

# N7 SPACE

ATMEL ARM BSP with CANopen library

Michał Mosdorf, Michał Kocon & The Team

Final Presentation Days 3-4 Dec 2019

### Agenda

- N7 Space introduction
- Project scope and objectives
- Design and development aspects
- Testing approach
- Conclusion and project continuation



# N7 Space

- Joined venture between SPACEBEL and N7 Mobile located Poland
  - Company founded in 2017
  - Started operation with projects previously executed by N7 Mobile that were transferred to N7 Space
  - Software engineering team located in Warsaw office with space experience since 2014
  - Focus on software development for upstream segment
    - On-board software
      - Leon3, Cortex-M7, Zynq
    - MBSE
      - ASN.1, SDL, AADL, MSC, Capella, TASTE







# Selected activities

- ESA missions
  - CBK's subcontractor in PROBA3 mission responsible for on-board software
  - SPACEBEL's subcontractor in HERA mission
- Software development for ARM ecosystem
  - Board Support Package and Boot Loader development for Microchip Cortex-M7 processor line
  - CANopen library and RTEMS 5 demo applications
  - CoreSight usage for multi-core software tracing on ARM Cortex-A53 Zynq









©ESA–P. Carril





# Selected activities

- MBSE tools development
  - Qt based IDE for ASN.1 modelling with PUS-C template library
  - PUS-C deployment with automatic generation toolset
    - Database software, document generation ASN.1 modelling and generation
  - Capella plugins development
    - ASN.1 and AADL generator from Capella models
  - Test scripting languages
    - EBNF, Language Server Protocol Based IDE for ECSS languages
  - Providing TASTE support to target platform by integrating new compiler toolchain
  - Member of TASTE Steering Committee

| CCSDS Common Types ST[01] request verification ST[02] device access ST[03] housekeeping ST[04] parameter statistics reporting ST[05] event reporting ST[06] memory management ST[08] function management ST[08] function management ST[08] function management ST[08] function management Time reporting in CUC format ST[11] time-based scheduling ST[12] On-board monitoring ST[14] real-time forwarding control ST[17] test ST[18] On-Board control procedure ST[19] event-action System Objects Wrappers | Requires:<br>• Common Types<br>• Mission Objects<br>Spacecraft Time Reference Status<br>• PTC/PFC Types<br>Basic Types<br>Conflicts:<br>• ST[09] time management<br>• Time reporting subservice<br>Time reporting in CDS format |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Selection Mode:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Metadata                                                                                                                                                                                                                        |







# ARM BSP with CANopen library

- Project executed under ESA Polish Incentive Scheme with Microchip
- Software development activities for SAMV71 Cortex-M7 MCU
  - Bootloader compliant with the ESA SAVOIR requirements
    - Utilization of PUS-C stack supported by ASN.1/ACN formal modelling
  - Board Support Package
    - Driver library for MCU
  - CANopen library implementing tailored ECSS-E-ST-50-15C
  - Demonstration applications based on RTEMS 5
- Lifecycle and target TRL
  - Project lifecycle and quality requirements based on tailored ECSS-E-ST-40C and ECSS-Q-ST-80C
  - Target criticality C and TRL6







### Bootloader Software

- Bootloader software for Cortex-M7 SAMV71
- Software requirements specification based on SAVOIR Flight Computer Initialisation Sequence Generic Specification provided by ESA
- Major characteristics
  - Model based PUS-C TC/TM stack developed using ASN.1/ACN modelling supported by ESA tool ASN1SCC
  - Execution from internal Flash memory
  - Self-test of the internal SRAM and external SDRAM memories
  - Failure reporting through boot and death reports
  - Bare metal design (no RTOS used)
  - Utilizes a minimal set of BSP drivers developed in the project scope
  - Supported PUS (1, 5, 6, 8, 17)
    - Additional custom PUS 6 subservice for flash memory operations



#### BSW architecture overview





#### BSW states overview





2019

# ASN.1 data modelling

- ASN.1 well established data modelling standard
- ACN language for describing encoding rules, created by ESA
- ESA TASTE toolchain used to generate code and documentation
- *Single source of truth* models ensure consistency between documentation and code
- Models distributed as part of ICD (can be reused)
- PUS services data models reused from components library









| No | Field          | Comment | Present          | Type<br>NULL    | Constraint   | Min Bits | Max Bits | 0         |
|----|----------------|---------|------------------|-----------------|--------------|----------|----------|-----------|
| 2  | n<br>dataAreas |         | always<br>always | TC-6-2-DataArea | N.A.<br>N.A. | 48       |          | °<br>8240 |

| TC-6-2-DataArea (SEQUENCE) ASN.1 ACN |              |         |         |                    |            |          | Max: 1030 bytes |
|--------------------------------------|--------------|---------|---------|--------------------|------------|----------|-----------------|
| No                                   | Field        | Comment | Present | Туре               | Constraint | Min Bits | Max Bits        |
| 1                                    | startAddress |         |         | <u>BytePointer</u> | N.A.       | 32       | 32              |
| 2                                    | dataToLoad   |         | always  | <u>MemoryData</u>  | N.A.       | 16       | 8208            |



# **BSP** and **CANopen** library

- Bare metal driver library with support for following peripherals
  - Serial interfaces:
    - Ethernet, I2C, SPI, CAN, UART, ISI, QSPI
  - Other modules:
    - SDRAMC, WDT, RSWDT, LPOW, NVIC, SYSTICK, XDMAC, TIC, PWM, RTC, RTT, PIO, AFEC, FPU, EEFC, PMC, RSTC, SUPC
- Integration of the selected drivers with the RTEMS 5
  - RTEMS clock Driver Shell (SysTick) •
- RTEMS RTC device (Timer)
- RTEMS TCP/IP Driver (Ethernet) RTEMS I/O Manager (MCAN) ٠

- CANopen library
  - ECSS-E-ST-50-15C, clauses: 9 (Minimal implementation), 7 (Time distribution), 8 (Redundancy management)
  - Master and slave modes •
  - PDO data transfer: unconfirmed command, telemetry request, SYNC •



# Tailoring of the CANopen library

- Implementation followed the following clauses of the ECSS-E-ST-50-15C standard:
  - Clause 7 Time distribution
  - Clause 8 Redundancy management
  - Clause 9 Minimal implementation of CANopen protocol for highly asymmetrical control applications
- Main elements left out from the implementation:
  - SDOs (Service Data Objects)
  - Support for remote transmission request (RTR)
  - Support for setting remote SCET time
  - Implementation of an EDS-to-OD (Electronic Data Sheet to Object Dictionary) converter



# Testing & qualification approach

- Test environment
  - Controlled by CI Jenkins server
  - Unit tests implemented in open-source Cmocka
    - Achieved >80% code and branch coverage
  - Code coverage analysed with ported gcov
  - Static analysis
    - MISRA compliance with Cppcheck
    - Code metrics with Lizard
    - clang-tidy, clang-format
  - Traceability matrixes generation based on Doxygen comments
  - Integration and validation supported by Python scripting environment responsible for C&C communication
  - PEAK dongle and CANfestival used for CANopen validation
  - BSP integrated into Microchip web server demo





#### CI test stages





# Static analysis

- Checks performed as part of build steps
- Validated on Cl
- Zero tolerance (all warnings are errors)
  - failing checks block next build steps
- Checks include:
  - cppcheck static analysis and MISRA rules verification
  - clang-tidy static analysis
  - clang-format code style conformance
  - lizard complexity analysis
- Project was early adopter of cppcheck MISRA addon
  - A few bug fixes were submitted to cppcheck



### Test Suite Framework

- In-house built testing framework
- With core being platform-independent, framework was adapted for use with ATSAMV71Q21
- Main features:
  - Based on Python test scripts
  - Easy integration with different hardware platforms and setups
  - Automatic collection of debugger and application outputs
  - Enables construction of platform-agnostic, portable test scenarios



### Test cases definition

 Allows instrumentalization and inspection of communication over the C&C link

 For the purpose of the ARMBSP project, enables instrumentation of various microprocessor peripherals



#### Test environment





Power

### Test environment

- RaspberryPI used as an interface to the ATSAM V71
  - Remote IO control
  - RaspberryPl configuration with ssh
  - GDB Server host
  - Environment for running binaries to handle CAN bus and CANfestival
- Test Platform
  - Interface to the RaspberryPI with TSF (Test Suite Framework)
  - Unit test log verification
  - Several Test Suites to handle integration testing





# Unit testing

- Cmocka unit test framework
- Each module has it's own binary with test cases
- Checking done on the MCU with log sent using USART
- Verification of the results done by the Test Platform





# Testing performed by Test Suite Framework

- Direct program execution control with python scripts.
  - GDB interface
  - C&C interface communication with UART
  - CAN bus communication using CanFestival and basic CAN framework





### CANopen performance measurement scenarios

- We performed test measurements of performance of the library in three scenarios:
  - Active waiting transmit a single message or a 16-message burst and wait until the hardware queue is empty before queuing more messages;
  - Event-based transmission transmit the messages upon reception of a system event generated in the transmission interrupt handler;
  - Active queue filling variation of active waiting; poll the hardware queue status and transmit the messages whenever there's space in the queue.
- Measurements were performed with an RTEMS-based demo application, with the processor clock running at 150MHz and bus baudrate of 1MBit/s
- Data reception performed by PEAK dongle and CANfestival controlled by RPi



### CANopen performance measurement results

- Performed by triggering 10000 queueing operations (giving 10000 messages for single message transmissions and 160000 messages for bursts).
- With baudrate of 1Mbit/s, average user data rate is ~530kbit/s.

|   |                                  | Active         | waiting             | Event-based    | transmission        | Active queue |
|---|----------------------------------|----------------|---------------------|----------------|---------------------|--------------|
|   |                                  | Single message | 16-message<br>burst | Single message | 16-message<br>burst | filling      |
|   | Data bandwidth<br>usage          | 69.4%          | 93.6%               | 62.9%          | 92.9%               | 95.79%       |
|   | CPU load from<br>CANopen library | 29.8%          | 34.7%               | 30.5%          | 33.2%               | 34.3%        |
| 2 |                                  |                |                     |                |                     |              |



# GCOV/LCOV

- Adapted with coverage stubs
  - Linked custom \_read, \_write, \_open, \_close etc. functions
  - \_write forwards the coverage data to the USART
- Standard gcc --coverage binary compilation.
- Output captured by the EGSE and saved to the files for further analysis with GCOV/LCOV

| Current view: top                                    | level            |                            |                                     |                            | Hit                           | Total                       | Coverage                    |
|------------------------------------------------------|------------------|----------------------------|-------------------------------------|----------------------------|-------------------------------|-----------------------------|-----------------------------|
| Test: uni                                            | named            |                            |                                     | Lines:                     | 5730                          | 6011                        | 95.3 %                      |
| Date: 201                                            | 9-11-15 00:17:50 |                            | Fur                                 | ctions:                    | <b>62</b> 8                   | 657                         | 95.6 %                      |
|                                                      |                  |                            | Bra                                 | anches:                    | 1417                          | 1686                        | 84.0 %                      |
| Directory                                            | Line C           | overage                    | ¢                                   | Functi                     | ons 🖨                         | Bran                        | ches 🖨                      |
| Directory                                            | L ine C          | overage                    | <b></b>                             | Functi                     | ons 📤                         | Bran                        | ches ≜                      |
| Directory                                            | Line C           | overage<br>97.8 %          | ♦<br>308 / 315                      | Functi<br>96.8 %           | ons<br>30 / 31                | Bran<br>88.5 %              |                             |
|                                                      | Line C           |                            |                                     |                            |                               |                             | 77 / 87                     |
| <u>src/Afec</u>                                      | Line C           | 97.8 %                     | 308 / 315                           | 96.8 %                     | 30 / 31                       | 88. <b>5</b> %              | 77 / 87<br>68 / 82          |
| <u>src/Afec</u><br><u>src/Eefc</u>                   | Line C           | 97.8 %<br>89.0 %           | 308 / 315<br>195 / 219              | 96.8 %<br>82.4 %           | 30 / 31<br>28 / 34            | 88.5 %<br>82.9 %            | 77 / 87<br>68 / 82<br>2 / 2 |
| <u>src/Afec</u><br><u>src/Eefc</u><br><u>src/Fpu</u> | Line C           | 97.8 %<br>89.0 %<br>88.2 % | 308 / 315<br>195 / 219<br>127 / 144 | 96.8 %<br>82.4 %<br>84.6 % | 30 / 31<br>28 / 34<br>11 / 13 | 88.5 %<br>82.9 %<br>100.0 % |                             |



<><> performing unit tests. TEST RESULT - BEGIN << <testsuite name="WdtTests" time="0.000" tests="8" failures="0" <testcase name="Fpu hasCorrectFeatures" time="0.000" > </testcase> <testcase name="Fpu correctlySetsAndGetsConfig" <testcas </testcase> <testcase name="Fpu correctlyHandlesFlushToZero" time="0.000 </testcase> <testcase name="Fpu correctlyDetectsErrors" time="0.000" > </testcase> </testsuite> /testsuites> UNIT TEST RESULT >>/home/arm/dev/armmcu/BSP/build/coverage/src/Fpu/Fpu.gcda /armmc6164636772323741 >>/home/arm/dev/armmcu/BSP/build/coverage/src/Pmc/Pmc.gcda >>/home/arm/dev/armmcu/BSP/build/coverage/src/Nvic/Nvic.gcda >>>/home/arm/dev/armmcu/BSP/build/coverage/src/Startup/startup >>>/home/arm/dev/armmcu/BSP/build/coverage/src/Fpu/tests/FpuTes >> COVERAGE RESULT - END <<

# MC/DC coverage

- C language introduces "branching" in all complex conditions ("short circuit" in && and | |)
- LCOV measures branch coverage using branches from assembly, not from C code
- In result branch coverage calculated by LCOV is *almost* equivalent to modified condition/decision coverage
- Difference lays in "Boolean vectors" checks (including bit fields)

| [ + + ]:        | 5 : | <pre>if (MemoryManager_isBusy(memoryManager))</pre>                    |
|-----------------|-----|------------------------------------------------------------------------|
| :               | 1 : | return returnError(errCode, MemoryManager ErrorCode Busy);             |
| [ + + ][ + + ]: | 4 : | if (!isAligned(destination)    !isAligned(source))                     |
| :               | 2 : | return returnError(errCode, MemoryManager_ErrorCode_MemoryNotAligned); |
| [ + + ]:        | 2 : | if (size > MemoryManager_BlockMaxSize)                                 |
| :               | 1 : | return returnError(errCode, MemoryManager_ErrorCode_BlockTooBig);      |
|                 |     |                                                                        |



#### Test summary

• Code & branch coverage computed from unit tests execution

|                        | BSP                  | BSW                  | CANopen              |
|------------------------|----------------------|----------------------|----------------------|
| Line coverage          | 5730/6011<br>(95.3%) | 6738/7052<br>(95.5%) | 3999/4207<br>(95.1%) |
| Branch<br>coverage     | 1417/1686<br>(84%)   | 1439/1700<br>(84.3%) | 1095/1290<br>(84.9%) |
| Unit test cases        | 476                  | 682                  | 385                  |
| Integration test cases | 39                   | 62                   | 12                   |



# Conclusion and future

- Reusable software suite for Cortex-M7 processor line from Microchip
  - BSW, BSP
  - CANopen library
- Automatic test environment based on dev kit and RaspberryPi ensuring external access to interfaces
- BSW was successfully integrated with Microchip web server demo
- Future steps
  - Ongoing adaptation of BSW and BSP to SAMRH71 and future ARM MCU
    - Support for SpaceWire and IO Switch Matrix
    - Remote application booting through SPI and RMAP
  - Usage foreseen in future ICECube project for ISS
  - Need for criticality B qualification





# Thank you for your attention



Michał Mosdorf mmosdorf@n7space.com

Michał Kocon mkocon@n7space.com

+48 22 299 20 50 www.n7space.com

