Introduction to DO-254 Design Assurance Guidance for Airborne Electronic Hardware


By Esteban Sánchez, Project Manager, Avionyx, 2009


Electronic aviation equipment, composed of both hardware and software, plays a critical role to fulfill the objective of a safe flight. The DO-254 standard, Design Assurance Guidance for Airborne Electronic Hardware, was created in April, 2000 and formally accepted by the FAA in 2005 as a means of compliance for the design of complex electronic hardware in airborne systems. The standard was conceived as the complement to the well-recognized homologous guidance for software, DO-178B. The main objective of DO-254 is to provide design assurance guidance to assist organizations in the development of electronic hardware. The intention of this paper is to provide a quick overview of the DO-254 standard for companies, engineers and managers.

Criticality and Complexity in DO-254

The DO-254 standard defines five system development assurance levels, A through E, that vary depending on the criticality of the system (the effect that a system failure represents for the safety of the aircraft). Level A is the most stringent and applies to systems whose failures would not allow continued safe flight. Conversely, level E is applicable to all those systems whose failures do not affect the operational capability of the aircraft or increase the workload of the flight crew. The design assurance level determination is performed by the System Development Process (during this process the system is conceived as a whole, from the highest level of the design hierarchy as it is intended to fit in the aircraft) and flowed down to the Hardware Development Process, where it is used to drive the level of design assurance required to satisfy certification objectives. The higher the design assurance level needed, the more complex and expensive the project will become. In its Appendix A, the DO-254 standard includes a comprehensive list of data to be produced for each level of design assurance. This appendix is particularly useful to avoid increasing the scope of the project and producing documents that are not required for the certification of the electronic hardware.

DO-254 is applicable at the device, board or LRU level, although compliance is only required at the device level by the FAA. DO-254 distinguishes between complex and simple electronic devices; however, it recognizes that such a differentiation is not rigorously defined anywhere. Basically, the standard defines a Simple Electronic Device as:

One that can be demonstrated, through a comprehensive combination of deterministic tests and analyses appropriate to the design assurance level, to have a correct functional performance under all foreseeable operation conditions with no anomalous behavior.

In terms of verification, this implies that in order to classify an electronic device as simple, exhaustive testing may be required. Based on this definition, a Complex Electronic Device can be simply defined as one that cannot be classified as a Simple Electronic Device. Examples of complex electronic devices include all flavors of Programmable Logic Devices (PLDs), such as Field Programmable Gate Arrays (FPGAs), Complex Programmable Logic Devices (CPLDs) and Application Specific Integrated Circuits (ASICs). DO-254 is written to cover all complex electronic hardware; however, FAA advisory circular 20-152 only requires the standard to be followed for complex electronic devices with design assurance levels of A, B and C.


Hardware Development Life Cycle

Rather than specifying how the electronic hardware is to be designed, produced and manufactured, DO-254 offers a comprehensive list of activities that should be performed and artifacts that must be produced during the hardware development process. The document is not intended to explain how a design should be implemented or what makes one design approach better than another. The standard focuses on the definition of the hardware development life cycle, its phases, activities and artifacts.

From a high-level perspective, three major groups of processes are identified: 1) Planning Process, 2) Hardware Design Processes, and 3) Supporting Processes. With the exception of the planning process, processes 2 and 3 are further divided into more specific processes, which are described below in detail, including objectives, activities and life cycle data. Figure 1 shows the big picture of the hardware development life cycle processes and their interactions.

[Figure 1 - Hardware development life cycle under DO-254. The figure shows the DO-254 Hardware Development Life Cycle between the System Process and the Manufacturing Process, with the Planning process, the Hardware Design Processes (Requirements Capture, Conceptual Design, Detailed Design, Implementation, Production Transition) and the Supporting Processes (Verification and Validation, Configuration Management, Process Assurance, Certification Liaison).]

1. Planning Process

The overall development of electronic hardware according to DO-254 starts with the Planning Process. No design data, requirements, schematics or HDL (Hardware Description Language) code is produced in this process; however, it is one of the most important processes, as it defines how the hardware development processes and the supporting processes are to be executed. This definition takes the form of planning documents, which, according to the standard, can be contained in one or more documents. In addition to the planning documents, DO-254 also recommends the use of quality standards to aid in the development of electronic hardware. Both the planning and quality standards documents constitute the output of the planning process.

2. Hardware Design Process

Once the foundations for the development activities have been established in the planning documents, the Hardware Design Process can be started. The Hardware Design Process is subdivided into five major sub-processes that are outlined in the following table:

Requirements Capture: Identifies the hardware item requirements. The requirements may include architectural, performance, functional and environmental requirements, as well as requirements imposed by the system safety assessment. The output of this process is the Hardware Requirements Data.

Conceptual Design: Produces a high-level design such as a block diagram, architecture description or circuit card assembly outline. The output of this process is the Conceptual Design Data.

Detailed Design: Uses the hardware requirements and the conceptual design to produce a more detailed design. The output of this process is the Detailed Design Data.

Implementation: In this process, the detailed design is used to produce the actual hardware item. The output of this process is the hardware item itself.

Production Transition: All the resources, including manufacturing data and test facilities, are evaluated to ensure availability and correctness for production of the hardware item.

As part of the hardware design process, the standard mentions the creation of an Acceptance Test, which demonstrates that the manufactured, modified or repaired part performs as intended. However, no additional guidelines are provided because it is considered out of the document's scope.

3. Supporting Processes

The Supporting Processes are a group of processes executed in parallel with the planning and hardware design processes to ensure the correctness and completeness of the outputs generated. It is recommended that the activities in the Supporting Processes group be carried out by personnel who are independent from the personnel participating in the hardware design processes. The following is a list and a brief description of the supporting processes.

Validation and Verification: The validation process ensures that the hardware requirements are correct and complete. The verification process provides assurance that the hardware item implementation meets all the hardware requirements. All this is accomplished through tests, analyses and reviews of the hardware life cycle data.

Configuration Management: Provides the ability to control the hardware life cycle data, so that, if required, the hardware item or any documentation can be consistently regenerated in case a modification is required.

Process Assurance: Ensures that the objectives of the life cycle process are accomplished according to the foundations established in the planning documents, or that deviations have been justified and documented.

Certification Liaison: This process constitutes the communication channel between the applicant and the certification authority.


Why DO-254?

There are several reasons for choosing DO-254 as your standard for electronic hardware development. The first and most important reason is that DO-254 provides design assurance that will significantly help to ensure that the electronic hardware performs its intended function with no anomalous behavior under the foreseeable operation conditions. Secondly, the FAA recommends that the standard be used to pursue certification of the equipment. Even though the standard is not stated to be mandatory, getting another process approved by the FAA could be cost prohibitive and may greatly impact the schedule as well.

If you are new to DO-254, Avionyx provides a 3-day Introduction to DO-254 class that is offered at RTCA in Washington, DC, or at your site for groups of 10 or more. For more info, contact us at [email protected].

    Avionyx, S.A.

    www.avionyx.com

    (321) 821-2365

    [email protected]