerous potential flavors as depicted in the DO-254 Terminology figure above.

Figure:  DO-254 Terminology – DO-254 Certification, Certifiability, Compliance & Qualification
