Architecture conceptuelle d’un modèle avionique

flowchart LR
  Req[Requirements] --> M[Simulink Model]
  M --> P[Plant Model / Environment]
  M --> C[Controller / Laws]
  C --> O[Outputs / Actuators]
  P --> S[Sensors]
  S --> C
  C --> D[Diagnostics / Monitoring]
  D --> M
      

Points clés (safety-ready)

Le “mur” prototype → embarqué

Diagramme : model → code → back-to-back

flowchart LR
  M[Simulink Model] --> CG[Code Generation]
  CG --> C[C / Embedded Code]
  M --> T1[Model Tests]
  C --> T2[Code Tests]
  T1 --> B2B[Back-to-back Comparison]
  T2 --> B2B
  B2B --> REP[Evidence Reports]
      

Pour l’avionique, le sujet n’est pas “MATLAB certifié”, mais comment un workflow model-based produit des preuves acceptables. Cela implique : exigences, modèles, vérification, outillage, configuration, audits.

“Evidence package” (vue process)

flowchart TB
  R[System Requirements] --> SR[Software Requirements]
  SR --> M[Model (Simulink/Stateflow)]
  M --> TG[Test Generation / Scenarios]
  TG --> MR[Model Test Reports]
  M --> CG[Code Generation]
  CG --> C[Generated C Code]
  C --> CR[Code Test Reports]
  SR --> TM[Traceability Matrix]
  MR --> PKG[Certification Evidence Package]
  CR --> PKG
  TM --> PKG
      

Ce qui est “scruté” en audit

Où MATLAB apparaît typiquement dans un programme avion

Référence “737 MAX / MCAS” (lecture engineering, sans sensationalisme)

• Les systèmes de commande et logiques de modes sont typiquement conçus/validés via modèles + scénarios.
• Ce qui compte côté safety : validation des entrées, modes explicites, dégradations, limites d’autorité, tests robustesse.
• MATLAB/Simulink sert à éprouver ces transitions et cas limites avant implémentation embarquée.

Pattern recommandé (safety-ready)

flowchart LR
  In[Sensors] --> Val[Validate & plausibility]
  Val --> Norm[Normalize / filter]
  Norm --> Ctrl[Control law]
  Ctrl --> Lim[Clamp / rate limit]
  Lim --> Out[Actuators]
  Val --> Diag[Fault flags]
  Norm --> Diag
  Ctrl --> Diag
  Diag --> Mode[Mode manager (FSM)]
  Mode --> Ctrl
      

Table : règles “design for verification”

[MATLAB/Simulink Safety-Ready Checklist]

A) Determinism
- [ ] Fixed-step solver for embedded-intent models
- [ ] Explicit sample times; rate transitions handled
- [ ] No hidden dynamic memory patterns in real-time path

B) Data & Types
- [ ] Explicit data dictionary; no implicit signal typing
- [ ] Fixed-width types where needed; consider fixed-point strategy
- [ ] Saturation/clamp everywhere a boundary exists

C) Architecture
- [ ] Modes via explicit state machine (FSM)
- [ ] Separation: control loop vs monitoring/logging
- [ ] Diagnostics flags + counters (observable behavior)

D) Verification
- [ ] Requirements-based tests exist for each key requirement
- [ ] Edge cases covered: sensor out-of-range, spikes, intermittence
- [ ] Back-to-back tests between model and generated/hand code

E) Evidence
- [ ] Traceability matrix: Req -> Model element -> Test -> Report
- [ ] Coverage evidence (model and/or code as required)
- [ ] Configuration management: versioning, reproducible builds and reports
      

Toolboxes / briques utiles (typique aéronautique)

Q1 — MATLAB est-il exécuté “tel quel” sur avion ?

Q2 — Alors pourquoi MATLAB est central ?

• Accélère les itérations d’algorithmes.
• Permet des campagnes de simulation massives.
• Structure le V&V via MBD : tests + rapports + back-to-back.

Q3 — Le risque principal ?

1) Prototype algorithm in MATLAB using real flight/test data
2) Move to Simulink for executable model + timing intent
3) Enforce determinism: fixed-step, explicit sample times, bounded logic
4) Model modes explicitly (state machine) + diagnostics flags
5) Define data dictionary: types, ranges, units, scaling
6) Add clamps/rate limits + plausibility checks everywhere
7) Create requirements-based tests + edge cases
8) Run back-to-back tests (model vs generated/hand code)
9) Validate on SIL then PIL then HIL for timing/IO behavior
10) Produce evidence: reports, coverage, traceability, config management