Electric Vertical Take-Off & Landing (eVTOL) has rapidly emerged as “THE” aviation technology to watch. But building the aircraft is only “half the battle” with CERTIFICATION comprising the other half …
Think about autonomous automobiles: Tesla and many other innovative companies successfully demonstrated self-driving cars years ago. But can you buy one or use one for actual real-world daily driving? The optimist says “Almost; any day now”, but the realist simply knows that day is still years away. But why delay, when the technology is here today?!? Simple: “CERTIFICATION”.
With over 240 eVTOL aircraft programs underway today, billions of dollars are demonstrating successful technology to bring eVTOL to the public now. As it today. This author and his company have assisted with over ten of those programs and the technology WORKS. Truly. However, like autonomous automobiles, even manned eVTOL aircraft exhibit certain characteristics which complicate civil certification, and eVTOL certification must comply with ARP4761/A, ARP4754A, DO-178C, DO-254, and other guidelines.
Commercial aviation is widely stratified with different certification rules and degrees of rigor based upon:
- Experimental versus true-civil
- Aircraft type
- Aircraft size/weight
- Engine type
- Number of engines
- Operational characteristics
Since the business case for eVTOL is based upon Urban Air Mobility (UAM) and revenue paying passengers, eVTOL aircraft must comply with aviation “Standards” including ARP4761/A for Safety, ARP4754A for Aircraft and Systems, DO-178C for Avionics Software and DO-254 for Avionics Hardware. But there is more … MUCH more …
The following figure shows the basic eVTOL certification ecosystem
eVTOL certification is complicated by unique factors which specifically apply to eVTOL and UAM:
- eVTOL aircraft are intended to operate from within dense urban areas;
- eVTOL aircraft must take-off and land in potentially congested and uncontrolled airspace;
- eVTOL aircraft have limited hazard recovery options during takeoff and landing (since low altitude);
- eVTOL aircraft rely upon new battery systems which must exhibit both redundancy and temperature containment;
- Because of the above, eVTOL aircraft must have higher levels of automated redundancy than similar sized general aviation fixed-wing aircraft.
The following images shows three eVTOL prototypes currently under development:
eVTOL certification has promulgated new FAA and EASA eVTOL regulations. These are summarized below:
Now, “efficient” followers of DO-178B for EVTOL/UAV’s will find even greater cost impact in adhering to DO-178C for the newer generation EVTOL/UAV’s. Their “efficiency” may have been due to taking liberties with DO-178B’s intended, but less enforced, low-level requirement detail. Such shortcuts enabled less detailed functional testing with many fewer logic branches verified. While acceptable for DO-178B Level C, it’s unacceptable for DO-178C Level C which mandates greater detailed of low level requirements. Because of that greater detail, DO-178C inadvertently reduced the difference between Level C and Level B because the decision-condition structural coverage objective of Level B is largely covered already in Level C due to those more detailed low-level requirements. Also, developers making extensive use of Parameter Data Items (objects or logic external to the main application program) are now required to fully document, review, trace, and test all that data under DO-178C; something they “should” have been doing under the intent of DO-178B. Voilà.
Level A is the most critical software level and hence the most expensive. True. Still another myth exists for Level A, namely, “Level A is extremely difficult to achieve, and the software will cost at least 30-50% more than Level B.” False. Level A imposes yet more structural coverage requirements (MCDC testing), source to binary correlation, and more independence within reviews. The most significant cost driver over Level B is the MCDC testing requirement. However, with proper application of modern structural coverage tools, personnel training, and thorough requirements based testing, the added cost for Level A can be largely contained, thus Level A software is only slightly more expensive than Level B. For this reason, most COTS EVTOL/UAVs pursuing Level B certifiability instead opt for Level A. However, as previously mentioned the system/hardware costs will be higher for Level A than B due to added redundancy required to meet Level A’s 100x higher required reliability over Level B.
Where does the money go?
The following chart shows a typical breakdown of expenditures for a Level C project; Level A of course would have a greater percentage allocated to Verification.
Benefits of DO-178C.
DO-178C is certainly neither free nor cheap, as cited above. However, DO-178C can be cost-effective for EVTOL/UAV’s, when implemented properly. This is a key reason military and government procurement/certification entities are increasingly mandating DO-178C for EVTOL/UAV’s. Particularly when evaluated over a EVTOL/UAV lifetime or subsequent EVTOL/UAV versions when DO-178C efficiency and benefits are most notable. Why then are so many entities adopting DO-178? Because of the actual DO-178 benefits.
The following describes the most commonly obtained benefits from DO-178C based upon this author’s 25 years’ experience consulting on over 250 avionics projects.
- Greater upfront requirements clarity: DO-178C mandates thorough and detailed software requirements; many prior legacy EVTOL/UAV systems clearly lacked such. Such detail, and the necessary discipline, force answers to be provided up-front instead of being deferred. Assumptions are drastically minimized. Consistency of requirements and their testability is greatly enhanced. Iterations and rework due to faulty and missing requirements are greatly reduced. Yes, other standard and guidelines such as CMMI mandate such upfront requirements; however, DO-178C is unique in its enforcement of requirement detail.
- Fewer coding iterations: Code iterations, or churn, are the bane of software engineering, especially in EVTOL/UAV development with “dynamic” customer requirements. In many cases, ten, twenty, and even thirty versions of evolving code files exist on new EVTOL/UAV avionics. With strong engineering processes and discipline, code should be largely correct the first time it is written and should not require dozens of updates to get it right, particularly when using well-advised software modeling. Models and code should be reviewed by analyzing implementation versus documented requirements.
- Fewer bugs found during module testing: Since DO-178C mandates thorough and testable requirements, in addition to code reviews for Level C and above, far fewer bugs will be found during module testing. Independent code reviews required for Level B and A also further that aim. And DO-178C code reviews require the following completed and configured items prior to writing models or code:
- Standards & checklists
- High and low-level requirements
- Traceability for the above
- Greater consistency within software: Software is like a chain: it can only be as strong as its weakest link. Software which is 99% correct is 1% incorrect, which means it is unsafe. Software is never provably perfect and DO-178C makes no claims that perfect adherence to its objectives yields perfect software. The weakest software module, or software engineer, is on the critical path of software safety. All software must be consistent per its level of criticality and DO-178 enforces such.
Fewer defects found during EVTOL/UV integration: Integration can be a lengthy.
For the remaining 13 pages of this AFuzion ARP4754A Technical Whitepaper, please download below.
Information Request Form
Please provide the following information to receive your full WhitePaper