ISO 26871:2012

INTERNATIONAL ISO
STANDARD 26871
First edition
2012-12-01
Space systems — Explosive systems
and devices
Systèmes spaciaux — Dispositifs et equipements explosifs
Reference number
©
ISO 2012
© ISO 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any
means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the
address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2012 – All rights reserved

Contents Page
Foreword .iv
1 Scope . 1
2 Normative references . 1
3 Terms, definitions, abbreviated terms and symbols . 1
3.1 Terms and definitions . 1
3.2 Abbreviated terms . 5
3.3 Symbols . 7
4 Requirements . 7
4.1 General . 7
4.2 Design . 9
4.3 Mission .13
4.4 Functionality .13
4.5 Safety .14
4.6 Survival and operational conditions .15
4.7 Interface requirements .16
4.8 Mechanical, electrical, and thermal requirements .17
4.9 Materials .22
4.10 Non-explosive components and equipment .22
4.11 Explosive components .27
4.12 Explosively actuated devices .39
4.13 Items external to the flight equipment .43
4.14 Verification .43
4.15 Transport, facilities, handling and storage .48
4.16 In-service .49
4.17 Product assurance .50
4.18 Deliverables .50
Annex A (normative) Loads and factors of safety relationship .53
Annex B (normative) Factors of safety .54
Annex C (informative) Explosive component colour code .56
Annex D (informative) Component qualification test levels .57
Annex E (informative) Product user manual (PUM/UM) — DRD .59
Bibliography .66
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 26871 was prepared by Technical Committee ISO/TC 20, Aircraft and space vehicles, Subcommittee
SC 14, Space systems and operations.
iv © ISO 2012 – All rights reserved

INTERNATIONAL STANDARD ISO 26871:2012(E)
Space systems — Explosive systems and devices
1 Scope
This International Standard specifies requirements for the use of explosives on spacecraft and other
space products, including launch vehicles. It addresses the aspects of design, analysis, verification,
manufacturing, operations and safety.
NOTE Specific requirements for man-rating are not addressed.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 14300-1, Space systems — Programme management — Part 1: Structuring of a project
ST/SG/AC.10/1, UN Recommendations on the transport of dangerous goods (Model Regulations)
UNO Manual of Tests and Criteria. United Nations, Fifth Edition, 2010
Mil-std 1576, Electroexplosive Subsystem Safety Requirements and Test Methods for Space Systems, USAF, 1992
3 Terms, definitions, abbreviated terms and symbols
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1.1
actuator
component that performs the moving function of a mechanism
NOTE An actuator can be either an electric motor, or any other mechanical (e.g. spring) or electric component
or part providing the torque or force for the motion of the mechanism.
3.1.2
all-fire level
lowest level of the fire stimulus (including rise time, shape, duration), which results in initiation of a first
element (initiator) within a specific reliability and confidence level as determined by test and analysis
NOTE 1 The stimulus duration shall be compliant with the system.
NOTE 2 It is recommended that the test sequence be carried out at the lowest temperature of the operating range.
NOTE 3 The probability of functioning should be equal to or better than 0,999 at the 95 % confidence level.
3.1.3
armed
condition that allows the probability of a wanted event to be above an agreed limit
3.1.4
cartridge
explosive device designed to produce pressure for performing a mechanical function
NOTE A cartridge is called an initiator if it is the first or only explosive element in an explosive train.
3.1.5
catastrophic failure
failure resulting in loss of life, loss of mission or loss of launch capability
3.1.6
charge
explosive loaded in a cartridge, detonator or separate container for use in a explosive device
3.1.7
component
smallest functional item in a explosive subsystem
3.1.8
deflagration
reaction of combustion through a substance at subsonic velocity in the reacting substance
3.1.9
detonation
chemical decomposition propagating through the explosive at a supersonic velocity such that a shock
wave is generated
3.1.10
detonator
first element whose output is a high-order detonation
NOTE Detonators are generally used to effect detonation transfers within explosive trains.
3.1.11
dud
explosive charge or component that fails to fire or function upon receipt of the prescribed initiating
stimulus, after an external effect (human failure, manufacturing failure, environmental, chemical,
ageing, etc.)
3.1.12
electro-explosive device
explosive cartridge that is electrically actuated
3.1.13
end user
person who, or organization that, actually uses a product
NOTE The end user is not necessarily the owner or buyer.
3.1.14
explosive US
energetic material GB
material which is capable of undergoing an explosion when subjected to heat, impact, friction, detonation
or other suitable initiation
3.1.15
explosive actuator
mechanism that converts the products of explosion into useful mechanical work
3.1.16
explosive component
any discrete item containing an explosive substance
2 © ISO 2012 – All rights reserved

3.1.17
explosive function
any function that uses energy released from explosive substances for its operation
3.1.18
explosive system
collection of all the explosive trains on the spacecraft or launcher system, and the interface aspects
of any on-board computers, launch operation equipment, ground support and test equipment and all
software associated with explosive functions
3.1.19
explosive train
series of explosive components, including initiating and igniting elements, explosive transfer assembly
and explosive actuator, arranged to realise the pyro effect required
3.1.20
extreme envelope
positive margin over the conditions of the qualification envelope
NOTE The device or system design is based on the conditions that define the extreme envelope.
3.1.21
gas generator
explosive device that produces a volume of gas or exothermic output or both
EXAMPLE Pyrotechnic igniters for solid propulsion applications, gas generator for inflatable structures.
3.1.22
initiator
first explosive element in an explosive train which, upon receipt of the proper mechanical, optical or
electrical impulse, produces a deflagrating or detonating action
NOTE 1 The initiator is divided into three categories: 1) igniter, a first element whose output is hot gases and
hot particles (igniters may be initiators for solid or liquid propellant); 2) squib, a first element whose output is
primarily gas and heat (squibs may be initiators for gas generators and igniters or may be cartridges for actuated
devices); 3) detonator, a first element whose output is a high-order detonation (detonators are generally used to
effect detonation transfers within explosive trains).
NOTE 2 The deflagrating or detonating action is transmitted to the elements following in the train.
NOTE 3 Initiators can be electrically (EEDs), optically or mechanically actuated.
3.1.23
launcher
launch vehicle
system used to transport a payload into orbit
3.1.24
lifetime
period over which any properties are required to be within defined limits
3.1.25
lot
batch
group of components produced in homogeneous groups and under uniform conditions
3.1.26
lot acceptance
demonstration by measurement or test that a lot of items meet its requirements
3.1.27
no-fire level
maximal level of input energy with an ignition stimulus (including nominal rise time and shape as required
by the system, but with a 5 min extended duration), to a first element (initiator) at which initiation will
not occur within a specific reliability and confidence level as determined by test and analysis
NOTE 1 It is recommended that the test sequence be carried out at the hottest temperature of the operating range.
NOTE 2 The probability of functioning should be less than or equal to 0,001 at the 95 % confidence level.
NOTE 3 A first element tested at this level shall remain safe and functional and shall guarantee the level of
performances required after the no-fire level test.
3.1.28
operational envelope
set of conditions in which the device or system meets its requirements
3.1.29
packaged charge
explosive material in a closed container
3.1.30
primary explosive
substance or mixture of substances used to initiate a detonation or burning reaction
NOTE In their intended role, these materials are sensitive to a range of thermal, mechanical and electrical
stimuli, including exposures during processing.
3.1.31
pyrotechnic device
device or assembly containing, or actuated by, propellants or explosives, with the exception of large
rocket motors
NOTE Initiators, ignitors, detonators, squibs, safe and arm devices, booster cartridges, pressure cartridges,
separation bolts and nuts, pin pullers, linear separation systems, shaped charges, explosive guillotines, pyrovalves,
detonation transfer assemblies (mild detonating fuse, confined detonating cord, confined detonating fuse, shielded
mild detonating cord, etc.), through-bulkhead initiators, mortars, thrusters, explosive circuit interrupters, and
other similar items.
3.1.32
qualification envelope
positive margin over the conditions of the operational envelope
3.1.33
safe
condition that renders the probability of an unwanted event below an agreed limit
3.1.34
scoop-proof connector
connector shell design in which the male contacts are recessed into the connector body to prevent
mismating damage to pins (especially in blind mating applications)
3.1.35
secondary characteristic
any characteristic other than the function
3.1.36
secondary explosive
substance or mixture which will detonate when initiated by a shock wave, but which normally does not
detonate when heated or ignited
4 © ISO 2012 – All rights reserved

3.1.37
sequential firing
application of the firing pulses to initiators separated in time
3.1.38
spacecraft
satellite or other orbiting vehicle with self-propulsion
3.1.39
space vehicle
any satellite or launch vehicle
3.1.40
success
simultaneous achievement by all characteristics of required performance
3.1.41
sympathetic firing
firing of other explosive devices due to the output of any other
3.1.42
transfer line
linear explosive assembly for propagation of deflagration or detonation
3.1.43
through-bulkhead initiator
TBI
device for transfer of detonating input to detonating or deflagrating output across a hermetically
sealed barrier
3.1.44
user manual
document provided by the supplier to describe all the appropriate rules of operations
3.2 Abbreviated terms
AIT Assembly, integration and test
AIV Assembly, integration and verification
A/N As necessary
CDR Critical design review
DC Direct current
DKP Design key point documentation
DMPL Declared materials and processes list
DRB Delivery review board
DRD Document requirements definition
DSC Differential scanning calorimetric
DTA Differential thermal analysis
EED Electro-explosive device
EMC Electromagnetic compatibility
EMI Electromagnetic interference
ESD Electrostatic discharge
FMECA Failure modes, effects and criticality analysis
FTA Fault tree analysis
FOSU Ultimate design factor of safety
FOSY Yield design factor of safety
GSE Ground support equipment
ICD Interface control document
MEOP Maximum expected operating pressure
MRR Manufacturing readiness review
N/A Not applicable
NC Normally closed
NO Normally open
PDR Preliminary design review
PUM User manual
R Reliability
RAMS Reliability, availability, maintainability, safety
RF Radio frequency
RFP Request for proposal
S/C Spacecraft
SRS Shock response spectrum
TBI Through-bulkhead initiator
TBPM To be provided by manufacturer
TBPU To be provided by user
TGA Thermo-gravimetric analysis
TRR Test readiness review
UM User manual
UNO United Nations Organization
VDC Voltage direct current
VTS Vacuum thermal stability
6 © ISO 2012 – All rights reserved

3.3 Symbols
A Ampere
F Force
F Inertial resistance force
D
F Deliverable output force
L
g Standard surface gravity (9,806 65 m/s )
h Drop height (m)
He Helium
I Inertial force
F
I Inertial torque
T
K Explosive factor
E
K Local design factor
LD
K Model factor
M
KMP Margin policy factor
K Project factor
P
KO Kick-off
K Project factor
P
M Mass of drop weight (kg)
scc Square centimetre cubic
T Torque
T Inertial resistance torque
D
T Deliverable output torque
L
V Volt
σ Standard deviation
4 Requirements
4.1 General
4.1.1 Background information
Since an explosive item used for flight can function only once, it can never be fully tested before its
crucial mission operation. The required confidence can only be established indirectly by testing
identical items. Test results and theoretical justification are essential to demonstrate fulfilment of the
requirements. The requirement for repeatability shows that product assurance plays a crucial role in
support of technical aspects.
The need for statistics requires that the explosive components used in an explosive system be tested
and characterized extensively. The variability in components means it is essential that manufacturers
provide customers with proof that the delivered items are identical to those qualified.
Failure or unintentional operation of an explosive item can be catastrophic for the whole mission and
life-threatening. Specific requirements can exist for the items associated with it. As all explosives,
whatever their use, are to be treated in a similar fashion, the same requirements, regulations, practices
and standards need to be applied, which will help to avoid human error.
If there is sufficient data to establish the reliability and confidence level for any given performance
against any given condition, this should be done. Subsequently, all margins should be converted into
standard deviations (σ) and be incorporated into the reliability and confidence analysis.
When viewed from the perspective of a specific project context, the requirements defined in this
International Standard should be tailored to match the genuine requirements of the particular profile
and circumstances of a project.
NOTE 1 Tailoring is a process by which individual requirements of specifications, standards and related
documents are evaluated, and made applicable to a specific project by selection and, in some exceptional cases,
modification of existing or addition of new requirements.
The requirements of this International Standard are drawn from the more detailed specifications of
[1] [3]
AIAA S-113 and ECSS-E-ST-33-11C .
4.1.2 Overview
Being generally applicable, the requirements stated in this section apply throughout and are not repeated
in the sections relating to specific topics.
Explosive systems and devices use energetic materials (explosives, propellants, powder) initiated by
mechanical, electrical, thermal, or optical stimuli, for unique (single-shot) functions, e.g. solid booster
initiation, structure cutting, stage distancing, pressurized venting, stage neutralization, valve opening
or closing, release of solar arrays, antennas, booms, covers and instruments.
The properties of the initiator govern the major part of the behaviour of the system.
The requirements for initiators and their derivatives, such as cartridges and detonators, are defined in
specific requirements related to the specific types.
Properties of explosive components and systems, which cannot be covered by requirements for the
initiators alone, are defined in specific requirements relating to the types of actuator.
Other components of the explosive system, which can be tested and do not need specific requirements,
are subject to the general technical and product assurance requirements. Detailed aspects of these
components are included where they have a significant influence on the success of the system.
Single-shot items can never be tested in advance. Particular care is needed in their development,
qualification, procurement and use, in accordance with the development phases specified in ISO 14300-1.
Safe handling and usage of explosive components are not governed by individual users or the suppliers.
4.1.3 Applicability
This International Standard applies in addition to any existing standards and requirements applicable
to spacecraft or launchers.
4.1.4 Properties
a) The two states of the properties of the explosive system (before firing and after firing) shall be
identified and listed in a specific document for shipper and user.
8 © ISO 2012 – All rights reserved

b) For every explosive component, the function, primary stimulus, unwanted stimuli and secondary
characteristics shall be identified and quantified.
c) Only qualified and lot-accepted items shall be used in flight systems.
d) The properties for the two states of the explosive system (before firing and after firing) referred to
in item a) of this list shall remain stable over time when subjected to external loads or environmental
conditions, within the qualification values.
4.2 Design
4.2.1 General
a) Redundant trains shall be designed such that the first component to fire does not adversely
affect the second.
b) The system lay-out should facilitate the replacement of subsystems or components.
c) Parts of the explosive system and devices identified as critical on the basis of a RAMS analysis shall
be replaceable.
d) Replaceable parts and substitutes shall be listed in the user manual of the explosive system and devices.
4.2.2 Reliability and confidence levels
a) It shall be agreed between the customer and the supplier which performance parameters are to be
defined as mean values with associated standard deviation [see g) below].
b) The explosive system shall achieve the specified properties within defined levels of reliability and
confidence agreed between the customer and the supplier.
NOTE 1 All components are contributors.
NOTE 2 This International Standard specifies critical safety and performance properties.
c) The reliability of components shall be equal to or better than 0,999 with a confidence level equal to
or better than 95 %.
d) The probability of unwanted functioning of components shall be less than or equal to 0,001 with a
confidence level equal to or better than 95 %.
e) The performance characteristics of components at any level of assembly shall be specified at the
specified level of reliability and confidence [see b) above].
f) The safety characteristics of items at any level of assembly shall be specified at the specified level of
reliability and confidence [see c) above].
g) The supplier shall provide documentation, for customer approval, justifying the validity of statistical
methods used to determine the product performances.
4.2.3 Performance
a) Except as specified in b) below, all performances shall be quantified by measurement versus time of
initial, transitional, and final values of the specified properties.
NOTE Specified properties are listed in 4.11 and 4.12.
b) The specified time interval [defined in a)] shall be identified and measured between either
1) a clear reproducible initiation event and the attainment of the performance value, or
2) an initiation event and 90 % of the measured performance value.
c) For performance that cannot be quantified based on measurements, an acceptance procedure shall
be agreed between the supplier and the customer.
d) The basis of the time shall be specified and justified.
4.2.4 Wanted and unwanted response
a) For wanted response, the response of any component, when subjected to the specified minimum
probable stimulus, shall be demonstrated to be more than the specified lower limit agreed between
the customer and the supplier.
b) For unwanted response, the response of any component, when subjected to the specified maximum
possible disturbance, shall be demonstrated to be less than the specified upper limit agreed between
the customer and the supplier.
NOTE This applies to safety and failure.
4.2.5 Dimensioning
4.2.5.1 Strength
The explosive system shall sustain, before, during and after firing:
— the internal loads due to operation, and
— the external loads defined by the user.
NOTE These loads represent the sum of pre-load, static, dynamic, thermal and any other load seen in service.
4.2.5.2 Explosive charge dimensioning
a) The methodology for dimensioning the charge of the explosive devices (using or not the modelling)
shall be justified.
NOTE 1 Dimensioning is done at the worst case (e.g. temperature of the qualification envelope).
b) Design factors and additional factor values defined in this clause shall be agreed with the customer.
c) For determination of the explosive charge, the design factor K shall be used, as defined hereinafter:
K = K × K × K × K
MP E P M
d) A “margin policy factor”, K ; shall be defined, justified and applied in accordance with the
MP
methodology given in Annex A.
NOTE 2 This factor, used to give confidence to the design, covers (non-exhaustive list)
— the lack of knowledge on the failure modes and associated criteria,
— the lack of knowledge on the effect of interaction of loadings, and
— the non-tested zones.
NOTE 3 Justification can be performed based on relevant historical practice and analytical or
experimental means.
NOTE 4 K can have different values according to the technology used for the device (e.g. expanding
MP
tube, cutter, pyrotechnic actuator).
10 © ISO 2012 – All rights reserved

NOTE 5 While going through the design refinement loops, K can be progressively reduced down to 1,0
MP
after justification.
e) When modelling is performed, a “model factor”, K , shall be applied to account for uncertainties in
M
mathematical models when used for prediction of behaviour and induced load.
NOTE 6 K is applied in cases where uncertainty exists in the model.
M
NOTE 7 While going through the design refinement loops, K can be progressively reduced down to 1,0
M
after the demonstration of satisfactory correlation between model and test measurements.
f) A specific “project factor”, K , shall be defined, justified and applied to account for the programme
P
maturity and the confidence in the specification given to the project.
NOTE 8 K is generally defined by the project and can be reduced during the development.
P
NOTE 9 K can also cover a growth potential for some further development (e.g. generic product).
P
g) An “explosive factor”, K , shall be applied for uncertainties on the behaviour of explosive materials in
E
the mission profile (e.g. ageing and temperature influences, batch influence, material compatibility).
NOTE 10 Typical values are given in Table 1.
Table 1 — Explosive factor
Explosive materials K
E
Pyrotechnic compositions ≥1,1
Propellants (e.g. NC; NC/NG, composite) ≥1,2
HE (pure) ≥1,1
HE (composite) ≥1,2
At any step, a minimization of the explosive charge shall be taken into account.
An ageing programme and manufacturing qualification process (e.g. batch influence, wear of
manufacturing tool) shall be used to reduce the K factor.
E
h) For phases C and D of the component, when all requirements are totally set up, the reliability
demonstration shall be used to justify design margins, including the influence of ageing, temperature
and explosive batch.
NOTE 12 See Figure 1.
+ −
NOTE 13 R is the estimated reliability, R and R are the limits according to the confidence level required.
Probability
distribution
Requir ed
Performance
Statistical distribution
of the performance
Marging ≥
TBPU
Phase C, D
R
Performance

R R
(reliability )

-  +
Figure 1 — Margin and reliability relationship
4.2.5.3 Integrity of the explosive system
a) The explosive system shall maintain its integrity and position during its lifetime.
b) A “margin policy” shall be defined, justified and applied in accordance with the methodology
given in Annex A.
c) Components that are intended not to rupture during operation, when installed into their
explosive system interfaces, shall be able to withstand the maximum expected operational loads
times a factor FOSU.
d) The factors FOSY and FOSU shall be consistent with the values given in Annex B depending on the
materials used.
e) The deformation of a component shall not
1) reduce its specified performance,
2) affect any part of the system,
3) cause leakage.
f) During the development phase, a dedicated margin policy shall be defined, justified and applied for
each case identified in FMECA, from major to catastrophic.
4.2.5.4 Motorization
The following motorization factor requirements are applicable to explosively actuated devices:
a) to provide throughout the operational lifetime and over the full range of travel actuation torques (or
forces) according to provision d) or e);
b) to derive the factored worst-case resistive torques (or forces), the components of resistance,
considering in-orbit worst-case conditions (environmental effects, e.g. vacuum, temperature, zero
G) shall be multiplied by the minimum uncertainty factors specified in Table 2;
Table 2 — Minimum uncertainty factors
Theoretical Measured fac-
Component of resistance Symbol
factor tor
Inertia I (or I ) 1,1 1,1
T F
Spring S 1,2 1,2
Motor magnetic losses H 1,5 1,2
M
Friction F 3 1,5
R
Hysteresis H 3 1,5
Y
Other (harness) H 3 1,5
A
Adhesion H 3 3
D
c) The theoretical uncertainty factors in Table 2 may be reduced to the measured factors providing
the worst-case measured torque or force-resistive components are determined by measurement
according to a test procedure approved by the customer and demonstrate the adequacy of
the uncertainty factor with respect to the dispersions of the resistive component functional
performances.
d) The minimum actuation torque (T ) shall be derived from the following equation:
min
T = 2,0 × (1,1I + 1,2S + 1,5H + 3F + 3H + 3H + 3H ) +1,25T + T
min T M R Y A D D L
12 © ISO 2012 – All rights reserved

where
I is the inertial torque applied to a device subjected to acceleration in an inertial frame of
T
reference (e.g. spinning spacecraft, payload or other);
T is the inertial resistance torque caused by the worst-case acceleration function specified
D
by the customer at the device level;
T is the deliverable output torque, when specified by the customer.
L
e) The minimum actuation force (F ) shall be derived using the following equation:
min
F = 2,0 × (1,1I + 1,2S + 1,5H + 3 F + 3 H + 3 H + 3 H ) + 1,25 F + F
min F M R Y A D D L
where
I is the inertial force applied to a device subjected to acceleration in an inertial frame of
F
reference (e.g. spinning spacecraft, payload or other);
F F is the inertial resistance force caused by the worst-case acceleration function speci-
D D
fied by the customer at the device level;
F is the deliverable output force, when specified by the customer.
L
f) The kinetic energy of the moving components shall not be taken into account to meet the specified
motorization factor.
4.3 Mission
a) The use of explosive functions, including those for flight termination and range safety, during all
phases of the mission, shall be specified.
b) The environmental conditions, life cycle and functions being activated shall be specified.
EXAMPLE Ground storage, transport, launcher ignition, staging and safety functions, payload
separation, motor ignition, solar array, antenna, boom or cover release, propulsion system branch opening
or closing, de-orbiting.
c) Mission-related requirements placed on the explosive system shall be specified.
4.4 Functionality
a) The timing of each function of the explosive system shall be specified.
b) The explosive system shall react only to a specified stimulus (e.g. nature, range of values) and shall
be insensitive to all others.
c) The explosive system shall ensure that the correct stimulus arrives at the specified place at the
specified time.
d) The explosive system shall prevent the stimulus from reaching the initiator at any other time.
e) Unwanted functions or malfunctions shall be prevented.
f) The firing sequence (simultaneous or sequential) shall cause no anomaly.
NOTE This applies to secondary characteristics as well as to explosive functions.
g) Explosive systems shall be single-fault tolerant.
h) Explosive systems shall be two-fault tolerant, if premature initiation causes a catastrophic failure.
i) If loss of function is safety-critical or catastrophic, the explosive system shall avoid single-point
failures and include at least two initiators.
j) Provision shall be made within the explosive system to protect its components against unwanted
operation or degradation.
4.5 Safety
4.5.1 General
a) The system, including software and procedures, shall be Fail-Safe.
b) For a catastrophic risk, the explosive system shall be Fail-Safe/Fail-Safe or Fail-Operational/Fail-Safe.
c) The response of any explosive device to conditions outside the conditions specified shall be reported
by the manufacturer to the user.
d) An explosive subsystem shall only respond to commands intended for that explosive subsystem.
4.5.2 Prevention of unintentional function
4.5.2.1 General
a) The firing pulse (e.g. detonating shock, electrical pulse, light pulse) shall be prevented from reaching
any explosive initiator at any time except the correct instant by means of switchable barriers (e.g.
electrical, mechanical, plugs, pins).
b) Provision shall be made to prevent firing in response to radio frequency, lightning, a magnetic field
and electrostatic discharge.
c) If the explosive system contains two or more barriers, then at least two of these barriers
1) shall be independent,
2) shall not be subject to common cause failure, and
3) shall each provide complete disconnection of the firing circuit.
d) For explosive systems involving a potential catastrophic risk, the barrier close to the source of the
risk shall be a mechanical barrier.
e) The primary and redundant EEDs shall not be activated through the same electrical firing circuit.
f) Stray circuits or coupling, which can result in unintentional firing, shall be avoided.
4.5.2.2 Safe and arm device pre-arm function
a) The pre-arm function shall be the fourth last in a sequence of functions.
b) The pre-arm function shall be independent and respond only to a unique action.
c) The pre-arm function shall remain in its switched state after operation until the fire function has
reverted to its initial state.
d) The pre-arm function can include the select function.
NOTE A safe and arm device is not always included.
14 © ISO 2012 – All rights reserved

4.5.2.3 Select function
a) The select function shall be the third last in a sequence of functions.
b) The select function shall select the explosive devices.
c) The select function shall be independent and respond only to a unique command.
d) The select function shall be used to control only one explosive function.
e) It shall revert to its initial state after the fire command within an interval agreed with the customer.
4.5.2.4 Arm function
a) The arm function shall be the second-last action in the sequence.
b) The arm function shall be independent and respond only to a unique command.
c) The arm function shall be used to control only one explosive function.
d) It shall be possible to restore its initial (disarmed) state after the arm command within an interval
agreed with the customer.
4.5.2.5 Fire function
a) The fire function shall be the last action in the sequence.
b) The fire function may be used to activate a number of explosive devices.
c) The fire function shall be independent and respond only to a unique command.
d) The fire function shall revert to its initial state after the firing command within an interval agreed
with the customer.
4.6 Survival and operational conditions
a) The explosive system shall survive the specified sequence of conditions without malfunctioning or
degrading beyond the specified limits.
b) The explosive system shall operate between the extremes of the ranges and combinations of
specified conditions.
c) The limits used for the qualification of elements and interfaces shall comply with the specified
reliability and confidence.
d) End users shall specify the characteristics of the expected environment.
e) The end user shall specify the explosive system constraints.
f) The explosive system shall limit the mechanical, electrical and thermal effects of its operation within
limits agreed with the user to avoid disturbance (e.g. shock, electrical short circuits, magnetic fields)
or damage to other sensitive elements on the space vehicle.
NOTE For verification tests, see 4.14.
4.7 Interface requirements
4.7.1 General
The natures of the interfaces are
— geometry, including the analysis of the dimensions for all phases of life (e.g. assembly, transport, flight);
— mechanical, including induced loads, static and dynamic;
— fluids, including venting;
— thermal loads;
— electrical, including ensuring electrical continuity and EMC;
— materials, including ensuring compatibility.
4.7.2 Functional
a) Each interface shall
1) ensure no assembly errors can be made, and
2) prevent damage during assembly or dismantling.
b) While separated, protection shall be provided to each interface.
NOTE 1 This is to prevent activation or damage by external loads and environmental conditions.
c) When closed, each interface shall establish stable continuity of properties between the joined elements.
NOTE 2 This is to prevent disturbance of, or being disturbed by, external loads and environmental conditions.
d) Each interface shall sustain, without degradation in both coupled and separated states,
1) the assembly and dismantling duty-cycle, and
2) the operational and environmental conditions of the application.
4.7.3 Internal
a) Each element in the explosive system shall be compatible with its neighbour.
b) Each element shall provide outputs (e.g. electrical, mechanical, thermal, optical) at each interface
with margins over the input requirements of the next element or the explosive system output
requirements.
4.7.4 External
a) The explosive system shall be compatible with the requirements of all other subsystems on board,
external loading and environmental conditions.
b) If case a) of this list cannot be met, it shall be agreed with the user that
1) either the on-board system requirements be changed, or
2) protection against the environmental conditions be provided or the external loads on the
explosive system be reduced.
16 © ISO 2012 – All rights reserved

4.8 Mechanical, electrical, and thermal requirements
4.8.1 Mechanical
4.8.1.1 Inertial properties
The supplier shall provide the customer with
a) the mass,
b) the centre of mass,
c) the inertial properties, and
d) the numerical model, upon request of the user,
of the components before and after firing.
4.8.1.2 Main fixings
Each element of the explosive system shall be provided with an interface compatible with the methods
of attachment to the structure or appendage agreed with the customer.
4.8.1.3 Modularity of the system
a) The explosive system shall be assembled from modular components.
b) It shall be possible to test the components separately.
c) It shall be ensured that attachment, installation, repair and replacement can be done without
affecting the surrounding equipment.
4.8.1.4 Avoidance of confusion
a) It shall be ensured, using dedicated marking, that components intended for different applications
cannot be confused.
EXAMPLE Inert components (dummies, etc.) versus live items (test models, flight models, qualification
models, etc.)
b) For launchers, the colour code (see Annex C) can be applied.
NOTE This is to prevent confusion and to ensure incorrect items are not used for flight or qualification.
4.8.1.5 Accessibility
a) Access shall be provided, throughout the space vehicle integration,
1) to the initiators, safe, test, and arm plugs for connection,
2) for measurements of properties, and
3) to all elements for inspection.
b) Access shall be safe and convenient, as agreed with the cus
...