Any team developing custom airborne electronic hardware (AEH) for commercial aviation programs (and in some cases military programs) that may have a safety impact on system operation must comply with DO-254. AEH includes chips (including PLDs, FPGAs and ASICs, with both digital and analog circuitry) and board-level designs (i.e., printed circuit boards, PCBs, sometimes called circuit board assemblies, CBAs). Note that the use of COTS (commercial off-the-shelf) and COTS IP (intellectual property) devices must also follow some aspects of compliance, as noted in the new objectives detailed in AMC 20-152A.
DO-254 is a recognized means to show compliance with the applicable airworthiness regulations for the electronic hardware aspects of airborne systems and equipment in product certification or TSO/ETSO authorization. Specifically DO-254 supports US CFR Title 14: Aeronautics and Space (Title 14 → Chapter I → Subchapter C → Part XX), where Part XX is Part 23 (commuter aircraft), Part 25 (transport aircraft), Part 27 (normal rotorcraft), Part 29 (transport rotorcraft), or Part 33 (engines). These correspond to equivalent rules of the EU Certification Specifications (CS).
DO-254 is a development assurance program. Complying with DO-254 requires performing thorough planning and complying with all the objectives of the DO-254 Life Cycle (i.e., Planning), having strict oversight of all processes (i.e., Process Assurance), controlling all data items (i.e., Configuration Management), clear identification and validation of hardware requirements (i.e., Requirements Capture), a clearly documented design concept (i.e., Conceptual Design), thoroughly reviewed design/code that implements requirements (i.e., Detailed Design), a physically implemented hardware item (i.e., Implementation) that is thoroughly and possibly independently verified (i.e., Verification), and instructions for repeatedly producing a controlled hardware item (i.e., Production Transition) that meets all the requirements. The objectives of DO-254 are modulated depending on the Design Assurance Level (DAL) of the design. For more information, view this free DO-254 mini-module.
This refers to the hardware development process that must comply with the objectives of DO-254. The main life cycle phases are Planning, Requirements Capture, Conceptual Design, Detailed Design, Implementation, and Production Transition. The “supporting processes” that operate alongside the development flow are Verification & Validation, Process Assurance, Configuration Management, and Certification Liaison.
DO-254 is a top-down process. It starts with an extensive planning process to define how the hardware item will be developed to be compliant with all the objectives of DO-254. These regulatory-approved plans must be followed at every step of development. Many development teams make the common mistake of treating it like a bottom-up process, meaning they do the development first and then think they can just create the compliance documentation. But this is an expensive mistake. See more at our Blog here.
AMC 20-152A Chapter 5.2 provides guidance on simple/complex classification for custom devices. The definition of simple is “if a technical assessment of the design content supports the ability of the device to be verified by a comprehensive combination of deterministic tests and analyses that ensure correct functional performance under all foreseeable operating conditions with no anomalous behavior.” In essence, a device becomes complex due to design features such as complex clocking, state machines and interactions between them, interfaces, data/signal processing or transfer functions, etc.
DER stands for Designated Engineering Representative. This is a person who has, through rigorous education and experience, been authorized by the FAA to audit programs on their behalf. DERs can also perform training, offer advice, and do work on behalf of applicants for DO-254 compliance as independent consultants. To learn more, view our Blog on this topic.
While you do not technically need to hire a DER to audit your DO-254 program, there are many benefits to doing so, including avoiding long wait times for FAA auditing and getting valuable advice throughout your program. To learn more, view our Blog on this topic.
Be aware that not all DO-254 “consultants” or “certification experts” are DERs. It's best to screen folks closely, check multiple references, and verify their credentials by checking the FAA consulting directory, which identifies all the DERs authorized in various categories of expertise:
Some of the top mistakes are: 1) not taking planning seriously, 2) doing traceability after-the-fact (as opposed to throughout development), 3) not hiring an authorized DER, 4) not holding internal reviews before certification audits, 5) not baselining/controlling data items properly.
DAL stands for Design Assurance Level, which is a measure of the criticality of a design. A hardware or software item is assigned an Item DAL (IDAL) during the system level Preliminary System Safety Assessment (PSSA). The assigned IDAL dictates the rigor of the objectives required to comply with the DO-254/DO-178C process.
DO-254 plans guide everything you do in a DO-254 program, must be approved by the certification authorities, and are in essence a contract with the certification authorities regarding how you will meet compliance.
SOI stands for Stage of Involvement, referring to the involvement of the FAA when auditing a DO-254 compliance program. While not strictly required, there are typically 4 types of SOI audits held for a program: SOI-1 (Planning), SOI-2 (Requirements and Design), SOI-3 (Verification) and SOI-4 (Final Compliance Review). The number and depth of reviews depend upon a lot of factors. See Appendix C of FAA Order 8110.105A to understand how much involvement, and therefore the number and types of audits, your program may have.
The word traceability means linking one thing to another. For DO-254, this usually refers to the Requirements Traceability Matrix (RTM), which links requirements to the design, test, and results. The reason for this traceability is 1) to ensure that the design only includes the defined requirements, 2) to ensure that any additional functions are identified as “derived” and validated, and 3) to show that it has been demonstrated that the design performs those requirements with no anomalous behavior. Sometimes the word traceability in a DO-254 context may mean the ability to trace design changes back to a known baseline, i.e., tracing one version of a design to a known version.
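The three traceability goals above, expressed as a gap check over a small RTM. This is an added example, not part of DO-254 or of the original page; the requirement IDs, file names, test IDs and the `audit_rtm` function are constructed for illustration.

```python
"""Requirements Traceability Matrix (RTM) gap check; all IDs are constructed."""

def audit_rtm(requirements, design, tests):
    """Return sorted (kind, item) findings for the three traceability goals."""
    findings = set()
    implemented, demonstrated = set(), set()

    # Goal 1: every design element traces to at least one defined requirement.
    for element, req_ids in design.items():
        known = [r for r in req_ids if r in requirements]
        if not known:
            findings.add(("untraced-design", element))
        implemented.update(known)

    # Goal 2: every requirement marked as derived must also be validated.
    for rid, attrs in requirements.items():
        if attrs.get("derived") and not attrs.get("validated"):
            findings.add(("derived-not-validated", rid))

    # Goal 3: every requirement is implemented and has a passing test result.
    for test in tests.values():
        if test["result"] == "pass":
            demonstrated.update(r for r in test["reqs"] if r in requirements)
    for rid in requirements:
        if rid not in implemented:
            findings.add(("no-design", rid))
        if rid not in demonstrated:
            findings.add(("no-passing-test", rid))
    return sorted(findings)

# Constructed sample RTM: one clean requirement and several gaps.
REQS = {
    "HRD-001": {"derived": False},
    "HRD-002": {"derived": False},
    "HRD-003": {"derived": True, "validated": False},
}
DESIGN = {
    "uart_rx.vhd": ["HRD-001"],
    "watchdog.vhd": ["HRD-003"],
    "debug_port.vhd": [],          # function with no requirement behind it
}
TESTS = {
    "TC-01": {"reqs": ["HRD-001"], "result": "pass"},
    "TC-02": {"reqs": ["HRD-002"], "result": "fail"},
    "TC-03": {"reqs": ["HRD-003"], "result": None},   # not yet run
}

if __name__ == "__main__":
    for kind, item in audit_rtm(REQS, DESIGN, TESTS):
        print(f"{kind:24} {item}")
```

Running a check like this throughout development, rather than after the fact, surfaces untraced logic and unverified requirements while they are still cheap to fix.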
The original definition in DO-254 10.3.2.2.1 says “The top-level drawing uniquely identifies the hardware item and identifies all assemblies, subassemblies, components and relevant documentation that define the hardware item.” But this is confusing for developers of FPGAs and similar hardware. New policy clarifies that what is required is a description of the HW item that includes the source files and revision history, the hardware environment in which it's built, all the related data items, and all the procedures to build the files into an implementation of the design that’s loaded into the target FPGA device. This is typically captured in a Hardware Configuration Index and Hardware Environment Configuration Index document. To read more about TLDs, click here.
Target testing refers to physically testing the implemented hardware in its “target” (or actual) environment, as it will be installed in the aircraft. This may mean testing a chip at the board or system level. While simulation is a common practice to verify the design during development, target testing of all requirements that are practical to physically test is expected.
This method, introduced in DO-254 Appendix B as a potential “Advanced Verification” method for DAL A/B designs, means ensuring that testing covers all the design elements, and it is most commonly implemented by running code coverage analysis during simulation.
You can find the latest policy documents regarding DO-178C and DO-254 by searching the FAA and EASA websites. We’ve made it easy for you by putting all the latest pertinent documents (that are free and publicly available) on our website in one place here.
Note that DO-178C and DO-254 and the other RTCA documents (such as the DO-178C supplements) are available for purchase on the site www.rtca.org.
The answer can vary, but more and more military programs (i.e., jets, helicopters, UAVs/drones and other VTOL aircraft) are having to comply with DO-254. It's usually a requirement when the aircraft could cause a safety concern in a civilian area.