Model-based design facilitates compliance to aerospace standards

March 1, 2010

By Bill Potter and Matt Behr

Clear design communication, engineering efficiencies, and automatic code generation are some of the benefits that model-based design provides to aerospace design organizations. Recently, many engineers have focused on using model-based design to systematically and continuously test designs through simulations, with a focus on pulling verification activities ahead in the design cycle. This early verification is accomplished by using commercial off-the-shelf (COTS) software so that designers can find errors earlier, when they are easier and less expensive to fix.

While the need to integrate verification into the design cycle is recognized throughout the aerospace industry, it is perhaps most acutely felt in the design of safety- and mission-critical systems. This need arises because, throughout the design cycle, engineers must validate requirements; that is, they must ensure that the system is being built correctly and verify compliance to the requirements. Moreover, engineers must demonstrate traceability from the requirements to the design and provide documentation of this traceability as well as of the verification of the design. The mandates span global markets, with DO-178B for software and DO-254 for electronics hardware (i.e., ASICs, FPGAs, etc.) in the U.S., and the equivalent ED-12B and ED-80 standards in Europe.

Importance of standards

All commercial aircraft software and electronics must be certified as compliant to these standards to have authority to fly in commercial airspace. In addition, many defense suppliers are also required to certify military systems or follow processes compliant to these standards for applications such as unmanned aerial vehicles (UAVs). This required compliance is unfamiliar territory for many suppliers and can increase costs and lead to delays.

While the cost of developing certified systems is appreciably high, the resulting quality and reliability increase as well. For instance, in the U.S., the goal of the DO-178B and DO-254 standards for safety-critical systems is a one-in-a-billion probability of causing a crash. Even without an accident, commercial aerospace is subject to government airworthiness directives. If a regulatory agency finds a problem with hardware or software, it can mandate that airlines change or update equipment, which increases cost and can damage the designers' reputations.

Certification authorities expect electronic systems developers to verify their requirements, design, and source code, and to conduct testing on the actual microcontroller, FPGA, or ASIC. Simultaneously, it is necessary to review outputs, maintain traceability, and perform version control for all artifacts throughout the process.

Estimates suggest that conformance to DO-178B adds 50 percent to 200 percent to software development costs. One way to contain these costs is to integrate verification activities earlier in the design process to ensure conformance to standards. This helps engineers find design errors earlier in the development process, before significant rework and re-documentation are needed.

Help is in the tools

Model-based design and COTS software tools can streamline the development of certified systems throughout design and implementation. These tools can aid designers in four key areas: traceability, requirements validation, verification, and conformance.

To comply with DO-178B or DO-254, each portion of a design must be traceable from requirements to implementation to test cases. With model-based design, engineers can insert traceability links that connect the model to the requirements. This requirements traceability is maintained through code generation by insertion of comments and links in C (DO-178B) or HDL (DO-254). In this way, full traceability is achieved, from requirements to design to implementation. Recent tool advances have provided bidirectional traceability in all cases, as well as the capability to generate summary reports, including a report summarizing all the requirements information contained within a model.

Simulation helps validate that requirements are being satisfied by enabling a design to be executed and easily exercised over a range of conditions. However, it is difficult to ensure that a set of simulations exercises a design over all conditions. To facilitate complete functional test case coverage, a complement to simulation is the use of formal analysis, or property proving to generate test cases. These techniques use mathematically rigorous procedures to simplify and search through a model’s possible execution paths to find test cases and counterexamples. This systematic analysis provides deeper understanding of the behavior of designs.

For example, consider an aircraft engine thrust reverser that can be used to help the aircraft brake on short landing strips. Typically, the reverser function is driven by logic, in software or hardware, that involves a number of sensor inputs, such as airspeed, weight on wheels, engine thrust, etc. Using property-proving technology, an engineer can pose a question to the COTS tools: "Prove to me that this logic will never engage if the airspeed is above a certain value or the weight is off the wheels." In this way, a developer can define these mission-critical properties, and formal analysis tools with model-based design can prove that certain scenarios cannot happen under any conditions.
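The thrust reverser property stated above, written out as an added illustration that is not code from the article or from any MathWorks product. A COTS property prover reasons symbolically over the model; this version instead enumerates a bounded, discretised input space, which is enough to show how the property is expressed and how a counterexample is reported when an interlock is missing. The thresholds, signal names and the deploy logic itself are constructed assumptions.

```python
from itertools import product

# Constructed thresholds for the example; not values from the article.
MAX_DEPLOY_AIRSPEED = 80   # knots: reverser must never engage above this
THRUST_IDLE_MAX = 20       # percent: deploy only when commanded thrust is at or near idle

def reverser_engage(airspeed, weight_on_wheels, thrust_pct, lever_reverse):
    """Candidate deploy logic with all interlocks present."""
    return (lever_reverse and weight_on_wheels
            and airspeed <= MAX_DEPLOY_AIRSPEED
            and thrust_pct <= THRUST_IDLE_MAX)

def reverser_engage_missing_interlock(airspeed, weight_on_wheels, thrust_pct, lever_reverse):
    """Same logic with the weight-on-wheels interlock omitted (a constructed defect)."""
    return (lever_reverse and airspeed <= MAX_DEPLOY_AIRSPEED
            and thrust_pct <= THRUST_IDLE_MAX)

def safety_property(airspeed, weight_on_wheels, engaged):
    """Property to prove: never engaged above the speed limit or with weight off wheels."""
    return not (engaged and (airspeed > MAX_DEPLOY_AIRSPEED or not weight_on_wheels))

def prove(logic, airspeeds=range(0, 301), thrusts=range(0, 101)):
    """Check the property over every combination of the discretised inputs.
    Returns None if it holds everywhere, otherwise the first violating input vector."""
    for airspeed, wow, thrust, lever in product(airspeeds, (False, True), thrusts, (False, True)):
        engaged = logic(airspeed, wow, thrust, lever)
        if not safety_property(airspeed, wow, engaged):
            return {"airspeed": airspeed, "weight_on_wheels": wow,
                    "thrust_pct": thrust, "lever_reverse": lever}
    return None

if __name__ == "__main__":
    print("all interlocks:", prove(reverser_engage))                       # None
    print("missing interlock:", prove(reverser_engage_missing_interlock))  # counterexample
```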

Verification

Verification is needed at each step of the process to ensure that an implementation matches the design and satisfies requirements. Using the executable models, developed as part of model-based design, engineers can continuously and systematically test their designs in simulation as part of the development process. An additional benefit of this continuous test and verification is that the design is developed with testability in mind. This ensures that the design can be tested both in simulations and on physical prototypes.

Another verification activity is to ensure that test cases reach 100 percent modified condition/decision coverage (MC/DC). While functional tests are used to ensure that performance requirements are met, they often do not exercise 100 percent of the design. Achieving this can be a daunting task. Model-based design and COTS tools can help address this challenge through formal analysis. Automatic test-generation tools, such as Simulink Design Verifier, ensure 100 percent coverage of the design at the model level. Note that the tests must ultimately also be run on the generated C or HDL code. However, the test cases generated on the model can be reused in C- or HDL-level testing.
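To make the MC/DC requirement concrete, here is an added example (not code from the article or from Simulink Design Verifier) that generates an MC/DC test set for a small constructed reverser decision by searching for one independence pair per condition, measures how far a pair of typical functional tests falls short, and shows that a masked condition can never reach 100 percent because no test set can exercise it independently. The decision functions and condition names are constructed assumptions.

```python
from itertools import product

def reverser_decision(lever_reverse, weight_on_wheels, airspeed_ok, thrust_idle):
    """Decision under test: deploy only when every interlock condition holds."""
    return lever_reverse and weight_on_wheels and airspeed_ok and thrust_idle

def masked_decision(lever_reverse, weight_on_wheels, thrust_idle):
    """Constructed defect: thrust_idle can never independently change the outcome."""
    return lever_reverse and (weight_on_wheels or (weight_on_wheels and thrust_idle))

def flip(vec, i):
    """Return vec with condition i toggled and every other condition unchanged."""
    return vec[:i] + (not vec[i],) + vec[i + 1:]

def independence_pairs(decision, n):
    """For each of the n conditions, find two input vectors that differ only in that
    condition and give different decision outcomes; that is the MC/DC requirement."""
    pairs = {}
    for vec in product((False, True), repeat=n):
        for i in range(n):
            if i not in pairs and decision(*vec) != decision(*flip(vec, i)):
                pairs[i] = (vec, flip(vec, i))
    return pairs

def mcdc_test_set(decision, n):
    """Union of one independence pair per condition, or None when some condition
    has no pair (masked or dead logic that no test set can cover)."""
    pairs = independence_pairs(decision, n)
    if len(pairs) != n:
        return None
    return sorted({vec for pair in pairs.values() for vec in pair})

def mcdc_coverage(decision, n, tests):
    """Fraction of conditions for which an independence pair exists within tests."""
    tests = set(tests)
    covered = sum(
        any(flip(v, i) in tests and decision(*v) != decision(*flip(v, i)) for v in tests)
        for i in range(n))
    return covered / n

if __name__ == "__main__":
    functional = [(True, True, True, True), (False, False, False, False)]
    print("functional tests MC/DC:", mcdc_coverage(reverser_decision, 4, functional))  # 0.0
    print("generated MC/DC set:", mcdc_test_set(reverser_decision, 4))                  # 5 vectors
    print("masked decision:", mcdc_test_set(masked_decision, 3))                        # None
```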

Formal verification methods can be used at the source code level as well. New COTS tools, such as PolySpace products, employ a formal method called abstract interpretation. These tools can find, for example, divisions by zero and overflows. Such errors have actually occurred in production and helped motivate the development of formal analysis tools. In one example, a booster rocket went off course and had to be destroyed. In that case, designers had upgraded the engines for greater thrust, producing higher G loads. But the control system reused software from a previous version of the rocket, which had produced lower levels of acceleration. The result was an overflow that disrupted the control logic.
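The overflow in that booster story is exactly the class of defect an interval-based abstract interpretation reports. The following is an added, deliberately small illustration, not PolySpace code or its algorithm: it evaluates a constructed expression over input ranges, flags a division whose divisor range contains zero and a conversion whose range leaves int16, and shows how widening the acceleration range after an engine upgrade turns a clean result into a finding. The expression, scale factor and input ranges are constructed assumptions.

```python
INT16_MIN, INT16_MAX = -32768, 32767

def iv_add(a, b):
    return (a[0] + b[0], a[1] + b[1])

def iv_mul(a, b):
    corners = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(corners), max(corners))

def analyse(expr, env, findings):
    """Abstractly evaluate expr in the interval domain.  expr is a nested tuple:
    ('var', name) | ('const', v) | ('add', e1, e2) | ('mul', e1, e2) | ('div', e1, e2)
    | ('to_int16', e).  env maps variable names to (lo, hi) input ranges.  A divisor
    range containing zero and a to_int16 operand leaving int16 are recorded in findings."""
    op = expr[0]
    if op == 'var':
        return env[expr[1]]
    if op == 'const':
        return (expr[1], expr[1])
    if op in ('add', 'mul', 'div'):
        a = analyse(expr[1], env, findings)
        b = analyse(expr[2], env, findings)
        if op == 'add':
            return iv_add(a, b)
        if op == 'mul':
            return iv_mul(a, b)
        if b[0] <= 0 <= b[1]:
            findings.append(('possible division by zero', expr, b))
            return (float('-inf'), float('inf'))   # sound but imprecise after a bad divide
        return iv_mul(a, (1 / b[1], 1 / b[0]))    # divisor has one sign, so this is exact
    if op == 'to_int16':
        r = analyse(expr[1], env, findings)
        if r[0] < INT16_MIN or r[1] > INT16_MAX:
            findings.append(('possible int16 overflow', expr, r))
        return (max(r[0], INT16_MIN), min(r[1], INT16_MAX))
    raise ValueError(f"unknown op {op}")

def check(expr, env):
    """Run the analysis and return the list of findings (empty means none detected)."""
    findings = []
    analyse(expr, env, findings)
    return findings

# Constructed control-law fragment: scale a sensed acceleration and pack it into int16.
SCALED_ACCEL = ('to_int16', ('mul', ('var', 'accel'), ('const', 500)))
OLD_VEHICLE = {'accel': (-40, 40)}   # input range the reused code was verified against
NEW_VEHICLE = {'accel': (-80, 80)}   # wider range after the higher-thrust engine upgrade
```

`check(SCALED_ACCEL, OLD_VEHICLE)` returns no findings, while `check(SCALED_ACCEL, NEW_VEHICLE)` reports a possible int16 overflow with operand range (-40000, 40000).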

Conformance to standards

The development of and adherence to design and coding styles is a key part of a safety-critical workflow. To aid engineers, model-based design tools provide a static check on the model and determine whether it conforms to corporate or industry modeling standards. Modeling standards are equivalent to coding standards and can dictate aesthetic and functional aspects of the model. Model-based design provides this static check, meaning design engineers are not executing the model but rather examining it statically and analyzing its characteristics. Typical characteristics include model settings, data types, code generator settings, and HDL settings.

This static process can detect mistakes as simple as a missing connection for a block output or input. The method can also uncover more serious, but nuanced issues.

The actual implementation, C or HDL, must also conform to standards. Tools such as PolySpace can analyze C code to ensure it conforms to the MISRA-C coding standard.

On the HDL side, tools such as HDL Designer from Mentor Graphics provide HDL conformance checking capabilities. Conformance to design, code, and HDL standards is another objective that must be met for DO-178B and DO-254.

Tool qualification

A review is necessary after many stages of development and verification. Traditionally, these reviews have been time-consuming manual processes, usually taking the form of design review sessions. However, the certification standards discussed here allow verification tools to be qualified on a program-by-program basis. Tool qualification enables engineers to trust the output of the verification tool and skip manual reviews.

Today, engineers can use products such as The MathWorks DO Qualification Kit to qualify tools for use on their specific projects. With tool operational requirements, tool qualification plans, test case models, and code, the kit helps address the individual components of each standard’s tool qualification requirements and produce the required evidence to demonstrate compliance.

Bill Potter and Matt Behr are involved in aerospace industry marketing at The MathWorks, a provider of software for technical computing and model-based design in Natick, Mass.
