reference ate ssue - emits invitation to...

CONTROLLED DISTRIBUTION REFERENCE :

DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 2/106

All rights reserved, 2007, Thales Alenia Space 100181547K-EN

CONTROLLED DISTRIBUTION

CHANGE RECORDS

ISSUE DATE § CHANGE RECORDS AUTHOR

1 17-07-06 First issue for Proposal. PA Team

2 20-10-06 Document re-issued according to ESA comments as per fax RES-PSO/CB/cag/06.516 of 28 September 2006.

PA Team

3 19-04-2007 Document re-issued according to ESA comments as per E-mail dated 04/12/2006 and fax Ref. EOP-PW/PS/0027/2007 dated 25-01-2007: Sections interested by comments. General PA, RAMS and SW PA. EEE Parts. Radiation. and PA &Safety Requirements issue 2.1 of 5 february 2007.

4 27/07/2007 Document n° Change from “S1-RS-AAS-PA-0059” to “S1-RS-TASI-PA-0059” for configuration purposes.

Paragraph 3.1: Radiation environment applicable document changed to S1-RS-AAS-PA-084 Spacecraft radiation, meteoroids and debris environment.

Paragraph 7.4, Change from: “All flight equipment shall be analysed to determine individual part stresses (voltage, current power, temperature, etc.) in transient as well as in steady state conditions and the reference equipment temperature to be used in the analyses shall be the maximum acceptance temperature.”

To: “All flight equipment shall be analysed to determine individual part stresses (voltage, current power, temperature, etc.) in transient as well as in steady state conditions and the reference equipment temperature to be used in the analyses shall be the worst-case operating temperature.”

Paragraph 7.4.1, Change from: “All part temperatures are calculated at the maximum specified acceptance test temperature of the applicable assembly including any temperature rise from the component baseplate to the part location.”

To: “All part temperatures are calculated at the worst-case operating temperature conditions taking into account the unit thermal analysis.”

Paragraph 7.6.4.2, Change from: “The final assessment of each design shall incorporate failure rates derived from the calculated stress ratios and the average operating temperature of the units or equipment.”


DATE :

S1-RS-TASI-PA-0059 12-09-2007




To: “The final assessment of each design shall incorporate failure rates derived from the calculated stress ratios and the unit base plate average operating temperature.”

Change from: “Reliability assessment at unit level shall be performed over the complete acceptance temperature range (with a minimum of four temperature values), with a reliability target fixed for a typical average baseplate temperature. When performing the reliability assessment at upper level (assembly or subsystem), the unit average temperature specific to the concerned application is considered.”

To: "Reliability assessment shall be performed over the complete unit operating temperature range (with a minimum of four temperature values) taking into account the unit thermal analysis; the reliability target is defined at a typical average baseplate temperature. When performing the reliability assessment at upper level (assembly or subsystem), the unit average temperature specific to the concerned application is considered."

Paragraph 13.3:

Changed reference to environmental specification.

Paragraph 13.4.1:

Defined minimum parts radiation hardness.

Paragraph 13.4.2.1:

Updated references for clarification.

Deleted ELDRS sentence.

Added ESA test plan approval.

Paragraph 13.4.4:

spacecraft structure: removed TBC.

table 3: spacecraft thickness updated.

Paragraphs 13.5.1.1, 13.5.3, 13.5.4, 13.5.5:

Added ESA test plan approval.

Paragraph 13.5.1.2:

Added reference to para. 13.5.8.

Paragraph 13.5.6:

Added ESA SEE rate calculation approval.

Paragraph 13.6:

Paragraph updated to introduce Sentinel-1 orbit characteristics.


DATE :

S1-RS-TASI-PA-0059 12-09-2007




5 12/09/2007 Paragraph 3.1: Added RS-TASI-PA-0096 GMES SENTINEL-1 S/W Product Assurance Requirement for SUB-Contractors

Paragraph 7.6.4.2,

Change from: "Reliability assessment shall be performed over the complete unit operating temperature range (with a minimum of four temperature values) taking into account the unit thermal analysis; the reliability target is defined at a typical average baseplate temperature. When performing the reliability assessment at upper level (assembly or subsystem), the unit average temperature specific to the concerned application is considered."

To: "Reliability assessment shall be performed over the complete unit operating temperature range (with a minimum of four temperature values: average base plate temperature ± 5°C, ± 10°C) taking into account the unit thermal analysis; the reliability target is defined at a typical average baseplate temperature of 35°C. When performing the reliability assessment at upper level (assembly or subsystem), the unit average temperature specific to the concerned application is considered."

Paragraph 11: Updated to add reference to S/W PA requirements Doc. (S1-RS-TAS-I-PA-0096)

Paragraph 13.4 and Paragraph 13.6.2:

Added applicable document reference (S1-RS-TASI-PA-0084).

Paragraph 13.5.1

Change value of the LETth>100 MeV.cm2/mg to LETth>60 MeV.cm2/mg

Paragraph 13.5.1

Change value of the LETth>70 MeV.cm2/mg to LETth>60 MeV.cm2/mg

Paragraph 14: New paragraph to detail GSE requirements.


DATE :

S1-RS-TASI-PA-0059 12-09-2007




Table of Contents

1. SCOPE ...............................................................................................................................11

2. APPLICABILITY.................................................................................................................11

3. DOCUMENTS.....................................................................................................................11

3.1 Applicable Documents (Standards).....................................................................................................11

3.2 Reference Documents ..........................................................................................................................14

4. ABBREVIATIONS ..............................................................................................................14

5. PA&S PROGRAMME.........................................................................................................15

5.1 PA&S Plan .............................................................................................................................................15

5.2 Right of Access.....................................................................................................................................15

5.3 Participation ..........................................................................................................................................16

5.4 PA&S Progress Reporting ...................................................................................................................16

5.5 PA&S Databases ...................................................................................................................................16

6. QUALITY ASSURANCE ....................................................................................................16

6.1 PA&S Audit Programme .......................................................................................................................16

6.2 Critical Items Control............................................................................................................................17

6.3 Non-conformance Control System ......................................................................................................17

6.4 Alert System..........................................................................................................................................18

6.5 Handling, Storage, Preservation..........................................................................................................18

6.6 Cleanliness and Contamination Control .............................................................................................18

6.7 Test Facilities ........................................................................................................................................19

6.8 Test Reports..........................................................................................................................................19

6.9 Packaging, Marking and Labelling, Transportation ...........................................................................19

7. DEPENDABILITY ASSURANCE ....................................................................................... 20


DATE :

S1-RS-TASI-PA-0059 12-09-2007




7.1 SCOPE ...................................................................................................................................................20

7.2 FAILURE MODES, EFFECTS ANALYSES (FMEA) ..............................................................................21 7.2.1 General .................................................................................................................................................... 21 7.2.2 FMEA Approach ...................................................................................................................................... 21 7.2.3 Definition of Single Point Failure (SPF) and inputs for Critical Items List (CIL) .................................... 22 7.2.4 FMEA Contents ....................................................................................................................................... 22 7.2.5 Severity Classification ............................................................................................................................. 22 7.2.6 FMEA Report ........................................................................................................................................... 23 7.2.7 Product Design FMEA ............................................................................................................................. 24

7.3 HARDWARE SOFTWARE INTERACTION ANALYSIS ..........................................................................25

7.4 PARTS APPLICATION REVIEW ............................................................................................................25 7.4.1 Part Derating Criteria............................................................................................................................... 26

7.5 WORST CASE ANALYSIS (WCA).........................................................................................................26 7.5.1 General .................................................................................................................................................... 26 7.5.2 Analysis Method ...................................................................................................................................... 27

7.6 RELIABILITY ASSESSMENT ................................................................................................................27 7.6.1 General .................................................................................................................................................... 27 7.6.2 Reliability assessment assumptions ....................................................................................................... 28 7.6.3 Mission and system definition ................................................................................................................. 28 7.6.4 Failure rates standards............................................................................................................................ 29

7.6.4.1 Programme failure rates ................................................................................................................. 29 7.6.4.2 Failure rate and thermal and electrical stress derating ................................................................. 29 7.6.4.3 Failure rate adjustment factors....................................................................................................... 29 7.6.4.4 Quality factor equivalences ............................................................................................................ 30

7.6.5 Reliability assessment documentation.................................................................................................... 30

7.7 AVAILABILITY/OUTAGE ANALYSES...................................................................................................31 7.7.1 General .................................................................................................................................................... 31 7.7.2 Method ..................................................................................................................................................... 31 7.7.3 Outputs..................................................................................................................................................... 31

7.8 MAINTAINABILITY ................................................................................................................................32 7.8.1 Scope ....................................................................................................................................................... 32 7.8.2 Design requirements ............................................................................................................................... 32 7.8.3 Maintenance ............................................................................................................................................ 33

8. SAFETY..............................................................................................................................33

8.1 SCOPE ...................................................................................................................................................33

8.2 SAFETY PROGRAM ..............................................................................................................................34

8.3 GENERAL SAFETY DESIGN PROVISIONS .........................................................................................35 8.3.1 Hazard Levels .......................................................................................................................................... 35 8.3.2 Hazard Reduction and Control................................................................................................................ 35 8.3.3 Unresolved Residual Hazards................................................................................................................. 36 8.3.4 Fault Tolerance........................................................................................................................................ 36 8.3.5 Control of Hazardous Functions ............................................................................................................. 37


DATE :

S1-RS-TASI-PA-0059 12-09-2007




8.3.6 Safety Critical Items for Ground Handling and Testing Operations....................................................... 37

8.4 FLIGHT SYSTEMS SAFETY PROVISIONS...........................................................................................37 8.4.1 Liquid Propellant Propulsion System ...................................................................................................... 37 8.4.2 Failure Propagation ................................................................................................................................. 38

8.4.2.1 Redundancy Separation ................................................................................................................. 38 8.4.3 Structural.................................................................................................................................................. 38

8.4.3.1 Structural Design ............................................................................................................................ 38 8.4.3.2 Stress Corrosion ............................................................................................................................. 38 8.4.3.3 Pressure Systems........................................................................................................................... 38

8.4.4 Hazardous Materials................................................................................................................................ 39 8.4.5 Flammable Materials ............................................................................................................................... 39 8.4.6 Pyrotechnics Subsystem ......................................................................................................................... 39 8.4.7 Radiation Subsystem............................................................................................................................... 40

8.4.7.1 Non Ionising Radiation ................................................................................................................... 40 8.4.8 Electrical Subsystems ............................................................................................................................. 41

8.5 GROUND SUPPORT EQUIPMENT SAFETY PROVISIONS .................................................................41

8.6 SAFETY ANALYSES .............................................................................................................................41 8.6.1 Safety Analysis Process.......................................................................................................................... 42

8.6.1.1 Phase 0 Safety Review (Design Concept) .................................................................................... 43 8.6.1.2 Phase 1 Safety Review (PDR or Equivalent) ................................................................................ 43 8.6.1.3 Phase 2 Safety Review (CDR or Equivalent) ................................................................................ 43 8.6.1.4 Phase 3 Safety Review (Acceptance and Delivery) ...................................................................... 43

8.6.2 Flight Systems Hazard Report Data Submittal ....................................................................................... 45 8.6.2.1 Control of Hazardous Functions..................................................................................................... 45 8.6.2.2 Structural......................................................................................................................................... 45 8.6.2.3 Pressure Vessels ............................................................................................................................ 45 8.6.2.4 Pressurised Lines, Fittings and Other Components...................................................................... 46 8.6.2.5 Heat Pipes....................................................................................................................................... 46 8.6.2.6 Hazardous Materials....................................................................................................................... 46 8.6.2.7 Pyrotechnics ................................................................................................................................... 46 8.6.2.8 Non Ionising Radiation ................................................................................................................... 47 8.6.2.9 Electrical Systems .......................................................................................................................... 47 8.6.2.10 Hazardous Procedures .............................................................................................................. 47 8.6.2.11 Flammable Atmospheres ........................................................................................................... 47

8.6.3 Ground Support Equipment Report Data Submittal ............................................................................... 48 8.6.3.1 Mechanical Ground Support Equipment (MGSE) ......................................................................... 48 8.6.3.2 Electrical Ground Support Equipment (EGSE).............................................................................. 48 8.6.3.3 Tanking GSE................................................................................................................................... 48

8.7 SAFETY REVIEWS AND MEETINGS ....................................................................................................49

8.8 SAFETY AUDITS ...................................................................................................................................49

8.9 SAFETY TRAINING AND CERTIFICATION ..........................................................................................50

8.10 ACCIDENT/INCIDENT REPORTING AND INVESTIGATION ................................................................50

9. EEE COMPONENTS ..........................................................................................................51

9.1 GENERAL ..............................................................................................................................................51


DATE :

S1-RS-TASI-PA-0059 12-09-2007




9.2 RESPONSIBILITY ..................................................................................................................................51

9.3 Engineering requirements for parts ....................................................................................................51

9.4 General ..................................................................................................................................................51

9.5 Parts selection ......................................................................................................................................52 9.5.1 General rules ........................................................................................................................................... 52 9.5.2 Prohibited Parts ....................................................................................................................................... 52 9.5.3 Parts selection ......................................................................................................................................... 53

9.6 Radiation sensitivity .............................................................................................................................54

9.7 Derating .................................................................................................................................................54

9.8 Materials ................................................................................................................................................54

9.9 Procurement requirements ..................................................................................................................54 9.9.1 Minimum screening requirements........................................................................................................... 54 9.9.2 Lot Acceptance Testing (LAT)/ Lot Validation Test (LVT)/ Quality Conformance Inspection (QCI)/Technology Conformance Inspection (TCI) ............................................................................................... 55

9.9.2.1 ESA/ESCC System qualified parts ................................................................................................ 55 9.9.2.2 MIL-System qualified parts............................................................................................................. 55 9.9.2.3 LAT/LVT/QCI/TCI for non-qualified Parts ...................................................................................... 55 9.9.2.4 Use of life test samples .................................................................................................................. 55

9.9.3 Special parts, components and units requirements ............................................................................... 56 9.9.3.1 EEPROMs....................................................................................................................................... 56 9.9.3.2 Application-Specific and Custom Integrated Circuits, Programmable devices ............................ 56 9.9.3.3 GaAs FETs...................................................................................................................................... 57 9.9.3.4 In-house manufactured parts ......................................................................................................... 58 9.9.3.5 Procured hybrids............................................................................................................................. 60 9.9.3.6 RF switches .................................................................................................................................... 60 9.9.3.7 Ancillary RF Components............................................................................................................... 60 9.9.3.8 Non Qualified, low ESR, Solid Tantalum Chip Capacitors ............................................................ 60 9.9.3.9 Qualified, Surface mounted tantalum capacitors .......................................................................... 61 9.9.3.10 ELECTRO-OPTICAL DEVICES ................................................................................................ 61

9.9.4 Radiation lot acceptance testing (RADLAT) ......................................................................................... 61 9.9.5 Procurement specification ....................................................................................................................... 61

9.9.5.1 Upgrading/Screening ...................................................................................................................... 62 9.9.6 Off-the-shelf parts .................................................................................................................................... 62

9.10 Parts approval.......................................................................................................................................63 9.10.1 Approval process ................................................................................................................................ 63 9.10.2 Parts Control Board (PCB) ................................................................................................................. 63 9.10.3 Parts Approval Document PAD .......................................................................................................... 64 9.10.4 Declared Components list (D.C.L)..................................................................................................... 64 9.10.5 Radiation Approval Document ............................................................................................................ 65

9.11 Quality assurance for parts .................................................................................................................65

9.12 General ..................................................................................................................................................65

9.13 Manufacturer and part selection..........................................................................................................65


DATE :

S1-RS-TASI-PA-0059 12-09-2007




9.13.1 Part evaluation program...................................................................................................................... 66 9.13.1.1 Constructional analysis .............................................................................................................. 66 9.13.1.2 Manufacturer assessment.......................................................................................................... 66 9.13.1.3 Evaluation testing ....................................................................................................................... 67 9.13.1.4 Evaluation report ........................................................................................................................ 67

9.14 Radiation characterization ...................................................................................................................67

9.15 Procurement control.............................................................................................................................68

9.16 Incoming Inspection .............................................................................................................................68 9.16.1 General ................................................................................................................................................ 68 9.16.2 Destructive Physical Analysis (DPA).................................................................................................. 69

9.17 Receiving inspection for agency procured parts ...............................................................................69

9.18 Parts non conformances ......................................................................................................................69

9.19 Problem notifications/alerts.................................................................................................................70

9.20 Handling and storage ...........................................................................................................................70

9.21 Traceability............................................................................................................................................70

9.22 parts manufacturer's documentation requirements ..........................................................................71

9.23 FLOWDOWN OF REQUIREMENTS ......................................................................................................71

10. MATERIALS, MECHANICAL PARTS & PROCESSES ................................................. 72

10.1 Technical Requirements for Selection of Materials ...........................................................................72 10.1.1 VACUUM ............................................................................................................................................. 72 10.1.2 FORBIDDEN MATERIALS ................................................................................................................. 72 10.1.3 THERMAL CYCLING .......................................................................................................................... 73 10.1.4 ATOMIC OXYGEN.............................................................................................................................. 73 10.1.5 METEORITIC/DEBRIS ENVIRONMENT ........................................................................................... 73 10.1.6 ELECTROCHEMICAL COMPATIBILITY ........................................................................................... 73 10.1.7 CORROSION ...................................................................................................................................... 73 10.1.8 STRESS CORROSION ...................................................................................................................... 73 10.1.9 FLUID COMPATIBILITY ..................................................................................................................... 73 10.1.10 UV AND PARTICLE RADIATION....................................................................................................... 73 10.1.11 ALLOWABLE STRESS....................................................................................................................... 74 10.1.12 LIMITED LIFE TIME............................................................................................................................ 74

10.2 Processes..............................................................................................................................................74

10.3 Materials, Parts and Processes Lists ..................................................................................................74

11. SOFTWARE PRODUCT ASSURANCE ......................................................................... 75

12. OFF-THE-SHELF SPACE EQUIPMENT AND SOFTWARE .......................................... 76


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 10/106



13. RADIATION HARDNESS ............................................................................................... 76

13.1 GENERAL ..............................................................................................................................................76

13.2 SCOPE ...................................................................................................................................................76

13.3 SPACE RADIATION ENVIRONMENT ...................................................................................................77

13.4 TOTAL DOSE EVALUATION AND HARDNESS ...................................................................................77 13.4.1 Parts selection..................................................................................................................................... 77 13.4.2 Total dose radiation Lot Acceptance Test ( RADLAT )...................................................................... 77

13.4.2.1 Unhardened Parts ...................................................................................................................... 77 13.4.2.2 Hardened Parts .......................................................................................................................... 79

13.4.3 Use of Teflon ....................................................................................................................................... 79 13.4.4 Deposited Dose Calculation ............................................................................................................... 80 13.4.5 Worst Case Analysis ........................................................................................................................... 81

13.5 SINGLE EVENT PHENOMENA HARDNESS ASSURANCE .................................................................81 13.5.1 Non Destructive Single Event: parts selection and characterisation................................................. 82

13.5.1.1 Single Event Upset..................................................................................................................... 82 13.5.1.2 Single Event Transient ............................................................................................................... 83

13.5.2 Destructive Single Event..................................................................................................................... 83 13.5.2.1 Parts Characterisation................................................................................................................ 83

13.5.3 Single Event Latchup: Part Selection ................................................................................................. 83 13.5.4 Single Event Burnout: Part Selection ................................................................................................. 84 13.5.5 Single Event Gate Rupture: Part Selection ........................................................................................ 84

13.5.5.1 Single Event Hard Error ( stuck bit ): Part Selection ................................................................. 84 13.5.6 Single Event Effect Rate Calculation.................................................................................................. 85 13.5.7 Single Event Upset Effects Analysis .................................................................................................. 85 13.5.8 Single Event Transient Effects Analysis............................................................................................. 85 13.5.9 Destructive Single Effects Acceptance Criteria.................................................................................. 85

13.6 DISPLACEMENT DAMAGES ................................................................................................................86 13.6.1 Environment ........................................................................................................................................ 86 13.6.2 Parts Selection .................................................................................................................................... 87

13.7 RADIATION REVIEW.............................................................................................................................88

14. QUALITY ASSURANCE FOR GROUND SUPPORT EQUIPMENT (GSE) ........................... 103

14.1 Design, Configuration, Production and Test .....................................................................................103

14.2 Acceptance Data Package (ADP) and Manuals............................................................................103


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 11/106



1. SCOPE

This document defines the Product Assurance requirements applicable to the Sentinel-1 project. The satellite hardware shall be designed, manufactured and tested in compliance with these requirements, which are applicable to the Sub-contractors and suppliers. It is the responsibility of the Sub-contractors to tailor these requirements to suppliers and to ensure their implementation.

2. APPLICABILITY

The PA&S requirements specified in this document are applicable to the following:

Flight hardware and flight spare models Hardware subjected to or participating in design verification or qualification testing Deliverable Ground Support Equipment (GSE) and for GSE items with direct interface to flight hardware

Flight (software), all other deliverable software Components selection and procurement for the flight hardware Materials selection and procurement for the Spacecraft

Other hardware and software shall be safe for ground operations and shall be representative of flight hardware with respect to form, fit, and function, and shall not lead to the failure or degradation of flight hardware/software. The PA&S requirements specified in this document are applicable to the project phases B2/C/D/E1.

3. DOCUMENTS

This document is based on the ECSS standards on space product assurance and project management. The requirements specified here are established by tailoring the ECSS requirements to the needs and constraints of the GMES Sentinel-1 project. Where ECSS documents are not available, the relevant ESA PSS documents are used. Tailoring of the ECSS-Q requirements is achieved by specifying: • the clauses not applicable • clause modifications.

Clauses not mentioned in this document are applicable without modifications. Note that the current ECSS standard issue (A or B) is only specified in section 3.1, while in the rest of the document only the standard number (without issue reference) is called out.

3.1 Applicable Documents (Standards)

The following documents (latest issue at contract signature) shall be applicable to the extent and with the modifications specified in this document.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 12/106



ECSS-P-001B Glossary of Terms ECSS-M-00B Space project management - policy and principles ECSS-Q-00A Space Product Assurance - policy and principles ECSS-Q-20B Quality Assurance ECSS-Q-20-04A Critical Item Control ECSS-Q-20-07A Quality Assurance for Test Centres ECSS-Q-20-09B Non-conformance Control System PSS-01-202 Iss 1 Preservation, storage, handling and transportation of ESA spacecraft

hardware ECSS-Q-30B Dependability ECSS- Q-30-01A Worst case circuit performance analysis ECSS-Q-30-02A Failure Modes, Effects and Criticality Analysis ECSS-Q-30-11A Derating EEE components ECSS-Q-40B Safety ECSS-Q-40-02A Hazard Analysis ECSS-Q-40-12A Fault Tree Analysis – Adoption Notice ECSS/IEC61025 ECSS-Q-60A EEE Components ECSS-Q-60-01A European Preferred Parts List ECSS-Q-60-02 Draft ASIC and FPGA Development ECSS-Q-60-05 Generic procurement requirements for hybrid microcircuits ECCS-Q-60-11A Derating Requirements and end of life parameter drifts – EEE

components (Applicable for end of life paramenters drift only) ECSS-Q-60-12A Design, selection, procurement and use of die form monolithic

microwave integrated circuits (MMICs). ESCC No. 9000 Generic Specification for Integrated Circuits Monolithic MIL-STD-981 Design, Manufacturing And Quality Standards For Custom

Electromagnetic Devices For Space Applications ECSS-Q-70B Materials, Mechanical Parts and Processes ECSS-Q-70-01A Cleanliness and contamination control ECSS-Q-70-02A Thermal vacuum outgassing test for the screening of space materials ECSS-Q-70-03A Black Anodising of Aluminium using inorganic dyes ECSS-Q-70-04A Thermal cycling test for the screening of space materials and

processes ECSS-Q-70-05A The Detection of Organic contamination of Surfaces by Infrared

Spectroscopy PSS-01-706 Iss1 The Particle and UV Radiation Testing of Space Materials ECSS-Q-70-07A Verification and approval of automatic machine wave soldering ECSS-Q-70-08A The Manual soldering of high-reliability electrical connections ECSS-Q-70-09A Measurement of thermo-optical properties of thermal control

materials ECSS-Q-70-10A Qualification of printed circuit boards


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 13/106



ECSS-Q-70-11A Procurement of printed circuit boards ECSS-Q-70-13A Measurement of the peel and pull-off strength of coatings and

finishes using pressures-sensitive tapes ECSS-Q-70-18A Preparation, assembly and mounting of RF coaxial cables ECSS-Q-70-20A Determination of the susceptibility of silver plated copper wire and

cable to “red-plague” corrosion ECSS-Q-70-22A The control of limited shelf-life materials ECSS-Q-70-25A The application of the black coating Aeroglaze Z 306 ECSS-Q-70-26A The Crimping of high-reliability electrical connections ECSS-Q-70-28A The repair and modification of printed circuit board assemblies for

space use ECSS-Q-70-30A The wire wrapping of high reliability electrical connections ECSS-Q-70-33A The application of the thermal control coating PSG 120 FD ECSS-Q-70-34A The application of the black electrically conductive coating Aeroglaze

H322 ECSS-Q-70-35A The application of the black electrically conductive coating Aeroglaze

L300. ECSS-Q-70-36A Material selection for controlling stress corrosion cracking ECSS-Q-70-37A Determination of susceptibility of metals to stress corrosion cracking PSS-01-738 High reliability soldering for surface mount and mixed technology

printed circuit boards ECSS-Q-70-45A Standard methods for mechanical testing of metallic materials ECSS-Q-70-46A Requirements for manufacturing and procurement of threaded

fasteners ECSS-Q-70-71A rev1 Data for Selection of Space Materials and Processes PSS-01-738 High-reliability soldering for surface-mount & mixed technology PCB ESA/SCC No. 3901 Generic specification for wires and cables, electrical, 600V, low frequency ESA/SCC No. 3901 Generic specification for cables, coaxial, radio frequency, flexible NASA-STD-6001 Flammability, Odor, Offgassing, and Compatibility Requirements and

Test Procedures for Materials in Environments that Support Combustion

MIL-HDBK-5 Metallic Materials and Elements for Aerospace Vehicle Structures MSFC-Spec 250 General Specification for Protective Finishes for Space Vehicle

Structures and Associated Flight Equipment ECSS-Q-80B Software Product Assurance ECSS-E-30-01A Fracture Control S1-RS-TASI-PA-0084 Spacecraft radiation, meteoroids and debris environment PSS-01-204 issue 1 Particulate contamination control in clean rooms by particle fallout (

PFO ) measurements. PSS-01-604 issue 1 Generic specification for silicon solar cells PSS-01-605 issue 1 Capability approval programme for hermetic thin-film hybrid

microcircuits PSS-01-606 issue 1 The capability approval programme for hermetic thick-film hybrid

microcircuits. S1-RS-TASI-PA-0096 issue 1 GMES SENTINEL-1 S/W Product Assurance Requirement for

SUB-Contractors.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 14/106



3.2 Reference Documents

ECSS-Q-30-08A Components reliability data sources and their use ( with a tailoring provided in the SRD )

ECSS-Q-30-09A Availability Analysis MIL-HBK-217F Reliability prediction of electronic equipment ISO 19011:2002 Guidelines for quality and/or environmental management systems

auditing. MIL-STD-883C METHOD 1019.3 MIL-STD-883D METHOD 1019.5 & 1019.6 ESA/SCC 22900 Total Dose Steady State Irradiation Test Method, issue 3 MIL-HDBK-279 Total Dose Hardness Assurance Guidelines for Semiconductor

Devices and Microcircuits, 25 January 1985 ESA/SCC 25100 Single Event Effects Test Method and Guidelines ESA/SCC Basic

Specification, Draft A US JEDEC TS 57 Procedures for the Measurement of Single Event Effects in

Semiconductor Devices from Heavy Ion Irradiation, May 1996

4. ABBREVIATIONS

This list of abbreviations is not extensive. Abbreviations used in this document and not included in the list are defined in the applicable ECSS standards. ECSS European Co-operation for Space Standardisation EEE Electronic, Electrical, Electromechanical EPPL European Preferred Parts List ESCC European Space Component Co-ordination HA Hazard Analysis HSIA Hardware/Software Interaction Analysis MPP Materials, Parts and Processes NCR Non Conformance Report NCTS Non-Conformance Tracking System NPSL NASA Parts Selection List OTS Off the Shelf PA&S Product Assurance and Safety QA Quality Assurance QPL Qualified Parts List SPF Single Point Failure SPR Software Problem Report SRD Sentinel-1 System Requirements Document, ES-RS-ESA-SY-0001 SW Software SW-PA Software Product Assurance RFW Request For Waiver RFD Request For Deviation


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 15/106



5. PA&S PROGRAMME

The PA&S programme shall ensure that the Sentinel-1 flight hardware successfully achieve the intended objectives. This shall be achieved in the most cost-effective way by managing the available resources and personnel within the allocated budget, and by coordinating in an integrated effort the PA&S activities with the functions of project management and engineering. The PA&S programme shall be established according to the requirements of this document. This document takes into account ECSS-Q-00, chapter 3, Product Assurance Management and ECSS-M-00 chapter 5.2, Overall Policy and Principles.

5.1 PA&S Plan

The Sub-contractor shall prepare a PA&S Plan to describe the resources, tasks, responsibilities, methods and procedures adopted by the Sub-contractor for the implementation of the PA&S requirements and for the achievement of the PA&S objectives. The PA&S Plan shall define the PA&S programme to be implemented in compliance with the requirements of this document. The Sub-contractor shall deliver with the proposal a compliance matrix, complemented with the relevant supporting documentation. The compliance matrix shall address compliance with the requirements of this document (and the applicable ECSS standards) and shall identify any discrepancy. The PA&S Plan shall include details as to how the Sub-contractor intends to verify the implementation of the programme and how he intends to perform supervisory and monitoring actions on its Subcontractors and Suppliers. Sub-contractor internal company procedures may be referenced in the PA&S Plan, in this case they shall be provided to TAS-I on request. Sub-contractors should be aware that referencing internal company procedures in the PA&S Plan will limit the company's ability to unilaterally change the procedures. All modifications to these procedures shall be considered as modifications to the PA&S Plan. The PA&S Plan shall serve as a master planning and control document for the product assurance programme.

5.2 Right of Access

TAS-I reserves the right of access to: • all documentation relevant to the programme; • all areas and operations within the Sub-contractor’s or supplier’s facilities in which work is

performed or items are stored relevant to the project, even if the information is considered proprietary.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 16/106



TAS-I will undertake not to disclose such information to a third party, in accordance with the General Clauses and Conditions for TAS-I Contracts.

5.3 Participation

TAS-I reserves the right to perform any or all audits, surveys, inspections, reviews, etc. relevant to the project. ESA may participate in the activities described above as observers. TAS-I’s participation shall not in any way replace or relieve the Contractor of his responsibilities

5.4 PA&S Progress Reporting

PA&S progress reporting shall be part of the overall project progress reporting and shall include as a minimum: • Status of the PA&S activities since the last progress report, separated for the different

disciplines (QA, Dependability, Safety, EEE-Components, MPP, SW-PA, Others) when applicable

• Non-conformance and SPR status • Waiver/Deviation status • Critical items status • Alert status • Audit programme status • Accomplishments • Planned accomplishments in the next reporting period • Identified problems & risk factors • Activities planned to control identified problems & risk factors

5.5 PA&S Databases

All PA&S-related data and analyses (such as NCR’s, RFW’s/RFD’s, EEE components list, materials and processes lists, reliability/safety analysis) shall be stored in electronic databases (e.g. EXCEL spreadsheet). This shall allow to import and export data from and to Sub-contractors, TAS-I and ESA. The database format and content shall be agreed with TAS-I. TAS-I shall have access to the database. TAS-I/ESA recommends the use of ESA corporate NCTS (Non-Conformance Tracking System) as a web-based non-conformance registration and monitoring database tool.

6. QUALITY ASSURANCE

The contractor shall prepare, maintain, and implement a plan of the QA activities. The plan describing the QA programme for GMES Sentinel-1 shall be part of the PA&S plan. The requirements for the GMES Sentinel-1 QA programme are defined in ECSS-Q-20 with the modifications identified hereinafter.

6.1 PA&S Audit Programme

This chapter supplements clause 4.6.2 of ECSS-Q-20.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 17/106



The Sub-contractor shall identify (either in the PA&S plan or in a separate Audit Programme document) the external and in-house audits to be performed. Audits shall be planned: • to verify the implementation and effectiveness of the PA&S programme, • to assess the capability of the Sub-contractor and lower tier contractors to perform the

required tasks, such as manufacturing processes, according to the level of risk to the project. For example, higher priority shall be given to lower tier contractors or suppliers, or when new technologies are used.

At least ten working days notice shall be given of the intention to conduct an audit. TAS-I and ESA reserves the right to be represented in all audits. The Sub-contractor shall perform audits following the guidelines of ISO 19011:2002. For each audit to be performed the Sub-contractor shall prepare an audit plan and a checklist. These documents shall be subject to TAS-I acceptance before they are used. A copy of the audit report generated by the Sub-contractor shall be sent to TAS-I within two weeks after the audit has taken place. The report shall include:

• identification of areas of non-compliance or weakness, if any • corrective actions with due dates, • conclusions with statement on the acceptability to proceed with the activities, • the completed audit checklist.

At any time, TAS-I has the right to conduct PA&S audits of the Sub-contractor and/or any of his Sub-contractors at their premises. TAS-I will provide at least two weeks (ten working days) notice prior to the conduct of any such audit.

6.2 Critical Items Control

The Sub-contractor shall perform the Critical Item Control process in accordance with the requirements of ECSS-Q-20, clause 4.8, and ECSS-Q-20-04.

6.3 Non-conformance Control System

The Sub-contractor shall establish and maintain a non-conformance control system in accordance with the requirements of ECSS-Q-20, clause 5.6 and ECSS-Q-20-09. Accidents/ incidents shall be processed according to the non-conformance control system, and treated as major non-conformances. The Sub-contractor shall give visibility upon TAS-I request of all NCRs generated during the duration of the project. The Sub-contractor is required to implement an electronic NCR database. This database shall be accessible to ESA and shall contain all NCR reports and related documentation. TAS-I/ESA recommend the use of ESA corporate NCTS (Non-Conformance Tracking System) as a web-based non-conformance registration and monitoring database tool.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 18/106



6.4 Alert System

This chapter is a supplement to clause 5.7 of ECSS-Q-20. A preliminary assessment of the possible impact of an Alert on the project at all contractual levels shall be performed and submitted to TAS-I within 5 working days. The Sub-contractor shall maintain a status list of all internal and external Alerts (including ESA Alerts). This list shall identify the applicability of each alert to the project and, when applicable, the corrective measures taken by the project. The Sub-contractor shall ensure that all subordinate suppliers also participate into the ESA Alert System. This includes, as a minimum, that the Sub-contractor distributes all ESA Alerts to the lower tier suppliers and that there is an established procedure for collecting and assessing inputs from lower tier suppliers to provide inputs to the ESA Alert System where warranted.

6.5 Handling, Storage, Preservation

This chapter is a supplement to clause 5.8 of ECSS-Q-20. The applicable detailed requirements for handling, storage and preservation are defined in ESA PSS-01-202.

6.6 Cleanliness and Contamination Control

This chapter is a supplement to clause 8.8.1 of ECSS-Q-20. The Sub-contractor shall identify the hardware and facilities that require specific controls for molecular or particulate contamination. The whole process shall be defined in the Cleanliness and Contamination Control Plan. To this extent the requirements of ECSS-70-01 are applicable.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 19/106



6.7 Test Facilities

This chapter supersedes clause 9.1 of ECSS-Q-20. The Sub-contractor shall ensure that the selected test facilities are suitably qualified to perform the tests to be conducted, and do not cause any degradation to the test article or its interface. The Sub-contractor shall demonstrate that the selected test facilities, either internal or external, comply with the requirements of ECSS-Q-20-07A.

6.8 Test Reports

This chapter is a supplement to clause 9.3.2 of ECSS-Q-20. Test Reports shall include reference to NCR’s and SPR’s relevant for the test subject of the test report. The test report shall provide a conclusion stating whether the test objectives have been achieved.

6.9 Packaging, Marking and Labelling, Transportation

This chapter is a supplement to clause 10.4.1, 10.4.2 and 10.5.2 of ECSS-Q-20. The applicable detailed requirements for packing, marking and labelling and transportation are defined in ESA PSS-01-202.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 20/106



7. DEPENDABILITY ASSURANCE

7.1 SCOPE

A program shall be established and maintained to ensure fulfillment of the dependability requirements and design life requirements of the spacecraft and its equipment. The dependability program shall be planned, implemented, and integrated in conjunction with other product assurance functions and with design, development, and production functions. The organization and individuals responsible for the implementation of the dependability program and the relation to the other groups shall be identified in the product assurance plan. The Dependability, Availability and Maintainability programme shall ensure that the dependability analyses are performed with uniform contractual ground rules and standards. This section establishes the requirements in accordance with the ECSS-Q-30B for demonstration of specified quantitative and qualitative dependability requirements. Dependability shall ensure fulfilment of the dependability and design life requirements of the subsystem/assembly/equipment. Dependability shall include the following activities: Failure Modes, Effects, and Analysis (FMEA) with identification of Single Point Failures (SPFs) Hardware Software Interaction Analysis Parts Stress Analysis (Parts Application Review) Worst-Case Analysis Reliability Assessment Availability/Outage Analysis Maintainability activities. All activities shall be carried out in parallel to the design process in close co-operation with design engineers.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 21/106



7.2 FAILURE MODES, EFFECTS ANALYSES (FMEA)

7.2.1 General

To ensure that potential failures are recognised early, FMEAs of subsystem/assembly/equipment shall be performed. FMEAs shall be performed on the functional and physical design to ensure that designs react acceptably to failures and that the proper compensatory measures are implemented. The satellite mission phases, environmental constraints, and hardware operating modes shall be considered in the analyses. Failure effects shall be analysed to determine the need for design change or other action. The FMEAs shall be performed to the circuit functional level or subassembly level (mechanical items) with emphasis on equipment interface failure effects (part level FMEA), propagation of failure effects to redundant, cross-strapped, or interfacing assemblies, and identification of single-point failure effects and fail-safe features. Failure modes or effects that require corrective actions shall be followed up and documented in a formal way. For EGSE an FMEA is conducted with the aim of identifying the risk of failure propagation to the flight HW. The analysis shall be limited to analyse the interfaces between flight and EGSE hardware. Principles, requirements and procedures to apply FMEA are described in ECSS-Q-30-02. 7.2.2 FMEA Approach

The FMEAs shall be generated from the start of design phase and updated throughout the design phases. FMEA shall be implemented to: o document the interfacing failure modes of functional blocks of the satellite and the resulting

failure effects on assemblies, subsystems, and satellite o identify and eliminate single-point failure items whenever possible and minimise the

probability of occurrence of the residual risks o identify critical failure effects for concentration of efforts in the areas of quality, inspection,

manufacturing controls, design review, configuration control, and traceability o determine the need for more reliable designs; change in designs affecting parts, materials,

or processes; adequacy for fail-safe design features; possibilities for design simplification; and/or sufficiency of redundancy and cross-strapping.

Common mode and common cause failures shall be analysed as part of the above mentioned activities.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 22/106



7.2.3 Definition of Single Point Failure (SPF) and inputs for Critical Items List (CIL)

A Single Point Failure (SPF) is an item for which no redundancy or back up is implemented in the design. Such item is identified with a suffix “S” in the FMEA. Those items identified in the subsystem FMEAs with severities 1, 2 and 3 with and without suffix S shall be considered as critical items and processed as such in the CIL. Items identified in the equipment FMEAs with severities 1 (with and without suffix S) and 2 (S) shall be considered as critical items and processed as such in the equipment CIL. 7.2.4 FMEA Contents

The FMEA activity shall be carried out in a systematic way to ensure that all higher level items and their interfaces are adequately addressed. Lower level FMEAs shall be used as input in a build-up process to generate the payload and satellite higher level FMEAs. The FMEA sheets shall include for each analysed item: o identification o short description of the function o assumed failure mode o possible failure causes (when available) o effects on mission o observable symptoms o existing preventive or compensation measures o severity level and suffix according to Table xx.2-5-1 o recommendations and remarks o the probability of failure for SPF’s which are included in CIL. 7.2.5 Severity Classification

A severity level shall be assigned to each assumed failure mode according to its effect. The severity levels shall be in accordance with Table 7.2-5-1.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 23/106



SUBSYSTEM/ASSEMBLY/EQUIPMENT LEVEL FMEA

Severity Level Failure Effect Catastrophic 1 Propagation of failure to other

subsystems/assemblies/equipment Critical 2 Loss of functionality Major 3 Degradation of functionality

Negligible 4 Any other effect

TABLE 7.2-5-1 SEVERITY CATEGORIES The severity category for a particular failure mode is determined by the most severe effect of the considered failure. It has to be noted that these categories are established without considering the possible redundancy or back up. In addition to these severity categories a suffix is added with the following rules : - a suffix "R" (for Redundancy) is added in case a redundancy or a back up is provided and made operational before propagation of failure or severity increase; - a suffix "S" (for Hazardous) is added in case of hazardous risk (safety). In addition all SPFs identified at a given level shall be submitted to the upper level approval. 7.2.6 FMEA Report

A FMEA report shall be supplied and updated in accordance with the SOW. The FMEAs shall include the following information : a. A description of the mission, function and interfaces for the item for which the FMEA is being prepared,

b. The functional block diagram of the item with a description of the functional elements of the hardware,

c. Reliability block diagram, if the analyzed item includes redundancy,

d. The functional block level FMEA,

e. For equipment level, a part level FMEA shall be performed on each external interface and on each internal inteface involved in internal redundancy. The analysis at part level


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 24/106



interface shall include each failure mode for each passive part until the first active circuit excluded, f. A list of single point failure items (applicable for Subsystems and for Equipment which incorporate redundancy),

g. A summary of the FMEA, including the main following results :

• list of items to be included in Critical Items List (CIL),

• recommendations to upper level,

• effects of radiations (e.g heavy ions).

• input data for the safety analysis if not provided in separate safety document.

7.2.7 Product Design FMEA

The Product Design FMEA deals with failure mode aspects which are complementary to those of the FMEA as specified by SOW. It shall be performed on electromechanical and electrical equipment which include internal redundancy. The Product Design FMEA shall analyze the failure modes due to the packaging design and physical interactions between parts/components/equipment although they may be well decoupled from a functional point of view. The main purpose shall be to identify the potential single failures which could result in loss or important degradation of the mission, and specify for each of them the method(s) used to eliminate/control the cause of failure. The Product Design FMEA report shall consider the following points : • Identification of failures which have a credible risk to negate a redundancy by physical

(e.g thermal, mechanical, electrical, chemical) failure propagation. • Identification of single point failures modes caused by single parts having multi-

application elements. (Dual transistors in one package that furnish signals to a pair of redundant circuits; redundant circuits in the same hybrid...)

• Identification of single point failures modes associated with wiring, connectors pins,

solder joints, PCB stripes. • FMEA of interfaces between redunded circuits performed at part level.

The Product Design FMEA are part of the FMEA document.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 25/106



7.3 HARDWARE SOFTWARE INTERACTION ANALYSIS

The aim of such analysis, which is developed by the SW PA and the Dependability engineers, is to ensure that the Software reacts in an acceptable way to HW failure. This shall be performed at the level of the technical specification of the software. It can be accomplished in a dedicated document or incorporated in the FMEA, using as guideline ECSS-Q-30-02.

7.4 PARTS APPLICATION REVIEW

Stress analysis shall be performed for EEE parts at electrical unit level only. For electronic equipment, the Parts Derating Analysis shall be performed to identify non-compliances w.r.t. ECSS derating requirements and to direct the necessary changes to the design to comply with the ECSS requirements. Internal process shall be used to report, track and to ensure that corrective action takes place and that all derating issues are resolved. All flight equipment shall be analysed to determine individual part stresses (voltage, current power, temperature, etc.) in transient as well as in steady state conditions and the reference equipment temperature to be used in the analyses shall be the worst-case operating temperature. The parts stresses shall be compared to the programme derating criteria. Request for Deviation to the Programme derating requirements shall only be prepared after all applicable design alternatives have been investigated and the risks associated with the electrical stress or part application discrepancies have been determined and found acceptable. Stresses exceeding the derated value may be permissible for specific periods, such as burn-in and inadvertent overstress due to failure of related components during tests, provided these conditions do not exceed manufacturers approved ratings. A list of the parts exceeding the stress criteria shall be presented in the stress analyses.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 26/106



7.4.1 Part Derating Criteria

Electrical parts shall be derated from maximum manufacturers ratings in accordance with the ECSS-Q-30-11A “Derating – EEE components”. The maximum allowable stress ratios for parameters not specifically listed in these derating documents shall be expressed as in applicable international standards. Transient or surge conditions shall be taken into account where applicable, and derating determined as follows: o when the procurement specification includes parameter values for transient or surge

conditions, then the same derating figures as for steady state equivalent parameters shall be used, unless otherwise specified

o when transient or surge conditions are applicable, but no transient or surge values are specified, then it must be assured that the transient or surge values are below the steady values of the procurement specification.

All part temperatures are calculated at the worst-case operating temperature conditions taking into account the unit thermal analysis

7.5 WORST CASE ANALYSIS (WCA)

7.5.1 General

The worst-case analysis ensures that item electrical performances comply with the applicable equipment specification under worst-case operating conditions. It shall be performed on equipment critical elements, or elements subject to accuracy performance requirements or sensitive to environmental conditions. Engineering organisations are usually responsible for the completion of worst-case analyses on flight hardware items for which they have design responsibility. They are required to ensure that the analyses are adequately prepared, that design margins are adequately demonstrated by analyses and/or tests, and that the documentation is complete and sufficient. All WCAs shall be formally approved by engineering organisations. Worst-case analysis reports shall be prepared and submitted to the Customer as required by the SOW. Reliability personnel shall be responsible for providing the aging effect data, for ensuring that worst-case analyses are appropriately completed (methodology) and that the results of the analyses ensure compliance with all applicable requirements. Applications exceeding these criteria where it is not feasible or possible to correct by means of redesign or other means must be approved by Alcatel Alenia Space before incorporation into the design by submission of a Request for Deviation. This activity is limited to equipment level.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 27/106



7.5.2 Analysis Method

The analysis is required to demonstrate sufficient operating margins for all operating conditions of the individual circuits. The methodology guideline to be used when conducting such analysis is the ECSS Q-30-01 “Worst case circuit performance analysis”. The analyses shall consider (as applicable) such factors as :

• part parameter variations • normal operating modes and contingency operating modes • full range of input voltage, current and frequencies variations • acceptance temperature • circuit loading • circuit stimulus • ageing, total dose and displacement damage effects • potential race conditions (i.e. mismatch in delay times). • A combination of testing and analysis may be employed to obtain results through actual

measurements. The analysis method shall be tailored to the circuit function, and to the adequacy of the analytical models (true WCA, Root Mean Square Method, Monte-Carlo simulation may be used). For parts submitted to Radiation Lot Acceptance Test, the parameter drift values shall be derived from radiation test by comparing the post-test values with the pre-test value.

7.6 RELIABILITY ASSESSMENT

7.6.1 General

Reliability numerical evaluation shall be performed for components, equipment, payloads and for the satellite to demonstrate compliance with the contractual numerical reliability requirements. The reliability assessments shall be updated during the programme to include the impact of design changes and more detailed design information, as the satellite hardware design matures. Reliability trades shall be used during all phases of the programme to identify the relative merits of alternative designs and to assist in problem resolution (i.e., to determine the possible numerical reliability impact resulting from a potential problem situation). Functional Block Diagrams shall be developed and used to represent the system and subsystem design configurations as they operate over the specified mission phases. These functional Block Diagrams shall in turn be the basis for the reliability Block Diagrams that indicate the redundancy, cross-strapping, and single thread items of the designs. The Reliability Block Diagrams then become the basis for defining the quantitative reliability of hardware from the unit to the end item satellite level. Mathematical models (either discrete or dynamic) shall


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 28/106



then be used, along with the failure rates calculated for the hardware items, to determine numerical reliability. Reliability Block Diagrams are provided as part of Reliability analysis. The numerical reliability assessments shall be governed by the requirements given hereafter. Quantitative reliability requirements shall be specified in the applicable equipment/assembly/subsystem performance specifications. Reliability predictions shall be prepared with the necessary level of detail for all satellite hardware items, including operational duty cycles, dormancy factors, environmental factors, and functional descriptions. The results of quantitative reliability assessments shall be reported and provided as part of design reviews. 7.6.2 Reliability assessment assumptions

Typical assumptions which affect the interpretation of quantitative reliability results are: a. The design assessed is representative of the flight design. b. Useful life of a component begins after the satisfactory acceptance test of the component. c. Mission phases are independent. Stresses experienced in a phase do not affect the failure

rate of succeeding phases. d. Part failure rates are usually constant during the useful life period and wearout factors are

not operative during the required mission life unless otherwise stated and appropriate models shall be used in those cases.

e. Individual part failures are independent. f. Parts and materials are qualified for their application and environment. g. Circuit design performance margins are sufficient for the effects of production variance,

radiation environment, thermal environment and ageing. h. Production processes and testing do not introduce unknown latent damage or failure

mechanisms and are approved for use for the mission. i. Failures rates are estimated in accordance with the requirements detailed in Para. 7.6.4. i. For structural items and mechanisms, the most appropriate method among constant failure

rates, stress strength method (reliability estimations taking into account structural and functional safety margins) or other shall be selected by the unit supplier and submitted to upper level approval.

7.6.3 Mission and system definition

The mission and system definition required for reliability assessment consists of:

• Definition of mission functions and modes of operation including descriptions of functional modes of operation, alternate modes of operation, equipment duty cycles and required operational periods.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 29/106



• Definition of the environmental profile during the required mission time including phases of operation during which a given environment is applicable.

7.6.4 Failure rates standards

7.6.4.1 Programme failure rates

The guideline applied when selecting a failure rate source is the ECSS-Q30-08 “Components reliability data sources and their use”. The selected standard is the MIL-HDBK-217 F + Notice 2 which shall be used to determine EEE piece part failure rate, with the exception of hybrids for which MIL-HDBK-217 E + Notice 1 can be used but shall be explicitly referenced in the analysis. The failure rates listed in Annex A (Fixed Failure Rate Items) can be used instead of MIL-HDBK-217 and are provided for use to assess system reliability at all levels of indenture. Other data can only be used if justified and after Alcatel Alenia Space approval. For the equipment Preliminary Design Review, the part count reliability prediction method of the MIL-HDBK-217 shall be applied. For the Critical Design Review, the reliability shall be predicted using the part stress method, dependent upon electrical stresses and component temperatures derived from unit thermal analysis. 7.6.4.2 Failure rate and thermal and electrical stress derating

o Thermal and electrical stress influences on part failure rate shall be incorporated into the reliability assessments as soon as the necessary design data are available and stress analyses completed. The final assessment of each design shall incorporate failure rates derived from the calculated stress ratios and the unit base plate average operating temperature.

o The equipment average temperatures figures on baseplate shall be considered in the analysis. Reliability assessment shall be performed over the complete unit operating temperature range (with a minimum of four temperature values: average base plate temperature ± 5°C, ± 10°C) taking into account the unit thermal analysis; the reliability target is defined at a typical average baseplate temperature of 35°C. When performing the reliability assessment at upper level (assembly or subsystem), the unit average temperature specific to the concerned application is considered.

7.6.4.3 Failure rate adjustment factors

The multiplying factors listed in Table 7.6.4.3-1 shall be used for the purpose of assessing mission reliability. These factors are applicable only to the designated mission phase under evaluation and are to be applied to the base failure rate to adjust for mission phase environmental and equipment operating conditions. a. Duty Cycle Factors


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 30/106



When applicable, duty cycle multiplying factors shall be used.

b. Non Operating Factors

Standby or non operating multipliers shall be used to assess the reliability of non operational equipment in accordance with Table 7.6.4.3-1.

MISSION PHASE DURATION FOR CALCULATIONS MULTIPLIERS

ELECTRICAL MECHANICALLaunch/Boost 0. 5 hours (1) Perigee Burn 0.1 hours (1) Apogee Burn 2.5 hours (1)

40 (on) 4 (off)

40 (on) 1 (off)

Transfer Orbit and time prior to missionoperation in GO (IOT)

as required for the particular mission

1 (on) 0.1 (off)

1 (on) 0.01 (off)

Orbit on Station 1 (on) 1 (on) (Operational lifetime) (2) 0.1 (off) 0.01 (off)

(1): Typical value, exact value for each mission to be determined by mission analysis. (2): For the specified lifetime.

TABLE 7.6.4.3-1 STRESS/OPERATING FAILURE RATE MULTIPLIERS 7.6.4.4 Quality factor equivalences

Table 7.6.4.4-1 provides a list of equivalence’s between failure rate quality levels specified in MIL-HDBK-217 and those specified by European Space Agency documents.

PARTS MAIN TYPE EUROPEAN LEVEL MIL-HDBK-217 LEVEL Passives SCC B

SCC C MIL S MIL R

Relays SCC B SSC C

0.5* MIL R MIL R

Discrete Semiconductors

SCC B SCC C

0.5* MIL JANTXV (JANS) MIL JANTXV

Integrated Circuits SCC B SCC C

Class S categories Class B categories

Hybrids ECSS-Q60-05 Others

Class S categories Class B-1 categories

TABLE 7.6.4.4-1 QUALITY LEVEL EQUIVALENCES

7.6.5 Reliability assessment documentation

A reliability assessment report shall be prepared and submitted in accordance with the Statement of Work. Each reliability assessment shall include the following information:


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 31/106



a. A description of the item, types of redundancy, and the item operational modes. b. A functional Block Diagram of the design. c. A reliability model for each operating phase which is analysed including:

• Reliability Block Diagrams • failure rates for each block of the Reliability Block Diagram • mathematical models or applicable dynamic model data • probability of success results • comparison of the results with the specified requirements.

7.7 AVAILABILITY/OUTAGE ANALYSES

7.7.1 General

It concerns flight hardware , as well as ground stations.

It aims at assessing the performance of the concerned design in term of availability, in order to verify the compliance w.r.t. requirements and to consolidate the design (redundancy philosophy) and the maintainability requirement if any (spare policy).

The basic considered guideline for such analysis is the ECSS-Q-30-09 “Availability Analysis”. All sources of interruption are basically covered in the frame of the analysis, that says:

• definitive mission interruption consecutive to single or multiple failures,

• outages (i.e temporary non compliance with the technical requirements) caused by random events (reconfigurable failures , radiations or Single Event Phenomena) or deterministic events (like recalibration phases or un-operational periods).

7.7.2 Method

The inputs to be collected are the following: o the list of potential possibility of mission interruption with associated data and information

(MTBF, probability of occurrence, number, effect on mission, down time, MTTRepair, MTTReplace),

o the proposed redundancy and spare policy (if applicable). For the purpose of the calculation, a defined response time for remedy of the outage causing the event is generally taken into account in the accrued downtime. Then a mathematical model is built and all the data combined in order to determine the relevant availability of the item, this in a way which is compatible with the requirements terms. 7.7.3 Outputs


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 32/106



The outputs in term of availability shall be expressed in order to be adapted with the requirements. They may be presented as follows (examples): - average availability versus time - outage characteristics for certain time internals (month, year, lifetime period) including:

mean number of outages mean duration of one outage mean cumulated outage duration unavailability versus time due to outages probability to have an interruption with a duration longer than a given value, and over a given period.

In addition, recommendation for design modification or maintenance requirement adaptation may be proposed, in order to optimize the robustness of the design w.r.t. the risk of mission interruption.

7.8 MAINTAINABILITY

7.8.1 Scope

The maintainability assurance programme shall ensure that maintainability requirements of products are defined, implemented, co-ordinated and integrated throughout the product life cycle. Maintainability assurance programme applies to the activities associated with repair, rework and preventive and corrective maintenance. The maintainability assurance programme shall include: o verification that maintainability requirements are taken into account in design construction o verification that preventive and corrective maintenance are implemented according to

documented plan and procedures, and that results of implementation are property documented, reported and verified in accordance with quality assurance dispositions.

7.8.2 Design requirements

Design requirements for maintainability shall consider the following objectives: a. Optimisation of testability, including verification of redundancy, and fault isolation capability. b. Minimisation of the need for special tools and special test equipment. c. Minimisation of requirements for special skills. d. Consideration of human-factor requirements. e. Minimisation of design complexity. f. Maximisation of commonality/interchangeability. g. Simplification of maintenance tasks. h. Standardisation of products.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 33/106



i. Maximum of accessibility. j. Maximisation of modularity. k. Minimisation of the need for preventive maintenance. Related design requirements are introduced in applicable design standards (e.g. general equipment design and interfaces requirements) and technical specifications. Verification of their implementation in design shall be performed as part of design reviews. 7.8.3 Maintenance

Preventive and corrective maintenance actions/tasks including rework/repair operations shall be implemented according to the following: o items subject to preventive maintenance shall be identified. Their maintenance status shall

be systematically checked before product delivery to the next higher assembly level, during payload and satellite tests, before satellite delivery and before launch

o preventive maintenance operations shall be implemented according to controlled plans and procedures. Verification and results shall be reported and verified in compliance with applicable quality assurance dispositions. Implementation of maintenance operations shall be documented in the logbook

o implementation of corrective maintenance shall be performed within the Non Conformance processing system. Dispositions for repair/rework shall be decided and defined by the NRB. As a basic rule, re-testing after repair/rework shall include functional tests and environmental tests according to the nominal acceptance test sequence. Specific amendments to the nominal test sequence can be decided by the NRB on a case by case basis, considering the nature of repair/rework operations and potential risks resulting from cumulating of test stresses on a same item.

Maintainability analysis results shall constitute an input for availability analysis.

8. SAFETY

8.1 SCOPE

This section establishes policy and provisions for Safety activities undertaken during all phases of SENTINEL-1 program including flight and ground Systems, Subsystems, Assemblies and associated Equipment and opeartions. It also establishes the Safety requirements compliant with the ECSS-Q-40B and Launch Site CSG Safety regulations (DELTA or STARSEM launcher).


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 34/106



The Safety requirements shall be applied to the Subcontractors by the relevant technical specifications. Alternatively, these requirements may cover the Safety section of the technical specifications. The Sub-co safety engineer shall prepare and submit to TAS the safety analyses presented in this section, in accordance with the Statement Of Work . The overall objective of the SENTINEL-1 Safety Program is that both flight, GSE be free of conditions, in both design and operations, that could produce uncontrolled safety hazards for ground personnel, general public, Launch Vehicle, other launch vehicle payloads and facilities.

8.2 SAFETY PROGRAM

The safety engineer, operating in the P.A. organization, shall assure the implementation of the Safety program in close co-operation with design engineering and the other disciplines of the same organization (RAM, Parts Materials & Processes - PMP, Quality Assurance, etc.). The safety engineer shall yield an effective safety related survey of the flight equipments/GSE through all project phases including design, development, manufacturing, testing and related operations. The safety engineer shall review plans, technical specifications, operation and test procedures to ensure that: - adequate consideration is given to safety aspects - applicable safety requirements and provisions are incorporated into design, manufacturing and testing and are properly described in the relevant documentation - changes which may be necessary as a result of safety analyses and safety recommendations are adequately implemented. All proposed design changes shall be evaluated and considered against safety aspects. In particular no new potential hazards shall be introduced by the implementation of a proposed design change. Furthermore, the safety engineer shall review all non-conformances and waivers which can affect the applicable project safety requirements or safety-critical functions and items. He shall maintain a tracking list of all safety-related non- conformances and waivers reviewed and shall submit them to TAS. The safety engineer shall be present at those reviews/meetings concerned with safety-critical functions, procedures and items.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 35/106



8.3 GENERAL SAFETY DESIGN PROVISIONS

8.3.1 Hazard Levels

Hazards shall be classified as follows: Severity of identified hazards and consequences (1) 1) Catastrophic Hazard causing:

i) loss of life, life-threatening or permanently disabling injury or occupational illness, loss of an element of an interfacing manned flight system; ii) loss of launch site facilities or loss of system; iii) severe detrimental environmental effects.

2) Critical Hazard causing:

i) temporarily disabling but not life-threatening injury, or temporary occupational illness; ii) major damage to flight systems or loss or major damage to ground facilities; iii) major damage to public or private property; or iv) major detrimental environmental effects.

NOTE: In addition to the above two categories, other categories may be used to complete assessment of the safety risk being assumed. Two sample categories are shown below. Severity of identified hazards and consequences (2) 3) Marginal hazards

minor injury, minor disability, minor occupational illness, or minor system or environmental damage.

4) Negligible hazards less than minor injury, disability, occupational illness, or less than minor system or

environmental damage.

8.3.2 Hazard Reduction and Control

The identified hazards shall be eliminated, minimized or controlled to assure compliance with each applicable safety requirement. If necessary, the requirements defined in the safety standards may be also adapted to match specific requests of the SENTINEL-1 system. As far as possible, the prevention of failures caused by human errors shall be performed by design. Actions for reducing hazards shall be conducted in the following order of precedence:


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 36/106



a) Hazard elimination

from the begin of the conceptual phase, hazards and hazardous conditions shall, as far as is consistent with the project and mission objectives, be eliminated from the design and operational concepts by selection of the least hazardous design options and operational scenarios.

b) Design for minimum hazard

hazard, and hazardous conditions that cannot be eliminated, shall be minimized through the selection of design concepts and characteristics that minimize the severity of potential hazardous events and their hazardous consequences, and limit the exposure of personnel to hazardous consequences.

c) Hazard control the remaining hazards (residual hazards) shall be resolved by the application of the following hazard-control precedence:

(i) selection and implementation of appropriate design features that minimize the probability of hazardous events occurrence and their propagation to hazardous effects, including application of failure tolerance, safety factors, materials and parts selection and control, safety devices, isolation of hazards, hazard containment, and damage control.

(ii) When a corrective action is required in order to prevent the propagation of hazardous effects, warning devices shall be incorporated to provide timely detection and unambiguous visual and audible warning of the developing potentially hazardous events. The design shall provide the capability for the implementation of safing functions and/or contingency operations.

(iii) When it is not possible to satisfactorily minimize or control a residual hazard by design or by safety or warning devices, special procedures shall be developed to counteract the associated hazardous events and their consequences. Special procedures may include emergency and contingency procedures, procedural constraints, or the application of a controlled maintenance program. These procedures shall be qualified by testing, and appropriate training shall be provided for personnel.

8.3.3 Unresolved Residual Hazards

Catastrophic and critical hazards which cannot be minimized and/or resolved in accordance with the hazard reduction precedence sequence, stated in the previous paragraph, shall be notified to TAS.

8.3.4 Fault Tolerance

Specific functions or subsystems shall conform to any specific Fault Tolerance requirements established by the SENTINEL-1 Program Requirements and by the Launch Agency. Where possible, an applicable number of credible failures and/or operator errors shall be tolerated by the design whenever the potential for catastrophic or critical hazardous consequences, during manufacturing, handling and testing of the system and its GSE, exists.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 37/106



Criteria for the Single and Double Failure are: - no failure (single failure or human error) shall constitute a critical or catastrophic risk - no combination of two failures (failure and/or human error) shall constitute a catastrophic risk.

8.3.5 Control of Hazardous Functions

The following requirements apply during ground operation at the Launch Site and up to satellite separation from the Launcher: Control of functions resulting in critical hazards A function that may result in a critical hazard shall be controlled by two independent inhibits. At least one inhibit shall be monitored. Control of functions resulting in catastrophic hazards A function that may result in a catastrophic hazard shall be controlled by a minimum of three independent inhibits. At least two inhibits shall be monitored.

8.3.6 Safety Critical Items for Ground Handling and Testing Operations

All ground processing activities (ground handling, testing and relevant operating procedures) which can result in a catastrophic hazard shall be identified as safety-critical. Both safety critical items and procedures shall be properly controlled in order to assure: - identification, marking and traceability of all design, manufacturing and testing

documentation - safety validation and qualification by testing.

8.4 FLIGHT SYSTEMS SAFETY PROVISIONS

The flight equipment design shall be reviewed in the light of the compliance with the Safety requirements related to the SENTINEL-1 Program, to the Launch Site, to the Launcher. Requirements apply under worst-case natural and induced environment. They must be applied to all "safety subsystems" (electrical, structural, material, radiation, etc.) and not to the "physical subsystems" of the satellite.

8.4.1 Liquid Propellant Propulsion System

1. Minimum of three independent mechanical flow control devices in series, interruptions, are required on each distribution line whose opening may result in catastrophic consequences. At least 2 inhibits are required on lines whose opening may result in critical consequences.

2. One of these devices shall be fail-safe; it shall be capable of returning to the closed condition in the absence of an opening signal.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 38/106



3. Flow control devices shall isolate tanks from the remainder of the propulsion subsystem; these devices shall not be opened on ground.

4. Devices shall prevent propellant expulsion through thrust chambers. 5. Opening of any flow control device shall not result in an adiabatic/rapid compression

leading to detonation. 6. The leakage rate of valves shall be specified. 7. The opening of the mechanical devices shall be controlled by at least three independent

electrical inhibits that prevent firing of the engine. 8. Monitoring of the status of two electrical inhibits shall be available during ground

operations. Safety and flight plugs shall satisfy the requirements of the Launch Site Safety Regulations.

8.4.2 Failure Propagation

The Equipment/Assembly/Subsystem/System design shall minimise propagation of failure from the itself to the environment outside the Equipment/Assembly/ Subsystem/System. All Safety controls shall be designed with the intent of precluding failure propagation from one to another control in series.

8.4.2.1 Redundancy Separation

Safety critical redundant subsystems shall be arranged so that propagation of failure from main to redundant or vice versa is minimised.

8.4.3 Structural

8.4.3.1 Structural Design

Structural design Safety Factors and relevant Margins of Safety against yield and ultimate shall be provided in the Program General Design and Interface Specification.

8.4.3.2 Stress Corrosion

The selection of metallic materials used in the design of safety critical parts such as lifting points, support brackerty and mounting hardware shall comply with the Stress Corrosion Requirements (ESA ECSS-Q-70-36, Material selection for controlling stress corrosion cracking).

8.4.3.3 Pressure Systems

All pressure systems shall be leak tested at system MEOP (Maximum Expected Operating Pressure) at the range prior to its normal use.

8.4.3.3.1 Pressure Vessels

The requirements contained in the Launch Site Safety Regulations are entirely applicable. Moreover the pressure vessels shall fulfill the applicable Fracture Control Requirements (ESA ECSS-Q-30-01 ESA fracture control requirements).


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 39/106



8.4.3.3.2 Pressurised Components

Fittings, lines and all the other pressurised components shall have a safety factor against ultimate greater than or equal to 2.5.

8.4.3.3.3 Heat Pipes

Heat pipes shall have an ultimate factor of safety greater or equal to 4.

8.4.4 Hazardous Materials

Hazardous materials shall not be used without prior TAS approval for each individual application. Details of the types and locations of the items containing hazardous materials shall be given in a special section of the relevant handling istruction. In no case materials that may constitute a safety hazard shall be released or ejected. For materials used in hazardous fluid systems including propulsion, batteries and heat-pipes the following applies: a. Materials shall be compatible with identified fluids at the MEOP. b. The compatibility is required for all components wet at ground or foreseen to be wet in

flight. c. For components leak failure tolerant such as pressure transducers, fill and drain valves,

etc. the compatibility is also required for portions which shall be wet after barrier failure. d. Fluid compatibility versus material data must be provided.

8.4.5 Flammable Materials

It is good practice to: - Minimise the usage of flammable materials - Separate flammable materials to prevent flame propagation - Separate flammable materials from ignition sources to the maximum extent practicable.

8.4.6 Pyrotechnics Subsystem

a. All pyrotechnic subsystems and devices shall meet the Launch Site Safety Regulations requirements. In particular:

1. electroexplosive devices’ initiators shall be of 1A/1W/5mn no fire type.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 40/106



2. Electroexplosive devices shall be capable of withstanding a 25000 V discharge (pin to pin and pin to case) from a 500 pF capacitor.

3. Safe & Arm plugs in accordance with Launch Agencies safety regulations shall be implemented (short circuits, grounding, colours code and streamers).

Easy access for plugs installation or removal through the fairing shall be ensured. c. Arm connectors (i.e. flight connectors) shall be electrically connected after satellite

installation in launcher and electrical interface verification completed. Exceptions require specific Launch Site Safety Office approval.

Hazard classification of ordnance items shall be provided in accordance with dangerous goods

regulations.

8.4.7 Radiation Subsystem

It includes Electrical S/S, Antenna/RF S/S.

8.4.7.1 Non Ionising Radiation

The electrical subsystem shall not emit electromagnetic radiation that presents a hazard. For the antenna subsystem during an RF test, the RF hazard area (level greater than 1 mW/cm2 for unlimited exposure) shall be identified, roped off and controlled to prevent personnel exposure.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 41/106



8.4.8 Electrical Subsystems

Electrical power distribution shall be designed so that faults internal to subsystem: - do not damage launcher circuits - do not create ignition sources for satellite materials Double insulation shall be implemented for all the circuits directly connected to the main power bus, the batteries and the battery pyrotechnic bus. Electrical lines between EGSE and subsystem shall be protected by a fuse or a current limiter located in the EGSE. The relation between wire sizes, wire current capacities, wire maximum temperature and the ultimate trip limit current value of the protection device (fuse or current limiter) located upstream shall be stated. Heater temperature shall be evaluated in case of failed “ON” heater.

8.5 GROUND SUPPORT EQUIPMENT SAFETY PROVISIONS

GSE and ground operations shall be compliant with the Launch Site Safety Regulations. Anyway, use of KHB 1700.7 is strongly recommended for additional safety requirements especially regarding: - Personnel Safety (para. 4.2) - Electrical (para. 4.3.2) - Pressure systems (para. 4.3.3.1.2 and 4.3.3.1.3) - Propellants (para. 4.3.7) - Handling and Transports (para. 4.5). The tasks associated to the activity inherent to the fulfilment of these safety requirements - in addition to those required by the Launch Site Safety Regulations - shall be identified on a case by case basis and agreed individually. All GSE test equipment including RF test jig, brake-out box, etc..., shall be procured with the CE certification.

8.6 SAFETY ANALYSES

The safety engineer is responsible for assuring that both flight and ground equipment complies with the safety requirements of this document. The primary objectives of the safety analysis process is to ensure that the applicable Safety Requirements are met and to obtain concurrence with the safety assurance process conducted by the Launch Site Agency. The safety analysis can use inputs from other analyses (FMEA,


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 42/106



Fault Trees, Cause-Consequence Diagram, etc.). The analysis shall achieve the following objectives: - to identify the hazards applicable to the flight hardware, its GSE and ground processing - to assure that the hazard controls comply with the applicable safety requirements - to track the status of all identified hazards with catastrophic, critical, and significant

consequences up to their resolution and/or minimization. To allow the safety engineer to fulfill this job, the Subcontractors of safety-critical equipment shall supply him with safety analyses at equipment level to demonstrate that their project is safety addressed, controlled and achieved. The safety engineer shall analyze the documentation listed below provided by Subcontractors (both flight and GSE) and shall prepare the documentation at subsystem level which shall be submitted to TAS.

8.6.1 Safety Analysis Process

The safety analysis shall be started during the flight hardware/GSE concept phase with the Preliminary Hazard Analysis (PHA) and shall be refined and expanded as the design matures. Safety documentation shall be provided for design and ground operations of both flight and ground equipment. This safety documentation shall be provided at each main step in the program development. The safety analysis results shall be recorded on the Payload Hazard Reports (ECSS-Q-40B form figure B1 or JSC form 542 B) drawn up according to the instructions contained in ECSS-Q-40B and ECSS-Q-40-02 or in the Appendix A of NASA document JSC 13830 A containing the following data, as a minimum: hazard identification and classification - identification of applicable safety requirements - description of the hazardous events identification of the causes of the hazard - identification of the hazard controls and safety verification methods - status of verification: if the hazard causes (and the associated controls) are not under

Subcontractor control, they have to be documented in the Subcontractor safety analyses for being taken into account at system level.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 43/106



As input to the hazard analysis, the results of the FMEA shall be used, in order to identify catastrophic or critical ground, handling, test hazards which can be created by a single failure at any level.

8.6.1.1 Phase 0 Safety Review (Design Concept)

Inputs required: a safety oriented description of equipment, subsystem or system being studied, of its GSE and of its ground activities. applicable safety requirements Payload Hazard Report.

8.6.1.2 Phase 1 Safety Review (PDR or Equivalent)

Inputs required: a safety oriented description, including schematic and/or block diagram, of both flight and ground safety-critical System/Subsytems/Assemblies/Equipment and their operations applicable safety requirements a list and description of RFW/RFD/NCR having safety impacts a list of safety open points Payload Hazard Report, including appropriate support data, one for each significant hazard scenario identified in the safety analysis process.

8.6.1.3 Phase 2 Safety Review (CDR or Equivalent)

Inputs required: Phase 1 input data suitably updated; special emphasis shall be given to design changes since PDR (or equivalent); updated and additional, if any, hazard reports shall be prepared to reflect the completed design status a status of all actions items identified during phase 1 safety related failures or accidents.

8.6.1.4 Phase 3 Safety Review (Acceptance and Delivery)

Inputs required: Phase 2 input data suitably updated; special emphasis shall be given to design changes since CDR (or equivalent); hazard reports shall be completely finalised


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 44/106



a status of all actions items identified during phase 2 a list and summary of safety related failures or accidents encountered during and after qualification and acceptance testing of safety-critical flight and GSE hardware approved RFW/RFD, NCR etc. having safety impacts a list of eventual safety open points list of hazardous systems’ log books (e.g. pressure vessels) a list of Pyrotechnics (lot including serial number, certificate of conformance and DoD/IATA/UN-NATO hazard classification) a list of procedures for operations at the Launch Site procedures for hazardous operations, including those for a return to a safe condition and those for emergency in the event of an incident - proof tests data for pressurised GSE. For pressure vessels, the following data shall be included in the safety relevant analysis (summary of log book with): - maximum operating pressure - proof pressure - burst pressure - number of cycles above the maximum operating pressure - maximum level to which vessel was pressurised - date of proof tests. The actual log book shall accompany the pressure vessels.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 45/106



8.6.2 Flight Systems Hazard Report Data Submittal

As a minimum the following data shall be incorporated into the hazard analyses and hazard reports.

8.6.2.1 Control of Hazardous Functions

- Schematic diagram presented in a clear and easily readable form - identification of hardware and electrical inhibits - fault tree if necessary - analysis about inhibits independence identification of monitoring circuits and analysis to prove independence from inhibits circuits (in order not to compromise the safety of the inhibits) procedure reference.

8.6.2.2 Structural

Sketch of the hoisting points - Analysis about: - fail safe design of the hoisting points - safety factors against yield and ultimate - proof load test data metallic material choice versusregarding the high resistance to stress corrosion cracking.

8.6.2.3 Pressure Vessels

Status of compliance with Requirements for Safe Design and Operation of Pressurised Missile and Space Systems (MIL-STD-1522A) - metallic material choice versus stress corrosion cracking qualification and acceptance test plans - test results analysis showing pressure variation versus temperature on ground - Leak Before Burst demonstration test result for composite vessels having a non

hazardous leak before burst failure mode


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 46/106



material compatibility data as per paragraph ordnance 8.6.2.6 - same data as requested in paragraph 8.6.1.4 (Summary of log-book) safe operating limits Log books.

8.6.2.4 Pressurised Lines, Fittings and Other Components

Each component shall have clearly identified the: - Maximum Allowable Working Pressure (MAWP) - Maximum Expected Operating Pressure (MEOP) - external and internal leak rates - burst safety factor and qualification test reports - material compatibility data as per paragraph 8.6.2.6 - cross sectional drawing showing locations, input and output ports, flow sense, barriers

against fluids, etc. - material used including soft goods - model number, part number, manufacturer’s name, etc. - proof safety factor and acceptance test reports for proof and leak tests - fluid used during manufacturing, tests and operations.

8.6.2.5 Heat Pipes

- Material compatibility data as required in paragraph 8.6.2.6 - burst safety factor and qualification test reports including burst and cycling tests - acceptance test reports for proof and leak tests.

8.6.2.6 Hazardous Materials

- Fluid compatibility versus material data for materials used in hazardous fluid system such as propulsion, batteries, heat-pipes. Fluids lists shall include manufacturing, cleaning, test (including dye-penetrant) fluids

- listing and quantities of all hazardous materials, liquids and gases (including inert gases) used in the flight system or during the ground operations at the range

- provide material safety data sheets for all of those chemicals.

8.6.2.7 Pyrotechnics

- Compliance status with Electroexplosive Subsystem Safety Requirements and Test Methods for Space Systems (MIL-STD-1576)

- qualification and acceptance test results for EED in particular to prove: a. 1A/1W/5mn no fire b. 25 KV/500 pF requirement. - Sketch allowing physical location of EED - DoD/IATA/UN-ONU classification for EED - manufacturer reference and part number - EED and boosters drawings and cross sectional sketches


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 47/106



- chemical composition and characteristics, net explosive weight - description of function initiated by the pyrotechnic devices - drawings showing safe and arm plugs location - mechanical and electrical drawings of safe and arm plugs - firing control and monitoring circuits schematics, sequence of events which leads to

ordnance activation - analysis about independence of commands, controls and monitor circuits - analysis about EMC protection including: - 360 degree optical coverage - type of shields used - EMC analysis.

8.6.2.8 Non Ionising Radiation

- Exposure level versus distance - hazardous areas identification - transmitter peak power - type and size of antennas - antenna gain and illumination - operating frequencies - polarisation of transmitter waves

description of inhibits and other safety features which prevent inadvertent exposures.

8.6.2.9 Electrical Systems

- Description of power sources (batteries, etc.) - schematic showing power distribution, protection devices, circuits and lines needing

double insulation - comprehensive analysis about double insulation implementation and testing - analysis showing for power lines the relation between wire size, wire current capacity,

wire temperature and the ultimate trip limit current of the protection device located upstream

- analysis about temperature increase effects in case of failed heater “ON” in pressurised components such as pollution, battery, etc.

8.6.2.10 Hazardous Procedures

- Provide a list of procedures in which hazards are identified. The list shall be approved by Prime Safety Manager provide hazardous procedures approved by Prime Safety Manager.

8.6.2.11 Flammable Atmospheres

Electrical discharge: - list of all relays and similar ignition sources (thermostats, motor, etc.) - analysis showing protection against sparking hazard (sealed parts, containment, etc.)


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 48/106



- analysis showing grounding implementation (design, test) of parts which can generate electrostatic discharges

- analysis about current and voltage through umbilical connectors at lift off. Hot surfaces: - analysis identifying all surfaces (heaters, TWT, etc.) that have a temperature greater than

180°C - analysis showing inhibits and protections implementation.

8.6.3 Ground Support Equipment Report Data Submittal

As a minimum the following data shall be provided for GSE used at the Launch Site or with the project critical items (items whose loss would jeopardise the mission, program, budget, schedule or success of the program).

8.6.3.1 Mechanical Ground Support Equipment (MGSE)

- MGSE function description - sketch of MGSE permitting identification of critical welds and Single Point Failures - safety factors (against yield and ultimate) versus Maximum Safe Working Load (Design

Load) - Maximum Safe Working Load and Actual Operating Load - identification of parts needed to be disassembled - proof test factor - acceptance test reports including NDI of critical welds - materials of construction (mainly those involved in the load path) - list of interfaces with flight hardware - for hoisting points, if any, same information of paragraph 8.6.2.2. is required.

8.6.3.2 Electrical Ground Support Equipment (EGSE)

- Schematic showing power distribution, protection devices, circuits and lines needing double insulation

- comprehensive analysis about double insulation implementation and testing - analysis showing for power lines the relation between wire size, wire current capacity,

wire temperature and the ultimate trip limit current of the protection devices located upstream.

- analysis showing that electrical equipment of GSE to be used in hazardous explosible atmosphere are explosion-proof.

8.6.3.3 Tanking GSE

- TGSE description and its operating modes - TGSE schematic diagram showing the MEOP in the different portions - MAWP and MEOP of all pressure system elements - safety factors of all pressure system elements


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 49/106



- actual burst safety factor if available - proof pressure value for each system element - materials used in fabrication of each element including soft goods - cycle limits if fatigue is a factor in the system - model number, part number, manufacturer’s name for each component - safety data for vessels - sketch/drawing/cutaway for each element - temperature limit of each element - failure mode of each component - material compatibility - NDI and welding procedure certification - certification data for vessels designed to comply with an official standard - relief valve pressure settings and flow rates - system fluids and maximum expected temperatures - pressure range of all gages - pressure setting of all pressure regulators - vessel capacity and relevant vessels data - tubing diameter and wall thickness - flow paths - TGSE structural stress evaluation - operational cycles life - test and operating procedures - Log books.

8.7 SAFETY REVIEWS AND MEETINGS

Safety matters shall be reviewed regularly as part of the Program/PA Progress Meetings at all levels. Additional Safety reviews shall be held on a case-by-case basis where specific needs or problems are identified by the SENTINEL-1 program or when required by the Safety Launch Authority.

8.8 SAFETY AUDITS

The safety engineer shall perform audits in addition or in conjunction with quality audits at his own and at the Subcontractors facilities, to verify conformance to the safety requirements. In particular safety audits shall be carried-out prior to any operation or test which can determine: - potential hazard consequences to personnel or hardware - high risks of jeopardizing the SENTINEL-1 program in terms of schedule, impact, budget,

etc. - involvement of particular valuable test hardware, facilities or efforts during ground

activities - difficulties during safety critical items integration. The safety engineer shall inform the TAS of the audit schedule, and right of access for participation by Prime to these audits.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 50/106



8.9 SAFETY TRAINING AND CERTIFICATION

The safety engineer and his Subcontractors shall provide training and, where applicable, certification of the personnel involved in hazardous operations and activities, and shall identify tasks requiring personnel training and certification. A current status of certification shall be maintained in records oriented to operations, configuration, and locations. Protective devices and emergency equipment shall be identified and included as part of safety training. Hazards shall be brought to the attention of trainers. Proficiency demonstrations of training, to a feasible degree, are required for hazardous operations.

8.10 ACCIDENT/INCIDENT REPORTING AND INVESTIGATION

Accident/incident investigation and reporting shall be treated as non-conformances and handled under the provisions stated in the non-conformance requirements.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 51/106



9. EEE COMPONENTS

9.1 GENERAL

The requirements described in this document are applicable to all EEE parts used on the entire satellite (platform and payload) The subcontractor shall comply with all the general and detail requirements of ECSS-Q-60A with any amendment specified herein. The users shall describe in their Product Assurance plan all the activities dedicated to the EEE parts and implemented in conformity with this document (ISO 14621-2 may be used as a guideline).

9.2 RESPONSIBILITY

The user is responsible for controlling the satisfactory completion of these requirements throughout all phases of flight hardware development, manufacturing and logistic support. After parts approval by Alcatel Alenia Space the user will remain responsible for parts to be used.

9.3 Engineering requirements for parts

9.4 General

Each user of EEE parts shall ensure that the selected parts shall be capable of meeting the operating stability, environmental, material, safety, quality, and reliability conditions defined for applicable program. The following items shall not be considered EEE components and will be controlled at unit or higher level by the relevant disciplines:

– intermediate products containing discrete components on substrates, PCBs etc. – solar cells, – cells in batteries, – HF sub-assemblies such as coaxial cable assemblies or waveguide elements, – TWTs, – RF switches, coaxial or waveguide


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 52/106



9.5 Parts selection

9.5.1 General rules

The EEE parts selection (parts and manufacturers) shall be based on a review of quality and reliability technical data and it shall be taken into account the following : a. Maximum use of European parts.

b. Use of previously qualified parts with established reliability history.

c. Minimization and standardization of the number of different generic part types and families.

d. Early identification of parts under Export license restriction (ITAR)

e. Long term procurement availability of parts. Multiple sources are preferred.

f. Application of derating requirements shall be verified by design assurance.

g. Tolerance to radiation exposure including total dose, single events and displacement damage effects for active parts.

EEE parts shall be selected to withstand all environmental conditions specified for the project. Parts shall be selected on the basis of proven qualification and/or flight experience from qualified manufacturers or sources employing effective Product Assurance Programs.

When selecting items that have been previously qualified, the user shall pay particular attention to the current data, applicability of the basis of qualification, and adequacy of specifications. If this status is not acceptable, the user or the agency shall implement an evaluation program to comply with the requirements specified here. All parts selected for use shall be listed on the DCL (Declared Components List) described in paragraph 9.10.4.

9.5.2 Prohibited Parts

The part types listed below shall no be used in any flight hardware .

• Non metallurgically bonded diodes

• Chips non passivated on active area

• All semiconductors technologies using SI3N4 passivation in RF applications.

• Non-hermetically sealed semiconductor devices.

• Wet slug tantalum capacitors other than capacitor construction using double seals and a tantalum case ( MIL-PRF-30006/22,/25,/30,/31 “H” suffix) or ESA/ESCC qualified types.

• Potentiometers.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 53/106



• Inductors using breakthrough technologies

• Common Mode, Choke inductors using adjacent enamel wires

• TO5 relays without double welding or with integrated diodes.

• Any parts using Pure Tin or Tin electroplated surfaces. When Pure Tin is identified at Part Level, the user shall provide a Tin whisker mitigation strategy ( i.e. Tin reflow with lead , antimony or bismuth alloy on a 100% surface coverage after assembly).

9.5.3 Parts selection

The primary source of components shall be the European Manufacturers in the European Preferred Parts List (ECSS-Q-60-01). A justification for the use of non-European components shall be submitted to Alcatel Alenia Space and ESA for approval. These components shall be selected such that they are not affected by trading barriers. The selection of parts shall be based on the knowledge regarding technical performance, qualification status, and history of previous usage in similar applications. Preference shall be given to parts from sources that would necessitate the least evaluation/qualification effort.

In these circumstances preference shall be given to the following parts, but the parts listed shall be approved for use only if Alcatel Alenia Space approval is given (see paragraph 9.10 Parts approval):

• Parts from ESA/ESCC Qualified Parts List (ESA/ESCC QPL).

• Parts approved for other equivalent space programs.

• Parts that have met qualification requirements of non European standards for space flight usage (MIL, NASA, NASDA)

• Parts listed in the NASA Goddard Space Flight Center Preferred Parts List.

• Parts listed in MIL specifications and standards and European documents.

• Parts, being usually available commercially and having the capability to be used in space applications may be selected when ESA/ESCC or MIL High Reliability part does not allow to meet the program performances .

These parts shall be identified in the Critical Items List (CIL). When these parts are selected further engineering evaluation as described in paragraph 9.13.1 - Part evaluation. Procurement shall be done according internal user methodology (paragraph 9.9: procurement requirements not applicable).

Selection and procurement shall be agreed during the PAD approval process as described in paragraph 9.10: Parts approval.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 54/106



All parts that require further substantiation shall be submitted to the evaluation and approval program (refer to paragraph 9.13.1 "Part Evaluation : evaluation program" and paragraph 9.10 «Parts approval»).

9.6 Radiation sensitivity

Parts shall be reviewed as defined in paragraph 13 to meet the Sentinel 1 environment requirements.

9.7 Derating

Parts shall be reviewed for derating as defined in ECSS-Q-30-11. Caution Information on Electromagnetic relays : It is reminded , that the use of any coil voltage less than the rated coil voltage will compromise the operation of relays. Pick up , hold and dropout voltages are for test purposes only and are not to be used as design criteria. For additional application and caution information, see § 6.1 of MIL-PRF 39016.

9.8 Materials

Materials used in EEE parts shall be in accordance with the requirements in paragraph 10 to meet the Sentinel 1 requirements.

9.9 Procurement requirements

9.9.1 Minimum screening requirements

All parts to be incorporated into flight hardware shall be submitted to screening tests. The screening test requirements shall be designed so that accumulated stress will not jeopardize parts reliability. Parts shall be procured to the screening requirements of MIL or ESA/ESCC specifications as specified in table A1 and associated notes. When parts are not available to the specifications defined in table A1 they shall be procured to source specifications based on appropriate MIL or ESA/ESCC specifications .

These source specifications shall be agreed during the PAD approval process.

For MIL passive devices procured in accordance with the MIL-ER specifications or the MIL-PRF specifications addressing a failure rate level, the failure rate level selected shall be no less than failure rate level « R » for the exponential distribution or failure rate level « C » for the Weibull Distribution.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 55/106



All screening tests shall be performed by the parts manufacturer or at approved test houses.

9.9.2 Lot Acceptance Testing (LAT)/ Lot Validation Test (LVT)/ Quality Conformance Inspection (QCI)/Technology Conformance Inspection (TCI)

9.9.2.1 ESA/ESCC System qualified parts

LAT on procured lot is not requested due to periodic lot validation tests performed by the manufacturer and monitored by Space Agencies.

9.9.2.2 MIL-System qualified parts

QCI or TCI tests to be performed by the manufacturer are in accordance with the quality level of the MIL specification.

9.9.2.3 LAT/LVT/QCI/TCI for non-qualified Parts

For non qualified parts purchased to a Source Control Drawing LAT, LVT, QCI or TCI shall be performed in accordance with the closest applicable ESA/ESCC or MIL specification. The sample size for expensive parts may be reduced as agreed and specified in the appropriate PAD.

Based on past experience with the same part from the same manufacturer LAT, LVT, QCI or TCI will be decided on a case-by-case basis if there is data that demonstrates the part type under consideration consistently passes this testing and there have been no changes to the manufacturing process and no changes to the part design and construction. These data shall be less than two years old. However, LAT2 (or equivalent QCI) shall be implemented for certain families, as follows, regardless the history of the manufacturing line or previous LATs: • LAT2 per assembly date code is required on non-qualified chip solid Tantalum capacitors,

crystals, fuses, relays • LAT2 per wafer lot is required on non qualified microwave diodes, integrated circuits (chart F4 subgroups 2 and 3 per ESCC9000), MMICs and microwave transistors

Corresponding justification shall be available during the PAD approval process. Without this type of data it is required to perform LAT, QCI or TCI on a lot basis in order to accept the lot in accordance with the closest applicable ESA/ESCC specification or MIL specification.

9.9.2.4 Use of life test samples

Sample semiconductor and crystal units, from lots which have passed screening tests and quality assurance inspections, and which have been subjected to life test as specified in LAT/LVT/QCI/TCI may be used as flight model units if, during life test, the absolute maximum


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 56/106



ratings limits are not exceeded and if the sample units pass final electrical tests in accordance with the applicable device specification.

In any case an RFD is required and shall be submitted to Alcatel Alenia Space/ESA for approval.

9.9.3 Special parts, components and units requirements

9.9.3.1 EEPROMs

EEPROMs procurement specification shall specify the performance of "Data Retention tests" with the appropriate electrical charge (i.e "0" or "1"). The following sequence shall be performed.

• Data retention tests for 12 hrs at maximum rated speed and temperature and with write protect disabled (100% of the devices - devices programmed with ~97% of “0”s)

• Static burn during 72 hrs at +125°C, + dynamic burn during 240 hrs at +125°C (100% of the devices - devices programmed with ~97% of “0”s)

9.9.3.2 Application-Specific and Custom Integrated Circuits, Programmable devices

All ASICs and FPGAs shall be considered as non-standard parts and therefore controlled via PAD agreement. TAS and ESA reserve the right to request complete visibility and to attend to any stage of design and development of custom ASICs and FPGAs for the project. ECSS-Q-60-02 Draft will be considered as guideline for the design requirements. Initial procurement of Application-Specific Integrated Circuits (ASICs) and Custom Integrated Circuits (CICs) shall be made according to the screening requirements of Appendix B, a Technology Conformance Inspection (TCI), or Lot Acceptance Test (LAT) satisfying the qualification requirements. Subsequent procurements shall require screening only, without a TCI/LAT.

Validation and quality assurance of the designs related to programmable devices, and ASIC shall be done. A final design review report and the prototype parts validation results shall be available for review according to the statement of work defined for the applicable program. These devices shall be procured in accordance with the paragraph 9.9.1 minimum screening requirements. For one time programmable parts the procurement of unprogrammed parts may be done in accordance with MIL-PRF-38535 class Q instead of class V as defined in paragraph 9.9.1 minimum screening requirements. In both the cases ( QML-Q or QML- V procurement ), the paragraph 9.9.2.2. or 9.9.2.3. shall be applicable for LAT, QCI or TCI. For “one-time” programmable devices, e.g. PROM or anti-fuse type FPGA, where the programming physically alters the device configuration, a technical specification describing the programming procedure and post-programming screening and testing to be applied to the device shall be prepared. This detail specification should be supplied with the associated PAD for approval.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 57/106



This specification should consider the following elements; Method of calibration, i.e. verify that the programmer equipment passes all the diagnostic

checks Verification of status of the program of the programming equipment Method of configuration, i.e. by using data from computer mass memory and use of

reference devices Method of identification of each program configuration, i.e. the part number to be assigned to

each device Use of Manufacturer’s 100% serialization to maintain traceability Programming procedure, i.e. current / voltage waveform to be applied. Only 1 programming

cycle is allowed Method of verification of the contents of the programmed device Corrective actions in case of a programming failure. An analysis shall be carried out if the

number of failures for each lot/date code that are programmed relying on the same programmer calibration exceeds 15%

Electrical measurements, in accordance with the part specification (read and record optional) Burn-in test, according chart III of ESCC Generic Specification No. 9000 Electrical verification of correct programming and electrical measurements pre- and post-

burn-in. The maximum PDA shall be 5% for each lot/date code. If the PDA is higher than 5% the lot

shall be rejected and submitted to Material Review Board disposition.. Prior to incorporating the programmable parts into flight hardware, they are programmed according to the specific requirements of circuit in which the part will be used. The up-screening sequence (subgroup 1) and programming/post programming sequence (subgroup 2) shall be performed according to Note 24 of Table A1. The full test sequence shall be agreed during the PAD approval process.

9.9.3.3 GaAs FETs

9.9.3.3.1 Small signal GaAs FETs Small signal GaAs Field-Effect Transistor (FETs) testing shall be in accordance with the requirements of Appendix B supplemented by the manufacturer's tests that are specific to the characteristics of this process.

As a minimum, the tests on packaged devices shall include:

1. Sample wafer lot acceptance test to evaluate the reliability of the multi-layer metallization under accelerated conditions prior to committing the wafer to production. If the device is qualified or if reliability data are available, the sample wafer lot acceptance test need not to be performed.

2. One hundred percent screening tests shall include burn-in at a ambient temperature of +125°C under DC conditions or equivalent.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 58/106



3. A 1000-hour life test on packaged devices at a ambient temperature of +125°C or equivalent will be performed on a representative sample. A time temperature regression may be applied to the life test provided the testing is consistent with the activation energy at the part being evaluated.

Proposed screening shall be agreed during the PAD approval process.

9.9.3.3.2 Power GaAs FETs Power GaAs FETs with power rating greater than 1.0 watt, testing shall be in accordance with the requirements of Appendix B, supplemented by the manufacturer's tests that are specific to the characteristics of this process.

As a minimum, the tests on packaged devices shall include: a. Sample wafer lot acceptance testing shall be performed, prior to committing the wafer to

production. It will evaluate the reliability of the multi-layer metallization, and conductivity of semi-insulating wafer substrate material. If the device is qualified or if reliability data are available the sample wafer lot acceptance testing need not to be performed.

b. One hundred percent screening tests shall include as a minimum:

1. DC Burn-in at 125°C minimum ambient or maximum rated channel temperature,

2. Thermal resistance on a sample basis shall be measured on all GaAs FETs part types.

3. DC and RF electrical measurements shall be performed.

c. Sample accelerated life test shall be performed on each lot after completion of the screening at a channel temperature of +200°C at the rated DC bias conditions for 168 hours minimum or equivalent conditions. The test will verify the Mean-Time-To-Failure (MTTF) of the wafer under the maximum ratings of the part and correlate the results with the manufacturer's data for the same part type.

The power GaAs FETs shall be selected with sufficient margins so that the maximum ratings are not exceeded during the tuning operations. Also, the tuning set-up must incorporate controls to limit the level of the input power applied during the tuning operation. In case the maximum ratings are exceeded, the user of the power GaAs FET shall maintain a record for the tuning parameters and power levels and the duration at which the part is operating under these levels. The power GaAs FETs will be selected and acceptance criteria defined to demonstrate unconditional performance stability after manufacturing and burn-in (operating in a safe area in overdrive conditions). Proposed screening shall be agreed during the PAD approval process.

9.9.3.4 In-house manufactured parts

In-house manufactured parts are defined as All EEE parts that are manufactured by the User (e.g. coils and transformers) in accordance with user processes and internal process procedures. Examples of in-house manufactured parts are hybrids and magnetics (coils and transformers) shall be documented through specifications / source control drawings.

In Minimum screening requirements shall be those of the nearest applicable ESCC or space


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 59/106



level MIL specification; for other in-house parts the screening sequence and the lot acceptance shall be defined and submitted via PAD to ASI for information.

9.9.3.4.1 In house manufactured Hybrids

All in-house hybrids are considered as EEE parts and shall be hermetically sealed. All in-house manufactured hybrids shall be qualified, manufactured, and screened in accordance with ECSS Q-60-05A level 1 or MIL-PRF-38534 Class K (for non European sources only) or alternate document, approved by Alcatel Alenia Space and ESA. The qualification of the die mounting shall be performed by the hybrid manufacturer in order to validate and demonstrate ( see § 9.13 ) the compatibility between the micro component and the hybrid manufacturer processes . A complementary qualification shall be performed whenever micro component definition (design, processes, mask ) has changed. Each micro component (active or passive) lot shall undergo a User Lot Acceptance Test (LAT) or element evaluation in accordance with ECSS Q-60-05A level 1 or MIL-PRF-38534 Class K (for non European sources only) or alternate document, approved by Alcatel Alenia Space and ESA. Bondability test and shear test or SAM (Scanning Acoustic Microscope) shall be performed on at least 4 assembled (with hybrid manufacturer process) micro component (active and passive) per lot according to MIL-STD-883 Method 2011and 2019. For selection and procurement of MMIC and RF discrete dice the ECSS-Q-60-12 shall be applied. A PAD sheet shall be issued for each in-house manufactured part or family Each micro component ( active or passive ) contained in an in-house manufactured hybrid shall be documented either in a PAD sheet or in a list attached to associated PAD hybrid. A PAD sheet shall be issued for each in-house manufactured part or family. Each element contained in an in -house manufactured hybrid shall be documented either in PAD sheet or in a list attached to associated PAD hybrid.

9.9.3.4.2 Magnetics ( Inductors and transformers)

All in-house manufactured magnetics shall be manufactured according to PID, qualified and screened as defined in MIL-STD-981. A PAD sheet shall be issued by Sub-Contractors for each in-house manufactured part or family. Choke inductors used in power supply as common mode EMC filter , shall not use adjacent enamel wires for V+ and V- lines.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 60/106



9.9.3.5 Procured hybrids

All procured hybrids are considered as EEE parts and shall be sealed hermetically.They shall be manufactured in a validated hybrid line, qualified and screened in accordance with ECSS Q-60-05A level 1 or MIL-PRF-38534 Class K (for non European sources only) or alternate document, approved by Alcatel Alenia Space and ESA. The qualification of the die mounting shall be performed by the hybrid manufacturer in order to validate and demonstrate ( see § 9.13 ) the compatibility between the micro component and the hybrid manufacturer processes . Complementary qualification shall be performed whenever micro component definition (design, processes, mask ) has changed. Each micro component (Active or Passive) lot shall undergo a User Lot Acceptance Test or element evaluation in accordance with ECSS Q-60-05A level 1 or MIL-PRF-38534 Class K (for non European sources only) or alternate document, approved by Alcatel Alenia Space and ESA. Screening shall be performed as defined in paragraph 9.9.1.: Minimum screening requirements. A PAD sheet shall be issued for each procured hybrid Each micro component ( active or passive ) contained in a procured hybrid shall be documented either in PAD sheets or in a list attached to associated PAD hybrid and be available no later than the Precap Inspection event.

9.9.3.6 RF switches

The RF switches, coaxial or waveguide types, shall be considered as an equipment and, in this case, the user shall follow the equipment requirements.

9.9.3.7 Ancillary RF Components

Ancillary RF components (e.g. coaxial coupler, directional divider, isolator …) that are embodied within other equipment units are considered as EEE parts. For these components, parts, materials and processes lists will be available from Manufacturer file data documentation (on request ) or from part evaluation (see § 9.13.1: Part evaluation).

9.9.3.8 Non Qualified, low ESR, Solid Tantalum Chip Capacitors

When ESA/ESCC or MIL High Reliability parts does not allow to meet DC converters performances, non extended ranges of commercially available low ESR, high CxV, Solid Tantalum Chip Capacitors may be used in flight hardware, providing :

• Successful results on all steps of §9.13.1 : Part Evaluation Program


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 61/106



• Granted lot homogeneity and availability of minimum Weibull B or ESA/ ESCC/ C reliability level

• Description, results, and approval of screening flow performed by the manufacturer

• Successful life test on each lot ( by CxV Value and by Date code) with zero

• 100% surge current screening for all surface mounted tantalum capacitors as defined in MIL-PRF- 55365 Issue F, §1.2.1.7 condition B or C or as defined in ESA/ESCC 3002, § 9.22

The above data shall be presented together with the PAD sheet for approval. Life test results and Surge current testing results shall be available before parts assembly.

9.9.3.9 Qualified, Surface mounted tantalum capacitors .

100% surge current screening shall be performed for all surface mounted tantalum capacitors as defined in MIL-PRF- 55365 Issue F, §1.2.1.7 condition B or C , or as defined in ESA/ESCC 3002, § 9.22

Surge current screening results shall be available before parts assembly.

9.9.3.10 ELECTRO-OPTICAL DEVICES

These devices are considered non-standard and shall be approved via PAD submission procedure.

For components not covered by a generic specification the supplier shall propose specifications and procedures which shall be coherent with the general quality/reliability and control requirements of the project.

9.9.4 Radiation lot acceptance testing (RADLAT)

EEE components shall be submitted to RVT when and as defined in paragraph 13 to meet the Sentinel 1 requirements.

9.9.5 Procurement specification

EEE parts intended for use on flight hardware shall be procured to controlled specifications. The users or agency shall use, to the maximum extent, the ESA/ESCC or MIL procurement specifications with the additional screening tests or details identified in Appendix B. When using other systems, they shall be able to demonstrate that the specification fulfills the applicable


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 62/106



requirements. New specifications shall be based on ESA/ESCC or MIL formats. These shall include at least the following:

• Specification of primary and critical electrical and mechanical parameters. • Screening requirements, burn-in, and acceptance requirements. • Delta limits when applicable. • Criteria for percent defective allowable (PDA). • Lot Acceptance Tests/Quality Conformance Inspections/Technology Conformance

Inspections. • Marking. • Storage requirements. • Requirements for lot homogeneity. • Serialization (when applicable). • Protective packaging and handling requirements.

The users or agency specifications shall include control requirements that ensure that any change of the product that affects qualification, performance, quality, reliability, and interchangeability is communicated by the manufacturers to the part user or agency.

9.9.5.1 Upgrading/Screening

Parts with a screening not compliant to minimum screening requirements as defined in paragraph 9.9.1. but which are manufactured with constructions acceptable to flight hardware may be upgrade screened for use in flight programs.

For parts to be upgraded Customer Source Inspections (CSI) are not mandatory and Destructive Physical Analysis (DPA) shall be performed in accordance with paragraph 9.13.1 for qualified and non qualified parts.

The upgrade tests (screening and lot acceptance) shall be agreed during the PAD approval process.

9.9.6 Off-the-shelf parts

When necessary, parts from existing stocks may be used, provided the following requirements are met:

a) The parts must be from a bonded store (including manufacturers stock). b) Lot homogeneity and traceability can be demonstrated. c) The EEE Parts documentation including qualification, LAT, QCI, or TCI documentation of the

parts concerned is available and the content is acceptable (Radiation test results to be included if necessary).

d) Minimum screening requirements are in accordance with Appendix B. e) No alerts exist against the relevant lot/date code.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 63/106



Re-lifeing of stock parts requires electrical measurement of critical electrical parameters, hermeticity ( when applicable), solderability and visual inspection performed by sampling on parts with lot date code which indicates more than 6 yrs will have elapsed from date of manufacture to date of intended installation. Alcatel Alenia Space procedure RTE-ASPI-PN-14-E defines criteria for re-lifeing operations by parts family depending on parts date code of manufacture to date of installation in equipment. Sub-contractors shall either use Alcatel Alenia Space procedure or submit for approval an equivalent internal re-lifeing procedure with applicability criteria No parts shall be used which exceeds 15 years from the date of intended installation in an equipment.

9.10 Parts approval

9.10.1 Approval process

The EEE documents (PAD, DPL, parts radiation data review) shall be submitted to Alcatel . The following documents shall be approved by Alcatel Alenia Space prior to delivery of flight hardware :

• PAD • DPL

• Radiation Approval Documents ( If not treated in PAD )

9.10.2 Parts Control Board (PCB)

The user shall establish internal procedures to select and approve all parts for use. Representatives from the PA and design disciplines and parts specialists as necessary shall be involved in this task. A PCB or equivalent internal procedure shall be established by each of the subcontractors and shall be operated independently. The main objectives of the system PCB is to achieve:

a. Parts types reduction. b. Identification of tasks to be performed, such as:

1. Part evaluation. 2. Specification writing. 3. Specification amendment writing. 4. Manufacturer evaluation. 5. Approval, recommendation and special instruction to users or agency. 6. Management and control of the part procurement programmes at all levels 7. To review the procurement status and to identify risks, e.g U.S. parts under Export license

restrictions (ITAR) The PCB shall operate on a regular basis.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 64/106



Periodical dedicated meeting, Sentinel 1 Parts Control Board, are convened between users, TAS-I and ESA. The PCB members have the following tasks:

- To manage and control the part procurement program at all levels - To implement the Parts Approval cycle through PAD approval including review of

part/manufacturer evaluation/qualification plan and test reports (if applicable), status of qualification, approval of procurement specifications, quality and lot acceptance levels and procurement inspections, DPA, radiation sensitivity assessment.

- To review the procurement status and to identify risks like U.S. parts under Export license restrictions, ITAR.

- To assess parts technical issues such as Nonconformances, Waivers, Deviations and alerts.

PCBs will be held as a minimum until the approval of all parts has been finalized and the procurement of most critical items successful concluded.

9.10.3 Parts Approval Document PAD

Approval of parts shall take place through a PAD (Parts Approval Document).

The user shall issue PAD sheets for all self procured parts, all Agency procured and all in-house manufactured parts (refer, for guideline as a minimum to PAD sheet forms in appendix B) and shall submit them for approval to Alcatel Alenia Space and ESA.

PAD are required for all EEE Parts , including:

• ESA/ESCC qualified parts;

• qualified Military class level S parts, Class V parts, Class K parts, Jan S parts;

• QPL listed ER (level R, exponential, or level C ,Weibull) MIL passive parts;

• QPL listed Military specifications passive parts (allowed if listed in NPSL).

The above list defines the Standard parts. For Standard parts the PAD approval is not required.

All PAD field shall be documented. PAD Technology/Characteristic field and NSPAR field 15 shall provide information regarding material and warn for any Pure Tin finish. Lack of such information is a PAD rejection criteria.

9.10.4 Declared Components list (D.C.L)

The user shall provide a D.C.L. to Alcatel Alenia Space for approval.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 65/106



The D.C.L. shall show only parts used or mounted on flight hardware. This shall be provided in hard copy paper format and in electronic sortable format (Excel or Acces for example). The D.C.L. shall cover the following items :

• generic designation • part number (as shown in detail specification) • part type (commercial reference) • manufacturer (name, country) • specification reference • quality level • PAD sheet number • Identification of parts subjected to radiation lot testing. Single Event Effects Linear Energy

Transfer (SEE LET) threshold and/or total dose sensitivity level (when applicable) must be reported.

• Remark field: in this field “standard part” shall be reported if the part is Standard. • Date Code. In case of procurement from stock, date of relife activities if applicable.

9.10.5 Radiation Approval Document

The user/agency shall issue Radiation Approval Document sheets as defined in paragraph 13.

9.11 Quality assurance for parts

9.12 General

A special chapter of the user Product Assurance plan shall describe the implementation of these requirements including methods, organizations, and documents used to control the selection and procurement of parts. An organization chart shall be included, which illustrates the user parts organization and the interface relationships with other functional groups. A description of PCB membership and responsibility including designation of personnel responsible for parts engineering tasks shall be included.

9.13 Manufacturer and part selection

The user or agency shall ensure that the parts are procured from the selected manufacturer with compliance to the requirements defined in this document.

In case that a valid and acceptable qualification cannot be demonstrated, a Part Evaluation program, as defined here below, shall be implemented.

The content and extent of such a program requires approval as defined in the Parts approval section of this document

Sample parts used for evaluation shall be representative of flight model parts.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 66/106



9.13.1 Part evaluation program

The evaluation program shall cover the following elements:

• Constructional analysis.

• Manufacturer assessment.

• Evaluation testing.

When several part types from a single part family are considered for use, the evaluation program may be conducted on a representative sample of part types from the part family.

9.13.1.1 Constructional analysis

Constructional analysis on parts shall be carried out. The primary aim of constructional analysis is to provide an early indication of the probability that the selected part will meet the qualification requirements and the operational goals of the concerned program. It is therefore essential that:

a) The standard of fabrication and assembly is fully assessed to identify any area where modifications are required or where specific tests or inspection points should be included within the procurement specification or during procurement.

b) All potential failure modes are identified in order to assess the need for additional tests. c) Assurance is obtained that no materials or processes have been employed that are likely to

deteriorate over time and cause malfunction. The findings of the analysis shall be contained within a Constructional Analysis Report and shall be included as an independent section of the overall Evaluation Report and shall be available for review.

9.13.1.2 Manufacturer assessment The purpose of the evaluation of a manufacturer is to assess his capability, to ensure the adequacy of his organization plant and facilities, and to ascertain his fitness to supply parts to the appropriate specifications for space application. This evaluation shall include, but not necessarily be limited to, a survey of: a) The overall manufacturing facility and its organization and management. b) The production line used for the part. c) The manufacturer's system for inspection and manufacturing control including all relevant

specifications, procedures, and documents. The complete manufacturer evaluation shall be included as a section of the evaluation report and shall be available for review.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 67/106



9.13.1.3 Evaluation testing After successful completion of the constructional analysis and manufacturer evaluation, evaluation testing shall be performed. This assessment shall determine which inspections or tests are required to provide the confidence that the part type under evaluation will, when assembled and tested in accordance with the procurement specification, successfully meet the mission requirements.

Sufficient data must be available upon completion of the evaluation program to demonstrate part stability. In addition, evaluation testing will be required where any of the previous stages have identified any anomaly reflecting a design, material, or process weakness that could shorten the active life of the concerned part and that may not be identified during the final production testing or screening tests included in the procurement specifications.

Because of the wide range of possible anomalies or weaknesses that would require evaluation testing, it is not possible to define the precise test program to be followed; however, the types of testing to be considered would include: a. Electrical stress, such as accelerated life testing, high temperature reverse bias, or

endurance testing, normally used to assess stability. b. Mechanical stress, including shock, vibration, and centrifuge, to evaluate the robustness of

the assembly. c. Environmental stress, such as thermal shock or cycling, high- or low-temperature storage,

and seal tests, etc., to evaluate package integrity or a particular facet of the design expected to be susceptible to temperature extremes.

d. Radiation testing, (see paragraph 13).

The proposed test program, the test methods, and sample size shall be approved as defined in the Parts Approval section of this document, before test commencement, and shall be available for review. After completion of the evaluation testing, a final review of the proposed procurement specification shall be carried out to determine if the obtained results will have an impact on the content of the procurement specification.

9.13.1.4 Evaluation report

The full details of the evaluation testing, the results achieved, and an overall assessment of the complete evaluation program shall be included within the evaluation report, which, once complete, shall be available for approval as defined in the Parts Approval section of this document.

9.14 Radiation characterization

Radiation tests shall be performed to assess the parts sensitivity for the program environment as indicated in paragraph 13.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 68/106



9.15 Procurement control

The user for self procurement parts or the agency for the other parts is responsible for the maintenance of manufacturer surveillance and control throughout the procurement program. The requirements defined within the present document shall be met, through any surveillance or control measures considered necessary to ensure that the manufacturer meets the obligations of the purchase order and procurement specification(s). All major inspection points shall be identified within the PAD.

These source inspections, including precap and test witnessing, shall be carried out in accordance with Appendix B by the user or agency inspectors or their approved representatives.

Final source inspection of delivery lots will be conducted before shipment to ensure conformance with requirements of the POs, procurement specification(s) and data requirements. This source inspection shall include final acceptance test witnessing as required. The final source inspection may be replaced by analysis of data package during incoming inspection. Surveillance visits may be extended by spot checks and LAT/QCI/TCI monitors as appropriate to ensure conformance with process identification document and procurement specification(s). For qualified Military class level S parts, class V parts, class K parts, JANS parts, QPL listed Military specifications passive parts and ESA/ESCC qualified parts, as defined in table A1 including the required quality level, the customer source inspections (precap and final source inspections) are not required.

But the following exceptions shall be applied : for crystal units, procured hybrids, relays and oscillators controlled (in each case for qualified and non qualified parts), the precap source inspections shall be performed by the users or agency or their approved representatives.

9.16 Incoming Inspection

9.16.1 General

Incoming inspection shall be performed on parts to verify compliance with the procurement specifications and purchase order requirements. This inspection shall include as a minimum:

a. Review of the delivered manufacturer documentation. b. External visual inspection. c. Destructive Physical Analysis required for part types specified in Appendix B.

Any part or lot of parts not accepted at incoming inspection shall be dispositioned in accordance with the program non conformance system defined in paragraph 6.3 of this plan.

The results of the incoming inspection and any additional performed test shall be documented and held on file at the user/agency facility for a duration determined by the contract.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 69/106



9.16.2 Destructive Physical Analysis (DPA)

DPA shall be performed by the user or by agency for part types specified in Appendix B.

DPA shall not be required for qualified Military class level S parts, class V parts, class K parts, Jan S parts, QPL listed ER MIL passive parts, QPL listed Military specifications passive parts and ESA/ESCC qualified parts, as defined in table A1 including the required quality level.

But the following exceptions shall be applied : for crystal units, relays, fuses , procured hybrids, oscillators controlled and tantalum capacitors .The DPA shall be performed , in each case, for qualified and non qualified parts.

DPA quantity may be reduced for expensive parts.

The user/agency shall prepare and implement DPA procedures that define the methods and accept/reject criteria for inspecting the materials ( Pure Tin identification ) , design, construction, and workmanship of the part. These procedures shall be available for review by Alcatel Alenia Space/ESA.

The user/agency or independent laboratories (test houses) (when approved by the user/agency) shall perform DPA. DPA may be performed by the manufacturer of a part if witnessed by the user/agency (or approved representative).

The DPA reports shall be available to Alcatel Alenia Space for review. These reports shall contain original photographs.

9.17 Receiving inspection for agency procured parts

In case of parts procured by an agency, receiving inspection at user’s facility shall include as a minimum :

• documentation review, • verification of parts conformance to purchase order and delivered documentation,

• external visual inspection on a sample basis.

9.18 Parts non conformances

Part Non Conformances shall be dispositioned in accordance with this plan (para 6.3) which defines the notification conditions, the classification rules (minor/major) and the applicable methodology. ECSS-Q-20-09B shall apply for NCR related to EEE parts, except that. 4.2.b.9 shall be replaced by the following requirements: NCR’s related to EEE components shall be classified as major or minor, based on their consequences on the program: MAJOR NCR Major NCR’s are those which may have an impact in the following areas:


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 70/106



a) Lot or batch rejection during manufacturing, screening or testing at the manufacturer's facilities, if the contractor proposes:

To use as is the rejected lot or batch, or To continue processing, rework or testing, although the lot or batch does not conform to

the specified requirements; b) Non-conformances detected after delivery from the EEE parts manufacturer (if the lot /

batch is used); c) Fit, Form and Function; d) Any failure during lot validation at procurement responsible level (LAT, QCI, DPA, PDA,

RVT …); e) EEE part failures in use at equipment level (manufacturing or testing). MINOR NCR Minor NCR’s are those which cannot be classified as major. Minor inconsistencies in the accompanying documentation may be classified as minor.

9.19 Problem notifications/alerts

All users and agency shall initiate and distribute any problem notifications including alerts received from external sources, regarding quality and application problems identified during all phases of the program. All users and agency shall review any problem or alert notification immediately to propose necessary corrective actions.

9.20 Handling and storage

All users and agency shall establish and implement procedures for handling and storage of parts in order to prevent possible degradation. As a minimum, the following areas shall be covered:

a. Control of environment such as temperature and humidity. b. Appropriate measures and facilities to segregate and protect parts during receiving/incoming

inspection, storage, and delivery to manufacturing. c. Control measures to ensure that electrostatic discharge susceptible parts are identified and

handled only by properly trained personnel using antistatic packaging and tools.

9.21 Traceability

Traceability during parts manufacturing and testing is covered by the procurement specifications in accordance with the relevant specifications listed in APPENDIX C. Traceability during installation shall be performed in accordance with this plan and shall be only related to manufacturing lot or date code or batch number.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 71/106



9.22 parts manufacturer's documentation requirements

As a minimum, the following documentation is required from the manufacturer for each delivery lot:

a. Certificate of Conformance verifying that all requirements of the applicable purchase orders are met.

b. Recorded values of measured parameters and calculated deltas related to serial numbers (if applicable).

c. Recorded data and documentation are not required to be supplied to the user for qualified Military class level S parts, class V parts, class K parts, JANS parts, QPL listed ER MIL passive parts, QPL listed Military specifications passive parts and ESA/ESCC qualified parts, as defined in table A1 including the required quality level.

The originals of the documentation shall be stored at the facilities of the responsible procurement and Alcatel Alenia Space and ESA must have access to these originals on request. For non-standard parts (i.e. with PAD) it is anticipated that checks will be made on this documentation at least on a sample basis.

9.23 FLOWDOWN OF REQUIREMENTS

The user shall ensure that all parts requirements are flowdown to all subcontractor levels and ensure that all subcontractors are compliant to these parts requirements.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 72/106



10. MATERIALS, MECHANICAL PARTS & PROCESSES

Each supplier shall define in his Product Assurance and Safety Plan the Materials, Parts and Processes related organisation and tasks. ECSS-Q-70B shall be applicable with the following modifications.

10.1 Technical Requirements for Selection of Materials

This section 10.1 supplements clause 5.1 of ECSS-Q-70B. . The data of ECSS-Q-70-71 shall be used preferentially for the selection of materials with a previous history of space use.

10.1.1 VACUUM

The acceptance criteria for materials used in space application (vacuum compatibility is also applicable to GSE to be installed in the chamber) shall be as follows: · Recovered Mass Loss (RML) < 1.00 % · Total Mass Loss (TML) (in case that water is a problem) < 1.00 % · Collected Volatile Condensable Material (CVCM) < 0.10 % Materials, for which no relevant outgassing data are available, or that have shown batch variability, shall be subjected to an outgassing test as per ECSS-Q-70-02. Note: It could be that more stringent requirements or more detailed material information, such as dynamic outgassing data is required in general or for specific applications (e.g. amount of material used, location).

10.1.2 FORBIDDEN MATERIALS

The use of pure tin, pure mercury, cadmium, zinc or polyvinyl chloride is prohibited. The use of these materials is also forbidden for GSE to be installed in the vacuum chambers and clean rooms.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 73/106



10.1.3 THERMAL CYCLING

Materials (incl. non-flight hardware) subject to thermal cycling shall be assessed to ensure their capability to withstand the induced thermal stresses. Materials used at cryogenic temperatures (40 K or lower) shall be qualified for the worst case conditions.

10.1.4 ATOMIC OXYGEN

The effects of atomic oxygen in the outer surfaces shall be assessed on the basis of the orbit parameters and mission duration.

10.1.5 METEORITIC/DEBRIS ENVIRONMENT

The influence of a Meteoritic/Debris Environment on the materials shall be examined on a case-by-case basis.

10.1.6 ELECTROCHEMICAL COMPATIBILITY

When bimetallic contacts are used, the choice of the pair of metallic materials used shall take into account ECSS-Q-70-71 or MSFC-Spec 250 data. Maximum allowed couple is 0.5 V in controlled and 0.25 V in uncontrolled environments (no temperature or humidity controls).

10.1.7 CORROSION

Aluminium surfaces shall be treated for corrosion protection with a chemical conversion coating if necessary. Mechanical parts made of stainless steel shall be passivated. Mechanical parts made of Titanium alloys shall be anodised.

10.1.8 STRESS CORROSION

Metallic materials used in structural applications shall have a high resistance to Stress Corrosion Cracking (SCC) and shall be chosen from Table 1 of ECSS-Q-70-36. Metallic materials and welds that are not listed in ECSS-Q-70-36 or whose SCC resistance is unknown shall be tested and categorised according to the requirements of ECSS-Q-70-37.

10.1.9 FLUID COMPATIBILITY

Materials that will be in contact with an identified fluid shall be compatible with that fluid. If compatibility data are not available, then testing shall be performed according to NASA-STD-6001.

10.1.10 UV AND PARTICLE RADIATION

Materials exposed to the sun shall comply with ECSS-Q-70-06 for UV radiation and, if applicable, or particle radiation. Materials exposed to space but not to the sun shall comply with ECSS-Q-70-06 for particle radiation; this includes transmissive optics, coatings, etc.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 74/106



10.1.11 ALLOWABLE STRESS

Allowable stresses for materials shall be derived from MIL-HDBK-5. Other sources shall be subject to approval. Composite structure allowable stresses shall conservatively allow for degradation due to moisture, temperature and process variables. The material justification shall prove hardware structural integrity during storage and on-orbit life time. Fracture sensitive materials shall be subjected to fracture control as in ECSS-E-30-01, ECSS-Q-70-36 and ECSS-Q-70-37.

10.1.12 LIMITED LIFE TIME

Materials with limited-life characteristics shall be subject to lot/ batch acceptance tests, according to ECSS-Q-70-22, when required, and shall have their date of manufacture and shelf-life expiration date marked on each lot/ batch.

10.2 Processes

This section is a supplement to clause 7 of ECSS-Q-70B. The Sub-contractor shall maximise the use of existing ESA specifications. The following specifications shall be applicable: ECSS-Q-70-08 for soldering ECSS-Q-70-18A for coaxial cable assembly ECSS-Q-70-26A for crimping ECSS-Q-70-28A for repair and modification of PCB’s PSS-01-738 for surface-mounting technology assembly Critical processes shall be identified by the Sub-contractor and reported to TAS-I through a critical process list. Any process that involves critical or catastrophic hazards shall be identified as critical.

10.3 Materials, Parts and Processes Lists

The Sub-contractor shall provide: · Declared Material List (DML) · Declared Mechanical Part List (DMPL) · Declared Process List (DPL) A breakdown of such lists and suitable examples are given in ECSS-Q-70B. The Sub-contractor shall establish a DML, DMPL and DPL in accordance with the requirements of ECSS-Q-70B, clauses 5.3, 6.3 and 7.4.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 75/106



The Sub-contractor shall prepare and submit materials, parts and processes lists in the early development phase and identify those materials, parts and processes for which insufficient data and experience is available to assure the required properties for the intended application and for which evaluation and qualification programmes need to be carried out. These lists shall be updated at least for every design review. The Sub-contractor shall issue a system level material and processes list that will integrate lists generated at lower level. The lists shall be provided in a form that is exchangeable, searchable, sortable and suitable for storage and retrieval. An acceptable format is for instance provided by the ESA DML/DPL management software controlled by the ESA Materials & Processes Division. This software is available free of charge. For stress corrosion sensitive materials the form in ECSS-Q-70-36 shall be used (not for ceramics). Ceramics and lubricants shall be declared as non-conventional.

11. SOFTWARE PRODUCT ASSURANCE

The Sub-contractor shall develop software in accordance with the tailored ECSS-Q-80B as per S1-RS-TASI-PA-0096 issue 1 and the ECSS-E-40.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 76/106



12. OFF-THE-SHELF SPACE EQUIPMENT AND SOFTWARE

Hardware and software designed and qualified for use on other space programmes shall be considered for use on the Sentinel-1 programme. To be accepted for use on the Sentinel-1 programme such items shall be demonstrated by the Sub-contractor to be suitable for the Sentinel-1 mission in all respects, including applicable Product Assurance requirements. The request to use OTS equipment shall be submitted for TAS-I approval. A justification file containing the documented evidence that the proposed item is suitable to the intended use shall be provided as part of the Qualification Status Report. Modifications to OTS equipment necessary to meet the applicable requirements, including any supplementary qualification activity, shall be minimized and reported in the justification file. For software OTS the requirements of ECSS-Q-80B, clause 6.2.7 are applicable.

13. RADIATION HARDNESS

13.1 GENERAL

The unit shall be designed to survive the space radiation environment during the Radiation Design Lifetime. The purpose of this section is to provide Space Radiation Hardness Assurance Requirements that shall be implemented during the program in order to prove that the equipment will continue to perform its function throughout its Radiation Design Life.

13.2 SCOPE

General damage mechanisms to which the satellite will be subjected include: • Total dose damage of electronics and solar arrays due to electrons and protons.

• Single event phenomena (upsets, latchups, burnouts, transients, ....) of electronics due to the cosmic ray, solar flare environments and trapped protons.

• Physical damage to external components and solar arrays due to debris and micrometeoroid environment

• Displacement damage induced by protons.

The major factors that will affect the design of the electronic systems are total dose ionization damage, single event phenomena and Displacement damages. This document presents the requirements that shall be used to ensure that the equipment will be designed to survive the radiation environment.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 77/106



13.3 SPACE RADIATION ENVIRONMENT

The Space Radiation Environment applicable for this mission is given in Applicable Document [S1-RS-TASI-PA-0084 Spacecraft radiation, meteoroids and debris environment].

13.4 TOTAL DOSE EVALUATION AND HARDNESS

The equipment unit shall be designed to account for the Total Dose Effect, during the Radiation Design Lifetime (RDL), as specified in applicable document [S1-RS-TASI-PA-0084]. The Space Radiation Hardness activities shall proceed through these non-chronological tasks:

• Parts selection, characterization and Radiation Lot Acceptance Testing

• Radiation Review at sub-contractor facility (RR)

• Deposited doses calculations

• Equipment worst case analysis (WCA)

• Corrective actions.

13.4.1 Parts selection

Parts shall be selected in order to survive the on-orbit space radiation environment for the specified mission time as well as still permitting the units in which they are installed to meet all their performance specifications. The minimum radiation hardness for parts is the Total Dose Threshold (TDT) level defined behind 15 mm of Aluminium of a Solid Sphere shielding: this Total Dose Threshold (TDT) level is 5 Krad, inclusive of a safety margin of two. The subcontractor shall justify the use of EEE parts, according to Total Dose Evaluation data to be submitted, during the Radiation Review, to TAS for validation.

13.4.2 Total dose radiation Lot Acceptance Test ( RADLAT )

13.4.2.1 Unhardened Parts

For Evaluation and RADLAT reports, the following information shall be provided: part type, Manufacturer, Technology, Isolation Layer nature, Wafer Fab and Diffusion Mask number. Otherwise, RADLAT is required. Total Dose testing shall be performed under static worst case bias conditions and submitted to TAS approval during radiation review. Due to the lot-to-lot variability in Total Dose effect, all active parts, shall be submitted to Radiation Lot Acceptance Tests (RADLAT) according to the following table:


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 78/106



MOS / BiCMOS BIPOLAR

Family Test Criteria

Test Method

Dose Rate Test Criteria

Test Method

Dose Rate Sample size

Zener Diodes 10 (1) High or Low

5

Transistors All (1) or (3) High or Low 2 (1) or (3) Low 5

Analog Ics All (1) or (3) Low (*) All (3) Low 5

Logic Ics 1 (2) or (3) Low (*) 4 (3) Low 5

ASICs, FPGA All (2) or (3) Low (*) All (3) Low 2-3

RAM, PROM, Processors

2 (2) or (3) Low (*) 6 (3) Low 2

Optoel., CCD, All (2) or (3) Low (*) All (3) Low 5 (*) For fully MOS technology devices High Dose Rate can be used. (1) MIL-STD-883C, METHOD 1019.3 (2) MIL-STD-883D, METHOD 1019.5 & 1019.6 (3) Total Dose Steady State Irradiation Test Method ESA/SCC Basic Specification” N° 22900, issue 3

Table1: Total Dose Screening Matrix

Category Test Criteria All All diffusion lot tested 1 Lot tested if flight diffusion lot number different of data diffusion lot

number and data date code older than 1 year. 2 Lot tested if flight diffusion lot number different of data diffusion lot

number and data date code older than 2 years. 4 Lot tested if flight diffusion lot number different of data diffusion lot



number and data date code older than 10 years.

Table 2: RADLAT Test Criteria

Low Dose Rate is lower or equal to 360 rad/hour (0.1 rad/sec). Silicon Nitride layer shall be avoided unless RADLAT data demonstrates an acceptable total dose behaviour. Some device technologies are inherently hard to total dose ionizing dose effects. The following classes of parts are considered as total dose insensitive:

Non Zener Diodes

Not sensitive up to 300 Krad(si)


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 79/106



GaAs Gallium Arsenide devices such as FETs and HEMTs show little parametric variation.

Std TTL Logic Extensive testing on 54XX, 54L, 54S devices show these parts to be only marginally degraded

ECL Emitter Coupled Logic devices exhibit little parametric shift out to several Mrad(si)

Microwave Devices

Step Recovery, Varactor, Schottky, Microwave Mixer and Multiplier Diodes exhibit negligible shifts

Quartz No Total Dose testing required unless in Swept technology

For these parts, deposited dose levels shall be lower than 300 Krad(si).

If not, experimental data shall be provided during the Radiation Review for review and approval.

A Radiation Review shall be held in order to validate Device Under Test bias conditions (worst case), irradiation facility and sources, test conditions, parameters to measure, dose steps, dose rate, .....

Radiation Lot Acceptance Tests (RADLAT) and/or Characterisation /Evaluation tests shall be defined during the Radiation Review, according to Evaluation Database available and Radiation Screening Matrix given in Table 1. Total Dose Irradiation Test plans will be submitted to TAS and ESA for approval, prior to testing.

13.4.2.2 Hardened Parts

All lots shall be Total Dose tested and RADLAT data shall be provided by the part manufacturer.

13.4.3 Use of Teflon

Teflon can be used, under the following conditions : • Evaluation experimental data are provided to demonstrate a sufficient hardness level • It is shielded to meet the following total dose requirements


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 80/106



13.4.4 Deposited Dose Calculation

The subcontractor shall perform an accurate deposited dose calculation on the equipment. The subcontractor is required to perform a 3D modeling of the equipment, including part case models as detector points. The subcontractor shall describe the calculation method used for these deposited doses calculations. The subcontractor will use the following preliminary simple 3D spacecraft model. The satellite structure will be modeled by an aluminum cubical box of 2 meters size. Thicknesses to take into account are as follows:

Equipment Location Mounting Surface

mm Al

Other Surfaces

mm Al

Inside 0.8 0.8

Outside 1.6 0.1

Table 3: Preliminary Satellite Radiation model

In case of mass out of specification, a more detailed ray tracing analysis at spacecraft level will be provided to the subcontractor in order to optimize the mechanical design, and deposited dose calculation shall be re-issued. Two Deposited Dose calculation methods are allowed:

• Ray Tracing: In order to carry out Solid Angle Sectoring Analysis, particle fluxes are converted into Dose Depth Curves for Solid Sphere Shielding. If necessary, Dose Depth

TOTAL DOSE ALLOWABLE MATERIALMrad

> 500 Kapton only (no Teflon)

80 - 500 Kapton, ETFE (1)

20 - 80 Unconditionally : Kapton, ETFE :Conditionally (4) : PTFE (2) & FEP (3)

< = 20 Kapton, ETFE, PTFE & FEP

(1) : ETFE Ethylene Tetra Fluoro Ethylene (DuPont Tefzel, Raychem x-linked)(2) : PTFE : Poly Tetra Fluoro Ethylene(3) : FEP Fluorinated Ethylene Propylene(4) : Use of PTFE and FEP Teflon above 20 Mrad is restricted to applications where are no mevements of the wire during trhe mission.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 81/106



Curves for other target material could be provided. This calculation method is based on the straight ahead approximation. Solid Angle Sectoring Analysis are performed taking into account the angle of incidence between the ray and the shielding (Slant Path). The Dose Depth Curve for a Solid Sphere shielding shall be applied. A minimum sectoring resolution of 800 elementary solid angles is required.

• 3D Monte Carlo: This accurate calculation method may be used, but taking into account the problem to have an accurate resolution versus the complexity of the model, the TAS approval is required before calculation.

The subcontractor shall demonstrate compliance to the following rule: Dose received by each sensitive device ≤ device hardness /2 This means that all equipment performance (including WCA) shall be demonstrated with a radiation design margin of 2.

13.4.5 Worst Case Analysis

Circuit WCA is needed to evaluate equipment susceptibility to the radiation environment. The specific details describing the objectives, methods, and requirements need to be described. WCA includes the effects of temperature, ageing, and radiation degradation. This equipment WCA is a valuable tool to identify clearly critical parts. Because there is a ‘within one lot variability’, it is necessary to use statitical tools in order to estimate the Post-Rad parameters values. This Post-Rad value, for each electrical parameter shift, shall use the 3 sigma approach :

Delta XL = <delta x > + 3 σ for increasing total dose shift

Delta XL = <delta x > - 3 σ for decreasing total dose shift. Delta XL shall be computed at the “dose received by each sensitive device * 2” (Radiation Design Margin = 2). Equipment Worst Case Analysis shall be performed according to the Evaluation Total Dose Database validated during the Radiation Review. Equipment Worst Case Analysis shall be updated according to RADLAT results, if necessary.

13.5 SINGLE EVENT PHENOMENA HARDNESS ASSURANCE

Cosmic rays, solar flares and high energy trapped protons can induce various effects, caused by the energy deposited by a high energy particle as it interacts with the sensitive portions of an electrical device. These effects are:

• Single Event Upset (SEU): SEUs are any disturbance of a circuit. The response could be a soft error (a bit flip that can be reset). This is a non destructive effect.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 82/106



• Single Event Latch-Up (SEL): This phenomenon can occur in CMOS BULK or EPI parts. It turns out that the CMOS fabrication process results in parasitic PNPN paths that are well known and have been studied for conventional radiation induced latchup. This is a destructive effect.

• Single Event Burnout (SEB): This phenomenon can occur in power MOSFET N-channel transistors. The parasitic bipolar NPN transistor is switched on, and induces a short circuit between drain and source. This is a destructive effect.

• Single Event Gate Rupture (SEGR): This phenomenon can occur in power MOSFET. This is a destructive event.

• Single Event Transient (SET): This phenomenon can occur on Linear Bipolar devices. This is a non destructive effect.

• Single Event Hard Error (SHE): This is a permanent bit flip, due to a local micro-dose deposited by the ion within the memory cell. Non-destrutive effect for the device, but permanent damage for the memory cell.

13.5.1 Non Destructive Single Event: parts selection and characterisation

For all NON Distructive Single Event phenomena, the following criteria holds:

a) if the LETth>100 MeV.cm2/mg no further actions shall be taken.

13.5.1.1 Single Event Upset

Taking into account that the SEU is a nondestructive effect, there is no requirement in terms of minimum LET threshold or maximum cross section. The subcontractor is requested to analyse the effect and the criticality of SEU for the equipment. For digital technologies, the subcontractor shall use parts with a well known SEU sensitivity in terms of LET threshold and cross section (refer to paragraph «Single Event Phenomena (SEP) Rate Calculation»). If no data is available, the subcontractor is responsible to perform a Single Event Upset test:

• An Heavy Ions testing shall be performed in order to determine the Device Cross Section versus LET response of the device,

• If the orbit is exposed to proton environment and if the Heavy Ions LET threshold is lower than 15 MeV.cm2/mg, then there are two options :

⇒ A Proton induced SEU testing shall be performed

⇒ Prediction tools (PROFIT, SIMPA, … ) can be used and shall be submitted to TAS for approval.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 83/106



The test plan covering the parts application require express approval from TAS and ESA. There is no lot-to-lot variability, there is no lot testing requirements. Data collected for ‘similar parts’ (i.e. same technology) will be acceptable.

13.5.1.2 Single Event Transient

This includes such devices as Linear integrated circuits that do not suffer logic upset as such, but may produce a large output spike that can appear as a false command. Experimental data shall be provided in order to justify the use of selected parts, and SET frequencies shall be determined. If no data exists, SET behaviour as in para. 13.5.8 can be assumed.

13.5.2 Destructive Single Event

13.5.2.1 Parts Characterisation

Heavy ion testing shall be performed in agreement with the following documents “Single Event Effects Test Method and Guidelines ESA/SCC Basic Specification” N°25100, Draft A and JEDEC Test Standard # 57, “Procedures for the Measurement of Single Event Effects in Semiconductor Devices from Heavy Ion Irradiation”, May 1996. Main characteristics are: LET values shall be calculated as follow :

• Identify the device depth of sensitive volume “d” in µm,

• calculate the deposited charge Qdep , in pC, over this depth, then 0

. LQ

LET dequ = in pC/µm

Heavy ion species and energies (range) shall be selected in order to make sure that:

• The ion range will be greater than the sensitive volume depth,

• The saturated device cross section is obtained. If not, 50% of the die surface shall be considered.

A part will be Destructive Single Event Free (SEL, SED, SEGR, etc) if no event is observed, at LETequ. > 70 MeV.cm²/mg, up to a fluence of 107 ions/cm².

13.5.3 Single Event Latchup: Part Selection

As a preferred baseline approach, only Single Event Latchup Free parts shall be used. Parts showing an LETth < 3.7 MeV.mg / cm2 shall in principle not be used Single Event Latchup sensitive parts could be used on a case by case basis and require TAS


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 84/106



and ESA approval.

13.5.4 Single Event Burnout: Part Selection

As a preferred baseline approach, only Single Event Burnout free parts shall be used. In order to prevent permanent damage, bias requirement is as follows:

o For N-Channel Power MOSFETs from International Rectifier, design requirements are:

VDS < 50 % BVDSS @ BVDSS < 200 Volts

o For VDS above 50% or BVDSS > 200 Volts or other manufacturers, Heavy Ions data shall be provided in order to demonstrate SEB free behaviour.

POWER MOSFET P-CHANNEL and BIPOLAR POWER transistors are SEB free. Single Event Burnout sensitive parts could be used on a case by case basis and require TAS and ESA approval.

13.5.5 Single Event Gate Rupture: Part Selection

As a preferred baseline approach, only Single Event Gate Rupture free parts shall be used. For Power MOSFETs from International Rectifier, design requirements are as follows: N Channel: VG > 0 Volt & P Channel : VG < 0 Volt. Single Event Gate Rupture sensitive parts could be used on a case by case basis and require TAS and ESA approval.

13.5.5.1 Single Event Hard Error ( stuck bit ): Part Selection

These hard errors are due to total dose effects from a few ions impinging on the gate oxide of sensitive transistors. Up to date, hard errors have been seen only in commercial SRAM cells as well as in DRAMs. Experimental data shall be provided in order to justify the use of selected parts.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 85/106



13.5.6 Single Event Effect Rate Calculation

For a given phenomenon, the part cosmic rays response is a curve of Device Cross Section versus LET of incident ions. Heavy Ions Induced SEE

The Heavy Ions SEE rate λhi shall be calculated for each active part. The sub-contractor shall submit its SEE rate calculation method to TAS and ESA for approval. Recommended tools are as follows: OMERE, SPENVIS & SPACE RADIATION. Protons Induced SEE

The Proton SEE rate λpr shall be calculated for each active part having an Heavy Ion SEE LET threshold lower than 15 MeV.cm

2/mg, and if the orbit is exposed to proton environment. The

sub-contractor shall submit its SEE rate calculation method to TAS and ESA for approval.

The Total SEE rate wil be λseu = λhi + λpr.

13.5.7 Single Event Upset Effects Analysis

The subcontractor is required to perform a SEU effects analysis in order to identify the SEU effects and criticality.

13.5.8 Single Event Transient Effects Analysis

The subcontractor is required to perform a SET effects analysis in order to demonstrate to determine the effects of SET on equipment performance. It is required to determine the following effects on performance:

OP-amps ΔVmax =+/- VCC & Δtmax =15 µs Comparators ΔVmax =+/- VCC & Δtmax =10 µs Voltage Regul. ΔVmax =+/- Vcc & Δtmax =10 µs Voltage Ref. ΔVmax =+/- VCC & Δtmax =10 µs PWMs Double Pulses, two missing pulses, multiple

missing pulses in a row, device shut off. For those applications, demonstrate that a SET will not produce an out of specification.

13.5.9 Destructive Single Effects Acceptance Criteria

Parts sensitive to Destructive Single Event Effects (Latchup, Gate Rupture, Burnout, Hard Errors, .....) may be used, after the following acceptance process :


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 86/106



Step 1:

• To perform an heavy ion testing in order to get the accurate device cross section vs LETequ. characterization curve

• Tests shall be performed at the application bias conditions

• The LETth is the last point for which no destructive event is observed.

Step 2: Calculate Destructive Single Event equivalent Rate λeq, taking into account experimental device cross section vs LET curve. The calculation rate method shall be submitted to TAS for approval.

Step 3 : The Destructive Single Event device application will be accepted only if : 10λλ ≤eq

where λ is the reliability failure rate of the part @ 25°C.

Step 4 : if : 10λλ >eq , then the Destructive Single Event device application will be accepted

only if there is no impact on the equipment and/or satellite reliability analysis. This reliability impact analysis will be submitted to TAS for approval.

13.6 DISPLACEMENT DAMAGES

Sentinel-1 is a polar orbit sensitive to the proton environment which can induce the displacement damage effect causing serious problems to electronic devices.

13.6.1 Environment

Both protons and electrons can induce displacement damage in semiconductor devices. The part of deposited energy involved in displacement defects creation is called NonIonizing Energy Loss (NIEL). The trapped proton flux spectrum is converted into a fluence of monoenergetic particles producing the same amount of defects (typically 1 MeV neutrons or 10 MeV protons). This correlation between different particles with different energies is based on the energetic dependency of the NIEL for the considered particles and materials. For convenience an equivalent fluence of 10 MeV protons in silicon is selected.

The hardness of the environment will be expressed as a fluence of 10 MeV(Si) equivalent protons behind aluminum spherical shields of various thicknesses (0 to 20 mm). This curve provides a lower Displacement Damage Equivalent Fluence for the mission:

Φeq.(10 Mev, Si) = DDEF p/cm² @ 10 MeV protons


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 87/106



13.6.2 Parts Selection

Parts shall survive the lower displacement equivalent proton fluence calculated for the mission. At the DDEF level to be considered for the mission, only Bipolar and Optoelectronic devices are displacement damage sensitive. For MOS devices, this effect can be ignored because the sensitivity threshold is high enough. The acceptance of the parts will be based on displacement damage test data. The data will be taken from neutron testing databases and proton test results. Equivalence between protons and neutrons can be deduced from environment specification. If no data are available, proton irradiation evaluation tests must be performed. The test plan will be submitted to TAS for approval. RADLAT testing shall be performed as follows:

Radiation Sources :

• Protons @ energy > 150 MeV

• Neutrons @ 1 Mev

Displacement Damage Test Criteria :

FAMILY TEST CRITERIA

Optronic

(CCD, Optocouplers, ....)

All diffusion lots tested

Linear Ics Lot tested if flight diffusion lot number different of data diffusion lot number and data date code older than 4 years.

Transistors Lot tested if flight diffusion lot number different of data diffusion lot number and data date code older than 10 year.

The electrical parameters drifts induced by displacement damage must be added to the Total Dose drifts in the Worst Case Analysis. These drifts shall be computed at the “dose received by each sensitive device * 2” (Radiation Design Margin = 2). All designs must account for the Displacement Damage produced by the Equivalent Fluence (DDEF), as specified in Applicable Document [S1-RS-TASI-PA-0084]. The subcontractor shall to justify the use of EEE parts, according to Displacement Damage Evaluation data. Displacement Damage Degradation Database shall be submitted, during the Radiation Review, to TAS for validation. Equipment Worst Case Analysis shall be performed using this Displacement Damage Database.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 88/106



13.7 RADIATION REVIEW

A Radiation Review shall be held, at Design Reviews time frame (PDR, EQSR, ...) in order to address the following points:

• To review total dose test reports, in order to validate the subcontractor radiation database. These data will be used for equipment circuit WCA

• To determine part types that shall be submitted to a characterization and/or a RADLAT, selected parameters to be measured and to review radiation test plan for such parts

• To review proposed packaging design approach to achieve maximum inherent shielding

• To review preliminary shielding analysis

• To review preliminary circuit design analysis

• To review SEU parts data, in order to validate the subcontractor radiation database. These data will be used for equipment SEU effects analysis

• To determine part types that shall be submitted to a Single Event Upset testing, and to review radiation test plan for such parts

• To review circuit SEU effects analysis

• To review the assessment on displacement damage on electronics if significant

• As a minimum, one Radiation Review meeting will be held at sub-contractor facility.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 89/106



Annex A - FIXED FAILURE RATE ITEMS

RF ITEMS DESCRIPTION FAILURE RATE (10-9.h-1)

Adapter 0.6

Attenuator, Coaxial/WG (fixed resistive type)* 0.6/0.15

Circulator, Coaxial/WG* 1.1/0.3

Coaxial Connector* 0.27

Coupler, Coaxial/WG* 0.8/0.3

Diplexer, Coaxial/WG* 2.1/1.3

Equaliser, Coaxial/WG* 1/0.5

Ferrite Bead 0.2

Ferrite Junction/Element 0.1

Filter, Coaxial/WG* 0.6/0.1

--(each additional section) 0.1

Hybrid (splitter/combiner) coaxial (3 way)* 1.0

--(each additional port) 0.27

Hybrid, Waveguide 0.2

Load Element 0.05

Isolator, Coaxial/WG* 1.1/0.3

RF Switch, coaxial (per port, standby)* 0.5

--and for switching 10/operation

RF Switch, waveguide (per port) 0.5

--and for waveguide, ferrite, for switching 10/operation

--and for waveguide, motor type, for switching 50/operation

Termination, coax/WG* 0.9/0.6

Waveguide Section (with flanges) 0.1

Waveguide Section, Flexible (with flanges) 1

Waveguide Tuning Screw (unstaked) 0.1

Waveguide Tuning Screw (epoxy staked) 0.01 (*): mated pair coaxial connection


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 90/106



ANNEX A - FIXED FAILURE RATE ITEMS (Cont’d)

MECHANICAL ITEMS DESCRIPTION FAILURE RATE (10-9.h-1)

Accelerometer (MECH) 50

Bearing (1 set, with low load) 10

Boom Hinge Assembly 60/cycle

Cable Tension Device 5.0

Catalyst Bed Thruster 166/cycle

Compression Spring 10

Electrothermal/Arcjet/Ion Thruster 500/cycle

Fill/Drain Valve (or Cap) 56/seal

Gear 2

Gimbal 50

Gyro (use manufacturer's data when justified) 2.000 per axis

Hinge Joint 100

Hold Down Arm 100

Hold Down Latch 100

Momentum Wheels/Reaction Wheel Assemblies 100

Motor (low speed) 100

Nozzle, Hot Gas 510/cycle

Nozzle, Cold Gas 17/cycle

Pin Puller Device 4800/cycle

Pulley 5

Resolver 100

Separation Nut/Explosive 4800/cycle

Shaft (Rotating) 2

Shear Pin Puller 50/cycle

Solenoid Valve 160/cycle

Squib 900000/cycle

Tanks, Propellant 50

Tanks and Plumbing (per inch of weld) 0.6

Thruster, operate 50/cycle

Thruster, close 60/cycle

Torsion Wire 50

Torsional Spring 10


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 91/106



ANNEX A - FIXED FAILURE RATE ITEMS (Cont’d)

OTHER ITEMS DESCRIPTION FAILURE RATE (10-9.h-1)Antenna (Reflector) 1 Antenna (Horn) 1 Antenna (Reflector Absorber) 0.5 Antenna (Feed Horn) 0.1 Antenna (Polarizer) 0.1 Antenna (OMT) 1.0 Battery cell, NiH (use test/flight data when available, 2% open/98% short)

32 for Geo orbit (Note 3)

Bolometer 100 Crystal, General Purpose Quartz 20 Fuse 0.5 Fusistor 10 Heater (all types) 5 Interconnections (solder, crimped connection, surface mounted technology, connector active pin)

0.035 (Note 1)

Magnetic Amplifier 14 Positioner Transducer 10 Slip Rings and Brushes 10/brush/slip ring contact Solar Cell (20% open, 80% short) 1 Strain Gauge (Resistance Type) 10 Thermostat 25/cycle Travelling Wave Tubes (use manufacturer's data) (Note 2) GaAs FET Use manufacturer data if

available Notes: 1. Plated through hole failure rate included in associated solders.

2. The use of any failure rate for TWT shall be justified by supporting analysis based on operational history of the specific TWT design (with 60% confidence level).

This failure rate is resulting from the application of a duty cycle equal to 90 days (eclipse periods)/year to an initial failure rate equal to 100 fit. Failure rates in the tables are given for high-rel parts.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 92/106



Appendix B :

Minimum Screening and Inspection Requirements

Minimum Screening, Customer Source Inspection and DPA requirements are listed in the Table A1. Any deviation from this table shall be identified in the PAD/NSPAR.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 93/106



Table A1 Minimum Screening and Inspection Requirements

(--) = Not Applicable

( X ) = Required (see applicable note)

( XX ) = Systematically Required for Non Qualified and Qualified Parts

CSI and DPA requirements

Ref. Part Family Applicable Screening Requirements Note 1

Note Precap Note 2

Final Notes 2, 3

DPA Note 4

Number of unit (Note)

1. Diodes (Low Frequency)

ESA/ESCC 5000 Level B

11

X

X

X

3 (18)

MIL-PRF-19500-Jan S 2. Diodes (High Frequency)


—

X

X

X

3 (18)

MIL- PRF -19500-Jan S 3. Transistors (Low Frequency)


—

X

X

X

3 (18)

MIL- PRF -19500-Jan S 4. Transistors HF (Bipolar - GaAs)

ESA/ESCC 5010 Level B 12

X

X

X

3 (18)

MIL- PRF -19500-Jan S 5. Monolithic Microwave integrated Circuits (MMICs)


X

X

X

3 (18)

(procured items, packaged devices)

MIL-PRF-38535, Class level S or class V

6. Integrated Circuits, ESA/ESCC 9000 Level B ASICs, and Memories ( Except One time programmable types)

MIL-PRF-38535, Class level S or Class V

13 13 A

X X X 3 (18)

7. FPGA and Memories ( One time Programmable)

ESA/ESCC 9000 Level B X X X 3 (18)

MIL-PRF-38535,Class Level S or QML-V +programming , post programming flow

24 Sub

Group 2

X X X 1 (24)

MIL-PRF-38535 ,Class level B or QML-Q +Upscreening ,programming and post programming flow

24 Sub

Group

1&2

X X X 1 (24)

8. Opto Couplers

ESA/ESCC 5000 Level B MIL-PRF-19500 Jan S MIL-PRF-38534 Class K

__

X

X

X

3 (18)

9. Capacitors Fixed Ceramic Dielectric Molded

ESA/ESCC 3001 Level C _ _ 3x3


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 94/106





Note Precap Note 2

Final Notes 2, 3

DPA Note 4


MIL-PRF-123 MIL-PRF-20 FRL R MIL-PRF-39014 FRL S

22

X

X

(17)

10. Capacitors Fixed Ceramic Dielectric Chips

ESA/ESCC 3009 Level C _ _ X

X

3x3 (17)

MIL-PRF-123 MIL-PRF-55681FRL R

22

11. Capacitors fixed ceramic dielectric, stacked

ESA/ESCC 3009 Level C _

_ X X 3x3

MIL-PRF-49470- level T 22 (17)

12.Capacitors Fixed Electrolyte (Solid electrolyte) Tantalum

ESA/ESCC 3002 Level C

6 A

—

X

XX

3 (18)

MIL-PRF-39003 Weibull C 13.Capacitors Fixed Electrolyte (nonsolid electrolyte) Tantalum


—

—

X

XX

3

(18) Use only MIL-PRF-39006

/22,25,30,31 “H” designated devices

14. Deleted part family 15.Capacitors Chips Fixed Tantalum

ESA/ESCC 3011 Level C ESA/ESCC 3012 Level C

6 B

—

X

XX

3 (18)

MIL-PRF-55365 Weibull C 16.Capacitors Variable (piston type and tubular trimmer)- Avoid for New Design

ESA/ESCC 3010 Level C No MIL spec applicable

7

—

X

—

— 17.Capacitors Fixed Glass Dielectric

ESA/ESCC 3004 Level C 5

—

X

—

—

MIL-PRF-23269 FRL R 18.Capacitors Fixed MICA Dielectric

ESA/ESCC 3007 Level C —

—

X

X

3X3 (17)

MIL-PRF-87164 FRL R 19.Capacitors Fixed ESA/ESCC 3006 Level C metallized plastic film Dielectric style CRH (ac and dc current)

MIL-PRF-83421 FRL R —

—

X

X

3X3 (17)

20.Capacitors Fixed Supermetallized plasticfilm Dielectric style CHS (dc current for low energy, high impedance)


—

—

X

X

3X3 (17)


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 95/106





Note Precap Note 2

Final Notes 2, 3

DPA Note 4


MIL-PRF-87217 21.Capacitors Fixed ESA/ESCC 3006 Level C 3X3 Plastic or paper dielectric style CQR (direct current)

MIL-PRF-19978 FRL.R — — X X (17)

22.Resistors Fixed ESA/ESCC 4002 Level C wire-wound accurate (RBR type)

MIL-PRF-39005 FRL R — — X — —

23.Resistors Fixed ESA/ESCC 4002 Level C wire-wound power type (RWR type)

MIL-PRF-39007 FRL R — — X — —

24.Resistors Fixed ESA/ESCC 4003 Level C Wire-wound power type chassis mounted (RER type)

MIL-PRF-39009 FRL R — — X — —

25.Resistors Fixed ESA/ESCC 4001 Level C — — X — — Film insulated (RLR type) MIL-PRF-39017 FRL R 26.Resistors Fixed ESA/ESCC 4001 Level C high precision film (RNC type except RNC 90)

MIL-PRF-55182 FRL R — — X — —

27.Resistors Fixed ESA/ESCC 4001 Level C 3X3 high precision film (RNC 90 type)

MIL-PRF-55182/9 FRL R — — X X (17)

28.Deleted Part Family 29.Resistors TC precision high voltage


—

X

—

—

GSFC - S311-P-XXX 30.Resistors network thick films


—

X

X

3X3 (17)

MIL-PRF-83401 M part number level

31.Resistors Fixed thick-film chips - Fixed thin - film chips


—

X

—

—

MIL-PRF-55342 FRL R 32.Deleted Part Family 33.Thermistors (thermally sensitive resistors)


—

X

—

—

MIL-PRF-23648 34. Deleted Part Family 35.Coils fixed molded ESA/ESCC 3201 Level C __

X

X __ __

MIL-PRF-39010 MIL-STD-981 Eq Class S


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 96/106





Note Precap Note 2

Final Notes 2, 3

DPA Note 4


36.Coils fixed Non molded

ESA/ESCC 3201 Level C _________________________ MIL-STD-981 Eq Class S

__

__

X

__

__

37.EMI filters ESA/ESCC 3008 Level B —

—

X

X

3 (18)

MIL-PRF-28861 Class S

38.Crystal units, quartz ESA/ESCC 3501 Level B 15 XX XX XX 1 (18)

MIL-PRF-3098 Class S 39.RELAYS Electromagnetic (latching and non latching relays)

ESA/ESCC 3601 Level B ESA/ESCC 3602 Level B

16

XX

XX

XX

3

MIL-PRF-39016 + SCD corresponding to FRL S

16 + 23

(18)

40.Connectors, RF coaxial

ESA/ESCC 3402 Level B — — X — —

MIL-PRF-39012 + Out-gassing SpecAmendment

41.Connectors, electrical circular and rectangular


MIL-DTL-24308 - Class M (rectangular) MIL-DTL-38999 - Classes G and H (circular) MIL-PRF-83513 - Class M

— — X — —

42.Connectors, electrical-RF filters

ESA/ESCC 3401 Level B ESA/ESCC 3405 Level B

—

—

X

X

1 (18)

MIL-DTL-24308 - Class M 43.FUSES (miniature insulated case)

ESA/ESCC 4008 Level C 9

—

X

XX

3 (18)

MIL-PRF-23419

43Bis. Fuses style FM12 MIL-PRF-23419/12 — — X XX 3 (18)

44.FUSISTORS ESA/ESCC 4008 Level C 10 — X X 3 (18)

45.Heaters ESA/ESCC 4009 Level C — — X — —

46.Thermostat (Switches


Thermostatic) MIL PRF-24236 FRL S 20 X X X (18)


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 97/106





Note Precap Note 2

Final Notes 2, 3

DPA Note 4


47.Switches Mechanical (non RF) sensitive and push snap action

ESA/ESCC 3701 Level B — — X X 3 (18)

MIL-PRF-8805 FRL S

48.Microwave passive parts (isolators and power

ESA/ESCC 3202 Level B ESA/ESCC 3404 Level B — — X — —

divider coupler coaxial) MIL-PRF-23971 49.Microwave passive parts (attenuators and loads)


MIL-A-3933 Attenuators

S Part number level

— — X — —

MIL-PRF-39030 loads S Part number level

50. Surface Acoustic ESA/ESCC 3502 Level B — X X X 1 waves filters (SAW) (18)

51.Transformers molded ESA/ESCC 3201 Level C _________________________ MIL-STD-981 Eq Class S SSQ 22676 Rev C

__

X

X

__

__

51Bis .Transformers Non molded

ESA/ESCC 3201 Level C _________________________ MIL-STD-981 Eq Class S SSQ 22676 Rev C

__

__

X

__

__

52. Procured hybrids ESA/PSS-01-608 Level B __ XX XX XX 1 MIL-PRF-38534, Class K (18)

53. Oscillator Controlled MIL-PRF-55310 Class S — XX XX XX 1 (18)

54. Cables - Wires ESA/ESCC 3901 Level B

Low Frequency MIL-W-22759 MIL-DTL-27500

19 — X — —

55. Coaxial ESA/ESCC 3902 Level B

Cables MIL-C-17 19 — X — —

56. Solar cells ESA PSS.01.604 21 — — — —


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 98/106



NOTES

1. Minimum screening requirements may be used as guidelines, variations implemented by high reliability manufacturers and documented, are allowed pending a PAD/NSPAR approval (see paragraph 9.10: Parts approval).

2. For qualified Military class level S parts, class V parts, class K parts, JANS parts, QPL listed ER MIL passive parts, QPL listed Military specifications passive parts and ESA/ESCC qualified parts, as defined in table A1 including the required quality level, the customer source inspections (precap and final source inspections) are not required. But the following exceptions (identified XX in table A1) shall be applied : for crystal units (part family 38), relays (part family 39 ), procured hybrids (part family 52) and oscillators controlled (part family 53), (in each case for qualified and non qualified parts) the precap source inspections shall be performed by the users or agency or their approved representatives (see paragraph 9.15 : procurement control).

3. Final source inspection of delivery lots will be conducted before shipment to ensure conformance with requirements of the POs, procurement specification(s) and data requirements. This source inspection shall include final acceptance test witnessing as required. It may be replaced by incoming inspection (see paragraph 9.15: Procurement control).

4. DPA shall not be required for qualified Military class level S parts, class V parts, class K parts, JANS parts, QPL listed ER MIL passive parts, QPL listed Military specifications passive parts and ESA/ESCC qualified parts, as defined in table A1 including the required quality level. But the following exceptions ( identified XX in Table A1) shall be applied : for Tantalum Capacitors (Part Family 12,13,15), crystal units (part family 38), relays (part family 39), fuses (family 43 and 43 bis) procured hybrids (part family 52) and oscillators controlled (part family 53) the DPA shall be performed, in each case for qualified and non qualified parts – (see paragraph 9.16.2 Destructive physical analysis).

5. Applicable for styles CYR51, 52 and 53 only

6A. Capacitors Fixed Electrolyte ( Solid Electrolyte ) tantalum CSS Types must be 100% Surge Current screened in accordance with MIL-PRF-39003/10B as defined in Group A inspection


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 99/106



6B. 100% Surge Current screening shall be performed for all surface mounted tantalum capacitors types in accordance with MIL-PRF-55365 issue F, § 1.2.1. • Stock parts procured with surge current test option A, no additional test is

required • Stock parts procured with no surge current test, 100% surge current test option

B is required • For new procurement, 100% surge current test, option B or option C is required

Or, 100% Surge Current screening shall be performed for all surface mounted tantalum capacitors types in accordance with ESA/ESCC 3002, § 9.22

7. Burn-in for variable capacitors is not required. Temperature cycling, vibration (only on air dielectric types) and driving torque will be performed on a 100 % basis with critical parameters verified. Air variable capacitors shall be internally inspected, cleaned and lubricated in lieu of radiographic inspection and destructive physical analysis (DPA). Parameter drift screening applies only to air dielectric type variable capacitors from pre-to post-vibration.

8. 168 hours burn in on PTC thermistors is performed at maximum power rating of part and on NTC thermistors the test is non-operating (storage).

9. Wire link fuses are forbidden for new designs. Wire link fuses shall be burned-in at 50% of the current rating of part for 168 hours minimum.

10. Fusistors shall be burned-in at 50% of the current rating of part for 168 hours minimum.

11. Parts procured as Jan S or ESA level B, from qualified manufacturers, are acceptable for flight use upon successful completion of the screening specified in the Jan S or ESA/ESCC level B screening sequence. Diodes procured to Source Control Specifications that are rated at greater than 1 Amp of current or 1 Watt of power shall be considered as power diodes. In this case, the 100 % screening sequence shall include a thermal impedance test based thermal transient method of MIL-STD-750 test method 3101 and a sample surge current test shall also be imposed.

12. MIL-PRF-19500 JANS and ESA/ESCC 5010 level B screening are used as a guideline,

variations may be used by high reliability manufacturers provided they are approved and documented.

Proposed screening shall be agreed during the PAD/NSPAR approval process.

• For small signal GaAs FETS see paragraph 9.9.3.3.1. • For power GaAs FETS see paragraph 9.9.3.3.2.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 100/106



13. ASIC - Additional qualification Conformance Testing or lot Acceptance Testing (LAT) may be required for parts of these type categories as defined in section 9.9.3.2.

13A For EEPROMs, data retention tests with the appropriate electrical charge (ie "0" or

"1") shall be performed under the following conditions :

• 12 hrs at +150°C (100% of the devices - devices programmed with ~97% of “0”s)

• Static burn during 72 hrs at +125°C, + dynamic burn during 240 hrs at +125°C (100% of the devices - devices programmed with ~97% of “0”s)

14. For MMIC procured items packaged devices ESA/ESCC 9010 or MIL-PRF-38535 may be used as a guideline. Proposed screening shall be agreed during the PAD/NSPAR approval process.

15. For crystals units, the raw materials must be cultured premium Q swept for high

stability application.

For crystals units, the temperature and duration of the aging test shall be adequate to demonstrate and document that the frequency stability of the crystal meets the program life requirements. The demonstration of the frequency stability of the crystal may be documented by the use of an equation of the form f (t) = A (ln(Bt+1)) + fo.

Where f (t) is the frequency of the crystal unit t days after the start of the aging cycle, and A, B and fo are constants to be determined from the least square fit. The calculated frequency fo is the beginning of the aging cycle.

16. Recent successfully life test data (<12 months) shall be available or lot acceptance testing (life test) shall be performed on relays to show that the devices pass a minimum of 100 000 cycles 125°C operational test at the maximum rated voltage and current.

17. 3 values (lowest-middle-highest values) by lot/date code or periodically in order

to verify processes stability. 18. By lot/date code.

19. If the silver thickness is less than 2 μm a corrosion test shall be performed to determine the suitability of silver plated wire/cable materials. Proposed test shall be agreed during the PAD/NSPAR approval process.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 101/106



20. Thermostats procured in accordance with MIL-PRF-24236 shall be considered as non qualified parts. In this case, PAD/NSPAR and CSI shall be mandatory.

- For each purchase order the primary elements shall be from the same manufacturing lot and only one sealing lot shall be required.

- Successfully life test data (< 36 months), endurance test 100.000 cycles with voltage/current conditions covering the application shall be available. If not, the endurance test 100.000 cycles with voltage /current conditions covering the application shall be performed on 6 sample units.

In this case, DPA shall be only performed after endurance test on 3 sample units out of the 6 sample units.

21. For solar cells, the following information shall be delivered with the certificate of

compliance :

• Electrical grading

• quantity of solar cells assemblies for which ISC>ISC minimum at Vtest (test voltage) [ISC = current short circuit]

22. Multi-layer Ceramic Capacitors procured with MIL–PRF Spec shall be submitted to

LAT or QCI testing including Steady State Low Voltage Test according to MIL-PRF-123 , Group B, Subgroup 2 (85Rh/85°C)

23. Procurement of Relays ( in particular TO5 Types ) according to MIL-PRF-39016 only

is not allowed. For Latching and Non Latching Types , a spec Amendment shall include : Millipore Cleaning, Random Vibration , 2500 Miss-Test Cycles. In addition, for Latching types ,100% neutral screening test is required.

24. Applicable flow for One time programmable devices.


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 102/106



N° TEST CONDITIONS SAMPLING

PLAN REMARKS

Sub grp 1 1 Serialization 100% Note A 2 External Visual Inspection MIL-STD-883 method 2009 100% Note C 3 Temperature Cycling MIL-STD-883 method 1010

test condition C 100% Note A and Note C

4 PIND Test MIL-STD-883 method 2020 cond. A

100% Note A and Note C

5 Radiographic MIL-STD-883 method 2012 100% Note A and Note C

6 Seal, Fine and Gross MIL-STD-883 method 1014 100% Note A and Note C

7 DPA 1 part minimum

Sub grp 2 8 Virginity Test 100% if applicable

9 Programming 100% Note B

10 Checksum Control 100%

11 Electrical Measurements, static, dynamic and functional

Ta = +25°C Ta = -55°C, +125°C

100%

100%

Read and Record Go-no-Go

12 Burn-In Ta = +125°C, 168h min 100% Dynamic bias


Ta = +25°C 100% Read and Record

14 Drift calculation (@ +25°C) 100%


Ta = -55°C and +125°C 100% Go-no-Go

16 Percentage Defective calculation

Rejects on tests 13 and 14, PDA = 5% (*)

Whole lot (*) Rounded upwards to the nearest whole number

17 External Visual Inspection MIL-STD-883 method 2009 100% Note C

Note A : Not to be performed if already performed by the manufacturer during initial screening Note B : Only one programming run is allowed for each part Note C: Use of an alternate procedure is allowed pending prior approval from Alcatel Alenia Space


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 103/106



14. QUALITY ASSURANCE FOR GROUND SUPPORT EQUIPMENT (GSE)

14.1 Design, Configuration, Production and Test

Quality assurance activities shall be performed according to ECSS-Q-20B, Annex A; in particular the following requirements shall be met: - Safety provisions including assurance that the flight hardware shall not be exposed to potentially hazardous

conditions during handling or testing (section 8; § 8.5) - Reliability of the interface to the flight hardware by FMECA (section 7; § 7.2 and § 7.6) - Configuration Control according to ECSS-Q-20B, Annex A3 - Non-conformance control according to ECSS-Q-20-09B - Identification/Marking according to section 6; § 6.9. - Parts for GSE and other non-flight parts which interface with flight hardware during assembly and test shall be selected and procured at a standard compatible with flight hardware, i.e. at the same level as those for EM, as minimum. Savers for connectors shall be used to ensure that the flight hardware integrity is not degraded. - Mechanical parts and materials of GSE and other non-flight parts and materials which interface with flight hardware during assembly and test shall be selected and procured to a standard compatible with flight hardware and shall respect the requirements recalled in section 10. Material like cleaning agents shall be subjected to compatibility evaluation and/or test, in order to assure that their use does not degrade the flight hardware performances. - Software Quality Assurance according to section 10

14.2 Acceptance Data Package (ADP) and Manuals

Acceptance Data Packages, in similar format to those requested for Flight H/W, shall be provided complete of Certificate of Conformity to all contractual requirements and associated specifications including CE Certifications. For acceptance review of deliverable GSE, one copy of ADP shall always accompany the hardware and updated when necessary due to recalibration , reworking, maintenance. ADP's are to be maintained and to be integrated into higher level ADP's during Subsystem/System integration and testing. The GSE ADP content is included in the table 14.3.1 here below unless other specific items are requested by the applicable EGSE/MGSE specification or SOW (business agreement):


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 104/106



Section Content Description

1 Shipping Documents All documentation of packing ,shipment, inspection including external packing list of deliverable items

2 DRB Minutes of Meeting Document which report the status of the delivery documentation, hardware end action outstanding if any

3 Certificate of Conformity MGSE Item definition and Declaration of conformance with the TAS-I documentation: Contract Nr., Technical Specification, CE and proof loads certification

4 CIDL including SW CIDL (if any) Configuration item data list and software

5 Drawings package Assembly drawings with evidenced dimension information, quotes and accuracies of all MGSE item interfaces, envelope, dismountable parts, maintenance accesses and instruction. Part list complete of id. number, commercial information, part number, materials and treatments, standard UNI-ISO. Manufacturing drawings of not-standard built parts, complete of quotes and accuracies/tolerances. All drawings are required in sheet and also in AutoCAD file format.

6 Request for Waiver list & copy If any

7 NCR list and copy of Major Non conformance Report (if any)

8 Interface FMECA & Hazard Analyses

For EGSE that interface with onboard flight hardware

9 Design Report Structural Computation with numerical evaluation of the minimum MoS (See Tech. Spec. Section 3) in all structural parts. Computation method shall be evidenced with theoretical formulations and methods. In case of FEM, the model file is required to be provided to TASI in NASTRAN format. WHERE APPLICABLE: Dynamic Analysis and results (FEM required also in NASTRAN file format)

10 MGSE Component list Detailed list of MGSE components and number for each item set provvision, spare parts list

11 Materials and Standard Equipment Certification

Required certification of adopted materials, performed threatments, and standard equipment, with warrantee, technical specifications, nominal performances.

12 NDI Certification Certification of NDI controls performed during MGSE manufactoring, complete of results, photos, etc.

13 Acceptance Documentation Acceptance Test Procedure with the definiton of test phases, set-up and instrumentation Acceptance Test report with results table, expected and effective numerical values, validation signatures, etc.

14 Operations and Maintenance Manual

MGSE operating and storage instructions and procedures, recommendations and warnings, warranty limitations in case of misuse, etc. Maintenance instructions and schedule for complete MGSE item and for each standard equipment listed in section 11.

Table 14.3.1: GSE ADP Required Content


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 105/106



Distribution List Name Q.ty Name Q.ty ESA 1* * Distribution via FTP


DATE :

S1-RS-TASI-PA-0059 12-09-2007

ISSUE : 5 Page : 106/106



END OF DOCUMENT