AMC 20-152A Development Assurance for Airborne Electronic
Hardware (AEH)
ED
Decision 2020/010/R
1 PURPOSE
1.1 This AMC describes an acceptable means, but not the only means, for showing compliance with the applicable airworthiness regulations for the electronic hardware aspects of airborne systems and equipment in product certification or ETSO authorisation. Compliance with this AMC is not mandatory, and an applicant may elect to use an alternative means of compliance. However, the alternative means of compliance must meet the relevant requirements, ensure an equivalent level of safety, and be approved by EASA on a product or ETSO article basis.
1.2 This AMC recognises EUROCAE ED-80, Design Assurance Guidance for Airborne Electronic Hardware, dated April 2000, and RTCA DO-254, Design Assurance Guidance for Airborne Electronic Hardware, dated 19 April 2000.
1.3 This AMC describes when to apply EUROCAE ED-80/RTCA DO-254, and it supplements EUROCAE ED-80/RTCA DO-254 with additional guidance and clarification for the development of custom devices, including the use of commercial off-the-shelf (COTS) intellectual property (IP), for the use of COTS devices and for the development of circuit board assemblies (CBAs).
The additional guidance and clarifications are provided in the form of objectives. The applicant is expected to describe the process and activities to satisfy the objectives of this AMC.
Note: EUROCAE ED is hereafter referred to as ‘ED’; RTCA DO is hereafter referred to as ‘DO’. Where the notation ‘ED-80/DO-254’ appears in this document, the referenced documents are recognised as being equivalent.
1.4 This AMC does not address the Single Event Effects (SEE) aspects or the assessment of the hardware susceptibility to SEE. AMC SEE aspects are usually addressed through a certification review item (CRI), and further guidance may be found in EASA CM-AS-004 Issue 01, issued 8 January 2018.
However, the Plan for Hardware Aspects of Certification may
still be used to document the certification considerations for SEE.
2 APPLICABILITY
This AMC may be used by applicants, design approval holders, and developers of airborne systems and equipment containing airborne electronic hardware (AEH) to be installed on type-certified aircraft, engines, and propellers. This applicability includes the developers of ETSO articles.
This AMC is applicable to AEH that contributes to hardware development assurance level (DAL) A, DAL B, or DAL C functions.
When an objective is not applicable to a specific hardware DAL, the applicability restriction is directly indicated within the objective text with the following convention, for instance ‘For DAL A hardware, …’ For AEH contributing to hardware DAL C functions, only a limited set of objectives applies.
Even though there is a benefit in having a structured
development process that ensures a proper flow-down of requirements to the
hardware and the fulfilment by the hardware of the intended function, the use
of this AMC is not required for AEH contributing to hardware DAL D functions.
Appendix B provides some clarifications that may be used to ensure that the
DAL D hardware performs its intended function.
3 DOCUMENT
HISTORY
This document is the initial issue of AMC 20-152. This
initial issue, jointly developed with FAA, is intentionally set at Revision A.
4 BACKGROUND
This AMC is related to the development of custom devices in AEH, including the use of commercial off-the-shelf intellectual property (COTS IP) within custom devices, the use of COTS devices, and the development of circuit board assemblies (CBAs). Each of these topics is organised with:
background information dedicated to each major topic,
— applicability, and
— sections where objectives are described and uniquely identified.
A unique identifier for each objective is defined with a prefix and an index number (i) as follows:
— for the development of custom devices, the identifier is ‘CD-i’;
— for the use of COTS IP in custom devices, the identifier is ‘IP-i’;
— for the use of COTS devices, the identifier is ‘COTS-i’;
— for the development of CBAs, the identifier is ‘CBA-i’.
Objectives are also differentiated from the rest of the text by formatting in italics.
The applicant should document in the Plan for Hardware
Aspects of Certification (PHAC), or any other related planning document, the
process and activities that the applicant intends to perform to satisfy the
objectives of this AMC. The PHAC, as well as those related planning documents,
should be submitted for certification.
5 CUSTOM
DEVICE DEVELOPMENT
This section provides guidance for the development assurance of programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), or application-specific integrated circuits (ASICs), which are collectively referred to as ‘custom devices’. These custom devices are addressed in ED-80/DO-254, Section 1.2, Item 3 as ‘custom micro-coded components’.
Developing a custom device demands a well-defined development process. However, it is understood that the process to develop complex custom devices requires more comprehensive activities and artefacts than for a simple device.
Section 5.1 identifies custom devices that are within the scope of this AMC.
Section 5.2 provides guidance on simple/complex classification for custom devices.
Section 5.3 provides guidance on development assurance for complex custom devices.
Section 5.4 provides guidance on development assurance for simple custom devices. In particular, Section 5.4 defines which sections from 5.5 to 5.11 are applicable to the development assurance of simple electronic devices.
Sections 5.5 to 5.10 provide clarifications on ED-80/DO-254.
Section 5.11 provides background information and guidance
specific to COTS IP used in custom devices.
5.1 Applicability
to Custom Devices
Section 5 is applicable to a digital- or mixed-signal custom device that contributes to hardware DAL A, B or C functions.
Appendix A to ED-80/DO-254 modulates the ED-80/DO-254
life-cycle data based on the DAL allocated to the hardware function. This
document recognises Appendix A for the modulation of the life-cycle data
according to the hardware DAL for the development of custom devices.
5.2 Simple/Complex
Classification
ED-80/DO-254 introduces the notion of simple and complex hardware items. This section clarifies and provides criteria that could be used to classify a device as simple by considering the design content of the custom device, and subsequently, the ability to comprehensively verify the device.
A hardware custom device is classified as simple only if a technical assessment of the design content supports the ability of the device to be verified by a comprehensive combination of deterministic tests and analyses that ensure correct functional performance under all foreseeable operating conditions with no anomalous behaviour. The following criteria should be used for assessing whether a device should be classified as simple:
— simplicity of the functions and their number,
— number and the simplicity of the interfaces,
— simplicity of the data/signal processing or transfer functions, and
— independence of functions/blocks/stages.
Additional criteria specific to the digital part of the design include:
— whether the design is synchronous or asynchronous,
— number of independent clocks,
— number of state machines, number of states and state transitions per state machine, and
— independence between the state machines.
The applicant may propose other or additional criteria for the technical assessment of simplicity.
When an item cannot be classified as simple, it should be classified as complex. However, note that an item constructed entirely from simple items may itself be complex.
Objective
CD-1
For each custom device, the applicant
should document in the PHAC or any related planning document:
1. the
development assurance level,
2. the
simple or complex classification, and
3. if
a device is classified as simple, the justification based on the simple
classification criteria.
5.3 Development
Assurance for Complex Custom Devices
ED-80/DO-254 is recognised as the industry standard for the development assurance of complex custom devices.
The applicant should satisfy ED-80/DO-254 and the additional
objectives or clarifications described in this AMC from Sections 5.5 to 5.11.
5.4 Development
Assurance for Simple Custom Devices
For the development of simple custom devices, it is understood that the life-cycle data might be significantly reduced compared with the data required for a complex custom device.
ED-80/DO-254 acknowledges that the documentation for the design process of a simple hardware device is less extensive than the one needed for a complex device. In addition, while verification and configuration management are also needed, these supporting processes also require less documentation for a simple device.
However, it is important that a simple custom device performs its intended function, and is under configuration management, thus allowing the device to be reproduced, conformed, and analysed to ensure continued operational safety.
Objective
CD-2
The applicant should propose a process in
the PHAC, or any other appropriate planning document, to develop simple custom
devices which encompasses the following:
1. definition
of the device functions,
2. complete
verification of the device functions through tests and analyses,
3. configuration
management of the device, including problem reporting and the instructions to
reproduce the device,
4. assessment
of the build conformance of the device.
Sections 5.5.2.4 and 5.5.2.5 of this document also apply to the verification process for simple custom devices.
The life-cycle data for simple devices can be combined with other hardware data.
If tools are used for the simple custom device development process, the objectives or clarifications of those objectives described in Section 5.8 of this document are also applicable.
When the applicant intends to reuse a previously developed simple device, ED-80/DO-254 Section 11.1 and the clarifications provided in Section 5.9 of this document should be used.
If the applicant intends to use COTS IP, the objectives or
clarifications of those objectives described in Section 5.11 of this document
are also applicable.
5.5 Clarifications
to ED-80/DO-254 Validation and Verification Processes
5.5.1 Validation
Process
Establishing a correct and complete set of requirements is the cornerstone of the development assurance process. ED-80/DO-254 Section 6.1 addresses the validation process to ensure the completeness and correctness of derived requirements. Nevertheless, the validation process is essential for all the requirements. Indeed, the upper-level requirements allocated to the custom device are often refined, decomposed or restated at the custom device level, and in terms that support the hardware design. These custom device requirements, which are traceable from/to the upper-level requirements and, therefore, not considered to be ‘derived’, should also be correct and complete.
Objective
CD-3
The applicant should validate all the
custom device requirements by following the ED-80/DO254 validation process
(ED-80/DO-254 Section 6). This validation activity covers both derived and non-derived
requirements.
For DAL A and B development, validation
activities should be performed with independence.
Note: ED-80/DO-254 Appendix A defines
acceptable means for establishing independence.
5.5.2 Verification
Process
ED-80/DO-254 broadly describes the verification process, but additional guidance is needed to ensure the verification of the custom device is complete, particularly in the area of:
— design
reviews,
— reviews
of test cases and procedures, and
— verification
of the implementation.
5.5.2.1 Conceptual Design Review
Conceptual design is the process of generating a high-level design description from the hardware requirements (see ED-80/DO-254 Section 5.2). The conceptual design review is typically used to ensure that the outcome of the conceptual design activities (see ED-80/DO254 Section 5.2.2) is consistent with the requirements, and identifies constraints for the interfacing components (hardware or software) and architectural constraints for the detailed design activities of the custom device.
Since this conceptual design review is already addressed in
ED-80/DO-254 Section 5.2.2 through the note, no separate objective is needed.
5.5.2.2 Detailed Design Review
Detailed design is the process of generating, from the conceptual design and the requirements, a hardware description language (HDL) or analogue representation of the design, constraints for the implementation (e.g. timing constraints, pinout, I/O characteristics), and the hardware– software interface description.
ED-80/DO-254 introduces design reviews in Section 6.3.3.2. A design review is considered to be an essential step during the detailed design process (ED-80/DO-254 Section 5.3) supporting the implementation process, and complementing requirements-based verification.
Objective
CD-4
For hardware DAL A or DAL B, the applicant
should review the detailed design with respect to the design standards, and
review the traceability between the detailed design and the custom device
requirements, in order to demonstrate that the detailed design covers the
custom device requirements, is consistent with the conceptual design, and is
compliant with the hardware design standards.
For hardware DAL C, the applicant should
demonstrate that the detailed design satisfies the hardware design standards.
5.5.2.3 Implementation Review
Within a custom device development process, tools are used to convert the detailed design data into the physical implementation. While ED-80/DO-254 does not explicitly address it, a review of the design tool reports (e.g. synthesis and place and route reports) is necessary to ensure that the execution of the tool to generate its output was performed correctly.
Objective
CD-5
When tools are used to convert the
detailed design data into the physical implementation, the applicant should
review the design tool reports (e.g. synthesis and place and route reports) to
ensure that the tool executed properly when generating the output.
5.5.2.4 Review of Verification Cases and
Procedures
ED-80/DO-254 introduces verification coverage analysis in Section 6.2.2 Item 4 to satisfy the ED-80/DO-254 verification process objectives and determine whether the verification process is correct and complete. A part of the coverage analysis is clarified by the following objective.
Objective
CD-6
Each verification case and procedure
should be reviewed to confirm that it is appropriate for the requirements to
which it traces and that the requirements are correctly and completely covered
by the verification cases and procedures.
5.5.2.5 Verification of the Timing Performance
of the Implementation
ED-80/DO-254 Section 6.2 addresses the verification of the implementation. The implementation results from the process to generate the physical custom device from the detailed design data. The post-layout netlist is the closest virtual representation of the physical custom device, resulting from synthesis (for the digital part of the device) and place and route.
While it is recommended to test the implementation in its intended operational environment (i.e. by a physical test), verification using the post-layout netlist may be necessary to complement the verification of the implementation for certain requirements (e.g. features not accessible from the I/O pins of the device, timing, abnormal conditions, or robustness cases). In such cases, the coverage of the requirements by means other than a physical test should be justified.
The requirement to capture the activities in ED-80/DO-254 Section 5.1.2 Item 4.g introduces the need for the requirements to address signal timing characteristics under normal- and worst-case conditions. Nevertheless, ED-80/DO-254 does not explicitly address the necessity to verify the performance of the device under all possible (best-case and worst-case) timing conditions that could possibly occur during the operation of the device.
The following objective clarifies the need to take into account the variation of the environmental conditions (temperature, voltage, etc.) during the evaluation of the timing performance of the design, as well as the semiconductor device process variations.
Objective
CD-7
The applicant should verify the timing
performance of the design accounting for the temperature and power supply
variations applied to the device and the semiconductor device fabrication
process variations as characterised by the manufacturer of the semiconductor
device.
Note: Static timing analysis (STA) with
the necessary timing constraints and conditions is one of the possible means
of compliance with this objective for the digital parts of custom devices.
5.6 Clarifications
to ED-80/DO-254 ‘Robustness Aspects’
ED-80/DO-254 mentions robustness defects but does not explicitly address robustness. The robustness of the design is defined as the expected behaviour of the design under abnormal and boundary/worstcase operating conditions of the inputs and internal design states. These conditions are often captured as derived requirements when they are not allocated from the upper-level process. When subjected to these conditions, it is understood that the design may not continue to perform as it would under normal conditions.
Objective
CD-8
For DAL A or DAL B hardware, the abnormal
and boundary conditions and the associated expected behaviour of the design
should be defined as requirements.
5.7 Recognition
of HDL Code Coverage Method
HDL code coverage analysis is an assessment of whether the HDL code of the design has been exercised through HDL simulations.
The HDL code coverage method provides an assessment of the coverage of the design logic structure, giving an indication of which aspects of the logic structure are exercised and which are not.
When performed during requirements-based verification (per ED-80/DO-254 Section 6.2), HDL code coverage is recognised as a method to perform ED-80/DO-254 elemental analysis per Appendix B Section 3.3.1 for digital devices. HDL code coverage supports the assessment of whether the HDL code elements are fully covered by requirements-based simulations. As such, it does not represent an assessment of the completeness of the requirements-based testing activities or the effectiveness of the requirement coverage.
Objective
CD-9
For hardware DAL A or DAL B, where HDL
code coverage is used to perform elemental analysis (ED-80/DO-254 Appendix B
Section 3.3.1), the applicant should define in the planning documents the
detailed coverage criteria of the HDL code elements used in the design. The
criteria should ensure coverage over the various cases of the HDL code
elements used in the design (e.g. branches, conditions, etc.). Any non-covered
case or element should be analysed and justified.
Note: Code coverage might need to be
complemented by additional analysis for any hardware items that are identified
as not covered by the code coverage analysis, in order to complete the
elemental analysis of all elements. This situation may occur in the use of
some COTS IP instantiations.
5.8 Clarifications
to ED-80/DO-254 ‘Tool Assessment and Qualification’
ED-80/DO-254 introduces the notion of tool assessment and qualification. ED-80/DO-254 Figure 11-1 includes a flow chart indicating the tool assessment considerations and activities, and provides guidance for when tool qualification may be necessary. This AMC uses the flow chart and its related text as a basis for providing further clarification, as follows:
ED-80/DO-254 — Figure 11-1 Item 1 — Identify
the Tool
Information capturing the environment required for tool operation and the tool revision should be included with the tool identification.
ED-80/DO-254 — Figure 11-1 Item 2 — Identify
the Process the Tool Supports
When identifying the design or verification process that the tool supports, it is important to also identify what purpose or activity within the hardware development process the tool satisfies. While assessing the tool limitations, evidence of formal assessment of the tool problem reports is not required if the tool output has been completely and independently assessed.
ED-80/DO-254 — Figure 11-1 Item 3 — Is the
Tool Output Independently Assessed?
The purpose of assessing the tool output is to completely cover, with an independent means, the potential errors that the tool could introduce into the design or fail to detect during verification.
Objective
CD-10
When the applicant intends to
independently assess a tool output, the applicant should propose an
independent assessment that verifies the tool output is correct. The
independent assessment should justify that there is sufficient coverage of the
tool output. The completeness of the tool assessment should be based on the
design/implementation and/or verification objectives that the tool is used to
satisfy.
ED-80/DO-254 — Figure 11-1 Item 4 — Is the
Tool a Level A, B or C Design Tool or a Level A or B Verification Tool?
ED-80/DO-254 Figure 11-1 Item 4 of the tool assessment/qualification flow excludes the need for activities for tools ‘used to assess the completion of verification testing, such as in an elemental analysis’.
The last statement is misleading regarding the intent of code coverage tools used for elemental analysis. As stated in Section 5.7 of this document, ‘when a code coverage tool is used for elemental analysis, it does not represent an assessment of the completeness of the requirements-based testing activities or the effectiveness of the requirement coverage’.
It is therefore necessary to provide some further clarifications.
— This document recognises the Figure 11-1 Item 4 exclusion of tool assessment/qualification activities for code coverage tools only when they are used to assess whether the code has been exercised by requirements-based testing/simulations (elemental analysis).
— If test cases or procedures are automatically generated by a tool and this tool uses coverage to determine the completion of the requirements verification, then the tool should be considered to be a verification tool to answer the question raised in Figure 11-1 Item 4.
ED-80/DO-254 — Figure 11-1 Item 5 — Does the
Tool have Relevant History?
In ED-80/DO-254, the supporting text for Figure 11-1 Item 5 can be misinterpreted to suggest that when the tool has been previously used, no further tool assessment is necessary. Item 5 should be understood to mean that the applicant will provide sufficient data and justification to substantiate the relevance and credibility of the tool history.
Objective
CD-11
When the applicant intends to claim credit
for the relevant history of a tool, sufficient data should be provided as a
part of the tool assessment to demonstrate that there is a relevant and credible
tool history to justify that the tool will produce correct results for its
proposed use.
ED-80/DO-254 — Figure 11-1 Item 9 — Design
Tool Qualification
For design tools, contrary to the note in the supporting text for Figure 11-1 Item 9, the tool history should not be used as a stand-alone means of tool assessment and qualification. A relevant tool history may be used to compensate for some particular gaps in the tool assessment and qualification process, for example, to explain the method of independent assessment of the tool output. In this case, a relevant tool history is considered to be complementary data, providing more assurance for a tool.
In addition to what is already referenced in ED-80/DO-254 Figure 11-1 Item 9 for tool qualification guidance, ED-12C/DO-178C and ED-215/DO-330 may also be used.
5.9 Clarifications
to ED-80/DO-254 regarding Previously Developed Hardware (PDH)
Previously developed hardware (PDH) is defined as custom-developed hardware that has been installed in an airborne system or equipment either approved through EASA type certification (TC/STC) or authorized through ETSOA. The section providing clarification on the use of PDH also covers PDH that was developed and approved prior to the use of ED-80/DO-254 in civil certification.
This section provides guidance on the use of ED-80/DO-254 Section 11.1 for PDH.
Objective
CD-12
When an applicant proposes to reuse PDH,
the applicant should use ED-80/DO-254 Section 11.1 and its subordinate
paragraphs. The applicant should perform the assessments and analyses required
in ED-80/DO-254 Section 11.1 in order to ensure that using the PDH is valid
and that the compliance shown during the previous approval was not compromised
by any of the following:
1. Modification
of the PDH for the new application or for obsolescence management;
2. Change
to the function, change to its use, or change to a higher failure condition
classification of the PDH in the new application; or
3. Change
to the design environment of the PDH.
The results should be documented in the
PHAC or any other appropriate planning document.
In the context of custom device
development, any one of these three points potentially invalidates the
original development assurance credit for the PDH. In case of change or
modification, the applicant should assess these changes using ED-80/DO-254
Section 11.1 and its subordinate paragraphs. When the original design
assurance of the PDH is invalidated by one of the above points, the custom
device should be upgraded based on the assessment per ED-80/DO-254 Section
11.1. When upgrading the hardware, the applicant should consider the
objectives of this document that are applicable per the assessment.
5.10 Clarifications
to ED-80/DO-254 Appendix A
This section clarifies the life-cycle data referenced in ED-80/DO-254 Appendix A as follows.
— The row corresponding to 10.1.6 ‘Hardware Process Assurance Plan’ in Table A-1 should also indicate HC2 for Level C to be consistent with row 10.8.
— The row corresponding to 10.2.2 ‘Hardware Design Standard’ in Table A-1 should also indicate HC2 for Level C. HDL Coding Standards are part of the Hardware Design Standards.
— The row corresponding to 10.3.2.2 ‘Detailed Design Data’ in Table A-1 should indicate HC1 for Levels A, B and C.
— The row corresponding to 10.4.2 ‘Hardware Review and Analysis Procedures’ in Table A-1 should also indicate HC2 for Level C to be consistent with row 10.4.3.
— The
Top-Level Drawing referenced in ED-80/DO-254 Appendix A corresponds to a
Hardware Configuration Index (HCI) document. The HCI document completely
identifies the hardware configuration, the embedded logic, and the development
life-cycle data. To support consistent and accurate replication of the custom
device (ED-80/DO-254 Section 7.1), the Top-Level Drawing includes the hardware
life cycle environment or refers to a Hardware Environment Configuration Index
(HECI) document.
5.11 Use
of COTS IP in Custom Device Development
This section addresses COTS IP that is instantiated within FPGAs/PLDs/ASICs during the development of the custom device.
This section addresses COTS IP and its integration within custom devices and describes objectives to support the demonstration of compliance with the applicable airworthiness regulations for the hardware aspects of airborne systems and equipment certification.
Section 5.11.2, on ‘Applicability to COTS IP’, identifies
COTS IP that are within the scope of Section 5.11.
5.11.1 Background
IP refers to design functions (design modules or functional blocks, including IP libraries) used to design and implement a part of or a complete custom device such as a PLD, FPGA, or ASIC. IP is considered to be commercial off-the-shelf intellectual property, i.e. ‘COTS IP’, when it is a commercially available function, used by a number of different users, in a variety of applications and installations. Custom IP, developed for a few specific aircraft equipment, is not considered to be COTS IP.
COTS IP are available in various source formats. COTS IP are categorised as Soft IP, Firm IP, or Hard IP based on the stage in the custom device design flow where the IP is instantiated. A function can be a combination of source formats and each part needs to be addressed. Definitions for Soft IP, Firm IP, and Hard IP can be found in Appendix A ‘Glossary’.
Figure 1 shows a ‘simplified’ design flow of a PLD, FPGA, or ASIC, and where Soft IP, Firm IP, and Hard IP are located in the design flow.
Figure 1 — Position of COTS
IP within a ‘simplified’ design representation flow
The availability of a COTS IP does not guarantee that it is suitable to be used in a custom device for aircraft systems. Some COTS IP may have been developed using ED-80/DO-254, and will therefore have the necessary life-cycle data to demonstrate satisfaction of ED-80/DO-254. However, most COTS IP are not developed to meet aviation development assurance standards and, therefore, there are risks associated with their use in a custom device for aircraft systems or equipment.
The risks
of using COTS IP may include:
— Incomplete
or missing documentation/data regarding:
— the behavioural operation of the COTS IP,
— how to integrate it into the design;
— Insufficient
verification performed by the COTS IP provider;
— Deficient
quality of the COTS IP.
The
potential for design errors may be increased by the lack of development
assurance and/orby insufficient service experience.
Possible
design errors within COTS IP or in the use of COTS IP may lead to a failure
mode. Riskfactors for these types of errors include:
— Unknown
level of rigour of the COTS IP design and verification process;
— Misalignment
between the intended usage of the COTS IP by the IP provider and the usage in
the custom device by the IP user;
— Incomplete
or missing details regarding the detailed operation of the COTS IP;
— Incorrect
integration of the COTS IP with the rest of the custom device design;
— Integrator
lacking expertise with the function of the IP.
Additionally, the COTS IP user completes the development of the integrated COTS IP up to the physical implementation of the device. The COTS IP user may introduce a design error while completing the physical implementation of the COTS IP because of the user’s incomplete knowledge of the internal design of the COTS IP.
5.11.2 Applicability
to COTS IP
Section 5.11 is applicable to COTS IP used in a custom device that meets the definition of ‘commercial off-the-shelf intellectual property’ in the Glossary of Appendix A. This scope encompasses digital, analogue, and mixed-signal COTS IP.
Note: Analogue COTS IP is within the above-mentioned scope, as it could be instantiated within a custom, mixed-signal device.
Section 5.11 is applicable to COTS IP contributing to hardware DAL A, B or C functions.
Section 5.11 is applicable to Soft IP, Firm IP, and Hard IP
that are inserted within a custom device by the applicant. However, Section
5.11 does not apply to Hard IP that is embedded in the silicon of an FPGA or a
PLD by the FPGA/PLD device manufacturer. This type of IP is considered to be
part of the COTS device, and is covered in Section 6 ‘Use of Commercial
Off-the-Shelf Devices.
5.11.3 Development Assurance for COTS IP
A COTS IP development assurance approach should be based on the category of the COTS IP (Soft, Firm, Hard) and on the identified risks of failure due to a design error in the COTS IP itself or an error in the way it is used in the custom device.
This section provides objectives addressing development assurance when using COTS IP. These objectives are intended to cover the particular aspects of development when using COTS IP, and are expressed in connection with the custom device development process that follows ED-80/DO-254 and the custom device objectives of this document.
The development aspects related to COTS IP start from the custom device process that captures the allocated requirements for the function that will be performed by the COTS IP. From this entry point, the following aspects provide a basis to define the development assurance objectives for the use of COTS IP:
— Selection of the COTS IP,
— Assessment of the IP provider and the IP data,
— Planning activities, including the verification strategy,
— Definition of the requirements/derived requirements,
— Design
integration, implementation, and verification of the COTS IP in the custom
device.
5.11.3.1 Selection of the COTS IP to implement the
function
COTS IP can be available in different forms/source formats and various levels of quality. Some COTS IP may not be acceptable for use in airborne systems. The selection criteria below are intended to address the essential characteristics that are considered a minimum for the use of IP in custom AEH devices.
Objective
IP-1
The applicant should select a COTS IP that
is considered to be an acceptable solution, based on at least the following
criteria:
1. The
IP is technically suitable for implementing the intended function;
2. The
description of the COTS IP architecture or IP design concept provides an
understanding of the functionality, modes, and configuration of the IP. The
description should also include an understanding of the source format or
combination of source formats of the COTS IP;
3. The
availability and quality of data and documentation allow the understanding of
all aspects of the COTS IP functions, modes, and behaviour, and enable the
integration and verification of the COTS IP (e.g. datasheets, application
notes, user guide, knowledge of errata, etc.);
4. Information
exists for the IP user to be able to create the physical implementation of the
COTS IP (e.g. synthesis constraints, usage and performance limits, physical
implementation, and routing instructions);
5. It
can be demonstrated that the COTS IP fulfils its intended function.
5.11.3.2 Assessment of the COTS IP Provider and
COTS IP Data
Objective
IP-2
The applicant should assess the COTS IP
provider and the associated data of the COTS IP based on at least the
following criteria:
1. The
IP provider provides all the information necessary for the integration of the
COTS IP within the custom device and to support the implementation of the COTS
IP within the device (e.g. synthesis constraints, usage domain, performance
limits, physical implementation, and routing instructions);
2. The
configurations, selectable options, and scalable modules of the COTS IP design
are documented so that the implementation of the COTS IP can be properly
managed;
3. The
COTS IP has been verified by following a trustworthy and reliable process, and
the verification covers the applicant’s specific use case for the COTS IP
(including the used scale for scalable IP and the IP functions selected for
selectable functions);
4. The
known errors and limitations are available to the IP user, and there is a
process to provide updated information to the IP user;
5. The
COTS IP has service experience data that shows reliable operation for the
applicant’s specific use case for the COTS IP.
The assessment should be documented. The
results of the assessment should be submitted together with the planning
documents.
5.11.3.3 Planning of the Hardware Development
Assurance Approach related to COTS IP
5.11.3.3.1 Complementary Development Assurance
Objective
IP-3
When the IP-2 Objective criteria items 1,
2, 4 or 5 cannot be completely met using the IP provider’s data, the applicant
should define an appropriate development assurance activity to mitigate the
criteria that were not met and address the associated risk of development
errors. The development assurance activity should be based on the ED-80/DO-254
objectives.
Note: The results of the assessment of
Objective IP-2 Item 3 are considered in Section 5.11.3.3.2.
5.11.3.3.2 The Verification Strategy for COTS IP
Functions
In addition to the verification of the custom device functions supported by the COTS IP, there is a need to ensure that the aspects related to the COTS IP and its usage are addressed. This section focuses on defining a verification strategy to cover those aspects.
The verification performed by the COTS IP provider typically does not follow the ED-80/DO-254 verification process but may provide some credit to be used for the verification strategy. However, the verification process for COTS IP generally differs from one IP vendor to another, and the level of assurance varies depending on the IP provider’s development practices.
The verification strategy may combine different means to complement the traditional requirements-based testing approach.
Based on the applicant’s assessment of the IP provider and the IP data through Objective IP-2, the applicant is expected to establish a verification strategy. The aim of this verification strategy is to cover all three of the following aspects:
— The COTS IP: the purpose is to ensure that the COTS IP is verified, addressing the risk identified from the IP-2 Item 3 objective;
— Its implementation: the purpose is to ensure that the COTS IP still performs its allocated function, and that no design errors have been introduced by the design steps performed by the applicant (e.g. synthesis/place and route);
— Its integration within the custom device: the purpose is to ensure that the COTS IP has been properly connected, configured, and constrained within the custom device.
The strategy may accomplish more than one aspect within a common verification step.
This section identifies a general objective for the verification of COTS IP used in a custom device, enabling various verification approaches.
Objective
IP-4
The applicant should describe in the
hardware verification plan, PHAC, or any related planning document, a
verification strategy that should encompass all three of the following
aspects:
1. The
verification of the COTS IP itself, addressing the risk identified from the
IP-2 Item 3 objective;
2. The
verification of the COTS IP after the design steps performed by the applicant
(e.g. synthesis/place and route);
3. The
verification of the integrated COTS IP functions within the custom device.
Note 1: Reliable and
trustworthy test data, test cases or procedures from the COTS IP provider may
be used as part of the verification strategy to satisfy this objective.
Note 2: If the COTS IP
implements functions based on an industry standard, proven standardised test
vectors verifying compliance with the standard may be used in the verification
strategy of the COTS IP.
Note 3: The verification
strategy covers at a minimum the used functions of the COTS IP and ensures
that the unused functions are correctly disabled or deactivated and do not
interfere with the used functions.
5.11.3.3.3 COTS IP and Planning Aspects
The applicant has to define the activities that are needed for the hardware development assurance approach related to COTS IP.
Objective
IP-5
The applicant should describe in the PHAC,
or any related planning document, a hardware development assurance approach
for using the COTS IP that at least includes:
1. identification
of the selected COTS IP (version) and its source format(s) associated with the
point(s) in the design flow where the COTS IP is integrated into the custom
device;
2. a
summary of the COTS IP functions;
3. the
development assurance process that the applicant defines to satisfy the
objectives of Section 5.11.3;
4. the
process related to the design integration and to the usage of the COTS IP in
the development process of the custom device;
5. tool
assessment and qualification aspects when the applicant uses a tool to perform
design and/or verification steps for the COTS IP.
5.11.3.4 Requirements for COTS IP Function and
Validation
Custom device requirements typically contain requirements that relate to the function supported by the COTS IP. The granularity of these requirements may be very different depending on the COTS IP function and the visibility of the functions supported by the IP at the custom device level.
Depending on the extent of requirements-based testing as a part of the chosen verification strategy of the COTS IP, the level of detail and the granularity of the AEH custom device requirements may need to be refined to specifically address the COTS IP functions and the implementation of the COTS IP.
In addition, requirements should be captured to encompass all the necessary design detail used to connect, configure, and constrain the COTS IP and properly integrate it into the AEH custom device.
Objective
IP-6
The requirements related to the allocated
COTS IP functions should be captured to an extent commensurate with the
verification strategy.
In addition, derived requirements should
be captured to cover the following aspects associated with the integration of
the COTS IP into the custom device design:
1. COTS
IP used functions (including parameters, configuration, selectable aspects);
2. Deactivation
or disabling of unused functions;
3. Correct
control and use of the COTS IP, in accordance with the data from the COTS IP
provider.
When the applicant chooses a verification strategy (see Section 5.11.3.3.2) that solely relies on requirements-based testing, the ‘extent commensurate with the verification strategy’ corresponds to a complete requirement capture of the COTS IP following ED-80/DO-254.
Regarding the validation aspects, the COTS IP requirements
should be validated as a part of the validation process of the AEH custom
device.
5.11.3.5 Verification
The applicant should ensure that the COTS IP is verified as a part of the overall custom device verification process per ED-80/DO-254 and based on the verification strategy for the COTS IP that has been described in the PHAC or a related planning document.
For the requirements-based verification part, the applicant
should satisfy ED-80/DO-254 Section 6.2 for the verification of the
requirements related to the COTS IP (see Section 5.11.3.4 above). This can be
performed as a part of the overall custom device process, therefore there is
no separate objective.
5.11.3.6 DO-254 Appendix B considerations
When developing a hardware DAL A or B custom device, ED-80/DO-254 Appendix B is applicable.
Code coverage analysis that is recognised as part of elemental analysis (refer to Section 5.7 of this document) might not be possible for the COTS IP part of the design. However, ED-80/DO-254 Appendix B offers other acceptable methods, including safety-specific analysis. The following objective further clarifies the expectations when using safety-specific analysis.
Objective
IP-7
For COTS IP used in DAL A or DAL B
hardware, the applicant should satisfy ED-80/DO-254 Appendix B.
The applicant may choose safety-specific
analysis methods to satisfy Appendix B on the COTS IP function and its
integration within the custom device functions. This safety-specific analysis
should identify the safety-sensitive portions of the COTS IP and the potential
for design errors in the COTS IP that could affect the hardware DAL A and DAL
B functions in the custom device or system.
For unmitigated aspects of the
safety-sensitive portions of the IP, the safety-specific analysis should
determine which additional requirements, design features, and verification
activities are required for the safe operation of the COTS IP in the custom
device.
Any additional requirements, design
features and/or verification activities that result from the analysis should
be fed back to the appropriate process.
6. USE
OF COMMERCIAL OFF-THE-SHELF DEVICES
Applicants are increasingly using COTS electronic devices in aircraft/engines/propellers/ airborne systems, which may have safety implications for the aircraft, engines/propellers, or systems.
Section 6 addresses the use of COTS devices through objectives that support the demonstration of compliance with the applicable airworthiness regulations for hardware aspects of airborne systems and equipment certification when using complex COTS devices. Section 6.2 ‘Applicability to COTS devices’ enables applicants to identify the COTS devices that are within the scope of Section 6.
Note: The term ‘COTS device’ used in this document applies to
a semiconductor product that is fully encapsulated in a package. This term
does not apply to circuit board assemblies (CBAs).
6.1 Background
COTS devices continue to increase in complexity and are highly configurable. COTS devices provide ‘off-the-shelf’ already developed functions, some of which are highly complex. Their development and production processes undergo a semiconductor industry qualification based on their intended market (consumer, automotive, telecom, etc.). Their usage by the aerospace industry provides additional integration and higher performance capabilities than were possible in the past.
The design data for these COTS devices is usually not available to the COTS user. Since these devices are generally not developed for airborne system purposes, assurance has not been demonstrated that the rigour of a COTS manufacturer’s development process is commensurate with the aviation safety risks.
ED-80/DO-254 introduces a basis for the development assurance for the use of COTS devices in Section 11.2 ‘COTS components usage’. This section states that ‘the use of COTS components will be verified through the overall design process, including the supporting processes’.
Since ED-80/DO-254 was released in the year 2000, the number of functions embedded and integrated in a single COTS device has significantly increased. Functions which were previously split into various components, making the interface between those components accessible for verification, are now embedded within a single chip. While there are clearly some benefits of integrating more functions within a device, the increased level of integration makes it difficult for the user to verify the different hardware functions in the device due to lack of access to the interfaces between functions. Since these devices are more complex and highly configurable than the older separate devices, the risk is greater that the COTS device will not achieve the intended function in particular use cases over the required operating conditions.
Furthermore, some additional assurance is needed because
design errors may still be discovered after the COTS device is released to the
market, or when an applicant extends the use of the device beyond the
manufacturer’s specifications.
6.2 Applicability
to COTS Devices
Section 6 is applicable to digital, hybrid, and mixed-signal COTS devices that contribute to hardware DAL A, B or C functions. For COTS devices contributing to hardware DAL C functions, a limited set of the objectives of this section will apply.
Section 6 is also applicable to FPGA and PLD devices that embed Hard IP (see definition) in their produced/manufactured silicon, but only for the COTS part of the FPGAs/PLDs.
Section 6.4 only applies to COTS devices that are complex, as
determined by the following COTS complexity assessment.
6.3 COTS
Complexity Assessment
In order to define which COTS devices are complex, the following high-level criteria should be used, considering all functions of the device, including any functions intended to be unused:
A COTS device is complex when the device:
1. has multiple functional elements that can interact with each other; and
2. offers a significant number of functional modes; and
3. offers configurability of the functions, allowing different data/signal flows and different resource sharing within the device.
Or when the device:
4. contains advanced data processing, advanced switching, or multiple processing elements (e.g. multicore processors, graphics processing, networking, complex bus switching, interconnect fabrics with multiple masters, etc.).
For complex COTS devices, it is impractical to completely verify all possible configurations of the device, and it is difficult to identify all potential failures.
Objective
COTS-1
The applicant should assess the complexity
of the COTS devices used in the design according to the high-level criteria of
Section 6.3, and document the list of relevant devices (see Note 1), including
the classification rationale, in the PHAC or any related hardware planning
document.
Note 1: The applicant is not
expected to assess the complete bill of material to satisfy the above
objective, but only those devices that are relevant for the classification,
including devices that are at the boundary between simple and complex. The
resulting classification (simple or complex) for those devices that are at the
boundary and those that are definitely complex should be documented.
Note 2: A classification
rationale is required for those devices that are at the boundary (meeting a
part of the high-level criteria) and are classified as simple.
Some examples of classification are provided in the GM
Appendix for illustration.
6.4 Development
Assurance for Use of Complex COTS
ED-80/DO-254 Section 11.2.1 identifies some electronic
component management process (ECMP) items when using a COTS device.
ED-80/DO-254 Section 11.2.2 and Section 6.1 of this document identify some
concerns with using a COTS device. The following objectives acknowledge and
supplement ED-80/DO-254 Section 11.2 in clarifying how to gain certification
credit when using complex COTS devices.
6.4.1 Electronic
Component Management Process (ECMP)
As stated in ED-80/DO-254 Section 11.2, ‘the use of an electronic component management process, in conjunction with the design process, provides the basis for COTS components usage.’
Objective
COTS-2
The applicant should ensure that an
electronic component management process (ECMP) exists to address the
selection, qualification, and configuration management of COTS devices. The ECMP
should also address the access to component data such as the user manual, the
datasheet, errata, installation manual, and access to information on changes
made by the component manufacturer.
As part of the ECMP, for devices
contributing to hardware DAL A or B functions, the process for selecting a
complex COTS device should consider the maturity of the COTS device and, where
risks are identified, they should be appropriately mitigated.
Note: Recognised industry standards
describing the principles of electronic component management may be used to
support the development of the ECMP. See Appendix B.
6.4.1.1 Using a Device outside Ranges of Values
Specified in its Datasheet
The device reliability is established by the device manufacturer through the device qualification process (see definition of ‘qualification of a device’ in the glossary). ED-80/DO254 Section 11.2.1 Item 6 mentions that a device is selected based on the technical suitability of the device for the intended application.
In some cases, the applicant may need to use the device outside the specified operating conditions guaranteed by the device manufacturer. ED-80/DO-254 Section 11.2.1 Item 4 and Item 6 should be addressed when the device is used outside its guaranteed specification. The following objective describes what to achieve when using a device outside the ranges of values specified in its datasheet.
Objective
COTS-3
When the complex COTS device is used
outside the limits of the device manufacturer’s specification (such as the
recommended operating limits), the applicant should establish the reliability
and the technical suitability of the device in the intended application.
6.4.1.2 Considerations when the COTS Device has
Embedded Microcode
COTS devices may need microcode to execute some hardware functions. When those functions are used by the applicant, there is a risk if the microcode has not been verified by the device manufacturer during the COTS device qualification, or if the microcode is proposed to be modified by the applicant.
If the microcode is delivered by the device manufacturer, is controlled by the device manufacturer’s configuration management system, and is qualified together with the device by the device manufacturer, it is accepted that the microcode is part of the qualified COTS device. If the microcode is not qualified by the device manufacturer or if it is modified by the applicant, the microcode cannot be considered to be part of the qualified COTS device.
Objective
COTS-4
If the microcode is not qualified by the
device manufacturer or if it is modified by the applicant, the applicant
should ensure that a means of compliance for this microcode integrated within
the COTS device is proposed by the appropriate process, and is commensurate
with the usage of the COTS device.
Note: The PHAC (or any other related
planning document) should document the existence of the microcode and refer to
the process (hardware, software, system) where it is addressed.
6.4.2 COTS
Device Malfunctions
Some COTS
devices may contain errors that may or may not have been detected by the
devicemanufacturer.
Objective
COTS-5
The applicant should assess the errata of
the COTS device that are relevant to the use of the device in the intended
application, and identify and verify the means of mitigation for those errata.
If the mitigation means is not implemented in hardware, the mitigation means
should be fed back to and verified by the appropriate process.
Note: The above objective refers to any
mitigation means (such as hardware, software, system, or other means).
Objective
COTS-6
The applicant should identify the failure
modes of the used functions of the device and the possible associated common
modes, and feed both of these back to the system safety assessment process.
6.4.3 Usage
of COTS Devices
This section focuses on the usage of complex COTS devices, while Section 7 covers the overall circuit board assembly development process. This Section 6.4.3 refers to the term ’intended function of the hardware’, which is considered to be defined through the CBA development process.
Complex COTS devices can have multiple functions and many configurations of those functions. The configuration of a device should be managed in order to provide the ability to consistently apply the required configuration settings, to replicate the configuration on another item, and to modify the configuration in a controlled manner, when modification is necessary.
The configuration of the device addresses at least the following topics:
— Used functions (e.g. identification of each function, configuration characteristics, modes of operation),
— Unused functions and the means (internal/external) used to deactivate them,
— Means to control any inadvertent activation of the unused functions, or inadvertent deactivation of the used functions,
— Means to manage device resets,
— Power-on configuration,
— Clocking configuration (e.g. identification of the different clock domains), and
— Operating conditions (e.g. clock frequency, power supply level, temperature, etc.).
Objective
COTS-7
The applicant should ensure that the usage
of the COTS device has been defined and verified according to the intended
function of the hardware. This also includes the hardware–software interface
and the hardware to (other) hardware interface.
When a COTS device is used in a hardware
DAL A or B function, the applicant should show that unused functions of the
COTS device do not compromise the integrity and availability of the COTS
device’s used functions.
Note 1: For unused functions
of the COTS device, it is recommended that an effective deactivation means is
used and verified, when available.
Note 2: Verification should
be performed at an appropriate level (hardware, software, equipment).
ED-80/DO-254 Section 10.3.2.2.4 introduces hardware/software (HW/SW) interface data, which can be used as a reference to define the software interface data of the COTS device.
Some additional consideration should be given to the critical configuration settings. Those are defined as the settings that are deemed necessary by the applicant for the proper usage of the hardware, which, if inadvertently altered, could change the behaviour of the COTS device, causing it to no longer fulfil the hardware intended function.
Objective
COTS-8
If the complex COTS device contributes to
DAL A or B functions, the applicant should develop and verify a means that
ensures an appropriate mitigation is specified in the event of any inadvertent
alteration of the ‘critical configuration settings’ of the COTS device.
Note: The mitigation means might be
defined at the hardware, software, or system level, or a combination of these.
The mitigation means may also be defined by the safety assessment process.
7 Development
Assurance of Circuit Board Assemblies (CBAs)
This section provides guidance for the development assurance
of CBAs (a board or a collection of boards).
7.1 Applicability
Section 7 is applicable to CBAs that contribute to hardware
DAL A, B or C functions.
7.2 Development
Assurance of Circuit Board Assemblies (CBAs)
While it is already a common practice for applicants to have
an internal process to address the development of CBAs, it is necessary to
clarify the expectations for development assurance, including the flow-down of
the equipment/system requirements to the hardware. For consolidation of the
development and/or the use of complex devices, it is essential to ensure
consistency in the overall development assurance approach for the hardware
domain. Moreover, definition of the CBA function is also necessary to enable
the allocation of requirements and their flow-down to the complex devices.
Objective
CBA-1
The applicant should have a process to
address the development of CBAs that contain complex custom devices or complex
COTS devices, in order to ensure that the CBA performs its intended function.
The process should include requirements capture, validation, verification, and
configuration management activities, and ensure an appropriate flow-down of
requirements. See Appendix B for additional information.
Note: The applicant’s process to address
the development of the CBA may be defined together with the equipment process,
when relevant.
8 RELATED
REGULATORY, ADVISORY AND INDUSTRY MATERIAL
(a) Related
EASA Certification Specifications (CSs)
(1) CS-23, Certification
Specifications and Acceptable Means of Compliance for Normal, Utility,
Aerobatic, and Commuter Category Aeroplanes
(2) CS-25, Certification
Specifications and Acceptable Means of Compliance for Large Aeroplanes
(3) CS-27, Certification
Specifications and Acceptable Means of Compliance for Small Rotorcraft
(4) CS-29, Certification
Specifications and Acceptable Means of Compliance for Large Rotorcraft
(5) CS-E, Certification
Specifications and Acceptable Means of Compliance for Engines,and AMC 20-3B, Certification of Engines Equipped with
Electronic Engine Control Systems
(6) CS-P, Certification
Specifications for Propellers, and AMC 20-1A, Certification of
Aircraft Propulsion Systems Equipped with Electronic Control Systems
(7) CS-ETSO, Certification
Specifications for European Technical Standard Orders
(8) CS-APU, Certification
Specifications for Auxiliary Power Units; and AMC 20-2B, Certification of Essential APU Equipped
with Electronic Controls
(b) FAA Advisory Circulars (ACs)
(1) AC 20-152, Development Assurance for Airborne
Electronic Hardware
(2) AC 00-72, Best Practices for Airborne Electronic Hardware Design Assurance Using EUROCAE ED-80( ) and RTCA DO-254( )
(3) AC 23.1309-1, System Safety Analysis and Assessment for Part 23 Airplanes
(4) AC 25.1309-1, System Design and Analysis
(5) AC 27-1309, Equipment, Systems, and Installations (included in AC 27-1, Certification of Normal Category Rotorcraft)
(6) AC 29-1309, Equipment, Systems, and Installations (included in AC 29-2, Certification of Transport Category Rotorcraft)
(c) Industry
Documents
(1) EUROCAE ED-79A, Guidelines for Development of Civil Aircraft and Systems, dated December 2010
(2) EUROCAE ED-80, Design Assurance Guidance for Airborne Electronic Hardware, dated April 2000
(3) RTCA DO-254, Design Assurance Guidance for Airborne Electronic Hardware, dated 19 April 2000
(4) SAE International Aerospace Recommended Practice (ARP) 4754A, Guidelines for Development of Civil Aircraft and Systems, dated 21 December 2010
(5) SAE
International Aerospace Recommended Practice (ARP) 4761, Guidelines and Methods for Conducting the Safety Assessment Process on
Civil Airborne Systems and Equipment, dated December 1996
9 AVAILABILITY
OF DOCUMENTS
(a) EASA Certification Specifications (CSs) and Acceptable Means of Compliance (AMC) may be downloaded from the EASA website: www.easa.europa.eu
(b) FAA Advisory Circulars (ACs) may be downloaded from the FAA website: www.faa.gov
(c) EUROCAE documents may be purchased from:
European Organisation for Civil Aviation Equipment
102 rue Etienne Dolet, 92240 Malakoff, France
Telephone: +33 1 40 92 79 30, Fax: +33 1 46 55 62 65
(Email: [email protected], website: www.eurocae.net)
(d) RTCA documents may be purchased from:
RTCA, Inc.
1150 18th Street NW, Suite 910, Washington DC 20036, USA
(Email: [email protected], website: www.rtca.org)
[Amdt 20/19]