s2 1005 pathfinder issue page 1 of - european space...

I

LlSA Pathfinder

CI CODE: 1240000

S2 ASU RS 1005 Issue 05

of 58

UK Export Control Rating: Not Listed Rated by: G. Adams

Prepared by:

Checked by:

Approved by:

Authorised by:

G. Adarns - LISA Pathfinder PA Manager

N. Dunbar - LPF Engineering Manager

A.G. Jones -‘LPF Industrial Manager

Date:

Date:

Date:

Date: .~~~~~~~~~~ ~ ............... ~~~ .....................................

~ ~~

M. Backler - LlSA Pathfinder Project Manager

0 EADS Astrium Limited 2W5 3G 4

EADS Astrium Ltd owns the copyright of this document which is supplied in confidence and which shall not be used for any purpose other than that for which it is supplied and shall not in whole or in part be reproduced, copied, or communicated to any person without written permission from the owner.

EADS Astrium Limited, Registered in England 8 Wales No. 2449259. Registered Office: Gunnels Wood Road, Stevenage, Hertfordshire, SGI 2AS, England

WILSON_R

LISA Pathfinder S2.ASU.RS.1005

Issue: 05 of 58


01x00384.doc

Intentionally blank


Issue: 05 of 58


01x00384.doc

TABLE OF CONTENTS

1 GENERAL 8 1.1 Scope 8 1.2 Applicability 8 1.3 Applicable Documents 8 1.4 Reference Documents 11 1.5 Document Hierarchy 11

2 PRODUCT ASSURANCE 12 2.1 General 12 2.2 Right of Access 12 2.3 Participation 12 2.4 Qualification Status List (QSL) 12 2.5 Critical Item List 13 2.6 Ranking of Critical Items 13 2.7 Risks Management 13 2.8 Receiving Inspection 13 2.9 Reporting 14 2.10 PA databases 14 2.11 Lower Tier Sub-Contractor Management 14 2.12 Deviations and Waivers 14

2.12.1 Deviations 14 2.12.2 Waivers 15

2.13 Review Definitions 15 2.13.1 Preliminary Design Review (PDR) 15 2.13.2 Critical Design Review (CDR) 15 2.13.3 Equipment Qualification & Suitability Review (EQSR) 15 2.13.4 Manufacturing Readiness Review (MRR) 15 2.13.5 Test Readiness Review (TRR) 16 2.13.6 Test Review Board (TRB) 16 2.13.7 Qualification Review (QR) 16 2.13.8 Material Review Board (MRB) 16 2.13.9 Delivery Review Board (DRB) 16

3 QUALITY ASSURANCE 17 3.1 PA Programme Audits 17 3.2 Manufacturing Flow Chart and Mandatory / Key Inspection Points (KIP’s & MIP’s) 17 3.3 Inspections 17 3.4 Connector Savers, Temporary Installations & Removals 17 3.5 Logbooks 18 3.6 Manufacturing assembly and Integration Records 18


Issue: 05 of 58


01x00384.doc

3.7 Non-Conformance Control 18 3.8 Contamination and Cleanliness Control 18 3.9 Production 19

3.9.1 Pyrotechnic Initiators 19 3.10 Metrology, Calibration and Tooling Control 19 3.11 Test Reviews 19

3.11.1 Test Readiness Review 20 3.11.2 Test Review Board 20

3.12 Test reports 20 3.13 Acceptance and Delivery 20 3.14 Packaging, Marking, Labelling and Handling 21 3.15 Transportation and Shipping Control 22

4 RELIABILITY / DEPENDABILITY 23 4.1 General 23 4.2 Consequence Severity Categories: 23

4.2.1 Sub-System Level: Consequence Severity Categories 23 4.2.2 Unit Level: Consequence Severity Categories 23

4.3 Failure Tolerance 23 4.4 Failure Propagation 24 4.5 Failure Modes, Effects and Criticality Analysis (FMECA) 24

4.5.1 Hardware / Software Interaction Analysis (HSIA) 24 4.5.2 Worst Case Analysis 24 4.5.3 Part Stress Analysis 24 4.5.4 Maintainability Assessment: 25 4.5.5 Dependability Critical Items 25

5 SAFETY 26 5.1 General 26 5.2 Safety Risk Management 26 5.3 Safety Documentation Review and Maintenance 26 5.4 Deviations and Waivers Affecting Safety 26 5.5 Safety Design Principles 27

5.5.1 Design Selection 27 5.5.2 Hazard Reduction Precedence 27 5.5.3 Environmental Compatibility 28 5.5.4 Hazard Detection – Signalling and Safing 28 5.5.5 Fail-safe design 28 5.5.6 Safe Without Services 28

5.6 Safety Risk Reduction and Control 28 5.6.1 Severity 28 5.6.2 Multiple Failures 29 5.6.3 Redundancy Management and Separation 29 5.6.4 Failure Propagation 29 5.6.5 Design to minimum risk 29

5.7 Safety Analysis Requirements and Techniques 29 5.7.1 Safety Analyses 29 5.7.2 Safety Critical Items 30


Issue: 05 of 58


01x00384.doc

5.7.3 Qualification of Safety Critical Functions 30 5.7.4 Safety Risk Assessment 30

5.8 GSE Requirements 30

6 EEE COMPONENTS 31 6.1 General 31

6.1.1 Purpose 31 6.1.2 Applicability 31

6.2 Procurement Control 31 6.3 Declared Components List (DCL) 31 6.4 Modification to AD 5 31

6.4.1 EEE Screening Levels 34 6.4.2 Radiation Sensitive Components 35

6.5 Additions to AD 5 35 6.5.1 ON/OFF cycling 35

6.5.1.1 Definition of the two ON/OFF cycling modes 35 6.5.1.2 Estimate of temperature variations 35

6.5.2 Final source inspection (final CSI) 36 6.5.3 Mounting of Electrical Component parts 36

7 MATERIALS, MECHANICAL PARTS AND PROCESSES 37 7.1 Organisation 37 7.2 Criticality Analysis 37

7.2.1 Critical Materials 37 7.2.2 Critical Mechanical Part 37 7.2.3 Critical Processes 37

7.3 Technical Requirements for the Selection of Materials 38 7.3.1 Vacuum 38 7.3.2 Restricted Materials 39

7.3.2.1 Magnetic Materials 39 7.3.3 Thermal cycling 39 7.3.4 Atomic Oxygen (ATOX) 39 7.3.5 Meteoritic/Debris Environment 39 7.3.6 Electrochemical Compatibility 40 7.3.7 Corrosion 40 7.3.8 Stress Corrosion 40 7.3.9 Fluid Compatibility 40 7.3.10 UV Radiation 40 7.3.11 Allowable Stress 40 7.3.12 Limited Life Time 41 7.3.13 Electrostatic Discharge Protection 41 7.3.14 Hydrogen Embrittlement 41

7.4 Materials and Mechanical Parts Procurement 41 7.4.1 Materials and Mechanical Parts for Structural Applications 41 7.4.2 Materials and Mechanical Parts for Non-Structural Applications 42 7.4.3 Films and Tapes 42 7.4.4 Procurement of Materials with Limited Shelf Life 42 7.4.5 Procurement of Printed Circuit Boards 42

7.5 Mechanical Parts 43 7.6 Processes 43 7.7 Traceability 43


Issue: 05 of 58


01x00384.doc

7.8 Materials and Process Review 44 7.9 Proprietary Materials, Parts and Processes 44 7.10 Configuration Management 44 7.11 Materials, Parts and Processes List 45

8 SOFTWARE PRODUCT ASSURANCE 46

9 CONFIGURATION AND DOCUMENT MANAGEMENT (CADM) 46

10 GROUND SUPPORT EQUIPMENT (GSE) – EGSE & MGSE 47 10.1 GSE Product Assurance 47 10.2 GSE Quality Assurance 47 10.3 GSE Materials Control 47 10.4 GSE Dependability 47 10.5 GSE EEE Parts 47 10.6 GSE Configuration Management 48

11 PRODUCT LIABILITY 48

12 PRODUCT ASSURANCE DOCUMENT REQUIREMENTS 49 12.1 Sub-Contractor PA plan 49 12.2 End Item Data Pack 49

12.2.1 General 49 12.2.2 Content 49

13 ANNEX 51 13.1 Request For Waiver Form 52 13.2 Parts Approval Document (PAD) 53

13.2.1 Page 1 of PAD 53 13.2.2 Page 2 of PAD 54 13.2.3 Guidance Notes for PAD 55

13.3 Format for ALL Compliance Matrices 56


Issue: 05 of 58


01x00384.doc

Intentionally blank


Issue: 05 of 58


01x00384.doc

1 GENERAL

1.1 Scope

This specification defines the Sub-Contractors Product Assurance requirements and disciplines necessary for its implementation. All products (equipment, software or services) procured in the frame of LISA Pathfinder are required to conform to these Product Assurance Requirements. The requirements are based on the ECSS series of documents, or in ESA specific documents as the PSS series when no equivalent ECSS is available. This specification defines the applicability of the various PA fields; furthermore, it amends the applicable documents where necessary to address specific issues for LISA Pathfinder. Sub-Contractors shall impose these requirements upon their lower tier sub-contractors and suppliers as appropriate to the procured item. The prime objectives of the PA requirements are the following:

�� To establish and demonstrate confidence in the design �� To assure the safety of the system and its operations �� To have a uniform approach to Product Assurance across the programme �� To ensure delivery of compliant product and assure that LISA Pathfinder will accomplish its

mission objectives 1.2 Applicability

These requirements are applicable to: �� All delivered H/W and S/W models of the product �� Element of the GSE which interface directly with flight hardware (e.g. connectors, cooling

devices…) or which can have an impact on safety (e.g. EGSE, lifting devices) The requirements defined here are applicable to the LISA Pathfinder project phases B & C/D. If specific requirements are considered as non-applicable, impracticable or inefficient for implementation, the Sub-Contractor may propose alternative procedures to achieve the same objectives. These procedures are subject to approval by Astrium on a case-by-case basis. As part of their Proposal, each competing Sub-Contractor shall submit a configured and issue controlled Compliance Matrix against this, and any other LISA Pathfinder, Requirement Specification; the matrix issued as part of the proposal shall constitute the baseline for future negotiation. All Compliance Matrices shall be in the format, with the notation, defined in section 13.3. 1.3 Applicable Documents

The following documents (at the latest issue at contract signature, unless otherwise specified) shall be applicable to the extent and with the modifications specified in this document.

AD 1 ECSS-Q-00A Space Product Assurance: Policy and principles

AD 2 ECSS-Q-20B Space Product Assurance: Quality Assurance

AD 3 ECSS-Q-30B Space Product Assurance: Dependability

AD 4 ECSS-Q-40B Space Product Assurance: Safety

AD 5 ECSS-Q-60A Space Product Assurance: EEE Components

AD 6 ECSS-Q-70A Space Product Assurance: Materials, Mechanical Parts and Processes


Issue: 05 of 58


01x00384.doc

AD 7 S2.SYS.RS.1001 Software Requirements Specification

AD 8 ECSS-M-00B Space Project Management: Policy and Principles

AD 9 ECSS-M-00-03A Space Project Management: Risk Management

AD 10 ECSS-M-30-01A Space Project Management: Organisation and conduct of Reviews

AD 11 S2.ASU.RS.1034 Configuration and Documentation Requirements Specification

AD 12 ECSS-M-50A Space Project Management: Information/Documentation Management

AD 13 ECSS-E-30-01A Space Engineering: Fracture Control

AD 14 ECSS-Q-70-01A Space Product Assurance: Contamination and Cleanliness Control

AD 15 PSS-01-202 Preservation, storage, handling and transportation of ESA spacecraft hardware

AD 16 ECSS-Q-60-11A + TEC-Q/04-6649/QCT

Space Product Assurance: De-rating and end-of-life parameter drifts – EEE Components + Tailoring Requirements for ECSS-Q-60-11A

AD 17 ECSS-Q-60-01A Space Product Assurance: European Preferred parts list (EPPL) and its management

AD 18 PSS-01-605 The capability approval programme for the hermetic thin-film hybrid microcircuit

AD 19 PSS-01-606 The capability approval programme for hermetic thick-film hybrid microcircuits

AD 20 PSS-01-608 Generic specification for hybrid microcircuits

AD 21 PSS-01-700 The technical reporting and procedures for materials and processes

AD 22 ECSS-Q-70-02A Space Product Assurance: Thermal vacuum out-gassing test for the screening of Space materials

AD 23 ECSS-Q-70-04 Space Product Assurance: Thermal Cycling Test for the screening of Space Materials & Processes

AD 24 ECSS-Q-70-07A Space Product Assurance: Verification and approval of automatic machine wave soldering.

AD 25 ECSS-Q-70-08A Space Product Assurance: The Manual Soldering of High-Reliability Electrical Connections

AD 26 ECSS-Q-70-10A Space Product Assurance: Qualification of Printed Circuit Boards

AD 27 ECSS-Q-70-26A Space Product Assurance: The crimping of high reliability electrical connections


Issue: 05 of 58


01x00384.doc

AD 28 ECSS-Q-70-28A Space Product Assurance: The Repair and Modification of PCB Assemblies for Space Use

AD 29 ECSS-Q-70-36A Space Product Assurance: Material selection for controlling stress corrosion cracking

AD 30 ECSS-Q-70-37A Space Product Assurance: Determination of susceptibility of metals to stress corrosion cracking

AD 31 PSS-01-738 High-reliability soldering for surface-mount and mixed-technology PCB

AD 32 ECSS-Q-70-46A General requirements for threaded fasteners

AD 33 ECSS-Q-20-07A Space Product Assurance: Quality Assurance of Test Facilities

AD 34 ECSS-Q-20-09B Space Product Assurance: Non-Conformance Control System

AD 35 PSS-01-302 Failure Rates for ESA spacecraft and approved equipment

AD 36 MIL-PRF-38535 Integrated Circuits (microcircuits) manufacturing

AD 37 MIL-PRF-19500 Semiconductor Devices, general specification for

AD 38 MIL-PRF-38534 Hybrid Microcircuits

AD 39 ASTM E595-90 Collected Volatile Condensable Materials (CVCM) from out-gassing in a vacuum environment

AD 40 MSFC-Spec 250 Protective finishes for space vehicles

AD 41 NASA-STD-6001 Flammability, Odour and Offgassing, Compatibility Requirements And Test Procedures For Materials In Environments That Support Combustion

AD 42 ECSS-Q-70-71A Space Product Assurance: Data for Selection of Space Materials and Processes

AD 43 PSS-01-706 Particle and Ultra Violet Radiation Testing of Space Materials

AD 44 MIL HDBK 5 Metallic materials and elements for aerospace vehicle structures

AD 45 ECSS-Q-70-18A The preparation, assembly and mounting of RF coaxial cables

AD 46 ECSS-Q-30-02A Space Product Assurance: Failure Modes, Effects & Criticality Analysis

AD 47 ECSS-Q-40-02A Space Product Assurance: Hazard analysis

AD 48 ECSS-E-10-05A Space Engineering: Functional Analysis

AD 49 ESA/QPL EA/SCC Qualified Parts List

AD 50 QML-38535 Military Standard for Advanced Microcircuits

AD 51 QPL-11 Military Standard for Resistors, Fixed, Composition


Issue: 05 of 58


01x00384.doc

AD 52 QML-19500 Military Standard for Semiconductor Devices

AD 53 QPL-39016 Military Standard for Relays, Electro-magnetics

AD 54 MIL-HDBK-217F + Notice 2 Reliability Prediction for Electronic Equipment

AD 55 ESA WDN / PS / 700 Issue2 ASIC Design and Manufacturing Requirements

AD 56 ESA ASIC/001 Issue 1 VHDL Modelling Guidelines

AD 57 ECSS-E-40, Part 1B Software Engineering Standard

AD 58 IEC standard 825-1 Safety of Laser Products, Geneva, International Electro-technical Commission, 1993

AD 59 S2.ASU.RS.2031 LISA Pathfinder: General Design & Interface Requirements

AD 60 ECSS-Q-70-22A The control of Limited Shelf-Life Materials

AD 61 PSS-01-705 Detection of Organic Contamination of Surfaces by IR Spectroscopy

AD 62 ECSS-Q-70-11A Space Product Assurance: Procurement of Printed Circuit Boards

1.4 Reference Documents

The following documents provide reference material for understanding of these PA requirements. They do not constitute requirements as such.

RD 1 ISO 9001:2000 Quality Management System: Requirements

RD 2 ECSS-M-40A Space Project Management: Configuration Management

RD 3 ECSS Q-80B Space Product Assurance: Software Product Assurance

RD 4 S2.EST.PR.1001 LISA Pathfinder Project References

RD 5 S2.ASU.PL.1017 Audit and Surveillance Plan

RD 6 S2.ASU.LI.2008 Hardware & Software Procurement Matrix

RD 7 S2.ASU.TN.2023 LISA Pathfinder: Radiation Analysis

1.5 Document Hierarchy

The following documents are applicable to the Product Assurance Requirement Document, and are hierarchically superior to it:

1. Unit Contract 2. Unit SOW 3. Unit Requirements Document 4. This PA Requirement Document 5. The relevant ECSS document


Issue: 05 of 58


01x00384.doc

2 PRODUCT ASSURANCE

2.1 General

AD 1 shall apply. The Sub-Contractor shall nominate an experienced PA Manager / Engineer responsible as the focal point of contact for EADS Astrium and the customer, ESA; the nominated person shall have the necessary organisational authority and independence to implement and manage the PA Programme. The Sub-Contractor shall prepare, submit, implement and maintain an effective PA and Safety program in accordance with the requirements of this document for the duration of the LISA Pathfinder project. A Product Assurance and Safety (PA&S) Plan shall describe in detail (resources, tasks, responsibilities, methods and procedures, lower tier Sub-Contractors and suppliers monitoring) the program to be implemented to satisfy the requirements of this specification. The Plan will be submitted to Astrium for approval. Sub-Contractors internal procedures may be referenced in the PA&S Plan, in this case they shall be provided on request. Sub-Contractors should be aware that referencing internal company procedures in the PA&S Plan will limit the company’s ability to unilaterally change the procedures. All modifications to these procedures shall be considered as modification to the PA&S Plan, which requires Astrium approval as stated above. Experienced personnel from the Sub-Contractors’ Quality Assurance Organisation shall be involved in tasks that require specific or more detailed knowledge (for example Parts, Materials & Processes, EEE, and Dependability expertise). 2.2 Right of Access

Astrium and ESA shall have the right of access to all technical and programmatic documentation, all areas and operations within the Sub-Contractor’s facilities and his low tier sub-contractor’s facilities in which they perform work related to the project or store items used for the project. If deemed necessary, Astrium shall have the right to have a resident within the Sub-Contractor’s facilities. The Sub-Contractor shall make arrangements to allow ESA and Astrium personnel such access any time when requested, with appropriate notification. 2.3 Participation

Astrium and ESA shall have the right to perform or participate in audits, surveys, source inspections, test reviews, Mandatory and Key inspections, Test Reviews, Delivery Review Boards, Non-conformance Review Board, etc… at the Sub-Contractor facilities and the lower tier Sub-Contractors and suppliers. Astrium and ESA participation shall not in any way replace or relieve the Sub-Contractor of their responsibilities in meeting their contractual terms; rather, it will aim at contributing to the identification of problem areas and assessing satisfactory progress. 2.4 Qualification Status List (QSL)

For each equipment / unit, a Qualification Status List shall be produced specifying the Flight, or otherwise, heritage of the hardware. This shall be used to highlight areas for Qualification Development and reviewed at major design milestones (PDR, CDR etc) and during the TRB and/or DRB. For any particular item, the Qualification Status shall be closed with a reference to heritage that may be directly comparable to the LISA Pathfinder mission or to a test programme / report that confirms it’s suitability to meet the LISA Pathfinder requirements. Hardware shall be categorised by heritage to Flight programmes comparable with LISA Pathfinder; these categories are in the relevant Statement of Work and reflected in RD 5 and RD 6.


Issue: 05 of 58


01x00384.doc

2.5 Critical Item List

A Critical Item List (CIL) shall be prepared and kept up to date. It shall list critical items from the equipment design, hardware and software with appropriate risk reduction means defined for the various phases of the project (i.e. design reviews, special procedures / inspections, double verification of highly critical items, single point failure of category catastrophic critical or major, general recording of single point failure connectors…). This list shall be used to finally close out all the above critical items and their associated risk reduction measures after being verified and recorded. 2.6 Ranking of Critical Items

The Sub-Contractor shall establish a ranking list in order to effectively plan and organise the resources for the PA programme. This list shall present, sequentially in the order of critically, items of the equipment, which present specific risks to the project (See AD 1 clause 3.3.5, and AD 2 clause 4.8). The list shall be an aid to establish priorities of PA, and other related areas of effort, early in the programme and to plan surveillance, Parts Control Boards (PCB’s) KIP’s & MIP’s etc, to address any associated risk reduction measures. The Sub-Contractor shall analyse all unit/development items of the equipment against criticality relative to:

�� Safety �� Reliability, Single Point Failure (SPF) �� Limited life items �� Procurement, manufacturing, assembly, inspection, test, handling, storage and transportation

constraint �� Processes or activities subcontracted to Lower Tier Sub-Contractors involving two or more

levels of subcontracting �� New industrial processes, technology (not qualified or not standard) �� New technology for the Sub-Contractor �� New development versus qualified and flown �� History of non-conformance

2.7 Risks Management

The Contractor shall establish and maintain a Risk Management System in coherence with AD 9, as defined in the SOW and Project Management Requirements. The Contractor shall draw up a list of critical elements and associated actions for risk mitigation, and shall guarantee their implementation. The risk management process shall include the inputs from all Product Assurance disciplines. 2.8 Receiving Inspection

The Sub-Contractor shall take appropriate actions to ensure that all incoming supplies, including documentation and packaging, whether delivered on his own premises or elsewhere, conform to the requirements of the procurement documents, according to the principles of AD 2, clause 7.5. Inspections shall be performed in accordance with established procedures and instructions, to ensure that quality level is properly determined. The resultant Incoming inspection records shall be maintained to ensure traceability and the availability of historical data to monitor Contractor performance.


Issue: 05 of 58


01x00384.doc

2.9 Reporting

The Sub-Contractor shall prepare and submit a PA report as part of the overall project progress report as defined in the Sub-Contractor Statement Of Work and Project Management Requirements. It shall cover all the programme tasks under the Sub-Contractor responsibility, including lower Tier sub-contractors. The report shall address the following topics, as a minimum:

�� Progress and accomplishment of each major PA task (KIP’s, MIP’s etc) �� Problem areas, major risks and solutions �� Parts, Material & Process Qualification activities and status, as appropriate �� Status of and Request for Deviations (part of Configuration Management) �� Status of Waivers, Non-Conformances and impact of any Warning Notices / Alerts �� Identification and listing of critical items and their resolution / closeout. �� Future planning of major activities / events �� Statement of any change (i.e. organisation, personnel etc) in the period at the Sub-Contractor

or lower tier sub-contractor level. 2.10 PA databases

All PA-related data and analysis (such as NCR, RFW, RFD, EEE components list, materials and processes list) shall be managed by means of electronic databases. The database format and content shall be agreed with Astrium in order to allow the import and export data at Astrium and ESA level. 2.11 Lower Tier Sub-Contractor Management

If the Sub-Contractor intends to sub-contract a part of the work to a lower tier sub-contractor, this shall be formally notified to Astrium for approval. The Sub-Contractor shall identify all lower tier sub-contractors down to the lowest level in a list identifying the name, the location, the part of the work sub-contracted and the heritage. Astrium will approve the contracting proposal on the basis of:

�� Clear evidence that all requirements, applicable to the project and part being sub-contracted, are transmitted to the lower tier sub-contractor.

�� The ability of the lower tier sub-contractor to do the work and to fulfil the requirements has been evaluated and a validation file is available for review by Astrium; if needed, Astrium may request an audit.

�� The Sub-Contractor has defined a surveillance plan of the lower tier sub-contractors that includes the right of Astrium and ESA to participate and contribute.

Any change to the list of lower tier sub-contractors shall be submitted to Astrium. The Sub-Contractor shall audit his lower tier sub-contractors to ensure their compliance with the requirements. Astrium shall be notified of the Sub-Contractor’s intention to audit a lower tier sub-contractor by Fax or E-mail (with configuration reference) and the Sub-Contractor shall produce an audit report one month after the audit. 2.12 Deviations and Waivers

Sub-Contractors shall issue Deviations and Waivers according to the definitions and requirements detailed in the following sub-sections 2.12.1 Deviations

A Deviation is written authorisation to depart from the originally specified requirements for a product prior to its production, i.e. it is a difference between project requirements and the design standard identified prior to manufacture or test. It is a relaxation of the requirements in a specific instance and not a change of the requirement.

Note: All approved deviations will be entered in the ‘As Designed’ Configuration.


Issue: 05 of 58


01x00384.doc

On contract award, each selected Sub-Contractor shall submit a deviation against each ‘generic’ project specification placed on them for the LISA Pathfinder Programme (e.g. PA Requirements, Sub-Contractor Management Requirements, Configuration and Documentation Requirements etc); this deviation shall list all partial or non-compliances against the specification. The purpose of the deviation, per ‘generic’ specification, is to establish a ‘Requirement Baseline’ (i.e. the specification plus deviation) that is then listed in the CIDL for the design. 2.12.2 Waivers

A waiver is written authorisation to use or release a product which does not conform to the specified requirements, identified during or after, manufacture or test which affects function, mass, mission objectives, safety, performance, strength, reliability or inter-changeability and, if agreed, will not be rectified thereby, rendering the item permanently non-conforming. The proposed use or repair of items which do not conform to requirements specified by the approved design baseline shall be handled in accordance with the waiver approval process defined AD 11, using the form shown in Section 13.1. Waivers will be entered in the ‘As-Built’ definition of the relevant hardware. AD 11 also specifies the numbering format that Sub-Contractors shall use for Deviations and Waivers. 2.13 Review Definitions

The following sections define the objectives of the various reviews that may be required of the Sub-Contractor when executing their contract. 2.13.1 Preliminary Design Review (PDR)

The main objective of this review is to approve the design of a unit / equipment at a relatively high level prior to detailed design or design changes required of the Flight Design for LISA Pathfinder. 2.13.2 Critical Design Review (CDR)

When performing the CDR, the design is reviewed in detail prior to its release for manufacture. The main objective is to confirm the maturity of the design in readiness for Flight Model manufacture. 2.13.3 Equipment Qualification & Suitability Review (EQSR)

When proposing ‘off-the-shelf’ units / equipment, an EQSR could be performed. This review may take place in lieu of a PDR and CDR when the unit / equipment is deemed ‘Qualified’ for the LISA Pathfinder mission or any changes to the ‘Qualified’ design and / or manufacture are considered minor. It is the responsibility of the Sub-Contractor to propose this approach in their proposal; the Sub-Contractor shall provide evidence of the Qualification standard and show that it meets the requirements of the LISA Pathfinder mission. 2.13.4 Manufacturing Readiness Review (MRR)

Flight Model manufacture is not permitted before an MRR has been undertaken. However, should the Sub-Contractor shown a conflict between development needs, in terms of scheduling, and the dates of the CDR for the relevant unit / equipment, the Sub-Contractor shall plan a specific MRR for the part of the unit by advanced release. The main objective of this review is to release the Flight Model units to manufacture. Note: Should it acceptable to the pertinent parties, the CDR and MRR can be merged.


Issue: 05 of 58


01x00384.doc

2.13.5 Test Readiness Review (TRR)

When appropriate, the Test Readiness Review shall be convened to review the status of test plans and procedures; the status of the manufacturing documentation shall be confirmed (MIP’s and KIP’s actions, NCR and RFW status). The objective of the TRR is to provide authorisation for the formal test programme to commence. For each TRR there will be a corresponding TRB as defined below. 2.13.6 Test Review Board (TRB)

Test Review Boards examine and evaluate unit and equipment level test results prior to formal acceptance of the hardware. At equipment and instrument level, TRB’s can occur on completion of the test programme of the unit. The objective of all TRB’s is to accept and approve the test results obtained during the relevant test phase or programme. 2.13.7 Qualification Review (QR)

The objective of this review is to confirm the Qualification Status of the hardware design and manufacture, whether this involves testing or not, on completion of a Qualification programme; the QR shall verify that the design and performance of each equipment / instrument are compatible with the specified requirements. The sub-system and system level QR shall occur on completion of each phase of testing, prior to formal completion of qualification. For the purpose of efficiency, the QR may replace the TRB for Qualification Model items, whilst enveloping the objectives of the TRB. 2.13.8 Material Review Board (MRB)

An MRB defines and authorises the disposition of major non-conforming items, and determines future corrective and preventive measures. In reaching their conclusions, the Board shall examine the available data and initiate such actions as may be considered necessary to determine the cause of the non-conformance. All MRB decisions and dispositions shall be made by consensus of all members. In case of conflict, higher management level involvement shall be invited. 2.13.9 Delivery Review Board (DRB)

The Delivery Review Board accepts hardware and software, and authorizes the shipment of hardware / software from one facility to another one. In order to give such authorization, the Board shall review the conclusions and satisfactory completion of actions raised during preceding TRB’s and any associated MRB’s. Furthermore, the Board shall review the declared conformity of the ‘As-Built’ hardware and interfaces with the requirements, any non-conformance and the completeness of documents and data required for delivery. Formal acceptance of the unit, equipment or sub-system shall be contingent on the closure of any specified outstanding action and the successful performance of agreed incoming inspection and or test at the receiving organisation. Where it is considered appropriate, DRB’s may be combined with TRB’s whilst meeting the objectives of both.


Issue: 05 of 58


01x00384.doc

3 QUALITY ASSURANCE

AD 2 shall apply. The Sub-Contractor shall establish, implement and maintain a QA programme in accordance with AD 2 and describe its contents in their Product Assurance Plan or, if convenient, in a self-standing document. 3.1 PA Programme Audits

This chapter supersedes clause 4.6 of AD 2. The Sub-Contractor shall identify, in a separate Audit and Surveillance Plan, the external and internal PA and Safety audits & surveillance activities which shall be planned to:

�� Verify the implementation and effectiveness of the PA&S programme �� Assess the capability of low tier sub-contractors or suppliers to perform the required tasks �� Perform mitigation activities resulting from project risk analysis

3.2 Manufacturing Flow Chart and Mandatory / Key Inspection Points (KIP’s & MIP’s)

Manufacturing, assembly and integration operations and inspections shall be reflected in flow charts for the product; the charts shall clearly depict the sequence of operations and associated inspections and tests. Manufacturing flow charts will be supplied at the CDR or before commencing Flight standard manufacture. It shall include the identification of KIP’s & MIP’s, together with the reference to the procedures by which the various activities are to be performed and the required cleanliness levels of facilities. 3.3 Inspections

Inspection and tests shall be defined at the points of the manufacture, assembly and integration flow where maximum assurance for correct processing and prevention of unrecoverable or costly non-conformances can be obtained, according to the principles of AD 2, clause 8.9 Among the inspections and tests, as part of the manufacturing, assembly and integration flow, some selected inspections, KIP’s & MIP’s (Key & Mandatory Inspection Points) shall be performed with customer participation. KIP’s & MIP’s shall be identified on the manufacturing and Inspection flow chart and agreed upon with Astrium & ESA before Flight, or Proto-Flight model manufacture. A MIP shall confirm that the design has been implemented and the requirements met; this shall include any agreed design updates from those originally specified and Qualification baseline. Any deviations to the design shall be identified (e.g. NCR’s, Waivers etc.) together with the appropriate authorisation. The top level MIP (i.e. the MIP performed just prior to a formal test programme or hardware delivery) shall form the basis of the ‘As-Built’ definition. A visual examination of the hardware shall always form part of the MIP. Five (5) working days formal notice (e-mail or fax) of MIP's / KIP’s will be given to Astrium / ESA in order to confirm participation or delegate accordingly. Astrium and ESA will attend MIP’s unless written authority (e-mail or fax) is provided to proceed without their participation; in these instances, the MIP shall proceed and the Sub-Contractor will provide a written report to Astrium & ESA for review. KIP’s require the same notice period but the inspection can take place without the presence of ESA or Astrium. However, the inspection activities for KIP’s and MIP’s are the same. 3.4 Connector Savers, Temporary Installations & Removals

All Sub-Contractors shall formally control (for example, via the logbook or manufacturing card) any temporarily removed flight items, or any temporarily installed non-flight items, as detailed in clause 8.10.1 of AD 2. The use of connector savers is encouraged during test, integration & AIV phases to facilitate longevity of Flight Connectors, but the use of mate / de-mate logs is optional. However, qualified personnel


Issue: 05 of 58


01x00384.doc

shall visually inspect all Flight Connectors prior to final installation, or shipment (if shipped in an uninstalled configuration), and sign / stamp the manufacturing card or logbook to confirm the flight worthiness of the connector to fulfil it’s design purpose for the mission duration; this must also include further ground-based integration and test activities, even if under the control of another organisation, i.e. higher level integration. 3.5 Logbooks

The Sub-Contractor shall prepare and maintain equipment logbooks for all operations and tests performed on the item during the period covered by the test programme, according to the principles of AD 2, clause 8.10.2. Equipment logbooks shall start with the first qualification or flight acceptance test after assembly. The logbooks shall contain historical and quality data and information, which is significant for operation of the item, including Non-Conformances, Waivers and open tasks. 3.6 Manufacturing assembly and Integration Records

Manufacturing, assembly and integration records shall be established and maintained, to provide all data required for traceability, as specified in AD 2, clause 8.11. 3.7 Non-Conformance Control

The Sub-Contractor shall establish and maintain a Non-Conformance control system in accordance with the principles of AD 34 and AD 5 chapter 5, which supersedes paragraph 3.6 of AD 2. NCR reporting procedures shall be applicable to hardware and software which contributes to the achievement of qualification, e.g. structural model, alignment model, spares etc, and to the Flight standard hardware and software. A summary list of all NCR’s (major and minor) shall be provided to Astrium monthly (e.g. together with the progress report). To assist with Non-Conformance Control and its management, the Sub-Contractor shall utilise ESA’s ‘Non-Conformance Tracking System’ (NCTS) available through the Internet. Full instruction on its use and management is available, and it is intended to use the NCTS system throughout the LISA Pathfinder Sub-Contractors for the duration of the programme. Classification of Non-Conformances shall be in accordance with clause 4.2 of AD 34. However, clause 5.4.5 b of AD 34 is replaced by the following: ‘the Sub-Contractor shall notify Astrium and ESA of all major non-conformances within two (2) working days of their detection and confirmation. The NCR report shall be provided within five (5) working days. 3.8 Contamination and Cleanliness Control

AD 14 shall apply. Sub-Contractors shall minimize potential sources of contaminants, to facilitate the cleaning of hardware, and the removal of any contaminants that may occur, and protect sensitive elements as far as possible. The Sub-Contractor shall identify the hardware and facilities requiring specific controls for molecular or particulate contamination, ensure that cleanliness levels are maintained, by implementing preventive controls, and demonstrate the successful achievement of the required cleanliness level as specified herein, or any specific requirements detailed within the unit / equipment requirements and design documentation. At delivery, all hardware shall meet the cleanliness requirements detailed below; the cleanliness condition of the hardware shall be confirmed by the Sub-Contractors Quality Department, and an inspection report/ certificate issued as part the of the items End Item Data Pack (see section 12.2). Allowable contamination levels, at the time of delivery, are presented in the table below: -


Issue: 05 of 58


01x00384.doc

Molecular Level * Particulate Level

Sensitive optical surfaces � 0.5 � 10-7 g/cm2 � 100 ppm

General surfaces � 1 � 10-6 g/cm2 � 1,274 ppm (class 400, as per MIL-STD-1246)

*Molecular contamination shall be measured in accordance with AD 61. For contamination sensitive components (e.g. optical surfaces) a contamination analysis shall be delivered to Astrium as part of a Cleanliness and Contamination Control Plan. Methods, procedures and responsibilities shall be defined in an Astrium approved Cleanliness and Contamination Control Plan; the Plan shall provide a contamination analysis to define the cleanliness conditions of the hardware environment during manufacture, assembly and test (clean room class), the associated measurement of cleanliness (particle counter, witness samples), protective clothing, any protective devices (covers, bags.), and any cleaning methods. 3.9 Production

The Sub-Contractor PA&S plan shall describe the policies procedures and documentation to be utilized to control procurement, manufacturing, assembly, testing and delivery operations in order to ensure that applicable drawings and specifications are compliant with the completed article and to ensure that production activities do not degrade the quality designed into the product. A traceability system shall be maintained for the Flight standard model and for other models if they participate to qualification justification. 3.9.1 Pyrotechnic Initiators

When procuring, allocating and installing Pyrotechnic initiators, Sub-Contractors shall ensure that the Prime and Redundant initiators, for any unit, are selected from different manufactured batches, as per ESA’s ‘Hipparcos’ recommendation. 3.10 Metrology, Calibration and Tooling Control

The Sub-Contractor shall control, calibrate, validate and maintain inspection, measuring and test equipment to demonstrate the conformance of product, according to the principles of AD 2, clause 5.5. The Sub-Contractor shall make provisions for accountability, identification, calibration and maintenance of manufacture, assembly and integration tooling. Manufacture, assembly and integration tooling shall be checked for its dimensional accuracy, regarding the product drawings and correct function. 3.11 Test Reviews

Test Reviews shall include the following representatives from the Sub-Contractor: �� Product Assurance (chairman) �� Engineering �� AIT and / or facility representative

The Sub-Contractor shall invite Astrium and ESA to attend Test Reviews, with a notification of at least five (5) working days before the event.


Issue: 05 of 58


01x00384.doc

3.11.1 Test Readiness Review

A Test Readiness Review (TRR) shall be held prior to any formal qualification and / or acceptance tests, to determine the following:

�� That the ‘as-built’ configuration status of the test specimen (including flight and EGSE software) conforms to the released baseline and that any differences to the baseline are acceptable and documented to assure that test objectives can be met (the final level MIP may be used to assist this determination)

�� Status of existing Non-Conformances / failures, Request For Waivers and that any open activities do not have an adverse impact the objectives of the test,

�� Availability and approval of test procedures, including acceptance, rejection and retest criteria, �� Verification that hazards and hazardous operations have been clearly identified within the test

procedure and appropriate actions are implemented, �� Readiness of the test facilities and associated equipment (cleanliness of test facility,

calibration status and validity of all test equipment, including any software), �� Schedule of key events and milestones, �� Assignment of responsibility during the test, �� Conclusion whether to release for testing.

A similar review shall be held prior to major development tests. 3.11.2 Test Review Board

After each major portion of qualification and / or acceptance tests a Test Review Board (TRB) shall be held to determine that:

�� All portions and steps of the applicable procedure have been properly executed, and the test specimen and test equipment have been brought to safe condition.

�� All deviations from or modifications to the test procedure, which had to be made during the test, were properly documented and authorised.

�� All required data records are complete and, at least, a first assessment has been made to determine whether the parameters were within required limits, or whether there is a need for additional testing and / or further analysis of the results before a conclusion can be reached.

�� Non-conformances / failures have been recorded and at least initial dispositions affecting continuation / completion of the test have been made by the appropriate Non-Conformance Review Board.

�� Conclude whether the test article can be released to the next step and the test set-up can be dismantled.

3.12 Test reports

This chapter is a supplement to clause 9.3.2 of AD 2: Tests report shall include reference to NCR’s relevant for the test subject of the test report. The test report shall provide a conclusion if the test objectives have been achieved. 3.13 Acceptance and Delivery

The Sub-Contractor shall establish, in accordance with the principles of clause 10 of AD 2, a formal acceptance process for all deliverable items, at any contractual level, to ensure that conformance of the delivered items is fully assessed and documented. The Sub-Contractor shall also ensure that the preparation of the items for delivery and the physical delivery itself are performed in such a way that quality degradation is prevented.


Issue: 05 of 58


01x00384.doc

The Contractor shall provide an End Item Data Pack (EIDP) for each deliverable ‘end’ item, according to the principles of AD 2, clause 10.2. An EIDP shall constitute the basis for formal acceptance reviews; the contents and advanced delivery of which is defined in section 12.2. Astrium will maintain and integrate the EIDP’s into higher-level packs during integration and test at sub-system / system level. The Contractor shall ensure that a DRB is convened prior to the delivery of units, separately assembled sub-systems or other hardware according to the principles of AD 2, clause 10.3. If acceptable to all pertinent parties, the DRB may be performed together with TRB. The DRB shall be responsible for reviewing the tests results and authorizing the shipment of the items under acceptance, and certifying in writing that:

�� The items conform to the contractual requirements and to an approved design configuration. �� All Non-Conformances are closed-out, or corresponding plans, compatible with the delivery,

are accepted. �� The relevant EIDP is complete and accurate.

The DRB shall authorise delivery In special circumstances, where contract schedule is at risk, the following procedure may be used when Astrium, in advance of a formal TRB and/or DRB, requests delivery. This process shall be conducted under formal control.

1. Test results shall be reviewed and accepted by Astrium. 2. All open activities e.g. incomplete manufacturing records, open NCR’s, non-approved concessions,

incomplete review board actions, shall be reviewed to establish status and “close-ability” in the absence of the hardware.

3. On successful completion of the above, a “transfer” NCR shall be raised stating “This equipment is released to Astrium prior to TRB/DRB and is fit for the purpose of integration to the next stage of build”. The NCR shall be signed by:

a) Supplier Project Manager b) Supplier PA Manager c) Astrium Equipment Project Manager d) Astrium Project PA Manager or delegated authority

4. The NCR shall be retained and progressed by the Supplier and shall stay open until TRB/DRB’s have been completed and all actions closed. Wherever possible waivers/deviations shall be closed out at Astrium and ownership taken up by Astrium.

It must be noted that this special procedure is at the sole discretion of Astrium Ltd. In the case this procedure is used, the equipment shall be delivered with the following documentation: NCR list (including the “transfer” NCR raised for the shipment review), RFW list, Test Results, User Manual, Packing & Handling procedure, Government authorisation list and copy of relevant Export Licence and provisos (if any), accountability plans, and ICD as a minimum 3.14 Packaging, Marking, Labelling and Handling

The detailed requirements for Packaging, Marking and Labelling are detailed in paragraphs 10.4 of AD 2. Each hardware item shall be permanently marked, either directly or with an identification label including, at least, the following:

�� Name of product and product designation (e.g. internal design number). �� Manufacturer. �� CIDL reference and CI number. �� Model type. �� Serial number.

If an item is physically too small to carry a permanent identification label, it shall be suitably bagged (as detailed below) and the bag shall be labelled with the information itemized above. In addition, any identification for the unit shall be reflected in the relevant interface drawing and/or document. Furthermore, the identification label shall be legible for the unaided eye from a distance of 0.5m. Flight Unit containers shall be controlled and monitored/instrumented to ensure that the environments encountered during shipping & storage (mechanical, thermal, pressure, electrical & contamination) do not exceed expected


Issue: 05 of 58


01x00384.doc

flight (acceptance) levels. Where necessary, blanking caps may be fitted to any ports; these shall be red in colour (e.g. red anodised) and instructions necessary for removal shall be included in the Handling and Packing procedures to ‘Remove Before Flight and Test’. All Flight Items shall be doubled bagged in clean room conditions to meet the cleanliness requirements of the hardware. Both bags shall be sealed and contain a dry, inert and non-contaminating atmosphere; the outer bag shall contain a dehydrating agent and humidity indicator. The Handling & Packing procedure shall state the environment in which the packaging must be opened, e.g “ONLY TO BE OPENED IN CLEAN ROOM CONDITIONS, CLASS 100,000”. If wooden containers are proposed for packing and despatching goods of any kind to an international destination, then any wood used MUST COMPLY with International Standards For Phytosanitary Measures: Guidelines for Regulating Wood Packing Material in International Trade, Publication No. 15, and certified accordingly. More information can be found on the following Web Address http://www.ippc.int. Units weighing more than 10kg shall be equipped with handling points (e.g. threaded bushes) to enable the connection of special handles, provided by the supplier, for use during the integration phase of the unit. Non-Flight hardware (e.g. special handles) shall be clearly identified as such (e.g. red anodised and labelled as “NOT FOR FLIGHT”) and will be clearly identified on the relevant Interface Control Drawing and/ or Document. Any other non-flight equipment needed for the unit shall also be clearly identified as such and referenced in the relevant documentation. 3.15 Transportation and Shipping Control

Hardware shall be transported using a container specifically designed to protect the unit during ground or air transportation. In addition, the units identification, as specified in section 3.14, shall be translated to the outside of the transport container. The Sub-Contractor shall ensure that the items are inspected before release and found to be complete, adequately preserved and packaged (to prevent damage), correctly marked (as detailed in section 3.14) and accompanied by all the required documentation; accompanying documentation shall include the hardware copy of the EIDP and, attached to the outside of the shipping container, the handling and packing / unpacking procedure and any relevant Hazard Documentation and Safety Procedures (for the use by the Transportation and receiving organisation). Using e-mail, the supplier shall inform Astrium and the receiving organisation of the date of shipment, expected time of arrival and travel information (e.g. waybill number, courier etc.) within 24 hours of shipment. The Supplier shall notify Astrium of the contents, method of transport and appropriate date of any shipment, within the timescale agreed in the Schedule and Milestone bar chart prior to dispatch. Within 24 hours of dispatch, the Supplier shall detail the following information to Astrium Ltd by e-mail or fax: - Name of Carrier - Route, including frontier crossing points - Port of departure - Port of entry - Flight number - Air Waybill Number - Estimated Time of Arrival (ETA) - Items forming the consignment - Purchase order or contract reference

http://www.ippc.int/


Issue: 05 of 58


01x00384.doc

4 RELIABILITY / DEPENDABILITY

4.1 General

This chapter defines Reliability, Availability and Maintainability requirements. The Sub-Contractor shall implement design criteria to ensure that dependability is built into the design through the use of: a) failure tolerance, and b) design margins. In addition, the Contractor shall perform dependability analyses to support the design and qualification process, and to show compliance with the dependability requirements. AD 3 shall be used as a guideline to cover areas not explicitly dealt with in this document. 4.2 Consequence Severity Categories:

Failure events shall be classified on the basis of the severity of their consequences, according to the categories defined below: 4.2.1 Sub-System Level: Consequence Severity Categories

Criticality level and Description 1. Loss or major degradation of mission performance 2. Degraded system/mission performance outside of specified limits 3. Loss of hardware redundancy 4. No effect on mission

4.2.2 Unit Level: Consequence Severity Categories

Criticality level and Description 1. The failure effect is not confined to the unit. 2. Loss or degradation of the unit’s function and the effect is confined to the unit. 3. Minor internal unit failure. 4. No effect

The number identifying the severity category shall be followed by a suffix as defined below:

�� Suffix S shall be used to indicate safety impacts / safety hazards. �� Suffix R shall be used to indicate redundancy. �� Suffix SP will be added when relevant to indicate a Single Point Failure

Safety hazards identified in the FMECA shall be cross-referenced to the relevant paragraph of the Hazard Analysis; for the draft / first issue of the FMECA, when the Hazard Analysis may not be available, this cross-reference shall be to the Hazard Analysis document. 4.3 Failure Tolerance

Designs shall be able to sustain single failure or operator error without critical or catastrophic safety consequences or loss or major degradation of mission; the designs shall also be able to sustain any combination of two failures or two operator errors, or one of both, without catastrophic safety consequences. The failure tolerance approach does not need to be applied to primary structures, load carrying structures, structural fasteners, and load-carrying elements of mechanisms or pressure vessels. In these cases, the requirement of design for minimum risk shall be applied.


Issue: 05 of 58


01x00384.doc

4.4 Failure Propagation

Hardware or software failures shall not propagate to cause additional failures or the hazardous operation of interfacing hardware. 4.5 Failure Modes, Effects and Criticality Analysis (FMECA)

Sub-Contractors shall develop a Functional Block Diagram which shall include all functional elements and the functional paths among these elements; it shall indicate whether a function is performed by hardware, software, requires operator intervention and where back-up modes are employed A FMECA shall be performed on the functional and physical design; it shall identify how each failure mode is detected. All potential failure modes shall be identified and classified according to severity of their consequences. Measures shall be recommended to render all such consequences acceptable for the project. Common mode and common cause failure shall be considered. Multiple failures resulting from common cause or common mode failures shall be considered as single failures when determining failure tolerance. Single Failure Points shall be identified and are subject to approval. The FMECA procedure described in AD 46 shall be followed; as a minimum, the following failure modes shall be considered:

�� Premature operation; �� Failure to operate at a prescribed time; �� Failure to stop operation at a prescribed time; �� Failure during operation; �� Degradation or out-of-tolerance operation; �� For EEE parts: short circuit, open circuit, incorrect function (such as SEU, latch-up). Please

refer to AD 35. �� Incorrect commands or command sequence; �� Incorrect software functions.

For separate redundant units, the FMECA shall be at the functional level of the unit, except for any interfaces to the redundant units, where the FMECA shall be performed at the part level of the detail. Where the redundancy is embedded within the unit, the FMECA shall be performed at the part level of detail. FMECA items identified as a safety hazard shall include a cross reference to the corresponding paragraph in the Hazard Analysis, where those particular items are treated. 4.5.1 Hardware / Software Interaction Analysis (HSIA)

Hardware / Software Interaction Analysis shall be performed to ensure that the software is designed to react in an acceptable way to hardware failures (ref. clause 8.2.2 b of AD 3); the analysis shall support, and may be included in, the FMECA. 4.5.2 Worst Case Analysis

Worst Case Analysis shall be performed for every electronic unit. Critical performance parameters will be shown to meet the requirements under worse case assumptions of temperature, power, voltage, current, ageing, radiation and part tolerances. Note: all opto-coupler & opto-electronic circuits shall be analysed using their predicted degradation under proton radiation. 4.5.3 Part Stress Analysis

Each electronic unit shall be subject to derating analysis to ensure that the stress levels applied to all EEE parts are within the tolerances specified in AD 16; those components exceeding the de-rating requirements shall be highlighted in the subsequent report for acceptance by Astrium & ESA.


Issue: 05 of 58


01x00384.doc

4.5.4 Maintainability Assessment:

The Sub-Contractor shall identify the preventive and corrective maintenance actions (including the corresponding repair mean times and frequencies) for ground operations, including storage, emergency restoration or repair activities necessary to sustain system capabilities crucial to mission success. Furthermore, the Sub-Contractor shall identify, in a Maintainability Report:

�� items that cannot be checked after integration, �� items that require late servicing, access or replacement, �� limited-life items or consumables.

Such items are subject to agreement by Astrium. 4.5.5 Dependability Critical Items

The retention of Single Point Failures (SPFs) resulting in failure modes of category 1 or 2 shall be justified. Single Point Failures shall be critical items and any failure modes resulting in safety hazards shall also be critical items. When failure rates are used to quantify Single Point Failures and Safety Hazards, AD 54 shall be used for EEE parts, and AD 35 may be used for other items. The Sub-Contractor shall justify and track SPFs and Safety Hazards in the Critical Items List, which shall be subject to Astrium and ESA approval.


Issue: 05 of 58


01x00384.doc

5 SAFETY

5.1 General

The Sub-Contractor shall implement a safety assurance programme to assure compliance with safety requirements as well as national / international safety regulations. The objectives of safety requirements are to identify hazards and implement hazard reduction measures to ensure that the risk of hazardous consequences to personnel, flight hardware and facilities are minimised. Sub-Contractors are responsible for ensuring the safety of their products. Furthermore, no hazardous operation shall be permitted to proceed without prior review and approval by the Sub-Contractor’s safety representative. AD 4 shall be used as a guideline to cover the areas not explicitly dealt with in this document 5.2 Safety Risk Management

Risk to human life, investments made, mission and environment shall be managed throughout the project by performing the following activities:

�� Allocation of safety requirements �� Hazard identification �� Hazard evaluation �� Hazard prevention, reduction and control �� Hazard close out, including residual risk acceptance

All hazard assessments shall consider primarily the hazard potential and categorise all hazards according to the consequence severity defined in section 5.6.1 of this document; corresponding controls shall be proposed. The initial design shall be chosen such that the hazard potential and its related consequence severity are minimised. The probability of a hazardous event shall consequently be taken into account whenever hazard consequence severity reduction methods alone are considered insufficient to adequately reduce the risk. The probability of occurrence shall be reduced by considering all areas of design for minimum risk, by increasing the reliability of safety devices, by providing warning devices, protective clothing, or by using procedural controls and training. 5.3 Safety Documentation Review and Maintenance

The Sub-Contractor shall review project documentation including specifications, drawings, analyses, procedures and reports, Non-Conformance reports, failure reports, waivers, and documentation changes in order to verify or assess impacts on:

�� The implementation of safety requirements and hazard and risk controls �� Incorporation of hazard and risk controls into the design or the verification programme. �� Completion of verification activities �� The design and operation of the sub-system and system �� The validity of safety analyses performed and documented

Records shall be maintained of the documents reviewed and the safety documentation shall be updated to maintain currency. Furthermore, the Sub-Contractor shall certify, by signing the documents, that the safety documentation is accurate, valid, comprehensive and complete prior to delivery of their hardware. 5.4 Deviations and Waivers Affecting Safety

The Sub-Contractor shall identify all deviations / waivers that affect the applicable project safety requirements; their safety representative shall review these deviations / waivers to ensure that all possible impacts on safety are fully analysed.


Issue: 05 of 58


01x00384.doc

For any deviation / waiver which affects safety, the document shall be annotated with pertinent safety information and forwarded to Astrium and ESA for approval. The deviation / waiver shall describe why the requirement cannot be met and provide sufficient analysis and rational to support an exception to the safety requirement. The accumulated deviations & waivers that affect safety shall be assessed to ensure that the effects of individual deviations / waivers do not invalidate the rationale used for the acceptance of other deviations / waivers. The Sub-Contractor shall maintain a tracking list that identifies all safety-related waivers. 5.5 Safety Design Principles

5.5.1 Design Selection

The safety of human life is mandatory and shall be the overriding consideration. The design of all products shall be such that:

�� The least hazardous design is chosen �� Environment compatibility is assured �� The product is safe without relying on external services �� Failures that have been considered in relevant analysis bring the system into a defined

operational safe mode �� Hazard detection, signalling and ‘Safing’ is duly considered

5.5.2 Hazard Reduction Precedence

The following reduction precedence shall be applied to identified hazards, hazardous conditions and functions whose failures have hazardous consequences: Hazard elimination: Hazards and hazardous conditions shall, consistent with the project constraints and mission objectives, be eliminated from the design and operational concepts by the selection of design technology, architecture and operational characteristics. Hazard minimisation: Where hazards and hazardous conditions are not eliminated, the severity of the associated hazardous events and consequences shall, consistent with the project constraints and mission objectives, be minimised through safety factors and the selection of the least hazardous design architecture, proven design techniques and operational characteristics. Hazard control-Safety devices: Hazards that are not eliminated through design selection shall de reduced and made controllable through the use of automatic safety devices as part of the equipment. Safety inhibits shall be independent and verifiable. Hazard control-Warning devices: When it is not practical to preclude the existence or occurrence of known hazards or to use automatic safety devices, devices shall be used for the timely detection of the condition and the generation of an appropriate warning signal. This shall be coupled with emergency controls of corrective action for operators to safe or shut down the affected sub-system. Hazard control-Special procedures: When it is not possible to reduce the magnitude of a hazard through the design, the use of safety devices or the use of warning devices, protective clothing, special procedures shall be developed to control the hazardous conditions for the enhancement of safety. Special procedures shall be verified by test and appropriate training shall be provided for personnel. The requirement for hazard detection, signalling and safing by the ground personnel to control time-critical hazards shall be minimised and shall not be implemented if an alternative means of reducing or control of hazardous conditions can be used. Acceptable safing procedures shall be developed, verified and the personnel trained. Physical barriers, safe separation distances, access control, remote monitoring, tagout / lockout methods, and time limited exposure shall be considered as means of hazard mitigation and risk reduction.


Issue: 05 of 58


01x00384.doc

5.5.3 Environmental Compatibility

The equipment design shall meet the applicable safety requirements under the worst-case natural and induced environments as defined by AD 59. Design and performance margins shall be established and applied considering worst-case combinations of induced and natural environments and operating characteristics. 5.5.4 Hazard Detection – Signalling and Safing

The Sub-Contractors design shall provide the capability for detecting failures that result in degradation of failure tolerance with respect to the hazard detection, signalling and safing function. The performance of these functions shall be verifiable during flight and ground operational phases. No single failure or single human error shall cause loss of the emergency and warning functions together with the monitored functions. Emergency, warning and caution data, out of limit annunciation and safing commands shall be given priority over other data processing and commend functions. 5.5.5 Fail-safe design

Whenever feasible, a fail-safe design approach shall be used such that a failure brings the equipment in to a safe state. 5.5.6 Safe Without Services

When the safe operation of the system depends on externally-provided services, (such as power), the design shall prevent hazards with catastrophic or critical consequences for a period of time, to be agreed with Astrium and ESA, after the loss of those services. 5.6 Safety Risk Reduction and Control

5.6.1 Severity

The severity consequence of identified hazardous events shall be classified as follows: Catastrophic: �� Loss of life or life-threatening, Permanent disabling injury to personnel or occupational illness; �� Loss of, or damage to, launcher or launch site facilities; �� Loss of spacecraft for safety related consequences; �� Propagation of failures to launcher or other payloads; �� Long term detrimental environmental effects

Critical: �� Loss of the LISA Pathfinder mission; �� Loss or major damage to private or public property, or ground facilities; �� Temporary disabling but not life-threatening injury, or temporary occupational illness; �� Short term detrimental environmental effects.

Major: �� Minor injury, minor disability, minor occupational illness, mission degradation or minor system

or environmental damage.

Negligible: �� Events not categorised above.


Issue: 05 of 58


01x00384.doc

5.6.2 Multiple Failures

Failure tolerance is a basic safety requirement that shall be used to control hazards. The failure tolerance requirements are defined in sections 4.2 and 4.3. However, multiple failures resulting from common-cause or common failure mechanisms shall be considered as single failures for determining failure tolerance. 5.6.3 Redundancy Management and Separation

Alternate or redundant safety-critical functions shall be physically and functionally separated or protected in such a way that any event that causes the loss of one path shall not result in the loss of alternative or redundant paths. 5.6.4 Failure Propagation

Hardware or software failures shall not cause additional failures with hazardous effects or propagate to cause the hazardous operation of interfacing hardware. 5.6.5 Design to minimum risk

Hazards related to mechanisms, structures, pressure vessels, pressurised lines and fittings, material compatibility and material flammability shall be controlled by the safety-related properties and characteristics of the design, such as margin or factors of safety. Positive safety margins shall exist when considering the worst credible combination of environmental conditions. 5.7 Safety Analysis Requirements and Techniques

Safety analysis shall be performed in a systematic manner. Safety analysis shall be refined and updated in an iterative manner as the design process proceeds, to ensure that hazards and hazardous events are assessed, and that the relevant detailed design and operational requirements, hazard controls and verification activities are defined and implemented. Safety analysis shall be initiated early in the design phase and shall provide concurrent support to project engineering in the selection of least hazardous design and operational options that are compatible with the project requirements. 5.7.1 Safety Analyses

Hazard analysis shall be performed in accordance with AD 4, clause 6.4 documented in Hazard Reports to support the hazard reduction process. All identified Hazards shall be tracked and reported in accordance with AD 4, clause 7.2 and finally closed out as detailed in clause 7.5 of AD 4. Consequential hazard reports shall conform to Annex B of AD 4, in order to identify and evaluate:

�� Hazards associated with the equipment design, its operation and the operation environment �� Hazardous effects resulting from the physical and functional propagation of initiator events �� Hazardous events resulting from the failure of equipment functions �� Time critical situations

The following potential initiators events shall be considered:

�� Hardware failure (random or time dependent) �� Latent software error �� Operator error �� Design inadequacies, including:

o Inadequate margins


Issue: 05 of 58


01x00384.doc

o Unintended operating modes caused by sneak-circuits o Material inadequacies and incompatibilities

�� Hardware/software interactions �� Natural and induced environmental effects �� Procedural deficiency

The Contractor shall perform additional safety analyses (such as venting analysis, leak-before-burst analysis, dedicated thermal analysis), as required by the launcher authority, Astrium or ESA, to support the safety review process. The outcome of these analyses shall be documented as requested by Astrium or ESA. 5.7.2 Safety Critical Items

Functions that if lost or degraded, or through incorrect or inadvertent operation, would result in a catastrophic or critical hazard consequence shall be identified as safety critical. Hardware, software or firmware items or procedures which support a safety critical function and which do not comply to the applicable safety technical requirements or which cannot be verified as complying with those requirements, shall be identified as safety critical items. Those items shall be reported in the Critical Items List and subjected to management and control. Each Critical Item that is retained shall be supported with a justification for retention which shall be subject to ESA / launcher authorities approval. 5.7.3 Qualification of Safety Critical Functions

Adequate end-to-end validation tests on safety critical functions to determine or demonstrate the margin of safety or degree of hazard shall be implemented where appropriate. Where failure effects or failure tolerance in safety critical functions is not clear induced failure tests shall be conducted to collect data. 5.7.4 Safety Risk Assessment

Safety risk assessment shall be used to �� Support design trades �� Rank risk contributor �� Identify major risk contributors �� Support the safety decision-making process �� Monitor the effectiveness of the hazard control and risk reduction process by assessing trends

The results of safety risk assessment shall not be used as the sole basis for acceptance or rejection of residual risks. Sources of data and rational used for safety risk assessment shall be identified. When an ‘Item’ is passed to any party, the Sub-Contractor shall provide a Safety Assessment document in compliance with AD 4. 5.8 GSE Requirements

This section is a supplement to clause 8.3.6 of AD 4. Ground support equipment shall be subject to safety analysis to extent necessary to demonstrate compliance with applicable international and national regulations, in the countries where the GSE is designed and manufactured and will or may be used. As a minimum, all GSE shall be supplied with a ‘CE’ mark in accordance with European Safety Legislation and Directives.


Issue: 05 of 58


01x00384.doc

6 EEE COMPONENTS

6.1 General

6.1.1 Purpose

The purpose of the EEE Components process to is to assure that the parts used in the flight hardware are acceptable and possess adequate functional, radiation, quality, reliability, schedule and cost characteristics to meet the LISA Pathfinder programme requirements. 6.1.2 Applicability

This specification is applicable to all Component parts for qualification hardware, flight hardware and flight spares used on LISA Pathfinder. The full requirements of AD 5 shall apply, supplemented or modified by additional requirements defined within this chapter. The Sub-Contractors are considered fully responsible for the selection and use of EEE Components with respect to their equipment specified within the contract for LISA Pathfinder. 6.2 Procurement Control

All Sub-Contractors to LISA Pathfinder have the option of participating in a Coordinated EEE Parts Procurement scheme; the baseline assumption is that all Sub-Contractors will participate unless otherwise stated in their proposal. If a Sub-Contractor does NOT wish to participate in the scheme, then they must show capability of procuring their own EEE parts in accordance with the requirements laid down in this document. As part of their Product Assurance Plan, each Sub-Contractor shall explicitly specify the mechanism by which they intend to procure EEE parts, whether this may be by self-procurement, via an agent acting on their behalf or through the LISA Pathfinder Coordinated Parts Procurement Agent (CPPA). The Sub-Contractors preferred EEE procurement mechanism shall be reported through their compliance matrix to this document as part of their bid. If a Sub-Contractor chooses, and is authorised, to self-procure their EEE parts, then they shall submit a Component Procurement Plan for approval by Astrium. Each Sub-Contractor, as applicable, shall participate in Parts Control Boards (PCB’s) to review the EEE parts intended, and procured, for the LISA pathfinder mission 6.3 Declared Components List (DCL)

For each equipment, the Sub-Contractor responsible shall establish a Declared Component List for all EEE parts procured and used in their unit/equipment; the DCL shall include items specified for attrition and spares. The required DCL format is given in AD 5. 6.4 Modification to AD 5

Clause 1.2: “Standardisation of types” is to be considered in the frame of self-procurement only Clause 1.5: For De-Rating Requirements and European Preferred Parts List replace “ECSS-Q-30-xx” with AD 16 and replace “ECSS-Q-60-xx “ with AD 17. Clause 2.4.2:Replace “…as well as at flight hardware delivery (as built)“ by “Traceability of EEE parts during installation in equipment, shall be ensured by the Sub-Contractor to allow the traceability of the manufacturer lot / date code number of the Electrical Component parts actually mounted. The Sub-Contractor shall be able to provide this information (part type actually installed with its relevant lot / date code number) within 1 day (when the flight system is on launch pad) or within 1 week (in the other cases).”


Issue: 05 of 58


01x00384.doc

Add: “Each Sub-Contractor shall provide their DCL to Astrium, in an agreed electronic format for ease of consolidation at Prime Level”. The format shall be TBD at time of Sub-Contractor selection” Clause 2.4.3: Replace “ PPL reference” by “EPPL reference” Clause 3.2.8 shall be superseded by: The phase B design of electrical/electronic equipment shall take into account the selection criteria for components to be used in flight hardware. The European Preferred Parts List (EPPL – ref. AD 17), the MIL-QPL / QMLs (ref: AD 50, AD 51, AD 52, AD 53 or any equivalent MIL QPL/QML) and the ESA / SCC QPL (ref. AD 49) shall be used as the primary basis for components selection. Preference shall be given to European parts. The selection of components not mentioned in the above lists may be permitted. Selection shall be based on knowledge regarding technical performance, qualification status, and history of previous use in similar application. In such cases the contractor shall provide a justification for the selection of a specific component type or manufacturer in association with the Parts Approval Document (PAD) shown in section 13.2, and numbered as required by AD 11. The components used for Bread Boards (BB’s) shall meet the same functional requirements as those proposed for Flight, although they do not have to meet the same quality requirements. It is the responsibility of the developer of the equipment to select components that assure that the results of Bread Board tests are valid for design progression. Components used on Engineering Models shall be from the same design type and manufacturer as those intended for used on flight standard models. For QM the same quality level of components shall be selected as for flight. For Proto-Flight equipment the requirements for Flight hardware shall apply. Clause 3.3 shall be amended by: EEE components used in LISA Pathfinder flight hardware require approval by Astrium and ESA prior to usage. The approval process is described below. In addition to the component approval requirements described in chapter 3.3 of AD 5, approval will be given without PAD submittal, provided the manufacturer and procurement specification is exactly as listed in the EPPL and the quality levels and any additional screening are compliant with the LISA Pathfinder project requirements. For such parts the DCL shall identify the approval status and list the remark “standard EPPL/QPL”, together with the following procurement details:

�� Procurement inspections by customer (pre-cap inspection, etc.) if any �� Single Event Effects Linear Energy Transfer (SEE LET) threshold and/or total dose sensitivity

level, if applicable �� Date code: in case of procurement from stock date of re-life activities, if applicable �� DPA confirmation, if applicable �� PIND testing confirmation, if applicable.

Specific components (Hybrid circuits, ASICS, etc.) of which the technology is qualified by Capability Approval (or similarity), but which are newly developed and for which a specific Detail Specification is not listed in the EPPL and QPL, the item shall be covered by an individual PAD. Replace “5 years” of clause 3.4.5 of AD 5 with “6 years” and add “Components shall have been stored under controlled conditions [see below], during the entire storage period” to clause 4.5. In addition, add to clause 4.5: “For stock components that have a lot/date code which indicates that more than 9 years will have elapsed from date of manufacture to date of intended installation in equipment, proposed re-life may only be considered with prior approval of Astrium Ltd and ESA.” Furthermore, all Sub-Contractors shall establish and implement procedures for handling and storing EEE parts in order to prevent any degradation. These procedures shall be available for review by Astrium and ESA. As a minimum the following areas shall be covered:

�� Control of storage environment such as temperature (22°+5°C), humidity (RH 65% max) and cleanliness,

�� Appropriate measures and facilities for segregating and protecting components during incoming inspection, storage and delivery to manufacturing,


Issue: 05 of 58


01x00384.doc

�� Control measures to ensure that components susceptible to electrostatic discharge (ESD) are identified and handled only by properly trained personnel using anti-static packaging, tools and other means, including procedures.

�� Traceability of components to delivery documentation and supplier manufacturing data. Clause 3.5 shall be superseded by: for specific components for which the referenced ECSS level 3 documents are not available, the Sub-Contractor shall propose specifications and procedures; they shall be coherent with the general quality/reliability and control requirements of the project. Furthermore, they shall be referenced in the Components Procurement Specification and made available for review and approval by Astrium and ESA. Application specific components: the Sub-Contractor shall select Application Specific Integrated Circuits (ASICs) only when their technology is available prior to the end of phase B. Only such ASIC technologies shall be selected which have been completed the design/development phase, and of which prototypes have been successfully produced, tested and validated. The prototypes must be representative for the flight components and identical with the exception of package and quality aspects. Other strategic components: for other components, such as specific Hybrid circuits, electro-optical devices, MMIC, Electro-magnetic components etc, which are crucial for the design and function and which are not readily available, and which need development/design at the level of manufacturer of the components, the same limitation for selection apply as for ASIC’s Clause 4.4.2b: Add: ”DPA tests may be omitted for ESA/SCC qualified or EPPL part 1 components. These include:

�� Components included in recognised QPL’s issued by o ESA o U.S. Defence Supply Center, Columbus – MIL (class S, ER level R) o NASDA (class S, ER level R)

�� Components belonging to QML, class V. �� Components included in NASA NPSL, level 1. �� Components that have been evaluated successfully according to ESA/SCC, ECSS-Q-60A or

equivalent requirements for which a recognised procurement specification is available It should also be noted that parts procured for redundant units in the lower quality level will require a DPA; such cases shall be signified in the DCL or PAD sheet, if applicable. For any other component a DPA shall be performed and identified in the relevant PAD sheet”.


Issue: 05 of 58


01x00384.doc

6.4.1 EEE Screening Levels

The following shall supersede clause 3.4.2 of AD 5. Any Electrical Component part incorporated into flight hardware shall be submitted to screening tests. These screening tests shall be designed so that accumulated stress will not jeopardise the part reliability. Complementary to the component screening requirements as described in clause 3.4.2 of AD 5, the test level shall be as follows:

Microcircuits MIL-PRF-38535 class Q, or ESA SCC level C Transistors/diodes/opto-couplers MIL-PRF-19500 JANTXV, or ESA SCC level C

Hybrids ESA-PSS-01-608 level C or MIL-PRF-38534 class H

Passives ER-MIL failure rate P (exponential law)

failure rate B (Weibull law) or ESA SCC level C

or CECC generic spec class B

Switches MIL-STD-1132, or ESA SCC level B Crystals ESA SCC 3501 level B Relays MIL-PRF-39016F, Failure Rate R, or ESA SCC level B

Component Quality Levels for Redundant Units

Microcircuits MIL-PRF-38535 class V, or ESA SCC level B Transistors/diodes/opto-couplers MIL-PRF-19500 JANS, or ESA SCC level B

Hybrids ESA-PSS-01-608 level B or MIL-PRF-38534 class K

Passives ER-MIL failure rate R or S (exponential law)

failure rate B (Weibull law) or ESA SCC level B

or CECC generic spec class B

Switches MIL-STD-1132, or ESA SCC level B Crystals ESA SCC 3501 level B Relays MIL-PRF-39016F, Failure Rate R, or ESA SCC level B

Component Quality Levels for Non-Redundant Units In addition the following has to be applied for components procured with MIL specifications: LF/RF diodes and transistors, Integrated circuits (i.e. cavity devices): Pind test method 2020/2052 Condition A 100% on all semiconductors with cavities The Sub-Contractor, and any lower tier sub-contractor or supplier, shall NOT USE FUSES. Tantalum capacitors, chips and Tantalum capacitors with solid electrolyte: surge current test required Clause 3.4.3: add “Level LAT3 tests are mandatory for relays in TOx package”. Add “As a minimum, the customer precap inspection shall be maintained, by the Sub-Contractor, for qualified parts belonging to the following families:

�� Relays �� CERMET fuses �� Quartz �� Oscillators

The results of this inspection shall be documented by a summary report.”


Issue: 05 of 58


01x00384.doc

6.4.2 Radiation Sensitive Components

Clause 3.4.4 is superseded by “The subcontractor shall perform a radiation analysis (part of the Design Justification file) to evaluate all environmental effects for all components used in flight hardware. Whenever possible, technologies shall be selected which are inherently insensitive to single event effects and latch-up; devices with a LETth for SEL less than 60 MeV-cm2/mg shall not be used; devices with a LETth for SEL between 60 and 100 MeV-cm2/mg may be used if the Latch Up Rate (LUR) < 10% ldev, where ldev is the intrinsic device failure rate, as determined using MIL HDBK217, or based on experimental set of reliability data to be submitted to Astrium for approval. Latch up protection circuitry may only be used after acceptance by Project Prime. The LISA Pathfinder GDIR will provide a dose depth curve for use by Sub-Contractors. Radiation test plans shall ensure that any protective measures taken are adequate for selected components. For guidance, the anticipated radiation TID is 44 krads (Ref. RD 7), which includes a safety factor of 2, provided the conditions specified within the LPF GDIR are met. When the component radiation sensitivity, as calculated either from radiation characterisation test or from existing radiation resistance data, is inadequate with respect to the anticipated radiation environment, samples from the lot or wafer under procurement shall be subjected to Radiation Verification Testing (RVT). This testing shall be planned in the Radiation Test Plan. For this assessment, the following rules apply for total dose radiation:

�� For components for which the total dose radiation sensitivity is demonstrated by data to meet or exceed the expected dose detailed above, no testing will be required on component level

�� Where no valid data exists, or the radiation analysis shows the total dose margin is less than the applicable TID level (typically 44 krads as detailed above), a sample, of at least 3 from the procured Flight lot, shall be radiation tested to double their expected TID, after which all 3 shall meet their specification requirement for the application.

6.5 Additions to AD 5

6.5.1 ON/OFF cycling

6.5.1.1 Definition of the two ON/OFF cycling modes

Mode 1: power supply switched at part level. This mode may concern any EEE part in any equipment: �� Parts when the power supply is switched OFF to save consumption, �� Parts from the thermal control (fuses, heaters), periodically switched ON, �� Parts used to limit energy (filters, diodes, …).

These cycling have ON and OFF periods from µs to several seconds. Mode 2: open / close of contacts. This mode may concern any part with mechanical contacts, which can be open or closed under pressure (micro-switches), coil voltage (relays) or temperature variation (thermo-switches). 6.5.1.2 Estimate of temperature variations

During an ON/OFF cycle, a part is submitted to 2 associated constraints: a power cycling (due to its own dissipated power) and a thermal cycling due to the dissipation of the part environment. The thermal variation seen at junction level, between ON and OFF modes may be estimated by:

�� DTj = DTj-b + DTb-p + DTp where �� DTj-b: temperature difference between junction and case (after stabilisation in ON mode) �� DTb-p: temperature difference between case and equipment wall (after stabilisation in ON

mode) �� DTp: temperature variation of the equipment wall between ON mode and OFF mode.


Issue: 05 of 58


01x00384.doc

6.5.2 Final source inspection (final CSI)

The final CSI consists in data review and test witnessing. For all relays (qualified or not), oscillators and fuses which are not qualified (not belonging to ESA QPL or MIL QML/QPL in space level), as part of the control of the EEE parts procurement, the procurement responsible has to carry out, at manufacturer’s premises, prior shipment, a final source inspection. For any other part, this final CSI may be replaced by an incoming inspection at procurement responsible facilities 6.5.3 Mounting of Electrical Component parts

The Sub-Contractor shall be able to demonstrate the adequacy of his mounting and assembly rules with respect to use of various package technologies and materials. As a minimum, the relevant procedures shall address:

�� Design of PCBs or any support receiving Electrical Component parts (thermal requirements, rules for implantation of Electrical Component parts)

�� Storage and handling on the assembly line, �� Preparation of Electrical Component parts before mounting, �� Mounting process, �� Criteria for visual inspection, �� Storage conditions of PCBs or any support receiving Electrical Component parts. �� These procedures shall be available for review during PRB.


Issue: 05 of 58


01x00384.doc

7 MATERIALS, MECHANICAL PARTS AND PROCESSES

7.1 Organisation

The materials, mechanical parts and processes organisation shall be defined in the Sub-Contractors PA&S Plan. It shall be the responsibility of each Sub-Contractor, and their lower tier contractors, to ensure that materials, mechanical parts and processes used in all their equipment and during the assembly, integration and testing (AIT) of flight hardware, comply with all contractual, design, quality and performance requirements. Furthermore, as a result of manufacture, assembly, test, transportation and operating conditions, the materials shall not degrade. The materials, mechanical parts and processes shall satisfy ground and flight environmental constraints concerning:

�� Resistance to mechanical environment (shocks and vibrations during tests and launch…) �� Resistance to vacuum �� Resistance to radiation and atomic oxygen �� Resistance to thermal cycling

7.2 Criticality Analysis

The Critical Items List detailed in sections 2.5 and 2.6 of this document shall include all critical materials, mechanical parts and processes. The definition of a critical material, mechanical part or process is detailed in the sub-sections below, as reflected in AD 6: 7.2.1 Critical Materials

A material is to be considered critical if: �� It is new, has no previous space use or is not qualified for the LISA Pathfinder environmental /

operational envelope, for the intended application. �� Previous use has highlighted technical problems that may cause design and validation

problems for LISA Pathfinder. 7.2.2 Critical Mechanical Part

A mechanical part is considered critical if: �� It is new, has no previous space use or is not qualified for the LISA Pathfinder environmental /

operational envelope, for the specified application. �� Previous use has highlighted technical issues. �� Failure of the mechanical part can adversely affect the performance or destroy a major part or

function of the spacecraft. �� The quality of the mechanical part cannot be assessed by ‘simple’ tests.

7.2.3 Critical Processes

A process is considered critical if: �� It is new, has no previous space use or is not qualified, in the application for LISA Pathfinder. �� Previous use has highlighted technical difficulties. �� Failure of the process can adversely affect the performance or destroy a major part or function

of the spacecraft. �� The contractor has no prior application experience. �� The quality of the process cannot be assessed by examining the end product.

Materials, mechanical parts and processes identified as critical should be subject to the Request for Approval (RFA) procedure detailed in AD 6 which shall be submitted to Astrium for approval and to ESA for


Issue: 05 of 58


01x00384.doc

review. All critical materials, mechanical parts and processes shall be evaluated and validated / qualified, with the resulting acceptance & use identified in the Declared Materials List (DML), Declared Mechanical Parts List (DMPL) and Declared Processes List (DPL); Qualification Reports shall be reviewed by Astrium Ltd. Prior to formal issue. The validation or qualification of all critical materials, mechanical parts or processes shall be completed and accepted by Astrium before the materials, mechanical parts or processes are used on either Qualification or Flight Model hardware. 7.3 Technical Requirements for the Selection of Materials

The selection, evaluation and validation of materials for the LISA Pathfinder mission shall be conducted in accordance with the general technical requirements of AD 6. The requirements of this section replace clause 3.1.1 of AD 6. The data provided in AD 42 can be used as a guide, for the selection of materials with a previous history of space use. Materials not listed in AD 42 and selected for use on the basis of prior space use by the Sub-Contractor must have been used in a directly comparable application with identical, or ‘worse’, environmental and lifetime requirements. However, materials specified for use without previous space use or materials with previous space use in non-relevant applications (critical materials) shall be qualified to demonstrate full compliance with this clause of this document and the requirements of the LISA Pathfinder mission. The qualification validation shall be documented and referenced in the DML. 7.3.1 Vacuum

The acceptance criteria for materials and equipments/units designated for LISA Pathfinder are as follows: �� Total Mass Loss < 1.00% by weight �� Collected Volatile Condensable Material < 0.10% by weight

Note: The normal rationale that TML is largely water will not be a justifiable reason for acceptance on LISA Pathfinder due to the science requirement of the mission.

�� The Total Mass Loss for each supplied unit / equipment < 0.30% NOTE: The unit/equipment Total Mass Loss will be a calculated value from the individual material values comprising the unit / equipment being supplied.

For LISA Pathfinder, Out-gassing is important on this mission for two reasons

1. LISA Pathfinder has typical concerns over molecular contamination arising from the condensation of volatile components that emanate from organic based materials; these are the same as for all space missions.

2. LISA Pathfinder has very direct concern over changes in mass during in-orbit operation. This is a mission specific attribute and is related to Total Mass Loss of material; the effect it will have on the mass distribution, and hence un-modelled gravity effects, within the science module, not the potential for out-gassing products to contaminate other items on the spacecraft.

To adequately cover both concerns, the Out-gassing Requirements for this mission are expressed in terms of TML and CVCM. Where the contamination and cleanliness analysis highlights a requirement for more stringent out-gassing controls i.e. materials in the vicinity of optical surfaces, then the maximum values above will be modified to suit the specific requirements. This shall be addressed on a case-by-case basis as and when the contamination and cleanliness analysis indicates a potential problem. Materials which do not meet the above requirements, or which are considered as critical from the contamination analysis, shall be submitted to vacuum bake out. The bake out parameters shall be agreed with Astrium on a case-by-case basis; these parameters must be identified in the Declared Material List. An out-gassing test must be performed on the materials after vacuum bake-out to demonstrate compliance with the requirements of this section. It must also be demonstrated that the vacuum bake-out has not adversely affected the performance or function of the materials or parts. In addition, Materials for which no


Issue: 05 of 58


01x00384.doc

relevant out-gassing data are available, or that have shown batch variability, shall be subjected to an out-gassing test as per AD 22 or AD 39. The test samples must be processed and cured under the same conditions as the items intended for the Qualification and / or Flight Hardware. In all other instances, a test reference from an ESA or NASA approved source must be provided to assure the accuracy of the data and the same cure / processing conditions; a MAPTIS reference does not constitute an acceptable test reference for Out-Gassing properties on the LISA pathfinder programme. 7.3.2 Restricted Materials

The use of pure mercury, cadmium, pure electrodeposited or hot dipped tin-plated surface coatings and tin coated wire, zinc and PVC is prohibited. If there is no other alternative, these materials may only be utilised for LISA Pathfinder with the prior authorisation of Astrium & ESA via the Deviation process shown in section 2.12.1. The use of beryllium-oxide, low alloy steels, carcinogens, friable materials, radioactive materials or magnetic materials (for structural applications) is restricted. Where the use of any of these materials is unavoidable, the material’s use should be evaluated on a case-by-case basis through the use of the RFA procedure, with the agreement of Astrium. The justification for use should be documented and referenced in the DML. 7.3.2.1 Magnetic Materials

The use of ferromagnetic materials & devices exhibiting magnetic properties shall be restricted for LISA Pathfinder; if the use of such materials and devices is considered mandatory, an assessment shall be made through the Request for Deviation process, and approved by Astrium (ref. section 2.12.1). Subsequently, the item shall be considered critical, highlighted in the Critical Items List, and controlled as a Critical Item. 7.3.3 Thermal cycling

Tests to assess the effect of thermal cycling on the performance of the materials used shall be conducted in accordance with AD 23. The number of cycles and the temperature extremes shall be selected, with the agreement of Astrium, to accurately reflect the predicted mission environment. [This is to ensure that the effect of CTE differences over the mission temperature range do not cause degradation of materials or structures i.e. bonded joints during in-orbit service]. This must also cover temperature cycling during ground test that the equipments will see, prior to launch. 7.3.4 Atomic Oxygen (ATOX)

The effects of atomic oxygen on the outer surfaces of the spacecraft shall be assessed on the basis of the orbit parameters and mission duration (TBC). It shall be demonstrated, either by test or by the presentation of previous data, which thermal control materials, subject to an ATOX environment, shall conform, as a minimum, to End Of Life (EOL) thermo-optical requirements. All other materials exposed to atomic oxygen should be either selected to be resistant to attack or protected to avoid in-orbit degradation of the material’s performance 7.3.5 Meteoritic/Debris Environment

The influence of a meteoritic/debris environment on the materials shall be assessed on a case-by-case basis.


Issue: 05 of 58


01x00384.doc

7.3.6 Electrochemical Compatibility

Where an equipment / sub-system design requires dissimilar metals to be in contact, the choice of the pair of metallic materials used shall take into account the data in AD 40 or AD 42; galvanic compatibilities shall be selected in accordance with the approved lists and procedure in AD 42. 7.3.7 Corrosion

Aluminium surfaces shall be treated for corrosion protection with an approved chemical conversion coating, anodic treatment or surface primer. Mechanical parts made of stainless steel shall be passivated and Mechanical parts made of titanium alloys shall be anodised. Where non-corrosion resistant steels are specified, an approved surface coating shall be applied to the material surface. This requirement shall apply to GSE as well as flight equipment. For all other materials, their ability to perform satisfactorily with respect to corrosion resistance in the untreated state over the life cycle of the mission (manufacture, storage, transportation and launch) shall be supported by acceptable data (i.e. MSFC-HDBK-527); otherwise appropriate surface treatments shall be applied and qualified for use on LISA Pathfinder mission. All surface coatings and treatments applied must be identified in the DML and are subject to the technical requirements for selection of materials detailed in this document. The application processes must also be identified in the DPL and are subject to the technical requirements for approval and use of processes detailed in this document. 7.3.8 Stress Corrosion

Metallic materials used in structural applications shall have a high resistance to Stress Corrosion Cracking (SCC) and shall be chosen from Table 1 of AD 29. Metallic materials and welds that are not listed in AD 29 or whose SCC resistance is unknown shall be tested and categorised according to the requirements of AD 30. SCC evaluation shall be initiated through the submission of an SCC evaluation form as detailed in Annex A of AD 29. Where a material listed in Table 2 of AD 29 is specified for use, it must be subject to a Request for Deviation prior to incorporation into qualification or flight model hardware. However, the proposed use of any Table 3 materials for structural purposes shall need a Request for Deviation supported by a full SCC evaluation in accordance with AD 29. 7.3.9 Fluid Compatibility

Materials that will be in contact with an identified fluid shall be compatible with that fluid. If compatibility data is not available, then tests shall be performed in accordance with AD 41, test number 15. 7.3.10 UV Radiation

Where applicable, materials shall be evaluated for UV / particle radiation to AD 43. The specific radiation environment for the LISA Pathfinder mission is defined in AD 59 7.3.11 Allowable Stress

Allowable stresses for metallic materials shall be derived from AD 44; other sources shall be subject to acceptance by Astrium & ESA. For composite structures, especially adhesively bonded joints, the allowable design shall be determined as “A basis allowables” as defined in AD 44. These shall conservatively take into account any degradation due to moisture, temperature, thermal cycling, both in-orbit and terrestrial, and process variables. The method used for the determination of allowable material shall be documented and referenced in the strength summary.


Issue: 05 of 58


01x00384.doc

The materials justification shall prove hardware structural integrity during storage, ground testing and in-orbit life. 7.3.12 Limited Life Time

Materials with limited life characteristics shall be subject to lot/batch acceptance tests and shall have the date of manufacture and shelf-life expiration date marked on each lot/batch. Storage conditions must be controlled to avoid degradation of the material. Storage conditions and shelf life should be stated in the procurement specification. Sub-Contractors shall provide systems that meet the requirements of AD 60 for monitoring and controlling the time that limited life materials are exposed to normal working conditions i.e. ambient temperature, in addition to refrigerator or freezer conditions. 7.3.13 Electrostatic Discharge Protection

Materials used in areas sensitive to electrostatic discharge shall be selected to ensure that the maximum potential difference between any two points on the spacecraft are within the limits of the ESD/EMC specification for the mission; these are defined in AD 59. 7.3.14 Hydrogen Embrittlement

Metallic materials, in particular high strength steels, commercially pure titanium and titanium alloys, which will be exposed to a hydrogen rich atmosphere during service or subject to processes capable of introducing hydrogen or hydrogen related features (metal hydrides) into the metal, shall be evaluated to determine susceptibility to embrittlement. Where a material is considered susceptible, the material and / or processes to which the material is subjected shall be optimised to completely eliminate the risk of embrittlement. 7.4 Materials and Mechanical Parts Procurement

The controls and requirements applicable to the procurement of Materials and Mechanical Parts shall take in to account the specific application for which those items were qualified and their proposed use. Controls shall range from fully configured Procurement Specifications to Manufacturers’ Data Sheets, depending on the application. The level of control shall be determined by careful assessment of the following factors:

�� The application in which the Material or Mechanical Part was qualified and is now being considered for use.

�� The extent of receipt inspection test data. �� In-process Quality Control tests. �� Heritage of the Material and Mechanical Part in the wider Space Industry.

Where fully configured Procurement Specifications are not used, a justification shall be included in the entry on the Declared Materials List and this justification will be reviewed as part of the Design Review Process. 7.4.1 Materials and Mechanical Parts for Structural Applications

All Materials and Mechanical Parts designated for structural applications shall be procured to a fully configured procurement specification (refer to AD 6, sections 3.2 and 4.2) with the technical content and delivery conditions, including inspection and certification, agreed by both the supplier and procuring body. The procurement specification shall define the critical material properties, requirements, test methods and acceptance criteria, including sampling frequency and test sample definition to ensure consistent performance in the material’s specific application. This requirement shall ensure that Materials and


Issue: 05 of 58


01x00384.doc

Mechanical Parts are traceable to a defined standard and are of a consistent performance with respect to the critical parameters required by the intended application. Note:

1. Catalogue numbers, manufacturers data sheets, material designations and specifications, which only define material composition, are not considered Procurement Specifications for structural applications.

2. If configured drawings are used as a means of Material or Mechanical Part procurement, then the same details that would be in the procurement specification (defined above) shall be included on the design drawings.

7.4.2 Materials and Mechanical Parts for Non-Structural Applications

For non structural applications, the method of procurement shall be considered together with the amount of in-house test data generated since the Material, or Mechanical Part was originally qualified. If there is in-house receipt inspection and / or in-process Quality Control test data available for a Material or Mechanical Part, and such testing is on-going, then Procurement against the data specified in Manufacturers’ Data Sheets will provide an acceptable level of control to ensure that qualification status is maintained. Note:

1. In the case of adhesives, receipt inspection data and in-process Quality Control data is to include mechanical tests. A simple review of paperwork, quantity checks and physical appearance inspection shall not suffice.

7.4.3 Films and Tapes

A third procurement option, where manufacturers’ Data Sheets can be used as a means of procurement, applies to materials which are used in the same basic condition as they were at the time of delivery, and which are widely used throughout the Space Industry. For this category, the increased risk associated with not using a formal procurement specification is minimized by the widespread use of the material across the Space Industry, the consistent nature of the product and the limited extent of further in-house processing. This specifically applies to films and tapes used in the manufacture of MLI. Factors to be considered are: -

�� Procurement from a recognised Space Industry supplier �� The use of a recognised Space Industry material. i.e. ECSS-Q-70-71 listed. �� Whether or not the Material and/or Mechanical Part is used by other companies for the

manufacture of space hardware. An essential part of this process shall be that certificates of conformance shall reference the specification / data sheet against which it was procured and be issued against performance values specified in the relevant specification / data sheet and not against the Material and Mechanical Part designation. 7.4.4 Procurement of Materials with Limited Shelf Life

For materials with a limited shelf life, packaging, shipping and storage conditions shall be specified to ensure the material does not degrade during shipping or storage. The shelf life, optimum storage and working conditions shall be defined by the procurement specification. 7.4.5 Procurement of Printed Circuit Boards

All Printed Circuit Boards (PCB’s) shall be manufactured from materials that have been procured to a current procurement specification and the manufacturer of the PCBs shall hold a current approval for the manufacture of Space Qualified PCBs. Where this approval is not in accordance with AD 26, the specific differences between the proposed qualification standard and AD 26 shall be defined in the form of a compliance matrix, for prior approval by Astrium Ltd. AD 62 shall form the basis for procuring Printed Circuit Boards for LISA Pathfinder.


Issue: 05 of 58


01x00384.doc

7.5 Mechanical Parts

The selection, evaluation and qualification of mechanical parts for LISA Pathfinder shall be conducted in accordance with the general technical requirements of AD 6; this chapter supplements clause 4.1 of AD 6. The Sub-Contractor shall maximise the use of existing ESA specifications. All mechanical parts shall be selected on the basis of previous space use in an identical application; where a part does not have prior space use or was used in an alternative application, the part shall be deemed critical, and will be subject to the RFA procedure. The part shall be subject to an evaluation and qualification process and the approval for use referenced in the DMPL. Where a mechanical part is not controlled by an ECSS specification, current and fully configured specifications applicable to the relevant Sub-Contractor should be used to ensure full control over the procurement and performance of the mechanical part. All specifications should be referenced in the DMPL. All materials that comprise a mechanical part must be individually assessed in accordance with the requirements of this document and listed on the DML. If required, they are to be evaluated through the submission of a RFA. 7.6 Processes

The selection, evaluation and qualification of processes for LISA Pathfinder shall be conducted in accordance with the general technical requirements of AD 6. This chapter supplements clause 5.2 of AD 6 and the Sub-Contractor shall maximise the use of existing ESA specifications where possible. All processes shall be selected on the basis of previous space use. Any critical process shall be subject to an RFA and evaluated to demonstrate a capability to meet the mission requirements with an acceptable margin. The evaluation shall be documented and reference in the DPL. Where a process is not controlled by an ECSS specification, current and fully configured specifications applicable to the relevant Sub-Contractor should be used to ensure process control. All specifications should be referenced in the DPL. In particular, the following specifications shall be used for the appropriate processes:

Activity Process Specification No.

Soldering AD 25

Coaxial Cable Assembly AD 45

Crimping AD 27

Repair and Modification of PCB’s AD 28

Surface Mount Technology Assembly AD 31

Where a Sub-Contractor / Supplier uses other specifications for the specific activities listed above they shall provide a statement that the alternative process complies with the requirements of the above documents. 7.7 Traceability

A unique reference number or code and a lot number shall identify materials and parts. Should there be an incident or Non-Conformance, the Sub-Contractor shall ensure that it is possible, for the purposes of technical investigations, to reconstitute the material or mechanical part’s history, either individually (individual traceability) or by the manufacturing lot (lot traceability) from which it was procured. The Sub-


Issue: 05 of 58


01x00384.doc

Contractor shall ensure that the full traceability of materials and parts is maintained and recorded throughout the build and test programme of the Qualification / Flight hardware. 7.8 Materials and Process Review

Materials, Mechanical Parts and Processes shall be reviewed on a regular basis throughout the life of the contract using the Design Review Process (PDR’s, CDR’s etc) and / or Product Assurance Reviews (Surveillance, audits, KIP’s MIP’s etc). Astrium shall chair the Design / Product Assurance Review meetings and ESA will be informed, and reserve the right to participate. In regard to PMP, the function of the review is to ensure that each of the following is carried out:

�� Evaluate and approve the DML, DMPL and DPL and where possible, prior to the submission of these documents to PDR, CDR.

�� Ensure that PMP management is conducted in accordance with this document. �� Evaluate the RFAs submitted for approval of critical materials, mechanical parts and

processes. �� Ensure that PMP implementation is performed in accordance with design and manufacturing

documents (KIP’s & MIP’s) and to request technical reviews where considered necessary. �� Support investigations to resolve PMP Non-Conformances. �� Provide Astrium and ESA with regular PMP updates.

The following documentation should be made available to support any reviews concerning PMP:

�� DML, DMPL, DPL �� CIL �� PMP qualification programme and associated reports �� Surveillance / audit reports (where applicable) �� Top level drawings �� RFA documentation �� Non-conformance reports / Deviations and requests for Waivers

7.9 Proprietary Materials, Parts and Processes

Where there are proprietary concerns surrounding PMP by the Sub-Contractor and / or supplier, Astrium will respect the right of the third party to withhold certain details. However sufficient information must be made available to Astrium and / or ESA to allow a full evaluation of the Material, Part or Process with respect to the mission environment and lifetime requirements and to allow a full risk assessment to be carried out. The level of information exchange will be defined on a case-by-case basis dependant on the sensitivity of the requested information 7.10 Configuration Management

The Sub-Contractor shall implement a configuration system to control process change for his own processes and for the processes of his lower tier sub-contractors; these changes shall be notified through the monthly reporting process. In this case, Astrium can organise a Material and Processes Control Board (MPCB) to analyse impacts of the process change on the qualification status of the process.


Issue: 05 of 58


01x00384.doc

7.11 Materials, Parts and Processes List

The Sub-Contractor shall provide the following lists: �� Declared Material List (DML) �� Declared Mechanical Part List (DMPL) �� Declared Process List (DPL) �� Add to the Critical Items List (CIL), any PMP critical items.

DML’s, DMPL’s and DPL’s shall be compiled using the ESA PMP Software tool; this is free issued Software from ESA and training in its use can be provided. When ESA software is used, it shall be configured for the LISA Pathfinder Programme; this can only be obtained from the LPF Prime team. This software will form an integral part of the approval mechanism for Mechanical Parts, Materials and Processes. The lists shall cover all Mechanical Parts, Materials and Processes used in the Flight unit / equipment, including those used at lower tier Sub-Contractor level, and each entry in the Process, Materials & Mechanical Parts List shall contain the relevant procurement details. Furthermore, the Sub-Contractor shall provide a justification to define how the ‘entry’ is Qualified for the LISA Pathfinder application; references to MAPTIS or ECSS-Q-70-71 listings WILL NOT be considered as justification. It is important to note that previous flight programmes where the Material, Mechanical Part or Process has been used for the same application, or qualification test, under the same, or worse, environmental conditions is required as justification for use on LISA Pathfinder. All Materials, Mechanical Parts and Process Lists shall be submitted for consolidation across the programme, hence the use of the ESA software. In the Declared lists, Materials, Mechanical Parts and Processes shall be classified and grouped together in accordance with the exact classification / identification that is given in AD 21. This requirement is essential for full electronic consolidation to be carried out. The QSL will be used to track, record and periodically report on the status of all deliverable items and the progress of any Qualification Programmes.


Issue: 05 of 58


01x00384.doc

8 SOFTWARE PRODUCT ASSURANCE

All software requirements are defined in Software Requirements Specification, AD 7, which is based on the ECSS document RD 3; RD 3 may be used as a guide when producing the organisation’s Software PA Plan. 9 CONFIGURATION AND DOCUMENT MANAGEMENT (CADM)

AD 11 shall apply to the Sub-Contractors Configuration Management, using RD 2 as a guiding document. The Sub-Contractor Configuration Management organisation, disciplines and procedures shall guarantee an effective control over the design and built definition of all deliverable systems, equipments, units and their related software, including Electrical, Optical and Mechanical ground support equipments, from the initial definition throughout the entire life cycle of the project. Consequently, each Sub-Contractor shall submit a CADM plan to comply with the requirements of AD 11 for LISA Pathfinder, and may use RD 4 for further guidance. The Sub-Contractor shall establish, implement and operate an efficient change control system by which any change or limited relaxation to configuration identification of a Configured Item after formal establishment of its baseline will be identified, evaluated, classified, justified, approved and implemented or rejected throughout the complete project life cycle. The change control process may be an annex of Configuration Management Plan; each Sub-Contractor shall be responsible for the configuration reconciliation of each deliverable Configured Item unit, that is:

�� The comparison between the approved design standard and the “as-built and tested” configuration, and the reconciliation of any differences by means of approved waivers or change proposals.

�� The comparison between the different delivered models.


Issue: 05 of 58


01x00384.doc

10 GROUND SUPPORT EQUIPMENT (GSE) – EGSE & MGSE

This PA Requirements Document shall be made applicable to Mechanical Ground Support Equipment (MGSE) and Electrical Ground Support Equipment (EGSE) (grouped together as GSE) to the extent necessary to ensure the hardware meets legislative requirements, design definition and does not propagate contamination or failures to flight hardware. 10.1 GSE Product Assurance

In addition to Development, Qualification and Flight hardware, PA Reporting activity shall cover GSE, and rights of access will apply as detailed in this document. All GSE will be subject to a design review process, although the detail required should be suitable for the purpose of the equipment. 10.2 GSE Quality Assurance

GSE will be subject to Non-Conformance Management to the extent necessary to understand the ‘as-built’ condition. NCR’s will be considered minor except in the instance where there is a direct impact on Flight Hardware interfacing (including cleanliness and functional performance) or schedule impact to deliverables. These will be considered major and include customer involvement (to the level who specified the requirement) in agreeing the disposition via an MRB. Should a customer, interfacing, operational requirement not be met, the waiver process detailed in section 2.12.2 will apply. 10.3 GSE Materials Control

Materials will be selected such that they will not contaminate, when in direct contact or close proximity to, Flight hardware; consequently, materials that are used in vacuum with Flight hardware will be subject to the Out-Gassing requirements shown in section 7.3.1. 10.4 GSE Dependability

Dependability Analyses shall apply to interfacing aspects of the GSE to flight hardware; a FMECA will be undertaken on the interface detail. The analysis shall ensure that faults do not propagate through the interface and cause damage to the flight equipment and shall include software. Any failure mode identified will also ‘fail safe’. Parts that have a long procurement lead-times shall be considered critical items and reported through the Critical Items List; they will managed to ensure that should such a part fail during a Qualification / Flight test campaign, sufficient spares exist to perform a repair without significant impact to the test schedule. 10.5 GSE EEE Parts

Components selected for GSE may be of ‘MIL’ standard (suggest commercial except for critical interface circuits) as a minimum; those components used in vacuum with flight hardware shall also meet the Materials Control clause shown above,10.3. Provided the quality level can be proven and traceable, it is acceptable to use existing stock of ‘MIL’ or ‘space flight’ standard components.


Issue: 05 of 58


01x00384.doc

10.6 GSE Configuration Management

Configuration Management will apply to the extent that the design definition of the GSE is understood to perform the various tasks within this section. A CIDL will be presented specifying the design at the time of the relevant review. This will be updated to an ‘as-built’ definition, containing relevant NCR’s and Waivers against the respective design criteria. The purpose of this approach is that the hardware is sufficiently understood that should a failure occur, the cause can be determined and rectified in as short a time period as possible. Furthermore, should repeat builds be necessary, then sufficient information exists to ensure the resulting hardware exhibits the same interface and functional characteristics of the original, accepted design. 11 PRODUCT LIABILITY

All products and equipment(s) delivered to EADS Astrium, whether a single item or a system, must comply with all applicable UK and European Legislation, specifically with regard to Health and Safety. As a minimum all ground based (EGSE/MGSE) products and equipment(s), where applicable, must have a CE Mark. As required by UK and European Law, a ‘Declaration of Conformity’ (DoC) shall accompany all CE marked products and equipments; furthermore, the DoC must reference all applicable European Directives and also the Standards applied in order to prove compliance. Safety Engineering, as specified in section 5, shall apply and Safety Non-Compliance Control shall be performed. Safety critical electrical components must have independent third party approval, for example (but not limited to) BEAB, VDE, GS, or UL. Telephones and associated equipment must have BABT approval. All products and equipment(s) containing voltages between 50V-1000V AC and 75V-1500V DC must comply with the ‘essential requirements’ of the Low Voltage Directive (LVD) 73/23/EEC. The preferred standard to show compliance with the LVD is EN 60950 (latest issue). All products and equipment(s), where applicable, must as a minimum comply with the ‘essential requirements’ of the EMC Directive 89/336/EEC. Where military EMC standards are quoted, such as MIL STD 461 E or DEF STAN 59-41, the supplier shall demonstrate the compliance of products and equipment(s) to the quoted standards, by presentation of test results of the finished equipment/system. Before starting any such test work, the supplier shall provide a ‘test plan’ to demonstrate how EMC compliance will be demonstrated to Astrium. All products and equipment(s) must be suitable for the appropriate environmental conditions in which they will be used; in particular, all external electrical equipment must be suitably protected and of the appropriate IP (Ingress Protection) rating.


Issue: 05 of 58


01x00384.doc

12 PRODUCT ASSURANCE DOCUMENT REQUIREMENTS

12.1 Sub-Contractor PA plan

The Sub-Contractor PA plan shall describe the overall PA programme including reliability, quality, safety, parts, materials and software; it shall include:

�� Statement of policy �� Product Assurance Organisation �� Schedule �� Documentation �� Reporting �� A Key Inspection Point and Mandatory Inspection Point (KIP & MIP) policy detailing criteria for

KIP’s and MIP’s. �� Non-Conformance Control and Reporting �� Cleanliness and Contamination Control �� Critical Items Control Programme �� Reliability inputs/planning �� Safety inputs/planning �� EEE Control Plan �� Software PA plan (if not a self standing document) �� Compliance matrix against this set of requirements (preferably as a separate document) �� Information Flow plan including:

o Task Definition o Activity Network o Data Exchange

12.2 End Item Data Pack

12.2.1 General

A complete copy of a deliverable items EIDP shall be submitted to Astrium and ESA at least five (5) working days prior to the Delivery Review (final updates may be given at the review) in accordance with the statement of work for the Sub-Contract. The EIDP content is subject to Astrium approval. 12.2.2 Content

The EIDP is a collection of the data related to the manufacturing, assembly, integration and test of a deliverable configuration item. It shall constitute the basis to support the acceptance of the product. A paper copy shall always accompany the Hardware and / or Software. The following subjects in the form of documents shall constitute the EIDP:

�� Content of EIDP. �� Statement of Compliance / Certificate of Conformance �� List of deliverable items (hardware and paperwork) including loose & spare items and any

GSE. �� CE certificate of compliance (‘Declaration of Conformity’) and relevant Safety Assessments �� List Temporary installations, Open or Deferred Work �� ‘Red Flag’ Items List (any items that should be removed just prior to formal test and launch) �� Operating and Maintenance Manuals, including operational constraints and relevant safety

issues �� Packing, Handling and Shipping Instructions, including safety specific instructions/warnings �� Configured Item Data List (CIDL) and As-Built Configuration List (including software) �� Interface Control Drawings and Documents �� Verification Control Matrix


Issue: 05 of 58


01x00384.doc

�� Copies of MRB close out summary (cross referencing pertinent documentation), copies of major NCR’s, open Waivers and a status list of all waivers and all NCR’s

�� High Level Inspection Reports (final MIP & TRR undertaken prior to test campaign and TRB minutes, if separate meeting)

�� Test reports and records (including ‘as-run’ test plan) �� Hazard Analysis and Safety Assessment �� Proof Load Certificates, as applicable. �� Flight Hardware Log Book, as applicable* �� Cleanliness Report/Certificate �� Review and statement concerning Limited Life Items �� Authorise shipment (DRB Minutes)

During the DRB, the following will also be reviewed: -

�� Qualification status list �� Review of relevant change proposals and confirmation of their implementation �� Evaluation of project actions and confirmation of their closure, or otherwise, that may affect

delivery. �� Review of Critical Items List

(*) A logbook shall be delivered with each end item identifying the chronological sequence of operations, including tests performed on the unit, starting at least from the beginning of the first acceptance test sequence.


Issue: 05 of 58


01x00384.doc

13 ANNEX

Note: Electronic copies of the following forms can be made available on request.


Issue: 05 of 58


01x00384.doc

13.1 Request For Waiver Form


Issue: 05 of 58


01x00384.doc

13.2 Parts Approval Document (PAD)

13.2.1 Page 1 of PAD


Issue: 05 of 58


01x00384.doc

13.2.2 Page 2 of PAD


Issue: 05 of 58


01x00384.doc

13.2.3 Guidance Notes for PAD


Issue: 05 of 58


01x00384.doc

13.3 Format for ALL Compliance Matrices

Requirement Document Title, Number and Issue to which Compliance Matrix applies

Unique Req. ID

Section / Sub-Section No Requirement Compliance

Statement Remarks and Justifications

See Note 1 See Note 2 See Note 3 See Note 4 See Note 5

Notes:

1. A unique identification number identifies all LISA Pathfinder Engineering and Technical Requirements; where the compliance matrix applies to such requirements, this number shall be reflected in this column.

2. The requirement document section or sub-section number shall be reflected here. 3. The first few words of the requirement shall be written here; it should be borne in mind that several

requirements may be specified within a sub-section and / or paragraph of a document. 4. Statement of Compliance: -

H: ‘Header’; forms the title of the section/sub-section. S: ‘Statement’: the Bidder / Sub-Contractor does not infer any requirement within the

section of the text indicated. C: ‘Compliant’. PC: ‘Partially Compliant’. NC: ‘Non-Compliant’.

5. The Bidder / Sub-Contractor must justify their compliance statement: – PC: the Bidder / Sub-Contractor shall detail in which manner they are or are not compliant

with the requirement. This shall be used to determine the degree of ‘compliancy’ of a Bidder / Sub-Contractor to a specific requirement.

NC: the Bidder / Sub-Contractor shall specify why they intend to be non-compliant to a requirement and may detail an alternative in the form of a remark.

C: Where the Bidder / Sub-Contractor has specified compliancy to a requirement, they should add a remake to justify the statement and provide any further information that may assist their position. This information may be confirmed during subsequent phases.

Header Rows to repeat on each page of the Compliance Matrix


Issue: 05 of 58


01x00384.doc

Intentionally blank


Issue: 05 of 58


01x00384.doc

CHANGE RECORD

ISSUE CHANGE AUTHORITY RELEVANT INFORMATION / INSTRUCTIONS

01 - Initial Issue for review

02 S2CA008 Issued following SRR actions and updates as a result of re-issue of ESA’s PA Requirements and Astrium’s PA Plan

03 S2CA028 Updated following further discussion and clarification with ESA

04 S2CA036 Updated following CPPA and Internal review of documentation

05 S2CA038 Update following final review prior to release for CPPA ITT

DISTRIBUTION LIST

Internal External

G. Adams M. Kasper ESA

CADM