Nanosatellite Event Simulator Development Using Scrum Agile

2015 12th International Conference on Information Technology - New Generations

Nanosatellite Event Simulator Development Using Scrum Agile Method and Safety-Critical Application Development Environment

André Luiz Pierre Mattei, Adilson Marques da Cunha, Luiz Alberto Vieira Dias, Eloi Fonseca, Osamu Saotome, Paulo Takachi, Gildárcio Sousa Gonçalves, Thoris Angelo Pivetta, Victor da Silva Montalvão, Cassio Kendi, Felipe Lopes de Freitas, Manasseis Alves Ferreira, Mateus Andrade Almeida, Gabriel Gonçalves de Oliveira Rodrigues

Instituto Tecnologico de Aeronautica, ITA, Sao Jose dos Campos, Sao Paulo, Brasil

{mattei, cunha, vdias, eloif, osaotome}@ita.br, {ptakachi, gildarciosousa, thorisangelo, vsmontalvao, cassiokendi, felipelopesfreitas, manasseis, mateusecomp, rodrigues.computacao}@gmail.com

Abstract—Development of satellite and launcher subsystems involves programming complex embedded systems and dealing with multiple system interactions while complying with both functional and technical requirements as well as software quality. Space onboard system project development is complex and is normally both time consuming and highly susceptible to errors. The combination of Scrum agile methods with model-based programming addresses these restraints and allows synergetic interactions between team members. This paper describes the classroom experience of a group of students in the development of a Nanosatellite Event Simulator and its display interface for an Attitude Control and Determination Subsystem (ACDS). The instructional technique of Interdisciplinary Project Based Learning (IPBL) and the software SAfety-Critical Application Development Environment (SCADE) were used.

Keywords- Model-based programming, Interdisciplinary Project Based Learning, Safety-Critical Application Development Environment, Scrum Agile Methods, Nanosatellite.

I. INTRODUCTION

The use of modern techniques to develop complex systems allows faster system deployment and improves both the quality and reliability of the final product. Using Scrum Methods to manage agile teams in an Integrated Computer Aided Software Engineering Environment (I-CASE-E) for the development of embedded systems has improved the results when considering both technical and functional requirements [1] [2].

This paper describes classroom activities in the development of an Event Simulator and its visual interface for a nanosatellite project inside the Brazilian Aeronautics Institute of Technology (Instituto Tecnologico de Aeronautica - ITA) [3]. By using Scrum agile methods, the Event Simulator was developed for the Attitude Control and Determination Subsystem (ACDS) at a high level through an Interdisciplinary Project Based Learning (IPBL). It involved both undergrad and graduate students in four different courses and was named Interdisciplinary and Integrated Satellite-Launcher Brazilian Academic System 2014 (SI–LANSAB 2014). SI–LANSAB 2014 is an academic and interdisciplinary project that provides learning in real-time aerospace embedded systems. Aiming at providing real world experiences for students, it comprises activities of software development (using I-CASE-E), loading software into hardware (Raspberry and Arduino), simulation packages (STK), and technology for project management (Scrum). Scrum Agile Methods are used in the development, integration, and management of the nanosatellite Event Simulator. Making use of cycles, called Sprints, the program was developed at a high level by using an Integrated Computer Aided Software Engineering Environment (I-CASE-E), SCADE, and had its software systematically tested [4]. SCADE intrinsic features allowed the automatic generation of C++ module codes to comply with requirements and allowed the creation of a display interface.

This paper is organized in a way that describes the project of an Event Simulator and how the software development progress can be followed through its cycles (Sprints). After the description of both the vision and architecture of SI-LANSAB, an introduction to nanosatellites is provided. Subsequently, the User Stories used in the project are described, as well as the related activities for software and hardware generation. At last, this paper presents the models used for Software Quality, Reliability, Safety, and Testability.

II. SI-LANSAB VISION AND ARCHITECTURE

As mentioned in the Introduction, IPBL makes use of a management method called Scrum. In accordance with this practice, this section describes the project's vision in subsection A and its architecture in subsection B.

A. Project Prototype Vision Artifact

Taking into account the Scrum agile method, the following project vision artifact was defined: “FOR aerospace companies, THAT need to develop, integrate, and manage embedded and computer systems, THE Integrated Satellite and Launch Academic Brazilian Aerospace Interdisciplinary System Project 2014 (Projeto do Sistema Interdisciplinar e Integrado de Lançamento de Satélites Acadêmicos Brasileiros de 2014, SI-LANSAB 2014) IS an embedded real-time system that provides academic and interdisciplinary skills necessary to Engineers of the 21st Century. UNLIKE similar products of Universities and Research Institutes such as ITA, INPE, MIT, Aalborg, and Würzburg and companies such as Thales, Astrium, among others, OUR PRODUCT is developed academically, in an agile manner, with quality, reliability, safety, and testability and could be certifiable by DO-178C.”

The authors acknowledge the support of FINEP and CAPES.

978-1-4799-8828-0/15 $31.00 © 2015 IEEE DOI 10.1109/ITNG.2015.22

B. Architecture of the Prototype Project SI-LANSAB 2014

This section describes the architecture of the project SI-LANSAB 2014. This project aimed to cover different aspects pertaining to both launching and operation of a nanosatellite. Although the project does not go into details, because it did not intend to master all particulars concealed in each system, the main attributes were seen and treated carefully.

Embedded systems were divided into groups with high cohesion and low coupling characteristics: (i) Launcher, (ii) Satellite ACDS and Telecommand and Telemetry (TC/TM), (iii) Satellite Onboard Computer (OBDH) and Payload (Camera for Earth Observation), (iv) Launch control station, and (v) Ground Satellite Center, as depicted in Figure 1.

Figure 1. Architecture of the project SI-LANSAB 2014.

The Scrum method divides the development into phases or cycles, called Sprints and, as expected, milestones and testing activities are very dependent on its elaboration. In the case of this project, the Development Phase was divided into three Sprints, each containing a complete test cycle for planning, design, development, implementation, and evaluation of the test. The subsystems were developed in accordance with the architecture described and the software units were called User Applications (UA), responsible for wrapping logic models up. By using SCADE, source codes in C++ were created as well as an interface via SCADE Display (ARINC 661 compliant [5]).

The software was loaded onto Raspberry Pi hardware [6] (with Raspbian operating system [7]) and also on Arduino microcomputer boards [8]. Modeling and loading on hardware were the responsibility of individual Development Teams. Special attention and care were necessary in order to integrate the different subsystems, which eventually allowed the whole system to work together.

TABLE I. USER STORIES USED TO DEVELOP BOTH THE ACDS AND TC/TM SUBSYSTEMS.

ID: User Story

#US07: AS An Earth Observation Satellite, I WISH to have communication systems with the ground station, TO be able to receive commands, send both telemetry data and images from the camera.

#US22: AS An Earth Observation Satellite, I WISH to have four (4) operating modes: Pre-launch (ground); Launch; Attitude Acquisition; and Operational TO operate in accordance with the momentary need.

#US40: AS An Earth Observation Satellite, I WISH to have transitions of Operational Modes performed, TO have the ACDS in accordance with both the operational phase and health of the satellite.

Although not integrated into a real world satellite in this phase of the development, SI-LANSAB used the ITASAT project as a reference for the establishment of requirements [3]. The next section gives a general view of ITASAT.

III. ITASAT GENERAL DESCRIPTION

ITASAT is a 6U nanosatellite developed inside the Brazilian university ITA [3], with technical support from the National Institute for Space Research (INPE) and sponsored by the Brazilian Space Agency (AEB). For the sake of clarification, a 1U satellite is a cube with a 10 cm side and a mass of roughly 1.33 kg, a so-called cubesat. This cubesat standard was created in 1999 at California Polytechnic State University and Stanford University. Taking into account this definition, a 6U satellite comprises six 1U units, as may be seen in Figure 2. ITASAT shall be launched in 2015 at an altitude between 400 and 700 km.

Figure 2. Nanosatellite ITASAT, under development by the Brazilian university ITA.

IV. GENERAL VIEW OF SATELLITE PHASES

As with any other satellite, all systems shall operate in different phases [9]. These periods take into account that, before its final operation in space, the spacecraft needs to be inside the launcher as well as to find a way to make it easier to fix problems in case something goes wrong (there is no hardware maintenance in space – for software it is possible to upload a new software, in some cases). With this in mind, the system life cycle is normally broken into four phases: ground, launch, orbit fix (safe mode), and normal operation mode, as seen in Figure 3. Considering this, the system must simulate a complete cycle of the satellite's life. From the moment in which the satellite is on the launch platform until its operation phase (taking pictures and sending them to the ground station), each mode must be simulated. Nevertheless, once the system enters an operational phase, it is not possible to revert to the previous one (except by means of a simulation reset).

[Figure 3 states, in sequence: Ground, Launch, Attitude Acquisition, Normal Phase.]

Figure 3. Transitions sequence between each operational phase.

A. Satellite Phases Description

Ground phase is the first one after the system is powered up. Usually, the system is powered by an external source by means of an umbilical cable. This phase is broken into two modes:

1. External power source is on (ground support mode); and
2. External power source is off (ground safe mode).

The launch phase simulates the stage where the satellite is on the launching pad and still connected to the launch vehicle. So that the user can follow the satellite status and the system can save energy, only telemetry is working in this phase.

In the attitude acquisition phase, the system starts to look for a reference attitude. To find this position, the satellite needs its sensors, actuators, and a control algorithm to align to the reference attitude and stabilize. Every sensor and actuator needs to look for the reference attitude and stabilize the satellite according to system requirements. Once stabilized, all subsystems of the satellite are powered up automatically. If it cannot acquire the reference attitude for any reason (failure in the sun sensor, an actuator or another peripheral used to execute this task), the system must go to Safe Mode. In safe mode, the system must be able to receive an update (upload of new software in a partition, or configuration of parameters) that will help to acquire the reference attitude.

In the normal phase, the system must track the reference attitude and wait for a command, which informs the position where it must take a picture. Attitude control is used for orbit corrections according to sensor measurements. When the satellite receives a telecommand to make a picture acquisition, the system gets into payload mode (operational). If the camera or the sensors needed for acquisition are not functional, this must be reported to ground. If peripherals (sun tracker, actuator or other) or the software used to control the attitude reference fail, the satellite must go to Safe Mode. In safe mode, it is not possible to execute a telecommand to get into payload mode.

The next section presents the ACDS, which is responsible for the attitude control of the satellite, according to the sensor measurements, current attitude, and the mission commands received specifying a desired attitude. The next section also presents some general aspects related to the Telecommand & Telemetry Subsystem (TC/TM), responsible for receiving orders from the ground station as well as for sending data collected by the satellite to the ground station.

V. THE ACDS AND TC/TM DEVELOPMENT

This section depicts the work pursued during IPBL development. Different activities were established with the goal of providing different experiences of real time systems for the students. At first, the state machine, developed using SCADE and representing the satellite phases, is described. In order to provide a proper visual interface for a better understanding of these phases, the simulation using STK software was created to work synchronized with the running code developed in SCADE. For the hardware, different applications were loaded into both Raspberry and Arduino boards.

A. Code Development using SCADE

To serve US22 and US40, from Table I, a model was developed within the SCADE Suite and SCADE Display. Figure 4 shows the state machine created to represent the satellite operational phases. The first four states are the same as those found in Figure 3. Inside each of these states, other states may be found in accordance with the phase itself, as described in Section IV.

Transition between states may be either automatic or commanded via the display interface, depending on the phase characteristics. To change from ground to launch phase, it is necessary to use the upper right push-button depicted in Figure 5 (Ground Power); this means that external ground power is no longer available. The transition from launch phase to attitude acquisition phase also requires a push button (Launch Phase button). Pushing this button means that the satellite has left the launcher nose cone. Since, after leaving the rocket, the satellite is probably spinning in all three axes, the attitude acquisition phase is automatic and no action is required from the operator in this transition or to enter the next operational phase (normal). Nonetheless, when the satellite is in the correct position relative to Earth, a signal presents this condition to the operator. A proper position of the satellite in relation to Earth is mandatory because of the positions needed by both the camera and the antennas.

Figure 4. State machine developed in SCADE to create the satellite operational phases.
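The phase rules described in Sections IV and V.A (one-way phase sequence, safe mode on failure, payload telecommand refused in safe mode), written out as a small C state machine. This is an added example, not the SCADE model or its generated code; the event names, the `Satellite` structure, the constructed event script, and the rule that a software update clears safe mode are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Operational phases in the only order the simulator allows (Figure 3). */
typedef enum { PH_GROUND, PH_LAUNCH, PH_ATT_ACQ, PH_NORMAL } Phase;

/* Event names are hypothetical, chosen for this example. */
typedef enum {
    EV_GROUND_POWER_OFF,   /* operator: "Ground Power" push-button     */
    EV_LAUNCH_BUTTON,      /* operator: "Launch Phase" push-button     */
    EV_ATTITUDE_ACQUIRED,  /* automatic: reference attitude stabilised */
    EV_PERIPHERAL_FAILURE, /* sun sensor, actuator or control software */
    EV_SOFTWARE_UPDATE,    /* upload received while in safe mode       */
    EV_TC_TAKE_PICTURE,    /* telecommand from the ground station      */
    EV_SIM_RESET           /* simulation reset                         */
} Event;

typedef struct {
    Phase phase;
    bool safe_mode;    /* set by a failure in acquisition or normal phase */
    bool payload_mode; /* picture acquisition requested by telecommand    */
} Satellite;

void sat_init(Satellite *s) { *s = (Satellite){ PH_GROUND, false, false }; }

/* Apply one event. Returns true if accepted; a rejected event changes nothing. */
bool sat_handle(Satellite *s, Event ev) {
    switch (ev) {
    case EV_SIM_RESET:            /* the only way back to an earlier phase */
        sat_init(s);
        return true;
    case EV_GROUND_POWER_OFF:
        if (s->phase != PH_GROUND) return false;
        s->phase = PH_LAUNCH;
        return true;
    case EV_LAUNCH_BUTTON:
        if (s->phase != PH_LAUNCH) return false;
        s->phase = PH_ATT_ACQ;
        return true;
    case EV_ATTITUDE_ACQUIRED:    /* cannot complete while in safe mode */
        if (s->phase != PH_ATT_ACQ || s->safe_mode) return false;
        s->phase = PH_NORMAL;
        return true;
    case EV_PERIPHERAL_FAILURE:   /* page describes safe mode for these two phases */
        if (s->phase != PH_ATT_ACQ && s->phase != PH_NORMAL) return false;
        s->safe_mode = true;
        s->payload_mode = false;
        return true;
    case EV_SOFTWARE_UPDATE:      /* assumption: an update clears safe mode */
        if (!s->safe_mode) return false;
        s->safe_mode = false;
        return true;
    case EV_TC_TAKE_PICTURE:      /* refused outside normal phase or in safe mode */
        if (s->phase != PH_NORMAL || s->safe_mode) return false;
        s->payload_mode = true;
        return true;
    }
    return false;
}

/* Replay an event script; returns how many events were rejected. */
int sat_replay(Satellite *s, const Event *script, int n) {
    int rejected = 0;
    for (int i = 0; i < n; i++)
        rejected += !sat_handle(s, script[i]);
    return rejected;
}

int main(void) {
    const Event script[] = { /* constructed sample script */
        EV_GROUND_POWER_OFF, EV_LAUNCH_BUTTON, EV_ATTITUDE_ACQUIRED, EV_PERIPHERAL_FAILURE,
        EV_TC_TAKE_PICTURE, EV_SOFTWARE_UPDATE, EV_TC_TAKE_PICTURE, EV_GROUND_POWER_OFF };
    Satellite s;
    sat_init(&s);
    int rejected = sat_replay(&s, script, (int)(sizeof script / sizeof script[0]));
    printf("phase=%d safe=%d payload=%d rejected=%d\n", s.phase, s.safe_mode, s.payload_mode, rejected);
    return 0;
}
```

The ground sub-modes (ground support and ground safe) are left out to keep the example to the phase transitions.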

Figure 5. Ground station interface created using the software SCADE Display.

B. Satellite Phases simulation Using STK

In parallel to the work in SCADE, a simulation was done using the STK software [10]. STK allows modeling not only launcher characteristics and performance but also mission analysis. Although most nanosatellites are launched piggybacked on another bigger satellite and, consequently, cannot choose a particular orbit angle and altitude, an exercise in selecting different orbits allows a verification of revisit time and a better understanding of many different technical aspects. In the case of ITASAT, available launches for 2015 were observed, those with good enough orbits were spotted, and, at last, a Falcon 9 launch was selected. The whole exercise of designing the rocket and satellite and their flight in the good visual interface provided by STK proved very attractive for students. Figure 6 shows two moments of this simulation exercise for the launcher and satellite operation.

Figure 6. Modeling of operational phases using the STK software.

C. Loading codes in Hardware

Besides modelling the operational phases, students worked on the communication subsystem (TC/TM) using Arduino hardware. Since the simulation refers to a classroom exercise, messages were simplified and those exchanged by the TC/TM (US07) are shown on the display in a specific location, as in Figure 5. This figure shows the inherent differences between TC and TM. TC data are orders sent by the ground station to the satellite and TM are internal data sent by the satellite to the ground. Besides this exercise in simulation, students worked on having simple but operational hardware to send and receive data. In parallel to code development using SCADE, a transmitter and a receiver were developed using Arduino Mega 2560 and the transceiver XL24L01-D03. The general idea is to have these two transceivers emulating a TC/TM system. Correct transmission and reception of messages was verified. Figure 7 shows the RF module XL24L01-D03 isolated and connected to Arduino Mega 2560 (transmitter and receiver are identical).

Figure 7. RF XL24L01-D03 module connected to Arduino Mega 2560 (transmitter and receiver are identical).

VI. SOFTWARE QUALITY, RELIABILITY, AND SAFETY

A quality plan was designed and applied to all software components and system integration in all three sprints of SI-LANSAB 2014. Requirements and User Stories prioritized by team members were tested in accordance with a strategy. Many different tests were pursued and transactions refer to "logical business transactions". These transactions are defined as specific functions that an end user of the system is supposed to perform when using the application, such as adding or modifying given information. Table II presents and describes the different tests done during SI-LANSAB 2014 development.

TABLE II. TESTS PERFORMED DURING ACDS EVENT SIMULATOR EXERCISE.

Type: Description

Functional: Ensure proper functionality of the test target, including navigation, data entry, processing, and retrieval.

User Interface: Navigation through targets properly reflects both functions and requirements. Objects and window characteristics, such as menus, position, and state, are in accordance with defined patterns.

Installation: Verification that test targets installation in new hardware performs properly.

A. Strategies and Techniques for Software Testing

A strategy for software testing integrates design techniques of test cases in a defined series of steps that result in building successful software.

Software testing in the nanosatellite provides a roadmap that outlines the steps to be performed and the resources needed. Therefore, any test strategy for this space system must incorporate test planning, test case design, test execution, data collection, and evaluation of data [11]. See a sample of Test Cases from User Story 07 in Table III.

TABLE III. TEST CASES.

Identifier: #TS02.US07.1.
Description: Subsystem for Satellite Earth Observation, the WIDGETS should show at CDS:
- Communication information, such as channel and frequency.
- Communication indicator turned on / off.
- Control to change the preset channels.
- Control to change the pre-defined frequencies.
Expected Results: Presentation of the channel indicator and frequency of communication and controls for channel configuration and frequency.
Oracle: Pre-defined channels 0, 1, 2, 3, 4 and 5. Pre-defined frequencies: 5.091, 5.191, 5.291, 5.391 and 5.491 MHz.

Identifier: #TS02.US07.2.
Description: Having a WIDGET to choose one of the pre-defined channels.
Expected Results: Configure a pre-defined channel.
Oracle: Pre-defined channels 0, 1, 2, 3, 4 and 5. Pre-defined frequencies: 5.091, 5.191, 5.291, 5.391 and 5.491 MHz.

Identifier: #TS02.US07.3.
Description: Have a WIDGET to choose from pre-defined frequencies.
Expected Results: One set of pre-defined frequencies.
Oracle: Pre-defined channels 0, 1, 2, 3, 4 and 5. Pre-defined frequencies: 5.091, 5.191, 5.291, 5.391 and 5.491 MHz.

Identifier: #TS02.US07.4.
Description: Have a WIDGET to connect or disconnect the communication.
Expected Results: Connect and disconnect the communication.
Oracle: Pre-defined channels 0, 1, 2, 3, 4 and 5. Pre-defined frequencies: 5.091, 5.191, 5.291, 5.391 and 5.491 MHz.

B. System Testing (Functional Testing)

As soon as the system elements had been properly integrated and had performed the functions allocated to them, the test was performed in order to reduce failures when in operation. Table IV shows additional test types for other systems, including hardware, in order to check if the nanosatellite is ready for operation. These tests must be performed even for a nanosatellite, otherwise the risk may be unacceptable [12].

TABLE IV. TYPES OF TEST SYSTEMS.

Test Type: Objective

Recovery Test: Check if the recovery runs correctly.

Security Testing: Check if the incorporated protection mechanism actually gives protection.

Test of effort: Check the system demand.

Performance Testing: Check the states of regularly machines.

Availability Test: Check software in the environment of use.

C. Software Testing Techniques

The software test measurement in the embedded system was based mainly on Black Box Software Testing Techniques, also known as functional testing, since they are based on the functional requirements of the software. In this case, the test focus was the established requirements, that is, the actions that the system will perform. The black-box procedures carried out sought to test:

• System Features: Focus on user stories, i.e. the use cases.
• User Entries Validation: Focus on nanosatellite input data.
• Checkout: Focus on nanosatellite output data.
• Transaction States: Ensure the Embedded System manages the state changes.
• Border values: Test the Embedded System with inputs whose values are limits or close to the maximum and minimum values allowed.
• Equivalence Classes: Achieve better coverage of the input and output values.

D. Methodology for Software Testing Process

According to the Standard DO-178C, the purpose of the verification process is to detect and report defects (errors) that have been introduced in the development processes. The verification process does not produce software. Its responsibility is to ensure that the produced software implements the intended function completely and correctly, while avoiding unintended function. Verification is an integral process (see Figure 8), which is coupled with every development process.

Verification examines the relationship between the software product and the requirements. At an abstract level, the software verification process exists to constantly ask the question: “are we building the system right?”. This fact contributes to the current reliance on structural coverage as one measure of the completeness of testing [13].
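The border-value and equivalence-class techniques listed in Section C, applied to the oracle of Table III (channels 0 to 5 and the five pre-defined frequencies), as an added C example that is not the project's test code. The `TcLink` structure, the function names and the test vectors are constructed for illustration; frequencies are held in kHz so that comparisons are exact.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Oracle from Table III: channels 0..5 and five preset frequencies (kHz). */
#define TC_CHANNEL_MIN 0
#define TC_CHANNEL_MAX 5
static const int TC_FREQ_KHZ[] = { 5091, 5191, 5291, 5391, 5491 };
#define TC_FREQ_COUNT (sizeof TC_FREQ_KHZ / sizeof TC_FREQ_KHZ[0])

/* Hypothetical TC/TM link configuration (name invented for this example). */
typedef struct { int channel; int freq_khz; } TcLink;

bool tc_channel_valid(int ch) {
    return ch >= TC_CHANNEL_MIN && ch <= TC_CHANNEL_MAX;
}

bool tc_freq_valid(int khz) {
    for (size_t i = 0; i < TC_FREQ_COUNT; i++)
        if (TC_FREQ_KHZ[i] == khz) return true;
    return false;
}

/* Apply a requested configuration; if any field is invalid, nothing changes. */
bool tc_configure(TcLink *l, int ch, int khz) {
    if (!tc_channel_valid(ch) || !tc_freq_valid(khz)) return false;
    l->channel = ch;
    l->freq_khz = khz;
    return true;
}

/* One black-box test vector: inputs plus the result the oracle predicts. */
typedef struct { int ch; int khz; bool expect; const char *why; } TcCase;

static const TcCase TC_CASES[] = { /* constructed test vectors */
    { -1, 5091, false, "border: just below the lowest channel" },
    {  0, 5091, true,  "border: lowest channel, lowest frequency" },
    {  5, 5491, true,  "border: highest channel, highest frequency" },
    {  6, 5491, false, "border: just above the highest channel" },
    {  3, 5291, true,  "equivalence class: valid interior values" },
    {  3, 5090, false, "border: 1 kHz below the lowest preset" },
    {  3, 5492, false, "border: 1 kHz above the highest preset" },
    {  3, 5241, false, "equivalence class: between two presets" },
};
#define TC_CASE_COUNT (sizeof TC_CASES / sizeof TC_CASES[0])

/* Run every vector against a fresh link. Returns the number of disagreements
   with the oracle, counting a rejected request that still altered the link. */
int tc_run_suite(void) {
    int failures = 0;
    for (size_t i = 0; i < TC_CASE_COUNT; i++) {
        TcLink l = { 0, 5091 };
        bool got = tc_configure(&l, TC_CASES[i].ch, TC_CASES[i].khz);
        if (got != TC_CASES[i].expect) {
            printf("FAIL: %s\n", TC_CASES[i].why);
            failures++;
        }
        if (!got && (l.channel != 0 || l.freq_khz != 5091)) failures++;
    }
    return failures;
}

int main(void) {
    int failures = tc_run_suite();
    printf("%d of %d vectors disagree with the oracle\n", failures, (int)TC_CASE_COUNT);
    return failures != 0;
}
```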

Figure 8. Modified Condition/Decision Coverage (MCDC).

CONCLUSION

This paper was presented as a novel approach in the use of modern techniques to develop complex systems and faster system deployment, keeping both quality and reliability of the final product. An exercise called Interdisciplinary and Integrated Satellite-Launcher Brazilian Academic System 2014 (SI–LANSAB 2014), conducted inside a Brazilian University (Instituto Tecnologico de Aeronautica, ITA), made use of Scrum Agile Methods and an Integrated Computer Aided Software Engineering Environment (I-CASE-E) in the development of embedded systems for a nanosatellite.

Though didactic, activities in the elaboration of an Event Simulator and its visual interface for a nanosatellite project proved successful in developing real-time aerospace embedded systems. The Event Simulator, aimed at the Attitude Control and Determination Subsystem (ACDS) at a high level, was created by undergrad and graduate students in four different courses. The Scrum Agile Method was used in the development, integration, and management of the nanosatellite Event Simulator. SCADE was used for automatic code generation and part of the testing in order to verify whether or not they complied with established requirements.

References

[1] S. J., SCRUM Handbook, Scrum Training Institute Press, 2010.

[2] S. A., Real-Time Systems and Software, New York, 2001.

[3] ITA, "ITASAT," [Online]. Available: http://www.itasat.ita.br/. [Accessed 26 October 2014].

[4] Esterel Technologies, "SCADE Suite," [Online]. Available: http://www.esterel-technologies.com/products/scade-suite/. [Accessed 26 October 2014].

[5] ESTEREL, "SCADE Solutions for ARINC 661 Compliant Systems," [Online]. Available: http://www.estereltechnologies.com/products/scade-arinc-661/. [Accessed 26 October 2014].

[6] "Raspberry Pi," [Online]. Available: http://www.raspberrypi.org/. [Accessed 26 October 2014].

[7] "Raspbian," [Online]. Available: http://www.raspbian.org/. [Accessed 26 October 2014].

[8] "Arduino," [Online]. Available: http://www.arduino.cc/. [Accessed 26 October 2014].

[9] R. S. Jakhu and J. N. Pelton, "The Development of Small Satellite Systems and Technologies," in Small Satellites and Their Regulation, New York, Springer New York, 2014, pp. 13-20.

[10] "STK," [Online]. Available: http://www.agi.com/. [Accessed 26 October 2014].

[11] P. C. JORGENSEN, Software Testing – A Craftsman’s Approach, 4th Edition ed., Boca Raton, FL: CRC Press, 2014.

[12] L. COPELAND, A Practitioner’s Guide to Software Test Design, Norwood, MA: Artech House Publishers, 2007.

[13] S. Cornett, "Code Coverage Analysis," Bullseye Testing Technology, 2014. [Online]. Available: http://www.bullseye.com/coverage.html. [Accessed 18 10 2014].