SIST EN 16603-20:2024

SLOVENSKI STANDARD
01-februar-2024
Vesoljska tehnika - Električna in elektronska
Space engineering - Electrical and electronic
Raumfahrttechnik - Elektrik und Elektronik
Ingénierie spatiale - Électrique et électronique
Ta slovenski standard je istoveten z: EN 16603-20:2023
ICS:
49.060 Letalska in vesoljska Aerospace electric
električna oprema in sistemi equipment and systems
49.140 Vesoljski sistemi in operacije Space systems and
operations
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN 16603-20

NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2023
ICS 49.140
Supersedes EN 16603-20:2020
English version
Space engineering - Electrical and electronic
Ingénierie spatiale - Électrique et électronique Raumfahrttechnik - Elektrik und Elektronik
This European Standard was approved by CEN on 20 November 2023.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN 16603-20:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Table of contents
European Foreword . 6
1 Scope . 7
2 Normative references . 8
3 Terms, definitions and abbreviated terms . 9
3.1 Terms from other standards . 9
3.2 Terms specific to the present standard . 9
3.3 Abbreviated terms . 16
3.4 Nomenclature . 18
4 General requirements . 19
4.1 Interface requirements. 19
4.1.1 Overview . 19
4.1.2 Signals interfaces . 19
4.1.3 Commands . 19
4.1.4 Telemetry . 21
4.2 Design . 21
4.2.1 Failure containment and redundancy . 21
4.2.2 Data processing . 30
4.2.3 Electrical connectors . 32
4.2.4 Testing . 33
4.2.5 Mechanical: Wired electrical connections . 34
4.2.6 Miscellaneous . 34
4.3 Verification . 35
4.3.1 Provisions . 35
4.3.2 Documentation . 35
5 Electrical power . 36
5.1 Functional description . 36
5.2 Power subsystem and budgets . 36
5.2.1 General . 36
5.2.2 Provisions . 36
5.3 Failure containment and redundancy . 37
5.4 Electrical power interfaces . 38
5.5 Power generation . 39
5.5.1 Solar cell, coverglass, SCA and PVA qualification . 39
5.5.2 Solar array specification and design . 39
5.5.3 Solar array power computation . 42
5.5.4 Solar array drive mechanisms . 44
5.6 Electrochemical Energy Storage . 44
5.6.1 Applicability . 44
5.6.2 Batteries . 45
5.6.3 Battery cell . 47
5.6.4 Battery use and storage . 47
5.6.5 Battery safety . 48
5.7 Power conditioning and control . 49
5.7.1 Applicability . 49
5.7.2 Spacecraft bus . 49
5.7.3 Battery Charge and Discharge Management . 53
5.7.4 Bus under-voltage or over-voltage . 53
5.7.5 Power converters and regulators . 54
5.7.6 Payload interaction . 55
5.8 Power distribution and protection . 56
5.8.1 General . 56
5.8.2 Harness . 59
5.9 Safety . 60
5.10 High voltage engineering . 60
5.11 Verification . 61
5.11.1 Provisions . 61
5.11.2 <> . 61
6 Electromagnetic compatibility (EMC) . 62
6.1 Overview . 62
6.2 Policy . 62
6.2.1 Overall EMC programme . 62
6.2.2 EMC control plan . 62
6.2.3 Electromagnetic compatibility advisory board (EMCAB). 63
6.3 System level . 63
6.3.1 Electromagnetic interference safety margin (EMISM) . 63
6.3.2 Inter-element EMC and EMC with environment . 64
6.3.3 Hazards of electromagnetic radiation . 64
6.3.4 Spacecraft charging protection program . 65
6.3.5 Intrasystem EMC . 66
6.3.6 Radio frequency compatibility . 66
6.3.7 Spacecraft DC magnetic field emission . 66
6.3.8 Design provisions for EMC control . 67
6.3.9 Detailed design requirements . 67
6.4 Verification . 67
6.4.1 Verification plan and report . 67
6.4.2 Safety margin demonstration for critical or EED circuit . 68
6.4.3 Detailed verification requirements . 68
7 Radio frequency systems . 69
7.1 Functional description . 69
7.2 Antennas . 70
7.2.1 General . 70
7.2.2 Antenna structure . 71
7.2.3 Antenna interfaces . 76
7.2.4 Antennas Verification . 77
7.3 RF Power . 77
7.3.1 Overview . 77
7.3.2 RF Power handling (thermal) . 78
7.3.3 Corona or Gas Discharge . 78
7.3.4 Qualification for power handling and gas discharge . 79
7.4 Passive intermodulation . 79
7.4.1 Overview . 79
7.4.2 General requirements . 79
7.4.3 Identification of potentially critical intermodulation products . 79
7.4.4 Verification . 80
7.4.5 Qualification for passive intermodulation . 80
7.5 Verification . 80
8 Pre-tailoring matrix per space product and feature types . 81
8.1 Introduction . 81
8.2 Use of the inclusive and exclusive requirement categories . 82
Annex A (normative) EMC control plan - DRD . 125
Annex B (normative) Electromagnetic effects verification plan (EMEVP) -
DRD . 128
Annex C (normative) Electromagnetic effects verification report (EMEVR) -
DRD . 131
Annex D (normative) Battery user manual - DRD . 133
Bibliography . 135

Figures
Figure 5-1: Output impedance mask (Ohm) . 51
Figure 5-2: Source and load impedance characterisation . 57
Figure 5-3: Thevenin equivalent model . 58
Figure 5-4: Norton equivalent model . 58

Tables
Table 4-1: List of rigid and non-rigid materials . 28
Table 5-1: Parameters for BOL worst and best case power calculations . 43
Table 5-2: Additional power parameters for EOL worst and best case calculations. . 44
Table 8-1: Definition of pre-tailoring matrix applicability statuses . 84
Table 8-2: Definition of features for exclusive requirements . 84
Table 8-3: Pre-tailoring matrix per “Space product and feature types" . 85

European Foreword
This document (EN 16603-20:2023) has been prepared by Technical Committee
CEN-CENELEC/TC 5 “Space”, the secretariat of which is held by DIN.
This standard (EN 16603-20:2023) originates from ECSS-E-ST-20C Rev.2.
This European Standard shall be given the status of a national standard, either
by publication of an identical text or by endorsement, at the latest by May 2024,
and conflicting national standards shall be withdrawn at the latest by May 2024.
Attention is drawn to the possibility that some of the elements of this document
may be the subject of patent rights. CEN [and/or CENELEC] shall not be held
responsible for identifying any or all such patent rights.
This document supersedes EN 16603-20:2020.
The main changes with respect to EN 16603-20:2020 are listed below:
• clause 4.2.1.1 added due to addition of new clause 4.2.1.2;
• addition of requirements in new clause 4.2.1.2 “Reliable insulation”;
• the addition of the new clause 4.2.1.2 made it necessary to add the new
header 4.2.1.1 “General requirements” to separate the requirement
from the former clause 4.2.1 “Failure containment and redundancy”
from the new requirements for “Reliable insulation”;
• update to cover the aspects of “reliable insulation” also known as
“double insulation”;
• addition of several terms in clause 3.2 related to the added subject of
“Reliable insulation”.
This document has been prepared under a standardization request given to CEN
by the European Commission and the European Free Trade Association.
This document has been developed to cover specifically space systems and has
therefore precedence over any EN covering the same scope but with a wider
domain of applicability (e.g. : aerospace).
According to the CEN-CENELEC Internal Regulations, the national standards
organizations of the following countries are bound to implement this European
Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United
Kingdom.
Scope
This Standard establishes the basic rules and general principles applicable to the
electrical, electronic, electromagnetic, microwave and engineering processes. It
specifies the tasks of these engineering processes and the basic performance and
design requirements in each discipline.
It defines the terminology for the activities within these areas.
It defines the specific requirements for electrical subsystems and payloads,
deriving from the system engineering requirements laid out in ECSS-E-ST-10
“Space engineering – System engineering general requirements”.
This standard may be tailored for the specific characteristics and constrains of a
space project in conformance with ECSS-S-ST-00.

Normative references
The following normative documents contain provisions which, through
reference in this text, constitute provisions of this ECSS Standard. For dated
references, subsequent amendments to, or revision of any of these publications
do not apply. However, parties to agreements based on this ECSS Standard are
encouraged to investigate the possibility of applying the more recent editions of
the normative documents indicated below. For undated references, the latest
edition of the publication referred to applies.

EN reference Reference in text Title
EN 16601-00-01 ECSS-S-ST-00-01 ECSS system – Glossary of terms
EN 16603-10 ECSS-E-ST-10 Space engineering – System engineering general
requirements
EN 16603-20-06 ECSS-E-ST-20-06 Space engineering – Spacecraft charging
EN 16603-20-07 ECSS-E-ST-20-07 Space engineering – Electromagnetic
compatibility
EN 16603-20-08 ECSS-E-ST-20-08 Space engineering - Photovoltaic assemblies and
components
EN 16603-20-20 ECSS-E-ST-20-20 Space engineering - Electrical design and
interface requirements for power supply
EN 16603-33-11 ECSS-E-ST-33-11 Space engineering – Explosive systems and
devices
EN 16603-50-05 ECSS-E-ST-50-05 Space engineering – Radio frequency and
modulation
EN 16603-50-14 ECSS-E-ST-50-14 Space engineering – Spacecraft discrete interfaces
EN 16602-30-02 ECSS-Q-ST-30-02 Space product assurance – Failure modes, effects
(and criticality) analysis (FMEA/FMECA)
EN 16602-30-11 ECSS-Q-ST-30-11 Space product assurance – Derating – EEE
components
EN 16602-40 ECSS-Q-ST-40 Space product assurance – Safety
EN 16602-70-12 ECSS-Q-ST-70-12 Space product assurance – Design rules for
printed circuit boards
IEEE 145-1993 Antenna Terms
Impedance Specifications for Impedance Specifications for Stable DC
Stable DC Distributed Power Distributed Power Systems, X. Feng, J. Liu,
Systems, EEE transactions on F.C. Lee, IEEE Transactions on power
power electronics, Vol. 17, electronics, Vol. 17, no. 2, March 2002
no. 2, March 2002
Terms, definitions and abbreviated terms
3.1 Terms from other standards
a. For the purpose of this Standard, the terms and definitions from
ECSS-S-ST-00-01 apply.
b. For the purpose of this Standard, the following terms and definitions from
ECSS-E-ST-20-20 apply:
1. latching current limiter (LCL);
2. retriggerable latching current limiter (RLCL).
3.2 Terms specific to the present standard
3.2.1 antenna farm
ensemble of all antennas accommodated on the spacecraft and provides for all
the transmission and reception of RF signals
3.2.2 antenna port
abstraction of the physical connection among the antenna and its feeding lines,
realised by means of connectors or waveguide flanges
3.2.3 antenna RF chain
sequence of microwave components inserted between an antenna input port or
a BFN output port and a corresponding individual radiating element
NOTE Examples of microwave components are: ortho-
mode transducers, polarisers, transformers as
well as filters.
3.2.4 antenna support structure
part of an antenna having no electrical function, which can however impact its
electrical performances, either directly due to scattering or indirectly
NOTE Example of indirect effect is induced thermo-
elastic deformations.
3.2.5 array antenna
antenna composed by a number of, possibly different, elements that radiate RF
signals directly into free space operating in combination, such that all or a part
of them radiate the same signals
3.2.6 array-fed reflector antenna
antenna composed by a feed array, which can include or not a beam forming
network, and one or more optical elements like reflectors and lenses
3.2.7 battery bus
primary power bus directly connected to the battery
NOTE Battery bus is sometimes called unregulated bus
(although the battery charge is regulated).
3.2.8 beam forming network (BFN)
wave-guiding structure composed a chain of microwave components and
devices aimed at distributing the RF power injected at the input ports to a
number of output ports; in a transmitting antenna the RF power injected from
the transmitter is routed to the radiating elements, in a receiving antenna the RF
power coming from the radiating elements is routed to the antenna ports
connected to the receiver
NOTE Examples of microwave components and
devices are lines, phase shifters, couplers, loads.
3.2.9 conducted emission (CE)
desired or undesired electromagnetic energy that is propagated along a
conductor
3.2.10 critical line
[CONTEXT: reliable insulation] line that is part of a critical net
NOTE As an example, limited to a solar array, typically
a critical line is a line that carries the current of
a section downstream from the electrical node
collecting the current from the different strings
that constitute the section. However, in case a
short between strings within a section leads to a
failure propagation, then correspondingly a
string is considered as a critical line.
3.2.11 critical net
[CONTEXT: reliable insulation] electrical net that if short circuited with another
electrical net or another conductor including satellite and launcher structure can
cause critical effects
NOTE For “critical effects” see Table 4-1 of
ECSS-Q-ST-30-02.
3.2.12 critical pressure
pressure at which corona or partial discharge can occur in an equipment
3.2.13 diffusivity
ability of a body to generate incoherent diffuse scattering due to local roughness,
inhomogeneity or anysotropy when illuminated by RF waves
3.2.14 depth of discharge (DOD)
ampere–hour removed from a battery expressed as a percentage of the
nameplate capacity
3.2.15 double insulation
see “reliable insulation”
3.2.16 electrical bonding
process of connecting conductive parts to each other so that a low impedance
path is established for grounding and shielding purposes
3.2.17 electromagnetic compatibility (EMC)
ability of equipment or an element to function satisfactorily in its
electromagnetic environment without introducing intolerable electromagnetic
disturbances to anything in that environment
3.2.18 electromagnetic compatibility control
set of techniques to effectively regulate the electromagnetic interference
environment or susceptibility of individual space system components or both
NOTE They include, among others, the design,
placement of components, shielding, and
employment of rejection filters.
3.2.19 electromagnetic interference (EMI)
undesired electrical phenomenon that is created by, or adversely affects any
device whose normal functioning is predicated upon the utilization of electrical
phenomena
NOTE It is characterized by the manifestation of
degradation of the performance of an
equipment, transmission channel, or element
caused by an electromagnetic disturbance.
3.2.20 electromagnetic interference safety margin
(EMISM)
ratio between the susceptibility threshold and the interference present on a test
point
3.2.21 emission
electromagnetic energy propagated by radiation or conduction
3.2.22 energy balance
situation in which the spacecraft energy budget is positive when elaborated over
a considered period of time
NOTE 1 Energy budget is generation minus
consumption and losses.
NOTE 2 The considered period of time can be one orbit,
several orbits or any relevant mission period.
3.2.23 energy reserve
energy that remains available from the energy storage assembly at the worst-
case, most depleted, point of nominal operations
NOTE It is important that the energy reserve is
sufficient to permit reaching a safe operating
mode upon occurrence of an anomaly.
3.2.24 essential function
function without which the spacecraft cannot be recovered following any
conceivable on-board or ground-based failure
NOTE Examples of unrecoverable spacecraft is when
spacecraft cannot be commanded, or
permanently losses attitude and control, or the
energy balance is no longer ensured, or the
spacecraft consumables (e.g. hydrazine or
Xenon) are depleted to such an extent that more
than 10 % of its lifetime is affected, or the safety
of the crew is threatened.
3.2.25 faulty signal
signal generated by a circuit, appearing at its interface to another circuit, going
out of its nominal range because of a failure
3.2.26 foldback current limiter (FCL)
non latching current-limiting function where the current limit decreases with the
output voltage
NOTE This function is used for power distribution and
protection typically for essential loads.
3.2.27 fully regulated bus
bus providing power during sunlight and eclipse periods with a regulated
voltage
3.2.28 grounding
process of establishing intentional electrical conductive paths between an
electrical circuit reference or a conductive part and equipment chassis or space
vehicle structure
NOTE Grounding is typically performed for safety,
functionality, signal integrity, EMI control or
charge bleeding purpose.
3.2.29 high Priority telecommand (HPC)
command originated from ground and issued by the telecommand decoder for
essential spacecraft functions without main on board software intervention
3.2.30 high voltage
AC or DC voltage at which partial discharges, corona, arcing or high electrical
fields can occur
3.2.31 insulation
separation of elements either by material or by a distance
NOTE Etymologically, insulation is the act of
protecting something with a material that
prevents heat, sound, electricity, etc. from
passing through. To insulate will then
correspond to the action to protect by adding a
material, an insulation (materials or device used
for this protection).
3.2.32 invariable gap
physical distance among electrically conductive elements respecting the
specified minimum limits independent from the stresses applied to the unit or
part of the unit
NOTE 1 Changes of the gap can result from effects of
mechanical, thermomechanical or other nature,
applied to the unit or part of the unit.
NOTE 2 Stresses include the impacts of AIT operations,
environmental tests, ageing and the use of
insulation materials.
3.2.33 isolation
separation of elements put far from each other, with the notion of distance
NOTE To isolate is the action to separate by adding
distance and to be isolated means protected by
a distance.
3.2.34 lens antenna
antenna composed by a number of RF lenses and reflecting surfaces illuminated
by a primary source, the feed
3.2.35 lightning indirect effects
electrical transients induced by lightning in electrical circuits due to coupling of
electromagnetic fields
3.2.36 major reconfiguration function
function used to recover from system failures of criticality 1, 2 or 3
NOTE Criticality categories are defined in
ECSS-Q-ST--30 and ECSS-Q-ST-40.
3.2.37 nameplate capacity
capacity stated by the manufacturer of an energy storage cell or battery
NOTE It is given in ampere-hours. It is not necessarily
equal to any measurable capacity.
3.2.38 non essential loads
loads related to units which do not implement essential functions for the
spacecraft
3.2.39 passive intermodulation products (PIM)
spurious signals generated by non-linear current-voltage characteristics in
materials and junctions exposed to sufficiently RF high power carried by guided
or radiated fields and currents, possibly triggered by microscopic mechanical
movement
3.2.40 photovoltaic assembly (PVA)
power generating network comprising the interconnected solar cell assemblies,
the shunt and blocking diodes, the busbars and wiring collection panels, the
string, section and panel wiring, the wing transfer harness, connectors, bleed
resistors and thermistors
3.2.41 primary cell or battery
battery or cell that is designed to be discharged once and never to be recharged
3.2.42 primary power bus
spacecraft electrical node closest to the power sources where power is controlled
and made available to the user equipment
3.2.43 radiofrequency (RF)
frequency band used for electromagnetic waves transmission
3.2.44 radiated emission (RE)
radiation and induction field components in space
3.2.45 recharge ratio (k)
ampere–hours charged divided by the ampere–hours previously discharged,
starting and finishing at the same state of charge
NOTE It is also known as the k factor.
3.2.46 reflector antenna
antenna composed by a number of reflecting surfaces, RF reflectors, illuminated
by a primary source, the feed
3.2.47 reliable insulation
barrier between conductors or elements of an electrical circuit such that after any
credible single failure, conductors or elements of an electrical circuit are still
insulated from each other
NOTE The term “reliable insulation” is preferred to
the term “double insulation” that was used in
the previous version.
3.2.48 RF chain
sequence of microwave components inserted between the RF power amplifier
and the antenna input port
3.2.49 RF lens
plastic, composite or metallic structure acting on transmitted RF waves to control
the antenna pattern
NOTE Example of metallic structures are waveguide
array lenses.
3.2.50 RF reflector
metallic or composite structure, possibly metallised or with printed or
embedded metallic elements, acting on reflected RF waves to control the antenna
pattern
NOTE Frequency and polarisation surfaces as well as
other fully reflecting or partially reflecting and
transmitting structures, also having non-
uniform or anisotropic scattering behaviour, are
considered reflectors
3.2.51 secondary cell or battery
battery or cell that is designed to be charged and discharged multiple times.
3.2.52 solar aspect angle (SAA)
angle between the normal to a solar panel and the sun vector
3.2.53 solar cell assembly (SCA)
solar cell together with interconnector, coverglass and if used, also a by-pass
diode
3.2.54 susceptibility
malfunction, degradation of performance, or deviation from specified
indications, beyond the tolerances indicated in the individual equipment or
subsystem specification in response to other than intended stimuli
3.2.55 susceptibility threshold
interference level at a test point which just causes malfunction in the equipment,
subsystem, or system
3.2.56 vacuum
environment with a pressure of 10 Pa or below
3.2.57 variable gap
physical distance among electrically conductive elements that can be subject to
changes due to different effects
NOTE 1 Changes of the gap can result from effects of
mechanical, thermomechanical or other nature,
applied to the unit or part of the unit.
NOTE 2 Changes include the impacts of AIT operations,
environmental tests, ageing and the use of
insulation materials.
3.3 Abbreviated terms
For the purpose of this Standard, the abbreviated terms from ECSS-S-ST-00-01
and the following apply:
Abbreviation Meaning
analysis
A
alternating current
AC
attitude and orbit control subsystem
AOCS
acceptance review
AR
beginning–of–life
BOL
critical design review
CDR
direct current
DC
design definition file
DDF
design justification file
DJF
depth of discharge
DOD
delivery review board
DRB
document requirement definition
DRD
document requirement list
DRL
electro-explosive device
EED
electrical ground support equipment
EGSE
end item data-package
EIDP
electromagnetic compatibility
EMC
EMC Advisory Board
EMCAB
electromagnetic effects verification plan
EMEVP
electromagnetic effects verification report
EMEVR
electromagnetic interference
EMI
end of life
EOL
electrical power subsystem
EPS
European space agency
ESA
electrostatic discharge
ESD
FCL fold-back current limiter
failure detection isolation and recovery
FDIR
Abbreviation Meaning
failure modes and effects analysis
FMEA
FMECA failure mode effect and criticality analysis
GDIR general design and interface requirements
interface control document
ICD
inspection
INS
I-V current-voltage
latching current limiter
LCL
maximum power point tracker
MPPT
manufacturing review board
MRB
on-board computer
OBC
printed circuit board
PCB
preliminary design review
PDR
photovoltaic assembly
PVA
qualification test report
QTR
radio frequency
RF
retriggerable latching current limiter
RLCL
review of design
RoD
part stress analysis
PSA
solar array
SA
solar aspect angle
SAA
solar array drive mechanism
SADM
solar array regulator
SAR
solar cells assembly
SCA
single event effects
SEE
single event upsets
SEU
single point failure
SPF
system requirement review
SRR
test
T
telemetry/telecommand
TM&TC
test review board
TRB
test readiness review
TRR
ultraviolet
UV
verification control document
VCD
worst case analysis
WCA
3.4 Nomenclature
The following nomenclature applies throughout this document:
a. The word “shall” is used in this Standard to express requirements. All the
requirements are expressed with the word “shall”.
b. The word “should” is used in this Standard to express recommendations.
All the recommendations are expressed with the word “should”.
NOTE It is expected that, during tailoring,
recommendations in this document are either
converted into requirements or tailored out.
c. The words “may” and “need not” are used in this Standard to express
positive and negative permissions, respectively. All the positive
permissions are expressed with the word “may”. All the negative
permissions are expressed with the words “need not”.
d. The word “can” is used in this Standard to express capabilities or
possibilities, and therefore, if not accompanied by one of the previous
words, it implies descriptive text.
NOTE In ECSS “may” and “can” have completely
different meanings: “may” is normative
(permission), and “can” is descriptive.
e. The present and past tenses are used in this Standard to express
statements of fact, and therefore they imply descriptive text.
General requirements
4.1 Interface requirements
4.1.1 Overview
ECSS-E-ST-10 specifies that interfaces external or internal to a system are
adequately specified and verified. The following requirements address this issue
and are processed in phase B, C and D of a project (see ECSS-E-ST-10).
4.1.2 Signals interfaces
a. Interface engineering shall ensure that the characteristics on both sides of
each interface are compatible, including source and load impedances, the
effects of the interconnecting harness and the grounding network between
both sides comprising: common mode impedance conducted and radiated
susceptibility and emission.
b. In order to minimize the number of interface types, standard interface
circuitry shall be defined to be applied throughout a project.
c. Reconfiguration, high level or high priority command lines shall be
immune to spurious activation.
d. The application of the nominal signals or a faulty signal to an un-powered
interface shall not cause damage to that interface.
NOTE This requirement covers all types of interfaces.
Standard interfaces are covered in clauses
4.2.4.3 and 4.2.4.4 of ECSS-E-ST-50-14.
e. An undetermined status at the interfaces of a powered unit shall not cause
damage to an un-powered interface.
NOTE Undetermined status includes: non-nominal
operating modes, permanent and non-
permanent failure modes, powered and un-
powered interfaces.
f. Signal interfaces shall withstand without damage positive or negative
nominal voltages that are accessible on the same connector, coming from
the unit itself, from the interfaced units or from EGSE.
4.1.3 Commands
a. Every command (intended to be sent to the spacecraft) shall be assessed
for criticality at equipment level, and confirmed at subsystem/system
level.
NOTE The criticality of a command is measured as its
impact on the mission in case of inadvertent
function (erroneous transmission), incorrect
function (aborted transmission) or loss of
function. The definition of criticalities can be
found in ECSS-Q-ST-30 and ECSS–Q-ST-40.
b. All executable commands shall be explicitly acknowledged by telemetry.
c. High Priority telecommand decoding and generation shall be
independent from the main on-board processor and its software.
NOTE For failure case, refer to requirement 4.2.1.1a.
d. With the exception of pyrotechnic commands, the function of an
executable command shall
1. not change throughout a mission; and
2. not depend on the history of previous commands.
e. For commands of category 1 and 2 criticality, at least two separate
commands for execution: an arm/safe or enable/disable followed by an
execute command shall be used.
NOTE For criticality categories, see ECSS-Q-ST-30 or
ECSS-Q-ST-40.
f. The functionality shall be provided to repeat the transmission of all the
executable commands without degradation of the function or a change of
its status.
g. In case of critical commands of category 1 and 2, at least two physically
independent electrical barriers, including associated control circuits, shall
be implemented for arming and executing the command.
NOTE 1 For criticality categories, see ECSS-Q-ST-30 or
ECSS-Q-ST-40.
NOTE 2 Mechanical barriers can be considered.
NOTE 3 Physically independent electrical barriers and
associated control circuits are the ones not
sharing any hardware function and without risk
of reciprocal failure propagation.
h. Processor and simple logic circuits shall not be able to issue category 1 and
2 critical commands without a ground commanded arm/safe or
enable/disable command.
NOTE To avoid inadvertent activation of processes
enabled/disabled by category 1 or 2 critical
commands during ground operations and in
low earth orbit phases, it is necessary to foresee
safety barriers (arm/safe commands) to inhibit
the execution of such critical commands. Such
safety barriers might be spacecraft skin
connections (to be established or broken just
before flight) or connections/disconnection
plugs to be activated by launcher stages release
(in flight). The activation/deactivation of such
barriers has to be independent from on board
processor.
i. Any on–board processing which issues commands to reconfigure
subsystems or payloads shall be overridable and potentially inhibited by
ground command.
NOTE For criticality categories, see ECSS-Q-ST-30 or
ECSS-Q-ST-40.
j. No valid command shall be issued until the transmitter power supply is
within operational voltage range and ready to transmit the command.
4.1.4 Telemetry
a. Telemetry data devoted to the spacecraft subsystem and payloads
monitoring shall allow:
1. the retracing of the overall configuration at least up to all
reconfigurable elements;
2. the location of any failure able to impact the mission performances
and reliability at least up to all reconfigurable elements.
b. The operational status (On/Off, enabled/disabled, active/not-active) of
each element of any telemetry acquisition chain should be provided to the
on-board computer in order to determine without ambiguity the validity
of the telemetry data at the end of the overall chain.
c. Primary bus load currents shall be monitored by telemetry, to enable,
together with the bus voltage telemetry, a complete monitoring of a
primary bus power load.
d. Telemetry shall be implemented to monitor the evolution of the
power-energy resources and the source temperatures during the mission.
4.2 Design
4.2.1 Failure containment and redundancy
4.2.1.1 General requirements
a. Failure propagation shall meet the following conditions:
1. a single hardware failure does not propagate to neighbouring
components circuits or interfaces in an undetermined way;
2. failure propagation is verified by analysis;
3. mechanical, thermal or electrical propagation of single hardware
failures does not impair the corresponding protection or
redundancy implemented at equipment or system level;
4. single hardware failure does not propagate to equipment or
functions under different contractual responsibility than the item
where the failure takes place.
NOTE 1 4.2.1.1a.4 is normally covered by specification of
fault emission and tolerance conditions.
NOTE 2 Component assembly (e.g. single cavity hybrid)
and integrated circuits, especially if they contain
redundancy or protection, require special
attention.”
b. Redundant signal or power lines should be segregated via physically
separated connectors and harnesses.
c. Routing of redundant power or signal lines within common harness or
connector shall be justified by analysis showing that inside the electrical
unit and at external connector interface level there is no potential single
failure leading to affect both nominal and redundant lines or to generate
electrical or electromagnetic interference between both.
NOTE 1 Typical analysis for demonstrating compliance
is provided within FMEA and EMC coupling
analysis.
NOTE 2 Potential single failure includes short-circuit
cases.”
d. Redundant functions shall be physically separated with no risk o
...