Scope & Topics

Day 1 (25/10/2011) 09:00-18:00

Space Avionics Open Interface Architecture

From Concept to Implementation


Scope
 
SAVOIR is an undertaking led by European space agencies and industries that aims to promote space avionics based on open interfaces. In its first phase, SAVOIR federated the space avionics community around the concepts of reference architectures, standard interfaces, and generic specifications. Reference architectures make it possible to define a domain of reuse and facilitate the identification of building blocks. Generic specifications enable the harmonisation of procurements made by Agencies and System Integrators. Interface standards are intended to ease systems integration and to maximise reuse. All these elements are expected to favour the existence of compatible supplier product lines. The major outcomes of the initial phase are R&D roadmaps and a prioritised list of building blocks.
The second phase of SAVOIR started in January 2011. The project plan includes the refinement of reference architectures, the elaboration of a product portfolio, and the production of two sets of generic specifications covering on-board computer (OBC) and data concentrator (RTU) functions. The portfolio also includes many items related to architectures, communication protocols, data handling services, software libraries, sensors and actuators, together with underlying enabling technologies. Each item could lead to a generic specification, validation through prototyping and eventually product(s) with an attached availability date for a given Technology Readiness Level [TRL].
The maturity and completeness of the SAVOIR concept will be assessed by building lab demonstrators integrating a consistent set of items. The selection criteria for those items will be driven by their maturity at a given date, with the particular goal of demonstrating their readiness for project use.
The end users of the SAVOIR output are projects, which in general aim to minimise costs via reuse but may also see avionics and software as a risk, often part of the development critical path. Representatives of ESA and Industry projects, such as project managers and system engineers, will be invited to give their views on the initiative and on how to maximize its usability in real applications.

Topics

Invited participants will contribute with briefings and position papers coordinated by convenors covering the following topics:
• SAVOIR introduction and status.
• R&D roadmap, portfolio, schedule
• SAVOIR outputs (Reference architecture, generic specification, interface specification)
• Demonstrators
The status presentation and position papers will be an input to the round table discussion around the following topics:
• How to maximize SAVOIR benefits:
• Does the SAVOIR initiative address the needs of the projects?
• What are the steps to take to secure the transfer into projects?
• Which level of applicability shall the specifications produced by SAVOIR have within projects?
• How to define and measure “SAVOIR compliance”?
• etc.

Conveners: Kjeld Hjortnaes (ESTEC/TEC-SW), Philippe Armbruster (ESTEC/TEC-ED), Alain Benoit (ESTEC/TEC-EC), Juan Miro (ESOC/HSO-G), Jacques Busseuil (TAS), Thierry Duhamel (Astrium)
Coordinator: Jean-Loup Terraillon, jean-loup.terraillon@esa.int

 
Day 2 (26/10/2011) 09:00-13:00

Failure Detection, Isolation and Recovery:
Issues and Trends


Background

Achieving mission objectives and ultimate mission success depends on the space system’s resilience, survivability, ability to sustain continued operation, reliability, and availability, according to the mission type and priorities, operations profile, and operational context. The On-Board Failure Detection, Isolation and Recovery (FDIR) system, represented in the various system elements (e.g. Software, Avionics, AOCS, Equipment), is a critical element for successful mission execution.
 
Current FDIR development practices suffer from a discontinuity between the Software and System (Hardware) RAMS activities, as representative System/Hardware data (e.g. FMEA/FMECA, FTA) becomes available late in the process, when Software and Hardware Development is well under way. Therefore only the most general System-level RAMS requirements are considered in the Development Process. This poses a challenge for FDIR specification and development, which rely on concrete system-level input, and has a detrimental effect on the eventual FDIR maturity. Changes in subsystem design, fault modes, and possible fault combinations and scenarios hamper the process of achieving a stable FDIR design.
 
Today’s challenges include, among others, mismatches between the FDIR concept, architecture, design solution, mission requirements, operational context and scope. FDIR development generally lacks a systematic approach in which FDIR is part of the core architectural concept rather than an add-on to the nominal spacecraft capabilities, eventually leading to an unjustified increase in FDIR complexity.
 
Within the global Mission and System scope, FDIR shall be seen as a core part of the overall Space System Fault and Anomaly Management capability, which is distributed across the flight and ground subsystems, addresses Faults and Anomalies pertaining to the Space System as a whole, and provides the mitigation means through cooperative design of the Spacecraft, Ground Segment, and Mission Operations.
 
Objective
 
The round table is to evaluate the issues, shortcomings, and challenges of the current FDIR Development and V&V practices and the state-of-the-art approaches offering effective solutions, including:
 
• Summarising the main issues and challenges of engineering and deployment of the FDIR systems (technical, programmatic, technological, processes, project organisation and reviews);
• Addressing the operational scope and goals of FDIR within the projects (e.g. limiting FDIR design to the necessary complexity as required by mission specific goals, fault tolerance and risk posture);
• Addressing the issues and challenges in the present and future missions;
• Addressing the variability of FDIR specifications for similar missions and their impact on the avionics;
• Assessing the impact of emerging techniques and technologies in the DHS, AOCS and SW domains (e.g. highly integrated systems, advanced FDIR algorithms, …);
• Assessing the existing sets of requirements and processes within the ECSS standards scope, the generic specifications to be elaborated, and their impact on HW/SW architecture and functional modes.
 
Organisation

Industry, Agencies and academia are invited to propose short contributions for the session, addressing (some of) the topics listed under the objectives above.
 
A short abstract of the presentation shall be submitted before September 16th, 2011 to the round table coordinator.
 
The round table will include the accepted position presentations and an open discussion with the audience, addressing:
• positioning and role of the FDIR development in the Project lifecycle
• industrial strategy
• R&D plans
• customer requirements versus design implementation.
 
Convenors: Alain Benoit (TEC-EC), Maria Hernek (TEC-SWS), Chris Taylor (TEC-EDS), Andrei Oganessian (TEC-SWS).
 
Coordinator: Andrei Oganessian, Andrei.oganessian@esa.int

 
Day 2 (26/10/2011) 14:00-18:00

Model-Based Avionics Verification & Validation

Background
During ADCSS 2010, a session was held addressing “New Approaches for Verification and Validation of Avionics”. During that session it was generally recognised that there is a benefit in advancing (system) test activities by using (software) models in a test bench to temporarily replace missing HW units. This makes it possible to test the overall avionics system in context, represented by the HW units, simulation models and on-board SW. Apart from advancing activities, it also provides additional flexibility.
Models can also be unavoidable for engineering and validation activities when the increased complexity of our systems renders other approaches ineffective or the “real world” context cannot be created on ground.
 
The right balance between models and real HW along the DDV cycle has yet to be defined, considering de-risking aspects (which call for an early proof-of-concept approach), objectives, schedule and costs.
 
The right usage of a model requires knowledge of its applicability and its objectives. Calibration with test or in-flight results is essential to characterize the actual performance in order to better reflect reality.
 
It has been highlighted that the meaning of the term “model” strongly depends on people and domains. A standard terminology does not yet exist. Although some progress is being made (e.g. the technical memorandum ECSS-TM-10-21, or the AOCS standard under preparation), it remains essential to involve the different domains in the definition of the terminology.
 
Scope

Focussing on the notion of models, it is important to reach agreement on what we understand by the term “model-based verification”. As this is a term coming from the SW domain, its definition has to be revisited in the context of avionics verification and validation. In the SW domain, formal methods can be used to ensure that verification at model stage maintains its validity for the SW system, since (in a certain context) model transformations can be ensured to maintain the semantics and context. This is not necessarily true for avionics models, and the verification logic and corresponding plans need to reflect this to ensure that the verification flow clearly includes the switch from SW model to HW for all system elements.
 
Verification at avionics level (either model-based or with HW-in-the-loop) is highly dependent on the system-level design properties. It is important to ensure consistent access to and management of this data for the verification process. Point-to-point solutions exist today, but are usually not entirely managed through the system engineering function. We want to identify these properties and their function in the verification process.
 
Organisation
Industry and organisations are invited to propose short contributions (3 to 5 slides) for the session, addressing the topics listed above with a view to answering the following questions:
 
1. What model-types are involved in the avionics verification and validation?
2. What is the impact on validation plans by the formal introduction of models? How is the traceability of different models and their relations throughout the verification process ensured today?
3. Which system properties (data) are required for the avionics V&V process and what function do they have? How is this handled today?
4. How are the models validated with respect to a domain of applicability and maintained throughout the avionics lifecycle?
 
A short abstract of the presentation shall be submitted before September 16th, 2011 to the round table coordinator. On that basis, a plenary discussion will be moderated.
 
Convenors: J. Fuchs (TEC-SWM), Jean-Pascal Lejault (TEC-ECC), Thierry Duhamel (Astrium), Giorgio Magistrati (TEC-EDD), Guillermo Ortega (TEC-ECN)

Coordinator: J. Fuchs (TEC-SWM), Joachim.fuchs@esa.int
 

Day 3 (Thursday 27/10/2011) 09:00-16:00

Multi-Core Processors for Space Applications

Scope

The advent of multi-core technology in embedded processors boosts computational power for space applications while reducing power consumption, thermal imbalance, as well as storage volume and harness.
 
Following the space industries' needs expressed in the round tables of 2006 and 2007, ESA pursued the road of multi-core architectures: they enable the execution of more complex control algorithms and open the door to a higher degree of autonomy on-board, but they also shake the foundations of the traditionally used programming models, introducing the notions of concurrency, resource sharing and synchronisation.
As such, the introduction of multi-core technology in the future on-board computers requires new software solutions and software design methods.
 
The objective of this session is to present the current status of multi-core solutions for space applications, concerning both the hardware and software aspects, and to start a debate focused on the definition of the requirements for multi-core processor usage. The discussion should converge on identifying solutions to implement future platform and payload software applications on multi-core computers.
Advanced research on the characterisation of the worst case execution time (WCET) of hard real-time multi-core systems, carried out in the frame of FP7 projects, will also be presented.
 
Topics
Briefings and position presentations, selected by appointment, will cover the following topics:
- The ESA Next Generation MicroProcessor (NGMP) and other multi-core architectures
- Operating Systems and IMA (Integrated Modular Avionics) for multi-core
- Benchmarks
- Predictability in multi-core computers
- Use cases of multi-core technology in space applications
 
Organisation
 
The session will conclude with a round table centred on the questions listed below and the position presentations.
 
Open questions
- Selection of operating system(s)
- SW deployment and design model
- Selection of the programming language(s)
- Selection of the reference benchmarks
- Open source development?
- Predictability vs performance
- Selection of debugging and performance evaluation facilities (HW and SW)
- Simulator(s)
- How to deploy legacy SW on multi-core
- What is the most suitable application class for NGMP?
- Is the multi-core an enabling technology for space?
- Can the intrinsic redundancy of multi-cores be used to increase the processor’s reliability and availability?
 
Convenors: Luca Fossati (TEC-EDM), Guillermo Ortega (TEC-ECN), Roland Weigand (TEC-EDM), Marco Zulianello (TEC-SWE), Felice Torelli (TEC-SWS), James Windsor (TEC-SWS), Giorgio Magistrati (TEC-ED)
 
Coordinator: Luca Fossati (TEC-EDM), Luca.fossati@esa.int