Lorraine Fesq
California Institute of Technology
Publication
Featured research published by Lorraine Fesq.
IEEE Aerospace Conference | 2004
Martin S. Feather; Lorraine Fesq; Mitch Ingham; S.L. Klein; S.D. Nelson
NASA's Mars Science Laboratory (MSL) rover mission is planning to make use of advanced software technologies in order to support fulfillment of its ambitious science objectives. The mission plans to adopt the Mission Data System (MDS) as the mission software architecture, and plans to make significant use of on-board autonomous capabilities (e.g., path planning, obstacle avoidance) for the rover software. The use of advanced software technologies embedded in an advanced mission software architecture represents a turning point in software for space missions. While prior flight experiments (notably the Deep Space One Remote Agent experiment) have successfully demonstrated aspects of autonomy enabled by advanced software technologies, and MDS has been tested in ground experiments (e.g., on-Earth tests on rover hardware), MSL is the first science mission to rely on this combination. The success of the MSL mission is predicated upon our ability to adequately verify and validate the advanced software technologies, the MDS architectural elements, and the integrated system as a whole. Because MSL is proposing a shift from traditional approaches to flight software, approaches to verification and validation (V&V) require scrutiny to determine whether traditional methods are adequate, and where they need adjustment and/or augmentation to handle the new challenges. This work presents a study of the V&V needs and opportunities associated with MSL's novel approach to mission software, and provides an assessment of V&V techniques, both current and emerging, vis-a-vis their adequacy and suitability for V&V of the MSL rover software.
IEEE Aerospace Conference | 2009
Lorraine Fesq
Fault management for today's space missions is a complex problem, going well beyond the typical safing requirements of simpler missions. Recent missions have experienced technical issues late in the project lifecycle, associated with the development and test of fault management capabilities, resulting in both project schedule delays and cost overruns. Symptoms seem to become exaggerated in the context of deep space and planetary missions, most likely due to the need for increased autonomy and the limited communications opportunities with Earth-bound operators. These issues are expected to cause increasing challenges as the spacecraft envisioned for future missions become more capable and complex. In recognition of the importance of addressing this problem, the Discovery and New Frontiers Program Office hosted a Fault Management Workshop on behalf of NASA's Science Mission Directorate, Planetary Science Division, to bring together experts in fault management from across NASA, DoD, industry and academia. The scope of the workshop was focused on deep space and planetary robotic missions, with full recognition of the relevance of, and subsequent benefit to, Earth-orbiting missions. Three workshop breakout sessions focused the discussions on three topics: 1) Fault Management Architectures, 2) Fault Management Verification and Validation, and 3) Fault Management Development Practices, Processes and Tools. The key product of this three-day workshop is a NASA White Paper that documents lessons learned from previous missions, recommended best practices, and future opportunities for investments in the fault management domain. This paper summarizes the findings and recommendations that are captured in the White Paper.
IEEE Aerospace Conference | 2016
Jonathan Wilmot; Lorraine Fesq; Dan Dvorak
In the international standard for architecture descriptions in systems and software engineering (ISO/IEC/IEEE 42010), "concern" is a primary concept that often manifests itself in relation to the quality attributes or "ilities" that a system is expected to exhibit - qualities such as reliability, security and modifiability. One of the main uses of an architecture description is to serve as a basis for analyzing how well the architecture achieves its quality attributes, and that requires architects to be as precise as possible about what they mean in claiming, for example, that an architecture supports "modifiability." This paper describes a table, generated by NASA's Software Architecture Review Board, which lists fourteen key quality attributes, identifies different important aspects of each quality attribute and considers each aspect in terms of requirements, rationale, evidence, and tactics to achieve the aspect. This quality attribute table is intended to serve as a guide to software architects, software developers, and software architecture reviewers in the domain of mission-critical real-time embedded systems, such as space mission flight software.
IEEE Aerospace Conference | 2012
Brian K. Muirhead; Lorraine Fesq
Managing faults and their resultant failures is a fundamental and critical part of developing and operating aerospace systems. Yet, recent studies have shown that the engineering "discipline" required to manage faults is neither widely recognized nor evenly practiced within the NASA community. Attempts to simply name this discipline in recent years have been fraught with controversy among members of the Fault Management (FM), Integrated Systems Health Management, Fault Protection, Hazard Analysis, and Aborts communities. Approaches to managing space system faults typically are unique to each organization, with little commonality in the architectures, processes and practices across the industry. A spectrum of issues and options affects the scope and implementation of how faults are managed within space systems. At one end of this spectrum are activities that manage faults via prevention and containment, which typically are performed either before flight or in non-real-time, such as designing in margins or inspecting airframes for fractures. On the other end of the spectrum lie activities that manage faults after they occur, including detection, isolation, diagnosis and response. Mission characteristics such as the length of the mission, human vs. robotic, availability of communication with a control center, and risk and cost profile drive very different approaches to emphasizing different ends of this spectrum. Human spaceflight missions to low Earth orbit experience almost continuous communication with ground controllers and are designed for round trips. Alternately, deep-space robotic probes are one-way missions that experience long communication delays and outages. These characteristics drive the focus of managing space system faults toward the non-real-time prevention/containment end of the spectrum for the former, and toward the respond-to-faults end of the spectrum for the latter.
In fact, automating these capabilities is especially critical for deep space and planetary missions where the limited communication opportunities may prevent timely intervention by ground control. With ever-increasing complexity in aerospace systems, the task of managing faults becomes both increasingly important and increasingly complex. As NASA reaches toward the goal of sending humans beyond the Earth-Moon system, there is a significant need to better understand the challenges, options and technologies of managing faults. Architects and stakeholders need to become more aware of and conversant in the issues and design options early in development and thereby balance/optimize automation vs. human-in-the-loop handling of faults. To achieve long-duration human spaceflight to asteroids and/or Mars, NASA must employ the experience across the sub-communities that, until now, have taken very different approaches to managing faults. This paper describes the diverse views and approaches that must be coalesced in order to successfully achieve NASA's future space missions.
IEEE Aerospace Conference | 2017
Ksenia Kolcio; Lorraine Fesq; Ryan Mackey
This paper presents an analysis tool useful for assessing the diagnostic performance of a model-based fault management (FM) system. The FM system, called MONSID, is designed to provide off-nominal state detection and identification capabilities that are key components to assessing spacecraft state awareness. The analysis tool can be applied to MONSID models to predict MONSID's diagnostic performance for various sensor suite configurations and model topologies. The underlying algorithms of the diagnostic resolution analysis tool are discussed. The tool is applied to a MONSID model of a robot power subsystem to illustrate how MONSID's ability to distinguish among potentially faulty components is affected by the number of sensors and their placement (injection points) in the model. The tool can be utilized for FM design early in the program by supporting sensor suite selection. In the operations phase, it can be used to reduce the amount of onboard processing required by the MONSID engine in the fault identification process.
IEEE Aerospace Conference | 2016
Ksenia Kolcio; Lorraine Fesq
This paper presents a model-based fault management (FM) system designed to provide off-nominal state detection and isolation capabilities that are key components to assessing spacecraft state awareness. The ability to autonomously isolate spacecraft failures to the component level will enable faster and more targeted responses and recovery, thereby reducing down time. The use of model-based systems and practices is being explored by the FM community as a viable approach to developing more capable, autonomous systems in order to meet mission objectives. Model-based systems can provide better fault identification than traditional methods of fault detection such as limit-checking. They also lend themselves to more straightforward approaches to verification and validation. We have chosen a particular model-based technique called Constraint Suspension for autonomous fault detection and isolation that does not require explicit fault modeling. The system is composed of a diagnostic engine and nominal system models of the target application, for example sensors and actuators. Sensed data are propagated through models of nominal system behavior. Faults are diagnosed when inconsistencies arise between sensed and modeled data. Several benefits result from this choice. First, because knowledge of faulty behavior is not required, it is possible to detect unanticipated and unforeseen faults. In fact, anomalous, degraded, and failed states can all be detected. Second, the same models used for nominal analyses and operations can be re-used for fault management, saving development resources and time. Third, the core diagnostic engine algorithm is complete and requires no additions to accommodate a potentially growing number of faults over time, resulting in a relatively compact software footprint. Related to the second and third points is that the core algorithm and, potentially, models can be reused from mission to mission.
Finally, the system can be used early in the design phase as a tool for sensor placement analyses and model verification. Health information produced by the FM system can be used to make resource allocation and planning and scheduling decisions by ground operations or by other on-board autonomy agents. Autonomous fault detection, isolation, and recovery (FDIR) on board space vehicles will provide protection and increased mission availability and reliability. On the ground, such systems enable lights-out monitoring as well as training and support for operators. This paper presents the development of fault detection and isolation algorithms and models. Application of the system to a spacecraft attitude control system is discussed. Finally, we apply Model-Based Systems Engineering (MBSE) modeling patterns to the fault management system models as a way to facilitate the development of the models through the use of SysML.
International Symposium on Software Reliability Engineering | 2013
Ann T. Tai; Chris J. Walter; Lorraine Fesq; John C. Day
Over the decades, the fault tree has remained one of the most widely used fault management (FM) mechanisms among practitioners, both as a visualization/communication medium and as a quantitative analysis tool for building dependable systems. Nonetheless, to date fault tree analysis is often unable to provide us with high-confidence results due to potential misrepresentation of the relationships among failure events. In retrospect, catastrophic system failures were almost always caused by a chain of mixed fault manifestation and interaction. Moreover, faults in FM itself may become a critical element in a fault-manifestation chain. The 1996 Ariane 5 rocket self-destruction provides us with a lesson on the devastating consequence of inappropriate FM application. Such prior lessons have inspired us to propose a fault-class-aware and FM-capability-aware fault tree analysis framework.
IFAC Proceedings Volumes | 2012
Lorraine Fesq
Fault management (FM) is a maturing discipline; currently there is no unifying description or set of guidelines for this field. Disciplines related to FM such as Reliability and Hazard Analysis do have formal methodology documents, and in some cases, National Aeronautics and Space Administration (NASA) Procedural Requirements to guide development of the work products. However, none fully addresses the needs of FM. FM is a key factor in increasing safety, reliability, availability, and performance in systems, and requires the rigor of other safety-critical processes in order for significant improvements to be made. Without this rigor, improvements to safety and reliability will be limited. A number of approaches to FM have been tried, and while many of these have been locally successful, they are inconsistent with each other and often deal with FM issues in a fragmented way. Currently it is difficult to assess the appropriateness of the architecture selected, the quality of the processes used and the development of interfaces, which can lead to designs that are complex and/or difficult to verify and validate. All of these approaches have difficulty addressing questions of completeness and effectiveness. NASA is developing an FM Handbook to establish guidelines and to provide recommendations for defining, developing, analyzing, evaluating, testing, and operating FM systems. It establishes a process for developing FM throughout the lifecycle of a mission and provides a basis for moving the field toward a formal and consistent FM methodology to be applied on future programs. This paper describes the motivation for, the development of, and the future plans for the NASA FM Handbook.
Archive | 2012
Lorraine Fesq; Dan Dvorak
Archive | 2012
Brian K. Muirhead; Lorraine Fesq