Active mission success estimation through functional modeling


Abstract

Through the application of statistical models, the active mission success estimation (AMSE) introduced in this paper can be performed during a rapidly developing unanticipated failure scenario to support decision making. AMSE allows for system operators to make informed management and control decisions by performing analyses on a nested system of functional models that requires low time and computational cost. Existing methods for analyses of mission success such as probabilistic risk assessment or worst case analysis have been applied in the analysis and planning of space missions since the mid-twentieth century. While these methods are effective in analyzing anticipated failure scenarios, they are built on computational models, logical structures, and statistical models that often are difficult and time-intensive to modify, and are computationally inefficient leading to very long calculation times and making their ability to respond to unanticipated or rapidly developing scenarios limited. To demonstrate AMSE, we present a case study of a generalized crewed Martian surface station mission. A crew of four astronauts must perform activities to achieve scientific objectives while surviving for 1070 Martian sols before returning to Earth. A second crew arrives at the same site to add to the settlement midway through the mission. AMSE uses functional models to represent all of the major environments, infrastructure, equipment, consumables, and critical systems of interest (astronauts in the case study presented) in a nested super system framework that is capable of providing rapidly reconfigurable and calculable analysis. This allows for AMSE to be used to make informed mission control decisions when facing rapidly developing or unanticipated scenarios. Additionally, AMSE provides a framework for the inclusion of humans into functional analysis through a systems approach. Application of AMSE is expected to produce informed decision making benefits in a variety of situations where humans and machines work together toward mission goals in uncertain and unpredictable conditions.
Research in Engineering Design
ISSN 0934-9839
Res Eng Design
DOI 10.1007/s00163-018-0285-8
Ada-Rhodes Short1 · Robert D. D. Hodge2 · Douglas L. Van Bossuyt3 · Bryony DuPont1
Received: 31 May 2017 / Revised: 20 February 2018 / Accepted: 25 February 2018
© Springer-Verlag London Ltd., part of Springer Nature 2018
Keywords Risk · Functional modeling · Decision making · Mission success
AI Artificial intelligence
AMSE Active mission success estimation
CDF Cumulative distribution function
DRV Daily recommended value
EMU Extravehicular mobility units
EVA Extravehicular activity
FBED Functional basis for engineering design
FFD Functional flow diagram
FFIP Failure flow identification and propagation
ISRU In situ resource utilization
IVA Intra-vehicular activities
PDM Prognostic-enabled decision making
PHM Prognostics and health management
PRA Probabilistic risk assessment
SEV Surface exploration vehicle
WCA Worst case analysis
* Bryony DuPont
Ada-Rhodes Short
Robert D. D. Hodge
Douglas L. Van Bossuyt
1 Oregon State University, Corvallis, OR 97331, USA
2 Colorado School of Mines, Golden, CO 80401, USA
3 KTM Research, LLC, Tualatin, USA

1 Introduction

The development of risk analysis has been deeply linked to space exploration since the formalization of risk analysis methods following the Second World War. Both the era of space exploration and risk analysis of complex systems spawned from the technological progress of the Second World War and the advent of modern rocketry in the early twentieth century (Goddard 1920). The space race between the USA and the Soviet Union spurred the development of tools such as probabilistic risk assessment (PRA) (Kumamoto and Henley 1996) with the aim to closely examine complex system risk probabilistically and quantitatively.
At the same time, prognostics and health management (PHM) began to emerge. As increasingly complex systems were developed for space flight and exploration, it became imperative that engineers and operators have the ability to accurately and actively monitor system health and performance. Sensors were developed that could monitor every aspect of system operation, including phenomena that would otherwise have been imperceptible. Taking data from these sensors, models of system operation and health could be constructed that utilize condition-based analysis, laying the groundwork for modern PHM. In recent years, there has been increased interest in understanding the risk and health of complex systems during the early phase of design (Van Bossuyt and O'Halloran 2015; Van Bossuyt and Dong 2013; Van Bossuyt and Hoyle 2012; Van Bossuyt et al. 2013). However, a gap persists in the development of real-time risk-informed decision support tools for active and ongoing missions. Contemporary mission analysis and risk modeling methodologies require lengthy and extensive adjustment of system models and reanalysis when faced with unforeseen events. The resulting delay of the risk information needed for decisions can allow complex and dangerous scenarios to develop rapidly.
This paper presents the active mission success estimation (AMSE) method, which provides timely risk information to inform mission decisions made in crisis during rapidly evolving situations. Through adoption of a modular, risk-informed, object-oriented approach to mission modeling, health monitoring, and analysis, and active recalculation of the risk of mission failure as the mission progresses, a more accurate estimation of the probability of mission success can be developed, and mission-critical decisions with many possible options can be analyzed to help inform mission control decisions that increase the probability of total mission success.

The performance of AMSE necessitates that all mission-critical components be modeled thoroughly using risk analysis and prognostic techniques, and that the models be developed for modularity to enable rapid rearrangement of the model elements to evaluate available decision outcomes and estimate each outcome's mission success probability. To effectively represent a mission framework, a functional modeling method is presented in which environments of interest and relevance can nest within each other and contain the systems of interest within a super system. This nested super systems approach to modeling is used to determine what environmental hazards are present and whether these hazards can cause damage to the system of interest. Modeled mission tasks are analyzed including internal and external system risks and hazard-mitigating factors, such as nested functional modeling environments representing protective barriers. The AMSE method presented in this paper is demonstrated on a case study of a crewed multiyear scientific mission on the surface of Mars for the establishment of a permanent scientific base. In the case study, the eight astronauts constitute the systems of interest, and their safety and survival are considered the metric for mission success.
1.1 Specific contributions
This paper presents the AMSE method for the real-time estimation of risk during a space mission case study through the utilization of risk analysis techniques and functional modeling. The AMSE method provides decision-makers with up-to-date risk information at critical mission decision points. The AMSE method uses a form of nested functional models to analyze the influence of various layers of environmental protection such as space suits, vehicles, or structures. These protective layers can either provide protection to the systems of interest directly, protect mission-critical systems outside of the subject of interest, or protect each other through layering systems in a nested structure. The AMSE functional modeling technique takes a dynamic systems approach to provide a comprehensive picture of the interactions between various mission components. AMSE provides a rapid and active estimation of current mission success, as well as projections of probable total mission success based upon potential decisions. Through active analysis of the probability of mission success at decision points, the probability of total mission success can be optimized, allowing for greater mission safety and potentially greater scientific yield. Additionally, the object-oriented modular nature of the AMSE method enables fast adaptation to unexpected mission scenarios. Though AMSE was developed for application in risk analysis of a space mission operations case study, AMSE can be easily adapted for use with any complex system and has potential applications for autonomous decision making.
1.2 Assumptions
AMSE depends on the validity of multiple informed assumptions. The first assumption is that the functional model used is of an appropriate level of detail to be accurate. To ensure this, we have used established functional modeling taxonomy and development standards.

Second, it is assumed that the failure distribution for a mission can be represented by an exponential distribution. The exponential distribution describes processes in which events occur continuously and independently at a constant average rate (a Poisson process). A consequence of the constant hazard rate is that the estimated probability of surviving the remainder of the mission does not depend on how long a system has already operated; wear-out and degradation must therefore enter the analysis through the system health (PHM) models rather than through elapsed time. Under different missions that we did not consider, there may be situations in which risk cannot be described as continuous or independent, and in those cases an alternative distribution should be used.

The third assumption is that failures of individual sub-systems can be considered independent. This should be the case if a system is properly decomposed into a functional model in which all functions of a system are separated. At this level of decomposition, failures that may be correlated in the whole system are instead connected through flows and failure propagation.
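As an added illustration of the second and third assumptions (this example is not part of the original paper), the following Python block checks the exponential failure probability numerically against its closed form, shows that under the exponential assumption the re-estimated probability of surviving the rest of a 1070-sol stay does not depend on how many sols have already elapsed, contrasts this with a Weibull wear-out distribution where the elapsed sols do lower the estimate, and shows that independent sub-systems that must all survive have additive hazard rates. The hazard rates (one failure per 2000 sols and so on) and the Weibull scale and shape are constructed values, not figures from the paper.

```python
"""Checks on AMSE assumptions 2 (exponential, Poisson-process failures) and
3 (independent sub-systems). Added example; all rates are constructed values."""
import math

def pdf_exp(lam, tau):
    """Eq. (3): exponential failure-time PDF, lambda * exp(-lambda * tau)."""
    return lam * math.exp(-lam * tau)

def failure_exp(lam, t):
    """Eq. (4) in closed form: F(t) = 1 - exp(-lambda * t)."""
    return 1.0 - math.exp(-lam * t)

def failure_exp_numeric(lam, t, n=20000):
    """Eq. (4) by midpoint-rule integration of the PDF from 0 to t."""
    h = t / n
    return h * sum(pdf_exp(lam, (i + 0.5) * h) for i in range(n))

def survival_exp(lam, t):
    """Eq. (5): R(t) = 1 - F(t) = exp(-lambda * t)."""
    return 1.0 - failure_exp(lam, t)

def survival_weibull(scale, shape, t):
    """Weibull survival exp(-(t/scale)^shape). shape == 1 is the exponential
    case with lambda = 1/scale; shape > 1 models wear-out (rising hazard)."""
    return math.exp(-((t / scale) ** shape))

def conditional_survival(survival, t_now, t_end):
    """Active re-estimate at t_now: P(alive at t_end | alive at t_now) = R(t_end)/R(t_now)."""
    return survival(t_end) / survival(t_now)

def memoryless_gap(lam, t_now, t_end):
    """Exponential case: conditional survival of the remaining interval minus the
    unconditional survival of an interval of the same length. Zero up to rounding:
    elapsed time carries no information when the hazard rate is constant."""
    cond = conditional_survival(lambda t: survival_exp(lam, t), t_now, t_end)
    return cond - survival_exp(lam, t_end - t_now)

def wearout_gap(scale, shape, t_now, t_end):
    """Same comparison for a Weibull wear-out sub-system. Negative when shape > 1:
    the sols already accumulated raise the hazard, which an exponential model
    can only reflect if the health (PHM) model lowers the survival estimate."""
    cond = conditional_survival(lambda t: survival_weibull(scale, shape, t), t_now, t_end)
    return cond - survival_weibull(scale, shape, t_end - t_now)

def series_survival(rates, t):
    """Assumption 3: independent exponential sub-systems that must all survive.
    The product of their survivals equals exp(-(sum of rates) * t), so the
    hazard rates of such a series system simply add."""
    return math.prod(survival_exp(lam, t) for lam in rates)

if __name__ == "__main__":
    MISSION = 1070                      # sols, as in the case study
    lam = 1 / 2000                      # constructed: one failure per 2000 sols
    print("F(1070) closed form", failure_exp(lam, MISSION),
          "numeric", failure_exp_numeric(lam, MISSION))
    print("exponential re-estimate gap at sol 570:", memoryless_gap(lam, 570, MISSION))
    print("Weibull (shape 2) re-estimate gap at sol 570:", wearout_gap(2000, 2.0, 570, MISSION))
    print("three independent sub-systems:", series_survival([1/2000, 1/5000, 1/800], MISSION))
```

The practical reading: when a sub-system is known to wear out, representing it with a constant hazard rate and letting only the PHM health term move is what keeps the AMSE re-estimate honest; the Weibull comparison shows how large the error is when neither is done.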
2 Background
AMSE builds on the topics of decision theory, functional modeling, risk analysis, and PHM. Existing mission success estimation methods rely on worst case analysis (WCA) (Ye 1997; Nassif et al. 1986) or probabilistic risk assessment (PRA) (Modarres et al. 2011; Mohaghegh et al. 2009). WCA, PRA, and other related methodologies are adept at analyzing potential foreseeable failure scenarios, but suffer in their ability to perform in situations where rapid reconfiguration of the model is necessary. Such model reconfigurations are needed during rapidly developing situations, such as those faced in a space mission disaster.
2.1 Functional modeling
Functional modeling encompasses a variety of methods used to represent and model the functionality of a system. Functional models include many sub-functions, representing work performed in the system as flows (the passage of materials, information, and energy) between functions and sub-functions. In addition to flows internal to the system, import flows and export flows enter and exit the system boundary. A popular way to represent a functional model is through flow block diagrams, also often interchangeably referred to as functional flow diagrams (FFD) (Blanchard and Fabrycky 1990; Bohm et al. 2005). FFDs are useful for modeling systems with direct unidirectional flows passing between a variety of functions, in which clear system inputs and outputs can be defined. One issue with many existing methodologies for functional modeling is that they are difficult to apply to systems that are less linear, resulting in tangled networks of functions and flows that are difficult or impractical to analyze, or that must be simplified to the point where they provide an inaccurate representation of the system and its associated dynamics.
The Functional Basis for Engineering Design (FBED) (Bryant et al. 2005; Hirtz et al. 2002; Kurtoglu et al. 2005; Stone and Wood 2000) provides concise definitions of functions and flows that describe all possible engineered systems. Through the use of FBED, we can construct functional models of complex systems using a common taxonomy of functions and flows. The process of developing an FBED model is:

1. Generate a black box model. This takes the highest-level-possible view of the system and only considers flows into and out of the overarching system model.
2. Create function chains for each input flow and order them with respect to time. This step consists of following a flow from its entrance into the system, through all sub-systems that interact with the flow, and finally exiting the system. All sub-systems that interact with the flow should then be placed into chronological order from the perspective of the flow.
3. Aggregate function chains into a functional model. In Step 3, the final step of FBED, the function chains are combined to determine the underlying functional structure of the system.

FBED is utilized in this paper due to the advanced development of failure analysis methods that are built upon FBED (Jensen et al. 2008; Kurtoglu et al. 2010; O'Halloran et al. 2015; Ramp and Van Bossuyt 2014; Stone et al. 2005).
2.2 Space mission risk assessment
Many risk assessment modeling techniques attempt to represent trends of physical failure through the application of various failure distributions. One common method is the use of a hazard rate λ, which describes the expected number of failures per unit time. The hazard rate can be used in a failure distribution such as an exponential distribution (Eq. 1) to calculate the probability of survival of a system or sub-system at a given time t (Wertz et al. 2011):

$$R(t) = e^{-\lambda t} \quad (1)$$

The expected survival probability can then be subtracted from 1 (Eq. 2) to find the failure rate, here meaning the probability that the system will have failed by time t:

$$F(t) = 1 - R(t) = 1 - e^{-\lambda t} \quad (2)$$

The failure rate (or related metrics) appears in a wide variety of risk assessment methods, but many additional and more complex techniques exist for evaluating the risk of failure of a system. One such method is failure flow identification and propagation (FFIP) (Kurtoglu et al. 2010; Jensen et al. 2008). FFIP uses a functional modeling approach based on a function block diagram structure (Stone and Wood 2000). FFIP can be enhanced to enable mission control, navigation, and autonomous decision making through the application of failure flow decision functions (FFDF) (Short et al. 2015, 2017). FFDF is a tool that determines an optimal decision when faced with problems of controlling or designing a system to maximize system survivability. Specific to the case study employed in this paper, space mission risk assessment can also be applied to control of autonomous systems to maximize mission success while minimizing human work hours (Short and Van Bossuyt 2015; Mimlitz et al. 2016; Short et al. 2016; Friedenthal et al. 2014; Mohaghegh et al. 2009; Kumamoto and Henley 1996).

While many of the existing methods are robust, they suffer from lengthy setup and analysis processes. The heavy computational cost of these existing methodologies has made active mission assessment infeasible until now.
2.3 Prognostics andhealth management
Prognostics and health management (PHM) is a suite of analytical tools and methods used to predict and prevent failures in mechatronic systems (Sheppard et al. 2014). There are diverse approaches to PHM that are typically tuned to specific applications or industries (Hutcheson et al. 2006; Balaban et al. 2013). A common PHM case study for development of models is battery health (Xing et al. 2011). Much research has been conducted on the important issues of battery capacity depletion (Saha and Goebel 2009), optimization of battery life (Saha et al. 2012), generation of battery health data (Saha and Goebel 2007; Widodo et al. 2011), and application of battery PHM analysis (Saha et al. 2011). While battery health is a common case study, partially due to the large quantity of available data (Saha and Goebel 2007) and partially a result of general acceptance within the field, the methods and techniques are generalizable to a wide variety of systems and applications such as electrical actuators (Keller et al. 2006), transmissions and gearboxes (Zhang and Isom 2011), and other components and systems (Pecht 2008).

PHM analysis can be used to inform a decision with the optimum level of risk through prognostic-enabled decision making (PDM) (Sweet et al. 2014; Herr et al. 2014; Nathalie et al. 2016). PDM is a valuable method in health management of complex systems, because it allows succinct modeling of potential damage caused by the failure of a subsystem or individual part. Some PHM techniques model not only the mechatronic system itself, but also the physical interactions it encounters, such as mobility and environmental interface, control systems, structural actions, and hazards (Balaban et al. 2013; Frost et al. 2013). In this paper, we extend PHM methods to include the consideration of humans as additional sub-systems, which to our knowledge has not been done before.
3 Methodology
The AMSE method presented here is based on a nested super system approach to space mission risk assessment that allows for the active estimation of mission success during an ongoing mission. Using techniques derived from functional modeling of systems, FFIP, and related methods, in conjunction with concepts taken from decision theory, risk analysis, and PHM, AMSE is capable of providing useful insights when making mission control decisions by rapidly analyzing potential options when confronted with unanticipated and previously unanalyzed scenarios. In this section, we present the AMSE method using a case study of a Mars mission. First, two pre-steps are presented, then three primary phases (modeling, analysis, and interpretation) are shown.
3.1 Pre‑step 1: Mission success definition
To glean insight from AMSE, both a definition of mission success and a quantifiable method for evaluating success must first be established. In many cases, mission success can be defined as a primary system (or systems) of interest surviving the length of the mission. One example of a system of interest surviving the length of a mission is a planetary exploration rover remaining functional for the entire duration of the planned mission. To determine the probability of survival of a primary system of interest and the related probability of mission success, a survival rate must be calculated. A survival rate, written here as R(t), takes the form of the complement of a cumulative distribution function (CDF): it represents the probability that the system of interest will not have experienced a failure by time t. One common form for a survival rate is the exponential survival rate, which is found by subtracting the exponential failure rate, F(t), from 1 as shown in Eq. (5). The exponential failure rate is found by integrating the probability density function (PDF) form of the exponential failure distribution, f(τ), which gives the probability density of a failure occurring at the instant τ given a hazard rate λ, the expected number of system failures per unit time. Equations (3), (4), and (5) define f(τ), F(t), and R(t), respectively (Pinto and Garvey 2012). These and other forms of failure distributions, such as system-specific PHM models, are an integral part of the AMSE methodology and necessary for the development of failure models:

$$f(\tau) = \lambda e^{-\lambda \tau} \quad (3)$$

$$F(t) = \int_0^t \lambda e^{-\lambda \tau}\, d\tau = 1 - e^{-\lambda t} \quad (4)$$

$$R(t) = 1 - F(t) = e^{-\lambda t} \quad (5)$$

3.2 Pre-step 2: Functional model development

The AMSE method requires a series of functional models to represent every major system involved in the mission, as well as their individual behavioral and system health characteristics. We used the FBED method of functional modeling because it clearly represents energy, material, and data flows. PHM information that can be collected from systems in real time must be identified in this step and built into the functional model where applicable. This information is encoded into the mathematical models developed below.
3.3 Phase 1: Modeling
In Phase 1 of the AMSE method, seven distinct steps are performed to develop the AMSE model. Figure 1 graphically shows the seven steps.

3.3.1 Step 1: Create a nested functional model

The first step consists of creating a metamodel of all major mission systems (previously modeled in the pre-steps above) within a nested super-system framework. This is performed by first modeling each individual system using traditional FBED methods (pre-step 2), before placing the individual systems into a nested super systems structure. An example functional model of a surface exploration vehicle (SEV) can be seen in Fig. 2. A graphical representation of the AMSE nested super systems structure for a Mars crewed surface exploration mission can be seen in Fig. 3. In Fig. 3, the outermost "system" is the space environment in the solar system that contains the Sun, Earth, Mars, and a communications satellite. Mission Control is defined as part of the Earth "system". The SEV, the Martian surface habitat, and the EVA suit are located within the "Mars" system. Within the EVA suit, the astronaut is found. Thus, the astronaut (the system of interest in the case study presented in the next section) is inside three larger systems. Under this method, flows can pass between systems while crossing the boundaries of environmental or protective systems such as an SEV, space suit, or the Martian surface habitat module. This allows for the entire system to be modeled and to represent environmental hazards and the various levels of protection that prevent and mitigate system failure. Additionally, the effects of the current health of each layer of protection on the system of interest can be determined through application of PHM and risk analysis models and information (identified in pre-step 2) for each individual system.
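To make the nested super system concrete, the following Python block (an added example, not code from the paper or its authors) builds the Fig. 3 nesting as a tree, carries hazard flows inward across each boundary between their source layer and the astronaut, and lets the astronaut be re-nested in a different layer to reflect a reconfiguration. The attenuation fraction of each layer, the rule that a layer's health scales its attenuation, the hazard rates at their sources, and the rule that hazards from layers the astronaut is not nested inside do not reach the astronaut are all assumptions made for the example.

```python
"""Nested super-system hazard propagation (Phase 1 Step 1) as a runnable toy.
Added example; layer attenuation factors and hazard rates are constructed values."""
import math
from dataclasses import dataclass, field

@dataclass
class Layer:
    """An environment or protective system. attenuation maps a hazard flow name to
    the fraction of that flow the layer blocks at full health; health (0..1) scales
    that fraction (assumed PHM coupling). children are the systems nested inside."""
    name: str
    attenuation: dict = field(default_factory=dict)
    health: float = 1.0
    children: list = field(default_factory=list)

def find_path(root, target):
    """Layers from root down to the layer named target; [] if not nested under root."""
    if root.name == target:
        return [root]
    for child in root.children:
        path = find_path(child, target)
        if path:
            return [root] + path
    return []

def detach(root, name):
    """Cut the subtree named name out of the model and return it (None if absent)."""
    for child in list(root.children):
        if child.name == name:
            root.children.remove(child)
            return child
        found = detach(child, name)
        if found is not None:
            return found
    return None

def move(root, name, new_parent):
    """Reconfigure the nest: re-parent a system (e.g. the astronaut) under another layer."""
    node = detach(root, name)
    find_path(root, new_parent)[-1].children.append(node)

def residual_hazards(root, target, hazards):
    """Carry each hazard flow inward from its source layer across every boundary down
    to the target. hazards: [(source layer, flow, rate at source, failures per sol)].
    Returns {flow: rate reaching target}. Assumption: a flow whose source is not one
    of the layers enclosing the target never reaches it."""
    path = find_path(root, target)
    names = [layer.name for layer in path]
    reaching = {}
    for source, flow, rate in hazards:
        if source not in names:
            continue
        for layer in path[names.index(source) + 1:-1]:   # layers crossed, target excluded
            rate *= 1.0 - layer.attenuation.get(flow, 0.0) * layer.health
        reaching[flow] = reaching.get(flow, 0.0) + rate
    return reaching

def survival_over(root, target, hazards, own_rate, duration):
    """Eq. (5) for the target: hazard = its own rate plus what penetrates the nest."""
    lam = own_rate + sum(residual_hazards(root, target, hazards).values())
    return math.exp(-lam * duration)

def build_model():
    """Fig. 3 layout: Solar system > Mars > {surface habitat, SEV, EVA suit > astronaut}."""
    astronaut = Layer("astronaut")
    suit = Layer("EVA suit", {"radiation": 0.2, "dust": 0.9}, children=[astronaut])
    habitat = Layer("surface habitat", {"radiation": 0.9, "dust": 1.0})
    sev = Layer("SEV", {"radiation": 0.5, "dust": 1.0})
    mars = Layer("Mars", {"radiation": 0.3}, children=[habitat, sev, suit])
    return Layer("Solar system", children=[mars])

# constructed hazard flows: (source layer, flow, rate at source in failures per sol)
HAZARDS = [("Solar system", "radiation", 0.01), ("Mars", "dust", 0.004)]

def astronaut_hazard(location="EVA suit", suit_health=1.0):
    """Total external hazard rate at the astronaut when nested inside `location`,
    with the EVA suit at the given health."""
    model = build_model()
    find_path(model, "EVA suit")[-1].health = suit_health
    if location != "EVA suit":
        move(model, "astronaut", location)
    return sum(residual_hazards(model, "astronaut", HAZARDS).values())

if __name__ == "__main__":
    for where, h in [("EVA suit", 1.0), ("EVA suit", 0.5), ("SEV", 1.0), ("surface habitat", 1.0)]:
        print(f"{where:16s} suit health {h:.1f}: {astronaut_hazard(where, h):.4f} /sol")
```

Because every layer is just a node with its own health, a PHM update (a torn suit, a habitat seal at reduced pressure) is one field change, and re-running `residual_hazards` gives the new hazard at the system of interest without rebuilding any model.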
3.3.2 Step 2: Define critical system(s) of interest and critical flows

In the case of a functional model of a single system, critical functions and flows are defined as elements of the functional model that must be operational for the system not to be in a failure state (Lucero et al. 2014). In the context of super systems representing a mission framework, the idea of critical functions and flows is extended from the functional level to the system level, and a critical system of interest is defined. A critical system (or systems) of interest is a system that must be functioning in order for the mission to be considered not failed. For example, in the case of a rover mission, the critical system of interest is the rover, and for the case of a crewed space mission, each member of the crew is considered a critical system of interest. Step 2 concludes once the critical system(s) have been identified and defined.
3.3.3 Step 3: Develop mathematical models to represent graphical functional models, their health, failure distributions, and how failures relate to each other

The third step of the AMSE method consists of developing a mathematical model to represent the graphical functional model and the risk and PHM information developed in the second pre-step. This mathematical model serves as the computational basis of analysis of the system. Building on previous work on failure analysis and PHM in functional models, the logic by which failure propagates can be described and analyzed (Short et al. 2015, 2017).

Fig. 1 Phase 1, modeling, process flow: create a nested functional model of the mission; define the critical sub-systems and flows; develop mathematical models to represent the functional model; define a general mission plan; create task modules; organize tasks into a task plan; order task plans within the mission plan; perform analysis of the system.

Fig. 2 Functional model of an SEV (flows shown include collectable energy, electrical energy, digital signal, visual information, position information, rotational work, translational work, thermal energy, radiation energy, and driving control signal; functions include store, direct and process gas, generate heat, record visual, process signal, and electric-to-rotation energy conversions).

Fig. 3 Nested super systems functional model.
In the AMSE method, it is important to assign failure distributions to systems and to accurately represent how failure is passed between systems (Upadhyay 2010). These failure distributions describe the instantaneous hazard rate of the system. PHM condition-based failure distributions must be selected that are dependent on the flows passed into and out of the system, and they are often dependent on the time over which the system is utilized (though not exclusively; they could instead depend on resources such as the flow of cooling fluid at appropriate levels or available energy). Additionally, for systems for which PHM models have not been developed, several common forms of failure distributions can be used, such as the Weibull distribution, the normal distribution, and the exponential distribution (Upadhyay 2010). However, for many systems, more complex prognostic health models have been developed and can be integrated into the mathematics of the system models (Goebel et al. 2008; Saha et al. 2009; Gao et al. 2002; Daigle et al. 2011).

Once the individual systems have been analyzed to determine how failure will propagate (Jensen et al. 2009; Kurtoglu and Tumer 2007; Short et al. 2017), the entire nested super system assembled in Step 1 can be modeled. The super system model is constructed in the same manner as a single functional model, but with systems in the place of sub-systems. The end product is a mathematical representation of a risk-informed functional model that can track the passage of flows between all mission systems and actively report an estimated system health.
3.3.4 Step 4: Define amission plan
A mission plan is used in AMSE to develop future scenarios for automatic mission success probability calculation. The mission plan includes the planned operations and objectives to be completed over the course of a mission. We suggest that the mission plan start loosely, with only primary mission objectives and milestones defined at first; the secondary objectives and operations that must be completed to facilitate the performance of objectives can then be developed. For use with AMSE, the mission plan is then broken down further into actionable items that can be completed by systems in the mission. These actionable items are referred to as "tasks" for the rest of this paper. Examples of tasks for a rover include driving a specific distance, performing a scientific operation, or communicating with Earth. For the case of a crewed space mission, tasks may include EVAs, the performance of experiments, or health-related tasks such as eating and sleeping.
3.3.5 Step 5: Develop task modules
Task modules are important to develop for the AMSE method, because AMSE uses tasks to automatically plan how mission objectives can be completed when analyzing potential decision choices. Task modules include the duration for which a task is to be performed, all systems and resources used during the task, and any fatiguing or consumption of systems affecting the health of systems that may occur during completion of the task. This information will be necessary for analyzing the mission in Phase 2 of AMSE. Appendix 1 lists several typical mission tasks and their associated resource and system health cost parameters.
3.3.6 Step 6: Organize tasks into a task plan

Using the task modules generated in Step 5, the next step is to organize the task modules into a task plan that defines typical operations or schedules that are to be followed within the mission plan. For example, a task plan can represent all of the tasks to be completed on a particular type of day, such as a day on which an EVA is to be performed by a crew member. Additionally, a typical week can be assembled from task plans for days and made into a larger meta-task plan. The bundling of task modules into task plans allows for more rapid reconfiguration of the system model for analysis by AMSE by allowing the mission controller or astronaut performing the analysis to quickly assemble a typical period of time to include in the analysis.
3.3.7 Step 7: Arrange task plans toalign withthemission
The general mission plan defined in Step 4 is now filled
in with task plans developed in Step 6. This enables the
analysis of the mission using AMSE by providing a time-
discretized list of all of the actions and systems that are to
be used for completion of the mission as a whole. Figure4
shows how task modules are assembled into task plans and
then arranged to align with the mission plan.
Each of the seven steps of Phase 1 must be completed prior to using AMSE, and the initial modeling can involve a large time investment; however, once many of these steps have been performed, they do not have to be performed again. If the model needs to be reconfigured to account for an unforeseen circumstance, or to iterate on the mission design (in the case of using AMSE for mission design rather than mission operations), adjustment of the models developed in Step 3 or reconfiguration of the task plans in Step 6 can account for the majority of changes that may need to occur to the mission plan and its constituent parts. Because of the ease of configurability enabled by the initial up-front investment of time and resources in model building, AMSE models are able to be reconfigured rapidly to adjust to unforeseen circumstances or to examine a variety of options to inform a mission control decision.
3.4 Phase 2: AMSE analysis
As with Phase 1 of AMSE, the second phase, analysis, requires the investment of time and resources to generate the mission models for analysis. Unlike Phase 1, Phase 2 only has to be set up once and is then run whenever the evaluation of a new mission model is desired. The majority of the math necessary for Phase 2 was already developed in Step 3 of Phase 1, where the mathematical representation of the mission was developed. Phase 2 takes the form of the execution of an algorithm consisting of eight individual steps, which are detailed below. A flowchart of the Phase 2 algorithm can be seen in Fig. 5.
3.4.1 Step 1: Step through mission plan
Starting with the earliest task that has not yet been analyzed,
select each task and then perform Steps 2 through 5 on them.
This is necessary to analyze how the success rate of the mis-
sion develops over time.
3.4.2 Step 2: Calculate resource cost of task and PHM
Any resources consumed or systems fatigued by the completion of the task must be accounted for. One implementation of this is a resource matrix that contains how much of each resource is available, from which resources are subtracted as they are consumed. A similar approach can be utilized for the tracking of system health from mechanical wear, environmental conditions, or energy usage.

Fig. 4 Organization structure of tasks
Fig. 5 Phase 2, analysis, process flow
As an example of Step 2 of the algorithm, the model for kilocalories used by an astronaut during the performance of a task is displayed in Eq. (6), where k represents kilocalories used, p represents the physical exertion required to perform a task on a scale of 0 to 10, where sleep is a 0.5 and vigorous exercise is a 9.5,
represents the duration of the task in hours, and
represents the astronaut's current weight in kilograms (Appendix 2; Estimated Calorie Needs per Day, by Age, Sex, and Physical Activity Level, 2015–2020 Dietary Guidelines, Health.gov 2016).
3.4.3 Step 3: Calculate hazard rates presented to critical system of interest
Utilizing the mathematical system model with health information developed in Phase 1, calculate the risk of system failure during completion of the task. We recommend calculating the risk in the form of an instantaneous hazard rate, representing the number of system failures expected at the instant
3.4.4 Step 4: Record hazard rates
A matrix containing hazard rates for the systems of interest and the time at which each hazard rate was reached should be generated. This will be necessary for the calculation of a total mission failure and success rate in later steps. The matrix values for the first three sols spent on Mars for one of the astronauts in the case study presented in this paper are reported in “Appendix 2”.
3.4.5 Step 5: Repeat until complete
If tasks still exist in the mission plan that have not yet been
analyzed, return to Step 1 of Phase 2. If all tasks in the mis-
sion plan have been completed, then continue on to Step 6
of Phase 2.
3.4.6 Step 6: Calculate total mission hazard rate
The mission hazard rate defines how often failure is to be expected while executing a mission. For the case study presented, failure is defined as the loss of human life during a space mission. However, for a manufacturing process, it could be shutting down the production line or the generation of product that does not meet quality standards.
Taking the instantaneous hazard rates generated from the functional models and the real-time PHM information developed in Steps 2 and 3, calculate the total hazard rate for the remainder of the mission as a function of time over the entire length of the mission. Like the instantaneous rate, the total mission hazard rate describes the number of expected system failures per unit of time. While this can be found using integration of continuous data, for the purpose of the discretized data generated in completing the AMSE method, a weighted average can find the total mission hazard rate. This is found by summing the product of the instantaneous hazard rate for a task and the duration of that task, and then dividing by the total mission length, T, minus the current time of the mission (Eq. 9).

Formulation 1: formulation of the hazard rate
Here we provide the mathematical formulation for the total hazard rate presented to a critical system of interest from an environmental or internal hazard over the remaining course of the mission [losses of system / mission].

Formulation 1.1: Sets
set of all tasks in a task plan
set of all uncompleted tasks in the task plan after the current mission time
set of all hazards faced by the system of interest
set of all hazards presented to a critical system of interest in the completion of a task
set of all critical systems of interest in a system
set of all parameters used to calculate hazard rates in the PHM-based failure distribution for a system [various units]

Formulation 1.2: Parameters
total planned mission length, T (h)
time elapsed during the completion of a task (h)

Formulation 1.3: Variables
instantaneous time in the mission (h)
time elapsed since mission start (h)

Formulation 1.4: Calculation
The hazard rate for an individual hazard is found by inputting the appropriate parameters into the PHM-based failure distribution. The total hazard rate presented to a critical system of interest during a task combines the rates of all hazards presented to that system during the task [losses of system / hour exposed to hazard]. The combined hazard rate presented to all critical systems of interest for the remainder of the mission is then found from these per-task rates over the uncompleted tasks, as described above (Eq. 9).
3.4.7 Step 7: Calculate probability of mission survival
In this step, calculate the probability of mission survival over time for a critical system of interest using the total mission hazard rate, as shown in Eq. (10). In the case of a single critical system of interest, this is equivalent to the total mission probability of success. However, in the case of multiple critical systems of interest, the probability of mission success is equivalent to the intersection of the probabilities of mission survival for all systems, as shown in Eq. (11) of Formulation 2 below.

Formulation 2: formulation of the probability of mission success
Here we provide the mathematical formulation for the probability of total mission success [successful missions per attempt].

Formulation 2.1: Sets
set of all critical systems of interest in a system

Formulation 2.2: Parameters
total planned mission length (h)

Formulation 2.3: Variables
time elapsed in the mission so far (h)

Formulation 2.4: Calculation
The probability of survival for a single critical system of interest is calculated for the planned mission time remaining [systems surviving the mission / attempt]. The probability of total mission success is calculated for the mission time [successful missions / attempt].
3.4.8 Step 8: Display results
Finally, results of the AMSE analysis are presented in a
human readable form to support decision making. To make
the results of the AMSE analysis human readable, the instan-
taneous hazard rate and survival rate for an individual criti-
cal system of interest should be plotted, as well as the prob-
ability of total mission success over time. This provides a
quick visual check of how the probability of mission success
develops over time, as well as providing insight on any task
or period of time that may be adversely affecting the prob-
ability of mission success. Additionally, it may be helpful to
plot system- and hazard-specific values to determine what
degraded system health states may be leading to less-than-
desired mission success probability that need to be directly
addressed. Viewing the results of the analysis in this way
allows for easier interpretation of the results, troubleshooting
of low-success-probability mission plans, and allows prog-
nostics-enabled decisions to be made by human operators
that better consider how system health develops over time.
Similar to Phase 1, the initial setup of Phase 2 can be
time-intensive, but after it is set up the first time, it is
unlikely to require any additional work be performed and
it should be applicable to any model generated in Phase 1.
3.5 Phase 3: Interpretation of results
Phase 3 of the AMSE method consists of interpreting the
results of the analysis from Phase 2. This phase is difficult to
break into concise steps as it is less procedural, and instead
aims to generate mission decision or design insight that is
informed by analysis and is model- and mission-specific.
However, there are some general guidelines that can be
applied to most cases that a practitioner might encounter.
One important metric to observe is the probability of mission success at the beginning of the mission, that is, the probability of total mission success over the entire span of the mission from beginning to end. This metric is important, because it describes the total probability that a mission will be successful including all tasks, systems, expected environmental conditions, and other health-affecting factors over the entire mission plan. Additionally, it should be noted that at the start of the mission this value is the lowest that it will ever be during a nominal mission, because it includes all of the risk from all of the tasks that are still to be completed.
One way to conceptualize
is as the probability
that a speeding driver will be pulled over by the police dur-
ing a long trip. At the beginning of the drive, there exist the
most opportunities for the driver to be pulled over. However,
over the course of the trip, the number of remaining chances
to be pulled over decreases, because there is less of a dis-
tance left to traverse, and therefore, less of a chance that the
speeding driver will be caught.
Additionally, it should be noted that the probability of mission success approaches 1 as the time remaining in the mission approaches 0. It is important to keep this in mind, especially in high-risk missions that appear to become more successful near the end of the mission. Reading the curve this way is a fallacy: the higher probability of survival near the end can only be reached if the low-probability-of-survival portion near the beginning has already been completed. Additionally, it is important to understand how a single high-risk mission task can drastically lower the entire mission success estimate until that task is completed. For example, if a mission is conducted where all mission tasks have a 100% probability of success, except for one task that has a 10% chance of success but presents no long-term system health effects, the probability of mission success will be only 10% until after that task is completed.
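The Phase 2 algorithm of Sect. 3.4 (Steps 1 through 7) and the two observations above, carried through in Python as an added example; this is not code from the paper or its authors. The task plan, hazard rates, calorie costs and food reserve are constructed for illustration; Eq. (6) is not reproduced, a constant calorie cost per task standing in for it; Eq. (10) is evaluated in its constant-rate form P = exp(-λ_total (T - t)); and the intersection of Eq. (11) is taken as a product, which assumes the critical systems' losses are independent.

```python
"""AMSE Phase 2, Steps 1-7, on a constructed task plan (added example).
Hazard rates are expected losses of a critical system of interest per hour
exposed; durations are hours. Every number here is constructed, not the paper's."""
import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Task:
    """Task module (Phase 1, Step 5): duration, hazard presented to each
    critical system of interest, and the resource it consumes (Step 2)."""
    name: str
    duration_h: float
    hazard: dict = field(default_factory=dict)   # system -> losses per hour exposed
    kcal_per_h: float = 0.0                      # constant stand-in for Eq. (6)


def schedule(tasks):
    """Step 1: time-discretize the plan. Returns [(start_h, task)] and T."""
    plan, t = [], 0.0
    for task in tasks:
        plan.append((t, task))
        t += task.duration_h
    return plan, t                               # t is the planned mission length T


def analyse(tasks, systems, food_kcal):
    """Steps 1-5: step through every task, charge its cost against the resource
    matrix (Step 2) and record the hazard rate each system faces together with
    the time at which it occurs (Steps 3 and 4)."""
    plan, T = schedule(tasks)
    food = dict(food_kcal)                       # resource matrix, one row per astronaut
    record = []                                  # (start_h, duration_h, {system: lambda})
    for start, task in plan:
        for s in systems:
            food[s] -= task.kcal_per_h * task.duration_h
            if food[s] < 0:
                raise RuntimeError(f"{s} runs out of food during {task.name}")
        record.append((start, task.duration_h,
                       {s: task.hazard.get(s, 0.0) for s in systems}))
    return record, T, food


def mission_hazard(record, T, t_now, system):
    """Step 6 (Eq. 9): sum of lambda * duration over the tasks not yet completed
    at t_now, divided by the remaining mission time T - t_now."""
    remaining = T - t_now
    if remaining <= 0:
        return 0.0
    acc = sum(lam[system] * dur for start, dur, lam in record if start >= t_now)
    return acc / remaining


def survival(record, T, t_now, system):
    """Step 7 (Eq. 10, constant-rate form): P = exp(-lambda_total * (T - t))."""
    return math.exp(-mission_hazard(record, T, t_now, system) * (T - t_now))


def mission_success(record, T, t_now, systems):
    """Eq. (11): intersection over all critical systems of interest, taken as a
    product, which assumes the systems' losses are independent (assumption)."""
    p = 1.0
    for s in systems:
        p *= survival(record, T, t_now, s)
    return p


def success_curve(record, T, systems):
    """Data for Step 8: P_success at the start of every task and at T."""
    times = sorted({start for start, _, _ in record} | {T})
    return [(t, mission_success(record, T, t, systems)) for t in times]


def nominal_plan():
    """One constructed sol for two astronauts; alpha-1 does an 8 h EVA while
    alpha-2 stays on IVA. Rates and kcal figures are illustrative only."""
    systems = ["alpha-1", "alpha-2"]
    tasks = [
        Task("sleep/hygiene", 8.6, {}, kcal_per_h=60.0),
        Task("eat", 2.0, {}, kcal_per_h=80.0),
        Task("exercise", 2.0, {"alpha-1": 1e-6, "alpha-2": 1e-6}, kcal_per_h=500.0),
        Task("EVA (alpha-1) / IVA (alpha-2)", 8.0,
             {"alpha-1": 2e-4, "alpha-2": 1e-5}, kcal_per_h=250.0),
        Task("IVA", 4.0, {"alpha-1": 1e-5, "alpha-2": 1e-5}, kcal_per_h=100.0),
    ]
    return tasks, systems, {"alpha-1": 20000.0, "alpha-2": 20000.0}


def single_high_risk_plan():
    """All tasks risk-free except one 8 h task whose survival probability is
    exactly 10% (lambda * duration = ln 10) and which leaves no lasting effect."""
    systems = ["alpha-1"]
    tasks = [
        Task("sleep/hygiene", 8.0, {}),
        Task("high-risk EVA", 8.0, {"alpha-1": math.log(10.0) / 8.0}),
        Task("IVA", 8.0, {}),
    ]
    return tasks, systems, {"alpha-1": 20000.0}
```

analyse returns the Step 4 record, T and the depleted resource matrix; passing the record and T to success_curve gives the Step 8 data. For nominal_plan the curve is non-decreasing from its lowest value at t = 0 to exactly 1.0 at t = T; for single_high_risk_plan it reads 0.10 at the start of the first two tasks and 1.0 once the high-risk task is behind the crew, which is the 10% case described above.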
An important consideration when working with AMSE
is properly defining expected and acceptable levels of risk
early in the process and realistically considering the conse-
quences of possible outcomes. If a manufacturing process
has a 70% chance that each product will pass quality checks,
then that may be acceptable in some cases. However, a 70%
chance of loss of life is generally unacceptable. Digging into the model and seeing how it responds to a wide variety of foreseeable issues before they come up is advisable, because this will help to inform the decision maker's general attitude and will allow operators to address problems before they arise.
Finally, if uncertain parameters are used in the creation of the model, sensitivity analysis should be performed. This will inform the operator of potential biases and shortcomings their model could have based on assumptions about the performance of individual sub-systems.
4 Case study
A case study is presented in this section of a hypothetical
space mission to establish a permanent research settlement
on the Martian surface using simple and widely available
models. This approach allows for the more direct evaluation
of the AMSE methodology as a decision support tool, while
using the case study as a framework for the evaluation of
AMSE’s effectiveness and responsiveness.
The planned mission consists of two crews consisting
of four female astronauts each arriving at the same site 26
months apart. The time horizon of the mission begins with
the arrival of the first crew, Crew Alpha, and continues up
to their departure after 1070 Martian sols. This time horizon was selected so that the comparatively high-risk activities of ascent and descent from orbit would not affect the analysis, and the focus can remain on surface operations and
the demonstration of AMSE. The second crew, Crew Beta,
is also analyzed with AMSE, but the primary focus of the
case study is on Crew Alpha.
4.1 Crew composition
Each crew consists of four female astronauts who are all
approximately 170cm tall and range from 60 to 65kg. The
reason behind sending an all-female crew is that it cuts down
on the quantity of food necessary to sustain their health and
allows for more shared resources such as commonly sized
space suits or extravehicular mobility units (EMUs). This
idea has been proposed in the past by a variety of individuals
including participants in the NASA Hawaii Space Explora-
tion Analog and Simulation (HI-SEAS) test (HI-SEAS Mis-
sion 3|Solar System Exploration Research Virtual Institute
2016; Greene and Oremus 2014).
To model human crew survival from a functional perspec-
tive, models of the Martian environment and the necessary
conditions for human life are developed. Critical informa-
tion used in the development of the model is presented in
Sect.4.2 through 4.5.
4.2 Human requirements tolive inspace
Humans operating in space environments require external life support systems to continue living and to be able to perform work tasks. The major requirements for sustained
human survival in space include: temperatures between 4
and 35°C, 0–0.5% atmospheric carbon dioxide by volume,
35–350kPa ambient pressure, radiation dose below 15
roentgens per year (Environment of Manned Systems 2016),
2 liters of water per day (Gleick 1996), access to 34 essential
nutrients (Nutrition 2016), and a minimum of approximately
1300kcal per day (Appendix2 Estimated Calorie Needs per
Day, by Age, Sex, and Physical Activity Level-2015–2020
Dietary Guidelines-Health.Gov” 2016).
On Mars, threats to maintaining human life include:
exposure to radiation, surface storms, and exposure to the
very low atmospheric pressures and temperatures. On the Martian surface, ambient pressure averages 0.6% of Earth sea-level pressure, the atmospheric composition consists of over 96% carbon dioxide (Mars Fact Sheet 2016), mean surface
temperatures are approximately − 63°C, and raw surface
radiation exposure is upwards of 1000 times greater on the
surface of Mars than Earth (Plante and Lee 2005).
4.3 Human exploration ofMars andsite selection
Current NASA deep space mission planning methodology is heavily reliant on materials acquired at the site through the process of in situ resource utilization (ISRU) (NASA::S&MS::In Situ Resource Utilization (ISRU) Element 2016). For this reason, NASA has compiled a series of parameters that are ideal for a Mars base site. A decision matrix, compiled by the First Landing Site/Exploration Zone Workshop for Human Missions to the Surface of Mars, lists two primary criteria categories: (1) Scientific Merit and (2) ISRU/Engineering criteria. The engineering criteria consider foundational factors such as water supply and the presence of plant micronutrient minerals that are foundational to a long-term human presence. The optimal ISRU/Engineering selection criteria were used as the primary criteria for site selection.
The principal location risk was deemed to be dust storms.
These have typically originated in the southern hemisphere
during or around perihelion, and Martian summer (Barnes
1999). Dust storms can reduce visibility over the entire
planet, making navigation difficult for astronauts during an
extravehicular activity (EVA). Additionally, dust can also
compromise solar power generation. Evidence for surface
lightning has also been observed, which could affect power
systems (Ruf etal. 2009). Dust storms occur at an average
rate of 7.1 storms per Martian year (Beish and Recorder
2016), and are generally more intense in the southern hemi-
sphere (Cantor etal. 2002). Thus, the northern hemisphere
is preferable for colonization.
The planned Mars mission utilizes solar power (Do etal.
2016). While average insolation is greater at the poles, it is
more consistent at the Martian equator. An average inso-
lation of 200W/m2 occurs around the Martian equator. A
peri-equatorial site would, therefore, be best for power and
agricultural performance.
Within these criteria, NASA has listed a few potential
landing sites for un-manned missions that exhibit fluvial fea-
tures and possible hydraulic soil infiltrates for ISRU water
reclamation. The list includes the Mawrth Vallis and Nili
Fossae sites. Martian surface spectroscopy data suggests that
the essential micronutrients and minerals vital to the growth
of most plants can be found in Martian soil. For this simula-
tion, it is assumed that all inorganic plant micronutrients are
present at the chosen Martian Sites.
4.4 Nutrition requirements
The most important long-term life support risk to humans
on any deep space mission is nutrition, because food is the
greatest one-time consumable by mass after fuel. Lifting
mass out of orbit is extremely costly, thus the total supply
of food that can be taken into space is limited. Additionally,
the biosphere in which most food is grown is arguably one
of the most complicated systems yet documented; artificial
replication is very prone to catastrophic cascading failure
(MacCallum etal. 2004). Therefore, a high risk of starvation
exists due to food production being prone to failure, and food
carrying capacity at launch being extremely limited.
The US Food and Drug Administration defines 34 key
macro and micronutrients essential to human survival (Food,
Administration, and others 2014). In addition to the daily
recommended value (DRV), each macro and micronutrient
has an approximate biological half-life. To consolidate this
information into a more concise metric, an index of critical-
ity was developed as shown in Eq.(12).
This ratio inflates for both high-intake requirements and
quick biological half-lives, yielding a metric whereby the
largest numbers represent the most critical nutrients. Con-
veniently, this criticality index also indicates which micro-
nutrients are practical to bring from Earth as supplements.
This index was used to categorize the nutrients that would be
more efficient to produce insitu on Mars. Again, high-mass
requirements for some consumables, such as carbohydrates,
protein, fat, and other macronutrients, restrict the efficiency
of supplying such materials from Earth. All macronutrients,
namely carbohydrates, fat, protein, and dietary fiber can only
be efficiently produced on site (Do etal. 2016). It was found
that the most critical nutrients are carbohydrates, protein,
dietary fiber, and fat.
Crops were selected using two criteria: the aforemen-
tioned nutrient criticality index, and growing time. Ulti-
mately, potatoes, soybeans, sweet potatoes, wheat, and
peanuts were chosen as the primary crops. Various other
crops were considered as well for their rich micronutrient
production including: cabbage, tomato, bell pepper, spinach,
cucumber, kale, garlic, onion, and broccoli. Additionally, it
should be noted that several vitamins and minerals are prin-
cipally animal products and will be assumed to be brought
along from launch as dietary supplements. These include
cholesterol, vitamin D, vitamin B12, vitamin H (biotin), and
4.5 Included model systems andresources
In addition to the models of the astronauts, two Martian
surface habitat modules, two SEVs, and twelve total space
suits are included (6 space suits brought by Alpha Crew and
6 space suits by Beta Crew). The modeled systems are bro-
ken down further into sub-systems such as those for power
generation, life support, insitu resource utilization, or waste
management in the case of the habitats. For instance, the model for the habitat examines PHM-relevant data such as the quantity and intensity of physical work performed, power consumption, load on the life support systems, time of exposure to the Martian environment, and accumulated fatigue from the use of the habitat airlock.

The nutrient criticality index referred to in Sect. 4.4 is:
$$\text{Criticality Index} = \frac{\text{DRV}}{\text{Bio-Halflife}} \qquad (12)$$

Another system for which
a model was developed is the SEV, which models the hazard
rates of wheel failure, battery loss, mechanical fatigue, and
general health effects from exposure to the Martian environ-
ment. Equations(13) through (16) show the distributions
used for the hazard rates for tires, power, mechanical fatigue,
and environmental damage. Equation(17) shows how the
combined SEV failure hazard rate is found.
The SEV allows for greater mission scientific yield
through expanding the range of EVAs, but is not neces-
sary for preserving health, so Weibull distributions are fit
to desired failure rate characteristics. These distributions
can be replaced with more system-specific PHM models to
increase model accuracy in exchange for minimal compu-
tational cost. However, for the purposes of the case study—
namely to demonstrate AMSE—the models presented above
are sufficient. The hazard rate for the SEV's wheels, λ_wheel, is dependent on the time that the SEV is driven on the Martian surface, t_driven, and models six wheels designed to last two whole mission lengths before replacement. The SEV's battery health, λ_power, is dependent on the number of battery charge cycles, Q_cycle, with the equivalent cycles of five missions before failure. A larger number of missions before expected failure is used, because replacement of the SEV battery would be more time- and resource-intensive than the replacement of the wheels. The SEV's general mechanical failure rate, λ_mech, is dependent on the intensity at which the SEV is driven and the time driven at that intensity, t_driven, with two mission cycles at expected intensity before failure. The SEV's failure from exposure to the Martian environment, λ_expo, is dependent on the time that has elapsed since the last general maintenance operation, t_mission - t_maint, with the equivalent time between maintenance of 350 Martian sols.

$$\lambda_{wheel} = \frac{6}{1425}\left(\frac{t_{driven}}{1425}\right)^{4} e^{-\left(\frac{t_{driven}}{1425}\right)^{5}} \quad \left[\frac{\text{expected failures}}{\text{hour}}\right] \qquad (13)$$

$$\lambda_{power} = \frac{1}{3600}\left(\frac{Q_{cycle}}{3600}\right)^{5} e^{-\left(\frac{Q_{cycle}}{3600}\right)^{6}} \quad \left[\frac{\text{expected failures}}{\text{hour}}\right] \qquad (14)$$

$$\lambda_{mech} = \frac{1}{2425}\left(\frac{t_{driven}}{2425}\right)^{3} e^{-\left(\frac{t_{driven}}{2425}\right)^{4}} \quad \left[\frac{\text{expected failures}}{\text{hour}}\right] \qquad (15)$$

$$\lambda_{expo} = \frac{1}{10{,}000}\left(\frac{t_{mission}-t_{maint}}{10{,}000}\right)^{4} e^{-\left(\frac{t_{mission}-t_{maint}}{10{,}000}\right)^{5}} \quad \left[\frac{\text{expected failures}}{\text{hour}}\right] \qquad (16)$$

$$\lambda_{SEV} = \lambda_{wheel} + \lambda_{power} + \lambda_{mech} + \lambda_{expo} \quad \left[\frac{\text{expected failures}}{\text{hour}}\right] \qquad (17)$$
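The SEV hazard model of Eqs. (13) through (17), run over a constructed nine-sol EVA rotation, as an added Python example that is not code from the paper. The term shapes and scales are read from the equations (shape 5, scale 1425 h and six units for the wheels; shape 6, scale 3600 cycles for the battery; shape 4, scale 2425 h for mechanical fatigue; shape 5, scale 10,000 h since maintenance for exposure) in the form (units/scale)(x/scale)^(k-1) exp(-(x/scale)^k). The intensity weighting of λ_mech is not reproduced (t_driven is used directly), and the sol length, the EVA sols within the rotation, the drive hours per EVA and one charge cycle per drive are assumptions, not Table 1's schedule.

```python
"""SEV hazard model of Eqs. (13)-(17) over a constructed EVA rotation (added
example; shapes and scales read from the equations, the schedule is assumed)."""
import math

SOL_H = 24.66   # hours per Martian sol (assumption)


def hazard_term(x, scale, shape, units=1.0):
    """Weibull-form term used in Eqs. (13)-(16):
    (units/scale) * (x/scale)**(shape-1) * exp(-(x/scale)**shape),
    in expected failures per hour, for driving variable x (hours or cycles)."""
    if x < 0:
        raise ValueError("driving variable must be non-negative")
    r = x / scale
    return (units / scale) * r ** (shape - 1) * math.exp(-(r ** shape))


def sev_hazard(t_driven_h, q_cycles, t_since_maint_h):
    """Eqs. (13)-(17): the four hazard terms and their sum, lambda_SEV."""
    terms = {
        "wheel": hazard_term(t_driven_h, 1425.0, 5, units=6),   # Eq. (13), six wheels
        "power": hazard_term(q_cycles, 3600.0, 6),               # Eq. (14)
        "mech": hazard_term(t_driven_h, 2425.0, 4),              # Eq. (15), intensity weight omitted
        "expo": hazard_term(t_since_maint_h, 10000.0, 5),        # Eq. (16)
    }
    total = sum(terms.values())                                  # Eq. (17)
    terms["sev"] = total
    return terms


class SevState:
    """PHM state the functional model consumes (Step 3 inputs)."""

    def __init__(self):
        self.t_driven_h = 0.0
        self.q_cycles = 0
        self.t_since_maint_h = 0.0

    def drive(self, hours):
        """An EVA drive of `hours`, followed by one battery charge cycle (assumption)."""
        self.t_driven_h += hours
        self.q_cycles += 1

    def maintain(self):
        """General maintenance resets the exposure clock t_mission - t_maint of Eq. (16)."""
        self.t_since_maint_h = 0.0

    def advance(self, hours):
        self.t_since_maint_h += hours


def rotation(sols, eva_sols, drive_h=8.0, maint_every_sols=350, state=None):
    """Steps 1-4 for the SEV: step sol by sol, update the PHM state and record
    (sol, lambda_SEV). Also returns the SEV's probability of surviving the
    period, exp(-sum(lambda_SEV * hours per sol)). eva_sols are positions
    within the nine-sol rotation (constructed, not Table 1)."""
    state = state or SevState()
    record, cumulative = [], 0.0
    for sol in range(1, sols + 1):
        if maint_every_sols and sol % maint_every_sols == 0:
            state.maintain()
        if (sol - 1) % 9 + 1 in eva_sols:
            state.drive(drive_h)
        lam = sev_hazard(state.t_driven_h, state.q_cycles, state.t_since_maint_h)["sev"]
        record.append((sol, lam))
        cumulative += lam * SOL_H
        state.advance(SOL_H)
    return record, math.exp(-cumulative)
```

rotation(1070, {1, 4, 7}) walks a full Crew Alpha stay with an EVA on three sols of every nine and maintenance every 350 sols; the per-sol record is the SEV row of the Step 4 hazard matrix, and the returned survival probability is the quantity Step 7 would combine with the crew's own survival if the SEV were declared a critical system of interest.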
Additionally, a variety of consumable resources are
brought, such as food and the supplies necessary to start a
farm to generate food and become Earth independent. The
crops brought along include soybeans, potatoes, peanuts,
wheat, and sweet potatoes. The selection of these crops is
informed by previous studies, but new calculations are per-
formed to estimate the volume of each crop to grow includ-
ing updated nutritional information for crops and metabolic
model for caloric intake (Do etal. 2016; Jones 2000). These
crops are chosen for their ability to meet DRV for necessary
macronutrients and provide a variety in the diet. The crops
are grown in a vertical farming unit attached to the Martian
habitats. It is assumed that the Martian habitats are deployed
before the arrival of the crews and only final verification
operations must be performed upon arrival.
4.6 Mission plan
The plan consists of eight stages. The stages are defined
as: (1) Alpha arrival and setup, (2) Starting Farm Alpha,
(3) Alpha primary exploration window, (4) Preparation for
arrival of Beta, (5) Start Farm Beta, (6) Crew Beta arrival
and setup, (7) Cooperative scientific window between Alpha
and Beta, and (8) Preparations for departure of crew Alpha.
On a typical day, crew members will get 8.6 h allocated for sleep/hygienic activities, 2 h for food preparation and eating, 2 h for exercise, 1 h for farming, and the remaining time split between intra-vehicular activities (IVA) and extravehicular activities. IVAs refer to any scientific, maintenance, or other task that is performed within the Martian surface habitat module that is not described by another category. EVAs refer to any activities performed outside of the habitat while wearing an EMU. This includes tasks that involve the use of the SEVs. EVAs are performed on a rotating nine-sol schedule which can be seen in Table 1. On days where an EVA is performed, it is typically an 8-h EVA. The remaining time of the day is dedicated to IVA.

Table 1 Crew EVA schedule over a nine-sol period
Crew | Sol 1 | Sol 2 | Sol 3 | Sol 4 | Sol 5 | Sol 6 | Sol 7 | Sol 8 | Sol 9
A segment of the mission plan can be found in Fig.6; the
complete mission plan can be seen in “Appendix3”.
4.7 AMSE cases
To evaluate AMSE’s ability to inform mission design and
decision making through functional modeling, several exam-
ples of mission crises that may occur were considered and
modeled in AMSE. For the purpose of this demonstration of
AMSE, it is assumed that these crises were not previously
predicted and analyzed. The primary systems of interest for
all crises considered are the astronauts and their survival
is considered the metric for mission success. Additionally,
loss of crew members has the potential to lead to loss of
mechanical systems, as it reduces the crew capability to
maintain and repair systems, potentially leading to cascad-
ing failure. Due to its high speed, AMSE is primarily useful
in supporting decision making in real-time for scenarios that
were previously unpredicted or un-modeled.
4.7.1 Inaccurate mission calculations
The first crisis to be considered in the case study is the
response to a faulty assumption or calculation performed
in the mission planning stage. Previous robotic missions to
Mars have been lost due to incorrect calculations (Board
1999). The example considered is that the estimations for
time spent performing tasks are inaccurate and as a result,
the expected caloric intake necessary is much lower than the
real needs of the astronauts.
In this case, the initial estimate for the area to allocate
to crops is 35, 40, 85, 65, and 4m2 for soybeans, potatoes,
peanuts, wheat, and sweet potatoes respectively, to serve a
caloric demand of 2565kcal per person per day. However,
in reality, each astronaut burns 3025kcal per day in the case
study. Crises related to food production and nutrition are of
particular interest due to the high impact on mission success
and the potentially limited ability to respond due to inability
to easily send more food if needed. Additionally, nutrition-
based crises provided a good test case for AMSE’s ability to
model human survival as part of a PHM problem.
Using only the resources available to them on Mars, Crew
Alpha must determine a way to compensate for the discrep-
ancy between their available caloric sources and their actual
caloric requirements.
4.7.2 Inability to farm
Due to the criticality of food to the mission success (Weir
2011), a second food inspired case is also considered. In this
case, a correct 3025kcal per day assumption is made dur-
ing mission planning and enough emergency backup food
is planned for triple the time estimated to start the farm and
become food self-sufficient (405 sols). However, due to
unknown reasons, none of the crops grow and Crew Alpha
must wait for Crew Beta to arrive with more food on sol 770.
With no ability to generate more food, Crew Alpha must
explore options to improve their probability of survival using
AMSE to inform their decisions.
4.7.3 Broken arm
The mission plan contains many tasks that must be com-
pleted and these tasks are initially distributed to maximize
the probability of mission success. However, there are a wide
variety of situations that may necessitate a reallocation of
tasks, such as the performance of EVAs, to other crew mem-
bers. This can have potentially dire consequences, because it
increases the average caloric load on other astronauts which
can lead to nutritional issues as well as increasing the poten-
tial exposure to harm, increased wear on assigned EMUs,
and increased radiation exposure.
Fig. 6 Sols 0 through 615 of the general mission plan (excerpt):
Sol 0: Crew Alpha arrives on the surface; perform EVAs and IVAs to verify critical Martian surface habitat functionality; unpack transit vehicle; set up habitat module.
Sol 1–5: Perform EVAs to validate external, less critical functions; begin setup for experimentation and start farm.
Sol 6–130: Tend to farm (sol 55: soybeans mature; sol 67: wheat mature; sol 75: potatoes mature; sol 125: sweet potatoes mature; sol 130: peanuts mature; sol 130: self-sufficient food source achieved); perform EVAs, IVAs, and exercise on regular schedule.
To use this class of problems as an example of AMSE's utility, it is considered that a member of Crew Alpha breaks her arm on sol 771 when she falls from a ladder in the farm. Analysis using AMSE is performed to determine how work should be reassigned to give her the necessary time (approximately 70 sols) for her arm to heal with minimal effects on mission health. Additionally, to maintain the desired scientific yield and continue to perform appropriate maintenance actions on mechanical systems, work must be reassigned to ensure no EVAs are canceled.
5 Results anddiscussion
For each of the cases described above, an initial round of
AMSE is performed for the model of the crisis and then
options are explored until an acceptable level of mission
success is achieved. Acceptable levels of success include
situations in which the total probability of mission success
over the entire span of the mission does not go below 95% or
a case in which no individual’s probability of survival goes
below 98% for the mission.
5.1 Inaccurate mission calculations
For the case of inaccurate mission calculations, a mission
plan is created that vastly underestimated the quantity of
food that is necessary for the survival of the crew. The initial
mission plan yields a probability of mission success of 0.5%
with the mean probability of survival for each crew member
being only 26.6%. The results of the analysis are shown in
Fig.7. Over the length of the mission, the average weight
of the astronauts’ decreases from 62.50 to 47.99kg which
presents a serious danger from starvation and malnutrition.
Allowing for the possibility that Crew Alpha could use the farm section from Crew Beta's habitat to grow more food, and that Crew Beta can bring along a third farm unit, a solution is found after one iteration of AMSE that achieves a probability of mission success of 95.9%. Under this configuration of the mission, 50, 60, 115, 90, and 5 m² are allocated for soybeans, potatoes, peanuts, wheat, and sweet potatoes, respectively. This plan also allows for all planned work to be continued normally without disruption. The results of the analysis are shown in Fig. 8.
5.2 Inability to farm
Similar to the first case, the inability to farm presents a risk from starvation. In this case, only 405 sols' worth of rations are brought along to support a 3025 kcal/day diet. Again, Crew Beta is able to adjust what they bring along to help solve the problem. However, Crew Beta does not arrive until sol 770, well after the point of starvation if no other mitigating actions are taken. The success and survivability plots for this case are presented in Fig. 9.
If no action is taken, then the probability of mission success is effectively 0% due to the astronauts starving to death around sol 450.¹
The first option investigated involves rationing the food into evenly split portions across all 770 sols, which, while still insufficient in total calories, at least keeps the food from running out. However, it is found that just rationing the food leads to loss of crew due to starvation sooner, because the crew are malnourished earlier on: their intake of calories is dramatically reduced, but their caloric needs are not. The associated plots can be found in Fig. 10.
¹ This assumes no self-sacrifice or other extreme solutions.
Fig. 7 Inaccurate caloric needs (top) instantaneous survival rate, (bottom) mission success over time
AMSE is performed again, and again the reserve of food is rationed to extend the available food as long as possible, but all EVAs and exercise are canceled, and the rest/sleep period is extended from 8.6 h per day to 16.6 h per day. While this approach completely halts any planned scientific endeavors, it is enough to prevent dramatic weight loss, and the probability of mission success (defined as keeping the astronauts alive) increases to 92.99% with a mean individual survival probability of 98.2%. This is considered a sufficient solution given the constraints of the problem. The associated plots for this mission plan can be found in Fig. 11.
One potential consequence of this strategy is that the crew's ability to respond to additional crises is severely limited, and taking any action could potentially lead to starvation. This is compounded by the canceled EVAs and reduced IVAs, which have numerous effects on the health of physical systems that require scheduled maintenance. For example, when the EVAs are canceled, the SEVs are likely to accumulate damage from ordinary Martian weather, leading to reduced system health and a higher probability of system loss. While the SEVs are not critical to mission survival and their failure does not affect mission success, the potential scientific yield of the mission after rescue by Crew Beta is limited by their loss.
Fig. 8 Inaccurate caloric needs with larger farm (top) instantaneous
survival rate, (bottom) mission success over time
Fig. 9 Inability to farm (top) instantaneous survival rate, (bottom)
mission success over time
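As an added example (not the authors' code), the following computes the daily caloric need of one astronaut from the appendix task modules and shows why rationing alone deepens the deficit while cancelling EVAs and exercise and extending rest closes most of it, and why an EVA day alone throws the balance negative. Assumptions not stated in the paper: a task's calorie burn is its kcal/kg figure times astronaut weight, a task run longer than its tabulated duration burns proportionally more, and the day schedules are constructed.

```python
"""Daily caloric balance from the appendix task modules.

Added example, not the paper's code. Assumptions: calories burned per task
execution = the appendix kcal/kg figure x astronaut weight (kg); a task run
longer or shorter than its tabulated duration burns proportionally more or
less; the example day schedules are constructed.
"""

# Per-task burn (kcal per kg of astronaut weight) and nominal duration (s),
# taken from the appendix task table.
BURN_KCAL_PER_KG = {"sleep": 8.5, "eat": 2.8, "exercise": 17.4,
                    "farm": 4.4, "eva": 25.0, "iva": 5.0}
DURATION_S = {"sleep": 30_960, "eat": 7_200, "exercise": 7_200,
              "farm": 3_600, "eva": 28_800, "iva": 10_800}

RATION_KCAL_PER_SOL = 3025.0   # diet the rations were packed for
RATION_SOLS = 405              # sols of rations brought along
SOLS_UNTIL_CREW_BETA = 770     # resupply arrives with Crew Beta

# Constructed day schedules: (task, duration in s, or None for tabulated).
NOMINAL_DAY = [("sleep", None), ("eat", None), ("exercise", None),
               ("farm", None), ("iva", None)]
EVA_DAY = [("sleep", None), ("eat", None), ("exercise", None),
           ("farm", None), ("eva", None)]
# Mitigation from the inability-to-farm case: EVAs and exercise cancelled,
# rest extended from 8.6 h to 16.6 h per sol.
EXTENDED_REST_DAY = [("sleep", 16.6 * 3600), ("eat", None),
                     ("farm", None), ("iva", None)]


def task_burn(task, weight_kg, duration_s=None):
    """kcal burned by one execution of a task (linear-in-duration assumption)."""
    nominal = DURATION_S[task]
    duration_s = nominal if duration_s is None else duration_s
    return BURN_KCAL_PER_KG[task] * weight_kg * duration_s / nominal


def daily_burn(schedule, weight_kg):
    """Total kcal burned over one sol's schedule."""
    return sum(task_burn(task, weight_kg, d) for task, d in schedule)


def rationed_intake(sols_of_food, sols_to_cover,
                    kcal_per_sol=RATION_KCAL_PER_SOL):
    """Even split of the remaining food over the sols it must cover."""
    return kcal_per_sol * sols_of_food / sols_to_cover


def daily_balance(schedule, weight_kg, intake_kcal):
    """Positive = surplus, negative = deficit drawn from body mass."""
    return intake_kcal - daily_burn(schedule, weight_kg)


def compare_plans(weight_kg=62.5):
    """Balance per sol for the plans discussed in the results section,
    for an astronaut at the paper's initial average weight."""
    rationed = rationed_intake(RATION_SOLS, SOLS_UNTIL_CREW_BETA)
    return {
        "full_ration_nominal": daily_balance(NOMINAL_DAY, weight_kg, RATION_KCAL_PER_SOL),
        "full_ration_eva_day": daily_balance(EVA_DAY, weight_kg, RATION_KCAL_PER_SOL),
        "rationed_nominal": daily_balance(NOMINAL_DAY, weight_kg, rationed),
        "rationed_extended_rest": daily_balance(EXTENDED_REST_DAY, weight_kg, rationed),
    }


if __name__ == "__main__":
    for plan, kcal in compare_plans().items():
        print(f"{plan:>24}: {kcal:+8.1f} kcal/sol")
```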
5.3 Broken arm
The broken arm problem investigates what occurs if someone becomes temporarily incapacitated. In this case, astronaut A of Crew Alpha is unable to perform EVAs for 70 sols beginning on sol 771. In the mission plan, EVAs are required to be performed by two astronauts at a time to improve EVA safety. However, if EVAs are canceled, scheduled system maintenance tasks and scientific opportunities are reduced. To keep up scientific yield, the EVA schedule is temporarily revised to the one shown in Table 2.
This leads to no significant reduction in the probability of mission success, with a probability of success of 95.9%. The resulting plots can be seen in Fig. 12.
While this adjustment in task planning does not seem to have a significant influence on the probability of mission success, it does have some effects on the individual astronauts that may result in potential consequences. For example, over the course of the mission, astronauts B, C, and D end up being exposed to an additional 0.2 mSv of radiation, which is equivalent to receiving two chest X-rays.
For this case, we considered the astronaut completely incapacitated for the purpose of EVAs, but their other work assignments remained the same.
5.4 Discussion of results
In the cases presented above, AMSE is used to make risk-informed space mission control decisions. In each case, the mission model is reconfigured within several minutes and analysis can be run in under 80 s. This allows for rapid response to mission crises. The selected crises for the case study were relatively simple with fairly apparent solutions, but each selected case was representative of a different class of space mission crisis that may be encountered. The selection of simple cases was intentional, to focus on the demonstration of AMSE as a method for risk-informed space mission decision making.
Fig. 10 Inability to farm with rationing (top) instantaneous survival rate, (bottom) mission success over time
Fig. 11 Inability to farm with extra rest (top) instantaneous survival rate, (bottom) mission success over time
In the initial investigation of the risk-informed space mis-
sion model used for this study, it was found that the prob-
ability of mission success was very highly dependent on
nutrition of the astronauts, and that maintaining a healthy
astronaut and a productive mission would be a difficult bal-
ancing act. Additionally, if the quantity of work is increased,
even temporarily, the caloric load can be thrown greatly out
of balance. On Earth, this would not be a significant prob-
lem, because more food can be acquired, but on Mars, addi-
tional food could take several years to arrive as flight times
are highly dependent upon launch windows. This observa-
tion was part of the inspiration for having multiple cases that
focused on food-related crises.
The uniqueness of AMSE in providing a decision support tool that uses real-time system health information to help mission operations managers in rapidly developing unanticipated scenarios positions AMSE to be a useful addition to space missions. The underlying system models that provide risk analysis capability are directly modified by PHM information from the physical systems. In the case study, the systems are simulated; however, we have conducted initial testing on a PHM testbed platform with promising results.
While the case study focused on crises that were rela-
tively easy to avert, the AMSE method is capable of han-
dling much more complicated system failure scenarios.
The limiting factor of the AMSE method’s ability to model
and analyze a mission is the availability of computational
resources and the resolution of the developed mission model.
5.5 Generalization of the method
While the presented case study focuses on space mission control decisions, the AMSE method can be used to make decisions for the design and management of a wide variety of systems. As demonstrated in the case study, AMSE can be used to model traditional engineering systems, such as electrical and mechanical systems, and it has also been demonstrated to handle less traditional biological systems and environmental systems.
One concept that is important to understand when it comes to generalizing AMSE to problems outside of space mission risk assessment is the concept of missions and mission success. While in the demonstrated case study a very traditional definition of mission is used, a mission is any series of tasks that are necessary for the completion of a goal, dependent on the state of systems for completion, and chronologically ordered. One example of this could be the design and production of a chair. This model could include human designers, computer systems, tools for manufacture, human craftspeople, and could even extend to transit systems for delivery. The objective that defines success for this system is delivery of the correct number of chairs to a buyer (though secondary conditions of human safety could also be considered). A nested super system model of the entire process could be developed, and tasks could be defined that account for everything that must be done in production. AMSE could then be used to explore potential problems in production, as well as used in crises to determine potential solutions to problems as they arise, while maintaining a long-term big picture view of success.
Table 2 Revised EVA nine-sol schedule (rows: crew; columns: Sol 1 through Sol 9)
Fig. 12 Broken arm with revised EVA schedule (top) instantaneous survival rate, (bottom) mission success over time
6 Conclusion and future work
Active mission success estimation (AMSE) is a method for
the modeling and analysis of space missions for the purpose
of risk analysis and informed decision making based on real-
time PHM information. The bulk of the AMSE method con-
sists of three phases. The first phase of AMSE is modeling.
In this phase, a functional model of the mission containing
PHM information is developed using a nested super systems
approach to represent multiple interacting mission compo-
nents. In addition to the functional model of the system, a
mission plan is developed that contains a list of all tasks
to be performed over the course of the mission. The tasks
are represented by task modules, which contain quantitative
information and mathematical models necessary to analyze
the effect of the task on the health of systems within the
mission framework. The second phase of AMSE, analysis,
utilizes the functional model of the system and the mission
plan to perform calculations to determine the probability of
mission success over time. This phase is highly dependent
on analysis of the system health models developed in Phase
1. The third and final phase of AMSE involves the interpretation of the results of the analysis to inform mission control.
The AMSE method is shown to be an effective tool for
risk-informed PHM-driven decision making using analysis
conducted on functional models representing real systems.
This is demonstrated through the evaluation of three poten-
tial crises that could occur during a space mission.
Through the case study, AMSE shows its ability to be
rapidly reconfigured in highly detailed ways.
6.1 Future work
AMSE is a promising tool for risk-informed mission risk analysis and decision making, but it is currently limited in its user-friendliness: it lacks any form of GUI or developed UI and instead relies on the user to make changes to the code performing the analysis. While this is doable, it is a non-ideal implementation and it vastly reduces the ability of new users to adopt AMSE. Therefore, development of a GUI through which the AMSE code can be run is given a high priority.
Another area for improvement of AMSE is in the sourcing of functional models that include PHM data and health modeling. Currently, models must be developed for each system that is to be included in the nested super systems framework. However, a database or design repository of common models could be developed for use in AMSE. This would enable more rapid creation of mission models and faster reconfiguration by allowing systems or sub-systems to be interchanged more quickly.
A final avenue of interest for future investigation is the use of AMSE with an Artificial Intelligence (AI) to enable autonomous decision making under risk. For the case study presented in this paper, a human was able to try multiple solutions to the problem scenarios relatively quickly; however, as the problems get bigger and more complex, they could become impossible for a human to manage. If an autonomous decision maker were developed that could efficiently use AMSE to respond to crises and find multiple potential solutions, the time needed to find a solution to a problem could be vastly reduced. Developing better methods for autonomous decision making in hazardous and unknown environments could have applications in a wide variety of fields, including self-driving cars, home robotics, national security, and space exploration.
Acknowledgements This research was partially supported by United
States Nuclear Regulatory Commission Grant number NRC-HQ-84-
14-G-0047. Any opinions or findings of this work are the responsibility
of the authors, and do not necessarily reflect the views of the sponsors
or collaborators. The authors wish to acknowledge the work of the
undergraduate research assistants in the Robotics, Automation, and
Design group at Colorado School of Mines.
Task modules (columns: Task; Duration (s); Systems used with system health factors; Resources used with quantity)
Sleeping; 30,960 s; Habitat module (time inhabited 30,960 s, physical intensity 0.5/10); Calories burned: ~8.5 kcal/kg × astronaut weight
Eat food; 7200 s; Habitat module (time inhabited 7200 s, physical intensity 1.0/10); Calories burned: ~2.8 kcal/kg × astronaut weight; Food eaten: 3025 kcal gained
Exercise; 7200 s; Habitat module (time inhabited 7200 s, physical intensity 9.5/10); Calories burned: ~17.4 kcal/kg × astronaut weight
Maintain farm; 3600 s; Farm module (time inhabited 3600 s, physical intensity 4.5/10); Calories burned: ~4.4 kcal/kg × astronaut weight; Water used: ~20 L/m² of crops being grown; Food produced: ~8.4 kg/day at full production
EVA; 28,800 s; Air lock (uses: 2), EMU (time inhabited 28,800 s, physical intensity 3.0/10), SEV (time inhabited 3600 s, physical intensity 1.7/10); Calories burned: ~25 kcal/kg × astronaut weight
IVA; 10,800 s; Habitat module (time inhabited 10,800 s, physical intensity 1.3/10); Calories burned: ~5 kcal/kg × astronaut weight
Sol Hour Radiation Temperature Starvation Exhaustion Injury
0 8.6 1.53E−06 5.09E−80 7.48E−12 9.87E−10 1.00E−09
0 9.6 1.53E−06 6.02E−10 1.25E−08 1.37E−07 8.00E−06
0 13.6 1.53E−06 1.32E−37 1.56E−08 2.33E−07 7.20E−06
0 15.6 1.53E−06 3.63E−19 1.64E−08 1.74E−06 1.00E−08
0 19.6 1.53E−06 1.32E−37 2.04E−08 4.50E−06 7.20E−06
0 24.6 1.53E−06 2.19E−28 1.24E−08 2.67E−05 1.00E−08
1 33.2 1.53E−06 5.09E−80 8.49E−12 9.87E−10 1.00E−09
1 36.2 1.53E−06 6.02E−10 7.96E−09 1.37E−07 1.00E−05
1 37.2 1.53E−06 6.02E−10 8.51E−09 2.33E−07 1.00E−05
1 38.2 1.53E−06 6.02E−10 9.10E−09 3.91E−07 1.00E−05
1 39.2 1.53E−06 6.02E−10 9.73E−09 6.49E−07 1.00E−05
1 40.2 1.53E−06 6.02E−10 1.04E−08 1.07E−06 1.00E−05
1 41.2 1.53E−06 6.02E−10 1.11E−08 1.74E−06 1.00E−05
1 42.2 1.53E−06 6.02E−10 1.19E−08 2.81E−06 1.00E−05
1 43.2 1.53E−06 6.02E−10 1.27E−08 4.50E−06 1.00E−05
1 47.2 1.53E−06 1.32E−37 1.41E−08 7.12E−06 1.00E−08
1 49.2 1.53E−06 3.63E−19 1.82E−08 4.07E−05 2.00E−05
2 57.8 1.53E−06 5.09E−80 1.38E−11 9.87E−10 1.00E−09
2 60.8 1.53E−06 6.02E−10 1.17E−08 1.37E−07 1.00E−05
2 61.8 1.53E−06 6.02E−10 1.25E−08 2.33E−07 1.00E−05
2 62.8 1.53E−06 6.02E−10 1.33E−08 3.91E−07 1.00E−05
2 63.8 1.53E−06 6.02E−10 1.42E−08 6.49E−07 1.00E−05
2 64.8 1.53E−06 6.02E−10 1.52E−08 1.07E−06 1.00E−05
2 65.8 1.53E−06 6.02E−10 1.62E−08 1.74E−06 1.00E−05
2 66.8 1.53E−06 6.02E−10 1.73E−08 2.81E−06 1.00E−05
2 67.8 1.53E−06 6.02E−10 1.85E−08 4.50E−06 1.00E−05
2 71.8 1.53E−06 1.32E−37 2.05E−08 7.12E−06 1.00E−08
2 73.8 1.53E−06 3.63E−19 2.64E−08 4.07E−05 2.00E−05
Mission Plan
Crew Alpha equipment arrives on planet
Sol 0
  Crew Alpha arrives on the surface
  Perform EVAs and IVAs to verify critical Martian Surface Habitat functionality
  Unpack transit vehicle
  Set up habitat module
Sol 1–5
  Perform EVAs to validate external less critical func-
  Begin setup for experimentation and
  Start farm
Sol 6–130
  Tend to farm
    Sol 55: Soybeans mature
    Sol 67: Wheat mature
    Sol 75: Potatoes mature
    Sol 125: Sweet potatoes mature
    Sol 130: Peanuts mature
    Sol 130: Self-sufficient food source achieved
  Perform EVAs on regular schedule
  Perform IVAs on regular schedule
  Perform exercise on regular schedule
Sol 131–615
  Perform EVAs on regular schedule
  Perform IVAs on regular schedule
  Perform exercise on regular schedule
Sol 616–620
  Begin verification of Beta Martian Surface Habitat during EVAs
  Perform IVAs on regular schedule
  Perform exercise on regular schedule
Sol 621–769
  Sol 621: Begin Farm Beta
  Tend to Farm Beta
    Sol 671: Soybeans mature
    Sol 688: Wheat mature
    Sol 696: Potatoes mature
    Sol 746: Sweet potatoes mature
    Sol 751: Peanuts mature
    Sol 751: Self-sufficient food source achieved
  Perform EVAs on regular schedule
  Perform IVAs on regular schedule
  Perform exercise on regular schedule
Sol 770
  Crew Beta arrives on surface
  Perform EVAs and IVAs to verify critical habitat
  Unpack transit vehicle
  Set up habitat module
Sol 771–775
  Crew Alpha
    Perform EVAs on regular schedule
    Perform IVAs on regular schedule
    Perform exercise on regular schedule
  Crew Beta
    Perform EVAs to validate external less critical
    Begin setup for experimentation and
Sols 776–1050
  Crew Alpha
    Perform EVAs on regular schedule
    Perform IVAs on regular schedule
    Perform exercise on regular schedule
  Crew Beta
    Perform EVAs on regular schedule
    Perform IVAs on regular schedule
    Perform exercise on regular schedule
Sols 1051–1069
  Crew Alpha
    Begin prep for departure
    Wrap up experiments
    Perform EVAs to hand off tasks to Beta
    Prepare habitat Alpha for vacancy (will be used by Crew Gamma)
  Crew Beta
    Perform EVAs on regular schedule
    Perform IVAs on regular schedule
    Perform exercise on regular schedule
Sol 1070
  Crew Alpha departs from Martian surface
  End AMSE analysis
Sol 1540
  Crew Gamma arrives and moves into habitat Alpha
Appendix2. Estimated Calorie Needs per Day, by Age, Sex, and
Physical Activity Level-2015–2020 Dietary Guidelines-Health.
Gov (2016). http://healt rygui delin es/2015/guide lines
/appen dix-2/. Accessed Apr 5 2016
Balaban E, Narasimhan S, Daigle M, Roychoudhury I, Sweet A, Bond
C, Gorospe G (2013) Development of a mobile robot test platform
and methods for validation of prognostics-enabled decision mak-
ing algorithms. Int J Prognostics Health Manag 4:1–19
Barnes JR (1999) Initiation and Spread of Martian Dust Storms. In:
The fifth international conference on Mars, 1:6011. http://adsab
s.harva cm.conf.6011B
Beish J, Former ALPO Senior Mars Recorder (2016) A trend analysis
for predicting dust storms on Mars. http://www.alpo-astro nomy.
org/jbeis h/MetTr endDu st.htm. Accessed Apr 5 2016
Blanchard BS, Fabrycky WJ (1990) Systems Engineering and analysis,
vol4. Prentice Hall Englewood Cliffs, New Jersey
Board Mars Climate Orbiter Mishap Investigation (1999) Mars Climate
Orbiter Mishap Investigation Board: Phase I Report. Jet Propul-
sion Laboratory
Bohm MR, Stone RB, Szykman S (2005) Enhancing virtual product
representations for advanced design repository systems. J Comput
Inf Sci Eng 5(4):360–372
O’Halloran B, Papakonstantinou N, Van Bossuyt DL (2015) Modeling
of function failure propagation across uncoupled systems. In:Reli-
ability and maintainability symposium (RAMS), 2015 Annual.
IEEE, pp 1–6
Bryant CR, Stone RB, McAdams DA, Kurtoglu T, Campbell MI etal
(2005) Concept generation from the functional basis of design. In:
ICED 05: 15th International conference on engineering design:
engineering design and the global economy, 1702. Engineers
Cantor B, Malin M, Edgett KS (2002) Multiyear Mars Orbiter Cam-
era (MOC) observations of repeated Martian weather phenom-
ena during the Northern Summer Season. J Geophys Res Planets
(1991–2012) 107(E3):3–11
Daigle M, Roychoudhury I, Narasimhan S, Saha S, Saha B, Goebel
K (2011) Investigating the effect of damage progression model
choice on prognostics performance. In: Proceedings of the annual
conference of the Prognostics and Health Management Society
Do S, Owens A, Ho K, Schreiner S, de Weck O (2016) An independent
assessment of the technical feasibility of the Mars One Mission
Plan—updated analysis. Acta Astronaut 120(March):192–228.
https :// stro.2015.11.025
Environment of Manned Systems (2016). http://histo
and/manne dev.htm. Accessed Apr 5 2016
Food D, Administration etal (2014) Guidance for industry: a food
labeling guide (14. Appendix F: calculate the percent daily value
for the appropriate nutrients
Friedenthal S, Moore A, Steiner R (2014) A practical guide to SysML:
the systems modeling language. Morgan Kaufmann
Frost SA, Goebel K, Obrecht L (2013) Integrating structural health
management with contingency control for wind turbines. IJPHM
Special Issue on Wind Turbine PHM (Color), p11
Gao L, Liu S, Dougal RA (2002) Dynamic lithium-ion battery model
for system simulation. IEEE Trans Compon Packag Technol
Gleick PH (1996) Basic water requirements for human activities: meet-
ing basic needs. Water Int 21(2):83–92
Goddard RH (1920) A method of reaching extreme altitudes. Nature
105(August):809–811. https :// 9a0
Goebel K, Saha B, Saxena A, Celaya JR, Christophersen JP (2008)
Prognostics in battery health management. IEEE Instrum Meas
Mag 11(4):33
Greene K, Oremus W (2014) An all-female mission to Mars Slate.
http://www.slate .com/artic les/healt h_and_scien ce/space
_20/2014/10/manne d_missi on_to_mars_femal e_astro nauts _are_
cheap er_to_launc h_into_outer .html?wpsrc =sh_all_dt_tw_top.
Accessed Oct 19 2014
Herr N, Nicod J-M, Varnier C (2014) Prognostic decision making to
extend a platform useful life under service constraint. In: Prog-
nostics and Health Management (PHM), 2014 IEEE conference
on IEEE, pp1–11
Hirtz J, Stone RB, McAdams DA, Szykman S, Wood KL (2002) A
functional basis for engineering design: reconciling and evolving
previous efforts. Res Eng Des 13(2):65–82
HI-SEAS Mission 3 | Solar System Exploration Research Virtual Insti-
tute (2016). http://sserv les/hi-seas-missi on-3/.
Accessed Apr 4 2016
Hutcheson RS, McAdams DA, Stone RB, Tumer IY (2006) A func-
tion-based methodology for analyzing critical events. In: ASME
Author's personal copy
Research in Engineering Design
1 3
2006 international design engineering technical conferences and
computers and information in engineering conference. American
Society of Mechanical Engineers, pp 1193–1204
Jensen DC, Tumer IY, Kurtoglu T (2008) Modeling the propagation
of failures in software driven hardware systems to enable risk-
informed design. In: ASME 2008 international mechanical engi-
neering congress and exposition. American Society of Mechanical
Engineers, pp 283–293. http://proce eding s.asmed igita lcoll ectio eding .aspx?artic leid=16450 06
Jensen DC, Tumer IY, Kurtoglu T (2009) Flow state logic (FSL) for
analysis of failure propagation in early design. In:ASME 2009
International design engineering technical conferences and com-
puters and information in engineering conference
Jones H (2000) Matching crew diet and crop food production in BIO-
Plex. No. 2000-01-2397. SAE Technical Paper
Keller K, Swearingen K, Sheahan J, Bailey M, Dunsdon J, Wojtek
Przytula K, Jordan B (2006) Aircraft electrical power systems
prognostics and health management. In: 2006 IEEE conference
on aerospace. IEEE, p 12
Kumamoto H, Henley EJ (1996) Probabilistic risk assessment and
management for engineers and scientists, 2nd edn.IEEE Press,
Kurtoglu T, Tumer IY (2007) Ffip: a framework for early assessment
of functional failures in complex systems. In: The International
conference on engineering design, ICED, vol 7
Kurtoglu T, Campbell MI, Bryant CR, Stone RB, McAdams DA etal
(2005) Deriving a component basis for computational functional
synthesis. In: ICED 05: 15th international conference on engineer-
ing design: engineering design and the global economy, 1687.
Engineers Australia
Kurtoglu T, Tumer IY, Jensen DC (2010) A functional failure reasoning
methodology for evaluation of conceptual system architectures.
Res Eng Des 21(4):209–234
Lucero B, Viswanathan VK, Linsey JS, Turner CJ (2014) Identifying
critical functions for use across engineering design domains. J
Mech Des 136(12):121101
MacCallum T, Poynter J, Bearden D (2004) Lessons learned from bio-
sphere 2: when viewed as a ground simulation/analog for long
duration human space exploration and settlement. In: International
conference on environmental systems
Mars Fact Sheet (2016). http://nssdc tary/facts heet/
marsf act.html. Accessed Apr 5 2016
Mimlitz Z, Short AR, Van Bossuyt DL (2016) Towards risk-informed
operation of autonomous vehicles to increase resilience in
unknown and dangerous environments. In: ASME 2016 interna-
tional design engineering technical conferences and computers
and information in engineering conference
Modarres M, Kaminskiy M, Krivtsov V (2011) Reliability engineering
and risk analysis: a practical guide. CRC Press
Mohaghegh Z, Kazemi R, Mosleh A (2009) Incorporating organiza-
tional factors into probabilistic risk assessment (PRA) of complex
socio-technical systems: a hybrid technique formalization. Reliab
Eng Syst Saf 94(5):1000–1018
NASA::S&MS::In Situ Resource Utilization (ISRU) Element (2016). Accessed Apr 5 2016
Nassif SR, Strojwas AJ, Director SW (1986) A methodology for worst-
case analysis of integrated circuits. Comput Aided Des Integr Cir-
cuits Syst IEEE Trans 5(1):104–113
Nathalie HERR, Nicod J-M, Varnier C (2016) Prognostics-based
scheduling to extend a distributed platform production horizon
under service constraint: model, complexity and resolution. https
:// ves-ouver 443/. Accessed Apr 16 2016
Nutrition, Center for Food Safety and Applied (2016) Labeling and
nutrition—guidance for industry: a food labeling guide (14.
Appendix F: Calculate the Percent Daily Value for the Appro-
priate Nutrients). WebContent.
nceRe gulat ion/Guida nceDo cumen tsReg ulato ryInf ormat ion/Label
ingNu triti on/ucm06 4928.htm. Accessed Apr 5 2016
O’Halloran BM, Papakonstantinou N, Van Bossuyt DL (2015) Mod-
eling of function failure propagation across uncoupled systems.
In Reliability and maintainability symposium (RAMS), 2015
Annual. IEEE, pp 1–6
Pecht M (2008)Prognostics and health management of electronics.
Pinto CA, Garvey PR (2012) Advanced risk analysis in engineering
enterprise systems. CRC Press, Boca Raton
Plante J, Lee B (2005) Environmental conditions for space flight hard-
ware: a survey. h.jsp?R=20060 01339 4.
Accessed 4 Apr 2016
Ramp IJ, Van Bossuyt DL (2014) Toward an automated model-based
geometric method of representing function failure propaga-
tion across uncoupled systems. In: ASME 2014 International
mechanical engineering congress and exposition, V011T14A007–
V011T14A007. American Society of Mechanical Engineers
Ruf C, Renno NO, Kok JF, Bandelier E, Sander MJ, Gross S, Skjerve
L, Cantor B (2009) Emission of non-thermal microwave radia-
tion by a Martian dust storm. Geophys Res Lett. https ://doi.
org/10.1029/2009G L0387 15/full
Saha B, Goebel K (2007) Battery Data Set, NASA Ames Prognostics
Data Repository. NASA Ames, Moffett Field, CA, USA [Online]. ct/progn ostic -data-repos itory . Accessed
15 Apr 2016
Saha B, Goebel K (2009) Modeling li–ion battery capacity depletion
in a particle filtering framework. In: Proceedings of the annual
conference of the prognostics and health management society,
pp 2909–2924
Saha B, Goebel K, Poll S. Christophersen J (2009) Prognostics methods
for battery health monitoring using a Bayesian framework.IEEE
Trans Instrum Meas58(2):291–296
Saha B, Koshimoto E, Quach CC, Hogge EF, Strom TH, Hill BL,
Vazquez SL, Goebel K (2011) Battery health management sys-
tem for electric UAVs. In: 2011 IEEE conference on aerospace.
IEEE, pp1–9
Saha B, Quach CC, Goebel K (2012) Optimizing battery life for elec-
tric UAVs using a bayesian framework. In: 2012 IEEE conference
on aerospace. IEEE, pp 1–7
Sheppard JW, Kaufman MA, Wilmering TJ (2014) IEEE standards for
prognostics and health management
Short AR, Van Bossuyt DL (2015) Risk attitude informed route plan-
ning in a simulated planetary rover. In: ASME 2015 interna-
tional design engineering technical conferences and computers
and information in engineering conference, V01BT02A048–
V01BT02A048. American Society of Mechanical Engineers
Short AR, Van Bossuyt DL etal (2015) Rerouting failure flows using
logic blocks in functional models for improved system robustness:
failure flow decision functions. In: DS 80-6 proceedings of the
20th international conference on engineering design (ICED 15)
Vol 6: design methods and tools-part 2, Milan, Italy, pp 27-30
Short AR, Mimlitz, Van Bossuyt (2016) Autonomous system design
and controls design for operations in high risk environments. In:
ASME 2016 international design engineering technical confer-
ences and computers and information in engineering conference
Short AR, Lai AD, Van Bossuyt DL (2017) Conceptual design of
sacrificial sub-systems: failure flow decision functions. Res Eng
Stone RB, Wood KL (2000) Development of a functional basis for
design. J Mech Des 122(4):359–370
Stone RB, Tumer IY, Van Wie M (2005) The function-failure design
method. J Mech Des 127(3):397–407
Sweet A, Gorospe G, Daigle M, Celaya JR, Balaban E, Roychoudhury
I, Narasimhan S (2014) Demonstration of prognostics-enabled
Author's personal copy
Research in Engineering Design
1 3
decision making algorithms on a hardware mobile robot test
Upadhyay SK (2010) Common failure distributions. Wiley Encyclope-
dia of operations research and management science
VanBossuyt DL, Hoyle C (2012) Risk attitudes in risk-based design:
considering risk attitude using utility theory in risk-based design.
Artif Intell Eng Des Anal Manuf. https ://
06041 20002 61
VanBossuyt DL, Dong A (2013) On measuring engineering risk atti-
tudes. J Mech Des. https :// 18
Van Bossuyt DL, Tumer IY, Wall SD (2013) A case for trading
risk in complex conceptual design trade studies. Res Eng Des
Weir A (2011) The Martian. Crown Publishing Group, USA
Wertz JR, Everett DF, Puschell JJ (2011) Risk and reliability. In: Space
mission engineering: the new SMAD. Microcosm Press, USA
Widodo A, Shim M-C, Caesarendra W, Yang B-S (2011) Intelli-
gent prognostics for battery health monitoring based on sample
entropy. Expert Syst Appl 38(9):11763–11769
Xing Y, Williard N, Tsui K-L, Pecht M (2011) A comparative review
of prognostics-based reliability methods for lithium batteries. In:
Prognostics and system health management conference (PHM-
Shenzhen). IEEE, pp 1–6
Ye Y (1997) Worst-case analysis. Interior point algorithms: theory
analysis, pp 147–177
Zhang G, Isom J (2011) Gearbox vibration source separation by inte-
gration of time synchronous averaged signals. In: Annual confer-
ence of the prognostics and health management society
Author's personal copy
... Routing and planning decisions are important especially in contexts where systems may be exposed to non-nominal conditions such as in a military context, a space exploration context, etc. because the decisions analyze several priority variables such as the potential for inclement weather and proximity of hazards that can impact the success of the mission [30][31][32][33]. Notably, the cost of time for employing resources against the risk of exposure to threats is a key criterion to consider. ...
... However, during mission execution, an adapted version of this method may be useful for UAS to execute autonomously as battlefield situations change. Indeed, such autonomous system behaviors have been suggested in space systems contexts in the past [30,31,67,68] although without the use of a DT. ...
Full-text available
This article presents a Model-Based Systems Engineering (MBSE) methodology for the development of a Digital Twin (DT) for an Unmanned Aerial System (UAS) with the ability to demonstrate route selection capability with a Mission Engineering (ME) focus. It reviews the concept of ME and integrates ME with a MBSE framework for the development of the DT. The methodology is demonstrated through a case study where the UAS is deployed for a Last Mile Delivery (LMD) mission in a military context where adversaries are present, and a route optimization module recommends an optimal route to the user based on a variety of inputs including potential damage or destruction of the UAS by adversary action. The optimization module is based on Multiple Attribute Utility Theory (MAUT) which analyzes predefined criteria which the user assessed would enable the successful conduct of the UAS mission. The article demonstrates that the methodology can execute a ME analysis for route selection to support a user’s decision-making process. The discussion section highlights the key MBSE artifacts and also highlights the benefits of the methodology which standardizes the decision-making process thereby reducing the negative impact of human factors which may deviate from the predefined criteria.
An open area of research for complex, cyber‐physical systems is how to adequately support decision making using reliability and failure data early in the systems engineering process. Having meaningful reliability and failure data available early offers information to decision makers at a point in the design process where decisions have a high impact to cost ratio. When applied to conceptual system design, widely used methods such as probabilistic risk analysis (PRA) and failure modes effects and criticality analysis (FMECA) are limited by the availability of data and often rely on detailed representations of the system. Further, existing methods for system reliability and failure methods have not addressed failure propagation in conceptual system design prior to selecting candidate architectures. Consideration given to failure propagation primarily focuses on the basic representation where failures propagate forward. In order to address the shortcomings of existing reliability and failure methods, this paper presents the function failure propagation potential methodology (FFPPM) to formalize the types of failure propagation and quantify failure propagation potential for complex, cyber‐physical systems during the conceptual stage of system design. Graph theory is leveraged to model and quantify the connectedness of the functional block diagram (FBD) to develop the metrics used in FFPPM. The FFPPM metrics include (i) the summation of the reachability matrix, (ii) the summation of the number of paths between nodes (i.e., functions) i and j for all i and j, and (iii) the degree and degree distribution. In plain English, these metrics quantify the reachability between functions in the graph, the number of paths between functions, and the connectedness of each node. The FFPPM metrics can then be used to make candidate architecture selection decisions and be used as early indicators for risk. 
The unique contribution of this research is to quantify failure propagation potential during conceptual system design of complex, cyber‐physical systems prior to selecting candidate architectures. FFPPM has been demonstrated using the example of an emergency core cooling system (ECCS) system in a pressurized water reactor (PWR).
This paper presents a method to conceptually model sacrificing non-critical sub-systems, or components, in a failure scenario to protect critical system functionality through a functional failure modeling technique. Understanding the potential benefits and drawbacks of choosing how a failure is directed in a system away from critical sub-systems and toward sub-systems that can be sacrificed to maintain core functionality can help system designers to design systems that are more likely to complete primary mission objectives despite failure events. Functional modeling techniques are often used during the early stage of conceptual design for complex systems to provide a better understanding of system architecture. A family of methods exists that focuses on the modeling of failure initiation and propagation within a functional model of a system. Modeling failure flow provides an opportunity to understand system failure propagation and inform system design iteration for improved survivability and robustness. Currently, the ability to model failure flow decision-making is missing from the family of function failure and flow methodologies. The failure flow decision function (FFDF) methodology presented in this paper enables system designers to model failure flow decision-making problems where functions and flows that are critical to system operation are protected through the sacrifice of less critical functions and flow exports. The sacrifice of less critical system functions and flows allows for mission critical functionality to be preserved, leading to a higher rate of mission objective completion. An example of FFDF application in a physical design is a non-critical peripheral piece of electrical hardware being sacrificed during an electrical surge condition to protect critical electronics necessary for the core functionality of the system. In this paper, a case study of the FFDF method is presented based on a Sojourner class Mars Exploration Rover (MER) platform.
Conference Paper
Autonomous systems operating in dangerous and hard-to-reach environments such as defense systems deployed into enemy territory, petroleum installations running in remote arctic and offshore environments, or space exploration systems operating on Mars and further out in the solar system often are designed with a wide operating envelope and deployed with control systems that are designed to both protect the system and complete mission objectives, but only when the on-the-ground environment matches the expected and designed for environment. This can lead to overly conservative operating strategies such as preventing a rover on Mars from exploring a scientifically rich area due to potential hazards outside of the original operating envelope and can lead to unanticipated failures such as the loss of underwater autonomous vehicles operating in Earth's oceans. This paper presents an iterative method that links computer simulation of operations in unknown and dangerous environments with conceptual design of systems and development of control system algorithms. The Global to Local Path Finding Design and Operation Exploration (GLPFDOE) method starts by generating a general mission plan from low resolution environmental information taken from remote sensing data (e.g.: satellites, plane flyovers, telescope observations, etc.) and then develops a detailed path plan from simulated higher-resolution data collected "in situ" during simulator runs. GLPFDOE attempts to maximize system survivability and scientific or other mission objective yield through iterating on control system algorithms and system design within an in-house-developed physics-based autonomous vehicle and terrain simulator.
GLPFDOE is best suited for autonomous systems that cannot have easy human intervention during operations such as in the case of robotic exploration reaching deeper into space where communications delays become unacceptably large and the quality of a priori knowledge of the environment becomes lower fidelity. Additionally, in unknown extraterrestrial environments, a variety of unexpected hazards will be encountered that must be avoided and areas of scientific interest will be found that must be explored. Existing exploratory platforms such as the Mars Exploratory Rovers (MERs) Curiosity and Opportunity either operate in environments that are sufficiently removed from immediate danger or take actions slowly enough that the signal delay between the system and Earth-based operators is not too great to allow for human intervention in hazardous scenarios. Using the GLPFDOE methodology, an autonomous exploratory system can be developed that may have a higher likelihood of survivability, can accomplish more scientific mission objectives thus increasing scientific yield, and can decrease risk of mission-ending system damage. A case study is presented in which an autonomous Mars Exploration Rover (MER) is generated and then refined in a simulator using the GLPFDOE method. Development of the GLPFDOE methodology allows for the execution of more complex missions by autonomous systems in remote and inaccessible environments.
Conference Paper
Operation of autonomous and semi-autonomous systems in hostile and expensive-to-access environments requires great care and a risk-informed operating mentality to protect critical system assets. Space exploration missions, such as the Mars Exploration Rover systems Opportunity and Curiosity, are very costly and difficult to replace. These systems are operated in a very risk-averse manner to preserve the functionality of the systems. By constraining system operations to risk-averse activities, scientific mission goals cannot be achieved if they are deemed too risky. We present a quantifiable method that increases the lifetime efficiency of obtaining scientific goals via the implementation of the Goal-Oriented, Risk Attitude-Driven Reward Optimization (GORADRO) method and a case study conducted with simulated testing of the method. GORADRO relies upon local area information obtained by the system during operations and internal Prognostics and Health Management (PHM) information to determine system health and potential localized risks such as areas where a system may become trapped (e.g.: sand pits, overhangs, overly steep slopes, etc.) while attempting to access scientific mission objectives through using an adaptable operating risk attitude. The results of our simulations and hardware validation using GORADRO show a large increase in the lifetime performance of autonomous rovers in a variety of environments, terrains, and situations given a sufficiently tuned set of risk attitude parameters. Through designing a GORADRO behavioral risk attitude set of parameters, it is possible to increase system resilience in unknown and dangerous environments encountered in space exploration and other similarly hazardous environments.
In recent years, the Mars One program has gained significant publicity for its plans to colonize the red planet. Beginning in 2025, the program plans to land four people on Mars every 26 months via a series of one-way missions, using exclusively existing technology. This one-way approach has frequently been cited as a key enabler of accelerating the first crewed landing on Mars. While the Mars One program has received considerable attention, little has been published in the technical literature regarding the formulation of its mission architecture. In light of this, we perform an independent analysis of the technical feasibility of the Mars One mission plan, focusing on the architecture of the life support and in-situ resource utilization (ISRU) systems, and their impact on sparing and space logistics. To perform this analysis, we adopt an iterative analysis approach in which we model and simulate the mission architecture, assess its feasibility, implement any applicable modifications while attempting to remain within the constraints set forth by Mars One, and then resimulate and reanalyze the revised version of the mission architecture. Where required information regarding the Mars One mission architecture is not available, we assume numerical values derived from standard spaceflight design handbooks and documents. Through four iterations of this process, our analysis finds that the Mars One mission plan, as publicly described, is not feasible. 
This conclusion is obtained from analyses based on mission assumptions derived from and constrained by statements made by Mars One, and is the result of the following findings: (1) several technologies including ISRU, life support, and entry, descent, and landing (EDL) are not currently "existing, validated and available" as claimed by Mars One; (2) the crop growth area described by Mars One is insufficient to feed their crew; (3) increasing the crop growth area to provide sufficient food for the crew leads to atmospheric imbalances that require a prohibitively large ISRU atmospheric processor or a notably different system architecture to manage; and (4) at least 13 Falcon Heavy launches are needed to deliver a portion of the required equipment to the Martian surface, a value that is at least double that planned by Mars One for the same mission phase. Most importantly, we find that the one-way nature of the Mars One mission, coupled with its plans to increase its crew population every 26 months, causes the operating costs of the program to grow continually over time. This is due to the fact that maintaining a growing colony on the Martian surface incurs increasing equipment and spare parts resupply requirements and hence launch costs over time. Based on published launch vehicle and lander estimates, our analysis finds that by the launch of the fifth crew, the cost associated with launching a portion of all required equipment and spares is approximately equal to half of the total NASA FY2015 budget, and this cost will grow when other critical systems outside the scope of this analysis are included. To mitigate these costs and bring the plan closer towards feasibility, we recommend a number of mission architecture modifications and technology development efforts be implemented before the initiation of any Mars settlement campaign.
These include the further development of EDL, life support, and ISRU technologies, as well as additive manufacturing technology that utilizes ISRU-derived Martian feedstock as a potential means to address the growing cost of resupply.
Maximizing turbine up-time and reducing maintenance costs are key technology drivers for wind turbine operators. Components within wind turbines are subject to considerable stresses due to unpredictable environmental conditions resulting from rapidly changing local dynamics. In that context, systems health management has the aim to assess the state-of-health of components within a wind turbine, to estimate remaining life, and to aid in autonomous decision-making to minimize damage to the turbine. Advanced contingency control is one way to enable autonomous decision-making by providing the mechanism to enable safe and efficient turbine operation. The work reported herein explores the integration of condition monitoring of wind turbine blades with contingency control to balance the trade-offs between maintaining system health and energy capture. Results are demonstrated using a high fidelity simulator of a utility-scale wind turbine.
This paper presents an empirical model to describe battery behavior during individual discharge cycles as well as over its cycle life. The basis for the form of the model has been linked to the internal processes of the battery and validated using experimental data. Subsequently, the model has been used in a Particle Filtering framework to make predictions of remaining useful life for individual discharge cycles as well as for cycle life. The prediction performance was found to be satisfactory as measured by performance metrics customized for prognostics. The work presented here provides initial steps towards a comprehensive health management solution for energy storage devices.
This research defines the basis for a new quantitative approach for retrieving useful analogies for innovation based on the relevant performance characteristics of functions. The concept of critical functionality is the idea of identifying only a certain set of pertinent design functions observed in a single domain that significantly define the functionality of the product. A critical function (CF) is a function within a functional model whose performance directly relates to a key performance parameter (KPP) of the system as a whole. These CFs will enable multiple analogies to be presented to a designer by recognizing similar functionality across distant design domains and incorporating key performance criteria. The ultimate focus of this research project is to create a performance-metric-based analogy library, called the design analogy performance parameter system (DAPPS). By focusing on a select set of "critical" functions, more design domains can be included in the database facilitating analogy retrieval founded on the qualification of KPPs.
Conference Paper
This paper describes a simple approach for integrating all the time synchronous average (TSA) signals from multiple shafts of a gearbox to generate a composite time synchronous average which can be subtracted from the original signal to generate a second-order cyclostationary residual. This approach is compared with other techniques including an all-shaft TSA over the least common multiple of shaft rotation periods, high-pass filtering, and self-adaptive noise cancellation (SANC). The results demonstrate that the proposed approach produces an integrated TSA signal that includes only the shaft components, gear mesh components and the sidebands associated with all the shafts, while the residual contains the random vibration components and noise. The results produced by three alternative techniques do not separate the components as well or have a lower signal-to-noise ratio.