Considerations for Using Autonomous Flight Termination Softwarein Crewed Launch Vehicles

This article is from the 2024 Technical Update

Autonomous flight termination systems (AFTS) are being progressively employed onboard launch vehicles to replace ground personnel and infrastructure needed to terminate flight or destruct the vehicle should an anomaly occur. This automation uses on-board real-time data and encoded logic to determine if the flight should be self-terminated. For uncrewed launch vehicles, FTS systems are required to protect the public and governed by the United States Space Force (USSF). For crewed missions, NASA must augment range AFTS requirements for crew safety and certify each flight according to human rating standards, thus adding unique requirements for reuse of software originally intended for uncrewed missions. This bulletin summarizes new information relating to AFTS to raise awareness of key distinctions, summarize considerations and outline best practices for incorporating AFTS into human-rated systems.

Key Distinctions – Crewed v. Uncrewed
There are inherent behavioral differences between uncrewed and crewed AFTS related to design philosophy and fault tolerance. Uncrewed AFTS generally favor fault tolerance against failure-to-destruct over failing silent
in the presence of faults. This tenet permeates the design, even downto the software unit level. Uncrewed AFTS become zero-fault-to-destruct tolerant to many unrecoverable AFTS errors, whereas general single fault
tolerance against vehicle destruct is required for crewed missions. Additionally, unique needs to delay destruction for crew escape, provide abort options and special rules, and assess human-in-the-loop insight, command, and/or override throughout a launch sequence must be considered and introduces additional requirements and integration complexities.

AFTS Software Architecture Components and Best-Practice Use Guidelines
A detailed study of the sole AFTS currently approved by USSF and utilized/planned for several launch vehicles was conducted to understand its characteristics, and any unique risk and mitigation techniques for effective human-rating reuse. While alternate software systems may be designed in the future, this summary focuses on an architecture employing the Core Autonomous Safety Software (CASS). Considerations herein are intended for extrapolation to future systems. Components of the AFTS software architecture are shown, consisting of the CASS, “Wrapper”, and Mission Data Load (MDL) along with key characteristics and use guidelines. A more comprehensive description of each and recommendations for developmental use is found in Ref. 1.

Mission Data Load (MDL) along with key characteristics and use guidelines
TB 24-02 AFTS Software Architecture Components

Best Practices Certifying AFTS Software
Below are non-exhaustive guidelines to help achieve a human-rating
certification for an AFTS.

non-exhaustive guidelines to help achieve a human-rating certification for an AFTS.

References

  1. NASA/TP-20240009981: Best Practices and Considerations for Using
    Autonomous Flight Termination Software In Crewed Launch Vehicles
    https://ntrs.nasa.gov/citations/20240009981
  2. “Launch Safety,” 14 C.F.R., § 417 (2024).
  3. NPR 8705.2C, Human-Rating Requirements for Space Systems, Jul 2017,
    nodis3.gsfc.nasa.gov/
  4. NASA Software Engineering Requirements, NPR 7150.2D, Mar 2022,
    nodis3.gsfc.nasa.gov/
  5. RCC 319-19 Flight Termination Systems Commonality Standard, White
    Sands, NM, June 2019.
  6. “Considerations for Software Fault Prevention and Tolerance”, NESC
    Technical Bulletin No. 23-06 https://ntrs.nasa.gov/citations/20230013383
  7. “Safety Considerations when Repurposing Commercially Available Flight
    Termination Systems from Uncrewed to Crewed Launch Vehicles”, NESC
    Technical Bulletin No. 23-02 https://ntrs.nasa.gov/citations/20230001890