ESA Mission classification and evolution of ESA RAMS approach for COTS EEE

Posted by Enmanuel Rouvier
On December 4, 2019
0

Agenda

ESA Mission Classification Proposal
COTS and RAMS
NRPM Study Overview

ESA Mission Classification Proposal

NEW CHALLENGES IN SPACE

Space is transitioning from a low-volume business dominated by public organisations to a highly competitive and dynamic business environment
Industry has an active role and demands higher effectiveness and efficiency to achieve low cost and time to market.
ESA Technology Strategy aims at boosting international competitiveness through the establishment of concrete and measurable ambitious targets.
ESA needs to introduce new working methods aiming at reducing cost and development times.
The growing interest in the application of COTS (Commercial Off The Shelf: EEE Parts, Software, etc…) in institutional missions is an example of this increasing need.

ESA MISSION CLASSIFICATION

Traditional management based on probability of failure is an output of mission analysis rather than an input to tailoring project requirements.
The establishment of a mission classification allows project and PA&S managers to define the appropriate management controls,
systems engineering as well as product assurance and safety requirements for their mission.
Probability of failure management becomes a systematic process for optimizing resources in accordance with relevant criteria
following specific project constraints, such as mission cost, mission lifetime, complexity, technology maturity, etc
It facilitates to effectively communicate the acceptable level of mission probability of failure throughout the supply chain.

MISSION CLASSIFICATION DEVELOPMENT
dev Considerations

Scope:
- All ESA space projects following the product lifecycle of ECSS-M-ST-10C and for which the Policy for ESA Project Reviews is applicable. In addition, it should applies to IOD/IOV space projects and small satellite developments funded and managed by the Agency. At this stage, the proposal does not apply to launch and ground systems. Application is at the discretion of the responsible ESA Directorate.

Background:
- Assessment performed of NASA Mission Risk Classification (NASA NPR 8705.4) for NPR 7120.5-projects (update on going)
- Consideration given to Science Directorate mission categories (Large, Medium, Small, Fast, Opportunity).

Inside specific mission, any subsystem or equipment that constitutes part of a mission may be separately classified.
The system does not contain (yet!) a tailoring of project management, system engineering or product assurance requirements (similar to Appendix C of NPR 8705.4).
How do CFIs fit into this picture? e.g. provided Payload instruments managed with non ESA funding and consequently very low influence in any design and development decisions?
This Mission Classification is a preliminary proposal, and not a validated model (validation expected by Q1 2020)
How should we take into consideration the aspect of volume/manufacturing?

MISSION CLASSIFICATION PROPOSAL

Class A: Lowest probability of failure acceptance by design
- Manned mission or a mission of exceptional priority in terms of its objectives, the failure of which would have extreme consequences to public safety or/and to ESA image.
Class B: Low probability of failure acceptance
- This would represent a high priority and an asset whose loss would constitute a high impact to public safety or/and to ESA strategy.
Class C: Moderate probability of failure acceptance
- Typically an in-orbit demonstration mission whose loss would result in a loss or delay of some ESA objectives. New technologies may be employed requiring innovative approach.
Class D: Cost and schedule are on equal or greater considerations compared to mission success risks
- Technical probability of failure is medium by design. ESA oversight without much need for interim reporting.
Class X: Highest probability of failure acceptance by design
- Short project life cycle and mission duration and low budget. High technical probability of failure by design. Typically perform a number of scientific research or educational functions and explore new space technologies. ECSS standards are specifically tailored e.g. Cubesats.

proposal

LESSONS LEARNED FROM NASA RISK CLASSIFICATION

Increasing probability of failure acceptance level (from A to D, X) leads to:
- Greater understanding of expectations throughout the supply chain.
- Increased effective use of limited resources.
- Less burden by requirements that may not affect the actual project risks.
- Less formal documentation in lower criticality projects (it does not exempt the project from sound engineering practice)

WHY CLASS “X”?

It differentiates nominal project types from R&D / educational CubeSats since there is increasing demand for ESA support to CubeSat projects
It is similar to NASA “do no harm” category
Minimum set of requirements are needed for Class “X” projects.
(Highly) reliable “CubeSat”-like projects should be class D.
Class “X” should not be a catchall box for anything undefined.

Mission Classification: Take Away

The ESA mission classification proposal is “work in progress”
It allows to focus resources and have a better understanding of expectations
It is a guide that cannot replace best engineering practices
Class A missions can have class X elements, and class D can have class A

COTS and RAMS (Reliability, Availability, Maintainability, Safety)

System criticality categories adopted by the COTS WG (ESA-TEC-EX-015073)

table

Criticality Categories in detail (ESA-TEC-EX-015073)

Q1 Criticality Category scope

The mission radiation environment (TID) should be limited to 10-15 krad(Si)
The mission operational duration should be limited to few years, typically less than one-three years, to reduce SEE probability
Equipment, subsystem or system of criticality category Q1 are not suitable (as part) of platform item that are essential for re-entry within 25 years or more
Items belonging to Criticality category Q1 should not harm satellite passivation if it is applicable

Q2 Criticality Category scope

The mission radiation exposure TID at component level should be limited to <5 Krad(Si)
The mission operational duration should be limited to few months, typically less than one year, to reduce SEE probability
Equipment, subsystem or system of criticality category Q2 are not suitable as (part of) platform item that are essential for re-entry within 25 years or less (LEO)
Items belonging to Criticality category Q2 should not harm satellite passivation if it is applicable

Q1&Q2 RAMS relevant aspects

Safety

COTS components and modules involved in safety related functions should provide the same design features and qualification evidences required to category Q0 components and modules according to the safety requirements defined by relevant Safety Launch Authority during launch phase and by national laws and regulations during AIT operations.

Dependability

COTS components and modules failures of lower risk class should not propagate to interfacing module, equipment and subsystem functions.

A minimum set of telemetries should be provided to guarantee the required level of failure observability at system level.

aspects Q1 RAM relevant aspects

Reliability quantitative requirement at system level might be specified (New Reliability Prediction Methodology Aimed at Space Application may be used)
Testing activity should be focused to reliability growth (e.g. aimed at the identification of all possible failure modes).
FMECA (Failure Mode Effect & Criticality Analysis) should demonstrate absence of failure propagation and failure prevention and ompensation.
COTS components and modules category Q1 shall not be critical SPF (e.g. not causing potentially critical effects to the system – see ECSS-Q-ST-30 classification).
At system level, autonomous recovery should be exploited as possible
At system level, robust FDIR (Failure Detection Isolation and Recovery) should be designed and implemented.

aspects Q2 RAM relevant aspects

No reliability quantitative requirement are specified for items (modules, equipment, subsystem) belonging to criticality category Q2
FMECA should demonstrate absence of failure propagation.
COTS components and modules may be accepted as SPF.
A minimum set of telemetries should be provided to guarantee the required level of failure observability at system level.
The outage budget should be set considering the unavailability of the module, equipment or subsystem due to RHA limitations.
Since autonomous recovery is expected to be very limited, availability requirement should be set considering that recovery (for example from SEFI or SEL) is mainly implemented by telecommands.

NRPM (New Reliability Prediction Methodology) Study Overview

New Reliability Prediction Methodology Study

Main Objectives

Development of a new Reliability Prediction (RP) methodology for space applications, aiming to overcome the limitations and shortcomings of methods and approaches currently used in practice.

Project and Handbook scope

A) Reliability Prediction

Availability, Maintainability and Safety out of scope

B) Space Applications

Reliability prediction for systems that operate in space – e.g. spacecraft
Focus on unmanned spacecrafts (technology coverage)

Study to be completed by end of Q2 2020

Coverage of the New Reliability Prediction Methodology

Different failure root causes (Random, Systematic, Wear-Out, Extrinsic)
Different technical domains (EEE, Mechanical, Miscellaneous)
Different levels (e.g. part, equipment/unit, spacecraft)

An overall framework and methodology is needed to cover the specific needs and constraints of space applications

For EEE & random failures, the FIDES methodology was identified as a good candidate methodology and applicable for the COTS EEE,
though:

Consistency with the overall NRPM framework needs to be ensured
Requiring some customization for space applications:
- Space adaptation and simplification of Π factors
- Space mission profiles
- Consideration of specific technologies
Performance vs. in-orbit return to be confirmed during the study

Acknowledgements