Why today’s systems engineers should remember their pioneers

February/March 2021

Systems engineering and mission assurance were born in the days of large rockets and ever-larger spacecraft. The United States could not have caught up to the Soviet Union and reached the moon without these disciplines. Today, SE and MA remain relevant, but one must think about them differently. Retired U.S. Air Force Maj. Gen. Thomas “Tav” Taverney explains.

BY THOMAS “TAV” TAVERNEY

As the U.S. space community shifts toward smaller satellites operating in larger, more resilient constellations, we need to be sure we don’t forget lessons from the past. Whether we work for NASA or NOAA in the civil space arena, for a corporation in the commercial marketplace, or for the military or National Reconnaissance Office in national security space, our SE roots lie in Southern California.

There, in 1954, U.S. Air Force Gen. Bernard Schriever, the father of military space, teamed up with Simon “Si” Ramo, the uncle of military space and the R in TRW Inc., since acquired by Northrop Grumman Corp. Together, Schriever and Ramo began developing the concept of SE, especially as it applied to the development of technically complex space systems. An independent group of engineers would provide engineering oversight, requirements management, configuration control and interface control, the figurative glue that would bind the components of rockets, satellites or any complex mechanism into a smoothly functioning system. SE ensured that all the players worked together to properly produce the complex components that seamlessly form the final system. Therefore, when integrated as a whole, the system has a high probability of operating at the performance levels intended by the designers. The new SE discipline provided the foundation for the successes of the Thor, Atlas, Titan and Minuteman rockets, as well as the Defense Support Program missile warning satellites and the Defense Metrological Satellite Program weather satellites. SE was embraced by NASA in 1961 for the Mercury human spaceflight program. Along with SE, the modern field of mission assurance was born, and “Failure is not an option” became NASA’s mantra. If Apollo 13 flight director Gene Kranz did not say it, he probably thought it.

In these early days, SE practitioners began working with their colleagues in the mission assurance field with some urgency, given that the first space components were of uneven and inconsistent quality. Later, these processes were expanded to assure repeatable workmanship in complex systems. The emphasis of SE was to ensure the developed product fulfilled the requirements by verifying the interfaces, and the fit and tracking of components in multiple steps during development.

The emphasis of MA became validation, checking the actual and expected performance of the product. When we put the satellite in a thermal vacuum chamber for the final system checkout, we must be certain the components will work together to fulfill the mission and that the final integrated product will indeed meet performance requirements.

The ultimate goal of SE and MA is, of course, to build a quality product that meets requirements and performs the mission. For space systems, that means assuring that capabilities are available to, for instance, a soldier with a GPS unit, a scientist scouting for evidence of life beyond Earth, or a consumer with a smartphone who lives out of range of cell towers.

Ensuring that failure was not an option did not come cheaply. For successful programs, managers typically spent 8% to 12% of the contract value on SE, according to studies by the federally funded Aerospace Corp. in Los Angeles.

Exploiting new tools

Now it’s time to recognize that the advent of digital engineering and model based systems engineering tools have improved SE efficiency and cut costs without cutting rigor. We can utilize MBSE’s strengths by employing its modeling and simulation tools to make it an integral part of the technical baseline that includes the requirements, design, analysis, interfaces, implementation and verification.

Taken together, these advances will add up to robust SE that will improve cost, schedule performance, speed and agility.
Digital twins have emerged as a major component of digital engineering. We can test hardware on these precise renderings before we build the hardware and can therefore identify any problems early on. We also can decide what physical changes should be made to a system to improve it.

While historical levels of SE have been relatively consistent for successful programs, MA levels have always varied widely, with space launch vehicle programs having the largest amount of MA due to the conclusive nature of a failure. That level will likely remain consistent for the vehicles entrusted to deliver large, expensive satellites to orbit, something that won’t change until we fully move to resilient mission constellations. Likewise, MA investments will remain high for the large, expensive satellites themselves. Each satellite must be tested fully, and while that leads to longer schedules, it is necessary because there are not many of them, and no spares if they fail on orbit. But once there’s a production line of dozens or a hundred small satellites, managers can — or maybe must — be more tolerant of a launch failure or an occasional, underperforming satellite. The cost of reducing failure rates must be weighed against the operational impact of a failure and the cost it would have taken to prevent that failure. Maybe we need to certify at the component level and pull random satellites off the production line to test. It is probable that some very small number of problems will get through, but with cost and schedule as the big drivers, we likely can accept low failure rates versus adding significant costs to each and every satellite.

Looking to the auto industry

To perform SE and MA for these large production builds, we need to look outside the standard processes and procedures in the space industry. We should look to other industries that have confronted quality assurance for large production runs. SpaceX pioneered this approach in aerospace by bringing in experts from the automotive industry to help set up higher rate production capabilities. After all, the auto industry has high quality and robust digital engineering in its production facilities. While rockets and satellites will never be built in quantities like refrigerators or washing machines, we can look to such industries to sharpen our processes. Where quantities are large, and affordability is critical, each and every item likely will not be inspected, but representative systems will be pulled from production lines and heavily tested. Launch, however, is a uniquely space activity. Nothing was more damaging to success as low launch rates. As we increase launch rates, history has shown that reliability increases. Therefore, as we go to a much higher operating tempo, we need to do some rethinking or re-engineering of launch mission assurance.

As we move to proliferated constellations, we will apply SE and MA with digital engineering to accomplish robust processes while reducing the amount of testing for the hardware. Even so, we should not forget what Schriever, Ramo and Von Braun taught us about the criticality of SE in particular. In fact, SE will become even more critical but, in a different sense, supported by a combination of smart people and powerful tools, since it will have to apply across large constellations.

Greater need for speed

The new tools have arrived just in time, because we are moving into an era in which Russia and China have developed threats to our infrastructure, through hypersonic missiles. We are also in a situation in which our space assets, on which we have become so dependent, can be denied or eliminated by a determined adversary, like Russia or China, either temporarily or permanently. Significantly they are also building these systems on short development cycles of three to four years. Therefore, we must not only provide high-technology solutions, but we must field them quickly, affordably and in large enough numbers so that we can absorb losses and continue to operate our missions and assure capability availability to users. This evolution will require a bold shift away from today’s premium on stable requirements and the disdain for “requirements creep,” as it’s known. Our resilient large constellations will consist of many satellites built over years. Replenishment must be driven not just by satellite lifetimes but by significant changes in the threats. New and innovative thinking will be required. We no longer will develop identical clones. MBSE and digital engineering will enable processes for managing configuration changes between these builds.

As for MA, when we build larger quantities, we need to focus on building in quality during production, versus focusing so heavily on inspections or testing to find performance shortcomings. Adopting a continuous product improvement approach and anchoring it with strong MBSE makes every engineer a systems engineer. I suspect Schriever and Ramo would love this approach and wish they had MBSE and digital engineering tools in their day.

As we move forward with missions that must continue to operate in a now-hostile environment, we must respond with proliferation for resilience and a greater tolerance for failure. Schriever would say that we must still make SE and MA a critical part of that thinking, just in a different and more effective way.