Alenia Aermacchi Develops Autopilot Software for DO-178B Level A Certification

“For us, a key advantage of Model-Based Design is the ability to concentrate on design and development instead of low-level coding, verification, and certification tasks. The result is higher quality, DO-178B certified software, and faster iterations.”

Challenge

Develop the company’s first DO-178B Level A certified autopilot system

Solution

Use Model-Based Design to model the system and software design, verify requirements coverage, generate code, and produce reports and other artifacts for the certification authority

Results

  • Requirements review for certification up to 30% shorter
  • Time-to-flight reduced by 20%
  • Low-level certification activities automated

The Alenia Aermacchi M-346.

With flight characteristics similar to the latest fighter aircraft, the Alenia Aermacchi M-346 enables pilots to train safely in an aircraft with low life-cycle costs. Equipped with four redundant computers, the M-346 flight control system (FCS) supports fly-by-wire control and advanced autopilot capabilities.

Alenia Aermacchi used Model-Based Design to develop the autopilot software and certify it to DO-178B Level A.

“With Model-Based Design, everything is linked,” says Massimiliano Campagnoli, FCS Application Software Team Leader at Alenia Aermacchi. “Our Simulink system model is executable, enabling early validation of requirements. That same model, updated to be compliant with DO-178B modeling standards, is used to generate flight code.”

Challenge

Because the M-346 autopilot system was the first the engineering team had developed, a principal objective was to quickly identify problems and incorporate feedback from test pilots. The final autopilot software required DO-178B Level A certification.

The team decided to pursue a development approach along two paths: experimental and certification. For the experimental path, they would focus on rapid development using the less rigorous DO-178B Level D standards and adopt architectural solutions to safeguard overall system reliability and safety. For the certification path, they would reuse and refine the experimental version of the design to develop software for full DO-178B Level A certification.

Alenia Aermacchi needed a development environment that would support the activities and objectives of both paths, including design simulation, requirements traceability, model coverage analysis, code generation and analysis, and report generation.

Solution

Alenia Aermacchi engineers developed the autopilot software for the M-346 using Model-Based Design with Simulink®.

A team of system and control engineers developed a system model in Simulink and Stateflow® in accordance with ARP-4754, using Stateflow to define the six primary autopilot states, the transitions between them, and other control logic. They ran simulations to validate the system behavior.

The team elaborated the system model to create the autopilot software model, optimizing it to improve performance and incorporating modeling and safety standards to satisfy certification constraints.

They ran additional simulations on the software model and ensured 100% coverage of the software requirements from these tests using model coverage analysis with Simulink Coverage™.

They used the Requirements Management Interface in Requirements Toolbox™ to link the software requirements in IBM® Rational® DOORS® to Simulink and Stateflow objects in their model. With Simulink Report Generator™, they generated a requirements traceability report for certification.

They used Model Advisor to check their software model against DO-178B high-integrity standards and Alenia Aermacchi’s own custom rules.

Using Embedded Coder®, the team generated about 17,000 lines of C code from their software model. They compiled the generated code for a PowerPC® processor using the Green Hills® AdaMULTI® compiler.

The team used Polyspace® static analysis tools to check the code for run-time errors, ensure compliance with MISRA C® coding standards, and create artifacts for certification credit. They qualified Polyspace code verifiers and Simulink Coverage using DO Qualification Kit for DO-178.
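The paragraph above names two of the defect classes that static run-time error checking finds in control code: out-of-bounds table reads and arithmetic overflow. The small C example below is added here for illustration and is not code from Alenia Aermacchi, the M-346 autopilot or MathWorks; the gain-schedule table, its values, the function names and the fixed-width types are all assumptions. It places an unchecked table lookup next to a hardened form whose index and arithmetic are provably in range, which is the kind of evidence a static analyzer can attest to for certification credit.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed gain-schedule table: one gain per airspeed band.
 * Hypothetical values chosen only for this example. */
#define N_BANDS 4U
static const int32_t gain_table[N_BANDS] = { 120, 100, 80, 60 };

/* "Before" form: the band index comes straight from an input with no range
 * check. A static analyzer flags the table read as a possible out-of-bounds
 * access because band is not provably less than N_BANDS on every path. */
int32_t gain_unchecked(uint32_t band)
{
    return gain_table[band];          /* undefined behaviour for band >= N_BANDS */
}

/* Hardened form: saturate the index into the valid range. With an unsigned,
 * fixed-width index and the explicit bound, every path is provably in bounds. */
int32_t gain_checked(uint32_t band)
{
    if (band >= N_BANDS) {
        band = N_BANDS - 1U;          /* clamp rather than wrap or trap */
    }
    return gain_table[band];
}

/* Commanded pitch rate = gain * error. The product is formed in a wider type
 * and saturated, so the multiplication cannot overflow int32_t. */
int32_t pitch_cmd(uint32_t band, int32_t error)
{
    int64_t wide = (int64_t)gain_checked(band) * (int64_t)error;
    if (wide > (int64_t)INT32_MAX) {
        return INT32_MAX;
    }
    if (wide < (int64_t)INT32_MIN) {
        return INT32_MIN;
    }
    return (int32_t)wide;
}

/* Stand-alone demonstration: an out-of-range band and a large error are both
 * handled without undefined behaviour in the hardened path. */
int main(void)
{
    printf("gain_checked(99) = %ld\n", (long)gain_checked(99U));
    printf("pitch_cmd(0, INT32_MAX) = %ld\n", (long)pitch_cmd(0U, INT32_MAX));
    return 0;
}
```

The unchecked function is kept only to show what the analyzer reports; in certified code it would be replaced by the checked form, and the clamp itself becomes a requirement with its own test so that the saturation branch is exercised in coverage analysis.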

The team created test suites for the generated code based on the software model tests they had created for Simulink. After running these tests, they compared the code coverage results with the model coverage results obtained from Simulink Coverage.

The M-346 aircraft (including autopilot functionalities) has obtained type certification from the Secretariat General of Defense and National Armaments Directorate within the Italian Ministry of Defence. Alenia Aermacchi engineers are currently working on a project in which all the software components (CSCIs) will be developed using Model-Based Design and certified to DO-178C.

Results

  • Requirements review for certification up to 30% shorter. “On previous projects, the requirements coverage analysis was performed manually and based on subjective evaluation,” says Campagnoli. “Simulink, Simulink Coverage, and Requirements Toolbox enabled us to automate this analysis and provided objective coverage metrics, which helped us shorten requirements review for certification by up to 30%.”

  • Time-to-flight reduced by 20%. “Model-Based Design enabled us to rapidly improve the design based on pilot and flight engineer feedback,” Campagnoli says. “We reduced time-to-flight by about 20%. More importantly, we did so while improving software quality.”

  • Low-level certification activities automated. “We automated many low-level certification activities, including requirements coverage analysis, run-time error checking, and standards compliance checking,” says Campagnoli. “Automation freed us to spend more time refining requirements, optimizing the system, improving our tests, and performing other higher-value tasks.”