Key Considerations When Developing Avionics for Safety-Critical Systems


This article is from the 2024 Technical Update.

Multiple human spaceflight programs are underway at NASA including Orion, Space Launch System, Gateway, Human Landing System, and EVA and Lunar Surface Mobility programs. Achieving success in these programs requires NASA to collaborate with a variety of commercial partners, including both new spaceflight companies and robotic spaceflight companies pursuing crewed spaceflight for the first time. It is not always clear to these organizations how to show their systems are safe for human spaceflight. This is particularly true for avionics systems, which are responsible for performing some of a crewed spacecraft’s most critical functions. NASA recently published guidance describing how to show the design of an avionic system meets safety requirements for crewed missions.

Background
The avionics in a crewed spacecraft perform many safety-critical functions, including controlling the position and attitude of the spacecraft, activating onboard abort systems, and firing pyrotechnics. The incorrect operation of any of these functions can be catastrophic, causing loss of the crew. NASA’s human-rating requirements describe the need for “additional rigor and scrutiny” when designing safety-critical systems beyond that done for uncrewed spacecraft [2]. Unfortunately, it is not always clear how to interpret this guidance and show that an avionics architecture is sufficiently safe. To address this problem, NASA recently published NASA/TM-20240009366 [1]. It outlines best practices for designing safety-critical avionics and describes the key artifacts, or evidence, NASA needs to assess the safety of an avionics architecture.

Failure Hypothesis
One of the most important steps to designing an avionics architecture for crewed spacecraft is specification of the failure hypothesis (FH). In short, the FH summarizes any assumptions the designers make about the type, number, and persistence of component failures (e.g., of onboard computers, network switches). It divides the space of all possible failures into two parts – failures the system is designed to tolerate and failures it is not.


One key part of the FH is a description of failure modes the system can tolerate – i.e., the behavior exhibited by a failed component. Failure modes are categorized using a failure model. A typical failure model for avionics splits failures into two broad categories:

  • Value failures, where data produced by a component is missing (i.e., an omissive failure) or incorrect (i.e., a transmissive failure).
  • Timing failures, where data is produced by a component at the wrong time.

Timing failures can be further divided into many sub-categories, including:

  • Inadvertent activation, where data is produced by a component without the necessary preconditions.
  • Out-of-order failures, where data is produced by a component in an incorrect sequence.
  • Marginal timing failures, where data is produced by a component slightly too early or late.

In addition to occurring when data is produced by a component, these failure modes can also occur when data enters a component (e.g., a faulty component can corrupt a message it receives). Moreover, all failure modes can manifest in one of two ways:

  • Symmetrically, where all observers see the same faulty behavior.
  • Asymmetrically, where some observers see different faulty behavior.
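The failure model above is easiest to apply when it is written down as a checker. The following is an added example, not code from the NASA report or from any NASA program: it classifies what each observer (here, three constructed flight computers receiving a sensor message) saw against the expected value, sequence number and arrival window, labels the result as a value failure (omissive or transmissive) or a timing failure (inadvertent activation, out-of-order, marginal), and then decides whether the failure manifested symmetrically or asymmetrically across observers. The data classes, the sample observations and the ordering of the checks are assumptions made for the example.

```python
"""Classify a component's outputs against the value/timing failure model.

Added example (not part of the NASA report): the message format, the
observers and the sample observations are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    CORRECT = "correct"
    OMISSIVE = "value/omissive"            # data missing
    TRANSMISSIVE = "value/transmissive"    # data incorrect
    INADVERTENT = "timing/inadvertent-activation"  # produced without preconditions
    OUT_OF_ORDER = "timing/out-of-order"   # wrong sequence
    MARGINAL = "timing/marginal"           # slightly early or late


@dataclass
class Expected:
    seq: int                        # sequence number the message should carry
    value: int                      # value the message should carry
    window_ms: tuple                # (earliest, latest) acceptable arrival time
    precondition_met: bool = True   # was the component supposed to emit at all?


@dataclass
class Seen:
    observer: str
    last_seq: int                   # last sequence number this observer accepted
    seq: Optional[int] = None       # None fields mean nothing arrived
    value: Optional[int] = None
    t_ms: Optional[float] = None


def classify(exp: Expected, seen: Seen) -> Mode:
    """Label one observer's view of one expected message (assumed check order)."""
    if seen.seq is None:
        # Nothing arrived: a failure only if output was actually due.
        return Mode.OMISSIVE if exp.precondition_met else Mode.CORRECT
    if not exp.precondition_met:
        return Mode.INADVERTENT
    if seen.seq <= seen.last_seq:
        return Mode.OUT_OF_ORDER
    lo, hi = exp.window_ms
    if not (lo <= seen.t_ms <= hi):
        return Mode.MARGINAL
    if seen.value != exp.value:
        return Mode.TRANSMISSIVE
    return Mode.CORRECT


def manifestation(modes: dict) -> str:
    """Symmetric if every observer saw the same faulty behaviour, else asymmetric."""
    distinct = set(modes.values())
    if distinct == {Mode.CORRECT}:
        return "no failure"
    return "symmetric" if len(distinct) == 1 else "asymmetric"


def assess(exp: Expected, observations: list) -> tuple:
    """Classify every observer's view and summarise how the fault manifested."""
    modes = {s.observer: classify(exp, s) for s in observations}
    return modes, manifestation(modes)


def demo() -> dict:
    """Constructed scenarios: one sensor message watched by three flight computers."""
    exp = Expected(seq=42, value=7, window_ms=(100.0, 110.0))
    scenarios = {
        # Two observers see a good message, the third sees nothing.
        "one observer starved": [Seen("FC-A", 41, 42, 7, 104.0),
                                 Seen("FC-B", 41, 42, 7, 105.0),
                                 Seen("FC-C", 41)],
        # Everyone receives the same wrong value.
        "common bad value": [Seen("FC-A", 41, 42, 9, 104.0),
                             Seen("FC-B", 41, 42, 9, 104.5),
                             Seen("FC-C", 41, 42, 9, 105.0)],
        # One observer gets the message late, one gets a stale sequence number.
        "mixed timing faults": [Seen("FC-A", 41, 42, 7, 104.0),
                                Seen("FC-B", 41, 42, 7, 121.0),
                                Seen("FC-C", 41, 40, 7, 104.0)],
    }
    return {name: assess(exp, obs) for name, obs in scenarios.items()}


if __name__ == "__main__":
    for name, (modes, kind) in demo().items():
        print(f"{name}: {kind}")
        for observer, mode in modes.items():
            print(f"  {observer}: {mode.value}")
```

The check order matters: a message that should never have been sent is labelled inadvertent activation before its value or timing is examined, and a missing message is never a failure when no output was due. Recording the result per observer, rather than as a single verdict, is what makes the symmetric/asymmetric distinction visible, which is the property a redundancy-management design has to reason about.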

Importantly, NASA’s human-rating process requires that each of these failure modes be mitigated if it can result in catastrophic effects [2]. Any exceptions must be explicitly documented and strongly justified. In addition to specifying the failure modes a system can tolerate, the FH must specify any limiting assumptions about the relative arrival times of permanent failures and radiation-induced upsets/errors, or about the ability of ground operators to intervene to safe the system or take recovery actions. For more information on specifying a FH and the other artifacts needed to evaluate the safety of an avionics architecture for human spaceflight, see the full report [1].
