ESSB-ST-Q-003-Issue1 September, 2012
System Safety Engineering Safety Technical Requirements for Human Rated Space Systems
ECSS Secretariat ESA-ESTEC
Requirements & Standards Division Noordwijk, The Netherlands
Foreword
This Standard has been prepared by the “Safety Technical Requirements for Human Rated Space
Systems” Working Group, reviewed by the ECSS Executive Secretariat and approved by the ECSS
Technical Authority.
Published by: ESA Requirements and Standards Division
ESTEC, P.O. Box 299,
2200 AG Noordwijk
The Netherlands
Copyright: 2012 © European Space Agency
Table of contents
1 Scope and Applicability ........................................................................................ 10
2 Terms, definitions and abbreviated terms .......................................................... 11
2.1 Terms specific to the present standard .................................................................... 11
2.2 Abbreviated terms .................................................................................................... 18
3 Responsibilities ..................................................................................................... 19
3.1 Space System Organization ..................................................................................... 19
3.2 Launcher Operator ................................................................................................... 19
3.3 Safety Review Panel & Launch Range Safety ......................................................... 19
4 Implementation and Certification ........................................................................ 20
4.1 Design Implementation Requirements ..................................................................... 20
4.2 Certification Process Requirements ......................................................................... 20
5 Mission Safety Risk ............................................................................................... 21
5.1 Orbital Flights ........................................................................................................... 21
5.1.1 Crew Safety Risk ........................................................................................ 21
5.1.2 Flight Rules ................................................................................................. 21
5.1.3 Survivability to Micrometeoroids and Debris Risk ...................................... 21
5.2 Sub-orbital Flights .................................................................................................... 21
5.2.1 Crew Safety Risk ........................................................................................ 21
5.3 Public Safety Risk .................................................................................................... 22
6 System Safety Requirements: General ............................................................... 23
6.1 Design to Tolerate Failures ...................................................................................... 23
6.1.1 Critical Hazards .......................................................................................... 23
6.1.2 Catastrophic Hazards ................................................................................. 23
6.2 Design for Minimum Risk ......................................................................................... 23
6.3 Equivalent Safety ..................................................................................................... 24
6.4 Environmental Compatibility ..................................................................................... 24
6.5 Human Compatibility ................................................................................................ 24
6.6 Flight Data Use Capability ........................................................................................ 24
6.7 Launcher Services .................................................................................................... 24
6.7.1 Safe Without Launcher Services ................................................................ 24
6.7.2 Critical Launcher Services .......................................................................... 25
7 Control of Safety Critical Functions .................................................................... 26
7.1 “Must Work” Functions ............................................................................................. 26
7.1.1 Functions Resulting in Critical Hazards ...................................................... 26
7.1.2 Functions Resulting in Catastrophic Hazards ............................................. 26
7.1.3 Crewed Manual Flight Control Functions ................................................... 26
7.1.4 Crewed Autonomous Operation ................................................................. 26
7.1.5 Control and Monitoring Capabilities ............................................................ 27
7.2 “Must Not Work” Functions ....................................................................................... 27
7.2.1 Functions Resulting in Critical Hazards ...................................................... 27
7.2.2 Functions Resulting in Catastrophic Hazards ............................................. 27
7.2.3 Monitors ...................................................................................................... 27
7.3 Failure Propagation .................................................................................................. 28
7.3.1 Isolate and Recover .................................................................................... 28
7.3.2 Inhibits and Barriers .................................................................................... 29
7.3.3 Independent Inhibits ................................................................................... 29
7.4 Redundancy Separation ........................................................................................... 29
8 Specific Catastrophic Hazard Functions: Explosive and Pyrotechnics .......... 30
8.1 General ..................................................................................................................... 30
8.2 Initiators .................................................................................................................... 30
8.3 Explosive / Pyrotechnic Operated Devices .............................................................. 30
8.3.1 Explosive / Pyrotechnic Power Supply ....................................................... 30
8.3.2 Debris Protection ........................................................................................ 30
8.3.1 Must Function Safety Critical Devices ........................................................ 31
8.3.2 Electrical Connection .................................................................................. 31
8.3.3 Traceability ................................................................................................. 31
8.3.4 Shielding & Grounding ................................................................................ 31
8.3.5 Use of Safe and Arm (S&A) Devices .......................................................... 32
9 Specific Catastrophic Hazard Functions: Propulsion systems ........................ 33
9.1 Premature / Inadvertent Firing .................................................................................. 33
9.2 Flow Control Valve ................................................................................................... 33
9.3 Bipropellant Separation ............................................................................................ 33
9.4 Hazardous Impingement and Venting ...................................................................... 33
9.5 Safe Distance Criteria .............................................................................................. 34
9.6 Isolation Valve .......................................................................................................... 34
9.6.1 Pyrotechnic Valves ..................................................................................... 34
9.7 Electrical Inhibits ...................................................................................................... 34
9.7.1 Monitoring Electrical Inhibits ....................................................................... 34
9.8 Adiabatic / Rapid Compression Detonation .............................................................. 35
9.9 Propellant Freezing .................................................................................................. 35
9.10 Propellant Overheating – Ignition Compatibility Limits ............................................. 35
9.11 Thruster Ignition Upstream of Combustion Chamber ............................................... 36
9.12 Propulsion System Leakage ..................................................................................... 36
9.13 Propulsion System Instrumentation .......................................................................... 36
9.14 Leak Detection ......................................................................................................... 36
9.15 Failed Closed Flow Path .......................................................................................... 37
9.16 Pressure Relief ......................................................................................................... 37
9.17 Hazardous Impingement and Venting ...................................................................... 37
9.18 Inadvertent Deployment, Separation and Jettison Functions ................................... 37
9.19 Planned Deployment / Extension Functions ............................................................. 37
9.19.1 Cannot Withstand Subsequent Loads ........................................................ 37
9.19.2 Fluid Released from Pressurized System Inside a Closed Volume ........... 38
10 Specific Catastrophic Hazard Functions: On-Orbit Rendezvous and docking .................................................................................................................. 39
10.1 Safe Trajectories ...................................................................................................... 39
10.2 Use of Dedicated Rendezvous Sensors ................................................................... 39
10.3 Collision Avoidance Maneuver ................................................................................. 39
11 Hazardous Commands ........................................................................................ 41
11.1 General ..................................................................................................................... 41
11.2 Command Fault Tolerance Approach ...................................................................... 41
11.2.1 Catastrophic Hazard ................................................................................... 41
11.2.2 Critical Hazard ............................................................................................ 41
11.3 Pre-requisite Checks ................................................................................................ 41
11.4 Rejection of Commands ........................................................................................... 42
11.4.1 Out of Sequence Commands ..................................................................... 42
11.5 Integrity Checks ........................................................................................................ 42
11.6 Independent Commanding Method .......................................................................... 42
11.7 Shutdown Independent Operator Action .................................................................. 42
11.8 Removal of Software Controlled Inhibits .................................................................. 42
11.9 Unique Command for Inhibit Removal ..................................................................... 42
11.10 Failure Recovery and Overrides ............................................................................... 42
12 Hazard Detection, Annunciation and Safing .................................................... 43
12.1 General ..................................................................................................................... 43
12.2 Safety Critical Systems and Sub-systems ................................................................ 43
12.3 Emergency, Caution and Warning ........................................................................... 43
12.4 Emergency Response .............................................................................................. 44
12.1 Rapid Safing ............................................................................................................. 44
12.2 Crew Egress ............................................................................................................. 44
12.3 Unassisted Crew Emergency Egress ....................................................................... 44
13 Abort, Escape, Neutralisation and Safe Haven ....................................... 45
13.1 Design for Safe Abort ............................................................................................... 45
13.2 Abort Capability ........................................................................................................ 45
13.3 Automatic Abort Initiation ......................................................................................... 45
13.4 Abort Sequencing ..................................................................................................... 45
13.5 Neutralisation ........................................................................................................... 45
13.5.1 Controlled Neutralisation ............................................................................ 46
13.5.2 Instantaneous Automatic Neutralisation ..................................................... 46
13.5.3 Delayed Automatic Neutralisation .............................................................. 46
13.5.4 Inhibition of On-board Receiver Equipment ................................................ 46
13.5.5 Timing for Neutralisation ............................................................................. 46
13.6 Safe-Haven .............................................................................................................. 46
13.7 Crewed Overriding Automation / Control .................................................................. 46
14 Crew Survival Capabilities ................................................................................. 47
14.1 Survival Capabilities ................................................................................................. 47
14.2 Dissimilar Redundant System Capabilities ............................................................... 47
14.3 Crashworthiness Capabilities ................................................................................... 47
15 Fire Protection ..................................................................................................... 48
15.1 General ..................................................................................................................... 48
15.2 Fire Suppressant ...................................................................................................... 48
15.3 Fire Detection and Annunciation .............................................................................. 48
16 Computer System Fault Tolerance .................................................................... 49
16.1 General ..................................................................................................................... 49
16.2 Safe State ................................................................................................................. 49
16.3 Critical Software Behavior ........................................................................................ 49
16.4 Off-nominal Power Condition ................................................................................... 49
16.5 Inadvertent Memory Modification ............................................................................. 50
16.6 Discriminating valid vs. Invalid Inputs ....................................................................... 50
16.7 On-orbit Response to Loss of Function .................................................................... 50
16.8 Separate Control Path .............................................................................................. 50
16.9 Monitoring ................................................................................................................. 50
17 Crew Vehicle Safety Design: Structures .................................................. 51
17.1 Structural Design ...................................................................................................... 51
17.2 Windows Structural Design ...................................................................................... 51
17.3 Design Allowables .................................................................................................... 51
17.4 Stress Corrosion ....................................................................................................... 52
17.5 Pressure Systems .................................................................................................... 52
17.5.1 Pressure Vessels ........................................................................................ 52
17.5.2 Dewars ....................................................................................................... 53
17.5.3 Pressurized Lines, Fittings and Components ............................................. 53
17.6 Pressure Hull ............................................................................................................ 54
17.7 Depressurisation and Repressurisation ................................................................... 54
17.7.1 Pressure Differential Tolerance .................................................................. 54
17.7.2 Operation during Pressure Changes .......................................................... 54
17.7.3 Flow Induced Vibration ............................................................................... 54
17.8 Sealed Compartments .............................................................................................. 55
18 Crew Vehicle Safety Design: Materials, Processes and Mechanical Parts ....................................................................................................................... 56
18.1 General ..................................................................................................................... 56
18.2 Hazardous Materials ................................................................................................ 56
18.3 Fluid Systems ........................................................................................................... 56
18.4 Chemical / Biological Contamination ........................................................................ 57
18.5 Flammable Materials in Habitable Volume ............................................................... 57
18.6 Flammable Materials outside Habitable Volume ...................................................... 57
18.7 Material Out-gassing ................................................................................................ 57
18.8 Material Off-gassing in Habitable Volumes .............................................................. 58
18.9 Electrochemical Compatibility .................................................................................. 58
18.10 Stress Corrosion ....................................................................................................... 58
18.11 Allowable Stress ....................................................................................................... 59
18.12 Fracture Sensitive Materials ..................................................................................... 59
19 Crew Vehicle Safety Design: Electrical Systems .................................... 60
19.1 General ..................................................................................................................... 60
19.2 Electrical Hazards .................................................................................................... 60
19.3 Electrical Systems .................................................................................................... 61
19.4 Electromagnetic Compatibility .................................................................................. 61
19.5 Lighting Protection .................................................................................................... 61
19.6 Radio Frequency Transmitters ................................................................................. 61
19.7 Batteries ................................................................................................................... 61
20 Crew Vehicle Safety Design: Mechanisms .............................................. 62
20.1 General ..................................................................................................................... 62
21 Crew Vehicle Safety Design: Radiation ................................................... 63
21.1 Ionizing Radiation ..................................................................................................... 63
21.1 Non-Ionizing Radiation ............................................................................................. 63
21.1.1 Natural Radiation Protection ....................................................................... 63
21.2 Use of On-board Mass ............................................................................................. 63
21.1 Windows Transmissivity ........................................................................................... 64
21.2 Emissions and Susceptibility .................................................................................... 64
21.3 Optical Requirements ............................................................................................... 64
22 Crew Vehicle Safety Design: Environmental Control and Habitability ............................................................................................................ 65
22.1 General ..................................................................................................................... 65
22.2 Life Support System ................................................................................................. 65
22.3 Payload / Cargo Leakage ......................................................................................... 65
22.4 Contamination Control .............................................................................................. 65
22.5 Toxicity ..................................................................................................................... 66
22.6 Acoustic Noise .......................................................................................................... 66
22.7 Vibrations ................................................................................................................. 66
22.8 Mechanical Hazards ................................................................................................. 66
22.9 Thermal Hazards ...................................................................................................... 66
22.10 Illumination ............................................................................................................... 67
22.11 Hatches .................................................................................................................... 67
22.12 Access to Moving Parts ............................................................................................ 67
22.13 Communications ....................................................................................................... 67
Applicable and Reference Documents (normative) .............................................. 68
Applicable Documents ....................................................................................................... 68
Reference Documents ....................................................................................................... 69
1 Scope and Applicability
This document establishes the requirements applicable to the development and
operations of human‐rated space systems for ESA human spaceflight missions.
These requirements are intended to protect the public, the ground and flight
personnel, the space system, any interfacing system, public and private
property and the environment from hazards associated with flight operations,
and with ground operations with flight personnel on‐board the system (e.g.
launch pad operations).
These requirements are applicable to the crewed space vehicle and to the
integrated system (i.e.: crewed vehicle on its launcher, and relevant interfaces
with control centres, launch pad, recovery system, etc.) for all phases of flight
including docking to space station. The applicability of these requirements and
their apportionment to space system functions, elements, and external
interfaces, will be determined by the safety analysis.
2 Terms, definitions and abbreviated terms
2.1 Terms specific to the present standard
Abort
A specific action or sequence of actions initiated by an on‐board automated
function, by crew, or by ground control that terminates a flight process.
Adiabatic Compression Detonation
An observed phenomenon whereby the heat obtained by compressing the
vapours from fluids (e.g., hydrazine) is sufficient to initiate a self‐sustaining
explosive decomposition. This compression may arise from advancing liquid
columns in sealed spacecraft systems.
Catastrophic Event
Loss of life, life threatening or permanently disabling injury or occupational
illness, loss of system, loss of an interfacing crewed flight system, loss of launch
site facilities. Severe detrimental environmental effects.
Computer System
A computer system is the composite of hardware and software components.
Crashworthiness
The ability of a crewed vehicle and its internal systems and components to
protect flight personnel from injury in the event of a crash.
Credible
A condition that can occur and is reasonably likely to occur. For the purposes of
this document, failures of structure (i.e. rupture or leakage), pressure vessels,
and pressurized lines and fittings are not considered credible failure modes if
those elements comply with the applicable requirements of this document, with
the exception of leakage of seals or items designed ‘non‐hazardous Leak Before
Burst (LBB)’, where leakage is considered credible.
Crew
Any flight personnel on board the space system engaged in flying the system
and/or managing resources on board.
Critical Event
Temporarily disabling but not life threatening injury; occupational illness.
Major damage to interfacing flight system(s); Major damage to ground facilities,
public or private property. Major detrimental environmental effects. Also an
event that leads to the need to use a contingency procedure.
Electromagnetic Interference (EMI)
Any conducted or radiated electromagnetic energy that interrupts, obstructs, or
otherwise degrades or limits the effective performance of electronic or electrical
equipment.
Emergency (Flight Personnel)
Any condition which can result in flight personnel injury or threat to life and
requires immediate corrective action, including predetermined flight personnel
response.
Factor of Safety
The factor by which the limit load is multiplied to obtain the ultimate load. The
limit load is the maximum anticipated load or combination of loads, which a
structure may be expected to experience. Ultimate load is the load that a
structure must be able to withstand without failure.
Fail Safe
Design property of a system (or part of it), which prevents its failures from
resulting in critical or catastrophic consequences.
Failure
The inability of a system, subsystem, component or part to perform its required
function under specified conditions for a specified duration.
Failure Tolerance
The number of failures which can occur in a system or subsystem without the
occurrence of a hazard. Single failure tolerance would require a minimum of
two failures for the hazard to occur. Two‐failure tolerance would require a
minimum of three failures for a hazard to occur.
Fault
A fault is defined as an undesired system state.
Final Separation
Final separation is achieved when the last physical connection between the
crewed vehicle and its launcher is severed and the crewed vehicle becomes
autonomous.
Fire Event
Localized or propagating combustion, pyrolysis, smouldering or other thermal
degradation processes, characterized by the potentially hazardous release of
energy, particulates, or gases.
Ground Control Personnel
With respect to in flight monitoring, the term includes any personnel
supporting the flight from a console in a flight control centre or other support
area.
Habitable Volume
A habitable volume is defined as the volume in the on‐orbit space system,
which is capable of supporting intra‐vehicular activity.
Hazard
The presence of a potential risk situation caused by an unsafe act or condition.
A condition or changing set of circumstances that presents a potential for
adverse or harmful consequences; or the inherent characteristics of an activity,
condition, or circumstance which can produce adverse or harmful
consequences.
Hazard Controls
Design or operational features used to reduce the likelihood of occurrence of a
hazardous effect.
Hazardous Command
A command that can create an unsafe or hazardous condition which potentially
endangers the crew or the system. It is a command whose execution can lead to
an identified hazard or a command whose execution can lead to a reduction in
the control of a hazard such as the removal of a required safety inhibit to a
hazardous function.
Hazard Detection
An alarm system used to alert the crew to an actual or impending hazardous
situation for which the crew is required to take corrective or protective action.
Hazardous Function
Operational functions (e.g.: motor firings, appendage deployments, active
thermal control) whose loss or inadvertent execution may result in a hazard.
Human Performance
The physical and mental activity required of the crew and other participants to
accomplish mission goals. This includes the interaction with equipment,
computers, procedures, training material, the environment and other humans.
Human Rated Space System
A human‐rated space system accommodates human needs, effectively utilizes
human capabilities, controls hazards with sufficient certainty to be considered
safe for human operations, and provides, to the maximum extent practical, the
capability to safely recover the crew from hazardous situations.
Interfacing System
A system or element that during the mission is continuously or temporarily
connected to or interacts with the crewed vehicle (i.e.: launcher, ISS, launch
pad).
Note: When the crew enters a vehicle for a launch attempt, the vehicle
is physically connected to the launch pad. The entire launch pad is
not considered part of the crewed system, but the specific launch pad
systems that physically realize the connection or that functionally
interact with the crewed vehicle are considered an interfacing system
in accordance with the above definition.
Independent Inhibit
Two or more inhibits are independent if no single credible failure, event or
environmental cause can eliminate more than one inhibit.
Inhibit
A design feature that provides a physical interruption between an energy
source and a function (e.g.: a relay or transistor between a battery and a
pyrotechnic initiator, a latch valve between a propellant tank and a thruster,
etc).
Inhibit Command
A device or function that operates an inhibit is referred to as a command for an
inhibit and does not satisfy inhibit requirements. The electrical devices that
operate the flow control devices in a liquid propellant propulsion system are
exceptions in that they are referred to as electrical inhibits.
Integrated Space System
The collection of all space‐based and ground‐based systems used to conduct a
space mission (e.g. crewed vehicle, space‐based communication and navigation
systems, launch systems, and mission/launch control).
Interlock
A design feature that ensures that any conditions prerequisite for a given function
or event are met before the function or event can proceed.
Meteoroid Orbital Debris Critical Item
An item is deemed to be M/OD critical when effects resulting from a meteoroid
or orbital debris penetration will endanger the flight personnel or the space
system survivability.
Mishap / Incident
An unplanned event which results in personnel fatality or injury; damage to or
loss of the system, environment, public property or private property; or could
result in an unsafe situation or operational mode. A mishap refers to a major
event, whereas an incident is a minor event or episode that could lead to a
mishap.
Monitor
A device used to ascertain the safety status of space system functions, devices,
inhibits, and/or parameters.
Must-Work Function
Operational functions whose loss may result in a hazard.
Must-Not-Work Function
Operational functions whose inadvertent execution may result in a hazard.
Near Real Time Monitoring
Near‐real‐time monitoring (NRTM) is defined as notification of changes in
inhibit or safety status on a periodic basis.
Off-gassing
The emanation of volatile matter of any kind from materials into habitable
areas.
Operator Error
Any inadvertent space system action by either flight or ground personnel that
could eliminate, disable, or defeat an inhibit, redundant system, or other design
feature provided to control a hazard. The intent is not to include all
possible actions by a crew person that could result in an inappropriate action,
but rather to limit the scope of error to those actions which were inadvertent
errors, such as an out‐of‐sequence step in a procedure, a wrong keystroke or
an inadvertent switch throw.
Positive Indication of Status
Direct measurement of the primary function at the output level of the
mechanism.
Pressure Vessel
A container designed primarily for pressurized storage of gases or liquids and:
(1) contains stored energy of 19.30 kJ (i.e.: 14,240 foot‐pounds) (0.0045 kg
trinitrotoluene (TNT) equivalent) or greater based on adiabatic expansion of a
perfect gas; or (2) will experience a design limit pressure greater than 6894.75
hPa (i.e.: 100 psia); or (3) contains a fluid in excess of 1034.21 hPa (i.e.: 15 psia)
which will create a hazard if released.
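The three criteria above can be applied mechanically once the stored energy is computed. The following Python is an added example for this page, not part of the standard or of any ESA tool. It assumes (the standard does not state the method) that "stored energy based on adiabatic expansion of a perfect gas" is the usual isentropic expansion work E = pV/(γ−1)·(1 − (p_amb/p)^((γ−1)/γ)) from the vessel pressure to sea-level ambient, and it treats the design limit pressure as equal to the operating pressure unless given separately; the 10 L nitrogen and 0.5 L air containers used as inputs are constructed.

```python
# Thresholds from the Pressure Vessel definition (SI values as given there).
ENERGY_THRESHOLD_J = 19_300.0             # 19.30 kJ, criterion (1)
DESIGN_LIMIT_THRESHOLD_PA = 689_475.0     # 6894.75 hPa (100 psia), criterion (2)
HAZARDOUS_FLUID_THRESHOLD_PA = 103_421.0  # 1034.21 hPa (15 psia), criterion (3)

# Assumption (not stated in the standard): the gas expands adiabatically from
# the vessel pressure to sea-level ambient pressure.
SEA_LEVEL_PA = 101_325.0


def stored_energy_j(pressure_pa, volume_m3, gamma=1.4, ambient_pa=SEA_LEVEL_PA):
    """Work released by a perfect gas expanding adiabatically (isentropically)
    from pressure_pa to ambient_pa (J).  gamma=1.4 suits N2, air, O2."""
    if pressure_pa <= ambient_pa:
        return 0.0
    ratio = (ambient_pa / pressure_pa) ** ((gamma - 1.0) / gamma)
    return pressure_pa * volume_m3 / (gamma - 1.0) * (1.0 - ratio)


def classify(pressure_pa, volume_m3, gamma=1.4, hazardous_fluid=False,
             design_limit_pa=None):
    """Return the list of definition criteria, (1), (2), (3), that the
    container meets.  An empty list means it is not a pressure vessel by this
    definition (it may still be a Sealed Container)."""
    if design_limit_pa is None:
        design_limit_pa = pressure_pa  # assumption: no separate design limit given
    met = []
    if stored_energy_j(pressure_pa, volume_m3, gamma) >= ENERGY_THRESHOLD_J:
        met.append(1)
    if design_limit_pa > DESIGN_LIMIT_THRESHOLD_PA:
        met.append(2)
    if hazardous_fluid and pressure_pa > HAZARDOUS_FLUID_THRESHOLD_PA:
        met.append(3)
    return met


def is_pressure_vessel(pressure_pa, volume_m3, **kwargs):
    return bool(classify(pressure_pa, volume_m3, **kwargs))


if __name__ == "__main__":
    # Constructed inputs: a 10 L nitrogen bottle at 20 MPa and a 0.5 L air
    # reservoir at 500 kPa.
    for name, p, v, hazardous in (("N2 bottle", 20e6, 0.010, False),
                                  ("air reservoir", 500e3, 0.0005, False),
                                  ("toxic-gas reservoir", 500e3, 0.0005, True)):
        print(f"{name}: E = {stored_energy_j(p, v) / 1e3:.1f} kJ, "
              f"criteria met: {classify(p, v, hazardous_fluid=hazardous)}")
```

The 0.5 L reservoir shows why criterion (3) exists: its stored energy and pressure are both well under the (1) and (2) thresholds, so only the nature of the fluid decides whether it is a pressure vessel or merely a sealed container.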
Real Time Monitoring
Real‐time monitoring (RTM) is defined as immediate notification to the crew.
RTM shall be accomplished via the use of the space system failure detection and
annunciation system.
Risk
Exposure to the chance of injury or loss. Risk is a function of the possible
frequency of occurrence of an undesirable event, of the potential severity of the
resulting consequences, and of the uncertainties associated with the frequency
and severity.
Safe
A general term denoting an acceptable level of risk, relative freedom from, and
low probability of: personal injury; fatality; damage to property; or loss of the
function of critical equipment.
Safe Haven
A functional association of capabilities and environments that is initiated and
activated in the event of a potentially life‐threatening anomaly and allows
human survival until rescue, the event ends, or repair can be effected.
Safety Analysis
The technique used to systematically identify, evaluate, and resolve hazards.
Safety Critical (System)
Containing an element of risk. Necessary to prevent a hazard.
Safing
An action or sequence of actions necessary to place systems, subsystems or
component parts into predetermined safe conditions.
Sealed Container
A housing or enclosure designed to retain its internal atmosphere and which
does not meet the pressure vessel definition (e.g., an electronics housing).
Single Barrier Failure
A leak through a barrier within a component that permits the fluid to contact
the materials directly behind the barrier. Single barriers include mechanical
joints, e.g., B‐nuts; O‐rings, gaskets, and bladders; and metallic and non‐
metallic diaphragms. Structural parts, such as pressure lines and tanks, welded
or brazed joints, and redundant seals in series that have been pressure‐tested
individually before use are not considered to be single barriers.
Spaceport
A base from which spacecraft are launched.
Space Flight Participant
Any human on board the space system while in flight who has no responsibility
to perform any mission task for the system; also referred to as a space
passenger.
Space System Element
A subset of a space system (e.g., crewed vehicle, launcher).
Space System Organization
The ESA project organization which develops and/or operates the space system.
Structure
Any assemblage of materials which is intended to sustain mechanical loads.
2.2 Abbreviated terms
For the purpose of this Standard, the abbreviated terms from ECSS‐S‐ST‐00‐01 and
the following apply:
Abbreviation   Meaning
ACGIH          American Conference of Governmental Industrial Hygienists
AE             Approach Ellipsoid
ALARA          As low as reasonably achievable
AI             Approach Initiation
AIAA           American Institute of Aeronautics and Astronautics
ANSI           American National Standards Institute
COPV           Composite Overwrapped Pressure Vessels
CS             Computer System
ECSS           European Cooperation for Space Standardisation
EMI            Electromagnetic Interference
GSE            Ground support equipment
GPS            Global Positioning System
ICD            Interface Control Document
KOS            Keep‐out sphere
LBB            Leak‐before‐burst
LRSA           Launch Range Safety Authority
MEOP           Maximum expected operating pressure
MDP            Maximum design pressure
NDE            Non‐destructive evaluation
PTFE           Polytetrafluoroethylene
RF             Radio frequency
RS             Range Safety
RTM            Real‐Time Monitoring
SMAC           Spacecraft maximum allowable concentrations
SCC            Stress corrosion cracking
SCP            Separate Control Path
SRP            Safety Review Panel
SSO            Space System Organization
S&A            Safe and Arm
TLV            Threshold Limit Values
3 Responsibilities
3.1 Space System Organization
It is the responsibility of the Space System Organization (SSO) to assure the safety of the
system and to implement the requirements of this document. It is the responsibility of the
SSO to interface with the ESA Independent Safety Office and with the Launch Range Safety
Authority (LRSA) to achieve the required flight certification of the integrated system.
3.2 Launcher Operator
Hazards to the public on ground, to the ground personnel, to public and private property
and to the environment, resulting from launcher system unique operations (e.g.: staging)
or malfunction shall be precluded in compliance with the applicable regulations of the
launch safety authority.
It is the responsibility of the Launcher Operator, in support to and in coordination with
the Space System Organization, to interface with the Launch Range Safety Authority for
the specific safety certification aspects related to the launcher safety.
3.3 Safety Review Panel & Launch Range Safety
The ESA Safety Review Panel (SRP) and the Launch Range Safety Authority (LRSA) have
the joint responsibility for conducting the space system assessment for compliance with
the requirements in this document.
The detailed interpretations of these requirements will be determined jointly by the SRP
and LRSA, on a case‐by‐case basis consistent with the space system actual architecture
and hazard potential.
4 Implementation and Certification
This document identifies the safety policy and requirements which are to be
implemented by the Space System Organization (SSO). The implementation of safety
requirements by the SSO will be assessed jointly by the ESA Safety Review Panel (SRP)
and by the Launch Range Safety Authority (LRSA) during the safety review process and
must be consistent with the hazard potential. The following supplementary documents
are intended to assist the SSO in complying with the requirements of this document. This
document will be complemented with the following two documents to be issued.
4.1 Design Implementation Requirements
The document listing and tracking all those (additional) system level technical
requirements and verification methods established by project documents, to be
considered as an integral part of the safety requirements baseline (e.g., safety‐critical
software requirements), is to be developed and approved by the safety review authority.
This document will also include (as deemed necessary) a collection of interpretations of
safety technical requirements.
4.2 Certification Process Requirements
The document describing certification process will be issued to assist the SSO in
achieving the safety certification by defining the overall safety certification process and
the required safety review meetings, analyses, verification methods, and data submittals.
5 Mission Safety Risk
5.1 Orbital Flights
5.1.1 Crew Safety Risk
The probability of loss of crew due to a catastrophic event during
the entire mission shall not exceed 1 × 10⁻³.
5.1.2 Flight Rules
Flight rules shall be prepared for each mission that outline pre‐
planned decisions designed to minimize the amount of real‐time
decision making required when anomalous situations occur.
Note: These flight rules are not additional safety requirements,
but do define actions for the execution of the flight consistent
with crew safety.
5.1.3 Survivability to Micrometeoroids and Debris Risk
The probability that the exposure to meteoroid and debris
environment will not lead to penetration of or spall detachment,
from Micrometeorite and Orbital Debris (MMOD), shall be higher
than 0.9946 over the mission.
5.2 Sub-orbital Flights
5.2.1 Crew Safety Risk
The probability of a catastrophic event during the entire mission
shall not exceed 1 × 10⁻⁴.
5.3 Public Safety Risk
The probability of a catastrophic event in relation to launch and return operations shall
not exceed:
a) launch: 2 × 10⁻⁵ per mission
b) return: 1 × 10⁻⁴ per returning element
6 System Safety Requirements: General
6.1 Design to Tolerate Failures
a) Failure tolerance is the basic safety requirement that shall be used to control most
space system hazards.
b) The space system shall be designed to tolerate a minimum number of credible failures
and/or operator errors determined by the hazard level (i.e.: catastrophic or critical).
This criterion applies in particular when the loss of a function or the inadvertent
occurrence of a function results in a hazardous event. The use of emergency
equipment and systems should not be considered part of the failure tolerance
capability.
6.1.1 Critical Hazards
Critical hazards shall be controlled such that no single failure or
operator error can result in a critical event.
Note: Failure of de‐orbiting an unmanned cargo spacecraft
(used for servicing an on‐orbit crewed vehicle) is also
considered a critical hazard, provided the applicable
quantitative safety risk requirements for re‐entry are met.
6.1.2 Catastrophic Hazards
Catastrophic hazards shall be controlled such that no combination
of two failures or operator errors can result in a catastrophic event.
6.2 Design for Minimum Risk
Space system hazards which are controlled by compliance with specific requirements of
this document other than failure tolerance are called ʺDesign for Minimum Riskʺ areas of
design.
Note: Examples are structures, pressure vessels, pressurized line and fittings,
functional pyrotechnic devices, mechanisms in critical applications, material
compatibility, etc. Hazard controls related to these areas are extremely critical and
warrant careful attention to the details of verification of compliance by the SSO.
6.3 Equivalent Safety
“Equivalent safety” refers to conditions that do not meet specific requirements in the
exact manner specified. However, the system design, procedure, or configuration satisfies
the intent of the requirement by achieving a comparable or higher degree of safety.
Criteria are based on:
a) use of alternative methods/controls;
b) utilization of procedures, protective devices, pre‐flight verification
activities, and crew experience base;
c) reduced time of exposure;
d) likelihood/probability of additional failures after loss of first control/inhibit;
reduction of hazard category, and/or other factors such as minimum of single
fault tolerance with a robust design.
6.4 Environmental Compatibility
The space system shall be certified safe in the applicable worst case natural and induced
environments including those defined by the launcher interface control document (ICD).
6.5 Human Compatibility
a) The space system shall be designed to effectively utilize human capabilities, control
hazards and manage safety risk associated with human spaceflight, and provide, to
the maximum extent practical, the capability to safely recover the crew from
hazardous situations.
b) The space system shall be designed to comply with ECSS‐E‐ST‐10‐11C.
6.6 Flight Data Use Capability
To facilitate anomaly resolution and mishap/incident investigation, the space system
shall be designed to provide the capability to timely record, recover and utilize health
and status data of safety critical systems, also in case of loss of telemetry and
communication with ground.
6.7 Launcher Services
6.7.1 Safe Without Launcher Services
The crewed vehicle should be designed to maintain fault tolerance
or safety margins consistent with the hazard potential without
launcher flight services.
6.7.2 Critical Launcher Services
a) When launcher services are to be utilized to control the crewed
vehicle hazards, the integrated system must meet the failure
tolerance requirements of Chapter 8 and adequate redundancy
of the launcher services must be negotiated.
b) The SSO shall identify in the relevant ICD those launcher
interfaces used to control and/or monitor the hazards.
c) The crewed vehicle hazards which are controlled by launcher
provided services shall require post‐mate interface test
verification for both controls and monitors.
7 Control of Safety Critical Functions
7.1 “Must Work” Functions
7.1.1 Functions Resulting in Critical Hazards
a) A system function whose loss could result in a critical hazard
must be one fault tolerant, whenever the hazard potential exists.
b) No single credible failure or operator error shall cause loss of
that function.
7.1.2 Functions Resulting in Catastrophic Hazards
a) A system function whose loss of operation could result in a
catastrophic hazard shall be two fault tolerant, whenever the
hazard potential exists.
b) No two credible failures, no two operator errors, or
combination thereof shall cause loss of that function.
7.1.3 Crewed Manual Flight Control Functions
The crewed space system shall provide the capability for the crew
to manually control the flight path and attitude of their spacecraft,
with the following exception: during the atmospheric portion of
Earth ascent when structural and thermal margins have been
determined to negate the benefits of manual control.
7.1.4 Crewed Autonomous Operation
The crewed space system shall provide the capability for
autonomous operation of system and subsystem functions which,
if lost, would result in a catastrophic event without depending on
communication with Earth (e.g.: mission control) to perform
functions that are required to keep the crew alive.
7.1.5 Control and Monitoring Capabilities
The space system shall provide real‐time monitoring capabilities
for the crew and ground operator to monitor, operate and control
the crewed space system and subsystems, where necessary to
execute the mission (incl. vehicle approach and collision
avoidance), prevent a catastrophic event and prevent an abort.
7.2 “Must Not Work” Functions
7.2.1 Functions Resulting in Critical Hazards
A system function whose inadvertent operation could result in a
critical hazard shall be controlled by two independent inhibits,
whenever the hazard potential exists. Requirements for monitoring
(req. 7.2.3) of these inhibits and for the capability to restore inhibits
to a safe condition are normally not imposed, but may be imposed
on a case‐by‐case basis.
7.2.2 Functions Resulting in Catastrophic Hazards
A system function whose inadvertent operation could result in a
catastrophic hazard shall be controlled by a minimum of three
independent inhibits, whenever the hazard potential exists.
One of these inhibits must preclude operation by a radio frequency
(RF) command or the RF link must be encrypted. In addition, the
ground return for the function circuit must be interrupted by one
of the independent inhibits. At least two of the three required
inhibits shall be monitored (req. 7.2.3).
7.2.3 Monitors
a) Monitoring circuits should be designed such that the
information obtained is as directly related to the status of the
monitored device as possible.
b) Monitoring shall be available to the launch site when necessary
to assure safe ground operations.
c) Notification of changes in the status of safety monitoring shall
be given to the flight crew in either near‐real‐time or real‐time.
7.2.3.1 Real-Time Monitoring
Real‐Time Monitoring (RTM) shall be accomplished via
the use of the space system failure detection and
annunciation system.
Note: Real‐time monitoring of inhibits to a
catastrophic hazardous function is required when
changing the configuration of the applicable system or
when the provisions of Chapter 12 are implemented for
flight crew control of the hazard.
7.2.3.2 Unpowered Bus Exception
Monitoring and safing of inhibits for a catastrophic
hazardous function will not be required if the function
power is de‐energized (i.e., an additional fourth inhibit is
in place between the power source and the three
required inhibits) and the control circuits for the three
required inhibits are disabled (i.e., no single failure in
the control circuitry will result in the removal of an
inhibit) until the hazard potential no longer exists.
7.2.3.3 Use of Timers
a) When timers are used to control inhibits to
hazardous functions, a reliable physical feedback
system shall be in place for the initiation of the timer.
b) If credible failure modes exist that could allow the
timer to start prior to the relevant physical event a
safing capability shall be provided to the flight crew.
7.2.3.4 Control of Inhibits
Control of inhibits for safety critical functions shall be
hardwired.
Note: One of the independent inhibits may be
controlled by a computer used as a timer provided
that the software meets the requirements for software
control of safety critical functions (Chapter 11).
7.3 Failure Propagation
The design shall preclude propagation of failures from the space system or any space
system element to the interfacing systems or elements and vice‐versa.
7.3.1 Isolate and Recover
The space system shall provide the capability to isolate and/or
recover from faults identified during system development that
would result in a catastrophic event.
7.3.2 Inhibits and Barriers
a) In case of a power failure in the circuits of an inhibit it shall
enter into a safe state w.r.t. the safety critical function.
b) In the event of a cancellation of an inhibit function, the system
where that function was implemented
7.3.3 Independent Inhibits
Inhibits opposing a given undesired event (i.e.: hazardous circuit
or system enabled or disabled unexpectedly either due to a failure
or human error) shall be independent and, if possible, of different
types. They may be mechanical, electrical, software, etc.
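The failure-tolerance rules of 6.1.1 and 6.1.2, the inhibit counts of 7.2.1 and 7.2.2, and the independence rule of 7.3.3 (and the Independent Inhibit definition in 2.1) can be checked mechanically against the fault model of a design: list every credible failure and operator error together with the inhibit(s) it removes, then enumerate failure combinations. The Python below is an added example written for this page, not part of the standard or of any ESA tool. The inhibit names, the failure list and the "shared driver bus" variant are constructed; the check is the minimal-cut-set enumeration used in fault tree analysis, and the same test expresses 9.7 b) (one electrical inhibit failure must not open more than one flow control device).

```python
from itertools import combinations

# Constructed fault model (illustrative names, not from the standard): a thruster
# firing command is a must-not-work function held off by three series inhibits.
# Each credible failure or operator error is mapped to the inhibit(s) it removes.
INHIBITS = frozenset({"relay_A", "relay_B", "latch_valve"})

FAILURES_INDEPENDENT = {
    "relay_A_contacts_weld": {"relay_A"},
    "relay_A_spurious_command": {"relay_A"},
    "relay_B_contacts_weld": {"relay_B"},
    "relay_B_spurious_command": {"relay_B"},
    "latch_valve_stuck_open": {"latch_valve"},
    "operator_opens_latch_valve": {"latch_valve"},  # operator error, 6.1 b)
}

# Same design, but both relay drivers hang off one unprotected power bus, so a
# single bus short removes two inhibits at once (a common-cause failure).
FAILURES_COMMON_CAUSE = dict(FAILURES_INDEPENDENT,
                             driver_bus_short={"relay_A", "relay_B"})


def inhibits_independent(failures, inhibits=INHIBITS):
    """Independent Inhibit definition / 7.3.3: no single credible failure,
    event or environmental cause may eliminate more than one inhibit."""
    return all(len(set(hit) & inhibits) <= 1 for hit in failures.values())


def minimal_cut_sets(failures, inhibits=INHIBITS):
    """All minimal combinations of failures that remove every inhibit, i.e.
    that let the must-not-work function operate.  Generated in increasing
    order of size; brute force is fine for the handful of failures a hazard
    report lists per function."""
    names = sorted(failures)
    cuts = []
    for order in range(1, len(names) + 1):
        for combo in combinations(names, order):
            chosen = set(combo)
            if any(set(cut) <= chosen for cut in cuts):
                continue  # contains a smaller cut set: not minimal
            removed = set().union(*(failures[f] for f in combo))
            if inhibits <= removed:
                cuts.append(combo)
    return cuts


def fault_tolerance(failures, inhibits=INHIBITS):
    """Failures the design survives: one less than the smallest cut set
    (None if no combination of the listed failures enables the function)."""
    cuts = minimal_cut_sets(failures, inhibits)
    return min(len(c) for c in cuts) - 1 if cuts else None


REQUIRED_TOLERANCE = {"critical": 1, "catastrophic": 2}   # 6.1.1 / 6.1.2
REQUIRED_INHIBITS = {"critical": 2, "catastrophic": 3}    # 7.2.1 / 7.2.2


def meets_requirement(failures, hazard, inhibits=INHIBITS):
    """Combined check for a must-not-work function of the given hazard level."""
    tolerance = fault_tolerance(failures, inhibits)
    enough_inhibits = len(inhibits) >= REQUIRED_INHIBITS[hazard]
    tolerant = tolerance is None or tolerance >= REQUIRED_TOLERANCE[hazard]
    return enough_inhibits and inhibits_independent(failures, inhibits) and tolerant


if __name__ == "__main__":
    for label, model in (("independent inhibits", FAILURES_INDEPENDENT),
                         ("shared driver bus", FAILURES_COMMON_CAUSE)):
        cuts = minimal_cut_sets(model)
        print(f"{label}: fault tolerance {fault_tolerance(model)}, "
              f"catastrophic requirement met: {meets_requirement(model, 'catastrophic')}")
        for cut in cuts:
            if len(cut) == len(cuts[0]):  # report only the smallest cut sets
                print("  smallest cut set:", cut)
```

The shared-bus variant is the case the independence rule exists for: it still has three inhibits, but a bus short plus one latch-valve failure fires the thruster, so the design is only single-fault tolerant and fails both the 7.3.3 independence test and the 6.1.2 two-failure criterion.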
7.4 Redundancy Separation
a) Redundant subsystems or alternate functional paths shall be separated by the
maximum practical distance, or otherwise protected, to ensure that an unexpected
event that damages one is not likely to prevent the others from performing the
function.
b) All redundant functions that are required to prevent a catastrophic hazard shall not be routed through a single connector.
8 Specific Catastrophic Hazard Functions:
Explosive and Pyrotechnics
8.1 General
If premature firing or failure to fire will cause a hazard, the pyrotechnic subsystem and
devices shall meet the design and test requirements of ECSS‐E‐ST‐33‐11C / MIL‐STD‐1576
and applicable ground safety launch services requirements.
8.2 Initiators
Initiators used for safety critical explosive/pyrotechnic functions shall meet the
qualification and acceptance test requirements of ECSS‐E‐ST‐33‐11C (the preferred
initiators), or equivalent requirements (e.g. MIL‐STD‐1576) if other initiators are used.
8.3 Explosive / Pyrotechnic Operated Devices
8.3.1 Explosive / Pyrotechnic Power Supply
The electric power supply source of pyrotechnic devices circuits
shall be preferably a direct current source. Otherwise, it shall be
proven that the electric power supply source complies with the
electromagnetic compatibility requirements.
8.3.2 Debris Protection
Pyrotechnic devices that are to be operated in proximity of an
interfacing system that do not meet the criteria of this document to
prevent inadvertent operation, shall be designed to preclude
hazards due to effects of shock, debris, and hot gasses resulting
from operation. Such devices shall be subjected to a ʺlocked‐shutʺ
safety demonstration test (i.e.: a test to demonstrate the capability
of the devices to safely withstand internal pressures generated in
operation with the moveable part restrained in its initial position).
8.3.1 Must Function Safety Critical Devices
a) Where failure to operate will cause a catastrophic hazard,
explosive / pyrotechnic operated devices shall be designed,
controlled, inspected, and certified to criteria equivalent to
those specified in ECSS‐E‐ST‐33‐11C / NSTS 08060. If the
device is used in a redundant application where the hazard is
being controlled by the use of multiple independent methods,
then in lieu of demonstrating compliance with criteria
equivalent to ECSS‐E‐ST‐33‐11C / NSTS 08060, sufficient
margin to assure operation must be demonstrated.
b) When required, pyrotechnic operated devices shall
demonstrate performance margin using a single charge or
cartridge loaded with 85 % (by weight) of the minimum
allowable charge or other equivalent margin demonstrations.
c) For pyrotechnic circuits involving a potentially catastrophic
hazard, the inhibit closest to the source of the hazard shall be a
mechanical inhibit capable of preventing unintentional ignition of
the system.
8.3.2 Electrical Connection
a) Pyrotechnic devices which if prematurely fired may cause a
hazard shall be designed such that these devices can be
electrically connected to the launcher after all electrical
interface verification tests have been completed.
b) Ordnance circuitry shall be verified safe prior to connection of
pyrotechnic devices.
8.3.3 Traceability
The SSO shall maintain a list of all safety critical pyrotechnic
initiators installed or to be installed on the space system, giving the
function to be performed, the part number, the lot number, and the
serial number.
8.3.4 Shielding & Grounding
The components of a pyrotechnic chain, initiator, safe and arm
device, transmission and distribution components, functional
devices (destruction bars, cutting charges, separation thruster,
valves, pistons, etc.) shall be designed so that external conductive
parts (metallic or non‐metallic) and shielding can be equipotential
and grounded to the crewed vehicle.
8.3.5 Use of Safe and Arm (S&A) Devices
a) Safe and Arm (S&A) devices shall be designed and tested in accordance with the provisions of ECSS‐E‐ST‐33‐11C.
b) In determining compliance with req. 7.2.3.2, the S&A device in
the ʺsafeʺ position shall be counted as one of the required
inhibits.
c) S&A devices shall provide easy access for assembly and
connection of initiators, and manual disarming.
d) S&A devices shall be capable of being remotely safed and
armed. They shall not be capable of being manually armed, but
shall be capable of being manually safed.
e) A remote status indicator shall be provided to show the armed
or safed condition.
f) The S&A device shall also indicate its arm or safe status by
visual inspection.
g) The ʺarmedʺ or ʺsafeʺ state is displayed by an indicator
physically linked to the disabling device;
h) The inhibit, once set to one of the states ʺarmedʺ or ʺsafeʺ, shall
not leave that state in the absence of a command or under the
effect of external interference (impacts, vibrations, electrostatic
phenomenon, etc.).
9 Specific Catastrophic Hazard Functions:
Propulsion systems
9.1 Premature / Inadvertent Firing
The design of the propulsion system and its operation shall preclude premature or
inadvertent thruster firing in accordance with the two failure tolerance requirement.
Note: The premature/inadvertent firing of a propellant propulsion in proximity to or
attached to an interfacing system is a catastrophic hazard.
9.2 Flow Control Valve
a) Each thruster’s flow control valve (the most downstream valve in the case of
thrusters with two or more series flow control valves) shall return to the closed
position when power is removed (i.e. in the absence of an opening signal).
b) When a valve is used as a flow control device, the number of inhibits to valve activation
shall determine the failure tolerance against fluid flow.
9.3 Bipropellant Separation
Propulsion systems using hypergolic bipropellants shall have separate pressurant and
propellant networks for the fuel and the oxidiser that ensure no contact between the two
propellants or their vapours until they reach the intended point of mixing (e.g.
combustion chamber).
Note: If it can be proved that there is no risk of oxidiser / fuel propellant vapour
mixing – even for long duration missions – then, other options might be submitted for
consideration and approval.
9.4 Hazardous Impingement and Venting
The propulsion system shall be designed such that:
a) Thruster plume or products vented from the propulsion system shall not impinge on
other elements of the vehicle or adjacent vehicles such that a hazard is created or
their function is degraded.
b) The products from thruster firing or propulsion system venting shall not contaminate
surfaces of the vehicle or adjacent vehicles to the extent that functional degradation
or hazards are created.
9.5 Safe Distance Criteria
The hazard of engine firing close enough to inflict damage to an interfacing system due
to heat flux, contamination, and/or perturbation of the interfacing system shall be
controlled by establishing a safe distance for the event.
9.6 Isolation Valve
a) At least one flow control device shall isolate the propellant tank(s) from the
remainder of the distribution system.
b) There shall be an isolation valve(s) below each propellant tank that isolates the tank
from the remainder of the propellant distribution system.
c) These valves shall be closed when the propulsion system is inactive and when the
corresponding tank is not in use.
9.6.1 Pyrotechnic Valves
Fluid flow or leakage past a normally closed pyrotechnic valve may
be considered non‐credible provided the following conditions are
met:
a) The valve has an internal flow barrier fabricated from a
continuous unit of non‐welded metal.
b) The valve integrity is established by rigorous qualification and
acceptance testing.
9.7 Electrical Inhibits
a) If the space system is closer to an interfacing system than the minimum safe distance
for engine firing, there shall be at least three independent electrical inhibits that
control the opening of the flow control devices.
b) The electrical inhibits shall be arranged such that the failure of one of the electrical
inhibits will not open more than one flow control device.
9.7.1 Monitoring Electrical Inhibits
a) At least two of the three required independent electrical inhibits
shall be monitored by the flight crew and/or ground personnel
until final separation of the space system from the interfacing
system.
b) The position of a mechanical flow control device shall be
monitored in lieu of its electrical inhibit, provided the two
monitors used to meet the above requirement are independent.
c) Either near real‐time or real‐time monitoring will be required as
defined in 7.2.3.1. One of the monitors shall be the electrical inhibit
or mechanical position of the isolation valve. Monitoring will not
be required if the space system qualifies for the unpowered bus
exception of req. 7.2.3.2.
9.8 Adiabatic / Rapid Compression Detonation
a) The design of the propulsion system and its operation shall preclude adiabatic
detonation in accordance with fault tolerance requirements for catastrophic hazard.
b) If testing is performed to show propulsion systems insensitivity to adiabatic or rapid
compression detonation, the test plans and test results shall be submitted to the
Safety Review Panel as part of the relevant Hazard Report.
Note(1): Hydrazine systems will be considered sensitive to compression
detonation unless insensitivity is verified by testing on flight hardware or on a
high fidelity flight type system that is constructed and cleaned to flight
specifications.
Note(2): If the design solution is to fly wet downstream of the isolation valve, the
hazard analysis must consider other issues such as propellant freezing or
overheating, leakage, single barrier failures, and back pressure relief.
9.9 Propellant Freezing
Design of liquid propulsion systems and their operation shall preclude propellant or
propellant vapour freezing during active propulsion periods. This includes freezing of
propellant vapour that migrates upstream of the propellant tank (e.g. in the case of
vapour migration after a long period of Helium flow wherein temperatures in the
pressurant area drop below the freezing point of the propellant).
9.10 Propellant Overheating – Ignition Compatibility Limits
a) Components in propellant systems that are capable of heating the system (e.g.,
heaters, valve coils, etc.) shall be two‐failure tolerant to avoid heating the propellant
above the material/fluid compatibility limits of the system.
b) Material/Fluid compatibility limits shall be based on test data derived from qualified
test methods or on data furnished by the space system manufacturer and approved
by the Safety Review Panel.
Note: Raising the temperature of a propellant above the fluid compatibility
limit for the materials of the system is a catastrophic hazard.
c) Propellant temperatures below the material/fluid compatibility limit but greater
than 110°C must be approved by the Safety Review Panel. Inhibits, cutoff devices,
and/or crew safing actions may be used to make the system two failure tolerant to
overheating. Monitoring of inhibits (req. 7.1.5 and functions resulting in
catastrophic hazards) or of propellant temperature will be required.
Note: Consideration is to be given to material/fluid combinations that lower the
auto‐decomposition temperature required for propellant ignition.
9.11 Thruster Ignition Upstream of Combustion Chamber
a) For liquid bipropellant propulsion systems, the thruster design shall preclude
propellant ignition upstream of the thruster combustion chamber (e.g. zot).
b) Thruster materials exposed to propellant and propellant combustion products shall
not ignite when exposed to propellant ignition (e.g. ignition of Titanium injector
when exposed to zot).
9.12 Propulsion System Leakage
a) The propulsion system shall be two failure tolerant (i.e.: have three barriers) to
prevent external leakage between the propellant tank and external ports (i.e.
thruster, test port, fill/vent/drain port).
b) The propulsion system’s pressurant assembly shall be two failure tolerant (i.e.: have
three barriers) to prevent external leakage between the pressurant tank and external
ports (i.e. test port, fill/vent/drain port).
9.13 Propulsion System Instrumentation
The space system shall provide data related to pressure, temperature, and quantity
gauging of the space system propulsion system tanks, components, and lines to the flight
crew and ground personnel to ensure system health and safety.
9.14 Leak Detection
The propulsion system and the corresponding FDIR system shall detect and isolate
propellant leakage at a level that:
a) Ensures the propulsion system and the vehicle remain fully operational after the
first failure (i.e. leak) and safe after the second failure.
b) Precludes injury to the crew of the vehicle or adjacent vehicles.
c) Precludes damage or degradation to adjacent vehicles.
9.15 Failed Closed Flow Path
The propulsion system shall be designed with parallel flow paths such that the
propulsion system will not be disabled by a failed closed path or a failed closed path
combined with a second failure (e.g. a second failed closed path/component or a different
failure).
Note: Examples of a “failed closed path” include: failed closed isolation valve,
failed closed flow control valve, failed closed check valve, failed closed regulator,
blocked filter or blocked propellant management device.
9.16 Pressure Relief
The propulsion system shall include pressure relief devices to prevent overpressure.
9.17 Hazardous Impingement and Venting
a) Thruster plume, including combustion products and unspent propellant, as well as
products vented from the propulsion system, shall not impinge on other elements of
the vehicle or on adjacent space systems where this could result in a hazard.
b) The products from thruster firing or propulsion system venting shall not contaminate
surfaces of the space system or of adjacent/interfacing space systems.
c) A safe distance (from other elements of the space system or adjacent/interfacing
space systems) shall be established for thruster firing or propulsion system venting
operations.
9.18 Inadvertent Deployment, Separation and Jettison Functions
Inadvertent deployment, separation or jettison of a space system element or appendage is
a catastrophic hazard unless it is proven otherwise. The general inhibit and monitoring
requirements of 7.5 shall apply.
9.19 Planned Deployment / Extension Functions
9.19.1 Cannot Withstand Subsequent Loads
If during planned operations an element of a space system is
deployed, extended, or otherwise unstowed to a condition where it
cannot withstand subsequent induced loads, there shall be design
provisions to safe the space system with appropriate redundancy
to the hazard level. Safing may include deployment, jettison or
provisions to change the configuration of the space system to
eliminate the hazard.
9.19.2 Fluid Released from Pressurized System Inside a Closed Volume
Release of any fluid from pressurized systems shall not
compromise the structural integrity of any closed volume in which
the hardware is contained, such as habitable volumes.
Pressurized systems that are two fault tolerant to release of fluid
through controlled release devices do not require analysis.
Systems which do not meet the above shall be reviewed and
assessed for safety on a case‐by‐case basis.
10 Specific Catastrophic Hazard Functions: On-Orbit Rendezvous and Docking
10.1 Safe Trajectories
The trajectory of an active space system during rendezvous and proximity operations
shall be such that the natural drift, including 3‐sigma dispersed trajectories, ensures that:
a) prior to the Approach Initiation (AI) burn, the space system shall stay outside the
Approach Ellipsoid (AE) for a minimum of 24 hours;
b) after the AI burn and prior to the space system stopping at the arrival point on V‐
bar inside the AE, the space system shall stay outside the keep‐out sphere (KOS)
for a minimum of 4 orbits;
c) during any retreat out of the Approach Ellipsoid, the space system shall maintain
a positive relative range rate until it is outside the Approach Ellipsoid and
thereafter it shall stay outside the Approach Ellipsoid for a minimum of 24 hours.
10.2 Use of Dedicated Rendezvous Sensors
Relative navigation during rendezvous shall be based on the use of rendezvous sensors
for docking operations on the active space system (where relative GPS data may be
corrupted by multi‐path effects and / or will not provide sufficient accuracy) and
corresponding target pattern on the passive interfacing space system.
10.3 Collision Avoidance Maneuver
a) The active space system shall implement a collision avoidance manoeuvre (CAM)
function for all proximity flight phases requiring active trajectory control.
b) The CAM function shall be implemented as a separate functional path from the
functions required for nominal mission operations.
c) A collision avoidance manoeuvre shall begin by creating a positive relative range
rate between the active vehicle and the passive vehicle.
d) It shall be possible to monitor the operational domain for the proper functioning of
the CAM function.
e) The active vehicle shall be able to safely complete a CAM independent of the state of
the passive target vehicle.
f) It shall be possible to externally command a CAM throughout proximity operations,
and during contact operations up to capture. Intermittent unavailability (due to
reconfiguration) shall be taken into account in a worst case analysis.
g) A CAM shall be triggered automatically upon violation of its flight domain or if
availability is interrupted.
h) It shall be possible for crew and ground control of either vehicle to manually initiate
a CAM.
i) It shall be possible to terminate a CAM‐in‐progress.
j) It shall be possible to inhibit a CAM (e.g.: after capture).
k) It shall be possible to detect and monitor a CAM‐in‐progress.
11 Hazardous Commands
11.1 General
a) All hazardous commands shall be identified from the system safety analysis.
Note: Hazardous commands are those that can: 1) remove an inhibit to a
hazardous function, 2) activate an unpowered hazardous system, or 3)
deactivate an operational function resulting in a catastrophic hazard.
b) Failure modes associated with space system flight and ground operations, including
hardware, software, and procedures used in commanding, shall be considered in the
safety analysis to determine compliance with the requirements of Section 6.1 and Chapter 7.
11.2 Command Fault Tolerance Approach
The computer system (CS) shall be designed such that no combination of two failures, or
two operator actions, or one of each will cause a catastrophic hazardous event, and no
single failure or operator action will cause a critical hazardous event.
11.2.1 Catastrophic Hazard
Where loss of a capability could result in a catastrophic hazard, the
computer system shall provide two independent and unique
command messages to deactivate any function within a failure
tolerant capability.
11.2.2 Critical Hazard
Where loss of a capability could result in a critical hazard, the
computer system shall provide two independent and unique
command messages to deactivate the capability.
11.3 Pre-requisite Checks
Pre‐requisite checks for the safe execution of hazardous commands shall be performed by
computer systems compliant with requirements of Chapter 16.
11.4 Rejection of Commands
The computer system (CS) shall reject hazardous commands which do not meet pre‐
requisite checks for execution.
11.4.1 Out of Sequence Commands
Where execution of commands out of sequence can cause a hazard,
the computer system (CS) shall reject commands received out of
sequence.
11.5 Integrity Checks
Integrity checks shall be performed when data or commands are exchanged across
transmission or reception lines and devices.
11.6 Independent Commanding Method
Where software provides the sole control for safety critical “must work” functions,
another non‐identical method for commanding the function shall be provided.
11.7 Shutdown Independent Operator Action
At least one independent operator action shall be required for each operator initiated
command message used in the shutdown of a capability or function that could lead to a
hazard.
11.8 Removal of Software Controlled Inhibits
Command messages to change the state of inhibits shall be unique for each inhibit.
11.9 Unique Command for Inhibit Removal
A unique command message shall be required to enable the removal of inhibits.
11.10 Failure Recovery and Overrides
a) A separate and functionally independent parameter (with at least one operator
controllable) shall be checked before issuance or execution of every hazardous
command, which can be initiated by a hard‐coded failure recovery automated
sequence.
b) Overrides shall require at least two independent actions by the operator.
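As an added illustration, not from the standard or from any project, the block below implements a receiver‐side gate that combines 11.3 (pre‐requisite checks), 11.4 and 11.4.1 (rejection of non‐compliant and out‐of‐sequence commands), 11.5 (an integrity check on every message), 11.8 and 11.9 (a dedicated arm message followed by a removal message specific to one inhibit, i.e. the two independent and unique messages of 11.2) and 11.10 b) (two independent operator actions for an override). The message layout, opcodes, the choice of CRC‐32 as the integrity check and the pre‐requisite table are assumptions made for the example.

```c
/* Added example, not part of ESSB-ST-Q-003: a minimal receiver-side gate for
 * hazardous commands showing how the Chapter 11 checks compose. The message
 * layout, opcodes and pre-requisite table are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_INHIBITS 4                /* inhibit ids 1..3 are valid; 0 means "none" */

typedef struct {
    uint16_t opcode;                /* requested action */
    uint16_t inhibit_id;            /* inhibit addressed, 0 if not applicable */
    uint32_t sequence;              /* sender's command counter (11.4.1) */
    uint32_t crc;                   /* CRC-32 over the three fields above (11.5) */
} cmd_msg_t;

enum { OP_ARM_INHIBIT_REMOVAL = 1, OP_REMOVE_INHIBIT = 2,
       OP_ARM_OVERRIDE = 3, OP_EXECUTE_OVERRIDE = 4 };

typedef enum { CMD_ACCEPTED, CMD_REJ_INTEGRITY, CMD_REJ_SEQUENCE,
               CMD_REJ_PREREQ, CMD_REJ_UNKNOWN } cmd_result_t;

typedef struct {
    uint32_t expected_seq;          /* next sequence number that will be accepted */
    uint16_t armed_inhibit;         /* inhibit whose removal a prior arm message enabled (11.9) */
    bool     override_armed;        /* first of the two operator actions of an override (11.10 b) */
    bool     inhibit_in_place[N_INHIBITS];
    bool     prereq_ok[N_INHIBITS]; /* constructed pre-requisite status per inhibit (11.3) */
} cmd_state_t;

/* Reflected CRC-32 (IEEE polynomial), bit-serial form. */
static uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Serialise the header explicitly so the check does not depend on struct padding. */
static uint32_t cmd_crc(const cmd_msg_t *m) {
    uint8_t buf[8];
    memcpy(buf, &m->opcode, 2);
    memcpy(buf + 2, &m->inhibit_id, 2);
    memcpy(buf + 4, &m->sequence, 4);
    return crc32_bytes(buf, sizeof buf);
}

/* Sender side: a well-formed message with its integrity field filled in. */
cmd_msg_t make_cmd(uint16_t opcode, uint16_t inhibit_id, uint32_t sequence) {
    cmd_msg_t m = { opcode, inhibit_id, sequence, 0 };
    m.crc = cmd_crc(&m);
    return m;
}

cmd_state_t initial_state(void) {
    cmd_state_t s;
    memset(&s, 0, sizeof s);
    for (int i = 1; i < N_INHIBITS; i++) s.inhibit_in_place[i] = true;
    s.prereq_ok[1] = s.prereq_ok[2] = true;   /* constructed: pre-requisites met for 1 and 2 */
    s.prereq_ok[3] = false;                   /* constructed: a monitored parameter still out of range */
    return s;
}

cmd_result_t process_command(cmd_state_t *s, const cmd_msg_t *m) {
    /* 11.5: a message that fails its integrity check touches no state at all. */
    if (cmd_crc(m) != m->crc) return CMD_REJ_INTEGRITY;
    /* 11.4.1: out-of-sequence messages are rejected. A message that passes this point
     * consumes its sequence number even if rejected below, so a blocked hazardous
     * action cannot be retried by simply re-sending the same message. */
    if (m->sequence != s->expected_seq) return CMD_REJ_SEQUENCE;
    s->expected_seq++;

    bool id_ok = m->inhibit_id >= 1 && m->inhibit_id < N_INHIBITS;
    switch (m->opcode) {
    case OP_ARM_INHIBIT_REMOVAL:            /* first of two unique messages (11.2, 11.9) */
        if (!id_ok || !s->inhibit_in_place[m->inhibit_id]) return CMD_REJ_PREREQ;
        s->armed_inhibit = m->inhibit_id;
        return CMD_ACCEPTED;
    case OP_REMOVE_INHIBIT: {               /* second message, specific to one inhibit (11.8) */
        uint16_t armed = s->armed_inhibit;
        s->armed_inhibit = 0;               /* arming is single-use whatever the outcome */
        if (!id_ok || armed != m->inhibit_id || !s->prereq_ok[m->inhibit_id])
            return CMD_REJ_PREREQ;          /* 11.3, 11.4 */
        s->inhibit_in_place[m->inhibit_id] = false;
        return CMD_ACCEPTED;
    }
    case OP_ARM_OVERRIDE:                   /* 11.10 b): two independent operator actions */
        s->override_armed = true;
        return CMD_ACCEPTED;
    case OP_EXECUTE_OVERRIDE:
        if (!s->override_armed) return CMD_REJ_PREREQ;
        s->override_armed = false;
        return CMD_ACCEPTED;
    default:
        return CMD_REJ_UNKNOWN;
    }
}

int main(void) {
    cmd_state_t s = initial_state();
    cmd_msg_t m1 = make_cmd(OP_REMOVE_INHIBIT, 2, 0);      /* removal without prior arming */
    cmd_msg_t m2 = make_cmd(OP_ARM_INHIBIT_REMOVAL, 2, 1);
    cmd_msg_t m3 = make_cmd(OP_REMOVE_INHIBIT, 2, 2);
    cmd_result_t r1 = process_command(&s, &m1);
    cmd_result_t r2 = process_command(&s, &m2);
    cmd_result_t r3 = process_command(&s, &m3);
    printf("unarmed removal: %d, arm: %d, armed removal: %d, inhibit 2 in place: %d\n",
           r1, r2, r3, (int)s.inhibit_in_place[2]);
    return 0;
}
```

The point the gate makes for a safety analyst is that every rejection path leaves the inhibit in place, and the only sequence that removes one is an arm message for that inhibit followed immediately by the matching removal message with its pre‐requisites satisfied; a corrupted, replayed or out‐of‐order message can at most cost the sender a sequence number.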
12 Hazard Detection, Annunciation and Safing
12.1 General
a) The need for hazard detection, annunciation and safing by the flight crew to control
time‐critical hazards shall be minimized and implemented only when an alternate
means of reduction or control of hazardous conditions is not available.
b) When implemented, these functions shall be capable of being tested for proper
operations during both ground and flight phases. Likewise, space system designs
should be such that real‐time monitoring is not required to maintain control of
hazardous functions.
c) With Safety Review Panel approval, real‐time monitoring and hazard detection and
safing may be utilized to support control of hazardous functions provided that
adequate crew response time is available and acceptable safing procedures are
developed.
12.2 Safety Critical Systems and Sub-systems
The space system shall provide the capability to detect and annunciate faults, with
sufficient time to mitigate associated hazards, that affect safety critical systems,
subsystems, and crew health.
12.3 Emergency, Caution and Warning
a) The space system shall incorporate an emergency, caution and warning system.
b) All safety emergency, caution and warning parameters shall be redundantly
monitored and shall cause annunciation.
c) As a minimum, space system total pressure, fan differential pressure, fire detection,
oxygen partial pressure and carbon dioxide partial pressure shall be monitored.
d) The status of all monitored parameters shall be available to the crew prior to in‐flight
entry into a habitable module.
e) The caution and warning system shall include test provisions to allow the crew
members to verify proper operation of the system.
12.4 Emergency Response
The space system shall provide the capability for the crew to readily access equipment
involved in the response to emergency situations and the capability to gain access to
equipment needed for follow‐up/recovery operations.
12.1 Rapid Safing
Safe aborts and contingency return shall include design provisions for rapid safing.
Hazard controls may include deployment, jettison or design provisions to change the
configuration of the space system.
12.2 Crew Egress
a) The space system design shall be compatible with emergency safing and rapid egress.
b) The crew shall be provided with clearly defined escape routes for emergency egress
in the event of a hazardous condition.
c) Where practical, dual escape routes from all activity areas shall be provided.
d) Equipment location shall provide for protection of compartment entry/exit paths in
the event of an accident.
e) Routing of hardlines, cables, or hoses through a tunnel or hatch which could hinder
crew escape or interfere with hatch operation for emergency egress is not permitted.
f) Hatches which could impede crew escape shall remain open during all crewed
operations.
12.3 Unassisted Crew Emergency Egress
The space system shall provide the capability for unassisted crew emergency egress to a
safe haven during Earth pre‐launch activities.
13 Abort, Escape, Neutralisation and Safe Haven
13.1 Design for Safe Abort
a) The system design and operations shall allow for safe abort, including as necessary
flight personnel escape and rescue capabilities, for all flight phases, starting with
launch pad operations.
b) The escape system, including any sensor, equipment and circuitry shall comply with
the requirements 6.1 and 6.2.
13.2 Abort Capability
The space system shall provide abort capability from the launch pad until Earth‐orbit
insertion to protect against the following ascent failure scenarios (minimum list):
a. Complete loss of ascent thrust/propulsion;
b. Loss of attitude or flight path control.
13.3 Automatic Abort Initiation
The crewed space system shall monitor the launch vehicle performance during ascent
and automatically initiate an abort when an impending catastrophic failure is detected.
13.4 Abort Sequencing
If a range safety destruct system is incorporated into the launcher design, the space
system shall automatically initiate the Earth ascent abort sequence when range safety
destruct commands are received on‐board, with an adequate time delay prior to
destruction of the launch vehicle to allow a successful abort.
13.5 Neutralisation
The launch vehicle shall be equipped with an on‐board intervention system to ensure the
protection of the population flown over while not penalising the safety of the crew.
13.5.1 Controlled Neutralisation
A radio‐commanded order from the ground shall cause the
execution of the neutralisation function.
13.5.2 Instantaneous Automatic Neutralisation
a) An automatic on‐board system shall be used to trigger the
neutralisation function, when a non‐nominal stage separation
or a stage rupture occurs.
b) This function shall also be triggered by an on‐board automated
device, in the event of drift from the specified conditions.
13.5.3 Delayed Automatic Neutralisation
An on‐board automatic system shall be used to trigger the
neutralisation function with a specified time lag to neutralise a
stage after nominal separation, without generating any risk to the
upper stages and crewed vehicle, before impact on the
ground, and ensuring the dispersal of remaining propellant.
13.5.4 Inhibition of On-board Receiver Equipment
This equipment shall be inhibited when in the course of the
mission the neutralisation function is no longer required.
13.5.5 Timing for Neutralisation
The time selected for neutralisation shall be determined to allow
successful crew flight abort while ensuring the safety of the
population on ground.
13.6 Safe-Haven
Safe‐haven capabilities shall be included in the system design to cope with uncontrollable
emergency conditions (e.g. fire, depressurisation).
Note: The safe‐haven is meant to sustain flight personnel life until escape or rescue
can be accomplished.
13.7 Crewed Overriding Automation / Control
The crewed space system shall provide the capability for the crew to manually override
higher level software control/automation (such as automated abort initiation,
configuration change, and mode change) when the transition to manual control of the
system will not cause a catastrophic event.
14 Crew Survival Capabilities
14.1 Survival Capabilities
Contingency scenarios shall be considered to address relevant crew survival
capabilities. These should include system failures and emergencies including, but not
limited to, fire, collision, toxic atmosphere, decreasing atmospheric pressure and
medical emergencies.
14.2 Dissimilar Redundant System Capabilities
Contingency scenarios shall be considered to provide possible dissimilar redundant
system capabilities.
14.3 Crashworthiness Capabilities
a) The crewed vehicle design shall protect occupants from disabling injury in the event
of a crash landing.
b) The crewed vehicle design shall be compatible with worst case impact velocities and
trajectories, taking into consideration nominal and contingency mission scenarios.
c) Impact on all credible surfaces and terrain inclination, considering nominal and
contingency mission shall be considered in the design of the crewed vehicle.
Note: Crash injury can arise from three distinct sources: a) excessive acceleration
forces; b) direct trauma from contact with injurious surfaces; and c) exposure to
environmental factors such as fire, smoke, water, and chemicals resulting in
burns, drowning or asphyxiation.
d) Effective crashworthiness design shall consider all possible sources of injury and
eliminate or mitigate as many as practical. This involves consideration of:
1) prevention of structure intrusion into occupied spaces, following collapse;
2) adequacy of seats and restraint systems,
3) adequacy of energy attenuation features,
4) elimination of injurious objects in the habitable environment, and
5) post‐crash scenarios risk assessment and mitigation.
15 Fire Protection
15.1 General
a) A fire protection system comprised of fire detection, warning, and suppression
devices shall be provided in the space system.
b) The fire protection system shall encompass both hardware and flight personnel
procedures for adequate control of the fire hazard within the habitable volume.
c) The fire protection system shall incorporate test and checkout capabilities such
that the operational readiness of the entire system can be verified by the crew
members.
d) The fire protection system shall have redundant electrical power sources and shall
incorporate redundant detection and warning capability and redundant
activation of suppressant devices.
15.2 Fire Suppressant
a) Fire suppressant shall be compatible with space system life support hardware.
b) The fire suppressant shall not exceed 1 hour SMAC levels in any isolated elements
and shall be non‐corrosive.
c) Fire suppressant by‐products shall be compatible with the space system
contamination control capability.
15.3 Fire Detection and Annunciation
Fire detection annunciation and control of the fire protection system shall be provided to
the crew.
16 Computer System Fault Tolerance
16.1 General
a) The computer system (CS) software development, verification and validation shall be
performed in compliance with ECSS‐Q‐ST‐80 and ECSS‐E‐ST‐40.
b) While a computer system (CS) is being used to actively process data to operate a
system with catastrophic potential, the catastrophic hazard shall be prevented in a
two‐failure tolerant manner.
c) One of the methods to control the hazard shall be independent of the computer
system.
d) A computer system shall be considered zero fault tolerant in controlling a hazardous
system (i.e. a single failure will cause loss of control), unless the computer system
complies with the requirements below and with a fault tolerance approach
approved by the Safety Review Panel (SRP).
16.2 Safe State
The computer system (CS) shall safely arrive at a known safe state when:
1) initializing a function,
2) performing an orderly shutdown of a function upon receipt of a
termination command or detection of a termination condition,
3) recovering upon anomaly detection.
16.3 Critical Software Behavior
The space system shall provide the capability to mitigate the hazardous behaviour of
critical software where the hazardous behaviour would result in a catastrophic event.
16.4 Off-nominal Power Condition
The computer system shall continue to operate safely during off‐nominal power
conditions, or contain design features which safe the processor during off‐nominal power
conditions.
16.5 Inadvertent Memory Modification
The computer system shall detect and recover from inadvertent memory modification
during use.
16.6 Discriminating valid vs. Invalid Inputs
The computer system shall be capable of discriminating between valid and invalid inputs
from sources external to the computer system and remain or recover to a known safe
state in the event of an invalid external input.
16.7 On-orbit Response to Loss of Function
a) The space system shall automatically recover functional performance for those
capabilities, which are identified through the safety analysis as requiring automatic
recovery.
b) The space system shall automatically safe in less than the time to catastrophic or
critical effect.
16.8 Separate Control Path
When a computer system (CS) is used for controlling hazards of a must‐not‐work function,
the CS shall use a separate control path for each inhibit used to control a hazard.
16.9 Monitoring
The computer system shall make available in a timely manner to crew and ground
operator:
a) the data necessary and sufficient for the performance of manual system safing
for identified hazard and,
b) the status of monitored inhibits used to control hazards.
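As an added example, not taken from the standard, the block below sketches a small flight‐computer module that illustrates 16.2 (a known safe state entered on initialisation and on recovery), 16.5 (triplicated storage of a safety‐critical parameter block, voted and repaired on every check) and 16.6 (discriminating plausible external inputs from invalid ones, remaining in the current state on an isolated bad input and recovering to the safe state when the channel can no longer be trusted). The parameter block, default limit, sensor channel id, plausibility range and rejection threshold are constructed values.

```c
/* Added example, not part of ESSB-ST-Q-003: one way a flight computer can meet
 * 16.2, 16.5 and 16.6 for a small block of safety-critical parameters. The
 * parameter set, default limit, sensor id and plausibility range are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_PRESSURE_MAX   2000   /* kPa; constructed operating limit */
#define PRESSURE_SOURCE_ID     0x2A   /* constructed id of the trusted sensor channel */
#define PRESSURE_PLAUSIBLE_MAX 4000   /* kPa; constructed physical range of that sensor */
#define MAX_BAD_INPUTS         3      /* constructed: distrust the channel after this many */

typedef struct {
    uint8_t  thruster_enable;         /* software inhibit of a must-not-work function: 0 = inhibited */
    uint16_t tank_pressure_max;       /* kPa */
    uint32_t crc;                     /* CRC-32 over the two fields above */
} critical_params_t;

typedef enum { MODE_INIT, MODE_OPERATE, MODE_SAFE } cs_mode_t;

typedef struct {
    critical_params_t copy[3];        /* triplicated storage, voted before use (16.5) */
    cs_mode_t mode;
    unsigned  repairs;                /* copies rewritten after detected corruption */
    unsigned  bad_inputs;             /* consecutive rejected external inputs (16.6) */
    uint16_t  last_pressure_kpa;
} cs_t;

typedef struct { uint8_t source_id; uint16_t pressure_kpa; } sensor_sample_t;

/* Reflected CRC-32 (IEEE polynomial), bit-serial form. */
static uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
static uint32_t params_crc(const critical_params_t *p) {
    uint8_t buf[3] = { p->thruster_enable, (uint8_t)(p->tank_pressure_max & 0xFF),
                       (uint8_t)(p->tank_pressure_max >> 8) };
    return crc32_bytes(buf, sizeof buf);
}
static bool params_valid(const critical_params_t *p) { return params_crc(p) == p->crc; }
static bool params_equal(const critical_params_t *a, const critical_params_t *b) {
    return a->thruster_enable == b->thruster_enable && a->tank_pressure_max == b->tank_pressure_max;
}
/* The known safe content of the block: function inhibited, default limit. */
static void params_safe_defaults(critical_params_t *p) {
    p->thruster_enable = 0;
    p->tank_pressure_max = DEFAULT_PRESSURE_MAX;
    p->crc = params_crc(p);
}

/* 16.2: the known safe state, entered on initialisation, shutdown and recovery. */
void cs_enter_safe(cs_t *cs) {
    for (int i = 0; i < 3; i++) params_safe_defaults(&cs->copy[i]);
    cs->mode = MODE_SAFE;
}

/* Initialisation leaves the function inhibited; operation is released only
 * after the first successful memory check. */
void cs_init(cs_t *cs) {
    memset(cs, 0, sizeof *cs);
    for (int i = 0; i < 3; i++) params_safe_defaults(&cs->copy[i]);
    cs->mode = MODE_INIT;
}

/* 16.5: vote the three copies. A copy that fails its CRC or disagrees with the
 * agreeing pair is rewritten from that pair. With no agreeing pair the block
 * cannot be trusted, so the computer recovers to the safe state and returns false. */
bool cs_check_memory(cs_t *cs) {
    int ref = -1;
    for (int i = 0; i < 3 && ref < 0; i++)
        for (int j = i + 1; j < 3 && ref < 0; j++)
            if (params_valid(&cs->copy[i]) && params_valid(&cs->copy[j]) &&
                params_equal(&cs->copy[i], &cs->copy[j]))
                ref = i;
    if (ref < 0) { cs_enter_safe(cs); return false; }
    for (int i = 0; i < 3; i++)
        if (!params_valid(&cs->copy[i]) || !params_equal(&cs->copy[i], &cs->copy[ref])) {
            cs->copy[i] = cs->copy[ref];
            cs->repairs++;
        }
    if (cs->mode == MODE_INIT) cs->mode = MODE_OPERATE;
    return true;
}

/* 16.6: an input from an unexpected source or outside the physically plausible
 * range is discarded without touching state; after MAX_BAD_INPUTS consecutive
 * rejections the computer safes itself rather than operate on data it cannot
 * trust. A valid reading above the stored limit is an overpressure and safes too. */
bool cs_accept_pressure(cs_t *cs, const sensor_sample_t *s) {
    if (s->source_id != PRESSURE_SOURCE_ID || s->pressure_kpa > PRESSURE_PLAUSIBLE_MAX) {
        if (++cs->bad_inputs >= MAX_BAD_INPUTS) cs_enter_safe(cs);
        return false;
    }
    cs->bad_inputs = 0;
    cs->last_pressure_kpa = s->pressure_kpa;
    /* after cs_check_memory the three copies agree, so copy 0 is representative */
    if (cs->mode == MODE_OPERATE && s->pressure_kpa > cs->copy[0].tank_pressure_max)
        cs_enter_safe(cs);
    return true;
}

int main(void) {
    cs_t cs;
    cs_init(&cs);
    cs_check_memory(&cs);
    cs.copy[1].tank_pressure_max = 9999;        /* simulated single-copy upset; its CRC is now stale */
    bool ok = cs_check_memory(&cs);
    sensor_sample_t garbage = { 0x07, 1500 };   /* constructed sample from an unknown source */
    bool accepted = cs_accept_pressure(&cs, &garbage);
    printf("memory check %s, %u copy repaired; unknown-source sample %s, mode %d\n",
           ok ? "passed" : "failed", cs.repairs, accepted ? "accepted" : "rejected", (int)cs.mode);
    return 0;
}
```

The design choice worth noting is that recovery never tries to be clever: when the vote cannot identify a trustworthy copy, or the input channel has produced several implausible samples in a row, the module rewrites the block to its safe defaults and drops to the safe mode, which is the "remain or recover to a known safe state" outcome the requirements ask for.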
17 Crew Vehicle Safety Design: Structures
17.1 Structural Design
Structural design shall be performed according to ECSS‐E‐ST‐32C. This includes loads
incurred for all space system configurations or while changing configuration.
a) The structure shall have positive Margin of Safety for all mission phases considering
the safety factors reported in ECSS‐E‐ST‐32‐10C for crewed space systems.
b) When failure of structure can result in a catastrophic event, the design shall be based
on fracture control procedures to prevent structural failure because of the initiation
or propagation of flaws or crack‐like defects during fabrication, testing, and service
life. Requirements for fracture control are specified in ECSS‐E‐32‐01C.
c) Safety critical fasteners shall be procured in accordance with ECSS‐Q‐ST‐70‐46C.
Safety critical fasteners shall be designed to include redundant features (e.g. torque
and self‐locking helicoids) to prevent inadvertent back‐out.
d) A Structural Verification Plan shall be submitted for Safety Review Panel review and
approval.
17.2 Windows Structural Design
a) Windows number shall be minimized and all assemblies shall provide a redundant
pressure pane.
b) The pressure panes shall be protected from damage by external impact.
c) Windows shall be designed according to ECSS‐E‐ST‐32‐01C and ECSS‐E‐ST‐32C.
d) The structural design of window panes in the pressure hull shall provide a minimum
initial ultimate factor of safety of 3.0 and an end‐of‐life minimum factor of safety of
1.4.
e) Window design shall be based on fracture mechanics considering flaw growth over
the design life of the space system.
17.3 Design Allowables
a) For safety critical structures A‐basis material allowables shall be used.
b) Material design allowables and other physical properties to be used for the design /
analysis of flight hardware shall be taken from FAA MMPDS‐01 (which supersedes
MIL‐HDBK‐5J), or other approved resources with the same intent.
c) Material properties used for verification shall take into account any degradation of
the environment after exposure to space / atmospheric environment.
17.4 Stress Corrosion
a) Materials used in the design of the space system structures shall be rated for
resistance to stress corrosion cracking (SCC) in accordance with ECSS‐Q‐ST‐70‐36,
ECSS‐Q‐ST‐70‐37 and ECSS‐E‐ST‐32‐01.
b) Alloys with high resistance to SCC shall be used whenever possible.
c) When failure of a part made from a moderate or low resistance alloy could result in
a critical or catastrophic hazard, a Request for Approval with relevant rationale shall
be submitted to the Safety Review Panel.
17.5 Pressure Systems
a) The maximum design pressure (MDP) for a pressurized system shall be the highest
pressure defined by maximum relief pressure, maximum regulator pressure or
maximum temperature.
b) Transient pressures shall be considered.
c) Design factors of safety shall be in compliance with ECSS‐E‐ST‐32‐02C.
d) Where pressure regulators, relief devices, and/or a thermal control system (e.g.,
heaters) are used to control pressure, collectively they shall be two‐fault tolerant from
causing the pressure to exceed the MDP of the system.
e) Pressure integrity shall be verified at system level.
17.5.1 Pressure Vessels
a) Particular attention will be given to ensure compatibility of
vessel materials with fluids used in cleaning, test, and
operation.
b) The maximum design pressure (MDP) as defined in section
17.5 shall be substituted for all references to maximum
expected operating pressure (MEOP) in the pressure vessel
standards.
17.5.1.1 Metallic Pressure Vessels
Metallic pressure vessels shall comply with the pressure
vessel requirements of ECSS‐E‐ST‐32‐02C.
17.5.1.2 Composite Overwrapped Pressure Vessels
Composite Overwrapped Pressure Vessels (COPVs) shall
meet the pressure vessel requirements in ANSI/AIAA S‐
081A. A damage control plan and stress rupture life
assessment shall be developed for each COPV.
17.5.2 Dewars
Pressure containers in dewar / cryostat systems shall be subject to
the requirements for pressure vessels specified in Section 17.5 and
Section 17.5.1 as supplemented by the requirements of this section.
Note: Dewar/cryostat systems are a special category
of pressurized vessels because of unique structural
design and performance requirements.
a) Pressure containers shall be leak‐before‐burst (LBB) designs where possible as determined by a fracture mechanics analysis.
Containers of hazardous fluids and all non‐LBB designs must
employ a fracture mechanics safe‐life approach to assure safety
of operation.
b) MDP of the pressure container shall be as determined in
paragraph 301.5 or the pressure achieved under maximum
venting conditions whichever is higher. Relief devices shall be
sized for full flow at MDP.
c) Outer shells (i.e., vacuum jackets) shall have pressure relief capability to preclude rupture in the event of pressure container
leakage. If pressure containers do not vent external to the
dewar but instead vent into the volume contained by the outer
shell, the outer shell relief devices shall be capable of venting at
a rate to release full flow without outer shell rupture. Relief
devices shall be redundant and individually capable of full
flow.
d) Pressure relief devices which limit maximum design pressure
shall be certified to operate at the required conditions of use.
Certification shall include testing of the same part number from
the flight lot under the expected use conditions.
e) Non‐hazardous fluids may be vented into closed volumes if
analysis shows that a worst case credible volume release will
not affect the structural integrity or thermal capability of the
system.
f) The proof test factor for each flight pressure container shall be a
minimum of 1.1 times MDP. Qualification burst and pressure
cycle testing is not required if all the requirements of Sections
17.5, 17.5.2 and 17.5.2 are met. The structural integrity for
external load environments shall be demonstrated.
17.5.3 Pressurized Lines, Fittings and Components
a) Pressurized lines and fittings with less than a 38 mm (i.e. 1.5‐
inch) outside diameter and all flex‐hoses shall have an ultimate
factor of safety equal to or greater than 4.0. Lines and fittings
with a 38 mm (i.e. 1.5‐inch) or greater outside diameter shall be
sized with an ultimate factor of safety equal to or greater than
2.5, as specified in compliance with ECSS‐E‐ST‐32‐02C.
b) All line‐installed bellows and all heat pipes shall have an
ultimate safety factor equal to or greater than 2.5.
c) Other components (e.g., valves, filters, regulators, sensors, etc.)
and their internal parts (e.g., bellows, diaphragms, etc.) which
are exposed to system pressure shall have an ultimate factor of
safety equal to or greater than 2.5.
d) Secondary compartments or volumes that are integral or
attached by design to the above parts and which can become
pressurized as a result of a credible single barrier failure must
be designed for safety consistent with structural requirements.
These compartments shall have a minimum safety factor of 1.5
based on MDP. If external leakage would not present a
catastrophic hazard to the system, the secondary volume shall
either be vented or equipped with a relief provision in lieu of
designing for system pressure.
17.6 Pressure Hull
a) The design of the habitable volume shall comply with the structural design
requirements of 17.1.
b) The hull MDP shall be determined as defined in requirement 17.1.
c) The ultimate factor of safety of hull design shall be equal to or greater than 2.0 for
both the MDP and the maximum negative pressure differential the hull may be
subjected to during normal and contingency operations or as the result of two
credible failures.
d) The pressure hull shall be designed to leak‐before‐burst criteria.
17.7 Depressurisation and Repressurisation
17.7.1 Pressure Differential Tolerance
Equipment located in pressurized volumes shall be capable of
withstanding the differential pressure of depressurization, re‐
pressurization, and the depressurized condition without resulting
in a hazard.
17.7.2 Operation during Pressure Changes
Equipment expected to function during depressurization or
repressurization shall be designed to operate without producing
hazards.
17.7.3 Flow Induced Vibration
Flexible hoses and bellows shall be designed in compliance with
ECSS‐E‐ST‐32‐02C to exclude flow induced vibrations which could
result in a catastrophic hazard.
17.8 Sealed Compartments
a) Sealed compartments within a habitable volume, including containers which present
a safety hazard if rupture occurs, shall be capable of withstanding the maximum
pressure differential associated with emergency depressurization of the habitable
volume.
b) Sealed compartments and containers located in any other region of the space system
shall be designed to withstand the decompression and re‐pressurization
environments associated with ascent or descent.
18 Crew Vehicle Safety Design: Materials, Processes and Mechanical Parts
18.1 General
a) The requirements of ECSS‐Q‐70B shall be followed with the modifications/additions
captured in this chapter.
b) Specification ECSS‐Q‐70‐71A rev1 contains data on materials that have been evaluated
and tested for use in space hardware and it can be used as a source for material
selection. The data herein shall be used preferentially for the selection of materials
with a previous history of space use in similar applications.
Note: Equivalent standards from MIL system or NASA (e.g. MSFC‐HDBK‐
527/JSC 09604) may also be accepted by Safety Review Panel (SRP), pending
compliance review.
c) For materials which create potential hazardous situations as described in the
requirements below and for which no prior test data or rating exists, the SSO shall
present other test results for the Safety Review Panel’s review.
18.2 Hazardous Materials
Hazardous materials (solid, fluid or gaseous) shall not be released or ejected near crewed
systems (interfacing or in close proximity). The SSO shall submit to the SRP independent
toxicological assessments for all space system hazardous materials.
18.3 Fluid Systems
a) Particular attention shall be given to materials used in systems containing hazardous
fluids.
Note: These hazardous fluids include gaseous oxygen, liquid oxygen, fuels,
oxidizers, and other fluids that could chemically or physically degrade the
system or cause an exothermic reaction.
b) Those materials within the system exposed to oxygen (liquid and gaseous), both
directly and by a credible single barrier failure, shall meet the requirements of NASA‐
STD‐6001 / ECSS‐Q‐ST‐70 at MDP and temperature.
c) Materials within the system exposed to other hazardous fluids, both directly and by a
credible single barrier failure, shall pass the fluid compatibility requirements of
NASA‐STD‐6001 at MDP and temperature.
Note: Manufacturer's compatibility data on hazardous fluids may be used to
accept materials in this category if approved by the Safety Review Panel.
18.4 Chemical / Biological Contamination
a) Chemicals and biological materials which would create a toxicity and health problem
(including irritation to skin or eyes) or cause a hazard to space system or to
interfacing systems if released should be avoided.
b) If such chemicals and biological materials cannot be avoided, adequate containment
shall be provided by the use of an approved pressure vessel as defined in req. 17.5 or
the use of two or three redundantly sealed containers, depending on the toxicological
hazard, for a chemical with a vapour pressure below 15 psi (i.e. 1013 hPa absolute).
c) The SSO must assure that each level of containment will not leak under the maximum
use conditions (i.e., vibration, temperature, pressure, etc.).
d) NASA SSP 50260, International Space Station Medical Operations Requirements
Document (MORD) shall be made applicable to the crewed space system.
18.5 Flammable Materials in Habitable Volume
a) The space system materials shall not constitute an uncontrolled fire hazard.
b) The minimum use of flammable materials shall be the preferred means of hazard
reduction.
c) The materials' flammability resistance shall be evaluated in accordance with ECSS‐Q‐
ST‐70‐21 for the most hazardous environment envisaged for their use.
Note: Guidelines for the conduct of flammability assessments are provided in JSC
29353‐revA.
18.6 Flammable Materials outside Habitable Volume
Materials used outside the space system shall be evaluated for flammability in
accordance with relevant ICD requirements with the launcher.
18.7 Material Out-gassing
a) Materials used in the design and construction of the space system hardware exposed
to the vacuum environment shall comply with ECSS‐Q‐ST‐70‐02C.
b) Whenever outgassing products may be detrimental to safety critical devices and
functions (e.g. fogging of optical sensors), more stringent requirements or detailed
material information (e.g.: dynamic outgassing data) according to ASTM E‐1559‐00
may be required.
18.8 Material Off-gassing in Habitable Volumes
a) Usage of materials which produce toxic levels of off‐gassing products shall be
avoided in habitable volumes.
b) The space system design shall assure that the off‐gassing load to the crewed
compartment will not exceed the spacecraft maximum allowable concentrations
(SMACs) of atmospheric contaminants at the time of ingress.
c) Habitable volumes will be tested for off‐gassing characteristics and shall include
measurement of the internal atmosphere of a full scale, flight configured space
system as a final verification of acceptability in accordance with ECSS‐Q‐ST‐70‐29C.
d) Time periods prior to crew ingress during which the system does not have active
atmospheric contamination control must be considered.
e) The items in such volumes (e.g., cargo, payloads) are required to be subjected to off‐
gassing tests (black‐box levels) for safety validation.
f) Rigorous material control to ensure that all selected materials have acceptable off‐
gassing characteristics is a negotiable alternative to black‐box level testing.
g) The off‐gassing test specified in ECSS‐Q‐ST‐70‐29C shall be used for the black‐box
level off‐gassing test.
18.9 Electrochemical Compatibility
a) When bimetallic contacts are used, the choice of the pair of metallic materials used
shall take into account ECSS‐Q‐70‐71A rev1 (paragraph 5.2.14) or MSFC‐SPEC‐250
(Protective finishes for space vehicle structure and associated flight equipment
general specification for) data.
b) Galvanic compatibilities shall be selected in accordance with Group 0, couples that
can be used without restriction, and Group 1, couples that can be used in a non‐
controlled environment, of Table 1 of ECSS‐Q‐70‐71: Compatible couples for
bimetallic contacts.
c) Materials not listed in Table 1 of ECSS‐Q‐70‐71 shall be evaluated in a mission‐
simulated configuration.
18.10 Stress Corrosion
a) Metallic materials used in structural applications shall have a high resistance to
Stress Corrosion Cracking and shall be chosen from Table 1 of ECSS‐Q‐ST‐70‐36C.
b) Metallic materials and welds that are not listed in ECSS‐Q‐ST‐70‐36C or whose SCC
resistance is unknown shall be tested and categorized according to the requirements
of ECSS‐Q‐ST‐70‐37C.
c) When failure of a part made from a moderate or low resistance alloy could result in
a critical or catastrophic hazard, a Request for Approval with relevant rationale shall
be submitted to the Safety Review Panel.
18.11 Allowable Stress
a) Allowable stresses for materials shall be derived from Metallic materials and
elements for aerospace vehicle structures (FAA MMPDS‐01). Other sources shall be
subject to ESA approval.
b) Composite structure allowable stresses shall allow for degradation due to moisture,
temperature and process variables.
c) The material justification shall prove hardware structural integrity during storage
and on‐orbit life time.
18.12 Fracture Sensitive Materials
a) Fracture sensitive materials shall be subjected to fracture control as in ECSS‐E‐ST‐32‐
01C rev1 (Fracture control), ECSS‐Q‐ST‐70‐36C (Material selection for controlling
stress corrosion cracking) and ECSS‐Q‐ST‐70‐37C (Determination of susceptibility of
metals to stress corrosion cracking).
b) Materials for which no fracture mechanics data is available from FAA MMPDS‐01
shall be tested in accordance with ECSS‐Q‐ST‐70‐45C.
19 Crew Vehicle Safety Design: Electrical Systems
19.1 General
Electrical circuitry and electrical power distribution, in particular, shall be designed 1)
not to present any electrical shock hazard to the crew, 2) to fail safe, 3) not to create
molten material and 4) not to overheat electrical wires.
As per NSTS 1700, the following requirements are also to be satisfied:
a) Electrical power distribution circuitry shall be designed to include circuit
protection devices to guard against circuit overloads which could result in
distribution circuit damage or in the generation of excessive hazardous products in
habitable volumes, damage other safety critical circuits and interfacing systems, or
present a hazard to the flight personnel by direct or propagated effects.
b) Electrical faults shall not cause ignition of adjacent materials.
c) Bent pins or conductive contamination in an electrical connector will not be
considered a credible failure mode if a post‐mating functional verification is
performed to assure that shorts between adjacent connector pins, or from pins to
connector shell, do not exist. If this test cannot be performed, then the electrical
design shall ensure that any pin, if bent prior to or during connector mating,
cannot invalidate more than one inhibit, and that conductive contamination is
precluded by proper inspection procedures.
d) Circuit protective devices shall be sized such that steady state currents in excess
of the de‐rated values for wires and cables are precluded.
e) Electrical equipment shall be designed to provide protection from accidental
contact with high voltage and from generation of molten metal during mating/de‐
mating of power connectors.
f) Wire / cable insulation constructions shall not be susceptible to arc‐tracking.
g) All selected wire/cable shall be tested for arc‐tracking unless they are
polytetrafluoroethylene (PTFE), PTFE laminate or silicone insulated wires.
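The single-bent-pin constraint in item c) above (no single bent pin may invalidate more than one inhibit) can be screened mechanically against a connector pinout. The following Python is an added example, not part of ESSB-ST-Q-003 or any project's code; the pinout, signal and inhibit names, and the contact model (a bent pin touches at most one adjacent pin or the grounded shell) are constructed assumptions, and the second pinout shows the same signals re-pinned so the check passes.

```python
"""Single-bent-pin screening of a connector pinout against requirement 19.1 c).

Added example, not from the standard. Constructed assumptions: a bent pin
contacts at most one adjacent pin (8-neighbourhood on a grid) or the grounded
shell; a short to a live power pin asserts an inhibit command line (that
inhibit is lost); a short between the command lines of two different inhibits
removes their independence (both counted as compromised); a short to
ground/return drives a command line to its safe state (benign).
"""
from typing import Dict, List, Set, Tuple

Pin = Tuple[int, int]

# Constructed pinout: (row, col) -> signal name. Inhibit names are hypothetical.
BAD_PINOUT: Dict[Pin, str] = {
    (0, 0): "ARM_CMD",     # command line of inhibit "ARM"
    (0, 1): "ENABLE_CMD",  # command line of inhibit "ENABLE", adjacent to ARM
    (0, 2): "GND",
    (1, 0): "28V_BUS",     # continuously live power
    (1, 1): "FIRE_CMD",    # command line of inhibit "FIRE", adjacent to both
    (1, 2): "TLM_1",       # telemetry, not safety related
}

# Same signals re-pinned so that no two inhibit command lines are adjacent:
# a ground/return pin or the power pin always separates them.
FIXED_PINOUT: Dict[Pin, str] = {
    (0, 0): "ARM_CMD",  (0, 1): "GND",     (0, 2): "ENABLE_CMD",
    (1, 0): "SAFE_RTN", (1, 1): "28V_BUS", (1, 2): "GND",
    (2, 0): "FIRE_CMD", (2, 1): "TLM_1",   (2, 2): "GND",
}

INHIBIT_OF = {"ARM_CMD": "ARM", "ENABLE_CMD": "ENABLE", "FIRE_CMD": "FIRE"}
POWER = {"28V_BUS"}


def neighbours(pin: Pin, pinout: Dict[Pin, str]) -> List[Pin]:
    """Pins a bent pin at `pin` could touch: the occupied 8-neighbourhood (assumption)."""
    r, c = pin
    return [(r + dr, c + dc) for dr in (-1, 0, 1) for dc in (-1, 0, 1)
            if (dr or dc) and (r + dr, c + dc) in pinout]


def compromised(a: str, b: str, inhibit_of: Dict[str, str]) -> Set[str]:
    """Inhibits compromised if signals a and b are shorted together."""
    ia, ib = inhibit_of.get(a), inhibit_of.get(b)
    if ia and ib and ia != ib:
        return {ia, ib}          # two inhibit command lines tied together
    if ia and b in POWER:
        return {ia}              # live power asserts a's command line
    if ib and a in POWER:
        return {ib}
    return set()                 # ground, return, telemetry: benign


def bent_pin_report(pinout: Dict[Pin, str], inhibit_of: Dict[str, str]) -> Dict[str, Set[str]]:
    """For each signal, the largest set of inhibits one bend of its pin can compromise."""
    worst: Dict[str, Set[str]] = {}
    for pin, sig in pinout.items():
        hits = [compromised(sig, pinout[n], inhibit_of) for n in neighbours(pin, pinout)]
        worst[sig] = max(hits, key=len, default=set())
    return worst


def violations(pinout: Dict[Pin, str], inhibit_of: Dict[str, str]) -> List[str]:
    """Signals whose single bent pin could invalidate more than one inhibit."""
    return sorted(s for s, hit in bent_pin_report(pinout, inhibit_of).items() if len(hit) > 1)


if __name__ == "__main__":
    for name, pinout in (("bad", BAD_PINOUT), ("fixed", FIXED_PINOUT)):
        print(name, "->", violations(pinout, INHIBIT_OF) or "no single bend defeats two inhibits")
```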
19.2 Electrical Hazards
a) Grounding, bonding, and insulation shall be provided for all electrical equipment to
protect the crew from electrical hazards.
b) The system shall be designed so that it does not generate electric arcs or sparks during
regular operating modes.
19.3 Electrical Systems
a) Separate safing systems shall be used for nominal space system functions and for
essential/emergency functions (e.g., the fire protection, caution and warning, and
emergency lighting, etc.).
b) Essential/emergency functions shall be powered from a dedicated electrical power bus
with redundant power sources.
19.4 Electromagnetic Compatibility
Electromagnetic compatibility between the various elements (incl. launcher) and electro‐
pyrotechnic devices shall be ensured.
19.5 Lightning Protection
a) Electrical circuits may be subjected to electromagnetic fields due to a lightning strike.
If circuit upset could result in a catastrophic hazard, the circuit design shall be
hardened against the environment or insensitive devices shall be added to control the
hazard.
b) A lightning protection system (detection and lightning warning) providing a
lightning forecast compatible with the time required to restore the involved system to
a safe configuration, shall be implemented for operations involving a potential
hazard with catastrophic or critical consequences.
19.6 Radio Frequency Transmitters
Allowable levels of radiation from space system shall be defined in the space system to
interfacing system ICDs.
19.7 Batteries
a) Batteries shall be designed to control applicable hazards caused by build‐up or venting
of flammable, corrosive or toxic gases and reaction products; the expulsion of
electrolyte; and by failure modes of over‐temperature, shorts, reverse current, cell
reversal, leakage, cell grounds, and overpressure.
b) Safety requirements for batteries (i.e.: ECSS‐E‐ST‐20C and JSC 20793‐rev B) shall be
complied with.
20 Crew Vehicle Safety Design: Mechanisms
20.1 General
a) ECSS‐E‐ST‐33‐01C shall be applied for the design, sizing, manufacturing,
assembly and testing of mechanisms.
b) A Mechanical System Verification Plan (MSVP) and a Mechanical System
Verification Report (MSVR) shall be established and submitted to the safety
approval authority for review and approval.
21 Crew Vehicle Safety Design: Radiation
21.1 Ionizing Radiation
Space systems containing or using radioactive materials, or that generate ionizing
radiation, shall be identified and approval for their use obtained from the relevant
national regulatory body or bodies.
21.1 Non-Ionizing Radiation
21.1.1 Natural Radiation Protection
a) The space system shall include the necessary radiation protection features (shielding,
radiation monitoring, etc.) required to ensure that the crew member dose rates from
naturally occurring space radiation are kept as low as reasonably achievable (ALARA).
b) Exposure levels shall comply with NASA‐STD‐3001 limits.
21.1.1.1 Natural Radiation Event Warning
A radiation detection system shall be provided which
continuously monitors the interior radiation levels of the
crewed vehicle, records the accumulated doses and
provides clear notification of radiation conditions within
space system.
21.2 Use of On-board Mass
The space system shall make optimal use of on‐board mass as radiation shielding.
21.1 Windows Transmissivity
a) The transmissivity of the crewed vehicle windows shall be based on protection of
the crew from exposure to excess levels of naturally occurring non‐ionizing
radiation.
b) Exposure of the skin and eyes of flight personnel to non‐ionizing radiation shall not
exceed the Threshold Limit Values (TLV) for physical agents as defined by the
American Conference of Governmental Industrial Hygienists (ACGIH) in Threshold
Limit Values and Biological Exposure Indices.
c) Window design shall be coordinated with other shielding protection design to
comply with the ionizing radiation limits specified in req. 22.1.1.
21.2 Emissions and Susceptibility
a) Space system emissions shall be limited to those levels identified in the ICDs with
interfacing systems. Space systems with unintentional radiation levels above the
levels identified in ICDs will be assessed for hazardous impact.
b) Space systems safety critical equipment shall not be susceptible to the applicable
electromagnetic environment.
21.3 Optical Requirements
a) Optical instruments shall prevent harmful light intensities and wavelengths from
being viewed by operating and flight personnel.
b) Quartz windows, apertures or beam stops and enclosures shall be used for
hazardous wavelengths and intensities.
c) Light intensities and spectral wavelengths at the eyepiece of direct viewing optical
systems shall be below the TLV for physical agents as defined by the ACGIH in
Threshold Limit Values and Biological Exposure Indices.
22 Crew Vehicle Safety Design: Environmental Control and Habitability
22.1 General
a) A safe and habitable internal environment shall be provided within the space system
throughout all crewed operational phases.
b) The crewed space system shall comply with NASA‐STD‐3001 (Vol. 1 – Crew Health
and Vol. 2 – Human Factors, Habitability and Environmental Health).
22.2 Life Support System
a) The space system life support system shall be able to ensure human metabolic
consumption (e.g.: air, pressure, water, food, etc.) and waste recycling/disposal.
b) The specific requirements (e.g.: on air, pressure, etc.) shall be defined by the SSO
according to mission characteristics, and then reviewed and ultimately accepted by the
Safety Review Panel.
22.3 Payload / Cargo Leakage
a) Payload/cargo flown in the space system habitable volume shall meet the
containment requirements of Chapter 10 (i.e.: 10.2 and 10.3).
b) Payload/cargo configurations during unmanned operations are not restricted;
however, the crewed compartment shall be environmentally safe for crew ingress
during any revisit.
Note: Safe conditions for entry may be established by review of the containment
design features, proof of adequate atmospheric scrubbing for the chemical
involved, vacuum evacuation, use of equipment capable of detecting toxic
chemicals prior to crew exposure, or other techniques suitable for the particular
experiment involved.
22.4 Contamination Control
a) Specific design and mission provisions for particulate and molecular contamination
control in the launcher facility, space system and interfacing subsystems shall be in
compliance with ECSS‐Q‐ST‐70‐01C.
b) For internal environments:
1. The control and monitoring of particulate, molecular and microbiological
contamination shall be performed.
2. Microbial, bacterial and fungal contamination in the spacecraft internal
atmosphere shall be verified by analysis and test.
22.5 Toxicity
In the event of a ground crash or in‐flight explosion, toxicity due to on‐board propellants
shall be taken into account. When each propellant tank contains a mass of less than
500 kg, protection against toxicity can be obtained by adjusting the launching azimuth.
Otherwise, a specific analysis shall be performed.
22.6 Acoustic Noise
The flight crew shall be provided with an acoustic environment that will not cause injury
or hearing loss, interfere with voice or any other communications, cause fatigue, or in any
other way degrade overall human/machine system effectiveness.
22.7 Vibrations
The space system vibrations environment shall not cause injury, fatigue, or in any other
way degrade human / machine system effectiveness (e.g.: instrument reading).
22.8 Mechanical Hazards
a) The space system and equipment design shall protect the crew from sharp edges,
protrusions, etc. during all flight operations.
b) Translation paths and adjacent equipment shall be designed to minimize the
possibility of entanglement or injury to crew members.
c) There shall be no sharp edges in structures in areas where cables are installed to
avoid any possibility of damaging cables.
22.9 Thermal Hazards
a) During normal operations, the crew shall not be exposed to high or low surface
temperatures.
b) Protection shall be provided against continuous skin contact with surfaces above
49°C and below 4°C.
c) Safeguards such as warning labels, protective devices or special design features to
protect the crew from surface temperatures outside these safe limits, shall be
provided for both nominal and contingency operations.
22.10 Illumination
a) The lighting illumination level provided throughout the space system shall permit
planned crew activities without injury.
b) A backup/secondary lighting system shall be provided consistent with emergency
egress requirements or in case of failure of the primary lighting system.
22.11 Hatches
a) The space system hatch design shall be compatible with emergency crew.
b) Hatches between different habitable modules shall provide a capability to allow a
visual inspection of the interior of the space system prior to hatch opening and crew
ingress.
c) All operable hatches that could close and latch inadvertently, thereby blocking an
escape route, shall have a redundant (backup) opening mechanism and shall be
capable of being operated from both sides.
d) External pressure hatches (i.e. interfacing directly to space vacuum) shall be self‐
sealing (i.e.: inward opening).
e) Hatches shall have a pressure difference indicator clearly visible to the crew member
operating the hatch and a pressure equalization device.
f) All hatches shall nominally be operable without detachable tools or operating
devices and shall be designed to prevent inadvertent opening prior to complete
pressure equalization.
g) Hatches at docking locations shall provide the capability to verify that the
environment is within the oxygen, nitrogen and carbon dioxide levels as well as
within the SMAC levels (of selected compounds), and shall provide visual inspection of
the interior of the pressurized volume prior to crew ingress into an unmanned cargo
transportation spacecraft.
22.12 Access to Moving Parts
Moving parts such as fans, belt drives, and similar components that could cause
personnel injury or equipment damage due to inadvertent contact or entrapment of
floating objects shall be provided with guards or other protective devices.
22.13 Communications
The space system shall provide the capability for direct voice communication between
crewed spacecraft (2 or more) during proximity operations.
Applicable and Reference Documents (normative)
Applicable Documents
The latest revision and changes of the following documents form a part of this document to the extent
specified herein. In the event of conflict between the reference documents and the contents of this
document, the contents of this document will be considered superseding requirements.
a. ANSI/AIAA S‐080‐1998, Standard for Space Systems ‐ Metallic Pressure Vessels,
Pressurized Structures, and Pressure Components
b. ANSI/AIAA S‐081‐2000, Standard for Space Systems ‐ Composite Overwrapped
Pressure Vessels
c. ANSI‐Z‐136.1, American National Standard for Safe Use of Lasers
d. MSFC‐HDBK‐527/JSC 09604, Materials Selection List for Space Hardware Systems
e. NASA‐STD‐6001, NASA Technical Standard, Flammability, odor, off‐gassing and
compatibility requirements and tests procedures for materials in environments that
support combustion
f. NASA‐STD‐3001, NASA Space Flight Human System – Vol. 1 and Vol. 2 (2009)
g. NSTS 08060, Space Shuttle System Pyrotechnic Specification
h. NSTS 22648, Flammability Configuration Analysis for Spacecraft Applications.
i. ECSS‐Q‐ST‐70, Material, mechanical parts and processes
j. ECSS‐Q‐ST‐70‐29C, Determination of off‐gassing products from materials and
assembled articles to be used in a manned space vehicle crew compartment
k. ECSS‐Q‐ST‐70‐21, Flammability testing for the screening of space materials
l. ECSS‐E‐ST‐20C, Determination of the susceptibility of silver‐plated copper wire and
cable to "red‐plague" corrosion
m. ECSS‐Q‐ST‐70‐02, Thermal vacuum outgassing test for the screening of space
materials
n. ECSS‐Q‐ST‐70‐36, Material selection for controlling stress‐corrosion cracking
o. ECSS‐Q‐ST‐70‐37, Determination of the susceptibility of metals to stress‐corrosion
cracking
p. ECSS‐Q‐ST‐70‐01C, Cleanliness and contamination control
q. ECSS‐E‐ST‐32‐01, Fracture control
r. ECSS‐E‐ST‐32‐02C, Structural design and verification of pressurized hardware
s. ECSS‐E‐ST‐32, Structural general requirements
t. ECSS‐Q‐ST‐30‐11C, Derating – EEE components
u. ECSS‐E‐ST‐33‐11C, Explosive systems and devices
v. ECSS‐Q‐ST‐70‐46C, Requirements for manufacturing and procurement of threaded
fasteners
w. ECSS‐Q‐ST‐40C, Safety Standard
x. ECSS‐Q‐ST‐80, Software Product Assurance
y. ECSS‐E‐ST‐40C, Software General Requirements
z. ECSS‐E‐ST‐33‐11C, Explosive systems and devices
aa. ECSS‐E‐ST‐34C, Environmental control and life support
bb. JSC 20793‐Rev. B, Crewed Space Vehicle Battery Safety Requirements
cc. NASA SSP 50260, International Space Station Medical Operations Requirements
Document (MORD).
Reference Documents
ASTM E1559 93 (Standard Test Method for contamination outgassing characteristics of
Spacecraft Materials)
MIL‐STD‐1576, Military Standard Electro‐explosive Subsystem Safety Requirements and
Test Methods for Space Systems
MIL‐HDBK‐5G, Metallic Material and Elements for Aerospace Vehicle Structures
Standard NF ENV 50166‐2 (C 18‐610): Human exposure to high frequencies
electromagnetic fields (10kHz to 300GHz).
JSC 29353A, Flammability Configuration Analysis for Spacecraft Applications.