The 18th ESA Workshop on Avionics, Data, Control and Software Systems (ADCSS) covers topics related to avionics for space applications in the form of a set of round tables. The workshop acts as a forum for the presentation of position papers followed by discussion and interaction between ESA and industry and between participants. Each theme of the ADCSS workshop is first introduced and then expanded by presentations on related developments from technical and programmatic points of view. A round table discussion may follow, concluded by a synthesis outlining further actions and roadmaps for potential inclusion in ESA's technology R&D plans.
All material presented at the workshop must, before submission, be cleared of any restrictions preventing it from being published on the ADCSS website.
Short presentations from SAG members with Q&A opportunities:
* OHB
* Thales Alenia Space
* Airbus ADS
* GMV
* Sodern
* Beyond Gravity
Abstract
The study report serves as a short introduction to the C++ programming language and to how its features can be useful compared with software written in the C programming language. The newest revision of C++ (C++20) is explored, but the code examples avoid the newest features where they are not necessary, so that they remain understandable to readers familiar with older revisions of the language. The report explores topics that are relevant to or important for use in space projects, and in flight software in particular. It is organised into chapters, each exploring a distinct topic.
This abstract provides a summary of the achievements of the project. The purpose of this activity was to research the latest version of the standard and determine if it is suitable for flight software development. Specifically, this translates into the following objectives:
• Identify unsafe operations and propose alternatives. Formulate a coding standard and prepare a definition for an automatic code style checker.
• Identify operations in pure C that could be improved by using corresponding C++ features.
• Investigate and measure the impact of using exceptions to handle run-time errors.
• Investigate the maturity of C++20 and C++17 features and identify recommended / not-recommended constructs.
• Investigate the level of testing applied to the C++ Standard Library, compare it with the level of validation required by the ECSS software standard.
• Investigate how strongly the Standard Library depends on dynamic memory allocation.
• Check compatibility with popular real time operating systems, in particular with RTEMS.
• Check the level of support of the most popular compilers. In particular, check cross-compilers targeting architectures used in the space industry (SPARC, ARM (Thumb-2, A32, A64), RISC-V).
• Investigate the runtime overhead compared to implementations in C. Compare execution time and amount of generated assembly code. Specifically, look into: standard structures, exception handling, polymorphic method calls.
• Investigate the availability of static analysis tools (including which C++ version they support), debuggers, syntax checkers and unit testing tools.
The ESA-funded project "cRustacea in Space" marks a step forward in the adoption of the Rust programming language for space applications by looking at the full chain, from programming tools to integration of existing code and qualification according to ECSS.
This presentation will present the results of this comparative study, which include our experiences during the first port of Rust to the RTEMS operating system and the comparison between a simple on-board application written in C and in Rust. We will also highlight the work done regarding ECSS standards, including the analysis of software-related requirements from ECSS-Q-ST-80C and ECSS-E-ST-40C and the available tools for metricat
The main objective of the activity was to evaluate the use of the Rust programming language in space applications by providing an RTOS targeting the ARM Cortex-M7 SAMV71 microcontroller, a BSP (Board Support Package) and a demonstration application. Creating a real-time operating system validates Rust's security features in practice, exercises Rust's viability in space applications and additionally checks compatibility with the ECSS software development process.
The RTOS is implemented as an executor rather than a classic scheduler; preemption is outside the scope of this project. The executor runs tasklets, fine-grained units of computation that each execute one processing step in a finite amount of time. The main focus of the BSP part of the project was to provide a minimal set of functionality for the peripherals required to create the RTOS and to interact with the board as well as with example sensors. In the second part of the activity, a small demonstration application was developed. This demonstration provided input to a Lessons Learned report describing the issues encountered, potential problems and areas for improvement, usage recommendations and a proposed way forward.
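To make the executor-versus-scheduler distinction concrete, here is an added example (not the project's code, which is Rust on a SAMV71) of a run-to-completion tasklet executor of the kind the abstract describes. The `Tasklet` and `Executor` names, the simulated tick clock and the budget values are assumptions for illustration. The point a reviewer would want to see is that nothing can interrupt a step once it starts, so the "finite amount of time" promise must be enforced by checking each step's cost against a budget, which the executor records as an overrun.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, List, Tuple


@dataclass
class Tasklet:
    """One fine-grained unit of work (assumed name). `step` performs a single
    processing step and returns its simulated cost in ticks; `budget` is the
    finite-time bound the step must respect; `period` re-arms the tasklet
    (0 = run once)."""
    name: str
    step: Callable[[], int]
    budget: int
    period: int = 0
    next_release: int = 0


@dataclass
class Executor:
    """Cooperative, non-preemptive executor driven by a simulated tick clock."""
    now: int = 0
    ready: Deque[Tasklet] = field(default_factory=deque)
    trace: List[Tuple[int, str]] = field(default_factory=list)   # (start tick, tasklet)
    overruns: List[str] = field(default_factory=list)            # budget violations

    def spawn(self, tasklet: Tasklet) -> None:
        self.ready.append(tasklet)

    def run(self, until: int) -> None:
        while self.now < until and self.ready:
            t = self.ready.popleft()
            if t.next_release > self.now:
                # Not due yet: put it back; if nothing is due, idle until the earliest release.
                self.ready.append(t)
                if all(x.next_release > self.now for x in self.ready):
                    self.now = min(x.next_release for x in self.ready)
                continue
            start = self.now
            cost = t.step()            # runs to completion: nothing can preempt it
            self.now += cost
            self.trace.append((start, t.name))
            if cost > t.budget:        # the finite-time promise was broken
                self.overruns.append(t.name)
            if t.period:
                t.next_release = start + t.period
                self.ready.append(t)


def demo() -> Executor:
    """Constructed scenario: two periodic tasklets and one run-once tasklet.
    The control tasklet deliberately exceeds its budget so the overrun is visible."""
    ex = Executor()
    ex.spawn(Tasklet("sensor", step=lambda: 2, budget=3, period=10))
    ex.spawn(Tasklet("control", step=lambda: 5, budget=4, period=10))
    ex.spawn(Tasklet("housekeeping", step=lambda: 1, budget=2))
    ex.run(until=30)
    return ex


if __name__ == "__main__":
    e = demo()
    print(e.trace)
    print("overruns:", e.overruns)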
In this work, we present a Large Language Model (LLM) designed for Automatic Program Repair (APR), using both source code and analysis results from the SonarQube static code analyser. Llama 3 (8B) was selected as the foundation model and fine-tuned with multiple datasets, including the CommitPack dataset, a SonarQube-generated dataset, and a synthetic dataset created with Llama 3 (70B). The fine-tuning process used techniques such as QLoRA and NEFTune to optimise training performance and reduce overfitting. Quantisation was also performed using the EETQ method to reduce memory requirements and improve inference efficiency. In addition, a targeted context-based refinement approach was applied to enable the model to address specific SonarQube rules efficiently by providing precise context for each detected error. This approach provides a robust framework for automatic code repair, allowing the automatic correction of a wide range of code errors detected by SonarQube.
The model was trained using datasets created from real-world C language projects adhering to the MISRA C:2012 standard, which is crucial for ensuring safety and quality in software written in this language. To generate these datasets, SonarQube was used to perform static code analysis, identifying specific errors in the projects. Subsequently, manual corrections made by the projects' developers were incorporated, allowing the model to learn how to apply MISRA rules more accurately and effectively. This training process was applied to significant projects such as CO2M, a key part of the Copernicus programme, with a particular focus on the ICU HDSW product and the boot software, both critical areas for system operation. Detailed manual evaluation of the results ensured that the model not only corrected errors automatically but also proved adaptable and reliable in various real-world scenarios, thus enhancing overall software quality and compliance with best coding practices. A GitLab CI/CD extension was created to run the repair pipelines in our CI/CD environment, yielding a code report for new code changes.
Software engineering processes define their verification and validation activities in terms of requirements and metrics for which methods and tools exist. This is also true for the most stringent software engineering and product assurance processes, such as those defined in ECSS-E-ST-40 and ECSS-Q-ST-80. For example, logical operations require many tests while arithmetic operations require few, the reason being that we have many tools and metrics for decision coverage but nothing beyond statement coverage for arithmetic operations. Analogously, the instructions in the executable object code receive the complete focus of the verification and validation requirements, while nothing is said explicitly about the data present in flight software.
This study assesses the different types of data that have implications for flight software, from an SRDB to the constants defined in the flight software source code, with a special focus on data that modify the behaviour of the flight software and therefore must have the same verification and validation level as software instructions, especially for Category A software. The guidelines produced, and the prototype tools developed to gather data coverage from tests and produce the corresponding evidence, shed light on this often neglected but fundamental part of the software we fly.
Title: Software Interlocks in the METASAT Project
Authors:
Eckart Göhler, Alfred Hönle; OHB System AG, Manfred-Fuchs-Str. 1, D-82234 Weßling, Germany
Leonidas Kosmidis; BSC, Calle Jordi Girona 31, 08034 Barcelona, Spain
In the space domain, the large number of requirements arising from the harsh environment, the unavailability of on-site repair and the drastic effects of failures typically impose high demands on the overall system, be it a satellite instrument or a life support module in crewed flight. The corresponding system development procedures and architectures may respond with different measures, such as development standards or redundant architectures. A special topic is the introduction of an interlock to prevent degradation or loss of an instrument.
In the METASAT project a solution to establish an interlock is being proposed by employing a dedicated software architecture on top of a Hypervisor. Additionally, we propose how this solution will scale with high-performance on-board data processing.
In general, separating the software into different partitions helps to reduce the V&V effort and to focus on the intended functionality. Furthermore, with the proposed solution the critical functionality in the interlock software partitions is kept simple, while the application software can be kept at medium criticality, lowering the burden of the V&V requirements.
Deep neural networks (DNNs) have been demonstrated to be valuable components for automating tasks that are difficult to program, such as computer vision tasks. Unfortunately, DNNs are not explainable by design, which makes testing the only viable way to gain confidence in their reliability.
This talk provides an overview of Test, Improve, Assure (TIA), an ESA activity that supports the development of trustworthy DNNs. We developed means to characterise failure scenarios, thus helping data analysts and engineers determine when DNNs may fail. Further, we developed means to combine evolutionary algorithms, simulators, and generative models to test DNNs more effectively than just by relying on test sets and improve DNNs with automatically generated training data.
Software has a prominent role in space systems; the success of space missions depends on the dependability of ground and flight software, but how can we systematically assess the quality of the test suites used to verify such software?
This talk provides an overview of the results achieved by the FAQAS-2 activity, which built an efficient toolset to go beyond structural coverage by measuring how a test suite detects faults that are automatically injected into the software under test. Leveraging technical developments in FAQAS-1, FAQAS-2 led to a methodology for the determination of test adequacy and the automated generation of the test cases required to achieve such adequacy.
Future space systems will heavily rely on autonomous Guidance, Navigation, and Control (GNC) functions to efficiently manage safe and precise self-directed operations in uncertain complex environments. Fundamentally, the GNC system plays a key role in mission performance and safety. Our current GNC systems are already highly automated and complex. The trend is for missions to become more ambitious and more diverse, thus the expectation is that the GNC systems for launch vehicles and space platforms will require even higher levels of performance and autonomous operation than previously encountered. Many future missions will have demanding new requirements for onboard autonomy, resiliency, reconfigurability, performance optimization, adaptation, and fault-tolerant operations. An Inter-Agency GNC V&V Working Group* has been investigating the advanced technologies, approaches, methodologies, tools, and processes that will be needed to efficiently perform the necessary V&V to ensure reliable and safe flight GNC system operation. Efficiency is critically important as it is well known that V&V is a cost driver in GNC system development process. In this ADCSS talk the findings and recommendations of the Inter-Agency GNC V&V Working Group will be summarized. The recent development of relevant benchmark problems will also be discussed. The benchmark problems are seen as a means to help bridge the gap between research organizations and industry counterparts, especially in the area of developing the new GNC V&V technologies. Lastly, the plans for a GNC V&V Workshop in July 2025 will be highlighted for the community. The purpose of this Workshop will be to identify and discuss the challenges and solutions for the new types of GNC V&V technologies, approaches, methodologies, tools, and processes needed to address the next generation of GNC systems for demanding aerospace mission applications. 
As will be discussed the primary Workshop objectives will be to raise awareness about GNC V&V challenges/issues within our community and to provide a forum for collaborative information sharing/learning on the topic of GNC V&V for future systems.
The Space Rider (SR) programme aims to provide Europe with a reusable system for routine access to low Earth orbit. A critical component of this programme is the Re-entry Module (RM), which consists of a lifting body that, starting from orbital coasting, performs a controlled hypersonic re-entry, transonic flight, and a final precision approach and landing under parafoil. The SR RM is being developed by Thales Alenia Space Italy for the European Space Agency. The re-entry GNC is based on the previous IXV mission, for which Sener Aerospace was responsible. In the Space Rider programme, Sener Aerospace is the design authority for the RM Guidance, Navigation and Control (GNC) algorithms and the developer of the new Parafoil GNC (PGNC).
The RM GNC module is currently in the middle of the formal verification process. This process includes three main Model In the Loop (MIL) campaigns and various flight tests. The MIL campaigns are executed on a validated Functional Engineering Simulator (FES) to cover different phases of the RM flight, from initialization to landing, and include failure injection scenarios to cover GNC-FDIR verification.
Further to that, a series of flight tests are planned to characterize the real dynamics of the system and test the PGNC algorithms in flight. These flights are organised in three campaigns with increasing representativity of the final system. They include a Scaled-Down Flight Test (SDFT) campaign using a modified 150-250 kg paramotor, a full-scale Drop Test (DT) campaign with a mock-up system that reproduces the real mass of the system, and a final System Drop Test (SysDT) using the complete flight model.
The SDFT campaign serves as a de-risking activity, allowing for multiple tests at a reduced cost and time. It aims to evaluate the dynamics of the parafoil-payload system, assess the PGNC performance, and test the system’s robustness against external perturbations.
The SDFT vehicle, internally referred to as Starling, is a commercial off-the-shelf (COTS) paramotor adapted to reproduce the dynamics of the full-scale system. The vehicle can take off from ground, perform a remotely controlled ascent, and conduct several tests during the descent phase in both manual and autonomous configurations.
This presentation will detail the comprehensive verification and validation process for the Space Rider RM GNC module, highlighting the critical steps taken to verify the Parafoil GNC algorithms and ensure the success of the Space Rider programme.
Ground-test facility for CubeSats attitude determination and control: the University of Bologna experience
Department of Industrial Engineering and Interdepartmental Centre for Industrial Research in Aerospace - Alma Mater Studiorum Università di Bologna, Via Fontanelle 40 47121 Forlì (Italy) e-mail: dario.modenini@unibo.it
With the rapid increase in the number of nanosatellites in orbit, there is growing interest in improving the reliability of these miniaturized platforms; the CubeSat standard, in particular, has gained significant popularity. However, some CubeSat missions experience failures or require extended commissioning phases to address issues with their attitude determination and control system (ADCS) in orbit. One potential solution is the establishment of a verification and validation facility that adheres to a ‘test-as-you-fly’ approach.
Since 2017, the u3S Laboratory at the University of Bologna has been working on the development of a facility for end-to-end testing of CubeSat-class attitude determination and control subsystems. At the heart of the facility, designed to test the ADCS of CubeSats ranging from 1U to 3U, is an articulated stand featuring a table-top air-bearing platform. This platform supports the mock-up under test and enables nearly frictionless rotational motion. The facility is further equipped with several key subsystems, including a Helmholtz cage for simulating the geomagnetic field, a Sun simulator, and a vision system for ground-truth attitude measurement. The testbed, originally conceived to serve both educational and research purposes, has been a useful source of hands-on projects for several undergraduate, graduate, and PhD students. Among its applications, it has been employed in a joint project with the STAR laboratory at the Politecnico di Torino to support the verification of their student team's CubeSat ADCS.
Thanks to a collaborative effort between the University of Bologna and its spin-off company, NautiluS - Navigation in Space Srl, the facility very recently underwent a major update under ESA funding. This MKII version improves on its predecessor in several respects, extending the range of testable CubeSat sizes up to 12U. The first model of the MKII ADCS testbed has just been installed at the AOCS Verification Laboratory in ESTEC.
The presentation will provide an overview of the development of the facility and of its current status, along with a description of some use cases.
CORTO: A Collaborative Rendering Library for Space Applications
The Celestial Objects Rendering Tool (CORTO) is an open-access, object-oriented Python repository that leverages Blender’s capabilities to synthetically generate large, annotated datasets for computer vision tasks. Designed with modularity and accessibility as core strengths, CORTO aims to facilitate collaboration among researchers in creating a reliable, easy-to-use image-label pair generator. Its primary goal is to simplify dataset generation, allowing image processing developers to focus on pipeline design, validation, verification, and testing rather than data creation. This is particularly valuable for optical navigation tasks, which involve complex, interdisciplinary pipelines that transform image data into relative pose solutions.
CORTO has been applied in two CubeSat missions, Milani and LUMIO. For Milani, it supported the validation and testing of image processing algorithms for the CubeSat's GNC subsystem, while for LUMIO, it tested a lunar limb-based navigation algorithm. CORTO was also utilized in the ASI/ESA projects DeepNav and StarNav to develop deep learning datasets and star tracker images for lunar and small body operations.
While CORTO currently supports scenarios involving minor bodies and the Moon, future updates will expand its capabilities to include other planetary phenomena and environments. The talk will be focused on the scenarios currently covered by the tool, namely, planetary exploration, small bodies, and artificial bodies.
Overview of testing and simulation capabilities of the EXTREMA Simulation Hub
The ERC-funded EXTREMA project aims to empower deep-space CubeSats with autonomous guidance, navigation, and control capabilities. To achieve this, EXTREMA is built on three foundational Pillars, designed to develop the algorithms needed to reach higher degrees of autonomy for cost-effective interplanetary probes.
The core of EXTREMA lies in the EXTREMA Simulation Hub (ESH), a distributed facility in which interplanetary transfers are simulated under a variable-acceleration paradigm. The ESH features an air-bearing attitude simulation platform dedicated to extended V&V activities for ADC systems and algorithms; a camera-in-the-loop optical facility to test navigation and image processing capabilities with accurate geometric and radiometric fidelity; and a thruster test bench, which is able to mimic the behaviour of continuous-thrust engines to test control boards and algorithms. All the facilities are interconnected through a dedicated sensing suite and a high-fidelity numerical propagator, whose task is to collect the physical states of the facilities and close the loop with the additional virtualised degrees of freedom. Finally, a monitoring and control unit enables supervision and simulation flow control.
While the ESH has been developed targeting deep space mission scenarios, it can be employed to test and characterize spacecraft systems dedicated to different scenarios, including star trackers, reaction wheels, power management systems, and on-board flight software. Future developments aim to integrate the ESH in existing CI/CD frameworks, enabling streamlined X-in-the-loop testing for a variety of applications.
Verification and validation of optical navigation algorithms and sensors in TRON
Hans Krüger, GNC Systems department, DLR Institute of Space Systems, Bremen
The Testbed for robotic optical navigation (TRON) is a Hardware-in-the-Loop Test (HiLT) facility for optical navigation technology. For imaging-based sensors TRON provides an environment that allows developing and qualifying such sensor hardware up to a TRL of 7. Typical devices tested in TRON are active and passive optical sensors like lidars and cameras. A common task for TRON is also to provide sensor data for the verification and validation of the algorithmic part of a future sensor.
Major components of the lab are a robot on a rail for dynamic positioning of the candidate sensor, a set of models of lunar terrain as sensor targets, a dynamic lighting system for defined illumination, and laser metrology equipment for high precision ground truth.
This presentation provides an overview of TRON’s building blocks, and how they work together. Examples will be presented to illustrate how the building blocks can be combined for different scenarios, such as imaging during the lunar descent orbit and lunar landing, or flash lidar characterization using geometric primitives.
A detailed example will demonstrate a generic task found often in the field of verification and validation of optical sensors. It is taking images of a terrain model from pre-defined poses, and providing ground truth for each image. The definition of ground truth will be discussed, as well as the process of determining it.
A preview of the upcoming verification of DLR’s crater navigation algorithm will highlight TRON’s relevance to current space missions.
Event-based sensor simulation for space applications in real-time
Manuel Sanchez Gestido (Guidance, Navigation and Control Section – ESTEC)
Vision-based framing sensors are well established in the space community as a critical component of guidance, navigation and control (GNC) systems for autonomous spacecraft navigation and landing. Event-based sensors, by contrast, detect changes in pixel intensity and so output an asynchronous stream of pixel events. Their unique properties (such as high temporal resolution, low latency (microseconds), and a much higher dynamic range than conventional cameras) offer advantages for space mission scenarios and navigation applications. To support developments in this area, a well-established real-time frame-based sensor simulator (PANGU) is being extended to simulate event-based data for a variety of space applications, with the simulated data evaluated against standard event-based calibration tools.
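The sentence "detect changes in pixel intensity and so output an asynchronous stream of pixel events" is the whole contract of an event-based sensor, and it is what a frame-based simulator has to reproduce. The following is an added example, not PANGU code or any ESA tool, of the usual frame-to-event model: each pixel keeps a reference log-intensity and emits one event per contrast-threshold step crossed, with positive or negative polarity, the reference then moving to the crossed level. The frame size, intensity values, threshold and timestamps are constructed for the example; real sensors also model per-pixel threshold noise and refractory periods, which are left out here.

```python
import math
from typing import List, Tuple

Event = Tuple[float, int, int, int]   # (timestamp, x, y, polarity +1/-1)


def frames_to_events(frames: List[List[List[float]]], timestamps: List[float],
                     threshold: float = 0.5) -> List[Event]:
    """Convert a sequence of intensity frames into a stream of pixel events.

    A pixel fires when its log-intensity moves more than `threshold` away from
    the per-pixel reference; one event is emitted per threshold step crossed,
    and the reference is advanced by the number of steps, as in common
    event-camera simulators."""
    h, w = len(frames[0]), len(frames[0][0])
    # Per-pixel reference log-intensity, initialised from the first frame.
    ref = [[math.log1p(frames[0][y][x]) for x in range(w)] for y in range(h)]
    events: List[Event] = []
    for t, frame in zip(timestamps[1:], frames[1:]):
        for y in range(h):
            for x in range(w):
                diff = math.log1p(frame[y][x]) - ref[y][x]
                n = int(abs(diff) / threshold + 1e-9)   # whole threshold steps crossed
                if n == 0:
                    continue
                pol = 1 if diff > 0 else -1
                events.extend([(t, x, y, pol)] * n)
                ref[y][x] += pol * n * threshold        # reference follows the crossings
    return events


def demo_events() -> List[Event]:
    """Constructed input: a 4x4 sensor watching a bright spot move one pixel
    to the right between two frames, 1 ms apart."""
    dark, bright = 10.0, 100.0
    blank = [[dark] * 4 for _ in range(4)]
    f1 = [row[:] for row in blank]
    f1[1][1] = bright                 # spot appears at x=1, y=1
    f2 = [row[:] for row in blank]
    f2[1][2] = bright                 # spot has moved to x=2, y=1
    return frames_to_events([blank, f1, f2], [0.0, 0.001, 0.002])


if __name__ == "__main__":
    for ev in demo_events():
        print(ev)
```

Static regions produce no events at all, which is the property that gives these sensors their low data rate and high dynamic range; a frame-based pipeline fed through this model immediately shows how much of a scene is actually carrying information.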
ADHA has finalised the first phase of its standardisation. The activity is now entering a new phase in which modules and units will be manufactured according to the standard and tested.
In this presentation, considerations from the LSI perspective will be shown. Some important changes to future satellite systems resulting from the standardisation are indicated, as well as challenges and opportunities for ADHA.
Furthermore the status of Airbus developments will be presented.
Mass Memory Units remain a key component of the data-handling infrastructure of modern EO satellites. The key benchmark figure for an MMU remains storage throughput. High-end missions using the highest-resolution optical sensor technologies, as well as optical terminals for downlink, push the limits to very high throughputs beyond 20 Gbps. Other missions, based on proven sensors and downlink channels, remain below this figure.
Within the ESA-led A3M study, DSI is consequently developing a new Solid State Mass Memory (SSMM), scalable in throughput (10 Gbps to 40 Gbps) and storage capacity (20 Tibit to 80 Tibit), as a set of ADHA modules. The unit consists of a master module distributing the load between up to four extension modules, while a single extension module can also be used stand-alone. In the presentation, DSI will present the current state of the project and provide insight into the foreseen architecture as well as the interface between the two types of module. For missions requiring storage throughput exceeding 40 Gbps, the presentation will give a quick glimpse of further activities addressing these highest-end missions.
EIDEL has developed solutions for harsh environments for almost 60 years, and its current product portfolio includes secure communication, encryption, remote crypto key management, remote radio control and secure telemetry solutions for defence and space applications.
Through ESA funding in the Norwegian AOS programme, EIDEL embarked in 2024 on building up the capability to act as a satellite prime, and is hence focusing on building an ecosystem of standardised modules and units. EIDEL's space product line-up is centred on the company's extensive heritage in developing secure solutions for classified systems and modules.
Under ESA Contract No. 4000128421/19/NL/GLC, EIDEL is developing a full set of SDLS-ready CCSDS USLP encoder/decoder IP cores, to be delivered to ESA at the final review at the end of October 2024. These IPs are intended to be implemented in ADHA-compliant hardware in a separate ESA project, with kick-off intended for Q4 2024 / Q1 2025. In addition, in another ESA project EIDEL is going to develop modules for an ADHA Payload Interface Control unit, which builds on heritage from the EIDEL payload control unit used on the Bartolomeo platform on the ISS.
In the advancing field of space computing, new challenges and opportunities emerge as missions demand higher performance and increased focus on cybersecurity. This presentation will provide an overview of the upcoming solutions from Frontgrade Gaisler, including two key components: the GR716B microcontroller and the GR765 microprocessor.
The GR716B, a radiation-hardened mixed-signal microcontroller, doubles the performance of the GR716A and widens the range of standard interfaces. Its versatility allows for applications in distributed control, bus bridging, DC/DC control, and FPGA supervision.
Building on the success of the GR740, the GR765 processor represents a major leap in performance for space-grade processors. Doubling the processor core count and increasing the operating frequency, the GR765 also introduces significant architectural improvements to meet the most advanced mission requirements. The processor also addresses critical cybersecurity concerns, with a focus on data integrity, trusted communication, and quantum-resistant technologies.
This presentation will outline the critical role of European sovereignty, the development of a strong supply chain, and the key technology domain lines. It will provide an updated status for 2024 and an overview of the contracts driving these initiatives. The presentation will emphasize the collaborative efforts between the European Space Agency, European Commission, and European Defense Agency, highlighting a proven track record of success. Specific attention will be given to Ultra-Deep Sub-Micron (UDSM) GSTP activities, foundation platforms, as well as the interface, and system-in-package technologies. Additionally, it will discuss the development plan for UDSM N7 technology, focusing on General-Purpose Processors (GPP), Field-Programmable Gate Arrays (FPGA), digital beamforming applications, and the associated IP building blocks for UDSM technologies.
As space missions evolve, security in embedded systems has become a critical aspect: not a tax to be paid to deploy secure solutions, but a necessity for protecting valuable assets and information, one that ultimately saves money by reducing or eliminating risk. Security at different levels of granularity and for different functions has to be integrated into both existing and new avionics architectures. This presentation outlines the challenges of embedding secure architectures in space avionics, highlighting the interplay between existing and emerging systems. From the architecture level to threat modelling, trust, and security policy frameworks, we explore solutions shaped by our experience in dedicated ESA projects on topics such as hardware security modules in satellite architectures, digital forensics, intrusion detection and recovery, a security CubeSat on-board laboratory and the SAVOIR security reference architecture, and of course our involvement in Galileo Control Centre security. Additionally, we present our work on cryptographic solutions, remote attestation, and secure boot mechanisms, emphasising the Agency's evolving role as a satellite owner and certifier.
Building trust in space-grade semiconductor architectures is essential because of the critical information they handle, their extensive supply chains, and their long product life cycles. Secure boot, that is, loading the operating system and other critical parameters in a trustworthy way, is the first step on the path to creating this trust. In today's landscape, where the development of quantum technology creates novel security threats, including Post-Quantum Cryptography (PQC) in the secure boot process is also critical.
In this presentation, we review how hardware-based cryptographic mechanisms can be used to secure the boot process of a computing platform. We show how the confidentiality, integrity, and authenticity of the boot process can be protected with post-quantum secure boot in space-grade infrastructures.
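The two abstracts above (embedding secure boot and attestation in avionics, and making the boot process post-quantum) describe a chain of checks without showing one. The following is an added example, not the speakers' or any vendor's code, of what a boot ROM verifies before jumping to a bootloader, with the signature provided by a hash-based scheme. A Lamport one-time signature is used because it needs nothing but SHA-256 and is quantum-resistant; it stands in for the stateful hash-based schemes (LMS/XMSS, NIST SP 800-208) or ML-DSA (FIPS 204) a real design would use, and it must never sign twice with one key. The fuse contents, manifest layout, image bytes and version numbers are constructed for the example; a real ROM would run the hash in a hardware engine, compare in constant time, and additionally decrypt the image for confidentiality, which this example does not cover.

```python
import hashlib
import os
import struct
from typing import List, Tuple

Pair = Tuple[bytes, bytes]


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=os.urandom) -> Tuple[List[Pair], List[Pair]]:
    """256 pairs of 32-byte secrets; the public key is the hash of each secret."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(digest: bytes):
    for i in range(256):
        yield (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk: List[Pair], msg: bytes) -> bytes:
    """Reveal one secret per bit of SHA-256(msg). ONE-TIME: never reuse sk."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(H(msg))))


def lamport_verify(pk: List[Pair], msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    return all(H(sig[32 * i:32 * i + 32]) == pk[i][bit]
               for i, bit in enumerate(_bits(H(msg))))


def pk_fingerprint(pk: List[Pair]) -> bytes:
    """What the ROM/OTP fuses hold (assumed layout): a hash of the public key,
    so the key itself can live in mutable flash next to the image."""
    return H(b"".join(a + b for a, b in pk))


def make_manifest(version: int, image: bytes) -> bytes:
    """Assumed manifest layout: big-endian 32-bit version || SHA-256(image)."""
    return struct.pack(">I", version) + H(image)


def secure_boot(fuse_pk_hash: bytes, fuse_min_version: int, pk: List[Pair],
                manifest: bytes, sig: bytes, image: bytes) -> Tuple[bool, str]:
    """The ROM's decision: trust anchor, authenticity, anti-rollback, integrity."""
    if pk_fingerprint(pk) != fuse_pk_hash:
        return False, "untrusted public key"
    if not lamport_verify(pk, manifest, sig):
        return False, "bad signature"
    version, = struct.unpack(">I", manifest[:4])
    if version < fuse_min_version:            # monotonic counter in fuses
        return False, "rollback"
    if H(image) != manifest[4:]:              # image measured after the manifest is trusted
        return False, "image hash mismatch"
    return True, "boot"


def demo() -> dict:
    """Constructed boot scenarios: one good image and four attacks a ROM must refuse."""
    sk, pk = lamport_keygen()
    _, other_pk = lamport_keygen()            # attacker's key, not provisioned in fuses
    fuse = pk_fingerprint(pk)
    image = b"constructed bootloader image " * 64
    manifest = make_manifest(3, image)
    sig = lamport_sign(sk, manifest)          # the single signature this key ever makes
    return {
        "good": secure_boot(fuse, 1, pk, manifest, sig, image),
        "tampered_image": secure_boot(fuse, 1, pk, manifest, sig, image[:-1] + b"!"),
        "tampered_manifest": secure_boot(fuse, 1, pk, make_manifest(4, image), sig, image),
        "rollback": secure_boot(fuse, 5, pk, manifest, sig, image),
        "wrong_key": secure_boot(fuse, 1, other_pk, manifest, sig, image),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

The order of the checks matters: the public key is bound to the fuses before anything it signs is believed, the manifest is authenticated before its version or image hash is read, and the version check precedes the image check so that a signed-but-old manifest cannot be used to reintroduce a vulnerable image. Everything after the ROM (bootloader, OS, parameters) repeats the same pattern with the next key in the chain, and the same measurements can later be reported to a verifier for remote attestation.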
More and more security is required in space systems, across a wide range of applications, to deal with a broad scope of threats and weaknesses.
Electronic components are widely used in other industry domains to provide authentication, integrity and confidentiality functions that improve the overall performance and security of the system.
Microchip will go through all types of security features and components available to the space industry today and tomorrow.
From FPGAs to different kinds of processors and secure elements, Microchip can provide a broad range of solutions for security functions.
NanoXplore leads Europe in the design and development of SoC FPGAs made for harsh environment applications including Space and Avionics.
Nowadays, in all domains including space, there is an expectation of a solution that meets security requirements by at least securing the bitstream and controlling the lifecycle of the device. Attackers have many motivations to recover and manipulate the bitstream, including design cloning or manipulation and IP theft.
For this reason, bitstream encryption has been introduced in the ULTRA family. During this session, we will present NanoXplore's solutions and their key differentiators, with a focus on the latest ULTRA300 FPGA, which includes dedicated security features.