The Mars Science Laboratory developed the WorkStation TestSet (WSTS) to support flight software development. The WSTS is the non-real-time flight avionics simulator that is designed to be completely softwarebased and run on a workstation class Linux PC. This provides flight software developers with their own virtual avionics testbed and allows device-level and functional software testing when hardware testbeds are either not yet available or have limited availability. The WSTS has successfully off-loaded many flight software development activities from the project testbeds. At the writing of this paper, the WSTS has averaged an order of magnitude more usage than the project's hardware testbeds.
I. Introduction
The MSL WorkStation TestSet (WSTS) was originally designed to serve as a development environment for flight software developers to exercise and debug their software. It was designed to be completely software-based and run on a flight software developer class Linux workstation. This allows individual users to have their own execution environment and allows device-level and high-level flight software testing when hardware testbeds are either not yet available or have limited availability. Due to it's success it has also evolved into a verification and validation (V&V) environment for Systems Engineers, System Integration and Test Engineers, and Mission Operations Engineers for validating system-level behaviors and executing dry-runs of flight sequences.
In order to meet the needs of the MSL project, the WSTS was designed with certain principles in mind. The first principle was that flight software executing in WSTS should not know whether it is running against real or simulated hardware. It must serve as the virtual reality for the flight software. Any piece of engineering data visible to flight software must be modeled to meet this objective. This generally implied that there was a simulation software object for every MSL hardware element except the flight processor, which was not emulated. Each software objects was coded to accurately model the hardware behavior visible to flight software, as well as modeling the finite state behavior of the device. Hardware specifications were used as the source material for modeling the device behavior as well as the format and content of the engineering data. However, in the case of some devices like science instruments, the simulation software objects were accurate in data format but not necessarily in content because flight software behavior was insensitive to the content of the data packets. Only when flight software responses were a function of data content that the simulation software objects in WSTS accurately modeled both the device behavior and the output.
The second design principle was to maximize simulation software object commonality between WSTS and the hardware-in-the-loop testbeds. By doing so, the WSTS software objects could be reused in the hardware-in-the-loop testbeds in the event that a hardware device was not present. This is a common occurrence during the development cycle of a flight project when hardware is not yet ready for delivery to the testbeds, is never intended to be delivered to all the testbeds for cost reasons, or has to be removed for repair or additional standalone testing. By simply adding interface code so that the WSTS simulation objects have access to I/O cards, so that they electrically appear to the flight system as the missing device, system level testing can progress with simulated devices. This has proven to be extremely cost effective for MSL, especially when hardware originally intended to be built for some of the testbeds was descoped and replaced by simulated hardware.
Continuing with the second principle, WSTS also has the same user interface as the hardware-in-the-loop testbeds. The look and feel is identical to the testbeds and most of the user interface commands are common as well. However, one major difference is that the WSTS was designed to minimize idle time and run as fast as possible. T WSTS typically runs between 2 and 10 times faster than real-time, depending on the simulation complexity. The 2 complexity is mostly a function of the number of continuous states in the dynamic simulation that require numerical integration of differential equations. The other major difference between the non-real-time WSTS and the real-time testbeds is that users can have fine control of execution time in WSTS. Users are able to pause, resume and singlestep the WSTS simulation, which is extremely valuable for analysis of flight software task behavior.
The final major principle driving the design of the WSTS was that the system must support an extensive fault injection capability because many faults can only be tested in a simulation. Hardware-in-the-loop testbeds are constrained because users usually cannot fail the real hardware. WSTS can inject faults either at a functional level like failing a thruster in a stuck-closed position, or at a very low level like setting a specific bit in an output data packet from a simulated device. This flexibility in testing can only occur in a software-based test environment. Additionally, the WSTS allows flight software testers to stress test the software in an environment that is safe and doesn't risk exposing flight hardware to unforeseen paths in the flight software. Hence, it is usually desirable to first test in WSTS before repeating the same tests in the hardware-in-the-loop testbeds.
These above design principles have guided WSTS architecture and resulted in a product that is designed to serve as a powerful development and V&V tool for all phases of the MSL mission, which includes Launch, Cruise, EntryDescent-and-Landing (EDL) and Surface mission phases. It truly serves as a virtual reality for MSL flight software.
II. Architecture

A. Overview
The Workstation Testset (WSTS) consists of five Linux software applications executing as an integrated session on a workstation-class Linux PC. Together, the applications provide a flight-like environment for developing and testing high-level flight software, device-level flight software, flight commands and flight telemetry. The five applications of a WSTS integrated session are listed in Table 1 The Wind River VxWorks Simulator (VxSim) provides the familiar Wind River Target Shell interface within which MSL flight software builds are executed. Users have access to the same VxWorks system and API calls as they would on a hardware-in-the-loop testbed. The only notable difference is that the flight software can execute at a faster rate when the VxSim system tick is configured to clock faster than real-time. Out of the box, VxSim simulates the behavior of a standalone target computer and supports socket interprocess communication with external applications. The socket interface was too limited for the WSTS architecture because the external application (i.e. the MSL Simulator) simulated the other devices that are "collocated" on the same PCI bus as the target simulation. VxSim was modified for WSTS to use POSIX semaphores, POSIX message queues and POSIX shared memory for its interprocess communication with the other applications in WSTS. These additions provided the infrastructure needed to implement time slice execution control between VxSim and the MSL Simulator and also the PCI Bus Simulation that enabled simulated PCI devices in the MSL Simulator to communicate with the MSL flight software device drivers executing on VxSim. 4 deadlines. This execution model enables faster and slower than real-time execution of WSTS as well as provide the pause, resume and step execution control.
The Timing Executive implemented the above execution model by sharing a pair of POSIX semaphores (i.e. "go" and "done") with the modified VxSim application (see previous section) and another pair of POSIX semaphores with the MSL Simulator application. Each application waits for the release of the "go" semaphore to begin execution and then releases the "done" semaphore when finished. After either application is "done" with its time slice, it goes back to the top of its loop and waits for the "go" semaphore again, remaining inactive until it is released again by the Timing Executive. The Timing Executive guarantees that one side receives its "go" semaphore only when the other side has sent its "done" semaphore; thereby ensuring that one side cannot run and interfere with other. This sequential execution avoids race conditions between the flight software running on VxSim and simulated hardware running on the MSL Simulator and maintains synchronization. A summary of the WSTS execution model in the WSTS is shown in a sequence diagram in Figure 2 . MSL flight software can generally be categorized in to two types of activities: real-time and background tasks. Real-time tasks can be described as those tasks that must be procedurally and temporally correct. In other words, they must do the right thing, and do it at the right time. Real-time tasks are given a high priority in to ensure that critical activities are completed on time. Background tasks are job-related tasks that do not have a real-time deadline. They are typically episodic in nature. Consequently, they are given lower priorities than the real-time tasks.
The flight software real-time task cycles are initiated by hardware-based timing signals. A high-accuracy, highprecision time source sends hardware interrupts on a programmed interval. For the MSL software, that interval is 64Hz. MSL flight software ties the VxWorks system tick to the 64Hz RTI to control the OS preemption and roundrobin task scheduling. Additional asynchronous hardware interrupts cause real-time tasks to cycle when different hardware activities complete. The frequency of these interrupts is dependent on the operation of the hardware being 
B. MSL Simulator Scheduling Model
The MSL Simulator is a multi-thread process with a main thread, a thread for processing simulation commands and several threads for sending the telemetry down to MPCS. It is in the main thread that computes all the simulated device objects and dynamics models are scheduled and executed.
The MSL Simulator must execute all the difference types of simulated device and dynamics models in the right order. Certain devices need to run at one rate to periodically generate timing interrupts and bus events, while the integration of the dynamics model might need to run at a different rate than those. This presents a challenge to coordinate all these events to occur at the right order. The MSL Simulator is able to execute the various objects in the proper rate group with it master event-based scheduler to sort the events and to determine the execution order. The event-based scheduler treats every simulation computation as a schedulable event. Events can be periodic or aperiodic. The MSL Simulator is able to advance for any arbitrarily sized time slice and still execute the events in the proper order (see Figure 6Figure 6 ). Running the scheduler as a single thread also eliminates concurrency issues of running all the simulated devices simultaneously at difference rate groups. Most simulated devices in the Peripheral Device Simulation Layer can be executed in the event scheduler without loss in fidelity. However, device objects in the PCI Board Simulation Layer interact very closely with the flight software. This class of simulated device required additional capability to simulate the register-level interfaces that are visible to flight software. Example rate groups in the system:
Step size determines the events to be executed in a single pass (ex. step size = 4ms)
200Hz Bus Event (5ms) 400Hz IMU (2.5ms)
C. PCI Board Simulation & PCI Bus Simulation
At the lowest layer, the PCI Bus Simulation implements the flight-like interface between the flight software and the MSL Simulator. The PCI Bus Simulation had to address the following PCI bus behaviors 2 :
1. Register & memory accesses 2. PCI device configuration and enumeration 3. Interrupts 4. DMA transfers WSTS uses a combination of POSIX shared memory and POSIX message queues to implement its PCI Bus Simulation. The shared memory is used to represent the PCI memory space that is mapped to the flight processor memory space in VxSim. The flight software PIO reads and writes are redirected to this shared memory to simulate access to the card hardware. PCI DMA transactions and PCI interrupts are simulated by messages sent via the message queues. These POSIX interprocess communication mechanism are instantiated at run with unique identifier. This allows multiple instances of the WSTS to run on each workstation without interfering with each other. Both the simulation and the flight software applications attach to the shared memory and shared message queues during initialization. The shared memory also contains the PCI configuration header space that stores the PCI device and function information. These regions are initialized by the simulation and accessed by the flight software during its initialization. Flight software become aware PCI device base address offsets and interrupts in the same manner as it would in a real rover computer; the only difference is that the offsets refer to simulated PCI device address regions in the shared memory.
Simulating programmed I/O behavior of the PCI devices presents another challenge because the flight software directly interacts with these simulated devices by reading device registers that often require immediate. The WSTS round-robin execution paradigm does not allow the MSL Simulator to run and respond while the flight software has the control in a time slice. In the real hardware, the response triggered by the register access can occur on the order of microseconds. This is much shorter than the shortest period of a reasonably sized time slice. Since the MSL Simulator cannot respond while the flight software is running, part of the simulation logic needs to reside in the execution context of the VxSim in order to respond support programmed I/O. This is accomplished by capturing every PCI access from the flight software into a special function call. This function call distributes the PCI accesses to a proxy, simulated device that resides in the VxSim. This simulation proxy is simply a subset of the PCI device simulation that implements special register behaviors that require immediate responses to stimulus. The register access responses are immediately written to the appropriate register address in the VxSim context and also forwarded to the MSL Simulator using the shared memory. This allows the simulated devices in the MSL Simulator to synchronize with the proxy simulations running in VxSim by picking up these requests and continue with the processing of these events.
Interrupts and burst transactions (i.e. DMA transfers) are events implemented as messages in a POSIX message queue in the PCI Bus Simulation. There is a queue for each transfer direction: one for events directed at the MSL Simulator, and one for events directed at the flight software in VxSim. PCI devices issue interrupts to signal the processor. The processor, upon receipt of these interrupts, invokes Interrupt Service Routines (ISRs) that are registered by the flight software. The PCI interrupt message sent to the flight software contains the interrupt line information as the parameter. When the flight software dequeues the message, it determines which interrupt was sent and calls the correct interrupt handler.
Direct Memory Access (DMA), also known as PCI burst transactions, is handled differently in WSTS than programmed I/O. The PCI bus allows burst transactions whereby an initial address and a block of data are presented to the bus, allowing it to efficiently transfer large blocks of data between a PCI initiator and a PCI target. The PCI Bus Simulation handles this differently in that it does not write the data anywhere in the shared memory regions of the cards. Instead, the data is written to one of two allocated staging areas within in the shared memory. The DMA write staging area in the shared memory is used to hold blocks of data that would be transferred from the flight processor to the simulated PCI cards, or from the simulated PCI cards to the flight processor. During each time slice, the flight software and/or the simulated devices will stage buffers in this area, and the buffers will be picked by its counterpart during its next time slice. This write is combined with a DMA event to simulate a DMA transfer. Similarly for DMA reads, a separate staging area is allocated in the shared memory.
V. Conclusion
9
The first version of WSTS was deployed to MSL in October 2006 with only a compute element simulation. At the writing of this paper, the 30 th release (wsts-8.02) of WSTS was just delivered to MSL. In all this time, the WSTS architecture and design principles have held up. WSTS has not needed any major redesign as more capabilities have been added to it. On the contrary, WSTS has been successfully used in closed-loop cruise testing, closed-loop motor control software development and in developing flight software for hardware that has not been delivered to the hardware-in-the-loop testbeds. The MSL Flight Software Development Team and the MSL System Integration and Test Team have made extensive use of the capabilities in WSTS.
The procedures and scripts development by these teams can be developed on WSTS and reused on the hardware-in-the-loop testbeds. These early successes for WSTS have encouraged the MSL project to make more use of it a V&V tool for all phases of the MSL mission.
WSTS has already been credited to uncovering flight software defects and also defects in the flight hardware where it deviated from its specification. WSTS has proven to be a valuable development tool and has helped decrease the number of flight software development shifts on the hardwarein-the-loop testbeds. At the writing of this paper, the WSTS has already averaged an order of magnitude greater usage than the project's hardware-in-the-loop testbeds. As MSL approaches its launch date, the WSTS usage can only increase.
