The avionics system software for human-rated launch vehicles requires an implementation approach that is robust to failures, especially the failure of sensors used to monitor vehicle conditions that might result in an abort determination. Sensor measurements provide the basis for operational decisions on human-rated launch vehicles. This data is often used to assess the health of system or subsystem components, to identify failures, and to take corrective action. An incorrect conclusion and/or response may result if the sensor itself provides faulty data, or if the data provided by the sensor has been corrupted. Operational decisions based on faulty sensor data have the potential to be catastrophic, resulting in loss of mission or loss of crew. To prevent these later situations from occurring, a Modular Architecture and Generalized Methodology for Sensor Data Qualification in Human-rated Launch Vehicles has been developed.

The Sensor Data Qualification (SDQ) system receives inputs from system messages and data acquisition. The sensor data includes first-stage and upper-stage flight-critical sensors.
Sensor Data Qualification (SDQ) is a set of algorithms that can be implemented in onboard flight software, and can be used to qualify data obtained from flight-critical sensors prior to the data being used by other flight software algorithms. Qualified data has been analyzed by SDQ and is determined to be a true representation of the sensed system state; that is, the sensor data is determined not to be corrupted by sensor faults or signal transmission faults. Sensor data can become corrupted by faults at any point in the signal path between the sensor and the flight computer. Qualifying the sensor data has the benefit of ensuring that erroneous data is identified and flagged before otherwise being used for operational decisions, thus increasing confidence in the response of the other flight software processes using the qualified data, and decreasing the probability of false alarms or missed detections.

At a high level, SDQ is called by the flight computer, as required each cycle, to qualify a specific sensor or set of sensors. SDQ first determines the update-rate of the data, and obtains the specified data from the sensor data table. SDQ then consults the data provided by the Mission Manager Function to determine the appropriate subset of pre-defined algorithms, thresholds, and parameters to be used in qualifying specified sensor data. Next, appropriate algorithms are applied to the data. If a given algorithm determines that the data is faulty, the associated data signal accrues a strike from that algorithm for the current flight computer cycle, and the algorithm or algorithms that failed the data are recorded. Having run all applicable fault detection algorithms, the strike counters for each of the applicable algorithm/sensor pairs are then tested for the persistence of any failures. Sensors associated with data that meets persistence criteria are flagged as permanently failed.

Alternate embodiments of some of the qualification algorithms used in the Ares SDQ architecture have prior implementations that were incorporated into commercial data qualification development and analysis tools under the SureSense trademark. SureSense has been used to develop and implement real-time data qualification algorithms for ground-based nuclear power generation systems.

This work was done by Edmond Wong and Kevin J. Melcher of Glenn Research Center; William A. Maul, Amy K. Chicatelli, Thomas S. Sowers, and Christopher Fulton of QinetiQ North America; and Randall Bickford of Expert Microsystems, Inc.

Inquiries concerning rights for the commercial use of this invention should be addressed to NASA Glenn Research Center, Innovative Partnerships Office, Attn: Steven Fedor, Mail Stop 4–8, 21000 Brookpark Road, Cleveland, Ohio 44135. LEW-18633-1