Safety Critical Embedded Aerospace Application

Safety Critical Aerospace Application relies on VisSim Embedded

[Image: Navy JSF, F35 Joint Strike Fighter]

When a leading manufacturer of electronic instruments and electro-mechanical devices was contracted to design an embedded control system for an in-flight chiller unit in the cockpit of the Joint Strike Fighter, they turned to Visual Solutions for a complete Model-Based Embedded Development software package.

Safety Evidence Assurance Level (SEAL)

Equally important to the manufacturer was adherence to the Safety Evidence Assurance Level (SEAL) standards required by Lockheed Martin. Bi-directional links to requirements documents were easily placed in the VisSim diagram using hyperlink-enabled label blocks. VisSim compound block coloring was used to track validation progress. VisSim data export, with automatic source diagram and time stamping, was used as evidence that the validated implementation met requirements. VisSim Embedded helped engineers prove that the chiller unit achieved the compulsory safety integrity level through subsystem and whole-system testing and test result archiving.

Designing a Hybrid Multi-Rate Model

To develop the system, engineers created a nonlinear plant model in the VisSim environment on a PC. The plant model was based on physics and tuned with look-up table data. They correlated and refined the model using measurements of plant responses in the lab. The control stage was a multi-loop PID controller in VisSim with interlock safety stages that stepped through the start-up and shutdown actions necessary to avoid damage to sensitive device components. Because the chiller unit contained high-frequency fluid dynamics coupled with relatively low-speed mechanical dynamics, it was more efficient to run the mechanical components in a lower-speed continuous subsystem. Likewise, the fixed-point discrete controller had a high-frequency mechanical control loop with a slower thermal outer loop.

[Image: JTAG Comms, Interactive JTAG Hotlink(TM)]

Verification with Processor-in-the-Loop

After engineers debugged and tuned the controller in pure simulation mode, they automatically generated ANSI C code from the controller model and downloaded the code directly from VisSim to the TI C2000 target using the VisSim bi-directional JTAG link. Engineers interactively tested and debugged the controller algorithm running on the target using inputs acquired from the plant model running in real time in VisSim, and providing control outputs to the embedded target.

Verification with actual equipment

Finally, the algorithm was flashed to the C2000-based controller card and tested against the actual equipment. VisSim has two modes of flash operation:

  1. With JTAG controller linkage to update setpoints and gains
  2. Stand-alone auto-boot on power-up for final product ship

Using mode 1 allowed VisSim-controlled test sequences with internal monitoring of key system states. The VisSim file logging capability allowed automatic creation of test result files, giving time-stamped verification of all tests run. Mode 2 was used for final product delivery. VisSim testing could still be used by exercising the system using CAN bus supervisory commands identical to the in-flight controller. CAN commands were sent from a VisSim test diagram using the VisSim/CAN add-on running in real time, with logging to time-stamped result files as in mode 2.