SIST EN 16602-30:2018
Space product assurance - Dependability
This Standard defines the dependability assurance programme and the dependability requirements for space systems.
Dependability assurance is a continuous and iterative process throughout the project life cycle.
The ECSS dependability policy for space projects is applied by implementing a dependability assurance programme, which comprises:
• identification of all technical risks with respect to functional needs which can lead to non-compliance with dependability requirements,
• application of analysis and design methods to ensure that dependability targets are met,
• optimization of the overall cost and schedule by making sure that:
  - design rules, dependability analyses and risk reducing actions are tailored with respect to an appropriate severity categorisation,
  - risk reducing actions are implemented continuously from the early phases of a project and especially during the design phase,
• inputs to serial production activities.
The dependability requirements for functions implemented in software, and the interaction between hardware and software, are identified in this Standard.
NOTE 1 The requirements for the product assurance of software are defined in ECSS-Q-ST-80.
NOTE 2 The dependability assurance programme supports the project risk management process as described in ECSS-M-ST-80.
This Standard applies to all European space projects. The provisions of this document apply to all project phases.
Depending on the product category, the application of this Standard is to be checked and, if necessary, tailored. The pre-tailoring table in clause 8 specifies the applicability of the requirements of this document and its annexes according to product type.
This Standard may be tailored for the specific characteristics and constraints of a space project in conformance with ECSS-S-ST-00.
German title: Raumfahrtproduktsicherung - Zuverlässigkeit
French title: Assurance produit des projets spatiaux - Sûreté de fonctionnement
Slovenian title: Zagotavljanje kakovosti proizvodov v vesoljski tehniki - Zagotovljivost
Standards Content (Sample)
SLOVENIAN STANDARD SIST EN 16602-30:2018
1 July 2018 (en,fr,de)
Zagotavljanje kakovosti proizvodov v vesoljski tehniki - Zagotovljivost
Raumfahrtproduktsicherung - Zuverlässigkeit
Assurance produit des projets spatiaux - Sûreté de fonctionnement
Space product assurance - Dependability
ICS: 49.140 Space systems and operations; 03.120.01 Quality in general
This Slovenian standard is identical to: EN 16602-30:2018
© 2003-01, Slovenski inštitut za standardizacijo. Reproduction of this standard, in whole or in part, is not permitted.
EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN 16602-30
April 2018
ICS 49.140
English version
Space product assurance - Dependability
Assurance produit des projets spatiaux - Sûreté de fonctionnement
Raumfahrtproduktsicherung - Zuverlässigkeit
This European Standard was approved by CEN on 18 September 2017.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members. Ref. No. EN 16602-30:2018 E
EN 16602-30:2018 (E)
Table of contents
European Foreword . 6
1 Scope . 7
2 Normative references . 8
3 Terms, definitions and abbreviated terms . 9
3.1 Terms from other standards . 9
3.2 Terms specific to the present standard . 9
3.3 Abbreviated terms . 10
3.4 Nomenclature . 11
4 Dependability programme . 12
4.1 General . 12
4.2 Organization . 12
4.3 Dependability programme plan . 12
4.4 Dependability risk assessment and control . 13
4.5 Dependability critical items . 13
4.6 Design reviews . 14
4.7 Dependability lessons learnt . 14
4.8 Progress reporting . 14
4.9 Documentation . 14
5 Dependability engineering . 15
5.1 Integration of dependability in the project . 15
5.2 Dependability requirements in technical specification . 15
5.3 Dependability design criteria . 16
5.3.1 General . 16
5.3.2 Consequences . 16
5.3.3 Failure tolerance . 17
5.3.4 Design approach . 18
5.4 Criticality classification . 19
5.4.1 Classification of critical functions, hardware and operations . 19
5.4.2 Assignment of software criticality category . 20
5.5 Involvement in testing process . 21
5.6 Involvement in operational aspects . 21
5.7 Dependability recommendations . 22
6 Dependability analyses . 23
6.1 Identification and classification of undesirable events . 23
6.2 Assessment of failure scenarios . 23
6.3 Dependability analyses and the project life cycle . 23
6.4 Dependability analyses - methods . 24
6.4.1 General . 24
6.4.2 Reliability analyses . 25
6.4.3 Maintainability analyses . 28
6.4.4 Availability analysis . 28
6.5 Dependability critical items criteria . 29
7 Dependability testing, demonstration and data collection . 30
7.1 Reliability testing and demonstration . 30
7.2 Availability testing and demonstration . 30
7.3 Maintainability demonstration . 30
7.4 Dependability data collection and dependability performance monitoring . 31
8 Pre-tailoring matrix per product types . 32
Annex A (informative) Relationship between dependability activities and project phases . 41
A.1 Mission analysis / needs identification phase (phase 0) . 41
A.2 Feasibility phase (phase A) . 41
A.3 Preliminary definition phase (phase B) . 41
A.4 Detailed definition and production/ground qualification testing phases (phase C/D) . 42
A.5 Utilization phase (phase E) . 42
A.6 Disposal phase (phase F) . 43
Annex B (informative) Dependability documents delivery per review . 44
Annex C (normative) Dependability plan - DRD . 47
C.1 DRD identification . 47
C.1.1 Requirement identification and source document . 47
C.1.2 Purpose and objective . 47
C.2 Expected response . 47
C.2.1 Scope and content . 47
C.2.2 Special remarks . 48
Annex D (normative) Contingency analysis - DRD . 49
D.1 DRD identification . 49
D.1.1 Requirement identification and source document . 49
D.1.2 Purpose and objective . 49
D.2 Expected response . 49
D.2.1 Scope and content . 49
D.2.2 Special remarks . 49
Annex E (normative) Reliability prediction - DRD . 51
E.1 DRD identification . 51
E.1.1 Requirement identification and source document . 51
E.1.2 Purpose and objective . 51
E.2 Expected response . 52
E.2.1 Scope and content . 52
E.2.2 Special remarks . 52
Annex F (normative) Failure Detection Identification and Recovery Analysis - DRD . 53
F.1 DRD identification . 53
F.1.1 Requirement identification and source document . 53
F.1.2 Purpose and objective . 53
F.2 Expected response . 53
F.2.1 Scope and content . 53
F.2.2 Special remarks . 54
Annex G (normative) Zonal analysis - DRD . 55
G.1 DRD identification . 55
G.1.1 Requirement identification and source document . 55
G.1.2 Purpose and objective . 55
G.2 Expected response . 55
G.2.1 Scope and content . 55
G.2.2 Special remarks . 55
Annex H (normative) Maintainability analysis - DRD . 56
H.1 DRD identification . 56
H.1.1 Requirement identification and source document . 56
H.1.2 Purpose and objective . 56
H.2 Expected response . 56
H.2.1 Scope and content . 56
H.2.2 Special remarks . 57
Annex I (normative) Common-cause analysis - DRD . 58
I.1 DRD identification . 58
I.1.1 Requirement identification and source document . 58
I.1.2 Purpose and objective . 58
I.2 Expected response . 58
I.2.1 Scope and content . 58
I.2.2 Special remarks . 58
Annex J (normative) Worst Case Analysis - DRD . 59
J.1 DRD identification . 59
J.1.1 Requirement identification and source document . 59
J.1.2 Purpose and objective . 59
J.2 Expected response . 59
J.2.1 Scope and content . 59
J.2.2 Special remarks . 59
Annex K . 61
Annex L (informative) Common-cause check lists . 62
Bibliography . 65

Tables
Table 5-1: Severity categories . 17
Table 5-2: Criticality of functions . 19
Table 5-3: Criticality category assignment for software products vs. function criticality . 20
Table 8-1: Definitions of the columns of Table 8-2 . 33
Table 8-2: Pre-tailoring matrix per "Space product types" . 34
Table B-1: Dependability deliverable documents per project review . 45
Table L-1: Common cause check list example for design . 62
Table L-2: Common cause check list example for design (continued) . 63
Table L-3: Common cause check list example for environment . 64
Table L-4: Common cause check list example for unexpected operations . 64
European Foreword
This document (EN 16602-30:2018) has been prepared by Technical Committee CEN/CLC/JTC 5 "Space", the secretariat of which is held by DIN (Germany).
This document (EN 16602-30:2018) originates from ECSS-Q-ST-30C Rev.1.
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by October 2018, and conflicting national standards shall be withdrawn at the latest by October 2018.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a standardization request given to CEN by the European Commission and the European Free Trade Association.
This document has been developed to cover specifically space systems and therefore has precedence over any EN covering the same scope but with a wider domain of applicability (e.g. aerospace).
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
1 Scope
This Standard defines the dependability assurance programme and the dependability requirements for space systems. Dependability assurance is a continuous and iterative process throughout the project life cycle.
The ECSS dependability policy for space projects is applied by implementing a dependability assurance programme, which comprises:
• identification of all technical risks with respect to functional needs which can lead to non-compliance with dependability requirements,
• application of analysis and design methods to ensure that dependability targets are met,
• optimization of the overall cost and schedule by making sure that:
  - design rules, dependability analyses and risk reducing actions are tailored with respect to an appropriate severity categorisation,
  - risk reducing actions are implemented continuously from the early phases of a project and especially during the design phase,
• inputs to serial production activities.
The dependability requirements for functions implemented in software, and the interaction between hardware and software, are identified in this Standard.
NOTE 1 The requirements for the product assurance of software are defined in ECSS-Q-ST-80.
NOTE 2 The dependability assurance programme supports the project risk management process as described in ECSS-M-ST-80.
This Standard applies to all European space projects. The provisions of this document apply to all project phases.
Depending on the product category, the application of this Standard needs to be checked and, if needed, tailored. The pre-tailoring table in clause 8 contains the applicability of the requirements of this document and its annexes according to product type.
This Standard may be tailored for the specific characteristics and constraints of a space project in conformance with ECSS-S-ST-00.
2 Normative references
The following normative documents contain provisions which, through reference in this text, constitute provisions of this ECSS Standard. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. However, parties to agreements based on this ECSS Standard are encouraged to investigate the possibility of applying the more recent editions of the normative documents indicated below. For undated references, the latest edition of the publication referred to applies.

EN reference | Reference in text | Title
EN 16601-00-01 | ECSS-S-ST-00-01 | ECSS system - Glossary of terms
EN 16602-10 | ECSS-Q-ST-10 | Space product assurance - Product assurance management
EN 16602-10-04 | ECSS-Q-ST-10-04 | Space product assurance - Critical-item control
EN 16602-30-02 | ECSS-Q-ST-30-02 | Space product assurance - Failure modes, effects (and criticality) analysis (FMEA/FMECA)
EN 16602-30-11 | ECSS-Q-ST-30-11 | Space product assurance - Derating - EEE components
3 Terms, definitions and abbreviated terms
3.1 Terms from other standards
a. For the purpose of this Standard, the terms and definitions from ECSS-S-ST-00-01 apply, in particular for the following terms:
1. availability
2. failure
3. ground segment
4. hazard
5. launch segment
6. maintainability
7. reliability
8. risk
9. severity
10. single point failure
11. space segment
12. space system
3.2 Terms specific to the present standard
3.2.1 criticality
classification of a function or of a software, hardware or operation, according to the severity of the consequences of its potential failures
NOTE 1 Refer to clause 5.4.
NOTE 2 This notion of criticality, applied to a function, software, hardware or operation, considers only severity, unlike the criticality of a failure or failure mode (or a risk), which also considers the likelihood or probability of occurrence (see 3.2.2).
3.2.2 criticality
classification of a failure or failure mode according to a combination of the severity of the consequences and its likelihood or probability of occurrence
NOTE 1 This notion of criticality, applied to a failure or failure mode, considers both the severity and the likelihood or probability of occurrence, unlike the criticality of a function or of a software, hardware or operation, which considers only severity (see 3.2.1).
NOTE 2 The criticality of a failure or failure mode can be represented by a "criticality number" as defined in ECSS-Q-ST-30-02 (see also requirement 6.5a.2).
3.2.3 failure scenario
conditions and sequence of events leading from the initial root cause to an end failure
3.2.4 limited-life product
product with a useful life duration or operating-cycle limitation, prone to wear-out, drift or degradation below the minimum required performance in less than the storage and mission time
3.3 Abbreviated terms
For the purpose of this Standard, the abbreviated terms from ECSS-S-ST-00-01 and the following apply:
Abbreviation | Meaning
DRD | document requirement definition
DRL | document requirement list
EEE | electrical, electronic and electromechanical
FDIR | failure detection, isolation and recovery
FMEA | failure modes and effects analysis
FMECA | failure modes, effects and criticality analysis
FTA | fault tree analysis
HSIA | hardware-software interaction analysis
MTBF | mean time between failures
MTTR | mean time to repair
NRB | nonconformance review board
PA | product assurance
WCA | worst case analysis
3.4 Nomenclature
The following nomenclature applies throughout this document:
a. The word "shall" is used in this Standard to express requirements. All the requirements are expressed with the word "shall".
b. The word "should" is used in this Standard to express recommendations. All the recommendations are expressed with the word "should".
NOTE It is expected that, during tailoring, recommendations in this document are either converted into requirements or tailored out.
c. The words "may" and "need not" are used in this Standard to express positive and negative permissions, respectively. All the positive permissions are expressed with the word "may". All the negative permissions are expressed with the words "need not".
d. The word "can" is used in this Standard to express capabilities or possibilities, and therefore, if not accompanied by one of the previous words, it implies descriptive text.
NOTE In ECSS "may" and "can" have completely different meanings: "may" is normative (permission), and "can" is descriptive.
e. The present and past tenses are used in this Standard to express statements of fact, and therefore they imply descriptive text.
4 Dependability programme
4.1 General
a. The dependability assurance shall be implemented by means of a systematic process for specifying requirements for dependability and demonstrating that these requirements are achieved.
b. The dependability assurance process shall be in conformance with the dependability assurance programme plan for the project.
4.2 Organization
a. The supplier shall coordinate, implement and integrate the dependability programme management with the PA programme management.
4.3 Dependability programme plan
a. The supplier shall develop, maintain and implement a dependability plan for all project phases in conformance with the DRD in Annex C.
NOTE The plan can be included in the PA programme plan.
b. The plan shall address the dependability requirements applicable to the project.
c. The extent to which dependability assurance is applied shall take account of the severity (as defined in Table 5-1) of the consequences of failures.
d. The establishment and implementation of the dependability programme plan shall be considered in conjunction with the safety aspects of the programme.
e. The supplier shall ensure that any potential conflict between dependability and safety requirements is managed.
f. Responsibilities for carrying out all dependability tasks within each phase of the life cycle shall be defined.
4.4 Dependability risk assessment and control
a. As part of the risk management process implemented on the project, the dependability engineer shall be responsible for identifying and reporting dependability-associated risks.
NOTE ECSS-M-ST-80 describes the risk management process.
b. Dependability risk analysis, reduction and control shall include the following steps:
1. identification and classification of undesirable events according to the severity of their consequences;
2. analysis of failure scenarios, and determination of the related failure modes and failure origins or causes;
3. classification of the criticality of the functions and associated products according to the severity of the relevant failure consequences;
4. definition of actions and recommendations for detailed risk assessment, risk elimination, or risk reduction and control to an acceptable level;
5. status of risk reduction and risk acceptance;
6. implementation of risk reduction;
7. verification of risk reduction and assessment of residual risks.
NOTE The process of risk identification and assessment implies both qualitative and quantitative approaches.
c. Risk reduction measures that are proposed for dependability shall be assessed at system level in order to select the optimum solution to reduce the system-level risk.
4.5 Dependability critical items
a. Dependability critical items shall be identified by the dependability analyses performed to support the risk reduction and control process on the project.
NOTE The criteria for identifying dependability critical items to be included in the Critical Items List are given in clause 6.5.
b. Dependability critical items, as part of the Critical Items List, shall be subject to risk assessment and critical-item control in conformance with ECSS-Q-ST-10-04.
c. The control measures shall include:
1. a review of all design, manufacturing and test documentation related to critical functions, critical items and procedures;
2. dependability representation on the relevant review boards, to ensure that the disposition takes account of their criticality level.
d. The dependability aspects shall be considered during the entire verification process for dependability critical items until close-out.
e. The justification for retention of each dependability critical item shall be subject to approval by the customer.
4.6 Design reviews
a. The supplier shall ensure that all dependability data for a design review are presented to the customer in accordance with the project review schedule.
b. All dependability data submitted shall indicate the design baseline and shall be coherent with all other supporting technical documentation.
c. All design changes shall be assessed for their impact on dependability, and a reassessment of the dependability shall be performed.
4.7 Dependability lessons learnt
a. Dependability lessons learnt shall be collected during the project life cycle, including the operational and disposal phases.
NOTE Dependability lessons learnt consider:
• the impact of newly imposed requirements;
• assessment of all malfunctions, anomalies, deviations and waivers;
• effectiveness of the strategies of the project;
• new dependability tools and methods that have been developed or demonstrated;
• effective versus ineffective verifications that have been performed.
4.8 Progress reporting
a. The supplier shall report dependability progress to the customer as part of product assurance activities in confo
...