<strong>and</strong> environment <strong>for</strong> testing the attitude control system, providingsolar illumination in vacuum <strong>for</strong> fully extended solar arrays, <strong>and</strong>fitting large systems into a relatively confined vacuum chamber).But even in light of these acknowledged limitations, Aerospacefound an increasing trend away from applying flight-like testingmethodologies where they were previously considered routine,such as in unit <strong>and</strong> subsystem per<strong>for</strong>mance testing <strong>and</strong> softwarecompatibility with hardware in the loop. Similarly, intersegmenttesting between the ground <strong>and</strong> space segments was often eliminatedentirely or greatly reduced in scope.The decision to omit or scale back these tests must be accompaniedby a clear assessment of the attendant risks. Where thereis significant risk exposure by not being able to test appropriately,mitigation strategies can be developed early in the life cycle.Aerospace found these risks were not always well understood, <strong>and</strong>consequently, mitigation strategies were not effectively applied.Aerospace found that best practices <strong>for</strong> flight-like testing hadnot been codified in the industry. There was a general lack ofpractical guidance <strong>for</strong> determining how well or poorly the testingwas conducted. This was particularly true <strong>for</strong> “day in the life” operationaltesting.Traditionally, issues <strong>and</strong> problems uncovered during satellitedevelopment <strong>and</strong> testing would result in design <strong>and</strong> processchanges, which would in turn be scrutinized <strong>for</strong> insights thatvery often improve the development <strong>and</strong> verification process. Asa third-party observer, Aerospace could look across contractorboundaries <strong>and</strong> identify key lessons <strong>and</strong> practices, which couldthen be used to help prioritize the reintroduction of industry-widespecifications <strong>and</strong> st<strong>and</strong>ards. With the cancellation of these st<strong>and</strong>ardsin the mid-1990s, contractors were left on their own to accommodatetechnological changes <strong>and</strong> lessons learned into theirown processes—with variable success.A Leap in ComplexityWhile verification rigor had dropped, overall satellite complexityrose, often exponentially, as a result of advances in electronicstechnology <strong>and</strong> software. Not only were these systems usingmore parts, but the parts themselves were often far more complex,requiring much more stringent design verification <strong>and</strong> qualificationpractices. The greater use of field-programmable gate arrays(FPGAs) <strong>and</strong> application-specific integrated circuits (ASICs),with millions of embedded transistors on a single device, poses aneven greater testing challenge.Not only does increasing complexity pose a challenge tothe verification process, but it also implies an increase in thelikelihood of latent design <strong>and</strong> workmanship defects. Given theincreases in complexity, the corresponding pressures on the verificationprocesses, <strong>and</strong> the increased failure potential, the industry<strong>and</strong> government had embarked on a path of conflicted logic thatresulted in numerous problems that were often not detected untillate in development cycle, or even on orbit.Under acquisition re<strong>for</strong>m, the government did not always specifyrequirements <strong>for</strong> qualifying the parts used in space systems.The manufacturers assumed responsibility <strong>for</strong> piece-part qualification,based on the application <strong>and</strong> the per<strong>for</strong>mance requirementsat the system level. This led to problems <strong>for</strong> several reasons.Acquiring qualified parts had become more difficult as suppliersfocused on commercial markets at the expense of the militaryspace market (which, although relatively small, typically requiresCumulative success rate (percent)Environmental test thoroughness1009080706050TraditionalacquisitionpracticesHigher-riskacquisitionpractices401980 1985 1990 1995 2000Year of launchOut of a sample of more than 450 vehicles manufactured in the United States,those developed using traditional acquisition practices show a consistentlyhigher success rate in the first year of operations. In contrast, vehicles developedusing higher-risk acquisition approaches show markedly lower successrates in the first year of operations.U.S. space asset loss (millions of dollars)100908070605030002500200015001000500Pre - 1995NRO programsPost - 1995L<strong>and</strong>sat 6NOAA 13UFO-1MarsObserverSMC programsAcquisition re<strong>for</strong>m in the national security space arena reduced verificationrigor, as illustrated in the drop in environmental test thoroughness.3 Titan IV’sMilstar/NRO/DSP2 Delta III’sMars Climate Orbiter090 91 92 93 94 95 96 97 98 99YearThis chart shows the value in dollars of U.S. space assets lost during the 1990s.Recent independent studies have shown that reducing technical verificationrigor <strong>and</strong> diminishing the role of independent technical oversight in the developmentof government <strong>and</strong> commercial space systems results in greater problems,as evidenced by higher failure rates <strong>and</strong> cost <strong>and</strong> schedule overruns.
A Return to St<strong>and</strong>ardsThe Air Force Space <strong>and</strong> Missile Systems Center (SMC) <strong>and</strong> the National ReconnaissanceOffice (NRO) have established policies that embrace the use of government, industry, <strong>and</strong>professional society specifications <strong>and</strong> st<strong>and</strong>ards to define program technical baselines.The ef<strong>for</strong>t includes the processes <strong>for</strong> the evaluation, selection, <strong>and</strong> preparation of documents<strong>and</strong> also the processes <strong>and</strong> ground rules <strong>for</strong> implementation as compliance documentsin requests <strong>for</strong> proposals <strong>and</strong> contracts.Aerospace plays an integral role in the review of existing technical st<strong>and</strong>ards, the development<strong>and</strong> publication of new st<strong>and</strong>ards in several engineering disciplines, <strong>and</strong> the implementationof st<strong>and</strong>ards in the acquisition process <strong>for</strong> new systems. Aerospace, NRO, <strong>and</strong>SMC compiled a list of the key st<strong>and</strong>ards <strong>and</strong> have kept the list updated <strong>and</strong> publishedas an Aerospace technical report. Eventually, appropriate documents will be revised <strong>and</strong>reissued as military, industrial, or international st<strong>and</strong>ards. For example, five Aerospacest<strong>and</strong>ards were recently issued as AIAA st<strong>and</strong>ards. In the meantime, Aerospace technicalreports will be used as compliance documents.—Valerie Lang, Joe Meltzer, <strong>and</strong> Jacqueline Unitisstricter parameter control, higher reliability,wider temperature ranges, higher dynamicresponse, radiation hardness, <strong>and</strong> similartraits). In addition, as suppliers switchedfrom a product qualification model to aprocess qualification a model, both primarycontractors <strong>and</strong> government lost insight<strong>and</strong> traceability into parts because supplierswere not required to provide technicaldata <strong>for</strong> qualification <strong>and</strong> traceability. Thegovernment had even less insight, with fewerpeople to track problems <strong>and</strong> less oversightinto manufacturing details.Cost <strong>and</strong> schedule assumed a greater rolein determining which tests <strong>and</strong> analysesshould be used to demonstrate that a devicewas acceptable <strong>and</strong> could meet system requirements.Because of inadequate resources<strong>and</strong> shifting priorities, only new or problematicsuppliers were evaluated or closelymonitored. Verification of compliance wasless disciplined <strong>for</strong> subtier contractors, <strong>and</strong>the prime contractor’s role changed from“right of approval” to “right of rejection.”Flight software complexity had increasedeven more, <strong>and</strong> it is now statistically impossibleto find all possible defects in large softwaresystems. Despite continuing advances,debugging code remains time-consuming:up to 50 percent of a programmer’s timecan be spent debugging code. Furthermore,testing requires a test plan, detailed testprocedures, <strong>and</strong> scripts <strong>for</strong> providing inputto an automated testing tool—an ef<strong>for</strong>t thatcan be just as prone to error as the code itpurports to test. Altogether, complex softwareentails meticulous verification planning<strong>and</strong> software development, a challenge thatis not addressed in development <strong>and</strong> budgetallocations. This underscores the need <strong>for</strong> aReemerging Part SpecificationsBased on a number of recent problems, experience clearly indicates that a more stringent<strong>and</strong> consistent approach to parts, materials, <strong>and</strong> processes—including qualification—mustbe followed. One major objective is to establish a revised st<strong>and</strong>ard that defines the necessarycharacterization, qualification, <strong>and</strong> screening tests <strong>for</strong> microelectronics <strong>and</strong> otherpiece-part commodities (e.g., hybrids, capacitors, resistors, relays, <strong>and</strong> connectors) thatwould clear them <strong>for</strong> use in space applications. This includes government participation toensure that risks are not solely quantified on cost <strong>and</strong> schedule, but life per<strong>for</strong>mance aswell. A rewrite of technical requirements <strong>for</strong> space parts, materials, <strong>and</strong> processes is underway based on previously existing military st<strong>and</strong>ards.rigorous independent assessment of interrelatedsoftware <strong>and</strong> hardware requirementsdevelopment early in the process.Today’s satellite systems involve multipleuser nodes. The increasing number <strong>and</strong> complexityof interfaces led to a rise in interfaceproblems during system-level <strong>and</strong> end-toendtesting among ground, user, <strong>and</strong> spacesegments. These complex interfaces presenta challenge to simulation tools <strong>and</strong> limit theaccuracy of design-margin predictions <strong>and</strong>verification by use of models <strong>and</strong> simulations.A Breakdown inSystems EngineeringIn addition to finding problems with verification<strong>and</strong> testing, the Aerospace study identifiednumerous problems with systems engineeringpractices, including source selection,requirements definition <strong>and</strong> flowdown,system design, engineering requirementverification, manufacturing <strong>and</strong> integrationsupport, <strong>and</strong> scheduling.Data analyzed pointed to a number of systemsengineering deficiencies that resulted innumerous late-build-cycle problems, highlightedby the large increase in design flaws(detected in system-level testing) since 1995.Specific deficiencies include marginalizingthe peer design review process <strong>and</strong> relateddocumentation, descoping preliminary <strong>and</strong>critical design processes, <strong>and</strong> marginalizingthe risk management process. In general,Aerospace found that systems engineeringprocesses were fragmented.Several additional systems engineeringchallenges were also discovered—mostnotably, personnel shortfalls, flawed assumptionsregarding the insertion of commercialproducts in a given design, less emphasison achieving flight-like testing, <strong>and</strong> greateremphasis on cost <strong>and</strong> schedule versus per<strong>for</strong>mance<strong>and</strong> reliability.Spacecraft are extremely complex, <strong>and</strong>program managers have always felt pressureto reduce costs <strong>and</strong> head count. Coupledwith the aging demographics of the spaceindustry work<strong>for</strong>ce, the pressure to minimizestaffing levels had decimated government<strong>and</strong> contractor systems engineering teams—sometimes depleting teams from five or sixdeep to one individual who may not haveenough technical breadth to underst<strong>and</strong> thepotential impact of design issues <strong>and</strong> themany problems that occur during production.This increased the chances that design errorswould go unidentified (<strong>and</strong> uncorrected) untilthey caused a failure. The lack of personnelalso led to a reduction in oversight of the8 • Crosslink Fall 2005