Goal-Based Flight Software Health Management Services

Abstract

EXTENDED ABSTRACT (REVISED) The NASA-sponsored FAILSAFE project is developing concepts and prototype implementations for software health management in mission-critical real-time embedded systems. The project unites features of the industry standard ARINC-653 Avionics Application Software Standard Interface and the Jet Propulsion Laboratory's Mission Data System (MDS) technology. The ARINC-653 standard establishes requirements for the services provided by partitioned real-time operating systems. The MDS technology provides a state analysis method, canon-ical architecture, and software framework that facilitates the model-based design and implementation of software-intensive systems. Our conjecture is that a model-based development and run-time system that is both state-centric and goal-directed offers compelling features and capabilities for real-time safety-critical health monitoring. In a related prototype implementation, we are using the MDS technology to provide the health management function for an ARINC-653 application implementation. In particular, we are showing how this combination enables reasoning about and recovering from application software problems. In order to make it a compelling demonstration for current aerospace initiatives, we imposed on our prototype a number of requirements derived from NASA's Constellation Program. In particular , we adopted both the computer-based control system safety requirements and the safety-related requirements completeness checks from the Constellation Program's computing system requirements. The control system safety requirements address issues associated with loss of function and with inadvertent activation. The completeness checks address a number of issues associated with the specification and implementation of features for software safety and for the interaction of hardware and software. For each relevant element in both sets of adopted requirements, we identified one or more demonstration features that might show how the requirement might be met using a software health management approach. Our prototype application software mimics the Space Shuttle orbiter's abort control sequencer software task, which provides safety-related functions to manage vehicle performance during launch aborts. We turned this task into a goal-based function that, when working in concert with the software health manager, aims to work around software and hardware problems in order to maximize abort performance results. In addition to our adopted application requirements, the ARINC-653 standard imposes a number of requirements on the system integrator for developing the requisite error handler process. Under ARINC-653, the health monitoring (HM) service is invoked by an application calling the application error service or by the operating system or hardware detecting a fault. The recovery action depends on the error level. The system integration specifies in the module …

Cite this paper

@inproceedings{Barry2009GoalBasedFS, title={Goal-Based Flight Software Health Management Services}, author={Matthew Barry and G. Horv{\'a}th}, year={2009} }