Safety-certifiable COTS case
StoryFebruary 24, 2017
In commercial aviation, one of the most safety-conscious industries in existence, hardware and software developers must design and test their products according to rigorous safety standards. The most well-known are DO-254 for computer hardware, such as integrated circuits (ICs) and field-programmable gate arrays (FPGAs), and DO-178 for software, such as operating systems and application code.
In commercial aviation, one of the most safety-conscious industries in existence, hardware and software developers must design and test their products according to rigorous safety standards. The most well-known are DO-254 for computer hardware, such as integrated circuits (ICs) and field-programmable gate arrays (FPGAs), and DO-178 for software, such as operating systems and application code.
The rationale for these standards is to assure – as far as humanly possible – that the millions of lines of software code and the hardware devices they interact with will perform their myriad functions on an aircraft, as intended per the requirements, and not do anything else. In other words, the standards attempt to eliminate surprises in avionics functions that might impair the safety of flight.
Although the DO-178 and DO-254 regulatory processes were invented to assure civil-aviation safety, pressure is growing for military programs to certify under these safety standards – not just to comply with them in a looser manner. Military aircraft routinely fly in civil airspace and have to communicate with FAA air traffic controllers and incorporate civil air-traffic-management technologies. Even more of a case can be made for unmanned aerial vehicles (UAVs) in the increasingly congested airways.
There are also sound business reasons for both the military and its suppliers to certify systems. Some of these reasons: higher quality, 50 to 75 percent faster integration, and greater module reusability. (see Vance Hilderman, CEO of AFuzion, Inc., “The Yin-Yang of Military Avionics & DO-254.”) DO-254 imposes discipline on the design process in an effort to ensure that all the elements of a finished product are directly and verifiably traceable to the requirements.
Hardware developers have an additional certification incentive – in the form of a quicker return on investment – compared with software developers. Commercial off-the-shelf (COTS) hardware products are less customized and more commoditizable. Hardware that is designed, from the smallest component up, on a firm DO-254 foundation is easier to repackage and reuse, especially when accompanied by long histories of safe use in flight-critical avionics.
Unfortunately, however, it is not cheap to develop certifiable COTS hardware. COTS components such as chips and interconnects are mass-produced for the consumer market. Often little is known about the internals of a processor because those details are competition-sensitive. It would require a major investment for the military customer to come up with evidence – the so-called “artifacts” – that would pass muster for a DO-254 certification. If it takes several million dollars to certify a board, the cost for systems could rapidly become unaffordable.
Certifiable COTS
That’s where the idea of vendor-supplied, certifiable COTS hardware comes in. A board developer designs a product with certifiable components and collects the artifacts – if necessary reverse-engineering them – to create a certification package. The documentation package helps the customer prove the system safety case in a DO-254 certification and reduces program costs and deployment time. The board vendor then recovers the investment through sales of a portfolio of certifiable standard products.
The practice is becoming common at the board level, although the extent of the various investments and scope of the various certification packages are closely held secrets.
An example of this trend toward certification is Abaco Systems FORCE2 rugged, small form factor avionics box – for safety-critical display, mission, and flight computer slots – implemented with high-technology-readiness level software and hardware components and supported by DO-254 artifacts for systems requiring safety assurance, all the way up to design assurance level A. (Figure 1.)
Figure 1: Abaco’s FORCE2 small-form-factor avionics box is supported by DO-254 artifacts for systems requiring safety certification.
Time to get on board
Another advantage of adherence to DO-254 is the spotlight it shines on the supply chain, promoting component manufacturers with long safety records and those inclined to share product data and build in appropriate safeguards.
A further reason for component manufacturers to get on board is the advent of driverless vehicles and UAVs that will do everything from surveillance to package delivery. Semiconductor companies are beginning to address safety concerns in their architectures, a trend that is likely to increase options in the embedded market.
DO-254 is much newer than DO-178 and has not yet worked out all the kinks; for example, DO-254’s requirements for multicore microprocessors have not yet been nailed down. But engineers are hard at work on these issues and are likely to find solutions in the near term, as single-core processors fade rapidly from the scene.