Beruflich Dokumente
Kultur Dokumente
6 March 2009
Space product
assurance
Safety
ECSS Secretariat
ESA-ESTEC
Requirements & Standards Division
Noordwijk, The Netherlands
ECSSQST40C
6March2009
Foreword
This Standard is one of the series of ECSS Standards intended to be applied together for the
management, engineering and product assurance in space projects and applications. ECSS is a
cooperative effort of the European Space Agency, national space agencies and European industry
associationsforthepurposeofdevelopingandmaintainingcommonstandards.Requirementsinthis
Standardaredefinedintermsofwhatshallbeaccomplished,ratherthanintermsofhowtoorganize
and perform the necessary work. This allows existing organizational structures and methods to be
appliedwheretheyareeffective,andforthestructuresandmethodstoevolveasnecessarywithout
rewritingthestandards.
This Standard has been prepared by the ECSSQST40C Working Group, reviewed by the ECSS
ExecutiveSecretariatandapprovedbytheECSSTechnicalAuthority.
Disclaimer
ECSSdoesnotprovideanywarrantywhatsoever,whetherexpressed,implied,orstatutory,including,
butnotlimitedto,anywarrantyofmerchantabilityorfitnessforaparticularpurposeoranywarranty
that the contents of the item are errorfree. In no respect shall ECSS incur any liability for any
damages,including,butnotlimitedto,direct,indirect,special,orconsequentialdamagesarisingout
of, resulting from, or in any way connected to the use of this Standard, whether or not based upon
warranty,businessagreement,tort,orotherwise;whetherornotinjurywassustainedbypersonsor
propertyorotherwise;andwhetherornotlosswassustainedfrom,oraroseoutof,theresultsof,the
item,oranyservicesthatmaybeprovidedbyECSS.
Publishedby:
Copyright:
ESARequirementsandStandardsDivision
ESTEC, P.O. Box 299,
2200 AG Noordwijk
The Netherlands
2009 by the European Space Agency for the members of ECSS
ECSSQST40C
6March2009
Change log
ECSSQ40A
Firstissue
19April1996
ECSSQ40B
Secondissue
17May2002
ECSSQST40C
Thirdissue
6March2009
ThemainchangesbetweenECSSQ40Bandthecurrentversionarethe
following:
CompleteandthoroughreviewofECSSQ40Bwiththefocuson
simplificationandstreamliningtoimproveclarityandconsistency
ofrequirements.
ApplicabilityguidelinesofECSSQST40tothedifferentspace
systemshasbeendefined(seeapplicabilitymatrixprovidedin
AnnexE).
Systemsafetyprogrammerequirementsreworked,i.e.thesystem
safetyprogrammesupportstheriskmanagementprocess
describedinECSSMST80.
Spacedebrismitigationstreamlined.
Atmosphericreentryaddressed.
Safetydesignprinciplesreworked.
Safetyriskreductionandcontrolupdated.
Safetyanalysisrequirementsandtechniquesupdated.
Commonschemeforconsequenceseverityclassificationusedin
ECSSQST30CandECSSQST40C.
Identificationandcontrolofsafetycriticalfunctionsupdated.
EstablishedlinktoECSSstandardonCriticalitemcontrol
(ECSSQST1004).
HarmonizedECSSQST40CwithassociatedLevel3standards.
InformativeannexonEuropeanlegislationandCEmarking
added(AnnexF).
DRDsrevisitedandupdated.
DocumentreworkedtobeincompliancewithECSSstandards
draftingrules.
ECSSQST40C
6March2009
Table of contents
Change log .................................................................................................................3
1 Scope.......................................................................................................................8
2 Normative references .............................................................................................9
3 Terms, definitions and abbreviated terms..........................................................10
3.1
3.2
3.3
4 Safety principles...................................................................................................14
4.1
Objective ..................................................................................................................14
4.2
Policy........................................................................................................................14
4.3
4.2.1
General.......................................................................................................14
4.2.2
Implementation ...........................................................................................14
Scope .......................................................................................................................16
5.2
5.3
Conformance............................................................................................................16
5.4
Safety organization...................................................................................................17
5.4.1
5.4.2
5.4.3
Safety audits...............................................................................................18
5.4.4
Approval of documentation......................................................................... 18
5.4.5
5.4.6
5.4.7
5.5
5.6
5.7
ECSSQST40C
6March2009
5.7.1
5.7.2
Progress meetings......................................................................................23
5.7.3
5.8
5.9
General.......................................................................................................24
5.9.2
5.9.3
5.9.4
5.9.5
Training records..........................................................................................25
General.......................................................................................................25
5.11.2
5.11.3
5.11.4
5.11.5
Overview ..................................................................................................................28
6.2
6.3
6.4
6.3.1
6.3.2
6.3.3
6.3.4
Environmental compatibility........................................................................31
6.3.5
6.3.6
6.3.7
6.3.8
6.3.9
6.3.10
6.3.11
Access ........................................................................................................33
6.4.2
6.4.3
6.4.4
ECSSQST40C
6March2009
6.5
6.6
Identification ...............................................................................................38
6.5.2
Inadvertent operation..................................................................................38
6.5.3
Status information....................................................................................... 38
6.5.4
6.5.5
6.5.6
Operational Safety....................................................................................................39
6.6.1
Basic requirements..................................................................................... 39
6.6.2
6.6.3
Ground operations......................................................................................41
Overview ..................................................................................................................43
7.2
General.....................................................................................................................43
7.3
7.3.2
7.3.3
7.3.4
7.3.5
Justification.................................................................................................44
7.3.6
7.4
7.5
General.......................................................................................................45
7.5.2
7.5.3
7.5.4
8 Safety verification.................................................................................................50
8.1
General.....................................................................................................................50
8.2
8.3
8.2.1
8.2.2
8.2.3
Documentation ...........................................................................................50
8.3.2
8.3.3
Analysis ......................................................................................................51
6
ECSSQST40C
6March2009
8.4
8.5
8.6
8.3.4
Inspections .................................................................................................51
8.3.5
Validation....................................................................................................52
8.4.2
Qualification................................................................................................ 52
8.4.3
8.4.4
8.4.5
8.5.2
Tables
Table 6-1: Severity of consequences ..................................................................................... 35
ECSSQST40C
6March2009
1
Scope
This Standard defines the safety programme and the safety technical
requirementsaimingtoprotectflightandgroundpersonnel,thelaunchvehicle,
associatedpayloads,groundsupportequipment,thegeneralpublic,publicand
private property, the space system and associated segments and the
environmentfromhazardsassociatedwithEuropeanspacesystems.
ThisStandardisapplicabletoallEuropeanspaceprojects.
Thisstandardmaybetailoredforthespecificcharacteristicandconstraintsofa
spaceprojectinconformancewithECSSSST00.
ECSSQST40C
6March2009
2
Normative references
The following normative documents contain provisions which, through
reference in this text, constitute provisions of this ECSS Standard. For dated
references,subsequentamendmentsto,orrevisionofanyofthesepublications
donotapply.However,partiestoagreementsbasedonthisECSSStandardare
encouragedtoinvestigatethepossibilityofapplyingthemorerecenteditionsof
the normative documents indicated below. For undated references, the latest
editionofthepublicationreferredtoapplies.
ECSSSST0001
ECSSsystemGlossaryofterms
ECSSEST10
SpaceengineeringSystemengineeringgeneral
requirements
ECSSEST3201
SpaceengineeringFracturecontrol
ECSSEST3210
SpaceengineeringStructuralfactorsofsafetyfor
spaceflighthardware
ECSSEST40
SpaceengineeringSoftwaregeneralrequirements
ECSSMST10
SpaceprojectmanagementProjectplanningand
implementation
ECSSMST40
SpaceprojectmanagementConfigurationand
informationmanagement
ECSSMST80
SpaceprojectmanagementRiskmanagement
ECSSQST10
SpaceproductassuranceProductassurance
management
ECSSQST1004
SpaceproductassuranceCriticalitemcontrol
ECSSQST20
SpaceproductassuranceQualityassurance
ECSSQST30
SpaceproductassuranceDependability
ECSSQST60
SpaceproductassuranceElectrical,electronicand
electromechanical(EEE)components
ECSSQST70
SpaceproductassuranceMaterials,mechanicalparts
andprocesses
ECSSQST80
SpaceproductassuranceSoftwareproductassurance
ECSSQST40C
6March2009
3
Terms, definitions and abbreviated terms
3.1
(SpecifictothisStandard)Hazardsarepotential
threats to the safety of a system. They are not
events.
hazardousevent
inhibit
risk
safety
NOTE
safetycriticalfunction
3.2
cause
actionorconditionbywhichahazardouseventisinitiated(aninitiatingevent)
NOTE1 The cause can arise as the result of failure,
human error, design inadequacy, induced or
natural environment, system configuration or
operationalmode(s).
NOTE2 This definition is specific to this Standard,
whenusedinthecontextofhazardanalysis.
10
ECSSQST40C
6March2009
3.2.2
fail-safe
design property of a system (or part of it), which prevents its failures from
resultingincriticalorcatastrophicconsequences
NOTE
3.2.3
hazard control
3.2.4
hazardous command
3.2.5
hazard reduction
processofeliminationorminimizationandcontrolofhazards
3.2.6
hazard scenario
sequence of events leading from the initial cause to the unwanted safety
consequence
NOTE
3.2.7
Thecausecanbeasingleinitiatingevent,oran
additional action or a change of condition
activatingadormantproblem.
likelihood
probabilityofoccurrenceorthemeasurefortheoccurrencerate
3.2.8
operator error
3.2.9
entity that defines or makes applicable, for a given project, detailed technical
safetyrequirements,andreviewstheirimplementation
3.2.10
safety audit
11
ECSSQST40C
6March2009
3.2.11
safety risk
measure of the threat to safety posed by the hazard scenarios and their
consequences
NOTE1 Safety risk is always associated with a specific
hazardscenariooraparticularsetofscenarios.
The risk posed by a single scenario is called
individualscenariorisk.Theriskposedbyaset
of scenarios with the same top consequence is
calledoverallrisk.
NOTE2
3.2.12
Themagnitudeofasafetyriskisacombination
of the severity and the likelihood of the
consequence.
parameterthatmakesitpossibletoassessthestatusofanimplementedhazard
control
3.2.13
system
3.2.14
system safety
applicationofengineeringandmanagementprinciples,criteria,andtechniques
to optimize all aspects of safety within the constraints of operational
effectiveness,time,andcostthroughoutallphasesofthesystemlifecycle
[ISO146201]
3.3
Abbreviated terms
ForthepurposeofthisStandard,theabbreviatedtermsfromECSSSST0001
andthefollowingapply:
Abbreviation
Meaning
AR
acceptancereview
CCB
configurationcontrolboard
CDR
criticaldesignreview
12
ECSSQST40C
6March2009
CRR
commissioningresultreview
EEE
electronic,electrical,electromechanical
ELR
endoflifereview
FMEA
failuremodesandeffectsanalysis
FMECA
failuremodes,effectsandcriticalityanalysis
FRR
flightreadinessreview
FTA
faulttreeanalysis
GSE
groundsupportequipment
IEC
InternationalElectrotechnicalCommission
LRR
launchreadinessreview
MIP
mandatoryinspectionpoint
NRB
nonconformancereviewboard
NUREGCR
USNuclearRegulatoryCommissioncontractorreport
ORR
operationalreadinessreview
PDR
preliminarydesignreview
PRR
preliminaryrequirementsreview
QR
qualificationreview
SRR
systemrequirementsreview
SVTL
safetyverificationtrackinglog
TRB
testreviewboard
13
ECSSQST40C
6March2009
4
Safety principles
4.1
Objective
Theobjectiveofsafetyassuranceistoensurethatallsafetyrisksassociatedwith
the design, development, production and operations of space product are
adequately identified, assessed, minimized, controlled and finally accepted
throughtheimplementationofasafetyassuranceprogramme.
4.2
Policy
4.2.1
General
TheECSSsafetypolicyisto:
ensurethatspacesystemsdonotcauseahazardto,inorderofpriority:
humanlife,
theenvironment,
publicandprivateproperty(includinglaunchfacilities),
spacecraftandlauncher,
groundsupportequipmentandfacilities,
determineandevaluatethesafetyrisksassociatedwithprojectactivities,
minimizesafetyrisksinatechnicallyeffectiveandcosteffectivemanner,
ensureadequateverificationofsafetycontrolmeasures.
4.2.2
Implementation
TheECSSsafetypolicyisimplementedbyapplyingasafetyprogrammewhich
ensuresthat:
safetyisdesignedintothesystem,
safetycontrolsareadequatelyimplementedintheverificationplan,
safetyrequirementsincludinglaunchcentresafetyregulationsaremet,
hazards are identified, and eliminated or, where this is not possible,
minimized,rankedandcontrolledinaccordancewithprojectobjectives
in a manner acceptable to the customer and to the safety organisations
involvedintheimplementationofthemission.
14
ECSSQST40C
6March2009
4.3
Safety programme
Thesafetyprogrammecomprisesthe:
identification and control of all safety related risks with respect to the
design,developmentandoperationsofspaceproducts,
assessmentoftherisksbasedonqualitativeandquantitativeanalysisas
appropriate,
applicationofahazardreductionprecedenceandofcontrolmeasuresof
theresidualrisks.
15
ECSSQST40C
6March2009
5
Safety programme
5.1
Scope
a.
b.
5.2
b.
5.3
The supplier shall cover, in his safety programme plan, the safety tasks
fortheprojectphasesinconformancewith5.7.1.
Conformance
a.
16
ECSSQST40C
6March2009
b.
Thelaunchsitesafetyregulationsandrulesshallbeapplied.
c.
Theimplementationofsafetyrequirementsshallnotbecompromisedby
otherrequirements.
NOTE
5.4
Forexample:securityrequirements.
Safety organization
5.4.1
Safety manager
a.
b.
establishandmaintainasafetyprogrammeinaccordancewiththe
projectsafetyrequirements,
2.
3.
coordinatetheinterfaces:
(a)
(b)
withthesafetylauncherauthority.
NOTE
5.4.2
5.4.2.1
Access
a.
Thesafetymanagershall:
1.
2.
5.4.2.2
a.
Authority
Thesafetymanagerorsafetyrelevantauthorityshallhavetheauthority
to:
1.
17
ECSSQST40C
6March2009
2.
5.4.3
Safety audits
a.
Thesuppliershallperformsafetyauditsorreviewstoverifycompliance
toprojectsafetypolicyandrequirements.
b.
ThesafetyauditsshallbeinaccordancewithECSSMST10andECSSQ
ST10.
NOTE
c.
Thecustomershallbeinformedoftheauditschedule.
5.4.4
a.
Approval of documentation
Documentationrelatedtosafetyshallbeapprovedbythesafetymanager
upon his verification of completeness, compliance with stated safety
requirements and formal closeout of open safety verification items (as
definedandagreedduringsafetyauditsandreviews).
5.4.5
a.
Thesafetymanager(oradesignatedrepresentative)shallhaveconcluded
the review of, and approved, any hazardous operation before it is
executed.
5.4.6
Representation on boards
a.
b.
Thesafetyfunctionshallbefurtherrepresentedatallboardsdealingwith
healthmatterswhereexposureorendurancelimitsaredefinedforflight
andgroundcrews.
5.4.7
a.
Thesafetyapprovalauthorityshall:
1.
reviewanddisposesthesafetydatasubmittals,
2.
approvethecloseoutofhazards,
3.
decideondeviationsandwaivers,andfinally
4.
acceptthestatementofsafetycompliance.
18
ECSSQST40C
6March2009
5.5
The safety risk identification, reduction and control shall be part of the
projectsriskmanagementprocessasspecifiedinECSSMST80.
b.
Safetyriskidentification,reductionandcontrolshallbeacontinuousand
iterativeprocessthroughouttheprojectlifecycle,encompassing
c.
5.6
allocationofsafetyrequirements;
2.
hazardandsafetyriskidentification;
3.
evaluation(includingcategorisation)ofconsequenceseverity;
4.
hazardandsafetyriskreductionandcontrol;
5.
closeoutandacceptanceofresidualrisk.
5.7
1.
Thesafetycriticalitemsshallbepartoftheprojectsoverallcriticalitems
controlprogrammeasspecifiedinECSSQST1004.
5.7.1.1
a.
Safetyanalysisshallsupporttheidentificationofsourcesofsafetyriskas
well as the performance of preliminary tradeoff analyses between
alternativesystemconcepts.
b.
Thefollowingsafetyprogrammetasksshallapplyforhumanspaceflight
programmesandsafetycriticalsystems:
1.
2.
3.
Performcomparativesafetyriskassessmentoftheconceptoptions;
4.
Identifytherelevantprojectsafetyrequirements;
5.
Plansafetyactivitiesforthefeasibilityphase;
6.
Supportthemissiondefinitionreview.
NOTE
Thesetasksshouldalsoserveasaguidelinefor
otherspaceprogrammes.
19
ECSSQST40C
6March2009
5.7.1.2
Feasibility - Phase A
a.
Safetyanalysisshallsupporttradeoffanalysesinarrivingattheconcept
that has acceptable safety risk considering the project and mission
constraints.
b.
c.
Thefollowingsafetyprogrammetasksshallapplyforhumanspaceflight
programmesandsafetycriticalsystems:
1.
Commencehazardanalysesofthedesignandoperationsconcepts
in order to identify applicable system level hazards, hazardous
conditions,andpotentialhazardouseventsandconsequences;
2.
Supportconcepttradesbyidentifyingsafetycriticalaspectsofthe
conceptoptions;
3.
4.
5.
Identifysystemlevelsafetycriticalfunctions;
6.
Identifysystemlevelprojectspecificsafetyrequirements;
7.
Plansafetyactivitiesfortheprojectdefinitionphase;
8.
Supportthepreliminaryrequirementsreview.
NOTE
5.7.1.3
Thesetasksshouldalsoserveasaguidelinefor
otherspaceprogrammes.
a.
The safety analysis shall support a continued and more detailed safety
optimization of the system design and operations and the identification
oftechnicalsafetyrequirementsandtheirapplicability.
b.
c.
Thefollowingsafetyprogrammetasksshallapplyforhumanspaceflight
programmesandsafetycriticalsystems:
1.
Updatehazardanalysisinsupportofdesignandmissionconcept
definition activities; identify additional project specific safety
requirements;
2.
3.
Identifyemergency,warning,andcautionsituations;
4.
20
ECSSQST40C
6March2009
5.
Identifyprojectsafetyrequirements;
6.
7.
8.
Planverificationofsafetyrequirementsimplementation;
9.
Preparethesafetyplanforthedetaileddefinition,productionand
qualificationphase.
NOTE
5.7.1.4
Thesetasksshouldalsoserveasaguidelinefor
otherspaceprogrammes.
a.
b.
Safetyanalysisshallalsosupportoperationalsafetyoptimization,safety
requirementsimplementationevaluation,riskreductionverification,and
hazardandriskacceptance.
c.
Analysisofoperationsshallalsosupporttheidentificationofemergency
and contingency response planning and training requirements, and the
developmentofprocedures.
d.
Thefollowingsafetyprogrammetasksshallapplyforhumanspaceflight
programmesandsafetycriticalsystems:
1.
Performdetailedsystemlevelhazardanalysis;
2.
Performsupportingsafetyanalysis;
3.
Updatetheprojecttechnicalsafetyrequirementstoincorporatethe
resultsofsafetyanalyses;
4.
Forexample:reviews,inspections,analysesand
tests.
5.
6.
Implementcontrolprogrammeforsafetycriticalitems;
7.
Performsafetyriskassessmentinsupportofdesignimprovement,
project resource apportionment, control programme for safety
criticalitemsandprojectreviews;
8.
Monitorverificationofsafetyrequirementsimplementation;
9.
Verifyanddocumenthazardcontrolimplementation;
10.
Check that all open verification items are recorded and agreed
proceduresareinplace;
11.
Supportthecriticaldesignreview,thequalificationreviewandthe
acceptancereview;
21
ECSSQST40C
6March2009
12.
Performprojectinternalsafetyreviewsandinternalaudits;
13.
Identify,monitorandcontrolprojectassembly,integration,testing
and handling operations which are potentially hazardous to
personnelorhardware;
14.
15.
Performaccidentincidentreportingandinvestigation;
16.
17.
Prepareaprojectsafetylessonslearnedreport;
18.
Prepareoperationalphasesafetyplan.
NOTE
5.7.1.5
Thesetasksshouldalsoserveasaguidelinefor
otherspaceprogrammes.
Utilization - Phase E
a.
Safetyanalysisshallevaluatedesignandoperationalchangesforimpact
tosafety,assuringthatsafetymarginsaremaintainedandthatoperations
areconductedwithinacceptedrisk.
b.
c.
Thefollowingsafetyprogrammetasksshallapplyforhumanspaceflight
programmesandsafetycriticalsystems:
1.
Issuetheoperationalphasesafetyplan;
2.
Reviewoperationalprocedures;
3.
Approvesafetycriticaloperationalprocedures;
4.
Identifyandmonitorhazardousoperations;
5.
Supporttheflightreadinessreview,operationalreadinessreview,
launchreadinessreviewandflightqualificationreviews;
6.
Supportgroundandflightoperations;
7.
Performsafetycriticalitemscontrol;
8.
9.
Updatehazardanalysesandimplementadditionalhazardcontrols
asnecessary;
10.
Investigatesafetyrelatedflightanomaliesandtrends;
11.
Updatesafetyriskassessmentasnecessarytosupportoperational
decisions;
12.
Preparedisposalphasesafetyplan.
NOTE
Thesetasksshouldalsoserveasaguidelinefor
otherspaceprogrammes.
22
ECSSQST40C
6March2009
5.7.1.6
Disposal - Phase F
a.
b.
c.
Thefollowingsafetyprogrammetasksshallapplyforhumanspaceflight
programmesandsafetycriticalsystems:
1.
Performhazardanalysiswithrespecttothedisposaloperations;
2.
Checkthatthedisposaloperationconformstointernationalsafety
regulationsbyperformingthenecessarysafetyanalysis;
3.
Reviewtheproceduresofthedisposaloperations;
4.
Supportthemissioncloseoutreview.
NOTE
5.7.2
Progress meetings
a.
Thesuppliershallholdregularsafetystatusandprogressmeetingswith
thecustomerandhislowertiersuppliersaspartoftheprojectprogress
meetingsasspecifiedinECSSMST10.
b.
Therelevantcustomerandsupplierspecialistsshallattendthemeetings.
5.7.3
a.
Safety reviews
Thecustomershalldefine,conductandchairthesafetyreviewstoensure
satisfactory implementation of safety programme and technical safety
requirements.
NOTE
5.8
Thesetasksshouldalsoserveasaguidelinefor
otherspaceprogrammes.
Asupplierisconsideredasacustomer visvis
its lower tier suppliers (as defined in ECSSS
ST00).
b.
The supplier shall support safety reviews by the customer and the
relevant safety approval authority, as specified in the relevant review
plans.
c.
Eachsupplierparticipatinginasafetyreviewshallprepare,andsubmit
forreview,thesafetydatapackage.
d.
Safetyreviewsshallbeperformed,andthereviewobjectivesachieved,in
conformancewithclause5.7.1.
23
ECSSQST40C
6March2009
5.9
b.
Thesuppliershallincludeinhisstatementofcomplianceastatementthat
openverificationsarefollowedupinthesafetyverificationtrackinglog
(SVTL), as defined in clause 8.5.1, and do not affect further safe
processing.
c.
The project shall provide to the safety approval authority all safety
related information for their acceptance of the statement of safety
compliance.
Safety training
5.9.1
General
a.
b.
2.
basictechnicaltrainingintherequiredsafetytechniquesandskills
which is a prerequisite to fulfil the job function under
consideration;
NOTE
3.
5.9.2
productspecifictrainingthatfocusesonthehazardsrelatedtothe
specificsystemelement.
a.
The supplier shall identify the need for product specific safety training
and implement the corresponding safety training programme for all
relevantparties.
b.
The supplier shall inform the customer of any safety training identified
by him as necessary for the flight operations crew or mission control
personnel,togetherwithadefinitionofthetypeoftrainingrequiredand
itsscope.
c.
Thesuppliershallsupporttheimplementationofthecustomerstraining
programmefortheflightoperationscrewormissioncontrolpersonnel.
5.9.3
a.
All personnel accessing the area where the product is processed shall
participatepreviouslyinthegeneralsafetyawarenessbriefing.
24
ECSSQST40C
6March2009
5.9.4
a.
5.9.5
a.
Training records
The supplier shall report to the customer all accidents and incidents
occurredduringprojectactivitiesunderthecontrolofthesupplierorhis
lowertiersuppliersthataffectthesystemelement.
b.
c.
d.
Theaccidentorincidentinvestigationreportshallbeformallyclosedby
thesupplieruponapprovalbythecustomer.
e.
f.
General
a.
b.
Thecustomershallbegivenaccesstothisdataonrequestduringaudits,
safety reviews and meetings held at the suppliers premises in
accordancewithECSSMST40.
5.11.2
a.
25
ECSSQST40C
6March2009
safety review is part of an overall project
review.
b.
Thesafetydatapackageshallcontainatleastthefollowingsafetyrelated
documentation:
1.
Safetyanalysisreport(inaccordancewithAnnexD);
2.
Supportinganalysis(ifapplicable);
3.
Safetyriskassessment(ifapplicable);
4.
Hazardousgroundoperationslistandprocedures;
5.
Safetyverificationtrackinglog(SVTL,inaccordancewithAnnexC).
c.
Thecontentsofthesafetydatapackagesfortheplannedsafetyreviewsof
a project or programme shall be specified by the Safety Approval
Authoritytoassuretheysupporttheobjectivesofthesafetyreviewsfor
whichtheyaredelivered(inconformancewithclause5.7.2).
d.
e.
Thesuppliershallintegratesafetydatarelatedtothevarioussubsystems
orequipmentthatmakesupthesystemintothesafetydatapackagethat
ispresentedatthereview.
f.
All safety data shall be traceable from the safety data package and
availableforreview.
5.11.3
5.11.3.1
a.
Safetyrequirementsthatcannotbemetshallbeidentifiedasspecifiedin
ECSSMST40.
b.
5.11.3.2
a.
b.
5.11.3.3
a.
26
ECSSQST40C
6March2009
5.11.3.4
a.
Deviationsandwaiversthataffectprojectsafetyrequirementsorsafety
criticalfunctionswhichthesupplierconsidersacceptableshallbesubject
of review and disposition by the customer and the safety approval
authority.
5.11.4
a.
Safety lessons learned shall be collected during the project and used
duringtheproject,asfarastheyarerelevant.
NOTE
b.
5.11.5
a.
27
ECSSQST40C
6March2009
6
Safety engineering
6.1
Overview
Safety is an integral part of all project product assurance and engineering
activities. It is not a standalone activity. The quality of all safety engineering
related work is based on assurance that the system is designed, qualified,
manufactured, and operated in accordance with the ECSS product assurance
requirements.
Safety engineering consists of safetyanalysis, management of hazard and risk
reduction processes, hazard and risk potential assessment, design assurance,
andhazardandriskcontrolactivities.
Safetyengineeringmakesuseoflessonslearnedthroughouttheprogramme.
6.2
6.3
Safetyrequirementsshallbeidentifiedandtracedfromthesystemlevel
intothedesignandthenallocatedtothelowerlevels.
b.
Whenspecifiedbytheproject,theidentifiedsafetyrequirementsshallbe
justifiedinthedesignandpresentedinanappropriatedocument.
The order of priority with respect to safety, which is part of ECSS policy, is
presentedinclause4.
6.3.2
a.
Design selection
Appropriatedesignfeaturesshallbeselectedtoensureinherentsafety.
NOTE
28
ECSSQST40C
6March2009
6.3.3
6.3.3.1
General
a.
Hazardelimination
2.
Hazardminimization
3.
Hazardcontrol.
6.3.3.2
a.
6.3.3.3
a.
Hazard elimination
Hazard minimization
Wherehazardsandhazardousconditionsarenoteliminated,theseverity
of the associated hazardous events and consequences shall, consistent
with the project constraints and mission objectives, be reduced to an
accepted level through the change of the design architecture,
technologies,andoperationalcharacteristicsallowingthesubstitutionof
thosehazardsbyotherhazardswithlowerpotentialthreat.
6.3.3.4
Hazard control
6.3.3.4.1
General
a.
Hazards that have not been eliminated and have been subjected to
hazard minimization (as defined in 6.3.3.3a) shall be controlled through
preventative or mitigation measures, associated to hazard scenarios,
whichareintroducedintothesystemdesignandoperationtoavoidthe
eventsortointerrupttheirpropagationtoconsequences.
b.
Thefollowingmeasuresshallbeappliedinorderofprecedence:
1.
Designselection
2.
Automaticsafetydevices
3.
Warningdevices
4.
Specialprocedures.
6.3.3.4.2
a.
b.
Thedesignshalltolerateaminimumnumberofcrediblefailuresand/or
operatorerrorsdeterminedbythehazardconsequence.
c.
29
ECSSQST40C
6March2009
6.3.3.4.3
a.
6.3.3.4.4
a.
b.
c.
Useofsoftwareinautomaticsafetydevicesshouldbeavoided.
d.
6.3.3.4.5
Warning devices
a.
Whenitisnotpracticaltoprecludetheexistenceoroccurrenceofknown
hazardsortouseautomaticsafetydevices,devicesshallbeusedforthe
timelydetectionoftheconditionandthegenerationofawarningsignal.
b.
6.3.3.4.6
Special procedures
a.
Whenitisnotpossibletoreducethemagnitudeofahazardthroughthe
design, the use of safety devices or the use of warning devices, special
procedures shall be developed to control the hazardous conditions for
theenhancementofsafety.
b.
c.
d.
To permit the use of real time monitoring, hazard detection and safing
systems for hazard control, the availability of sufficient response time
shallbeverifiedandcorrespondingsafingproceduresbedevelopedand
verifiedandthepersonneltrained.
NOTE
Specialproceduresaretheleasteffectiveofthe
hazard control and risk reduction measures
available. They can include emergency and
contingency
procedures,
procedural
constraints, or the application of a controlled
maintenanceprogramme.
30
ECSSQST40C
6March2009
6.3.4
Environmental compatibility
a.
The system design shall meet the safety requirements under the worst
casenaturalandinducedenvironmentsdefinedfortheproject.
b.
6.3.5
External services
a.
Loss,malfunctioning,andsuddenrestorationofexternalservicesshallbe
definedasaninputtothedevelopmentphase.
b.
6.3.6
a.
b.
These capabilities shall provide the information to allow the crew and
system operators to take actions to protect personnel from the
consequencesoffailureswithinsafetycriticalfunctionsandthefailureof
hazardcontrolmeasures.
c.
Thesystemdesignshallprovidethecapabilityfordetectingfailuresthat
result in degradation of failure tolerance with respect to the hazard
detection,signallingandsafingfunction.
d.
e.
Theemergency,cautionandwarningfunctionshalldetectandnotifythe
crew and system operators of emergency, warning and caution
situations.
f.
Safing functions and capabilities shall be included that provide for the
containmentorcontrolofemergency,warningandcautionsituations.
g.
h.
Dedicatedsafingfunctionsshallbeprovidedforemergencysituations.
i.
Controlofwarningandcautionsituationsshallbeacceptablebysystem
reconfigurationorbydedicatedsafingfunctions.
j.
A single failure shall not cause loss of the emergency and warning
function.
k.
31
ECSSQST40C
6March2009
l.
A single failure shall not cause loss of the emergency and warning
functionstogetherwiththemonitoredfunctions.
m.
n.
Whensystemsorelementsareintegratedinto,ordockedwiththeother
systems or elements, the emergency, warning, caution, and safing
function shall enable the areas of control responsibility to monitor and
display the applicable parameters, and to control the related safing
functions.
o.
p.
It shall be possible for the crew to ascertain and monitor in real time
thestatusofemergency,warningandcautionparametersofnoncrewed
systemsorelementspriortodockingwithcrewedsystems.
6.3.7
a.
The design and the operational characteristics of the space system shall
besuchthatthegenerationofspacedebrisisminimizedconsistentwith
theprojectconstraintsandmissionobjectives.
6.3.8
a.
Atmospheric re-entry
Thespacevehicleshallbedesignedandoperated(postmissiondisposal
manoeuvres)suchthat,whereapplicable,theriskofacatastrophicevent
does not exceed the levelof acceptable risk specified by the project and
bythelaunchbasesafetyauthority.
NOTE
6.3.9
a.
b.
c.
d.
32
ECSSQST40C
6March2009
e.
6.3.10
a.
Amissionabortcapabilityshallbeprovided.
b.
Safingandsafeheavenfunctionsshallbeprovided.
NOTE
c.
Escapeandrescuefunctionsshallbeprovided.
d.
e.
Thecapabilitytomonitor,detectandassesshazardsandeffectsofslow
insidious events with hazardous consequences shall be detailed
accordingtoprojectconstraintsandmissionobjectives.
NOTE
f.
a.
Suchhazardsincludefatigue,corrosion,micro
organisms,aging,deterioration,contamination.
The space system shall provide an onboard medical facility and the
capability for handling a permanently impaired or deceased
crewmember.
6.3.11
6.4
Access
a.
b.
c.
33
ECSSQST40C
6March2009
NOTE1 Table 61 is used both in ECSSQST30 and
ECSSQST40.
NOTE2 This impact can be immediate and personal. It
also can be on a broader scale not limited to a
single
person
only.
The
hazardous
consequencescanbeshorttermorlongterm.
NOTE3 Inspaceflight,theenvironmentconcernedcan
be outer space, including the Moon and the
planets, geostationary orbit (GEO), low Earth
orbit(LEO)aswellastheEarthsatmosphere.
d.
The availability of the following shall not be used as rationale for the
reductionoftheseverity:
1.
designfeatureswhichreducetheprobabilityofahazardousevent
occurring,butwhichdonotaffectitsseverity;
2.
warningdevices,crewsafehaven,orcrewescapecapabilities.
e.
f.
These categories shall not violate the safety policy and principles as
definedinclause4.2.1fortheprotectionofhumanlifeortheprinciplesof
categorizationinaccordancewiththedefinitionofconsequenceseverity
categoriesinTable61.
g.
h.
Forexample:maximumallowableconcentrations,
maximum emission concentrations or radiation
doses.
34
ECSSQST40C
6March2009
Table61:Severityofconsequences
Dependability
Severity
Level
Safety
(refertoECSSQST30)
(ECSSQST40)
ExtractfromECSSQST30
Catastrophic
Failurespropagation
Lossoflife,lifethreateningor
permanentlydisablinginjuryor
occupationalillness;
Lossofsystem;
Lossofaninterfacingmannedflight
system;
Lossoflaunchsitefacilities;
Severedetrimentalenvironmentaleffects.
Critical
Lossofmission
Temporarilydisablingbutnotlife
threateninginjury,ortemporary
occupationalillness;
Majordamagetointerfacingflight
system;
Majordamagetogroundfacilities;
Majordamagetopublicorprivate
property;
Majordetrimentalenvironmentaleffects.
Major
Majormissiondegradation
Minoror
Negligible
Minormissiondegradationor
anyothereffect
NOTE: Whenseveralcategoriescanbeappliedtothesystemorsystemcomponent,thehighestseveritytakes
priority
6.4.2
6.4.2.1
Basic requirements
a.
b.
c.
d.
e.
35
ECSSQST40C
6March2009
6.4.2.2
a.
Redundancy separation
Thesystemdesignshall:
1.
2.
providefailuretoleranceandredundancystatusinformationtothe
flightandgroundcrews,includingimmediatecrewnotificationin
the case of failure detection, redundancy switchover, or loss of
operationalredundancy,
3.
b.
Thecapabilityshallbeprovidedtotheflightcrewandmissioncontrolto
overrideautomaticsafingandredundancyswitchover.
c.
6.4.2.3
a.
Failure propagation
6.4.3
6.4.3.1
General
a.
6.4.3.2
Safety factors
a.
Structuralsafetyfactorsshallbedefinedandappliedinaccordancewith
ECSSEST3210orhighersafetyfactorwhereapplicable.
b.
6.4.3.3
a.
Fracture control
36
ECSSQST40C
6March2009
b.
6.4.3.4
Materials
a.
MaterialsshallbeselectedandcontrolledinaccordancewithECSSQST70.
b.
c.
Ifrequirement6.4.3.4b.isnotfeasible,thesystemdesignshallincludethe
necessary provisions to control hazardous events associated with
material characteristics in accordance with the requirements of this
Standard.
NOTE
6.4.4
a.
Anexampleofprovisionstobeincludedbythe
system design is containment of hazardous
substances.
Whengiven,theprobabilisticsafetytargetsshallbeusedfor
1.
identifyingandrankingmajorriskcontributors,
2.
makingtheacceptableriskdecisionforeachidentifiedhazard,
3.
b.
37
ECSSQST40C
6March2009
6.5
Identification
Asafetycriticalfunctionthat,iflostordegraded,orthroughincorrector
inadvertent operation, can result in a catastrophic or critical hazardous
consequence,shallbeidentifiedasasafetycriticalfunction.
NOTE
b.
Identificationshallbedonewithouttakingintoaccounthazardscontrols
tobeoralreadyimplemented.
6.5.2
a.
Inadvertent operation
Inadvertentoperationofasafetycriticalfunctionshallbepreventedby
1.
twoindependentinhibits,ifitinducescriticalconsequences,or
2.
threeindependentinhibits,ifitinducescatastrophicconsequences.
6.5.3
Status information
a.
b.
notificationinrealtimeincaseoffailuredetection,
2.
announcementofanylossofoperationalredundancy,
3.
notificationofredundancyswitchover,or
4.
changesofinhibitstatus.
6.5.4
a.
The design shall either provide the capability for the safe shutdown of
safetycritical functions prior to inflight maintenance operations or
conform to the failure tolerance requirements during maintenance
operations.
6.5.5
a.
38
ECSSQST40C
6March2009
6.5.6
Software functions
6.5.6.1
Software criticality
a.
b.
6.5.6.2
a.
Duringtheprojectlifecycle,safetyanalysisshallbecarriedoutto:
1.
identifythecriticalityofsoftwarecomponentsinaccordancewith
theseverityoftheconsequencesasdefinedinTable61,
2.
3.
defineverificationmethodsforhazardcontrolsinvolvingsoftware,
4.
provideverificationevidenceofhazardcontrolimplementation.
6.5.6.3
a.
6.5.6.4
6.6
Software development
a.
b.
c.
Operational Safety
6.6.1
Basic requirements
a.
Safetyinvolvementintheoperationalphaseshallbeplanned.
b.
39
ECSSQST40C
6March2009
c.
d.
e.
f.
6.6.2
6.6.2.1
Launcher operations
a.
6.6.2.2
a.
6.6.2.3
a.
Contamination
Flight rules
Flight rules shall be prepared for each mission that outline preplanned
decisions in case of offnominal situations and consistent with safety
requirements.
6.6.2.4
a.
b.
c.
d.
.Hazardouscommandingcontrolshallensurethatcommands,whichcan
result in catastrophic or critical hazardous consequences, are not
performeduntiltheyareauthorizedandverified.
40
ECSSQST40C
6March2009
6.6.2.5
a.
Missionoperationchangecontrolshallensurethatallchanges,whichare
desired or become necessary during mission, are reviewed for safety
impact.
b.
Missionoperationchangecontrolshallensurethattheresponsiblesafety
approvalauthorityapprovesalloperationalchangerequestswithsafety
impact.
6.6.2.6
a.
Safetystatusparametersshallbeidentified.
b.
Safetystatusparametersshallbemonitored.
c.
Deviationfromspecifiedlimitsshallbemanaged.
6.6.2.7
a.
b.
c.
Residualpropellantscontainedinspentorabortedsuborbitalstagesshall
besafelydispersed.
6.6.3
Ground operations
6.6.3.1
Applicability
a.
development,qualificationoracceptancetesting;
2.
assembly,integrationortestoperations;
3.
launchsiteoperations;
4.
servicingorturnaroundoperations;and
5.
transportationorhandlingoperations,
6.6.3.2
a.
Initiation
41
ECSSQST40C
6March2009
6.6.3.3
a.
6.6.3.4
Hazardous operations
a.
b.
Wherenecessary,contingencyandemergencyplansorproceduresshall
beestablishedandverifiedpriortothecommencementoftheoperation.
c.
Thesafetymanagerorsafetyrelevantauthorityshallhavetheauthority
tostopanyoperationthatdoesnotconformtosafetyrequirements.
6.6.3.5
a.
Launch,landing,turnaroundandmissionoperationsshallbesubjectto
hazardanalysis.
b.
Forgroundoperations,theanalysisshalladdressthe:
1.
potentialhazardousconsequencesofhumanerrorandprocedural
deficiencies;
2.
adequacyandmaintenanceofoperationalmargins;
3.
potentialforhumanexposuretohazardsandhazardouseffects;
4.
requirementsforoperatorandflightcrewtraining;
5.
6.6.3.6
a.
b.
AllGSEshallconformtotheEssentialHealth&SafetyRequirementsof
allapplicableEUNewApproachdirectives.
c.
Conformanceto6.6.3.6b.shallbeshownbytheadditionoftheCEmark
totheproductandtheissuingofaDeclarationofConformity.
d.
FurtherguidanceisgiveninAnnexG.
42
ECSSQST40C
6March2009
7
Safety analysis requirements and
techniques
7.1
Overview
Safetyrisksaretheresultofthehazardouscharacteristicsassociatedwiththe:
7.2
operatingmodes;
potentialforoperatorerror;
operatingenvironment;
General
a.
Safetyanalysisshallbeperformedinasystematicmannerasabasisfor
allapplicablephasesandtoensurethathazardsareidentified,eliminated
orminimizedandcontrolledandsafetyrisksareassessedandreduced.
b.
Safetyanalysesshallbeinitiatedearlyinthedesignprocessandprovide
concurrent support to project engineering in the selection of the least
hazardous design and operational options that are compatible with the
project mission and programme constraints and conform to the
requirements.
c.
d.
Analysisshallalwaysbemadewithreferencetoadefinedconfiguration
baselineasdefinedbyECSSMST40.
43
ECSSQST40C
6March2009
7.3
The supplier shall respond to and comply with the applicable safety
requirementsfortheproject.
7.3.2
a.
7.4
Justification
7.3.6
a.
The supplier shall define the safety requirements associated with the
varioussubsystemsandlowerlevels.
7.3.5
a.
The supplier shall define the safety requirements for the various
functionsofthesystem.
7.3.4
a.
7.3.3
a.
Safety requirements
The supplier shall ensure that the function and subsystem safety
requirements are included in the relevant functional and subsystem
specification.
Safetyanalysisshallberefinedandupdatedinaniterativemannerasthe
design process proceeds, to ensure that hazards and hazardous events
are assessed, and that the relevant detailed design and operational
requirements,hazardcontrols,andverificationactivitiesaredefinedand
implemented.
NOTE
Referto5.7fordetailedsafetyprogrammetasks
inthedifferentprojectphases
44
ECSSQST40C
6March2009
7.5
Safety analyses
7.5.1
a.
General
7.5.2
Hazard analysis
a.
Hazardanalysisshallbeperformedinasystematicmanner,beginningin
the concept phase and continuing through the operational phase,
includingendoflifeanddisposal.
b.
Hazardanalysisshallsupportthehazardreductionprocess.
c.
Hazardanalysisshallidentifyandevaluate:
d.
e.
1.
2.
3.
thehazardouseventsresultingfromthefailureofsystemfunctions
andfunctionalcomponents;
4.
timecriticalsituations.
Thefollowingpotentialinitiatoreventsshallbeconsidered:
1.
hardwarefailure(randomortimedependent);
2.
latentsoftwareerror;
3.
operatorerror;
4.
designinadequacies,including:
(a)
inadequatemargins;
(b)
unintendedoperatingmodescausedbysneakcircuits;
(c)
materialinadequaciesandincompatibilities;
(d)
hardwaresoftwareinteractions;
5.
naturalandinducedenvironmentaleffects;
6.
proceduraldeficiencies.
45
ECSSQST40C
6March2009
f.
7.5.3
a.
Safetyriskassessmentshall
1.
2.
3.
beusedtofacilitateeffectiveandefficientsafetyriskreductionand
control,
4.
supportprojectriskmanagementasdefinedinECSSMST80,
5.
assesscompliancewithprobabilisticsafetytargets.
NOTE1 Theestimationofeventlikelihoodsisbasedon
theuseofdifferentsourcesofdatai.e.:
previous experience on the particular
system (i.e. measured or observed directly
relevanttestorexperiencedata),
data from other systems or projects (i.e.
extrapolation from generic data, similarity
data,orphysicalmodels),and
expert judgment (i.e. direct estimation of
likelihoodsbydomainspecialists).
NOTE2
b.
Safety risk assessment shall be started early in the design process and
performed in progressive steps during the implementation of the safety
programme.
7.5.4
7.5.4.1
General
a.
Followingsupportingassessmentandanalysismethodsshallbeusedas
necessary(tailoredbyproject)tosupporthazardsanalysisandsafetyrisk
assessment.
NOTE1 Example of tailoring by project is when the
supporting assessment and analysis methods
arenotapplicableine.g.unmannedmissions.
NOTE2 Assessments and analyses from ECSSQST30
canbeusedtosupportsafetyassessment.
b.
Supportinganalysesshallbeagreedwithallrelevantparties.
46
ECSSQST40C
6March2009
7.5.4.2
a.
Warningtimeanalysisshallbeperformedduringtheconceptdefinition
phaseandthedesignanddevelopmentphaseinordertoevaluatetime
critical situations identified in the hazard analysis and to support the
implementationofhazardoussituationdetectionandwarningdevicesor
contingencyprocedures.
b.
Theanalysisshalldeterminethe
c.
1.
timeintervalduringwhichtheeventisdetectedandtheresponse
actiontaken;
2.
3.
resultanttimeavailableforresponse;
4.
Thedetectiontimesshallbedeterminedfromthe
1.
2.
occurrenceoftheinitiatingeventtothetimeofearliestdetectionor
annunciation;and
3.
timetakenforcorrectiveactiontobeimplemented.
7.5.4.3
a.
b.
emergency,warning,andcautionparameters;
2.
therequiredsafingfunctionsandcapabilities;
3.
limitsensingrequirements;
4.
theapplicabilityoftheindividualcautionandwarningfunctions
tothedifferentmissionphases.
Thecautionandwarninganalysisshallutilizetheresultsofthewarning
timeandhazardsanalysesasappropriate.
7.5.4.4
7.5.4.4.1
Multiple failures
a.
47
ECSSQST40C
6March2009
7.5.4.4.2
a.
The supplier shall identify the requirement for and the scope of
dedicated commoncause and commonmode analyses by means of the
reviewoftheresultsoftheothersafetyanalyses,suchasFTAandhazard
analysis,andofthecharacteristicofthesystemandofitsenvironment.
7.5.4.4.3
a.
b.
7.5.4.4.4
a.
Commonmodefailuresshallbeanalysedbymeansoftheuseofcheck
lists(tobeestablishedbythesupplier)thatlistpotentialcommonmodes
for system components during the manufacturing, integration, test,
operationandmaintenancephases.
b.
7.5.4.4.5
a.
Integration of results
Resultsofcommoncauseandcommonmodeanalysisshallbeintegrated
with the results of the system level safety analyses (fault tree analysis,
hazardanalysis).
7.5.4.5
a.
The fault tree analysis shall be used to establish the systematic link
betweenthesystemlevelhazardandthecontributinghazardousevents
andsubsystem,equipmentorpiecepartfailure.
b.
7.5.4.6
a.
RefertoECSSQST4012Faulttreeanalysis
Adoption notice ECSS/IEC 61025 for further
instructionsonfaulttreeanalyses.
48
ECSSQST40C
6March2009
b.
Thehumanerroranalysisshallbeusedtosupportthesafetyanalysisfor
theidentificationofhumanoperatorerrormodesandtheireffectsandfor
thedefinitionofadequatecountermeasurestopreventorcontrolhuman
operatorerrors.
c.
Thehumanerroranalysisshallbedevelopedfromtheearlyphasesofthe
project onwards in order to define recommendations for the hardware
and software design, procedure development and training preparation
programme.
7.5.4.7
a.
7.5.4.8
Refer to ECSSQST3002
instructionsonFMEA/FMECA.
for
further
Zonal analysis
a.
b.
basicinstallationrulesandspacepractices;
2.
interactionbetweensubsystems;
3.
implicationofoperatorerrors;
4.
effectsofexternalevents.
NOTE
49
ECSSQST40C
6March2009
8
Safety verification
8.1
8.2
General
a.
A system shall be in place that tracks all hazards and related risks, to
relate all verifications of the corresponding hazard uniquely to
unambiguouscausesandcontrols.
b.
Forcommontechniquesforverificationofdesignfeaturesusedtocontrol
hazards,therequirementsofECSSEST10shallapply.
c.
a.
The supplier shall establish a hazard reporting system for tracking the
statusofallidentifiedhazards.
b.
Thesystemshallbeappliedforallhazardswithpotentiallycatastrophic
orcriticalconsequences.
c.
Thesuppliershallreport,andprovideevidence,that
d.
1.
controlsaredefinedandagreed;
2.
verificationmethodsaredefinedandagreed;
3.
verificationiscompleted.
8.2.2
a.
Statusofhazardcontrolandriskreductionactivitiesshallbereviewedat
safetyprogressmeetingsandprojectsafetyreviewsforcompliancewith
decisionstakenandachievementofintendedresults.
8.2.3
a.
Documentation
Allhazarddocumentationshallbeformallyissuedforeachsafetyreview
andmajorprojectreview,asspecifiedinclause5.11).
50
ECSSQST40C
6March2009
8.3
b.
Verificationengineeringshallselecttheverificationmethodsconsistent:
1.
2.
withthelaunchbasesafetyrules.
8.3.2
a.
Safetyverificationmethodsshallincludealternativelyorincombination
reviewofdesign,analysis,inspectionandtest.
b.
Forallsafetyverificationstraceabilityshallbeprovided.
8.3.3
Analysis
a.
b.
8.3.4
Inspections
8.3.4.1
General
a.
8.3.4.2
a.
Preflight inspections
AllpreflightsafetyinspectionsshallbeassessedforinclusionintheMIP
list.
NOTE
b.
c.
Thecloseoutshallbegivenbytheapprovedlaunchauthorityprocedure.
51
ECSSQST40C
6March2009
d.
Lateaccessproceduresshallbethesubjectoftrainingandbeperformed
byqualifiedpersonnel.
e.
Trainingforflightcrewandmissionoperationteamsshallbeperformed,
includingspecificsafetybriefing,trainingandmissionsimulation.
f.
8.3.4.3
a.
Inflightinspectionsshallbeenteredintoflightproceduresandoperation
manuals.
8.3.5
8.4
Inflight inspections
a.
The supplier shall select, and propose to the safety approval authority,
the safety verification methods to be used in conformance to the
applicablesafetyrequirements.
b.
Validation
a.
b.
8.4.2
Qualification
a.
b.
c.
52
ECSSQST40C
6March2009
8.4.3
a.
Inducedfailuretestsshallbeperformedwhenrequiredbysafetyanalysis
for evaluating failure effects, and for demonstrating failure tolerance
conformanceinsafetycriticalfunctions.
8.4.4
a.
8.4.5
8.5
Failure tests
a.
b.
Fortheverificationofhazardcontrolsincatastrophichazardswherenon
flight equipment replaces part of the flight equipment to test a flight
function the verification shall be performed independently by a third
partywhichwasnotinvolvedinthedesignandqualificationoftheflight
model(FM).
Hazard close-out
8.5.1
a.
b.
Intimeforacceptancebythecustomer,andinpreparationoftransferto
thenextstageofsystemintegration,thesafetymanagershallverifythat:
c.
1.
hazardcloseoutsperformedsofarbytheresponsibleengineerare
stillvalid;
2.
3.
allopenverificationsatthistimeareacceptablefortransfertothe
nextstageofsystemintegration;
4.
allopenverificationsareenteredintotheverificationtrackinglog
(SVTL);
5.
53
ECSSQST40C
6March2009
8.5.2
a.
8.6
Thesafetymanagershallassurethateachhazardconsideredforclosure
hastheapprovalbythesafetyapprovalauthority,verifyingthat
1.
2.
All ground equipment that falls into the scope of an applicable New
ApproachdirectiveshallbeCEmarkedandsuppliedwithasupporting
Declaration of Conformity and User Manual detailing all safety
warnings.
NOTE
Additional information
InformativeAnnexG.
is
provided
in
54
ECSSQST40C
6March2009
Annex A (informative)
Analyses applicability matrix
ScopeoftheTableA1istopresentrelationofdocumentsassociatedtosafety
activitiestosupportprojectreviewobjectivesasspecifiedinECSSMST10.
NOTE
Thistableconstitutesafirstindicationforthedata
package content at various reviews. The full
contentofsuchdatapackageisestablishedaspart
of the business agreement, which also defines the
deliveryofthedocumentbetweenreviews.
Thetableliststhedocumentsnecessaryfortheprojectreviews(identifiedbyX).
The various crosses in a row indicate the increased levels of maturity
progressivelyexpectedversusreviews.Thelastcrossinarowindicatesthatat
thatreviewthedocumentisexpectedtobecompletedandfinalized.
NOTE
DocumentslistedinTableA1areeitherECSSQST40DRDs,orDRDstoother
ECSSQ40XXstandards.
55
ECSSQST40C
6March2009
TableA1:SafetyDRL
Phase
DocumentorDRDtitle
A
PRR
Safetyprogrammeplan
QR
AR
ORR FRR
LRR CRR
ELR MCR
Documentor
DRDreference
ECSSQST40AnnexB
Safetyverificationtrackinglog
ECSSQST40AnnexC
Safetyanalysisreport
(includinghazardreports)
ECSSQST40AnnexD
Faulttreeanalysis
ECSSQST4012
56
ECSS-Q-ST-40C
6 March 2009
Annex B (normative)
Safety programme plan - DRD
B.1
DRD identification
B.1.1 Requirement identification and source document
ThisDRDiscalledfromECSSQST40,requirement5.2a.
B.2
thesafetyprogrammetaskstobeimplemented;
thepersonnelorsupplierresponsiblefortheexecutionofthetasks;
thescheduleofsafetyprogrammetasksrelatedtoprojectmilestones;
Expected response
B.2.1 Contents
<1>
a.
Description
The safety programme plan shall include a description of the project
safety organization, responsibilities, and its working relationship and
interfaceswithproductassurancedisciplines(reliability,maintainability,
software product assurance, parts, materials and processes and quality
assurance according to ECSSQST10, 20, 30, 60, 70 and 80), with
configuration management according to ECSSMST40, system
engineering according to ECSSEST10, design and other project
functionsanddepartmentsoforganizations.
ECSSQST40C
6March2009
b.
<2>
a.
<3>
a.
<4>
a.
ThesafetyprogrammeplanshalldescribehowtheprovisionsofECSSQ
ST40areimplemented:
1.
Safetyprogrammeandorganization;
2.
Safetyengineering;
3.
Safetyanalysisrequirementsandtechniques;
4.
Safetyverification;
5.
Operationalsafety.
Safetyandprojectengineeringactivities
The plan shall show how the project safety organization implements
concurrent safety and project engineering activities in continuous
supportoftheprojectdesignanddevelopmentprocess.
Supplierandlowertiersupplierpremises
Theplanshalldescribehowsafetyrelatedactivitiesandrequirementsare
defined for and controlled at suppliers and lower tier suppliers
premises.
Conformance
The plan shall make provisions for assuring conformance to safety
requirements and regulations that are applicable to any other facilities
andservicethatareutilizedduringthecourseoftheproject.
58
ECSSQST40C
6March2009
Annex C (normative)
Safety verification tracking log (SVTL) DRD
C.1
DRD identification
C.1.1 Requirement identification and source document
ThisDRDiscalledfromECSSQST40,requirement8.5.1a.
inputs from the different safety verification tasks i.e. hardware and
softwarechanges,tests,reviewofdesignactivities,analyses,inspections
and development of procedures which are performed as agreed per
hazardreportsoftheFlightSDP(FSDP)andtheGroundSDP(GSDP)
oracombinationthereof,
otherinformationlikeconstraintsandschedule.
NOTE
C.2
Anexampleofaformatthatcanbeusedforthe
SVTLispresentedinFigureC1.
Expected response
C.2.1 Contents
<1>
a.
Generalinformation
TheSVTLshallidentifythefollowinggeneralinformation:
1.
nameoftheprojectforwhichithasbeenestablished;
59
ECSSQST40C
6March2009
<2>
2.
projectdocumentationidentificationnumber;
3.
applicabilityforflightorgroundsafetyverifications;
4.
5.
nameoftheequipment,payloadorexperimentforwhichtheSVTL
hasbeenestablished;
6.
7.
datesofissueandupdate.
Lognumber
a.
Foreachverificationitemtobetrackedauniqueidentifiershallbeused.
b.
TheSVTLshallusethedesignationsassignedbythesafetymanager.
<3>
a.
<4>
a.
<5>
Hazardreportnumber
Theidentificationnumberofthehazardreportcontainingtheverification
itemshallbeindicated.
Safetyverificationnumber
The verification method or the verification means shall be transferred
fromthehazardreportincludingtheproceduresbynumberandtitle.
Groundoperationsconstrained
a.
Theinputofyesornoshallindicatewhetherthissafetyverification
constrainsanygroundoperations.
b.
c.
<6>
a.
<7>
a.
Independentverificationrequired,yesorno
Theinputofyesornoshallindicatewhethertheverificationhastobe
performedindependently(inaccordancewith8.4.5b).
Scheduledcompletiondate
Theplanneddateforthecompletionoftheverificationshallbeindicated.
60
ECSSQST40C
6March2009
<8>
Methodofclosure/comments
a.
The SVTL log shall indicate the title and serial number of the tests,
reviewofdesigns,inspectionsandanalysesbywhichthisverificationis
formallyclosed.
b.
Anyappropriateinformationorremarksmaybeadded.
61
ECSSQST40C
6March2009
Safetyverificationtrackinglog
Flight
Ground
Project ID:
Issue date
updated
Log
no.
Hazard
report
number
Safety
verification
number
Safety verification
method
(Identify procedures
by number and title)
Ground
Independent
operations
verification
constrained required
Scheduled
completion
date
Completion
date
Method of closure/comments
(Provide reference ID)
FigureC1:Safetyverificationtrackinglog(SVTL)
62
ECSSQST40C
6March2009
Annex D (normative)
Safety analysis report including hazard
reports - DRD
D.1
DRD identification
D.1.1 Requirement identification and source document
ThisDRDiscalledfromECSSQST40,requirement7.5.1a.
D.2
Expected response
D.2.1 Contents
<1>
Safetyanalysisreportpreliminaryelements
a.
TitleThetitleofthesafetyanalysisreportshallidentifytheapplicable
project.
b.
TitlepageAtitlepageshallbeprovided.
c.
ContentsAcontentslistshallbeprovided.
d.
ForewordAforewordshallbeprovided.
e.
IntroductionAnintroductionshallbeprovided.
<2>
a.
Safetyanalysisreportcontent
The safety analysis report shall identify the following general
information:
1.
2.
theprojectphase;
3.
63
ECSSQST40C
6March2009
b.
c.
4.
informationregardingtheapprovalofthedocument;
5.
astatementofeffectivityidentifyingwhichotherdocumentshave
beencancelledandreplacedinwholeorinpart.
The safety analysis report shall contain the following analysis specific
information:
1.
objectiveofsafetyanalysis;
2.
applicablerequirementsrelevanttothesafetyanalysis;
3.
4.
descriptionofsafetyanalysisprocessandmethods;
5.
6.
listofsafetycriticalfunctions;
7.
safetycriticalitemlist;
8.
safetyinputtoriskmanagement;
9.
supportanalysesused(e.g.FTA,FMEA/FMECA);
10.
overallconclusionsfromsafetyassessment.
Eachhazardreportshallcontainasaminimumthefollowingdata:
1.
title;
2.
3.
4.
consequenceseveritycategory;
5.
propagationtimefromcausetoconsequence;
6.
7.
applicablesafetyrequirements;
8.
9.
verificationmeasures;
10.
safetyrisktrendafterhazardreduction(optional);
11.
12.
approval;
13.
acceptanceofsafetyrisk(optional).
NOTE
64
ECSSQST40C
6March2009
Annex E (informative)
Criteria for probabilistic safety targets
E.1
E.2
b.
Whengiven,theseprobabilistictargetsshouldbeusedfor:
1.
identifyingandrankingmajorriskcontributors,
2.
makingtheacceptableriskdecisionforeachidentifiedhazard,
3.
Probabilisticsafetytargetsshouldconformtotherequirementsgivenby
launchsafetyauthoritiesandnationalandinternationalregulations.
b.
With respect to safety targets for the ground and flight personnel, the
individual risk should not exceed that accepted for other professionally
andcomparablyexposedpersonnel.
NOTE
c.
Withrespecttosafetytargetsforthecivilpopulation,thetotalriskforthe
exposed ground population should not exceed that caused by other
hazardoushumanactivities.
NOTE
d.
65
ECSSQST40C
6March2009
Annex F (informative)
Applicability guidelines
ThismatrixdeterminestheapplicabilityofECSSQST40tothedifferentspace
systems,i.e.:
Satellite:Unmannedpayloadonanexpendablelaunchvehicle,
Launchvehicle:Vehicledesignedtocarrypayloadsintospace.
Tailoringoftherequirementsidentifiedasapplicable(orpartiallyapplicable)is
necessaryfortakingintoaccountthespecificrequirementsfor,orthepeculiar
characteristicsof,thesystem.
Unmannedspace
system
Clause
5
5.1
5.2
5.3
5.4
5.4.1
5.4.2
5.4.2.1
5.4.2.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
Headline
Safetyprogramme
Scope
Safetyprogrammeplan
Conformance
Safetyorganization
Safetymanager
Safetymanageraccessand
authority
Access
Authority
Safetyaudits
Approvalofdocumentation
Approvalofhazardous
operations
Representationonboards
Safetyapprovalauthority
Launchvehicle
Manned
forun
for
space
system manned manned
space
space
craft
craft
Satellite
Safety
critical
systems
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Remarks
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
P/A1
Y
Y
1)accordingtosafety
launcherauthority
66
ECSSQST40C
6March2009
Unmannedspace
system
Clause
5.5
Headline
Safetyriskassessmentand
control
Satellite
Safety
critical
systems
P/A3
Y2
Launchvehicle
Manned
forun
for
space
manned
manned
system
space
space
craft
craft
Y2
P/A2
Y2
Remarks
2)Useofprobabilistic
safetyriskassessment
subjecttospecific
projectrequirements
)Useofprobabilistic
safetyriskassessment
ifrequiredbyinter
nationalrules(e.g.,
nuclearmaterial
onboard)
5.6
5.7
P/A4
P/A4
P/A4
4)Asappropriatefor
theproject
P/A4
P/A4
P/A4
4)Asappropriatefor
theproject
P/A4
P/A4
P/A4
P/A4
P/A4
P/A4
P/A4
P/A4
P/A4
4)Asappropriatefor
theproject
5.7.1.5
Preliminarydefinition
PhaseB
Detaileddefinition,
productionandqualification
testingPhaseC/D
UtilizationPhaseE
)Asappropriatefor
theproject
4)Asappropriatefor
theproject
P/A4
P/A4
P/A4
5.7.1.6
DisposalPhaseF
P/A4
P/A4
P/A4
5.7.2
5.7.3
Progressmeeting
Safetyreviews
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
)Asappropriatefor
theproject
4)Asappropriatefor
theproject
5.8
Safetycompliance
demonstration
Safetytraining
General
Productspecifictraining
Generalawarenessbriefing
Basictechnicaltraining
Trainingrecords
Accidentincidentreporting
andinvestigation
Safetydocumentation
General
Safetydatapackage
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
P/A5
Y
Y
P/A6
5.7.1
5.7.1.1
5.7.1.2
5.7.1.3
5.7.1.4
5.9
5.9.1
5.9.2
5.9.3
5.9.4
5.9.5
5.10
5.11
5.11.1
5.11.2
5.11.3
5.11.3.1
Safetycriticalitems
Projectphasesandsafety
reviewcycle
Safetyprogramtasksand
reviews
Missionanalysis/Needs
identificationPhase0
FeasibilityPhaseA
Safetydeviationsand
waivers
Requestfordeviationor
waiver
Asappropriateforthe
project
5)Accordingtothe
launchbasesafety
rules,ifany
6)Followingthe
processdefinedbythe
Safetylaunchbase
rules,ifany,and
specificprotocol
67
ECSSQST40C
6March2009
Unmannedspace
system
Clause
Headline
Satellite
5.11.3.2
5.11.3.3
5.11.3.4
5.11.4
5.11.5
6
6.1
6.2
6.3
6.3.1
6.3.2
6.3.3
6.3.3.1
6.3.3.2
6.3.3.3
6.3.3.4
6.3.4
6.3.5
6.3.6
6.3.7
6.3.8
6.3.9
6.3.10
6.3.11
6.4
6.4.1
6.4.2
6.4.2.1
6.4.2.2
6.4.2.3
6.4.3
6.4.3.1
6.4.3.2
6.4.3.3
6.4.3.4
6.4.4
Assessmentofdeviationor
waiver
Acceptancebythesafety
approvalauthority
Reviewanddisposition
Safetylessonslearned
Documentationofsafety
criticalitems
Safetyengineering
Overview
Safetyrequirements
identificationandtraceability
Safetydesignobjectives
Safetypolicyandprinciples
Designselection
Hazardreductionprecedence
General
Hazardelimination
Hazardminimization
Hazardcontrol
Environmentalcompatibility
Externalservices
Hazarddetectionsignalling
andsafing
Spacedebrismitigation
Atmosphericreentry
SafetyofEarthreturn
missions
Safetyofhumanspaceflight
missions
Access
Safetyrisksreductionand
control
Severityofhazardousevent
Failuretolerance
requirements
Basicrequirements
Redundancyseparation
Failurepropagation
Designforminimumrisk
General
Safetyfactors
Fracturecontrol
Materials
Probabilisticsafetytargets
Safety
critical
systems
Launchvehicle
Manned
forun
for
space
manned
manned
system
space
space
craft
craft
Remarks
applicable.Only
waiversforlaunchers
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Nonnormative
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
N/A
Y
Y
Y
Y
Y
Y
Y
Y
P/A7
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
N/A
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
N/A
Y
Y
Y
Y
Y
Y
Y
Y
Y
N/A
N/A
N/A
Y
N/A
Y
Y
Y
Y
Y
N/A
Y
Y
Y
Y
Y
Y
Y
P/A
Y
Y
Y
Y
Y
Y
Y
P/A
Y
N/A
Y
Y
Y
Y
Y
P/A
Y
Y
Y
Y
Y
Y
Y
P/A
7)asappropriatefor
theproject
Applicabilityof
probabilisticsafety
targetstobedefined
bytheproject
68
ECSSQST40C
6March2009
Unmannedspace
system
Clause
6.5
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.6.1
6.5.6.2
6.5.6.3
6.5.6.4
6.6
6.6.1
6.6.2
6.6.2.1
6.6.2.2
6.6.2.3
6.6.2.4
6.6.2.5
6.6.2.6
6.6.2.7
6.6.3
6.6.3.1
6.6.3.2
6.6.3.3
6.6.3.4
6.6.3.5
6.6.3.6
7
7.1
7.2
7.3
7.3.1
7.3.2
Headline
Identificationandcontrolof
safetycriticalfunctions
Identification
Inadvertentoperation
Statusinformation
Safeshutdownandfailure
tolerancerequirements
Electronic,electrical,
electromechanical
components
Softwarefunctions
Softwarecriticality
Analysisofsafetycritical
software
Evaluationofsoftware
criticality
Softwaredevelopment
Operationalsafety
Basicrequirements
Flightoperationsandmission
control
Launcheroperations
Contamination
Flightrules
Hazardouscommanding
control
Missionoperationchange
control
Safetysurveillanceand
anomalycontrol
Hazardousdebris,fallout
andimpactcontrol
Groundoperations
Applicability
Initiation
Reviewandinspection
Hazardousoperations
Launchandlandingsite
Groundsupportequipment
Safetyanalysisrequirements
andtechniques
Overview
General
Assessmentandallocationof
requirements
Safetyrequirements
Additionalsafety
Launchvehicle
Manned
forun
for
space
manned
manned
system
space
space
craft
craft
Remarks
Satellite
Safety
critical
systems
Y
Y
P/A8
Y
Y
Y
Y
Y
Y
Y
Y
P/A8
Y
Y
Y
N/A
N/A
8)Onlybulletb4.is
applicableto
unmannedsystem
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
N/A
P/A
N/A
N/A
Y
N/A
P/A9
N/A
Y
N/A
Y
N/A
Y
Y
Y
Y
Y
N/A
P/A9
Y
Y
Y
Y
N/A
N/A
9)Applicableto
unmannedsystem
beforeliftoff
N/A
N/A
N/A
N/A
N/A
Y
Y
Y
Y
N/A
Y
Y
Y
Y
Y
N/A
Y
Y
Y
Y
Y
N/A
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Nonnormative
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
69
ECSSQST40C
6March2009
Unmannedspace
system
Clause
7.3.3
7.3.4
7.3.5
7.3.6
7.4
7.5
7.5.1
7.5.2
7.5.3
7.5.4
7.5.4.1
7.5.4.2
7.5.4.3
7.5.4.4
7.5.4.5
7.5.4.6
7.5.4.7
7.5.4.8
8
8.1
8.2
8.2.1
8.2.2
8.2.3
8.3
8.3.1
8.3.2
8.3.3
8.3.4.3
8.3.4.1
8.3.4.2
8.3.4.3
8.3.5
8.4
Headline
requirements
Definesafetyrequirements
functions
Definesafetyrequirements
subsystems
Justification
Functionalandsubsystem
specification
Safetyanalysesduringthe
projectlifecycle
Safetyanalyses
General
Hazardanalysis
Safetyriskassessment
Supportingassessmentand
analysis
General
Warningtimeanalysis
Cautionandwarning
analysis
Commoncauseand
commonmodeanalysis
Faulttreeanalysis
Humanerroranalysis
Failuremodes,effectsand
criticalityanalysis
Zonalanalysis
SafetyVerification
General
Hazardreportingandreview
Hazardreportingsystem
Safetystatusreview
Documentation
Safetyverificationmethods
Verificationengineeringand
planning
Methodsandreports
Analysis
Inspections
General
Preflightinspections
Inflightinspections
Verificationandapproval
Verificationofsafetycritical
functions
Launchvehicle
Manned
forun
for
space
manned
manned
system
space
space
craft
craft
Remarks
Satellite
Safety
critical
systems
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
P/A
Y10
P/A
Y6
10)Asappropriatefor
theproject
Y
Y
N/A
Y
Y
Y11
Y
Y
Y11
Y
Y
N/A
Y
Y
Y11
N/A
P/A
P/A
N/A
P/A
N/A
N/A
P/A
P/A
P/A
P/A
N/A
N/A
P/A
P/A
N/A
P/A
P/A
N/A
P/A
N/A
N/A
N/A
P/A
P/A
P/A
P/A
P/A
P/A
N/A
N/A
N/A
P/A
P/A
P/A
N/A
P/A
P/A
N/A
P/A
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
P/A12
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
P/A12
Y
Y
Y
Y
N/A
Y
N/A
Y
Y
Y
N/A
Y
N/A
Y
11)Useofprobabilistic
safetyriskassessment
subjecttospecific
projectrequirements
Asappropriateforthe
project
12)Onlybulletc.
applicableto
unmannedsystem
70
ECSSQST40C
6March2009
Unmannedspace
system
Clause
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5
8.5.1
8.5.2
8.6
Legend:
Headline
Validation
Qualification
Failuretests
Verificationofdesignor
operationalcharacteristics
Safetyverificationtesting
Hazardcloseout
Safetyassuranceverification
Hazardcloseoutverification
Declarationofconformityof
groundequipment
Launchvehicle
Manned
forun
for
space
manned
manned
system
space
space
craft
craft
Remarks
Satellite
Safety
critical
systems
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
YYES(=applicable)
Onlyground
equipment
P/APartiallyapplicable N/ANotapplicable
NOTE:GSEispartofthesystemconsideredhere
71
ECSSQST40C
6March2009
Annex G (informative)
European legislation and CE marking
G.1
Overview
CEMarkingisarequirementthatisapplicabletovirtuallyallproductswhich
are designed and intended for use on the Ground. This includes all Ground
productsandGroundSupportEquipment(GSE)andinparticularallEGSEand
mostMGSE.
It should be noted that the CE standards in themselves do not ensure that a
system is entirely safe and should be used in the context of additional safety
analysisaswellasshowingcompliancetotheminimumlegalrequirements.
G.2
CE mark
The CE is a mark by the producer/supplier to show he has satisfied all
applicableDirectivesforthesafetyofhisproductandisintendedtoallowthe
Free movement of Goods within the European Community. This requires
compliance with European directives generally through assessments to EN
standards.
Itisanoffenceto:
a.
putaCEmarkonaproduct,withoutthesupportingTechnicalFile;
b.
nottoCEmarkaproduct,ifthereisanapplicabledirective(s);
c.
G.3
72
ECSSQST40C
6March2009
TheDesignAuthorityisrequiredto:
G.4
a.
Identifyallapplicabledirectives;
b.
Demonstratetechnicalcompliance;
c.
HoldaTechnicalFilefor10years;
d.
IssueaDeclarationofConformity,aUserManualwithsafetywarnings
andputtheCEmarkontheproduct.
Declaration of conformity
The Declaration of Conformity is a Legal statement by the Design Authority
thattheEssentialHealth&SafetyRequirementsofallapplicabledirectivesfor
theproduct(s)havebeensatisfiedandisissuedonlywhendocumentsshowing
compliancy are in place and before dispatch of the product or putting into
service.
G.5
References
ThereferencesbelowareprovidedtoassistwithCEassessment.Thelistisnot
exhaustive and is provided as general guidance for the directives which
typicallyapplytothemajorityofspacerelatedgroundproducts.Inthemajority
of cases, CE compliance can be declared by the Self Declaration route, thus
avoidingtheneedtoinvolveanythirdpartyCertificationBodies.
a.
AllElectricalGroundSupportEquipment(EGSE)andelectricalsystems
or equipment used in Ground stations conform to the Low Voltage
directive(LVD),(2006/95/EC)andtheEMCdirective(2004/108/EC).This
is usually demonstrated by evaluation and testing to the most
appropriate EN standards, typically EN 61010 (LVD) and EN 61326
(EMC).
b.
c.
GSE having pressure circuits and all Pressure Ground Equipment and
Ground Support Equipment (PGSE) needs to be evaluated for
applicability against the Pressure Equipment directive (PED) (97/23/EC)
forGroundsystemsworkingatapressureinexcessof0,5bar.
d.
TerminalEquipmentneedstobeevaluatedforapplicabilityoftheRadio
& Telecommunications Terminal Equipment (R&TTE) directive
(1999/5/EC)forterminalequipment,oftenfoundinGroundStations.
e.
f.
73
ECSSQST40C
6March2009
g.
1.
2.
AllfutureLegislationandEuropeandirectivesshouldbeevaluatedand
appliedifapplicabletotheproduct.
74
ECSSQST40C
6March2009
Bibliography
ECSSSST00
ECSSsystemDescriptionandimplementation
andgeneralrequirements
ECSSQST3002
SpaceproductassuranceFailuremodes,effects,
andcriticalityanalysis(FMECA)
ECSSQST4002
SpaceproductassuranceHazardanalysis
ECSSQST4012
SpaceproductassuranceFaulttreeanalysis,
AdoptionnoticeECSS/IEC61025
IEC50:1992
Electricity,electronicsandtelecommunications
multilingualdictionary
ISO146201:2002
SpacesystemsSafetyrequirements
Part1:Systemsafety
75