DO-254 Best Practices: Top Seven DO-254 Tips from Seven Projects

June 20, 2016 (PRLEAP.COM) Business News
June 20, 2016 - AFuzion has recently engaged an unusually large number of DO-254 projects: in seven months we've completed seven projects in seven countries. Many interesting DO-254 facts were acquired and we share them here including DO-254 best practices. Below we provide one top DO-254 tip from each project/country. For more technical DO-254 details, or advanced DO-254 training, just visit the links at the end of this article.

Tip #1, from a USA project where we provided AFuzion's onsite DO-254 training and DO-254 analysis for a UAV client: DO-254 isn't normally required for UAVs, though DO-178C increasingly is. This client was using C++ within an FPGA: C++ normally comes under DO-178C (software) whereas FPGA implementations are normally covered via DO-254 (silicon Complex Electronic Hardware – CEH). So, was this client's FPGA-based solution DO-178C or DO-254? Different authorities have different opinions. However, this client was making a primary flight control computer for which their safety assessment showed DAL B. For DAL B, there is very little difference between DO-178C and DO-254 (quite the opposite for DAL C!!). So we applied DO-178C processes to the C++ baseline even though it would become FPGA firmware. Simply skipping software compliance was arguably possible, but this client wanted to export their UAV showing DO-254 & DO-178C compliance so this was the best choice. Non-technical tip: this was a Midwest client – go for the aged beef if you're non-vegetarian; some of the finest in the world.

Tip #2 from an Israel project: Client procured AFuzion's DO-254 Gap Analysis to analyze new, and some very old, legacy logic. A portion of the baseline was perfectly stable but the source no longer existed nor was it developed to any safety critical standard. The DO-254 gap analysis showed the cost to recreate this baseline would have been excessive and unnecessary since no changes were planned and the I/O was well-defined to apply exhaustive DO-254 testing. We proposed a wrapper-solution whereby the I/O was checked for all instances at runtime; DAL C and DAL D were applicable thus obviating the need for white-box DO-254 verification. Client complied with DO-254 while saving 80% of the DO-254 cost otherwise applicable with redeveloping. Non-technical tip: stay in Tel Aviv's Marina District: swim in the warm sea at dawn and try amazing local produce and fruit.

Tip #3 from a DO-254 consulting assignment in Turkey. Client had an existing board deploying both a CPU and several FPGAs; Client needed a DAL A solution for one component and could choose a software (DO-178C) or CEH (DO-254) solution. After receiving AFuzion's DO-254 training, client realized 3rd party DO-254 DAL A testing tools were less mature than DO-178C testing tools and that a software-based DO-178C approach was the better fit for their separate DAL A component. Client switched from putting this functionality in an FPGA to the CPU-based approach instead, thus deploying DO-178C with improved testability. Project is now successfully entering flight test. Non-technical tip: though inland, Ankara has incredible fish flown in daily: just ask the cook to grill it the traditional way with olive oil and lemon: amazing.

Tip #4 from a Chinese commercial aircraft project: Client needed DO-254 safety-assessments performed thinking the system required all logic to be DAL B. AFuzion's DO-254 analysis showed that the system's two FPGAs could be partitioned with one DAL A DO-254 FPGA and the other FPGA DAL D DO-254. Instead of putting all the logic in the same FPGA and invoking either expensive partitioning redesign per DO-254 or monolithic DAL B throughout, client was able to move 40% of the logic to the DAL D FPGA thus reducing DO-254 certification cost by 60% (see AFuzion's updated DO-254 Costs Whitepaper which shows why DAL D costs 35% - 60% less than DO-254 DAL B). Non-technical tip: be sure to stay or stop in Shanghai and visit the last vestiges of traditional neighborhoods before they soon disappear – amazing contrast of old and new like nowhere in the world.

Tip #5 from a U.K. DAL D DO-254 project. This client was building an all-new system requiring certification via both EASA ED-80 and FAA DO-254. After receiving AFuzion's ED-80 training for European DO-254, client realized EASA was more strict on DAL D than FAA (where AC 20-152 thinking still often prevails). Instead of applying more liberal AC 20-152 and CAST-27, client developed both systems per stricter EASA DO-254 constraints; added slight cost was offset by cost-reduction of identical DO-254 solutions. See AFuzion's whitepaper "Avoiding DO-254 Top Mistakes" for more details. Non-technical tip: this was a small town with restaurants seemingly closed by 8 pm; instead, hit the Pub where even if the UK's delicious beer isn't to your liking, there's a good chance some fresh pub fare can be cooked up for you at 11 pm.

Tip #6 from Down Under: Client was a consulting company itself branching into aviation development on an upcoming DO-254 DAL C project. They were CMMI 3 minus, with aspirations of CMMI 3-plus. They'd been previously told by another DO-254 consultant that they needed all-new processes. While all-new processes are a sure way to eventually achieve DO-254 compliance, that route is also expensive, relies upon a corporate culture change, and has seriously negative schedule and adoption impact. Instead, AFuzion recommended improving the existing processes to full CMMI Level 3, thus minimizing the DO-254 gap, then filling in the remaining relatively small gap with improved process assurance, hardware design processes, traceability, and DO-254 compliant hardware verification. Non-technical tip: domestic travel is easy and cheap: get out of town and visit the smaller towns which also have the same famous Aussie hospitality.

Tip #7 from an Italian DO-254 Training (combined with DO-178C Training) Client. This client had DO-178C experience but was new to DO-254 and also wanted to procure new DO-254 tools for requirements, configuration management, and process assurance. AFuzion showed how the existing DO-178C tools could be readily adapted for DO-254 thus minimizing cost, risk, and adoption time. Hardware design and VHDL tools were a different story but we showed how DO-254 verification focuses upon the human quotient, e.g. verify primarily the human's output, secondarily the tool's output. Non-technical tip: go native and enjoy Cappuccino only in the morning and eat dinner after 9 pm with pasta "al dente", meaning "firm" as in firmware …

For technical specifics on AFuzion's DO-254 training, see http://afuzion.com/avionics-training/workshops/avionics-hardware-intermediate-do-254-training-class/

For technical specifics on AFuzion's DO-254 Gap Analysis, see http://afuzion.com/gap-analysis/

For free whitepapers on DO-254 (Copyright AFuzion), see http://afuzion.com/avionics-safety-critical-training-whitepapers/
