Format: PDF, Pages: 107, Size: 1.44 MB, Resource ID: 1017416
REG GSFC-STD-1000 REV F-2013 Rules for the Design Development Verification and Operation of Flight Systems.pdf

GODDARD TECHNICAL STANDARD GSFC-STD-1000F
Goddard Space Flight Center, Greenbelt, MD 20771
Approved: 2/8/2013 - With Administrative Changes
Expiration Date: 2/8/2018
Superseding GSFC-STD-1000E

Goddard Space Flight Center Rules for the Design, Development, Verification, and Operation of Flight Systems

Provided by IHS. Not for Resale. No reproduction or networking permitted without license from IHS.

Goddard Space Flight Center Rules for the Design, Development, and Operation of Flight Systems, GSFC-STD-1000 Revision F

Approved. Original Signed by: Chief Engineer, Goddard Space Flight Center
Original Signed by: Director of Applied Engineering and Technology, Goddard Space Flight Center
Original Signed by: Director of Flight Projects, Goddard Space Flight Center
Original Signed by: Director of Safety and Mission Assurance, Goddard Space Flight Center

Table of Contents
Introduction 5
Figure 1: NASA/GSFC Processes and Rules Hierarchy 7
Figure 2: Goddard Open Learning Design (G.O.L.D) Standard Architecture 8
Figure 3: GSFC Project Lifecycle 9
Figure 4: Users Guide 10
GSFC Rules
1.0 Systems Engineering
1.01 Reserved
1.02 Reserved
1.03 Reserved
1.04 Reserved
1.05 Single Point Failures 11
1.06 Resource Margins 12
Table 1.06-1 Technical Resource Margins 13
1.07 End-to-End GN

[...] power-up of major components or subsystems; deployment of mechanisms and/or mission-critical appendages; and all planned propulsive maneuvers required to establish mission orbit and/or achieve safe attitude. After separation from the launch vehicle, continuous command coverage shall be maintained during all following mission-critical events.
Rationale: With continuous telemetry and command capability, operators can prevent anomalous events from propagating to mission loss. Also, flight data will be available for anomaly investigations.
Phase: A A B C D E F (one entry per phase column, left to right)
Activities:
- 1. Identify and document potential mission-critical events in concept of operations. 2. Identify and document in concept of operations all potential needs for communications coverage, such as TDRSS or backup ground stations.
- 1. Update concept of operations. 2. Identify requirements for critical event coverage in ground system design.
- 1. Address and document coverage of mission critical events in draft of Mission Operations Concept. 2. Address critical event coverage in requirements for ground system design.
- 1. In Operation Plan, identify telemetry and command coverage for all mission-critical events.
- 1. Update Operations Plan. 2. Address telemetry and command coverage of critical events in Operations Procedures.
- 1. Perform critical events with telemetry and command capability.
- N/A
Verification:
- 1. Verify or present exceptions at MCR.
- 1. Verify or present exceptions at MDR.
- 1. Verify or present exceptions at PDR.
- 1. Verify or present exceptions at CDR.
- 1. Verify or present exceptions at ORR.
- 1. Verify telemetry capability for events not excepted in Phase D during mission operations.
- N/A
Revision Status: Rev. F
Owner: Mission Systems Engineering Branch (599)
Reference:

1.17 Safe Hold Mode
Systems Engineering Rule: All spacecraft shall have a power-positive control mode (Safe Hold) to be entered in spacecraft emergencies. Safe Hold Mode shall have the following characteristics: (1) its safety shall not be compromised by the same credible fault that led to Safe Hold activation; (2) it shall be as simple as practical, employing the minimum hardware set required to maintain a safe attitude; and (3) it shall require minimal ground intervention for safe operation.
Rationale: Safe Hold Mode should behave very predictably while minimizing its demands on the rest of the spacecraft. This facilitates the survival, diagnosis, and recovery of the larger system. Complexity typically reduces the robustness of Safe Hold, since it increases the risk of failure due to existing spacecraft faults or unpredictable controller behavior.
Phase: A A B C D E F (one entry per phase column, left to right)
Activities:
- 1. Ensure that requirements document and operations concept include Safe Hold Mode.
- 1. Ensure that requirements document and operations concept include Safe Hold Mode.
- 1. Identify hardware [...]

[...] heating of catalyst bed in air; firing of thrusters after loading propellant) can result in injury to personnel or damage to components.
Phase: A A B C D E F (one entry per phase column, left to right)
Activities:
- N/A
- N/A
- 1. Present design and/or operational plan that preclude unplanned operation of propulsion system components.
- 1. Present detailed design of electrical disconnect and/or set of restrictive commands to preclude unplanned operation of propulsion system components.
- 1. Demonstrate the effectiveness of the disconnect and/or set of restrictive commands by test.
- N/A
- N/A
Verification:
- N/A
- N/A
- 1. Verify at PDR.
- 1. Verify at CDR.
- 1. Verify at PER.
- N/A
- N/A
Revision Status: Rev. E
Owner: Propulsion Branch (597)
Reference: Propulsion Handbook

1.25 Redundant Systems
Systems Engineering Rule: When redundant systems or functions are implemented for risk mitigation, the redundant components, or functional command paths, shall be independent, such that the failure of one component or command path does not affect the other component or command path. Critical single point failures due to electrical, thermal, mechanical and functional dependencies should be documented.
Rationale: While redundancy can greatly enhance system reliability and confidence, it also incorporates added complexity to the overall design. Design considerations must take into account the complexity that is added by redundant components, in order to mitigate potential negative effects upon the overall system reliability.
Phase: A A B C D E F (one entry per phase column, left to right)
Activities:
- 1. Complete applicability assessment.
- 1. Reassess and update applicability. 2. Complete initial compliance assessment, based upon applicability.
- 1. Reassess compliance. 2. Ensure flow-down traceability to appropriate sub-system in draft technical requirements and Design-To specifications. 3. Define verification approach.
- 1. Reassess compliance. 2. Ensure flow-down traceability to appropriate sub-system in technical requirements and Design-To specification baselines. 3. Update verification approach.
- 1. Reassess compliance. 2. Perform verification activity.
- N/A
- N/A
Verification:
- 1. Verify at MCR.
- 1. Verify at SRR, MDR, and PNAR.
- 1. Verify at PDR and NAR.
- 1. Verify at CDR and SIR.
- 1. Verify at ORR, SMSR, and FRR.
- N/A
- N/A
Revision Status: Rev. F
Owner: Mission Systems Engineering Branch (599)
Reference: Fault Management PG

1.26 Safety Inhibits & Fault Tolerance
Systems Engineering Rule: The external leakage of hazardous propellant is a Catastrophic Hazard, and requires three independent inhibits to prevent it. Dynamic seals (e.g., solenoid valves) shall be independently verified as close to propellant loading as possible. Static seals (i.e., crush gaskets, o-rings, etc.) are recognized as non-verifiable at the system level. The integrity of these seals shall be controlled by process or procedures consistent with industry standards. Components where fault tolerance is not credible or practical (e.g., tanks, lines, etc.) shall use design for minimum risk instead.
Rationale: Adequate control of safety hazards is necessary in order to develop safe hardware and operations. Verification of independence of inhibits is necessary to preclude propagation of failure in safety inhibits that can result in critical or catastrophic threats to personnel, facility, and hardware. The internal volume between redundant inhibits (seals) shall be limited to the minimal practical volume and designed to limit the external leakage in the event of failures.
Phase: A A B C D E F (one entry per phase column, left to right)
Activities:
- N/A
- N/A
- 1. Identify proposed design inhibits that preclude hazardous condition and document in preliminary hazard analysis. 2. Present compliance with range safety requirements, including fault tolerance to hazardous events. Document in subsystem design and initial MSPSP.
- 1. Demonstrate by analysis or component test that A) failure in selected inhibit will not cause failure of the other inhibits, or B) that no single event or software command can open multiple inhibits. 2. Provide implementation details of the fault tolerance requirements of propulsion system. Document in subsystem design and Intermediate MSPSP.
- 1. Demonstrate by analysis or component test that A) failure in selected inhibit will not cause failure of the other inhibits, or B) that no single event or software command can open multiple inhibits. 2. Provide hazard control verification details addressing fault tolerance of propulsion system. Document in subsystem design and Final MSPSP.
- N/A
- N/A
Verification:
- N/A
- N/A
- 1. Verify at PDR and in Preliminary MSPSP/Safety Data Package.
- 1. Verify at CDR and in Intermediate MSPSP/Safety Data Package.
- 1. Verify in Final MSPSP Safety Data Package.
- N/A
- N/A
Revision Status: Rev. F
Owner: System Safety Branch (321) & Propulsion Branch (597)
Reference: Fault Management PG

1.27 Propulsion System Overtemp Fuse
Systems Engineering Rule: Flight fuses for wetted propulsion system components shall be selected such that overheating of propellant will not occur at the maximum current limit rating of the flight fuse. (Note: See also rule 2.06 "System Fusing Architecture.")
Rationale: Propulsion components such as pressure transducers normally draw very low current, and therefore their fuses are usually oversized. In such cases it may be possible for a malfunctioning component to overheat significantly without exceeding the rating of the fuse. Exceeding temperature limits of propellant can result in mission failure or critical/catastrophic hazard to personnel and facility.
Phase: A A B C D E F (one entry per phase column, left to right)
Activities:
- N/A
- N/A
- 1. Present fusing plan for wetted propulsion system components.
- 1. Demonstrate by analysis that wetted components will not exceed maximum allowable temperature of propellant at the maximum current limit rating for the flight fuse.
- 1. Verify by inspection of QA records that the correct flight fuse has been installed.
- N/A
- N/A
Verification:
- N/A
- N/A
- 1. Verify at PDR.
- 1. Verify at CDR.
- 1. Verify at PER or PSR.
- N/A
- N/A
Revision Status: Rev. E
Owner: Propulsion Branch (597)
Reference: Propulsion Handbook, EEE-INST-002
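The independence demanded by rule 1.25 (redundant command paths that no single failure affects) and rule 1.26 (three inhibits against a Catastrophic Hazard, where no single inhibit failure, event or software command defeats more than one) can be checked mechanically once each inhibit is tabulated with the single events that defeat it. The following is an added example, not code from GSFC-STD-1000 or from any GSFC project: it models inhibits as a small dependency graph, reports shared single causes (rule 1.26 B) and failure propagation between inhibits (rule 1.26 A), and computes the minimal number of independent events that defeats the whole control set. The valve names, fault events and commands are constructed for illustration.

```python
"""Single-cause independence check for hazard inhibits and redundant paths.

Added example (not part of GSFC-STD-1000). Each inhibit lists the single
events (hardware faults, software commands) that open or defeat it, plus any
other inhibit whose failure also defeats it. All names are constructed.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Inhibit:
    """One inhibit (or one redundant command path) in a hazard control set."""
    name: str
    # single events (hardware faults or software commands) that defeat it
    defeated_by: frozenset
    # names of other inhibits whose failure also defeats this one
    depends_on: frozenset = frozenset()


def shared_causes(inhibits):
    """Pairs of inhibits that one event or command would defeat together.
    Any hit violates rule 1.26 B (no single event or software command opens
    multiple inhibits) and the independence required by rule 1.25."""
    hits = []
    for a, b in combinations(inhibits, 2):
        common = a.defeated_by & b.defeated_by
        if common:
            hits.append((a.name, b.name, tuple(sorted(common))))
    return hits


def propagation_faults(inhibits):
    """(failed, also_fails) pairs where one inhibit's failure defeats another.
    Any hit violates rule 1.26 A (failure in a selected inhibit must not cause
    failure of the other inhibits)."""
    names = {i.name for i in inhibits}
    return sorted((d, i.name) for i in inhibits for d in i.depends_on if d in names)


def defeated_set(inhibits, events):
    """Inhibits defeated by the given events, including failures that
    propagate through depends_on links until nothing more changes."""
    down = {i.name for i in inhibits if i.defeated_by & events}
    changed = True
    while changed:
        changed = False
        for i in inhibits:
            if i.name not in down and i.depends_on & down:
                down.add(i.name)
                changed = True
    return down


def min_events_to_defeat_all(inhibits):
    """Smallest number of single events that defeats every inhibit (the size
    of the minimal cut set). None if some inhibit cannot be defeated at all."""
    events = sorted(set().union(*(i.defeated_by for i in inhibits)))
    names = {i.name for i in inhibits}
    for k in range(1, len(events) + 1):
        for combo in combinations(events, k):
            if defeated_set(inhibits, frozenset(combo)) == names:
                return k
    return None


def assess(inhibits, required=3):
    """Compliance summary for one hazard. `required` is the number of
    independent inhibits the hazard class demands (three for external
    propellant leakage, a Catastrophic Hazard under rule 1.26)."""
    shared = shared_causes(inhibits)
    prop = propagation_faults(inhibits)
    cut = min_events_to_defeat_all(inhibits)
    return {
        "inhibits": len(inhibits),
        "shared_causes": shared,
        "propagation_faults": prop,
        "min_cut": cut,
        "compliant": (len(inhibits) >= required and not shared and not prop
                      and (cut is None or cut >= required)),
    }


# Constructed example: three seals in series between a propellant tank and
# the outside, each defeated only by its own faults or commands.
COMPLIANT = [
    Inhibit("latch_valve", frozenset({"cmd_open_latch", "latch_coil_short"})),
    Inhibit("pyro_valve", frozenset({"cmd_fire_pyro"})),
    Inhibit("thruster_solenoid", frozenset({"cmd_open_solenoid", "solenoid_stuck_open"})),
]

# Constructed non-compliant variant: one "open all" command defeats two
# inhibits, and the pyro valve is defeated when the latch valve fails.
NONCOMPLIANT = [
    Inhibit("latch_valve", frozenset({"cmd_open_all", "latch_coil_short"})),
    Inhibit("pyro_valve", frozenset({"cmd_fire_pyro"}), depends_on=frozenset({"latch_valve"})),
    Inhibit("thruster_solenoid", frozenset({"cmd_open_all", "solenoid_stuck_open"})),
]

if __name__ == "__main__":
    for label, design in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(label, assess(design))
```

The minimal cut size is the figure a reviewer at CDR would want alongside the pairwise findings: a design can have three inhibits and no pairwise shared command yet still fall to two events if propagation links chain them, and the brute-force search over event subsets catches that. The search is exponential in the number of distinct events, which is fine for the handful of inhibits a single hazard carries but would need a proper minimal-cut-set algorithm for a full fault tree.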
