
Demystifying DO-254

White Paper Published By: Mentor Graphics

Interest in DO-254 first occurred in Europe and has since spread to the US commercial aircraft industry. If you are being asked about your company's DO-254 direction and compliance, but have been overwhelmed with information on the subject, then this article is for you.



Tags : 
demystifying do-254, mentor graphics, airborne electronic hardware, hardware design assurance strategy, configuration management process, eda tools, analytical applications, content management system

Mentor Graphics
Published:  Aug 20, 2009
Type:  White Paper
Length:  9 pages

TECHNICAL PUBLICATION
Demystifying DO-254
Tom Dewey, Technical Marketing Engineer
Design Creation and Synthesis Division
Mentor Graphics Corporation
March 2008
www.mentor.com
INTRODUCTION

Interest in DO-254 first occurred in Europe and has since spread to the US commercial aircraft industry. If you are being asked about your company's DO-254 direction and compliance, but have been overwhelmed with information on the subject, then this article is for you. This article presents DO-254 for the novice, boiling down the standard, reducing it to its essential points so that you will be ready to respond with confidence, as well as understand its potential impact on your products or services.

WHAT IS DO-254?

DO-254 provides guidance for design assurance in airborne electronic hardware to ensure safe function. It provides a framework of considerations for certification across the entire engineering lifecycle - but does not specify how to implement the standard. Thus, a cottage industry has formed to provide training and consulting, complicating the novice's task of getting smart quickly.

A few years back, the FAA issued AC 20-152 that stated DO-254 must be used for programmable hardware (they included FPGAs as well as ASICs as programmable). At that point, the US commercial aircraft industry took serious notice. Europe has been involved in DO-254 even longer and their regulatory agencies apply a more rigorous treatment of the standard.

When you first take a look at the standard document you may be shocked to find how thin it is. After all, this standard is supposed to ensure that no aircraft drops out of the sky due to electronic hardware failure. Rather than provide detail, the standard covers a lot of ground but at high, conceptual levels. For example, the standard states "establish and document your hardware design process." Many books have been written on this topic alone and companies have spent years defining and perfecting this process.

DO-254 does not sit in isolation; it complements a whole host of other standards and processes, such as safety and environmental impact assessments that provide complete guidance. But the focus of DO-254 is solely on electronic hardware. As far as the standard is concerned, there only exists hardware and software (to which DO-178 applies). There is no middle ground (for example firmware). If the hardware is going into anything that flies commercially, DO-254 likely applies.

Figure 1: Selecting Hardware Design Assurance Strategy

Figure 1 shows the high-level process for selecting a design assurance strategy.
PAGE 2 www.mentor.com March 2007
The criticality or failure condition is determined using a system safety assessment process described by the standard. This process assigns a Level A to E to describe the severity of a failure:

A. Catastrophic: failure prevents the safe flight and landing of the aircraft, resulting in many fatalities including the crew. A Level A failure might occur 1 in 1 billion flights.

B. Hazardous: failure significantly reduces flight safety margins and the capability of the aircraft to fly, possibly resulting in fatal injuries but not to the crew. A Level B failure might occur 1 in 10 million flights.

C. Major: failure reduces flight safety margins and the capability of the aircraft to the point where potential injuries could occur. A Level C failure might occur 1 in 100,000 flights.

D. Minor: failure does not significantly reduce aircraft safety, resulting in potential discomfort to passengers or crew. A Level D failure might occur 1 in 100,000 flights.

... such a system has brought down an aircraft. The Swissair 111 crash on September 2, 1998 was traced to the in-flight entertainment system that caused arcing across wires, setting fire to the cockpit ceiling (which was lined with flammable material). It is unlikely that the entertainment system would have been classified as a Level-A system.

The standard also differentiates the rigor of the processes based on whether the hardware is simple or complex:

- Simple: a set of comprehensive tests can be created to exhaustively determine correct functionality under all operating conditions.
- Complex: if the hardware is not simple, it is complex.

Thus, the majority of FPGA and ASIC systems are typically complex. A complex, Level-A system means that you must follow the maximum guidance from DO-254.

The certification process for ... [download for more]
