In our 20+ years in avionics and aerospace engineering, we’ve rarely seen an organization easily and quickly build and certify a project to DO-254 standards. That’s no surprise; DO-254 is vague, ironically software-centric, and complex. In truth, DO-254 is rarely cost-effective in its first usage, however, the competitive landscape of avionics, both commercial and military, is just that: competitive and focused upon long-term cost effectiveness and continual safety. Meaning, if you know DO-254, you have a key advantage over your competition. But how do you know what to expect with such an elusive guideline? What mistakes and complications can come in DO-254 project? We got you covered.
We’ve written about the history of DO-254 and how important it is to aerospace engineering, but never focused on the key challenges that can come in the guideline. So, here’s a list of the biggest mistakes we’ve seen and how to avoid them to get the most expedient and productive path to DO-254 certification.
Inappropriate Tool Qualification
DO-254 requires that certain tools be qualified in order to use them to their full ability. Tools are categorized as “development tools” (those whose output is directly associated with hardware) or “verification tools” (those whose output assesses hardware). Qualification is required when a tool augments, replaces, or automates one of the manual hardware lifecycle steps required by DO-254. Often, Tool Qualification is performed on compilers, source control, or other tools though qualification isn’t required. Other times qualification is skipped for tools which require such and the entire certification is subjugated.
Missing “No Unwarranted Changes” CM Step
DO-254 requires strong hardware Configuration Management (CM). While not required, virtually all successful avionics projects utilize a commercial CM tool. These tools range from overly simple and minimally useful, to overly complex, burdensome, and expensive. However, none of them checks or enforces DO-254’s requirement that the hardware defect correction process ensures that no unwarranted changes are made during the correction of a defect. What are unwarranted changes? Any change not specifically associated with, or cited, in the corresponding problem report. How are unwarranted changes prevented? Manually, via the reviewer (preferably independent; independence is required for the higher criticality levels of DO-254). The reviewer should merely compare “before vs. after” with the assistance of an electronic “diff” comparing the digital items (requirements, source code, tests, etc.) and ensuring that the only changes made directly pertain to the problem or anomaly described in the corresponding problem report.
Insufficient Hardware Requirement Detail
It is not possible to objectively and accurately quantify within DO-254 the required level of detail necessary for complete hardware requirements. However, the level of detail should be sufficient to allow for independent hardware designers to achieve functionally equivalent designs and implementation without the need for major clarification or assumptions. Minimally, the guideline of 1:25 should be adhered: one requirement per twenty five lines of high-order language source code. It should be noted that the majority of avionics projects suffer from insufficient requirement detail. This means that dangerous, or at least inaccurate, assumptions are made by the developer which deviate from intended functionality. An excellent means of ensuring that low-level requirements are sufficiently detailed is to develop functional (requirements-based) test cases in parallel with the specification of those requirements, by a test engineer independent from the systems engineer specifying the requirements.
The test engineer will essentially validate the requirements while writing the test cases, and the resultant test cases will be independently reviewed by the associated systems engineer to confirm correct intent of those very requirements.
Inadequate Formal Planning & DO-254 Gap Analysis
DO-254 requires six basic formal planning documents:
1. Plan for Hardware Aspects of Certification
2. Production Assurance Plan
3. Configuration Management Plan
4. Hardware Development Plan
5. Hardware Validation & Verification Plan
6. Hardware Standards
Most companies already have partially acceptable processes but don’t know how to take DO-254 credit for existing work. Instead of starting over and adopting all new processes, companies should perform a DO-254 Gap Analysis to analyze the gaps in their existing processes and how best to close them. Then procure DO-254 process templates, checklists and a formal gap analysis to adopt industry best practices.
Neglecting Independence
DO-254 requires an increasing amount of “independence” as the criticality level increases, with Level A/B requiring the highest degree of independence. Independence refers to the dissimilarity between the originator of a DO-254 required life-cycle step or artifact and the verifier of that same step/artifact. The verifier can refer to the reviewer in the case of items requiring further review. If the required degree of independence for the associated criticality level of the life-cycle artifact/step is not achieved, the entire certification is subjugated. The result is that step, and possibly the entire product, must be repeated or re-engineered. Furthermore, if a future iteration of the product has a higher criticality level (quite common) and the degree of independence required for that level is not achieved (equally common), then significant re-work is required. So, when applying independence, pay heed to the potential highest level of criticality the product “might” someday require, and always apply more independence than required.
The resultant higher level of review quality associated with greater independence is worth the slight decrease in reviewer efficiency. While we would like to say the aforementioned mistakes are the only ones people have made with DO-254, this is not the case. In fact, we have observed dozens more.
Avoiding DO-254 mistakes is easy with ConsuNova
While these top 5 mistakes are important to consider, many more can come if you’re not prepared for a DO-254 project. Check out our DO-254 white papers to get the full scope of DO-254 planning, and schedule some time with a ConsuNova team member to discuss Gap Analysis, training, or other specialized DO-254 solutions.