Reliable automatic cabin pressure control is of vital importance to the occupants of any plane, and it is first and foremost a safety-critical functionality that must function without errors at all times. Some of the most important mechanical components in a cabin pressure control system are the electronically controlled, complex air outlet valves, which regulate circulation according to the fresh air intake and also control the cabin pressure via the waste air.
The software required for valve control is implemented on several electronic controllers. Sensors in the cabin pick up the air pressure data and pass it to the responsible controllers, and the flight management system provides the environment data. The cabin pressure control system not only ensures that the air pressure stays within predefined limits. Further tasks include regulating the pressure change rate, which affects the comfort of the passengers, and protecting the aircraft's outer skin against the damage that might be caused if the difference between external and internal pressure were too great.
Nord-Micro has many years of experience in developing cabin pressure control systems, especially for passenger planes with more than 80 seats. The company has been using dSPACE’s production code generator, TargetLink, to develop and autocode controller software since 2000. Thus, numerous aircraft, from regional jets such as the Boeing 737 up to the Boeing 787 Dreamliner and the Airbus A380, have Nord-Micro cabin pressure control systems on board that contain controller software developed and autocoded with TargetLink. The safety-critical software developed in this way meets the rigorous requirements defined by aircraft manufacturers and aviation authorities for software used in aircraft, including certification up to safety level A. The main standard is DO-178B, which defines the requirements for software development in aviation. In more recent projects, Nord-Micro has employed TargetLink as a design and coding tool and used the code generator's test support functionality to facilitate code reviews, module tests on the target, and tool integration with IBM Rational Test RealTime (RTR) for analyzing the required code coverage.
Because the software developed by Nord-Micro is intended for use in a safety-critical system, the production code generator has to meet numerous requirements including:
• Support for coding guidelines—Nord-Micro and aircraft manufacturers all have coding guidelines aimed at fulfilling DO-178B. Practical experience has shown that TargetLink generates code that meets the specifications.
• Code readability—The generated code’s readability makes it easier for Nord-Micro to carry out code reviews.
• Requirements for model-based design—Model-based design is not yet covered by the DO-178B standard. The American and European aviation authorities have therefore started to publish specifications for translating DO-178B requirements into requirements for model-based design. These specifications relate to issues such as meaningful names for signals in models and the modeling style that is used.
• Deterministic code generation—Nord-Micro's test efficiency benefits from deterministic code generation. This ensures that any changes made to a subfunction have only a local effect, and functionalities that were already tested are not affected by changes to other model segments.
• High code efficiency—Even at the lowest code optimization level, which is usually used for safety-critical aviation applications, the automatically generated code is efficient enough for the controller to execute it in the required time.
“TargetLink effortlessly fulfills the rigorous requirements for model-based development issued by European and American aviation authorities,“ said Andreas Alaoui, Manager Software Engineering, Nord-Micro AG & Co OHG.
Beyond autocoding, Nord-Micro uses TargetLink for model design and to automatically scale the model for fix-point arithmetics. The automatically generated documentation serves as a software design document, and the easy-to-read code and navigable links from code to model facilitate code reviews. Requirements, managed with the tool DOORS, are linked to TargetLink models for traceability, and the code generator is coupled with RTR for efficient software integration tests.
“Using TargetLink, we have successfully carried out several software developments according to DO-178B that were certified for safety level A,“ Alaoui said.
“The projects carried out between 2000 and today have shown us that TargetLink is an ideal development tool and production code generator for safety-critical aviation applications. Complete compliance with the rigorous requirements of aircraft manufacturers and aviation authorities was achieved, so code generated by TargetLink is now in use in numerous aircraft types,” Alaoui said. “Based on experience gathered so far, Nord-Micro will continue to use dSPACE’s production code generator for developing cabin pressure control systems in new aircraft in the future.”
Andreas Alaoui, Manager Software Engineering, Nord-Micro AG & Co. OHG, and Ralf Lieberwirth, Technical Author, dSPACE GmbH, wrote this article for Aerospace Engineering & Manufacturing.