DO-178 and DO-254 for Military Compliance
Military DO-178C and DO-254 compliance differs from civil DO-178C: the safety assessments, criticality levels, and emphasis on mission performance and mission success are all unique to the military context. While DO-178C is intended for civil aircraft, it is now the de facto standard for military avionics worldwide. Learn how to achieve military DO-178C compliance in a cost-effective manner.
“Defense organizations throughout the world are adopting DO-178 (Software) and DO-254 (Hardware). Why, and what are the implications? Details herein.”
For decades, military organizations have developed hardware and software using a variety of specialized, defense-oriented standards including 2167A, 498, and 882. As military organizations, they were highly motivated to use hardware and software standards which differed from the commercial sector, since it was perceived that military applications were “different.” Militaries’ utmost concern was primarily “Mission”. Today, however, there is an accelerating momentum toward Military/Commercial avionics convergence: adopting DO-178 and DO-254 worldwide. Today, fighter jets (Joint Strike Fighter, T-50, etc.), cargo planes (C-130, C-17, A400M, etc.) and UAV/UAS’s (formally called RPAS: Remotely Piloted Aircraft Systems) require compliance with DO-178 and, increasingly, with DO-254.
What are DO-178 & DO-254? DO-178 is the third iteration of the FAA’s avionics software standard, required for all commercial airborne software. It contributes to safety of flight by ensuring, with a sufficient level of confidence, that the software performs the intended functions assigned to it by the system requirements. For twenty years, commercial avionics software has required certification via DO-178, then DO-178A, and now, for over a decade, DO-178. But several years ago, certification authorities realized that avionics safety was dictated by both software and hardware; hardware was just as important as software, yet it only required adherence to DO-160, the environmental testing standard. So SC-180, the precursor to DO-254, was initiated, thereby levying consistent certification requirements upon hardware. The basis for DO-254 was DO-178 itself, ensuring similarity between certification of software and hardware in terms of the processes and objectives to be satisfied.
DO-178 (software) and DO-254 (hardware) presume that software and hardware must operate in harmonic unison, each with proven reliability. Previously, hardware was considered “visible” and tested at the system level with integrated software; hence hardware was exempt from DO-178 quality attributes. But that exemption resulted in functionality being moved from software to hardware for the purpose of avoiding certification. Additionally, hardware complexity has evolved such that hardware is often as complex as software, or more so, due to the embedded logic within PLDs, ASICs and FPGAs. Now, everyone recognizes that hardware and software comprise an inextricable chain whose quality equals that of the weakest link, hence the mandate to also apply DO-254 to avionics hardware.
Military versus Civil Aircraft: DO-178/DO-254 Military Compliance versus FAA/EASA Certification
Previously, military organizations throughout the world utilized their own standards, such as 498 or 2167A, for hardware and software development. Their rationale for doing so was:
- Military projects were more complex than commercial DO-178 projects.
- Mission performance success is always a highly desirable goal and surpasses “safety” in some instances
- Military projects needed higher reliability in harsh environments than civilian projects.
- Military projects had numerous varied suppliers to manage.
- Military projects required specialized military/sensitive functionality and complex integration cycles.
- Military projects had long airframe lifetimes to account for.
The following details come from AFuzion’s 2-Day “DO-178C & DO-254 Training for Military Compliance”
Granted, prior to required DO-178 FAA certification in the 70’s and 80’s, the above rationale for separate military compliance was valid. However, by the 1990’s that rationale had gradually eroded. Today, consider the commonality between Military and Commercial avionics software/hardware:
- Both utilize high complexity and complex integrations.
- Both utilize hundreds of suppliers (many supplying nearly equivalent avionics to both Military and Commercial clients) with long project lifetimes.
- Both require access to leading-edge commercial technologies.
- Both are increasingly concerned with re-usability, quality, and increased cost-effectiveness.
- Both require a high level of operability, reliability, maintainability, and safety.
- Military aircraft are now utilized more and more in commercial airspace (they do not want to be restricted in flight paths or hours).
USA Military DO-178 Compliance Examples:
The following graphic (from AFuzion’s Military DO-178C & DO-254 Training, Page 114 of 279) depicts AFuzion’s recommended DO-178 Military Compliance and DO-254 Military Compliance process flow:
DO-178/DO-254/ARP4754A Benefits on Military Projects.
DO-178 is not free, as cited above. However, DO-178 can be cost-effective, when understood and implemented properly, even on military projects. Why then are so many military organizations adopting DO-178/DO-254? Because there truly are actual benefits. The following describes the benefits most commonly obtained from DO-178/DO-254/ARP4754A on Military projects, based upon this author’s experience on over 150 aerospace projects:
- Greater Supplier Visibility. With DO-178 (and DO-254), the expanded artifact/review processes provide greater supplier visibility; something often missing from traditional “black-box” military compliance.
- Greater upfront requirements clarity. ARP4754A mandates safety and systems requirements covering all system-level functionality, safety, performance, derived, and interfaces with Hardware/Software. DO-178 mandates thorough and detailed software requirements, both high-level and low-level. Such detail, and the necessary discipline, force answers to be provided up-front instead of being deferred. Assumptions are drastically minimized. Consistency of requirements and their testability is assured. Iterations and rework due to faulty and missing requirements are greatly reduced.
- Fewer implementation iterations. Implementation and code iterations, or churn, are the bane of software/hardware engineering. In many cases, 10, 20, and even 30 versions of evolving code files exist on new products. Code and logic should be largely correct the first time they are written and should not require dozens of updates to get right; this is a principal tenet of DO-178 and DO-254 for FAA certification and now for military compliance: code should be reviewed by analyzing the implementation against documented requirements and standards criteria.
- Decreased single-point project failures. Software is an art; artists resist documenting their work and subjecting it to common development standards and peer reviews. Without DO-178 or DO-254 compliant standards, discipline, and modern software engineering principles, software teams devolve into a group of loosely structured rogue artists. These artists are highly valuable, creative, and talented persons, but the loss, or deficiency, of any such artist for any reason is catastrophic to the team unless their work is documented, understood, and consistently applied, as it is for the other artists. DO-178C and DO-254 greatly reduce the possibility of such single-point project failures.
- Improved management awareness of true schedule status. How many software projects report a “99% Complete” status week after week? How is software progress measured? How can management truly ascertain completion status of software? The answer to all these questions is via modern and accurately detailed management techniques built around DO-178. The provision for insight, traceability, and accurate status on design, development, testing, integration, and reviews is found in DO-178.
- Greater consistency within software. Software is like a chain: only as strong as its weakest link. Software that is 99% correct is 1% incorrect, which means it is unsafe. The weakest software module, or software engineer, is on the critical path of software safety. All software must be consistent per its level of criticality and DO-178 enforces such.
- Fewer defects found during integration. Integration can be a lengthy iterative process where major defects requiring design changes are revealed and fixed. Not with DO-178, where integration is typically 50-75% faster than non-DO-178 environments.
- Improved reusability. Via the thorough and consistent documentation required by DO-178C, modularization, enforcement of documented modern engineering principles, and reviews to ensure all the above was achieved, re-usability is greatly improved. In software, re-usability is the holy grail. But the reality is that unless a software component is at least 80% re-usable (i.e., unchanged), it is quicker and less risky to simply start from scratch. And most software is less than 50% “reusable”. With DO-178C, enforcement of design/coding standards, coupled with independent reviews and traceability, most modules should be at least 90% reusable.
Traditional military projects under 498 and 2167A had less emphasis on cost, but as military avionics became more complex, costs increased exponentially. DO-178 and DO-254 do increase costs by 25-40% on a first project, but may recover that cost with faster integration and test; future projects should see cost reduction benefits from DO-178 and DO-254. Unfortunately, typical first-time projects often incur a 100% – 200% cost increase from DO-178 and DO-254 because of inefficient first-time implementation. The following graphic shows a proper cost increase on a first-time project due to DO-178 and DO-254: