A Successful Strategy for Satellite Development and Testing - Inpe

More documents

Recommendations

Info

and environment for testing the attitude control system, providingsolar illumination in vacuum for fully extended solar arrays, andfitting large systems into a relatively confined vacuum chamber).But even in light of these acknowledged limitations, Aerospacefound an increasing trend away from applying flight-like testingmethodologies where they were previously considered routine,such as in unit and subsystem performance testing and softwarecompatibility with hardware in the loop. Similarly, intersegmenttesting between the ground and space segments was often eliminatedentirely or greatly reduced in scope.The decision to omit or scale back these tests must be accompaniedby a clear assessment of the attendant risks. Where thereis significant risk exposure by not being able to test appropriately,mitigation strategies can be developed early in the life cycle.Aerospace found these risks were not always well understood, andconsequently, mitigation strategies were not effectively applied.Aerospace found that best practices for flight-like testing hadnot been codified in the industry. There was a general lack ofpractical guidance for determining how well or poorly the testingwas conducted. This was particularly true for “day in the life” operationaltesting.Traditionally, issues and problems uncovered during satellitedevelopment and testing would result in design and processchanges, which would in turn be scrutinized for insights thatvery often improve the development and verification process. Asa third-party observer, Aerospace could look across contractorboundaries and identify key lessons and practices, which couldthen be used to help prioritize the reintroduction of industry-widespecifications and standards. With the cancellation of these standardsin the mid-1990s, contractors were left on their own to accommodatetechnological changes and lessons learned into theirown processes—with variable success.A Leap in ComplexityWhile verification rigor had dropped, overall satellite complexityrose, often exponentially, as a result of advances in electronicstechnology and software. Not only were these systems usingmore parts, but the parts themselves were often far more complex,requiring much more stringent design verification and qualificationpractices. The greater use of field-programmable gate arrays(FPGAs) and application-specific integrated circuits (ASICs),with millions of embedded transistors on a single device, poses aneven greater testing challenge.Not only does increasing complexity pose a challenge tothe verification process, but it also implies an increase in thelikelihood of latent design and workmanship defects. Given theincreases in complexity, the corresponding pressures on the verificationprocesses, and the increased failure potential, the industryand government had embarked on a path of conflicted logic thatresulted in numerous problems that were often not detected untillate in development cycle, or even on orbit.Under acquisition reform, the government did not always specifyrequirements for qualifying the parts used in space systems.The manufacturers assumed responsibility for piece-part qualification,based on the application and the performance requirementsat the system level. This led to problems for several reasons.Acquiring qualified parts had become more difficult as suppliersfocused on commercial markets at the expense of the militaryspace market (which, although relatively small, typically requiresCumulative success rate (percent)Environmental test thoroughness1009080706050TraditionalacquisitionpracticesHigher-riskacquisitionpractices401980 1985 1990 1995 2000Year of launchOut of a sample of more than 450 vehicles manufactured in the United States,those developed using traditional acquisition practices show a consistentlyhigher success rate in the first year of operations. In contrast, vehicles developedusing higher-risk acquisition approaches show markedly lower successrates in the first year of operations.U.S. space asset loss (millions of dollars)100908070605030002500200015001000500Pre - 1995NRO programsPost - 1995Landsat 6NOAA 13UFO-1MarsObserverSMC programsAcquisition reform in the national security space arena reduced verificationrigor, as illustrated in the drop in environmental test thoroughness.3 Titan IV’sMilstar/NRO/DSP2 Delta III’sMars Climate Orbiter090 91 92 93 94 95 96 97 98 99YearThis chart shows the value in dollars of U.S. space assets lost during the 1990s.Recent independent studies have shown that reducing technical verificationrigor and diminishing the role of independent technical oversight in the developmentof government and commercial space systems results in greater problems,as evidenced by higher failure rates and cost and schedule overruns.
A Return to StandardsThe Air Force Space and Missile Systems Center (SMC) and the National ReconnaissanceOffice (NRO) have established policies that embrace the use of government, industry, andprofessional society specifications and standards to define program technical baselines.The effort includes the processes for the evaluation, selection, and preparation of documentsand also the processes and ground rules for implementation as compliance documentsin requests for proposals and contracts.Aerospace plays an integral role in the review of existing technical standards, the developmentand publication of new standards in several engineering disciplines, and the implementationof standards in the acquisition process for new systems. Aerospace, NRO, andSMC compiled a list of the key standards and have kept the list updated and publishedas an Aerospace technical report. Eventually, appropriate documents will be revised andreissued as military, industrial, or international standards. For example, five Aerospacestandards were recently issued as AIAA standards. In the meantime, Aerospace technicalreports will be used as compliance documents.—Valerie Lang, Joe Meltzer, and Jacqueline Unitisstricter parameter control, higher reliability,wider temperature ranges, higher dynamicresponse, radiation hardness, and similartraits). In addition, as suppliers switchedfrom a product qualification model to aprocess qualification a model, both primarycontractors and government lost insightand traceability into parts because supplierswere not required to provide technicaldata for qualification and traceability. Thegovernment had even less insight, with fewerpeople to track problems and less oversightinto manufacturing details.Cost and schedule assumed a greater rolein determining which tests and analysesshould be used to demonstrate that a devicewas acceptable and could meet system requirements.Because of inadequate resourcesand shifting priorities, only new or problematicsuppliers were evaluated or closelymonitored. Verification of compliance wasless disciplined for subtier contractors, andthe prime contractor’s role changed from“right of approval” to “right of rejection.”Flight software complexity had increasedeven more, and it is now statistically impossibleto find all possible defects in large softwaresystems. Despite continuing advances,debugging code remains time-consuming:up to 50 percent of a programmer’s timecan be spent debugging code. Furthermore,testing requires a test plan, detailed testprocedures, and scripts for providing inputto an automated testing tool—an effort thatcan be just as prone to error as the code itpurports to test. Altogether, complex softwareentails meticulous verification planningand software development, a challenge thatis not addressed in development and budgetallocations. This underscores the need for aReemerging Part SpecificationsBased on a number of recent problems, experience clearly indicates that a more stringentand consistent approach to parts, materials, and processes—including qualification—mustbe followed. One major objective is to establish a revised standard that defines the necessarycharacterization, qualification, and screening tests for microelectronics and otherpiece-part commodities (e.g., hybrids, capacitors, resistors, relays, and connectors) thatwould clear them for use in space applications. This includes government participation toensure that risks are not solely quantified on cost and schedule, but life performance aswell. A rewrite of technical requirements for space parts, materials, and processes is underway based on previously existing military standards.rigorous independent assessment of interrelatedsoftware and hardware requirementsdevelopment early in the process.Today’s satellite systems involve multipleuser nodes. The increasing number and complexityof interfaces led to a rise in interfaceproblems during system-level and end-toendtesting among ground, user, and spacesegments. These complex interfaces presenta challenge to simulation tools and limit theaccuracy of design-margin predictions andverification by use of models and simulations.A Breakdown inSystems EngineeringIn addition to finding problems with verificationand testing, the Aerospace study identifiednumerous problems with systems engineeringpractices, including source selection,requirements definition and flowdown,system design, engineering requirementverification, manufacturing and integrationsupport, and scheduling.Data analyzed pointed to a number of systemsengineering deficiencies that resulted innumerous late-build-cycle problems, highlightedby the large increase in design flaws(detected in system-level testing) since 1995.Specific deficiencies include marginalizingthe peer design review process and relateddocumentation, descoping preliminary andcritical design processes, and marginalizingthe risk management process. In general,Aerospace found that systems engineeringprocesses were fragmented.Several additional systems engineeringchallenges were also discovered—mostnotably, personnel shortfalls, flawed assumptionsregarding the insertion of commercialproducts in a given design, less emphasison achieving flight-like testing, and greateremphasis on cost and schedule versus performanceand reliability.Spacecraft are extremely complex, andprogram managers have always felt pressureto reduce costs and head count. Coupledwith the aging demographics of the spaceindustry workforce, the pressure to minimizestaffing levels had decimated governmentand contractor systems engineering teams—sometimes depleting teams from five or sixdeep to one individual who may not haveenough technical breadth to understand thepotential impact of design issues and themany problems that occur during production.This increased the chances that design errorswould go unidentified (and uncorrected) untilthey caused a failure. The lack of personnelalso led to a reduction in oversight of the8 • Crosslink Fall 2005
Page 4 and 5: prime contractors by the government
Page 6: Environmental Testingfor Launch and
Page 9 and 10: Measured accelerationtime histories
Page 11 and 12: Software Testingin Space ProgramsAs
Page 13 and 14: Method and Description Objective Te
Page 15: system-safety analyses are performe

A Successful Strategy for Satellite Development and Testing - Inpe

Create successful ePaper yourself

Delete template?

Save as template?