V&V of COTS RTOS for Space Flight Projects
The 1st Annual NASA Office of Safety and Mission Assurance (OSMA) Software Assurance Symposium (SAS)
Michael Rahmatipour, MSFC
Contact Information: MSFC Avionics Department, Flight Software Group (ED14), 256-544-5115, Michael.H.Rahmatipour@msfc.nasa.gov
Goal of V&V of COTS RTOS Center Initiative
• The main goal is to perform V&V of the RTOSs used in critical flight applications, in the following steps:
• Evaluate the amount of software testing performed by vendors of COTS RTOSs.
• Develop a set of generic test requirements for embedded flight real-time operating systems.
• Develop a test plan and approach to perform V&V on candidate operating systems against the above generic requirements.
• Develop test software and test procedures to implement the verification plan.
Purpose of the V&V of COTS RTOS Center Initiative
• Multiple space-related programs currently use commercial off-the-shelf (COTS) real-time operating systems (RTOSs) as part of the NASA goal to reduce software development time and cost.
• Recent high-profile NASA mission failures have underscored the need for highly reliable software.
• An internal NASA audit showed a need for verification and validation (V&V)/certification tests of the COTS RTOSs used.
• These operating systems should be tested to the same confidence level as flight-critical software applications.
Current Embedded OS Usage
EE Times conducted a series of surveys over the years on the operating systems used by its readers.
[Bar chart: percentage of survey respondents using each operating system (Proprietary, VxWorks, pSOS, C Executive, QNX, VRTX, LynxOS, OS-9, Nucleus, RTEK, RTXC, iRMX, Windows CE), one bar per survey year 1996 through 1999; horizontal axis 0% to 60%]
Source: EETimes 1996-1999 Embedded Systems Study
V&V of COTS RTOS Center Initiative Products and Status
• Completed deliverables
– White paper on current practices for vendor V&V of commercial operating systems.
– Software Requirements Specification for a Reusable Realtime Operating System for Embedded Systems.
– Software Requirements Specification for the VxWorks RTOS for Embedded Systems.
– Plan and Approach for V&V of the VxWorks Realtime Operating System.
– Plan for Verification of the VxWorks Realtime Operating System.
V&V of COTS RTOS Center Initiative Products and Status
• Products in development
– VxWorks RTOS test procedures and test reports
  • MSFC is developing the test software and procedures to verify the Software Requirements Specification for the VxWorks RTOS for Embedded Systems.
  • There are 157 requirements, organized in 28 test cases.
– Final Software Requirements Specification for the VxWorks RTOS for Embedded Systems
V&V of COTS RTOS Center Initiative Test Case Status
VxWorks Verification Test Cases
Verification by Software Execution

Case #  Case Title                                      # of Requirements
1       Serial Communication Driver                     20
2       Logging                                          4
3       Semaphores                                       1
4       Task Scheduling                                  2
5       Task Services                                    4
6       Timers                                           4
7       Critical Sections                                1
8       Interrupts                                       5
9       Memory Pool                                      3
10      Shared Memory                                    1
11      Message Queues                                   2
12      Error Reporting                                  1
13      Watchdog Timer                                   1
14      Priority Inversion                               4
15      RAM File System                                  1
16      Raw File System                                  1
17      DOS File System                                  3
18      Patching                                         1
19      Background Memory Scrubbing/Health Monitoring    1
20      Clock Configuration                              2
21      Child Task Crashes                               1
22      UDP/IP Sockets                                   3
23      TCP/IP Sockets                                   3
24      Add/Replace System Services                      2
25      Load/Unload Resource Allocation                  7
26      VxWorks ROM Image                                1
27      VxWorks Restart                                  2
28      VxWorks User Restart Services                    1

Status columns (Test Code / Test Procedure / Verification by Software Execution), values as given on the slide: Completed, Completed, Completed, Completed, Completed, Yes, Yes, In Work, In Work, No, Completed, Completed, Yes, Completed, Completed, Yes
Programs Currently Using VxWorks Operating System at MSFC
Program: V&V of VxWorks OS; Marshall Center-1 (MC-1); Propulsion System Controller (PSC); Urine Processor Assembly (UPA); Material Science Research Rack (MSRR); X-37
VxWorks Version (as listed): 5.3.1, 5.3.1, 5.4, 5.3.1, 5.1
Board/Proc. Type (as listed): PPC2-603e, PPC2-603e, 6000
Manufacturer (as listed): Radstone, Radstone, Radstone
BSP Version (as listed): 1.0, 1.1, 1.1, 1.1
V&V of COTS RTOS Center Initiative Summary
• There are many good packages available as real-time kernels.
• The level of effort required by end users to verify, validate or certify an RTOS depends heavily on the processor board, the contents of the software executable, the development and source code documentation (including requirements), and the tools available for verification.
• Any V&V/certification effort is valid for the tested configuration only. Any update to the processor board, peripherals, RTOS, etc. will necessitate a re-verification.
• An important consideration in choosing a COTS RTOS for a safety-critical application is the degree of support the vendor will provide for a verification effort.