This paper discusses different approaches for implementing an EEPROM memory driver which is part of the UPMSat2 satellite on-board computer software. The Ravenscar profile restrictions are to be observed in order to ensure the analysability of the system, and therefore the approaches are evaluated against the profile. Results of this evaluation as well as considerations on a possible extension of the Ravenscar profile with respect protected entries are presented.
Introduction
The Ravenscar profile [1, D.13] allows a restricted subset Ada tasking in certain kinds of critical systems where predictability, efficiency, and static analysis are required. It has been successfully used in many real-time applications, and has enabled concurrency to be used in many situations where full Ada tasking is not allowed.
However, there are some cases in which using the profile is difficult and can lead to complex programs and abstraction inversion. At the last IRTAW meeting Rogers, Ruiz, and Gingold [3] proposed relaxing some of the restrictions while still keeping the advantages of predictability and efficiency. The rationale behind their proposal is that the current specifications in the Real-Time Annex make it possible to implement some additional tasking features in a predictable way. In particular, they showed how an implementation of an extended profile with a bounded number of protected entries and bounded entry queues can be implemented in the Ravenscar GNAt runtime while keeping the worst-case execution time (WCET) and memory space bounded, with an acceptable amount of overhead in execution time.
The purpose of this position paper is to support this proposal by showing a real example in which the use of the Ravenscar profile leads to unnecessary efficiency, whereas an extended profile allowing multiple entries in a protected object enables a much better implementation. The example is a subset of an EEPROM driver which is part of the UPMSat2 on-board software [2] .
half of the memory space is used to store the executable OBC code, and the rest is used to store parameters and data. This part of the memory is divided into blocks of two different sizes. There are 16 blocks of 512 B, which are used to store configuration parameters, and 4032 blocks of 128 B, which are used to store telemetry and telecommand messages.
Due to the technical specifications of the EEPROM, a minimum wait interval of 15 ms must be kept after a write operation before starting a new read or write operation, in order to prevent the written data to be erased. In order to obtain the required bandwidth, the EEPROM block mode, allowing up to 128 consecutive word write accesses, is used. It must be noted that block writes must be atomic.
3 Ravenscar EEPROM drivers
Basic design
The EEPROM driver is to be accessed by different software tasks, and therefore a basic approach is to use a protected object to ensure mutual exclusive access: However, there are two main issues with this design: -As stated before, a delay of 15 ms has to be enforced at the end of the Write operation. Since blocking operations are not allowed in the body of protected operations, delay may not be used to this purpose. The immediate solution is thus to implement the delay by means of an active wait loop.
-Write operations must be executed in an atomic way. In order to avoid interrupts from other devices to interfere wit them, the priority of the protected object must be set to System.Priority'Last, as above shown. This is enough to inhibit all interrupts on a monoprocessor platform, as is the case in the UPMSat2 OBC.
In consequence, a call to the Write procedure may block any other task for up to 15 ms, while the procedure is executing the active wait loop. This is clearly undesirable, and therefore a better solution has to be found.
A dissociated design
A better solution, which is currently used in UPMSat2, is to dissociate the active wait from the Write operation. Two protected objects are used, an external object which implements the external interface and the active wait loop, and an internal object which carries out the write operation. 
s EEPROM. Write and t h e n e x e c u t e s and a c t i v e w a i t l o o p −− t h e Read p r o c e d u r e dos n o t need t o be wrapped −− a s i t d o e s n o t have t o be a t o m i c end EEPROM_Interface ;
This approach provides the benefit of not executing the active wait at the highest priority. However, as stated before, the EEPROM_Interface object is called from many tasks in the system, thus inheriting a high executing priority under the ceiling priority protocol. As a result, although the priority at which the active wait loop is executed has been reduced, most tasks in the system are still experiencing long blocking times.
Extended Ravenscar drivers 4.1 Synchronized task approach
A third approach would be to do the wait after block writings outside any protected object, thus being able to use a delay statement in a low priority server task rather than an active wait. This approach would highly reduce the interference caused by the writing delay. However, it requires a more sophisticated synchronization mechanism for writing and reading operations. This is usually achieved in Ada by means of protected entries.
However, Ravenscar restrictions do not allow any possible implementation with a reasonable level of complexity. Neither a solution with a single entry queueing the calls nor a set of entries discriminating operations and tasks are acceptable under the profile.
It could be claimed that a solution with a single entry for activating the server task and procedure operations for queueing requests may be achievable even with the Ravenscar profile restrictions. But several issues arise at this point, the most relevant one being the complexity of implementing the queueing protocol. Furthermore, this implementation would be redundant, as the runtime has already implemented a queueing mechanism for entry calls.
A better solution
In fact, the most desirable approach for the EEPROM driver implementation would be to have a protected object with two entry queues, one for Write operations and another one for Read operations. As shown by Rogers et al. [3] , this would not compromise the schedulability analysis, or add a significant timing overhead.
The code scheme for this approach is listed below. 
