DO-254A is Coming: What is After DO-254?

Posted by Hassan Javed
Apr 3, 2025

DO-254 is the 254th aviation development guidance “Document”, thus the name “DO-254”. It was modeled after its older sibling “DO-178C”, which, you guessed it, was the 178th such document. Now nearing 25 years old, DO-254 is clearly in need of an update, which is now on the horizon as the forthcoming “DO-254A”. But what is DO-254? And what will DO-254A contain?

DO-254 (named ED-80 in Europe for “European Document”) follows DO-178C in prescribing ten categories of activities for certification of avionics electrical hardware. The first five categories of DO-254 | DO-178C activities prevent defects via:

1) Planning: five key plans must be developed for each type of avionics system including Certification Plan, Quality/Process Assurance Plan, Configuration Management Plan, Development Plan, and Verification (Validation) Plan. Additional project-specific standards must be developed which cover requirements, design, implementation, and for hardware, Validation and Verification (V&V).  Most companies procure independent DO-254 Templates/Checklists to avoid the many person-years required to otherwise compose those.

2) Requirements:  for avionics hardware, detailed requirements must be decomposed from system requirements with further functionality derived (these are thus called ‘derived requirements’) to close any gaps in functionality/safety.  

3) Review of Plans and Requirements – these are evidence-based reviews implying the use of checklists with input/output criteria (“transitions” in aviation parlance). For more critical systems of Development Assurance Level (DAL) A and B, such reviews need to be performed independently by a different person following a different process – this comprises Validation of hardware requirements.

4) Conceptual and Detailed Design: First, an initial higher-level design is formulated which meets all of the applicable hardware requirements; then that conceptual design is decomposed and refined into a detailed design.

5) Implementation: the actual lowest-level human decisions are transposed to hardware (Line Replaceable Unit (LRU), system, chassis, power supply, circuit cards, silicon devices, HDL/RTL, Place & Route, Synthesis, etc.).

In theory, the above five activities should “prevent” defects. But since each of these activities involves humans, and humans make mistakes, DO-254 requires the following five categories of activities, which should further prevent or find/fix defects:

6) Tests of hardware to meet requirements including functional tests, robustness tests, and for DAL A/B, coverage of the lowest level (final) human decisions made during hardware implementation. Traceability of requirements to implementation and tests is also formally managed here.

7) Reviews of hardware tests and traceability.

8) Configuration Management of hardware artifacts used for engineering which enable recreation of all hardware aspects during the operational life of that hardware.

9) Process Assurance, which ensures quality audits with full records thereof, including process improvements, over the full engineering lifecycle.

10) Hardware certification which is the formal approval by a higher airworthiness certification authority to ensure all the above is complied with per DO-254.

 

Now, what will the new DO-254 cover?  The list below summarizes the major changes from DO-254 to DO-254A:

Being old, DO-254 and AC 20-152 do not address key hardware engineering risk areas of modern avionics. Therefore AC 20-152A imposes greater rigor and increased clarity to ensure modern avionics hardware is safe and reliable in the following fourteen key avionics hardware engineering areas:

· Commercial Off-The-Shelf (COTS) hardware treatment including assessing COTS complexity

· COTS IP rules and restrictions, particularly for DAL A and B.  

· Increased validation of hardware requirements including safety feedback and derived requirements

· Increased rigor for verification of hardware for worst-case performance and timing/resource scenarios

· Added Hardware Design Language (HDL) “code” (logic) coverage requirements and similarity to DO-178C

· Enhanced hardware tool qualification aspects per DO-330.

· Increased scrutiny of allegedly “simple” devices (where “simple” implies all foreseeable operating conditions and combinations are fully defined and assessed).

 

 
