DO-254 Design Assurance Process Guidelines

Introduction

This article explains the DO-254 standard, the concepts and reasoning behind it, and the basic steps and components necessary to successfully complete a project and achieve DO-254 approval.

According to several industry sources, a project meeting DO-254 can cost almost 4X more than the same project without DO-254. Usually the “4X” cost increase comes from a lack of DO-254 experience, compounded further when the team's existing methodologies and processes fall significantly short of a structured flow conforming to DO-254.

In addition, a lack of adequate project planning, or evidence that the overall process was not followed, can lead to audit failures, causing design and verification re-work.

However, there are ways to create a DO-254-approved project without breaking your schedule or budget. A well planned and executed DO-254 project will almost certainly take more time and money than a non-DO-254 project, but there are ways to reduce these costs to manageable levels.

The first step in the process is becoming better educated in the underlying concepts and components of DO-254.

What Is DO-254?

DO-254 is a requirements-driven process-oriented safety standard used on commercial electronics that go into aircraft. (Conceptually speaking, this standard applies to all electronics in anything that flies or could crash and pose a hazard to the public.)

Based on their safety criticality, different parts of the aircraft are designated different Design Assurance Levels, or DALs for short (Figure 1).

Figure 1: Design Assurance Levels (DALs)

Because DO-254 is a process-oriented standard, it’s important to understand the overall flow expected by a DO-254 certification official, shown in Figure 2.

Figure 2: DO-254 Certification Process flow

DO-254 process flow steps

  • Planning
  • Requirements Capture and Validation
  • Conceptual Design
  • Detailed Design
  • Implementation
  • Production Transition
  • Validation and Verification
  • Configuration Management
  • Process Assurance
  • Certification Liaison

Planning

Planning is a critical piece of the DO-254 certification. It’s important to document your project flow up-front and approach your certification official to gain their approval early in the project.

Typically, the high-level plans are documented in the Plan for Hardware Aspects of Certification (PHAC—commonly pronounced as “pea-hack”). This plan should include all aspects of your project and how you will meet the DO-254 requirements.

Requirements Capture and Validation

The DO-254 specification utilizes a requirements-based design and verification approach. This means that the entire hardware project revolves around a formal set of high-level requirements.

Each of these requirements must be written down, given a unique reference name, and reviewed for a variety of criteria including understandability, testability, verifiability, etc.

Conceptual Design

At the conceptual design stage, a larger design is broken down into smaller, more manageable components. This might be thought of as a high-level block diagram. For a sufficiently simple system, the conceptual design step may be skipped or merged with the Detailed Design step.

Detailed Design

For each component detailed in the conceptual design, the hardware design should implement each and every requirement for that component.

Each high-level requirement should be “traced” to the top-level module implementing that requirement. This traceability can happen in a variety of ways, and it is up to the implementation team to determine the desired approach.

Separately, the verification team should create verification tests that confirm the hardware design meets each requirement. Each test should write a message to the log file showing the expected result, the actual result observed in the simulation, and the verdict (pass/fail).

Each test must also be linked to the high-level requirement it verifies, including the pass/fail criteria (all must pass, obviously). Constrained random testing can also be used for more complex designs; however, special care must be taken to create additional verification coverage components tied to all the requirements.

Figure 3: Requirements-driven flow, including traceability
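The requirements-to-design-to-test cross-check described above, as an added example (not code from the article or any DO-254 tool): the requirement IDs, the module trace, and the simulation log format are constructed here, and the report lists the gaps a reviewer would look for, including a verdict that contradicts its own expected/actual pair.

```python
import re
from collections import defaultdict

# Assumed result-line format (constructed for this example, not from the article):
# [TEST <name>] REQ=<id> EXPECTED=<value> ACTUAL=<value> RESULT=PASS|FAIL
LOG_RE = re.compile(r"\[TEST (?P<test>\S+)\](?: REQ=(?P<req>\S+))?"
                    r" EXPECTED=(?P<exp>\S+) ACTUAL=(?P<act>\S+) RESULT=(?P<res>PASS|FAIL)$")

# Constructed sample data: three requirements, a module trace that omits HLR-003,
# and a log with a failing test, an unlinked test, and a contradictory verdict.
REQUIREMENTS = {
    "HLR-001": "UART shall frame each byte as 8N1",
    "HLR-002": "Watchdog shall reset the core 100 ms after the last kick",
    "HLR-003": "Status register shall flag link loss within two frames",
}
DESIGN_TRACE = {"uart_tx": ["HLR-001"], "wdt_ctrl": ["HLR-002"]}
SIM_LOG = """\
[TEST uart_frame_tb] REQ=HLR-001 EXPECTED=8N1 ACTUAL=8N1 RESULT=PASS
[TEST wdt_timeout_tb] REQ=HLR-002 EXPECTED=reset@100ms ACTUAL=reset@100ms RESULT=PASS
[TEST wdt_early_tb] REQ=HLR-002 EXPECTED=no_reset@99ms ACTUAL=reset@99ms RESULT=FAIL
[TEST wdt_bogus_tb] REQ=HLR-002 EXPECTED=reset@100ms ACTUAL=reset@150ms RESULT=PASS
[TEST legacy_tb] EXPECTED=1 ACTUAL=1 RESULT=PASS
# 12:03:11 simulation finished
"""

def build_trace_report(requirements, design_trace, log_text):
    """Return the traceability gaps a DO-254 reviewer looks for."""
    impl = defaultdict(set)            # requirement -> implementing modules
    for module, reqs in design_trace.items():
        for r in reqs:
            impl[r].add(module)
    results = defaultdict(list)        # requirement -> [(test, passed), ...]
    orphans, inconsistent = set(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                   # not a result line
        test, req, passed = m.group("test"), m.group("req"), m.group("res") == "PASS"
        if (m.group("exp") == m.group("act")) != passed:
            inconsistent.add(test)     # verdict contradicts the expected/actual pair
        if req is None:
            orphans.add(test)          # test not linked to any requirement
        else:
            results[req].append((test, passed))
    return {
        "untraced": sorted(r for r in requirements if r not in impl),
        "untested": sorted(r for r in requirements if r not in results),
        "failing": sorted(r for r, rs in results.items() if not all(ok for _, ok in rs)),
        "orphan_tests": sorted(orphans),
        "inconsistent_tests": sorted(inconsistent),
    }
```

Every list in the returned report must be empty before the test evidence is presented as complete; the `inconsistent_tests` entry catches a testbench that logs PASS without actually comparing its values.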

Implementation

The implementation process is obviously technology specific. Here, the main point is to follow the process detailed in your PHAC document up-front.

The DO-254 specification typically allows you to remain somewhat high level while documenting your activities during implementation. This is due to the fact that there will be significant testing performed on the final design.

Production Transition

This is the final stage, when you are transferring your design over to manufacturing. Typically, this stage addresses questions such as:

  • How can you be sure you’re using the correct version of the Gerber data during the manufacturing process? (PCBA)
  • How can you be sure you’re using the correct version of the programming file during the manufacturing process? (FPGA)
  • Have you properly handled any errata for the device?

This portion of the process can be quite complex: several systems may feed results back into the requirements management tools (such as IBM DOORS), and it is critically important that the final system reflects the outputs of all of these processes.

Process Assurance

Along with your DO-254-compliant plan, you should also document how you will ensure you will meet this plan, typically documented in a Process Assurance or Quality Assurance plan. This plan documents who will be designated as the process assurance person or organization to double check that your PHAC and other plans are followed, and how this checking will be performed.

It’s important to realize that you must be able to prove that this checking happened, typically by creating a paper trail of internal meetings, reviews, internal audits, etc.

Typically, a DO-254 certification official wants this process assurance performed by a separate qualified person or organization (for example, someone knowledgeable about design/verification, but not someone on this design or verification team). This person/organization must also be given the authority to carry out this process, and be provided access to the engineers and design environment.

Configuration Management

In addition to the Process Assurance plan, you should also create a Configuration Management (CM) plan. In this plan, you will document how you will ensure the development process and artifact generation process is repeatable.

This typically includes revision control and bug tracking systems for all design/verification files, as well as for all documentation and artifact documents.

The DO-254 specification refers to the importance of tracking all design artifacts throughout the design process. Certification officials understand that design and verification files will go through many iterations.

However, once they are stable, you are expected to “baseline” the design. In typical commercial electronics, this is analogous to a design freeze—a point in a schedule when subsequent changes are closely controlled and documented, as shown in Figure 4.

Figure 4: Design process and baselines
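One way to answer the Production Transition questions above (correct Gerber data, correct programming file, errata handled) against a CM baseline, as an added example that is not code from the article: the baseline is frozen as a manifest of artifact hashes under a baseline label, and a release handed to manufacturing is checked against it. The file names, contents and the "HW-BL-3" label are constructed for the example.

```python
import hashlib
import pathlib

def load_artifacts(artifact_dir):
    """Read every file under artifact_dir into {relative_path: bytes}."""
    root = pathlib.Path(artifact_dir)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_baseline(baseline_id, files):
    """Freeze a set of release artifacts under a baseline label (the CM 'design freeze')."""
    return {"baseline": baseline_id,
            "files": {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}}

def verify_release(manifest, expected_baseline, files):
    """Compare what manufacturing holds against the approved baseline manifest.

    Returns a sorted list of discrepancies; an empty list means the release matches.
    """
    issues = []
    if manifest["baseline"] != expected_baseline:
        issues.append(f"wrong baseline: manifest is {manifest['baseline']}, expected {expected_baseline}")
    recorded = manifest["files"]
    for rel, digest in recorded.items():
        if rel not in files:
            issues.append(f"missing: {rel}")
        elif hashlib.sha256(files[rel]).hexdigest() != digest:
            issues.append(f"modified: {rel}")
    for rel in files.keys() - recorded.keys():
        issues.append(f"unexpected: {rel}")   # a file the baseline never approved
    return sorted(issues)

# Constructed sample release (not real artifacts): an FPGA programming file,
# a PCB Gerber archive and an errata note, frozen as baseline "HW-BL-3".
RELEASE = {
    "fpga/top.bit": b"\xff\xff\xaa\x99\x55\x66" + b"\x00" * 64,
    "pcb/gerbers.zip": b"PK\x03\x04" + b"\x01" * 32,
    "docs/errata.txt": b"ERR-7: apply pull-down on pin 12 before rev C\n",
}
BASELINE = make_baseline("HW-BL-3", RELEASE)

if __name__ == "__main__":
    # A single flipped byte in the programming file is enough to fail the check.
    shipped = {**RELEASE, "fpga/top.bit": RELEASE["fpga/top.bit"][:-1] + b"\x01"}
    print(verify_release(BASELINE, "HW-BL-3", shipped))
```

The manifest itself should be stored in the configuration management system alongside the baseline tag, so that the hash comparison is against the approved record rather than against whatever copy travelled with the release.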

Certification Liaison

Typically, a single person is selected as the main communication point for the certification officials. This single point of contact enables clean communication, and ensures that the certification official obtains a clear view of the overall design process. Typically, this certification liaison has previous DO-254 experience, with the skill to communicate the details in a way that the certification official can understand.

In-Target Testing

In-target testing is a critical component of the DO-254 specification, and is a required part of the overall flow. From a DO-254 perspective, all verification done in a simulator is performed on a model of the design. There is no guarantee that the model used in simulation matches the actual device. In addition, that simulation is typically limited and does not include the actual hardware physics such as voltage and temperature variations, as well as signal degradation, ringing, pin capacitance loading, etc.

To ensure the final device performs as expected, you must somehow demonstrate that the final device sitting on the target system that will go into the aircraft meets its requirements. In an ideal world, the certification official would like to see ALL requirements tested on the final part. However, realistically, this is frequently impossible as internal controllability and observability would be required. As a result, you can decide up-front how you will address this final testing procedure against your requirements in your PHAC document, and discuss this thoroughly with your certification official to reach agreement.

Certification Officials

There are several people that you might interact with throughout your project.

Designated Engineering Representatives (DERs) and Authorized Representatives (ARs) have FAA permission to “approve” a design. (The DER will also “find compliance” when the overall project is done and everything is in place.)

DERs are typically independent consultants, or may be employees of a company. The AR is typically an employee of a larger company. Typically, during DO-254 approval audits, you will interact with a DER or AR. It’s up to you to hire one if you will be handling the certification approval, but it’s best to hire this person early during the planning process.

The FAA also has Aircraft Certification Officers (ACOs) to provide guidance on aircraft-certification-related activities. ACOs assist with:

  • Design approval and certificate management
  • Production approvals
  • Engineering and analysis questions
  • Investigating and reporting aircraft accidents, incidents, and service difficulties
  • DER oversight

There are additional supplemental papers that clarify, restrict, and limit how the DO-254 specification is applied. In addition, there are follow-on papers created by other bodies such as the international Commercial Aviation Safety Team (CAST) and the European Aviation Safety Association (EASA), as well as additional regulations set by airframers such as Airbus and Boeing.

There are also a variety of commonly accepted industry practices expected by certification officials. A minimal understanding of these documents and their organization is important, as these papers limit the scope, and clarify details necessary to successfully complete a DO-254 project.

The DO-254 specification was created by an RTCA committee and was written to apply to all levels of hardware, including circuit boards, resistors, and capacitors—as well as chips such as FPGAs and ASICs.

So, if you simply go to the RTCA website and download and read the DO-254 specification, you’d be left with the impression that the document applies to a significant number of electronic components in your system.

However, when the FAA enacted the DO-254 specification as policy in 2005, it chose to limit the scope to “complex custom micro-coded components”—PALs, PLDs, FPGAs, and ASICs.

There are also other related documents such as the “AEH Job Aid”, a collection of instructions and questionnaires to help FAA-authorized auditors audit your Airborne Electronic Hardware project.

The DO-254 specification is not a prescription—it only says WHAT must be accomplished, it does not try to stipulate HOW to do it.

Other Design Considerations

Although it’s not explicitly detailed in the DO-254 specification, certification officials will expect you to design your system to adequately handle a variety of adverse conditions, such as single event upsets on state machines, memory corruption (protected by, for example, ECCs), block or subsystem redundancy when deemed necessary to achieve a sufficiently low failure rate, electrical isolation of circuits at different DALs so that a lower-DAL circuit cannot disrupt a higher-DAL circuit, and many other aspects required by high-reliability environments.

In your plans, you should articulate any high-level design and verification aspects you’re adding to accommodate the needs of a safety-critical design, especially if the design is DAL A/B.

Meeting DO-254 can be a laborious and expensive process, but proper up-front education and planning can significantly ease the process of achieving DO-254 approval.
