Space engineering - Guidelines for electrical design and interface requirements for actuators

In general terms, the scope of the consolidation of the electrical interface requirements for electrical actuators in the EN 16603-20-21 (equivalent to ECSS-E-ST-20-21) and the relevant explanation in the present handbook is to allow a more recurrent approach both for actuator electronics (power source) and electrical actuators (power load) offered by the relevant manufacturers, at the benefit of the system integrators and of the European space agencies, thus ensuring:
- Better quality
- Stability of performances
- Independence of the products from specific mission targets.
A recurrent approach enables manufacturing companies to concentrate on products and a small step improvement approach that is the basis of a high quality industrial output.
In particular, the scope of the present handbook is:
- To explain the type of actuators, the principles of operation and the typical configuration of the relevant actuator electronics,
- To identify important issues relevant to electrical actuators interfaces, and
- To give some explanations of the requirements set up in the EN 16603-20-21.


General Information

Status: Published
Public Enquiry End Date: 27-Oct-2021
Publication Date: 01-Feb-2022
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 31-Jan-2022
Due Date: 07-Apr-2022
Completion Date: 02-Feb-2022
Technical report: SIST-TP CEN/TR 17603-20-21:2022 - BARVE
English language, 56 pages

Standards Content (Sample)


SLOVENIAN STANDARD
1 March 2022
Space engineering - Guidelines for electrical design and interface requirements for actuators
This Slovenian standard is identical to: CEN/TR 17603-20-21:2022
ICS: 49.140 Space systems and operations
Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

TECHNICAL REPORT CEN/TR 17603-20-21

January 2022
ICS 49.140
English version
Space engineering - Guidelines for electrical design and interface requirements for actuators
This Technical Report was approved by CEN on 29 November 2021. It has been drawn up by the Technical Committee
CEN/CLC/JTC 5.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2022 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. CEN/TR 17603-20-21:2022 E
Table of contents
European Foreword . 5
Introduction . 6
1 Scope . 7
2 References . 8
3 Terms, definitions and abbreviated terms . 9
3.1 Terms from other documents . 9
3.2 Abbreviated terms. 9
4 Explanations . 11
4.1 Explanatory note . 11
4.2 How to use this document . 11
5 Actuators Interface . 12
5.1 Type of actuators . 12
5.2 Coverage assumptions . 16
5.3 Actuators electronics, general architecture . 17
5.3.1 Overview . 17
5.3.2 ARM block . 21
5.3.3 SELECT block . 21
5.3.4 FIRE block . 22
5.4 Actuators electronic, timing sequence. 22
5.5 Actuator electronics, failure tolerance . 24
5.5.1 Double failure tolerance . 24
5.5.2 Single failure tolerance . 26
6 Explanation of ECSS-E-ST-20-21 Interface Requirements . 27
6.1 Functional general . 27
6.1.1 General . 27
6.1.2 Reliability . 27
6.2 Functional source . 29
6.2.1 General . 29
6.2.2 Reliability . 30
6.2.3 Commands . 33
6.2.4 Telemetry . 35
6.3 Functional load . 38
6.3.1 General . 38
6.3.2 Reliability . 39
6.4 Performance general . 39
6.4.1 General . 39
6.5 Performance source . 42
6.5.1 Overview . 42
6.5.2 General . 44
6.5.3 Reliability . 45
6.5.4 Telemetry . 46
6.5.5 Recurrent products. 46
6.6 Performance load . 48
6.6.1 General . 48
6.6.2 Reliability . 48
6.6.3 Recurrent products. 49

Figures
Figure 5-1: Dassault pyro initiator . 13
Figure 5-2: Pyro-valve (to be equipped with pyro initiators) . 13
Figure 5-3: Thermal knife (partially reusable – needing refurbishment) . 14
Figure 5-4: Thermal knife activation (partially reusable – needing refurbishment). 14
Figure 5-5: Thermal knife (with thermal heads visible) . 14
Figure 5-6: Glenair heavy duty HDRM (partially reusable – needing refurbishment) . 14
Figure 5-7: TINI Aerospace Frangibolt (reusable – manually resettable) . 15
Figure 5-8: NEA split-spool based HDRM (partially reusable – needing refurbishment). 15
Figure 5-9: Arquimea pin-puller family (reusable – manually resettable) . 15
Figure 5-10: Typical actuators electronic block diagram . 18
Figure 5-11: Typical actuators electronic block diagram, variant 1 . 19
Figure 5-12: Typical actuators electronic block diagram, variant 2 . 20
Figure 5-13: Actuators electronics timing sequence . 23
Figure 5-14: Actuators electronics timing sequence, different selected lines . 24
Figure 6-1: Actuator electronics {V, I} characteristic . 40
Figure 6-2: Example - case 1. 40
Figure 6-3: Example - case 2. 41
Figure 6-4: Example - case 1 and 2 . 41

Tables
Table 5-1: Actuators reusability . 13
Table A-1 : Current driven, non-explosive actuators . 51
Table A-2 : Current driven, explosive actuators . 53
Table A-3 : Voltage driven actuators. 54

European Foreword
This document (CEN/TR 17603-20-21:2022) has been prepared by Technical Committee
CEN/CLC/JTC 5 “Space”, the secretariat of which is held by DIN.
It is highlighted that this technical report does not contain any requirements, but only a collection of data
or descriptions and guidelines about how to organize and perform the work in support of EN 16602-20.
This Technical report (CEN/TR 17603-20-21:2022) originates from ECSS-E-HB-20-21A.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a mandate given to CEN by the European Commission and
the European Free Trade Association.
This document has been developed to cover specifically space systems and has therefore precedence
over any TR covering the same scope but with a wider domain of applicability (e.g.: aerospace).
Introduction
The present handbook, and the relevant standard ECSS-E-ST-20-21, have been produced in a general
context to provide stable electrical interface specifications (both for the source and the load, for
functional and performance aspects).
The convergence within ECSS among agencies, of Large System Integrators and of a representative
group of electronic manufacturers on the identified requirement set can provide an effective way to
get more recurrent products for generic use, both for the actuator electronics (power source), and for
the actuators themselves, in a rather independent way from the final application.
The standard ECSS-E-ST-20-21 is therefore to be understood as a standard for product development,
and the present handbook as a guideline for understanding the relevant requirements and the typical
issues of actuator interfaces, both at system and at equipment level.
This handbook complements ECSS-E-ST-20-21, and it is directed at the same time to power system
engineers, who are specifying and procuring units supplying and containing electrical actuators, to
power electronics design engineers, who are in charge of designing and verifying actuator electronics,
and to electrical actuators designers.
For the system engineers, this document explains the detailed issues of the interface and the impacts
of the requirements for the design of the actuator chain.
For design engineers, this document gives insight and understanding on the rationale of the
requirements on their designs.
It is important to notice that the best understanding of the topic of Actuators Electrical Interfaces is
achieved by the contextual reading of both the present handbook and the ECSS-E-ST-20-21.
Scope
In general terms, the scope of the consolidation of the electrical interface requirements for electrical
actuators in the ECSS-E-ST-20-21 and the relevant explanation in the present handbook is to allow a
more recurrent approach both for actuator electronics (power source) and electrical actuators (power
load) offered by the relevant manufacturers, at the benefit of the system integrators and of the
European space agencies, thus ensuring:
• Better quality,
• Stability of performances, and
• Independence of the products from specific mission targets.
A recurrent approach enables manufacturing companies to concentrate on products and a small step
improvement approach that is the basis of a high quality industrial output.
In particular, the scope of the present handbook is:
• To explain the type of actuators, the principles of operation and the typical configuration of the
relevant actuator electronics,
• To identify important issues relevant to electrical actuators interfaces, and
• To give some explanations of the requirements set up in the ECSS-E-ST-20-21.
References
EN Reference | Reference in text | Title
EN 16601-00-01 | ECSS-S-ST-00-01 | ECSS system - Glossary of terms
EN 16603-20-21 | ECSS-E-ST-20-21 | Space engineering - Electrical design and interface requirements for actuators
EN 16603-33-11 | ECSS-E-ST-33-11 | Space engineering - Explosive subsystems and devices
EN 16602-30-11 | ECSS-Q-ST-30-11 | Space product assurance - Derating – EEE components
EN 16602-40 | ECSS-Q-ST-40 | Space product assurance - Safety
CSG-NT-SBU-16687-CNES Ed/Rev 01/01 | – | Payload safety handbook
Terms, definitions and abbreviated terms
3.1 Terms from other documents
a. For the purpose of this document, the terms and definitions from ECSS-S-ST-00-01 apply, in
particular for the following terms:
1. redundancy
2. active redundancy
3. hot redundancy
4. cold redundancy
5. fault
6. fault tolerance
b. For the purpose of this document, the terms and definitions from ECSS-E-ST-33-11 apply, in
particular for the following terms:
1. no fire
2. all fire
c. For the purpose of this document, the terms and definitions from ECSS-E-ST-20-21 apply.
3.2 Abbreviated terms
For the purpose of this document, the abbreviated terms from ECSS-S-ST-00-01 and the following
apply:
Abbreviation: Meaning
AIT: assembly, integration and test
CEO: chief executive officer
CSG: Centre Spatial Guyanais
DC: direct current
DIS: disable
EEE: electric, electro-mechanic and electronic
EMC: electro-magnetic compatibility
EMI: electro-magnetic interference
EN: enable
FO: fail operational
FMEA: failure mode effect analysis
FMECA: failure mode effect and criticality analysis
FPGA: field programmable logic array
FS: fail safe
N: nominal
NEA: non-explosive actuators
OBC: on-board computer
PCB: printed circuit board
PCDU: power conditioning and distribution unit
R: redundant
SCSW: spacecraft central software
SMA: shape memory alloy
SW: software
TM: telemetry
WC: worst case
Explanations
4.1 Explanatory note
The present handbook refers to the electrical interface requirements defined in the ECSS-E-ST-20-21.
The ECSS-E-ST-20-21 requirements are referred to in this handbook using the following convention,
and are indicated in italic font:
[requirement number]
For example, requirement 5.2.3.2.1a is referred to as:
[Req. 5.2.3.2.1.a.]
See also, for more information, Annex A of ECSS-E-ST-20-21.
In addition:
• each requirement (i.e. any statement containing a “shall” in the standard) is marked with red text.
• each recommendation (i.e. any statement containing a “should” in the standard) is marked with
blue text.
Keywords are highlighted in bold. A keyword is a word that either has a special meaning in the
context of the section in which it appears, or highlights a concept.
4.2 How to use this document
For the best utilisation of this document, it is recommended to print it together with the ECSS-E-ST-20-21
and to consult both of them contextually.
In this way, the discussion and the rationale explanation of each individual requirement are clearer and
there is the minimum risk of misunderstanding.
Actuators Interface
5.1 Type of actuators
Electro-mechanic actuators of different types are used for space applications as part of hold down and
release mechanisms and deployment mechanisms.
The technologies used in electro-mechanic actuators are varied:
a. Based on pyrotechnic devices (release nuts/bolt cutter, separation nut, cutters, brazing melt,
wire cutter, cable cutter, valves),
b. Split spool devices (Fusible wire, SMA wires),
c. Solenoid actuated nuts,
d. SMA triggered release nuts,
e. SMA actuators (pin pullers and pushers),
f. Paraffin actuators (pin pullers and pushers),
g. Electro-magnetic, solenoid pin puller and pusher actuators,
h. Electromagnets, and magnetic clamps,
i. Thermal cutters and knife,
j. Piezoelectric actuators.
The actuation can be performed by provision of heat thanks to a hot head or a filament, causing
mechanical action, ignition of explosive powder, deformation of SMA or paraffin expansion, or by
direct electro-magnetic action (solenoids, electro-magnets), or by effects induced by piezo-electric
means.
Interfaces to electrical motors (for example solar array drive mechanisms, reaction wheels, and other
mechanisms) are not covered by the present handbook and standard ECSS-E-ST-20-21.
Actuators can be classified according to different criteria: from an electrical point of view, they can be
classified as voltage-driven or current-driven types.
A typical example of a voltage-driven actuator is a thermal knife; a typical example of a current-driven
actuator is a pyro device.
Another interesting classification of actuators is according to their level of reusability, according to
Table 5-1.
Table 5-1: Actuators reusability
Columns: NON-REUSABLE | PARTIALLY REUSABLE (need for refurbishment) | REUSABLE (manually resettable) | REUSABLE (self-resetting)
Pyro cutters | Pyro nuts | Solenoid actuated nuts | Electro-magnetic actuators and triggers
Initiators | Fusible wire actuated nuts | SMA actuated nuts | Magnetic clamps
Pyrotechnic bolt, wire cutters and pyro-cutters | | |
Remaining entries of the table, whose column is not recoverable from the extracted layout: Paraffin actuators, SMA direct actuators, SMA actuators, Spool based devices, Wire triggers, separation nut, Thermal cutters.
The database of actuators used for the drafting of the ECSS-E-ST-20-21 is reported in Annex A.
Some figures of actuators are hereby provided.

Figure 5-1: Dassault pyro initiator

Figure 5-2: Pyro-valve (to be equipped with pyro initiators)
Figure 5-3: Thermal knife (partially reusable – needing refurbishment)

Figure 5-4: Thermal knife activation (partially reusable – needing refurbishment)

Figure 5-5: Thermal knife (with thermal heads visible)

Figure 5-6: Glenair heavy duty HDRM (partially reusable – needing refurbishment)
Figure 5-7: TINI Aerospace Frangibolt (reusable – manually resettable)

Figure 5-8: NEA split-spool based HDRM (partially reusable – needing refurbishment)
Figure 5-9: Arquimea pin-puller family (reusable – manually resettable)
5.2 Coverage assumptions
[Assumption 4.2a]
“This standard applies to satellites; launchers and human space applications are not included.”
For launchers and human space applications, the actuator system normally needs to be two-failure
tolerant to avoid human injury, and therefore more stringent requirements are necessary to avoid
spurious actuator activation (for example, it is necessary to disconnect both the hot and the return line
from ground to actuators, as per [Req.5.2.2d], without the alternatives expressed in [Req.5.2.2e.1] and
[Req.5.2.2e.2]).
[Assumption 4.2b]
“According to requirement 4.4g of ECSS-E-ST-33-11 this standard covers explosive or non-
explosive actuators electronics required to comply with single fault tolerance with respect to
actuation success.”
The actuator electronics provides the requested functionality after any single failure thanks to the
provided redundancy (see [Req.5.2.2a]).
[Assumption 4.2c]
“Interfaces to electrical motors (for example solar array drive mechanisms, reaction wheels, other
mechanisms) are not covered by the present standard.”
While electrical motors can indeed be used in actuators, the complete specification of motor drive
electronics is not the subject of the present standard.
[Assumption 4.2d]
“It is assumed that the two fault tolerance approach (as per ECSS-Q-ST-40 clause 6.4.2.1), with
respect to premature and unwanted actuation having catastrophic consequences, when required
according to requirement 4.4h of ECSS-E-ST-33-11, is implemented as a system (SSE and SSS)
level provision and not at equipment level. See ECSS-E-HB-20-21 section 5.5.1”
The actuator electronics covered by ECSS-E-ST-20-21 is single point failure tolerant: the coverage of
premature and unwanted actuation having catastrophic consequences is achieved by system
provisions (avoidance of mechanical interference, additional barriers like skin connectors at spacecraft
level operated during integration activities, etc.).

[Assumption 4.2e]
“Current-driven actuators covered by this standard have an inductance of 1 µH max, not
including harness.”
[Assumption 4.2f]
“Voltage-driven actuators covered by this standard have an inductance of 20 mH max.”

Current-driven actuators normally drive loads characterised by a small parasitic inductance (the limit is
set to 1 µH). Current regulators are normally not well suited to driving large inductive loads, since
significant stability issues can arise.
Voltage-driven actuators can base their operation on electro-magnetic effects (solenoid pin pullers and
pushers, electromagnets, and magnetic clamps), characterised by a large inductance (the limit is set to
20 mH).
In any case, it is necessary to limit the actuator inductance to a reasonable value to have a chance to
procure generic actuator electronics, i.e. electronics applicable to many actuator types without any design
change.
[Assumption 4.2g]
“The actuators electronics nominal input voltage (excluding transients) is assumed to be within a
range of 21 V to 100 V.”
This is the typical range of regulated and unregulated buses used in European satellites (28 V
regulated or unregulated, 50 V regulated or unregulated, 100 V regulated).
5.3 Actuators electronics, general architecture
5.3.1 Overview
A typical block diagram for explosive or non-explosive actuator electronics is shown in Figure 5-10.
A variant of the actuators electronics block diagram is shown in Figure 5-11.
For brevity, explosive or non-explosive actuator electronics are referred to as Actuator Electronics in this
document.
Note that the diagrams in Figure 5-10 and Figure 5-11 are given only as a reference, without loss of
generality, and some of the features reported there can actually be realised differently.
Without loss of generality, the general architecture of Actuator Electronics is explained below with
reference to Figure 5-10.
Actuator Electronics receive power from the Power Conversion and Distribution Electronics (either
directly from a battery or from a regulated power bus).
The power lines from the Power Conversion and Distribution Electronics may or may not be provided with
over-current protection to safeguard the power bus from short-circuits or overloads generated in the
Actuator Electronics.
In case over-current protections are not provided by the Power Conversion and Distribution
Electronics, it is important that Actuator Electronics failures do not cause a short circuit or overload of the
input power lines [Req.5.1.2b]. In this respect, double insulation of the relevant harness or connector lines
is applied.
To comply with the required single failure tolerance requirement [Req.5.2.2a], the Actuator Electronics
are duplicated, with a nominal (N) and a redundant (R) side.
In Figure 5-10 explosive or non-explosive actuators are just called Actuators (for clarity, only
Actuators and power and command and telemetry lines relevant to nominal side are shown).
There are three physical barriers against spurious or untimely activation of Actuators [Req.5.2.1a],
represented in Figure 5-10 by ARM, FIRE and SELECT blocks.
The need for three barriers is explained in section 5.5.1.
In accordance with best practices, any internal conductor (for example, and referring to Figure 5-11,
disconnected hot line between ARM and SELECT switches when they are both open, or disconnected
return line between ARM switch and actuators return) is grounded to power return to avoid any
build-up of potential due to electrostatic phenomena [Req.5.2.2h].
[Figure 5-10 not reproduced. It shows the Power Conversion and Distribution Electronics supplying Actuator Electronics N and Actuator Electronics R. On each side, the ARM block (commands ARM EN and ARM DIS, telemetry ARM STATUS) is followed by the SELECT block (commands Selection i(1..n) EN and DIS, Selectors 1..n connecting to Actuators 1N..nN) and the FIRE block (commands FIRE ON and FIRE OFF, telemetries FIRE output CURRENT and VOLTAGE), with a ground star point; command and telemetry lines are marked N&R. The FIRE actuator might be a voltage or a current source. For clarity, redundant actuators and relevant lines are not shown.]
Key: DIS = disable, EN = enable, N = nominal, R = redundant
Figure 5-10: Typical actuators electronic block diagram
[Figure 5-11 not reproduced. It shows the Power Conversion and Distribution Electronics supplying Electrical Actuator N and Electrical Actuator R, each with the ARM block (ARM EN / ARM DIS, ARM STATUS), the SELECT block (Selection i(1..n) EN / DIS, Selectors 1..n to Actuators 1N..nN) and the FIRE block (FIRE ON / FIRE OFF, FIRE output CURRENT and VOLTAGE), with a ground star point; command and telemetry lines are marked N&R. The FIRE actuator is based on a solid state device. For clarity, redundant actuators and relevant lines are not shown.]
Key: DIS = disable, EN = enable, N = nominal, R = redundant
Figure 5-11: Typical actuators electronic block diagram, variant 1
[Figure 5-12 not reproduced. It shows the Power Conversion supplying Electrical Actuator N and Electrical Actuator R, each with the ARM block (ARM EN / ARM DIS, ARM STATUS), the SELECT block (Selection i(1..n) EN / DIS, Selectors 1..n to Actuators 1N..nN) and the FIRE block (FIRE ON / FIRE OFF, FIRE output CURRENT and VOLTAGE), with a ground star point; command and telemetry lines are marked N&R. The FIRE actuator might be a voltage or a current source. For clarity, redundant actuators and relevant lines are not shown.]
Key: DIS = disable, EN = enable, N = nominal, R = redundant
Figure 5-12: Typical actuators electronic block diagram, variant 2
5.3.2 ARM block
The ARM block is usually implemented by bi-stable relays or by solid state switches (typically
MOSFETs).
The ARM block can disconnect only the hot power line in the scheme of Figure 5-10, while on the
alternative scheme in Figure 5-11 it disconnects both the hot and the return power lines.
In the option shown in Figure 5-12, the ARM block disconnects the hot line only.
The reason for disconnecting both hot and return power lines is to avoid that any potential which can
couple to the hot line of the actuator (due to a failure, loss of insulation or similar reasons) can
trigger a spurious activation of the device [Req.5.2.2d].
In case the return lines cannot be disconnected, additional care needs to be taken to avoid coupling to
any potential that can trigger the actuator action, by separating actuator groups in different connectors
and adding sufficient isolation of actuator hot lines to avoid the problem: requirements [Req.5.2.2e.1]
and [Req.5.2.2e.2] apply.
The commands to the ARM block are ARM enable (ARM EN) and ARM disable (ARM DIS).
Both ARM EN and ARM DIS are duplicated into nominal (N) and redundant (R) commands
[Req.5.2.2a], and are provided by dedicated commands (e.g. commands that are not included in a
single general serial command flow) – [Req.5.2.3d].
The telemetry for the ARM block is the ARM STATUS, which according to [Req.5.2.4c] shall indicate
the effective condition of the ARM output (if enabled or disabled).
Both the nominal and the redundant ARM STATUS telemetries are provided both to the nominal
and to the redundant acquisition chains [Req.5.2.4a].
5.3.3 SELECT block
Apart from being an electrical barrier, the SELECT block provides the specific power connection to one of
the actuators connected to the same group.
It can disconnect the hot and the return line to the actuator (as it is shown in Figure 5-10) or just the
hot line (as it is shown in Figure 5-11) in case the ARM block provides disconnection of the (common)
return line to all actuators in the same group (according to [Req.5.2.2d]).
It is also allowed that the ARM block provides just the disconnection of the hot line, but in this case:
a. It is important that the relevant actuator group does not share connectors with other groups or
with other electronic functions ([Req.5.2.2e.1]);
b. It is important that the harness of the relevant actuator group is not bundled together with any
other wire or bundle carrying a positive or negative potential sufficient to trigger the relevant
actuators ([Req.5.2.2e.2]);
The provision expressed by [Req.5.2.2e.1] and [Req.5.2.2e.2] is intended to avoid any premature
actuator firing due to unpredictable causes (see also section 6.2.2).
The SELECT block takes care of providing a resistive path for connecting the actuators to structure
[Req.5.2.2h].
The commands to the SELECT block are Select (1…n) enable (EN) and Select (1…n) disable (DIS).
Both Select EN (1…n) and Select DIS (1…n) are duplicated into nominal (N) and redundant (R)
commands [Req.5.2.2a], and are generally included in a single general serial command flow.
The telemetries for the SELECT block are the Select (1…n) STATUSes, which according to [Req.5.2.4c]
indicate the effective condition of the relevant SELECT output (if enabled or disabled).
Both the nominal and the redundant Select (1…n) STATUS telemetries are provided both to the
nominal and to the redundant acquisition chains [Req.5.2.4a].
5.3.4 FIRE block
The FIRE block is in charge of providing the selected actuator with a controlled current (for current-driven
actuators) or a controlled voltage (for voltage-driven ones).
The FIRE block accepts a redundant FIRE ON command and can accept a redundant FIRE OFF
command. In any case the FIRE ON duration is limited (a few tenths of milliseconds for pyro actuators,
a few tens of seconds for thermal knives or for non-explosive actuators), meaning that if the FIRE OFF
command is not sent, the FIRE ON command acts on a monostable function to provide the requested
FIRE duration [Req.5.2.1d].
Both FIRE ON and FIRE OFF are duplicated into nominal (N) and redundant (R) commands [Req.5.2.2a],
and are generally included in a single general serial command flow.
The telemetries for the FIRE block are different depending on the duration of the FIRE pulse.
For actuators characterised by a long duration of the FIRE pulse (e.g. more than 1 second), the
telemetries of the FIRE block are the FIRE (output) current and the FIRE (output) voltage [Req.5.2.4e].
For actuators characterised by a short duration of the FIRE pulse (e.g. less than 1 second), the
telemetry of the FIRE block is a peak FIRE status, providing a bi-level digital signal identifying if the
monitored fired current was larger than a given threshold of the expected firing current during a
period of time greater than a given fraction of the expected FIRE current [Req.5.2.4d].
The reason for the different implementation for long and short FIRE duration cases depends on the
need to simplify the electronics for short pulses: the recording of the FIRE event voltage and current
with the due time resolution can require memory storage capabilities, fast current and voltage
acquisition circuits, etc.
It is considered that such effort does not make sense in general for recurrent actuator electronics
products: for generic products, the peak FIRE status approach seems more than adequate to have a
confirmation of a successful FIRE pulse being transferred to the relevant actuator.
Both the nominal and the redundant FIRE telemetries are provided both to the nominal and to the
redundant acquisition chains [Req.5.2.4a].
During AIT, when actuators are installed and the actuator electronics is operational, an inhibition
strap is normally present to prevent an incorrect procedure or an operator error from resulting in
unwanted firing.
The inhibition strap normally acts on the FIRE block to prevent the FIRE ON command from being executed
[Req. 5.2.3g].
5.4 Actuators electronic, timing sequence
The typical timing sequence of actuators electronics is provided in Figure 5-13.
The FIRE event is contained within the SELECT action of the specific actuator line i (i=1…n), which is
contained within the ARM action [Req.5.1.1a], [Req.5.1.1b].
In other words, and referring to Figure 5-13, if t0 is the time when ARM is enabled,
t0 < t1 < t2 < t3 < t4 < t5
where
• t0 is the time when ARM is enabled,
• t1 is the time when SELECT (specific line) is enabled,
• t2 is the time when FIRE ON pulse is executed,
• t3 is the time when FIRE OFF pulse is executed,
• t4 is the time when SELECT (specific line) is disabled,
• t5 is the time when ARM is disabled.

Figure 5-13: Actuators electronics timing sequence
Different SELECT lines can be selected within the same ARM event, each with its own FIRE pulse
occurrence [Req.5.1.1c], as shown in Figure 5-14.
The reason for [Req.5.1.1a], [Req.5.1.1b] and [Req.5.1.1c] is to switch the ARM and SELECT lines at zero
current: current flows in the lines only while FIRE is commanded.
Figure 5-14: Actuators electronics timing sequence, different selected lines
Before a FIRE execution is authorised, it is important to be able to check the status of the SELECT
lines and to confirm that no line other than the one intended for firing is enabled ([Req.5.2.2g]). If,
for any reason (a failure or any spurious effect), another line is short-circuited, enabled or connected,
measures are to be taken so that the FIRE execution does not take place, unless that is acceptable
from a system point of view (e.g. it does not result in critical mechanical interference or other
unwanted effects).
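As an added illustration of the sequencing and pre-fire checks described in this section (example code written for this page, not taken from the handbook or the standard), the following Python model enforces the ARM / SELECT / FIRE nesting of Figure 5-13 (t0 < t1 < t2 < t3 < t4 < t5), the AIT inhibition strap, and the check of [Req.5.2.2g] that no SELECT line other than the intended one is enabled, including the case of a selection switch failed closed. The class, method and event names are assumptions.

```python
"""Interlock model of an actuator electronics ARM / SELECT / FIRE sequence.

Added example, not code from the ECSS handbook: class, method and event names
are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field


class InterlockError(Exception):
    """A command that would violate the barrier sequence is refused."""


@dataclass
class ActuatorElectronics:
    n_lines: int                          # actuator lines i = 1..n
    inhibition_strap: bool = True         # strap fitted during AIT: FIRE ON disabled
    armed: bool = False
    firing: bool = False
    selected: set = field(default_factory=set)   # lines commanded to SELECT
    shorted: set = field(default_factory=set)    # select switches failed closed
    events: list = field(default_factory=list)   # ordered event log

    def select_status(self) -> set:
        """SELECT status telemetry: a line reads enabled whether commanded or shorted."""
        return self.selected | self.shorted

    def arm(self) -> None:
        if self.armed:
            raise InterlockError("ARM already enabled")
        self.armed = True
        self.events.append("ARM")

    def select(self, line: int) -> None:
        if not 1 <= line <= self.n_lines:
            raise InterlockError(f"line {line} out of range")
        if not self.armed:
            raise InterlockError("SELECT commanded before ARM")
        if self.firing:
            raise InterlockError("SELECT switched under current")
        self.selected.add(line)
        self.events.append(f"SELECT {line}")

    def fire_on(self, line: int) -> None:
        """FIRE ON is authorised only after the pre-fire checks pass."""
        if not self.armed or line not in self.selected:
            raise InterlockError("FIRE ON without ARM and SELECT")
        if self.inhibition_strap:
            raise InterlockError("inhibition strap present: FIRE ON disabled")
        others = self.select_status() - {line}   # any other line enabled?
        if others:
            raise InterlockError(f"other SELECT lines enabled: {sorted(others)}")
        self.firing = True
        self.events.append(f"FIRE ON {line}")

    def fire_off(self, line: int) -> None:
        if not self.firing:
            raise InterlockError("FIRE OFF without FIRE ON")
        self.firing = False
        self.events.append(f"FIRE OFF {line}")

    def deselect(self, line: int) -> None:
        if self.firing:
            raise InterlockError("SELECT switched under current")
        self.selected.discard(line)
        self.events.append(f"DESELECT {line}")

    def disarm(self) -> None:
        if self.selected or self.firing:
            raise InterlockError("ARM switched with a line still selected")
        self.armed = False
        self.events.append("DISARM")


def fire_lines(ae: ActuatorElectronics, lines) -> list:
    """Nominal sequence of Figure 5-14: one ARM window, one FIRE pulse per line."""
    ae.arm()
    for line in lines:
        ae.select(line)
        ae.fire_on(line)
        ae.fire_off(line)
        ae.deselect(line)
    ae.disarm()
    return list(ae.events)


def refused(ae: ActuatorElectronics, action) -> str:
    """Run one command; return the interlock message, or '' if it was accepted."""
    try:
        action(ae)
    except InterlockError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    # Strap removed for flight: lines 1 and 3 fire in the same ARM window.
    print(fire_lines(ActuatorElectronics(n_lines=4, inhibition_strap=False), [1, 3]))
    # Constructed fault: select switch of line 2 failed closed, firing line 1 is refused.
    faulty = ActuatorElectronics(n_lines=4, inhibition_strap=False, shorted={2})
    faulty.arm()
    faulty.select(1)
    print(refused(faulty, lambda a: a.fire_on(1)))
```

The `firing` flag is what makes the zero-current rule of [Req.5.1.1a] to [Req.5.1.1c] checkable: ARM and SELECT transitions are refused while a FIRE pulse is in progress, and a shorted selection switch shows up in the SELECT status telemetry and blocks FIRE ON.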
5.5 Actuator electronics, failure tolerance
5.5.1 Double failure tolerance
Double failure tolerance relates to safety.
The double failure tolerance is demonstrated at overall system level (including hardware failures and
also operator errors) when the associated consequences are catastrophic; this is required and defined
in the ECSS standards and also in launcher requirements such as:
a. CSG safety regulations, see Payload Safety handbook, CSG-NT-SBU-16687-CNES (see Annex B);
b. ECSS-Q-ST-40 (requirements 6.4.2.1a to 6.4.2.1e).
This double failure requirement applies to ground activities only: for example within the large
system integrator facilities, in the launch site clean room, and on the launcher on the launch pad.
During the ascent phase, any propagation from the spacecraft to the launcher is classified as “severe”,
“critical” or “serious” (consequences), requiring only a one-failure tolerant design.
Therefore, the electrical actuator circuitry shall be designed on the basis of the system-level safety
analysis of severity, bearing in mind that extra barriers can be constituted and added to this
analysis.
Historically, only explosive pyrotechnic devices were used as deployment devices; an inadvertent pyro
activation or an inadvertent deployment (solar array, antenna, …) is likely to kill AIT personnel, so
the consequences are systematically classified as catastrophic with respect to human injury.
For this reason, the electrical design of the activation line implements three barriers or switches
(SELECT, ARM and FIRE).
On top of these, the inhibition strap (which physically inhibits the activation commands as long as the
spacecraft is on the launcher) was introduced as an additional barrier, considering that the software
is by nature designed to start the complete deployment sequence automatically.
Even with the implementation of 3 barriers there may be cases where double failure tolerance is not
met by the electrical actuator circuitry itself.
For example, a failure in a commanding chain that uses the same physical interface for several
barriers could activate more than one barrier or select more than one output.
Nowadays, a larger variety of actuators is considered (such as non-explosive actuators or release
systems based on a heating concept); the safety classification of an inadvertent activation of such
devices is open to discussion, and the criticality can fall below catastrophic. In principle, this opens
the door to adapting the electrical design of the actuation system compared to the state of the art.
Considering that the only event to be analysed is the “inadvertent release and associated
consequences” resulting from a failure or an operational occurrence, the process is the following:
a. To identify the “severity” associated with the risk-related activity in the spacecraft large system
integrator facilities and on the launch pad; it is important that this assessment considers the
operations (e.g. the pyro safe plug is one barrier as long as it is connected) and the different
phases, and also the presence of personnel (and the potential impact on them) depending on the
AIT operations. For example, a “restricted area” around deployable appendages can be put in place
during specific phases of satellite integration and test, in order to protect people from injury.
b. To specify, per phase, per activity and per function, the level of failure tolerance required,
c. To sum up all the barriers per phase,
d. To demonstrate how these barriers are managed and controlled.
It appears that such a process can lead to different solutions, satellite and mission dependent, which
is counterproductive in the frame of a standardisation effort.
The conclusion of the working group, and of the resulting standard, was therefore to consider a single
interface (for standardisation reasons) based on the “worst case” consequence of an inadvertent
release of the actuator, i.e. to implement 3 barriers as is currently done. This has the benefit of:
a. Standardised circuitry for many possible actuator types, which also gives flexibility in the
allocation of the lines,
b. A single SW elementary module,
c. A single operational procedure,
d. A safety file and justification that are nearly reusable (i.e. best practice).
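As an added example of the barrier bookkeeping in steps a. to d. above (example code written for this page, not from the handbook or the standard), the following Python snippet computes the failure tolerance achieved by a set of barriers per phase and compares it with the tolerance required by the consequence class. Barriers that share a failure domain, such as two barriers commanded over the same physical interface, fall together on one failure and therefore count as a single barrier, which is the case described above where 3 barriers do not give double failure tolerance. The `Barrier` class, the phase names, the failure-domain labels and the tolerance table are assumptions built from the text of this section.

```python
"""Failure-tolerance bookkeeping for the barriers on an actuation line.

Added example, not from the ECSS handbook: the Barrier class, phase names
and 'failure_domain' labels are assumptions used to illustrate steps a. to d.
A barrier is defeated by one failure (or operator error) in its failure
domain; barriers sharing a domain fall together on a single failure.
"""
from dataclasses import dataclass

# Tolerance the section above associates with each consequence class (assumed
# table): catastrophic consequences need a two-failure tolerant design on the
# ground, the lower classes a one-failure tolerant design.
REQUIRED_TOLERANCE = {"catastrophic": 2, "critical": 1}


@dataclass(frozen=True)
class Barrier:
    name: str
    failure_domain: str   # the single failure that defeats this barrier
    present: bool = True  # a safe plug / strap is a barrier only while connected


def failure_tolerance(barriers) -> int:
    """Independent failures tolerated before an inadvertent release.

    One failure can defeat every barrier of one domain, so a release needs as
    many failures as there are distinct domains among the present barriers;
    the tolerance is that number minus one (-1 means release needs no failure).
    """
    domains = {b.failure_domain for b in barriers if b.present}
    return len(domains) - 1


def assess(phases: dict) -> dict:
    """Steps b. to d.: per phase, achieved vs required tolerance and a verdict."""
    report = {}
    for phase, (severity, barriers) in phases.items():
        achieved = failure_tolerance(barriers)
        required = REQUIRED_TOLERANCE[severity]
        report[phase] = {"achieved": achieved, "required": required,
                         "ok": achieved >= required}
    return report


# Constructed sample: three hardware barriers driven by independent chains,
# plus the inhibition strap, whose failure domain is the handling procedure.
ARM = Barrier("ARM", "arm command chain")
SELECT = Barrier("SELECT", "select command chain")
FIRE = Barrier("FIRE", "fire command chain")
STRAP = Barrier("inhibition strap", "strap handling procedure")
STRAP_REMOVED = Barrier("inhibition strap", "strap handling procedure", present=False)

# Same barriers, but ARM and SELECT commanded over one shared interface: a
# single failure of that interface can activate both barriers at once.
ARM_SHARED = Barrier("ARM", "shared command interface")
SELECT_SHARED = Barrier("SELECT", "shared command interface")

SAMPLE_PHASES = {
    "AIT, strap fitted":
        ("catastrophic", [ARM, SELECT, FIRE, STRAP]),
    "AIT, strap fitted, shared ARM/SELECT interface":
        ("catastrophic", [ARM_SHARED, SELECT_SHARED, FIRE, STRAP]),
    "AIT, strap removed for test, shared ARM/SELECT interface":
        ("catastrophic", [ARM_SHARED, SELECT_SHARED, FIRE, STRAP_REMOVED]),
    "ascent, strap removed":
        ("critical", [ARM_SHARED, SELECT_SHARED, FIRE]),
}

if __name__ == "__main__":
    for phase, result in assess(SAMPLE_PHASES).items():
        print(f"{phase}: {result}")
```

Run as a script, the report shows the third sample phase failing: with the strap removed and ARM and SELECT on a shared interface, only two independent domains remain, so the circuitry is one-failure tolerant where the catastrophic classification demands two.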
5.5.2 Single failure tolerance
Generally speaking, the actuator electronics is designed to be one failure tolerant, both for the
no-actuation case and for the unwanted-actuation case:
• No-actuation case: after any single failure in the actuator electronics, the actuation pulse is
still delivered at least to the nominal or to the redundant actuator. This requirement is
normally implemented by full redundancy of the actuator electronics (duplication of all
circuitry into a nominal and a redundant part).
• Unwanted-actuation case: after any single failure in the actuator electronics, no unwanted
actuation pulse is delivered to either the nominal or the redundant actuator
([Req. 5.1.2.a]).
This requirement is normally implemented in the actuator electronics by the presence of the
three physical barriers (ARM, SELECT, FIRE) and a careful design of the circuits driving them.
[Req. 5.2.3c] specifies that the single failure tolerance requirement also includes the complete
command line to the actuator electronics.
Note that the complete command line includes not only the command receiver in the actuator
electronics but also the transmitter that issues the commands to it (Remote Terminal Unit or
other).
To fulfil [Req. 5.2.3c], the circuits delivering the commands to each of the nominal and redundant
barriers (ARM, SELECT, FIRE) are segregated so that no common failure mechanism exists that could
prevent the transfer of both the nominal and the redundant command ([Req. 5.2.2b], [Req.5.2.2k]).
Note that a spurious command, caused for example by a failure in the command line, can activate
one of the barriers (for example ARM); this is generally allowed thanks to the presence of the other
barriers (in this case, SELECT and FIRE).
An exception to the previous statement arises if a failure occurs in the SELECT barrier (a short
circuit of a selection switch): this can cause the actuation of the intended line (as requested) but
also of the line whose selection switch is shorted.
Th
...
