In January 2004, the National Aeronautics and Space Administration (NASA) received new strategic guidance for Space Exploration. With this new guidance, the manned spaceflight community was given an exciting opportunity to develop new human qualified space vehicles based on the latest technology and methodology. The scope of NASA's Constellation program encompasses all elements that must work together to successfully complete the mission of returning humans to the moon. These elements include a launch system, crewed vehicle, and landing module, to name a few.
Introduction
With changes in avionics architecture approaches over the last several decades, the aerospace industry has implemented differing avionics architectures across the spectrum of vehicles currently in operation. The same is true within the human-rated space community. As NASA develops the Constellation program, various vehicles are being designed to carry humans back to the moon and eventually on to Mars. Due to the size and scope of this program, various elements are being developed independently with careful consideration of the interoperability of these elements. One such example is the interface between the Orion CEV and the Ares I Launch Vehicle.
The nature of the interface between Orion and Ares I dictates a high level of reliability to ensure crew safety during launch and ascent mission phases. In particular, the two vehicles must be able to jointly identify and execute abort scenarios. Therefore, communication between the avionics systems on each vehicle is crucial to mission success and crew survival. An analysis of the interaction between the two different avionics architectures and their fault management schemes is necessary to ensure the reliability for this highly critical interface.
Background
Over the last 50 years there has been an evolution in avionics architecture within the aerospace community. Initially, independent (analog) avionics were implemented.
Within these avionics each functional area had separate dedicated sensors, processors and displays and the interconnect media was all point-to-point wiring [1] .
In the 1960's and 1970's, avionics moved more toward federated architectures. This is still the most dominant avionics architecture flying in military aircraft today. However, towards the end of the 20 th century, avionics systems evolved towards integrated architectures [1] .
1.E.2-2

Federated Avionics Architecture
Federated avionics architecture is comprised of several data boxes distributed across the vehicle, each providing a specific function with all the processing capability needed to perform that function. These data modules are generally located near the signal sources. A dedicated data bus or common data bus is used to connect each of the boxes point-to-point [2] . An example of federated avionics architecture is shown in Figure 1 .
Figure 1. Example of a Federated Avionics
Architecture [3] Federated avionics architectures have certain benefits. Since the data boxes are all designed to communicate on a dedicated data bus, they are easy to integrate into the system when building the aircraft. It is also advantageous to locate the boxes close to the signal sources, thus minimizing the cable run on those interfaces. This architecture also lends naturally to fault containment within each data box [2] .
However, there are also several drawbacks to a federated architecture. The data buses are traditionally rigid and slow. Each of the data boxes is often developed by different suppliers, each with unique software that is bound to the hardware, leading to an implementation that is inflexible. Therefore, when a small change is needed within the architecture large parts of the system have to be rebuilt. This in turn requires a large store of spare parts. Additionally, since the data modules are located close to the signal sources, they are spread out across the vehicle rather than centrally located. This distribution of modules also leads to potential duplication of functions at the lower level, resulting in excess power, weight, cost and reduced reliability [2] .
Integrated Modular Avionics Architecture
The concept of integrated modular avionics (IMA) architectures is to co-locate and share all the processing power necessary for all the functions needed on the vehicle [2] . The system functions are time and space partitioned within the operating system and hardware to allow complete flexibility to reconfigure both hardware interfaces and software applications. IMA is "not based upon traditional Byzantine redundancy structures, but on a truth based scheme where each element knows when an internal failure occurs and removes itself from the system" [4] . This architecture is dependent on a distributed, realtime network to transfer data between the standardized, central processing unit and the various functional modules [2] . An example IMA architecture is depicted in Figure 2 . The key benefits of utilizing IMA architecture flow from the fact that it is an open architecture. With an open architecture, the system is easier to integrate and maintain. Because the central processing unit is standardized, this allows the use of commercial offthe-shelf (COTS) hardware. Since there is no longer a single supplier constraint, the non-recurring cost for components within the system is reduced. This in turn reflects in a decrease in maintenance costs since the COTS producers can leverage the development and maintenance tools already available. Additionally, the use of COTS will decrease the upgrade cost since competition drives supplier upgrades to low or no cost to the project [5] .
1.E.2-3
There are also benefits to using IMA architectures to more easily support midlife upgrades to the system. This allows for incorporating technology upgrades into the system which is especially appealing to longduration systems such as human-rated space elements. With varying mission durations, it is also important that the avionics architecture allows for different safety and criticality protections. IMA architectures support this flexibility [2] .
There have been a few notable drawbacks to utilizing IMA architectures. One is the size and weight required for the central processing module. Also, the backplane in the central processing module will require increased complexity than a computer used in a federated architecture due to the increased processing capability that is co-located. Another drawback is the increased number of cables required to connect the central processing unit to the functional boxes located throughout the vehicle [2] .
However, there have been several improvements to the IMA architecture since it was first introduced which have eliminated most (if not all) of the drawbacks. The size and weight of the central processing module has decreased due to resource sharing. Also, a mass savings can be realized when power is provided through the backplane and are no longer required to be supplied through network cabling.
Ares I Avionics Architecture
An Ares I avionics architecture trade study was conducted in the spring of 2006 and recommended the use of a federated avionics architecture. The study assessed five avionics architecture concepts. Three of the concepts were IMA architectures and two were federated architectures [6] .
There was several design constraints placed on the trade study. Some of the most significant constraints were the design decisions made before the trade and the requirements to utilize heritage design. For example, use of MIL-STD-1553 for the internal data bus was decided prior to this trade study and heritage design of the first stage avionics system was required. The first stage and upper stage avionics work together, with the upper stage providing control electronics for the entire Ares I launch stack, as well as the separation systems required to perform first stage separation.
Other ground rules for the trade study are outlined in Figure 3 [6] .
Ares I Trade Study Ground Rules 1st stage and engine elements are 0 to 1 fault tolerant in many cases, due to heritage and current design options. No bus controller switchovers during ascent. All architectures must meet performance specifications; therefore, performance is not a discriminator. Cross-strapping was only allowed if it provided improvement of reliability/fault tolerance. No technology development. Commonality of hardware was not considered due to requirements immaturity. The study results identified the four and five string voting architectures as the most feasible architectures for meeting the stringent fault tolerance requirements, with the five string architecture being the most fault tolerance. Federated architecture benefits were recognized, based on heritage architecture implementation for redundancy management schemes, particularly for Mil-Std-1553 bus implementations. The benefits of not requiring technology development and using a proven human-rated N-modular redundant system were also noted by the trade study [6] .
The current Ares I avionics architecture design is a federated architecture that integrates the first stage, upper stage and upper stage engine avionics systems. However, the architecture does not strictly fall into the federated avionics architecture category. There has been some central location of processing functionality within the different computer types within the upper stage avionics, however there are still a number of processors distributed across the integrated Ares I launch stack.
The upper stage avionics controls the stack and contains three flight computers (FCs), two command and telemetry computers (CTCs), and subsystem avionics components. It is the three FCs that provide critical control, data handling, and communications with the Orion CEV. These FCs implement simplex processors that perform Byzantine-resilient data exchange with the other FC ARINC 653 ports through Cross Channel Data Links (CCDLs) to allow the voting process among the 3 FCs. The voting algorithm ensures that all valid data is bit-for-bit identical before transmitting data to the remote terminals. This process 1.E.2-4 guarantees 1 fault tolerance per the N-modular redundant scheme.
Orion Avionics Architecture
There are several key design constraint and requirement differences between the Orion and the Ares I vehicles which led to different avionics architectures. First, there were no constraints on Orion to implement or interface to heritage designs. Second, there was no constraint on Orion to use a predetermined data bus. There are also huge differences in the missions of these two elements. The Ares I Launch Vehicle mission duration is approximately 10 minutes and has a very rigid mission goal -to launch the Orion vehicle. In contrast, the Orion CEV has to meet a mission requirement of up to 5000 hours at a time and must be a flexible vehicle that will interface to several other space elements (the International Space Station, the Altair Lunar Lander, Ground Systems, and the Space Network, in addition to the Ares I interface) over the next several decades. Additionally, Orion has strict weight and power restrictions that make it desirable for its avionics system to maintain full protection against erroneous behavior even when operated in a low power partial system mode.
It is largely due to the required flexibility of the Orion CEV and the fault protection required in low power modes that the IMA architecture was chosen. By implementing an IMA architecture, Orion can support modifications and upgrades throughout the lifetime of the project. [4] Additionally, it was reasoned that the fault tolerance, scalability, and availability requirements for the Orion CEV avionics system could not be met through a traditional, federated architecture. In other words, the Orion CEV required an open architecture [5] .
An Orion CEV avionics architecture trade study was conducted in the fall of 2005. The study initially considered twelve avionics architecture concepts, but down-selected to five based on a recommendation to support a backup flight system. All of the architecture concepts considered were IMA architectures [7] . The requirements imposed on the Orion avionics architecture trade study are shown in Figure 4 .
Orion Trade Study Requirements
The Orion CEV shall meet an ascent reliability allocation of 0.9999. The Orion CEV shall meet an overall mission reliability allocation of 0.999. The Orion CEV shall be one fault-tolerant for safe return of the crew with exceptions for design for minimum risk. The Orion CEV shall safely recover from, and return the crew in case of loss of output and erroneous output from the vehicle flight computers due to software common cause failure. The Orion CEV shall allow the crew to manually control, inhibit, and/or override autonomous or ground controlled critical functions. The Orion CEV shall be one fault-tolerant for mission completion with exceptions for design for minimum risk. The Orion avionics architecture is based on the IMA architecture approach. The core processing capability is located within the two redundant Vehicle Management Computers (VMCs), which provide the one fault tolerance for the system. Each VMC is divided into partitions based on functionality and following the ARINC 653 real time operating system standard. This allows software applications to be developed and tested independently of other application developers.
Within the VMCs, the processor boards are constructed in a high-integrity, self-checking, lock-step design (shown in Figure 5 ). This design prevents hardware faults from impersonating software errors with a very low probability of not being detected. The self-checking functionality of the design includes X and Y lane, bit-by-bit comparisons of the data moving through the dual processors and dual memory controller logic. Coming out of the processor, the data flows through a high-integrity network interface card (NIC) to access the onboard data network. 
1.E.2-5
The backbone of the Orion avionics architecture is the Time Triggered Ethernet (TTEthernet) network that connects all major components within the system. By utilizing the TTEthernet technology, the concept of partitioning for fault containment can be extended from the VMCs across the network to all the attached components. This is accomplished through highintegrity TTEthernet switches that connect all modules within the avionics system, including the VMCs, through three redundant planes (only two planes are connected to Ares I). TTEthernet also provides:
• 
Ares I-to-Orion Interface Requirements
During the development of the Orion CEV and the Ares I Launch Vehicle, each project had different design requirements such as mission duration, use of heritage avionics, level of complexity, data rate needs and environments. Due to these requirement differences, the Ares I and Orion vehicles chose different avionics architectures with different fault tolerant, redundancy schemes. The Ares I Launch Vehicle chose to utilize a federated avionics architecture with integrated avionics architecture characteristics within the upper stage avionics and implementation of an N-modular redundant fault tolerant scheme. The Orion CEV is implementing a strictly IMA architecture that achieves fault tolerance through high integrity processing via self-checking processors and high integrity TTEthernet NICs. As a result of these architecture choices, special attention to the interface of these two vehicles (as shown in Figure 6 ) is necessary.
Figure 6. Ares I-to-Orion Interface
1.E.2-6
There are several requirements that must be considered across the Ares I to Orion interface. The key requirements are summarized in Figure 7 . 
Interface Requirements
Figure 7. Ares I-to-Orion Interface Requirements
At the Constellation program level, it was decided that all communication across elements would be asynchronous. This was intended to avoid close coupling between different Constellation element critical networks. Also, the decision was made that IEEE Std 802. Another physical requirement for the hard-line communication interface is that there are currently only 2 physical cable connections between these vehicles. This is an interesting design constraint on the interface considering that Orion has two VMCs while Ares I has three FCs.
The main performance requirements imposed on the interface are latency and fault detection. The latency requirement is spelled out explicitly to guarantee that critical abort recommendations are shared between vehicles within an adequate period of time. It was also determined that the vehicles jointly need to be able to handle almost any single fault. However, there is no need to handle malicious, intelligent faults, such as a computer within the Ares I system corrupting a voted message and then recalculating a new cyclic redundancy check (CRC) on that corrupted message. This assumes that there is adequate internal computer data integrity protection.
In addition to the flight critical interface discussed above, there are also two redundant hard-line interfaces between Ares I and Orion that transmit video and engineering development data from the Ares I command and telemetry computers (CTC) directly to mass storage on Orion. This interface is considered non-flight critical. It does not share all of the above requirements that are imposed on the critical interface and therefore are not scrutinized under the same fault tolerance scenarios. The non-flight critical interface is not addressed in this paper.
Ares I-to-Orion Failure Modes Analysis
When considering the failure modes of avionics across the Ares I-to-Orion interface, there are two main categories to consider: failures in the cable and failures prior to transmission on the cable. In the second category, consideration of modern processor failures and byzantine failures of the avionics architecture must be considered. The specific failure modes of modern processors that were analyzed for the Ares I to Orion interface include actual data corruption due to upset or overwrite, wild memory address pointers or cache pointers and false cache hits on stale data.
Failure Protection for Ares I to Orion Communication
The first category of failure mode is failures in the cable. Protections against this category of failure include Ethernet CRC32, 8b/10b encoding and use of the length field within the Ethernet header. When data is sent from the two Ares I FCs as an Ethernet message, the data with CRC and ARINC 664 Part 7 compliant sequence number is wrapped in another 32-bit CRC (standard Ethernet, shown in Figure 8 within the frame check sequence) and is protected by 8b/10b encoding. Additionally, the length/type field in the Ethernet header (shown in Figure 8 ) will be utilized for length protection to ensure that a truncated message does not have any potential of appearing as a correct message.
1.E.2-7
Figure 8. Ethernet Frame Format [8]
One potential problem with the cable failure protections outlined above is that CRCs have statistical holes in their protection, and the exposure is almost impossible to evaluate in complex hardware since it requires an impractical amount of knowledge of the hardware failure modes. The Ares I byzantine data exchange reduces the exposure both in time and in locality, but does not eliminate it. However, the probability of spoofing layered CRCs and a sequence number are reasonably low, and are adequate for the short mission duration of Ares I (approximately 10 minutes from launch to engine cutoff). In fact, this is an even more robust design than legacy space vehicles where flight critical command messages are protected only by simple parity.
The second category of failure mode is failures in the system prior to transmission on the wire. Protections against modern processor failure modes must be considered. In the case of data corruption due to an upset in the processor, the data CRC will protect against this type of failure with very low probability (approximately 1 in 10 9 ). To protect against wild memory address pointers or cache pointers in the Ares I processors, the message time stamp or data header will cover this exposure, assuming a wild address points to the valid previously sent message, or to data that does not satisfy message validity checks. On the Orion-side of the interface, the VMCs implement a reliable design that does not store previous messages.
Another failure mode is the case of a false cache hit on stale data. If this happens on a single Ares I FC before voting the data, it will be caught by the voting algorithm. If it happens after voting, either the CRC will recognize the data corrupted by the data read, or (if it is a pointer to the message that is corrupted) the time stamp or counter will recognize the error.
In addition to these processor failure protections, the Ares I FCs memory (including cache) is Triple Modular Redundant, so the probability of a memory error is already incredibly small. It would basically require simultaneous independent faults, each with a probability of conservatively 10 -8 to get a valid but corrupt message to Orion.
Byzantine failures along this communication path are handled in several ways. The first concern is that the source (e.g. an engine controller) could give the FC bad data. On the Ares I vehicle, this is addressed by having redundant sources. For one fault tolerance for critical data, there are at least three sources. Then, all inputs to any given FC are exchanged to the other computers using a byzantine-resilient two-round exchange mechanism in the CCDL. The CCDLs guarantee, within required reliability probability, that each nominally operational FC will have the same data. After the messages have been exchanged across the CCDLs, each computer will have three messages and at least two of the three are assumed to be valid (per one fault tolerance). Therefore, for data that is required to be bit-for-bit identical, a simple vote is sufficient.
When discussing a voting fault tolerant architecture, another scenario that should be addressed is the dilemma case. Since the Ares I vehicle has three computers, what happens in the situation when one fault has occurred? At this point there are two operational computers and there is no need (and no way) to vote since there is no majority vote result. However, it is required that a disagreement is detected, so a comparison is performed. If a disagreement is seen that truly implicates the remaining computers, Ares I generates an abort recommendation to Orion along both cable paths.
Once the messages generated on Ares I cross the interface to Orion they are each connected directly to a TTEthernet switch on two different network planes. The messages then progress through the Orion network to the VMCs. As soon as the messages enter the Orion avionics system they are within the high-integrity IMA architecture, and failures are protected per the IMA high integrity fault tolerance functionality. The failure protections for the communication path from Ares I to Orion are outlined in Figure 9 . 
Failure Protection for Orion to Ares I Communication
The communication path from the Orion IMA architecture to the Ares I federated architecture is protected from the failure modes outlined above through high integrity networking with fail-silent functionality, combined with CRC checking. In other words, if a message is received on the Ares I vehicle from Orion then that message can be assumed to be accurate with no further action required beyond an Ethernet CRC32 check to verify the correctness of the message as it traveled down the wire.
When a message is created within Orion with Ares I as the destination, the Orion computers send the message through X/Y self-checking pair fault detection schemes. The message is then sent to the highintegrity TTEthernet NIC which utilizes a command/monitor (COM/MON) scheme to communicate on the network. The combination of the X/Y self-checking and COM/MON achieve extraordinarily low probability of erroneous commanding and protect again the failure modes of modern processors. The error protection on the wire is provided through the use of the Ethernet CRC32.
The message passes the interface between vehicles on two redundant cable paths. On the Orion side of the interface, the connections are to two TTEthernet switches, each connected to one of two redundant TTEthernet planes. Alternately, on the Ares I side of the interface, each cable path is connected to one flight computer directly.
Once the message is received by the Ares I computers, the two FCs that received the messages share the messages with the third computer through the CCDLs. This exchange is necessary, not for voting purposes, but due to the fact that there is not a direct interface between the third Ares I FC and the Orion network. The failure protections for the communication path from Orion to Ares I are outlined in Figure 10. 1.E.2-9 
Summary
There has been an evolution from federated avionic architectures to IMA architectures across the last several decades. As the NASA Constellation program has developed over the last five years, two of the elements within Constellation have chosen different avionics architectures, with different failure management schemes, based on their requirements. In particular, the Ares I Launch Vehicle chose a federated avionics architecture, with a subset of the avionics configured in an integrated avionics architecture, while implementing a voting scheme for fault management. Alternately, the Orion CEV is a strictly IMA architecture implementing high integrity self-checking pair processors for fault management. These decisions were based largely on the fact that Ares I was required to interface with heritage design and a pre-determined data bus. Additionally, the two vehicles have vastly different mission definitions and mission durations.
Due to the high criticality of the interface between Ares I and Orion under abort scenarios, an analysis of the interaction between the federated and IMA architectures and their associated failure management schemes is crucial to reliability of the integrated system. Each direction of communication must be considered individually to ensure failure protection and fault tolerance. Through an analysis of the failures for cable transmission and potential failures prior to data transmission, it has been shown that different avionics architectures with different fault management schemes can be interfaced in a fault-tolerant, reliable manner.
