Nebula Public Library

The knowledge bank of ESA’s R&D programmes

Qualification activity for COTS IMA Kernel

Programme Reference
Prime Contractor
Start Date
End Date
Qualification activity for COTS IMA Kernel
The overall purpose of this activity is to build on the work being performed in the ongoing GSTP activity (G607-029SW - IMA Separation Kernel Qualification Campaign- Preparation). It will take and refine the defined qualification framework, adapt existing use cases, analyse for requirements that cannot be tested, design and develop validation tests suites, set-up a Software Validation Facility and execute test campaigns.
In order to address the increasing complexity of spacecraft avionics, ESA is adopting a technological solution from the aviation domain: Integrated Modular Avionics (IMA). In the early 1990s, the aeronautical domain defined a solution which, by means of software partitioning, allows for integration of several functions onto the same computational node while still keeping them separated from each other in a way which also preserves many of the benefits of a federated systems approach. The IMA approach reduces the required mass, volume and power for a given set of functions or applications.
IMA in the aeronautical domain is based on the ARINC 653 standard. ESA has studied how IMA could be adopted in the space domain; an approach named IMA for Space (IMA-SP for short) has been introduced providing an IMA-SP Platform. The IMA-SP platform is dedicated to supporting the time and space partitioning of the spacecraft applications. The core software component is called the System Executive Platform software (SEP). The IMA-SP platform is thus considered to be composed of the following high-level components:
  • Hardware node(s).
  • System Executive Platform (SEP) with the separation kernel: designed to execute independent partitions according to a static schedule and responsible for inter partition communication and TSP Abstraction Layer (equivalent to APEX).
  • Guest OS (optional) inside the partition(s). It is designed to execute independent processes according to a local scheduling policy.
  • System support services inside dedicated partition(s).
  • Application support services.
The TSP Abstraction Layer is derived from the ARINC 653 and allows the SEP to offer services to the hosted applications that comply with the previously identified IMA-SP requirements. Above the Abstraction Layer are the System and Application support services.
The activities initiated by ESA have established the following IMA Separation Kernels as the basis for partitioning activities within the Agency: AIR, PikeOS and XtratuM. For this activity, the conformance of one dedicated separation kernel will be assessed. This kernel will further be the target of a subsequent more detailed case study.
Proper implementation of time and space partitioning requires support from hardware. In order to protect memory regions, an MMU (Memory Management Unit) is in principle required. For this reason, the hardware used in this activity shall conform to the minimum hardware platform for IMA-SP as defined by SAVOIR IMA. The hardware platform is as a minimum based on a LEON2-FT with MMU, or a LEON3-FT.
There is an ongoing GSTP activity preparing for future IMA Separation Kernel qualification (G607-029SW, IMA Separation Kernel Qualification: Preparation). It includes consolidation of requirements, technical as well as related to the development process; definition of the qualification process; and identification and evaluation of verification and validation techniques. The outcome of that activity will provide a qualification framework containing basic technical and process requirements that need to be fulfilled and the overall process for qualification together with identification of the artefacts required.
The overall purpose of this activity is to continue and build on the previous GSTP activity, taking as an input the defined qualification framework assessing the kernel PikeOS. It consists of the following tasks:
  • ECSS E40 Q80 compliance assessment of PikeOS artefacts constituting the qualification evidence
  • Refinement of the qualification framework material (generic validation test plan and techniques) made available as output of the previous activity to fulfil the needs of the COTS product
  • Consolidate the Validation test strategy resulting from the preparatory activity and assess necessary robustness and stress tests to extend test suit for the case of COTS hypervisor.
  • Identify additional tests focus on FDIR capability of the dedicated kernel.
  • Design and development of the validation tests suites
  • Outline and execute the analysis foreseen to verify non-functional requirements where analyse is the assigned validation method.
  • Set up Software Validation Facility in hybrid configuration for one or more space representative configurations to be determined - configure subsequently PikeOS product + test application SW
  • Execution of test campaigns on the various scenarios and configurations/analysis of results and reports, In conformance with ECSS E40/Q80.
Application Domain
Generic Technologies
Technology Domain
2 - Space System Software
Competence Domain
3-Avionic Systems
Initial TRL
Target TRL
Public Document