From 6934452a61f89acfcaacb06244df363b8a46b9d3 Mon Sep 17 00:00:00 2001 From: Jake Hageman Date: Thu, 10 Oct 2019 16:12:56 -0400 Subject: [PATCH] Fix #199, Update obj creation failure requirement --- docs/cFE_FunctionalRequirements.csv | 523 +++++ docs/cFE_FunctionalRequirements.md | 3048 --------------------------- 2 files changed, 523 insertions(+), 3048 deletions(-) create mode 100755 docs/cFE_FunctionalRequirements.csv delete mode 100644 docs/cFE_FunctionalRequirements.md diff --git a/docs/cFE_FunctionalRequirements.csv b/docs/cFE_FunctionalRequirements.csv new file mode 100755 index 000000000..e4e2651a8 --- /dev/null +++ b/docs/cFE_FunctionalRequirements.csv 
@@ -0,0 +1,523 @@ +Summary,Custom field (Requirement ID),Description,Custom field (Requirement Rationale) +ES: Allocate Memory,cES1321,Upon receipt of a Request the cFE shall allocate a block of memory of the specified size from the specified Memory Pool.,The Memory Allocation interface allows the cFE Application to allocate a block of memory from a previously created memory pool. +ES: Allocate Memory - Invalid ID,cES1321.2,"If the specified Memory Pool identifier is invalid then the cFE shall record the error in the System Log, and return an error code.","If the handle or Memory Pool ID is not valid, then an error must be returned." +ES: Allocate Memory - Round Up,cES1321.1,Upon receipt of a Request the cFE shall allocate a block of memory of the specified size from the specified Memory Pool.,The Memory Allocation interface allows the cFE Application to allocate a block of memory from a previously created memory pool. +ES: Allocate Memory - Too Large,cES1321.3,"If the specified size is too large for the specified Memory Pool, the cFE shall record the error in the System Log, and return an error code.",Cannot allocate a memory block bigger than the pool. +ES: Analyzer Log,cES1021,The cFE shall maintain an Executive Services Logic Analyzer Capture Log for capturing application specified timestamps and events for off-line performance analysis.,The Logic Analyzer Capture Log is used along with a performance log API to allow the cFE and cFE Applications to save performance data that can be downloaded. +ES: Analyzer Log Record Tag,cES1022,"Upon receipt of a Request, the cFE shall record the specified Logic Analyzer Capture Tag in the Logic Analyzer Capture Log.",The cFE Core and cFE Applications make specific calls to create log entries in the Logic Analyzer Capture Log. 
+ES: Analyzer Log Record Tag - Overwrite On Full,cES1022.2,"If the Logic Analyzer Capture Log is full, then the cFE shall write all new entries from the top of the log.", +ES: Analyzer Log Record Tag - Timestamp,cES1022.1,The cFE shall store a timestamp along with the specified Logic Analyzer Capture Tag.,Each entry is time-stamped. +ES: Analyzer Log Write To File,cES1023,"Upon receipt of a Command, the cFE shall copy the information contained in the Logic Analyzer Capture Log into a Command Specified file.",Want to be able to capture the log to a file for post processing. +ES: Analyzer Log Write To File - Default Filename,cES1023.1,"If a file is not specified, the cFE shall use the `` filename.",Want to have a default filename. +ES: Application Status Message,cES1011,"Upon receipt of a Command, the cFE shall generate a message that contains a summary of the Command specified Application's properties and state as defined in the Systems Resources Definition including: + +- cFE Application Name +- cFE Application Filename +- cFE Application Entry Point +- cFE Application Priority +- cFE Application Stack Size +- cFE Application Memory Start Address +- cFE Application Memory Size +- cFE Application Child Task Count","In order to support remote Application management then the Application's properties and current state need to be externally observable. Because the ground interface is with Applications rather than Tasks, Task information should be included as well." +ES: Application Status Record To File,cES1012,"Upon receipt of a Command, the cFE shall generate a Command specified file that contains all properties and states of all cFE Applications that are defined in the Systems Resources Definition.",May want information about all applications and tasks defined in the Systems Resources Definition in order to diagnose a problem. 
+ES: Application Status Record To File - Default Filename,cES1012.1,"If a file is not specified, the cFE shall use the `` filename.",Want to specify a default if the user does not want to specify a new filename. +ES: Calculate Data Integrity Value,cES1323,"Upon receipt of a Request, the cFE shall calculate a Data Integrity value over the given range of memory using the specified algorithm. The algorithm shall be one of the following: + +- XOR: Exclusive OR +- CRC16: 16 Bit Cyclic Redundancy Check +- CRC32: 32 Bit Cyclic Redundancy Check",We need to provide a checksum/CRC utility. +ES: Copy From Critical Data Store,cES1316,"Upon receipt of a Request, the cFE shall copy the contents from the Request specified Critical Data Store to the Request specified address.",Provides the capability to restore the local data with the contents of the critical data store. +ES: Copy From Critical Data Store - Invalid Data Integrity,cES1316.1,If the Data Integrity Value is invalid then the data shall not be copied from the Critical Data Store.,Critical Data Store should be verified before restoring. Assumes that if the calculated CRC does not match the stored CRC than the CDS cannot be trusted. +ES: Copy From Critical Data Store - Non-Existent,cES1316.2,If the Request Specified Critical Data Store does not exist then the data shall not be copied.,Can't copy data if the reference is wrong. +ES: Copy To Critical Data Store,cES1328,"Upon receipt of a Request, the cFE shall copy the data starting at the Request specified address to the Request specified Critical Data Store.",Applications need to periodically copy the local data into the CDS so that it can be preserved. Note that the CDS is not required to exist on-card (local address space). This provides the capability for a mission to use off-card bulk storage. 
+ES: Copy To Critical Data Store - Calculate Data Integrity Value,cES1328.1,The cFE shall calculate a Data Integrity Value for the Request specified Critical Data Store and store it.,"Every time data is written to the CDS, a CRC must be recalculated in order to have a reference for any CDS validation. Note that Applications are responsible for determining whether the contents of a CDS Block are still logically valid." +ES: Copy To Critical Data Store - Invalid Critical Data Store,cES1328.2,If the Request Specified Critical Data Store does not exist then the data shall not be copied.,Can't copy data if the reference is wrong. +ES: Create Child Task,cES1311,"Upon receipt of a Request, the cFE shall create the specified cFE Child Task within the cFE Application that owns the task and begin execution of the task.",Each cFE Application's main task has the capability to create and start one or more child tasks. +ES: Create Child Task - Invalid From Child Task,cES1311.2,"In the event a child task attempts to create another child task, the cFE shall record the error in the System Log, and return an error code.",Only the cFE Application's main task can create a child task. This prevents confusion with parent/child task relationships and the allocation/deallocation of resources. +ES: Create Child Task - Report Error,cES1311.1,"In the event that the cFE Child Task cannot be created, the cFE shall record the error in the System Log, and return an error code.",Need to keep track of the Child Task Create Failures. +ES: Critical Data Store Delete,cES1027,"Upon receipt of a Command, the cFE shall delete the Command Specified Critical Data Store.","As part of an Application clean-up, want to clean-up the allocated resources." +ES: Critical Data Store Size,cES1708,The cFE shall support a `` byte Critical Data Store.,TBD seems like a reasonable size based on heritage missions. 
+ES: Critical Data Store Write To File,cES1026,"Upon receipt of a Command, the cFE shall copy the following Critical Data Store information into the Command Specified file: + +1. Critical Data Store Name +2. Size +3. Data Integrity Value",This provides a registry of the Critical Data Store. +ES: De-allocate Memory,cES1322,Upon receipt of a Request the cFE shall de-allocate the specified block of memory from the specified Memory Pool.,The Memory Allocation interface allows the cFE Application to de-allocate a block of memory from a previously created memory pool. +ES: De-allocate Memory - Invalid ID,cES1322.1,"If the specified Memory Pool identifier is invalid, then the cFE shall record the error in the System Log, and return an error code.",Need to have a valid Memory Pool identifier in order to de-allocate a block of memory. +ES: Delete Application,cES1006,"Upon receipt of a Command, the cFE shall delete the Command specified Application including all child tasks.",Need to be able to stop the execution of an Application and remove its System Resources. The delete will clean-up the application's main task and all of its child tasks. Note: other cFE components are required to have cleanup routines that ES calls. +ES: Delete Application,cES1309,"Upon receipt of a Request, the cFE shall delete the specified Application including all child tasks.",Need to be able to stop the execution of an Application and remove its System Resources. The delete will clean-up the application's main task and all of its child tasks. Note: other cFE components are required to have cleanup routines that ES calls. +ES: Delete Application - Reject Undefined,cES1006.1,"If the specified Application is undefined then the cFE shall reject the Command, increment the invalid command counter and generate an event message.",Can't delete an undefined application. 
+ES: Delete Application - Reject Undefined,cES1309.1,"If the specified Application is undefined then the cFE shall record the error in the System Log, and return an error code.",Can't delete an undefined application. +ES: Delete Child Task,cES1312,"Upon receipt of a Request, the cFE shall delete the specified cFE Child Task within the cFE Application that owns the task.","As part of a cFE Application cleanup, the Application needs to be able to delete each child task." +ES: Delete Child Task - Error If Application Main Task,cES1312.1,"If the specified task is the cFE Application Main Task, the request shall record the error in the System Log, and return an error code.",Cannot use Child Task Exit or Delete on the cFE Application Main Task. +ES: Detect FP Exceptions,cES1703,The cFE shall detect all unmasked processor Floating Point Exceptions.,"The low level BSP routines allow the mission to determine what Floating Point exceptions are masked, and what Floating Point exceptions can interrupt the software." +ES: Detect FP Exceptions - Log,cES1703.1,"Upon detection of an unmasked Floating Point exception, the cFE shall add an entry in the Executive Services Exception and Reset Log.",Need to log unmasked Floating Point exceptions so that the ground can have visibility into the exception. +ES: Detect FP Exceptions - Platform Response,cES1703.3,If the Floating Point exception was caused by the OS or cFE Core then the cFE shall initiate a `` response.,"An exception in the cFE core or OS will restart the cFE, which results in all cFE Applications being restarted." +ES: Detect FP Exceptions - Restart App,cES1703.2,"If the Floating Point exception was caused by a cFE Application and the Exception Action indicates that the Application can be started individually, the cFE shall restart the cFE Application that caused the exception.","Want the capability to restart an individual application on a processor reset. 
Not all Applications should be started individually as they may have some dependencies that result in undesirable behavior. When the Application is started, one of the parameters is whether to restart the app of perform a cFE processor reset." +ES: Detect Unmasked Exceptions,cES1702,The cFE shall detect all unmasked CPU exceptions.,Need to be able to detect processor exceptions so that the appropriate action can be taken. +ES: Detect Unmasked Exceptions - Log,cES1702.1,"Upon detection of a CPU exception, the cFE shall add an entry in the Executive Services Exception And Reset Log.",Need to log processor exceptions so that the ground can have visibility into the exception. +ES: Detect Unmasked Exceptions - Platform Response,cES1702.3,If the CPU exception was caused by the Operating System or cFE Core then the cFE shall initiate a `` response.,"An exception in the cFE core or OS will restart the cFE, which results in all cFE Applications being restarted." +ES: Detect Unmasked Exceptions - Restart App,cES1702.2,"If the CPU exception was caused by a cFE Application and the Exception Action indicates that the Application can be started individually, the cFE shall restart the cFE Application that caused the exception.","In most cases, restarting the cFE application will clear up the problem. In some cases, however, applications are tightly coupled with other applications in which case, starting an individual application may have undesirable consequences. The cFE should provide the ability to define if the application should can be restarted or if a processor reset should occur." +ES: Disable Device Driver,cES1326,"Upon receipt of a Request, the cFE shall disable a specified hardware device driver.","Need a way of unloading, stopping a hardware device driver." 
+ES: Disable Device Driver - Not Loaded,cES1326.1,"If the specified hardware device driver is not loaded, then the cFE shall record the error in the System Log, and return an error code.",Cannot disable a device driver that is not loaded. +ES: Enable Device Driver,cES1327,"Upon receipt of a Request, the cFE shall re-enable a specified hardware device driver.",Need a way to re-enable the device driver and it's associated interrupt. +ES: Enable Device Driver - Not Loaded,cES1327.1,"If the specified hardware device driver is not loaded, then the cFE shall record the error in the System Log, and return an error code.",Cannot disable a device driver that is not loaded. +ES: End Child Task,cES1314,"Upon receipt of a Request, the cFE shall end execution of the calling cFE Child Task.", cFE Child Task needs to be able to exit and end execution. +ES: End Child Task - Error If Application Main Task,cES1314.1,"If the calling task is the cFE Application Main Task, the cFE shall record the error in the System Log, and return an error code.",Cannot use Child Task Exit or Delete on the cFE Application Main Task. +ES: Exception And Reset Log Size,cES1707,The cFE shall support a `` byte Executive Services Exception And Reset Log.,TBD seems like a reasonable size based on heritage missions. +ES: Exception and Reset Log,cES1017,"The cFE shall maintain an Executive Services Exception and Reset Log which will log critical system data for exceptions and resets including: + +- A time stamp +- Processor Context information +- Critical system variables +- ASCII string stating the reason for the reset","Want to be able to save state information prior to a restart (processor, power-on, application, task etc) to help with diagnosing problems. There is a separate requirement for the creation of a file to transfer the information to the ground." 
+ES: Exception and Reset Log - Clear On Command,cES1018,"Upon receipt of a Command, the cFE shall clear the Executive Services Exception and Reset Log.",Want to be able to clear the Executive Services Exception and Reset Log so that only the new information is saved. +ES: Exception and Reset Log - Default Filename,cES1019.1,"If a file is not specified, the cFE shall use the `` filename.",Want to provide a default in the event a user does not want to have to specify one. +ES: Exception and Reset Log - Write To File,cES1019,"Upon receipt of a Command, the cFE shall copy the information contained in the Executive Services Exception and Reset Log Buffer into a Command specified file.","The cFE Exception and Reset Log contains a large amount of data, and is variable in size. It is easier to dump the contents to a file." +ES: Exit Application,cES1319,"Upon receipt of a Request, the cFE shall exit the calling cFE Application and delete the Applications' resources.",Need to have a cFE program exit. This request can be used for both critical errors and a planned shutdown of a cFE application. +ES: Housekeeping Message,cES1000,"Upon receipt of a Command, the cFE shall generate a Software Bus message that includes the following items: + +- Number of Registered Applications +- Number of Registered Child Tasks +- Number of Registered Shared Libraries +- Reset Type +- Reset Subtype +- Number of entries in System Log +- Size of the System Log +- Number of bytes used in the System Log +- Current Exception and Reset Log Index +- Number of Processor Resets +- Maximum Number of Processor Resets before a Power On Reset +- Boot Source +- ES Valid Command Counter +- ES Invalid Command Counter",It is common for sub-systems to report housekeeping status upon receipt of a housekeeping request command. 
+ES: Invalid Command Counter,cES1003,"Upon receipt of an invalid Command, the cFE shall increment the invalid Command counter and generate an event message.",The ground needs an indicator if a command is rejected by the cFE. Details of what makes a command invalid are documented in the cFE Application Developer's Guide and the cFE User's Guide. +ES: Load Device Driver,cES1324,"Upon receipt of a Request, the cFE shall load and initialize a hardware device driver and connect it with the specified hardware handshaking and device processing code.",Need a standard device driver interface. +ES: Maximum Apps,cES1700,The cFE shall support a maximum `` cFE Applications.,TBD has never been exceeded on past missions. Need to bound the number of Applications in order to size the Systems Resources information. +ES: Maximum Processor Resets,cES1709,"If the cFE Core goes through `` Maximum Processor Resets, the cFE shall initiate a Power-On Reset of the cFE.","After a number of Processor Resets, the cFE will attempt to recover by doing a Power-on Reset." +ES: NOOP Event,cES1001,"Upon receipt of a Command, the cFE shall generate a NO-OP event message.",This command is useful as a general sub-system aliveness test. +ES: Non-Volatile File System Size,cES1705,The cFE shall support a `` byte non-volatile file system.,TBD seems like a reasonable size based on heritage missions. +ES: Pass String To Shell,cES1013,"Upon receipt of a Command, the cFE shall submit to the operating system shell, the string supplied as a parameter.","Having access to the operating system shell has proved invaluable during FSW development on missions such as JWST and Triana. Although it is available on-orbit, it is not intended to be used during normal operations." 
+ES: Pass String To Shell - Message Response,cES1013.1,"Upon execution of the operating system Command, the cFE shall generate one or more messages containing the ascii output generated by the operating system command.","This message will provide the ""output"" from the shell command to allow the implementation of a shell like interface to the cFE." +ES: Power On Reset,cES1009,"Upon receipt of a Command, the cFE shall perform a Power On Reset of the Core Flight Executive.","On a flight processor or other embedded processor this command results in rebooting the processor board through the Boot Software. On a desktop system this command will result in the restarting of the cFE, but not the operating system. Note: If the cFE implementation includes more than one cFE core images, it is the responsibility of the Boot Software to select which cFE image is booted." +ES: Power On Reset,cES1317,"Upon receipt of a Request, the cFE shall perform a Power On Reset of the Core Flight Executive.","Need to be able to reset the cFE in the event that there is a critical problem. The direct call is provided in the case where the normal task message passing is not working. As a result of the Power On Reset, all code and data are re-initialized and the cFE is returned to it’s default power-on state." +ES: Power On Reset Clear Critical Data Store,cES1504,"Upon a Power-On Reset, the cFE shall clear the contents of the Critical Data Store.",The purpose of the critical data store is to save data that an Application wants to preserve across a processor restart. This area will be cleared during a Power-On Reset. +ES: Power On Reset Clear Exception and Reset Log,cES1502,"Upon a Power-On Reset, the cFE shall clear the Executive Services Exception and Reset Log.",Want to be able to get a snapshot of some critical parameters prior to a reset as well as log the resets that have occurred. 
+ES: Power On Reset Clear System Log,cES1501,"Upon a Power-On Reset, the cFE shall clear the Executive Services System Log.",Want to be able to determine what errors are logged by the cFE. This log is not preserved on a Power-On reset. +ES: Power On Reset Clear Volatile File System,cES1503,"Upon a Power-On Reset, the cFE shall clear the Volatile File system.",The Volatile File system is initialized during a Power-on Reset. +ES: Power On Reset Create OS Objects,cES1505,"Upon a Power-on Reset, the cFE shall create all operating system objects required by the cFE.","This is a table driven startup that includes: Core cFE Applications, semaphores, queues, and shared memory segments. It can also contain calls to initialize device drivers and interrupts." +ES: Power On Reset Exception and Reset Log Entry,cES1509,"Upon a Power On Reset, the cFE shall make an entry in the Executive Services Exception and Reset Log, recording the Power On Reset.",One purpose of the Executive Services Exception and Reset Log is to log all resets. +ES: Power On Reset Identify Sub-Type,cES1500,"Upon a Power-on Reset, the cFE shall identify the Power On reset sub-type.",Each mission may want to further distinguish between Processor reset types in order to tailor their system's behavior. For example a mission may want to take different behavior for a watchdog time out and the execution of the processor's reset instructions. +ES: Power On Reset Mount Non-Volatile File System,cES1506,"Upon a Power-on Reset, the cFE shall mount the non-volatile file system.","Non-volatile file system contains the files for each of the cFE Applications. On a Power-On reset, the external cFE Applications are loaded from the Volatile file system." 
+ES: Power On Reset Process Startup File,cES1508,"Upon a Power-on Reset, the cFE shall process all entries in the cFE Startup File located in the non-volatile file system.","There is a file that contains all of the Applications, Shared Libraries, and Device Drivers that are to be created and started." +ES: Power On Reset Process Startup File - Init Device Drivers,cES1508.3,The cFE shall create and initialize cFE Device Drivers according to the entry in the cFE Startup File.,The cFE supports loading and initializing cFE Device Drivers during system startup. +ES: Power On Reset Process Startup File - Init Libs,cES1508.2,The cFE shall create and initialize cFE Shared Libraries according to the entry in the cFE Startup File.,The cFE supports creating and initializing cFE Shared Libraries during system startup. +ES: Power On Reset Process Startup File - Start Apps,cES1508.1,The cFE shall create and start cFE Applications according to the entry in the cFE Startup File.,The cFE supports loading and creating new cFE Applications during system startup. +ES: Power On Reset Set Up Volatile File System,cES1507,"Upon a Power-on Reset, the cFE shall create, format and mount the volatile file system.","The volatile file system is a key part of the cFE. It is used for logs, data files and new cFE Applications." +ES: Prepare Memory Pool,cES1320,"Upon receipt of a Request, the cFE shall prepare a Memory Pool for run time memory allocation/de-allocation.","The Memory Allocation interface allows the cFE Application to supply a Pool of memory, which can be used for efficient memory allocation and de-allocation." +ES: Prepare Memory Pool - Too Small,cES1320.1,"If the specified size is less than the minimum block size, the cFE shall record the error in the System Log, and return an error code.","If the size of the Pool is not valid, then an error must be returned." 
+ES: Processor Reset,cES1010,"Upon receipt of a Command, the cFE shall perform a Processor Reset of the Core Flight Executive.","Need to be able to restart the cFE in the event that there is a problem with the Real Time OS or cFE Core software. Note that restarting the cFE will result in a restart of all of the cFE applications. In addition, a restart of the cFE will initialize the (TBD - missing text from pre 2011)." +ES: Processor Reset,cES1318,"Upon receipt of a Request, the cFE shall perform a Processor Reset of the Core Flight Executive.",Need to be able to restart the cFE in the event that there is a problem with the cFE core. The direct call is provided in the case where the normal task message passing is not working. +ES: Processor Reset Create OS Objects,cES1515,"Upon a Processor Reset, the cFE shall create all operating system objects required by the cFE.","Items such as tasks, semaphores, queues, and shared memory segments would be initialized." +ES: Processor Reset Create OS Objects - Power On Reset On Failure,cES1515.1,"If the creation of the operating system object fails, the cFE shall perform a `` response.","The response to operating system object creation failure depends on the platform configuration, and is abstracted at the platform layer." +ES: Processor Reset Exception and Reset Log Entry,cES1520,"Upon a Processor Reset, the cFE shall make an entry in the Executive Services Exception and Reset Log recording the Processor Reset.",The purpose of the Executive Services Exception and Reset Log is to log all resets and all exceptions that occur. +ES: Processor Reset Identify Sub-Type,cES1510,"Upon a Processor Reset, the cFE shall identify the Processor reset sub-type.",Each mission may want to further distinguish between Processor reset types in order to tailor their system's behavior. For example a mission may want to take different behavior for a watchdog time out and the execution of the processor's reset instructions. 
+ES: Processor Reset Mount Non-Volatile File System,cES1516,"Upon a Processor Reset, the cFE shall mount the non-volatile file system.","Non-volatile file system contains the files for each of the cFE Applications. On a Power-On reset, the external cFE Applications can be loaded from the Volatile file system." +ES: Processor Reset Preservation List,cES1521,"Upon a Processor Reset, the cFE shall preserve the following: + +- Boot Source +- Reset Type +- Reset Subtype +- Reset Reason +- Number of Processor Resets +- Maximum Processor Resets +- Number of entries in System Log +- Size of System Log +- Number of bytes used in the System Log",The purpose of the Executive Services Exception and Reset Log is to log all resets and all exceptions that occur. +ES: Processor Reset Preserve Critical Data Store,cES1514,"Upon a Processor Reset, the cFE shall preserve the contents of the Critical Data Store.",The purpose of the critical data store is to save data that an Application wants to preserve across a processor restart. +ES: Processor Reset Preserve Exception and Reset Log,cES1512,"Upon a Processor Reset, the cFE shall preserve the Executive Services Exception and Reset Log.",ES needs to retain this information to support diagnosing cause of processor reset as well as preserving information that is required to count the number of resets. +ES: Processor Reset Preserve System Log,cES1511,"Upon a Processor Reset, the cFE shall preserve the Executive Services System Log.",Want to be able to determine what errors are logged by the cFE. This log is not preserved on a Power-On reset. +ES: Processor Reset Preserve Volatile File System,cES1513,"Upon a Processor Reset, the cFE shall preserve the Volatile File system.","During a processor reset, the Volatile File System and it's contents will be preserved." 
+ES: Processor Reset Process Non-Volatile Startup File,cES1519,If the system startup file is not present in the volatile file system then the cFE shall process all entries in the cFE Startup File located in the non-volatile file system.,Need to have a default system startup file which is used if there is no system startup file in volatile memory. +ES: Processor Reset Process Non-Volatile Startup File - Start Apps,cES1519.1,The cFE shall create and start cFE Applications according to the entry in the cFE Startup File.,The cFE supports loading and creating new cFE Applications during system startup. +ES: Processor Reset Process Non-Volatile Startup File - Init Libs,cES1519.2,The cFE shall create and initialize Shared Libraries according to the entry in the cFE Startup File.,The cFE supports loading and initializing cFE Shared Libraries during system startup. +ES: Processor Reset Process Volatile Startup File,cES1518,"Upon a Processor Reset, the cFE shall process all entries in the cFE Startup File located in the volatile file system.",There is a file that contains all of the cFE Applications and Shared Libraries that are to be loaded and started. The cFE will check to see if this file is in the volatile file system. This file facilitates restarting a processor using patches that were made. +ES: Processor Reset Process Volatile Startup File - Start Apps,cES1518.1,The cFE shall create and start cFE Applications according to the entry in the cFE Startup File.,The cFE supports loading and creating new cFE Applications during system startup. +ES: Processor Reset Process Volatile Startup File - Init Libs,cES1518.2,The cFE shall create and initialize Shared Libraries according to the entry in the cFE Startup File.,The cFE supports loading and initializing cFE Shared Libraries during system startup. 
+ES: Processor Reset Set System Log Mode To Discard,cES1522,"Upon a Processor Reset, the cFE shall set the System Log Mode to discard.",Want to preserve the System Events that may have captured the cause of the processor reset. +ES: Processor Reset Set Up Volatile File System,cES1517,"Upon a Processor Reset, the cFE shall check and mount the volatile file system.",Want to preserve the Volatile file system across a processor reset. +ES: Processor Reset Set Up Volatile File System - Format On Failure,cES1517.1,"If the volatile file system check fails, the cFE shall format the volatile file system and create a system log entry.","If the volatile file system is corrupt, it must be reformatted to allow the cFE to function." +ES: Processor Resets Counter Reset,cES1024,"Upon receipt of a Command, the cFE shall set the Processor Resets counter to zero.",Ground may want to clear this counter so that infrequent Processor Resets don't result in a Power-on Reset. +ES: Register Application,cES1300,"Upon receipt of a Request, the cFE shall register the calling cFE Application with the system.",cFE Applications must register with the cFE in order to allow the cFE to track the Application's resources. This function also allows the system to synchronize the application startup. The cFE Application will wait in this function until the cFE starts up. +ES: Register Child Task,cES1313,"Upon receipt of a Request, the cFE shall register the calling cFE Child Task with the system.","Just like cFE Applications, Child Tasks must be registered to work properly in the cFE. This function call is intended to be called by the newly created cFE Child Task." +ES: Reload Application,cES1008,Upon receipt of a Command the cFE shall Reload the Command specified cFE Application from the Command specified cFE Application file.,"This command enables the ground to replace an Application with only one command. 
This is required for applications such as a Command Uplink Application, which must be replaced with one command. The specified cFE Application file may be from any valid cFE." +ES: Reload Application - Delete On Non-Parameter Error,cES1008.3,"If the cFE Application Reload fails due to a non-parameter error, then the cFE shall delete the Application, increment the invalid Command counter, and generate an event message.","If the Application is already stopped and there is an error restarting it, then the cFE application will be deleted. Should the old Application be restarted? Need to be able to reset the cFE in the event that there is a critical problem. As a result of the Power On Reset, all code and data are re-initialized and the cFE is returned to a default power-on state. This reset is initiated through a common interface." +ES: Reload Application - Reject On Missing File,cES1008.2,"If the specified cFE Application file does not exist then the cFE shall reject the command, increment the invalid Command counter, and generate an event message.",Can't reload the Application if the new file does not exist. +ES: Reload Application - Reject Undefined,cES1008.1,"If the specified Application is undefined then the cFE shall reject the Command, increment the invalid Command counter and generate an event message.",Can't reload an undefined Application. +ES: Report Application ID,cES1304,"Upon receipt of a Request, the cFE shall provide the cFE Application ID of the calling cFE Application.",A cFE Application needs to determine its own Application ID. +ES: Report Application ID,cES1306,"Upon receipt of a Request, the cFE shall provide the cFE Application ID which corresponds to the specified cFE Application Name.",The Executive Services will assign an Application ID. The Application Name is specified when the cFE Application is created. This Request will provide a way to determine the cFE Application ID when the pre-determined Application Name is passed in. 
+ES: Report Application Name,cES1307,"Upon receipt of a Request, the cFE shall provide the cFE Application Name which corresponds to the specified cFE Application ID.",The Executive Services will assign an Application ID. This Request will provide a way to determine an Application's name from its Application ID. +ES: Report Last Reset,cES1301,"Upon receipt of a Request, the cFE shall provide the type of last reset performed by the processor.",cFE Applications may perform processing that is specific to each reset type. +ES: Report Last Reset - Types,cES1301.1,The reset types include: Power On Reset Processor Reset.,cFE Applications may perform processing that is specific to each reset type. +ES: Report Processor ID,cES1302,"Upon receipt of a Request, the cFE shall provide the Processor ID on which the Request was made.","Need to determine the Processor ID. This feature is useful in missions with multiple processors, or to help distinguish prototype vs. flight processor features." +ES: Report Spacecraft ID,cES1303,"Upon receipt of a Request, the cFE shall provide the Spacecraft ID on which the Request was made.","Need to determine the Spacecraft ID. This feature is useful in missions with multiple Spacecraft, or Spacecraft with multiple processors." +ES: Report Task and Application Name,cES1305,"Upon receipt of a Request, the cFE shall provide the cFE Task Name and cFE Application Name which corresponds to the specified cFE Task ID.",The command will provide a way to find the cFE Task Name and the parent cFE Application name from any cFE Application or Child task. +ES: Reserve Critical Data Store,cES1315,"Upon receipt of a Request, the cFE shall reserve the Request specified amount of memory in the Critical Data Store for the cFE Application using the Request specified name.",The Critical Data Store will be used by Applications to store critical parameters that will be preserved after an application or processor restart. 
ES will allocate the memory for the application. A pointer or memory address will be provided to the alloc. +ES: Reserve Critical Data Store - Invalid Data Integrity,cES1315.2,"If a Critical Data Store exists for the Request specified name but the Data Integrity value is invalid, the cFE shall remove the existing Critical Data Store and create a new one using the Request specified name and size.",Assumes that if the CRC is invalid then the CDS can't be trusted. +ES: Reserve Critical Data Store - Size Change,cES1315.1,"If a Critical Data Store exists for the Request specified name but has a different size than what is specified in the Request, the cFE shall remove the existing Critical Data Store and create a new one using the Request specified name and size.",Assumes that if the sizes don't match then something has changed and the CDS can't be trusted. +ES: Restart Application,cES1007,"Upon receipt of a Command, the cFE shall Restart the Command specified Application.","Need to be able to restart an Application. A restart involves deleting it (cleaning up) and then starting it again. This is similar to starting the cFE Application from a file system. When an Application is restarted, the only command parameter required is the application name. All other parameters including the filename are the same as the original cFE Application Create command. The restart is intended for error recovery such as an exception, and should not be used to start a new version of an Application. If a Critical Data Store Area is allocated for the Application, it is preserved, and the Application may re-connect to the Critical Data Store Area when it is running again." +ES: Restart Application,cES1310,Upon receipt of a Request the cFE shall Restart the specified Application.,"Need to be able to restart an Application. A restart involves deleting it (cleaning up) and then starting it again. This is similar to starting the cFE Application from a file system. 
When an Application is restarted, the only parameter required is the application name. All other parameters including the filename are the same as the original cFE Application Create Request. The restart is intended for error recovery such as an exception, and should not be used to start a new version of an Application. If a Critical Data Store Area is allocated for the Application, it is preserved, and the Application may re-connect to the Critical Data Store Area when it is running again." +ES: Restart Application - Delete On Non-Parameter Error,cES1007.3,"If the cFE Application Restart fails due to a non-parameter error, then the cFE shall delete the Application, increment the invalid Command counter, and generate an event message.","If the Application is already stopped and there is an error restarting it, then the cFE application will be deleted." +ES: Restart Application - Delete On Non-Parameter Error,cES1310.3,"If the cFE Application Restart fails due to a non-parameter error, then the cFE shall record the error in the System Log, and return an error code.","If the Application is already stopped and there is an error restarting it, then the cFE application will be deleted." +ES: Restart Application - Reject On Missing File,cES1007.2,"If the original cFE Application file is not found then the cFE shall reject the Command, increment the invalid Command counter, and generate an event message.","Can't restart the Application if the original file has been removed. In this case, the Application will continue without a restart." +ES: Restart Application - Reject On Missing File,cES1310.2,"If the original cFE Application file is not found then the cFE shall record the error in the System Log, and return an error code.","Can't restart the Application if the original file has been removed. In this case, the Application will continue without a restart." 
+ES: Restart Application - Reject Undefined,cES1007.1,"If the Command specified Application is undefined then the cFE shall reject the Command, increment the invalid Command counter and generate an event message.",Can't restart an undefined application. +ES: Restart Application- Reject Undefined,cES1310.1,"If the specified Application is undefined then the cFE shall record the error in the System Log, and return an error code.",Can't restart an undefined application. +ES: Set Maximum Processor Resets,cES1025,"Upon receipt of a Command, the cFE shall set the Maximum Processor Resets counter to the Command Specified value.","Based on ST-5 experience, want to be able to increase the maximum number of Processor Resets in order to prevent a Power-on Reset. ST-5 used these features when they were having the multiple bit errors in their recorder memory. They set both numbers to 4." +ES: Start Application,cES1005,"Upon receipt of a Command, the cFE shall create the Command specified Application by defining the Application in the System Resources Definition using information from the Command specified file, and beginning execution of the Application.",A basic feature of the cFE is to be able to dynamically (while the cFE is running) start applications. This requirement allows for an application to be created and started from one of the cFE file systems. 
+ES: Start Application - Command Contents,cES1005.1,"The Command shall include the following parameters: + +- Application Path/Filename +- Application Entry Point +- Application Name +- Application Priority +- Application Stack Size +- Application Load Address +- Exception Action (restart application or perform processor reset)", +ES: Start Application - Location,cES1005.2,The Command specified cFE Application file shall be in any valid cFE file system including the volatile file system and the non-volatile file system.,"The command itself does not care about where the cFE Application comes from, it is specified In the path." +ES: Start Application - Reject Already Running,cES1005.4,"If the Command specified Application is already defined and executing, then the cFE shall reject the Command, increment the invalid Command counter and generate an event message.",Can't start an application that is already running. +ES: Start Application - Reject Undefined,cES1005.3,"If the Command specified Application is undefined then the cFE shall reject the Command, increment the invalid command counter and generate an event message.",Can't start an undefined application. +ES: System Log,cES1014,The cFE shall maintain an Executive Services System Log which contains a series of ASCII text strings describing significant events or errors.,"Examples of ES System Log information includes: ""Created new cFE Application: StoredCommand.app"" or ""Could Not Create OS Queue"" or ""File not found error: /eebank1/StoredCommand.app"" This requirement states that the cFE needs to maintain this information. There is a separate requirement for the creation of a file to transfer the information to the ground. Note that the information can also be obtained with a raw memory read." 
+ES: System Log - Calculate Usage,cES1014.2,"The cFE shall calculate the number of bytes used and number of entries in +Executive Services System Log.","Ground operations need indication of how full the System Log is so that they can clear it, if necessary, in order to make room for new entries (or at least write it to a file to preserve it)." +ES: System Log - Clear On Command,cES1015,"Upon receipt of a Command, the cFE shall clear the Executive Services System Log.",Want to be able to clear the Executive Services System Log Buffer so that only the new information is saved. +ES: System Log - Default Filename,cES1016.1,"If a file is not specified, the cFE shall use the `` filename.",Want to provide a default in the event a user does not want to have to specify one. +ES: System Log - Discard On Full,cES1014.2.2,If the Executive Services Syste Log is full and the System Log Mode is set to DISCARD then the cFE shall discard all new entries.,Want to provide capability to stop writing to the System Log in order to preserve to Log which may contain important anomalous messages. +ES: System Log - Overwrite On Full,cES1014.2.1,If the Executive Services System Log is full and the System Log Mode is set to OVERWRITE then the cFE shall write all new entries from the top of the log.,Want to provide the capability to continuously record all new System Messages. +ES: System Log - Timestamps,cES1014.1,Each entry in the Executive Services System Log shall be time tagged with the time that the event happened.,Need to be able to determine when the event occurred. +ES: System Log - Write To File,cES1016,"Upon receipt of a Command, the cFE shall copy the information contained in the Executive Services System Log into a Command specified file.",We did not want to count on a file system for storing the ES System errors in the event that there was a problem with the file system or the file system was not mounted yet. 
We did want to provide an easy ground interface for getting the data to the ground +ES: System Log Mode,cES1028,"Upon receipt of Command, the cFE shall set the System Log Mode to the Command-specified mode, either overwrite or discard.","While in Overwrite Mode the oldest logged System message will be overwritten by the new System message when the System Log Full Flag is set to true. While in Discard Mode the new message will be discarded, preserving the contents of the full log." +ES: System Log Size,cES1706,The cFE shall support a `` byte Executive Services System Log.,TBD seems like a reasonable size based on heritage missions. +ES: Unload Device Driver,cES1325,"Upon receipt of a Request, the cFE shall unload a specified hardware device driver and de-allocate all previously allocated resources used by the driver.","Need a way of unloading, stopping a hardware device driver." +ES: Valid Command Counter,cES1002,"Upon receipt of a valid Command, the cFE shall increment a valid Command counter.",The ground needs the capability to verify that the command was received and accepted by the cFE. Details of valid commands are documented in the cFE Application Developer's Guide and the cFE User's Guide. +ES: Volatile File System Size,cES1704,The cFE shall support a `` byte volatile file system.,TBD seems like a reasonable size based on heritage missions. +ES: Zero Command Counters,cES1004,"Upon receipt of a Command, the cFE shall set to zero the valid Command counter and invalid Command counter.","This command is a common feature in heritage sub-system software design. In general, command counter (valid and invalid) are reset." +EVS: Add Event Filter,cEVS3019,Upon receipt of Command the cFE shall add the specified Event Filter for the specified cFE Application and Event ID.,Want to provide the ability for filters to be added at runtime. 
Original implentation did not provide this capability which resulted in modifications to Applications for those events that were not registered (i.e. forgotten). +EVS: Add Event Filter - Application Maximum,cEVS3019.2,If the maximum number of Event IDs have been registered for the specified Application then the cFE shall reject the command and generate an event message.,"In order to scale the cFE, allocations are made for each cFE Application (see cEVS3302)." +EVS: Add Event Filter - Reject Already Filtered ,cEVS3019.1,"If the Event ID is already registered for filtering, the cFE shall reject the command and generate an event message.",Filter is done on a per Event ID basis. +EVS: Clear Local Event Log,cEVS3013,"_(OPTIONAL)_ Upon receipt of Command, the cFE shall clear the Local Event Log.",Need to be able to clear the log if the event logging is operating in discard mode. +EVS: Control Message By Application,cEVS3008,"Upon receipt of Command the cFE shall enable/disable, as specified in the Command, the future generation of Event Messages for the Command-specified Application.",During development and integration it can be useful to turn off an Application's Event Message's without regard of the Event Type. +EVS: Control Message By Application and Event Type,cEVS3007,"Upon receipt of Command the cFE shall enable/disable, as specified in the Command, the future generation of Event Messages for the Command-specified Application and Event Type.",When diagnosing an Application it's useful to enable its informational and diagnostic Event Messages. +EVS: Control Message By Event Type,cEVS3000,"Upon receipt of Command the cFE shall enable/disable, as specified in the Command, the future generation of Event Messages for the Command-specified Event Type.",Filtering by type allows the system to behave differently for different users. 
+EVS: Control Message Port Routing,cEVS3017,"Upon receipt of Command the cFE shall enable/disable, as specified in the Command, the routing of all future Event Messages to the Command specified Event Message Port.","Event Message Output Ports may not be available or needed; therefore the ability to configure sending to an Event Message Port is useful." +EVS: Create Message,cEVS3103,"Upon receipt of a Request to send an Event Message, the cFE shall create a Short or Long Event Message, as specified by the SB Event Format Mode, ONLY if the following cFE conditions are met: + +1. The requesting Application's Event Service Enable Status is Enabled. +2. The requesting Application's registered message filtering algorithm indicates the message should be sent. +3. The requesting Application's Event Type Enable Status is Enabled for the Event Type of the request-specified Event Message.",Supports cFE event services. +EVS: Create Message - App ID,cEVS3103.6,The requester shall be able to specify the Application ID to be used in the Event Message.,Need to provide APIs a way to specify an Application ID to ensure the context of the Event is correct. +EVS: Create Message - Data Types,cEVS3103.2,"The cFE shall support the following data types within an applications Request specified Event Data: + +- Signed Character +- Unsigned Character +- Short Integer +- Unsigned Short Integer +- Long Integer +- Unsigned Long Integer",Not all processors supported under the cFE will allow floating point or real types. +EVS: Create Message - Increment Filter Counter,cEVS3103.3,"If the request specified Event ID has been registered for binary event filtering, the cFE shall increment the request specified Application's Binary Filter Counter for the request-specified Event ID.",Support binary event filtering algorithm. 
+EVS: Create Message - Increment Filter Counter - Retain Maximum Value,cEVS3103.3.1,"If the Binary Filter Counter has reached its maximum value of (2^16)-1, the cFE shall retain the maximum value (i.e. do not rollover to zero).",Preventing a counter rollover to zero eliminates the case when a user may think no events have occurred when in fact many events have occurred. +EVS: Create Message - Long Format,cEVS3103.4,"If the SB Format Mode is set to Long, the cFE shall generate an SB Event Message formatted as specified in the cFE User's Guide containing the Spacecraft Time, Processor ID, Application ID, Event ID, Event Type, and the Request-specified Event Data.","To assist with system test and diagnostics it is important to distinguish otherwise identical messages by their sources. This is especially true in a distributed system with common subsystems. It is the intent of this requirement to allow identical subsystems to be resident in multiple processors within the flight system. In cases like this, the subsystem identifier, and message identifier may be the same; only the processor identifier would make the messages unique. A long format is desirable because it contains the most information. Design Note: It is expected that in the implemented event service, the API only requires the Event ID and Type, and that the underlying utility code fills in the processor ID, and Application ID before the message is sent." +EVS: Create Message - Long Format - Truncation,cEVS3103.4.1,"If the Event Data is greater than the `` maximum Event Data, the cFE shall truncate the Event Message with a string-termination character and increment the Message Truncation Counter.","It's important to know if data is lost, but it doesn't need to be maintained on a per-Event ID basis, therefore a single counter is used. A platform-defined length was considered but this prevents application reuse unless a minimum length is specified." 
+EVS: Create Message - Short Format,cEVS3103.5,"If the SB Format Mode is set to Short, the cFE shall generate an SB Event Message formatted as specified in the cFE User's Guide containing the spacecraft time, Processor ID, Application ID, Event ID, and Event Type.",Providing a short format accommodates missions with limited telemetry bandwidth. +EVS: Create Message - Time,cEVS3103.7,The requester shall be able to specify the time to be used in the Event Message.,"This routine should be used in situations where an error condition is detected at one time, but the event message is reported at a later time." +EVS: Create Message - Unregistered App,cEVS3103.1,If the requesting Application has been determined to be unregistered the cFE shall increment the Unregistered Application Send Counter and send an event message.,Provides ground operators the ability to see when unregistered applications are using event services. +EVS: Delete Event Filter,cEVS3020,Upon receipt of Command the cFE shall delete the specified Event Filter for the specified cFE Application and Event ID.,Want to be able to remove event filtering since the cFE limits the number of filters that can be registered for a given cFE Application (see cEVS3302). +EVS: Delete Event Filter - Reject Not Registered,cEVS3020.1,If the Event ID is not registered for filtering then the cFE shall reject the command and generate an event message.,Notify caller that the Filter was not registered. +EVS: Event Filters Per App,cEVS3302,"The cFE shall support `` Event Message Filters per cFE Application.",Each cFE Application that register with EVS is allocated memory to support this limit. +EVS: Event Log Size,cEVS3301,"_(OPTIONAL)_ The cFE shall define a Local Event Log with a capacity of `` Event Messages.",Each mission's processor card memory capacities will dictate what is reasonable. 
+EVS: Free App Resources,cEVS3110,Upon receipt of Request the cFE shall free resources allocation for the specified Application.,"Need to be able to remove all resources associated with an application when Deleting, Restarting or Reloading an Application. In addition, this is required as part of a Processor Reset." +EVS: Housekeeping Message,cEVS3018,"The cFE shall provide the following Event Service data items in telemetry (SB Messages): + +- Valid Command Counter +- Invalid Command Counter +- SB Event Format Mode +- Event Message Sent Counter +- Event Message Truncation Counter +- Unregistered Application Send Counter +- Event Message Output Port Enable Statuses +- _(OPTIONAL)_ Local Event Log Full Flag +- _(OPTIONAL)_ Local Event Log Overflow Counter +- _(OPTIONAL)_ Logging Mode +- For each registered Application: + o Application Event Message Sent Counter + o Application Event Service Enable Status", +EVS: Increment App Message Sent Counter,cEVS3104,"For each created Event Message, the cFE shall increment the Application Event Message Sent Counter for the request specified Application.",A counter provides a means for keeping track of how many events an application has sent through the event service. Note: The Application Event Message Sent Counter is incremented once regardless of how many enabled ports the message has been sent through. +EVS: Increment App Message Sent Counter - Retain Maximum Value,cEVS3104.1,"If the Application Event Message Sent Counter has reached its maximum value of (2^16)-1, the cFE shall retain the maximum value (i.e. do not rollover to zero).",Preventing a counter rollover to zero eliminates the case when a user may think no events have occurred when in fact many events have occurred. +EVS: Increment Message Sent Counter,cEVS3105,"For each created Event Message, the cFE shall increment the Event Message Sent Counter.",A counter provides a means for keeping track of how many events have been sent through the event service. 
Note: The Event Message Sent Counter is a count of ALL messages sent through the Event Service regardless of the Application sending the event. The Event Message Sent Counter is incremented once regardless of how many enabled ports the message has been sent through. +EVS: Increment Message Sent Counter - Retain Maximum Value,cEVS3105.1,"If the Event Message Sent Counter has reached its maximum value of (2^16)-1 the cFE shall retain the maximum value (i.e. do not rollover to zero).",Preventing a counter rollover to zero eliminates the case when a user may think no events have occurred when in fact many events have occurred. +EVS: Initialize Format To Long On Power On Reset,cEVS3201,"Upon a Power-on Reset, the cFE shall set SB Event Format Mode to Long.",Each mission must determine what format they need. +EVS: Initialize Full Flag To False On Power On Reset,cEVS3202,"_(OPTIONAL)_ Upon a Power-on Reset, the cFE shall set the Local Event Log Full Flag to false.",Set cFE to default status across Power-on Resets. +EVS: Initialize Logging Mode On Power On Reset,cEVS3203,"_(OPTIONAL)_ Upon a Power-on Reset, the cFE shall set the Event Logging Mode to ``.",Set cFE to default status across Power-on Resets. +EVS: Initialize Message Port State On Power On Reset,cEVS3200,"Upon a Power-on Reset, the cFE shall set the `` Event Message Output Ports to their `` default state: + +- Port Number 1: `` +- Port Number 2: `` +- Port Number 3: `` +- Port Number 4: `` +",Event Message Ports are customized for each platform. A rationale for all of the Power-on Reset requirements is that the cFE must initialize to a known state. +EVS: Invalid Command Counter,cEVS3006,"Upon receipt of an invalid command, the cFE shall in increment the invalid command counter.",The ground needs an indicator if a command is rejected by the cFE. Details of what makes a command invalid are documented in the cFE Developer's Guide and the cFE User's Guide. 
+EVS: Message Port Routing,cEVS3109,"For each created Event Message, the cFE shall route the Event Message, formatted as an ASCII text string, to each enabled Event Message Output Port.",Debug ports are very useful for FSW development and maintenance. +EVS: Message Types,cEVS3102,The cFE shall support the following Event Message Types: Debug Informational Error Critical.,Supports cFE event services. +EVS: NOOP Event,cEVS3002,Upon receipt of Command the cFE shall generate a NO-OP event message.,This command is useful as a general sub-system aliveness test. +EVS: Preserve Event Log Reset Mode On Processor Reset,cEVS3207,"_(OPTIONAL)_ Upon a Processor Reset, the cFE shall preserve or overwrite the contents of the Local Event Log based on the setting of the Event Logging Mode configuration parameter.",Try to retain the contents even across a processor reset because there may be useful diagnostic information. The contents of the Local Event Log will be preserved if the Event Logging Mode is configured to Discard (1). The contents of the Local Event Log may be overwritten (depending on the size and contents of the log prior to the reset) if the Event Logging Mode is configured to Overwrite (0). +EVS: Preserve Log Full State On Processor Reset,cEVS3208,"_(OPTIONAL)_ Upon a Processor Reset, the cFE shall preserve the Local Event Log Full state.",Retain the cFE state across Processor Resets. +EVS: Preserve Log Overflow Counter On Processor Reset,cEVS3210,"_(OPTIONAL)_ Upon a Processor Reset, the cFE shall preserve the Local Event Log Overflow Counter.",Retain the cFE state across Processor Resets. 
+EVS: Register App,cEVS3100,"Upon receipt of Request, the cFE shall register an Application for event service, enabling the Application Event Service Enable Status and storing the following request specified Application data: Application Event IDs (for events to be filtered) Application Binary Filter Masks (one per registered Event ID).",Supports the cFE's dynamic Application model. +EVS: Register App - Create Filter Counter,cEVS3100.1,"Upon receipt of Request to register an Application for event service, the cFE shall create one Application Binary Filter Counter per registered Event ID.",Supports the cFE's Binary Filtering Algorithm. +EVS: Register App - Create Sent Message Counter,cEVS3100.2,"Upon receipt of Request to register an Application for event service, the cFE shall create an Application Event Message Sent Counter.",Supports the cFE's dynamic Application model. +EVS: Register App - Default Event Enable Status,cEVS3100.3,"Upon receipt of Request to register an Application for event service, the cFE shall use the `` Application Event Type Enable Statuses for each event.","By default each platform should have a standard configuration for each event message type (eg. DEBUGs disable. INFO, ERROR and CRITICAL events DISABLED) that should be applied to all events. Commands are available to modify the settings." +EVS: Set App Filter Mask By Event ID,cEVS3012,Upon receipt of Command the cFE shall set an Application's Binary Filter Mask to the Command-specified Event Filter for the given Application Event ID.,Allow an operator to tune the system for a particular operational environment. +EVS: Set Event Format Mode,cEVS3001,"Upon receipt of Command, the cFE shall set the SB Event Format Mode to the command specified value, either Long or Short.",Providing a short format accommodates missions with limited telemetry bandwidth. A long format is desirable because it contains the most information. 
+EVS: Set Event Logging Mode,cEVS3014,"_(OPTIONAL)_ Upon receipt of Command, the cFE shall set the Event Logging Mode to the Command-specified mode, either overwrite or discard.","While in Overwrite Mode the oldest logged event will be overwritten by the new event when the Event Log Full Flag is set to true. While in Discard Mode the new event will be discarded, preserving the contents of the full log. Need the ability to switch between Event Message logging modes." +EVS: Set Logging Mode On Processor Reset,cEVS3209,"_(OPTIONAL)_ Upon a Processor Reset, the cFE shall set the Event Logging Mode to the `` value. + +TBD - doesn't match rationale",Retain the cFE state across Processor Resets. +EVS: Store Message In Event Log,cEVS3108,"_(OPTIONAL)_ For each created Event Message, the cFE shall store the Event Message in the Local Event Log in the Long Event Message Format.",It's useful to save Event Messages when external communications is unavailable. This may occur during system initialization (especially events generated from other cFE components) and during a communications failure. +EVS: Store Message In Event Log - Increment Overflow Counter,cEVS3108.2,"_(OPTIONAL)_ If the Local Event Log is full, the cFE shall increment the Local Event Log Overflow counter.",Ground operations needs to know how many Event Messages were discarded or overwritten. +EVS: Store Message In Event Log - Log Full Behavior,cEVS3108.3,"_(OPTIONAL)_ If the Local Event Log is full, the cFE shall either (1) overwrite the oldest Event Message if the Event Logging Mode is overwrite, or (2) discard the Event Message if the Event Logging Mode is discard.",Overwriting the oldest message is useful for nominal operations because a user doesn't need to periodically clear the Log. If an error occurs when there's no communication then the Local Event Log size must be large enough to retain the Event Messages since communications was lost. 
Discarding the newest Event Message is useful for trouble shooting a problem. For example there may be a problem during processor initialization that occurs when there's no communications with the processor interfacing with the User. In this case the original Event Messages are critical to solving the problem so they should be preserved. Note that the Event Logging Mode can be changed via stored commanding. +EVS: Store Message In Event Log - Set Full Flag,cEVS3108.1,"_(OPTIONAL)_ If the Local Event Log becomes full, the cFE shall set the Local Event Log Full Flag to true.",Ground operations needs to know the state of the Local Even Log. +EVS: Support Message Ports,cEVS3300,"The cFE shall support `` Event Message Ports.",Since the number of Event Message Ports is hardware dependent a mission must be able to specify how many ports it will support. +EVS: Unregister App,cEVS3101,"Upon receipt of Request, the cFE shall un-register an Application from using event services, deleting the following Application data: + +- Application Event Message Sent Counter +- Application Event Service Enable Status +- Application Event Type Enable Statuses (one for each Event Type) +- Application Filtered Event IDs +- Application Binary Filter Masks (one per registered Event ID) +- Application Binary Filter Counters (one per registered Event ID)",Supports the cFE's dynamic Application model allowing applications to clean up after themselves. +EVS: Valid Command Counter,cEVS3005,"Upon receipt of valid command, the cFE shall increment the valid command counter.",The ground needs the capability to verify that the command was received and accepted by the cFE. Details of valid commands are documented in the cFE User's Guide. 
+EVS: Write Application Data File,cEVS3004,"Upon receipt of Command, the cFE shall write the following information to the Command specified cFE EVS Application Data file for each registered Application: + +- Application Event Message Sent Counter +- Application Event Service Enable Status +- Application Event Type Enable Statuses (one for each Event Type) +- Application Event IDs (for events to be filtered) +- Application Binary Filter Masks (one per registered Event ID) +- Application Binary Filter Counters (one per registered Event ID)","Visibility of Application information is essential for FSW diagnostics, testing and maintenance." +EVS: Write Application Data File - Default Filename,cEVS3004.1,"If a file is not specified, the cFE shall use the `` filename.",Want to provide a default in the event that a user does not want to specify. +EVS: Write Local Event Log Order,cEVS3016,_(OPTIONAL)_ The cFE shall write each Event Message from the earliest logged message to the most recently logged message.,"Ground operators like to see the progression of events in the order that they occurred. In a scenario when a time correction has been made, the earliest logged may not necessarily mean the oldest time stamp. This type of playback may not be desirable for Event Logs of considerable size. It is worthwhile for cFE users to keep Event Logs relatively small." +EVS: Write Local Event Log To File,cEVS3015,"_(OPTIONAL)_ Upon receipt of Command, the cFE shall write the contents of the Local Event Log to the Command specified file.",Allows for ground view of the log. Local Event Log is not intended for operation playback. The main purpose of the Local Event Log is for ground testing. Ground operators may view the data file for playing back stored events. +EVS: Write Local Event Log To File - Default Filename,cEVS3015.1,"If a file is not specified, the cFE shall use the `` filename.",Want to provide a default in the event that a user does not want to specify one. 
+EVS: Zero App Filter Counter By Event ID,cEVS3010,"Upon receipt of Command, the cFE shall set an Application's Binary Filter Counter to zero for the Command-specified Event ID.",Clearing an Application's Filtered Event Message Counter is a convenient method for resetting the filter on the event. +EVS: Zero App Filter Counter By Event ID,cEVS3106,"Upon receipt of a request, the cFE shall set an Application's Binary Filter Counter to zero for the Application request-specified Event ID.",Clearing an Application's Binary Filter Counter is a convenient method for resetting the filter on the event. +EVS: Zero App Filter Counters,cEVS3011,"Upon receipt of Command, the cFE shall set all of an Application's Binary Filter Counters to zero.",Having the ability to reset all Application Filtered Event Message Counters is a quick method for resetting all the application's event filters. Note: This command gives operators the ability to reset all exhausted event filters (i.e. send 16 and stop) so that filtered events may be generated once again. +EVS: Zero App Filter Counters,cEVS3107,"Upon receipt of a request, the cFE shall set all of an Application's Binary Filter Counters to zero for the request-specified Application.",Having the ability to reset all Application Filtered Event Message Counters is a quick method for resetting all the application's event filters. +EVS: Zero Application Message Sent Count,cEVS3009,"Upon receipt of Command, the cFE shall set the Command-specified Application's Event Message Sent Counter to zero.",Allow operators the ability to reset the count of application events. +EVS: Zero Counters,cEVS3003,"Upon receipt of Command the cFE shall set the following counters to zero in Event Services telemetry: + +- Valid Command Counter +- Invalid Command Counter +- Event Message Sent Counter +- Event Message Truncation Counter +- Unregistered Application Send Counter",This command is a common feature in heritage sub-system software design. 
+SB: Control Message Route To Pipe,cSB4004,"Upon receipt of a Command, the cFE shall enable or disable routing the command specified message to the command specified pipe.","Supports testing and maintenance. In testing, it may be desirable to enable/disable routing a message to a diagnostic application." +SB: Create Pipe,cSB4301,"Upon receipt of a Request to create a Pipe, the cFE shall create a Pipe with the Request-specified Pipe Depth and the Request-specified name.",Run time creation of Pipes supports the cFE goals of easy Application integration and system reconfiguration. +SB: Delete Pipe,cSB4302,"Upon receipt of a Request to delete a Pipe, the cFE shall Unsubscribe all messages to the Request-specified Pipe, then remove the Pipe from the Routing Information.",An Application must be capable of freeing its own resources. +SB: Free App Resources,cSB4310,Upon receipt of Request the cFE shall free resources allocation for the specified Application.,"Need to be able to remove all resources associated with an application when Deleting, Restarting or Reloading an Application. In addition, this is required as part of a Processor Reset." +SB: Housekeeping Message,cSB4005,"The cFE shall send an SB Message containing the following housekeeping telemetry items: + +- Valid command counter +- Invalid command counter +- No subscriptions counter +- Message send error counter +- Message receive error counter +- Pipe overflow error counter +- MsgId-to-pipe limit error counter","SB Telemetry is essential for operations, FSW diagnostics, testing, and maintenance." +SB: Initialize Routing On Power On Reset,cSB4500,Upon a Power-on Reset the cFE shall initialize the Routing Information and clear all error counters.,The cFE must initialize to a known state. +SB: Initialize Routing On Processor Reset,cSB4501,Upon a Processor Reset the cFE shall initialize the Routing Information and clear all error counters,The cFE must initialize to a known state. 
+SB: Last Message Sender Info,cSB4309,"Upon receipt of a Request, the cFE shall provide sender information for the last message received on an Application's Pipe.","Heritage SB did a 'valid senders check' before delivering a packet to a pipe. Since the cFE supports a dynamic environment and the sender of a packet is somewhat unknown, the cFE must provide a means for the application to do the 'valid sender check'." +SB: Maximum Destinations,cSB4704,"The cFE shall support a maximum of `` Destinations for a Message ID.",Allow a mission to scale the number of destinations per message ID to reduce memory requirements. A maximum is specified to yield an efficient design. The default of 16 is used in the heritage SB. +SB: Maximum Message IDs,cSB4700,"The cFE shall support a maximum of `` Message ID's.",Allow a mission to scale the number of messages it can process to reduce SB memory usage. A maximum is specified to yield an efficient design. 1024 was chosen as the default based on the message count of previous missions. +SB: Maximum Message Size,cSB4701,"The cFE shall support a `` bytes maximum system packet size.",The cFE must have some protection in the event that the packet length field of a sender's packet becomes corrupted or is invalid. +SB: Maximum Pipe Depth,cSB4706,"The cFE shall support a maximum Pipe depth of `` SB Messages.",Allow a mission to scale the Pipe depth to reduce memory requirements. The default of 65535 is a power of 2 which may simplify implementation and based on recent missions 64 SB Messages is more than adequate. +SB: Maximum Pipes,cSB4705,"The cFE shall support a maximum of `` Pipes per processor.",Allow a mission to scale the number of Pipes to reduce memory requirements. The default of 255 allows a single byte to be used for the pipe id. +SB: NOOP Increment Command Counter,cSB4000,"Upon receipt of a NOOP command, the cFE shall increment the command counter. + +TBD - Doesn't match pattern. 
NOOP - version event, commands increment counter, invalid increment invalid counter.",Useful for verifying communication between the ground and SB task. +SB: Receive Message Infinite Timeout,cSB4308,"Upon receipt of a Request to receive a SB Message from a Pipe with an infinite timeout, the cFE shall suspend execution of the Application until a SB Message is present on the Pipe.",This mode of receiving has been the most commonly used mode on the heritage SB. +SB: Receive Message No Timeout,cSB4306,"Upon receipt of a Request to receive a SB Message from a Pipe without a timeout, the cFE shall remove the next SB Message from the Pipe and provide the message to the Application.",Applications need a mechanism to retrieve the SB Message they have subscribed to receive. A receive Request without a suspension timeout provides a non-blocking method of retrieving SB messages. Receives are performed on a Pipe basis not on a SB Message basis. The heritage SB Pipe-based receives have served us well. A message-based receive would add extra complexity without any real benefit. +SB: Receive Message With Timeout,cSB4307,"Upon receipt of a Request to receive a SB Message from a Pipe with a pending timeout, the cFE shall suspend execution of the Application until a SB Message is present on the Pipe or the timeout has expired.","A receive Request with a suspension timeout provides a blocking method of retrieving SB messages. This is useful for data driven Applications and has been used on all heritage missions with a SB. The timeout is useful for fault recovery for Applications that always expect data to arrive or to allow periodic processing for Applications that are not purely data driven. If a SB Message is queued on the Pipe then the SB Message will be provided to the Application and the Application’s execution will not be suspended. Tasks that process telemetry packets often receive many types of packets from different sources. 
There should be a mechanism that allows a task to wait for many different types of messages simultaneously. Heritage implementations of SB do this by directing the messages into one queue (or several queues, to implement priority levels). +" +SB: Save Message Map To File,cSB4008,"Upon receipt of a Command, the cFE shall save the message map information to the Command specified a file.","This information provides information pertaining to the internals of the SB (Msg ID, and SB Routing table index) which can be used for diagnostic purposes." +SB: Save Message Map To File - Default Filename,cSB4008.1,"If a file is not specified, the cFE shall use the `` filename.",Want to provide a default in the event that a user does not want to specify one. +SB: Save Pipe Info To File,cSB4007,"Upon receipt of a Command, the cFE shall save the Pipe information to the Command specified a file.","This gives detailed information about each pipe such as owner of the pipe, queue depth and send errors which can be used for diagnostics purposes." +SB: Save Pipe Info To File - Default Filename,cSB4007.1,"If a file is not specified, the cFE shall use the `` filename.",Want to provide a default in the event that a user does not want to specify one. +SB: Save Routing To File,cSB4003,"Upon receipt of a Command, the cFE shall save the SB routing information to the Command specified file.","Visibility of the SB routing information is essential for FSW diagnostics, testing, and maintenance." +SB: Save Routing To File - Default Filename,cSB4003.1,"If a file is not specified, the cFE shall use the `` Filename.",Want to provide a default in the event that a user does not want to specify one. 
+SB: Send Message,cSB4305,"Upon receipt of a Request to send an SB Message, the cFE shall route the SB Message to the Pipes of all Applications that have Subscribed to the SB Message.","This form of message passing, supports one-to-one, one-to-many, and many-to-one (all desired by branch members) in a flexible, low overhead manner. It has been common for telemetry packets to be sent to many destinations, such as a real-time telemetry." +SB: Send Message - Exceed Message ID To Pipe Limit,cSB4305.4,"If routing a Message to an Application's Pipe would exceed the MsgId-to-Pipe Limit, the cFE shall abort the send to that pipe, issue an event, and continue sending to the remaining pipes.",The ground needs to know if a message cannot be routed to its destination. The MsgId-to-Pipe Limit is exceeded when the SB attempts to write to a Pipe that contains the maximum number of messages of a particular Message Id. +SB: Send Message - Max Size,cSB4305.6,"If the SB Message is greater than the `` bytes then the cFE shall not send the message, issue and event message and increment the message send error counter.",The cFE should not make any assumptions about why the message was too big and just not send it. +SB: Send Message - Message ID To Pipe Limit,cSB4305.1,The cFE shall limit the number of messages of a particular Message ID that can be sent to an Application's Pipe.,"Prevent an errant application from monopolizing a Software Bus Pipe. This feature was part of the heritage software bus and was found to be a useful diagnostic feature. When subscribing to a packet, an Application can specify a limit on the number of Messages for a particular Message ID that can be in the Pipe at one time. The term used for this is MsgId-to-Pipe Limit. 
+" +SB: Send Message - No Subscribers,cSB4305.5,"Upon receipt of a Request to send a Message, if no Application's have Subscribed to the Message, the cFE shall increment the No Subscriber's Counter and send an event that displays the Message ID.","A single counter is enough to notify operators that there are no receivers for a packet that is being sent. The ‘no subscriber’s’ event is completely filtered by default. The ground can unfilter the ‘no subscribers’ event to get more information about the message. It is not considered an error if no Applications have subscribed because of the dynamic environment supported by the cFE. In addition, during initialization of a multi-processor system, this can easily occur. +" +SB: Send Message - Pipe Overflow,cSB4305.3,"If routing a Message to an Application's Pipe results in a Pipe Overflow, the cFE shall abort the send to that pipe, issue an event, and continue sending to the remaining pipes.",The ground needs to know if a message cannot be routed to its destination. A Pipe Overflow occurs when the SB attempts to write to a Pipe that is completely full of SB messages. The number of messages a Pipe is capable of storing is defined by a platform configuration parameter. +SB: Statistics Message,cSB4002,"Upon receipt of a Command, the cFE shall send an SB Message containing the SB statistics.","Visibility of the SB statistics is essential for FSW diagnostics, testing, and maintenance." +SB: Subscribe To Message,cSB4303,"Upon receipt of a Request to Subscribe to an SB message, the cFE shall establish a route using the Request-specified Message ID, the Request-specified Pipe ID, the Request-specified MsgId-to-Pipe limit and the Request-specified QoS.",Run time subscription supports the cFE goals of easy system integration and run time reconfigurations. 
+SB: Subscribe To Message - Duplicate,cSB4303.1,If the Subscription is a duplicate of a previous subscription then the cFE shall issue an event message.,"Duplicate subscriptions are still a success, however, want to notify the ground." +SB: Unsubscribe To Message,cSB4304,"Upon receipt of a Request to Unsubscribe to an SB Message, the cFE shall remove the route corresponding to the Request-specified Message Id and the Request-specified Pipe Id from the Routing Information.","Allow an Application to dynamically change what Messages it receives. Since the ground can manipulate the state of the routing, it is not considered an error if the Message is not currently being subscribed to when an unsubscribe request is made." +SB: Zero Copy Message Transfer Mode,cSB4300,The cFE shall provide a zero-copy message transfer mode for intra-processor communication.,"The heritage software bus offered a zero-copy mode, it was used for transferring large packets from one application to another on the same processor. The cost of the zero-copy mode is a more complex application interface." +SB: Zero Counters,cSB4001,"Upon receipt of Command the cFE shall set to zero the following counters in housekeeping telemetry: + +- Valid command counter +- Invalid command counter +- No subscriptions counter +- Message send error counter +- Message receive error counter +- Create Pipe error counter +- Subscribe error counter +- Pipe Overflow error counter +- MsdID-to-pipe limit error counter",Providing a clear counter command eliminates the need for operators or onboard scripts to keep track of the last value of the counter. +TB: Update With Pending Load - Locked,cTBL6308.1,"If a Table is locked when an update Request is made, an appropriate error code shall be returned to the calling Application and the update shall not occur.",The Application should be made aware that the table is not being updated because it is locked. 
+TBL: Abort Load,cTBL6012,"Upon receipt of Command the cFE shall abort the loading of the specified Table. +","The ground needs a way to clear the inactive buffer of all loads in the event, for example, that erroneous values were loaded to the table by the ground. Note that once a table is activated, it cannot be aborted (significant for double-buffer tables)." +TBL: Abort Load - Mark Inactive Buffer Uninitialized,cTBL6012.2,"If the Table buffering characteristics for the specified Table indicate that it is a Double-buffered table, then the inactive buffer shall be marked as uninitialized.",Need to make sure that the table image gets re-initialized with the contents of the active buffer prior to a subsequent load after an abort command is sent (see cTBL6000.4) +TBL: Abort Load - No Loads Pending,cTBL6012.3,The Table Registry shall indicate that there are no loads pending for the specified Table.,Status of the table needs to updated to reflect that. +TBL: Abort Load - Release Shared Buffer,cTBL6012.1,"If the Table buffering characteristics for the specified Table indicate that it is a Single-buffered Table, then the allocated shared buffer shall be released.",The shared buffer being used for this table load should be placed back into the pool of available shared buffers. +TBL: Activate,cTBL6003,Upon receipt of Command the cFE shall make an Inactive Table Image of the Command specified Table the Active Table Image.,"A Commit Command is useful by allowing modifications and the verification of those modifications to be accomplished in the background while an Application continues to use its previous Table data. Then, upon Command, the new Table data is made Active." +TBL: Activate - Validate,cTBL6003.1,"If a Table Validation Function exists for the specified Table, the Inactive Table Image shall be validated.",Validation functions are there for a reason so want to prevent loading invalid tables. 
Inactive buffer retains the data so that the ground can dump the contents to see why the validation failed. +TBL: Activate - Validate - Failure,cTBL6003.1.1,If the Inactive Table Image fails validation then the Inactive Table Image shall not be loaded into the Active Table Image.,Prevent loading of an invalid table. Note that the Inactive Table still contains the table image so that the ground can dump it. +TBL: Activate - Validate - No Validation Function,cTBL6003.1.2,"If a Table Validation Function does not exist for the specified Table, the Table shall be considered valid.",If there is no validation function then assume the table has good data in it (no way to check otherwise). +TBL: Create,cTBL6300,"Upon receipt of Request, the cFE shall create a zero filled Table Image with the Request specified name, size, buffering characteristics (single or double-buffer), dump-only characteristics, criticality and Table Validation Function address.","Supports the cFE's dynamic Application model. Tables will be able to be either single or double-buffered. Double-buffering will allow instantaneous updates from the Application's point of view and will be useful for interrupt service routines, etc. However, double-buffering will consume more memory resources. The Table Validation Function is optionally provided by the Application and is called when a Command to Validate the table is made. Note that a zero filled image will not be created if the Application specifies an address for the dump-only table (see cTBL6300.1)." +TBL: Create - App Supplied Address For Dump Only,cTBL6300.1,The cFE shall allow an Application to specify an address as the one and only buffer for a dump-only Table.,"Heritage code allowed for dump only tables to come from an address instead of a true table. In this case, table services does not allocate any memory for the dump only table. This is referred to an an Application-Defined-Address-Table." 
+TBL: Dump To File,cTBL6001,Upon receipt of Command the cFE shall dump the Command specified Active or Inactive Table contents to a Command specified File.,Dumping the contents of a table to a file simplifies the telemetering of Table contents. The file transfer protocol between the ground and the spacecraft is capable of handling variable sized files. The telemetering of Table contents directly to ground. +TBL: Free App Resources,cTBL6301,"Upon receipt of Request, the cFE shall free the resources associated the Request specified Application.","When an Application exits prematurely, the cFE requires a mechanism to free resources allocated to that Application." +TBL: Free Resources On Power On Reset,cTBL6500,Upon a Power-on Reset all Table resources shall be freed.,The Table Service cannot assume the contents of any Table is legitimate after a reset. +TBL: Free Resources On Processor Reset,cTBL6501,Upon a Processor Reset all Table resources shall be freed.,The Table Service cannot assume the contents of any Table is legitimate after a reset. +TBL: Free Resources On Processor Reset - Preserve Critical,cTBL6501.1,If the Table is a critical table then the contents of the Table shall be preserved.,Goal of a processor reset is preserve certain data to facilitate recovery. +TBL: Free Table Resources,cTBL6304,"Upon receipt of Request, the cFE shall free resources allocated for the Request specified Table.",Supports the cFE's dynamic Application model. 
+TBL: Housekeeping Message,cTBL6011,"The cFE shall provide the following Table Service data items in telemetry (SB Messages): + +- Valid Command Counter +- Invalid Command Counter +- Number of Tables Currently Registered +- Table Identifier of Last Table Modified +- Time of Last Table Modification +- Source Filename of Last Table Load +- Destination Filename of Last Table Dump +- Table Identifier of Commanded Data Integrity Check +- Commanded Data Integrity Check Value +- Commanded Table Verification Function Result +- Number of unused Shared Buffers +- Table Name of Last Table Load", +TBL: Initialize Contents,cTBL6302,"Upon receipt of Request, the cFE shall initialize the contents of the Request specified Table Image with the contents of the Request specified File.",Supports the cFE's dynamic Application model. +TBL: Initialize Contents - Greater Than Max Size,cTBL6302.1,"If the Request specified File contains more data than the size of the Request specified Table, the Table Image will not be initialized and an Event Message shall be generated.","If a File contains more data than memory allows, there is a high likelihood that the Application is expecting the data to be in a different format. Additionally, the cFE would not know whether to throw out the last part or the first part of the data." +TBL: Initialize Contents - Partial,cTBL6302.2,"If the Request specified File contains less data than the size of the Request specified Table, the first portion of the Table Image will be initialized with the contents of the File and an Event Message shall be generated.",Some tables may allocate more space than is necessary at all times. The Event Message will serve as a warning but not prevent the initialization of the Table. +TBL: Invalid Command Counter,cTBL6010,"Upon receipt of an invalid command, the cFE shall in increment the invalid command counter.",The ground needs an indicator if a command is rejected by the cFE. 
Details of what makes a command invalid are documented in the cFE User's Guide. +TBL: Load Inactive Table From File,cTBL6000,Upon receipt of Command the cFE shall load an Inactive Table Image with the contents of the Command specified File.,Loading from a file allows for multiple versions of a table to be stored on board and loaded to the active table when appropriate. The file header will identify the Table that the file contents are for. +TBL: Load Inactive Table From File - Dump Only,cTBL6000.5,If the specified table is defined as Dump Only then the command shall be rejected and an event message be generated.,Dump only tables cant be loaded. +TBL: Load Inactive Table From File - Greater Than Max Size,cTBL6000.2,If the number of data bytes contained in the file is greater than the maximum size of the table then the load shall be aborted and an event message shall be generated.,This is a sanity check to make sure that the ground generated table load does not include more data than a table can handle. +TBL: Load Inactive Table From File - Header Size Mismatch,cTBL6000.3,If the number of bytes specified in the file's header is not equal to the number of data bytes contained in the file then the load shall be aborted and an event message be generated.,This is another sanity check to make sure that the number of bytes specified in the file header is equal to the number of data bytes in the file. +TBL: Load Inactive Table From File - Multiple Partial Loads,cTBL6000.4,The Inactive Table Image shall only be loaded with the contents of the Active Table if the Inactive Table Image has not been initialized.,Want to be able to perform successive partial table loads. The first partial load of a table requires that the inactive table image be initialized with the active table image (see cTBL6000.2). Any subsequent loads should be made with the existing contents of the Inactive Buffer. 
+TBL: Load Inactive Table From File - Partial Load,cTBL6000.1,"If the Command specified file's header indicates that the file contains only a portion of the Table, the cFE shall first load an Inactive Table Image with the contents of the Active Table Image and then load the contents of the Command specified File.","A Partial Table load capability is useful when dealing with large Tables. It helps to ensure that additional parameters are not unintentionally modified, reduces command time required to perform a Table update and is a feature that has been used on previous missions." +TBL: Maximum Simultaneous Loads and Dumps,cTBL6701,"The cFE shall support Single-Buffer Table Loads and Application-Defined-Address-Table dumps simultaneously. ","It is desirable to allow for Tables to be modified by ground command while other Tables are be being modified autonomously by on board software (i.e. stored command processor, etc). This limit represents the total supported for the combined number of Single-Buffer and Application-Defined-Address-Table Tables being loaded." +TBL: Maximum Tables,cTBL6700,"The cFE shall support `` Tables.",Each mission's processor card memory capacities will dictate what is reasonable. +TBL: NOOP Event,cTBL6007,Upon receipt of Command the cFE shall generate a NO-OP event message.,This command is useful as a general sub-system aliveness test. +TBL: Pending Action Status,cTBL6310,"Upon receipt of Request the cFE shall indicate if the specified table has a validation, update, or dump pending.","Applications must periodically check to see if they need to perform updates, validations or dumps." +TBL: Provide Data Address,cTBL6305,"Upon receipt of Request, the cFE shall provide the calling Application with the address of the Request specified Table data.",The Table Service 'owns' all Tables and Applications must ask for the current address of the data because the Table Service may move the Table as updates are made. 
+TBL: Provide Data Address - Lock Contents,cTBL6305.1,"Upon providing a calling Application with the address of a Table's data, the cFE shall lock the contents of the Table to prevent modification.","The Table Service must wait for an Application to be done with the contents of the Table before considering modifying its contents. This ensures data integrity while the Application accesses the Table contents. More than one Application can access a Table. Therefore, a reference count will be necessary to ensure that all access is complete before a Table can be modified. +" +TBL: Provide Data Address - Modified Notification,cTBL6305.2,"If a Table has been modified since the last Table address request, the cFE shall notify the calling Application that the Table has been modified.",An Application may need to know when the contents of a Table have been updated. +TBL: Provide Data Addresses,cTBL6311,"Upon receipt of Request, the cFE shall provide the calling Application with the addresses of the data for the tables requested if more than one table is needed.",Applications may need to work with more than one table at a time. +TBL: Provide Data Addresses - Lock Contents,cTBL6311.1,"Upon providing a calling Application with the addresses of a Tables' data, the cFE shall lock the contents of the Tables to prevent modification.",The Table Service must wait for an Application to be done with the contents of the Table before considering modifying its contents. This ensures data integrity while the Application accesses the Table contents. +TBL: Provide Data Addresses - Modified Notification,cTBL6311.2,"If at least one Table has been modified since the last Table addresses request, the cFE shall notify the calling Application that a Table has been modified.","An Application may need to know when the contents of a Tables has been updated; the Application just won't know which one." 
+TBL: Provide ID,cTBL6303,"Upon receipt of Request, the cFE shall provide the calling Application with a unique identifier of an existing Table Image.",Some Applications will not want to create a Table but obtain a handle to one that is created by another Application. +TBL: Provide Table Info,cTBL6309,"Upon receipt of Request, the cFE shall provide the following information to the calling Application for the specified Table: + +- Size of the table +- Number of Users the access to the table (sharing) +- Filename of the last file used to modify the table +- File creation time of last file used to modify the table +- Time of last modification +- Flag indicating if the Table has been initialized +- Flag indicating if the Table is dump only +- Flag indicating if the Table has a dedicated buffer +- Flag indicating if the table is maintained in the Critical Data Store",Applications such as Checksum need to obtain info such as size of the table. The API is a more generic solution. +TBL: Table Registry Message,cTBL6006,Upon receipt of Command the cFE shall telemeter the contents of the Table Registry associated with a Command specified Table.,"Operations personnel may wish to see the attributes (double or single-buffered, dump-only, etc), a history of what file(s) was/were last loaded into the Active Table Image, what time the load(s) occurred, etc." +TBL: Unlock,cTBL6306,"Upon receipt of Request, the cFE shall unlock the contents of the Request specified Table.","The Table Service must wait for an Application to be done with the contents of the Table before considering modifying its contents. This ensures data integrity while the Application accesses the Table contents. More than one Application can access a Table. Therefore, a reference count will be necessary to ensure that all access is complete before a Table can be modified." 
+TBL: Unlocks,cTBL6312,"Upon receipt of Request, the cFE shall unlock the contents of the Request specified Tables.",Applications may need to work with more than one table at a time. +TBL: Update With Pending Load,cTBL6308,"Upon receipt of Request, the cFE shall update the request specified Table if a load is pending and it is unlocked.",This gives control to the Application as to when the table update occurs. +TBL: Valid Command Counter,cTBL6009,"Upon receipt of valid command, the cFE shall increment the valid command counter.",The ground needs the capability to verify that the command was received a accepted by the cFE. Details of valid commands are documented in the cFE User's Guide. +TBL: Validate,cTBL6002,Upon receipt of Command the cFE shall determine the validity of the contents of either the Active or Inactive Table Image of the Command specified Table.,"Operations needs to verify the contents of an Inactive Table before committing it. Similarly, operations personnel may need to re-validate or identify the contents of an Active Table." +TBL: Validate - App Content,cTBL6002.2,The cFE shall Request an Application to validate the contents of either the Active or Inactive Table Image of the Command specified Table and report the result in telemetry.,A Table Validation function provided by the Application can verify that the data content of a Table are reasonable. +TBL: Validate - Compute Data Integrity Check Value,cTBL6002.1,The cFE shall compute a Data Integrity Check Value on the contents of either the Active or Inactive Table Image of the Command specified Table and report the result in telemetry.,A Data Integrity Check Value can provide a quick method of validating the proper contents of a Table without performing a Table Dump and Comparison. 
+TBL: Write Table Registry To File,cTBL6005,Upon receipt of Command the cFE shall write the contents of the Table Registry to a file.,"The Table Registry will provide a list of the Tables currently registered, their attributes (double or single-buffered, dump-only, etc), a history of what files were last loaded into the Active Table Images, what time the load occurred and whether the image has been modified via Partial Table Load." +TBL: Write Table Registry To File - Default File Name,cTBL6005.1,"If a file is not specified, the cFE shall use the `` filename.",Want to provide a default in the event that a user does not want to specify one. +TBL: Zero Counters,cTBL6008,"Upon receipt of Command the cFE shall set the following counters reported in telemetry to zero: + +- Valid Command Counter +- Invalid Command Counter +- Number of Validation Requests +- Number of successful Table Validations +- Number of Unsuccessful Validations +- Number of Completed Validations",This command is a common feature in heritage sub-system software design. +TIME: Add To Spacecraft Time,cTIME2013,Upon receipt of Command the cFE shall adjust the spacecraft time by adding the Command specified value (seconds and subseconds) to spacecraft time.,"The client’s local clock might be running a little behind the tone, therefore, an adjustment needs to be made to the time client’s time calculation." +TIME: Add Values,cTIME2309,"Upon receipt of a Request to add two time values, the cFE shall provide the result to the requester using the format specified in the cFE Application Developer's Guide.",Need to provide a common time addition function available to applications. +TIME: Adjust STCF,cTIME2008,Upon receipt of Command the cFE shall make a one time delta adjustment to the STCF by the Command-specified value.,"It is common to set the clock as a delta adjustment from the current time value. The commanded value is signed so a positive or negative adjustment may be made. 
Note, there's no need for a command to apply a 'large' adjustment over a command-spec." +TIME: CDS Elements,cTIME2700,"During normal operation, the cFE shall preserve the following time elements in the `` Critical Data Store: + +- Time Status Data +- STCF +- Leap Seconds +- MET",Time is a critical system resource and every effort should be made to preserve it. Preserving time allows applications to 'fly through' resets. +TIME: Compare Values,cTIME2311,"Upon receipt of a Request to compare two time values, the cFE shall provide the result to the requester using the format specified in the cFE Application Developer's Guide.",Need to provide a common time comparison function available to applications. +TIME: Compute STCF,cTIME2007,Upon receipt of Command the cFE shall compute a new value for STCF using the Command-specified value as current time.,"This command provides a useful alternative to setting the STCF +explicitly, as the command does not require knowledge of the current MET value. If the default time format is TAI then the new value for STCF is the +Command-specified time value less MET." +TIME: Convert Micro-Seconds To Sub-Seconds,cTIME2313,"Upon receipt of a Request to convert a number of micro-seconds to sub-seconds, the cFE shall provide the result to the requester.",Need to provide the inverse of the previous function. +TIME: Convert Sub-Seconds To Micro-Seconds,cTIME2312,"Upon receipt of a Request to convert a cFE sub-seconds value to micro-seconds, the cFE shall provide the result to the requester.",Converting elapsed time from sub-seconds to micro-seconds is a commonly used conversion utility. +TIME: Delta Adjust STCF,cTIME2009,Upon receipt of Command the cFE shall make a continuous 1Hz delta adjustment to the STCF by the Command-specified value.,"Upon receipt of a Command to make a 'continuous' adjustment to the STCF, the cFE shall adjust the STCF each second by the Command-specified value. 
The commanded value is signed so a positive or negative adjustment may be made." +TIME: Diagnostic Message,cTIME2011,Upon receipt of Command the cFE shall generate a Software Bus message that includes time diagnostic information.,"When testing or debugging the time application, more details about time services are required." +TIME: Flywheel State,cTIME2012,Upon receipt of Command the cFE Time Services shall enter the Flywheel state.,Useful for testing. This provides an easy way to cause the server or client to enter flywheeling mode so that local time calculations can be verified. Also useful for testing the server/client time relations. +TIME: Flywheel State - Ignore Updates,cTIME2012.1,The cFE shall ignore Time Updates while in Flywheel state.,"Again, this is used mainly for testing purposes. Want to ignore time updates and update time using the local hardware clock." +TIME: Housekeeping Message,cTIME2000,"Upon receipt of Command the cFE shall generate a Software Bus message that includes the following items: + +- Time Status +- MET +- STCF +- Leap Seconds +- STCF continuous adjustment value.",It is common for sub-systems to report housekeeping status upon receipt of a housekeeping request command. +TIME: Invalid Command Counter,cTIME2004,"Upon receipt of an invalid command, the cFE shall in increment the invalid command counter.",The ground needs an indicator if a command is rejected by the cFE. Details of what makes a command invalid are documented in the cFE User's Guide. +TIME: MET Resolution,cTIME2703,The cFE shall define a MET with a `` resolution.,"The resolution (clock ticks per second) is hardware dependent. Since no other cFE component places any constraints on the resolution this requirement is not bounded with a minimum. However, both the maximum number of MET seconds and the resolution of sub-seconds are both restricted to a value that can be stored as an unsigned 32 bit integer." 
+TIME: NOOP Event,cTIME2001,Upon receipt of Command the cFE shall generate a NO-OP event message. (Time Server and Time Client),This command is useful as a general sub-system aliveness test. +TIME: Power On Reset Default Values,cTIME2500,"Upon a Power-on Reset the cFE shall set the following time elements to their `` default values: + +- Time Status Data +- STCF +- Leap Seconds","At power on, the presumption is that the MET h/w register has been reset. It is common to set the STCF and Leap Seconds at startup such that time is computed to a known and recognizable value." +TIME: Processor Reset CDS Values,cTIME2501,"Upon a Processor Reset the cFE shall acquire the following time elements from the `` Critical Data Store: + +- Time Status Data +- STCF +- Leap Seconds","Time is a critical system resource and every effort should be made to preserve it. Following a processor reset, the presumption is that the MET h/w register is unaffected and that previously 'good' values for STCF and Leap Seconds can still be used to correct." +TIME: Processor Reset Verify CDS,cTIME2502,Upon a Processor Reset the cFE shall verify the Critical Data Store used to store time values.,"Verification of potentially damaged stored data is a standard practice. Note that because time can be any value, verification potentially involves using a pattern." +TIME: Processor Reset Verify CDS - Initialize On Failure,cTIME2502.1,"If the critical data store is not valid, all of the time elements shall be initialized in the same fashion as following a power-on reset.",If the CDS can't be trusted then need to initialize to default values. +TIME: Provide Clock State,cTIME2308,"Upon receipt of a Request for the current Clock State, the cFE shall provide the Clock State to the requester using the format specified in the cFE Application Developer's Guide.","Need to make the Clock State available to applications. 
Due to lack of a demonstrable use case, the requirement to provide clock state data as part of 'get time' functions has been deleted." +TIME: Provide Default,cTIME2302,"Upon receipt of a Request for the current time computed in the default format, the cFE shall provide the current time computed in the default selection of UTC or TAI to the requester using the format specified in the cFE Application Developer's Guide.",One of the mission defined selections is the choice of whether TAI or UTC will be the default time format. And most callers do not care which time format is the current default. This function avoids having to modify each individual caller when the default is requested. +TIME: Provide Leap Seconds,cTIME2307,"Upon receipt of a Request for the current Leap Seconds, the cFE shall provide the Leap Seconds to the requester using the format specified in the cFE Application Developer's Guide.",Need to make the Leap Seconds available to applications. +TIME: Provide MET,cTIME2303,"Upon receipt of a Request for the current MET, the cFE shall provide the MET to the requester using the format specified in the cFE Application Developer's Guide.",Need to make the MET available to applications. +TIME: Provide MET Seconds,cTIME2304,"Upon receipt of a Request for the current MET seconds, the cFE shall provide the MET seconds to the requester using the format specified in the cFE Application Developer's Guide.",Need to make the MET seconds available to applications. This capability simplifies application logic. +TIME: Provide MET Sub-Seconds,cTIME2305,"Upon receipt of a Request for the current MET sub-seconds, the cFE shall provide the MET sub-seconds to the requester using the format specified in the cFE Application Developer's Guide.",Need to make the MET sub-seconds available to applications. This capability simplifies application logic. 
+TIME: Provide Readable Format,cTIME2314,Upon receipt of a Request the cFE shall return the provided system time in the following format: `yyyy-ddd-hh:mm:ss.xxxxx\0`,Provides time in a readable string format. +TIME: Provide STCF,cTIME2306,"Upon receipt of a Request for the current STCF, the cFE shall provide the STCF to the requester using the format specified in the cFE Application Developer's Guide.",Need to make the STCF available to applications. +TIME: Provide TAI,cTIME2300,"Upon receipt of a Request for the current time computed as TAI, the cFE shall provide the TAI to the requester using the format specified in the cFE Application Developer's Guide.",Need to make the TAI available to applications. +TIME: Provide UTC,cTIME2301,"Upon receipt of a Request for the current time computed as UTC, the cFE shall provide the UTC to the requester using the format specified in the cFE Application Developer's Guide.",Need to make the UTC available to applications. +TIME: Set Leap Seconds,cTIME2005,Upon receipt of Command the cFE shall set the number of Leap Seconds to the Command-specified value.,The decision to introduce a leap second in UTC is the responsibility of the International Earth Rotation Service (IERS). The count of Leap Seconds has been incremented about every 500 days since 1972. It is therefore likely that a mission will need to update. +TIME: Set STCF,cTIME2006,Upon receipt of Command the cFE shall set the STCF to the Command specified value.,"The cFE must be provided with the appropriate correlation factor, that when combined with the current MET and Leap Seconds values, will result in current time. Historically this command has been referred to as 'jam loading' time." 
+TIME: Subtract From Spacecraft Time,cTIME2014,Upon receipt of Command the cFE shall adjust the spacecraft time by subtracting the Command specified value (seconds and subseconds) from spacecraft time.,"The client’s local clock might be running a little ahead the tone, therefore, an adjustment needs to be made to the time client’s time calculation." +TIME: Subtract Values,cTIME2310,"Upon receipt of a Request to subtract two time values, the cFE shall provide the result to the requester using the format specified in the cFE Application Developer's Guide.",Need to provide a common time subtraction function available to applications. +TIME: Switch Source,cTIME2010,`` Upon receipt of Command the cFE shall switch to the Command-specified hardware clock source.,This command is extremely hardware configuration dependent. The number and nature of alternate clocks will vary by system. Many system designs provide primary and redundant clock sources (tone signals) and require autonomous clock switching based on failure. +TIME: Time At Tone Window,cTIME2701,The cFE Time Services Server shall send a time at the tone Software Bus message within a `` period of time preceding or following the tone.,"The primary purpose of a time server is to distribute time updates to time clients. Although the time tone is generally a 1PPS signal, there is no cFE restriction on the frequency of the tone. Also, there is no cFE restriction on whether the ""time at the tone"" message precedes or follows the tone." +TIME: Update MET,cTIME2702,The cFE Time Services Server shall update its MET using the timer hardware interface defined in the cFE Application Developer's Guide.,Every mission needs an MET and using a cFE-defined software interface to the timer hardware driver makes the Time Services portable. 
+TIME: Valid Command Counter,cTIME2003,"Upon receipt of valid command, the cFE shall increment the valid command counter.",The ground needs the capability to verify that the command was received and accepted by the cFE. Details of valid commands are documented in the cFE User's Guide. +TIME: Zero Counters,cTIME2002,Upon receipt of Command the cFE shall set to zero all counters reported in Time Services telemetry. (Time Server and Time Client),This command is a common feature in heritage sub-system software design. diff --git a/docs/cFE_FunctionalRequirements.md b/docs/cFE_FunctionalRequirements.md deleted file mode 100644 index e3efd0adf..000000000 --- a/docs/cFE_FunctionalRequirements.md +++ /dev/null 
@@ -1,3048 +0,0 @@ ---- -title: Core Flight Software Requirements -tags: cFE -abstract: Software Requirements for the Core Flight System core applications ---- - -# Executive Services Requirements (cES) {#cES} - -## Executive Services Subgroup: Operational Interface {#cES10} - -### cES1000 - -Upon receipt of a Command, the cFE shall generate a Software Bus message that -includes the following items: - -- Number of Registered Applications -- Number of Registered Child Tasks -- Number of Registered Shared Libraries -- Reset Type -- Reset Subtype -- Number of entries in System Log -- Size of the System Log -- Number of bytes used in the System Log -- Current Exception and Reset Log Index -- Number of Processor Resets -- Maximum Number of Processor Resets before a Power -- On Reset -- Boot Source -- ES Valid Command Counter -- ES Invalid Command Counter - -*Rationale: It is common for sub-systems to report housekeeping status upon receipt -of a housekeeping request command.* - -### cES1001 - -Upon receipt of a Command, the cFE shall generate a NO-OP event message. - -*Rationale: This command is useful as a general sub-system aliveness test.* - -### cES1002 - -Upon receipt of a valid Command, the cFE shall increment a valid Command -counter. - -*Rationale: The ground needs the capability to verify that the command was received -and accepted by the cFE. Details of valid commands are documented in the cFE -Application Developer's Guide and the cFE User's Guide.* - -### cES1003 - -Upon receipt of an invalid Command, the cFE shall increment the invalid Command -counter and generate an event message. - -*Rationale: The ground needs an indicator if a command is rejected by the cFE. -Details of what makes a command invalid are documented in the cFE Application -Developer's Guide and the cFE User's Guide.* - -### cES1004 - -Upon receipt of a Command, the cFE shall set to zero the valid Command counter -and invalid Command counter. 
- -*Rationale: This command is a common feature in heritage sub-system software design. -In general, command counter (valid and invalid) are reset.* - -### cES1005 - -Upon receipt of a Command, the cFE shall create the Command specified -Application by defining the Application in the System Resources Definition -using information from the Command specified file, and beginning execution of -the Application. - -*Rationale: A basic feature of the cFE is to be able to dynamically (while the cFE -is running) start applications. This requirement allows for an application to be -created and started from one of the cFE file systems.* - -#### cES1005.1 - -The Command shall include the following parameters: - -- Application Path/Filename -- Application Entry Point -- Application Name -- Application Priority -- Application Stack Size -- Application Load Address -- Exception Action (restart application or perform processor reset) - -#### cES1005.2 - -The Command specified cFE Application file shall be in any valid cFE file -system including the volatile file system and the non-volatile file system. - -*Rationale: The command itself does not care about where the cFE Application -comes from, it is specified In the path.* - -#### cES1005.3 - -If the Command specified Application is undefined then the cFE shall reject -the Command, increment the invalid command counter and generate an event -message. - -*Rationale: Can't start an undefined application.* - -#### cES1005.4 - -If the Command specified Application is already defined and executing, then the -cFE shall reject the Command, increment the invalid Command counter and -generate an event message. - -*Rationale: Can't start an application that is already running.* - -### cES1006 - -Upon receipt of a Command, the cFE shall delete the Command specified -Application including all child tasks. - -*Rationale: Need to be able to stop the execution of an Application -and remove its System Resources. 
The delete will clean-up the application's -main task and all of its child tasks. Note: other cFE components are -required to have cleanup routines that ES calls.* - -#### cES1006.1 - -If the specified Application is undefined then the cFE shall reject the -Command, increment the invalid command counter and generate an event message. - -*Rationale: Can't delete an undefined application* - -### cES1007 - -Upon receipt of a Command, the cFE shall Restart the Command specified -Application - -*Rationale: Need to be able to restart an Application. A restart involves -deleting it (cleaning up) and then starting it again. This is similar to -starting the cFE Application from a file system. When an Application is restarted, -the only command parameter required is the application name. All other parameters -including the filename are the same as the original cFE Application Create command. -The restart is intended for error recovery such as an exception, and should not be -used to start a new version of an Application. If a Critical Data Store Area is -allocated for the Application, it is preserved, and the Application may re-connect -to the Critical Data Store Area when it is running again.* - -#### cES1007.1 - -If the Command specified Application is undefined then the cFE shall reject the -Command, increment the invalid Command counter and generate an event message. - -*Rationale: Can't restart an undefined application.* - -#### cES1007.2 - -If the original cFE Application file is not found then the cFE shall reject the -Command, increment the invalid Command counter, and generate an event message. - -*Rationale: Can't restart the Application if the original file has been removed. In -this case, the Application will continue without a restart.* - -#### cES1007.3 - -If the cFE Application Restart fails due to a non-parameter error, then the cFE -shall delete the Application, increment the invalid Command counter, and -generate an event message. 
- -*Rationale: If the Application is already stopped and there is an error restarting it, -then the cFE application will be deleted.* - -### cES1008 - -Upon receipt of a Command the cFE shall Reload the Command specified cFE -Application from the Command specified cFE Application file. - -*Rationale: This command enables the ground to replace an Application with only one -command. This is required for applications such as a Command Uplink Application, which -must be replaced with one command. The specified cFE Application file may be from any -valid cFE.* - -#### cES1008.1 - -If the specified Application is undefined then the cFE shall reject the -Command, increment the invalid Command counter and generate an event message. - -*Rationale: Can't reload an undefined Application.* - -#### cES1008.2 - -If the specified cFE Application file does not exist then the cFE shall reject -the command, increment the invalid Command counter, and generate an event -message. - -*Rationale: Can't reload the Application if the new file does not exist.* - -#### cES1008.3 - -If the cFE Application Reload fails due to a non-parameter error, then the cFE -shall delete the Application, increment the invalid Command counter, and -generate an event message. - -*Rationale: If the Application is already stopped and there is an error restarting -it, then the cFE application will be deleted. Should the old Application be -restarted? Need to be able to reset the cFE in the event that there is a critical -problem. As a result of the Power On Reset, all code and data are re-initialized -and the cFE is returned to a default power-on state. This reset is initiated through -a common interface.* - -### cES1009 - -Upon receipt of a Command, the cFE shall perform a Power On Reset of the Core -Flight Executive. - -*Rationale: On a flight processor or other embedded processor this command results in -rebooting the processor board through the Boot Software. 
On a desktop system this command -will result in the restarting of the cFE, but not the operating system. Note: If the cFE -implementation includes more than one cFE core images, it is the responsibility of the -Boot Software to select which cFE image is booted.* - -### cES1010 - -Upon receipt of a Command, the cFE shall perform a Processor Reset of the Core -Flight Executive. - -*Rationale: Need to be able to restart the cFE in the event that there is a problem with the -Real Time OS or cFE Core software. Note that restarting the cFE will result in a restart of -all of the cFE applications. In addition, a restart of the cFE will initialize the* - -### cES1011 - -Upon receipt of a Command, the cFE shall generate a message that contains a -summary of the Command specified Application's properties and state as defined -in the Systems Resources Definition including: - -- cFE Application Name -- cFE Application Filename -- cFE Application Entry Point -- cFE Application Priority -- cFE Application Stack Size -- cFE Application Memory Start Address -- cFE Application Memory Size -- cFE Application Child Task Count - -*Rationale: In order to support remote Application management then the Application's properties -and current state need to be externally observable. Because the ground interface is with -Applications rather than Tasks, Task information should be included as well.* - -### cES1012 - -Upon receipt of a Command, the cFE shall generate a Command specified file that -contains all properties and states of all cFE Applications that are defined in -the Systems Resources Definition. - -*Rationale: May want information about all applications and tasks defined in the Systems -Resources Definition in order to diagnose a problem.* - -#### cES1012.1 - -If a file is not specified, the cFE shall use the `` filename. 
- -*Rationale: Want to specify a default if the user does not want to specify a new filename.* - -### cES1013 - -Upon receipt of a Command, the cFE shall submit to the operating system shell, -the string supplied as a parameter. - -*Rationale: Having access to the operating system shell has proved invaluable during FSW -development on missions such as JWST and Triana. Although it is available on-orbit, it -is not intended to be used during normal operations.* - -#### cES1013.1 - -Upon execution of the operating system Command, the cFE shall generate one or -more messages containing the ascii output generated by the operating system -command. - -*Rationale: This message will provide the "output" from the shell command to allow the -implementation of a shell like interface to the cFE.* - -### cES1014 - -The cFE shall maintain an Executive Services System Log which contains a series -of ASCII text strings describing significant events or errors. - -*Rationale: Examples of ES System Log information includes: "Created new cFE -Application: StoredCommand.app" or "Could Not Create OS Queue" or "File not found -error: /eebank1/StoredCommand.app" This requirement states that the cFE needs to -maintain this information. There is a separate requirement for the creation of a file -to transfer the information to the ground. Note that the information can also be -obtained with a raw memory read.* - -#### cES1014.1 - -Each entry in the Executive Services System Log shall be time tagged with the -time that the event happened. - -*Rationale: Need to be able to determine when the event occurred.* - -#### cES1014.2 - -The cFE shall calculate the number of bytes used and number of entries in -Executive Services System Log. 
- -*Rationale: Ground operations need indication of how full the System Log is so that -they can clear it, if necessary, in order to make room for new entries (or at least -write it to a file to preserve it).* - -##### cES1014.2.1 - -If the Executive Services System Log is full and the System Log Mode is set to -OVERWRITE then the cFE shall write all new entries from the top of the log. - -*Rationale: Want to provide the capability to continuously record all new System Messages* - -##### cES1014.2.2 - -If the Executive Services Syste Log is full and the System Log Mode is set to -DISCARD then the cFE shall discard all new entries. - -*Rationale: Want to provide capability to stop writing to the System Log in order to preserve -to Log which may contain important anomolous messages* - -### cES1015 - -Upon receipt of a Command, the cFE shall clear the Executive Services System -Log. - -*Rationale: Want to be able to clear the Executive Services System Log Buffer so that only the -new information is saved* - -### cES1016 - -Upon receipt of a Command, the cFE shall copy the information contained in the -Executive Services System Log into a Command specified file. - -*Rationale: We did not want to count on a file system for storing the ES System errors in the -event that there was a problem with the file system or the file system was not mounted yet. -We did want to provide an easy ground interface for getting the data to the ground* - -#### cES1016.1 - -If a file is not specified, the cFE shall use the `` filename. 
- -*Rationale: Want to provide a default in the event a user does not want to have to specify one.* - -### cES1017 - -The cFE shall maintain an Executive Services Exception and Reset Log which will -log critical system data for exceptions and resets including: - -- A time stamp -- Processor Context information -- Critical system variables -- ASCII string stating the reason for the reset - -*Rationale: Want to be able to save state information prior to a restart -(processor, power-on, application, task etc) to help with diagnosing problems. -There is a separate requirement for the creation of a file to transfer the -information to the ground.* - -### cES1018 - -Upon receipt of a Command, the cFE shall clear the Executive Services Exception -and Reset Log. - -*Rationale: Want to be able to clear the Executive Services Exception and Reset -Log so that only the new information is saved.* - -### cES1019 - -Upon receipt of a Command, the cFE shall copy the information contained in the -Executive Services Exception and Reset Log Buffer into a Command specified file. - -*Rationale: The cFE Exception and Reset Log contains a large amount of data, and -is variable in size. It is easier to dump the contents to a file.* - -#### cES1019.1 - -If a file is not specified, the cFE shall use the `` filename. - -*Rationale: Want to provide a default in the event a user does not want to have -to specify one.* - -### cES1021 - -The cFE shall maintain an Executive Services Logic Analyzer Capture Log for -capturing application specified timestamps and events for off-line performance -analysis. - -*Rationale: The Logic Analyzer Capture Log is used along with a performance log -API to allow the cFE and cFE Applications to save performance data that can be -downloaded.* - -### cES1022 - -Upon receipt of a Request, the cFE shall record the specified Logic Analyzer -Capture Tag in the Logic Analyzer Capture Log. 
- -*Rationale: The cFE Core and cFE Applications make specific calls to create -log entries in the Logic Analyzer Capture Log.* - -#### cES1022.1 - -The cFE shall store a timestamp along with the specified Logic Analyzer Capture -Tag. - -*Rationale: Each entry is time-stamped.* - -#### cES1022.2 - -If the Logic Analyzer Capture Log is full, then the cFE shall write all new -entries from the top of the log. - -### cES1023 - -Upon receipt of a Command, the cFE shall copy the information contained in the -Logic Analyzer Capture Log into a Command Specified file. - -*Rationale: Want to be able to catpure the log to a file for post processing.* - -#### cES1023.1 - -If a file is not specified, the cFE shall use the `` filename. - -*Rationale: Want to have a default filename.* - -### cES1024 - -Upon receipt of a Command, the cFE shall set the Processor Resets counter to -zero. - -*Rationale: Ground may want to clear this counter so that infrequent Processor -Resets don't result in a Power-on Reset* - -### cES1025 - -Upon receipt of a Command, the cFE shall set the Maximum Processor Resets -counter to the Command Specified value. - -*Rationale: Based on ST-5 experience, want to be able to increase the -maximum number of Processor Resets in order to prevent a Power-on Reset. -ST-5 used these features when they were having the multiple bit errors in -their recorder memory. They set both numbers to 4* - -### cES1026 - -Upon receipt of a Command, the cFE shall copy the following Critical Data Store -information into the Command Specified file: - -1. Critical Data Store Name -2. Size -3. Data Integrity Value - -*Rationale: This provides a registry of the Critical Data Store.* - -### cES1027 - -Upon receipt of a Command, the cFE shall delete the Command Specified Critical -Data Store. 
- -*Rationale: As part of an Application clean-up, want to clean-up the allocated -resources.* - -### cES1028 - -Upon receipt of Command, the cFE shall set the System Log Mode to the -Command-specified mode, either overwrite or discard. - -*Rationale: While in Overwrite Mode the oldest logged System message -will be overwritten by the new System message when the System Log Full -Flag is set to true. While in Discard Mode the new message will be -discarded, preserving the contents of the full log.* - -## Executive Services Subgroup: Application Interface {#cES13} - -### cES1300 - -Upon receipt of a Request, the cFE shall register the calling cFE Application -with the system. - -*Rationale: cFE Applications must register with the cFE in order to allow the -cFE to track the Application's resources. This function also allows the system -to synchronize the application startup. The cFE Application will wait in this -function until the cFE starts up* - -### cES1301 - -Upon receipt of a Request, the cFE shall provide the type of last reset -performed by the processor. - -*Rationale: cFE Applications may perform processing that is specific to each -reset type.* - -#### cES1301.1 - -The reset types include: Power On Reset Processor Reset. - -### cES1302 - -Upon receipt of a Request, the cFE shall provide the Processor ID on which the -Request was made. - -*Rationale: Need to determine the Processor ID. This feature is useful in -missions with multiple processors, or to help distinguish prototype vs. -flight processor features.* - -### cES1303 - -Upon receipt of a Request, the cFE shall provide the Spacecraft ID on which the -Request was made. - -*Rationale: Need to determine the Spacecraft ID. This feature is useful in -missions with multiple Spacecraft, or Spacecraft with multiple processors.* - -### cES1304 - -Upon receipt of a Request, the cFE shall provide the cFE Application ID of the -calling cFE Application. 
- -*Rationale: A cFE Application needs to determine its own Application ID.* - -### cES1305 - -Upon receipt of a Request, the cFE shall provide the cFE Task Name and cFE -Application Name which corresponds to the specified cFE Task ID. - -*Rationale: The command will provide a way to find the cFE Task Name and -the parent cFE Application name from any cFE Application or Child task.* - -### cES1306 - -Upon receipt of a Request, the cFE shall provide the cFE Application ID which -corresponds to the specified cFE Application Name. - -*Rationale: The Executive Services will assign an Application ID. The Application -Name is specified when the cFE Application is created. This Request will provide -a way to determine the cFE Application ID when the pre-determined Application Name -is passed in.* - -### cES1307 - -Upon receipt of a Request, the cFE shall provide the cFE Application Name which -corresponds to the specified cFE Application ID. - -*Rationale: The Executive Services will assign an Application ID. This Request -will provide a way to determine an Application's name from its Application ID.* - -### cES1309 - -Upon receipt of a Request, the cFE shall delete the specified Application -including all child tasks. - -*Rationale: Need to be able to stop the execution of an Application and remove -its System Resources. The delete will clean-up the application's main task and -all of its child tasks. Note: other cFE components are required to have cleanup -routines that ES calls.* - -#### cES1309.1 - -If the specified Application is undefined then the cFE shall record the error -in the System Log, and return an error code. - -*Rationale: Can't delete an undefined application.* - -### cES1310 - -Upon receipt of a Request the cFE shall Restart the specified Application. - -*Rationale: Need to be able to restart an Application. A restart involves deleting it -(cleaning up) and then starting it again. This is similar to starting the cFE -Application from a file system. 
When an Application is restarted, the only parameter -required is the application name. All other parameters including the filename are the -same as the original cFE Application Create Request. The restart is intended for error -recovery such as an exception, and should not be used to start a new version of an -Application. If a Critical Data Store Area is allocated for the Application, it is -preserved, and the Application may re-connect to the Critical Data Store Area when it -is running again.* - -#### cES1310.1 - -If the specified Application is undefined then the cFE shall record the error -in the System Log, and return an error code. - -*Rationale: Can't restart an undefined application.* - -#### cES1310.2 - -If the original cFE Application file is not found then the cFE shall record the -error in the System Log, and return an error code. - -*Rationale: Can't restart the Application if the original file has been removed. -In this case, the Application will continue without a restart.* - -#### cES1310.3 - -If the cFE Application Restart fails due to a non-parameter error, then the cFE -shall record the error in the System Log, and return an error code. - -*Rationale: If the Application is already stopped and there is an error restarting -it, then the cFE application will be deleted.* - -### cES1311 - -Upon receipt of a Request, the cFE shall create the specified cFE Child Task -within the cFE Application that owns the task and begin execution of the task. - -*Rationale: Each cFE Application's main task has the capability to create and -start one or more child tasks.* - -#### cES1311.1 - -In the event that the cFE Child Task cannot be created, the cFE shall record -the error in the System Log, and return an error code. - -*Rationale: Need to keep track of the Child Task Create Failures.* - -#### cES1311.2 - -In the event a child task attempts to create another child task, the cFE shall -record the error in the System Log, and return an error code. 
- -*Rationale: Only the cFE Application's main task can create a child task. This -prevents confusion with parent/child task relationships and the allocation/deallocation -of resources.* - -### cES1312 - -Upon receipt of a Request, the cFE shall delete the specified cFE Child Task -within the cFE Application that owns the task. - -*Rationale: As part of a cFE Application cleanup, the Application needs to be -able to delete each child task.* - -#### cES1312.1 - -If the specified task is the cFE Application Main Task, the request shall -record the error in the System Log, and return an error code. - -*Rationale: Cannot use Child Task Exit or Delete on the cFE Application Main Task.* - -### cES1313 - -Upon receipt of a Request, the cFE shall register the calling cFE Child Task -with the system. - -*Rationale: Just like cFE Applications, Child Tasks must be registered to work -properly in the cFE. This function call is intended to be called by the newly -created cFE Child Task.* - -### cES1314 - -Upon receipt of a Request, the cFE shall end execution of the calling cFE Child -Task. - -*Rationale: A cFE Child Task needs to be able to exit and end execution.* - -#### cES1314.1 - -If the calling task is the cFE Application Main Task, the cFE shall record the -error in the System Log, and return an error code. - -*Rationale: Cannot use Child Task Exit or Delete on the cFE Application Main Task.* - -### cES1315 - -Upon receipt of a Request, the cFE shall reserve the Request specified amount -of memory in the Critical Data Store for the cFE Application using the Request -specified name. - -*Rationale: The Critical Data Store will be used by Applications to store critical -parameters that will be preserved after an application or processor restart. ES -will allocate the memory for the application. 
A pointer or memory address will be -provided to the alloc.* - -#### cES1315.1 - -If a Critical Data Store exists for the Request specified name but has a -different size than what is specified in the Request, the cFE shall remove the -existing Critical Data Store and create a new one using the Request specified -name and size. - -*Rationale: Assumes that if the sizes don't match then something has changed and -the CDS can't be trusted.* - -#### cES1315.2 - -If a Critical Data Store exists for the Request specified name but the Data -Integrity value is invalid, the cFE shall remove the existing Critical Data -Store and create a new one using the Request specified name and size. - -*Rationale: Assumes that if the CRC is invalid then the CDS can't be trusted.* - -### cES1316 - -Upon receipt of a Request, the cFE shall copy the contents from the Request -specified Critical Data Store to the Request specified address. - -*Rationale: Provides the capability to restore the local data with the contents -of the critical data store.* - -#### cES1316.1 - -If the Data Integrity Value is invalid then the data shall not be copied from -the Critical Data Store. - -*Rationale: Critical Data Store should be verified before restoring. Assumes -that if the calculated CRC does not match the stored CRC than the CDS cannot -be trusted.* - -#### cES1316.2 - -If the Request Specified Critical Data Store does not exist then the data shall -not be copied. - -*Rationale: Can't copy data if the reference is wrong.* - -### cES1317 - -Upon receipt of a Request, the cFE shall perform a Power On Reset of the Core -Flight Executive. - -*Rationale: Applications need to periodically copy the local data into the CDS -so that it can be preserved. Note that the CDS is not required to exist on-card -(local address space). 
This provides the capability for a mission to use off-card -bulk storage.* - -### cES1318 - -Upon receipt of a Request, the cFE shall perform a Processor Reset of the Core -Flight Executive. - -*Rationale: Everytime data is written to the CDS, a CRC must be recalculated in -order to have a reference for any CDS validation. Note that Applications are -responsible for determining whether the contents of a CDS Block are still -logically valid.* - -### cES1319 - -Upon receipt of a Request, the cFE shall exit the calling cFE Application and -delete the Applications' resources. - -*Rationale: Can't copy data if the reference is wrong.* - -### cES1320 - -Upon receipt of a Request, the cFE shall prepare a Memory Pool for runtime -memory allocation/de-allocation. - -*Rationale: The Memory Allocation interface allows the cFE Application to -supply a Pool of memory, which can be used for efficient memory allocation -and de-allocation.* - -#### cES1320.1 - -If the specified size is less than the minimum block size, -the cFE shall record the error in the System Log, and return an error code. - -*Rationale: If the size of the Pool is not valid, then an error must be returned.* - -### cES1321 - -Upon receipt of a Request the cFE shall allocate a block of memory of the -specified size from the specified Memory Pool. - -*Rationale: The Memory Allocation interface allows the cFE Application to -allocate a block of memory from a previously created memory pool.* - -#### cES1321.2 - -If the specified Memory Pool identifier is invalid then the cFE shall record -the error in the System Log, and return an error code. - -*Rationale: If the handle or Memory Pool ID is not valid, then an error must -be returned.* - -#### cES1321.3 - -If the specified size is too large for the specified Memory Pool, the cFE shall -record the error in the System Log, and return an error code. 
- -*Rationale: Cannot allocate a memory block bigger than the pool.* - -### cES1322 - -Upon receipt of a Request the cFE shall de-allocate the specified block of -memory from the specified Memory Pool. - -*Rationale: The Memory Allocation interface allows the cFE Application to -de-allocate a block of memory from a previously created memory pool.* - -#### cES1322.1 - -If the specified Memory Pool identifier is invalid, then the cFE shall record -the error in the System Log, and return an error code. - -*Rationale: Need to have a valid Memory Pool identifier in order to de-allocate -a block of memory.* - -### cES1323 - -Upon receipt of a Request, the cFE shall calculate a Data Integrity value over -the given range of memory using the specified algorithm. The algorithm shall be -one of the following: - -- XOR: Exclusive OR -- CRC16: 16 Bit Cyclic Redundancy Check -- CRC32: 32 Bit Cyclic Redundancy Check - -*Rationale: We need to provide a checksum/CRC utility.* - -### cES1324 - -Upon receipt of a Request, the cFE shall load and initialize a hardware device -driver and connect it with the specified hardware handshaking and device -processing code. - -*Rationale: Need a standard device driver interface.* - -### cES1325 - -Upon receipt of a Request, the cFE shall unload a specified hardware device -driver and de-allocate all previously allocated resources used by the driver. - -*Rationale: Need a way of unloading, stopping a hardware device driver.* - -### cES1326 - -Upon receipt of a Request, the cFE shall disable a specified hardware device -driver. - -*Rationale: Need a way of temporarily disabling the device driver and it's -associated interrupt.* - -#### cES1326.1 - -If the specified hardware device driver is not loaded, then the cFE shall -record the error in the System Log, and return an error code. 
- -*Rationale: Cannot disable a device driver that is not loaded.* - -### cES1327 - -Upon receipt of a Request, the cFE shall re-enable a specified hardware device -driver. - -*Rationale: Need a way to re-enable the device driver and it's associated interrupt.* - -#### cES1327.1 - -If the specified hardware device driver is not loaded, then the cFE shall -record the error in the System Log, and return an error code. - -*Rationale: Cannot disable a device driver that is not loaded.* - -### cES1328 - -Upon receipt of a Request, the cFE shall copy the data starting at the Request -specified address to the Request specified Critical Data Store. - -#### cES1328.1 - -The cFE shall calculate a Data Integrity Value for the Request specified -Critical Data Store and store it. - -#### cES1328.2 - -If the Request Specified Critical Data Store does not exist then the data shall -not be copied. - -## Executive Services Subgroup: Hardware Interfaces {#cES15} - -### cES1500 - -Upon a Power-on Reset, the cFE shall identify the `` Power On -reset sub-type. - -*Rationale: Each mission may want to further distinguish between Processor reset -types in order to tailor their system's behavior. For example a mission may want -to take different behavior for a watchdog time out and the execution of the -processor's reset instructions.* - -### cES1501 - -Upon a Power-On Reset, the cFE shall clear the Executive Services System Log. - -*Rationale: Want to be able to determine what errors are logged by the cFE. -This log is not preserved on a Power-On reset.* - -### cES1502 - -Upon a Power-On Reset, the cFE shall clear the Executive Services Exception and -Reset Log. - -*Rationale: Want to be able to get a snapshot of some critical parameters prior -to a reset as well as log the resets that have occurred.* - -### cES1503 - -Upon a Power-On Reset, the cFE shall clear the Volatile File system. 
- -*Rationale: The Volatile File system is initialized during a Power-on Reset.* - -### cES1504 - -Upon a Power-On Reset, the cFE shall clear the contents of the Critical Data -Store. - -*Rationale: The purpose of the critical data store is to save data that an -Application wants to preserve across a processor restart. This area will be -cleared during a Power-On Reset.* - -### cES1505 - -Upon a Power-on Reset, the cFE shall create all operating system objects -required by the cFE. - -*Rationale: This is a table driven startup that includes: Core cFE Applications, -semaphores, queues, and shared memory segments. It can also contain calls to -initialize device drivers and interrupts.* - -### cES1506 - -Upon a Power-on Reset, the cFE shall mount the non-volatile file system. - -*Rationale: Non-volatile file system contains the files for each of the -cFE Applications. On a Power-On reset, the external cFE Applications are -loaded from the Volatile file system.* - -### cES1507 - -Upon a Power-on Reset, the cFE shall create, format and mount the volatile file -system. - -*Rationale: The volatile file system is a key part of the cFE. It is used for logs, -data files and new cFE Applications.* - -### cES1508 - -Upon a Power-on Reset, the cFE shall process all entries in the cFE Startup -File located in the non-volatile file system. - -*Rationale: There is a file that contains all of the Applications, Shared -Libraries, and Device Drivers that are to be created and started.* - -#### cES1508.1 - -The cFE shall create and start cFE Applications according to the entry in the -cFE Startup File. - -*Rationale: The cFE supports loading and creating new cFE Applications during -system startup.* - -#### cES1508.2 - -The cFE shall create and initialize cFE Shared Libraries according to the entry -in the cFE Startup File. 
- -*Rationale: The cFE supports creating and initializing cFE Shared Libraries -during system startup.* - -#### cES1508.3 - -The cFE shall create and initialize cFE Device Drivers according to the entry -in the cFE Startup File. - -*Rationale: The cFE supports loading and initializing cFE Device Drivers during -system startup.* - -### cES1509 - -Upon a Power On Reset, the cFE shall make an entry in the Executive Services -Exception and Reset Log, recording the Power On Reset. - -*Rationale: One purpose of the Executive Services Exception and Reset Log is -to log all resets.* - -### cES1510 - -Upon a Processor Reset, the cFE shall identify the `` -Processor reset sub-type. - -*Rationale: Each mission may want to further distinguish between Processor reset -types in order to tailor their system's behavior. For example a mission may want -to take different behavior for a watchdog time out and the execution of the -processor's reset instructions.* - -### cES1511 - -Upon a Processor Reset, the cFE shall preserve the Executive Services System -Log. - -*Rationale: ES needs to retain this information to support diagnosing cause of -processor reset as well as preserving information that is required to count -the number of resets.* - -### cES1512 - -Upon a Processor Reset, the cFE shall preserve the Executive Services Exception -and Reset Log. - -*Rationale: Want to be able to determine what errors are logged by the cFE. This -log is not preserved on a Power-On reset.* - -### cES1513 - -Upon a Processor Reset, the cFE shall preserve the Volatile File system. - -*Rationale: Want to be able to get a snapshot of some critical parameters -prior to a reset as well as log the resets that have occurred.* - -### cES1514 - -Upon a Processor Reset, the cFE shall preserve the contents of the Critical -Data Store. 
- -*Rationale: During a processor reset, the Volatile File System and it's contents -will be preserved.* - -### cES1515 - -Upon a Processor Reset, the cFE shall create all operating system objects -required by the cFE. - -*Rationale: The purpose of the critical data store is to save data that an -Application wants to preserve across a processor restart.* - -#### cES1515.1 - -If the creation of the operating system object fails, the cFE shall perform a -power on reset. - -*Rationale: Items such as tasks, semaphores, queues, and shared memory segments -would be initialized.* - -### cES1516 - -Upon a Processor Reset, the cFE shall mount the non-volatile file system. - -*Rationale: If the processor reset fails, then the software must default -to a safer Power-on Reset.* - -### cES1517 - -Upon a Processor Reset, the cFE shall check and mount the volatile file system. - -*Rationale: Non-volatile file system contains the files for each of the cFE -Applications. On a Power-On reset, the external cFE Applications can be -loaded from the Volatile file system.* - -#### cES1517.1 - -If the volatile file system check fails, the cFE shall format the volatile file -system and create a system log entry. - -*Rationale: Want to preserve the Volatile file system across a processor reset.* - -### cES1518 - -Upon a Processor Reset, the cFE shall process all entries in the cFE Startup -File located in the volatile file system. - -*Rationale: If the volatile file system is corrupt, it must be reformatted -to allow the cFE to function.* - -#### cES1518.1 - -The cFE shall create and start cFE Applications according to the entry in the -cFE Startup File. - -*Rationale: There is a file that contains all of the cFE Applications and -Shared Libraries that are to be loaded and started. The cFE will check to see -if this file is in the volatile file system. 
This file facilitates restarting -a processor using patches that were made.* - -#### cES1518.2 - -The cFE shall create and initialize Shared Libraries according to the entry in -the cFE Startup File. - -*Rationale: The cFE supports loading and creating new cFE Applications during -system startup.* - -### cES1519 - -If the system startup file is not present in the volatile file system then the -cFE shall process all entries in the cFE Startup File located in the -non-volatile file system. - -*Rationale: The cFE supports loading and initializing cFE Shared Libraries during -system startup.* - -#### cES1519.1 - -The cFE shall create and start cFE Applications according to the entry in the -cFE Startup File. - -*Rationale: Need to have a default system startup file which is used if there -is no system startup file in volatile memory.* - -#### cES1519.2 - -The cFE shall create and initialize Shared Libraries according to the entry in -the cFE Startup File. - -*Rationale: The cFE supports loading and creating new cFE Applications during -system startup.* - -### cES1520 - -Upon a Processor Reset, the cFE shall make an entry in the Executive Services -Exception and Reset Log recording the Processor Reset. - -*Rationale: The cFE supports loading and initializing cFE Shared Libraries -during system startup.* - -### cES1521 - -Upon a Processor Reset, the cFE shall preserve the following: - -- Boot Source -- Reset Type -- Reset Subtype -- Reset Reason -- Number of Processor Resets -- Maximum Processor Resets -- Number of entries in System Log -- Size of System Log -- Number of bytes used in the System Log - -*Rationale: The purpose of the Executive Services Exception and Reset Log is to -log all resets and all exceptions that occur.* - -### cES1522 - -Upon a Processor Reset, the cFE shall set the System Log Mode to discard. 
- -*Rationale: Want to preserve the System Events that may have captured the cause -of the processor reset.* - -## Executive Services Subgroup: Platform Adaptation {#cES17} - -### cES1700 - -The cFE shall support a maximum `` cFE Applications. - -*Rationale: TBD has never been exceeded on past missions. Need to -bound the number of Applications in order to size the Systems Resources -information.* - -### cES1702 - -The cFE shall detect all unmasked CPU exceptions. - -*Rationale: Need to be able to detect processor exceptions so that the -appropriate action can be taken.* - -#### cES1702.1 - -Upon detection of a CPU exception, the cFE shall add an entry in the Executive -Services Exception And Reset Log. - -*Rationale: Need to log processor exceptions so that the ground can have -visibility into the exception.* - -#### cES1702.2 - -If the CPU exception was caused by a cFE Application and the Exception Action -indicates that the Application can be started individually, the cFE shall -restart the cFE Application that caused the exception. - -*Rationale: In most cases, restarting the cFE application will clear up the -problem. In some cases, however, applications are tightly coupled with other -applications in which case, starting an individual application may have -undesirable consequences. The cFE should provide the ability to define if the -application should can be restarted or if a processor reset should occur.* - -#### cES1702.3 - -If the CPU exception was caused by the Operating System or cFE Core then the -cFE shall initiate a `` response. - -*Rationale: An exception in the cFE core or OS will restart the cFE, which -results in all cFE Applications being restarted.* - -### cES1703 - -The cFE shall detect all unmasked processor Floating Point Exceptions. 
- -*Rationale: The low level BSP routines allow the mission to determine -what Floating Point exceptions are masked, and what Floating Point -exceptions can interrupt the software.* - -#### cES1703.1 - -Upon detection of an unmasked Floating Point exception, the cFE shall add an -entry in the Executive Services Exception and Reset Log. - -*Rationale: Need to log unmasked Floating Point exceptions so that the ground -can have visibility into the exception.* - -#### cES1703.2 - -If the Floating Point exception was caused by a cFE Application and the -Exception Action indicates that the Application can be started individually, -the cFE shall restart the cFE Application that caused the exception. - -*Rationale: Want the capability to restart an individual application on a processor -reset. Not all Applications should be started individually as they may have some -dependencies that result in undesirable behavior. When the Application is started, -one of the parameters is whether to restart the app of perform a cFE processor reset.* - -#### cES1703.3 - -If the Floating Point exception was caused by the OS or cFE Core then the cFE -shall initiate a `` response. - -*Rationale: An exception in the cFE core or OS will restart the cFE, which results -in all cFE Applications being restarted.* - -### cES1704 - -The cFE shall support a `` byte volatile file system. - -*Rationale: TBD seems like a reasonable size based on heritage missions.* - -### cES1705 - -The cFE shall support a `` byte non-volatile file system. - -*Rationale: TBD seems like a reasonable size based on heritage missions.* - -### cES1706 - -The cFE shall support a `` byte Executive Services System Log. - -*Rationale: TBD seems like a reasonable size based on heritage missions.* - -### cES1707 - -The cFE shall support a `` byte Executive Services Exception -And Reset Log. 
- -*Rationale: TBD seems like a reasonable size based on heritage missions.* - -### cES1708 - -The cFE shall support a `` byte Critical Data Store. - -*Rationale: TBD seems like a reasonable size based on heritage missions.* - -### cES1709 - -If the cFE Core goes through `` Maximum Processor Resets, the -cFE shall initiate a Power-On Reset of the cFE. - -*Rationale: After a number of Processor Resets, the cFE will -attempt to recover by doing a Power-on Reset.* - -# Event Services Requirements (cEVS) {#cEVS} - -## Event Services Subgroup 30xx {#cEVS30} - -### cEVS3000 - -Upon receipt of Command the cFE shall enable/disable, as specified in the -Command, the future generation of Event Messages for the Command-specified -Event Type. - -*Rationale: Filtering by type allows the system to behave differently for -different users.* - -### cEVS3001 - -Upon receipt of Command, the cFE shall set the SB Event Format Mode to the -command specified value, either Long or Short. - -*Rationale: Providing a short format accommodates missions with limited telemetry -bandwidth. A long format is desirable because it contains the most information.* - -### cEVS3002 - -Upon receipt of Command the cFE shall generate a NO-OP event message. 
- -*Rationale: This command is useful as a general sub-system aliveness test.* - -### cEVS3003 - -Upon receipt of Command the cFE shall set the following counters to zero in -Event Services telemetry: - -- Valid Command Counter -- Invalid Command Counter -- Event Message Sent Counter -- Event Message Truncation Counter -- Unregistered Application Send Counter - -*Rationale: This command is a common feature in heritage sub-system software design.* - -### cEVS3004 - -Upon receipt of Command, the cFE shall write the following information to the -Command specified cFE EVS Application Data file for each registered -Application: - -- Application Event Message Sent Counter -- Application Event Service Enable Status -- Application Event Type Enable Statuses (one for each Event Type) -- Application Event IDs (for events to be filtered) -- Application Binary Filter Masks (one per registered Event ID) -- Application Binary Filter Counters (one per registered Event ID) - -*Rationale: Visibility of Application information is essential for FSW diagnostics, -testing and maintenance.* - -#### cEVS3004.1 - -If a file is not specified, the cFE shall use the `` filename. - -*Rationale: Want to provide a default in the event that a user does not want to -specify.* - -### cEVS3005 - -Upon receipt of valid command, the cFE shall increment the valid command -counter. - -*Rationale: The ground needs the capability to verify that the command was -received and accepted by the cFE. Details of valid commands are documented -in the cFE User' Guide.* - -### cEVS3006 - -Upon receipt of an invalid command, the cFE shall in increment the invalid -command counter. - -*Rationale: The ground needs an indicator if a command is rejected by the cFE. 
-Details of what makes a command invalid are documented in the cFE Developer's -Guide and the cFE User's Guide.* - -### cEVS3007 - -Upon receipt of Command the cFE shall enable/disable, as specified in the -Command, the future generation of Event Messages for the Command-specified -Application and Event Type. - -*Rationale: When diagnosing an Application it's useful to enable its informational -and diagnostic Event Messages.* - -### cEVS3008 - -Upon receipt of Command the cFE shall enable/disable, as specified in the -Command, the future generation of Event Messages for the Command-specified -Application. - -*Rationale: During development and integration it can be useful to turn off -an Application's Event Message's without regard of the Event Type.* - -### cEVS3009 - -Upon receipt of Command, the cFE shall set the Command-specified Application's -Event Message Sent Counter to zero. - -*Rationale: Allow operators the ability to reset the count of application events.* - -### cEVS3010 - -Upon receipt of Command, the cFE shall set an Application's Binary Filter -Counter to zero for the Command-specified Event ID. - -*Rationale: Clearing an Application's Filtered Event Message Counter is a convenient -method for resetting the filter on the event.* - -### cEVS3011 - -Upon receipt of Command, the cFE shall set all of an Application's Binary -Filter Counters to zero. - -*Rationale: Having the ability to reset all Application Filtered Event Message -Counters is a quick method for resetting all the application's event filters. -Note: This command gives operators the ability to reset all exhausted event filters -(i.e. send 16 and stop) so that filtered events may be generated once again.* - -### cEVS3012 - -Upon receipt of Command the cFE shall set an Application's Binary Filter Mask -to the Command-specified Event Filter for the given Application Event ID. 
- -*Rationale: Allow an operator to tune the system for a particular operational -environment.* - -### cEVS3013 - -_(OPTIONAL)_ Upon receipt of Command, the cFE shall clear the Local Event Log. - -*Rationale: Need to be able to clear the log if the event logging is operating -in discard mode.* - -### cEVS3014 - -_(OPTIONAL)_ Upon receipt of Command, the cFE shall set the Event Logging Mode -to the Command-specified mode, either overwrite or discard. - -*Rationale: While in Overwrite Mode the oldest logged event will be overwritten -by the new event when the Event Log Full Flag is set to true. While in Discard -Mode the new event will be discarded, preserving the contents of the full log. -Need the ability to switch between Event Message logging modes.* - -### cEVS3015 - -_(OPTIONAL)_ Upon receipt of Command, the cFE shall write the contents of the -Local Event Log to the Command specified file. - -*Rationale: Allows for ground view of the log. Local Event Log is not intended -for operation playback. The main purpose of the Local Event Log is for ground -testing. Ground operators may view the data file for playing back stored events.* - -#### cEVS3015.1 - -If a file is not specified, the cFE shall use the `` filename. - -*Rationale: Want to provide a default in the event that a user does not want to -specify one.* - -### cEVS3016 - -_(OPTIONAL)_ The cFE shall write each Event Message from the earliest logged -message to the most recently logged message. - -*Rationale: Ground operators like to see the progression of events in the order that -they occurred. In a scenario when a time correction has been made, the earliest -logged may not necessarily mean the oldest time stamp. This type of playback may not -be desirable for Event Logs of considerable size. 
It is worthwhile for cFE users to -keep Event Logs relatively small.* - -### cEVS3017 - -Upon receipt of Command the cFE shall enable/disable, as specified in the -Command, the routing of all future Event Messages to the Command -- specified Event Message Port. - -*Rationale: Event Message Output Ports may not be available or needed; therefore -the ability to configure sending to an Event Message Port is useful.* - -### cEVS3018 - -The cFE shall provide the following Event Service data items in telemetry (SB -Messages): - -- Valid Command CounterInvalid Command Counter -- SB Event Format ModeEvent Message Sent Counter -- Event Message Truncation Counter -- Unregistered Application Send Counter -- Event Message Output Port Enable Statuses -- _(OPTIONAL)_ Local Event Log Full Flag -- _(OPTIONAL)_ Local Event Log Overflow Counter -- _(OPTIONAL)_ Logging ModeFor each registered -- Application:Application Event Message Sent Counter -- Application Event Service Enable Status - - -### cEVS3019 - -Upon receipt of Command the cFE shall add the specified Event Filter for the -specified cFE Application and Event ID. - -*Rationale: Want to provide the ability for filters to be added at runtime. -Original implentation did not provide this capability which resulted in -modifications to Applications for those events that were not registered -(i.e. forgotten).* - -#### cEVS3019.1 - -If the Event ID is already registered for filtering, the cFE shall reject the -command and generate an event message. - -*Rationale: Filter is done on a per Event ID basis.* - -#### cEVS3019.2 - -If the maximum number of Event IDs have been registered for the specified -Application then the cFE shall reject the command and generate an event message. - -*Rationale: In order to scale the cFE, allocations are made for each -cFE Application (see cEVS3302)* - -### cEVS3020 - -Upon receipt of Command the cFE shall delete the specified Event Filter for the -specified cFE Appliction and Event ID. 
- -*Rationale: Want to be able to remove event filtering since the cFE limits the -number of filters that can be registered for a given cFE Application (see cEVS3302)* - -#### cEVS3020.1 - -If the Event ID is not registered for filtering then the cFE shall reject the -command and generate an event message. - -*Rationale: Notify caller that the Filter was not registered.* - -## Event Services Subgroup: Application Interface {#cEVS31} - -### cEVS3100 - -Upon receipt of Request, the cFE shall register an Application for event -service, enabling the Application Event Service Enable Status and storing the -following request specified Application data: Application Event IDs (for events -to be filtered) Application Binary Filter Masks (one per registered Event ID). - -*Rationale: Supports the cFE's dynamic Application model.* - -#### cEVS3100.1 - -Upon receipt of Request to register an Application for event service, the cFE -shall create one Application Binary Filter Counter per registered Event ID. - -*Rationale: Supports the cFE's Binary Filtering Algorithm.* - -#### cEVS3100.2 - -Upon receipt of Request to register an Application for event service, the cFE -shall create an Application Event Message Sent Counter. - -*Rationale: Supports the cFE's dynamic Application model.* - -#### cEVS3100.3 - -Upon receipt of Request to register an Application for event service, the cFE -shall use the `` Application Event Type Enable Statuses for -each event. - -*Rationale: By default each platform should have a standard configuration for -each event message type (eg. DEBUGs disable. INFO, ERROR and CRITICAL events -DISABLED) that should be applied to all events. 
Commands are available to -modify the settings.* - -### cEVS3101 - -Upon receipt of Request, the cFE shall un-register an Application from using -event services, deleting the following Application data: - -- Application Event Message Sent Counter -- Application Event Service Enable Status -- Application Event Type Enable Statuses (one for each Event Type) -- Application Filtered Event IDs -- Application Binary Filter Masks (one per registered Event ID) -- Application Binary Filter Counters (one per registered Event ID) - -*Rationale: Supports the cFE's dynamic Application model allowing applications to -clean up after themselves.* - -### cEVS3102 - -The cFE shall support the following Event Message Types: Debug Informational -Error Critical. - -*Rationale: Supports cFE event services.* - -### cEVS3103 - -Upon receipt of a Request to send an Event Message, the cFE shall create a -Short or Long Event Message, as specified by the SB Event Format Mode, ONLY if -the following cFE conditions are met: - -1. The requesting Applications Event Service Enable Status is Enabled. -2. The requesting Applications registered message filtering algorithm indicates -the message should be sent. -3. The requesting Applications Event Type Enable Status is Enabled for the -Event Type of the request-specified Event Message. - -*Rationale: Supports cFE event services* - -#### cEVS3103.1 - -If the requesting Application has been determined to be unregistered the cFE -shall increment the Unregistered Application Send Counter and send an event -message. 
- -*Rationale: Provides ground operators the ability to see when unregistered -applications are using event services.* - -#### cEVS3103.2 - -The cFE shall support the following data types within an applications Request -specified Event Data: - -- Signed Character -- Unsigned Character -- Short Integer -- Unsigned Short Integer -- Long Integer -- Unsigned Long Integer - -*Rationale: Not all processors supported under the cFE will allow floating point or -real types.* - - -#### cEVS3103.3 - -If the request specified Event ID has been registered for binary event -filtering, the cFE shall increment the request specified Application's Binary -Filter Counter for the request-specified Event ID. - -*Rationale: Support binary event filtering algorithm.* - -##### cEVS3103.3.1 - -If the Binary Filter Counter has reached its maximum value of 2^16^-1, the cFE -shall retain the maximum value (i.e. do not rollover to zero). - -*Rationale: Preventing a counter rollover to zero eliminates the case when a -user may think no events have occurred when in fact many events have occurred.* - -#### cEVS3103.4 - -If the SB Format Mode is set to Long, the cFE shall generate an SB Event -Message formatted as specified in the cFE User's Guide containing the -Spacecraft Time, Processor ID, Application ID, Event ID, Event Type, and the -Request-specified Event Data. - -*Rationale: To assist with system test and diagnostics it is important to -distinguish otherwise identical messages by their sources. This is especially -true in a distributed system with common subsystems. It is the intent of this -requirement to allow identical subsystems to be resident in multiple processors -within the flight system. In cases like this, the subsystem identifier, and -message identifier may be the same; only the processor identifier would make the -messages unique. A long format is desirable because it contains the most -information. 
Design Note: It is expected that in the implemented event service, -the API only requires the Event ID and Type, and that the underlying utility code -fills in the processor ID, and Application ID before the message is sent.* - -##### cEVS3103.4.1 - -If the Event Data is greater than the `` maximum Event Data, -the cFE shall truncate the Event Message with a string-termination character -and increment the Message Truncation Counter. - -*Rationale: It's important to know if data is lost, but it doesn't need to be -maintained on a per-Event ID basis, therefore a single counter is used. A -platform-defined length was considered but this prevents application reuse unless -a minimum length is specified.* - -#### cEVS3103.5 - -If the SB Format Mode is set to Short, the cFE shall generate an SB Event -Message formatted as specified in the cFE User's Guide containing the -spacecraft time, Processor ID, Application ID, Event ID, and Event Type. - -*Rationale: Providing a short format accommodates missions with limited -telemetry bandwidth.* - -#### cEVS3103.6 - -The requester shall be able to specify the Application ID to be used in the -Event Message. - -*Rationale: Need to provide APIs a way to specify an Application ID to ensure -the context of the Event is correct.* - -#### cEVS3103.7 - -The requester shall be able to specify the time to be used in the Event Message. - -*Rationale: This routine should be used in situations where an error condition is -detected at one time, but the event message is reported at a later time* - -### cEVS3104 - -**ID:** 1126 - -For each created Event Message, the cFE shall increment the Application Event -Message Sent Counter for the request -- specified Application. - -*Rationale: A counter provides a means for keeping track of how many events an -application has sent through the event service. 
Note: The Application Event -Message Sent Counter is incremented once regardless of how many enabled ports -the message has been sent through.* - -#### cEVS3104.1 - -If the Application Event Message Sent Counter has reached its maximum value of -2^16^-1, the cFE shall retain the maximum value (i.e. do not rollover to zero). - -*Rationale: Preventing a counter rollover to zero eliminates the case when a -user may think no events have occurred when in fact many events have occurred.* - -### cEVS3105 - -For each created Event Message, the cFE shall increment the Event Message Sent -Counter. - -*Rationale: A counter provides a means for keeping track of how many events have -been sent through the event service. Note: The Event Message Sent Counter is a -count of ALL messages sent through the Event Service regardless of the Application -sending the event. The Event Message Sent Counter is incremented once regardless -of how many enabled ports the message has been sent through.* - -#### cEVS3105.1 - -If the Event Message Sent Counter has reached its maximum value of 2^16^-1 the -cFE shall retain the maximum value (i.e. do not rollover to zero). - -*Rationale: Preventing a counter rollover to zero eliminates the case when a -user may think no events have occurred when in fact many events have occurred.* - -### cEVS3106 - -Upon receipt of a request, the cFE shall set an Application's Binary Filter -Counter to zero for the Application request-specified Event ID. - -*Rationale: Clearing an Application's Binary Filter Counter is a convenient method -for resetting the filter on the event.* - -### cEVS3107 - -Upon receipt of a request, the cFE shall set all of an Application's Binary -Filter Counters to zero for the request-specified Application. 
- -*Rationale: Having the ability to reset all Application Filtered Event Message -Counters is a quick method for resetting all the application's event filters.* - -### cEVS3108 - -_(OPTIONAL)_ For each created Event Message, the cFE shall store the Event -Message in the Local Event Log in the Long Event Message Format. - -*Rationale: It's useful to save Event Messages when external communications -is unavailable. This may occur during system initialization (especially events -generated from other cFE components) and during a communications failure.* - -#### cEVS3108.1 - -_(OPTIONAL)_ If the Local Event Log becomes full, the cFE shall set the Local -Event Log Full Flag to true. - -*Rationale: Ground operations needs to know the state of the Local Even Log.* - -#### cEVS3108.2 - -_(OPTIONAL)_ If the Local Event Log is full, the cFE shall increment the Local -Event Log Overflow counter. - -*Rationale: Ground operations needs to know how many Event Messages were discarded -or overwritten.* - -#### cEVS3108.3 - -_(OPTIONAL)_ If the Local Event Log is full, the cFE shall either (1) overwrite -the oldest Event Message if the Event Logging Mode is overwrite, or (2) discard -the Event Message if the Event Logging Mode is discard. - -*Rationale: Overwriting the oldest message is useful for nominal operations because -a user doesn't need to periodically clear the Log. If an error occurs when there's -no communication then the Local Event Log size must be large enough to retain the Event -Messages since communications was lost. Discarding the newest Event Message is useful for -trouble shooting a problem. For example there may be a problem during processor initialization -that occurs when there's no communications with the processor interfacing with the User. In -this case the original Event Messages are critical to solving the problem so they should be -preserved. 
Note that the Event Logging Mode can be changed via stored commanding.* - -### cEVS3109 - -For each created Event Message, the cFE shall route the Event Message, -formatted as an ASCII text string, to each enabled Event Message Output Port. - -*Rationale: Debug ports are very useful for FSW development and maintenance.* - -### cEVS3110 - -Upon receipt of Request the cFE shall free resources allocation for the -specified Application. - -*Rationale: Need to be able to remove all resources associated with an -application when Deleting, Restarting or Reloading an Application. In -addtion, this is required as part of a Processor Reset* - -## Event Services Subgroup: Hardware Interfaces {#cEVS32} - -### cEVS3200 - -Upon a Power-on Reset, the cFE shall set the `` Event Message -Output Ports to their `` default state: - -- Port Number 1: `` -- Port Number 2: `` -- Port Number 3: `` -- Port Number 4: `` - -*Rationale: Event Message Ports are customized for each platform. A rationale for -all of the Power-on Reset requirements is that the cFE must initialize to a known -state.* - -### cEVS3201 - -Upon a Power-on Reset, the cFE shall set SB Event Format Mode to Long. - -*Rationale: Each mission must determine what format they need.* - -### cEVS3202 - -_(OPTIONAL)_ Upon a Power-on Reset, the cFE shall set the Local Event Log Full -Flag to false. - -*Rationale: Set cFE to default status across Power-on Resets.* - -### cEVS3203 - -_(OPTIONAL)_ Upon a Power-on Reset, the cFE shall set the Event Logging Mode to -``. - -*Rationale: Set cFE to default status across Power-on Resets.* - -### cEVS3207 - -_(OPTIONAL)_ Upon a Processor Reset, the cFE shall preserve or overwrite the -contents of the Local Event Log based on the setting of the Event Logging Mode -configuration parameter. - -Note: The contents of the Local Event Log will be preserved if the Event -Logging Mode is configured to Discard (1). 
The contents of the Local Event Log -may be overwritten (depending on the size and contents of the log prior to the -reset) if the Event Logging Mode is configured to Overwrite (0). - -*Rationale: Try to retain the contents even across a processor reset because -there may be useful diagnostic information.* - -### cEVS3208 - -OPTIONAL> Upon a Processor Reset, the cFE shall preserve the Local Event Log -Full state. - -*Rationale: Retain the cFE state across Processor Resets.* - -### cEVS3209 - -_(OPTIONAL)_ Upon a Processor Reset, the cFE shall set the Event Logging Mode -to the `` value. - -*Rationale: Retain the cFE state across Processor Resets.* - -### cEVS3210 - -_(OPTIONAL)_ Upon a Processor Reset, the cFE shall preserve the Local Event Log -Overflow Counter. - -*Rationale: Retain the cFE state across Processor Resets* - -## Event Services Subgroup: Platform Adaptation {#cEVS33} - -### cEVS3300 - -The cFE shall support `` Event Message Ports. - -*Rationale: Since the number of Event Message Ports is hardware dependent a -mission must be able to specify how many ports it will support.* - -### cEVS3301 - -_(OPTIONAL)_ The cFE shall define a Local Event Log with a capacity of -`` Event Messages. - -*Rationale: Each mission's processor card memory capacities will dictate -what is reasonable.* - -### cEVS3302 - -The cFE shall support `` Event Message Filters per cFE -Application. - -*Rationale: Each cFE Application that register with EVS is allocated memory to -support this limit.* - -# Software Bus Requirements (cSB) {#cSB} - -## Software Bus Subgroup: Operational Interface {#cSB40} - -### cSB4000 - -Upon receipt of a NOOP command, the cFE shall increment the command counter. 
- -*Rationale: Useful for verifying communication between the ground and SB task.* - -### cSB4001 - -Upon receipt of Command the cFE shall set to zero the following counters in -housekeeping telemetry: - -- Valid command counter -- Invalid command counter -- No subscriptions counter -- Message send error counter -- Message receive error counter -- Create Pipe error counter -- Subscribe error counter -- Pipe Overflow error counter -- MsdID-to-pipe limit error counter - -*Rationale: Providing a clear counter command eliminates the need for operators -or onboard scripts to keep track of the last value of the counter.* - -### cSB4002 - -Upon receipt of a Command, the cFE shall send an SB Message containing the SB -statistics. - -*Rationale: Visibility of the SB statistics is essential for FSW diagnostics, -testing, and maintenance.* - -### cSB4003 - -Upon receipt of a Command, the cFE shall save the SB routing information to the -Command specified file. - -*Rationale: Visibility of the SB routing information is essential for FSW -diagnostics, testing, and maintenance.* - -#### cSB4003.1 - -If a file is not specified, the cFE shall use the `` filename. - -*Rationale: Want to provide a default in the event that a user does not want to -specify one.* - -### cSB4004 - -Upon receipt of a Command, the cFE shall enable or disable routing the command -specified message to the command specified pipe. - -*Rationale: Supports testing and maintenance. 
In testing, it may be desirable -to enable/disable routing a message to a diagnostic application.* - -### cSB4005 - -The cFE shall send an SB Message containing the following housekeeping -telemetry items: - -- Valid command counter -- Invalid command counter -- No subscriptions counter -- Message send error counter -- Message receive error counter -- Pipe overflow error counter -- MsgId-to-pipe limit error counter - -*Rationale: SB Telemetry is essential for operations, FSW diagnostics, -testing, and maintenance.* - -### cSB4007 - -Upon receipt of a Command, the cFE shall save the Pipe information to the -Command specified a file. - -*Rationale: This gives detailed information about each pipe such as owner -of the pipe, queue depth and send errors which can be used for diagnostics purposes.* - -#### cSB4007.1 - -If a file is not specified, the cFE shall use the `` filename. - -*Rationale: Want to provide a default in the event that a user does not want to -specify one.* - -### cSB4008 - -Upon receipt of a Command, the cFE shall save the message map information to -the Command specified a file. - -*Rationale: This information provides information pertaining to the internals -of the SB (Msg ID, and sB Routing table index) which can be used for -diagnostic purposes.* - -#### cSB4008.1 - -If a file is not specified, the cFE shall use the `` filename. - -*Rationale: Want to provide a default in the event that a user does not want to -specify one.* - -## Software Bus Subgroup: Application Interface {#cSB43} - -### cSB4300 - -The cFE shall provide a zero-copy message transfer mode for intra-processor -communication. - -*Rationale: The heritage software bus offered a zero-copy mode, it was used -for transferring large packets from one application to another on the same -processor. 
The cost of the zero-copy mode is a more complex application -interface.* - -### cSB4301 - -Upon receipt of a Request to create a Pipe, the cFE shall create a Pipe with -the Request-specified Pipe Depth and the Request-specified name. - -*Rationale: Runtime creation of Pipes supports the cFE goals of easy -Application integration and system reconfiguration.* - -### cSB4302 - -Upon receipt of a Request to delete a Pipe, the cFE shall Unsubscribe all -messages to the Request-specified Pipe, then remove the Pipe from the Routing -Information. - -*Rationale: An Application must be capable of freeing its own resources* - -### cSB4303 - -Upon receipt of a Request to Subscribe to an SB message, the cFE shall -establish a route using the Request-specified Message ID, the Request-specified -Pipe ID, the Request-specified MsgId-to-Pipe limit and the Request-specified -QoS. - -*Rationale: Runtime subscription supports the cFE goals of easy system\ -integration and runtime reconfigurations.* - -#### cSB4303.1 - -If the Subscription is a duplicate of a previous subscription then the cFE -shall issue and event message. - -*Rationale: Duplicate subscriptions are still a success, however, want to -notify the ground.* - -### cSB4304 - -Upon receipt of a Request to Unsubscribe to an SB Message, the cFE shall remove -the route corresponding to the Request-specified Message Id and the -Request-specified Pipe Id from the Routing Information. - -*Rationale: Allow an Application to dynamically change what Messages it receives. -Comments: Since the ground can manipulate the state of the routing, it is not -considered an error if the Message is not currently being subscribed to when an -unsubscribe request is made.* - -### cSB4305 - -Upon receipt of a Request to send an SB Message, the cFE shall route the SB -Message to the Pipes of all Applications that have Subscribed to the SB Message. 
- -*Rationale: This form of message passing, supports one-to-one, one-to-many, and -many-to-one (all desired by branch members) in a flexible, low overhead manner. -Comment: It has been common for telemetry packets to be sent to many -destinations, such as a real-time telemetry.* - -#### cSB4305.1 - -The cFE shall limit the number of messages of a particular Message ID that can -be sent to an Application's Pipe. - -*Rationale: Prevent an errant application from monopolizing a Software Bus Pipe. -This feature was part of the heritage software bus and was found to be a useful -diagnostic feature. Comment: When subscribing to a packet, an Application -can specify a limit on the n* - -#### cSB4305.3 - -If routing a Message to an Application's Pipe results in a Pipe Overflow, the -cFE shall abort the send to that pipe, issue an event, and continue sending to -the remaining pipes. - -*Rationale: The ground needs to know if a message cannot be routed to its -destination. Comment: A Pipe Overflow occurs when the SB attempts to write -to a Pipe that is completely full of SB messages. The number of messages a -Pipe is capable of storing is defined by a platform configuration parameter.* - -#### cSB4305.4 - -If routing a Message to an Application's Pipe would exceed the MsgId-to-Pipe -Limit, the cFE shall abort the send to that pipe, issue an event, and continue -sending to the remaining pipes. - -*Rationale: The ground needs to know if a message cannot be routed to its -destination. Comment: The MsgId-to-Pipe Limit is exceeded when the SB attempts -to write to a Pipe that contains the maximum number of messages of a particular -Message Id.* - -#### cSB4305.5 - -Upon receipt of a Request to send a Message, if no Application's have -Subscribed to the Message, the cFE shall increment the No Subscriber's Counter -and send an event that displays the Message ID. 
- -*Rationale: A single counter is enough to notify operators that there are no -receivers for a packet that is being sent. The 'no subscriber's' event is -completely filtered by default. The ground can unfilter the 'no subscribers' -event to get more information about the* - -#### cSB4305.6 - -If the SB Message is greater than the `` bytes then the -cFE shall not send the message, issue and event message and increment the -message send error counter. - -### cSB4306 - -Upon receipt of a Request to receive a SB Message from a Pipe without a -timeout, the cFE shall remove the next SB Message from the Pipe and provide the -message to the Application. - -*Rationale: Applications need a mechanism to retrieve the SB Message they have -subscribed to receive. A receive Request without a suspension timeout provides -a non-blocking method of retrieving SB messages. Receives are performed on a -Pipe basis not on a SB Message b* - -### cSB4307 - -Upon receipt of a Request to receive a SB Message from a Pipe with a pending -timeout, the cFE shall suspend execution of the Application until a SB Message -is present on the Pipe or the timeout has expired. - -*Rationale: A receive Request with a suspension timeout provides a blocking -method of retrieving SB messages. This is useful for data driven Applications -and has been used on all heritage missions with a SB. The timeout is useful for -fault recovery for Applications t* - -### cSB4308 - -Upon receipt of a Request to receive a SB Message from a Pipe with an infinite -timeout, the cFE shall suspend execution of the Application until a SB Message -is present on the Pipe. - -*Rationale: This mode of receiving has been the most commonly used mode on the -heritage SB.* - -### cSB4309 - -Upon receipt of a Request, the cFE shall provide sender information for the -last message received on an Application's Pipe. - -*Rationale: Heritage SB did a 'valid senders check' before delivering a packet -to a pipe. 
Since the cFE supports a dynamic environment and the sender of a -packet is somewhat unknown, the cFE must provide a means for the application to -do the 'valid sender check'* - -### cSB4310 - -Upon receipt of Request the cFE shall free resources allocation for the -specified Application. - -*Rationale: Need to be able to remove all resources associatedwith an -application when Deleting, Restarting or Reloading an Application. -In addtion, this is required as part of a Processor Reset.* - -## Software Bus Subgroup: Hardware Interfaces {#cSB45} - -### cSB4500 - -Upon a Power-on Reset the cFE shall initialize the Routing Information and -clear all error counters. - -*Rationale: The cFE must initialize to a known state.* - -### cSB4501 - -Upon a Processor Reset the cFE shall initialize the Routing Information and -clear all error counters. - -*Rationale: The cFE must initialize to a known state.* - -## Software Bus Subgroup: Platform Adaptation {#cSB47} - -### cSB4700 - -The cFE shall support a maximum of `` Message ID's. - -*Rationale: Allow a mission to scale the number of messages it can process to -reduce SB memory usage. A maximum is specified to yield an efficient design. -1024 was chosen as the default based on the message count of previous missions.* - -### cSB4701 - -The cFE shall support a `` bytes maximum system packet -size. - -*Rationale: The cFE must have some protection in the event that the packet -length field of a sender's packet becomes corrupted or is invalid.* - -### cSB4704 - -The cFE shall support a maximum of `` Destinations for a -Message ID. - -*Rationale: Allow a mission to scale the number of destinations per message ID -to reduce memory requirements. A maximum is specified to yield an efficient -design. The default of 16 is used in the heritage SB.* - -### cSB4705 - -The cFE shall support a maximum of `` Pipes per -processor. - -*Rationale: Allow a mission to scale the number of Pipes to reduce memory -requirements. 
The default of 255 allows a single byte to be used for the -pipe id.* - -### cSB4706 - -The cFE shall support a maximum Pipe depth of `` SB -Messages. - -*Rationale: Allow a mission to scale the Pipe depth to reduce memory -requirements. The default of 65535 is a power of 2 which may simplify -implementation and based on recent missions 64 SB Messages is more than -adequate.* - -# Table Services Requirements (cTBL) {#cTBL} - -## Table Services Subgroup: Operational Interface {#cTBL60} - -### cTBL6000 - -Upon receipt of Command the cFE shall load an Inactive Table Image with the -contents of the Command specified File. - -*Rationale: Loading from a file allows for multiple versions of a table to -be stored on board and loaded to the active table when appropriate. Design -Note: The file header will identify the Table that the file contents are for.* - -#### cTBL6000.1 - -If the Command specified file's header indicates that the file contains only a -portion of the Table, the cFE shall first load an Inactive Table Image with the -contents of the Active Table Image and then load the contents of the Command -specified File. - -*Rationale: A Partial Table load capability is useful when dealing with large -Tables. It helps to ensure that additional parameters are not unintentionally -modified, reduces command time required to perform a Table update and is a -feature that has been used on previous missions.* - -#### cTBL6000.2 - -If the number of data bytes contained in the file is greater than the maximum -size of the table then the load shall be aborted and an event message shall be -generated. - -*Rationale: This is a sanity check to make sure that the ground generated table -load does not include more data than a table can handle.* - -#### cTBL6000.3 - -If the number of bytes specified in the file's header is not equal to the -number of data bytes contained in the file then the load shall be aborted and -an event message be generated. 
- -*Rationale: This is another sanity check to make sure that thenumber of bytes -specified in thefile header is equal to the number of data bytes in the file.* - -#### cTBL6000.4 - -The Inactive Table Image shall only be loaded with the contents of the Active -Table if the Inactive Table Image has not been initialized. - -*Rationale: Want to be able to perform successive partial table loads. The -first partial load of a table requires that the inactive table image be -initalized with the active table image (see cTBL6000.2). Any subsequent loads -should be made with the exisiting contents of the Inactive Buffer.* - -#### cTBL6000.5 - -If the specified table is defined as Dump Only then the command shall be -rejected and an event message be generated. - -*Rationale: Dump only tables cant be loaded.* - -### cTBL6001 - -Upon receipt of Command the cFE shall dump the Command specified Active or -Inactive Table contents to a Command specified File. - -*Rationale: Dumping the contents of a table to a file simplifies the -telemetering of Table contents. The file transfer protocol between the ground -and the spacecraft is capable of handling variable sized files. The -telemetering of Table contents directly to ground.* - - -### cTBL6002 - -Upon receipt of Command the cFE shall determine the validity of the contents of -either the Active or Inactive Table Image of the Command specified Table. - -*Rationale: Operations needs to verify the contents of an Inactive Table before -Committing it. Similarly, operations personnel may need to re-validate or -identify the contents of an Active Table.* - -#### cTBL6002.1 - -The cFE shall compute a Data Integrity Check Value on the contents of either -the Active or Inactive Table Image of the Command specified Table and report -the result in telemetry. 
- -*Rationale: A Data Integrity Check Value can provide a quick method of -validating the proper contents of a Table without performing a Table Dump -and Comparison.* - -#### cTBL6002.2 - -The cFE shall Request an Application to validate the contents of either the -Active or Inactive Table Image of the Command specified Table and report the -result in telemetry. - -*Rationale: A Table Validation function provided by the Application can -verify that the data content of a Table are reasonable.* - -### cTBL6003 - -Upon receipt of Command the cFE shall make an Inactive Table Image of the -Command specified Table the Active Table Image. - -*Rationale: A Commit Command is useful by allowing modifications and the -verification of those modifications to be accomplished in the background -while an Application continues to use its previous Table data. Then, upon -Command, the new Table data is made Active.* - -#### cTBL6003.1 - -If a Table Validation Function exists for the specified Table, the Inactive -Table Image shall be validated. - -*Rationale: Validation functions are there for a reason so want to prevent -loading invalid tables. Inactive buffer retains the data so that the ground -can dump the contents to see why the validation failed.* - -##### cTBL6003.1.1 - -If the Inactive Table Image fails validation then the Inactive Table Image -shall not be loaded into the Active Table Image. - -*Rationale: Prevent loading of an invalid table. Note that the Inactive Table -still contains the table image so that the ground can dump it.* - -##### cTBL6003.1.2 - -If a Table Validation Function does not exist for the specified Table, the -Table shall be considered valid. - -*Rationale: If there is no validation function then assume the table has -good data in it (no way to check otherwise).* - -### cTBL6005 - -Upon receipt of Command the cFE shall write the contents of the Table Registry -to a file. 
- -*Rationale: The Table Registry will provide a list of the Tables currently -registered, their attributes (double or single-buffered, dump-only, etc), a -history of what files were last loaded into the Active Table Images, what -time the load occurred and whether the ima* - -#### cTBL6005.1 - -If a file is not specified, the cFE shall use the `` filename. - -*Rationale: Want to provide a default in the event that a user does not want to -specify one.* - -### cTBL6006 - -Upon receipt of Command the cFE shall telemeter the contents of the Table -Registry associated with a Command specified Table. - -*Rationale: Operations personnel may wish to see the attributes (double or -single-buffered, dump-only, etc), a history of what file(s) was/were last\ -loaded into the Active Table Image, what time the load(s) occurred, etc.* - -### cTBL6007 - -Upon receipt of Command the cFE shall generate a NO-OP event message. - -*Rationale: This command is useful as a general sub-system aliveness test.* - -### cTBL6008 - -Upon receipt of Command the cFE shall set the following counters reported in -telemetry to zero: - -- Valid Command Counter -- Invalid Command Counter -- Number of Validation Requests -- Number of successful Table Validations -- Number of Unsuccessful Validations -- Number of Completed Validations - -*Rationale: This command is a common feature in heritage sub-system software -design.* - -### cTBL6009 - -Upon receipt of valid command, the cFE shall increment the valid command -counter. - -*Rationale: The ground needs the capability to verify that the command was -received a accepted by the cFE. Details of valid commands are documented -in the cFE User's Guide.* - -### cTBL6010 - -Upon receipt of an invalid command, the cFE shall in increment the invalid -command counter. - -*Rationale: The ground needs an indicator if a command is rejected by the cFE. 
-Details of what makes a command invalid are documented in the cFE User's Guide.* - -### cTBL6011 - -The cFE shall provide the following Table Service data items in telemetry (SB -Messages): - -- Valid Command Counter -- Invalid Command Counter -- Number of Tables Currently Registered -- Table Identifier of Last Table Modified -- Time of Last Table Modification -- Source Filename of Last Table Load -- Destination Filename of Last Table Dump -- Table Identifier of Commanded Data Integrity Check -- Commanded Data Integrity Check Value -- Commanded Table Verification Function Result -- Number of unused Shared Buffers -- Table Name of Last Table Load - -### cTBL6012 - -Upon receipt of Command the cFE shall abort the loading of the specified Table. - -*Rationale: The ground needs a way to clear the inactive buffer of all loads in -the event, for example, that erroneous values were loaded to the table by the -ground. Note that once a table is activated, it cannot be aborted (significant -for double-buffer tables).* - -#### cTBL6012.1 - -If the Table buffering characteristics for the specified Table indicate that it -is a Single-buffered Table, then the allocated shared buffer shall be released. - -*Rationale: The shared buffer being used for this table load should be placed -back into the pool of available shared buffers.* - -#### cTBL6012.2 - -If the Table buffering characteristics for the specified Table indicate that it -is a Double-buffered table, then the inactive buffer shall be marked as -uninitalized. - -*Rationale: Need to make sure that the table image gets re-initalized with the -contents of the active buffer prior to a subsequent load after an abort command -is sent (see cTBL6000.4)* - -#### cTBL6012.3 - -The Table Registry shall indicate that there are no loads pending for the -specified Table. 
- -*Rationale: Status of the table needs to updated to reflect that* - -## Table Services Subgroup: Application Interface {#cTBL63} - -### cTBL6300 - -Upon receipt of Request, the cFE shall create a zero filled Table Image with -the Request specified name, size, buffering characteristics (single or -double-buffer), dump-only characteristics, and criticality and Table Validation -Function address. - -*Rationale: Supports the cFE's dynamic Application model. Note: Tables will be -able to be either single or double-buffered. Double-buffering will allow -instantaneous updates from the Application's point of view and will be useful for -interrupt service routines, etc. However, double-buffering will consume more -memory resources. The Table Validation Function is optionally provided by the -Application and is called when a Command to Validate the table is made. Note that -a zero filled image will not be created if the Application specifies an address for -the dump-only table (see cTBL6300.1).* - -#### cTBL6300.1 - -The cFE shall allow an Application to specify an address as the one and only -buffer for a dump-only Table. - -*Rationale: Heritage code allowed for dump only tables to come from an address -instead of a true table. In this case, table services does not allocate any -memory for the dump only table. This is referred to an an -Application-Defined-Address-Table.* - -### cTBL6301 - -Upon receipt of Request, the cFE shall free the resources associated the -Request specified Application. - -*Rationale: When an Application exits prematurely, the cFE requires a -mechanism to free resources allocated to that Application.* - -### cTBL6302 - -Upon receipt of Request, the cFE shall initialize the contents of the Request -specified Table Image with the contents of the Request specified File. 
- -*Rationale: Supports the cFE's dynamic Application model.* - -#### cTBL6302.1 - -If the Request specified File contains more data than the size of the Request -specified Table, the Table Image will not be initialized and an Event Message -shall be generated. - -*Rationale: If a File contains more data than memory allows, there is a high -likelihood that the Application is expecting the data to be in a different -format. Additionally, the cFE would not know whether to throw out the last -part or the first part of the data.* - -#### cTBL6302.2 - -If the Request specified File contains less data than the size of the Request -specified Table, the first portion of the Table Image will be initialized with -the contents of the File and an Event Message shall be generated. - -*Rationale: Some tables may allocate more space than is necessary at all times. -The Event Message will serve as a warning but not prevent the initialization of -the Table.* - -### cTBL6303 - -Upon receipt of Request, the cFE shall provide the calling Application with a -unique identifier of an existing Table Image. - -*Rationale: Some Applications will not want to create a Table but obtain a -handle to one that is created by another Application.* - -### cTBL6304 - -Upon receipt of Request, the cFE shall free resources allocated for the Request -specified Table. - -*Rationale: Supports the cFE's dynamic Application model.* - -### cTBL6305 - -Upon receipt of Request, the cFE shall provide the calling Application with the -address of the Request specified Table data. - -*Rationale: The Table Service 'owns' all Tables and Applications must ask for -the current address of the data because the Table Service may move the Table as -updates are made.* - -#### cTBL6305.1 - -Upon providing a calling Application with the address of a Table's data, the -cFE shall lock the contents of the Table to prevent modification. 
- -*Rationale: The Table Service must wait for an Application to be done with the -contents of the Table before considering modifying its contents. This ensures -data integrity while the Application accesses the Table contents. Note: More -than one Application can access* - -#### cTBL6305.2 - -If a Table has been modified since the last Table address request, the cFE -shall notify the calling Application that the Table has been modified. - -*Rationale: An Application may need to know when the contents of a Table have -been updated.* - -### cTBL6306 - -Upon receipt of Request, the cFE shall unlock the contents of the Request -specified Table. - -*Rationale: The Table Service must wait for an Application to be done with -the contents of the Table before considering modifying its contents. This -ensures data integrity while the Application accesses the Table contents. -Note: More than one Application can access* - -### cTBL6308 - -Upon receipt of Request, the cFE shall update the request specified Table if a -load is pending and it is unlocked. - -*Rationale: This gives control to the Application as to when the table update -occurs.* - -#### cTBL6308.1 - -If a Table is locked when an update Request is made, an appropriate error code -shall be returned to the calling Application and the update shall not occur. 
- -### cTBL6309 - -Upon receipt of Request, the cFE shall provide the following information to the -calling Application for the specified Table: - -- Size of the table -- Number of Users the access to the table (sharing) -- Filename of the last file used to modify the table -- File creation time of last file used to modify the table -- Time of last modificationFlag indicating if the Table has been initialized -- Flag indicating if the Table is dump only -- Flag indicating if the Table has a dedicated buffer -- Flag indicating if the table is maintained in the Critical Data Store - -### cTBL6310 - -Upon receipt of Request the cFE shall indicate if the specified table has a -validation, update, or dump pending. - -*Rationale: Applications must periodically check to see if they need to perform -updates, validations or dumps.* - -### cTBL6311 - -Upon receipt of Request, the cFE shall provide the calling Application with the -addresses of the data for the tables requested if more than one table is needed. - -*Rationale: Applications may need to work with more than one table at a time.* - -#### cTBL6311.1 - -Upon providing a calling Application with the addresses of a Tables' data, the -cFE shall lock the contents of the Tables to prevent modification. - -*Rationale: The Table Service must wait for an Application to be done with the -contents of the Table before considering modifying its contents. This ensures -data integrity while the Application accesses the Table contents.* - -#### cTBL6311.2 - -If at least one Table has been modified since the last Table addresses request, -the cFE shall notify the calling Application that a Table has been modified. - -*Rationale: An Application may need to know when the contents of a Tables has -been updated; the Application just won't know which one.* - -### cTBL6312 - -Upon receipt of Request, the cFE shall unlock the contents of the Request -specified Tables. 
- -*Rationale: Applications may been to work with more than one table at a time.* - -## Table Services Subgroup: Hardware Interfaces {#cTBL65} - -### cTBL6500 - -Upon a Power-on Reset all Table resources will be freed. - -*Rationale: The Table Service cannot assume the contents -of any Table is legitimate after a reset.* - -### cTBL6501 - -Upon a Processor Reset all Table resources will be freed. - -*Rationale: The Table Service cannot assume the contents -of any Table is legitimate after a reset.* - -#### cTBL6501.1 - -If the Table is a critical table then the contents of the Table shall be -preserved. - -*Rationale: Goal of a processor reset is preserve certain data to facillitate -recovery.* - -## Table Services Subgroup: Platform Adaptation {#cTBL67} - -### cTBL6700 - -The cFE shall support `` Tables. - -*Rationale: Each mission's processor card memory capacities will dictate what -is reasonable.* - -### cTBL6701 - -The cFE shall support `` Single - -- Buffer Table Loads and Application -- Defined -- Address -- Table dumps simultaneously - -*Rationale: It is desirable to allow for Tables to be modified by ground command -while other Tables are be being modified autonomously by on board software -(i.e. stored command processor, etc). This limit represents the total supported -for the combined number of Single-Buffer and Application-Defined-Address-Table -Tables being loaded.* - -# Time Services Requirements (cTIME) {#cTIME} - -## Time Services Subgroup: Operational Interface {#cTIME20} - -### cTIME2000 - -Upon receipt of Command the cFE shall generate a Software Bus message that -includes the following items: Time StatusMETSTCFLeap SecondsSTCF continuous -adjustment value. - -*Rationale: It is common for sub-systems to report housekeeping status upon -receipt of a housekeeping request command.* - -### cTIME2001 - -Upon receipt of Command the cFE shall generate a NO-OP event message. 
(Time -Server and Time Client) - -*Rationale: This command is useful as a general sub-system aliveness test.* - -### cTIME2002 - -Upon receipt of Command the cFE shall set to zero all counters reported in Time -Services telemetry. (Time Server and Time Client) - -*Rationale: This command is a common feature in heritage sub-system software design.* - -### cTIME2003 - -Upon receipt of valid command, the cFE shall increment the valid command -counter. - -*Rationale: The ground needs the capability to verify that the command was received -and accepted by the cFE. Details of valid commands are documented in the cFE -User's Guide.* - -### cTIME2004 - -Upon receipt of an invalid command, the cFE shall in increment the invalid -command counter. - -*Rationale: The ground needs an indicator if a command is rejected by the cFE. -Details of what makes a command invalid are documented in the cFE Uer's Guide.* - -### cTIME2005 - -Upon receipt of Command the cFE shall set the number of Leap Seconds to the -Command-specified value. - -*Rationale: The decision to introduce a leap second in UTC is the responsibility -of the International Earth Rotation Service (IERS). The count of Leap Seconds has -been incremented about every 500 days since 1972. It is therefore likely that a -mission will need to update.* - -### cTIME2006 - -Upon receipt of Command the cFE shall set the STCF to the Command-specified -value. - -*Rationale: The cFE must be provided with the appropriate correlation factor, -that when combined with the current MET and Leap Seconds values, will result -in current time. Historically this command has been referred to as -'jam loading' time.* - -### cTIME2007 - -Upon receipt of Command the cFE shall compute a new value for STCF using the -Command-specified value as current time. - -*Rationale: This command provides a useful alternative to setting the STCF -explicitly, as the command does not require knowledge of the current MET value. 
-Note: If the default time format is TAI then the new value for STCF is the -Command-specified time value less MET.* - -### cTIME2008 - -Upon receipt of Command the cFE shall make a one time delta adjustment to the -STCF by the Command-specified value. - -*Rationale: It is common to set the clock as a delta adjustment from the current -time value. Comment: The commanded value is signed so a positive or negative -adjustment may be made. Note, there's no need for a command to apply a 'large' -adjustment over a command-spec.* - -### cTIME2009 - -Upon receipt of Command the cFE shall make a continuous 1Hz delta adjustment to -the STCF by the Command-specified value. - -*Rationale: Upon receipt of a Command to make a 'continuous' adjustment to the STCF, -the cFE shall adjust the STCF each second by the Command-specified value. Comment: The -commanded value is signed so a positive or negative adjustment may be made.* - -### cTIME2010 - -`` Upon receipt of Command the cFE shall switch to the -Command-specified hardware clock source. - -*Rationale: This command is extremely hardware configuration dependent. -The number and nature of alternate clocks will vary by system. Many system designs -provide primary and redundant clock sources (tone signals) and require autonomous -clock switching based on failure.* - -### cTIME2011 - -Upon receipt of Command the cFE shall generate a Software Bus message that -includes time diagnostic information. - -*Rationale: When testing or debugging the time application, more details about -time services are required.* - -### cTIME2012 - -Upon receipt of Command the cFE Time Services shall enter the Flywheel state. - -*Rationale: * - -#### cTIME2012.1 - -The cFE shall ignore Time Updates while in Flywheel state. - -*Rationale: * - -### cTIME2013 - -Upon receipt of Command the cFE shall adjust the spacecraft time by adding the -Command specified value (seconds and subseconds) to spacecraft time. 
- -*Rationale: * - -### cTIME2014 - -SR1306 Upon receipt of Command the cFE shall adjust the spacecraft time by -subtracting the Command specified value (seconds and subseconds) from -spacecraft time. - -*Rationale: * - -## Time Services Subgroup: Application Interface {#cTIME23} - -### cTIME2300 - -Upon receipt of a Request for the current time computed as TAI, the cFE shall -provide the TAI to the requester using the format specified in the cFE -Application Developer's Guide. - -*Rationale: Need to make the TAI available to applications.* - -### cTIME2301 - -Upon receipt of a Request for the current time computed as UTC, the cFE shall -provide the UTC to the requester using the format specified in the cFE -Application Developer's Guide. - -*Rationale: Need to make the UTC available to applications.* - -### cTIME2302 - -Upon receipt of a Request for the current time computed in the default format, -the cFE shall provide the current time computed in the default selection of UTC -or TAI to the requester using the format specified in the cFE Application -Developer's Guide. - -*Rationale: One of the mission defined selections is the choice of whether TAI or -UTC will be the default time format. And most callers do not care which time format -is the current default. This function avoids having to modify each individual caller -when the default is requested.* - -### cTIME2303 - -Upon receipt of a Request for the current MET, the cFE shall provide the MET to -the requester using the format specified in the cFE Application Developer's -Guide. - -*Rationale: Need to make the MET available to applications.* - -### cTIME2304 - -Upon receipt of a Request for the current MET seconds, the cFE shall provide -the MET seconds to the requester using the format specified in the cFE -Application Developer's Guide. - -*Rationale: Need to make the MET seconds available to applications. 
Comment: -There was some discussion about whether this function was actually needed since -the same data could be extracted from the MET structure by the caller. -Per Mike Blau: the function function simplifies application coding and the development -effort is trivial.* - -### cTIME2305 - -Upon receipt of a Request for the current MET sub-seconds, the cFE shall -provide the MET sub-seconds to the requester using the format specified in the -cFE Application Developer's Guide. - -*Rationale: Need to make the MET sub-seconds available to applications. Comment: There -was some discussion about whether this function was actually needed since the same data -could be extracted from the MET structure by the caller. Per Mike Blau: the function -simplifies application coding and the development effort is trivial.* - -### cTIME2306 - -Upon receipt of a Request for the current STCF, the cFE shall provide the STCF -to the requester using the format specified in the cFE Application Developer's -Guide. - -*Rationale: Need to make the STCF available to applications.* - -### cTIME2307 - -Upon receipt of a Request for the current Leap Seconds, the cFE shall provide -the Leap Seconds to the requester using the format specified in the cFE -Application Developer's Guide. - -*Rationale: Need to make the Leap Seconds available to applications.* - -### cTIME2308 - -Upon receipt of a Request for the current Clock State, the cFE shall provide -the Clock State to the requester using the format specified in the cFE -Application Developer's Guide. - -*Rationale: Need to make the Clock State available to applications. Note: Due -to lack of a demonstrable use case, the requirement to provide clock state data -as part of 'get time' functions has been deleted.* - -### cTIME2309 - -Upon receipt of a Request to add two time values, the cFE shall provide the -result to the requester using the format specified in the cFE Application -Developer's Guide. 
- -*Rationale: Need to provide a common time addition function available to -applications.* - -### cTIME2310 - -Upon receipt of a Request to subtract two time values, the cFE shall provide -the result to the requester using the format specified in the cFE Application -Developer's Guide. - -*Rationale: Need to provide a common time subtraction function available to -applications.* - -### cTIME2311 - -Upon receipt of a Request to compare two time values, the cFE shall provide the -result to the requester using the format specified in the cFE Application -Developer's Guide. - -*Rationale: Need to provide a common time comparison function available to -applications.* - -### cTIME2312 - -Upon receipt of a Request to convert a cFE sub-seconds value to micro-seconds, -the cFE shall provide the result to the requester. - -*Rationale: Converting elapsed time from sub-seconds to micro-seconds is a -commonly used conversion utility (per Dave McComas).* - -### cTIME2313 - -Upon receipt of a Request to convert a number of micro-seconds to sub-seconds, -the cFE shall provide the result to the requester. - -*Rationale: Need to provide the inverse of the previous function.* - -### cTIME2314 - -Upon receipt of a Request the cFE shall return the provided system time in the -following format: `yyyy-ddd-hh:mm:ss.xxxxx\0` - -*Rationale: Provides time in a readable string format.* - -## Time Services Subgroup: Hardware Interfaces {#cTIME25} - -### cTIME2500 - -Upon a Power-on Reset the cFE shall set the following time elements to their -`` default values: - -- Time Status Data -- STCF -- Leap Seconds - -*Rationale: At power on, the presumption is that the MET h/w register has been -reset. 
It is common to set the STCF and Leap Seconds at startup such that time -is computed to a known and recognizable value.* - -### cTIME2501 - -Upon a Processor Reset the cFE shall acquire the following time elements from -the `` Critical Data Store: - -- Time Status Data -- STCF -- Leap Seconds - -*Rationale: Time is a critical system resource and every effort should be made -to preserve it. Following a processor reset, the presumption is that the MET -h/w register is unaffected and that previously 'good' values for STCF and Leap -Seconds can still be used to correct.* - -### cTIME2502 - -Upon a Processor Reset the cFE shall verify the Critical Data Store used to -store time values. - -*Rationale: Verification of potentially damaged stored data is a standard -practice. Note that because time can be any value, verification potentiall -involves using a pattern.* - -#### cTIME2502.1 - -If the critical data store is not valid, all of the time elements shall be -initialized in the same fashion as following a power-on reset. - -*Rationale: If the CDS can't be trusted then need to initialize to default values.* - -## Time Services Subgroup: Platform Adaptation {#cTIME27} - -### cTIME2700 - -During normal operation, the cFE shall preserve the following time elements in -the `` Critical Data Store: - -- Time Status Data -- STCF -- Leap Seconds -- MET - -*Rationale: Time is a critical system resource and every effort should be made -to preserve it. Preserving time allows applications to 'fly through' resets.* - -### cTIME2701 - -The cFE Time Services Server shall send a time at the tone Software Bus message -within a `` period of time preceding or following the tone. - -*Rationale: The primary purpose of a time server is to distribute time updates to -time clients. Note: Although the time tone is generally a 1PPS signal, there is -no cFE restriction on the frequency of the tone. 
Also, there is no cFE restriction -on whether the "time at the tone" message precedes or follows the tone.* - -### cTIME2702 - -The cFE Time Services Server shall update its MET using the timer hardware -interface defined in the cFE Application Developer's Guide. - -*Rationale: Every mission needs an MET and using a cFE-defined software interface -to the timer hardware driver makes the Time Services portable.* - -### cTIME2703 - -The cFE shall define a MET with a `` resolution. - -*Rationale: The resolution (clock ticks per second) is hardware dependent. Since no -other cFE component places any constraints on the resolution this requirement is not -bounded with a minimum. However, both the maximum number of MET seconds and the resolution -of sub* -
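Review bot: Several requirements in the removed Markdown are incomplete as written, so the replacement CSV needs a row-by-row check rather than being assumed equivalent. In the lines above:

- The rationale is cut off mid-sentence at cTBL6005 ("whether the ima"), cTBL6012.3 ("to reflect that"), cTBL6305.1 and cTBL6306 ("More than one Application can access"), cTIME2008 ("over a command-spec.") and cTIME2703 ("of sub").
- The rationale is empty at cTIME2012, cTIME2012.1, cTIME2013 and cTIME2014.
- The platform-defined value appears only as empty backticks in cTBL6005.1, cTBL6700, cTBL6701, cTIME2010, cTIME2500, cTIME2501, cTIME2700, cTIME2701 and cTIME2703.
- List items are fused in cTBL6309 ("Time of last modificationFlag indicating ...") and cTIME2000 ("Time StatusMETSTCFLeap SecondsSTCF ..."), and cTBL6701 is split into bullets mid-phrase.
- cTIME2014 carries a stray "SR1306" prefix.

Please confirm that the matching CSV rows carry the full rationale text and the named configuration parameter for each of these, since the table validation, locking and Critical Data Store requirements are the ones a verifier will test against.

Separately, the subject line describes one requirement update for #199, but the diff deletes the whole 3048-line document and adds a 523-line CSV. Splitting the format conversion from the requirement change would let the actual wording change be reviewed on its own.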