On-Board Guarded Software Upgrading for Space Missions

The evolvable avionics systems such as the X2000 at NASA/JPL are able to have software upgrades during a long-life mission for dependability, performance and functionality improvement (we call it “on-board software upgrade”) [1]. While evolvability itself can be viewed as on-board perfective maintenance, it necessitates preventive maintenance and corrective maintenance for eliminating or mitigating potential error conditions caused by residual faults in an upgraded system configuration or software version, and tolerating possible inconsistencies between the old and new configurations/versions. We collectively view the three types of mechanisms as on-board maintenance and have been investigating into the development and implementation issues [1, 2]. To date, on-board software upgrade still requires to reboot the entire flight software for terminating the old version and starting the new one. In the Mars Pathfinder mission, it took two hours to complete the patch process for two small changes (in the flight software) made as a result of Operational Readiness Test, during which the normal functions of the flight computer was stopped [3]. The cost of the unavailability is apparently unacceptable for the future NASA missions. Other types of deficiency in software upgrading may even cause more severe damages to a mission. For example, NASA experienced a gap in fault protection on April 10, 1981, when a timely synchronization check was omitted after the addition of an alternate reentry program [4]. As a result, the first flight of the US space shuttle program was aborted 19 minutes