NASA’s Space Launch System rocket carrying the Orion spacecraft with NASA astronauts Reid Wiseman, commander; Victor Glover, pilot; Christina Koch, mission specialist; and CSA (Canadian Space Agency) astronaut Jeremy Hansen, mission specialist onboard launches on the Artemis II mission, Wednesday, April 1, 2026, from Launch Complex 39B at NASA’s Kennedy Space Center in Florida. NASA’s Artemis II mission will take Wiseman, Glover, Koch, and Hansen on a 10-day journey around the Moon and back aboard their Orion spacecraft. The quartet launched at 6:35 p.m. EDT, from Launch Complex 39B at the Kennedy Space Center. Text and Image Credit: NASA/Joel Kowsky
What Building Artemis Flight Software At NASA Taught Me About Safety For Autonomous Vehicles
When NASA’s Artemis 2 crew splashed down in the Pacific Ocean after the first crewed lunar mission in more than 50 years, software that I built helped complete the voyage home.
This was a moment I had looked forward to for more than a decade.
I spent 13 years at NASA’s Johnson Space Center working on human spaceflight systems, starting on the Space Shuttle program and then moving to the Orion crew capsule that carried the four Artemis 2 astronauts back to Earth. What many people don’t realize is that Orion is an autonomous vehicle, capable of safely guiding its astronaut occupants home using its on-board sensors and computers.
I built and certified flight software for some of Orion’s most safety-critical guidance algorithms. This is the kind of software where getting it wrong doesn’t mean a bug report; it means losing a crew.
The same safety principles I used at NASA now guide my work in delivering safe autonomous driving technology at Kodiak.
The safety engineering challenge of deploying a self-driving truck is just as hard as the challenge of bringing astronauts back from space, and the engineering disciplines are far more alike than many people realize.
What NASA really instilled in me was a culture of vigilance, of healthy paranoia, of assuming that the next failure mode is the one you haven't thought of yet. At NASA, you learn to distrust your own confidence. You learn to operate with humility. You learn that the moment you stop looking for what can go wrong is the moment it will. I carry that mindset with me every day at Kodiak.
What I Built For Orion
Orion hit Earth's atmosphere at roughly 25,000 mph, or about Mach 32. The kinetic energy at that moment is approximately 650 gigajoules: enough to fully charge about 2,400 Teslas, or power the entire city of Mountain View for five hours. In just thirteen minutes, all of that energy needs to safely bleed off through heat generated by drag, while simultaneously steering to a landing zone the size of a small lake. To successfully return, the Orion spacecraft must re-enter the atmosphere with less than 0.1 degrees of error in the flight path angle. If Orion misses that window, the spacecraft could skip off the atmosphere or come in too steep and subject the capsule to unsurvivable heating and G-loads.
Over my eleven years on the Orion program, I was a member of the team that built and certified much of the onboard guidance software that manages this problem. I developed the Entry Monitor, the onboard system that computes the spacecraft's reachable landing area during re-entry, evaluates whether the primary target is still achievable, and recommends alternatives as needed.
The Entry Monitor is the crew's primary instrument for situational awareness during one of the most dangerous, dynamic phases of the mission: re-entry. I also helped refactor and verify Orion's primary entry guidance algorithm, its orbit powered flight guidance algorithm, onboard orbital trajectory prediction algorithms, and its onboard trajectory targeting system, transforming each from working prototypes into safety-rated software certified to NASA's stringent Class A flight software standards (roughly equivalent to ASIL-D in automotive terms). That certification process meant 100% MC/DC code coverage, full bidirectional requirements traceability, and closure of every static analysis finding.
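To make the MC/DC criterion concrete: modified condition/decision coverage requires, for every condition in a boolean decision, a pair of test cases that differ only in that condition and flip the decision's outcome, which is why a set that merely exercises both outcomes of the decision is not enough. The block below is an added illustration written for this post, not Orion flight code; the decisions in it are constructed stand-ins, not guidance conditions, and the brute-force search is only practical for the handful of conditions a single decision usually has.

```python
"""What 100% MC/DC means: a brute-force checker and minimal-set finder for a
small boolean decision. Added example; the decisions are constructed."""
from itertools import combinations, product


def independence_pairs(decision, n):
    """For each condition i, the pairs of inputs that differ only in condition i
    and flip the decision's outcome. Any one such pair shows that condition i
    independently affects the outcome, which is what MC/DC demands."""
    pairs = {i: [] for i in range(n)}
    for a in product((False, True), repeat=n):
        for i in range(n):
            if a[i]:
                continue                      # visit each pair from its False side once
            b = a[:i] + (True,) + a[i + 1:]
            if decision(*a) != decision(*b):
                pairs[i].append((a, b))
    return pairs


def is_mcdc_complete(decision, n, tests):
    """True if `tests` contains an independence pair for every condition."""
    chosen = set(tests)
    pairs = independence_pairs(decision, n)
    return all(any(a in chosen and b in chosen for a, b in pairs[i]) for i in range(n))


def minimal_mcdc_set(decision, n):
    """Smallest test set achieving MC/DC, or None when some condition can never
    independently affect the outcome (a dead or masked condition, which a
    certification review has to justify or remove)."""
    pairs = independence_pairs(decision, n)
    if any(not pairs[i] for i in range(n)):
        return None
    inputs = list(product((False, True), repeat=n))
    for size in range(1, len(inputs) + 1):
        for subset in combinations(inputs, size):
            if is_mcdc_complete(decision, n, subset):
                return sorted(subset)
    return None


def demo():
    # Constructed three-condition decision, read it as
    # "primary healthy and (vote agrees or backup confirms)".
    decision = lambda a, b, c: a and (b or c)
    minimal = minimal_mcdc_set(decision, 3)
    # Two cases give 100% decision coverage (both outcomes seen) but not MC/DC.
    weak = is_mcdc_complete(decision, 3, [(True, True, True), (False, False, False)])
    # Here b can never change the outcome on its own, so MC/DC is unattainable.
    dead = minimal_mcdc_set(lambda a, b: a and (b or a), 2)
    return {"minimal": minimal, "decision_cov_only": weak, "dead_condition": dead}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

For the three-condition decision the search returns four tests, the smallest possible set (one more than the number of conditions), and the redundant-condition case returns None, which is the kind of finding a coverage tool surfaces and a reviewer then has to close.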
I also developed Clutch, Orion's backup entry guidance algorithm, from concept through simulation to flight certification. Clutch is designed to provide continuous safe-abort coverage during a failure scenario where the standard emergency mode was unreliable.
To verify these systems, our NASA-led teams ran millions of Monte Carlo simulations with dispersions on atmosphere, aerodynamics, mass properties, navigation errors, sensor noise, winds, parachute performance, and many other factors, so that rare events would surface somewhere in those millions of combinations. That's how NASA builds confidence that onboard autonomy software will perform across the full range of conditions it might actually encounter, not just the nominal case.
My past NASA experience informs Kodiak’s strategy for formulating our rare-event estimation framework, known as BreakPoint. BreakPoint utilizes Monte Carlo simulation methods and other sophisticated algorithms to enable us to efficiently estimate risk across a wide spectrum of factors that can affect driving performance.
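The two paragraphs above describe the problem in general terms, so here is a small worked version of it. This is an added example written for this post, not the Orion Monte Carlo or Kodiak's BreakPoint code. The dispersion model is a constructed toy: the flight path angle error at entry interface is the sum of three independent Gaussian error sources whose names and sigmas are made up, and a miss means the error exceeds the 0.1 degree corridor mentioned earlier. It contrasts plain Monte Carlo, which at this event rate sees only a handful of misses in 50,000 runs, with importance sampling, which widens the sampling distribution and re-weights each run so that the rare event is estimated from thousands of samples instead; widening the sigma is one simple proposal choice for a two-sided event and is an assumption of this example, not a description of BreakPoint's method.

```python
"""Rare-event estimation of an entry-corridor miss: plain Monte Carlo versus
importance sampling. Added example; the error-source names and sigmas are
constructed, not Orion or BreakPoint numbers."""
import math
import random

CORRIDOR_DEG = 0.1   # the corridor half-width quoted in the text
# Constructed 1-sigma contributions to flight path angle error (degrees),
# chosen so that a corridor miss is roughly a 4-sigma event.
DISPERSIONS = {
    "navigation_state": 0.015,
    "correction_burn_execution": 0.018,
    "unmodeled_perturbations": 0.0087,
}


def exact_miss_probability(sigmas=DISPERSIONS, corridor=CORRIDOR_DEG):
    """Closed form for this toy model only: the total error is N(0, s^2) with
    s^2 = sum of sigma^2, so P(|error| > c) = erfc(c / (s * sqrt(2)))."""
    s = math.sqrt(sum(v * v for v in sigmas.values()))
    return math.erfc(corridor / (s * math.sqrt(2)))


def plain_monte_carlo(n, sigmas=DISPERSIONS, corridor=CORRIDOR_DEG, seed=1):
    """Draw every dispersion from its nominal distribution and count misses."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        err = sum(rng.gauss(0.0, s) for s in sigmas.values())
        if abs(err) > corridor:
            hits += 1
    return {"estimate": hits / n, "hits": hits, "n": n}


def importance_sampling(n, scale=3.0, sigmas=DISPERSIONS, corridor=CORRIDOR_DEG, seed=1):
    """Sample each dispersion from a widened proposal (sigma * scale) so misses
    are common, and weight each miss by the likelihood ratio p(x)/q(x) so the
    average stays unbiased for the nominal distribution."""
    rng = random.Random(seed)
    hits = 0
    weight_sum = 0.0
    for _ in range(n):
        err = 0.0
        log_w = 0.0
        for s in sigmas.values():
            x = rng.gauss(0.0, s * scale)
            err += x
            # log( N(x; 0, s) / N(x; 0, s * scale) )
            log_w += math.log(scale) - (x * x) / (2.0 * s * s) * (1.0 - 1.0 / (scale * scale))
        if abs(err) > corridor:
            hits += 1
            weight_sum += math.exp(log_w)
    return {"estimate": weight_sum / n, "hits": hits, "n": n}


def zero_failure_upper_bound(n):
    """Rule of three: n runs with no failure only support P(failure) < 3/n at
    roughly 95% confidence. Check this before claiming a requirement is met."""
    return 3.0 / n


if __name__ == "__main__":
    exact = exact_miss_probability()
    plain = plain_monte_carlo(50_000)
    weighted = importance_sampling(50_000)
    print(f"exact miss probability: {exact:.3e}")
    print(f"plain MC, {plain['hits']} misses in {plain['n']} runs: {plain['estimate']:.3e}")
    print(f"importance sampling, {weighted['hits']} weighted misses: {weighted['estimate']:.3e}")
    print(f"zero-failure bound for {plain['n']} runs: {zero_failure_upper_bound(plain['n']):.3e}")
```

The last function is the caveat a reviewer should apply to any "we ran it N times and nothing bad happened" argument: 50,000 clean runs only bound the failure rate at about 6e-5, which in this toy is not even below the true miss probability, so a rare-event method or far more runs are needed before the number means anything.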
From 2018 to 2021, I was the NASA Lead for the development of Orion's Backup Flight Software, a distinct software system running on a separate flight computer that serves as a hot standby. It continuously computes and issues commands as though it's in control, but those commands are ignored so long as the four primary flight computers are healthy. The instant the primary system fails, the backup takes over seamlessly.
This closely mirrors how the Kodiak Driver is able to instantly switch from nominal driving into degraded operations to safely get the vehicle into a minimum risk condition.
Earlier in my career, I supported Orion's first flight, Exploration Flight Test 1, in 2014, and supported probabilistic risk assessment (PRA) of re-entry debris by modeling upper stage breakup trajectories over populated areas. That early PRA work planted the seed for what I do now. The Kodiak PRA model leverages similar approaches to quantitatively estimate collision risk, a critical element of our broader Kodiak safety case.
And that brings me to autonomous trucking.
The Parallels to Autonomous Trucking
At Kodiak, I'm the Lead Systems Engineer for Autonomy Software. Since joining in 2023, I've helped lead the company's efforts in Probabilistic Risk Assessment, our BreakPoint rare-event estimation program, the safety case, and fault management architecture. Our job is to build the safety case for driverless truck operations to demonstrate, with quantitative rigor, that the system is acceptably safe.
The domains are different. An autonomous truck doesn't re-enter the atmosphere at 25,000 mph. But the fundamental engineering challenges are remarkably similar:
Just as Orion has redundancy layers, an autonomous truck needs layers of capability that degrade gracefully when faults occur. The primary autonomy stack handles a range of nominal driving conditions. When faults are detected, the fault management system responds appropriately and manages the safety risk effectively while following the principles of graceful degradation. The architecture isn't an accident; it's driven by systematic fault analysis.
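The hot-standby arrangement described for Orion's Backup Flight Software and the graceful-degradation layering described just above share one structure: a voted set of primary channels, a backup that computes every cycle whether or not anyone listens, and a final fallback when both are gone. The block below is an added illustration written for this post, not Orion's or the Kodiak Driver's code. The voting rule (mid-value select with an agreement tolerance and at least two agreeing primaries), the toy proportional guidance law, the "hold" command used as the minimum risk condition and the fault schedule are all assumptions chosen to show the structure, not NASA's or Kodiak's actual scheme.

```python
"""Toy redundancy manager: four voting primary channels, a hot-standby backup
that computes every cycle, and a minimum-risk fallback. Added example; the
voting rule, guidance law and fault schedule are assumptions."""
from dataclasses import dataclass, field
from statistics import median
from typing import Callable, Dict, List, Optional


@dataclass
class Channel:
    """One flight computer running a toy proportional guidance law."""
    name: str
    healthy: bool = True      # self-reported health; a failed channel reports nothing
    bias: float = 0.0         # latent fault: wrong output while still reporting healthy
    gain: float = 0.5

    def compute(self, state: float, target: float) -> Optional[float]:
        if not self.healthy:
            return None
        return self.gain * (target - state) + self.bias


@dataclass
class Decision:
    source: str               # "primary", "backup" or "mrc"
    command: float
    excluded: List[str] = field(default_factory=list)


@dataclass
class RedundancyManager:
    primaries: List[Channel]
    backup: Channel
    min_agreeing: int = 2     # assumption: fewer agreeing primaries than this is untrusted
    tolerance: float = 1e-3   # assumption: allowed deviation from the mid-value
    mrc_command: float = 0.0  # assumption: "hold" as the minimum risk condition

    def select(self, state: float, target: float) -> Decision:
        # The backup runs every cycle as if it were in control; its output is
        # discarded unless the primary set is rejected below.
        backup_cmd = self.backup.compute(state, target)

        outputs = {c.name: c.compute(state, target) for c in self.primaries}
        alive = {n: v for n, v in outputs.items() if v is not None}
        excluded = [n for n, v in outputs.items() if v is None]
        if alive:
            mid = median(alive.values())
            for name, value in list(alive.items()):
                if abs(value - mid) > self.tolerance:   # silent fault: disagrees with the vote
                    excluded.append(name)
                    del alive[name]
        if len(alive) >= self.min_agreeing:
            return Decision("primary", median(alive.values()), excluded)
        if backup_cmd is not None:
            return Decision("backup", backup_cmd, excluded)
        return Decision("mrc", self.mrc_command, excluded)


def simulate(manager: RedundancyManager, state: float, target: float, steps: int,
             faults: Dict[int, Callable[[RedundancyManager], None]]) -> List[dict]:
    """Step a toy plant (state += command) and log which source was in control.
    `faults` maps a tick to an injection applied before that tick's selection."""
    trace = []
    for tick in range(steps):
        if tick in faults:
            faults[tick](manager)
        d = manager.select(state, target)
        state += d.command
        trace.append({"tick": tick, "source": d.source, "command": d.command,
                      "excluded": d.excluded, "state": state})
    return trace


def run_demo() -> List[dict]:
    """Constructed schedule: a silent bias on B at tick 2, loss of A, C and D at
    tick 4 (the backup must take over that same tick), loss of the backup at 7."""
    manager = RedundancyManager(primaries=[Channel(n) for n in "ABCD"],
                                backup=Channel("BFS"))
    faults = {
        2: lambda m: setattr(m.primaries[1], "bias", 0.2),
        4: lambda m: [setattr(m.primaries[i], "healthy", False) for i in (0, 2, 3)],
        7: lambda m: setattr(m.backup, "healthy", False),
    }
    return simulate(manager, state=10.0, target=0.0, steps=10, faults=faults)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Two things in the trace are the point. At tick 2 the biased channel is outvoted and excluded while still reporting itself healthy, which is the case a health bit alone never catches. At tick 4 the backup's command is already correct on the very tick the primaries are lost, because it has been tracking the same state all along rather than initialising on handover; and when the backup is lost too, the manager still returns a defined command rather than nothing.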
Why This Matters
The AV industry has spent a lot of time talking about safety. Kodiak is not borrowing aerospace language. We're applying aerospace discipline. Our PRA model is the analytical backbone of our Safety Case and applies the same rigorous probabilistic methods, embraced by NASA, to demonstrate that risk is acceptably low. Our fault management architecture is a system we design, implement, test, and trace to ensure that any system malfunctions are contained and safely handled on the road. Our BreakPoint program exists specifically to hunt for the rare events that conventional testing approaches will never find.
I spent a decade building software to bring astronauts home safely. On Artemis 2, some of that software was deployed for real, with four people aboard, for the first time. It's the culmination of years of methodical engineering.
The work I do at Kodiak is the same work, applied to a different vehicle, in a different environment, at a different speed. But the stakes are the same: getting people home safely. And the engineering discipline required to meet those stakes doesn't change whether you're decelerating from Mach 32 or merging onto Interstate 10.
_______________________________________
Kelly Smith is Lead Systems Engineer for Autonomy Software at Kodiak, where since 2023 Kelly has led the company's Probabilistic Risk Assessment, BreakPoint rare-event estimation, Safety Case, and Fault Management efforts. Previously, Kelly spent thirteen years at NASA Johnson Space Center as an Aerospace Engineer on the Orion program, serving as a Trajectory Officer (TRAJ) in Mission Control for the EFT-1 mission and contributing to flight software for entry guidance, orbit guidance, trajectory targeting, and the Backup Flight Software system.
Images sourced from NASA. NASA is acknowledged as the source of this material. Use does not imply NASA endorsement of Kodiak or its products or services.