
NASA Procedures and Guidelines

This Document is Obsolete and Is No Longer Used.
Check the NODIS Library to access the current version:
http://nodis3.gsfc.nasa.gov


NPR 8705.2A
Eff. Date: February 07, 2005
Cancellation Date: May 06, 2008

Human-Rating Requirements for Space Systems

| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | AppendixA | AppendixB | AppendixC | ALL |


CHAPTER 3. System Design Requirements


3.1 Two-Failure Tolerance

3.1.1 Space systems shall be designed so that no two failures result in crew or passenger fatality or permanent disability (Requirement 34419).

Note: System design for reliability is a definitive element of space systems. While hardware is designed for inherent reliability at the component level, it is preferred that the architecture of the system also provides protection against random failures and minimizes the probability of loss of mission, space system, crew, or passengers. In systems with relatively short periods of operation, or where dynamic flight modes (such as powered ascent) are involved, installed redundancy is the principal means of ensuring the system's reliability. In space systems with longer missions and/or more time for recovery from failures, maintenance, designed-in supportability, and logistics resupply are critical.

3.1.2 The Program Manager shall provide evidence and rationale that one or more of the following are met when requesting an exception, deviation, or waiver from the two-failure tolerance requirement (Requirement 34421).

  1. Two-failure tolerance is technically not feasible.
  2. The program manager demonstrates through analysis that redundancy does not reduce the critical system contribution to cumulative risk or the contribution of common cause failures to that critical system's failure.
  3. The system or subsystem, such as, but not limited to, structures, pressure vessels, and thermal protection systems, that is unable to meet the two-failure tolerance requirement will be designed and certified in accordance with approved standards.

3.1.3 The system shall be designed and operated so that neither two inadvertent actions during operation or in-flight maintenance nor a combination of one inadvertent action and one failure results in crew or passenger fatality or permanent disability (Requirement 34422).

Note:

  1. Inadvertent action includes, but is not limited to, out-of-sequence actions, wrong keystrokes, or inadvertent switch throws.
  2. Design is the preferred method to produce an error-tolerant system. If the system cannot be designed to prevent inadvertent actions, then the system must provide the user with a method to detect and correct the inadvertent actions. An operational control is the last resort to manage this. Training is not considered an operational control to manage error because training alone does not ensure that errors are prevented or that the results of the error can be detected and corrected unless the system provides feedback and controls that allow error correction or hazard mitigation.

3.1.4 The Program Manager shall provide evidence and rationale that one or more of the following are met when requesting an exception, deviation, or waiver to the two-inadvertent action requirement (Requirement 34424).

  1. Meeting the two-inadvertent action requirement is technically not feasible.
  2. The program manager demonstrates through analysis that redundancy does not reduce the critical system contribution to cumulative risk, or the contribution of common cause failures to that critical system's failure.
  3. The Program Manager has demonstrated by test data and comprehensive risk analyses that the system provides personnel with the capability to detect and recover from the inadvertent actions in time to prevent crew or passenger fatality or permanent disability.

Note: This requirement may be implemented through a top-down approach, a bottom-up approach, or an accident scenario analysis approach. Error tolerance may be implemented in the design, such as "ready-arm-fire" for the initiation of potentially hazardous sequences, or in the operation, through the use of multiple crewmembers required to perform hazardous tasks.

3.1.5 The space system shall provide human error management in the following order of precedence (Requirement 34426):

  1. The system design prevents human error.
  2. The system reduces the likelihood of human error and provides the capability for the human to detect and correct the error through the incorporation of systems, controls, and associated monitoring.
  3. The system provides a method to limit the negative effects of errors so that the error does not result in a fatality or permanent disability.

Note: The intent of this requirement is to first avoid errors and when that is not possible, to avoid the catastrophic consequences that the errors may produce. This can be accomplished by describing the system goals and functions, describing the situation, describing the task and jobs, analyzing where errors are likely to occur, estimating the probability of each error, estimating the probability that the error is not corrected, determining the worst case effects of the error, determining where error has the potential to cause fatality or permanent disability, and providing error management.

Error management uses the following principles of design:

  1. Prevent error (see Figure 5 for details).
  2. Provide redundancy to enable continued function after a failure.
  3. Isolate elements so that the failure does not cause another failure.
  4. Provide error detection and design failure limits, including the capability to sustain damage when the error occurs.
  5. Limit the negative consequences of the error.
  6. Design a failure path to control and direct the effects of the error.
  7. Allow for undefined, unforeseen errors.
  8. Consider adverse effects of foreseeable errors in the design, operation, and maintenance of the system.

Figure 5: Possible Methods to Prevent Error

3.1.6 Space systems shall not use emergency systems or contingency and emergency operations (such as fire suppression or crew escape) to satisfy the two-failure tolerance requirement or two-inadvertent action requirement (Requirement 34429).

3.1.7 Space systems shall not use abort as the first leg of failure tolerance (Requirement 34430).

3.1.8 If the Program Manager has been granted an exception, deviation, or waiver to the two-failure tolerance requirement or the two-inadvertent action requirement, the justification and documentation shall include the level of fault tolerance achieved, the quantitative evidence of reliability with applicable data, the design process used to achieve minimum risk, and evidence that the exception, deviation, or waiver has been documented in the program's critical items list including acceptance rationale (Requirement 34431).

Note: Applicable data is specific to the system or component being evaluated, using similar components under similar conditions.
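As an added illustration (not part of the NPR and not NASA code), the following Python enumerates every combination of up to two events, component failures and inadvertent actions in any mix, against a hypothetical oxygen-supply model and reports the minimal combinations that remove the critical function. Abort and emergency legs are modelled but never credited, per 3.1.6 and 3.1.7, and the tolerance level it reports is the figure a 3.1.8 waiver package must state. The system models, component names and inadvertent actions are constructed for the example.

```python
from itertools import combinations

# Hypothetical model of one critical function (crew oxygen supply) constructed for
# this example. Each leg lists the components that must all work for that leg to
# deliver the function. Legs flagged "abort" or "emergency" are modelled but never
# credited toward failure tolerance (3.1.6, 3.1.7).
TWO_STRING = {
    "legs": [
        {"name": "tank-A", "parts": {"tankA", "regA", "manifold"}},
        {"name": "tank-B", "parts": {"tankB", "regB", "manifold"}},  # shared manifold
        {"name": "abort-to-earth", "parts": {"abort-system"}, "abort": True},
    ],
    # Inadvertent actions (3.1.3): the components a wrong switch throw or keystroke removes.
    "inadvertent": {
        "close-manifold-isolation": {"manifold"},
        "vent-tank-A": {"tankA"},
    },
}

# Same function with three independent strings and no shared component.
THREE_STRING = {
    "legs": [
        {"name": "tank-A", "parts": {"tankA", "regA", "manifoldA"}},
        {"name": "tank-B", "parts": {"tankB", "regB", "manifoldB"}},
        {"name": "tank-C", "parts": {"tankC", "regC", "manifoldC"}},
        {"name": "abort-to-earth", "parts": {"abort-system"}, "abort": True},
    ],
    "inadvertent": {
        "close-manifold-A-isolation": {"manifoldA"},
        "vent-tank-A": {"tankA"},
    },
}


def credited_legs(system):
    """Legs that may count toward tolerance: emergency and abort paths excluded."""
    return [leg for leg in system["legs"]
            if not leg.get("abort") and not leg.get("emergency")]


def function_available(system, lost):
    """True if at least one credited leg has none of its parts in `lost`."""
    return any(not (leg["parts"] & lost) for leg in credited_legs(system))


def events(system):
    """Every single event: failure of any credited component, or one inadvertent action."""
    ev = {}
    for leg in credited_legs(system):
        for part in leg["parts"]:
            ev["fail:" + part] = {part}
    for name, parts in system["inadvertent"].items():
        ev["act:" + name] = set(parts)
    return ev


def find_violations(system, tolerance=2):
    """Minimal combinations of at most `tolerance` events (failures and/or inadvertent
    actions, in any mix) after which the function is unavailable. A combination is
    skipped when a subset of it is already a violation, so a single-point failure is
    reported once rather than inside every pair that contains it."""
    ev = events(system)
    names = sorted(ev)
    violations = []
    for k in range(1, tolerance + 1):
        for combo in combinations(names, k):
            if any(set(v) <= set(combo) for v in violations):
                continue
            lost = set().union(*(ev[n] for n in combo))
            if not function_available(system, lost):
                violations.append(combo)
    return violations


def is_two_fault_tolerant(system):
    """3.1.1 and 3.1.3 together: no two events of any kind remove the function."""
    return not find_violations(system, 2)


def fault_tolerance_level(system, max_k=3):
    """Largest n such that every combination of n events leaves the function
    available; the 'level of fault tolerance achieved' a 3.1.8 waiver must state."""
    ev = events(system)
    names = sorted(ev)
    for k in range(1, max_k + 1):
        for combo in combinations(names, k):
            lost = set().union(*(ev[n] for n in combo))
            if not function_available(system, lost):
                return k - 1
    return max_k


if __name__ == "__main__":
    for label, system in (("two-string", TWO_STRING), ("three-string", THREE_STRING)):
        print(label, "tolerance level:", fault_tolerance_level(system))
        for combo in find_violations(system):
            print("  violation:", " + ".join(combo))
```

Run against the two-string model the enumeration reports the shared manifold twice, once as a random failure and once as a single inadvertent isolation, which is the kind of zero-fault-tolerant item that belongs on the critical items list with its acceptance rationale; the abort leg contributes nothing to the count. The three-string model survives every pair and first fails at three events, so its reported level is 2.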

3.2 Human-System Interactions (Crew)

3.2.1 The space system shall provide a crew station, or equivalent interface, to provide the crew the capability to monitor, at a minimum, the health and status of critical functions (Requirement 34434).

Note: Within the context of this requirement, NASA defines "monitoring" as the ability to determine where the vehicle is, its condition, and what it is doing. Monitoring helps to create situational awareness that improves the performance of the human operator and enhances the mission.

3.2.2 The space system shall include a crew station or equivalent interface that provides the crew the capability to operate, at a minimum, the critical functions of the system (Requirement 34436).

Note: Operate is equivalent to control. Determining the level of operation over individual functions is a decision made separately for specific space systems. Specifically, if a valve or relay can be controlled by a computer, then that same control could be offered to the crew to perform that function. However, a crewmember probably could not operate individual valves that meter the flow of propellant to the engines, but the function could be replaced by a throttle that incorporates multiple valve movements to achieve a desired end state (reduce or increase thrust).

3.2.3 The space system shall provide the crew feedback for all human commands for critical functions (Requirement 34438).

Note: Feedback for human commands is a system communication that directly results from the user's input to the system and provides the user with information that allows him/her to determine if the input was received and what has been accomplished.

3.2.4 The space system shall provide the crew with the capability to reverse or correct inputs to critical functions from ground-control or flight crew that are physically reversible (Requirement 34440).

Note: Some inputs are not physically possible to reverse, such as pyrotechnic firing or activation of booster separation, and are not covered under this requirement.

3.2.5 The space system shall provide the crew accessibility to equipment involved in immediate and follow-up action that effects emergency recovery of the space system, such as, but not limited to, spacecraft compartment pressurization, life support, and emergency systems (Requirement 34442).

3.2.6 The space system shall provide the crew control over those systems that directly affect the performance of the crew (including, but not limited to, cabin temperature, cabin exterior/interior lighting, and radio volume) (Requirement 34443).

Note: This control will increase the probability of correct crew performance. Consequently, the crew will be less likely to make errors that cause loss of a critical function.

3.2.7 The space system shall provide the crew with the capability for manual override of higher-level software and automation (such as configuration change and mode change) when the transition from software/automation to manual control will not cause loss of critical functions (Requirement 34445).

3.3 Human-System Interactions (Ground Control)

3.3.1 The space system shall provide the ground control with the capability to monitor, at a minimum, the health and status of critical functions (Requirement 34447).

3.3.2 The space system shall provide the ground control the capability to operate, at a minimum, the critical functions of the system (Requirement 34448).

3.3.3 The space system shall provide the ground control feedback for all human commands for critical functions (Requirement 34449).

3.3.4 The space system shall provide the ground control with the capability to reverse or correct inputs to critical functions from ground-control or flight crew (Requirement 34450).

3.3.5 The space system shall provide the ground control with the capability for manual override of higher-level software and automation (such as configuration change and mode change) when the transition from software/automation to manual control will not cause loss of critical functions (Requirement 34451).

3.4 Crew Workload

3.4.1 The space system shall be designed so mission design, including task design, procedures, and scheduling, does not affect the ability of the crew to successfully operate the spacecraft (Requirement 34453).

Note: This requirement is intended to provide a spacecraft system where mission training and operations can be accomplished with reasonable workloads for the flight and ground control crews. The system accomplishes this through system architecture being developed in parallel with, and with consideration to, the operations concept of the vehicle including the specific mission and task design.

3.4.2 The space system shall provide the flight crew with human interfaces such that all tasks required of the flight crew meet a workload rating of 3 or better on the Bedford Workload Scale or the Modified Cooper-Harper Scale when tested by trained operators under simulated and actual flight conditions (Requirement 34455).

Note: One can measure the performance of the crew-system interface in terms of workload, performance, and errors. The Bedford Workload Scale (Roscoe, 1984) or the Modified Cooper-Harper Scale (Casali & Wierwille, 1983) measure workload and provide an estimate of how much workload margin is left over to perform additional tasks.

3.4.3 During periods of human-in-the-loop flight/ground path and attitude and directional control, the space system shall exhibit Level I handling qualities as defined by the Cooper-Harper Rating Scale when operated/flown by trained professionals under simulated and actual operational (flight) conditions (Requirement 34457).

Note: Systems such as a rover, space suit, or lunar base/processing system need Level I handling qualities for operations, whereas a flight system needs these for both flight and operations.

3.5 Fault Detection, Isolation, and Recovery

3.5.1 The system shall provide a fault detection, isolation, and recovery (FDIR) system for faults that affect critical functions (Requirement 34460).

3.6 Health and Status Data

3.6.1 The space system shall provide the capability to record health and status data of critical systems (Requirement 34462).

3.7 Autonomous Operation

3.7.1 The space system shall provide the capability for autonomous operation of critical functions (Requirement 34464).

Note: Autonomy from ground control is achieved through the ability of the crew to make decisions when input from the ground is unavailable or incomplete or when the situation is time-critical. Decision-making aids and/or expert systems that provide detailed information concerning potential system failure and recovery modes are methods that can be used when the ground support cannot be reached.

3.8 Crew and Passenger Survival for Generic System

3.8.1 The space system, such as a rover, lunar base, or other system, shall provide crew and passenger survival modes throughout the mission profile in the event of loss of a critical function (Requirement 34467).

3.9 Crew and Passenger Survival

3.9.1 The space system shall provide the crew and passengers with the capability for emergency egress to a safe haven during prelaunch activities (Requirement 34469).

3.9.2 The space system shall provide emergency egress, safe haven, and rescue post touchdown (Requirement 34470).

3.9.3 The space system shall provide crew and passenger survival modes throughout the ascent and on-orbit profile (from hatch closure until atmosphere entry interface) in the following order of precedence (Requirement 34471):

  1. Abort.
  2. Escape by retaining the crew and passengers encapsulated in a portion of the vehicle that can reenter without crew or passenger fatality or permanent disability.
  3. Escape by removing the crew and passengers from the vehicle.

    Note: The requirement is for survival modes to cover 100 percent of the ascent trajectory. The preferred method is for abort to cover 100 percent of the trajectory, thus returning the crew to the Earth in the spacecraft. Some architecture options that do not lend themselves to the 100 percent abort coverage will need to use the other methods to meet the intent of this requirement.

3.9.4 The program shall ensure that ascent survival modes can be successfully accomplished during any ascent failure mode including, but not limited to, complete loss of thrust, complete loss of control, and catastrophic booster failure at any point during ascent (Requirement 34473).

3.9.5 The space system shall provide crew and passenger survival modes throughout the descent profile (from entry interface through landing) in the following order of precedence (Requirement 34474):

  1. Design features that increase tolerance to loss of critical functions such that landing can still be accomplished.
  2. Escape.

    Note: A design feature such as a passive reentry mode is the preferred method of ensuring crew survival during reentry. Use of escape methods will be necessary for reentry vehicle designs that do not lend themselves to tolerance of loss of function.

3.9.6 The program shall ensure that the descent survival modes can be successfully accomplished for loss of critical functions including, but not limited to, loss of active attitude control and loss of primary power (Requirement 34476).

3.9.7 The space system shall provide the crew with the capability to select abort modes (Requirement 34477).

3.9.8 The space system shall provide the crew with the capability to initiate the abort sequence (Requirement 34478).

Note: This requirement does not preclude automatic initiation of an abort system as long as an override capability is provided.

3.9.9 The space system shall provide the crew with the capability to inhibit the abort system (Requirement 34480).

3.9.10 The space system shall provide the crew with the capability to initiate the crew escape system (Requirement 34481).

Note: This does not preclude automatic initiation of an abort or crew escape system. It is desirable for the flight crew to be able to override the initiation sequence, recognizing the fact that there are some failure modes, particularly on ascent, where the initiation of escape occurs rapidly to save the flight crew, and the crew does not have time to override the initiation.

3.9.11 The space system shall provide the crew with the capability to override automatic initiation sequences (Requirement 34483).

Note: This includes automatic initiation of the crew escape system and ground control initiation of the escape system.

3.9.12 The space system shall provide ground control with the capability to select abort modes (Requirement 34485).

3.9.13 The space system shall provide ground control with the capability to initiate the abort sequence (Requirement 34486).

3.9.14 The space system shall provide ground control with the capability to initiate the crew escape system (Requirement 34487).

3.9.15 The space system shall provide the capability to automatically initiate abort(s) during dynamic phases of flight (Requirement 34488).

Note: Automatic aborts may be required during dynamic phases of flight where the crew may be unable to activate the system quickly enough to ensure crew survival.

3.9.16 While on the ground or in space, the space system shall provide the capability to disable the crew escape system by mechanical means (such as a pin, handle, or lever lock) (Requirement 34490).

Note: This provides the capability to ensure that the crew escape system is not activated during egress and ingress.
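The "ready-arm-fire" interlock named in the note to 3.1.4, combined with the command feedback of 3.2.3, the reversal of 3.2.4, the crew inhibit and override of 3.9.9 and 3.9.11, and the mechanical disable of 3.9.16, as one added Python sketch that is not from the NPR and not any flight software. The state names, the action vocabulary and the `HazardInterlock` class are assumptions made for the example. The brute-force check at the end tests the 3.1.3 intent against the interlock itself: from SAFE no two actions in any order can fire it, while from READY or ARMED one wrong action is enough, which is why time spent in those states is kept short and covered by other controls.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    SAFE = "safe"
    READY = "ready"
    ARMED = "armed"
    FIRED = "fired"


@dataclass
class Feedback:
    """Returned for every command (3.2.3): was it accepted, what state resulted, and why."""
    accepted: bool
    state: State
    reason: str


@dataclass
class HazardInterlock:
    """Ready-arm-fire interlock for one hazardous function (a separation pyro, say).
    Hypothetical design constructed for this example; nothing here is from the NPR."""
    state: State = State.SAFE
    safing_pin_installed: bool = True   # 3.9.16: mechanical disable, installed for ingress/egress
    auto_inhibited: bool = False        # 3.9.9 / 3.9.11: crew inhibit of automatic initiation
    log: list = field(default_factory=list)

    def _respond(self, accepted, reason):
        fb = Feedback(accepted, self.state, reason)
        self.log.append(fb)   # every command, accepted or not, produces feedback
        return fb

    def command(self, action, source="crew"):
        """Apply one discrete action from the crew, ground, or an automatic sequencer."""
        if self.safing_pin_installed:
            return self._respond(False, "mechanical safing pin installed")
        if self.state is State.FIRED:
            return self._respond(False, "already fired; physically irreversible (3.2.4 note)")
        if action == "ready":
            if self.state is State.SAFE:
                self.state = State.READY
                return self._respond(True, "ready")
        elif action == "arm":
            if self.state is State.READY:
                self.state = State.ARMED
                return self._respond(True, "armed")
        elif action == "fire":
            if source != "crew" and self.auto_inhibited:
                return self._respond(False, "automatic initiation inhibited by crew")
            if self.state is State.ARMED:
                self.state = State.FIRED
                return self._respond(True, "fired by " + source)
        elif action == "safe":
            # Reversal (3.2.4): READY and ARMED can always be backed out.
            self.state = State.SAFE
            return self._respond(True, "returned to safe")
        else:
            return self._respond(False, "unknown action " + repr(action))
        # Out-of-sequence action: ignored, but the operator is told so.
        return self._respond(False, action + " ignored in state " + self.state.value)


ACTIONS = ("ready", "arm", "fire", "safe")


def fires_after(actions, start=State.SAFE, pin_installed=False, source="crew"):
    """Run a sequence of actions against a fresh interlock and report whether it fired."""
    interlock = HazardInterlock(state=start, safing_pin_installed=pin_installed)
    for action in actions:
        interlock.command(action, source)
    return interlock.state is State.FIRED


def tolerates_two_inadvertent_actions(start=State.SAFE):
    """Brute-force check of the 3.1.3 intent for this interlock: from `start`, no
    sequence of two actions in any order (repeats included) reaches FIRED."""
    return not any(fires_after((a, b), start) for a in ACTIONS for b in ACTIONS)


if __name__ == "__main__":
    for start in State:
        if start is not State.FIRED:
            print(start.value, "tolerates two inadvertent actions:",
                  tolerates_two_inadvertent_actions(start))
```

Two points the sketch makes concrete: the safing pin rejects everything regardless of state, so it is the right control for ingress and egress, and the crew inhibit blocks only non-crew sources, so the crew can still fire a system it has inhibited against automatic or ground initiation.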

3.10 Flight Control Systems

3.10.1 The system design shall prevent or mitigate the effects of common cause failures in time-critical software (e.g., flight control software during dynamic phases of flight such as ascent) (Requirement 34493).

Note: Specific implementation of this requirement can take different forms. The following methods have been used in human-rated systems and meet the intent of this requirement:

  1. Redundant independent software running on a redundant identical flight computer.
  2. Use of an alternate guidance platform, computer, and software (e.g., using the spacecraft guidance to control a booster).
  3. Use of nearly identical source code uniquely compiled for different, dissimilar processors.
  4. Regardless of the method used to mitigate the effects of common cause failures, there is no substitute for software quality and exhaustive, thorough testing. An appropriate testing and verification process includes Independent Verification and Validation (IV&V) with unit testing, path testing, stress testing, requirements verification, and manual code inspections.
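An added example, not from the NPR and not any flight software, of why identical redundant copies mask a random computer fault but vote a common-cause software defect straight through, and how a dissimilar channel turns that defect into a detectable miscompare for FDIR (3.5.1) to act on. The two guidance laws, their gains, the injected defect and the 2-of-3 voter are constructed for the example.

```python
import math

KP, KD = 0.8, 0.25   # hypothetical gains shared by both guidance laws


def pitch_cmd_primary(error_deg, rate_dps):
    """Primary pitch law, identical source on all three primary computers.
    Constructed to carry a common-cause defect: the damping term has the wrong sign
    when the attitude error is negative. Every primary channel computes the same
    wrong answer, so no vote among them can detect it."""
    if error_deg < 0:
        return KP * error_deg + KD * rate_dps   # defect: should subtract
    return KP * error_deg - KD * rate_dps


def pitch_cmd_backup(error_deg, rate_dps):
    """Dissimilar backup law written independently to the same requirement: works in
    radians and damps by predicting the error a fixed look-ahead time ahead instead
    of applying an explicit rate gain. Agrees with a correct primary within float error."""
    look_ahead_s = KD / KP
    predicted_rad = math.radians(error_deg) - math.radians(rate_dps) * look_ahead_s
    return math.degrees(KP * predicted_rad)


def majority_vote(outputs, tol):
    """2-of-3 select: a value at least two channels agree on (within tol), else None."""
    for candidate in outputs:
        if sum(1 for other in outputs if abs(candidate - other) <= tol) >= 2:
            return candidate
    return None


def flight_control_cycle(error_deg, rate_dps, random_fault_channel=None, tol=0.05):
    """One control cycle: vote the three identical primaries, then miscompare the
    voted result against the dissimilar backup (3.5.1 detection, 3.10.1 mitigation).
    `random_fault_channel` corrupts one primary's output to model a hardware fault."""
    primaries = [pitch_cmd_primary(error_deg, rate_dps) for _ in range(3)]
    if random_fault_channel is not None:
        primaries[random_fault_channel] += 50.0   # constructed: single-computer failure
    voted = majority_vote(primaries, tol)
    backup = pitch_cmd_backup(error_deg, rate_dps)
    miscompare = voted is None or abs(voted - backup) > tol
    # Hand-over policy: annunciate the miscompare and select the backup. Whether the
    # switch is automatic or crew-commanded (3.2.7) is a design decision, not shown here.
    selected = backup if miscompare else voted
    return {"primaries": primaries, "voted": voted, "backup": backup,
            "miscompare": miscompare, "selected": selected}


if __name__ == "__main__":
    print("nominal:          ", flight_control_cycle(5.0, 2.0))
    print("one computer bad: ", flight_control_cycle(5.0, 2.0, random_fault_channel=1))
    print("common-cause bug: ", flight_control_cycle(-5.0, 2.0))
```

With a positive error the three primaries and the backup agree; with one primary corrupted the voter masks it and the backup still agrees; with a negative error all three primaries return the same wrong command, the vote is unanimous, and only the backup disagrees. The miscompare says that the channels differ, not which one is right, which is the residual risk that item 4 above addresses with testing and IV&V rather than with more redundancy.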

3.10.2 During all phases of flight, the system shall provide the capability for manual control of flight path and attitude, when the human can operate the system within the structural, thermal, and performance margins without causing crew or passenger fatality or permanent disability (Requirement 34495).

3.11 Proximity Operations

3.11.1 Two crewed space systems conducting proximity operations shall have the capability to transmit and receive voice communications between each other (Requirement 34497).

3.11.2 When crewed and uncrewed space systems are performing proximity operations, the crewed space system shall have the capability to monitor the status of those systems on the uncrewed vehicle that are critical to the prevention of crew or passenger fatality or permanent disability (Requirement 34498).

3.11.3 When crewed and uncrewed space systems are performing proximity operations, the crewed space system shall have the capability to command those systems on the uncrewed space system that are critical to the prevention of crew or passenger fatality or permanent disability (Requirement 34499).

3.11.4 When crewed and uncrewed space systems are performing proximity operations, the ground control shall have the capability to monitor the status of those systems on the uncrewed vehicle that are critical to the prevention of crew or passenger fatality or permanent disability (Requirement 34500).

3.11.5 The crewed system shall provide the capability to confirm the environmental conditions of an unoccupied crew compartment prior to opening the hatch of that compartment (Requirement 34501).

Note: Environmental conditions include, but are not limited to, pressure, temperature, toxics, and oxygen.

3.11.6 The crewed space system shall provide the capability for manual flight control during proximity operations (Requirement 34503).

3.12 Flight Termination

3.12.1 Flight termination shall include features that allow sufficient time for abort or escape prior to activation of the destruct system (Requirement 34505).

Note: The Range is responsible for safety of the public and ultimately will determine if and when the need for flight termination exists. Design features on the space system will be required to ensure adequate time to engage crew survival modes (abort or escape) prior to initiating the flight termination function.




DISTRIBUTION:
NODIS

