An Incremental Strategy for Spacecraft Flight Software Reuse Gary M. Heiligman, T. Adrian Hill, Robyn L. LeGrys, and Stephen P. Williams The Johns Hopkins University Applied Physics Laboratory 11100 Johns Hopkins Road, Laurel, MD 20723-6099 mailto:[email protected] Abstract IDPU software is delivered with the instruments; C&DH and G&C software are provided with the spacecraft bus. This paper describes a process of spacecraft flight In 1997, JHU/APL completed the critical design review software development that reuses requirements, designs, (CDR) for the TIMED mission. Mission-level CDRs for and implementations. Beginning in 1997, The Johns three other flight projects followed in quick succession: Hopkins University Applied Physics Laboratory CONTOUR in 2000, MESSENGER in 2002, and STEREO (JHU/APL) developed the flight software for five different in 2003. The CDR for a fourth mission, New Horizons, space missions: (1) Thermosphere, Ionosphere, will also be held in 2003. Each of these missions requires Mesosphere Energetics and Dynamics (TIMED), (2) C&DH and G&C software; some require instrument COmet Nucleus TOUR (CONTOUR), (3) MErcury software as well. Surface, Space ENvironment, GEochemistry, and Ranging As one of its unique capabilities, JHU/APL’s Space (MESSENGER), (4) Solar TErrestrial RElations Department provides experience and expertise in Observatory (STEREO), and (5) New Horizons, a mission developing and testing spacecraft flight software. A group to Pluto and beyond. JHU/APL met strict constraints of of less than 30 developers delivers the software for these budget and schedule by reusing products from each and future missions. Software reuse plays an important mission for the following one in a successively more role in the way the group creates these computer comprehensive fashion. Keys to the success of this reuse programs. are consistent external interface protocols, rigorous At JHU/APL, reuse consists of taking the requirements, requirements management, retention of the original designs, source code, and associated documentation from development documentation, use of a consistent past missions as the starting point for each new mission. development process, and a group organization that The developers of CONTOUR and later missions have fosters reuse. The reused packages include bootstrap, task succeeded in reusing incrementally greater portions of the scheduling, uplink, command handling, autonomy, and software from past missions in a process that we describe 1553 bus support. here. 2. Motivations for reuse 2.1. Reliability 1. Introduction Because failure of a critical computer program could The Johns Hopkins University Applied Physics easily lead to the loss of the entire mission, reliability is Laboratory (JHU/APL) has been developing spacecraft paramount for spacecraft flight software. JHU/APL flight software ever since the first general-purpose therefore takes a conservative approach to the computers were flown on spacecraft [1]. This software is development of both hardware and software. For example, of three types. JHU/APL uses only space-qualified, radiation-hard (1) Command and data handling (C&DH) programs processors and memory in its spacecraft. The development process telecommands, transmit telemetry, and tools (compiler, locator, and operating system) must also provide onboard data storage. be highly reliable. “Flight heritage”—the proven (2) Guidance and control (G&C) programs determine the capability of an article to perform to specifications in the spacecraft’s attitude and trajectory and control them. harsh environment of space—is considered an asset in (3) Instrument programs control and take data from the both hardware and software. payload and usually run on a dedicated instrument In software, flight heritage is obvious when source data processing unit (IDPU). code is reused from previous missions. However, flight heritage is also valuable for designs and requirements, mission all affect the software in fundamental ways. The because correctness of these products is just as critical to different mission drivers, though, are often the most mission success as bug-free software. critical barriers to reuse, because they may dictate that a solution that worked for past missions is untenable for the 2.2. Volume new mission. They may affect the level of autonomy, the The C&DH and G&C programs for each mission timing constraints, or the basic assumptions under which require tens of thousands of lines of code. Starting in the software must function. 1997, JHU/APL has had to develop spacecraft flight 3.2. Focus on individual missions means limited software at a rate of approximately one new mission per year. Developing this much software anew for each effort for reuse per se mission would strain JHU/APL’s in-house capability even Flight software development at JHU/APL is funded if time were not a factor. almost entirely by the individual missions. Mission managers are understandably reluctant to devote precious 2.3. Time dollars allocated to their own mission to fund reusability Deep-space missions must be launched on a schedule improvements that primarily benefit future missions. And dictated by the dynamics of the Solar System. In order to missions not yet funded for implementation generally are be ready for launch, the software must be developed, unable to provide the resources to ensure that a flight integrated, and tested. Thus reuse often becomes essential software product is developed for reusability. Thus there is even if the developers would like to make changes (for no ready pool of money for reuse per se. The staff efficiency, maintainability, reusability, etc.), because there organization within JHU/APL takes on the responsibility is simply not enough time. of fostering reuse as a part of its primary goal of developing mission-specific software. 3. Barriers to Reuse 4. Framework for reuse 3.1. Differences in mission-level requirements dictate different solutions 4.1. Hardware architecture The most important barrier to reuse is the different The spacecraft before TIMED distributed the data requirements at the mission level that lead to different processing over hardware in several different ways and software architectures. The five missions discussed in this used a variety of processors and implementation paper are the following. languages. Since then, however, three features have (1) TIMED is the first mission in NASA’s Solar contributed to the stabilization of G&C and C&DH Terrestrial Probes program. It studies the Earth’s software. upper atmosphere with four remote-sensing 4.1.1. The integrated electronics module (IEM). On instruments. It has performed its scientific mission TIMED and all subsequent missions, a PCI backplane successfully since its launch on December 7, 2001. connects the command and data handling (C&DH) (2) CONTOUR was a Discovery-class mission to explore processor, solid-state recorder, and transponder interfaces the diversity of comets. It performed flawlessly for six in one physical box: the IEM. Consistency of uplink weeks of phasing orbits, but it was destroyed on protocols is in part a result of this decision. Most missions August 15, 2002, during the solid-rocket motor burn have two IEMs for full redundancy. that was to place it in heliocentric orbit. (3) MESSENGER is a Discovery-class mission to fly by 4.1.2. The UTMC SµMMIT chip. TIMED and all and orbit Mercury. It is manifested for launch on subsequent missions have used a consistent protocol and March 10, 2004. hardware set to communicate between the processor and (4) STEREO is the third mission in NASA’s Solar many system components: the MIL-STD-1553B Notice 2 Terrestrial Probes program. It consists of two bus and the SµMMIT integrated circuit family from identical spacecraft in different heliocentric orbits. UTMC. Consistency of this interface enables much of the Launch (from a single vehicle) will occur in external communication software to be reused. November 2005. 4.1.3. The power distribution unit interface. On (5) New Horizons is the first mission to Pluto-Charon and CONTOUR and all subsequent missions, electronics in the the Kuiper Belt of rocky, icy objects beyond. Launch power distribution unit provide the interface to the power is planned for January 2006. system electronics and some attitude control hardware We summarize the differences for these five missions (e.g., thrusters, sun-angle sensors, reaction wheels, and in the Appendix. The number and types of processors, solar-array drives). It translates 1553 bus messages into how they are interconnected, and the lifetime of the command signals to the hardware and translates data signals into 1553 bus messages. Consistency of this the developers reuse part or all of a product from an earlier interface also leads to software reuse. mission. Also, during the review of a partially reused design, the 4.2. Development methodology and language reviewers may find defects in a reused portion of the A shared methodology and language are essential for design. The corrective actions may apply to both the reuse. The flight software developers use a “waterfall” earlier and later missions; thus, corrective actions development methodology, as shown in Figure 1. themselves can be reused. Software Acceptance Requirements Requirements Test Plan Review Test Plan 4.4. Process documentation Definition Review (Each Build) Generation Each mission requires a software development Preliminary Preliminary Design Design management plan (SDMP) tailored to its unique needs. Review Large portions of this document are often reusable. Detailed Detailed Design Perhaps more importantly, consistency of the software Design Review modus operandi means that the developers need not learn Code a new way of doing business when they begin work on a Code Walkthroughs mission. It is particularly important that the graphical design notation not change, because these products are Unit Test both time-consuming to produce and nontrivial to review. Build 4.5. Development tools Integration Repeat for and Test Each Build For a mission to reuse the development products of a Acceptance Test preceding mission efficiently, paper copies are inadequate.