2. Rationale

The capability of the crew to control the spacecraft's flight path is a fundamental element of crew survival. The most robust satisfaction of this requirement is provided by direct manual control of the vehicle flight path, through an independent flight control system (bypassing the affected vehicle guidance, navigation, and flight control system failures). A minimum implementation of manual control allows for the crew to bypass the automated guidance of the vehicle by interfacing directly with the flight control system to affect any possible flight path within the capability of the flight control system. Limiting the crew to choices presented by the automated guidance function is not a valid implementation of manual control.  There have been several historical incidents demonstrating the effectiveness of manual control over automation leading to crew survival.  For further reading, see "Software Error Incident Categorizations in Aerospace" ⁵⁹⁶ and other citations listed under Resources.

3. Guidance

The capability of the crew to control the spacecraft's flight path is a fundamental element of crew survival. The most robust satisfaction of this requirement is provided by direct manual control of the vehicle flight path, through an independent flight control system (bypassing the primary flight software, which may be erroneous, or the affected vehicle guidance, navigation, and flight control system failures). A minimum implementation of manual control allows for the crew to bypass the automated software guidance of the vehicle by interfacing directly with the flight control system to affect any possible flight path within the capability of the flight control system. Limiting the crew to choices presented by the automated guidance function is not a valid implementation of manual control.   Providing a means of manual control to bypass software automation can also be considered a means of providing dissimilar software fault tolerance.   For more information regarding strategies to consider manual control in relation to software failure tolerance and historical incidents where manual control of flight path was utilized, please see Resources/References and "NESC Technical Bulletin 23-06: Considerations for Software Fault Prevention and Tolerance" ⁶⁸⁷.

For phases of flight where there is no active manual control of the spacecraft, such as when under passive parachutes, or when active control is not humanly feasible due to timing or safety risks, then manual control cannot be provided and this requirement would not apply.  For a space station, when there is no propulsion system available for reboost, then manual control of the flight path (orbital parameters) cannot be provided, and this requirement would not apply. During the atmospheric portion of Earth ascent (approximately the first 100,000 feet), where the trajectory and attitude are tightly constrained to maintain positive structural and thermal margins, the trajectory and attitude constraints are not typically available independent of guidance. In this case, if the only option is for the crew to follow guidance, then nothing is gained by manual control over automated control.  

For situations where manual control can be safely provided or accurately performed, the appropriate situational awareness tools to provide status, feedback, and flight control direction should be provided. Safe operation requires both accuracy of crew inputs and piloting handling qualities to meet human rating requirements. Tools include, but are not limited to, telemetry, displays, video, instrumentation, controls, and windows. Tools will be verified in a cockpit environment to ensure they are adequate to support manual control and operations.

See Topic 7.24 - Human Rated Software Requirements for other Software Requirements related to Human Rated Software. 

3.1 Software Tasks for Manual Control

To ensure that the crewed space system provides the capability for the crew to manually control the flight path and attitude of their spacecraft, except during the atmospheric portion of Earth ascent due to structural and thermal margins, the following software tasks should be implemented:

1. Manual Control Systems: Develop and implement robust manual control systems that allow the crew to take control of the spacecraft's flight path and attitude. These systems should be designed to function effectively and safely in all operational scenarios except during the specified atmospheric portion of Earth ascent.
2. Safety Analysis for Manual Control: Perform comprehensive safety analyses, including 8.07 - Software Fault Tree Analysis and 8.05 - Software Failure Modes and Effects Analysis, to identify and mitigate potential hazards associated with manual control. Ensure that manual control will not compromise structural and thermal margins during the atmospheric portion of Earth ascent and re-entry.
3. Human-Machine Interface (HMI): Design and implement an intuitive and user-friendly HMI that enables the crew to easily and effectively control the spacecraft's flight path and attitude. The interface should provide clear indications of when manual control is disabled due to atmospheric ascent conditions. The HMI design should take into consideration the Display Standards in Appendix F of NASA Spaceflight Human-System Standard, Volume 2: Human Factors, Habitability, And Environmental Health (NASA-STD-3001, Vol 2, Rev D). ⁴⁹⁸ 
4. Automated Transition to Manual Control: Design and implement automated systems that transition control to the crew once the spacecraft exits the atmospheric portion of Earth ascent. Ensure that this transition is seamless and does not introduce any hazards.
5. Redundancy and Fault Tolerance: Design and implement manual control systems that have redundancy and fault tolerance to allow the crew to automatically assume and maintain manual control of the flight path and attitude of their spacecraft even in the presence of faults or failures. This includes backup systems and failover mechanisms.
6. Real-time Monitoring and Alerts: Design and implement real-time monitoring systems that provide the crew with up-to-date information on the spacecraft's status and performance. This includes alerts for any conditions that may impact manual control capabilities.
7. Independent Verification and Validation (IV&V): Ensure independent verification and validation is performed to ensure that manual control systems meet specified requirements and function correctly under all operational conditions. IV&V activities should include rigorous testing and analysis of these systems.
   1. IV&V Analysis Results: Assure that the capability for the crew to manually control the flight path and attitude of their spacecraft has been implemented in the software and independently verified and validated to meet safety and mission requirements.
   2. IV&V Participation: Involve the IV&V provider in reviews, inspections, and technical interchange meetings to provide real-time feedback and ensure thorough assessment.
   3. IV&V Management and Technical Measurements: Track and evaluate the performance and results of IV&V activities to ensure continuous improvement and risk management.
8. Simulation and Testing: Perform extensive simulations and testing to verify that manual control systems can handle all nominal and off-nominal scenarios without compromising safety. This includes testing for unexpected conditions and boundary conditions. The flight operations team should participate in these simulations to thoroughly test the various conditions and scenarios.
   1. Code Coverage with MC/DC Criterion: Develop, implement, and execute test cases for all identified safety-critical software components to ensure that there is 100% code test coverage. This includes normal operations, failure modes, fault detection, isolation, and recovery procedures. Use the Modified Condition/Decision Coverage (MC/DC) criterion.
9. Configuration Management: Maintain strict configuration management to ensure that the correct software versions and configurations are used. This reduces the risk of errors due to incorrect or inconsistent configurations that could affect manual control capabilities.
10. Error Handling and Recovery Mechanisms: Implement robust error handling and recovery mechanisms to address errors detected during manual control. Ensure that error handling is adequate and that the system can recover from errors without leading to hazardous or catastrophic events.
11. Training and Documentation: Provide comprehensive documentation and training for the crew on how to use the manual control systems. This includes detailed procedures, troubleshooting guides, and emergency protocols to ensure the crew is well-prepared to handle any situation. This is best done by providing a User Manual with instructions and applicable information about each error/fault and how the system recovers from it.

By implementing these tasks, the crewed space system can be designed to provide the necessary capabilities for the crew to manually control the flight path and attitude of their spacecraft, ensuring mission success and safety, while considering the structural and thermal constraints during the atmospheric portion of Earth ascent.

3.2 Additional Guidance

Additional guidance related to this requirement may be found in the following materials in this Handbook:

3.3 Center Process Asset Libraries

See the following link(s) in SPAN for process assets from contributing Centers (NASA Only). 

4. Small Projects

No additional guidance is available for small projects. The community of practice is encouraged to submit guidance candidates for this paragraph.

5. Resources

5.1 References

5.2 Tools

6. Lessons Learned

6.1 NASA Lessons Learned

No Lessons Learned have currently been identified for this requirement.

6.2 Other Lessons Learned

No other Lessons Learned have currently been identified for this requirement.

7. Software Assurance

7.1 Tasking for Software Assurance

1. Ensure the development, implementation, and testing of robust control algorithms capable of managing critical functions with crew intervention for flight control. These algorithms must undergo thorough testing to guarantee their reliability and safety in all operational scenarios.
2. Ensure redundancy and fault tolerance are included in the design to ensure that critical functions can continue to operate autonomously or the crew can assume manual control of the flight path and attitude of the spacecraft, even in the presence of faults or failures. This includes implementing backup systems and failover mechanisms.
3. Ensure that Integrated real-time monitoring and diagnostic tools are used to continuously assess the health and status of critical systems and subsystems. These tools should detect anomalies and trigger autonomous responses to mitigate potential catastrophic events and alert the operators and crew of the situation for potential intervention.
4. Employ safety analysis techniques such as 8.07 - Software Fault Tree Analysis and 8.05 - Software Failure Modes and Effects Analysis to identify potential hazards and failure modes. This helps in designing controls and mitigations for the manual operation of critical functions.
5. Ensure extensive simulations and testing are conducted to verify that the crew can assume and manually control the flight path and attitude of their spacecraft, with the exception of the atmospheric portion of Earth ascent, and can handle all nominal and off-nominal scenarios. This includes testing for unexpected situations and boundary conditions.
6. Ensure strict configuration management to ensure that the correct software versions and configurations are used. This reduces the risk of errors due to incorrect or inconsistent configurations that could impact manual operations.
7. Ensure robust error handling and recovery mechanisms to address errors stemming from detected faults. This ensures that error handling is adequate and that the system can recover from errors without leading to hazardous or catastrophic events.
8. Perform safety reviews on all software changes and software defects.
9. Confirm that 100% code test coverage is addressed for all identified safety-critical software components or that software developers provide a technically acceptable rationale or a risk assessment explaining why the test coverage is not possible or why the risk does not justify the cost of increasing coverage for the safety-critical code component.
10. Analyze that the software test plans and software test procedures cover the software requirements and provide adequate verification of hazard controls, specifically that the crew can assume manual control of the flight path and attitude of the spacecraft under various conditions, including nominal and off-nominal scenarios. (See SWE-071 - Update Test Plans and Procedures tasks). Ensure that the project has developed and executed test cases to test the software system’s recovery from faults during manual operations.
11. Analyze the software test procedures for the following:
    1. Coverage of the software requirements.
    2. Acceptance or pass/fail criteria,
    3. The inclusion of operational and off-nominal conditions, including boundary conditions,
    4. Requirements coverage and hazards per SWE-066 - Perform Testing and SWE-192 - Software Hazardous Requirements, respectively.
12. Perform test witnessing for safety-critical software to ensure that the crew can assume manual control of the flight path and attitude of the spacecraft under various conditions, including nominal and off-nominal scenarios.
13. Confirm that test results are sufficient verification artifacts for the hazard reports.
14. Ensure comprehensive training and documentation for operators is available.

7.2 Software Assurance Products

1. 8.52 - Software Assurance Status Reports
2. 8.54 - Software Requirements Analysis
3. 8.55 - Software Design Analysis
4. 8.56 - Source Code Quality Analysis
5. 8.57 - Testing Analysis 
6. 8.58 - Software Safety and Hazard Analysis 
7. 8.59 - Audit Reports
8. Test Witnessing Signatures (See SWE-066 - Perform Testing)

7.3 Metrics

For the requirement that the crewed space system shall provide the capability for the crew to manually control the flight path and attitude of their spacecraft, except during the atmospheric portion of Earth ascent, the following software assurance metrics are necessary:

1. Verification and Validation Metrics:
   • Test Coverage: Ensuring that all scenarios, including manual control by the crew and its exceptions during Earth ascent, are covered by tests.
   • Defect Density: Tracking the number of defects found during testing per thousand lines of code to ensure software reliability.
   • Requirements Traceability: Ensuring that each requirement, including manual control capabilities and exceptions, is traced to its implementation and corresponding test cases.
2. Safety Metrics:
   • Hazard Analysis: Identifying and evaluating potential hazards related to manual control and ensuring adequate mitigation strategies are in place.
   • Safety-critical Requirements Compliance: Verifying that all safety-critical requirements are followed and adequately tested to prevent any failure during manual control operations.
3. Quality Metrics:
   • Code Quality: Metrics such as cyclomatic complexity and static analysis results ensure that the code is maintainable and less prone to errors.
   • Code Churn: Measuring changes in the codebase to monitor stability and identify areas of frequent modification that may need more rigorous testing.
4. Performance Metrics:
   • Response Time: Measuring the time taken for the system to respond to manual control inputs from the crew to ensure timely execution.
   • System Uptime: Ensuring that the system is available and operational when needed, especially during critical mission phases.
5. Configuration Management Metrics:
   • Version Control: Ensuring proper version control for all software components involved in manual control capabilities to track changes and maintain consistency.
   • Change Requests: Monitoring the number of change requests and their impact on the system's reliability and safety.
6. Training Metrics:
   • Personnel Training Completion: Ensuring that all personnel involved in the development, testing, and operation of the manual control system have completed the necessary training.
7. Independent Verification and Validation (IV&V) Metrics
   • IV&V Analysis Results: Provide assurance that the capability for the crew to manually control the flight path and attitude of their spacecraft has been independently verified and validated to meet safety and mission requirements.
   • IV&V Participation: Involving the IV&V provider in reviews, inspections, and technical interchange meetings to provide real-time feedback and ensure thorough assessment.
   • IV&V Management and Technical Measurements: Tracking and evaluating the performance and results of IV&V activities to ensure continuous improvement and risk management.

Examples of potential SA metrics are: 

• # of potential hazards that could lead to catastrophic events  
• # of Non-Conformances identified during each testing phase (Open, Closed, Severity)  
• Code coverage data: % of code that has been executed during testing  
• % of traceability completed for all hazards to software requirements and test procedures  
• # of hazards with completed test procedures/cases vs. total # of hazards over time  
• # of Non-Conformances identified while confirming hazard controls are verified through test plans/procedures/cases  
• # of Hazards containing software that has been tested vs. total # of Hazards containing software  
• # of safety-related Non-Conformances  
• # of Safety Critical tests executed vs. # of Safety Critical tests witnessed by SA  
• Software code/test coverage percentages for all identified safety-critical components (e.g., # of paths tested vs. total # of possible paths)   
• # of safety-critical requirement verifications vs. total # of safety-critical requirement verifications completed  
• Test coverage data for all identified safety-critical software components  
• # of Software Requirements that do not trace to a parent requirement  
• % of traceability completed in each area: System Level requirements to Software requirements; Software Requirements to Design; Design to Code; Software Requirements to Test Procedures
• % of traceability completed for all hazards to software requirements and test procedures
• Defect trends for trace quality (# of circular traces, orphans, widows, etc.)
• #  of Configuration Management Audits conducted by the project – Planned vs. Actual

These metrics ensure that the software supporting the crew's manual control capabilities is reliable, safe, and meets the specified requirements. For detailed guidance, referring to the Software Assurance and Software Safety Standard (NASA-STD-8739.8) and the NASA Procedural Requirements (NPR 7150.2) would provide a comprehensive framework.

See also Topic 8.18 - SA Suggested Metrics

7.4 Guidance

To ensure that the crewed space system allows the crew to control the spacecraft's flight path and attitude—except during the atmospheric portion of Earth ascent due to structural and thermal constraints, the following software assurance and safety tasks should be implemented:

1. Manual Control Systems: Ensure robust manual control systems for the crew to manage the spacecraft's flight path and attitude, except during atmospheric ascent, are developed and implemented.
2. Software Safety and Hazard Analysis: Develop and maintain a Software Safety Analysis throughout the software development life cycle. Assess that the Hazard Analyses (including hazard reports) identify the software components associated with the system hazards per the criteria defined in NASA-STD- 8739.8, Appendix A. (See SWE-205 - Determination of Safety-Critical Software) Perform these on all new requirements, requirement changes, and software defects to determine their impact on the software system's reliability and safety. Confirm that all safety-critical requirements related to the crew manually controlling the flight path and attitude (with exceptions) have been implemented and adequately tested to prevent catastrophic events during mission-critical operations. It may be necessary to discuss these findings during the Safety Review so the reviewers can weigh the impact of implementing the changes. (See Topic 8.58 – Software Safety and Hazard Analysis.)
   1. Hazard Analysis/Hazard Reports: Confirm that a comprehensive hazard analysis was conducted to identify potential hazards that could result from critical software behavior. This analysis should include evaluating existing and potential hazards and recommending mitigation strategies for identified hazards. The Hazard Reports should contain the results of the analyses and proposed mitigations (See Topic 5.24 - Hazard Report Minimum Content.)
   2. Software Safety Analysis: To develop this analysis, utilize safety analysis techniques, including 8.07 - Software Fault Tree Analysis and 8.05 - SW Failure Modes and Effects Analysis, to identify hazards related to manual control. Ensure it does not compromise safety during atmospheric ascent. When generating this SA product, see Topic 8.09 - Software Safety Analysis for additional guidance.
3. Human-Machine Interface (HMI): Design an intuitive HMI for easy crew control of the spacecraft, clearly indicating when manual control is disabled during ascent, is designed and implemented. The HMI design should take into consideration the Display Standards in Appendix F of NASA Spaceflight Human-System Standard, Volume 2: Human Factors, Habitability, And Environmental Health (NASA-STD-3001, Vol 2, Rev D). ⁴⁹⁸ 
4. Automated Transition to Manual Control: Ensure an automated system to seamlessly transfer control to the crew after exiting the atmospheric ascent phase, is designed and implemented.
5. Redundancy and Fault Tolerance: Ensure manual control systems have redundancy and fault tolerance to maintain functionality during faults and failures.
6. Real-time Monitoring and Alerts: Ensure real-time monitoring systems that provide the crew with current status information and alerts regarding manual control conditions, are designed and implemented.
7. Safety Reviews: Perform safety reviews on all software changes and defects to verify that the crew can assume and manually control the flight path and attitude of their spacecraft, with the exception of the atmospheric portion of Earth ascent, under various conditions, including nominal and off-nominal scenarios, that could result in a catastrophic event. This ensures that each fault has a fault detection mechanism and the modifications do not introduce new vulnerabilities or increase the risk of failure due to the fault.
8. Peer Reviews: Participate in peer reviews on all software changes and software defects affecting safety-critical software and hazardous functionality to verify that the crew can assume and manually control the flight path and attitude of their spacecraft, with the exception of the atmospheric portion of Earth ascent, under various conditions, including nominal and off-nominal scenarios. (See SWE-134 - Safety-Critical Software Design Requirements.) 
   1. Change Requests: Monitor the number of software change requests and software defects and their impact on the system's reliability and safety. Increases in the number of changes may be indicative of requirements issues or code quality issues resulting in potential schedule slips. (See SWE-053 - Manage Requirements Changes, SWE-080 - Track and Evaluate Changes.) 
9. Test Witnessing: Perform test witnessing for safety-critical software to verify that the crew can assume and manually control the flight path and attitude of their spacecraft, with the exception of the atmospheric portion of Earth ascent, under various conditions, including nominal and off-nominal scenarios. (See SWE-066 - Perform Testing.) This includes witnessing tests to:
   1. Confirm that the crew can assume and manually control the flight path and attitude of their spacecraft under various conditions without resulting in catastrophic consequences. This could include:
      1. Measuring the time taken for the system to detect and report faults to the crew so they can manually implement mitigation procedures in timely and accurate manner. A prolonged period could cause catastrophic consequences.
      2. Ensuring the system is available and operational when needed, especially during critical mission phases.
   2. Uncover unrecorded software defects and confirm they get documented and recorded.
   3. Confirm robust error handling and recovery mechanisms to address errors detected during manual control are implemented. This includes ensuring that the error handling is adequate and that the system can recover from errors without leading to hazardous or catastrophic events.
10. Simulation and Testing: Ensure extensive simulations and tests are performed to verify that manual control systems can handle all scenarios safely, including unexpected conditions.
11. Configuration Management: Ensure strict configuration management is maintained to ensure that only the correct software versions and configurations are used. (See SWE-187 - Control of Software Items for more information.) This proactive measure will significantly reduce the risk of errors due to incorrect or inconsistent configurations that could compromise monitoring and control capabilities. This also includes performing the SWE-187 tasking.
    1. Assess that the software safety-critical items, including the hazard reports and safety analysis, are configuration-managed (See SWE-081 - Identify Software CM Items tasking.)
12. Code Coverage: Confirm that 100% code test coverage is addressed for all identified safety-critical software components or ensure that software developers provide a risk assessment explaining why the test coverage is impossible or why the risk does not justify the cost of increasing coverage for the safety-critical code component. This includes normal operations, failure modes, fault detection, isolation, and recovery procedures. (See SWE-189 - Code Coverage Measurements, SWE-219 - Code Coverage for Safety Critical Software.)
13. Training and Documentation: Ensure comprehensive training and documentation are available for the crew on how to use manual control systems effectively.

By completing these tasks, the crewed space system will enable the crew to take control of their spacecraft confidently, ensuring mission success and safety while adhering to structural and thermal constraints during the atmospheric ascent phase.

7.5 Additional Guidance

Additional guidance related to this requirement may be found in the following materials in this Handbook: