Certifying COTS avionics hardware to DAL A is common sense
Modern avionics systems continue to become more complex, not only for military aircraft but also for commercial aircraft adopting the latest digital cockpits. This complexity, and the demand for increased performance, has placed more pressure on industry and on the civil safety certification authorities for aviation worldwide to develop processes for certifying commercial-off-the-shelf (COTS) hardware to the highest safety certification level, Design Assurance Level (DAL) A. In this Q&A with Paul Hart, Chief Technology Officer (CTO) for Curtiss-Wright Defense Solutions, he discusses the objections from the civil aviation authorities to this concept, the benefits of certifying COTS hardware to DO-254 DAL A, its similarities to certifying software to DO-178C, and how it might apply to unmanned aircraft. Edited excerpts follow.
MCHALE REPORT: Please provide a brief description of your responsibility within Curtiss-Wright and your group’s role within the company.
HART: My position is Chief Technology Officer for the Avionics & Electronics group within Curtiss-Wright Defense Solutions. I am also Technical Fellow to the Curtiss-Wright Corp. The Avionics and Electronics group develops and manufactures various ice detection and air data sensors, flight test instrumentation, flight recording systems, data acquisition and processing avionics for commercial and military aviation as well as satellite launchers and low earth orbit spacecraft. It’s my job to research new disruptive technologies that could be introduced into our future avionics and space systems that will provide better product value to our customers and continue to differentiate us from our competitors. I provide guidance and oversight to our engineering teams and advise senior management on technical matters. I also travel extensively, working with customers on future programs and presenting new ideas and technologies on the conference circuit.
MCHALE REPORT: During the Aviation Electronics Conference in Munich you started a bit of controversy during your presentation when detailing the growing demand for certifying COTS hardware technology to Avionics Design Assurance Level (DAL) A. Why is the demand increasing?
HART: The ongoing digitization of cockpits has created a demand for commercial technology advancements that enable increased sophistication as well as more use of common avionics subsystems in military and commercial aircraft. Also, there is increased demand for synthetic vision systems for landing, which increases the Design Assurance Level (DAL) of mission computers on aircraft that use SVS. All of this, combined with the increase of military aircraft — manned and unmanned — flying over civilian airspace, has increased FAA scrutiny on U.S. military self-certification processes.
MCHALE REPORT: What are the benefits to certifying COTS hardware to DO-254?
HART: The biggest ones are reduced cost and improved reliability, quality, and maintainability, which all equate to reduced risk for the end user. Our customers in military and commercial avionics platforms also have accelerated time-to-market demands. Prime contractors and avionics suppliers need to provide support for selected RTOS vendors and graphics drivers, make the required artifacts available for the modules, and provide functionally equivalent modules for air-cooled lab use along with rear transition modules for easy interface to I/O. All of this means they need to embrace COTS hardware and enable its certification to the highest safety levels, as it’s the only way to effectively take advantage of this commercial technology.
MCHALE REPORT: What are the objections from the avionics certification community to certifying COTS hardware to this level? Who objected during the conference?
HART: At the [Aviation Electronics] Conference there were three specific areas that sparked debate. Firstly, regulatory agencies take issue with the term “COTS” if a manufacturer is attempting to use the track record, or more formally the “product service experience,” of, say, a single board computer that has been fielded extensively in rugged operating environments in another industry as compliance evidence to meet certain DO-254 requirements. This is a valid point, as such a board would need to meet the relevant DAL requirements regardless.
Secondly, there is much debate about using multi-core processors for safety-certified applications and guaranteeing that all the potential failure conditions can be mitigated. For the aerospace industry this is a significant problem, as multi-core processors, and indeed most electronics today, are developed for the mass consumer market, not for avionics. The skill in our industry is being able to adapt these electronics for flight-critical applications and to upgrade and support the resulting avionics products for more than 20 years, long after the original components have become obsolete. In the case of multi-core processors, most manufacturers will not release detailed documentation of internal electronics that could be used to develop certification artifacts. All these factors present considerable certification challenges to meet the DO-254 DAL A/B criteria, and the “Acceptable Means of Compliance” used to demonstrate that these requirements have been met is often debatable. Thirdly, there are different routes to achieve certification through EASA and FAA.
MCHALE REPORT: Are there different views regarding this topic based on the civil authority in question? For instance, does the Federal Aviation Administration (FAA) differ in its views on certifying COTS hardware from the European Aviation Safety Agency (EASA), and if so, how do they differ?
HART: There are pointed differences between EASA and the FAA on how they certify hardware to DO-254 for FPGAs and other programmable logic devices. For example, the FAA states: “We recognize that the hardware life cycle data for commercial-off-the-shelf (COTS) microprocessors may not be available to satisfy the objectives of RTCA/DO-254. Therefore, we don’t intend that you apply RTCA/DO-254 to COTS microprocessors.” In contrast, the EASA Certification Memorandum requires deterministic tests and analysis for simple COTS and simple microcontrollers under all foreseeable operating conditions to demonstrate compliance. This can be tremendously challenging for a designer, who must produce test cases for the considerable number of code paths even in simple systems.
Furthermore, despite the existence of a reciprocal agreement between EASA and FAA on a certified item, the routes to certification are notably inconsistent as regards the sign-off of DO-254 and DO-178C test evidence to achieve certification. Under FAA jurisdiction a third-party Designated Engineering Representative (DER) or, more recently, a company-level Organization Designation Authorization (ODA) can approve certification artifacts through the Supplemental Type Certification (STC) process as part of an equipment upgrade on an already Type Certified (TC) aircraft. The DER or ODA would need to have been involved with the Stages Of Involvement (SOI) during the development cycle and approve the four SOI audits. Under EASA the DER/ODA process does not exist. Instead, companies (not individuals) should be approved to EASA Part 21G as Production Organization Approvals (POA), with Declaration of Design and Performance (DDP) signatories within those companies, appointed by the regulatory agency, able to sign off conformity checks. This does not, however, certify the equipment on an aircraft, even with a TSO application via the EASA Part 21 Subpart O route. There is a further step (which would normally be part of the STC under the FAA process) to design and produce an EASA-approved installation design. This requires an EASA Part 21J Design Organization Approval (DOA) and splits into “Minor” and “Major” modification categories, the latter applied to significant aircraft modifications that affect handling qualities or increase pilot workload. An EASA 21J Major modification cannot be authorized by the DOA and requires EASA approval. This is sometimes referred to as an “EASA STC,” but the path to this approval differs considerably from the FAA-approved STC route.
MCHALE REPORT: What steps need to be taken from a design perspective that haven’t been taken to enable certification of COTS hardware to DO-254?
HART: Safety monitoring features need to be incorporated into designs to meet DO-254 requirements: for example, loopback testing of interfaces, watchdog timers to reset the processor if the software misvectors, and discrete electronics to monitor power supply and temperature levels and report fault conditions to supervisory BIT (Built In Test) software. FPGAs need to be evaluated for race hazards and timing margin analysis. Board Support Packages between the target hardware and RTOS need to be certified and incorporate safety-monitoring features – as indeed does the RTOS, which will typically incorporate time and space partitioning to run applications of different DAL criticality on the same processor. All of these features need to be approved via the SOI audit process by an EASA Certification Verification Engineer (CVE) or FAA Designated Engineering Representative (DER). Lastly, the devices must meet environmental requirements including RoHS, REACH, and CE certification.
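To make the safety-monitoring features Hart lists concrete, here is an added example (not code from the interview, from Curtiss-Wright, or from any DO-254 artifact) of a small supervisory BIT model in C. It simulates the three monitors he names: an interface loopback check, a watchdog that expires when software stops servicing it, and discrete power-rail and temperature limit checks that latch fault flags for the supervisor. The limit values, tick counts, and all function and type names are constructed for illustration; a real design would drive the watchdog reset from a hardware path independent of the monitored processor.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Fault flags reported to the supervisory BIT software (constructed). */
enum {
    BIT_FAULT_NONE     = 0,
    BIT_FAULT_LOOPBACK = 1u << 0,  /* interface loopback mismatch          */
    BIT_FAULT_WATCHDOG = 1u << 1,  /* software failed to service watchdog  */
    BIT_FAULT_POWER    = 1u << 2,  /* supply rail outside limits           */
    BIT_FAULT_TEMP     = 1u << 3   /* board temperature outside limits     */
};

/* Hypothetical monitor limits; the numbers are illustrative only. */
typedef struct {
    int32_t  rail_mv_min, rail_mv_max;    /* supply rail, millivolts        */
    int32_t  temp_mdc_min, temp_mdc_max;  /* temperature, milli-degrees C   */
    uint32_t watchdog_timeout_ticks;      /* ticks allowed between kicks    */
} bit_config_t;

typedef struct {
    uint32_t ticks_since_kick;  /* watchdog counter                       */
    uint32_t faults;            /* latched fault flags, cleared by reset  */
} bit_state_t;

/* The application kicks the watchdog once per healthy control-loop pass. */
void bit_kick_watchdog(bit_state_t *s) { s->ticks_since_kick = 0; }

/* Loopback test: a byte driven out of an interface must return unchanged. */
uint32_t bit_check_loopback(uint8_t sent, uint8_t received) {
    return (sent == received) ? BIT_FAULT_NONE : BIT_FAULT_LOOPBACK;
}

/* True once the software has missed the watchdog deadline; in hardware this
 * condition would assert processor reset rather than just a flag. */
bool bit_watchdog_expired(const bit_config_t *cfg, const bit_state_t *s) {
    return s->ticks_since_kick > cfg->watchdog_timeout_ticks;
}

/* One monitor tick fed with the latest discrete readings. Returns the faults
 * seen in this tick and also latches them in s->faults for the supervisor. */
uint32_t bit_tick(const bit_config_t *cfg, bit_state_t *s,
                  int32_t rail_mv, int32_t temp_mdc,
                  uint8_t lb_sent, uint8_t lb_received) {
    uint32_t f = BIT_FAULT_NONE;
    s->ticks_since_kick++;
    if (bit_watchdog_expired(cfg, s))                         f |= BIT_FAULT_WATCHDOG;
    if (rail_mv < cfg->rail_mv_min || rail_mv > cfg->rail_mv_max)     f |= BIT_FAULT_POWER;
    if (temp_mdc < cfg->temp_mdc_min || temp_mdc > cfg->temp_mdc_max) f |= BIT_FAULT_TEMP;
    f |= bit_check_loopback(lb_sent, lb_received);
    s->faults |= f;
    return f;
}

/* Constructed scenario: a healthy pass, a sagging rail, a corrupted loopback
 * byte, then software that stops kicking a 3-tick watchdog. Returns the
 * latched flags the supervisor would see (POWER | LOOPBACK | WATCHDOG). */
uint32_t run_constructed_scenario(void) {
    const bit_config_t cfg = { 3135, 3465, -40000, 85000, 3 };  /* 3.3 V +/-5 % */
    bit_state_t s = { 0, 0 };

    bit_kick_watchdog(&s);
    bit_tick(&cfg, &s, 3300, 25000, 0xA5, 0xA5);   /* nominal: no fault      */
    bit_kick_watchdog(&s);
    bit_tick(&cfg, &s, 3000, 25000, 0xA5, 0xA5);   /* rail below limit       */
    bit_kick_watchdog(&s);
    bit_tick(&cfg, &s, 3300, 25000, 0xA5, 0xA4);   /* loopback byte corrupted*/
    for (int i = 0; i < 4; i++)                    /* no kicks: 4 ticks > 3  */
        bit_tick(&cfg, &s, 3300, 25000, 0xA5, 0xA5);
    return s.faults;
}

int main(void) {
    uint32_t faults = run_constructed_scenario();
    printf("latched BIT faults: 0x%02x (loopback=%d watchdog=%d power=%d temp=%d)\n",
           faults,
           !!(faults & BIT_FAULT_LOOPBACK), !!(faults & BIT_FAULT_WATCHDOG),
           !!(faults & BIT_FAULT_POWER),    !!(faults & BIT_FAULT_TEMP));
    return 0;
}
```

The point of latching rather than only reporting the current tick is that a transient rail sag or a single corrupted loopback byte still reaches the supervisor after the condition has cleared, which is what the certification evidence for fault detection coverage needs to show.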
MCHALE REPORT: How would the process for certifying hardware to DO-254 DAL A compare to the certification of software to DAL A under DO-178B & C?
HART: There are many parallels between the hardware and software certification processes. For example, an organization is required to produce a PHAC/PSAC (Plan for Hardware/Software Aspects of Certification), which are of similar format and follow similar design processes. It is worth noting that DO-178 software processes are much more mature in a typical avionics company, the standard having been around since the “A” issue in 1985; conversely, DO-254 was first issued in 2000 and only really became adopted during the mid-2000s, and hence there is more industry focus on hardware certification – especially since hardware is “software,” given that programmable FPGAs start life as VHDL (Very High Development Language) code.
MCHALE REPORT: How does COTS hardware fare when meeting DO-160 environmental concerns?
HART: There are 23 different tests within DO-160 and then categories within these tests – such as vibration curves and loss of altitude – based on the type of aircraft and the zone within the aircraft where the equipment is installed. For benign, low-DAL applications where equipment is installed in a cabin or “Airborne Inhabited Cargo” area, COTS can be employed extensively. In-Flight Entertainment is such an example. For higher-criticality applications in more severe environments – such as unpressurized areas, high-ingress areas (such as landing gear wells), or high-vibration zones – COTS boards will need to use extended-temperature-range devices with conformally coated boards, using Parylene or Humiseal. As well as test articles meeting DO-160 qualification and EMC tests, production units will need to meet Environmental Stress Screening (ESS) requirements, such as a four-day burn-in and multi-axis vibration, before they leave the factory.
MCHALE REPORT: Would the process be any different for certifying avionics hardware for unmanned aircraft?
HART: That’s a very topical question. Both EASA and FAA are developing certification standards for UAVs [unmanned aerial vehicles] that weigh more than 55 pounds and operate above 500 feet outside of the line of sight of the operator. Right now, several operators have been granted waivers known as Section 333 exemptions, but these are an interim gap prior to future rulemaking. UAVs in the future will almost certainly be required to meet the same certification standards as their manned counterparts, although additional safeguards are anticipated, such as sense-and-avoid capability, geo-fencing to avoid inadvertent straying into protected airspace, and autonomous safe landing in the event of command and control link failure.
MCHALE REPORT: Can the same approach for certifying COTS hardware be applied to space applications where many in that community shy away from using COTS technology in radiation-heavy environments?
HART: For low earth orbit applications the use of rugged COTS electronics and the certification routes are wholly relevant. However, specialist electronics such as radiation hardened ASICs [application specific integrated circuits] and Verification & Validation (V&V) techniques are required once above mid-earth orbits to mitigate effects of intense radiation from solar activity and Van Allen belts.