“We use our system design model in Simulink for ARP4754 to establish stable, objective requirements. We save time by using the model as the basis for our software design model for DO-178—from which we generate flight code—and reusing validation tests for software verification.”
Ronald Blanrue, Airbus Helicopters
Building software for aircraft in compliance with DO-178B, DO-178C, and ARP4754 guidelines presents several challenges. After developing a formal Plan for Software Aspects of Certification (PSAC) and having it approved by the European Aviation Safety Agency (EASA), the software development organization must rigorously follow that plan and then demonstrate that it has done so before receiving certification. These challenges are often compounded by changing, or poorly communicated, system and software specifications.
Engineers at Airbus Helicopters use Model-Based Design to accelerate development and to stabilize system and software specifications. Based on textual requirements, they model the software architecture, system design, and software design in Simulink®, and then use Embedded Coder® to generate code for flight software, including an air conditioning control system (with bi-zone temperature, demisting, and defrosting) aboard Airbus Helicopters EC130 helicopters.
“Simulink enables us to stabilize our requirements and specification as early as possible because we develop the specification and the design concurrently,” says Ronald Blanrue, avionic certification specialist at Airbus Helicopters. “We validate the requirements and specification with the Simulink model, and then reuse the model to generate code with Embedded Coder.”
Before beginning development, Airbus Helicopters needed a comprehensive certification strategy, including the choice of software development and verification tools. The company would then present this plan to EASA for review and approval.
As a mature development organization, Airbus Helicopters rarely encountered difficulties with coding or testing; rather, their problems stemmed from difficulties in stabilizing the specification. Engineers sometimes misinterpreted the requirements and implemented a system that behaved correctly but not as intended. In fact, the company estimated that up to 90% of problems discovered late in development were due to errors in the specification and design, not the source code. Airbus Helicopters wanted to stabilize and validate requirements early in the development workflow for DO-178B certified software.
Airbus Helicopters developed a PSAC based on Simulink, Simulink Verification and Validation™, and Embedded Coder for its EC130 air conditioning software.
They used Simulink to model the system design for ARP4754. To validate the specification, they ran functional tests of this model together with a behavioral plant model, also built in Simulink.
They reused the system model, adding detail to create the software design for DO-178B. The tests that the team had created for the system design were enhanced and reused to verify the software design.
The team used Simulink Verification and Validation to check compliance with DO-178B modeling standards. They also checked custom modeling guidelines, for example guidelines for incorporating legacy C code into the model through S-functions.
Model coverage reports from Simulink Verification and Validation enabled the team to identify elements of the design or specification that were not covered by their tests. Though the reports were not submitted for certification credit, the coverage analysis helped the team create a complete test suite for the object code, which was used for certification.
Using Embedded Coder, Airbus Helicopters engineers generated C code from the software design model. After conducting a code review using the model-to-code bidirectional navigation links generated by Embedded Coder, the team compiled and tested the generated code. To meet the software verification objectives, including structural code coverage, they again reused the test cases they had used for validation and verification of the Simulink model.
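The workflow above rests on two ideas: the same requirement-based tests are run first against the design model and then against the code produced from it, and a coverage report over the model exposes the parts of the specification the tests never exercise. The following Python script is an added illustration of that loop and is not Airbus Helicopters' or MathWorks' code. Everything in it is hypothetical: the two-zone controller logic with a demist override, the 0.5 degree hysteresis band, the REQ-xx identifiers, the test vectors, and the small `Coverage` class, which stands in for the decision coverage a tool such as Simulink Verification and Validation would collect. The "model" works in degrees Celsius as an executable specification would; the "implementation" works in integer tenths of a degree, as generated fixed-point code might.

```python
"""Back-to-back testing of a design model against its implementation, plus
decision coverage to expose requirements the test suite never exercises.
Added illustration of a model-based verification loop; the controller logic,
requirement IDs, hysteresis value and test vectors are all hypothetical."""
from dataclasses import dataclass, field

HYST_C = 0.5  # assumed hysteresis band, degrees C

# Decision points in the model, one per conditional a coverage tool would track.
DECISIONS = ("demist", "z1_cold", "z1_hot", "z2_cold", "z2_hot")


@dataclass
class Coverage:
    """Records every (decision, outcome) pair that executed, like model coverage."""
    hits: set = field(default_factory=set)

    def dec(self, name, cond):
        self.hits.add((name, bool(cond)))
        return cond

    def uncovered(self):
        """Decision outcomes no test reached; each one is a test-suite gap to close."""
        full = {(n, o) for n in DECISIONS for o in (True, False)}
        return sorted(full - self.hits)


def model_controller(z1, z2, sp1, sp2, demist, cov):
    """System-design model (executable specification) in engineering units."""
    if cov.dec("demist", demist):  # hypothetical REQ-03: demist overrides zone control
        return {"z1": "heat", "z2": "heat", "flow": "windshield"}
    if cov.dec("z1_cold", z1 < sp1 - HYST_C):
        c1 = "heat"
    elif cov.dec("z1_hot", z1 > sp1 + HYST_C):
        c1 = "cool"
    else:
        c1 = "hold"
    if cov.dec("z2_cold", z2 < sp2 - HYST_C):
        c2 = "heat"
    elif cov.dec("z2_hot", z2 > sp2 + HYST_C):
        c2 = "cool"
    else:
        c2 = "hold"
    return {"z1": c1, "z2": c2, "flow": "cabin"}


def impl_controller(z1_t, z2_t, sp1_t, sp2_t, demist):
    """Software-level implementation in integer tenths of a degree, the way
    generated fixed-point code would be written. Same requirements, different
    representation, so it must be tested independently of the model."""
    HYST_T = 5
    if demist:
        return {"z1": "heat", "z2": "heat", "flow": "windshield"}

    def zone(t, sp):
        if t < sp - HYST_T:
            return "heat"
        if t > sp + HYST_T:
            return "cool"
        return "hold"

    return {"z1": zone(z1_t, sp1_t), "z2": zone(z2_t, sp2_t), "flow": "cabin"}


def to_tenths(deg_c):
    return round(deg_c * 10)


# Constructed requirement-based test vectors; each traces to a hypothetical REQ ID.
# Inputs: zone-1 temp, zone-2 temp, setpoint 1, setpoint 2, demist request.
INITIAL_SUITE = [
    ("REQ-01 cold zone heats",  (18.0, 22.0, 22.0, 22.0, False), {"z1": "heat", "z2": "hold", "flow": "cabin"}),
    ("REQ-02 hot zone cools",   (22.0, 26.0, 22.0, 22.0, False), {"z1": "hold", "z2": "cool", "flow": "cabin"}),
    ("REQ-03 demist overrides", (22.0, 22.0, 22.0, 22.0, True),  {"z1": "heat", "z2": "heat", "flow": "windshield"}),
]
# The vector a coverage report would prompt: it takes the two branches the initial suite misses.
GAP_CLOSING = [
    ("REQ-04 both zones off-band", (26.0, 18.0, 22.0, 22.0, False), {"z1": "cool", "z2": "heat", "flow": "cabin"}),
]


def run_suite(tests):
    """Run every vector against both the model and the implementation.
    Returns (failures, uncovered): failures name the test and the level that
    diverged from the expected result; uncovered lists untaken decision outcomes."""
    cov = Coverage()
    failures = []
    for name, (z1, z2, sp1, sp2, demist), expected in tests:
        got_model = model_controller(z1, z2, sp1, sp2, demist, cov)
        got_impl = impl_controller(*(to_tenths(v) for v in (z1, z2, sp1, sp2)), demist)
        if got_model != expected:
            failures.append((name, "model"))
        if got_impl != expected:
            failures.append((name, "impl"))
    return failures, cov.uncovered()


if __name__ == "__main__":
    print(run_suite(INITIAL_SUITE))                 # no failures, two uncovered decisions
    print(run_suite(INITIAL_SUITE + GAP_CLOSING))   # no failures, full decision coverage
```

With the three initial vectors every test passes at both levels, yet the coverage record shows that the "zone 1 hot" and "zone 2 cold" branches were never taken; a passing suite is not a complete one. Adding REQ-04 closes both gaps. The same vectors drive the model and the implementation, which is the reuse the page describes, and any divergence between the two levels shows up as a failure tagged with the level that broke.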
The software was certified to DO-178B DAL C by EASA and is currently in production on EC130 helicopters.
Challenge: Speed the development, validation, and verification of DO-178B certified helicopter flight software
Solution: Use Model-Based Design to model the system design and software design, and to generate flight code