Keplerlaan 1, 2201 AZ Noordwijk (NL) voice: +31-71-5655331 fax: +31-71-5654295 email: tullio@wd.estec.esad
Introduction
Recent studies (cf eg: [11]) have shown that software embedded on board of modern satellite control systems plays an increasingly important and pervasive role in the operation of the system. Distinct demands for increased responsiveness and maximised mission product, in fact, call for the progressive move of critical functions from ground to on-board software. As a result of this evolution, new-generation on-board systems appear to be increasingly concurrent, as they are to perform, in parallel, a growing variety of control activities featuring a broad range of activation and processing requirements, and distinctly hard real-time, in that an important proportion of their software components are subject to mission-critical requirements on timeliness of execution.

This paper presents the principal technical choices made by a project aimed at supporting the development of hard real-time multi-tasking on-board software systems. The project considered traditional development and scheduling methods as being too poor, rigid and unyielding in the face of the flexibility and responsiveness required of future systems (cf eg: [7]) and also largely unsupportive of sufficient functional cohesion. Novel engineering techniques for the construction, analysis and execution of hard real-time systems, on the other hand, had consistently emerged from the research community over the last decade (cf eg: [3, 4, 5, 9]) and seemed mature enough for deployment.

¹ The work described in this paper has been performed under ES-

1052-8725/96 $5.00 © 1996 IEEE

The selected approach, which retained Ada [2] as the programming language of choice, was centred around fixed-priority preemptive scheduling augmented with priority ceiling emulation [5] and worst-case response time analysis [1, 6, 9]. (The rationale for this choice is discussed at length in [10].) The feasibility and performance of the chosen approach were initially demonstrated by a couple of ESA-funded case studies (cf [12, 13, 17]) and a few other independent industrial developments. Use of Ada tasking in space and avionic applications was historically tied to the criticisms of being too complex and non-deterministic and of relying on too extensive and inefficient run-time support. The project's initial results seem to dismiss a great deal of such criticisms. This paper presents the distinguishing features of the proposed concept and its anticipated benefits.

The rest of the paper is structured as follows: section 2 describes components, properties and implementation of the chosen programming model and the associated tool-set concept; section 3 discusses the requirements on and the definition of the tools and techniques for the support of static scheduling analysis; section 4, finally, presents the current status of the tool-set implementation and outlines its projected scope of application.
Programming Model

Programming Model Definition
Typical on-board applications (cf eg: [10]) are predominantly comprised of non-independent activities which exhibit a varying amount of periodic and sporadic activation requirements and an equally varied degree of timing criticality.

Attitude control functions map to periodic activities whose activation needs to be as jitter-free as possible. Communication control functions map to sporadic activities whose activation requirements stem from both external (eg: interrupts) and internal events (eg: synchronisation). Periodic and sporadic activities often require some form of explicit cooperation to achieve data-oriented synchronisation and/or enforcement of precedence activation constraints.

Past and current evidence show that such an application model, albeit with a certain amount of bending and twisting, may indeed be implemented upon a single-process cyclic scheduling system. It is equally apparent, though, that the same application model would also nicely fit a simple and yet slightly augmented form of Ada tasking based on the Ada 83 concurrency model, now fully supported by the revised Ada standard [16].

An Ada programming environment specialising in the support of such an application model has been built for on-board systems based on the 32-bit Embedded Real-Time Computing Core (ERC32) [14]. The ERC32 core is a SPARC V7 based chipset inclusive of Integer Unit, Floating Point Unit and Memory Controller, intended for use in no-cache, no-MMU single-board computers for highly predictable high-profile new-generation on-board systems. Amongst other features, which are not discussed in this paper, the ERC32 chipset and associated programming environment are designed to allow exploitation of the ATAC (Ada Tasking Coprocessor) chip [8], a memory-mapped hardware device which performs Ada 83 tasking operations on behalf of classical software run-time systems.

In the ERC32 programming model, every distinct processing activity in the application model is modelled as an independent thread of control and maps to one designated type of Ada task. Tasks in the model are required to be library-level, flat, static, infinite tasks. Tasks exchange shared data in a protected manner by means of mutually-exclusive calls to dedicated resource server tasks; resource server tasks may offer a variety of services, each represented by one distinct entry; entries to a resource server task must rigorously be unguarded.
Tasks synchronise with one another by means of mutually-exclusive calls to dedicated synchronisation server tasks; the model requires individual synchronisation server tasks to provide one guarded entry for exclusive use by the designated software sporadic task and one unguarded entry for use by the releasing task(s).
Interrupt sporadic tasks export interrupt entries which are attached to the designated trap in a fashion aimed to maximise potential exploitation of the ATAC and preserve full compatibility with the non-ATAC mode.
Programming Model Implementation
The ERC32 programming model was implemented on top of a small, highly efficient and fully characterised Ada run-time system. All of the required tasking primitives were designed so as to provide for optimised bounds to worst-case execution time. In the following, a brief description is provided for the tasking primitives which contribute to the determination of the run-time scheduling behaviour of the ERC32 system.

Cyclic tasks call primitive Delay-Until to command the time of their next release and the wake-up system uses an Interval Timer instead of the conventional periodic clock. The overall worst-case execution time of the primitive results from the sum of two values: the placement of the task control structure in the interval timer queue (Dly-Q(In)) and the return from the call upon release (Dly-Q(Out)).

Interrupts off the Interval Timer are serviced by primitive Timer, while primitive Ready changes the released cyclic tasks' status to ready. On modifications to the ready status list, primitive Select is invoked to determine the "best-task-out"; this may incur a preemptive switch to a new running task, which is performed by primitive Switch.

Primitive Int-Handling initiates an interrupt accept statement in the body of the designated interrupt sporadic task, while IS-Wait(In) and IS-Wait(Out) allow control to respectively enter and leave the interrupt accept body.

PO(In) and PO(Out) control respectively the access to and the release of server tasks and include the relevant raising and lowering of the server's priority.

The blocking call to a synchronisation server task is implemented by use of a primitive semaphore structure: the software sporadic task's call to one server's guarded entry translates into the caller's suspension on the primitive semaphore (Sem.Wait(In)). Arrival of the releasing call causes the suspended task to be freed from the semaphore's queue (EQ-Mgmt, which includes a call to Sem.Signal), to exit from the suspensive call (Sem.Wait(Out)) and potentially to become the new running task.

Primitive Select involves queue management operations which are prone to pessimistic bounds; the primitive was, therefore, redesigned so as to preserve minimal execution time and also achieve low worst-case bounds. The design restriction of having at most one software sporadic task wait on any given synchronisation server's semaphore queue allows all of the relevant primitive operations to be easily bounded. All other primitives in the above list naturally feature completely deterministic execution time bounds. The characterisation of all such bounds on execution on the selected platform is stored in the so-called run-time system characterisation file (RCF).
Toolset Concept
The ERC32 programming model is supported by an integrated set of static analysis tools.

Ada programs which comply with the ERC32 programming model requirements are compiled by the ERC32 Ada compilation system (ACS). Worst-case execution profiles are automatically generated, for all tasks in the program, by a specially-designed enhancement to the ACS, the ESF generator, whose implementation was eased by the distinguishing features of the ERC32 programming model (eg: no Ada constructs allowed which have no time-boundable operation, such as heap management and dynamic task creation) and execution platform (eg: no cache and no MMU allowed).

In the generation of such profiles (collectively termed the program's Execution Skeleton, ESF), the ESF generator uses information from the following sources: (i) the compiler's internal data structures for path analysis and worst-case selection; (ii) configurable look-up tables describing the execution cost of the ERC32 instruction set (including guidance to resolve data-dependent computation time estimates) under the chosen board configuration; (iii) a user-provided description of the static hard real-time attributes of all cyclic, interrupt sporadic and software sporadic tasks in the system, the User Configuration File (UCF); the relevant attributes include type (ie: cyclic, interrupt sporadic, software sporadic), criticality (ie: interrupt, hard, soft, non-critical), period (or minimum interarrival time) and deadline. Issues with the generation of the ESF are discussed in section 3.3.

Priority assignment is performed on static analysis of the UCF and ESF. Tasks are not allowed to share the same priority level. Tasks with decreasing criticality are assigned decreasing priority levels, whereas tasks within the same criticality range are assigned priority levels in deadline-monotonic fashion.

Server tasks do not possess user-assigned static attributes as they just inherit a ceiling priority from their callers and, therefore, need not appear in the UCF. Server tasks' ceiling priority is set at least one level higher than the maximum priority of callers. The program's ESF, together with the UCF and the RCF, is processed by the Scheduling Analyser tool to determine the tasks' worst-case response time. Elements of the undertaken analysis are discussed in section 3.5.
Enabling Static Analysis
Foundations of Response Time Analysis
The static analysis model chosen for the ERC32 system concept aims at the prediction of worst-case response times (cf eg: [1, 6]). The model stipulates that one thread's worst-case response time be defined as the longest elapsed time it takes for that thread to complete its most demanding set of activities in response to an activation occurring under maximum contention from the rest of the system. (The term thread is used in the following as a synonym for task.) The worst-case response time of any thread $\tau_i$ does, thus, result from suitable combination of the following three distinct components:

(i) The worst-case computation time of thread $\tau_i$, $WCCT_i$, which is defined as the sum of the time cost of all of $\tau_i$'s sequential blocks of execution which lie in the statically determined worst-case path enclosed within the thread's main loop (the thread's execution profile), in addition to the time cost of the run-time system services required for the support of that execution.

(ii) The interference incurred by $\tau_i$, $I_i$, which is caused by the preemptive execution of higher-priority threads and higher-priority run-time system services during $\tau_i$'s ready period; in the ERC32 model, the interference from the run-time system is limited to the handling of the interrupts off the Interval Timer, as all other interrupts are tied to the run of interrupt sporadic tasks.

(iii) The blocking experienced by $\tau_i$, $B_i$, which originates from the possibility that a due release of $\tau_i$ be delayed by effects other than those arising from preemptive interference; such effects occur when the run-time system protects the execution of internal critical sections by temporarily inhibiting (ie: deferring) preemption, as well as a consequence of adopting IPCI (the immediate form of priority ceiling inheritance, ie: the priority ceiling emulation of [5]) for the implementation of mutual exclusion in the communications between tasks and servers; use of IPCI may, in fact, delay the release of tasks whose priority is higher than the caller's but lower than the server's ceiling; response time analysis prescribes that worst-case blocking be determined as the largest possible delay effect incurred from either of the two sources.

For any thread $\tau_i$, component $WCCT_i$ is fully determined at compile time on the Ada closure of the program, component $B_i$ is a function of the assigned priorities and the system's run-time performance, and component $I_i$ is a function of the system load.

Components $WCCT_i$ and $B_i$ are maximised by analysis. Care must be taken, though, to avoid incurring excessive pessimism in their determination, as this may hinder the usefulness of the analysis. Section 3.2 presents the approach taken to the determination of $B_i$, whilst section 3.3 discusses issues in the generation of the worst-case execution profiles from which $WCCT_i$ is determined. In non-ATAC mode (equation 3), there occurs no filtering and the calculation needs to consider also the first, non-preemptive, critical-instant release of lower-priority cyclic threads:
y c L r c ( i )
The ERC32 tool-set supports two variants of analysis techniques. The first variant, based on deadline monotonic theory [6, 9] (DMS), assumes that tasks' deadlines cannot exceed the respective period (or minimum interarrival time) and determines, for every individual thread, the response time for a single critical-instant release. The other variant, based on the extended version of deadline monotonic theory presented in [15] (ADS), assumes that deadlines may be arbitrarily greater than the relevant period (or minimum interarrival time) and, therefore, extends the solution space to multiple, overlapping releases of a task. The critical-instant assumptions are, thus, worsened by tasks' releases being delayed past their due time also by the outstanding completion of their previous releases.

The equations for DMS and ADS response time analysis are well known from the literature and are not reported here for the sake of conciseness. Both equations are based on recurrence relations in which thread $\tau_i$'s response time, $R_i$, is expressed as a summation term monotonically increasing with $I_i$ and $I_{clk}(i, R_i)$.

Blocking Overhead

The worst-case blocking effect incurred on one thread's release is determined as the largest value between the single longest period of run-time deferred preemption and the longest-duration entry call to a higher-ceiling server performed by a lower-priority task. The former value is a constant characteristic of the run-time system implementation. In the case of the ERC32 ACS, this value is minimised by the restrictions imposed on the ERC32 programming model.

The latter value is a variable thread-specific attribute which depends upon such application-wide characteristics as the assigned priorities and the performance of servers' entries. The pessimism potentially embodied in the determination of this value is minimised by the analysis which follows.
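The priority-assignment rules of the tool-set concept (criticality range first, deadline-monotonic within a range, server ceilings one level above the highest-priority caller), the blocking bound just described and the DMS and ADS response-time recurrences can be exercised with the following Python program. It is an added example and not the project's Scheduling Analyser or any code from the paper: the task set, the server names, the entry-call costs, the unit deferred-preemption and Interval Timer costs, and the modelling of the timer interference $I_{clk}$ as one fixed cost per release of each higher-priority cyclic thread are all constructed assumptions.

```python
"""Priority assignment and worst-case response-time analysis in the ERC32 tool-set style.
Added example, not the project's Scheduling Analyser; every figure below is an assumption."""
from dataclasses import dataclass, field

CRITICALITY_RANK = {"interrupt": 3, "hard": 2, "soft": 1, "non-critical": 0}  # UCF ranges

@dataclass
class Task:
    name: str
    kind: str          # "cyclic", "interrupt sporadic" or "software sporadic"
    criticality: str
    period: int        # period or minimum interarrival time, in ticks
    deadline: int      # relative deadline, in ticks
    wcct: int          # WCCT_i from the ESF, run-time services included
    calls: dict = field(default_factory=dict)  # server name -> longest entry call
    priority: int = 0  # assigned below; larger = higher

def assign_priorities(tasks):
    """Distinct levels: by criticality range, deadline-monotonic within a range."""
    ordered = sorted(tasks, key=lambda t: (CRITICALITY_RANK[t.criticality], -t.deadline))
    for level, t in enumerate(ordered, start=1):
        t.priority = level
    return {t.name: t.priority for t in tasks}

def server_ceilings(tasks):
    """Servers are not in the UCF: ceiling = one level above the top caller."""
    ceilings = {}
    for t in tasks:
        for server in t.calls:
            ceilings[server] = max(ceilings.get(server, 0), t.priority + 1)
    return ceilings

def blocking(task, tasks, ceilings, kernel_deferral):
    """B_i = max(longest run-time deferred-preemption section, longest entry call
    by a lower-priority thread to a server whose ceiling exceeds P_i)."""
    ipci = 0
    for other in tasks:
        if other.priority < task.priority:
            for server, cost in other.calls.items():
                if ceilings[server] > task.priority:
                    ipci = max(ipci, cost)
    return max(kernel_deferral, ipci)

def interference(task, tasks, window, timer_cost):
    """I_i over a window: preemption by every higher-priority release; each cyclic
    release is assumed to cost one Interval Timer interrupt as well (I_clk)."""
    total = 0
    for hp in tasks:
        if hp.priority > task.priority:
            per_release = hp.wcct + (timer_cost if hp.kind == "cyclic" else 0)
            total += -(-window // hp.period) * per_release   # ceil(window / T_j)
    return total

def response_time_dms(task, tasks, ceilings, kernel_deferral=1, timer_cost=1):
    """DMS (deadline <= period): fixed point of R_i = WCCT_i + B_i + I_i(R_i)."""
    b = blocking(task, tasks, ceilings, kernel_deferral)
    r = task.wcct + b
    while True:
        nxt = task.wcct + b + interference(task, tasks, r, timer_cost)
        if nxt == r or nxt > task.deadline:   # converged, or provably missed
            return nxt
        r = nxt

def response_time_ads(task, tasks, ceilings, kernel_deferral=1, timer_cost=1):
    """ADS (arbitrary deadlines): release q may wait for releases 0..q-1, so
    R_i = max_q (w_i(q) - q*T_i), w_i(q) = (q+1)*WCCT_i + B_i + I_i(w_i(q))."""
    b = blocking(task, tasks, ceilings, kernel_deferral)
    worst, q = 0, 0
    while True:
        w = (q + 1) * task.wcct + b
        while True:
            nxt = (q + 1) * task.wcct + b + interference(task, tasks, w, timer_cost)
            if nxt == w or nxt - q * task.period > task.deadline:
                w = nxt
                break
            w = nxt
        worst = max(worst, w - q * task.period)
        if worst > task.deadline or w <= (q + 1) * task.period:
            return worst  # missed, or the busy period ended with release q
        q += 1

def analyse(tasks, variant="ads", kernel_deferral=1, timer_cost=1):
    assign_priorities(tasks)
    ceilings = server_ceilings(tasks)
    solver = response_time_ads if variant == "ads" else response_time_dms
    results = {}
    for t in tasks:
        r = solver(t, tasks, ceilings, kernel_deferral, timer_cost)
        results[t.name] = (r, r <= t.deadline)
    return results

def sample_tasks():
    """Constructed task set: hypothetical names and figures, not from the paper."""
    return [Task("aocs", "cyclic", "hard", 100, 30, 10, {"sensor_data": 2}),
            Task("tm", "cyclic", "hard", 200, 100, 30, {"tm_queue": 5}),
            Task("tc_rx", "interrupt sporadic", "interrupt", 500, 50, 8, {"tm_queue": 3}),
            Task("payload", "cyclic", "soft", 150, 400, 100, {"sensor_data": 4, "tm_queue": 6})]
```

Calling `analyse(sample_tasks())` reproduces the chain of the tool-set: priorities and ceilings come first, because the IPCI part of $B_i$ depends on them; the blocking term then enters the recurrence as a constant while the interference term is re-evaluated on each widening of the window. The constructed `payload` task has a deadline larger than its period, so the DMS solver is not applicable to it; the ADS solver keeps extending the busy period over successive releases until one completes before the next is due, and reports the largest of the per-release response times, which in this set comes from the second release rather than the first.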
In the ERC32 programming model, calls to server tasks' entries must conform to any of the types shown in Table 1.

Column 5 of Table 3 prescribes how the individual overhead components listed in Table 2 contribute to the bound for the IPCI blocking on thread $\tau_i$: tag L under columns 2-4 denotes that $\exists k : k \in S(j) : P(j) < P(i) \wedge \mathrm{calls}(j, PO.Call) \wedge PO \in HP(i) \wedge WCCT_k(Call) = \max(WCCT_{j \in S}(Call))$, computed over all the entry calls of every individual server in the application; tag H denotes that the thread set $S(j)$ is empty for that particular type of server call. The definitive bound on the IPCI blocking is then calculated as the maximum value amongst those captured by
The generation of the ESF from the application's source code must attempt to capture both the local worst-case at thread-level and the global worst-case at application-level in a manner which incurs a controlled degree of induced pessimism.
Excessive pessimism may arise, for example, when the resolution of a branch or the bounding of an iteration within one thread's profile fails to capture application-wide path exclusion conditions (eg: mutually exclusive operating modes) or run-time best-bounding information. This may cause otherwise provably impossible paths to be selected and consequently yield too conservative predictions.

The ESF generator attempts to mitigate such problems by providing means for the user to annotate the source code with a loop-bound and a path-exclusion pragma: (i) pragma Loop_Count (<constant>) placed before a for or while loop construct allows the user to supply the preferred bound to an otherwise unbounded iteration; the compiler uses the provided bound value to cost the iteration but returns warnings if it was able to statically determine a better bound; (ii) pragma Exclude_Wcet placed inside a conditional branch, procedure body or task body causes the exclusion of the tagged construct from the selected path. The achievement of justified maximisation of $WCCT_i$, however, is not the sole objective of the ESF generator. There, in fact, exist two distinct ways for thread $\tau_i$ to affect the system's responsiveness:
Conclusions and Outlook
This paper has presented the design and implementation of an Ada programming model intended for use on board of new-generation software-intensive satellite control systems. The programming model is based on an educated and optimised use of Ada tasking and preemptive priority-based scheduling. Preliminary analyses have shown that fixed-priority process-based preemptive scheduling suits the emerging application needs better than the conventional forms of rigid and inflexible cyclic scheduling. Acceptance of the novel approach, however, critically depends upon the provision of credible means to statically ascertain the run-time performance of the system and its ability to meet the designated deadlines.

The choice made as part of the ERC32 model's design was to provide comprehensive support for worst-case response time analysis. This form of analysis, however, may easily incur excessive pessimism and consequently yield too conservative, low-efficiency predictions. This paper has described the approach taken to maximise accuracy of prediction and control of pessimism in the implementation of the ERC32 analysis model.
