EN ISO 14620-1:2002

SLOVENSKI STANDARD
01-maj-2004
Space systems - Safety requirements - Part 1: System safety (ISO 14620-1:2002)
Space systems - Safety requirements - Part 1: System safety (ISO 14620-1:2002)
Raumfahrtsysteme - Sicherheitsanforderungen - Teil 1: Systemsicherheit (ISO 14620-
1:2002)
Systemes spatiaux - Exigences de sécurité - Partie 1: Sécurité systeme (ISO 14620-
1:2002)
Ta slovenski standard je istoveten z: EN ISO 14620-1:2002
ICS:
49.140 Vesoljski sistemi in operacije Space systems and
operations
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN ISO 14620-1
NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2002
ICS 49.140
English version
Space systems - Safety requirements - Part 1: System safety
(ISO 14620-1:2002)
Systèmes spatiaux - Exigences de sécurité - Partie 1: Raumfahrtsysteme - Sicherheitsanforderungen - Teil 1:
Sécurité système (ISO 14620-1:2002) Systemsicherheit (ISO 14620-1:2002)
This European Standard was approved by CEN on 24 June 2002.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national
standards may be obtained on application to the Management Centre or to any CEN member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN member into its own language and notified to the Management Centre has the same status as the official
versions.
CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece,
Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36  B-1050 Brussels
© 2002 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 14620-1:2002 E
worldwide for CEN national Members.

Contents
page
Foreword.5
Introduction .6
1 Scope .6
1.1 General.6
1.2 Field of application .7
1.3 Tailoring.7
2 Normative references .7
3 Terms, definitions and abbreviated terms .7
3.1 Terms and definitions.7
3.2 Abbreviated terms .12
4 System safety programme.12
4.1 Scope .12
4.2 Safety organization.13
4.2.1 General.13
4.2.2 Safety representative.13
4.2.3 Reporting lines.13
4.2.4 Safety integration.13
4.2.5 Coordination with others .13
4.3 Safety representative access and authority.13
4.3.1 Access.13
4.3.2 Delegated authority to reject - stop work.13
4.3.3 Delegated authority to interrupt operations.13
4.3.4 Conformance.13
4.3.5 Approval of reports.14
4.3.6 Review.14
4.3.7 Representation on boards .14
4.4 Safety risk management.14
4.4.1 Risks.14
4.4.2 Hazard assessment .14
4.4.3 Preferred measures .14
4.5 Project phases and safety review cycle .14
4.5.1 Progress meetings.14
4.5.2 Project reviews.15
4.5.3 Safety programme review .17
4.5.4 Safety data package .17
4.6 Safety programme plan .17
4.6.1 Implementation.17
4.6.2 Safety activities.17
4.6.3 Definition.17
4.6.4 Description .18
4.6.5 Safety and project engineering activities.18
4.6.6 Supplier and sub-supplier premises.18
4.6.7 Conformance.18
4.7 Safety certification.18
4.8 Safety training .18
4.8.1 Overall training.18
4.8.2 Participation .19
4.8.3 Detailed technical training .19
4.8.4 Product specific training.19
4.8.5 Records.19
4.8.6 Identification.19
4.9 Accident/incident reporting and investigation .19
4.10 Safety documentation .19
4.10.1 General.19
4.10.2 Customer access .19
4.10.3 Supplier review .19
4.10.4 Documentation.20
4.10.5 Safety data package .20
4.10.6 Safety deviations and waivers.20
4.10.7 Verification tracking log.21
4.10.8 Lessons-learned file .21
5 Safety engineering.21
5.1 Safety engineering policy .21
5.1.1 General.21
5.1.2 Elements.21
5.1.3 Lessons learned.22
5.2 Safety design principles .22
5.2.1 Human life consideration.22
5.2.2 Design selection .22
5.2.3 System safety order of precedence.22
5.2.4 Environmental compatibility.23
5.2.5 Safe without services .23
5.2.6 Fail safe design.23
5.2.7 Hazard detection - Signalling and safing .23
5.2.8 Access .24
5.3 Safety risk reduction and control.24
5.3.1 Severity .24
5.3.2 Failure tolerance requirements .26
5.3.3 Design for minimum risk.27
5.3.4 Probabilistic safety targets.27
5.4 Identification and control of safety critical functions.28
5.4.1 Identification.28
5.4.2 Inadvertent operation .28
5.4.3 Provisions.28
5.4.4 Safe shutdown and failure tolerance requirements.28
5.4.5 Electronic, electrical, electromechanical .28
6 Safety analysis requirements and techniques .29
6.1 General.29
6.2 Assessment and allocation of requirements .29
6.2.1 Safety requirements .29
6.2.2 Additional safety requirements.29
6.2.3 Define safety requirements - functions .29
6.2.4 Define safety requirements - subsystems .29
6.2.5 Justification.29
6.2.6 Functional and subsystem specification .30
6.3 Safety analysis.30
6.3.1 General.30
6.3.2 Mission analysis .30
6.3.3 Feasibility .30
6.3.4 Preliminary definition .30
6.3.5 Detailed definition, production and qualification .30
6.3.6 Utilization.30
6.3.7 Disposal .30
6.4 Specific safety analysis .30
6.4.1 General.30
6.4.2 Hazard analysis.31
6.4.3 Safety risk assessment .31
6.4.4 Safety analysis for hardware-software systems .32
6.5 Supporting assessment and analysis .32
6.5.1 General.32
6.5.2 Warning time analysis .32
6.5.3 Caution and warning analysis .33
6.5.4 Common cause and common mode failure analysis.33
6.5.5 Fault tree analysis.34
6.5.6 Human dependability analysis .34
6.5.7 Failure modes, effects and criticality analysis .34
6.5.8 Sneak analysis .34
6.5.9 Zonal analysis .35
6.5.10 Energy trace analysis .35
7 Safety verification .35
7.1 General.35
7.2 Tracking of hazards .36
7.2.1 Hazard reporting system.36
7.2.2 Status .36
7.2.3 Safety progress meeting.36
7.2.4 Review and disposition.36
7.2.5 Documentation.36
7.2.6 Mandatory inspection points.36
7.3 Safety verification methods.36
7.3.1 Verification engineering and planning .36
7.3.2 Methods and reports .36
7.3.3 Verification requirements.37
7.3.4 Analysis .37
7.3.5 Inspections .37
7.3.6 Tests.37
7.3.7 Verification and approval.37
7.4 Qualification of safety critical functions .37
7.4.1 Validation.37
7.4.2 Qualification .37
7.4.3 Failure tests.38
7.4.4 Verification of design or operational characteristics.38
7.4.5 Safety verification testing .38
7.5 Hazard close-out .38
7.5.1 Safety assurance verification .38
7.5.2 Safety approval authority.38
7.6 Residual risk reduction .38
8 Operational safety.39
8.1 Basic requirements.39
8.2 Flight operations and mission control .39
8.2.1 Launcher operations .39
8.2.2 Contamination.39
8.2.3 Flight rules.39
8.2.4 Hazardous commanding control.39
8.2.5 Mission operation change control .40
8.2.6 Safety surveillance and anomaly control .40
8.3 Ground operations.40
8.3.1 Applicability.40
8.3.2 Initiation .40
8.3.3 Review and inspection .40
8.3.4 Hazardous operations .40
8.3.5 Launch and landing site requirements.41
8.3.6 GSE requirements.41
Bibliography .42
Foreword
This document EN ISO 14620-1:2002 has been prepared by Technical Committee CEN/SS T02 "Aerospace", the
secretariat of which is held by CMC, in collaboration with Technical Committee ISO/TC 20 "Aircraft and space
vehicles".
This European Standard shall be given the status of a national standard, either by publication of an identical text or
by endorsement, at the latest by June 2003, and conflicting national standards shall be withdrawn at the latest by
June 2003.
The European Standard EN ISO 14620-1 was prepared by the European Cooperation for Space Standardization
(ECSS) Product Assurance Working Group for CEN in close collaboration with ISO Technical Committee
ISO/TC 20, Aircraft and space vehicles, Subcommittee SC 14, Space systems and operations, WG 5, Program
management.
EN ISO 14620 consists of the following parts, under the general title Space systems — Safety requirements:
 Part 1: System safety
 Part 2: Launch site operations
According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to implement this European Standard: Austria, Belgium, Czech Republic, Denmark, Finland,
France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Spain,
Sweden, Switzerland and the United Kingdom.
Introduction
This European Standard is one of the series of space standards intended to be applied together for the
management, engineering and product assurance in space projects and applications.
1 Scope
1.1 General
This European Standard defines the safety programme and the technical safety requirements that are implemented
in order to comply with the safety policy as defined in ISO 14300-2. It is intended to protect flight and ground
personnel, the launch vehicle, associated payloads, ground support equipment, the general public, public and
private property, and the environment from hazards associated with space systems. Launch site operations are
described by ISO 14620-2.
The safety policy is applied by implementing a system safety programme, supported by risk assessment, which can
be summarized as follows:
a) hazardous characteristics (system and environmental hazards) and functions with potentially hazardous failure
effects are identified and progressively evaluated by iteratively performing systematic safety analyses;
b) the potential hazardous consequences associated with the system characteristics and functional failures are
subjected to a hazard reduction sequence whereby:
1) hazards are eliminated from the system design and operations;
2) hazards are minimized;
3) hazard controls are applied and verified.
c) the risks that remain after the application of a hazard elimination and reduction process are progressively
assessed and subjected to risk assessment, in order to:
1) show compliance with safety targets;
2) support design trades;
3) identify and rank risk contributors;
4) support apportionment of project resources for risk reduction;
5) assess risk reduction progress;
6) support the safety and project decision-making process (e.g. waiver approval, residual risk
acceptance).
d) the adequacy of the hazard and risk control measures applied are formally verified in order to support safety
validation and risk acceptance;
e) safety compliance is assessed by the project and safety approval obtained from the relevant authorities.
1.2 Field of application
This European Standard is applicable to all space projects where during any project phase there exists the
potential for hazards to personnel or the general public, space flight systems, ground support equipment, facilities,
public or private property, or the environment.
The imposition of these requirements on the project suppliers’ activities requires that the customer’s project product
assurance and safety organization also respond to these requirements in a manner which is commensurate with
the project’s safety criticality.
1.3 Tailoring
When viewed from the perspective of a specific programme or project context, the requirements defined in this
European Standard should be tailored to match the genuine requirements of a particular profile and circumstances
of a programme or project.
NOTE Tailoring is the process by which individual requirements of specifications, standards and related documents are
evaluated, and made applicable to a specific programme or project by selection, and in some exceptional cases, modification of
existing or addition of new requirements.
2 Normative references
This European Standard incorporates by dated or undated reference, provisions from other publications. These
normative references are cited at the appropriate places in the text, and the publications are listed hereafter. For
dated references, subsequent amendments to or revisions of any of these publications apply to this European
Standard only when incorporated in it by amendment or revision. For undated references the latest edition of the
publication referred to applies (including amendments).
ISO 14300-1, Space systems – Programme management – Part 1: Structuring of a programme.
ISO 14300-2, Space systems – Programme management – Part 2: Product assurance.
ISO 14620-2, Space systems – Safety requirements – Part 2: Launch site operations.
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
For the purposes of this European Standard, the following terms and definitions apply.
3.1.1
accident
undesired event arising from operation of any project-specific items which results in:
a) human death or injury;
b) loss of, or damage to, hardware, software or facilities which could then affect the accomplishment of the
mission;
c) loss of, or damage to, public or private property; or
d) detrimental effects on the environment
[EN 13701:2001]
NOTE Accident and mishap are synonymous.
3.1.2
cause
that which produces an effect; that which gives rise to any action, phenomenon or condition
NOTE 1 Cause and effect are correlative terms (Oxford English Dictionary).
NOTE 2 Specific to this European Standard, cause, when used in the context of hazard analysis, is the action or condition by
which a hazardous event is initiated (an initiating event). The cause can arise as the result of failure, human error, design
inadequacy, induced or natural environment, system configuration or operational mode(s).
NOTE 3 Adapted from EN 13701:2001.
3.1.3
caution condition
condition which has the potential to degrade into a warning condition, and which might require specific action,
including the implementation of special procedures or restrictions on the operation of the system
[EN 13701:2001]
3.1.4
common cause failure
failure of multiple items occurring from a single cause which is common to all of them
[NUREG/CR-2300 PRA:1982]
3.1.5
common mode failure
failure of multiple identical items that fail in the same mode
NOTE 1 Common mode failures are a particular case of common cause failures.
NOTE 2 Adapted from NUREG/CR-2300 PRA:1982.
3.1.6
contingency procedure
pre-planned procedure to be executed in response to a departure from specified behaviour
[EN 13701:2001]
3.1.7
critical fault
fault which is assessed as likely to result in injury to persons, significant material damage, or other unacceptable
consequences
[IEC 60050:1992]
3.1.8
emergency
condition when potentially catastrophic or critical hazardous events have occurred, where immediate and pre-
planned safing action is possible and is mandatory in order to protect personnel
NOTE Adapted from EN 13701:2001.
3.1.9
fail safe
design property of an item which prevents its failures from resulting in critical faults
[IEC 60050:1992]
3.1.10
failure
termination of the ability of an item to perform a required function
[IEC 60050:1992]
3.1.11
fault, noun
the state of an item characterized by inability to perform as required, excluding the inability during
preventative maintenance or other planned actions, or due to lack of external resources
NOTE 1 A fault is often the result of a failure of the item itself, but can exist without prior failure.
NOTE 2 Adapted from IEC 60050:1992.
3.1.12
fault, noun
an unplanned occurrence or defect in an item which may result in one or more failures of the item itself or
of other associated equipment
[IEC 60050:1992]
NOTE An item may contain a sub-element fault, which is a defect that can manifest itself only under certain circumstances.
When those circumstances occur, the defect in the sub-element will cause the item to fail, resulting in an error. This error can
propagate to other items causing them, in turn, to fail. After the failure occurs, the item as a whole is said to have a fault or to be
in a faulty state [definition 3.1.11 above].
[EN 13701:2001]
3.1.13
hazard
existing or potential condition of an item that can result in a mishap
NOTE This condition can be associated with the design, fabrication, operation or environment of the item, and has the
potential for mishaps.
[ISO 14620-2]
3.1.14
hazardous event
occurrence leading to undesired consequences and arising from the triggering by one (or more) initiator events of
one (or more) hazards
NOTE Adapted from EN 13701:2001.
3.1.15
incident
unplanned event that could have been an accident but was not
[EN 13701:2001]
3.1.16
inhibit
a design feature that provides a physical interruption between an energy source and a function actuator
EXAMPLE A relay or transistor between a battery and a pyrotechnic initiator, a latch valve between a propellant tank and
thruster.
NOTE 1 Two inhibits are independent if no single failure can eliminate more than one inhibit.
NOTE 2 Adapted from EN 13701:2001.
3.1.17
operator error
failure of an operator to perform an action as required or trained or the inadvertent or incorrect action of an operator
3.1.18
organization
group of people and facilities with an arrangement of responsibilities, authorities and relationships
EXAMPLE Company, corporation, firm, enterprise, institution, charity, sole trader, association, or parts or
combination thereof.
NOTE 1 The arrangement is generally orderly.
NOTE 2 An organization can be public or private.
NOTE 3 This definition is valid for the purposes of quality management system standards. The term "organization" is defined
differently in ISO/IEC Guide 2.
[EN ISO 9000:2000]
3.1.19
programme
coordinated set of activities, not necessarily interdependent, that continue over a period of time and are designed
to accomplish broad scientific or technical goals or increased knowledge in a specific subject
EXAMPLE The defence programme; The Apollo programme; Earth observation programme; Manned space and
mirogravity programme.
NOTE 1 A programme can comprise several projects.
NOTE 2 A programme can last several years.
NOTE 3 "program" is American Standard English spelling for "programme".
NOTE 4 "program" is British Standard English for 'a series of coded instructions to control the operation of a computer or
other machine' – Oxford English Dictionary.
3.1.20
project
unique set of coordinated activities, with definite starting and finishing points, undertaken by an individual or
organization to meet specific objectives within defined schedule, cost and performance parameters
[BS 6079:1996]
3.1.21
purchaser
customer in a contractual situation
NOTE The purchaser is sometimes referred to as the "business second party".
3.1.22
residual risk
risk remaining in a system after completion of the hazard reduction and control process
[EN 13701:2001]
3.1.23
risk
quantitative measure of the magnitude of a potential loss and the probability of incurring that loss
[EN 13701:2001]
3.1.24
safe state
state that does not lead to critical or catastrophic consequences
3.1.25
safety critical function
function that, if lost or degraded, or as a result of incorrect or inadvertent operation, would result in catastrophic or
critical consequences
NOTE Adapted from EN 13701:2001.
3.1.26
safing
action of containment or control of emergency and warning situations or placing a system (or part thereof) in a
predetermined safe condition
NOTE Adapted from EN 13701:2001.
3.1.27
supplier
organization or person that provides a product
EXAMPLE Producer, distributor, retailer or vendor of a product, or provider of a service or information.
NOTE 1 A supplier can be internal or external to the organization.
NOTE 2 In a contractual situation a supplier is sometimes called "contractor".
[EN ISO 9000:2000]
3.1.28
system
set of interdependent elements constituted to achieve a given objective by performing a specified function
NOTE The system is considered to be separated from the environment and other external systems by an imaginary
surface which cuts the links between them and the considered system. Through these links, the system is affected by the
environment, is acted upon by the external systems, or acts itself on the environment or the external systems.
[IEC 60050:1992]
3.1.29
system safety
application of engineering and management principles, criteria, and techniques to optimize all aspects of safety
within the constraints of operational effectiveness, time, and cost throughout all phases of the system life cycle
3.1.30
warning condition
condition where potentially catastrophic or critical hazardous events are imminent and where pre-planned safing
action is required within a limited time
NOTE Adapted from EN 13701:2001.
3.1.31
zonal analysis
systematic inspection of the geographical locations of the components and interactions of a system, evaluation of
potential subsystem-to-subsystem interactions with and without failure, and assessment of the severity of potential
hazards inherent in the system installation.
3.2 Abbreviated terms
The following abbreviated terms are used within this European Standard.
Abbreviation Meaning
CCB configuration control board
ECSS European Cooperation for Space Standardization
EEE electronic, electrical, electromechanical
FMECA failure modes, effects and criticality analysis
FTA fault free analysis
GEO geostationary orbit
GSE ground support equipment
IEC International Electrotechnical Commission
LEO low Earth orbit
MIL STD military standard (US Department of Defense)
MIP mandatory inspection point
NRB nonconformance review board
NUREG-CR US Nuclear Regulatory Commission contractor report
TRB test review board
VTL verification tracking log
4 System safety programme
4.1 Scope
a) The scope and content of the safety programme is to establish a safety management system to implement
provisions of this European Standard commensurate with the programme requirements.
b) The system safety programme should be tailored by the customer in accordance with the type of project, safety
criticality, complexity, and phase of development in accordance with the requirements of ISO 14300-1 and ISO
14300-2.
1) The supplier shall establish and maintain a system safety programme.
2) The supplier shall apply launch site and launch vehicle safety requirements regulations as defined in
the project requirements to support efficient and effective achievement of system safety objectives.
3) The appropriate system safety programme requirements of this European Standard shall be applied for
the implementation of the applicable launch site and launch vehicle requirements and regulations.
c) Compli
...