Skip to main content
← Back to Blog

DO-254: How Airborne Electronic Hardware Earns Its Design Assurance

DO-254 is the hardware companion to DO-178C: the design assurance standard for the FPGAs, ASICs, and complex electronic hardware that fly on certified aircraft. Same DAL logic, same traceability demands, aimed at the silicon instead of the code.

DO-254 is the standard that governs how complex electronic hardware earns the right to fly on a type-certified aircraft. If DO-178C is the discipline for airborne software, DO-254 is its hardware twin, the assurance regime for the FPGAs, ASICs, and complex programmable logic devices that increasingly do the work that used to live in software or discrete circuits. Certification authorities accept DO-254 as the means of showing that this hardware was developed with rigor proportionate to the consequences of its failure. A team that already understands DO-178C recognizes DO-254 immediately, because it inherits the same core logic and points it at the silicon.

That shared logic starts with the Design Assurance Level. As in DO-178C, DO-254 classifies hardware by the severity of the worst credible failure condition it could contribute to, derived from the system safety assessment. Level A hardware is that whose failure could be catastrophic; Level B is hazardous, Level C major, Level D minor, and Level E has no safety effect. The DAL is not a quality grade a team aspires to; it is a measured statement of consequence, and the amount of assurance effort scales directly from it. A Level A flight-critical FPGA carries obligations that a Level D hardware item never sees.

The scope of DO-254 is deliberately narrow and worth stating precisely. It applies to complex custom micro-coded and programmable devices, the parts whose internal behavior cannot be exhaustively tested by conventional means because there are simply too many states. Simple hardware, the kind that can be fully verified by testing every combination of inputs, can be handled with a lighter touch. The complexity of the device, not merely its presence in the design, is what pulls it into the full weight of the standard. This is why FPGAs and ASICs sit at the center of DO-254 practice: they are the components complex enough to hide a failure mode that no reasonable test campaign would stumble across by accident.

The life cycle DO-254 defines will feel familiar to anyone who has read a systems-engineering process standard. It runs from requirements capture, through conceptual design, detailed design, implementation, and production transition, wrapped in supporting processes for planning, configuration management, process assurance, and validation and verification. Requirements-based verification is the heart of it: every hardware requirement must be verified, and the verification must be traceable to the requirement it satisfies. The parallel to DO-178C is exact. The evidence a program produces is not a description of what the hardware does; it is proof that each requirement was implemented and shown to be met.

Verification of complex hardware raises a problem that pure requirements testing does not fully solve, and DO-254 addresses it at the higher assurance levels. For Level A and Level B devices, certification guidance expects additional confidence that the verification actually exercised the implemented design, analogous in spirit to the structural coverage demands DO-178C places on Level A software. Techniques such as elemental analysis, requirements-based test coverage of the device elements, and in some cases functional failure path analysis or the use of independent verification tools come into play. The intent is the same one that drives MC/DC in software: to close the gap between what the requirements said and what the hardware actually implemented, so that untested corners of a complex device cannot hide a latent failure.

All of this rests on traceability, and this is where DO-254 programs live or die on schedule. The standard expects a traceable chain from system requirements to hardware requirements, from hardware requirements to the design and its implementation, and from every requirement to the verification that demonstrates it. Because FPGA and ASIC development involves synthesis, place-and-route, and toolchains that transform the design between representations, the trace has to survive those transformations, and tool qualification enters the picture where a tool could introduce or fail to detect an error. When a requirement changes late, the program must identify every downstream design element and verification activity affected and re-establish confidence in each. Reconstructing that trace by hand across a complex device before an audit is exactly the scramble the standard is trying to prevent.

DO-254 does not exist in isolation any more than DO-178C does. It is the hardware member of the same avionics assurance family, and it shares the criticality-scaling, requirements-driven, evidence-heavy philosophy common to the functional safety standards across every high-consequence domain. A hardware engineer who has internalized the DAL concept and the traceability discipline from one standard carries most of the mental model straight across to the others; what changes is the specific artifacts and verification techniques the domain demands.

This is the kind of program where keeping the traceability matrix as first-class data changes the economics of certification. Hitt Hosting SE maintains the requirement-to-design-to-verification chain as live, structured data rather than a spreadsheet reassembled at the end of the program. Hardware requirements carry their design assurance level as an explicit attribute, verification activities link back to the requirements they satisfy, and a change to a requirement flags every downstream design element and verification result as suspect for reassessment. The assurance evidence a DO-254 program has to hand a certification authority becomes a byproduct of working this way, rather than a separate, late, and error-prone reconstruction.

More from the Blog

ARP4754A: The Systems Standard That Sits Above DO-178C and DO-254

DO-178C certifies the software and DO-254 certifies the hardware, but something has to decide how safe each of them needs to be in the first place. That something is ARP4754A, the aircraft-and-systems development assurance standard that allocates a Development Assurance Level to every function before a line of code is written.

DO-178C: How Airborne Software Earns Its Design Assurance Level

DO-178C is the standard that airborne software must satisfy to fly on a certified aircraft. Its Design Assurance Levels, objective counts, and demand for end-to-end traceability make it one of the most rigorous software processes in any industry.

Trade Studies: How Systems Engineers Defend the Decisions That Shape a Program

Almost every consequential decision on a program, which architecture, which supplier, which redundancy scheme, is a choice among alternatives that were never equally good. A trade study is the discipline that turns that choice from an argument won by seniority into a decision defended by evidence.

Ready to try it?

Start a free 30-day pilot and see how Hitt Hosting SE handles your mission data.

Start Your PilotSee Features