ISO 23460:2011

INTERNATIONAL ISO
STANDARD 23460
First edition
2011-03-01


Space projects — Programme
management — Dependability assurance
requirements
Projets spatiaux — Management de programme — Exigences
d'assurance de sécurité de fonctionnement




Reference number
ISO 23460:2011(E)
©
ISO 2011

---------------------- Page: 1 ----------------------
ISO 23460:2011(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2011 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 23460:2011(E)
Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Normative references.1
3 Terms and definitions .1
4 Policy and principles.2
4.1 Basic approach.2
4.2 Tailoring .2
5 Dependability programme management.2
5.1 Organization.2
5.2 Dependability programme planning.2
5.3 Dependability critical items.3
5.4 Design reviews .3
5.5 Audits.3
5.6 Use of previously designed, fabricated, qualified or flown items.3
5.7 Subcontractor control.3
5.8 Progress reporting .4
5.9 Documentation .4
6 Dependability risk reduction and control .4
6.1 General .4
6.2 Identification and classification of undesirable events.4
6.3 Assessment of failure scenarios .5
6.4 Criticality classification of functions and products.5
6.5 Actions and recommendations for risk reduction .5
6.6 Risk decisions .6
6.7 Verification of risk reduction.6
6.8 Documentation .6
7 Dependability engineering .7
7.1 Integration of dependability in the project.7
7.2 Dependability requirements in technical specification.7
7.3 Dependability design criteria .7
7.4 Involvement in test definition.9
8 Dependability analysis.9
8.1 Dependability analysis and the project life cycle .9
8.2 Dependability analytical methods .10
8.3 Classification of design characteristics in production documents .12
8.4 Critical items list.13
9 Dependability testing, demonstration and data collection .13
9.1 Dependability testing and demonstration.13
9.2 Dependability data collection and dependability growth.14
10 Lessons learned activity.14
Annex A (informative) Relationship between dependability activities and programme phases.15
Annex B (informative) Document requirement list (DRL) .17
Bibliography.18

© ISO 2011 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 23460:2011(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 23460 was prepared by Technical Committee ISO/TC 20, Aircraft and space vehicles, Subcommittee
SC 14, Space systems and operations.

iv © ISO 2011 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 23460:2011(E)
Introduction
The objective of dependability assurance is to ensure a successful mission by optimizing the system
dependability within all competing technical, scheduling and financial constraints.
Dependability assurance is a continuous and iterative process throughout the project life cycle, using
quantitative and qualitative approaches, with the aim of ensuring conformance to reliability, availability and
maintainability requirements.

© ISO 2011 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO 23460:2011(E)

Space projects — Programme management — Dependability
assurance requirements
1 Scope
This International Standard presents the requirements for a dependability (reliability, availability and
maintainability) assurance programme for space projects.
It defines the dependability requirements for space products as well as for system functions implemented in
software, and the interaction between hardware and software.
The provisions of this International Standard apply to all programme phases.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 17666, Space systems — Risk management
ISO 16192, Space systems — Experience gained in space projects (Lessons learned) — Principles and
guidelines
ISO 15865, Space systems — Qualification assessment
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
failure scenario
conditions and sequence of events leading from the initial root cause to an end failure
3.2
risk
quantitative measure of the magnitude of a potential loss and the probability of incurring that loss
NOTE 1 In Clause 6, the term “risk” is as defined in ISO 17666.
NOTE 2 In the context of this International Standard, “risk” is related to the potential loss or degradation of the required
technical performance that affects the attainment of dependability objectives.
3.3
undesirable event
event whose consequences are detrimental to the success of the mission
[ISO 10795:2011, definition 1.211]
© ISO 2011 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO 23460:2011(E)
3.4
tailoring
process by which individual requirements of specifications, standards and related documents are evaluated
and made applicable to a specific project by selection, and in some exceptional cases, modification of existing
or addition of new requirements
[ISO 10795:2011, definition 1.206]
4 Policy and principles
4.1 Basic approach
To achieve the objectives of dependability, dependability assurance is implemented according to a logical
process.
This process starts in the conceptual design phase at the highest level of the functional tree with a top-down
definition of tasks and requirements to be implemented. Results achieved at all levels of the functional tree are
controlled and used in a bottom-up approach so as to consolidate dependability assurance of the product.
This process includes the following types of activities:
a) definition, organization and implementation of the dependability programme, as defined in Clause 5;
b) dependability risk identification, reduction and control, as defined in Clause 6;
c) dependability engineering, as defined in Clause 7;
d) dependability analyses, as defined in Clause 8;
e) dependability testing, demonstration and data collection, as defined in Clause 9.
4.2 Tailoring
When viewed from the perspective of a specific project context, the requirements defined in this International
Standard should be tailored to match the genuine requirements of a particular profile and circumstances of a
project.
5 Dependability programme management
5.1 Organization
The contractor shall implement the dependability (reliability, availability and maintainability) assurance as an
integral part of his product assurance discipline.
5.2 Dependability programme planning
The contractor shall develop, maintain and implement a dependability plan for all programme phases that
describes how compliance with the dependability programme requirements is demonstrated. The plan shall
address the applicable requirements of this International Standard.
For each product, the extent to which dependability assurance is applied shall be adapted to the severity (as
defined in 7.3.1) of the consequences of failures at system level. For this purpose, products shall be classified
into appropriate categories that are defined in accordance with the risk policy of the project.
2 © ISO 2011 – All rights reserved

---------------------- Page: 7 ----------------------
ISO 23460:2011(E)
5.3 Dependability critical items
Dependability critical items are identified by dependability analyses performed to support the risk reduction
and control process performed on the project. The criteria for identifying dependability critical items are given
in 6.4.
Dependability critical items shall be subject to risk assessment and critical items control.
The control measures shall include:
a) a review of all design, manufacturing and test documentation related to critical functions, critical items and
procedures, to ensure that appropriate measures are taken to control the item having a bearing on its
criticality;
b) dependability participation on nonconformance review boards (NRB), failure review boards, configuration
control boards and test review boards (TRB), and the approval process for waivers and deviations, to
ensure that dependability critical items are disposed with due regard to their criticality.
The dependability aspects shall be considered within the entire verification process for dependability critical
items until close out.
5.4 Design reviews
The contractor should establish and conduct a formal programme of scheduled and documented design
reviews using ISO 21349 as a guide.
The contractor shall ensure that all dependability data for a design review is complete to a level of detail
consistent with the objectives of the review and are presented to the customer in accordance with the project
review schedule.
The contractor shall ensure that dependability aspects are duly considered in all design reviews.
All dependability data submitted shall clearly indicate the design baseline upon which it is based and shall be
coherent with all other supporting technical documentation.
All design changes shall be assessed for their impact on dependability and a reassessment of the
dependability shall be performed on the modified design where necessary.
5.5 Audits
The audits shall include the dependability activities to verify conformance to the project dependability plan and
requirements.
5.6 Use of previously designed, fabricated, qualified or flown items
Where the contractor proposes to take advantage of previously designed, manufactured, qualified or flown
elements in his system, he shall demonstrate that the proposed elements do conform to the dependability
assurance requirements of the design specification.
Nonconformance to dependability assurance requirements shall be identified and the rationale for retention of
unresolved nonconformance shall be provided by a waiver request.
5.7 Subcontractor control
The contractor shall be responsible for ensuring that products obtained from subcontractors meet the
dependability requirements specified for the overall system.
© ISO 2011 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO 23460:2011(E)
5.8 Progress reporting
The contractor shall report dependability progress to the customer as part of product assurance.
5.9 Documentation
The contractor shall maintain all data used for the dependability programme. The file shall contain the
following as a minimum:
a) dependability analyses, lists, reports and input data;
b) dependability recommendation status log.
In accordance with the business agreement, the customer shall have access to project dependability data
upon request.
6 Dependability risk reduction and control
6.1 General
As part of the risk management process implemented on the project (in accordance with ISO 17666), the
contractor shall analyse, reduce and control all dependability risks that lead to the nonconformance of
dependability requirements, i.e. all risks of degradation or loss of technical performance required for the
product.
Dependability risk analysis reduction and control shall include the following steps:
a) identification and classification of undesirable events according to the severity of their consequences;
b) analysis of failure scenarios, determination of related failure modes, failure origins or causes;
c) classification of functions and associated products into criticality categories, allowing definition of
appropriate tailoring of risk reduction efforts in relation to their criticality;
d) definition of actions and recommendations for detailed risk assessment, risk elimination, or risk reduction
and control to an acceptable level;
e) implementation of risk reduction;
f) decisions on risk reduction and risk acceptance; and
g) verification of risk reduction, assessment of residual risks.
6.2 Identification and classification of undesirable events
The contractor shall provide identification of undesirable events leading to the loss or degradation of technical
performance, together with their classification into categories related to the severity of their consequences
(see 7.3.1).
Preliminary identification and classification of undesirable events shall be determined from analysis of criteria
for mission success, during conceptual and preliminary design phases. The undesirable events to be
considered at the highest product level (overall system including space and ground segments) shall all be
events whose occurrence can jeopardize, compromise, or degrade the success of the mission. At lower levels
of the product tree (space segment, ground segment, sub-assemblies and equipment), the undesirable events
to be considered shall be the product failure effects which can induce the undesirable events identified for the
highest product level.
Identification and classification of undesirable events shall be consolidated after assessment of failure
scenarios (see 6.3).
4 © ISO 2011 – All rights reserved

---------------------- Page: 9 ----------------------
ISO 23460:2011(E)
6.3 Assessment of failure scenarios
The contractor shall investigate the possible scenarios leading to the occurrence of undesirable events, and
shall identify related failure modes, failure origins and causes, and detailed failure effects.
In conceptual and preliminary design phases, the following analyses shall be performed for preliminary
determination and assessment of the failure scenarios:
a) analysis of functional failures (i.e. failures of the functions involved in the realization of the product
mission) using functional failure modes effects analysis (FMEA), as defined in 8.2.2, which enables the
determination of the effects (induced risks) for each function: loss, degradation and untimely occurrence.
The functions shall be defined in advance (the functional analysis can be used for this purpose);
b) the analysis of functional failure shall be conducted for each phase of the product life cycle considering all
modes of operations in their actual sequence of implementation throughout the mission with the purpose
of identifying undesirable events induced by erroneous sequencing (e.g. loss of synchronism and
untimely operations);
c) potential propagation of failures between different functions shall be investigated;
d) analysis of failure modes associated with the human factor in performance of operations;
e) analysis of potential application to the product of typical failure modes already observed from past
experience on similar products or missions.
In the detailed design phase, the assessment of failure scenarios shall be consolidated by considering the
following additional contributions:
⎯ analysis of specific failure modes and failure effects induced by the selected design which cannot be
detected by analysis of functional failure;
⎯ analysis for detection of potential failure propagation paths induced by proximity of elements.
6.4 Criticality classification of functions and products
During the preliminary design phase, the contractor shall classify functions, operations and products into
criticality categories.
The criticality category of functions and operations shall be directly related to the severity of the consequences
resulting from failure of the function or operation (e.g. a function whose failure induces a catastrophic
consequence shall be classified with the highest criticality level).
The criticality category of products (hardware and software) shall be the highest criticality category of the
functions associated to the product.
The criticality classification shall be used to focus efforts on the most critical areas.
6.5 Actions and recommendations for risk reduction
The contractor shall define actions and recommendations for risk reduction up to an acceptable level.
In the context of risk reduction, the following measures shall be considered:
a) detailed risk assessment based on performance of dedicated dependability analyses, and in specific
cases, performance of dependability tests. A selection and tailoring of the dependability analyses
presented in Clause 8 shall be defined according to the nature and the criticality category of the product;
© ISO 2011 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO 23460:2011(E)
b) elimination of failure causes, reduction of failure occurrence probability, reduction of failure effects,
monitoring and control of the failure scenarios by specifications on the design or operations as presented
in 7.3.2 and 7.3.3.
6.6 Risk decisions
The contractor shall make and document decisions on risk acceptance and actions for risk reduction.
Decisions shall be based on established criteria defined within the project risk policy, considering technical
and programming implications.
Decisions shall be taken, controlled and implemented within the risk management process applied to the
project.
6.7 Verification of risk reduction
The contractor shall perform appropriate verifications in order to ensure that identified risks have been
eliminated or reduced to an acceptable level.
Verifications shall include:
a) monitoring and close out verification of actions and recommendations,
b) review of detailed risk assessment from dependability analyses,
c) reassessment of residual risks, verification of acceptability with reference to applicable criteria defined in
the project risk policy, and
d) identification of problem areas.
Results shall be reported to project risk management for acceptance or complementary decisions.
6.8 Documentation
Documentation on dependability risk analysis reduction and control shall be established, controlled and
maintained throughout the project implementation, in order to provide:
a) visibility on results and progress of risk identification, assessment and reduction,
b) a definition of applicable requirements at the lower level of the product tree,
c) appropriate justifications of decisions on risk reduction and risk acceptance, and
d) traceability, for each risk, to all pertinent analyses, results, data, decisions and close out status.
Documentation shall include:
a) identification and classification of undesirable events,
b) identification of failure scenarios, failure modes, causes and effects,
c) criticality classification of functions and products,
d) requirements at the lower level of the product tree,
e) definition of actions and recommendations,
f) dependability analyses, as needed for the purpose of risk assessment and reduction,
g) risk reduction status, and
h) records of risk reduction and associated rationale.
6 © ISO 2011 – All rights reserved

---------------------- Page: 11 ----------------------
ISO 23460:2011(E)
7 Dependability engineering
7.1 Integration of dependability in the project
Dependability is an inherent characteristic of a system or product. Dependability shall be integrated with safety
during the design process. The dependability characteristics shall be traded with other system attributes such
as mass, size, cost and performance during the optimization of the design.
Dependability issues shall be considered in all trades and in all phases of the project beginning with the
conceptual phase. Manufacture, assembly, integration, test and operations shall not degrade dependability
attributes introduced into the design.
The results of dependability analyses, tests and demonstrations shall be reiterated in a timely manner through
the design, testing, and all fabrication/integration processes until all threats to dependability objectives are
eliminated, or rationale has been provided for the acceptance of those threats that remain.
Emphasis on dependability assurance shall be placed on either the design or manufacturing process
depending on the project phase.
7.2 Dependability requirements in technical specifications
Dependability requirements shall be taken into account during the preparation and review of design and test
specifications. The main objective shall be to implement the findings of dependability analyses, and to verify
that accepted dependability engineering recommendations have been incorporated into the relevant technical
specifications.
These specifications shall include:
a) functional, operational and environmental requirements,
b) test requirements including stress levels, test parameters, and accept/reject criteria,
c) design performance margins, derating factors, quantitative dependability requirements, and qualitative
dependability requirements (identification and classification of undesirable events), under specified
environmental conditions,
d) human factors where human error is a consideration in mission success,
e) the degree to which the design is tolerant to failures of hardware or software,
f) the detection, isolation, diagnosis, and recovery of the system from failures and its restoration to an
acceptable state,
g) the prevention of failures crossing interfaces with unacceptable consequences,
h) definition of the maintenance concept,
i) maintenance tasks and requirements for special skills, and
j) requirements for preventive maintenance, special tools, and special test equipment.
7.3 Dependability design criteria
7.3.1 Consequence category and severity
A severity classification shall be assigned in accordance with Table 1 to each identified failure mode analysed
according to the failure effect (consequence).
© ISO 2011 – All rights reserved 7

---------------------- Page: 12 ----------------------
ISO 23460:2011(E)
Table 1 — Severity of consequences
Severity Level Dependability Safety
Loss of life, life-threatening or permanently disabling injury or
occupational illness
Loss of system
Catastrophic 1 —
Loss of an interfacing manned flight system
Loss of launch-site facilities
Severe detrimental environmental effects
Temporarily disabling but not life-threatening injury, or
temporary occupational illness
Major damage to interfacing flight system
Critical 2 Complete loss of mission
Major damage to ground facilities
Major damage to public or private property
Major detrimental environmental effects
Major 3 Major mission degradation—
Minor mission degradation
Minor or negligible 4 —
or any other effect

7.3.2 Failure tolerance
The contractor shall verify the capability of the design to sustain single o
...