

# WHY DO WE HAVE TO PREPARE A SOFTWARE SCHEDULABILITY ANALYSIS?

SOFTWARE PRODUCT ASSURANCE WORKSHOP 2023, ESAC, SPAIN
ANDREAS WORTMANN, 25-28.09.2023

## **AGENDA**

# OHB

#### WHY DO WE HAVE TO PREPARE A SOFTWARE SCHEDULABILITY ANALYSIS?

- INTRODUCTION
  - What is a Schedulability Analysis?
- QUICK OVERVIEW
  - Preconditions: Requirements, Software Architecture
  - The Analyses: Essential Steps, Methods, Tools
- THEORY AND PRACTICE
  - Lessons Learned
  - Technical and Process specific Considerations
- BENEFITS
  - Proof of timing constraints and requirements
  - Incidental Catch

## WHAT IS A SCHEDULABILITY ANALYSIS?

# OHB

#### **INTRODUCTION**

- Focus on Onboard Flight Software (FSW, OBSW, SCSW, ICSW ...)
  - Software subsystems and central software item that glues together subsystems (hardware and software)
  - Control loops, including Attitude and Orbit Control Thermal Control
  - Telecommand and Telemetry Interfaces: Full commandability and visibility
  - Robustness and Reliability: FDIR and redundancy
  - Payload operation (very specific needs)
- Real-time needs & Timing requirements
  - Hardware access
  - Control algorithms
- Schedulability Analysis focuses on the (non-functional) timing aspects of the software (or entire systems)
  - increase confidence in correct timing
  - formally proof certain aspects correct under all circumstances
  - SA is required for flight software qualification by the [ECSS-E-40-1]



## WHAT IS A SCHEDULABILITY ANALYSIS?

# OHB

#### INTRODUCTION

- Hard deadline violation: loss of system integrity
  - "The s/w shall retrieve a data packet from the input buffer within 100ms after reception."
  - "The AOCS loop including the data acquisition and equipment commanding shall be executed at a period of 1Hz"
  - → crucial deadline, a violation might have serious impact
    - Loss of data or invalid calculation results
  - In general these requirements are also tight (small timing window for execution)
- **Soft** deadline violation: loss of performance but does not harm the system stability and safety
  - "The Telecommand TC(154,3) shall switch on the gyro within 10 seconds.
     Note: An additional delay of up to 5 seconds is tolerated."
  - → soft deadline can be missed without seriously compromising the system
    - some minor things might be effected
       (user interaction slow, limited data rate ...)
  - In general these requirements are also relaxed (large timing window for execution)



hard real-time

soft real-time

## PRECONDITION: REQUIREMENTS



**QUICK OVERVIEW** 

Precondition: Timing Requirements must be identified and characterized!

Timing requirements are extracted from Device manuals, user expectation, engaged algorithms

Decomposition of System according to temporal needs

- Periodic
- Aperiodic
- Hard
- Soft

| Temporal Characteristics |                                                                          |                                                                                                                                                                       |
|--------------------------|--------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                          | Aperiodic                                                                | Periodic                                                                                                                                                              |
| Hard                     | TM transmission TC reception Memory handling (e.g. EEPROM) UART handling | TM HK acquisition Monitoring of HK data AOC execution and related s/s commanding Thermal loop Physical interface handling (MIL-STD-1553B, CAN, SpaceWire, SpaceFiber) |
| Soft                     | TM generation TC execution Maintenance functionality                     | TM HK packet generation<br>Monitoring of HK data                                                                                                                      |

Selected Software Architecture needs to support these needs.

Use the appropriate Real-time Software Architecture to realize the temporal needs.

Combination of different architectures is feasible and common.

## PRECONDITION: SOFTWARE ARCHITECTURE



**QUICK OVERVIEW** 

Precondition: Software Architecture must be analyzable!

**Fixed Time Slice** 



Inflexible, hard to maintain, lack of compositionality, used in hypervisors etc.

Preemptive Multitasking (Real-time Operating System)



Flexible set of independent tasks, scheduling policy, preemption, blocking, shared resource with arbitration protocol used for hard (+soft) real-time

Event-Driven Cooperative Scheduling (Asynchronous Message Passing, XF)



Flexible composition of independent loosely coupled components, single task run-to-completion, cooperative sched., used for **soft real-time** 

#### **ESSENTIAL STEPS**



#### **QUICK OVERVIEW**

Analysis comprises 2 independent parts

- Formally proof all hard real-time constraints to hold under all (incl. worst case) conditions
  - Established methodology for preemptive multitasking RTOS
  - Mathematical model that allows formal reasoning for each timing constraint
  - Response Time Analysis



- Argue all soft real-time constraints to be met
  - Systematic Reasoning depends on the software architecture
  - A formal proof aiming at a 100% confidence in general is infeasible as it is
    - prohibitively expensive to carry out and
    - very likely to require the entire system to be highly inefficient
  - CPU Load Analysis based on measurements and statistics
  - Long-term system observation and monitoring

## **METHODS: RESPONSE TIME ANALYSIS**

#### **VERIFY HARD REAL-TIME CONSTRAINTS**

THB

- 1) Timing analysis of code
  - sequential code snippet
  - Safe upper bound of WCET (Worst Case Execution Time)
  - (Static) Code Analysis
    - → all execution paths & all system/memory/cache states



- 2) Schedulability calculation
  - Tasking Model (e.g. preemptive multitasking, RTOS)
  - Mathematical Theory
  - WCET serves as input data for calculating Response Time

3) Check with requirements











$$R_{i} = CS + B_{i} + C_{i} + \sum_{j \in hp(i)} \left[ \frac{R_{i}}{T_{j}} \right] \cdot (C_{j} + 2CS) + CI(R_{i})$$

 $CI(\Delta t) = \sum_{r \in ISR} \left[ \frac{\Delta t}{T_r} \right] \cdot (C_r + 2 CIS)$ 

$$\forall i \in \tau : R_i \leq D_i$$

## **TOOLS: RESPONSE TIME ANALYSIS**



#### VERIFY HARD REAL-TIME CONSTRAINTS





Response-Time Tools: OHB Excel, DSL MAST, Cheddar ... commercial ...





Calculation, Visualization and Documentation



## THEORY AND PRACTICE



#### **TECHNICAL CONSIDERATIONS**

- Classification: which requirement is a soft and which is a hard timing constraint?
  - For every hard timing constraint there must be a good and valid reason (not just a feeling and sense of urgency)
  - Just because something is important to happen (cf. FDIR) it's not necessarily to be classified "hard"
  - If a function is determined to be subject to hard real-time but the envisaged implementation "breaks" the architecture, maybe the implementation needs to be reconsidered.
    - (cf. "this TC is generated onboard as part of the control loop, so its execution needs to start and complete execution within 100ms")
  - Has impact on how to implement the respective functionality in order to be able to verify the requirements
- SA needs to be considered very early in the design and development process
  - SA is tightly coupled with software architecture
  - SA starts prior to the first line of code is written
  - It is essential for all developers to understand the real-time behavior of the software
  - Software modularity is not limited to function, but needs to consider timing and analyzability as well

## THEORY AND PRACTICE



PROCESS SPECIFIC CONSIDERATIONS











**V-Cycle** 



## THEORY AND PRACTICE

## THB

#### **LESSONS LEARNED**

- Timing requirements are essential but often are missing or of insufficient quality
  - But they are needed early to make the correct design decisions and to be able to verify/validate/test your system in the end
  - Deficiencies are in requirement documents, user manual and ICDs (and in how they are processed)
  - Timing requirements need to be as loose and relaxed as possible and not driven by a "feeling of urgency"
  - All timing requirements must have a technical justification
- Some common design/implementation pattern are in conflict with assumptions or efficient application of the theory!
  - Design for analyzability know the assumptions and show that they are obeyed
  - Great source for discussions!
  - Ex.: misconceived software modularity vs. small set of tasks and shared resources
  - Ex.: self-suspending functions in "user-friendly" API with hidden ISR vs. full knowledge of the software behavior
  - Ex.: suspensions to implement temporal sequences, hardware access, API call **vs.** each task has a single point of suspension
  - Ex.: Worst Case Time (WCET) vs. Average Time (AET) ... selecting algorithms developers tend to go for the average execution time
  - Advice: Keep it simple!
     simple code is easy to be analyzed by static code analyzers (avoid dynamic structures and data dependent control flow)
     and: less error-prone



## **BENEFITS**



#### **EXPECTATIONS: PROOF OF TIMING CONSTRAINTS AND REQUIREMENTS**

- A Schedulability Analysis can proof certain timing properties, but
  - The proof is carried out on a mathematical model
  - It is assumed that the mathematical model resembles the implementation (but in general this can't be shown)
- SA can not formally proof every timing requirement .. and this is not necessary
  - "only" hard timing requirements are formally proven,
  - Soft timing requirements are argued to be met based on measurements and estimates
- SA is only one brick contributing to System/Software correctness
  - Ongoing monitoring (of the timing behavior) still is essential
  - Comprehensive tests still are essential

#### **BENEFITS**

#### **INCIDENTAL CATCH**



- Ideally timing analysis is performed by a different team / personnel
  - Providing an extra pair of eye for thorough code review and understanding
- Orthogonal view into the software
  - Usually the function is the primary focus of developer and reviewer, now the time perspective is added
- Early considerations wrt. a clean and structured architecture
  - Shared resources and their accessors (+monitors, semaphores etc) are identified by analysis (must adhere the architecture, code review by analysis)
- Static code analysis identifies all feasible execution paths, even those not intended or tested
  - Identify unintended and untested execution paths that may lead to unexpected behavior
- Static code analysis identifies the longest execution path
  - Hot-spot identification early in the process → Optimization of algorithms, ensure scalability
  - Ex.: a data-pool is populated with a limited set of data during development and test such that search inefficiencies are identified late
- Static stack analysis is a low-hanging fruit
  - Worst case stack usage can be calculated by static timing analysis tools as it engages the same technology
- Keep it simple and stupid (KISS)
  - Architecture designed for analysis typically is simple (repetitive design pattern)
  - Simple code is easier to be analyzed by code analyzers (less manual annotations required)
  - Simple code usually is less error-prone code, (Ex.: avoid dynamic structures and data dependent control flow)

## **OUTLOOK**



#### WHAT ABOUT OTHER ARCHITECTURES?

- More advanced processing architectures (Multi-Core processors, Hypervisors, Distributed systems)
  - Proofing timing/access constraints across multiple processors yields explosion in complexity
     So we'd better avoid that ...
  - ... and follow the often suggested approach of separating hard real-time sensitive functionality into dedicated Cores or CPUs
  - Ex.: in SMP RTOS dedicated tasks are bound to specific CPU cores (BMP bound multi-processing), which are analyzable independently

- Realtime bus systems (MIL-STD-1553B, CAN, TTEthernet, SpaceWire, SpaceFibre, RS485 ...)
  - Usually restriction to a real-time capable protocol subset: periodic queries "send-list" approach
  - Often the scheduling theory is applicable similarly
    - Ex.: real-time communication via multi-master CAN with proven upper bound for the Response/Transmission Time

## **SUMMARY**

## THB

#### **INTRODUCTION & QUICK OVERVIEW**

- SA is only one brick contributing to System/Software correctness
  - Ongoing monitoring (of the timing behavior) still is essential
  - Comprehensive tests still are essential
- SA argues about timing and
  - can formally proof "only" hard timing requirements and
  - may provide systematic means to argue that soft timing requirements are met
- SA ranges the entire lifecycle and is specifically important in early phases (requirements, architecture definition ..)
- SA provides incidental benefits
  - insight in the software from a different (non-functional) perspective
  - additional confidence that the software/system works as expected

# WHY DO WE HAVE TO PREPARE A SOFTWARE SCHEDULABILITY ANALYSIS?



ANDREAS WORTMANN, SOFTWARE PRODUCT ASSURANCE WORKSHOP 2023, ESAC, SPAIN, 25-28.09.2023

# THANK YOU!

OHB SE Manfred-Fuchs-Platz 2-4 28359 Bremen Germany

Phone: +49 421 2020 8 Fax: +49 421 2020 700

Email: info@ohb.de Web: www.ohb.de