# Flight Software Development with TASTE

Steve Duncan, Thales Alenia Space UK Ltd, stephen.duncan@thalesaleniaspace.com

Objective O-1: Successful applications with emphasis on reporting perceived return-on-investment

## Introduction

Thales Alenia Space in the UK is responsible for the gyro module for Space Inspire, the next generation communications satellite platform which is being developed in partnership with ESA and CNES [1]. As part of the general strategy of cost reduction, a novel architecture has been selected based on rad-hard microcontrollers, which offer the advantages of lower cost and component count when compared with FPGA-based designs.

In this presentation, we describe how we have used the TASTE toolset [2] in the design of key parts of the onboard software, in particular the onboard communications and data pool. We discuss the use of SDL for behavioural specification and ASN.1 for data modelling and show how the resulting model-based design can be transformed into a flight software implementation. The approach is not without its own challenges, and we discuss the compromises that need to be made in order to minimise the code footprint and to ensure the verifiability of the end product.

## Design Overview

The SGM20 Gyro (Figure 2) is a three-axis MEMS rate gyro based on the Thales Alenia Space DPC. It comprises three SGH-03 rate detectors, each driven by its own set of digital control loops. The DPC (Figure 1) is a three-core mixed-signal microcontroller based on the OpenMSP430 CPU.

A dedicated DPC is allocated to each axis. This architecture has clear benefits in terms of modularity, processing margins and schedulability, albeit with an increase in communications complexity and the need for an internal communications link between the processors.

The command/control interface is a redundant CANbus or, optionally, redundant RS422 UART. The bus is connected to one of the DPCs, known as the primary axis, which is responsible for TM/TC interfacing to the OBC, and communicates with the two secondary axes via UART protocol on point-to-point links routed internally to the PCB (Figure 3).

The high control loop iteration rates (up to 14500 Hz), together with the relatively low clock rates achievable with the current generation of rad-hard processors, would present a schedulability problem for a single-core microprocessor, as the numeric processing is a hard real-time activity that would not tolerate delays introduced by the servicing of asynchronous interrupts generated by the command/control interface. The DPC, with its multi-core architecture, is uniquely well suited to this type of application, as it is possible to allocate the real-time algorithm tasks and the asynchronous communications tasks to different cores.

## Use of TASTE

Whilst the use of TASTE in flight SW applications is still in its early stages, elements of the toolchain are stable and mature enough to be considered for use in the SW development life cycle. Specifically, these are:

1. Behavioural modelling in SDL
2. Data modelling in ASN.1
3. Autogeneration of data structures and finite state machines (FSMs)
4. Pre-integration using MIL techniques
5. Validation using the TASTE Python scripting engine

As discussed in our previous presentations on the subject [3], Thales Alenia Space UK consider SDL to be a key enabler in the design of complex subsystems, particularly those with multiple interacting elements connected by potentially unreliable communications links.

The SGM20 Gyro SW contains six FSMs that have been autogenerated from SDL specifications. These are responsible for a) reliable communications and error recovery on the inter-axis UART links and b) synchronisation of measurements and scheduling of TM collection and TC distribution between the primary and secondary axes. Optionally, a seventh FSM may be added as a replaceable module for CANopen, UART or MIL-1553B communications with the OBC.

Figure 4 shows the SGM20 SW in its CANbus configuration, with the autogenerated components highlighted.

The UART communications protocol FSM is lightweight, yet can be shown through analysis of the SDL to be robust against anticipated failure modes such as link interruption, bit errors and lost or repeated characters. This FSM is instantiated four times on the SGM20, once at each end of an internal UART link.

The Remote Axis Manager FSM, which is instantiated twice on the primary axis DPC, is responsible for the distribution of TCs and the aggregation of TM from the secondary axes. It contains handling for both communications and protocol errors at the application level.

The autogeneration of C code from SDL is performed by TASTE's OpenGeode tool. The version currently shipped with TASTE produces code which, while compact, is not fully compatible with the standards and metrics applied to flight SW. We have made some simple modifications to the OpenGeode code generator to overcome some of these limitations, although this does require the design to be constrained to a subset of SDL which omits certain features that lead to higher complexity in the output code. Specifically, it has been necessary to prohibit the use of nested and parallel states.
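An added illustration, not TAS-UK's generated code and not the SGM20 protocol: a hand-written C receiver FSM for a constructed four-byte frame, kept to a flat state set as the SDL subset above requires, showing one way the failure modes named for the UART link (bit errors, lost characters, repeated frames) can each be handled. The frame layout, checksum, and all state, event and function names are assumptions.

```c
#include <stdint.h>
/* Constructed frame layout (an assumption, not the SGM20 format):
 * SOF(0xA5) | SEQ(0 or 1) | DATA | CHK, where CHK = SEQ ^ DATA ^ 0x5A. */
enum { SOF = 0xA5, CHK_SEED = 0x5A };
/* Flat state set: no nested or parallel states. */
typedef enum { WAIT_SOF, WAIT_SEQ, WAIT_DATA, WAIT_CHK } rx_state_t;
typedef enum { RX_NONE, RX_DELIVER, RX_DUPLICATE, RX_BAD_FRAME, RX_TIMEOUT } rx_event_t;

typedef struct {
    rx_state_t state;
    uint8_t seq, data;      /* fields of the frame being assembled */
    uint8_t expected_seq;   /* sequence bit of the next new frame */
    uint8_t delivered;      /* last payload passed to the application */
} rx_fsm_t;

void rx_init(rx_fsm_t *f) {
    f->state = WAIT_SOF; f->seq = 0; f->data = 0; f->expected_seq = 0; f->delivered = 0; }

/* Inter-character timeout: a lost character or a link interruption
 * must not leave the FSM waiting mid-frame. */
rx_event_t rx_timeout(rx_fsm_t *f) {
    rx_event_t ev = (f->state == WAIT_SOF) ? RX_NONE : RX_TIMEOUT;
    f->state = WAIT_SOF;
    return ev;
}

/* Feed one received character; each state is a single switch case. */
rx_event_t rx_char(rx_fsm_t *f, uint8_t c) {
    switch (f->state) {
    case WAIT_SOF:
        if (c == SOF) f->state = WAIT_SEQ;
        return RX_NONE;                 /* noise between frames is ignored */
    case WAIT_SEQ:
        if (c > 1) { f->state = WAIT_SOF; return RX_BAD_FRAME; }
        f->seq = c; f->state = WAIT_DATA;
        return RX_NONE;
    case WAIT_DATA:
        f->data = c; f->state = WAIT_CHK;
        return RX_NONE;
    case WAIT_CHK:
        f->state = WAIT_SOF;
        if (c != (uint8_t)(f->seq ^ f->data ^ CHK_SEED)) return RX_BAD_FRAME;
        if (f->seq != f->expected_seq) return RX_DUPLICATE; /* repeat: do not deliver twice */
        f->delivered = f->data;
        f->expected_seq ^= 1u;
        return RX_DELIVER;
    }
    f->state = WAIT_SOF;                /* corrupted state variable: recover to idle */
    return RX_BAD_FRAME;
}
```

With every state a top-level `case` and every transition a single assignment, the control flow stays shallow, which is the property the restriction to non-nested, non-parallel states is meant to preserve in generated code.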

The use of data modelling in ASN.1 allows the SGM20's data pool (object dictionary) to be specified in a modular and protocol-independent fashion that is abstracted as far as possible from the underlying implementation. As a result, the data model can be easily reconfigured for different applications using other microcontroller platforms and/or bus types, as has been previously demonstrated with various processor targets by TAS-UK, including GR712 [4], GR716 [5], and ARM [6].

The use of model-in-the-loop (MIL) techniques is another key benefit of the TASTE approach. The system behaviour is first modelled in SDL and verified using testing performed wholly within the TASTE VM. Elements of the model are then substituted by their physical counterparts, with the internal TASTE communications being replaced by interface adapters (Figure 6).

For validation, the TASTE Python scripting engine has proven itself to be both powerful and useful. It allows TM/TC messages to be defined in the application domain language using ASN.1 value notation and automatically encoded into or decoded from the binary formats used by the communication bus. A facility is provided to check the contents of part or all of a received message against a specified value or range, and the generated C/Python support code is open and extensible, allowing it to be incorporated in an existing software validation framework.

## Results and Future Work

The autogenerated code from TASTE has been operating in gyro prototypes since early 2021, and has now been incorporated in the flight software for the SGM20. SW-CDR is anticipated in September 2022 and first launch in 2024.

The SDL and ASN.1 models will be redeployed in future TAS-UK equipment SW developments, the first of these being for a small-scale Stirling Cycle cooler currently being developed under a GSTP contract.

## References

- [1] https://www.esa.int/Applications/Telecommunications_Integrated_Applications/New_partnership_to_inspire_competitive_innovation
- [2] https://essr.esa.int/project/taste
- [3] https://indico.esa.int/event/329/contributions/5534/attachments/3890/5621/1130 Presentation Model-based techniques for space microcontroller applications.pdf
- [4] Design and Validation of Onboard Protocols using TASTE, S. Duncan, DASIA 2018, Oxford
- [5] Decentralised Subsystem Control using Rad-hard Microcontrollers, J. Purnell, S. Duncan, G. Magistrati, DASIA 2019, Torremolinos
- [6] Microcontroller-based MEMS GYRO, S. Duncan, DASIA 2021, Online



Figure 2 SGM20 Gyro Board



Source: Thales Alenia Space, Belgium

Figure 1 Digital Programmable Controller (DPC)



Figure 3 SGM20 Block Diagram



Figure 4 SGM20 Software Layers



Figure 5 Illustration of three-axis operation



Figure 6 Model-in-the-loop configuration