sign in sign up
<<
Home , Batteries in space

Crosslink Fall 2007 • 1 rosslink In This Issue CFall 2007 Vol. 8 No. 2 6 The Role of Independent Assessments for Mission Readiness Departments Tom Freitag and Bernardo Higuera Independent teams—once viewed as costly and time-consuming—play a vital 2 Headlines role in helping to ensure mission success. 4 Profile 10 A Mission Assurance Toolbox Allyson D. Yarbrough Jim Roberts, Bruce Simpson, and Sergio Guarro

25 Profile Aerospace has developed a suite of specialized tools that facilitate technical ­analysis and program assessment in support of mission success. The Embedded Program Office 14 The Mission Assurance Guide: System Validation 44 Research Horizons and Verification to Achieve Mission Success Miniature Space-Weather Sergio Guarro Instrumentation Aerospace has codified a set of core processes and supporting disciplines to 45 Bookmarks ­ensure successful development, deployment, and operation of space systems ­ranging in type and complexity. 50 Contributors 20 Learning from Other People’s Mistakes 52 The Back Page Paul Cheng and Patrick Smith How Did They Do It? Most satellite mishaps stem from engineering mistakes. To prevent the same errors from being repeated, Aerospace has compiled lessons that the space ­community should heed. 26 A Program for Success: The Aerospace Role in Software Assurance John Cantrell, Suellen Eslinger, and Robert Duvall Aerospace works to ensure that mission assurance is a component of every phase of software development. 32 Mission Assurance: A Human-Rated Space Perspective Garry Boggan (from left) Rich Haas, Bill Tosney, Gail Johnson- Roth, and Brandon Wong bring their skills and Aerospace has a long history of working with NASA on mission assurance backgrounds together to collaborate on successful ­initiatives for humans as they venture into space. program execution. Photo by Eric Hamburg, design by Karl Jacobs. 38 Battery Testing and Assessment to Promote Mission Assurance Copyright © 2007 The Aerospace Corporation. All rights reserved. Per- mission to copy or reprint is not required, but appropriate credit must be Valerie Ang, Boyd Carter, Warren Hwang, Margot Wasz, and given to Crosslink and The Aerospace Corporation. All trademarks, service marks, and trade names are the property of Albert Zimmerman their respective owners. Crosslink (ISSN 1527-5264) is published by The Aerospace Cor- poration, an independent, nonprofit corporation dedicated to providing Aerospace expertise in diverse cell chemistries and technologies has helped objective technical analyses and ­assessments for military, civil, and com- ­resolve numerous issues with launch and space system batteries. mercial space programs. Founded in 1960, the corporation operates a federally funded research and development center specializing in space systems architecture, engineering, planning, analysis, and research, pre- dominantly for programs managed by the Air Force Space and Missile 41 The Space Quality Improvement Council Systems Center and the National Reconnaissance Office. For more information about Aerospace, visit www.aero.org or write Gary Schipper to Corporate Communications, P.O. Box 92957, M1-447, Los Angeles, CA 90009-2957. Questions about Crosslink may be sent via email to crosslink@aero. The national security space community has embraced cooperation and collective org or write to The Aerospace Press, P.O. Box 92957, Los Angeles, CA action as the best way to meet the mission assurance challenges faced by all. 90009-2957. Visit the Crosslink Web site at www.aero.org/publications/ crosslink. From the President’s Desk The Aerospace Corporation was established as an objective, trusted partner and advisor to the nation’s defense space pro- grams. In partnership with the government and industry, Aero- space has contributed to the successful performance of critical missions by national security space systems for nearly 50 years. Effective mission assurance is critical because space is an unforgiving business. Mission failures in the 1990s resulted in $11 billion in lost assets. Many of these losses resulted from the use of unvalidated acquisition practices—the “better, cheaper, faster” approach that grew popular after the Cold War. More significant than the loss in dollars was the loss of vital military and intelligence capabilities and opportunities for , research, and commerce. Since 1999, the national security space industry has been recov- ering from those losses by reestablishing tried-and-true practices that emphasize mission success over schedule and cost reduction. This “back-to-basics” approach recognizes that optimum cost performance results from doing the job right the first time and achieving 100-percent mission success. Aerospace plays a vital role in this effort, and shares basic accountability for mission as- surance for defense and some intelligence space systems. An ob- of different systems assembled through coupled acquisitions. vious part of this accountability entails objective assessment and Mission success, in this environment, requires managing an independent monitoring of program executability. But another expanding number of complex architectures and interfaces. A important aspect involves helping the government to be a smart key challenge, then, will be to sustain existing capabilities while buyer. This begins by helping the government set an acceptable building more comprehensive systems to replace them—and that level of risk on a program. It also includes establishing appropri- means that space programs must perform to greater levels than ate incentives to guide prime contractor behavior and foster the ever before. technical curiosity that can reveal unexpected issues that can Aerospace is an integral part of the overall solution to mission have catastrophic consequences. Applying these principles with assurance and mission success. The whole picture includes put- equal rigor at the subcontractor and supplier levels is likewise ting the right teams in place, capping risk at an acceptable level, essential to mission assurance. establishing realistic cost and schedule estimates, using validated As a nonprofit trusted agent with an extensive and well orga- processes for predictable results, maintaining program stability, nized cross-program historical memory, Aerospace is uniquely and enhancing the industrial base. Efforts to institute this com- positioned to support the government’s mission assurance goals. prehensive approach are paying off: National security space Respected for their credibility and objectivity, Aerospace rep- launches (and their associated on-orbit missions) are enjoying a resentatives serve on the Space and Missile Systems Center tremendous string of successes—more than 50 in a row, including Independent Readiness Review Team and the NRO Mission 15 EELV launches. As long as space system developers maintain Assurance Team, provide independent program assessments, clear accountabilities and sustain the focus on mission assurance, and work alongside contractors in their own facilities. They inves- this positive trend can continue indefinitely. tigate system anomalies and disseminate lessons learned. They develop and modernize relevant specifications and standards, provide independent review of testing protocols, and establish technology readiness criteria. To help the government manage complex space projects, Aerospace has developed tools such William F. Ballhaus Jr. as the Aerospace Watch List and the Launch Verification Matrix. To strengthen partnerships and help the government and industry President and CEO work toward common goals, Aerospace serves as coordinator of the Space Quality Improvement Council and the National Space Suppliers Council. These efforts have helped get space programs back on the right track. But challenges will continue, as space systems become more complex and vital and as the number of missions and users continues to grow. Many new and next-generation space systems function as elements of broader enterprises, composed Headlines

Aerospace Assesses Hailstorm Damage

Aerospace has worked closely with NASA to assess the foam the repaired foam, and the results showed the risk was minimal com- debris hazard for every mission since the Columbia pared with other known foam debris sources. accident in 2003. This included the Atlantis mission, STS-117, Aerospace assessed the repairs and concluded that the hail dam- which launched from Cape Canaveral on June 8, 2007. Just prior to age no longer threatened the launch. Results of the Aerospace hazard the Atlantis launch, NASA revised its damage map, derived using analysis for foam debris were presented to NASA at the second flight Monte Carlo analysis. The map, which tells how much damage the readiness review for STS-117 in late May. Atlantis safely returned shuttle’s tiles can sustain from foam impacts, is now more accurate from the International Space Station on June 22. for impacts from small foam debris (less than 0.002 pound mass). Space shuttle Endeavour, mission STS-118, also experienced foam As it sat on the pad ready for launch in February, Atlantis was loss that caused damage to the orbiter’s thermal tiles when it launched pummeled by a hailstorm that caused extensive damage to its orbiter on Aug. 8. After much testing and assessment, NASA concluded that and external tank. The launch date was canceled, and a three-month the shuttle could safely return to Earth, which it did, on Aug. 21. repair of the hardware systems began. The outer mold line of the ex- ternal tank has certain critical thickness and flatness criteria that must be met for the tank to survive the heat it experiences during ascent. NASA decided to carve out the foam from damaged areas on the external tank and spray new foam. Repairs of this magnitude had been done only once before in the shuttle program’s history. NASA now needed to know whether the repairs to the hail-damaged foam would increase the risk to the orbiter. After the repairs were completed, Aerospace assessed the foam debris hazard to the shuttle. Aerospace had two concerns with the condition of the external tank. The first was that some foam softened by the hail, but not identi- fied and replaced, could release during ascent because of structural degradation. Aerospace intentionally damaged multiple foam samples from the external tank to simulate the hail strikes. Each sample was then subjected to ascent environments in Aerospace’s wind tunnel and monitored for foam loss. None of the samples experienced an anoma- lous release that could be associated with the hail impacts. Aerospace concluded there was no increased risk to Atlantis. The second concern Courtesy of NASA was that the repaired foam might release during ascent. Aerospace The space shuttle Endeavour and its seven-member STS-118 crew head toward analyzed the location, timing, mass, and expected release frequency of Earth orbit and a link-up with the International Space Station on Aug. 8, 2007. Near-Field Infrared Experiment (NFIRE)

NFIRE’s tracking sensor payload successfully tracked and collected images of a thrusting target—a modified Minuteman II booster—launched from Vandenberg Air Force Base on Aug. 23, 2007. Images from the successful test will improve understanding of missile exhaust plume observations and plume-to-rocket body discrimination, according to the U.S. Missile Defense Agency. Program officials will continue to evaluate system performance based upon telemetry and other data obtained during the exercise. The data will be used to validate and update models and simulations that are fun- damental to missile defense technologies. The NFIRE satellite is the Missile Defense Agency’s demonstration satellite program aimed at collecting long-wave infrared rocket plume data at close proximities, explained Pete Thomas, senior project engineer with the Aerospace Technology Development Test and Demonstration Directorate. The satellite supports the Missile Defense Agency’s Kinetic Energy Interceptor Program, designed to produce interceptors capable of shooting down enemy ballistic missiles during their boost and ascent phases of flight. The tracking sensor payload, NFIRE’s primary payload, was developed by Science Applica- tions Inter­national Corporation under the stewardship of the Air Force Research Laboratory and Aerospace. “The payload, developed under strict cost and schedule constraints, involved lots of direct Aerospace and Air Force insight into payload design, build, and test prior to launch and on-orbit op- erations,” Thomas said. “Aerospace was present continually during the development to give immediate attention to issues or problems. Aerospace implemented an effective but informal process for manag- ing problem and failure reports to help ensure the low-cost payload wouldn’t fail.” Courtesy of NASA The NFIRE satellite has been in orbit since it was launched from Wallops Island, Virginia, on The Air Force Minotaur 1 rocket carrying the April 24. The successful target launch mission is the first of two such dedicated missions. Near-Field Infrared Experiment satellite.

2 • Crosslink Fall 2007 Royalty Checks Go to Aerospace Inventors

Approximately 30 Aerospace inventors were awarded royalty checks flexibility in supporting the vast array of interesting ideas being in a ceremony held at Aerospace in June. Aerospace president and investigated at Aerospace. Inventors are encouraged to work CEO William Ballhaus distributed the checks, which ranged from closely with Aerospace’s intellectual property office to build on several hundred dollars to almost $64,000. Andrew Quintero from this recent success. the Office of Intellectual Property Management discussed a num- ber of recently licensed Aerospace inventions, including a golf put- ter, a “smart” fridge, a microvalve, and an Internet security program. Quintero gave a brief overview of the licensing process. He explained that when an Aerospace researcher discovers what is thought to be a new idea, that idea is listed in Aerospace’s intel- lectual property database and reviewed by one of Aerospace’s patent committees. If it is approved by the reviewing committee, a patent attorney prepares an application that is submitted to the United States Patent and Trademark Office. The inventor then prepares a summary of the invention, and this generally triggers the formal commercialization effort, which typically requires the inventor to conduct a technology opportunity briefing. “This is critical, because it is the primary document that works to market the technology,” said Quintero. However, the intellectual property can be licensed in many ways, and this ceremony represented a number of those methods, representing almost $1 million. Aerospace has licensed its inventions to many people and companies, including individual entrepreneurs, small startup companies, and large corporations. The revenue generated from the licensed patent is distributed among the inventors, their Andrew Quintero, William Ballhaus, and general counsel Gordon Louttit awarded departments, and the corporation. The money distributed to royalty checks to Aerospace employees. The June ceremony recognized 30 Aero- space inventors. the departments and corporation as a whole allows additional Colorado Springs Security Award

The Aerospace security group in Colorado Springs has been awarded the James S. Cogswell Outstanding Industrial Security Achievement Award for 2007. The award was presented by the Defense Security Service at the annual training seminar of the National Classification Management Society in Reno, Nevada, in June. Thirty facilities were granted the award, from a pool of nearly 12,000 cleared DOD contractors. The criteria for this award focus on principles of industrial security excellence. These include establishing and maintaining a security pro- gram that goes well beyond basic requirements. The award cited Aero- space for providing leadership to other cleared facilities in setting high standards for security. Only facilities that have at least two consecutive superior industrial security review ratings and those that show a sustained degree of ex- cellence and innovation in their overall security program may be nomi- nated for the award. Aerospace received superior ratings in 2004–2006. The award, established in 1966, is named in honor of the late Air Force Col. James S. Cogswell, who was the first chief of the unified office of industrial security within the DOD. The annual award is the most prestigious honor the Defense Security Service bestows on a cleared facility. Aerospace’s Western Range Directorate at Vandenberg Air Force Base in California received the award in 1997. “I am extremely proud of the Colorado Springs security group for its continued commitment to excellence,” said Mike Drennan, Mark Wedo and Celia Canaan of the Colorado Springs security group are Aerospace vice president of Space Operations, Requirements, and joined by Mike Drennan as they display the 2007 James S. ­Cogswell Award. The Aerospace Colorado Springs security group was recognized as a leader ­Technology. in setting high security standards for its facility.

Crosslink Fall 2007 • 3 Profile Allyson D. Yarbrough, Associate Principal Director, EHF Systems Mission Assurance for AEHF Allyson Yarbrough brings personal and professional qualities to the table that contribute to a rewarding Aerospace career. Donna Born

The Advanced Extremely High Frequency (AEHF) next-­generation military protected communications system is scheduled for launch in 2008. AEHF is the successor to the current Milstar system, re- plenishing Milstar satellites in the EHF band. The new system will have up to twice as many tactical networks, provide 10 times greater total capacity, and offer channel data rates 6 times higher than that Yarbrough leads the mission assurance team for AEHF. of Milstar II. The higher data rates will permit transmission of tac- tical military communications such as real-time video, battlefield maps, and targeting data. Interoperability and coalition operations Although Yarbrough thought she was not an expert in mission will benefit from international partners in the development and assurance when she was assigned that task for the AEHF system, operation of the system. she soon realized how central it had been to so much of her engi- Helping prepare for the launch of this mission is one of Allyson neering work at Aerospace. Her previous assignments were in the Yarbrough’s principal responsibilities. For the past two years, she Engineering and Technology Group, which provided her with spe- has led the development and implementation of the AEHF Mis- cific technical expertise in disciplines relevant to space and launch sion Assurance Framework, which seeks to deliver mission success programs. These experiences directly prepared her for the AEHF through the disciplined application of thorough, documented pro- assignment. “I can wind a thread from every task to having some cesses and the capture of technical evidences for launch and opera- relevance to mission assurance, whether it was developing proto- tions readiness. She is quick to credit others whose work she has types in the labs, looking at current and alternative solutions to built upon, who initiated the framework for AEHF, having adapted microwave circuit hardware, participating in anomaly investigations, it from the formal mission assurance process that had been in place assessing feasibility of new technologies, or technology forecasting. for some years for launch vehicle programs. But it is her tenacity All of that certainly plays a role in overall mission assurance.” and leadership of the Mission Assurance Framework that will see In her position as associate principal director of the EHF the new system to the launch and beyond. Systems Program Office, Yarbrough shares management of the Each portion of the Mission Assurance Framework, Yarbrough Aerospace AEHF organization and interacts with Aerospace explained, is assigned to separate teams that monitor systems engi- customers and government contractors. Nearly single-handedly neering, the mission control system, launch vehicle integration, sys- she secured $1.3 million in DOD funds for a major field program- tems effectiveness, the space segment (payload and spacecraft bus), mable gate array risk-mitigation test program. “The multiprogram information assurance, international partners, and operations. The activity is focused on characterizing the reliability of this exciting teams meet regularly to discuss progress of the respective mission new technology being deployed on AEHF and planned for use on assurance tasks and the milestones, documentation, and evidence numerous other national security space programs,” she said. It’s just that support decisions, rationale, task completions, and any devia- one of many mission assurance enhancing initiatives she has led or tions or exceptions. A computer-based assessment tool tracks the ­supported. progress, and supporting documentation is captured in an electronic Before joining the EHF Systems Program Office, Yarbrough was archive. principal director of the Electronics Engineering Subdivision that “It’s the totality of those assessments concatenated together that provided expertise in space system electronics engineering. Prior we are working to complete in a way that, come launch, we’ll be to that, she was the director of the Electromagnetic Techniques ready to give a thumbs up or not. What we’re trying to do is iden- Department, providing program support and leading technology tify, document, track, and assess all the activities that need to be per- studies and prototype development efforts for military, civil, and formed in order for us to stand up before our program manager, Air commercial satellite customers. Her main background is microwave Force Col. William Harding, and Aerospace management and say: circuits and analysis, semiconductor processing, and microelectro- ‘All requirements have been met. Yes, this satellite is ready to go.’ ” mechanical systems. For ten years after joining Aerospace in 1989

4 • Crosslink Fall 2007 Profile Allyson D. Yarbrough, Associate Principal Director, EHF Systems

in what was then the Electronics Research Laboratory, she worked in the Communication Systems Subdivision in the Microwave and Millimeter-wave Electronics Section, first as a member of the tech- nical staff and then as manager. Career Highlights In her career at Aerospace, Yarbrough has been successful at both research and management and can’t decide which she likes best. Her research has led to five patents that have generated revenue for the company. “There has been nothing quite like learning some- thing new in the lab and working in teams with some of the senior colleagues. Not much compares to those five patents,” she said. “It was really a thrill to realize that somebody else actually thought something I created was useful enough to license.” On the other hand, she has derived great satisfaction from her management experiences. “Management has helped me grow per- sonally. I’ve gotten as much excitement out of some management successes as I have derived from being in the lab or satisfying a Woodworking has often inspired Yarbrough’s Aerospace research. customer need. Some of the most rewarding occasions for me have been when employees come in to talk to me, and their level of con- ­laboratories and simulation centers, being appreciated—all of these fidence seems to be enhanced, just by our talking. Those occasions combine to make Aerospace a very intellectually stimulating and have really made me very proud to be a part of the management personally fulfilling place to work.” team. Seeing people grow. Helping employees pursue opportunities. For now, Yarbrough exercises her imagination and fills her spare Giving people honest feedback.” time with woodworking, which she approaches with the same pas- So it seems it comes down to simply working at Aerospace that sion she gives to her work. She has made utilitarian pieces, beauti- has offered her opportunity, growth, and fulfillment: “What has ful furniture for her home and gifts for others. But not even that been most invigorating is being part of a pool of engineers and sci- fulfilling avocation carries her too far from Aerospace: “Sometimes entists who represent virtually every discipline relevant to space. It I have a challenge that I’m walking around with in my head for is no exaggeration that regardless of the space-related expertise one days or weeks, and when I’m in the middle of doing something like needs, there is an expert in that area somewhere in the company. sanding in my woodshop, my mind just goes off and starts working What I admire and treasure most about the Aerospace environment on that problem. I remember an etching idea I had for one of the is the diversity of talent, skill, and knowledge represented among patents, and I got a little breakthrough while I was in my wood- our staff and management. The environment fosters initiative and shop. Frankly, two of my patents I figured out while I was in my creativity and has forced me to open my technical aperture to en- woodshop. I really got a kick out of that because woodworking is gage in activities that take me outside of my technical expertise and totally unrelated to what I do here in the office.” She is also an avid comfort zone.” seamstress and makes many of her own garments. She is enthusiastic about soon-to-be Aerospace president, She likes the fact that her husband, John Scarpulla, also works Wanda Austin, who was once her division manager and has con- at Aerospace as a scientist in the labs and now on a rotation as- tinued to be a friend and mentor. She is convinced that Austin will signment in a program office. They have worked together on teams be an extraordinary CEO and believes Aerospace is fortunate to be and projects—they collaborated on a 2003 Crosslink article on the led by a person of her technical talents, her initiative, her leadership effects of ionizing radiation on space electronics: “What Could Go skills, and her stamina. “Dr. Austin’s poise and her ability to just stay Wrong?” He has helped set up her woodshop and buys her power focused and her recognition of how important it is to get the cus- tools and pieces of exotic wood as birthday and anniversary gifts. tomer the most rigorous—and programmatically viable—solutions “He knows what I enjoy, and he’ll buy those things that will actually combine to put her in that position. She has been a role model to make my woodworking easier.” many junior and experienced engineers, both men and women— They met in graduate school at Cornell University, where Yar- just being technically outstanding, responsive to customers, and brough earned her M.S. and Ph.D. degrees in electrical engineering. following through. And what’s so wonderful about her is that she’s She is close to her family and extremely proud of her father, who remained the same warm person as she’s risen through the ranks. I finished his degree in mechanical engineering after retiring from just admire her on so many levels.” the Air Force, and of her mother, who returned to college to con- Many at Aerospace say the same things about Yarbrough, who tinue her own education. In fact, at the same time she was working is widely admired and liked. In addition to her five patents, she has on her undergraduate degree in electrical engineering, her father, published papers, won professional awards, and belongs to several her sister, and her mother were also studying at New Mexico State professional societies and associations. Adding value to the Aero- University. “If I have a major decision to make, I talk to my hus- space product for customers, serving as a role model, and assuming band, my parents, and my graduate thesis advisor, who remains one greater responsibility are among her ambitions. “I enjoy it here. of my heroes and mentors after all these years that I have been away This is my career home now. The quality of the staff, the interac- from Cornell. I feel very fortunate to have such a strong support tions with colleagues, the opportunities for growth, the various network.”

Crosslink Fall 2007 • 5 The Role of Independent Assessments for Mission Readiness

Independent teams—once viewed as costly and time-consuming—play a vital role in helping to ensure mission success.

Tom Freitag and Bernardo Higuera

n the 1980s, Air Force regulations prescribed indepen- Delta II and newer vehicles such as the Delta IV and Atlas dent reviews for all boosters and many satellite missions. V. These newer vehicles in particular needed multiple inde- Independent review teams composed of Aerospace, gov- pendent review teams because they were being developed by Iernment, and contractor personnel would review each mis- different contractors and designed with multiple configura- sion, present a risk assessment, and then disband. The teams tions. In 2001, SMC formally resurrected its independent were large and required a significant amount of contractor reviews, establishing a permanent Independent Readiness support. They had no permanent members, and the results Review Team with more direct reporting lines to SMC lead- of their reviews were often shared late in the launch flow ership and an annual budget. process. If significant issues arose, options were limited and Subsequently, a decision was made to have the SMC expensive. review team focus on Atlas and Delta missions for the Air In the mid-1990s, the Air Force Space and Missile Sys- Force, while the Mission Assurance Team would focus on tems Center (SMC) largely eliminated these independent Atlas and Delta missions for the NRO. Both teams would reviews as part of the cost reductions sought through acqui- share information on a regular basis. sition reform. In contrast, the National Reconnaissance Of- In establishing these formal review teams, the NRO and fice (NRO) continued its independent reviews, and in 1997 SMC recognized the need for a dedicated core group of established a Mission Assurance Team composed of Aero- people who would maintain continuity throughout launch space, government, and contractor personnel. An early as- campaigns. This continuity would allow the teams to delve signment for this team was to evaluate the advanced avionics into specific problems requiring a high degree of investi- and new solid rocket motor upgrade of the Titan IVB-24. gation, analysis, and data review. Permanent membership At the same time, launch schedule slips to some Titan IVA would also reduce the number of orientation briefings that missions—which had been reviewed by independent teams had been necessary each time a new team was formed. The that had since disbanded—necessitated a supplemental government started budget planning to ensure the teams review of those vehicles. The newly evolving Mission Assur- would be funded for several years, and this, in turn, stimu- ance Team stepped in to review them, addressing component lated long-term commitments from launch vehicle experts. aging, storage, and site processing. It also fostered better coordination and integration with the In late 1999, after the Department of Defense suffered launch vehicle contractors, which led to early and timely several launch failures involving Titan IV vehicles, SMC and resolution of issues and the reduction of costly schedule slips. NRO formed an agreement establishing the Mission As- The Mission Assurance Team surance Team as the independent reviewer of all remaining Titan IVB missions, including those using the Centaur and Today, the Mission Assurance Team is an integral part of the Inertial Upper Stages. The team’s knowledge of the Titan the mission certification process for the NRO. Its overall IVB had developed to the point where it was seen as the ex- objective is to complement the more extensive launch veri- pert on that launch vehicle. fication performed by Aerospace. The focus is on deviations The agreement between SMC and NRO was later ex- to the launch vehicle baseline, including documented non- tended to include the Atlas II and III medium launch ve- conformances, out-of-family items, work performed out of hicles. Meanwhile, SMC was developing its own process for position, and changes implemented by the launch vehicle independent review of heritage launch vehicles such as the contractor without supporting qualification or adequate Mission Impact Definitions Risk Matrix Negligible – No mission capability degradation. Critical Moderate – Mission capability degradation. Moderate Critical – Loss of mission or safety hazard.

Probability Impact Definitions Negligible

Baseline – Probability of undesired outcome enveloped by baseline Mission Impact program qualification and is no higher than other missions. Low Medium High Probability of Occurrence Low – Probability of undesired outcome exceeds baseline, but is bound by supporting analysis/test. Undesired outcomes are highly unlikely (≥1 in 1000) under predicted flight environs or conditions. Low-Medium – Probability of undesired outcome exceeds low, and some data needed to reliably predict success is provided. Undesired outcomes are unlikely (between 1 in 100 and 1 in 1000) under predicted flight environs or conditions. Medium – Out-of-family condition exists and is trending to be out of specification before deployment. Condition is outside of the test/flight experience. Data to support a success prediction is absent, or existing data may be negated by other data suggestive of possible failure. Undesired outcome unlikely (~1 in 100) under predicted flight conditions. High – Significant out-of-family condition rapidly trending to out of specification condition or outside of test/flight experience. Low confidence in supporting analysis/test and/or assumptions. Available data foreshadows system performance failure. Occurrence likely (≥1 in 10) under predicted flight environments or conditions.

The Independent Readiness Review Team uses this chart to assess risk, probability, and potential impact to a mission as issues are raised during reviews.

­verification. These include in-line design, area has 10–12 members with two leads. tation of manufacturer’s corrective actions in vendor, and production optimization Half of the members serve full time, and the production of launch vehicle batteries. changes known as Class II changes. The half provide part-time support, including The Mission Assurance Team participates in team also identifies and evaluates hardware members of Aerospace, contractors, and the Aerospace President’s Review, the SMC and mission design first-time flight items ­expert consultants. Flight Readiness Review, and the NRO’s and pursues the intersection of companion In the past, the NRO’s Mission Assur- Mission ­Certification Review, as well as hardware failures (similar hardware not ance Team supported SMC in its inde- quarterly program reviews to senior NRO assigned to the specific vehicle being re- pendent risk assessment for select Titan, management. viewed) to ensure there are no latent defects Atlas II, and Delta II launch vehicles. In Team members work daily alongside present. Postflight data review (“test like fact, with the exception of the NASA contractors, and this interaction has cre- you fly” screening) and acceptance testing Cassini mission, the team has assessed all ated a strong understanding of the need for evaluation is also an integral part of the Titan IVB vehicles for SMC and NRO, timely risk assessments, early involvement, ­assessments. including some SMC unique Inertial Upper and ample time to review and manage risk Aerospace provides technical leadership Stage missions. The team assessed the At- issues. The team’s mission assurance proce- to the group, and the NRO provides fund- las II MLV 7 and MLV 9–15 missions, the dures are continuously reviewed, compared ing and management. The Mission Assur- Delta GPS IIR-2, Geolite, and NROL-21 with those of other independent teams, ex- ance Team performs an in-line independent missions, and the Orbital Sciences Taurus/ amined with respect to government studies, technical risk assessment of launch vehicle Stex mission. The technical risk assessments and redesigned as necessary. issues, configuration, hardware disposition, have evolved along with space launch ve- Examples of Findings and all other areas of launch vehicle build hicles. The team has moved from assessing and process that can potentially increase mature Titan, Atlas II/III, and Delta II The Mission Assurance Team supported mission risk. This risk assessment is made programs to looking at the new Atlas V the development and use of a structural dy- on a purely technical basis, according to and Delta IV rockets. Work for these new namics high-frequency data-reduction and published guidelines, and is independent boosters, which lack an extensive histori- harmonics analysis tool used to screen out- of programmatic constraints such as cost cal baseline, relies on lessons learned from of-family harmonics behavior in an upper and schedule. It is a comparative analysis test failures and near misses as well as the stage engine system. The harmonics were based on a defined and accepted launch ­overall ­incorporation of best practices the suspected source of some RL-10 engine vehicle baseline and its associated baseline shared by team members. failures. This analysis tool has undergone ­reliability. The Mission Assurance Team tracks chal- significant improvements and has since The Mission Assurance Team covers lenging launch fleet issues and investigates identified engines that have unusually high three main areas: structural and mechani- associated risks that have been identified by harmonic content in the Atlas II AC-109 cal engineering, propulsion, and avionics Aerospace, the Launch Directorate, SMC’s and Delta IV NROL-26. The team’s find- and mission design. Although the focus is Independent Readiness Review Team, and ings on the harmonics were presented to the primarily on hardware, overlap into mission contractors. For example, the teams are appropriate contractors, who subsequently design, analysis, and integration helps the working together to analyze the constantly removed the engines. team evaluate the suitability of each system evolving defect criteria for delaminations in Another review identified high porosity for a particular mission. Each main review a graphite epoxy motor and the implemen- in a composite structure. This high-porosity Crosslink Fall 2007 • 7 area had escaped the original inspection, participates in space program development, locked loop circuit in a microwave imager and the Mission Assurance Team presented including technical interchange meetings, sounder and recommended corrective action its findings and recommended repairs. The integrated product team meetings, hard- that was implemented by the program office team also identified an improperly quali- ware acceptance, and pedigree and design and contractor. By examining schematics, a fied acceptable defect size for composite reviews; it also examines selected parts, review engineer identified the location of an structures, and recommended additional components, subsystems, and compliance open circuit that was causing intermittent testing to validate the allowable defect sizes. documentation. The reviews usually start operation of the phase-locked oscillator. The contractor performed additional testing on a satellite two years before a launch and The engineer visited the contractor’s facility and concluded that the drawings should be on boosters one year before launch. The and examined the hardware firsthand. The modified in the majority of the structures team has performed independent reviews of engineer was able to reproduce the anoma- to reflect a new, smaller allowable defect, the Atlas V and Delta IV boosters as well lous behavior by pressing on the transistor which was one-quarter the size of the origi- as heritage boosters such as the Titan II, lead identified during the schematic review. nal defect. Delta II, Pegasus, and Minotaur. The team While diagnosing this problem, the review A review of hardware photos during ve- also reviews payloads for the Defense Sup- team also discovered severe workmanship hicle assembly identified potential scuffing port Program, Global Positioning System, problems. These were corrected, and the or chafing of a wire harness on a payload Space-Based Infrared System, Defense payload launched. It continues to perform adapter. Because this phenomenon was im- Meteorological Satellite Program, Military as intended. plicated in a prior booster failure, the Mis- Strategic and Tactical Relay System, Ad- The review team’s structural and me- sion Assurance Team promptly brought the vanced Extremely High Frequency system, chanical engineering panel provided rec- findings to the contractor’s attention. The Wideband Global Satcom System, and se- ommendations to reduce the risk of latch contractor added standoffs and additional lected Space Development and Test Wing failure in a telescope’s protective contamina- wire-harness protection, and implemented flights. tion cover, which represented a single point new criteria to ensure proper standoff be- These independent reviews support the of failure. The program office and contractor tween wire harnesses and structures. SMC flightworthiness certification process accepted the design and test recommenda- A standard review of a solid rocket mo- and are based on published guidelines such tions to reduce the risk of mission loss. tor included an allocation for the twisting of as SMCI 63-1201, Assurance of Operational During booster component reviews, the a composite motor case resulting from the Safety, Suitability & Effectiveness (OSS&E) team identified two motors with suspect internal motor pressure, which is defined as for Space and Missile Systems; SMCI 63- nozzles. The first had a nozzle that was case twist. Mission Assurance Team engi- 1202, Space Flight Worthiness; SMCI 63- dropped off a pallet and later installed. neers identified the proposed case stack as 1203, Independent Readiness Reviews; and The review team found that the analysis to an out-of-family worst-case twist, which SMCI 63-1204, Readiness Review Process. justify the use of the dropped nozzle was exceeded the twist on all previously flown The Independent Readiness Review Team inadequate because it did not consider dy- missions. The case twist had the potential also evaluates each mission-specific space namic loads. The motor manufacturer and for generating additional internal loads that program office and the contractor processes, the program office agreed that additional were not accounted for in the stress analysis and, as necessary, offers opinions and rec- work was required to clear the nozzle for and load calculations for the vehicle. The ommendations for improvement. Team flight. The second motor had two separate contractor accepted the team’s recommen- members participate in problem resolution sources of polyacrylonitrile tape used to dation and rearranged the solid rocket mo- and failure investigation activities, such as manufacture the carbon-phenolic exit-cone tor stack to minimize case twist. nozzle delamination investigations, solid liner. Tape from one source was used on The Independent Readiness rocket motor redesign, and satellite mecha- half of the liner, and tape from another nism failure resolution activities. The team source was used for the remainder. The two ­Review Team formally presents its results at periodic tapes had mechanical properties that dif- The Independent Readiness Review Team program reviews with SMC leadership, at fered by as much as a factor of 2. The motor performs risk assessments of space launches the Aerospace President’s Review, and at manufacturer had not done any analysis and reports findings in prelaunch reviews to the SMC Commander’s Flight Readiness to determine the effects of using an exit- the SMC commander. Aerospace provides Review. cone liner with mechanical properties that technical leadership for the group, supply- Examples of Findings changed dramatically midway through. The ing 10 full-time employees on the team; only prudent course was to replace the mo- these are augmented as necessary with ad- The Independent Readiness Review Team’s tor and set it aside until an adequate struc- ditional Aerospace engineers and industry software group identified severe shortcom- tural analysis of the exit-cone liner could be contractors. The Independent Readiness ings in flight software development and ­performed. Review Team is a matrix-style organization execution for an SMC program. The team Another issue involved the lack of trace- with system and panel leaders. Each system created a risk-reduction road map that the ability to a qualified baseline for a solid leader is responsible for the review of a system program office adopted and has rocket motor. The team reviewed 11 ship specific system. Each panel leader supports been using ever since to track risk reduction. sets, including several that had flown, to multiple system leaders in specific disci- The team also uncovered grossly inadequate create a baseline and evaluate flight risk. plines such as propulsion, avionics, software, unit-level tests for flight software and rec- Results showed that each change, while not and mechanical and structural engineering. ommended remedies that have since been necessarily qualified by SMC standards, was Primary objectives include identifying implemented by the program office and reasonably supported by flight test analysis technical risks, making recommendations contractor. or experience from other programs. The for mitigation, and providing independent In another investigation, the team diag- launch proceeded with an elevated risk rat- assessments of launch readiness. The team nosed the root cause of a failure in a phase- ing and was successful. The Independent

8 • Crosslink Fall 2007 A Ten-Step Approach to Independent Review Aerospace has established historical best practices for independent 6. Anomalies review teams, leading to the current operations policies and procedures Anomalies represent situations where hardware or software did not per- of the Mission Assurance Team and the Independent Readiness Review form as expected. Careful review and analysis is required to determine Team. This approach is based on determination and evaluation of the root cause and verify that the anomaly will not recur in flight or will not main items believed to pose the greatest risk to space launch missions. A have a significant impact on the mission. short, but powerful summary of these practices is below: 7. Escapes 1. Test-Like-You-Fly Exceptions Escapes represent events in which the contractor missed something, One of the most important lessons in the space launch business is that such as releasing hardware that did not receive all of the required test- hardware and software must be tested in the same manner that they ing. The review team strives to identify escapes as part of the pedigree will be flown. Exceptions to the test-like-you-fly approach have resulted review and hardware acceptance review. The Mission Assurance Team in mission failures and represent an increased program risk that must be requests a list of contractor escapements as part of the review “inbrief.” addressed. Once identified, escapes are carefully reviewed to assess the likely 2. Critical Qualification Margins impact on mission performance, and recommendations are made for Hardware that has minimal safety margins poses an increased risk to corrective action. This may include test or analysis or simply use as is. failure because of variations in mechanical properties, performance, or 8. Unverified Failures other critical measures. It is important to check the qualification margins Unverified failures are those in which the root cause is not identified. of critical items. Without a root cause, it is hard to know what to fix, nor can there be 3. First-Flight Items assurance that the failure will not occur in flight. In these cases, fishbone First-flight items receive increased scrutiny simply because they have not diagrams are created, which detail cause and effect relationships, and been demonstrated to work under actual flight conditions. The review potential root causes and remedies. team requests a list of first-flight items at each review along with a clear 9. Out-of-Position/Sequence Work description of the qualification performed on them. Occasionally, contractors will deviate from their paperwork and perform 4. Single-Point Failures work out of sequence, or in a configuration different from the one that Redundancy in a system significantly reduces the probability of failure. was used to build up the original assembly. This may result in assembly The manufacturing documentation of single-point failures must be care- errors that need to be addressed or test results that need to be revali- fully scrutinized to ensure an adequate level of quality. dated. The review team reviews these cases to evaluate their impact on the mission and to offer recommendations. 5. Nonconformance 10. Out-of-Family Results Hardware or software that does not meet specifications will be reworked or reevaluated for use “as is.” Panel members review the actions taken Out-of-family results are carefully reviewed because they often indicate to correct these nonconformances and assess them for adequacy. In that something has changed in the production process that may cause some cases, independent review has shown that the contractor’s justi- a reduction in performance. The use of statistical process control is an fication for use “as is” was inadequate, resulting in the replacement of effective means to identify out-of-family results. ­questionable hardware.

Readiness Review Team has since recom- for communicating lessons learned across assurance process. Although some of the mended that the contractor show proper programs, and the ability of team mem- specific processes differ, the objectives and traceability to the qualification baseline, bers to discuss and transfer experiences products of each team are highly valued by or perform additional qualification tests as has proved highly effective. However, the their sponsors. As the failures of the 1990s needed. merger presents a new challenge: Much recede further into the past and budgets Conclusion of the engineering and manufacturing for receive greater scrutiny, there is a danger the Delta and Atlas will be moving from that mission success may lose its emphasis. In 2006, Boeing and Lockheed Martin es- Huntington Beach, California, to ULA The results would be disastrous. Since 2001, tablished United Launch Alliance (ULA), headquarters in Denver, Colorado, for en- the NRO and SMC have experienced an a joint venture to produce the Atlas V, gineering, and to Decatur, Alabama, where unprecedented string of successful launches, Delta II, and Delta IV launch vehicles. This the launch vehicles are currently built and and this trend has been sustained through has allowed the Mission Assurance Team assembled. The logistics of these new ar- an unyielding commitment to mission suc- and the Independent Readiness Review rangements make the need for independent cess. The continued focus on operational Team to blend their Atlas and Delta review review all the more critical. safety, suitability, and effectiveness— functions, which had to be isolated when The Independent Readiness Review including the use of independent teams to the two contractors were competitors. These Team and Mission Assurance Team have minimize risk—must not be marginalized unified teams have even stronger processes become accepted members of the mission or eliminated.

Crosslink Fall 2007 • 9 A Mission Assurance Toolbox

Aerospace has developed a suite of specialized tools that facilitate technical analysis and program assessment in support of mission success.

Jim Roberts, Bruce Simpson, and Sergio Guarro

s anyone who has undertaken a home remodeling independent analytical tools and independently acquired project knows, the proper tools can make the dif- telemetry data to generate useful feedback and monitor per- ference between finishing in a timely manner, with formance trends. aA product that will be a source of pride, or having to make The activities encompassed by this process are defined by repeated trips to the store for additional tools and materials. approximately 2000 specific tasks. Aerospace codified this Aerospace is entrusted to provide objective assessments of task list in 2001, identifying completion criteria, categorizing national security space programs and recommendations for the rigor with which a task would be executed (from basic addressing potential problems. Through the years, Aerospace monitoring through full independent analysis), and estab- has developed tools to support this effort. Some have proved lishing execution priority (based on mission criticality). useful for specific problems, while others could be adapted These tasks were initially presented in a spreadsheet, re- to a wide range of issues and have survived the test of time ferred to as the Launch Verification Matrix. As the value of and repeated use. The more functional tools have been con- this matrix was recognized and the number of missions grew, tinually improved and adapted to serve more people and a more engineers needed access to record their launch verifica- greater variety of tasks. tion information. So, the matrix moved to a database, which To support the broader goal of mission assurance, these was subsequently made available to approved users via a Web tools must be flexible, easy to use, adaptable to a diverse set server maintained by the SMC Launch and Range Systems of customer requirements, and capable of being tailored to Wing. the needs of a specific program. They must also have the The database contains the verification tasks, their com- capacity to store, organize, and present data in a format that pletion criteria, the rigor with which the task is executed, easily facilitates comprehensive and reliable analysis and the completion date, the responsible engineer’s evidence of evaluation. completion, and other tracking information. Responsibility The following is by no means a comprehensive list of tools for each task is assigned to two people, an Air Force engineer available to Aerospace personnel, but represents some of the and an Aerospace or SETA engineer, who work together more frequently used tools. throughout the mission to complete the task, recording sta- Launch Verification Matrix tus information, issues, and completion rationale. A mission’s launch verification tasks are selected from the The Aerospace launch verification process independently general task list based on the launch vehicle configuration, determines launch system flight readiness. It is a capability mission requirements, and first-flight items. The task set is unique to Aerospace that has been employed for more than reviewed by the responsible engineers, their management, 40 years. This process extends from concept and require- and the vehicle chief systems engineer for appropriate- ments definition through flight operations; it entails the de- ness to the mission. Upon concurrence by the Launch and tailed scrutiny of hundreds, if not thousands, of components, Range Systems Wing program manager and chief engineer, procedures, and test reports; it draws upon independently the cognizant Aerospace principal director, and (for NRO derived system and subsystem models to objectively validate missions) the Office of Space Launch mission manager, contractor data; it provides timely review through firsthand the matrix is presented to the Launch and Range Systems involvement in all aspects of the launch campaign; and Wing Configuration Control Board for approval. Frequently, it concludes with a thorough postflight assessment­using changes during the launch campaign dictate changes to the launch verification plan. When changes that could affect the program occur (such Mission as changes to the Aerospace staff bud- planning, Planning verification, and get, launch schedule, or launch verifica- and analysis management tion tasks), they are made to the Launch Verification Matrix with approval by the Software Configuration Control Board. This mission- verification and ­specific database is maintained throughout validation the postflight review and final mission report. Launch System design Manufacturing Hardware Countdown The user interface for the Launch Veri- and and readiness and launch verification fication Matrix provides several features qualification quality verification operations in addition to displaying task status to the responsible engineers. Among these are user Assembly, reports, facilities to track launch readiness test, and Postflight issues to be resolved before flight, hardware pre-flight analysis pedigree, parts/serial number database, and readiness several management reports and metrics as well as the necessary infrastructure facilities to set up and manage the mission databases. The functional flow diagram outlines the primary elements of the Aerospace independent launch-readiness verifica- Management reports of note include task tion process, as embodied in the Launch Verification Matrix. This comprehensive process extends from concept and requirements definition through flight operations and includes a postflight assessment. completion status, delinquencies, upcoming task deadlines, and graphical representa- tion of key management information. Most missions. It is currently in use to manage with additional task details and implements reports can be exported to a spreadsheet for upcoming Delta IV and Atlas V missions that support the task tailoring, execution, further manipulation. Additionally, data­ and to support legacy Delta II missions. and assessment needs of specific programs. bases from different missions are linked The Mission Assurance Guide (For more about the guide, see the compan- together for easy viewing of history on a ion article in this issue.) particular launch verification task. TheMission Assurance Guide was developed to provide basic mission assurance docu- Mission Assurance The spectrum of launch verification Verification Matrix activities is accomplished by a cadre of en- mentation and guidance and to reinforce gineers with expertise in a wide variety of the corporate system engineering and mis- The Mission Assurance Verification Matrix disciplines, including systems engineering, sion assurance functions and accountabili- (MAVM) is a database and software tool mission integration, structures and mechan- ties, aligning them with the SMC/NRO that defines, documents, and supports the ics, structural dynamics, guidance and con- systems engineering revitalization efforts. implementation of the guidance contained trol, power and electrical systems, avionics, The guide defines a baseline of six core mis- in the Mission Assurance Guide. It provides telemetry, safety, flight mechanics, environ- sion assurance processes and seven support a full definition of the mission assurance mental testing, computers, software, product disciplines in terms of executable functions. core process and support-discipline task assurance, propulsion, fluid mechanics, It identifies the major objectives, tasks, and structures and execution flows, organized aerodynamics, thermal engineering, ground techniques associated with these processes by program acquisition phase, hierarchi- systems, and facilities and operations. and disciplines, referring to Aerospace cal relationship, and WBS element. It also These engineers document in the Launch systems engineering and test engineering defines and documents each individual mis- Verification Matrix their efforts and issues handbooks as well as to current standards sion assurance task, providing specific in- through all phases of launch vehicle devel- for technical task guidance. Core processes formation that supports associated planning opment and operations. This information are: requirement analysis and validation; and execution activities—including the provides the basis for the launch readiness design assurance; manufacturing assurance; assessment of risk associated with planned verification letter that Aerospace delivers to integration, test and evaluation; operations and actual levels of task criticality and depth the Air Force before launch. readiness assurance; and mission assurance of execution. The Launch Verification Matrix has reviews and audits. The support disciplines The MAVM, like an early version of the become the cornerstone of launch vehicle are: risk management; reliability engineer- Launch Verification Matrix (upon which it mission assurance. It establishes the launch ing; configuration management; parts, ma- was modeled), is based on a Microsoft Ac- readiness verification plan for a mission; it terials, and processes management; quality cess database platform. It uses the relational provides a repository for the launch readi- assurance; systems safety assurance; and database features of Access to record and ness verification information during the software assurance. document more than 2000 mission assur- launch campaign; and it captures historical The guide is structured to allow the user ance tasks according to acquisition-phase documentation for future anomaly resolu- to develop a plan for applying these pro- sequence of execution, core-process and tion. It identifies that set of mission assur- cesses and disciplines in a flow of executable support-discipline structural hierarchy, and ance activities that cannot be compromised tasks applied against specific work break- association with specific WBS elements. and that must not be traded against cost, down structure (WBS) elements. TheMis - Its task documentation, editing, and assess- schedule, and performance. It has been a sion Assurance Guide is designed to be used ment features enable the execution of the key tool for Air Force and Aerospace launch in conjunction with the Mission Assurance entire cycle of mission assurance planning verification management on multiple EELV Verification Matrix, which provides users and ­execution that is defined and prescribed

Crosslink Fall 2007 • 11 The Mission Assurance Verification Matrix defines and documents the tasks set associated planning and execution activities—including the assessment of risk as- forth in the Mission Assurance Guide, providing specific information that supports sociated with planned and actual levels of task criticality and depth of execution. by the Mission Assurance Guide. More task and WBS structures also produces risk ­satisfied. Together with the information ­specifically, it facilitates the execution of the ratings for groups of tasks and entire WBS on task criticality, which can be further following key implementation steps by us- areas. The potential risk exposure rating per- updated to reflect the most recent program ers supporting mission assurance functions mits a rapid engineering evaluation of the developments, this is used to produce an in a specific space program: adequacy of resources assigned to validation assessment of the residual risk after task Mission assurance plan definition and and verification in all significant program execution. As with the earlier potential risk tailoring. This implementation step is sup- areas. It also enables, in relative terms, a rating, the residual risk rating for each task ported by the MAVM capability to edit judgment of the overall balance of the mis- can be rolled-up to produce residual risk (add, delete, copy, and move) mission assur- sion assurance plan. If inadequacies are ratings for groups of program WBS ele- ance tasks within the process and discipline identified in either sense, the plan-tailoring ments and entire program areas and can be structures defined in the guide. In this step can be revisited to achieve a better risk used to support decisions concerning pro- fashion, task groups can be tailored to meet exposure balance. gram and mission readiness and launch cer- specific program needs and constraints and Detailed mission assurance task defini- tification, including the question of whether can be associated with specific elements of tion, documentation, and tracking. Each additional assurance activities are warranted the program WBS. At completion, this tai- task record in the MAVM contains fields in any particular area. loring activity results in the definition of a for storing detailed information concerning A new implementation of the Mis- program-specific mission assurance plan. the task. This includes, but is not limited sion Assurance Verification Matrix, called Mission assurance plan risk assess- to, definitions, active links to reference and “iMAT,” is being developed. It will employ ment. This step produces an evaluation of guidance documents, identification of re- a Web-based tool and a more robust Oracle the overall adequacy of the mission assur- lated tasks and checklists, task closure/com- database. Early versions of this tool are ance plan in the form of a “plan risk as- pletion criteria, criticality and risk ratings, being piloted in an Aerospace program sessment.” To carry out the assessment, the accountable personnel, and planned and office, with plans to introduce the tool to user rates each task associated with a WBS actual schedule. The sum of this information two or more additional program offices in element in terms of its “criticality” (i.e., permits the full definition and tracking of 2008. The iMAT software currently in use importance, relative to other tasks) and in- the activities associated with the execution is in alpha-stage testing, with beta testing tended depth of execution (i.e., the amount of each individual task. scheduled to begin in early 2008. The goal of time and personnel assigned to it), which Mission assurance task execution is to produce a flexible and efficient tool— in turn generates a “potential risk exposure” assessment. The MAVM records task deployable and controllable at the corporate rating for the task. A risk roll-up algorithm completion information and the degree level—that Aerospace personnel can use that proceeds upwards in the hierarchical to which task closure criteria have been to effectively implement the principles

12 • Crosslink Fall 2007 and tenets of the Mission Assurance Guide, ad hoc queries and searches, without pre- programs. A copy of the bulletin is stored in ­providing program managers with informa- defined views, and to download the results the corporation’s electronic archives. tion and assessments that assist their deci- to a spreadsheet for further manipulation. Other Tools sions concerning any level of mission assur- Based on this feedback, the portal develop- ance in any phase of the acquisition process. ers created a new tool that will be tied in to In addition to the tools presented here, The Mission Assurance Portal the corporate Space Systems Engineering Aerospace has created numerous others Database and coordinated with the Space for a variety of programs. For example, the The Mission Assurance Framework, Guide, Launch Office. It allows users to quickly Spacelift Telemetry Acquisition and Re- and Verification Matrix all reside on an specify parameters of interest, generate a porting System (STARS) is used to record internal Web site known as the Mission variety of charts and graphs, and download real-time launch-vehicle telemetry for Assurance Portal. The site provides ready the results. postlaunch analysis; it’s been instrumental access to a diverse set of information and in achieving the current high rate of suc- data to support mission assurance efforts. The Aerospace Problem cessful defense program launches. The The tools enable Aerospace engineers and Notification Processes Continuous Aerospace Risk Management scientists to answer questions pertaining to In the early 1970s, Aerospace developed and Assessment (CARMA) tool enables specific missions. an internal problem notification process consistent implementation of risk manage- For example, the site contains the latest because information pertaining to noncon- ment and assessment processes across a approved versions of NRO and Air Force formance in parts, materials, and processes broad spectrum of programs; it is made up acquisition policies and supporting docu- was not being effectively disseminated to all of a database and associated analytical mod- mentation. The site also provides access to the programs that might potentially be af- ules that can be applied at the program level the approved lists of specifications and stan- fected. In addition, Aerospace realized that or within the context of specific mission dards for SMC, NRO, and MDA as well as the Government-Industry Data Exchange assurance activities. There’s also the Envi- a list of specs and standards compiled by the Program (GIDEP) for problem notification ronmental Test Thoroughness Assessment Aerospace Specs and Standards Commu- needed supplementing, primarily because tool, the Reliability Network Analysis tool, nity of Practice. A “lessons learned” section it suffered from long delays and could miss and the Satellite Orbital Analysis Program provides access to numerous Aerospace re- problems with suppliers that were not (SOAP). These and other tools are acces- views covering a wide range of topics. Simi- GIDEP members. sible via the corporation’s internal Web site, larly, the “best practices” area lists Aerospace The Aerospace process relies on three and most will ultimately be available via the technical reports, memoranda, and brief- types of documents to disseminate informa- Mission Assurance Portal. ings on topics ranging from acquisition tion pertaining to nonconformance of parts, Conclusion strategies to hardware and software testing. materials, and processes: problem advisories, There is also documentation on addressing product/process alerts, and experience- The ultimate goal is to enable all employees items in the Data Item Descriptions—the sharing bulletins. Problem advisories pro- to search for the data and information they government-issued documents that define vide early notification of nonconformance need to support their customers. The Mis- the data required of a contractor. A resource and contain preliminary information such sion Assurance Portal, in the future, will directory contains a list of functional area as a description of the nonconformance, the provide links to these and other tools iden- experts and a list of corporate databases. supplier identity, part number, and lot date tified by the corporation as beneficial to the In addition, the site contains a document code or other unique identifier to allow pro- goal of mission assurance. In addition, the search engine, a catalog of Aerospace grams to assess the impact on their hard- portal will provide links to corporate subject reports, and a repository of 45 technical ware. Product and process alerts formally matter experts—people recognized by the handbooks primarily produced by Aero- document an issue and contain additional corporation and their peers for their profes- space, the DOD, and NASA. information not found in problem adviso- sional expertise in their field. Aerospace is One of the goals of the Mission Assur- ries, such as the root cause of the noncon- committed to reducing the time and effort ance Portal is to facilitate the distribution of formance, recommendations to correct it, spent searching for information so that staff corporate mission assurance information to and recommendations to prevent its recur- members can devote more of their efforts to the relevant Aerospace user community. A rence. Experience-sharing bulletins are used analysis and problem ­resolution. great example of this is launch history data. to document and share lessons learned from As it is at most corporations, the work- There are numerous users of launch history the resolution of nonconformance ­issues. force at Aerospace is subject to regular and data throughout the company with varying To modernize the process and to support continual change. Employees retire or leave, objectives and needs. Although Aerospace the SMC/NRO alert systems, Aerospace and new employees replace them. Some maintains a validated launch history data created an internal Web site that allows any come with experience, others arrive fresh set in the Space Systems Engineering Data­ employee to create an alert bulletin. The out of school, eager to learn and make an base, many users maintain their own inde- document is automatically routed through impact. The goal of the corporate toolset pendent data sets or use public sources. the approval cycle. Once it is approved, a is to provide all these scientists and engi- The portal developers interviewed vari- link is sent to all programs via e-mail. The neers with a standardized methodology for ous stakeholders and determined the fea- site offers search capabilities for unique analyzing programs, answering technical tures and requirements that would assist identifying information, summarization questions, suggesting improvements, and them in completing their analysis on launch of alert bulletins for a time period, and resolving difficult problems. history. These interviews revealed a strong discussion threads for interaction between need for a tool that would provide graphical the originator, the Parts, Materials, and Acknowledgments charting and trending capabilities for high- Processes Department, and the affected The authors thank Art McClellan and Mark level analysis. Also, users wanted to run Goodman for their contributions to this article.

Crosslink Fall 2007 • 13 The Mission Assurance Guide: System Validation and Verification to Achieve Mission Success

Aerospace has codified a set of core processes and supporting disciplines to ensure successful development, deployment, and operation of space systems ranging in type and complexity.

Sergio Guarro

n the context of a major engineering endeavor such as An essential complement of the guide is the database the acquisition of a space system, mission assurance is of mission assurance tasks that it references. These tasks— that part of the systems engineering and integration grouped according to execution timelines, hierarchy, and activitiesI which, by means of a combination of design valida- functional organization—are selected and tracked using a tion and product verification, provides both the designer and software tool associated with the database. This combina- the user with a high degree of confidence in the successful tion of database and software is known as the Mission As- execution of the required system functions. surance Verification Matrix, and it constitutes the actual Consistent with this perspective, mission assurance is at implementational instrument of the Mission Assurance Guide. the core of the Aerospace charter and represents one of the In addition to facilitating task management and tailoring, primary technical functions that the corporation performs this matrix enables a number of other user functions—most for its national security space customers. Accordingly, Aero- notably, the various types of assessments defined in the guide space has prioritized a series of development initiatives to to gauge the quality of planning and execution of mission better document and facilitate the application of mission assurance activities by individual programs. assurance processes. One of these initiatives led to the recent Processes and Disciplines publication of the Mission Assurance Guide. The guide defines mission assurance in terms of a reference Principles and Organization set of core mission assurance processes, supporting mission TheMission Assurance Guide addresses mission assurance assurance disciplines, and associated tasks. This definition from a systems engineering perspective. It introduces the draws from a foundation of systems engineering principles fundamental principles and objectives, then further defines and from Aerospace experience in applying engineering best them in practical terms as a hierarchically organized set of practices to the procurement and launch-readiness certifica- standard processes and methodologies. These processes cover tion of space systems. This experience has established that a the complete life cycle of space, launch, and ground system judiciously combined application of the mission assurance programs, from concept to disposal, and are systematically processes and disciplines maximizes the likelihood that a interweaved in their application to achieve a repeatable and system will not only meet its basic, specified performance successful mission outcome. requirements, but also user expectations regarding safety, op- Mission assurance objectives complement key acquisi- erability, suitability, and supportability. tion tasks. For example, in the early conceptual phases of a Core Mission Assurance Processes program, the primary objective is to ensure that the archi- tecture and system requirements are aligned with user needs Core mission assurance processes identify and organize—in and expectations. A parallel and equally important goal is a standard systems engineering execution flow that naturally to lay the contractual groundwork for staffing, generation of lends itself to actual programmatic implementation—tasks ­design-relevant data, and open communications necessary that focus on the validation and verification of system ac- for successful program execution. As the program moves quisition activities. Because these activities are sequentially from design through fabrication to checkout and operation, linked in “waterfall” fashion, the bulk of the tasks associated the mission assurance focus moves accordingly to ensure that with each core process are typically concentrated in one or the integrity of the system design is maintained throughout. two specific acquisition phases, although the­entire process may span several phases of the ­acquisition that are part of these disci- life cycle. plines are selectively chosen The core processes can actually be ex- during tailoring to support ecuted through a combination of tasks and the execution of certain por- technical approaches that can vary in nature tions of core mission assur- and depth. A degree of flexibility is in fact ance processes. Tasks and necessary to accommodate the scope and practices from traditional constraints of each specific space program engineering disciplines—e.g., implementation. Such flexibility is achieved structural mechanics, fluid through a tailoring process, which is an dynamics, etc.—also may essential element in defining the program complement the core pro- mission assurance plan. In the course of this cesses. The aggregation of dis- process tailoring, the core processes also cipline elements into the core draw upon the mission assurance support- processes may be planned to ing disciplines, borrowing specific subsets of occur, from a task execution tasks as necessary to construct an efficient point of view, in any of the and effective mission assurance program. program life cycle phases, as The six core mission assurance processes required by the overall pro- defined by the guide are: requirements gram mission assurance plan. ­analysis and validation; design assurance; The Mission manufacturing assurance; integration, test- ing, and evaluation; operational readiness Assurance Plan assurance; and mission assurance reviews The core processes, support- and audits. The tasks contained within ing technical disciplines, and each of these processes are designed to associated tasks defined by cover, from a validation and verification the guide provide the frame- standpoint, the typical systems engineering work needed to formulate activities employed during the life cycle of a program-specific mission a typical space system, from inception to assurance plan to validate and The Aerospace Mission Assurance Guide, published in 2007. operation. verify the concept develop- Supporting Mission ment, design, manufacturing, in- structure” (WBS—essentially, the list of ev- Assurance Disciplines tegration, test, deployment, and operations erything needed to bring a system to its full of a space system. This reference framework operational capability). Supporting mission assurance disciplines covers all the system development and uti- provide the more technically oriented under­ lization activities defined in the acquisition Step 2: Mission Assurance pinning of mission assurance application directives of both the Department of De- Plan Risk Assessment and include engineering methodologies and fense (NSS-03-01) and the National Re- The extent and scope of the mission as- techniques that specifically address system connaissance Office (“Directive 7”). It must surance plan is practically defined once a design validation and product verification. be tailored to suit the needs of each specific comprehensive set of executable tasks has The support disciplines provide execu- program, and this tailoring process requires been selected for each of the core mission tion instructions that are broadly accepted a series of distinct steps. assurance processes. The guide provides an in the technical community, including rec- Step 1: Core Process Tailoring instrument to evaluate the overall adequacy ommended or mandated tools, techniques, by Acquisition Phase of the plan in the form of a “plan risk as- models, and standards. Each individual sessment.” This is based on the risk rating of discipline involves a comprehensive and The full set of executable core mission as- each task associated with a WBS element, coordinated flow of execution tasks that surance process tasks must be tailored to deduced from the task’s relative importance typically span the entire life cycle of a space reflect the objectives, risks, and constraints and intended depth of execution (i.e., the program. Any single program, however, of each individual space program. The amount of time and personnel assigned to usually selects a reduced subset of the entire tailoring produces a phase-dependent it), and on a risk roll-up algorithm that pro- body of tasks within a discipline. This selec- organization of tasks, which also reflects ceeds upwards in the hierarchical task and tion is a key part of the program-specific the acquisition phase that the program is WBS structures, producing risk ratings for tailoring conducted at program onset, entering (i.e., concept study, concept de- groups of tasks and/or entire WBS areas. which takes into account, on the one hand, velopment, preliminary design, complete The significance of the risk rating is that it program risk priorities, and on the other, design, fabrication and integration, fielding permits a rapid engineering evaluation of practical budget and resource constraints. and checkout, and disposal). This tailoring the adequacy of resources assigned to vali- The seven supporting mission assurance essentially involves the identification of dation and verification in all significant pro- disciplines addressed by the guide are: risk core process tasks to be executed and the gram areas. It also enables, in relative terms, assessment and management; reliability selection of support discipline tasks to aug- a judgment of the overall balance of the engineering; configuration management; ment and complement them. Normally, the associated mission assurance plan. If inad- parts, materials and processes engineering; tailoring will also tie individual mission as- equacies are identified in either sense, then quality assurance; systems safety assurance; surance tasks, or groups of tasks, to existing the process-tailoring step can be revisited to and software assurance. Tasks and practices elements of the program “work breakdown achieve a better risk rating and balance.

Crosslink Fall 2007 • 15 Core Mission Assurance Processes The Mission Assurance Guide recognizes six core mission assurance and as part of the finished system. Most hardware integration tasks are processes executed through a combination of tasks and technical ap- formally planned and performed by contractor personnel; but the pro- proaches that can be adjusted in focus and intensity to reflect program gram office must ensure that the appropriate testing is properly planned, needs and constraints. performed, witnessed, documented, and confirmed. Testing specialists must evaluate the formal test program and provide guidance based on Requirements analysis and validation entails the rigorous re- best practices, standards, and lessons learned. They must periodically view of formally specified user requirements and their consistency with assess the overall test program as well as specific test results and the formally or informally stated user needs and expectations. It begins by in- resolution of test failures. Informal tests can also be conducted to clarify dependently tracing requirements to top-level documents such as the ca- design decisions or to investigate problems discovered during formal pabilities description and concepts of operations. The resulting allocated testing. Contractor-provided evidence of compliance to specifications system requirements are reviewed to ensure they are valid and can be must be closely scrutinized. A careful review should identify issues with verified using the methods selected. Models and simulations of expected the proposed test, integration, and verification plans, explore alternatives system performance are generated to verify mission effectiveness, and to testing, and evaluate the risk of deviating from applicable standards performance attributes are quantified and compared with baseline tests. or best practices. Testing specialists must confirm that the test regimen is Models and simulations are validated by examining their development realistic and that the requirements can be objectively verified. requirements, design and architecture, assumptions and constraints, input data, the operating characteristics of the targeted system, comparison Operational readiness encompasses all activities required to trans- benchmarks, and the correlation to actual or predicted performance. port, receive, accept, store, handle, deploy, configure, field-test, and op- Cost and schedule may also be independently evaluated to ensure erate launch and space vehicles and supporting ground systems. Major that realistic targets are being used and that adequate reserves exist to milestones include review of factory acceptance testing, preshipment handle unforeseen problems. It is also important to verify that adequate reviews, commencement of launch base operations, system activation, staff, schedule, and funds are allocated to mission assurance. preflight review of flight operations, postlaunch analysis, and commence- ment of on-orbit operations. Mission assurance here includes verification Design assurance is a set of planning, analysis, and inspection activi- that operational procedures are consistent with overall system integrity ties to assess whether the evolving designs can produce a system that and safety goals and validation that these procedures will achieve the will perform as intended over all operating conditions and throughout its desired results. Specific efforts include tasks that assess the feasibility design life. Design assurance has several main objectives. The first is to of operational requirements, design adequacy relative to operational verify traceability and compliance of proposed design elements to the needs, site activation planning and execution, personnel proficiency, requirements baseline and user needs. Next, space, launch, and ground and operations. Initial planning must ensure that infrastructure require- segment designs are examined for accuracy and completeness. Design ments are clearly identified, including certification of training devices, audits search for common problems or potential ones introduced by rehearsal tools, and simulators. For ground systems, site activation and new technologies, and independent analyses validate the broad range transition plans must accommodate lengthy installation, checkout, and of relevant design parameters such as dynamic loads and clearances, testing cycles. As the operational procedures are defined, the opera- structural margins, thermal protection, link margins, power margins, and tional readiness plan should identify the verification points that will even- control stability. Production feasibility must also be verified. The produc- tually support the flightworthiness certification. ibility review ensures that what is produced is a valid interpretation of the design and manufacturing drawings and that the product can be reliably Mission assurance reviews and audits are the most visible manifesta- reproduced and integrated with the system. Design assurance also veri- tion of independent technical analysis. They facilitate understanding of fies that the finished system can be tested and maintained. the interfaces and composite performance of a system while synchro- nizing government and contractor expectations. There are three types: Manufacturing assurance seeks to ensure that the planned manu- technical reviews, audits, and readiness reviews. Technical reviews inves- facturing processes are repeatable and reliable and can produce the tigate the status and performance of units, subsystems, and systems to system as designed. Manufacturing assessment actually begins in the uncover potential problems and recommend steps to resolve them. These concept design phase, when the manufacturing plan and process map include the production capability review, integrated baseline reviews, should be generated to help understand and optimize the production system requirements reviews, system design reviews, preliminary design workflow. Similarly, early producibility assessments help ensure that review, critical design review, test readiness review, formal qualification the most appropriate manufacturing techniques will be applied. Manu- review, production readiness reviews, system verification reviews, and facturing processes must be qualified to instill confidence that design hardware reviews. Audits are independent inspections of each con- changes can be accommodated without adverse effect. They must also figuration item or process to ensure that functional characteristics and be monitored and controlled to ensure that the produced hardware physical attributes comply with relevant specifications, standards, and matches appropriate qualified units. Periodic analyses are conducted of concepts of operations. These include functional configuration audits, manufacturing methods, processes, techniques, equipment, and materi- physical configuration audits, preliminary design audits, and critical de- als. Advances in manufacturing technology are reviewed to encourage sign audits. Readiness reviews serve as formal checkpoints to approve the use of the latest and most efficient manufacturing technology. transition to operational status. These include independent readiness Integration, testing, and evaluation is a broad process intended reviews, mission readiness reviews, preshipment reviews, flight readiness to verify that assembled components meet requirements individually reviews, launch readiness reviews, and postflight reviews.

16 • Crosslink Fall 2007 Timeline distribution of core mis- sion assurance processes with NSS-03-01 Acquisition Phases respect to program acquisition Phase 0 Phase A Phase B Phase C Phase D phases identified in NSS-03-01. Pre-KDP A Concept Preliminary Complete D1 Fabrication D2 Fielding D3 Operations The bulk of the tasks associated concept development design design and integration and checkout and disposal studies with each core process are typi- cally concentrated in one or two Mission Assurance Execution specific acquisition phases, al- though the entire process may Core Mission Assurance span several phases of the acquisi- processes tion life cycle. Requirements analysis and validation

Design assurance

Manufacturing assurance

Test and integration verfication

Operations assurance

Mission Assurance Reviews and Audits

Insertion of support discipline task sets into core process execution NSS-03-01 Acquisition Phases flow. Each individual discipline Phase 0 Phase A Phase B Phase C Phase D involves a comprehensive set of Pre-KDP A Concept Preliminary Complete D1 Fabrication D2 Fielding D3 Operations concept development design design and integration and checkout and disposal execution tasks that typically span studies the entire life cycle of a space pro- gram. A given program, however, Mission Assurance Execution will generally select a reduced subset of these tasks. Core Mission Assurance processes Ta ilored Mission Assurance discipline tasks inserted into core Mission Assurance processes

Supporting Mission Assurance Risk assessmentessme andd managementmana disciplines Reliabilityy engineerengin ing Configurationation mmanagementement Parts, materials and processesproces Quality assurance Systems safety Software assurance

Step 3: Mission Assurance Task ­execution timelines (e.g., actual versus areas. The residual risk information can be Reference Documentation planned start and completion dates) and used as part of the overall program readi- After the mission assurance plan has been the degree to which the task closure criteria ness and launch certification process to help defined in terms of core processes and have been met. The number and type of determine whether the level of risk in any tasks, then the task instructions, planned criteria—e.g., successful completion of tests, particular area is acceptable, or whether ad- timelines, and reference documentation can independent analyses, reviews, etc.—is task- ditional assurance activities are warranted. be also defined. The associated activities dependent and is documented in the Mis- The residual risk assessment following plan are supported by the Mission Assurance sion Assurance Verification Matrix. execution completes the sequence of mis- Verification Matrix, which also records the Step 5: Mission Assurance Task sion assurance activities recommended by relative information in its task database, in- Execution Assessment the guide and directly supported by the cluding active links to supporting technical Mission Assurance Verification Matrix. instructions, specifications, and standards. The information recorded in the Mission Assurance Verification Matrix concerning Conclusion Step 4: Mission Assurance Task task closure criteria and their satisfaction The implementation of mission assurance Execution Tracking in actual execution enables an assessment cannot succeed without a solid founda- Progress in implementing the mission as- of residual risk. As in Step 2, the residual tion of baseline activities executed by space surance plan is measured in terms of two risk rating for each task can be propagated program contractors and suppliers. Beyond parameters associated with the execution upward through the task hierarchy to pro- that, however, mission assurance requires of each task—namely, the variance of task duce residual risk ratings for entire program detailed technical insight into each program

Crosslink Fall 2007 • 17 Supporting Mission Assurance Disciplines The six core mission assurance processes identified in the Mission Assur- that adequate PMP controls and procedures have been developed ance Guide are supported by seven mission assurance disciplines. These and applied across the program. In the implementation phase, it must provide the more technically oriented underpinning of mission assurance be ensured that these controls and procedures are rigorously followed application and include engineering methodologies specifically geared and that the program has indeed acquired robust components. PMP toward system design validation and product verification. engineers must work closely with design engineers to prevent selection of parts and materials that are not readily available at the quality and reli- Risk management is a structured approach to identifying and evalu- ability levels required. The PMP lists should be independently reviewed ating risk and risk-control measures and communicating mission threats with respect to past performance of similar items. Past performance of to program stakeholders. It requires a vigilant focus on technical perfor- selected suppliers should also be independently examined. mance and should be executed and reported independently. It provides an overarching framework under which mission risk issues can be Quality assurance is the engineering and management discipline evaluated and handled. Risk management moves typically through four intended to ensure that a product meets the specified performance pa- stages. The first, risk planning, consists of the up-front activities needed to rameters. A well defined and properly implemented quality assurance execute a successful risk management program; it is a vital part of nor- program instills confidence that all quality requirements have been met mal planning and management. The second, risk assessment, includes through control of operations, processes, procedures, testing, and inspec- the identification of critical events and conditions and an analysis of their tion. A wide range of skills and expertise is required to support these likelihood, consequences, and time frame. Third, risk handling is the pro- activities. These include a thorough familiarity with applicable standards cess that identifies, evaluates, selects, and implements actions to reduce for various types of parts, materials, and processes and their associated risk to acceptable levels. Lastly, risk monitoring involves tracking the prog- testing methods. A thorough comprehension of the underlying technolo- ress of risk handling actions and making adjustments as needed. gies is also required to ensure that selected parts or materials will meet performance needs and that manufacturing processes are qualified and Reliability engineering encompasses a set of analytical activities reliable. Because of the diversity of expertise involved, a team of techni- that cover the entire system life cycle. In the early program phases, it in- cal specialists is normally required. cludes the development and validation of probabilistic system reliability requirements and design trade-off studies. During design development System safety assurance applies engineering and management and production, it assists with the determination of component failure principles and techniques to control system hazards within the constraints rates and development of probabilistic reliability models, analysis of of operational effectiveness, schedule, and cost. Safety is a fundamental failure modes and effects, identification and control of critical items, ap- system requirement. The preferred method to handle safety risks is to plication of worst-case and parts-stress analyses, and analysis of acceler- eliminate hazards by design. If this is not possible, the risk of mishaps ated life test data. Particularly critical is the assessment of failures during should be reduced via safety features or protective devices. These in- integration and testing and the implementation of measures to prevent clude detection and warning systems to alert personnel of hazards and failure recurrence. Early planning of a solid reliability assurance process special training to counter hazardous conditions. A system safety man- will contribute to a robust system design and minimize the chances of agement process provides effective implementation of safety and occu- late and costly detection of problems. pational health policies. To ensure that hazards are identified, all areas of design, development, manufacturing, integration, test, operation, and Configuration management seeks to control the technical hard- maintenance must be subjected to a systematic hazard analysis and ware and software baselines of a program—the requirements, specifi- risk assessment. Identifying different risk mitigations and their expected cations, designs, interfaces, data, and supporting documentation. The effectiveness is part of this risk management process. goal is to ensure that the functional, allocated, developmental, test, and product baselines are consistent, accurate, and repeatable and that any Software assurance seeks to ensure that system software will changes to those baselines will be recorded and will maintain the same meet performance requirements and user expectations and will be accuracy, consistency, and repeatability. Configuration management dependable, maintainable, and applicable to the user’s operational must begin in the conceptual phase and cover contract and program environment. It entails verifying that the software architecture can ac- documentation. During the design phases, the focus is on ensuring that commodate future change and growth. Large software projects are usu- baselines are properly established and that configuration management ally developed in asynchronous, concurrent streams. At any time, these is maintained at all levels during all design reviews, with well defined streams will be in different states and may need synchronization. Thus, hardware and software configured items and change-control boards. software assurance includes analysis in acquisition planning to consider These baselines must be updated to reflect design and part changes the phasing of software tasks. A software assurance plan should define resulting from failures observed during tests. tasks and roles such as requirements development, systems engineering planning, support for integration of requirements flow-down, analysis of Parts, materials, and processes (PMP) engineering seeks to performance and design alternatives, analysis of subsystem and system provide a standardized set of qualified components from which to build design and integration, investigation of design trades, cross-systems inte- a reliable product at a reasonable cost and risk. The mission assurance gration between programs, lessons learned, technology commonality, aspect starts with independently verifying that proposed contractual evaluation of systems interfaces, and other functions focusing on system PMP requirements are consistent with the overall program priority and integrity and reliability. risk management approaches. In the planning phase, it must be verified

18 • Crosslink Fall 2007 The risk roll-up view in the Mission As- surance Verification Matrix for a spe- cific WBS area of a space program. The risk roll-up produces risk ratings for groups of tasks or entire WBS areas.

Risk-rating information synthesis for a Mission Assurance Verification Matrix task or group of tasks. The risk rating permits a rapid engineering evalu- ation of the adequacy of resources assigned to validation and verification in all significant program areas. It also helps in judging the overall balance of the associated mission assurance plan.

by a truly independent organization to Besides the definition of reference base reorganizes—and this creates a chal- measure the effectiveness and outcome of processes and disciplines, successful pro- lenge for critical program management; core processes and tasks. Through the dis- grammatic implementation of mission but it also underscores the importance of ciplined application of mission assurance assurance relies on the application of risk comprehensive and consistent mission as- practices, Aerospace has contributed to the criteria to tailor processes and tasks onto surance support. current string of successful launches and a specific program based on resource and Acknowledgments their associated missions on orbit. schedule constraints and system priorities. As practiced by Aerospace, mission as- Thus, the breadth and depth of mission The author thanks Rich Haas for his support surance comprises a set of management assurance processes for a given program in developing the Mission Assurance Guide as and engineering activities organized into will depend on several factors, including well as those who contributed chapters: George two complementary classes—core pro- budget, schedule, technology maturity, Cuevas, Ron Duphily, Jim Gebhard, James Gin, cesses and supporting disciplines—for purpose, and mission criticality. Dan Hanifen, Paul Hesse, Leslie Holloway, which the Mission Assurance Guide pro- As programs transition to their opera- Andrew Hsu, Rick Maynard, Art McClellan, vides a formal definition and codification. tional phase or achieve legacy status, atten- Steve Robertson, Gary Shultz, Mark Simpson, Dana Speece, Joe Statsinger, Lou Tolentino, In essence, the guide provides the means tion shifts to those programs that are still Bill Tosney, Linda Vandergriff, Julie White, and for making mission assurance practices in the formative and production stages; Howard Wishner. more accessible and repeatable across all but mission assurance continues for the the space programs that the company life of the program. Technologies advance, supports. acquisition policies change, the industrial

Crosslink Fall 2007 • 19 Learning from Other People’s Mistakes

Most satellite mishaps stem from engineering mistakes. To prevent the same errors from being repeated, Aerospace has compiled lessons that the space community should heed.

Paul Cheng and Patrick Smith

he computer onboard the Clementine spacecraft froze immediately after a thruster was commanded to fire. A “watchdog” algorithm designed to stop “It’s always the simple stuff the thrusters from excessive firing could not execute, and TClementine’s fuel ran out. The mission was lost. Based on that kills you…. With all the this incident, engineers working on the Near Earth Asteroid Rendezvous (NEAR) program learned a key lesson: the testing systems, everything watchdog function should be hard-wired in case of a com- puter shutdown. As it happened, NEAR suffered a similar computer crash during which its thrusters fired thousands looked good.” of times, but each firing was instantly cut off by the still- —James Cantrell, main engineer operative watchdog timer. NEAR survived. As this example illustrates, insights from past anoma- for the joint U.S.-Russian Skipper lies are of considerable value to design engineers and other mission, which failed because program stakeholders. Information from failures (and near its solar panels were connected failures) can influence important design decisions and pre- vent the same mistakes from being made over and over. backward (Associated Press, 1996) Contrary to popular belief, satellites seldom fail because of poor workmanship or defective parts. Instead, most failures are caused by simple engineering errors, such as an over- looked requirement, a unit mix-up, or even a typo in a docu- ment. Such blunders are often too subtle to be caught during other factors that may warrant correction. These notes are all routine verification and review because flight items can only collected in a comprehensive database, which now archives be checked against known requirements. But by understand- more than 20,000 launch vehicle and satellite anomalies that ing the types of errors that can occur, mission planners can occurred in the factory, at the launch site, during flight, and adjust their review processes to more effectively screen them in operation. out. For example, all off-nominal telemetry readings from The Engineering Database a launch are logged into the database. A technical expert is assigned to explain each anomaly and why it occurred. As part of its overall mission assurance role, Aerospace in- Every investigation is tracked by the program office as part vestigates anomalies on national security space missions and of Aerospace’s flight-readiness verification responsibilities. uses this information to help program managers improve Fault-management lessons, reliability impacts, and suggested their systems and processes. Throughout the development, corrective actions are documented. launch, and deployment of defense space systems, engineers This rigorous postflight analysis was largely prompted by at Aerospace analyze all anomaly reports to identify engi- the failure in 1999 of a Defense Support Program launch neering errors, workmanship escapes, model deficiencies, (DSP-19). The transfer vehicle for this mission, the Inertial test inadequacies, defective parts, hostile environments, and Upper Stage (IUS), used thermal tape on the connector plug housing. The thermal tape was supposed to be wrapped with enough clearance to let the harness disengage. The assembly instruc- tions stated that the tape shall be applied “within 0.5 inches of the mounting bracket flange” (instead of, for example, “no closer than 0.5 inches and no farther than 1.0 inch”). Unaware that the parts had to unfas- ten, and thinking that they should wrap the tapes as tightly as possible, the technicians applied the tapes so close to the flange that the separator jammed, preventing stage sep- aration. Afterwards, engineers reviewing the telemetry from previous IUS flights realized that the connector had jammed every time. In fact, seven of the previous flights dodged failure only because the taped connectors were jerked apart when they hit the allow- able stops. Unfortunately, the warning signs in the telemetry data were not heeded. Gleaning Lessons from Failures

To disseminate information like this in a US Air Force format that is readily absorbed, Aerospace The Genesis capsule, embedded in the sands of Utah after its parachute system failed to deploy in September began publishing a series of “Space Systems 2004. The Mishap Investigation Board said the likely cause was a design error involving the orientation of Engineering Lessons Learned” bulletins. To gravity-switch devices. date, more than 120 of these papers have been produced. Each tells a failure story, dissipation; one look at the hardware would verified, but not the direction. Once in orbit, spotlighting three questions: How did the have made it obvious. Another asks, “Have the battery drained, scuttling the mission. mistake occur? What prevented its detec- designs been analytically established before More recently, the Genesis spacecraft tion? Why did it bring down the entire testing?” This is prompted by an incident in crashed. Genesis brought back solar-wind system? which the spacecraft tumbled after deploy- samples. During reentry, aerodynamic The reports also spell out the specific ment. The magnetic torque rods were set deceleration was supposed to cause a para- practices that could have prevented the during test instead of being determined by chute to unfold. Genesis’s avionics design mishap. For example, one lesson traced an analysis. Because the test engineer did not was derived from an earlier mission, Star- instrument’s power-supply malfunction in realize the Earth’s magnetic North pole is in dust, but was too complex to fit into Star- space. The problem was not caught on the Antarctica, he set the phasing wrong. dust’s one-box package. Genesis designers ground because the test set supplied backup Five Common Mistakes cut and pasted Stardust’s schematic into power, and would have been avoided if the a new two-box design. The Stardust unit test equipment provided metering to show to Look Out For had been spin tested, but the two boxes in the unit was unexpectedly drawing cur- The most common mistakes are gathered Genesis were difficult to spin together. So, rent from it. In another case, a payload was in an Aerospace report, “Five Common believing that the design was flight proven, damaged during thermal vacuum testing Mistakes Reviewers Should Look Out For.” Genesis engineers simply verified the new because the test cable, which was not space- This document, available to U.S. govern- assembly “by inspection.” Unfortunately, qualified, induced multipaction breakdown. ment agencies and contractors, includes the nobody knew that a pair of deceleration Obviously, tools used in simulated space “100 Questions” and all the lesson bulletins sensors were direction-sensitive—even the environments must be space-rated. published through June 2007. Stardust drawings did not flag any polar- To help reviewers increase the odds of This report recommends that reviewers ity constraint. The sensors were by chance finding mistakes, Aerospace also parsed first ponder, “Could the sign be wrong?” turned sideways in the new layout, and as a through the lessons-learned bulletins to Sign errors involving orientation and phas- result, the parachute could not open. generate a reviewer’s checklist titled, “100 ing (polarity) of equipment have caused nu- The second major questions is, “How Questions for Technical Review.” Reviewers merous failures. For example, the TERRI- will last-minute configuration changes be will more than earn their pay if just one of ERS spacecraft was lost because one of its verified?” Satellites are frequently modified these items gets the response: “You know, torque coils had to be installed with a phase after factory testing. Placeholder blankets we hadn’t thought about that—we’d better opposite of that of the other two coils—but need to be swapped out, flight connectors check it!” the change was not incorporated into flight mated, and databases updated. Some items, For example, one review question asks, software. Likewise, a design mistake caused such as brackets to secure hardware during “Has the analyst inspected the actual the solar panels on the Skipper spacecraft ascent, have to be installed at the launch hardware?” This question derives from an to be connected backward. During system site. Nonflight items such as test plugs and incident where a satellite failed because integration, the magnitude of current flow dust covers must be removed. Late changes, the solar-array thermal model did not ac- between the solar array and battery was especially those made in the heat of a count for the harnesses that prevent heat countdown, have caused several failures, in

Crosslink Fall 2007 • 21 U.S. Government Satellite and Launch Vehicle Failures from 1990 to 2006

These charts show U.S. Government satellite (below) and launch vehicle (facing page) failures from 1990 to 2006. In contrast to common beliefs, mishaps are seldom due “Space is unforgiving; thousands of good to poor workmanship, defective parts, or environmental factors. Notice that engineering mistakes—such as a typo ­decisions can be undone by a single engineer- (Contour), an overlooked requirement (MPL), and a unit mix-up (MCO)—caused the majority of failures. These ing flaw or workmanship error, and these embarrassing snafus are often so subtle that they are not flaws and errors can result in catastrophe.” caught during verification and review. — Defense Science Board, 2003

Launch Engineering Technology Date Program Cause Mistake Surprise 04/90 Hubble Flawed manufacturing equipment misshaped the mirror. Quality assurance relied on x the same equipment and could not perceive the mistake, even though independent checks indicated a defect.

07/92 TSS-1 Tether deployment mechanism was jammed by a bolt added at the launch site. x

09/92 Mars Corroded braze jammed a regulator, causing a breach of the propulsion line. The x x Observer regulator was not qualified for a long mission.

08/93 NOAA 13 The battery charger was shorted by a long screw. The unit had low dimensional toler- x ance and experienced thermal stress outside its qualification envelope.

10/93 Landsat F Pyrovalve exploded because of an unpredictable mechanism. x

01/94 Clementine Computer froze, disabling the fault management software. Patches were prepared but x x not uploaded.

05/94 MSTI 2 Cause unknown, attributed to impact by micrometeoroid or debris, or charging. x

12/95 Skipper Solar array was miswired. Test did not ascertain current direction. x

02/96 TSS-1R Contamination in the tether caused arcing. x

08/97 Lewis Satellite lost orientation. The stability simulation was performed for the wrong orbit, x the attitude control was improper, and the satellite was not monitored.

10/97 STEP-4 Satellite/launcher resonance caused vibration damage. The resonance was known but x not addressed.

10/98 STEX Solar array failed—analysis was run on wrong configuration. x

12/98 MCO Burned up because of unit mix-up in the navigation software. x

01/99 MPL Requirement flowdown omission resulted in premature shutdown of descent engine. x

03/99 WIRE Unexpected start-up transient fired pyros, causing the loss of all cryogen. The inhibit x x circuit design was flawed, and inappropriate test configuration masked the chip’s misbehavior.

08/01 Simplesat Transmitter suffered arcing in vacuum. x

11/01 Genesis Parachute could not deploy because of deceleration sensor misorientation brought x about by a layout change.

07/02 Contour Spacecraft broke up upon firing of an embedded solid motor. The plume analysis used x to qualify the design by similarity relied on an AIAA paper that had a critical typo.

04/05 DART Spacecraft failed to rendezvous with its target satellite because of a combination of x x GPS software bug and flawed navigation design.

22 • Crosslink Fall 2007 Launch Engineering Technology Date Program Cause Mistake Surprise 03/90 Titan III Satellite could not be deployed because the pyro separation harness routed firing com- x mands to ports different from those specified by software.

04/91 Atlas I Air was sucked through a defective checkvalve during ascent and froze in a turbo­ x x pump, preventing a Centaur engine from starting. Air was able to get in because of design changes that were not accompanied by reanalysis.

07/91 Pegasus The shaped-charge detonation system caused an incomplete cut, thwarting stage x separation.

08/92 Atlas I Same as 04/91 Centaur failure. x x

03/93 Atlas I A set screw in the throttle setting regulator came loose in flight because rework in- x structions neglected to require retorquing and verification.

08/93 Titan IV A propellant cut made during a repair opened in flight, instead of staying closed by x internal pressure as expected, exposing the insulation to flame.

06/94 Pegasus XL Vehicle lost control because of unexpected aerodynamic load. The control loop design x x used improper variance analysis.

06/95 Pegasus XL Second-stage nozzle could not gimbal because of an incorrectly installed foam skid. x Operator concerns regarding foam skid orientation were ignored because there was no specific orientation requirement.

08/95 Delta II Wind shear caused a large deflection, damaging the explosive transfer line and pre- x venting one of the strap-on motors from separating.

08/95 Athena I Thruster-vector-actuation hydraulic oil dumped overboard was ignited by the rocket’s x x plume, damaging a control cable. The failure mode occurred on a similar European rocket earlier. Also, high-voltage power supply, qualified only for aviation applications, suffered arcing at high altitude.

10/95 Conestoga Low-frequency noise of the vehicle was not filtered out, causing the vehicle to exces- x sively actuate the vector thruster control, eventually exhausting hydraulic oil.

11/96 Pegasus XL Payload did not separate, probably because of shock damage to a battery or switch. x

01/97 Delta II The motor case of a solid strap-on was damaged before launch and split in flight. x

08/98 Titan IV Wire insulation damage on the power supply caused intermittent short of the com- x puter. Upon power-on reset, the avionics system improperly commanded the vehicle, resulting in self-destruction.

08/98 Delta III A roll mode was not accounted for in the control system, resulting in loss of control. x

04/99 Titan IV Upper stages could not separate because vague assembly instructions misled techni- x cians into wrapping insulating tapes too tightly. Problems repeatedly occurred on previous flights.

04/99 Athena II Nose cone failed to separate—the operation of one set of pyros pulled open the con- x x nectors for the second set. The tolerance buildup problem was manifested in an earlier flight but was not addressed.

04/99 Titan IV A roll filter manually entered in the transfer vehicle’s avionics database had an expo- x nent error (effectively misplaced a decimal point) which caused control loss.

05/99 Delta III A defective brazing in the combustion chamber was noticed during inspection x but was allowed to pass because of ambiguous drawing instructions. The chamber breached in flight.

09/01 Taurus An attitude-control valve was jammed shut by debris. The problem had occurred sev- x eral times previously but was deemed acceptable because the valves had always fortu- itously stuck in nonfatal positions.

12/04 Delta IV The first stage shut down too early because cavitation spoofed the sensors into react- x Heavy ing to phantom fuel depletion.

03/06 Falcon A fuel leak, attributed to a corroded B-nut, started a fire. x

Crosslink Fall 2007 • 23 Taking Heed of Lessons Ben Franklin wrote, “Experience keeps a dear school, but fools will learn in no other.” In the space business, the cost of experi- ence is very high indeed. But learning is hampered by a widespread reluctance to share failure information. Consider a 1993 incident with the Orion rocket: Someone forgot to install a critical voltage-clamp component into the test meter used to check the solid motor’s firing circuit. The full test voltage ignited the rocket, killing a technician. Only after this accident was made public did two other facilities reveal Courtesy of NASA that the same meter had inadvertently set Pure tin plating can grow conductive whiskers. ­Numerous satellites have been disabled because whiskers off their rockets, too! inside the control processors caused plasma arcing that blew the fuses. Engineers also neglect to research les- sons. The WIRE mission failed because of part because late installations and removals failures. Fuses, circuit breakers, and other a start-up quirk in a logic controller, which can be difficult to verify. devices are intended to protect upstream had been previously described in NASA’s An eleventh-hour analysis of the Teth- components, but careful design is required “Application Notes.” Similarly, a Maxus ered Satellite System (TSS) uncovered to prevent the safety devices from mis- rocket crashed because drained hydraulic a structural shortfall in the deployment behaving. Plasma arcing most frequently fluid started a fire that burned through a mechanism, making it necessary to add a results from pure tin plating that grows guidance cable. This debacle prompted sev- bolt. The original design engineer, thou- conductive filaments (commonly known eral programs to redesign fluid drains or add sands of miles away, could not see firsthand as “whiskers”). Numerous satellites, such cable insulation—but the Athena program how the modified hardware fit. The bolt as Galaxy VII, had been disabled because did not do so. Athena’s maiden flight subse- protruded against a traveling ball nut, and whiskers grew on the relays of their control quently suffered exactly the same failure. consequently, TSS could not deploy. processors, causing arcing that blew the Aerospace is striving to improve its The third question asks, “Can the vehicle fuses. process for disseminating lessons learned, survive a computer crash?” As the Clemen- The IMAGE satellite’s single-string most importantly by incorporating them tine and NEAR examples illustrate, com- transponder was protected by a circuit into engineering standards, mission assur- puter errors—often caused by subtle timing breaker. Radiation tripped the breaker, ance handbooks, testing guidelines, and or memory glitches—have affected several turning the transponder off. Unfortu- military specifications. References to real missions. Every vehicle should be able nately, a design flaw caused the breaker to failures should impress upon designers the to gracefully handle a computer fault by misreport itself as “on,” which prevented importance of following (and the risks of reverting to the “last known good state,” re- the onboard fault-management software ignoring) a given set of guidelines, specs, booting without being stuck in endless reset from resetting the circuit. The malfunc- or standards. Still, if the space industry is cycles, remaining in a safe mode, recovering tion disabled uplink, making ground rescue to head off further mistakes, it must over- from low bus voltage, and so on. ­impossible. come proprietary concerns and bureaucratic The safety analysis must ensure that The last question is, “Can pyros cause inertia to share, seek out, and heed lessons the fault-management system cannot be unexpected damage?” Premature firings learned. spoofed into making a wrong move, as hap- caused the Wide-field Infrared Explorer Further Reading pened to Ariane 501. This rocket’s flight (WIRE) spacecraft to open its telescope software carried over a function, “platform cover, venting all the cryogens and ending “Five Common Mistakes Reviewers Should alignment calculation,” from Ariane 4, even the mission in the first orbit. The mishap Look Out For,” Aerospace Report TOR-2007- though it was no longer needed. But the occurred because a logic controller chip (8617)-1 (The Aerospace Corporation, El Se- 501 vehicle flew a different trajectory, creat- unexpectedly asserted all outputs during gundo, CA, 2007). ing an alignment bias too large for the leg- power-on. Both “arm” and “fire” inhibits J. F. Binkley, P. G. Cheng, P. L. Smith, and W. F. acy code to compute and resulting in an “er- were commanded by the same chip (a com- Tosney, “From Data Collection to Lessons ror exception.” Although the exception was mon design oversight), and therefore failed Learned—Space Failure Information Exploita- irrelevant, the avionics system presumed together. tion at The Aerospace Corporation,”Proceedings that all faults were caused by bad hardware, Unexpected pyro firings have also caused of the First International Forum on Integrated and should be handled by an equipment the death of personnel. In 2003, a Brazilian System Health Engineering and Management in swap. It thus halted the active controller and launch vehicle was being readied for launch Aerospace (Napa, CA, November 2005). switched to the backup, which of course when an electrostatic discharge introduced “Report of the Defense Science Board/Air Force immediately encountered the same error an arc in the unshielded pyro circuits, set- Scientific Advisory Board Joint Task Force on and also shut down. The rocket needlessly ting off the initiator. Because the rocket Acquisition of National Security Space Pro- self-destructed. had no safe-arm devices to contain an grams” (Defense Science Board, 2003). The fourth question asks, “Is the circuit ­accidental flash, it caught fire on the pad, overcurrent protection adequate?” Short- killing 21 workers. ing and plasma arcing have caused many

24 • Crosslink Fall 2007 Profile The Embedded Program Office

to implement the interface for $3000 in parts and two months in Boots on the Ground labor. This interface capability served Milstar well through its devel- opment, launch, and on-orbit operations,” he explained. The idea of embedding program office representatives in contractor His second successful recommendation—to use launch-base facilities has been gaining support from government program man- checkout vans for a second test of the satellite—saved millions of agers. Personnel from Aerospace, the Air Force, and SETAs have dollars. The proposal, which had been readily accepted by the pro- had a presence at contractor facilities since the beginning of the gram office and the contractor, allowed early checkout of the flight space program, but their assignments have traditionally been tem- article, uncovering deficiencies that were fixed in good time. porary—just a few days at a time or for monthly reviews. In those When Kluetmeier returned to El Segundo in 1992, Aerospace instances where Aerospace personnel remained at a contractor asked him to write guidelines for in-plant representatives. He called facility for extended periods—for example, to minimize impact on his report the “rules of engagement,” and addressed it directly to a the program’s technical schedule during integration and test—they prospective representative who, he wrote, should have at least 10 worked day-to-day issues with the contractor and coordinated with years of experience, preferably in a program office. The full list reads: Aerospace management to resolve questions. What is new today is that decisions are now being made at the embedded program office. • Demonstrate initiative. Be proactive and a problem solver, Jorn Kluetmeier, principal engineer and scientist in Space Pro- rather than a note taker. gram Operations, is Aerospace’s in-plant representative for the • Show positive support for the contractor. Helping the contrac- Space-Based Infrared System (SBIRS) at Lockheed Martin in tor be successful will help the program be successful. Sunnyvale, California. When Kluetmeier was first assigned to • Become part of the customer/contractor team, but remain inde- SBIRS at the contractor’s site in July 2002, the program was transi- pendent (though you cannot be perceived as giving direction— tioning from total system program responsibility (which tradition- only the ­government procuring contractor officer can do this). ally lay with the contractor) to Aerospace oversight. As the only on- site representative during his first three years with the program, he • Listen to and work closely with counterparts, providing con- was able to provide timely resolution of technical issues, although structive information on technical investigations and solutions. guidance affecting contractual and technical direction continued to • Earn the contractor’s confidence in your judgment. Only as a come from the Aerospace program office in El Segundo. last resort should you need to request that the Air Force inter- Then, in late 2005, a decision was made to increase the SBIRS vene with a direct order to the contractor. program office’s on-site presence. “The increase consisted of two • Earn the contractor’s trust; never be perceived as a spy. The con- Aerospace and five SETA personnel,” Kluetmeier said. “It was tractor will test you by feeding you information to see how fast my challenge to phase in the additional staff and assign meaning- it comes back from the program office. ful work without disrupting the ongoing program-office business • Use good judgment about when to forward information. If test rhythm. The majority of the staff had not worked on SBIRS, but results at first seem to show that the sky is falling, wait until the had satellite experience on other programs. The integration was ac- data analysis matures before raising a red flag. complished seamlessly,” he said. Finally, in the summer of 2006, responsibilities (including tech- • Give credit to the contractor for solving problems or saving costs. nical direction) that had previously resided in the El Segundo of- The contractor will acknowledge your value to the program. fices were transferred to the SBIRS operating location under the • Get a contractor computer account to ease communication and direction of an Air Force lieutenant colonel. Another five Air Force data flow—but for good communication, stay in close contact officers were added to the embedded staff. This final integration was with your counterparts and rely as little as possible on phone accomplished with minimum impact to the daily activities. calls and e-mails. Get an office close to theirs. Kluetmeier had earlier been an Aerospace in-plant representa- • Follow the clear line of responsibility between your level 3 and tive at Lockheed Missiles and Space in Sunnyvale, but at that time, 4 managers to be certain the contractor gets no mixed messages technical direction and final decisions still came from the program from the program ­office. office in El Segundo. In 1989, he and another Aerospace engineer, together with one junior Air Force officer, were assigned to the Kluetmeier values his experience in the factory as a worthwhile Milstar program office at the Sunnyvale facility. He described the endeavor and a career enhancement and believes that “boots on following three years as “exciting times working hands-on with the the ground” offers clear benefits to the success of a mission. For contractor developing the first satellite. Being located directly with example, young Aerospace engineers can take advantage of mentor- the contractor makes a difference when you are working problems ing by senior staff members at the program office on the contractor in real time versus the 500-mile delay. You can quickly report back site. Issues can be handled in a timely manner on site with the gov- to the program office on proposed solutions and their merits. In- ernment counterpart, thus contributing to efficient and successful plant presence allows you to be more effective.” completion of the project. On the other hand, installing a perma- Kluetmeier led two major initiatives during those years. “I pro- nent staff member in a remote contractor facility may require relo- posed a command and control interface between the Milstar Mis- cating employees or even hiring new employees from the local area. sion Control Center and the Milstar Development Test Facility to Aerospace has 25 in-plant representatives at 12 contractor lo- perform early checkout of the Milstar data-system modernization cations, with plans for more; but, Kluetmeier predicted that only software with Milstar bus engineering units. The initial cost quoted “time will tell if the embedded program office is a temporary by the contractor was $600,000. Through my efforts, I was able ­phenomenon or a permanent practice.”

Crosslink Fall 2007 • 25 A Program For Success: The Aerospace Role in Software Assurance

Aerospace works to ensure that mission assurance is a component of every phase of software development.

John Cantrell, Suellen Eslinger, and Robert Duvall

oftware size and complexity are on the increase and integration up to qualification testing, and even validation have been since the first computer programs were and verification efforts, Aerospace can alert both the con- developed in the 1950s. Unfortunately this develop- tractor and the customer of national space systems to prob- mentS has been accompanied by an increased chance of er- lems early, when correcting them is less expensive. ror. More and more often, failures in space can be traced to The Role of Software Engineering software problems. The first Ariane 5 launch ended in fail- ure because of reuse of Ariane 4 software combined with Good software engineering practices provide one pillar specification and design errors and inadequate testing. The supporting mission assurance. Development of quality Mars Climate Orbiter was lost because different units were software includes the following essential fundamentals. used for parameters interpreted by software for different • Have a process and use it. A documented well- parts of the system. The most likely cause of the failure of ­understood software development process provides the Mars Polar Lander appears to be inadequate specifica- from the outset an understanding of the goal of the de- tion of known physical behavior. These accidents are dis- velopment effort and prevents the effort from becom- cussed by Nancy Leveson of the Massachusetts Institute of ing ­interminable. Technology in her 2004 article in Journal of Spacecraft and • Strive for high quality. Managers and software leads Rockets, “The Role of Software in Spacecraft Accidents.” should stress the necessity for software that is reliable These failures in space, although attributed to software, and safe. have broader implications for mission assurance. They can be attributed to many factors ranging from inadequate • Involve the customer. Customer feedback is not just definition or communication of requirements to the failure important in the world of business. to test for correct implementation of requirements. Mis- • Implement management fundamentals. Personnel and sion assurance for software must cover the entire software equipment resources must be carefully planned and life cycle. It must play a role in requirements definition; continually monitored and managed. Metrics to help requirement flow down to the subsystems; and software monitor and manage software quality and productivity design, coding, integration, and testing. Software mission should be collected. assurance is not a quality that can be bolted on or tested • Implement software engineering fundamentals. This just before launch. Rather, it must be engineered into the starts with requirements management and moves entire system from inception. through design, construction, and testing of the soft- The Aerospace Corporation works to ensure that mis- ware. Consistent application over the entire life cycle is sion assurance is a component of every phase of software key. development. The corporation’s work in software standards helps put customer contracts on a good foundation for • Use quality assurance fundamentals. Technical reviews software development. Monitoring the software develop- must be a regular part of development. Peer reviews ment effort over the entire life cycle raises the customer’s tend to locate defects earlier than testing and identify confidence that the contractor is adhering to recognized different types of defects (e.g., requirements and design good development processes. Finally, by scrutinizing the flaws). Testing and reviews should complement one thorough testing of the software, from unit testing, through ­another. Certain steps should be included in whatever process the development or- ganization chooses to use. These include requirements definition for the software, architectural design, detailed design, cod- ing, and finally testing. These steps may or may not overlap, depending on the design methodology. The process should describe what is necessary in each step. A systems engineer present at the requirements definition meetings should provide a broader perspective than that coming from software engineers alone. A test engineer present during the requirements definition meetings should lead to requirements that can be tested. While it is possible for the steps in the process to overlap, any step that is missed or any shortcut taken increases mission risk. Not having a test engineer during requirements definition may result in re- quirements that are difficult to test. This may necessitate a requirements change, the acquisition of expensive test equipment, or software changes because of ambiguities. While it is not a foregone conclusion that these outcomes will occur, the presence of a test engineer may well prove to be a cheap insurance policy. Technical review of the code and design is another area that is sometimes over- An actual launch vehicle flight computer is a rugged closed system well suited for flight, but not ideal for looked. When programmers review each validation of flight software in the laboratory. The highly integrated design makes the attachment of internal other’s design and code, everyone strives to electrical and logical probes difficult. do a better job. In addition, changes made in one software module as a result of a ­questions that Aerospace answers in striv- review usually are implemented immedi- ing to provide mission assurance. ately in subsequent modules, obviating the When a dramatic increase in on-orbit When programmers need for the same change repeated again anomalies and space-vehicle failures oc- and again. Such practices contribute to curred in the late 1990s and early 2000s, review each other’s programmer education and to overall code anomaly investigations and major cross- quality. program studies cited a foremost root design and code, Setting the Standards cause as the lack of adequate processes by the development contractors, especially everyone strives to do Aerospace cannot dictate to contractors processes for testing and other activities how they should handle their software related to mission assurance. Software development efforts. However, Aerospace was affected as well as hardware. With a better job. can gain insight into the processes that the the removal of software-related military contractor uses and, based on experience, standards from contracts, military space- make judgments about the efficacy of these system contracts mandated no specific Improvement Task Force was initiated, processes. All peer reviews, for example, are contractual requirements for software test- revitalizing emphasis on contractual not the same, even within a single contrac- ing and other critical activities related to standards. The principal software-related tor organization. software mission assurance, such as peer product of this effort was an update of the Aerospace’s long experience guides its reviews of software work products. Elimi- military standard for software develop- efforts to monitor the contractor’s per- nating these requirements led directly to ment (MIL-STD-498), which had been formance. Are the processes followed by a dramatic increase in on-orbit anomalies canceled during the acquisition reform ini- the contractor in line with its promises and mission degradations caused by tiatives of the mid-1990s. The team modi- (software development plan, software test software. fied MIL-STD-498 to bring the standard plan)? Do the plans make sense in the Aerospace has been a leader in defining up to date and to add requirements related program environment? How could they contractual requirements driven by mission to software mission assurance. The updated be improved within schedule and budget assurance. In 2003, the Space and Missile standard is documented in an Aerospace constraints? These are just some of the Systems Center/National Reconnaissance technical operating report, “Software De- Office (SMC/NRO) Mission Assurance velopment Standard for Space Systems.”

Crosslink Fall 2007 • 27 The GPS Control System Transition limits and boundary conditions), and all Transition from the Global Positioning System (GPS) legacy control system to the new Op- algorithms. Software integration testing must successfully test all interfaces among erational Control Segment Architecture Evolution Plan (OCS/AEP) provides flexibility and the software and hardware (including lim- growth to meet military and civil needs for the next 30 years. The control system provides its and boundary conditions), end-to-end command, control, and maintenance services to the GPS space segment. The transition’s functional and performance requirements key event—Enhanced Phased Operations Transition—occurred on Sept. 14, 2007. Aero- under conditions reflecting operations, space, the Air Force, and other mission partners were involved in a number of activities that stress testing including worse-case scenar- took place before and after this major event, and their work is ongoing. ios, fault detection and recovery handling, and start-up, termination, and restart. Mission assurance for the transition is composed of interrelated efforts by many different Software qualification testing must suc- groups, including Aerospace, the 50th Space Wing at Schriever Air Force Base, the GPS cessfully verify all software and interface Independent Review Team, and the GPS Wing—the DOD acquisition office for developing requirements—whether satisfied by new, and producing GPS satellites, ground systems, and military user equipment. Aerospace’s reuse, or commercial off-the-shelf (COTS) launch readiness review process is a model for the SMC chief engineer’s Control System software—on the target processing hard- Independent Readiness Review Team, a component of mission assurance for the transition. ware using the actual interfaces where possible and high-fidelity simulators where The control system transition, however, occurred over a period of 5 days—rather than the not possible. Based on lessons learned seconds to minutes for a launch vehicle—and was supported continuously by satellite opera- from space-system failures caused by soft- tors in the worldwide network of GPS monitoring stations. ware, the software-development standard Aerospace and the GPS Wing performed a comprehensive review of all mission assurance was updated to also require regression test- ing of affected unit, integration, and quali- activities to make certain that the transition was transparent to the GPS user community. The fication test cases for any modifications to purpose of the analysis was to ensure that the efforts are effective, adequate, and efficient. previously tested software. In addition, the Specifically: Are there any gaps between the various mission assurance efforts and the standard specifies minimum requirements disparate teams executing them? Are there any unnecessary duplications of effort? In cases for testing of COTS and reuse software. where there are beneficial or necessary overlaps, are the participants taking advantage of The SMC specifications and standards the synergies between them? effort (part of the SMC systems engineer- ing revitalization initiative) has been in- To identify possible gaps or overlaps, the transition team examined all efforts related to mis- strumental in updating and reintroducing sion assurance, with emphasis on software testing and on the transition from the legacy con- other military specifications and standards trol system to OCS/AEP. The results were captured in a simple matrix format that revealed a important to space-system mission success. few minor overlaps, now adjusted to streamline the processes and improve efficiency in the One of the most important of these is the future. Initial findings have been briefed to the GPS Independent Review Team and senior standard for space-vehicle test require- military leadership in the GPS community. ments (MIL-STD-1540), which has been updated for enhanced mission assurance —Michael Campbell, Chief Software Engineer (documented in an Aerospace technical report, “Test Requirements for Launch, Upper Stage and Space Vehicles”). Aero- space was responsible for getting software test requirements included in this stan- The additional requirements related to quality assurance reviews, software product dard for the first time in its history. This mission assurance are based on experience evaluations, and joint technical reviews) standard now includes requirements for a with multiple space programs and on well- is paramount. A robust software test pro- robust software test program appropriate researched and documented results from gram, however, is the last line of defense to onboard software. In addition to the test the software engineering literature. These against latent defects in the software that requirements in the new software standard, requirements address peer reviews; trace- could cause mission loss or degradation, the update to MIL-STD-1540 includes ability; assurance of critical requirements and thus is critically important to any suc- requirements for testing the software for dependability, reliability, maintainabil- cessful space program. during thermal vacuum tests where the ity and availability, and key performance The robustness of a test program is processor speed can be affected by the en- parameters; software unit testing and soft- determined by its depth and breadth. For vironmental temperature conditions. An- ware unit integration testing; hardware and depth, the software standard requires other software test requirement driven by software integration testing; and software multiple levels of software testing: unit lessons learned with actual space-system qualification testing, quality assurance, and testing, integration testing (both among failures is the requirement to regression metrics. Although titled “Software Devel- software units and among hardware and test the software when the operational val- opment Standard for Space Systems,” the software), and qualification testing. For ues of the onboard constants database are updated software standard actually applies breadth, specific test coverage criteria are loaded. The updated software development to any software-development effort. required by the standard for each level standard and the updated space-vehicle From a mission assurance perspective, of software testing. Software unit testing test requirements standard are now be- the importance of building quality into must successfully test all statements and ing cited as compliance standards on new the software prior to testing (e.g., using branches in the code, all error and excep- SMC and NRO contracts. such techniques as peer reviews, software tion handling, all unit interfaces (including

28 • Crosslink Fall 2007 Software Qualification and Spacecraft Bus Testing Qualification testing for software in na- tional space systems is the verification that the software correctly implements its requirements. While qualification test- ing cannot guarantee mission success by itself, it improves overall confidence that the contractor understood the software requirements and implemented them, and that the software will perform as designed once on orbit. It is another building block in the foundation of confidence supporting mission assurance. Qualification testing activities usually occur at the end of the software develop- ment cycle. If the final deadline (launch) of a system is fixed, which is frequently the case, and the software development effort underestimated the time required to implement the software, pushing back de- livery of the software to the testing phase, the testing effort is compressed. Conse- quently, the launch may take place before all software has undergone qualification testing. What happens now? In terms of the payload, Aerospace has identified key functions that are more es- sential to mission assurance than others. While all payload functions are clearly important, these key functions have been identified as such because software failure in any one of them could cause loss of the payload. An Aerospace technical report— “Recommended Process for Qualification Testing of Payload Software Prior to Use on Orbit”—identifies core functions that must undergo complete qualification test- ing prior to launch. These functions are supplemented by ancillary functions that could be qualified on the ground using simulators before being uploaded in orbit. The report does make clear that all flight software should be qualified before launch, but real situations often allow less-than- This hardware-in-the-loop simulation was developed at Aerospace for the Atlas V. The single board computers ideal actions. are built with the same processors, bus controller chipsets, and other electronic components that are used in The various payload functions are clas- the flight unit. These boards, however, plug into an equipment rack with standardized data-bus connections that allow easy use of logic analyzer probes to measure signals and timing. The boards also have special probe sified as core—capabilities that require pads that allow direct access to the central processing unit (CPU) buses. This open design allows complete ac- qualification testing before launch—and cess to the flight software behavior with a resolution of a single CPU clock cycle. Aerospace currently maintains basic—capabilities that may be qualified hardware-in-the-loop simulations for the Delta II, Delta IV, and Atlas V launch vehicles. and uploaded to the payload after launch. Booting up, for example, is a core function that describes the ability of the payload For this reason, this function needs to be with the ground but rather communicates to start after the application of power and tested as much as possible before launch. by way of the spacecraft. If this capability to enter a known safe state defined by the Core functions include booting up, does not operate properly, the payload can- payload designers. The safe state might spacecraft communications, system up- not offload its mission data to the ground mean any state from the payload waiting load, reporting the status of hardware and and the ground cannot command the for a ground command to the payload in software, and “safing” the payload. Basic payload. In this case, the payload capability full-blown operation. What is important is functions are hardware control and payload would be lost. that the payload is able to enter this state data processing. If perfect software is loaded at launch, after power is applied. If an error occurs Spacecraft communications assumes it is possible that the system upload ca- while booting up, the payload may be lost. the payload does not communicate directly pability may never be used, but it may be Crosslink Fall 2007 • 29 The Chief Software Engineering Advisory Council considered core for the payload must also The Chief Software Engineering Advisory Council (CSEAC) was established in March be considered core for the corresponding capabilities on the space vehicle. Com- 2006 within Aerospace Space Program Operations to determine how the corporation can munication, for example, is considered core best provide software support for Air Force acquisition programs. Specifically, the council for both payload and space vehicle because assists the Space and Missile Systems Center (SMC) in its software-acquisition efforts for it is essential for them to communicate intensive space systems. It aligns all Aerospace software-related initiatives to focus support with each other. Another example is boot- toward the success of SMC missions. ing up the spacecraft, which performs much the same actions as booting up the The CSEAC developed its structure to accommodate a long-term operational strategy to payload. Other spacecraft core functions carry out this goal. The council is cosponsored by Space Program Operations and the En- analogous to those of the payload are gineering and Technology Group and reports to both vice presidents. An Aerospace chief system upload, hardware/software status software engineer is designated for each Space Program Operations division. Providing reporting, and safing the spacecraft. software engineering and oversight for software issues, these chief engineers constitute a Several additional capabilities are powerful team resource. In addition, senior software engineers participate in CSEAC activi- considered core for the spacecraft: the ties to ensure that all facets of Aerospace software efforts are represented. executive/operating system, whether a commercial product or purpose-built by In February 2007, CSEAC expanded one of its strategic components, the Software Lead- the contractor; guidance, navigation, and ership Initiative, to assist in forming the SMC Software Action Group. A collaboration of control; thermal control; and electrical representatives from both SMC software customers and Aerospace software support, this power control. Any failure of these systems group is addressing a number of software-related issues, including those directly associated because of software puts the entire mis- sion in jeopardy. They must be exercised with acquisition mission assurance, such as the use of common software acquisition tools. as thoroughly as possible before launch to —Francis Sisti, Chief Software Engineer increase confidence that this software and the accompanying hardware will work to- gether to accomplish their subsystem tasks. Another core function is on-orbit deploy- necessary to exercise this function at some most likely back to the boot-up function. ments and beginning-of-life testing. future date—for example, if a new software This entire path, from anomaly to safing to Command execution and onboard system upload is needed. If qualification recovery, must undergo extensive testing command storage must also be subjected testing and the preceding testing efforts before launch to provide maximum confi- before launch to as much testing as pos- were not thorough enough, a problem dence that it will perform its function after sible, usually involving all possible com- may leave the payload incapable of either launch. mands. If the spacecraft cannot execute starting the new system or returning to the Hardware control and payload data pro- commands issued from the ground, mis- previous version of the software. cessing, on the other hand, are considered sion goals would not be achieved. For this The hardware and software status re- basic, or ancillary, functions. Proper testing reason, ground communications are also porting capability is considered a core of the actual flight hardware involved in considered core. Onboard command stor- function mainly because of its value in these actions usually involves the use of age is usually provided to store commands the event of an anomaly. If everything is test (i.e., not flight) software. Such test- for future execution. These may be certain working correctly with the payload, this ing may not have been at the qualification command sequences, such as the actions function will only reinforce what is already level, but it does show that the hardware needed to safe the spacecraft that must be known—that everything is working cor- and data processing can be controlled activated quickly in the event of a fault, or rectly. However, when things go wrong, properly with software. If the space vehicle they may be sequences that allow ground this may be the only way ground control- must be launched before such software controllers to upload one command while lers are able to analyze the root cause of capabilities are qualification tested, this the spacecraft actually performs a large the anomaly and devise a correction. This software can be omitted from the launch number of commands. Often, these com- capability is especially important during configuration of the software and uploaded mand sequences are used at the beginning the early life of a payload, when ground later. In this case, mission availability is and end of life for the spacecraft—the controllers are not thoroughly familiar negatively affected because the payload function of storing commands and then with its behavior. will not function as designed until all soft- executing them at the appropriate time is Safing the payload is another capability ware components are operating onboard. vital to the health of the spacecraft and the that may never be exercised, but if the pay- Because all core functions are working as mission. load must be put into a safe state because designed, the hardware control and pay- A basic function that could be consid- of an anomaly, this capability will be called load data-processing capabilities can be ered core involves end-of-life maneuvers, upon. Depending on the payload, this tested thoroughly on the ground and up- which have gained importance in recent capability may require that the mechani- loaded and tested in flight, allowing full- years. These end-of-life maneuvers may be cal doors be closed, power be removed or scale operations to be started. This saves a controlled deorbit of the spacecraft, mov- reduced, or other actions be taken to pro- schedule time on one side of the launch at ing it to a higher orbit where it will not tect the payload from the environment of the cost of schedule on the other side. jeopardize other spacecraft or leaving it space. In addition to allowing the payload The list of core and basic functions for where it is, if that is an option. In this par- to enter into a safe state, this capability spacecraft bus capabilities is longer for this ticular case, though, any hardware used by must also allow it to exit this safe state— software-intensive system. Capabilities these maneuvers will have been tested, and

30 • Crosslink Fall 2007 lation done completely in software that simulation that combines a 6-degrees- mathematically simulates the subject— of-freedom, rigid-body simulation with a Aerospace has provided which runs in a standard workstation en- computational fluid-dynamics simulation. vironment. The models are developed and This integrated simulation allows Aero- a path to launch that tested by running a version of the vehicle space to analyze the interactions between flight code that can execute on the work- fuel/oxidizer dynamics, stability control, offers more flexibility station. Once the fidelity of the vehicle attitude control, and other interactions models has been validated, they are moved with flight code. This new simulation ca- when reality prevents to the hardware-in-the-loop simulation. pability is a first step in Aerospace’s plans Launch vehicle scientific simulations are to integrate simulation models developed also used for day-of-launch activities. The in house. This systems simulation envi- optimal testing. simulation executes the flight software to ronment would more fully ensure that all generate real-time predictions of launch- subsystems that interact with software/ vehicle behavior during atmospheric flight hardware avionics are fully tested. as these maneuvers are not scheduled for on launch day. Wind data measured by Aerospace has made major contribu- years after launch, they only become criti- weather balloons at the launch site are tions to software mission assurance for cal at that time. There are circumstances incorporated into the simulation to allow launch vehicles and continues to pursue a in which these maneuvers may become for up-to-date predictions. Structural loads number of diverse efforts to maintain and needed far earlier than planned, such as and engine deflections are found from enhance its leading-edge role in software an anomaly with the launch vehicle that these real-time predictions and compared mission assurance for space systems. These puts the spacecraft in the incorrect orbit. with launch-day limits. This capability al- include defining the contents of critical This situation would drastically shorten lows Aerospace to make a go/no-go launch technical contract deliverables for soft- the testing schedule for such software. This recommendation based on flight-software ware, tailoring space and ground reliability capability is still considered basic because performance in the face of actual condi- standards and their associated contractual it can be tested at relative leisure on the tions at the launch site. deliverables to include software, using ground before being uploaded to the space Aerospace also develops and maintains static and dynamic software analysis tools vehicle in most cases. Other basic func- hardware-in-the-loop simulations for for identifying problems in software prod- tions are onboard data storage and retrieval satellites. Independent analysis is carried ucts, evaluating contractor compliance and onboard data processing. out by developing models of the spacecraft with software development and testing Flight Software Validation dynamics, including all deployables (solar processes, defining software technology arrays, antennae, etc.), control sensors, readiness levels and evaluating software Although it is never a good idea to launch and actuators. For example, the Global technology readiness for programs, and a mission with software that has not un- Positioning System Block IIR spacecraft performing research in software reliability dergone complete qualification testing, has 13 articulated bodies, all modeled and and software acquisition. Aerospace has provided a path to launch simulated. In each hardware-in-the-loop Acknowledgment that offers more flexibility when reality simulation, the actual flight computer or prevents optimal testing. equivalent is included. Mission assurance The authors thank Daniel Dayton, Douglas Aerospace develops and maintains is enhanced by this independent analysis Buettner, Michael Tanzillo, Joseph Anselmi, hardware-in-the-loop (HIL) simulations through the use of both scientific and and Marin Panevsky for contributing to this for the validation of flight software for hardware-in-the-loop real-time simula- article. both satellites and launch vehicles. A hard- tions that are used to validate the attitude ware-in-the-loop simulation is built from control design, performance, and stability Further Reading a combination of flight-equivalent avionics of the satellite. Included in this validation Aerospace Report No. TR-2006(1472)-1, that can execute the same flight code im- are the control laws that are implemented “Recommended Process for Qualification Test- age and mission data that will be loaded on in the flight code. ing of Payload Software Prior to Use on Orbit” the real system for flight. This “test-like- Independent testing with the hardware- (The Aerospace Corporation, El Segundo, CA, you-fly” approach gives the most realistic in-the-loop simulator leads to discovery 2006). evaluation of how the system software will of flight-software weaknesses, which are Aerospace Report No. TR-2004(8583)-1, perform during flight. In most cases, the brought to the attention of the contractor. Rev. A, “Test Requirements for Launch, Up- hardware-in-the-loop simulation runs in Workarounds or design changes are used per Stage, and Space Vehicles” (The Aerospace real time, meaning that the flight software to eliminate or mitigate the weaknesses. Corporation, El Segundo, CA, 2006). is being executed at the same speed as it The simulator is used to support launch Aerospace Report No. TOR-2004(8506)-106, would on the real system. training, launch support, and on-orbit 107, 108, “Space and Missile Systems Center The simulation emulates all input and anomalies if they occur. This can include Test Assessment Study Report(s)” (The Aero- output (I/O) interfaces that are visible validation of the contractor’s flight-code space Corporation, El Segundo, CA, 2004). to the processing hardware on which the software patches before they are loaded up Aerospace Report No. TOR-2004(3909)-3537, flight software runs. The I/O interfaces to the spacecraft. Rev. B, “Software Development Standard for are driven by high-fidelity simulations of Aerospace continues to improve the Space Systems” (The Aerospace Corporation, all vehicle subsystem hardware, as well as fidelity of the vehicle dynamics and flight El Segundo, CA, 2005). vehicle dynamics and flight environment environment models that are used by the N. G. Leveson, “The Role of Software in models. These are initially developed in the scientific and hardware-in-the-loop simu- Spacecraft Accidents,” Journal of Spacecraft and form of a “scientific simulation”—a simu- lations. One example is a new integrated Rockets, Vol. 41, No. 4 ( July–August 2004).

Crosslink Fall 2007 • 31 Mission Assurance: A Human-Rated Space Perspective

Aerospace has a long history of working with NASA on mission assurance initiatives for humans as they venture into space.

Garry Boggan

erospace is no stranger to mission assurance for NASA policy allocates responsibilities for mission success human-rated space programs, including those of to the mission directorate associate administrators, center the early space race. The National Aeronautics and directors, the chief safety and mission assurance officer, and SpaceA Act of 1958 stated as an objective “the development program managers, as well as to supervisors, managers, and and operation of vehicles capable of carrying instruments, employees. equipment, supplies and living organisms through space.” While all space systems share a risk to the general pub- Aerospace assisted in early efforts for the Mercury and lic of accidents on ascent and reentry, human-rated space Gemini programs, sharing its expertise in launch vehicles. programs must also be developed with consideration of the Later, when the Air Force planned to deliver satellites to risks posed to humans on the flight and those in orbital orbit using the Space Transportation System, Aerospace space system segments. Humans in space are vulnerable to a worked to assist in this goal. But after the Challenger ac- loss of atmosphere or exposure to hazardous environments, cident in 1986, the Air Force decided to deliver defense such as fire or radiation. These and other considerations payloads into orbit using unmanned launch vehicles. must be addressed so that the support systems in a space ve- Nevertheless, Aerospace stayed involved with NASA hicle are provided with an appropriately redundant design. programs. Today, Aerospace personnel working at Johnson Requirements for safe extravehicular activities by humans Space Center in Houston support the NASA Space Shuttle must also be considered. Program and the military Space Test Program. For more These human-rating requirements—and their contribu- than a decade, Aerospace employees have worked with the tion to mission assurance and success—are by policy the NASA Office of Safety and Mission Assurance performing responsibility of the program managers. Other NASA independent assessments during the development and de- organizations and contractors support program managers ployment of the International Space Station. Aerospace also as the system requirements are implemented. Endorse- assisted the NASA Space Shuttle Systems Engineering and ment by contractors, NASA project and program manag- Integration Office directly following the Columbia tragedy, ers, and higher-level NASA management occurs through working on return-to-flight initiatives and an ongoing ef- a sequence of flight-readiness reviews prior to mission fort for debris risk characterization and testing. ­deployment. Mission Assurance Perspectives Safety and Mission Assurance Policies Mission assurance, from an Aerospace perspective, is the NASA policy distinguishes between human-rated space disciplined application of general systems engineering, systems and nonhuman systems. Space systems and their quality, and management principles toward achieving mis- human-rating requirements have evolved over the years, sion success. It focuses on the detailed engineering of the and a review of related specifications and handbooks offers acquired system using independent technical assessments a snapshot of this evolution. For example, lessons learned as a cornerstone throughout the entire concept and require- provide a basis for adaptation and, ideally, improvement of ments definition, design, development, production, test, system expectations. Problem-reporting systems are a col- deployment, and operations phases. lection of experiences with systems during development and Mission assurance within NASA is formally aligned deployment. Procedures for addressing the root causes of under the Office of Safety and Mission Assurance; however, problems, evaluating the risks of using “as is,” or requiring Courtesy of NASA Courtesy of NASA

Left: The capsule of the Apollo/Saturn 204 space vehicle after the tragic flash fire after the fire. Results of the investigation into the cause of the fire led to major that killed three astronauts readying for flight.Right: The exterior of the spacecraft design and engineering modifications for future space capsules. immediate mitigation and fielding correc- 13 mishap. In the Apollo 13 case, a design lowing this loss. The board recommended tive actions, are all elements of the safety discrepancy within the oxygen tank, cou- changes within NASA to instill a renewed and mission assurance discipline and sup- pled with improvised ground procedures, commitment to safety and mission success, port the implementation of these policies. were identified as the likely cause of the including providing independent reviews NASA directives and work instructions on-orbit explosion that could have ended in and elevating dissenting opinions to pro- are designed to help implement established tragedy if not for an available lunar module gram managers. safety and mission assurance policies, ad- refuge and operational workarounds. The organization and operation of dressing the fundamental issues of consid- As it began its initial set of orbital tests NASA’s Mission Management Team was ering the safety of the flight crew as well as on April 21, 1981, the space shuttle rep- changed as a result of the board’s recom- ensuring mission success. These directives resented the start of a new mode of space mendations. This team is responsible for and work instructions help guide program transportation—that of a large, mostly making programmatic decisions and trades managers, the engineering and program reusable space vehicle. Reusability brought associated with launch countdown and in- teams, and contractors. its own set of concerns, namely, that the flight activities. The Mission Management Events can drive changes to policies vehicle’s design had to address the rigors Team is now responsible for oversight and and how they are implemented. The flash- of multiple launches and recoveries. Un- daily reviews of ongoing operations dur- fire on January 27, 1967, that killed the fortunately, the program has witnessed its ing shuttle flights, while the flight control Apollo 1 crew was a jolt to NASA and own set of problems, in which the objective team and flight crew continue to have drove the agency to address safety as part of crew safety fell victim to mistakes and operational authority of all crew and mis- of its culture. The team that led the failure failures in the safety and mission assurance sion safety matters. Mission Management investigation identified flaws in all aspects processes, as exemplified by the losses of Team roles and responsibilities are assigned of the capsule design, operations, and test- Challenger in 1986 and Columbia in 2003. to several elements of the Space Shuttle ing. NASA took efforts to increase flight In the case of the Challenger disaster, Program, including the Office of Safety crew safety by addressing basic operational the Rogers Commission highlighted the and Mission Assurance, which is charged concepts, such as reducing the likelihood root cause as a leaky O-ring on the star- with reporting independent risk evalua- of a fire by making changes to the capsule’s board solid rocket motor that allowed hot tions of anomalies, in-flight anomalies, and atmosphere while on the ground and in- exhaust gases to compromise the external problem reports, and elevating concerns troducing fireproof covers for suits. Design tank. But the commission also wrote a through the in-flight crew safety and mis- flaws were also addressed, such as providing chapter about the “silent safety program” sion success reporting process. for quicker crew escape with a redesigned that contributed to organizational missteps. The paths leading up to deployment hatch, by reducing flammable materials in The commission highlighted pressures to of an operational system must also be the capsule, and by redesigning electrical maintain the launch schedule as contribut- included in safety and mission assurance connections to avoid disconnects with the ing to the accident. policies and processes. NASA has imple- power on. Even with these fixes and lessons More than 15 years later, the Columbia mented these procedures agency-wide learned, the still encoun- accident raised additional concerns about within its civil servant and contractor tered problems that impacted safety of lapses in safety. Aerospace assisted the Co- organizations. Individual NASA centers flight, including the well-publicized Apollo lumbia Accident Investigation Board fol- also house their own safety and mission

Crosslink Fall 2007 • 33 ­assurance organizations, and supporting contractors participate in program reviews and analyses. Contractors charged with the development of flight hardware and sys- tems are also tasked with including mission assurance functions in their development and manufacturing processes. They must supply NASA with the information neces- sary to meet the safety and mission assur- ance requirements levied on their system. The International Space Station Aerospace has also provided support in ad- dressing technical challenges encountered by the International Space Station. During

the station’s development phase, Aerospace Courtesy of NASA addressed technical concerns during several independent assessments. These included Using the shuttle’s robotic arm and 50-foot-long Orbiter Boom Sensor System, the STS-118 crew photographed component breakdown phenomena present this close-up view of damaged tile on the underside of the Endeavour during an inspection of the shuttle’s heat shield while docked with the International Space Station on August 12, 2007. After extensive analysis, engineers in the design of the electrical power system, decided that the tile did not need to be replaced before the shuttle disembarked for a return to Earth. such as the dc-to-dc converter unit, and concerns with the remote power control module. Aerospace assessed the fiber optics technology evaluated by Aerospace prior to craft charging models and environments integral to the onboard avionics computer the ISS 6A mission, which was launched and compared them to those used for network because there was concern that in 2001 and was the sixth American flight military satellite operations. In addition to the installation procedures could degrade delivering materials for the construction of review of the orbital environment (i.e., the the transmission quality of the commu- the International Space Station. ambient electron density and temperature, nication path between the avionics boxes. Aerospace was asked to evaluate the and variations based on orbital param- NASA also asked Aerospace to assist in plasma charging models developed for eters and seasons), Aerospace reviewed evaluating technology for maintaining the the space station because NASA was con- contractor-developed models for validity fiber-optic cable installation and signal cerned for the crew’s safety in respect to of ground rules and assumptions, such as integrity equipment being considered for the level of electrical discharge that might charge-collection areas based on physical use on orbit. The flight equipment, an opti- traverse a spacesuit during a spacewalk. configuration. cal time-domain reflectometer, is based on Aerospace and NASA reviewed the space- Aerospace evaluated command and con- trol software procedures used to increase the capability of the International Space Station throughout various configuration changes, and also assisted in developing an observation window that would satisfy stringent optical requirements for on-orbit photographic experiments. The internal ac- tive thermal control system that provides cooling for the internal heat sources of the space station was evaluated by Aerospace for corrosion and microbial contamina- tion. Aerospace chemists reviewed the system configuration and its operation in the orbital environment, conducted analyses of the material compatibility and possible causes of corrosion, made recom- mendations of options, and evaluated a contractor-offered solution. The operation Courtesy of NASA of this thermal control system remains under observation to ensure that the solu- The on-orbit imagery collection procedures that were updated following the Columbia accident help to tion implemented provides the necessary better inform the flight control team, the flight crew, and the mission management team of the state of mitigation. the shuttle after its ascent. This image from STS-121 shows an inspection of the external tank following its separation from the orbiter. Astronauts use handheld cameras to evaluate the performance of the external As the International Space Station be- tank foam after it has experienced the rigors of ascent heating. The digital photographs are downlinked to gan operations, NASA began a review of engineers for imagery analysis. The shadow of the orbiter is shown on the intertank region. Missing foam is the system-readiness reporting procedures shown near the foot of the third ice/frost ramp from the intertank flange. Foam ramps are used to provide a and asked Aerospace to evaluate options more aerodynamic shape for the brackets supporting the tank repress lines. Design changes to the orbiter systems include adding imagery assets that will work in sunlit and unlighted separations. for improving the status reporting of the various distributed systems. This analysis

34 • Crosslink Fall 2007 Analysis Techniques for the Space Shuttle

Aerospace personnel have conducted extensive testing of foam debris in support of the Space Shuttle Systems Engineering and Integration Office at NASA’s Johnson Space Center. These tests began in support of STS- 114 return-to-flight activity, but expanded in depth and scope for STS-121 and beyond. Here, Brian Hardy of Laboratory Operations prepares external-tank foam samples for combined environments testing.

Matt Eby, Vehicle Systems Division, and John Brekke, Space Launch Operations, review damage to the orbiter’s thermal protection system tiles following its return from space.

An image of a foam particle striking a sample shuttle tile as photographed from a high-speed camera in a labo- ratory at Aerospace.

Tim Graves from the Space Materials Laboratory pre- pares the debris impact shock cannon for testing small foam on shuttle tiles.

Crosslink Fall 2007 • 35 Courtesy of NASA

New operational techniques have been developed for on-orbit inspection of the photograph taken by an astronaut in space of the underside of space shuttle Dis- orbiter’s thermal protection system tiles. The image on the left shows a protrud- covery on mission STS-114. The new techniques help to identify additional debris ing gapfiller on STS-121 and the gaps between the tiles where heat resistant filler threats not considered by NASA prior to the Columbia tragedy in 2003. material can protrude following ascent environments. The image on the right is a included developing a methodology that Space Shuttle Return to Flight Aerospace has since participated in risk as- would provide linkage of the relationships NASA focused on reinvigorating its sys- sessments of foam debris, including on the between redundant system components, tems engineering capabilities following the Discovery STS-114 return-to-flight mis- on-orbit spares, and flight rule procedures investigation into the Columbia accident. sion in 2005, and subsequent flights. for workarounds. Aerospace assisted these and other return- Aerospace has also been supporting Trash and how it is discarded is a logis- to-flight activities, working closely with NASA’s Space Shuttle Program by testing tical problem for an orbital human-rated NASA’s Space Shuttle Systems Engineer- iceballs to understand the physics of their station. Trash in space is typically stored for ing and Integration Office and its Safety release and breakup, performing residual eventual return to Earth via an expendable and Mission Assurance organization. Aero- risk analysis on the potential for metal par- capsule, such as Russia’s Progress spacecraft space helped develop plans for recertifica- ticle combustion with the orbiter’s liquid- or onboard the orbiter itself. One idea tion of the vehicle, assisted in developing oxygen system, and assisting in structural was to discard the trash overboard so that a method to assess the risks of debris in modeling. Aerospace has also worked on it would disintegrate during reentry. An comparison to the capabilities of the ve- propellant quality methodology com- Aerospace and space station program team hicle and its components, and helped in the parisons between approaches used in the worked together to assess the risks to the understanding of new imagery technology Space Shuttle Program and for expendable public from trash that would survive reen- that would evaluate debris during ascent. launch vehicles, assisted in peer reviews try, and also for the potential of an increase Aerospace worked with NASA to de- of wind-tunnel test planning and evalua- in orbital debris. velop a debris risk assessment approach tion of results from thermal and acoustics The Apollo-Soyuz interchange, Ameri- that evolved from a basic understanding testing, and with tin whisker concerns for can participation on Russia’s Mir space sta- of risks to establishing a probabilistic as- orbiter avionics. Aerospace assists NASA tion, and involvement of Russian spacecraft sessment technique for determining the with estimates of risks to the public on and ground elements (i.e., Soyuz, Progress, debris threat to the space shuttle system’s shuttle reentry sites and provides support and Baikonur) in the International Space capabilities. The goal was to understand on in-flight anomaly investigations, safety Station program offer opportunities to the origins of all potential debris sources reviews, and integrated hazard reports. evaluate risk management and mission as- and determine the level of threat from each Aerospace is acknowledged as playing “a surance processes from different cultures one. Meanwhile, the vulnerabilities of the key role for systems engineering for debris and nations. Aerospace has also supported various components, such as the reinforced and end-to-end Monte Carlo analysis” in NASA with independent assessments carbon-carbon or ceramic tiles of the or- NASA’s 2007 implementation plan, “Space for encryption analysis for the command biter’s thermal protection system, were be- Shuttle Return to Flight and Beyond.” and control communication of the Zarya ing scrutinized. The analysis revealed that Conclusion module of the space station, evaluation of the strength of these structural capabili- ­Russian nickel-cadmium batteries, and ties did not remain intact after reuse. This Aerospace’s involvement with mission as- postentry analysis of the Mir space station. reduction in capability had to be factored surance for NASA programs has evolved into NASA’s debris threat risk assessment. into support of independent evaluations

36 • Crosslink Fall 2007 Predicted Starboard Damage of advanced human-rated space pro- 500 grams, including an orbital space-plane project where program requirements were 400 Source for aft ­evaluated for interface, safety, and alloca- < 0.05aa impacts under tion requirements. 300 < 0.1aa investigation Aerospace has also provided inde- pendent assessments for launch vehicle < 0.25aa 200 structural and propulsion technology trade > 0.25aa studies in support of the most recent vision 100 for space exploration. As the human-rated space program takes its next steps with the Constellation program, Aerospace plans to 0 support NASA in mission assurance activi- ties, just as it has since the beginnings of –100 Project Mercury. –200 Acknowledgments The Aerospace efforts presented in this article –300 represent work by many technical experts from a variety of departments and organizations over –400 many years. NASA has publicly recognized Predictions made for ascent portion of flight only many of these people for their efforts. Space –500 Flight Awareness Award honors have gone to 1000 1200 1400 1600 1800 2000 2200 2400 Raymond DeGaston and Karen Scott for recog- nition of their work on the International Space An Aerospace model designed to predict damage and its depth to the space shuttle thermal protection Station, and to Pete Choban for his efforts on system. The numbers along the axes refer to the coordinate system of the integrated vehicle in inches. The the STS-102 flight. NASA awarded Bruce overall length of the shuttle is 184 feet; the wingspan is 78 feet. Wendler with the Exceptional Public Service Medal, which he received for his support of the space shuttle return to flight and debris identifi- cation and mitigation efforts. Recent Aerospace work that has drawn praise is in the end-to-end risk assessment for ascent foam debris accomplished by John Brekke and Matthew Eby. Their work has been supported by a team of scientists, engineers, and technicians from several organizations within Aerospace. Randall Williams, Richard Welle, and Brian Hardy developed test techniques to provide NASA with novel, lower-cost test op- tions for combined environments and iceball testing. Mike Cavanaugh, Yontha Ath, and Jim Womack provided statistical options for use in the probabilistic risk techniques. John Murdock supported aerodynamic modeling techniques. Peter Pollock and Scott Peck developed material modeling techniques for the external tank foam.

Further Reading John Brekke and John Skratt, Space Launch Operations, with Jim Peters (right) of NASA’s debris integration S. R. Strom, “A Perfect Start to the Operation: group. The three are standing under the belly of the orbiter prior to inspection of its thermal protection system The Aerospace Corporation and Project Mer- at Kennedy Space Center. cury,” Crosslink, Vol. 2, No. 2 (Summer 2001). S. R. Strom, “A Stellar Rendezvous,” Crosslink, “Report of the Presidential Commission on the “NASA ­Quality Assurance Program Policy,” Vol. 4, No. 1, (Winter 2002–2003). Space Shuttle Challenger Accident,” Rogers Com- NPD 8730.5 (2005); “Safety and Mission As- mission Report, June 6, 1986 (www.nasa.gov). surance Audits, Reviews, and Assessments,” E. J. Tomei, “The Air Force Space Shuttle Pro- NPR 8705.6 (2005); “NASA Reliability and gram: A Brief History,” Crosslink, Vol. 4, No. 1 “Columbia Accident Investigation Board Final Maintainability Program Policy,” NPD 8720.1B (Winter 2002–2003). Report,” August 26, 2003 (www.nasa.gov). (2004); “Software Safety,” NASA-STD- M. Williamson, “Aiming for the Moon: The NASA Policies 8719.13 (2004); “Software Assurance Standard,” Engineering Challenge of Apollo,” The IEE En- “NASA Policy for Safety and Mission Suc- NASA-STD-8739.8 (2005); and “Management gineering Science and Education Journal, Vol. 11, cess,” NPD 8700.1C (2004); “NASA General of Government Quality Assurance Functions No. 5 (October 2002). Safety Program Requirements,” NPR 8715.3B for NASA Contracts,” NPR 8735.2A (2006). (2007); “Human-Rating Requirements for (All NASA policies published by NASA, Systems,” NPR 8705.2A (2005); Washington, D.C.)

Crosslink Fall 2007 • 37 Battery Testing and Assessment to Promote Mission Assurance

Aerospace expertise in diverse cell chemistries and technologies has helped resolve numerous issues with launch and space system batteries.

Valerie Ang, Boyd Carter, Warren Hwang, Margot Wasz, and Albert Zimmerman

atteries are used on all space and launch vehicles. Nickel Hydrogen These batteries consist of a number of cells, usually In the 1980s, the Air Force began its Nickel-Hydrogen connected in series, and sensors to monitor condi- Cell-Test Program, an extensive effort to life-test several new tionsB such as voltage and temperature. Space systems impose cell designs. Aerospace initiated the program concept and stringent requirements concerning mass, stability, reliability, provided the planning, technical oversight, analysis, and as- and performance that typically necessitate batteries that are sessments for the tests. Still active, the program has provided specifically designed for space applications. For example, long-term low-Earth-orbit life-test data for NiH2 cells, with requirements for high energy density favor cell chemistries variations in cell vendors, cell designs per vendor, tempera- with highly reactive electrochemical electrodes that can ture, depth of discharge, and storage. Results have shown provide tremendous electrical power on demand; however, how these variables affect battery life and have provided the these cells degrade over time, and their highly reactive, high- basis for mission life verification for several programs. The surface-area electrodes can participate in a number of side present testing is providing more extensive life data for spe- reactions and processes. Performance requirements, such as cific variables and is helping improve the fidelity of NiH2 life 20 years of service life and 50,000 charge/discharge cycles, performance models. stretch the capabilities of the cell technologies and designs. Early research and testing at Aerospace helped clarify the

Cells and batteries also need to meet high safety standards, cause of permanent loss of capacity in NiH2 batteries dur- remain stable through long storage periods, and withstand ing prelaunch storage. At that time, the batteries were made the stressful launch environment. Batteries for space applica- from cells that maintained an excess of hydrogen gas upon tions are specially designed and tested to meet these multiple complete discharge (a condition known as hydrogen pre- requirements. For space vehicles, nickel hydrogen (NiH2), charge). The capacity loss was caused by slow reactions of the nickel cadmium (NiCd), and lithium ion (Li-ion) are the hydrogen gas that predominate at low cell voltages. This un- technologies now in use or under consideration. For launch derstanding led to changes in cell designs, and all NiH2 cells vehicles, silver-oxide–zinc (AgZn) batteries have tradition- are now made with an excess of nickel rather than an excess ally been used, and Li-ion technology is being considered. of hydrogen upon complete discharge. This change has dra- Battery tests and test assessments at Aerospace have sup- matically reduced the number of batteries in space programs ported mission assurance by helping to define requirements exhibiting loss of capacity as a result of hydrogen precharge. and verify that selected batteries can meet them. These Still, the excess nickel in NiH2 can decrease with time, tests—at the battery, cell, and cell-component levels—have and cells originally made with nickel precharge can acquire involved multiple programs and suppliers and provided criti- a hydrogen precharge, with its associated capacity loss. cal information for both generic and specific battery types. Aerospace characterized the different voltage signatures for They have shown that large decreases in battery performance cells with the two types of precharge and used this informa- can often be traced to issues with cell components, such as tion to develop a simple, nondestructive test that is widely the positive electrode, the negative electrode, the separator used to monitor battery cells prior to launch. The test entails between the electrodes, and the electrolyte that transports completely discharging the battery at the launch site and charge during cell operation. monitoring the recovery of the open-circuit cell voltage. The ElectrolyteElectrolyte products products on ontop top of offill fill tube tube shows show thatthat there there is isa patha path from from void voidto exterior. to exterior. were also used to help Air Force Range Cross section shows void close to surface but did not capture exit path. (cross section shows void close to surface but did not capture exit path.) Safety develop guidelines for using com- mercial NiCd batteries on space and launch ­vehicles. Aerospace has also developed a unique destructive physical analysis to assess the condition of stored sample cells from a flight lot. The process entails disassembling the cells in oxygen-free conditions; the amount of active material in various oxida- tion states of the electrodes can then be electrochemically quantified. Results from this type of test have been used to help as- sess shelf-life extensions for space vehicle programs that use NiCd batteries. CrossCross section section of offill fill tube tube shows shows pathpath fromfrom void void to tocell cell interior. interior. In one test program, latent leaks were discovered in the fill tubes of NiCd cells. These flight units had been stored for several years and had passed periodic leak tests. Aerospace guided and closely co- ordinated the root cause investigations, which involved three programs and two prime contractors. X rays and destructive physical analyses of a large number of cells indicated that the leaks were caused by the propagation of cracks in the fill tube used to introduce electrolyte into the cell during manufacturing. The cracks were reaching large internal voids in the weld region and Latent leaks were discovered in the fill tubes of NiCd cells in flight batteries that had been stored for ­several connecting them to the outside. The voids years. X rays and destructive physical analyses revealed that the leaks were caused by the propagation of cracks were caused by electrolyte left in the fill in the fill tube. These cracks were ­reaching large internal voids in the weld region, caused by electrolyte left in the fill tubes prior to their pinch-off closure and weld. Based on these tests, Aerospace developed a way to tubes before their pinch-off closure and screen for potential cell leaks. weld. Based on these tests results, Aero- space helped develop an x-ray procedure for voltage signature indicates whether the cells from insufficient electrolyte. Aerospace screening cells for potential leaks; thanks to in the battery still have nickel precharge. developed a unique, nondestructive acoustic this procedure, all three programs were able to use the batteries successfully. The first NiH2 cells used in space were method to detect liquid levels at the bot- designed with separators made of asbestos, tom of NiH2 cells during ground testing. Silver-Oxide Zinc a material used in fuel cells. Aerospace tests, The method was used by a program that using a unique gas-sampling apparatus, had experienced a battery failure during The AgZn battery has been used in all detected chemical contamination from testing. The method showed that the failure launch vehicle programs since the 1950s be- the asbestos, which had been stored under was the result of improper test design and cause it is robust, energy dense, and capable uncontrolled conditions. This contamina- that modifications in thermal control would of providing high currents at a low system tion reduced usable capacity over time. avoid any problem in space. The method is weight. Its common failure modes, such as This finding helped to promote better cell now being used on internal tests of other internal shorting and electrolyte spewing, designs that used a separator made from programs. are well known and understood—as are the more unusual failure modes, such as the zirconium oxide, a material that does not Nickel Cadmium exhibit the contamination problem and that sensitivity of the cellophane separator to retains electrolyte more readily; this mate- A life-test program for NiCd batteries— sugar crystals or the relationship between rial is now used by all space vehicles that use similar to the Nickel-Hydrogen Cell-Test current capability and cell compression. Aerospace has captured many of these “les- NiH2. Program—was initiated and overseen by Liquid electrolyte in the central electro- Aerospace for design variations in NiCd sons learned” in technical reports and has also used them to develop a menu-driven lyte stack in NiH2 cells can condense on the technology. Assessments of results identi- colder cell walls during normal operation. In fied designs with sufficient performance life software program that can diagnose the ground tests, this liquid would collect at the and aided the selection of cells for several most likely causes of abnormal battery be- cell bottom, but in space, it would remain space-vehicle programs. In cases where the havior. Developed for NASA, this expert along the wall. If the electrolyte freezes on mission durations were short and program system has proven highly effective in re- the wall, or if the average condensation rate managers wanted to use commercial NiCd sponding to battery failures close to launch. away from the stack is greater than average cells, Aerospace tests were used to establish For example, a week before launch, a electrolyte return rate along the wall wick (a qualification and acceptance tests and to low capacity was found in a coupon cell (a structure designed to return liquid from the verify life capability. Results from inter- sample cell from the production lot) associ- wall to the stack), then the cell can ­suffer nal tests and assessments of external tests ated with the flight hardware. The expert

Crosslink Fall 2007 • 39 1.6 A nondestructive acoustic 1.4 method was developed to detect liquid levels at the

bottom of NiH2 cells during 1.2 ground testing. In one case, the method showed that the Voltage cause of an external test fail- 1.0 ure was improper test design and that modifications in thermal control would avoid 0.8 ltage (V) any problem in space. vo 0.6 Cell lume at cell bottom dome Volume 0.4

0.2 Liquid vo

0 Test time (hours)

Cell 1 Cell 2 Voltage

system was used to identify a likely cause: monitored through the umbilical connec- under conditions that enveloped worst- direct exposure to air after electrolyte was tion to the ground support equipment to case safety conditions was performed. The added to the battery cells. The contrac- detect problems prior to launch. In one tests were quickly designed and carried out tor then found that the coupon cells for a instance, unexpected voltage trends for a to assess worst-case discharge, overcharge, follow-on flight were being built without new battery design and new vehicle caused and temperature. The results, which dem- the necessary valves to prevent exposure concern from range safety about possible onstrated safety under worst-case condi- to air. Aerospace conducted a quick physi- leakage currents and paths caused by an tions, were presented to range personnel cal analysis of the low-capacity cells and unknown mechanism with unpredictable in time to avoid any launch schedule slip. produced evidence consistent with the consequences. Internal tests and analyses Those results, along with results from scenario. The flight batteries were ap- demonstrated that the phenomenon was other safety tests of performance limits, are proved for use once it was verified that the result of chemical phase realignment at providing an expanding database for mis- processing procedures would not permit the current collectors, caused by the con- sion assurance questions of this new space a similar mistake on the flight hardware, nection loads from other active electronic technology. and the mission was successfully flown on devices on the electrical bus. Because Conclusion ­schedule. these loads were so small—on the order Similarly, low performance of another of micro­amps—they were not simulated Battery tests and test assessments at Aero- battery being processed for flight was also during qualification testing. Using preci- space have supported mission assurance evaluated and found to be caused by a sion test equipment capable of applying for all space battery technologies used in current collector that was thinner than in loads in the nanoamp range, the connec- high-reliability space and launch vehicle previous builds of the same design. The tion loads were applied to a variety of test applications. Results have led to improve- current collector in these batteries was cells under different states of charge to ments in technologies, procedures, testing, a highly conductive grid used inside the reproduce the effect. Then, mission loads and reliability. In a number of cases, results electrode plates to reduce resistance and were simulated to demonstrate that cell have allowed the maintenance of schedule provide mechanical strength. The relation- performance was still acceptable. These re- in high-reliability programs. ship between the thickness of the grid sults provided confidence in the new flight Acknowledgment and conductivity was confirmed using a designs and reduced concerns about insuf- four-point probe, and the impact on volt- ficient remaining battery capacity. The support from space and launch vehicle pro- grams, Mission Oriented Investigation and Ex- age during discharge was found to be con- Lithium Ion sistent with the performance losses seen perimentation, and Independent Research and on the flight batteries. That mission also Safety of space Li-ion cells and batteries Development is very gratefully acknowledged. flew on time and without anomaly with is a concern that needs to be addressed for Further Reading batteries produced at the same time as mission assurance. The safety issues can the suspect hardware because Aerospace’s vary according to the design of the cell, L. Thaller and A. Zimmerman,Nickel-Hydrogen evaluation confirmed that the condition battery, and control electronics. When Life Cycle Testing (The Aerospace Press, El Se- was screenable by test. the lack of a safety demonstration caused gundo, CA, 2003). The open-circuit voltage of AgZn concern for one of the first U.S. missions batteries in launch vehicles is closely to use Li-ion batteries, testing of the cells 40 • Crosslink Fall 2007 The Space Quality Improvement Council The national security space community has embraced cooperation and collective action as the best way to meet the mission assurance challenges faced by all.

Gary Schipper

n the late 1990s, a rash of satellite and launch vehicle anomalies severely curtailed national space system ca- pabilities. A concerned Congress and Department of “Nobody wants to see a Defense initiated a Broad Area Review of the U.S. space Iindustry, which found that shortfalls in contractor engi- national asset go up with a neering and quality practices, along with U.S. Government emphasis on cost and schedule over mission success, were known problem, whether a largely responsible for the loss of critical space assets. As part of a comprehensive effort to get the industry back on track, competitor’s or our own. It’s a Aerospace began investigating ways to put into practice a renewed emphasis on mission success. One key element that needed to be addressed was reluctance and, in many cases, small community, and it hurts inability within the contractor community to share informa- tion, discuss common concerns, and work together to resolve us all when a failure occurs.” industry-wide difficulties. Also lacking was a way for con- — 2002 SQIC quality sensus perspectives and recommendations of the contractor community to reach national security space leadership. assurance study As an objective third party, Aerospace was in a unique position to orchestrate such a dialog and forum for action among the contractors themselves and between the contrac- Charter and Composition tors and key government personnel. To that end, Aerospace established the Space Quality Improvement Council (SQIC) SQIC membership is composed of The Aerospace Corpora- in 2001, an industry forum dedicated to identifying and tion and executive-level mission assurance and engineer- collaboratively solving systemic problems across the design, ing leadership from ATK, Ball Aerospace & Technologies development, deployment, operation, and acquisition of na- Corp., Boeing, General Dynamics, ITT, Lockheed Martin, tional space systems. The contractor community was quick to Northrop Grumman, Orbital Sciences Corp., Pratt & Whit- embrace the idea, understanding that a failure for anyone is ney, Raytheon, Space Systems/Loral, and United Launch a problem for everyone, affecting the technical decisions, risk Alliance. The SQIC is cosponsored by Lt. Gen. Michael A. profiles, scheduling, and cost structure of every other pro- Hamel, Commander, Space and Missile Systems Center, gram in development. Moreover, by speaking with a unified USAF Space Command; Lt. Gen. Henry A. “Trey” Ober- voice, contractors would be better positioned to make policy ing III, Director, Missile Defense Agency; Maj. Gen. James recommendations that would improve the business environ- B. Armor Jr., Director, National Security Space Office; Brig. ment while serving the broader interests of national security. Gen. Edward L. Bolton Jr., Deputy Director, Systems Inte- The SQIC provides a unique and effective means for con- gration and Engineering, National Reconnaissance Office; tractor cooperation and contractor-customer communication and Bryan D. O’Connor, Chief Safety and Mission As- and action. surance Officer, NASA. As the sole FFRDC on the roster, of counterfeit parts; and the definition of uniform subcontractor requirements and as- sessment criteria. These are not small under- takings nor candidates for easy resolution, yet all significantly relate to the health and continuous improvement of mission assur- ance across national space programs. One of the more significant initiatives of the SQIC has been the creation of the National Security Space Advisory Forum (NSSAF). In 2003, a SQIC study investi- gated the use of lessons-learned repositories, shared failure data and anomaly resources, and the use of such data sources in conjunc- tion with system engineering and anomaly investigation processes within the contrac- tor community. This study revealed a clear need for an early warning anomaly and alert system for problems affecting spacecraft, A Space Quality Improvement Council meeting held in June, 2007, at The Aerospace Corporation in El Se- payload, launch, and ground systems at the gundo, California. The group of aerospace industry leaders is dedicated to identifying and collaboratively solv- ing issues faced by a variety of stakeholders in the national security space community. part, material, and system levels. Existing industry-wide problem-alert resources were not supporting the specialized nature, pro- Aerospace serves as a member, impartial discussion of areas where the contractors prietary controls, and timeliness required host, and intermediary for the government believe that government acquisition and to identify and remedy potentially systemic and contractors. management practices may be complicit in problems early in a space system’s develop- The SQIC operates as a nonattributive the issues and problems being addressed. It ment cycle, resulting in costly late-term body, where perspectives and recommenda- has proven extremely valuable—ultimately fixes or irrecoverable on-orbit anomalies. tions for improvement are carried forward essential—for SQIC discussions to include The SQIC created and implemented the to the cosponsors as representing the indus- direct and informed critique of the govern- NSSAF by means of a secure, Web-based try consensus, and initiatives of the SQIC ment’s role alongside the contractors’ own resource specifically developed for shar- are executed cooperatively by all. Though challenges. This enables the group to resolve ing critical space-system anomaly data and competitors for government contracts, action plans and implement initiatives to problem alerts. It was designed to comple- SQIC members have recognized that rais- address mission assurance and program ex- ment and augment the Government-Indus- ing the caliber of national space programs ecutability shortfalls head-on. try Data Exchange Program (GIDEP), a through cooperation benefits the industry Major Initiatives general program for the exchange of techni- as a whole. And this collective drive toward cal information and data (particularly failure risk reduction and elevated mission assur- While the meetings provide a focal point for data and corrective actions) between diverse ance has been recognized by the SQIC’s the SQIC, the most significant work contin- government agencies and participating con- cosponsors, who regard the council as an ues year-round. Some of the key initiatives tractors. The NSSAF allows space industry efficient, institutionalized, trusted means for that the SQIC has undertaken include the contractors to share information about parts bringing industry contributions directly into prioritization of specifications and standards problems, test results, failure investigations, their program and acquisition decisions. for reimplementation as compliance docu- system and subsystem anomalies, and les- SQIC members meet approximately ments on national security space programs; sons learned in a controlled environment. twice per year, with additional subgroup and creation of a mission assurance best practices It became fully operational in September special-topic technical meetings as needed. symposium; comparative analysis of quality 2005 and is in use by all SQIC member These biannual meetings proceed in two assurance approaches; creation of the Sup- organizations. In its first four months, it parts. The morning begins with a closed plier Quality Initiative to address quality proved instrumental in facilitating the se- session for contractors only. This is followed and subcontract management shortfalls in cure exchange of highly technical failure in the afternoon by the sponsor forum, in the space system supply chain; drafting of a data associated with a critical space system which consensus perspectives and recom- memorandum of understanding for critical part, enabling an immediate, coordinated, mendations from the morning’s session are data-sharing during anomaly-investigation and successful risk assessment before the presented to the SQIC cosponsors without lockdowns; dissemination of critical tech- imminent launch of a national space asset. attribution, and action plans are discussed nology industrial-base reports identifying Aerospace directs and administers the NS- and formalized. This two-part format allows root causes and improvement opportunities SAF and helps the contractor community open discussion of problems and lessons to ensure the viability of the domestic space investigate and resolve technical and opera- learned among the contractors, including supply chain; examination of technology tional anomalies as they are identified. highly informative failure reviews and pro- transition alternatives for critical space tech- prietary information that may be germane nologies; studies of workforce and resource Cooperation and Community to resolving problems but inappropriate to limitations; coordinated vetting of new and The SQIC has also become a valuable point disclose out of program context to govern- updated specifications and standards slated of origin for collaborative technical inves- ment customers. Additionally, it allows open for government implementation; a study tigations involving systemic anomalies that

42 • Crosslink Fall 2007 A Savvy Consumer: Educating the Acquisition Community

The term “smarter buyer” has entered the lexicon of the government strategic and financial targets may impede mission assurance activities space workforce, thanks in part to Aerospace’s popular Smarter Buyer because it limits contingency responses when risks are realized. course, which has been given more than 40 times to more than 1200 The success of the first Smarter Buyer course, focused on industry per- government program managers and their staff since 2004. The one-day spectives, spawned the concept for a series of related courses for gov- class is designed to help participants perform four specific functions: ernment acquisition personnel. For example, the Smarter Buyer 2 class 1. Define what the government is buying, along with appropriate will focus on program executability. In particular, it will examine ways value trades. to establish program performance expectations that support both the acquisition baseline and the need to ensure mission success. It will em- 2. Set and manage the acceptable level of program risk to ensure phasize the importance of program executability assessment points—a mission success through program executability. fundamental principle that considers mission assurance as a set of activi- 3. Accept accountability for the work of contractors and their suppliers ties and assessments that are applied across the life cycle of a program, and ensure that contractors use validated processes that produce not just during the prelaunch verification. predictable results. Other Smarter Buyer courses are on the drawing board. Smarter 4. Assess contractor performance and provide proper incentives. Buyer 3, focusing on mission assurance, is planned for 2008. This one- Smarter Buyer provides insight into what motivates a contractor to work day course will explain how to organize the government team, levy con- in the space business and investigates ways to create mutually beneficial tractor work, and integrate results to prioritize mission success throughout plans for success. For example, although government and industry part- the program life cycle. Smarter Buyer 4, on software-intensive systems, is ner to ensure mission success, industry has the added goal of making also planned for release next year. the best use of resources to maximize corporate earnings and share- The educational design team is also considering a course on parts, holder value. At times, this need for financial performance conflicts with materials, and processes along with a Smarter Seller course to round the need to ensure mission success. This is the case, for instance, when out the curriculum. contractors “bid to win.” This contract capture strategy takes a very lean —Al Hoheb, Principal Engineer approach to staffing and accomplishing tasks and relies on a success- oriented approach without much risk reserve. Bidding to win to preserve

may affect multiple programs, contractors, been, in the past, little cross-fertilization of spinoffs. The first, the National Space and customers. The trusted relationships best practices or any effort to derive an op- Supplier Council, was established by among SQIC members have proven an timal and uniform acquisition model. And the National Security Space Office to invaluable element in the rapid, targeted ex- while the SQIC is neither resourced nor approach industrial base issues with change of failure and anomaly data critical chartered to realize this grand goal, bring- third- and fourth-tier suppliers. The sec- to the investigation and resolution of root ing the largely common contractor body ond, the SQIC Science and Technology cause and potential impacts. Some recent together with the different customers has Sub-Council, was created to improve tech- investigations have been pursued via the made it easier to address global shortfalls nology transition processes and funding SQIC body as a whole, while others simply in acquisition practice and policy and has unique to national space system develop- exploit the executive-level relationships and elevated awareness in the benefits of uni- ment and acquisition. expert communities represented among the form processes. Nothing has demonstrated Conclusion SQIC membership: launch vehicles and this better than the reimplementation of propulsion systems, satellites and interplan- specifications and standards to the acquisi- The SQIC has continued to grow in rele- etary vehicles, ground and communication tion baseline. Having a common set—or vance, effectiveness, participation, and rec- systems, and payloads and hardware for re- at least a common core set—of specifica- ognition, even though no SQIC meeting, mote sensing, navigation, meteorology, and tions and standards between customers can issue, or initiative is ever centered around space-based communications. lead to tremendous cost savings through success or a job well done. The premise of This was a key objective of the SQIC repeatability of design and development pro- the SQIC has been that, given the right from the outset: to strengthen the trust cesses at contractors. And this, in turn, raises implementation, participants, and objec- and cooperative spirit among the national confidence in those processes because they tives—along with the honest willingness to space contractor community. Another goal don’t have to be reexamined and reinvented share shortfalls and contribute best prac- was to harmonize the objectives, practices, for each customer and program. Steps taken tices—a larger objective of sustaining and and acquisition policies of space system via the SQIC to prioritize uniform compli- furthering the mission assurance priorities customers, principally the Air Force Space ance specifications and standards for all space of national space systems can be achieved, and Missile Systems Center, National systems and customers has set a valuable and even if it means the sharp examination of Reconnaissance Office, Missile Defense successful example for broader multiagency what’s wrong, what can be improved, and Agency, and NASA. While each has its space acquisition practices. what can be accomplished together to re- own processes for ensuring the success of In the past year, the scope of the SQIC cover from past problems and share lessons acquired and deployed systems, there has has broadened still further through two that need to be learned.

Crosslink Fall 2007 • 43 Research Horizons Independent R&D at Aerospace

Miniature Space-Weather Instrumentation

Space-weather situational awareness is hampered by a lack of en- a smaller detector, reducing the size of the dosimeter package even vironmental sensors that could be used by operators and analysts further. to assess mission hazards and improve future spacecraft designs. As the research continues, Crain plans to test the enhanced Environmental monitors are not routinely flown on all spacecraft ­reduced-size dosimeter devices, including radiation tests at LBL, because of the significant costs and resources associated with their and develop a high-reliability fabrication process for dosimeter integration. When anomalies occur on a spacecraft without envi- devices. The dosimeter will be upgraded to improve its commercial ronmental monitors, the anomalies can only be diagnosed using viability and work will continue on developing a licensing plan for environmental data from nearby spacecraft. This can give erroneous it. A dosimeter will be integrated on the NASA Lunar Reconnais- results because of the highly localized environmental input and dif- sance Orbiter, which is scheduled to launch in 2008. ferences in spacecraft design. Crain, Mabry, and Jim Roeder of the Space Sciences Depart- To improve situational awareness and anomaly diagnosis, there ment have also been working on the ESD monitor. The monitor is is a need for small, cost-effective, and commercially viable devices based on the SC1-8B transient pulse shape analyzer, which was de- to serve as standard housekeeping monitors on all spacecraft. Wil- veloped at Aerospace and first flown on the Spacecraft Charging at liam Crain of the Space Instrumentation Department, along with High Altitude (SCATHA) mission in 1979. This mission provided Dan Mabry, Bern Blake, and Norman Katz, is working on two such a fertile proving ground for the measurement technique, detection instruments: a compact radiation dosimeter and an electrostatic dis- ranges, antenna selection, and software processing algorithms to be charge (ESD) monitor. implemented in the ESD monitor. The SCATHA experience also Aerospace has developed several energetic particle sensors that demonstrated Aerospace’s ability to detect and identify discharge have flown on Air Force, National Reconnaissance Office, NASA, events throughout the spacecraft, and to discriminate environmen- and commercial satellites, but no radiation dosimeters have been tally induced events from those caused by operations (e.g., relay made small enough to enable their placement directly on critical switching, thruster firing). The SCATHA mission also revealed that subsystems. “At present,” Crain explained, “the radiation dose at one the transient signature of an ESD event contains vital information location on a spacecraft can only be inferred from the dosimeter in- to determine whether the discharge was operationally induced, strument placed at another location.” Also, no ESD monitors have caused by the environment, or the result of hostile action. been developed with the ability to record a transient waveform, The ESD monitor Crain and Mabry are developing will be small which is critical to determining the discharge source. and lightweight and will interface with standard spacecraft house- Crain’s team successfully addressed the first problem by develop- keeping systems. A central element of the device will be an ASIC ing a small dosimeter that directly measures the radiation dose in chip containing an analog transient recorder and readout system. a package about the size of a coin. “The new miniature dosimeter Research is under way to determine the best way to display ESD is small enough to be placed anywhere on a spacecraft, inside a transients on a ground system terminal in a form operators can use payload, or on a circuit board,” Crain said. “Because its detection el- for mission risk assessment. Further study will be aimed at deter- ement is a silicon test mass, the absorbed dose measured by the de- mining the sufficient data set needed from an ESD event to im- vice portrays an accurate prediction of the dose being absorbed by prove anomaly analysis and enhance environmental specifications. other neighboring payload microelectronics.” When the dosimeter Both the dosimeter and the ESD monitor will provide operators was tested at the 88-inch cyclotron at Lawrence Berkeley Labora- with a visual warning of hazardous environments, data for anomaly tory (LBL) at UC Berkeley, it was found to be in good agreement diagnosis, improved environmental specifications, and the ability to with two laboratory control dosimeters. distinguish environmental phenomena from hostile action. Two patents were granted to Crain and his team this year, one for the dosimeter device and another for a dosimeter system that profiles the wide area total radiation dose distributed throughout a given spacecraft. A novel method to increase the accuracy of the radiation dose measurement in the presence of low-energy elec- trons, which can dominate the dose in some orbits and locations on spacecraft, was conceived by Norm Katz of the Space Instru- mentation Department. The system integrates detector charge prior to threshold detection and adds the result to the post-threshold charge. “This eliminates the error associated with detection and in- tegration of radiation pulses whose amplitudes are near the energy threshold of the detector,” Crain said. Work continues on the next version of the dosimeter, which will use a new application-specific integrated circuit (ASIC) that includes the improved integrator, logarithmic output range to compress the dose readout, and a threshold compensation circuit Dan Mabry uses a miniature dosimeter to record the total radiation dose absorbed to improve the dose efficiency at low particle energies. It will also by the silicon detector over the life of a spacecraft mission. The dose is read over be designed for single event upset tolerance. The dosimeter will use standard spacecraft analog housekeeping interfaces similar to simple tempera- ture readouts.

44 • Crosslink Fall 2007 Bookmarks Recent Publications, Papers, and Patents by the Technical Staff

Publications and Papers

R. L. Bishop and P. R. Straus, “Characterizing Ionospheric Variations Journal of Spacecraft and Rockets, Vol. 43, No. 6, pp. 1404–1411 (Nov./ in the Vicinity of Hurricanes and Typhoons Using GPS Occulta- Dec. 2006). tion Measurements,” AGU Fall Meeting (San Francisco, Dec. 11–15, L. J. Gelinas, J. H. Hecht, R. G. Roble, and R. L. Walterscheid, “A Sea- 2006); EOS Transactions, American Geophysical Union, Vol. 87, No. sonal Study of Mesospheric Temperatures and Emission Intensities 52, Suppl. (Dec. 26, 2006), Report No. SA33B-0276. at Adelaide and Alice Springs,” AGU Fall Meeting (San Francisco, B. B. Brady, “Transient Fluid Flow in Short-Pulse Operation of Bipro- Dec. 11–15, 2006); EOS Transactions, American Geophysical Union, pellant Thrusters,”Journal of Propulsion and Power, Vol. 23, No. 2, pp. Vol. 87, No. 52, Suppl. (Dec. 26, 2006), Report No. SA21A-0221. 398–403 (Mar./Apr. 2007). J. George, R. Koga, G. Swift, G. Allen, C. Carmichael, and C. W. Tseng, J. C. Camparo, “Lamp Stabilization Using Ion Waves: Smart-Clock “Single Event Upsets in Xilinx Virtex-4 FPGA,” 2006 IEEE Radia- Technology to Eliminate Light-Shift Variations,” Proceedings of the tion Effects Data Workshop, p. 6 (Ponte Vedra, FL, July 17–21, 2006). 2006 IEEE International Frequency Control Symposium and Exposi- M. M. Gorlick, G. S. Peng, S. D. Gasster, and M. D. McAtee, “Flow tion, p. 5 (Miami, FL, June 4–7, 2006). Webs: Mechanism and Architecture for the Implementation of Sen- J. C. Camparo and R. Mackay, “Spectral Mode Changes in an Alkali RF sor Webs,” AGU Fall Meeting (San Francisco, Dec. 11–15, 2006); Discharge,” Journal of Applied Physics, Vol. 101, No. 5, pp. 53303.1– EOS Transactions, American Geophysical Union, Vol. 87, No. 52, Suppl. 53303.6 (Mar. 1, 2007). (Dec. 26, 2006), Report No. IN23A-1216. M. W. Chen, C. Wang, M. Schulz, and L. R. Lyons, “ Influ- T. D. Hain and T. J. Curtiss, “Experimental Validation of Formaldehyde ence on MLT Dependence of Plasmasheet Conditions and Implica- Rotational State Selection,” Chemical Physics Letters, Vol. 441, No. tions for Ring Current Modeling,” AGU Fall Meeting (San Francisco, 1–3, pp. 25–28 ( June 13, 2007). Dec. 11–15, 2006); EOS Transactions, American Geophysical Union, J. S. Halpine, S. H. Liu, E. J. Simburger, H. Yoo, D. Hinkley, and D. Vol. 87, No. 52, Suppl. (Dec. 26, 2006), Report No. SM33D-05. Rumsey, “Pico-Satellite Solar Cell Testbed Qualification Testing,” T. K. Cheung, B. A. Blake, and T. T. Lam, “Heating of Finite Slabs Sub- Conference Record of the 2006 IEEE 4th World Conference on Photovol- jected to Laser Pulse Irradiation and Convective Cooling,” Journal of taic Energy Conversion, p. 4 (Waikoloa, HI, May 7–12, 2006). Thermophysics and Heat Transfer, Vol. 21, No. 2, pp. 323–329 (Apr.– P. Hantos, “Defense Acquisition Performance Assessment—The Life- June 2007). Cycle Perspective of Selected Recommendations,” CrossTalk, Vol. 20, J. H. Clemmons, D. R. Salem, R. L. Bishop, and A. B. Christensen, No. 5, pp. 25–29 (May 2007). “Measurements in the : First Results from the Ion- J. H. Hecht, R. J. Rudy, R. L. Walterscheid, A. Z. Liu, S. J. Franke, P. ization Gauge on the Streak Mission,” AGU Fall Meeting (San Pautet, and M. J. Taylor, “Characteristics of Short-Period Wavelike Francisco, Dec. 11–15, 2006); EOS Transactions, American Geo- Features near 90 km Altitude from Airglow and Lidar Observations physical Union, Vol. 87, No. 52, Suppl. (Dec. 26, 2006), Report No. over Maui,” AGU Fall Meeting (San Francisco, Dec. 11–15, 2006); SA11A-06. EOS Transactions, American Geophysical Union, Vol. 87, No. 52, J. A. Conway, S. Sahni, and T. Szkopek, “Plasmonic Interconnects versus Suppl. (Dec. 26, 2006), Report No. SA21A-0233. Conventional Interconnects: A Comparison of Latency, Cross-Talk, M. Hecht, K. Owens, and J. Tagami, “Reliability-Related Requirements and Energy Costs,” Optics Express, Vol. 15, No. 8, pp. 4474–4484 in Software-Intensive Systems,” 2007 Annual Reliability and Main- (Apr. 16, 2007). tainability Symposium, p. 6 (Orlando, FL, Jan. 22–25, 2007). J. D. Desain, L. Valachovic, L. E. Jusinski, and C. A. Taatjes, “Reaction J. K. Holmes, Spread Spectrum Systems for GNSS and Wireless Commu- of Chlorine Atom with Trichlorosilane from 296 to 473 K,” Journal nications, GNSS Technology, and Applications Series (Artech House, of Chemical Physics, Vol. 125, No. 22, pp. 224308.1–224308.8 (Dec. Boston and London, 2007). 14, 2006). J. K. Holmes, N. Morgan, and P. Dafesh, “A Theoretical Approach to K. D. Diamant, B. L. Zeigler, and R. B. Cohen, “Microwave Electro- Determining the 95% Probability of TTFF for the P(Y) Code thermal Thruster Performance,”Journal of Propulsion and Power, Vol. Utilizing Active Code Acquisition,” 24th AIAA International Com- 23, No. 1, pp. 27–34 ( Jan./Feb. 2007). munications Satellite Systems Conference and 4th Annual International K. W. Dotson and B. H. Sako, “Interaction between Solid Rocket Mo- Satellite and Communications Conference and Expo (San Diego, June tor Internal Flow and Structure During Flight,” Journal of Propulsion 11–14, 2006), AIAA Paper 2006-5321. and Power, Vol. 23, No. 1, pp. 140–145 ( Jan./Feb. 2007). M. Huang, J. G. Coffer, and J. C. Camparo, “Rb87 Hyperfine-Transition J. F. Fennell, J. L. Roeder, and R. H. Friedel, “Stormtime Electron PSD Dephasing in Mixed Buffer-Gas Systems,”Physical Review A: Radial Profiles for Small and Large K Values: SCATHA Observa- Atomic, Molecular, and Optical Physics, Vol. 75, No. 5, p. 052717 (May tions,” AGU Fall Meeting (San Francisco, Dec. 11–15, 2006); EOS 24, 2007). Transactions, American Geophysical Union, Vol. 87, No. 52, Suppl. A. B. Jenkin and R. A. Gick, “Collision Risk Posed to the Global Posi- (Dec. 26, 2006), Report No. SM41C-05. tioning System by Disposed Upper Stages,” Journal of Spacecraft and M. P. Ferringer, R. S. Clifton, and T. G. Thompson, “Efficient and Ac- Rockets, Vol. 43, No. 6, pp. 1412–1418 (Nov./Dec. 2006). curate Evolutionary Multi-Objective Optimization Paradigms for J. A. Kechichian and M. E. Sorge, “The Efficient Analytic Computation Satellite Constellation Design,” Journal of Spacecraft and Rockets, Vol. of Fractional Reentering Debris from an Idealized Isotropic Explo- 44, No. 3, pp. 682–691 (May/June 2007). sion in General Elliptic Orbit,” Spaceflight Mechanics 2006, Vol. 2, pp. M. P. Ferringer and D. B. Spencer, “Satellite Constellation Design 2161–2182 (Tampa, FL, Jan. 22–26, 2006). Tradeoffs Using Multiple-Objective Evolutionary Computation,”

Crosslink Fall 2007 • 45 Bookmarks (continued)

S. Kenderian, R. E. Green Jr., and B. B. Djordjevic, “Ultrasonic Moni- D. E. Pansatiankul and V. S. Lin, “End-to-End Communication Sys- toring of Dislocations during Fatigue of Pearlitic Steel,” Materials tems Modeling Using Hardware-Accelerated Simulation Tool,” Evaluation, Vol. 65, No. 5, pp. 467–471 (May 2007). MILCOM 2006, p. 6 (Washington, DC, Oct. 23–25, 2006). H. I. Kim and J. R. Lince, “Direct Visualization of Sliding-Induced Tri- R. P. Patera, “Collision Probability for Larger Bodies Having Nonlinear bofilm on Au/MoS2 Nanocomposite Coatings by c-AFM,” Tribol- Relative Motion,” Journal of Guidance, Control, and Dynamics, Vol. ogy Letters, Vol. 26, No. 1, pp. 61–65 (Apr. 2007). 29, No. 6, pp. 1468–1472 (Nov./Dec. 2006). R. Koga, J. George, P. Yu, S. Grain, M. Zakrzewski, and K. Crawford, R. P. Patera, “Space Vehicle Conflict-Avoidance Analysis,”Journal of “Single Event Effects Sensitivity of the Q Series Advanced CMOS Guidance, Control, and Dynamics, Vol. 30, No. 2, pp. 492–498 (Mar./ Technology,” 2006 IEEE Radiation Effects Data Workshop, p. 6 Apr. 2007). (Ponte Vedra, FL, July 17–21, 2006). L. A. Peterson, T. K. Cheung, T. T. Lam, and B. A. Blake, “Exponential C. Lemon, M. Chen, T. P. O’Brien, F. Toffoletto, S. Sazykin, R. Wolf, Heating of Two-Dimensional Slabs,” Collection of Technical Papers: and V. Kumar, “The Evolution of the Storm-Time Ring Current in 45th AIAA Aerospace Sciences Meeting, Vol. 4, pp. 2316–2332 (2007). Response to Different Characteristics of the Plasma Source,”AGU R. G. Pettit and H. Gomaa, “Analyzing Behavior of Concurrent Soft- Fall Meeting (San Francisco, Dec. 11–15, 2006); EOS Transactions, ware Designs for Embedded Systems,”10th IEEE International American Geophysical Union, Vol. 87, No. 52, Suppl. (Dec. 26, 2006), Symposium on Object and Component-Oriented Real-Time Distributed Report No. SM14B-02. Computing, p. 9 (Santorini, Greece, May 7–9, 2007) S. H. Liu, J. E. Granata, J. C. Nocerino, J. S. Halpine, and E. J. Sim- G. Radhakrishnan, P. M. Adams, and L. S. Bernstein, “Probing the burger, “Thin-Film Photovoltaic Radiation Testing for Space Ap- Chemical Role of Ambient O2 in the Formation of Carbon Nano- plications,” Conference Record of the 2006 IEEE 4th World Conference tubes via Excimer Laser Ablation,” Proceedings of SPIE: Photon on Photovoltaic Energy Conversion, p. 3 (Waikoloa, HI, May 7–12, Processing in Microelectronics and Photonics VI Conference, Vol. 6458, p. 2006). 64581I (2007). S. H. Liu, J. S. Halpine, D. Hinkley, J. R. Srour, and D. Rumsey, “Pico G. Radhakrishnan, P. M. Adams, and F. D. Ross, “Plume Diagnostics Satellite Solar Cell Testbed (PSSC Testbed),” Conference Record of the and Room-Temperature Deposition of Carbon Nanotubes and 2006 IEEE 4th World Conference on Photovoltaic Energy Conversion, Nano-Onions at 248 nm,” Journal of Physics, Vol. 59, No. 1, pp. p. 3 (Waikoloa, HI, May 7–12, 2006). 424–427 (2007). M. D. Looper, J. B. Blake, and T. L. Mulligan, “A Search for Energetic- J. L. Roeder, J. F. Fennell, T. L. Mulligan, and A. Korth, “Field-Aligned Electron Precursors to SEP Ions in SAMPEX Observations,” AGU Energetic Electrons during the Storm of July 24, 2004: Cluster Fall Meeting (San Francisco, Dec. 11–15, 2006); EOS Transactions, RAPID Observations,” AGU Fall Meeting (San Francisco, Dec. American Geophysical Union, Vol. 87, No. 52, Suppl. (Dec. 26, 2006), 11–15, 2006); EOS Transactions, American Geophysical Union, Vol. 87, Report No. SH42A-06. No. 52, Suppl. (Dec. 26, 2006), Report No. SM53B-04. D. C. Marvin, “Final Flight Data Report from ASCOT,” Conference P. R. Rousseau, P. H. Pathak, and H.-T. Chou, “A Time Domain For- Record of the 2006 IEEE 4th World Conference on Photovoltaic Energy mulation of the Uniform Geometrical Theory of Diffraction for Conversion, p. 4 (Waikoloa, HI, May 7–12, 2006). Scattering from a Smooth Convex Surface,” IEEE Transactions on J. E. Mazur, G. M. Mason, M. I. Desai, J. R. Dwyer, J. Giacalone, J. R. Antennas and Propagation, Vol. 55, No. 6 I, pp. 1522–1534 ( June Jokipii, and E. C. Stone, “The Structure of the Interplanetary Mag- 2007). netic Field as Revealed by Solar Flare Particles,” AGU Fall Meeting R. S. Selesnick and S. G. Kanekal, “Variability of the Outer Radiation (San Francisco, Dec. 11–15, 2006); EOS Transactions, American Geo- Belt Electron Content,” AGU Fall Meeting (San Francisco, Dec. physical Union, Vol. 87, No. 52, Suppl. (Dec. 26, 2006), Report No. 11–15, 2006); EOS Transactions, American Geophysical Union, Vol. 87, SH11B-07. No. 52, Suppl. (Dec. 26, 2006), Report No. SM43B-1499. T. L. Mulligan, J. B. Blake, H. E. Spence, A. P. Jordan, J. J. Quenby, and Y. Sin, B. Foran, N. Presser, M. Mason, and S. C. Moss, “Reliability and D. Shaul, “Transient IP Structures Associated with Short-Period Failure Mode Investigation of High-Power Multimode InGaAs Variations in the Solar Energetic Particle and Galactic Cosmic Ray Strained Quantum Well Single Emitters,” Proceedings of SPIE: High- Flux,” AGU Fall Meeting (San Francisco, Dec. 11–15, 2006); EOS Power Diode Laser Technology and Applications V Conference, Vol. Transactions, American Geophysical Union, Vol. 87, No. 52, Suppl. 6456, pp. 645605.1–645605.13 (2007). (Dec. 26, 2006), Report No. SH54A-06. D. Speckman, D. C. Marvin, J. Matossian, N. Ianno, and W. Stuckey, T. L. Mulligan, B. V. Jackson, and M. Tokumaru, “3-D Magnetic Field “Atomic Oxygen Testing of MgF2 Coatings,” Conference Record of the Geometry of the October 28, 2003 ICME: Comparison with SMEI 2006 IEEE 4th World Conference on Photovoltaic Energy Conversion, White-Light Observations,” AGU Fall Meeting (San Francisco, Dec. p. 4 (Waikoloa, HI, May 7–12, 2006). 11–15, 2006); EOS Transactions, American Geophysical Union, Vol. 87, No. 52, Suppl. (Dec. 26, 2006), Report No. SH33A-0397. J. R. Srour and J. W. Palko, “A Framework for Understanding Displace- ment Damage Mechanisms in Irradiated Silicon Devices,” IEEE M. J. O’Brien, H. F. Von Bremen, M. Furukawa, Z. Horita, and T. G. Transactions on Nuclear Science, Vol. 53, No. 6, pp. 3610–3620 (Dec. Langdon, “A Finite Element Analysis of the Superplastic Forming 2006). of an Aluminum Alloy Processed by ECAP,” Materials Science and Engineering A, Vol. 456, No. 1–2, pp. 236–242 (May 15, 2007). J. Stillman, J. Judy, and H. Helvajian, “Processing Parameters for the Development of Glass/Ceramic MEMS,” Proceedings of SPIE: T. P. O’Brien, “Capturing the Variable Outer-Zone Relativistic Elec- Micromachining­ Technology for Micro-Optics and Nano-Optics V and trons for Spacecraft Designers,” AGU Fall Meeting (San Francisco, Microfabrication Process Technology XII, Vol. 6462, p. 64620A (2007). Dec. 11–15, 2006); EOS Transactions, American Geophysical Union, Vol. 87, No. 52, Suppl. (Dec. 26, 2006), Report No. SM42A-05.

46 • Crosslink Fall 2007 P. R. Straus, “Ionospheric Climatology Derived from GPS Occultation R. B. Kaner, J. Huang, B. H. Weiller, and S. Virji, “Synthetic Method Observations Made by the Ionospheric Occultation Experiment,” for Conducting Polymer Nanofibers,” U.S. Patent No. 7,144,949, Advances in Space Research, Vol. 39, No. 5, pp. 793–802 (2007). Dec. 2006; “Conducting Polymer Nanofiber Sensors,” U.S. Pat- P. R. Straus, R. Bishop, and G. Crowley, “Measurements of the E- and ent No. 7,226,530, June 2007. F-Region Post-Sunset Ionosphere,” AGU Fall Meeting (San Fran- Conducting polymers can be used in chemical sensors based on cisco, Dec. 11–15, 2006); EOS Transactions, American Geophysical changes in optical, electrochemical, or conductive properties. The Union, Vol. 87, No. 52, Suppl. (Dec. 26, 2006), Report No. SA33B- small diameters of conducting polymer nanofibers result in high 0275. surface areas and faster diffusion rates of gas molecules into the G. C. Valley, “Photonic Analog-to-Digital Converters,” Optics Express, nanofiber material as compared with standard thin-film coatings. Vol. 15, No. 5, pp. 1955–1982 (Mar. 5, 2007). No practical nanostructured conducting polymer sensors have G. C. Valley, G. A. Sefler, C. Chou, and B. Jalali, “Continuous Time Re- been available because of the lack of reliable synthesis methods alization of Time-Stretch ADC,” 2006 International Topical Meeting for high-quality materials in bulk quantities. This invention uses on Microwave Photonics, pp. 271–273 (Grenoble, France, Oct. 3–6, a simple aqueous and organic interfacial polymerization method 2006). for producing conducting polymer nanofibers based on chemical F. J. Villegas, “Parallel Genetic-Algorithm Optimization of Shaped oxidative polymerization of organic monomers in a two-phase Beam Coverage Areas Using Planar 2-D Phased Arrays,” IEEE solvent system. This template-free process is a practical way to Transactions on Antennas and Propagation, Vol. 55, No. 6 II, pp. produce large quantities of purified nanofibers with narrow size 1745–1753 ( June 2007). distributions of diameters less than 500 nm. The diameter of the nanofibers can also be controlled by choice of synthesis condi- J. W. Welch, “Comparison of Recent Satellite Flight Temperatures tions. Aqueous dispersions of the nanofibers can be used to drop with Thermal Model Predictions,”International Conference on Environmental Systems: Spacecraft Thermal Design and Technology cast nanofiber films on planar interdigitated electrodes to form (Norfolk,VA, July 2006), SAE Document 2006-01-2278. chemical sensors. The resulting sensors have superior perfor- mance in both sensitivity and time response to a variety of gases. R. P. Welle, C. Chrystal, and B. S. Hardy, “Standoff Pressures and Ther- mal Characterization of the Peltier-Actuated Microvalve,” 25th R. Kumar and T. M. Nguyen, “Polyphase Channelization System,” International Conference on Thermoelectrics, p. 6 (Vienna, Austria, Aug. U.S. Patent No. 7,145,972, Dec. 2006. 6–10, 2006). The digital implementation of communication systems for broad- T. S. Yeoh, N. A. Ives, N. Presser, G. W. Stupian, M. S. Leung, J. L. band signals requires analog-to-digital converters (ADC) operat- McCollum, and F. W. Hawley, “Focused Ion Beam Tomography of a Microelectronic Device with Sub-2-nm Resolution,” Journal ing at high speed. This high-speed conversion imposes limita- of Vacuum Science and Technology B: Microelectronics and Nanometer tions, and for a wideband signal in conventional implementation, Structures, Vol. 25, No. 3, pp. 922–925 (2007). the ADC may not be available, may not have the required num- ber of bits, may require excessive power, or may be too expensive. M. A. Zurbuchen, W. Tian, X. Q. Pan, D. Fong, S. K. Streiffer, M. E. This invention uses parallel low-speed ADCs in combination Hawley, J. Lettieri, Y. Jia, G. Asayama, S. J. Fulk, D. J. Comstock, S. with polyphase channelization to process wideband signals in Knapp, A. H. Carim, and D. G. Schlom, “Morphology, Structure, communications systems. A polyphase channelizer downconverts and Nucleation of Out-of-Phase Boundaries (OPBs) in Epitaxial Films of Layered Oxides,” Journal of Materials Research, Vol. 22, No. the wideband input signal into baseband quadrature signals that 6, pp. 1439–1471 ( June 2007). are fed into the parallel ADCs. The converter-channelized out- puts from the ADCs are then processed by a filter bank and a fast Patents Fourier transform processor. This parallel architecture operates at significantly lower speed to effectively provide a high-speed analog-to-digital conversion. The method is well suited for satel- Charles C. Wang, “M-Ary Quadrature Amplitude Modulation lite communication systems using digital signal processing of (QAM) Bit-Boundary Turbo-Coded System,” U.S. Patent No. broadband or wideband signals. 7,142,610, Nov. 2006; “M-Ary Phase-Shift Keying (PSK) Bit- Boundary Turbo-Coded System,” U.S. Patent No. 7,142,611, B. S. H. Michel, “Cooperative Adaptive Web Caching Routing and Nov. 2006. Forwarding Web Content Data Requesting Method,” U.S. Pat- This M-ary phase-shift keying (PSK) bit-boundary turbo-coded ent No. 7,146,429, Dec. 2006. system provides a soft metric generator using boundary lines Traditional, noncooperative Web-caching systems reduce an within the symbol constellation space for gray-code encoded organization’s Internet traffic load by locally storing copies of re- symbols in a turbo-code communication system using PSK quested content that can be quickly retrieved without sending re- modulation. It forms bit-boundary turbo-decoding metrics both quests via the Internet. A cooperative caching system, by contrast, for M-ary quadrature amplitude modulation and for M-ary PSK uses multiple caches to store requested content and can further waveforms. The bit-boundary metrics and preferred gray-scale reduce overall Internet traffic load and scale to a larger user base. encoding provide improved bit-error ratio with efficient soft However, locating the requested content can be a problem. Typi- metrics computations and performance determinations and can cally, cooperative Web-caching systems maintain a logical central be directly implemented without prior knowledge of channel directory, so that one Web cache can easily locate the requested condition. The system can be applied to various communication content stored on another cache. This invention is an adaptive systems, including direct broadcasting, personal communications, and cooperative Web-caching method that uses an “Internet and satellite communications. style” application-level routing and forwarding approach to locate

Crosslink Fall 2007 • 47 Bookmarks (continued)

stored Web content along a path within a network of caches. The H. G. Muller, “Method of Making Copper and Carbon Nanotube caches construct and maintain routing and forwarding tables that Thermal Conductor,” U.S. Patent No. 7,197,804, Apr. 2007. store decomposed URLs in a compressed format. The cache’s High-power systems tend to generate heat in localized areas, forwarding table efficiently translates a user request to the IP ad- causing the devices used in such systems to overheat. The key dress of the next-hop cache server along a path in the Web cache to efficient cooling is to bring the thermal conductor as close as network where the replicated Web content can be retrieved. Con- possible to the devices and create a good thermal contact. The sequently, Web content can be replicated along the paths within best thermal conductors, however, tend to have a much higher the caching network, reducing Internet traffic load and perceived coefficient of thermal expansion than the semiconductor devices. content fetching delay. This invention is a thermal conductor made of copper and carbon nanotubes compressed and cold rolled together so that the car- K. Siri, “Uniform Converter Output Voltage Distribution Power bon nanotubes are aligned. The conductor has increased thermal System,” U.S. Patent No. 7,151,362, Dec. 2006. and electrical conductivity and a reduced coefficient of thermal A common practice in managing expandable power systems is expansion. Various pressures, temperatures, and mixture ratios to use identical dc-to-dc converters connected in a parallel-input can be used to form the thermal conductor and achieve different parallel-output configuration with uniform power distribution coefficients of thermal expansion, thermal conductivities, and among them. A less common practice is to connect the convert- electrical conductivities. The conductor can be used as a conduct- ers using a parallel-input and series-output configuration. How- ing heat sink, such as a laser submount, for heat dissipation and ever, such series-output–connected converters lack the ability to electrical grounding of high-power electrical components and precisely control the proper distribution of power. Internal com- circuits, such as a laser diode. ponent variations or mismatches can result in undesirable non- uniform output voltage distribution, causing overthermal stresses J. J. Poklemba, G. S. Mitchell, and R. F. Smith, “Quadrature Vestigial to those converters with higher output voltages, despite the Sideband Digital Communications Method and System with parallel connection of the converters to the same input voltage Correlated Noise Removal,” U.S. Patent No. 7,200,193, Apr. 2007. source. This invention offers a unified control approach to achieve One way to transmit digital data in a bandwidth-efficient manner uniform distribution of converter output voltages, leading to uni- is to use quadrature vestigial-sideband (QVSB) transmission. The form power distribution and robust system reliability. It compares QVSB technique enables simultaneous transmission of two inde- the converter output voltages with a distribution reference signal, pendent data streams on quadrature carriers, providing twice the and then generates separate control signals for regulation of indi- information-carrying capacity of vestigial-sideband transmission. vidual converters. This provides improved power system stability The disadvantages of QVSB, however, are greater implementa- and uniform output voltage distribution among the converters. tion complexity and typically reduced detection noise margins Employing a common regulation control signal, the controller because of crosstalk between the quadrature channels. Previous can also provide system output-voltage regulation, system input- methods aimed at unraveling the crosstalk have proved unsatis- current limiting, proportional-voltage control, relaxed-voltage factory because of the effects of correlated noise. This invention uniformity, and fault-tolerant power control. is a QVSB method with correlated noise removal embodied in a QVSB receiver. Correlated-noise components in each of the W. R. Crain Jr., D. J. Mabry, J. B. Blake, and N. Katz, “Radiation Do- quadrature channels are estimated and subtracted from their simeter Device,” U.S. Patent No. 7,157,715, Jan. 2007; “Radiation respective incoming signals, plus noise, which degenerates the re- Dosimeter System,” U.S. Patent No. 7,223,979, May 2007. mainder of the signal processing to a quadrature-coupled, partial- Microelectronics in spacecraft are vulnerable to degradation and response detection problem in white noise. The principles of this even failure from the radiation dose caused by energetic electrons invention are applicable to a variety of applications, particularly and ions. Radiation sensors, such as dosimeters, are therefore those that require bandwidth-efficient digital data transmission. needed onboard the spacecraft to continuously monitor the radiation exposure. Some current dosimeters, however, do not P. A. Dafesh, “Direct-Sequence Spread-Spectrum Optical- measure the radiation directly, and thus are prone to error. Oth- ­Frequency-Shift-Keying Code-Division-Multiple-Access Com- ers do measure the radiation directly, but are heavy, consume lots munication System,” U.S. Patent No. 7,200,342, Apr. 2007. of energy, need a clear field of view for each sensor, and must be Fiber-optic communications have become increasingly popular as fine-tuned for each host vehicle. This invention is a dosimeter a means to extend the bandwidth of existing networks. A num- that provides direct measurements of the energy deposited in ber of different spread-spectrum code division multiple-access test masses of silicon in packages, including charge contribution (CDMA) schemes have been proposed to allow asynchronous prior to radiation energy threshold detection. This dosimeter user access to optical networks. Optical CDMA communications can be made small, is relatively easy to manufacture, and offers can increase the capacity and improve the performance of exist- preintegration performance improvement, mounting flexibility, ing wavelength division multiplexing systems, without altering and conventional electrical interface. The dosimeter provides the basic infrastructure of existing fiber-optic networks. In cur- chained analog outputs that can be read by conventional satellite rent approaches, however, the data are susceptible to amplitude systems that accept analog input from sensors, such as tempera- fluctuations, which result in degraded communications. This ture sensors. Many of the devices can be deployed aboard a single invention is an optical CDMA system that uses direct sequence spacecraft. They can be daisy-chained, distributed, and used for spectrum spreading and frequency shift-keying modulation. It generating a radiation exposure profile of the spacecraft. provides a secure means to transport multiple user data across a wideband network while maintaining the flexibility to reassign

48 • Crosslink Fall 2007 secure spreading sequences to different user channels. The system invention provides both a means of maintaining the small Earth has applications to fiber-optic networks and secure communica- station antenna while providing the ability to add multiple beams tion along both free-air and fiber-optic links. across multiple frequency bands, and the ability to implement low-loss, lightweight RF lenses. Compensating structures formed J. C. Camparo and C. M. Klimcak, “Discharge Lamp Stabilization from multiple layers of nonuniform arrays of conductive patches System,” U.S. Patent No. 7,221,231, May 2007. are configured to modify the phase and amplitude distribution Vapor-cell atomic clocks employ an RF-discharge lamp to gen- of an incident field in such a way as to provide additional degrees erate the atomic clock signal. Therefore, the performance of the of freedom in placement of traditional scalar feed horns while atomic clock depends on the spectral output of the RF-discharge increasing the efficiency of the antenna system. This allows the lamp (through the light-shift mechanism), which in turn is deter- use of smaller reflectors and provides the desired element pattern mined by the detailed properties of the light-generating plasma modification in phased array systems. within the lamp. The plasma temperature and power changes of the RF-discharge lamp are not characterized or stabilized in an R. B. Dybdal and D. D. Pidhayny, “Methods and Systems for Track- atomic clock system, which can lead to atomic clock instability. ing Signals with Diverse Polarization Properties,” U.S. Patent No. This invention is a system that senses the acoustic ion oscillations 7,239,275, July 2007. in the 20 kHz range that come from the discharge lamp. The fre- Radio-frequency signals have polarization properties that char- quency of the acoustic ion oscillations can be used to measure the acterize the orientation of the incident electric fields. Communi- amount of power coupled into the plasma, and thus to determine cation system antennas are generally designed to receive signals the RF performance characteristics of the lamp. The RF power having a specified polarization, but incident fields matching this of the lamp can be stabilized by locking the acoustic oscillation specified polarization are not always received. Narrow-beam- frequency of the plasma ions to a specific value in the 20 kHz width antennas must track the signal’s direction to maintain the range. This stabilizes the electron temperature of the plasma and received signal level, but cannot do so when the incident and de- the spectral character of the RF-discharge lamp, resulting in im- sign polarizations are cross-polarized. This crossed polarized sig- proved vapor-cell clock performance. nal condition also reduces the signal level and hence the system sensitivity. This invention presents several methods for tracking Y. Sin and N. Presser, “Focused Ion Beam Heater Thermally Tunable signals with diverse polarization properties. One method applies Laser,” U.S. Patent No. 7,224,708, May 2007. complex weighting circuitry to match the incident signal’s polar- Tunable lasers at the wavelength of 1550 nm are indispensable ization. Another method determines the stronger signal level in components for all optical networks. Both distributed Bragg re- the two orthogonally polarized tracking channels, and uses this to flector (DBR) lasers and distributed feedback (DFB) lasers could select a polarization of the data channel. A third method sequen- be used; however, DBR lasers require complicated fabrication tially sums the received orthogonal signal levels for tracking and steps in addition to sophisticated control electronics, and DFB selects the stronger received signal polarization for the data chan- lasers suffer from a narrow tuning range. This invention is a new nel. These methods make antenna tracking independent of the method of thermal tuning that significantly improves the tun- incident polarization while keeping a high received signal level. ing range of DFB lasers. One method of thermally tuning the lasers is to form thin-film heaters near the laser active region. This G. Radhakrishnan, “Method for Producing Carbon Surface Films technique, however, requires high heater current because of the by Plasma Exposure of a Carbide Compound,” U.S. Patent No. low electrical resistance from the platinum thin films deposited 7,241,475, July 2007. by conventional techniques. In this invention, a focused ion beam A hard and low-friction coating is of great value to devices such technique deposits platinum thin-film heaters in thermally tun- as moving microelectromechanical systems (MEMS) that have able lasers. Focused ion beam platinum is not normally suitable moving mechanical parts and are susceptible to high wear and for use in microelectronic devices because a significant amount damage from frequent sliding contact. A multifunctional coating of carbon is incorporated into platinum during the deposition can be produced by depositing a thin layer of low-friction carbon process. The impurity, however, provides high electrical resistance, on top of a hard, wear-resistant carbide coating. Chlorination of allowing excellent thermal tuning efficiency of the laser. The- in carbides at high temperatures on the order of 1000oC will remove tegrated laser is tunable over a wide wavelength range of ~5 nm the metal from the carbide, leaving behind a lubricious carbon using a heater current of only 13 mA. film. MEMS devices are typically produced on silicon substrates, which are attacked by the chlorination process, and the high M. J. Lange, “Compensating Structures and Reflector Antenna Sys- temperatures involved degrade the standard mask materials used tems Employing the Same,” U.S. Patent No. 7,227,501, June 2007. for protecting the silicon. This invention is a method for produc- Increasing the capacity of small Earth station antennas neces- ing low-friction carbon coatings at low temperatures on bulk or sitates the implementation of multiple beams across multiple thin films of wear-resistant carbides. A reactive halogen plasma frequency bands. However, moving to higher frequencies requires is generated from low-pressure halogen gases, such as chlorine or the use of larger Earth station antennas to accommodate the fluorine, using a radio-frequency source. The surface of a metal smaller orbital separation of the satellites. Increasing the size of carbide is then exposed to the halogen plasma at or near room the Earth station antenna is unacceptable for many applications. temperature. The halogen radicals react with the carbide and Additionally, it is sometimes desirable to modify the phase and extract the metal constituent from the carbide, leaving a pure lu- amplitude distribution of satellite antennas using dielectric lenses. bricious surface film of carbon. This method is easy to implement, However, the size and weight of spacecraft payloads are heavily can treat large areas, and can be applied to any bulk or thin-film constrained and make the massive dielectric lenses infeasible. This metal carbide. Crosslink Fall 2007 • 49 Contributors

Learning From Other People’s Mistakes

Patrick L. Smith (left), Principal Director, Mission Assurance Subdivision, has many years of technical experience in estimation and control. He has also supported tactical applications of space systems and efforts to improve acquisition planning, particularly in the area of risk analy- sis. He has a Ph.D. in control systems engineering from UCLA and has been with Aerospace since 1968. Paul G. Cheng (right), Senior Engineering Specialist, Risk Assessment and Management Sub- division, supports numerous cross-program mission assurance activities, such as gleaning lessons from past anomalies. Paul joined Aerospace in 1999. He received a Ph.D. in chemistry from UCLA. Independent Assessments for Mission Readiness

Thomas A. Freitag (left), Systems Director, Mission Assurance, is coleader of the SMC Inde- pendent Readiness Review Team. Freitag cofounded the team in 2000 and created its organiza- tional structure, policies, and procedures. The team reviews satellites and boosters before launch to ensure successful satellite deployment. Freitag joined Aerospace in 1981. He has an M.S. in engineering from UCLA. Bernardo Higuera (right), Principal Engineer, Launch Directorate, serves as the directorate’s chief engineer in support of the NRO Office of Space Launch. He also provides technical ad- vice and guidance to the Mission Assurance Team and is the directorate’s primary liaison with the Atlas V and Delta IV chief engineers. Higuera joined Aerospace in 1992 and has an M.S. in applied mechanics from Stanford University. A Mission Assurance Toolbox

Bruce L. Simpson (left), Systems Director, Systems Engineering, is responsible for systems en- gineering and launch readiness verification. He joined Aerospace in 1985 after 17 years develop- ing, integrating, testing, and activating weapon systems software for the Minuteman II and III, and the GPS control segment. Since joining Aerospace, he has led the Consolidated Space Op- erations Center systems test, activation, and operations turnover to the Air Force’s 50th Space Wing. Simpson has an M.S. in engineering from California State University, Fullerton. James P. Roberts (right), Senior Project Leader, Corporate Chief Architect/Engineer, supports mission assurance related activities with a focus on the sustainment and continuous improve- ment of the Mission Assurance Portal. Roberts has a B.S. in information technology from The Johns Hopkins University and joined Aerospace in 2001.

Mission Assurance: The Space Quality A Human-Rated Space Perspective Improvement Council The Mission Assurance Guide

Garry H. Boggan, Senior Project Engi- Gary L. Schipper, Senior Project Leader, Sergio B. Guarro, Distinguished Engi- neer, Civil and Commercial Operations, Corporate Chief Architect/Engineer, has neer, Risk Assessment and Management, is Houston office, has most recently worked led the Space Quality Improvement Coun- responsible for risk management and mis- with the Space Shuttle Program Systems cil since its inception in 2001. He also sion assurance process development. He is Engineering and Integration Office. Since heads up mission assurance initiatives with an expert in the areas of probabilistic risk joining Aerospace in 2000, he has supported industry and government agencies, as well assessment, risk management, and related NASA’s human-rated space programs, as cross-program and multidisciplinary fields, and has served on several panels including the space failure investiga- and committees to shuttle, Interna- tions. Schipper has provide advice and tional Space Station, an M.B.A. from assistance on these and Constellation Rensselaer Poly- subjects to U.S. gov- programs. Boggan technic Institute ernment agencies. received an M.S. and joined Aero- Guarro has a Ph.D. in materials science space in 1989. in nuclear engineer- from the University ing from UCLA and of Texas, Arlington, has worked for Aero- and a J.D. from South space since 1989. Texas College of Law. 50 • Crosslink Fall 2007 Battery Testing

(from left to right) Valerie J. Ang, Senior Scientist, Energy Technology, has more than 25 years experience in battery design, development, system integration, testing, and failure investigation. Since joining Aero- space in 1999, she has provided support to many government and commercial space satellite and launch vehicle programs. She re- ceived a B.S. in chemistry from Andrews University. Albert H. Zimmerman, Distinguished Engineer and Scientist, Electronics Technology Center, is a consultant in aerospace bat- teries for space programs and a team leader for electrochemical performance and modeling research efforts. He is an internation- ally recognized expert in electrochemistry—his research has led to an understanding of how the nickel electrode in batteries works and how it controls the performance and lifetime of the nickel cad- mium and nickel hydrogen space batteries used on satellites and launch vehicles. Zimmerman has a Ph.D. in physical chemistry ­lithium-ion batteries for space vehicle applications, and has served from Stanford University and has been with Aerospace since 1977. as the technical focal point for batteries for Air Force programs such as GPS, DSP, DMSP, and DSCS. Hwang has a Ph.D. in Margot L. Wasz is a Senior Scientist in the Electronics and Pho- physical chemistry from UCLA and has been with Aerospace tonics Laboratory, where her specialty is batteries—particularly since 1973. those used on launch vehicles. Her work in investigating the cause of capacity loss in batteries used by the Titan program earned her a Boyd J. Carter, Senior Scientist, Energy Technology, joined Aero- President’s Distinguished Achievement Award in 2002. She has a space in 1987 and specializes in application of nickel cadmium, Ph.D. in materials science from Rice University and has been with nickel hydrogen, and lithium ion batteries for space vehicles. He has Aerospace since 1996. worked to guide the transition of new battery products and tech- nology to space vehicles and other high-reliability programs. He Warren C. Hwang, Director, Energy Technology, is a special- has a Ph.D. in chemistry from California Institute of Technology. ist in the application of nickel cadmium, nickel hydrogen, and

Software Mission Assurance

(from left to right) Michael L. Campbell, Chief Software Engineer, Navigation Division, supports the SMC Global Positioning Systems Wing. In this position, he promotes effective and coordinated application of best practices for software acquisition, software engineering, soft- ware development, and mission assurance for GPS-related soft- ware systems. He has a Ph.D. in computer science from UCLA and has worked at Aerospace since 1992. Francis J. Sisti, Principal Engineer/Scientist, Milsatcom Divi- sion, is Chief Software Engineer supporting the SMC Milsatcom Systems Wing. He provides software assurance and quality guid- ance, software engineering expertise, and oversight for related software issues spanning milsatcom acquisition programs. Sisti is Robert E. Duvall is Manager of the Avionics Section in Flight a doctoral candidate in organizational leadership at the University Software Validation. His section is responsible for the develop- of ­Phoenix. ment and operation of real-time hardware-in-the-loop test beds for launch vehicle flight software. He has a Ph.D. in astrophysical Suellen Eslinger, Distinguished Engineer, Software Engineering sciences from Princeton University and has been with Aerospace Subdivision, leads the subdivision’s software acquisition research since 2000. program. She recently led the Software Process Integrated Product Team for the SMC/NRO Mission Assurance Improvement Task John C. Cantrell, Senior Engineering Specialist, Software Force, which was responsible for updating the military standard ­Architecture and Engineering, joined Aerospace in 1987 and has for software and for incorporating software testing requirements worked on numerous satellite flight software projects ranging from into the updated space vehicle test military standard. Eslinger has small test efforts to multiyear multisatellite projects including an M.S. in mathematics from the University of Arizona. SMC, NASA, and NRO commercial programs. He has an M.S. in computer science from Illinois Institute of Technology.

Crosslink Fall 2007 • 51 The Back Page

It is not only the terrain of Mars that can prove perilous to the rovers. How Did They Do It? Maintaining sufficient power to drive and perform scientific operations David Bearden and Matthew Hart is challenging. Both Spirit and Opportunity recently braved a severe global dust storm that reduced the amount of sunlight they received to a The Mars rovers have outlasted their 90-day design life by tiny fraction of normal for almost two months. Sunlight is used to power more than three years, and they continue to provide clues to the rovers—they were forced to lie dormant and wait out the storm. past water activity on Mars. Both rovers are situated near the Martian equator, where high and low The United States and the former Soviet Union have attempted trips to temperatures can differ by more than 100°C. This is equivalent to going Mars for 40 years. But two out of three missions to the red planet have from a beach in Hawaii to the South Pole in midwinter—every day! In failed because of the great difficulty involved. The most recent journey spite of all the challenges, both rovers continue to function remarkably to the surface of Mars was in mid-2003, with the launch of twin rovers well, and mission funding has been extended. Spirit and Opportunity on June 10 and July 7. To get to the red planet, the rovers flew through approximately 483 million kilometers of deep Developing the Rovers space toward a precise landing spot. The road to the launchpad was nearly as daunting as the journey to Mars. A spacecraft had to be built that could not only make the arduous The seven-month journey was far from easy. Hazards ranged from trip, but could also complete its scientific mission upon arrival—nothing “single event upsets”—which occur when a stray particle passes through less than exceptional technology and planning was required. a chip in a spacecraft’s computer, causing a glitch and possibly cor- rupting data—to massive solar flares that can damage or even destroy The rovers were developed at the Jet Propulsion Laboratory (JPL), in spacecraft electronics. Adjustments to the rovers’ flight paths were made Pasadena, California, at a cost of approximately $820 million, includ- along the way, but a small trajectory error could have resulted in a big ing launch. The team that sent the two rovers made history, completing detour, or even missing the planet completely. in 3.5 years what mission planners usually complete in 5 to 7 years. The team revived an ailing planetary exploration program that NASA If getting to Mars was hard, landing proved even tougher. The rovers had to rebuild following the catastrophic loss of two spacecraft en route had to decelerate into the tenuous atmosphere to safely reach the sur- to Mars in 1999. The team did this knowing that landing on Mars is face. The challenge of entry, descent, and landing—sometimes described always an extreme challenge, particularly with such a short develop- as six minutes of terror—is how to decelerate something that weighs half ment schedule. a ton traveling at 19,300 kilometers per hour enough to ensure it has a chance of survival. The spectacular scientific and engineering successes of Spirit and Op- portunity were aided with mission assurance and project systems engi- During the first 4 minutes of descent, friction with the atmosphere consid- neering expertise managed by Aerospace’s NASA/JPL program office, erably slowed the rovers. Even then, they were traveling at 1600 kilo- also based in Pasadena. Aerospace provided support to the JPL team meters per hour with only 100 seconds remaining as they reached the in developing the rovers through system-level mission assurance and by altitude where commercial airliners typically fly. Parachutes slowed the spacecraft, and then, with only 6 seconds left, retrorockets fired to bring it down to zero velocity—at the height of a four-story building above the surface. The spacecraft fell the rest of the way cocooned in airbags to cushion the blow of hitting the ground at 48 kilometers per hour or more and bounced before coming to rest. Spirit landed in Gusev crater on January 4, 2004. Once there, it had to extract itself from the airbags used for landing, deploy its gear, and finally, check out its systems and instruments. The landing captured the world’s attention. In the following week, NASA’s Web site recorded 1.7 billion hits and 34.6 terabytes of data transferred, eclipsing records set by previous NASA missions. Three weeks later, Opportunity landed in the Meridiani Planum on the opposite side of Mars. Chief among the scientific accomplishments of the rovers is the discovery of conclusive evidence that water was common and flowed freely on the surface of Mars in its ancient past. Both rovers have outlived and Testing of a rover prior to its flight into and mission to Mars. The appli- outlasted expectations for reliability and performance, surviving two cation of selective redundancy to the single-string design allowed for optimal use Martian winters, climbing into and out of craters, hills, and valleys, and of the available mass and volume to maximize reliability and mission success. traveling a combined distance of more than 18 kilometers.

52 • Crosslink Fall 2007 An artist’s concept of a rover operating on the surface of Mars. The rovers Spirit and Members of the Aerospace Mars Exploration Rovers engineering team with a rep- Opportunity have been traversing the terrain of the red planet since January, 2004, lica of the rover. (L-R) Eric Breckheimer, David Bearden, Rocky Khullar, Maria Sklar, far outliving their 90-day design life expectancy. Matthew Hart, and Abraham Santiago. providing continuity across systems engineering, mission assurance, and number of subsystems—including the cruise-stage attitude determination flight project engineering. and control, power, pyro, and terminal descent subsystems—required some redundancy to maximize reliability and ensure mission success. The Aerospace also wrote the original risk management plan for the project, questions were: Which subsystems should be made redundant, and how which documented the approach to capturing, documenting, evaluating, should each be designed? and mitigating project risks. Aerospace conducted requirement audits, performed the linkage between higher- and lower-level requirements, To answer these, Aerospace offered expert design guidance, evaluating and enforced systems engineering structure and rigor that ensured that options for diversity in functionality and the use of redundant design ele- key systems engineering requirements, mission assurance, and verifica- ments. Aerospace developed reliability models for alternate designs and tion documentation were synchronized. collected and applied failure rate data at the component level. Aerospace applied failure-mode effects and criticality analysis techniques to interfaces and components of the rovers’ flight systems. Aerospace sys- Assuring the Rovers Were Launch Ready tematically addressed each of the rover and carrier vehicle subsystems, Earth and Mars align for a short time every 26 months, such that a identifying failure modes, classifying root causes, and documenting the Delta II launch vehicle can be used to carry a spacecraft to Mars. criticality to mission success of each potential failure and the likelihood Motion of the planets limited the launch period for the rovers to several of it occurring during the mission. These data were regularly gathered weeks. Daily launch opportunities were also constrained to short periods across all areas of the flight system by interviewing key design engineers, of hours or minutes per day, after which Earth’s rotation and the location by analyzing design changes, and by documenting the implications of of the launch site would no longer allow the launch vehicle to reach its design updates and potential failures on interrelated subsystems. target. The ability to successfully launch on any given day depends on many Reliability Analysis for Selective Redundancy technical and operational factors, as well as uncontrollable events, such The Mars rovers were designed to be 30 percent larger than the previous as the weather or errant incursions of aviation or marine vehicles into the Mars Pathfinder rover and lander, but had to fit within the same volume keep-out zone surrounding the launch site. Aerospace examined U.S. as their smaller and less capable predecessor. However, volume was not launch history, focusing on launch delays and root causes to provide an the only constraint facing designers: Mass growth threatened the project assessment of launch-readiness requirements. throughout its development. In the end, the rover and lander touched down on Mars weighing almost 50 percent more than Pathfinder. Exploration Continues Design information for Mars entry and landing systems is based on Technical specialists from Aerospace were called upon to support experience from the Viking lander missions more than 30 years ago. major milestone reviews, troubleshoot component-level technical issues, Engineers decided that if the rovers were too large or too heavy, they and assist in resolving major risks to the rovers’ missions throughout the would not be able to land safely on the Martian surface. development of this project. Today, as the rovers continue to send back fascinating and never-before-seen images of Mars, these specialists can The mass and volume constraints led to a design philosophy based be proud of their involvement with, and the remarkable success of, this on high-reliability, mostly single-string subsystems. However, a limited stunning exploratory project.

Crosslink Fall 2007 • 53 rosslink Board of Trustees C Fall 2007 Vol. 8 No. 2 Donald L. Cromer, Chair Howell M. Estes III, Vice Chair Editor in Chief Illustrator William F. Ballhaus Jr. Gabriel Spera John A. Hoyem Corporate Officers Barbara M. Barrett William F. Ballhaus Jr. Editor Photographers Guion S. Bluford Jr. Nancy K. Profera Eric Hamburg President and CEO Rufus A. Fulton Jr. Mike Morales Joe M. Straus Technical Editor Nelson F. Gibbs Executive Vice President Editorial Board Paul R. Rousseau Daniel E. Hastings Dean C. Marvin, Chair Wanda M. Austin Guest Editor David A. Bearden John E. McLaughlin Marlene M. Dennis Valerie I. Lang John E. Clark John A. McLuckey Manuel De Ponte Contributing Editor David J. Evans Thomas S. Moorman Jr. Jerry M. “Mike” Drennan Donna Born Linda F. Halle Dana M. Muir David J. Gorney Staff Editor Malina M. Hills M. Elisabeth Paté-Cornell Lawrence T. Greenberg Jon S. Bach Michael R. Hilton Sally K. Ride Ray F. Johnson Diana M. Johnson Summer Intern Donald W. Shepperd Gordon J. Louttit William C. Krenz Laura M. Johnson James C. Slattery Mark W. Maier Gary P. Pulliam Jeffrey H. Smith Art Director Fredric M. Pollack Rami R. Razouk Karl W. Jacobs Paul R. Rousseau K. Anne Street Donald R. Walker Graphic Designer Gabriel Spera Peter B. Teets Dale E. Wallis John D. Griffith Marilee Wheaton John H. Tilelli Jr. John R. Wormington Robert S. Walker

The Crosslink Crossword 1 2 3 4 5 6 7 Across 8 9 10 11 12 13 14 2. Junk 15 16 17 4. The bottom of it 6. “How I Spent My Vacation” 18 19 8. Work together 20 21 22 23 13. Precision 24

14. Estimate 25

16. Temporary step down 26 27 18. Doing one’s own thing 21. Check out 28 29 24. Kryptonite is Kent’s 30 31 26. Play dough 32

27. Returning to normal 33 34 35 36 37 38

30. Drinking buddies? 39 40 41 31. Due date 32. Free from harm 42 37. Unfortunate occurrence 43 39. Fields 44 45 46

41. It cascades 47

42. Door 48 49 43. Problem evasion 45. Desert 50 51 47. Learning unit 52 53 48. Unanimity 54 49. Holding steady 50. Repair 51. Take for no credit 7. Intended agenda 25. It can slip 52. Inadequacy 9. Supervision 28. Way of working 53. It may be calculated 10. Opposition 29. Plumbing is one 54. Legwork 11. Possession of value 33. Perfection-maker 12. Bust out 34. Tire around the middle Down 15. Extreme scenario 35. Evaluation by equals 1. Preview version 17. “The manual” 36. Alphabet soup 2. MDs do it 19. Diamond defect 38. Rules & regulations 3. Computer collapse 20. Obtaining 40. Neighborhood 5. System element 22. Close call 44. Grid 6. Go over 23. Warning 46. Kind of clause

Most puzzle words and clues are from articles in this issue. The solution is on the Crosslink Web site: http://www.aero.org/publications/crosslink/.