1 Introduction to RTCA/DO-254
RTCA DO-254 (also known as EUROCAE ED-80), Design Assurance Guidance for Airborne Electronic Hardware,[1] was prepared jointly by RTCA Special Committee 180 and EUROCAE Working Group 46, and was subsequently published by RTCA and EUROCAE in April 2000. These industry working groups were formed in the 1990s and took seven years to create DO-254.
DO-254 is not a technical manual, nor is it an engineering cookbook. It does not prescribe the design characteristics of electronic circuits or components, nor does it contain design standards. In fact, it contains virtually no technical information that an engineer can use to guide a circuit design. Instead, it provides guidance on the processes and methodologies that should be applied in the development and verification of electronic hardware to achieve an acceptable level of confidence that the end hardware functions correctly and will be in compliance with airworthiness requirements. While it can be argued that some aspects of a design can be influenced by the desire to facilitate the design and verification methodologies contained in DO-254, there are actually no design features that must or must not exist solely because of the need to comply with it.
The guidance in DO-254 represents industry consensus on the best practices that will ensure that electronic hardware is developed and verified in a way that is appropriate for its design assurance level (DAL)—often shortened to “Level”—and will ensure, to a realistic level, a safe and reliable product. The supporting processes defined in DO-254 (configuration management, process assurance, and validation/verification) are particularly effective in controlling the introduction of design errors as well as identifying errors that are inevitably introduced despite best efforts to the contrary. DO-254 describes the objectives for each phase of a typical electronic hardware development life cycle and describes the activities usually associated with the life cycle phase.
The genesis of DO-254 stems from concerns that as electronics technology rapidly evolved, enabling systems to become more complex and to host more functionality, proving that these systems were safe and reliable was becoming more and more difficult. Most of the electronic systems and programmable logic devices (PLDs) that are used on modern aircraft are well beyond our ability to prove safe through quantitative analysis, and in the absence of this avenue of design assurance, the only other viable means of establishing the necessary design assurance is to use structured and disciplined processes and methodologies during their development. The advantages of using this means are, first, that the processes and methodologies force designers to create a design in a logical and systematic (and therefore repeatable) manner, and second, they create a type of transparency in the design and its project by enforcing a high level of documentation and traceability that, while inconvenient on the surface, has repeatedly proven its worth over the long-term life of a design. Like them or not, the best practices in DO-254 can, particularly in the long run, be a project’s best friend.
The guidance in DO-254 was written to apply to all complex electronic hardware that performs safety-critical system functions. While DO-254 discusses PLDs, they are considered within the context of system and equipment development, and not necessarily as the only aspect of the system that should use the guidance in DO-254. When the Federal Aviation Administration (FAA) published its Advisory Circular (AC) 20-152,[2] which approved DO-254 as an acceptable (but not the only) means of satisfying the Federal Aviation Regulations (FARs) for PLDs, it essentially reduced the application of DO-254's guidance to a small subset of its original scope.
Narrowing the focus of DO-254 from the system level to the component level can be problematic because electronic system guidance must then be interpreted and applied to individual components within the system. Examples of potential problems include determining the scope of the life cycle data, determining how to interpret and apply DO-254 Table A-1 to PLD life cycle data, and sorting out which activities and aspects apply at the component level as opposed to the system level (such as acceptance tests, environmental tests, functional failure path analysis, and traceability to elements in the hardware implementation, none of which are entirely practical at the component level). There are also boundary issues: much of DO-254's overall effectiveness relies upon applying all of its guidance to all levels of a system, which creates a seamless interconnection and flow of processes and data between all levels of the system (line replaceable unit [LRU], sub-assemblies, circuit card assemblies [CCA], and component [typically a PLD]). When one level of the system is singled out for the isolated application of DO-254, it loses this flow to the other levels, creating a discontinuity in both processes and data that can, if not properly anticipated, render much of the design assurance activity ineffective or meaningless. Applying DO-254 only at the PLD level can be made to work through judicious interpretation and tailoring, but in the end the document is most easily comprehended and most effectively applied from the perspective for which it was conceived, written, and ultimately intended to be applied: in other words, throughout the entire system.
DESIGN ASSURANCE LEVEL
DO-254 defines five levels for the design assurance of airborne electronic systems. These five design assurance levels are defined as levels A through E, where A is the most stringent and E is the least. These five levels correspond to the five classifications of failure conditions defined in the regulatory materials that govern the certification of airborne systems and equipment.
Table 1.1 identifies the five hazard classifications and maps them to their corresponding design assurance level, the required probability of failure per flight hour for equipment of each level, and a description of the hazard. The hazard classifications are described with respect to the effect that a failure of the system or equipment will have on the aircraft, its occupants, its safety margins, and the ability of its crew to deal with adverse operating conditions. The most severe classification is catastrophic (level A), indicating that a failure of level A equipment will, for all practical purposes, result in a catastrophic hull loss of the aircraft. The least sever...