Airbus Helicopters Accelerates Development of DO-178B Certified Software with Model-Based Design
- Software testing time cut by two-thirds
- Requirements stabilized earlier
- Certified flight software automatically generated
“We use our system design model in Simulink for ARP4754 to establish stable, objective requirements. We save time by using the model as the basis for our software design model for DO-178—from which we generate flight code—and reusing validation tests for software verification.”Ronald Blanrue, Airbus Helicopters
Building software for aircraft in compliance with DO-178B, DO-178C, and ARP4754 guidelines presents several challenges. After developing a formal Plan for Software Aspects of Certification (PSAC) and having it approved by the European Aviation Safety Agency (EASA), the software development organization must rigorously follow that plan and then demonstrate that it has done so before receiving certification. These challenges are often compounded by changing, or poorly communicated, system and software specifications.
Engineers at Airbus Helicopters use Model-Based Design to accelerate development and to stabilize system and software specifications. Based on textual requirements, they model the software architecture, system design, and software design in Simulink®, and then use Embedded Coder® to generate code for flight software, including an air conditioning control system (with bi-zone temperature, demisting, and defrosting) aboard Airbus Helicopters EC130 helicopters.
“Simulink enables us to stabilize our requirements and specification as early as possible because we develop the specification and the design concurrently,” says Ronald Blanrue, avionic certification specialist at Airbus Helicopters. “We validate the requirements and specification with the Simulink model, and then reuse the model to generate code with Embedded Coder.”
Before beginning development, Airbus Helicopters needed a comprehensive certification strategy, which included identifying the necessary software development and verification tools. The company would then present this plan to EASA for their review and approval.
As a mature development organization, Airbus Helicopters rarely encountered difficulties with coding or testing; rather, their problems stemmed from difficulties in stabilizing the specification. Engineers sometimes misinterpreted the requirements and implemented a system that behaved correctly but not as intended. In fact, the company estimated that up to 90% of problems discovered late in development were due to errors in the specification and design, not the source code. Airbus Helicopters wanted to stabilize and validate requirements early in the development workflow for DO-178B certified software.
Airbus Helicopters developed a PSAC based on Simulink, Simulink Check™, Simulink Coverage™, and Embedded Coder for its EC130 air conditioning software.
They used Simulink to model the system design for ARP4754. To validate the specification, they conducted functional tests of this model and a behavioral plant model, also built in Simulink.
They reused the system model, adding detail to create the software design for DO-178B. The tests that the team had created for the system design were enhanced and reused to verify the software design.
The team used Simulink Check to check compliance with DO-178B modeling standards. They also checked custom modeling guidelines, for example for incorporating legacy C code into the model with S-functions.
Model coverage reports from Simulink Coverage enabled the team to identify elements of the design or specification that were not covered by their tests. Though the reports were not submitted for certification credit, the coverage analysis helped the team create a complete test suite for the object code, which was used for certification.
Using Embedded Coder, Airbus Helicopters engineers generated C code from the software design model. After conducting a code review using model-to-code bidirectional navigation links generated by Embedded Coder, the team compiled and tested the generated code. To help achieve the software verification (including code coverage), they again reused the test cases that they had used for validation and verification of the Simulink model.
The software was certified to DO-178B DAL C by EASA and is currently in production on EC130 helicopters.
Software testing time cut by two-thirds. “We used to spend weeks testing the software, but with Model-Based Design it takes just a few days,” says Thomas Gelas, design engineer at Airbus Helicopters. “We have shifted much of our testing effort to validation activities, which enables us to identify and resolve problems earlier in development.”
Requirements stabilized earlier. “With Simulink we validate the specification with the design model and then reuse it to model the software. No other process improvement has saved us as much time as rapid stabilization of our specification,” says Blanrue. This approach could enable Airbus Helicopters to freeze the specification up to a year earlier compared with previous multiyear projects.
Certified flight software automatically generated. “Our negotiations with the certification authority were positive because EASA is seeing more companies that rely on models for software development and recognize the value of modeling,” says Blanrue. “After completion of a code review, EASA certified the flight software that we built with code generated by Embedded Coder to DO-178B.”