COTS DO-254 safety-certifiable avionics hardware lowers cost, reduces risk


This Article was published in Electronic Products

Today, the FAA demands that suppliers of electronics system hardware used in commercial manned and unmanned aircraft develop their products to meet the strict DO-254 Design Assurance Guidance for Airborne Electronic Hardware safety certification standard. These airworthiness regulations were originally created for the commercial aviation industry. As a result of the excellent reusability, cost, and safety successes they’ve delivered in the commercial sector, they have been adopted by the defense industry as well, especially for military aircraft flying in domestic airspace. This trend is being driven by a number of market factors, including cockpit digitization, multi-core processing (enabling a reduction in the number of separate systems), the growing use of common avionics subsystems, the increasing number of UAVs and other military aircraft flying over civil population centers, and the use of synthetic vision systems (SVS) for landing (which raises the design assurance levels required of mission computers).

The DO-254 development process requires the costly and time-consuming creation of detailed sets of “data artifacts” to prove that the proper design and production processes have been followed. Data artifacts include plans, requirements, design, integration, test, verification, and validation of the specific modules. In past years, electronics modules designed to meet the FAA’s safety certification requirements were custom designs. These custom systems tended to be much simpler and easier to certify because of their relatively low complexity compared to modern-day systems. Today, system designers face the challenge of providing safety-certifiable mission-critical systems with much higher complexity at a reasonable price point. The cost of developing all of the artifacts needed to certify a custom electronics module is typically in the millions of dollars. The cost, time, and complexity of meeting DO-254 data artifact requirements have recently led integrators away from the custom-built systems of the past to instead consider a new class of open-standards-based “safety-certifiable” commercial-off-the-shelf (COTS) modules. These modules are already supported with data artifact packages. Even better, compared to costly custom alternatives, using COTS modules often delivers significant technology upgrades and obsolescence mitigation advantages.

About safety certification standards

To begin certification efforts, designers must first identify which level of effort their particular system requires. These requirements are outlined in a series of five Design Assurance Levels (DALs), and the stringency of the safety certification effort depends on which DAL is needed. DO-254 defines five DALs — A, B, C, D, and E — each related to the severity of the effects resulting from a potential failure. It’s estimated that more than half of all avionics systems fit into the DAL C/D/E categories. In the event of failure, hardware that meets DAL E, the lowest level, will have no effect on the aircraft’s operational capability or pilot workload. DAL D is for hardware whose failure would cause only a minor failure condition for the aircraft. In the middle, failure of hardware intended for DAL C usage would result in a major failure condition for the aircraft and typically involve serious injuries. As the levels go higher and the potential consequences of system failure increase, the amount and complexity of the data artifacts required for certification increase. A DAL B hardware failure is defined as one that could cause a hazardous/severe major failure condition for the aircraft and could involve some loss of life. The highest and most intensive level of the DO-254 standard, DAL A, is for hardware whose failure would result in a catastrophic failure condition for the aircraft and would likely result in loss of life for all aboard.

The COTS approach

By offering select standard modules (such as those designed to the popular VPX board architecture) that are supported with pre-existing comprehensive packages of design certification artifacts and certification evidence, COTS hardware vendors can develop safety-certifiable products that can be successfully used in a DO-254-certified system. The use of pre-existing data artifact packages effectively eliminates the complex and demanding documentation process that a customer must otherwise undertake.

Safety-certified modules in defense systems

Because custom-made safety-certified systems were traditionally based on less complex technology, traceability during the certification process was significantly easier. That’s especially true for higher DAL requirements in which every aspect of the module must be carefully scrutinized. Newer military systems demand higher performance and more capabilities with the ability to handle an increasing volume of data from varying sources. The more complex a system is, the harder it becomes to accurately measure environmental, functional, and failure probability factors. For example, processors of three cores or more are not yet approved for certification because certification authorities are concerned that software on multi-core processors could cause non-deterministic behavior or delay execution of safety-critical functions. In addition, the current certification process does not have formal procedures in place to adequately verify highly integrated modules.

For the mandatory safety certification in many military platforms, the challenge becomes balancing the need for technology advances with the ability to safety-certify complex, integrated solutions. With safety-certifiable COTS modules, vendors are able to provide customers with the necessary document package of artifacts to support system safety assessments along with customer certification efforts. COTS modules are less expensive overall, in part because the artifact costs are spread across standard product sales quantities.

Reducing design risk

While traditional custom-built systems may require an analysis and reverse-engineering of artifacts in support of the certification effort, COTS artifacts are designed into the hardware development. By purchasing standard modules, designers are assured that their subsystem can be successfully integrated into the platform’s next higher level of assembly, which will undergo DO-254 certification.

COTS modules can greatly reduce a system’s development schedule. Not only are COTS modules a proven base product technology, but application development can also begin immediately in conjunction with product customization. With a custom-built system, the certification process must start from scratch every time a new system is put into place. The COTS safety certification evidence provided by vendors, along with service history collected for a given program, enables the customer to accrue significant benefits for their next design using similar hardware and board support packages.

Companies such as Curtiss-Wright have developed an internal DO-254 process, enabling them to both design new products and develop data artifacts right from the outset. This results in a family of safety-certifiable COTS modules. A module can be purchased on its own, and later, if artifacts are required, they can be purchased separately. The cost for the otherwise expensive artifacts is significantly reduced because the same data artifact package is re-usable in numerous programs.

Fig. 2: The VPX3-611 DO-254-certifiable 3U VPX I/O module supports a wide variety of I/O for military and aerospace embedded computing.

A recent example of a safety-certifiable COTS module is Curtiss-Wright Defense Solutions’ VPX3-611 avionics I/O module (Fig. 2), an FPGA-based rugged 3U VPX module that can be configured with a virtually unlimited combination of safety-certifiable interfaces. Because DO-254 certification artifacts are available for the module’s I/O interfaces at the FPGA block macro-level, I/O configuration variants of the module can be created easily. Safety-certifiable I/O interfaces supported include MIL-STD-1553B, ARINC 429, CANbus, asynchronous UARTS, discrete, analog I/O, and Serial Peripheral Interface (SPI).

The module’s FPGA I/O blocks can be factory-configured to DO-254 DAL C and DO-178C DAL C. An on-module “personality module” provides all required transformers, transceivers, and drivers for I/O signal conditioning.
