© GMV, 2015 Property of GMV
All rights reserved
Guaranteeing Timing Requirements in the IXV On-Board Software
Conference on Reliable Software Technologies
Santiago Urueña, Nuria Pérez, Bruno N. Calvo, Carlos Flores, Andreas Jung
IXV OVERVIEW
WHAT IS THE INTERMEDIATE EXPERIMENTAL VEHICLE?
Page 2
Space vehicle from the European Space Agency (ESA) to experiment on atmospheric re-entry, successfully launched on February 11th, 2015
Guaranteeing Timing Requirements in the IXV OBSW, 2015-06-24
IXV OVERVIEW
MISSION
Page 3
- Around 100 min suborbital flight
- Representative of return missions from Low-Earth Orbit
- Fully automated flight, unmanned vehicle
- No telecommanding after launch
- Monitored from ground stations
IXV ON-BOARD SOFTWARE
HIGHLIGHTS
Page 4
Control software in charge of autonomously flying the IXV vehicle following a predefined mission timeline
- Safety-critical software (DAL-B)
- C99 & MISRA-C:2004
- Fault tolerance
- 50 MHz LEON2-FT CPU (radiation-hardened SPARCv8)
- Hard real-time requirements
- Caches enabled & code optimized
- RTEMS operating system
- Ravenscar profile
OBSW Application & Service layer:
- OBSW MVM: 55 kLOC
- OBSW GNC: 22 kLOC
OBSW Basic layer:
- BSW (drivers): 7 kLOC
- RTEMS (subset): 16 kLOC
RAVENSCAR PROFILE
INTRODUCTION
Page 5
- Ada run-time profile
  - Subset of concurrency features to allow schedulability analysis
- Advantages:
  - Timing predictability, strict deadlines, low jitter
  - Small run-time to enable certification to high-integrity levels
  - Low resource consumption, high performance
- Defined in IRTAW 1997 (held in the English village of the same name)
  - 8th International Real-Time Ada Workshop
- Part of Annex D (Real-Time Systems) since Ada 2005
pragma Profile (Ravenscar);
RAVENSCAR PROFILE
ARM 2012 DEFINITION
Page 6
pragma Task_Dispatching_Policy (FIFO_Within_Priorities);
pragma Locking_Policy (Ceiling_Locking);
pragma Detect_Blocking;
pragma Restrictions (
No_Abort_Statements,
No_Dynamic_Attachment,
No_Dynamic_Priorities,
No_Implicit_Heap_Allocations,
No_Local_Protected_Objects,
No_Local_Timing_Events,
No_Protected_Type_Allocators,
No_Relative_Delay,
No_Requeue_Statements,
No_Select_Statements,
No_Specific_Termination_Handlers,
No_Task_Allocators,
No_Task_Hierarchy,
No_Task_Termination,
Simple_Barriers,
Max_Entry_Queue_Length => 1,
Max_Protected_Entries => 1,
Max_Task_Entries => 0,
No_Dependence => Ada.Asynchronous_Task_Control,
No_Dependence => Ada.Calendar,
No_Dependence => Ada.Execution_Time.Group_Budget,
No_Dependence => Ada.Execution_Time.Timers,
No_Dependence => Ada.Task_Attributes,
No_Dependence => System.Multiprocessors.Dispatching_Domains);
RAVENSCAR PROFILE
ADAPTATION TO RTEMS
Page 7
- Success of the Ravenscar profile, not just for Ada
  - Adapted to Java (A. Wellings & J. Kwon)
  - No previous publications on enforcing Ravenscar in RTEMS
- Analysis of RTEMS documentation and source code internals
  - Qualified version of RTEMS by Edisoft in IXV
  - API compatibility (e.g. scheduling and synchronization policies)
  - Find primitives requiring memory allocation/deallocation
- Classification of RTEMS primitives
  - Unrestricted use (e.g. rtems_semaphore_obtain)
  - OBSW initialization only (e.g. rtems_interrupt_catch)
  - Completely forbidden (e.g. rtems_task_delete)
- Creation of an RTOS wrapper (exposing only the allowed RTEMS primitives)
  - Periodic / sporadic tasks, mutexes, and interrupt service routines
  - Ported in new OBSW projects to a different RTOS / CPU
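One way to enforce the three-way classification mechanically, as an added example that is not code from the presentation or from GMV, is a small Python checker that scans C sources for calls to RTEMS primitives and reports any call outside its allowed context. Only the three primitives named on the slide come from the presentation; the remaining members of the allow/deny sets, the name obsw_init for the initialization routine, and the C snippet are assumptions made for this example. A primitive that is not in any class is reported as well, so an unclassified call fails the check instead of slipping through.

```python
import re

# Classification of RTEMS primitives into the three classes on the slide.
# Only rtems_semaphore_obtain, rtems_interrupt_catch and rtems_task_delete come
# from the presentation; the other members are assumptions for this example.
UNRESTRICTED = {"rtems_semaphore_obtain", "rtems_semaphore_release",
                "rtems_rate_monotonic_period", "rtems_build_name"}
INIT_ONLY = {"rtems_interrupt_catch", "rtems_task_create", "rtems_task_start",
             "rtems_semaphore_create", "rtems_rate_monotonic_create"}
FORBIDDEN = {"rtems_task_delete", "rtems_task_restart", "rtems_semaphore_delete",
             "rtems_region_get_segment"}
# Functions in which init-only primitives may appear (assumed name).
INIT_FUNCTIONS = {"obsw_init"}

# A function definition starting at column 0: "type name(params) {" with the
# brace allowed on the next line. Deliberately simple; it relies on the
# one-definition-per-line layout of the constructed sample below.
FUNC_DEF = re.compile(r"^[A-Za-z_][\w\s\*]*?\b(\w+)\s*\([^;]*\)\s*\{", re.M)
CALL = re.compile(r"\b(rtems_\w+)\s*\(")


def check_source(src):
    """Return (line, enclosing function, primitive, reason) for every violation.

    Unknown rtems_* primitives are reported too: the check fails closed rather
    than letting an unclassified call into flight code.
    """
    defs = [(m.start(), m.group(1)) for m in FUNC_DEF.finditer(src)]
    violations = []
    for m in CALL.finditer(src):
        name = m.group(1)
        line = src.count("\n", 0, m.start()) + 1
        # Enclosing function = last definition that starts before this call
        func = next((f for pos, f in reversed(defs) if pos <= m.start()), None)
        if name in FORBIDDEN:
            violations.append((line, func, name, "forbidden"))
        elif name in INIT_ONLY and func not in INIT_FUNCTIONS:
            violations.append((line, func, name, "init-only primitive outside initialization"))
        elif name not in UNRESTRICTED | INIT_ONLY | FORBIDDEN:
            violations.append((line, func, name, "unclassified"))
    return violations


def is_compliant(src):
    return not check_source(src)


# Constructed C sample: one well-formed init routine and one task body with
# three violations (init-only call, forbidden call, unclassified call).
SAMPLE_C = r'''
#include <rtems.h>

static rtems_id mutex;

void obsw_init(void)
{
    rtems_interrupt_catch(isr_handler, 0x12, &old_isr);   /* allowed here */
    rtems_semaphore_create(rtems_build_name('M', 'T', 'X', '1'), 1,
                           RTEMS_BINARY_SEMAPHORE | RTEMS_PRIORITY,
                           150, &mutex);
}

void hk_task(rtems_task_argument arg)
{
    rtems_interrupt_catch(isr_handler, 0x13, &old_isr);   /* init-only */
    rtems_semaphore_obtain(mutex, RTEMS_WAIT, RTEMS_NO_TIMEOUT);
    rtems_semaphore_release(mutex);
    rtems_task_delete(RTEMS_SELF);                        /* forbidden */
    rtems_clock_get_tod(&tod);                            /* unclassified */
}
'''

if __name__ == "__main__":
    for line, func, name, reason in check_source(SAMPLE_C):
        print(f"line {line} in {func}: {name} ({reason})")
```

Running the script on the sample reports the three calls in hk_task and nothing in obsw_init; in a real project the check would run over every compilation unit of the OBSW as a build step, so the wrapper layer remains the only place where init-only primitives are used.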
IXV OBSW VALIDATION
OVERVIEW
Page 8
- System validation tests
  - Open-loop and closed-loop tests
  - Emphasis on fault injection tests (OBSW, OBC, avionics devices)
- 100% branch coverage (ECSS-E-ST-40C decision coverage)
- Stack analysis
  - Check maximum stack usage in the different validation tests
- Timing analysis
  - Validation & flight: task overruns monitored (event sent to ground)
  - Validation:
    1. Response time analysis (dynamic analysis) -> all tasks and mutexes
    2. WCET with RapiTime (dynamic & static analysis) -> critical tasks only
- Analysis of results reveals coding errors (e.g. nesting of locks)
IXV OBSW VALIDATION
TIMING ANALYSIS
Page 9
- Measure the computation times of tasks and critical sections
  - Timestamps at the beginning and end of each task activation
  - Timestamps in the lock and unlock routines
- Store all the timestamps generated in the different system tests
- Script to analyze the computation time of every task activation and critical section
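The analysis script the slide mentions is not reproduced in the presentation; what follows is an added example, not GMV's script, showing how the four instrumentation points (task activation start/end, lock/unlock) can be turned into per-activation computation times, critical-section lengths, overrun reports and the nested-lock coding error mentioned on the previous slide. The trace records, their (timestamp_ms, event, task, lock) layout, the task names and periods are constructed for the example; the one real assumption is fixed-priority preemptive scheduling, under which the running task is always the most recently started one that has not finished, so a stack tells the script which task to charge for the time between two consecutive records.

```python
from collections import defaultdict

# Constructed trace of the four instrumentation points the slide describes:
# START/END of a task activation and LOCK/UNLOCK of a mutex. Each record is
# (timestamp_ms, event, task, lock). Values are invented for this example.
TRACE = [
    (0.00, "START", "GNC_N", None),
    (0.10, "LOCK", "GNC_N", "MTX_A"),
    (0.20, "LOCK", "GNC_N", "MTX_B"),    # MTX_B taken while MTX_A is held
    (0.30, "UNLOCK", "GNC_N", "MTX_B"),
    (0.35, "UNLOCK", "GNC_N", "MTX_A"),
    (0.50, "START", "MILB", None),       # higher-priority MILB preempts GNC_N
    (0.90, "END", "MILB", None),
    (10.50, "START", "MILB", None),
    (10.90, "END", "MILB", None),
    (12.00, "END", "GNC_N", None),
    (20.50, "START", "MILB", None),
    (20.60, "LOCK", "MILB", "MTX_A"),
    (20.80, "UNLOCK", "MILB", "MTX_A"),
    (31.00, "END", "MILB", None),        # 10.5 ms response against a 10 ms period
]

# Period of each task, used as its deadline (an assumption of this example).
PERIODS_MS = {"GNC_N": 500.0, "MILB": 10.0}


def analyze(trace, periods):
    """Reconstruct per-activation computation and response times from a trace.

    Under fixed-priority preemptive scheduling the running task is the most
    recently started, not yet finished one, so a stack of active tasks says
    whom to charge the time elapsed between two consecutive records.
    """
    stack = []                      # active tasks, running task on top
    last_t = None
    comp = {}                       # computation time accumulated per activation
    start = {}                      # activation start timestamp per task
    held = defaultdict(list)        # mutexes currently held by each task
    lock_t = {}                     # timestamp of each outstanding LOCK
    out = {
        "activations": defaultdict(list),   # task -> [(comp, response), ...]
        "sections": defaultdict(list),      # mutex -> [duration, ...]
        "overruns": [],                     # (task, start, response)
        "nested_locks": [],                 # (task, outer, inner, timestamp)
    }
    for t, ev, task, lock in trace:
        if stack and last_t is not None:
            comp[stack[-1]] += t - last_t   # charge the slice to the running task
        last_t = t
        if ev == "START":
            start[task], comp[task] = t, 0.0
            stack.append(task)
        elif ev == "END":
            if stack.pop() != task:
                raise ValueError(f"trace violates stack discipline at t={t}")
            resp = t - start[task]
            out["activations"][task].append((comp[task], resp))
            if resp > periods[task]:
                out["overruns"].append((task, start[task], resp))
        elif ev == "LOCK":
            if held[task]:                  # nesting: the coding error to flag
                out["nested_locks"].append((task, held[task][-1], lock, t))
            held[task].append(lock)
            lock_t[(task, lock)] = t
        elif ev == "UNLOCK":
            held[task].remove(lock)
            out["sections"][lock].append(t - lock_t.pop((task, lock)))
    return out


def worst_case(results):
    """Per task: (max computation, max response) over all observed activations."""
    return {task: (max(c for c, _ in acts), max(r for _, r in acts))
            for task, acts in results["activations"].items()}


if __name__ == "__main__":
    res = analyze(TRACE, PERIODS_MS)
    for task, (c_max, r_max) in worst_case(res).items():
        print(f"{task:6s} max comp {c_max:7.3f} ms  max response {r_max:7.3f} ms")
    for mutex, durs in res["sections"].items():
        print(f"{mutex}: longest critical section {max(durs):.3f} ms")
    print("overruns:", res["overruns"])
    print("nested locks:", res["nested_locks"])
```

The maxima returned by worst_case are the measured inputs to a response-time analysis (the longest critical section per mutex gives the blocking term), while the overrun and nested-lock lists are the findings a validation run should report as failures.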
IXV OBSW VALIDATION
TEST ENVIRONMENTS
Page 10
- Software Validation Facility (SVF)
  - Pure software emulation of OBC and avionics, plus Real-World simulator
  - LEON2-FT tsim emulator
  - Flexibility: introspection, debugging, fault injection
- Avionics / GNC Test Bench (AGTB)
  - Hardware avionics (engineering models) & software Real-World simulator
  - OBC Functional Model (FPGA LEON2)
  - Representative avionics hardware
- Proto-Flight Model (PFM)
  - Flight hardware avionics + Real-World simulator (GPS stimulators)
  - OBC with AT697E (ASIC LEON2)
  - Flight software
TIMING ANALYSIS
MEASUREMENT TECHNIQUES
Page 11
- Measurement techniques analyzed (SVF only)
  1. Low-overhead traces (invalid instruction processed by a tsim module)
     - Instrumented executable
     - Very easy to use, but convenient only for application code
     - Some overhead (more instructions in memory, fewer code optimizations)
  2. Breakpoints (debugger)
     - No instrumentation needed
     - Difficult to use, but very flexible
     - Initially no overhead
- Both techniques can also be used with RapiTime
TIMING ANALYSIS
COMPARISON OF AVERAGE COMPUTATION TIMES
Page 12
- Comparison of average task times measured with both techniques
  - Higher overhead of traces than breakpoints, as expected
  - Some tasks execute faster with traces! (cache anomalies?)

Task    Priority  Period   Breakpoints  Traces   Overhead (abs.)  Overhead (%)
MILB    150        10.00       0.427     0.435        +0.0077          +1.8%
RCS     155        10.00       0.085     0.089        +0.0045          +5.3%
SUP     160        50.00       0.036     0.038        +0.0014          +3.9%
ACQ     165        50.00       1.634     1.657        +0.0238          +1.5%
GNC_C   170        50.00       1.956     1.973        +0.0168          +0.9%
EH      175        50.00       2.353     2.361        +0.0078          +0.3%
MVM     177        50.00       0.059     0.060        +0.0002          +0.3%
CMD     180        50.00       0.063     0.064        +0.0008          +1.3%
GPS     182        50.00       0.188     0.194        +0.0063          +3.4%
HK      185        50.00       2.061     2.066        +0.0049          +0.2%
TTM     190        50.00       1.190     1.124        -0.0662          -5.6%
TC      195        50.00       0.034     0.039        +0.0054         +16.0%
GNC_N   200       500.00      10.655    10.458        -0.1977          -1.9%
GNC_G   210       500.00       1.574     1.601        +0.0267          +1.7%
TIMING ANALYSIS
COMPARISON WITH NO TIMING MEASUREMENTS
Page 13

Event message              Reference timestamp (no timing measurements)   Interference: breakpoints   Interference: traces
EV_MOS_ACTION_TRIGGERED    4316.97509 s                                    +0.00 ms                    +424.32 ms
EV_ACTION_SUCCESSFUL_EXEC  4316.97686 s                                    +0.00 ms                    +424.38 ms
EV_MOS_TRANS_TO_REENTRY    4371.97497 s                                    +0.06 ms                    -75.68 ms
EV_ACTION_SUCCESSFUL_EXEC  4371.97552 s                                    +0.06 ms                    -75.62 ms

- Timestamp comparison of transmitted packets in the same SVF test
  1. Flight executable with no timing measurements
  2. Flight executable with breakpoints
  3. Instrumented executable with traces
- Breakpoints also introduce some timing overhead
- The overhead of traces affects test behavior
- Similar comparison with AGTB (SVF adds less than 1 ms)
TIMING ANALYSIS
SCHEDULABILITY ANALYSIS
Page 14
[Figure: mission phases ASCENT (on VEGA), ORBITAL, RE-ENTRY, DESCENT, SEA LANDING, with the actuators shown: thrusters, flaps, parachutes, balloons, thrusters]
- Separate schedulability analysis for each mission phase
- The OBSW is schedulable in all phases, with a 35% CPU margin
- No task overrun ever detected during validation or the mission
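As an added example, not code from the presentation or from GMV, the following Python script carries out the fixed-priority response-time analysis that the schedulability result rests on, over the task set of the average-computation-times slide. Its inputs are assumptions: the breakpoint-measured average times stand in for the C_i only to make the example runnable (the real analysis uses WCET, so the utilization it reports is not the 35% margin of the slide), a lower priority number means a higher priority (RTEMS convention), the deadline equals the period, and blocking terms default to zero. The per-phase task sets are not on the slide, so a single task set is analyzed.

```python
import math

# Task set from the "Comparison of average computation times" slide:
# (name, priority, period_ms, C_ms). C_ms is the breakpoint-measured average
# computation time, used here only to make the example runnable; the real
# analysis uses the WCET. Lower priority number = higher priority (RTEMS
# convention) and deadline = period are assumptions of this example.
TASKS = [
    ("MILB", 150, 10.0, 0.427),
    ("RCS", 155, 10.0, 0.085),
    ("SUP", 160, 50.0, 0.036),
    ("ACQ", 165, 50.0, 1.634),
    ("GNC_C", 170, 50.0, 1.956),
    ("EH", 175, 50.0, 2.353),
    ("MVM", 177, 50.0, 0.059),
    ("CMD", 180, 50.0, 0.063),
    ("GPS", 182, 50.0, 0.188),
    ("HK", 185, 50.0, 2.061),
    ("TTM", 190, 50.0, 1.190),
    ("TC", 195, 50.0, 0.034),
    ("GNC_N", 200, 500.0, 10.655),
    ("GNC_G", 210, 500.0, 1.574),
]


def response_times(tasks, blocking=None):
    """Fixed-priority response-time analysis (Joseph & Pandya recurrence).

    R_i = C_i + B_i + sum over higher-priority j of ceil(R_i / T_j) * C_j,
    iterated to a fixed point. Returns {name: R_i}, with None for a task whose
    recurrence exceeds its deadline (= period), i.e. the set is not schedulable.
    blocking maps a task name to B_i, the longest critical section of a
    lower-priority task that can block it under ceiling locking (default 0).
    """
    blocking = blocking or {}
    ordered = sorted(tasks, key=lambda t: t[1])       # highest priority first
    result = {}
    for i, (name, _prio, period, c) in enumerate(ordered):
        hp = ordered[:i]                                # tasks that can preempt this one
        base = c + blocking.get(name, 0.0)
        r = base
        while True:
            r_next = base + sum(math.ceil(r / t_j) * c_j for _, _, t_j, c_j in hp)
            if r_next > period:
                result[name] = None                     # deadline miss: stop iterating
                break
            if r_next == r:                             # fixed point reached
                result[name] = r_next
                break
            r = r_next
    return result


def cpu_utilization(tasks):
    """Total processor utilization U = sum of C_i / T_i."""
    return sum(c / period for _, _, period, c in tasks)


def is_schedulable(tasks, blocking=None):
    return all(r is not None for r in response_times(tasks, blocking).values())


if __name__ == "__main__":
    for name, r in response_times(TASKS).items():
        print(f"{name:6s} R = {r:8.3f} ms")
    print(f"utilization {cpu_utilization(TASKS):.1%}, schedulable: {is_schedulable(TASKS)}")
```

The recurrence is monotone and the ceilings can only step up a finite number of times before the deadline bound is hit, so the loop always terminates; feeding it the WCET values and the longest critical sections measured in validation, once per mission phase, reproduces the analysis the slide describes.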
TIMING ANALYSIS
TIMING RESULTS
Page 15
- Publication of the response times of every thread per mission mode
- Useful in future projects (budget estimations at early phases)
TIMING ANALYSIS
CONCLUSIONS
Page 16
- The Ravenscar profile allows the schedulability analysis
  - IXV OBSW schedulable in all phases
- Different measurement techniques analyzed
  1. Low-overhead traces
     - Easy to use, but application code only
     - Some overhead and noticeable software interference
     - Convenient during development
  2. Breakpoints
     - Very flexible, both for application and RTOS code
     - Negligible overhead, minor software interference
     - Difficult to use manually, only for final tests
- Emulators and CPUs must provide better timing features
- Critical software should monitor its timing attributes
Thank you
Santiago Urueña
Section Head Critical Software
Software Engineering department
Email: suruena@gmv.com
www.gmv.com
IXV OVERVIEW
PAST (EUROPE) & FUTURE
Page 18
- HERMES (1990) (cancelled)
- ARD (1998) (successful)
- X38/CRV (1999) (cancelled)
- PHOENIX (2004) (cancelled)
- USV1,2,3 (2007) (successful)
- EXPERT (2012) (on hold)
- IXV (2015) (successful)
Reentry vehicle applications:
- Servicing of orbital infrastructures (e.g. ISS)
- Servicing of satellites (e.g. refueling or disposal)
- Robotic exploration (e.g. sample return from Mars)
- Microgravity experiments
- Earth sciences (e.g. high-altitude atmospheric research)
- Earth observation (e.g. crisis monitoring)
Next step: PRIDE (Programme for Reusable In-orbit Demonstrator for Europe)
IXV INTRODUCTION
MISSION
Page 19