
    The natural history of bugs: using formal methods to analyse software related failures in space missions

    Space missions force engineers to make complex trade-offs between many different constraints including cost, mass, power, functionality and reliability. These constraints create a continual need to innovate. Many advances rely upon software, for instance to control and monitor the next generation ‘electron cyclotron resonance’ ion-drives for deep space missions. Programmers face numerous challenges. It is extremely difficult to conduct valid ground-based tests for the code used in space missions. Abstract models and simulations of satellites can be misleading. These issues are compounded by the use of ‘band-aid’ software to fix design mistakes and compromises in other aspects of space systems engineering. Programmers must often re-code missions in flight. This introduces considerable risks. It should, therefore, not be a surprise that so many space missions fail to achieve their objectives. The costs of failure are considerable. Small launch vehicles, such as the U.S. Pegasus system, cost around $18 million. Payloads range from $4 million up to $1 billion for security related satellites. These costs do not include consequent business losses. In 2005, Intelsat wrote off $73 million from the failure of a single uninsured satellite. It is clearly important that we learn as much as possible from those failures that do occur. The following pages examine the roles that formal methods might play in the analysis of software failures in space missions.


    In the beginning the space programs were self standing national activities, often in competition to other nations. Today space flight becomes more and more an international task. Complex space mission and deep space explorations are no longer to be stemmed by one agency or nation alone but are joint activities of several nations. The best example for such a joint (ad-) venture at the moment is the International Space Station ISS. Such international activities define complete new requirements for the supporting ground segments. The world-wide distribution of a ground segment is not any longer limited to a network of ground stations with the aim to provide a good coverage of the space craft. The coverage is sometimes – like for the ISS – anyway ensured by using a relay satellite system instead. In addition to the enhanced down- and uplink methods a ground segment is aimed to connect the different centres of competence of all participating agencies/nations. From the space craft operations point of view such transnational ground segments are required to support distributed and shared operations in a predefined decision/commanding hierarchy. This has to be taken into account in the technical topology as well as for the operational set-up and teaming. Last not least increases the duration of missions, which requires a certain flexibility of the ground segment and long-term maintenance strategies for the ground segment with a special emphasis on nonintrusive replacements. The Russian space station MIR has been in the orbit for about 15 years, the ISS is currently targeted for 2020, to be for over 20 years in space.

    National Security Space Launch

    The United States Space Force’s National Security Space Launch (NSSL) program, formerly known as the Evolved Expendable Launch Vehicle (EELV) program, was first established in 1994 by President William J. Clinton’s National Space Transportation Policy. The policy assigned the responsibility for expendable launch vehicles to the Department of Defense (DoD), with the goals of lowering launch costs and ensuring national security access to space. As such, the United States Air Force Space and Missile Systems Center (SMC) started the EELV program to acquire more affordable and reliable launch capability for valuable U.S. military satellites, such as national reconnaissance satellites that cost billions per satellite. In March 2019, the program name was changed from EELV to NSSL, which reflected several important features: 1.) The emphasis on “assured access to space,” 2.) transition from the Russian-made RD-180 rocket engine used on the Atlas V to a US-sourced engine (now scheduled to be complete by 2022), 3.) adaptation to manifest changes (such as enabling satellite swaps and return of manifest to normal operations both within 12 months of a need or an anomaly), and 4.) potential use of reusable launch vehicles. As of August 2019, Blue Origin, Northrop Grumman Innovation Systems, SpaceX, and United Launch Alliance (ULA) have all submitted proposals. From these, the U.S. Air Force will be selecting two companies to fulfill approximately 34 launches over a period of five years, beginning in 2022. This paper will therefore first examine the objectives for the NSSL as presented in the 2017 National Security Strategy, Fiscal Year 2019, Fiscal Year 2020, and Fiscal Year 2021 National Defense Authorization Acts (NDAA), and National Presidential Directive No. 40. The paper will then identify areas of potential weakness and gaps that exist in space launch programs as a whole and explore the security implications that impact the NSSL specifically. 
Finally, the paper will examine how the trajectory of the NSSL program could be adjusted in order to facilitate a smooth transition into new launch vehicles, while maintaining mission success, minimizing national security vulnerabilities, and clarifying the defense acquisition process. No embargo. Academic Major: English. Academic Major: International Studie

    Lessons learned in creating spacecraft computer systems: Implications for using Ada (R) for the space station

    Twenty-five years of spacecraft onboard computer development have resulted in a better understanding of the requirements for effective, efficient, and fault tolerant flight computer systems. Lessons from eight flight programs (Gemini, Apollo, Skylab, Shuttle, Mariner, Voyager, and Galileo) and three research programs (digital fly-by-wire, STAR, and the Unified Data System) are useful in projecting the computer hardware configuration of the Space Station and the ways in which the Ada programming language will enhance the development of the necessary software. The evolution of hardware technology, fault protection methods, and software architectures used in space flight in order to provide insight into the pending development of such items for the Space Station are reviewed.

    Prognostic Launch Vehicle Probability of Failure Assessment Methodology for Conceptual Systems Predicated on Human Causal Factors

    Lessons learned from past failures of launch vehicle developments and operations were used to create a new method to predict the probability of failure of conceptual systems. Existing methods such as Probabilistic Risk Assessments and Human Risk Assessments were considered but found to be too cumbersome for this type of system-wide application for yet-to-be-flown vehicles. The basis for this methodology were historic databases of past failures, where it was determined that various faulty human-interactions were the predominant root causes of failure rather than deficient component reliabilities evaluated through statistical analysis. This methodology contains an expert scoring part which can be used in either a qualitative or a quantitative mode. The method produces two products: a numerical score of the probability of failure or guidance to program management on critical areas in need of increased focus to improve the probability of success. In order to evaluate the effectiveness of this new method, data from a concluded vehicle program (USAF's Titan IV with the Centaur G-Prime upper stage) was used as a test case. Although the theoretical vs. actual probability of failure was found to be in reasonable agreement (4.46% vs. 6.67% respectively) the underlying sub-root cause scoring had significant disparities attributable to significant organizational changes and acquisitions. Recommendations are made for future applications of this method to ongoing launch vehicle development programs

    Computer controlled vent and pressurization system

    The Centaur space launch vehicle airborne computer, which was primarily used to perform guidance, navigation, and sequencing tasks, was further used to monitor and control inflight pressurization and venting of the cryogenic propellant tanks. Computer software flexibility also provided a failure detection and correction capability necessary to adopt and operate redundant hardware techniques and enhance the overall vehicle reliability

    The 1990 Johnson Space Center bibliography of scientific and technical papers

    Abstracts are presented of scientific and technical papers written and/or presented by L. B. Johnson Space Center (JSC) authors, including civil servants, contractors, and grantees, during the calendar year of 1990. Citations include conference and symposium presentations, papers published in proceedings or other collective works, seminars, and workshop results, NASA formal report series (including contractually required final reports), and articles published in professional journals

    Utilizing expert systems for satellite monitoring and control

    Spacecraft analysts in the spacecraft control center for the Cosmic Background Explorer (COBE) satellite are currently utilizing a fault-isolation expert system developed to assist in the isolation and correction of faults in the communications link. This system, the communication link expert assistance resource (CLEAR), monitors real time spacecraft and ground systems performance parameters in search of configuration discrepancies and communications link problems. If such a discrepancy or problem is isolated, CLEAR alerts the analyst and provides advice on how to resolve the problem swiftly and effectively. The CLEAR system is the first real time expert system to be used in the operational environment of a satellite control center at the NASA Goddard Space Flight Center. CLEAR has not only demonstrated the utility and potential of an expert system in the demanding environment of a satellite control center, but also has revealed many of the pitfalls and deficiencies of development of expert systems. One of the lessons learned from this and other initial expert system projects is that prototypes can often be developed quite rapidly, but operational expert systems require considerable effort. Development is generally a slow, tedious process that typically requires the special skills of trained programmers. Due to the success of CLEAR and several other systems in the control center domain, a large number of expert systems will certainly be developed to support control center operations during the early 1990's. To facilitate the development of these systems, a project was initiated to develop an integrated, domain-specific tool, the generic spacecraft analyst assistant (GenSAA), that allows the spacecraft analysts to rapidly create simple expert systems themselves. 
By providing a highly graphical point-and-select method of system development, GenSAA allows the analyst to utilize and/or modify previously developed rule bases and system components; thus, facilitating software reuse and reducing development time and effort

    Advanced Manned Launch System (AMLS) study

    To assure national leadership in space operations and exploration in the future, NASA must be able to provide cost effective and operationally efficient space transportation. Several NASA studies and the joint NASA/DoD Space Transportation Architecture Studies (STAS) have shown the need for a multi-vehicle space transportation system with designs driven by enhanced operations and low costs. NASA is currently studying an advanced manned launch system (AMLS) approach to transport crew and cargo to the Space Station Freedom. Several single and multiple stage systems from air-breathing to all-rocket concepts are being examined in a series of studies potential replacements for the Space Shuttle launch system in the 2000-2010 time frame. Rockwell International Corporation, under contract to the NASA Langley Research Center, has analyzed a two-stage all-rocket concept to determine whether this class of vehicles is appropriate for the AMLS function. The results of the pre-phase A study are discussed

    Marshall Space Flight Center Research and Technology Report 2019

    Today, our calling to explore is greater than ever before, and here at Marshall Space Flight Center we make human deep space exploration possible. A key goal for Artemis is demonstrating and perfecting capabilities on the Moon for technologies needed for humans to get to Mars. This year's report features 10 of the Agency's 16 Technology Areas, and I am proud of Marshall's role in creating solutions for so many of these daunting technical challenges. Many of these projects will lead to sustainable in-space architecture for human space exploration that will allow us to travel to the Moon, on to Mars, and beyond. Others are developing new scientific instruments capable of providing an unprecedented glimpse into our universe. NASA has led the charge in space exploration for more than six decades, and through the Artemis program we will help build on our work in low Earth orbit and pave the way to the Moon and Mars. At Marshall, we leverage the skills and interest of the international community to conduct scientific research, develop and demonstrate technology, and train international crews to operate further from Earth for longer periods of time than ever before, first at the lunar surface, then on to our next giant leap, human exploration of Mars. While each project in this report seeks to advance new technology and challenge conventions, it is important to recognize the diversity of activities and people supporting our mission. This report not only showcases the Center's capabilities and our partnerships, it also highlights the progress our people have achieved in the past year. These scientists, researchers and innovators are why Marshall and NASA will continue to be a leader in innovation, exploration, and discovery for years to come.