
    Experiences Using Formal Methods for Requirements Modeling

    This paper describes three case studies in the lightweight application of formal methods to requirements modeling for spacecraft fault protection systems. The case studies differ from previously reported applications of formal methods in that formal methods were applied very early in the requirements engineering process, to validate the evolving requirements. The results were fed back into the projects, to improve the informal specifications. For each case study, we describe what methods were applied, how they were applied, how much effort was involved, and what the findings were. In all three cases, the formal modeling provided a cost-effective enhancement of the existing verification and validation processes. We conclude that the benefits gained from early modeling of unstable requirements more than outweigh the effort needed to maintain multiple representations

    A Framework for Reliability and Safety Analysis of Complex Space Missions

    Long duration and complex mission scenarios are characteristics of NASA's human exploration of Mars, and will provide unprecedented challenges. Systems reliability and safety will become increasingly demanding and management of uncertainty will be increasingly important. NASA's current pioneering strategy recognizes and relies upon assurance of crew and asset safety. In this regard, flexibility to develop and innovate in the emergence of new design environments and methodologies, encompassing modeling of complex systems, is essential to meet the challenges

    Safety Considerations in the Ground Environment

    In the history of humankind, every great space adventure has begun on the ground. While this seems to be stating the obvious, mission and spacecraft designers who have overlooked this fact have paid a high price, either in loss of or damage to the spacecraft pre-launch, or in mission failure or reduction. Spacecraft personnel may risk not only their flight hardware, but they may also risk their lives, their co-workers' lives and even the general public by not heeding safety on the ground. Their eyes may be on the stars but their feet are on the ground! One additional comment: Although the design requirements are very different for human-rated and non-human-rated flight hardware, while on the ground that flight hardware (and its ground support equipment) doesn't care about what it is flying on. On the ground, additional requirements are often levied to protect the work force and general public. (Authors' Note: The source material for this chapter is primarily taken from the Kennedy Space Center Handbook (KHB) 1700.7/45 SW Handbook S-100 Space Shuttle Payload Ground Safety Handbook and the authors' personal experiences

    Operations Systems Engineering for the Lunar Flashlight Mission

    Lunar Flashlight, a 6U CubeSat developed by NASA's Jet Propulsion Laboratory (JPL) and operated by students at the Georgia Institute of Technology (GT), was launched in December 2022 with a mission to demonstrate novel small satellite technologies, including a first-of-its-kind green monopropellant system, and to map surface water ice in permanently shadowed regions of the lunar south pole using near-infrared laser reflectometry. As operations systems engineers, the GT team has maintained, developed, and refined models of spacecraft subsystems as well as coordinated the project's approach to anomaly response and fault protection. This paper reports how analysis of flight data and post-launch experiences have allowed the team to make more efficient use of the spacecraft's capabilities by taking advantage of margins, synthesizing data, and adapting flight rules and constraints. In-flight anomalies have required substantial rework of the mission's concept of operations, and anomaly management and resolution has leaned heavily on modeling and predictions from the operations systems engineers. The GT operations team has made full use of available data, including telemetry and observed system behavior, to swiftly recognize and address anomalies, support strenuous recovery efforts, and make possible a realignment of the concept of operations despite significant challenges

    Determining Logistics Ground Support Manpower Requirements for a Reusable Military Launch Vehicle

    Successful space-based technologies like satellite imagery and GPS have increased military demand for a rapid-response launch capability. AF Space Command's Operationally Responsive Spacelift program was developed to ensure that the AF has the capability to launch a payload into orbit within hours of a tasking notification, and requires development of a new space launch vehicle. The Reusable Military Launch Vehicle (RMLV) is currently in the design phase. The AF Research Laboratory sponsored development of the MILEPOST simulation model in order to assess the turnaround time, and thus responsiveness, of various design alternatives. The focus of this thesis is to improve the fidelity of the MILEPOST model by assessing the logistics manpower required to support the modeled turnaround activities. The research determined the appropriate AF organizational structure and manpower requirements for RMLV ground support agencies based on the activities modeled in MILEPOST. This information will be incorporated into the model in future research efforts, resulting in the capability to evaluate RMLV design alternatives based on both turnaround time and workforce requirements

    Tug fleet and ground operations schedules and controls. Volume 1: Executive summary

    This study presents the Tug Fleet and Ground Operations Schedules and Controls plan. This plan was developed and optimized out of a combination of individual Tug program phased subplans, special emphasis studies, contingency analyses and sensitivity analyses. The subplans cover the Tug program phases: (1) Tug operational, (2) Interim Upper Stage (IUS)/Tug fleet utilization, (3) IUS/Tug payload integration, (4) Tug site activation, (5) IUS/Tug transition, and (6) Tug acquisition. Resource requirements (facility, GSE, TSE, software, manpower, logistics) are provided in each subplan, as are appropriate Tug processing flows, active and total IUS and Tug fleet requirements, fleet management and Tug payload integration concepts, facility selection recommendations, site activation and IUS to Tug transition requirements. The impact of operational concepts on Tug acquisition is assessed, and the impact of operating Tugs out of KSC and WTR is analyzed and presented showing WTR as a delta. Finally, cost estimates for fleet management and ground operations of the DDT&E and operational phases of the Tug program are given

    Engineering Resilient Space Systems

    Several distinct trends will influence space exploration missions in the next decade. Destinations are becoming more remote and mysterious, science questions more sophisticated, and, as mission experience accumulates, the most accessible targets are visited, advancing the knowledge frontier to more difficult, harsh, and inaccessible environments. This leads to new challenges including: hazardous conditions that limit mission lifetime, such as high radiation levels surrounding interesting destinations like Europa or toxic atmospheres of planetary bodies like Venus; unconstrained environments with navigation hazards, such as free-floating active small bodies; multielement missions required to answer more sophisticated questions, such as Mars Sample Return (MSR); and long-range missions, such as Kuiper belt exploration, that must survive equipment failures over the span of decades. These missions will need to be successful without a priori knowledge of the most efficient data collection techniques for optimum science return. Science objectives will have to be revised ‘on the fly’, with new data collection and navigation decisions on short timescales. Yet, even as science objectives are becoming more ambitious, several critical resources remain unchanged. Since physics imposes insurmountable light-time delays, anticipated improvements to the Deep Space Network (DSN) will only marginally improve the bandwidth and communications cadence to remote spacecraft. Fiscal resources are increasingly limited, resulting in fewer flagship missions, smaller spacecraft, and less subsystem redundancy. As missions visit more distant and formidable locations, the job of the operations team becomes more challenging, seemingly inconsistent with the trend of shrinking mission budgets for operations support. How can we continue to explore challenging new locations without increasing risk or system complexity? 
These challenges are present, to some degree, for the entire Decadal Survey mission portfolio, as documented in Vision and Voyages for Planetary Science in the Decade 2013–2022 (National Research Council, 2011), but are especially acute for the following mission examples, identified in our recently completed KISS Engineering Resilient Space Systems (ERSS) study: 1. A Venus lander, designed to sample the atmosphere and surface of Venus, would have to perform science operations as components and subsystems degrade and fail; 2. A Trojan asteroid tour spacecraft would spend significant time cruising to its ultimate destination (essentially hibernating to save on operations costs), then upon arrival, would have to act as its own surveyor, finding new objects and targets of opportunity as it approaches each asteroid, requiring response on short notice; and 3. An MSR campaign would not only be required to perform fast reconnaissance over long distances on the surface of Mars, interact with an unknown physical surface, and handle degradations and faults, but would also contain multiple components (launch vehicle, cruise stage, entry and landing vehicle, surface rover, ascent vehicle, orbiting cache, and Earth return vehicle) that dramatically increase the need for resilience to failure across the complex system. The concept of resilience and its relevance and application in various domains was a focus during the study, with several definitions of resilience proposed and discussed. While there was substantial variation in the specifics, there was a common conceptual core that emerged—adaptation in the presence of changing circumstances. These changes were couched in various ways—anomalies, disruptions, discoveries—but they all ultimately had to do with changes in underlying assumptions. 
Invalid assumptions, whether due to unexpected changes in the environment, or an inadequate understanding of interactions within the system, may cause unexpected or unintended system behavior. A system is resilient if it continues to perform the intended functions in the presence of invalid assumptions. Our study focused on areas of resilience that we felt needed additional exploration and integration, namely system and software architectures and capabilities, and autonomy technologies. (While also an important consideration, resilience in hardware is being addressed in multiple other venues, including 2 other KISS studies.) The study consisted of two workshops, separated by a seven-month focused study period. The first workshop (Workshop #1) explored the ‘problem space’ as an organizing theme, and the second workshop (Workshop #2) explored the ‘solution space’. In each workshop, focused discussions and exercises were interspersed with presentations from participants and invited speakers. The study period between the two workshops was organized as part of the synthesis activity during the first workshop. The study participants, after spending the initial days of the first workshop discussing the nature of resilience and its impact on future science missions, decided to split into three focus groups, each with a particular thrust, to explore specific ideas further and develop material needed for the second workshop. The three focus groups and areas of exploration were: 1. Reference missions: address/refine the resilience needs by exploring a set of reference missions 2. Capability survey: collect, document, and assess current efforts to develop capabilities and technology that could be used to address the documented needs, both inside and outside NASA 3. 
Architecture: analyze the impact of architecture on system resilience, and provide principles and guidance for architecting greater resilience in our future systems. The key product of the second workshop was a set of capability roadmaps pertaining to the three reference missions selected for their representative coverage of the types of space missions envisioned for the future. From these three roadmaps, we have extracted several common capability patterns that would be appropriate targets for near-term technical development: one focused on graceful degradation of system functionality, a second focused on data understanding for science and engineering applications, and a third focused on hazard avoidance and environmental uncertainty. Continuing work is extending these roadmaps to identify candidate enablers of the capabilities from the following three categories: architecture solutions, technology solutions, and process solutions. The KISS study allowed a collection of diverse and engaged engineers, researchers, and scientists to think deeply about the theory, approaches, and technical issues involved in developing and applying resilience capabilities. The conclusions summarize the varied and disparate discussions that occurred during the study, and include new insights about the nature of the challenge and potential solutions: 1. There is a clear and definitive need for more resilient space systems. During our study period, the key scientists/engineers we engaged to understand potential future missions confirmed the scientific and risk reduction value of greater resilience in the systems used to perform these missions. 2. Resilience can be quantified in measurable terms—project cost, mission risk, and quality of science return. In order to consider resilience properly in the set of engineering trades performed during the design, integration, and operation of space systems, the benefits and costs of resilience need to be quantified. 
We believe, based on the work done during the study, that appropriate metrics to measure resilience must relate to risk, cost, and science quality/opportunity. Additional work is required to explicitly tie design decisions to these first-order concerns. 3. There are many existing basic technologies that can be applied to engineering resilient space systems. Through the discussions during the study, we found many varied approaches and research that address the various facets of resilience, some within NASA, and many more beyond. Examples from civil architecture, Department of Defense (DoD) / Defense Advanced Research Projects Agency (DARPA) initiatives, ‘smart’ power grid control, cyber-physical systems, software architecture, and application of formal verification methods for software were identified and discussed. The variety and scope of related efforts is encouraging and presents many opportunities for collaboration and development, and we expect many collaborative proposals and joint research as a result of the study. 4. Use of principled architectural approaches is key to managing complexity and integrating disparate technologies. The main challenge inherent in considering highly resilient space systems is that the increase in capability can result in an increase in complexity with all of the risks and costs associated with more complex systems. What is needed is a better way of conceiving space systems that enables incorporation of capabilities without increasing complexity. We believe principled architecting approaches provide the needed means to convey a unified understanding of the system to primary stakeholders, thereby controlling complexity in the conception and development of resilient systems, and enabling the integration of disparate approaches and technologies. A representative architectural example is included in Appendix F. 5. Developing trusted resilience capabilities will require a diverse yet strategically directed research program. 
Despite the interest in, and benefits of, deploying resilient space systems, to date there has been a notable lack of meaningful demonstrated progress in systems capable of working in hazardous, uncertain situations. The roadmaps completed during the study, and documented in this report, provide the basis for a real funded plan that considers the required fundamental work and evolution of needed capabilities. Exploring space is a challenging and difficult endeavor. Future space missions will require more resilience in order to perform the desired science in new environments under constraints of development and operations cost, acceptable risk, and communications delays. Development of space systems with resilient capabilities has the potential to expand the limits of possibility, revolutionizing space science by enabling as yet unforeseen missions and breakthrough science observations. Our KISS study provided an essential venue for the consideration of these challenges and goals. Additional work and future steps are needed to realize the potential of resilient systems—this study provided the necessary catalyst to begin this process

    Design Development Test and Evaluation (DDT and E) Considerations for Safe and Reliable Human Rated Spacecraft Systems

    A team directed by the NASA Engineering and Safety Center (NESC) collected methodologies for how best to develop safe and reliable human rated systems and how to identify the drivers that provide the basis for assessing safety and reliability. The team also identified techniques, methodologies, and best practices to assure that NASA can develop safe and reliable human rated systems. The results are drawn from a wide variety of resources, from experts involved with the space program since its inception to the best-practices espoused in contemporary engineering doctrine. This report focuses on safety and reliability considerations and does not duplicate or update any existing references. Neither does it intend to replace existing standards and policy

    System safety checklist Skylab program report

    Design criteria statements applicable to a wide variety of flight systems, experiments and other payloads, associated ground support equipment and facility support systems are presented. The document reflects a composite of experience gained throughout the aerospace industry prior to Skylab and additional experience gained during the Skylab Program. It has been prepared to provide current and future program organizations with a broad source of safety-related design criteria and to suggest methods for systematic and progressive application of the criteria beginning with preliminary development of design requirements and specifications. Recognizing the user's obligation to shape the checklist to his particular needs, a summary of the historical background, rationale, objectives, development and implementation approach, and benefits based on Skylab experience has been included

    Reusable Centaur study. Volume 2: Final report

    For abstract, see N74-31346