What Is DO-254? A Hardware Engineer’s Guide to Design Assurance for Airborne Electronics
When an aircraft function fails because of a hardware design error—not a manufacturing defect, not a component failure, but an error in the design itself—regulators want to know what process was in place to catch it. DO-254 is that process.
Published by RTCA as Design Assurance Guidance for Airborne Electronic Hardware, DO-254 establishes the planning, design, validation, and verification activities that hardware development teams must demonstrate before civil aviation authorities will accept a hardware item as airworthy. The FAA made it a recognized means of compliance via AC 20-152 in 2005. EASA followed with equivalent guidance. Today, any complex electronic hardware on a type-certificated aircraft—flight management processors, TCAS units, flight display controllers, fuel quantity computers—will have been developed against DO-254 or an acceptable equivalent.
Understanding what the standard actually requires, and why its scope has expanded rapidly, is now essential knowledge for any engineer working on avionics, air traffic systems, or urban air mobility hardware.
The Core Purpose: Catching Design Errors Before They Fly
DO-254 exists because hardware can fail in ways that physical qualification testing alone will not reveal. A component-level burn-in test tells you whether a part survives thermal stress. It does not tell you whether the design driving that part correctly handles an edge case in the FPGA state machine under specific combinations of input timing.
The standard’s premise is straightforward: complex electronic hardware requires a structured development process that systematically reduces the probability of undetected design errors. Testing alone cannot achieve this for sufficiently complex hardware, so DO-254 demands that the process itself be managed, documented, and independently reviewed.
This is a different framing than most hardware engineers encounter in non-aviation work. In general electronics development, verification is largely about confirming the design meets its specification. Under DO-254, verification must also show that the specification is correct, that the design correctly implements it, and that the evidence connecting all three layers is traceable and complete.
Design Assurance Levels: A through E
DO-254 defines five Design Assurance Levels, each calibrated to the severity of the failure condition the hardware item could contribute to.
DAL A — Catastrophic. Failure would cause loss of the aircraft or multiple fatalities. The highest rigor applies. Every planning document, every design requirement, every verification activity must be shown complete and correct. Independent review is required at each life-cycle phase.
DAL B — Hazardous/Severe-Major. Failure could seriously harm occupants or reduce aircraft capability to dangerous margins. Substantially the same rigor as DAL A, with slight relaxation in some review independence requirements.
DAL C — Major. Failure significantly reduces safety margin or increases crew workload. A defined process is required, but some flexibility exists in how verification is structured.
DAL D — Minor. Failure has noticeable but operationally manageable effects. Basic hardware design process documentation is required.
DAL E — No Safety Effect. No specific DO-254 requirements apply, though manufacturers typically apply their own quality processes.
The DAL for a hardware item is allocated from the system safety assessment, which is conducted under ARP4761 (the safety assessment process guidance used alongside DO-254 and DO-178C). A hardware engineer who does not know the DAL of their item before design starts has a process problem, not just a documentation problem.
DO-254 and DO-178C: Related But Not Interchangeable
Engineers who know DO-178C sometimes assume DO-254 is simply the hardware version of the same document. The relationship is close but not identical, and conflating them creates compliance gaps.
Both standards share the same safety philosophy: structured development, documented processes, independence between development and verification, and evidence that requirements are satisfied. Both were deliberately aligned when DO-254 was written. Both use the same DAL letter designations tied to the same ARP4754A system safety framework.
The differences matter in practice. DO-178C operates on source code and its compilation artifacts, where formal methods and structural coverage analysis have well-established interpretations. DO-254 operates on hardware—schematics, HDL, netlists, layout—where the path from design intent to physical behavior involves additional transformation steps and where coverage concepts are less mature.
DO-254 also has explicit provisions for elemental analysis and hardware design representation (HDR) reviews that have no direct DO-178C counterpart. The HDR review process requires that hardware developers demonstrate the design implementation correctly realizes the requirements—not just that requirements were written and tests were run.
One consequential difference: DO-254 introduced the concept of previously developed hardware (PDH) and commercial off-the-shelf (COTS) components, each with specific acceptance criteria. Software teams have analogous concerns, but the hardware domain has more complex physical dependency chains that make COTS management its own discipline.
The Four Core Processes
DO-254 structures hardware development around four interlocked processes. Understanding them in sequence clarifies what the standard actually demands in practice.
1. Planning
Before design begins, the team must produce a set of planning documents. The Hardware Development Plan (HDP) defines how the hardware will be developed. The Hardware Verification Plan (HVP) defines how verification will be conducted. The Hardware Configuration Management Plan (HCMP) and Hardware Process Assurance Plan (HPAP) address how the work products will be controlled and how process compliance will be monitored.
These are not bureaucratic formalities. Certification authorities review these documents early—often before significant design work—because the plans establish the basis for evaluating everything that follows. A plan that is vague about verification methods or that does not clearly identify what constitutes a hardware life-cycle data item will generate DER comments before the first schematic is drawn.
2. Design
The design process in DO-254 flows from requirements through conceptual design, detailed design, and implementation. At DAL A and B, each transition requires documented review and evidence that the lower-level design correctly implements the level above it.
Requirements must be written in a testable form. This is not optional. If a requirement states that the hardware “shall respond quickly,” it cannot be verified, and a reviewer will reject it. Requirements must specify conditions, outputs, and the measurable criteria that determine compliance.
For FPGA and ASIC designs, DO-254 requires that the HDL implementation be treated as a design representation that itself must be verified against the design requirements—not just synthesized and tested as a black box. This is one of the most consequential implications of the standard for teams migrating from discrete logic to programmable hardware.
3. Validation
Validation answers the question: are the requirements correct? This is distinct from verification, which asks whether the implementation satisfies the requirements. Validation activities under DO-254 typically include requirements reviews, analysis, prototype evaluation, and simulation—anything that provides evidence that the hardware specification correctly captures what the hardware needs to do.
Many teams underinvest here, treating validation as a synonym for verification. Reviewers notice. A common DER finding in first-time DO-254 programs is that the verification evidence is detailed but the validation evidence for the requirements themselves is thin or entirely absent.
4. Verification
Verification activities—test, analysis, inspection, and formal methods where applicable—must be planned, executed, and documented in a way that provides traceability from each hardware requirement to the test or analysis activity that demonstrates compliance.
The key output is not just test results but a Hardware Verification Results (HVR) document that links requirements to verification methods and results, with coverage analysis showing that all requirements have been addressed. This traceability matrix is what reviewers examine when they want to establish that the verification process was complete.
Why FPGAs and ASICs Have Raised the Stakes
DO-254 was written with FPGAs and complex programmable logic explicitly in mind. The CAST-4 position paper (from the Certification Authorities Software Team, despite its name covering hardware) and subsequent FAA guidance have progressively tightened what is expected for programmable logic at DAL A and B.
The shift is being driven by aircraft design trends. Modern avionics increasingly consolidate functions that were previously implemented in discrete logic or standard ICs into FPGAs. This reduces size, weight, and power—and it concentrates design assurance responsibility. A single FPGA on a DAL A system may implement logic that previously resided in a dozen separate hardware items, each with its own design history. The DO-254 evidence for that FPGA must cover the full scope of what it implements.
Urban air mobility platforms, next-generation regional aircraft, and advanced air traffic management systems are all bringing new teams into DO-254 compliance for the first time—teams that built capable hardware using modern toolchains but did not build it with regulatory evidence in mind. Retrofitting that evidence after the fact is expensive and unreliable. Building the process correctly from the start is the only scalable approach.
How Requirements Tools Support DO-254 Compliance
This is where the engineering process meets the documentation infrastructure, and where teams frequently struggle.
DO-254 reviewers do not accept a requirements document and a test report submitted independently and ask engineers to verbally explain the connection. They expect a traceable evidence chain—from system-level requirements down through hardware requirements, design artifacts, verification activities, and test results—where every link is explicit, documented, and bidirectionally navigable. If a requirement changes, they expect to see what verification activities were affected and re-executed.
Building this by hand in spreadsheets is possible for small programs. It does not scale. A 500-requirement FPGA design with multiple requirement hierarchies, design configuration items, and verification events across a multi-year program cannot be managed in a static RTM without introducing errors.
This is the operational space where modern requirements management tools built for hardware engineering provide direct value.
Flow Engineering (flowengineering.com) is designed specifically for hardware and systems engineering teams working in regulated domains. Its graph-based model treats requirements, design artifacts, and verification activities as nodes in a connected structure rather than rows in a document. For DO-254 programs, this architecture matters because the relationships between work products—not just the work products themselves—are the primary evidence reviewers examine.
In practice, teams using Flow Engineering can define requirement hierarchies from system safety allocation through hardware requirements, link verification activities directly to the requirements they address, and generate coverage reports that show which requirements are untested, partially tested, or fully verified. When a requirement changes—and in hardware development, requirements change—the impact analysis is immediate: every downstream link is visible in the graph, and verification closure gaps surface automatically rather than being discovered in a pre-certification audit.
Flow Engineering’s AI-assisted requirement authoring also addresses one of the most common DO-254 deficiencies: requirements written in non-testable form. The tool flags ambiguous or non-verifiable requirement language during authoring, before the requirement propagates into a design baseline.
The deliberate focus of the tool is on the engineering process itself—requirements, traceability, and verification coverage—rather than on document generation or generic project management. For teams whose certification strategy depends on demonstrating process rigor, that focus is the right trade-off to make.
Other tools in the market—IBM DOORS Next, Jama Connect, Polarion—have DO-254 compliance use cases and established user bases in aviation. They are capable and in some cases better suited to large enterprises with existing investment in those platforms and dedicated requirements management staff. The practical difference for hardware-focused teams is that Flow Engineering’s model is built around the engineering artifact graph rather than around document hierarchies adapted to that purpose.
Practical Starting Points for DO-254 Programs
If you are beginning a DO-254 program—or inheriting one that lacks mature process infrastructure—here are the activities that move the needle fastest.
Get the DAL allocation in writing before any design starts. Every subsequent decision about process rigor depends on it. If your system safety assessment is incomplete, push for a preliminary allocation rather than proceeding without one.
Write the planning documents first and review them with your DER or ACO early. A planning document reviewed and accepted before design begins is worth ten times as much as one written to document what was already done.
Structure your requirements for testability from the first draft. Every requirement should name a measurable parameter, a condition, and an acceptable range or outcome. Apply this discipline during authoring, not during verification planning.
Stand up your traceability infrastructure before the design baseline is set. Establishing requirement-to-verification links after design is complete invites errors and consumes schedule. Tools like Flow Engineering are most effective when integrated at the start of the program, not used to reconstruct a history that was never captured.
Plan for the HDR review explicitly. Many first-time programs underestimate the preparation this requires. The review examines whether the implementation correctly represents the design requirements—not just whether it works. Having requirements, design artifacts, and verification evidence in a connected model rather than separate documents makes this review significantly less painful.
Honest Assessment
DO-254 is not a bureaucratic obstacle that aviation teams reluctantly endure. It is a structured engineering discipline that, when applied correctly, catches the classes of design error that functional testing does not reliably find in complex hardware.
The standard’s scope is expanding because hardware complexity is expanding. The FPGA consolidating twenty previously separate functions is not a simplification from a design assurance perspective—it is a concentration of design risk that the certification authority will examine with corresponding scrutiny.
Teams that build their processes around the evidence chain DO-254 requires—traceable, bidirectionally linked, maintained through configuration control—are in a fundamentally better position than teams that treat compliance as a documentation exercise applied to a design that was already completed. The standard does not mandate any specific tool, but it does mandate an approach to evidence management that modern graph-based requirements tools are far better suited to support than the spreadsheet-based RTMs that remain common in legacy programs.