46 research outputs found

    Development and update of aerospace applications in partitioned architectures

    Master's thesis in Computer Engineering, presented to the University of Lisbon through the Faculty of Sciences, 2011.

    To face the challenges and requirements imposed by future space missions, the aerospace industry has been following the trend of adopting innovative and advanced computing system architectures that fulfil strict requisites of size, weight and power consumption (SWaP), thus decreasing the overall mission cost while ensuring the safety and timeliness of the system. The AIR (ARINC 653 in Space Real-Time Operating System) architecture has been defined in response to the interest of the aerospace industry, especially the European Space Agency (ESA). AIR provides a partitioned environment for the development and execution of aerospace applications, based on the idea of time and space partitioning (TSP), aiming at the preservation of the application requirements, timing and safety. During a space mission, the occurrence of unexpected events or changes to the mission plans introduces new constraints to the mission. Therefore, it is paramount to be able to host new applications on the spacecraft onboard computer platform, or to modify the existing ones at run time, thus fulfilling new requirements or enhancing spacecraft functions. The work described in this thesis introduces in the AIR architecture support for the inclusion of new features in the mission plan during system operation. These new features may be composed of modified software components or the corresponding timing requirements. Improving the AIR architecture with the ability to perform software updates requires a suitable development environment and tools. Therefore, the methodology for software development in AIR-based systems, regarding the build and integration process, is reexamined.

    Integration of generic operating systems in partitioned architectures

    Master's thesis, Computer Engineering (Architecture, Systems and Computer Networks), University of Lisbon, Faculty of Sciences, 2009.

    The Integrated Modular Avionics (IMA) specification defines a partitioned environment hosting multiple avionics functions of different criticalities on a shared computing platform. ARINC 653, one of the specifications related to the IMA concept, defines a standard interface between the software applications and the underlying operating system. Both these specifications come from the world of civil aviation, but they are attracting interest from space industry partners, who have identified requirements in common with those of aeronautic applications. Within the scope of this interest, the AIR architecture was defined, under a contract from the European Space Agency (ESA). AIR provides temporal and spatial segregation, and foresees the use of different operating systems in each partition. Temporal segregation is achieved through the fixed cyclic scheduling of computing resources to partitions. The present work extends the foreseen partition operating system (POS) heterogeneity to generic non-real-time operating systems. This was motivated by documented difficulties in porting applications to RTOSs, and by the notion that proper integration of a non-real-time POS will not compromise the timeliness of critical real-time functions. For this purpose, Linux is used as a case study. An embedded variant of Linux is built and evaluated regarding its adequacy as a POS in the AIR architecture. To guarantee safe integration, a solution based on the Linux paravirtualization interface, paravirt-ops, is proposed. In the course of these activities, the AIR architecture definition was also subject to improvements. The most significant one, motivated by the intended increase in POS heterogeneity, was the introduction of a new component, the AIR Partition OS Adaptation Layer (PAL). The AIR PAL provides greater POS-independence to the major components of the AIR architecture, easing their independent certification efforts. Other improvements provide enhanced timeliness mechanisms, such as mode-based schedules and process deadline violation monitoring.

    ESA/ITI - European Space Agency Innovation Triangular Initiative (through ESTEC Contract 21217/07/NL/CB-Project AIR-II) and FCT - Fundação para a Ciência e Tecnologia (through the Multiannual Funding Programme

    AIR Project Final Report

    This document describes the main results of AIR, an innovation initiative sponsored by ESA, the European Space Agency. The acronym AIR stands for ARINC 653 Interface in RTEMS. ARINC 653 is a civil aviation world specification addressing safety-critical and certification issues in embedded systems software. The AIR Project studied the adoption of ARINC 653 in space on-board software together with the utilization of RTEMS, the Real-Time Executive for Multiprocessor Systems. This document: (i) describes the main issues regarding the AIR architecture specification; (ii) addresses how space and time partitioning could be provided in an abstract processor infrastructure, as well as how those requirements can be mapped onto both the SPARC ERC32/LEON and Intel IA-32 (80x86) architectures; (iii) describes how to achieve the mapping of the ARINC 653 service interface in RTEMS; (iv) identifies the most relevant module dependencies of RTEMS with regard to AIR implementations; (v) identifies a preliminary set of modifications to be introduced in the RTEMS application production chain for the implementation of AIR-based systems (exemplified through a proof of concept prototype

    CCSDS Time-Critical Onboard Networking Service

    The Consultative Committee for Space Data Systems (CCSDS) is developing recommendations for communication services onboard spacecraft. Today many different communication buses are used on spacecraft, requiring software with the same basic functionality to be rewritten for each type of bus. This impacts the application software, resulting in custom software for almost every new mission. The Spacecraft Onboard Interface Services (SOIS) working group aims to provide a consistent interface to various onboard buses and sub-networks, enabling a common interface to the application software. The eventual goal is reusable software that can be easily ported to new missions and run on a range of onboard buses without substantial modification. The system engineer will then be able to select a bus based on its performance, power, etc., and be confident that a particular choice of bus will not place excessive demands on software development. This paper describes the SOIS Intra-Networking Service, which is designed to enable data transfer and multiplexing of a variety of internetworking protocols with a range of quality of service support, over underlying heterogeneous data links. The Intra-network service interface provides users with a common Quality of Service interface when transporting data across a variety of underlying data links. Supported Quality of Service (QoS) elements include: Priority, Resource Reservation and Retry/Redundancy. These three QoS elements combine and map into four TCONS services for onboard data communications: Best Effort, Assured, Reserved, and Guaranteed. Data to be transported is passed to the Intra-network service with a requested QoS. The requested QoS includes the type of service, priority and, where appropriate, a channel identifier. The data is de-multiplexed, prioritized, and the required resources for transport are allocated. The data is then passed to the appropriate data link for transfer across the bus. 
    The SOIS-supported data links may inherently provide the quality of service support requested by the intra-network layer. In the case where the data link does not have the required level of support, the missing functionality is added by SOIS. As a result of this architecture, re-usable software applications can be designed and used across missions, thereby promoting common mission operations. In addition, the protocol multiplexing function enables the blending of multiple onboard networks. This paper starts by giving an overview of the SOIS architecture in section II, illustrating where the TCONS services fit into the overall architecture. It then describes the quality of service approach adopted, in section III. The prototyping efforts that have been going on are introduced in section IV. Finally, in section V the current status of the CCSDS recommendations is summarized.

    A Survey of Operating Systems Infrastructure for Embedded Systems

    Since early applications in the 1960s, embedded systems have come down in price and there has been a dramatic rise in processing power and functionality. In addition, embedded systems are becoming increasingly complex. High-end devices, such as mobile phones, PDAs, entertainment devices, and set-top boxes, feature millions of lines of code with varying degrees of assurance of correctness. Nowadays, more and more embedded systems are implemented in a distributed way, and a wide range of high-performance distributed embedded systems have been designed and deployed. As many aspects of embedded system design become increasingly dependent on the effective interaction of distributed processors, it is clear that as much effort needs to be focused on software infrastructure, such as operating systems, with respect to how to provide functionality in order to fulfill these requirements. This technical report presents some of the approaches associated with operating systems that have been used in order to fulfill these needs.

    CAPES/MEC - Brasil, Project BEX3342/08-

    Safety Kernel for cooperative sensor-based systems

    Master's thesis in Information Security, presented to the University of Lisbon through the Faculty of Sciences, 2013.

    Future safety-critical systems, used in, for example, the aerospace, aeronautic and automotive industries, call for innovative computing architectures, with increased complexity. These systems must still cope with strict requirements, not only in terms of safety and reliability, but also in terms of size, weight and power consumption (SWaP). Traditional approaches used in the design of such critical systems rely on proving and guaranteeing, at design time, the safety and predictability of their applications. However, with the emergence of new technological solutions and the increase in the complexity of applications, it gets harder or even infeasible to prove their safety by design, limiting the scope and possible features to include in such systems. For instance, the use of wireless communications opens a new world of possibilities: it may be used to develop smart vehicles that cooperate with each other to achieve some common goal. However, due to its uncertainty, the development of such applications for safety-critical systems turns out to be a challenging task. In this thesis, we propose a hybrid architecture, in which simple and predictable components coexist with complex and unpredictable ones, without compromising safety, despite the unavoidable uncertainty. 
    The inclusion of complex components into safety-critical systems allows the emergence of new applications that provide new features or that improve the existing ones. Furthermore, we want to deal with the uncertainty that characterizes wireless communications and provide mechanisms which allow systems to cooperate with each other in a safe way. We rely on a component called Safety Kernel, in charge of monitoring and managing the runtime configuration of the system, forcing it to adapt to faults and runtime constraints in order to avoid hazardous situations. We describe the architecture and role of such a Safety Kernel, and how it interacts with other components in the system architecture, including the functional components of the control system. Finally, we present a prototype implementation of such a Safety Kernel over AIR, an architecture based on the concept of Time and Space Partitioning (TSP) developed for aerospace systems.

    Proceedings Work-In-Progress Session of the 13th Real-Time and Embedded Technology and Applications Symposium

    The Work-In-Progress session of the 13th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'07) presents papers describing contributions both to the state of the art and the state of the practice in the broad field of real-time and embedded systems. The 17 accepted papers were selected from 19 submissions. These proceedings are also available as Washington University in St. Louis Technical Report WUCSE-2007-17, at http://www.cse.seas.wustl.edu/Research/FileDownload.asp?733. Special thanks go to the General Chairs, Steve Goddard and Steve Liu, and the Program Chairs, Scott Brandt and Frank Mueller, for their support and guidance.

    Leveraging continuous integration in space avionics - a design using declarative build automation paradigm

    There are several benefits when Continuous Integration (CI) is adopted for a software development project. It provides a mechanism to reduce the burden on developers during the build and test of the developed software, as well as helping to release the product on time. Other benefits include capturing errors early in the development cycle, easier integration at defined intervals over the course of software development, and faster, more comprehensive feedback to developers. However, in an embedded domain, adopting CI is a challenging activity. If the project size and complexity are high, there will be a large number of activities which need to be covered in the CI workflow. Not all tools used in software development provide seamless interfaces to the CI tool. There is a need to design the interface framework, which can quickly grow to be complex and time consuming. An effective CI workflow follows a set of best practices. Build automation is one of them. The existing literature does not provide comprehensive information to address the effect that build automation tools have on the design and implementation of a CI framework in an embedded avionics domain. Tools like GNU Make and Apache Ant are primarily used for the build and test stages of development. However, these build tools are imperative in nature. As the build logic increases in complexity, the conciseness of build scripts reduces. Build runtimes should also not be large, as the feedback cycle time would be longer. This study aims to design a CI workflow for a space satellite On-Board Software (OBSW) development project. The objective is to bring out the limitations and challenges of using a conventional imperative build approach during the set-up of a CI framework for the project. The proposal is to adopt a build tool which is based on declarative build paradigms and provides mechanisms to integrate easily with CI tools. 
    This study is carried out as action research (AR), with study results expressed as quantitative or qualitative metrics. A prototypical CI chain is implemented with a Jenkins CI server and Gradle as the primary build tool. Parameters such as performance and maintenance complexity of build logic, and features such as integration with a CI tool and reproducible builds, are investigated.