Key Considerations When Developing Avionics for Safety-Critical Systems


Recommended Posts

  • Publishers
Posted

This article is from the 2024 Technical Update.

Multiple human spaceflight programs are underway at NASA, including Orion, Space Launch System, Gateway, Human Landing System, and the EVA and Lunar Surface Mobility programs. Achieving success in these programs requires NASA to collaborate with a variety of commercial partners, including both new spaceflight companies and robotic spaceflight companies pursuing crewed spaceflight for the first time. It is not always clear to these organizations how to show their systems are safe for human spaceflight. This is particularly true for avionics systems, which are responsible for performing some of a crewed spacecraft’s most critical functions. NASA recently published guidance describing how to show that the design of an avionics system meets safety requirements for crewed missions.

Background
The avionics in a crewed spacecraft perform many safety-critical functions, including controlling the position and attitude of the spacecraft, activating onboard abort systems, and firing pyrotechnics. The incorrect operation of any of these functions can be catastrophic, causing loss of the crew. NASA’s human rating requirements describe the need for “additional rigor and scrutiny” when designing safety-critical systems beyond that done for uncrewed spacecraft [2]. Unfortunately, it is not always clear how to interpret this guidance and show that an avionics architecture is sufficiently safe. To address this problem, NASA recently published NASA/TM−20240009366 [1]. It outlines best practices for designing safety-critical avionics and describes the key artifacts, or evidence, NASA needs to assess the safety of an avionics architecture.

Failure Hypothesis
One of the most important steps to designing an avionics architecture for crewed spacecraft is specification of the failure hypothesis (FH). In short, the FH summarizes any assumptions the designers make about the type, number, and persistence of component failures (e.g., of onboard computers, network switches). It divides the space of all possible failures into two parts – failures the system is designed to tolerate and failures it is not.


One key part of the FH is a description of failure modes the system can tolerate – i.e., the behavior exhibited by a failed component. Failure modes are categorized using a failure model. A typical failure model for avionics splits failures into two broad categories:

  • Value failures, where data produced by a component is missing (i.e., an omissive failure) or incorrect (i.e., a transmissive failure).
  • Timing failures, where data is produced by a component at the wrong time.

Timing failures can be further divided into many sub-categories, including:

  • Inadvertent activation, where data is produced by a component without the necessary preconditions.
  • Out-of-order failures, where data is produced by a component in an incorrect sequence.
  • Marginal timing failures, where data is produced by a component slightly too early or late.

In addition to occurring when data is produced by a component, these failure modes can also occur when data enters a component (e.g., a faulty component can corrupt a message it receives). Moreover, all failure modes can manifest in one of two ways:

  • Symmetrically, where all observers see the same faulty behavior.
  • Asymmetrically, where some observers see different faulty behavior.

Importantly, NASA’s human-rating process requires that each of these failure modes be mitigated if it can result in catastrophic effects [2]. Any exceptions must be explicitly documented and strongly justified. In addition to specifying the failure modes a system can tolerate, the FH must specify any limiting assumptions about the relative arrival times of permanent failures and radiation-induced upsets/errors, or about the ability of a ground operator to intervene to safe the system or take recovery actions. For more information on specifying a FH and the other artifacts needed to evaluate the safety of an avionics architecture for human spaceflight, see the full report [1].
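The failure model and the FH described above, as an added example that is not from the NASA report: a small Python monitor that classifies what each observer received into the value/timing modes, decides symmetric versus asymmetric by comparing observers, and checks the resulting scenario against a constructed failure hypothesis. The component names, timing windows, and the FH contents are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple

class Mode(Enum):
    OK = "ok"
    OMISSIVE = "value/omissive"            # expected data never arrived
    TRANSMISSIVE = "value/transmissive"    # data arrived but is wrong
    INADVERTENT = "timing/inadvertent"     # produced without its preconditions
    OUT_OF_ORDER = "timing/out-of-order"   # produced in the wrong sequence
    MARGINAL = "timing/marginal"           # produced slightly early or late

@dataclass(frozen=True)
class Expected:  # what the schedule says a component should emit in this frame
    seq: int
    value: int
    window_ms: Tuple[float, float]  # accepted (earliest, latest) arrival time
    preconditions_met: bool = True  # e.g. an abort command needs an armed state

# What one observer received as (seq, value, t_ms); seq None means nothing arrived.
Observed = Tuple[Optional[int], Optional[int], Optional[float]]

def classify(exp: Expected, obs: Observed) -> Mode:
    """Checks run in a fixed priority; a message wrong in several ways reports the first match."""
    seq, value, t_ms = obs
    if not exp.preconditions_met:
        return Mode.OK if seq is None else Mode.INADVERTENT
    if seq is None:
        return Mode.OMISSIVE
    if seq != exp.seq:
        return Mode.OUT_OF_ORDER
    lo, hi = exp.window_ms
    if not lo <= t_ms <= hi:
        return Mode.MARGINAL
    return Mode.OK if value == exp.value else Mode.TRANSMISSIVE

def manifestation(exp: Expected, seen: Dict[str, Observed]) -> Tuple[Dict[str, Mode], str]:
    """Symmetric vs. asymmetric is only decidable by comparing several observers."""
    modes = {name: classify(exp, o) for name, o in seen.items()}
    distinct = set(modes.values())
    if distinct == {Mode.OK}:
        return modes, "none"
    return modes, "symmetric" if len(distinct) == 1 else "asymmetric"

@dataclass(frozen=True)
class FailureHypothesis:
    tolerated: FrozenSet[Mode]    # failure modes the design claims to tolerate
    tolerates_asymmetric: bool
    max_faulty_components: int    # simultaneous component failures assumed

def check_fh(fh: FailureHypothesis, exp: Dict[str, Expected],
             seen: Dict[str, Dict[str, Observed]]) -> Tuple[bool, List[str]]:
    """Return (covered, reasons): does this failure scenario fall inside the FH?"""
    reasons, faulty = [], 0
    for comp, by_observer in seen.items():
        modes, how = manifestation(exp[comp], by_observer)
        if how == "none":
            continue
        faulty += 1
        reasons += [f"{comp}: {m.value} is outside the FH"
                    for m in set(modes.values()) - {Mode.OK, *fh.tolerated}]
        if how == "asymmetric" and not fh.tolerates_asymmetric:
            reasons.append(f"{comp}: asymmetric manifestation is outside the FH")
    if faulty > fh.max_faulty_components:
        reasons.append(f"{faulty} faulty components exceed the FH limit of {fh.max_faulty_components}")
    return not reasons, reasons

def demo() -> Tuple[bool, List[str]]:
    """Constructed frame: two sources, each watched by two redundant switches."""
    exp = {"FC-A": Expected(7, 42, (100.0, 110.0)), "IMU-1": Expected(3, 5, (100.0, 110.0))}
    seen = {"FC-A": {"SW-1": (7, 42, 104.0), "SW-2": (7, 99, 104.0)},        # one switch sees a corrupt value: asymmetric
            "IMU-1": {"SW-1": (None, None, None), "SW-2": (None, None, None)}}  # silent to everyone: symmetric omission
    fh = FailureHypothesis(frozenset({Mode.OMISSIVE, Mode.TRANSMISSIVE, Mode.MARGINAL}),
                           tolerates_asymmetric=False, max_faulty_components=1)
    return check_fh(fh, exp, seen)
```

In the constructed scenario `demo()` reports the scenario as outside the FH for two reasons: the flight computer's fault is asymmetric, and two components failed at once where the FH assumes one.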
