
Key Considerations When Developing Avionics for Safety-Critical Systems


This article is from the 2024 Technical Update.

Multiple human spaceflight programs are underway at NASA, including Orion, Space Launch System, Gateway, Human Landing System, and the EVA and Lunar Surface Mobility programs. Achieving success in these programs requires NASA to collaborate with a variety of commercial partners, including both new spaceflight companies and robotic spaceflight companies pursuing crewed spaceflight for the first time. It is not always clear to these organizations how to show that their systems are safe for human spaceflight. This is particularly true for avionics systems, which perform some of a crewed spacecraft’s most critical functions. NASA recently published guidance describing how to show that the design of an avionics system meets the safety requirements for crewed missions.

Background
The avionics in a crewed spacecraft perform many safety-critical functions, including controlling the position and attitude of the spacecraft, activating onboard abort systems, and firing pyrotechnics. Incorrect operation of any of these functions can be catastrophic, causing loss of the crew. NASA’s human-rating requirements describe the need for “additional rigor and scrutiny” when designing safety-critical systems beyond that applied to uncrewed spacecraft [2]. Unfortunately, it is not always clear how to interpret this guidance and show that an avionics architecture is sufficiently safe. To address this problem, NASA recently published NASA/TM-20240009366 [1]. It outlines best practices for designing safety-critical avionics and describes the key artifacts, or evidence, NASA needs to assess the safety of an avionics architecture.

Failure Hypothesis
One of the most important steps in designing an avionics architecture for crewed spacecraft is specification of the failure hypothesis (FH). In short, the FH summarizes the assumptions the designers make about the type, number, and persistence of component failures (e.g., of onboard computers or network switches). It divides the space of all possible failures into two parts: failures the system is designed to tolerate and failures it is not.

One key part of the FH is a description of failure modes the system can tolerate – i.e., the behavior exhibited by a failed component. Failure modes are categorized using a failure model. A typical failure model for avionics splits failures into two broad categories:

  • Value failures, where data produced by a component is missing (i.e., an omissive failure) or incorrect (i.e., a transmissive failure).
  • Timing failures, where data is produced by a component at the wrong time.

Timing failures can be further divided into many sub-categories, including:

  • Inadvertent activation, where data is produced by a component without the necessary preconditions.
  • Out-of-order failures, where data is produced by a component in an incorrect sequence.
  • Marginal timing failures, where data is produced by a component slightly too early or late.
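The failure model above becomes concrete once a receiver has to classify what it actually sees on the wire. The following is an added example written for this page, not code from the NASA report: it assumes a sender that emits one framed message per 100 ms carrying a sequence number, an arrival timestamp and a CRC-32, and it assumes that a FIRE command is only valid after an ARM command has been received. The sample stream is constructed so that each slot exhibits one failure mode from the lists above.

```python
"""Failure-model classifier for a periodic avionics message stream.

Added illustration (not from the NASA report). Assumptions: one message per
PERIOD_MS, each with a sequence number, arrival time and CRC-32; a FIRE command
is only valid after an ARM command (the 'necessary precondition').
"""
from dataclasses import dataclass
from enum import Enum
import zlib

PERIOD_MS = 100   # assumed message period
TOL_MS = 5        # assumed jitter accepted before a message counts as marginal


class Failure(Enum):
    NONE = "ok"
    OMISSIVE = "value failure: omissive (message missing)"
    TRANSMISSIVE = "value failure: transmissive (content incorrect)"
    INADVERTENT = "timing failure: inadvertent activation"
    OUT_OF_ORDER = "timing failure: out-of-order"
    MARGINAL = "timing failure: marginal (slightly early/late)"


@dataclass(frozen=True)
class Msg:
    seq: int        # sender's sequence number
    t_ms: int       # arrival time at the observer, in ms
    payload: bytes
    crc: int        # CRC-32 the sender computed over payload


def crc_of(payload: bytes) -> int:
    return zlib.crc32(payload) & 0xFFFFFFFF


def msg(seq: int, t_ms: int, payload: bytes) -> Msg:
    """A well-formed message: the CRC matches the payload."""
    return Msg(seq, t_ms, payload, crc_of(payload))


def classify_stream(msgs: list[Msg], n_slots: int) -> list[tuple[int, Failure]]:
    """Walk the expected slots 0..n_slots-1 and tag each with the failure mode observed.

    A message is binned to the slot nearest its arrival time, so a message that is
    so late it lands in the next slot shows up as an omission in its own slot.
    """
    by_slot: dict[int, list[Msg]] = {}
    for m in msgs:
        by_slot.setdefault(round(m.t_ms / PERIOD_MS), []).append(m)

    last_seq = -1
    armed = False
    out: list[tuple[int, Failure]] = []
    for slot in range(n_slots):
        expected_t = slot * PERIOD_MS
        got = by_slot.get(slot, [])
        if not got:
            out.append((slot, Failure.OMISSIVE))
            continue
        for m in got:
            if m.crc != crc_of(m.payload):
                # Content cannot be trusted, so seq and armed state are left untouched.
                # A CRC only catches corruption: a semantically wrong value with a
                # valid CRC needs a range/plausibility check or cross-channel voting.
                out.append((slot, Failure.TRANSMISSIVE))
                continue
            if m.seq <= last_seq:
                out.append((slot, Failure.OUT_OF_ORDER))   # stale or replayed message
                continue
            last_seq = m.seq
            if m.payload == b"FIRE" and not armed:
                out.append((slot, Failure.INADVERTENT))   # precondition (ARM) not met
                continue
            if m.payload == b"ARM":
                armed = True
            if abs(m.t_ms - expected_t) > TOL_MS:
                out.append((slot, Failure.MARGINAL))
                continue
            out.append((slot, Failure.NONE))
    return out


# Constructed sample stream: one deliberate failure mode per slot.
SAMPLE_STREAM = [
    msg(0, 0, b"HEARTBEAT"),                            # slot 0: nominal
    msg(1, 100, b"FIRE"),                               # slot 1: FIRE before ARM
    msg(2, 202, b"ARM"),                                # slot 2: nominal (2 ms jitter)
    # slot 3: nothing arrives
    Msg(4, 400, b"HEARTBEAS", crc_of(b"HEARTBEAT")),    # slot 4: byte flipped after CRC
    msg(2, 500, b"ARM"),                                # slot 5: replay of seq 2
    msg(6, 612, b"HEARTBEAT"),                          # slot 6: 12 ms late
    msg(7, 700, b"FIRE"),                               # slot 7: nominal, armed
]

if __name__ == "__main__":
    for slot, f in classify_stream(SAMPLE_STREAM, 8):
        print(f"slot {slot}: {f.value}")
```

The order of the checks matters: a value failure is tested first, because a corrupted frame's sequence number and payload cannot be used to update ordering or arming state, and the precondition check runs before the timing check so that an inadvertent command is reported as such even when it happens to arrive on schedule.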

In addition to occurring when data is produced by a component, these failure modes can also occur when data enters a component (e.g., a faulty component can corrupt a message it receives). Moreover, all failure modes can manifest in one of two ways:

  • Symmetrically, where all observers see the same faulty behavior.
  • Asymmetrically, where different observers see different faulty behavior.
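The symmetric/asymmetric distinction decides how much redundancy an architecture needs, which is why the FH has to state it. The following is an added example for this page (not code from the NASA report) showing redundant observers receiving one value from a single source. A symmetric failure leaves all observers agreeing, so cross-comparison cannot detect it; an asymmetric failure makes them disagree, and one round of relaying what each observer received, followed by a majority vote (one round of the classic oral-messages algorithm, OM(1)), restores agreement only when there are enough nodes. The node names, the "liar flips the relayed bit" model and the default value 0 are assumptions made for the illustration.

```python
"""Symmetric vs. asymmetric manifestation of a failure, as seen by redundant observers.

Added illustration (not from the NASA report). A single source sends a value to
each observer. 'naive' observers trust what they got; 'exchange' observers relay
what they got to their peers and take the majority (OM(1)). Assumed: node names
L0..L2, a liar relays the opposite bit, and the fallback value is DEFAULT.
"""
from collections import Counter
from typing import Callable

DEFAULT = 0  # value an observer falls back to when there is no strict majority


def majority(votes: list[int], default: int = DEFAULT) -> int:
    value, count = Counter(votes).most_common(1)[0]
    return value if count * 2 > len(votes) else default


def naive_decisions(send: Callable[[str], int], observers: list[str]) -> dict[str, int]:
    """Each observer simply uses the value the source delivered to it."""
    return {o: send(o) for o in observers}


def exchange_decisions(send: Callable[[str], int], observers: list[str],
                       liars=frozenset()) -> dict[str, int]:
    """OM(1): receive, relay to peers, then majority-vote over own + relayed values.

    A liar relays the opposite of what it actually received (one way an observer
    itself can fail asymmetrically); the liar's own decision is not meaningful.
    """
    received = {o: send(o) for o in observers}            # round 1: source -> observers
    decisions = {}
    for o in observers:
        votes = [received[o]]
        for peer in observers:                            # round 2: observers -> observers
            if peer == o:
                continue
            votes.append(1 - received[peer] if peer in liars else received[peer])
        decisions[o] = majority(votes)
    return decisions


def observers_agree(decisions: dict[str, int], honest: list[str]) -> bool:
    return len({decisions[o] for o in honest}) == 1


def min_nodes(f: int, asymmetric: bool) -> int:
    """Nodes needed to outvote f faulty ones: 2f+1 when failures are symmetric,
    3f+1 when they may be asymmetric and messages are unsigned (oral messages)."""
    return 3 * f + 1 if asymmetric else 2 * f + 1


THREE = ["L0", "L1", "L2"]
TWO = ["L0", "L1"]


# Constructed source behaviours.  The intended (correct) command value is 0
# for the two faulty sources and 1 for the honest one.
def symmetric_bad(o: str) -> int:
    return 1                                # wrong value, but the same for everyone


def asymmetric_src(o: str) -> int:
    return 1 if o == "L0" else 0            # different values to different observers


def honest_one(o: str) -> int:
    return 1                                # healthy source commanding 1


if __name__ == "__main__":
    print("symmetric fault, naive:    ", naive_decisions(symmetric_bad, THREE))
    print("asymmetric fault, naive:   ", naive_decisions(asymmetric_src, THREE))
    print("asymmetric fault, OM(1):   ", exchange_decisions(asymmetric_src, THREE))
    print("n=3, honest src, L1 lies:  ", exchange_decisions(honest_one, TWO, {"L1"}))
    print("n=4, honest src, L2 lies:  ", exchange_decisions(honest_one, THREE, {"L2"}))
```

Two things the output makes visible. First, under a symmetric failure the observers agree on the wrong value, so the mitigation has to come from somewhere other than cross-comparison (a plausibility check or a second, independent source). Second, with a source plus two observers (three nodes) a single asymmetric fault is enough to make an honest observer decide a value the healthy source never sent, whereas with four nodes the honest observers both recover the source's value; that is the 3f+1 bound behind `min_nodes`, and it assumes unauthenticated messages, since message authentication changes the arithmetic.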

Importantly, NASA’s human-rating process requires that each of these failure modes be mitigated if it can result in catastrophic effects [2]. Any exceptions must be explicitly documented and strongly justified. In addition to specifying the failure modes a system can tolerate, the FH must state any limiting assumptions about the relative arrival times of permanent failures and radiation-induced upsets/errors, and about the ability of ground operators to intervene to safe the system or take recovery actions. For more information on specifying an FH and the other artifacts needed to evaluate the safety of an avionics architecture for human spaceflight, see the full report [1].
