How to certify avionics
Almost all people are enamored with flight. Whether it's a hummingbird, a small airplane, an eVTOL, a drone, or a rocket going to space, whatever it is, we stop what we are doing to watch. Most people want to fly themselves, but at what risk? When your feet leave the ground you are taking a calculated risk that they will return to the ground safely. That risk of landing safely, obviously in an airplane, is why airplanes need to be certified. A ton of complex work is performed to calculate airplane safety and drive the risk as low as practical, but the assessment always ends in a 'failure rate', since nothing is 100% safe. The safety assessment process also enables architectures to be designed to a certain safety level based on the airplane type. For example, an Airbus A350 has higher safety requirements than a C172.
Avionics development would be a lot more fun if you didn't have to certify. Estimates are that the development itself is 10 to 20 percent of the schedule and cost of an avionics program. Most of the cost comes from writing requirements, testing, airplane integration, flight testing, documentation, and certification – ouch! As aircraft size and passenger count increase, so do the difficulty and the amount of work...
On a scale from 1 to 10 for how difficult certification is, most would agree with the following:
1 – Experimental aircraft
3 – Part 23, Class 1 and 2 (single engine piston and light turbo-props)
4 – Part 23, Class 3, Part 27 Helicopters
7 – Part 23, Class 4 and Part 25 business jets, Part 29 Helicopters
10 (maybe 11) – Part 25, Air Transport
Note: eVTOLs will likely fall between 4 and 10. The industry has FAA/EASA guidance, but no eVTOLs have been certified yet, so it's hard to guess the difficulty of certification.
Before jumping into the avionics certification activities, I need to start at the airplane level. The OEM must define an Aircraft Fault Hazard Assessment (AFHA) and a Preliminary Aircraft Safety Assessment (PASA). The AFHA contains all the hazards and failures that could happen to the aircraft, independent of the aircraft design. The PASA is the document that analyzes the impacts of interdependencies within the proposed architecture: it shows what effect one system failure, e.g. of the electrical system, has on the failure modes in the AFHA. So, the main purpose of the PASA is to evaluate multiple architectures and determine the one with the lowest risk. The AFHA and PASA are used to define the safety levels required for the aircraft 'Systems', from which the safety levels of the avionics 'system' and of the individual avionics units are derived.
Avionics certification starts with the System Functional Hazard Assessment (SFHA) that is flowed down from the AFHA. The avionics supplier then builds a Preliminary System Safety Assessment (PSSA) to determine what level of criticality the equipment needs to meet. The PSSA is based on the aircraft's architecture and the type of aircraft. The aircraft and avionics safety assessment processes follow the guidance in the FAA Advisory Circulars (AC 23.1309 or AC 25.1309) on the condition level for what happens when the avionics fail or present hazardous or misleading information. There are five levels – Catastrophic, Hazardous, Major, Minor, and No Effect – and each maps to a level of integrity that the avionics must meet. For example, catastrophic events may happen no more often than once in 10^9 hours, that's once in a billion hours. These levels are defined as:
· Catastrophic – Failure likely to cause deaths, usually with loss of the airplane.
· Hazardous – Failure has a large negative impact on safety or performance, or reduces the ability of the crew to operate the aircraft due to physical distress or a higher workload, or causes serious or fatal injuries among the passengers.
· Major – Failure significantly reduces the safety margin or significantly increases crew workload. May result in passenger discomfort (or even minor injuries).
· Minor – Failure slightly reduces the safety margin or slightly increases crew workload. Examples might include causing passengers inconvenience or a routine flight plan change.
· No Effect – Failure has no impact on safety, aircraft operation, or crew workload.
These levels also 'map' to the Functional Development Assurance Level (FDAL) that the software or firmware needs to be designed to, in other words, the rigor with which the engineers must verify and test their code. It's a bit more involved, but for simplicity's sake you could map Catastrophic to FDAL-A, Hazardous to FDAL-B, Major to FDAL-C, Minor to FDAL-D, and No Effect to FDAL-E. The guidance on what steps need to be followed to meet these different FDAL levels is contained in DO-178C for software compliance and DO-254 for firmware (the code in an FPGA or ASIC) compliance.
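To make the PSSA idea concrete, here is an added example (not from this article or any OEM's tooling) that evaluates a small fault tree for one failure condition, checks the result against the AC 25.1309 per-flight-hour probability objectives, and applies the simple hazard-to-FDAL mapping above. The architecture, component failure rates and the Catastrophic classification of "loss of all attitude information" are constructed for illustration; only the 10^-9 figure comes from the article, the other Part 25 objectives are from AC 25.1309-1A.

```python
import math

# Per-flight-hour probability objectives (AC 25.1309-1A, Part 25 figures;
# Part 23 classes are less demanding).  None = no quantitative objective.
BUDGET = {"Catastrophic": 1e-9, "Hazardous": 1e-7, "Major": 1e-5,
          "Minor": 1e-3, "No Effect": None}
# Simplified mapping as in the article; ARP4754A allows reductions for
# independent, redundant functions, which this example ignores.
FDAL = {"Catastrophic": "A", "Hazardous": "B", "Major": "C",
        "Minor": "D", "No Effect": "E"}

def evaluate(node):
    """Evaluate a fault tree.  A leaf is a per-hour failure rate (float);
    ("AND", ...) means every child fails in the same hour (independent events),
    ("OR", ...) means at least one child fails."""
    if isinstance(node, float):
        return node
    gate, *children = node
    ps = [evaluate(c) for c in children]
    if gate == "AND":
        return math.prod(ps)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {gate!r}")

def assess(hazard, tree):
    """Return (probability, meets_objective, required FDAL) for a condition."""
    p = evaluate(tree)
    limit = BUDGET[hazard]
    return p, (limit is None or p <= limit), FDAL[hazard]

# Constructed rates: two AHRS units at 1e-5/h each; an avionics power bus at 1e-6/h.
AHRS, BUS = 1e-5, 1e-6

# Architecture 1: both AHRS fed from ONE bus.  The bus is a common cause,
# so a single electrical failure drives the whole condition (what a PASA exposes).
SINGLE_BUS = ("OR", ("AND", AHRS, AHRS), BUS)
# Architecture 2: each AHRS on its own independent bus.
DUAL_BUS = ("OR", ("AND", AHRS, AHRS), ("AND", BUS, BUS))

def compare_architectures(hazard="Catastrophic"):
    """PSSA-style comparison of the two candidate architectures."""
    return {"single_bus": assess(hazard, SINGLE_BUS),
            "dual_bus": assess(hazard, DUAL_BUS)}

if __name__ == "__main__":
    for name, (p, ok, dal) in compare_architectures().items():
        print(f"{name}: {p:.2e}/h  meets objective: {ok}  FDAL-{dal}")
```

The single-bus design lands near 10^-6 per hour, three orders of magnitude short of the Catastrophic objective, while the dual-bus design is about 10^-10; the AHRS redundancy alone was never the limiting factor.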
Honestly, I'm trying to keep this simple. Really, this is the 45,000 ft-level explanation.
Onward... the avionics must be certified on an aircraft platform as part of the airplane Type Certificate (TC) or Supplemental Type Certificate (STC); the STC is used for retrofitting equipment onto a previously TC'd plane. Lilium recently posted their plans to achieve the TC on their 7-seat eVTOL (https://lilium.com/newsroom-detail/path-to-certification-of-the-7-seater-lilium-jet, it is worth reading).
To make it easier on the FAA, for many aviation products they have created Technical Standard Orders (TSOs) that define how the unit must operate for the function it performs. Each TSO references an SAE or RTCA Minimum Operating Procedures Standards (MOPS) document that gets into the details of the requirements the avionics must meet to get TSO-A or TSO-Approval. So for example, the ADS-B TSO is TSO-C166b and the MOPS it references is RTCA DO-260D. The requirements in DO-260D must trace into the avionics requirements and tests, and the engineers must then show that the equipment complies with them. The TSO also points to DO-178, DO-254, and DO-160 for the processes that must be followed to get TSOA, "A" for authorization. DO-160 covers the environmental test levels that must be met for the type of environment the equipment will be installed in. It defines parameters like temperature range, altitude range, humidity, vibration, electromagnetic interference limits, lightning limits, etc. – this is also a fun part of the cert process because something always fails during this testing.
Avionics development typically follows a waterfall process, where requirements start at a general level and get more detailed. The more detailed requirements turn into software and test procedures. From a review perspective, you start with a System Requirements Review (SRR), then a Preliminary Design Review (PDR), a Critical Design Review (CDR, or Final Design Review, FDR), then a Test Readiness Review (TRR). If you've heard of ARP-4754A, this is a means of certifying an aircraft, and that process can also loosely define the avionics process, as dictated by the OEM. Flight testing and environmental testing can happen once prototypes are built and the team feels confident in their stability. The test articles need to be 'conformed' by the FAA or an FAA Designated Engineering Representative (DER), which makes sure the documented part numbers, specs, and software match the product under test.
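The "must trace into the avionics requirements and tests" point above, and the general-to-detailed flow-down in the waterfall description, amount to a bidirectional traceability check of the kind DO-178C reviewers look for. Here is an added example (not from the article, and not any project's real trace data) that runs that check over a constructed four-level chain: MOPS paragraphs, system requirements, software requirements, test cases. All requirement IDs are made up; the MOPS-n labels are placeholders, not DO-260D paragraph numbers.

```python
# Constructed trace data.  Each lower-level item maps to the set of parent IDs
# it claims to trace to.  Deliberate defects are marked so the report is readable.
MOPS = {"MOPS-1", "MOPS-2", "MOPS-3"}                       # top level: the TSO's MOPS
SYS_REQS = {"SYS-10": {"MOPS-1"},
            "SYS-11": {"MOPS-2"},
            "SYS-12": set()}                                 # defect: no parent (derived req)
SW_REQS = {"SW-100": {"SYS-10"},
           "SW-101": {"SYS-11"},
           "SW-102": {"SYS-11"}}
TESTS = {"TC-1": {"SW-100"},
         "TC-2": {"SW-102"},                                 # defect: SW-101 is never tested
         "TC-3": {"SW-999"}}                                 # defect: parent does not exist

def untraced_down(parents, children):
    """Parent items that nothing at the next level traces to: a MOPS clause
    with no system requirement, or a software requirement with no test."""
    covered = set().union(*children.values()) if children else set()
    return sorted(set(parents) - covered)

def orphans_up(children, parents):
    """Child items with no parent, or with a parent ID that does not exist.
    DO-178C allows 'derived' requirements without a parent, but they must be
    identified and fed back to the safety assessment, so they are flagged here."""
    valid = set(parents)
    return sorted(c for c, ps in children.items() if not ps or not ps <= valid)

def trace_report():
    """Walk adjacent levels of the chain and report gaps in both directions."""
    levels = [("MOPS", MOPS), ("SYS", SYS_REQS), ("SW", SW_REQS), ("TEST", TESTS)]
    report = {}
    for (pname, parents), (cname, children) in zip(levels, levels[1:]):
        report[f"{pname}->{cname} untraced"] = untraced_down(parents, children)
        report[f"{cname}->{pname} orphans"] = orphans_up(children, parents)
    return report

if __name__ == "__main__":
    for check, items in trace_report().items():
        print(f"{check}: {items or 'OK'}")
```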
The waterfall process is slower than some of the newer development processes like Agile. I'm not going to get into detail here, but I will say that the DevOps strategies of the new avionics players, now also embraced by the traditional avionics companies, should have an efficiency impact, just as long as they stay within the DO-178C boundaries.
The last concept to mention, and probably the most fun, is flight testing. As an avionics systems engineer for a small startup company (Avidyne), I got the unique opportunity to be a flight test engineer (FTE) for 100+ hours in Cirrus, Piper, Lancair Columbia, Mitsubishi MU-2, and Eclipse E500 jet aircraft. The flight test team, composed of flight test pilots, maintenance personnel, and flight test engineers (FTEs), performs a Flight Readiness Review (FRR) and a flight pre-brief for each flight test, runs a set of 'run cards', and then processes the data from the flight test equipment. Pictured below is the 737 MAX flight test equipment.
A flight test is required to verify the intended operation of the equipment, the usability of the user interface, and the reliability of the aircraft. There are so many reasons why avionics must be flight tested that I won't go into them here, but this is where a product becomes bad, mediocre, or great. Anyone can use electronics in the lab, but trying to use them in turbulence in the clouds while talking with ATC... well, let's just say a pilot can turn into a pile of jello if he gets confused and stressed while trying to aviate, navigate, and communicate under extreme pressure.
Ok, I'll stop here. If you made it this far, then congrats. I gave a dump of stuff, but hopefully you learned a little or something filled in a gap in your knowledge. Again, I just touched the surface of a very complex topic that thousands of people work on every day. My hat's off to them, and let me know if I messed up on any of the steps.
Founder and CEO of AirDance, China Advanced Air Mobility Group
3 years ago: I agree with your insights.
Financial Advisor | Strategic Planning for individuals and their families
3 years ago: I enjoy reading what you write, Mike. Thanks for taking a 45,000-foot view and making it into something someone outside the industry can understand.
Great write-up Mike Ingram! A good design philosophy and a great vision towards product development can also help decrease time to market from a certification perspective IMO. Agree with Robert, there's a certain satisfaction in making sure all the steps are followed and we're making the skies safer to navigate...
in Wasilla, Alaska.
3 years ago: Love this!!
CEO @ Reliable Robotics
3 years ago: Great primer Mike! Not sure what this says about me, but I actually enjoy the "overhead" the certification process imposes. There's a certain joy in being methodical, knowing you are building something highly reliable.