

# D4.4

Document Code:AUR-SEN-RP-00034Document Version:1.0Document Date:30/01/2023Internal Reference:DOC00231005









This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 101004291





Signature Control

| Written             | Checked            | Approved<br>Configuration<br>Management | Approved<br>Quality Assurance | Approved<br>Project Management                     |
|---------------------|--------------------|-----------------------------------------|-------------------------------|----------------------------------------------------|
| J. Gómez del Pulgar | A. Rodríguez       | R. Talavera                             | A. López                      | A. Rodríguez                                       |
| Date and Signature  | Date and Signature | Date and Signature                      | Date and Signature            | Date and Signature<br>tronically approved by route |



30/01/2023

D4.4 Flight SW Autocoding Life-cycle process (Platform in the loop)

Changes Record

| Rev    | Date       | Author              | Affected section | Changes                       |
|--------|------------|---------------------|------------------|-------------------------------|
| Draft0 | 2023-01-18 | J. Gómez del Pulgar | All              | First issue                   |
| 1.0    | 2023-01-30 | J. Gómez del Pulgar | All              | Updated after Internal review |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |
|        |            |                     |                  |                               |



Index

D4.4 Flight SW Autocoding Life-cycle process (Platform in the loop)

| 1.I∩ | troduction                     | 5   |
|------|--------------------------------|-----|
| 1.1. | Purpose                        | 5   |
| 1.2. | Scope                          | 5   |
| 1.3. | Document structure             | 5   |
| 2.   | Related documentation          | 6   |
| 2.1. | Applicable documents           | 6   |
| 2.2. | Reference documents            | 6   |
| 2.3. | Acronyms                       | 7   |
| 2.4. | Terms and definitions          | 7   |
| З.   | Platform in the loop           | 8   |
| 3.1. | Overview                       | 8   |
| 3.2. | Software Verification Facility | 8   |
| 3.3. | Hardware Verification Facility | 10  |
| 3.3. | 1. Unitary Unit testing        | 11  |
| 3.3. | 2. Flight software testing     |     |
| 3.4. | Additional verifications       | .15 |



# Table of Figures

| Figure 1: SVF diagram                                 | 9  |
|-------------------------------------------------------|----|
| Figure 2: Euclid SCOE [RD6]                           | 11 |
| Figure 3: ATB with only the OBC as hardware component | 13 |
| Figure 4: ATB with OBC and unit as hardware component | 14 |

# **Table of Tables**

| Table 1 Applicable documents | .6 |
|------------------------------|----|
| Table 2 Reference documents  | .6 |
| Table 3 Acronyms             | ,7 |



## 1. Introduction

### 1.1. Purpose

This document describes the Flight SW life-cycle for autocoding and the different processes and stages of a model-based process which cover the whole SW life-cycle from requirements to qualification. In particular, this document presents the final verification process of a dedicated software which is embedded and tested on real hardware units, i.e., Platform in the loop, also known as Hardware in the Loop (HIL).

The procedure is mainly focused for AOCS/GNC SW which has been selected as the primary use case of the project, but it can be adapted to other subsystems as well.

### 1.2. Scope

The Flight SW autocoding life-cycle process definition is the main core of the *WP4 Flight SW Autocoding Life-cycle Process Definition* of AURORA, as described in Annex 1 Part A of [AD1]. The document gathers the main process for the SW generation toolchain departing from the System requirements up to complete qualification, detailing it for the different stages of a typical software verification process

This document is an output of the D4.4 activity included in WP4. This paper is the culmination of three previous documents that relate the process from design to validation of a piece of AOCS/GNC Software:

- D4.1 Model in the Loop
- D4.2 Software in the Loop
- D4.3 Component in the Loop

Development of a complete V&V campaign shall follow the European Cooperation for Space Standardization (ECSS) which covers the best practices inside the Industry and ESA. In particular the main standard to follow is ECSS-E-ST-10 [RD1], which deals about the general system engineering concept. For engineering process for SW, the following standards are considered fully sufficient for development of these items: ECSS-E-ST-40 Space engineering – Software ([RD2] and [RD4]) and ECSS-Q-ST-80 Space product assurance – Software product assurance ([RD3]).

### 1.3. Document structure

The document has been structured as follows:

- Section 1: this introduction.
- Section 2: related documentation.
- Section 3: this section explains the Platform-in-the-loop phase V&V campaign of a complete OBSW, from its main functionalities inside a simulated environment to its deployment on real hardware.



30/01/2023

## 2. Related documentation

The following documents in the latest issue/revision from a part of this document.

### 2.1. Applicable documents

| AD #  | Title                            | Project Reference      | lssue | Rev |
|-------|----------------------------------|------------------------|-------|-----|
| [AD1] | AURORA Grant Agreement           | GA number 101004291    | -     | -   |
| [AD2] | AURORA Consortium Agreement (CA) | CA Nº 101004291 AURORA | -     | -   |

Table 1 Applicable documents

### 2.2. Reference documents

| RD #  | Title                                                                               | Reference        | lssue | Rev   |
|-------|-------------------------------------------------------------------------------------|------------------|-------|-------|
| [RD1] | Space engineering - System engineering<br>general requirements                      | ECSS-E-ST-10C    | С     | -     |
| [RD2] | Space engineering Software                                                          | ECSS-E-ST-40     | С     | ( - ) |
| [RD3] | Space Software Product Assurance                                                    | ECSS-Q-ST-80     | С     | -     |
| [RD4] | Software Engineering Handbook                                                       | ECSS-E-HB-40     | А     |       |
| [RD5] | Space engineering Technical Memorandum.<br>System modelling and simulation          | ECSS-E-TM-10-21A | А     | -     |
| [RD6] | The Euclid verification facilities                                                  |                  |       | -     |
| [RD7] | D4.3 AURORA Flight SW Autocoding Life-<br>cycle process (Component-in-the-loop)     | AUR-SAE-RP-0033  | 1     | 1.0   |
| [RD8] | Space Engineering. Satellite attitude and orbit control systems (AOCS) requirements | ECSS-E-ST-60-30C | С     | -     |

Table 2 Reference documents



### 2.3. Acronyms

| Acronym | Description                                    |
|---------|------------------------------------------------|
| AD      | Applicable Document                            |
| AIT     | Assembly, Integration, Testing                 |
| ATB     | Avionics Test Bench                            |
| COTS    | Commercial Off The Shelf                       |
| DKE     | Dynamic Kinematic Environment                  |
| EBd     | Executive Board                                |
| ECSS    | European Cooperation for Space Standardisation |
| EM      | Engineering Model                              |
| ESE     | Engineering Simulation Facility                |
| FDIR    | Fault Detection Isolation and Recovery         |
| FES     | Functional Engineering Simulator               |
| FM      | Flight Model                                   |
| FUMO    | Functional Model                               |
| GA      | Grant Agreement                                |
| HILF    | Hardware-In-the-Loop Facility                  |
| HW      | Hardware                                       |
| MIL     | Model in the Loop                              |
| N/A     | Not Applicable or Available                    |
| OBC     | Onboard Computer                               |
| PFM     | Proto Flight Model                             |
| PIL     | Processor in the Loop                          |
| RD      | Reference Document                             |
| SDP     | Software Development Plan                      |
| SIL     | Software in the Loop                           |
| SVF     | Software Verification Facility                 |
| SW      | Software                                       |
| WP      | Work Package                                   |

Table 3 Acronyms

### 2.4. Terms and definitions

N/A



## 3. Platform in the loop

### 3.1. Overview

Platform in the loop, also known as Hardware in the Loop (HIL), is a type of testing in which a system being tested is connected to a simulation of its operating environment, such that the system being tested can be exercised through its inputs and outputs as if it were operating in the real environment. HIL simulation is commonly used to test the behavior of control systems, such as those used in aircraft, automobiles, and industrial processes. The simulated environment may include models of sensors, actuators, and other components that interact with the system being tested. By testing the system in a simulated environment, HIL simulation allows engineers to evaluate the performance of the system under a wide range of operating conditions without the need for expensive and time-consuming physical testing.

Regarding GNC/AOCS software, this process starts once after integration of the Application Software with the rest of the OBSW and a functional piece of software is completed. In the scope of Aurora's project, this process starts after the integration of the autogenerated code as per D4.3 AURORA Flight SW Autocoding Life-cycle process (Component-in-the-loop) [RD7].

As in the previous cases, this process follows an iterative approach in the sense that some modifications of the code are to be expected, even requiring a modification to the underlying GNC code, which, for the case of the autogenerated code, it implies modification of the Simulink models.

After this stage, the final product shall pass the qualification and acceptance verification stages, implying that the final design, including margins, meets the requirements (Qualification) and that it is free of workmanships errors, and it is ready for its use (Acceptance). Related verification activities, which are part of the Verification Plan ([RD8]) are presented in the Qualification Review and Acceptance Review documents respectively, ending the production phase (Phase D).

The qualification and acceptance verification stages involve:

- 1. Software Verification Facility Test campaign.
- 2. Hardware Verification Facility Test campaign.
- 3. Other relevant verification activities.

It has to be noticed that the Platform-in-the-loop process and their different verification stages shall be carried out for either autogenerated GNC/AOCS code or manual code. In some cases, the software for the simulators are subject to an autocoding process too.

### 3.2. Software Verification Facility

First validation and verification of an OBSW is performed on an SVF [RD5]. This facility allows the validation of the interface between the OBSW and the OBC (lower layers) as well as the application software layers related to the AOCS, GNC, data handling (TM/TC), mission management, monitoring and control, payload equipment, etc. Monitoring processes, which also includes the Fault Detection Isolation and Recovery (FDIR) capability, are exercised due to the ability of the SVF to inject failures.

The SVF is an important tool for ensuring the reliability and performance of the AOCS software, as it allows the software to be tested in a controlled environment without the need for costly and time-consuming physical testing. Although not including any hardware part in the loop of this environment, SVF campaign is typically included inside the Platform in the loop campaign since it represents a high-fidelity software environment of the real hardware (sensors, actuators, hardware interfaces, power lines, etc.).

The SVF is used repeatedly during the complete verification process for each version of the onboard software and each version of the spacecraft database associated with it.

Some of the validation activities that the SVF can support are:



30/01/2023

#### D4.4 Flight SW Autocoding Life-cycle process (Platform in the loop)

- Integration tests
- Parameter settings
- Functional validation in open loop
- Performance and robustness tests in closed loops
- Validation activities as required during SW maintenance and evolution (regression tests)
- Validation of the spacecraft database

SFV should be validated without the availability of a validated OBSW. The different models should be validated as a stand-alone in open loop by sending commands and verifying the proper update of the related telemetry. To do so, appropriated simulated hardware interfaces (between units and software) is needed.

The typical configuration of a SVF is as follows:



#### Figure 1: SVF diagram

in which the host machine communicates with the SVF machine via test scripts. Inside this simulation, a representative OBSW is loaded containing the Application Software, which integrates the GNC software, and the data handling software which deals with the rest of the satellite functions (TM/TC handling, mode transitions, communication with units, power management, etc.).

The unit models are also loaded inside the environment and those are the ones interacting with the Dynamic Kinematic Environment (DKE), the "Real Word", in which the evolution of the kinematics of the spacecraft due to actuator commands and external perturbations is computed.

This system is entirely closed loop due to the inclusion of the DKE, in which the initial configuration of the test is done and at certain moment of the scenario, time-tagged telecommand are sent. With this setup, it is possible to observe how the system will behave under certain circumstances. Nonetheless, open loop scenarios can be tested as the validation team may be interested in the response of a unit to a given input signal.

All in all, this facility will not represent the final satellite system response due to the lack of hardware included. The next section will include additional details when including hardware in the loop.

In case of a generic project starting from the beginning, a Test Plan shall be defined with the major objectives to be tested during the V&V campaign from which a series of Test Specifications are released. These specifications will define the test objective, the requirements to be verified, the test set up and the step by step procedure

9



(test procedure), as well as the pass/fail criteria for the test operator to follow. After competition of the test, a report is generated in which the results are gathered, along with test deviations from the original plan, if any.

As an example of the process followed by Aurora project, the SVF was readily available from Euclid's equipment. Test procedures were available as well and selected to tests the QGen autogenerated code. These particular test procedures are written in Tcl and consist on a series of steps, from which a one to one relation can be establish from the test specification, and the corresponding pass/fail checks. Once that the test has been run, results are gathered (TM results, simulator inputs and outputs, unit status, etc.) and analyzed, repeating the test if an error was encountered.

### 3.3. Hardware Verification Facility

Contrary to the previous section in which the SVF is explained, with the Hardware Verification Facility does include hardware components in the testing loop. From unitary unit testing to the real spacecraft, this process ensures that the final spacecraft to be launched has successfully passed the complete validation and verification campaign.

The level of verification activities mainly depends on the project scope, level of criticality, schedule constraints, monetary limitations, etc. Nonetheless, AOCS hardware and software verification shall be done, according to the standards [RD8], with a configuration including the flight software and representative flight hardware, interfaces, and real time performances.

The hardware facility employed for this phase can be either an avionics test bench in which a unit is installed and tested, an Engineering Model (EM), a Functional Model (FUMO) of the satellite or the main units of the spacecraft (for instance the OBC) or directly at the Flight Model (FM) of the spacecraft.

When performing tests, either on the complete satellite or in any of its subsystems, it is fundamental to have an equipment that is able to replicate the functions of the satellite on the ground before launch. This equipment is named GSE (named after Ground Support Equipment). Essentially, GSE is a non-flight product (either software or hardware) used on ground to help the validation process. These GSEs may vary in size and complexity, from a simple lamp to illuminate Sun acquisition sensors from dedicated integrated systems to validate the different satellite subsystems. Those integrated systems, also known as Special Check-Out Equipment (SCOE) are used, for example, to provide signals to the optical sensors of the spacecraft's attitude control subsystem to simulate the real conditions they will encounter in space. Other SCOE provides electrical power to the spacecraft, simulating the outputs of the solar arrays and batteries, or allows the measurement of electrical signals from selected power or data lines on the spacecraft.



#### Figure 2: Euclid SCOE [RD6]

There are different types of GSE, depending on the function it provides, namely:

- Electrical Ground Support Equipment (EGSE)
- Mechanical Ground Support Equipment (MGSE)
- Optical Ground Support Equipment (OPSE)
- Pressure Ground Support Equipment (PGSE)
- Fluidic Ground Support Equipment (FGSE)

Different GSE are used to ensure the proper validation of the system, from unitary units to the complete AOCS chain.

Safety precautions are of special importance since real hardware components are handled and those are needed to be treated according to manufacturer specification, usually involving dedicated procedures to operate, qualified personnel or certain environmental conditions (humidity levels, temperature ranges, etc.). Procedures are also required to be followed in case of emergency, i.e., safely switching off the OBC.

#### 3.3.1. Unitary Unit testing

The complete GNC with the whole flight software heavily relies on sensors and actuator performance. Unitary testing involves testing individual hardware units in isolation, rather than testing the complete AOCS system. This process can be accomplished by connecting the real unit hardware to an equipment that is able to generate the real stimuli that the unit is ready to receive and analyze its behavior under these stimuli.

• *Performance unitary test.* During the unitary testing campaign, the hardware units can be subjected to a variety of tests to ensure that the performance is according to manufacturer specification. This may include tests to verify the accuracy of sensor readings, the range and sensitivity of actuators, and the overall performance of the hardware under different operating conditions. Environmental conditions are also validated at this stage. Temperature ranges, shocks, stress are some of the main tests to be performed at unitary level.



Unitary testing is typically done before the hardware units are integrated into the complete AOCS system, as it allows any issues to be identified and addressed early in the development process. This can help to ensure the reliability and performance of the AOCS system once it is deployed in space.

- *Mapping and sign tests.* These tests ensures that a unit is correctly connected to the hardware and that the design implementation of the unit corresponds to the reality (i.e., camera head 3 of the star tracker is correctly oriented and commanded). To check that a sensor or actuator is correctly connected as part of an AOCS there exists different methods.
  - Visual inspection: visual inspection of the connections between the sensor or actuator and the rest of the AOCS system to ensure that they are secure and properly aligned. Colour coding cables greatly facilitates the inspection.
  - **Resistance measurement**: measurement of the resistance between the sensor or actuator and the rest of the AOCS system to ensure that there are no breaks or shorts in the connection.
  - **Signal measurement**: If the sensor or actuator produces an electrical signal, this signal can be measured to ensure that it is within the expected range and stable. You can also check that the signal is correctly transmitted to the rest of the AOCS system.
  - **System response**: the overall performance of the AOCS system (GNC on the loop) can be tested by applying inputs to the system and observing the response. This can help to confirm that the sensor or actuator is correctly connected and functioning as intended. An example of this can be the illumination of SAS sensor to check that the Sun vector is correctly estimated, and that correct actuation is commanded.

By using a combination of those methods, you can ensure that a sensor or actuator is correctly connected and functioning properly as part of the AOCS system.

#### 3.3.2. Flight software testing

Once a particular version of the flight software is confirmed as ready for testing in the real satellite hardware and equipment, its installation on the on-board computer starts with the dedicated testing activities. As explained at the beginning of the section, the testing environment facilities may vary due to the scope of the project. This V&V phase usually starts after the SVF testing phase (sometimes even in parallel since newer software revisions may be expected) but not earlier due to the incremental validation philosophy in which unitary models are tested prior to the complete system and on simulation environments prior to the inclusion of hardware.

Different hardware testing facilities exist with the objective of validating the final flight software version. Those are:

• Avionics Test Bench

This is a facility dedicated to the validation of the avionics and its constituents. The content of the facilities may vary due to different project scope, but it shall contain a representative hardware model of the onboard computer which shall embed the real flight software. This representative model of the OBC will make possible the comparison of the AOCS performance with the simulations performed during its development process. In addition to the FUMO OBC, the facility shall include numerical models or real hardware representative of flight units to validate the AOCS is real-time conditions, including software-hardware interfaces. The most general diagram of this facility is shown as follows





Figure 3: ATB with only the OBC as hardware component

Figure 3 shows what it is essentially the same diagram as Figure 1, but with a real hardware representative OBC. This OBC will behave the same as the real unit both in terms of interfaces and performance, while not being ready to flight, i.e., it is not protected against radiation or dimensions do not match with design. There shall be a representative communication with the simulation environment and with the OBC, which is provided by the SCOE (Front-end Equipment in the Figure) which will translate simulated sensor signals into electric currents read by the computer and vice versa, from electric signals to simulation actuator signals, closing the loop with the inclusion of the DKE.

It is noted that, in this model, all satellite units are simulated and are not part of the physical requirement of the test. However, this is not a compulsory request as real (or representative) hardware units can be included as part of the loop. It can even be the case that even some part of the unit assembly has a real representation. For instance, typical reaction wheel configuration uses four different wheels. It is possible to test three simulated wheels and one hardware wheel with the above configuration. Communication between the OBC and the unit to test shall also be representative of real flight conditions. A configuration with a real unit (Reaction wheel in this case) is shown below.





#### Figure 4: ATB with OBC and unit as hardware component

• Verification at satellite level

End-to-end tests are performed as satellite level, which are defined to validate the complete AOCS loops on the real satellite, including all the real hardware components, wiring and a flight software embed in the real computer. End-to-end tests are executed in the satellite ProtoFlight Model (PFM), it is a flight model (end product intended to flight) on which a partial or complete qualification and acceptance test campaigns are performed. Upon achievement of qualification of the design, it shall not be modified. In addition to the AOCS performance test campaign, additional campaigns are to be performed in the PFM (shock test, vibration tests, acceleration tests...)

Reference data in terms of AOCS performance collected during previous AIT campaign can serve as a reference support to the end-to-end test campaign. However, not only the AOCS performance is checked during this campaign since also the polarity of the complete AOCS chain shall be demonstrated. Therefore, dedicated tests are developed to the verification of the complete chain, including sensors, the acquisition electronics, the software processing, the actuators and the commanding electronics. In this verification, tests already performed at unit level can be used as check, since they bring great information of use.

With respect to the AOCS functional and performance tests, those shall verify the complete function of the space segment equipment, under the specified operating and environment conditions and in all operational modes. In case of unit internal redundancy, both chains shall be considered considering the type or redundancy. In addition, AOCS and OBSW parameters are varied throughout their specification ranges and sequences during flight operation.

Testing of the AOCS at this level usually involves testing activities as in real-life operations, meaning that the ground segment is also part of the loop. As for ground segment it is understood to refer to the equipment and facilities used to support the operation and control of the AOCS on a satellite. This includes the ground stations, telemetry and command systems, and the associated software and data processing systems.



### 3.4. Additional verifications

Although not part of the HIL phase, other relevant verification activities that are required as part of the final verification campaign are:

- AOCS-ground interface verification: these verification phase focus on the interfaces between the ground operations and the AOCS with real on-board software. The aim here is to verify the correct functional behaviour of the AOCS submitted to system generated telecommands, typically with some mission procedures.
- In-flight verification: during the in-flight commissioning phase of the satellite, nominal behaviour of the AOCS functional chain shall be verified since some AOCS parameters can only be verified in flight. Unit health checks are performed after switching them ON.

In the end, ECSS standards can be tailored (but approved by customer) to cope with the project constraints and limitations. Finalization of AOCS phase D ends with the QR and AR and phase E (flight phase) can be start as soon as the rest of the subsystems reach the right qualification level.

This document presents an overview of the typical hardware in the loop process for obtaining and qualified AOCS/GNC product but the level of detail in the final testing campaign is to be discussed based on the project objectives and limitations.





This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 101004291

