Military Embedded Systems

DO-254: The other safety-critical specification


May 16, 2009

Chris A. Ciufo

General Micro Systems, Inc.

The FAA's RTCA/DO-178B guides designers in developing software certified for flight safety. Meanwhile, its companion hardware specification, RTCA/DO-254 "Design Assurance Guidance for Airborne Electronic Hardware," is just as integral. Editor Chris Ciufo shares some tips to ease DO-254 certification.

Editor’s Note: Next month’s edition of Military Embedded Systems has our annual “FPGAs and Reconfigurable Computing” supplement, which is part of sister publication To whet your appetite, I thought it very appropriate to focus on a thin slice of the FPGA design problem that sometimes vexes military system designers: safety-critical hardware certification.

By now you’re probably aware that the FAA’s RTCA/DO-178B “Software Considerations in Airborne Systems and Equipment Certification” governs software certified for airborne systems ranked from levels E through A (the highest). DO-178B’s rigorous test methodology makes darn certain that the software controlling the flight surfaces in an avionics system exhibits no possible aberrant behaviors and doesn’t use poor coding practices such as undefined variables or priority inversions.

But did you know there’s a companion spec for hardware called RTCA/DO-254 “Design Assurance Guidance for Airborne Electronic Hardware”? This spec got much more attention five years ago when it was updated to Advisory Circular AC.20 DO-254 to specifically include the FPGAs that are integral to the Joint Tactical Radio System (JTRS). Since then, vendors Aldec and Mentor Graphics want designers to know how to create safety-critical FPGA-based defense systems.

Mentor Graphics, a broad line EDA tools company that even has its own RTOS (Nucleus), is the 800-pound gorilla in this market. Most defense designers feel more comfortable talking about VPX conduction-cooled boards or Ethernet LANs than they do about IC designs and EDA tools. And Mentor is well aware that the Aerospace and Defense (A&D) markets don’t need many of the products in the company’s arsenal. But when it comes to safety-critical systems – especially those using FPGAs – Mentor offers some worthwhile advice to achieve DO-254 design assurance levels from E to A.

The biggest issue, says Michelle Lange, Mentor’s DO-254 program manager, is risk. At the FPGA Summit held in late Fall 2008, I moderated a panel session where Lange was one of the key participants. DO-254, she said, adds “significant time, risk, and cost to design projects.” The 25 to 400 percent cost increase – and the risk of failing a certification audit and having to redesign (and rewrite code) – are the biggest reasons for tools from companies like Mentor or Aldec. DO-254’s requirements-based approach is similar to DO-178B for software. The FPGA design must capture and validate requirements, design to those requirements, and then verify that the design meets them. Sounds simple, right?

By their nature, FPGAs are a blank canvas into which RTL is applied, a design synthesized, and logic realized. There are infinite variations and countless iterations to get a design working in the first place, not to mention it fitting within available logic and then pinning out to the circuit board … thus the following four tips:

Hot Tip #1: To achieve a DO-254 certified design, the trick is proper preparation and a structured design process. Mentor advises that seeking out DO-254 certification training is well worth the cost involved, even for a large design team. This avoids missteps and rework, especially on the fixed-price programs more common in a global recession and in DoD Secretary Gates’ “new approach” to contracting.

Hot Tip #2: Plan for requirements management and traceability as part of the process. As Military Embedded Systems readers have seen on the software side with tools from IBM/Telelogic and others, software is available to help capture design requirements – even across a geographically distant design or subcontracting team. The heart of DO-254 is stating, designing to, and verifying compliance with requirements. Use a tool that automates the requirements creation process. Don’t forget about configuration management and artifacts generation during the design stage: You’ll need them later. Altera, for instance, has a DO-254 ecosystem for its products and even offers the NIOS II_SC as soft IP that’s “certifiable to DO-254.”

Hot Tip #3: When it comes to chapter 6.2 of DO-254 – verifying the design – there are myriad choices from Altera, Xilinx, Mentor, and GateRocket. Aldec, for instance, promises at-speed hardware verification and “golden” vectors. The company uses a combination of software and hardware boards to exercise speed-accurate designs.

But whichever tool or flow is used, make sure the verification process maps back to the requirements necessary to achieve DO-254 certification. Verifying a functional design is one thing, but in this case, the design must be shown to also live up to the predefined requirements. Don’t forget about configuration management and artifacts generation.

And finally, Hot Tip #4: Choose tools designed for safety-critical systems. I suppose you’d expect Mentor to say that since they’re trying to sell tools. But while self-serving, it’s really a round peg/round hole scenario. Verification companies like Aldec and Mentor have DO-254 certification success in mind with many of their products. Why choose tools that don’t mesh with hardware certification?

More information can be found at:



Mentor Graphics:


Chris A. Ciufo, Group Editorial Director

[email protected]