1. Introduction

    Tools used in the design and verification of electronics have played a huge role in the dramatic evolution of these devices over the past few decades. After all, there is a limit to the amount of work and detail that even a good aerospace engineer can handle, but add the use of tools, and the sky (pun intended) is the limit.

    While the use of state-of-the-art development tools has led to ever-increasing design complexity, the use of modern verification tools has at the same time made these complex designs more reliable. In addition, lifecycle management tools have facilitated management of both the development process and data. All these types of tools have been essential in modern avionics development.

    While tools make amazing designs possible, what happens when you need to “Qualify” these tools? What does that even mean? How much work is it? Is it worth it? These are common questions asked by tool users subject to RTCA/DO-254 compliance. Companies, like Siemens, who provide tools that are of great benefit to the goal of safety (such as in the aerospace domain), must understand and support their tools in the context of these programs. This paper describes the terminology and requirements related to tool qualification specific to the safety-critical programs governed by DO-254 compliance. It also provides some practical examples of tool qualification processes and strategies for commonly used tools.

    Policy

    Complying with DO-254 provides a means for avionics designers to demonstrate that their designs meet the rigorous design and safety requirements for airborne electronics mandated by the FAA, EASA, and other worldwide certification agencies.

    So, what does DO-254 say about tools?

    First, as part of project planning, you must identify the tools you plan to use in the context of the hardware design life cycle processes and how you intend to use them. This is summarized in the Plan for Hardware Aspects of Certification (PHAC) and then typically elaborated on in the specific document focusing on each part of the development process; for example, the Hardware Design Document may describe the detailed process for using development tools such as code generators and the Hardware Verification & Validation Processes Document may describe the detailed process for using verification tools, such as simulators. See DO-254 Section 4 for more information on the documentation requirement of tools within the planning process. Second, tools must be part of the configuration management processes of DO-254. See DO-254 Section 7 for more information on the configuration management requirements for tools. Third, you must adhere to the requirements of “Tool Assessment and Qualification,” which is the real focus of this paper.

    DO-254 Section 11.4 is entitled “Tool Assessment and Qualification.” To understand this content, it helps to understand the terminology used. Tool assessment means examining the role of the tool in the design process and determining if it needs to be qualified. All tools must be assessed. Tool qualification means demonstrating that the tool produces the expected outputs. Not all tools must be qualified. All too often these two terms are equated, and tool users may end up performing more work than required as a result.

    Next, to understand the point of all this, it helps to be reminded that DO-254 is a design assurance standard. Design assurance requires multiple layers of review and verification within the development process to ensure safe operation of the design being produced. This means when an engineer is doing design work, his/her work is always being reviewed and verified, usually in numerous ways – depending on the safety criticality as indicated by the design assurance level, or DAL. When tools automate processes that an engineer would normally perform, then these tools need some checks and balances as well. This is where tool assessment, and in some cases, qualification, fits in. To quote from DO-254, “The purpose of tool assessment and qualification is to ensure that the tool is capable of performing the particular design or verification activity to an acceptable level of confidence for which the tool will be used.”
