Mixed-criticality design of a satellite software system

The continuous increment of processors computational power and the requirements on additional functionality and services are motivating a change in the way embedded systems are built. Components with different criticality level are allocated in the same processor, which give rise to mixed-criticality systems. The use of partitioned systems is a way of preventing undesirable interferences between components with different criticality level. An hypervisor provides these partitions or virtual machines, ensuring spatial, temporal and fault isolation between them. The purpose of this paper is to illustrate the development of a mixed-critical system. The attitude control subsystem is used for showing the different steps, which are supported by a toolset developed in the context of the MultiPARTES research project

Static analysis of WCET in a satellite software subsystem

This paper describes the authors? experience with static analysis of both WCET and stack usage of a satellite on-board software subsystem. The work is a continuation of a previous case study that used a dynamic WCET analysis tool on an earlier version of the same software system. In particular, the AbsInt aiT tool has been evaluated by analysing both C and Ada code generated by Simulink within the UPMSat-2 project. Some aspects of the aiT tool, specifically those dealing with SPARC register windows, are compared to another static analysis tool, Bound-T. The results of the analysis are discussed, and some conclusions on the use of static WCET analysis tools on the SPARC architecture are commented in the paper

ARINC-653 Inter-partition communications and the ravenscar profile

The ARINC-653 standard is often used to build mixed-criticality systems, using a partitioned architecture. Inter-partition communication is carried out by means of a message-passing mechanism based on ports. The standard includes an API for Ada, but the implementation semantics of operation ports is not fully defined. Furthermore, the API was defined for the Ada 95 standard, and therefore does not take into account the enhancements to the real-time features of the language that have been incorporated in the 2005 and 2013 standards, most notably the Ravenscar profile. This paper is aimed at clarifying the implementation of ARINC communication ports in Ada and the Ravenscar profile. ARINC communication ports are analysed, and their compatibility with the Ravenscar profile is assessed. A new API that can be used with the profile is defined, and a pilot implementation is introduced

In support of extending the Ravenscar profile

This paper discusses different approaches for implementing an EEPROM memory driver which is part of the UPMSat2 satellite on-board computer software. The Ravenscar profile restrictions are to be observed in order to ensure the analysability of the system, and therefore the approaches are evaluated against the profile. Results of this evaluation as well as considerations on a possible extension of the Ravenscar profile with respect protected entries are presented

Diseño e implementación del software del UPMSat-2 en el entorno de desarrollo TASTE.

Como respuesta a a necesidad de modernizar y homogeneizar el proceso de diseño y desarro llo de software par a el segmento de vuelo de sus misiones, la Agencia Espacial Europea puso en marcha en 2004 el proyecto ASSERT El resultado de este proyecto fue una nueva metodología basada en el desarrollo basado en modelo. Posteriormente, la propia Agencia promovió un nuevo proyecto, TASTE, con el objetivo de desarrollar un entorno de desarrollo que permitiera la puesta en práctica de la metodología propuesta en ASSERT. En el presente artículo se describen las principales características de este entorno de desarrollo, así como la experiencia en su uso en el ámbito del proyecto UPMSat-

Analysis of WCET in an experimental satellite software development.

This paper describes a case study in WCET analysis of an on-board spacecraft software system. The attitude control system of UPMSat-2, an experimental micro-satellite which is scheduled to be launched in 2013, is used for an experiment on analysing the worst-case execution time of code automatically generated from a Simulink model. In order to properly test the code, a hardware-in-the-loop configuration with a simulation model of the spacecraft environment has been used as a test bench. The code has been analysed with RapiTime, with some modifications to the original instrumentation routines, in order to take into account the particularities of the test configuration. Results from the experiment are described and commented in the paper

Ada, the programming language of choice for the UPMSAT-2 satellite

The proper selection of development mechanisms and tools is essential for the final success of any engineering project. This is also true when it comes to software development. Furthermore, when the system shows very specific and hard to meet requirements, as it happens for high-integrity real-time systems, the appropriate selection is crucial. For this kind of systems, Ada has proven to be a successful companion, and satellites are not an exception. The paper presents the reasons behind the selection of Ada for the UPMSat-2 development, along with the experience and examples on its usage

Experience in spacecraft on-board software development

This paper describes some important aspects of high- integrity software development based on the authors' work. Current group research is oriented towards mixed- criticality partitioned systems, development tools, real- time kernels, and language features. The UPMSat-2 satellite software is being used as technology demonstra- tor and a case study for the assessment of the research results. The flight software that will run on the satellite is based on proven technology, such as GNAT/ORK+ and LEON3. There is an experimental version that is being built using a partitioned approach, aiming at assessing a toolset targeting partitioned multi-core em- bedded systems. The singularities of both approaches are discussed, as well as some of the tools that are being used for developing the software

Arquitectura de tiempo real para el control de actitud en un satélite experimental

La misión UPMSat-2 tiene por objetivo la construcción y el lanzamiento de un microsatélite experimental que sirva como plataforma de educación e investigación en diversos aspectos de la ingeniería de sistemas espaciales. En este artículo se describe la arquitectura y el diséño del software de tiempo real que realiza el control de actitud del satélite. La arquitectura está basada en modelos, y las herramientas utilizadas permiten la validación de las propiedades de tiempo real y la generación de código de forma casi totalmente automátic