OrbitalHub

The place where space exploration, science, and engineering meet


 

Credits: NASA

 

Software is a key component of present-day aerospace systems. Increased reliability is required from operating systems that host critical software applications.

 

Wind River’s VxWorks is a real-time operating system that is widely used in the aerospace industry. Missions using VxWorks include the Mars Reconnaissance Orbiter, the Phoenix Mars Lander, the Deep Impact space probe, Spirit and Opportunity Mars Exploration Rovers, and Stardust.

 

Mike Deliman, Senior Engineering Specialist at Wind River Systems, answered a few questions related to the new VxWorks MILS Platform 2.0.

 

DJ: What is VxWorks MILS Platform 2.0?
Mike Deliman: VxWorks MILS Platform 2.0 is a platform for creating systems that are evaluatable to high levels of the Common Criteria / Evaluated Assurance Level scale. VxWorks MILS 2.0 separation kernel is currently under evaluation by NIAP labs to an EAL 6+ level. The VxWorks MILS 2.0 Platform contains a separation kernel and technology to allow you to create multi-partitioned software systems where each partition can be evaluated to handle multiple independent levels of security (MILS) or to handle multiple levels of security (MLS). The long-and-short of it is similar to a VxWorks 653 flight OS, you can use a VxWorks MILS 2 platform to design a single platform that is capable of replacing multiple legacy systems. In other words, like a VxWorks 653 flight system, you can create a single modern system to replace multiple legacy systems, reducing Space, Weight and Power (SWaP) requirements.

 

DJ: What is a separation kernel and how did the concept make its way into software development for the aerospace industry?
M.D.: Separation Kernels allow you to take a single modern high-powered CPU and use it to replace several legacy systems. There are many examples of separation kernels and paradigms for their use. ARINC 653 defines a time and memory-space partitioning paradigm, services, and an API that must be provided (the Application Executive, or APEX). We have a platform – VxWorks 653 – that implements the ARINC 653 APEX separation and API. Separation Technologies are becoming quite popular, many are called “Hypervisors”. There are many Hypervisors out in cyberspace, the “Type 1” Hypervisors can all be thought of as forms of separation kernels. The Aerospace industry is a prime target for separation technologies because of the need to reduce the “SWaP” factors.

 

DJ: How does the VxWorks MILS separation kernel improve the reliability of aerospace applications?
M.D.: The VxWorks MILS separation kernel could be used to allow a single satellite to fulfill multiple missions. For instance, there may be a number of sensors and experiments on board, some for civilian / educational interests, some for NASA, some for research entities, perhaps some for the USAF. A MILS kernel could be used to collect, encode, and steer data safely, providing assurance that the data will not be mixed until it is in a state deemed “safe” for mixing. A satellite running a MILS separation kernel to handle such data wrangling could combine and satisfy multiple mission masters. If I were to be asked to design such a system, I would most likely recommend a flight computer separate from the science computer. Even if the science and flight SW were to share a single CPU, the separation technology would help ensure that no problems on any science application could affect any of the other science applications or any flight applications. In this way the flight system would be protected from anomalous events in the science packages, and the overall system would benefit from improved reliability.

 

DJ: John Rushby introduced the concept of separation kernel in order to provide multilevel secure operation on general-purpose multi-user systems. Do software applications developed for the aerospace industry (and I have in mind software running on micro-controllers) have the level of complexity that would require a separation kernel?
M.D.: Concentrating on the micro-controller aspect, no, most single (federated) systems running one micro-controller (or even several) do not even need a 32-bit processor dedicated to their operation. However, with a proper separation kernel and time-sliced architecture, you could use one modern high-speed 32-bit CPU to control and monitor a large number of smaller systems, and ensure any faults occurring on those control-and-monitor loops are contained. And as noted above, in a system used to satisfy requirements of multiple masters (agencies), MILS-style data separation may be the only way to keep satellite weight within limits and provide the information assurance the agencies require.

 

DJ: What features make the VxWorks operating system reliable and secure?
M.D.: Focusing on the VxWorks family of operating systems and the VxWorks OS API, VxWorks has been used in millions of devices over more than two decades of service, in applications as simple as MP3 players and as complex as autonomous space exploring robots, and as life-critical as telerobotic surgeons. There is no way a software company could anticipate the wide range of use that our customers have dreamed up and implemented. The VxWorks family of OSes share a common ancestry of code and all can benefit from bugs discovered and fixed in any of the family line.
 
Focusing on the VxWorks MILS platform, the separation kernel was designed expressly in compliance with the SKPP (the Protection Profile for separation kernels), with a focus on controlling embedded applications that require some degree of real-time control.

 

DJ: What are the features that make VxWorks a real-time operating system?
M.D.: Determinism is king in the real-time world. The ability to react to events in the real world with a high degree of determinism is what gives VxWorks its hard real-time responsiveness. This hard-determinism is carried over into all of the VxWorks family line, including our separation kernels and VxWorks SMP.

 

DJ: What toolchain is shipped with VxWorks? What programming languages are supported by the toolchain?
M.D.: Depending on the VxWorks package, one or more toolchains may be supplied and supported. For the most part, various versions of the Wind River Compiler (formerly “Diab”), and various versions of the GNU tools are supplied / supported with VxWorks. For the VxWorks MILS 2 platform we use a couple of versions of the GNU tool chains, specially modified for the parts they are used to build.

 

DJ: What hardware is targeted by the platform? Is an actual board necessary for development of applications or is an emulated target environment available for software engineers?
M.D.: Specifically, chips we are targeting include the following:
– Freescale 8641D (CW VPX6-165)
– Freescale 8548 (Wind River SBC8548)
– Intel Core 2 Duo (Supermicro C2SBC-Q)
– Freescale P2020, P1011, P4080 (future)
– Intel Atom, Nehalem (future)
We currently support Simics as the only simulation environment available for the VxWorks MILS platform.

 

Wind River Systems was founded in Berkeley, California in 1981. Intel bought Wind River Systems for a reported $884 million in July 2009. VxWorks real-time operating system is one of the Wind River flagship products.

 

02-17-09

Dawn and the Flyby of Mars


 

Credits: NASA/JPL

 

The Dawn spacecraft is currently performing the Mars flyby phase of its mission. The purpose of the Mars flyby is to alter the trajectory of the spacecraft in order to rendezvous with its first scientific target in the main asteroid belt.

 

The spacecraft will come within 549 km of the surface of Mars on February 17, 2009, at 4:28 PST.

 

 

The flyby is a gravity assist maneuver used in orbital mechanics to alter the trajectory of a spacecraft. The gravity assist is also known as a gravitational slingshot. The first ever gravity assist maneuver was performed by Mariner 10 in February 1974, and most of the interplanetary missions have made use of it since then.

 

The scientific objective of the Dawn mission is to answer important questions about the origin and the evolution of our solar system. The currently accepted theory about the formation of our solar system states that Jupiter’s gravity interfered with the accretion process, thereby preventing a planet from forming in the region between Jupiter and Mars. This led to the formation of the asteroid belt.

 

The asteroids chosen as scientific targets for the Dawn mission are Vesta and Ceres. Due to their size, they have survived the collisional phase, and it is believed that they have preserved the physical and chemical conditions of the early solar system. The asteroids have followed different evolutionary paths and have dissimilar characteristics, which makes them perfect research subjects.

 

Credits: NASA/JPL

 

The design of the Dawn spacecraft is based on Orbital’s STAR-2 series and uses flight-proven components from other Orbital and JPL spacecraft: a propulsion system based on the design used on Deep Space 1, the attitude control system used on Orbview, a hydrazine-based reaction control system used on the Indostar spacecraft, and command and data handling, as well as flight software, from the Orbview program.

 

The core structure of the spacecraft is a graphite composite cylinder, while the panels are aluminum core with aluminum/composite face sheets.

 

 

The central cylinder hosts the hydrazine and xenon tanks. The hydrazine tank can store 45 kg of fuel, while the xenon tank has a capacity of 450 kg.

 

The attitude control system (ACS) uses star trackers to estimate attitudes in cruise mode. A coarse Sun sensor (CSS) allows ACS to keep the solar panels normal to the Sun-spacecraft line. ACS also uses the hydrazine-based reaction control system for the control of attitude and for desaturation of the reaction wheels.

 

Credits: NASA/George Shelton

 

The solar panels are capable of producing more than 10 kW at 1 AU and 1 kW at 3 AU (on Ceres’ orbit).

 

The command and data handling system (CDHS) is based on a RAD6000 board running VxWorks. The software is written in C. There are 8 GB available on the board as storage for engineering and scientific data.

 

 

The scientific payload consists of the Framing Camera (FC), the Gamma Ray and Neutron Detector (GRaND), and the visible and infrared (VIR) mapping spectrometer.

 

The FC will be used for determining the bulk density and the gravity field, for obtaining images of the surface, and for compiling topographic maps of Vesta and Ceres. In addition, the FC will capture images for optical navigation in the proximity of the asteroids. For reliability purposes, the payload includes two identical cameras that can run independently.

 

GRaND will serve for the determination of the elemental composition of the asteroids. GRaND is the result of the expertise accumulated during the Lunar Prospector and Mars Odyssey programs.

 

Credits: NASA/Jack Pfaller

 

VIR will help map the surface mineralogy of the asteroids. The instrument is a modified version of the visible and infrared spectrometer flying on the Rosetta mission.

 

The Dawn spacecraft uses ion propulsion to make its journey to Vesta and Ceres. Ion propulsion will also be used by Dawn during the low altitude flights over the asteroids.

 

 

While the fact that Dawn’s engines have a thrust of only 90 mN can hardly impress a reader, the important detail to mention when discussing propulsion systems is the specific impulse. Dawn’s engines have a specific impulse of 3100 s. For a chemical rocket, the specific impulse ranges from 250 s for solid rockets to 450 s for bipropellant liquid rockets. The only drawback (if this can be regarded as a drawback) is that the ion engines must be fired for much longer in order to achieve an equivalent trajectory.

 

With such high specific impulse engines, Dawn makes use of the fuel onboard in a very efficient way. The fuel used is xenon, a heavy noble gas placed in group 8A of the periodic table. The power produced by the large solar panels is used to ionize the fuel and then accelerate it with an electric field between two grids. In order to maintain a neutral plasma, electrons are injected into the beam after acceleration.

 

Credits: NASA/Amanda Diller

 

Dawn was launched from Cape Canaveral Air Force Station and injected on an interplanetary trajectory by a Delta II launch vehicle.

 

The main contributors to the Dawn mission are the University of California in Los Angeles (science lead, science operations, data products, archiving, and analysis), the Jet Propulsion Laboratory (project management, systems engineering, mission assurance, payload, navigation, mission operations, level zero data), and the Orbital Sciences Corporation (spacecraft design and fabrication, quality assurance, and payload integration).

 

The scientific payload was provided by the Los Alamos National Laboratory, the German Aerospace Center, the Max Planck Institute, and the Italian Aerospace Center. The Deep Space Network is responsible for data return from the spacecraft.

 

 

For more information about Dawn, you can visit the Dawn Mission Home Page on the JPL web site.

 
