[SystemSafety] EUROCAE document 039/ ED-80
Wilkinson, Chris
Chris.Wilkinson at Honeywell.com
Mon Oct 13 20:17:42 CEST 2014
As a member of that committee I can confirm what Tom said, with one reservation. DO-254 mirrored the then DO-178B approach of basing design assurance on requirements verification and defining various levels of rigor per the DAL assigned by SAE ARP-4754. Design assurance per DO-254 is thus predicated on complete and consistent requirements at both the box hardware level and, flowed down through derived requirements, to cards, modules and components, which is where it runs into a brick wall.
The application of DO-254 to all AEH was controversial from the start. The Committee recognized that it couldn't be applied in total to any AEH that was made primarily out of COTS components (which is mostly everything), since applicants don't have access to all the required lifecycle data needed to support derived-requirements-based verification, even if it exists at all, which is doubtful. Intel and the like consider such design data highly proprietary, which it surely is. The get-out was put in Section 11.2, whereby applicants with an approved, standardized ECMP and proper design procedures would get a pass on COTS. Thus an applicant would audit a COTS supplier per the standard and all would be good, provided the auditor was accredited, such as the STACK or BSI organizations.
The FAA understood the difficulty and restricted application to ASICs/PLDs, etc. (through AC 20-152), where the life cycle data (at least for the HDL) was available. It still remains impossible to comply with for 99% of SOCs and COTS uPs unless the applicant can come up with 'alternate means' and get FAA concurrence; no easy matter. The same thing goes for COTS IP; life cycle data for that is almost impossible to get except in a few cases, e.g. Altera NiosSC IP.
The entire process from ARP-4754 to DO-178/254 was intended to assure safety, at least by some qualitative probabilistic measure of safety. The assumption that the levels of rigor in 178/254 somehow assure probabilistic measures of safety seems a leap of faith that is beyond my capacity to make. But here I drift into contentious matters.
These are my personal observations and do not represent the views of my employer.
Best
-Chris-
-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Tom Ferrell
Sent: Monday, October 13, 2014 12:53 PM
To: Amund Westin; systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] EUROCAE document 039/ ED-80
This document, known as RTCA/DO-254 in the US, describes a set of objectives, activities, and data requirements for design assurance to be applied to airborne electronic hardware. Its application has had a very tumultuous history. The initial hole that the document was intended to fill was to provide a mechanism for design assurance of ASICs and simple PLDs. The committee ultimately decided that something was needed to address all airborne hardware, from the box to the circuit card to the custom device level. When published in 2000, this broader scope proved controversial. The FAA ultimately recognized its use in 2005 specifically for 'custom micro-coded devices.' EASA has adopted the broader scope but only requires level D (lowest) design assurance for circuit cards, even in level A equipment. EASA requires the higher levels of assurance expressly required for micro-coded devices, which today are primarily FPGAs, SOCs, and COTS microprocessors. Although a bit of an oversimplification, you can think of this document as being parallel to DO-178C/ED-12C (software design assurance), both of which are subordinate to SAE ARP-4754A, which covers system design assurance and the system safety process for the airborne community. As I understand it, you have to look at all three of these documents in the aggregate to draw a proper parallel with IEC 61508. BTW, I should note that it appears DO-254/ED-80 is likely to open up for revision very soon, possibly prior to year end.
-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de
[mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Amund Westin
Sent: Monday, October 13, 2014 11:07 AM
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: [SystemSafety] EUROCAE document 039/ ED-80
The EUROCAE document 039/ ED-80 "Design Assurance Guidance for Airborne Electronic Hardware" ... is it in some way the "61508" for the airborne guys?
Best regards
Amund
_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE