This document describes how Software-in-the-Loop (SIL) and Hardware-in-the-Loop (HIL) are used in this project, what each mode validates, and how both integrate with the system architecture and verification strategy.
SIL and HIL are treated as execution modes, not separate systems.
The SIL/HIL strategy is designed to ensure that:
- The same core code paths execute in all modes
- Differences between SIL and HIL are limited to the hardware backend
- Safety, policy, and profiling behave identically in both environments
- Verification evidence can be accumulated incrementally
There are no SIL-only or HIL-only control branches in the core system.
SIL runs the full system using:
- The real core logic
- The real policy evaluation
- A simulated or reference hardware backend
SIL emphasizes:
- Determinism
- Replayability
- Fast iteration
- Regression detection
HIL runs the full system using:
- The same core logic
- The same policy evaluation
- A backend connected to real or semi-real hardware
HIL emphasizes:
- Timing behavior
- Integration correctness
- Real device constraints
- Environmental effects
SIL and HIL differ only at the hardware abstraction boundary:
+---------------------+
| Core Processing |
| Policy Evaluation |
| Profiling |
+----------+----------+
|
IHardwareBackend
|
+--------------+--------------+
| |
Reference Backend Real Backend
(SIL) (HIL)
This guarantees that:
- Safety and policy logic are exercised identically
- Timing and performance differences are observable and measurable
- Verification artifacts remain comparable
The reference backend (src/hardware/reference_backend.cpp) exists to support SIL and early HIL scaffolding.
The reference backend supports deterministic modes configured via BackendConfig::opaque_options:
| Mode | Description |
|---|---|
silence |
Produces zeroed input blocks |
sine |
Generates a deterministic sine wave |
loopback |
Routes output blocks back to input with configurable delay |
The backend can simulate:
- Fixed latency (block-quantized)
- Optional jitter (block-quantized)
- End-of-stream termination for finite replays
This enables:
- Boundary testing
- Timeout handling validation
- Policy behavior under degraded timing
When jitter is disabled:
- Identical inputs produce identical outputs
- Replay runs are stable across executions
- Regression testing is straightforward
SIL is well-suited for:
- Policy boundary validation
- Regression testing
- Performance baselining
- Failure mode exploration
- Replay-based debugging
Example scenarios:
- Verifying slew-rate limits clamp correctly
- Ensuring duration limits escalate as expected
- Measuring control loop timing under load
HIL backends implement the same IHardwareBackend interface and replace the reference backend at runtime.
HIL focuses on:
- Real device timing behavior
- Driver and transport stability
- Buffer alignment and format integrity
- Interaction with OS scheduling and load
In HIL:
- Core algorithms remain unchanged
- Policy evaluation remains unchanged
- Profiling instrumentation remains unchanged
Only the backend implementation differs.
The profiling layer operates identically in both modes.
Metrics commonly collected include:
- Control loop period
- Stage execution durations
- Latency distributions
- Jitter relative to declared targets
This allows:
- Direct comparison between SIL and HIL runs
- Identification of hardware-specific timing effects
- Evidence-based tuning
Both SIL and HIL support:
- Explicit
NotReady,Timeout, andEndOfStreamsignaling - Clean startup and shutdown transitions
- Controlled injection of failure conditions (SIL)
Failures are surfaced to the caller rather than hidden or auto-recovered, enabling explicit policy decisions.
SIL and HIL provide complementary evidence:
| Aspect | SIL | HIL |
|---|---|---|
| Determinism | ✔️ | ✖️ |
| Replay | ✔️ | ✖️ |
| Timing realism | ✖️ | ✔️ |
| Hardware validation | ✖️ | ✔️ |
| Policy logic | ✔️ | ✔️ |
Together they support the verification properties defined in:
docs/verification.md
When adding new features:
- Prefer validating logic in SIL first
- Use HIL only after behavior is well understood
- Avoid introducing backend-specific conditionals
- Treat backend changes as integration changes, not logic changes
If SIL and HIL results diverge, this should be investigated and documented, not silently normalized.
SIL and HIL are first-class execution modes built into the system by design.
By isolating hardware interaction behind a strict abstraction boundary, the system achieves:
- High confidence through deterministic testing
- Real-world validation without code duplication
- A clear path from simulation to deployment
This approach supports both rapid development and high-assurance operation.