SIST EN 16602-30:2018

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Zagotavljanje kakovosti proizvodov v vesoljski tehniki - ZagotovljivostRaumfahrtproduktsicherung - ZuverlässigkeitAssurance produit des projets spatiaux - Sûreté de fonctionnementSpace product assurance - Dependability49.140Vesoljski sistemi in operacijeSpace systems and operations03.120.01Kakovost na splošnoQuality in generalICS:Ta slovenski standard je istoveten z:EN 16602-30:2018SIST EN 16602-30:2018en,fr,de01-julij-2018SIST EN 16602-30:2018SLOVENSKI
STANDARD



SIST EN 16602-30:2018



EUROPEAN STANDARD NORME EUROPÉENNE EUROPÄISCHE NORM
EN 16602-30
April
t r s z ICS
v {ä s v r
English version
Space product assurance æ Dependability
Assurance produit des projets spatiaux æ Sûreté de fonctionnement
Raumfahrtproduktsicherung æ Zuverlässigkeit This European Standard was approved by CEN on
s z September
t r s yä
C Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alterationä Upætoædate lists and bibliographical references concerning such national standards may be obtained on application to the CENæCENELEC Management Centre or to any CEN and CENELEC memberä
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CENæCENELEC Management Centre has the same status as the official versionsä
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austriaá Belgiumá Bulgariaá Croatiaá Cyprusá Czech Republicá Denmarká Estoniaá Finlandá Former Yugoslav Republic of Macedoniaá Franceá Germanyá Greeceá Hungaryá Icelandá Irelandá Italyá Latviaá Lithuaniaá Luxembourgá Maltaá Netherlandsá Norwayá Polandá Portugalá Romaniaá Serbiaá Slovakiaá Sloveniaá Spainá Swedená Switzerlandá Turkey and United Kingdomä
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels y any means reserved worldwide for CEN national Members and for CENELEC Membersä Refä Noä EN
s x x r tæ u rã t r s z ESIST EN 16602-30:2018



EN 16602-30:2018 (E) 2 Table of contents European Foreword . 6 1 Scope . 7 2 Normative references . 8 3 Terms, definitions and abbreviated terms . 9 3.1 Terms from other standards . 9 3.2 Terms specific to the present standard . 9 3.3 Abbreviated terms. 10 3.4 Nomenclature . 11 4 Dependability programme . 12 4.1 General . 12 4.2 Organization . 12 4.3 Dependability programme plan . 12 4.4 Dependability risk assessment and control . 13 4.5 Dependability critical items . 13 4.6 Design reviews . 14 4.7 Dependability Lessons learnt . 14 4.8 Progress reporting . 14 4.9 Documentation . 14 5 Dependability engineering . 15 5.1 Integration of dependability in the project . 15 5.2 Dependability requirements in technical specification . 15 5.3 Dependability design criteria . 16 5.3.1 General . 16 5.3.2 Consequences . 16 5.3.3 Failure tolerance . 17 5.3.4 Design approach . 18 5.4 Criticality classification . 19 5.4.1 Classification of critical functions, hardware and operations . 19 5.4.2 Assignment of software criticality category . 20 5.5 Involvement in testing process . 21 SIST EN 16602-30:2018



EN 16602-30:2018 (E) 3 5.6 Involvement in operational aspects . 21 5.7 Dependability recommendations . 22 6 Dependability analyses . 23 6.1 Identification and classification of undesirable events . 23 6.2 Assessment of failure scenarios . 23 6.3 Dependability analyses and the project life cycle . 23 6.4 Dependability analyses - methods . 24 6.4.1 General . 24 6.4.2 Reliability analyses. 25 6.4.3 Maintainability analyses . 28 6.4.4 Availability analysis . 28 6.5 Dependability Critical Items Criteria . 29 7 Dependability testing, demonstration and data collection . 30 7.1 Reliability testing and demonstration . 30 7.2 Availability testing and demonstration . 30 7.3 Maintainability demonstration . 30 7.4 Dependability data collection and dependability performance monitoring . 31 8 Pre-tailoring matrix per product types . 32 Annex A (informative)
Relationship between dependability activities and project phases . 41 A.1 Mission analysis / Needs identification phase (phase 0) . 41 A.2 Feasibility phase (phase A) . 41 A.3 Preliminary definition phase (phase B) . 41 A.4 Detailed definition and production/ground qualification testing phases (phase C/D) . 42 A.5 Utilization phase (phase E) . 42 A.6 Disposal phase (phase F) . 43 Annex B (informative) Dependability documents delivery per review . 44 Annex C (normative) Dependability plan - DRD . 47 C.1 DRD identification . 47 C.1.1 Requirement identification and source document . 47 C.1.2 Purpose and objective . 47 C.2 Expected response . 47 C.2.1 Scope and content . 47 C.2.2 Special remarks . 48 SIST EN 16602-30:2018



EN 16602-30:2018 (E) 4 Annex D (normative) Contingency analysis – DRD . 49 D.1 DRD identification . 49 D.1.1 Requirement identification and source document . 49 D.1.2 Purpose and objective . 49 D.2 Expected response . 49 D.2.1 Scope and content . 49 D.2.2 Special remarks . 49 Annex E (normative) Reliability prediction – DRD . 51 E.1 DRD identification . 51 E.1.1 Requirement identification and source document . 51 E.1.2 Purpose and objective . 51 E.2 Expected response . 52 E.2.1 Scope and content . 52 E.2.2 Special remarks . 52 Annex F (normative) Failure Detection Identification and Recovery Analysis – DRD . 53 F.1 DRD identification . 53 F.1.1 Requirement identification and source document . 53 F.1.2 Purpose and objective . 53 F.2 Expected response . 53 F.2.1 Scope and content . 53 F.2.2 Special remarks . 54 Annex G (normative) Zonal analysis – DRD . 55 G.1 DRD identification . 55 G.1.1 Requirement identification and source document . 55 G.1.2 Purpose and objective . 55 G.2 Expected response . 55 G.2.1 Scope and content . 55 G.2.2 Special remarks . 55 Annex H (normative) Maintainability analysis – DRD . 56 H.1 DRD identification . 56 H.1.1 Requirement identification and source document . 56 H.1.2 Purpose and objective . 56 H.2 Expected response . 56 H.2.1 Scope and content . 56 H.2.2 Special remarks . 57 SIST EN 16602-30:2018



EN 16602-30:2018 (E) 5 Annex I (normative) Common-cause analysis – DRD . 58 I.1 DRD identification . 58 I.1.1 Requirement identification and source document . 58 I.1.2 Purpose and objective . 58 I.2 Expected response . 58 I.2.1 Scope and content . 58 I.2.2 Special remarks . 58 Annex J (normative) Worst Case Analysis – DRD . 59 J.1 DRD identification . 59 J.1.1 Requirement identification and source document . 59 J.1.2 Purpose and objective . 59 J.2 Expected response . 59 J.2.1 Scope and content . 59 J.2.2 Special remarks . 59 Annex K <> . 61 Annex L (informative) Common-cause check lists . 62 Bibliography . 65
Tables Table 5-1: Severity categories . 17 Table 5-2: Criticality of functions . 19 Table 5-3: Criticality category assignment for software products vs. function criticality . 20 Table 8-1: Definitions of the columns of Table 8-2 . 33 Table 8-2: Pre-Tailoring matrix per “Space product types” . 34 Table B-1 : Dependability deliverable documents per project review . 45 Table L-1 : Common cause check list example for design . 62 Table L-2 : Common cause check list example for design (continued) . 63 Table L-3 : Common cause check list example for environment . 64 Table L-4 : Common cause check list example for unexpected operations . 64
SIST EN 16602-30:2018



EN 16602-30:2018 (E) 6 European Foreword This document (EN 16602-30:2018) has been prepared by Technical Committee CEN/CLC/JTC 5 “Space”, the secretariat of which is held by DIN (Germany). This document (EN 16602-30:2018) originates from ECSS-Q-ST-30C Rev.1. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by October 2018, and conflicting national standards shall be withdrawn at the latest by October 2018. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights. This document has been prepared under a standardization request given to CEN by the European Commission and the European Free Trade Association. This document has been developed to cover specifically space systems and has therefore precedence over any EN covering the same scope but with a wider domain of applicability (e.g. : aerospace). According to the CEN-CENELEC Internal Regulations, the national standards organisations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. SIST EN 16602-30:2018



EN 16602-30:2018 (E) 7 1 Scope This Standard defines the dependability assurance programme and the dependability requirements for space systems. Dependability assurance is a continuous and iterative process throughout the project life cycle.
The ECSS dependability policy for space projects is applied by implementing a dependability assurance programme, which comprises: • identification of all technical risks with respect to functional needs which can lead to non-compliance with dependability requirements, • application of analysis and design methods to ensure that dependability targets are met, • optimization of the overall cost and schedule by making sure that:  design rules, dependability analyses and risk reducing actions are tailored with respect to an appropriate severity categorisation,  risks reducing actions are implemented continuously since the early phase of a project and especially during the design phase. • inputs to serial production activities.
The dependability requirements for functions implemented in software, and the interaction between hardware and software, are identified in this Standard. NOTE 1 The requirements for the product assurance of software are defined in ECSS-Q-ST-80. NOTE 2 The dependability assurance programme supports the project risk management process as described in ECSS-M-ST-80 This Standard applies to all European space projects. The provisions of this document apply to all project phases. Depending of the product category, the application of this standard needs to be checked and if needed tailored. The pre-tailoring table in clause 8 contains the applicability of the requirements of this document and its annexes according to product type. This standard may be tailored for the specific characteristics and constraints of a space project in conformance with ECSS-S-ST-00.
SIST EN 16602-30:2018



EN 16602-30:2018 (E) 8 2 Normative references The following normative documents contain provisions which, through reference in this text, constitute provisions of this ECSS Standard. For dated references, subsequent amendments to, or revision of any of these publications do not apply, However, parties to agreements based on this ECSS Standard are encouraged to investigate the possibility of applying the more recent editions of the normative documents indicated below. For undated references, the latest edition of the publication referred to applies.
EN reference Reference in text Title EN 16601-00-01 ECSS-S-ST-00-01 ECSS system – Glossary of terms
EN 16602-10 ECSS-Q-ST-10 Space product assurance —Product assurance management EN 16602-10 ECSS-Q-ST-10-04 Space product assurance – Critical-item control EN 16602-30-02 ECSS-Q-ST-30-02
Space product assurance — Failure modes, effects (and criticality) analysis (FMEA/FMECA) EN 16602-30-11 ECSS-Q-ST-30-11 Space product assurance – Derating - EEE components
SIST EN 16602-30:2018



EN 16602-30:2018 (E) 9 3 Terms, definitions and abbreviated terms 3.1 Terms from other standards a. For the purpose of this Standard, the terms and definitions from ECSS-S-ST-00-01 apply, in particular for the following terms: 1. availability 2. failure 3. ground segment 4. hazard 5. launch segment 6. maintainability 7. reliability 8. risk 9. severity 10. single point failure 11. space segment 12. space system 3.2 Terms specific to the present standard 3.2.1 criticality classification of a function or of a software, hardware or operation, according to the severity of the consequences of its potential failures NOTE 1 Refer to clause 5.4. NOTE 2 This notion of criticality, applied to a function, software, hardware or operation, considers only severity, differently from the criticality of a failure or failure mode (or a risk), which also considers the likelihood or probability of occurrence (see 3.2.2). SIST EN 16602-30:2018



EN 16602-30:2018 (E) 10 3.2.2 criticality classification of a failure or failure mode according to a combination of the severity of the consequences and its likelihood or probability of occurrence NOTE 1 This notion of criticality, applied to a failure or failure mode, considers both the severity and likelihood or probability of occurrence, differently from the criticality of function or a software, hardware or operation, which considers only severity (see 3.2.1). NOTE 2 The criticality of a failure or failure mode can be represented by a “criticality number” as defined in ECSS-Q-ST-30-02 (see also requirement 6.5a.2). 3.2.3 failure scenario conditions and sequence of events, leading from the initial root cause, to an end failure 3.2.4 limited-life product product with useful life duration or operating cycles limitation, prone to wear out, drift or degradation below the minimum required performance in less than the storage and mission time 3.3 Abbreviated terms For the purpose of this Standard, the abbreviated terms from ECSS-S-ST-00-01 and the following apply: Abbreviation Meaning DRD Document Requirement Definition DRL Document Requirement List EEE electrical, electronic and electromechanical FDIR
failure detection isolation and recovery FMEA failure modes and effects analysis FMECA failure modes, effects and criticality analysis FTA fault tree analysis HSIA hardware-software interaction analysis MTBF mean time between failure MTTR mean time to repair NRB nonconformance review board PA product assurance WCA worst case analysis
SIST EN 16602-30:2018



EN 16602-30:2018 (E) 11 3.4 Nomenclature The following nomenclature applies throughout this document: a. The word “shall” is used in this Standard to express requirements. All the requirements are expressed with the word “shall”. b. The word “should” is used in this Standard to express recommendations. All the recommendations are expressed with the word “should”. NOTE It is expected that, during tailoring, recommendations in this document are either converted into requirements or tailored out. c. The words “may” and “need not” are used in this Standard to express positive and negative permissions, respectively. All the positive permissions are expressed with the word “may”. All the negative permissions are expressed with the words “need not”. d. The word “can” is used in this Standard to express capabilities or possibilities, and therefore, if not accompanied by one of the previous words, it implies descriptive text. NOTE In ECSS “may” and “can” have completely different meanings: “may” is normative (permission), and “can” is descriptive. e. The present and past tenses are used in this Standard to express statements of fact, and therefore they imply descriptive text. SIST EN 16602-30:2018



EN 16602-30:2018 (E) 12 4 Dependability programme 4.1 General a. The dependability assurance shall be implemented by means of a systematic process for specifying requirements for dependability and demonstrating that these requirements are achieved.
b. The dependability assurance process shall be in conformance with the dependability assurance programme plan for the project. 4.2 Organization a. The supplier shall coordinate, implement and integrate the dependability programme management with the PA programme management. 4.3 Dependability programme plan a. The supplier shall develop, maintain and implement a dependability plan for all project phases in conformance with the DRD in Annex C. NOTE
The plan can be included in the PA programme plan. b. The plan shall address the dependability requirements applicable to the project. c. The extent that dependability assurance is applied shall take account of the severity (as defined in Table 5-1) of the consequences of failures. d. The establishment and implementation of the dependability programme plan shall be considered in conjunction with the safety aspects of the programme.
e. The Supplier shall ensure that any potential conflict between dependability and safety requirements are managed.
f. Responsibilities for carrying out all dependability tasks within each phase of the lifecycle shall be defined. SIST EN 16602-30:2018



EN 16602-30:2018 (E) 13 4.4 Dependability risk assessment and control a. As part of the risk management process implemented on the project, the Dependability engineer shall be responsible for identifying and reporting dependability associated risks. NOTE
ECSS-M-ST-80 describes the risk management process. b. Dependability risk analysis reduction and control shall include the following steps: 1. identification and classification of undesirable events according to the severity of their consequences; 2. analysis of failure scenarios, determination of related failure modes, failure origins or causes; 3. classification of the criticality of the functions and associated products according to the severity of relevant failure consequences; 4. definition of actions and recommendations for detailed risk assessment, risk elimination, or risk reduction and control to an acceptable level; 5. status of risk reduction and risk acceptance; 6. implementation of risk reduction; 7. verification of risk reduction and assessment of residual risks. NOTE
The process of risk identification and assessment implies both qualitative and quantitative approaches. c. Risk reduction measures that are proposed for dependability shall be assessed at system level in order to select the optimum solution to reduce the system level risk. 4.5 Dependability critical items a. Dependability critical items shall be identified by dependability analyses performed to support the risk reduction and control process performed on the project.
NOTE
The criteria for identifying dependability critical items to be included in the Critical Items List are given in clause 6.5. b. Dependability critical items, as part of the Critical Items List, shall be subject to risk assessment and critical items control in conformance with ECSS-Q-ST-10-04. c. The control measures shall include: 1. a review of all design, manufacturing and test documentation related to critical functions, critical items and procedures; SIST EN 16602-30:2018



EN 16602-30:2018 (E) 14 2. dependability representation on relevant Review Boards to ensure that the disposition takes account of their criticality level. d. The dependability aspects shall be considered during the entire verification process for dependability critical items until closeout. e. The justification for retention of each dependability critical item shall be subject to approval by the customer. 4.6 Design reviews a. The supplier shall ensure that all dependability data for a design review are presented to the customer in accordance with the project review schedule.
b. All dependability data submitted shall indicate the design baseline and shall be coherent with all other supporting technical documentation. c. All design changes shall be assessed for their impact on dependability and a reassessment of the dependability shall be performed 4.7 Dependability Lessons learnt a. Dependability lessons learnt shall be collected during the project life cycle including operational and disposal phases. NOTE
Dependability lessons learnt consider: • the impact of newly imposed requirements; • assessment of all malfunctions, anomalies, deviations and waivers; • effectiveness of strategies of the project; • new dependability tools and methods that have been developed or demonstrated; • effective versus ineffective verifications that have been performed. 4.8 Progress reporting a. The supplier shall report dependability progress to the customer as part of product assurance activities in confo
...