With the rise of progressively more complex electronic hardware, which is defined as, being used in aircraft safety critical functions brings about new and challenging safety and certification considerations. Complex hardware is defined as hardware that under an exhaustive number of tests cannot be verified to ensure that it will behave correctly in all computable operating conditions. Engineers now have to be aware that aircraft functions can become more susceptible to design errors in hardware due to the progressively more elaborate hardware being developed. Since these risks are increasing, it has become apparent that the hardware design errors need to be addressed in a verifiable procedure during the design and the certification of the product.
The formal safety standard that applies to complex aircraft hardware is DO-254. This standard helps by providing direction for design assurance of airborne electronic hardware. It also provides you with certification information from the beginning of your project through validation.
This standard was officially put into place in 2005 to help make sure there is a high level of safety in airborne electronic systems. The main goal of the standard is to not only make sure the final product can be verified, but to also know that hardware implementation meets the first requirements you set out to design for in your product.
The DO-254 standard has five different levels of compliance that are known as Design Assurance Levels, or DALs. Depending on what level of harm the hardware failure would cause will determine what level the piece of hardware needs to be certified to. The 5 levels range from most severe, where a hardware failure would result in a catastrophic failure of the aircraft, down to the least severe where a hardware failure would not result in any affect towards the aircraft’s safety. The 5 levels are:
Level A: | Failure of the hardware will prevent the aircraft to continue flying safely and being able to land safely. This level of assurance is needed when a hardware function’s failure would create a failure of the system function that would create a catastrophic failure for the aircraft. |
Level B: | Failure of the hardware would limit the capability of the crew of the aircraft to deal with unfavorable operating conditions. This could include an increased workload for the crew where they could no longer be counted on to perform their job duties without error or to completion. A hardware failure could also result in serious or possible fatal injuries to some of the people aboard the aircraft. |
Level C: | Failure of the hardware would also limit the capability of the crew of the aircraft to deal with unfavorable operating conditions. This can also cause an increase workload for the crew aboard the aircraft which can hamper their efficiency. There is also a possibility that a hardware failure could result in some discomfort or injuries to the people aboard the aircraft. |
Level D: | Failure of the hardware at this level will not greatly impact the safety of the aircraft. A failure may result in some increased workload for the crew, but nothing outside of their abilities. There is also the possibility of imposing some inconvenience to the people aboard the aircraft. |
Level E: | Failure of the hardware at this level will not affect the capability of the aircraft or cause the crew to have an increased workload. |
Since DO-254 pertains to complex airborne hardware, when you set out to design a hardware component for use in an airborne system you must first develop a list of requirements that the component mus t meet. This will then help determine what DAL the component will need to be designed for. While going through the certification process, you must then show that the implementation of the component meets all of the requirements you set out from the start.
This process helps to provide affirmation that the way the hardware component was implemented also meets the requirements set forth from the beginning of the process. This will normally include doing reviews throughout the design process, performing analyses and tests on the component set forth by the verification plan. The main objectives you want to have for the verification process are:
Tool assessment is another important aspect of the DO-254 process. Tools used during verification and design are capable of introducing new sources of errors and therefore must be tested to an acceptable level of confidence. Tools specifically used in verification are important to verify themselves. Should a tool fail to detect an error in the hardware being tested, the entire DO-254 process is comprised. Assessing the tool must be done prior to use, and the results of this test must be recorded and maintained. For more information on “Tool assessment and Qualification”, see Section 11.4 of DO-254.
The process of assessing a tool begins with identifying it. This involves classifying it as either a design tool, or verification tool. Furthermore, documentation must be maintained about the details of the tool. These details are outlined in section 11.4. Figure 1 was taken directly from this section.
Design and verification tools are evaluated on a level of A to E depending on how catastrophic a result would be should the tools be faulty. A being the most catastrophic, and E which have no safety impact at all. Further assessment is required only if the tool is being used as a design tool for Level A, B, or C, or verification tool for Level A or B.
Figure 1: Design and Verification Tool Assessment Flow Chart
Independent assessment generally means that the tool has been manually reviewed, and that all outputs of the tool have been compared against the outputs of a separate tool that is capable of performing the same test. However this is not the only accepted method and the applicant may provide other methods of independent assessment. If a tool is not being independently assessed, then further testing and verification must be performed on the tool. This can be done in one of two ways.
Once the tool has been assessed in one of these three ways, it can then be used in design or verification of the complex hardware. To see how National Instrument’s test tools can be used for testing safety-related items, take a look at NI’s Best Practices for Testing Safety Compliant Systems. It covers techniques like model-in-the-loop testing and hardware-in-the-loop testing throughout the entire development process. Additionally, it discussed the advantages and efficiency gains of component re-use.