Autonomous Flight Software in Crewed Launches

This article is from the 2024 Technical Update

Autonomous flight termination systems (AFTS) are being progressively employed onboard launch vehicles to replace ground personnel and infrastructure needed to terminate flight or destruct the vehicle should an anomaly occur. This automation uses on-board real-time data and encoded logic to determine if the flight should be self-terminated. For uncrewed launch vehicles, FTS systems are required to protect the public and governed by the United States Space Force (USSF). For crewed missions, NASA must augment range AFTS requirements for crew safety and certify each flight according to human rating standards, thus adding unique requirements for reuse of software originally intended for uncrewed missions. This bulletin summarizes new information relating to AFTS to raise awareness of key distinctions, summarize considerations and outline best practices for incorporating AFTS into human-rated systems.

Key Distinctions – Crewed v. Uncrewed

There are inherent behavioral differences between uncrewed and crewed AFTS related to design philosophy and fault tolerance. Uncrewed AFTS generally favor fault tolerance against failure-to-destruct over failing silent

in the presence of faults. This tenet permeates the design, even downto the software unit level. Uncrewed AFTS become zero-fault-to-destruct tolerant to many unrecoverable AFTS errors, whereas general single fault

tolerance against vehicle destruct is required for crewed missions. Additionally, unique needs to delay destruction for crew escape, provide abort options and special rules, and assess human-in-the-loop insight, command, and/or override throughout a launch sequence must be considered and introduces additional requirements and integration complexities.

AFTS Software Architecture Components and Best-Practice Use Guidelines

A detailed study of the sole AFTS currently approved by USSF and utilized/planned for several launch vehicles was conducted to understand its characteristics, and any unique risk and mitigation techniques for effective human-rating reuse. While alternate software systems may be designed in the future, this summary focuses on an architecture employing the Core Autonomous Safety Software (CASS). Considerations herein are intended for extrapolation to future systems. Components of the AFTS software architecture are shown, consisting of the CASS, "Wrapper", and Mission Data Load (MDL) along with key characteristics and use guidelines. A more comprehensive description of each and recommendations for developmental use is found in Ref. 1.

Best Practices Certifying AFTS Software

Below are non-exhaustive guidelines to help achieve a human-rating

certification for an AFTS.

References

  1. NASA/TP-20240009981: Best Practices and Considerations for Using

    Autonomous Flight Termination Software In Crewed Launch Vehicles

    https://ntrs.nasa.gov/citations/20240009981

  2. "Launch Safety," 14 C.F.R., § 417 (2024).
  3. NPR 8705.2C, Human-Rating Requirements for Space Systems, Jul 2017,

    nodis3.gsfc.nasa.gov/

  4. NASA Software Engineering Requirements, NPR 7150.2D, Mar 2022,

    nodis3.gsfc.nasa.gov/

  5. RCC 319-19 Flight Termination Systems Commonality Standard, White

    Sands, NM, June 2019.

  6. "Considerations for Software Fault Prevention and Tolerance", NESC

    Technical Bulletin No. 23-06 https://ntrs.nasa.gov/citations/20230013383

  7. "Safety Considerations when Repurposing Commercially Available Flight

    Termination Systems from Uncrewed to Crewed Launch Vehicles", NESC

    Technical Bulletin No. 23-02 https://ntrs.nasa.gov/citations/20230001890

/Public Release. This material from the originating organization/author(s) might be of the point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).View in full here.