DOCSLIB.ORG

Aligning Deos and RTEMS with the FACE Safety Base Operating System Profile

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Aligning Deos and RTEMS with the FACE Safety Base Operating System Profile Gedare Bloom Joel Sherrill Gary Gilliland Howard University OAR Corporation DDC-I, Inc. Washington, D.C. Huntsville, AL Phoenix, AZ [email protected] [email protected] [email protected] ABSTRACT application portability across platforms. This includes re- The Open Group Future Airborne Capability Environment quirements that impact the operating system, programming (FACETM) Consortium has developed a reference architec- languages, graphics support, and information interchange ture and standard for real-time embedded avionics systems. between application components. The FACE Technical Standard defines required capabilities The FACE Technical Standard defines four operating sys- for real-time operating systems (RTOS), portable compo- tem profiles, which are a combination of the ARINC 653 [4] nents, and a shared data model to facilitate information and POSIX [3] standards. The profiles are designed to be exchange between components. FACE RTOS requirements amenable to different levels of safety and security certifica- are based on ARINC 653 and POSIX 1003.1b with tailor- tion. The capabilities provided by the RTOS are tailored ing to address the safety and security needs of avionics sys- to meet the requirements of avionics systems. ARINC 653 tems. Deos is a safety-certified RTOS that supports AR- support is required in three of the four operating system INC 653 but not POSIX. In contrast, RTEMS is an open profiles. When initially defined, no existing RTOS provided source RTOS that supports POSIX but not ARINC 653. all of the capabilities required to be FACE conformant. Integrating a paravirtualized RTEMS with Deos combines Applications may either be written to the ARINC 653 the strengths of both and provides a path to conformance APIs or to one of the four POSIX profiles. In three of the with the FACE Safety Base operating system profile. This POSIX profiles, the ARINC 653 services for health, sampling paper presents the FACE operating system profiles and dis- ports, and queueing ports are required to be available for use cusses the technical challenges of the paravirtualization and by POSIX applications while in the fourth profile, this ca- integration effort. pability is optional. Logically, this is two separate execution environments hosted on an underlying operating system that provides virtualized time and space isolation. There is no CCS Concepts requirement that both environments be the same operating •Computer systems organization → Real-time oper- system, which led to our approach of using Deos together ating systems; •Software and its engineering → Real- with RTEMS to meet FACE conformance requirements. time systems software; DDC-I and OAR Corporation were tracking the FACE Consortium effort, but both Deos and RTEMS had signif- Keywords icant capabilities missing for conformance. Deos met the FACE ARINC 653 RTOS requirements but did not meet RTEMS, Deos, POSIX, FACE, paravirtualization, avionics any of the POSIX requirements. RTEMS nearly completely met the POSIX requirements for the single process Safety 1. INTRODUCTION Base profile but had no ARINC 653 support. After analysis The Open Group Future Airborne Capability Environ- in conjunction with discussions, we decided that executing ment (FACETM) is a collaboration of US government and a paravirtualized RTEMS in a Deos partition was a feasible industry to define an open avionics platform suitable for use and affordable path to FACE Safety Base conformance that in both military and commercial aircraft. The Consortium offered a unique value proposition to end users. Combin- has developed a technical standard and conformance process ing Deos and RTEMS capabilities meets most of the FACE as well as implementation and business practice guidance. operating system profile requirements. Purely POSIX appli- The FACE Technical Standard (Edition 2.1 [8]) defines the cations can run under RTEMS, while ARINC 653 tasks can infrastructure and application structure required to ensure run under Deos. For applications that require tasks with both POSIX and ARINC 653 services we provide a novel approach that supports tasks in Deos that request POSIX services from an RTEMS task. The POSIX service is satis- fied by RTEMS as if it were a library in another partition. In this manner, application developers do not need to split their application into tasks specifically to run under RTEMS or Deos, and instead can rely on Deos and RTEMS to work together to satisfy the POSIX and ARINC 653 interface re- EWiLi ’16, October 6th, 2016, Pittsburgh, USA. quirements. Copyright retained by the authors. Figure 1: FACE Architecture with Deos and RTEMS in the Operating System Segment (OSS). Other seg- ments shown: Portable Components Segment (PCS), Platform-Specific Services Segment (PSSS) Transport Services Segment (TSS), I/O Services Segment (IOSS). In this paper, we provide an overview of the FACE oper- 2.1 FACE Operating System Profiles ating system profile requirements, a discussion of the techni- The FACE Technical Standard Edition 2.1 [8] defines four cal capabilities missing from Deos and RTEMS to meet the operating system profiles. These profiles were carefully de- Safety Base profile, and the activities required to integrate signed to reflect the RTOS services and capabilities that had the two RTOSes capabilities and jointly meet the profile re- been through avionics and medical safety and security cer- quirements. tifications at various levels of criticality. All of these profiles are subsets of the full POSIX 1003.1b standard, which in- 2. BACKGROUND cludes approximately 1300 methods. The FACE operating The FACE Reference Architecture is defined in terms of system profiles are as follows with the smaller profiles being five segments. Figure 1 shows how these segments interface proper subsets of the larger profiles: with each other. The Portable Component Segment con- tains portable business logic as components that are poten- • Security - a single process profile that includes 136 tially applicable to multiple avionics systems. These com- POSIX methods and requires ARINC 653. This pro- ponents communicate solely using the Transport Services file was designed for an application such as an infor- Segment (TSS). The TSS is a critical segment in the FACE mation gateway. Applications written to this profile Reference Architecture because all application information do not exit; they execute forever. As such, methods to exchanges are defined in terms of the FACE Shared Data delete, close, or destroy operating system objects are Model and transferred using TSS services. The Platform- not included. Specific Services Segment (PSSS) contains components that • Safety Base - a single process profile which includes include platform specific business logic and device interfaces. 246 POSIX methods and requires ARINC 653. This PSSS components may interface with both the TSS and I/O profile also does not include methods used to delete or Services Segment (IOSS). The IOSS is comprised of software close operating system objects. components that provide a bridge between operating system device drivers to the PSSS. The IOSS is accessed only by • Safety Extended - a multiprocess, multithreaded pro- PSSS components and does not use the TSS. file which includes 335 POSIX methods and requires All of the FACE architectural segments are built on top ARINC 653. This profile also does not include meth- of the Operating System Segment (OSS), which includes the ods used to delete or close operating system objects. operating system, programming language run-times, frame- works, and health services. However, the foundation for all • General Purpose - a multiprocess, multithreaded pro- architectural segments and the deployed platform is the real- file which includes 812 POSIX methods. ARINC 653 time operating system (RTOS) software within the OSS. As support is optional. This profile addresses the needs shown in Figure 1, the OSS is the only segment that con- of applications which do not have safety certification nects with every other segment in the FACE architecture. requirements and require richer POSIX support. This Figure 2: System Architecture Across User-Kernel Modes. profile includes methods used to delete or close oper- to satisfy the conformance requirements for the Safety Base ating system objects, and is also the only profile to OS profile. include stdin, stdout, and stderr. RTEMS is an open source single process, multithreaded RTOS with robust POSIX 1003.1b support. As a mature, POSIX partitions hosted on ARINC 653 RTOSes have ac- community-developed software system, RTEMS has wide cess to the ARINC 653 health services as well as sampling support for about fifteen processor architectures and over and queueing ports. POSIX partitions may use shared mem- 175 board support packages. With user selectable scheduling ory, ARINC 653 ports, or TCP/IP to communicate with algorithms, it supports SMP on PowerPC, ARM, SPARC, applications in other partitions. and x86 and has been tested on systems up to 24 cores. At first glance, the FACE profiles appear to duplicate RTEMS includes multiple file systems including in-memory, those defined by POSIX.13 [1], but there are significant dif- FAT, JFFS2 and a custom RTEMS File System (RFS) for ferences. For example, all FACE POSIX profiles include real-time predictable performance. It also includes FreeBSD networking while only two of the four defined by POSIX.13 TCP/IP and USB support. RTEMS does not have ARINC- include it. The largest difference is that the FACE profiles 653 support so it cannot alone satisfy the Safety Base OS were defined based on industry experience with avionics and profile, and yet when initially evaluated, RTEMS was miss- other safety qualification. This leads to methods considered ing fewer than 10 of the 246 POSIX methods required by unsafe for multi-threaded programming like strtok() being this profile. included in all profiles defined in POSIX.13-1998 but only in Interestingly, evaluated against the multiprocess FACE the FACE General Purpose Profile. Even the largest FACE General Purpose OS profile RTEMS does surprisingly well, profile, the General Purpose Profile, only includes 812 of supporting approximately 90% of the methods required.
Recommended publications
  • Software Model Checking of ARINC-653 Flight Code with MCP Sarah J

    Software Model Checking of ARINC-653 Flight Code with MCP Sarah J

    Software Model Checking of ARINC-653 Flight Code with MCP Sarah J. Thompson Guillaume Brat SGT Inc., NASA Ames Research Center CMU, NASA Ames Research Center MS269-1, Moffett Field, California MS-269-1, Moffett Field, California [email protected] [email protected] Arnaud Venet SGT Inc., NASA Ames Research Center MS269-1, Moffett Field, California [email protected] Abstract The ARINC-653 standard defines a common interface for Integrated Modular Avionics (IMA) code. In particular, ARINC-653 Part 1 specifies a process- and partition-management API that is analogous to POSIX threads, but with certain extensions and restrictions intended to support the implementation of high reliability flight code. MCP is a software model checker, developed at NASA Ames, that provides capabilities for model checking C and C++ source code. In this paper, we present recent work aimed at implementing extensions to MCP that support ARINC-653, and we discuss the challenges and opportunities that consequentially arise. Providing support for ARINC-653’s time and space partitioning is nontrivial, though there are implicit benefits for partial order reduction possible as a consequence of the API’s strict interprocess communication policy. 1 Introduction NASA missions are becoming increasingly complex, and, more and more of this complexity is imple- mented in software. In 1977, the flight software for the Voyager mission amounted to only 3000 lines. Twenty years later, the software for Cassini had grown by a factor of ten, and more strikingly, the soft- ware for the Mars Path Finder mission amounted to 160 KLOCs (thousands of lines of code).
  • Communications for Integrated Modular Avionics

    Communications for Integrated Modular Avionics

    Communications for Integrated Modular Avionics Richard L. Alena [email protected] John P. Ossenfort IV, SAIC Kenneth I. Laws, QSS Andre Goforth NASA Ames Research Center Moffett Field, CA 94035 Fernando Figueroa, NASA Stennis Space Center TABLE OF CONTENTS Abstract—The aerospace industry has been adopting avionics architectures to take advantage of advances in computer engineering. Integrated Modular Avionics (IMA), 1. INTRODUCTION ..................................................... 1 as described in ARINC 653, distributes functional modules 2. INTEGRATED MODULAR AVIONICS...................... 2 into a robust configuration interconnected with a “virtual 3. NETWORKS FOR AEROSPACE ............................... 4 backplane” data communications network. Each avionics 4. MISSION COMPUTER DESIGN............................... 8 module’s function is defined in software compliant with the 5. LAB EVALUATION............................................... 12 APEX Application Program Interface. The Avionics Full- 6. CONCLUSIONS..................................................... 16 Duplex Ethernet (AFDX) network replaces the point-to- REFERENCES........................................................... 17 point connections used in previous distributed systems with BIOGRAPHY ............................................................ 18 “virtual links”. This network creates a command and data path between avionics modules with the software and 1. INTRODUCTION network defining the active virtual links over an integrated physical network.
  • Overrun Handling for Mixed-Criticality Support in RTEMS Kuan-Hsun Chen, Georg Von Der Brüggen, Jian-Jia Chen

    Overrun Handling for Mixed-Criticality Support in RTEMS Kuan-Hsun Chen, Georg Von Der Brüggen, Jian-Jia Chen

    Overrun Handling for Mixed-Criticality Support in RTEMS Kuan-Hsun Chen, Georg von der Brüggen, Jian-Jia Chen To cite this version: Kuan-Hsun Chen, Georg von der Brüggen, Jian-Jia Chen. Overrun Handling for Mixed-Criticality Support in RTEMS. WMC 2016, Nov 2016, Porto, Portugal. hal-01438843 HAL Id: hal-01438843 https://hal.archives-ouvertes.fr/hal-01438843 Submitted on 25 Jan 2017 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Overrun Handling for Mixed-Criticality Support in RTEMS Kuan-Hsun Chen, Georg von der Bruggen,¨ and Jian-Jia Chen Department of Informatics, TU Dortmund University, Germany Email: fkuan-hsun.chen, georg.von-der-brueggen, [email protected] Abstract—Real-time operating systems are not only used in of real-time operation systems is sufficient. However, some embedded real-time systems but also useful for the simulation and applications also have tasks with arbitrary deadlines, i.e., for validation of those systems. During the evaluation of our paper some tasks D > T . If the tasks are strictly periodic, this about Systems with Dynamic Real-Time Guarantees that appears i i in RTSS 2016 we discovered certain unexpected system behavior leads to a situation where two or more instances of the same in the open-source real-time operating system RTEMS.
  • The Many Approaches to Real-Time and Safety Critical Linux Systems

    The Many Approaches to Real-Time and Safety Critical Linux Systems

    Corporate Technology The Many Approaches to Real-Time and Safety-Critical Linux Open Source Summit Japan 2017 Prof. Dr. Wolfgang Mauerer Siemens AG, Corporate Research and Technologies Smart Embedded Systems Corporate Competence Centre Embedded Linux Copyright c 2017, Siemens AG. All rights reserved. Page 1 31. Mai 2017 W. Mauerer Siemens Corporate Technology Corporate Technology The Many Approaches to Real-Time and Safety-Critical Linux Open Source Summit Japan 2017 Prof. Dr. Wolfgang Mauerer, Ralf Ramsauer, Andreas Kolbl¨ Siemens AG, Corporate Research and Technologies Smart Embedded Systems Corporate Competence Centre Embedded Linux Copyright c 2017, Siemens AG. All rights reserved. Page 1 31. Mai 2017 W. Mauerer Siemens Corporate Technology Overview 1 Real-Time and Safety 2 Approaches to Real-Time Architectural Possibilities Practical Approaches 3 Approaches to Linux-Safety 4 Guidelines and Outlook Page 2 31. Mai 2017 W. Mauerer Siemens Corporate Technology Introduction & Overview About Siemens Corporate Technology: Corporate Competence Centre Embedded Linux Technical University of Applied Science Regensburg Theoretical Computer Science Head of Digitalisation Laboratory Target Audience Assumptions System Builders & Architects, Software Architects Linux Experience available Not necessarily RT-Linux and Safety-Critical Linux experts Page 3 31. Mai 2017 W. Mauerer Siemens Corporate Technology A journey through the worlds of real-time and safety Page 4 31. Mai 2017 W. Mauerer Siemens Corporate Technology Outline 1 Real-Time and Safety 2 Approaches to Real-Time Architectural Possibilities Practical Approaches 3 Approaches to Linux-Safety 4 Guidelines and Outlook Page 5 31. Mai 2017 W. Mauerer Siemens Corporate Technology Real-Time: What and Why? I Real Time Real Fast Deterministic responses to stimuli Caches, TLB, Lookahead Bounded latencies (not too late, not too Pipelines early) Optimise average case Repeatable results Optimise/quantify worst case Page 6 31.
  • Avionics Applications on a Time-Predictable Chip-Multiprocessor

    Avionics Applications on a Time-Predictable Chip-Multiprocessor

    Avionics Applications on a Time-predictable Chip-Multiprocessor Andre´ Rocha and Claudio´ Silva Rasmus Bo Sørensen, Jens Sparsø, and Martin Schoeberl GMV Department of Applied Mathematics and Computer Science Lisbon, Portugal Technical University of Denmark Email: [andre.rocha, claudio.silva]@gmv.com Email: [rboso, jspa, masca]@dtu.dk Abstract—Avionics applications need to be certified for The demonstrators were ported to the T-CREST platform the highest criticality standard. This certification includes using its compiler tool-chain and analysis tools. The demon- schedulability analysis and worst-case execution time (WCET) strators validate the T-CREST platform. Part of the exercise, analysis. WCET analysis is only possible when the software is written to be WCET analyzable and when the platform is however, is to evaluate the added value of the platform. The time-predictable. In this paper we present prototype avionics platform shall enable application developers to determine the applications that have been ported to the time-predictable WCET of their applications more precisely or more easily. T-CREST platform. The applications are WCET analyzable, Therefore, we compare the T-CREST platform with a well- and T-CREST is supported by the aiT WCET analyzer. This established platform in the avionics domain. combination allows us to provide WCET bounds of avionic tasks, even when executing on a multicore processor. The T-CREST platform was evaluated with the aid of the following three real-world avionic applications: (1) an Airlines Operational Centre (AOC), (2) a Crew Alerting I. INTRODUCTION System (CAS), and (3) an I/O Partition (IOP). We chose The mission of the T-CREST project [1], [2] is to develop T-CREST as platform for avionics applications as this is and build a multicore processor that is time-predictable and currently the only multicore processor where static WCET easy to analyze for the worst-case execution time (WCET).
  • OPERATING SYSTEMS.Ai

    OPERATING SYSTEMS.Ai

    Introduction Aeroflex Gaisler provides LEON and ERC32 users with a wide range of popular embedded operating systems. Ranging from very small footprint task handlers to full featured Real-Time Operating System (RTOS). A summary of available operating systems and their characteristics is outlined below. VxWorks The VxWorks SPARC port supports LEON3/4 and LEON2. Drivers for standard on-chip peripherals are included. The port supports both non-MMU and MMU systems allowing users to program fast and secure applications. Along with the graphical Eclipse based workbench comes the extensive VxWorks documentation. • MMU and non-MMU system support • SMP support (in 6.7 and later) • Networking support (Ethernet 10/100/1000) • UART, Timer, and interrupt controller support • PCI, SpaceWire, CAN, MIL-STD-1553B, I2C and USB host controller support • Eclipse based Workbench • Commercial license ThreadX The ThreadX SPARC port supports LEON3/4 and its standard on-chip peripherals. ThreadX is an easy to learn and understand advanced pico-kernel real-time operating system designed specifically for deeply embedded applications. ThreadX has a rich set of system services for memory allocation and threading. • Non-MMU system support • Bundled with newlib C library • Support for NetX, and USBX ® • Very small footprint • Commercial license Nucleus Nucleus is a real time operating system which offers a rich set of features in a scalable and configurable manner. • UART, Timer, Interrupt controller, Ethernet (10/100/1000) • TCP offloading and zero copy TCP/IP stack (using GRETH GBIT MAC) • USB 2.0 host controller and function controller driver • Small footprint • Commercial license LynxOS LynxOS is an advanced RTOS suitable for high reliability environments.
  • Final Report

    Final Report

    Parallel Programming Models for Space Systems BSC - Evidence ESA Contract No. 4000114391/15/NL/Cbi/GM Final Report Parallel Programming Models for Space Systems (ESA Contract No. 4000114391/15/NL/Cbi/GM) Main contractor Subcontractor Barcelona Supercomputing Center (BSC) Evidence Srl. Eduardo Quiñones, Paolo Gai, [email protected] [email protected] Dissemination level: All information contained in this document is puBlic June 2016 1 Parallel Programming Models for Space Systems BSC - Evidence ESA Contract No. 4000114391/15/NL/Cbi/GM Table of Contents 1 Introduction ..................................................................................................... 3 2 Future work: Next development activities to reach higher TRL (5/6) ................ 4 Annex I - D1.1. Report on parallelisation experiences for the space application .... 5 Annex II - D2.1. Report on the evaluation of current implementations of OpenMP ............................................................................................................................ 23 Annex III - D3.1. Report on the applicability of OpenMP4 on multi-core space platforms ............................................................................................................ 36 2 Parallel Programming Models for Space Systems BSC - Evidence ESA Contract No. 4000114391/15/NL/Cbi/GM 1 Introduction High-performance parallel architectures are becoming a reality in the critical real-time embedded systems in general, and in the space domain in particular. This is the case of the
  • WIND RIVER Vxworks 653 PLATFORM 2.4 and 2.5

    WIND RIVER Vxworks 653 PLATFORM 2.4 and 2.5

    WIND RIVER VxWORKS 653 PLATFORM 2.4 AND 2.5 TABLE OF CONTENTS RTCA DO-178C Certification Evidence .......................................... 2 VxWorks 653 Platform Benefits ................................................. 2 VxWorks 653 Runtime Components ............................................ 3 VxWorks 653 Module OS ................................................... 4 Partition Management ..................................................... 4 Partition Scheduling ....................................................... 4 Partition Operating System ................................................. 4 COIL .................................................................... 5 APEX Application Support .................................................. 5 FACE Technical Reference 2.0 and 2.1 Support ................................ 5 Inter-partition Communication ............................................... 6 Intra-partition Communication ............................................... 6 Health Monitor ........................................................... 6 Wind River Workbench ..................................................... 7 Included Runtime Products .................................................. 12 Wind River DO-178C Network Stack ......................................... 12 Wind River Highly Reliable File System ....................................... 12 Technical Specifications ..................................................... 12 Supported Target Architectures ...........................................
  • Towards a Real-Time Component Framework for Software Health Management

    Towards a Real-Time Component Framework for Software Health Management

    Institute for Software Integrated Systems Vanderbilt University Nashville, Tennessee, 37203 Towards a Real-time Component Framework for Software Health Management Abhishek Dubey , Gabor Karsai , Robert Kereskenyi , Nagabhushan Mahadevan TECHNICAL REPORT ISIS-09-111 November, 2009 Towards a Real-time Component Framework for Software Health Management Abhishek Dubey Gabor Karsai Robert Kereskenyi Nagabhushan Mahadevan Institute for Software Integrated Systems, Vanderbilt University, Nashville, TN 37203, USA Abstract— The complexity of software in systems like aerospace industry, that deals with detecting anomalies, di- aerospace vehicles has reached the point where new techniques agnosing failure sources, and prognosticating future failures are needed to ensure system dependability. Such techniques in complex systems, like aerospace vehicles. While System include a novel direction called ‘Software Health Management’ (SHM) that extends classic software fault tolerance with tech- Health Management has been developed for physical (hard- niques borrowed from System Health Management. In this ware) systems, it provides interesting systems engineering paper the initial steps towards building a SHM approach are techniques for other fields like embedded software systems. described that combine component-based software construction The use of System Health Management techniques for with hard real-time operating system platforms. Specifically, embedded software systems points beyond the capabilities the paper discusses how the CORBA Component Model could be combined with the ARINC-653 platform services and the provided by the SFT techniques and can potentially in- lessons learned from this experiment. The results point towards crease a system’s dependability. This new direction is called both extending the CCM as well as revising the ARINC-653. Software Health Management (SHM) [4].
  • KINTSUGI Identifying & Addressing Challenges in Embedded Binary

    KINTSUGI Identifying & Addressing Challenges in Embedded Binary

    KINTSUGI Identifying & addressing challenges in embedded binary security jos wetzels Supervisors: Prof. dr. Sandro Etalle Ali Abbasi, MSc. Department of Mathematics and Computer Science Eindhoven University of Technology (TU/e) June 2017 Jos Wetzels: Kintsugi, Identifying & addressing challenges in embed- ded binary security, © June 2017 To my family Kintsugi ("golden joinery"), is the Japanese art of repairing broken pottery with lacquer dusted or mixed with powdered gold, silver, or platinum. As a philosophy, it treats breakage and repair as part of the history of an object, rather than something to disguise. —[254] ABSTRACT Embedded systems are found everywhere from consumer electron- ics to critical infrastructure. And with the growth of the Internet of Things (IoT), these systems are increasingly interconnected. As a re- sult, embedded security is an area of growing concern. Yet a stream of offensive security research, as well as real-world incidents, contin- ues to demonstrate how vulnerable embedded systems actually are. This thesis focuses on binary security, the exploitation and miti- gation of memory corruption vulnerabilities. We look at the state of embedded binary security by means of quantitative and qualitative analysis and identify several gap areas and show embedded binary security to lag behind the general purpose world significantly. We then describe the challenges and limitations faced by embedded exploit mitigations and identify a clear open problem area that war- rants attention: deeply embedded systems. Next, we outline the cri- teria for a deeply embedded exploit mitigation baseline. Finally, as a first step to addressing this problem area, we designed, implemented and evaluated µArmor : an exploit mitigation baseline for deeply em- bedded systems.
  • Flight Software Workshop 2007 ( FSW-07)

    Flight Software Workshop 2007 ( FSW-07)

    Flight Software Workshop 2007 ( FSW-07) Current and Future Flight Operating Systems Alan Cudmore Flight Software Branch NASAIGSFC November 2007 Page I Outline Types of Real Time Operating Systems - Classic Real Time Operating Systems - Hybrid Real Time Operating Systems - Process Model Real Time Operating Systems - Partitioned Real Time Operating Systems Is the Classic RTOS Showing it's Age? Process Model RTOS for Flight Systems Challenges of Migrating to a Process Model RTOS Which RTOS Solution is Best? Conclusion November 2007 Page 2 GSFC Satellites with COTS Real (waiting for launch) (launched 8/92) (launched 12/98) (launched 3/98) (launched 2/99) (12/04) XTE (launched 12/95) TRMM (launched 11/97) JWST lSlM (201 1) Icesat GLAS f01/03) MAP (launched 06/01) LRO HST 386 4llH -%Y ST-5 (5/06) November 2007 Page 3 Classic Real Time OS What is a "Classic" RTOS? - Developed for easy COTS development on common 16 and 32 bit CPUs. - Designed for systems with single address space, and low resources - Literally Dozens of choices with a wide array of features. November 2007 Page 4 Classic RTOS - VRTX Ready Systems VRTX Size: Small - 8KB RTOS Kernel Provides: Very basic RTOS services Used on: - Small Explorer Missions Used from 1992 to 1999 8086 and 80386 Processors - Medium Explorer Missions XTE (1995) TRMM (1997) 80386 Processors - Hubble Space Telescope 80386 Processors Advantages: - Small, fast - Uses 80386 memory protection -- A feature we have missed since we stopped using it! Current use: - Only being maintained, not used for new development
  • ARINC-653 Inter-Partition Communications and the Ravenscar Profile

    ARINC-653 Inter-Partition Communications and the Ravenscar Profile

    ARINC-653 Inter-partition Communications and the Ravenscar Profile Jorge Garrido Juan Zamorano Juan A. de la Puente Abstract The ARINC-653 standard is often used to build mixed-criticality systems, using a partitioned archi­ tecture. Inter-partition communication is carried out by means of a message-passing mechanism based on ports. The standard includes an API for Ada, but the implementation semantics of operation ports is not fully defined. Furthermore, the API was defined for the Ada 95 standard, and therefore does not take into account the enhancements to the real-time features of the language that have been incorporated in the 2005 and 2013 standards, most notably the Ravenscar profile. This paper is aimed at clarifying the implementation of ARINC communication ports in Ada and the Ravenscar profile. ARINC communi­ cation ports are analysed, and their compatibility with the Ravenscar profile is assessed. A new API that can be used with the profile is defined, and a pilot implementation is introduced. 1 Introduction Partitioning is a convenient approach for developing mixed-criticality systems on a single hardware plat­ form. Under this approach, a system is divided into a set of logical partitions, which are isolated from each other both in the temporal and spatial domains. Subsystems with different levels of criticaliry are allocated to different partitions, and failures in low-criticality components cannot propagate to high-criticality ones. Critical subsystems can thus be certified in isolation to the required level, provided that the partitioning ker­ nel is also certified to that level, but the validation of lower-criticality subsystems can be greatly simplified.