Israel Aerospace Industries Develops DO-178B Level B Certified Software for a Hybrid-Electric Aircraft Tractor

“We initially intended to develop only control loops with Model-Based Design, but the process proved so efficient that we decided to use Model-Based Design for the application layer as well. Being able to run a model, see that it’s working right, and then generate certifiable code is a big advantage.”

Challenge

Develop control software for the world’s first certified aircraft-taxiing vehicle

Solution

Use Model-Based Design to model the control loops, application logic, and plant; run simulations and HIL tests; and generate DO-178B certified production code

Results

  • Development time halved
  • 50% of models reused
  • DO-178B certification simplified
The TaxiBot from Israel Aerospace Industries.

Commercial aircraft engines are optimized for maximum efficiency in flight, not for taxiing around the airport. During a typical 17-minute taxi, a Boeing 747 can consume one ton (1250 liters) of fuel and emit 3.2 tons of CO2. Worldwide, annual taxiing costs could top $8 billion in 2020.

To reduce fuel costs, CO2 emissions, and airport noise levels, Israel Aerospace Industries (IAI) has developed TaxiBot, a hybrid-electric aircraft tractor that can tow a fully loaded aircraft while its main engines are off. During a typical taxi from the gate to the runway, TaxiBot consumes just 25–30 liters of fuel and emits less than 60 kg of CO2.

IAI used Model-Based Design with MATLAB® and Simulink® to develop the TaxiBot control software, which has been certified to DO-178B Level B.

“Controls development with Model-Based Design is exceptionally efficient,” says Zeev Gabbin, software manager for the TaxiBot project at IAI. “One engineer can write and model the requirements, generate code, and then integrate the code and verify it via hardware-in-the-loop testing. On projects without Model-Based Design, code implementation and integration took us three to four times longer.”

Challenge

When an aircraft is towed by TaxiBot, the nose wheel of the aircraft is secured in a turret that can rotate freely. The system may be controlled by the aircraft pilot or by an onboard driver. To sense steering and braking requests coming from the pilot in the cockpit, the TaxiBot controller monitors the turret’s orientation and the forces acting upon it. The control system must strictly limit the forces applied to the aircraft nose landing gear and provide a driving experience comparable to taxiing under engine power.

IAI needed a way to model the control loops and application logic as well as the TaxiBot vehicle and aircraft, run simulations and hardware-in-the-loop (HIL) tests to verify the design, and generate code for DO-178B Design Assurance Level (DAL) B certification.

Solution

IAI engineers developed the TaxiBot control software using Model-Based Design with MATLAB and Simulink.

Working in Simulink they developed a detailed plant model that included submodels for the aircraft being towed; the TaxiBot engine, electric motors, and tires; and environmental elements such as wind and surface slope.

Next, the engineers modeled the control system’s two main loops: the force control loop that limits the force applied to the nose landing gear and the steering control loop that senses and responds to nose wheel turns initiated by the pilot.

Application logic, including health monitoring functions, safety features, and mode transitions, was modeled in Simulink and Stateflow®.

To support requirements traceability, the team used Requirements Toolbox™ to link requirements in IBM® Rational® DOORS® to their associated Simulink and Stateflow model elements.

After running closed-loop simulations in Simulink to verify the design, the engineers generated C code from their plant model using Simulink Coder™ and deployed it to dSPACE® hardware for HIL testing. Using Embedded Coder®, they generated C code from the controller and application logic models for their production target, a Freescale™ MPC8280 PowerQUICC processor.

HIL tests were followed by field tests on a TaxiBot prototype. During field tests, the engineers gathered data that they later analyzed in MATLAB. They refined and optimized their designs in Simulink based on this analysis, and regenerated code for further tests.

Following a code review and formal verification, the TaxiBot control software was certified to DO-178B DAL B and approved by the European Aviation Safety Agency (EASA). TaxiBot is now in operation for narrow-body aircraft. IAI is currently developing a wide-body version using Model-Based Design.

Results

  • Development time halved. “With Model-Based Design our overall development time is nearly 50% shorter than it was with our traditional development process,” says Gabbin. “This reduction is due to our ability to generate code, reuse models, and rapidly make, test, and implement changes.”

  • 50% of models reused. “The modularity of our Simulink models is a big advantage,” says Gabbin. “It enables us to switch one version of a subsystem for another and to create a library of reusable components. For our wide-body TaxiBot controller, we reused more than 50% of the models from our narrow-body version.”

  • DO-178B certification simplified. “Model-Based Design helped make the DO-178B certification process straightforward and shortened the certification process,” Gabbin notes. “We used our Simulink models as our low-level requirements for formal certification. Simulink models are readable and understandable, which makes the certification process easier.”