The criticality of DO-254 and DO-178C standards for future Army autonomous vehicles
Shaza Khan
September 27, 2023
The future of warfare is rapidly evolving, with the advent of autonomous vehicles and the increasing integration of artificial intelligence (AI) technologies. By 2030, the Army is likely to look vastly different from what we see today, with unmanned vehicles and drones playing a critical role in modern warfare.
China and Russia are already at the forefront of this segment, with their substantial investments leading to improved defensive capabilities against drone swarms and other automated systems. On its part, the U.S. is also making significant strides in developing its own autonomous warfront systems, such as AI-driven command-and-control centers and semi-automated tanks.
The only way we can guarantee our security is by looking ahead: understanding where the world of military robotics, artificial intelligence, and autonomous systems is going and planning for potential threats. By embracing the technologies available today and staying ahead of the curve in terms of future developments, we can ensure that our nations remain militarily safe from any challenge posed by our rivals.
However, with the increasing complexity of these systems, ensuring their reliability and safety has become a critical challenge. This is where safety standards such as DO-254 come into play, providing a set of guidelines and processes to ensure the safe operation of autonomous military vehicles.
The Advantages of the Future Automated Army
The autonomous warfront of the future will be a complex landscape, featuring dozens of different technologies working in tandem to ensure battlefield survivability. Autonomous vehicles, drones, and weapons are expected to provide several strategic advantages to military forces and would be deployed in various combat situations, such as urban warfare and desert warfare, providing real-time data and intelligence to increase mission efficiency and accuracy.
Vehicles fitted with non-lethal weapons could be used to control crowds or clear buildings, reducing the risk of human fatalities. Robotic vehicles and drones would collect intelligence data on the ground, allowing commanders to make better-informed decisions about their operations in real time. Autonomous systems will offer increased accuracy over manual operations since they require less interpretation from humans and can rely solely on sensors or cameras for information gathering. We can also expect to see a shift towards integrated human and automated armies, where automated technologies will enhance soldier capabilities and require fewer personnel, giving military organizations more operational flexibility. The future will rely heavily on automated technologies, making it crucial that they are designed to the highest standards of safety and reliability.
Comparing DO-254, ISO 26262, and MIL-STD-882E Safety Standards
Safety standards such as DO-254, DO-178C, ISO 26262 and MIL-STD-882E are vital for aircraft and vehicle manufacturers because they ensure critical systems in vehicles will not fail and cause accidents or injuries.
MIL-STD-882E is a safety standard used by the Department of Defense to identify and mitigate hazards associated with military systems. MIL-STD-882E defines various levels of rigor (LOR) and references other standards to meet certification. For example, the activities required to meet LOR 1 may be similar to those of DO-254 and DO-178C. The standard also allows the option to avoid certification: if a system hazard does not have a catastrophic severity, it may not necessarily need to go through certification if it can be mitigated in other ways. One unique aspect of MIL-STD-882E is that it addresses loss, the cost that may be incurred if a safety-critical system should fail. Because the Army is shifting towards open-standard systems that are often developed to commercial safety standards, MIL-STD-882E is being phased out to further cut costs. Therefore, safety-critical hardware will most likely be designed to ISO 26262 or DO-254/DO-178C requirements.
ISO 26262 is a safety standard that focuses on the functional safety of electrical and electronic systems installed in passenger vehicles. This standard provides guidelines for designing and testing safety-related components to ensure that they meet specific safety goals. ISO 26262 defines four Automotive Safety Integrity Levels (ASILs) based on the potential impact of a failure on vehicle occupants and other road users. The standard is applicable to any automotive system that interacts with the environment, including sensors, brakes, steering systems, and electrical systems. ISO 26262 focuses on functional safety, that is, on the specific systems, elements and tools used in the safety-critical parts of the design, so non-safety-critical functions do not need to be certified. For example, the air conditioner controller in a car may not be safety-critical but the brakes are, so only the brakes need to be certified to the ISO standard. This is drastically different from DO-254, where both safety-critical and non-safety-critical functions must be addressed.
The FAA defines Guidelines for Development of Civil Aircraft and Systems in ARP4754A and requires compliance with DO-254 and DO-178C to ensure the safety and reliability of aviation systems. ARP4754A begins by addressing the hazards at the aircraft level, then the system level, followed by hardware and software. The reasoning behind this is that aircraft are fundamentally more safety-critical: an aircraft cannot simply stop and be repaired mid-flight the way an automobile can be pulled over for repair. A safety standard that applies to airborne electronic hardware, DO-254 outlines the development process for complex airborne electronic hardware systems, including design assurance levels (DALs), verification and validation, and configuration management. Additionally, the software used to control the system must be tested for proper implementation of its safety functions.
The approaches and scopes of ISO 26262 and DO-254/DO-178C are significantly different. DO-254 and DO-178C are objective-driven, and there are many ways to meet these objectives. This invites more scrutiny of the process, but also allows hardware and software providers to develop more innovative processes. Because certification takes place at the aircraft level, and aircraft are significantly different from one another and have larger time gaps between generations, a system assured in accordance with DO-254 and DO-178C on one aircraft must undergo the certification process again if used on a different aircraft. This is precisely why mission computers are not advertised as DO-254 certified and are instead referred to as “safety certifiable.” In comparison, ISO 26262 has a set of clear requirements, which makes it easier to understand and meet. One of the advantages of ISO 26262 is that it allows the reuse of certified systems, elements, or tools if they are used according to their safety manual, which means some elements certified on one platform can be used on another platform without recertification, saving certification cost and time.
In the past, Army vehicle hardware was primarily designed to the ISO 26262 and MIL-STD-882E safety standards. However, DO-254 and DO-178C will be better suited to the AI-driven vehicles of the future. The liability of future military autonomous vehicles is similar to that of tactical drones in the sky, which are currently being certified to DO-254 and DO-178C. Unlike commercial automobiles, a military vehicle could have automatic weapon systems and autopilot engaged at the same time. As with a drone, weapons misfiring and navigation going awry could lead to loss of assets and hundreds of casualties. These vehicles will also rely heavily on onboard systems to operate independently, increasing the chances of technical failures. Certifying at the platform (autonomous vehicle) level would reduce the possibility of downtime due to failures and the subsequent maintenance costs. By using systems designed to DO-254 and DO-178C, military developers can significantly minimize risk and ensure the vehicle can operate reliably without intervention while guaranteeing the safety of its occupants.
DO-254/DO-178C Compliance and Certification
To meet DO-254 and DO-178C certification requirements, engineers must follow a rigorous set of design assurance processes for each electronic and software component. These include verifying components meet functional requirements, performing circuit-level analysis and testing, and validating the components’ quality at every stage of development. The process also involves documenting evidence to prove the reliability of the product before it is submitted to the vehicle’s certifying authority for approval.
The DO-254/DO-178C guidelines define different design assurance levels, ranging from Level A, which represents the highest level of criticality, to Level E, which represents the lowest. Each level has specific requirements that must be met for hardware or software to be certified, and certification itself can take anywhere from several months to over a year depending on the complexity of the project and other factors.
DO-254 and DO-178C also provide manufacturers with an audit trail, which means that every step of production can be tracked and verified if needed. This traceability helps prevent errors due to design or implementation oversights, making it easier to identify potential issues before products are released to the market. The engineering effort required to meet the standards is extensive, but it is worth the investment when considering the safety and reliability that come with it. Plus, DO-254/DO-178C provides assurance that components are fit for purpose, every time.
Staying Ahead with Advanced Mission Computing
It is important for the US and Allied nations to stay ahead of their rivals when it comes to advancements in autonomous warfare technology. Therefore, computers running these systems must stay up to date.
A mission computer is a vital component of an autonomous vehicle, driving the complex computing processes onboard. It is responsible for providing real-time data and ensuring critical decisions are made safely and accurately. Multicore processing is essential for the development of autonomous and AI technologies as it allows the mission computer to quickly process large amounts of data and make decisions in real time without compromising safety or performance. The additional cores provide the power needed to carry out complex calculations, such as vehicle navigation or machine learning algorithms, much faster than a single processor system.
Multicore processors, however, are harder to design with DO-254/DO-178C than single-core processors because of the complexity associated with managing multiple cores. Each core has its own set of functionalities and behaviors that must be monitored and tested individually. Additionally, multicore processor architectures generally require a greater level of synchronization between the various cores, which adds an extra layer of difficulty in designing them for use in mission computers that adhere to DO-254/DO-178C assurance processes. Testing each core's performance on numerous datasets is also much more complicated than for single-core designs.
This is why developing new multicore mission computers can take months or even years to complete, and partially explains why the fielding of new technology has lagged behind the development of the technology itself. To address this problem, Mercury works closely with silicon partners such as Intel to start the mission computer design process well in advance. To bridge the technology gap for customers looking to deploy AI and autonomous capabilities, we have developed the ROCK 4 safety-certifiable compact mission computer, which fits almost anywhere, costs less, and can be quickly integrated and fielded.
The Benefits of DO-254/DO-178C for the Army
By adhering to safety guidelines, military developers can ensure the safe and reliable operation of autonomous vehicles, reducing the risk of accidents, injuries, and damage to equipment. The use of never-before-seen advanced technologies in autonomous military vehicles makes this even more important, as compliance will improve product quality, reduce development costs, and increase customer confidence, thereby reducing the need for costly rework in the future.
If a military organization does not keep up with the rapid pace of autonomous and AI technology, it will be left behind and unable to contend with adversaries that have embraced it fully. Failing to keep up could have catastrophic consequences, ranging from compromised security to incorrect decisions in tactical situations. As we move towards an era of autonomous warfare, DO-254 and DO-178C design assurance should remain a top priority to ensure the safety and security of military personnel and civilians alike.
Learn More
Compliance with DO-254 and DO-178C requires a high level of scrutiny throughout the development process. All documentation must be traceable to ensure that all requirements are met, and rigorous quality assurance processes must be in place to periodically test and review hardware and software designs to ensure they remain consistent with the defined processes. Mercury Systems has over three decades of experience designing hardware and software to the DO-254/DO-178C standards. Contact Mercury to learn more.