15 research outputs found

    A Component-Based Middleware for a Reliable Distributed and Reconfigurable Spacecraft Onboard Computer

    Emerging applications for space missions require increasing processing performance from the onboard computers. DLR's project "Onboard Computer - Next Generation" (OBC-NG) develops a distributed, reconfigurable computer architecture to provide increased performance while maintaining the high reliability of classical spacecraft computer architectures. Growing system complexity requires an advanced onboard middleware, handling distributed (real-time) applications and error mitigation by reconfiguration. The OBC-NG middleware follows the Component-Based Software Engineering (CBSE) approach. Using composite components, applications and management tasks can easily be distributed and relocated on the processing nodes of the network. Additionally, reuse of components for future missions is facilitated. This paper presents the flexible middleware architecture, the composite component framework, the middleware services and the model-driven Application Programming Interface (API) design of OBC-NG. Tests are conducted to validate the middleware concept and to investigate the reconfiguration efficiency as well as the reliability of the system. A relevant use case shows the advantages of CBSE for the development of distributed reconfigurable onboard software.

    PaTaS: Quality Assurance for Model-driven Software Development

    The quality of software products in safety-critical applications, extensively found within the space domain, is a key success factor but also a major cost driver. To ensure high quality of the software product, quality assurance processes with quality models and metrics are applied. With these tools and processes, product assurance managers and software developers are able to quantify the quality of the software under development. Within the ESA-funded study PaTaS (Product Assurance with TASTE Study), a product quality model with software and model metrics was developed and implemented in an end-to-end model-driven software development (MDSD) life cycle demonstrator. The goal of this study was to identify applicable concepts to maintain quality and dependability levels when MDSD is applied. This requires the definition of connected model and software quality indicators. These indicators were integrated into ESA's reference software product quality model (ECSS-Q-HB-80-04A). The resulting adapted quality model was incorporated in a model-driven software development life cycle demonstrator. To evaluate this demonstrator and the integrated quality indicators in a realistic development scenario, mission-critical parts of the command and data handling subsystem of a satellite mission were modelled and subsequently coded. The aim of the activity was to demonstrate the effect of the end-to-end life cycle in combination with the developed quality model on the final onboard software product. In this paper we present the results of the study. The focus is on the quality model for MDSD and new quality metrics for models, which can be embedded in an end-to-end model-driven product development life cycle.

    PaTaS - Quality Assurance in Model-Driven Software Engineering for Spacecraft

    Within PATAS (Product Assurance with TASTE Study), a product quality model with software and model metrics is developed and implemented in an end-to-end model-driven software engineering (MDSE) lifecycle demonstrator, based on TASTE. The goal of this study is to find applicable concepts to maintain quality and dependability levels when MDSE is applied. This requires the definition of connected model and software quality indicators. These indicators are identified and integrated with ESA's reference software product quality model (ECSS-Q-HB-80-04A). The resulting quality model is integrated in a model-based software development lifecycle demonstrator, based on TASTE. To evaluate this demonstrator and the integrated quality indicators, mission-critical parts of the command and data handling subsystem of a satellite mission are modelled and subsequently coded, simulating a realistic development scenario as a use case. The aim of the activity is to demonstrate the effect of the end-to-end lifecycle in combination with the developed quality model on the final onboard software product. The final results will set the baseline for recommendations to improve Quality Assurance in MDSE at ESA. In this talk, we present the ongoing study and its latest results.

    Design of an Automatic Specification-based Test-framework for On-board software of Satellites

    Satellites are sophisticated and therefore complicated constructs that require interdisciplinary teamwork of various experts from different academic disciplines. The integration of specific payload components, like scientific experiments, in the on-board software of the satellite is very challenging. The domain expert, as the owner of the payload component, possesses detailed insights into his or her component, but lacks sufficient programming skills to implement it in the on-board software. The programmer is able to write proper code for the on-board software, but is inexperienced with the payload component of the domain expert. This report describes the design and the implementation of an automatic specification-based test framework for on-board software of satellites to bridge the knowledge and communication gap between the programmer and the domain expert. Model- and test-driven development are the focus of the test framework. With the help of a domain-specific language, the domain expert is able to model a specification in formal notation, representing potential use-case scenarios of the component. These scenarios are automatically translated to compilable C++ test cases, which help the programmer to verify the functional correctness of the on-board software implementation of the payload component while he or she is programming it.

    Design of an Automatic Specification-based Test-framework for On-board Software of Satellites

    Satellites are sophisticated and therefore complicated constructs that require interdisciplinary teamwork of various experts from different academic disciplines. The integration of specific payload components, like scientific experiments, in the on-board software of the satellite is very challenging. The domain expert, as the owner of the payload component, possesses detailed insights into his or her component, but lacks sufficient programming skills to implement it in the on-board software. The programmer is able to write proper code for the on-board software, but is inexperienced with the payload component of the domain expert. This report describes the design and the implementation of an automatic specification-based test framework for on-board software of satellites to bridge the knowledge and communication gap between the programmer and the domain expert. Model- and test-driven development are the focus of the test framework. With the help of a domain-specific language, the domain expert is able to model a specification in formal notation, representing potential use-case scenarios of the component. These scenarios are automatically translated to compilable C++ test cases, which help the programmer to verify the functional correctness of the on-board software implementation of the payload component while he or she is programming it.

    Towards an FDIR Software Fault Tree Library for Onboard Computers

    The increasing complexity of space missions, their software architectures, and the hardware that has to meet the demands of those missions imposes numerous new challenges for many engineering disciplines, such as reliability engineering. Onboard computers are directly affected by the ever-growing demand for more onboard computation power. In return, they require Fault Detection, Isolation, and Recovery (FDIR) architectures to support their fault-tolerant operation in the harsh environment of space. High-performance commercial processing units in particular face the challenge of dealing with negative radiation effects, which may significantly degrade their operation. To design performant and fault-tolerant onboard computers, it is of high interest to assess the effectiveness of the FDIR architecture in the early phase of system design. This can be achieved using Fault Tree Analysis (FTA). However, creating complete fault trees manually is an error-prone and labor-intensive task. In this paper, the methodology for assessing the FDIR design of onboard computers in space systems, presented in [1], is refined by introducing a library of FDIR routines. The routines are modeled using fault trees and are composed into a software system fault tree using a basic fault model and a design configuration chosen by the reliability engineer. To assess the configurations, we give a heuristic based on a factor-criteria-metric model. We demonstrate the feasibility of our approach on the basis of a case study on the rover of the Martian Moons eXploration (MMX) mission. Several FDIR configurations are studied and fault trees are generated for them. For the chosen case study, we obtain a reduction of up to 80% in terms of modeling effort.

    A New SpaceWire Protocol for Reconfigurable Distributed On-Board Computers

    There are several standardized protocols based on SpaceWire which provide data exchange between several nodes. SpaceWire is also suitable for interprocess communication (IPC) with the help of higher-level protocols. However, there is currently no standardized protocol targeting IPC on SpaceWire networks. This paper proposes a protocol which uses the capabilities of SpaceWire to build up networks for distributed computing on a spacecraft. The core of this protocol is the IPC mechanism for communication between the nodes and methods to support a reconfiguration of the network. A key feature of this protocol is an interface for a reconfiguration mechanism, which can be implemented on the application level. This enables the utilization of unreliable commercial off-the-shelf (COTS) nodes, allowing system recovery from an erroneous state. Additionally, the reconfiguration can be used to adapt the distributed computer to different mission phases. The protocol has the potential to form the foundation of a distributed on-board computer consisting of COTS components. Such a distributed computer could be capable of fulfilling high performance demands as well as high reliability needs. However, the protocol itself is not restricted to use solely in fully-featured reconfigurable distributed systems. The IPC methods can be applied stand-alone as well, to establish lightweight communication between nodes on a SpaceWire network by excluding the reconfiguration parts of the protocol.

    CIS-SIM Facility: The Galileo-based European Navigation and Communication Constellation Simulator for the Cis-lunar Society

    ESA's Lunar Communication and Navigation Service (LCNS) programme aims to catalyse upcoming lunar missions, including NASA's Lunar Gateway, by offering a turnkey communication and navigation service solution. The service shall be enabled by a lunar satellite constellation and offered to customers with spacecraft in lunar orbit, in lunar orbital descent and in lunar surface operations. To be able to develop, test and operate this lunar Navigation and Communication (navcom) infrastructure and the technology enabling and improving it, it is important to have a representative simulation environment as early as possible in the programme. Among other uses, such a simulation environment can serve to evaluate the navcom signals and mission concepts, to train operators and service customers, to troubleshoot anomalies of the deployed lunar infrastructure, to conduct test campaigns of orbital/surface mission scenarios (e.g. for ESA's Moon Village, Lunar Gateway, etc.), and to develop advanced Position, Navigation and Timing (PNT) solutions (e.g. lunar Precise Point Positioning (PPP) corrections, terrestrial GNSS signal augmentation, etc.). We therefore suggest beginning with the development of the CIS-SIM Facility, representing a global first for a lunar navigation and communication constellation simulator, by reusing major components of flight-proven ground segment software of an active GNSS, namely Galileo. Its main purpose is to simulate the satellite constellation in the lunar orbit environment, to model the navcom signal propagation/distribution, and to allow simulated monitoring and control of the satellite platforms as well as their navcom payloads. Therefore, the design presented herein is a holistic and hybrid solution, being a navcom signal service volume simulator and a spacecraft constellation simulator in one facility. The facility is a key infrastructure for the development of future cis-lunar navigation and communication technologies and lowers the barriers for their potential translunar application. It brings commercial and scientific space activities together and helps legacy and new market entrants to participate in the lunar industrialization process. Within this paper, we introduce the overall topic and in particular ESA's LCNS programme. We elaborate on the CIS-SIM facility design with its core elements. We then showcase the potential for extensions by outlining three options as examples and conclude the paper with the future outlook of the project.

    Final Presentation of PATAS - Quality Assurance in Model-Driven Software Engineering for Spacecraft

    Within PATAS (Product Assurance with TASTE Study), a product quality model with software and model metrics has been developed and implemented in an end-to-end model-driven software engineering (MDSE) lifecycle demonstrator, based on TASTE. In this talk, we will present the condensed results of the study. This includes an applicable quality model with correlated model metrics for MDSE, the elaboration of the demonstrator implementation and qualitative as well as quantitative results of the use-case implementation. The goal of this study was to find applicable concepts to maintain quality and dependability levels when MDSE is applied. This requires the definition of connected model and software quality indicators. These indicators are identified and integrated with ESA's reference software product quality model (ECSS-Q-HB-80-04A). Figure 1 displays the new quality model, which has been integrated in a model-based software development lifecycle demonstrator, based on TASTE. To evaluate this demonstrator and the integrated quality indicators, mission-critical parts of the command and data handling subsystem of a satellite mission have been modelled and subsequently coded, simulating a realistic development scenario as a use case. The aim of the activity was to demonstrate the effect of the end-to-end lifecycle in combination with the developed quality model on the final onboard software product. The final results shall set the baseline for recommendations to improve Quality Assurance in MDSE at ESA.