Space engineering - Interface requirements for electrical actuators

In general terms, the scope of the consolidation of the electrical interface
requirements for electrical (hold down and release or deployment) actuators in
the present ECSS-E-ST-20-21 and the relevant explanation in the handbook
ECSS-E-HB-20-21 is to allow a more recurrent approach both for actuator
electronics (power source) and electrical actuators (power load) offered by the
relevant manufacturers, at the benefit of the system integrators and of the
Agency, thus ensuring:
• better quality,
• stability of performances, and
• independence of the products from specific mission targets.
A recurrent approach enables manufacturing companies to concentrate on
products and a small step improvement approach that is the basis of a high
quality industrial output.

Raumfahrttechnik - Anforderungen an Schnittstellen für elektrische Aktuatoren

This activity will be the joint development of EN 16603-20-21.
This standard identifies the requirements needed to specify, procure or develop the electronics needed for driving release actuators (bot explosive like pyros or nonexplosive like thermal knives) and gives the relevant electrical interface specification, both from source and load perspective.

Ingénierie spatiale - Exigences d'interface pour les actuateurs électriques

D’une manière générale, la consolidation des exigences en matière d'interface électrique pour les actionneurs électriques (à maintien et à déclenchement, ou à déploiement) dans l'actuelle ECSS-E-ST-20-21 et l’explication correspondante qui en est faite dans le manuel ECSS-E-HB-20-21 ont pour but de permettre une approche plus récurrente tant pour les électroniques d’actionneurs (alimentation) que pour les actionneurs électriques (charge) proposés par les fabricants concernés, dans l’intérêt des intégrateurs de système et de l'Agence, assurant ainsi :
- une meilleure qualité ;
- la stabilité des performances ; et
- l’indépendance des produits par rapport à des objectifs de mission spécifiques.
Une approche récurrente permet aux entreprises de fabrication de se concentrer sur les produits et d’adopter une approche d’amélioration par petites étapes à la base d’une production industrielle de haute qualité.

Vesoljska tehnika - Zahteve vmesnika za električne pogone

General Information

Status
Published
Public Enquiry End Date
27-Nov-2019
Publication Date
21-Jun-2020
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
18-Jun-2020
Due Date
23-Aug-2020
Completion Date
22-Jun-2020

Buy Standard

Standard
EN 16603-20-21:2020
English language
37 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Draft
prEN 16603-20-21:2019
English language
37 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST EN 16603-20-21:2020
01-september-2020
Vesoljska tehnika - Zahteve vmesnika za električne pogone
Space engineering - Interface requirements for electrical actuators
Raumfahrttechnik - Anforderungen an Schnittstellen für elektrische Aktuatoren
Ingénierie spatiale - Exigences d'interface pour les actuateurs électriques
Ta slovenski standard je istoveten z: EN 16603-20-21:2020
ICS:
49.140 Vesoljski sistemi in operacije Space systems and
operations
SIST EN 16603-20-21:2020 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN 16603-20-21:2020

---------------------- Page: 2 ----------------------
SIST EN 16603-20-21:2020


EUROPEAN STANDARD
EN 16603-20-21

NORME EUROPÉENNE

EUROPÄISCHE NORM
June 2020
ICS 49.140

English version

Space engineering - Interface requirements for electrical
actuators
Ingénierie spatiale - Exigences d'interface pour les Raumfahrttechnik - Anforderungen an Schnittstellen
actionneurs électriques für elektrische Aktuatoren
This European Standard was approved by CEN on 24 May 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.






















CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN 16603-20-21:2020 E
reserved worldwide for CEN national Members and for
CENELEC Members.

---------------------- Page: 3 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
Table of contents
European Foreword . 4
Introduction . 5
Scope . 6
Normative references . 7
Terms, definitions and abbreviated terms . 8
3.1 Terms from other standards . 8
3.2 Terms specific to the present standard . 8
3.3 Abbreviated terms. 10
3.4 Nomenclature . 10
Principles . 11
4.1 Standard assumptions . 11
4.2 Verification . 11
Requirements . 12
5.1 Functional general interface requirements . 12
5.1.1 General . 12
5.1.2 Reliability . 12
5.2 Functional source interface requirements . 13
5.2.1 General . 13
5.2.2 Reliability . 13
5.2.3 Commands . 14
5.2.4 Telemetry . 15
5.3 Functional load interface requirements . 16
5.3.1 General . 16
5.3.2 Reliability . 16
5.4 Performance general interface requirements . 16
5.4.1 General . 16
5.5 Performance source interface requirements . 17
5.5.1 General . 17
5.5.2 Reliability . 17
2

---------------------- Page: 4 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
5.5.3 Telemetry . 18
5.5.4 Recurrent products. 18
5.6 Performance load interface requirements . 18
5.6.1 General . 18
5.6.2 Reliability . 19
5.6.3 Recurrent products. 19
Annex A (informative) Requirements mapping . 20
Bibliography . 37

Tables
Table A-1 : Functional general requirements list . 21
Table A-2 : Functional source requirements list . 23
Table A-3 : Functional load requirements list . 30
Table A-4 : Performance general requirements list . 31
Table A-5 : Performance source requirements list . 32
Table A-6 : Performance load requirements list . 35

3

---------------------- Page: 5 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
European Foreword
This document (EN 16603-20-21:2020) has been prepared by Technical
Committee CEN/CLC/TC 5 “Space”, the secretariat of which is held by DIN.
This standard (EN 16603-20-21:2020) originates from ECSS-E-ST-20-21C.
This European Standard shall be given the status of a national standard, either
by publication of an identical text or by endorsement, at the latest by December
2020, and conflicting national standards shall be withdrawn at the latest by
December 2020.
Attention is drawn to the possibility that some of the elements of this document
may be the subject of patent rights. CEN [and/or CENELEC] shall not be held
responsible for identifying any or all such patent rights.
This document has been prepared under a standardization request given to
CEN by the European Commission and the European Free Trade Association.
This document has been developed to cover specifically space systems and has
therefore precedence over any EN covering the same scope but with a wider
domain of applicability (e.g. : aerospace).
According to the CEN-CENELEC Internal Regulations, the national standards
organizations of the following countries are bound to implement this European
Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United
Kingdom.
4

---------------------- Page: 6 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
Introduction
This standard identifies the requirements needed to specify, procure or develop
the electronics needed for driving release actuators (bot explosive like
pyrotechnic devices or non-explosive like thermal knives) and gives the
relevant electrical interface specification, both from source and load
perspective.
The present standard covers explosive or non-explosive actuators electronics
required to comply with single fault tolerance with respect to actuation success.
For a reference architecture description, it is possible to refer to ECSS-E-HB-20-21.
ECSS-E-HB-20-21 includes a clarification of the principles of operation of the
actuator electronics, identifies important issues related to actuators and
explains the requirements of the present standard.
5

---------------------- Page: 7 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)

Scope
In general terms, the scope of the consolidation of the electrical interface
requirements for electrical (hold down and release or deployment) actuators in
the present ECSS-E-ST-20-21 and the relevant explanation in the handbook
ECSS-E-HB-20-21 is to allow a more recurrent approach both for actuator
electronics (power source) and electrical actuators (power load) offered by the
relevant manufacturers, at the benefit of the system integrators and of the
Agency, thus ensuring:
• better quality,
• stability of performances, and
• independence of the products from specific mission targets.
A recurrent approach enables manufacturing companies to concentrate on
products and a small step improvement approach that is the basis of a high
quality industrial output.
6

---------------------- Page: 8 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)

Normative references
The following normative documents contain provisions which, through
reference in this text, constitute provisions of this ECSS Standard. For dated
references, subsequent amendments to, or revision of any of these publications
do not apply. However, parties to agreements based on this ECSS Standard are
encouraged to investigate the possibility of applying the more recent editions of
the normative documents indicated below. For undated references, the latest
edition of the publication referred to applies.

EN reference Reference in text Title
EN 16601-00-01 ECSS-S-ST-00-01 ECSS system - Glossary of terms
EN 16602-30-02 ECSS-Q-ST-30-02 Space product assurance - Failure modes, effects (and
criticality) analysis (FMEA/FMECA)
EN 16603-33-11 ECSS-E-ST-33-11 Space engineering - Explosive subsystems and devices
7

---------------------- Page: 9 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)

Terms, definitions and abbreviated terms
3.1 Terms from other standards
a. For the purpose of this document, the terms and definitions from ECSS-S-
ST-00-01 apply, in particular for the following terms:
1. redundancy
2. active redundancy
3. hot redundancy
4. cold redundancy
5. fault
6. fault tolerance
b. For the purpose of this document, the terms and definitions ECSS-Q-ST-
30-02 apply, in particular for the following terms:
1. failure propagation
c. For the purpose of this document, the terms and definitions from ECSS-
E-ST-33-11 apply, in particular for the following terms:
1. no fire
2. all fire
3.2 Terms specific to the present standard
3.2.1 actuator
component of a machine that is responsible for
triggering the movement of a mechanism or a system
3.2.2 actuator electronics
electronics supplying an actuator
3.2.3 actuators group
set of actuators sharing the same ARM and the same FIRE block
NOTE The term “actuators group” is synonymous
to the term “group” in this standard
8

---------------------- Page: 10 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
3.2.4 all-fire current
current giving a probability of actuation higher than a specified limit, at a
confidence level higher of a specified limit
3.2.5 no-fire current
current giving a probability of actuation lower than a specified limit, at a
confidence level higher than a specified limit
3.2.6 maximum fire current
maximum current allowed in an actuator in nominal conditions
3.2.7 minimum actuation current
all-fire current plus a margin defined by the system integrator
NOTE The current margin is calculated to guarantee
in worst case the required reliability with a
given confidence level when the actuation
time is above the minimum actuation time.
3.2.8 minimum actuation time
actuation time in the all-fire current reference conditions, plus a margin
established by the manufacturer or by the system integrator
NOTE The margin is calculated to guarantee in
worst case the required reliability with a
given confidence level when the actuation
current is above the minimum actuation
current.
3.2.9 inhibition strap
hardware feature that does not allow firing of the actuator
NOTE The inhibition strap typically contains a
connector and one of more wires to ensure
continuity until strap is opened.
3.2.10 current-driven actuator
actuator that is commanded by a current pulse within a certain range of values
and duration
3.2.11 voltage-driven actuator
actuator that is commanded by a voltage pulse within a certain range of values
and duration
3.2.12 short duration actuator
actuator with actuation duration lasting less than or equal to 1 s
3.2.13 long duration actuator
actuator with actuation duration lasting more than 1 s
9

---------------------- Page: 11 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
3.3 Abbreviated terms
For the purpose of this Standard, the abbreviated terms and symbols from
ECSS-S-ST-00-01 and the following apply:

Meaning
Abbreviation
direct current
DC
electrical, electronic and electromechanical
EEE
failure modes and effects analysis
FMEA
failure modes, effects and criticality analysis
FMECA
review of design
RoD
space segment element
SSE
space segment subsystem
SSS

3.4 Nomenclature
The following nomenclature applies throughout this document:
a. The word “shall” is used in this Standard to express requirements. All
the requirements are expressed with the word “shall”.
b. The word “should” is used in this Standard to express recommendations.
All the recommendations are expressed with the word “should”.
NOTE It is expected that, during tailoring,
recommendations in this document are either
converted into requirements or tailored out.
c. The words “may” and “need not” are used in this Standard to express
positive and negative permissions, respectively. All the positive
permissions are expressed with the word “may”. All the negative
permissions are expressed with the words “need not”.
d. The word “can” is used in this Standard to express capabilities or
possibilities, and therefore, if not accompanied by one of the previous
words, it implies descriptive text.
NOTE In ECSS “may” and “can” have completely
different meanings: “may” is normative
(permission), and “can” is descriptive.
e. The present and past tenses are used in this Standard to express
statements of fact, and therefore they imply descriptive text.
10

---------------------- Page: 12 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)

Principles
4.1 Standard assumptions
a. This standard applies to satellites and does not apply to launchers and
human space flight applications.
b. According to requirement 4.4g of ECSS-E-ST-33-11 this standard covers
explosive or non-explosive actuators electronics required to comply with
single fault tolerance with respect to actuation success.
c. Interfaces to electrical motors (for example solar array drive mechanisms,
reaction wheels, other mechanisms) are not covered by the present
standard.
d. It is assumed that the two fault tolerance approach (as per ECSS-Q-ST-40
clause 6.4.2.1), with respect to premature and unwanted actuation having
catastrophic consequences, when required according to requirement 4.4h
of ECSS-E-ST-33-11, is implemented as a system (SSE and SSS) level
provision and not at equipment level. See ECSS-E-HB-20-21 subclause
5.5.1.
e. Current-driven actuators covered by this standard have an inductance of
1 µH max, not including harness.
f. Voltage-driven actuators covered by this standard have an inductance of
20 mH max.
g. The actuators electronics nominal input voltage, (excluding transients, is
assumed to be within a range of 21 V to 100 V.
4.2 Verification
The indicated requirements verification (see Annex A) identifies the overall
applicable methods to confirm compliance to the requirements, without
explicitly explaining how the verification is split at applicability level
(equipment, SSE, SSS or any combination thereof).
11

---------------------- Page: 13 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)

Requirements
5.1 Functional general interface requirements
5.1.1 General
a. For an actuation sequence, the FIRE event shall be contained within the
SELECT event of the specific actuator line i (i=1…n).
b. The SELECT event shall be contained within the ARM event.
c. With regards to actuation sequence, the selection of different SELECT
lines may be executed within the same ARM event, but with different
FIRE pulses occurrences.
d. An end to end test shall be performed to ensure that the actuator pulses
are effectively present at actuator interface when a system level
verification is done.
NOTE The end to end test is performed with the
actual flight actuator if resettable and safe.
Alternatively, it is performed with a flight
representative actuator or – if not possible for
safety or practical reasons – with a load of
the same impedance as the flight actuator.
5.1.2 Reliability
a. No single failure shall result in unwanted actuator firing.
NOTE For example, in the configuration where one
actuation electronic failure can lead to
unwanted actuation, leading to catastrophic
consequences, the selection switch status is
processed by the system to avoid unwanted
actuation.
b. In case over-current protections are not provided by the Power
Conversion and Distribution Electronics, Actuator Electronics failures,
including relevant harness and connector lines, shall not cause short
circuit or overload of input power lines.
c. The system engineering function shall analyse the effect of anomalies in
the selection configuration, and use the SELECT statuses information not
12

---------------------- Page: 14 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
to start execution of the FIRE command to the nominal or redundant
actuator electronics to avoid catastrophic or undesired consequences.
NOTE See ECSS-HB-20-21 subclause 5.5.2 and
requirement 5.2.2h of the standard.
5.2 Functional source interface requirements
5.2.1 General
a. Actuator electronics shall implement at least three independent safety
barriers ARM, SELECT and FIRE necessary to be released before a
deployment device is actuated.
b. The design of the actuator electronics shall allow testing the functionality
of each single barrier.
c. ARM, FIRE and SELECT switching functions shall be located in the hot
power line of the actuation path.
d. The actuator electronic shall control the FIRE actuation duration as
specified in requirements 5.2.2j, 5.2.3f, 5.3.1c and 5.6.3b.
e. Dedicated connectors dedicated to the actuators electronics outputs shall
be implemented.
f. At power up, the three stages barriers shall be in open state.
g. Each initiator power line shall be distributed to the relevant user with
dedicate return wire except for non-explosive actuators implemented on
satellites with power return on structure.
5.2.2 Reliability
a. To comply with single fault tolerance, with respect to ability to perform
the desired activation, the Actuator Electronics shall be duplicated in a
Nominal and a Redundant section.
NOTE Including duplication (nominal and
redundant) of all relevant commands and
telemetries.
b. With respect to the needed level of segregation among nominal and
redundant sides of electrical actuator circuits, no common failure
mechanism between nominal and redundant part shall exist.
c. No single failure in the actuator electronics shall cause more than one of
the safety barriers to be spuriously or permanently enabled.
d. The actuator electronics shall meet one of the two conditions:
1. Disconnect both the hot and the return lines to the actuators when
ARM and SELECT lines are disabled, or
2. Comply with 5.2.2e.1 and 5.2.2e.2.
13

---------------------- Page: 15 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
e. In case the return lines to the actuators cannot be disconnected as
specified in 5.2.2d, then two following conditions shall be met to avoid
failure propagation due to loss of insulation:
1. The relevant actuator group does not share connectors with other
groups or with other electronic functions having source capability
to trigger the relevant actuators.
2. The harness of the relevant actuator group are not bundled
together with any other wire or bundle carrying a positive or
negative potential sufficient to trigger the relevant actuators.
f. The Actuator Electronics shall not be stressed in case of an output short
circuit.
g. To ensure that no other selector is in short circuit failure and therefore
that no unwanted actuation is taking place, the actuator electronics shall
allow the possibility to check the SELECT statuses before issuing the
FIRE command.
h. Any line that remains floating shall be connected to structure ground
internally to the actuator electronics via bleeding resistors 100 kΩ to
1 MΩ.
i. Insulation among actuator output lines shall be tested.
j. No single failure in the actuator electronic shall lead to the loss at the
same time of the current or voltage limitation and of the actuation
duration control.
k. No cross-strapping shall be present between electronics of nominal and
redundant actuators chains.
5.2.3 Commands
a. Nominal and redundant actuator electronics shall accept commands from
both nominal and redundant command chain.
b. ARM, FIRE and SELECT switching shall be actuated by separate
commands.
c. The commands for ARM and for SELECT/FIRE shall follow completely
independent physical paths, such that no single failure in the complete
command chain can result in a fire action.
NOTE For example, ARM enable is driven by high
power command while SELECT, FIRE and
ARM disable are driven by serial command
interface.
d. The activation of the ARM switch shall be performed:
1. By direct execution of a dedicated and independent command.
2. Without any other interaction from an actuator electronic function.
NOTE Req. 5.2.3d.2 stresses that within the actuator
electronics there is no additional logical
conditioning of the signal leading to the
activation of the ARM switch.
14

---------------------- Page: 16 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
e. The activation of the SELECT and FIRE switches should be performed by
execution of standard serial commands.
f. For long duration actuators, in addition to 5.2.1d, the FIRE OFF
commands should be implemented by a standard serial interface.
g. The fire commands of the actuator electronics shall be inhibited by
dedicated external inhibition straps.
NOTE strap closed equals to commands disable,
strap open equals to commands enable.
5.2.4 Telemetry
a. Telemetries from the nominal and the redundant actuator electronics
shall be provided to both the nominal and the redundant acquisition
chain.
b. The actuator electronics shall provide the indication of the status of each
selection switch.
c. Status telemetries shall indicate the effective condition of the relevant
functionality and not provide indirect information.
NOTE 1 Effective condition includes for example state
when the switch is effectively ON or OFF, if the
line is effectively enabled or disabled, etc.
NOTE 2 For example, in case there is only one selection
switch per line, the circuitry providing status of
the selection switch is fully independent from
the monitored circuit.
NOTE 3 In case a relay is used, spare contacts are used
to provide direct status information.
d. For short duration actuators, the actuator electronics shall provide a peak
firing status which is valid when the monitored firing current is larger
than a threshold of 20 % to 80 % of the expected firing current during a
period of time greater than 0,5 ms to 10 ms.
NOTE The exact current threshold and time
duration are established by trimming in the
actual application.
e. For long duration actuators, a current and voltage telemetry shall be
provided.
f. The status of each inhibition strap shall be available as a standard
telemetry of the actuator electronics.
NOTE Standard telemetry of the actuator electronics
is for example serial standard telemetry.
g. For on-ground test purposes the status of each inhibition strap shall be
available from the actuator electronics as a physical connection or
disconnection.
h. One status telemetry shall be provided for the nominal inhibition strap,
and another for the redundant one.
15

---------------------- Page: 17 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
i. A short circuit between the output of the actuator electronics and the
ground or structure shall not affect the validity of the telemetry of the
actuated line.
j. A status telemetry should be provided via serial telemetry line, to
identify if nominal output current or voltage ranges have been exceeded.
k. If requirement 5.2.4j is applied, the following conditions shall be fulfilled:
1. The requested status is based on a latch to identify the abnormal
conditions even at the end of the firing.
2. The status latch is resettable through serial command.
5.3 Functional load interface requirements
5.3.1 General
a. For current-driven actuators the following shall be specified:
1. The no-fire current and the relevant duration,
2. The maximum fire current,
3. The all-fire current.
b. For voltage-driven actuators, the voltage range for all fire action shall be
specified.
c. The minimum all fire actuation time shall be specified.
5.3.2 Reliability
a. The nominal and redundant electrical actuator paths shall be
independent such that no failure mechanism can cause the loss of the
actuation function.
b. Any abnormal voltage or current emission applied on the nominal
respectively redundant electrical interface of the actuator shall not
propagate failure to the redundant respectively nominal electrical
interface.
NOTE See actual limit specified in requirements
5.5.2a and 5.5.2b.
5.4 Performance general interface requirements
5.4.1 General
a. For current-driven actuators, one of the following two conditions shall be
met:
1. If the actuator maximum resistance as per requirement 5.6.1a is
specified, the actuators electronics is able to provide the specified
current when the load resistance, including actuator plus harness,
16

---------------------- Page: 18 ----------------------
SIST EN 16603-20-21:2020
EN 16603-20-21:2020 (E)
is equal to the maximum value not to exceed the voltage as per
requirement 5.5.1b.
2. Otherwise, the system ensures that the minimum current and
voltage as qualified is applied at actuator level.
b. For voltage-driven actuators, the maximum overall harness resistance of
the actuator line shall guarantee that the voltage into the actuator is
above the specified limit.
c. Parasitic capacitance to structure seen by the actuator electronics, load
plus relevant harness, shall be limited to 1 µF.
d. Parasitic inductance seen by the actuator electronics (load plus relevant
harness) shall be limited to
1. 10 µH for current-driven actuators
2. 20 mH for voltage-driven a
...

SLOVENSKI STANDARD
oSIST prEN 16603-20-21:2019
01-november-2019
Vesoljska tehnika - Zahteve vmesnika za električne pogone
Space engineering - Interface requirements for electrical actuators
Raumfahrttechnik - Anforderungen an Schnittstellen für elektrische Aktuatoren
Ingénierie spatiale - Exigences d'interface pour les actuateurs électriques
Ta slovenski standard je istoveten z: prEN 16603-20-21
ICS:
49.140 Vesoljski sistemi in operacije Space systems and
operations
oSIST prEN 16603-20-21:2019 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN 16603-20-21:2019

---------------------- Page: 2 ----------------------
oSIST prEN 16603-20-21:2019


EUROPEAN STANDARD
DRAFT
prEN 16603-20-21
NORME EUROPÉENNE

EUROPÄISCHE NORM

September 2019
ICS 49.140

English version

Space engineering - Interface requirements for electrical
actuators
Ingénierie spatiale - Exigences d'interface pour les Raumfahrttechnik - Anforderungen an Schnittstellen
actuateurs électriques für elektrische Aktuatoren
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 5.

If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.

This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own
language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification
of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.














CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2019 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. prEN 16603-20-21:2019 E
reserved worldwide for CEN national Members and for
CENELEC Members.

---------------------- Page: 3 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
Table of contents
European Foreword . 4
Introduction . 5
Scope . 6
Normative references . 7
Terms, definitions and abbreviated terms . 8
3.1 Terms from other standards . 8
3.2 Terms specific to the present standard . 8
3.3 Abbreviated terms. 10
3.4 Nomenclature . 10
Principles . 11
4.1 Standard assumptions . 11
4.2 Verification . 11
Requirements . 12
5.1 Functional general interface requirements . 12
5.1.1 General . 12
5.1.2 Reliability . 12
5.2 Functional source interface requirements . 13
5.2.1 General . 13
5.2.2 Reliability . 13
5.2.3 Commands . 14
5.2.4 Telemetry . 15
5.3 Functional load interface requirements . 16
5.3.1 General . 16
5.3.2 Reliability . 16
5.4 Performance general interface requirements . 16
5.4.1 General . 16
5.5 Performance source interface requirements . 17
5.5.1 General . 17
5.5.2 Reliability . 17
2

---------------------- Page: 4 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
5.5.3 Telemetry . 18
5.5.4 Recurrent products. 18
5.6 Performance load interface requirements . 18
5.6.1 General . 18
5.6.2 Reliability . 19
5.6.3 Recurrent products. 19
Annex A (informative) Requirements mapping . 20
Bibliography . 37

Tables
Table A-1 : Functional general requirements list . 21
Table A-2 : Functional source requirements list . 23
Table A-3 : Functional load requirements list . 30
Table A-4 : Performance general requirements list . 31
Table A-5 : Performance source requirements list . 32
Table A-6 : Performance load requirements list . 35

3

---------------------- Page: 5 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
European Foreword
This document (prEN 16603-20-21:2019) has been prepared by Technical Committee CEN/CLC/TC 5
“Space”, the secretariat of which is held by DIN (Germany).
This document (prEN 16603-20-21:2019) originates from ECSS-E-ST-20-21C.
This document is currently submitted to the ENQUIRY.
This document has been developed to cover specifically space systems and will therefore have
precedence over any EN covering the same scope but with a wider do-main of applicability (e.g. :
aerospace).
4

---------------------- Page: 6 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
Introduction
This standard identifies the requirements needed to specify, procure or develop
the electronics needed for driving release actuators (bot explosive like
pyrotechnic devices or non-explosive like thermal knives) and gives the
relevant electrical interface specification, both from source and load
perspective.
The present standard covers explosive or non-explosive actuators electronics
required to comply with single fault tolerance with respect to actuation success.
For a reference architecture description, it is possible to refer to ECSS-E-HB-20-21.
ECSS-E-HB-20-21 includes a clarification of the principles of operation of the
actuator electronics, identifies important issues related to actuators and
explains the requirements of the present standard.
5

---------------------- Page: 7 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)

Scope
In general terms, the scope of the consolidation of the electrical interface
requirements for electrical (hold down and release or deployment) actuators in
the present ECSS-E-ST-20-21 and the relevant explanation in the handbook
ECSS-E-HB-20-21 is to allow a more recurrent approach both for actuator
electronics (power source) and electrical actuators (power load) offered by the
relevant manufacturers, at the benefit of the system integrators and of the
Agency, thus ensuring:
• better quality,
• stability of performances, and
• independence of the products from specific mission targets.
A recurrent approach enables manufacturing companies to concentrate on
products and a small step improvement approach that is the basis of a high
quality industrial output.
6

---------------------- Page: 8 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)

Normative references
The following normative documents contain provisions which, through
reference in this text, constitute provisions of this ECSS Standard. For dated
references, subsequent amendments to, or revision of any of these publications
do not apply. However, parties to agreements based on this ECSS Standard are
encouraged to investigate the possibility of applying the more recent editions of
the normative documents indicated below. For undated references, the latest
edition of the publication referred to applies.

EN reference Reference in text Title
EN 16601-00-01 ECSS-S-ST-00-01 ECSS system - Glossary of terms
EN 16602-30-02 ECSS-Q-ST-30-02 Space product assurance - Failure modes, effects (and
criticality) analysis (FMEA/FMECA)
EN 16603-33-11 ECSS-E-ST-33-11 Space engineering - Explosive subsystems and devices
7

---------------------- Page: 9 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)

Terms, definitions and abbreviated terms
3.1 Terms from other standards
a. For the purpose of this document, the terms and definitions from ECSS-S-
ST-00-01 apply, in particular for the following terms:
1. redundancy
2. active redundancy
3. hot redundancy
4. cold redundancy
5. fault
6. fault tolerance
b. For the purpose of this document, the terms and definitions ECSS-Q-ST-
30-02 apply, in particular for the following terms:
1. failure propagation
c. For the purpose of this document, the terms and definitions from ECSS-
E-ST-33-11 apply, in particular for the following terms:
1. no fire
2. all fire
3.2 Terms specific to the present standard
3.2.1 actuator
component of a machine that is responsible for
triggering the movement of a mechanism or a system
3.2.2 actuator electronics
electronics supplying an actuator
3.2.3 actuators group
set of actuators sharing the same ARM and the same FIRE block
NOTE The term “actuators group” is synonymous
to the term “group” in this standard
8

---------------------- Page: 10 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
3.2.4 all-fire current
current giving a probability of actuation higher than a specified limit, at a
confidence level higher of a specified limit
3.2.5 no-fire current
current giving a probability of actuation lower than a specified limit, at a
confidence level higher than a specified limit
3.2.6 maximum fire current
maximum current allowed in an actuator in nominal conditions
3.2.7 minimum actuation current
all-fire current plus a margin defined by the system integrator
NOTE The current margin is calculated to guarantee
in worst case the required reliability with a
given confidence level when the actuation
time is above the minimum actuation time.
3.2.8 minimum actuation time
actuation time in the all-fire current reference conditions, plus a margin
established by the manufacturer or by the system integrator
NOTE The margin is calculated to guarantee in
worst case the required reliability with a
given confidence level when the actuation
current is above the minimum actuation
current.
3.2.9 inhibition strap
hardware feature that does not allow firing of the actuator
NOTE The inhibition strap typically contains a
connector and one of more wires to ensure
continuity until strap is opened.
3.2.10 current-driven actuator
actuator that is commanded by a current pulse within a certain range of values
and duration
3.2.11 voltage-driven actuator
actuator that is commanded by a voltage pulse within a certain range of values
and duration
3.2.12 short duration actuator
actuator with actuation duration lasting less than or equal to 1 s
3.2.13 long duration actuator
actuator with actuation duration lasting more than 1 s
9

---------------------- Page: 11 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
3.3 Abbreviated terms
For the purpose of this Standard, the abbreviated terms and symbols from
ECSS-S-ST-00-01 and the following apply:

Meaning
Abbreviation
direct current
DC
electrical, electronic and electromechanical
EEE
failure modes and effects analysis
FMEA
failure modes, effects and criticality analysis
FMECA
review of design
RoD
space segment element
SSE
space segment subsystem
SSS

3.4 Nomenclature
The following nomenclature applies throughout this document:
a. The word “shall” is used in this Standard to express requirements. All
the requirements are expressed with the word “shall”.
b. The word “should” is used in this Standard to express recommendations.
All the recommendations are expressed with the word “should”.
NOTE It is expected that, during tailoring,
recommendations in this document are either
converted into requirements or tailored out.
c. The words “may” and “need not” are used in this Standard to express
positive and negative permissions, respectively. All the positive
permissions are expressed with the word “may”. All the negative
permissions are expressed with the words “need not”.
d. The word “can” is used in this Standard to express capabilities or
possibilities, and therefore, if not accompanied by one of the previous
words, it implies descriptive text.
NOTE In ECSS “may” and “can” have completely
different meanings: “may” is normative
(permission), and “can” is descriptive.
e. The present and past tenses are used in this Standard to express
statements of fact, and therefore they imply descriptive text.
10

---------------------- Page: 12 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)

Principles
4.1 Standard assumptions
a. This standard applies to satellites and does not apply to launchers and
human space flight applications.
b. According to requirement 4.4g of ECSS-E-ST-33-11 this standard covers
explosive or non-explosive actuators electronics required to comply with
single fault tolerance with respect to actuation success.
c. Interfaces to electrical motors (for example solar array drive mechanisms,
reaction wheels, other mechanisms) are not covered by the present
standard.
d. It is assumed that the two fault tolerance approach (as per ECSS-Q-ST-40
clause 6.4.2.1), with respect to premature and unwanted actuation having
catastrophic consequences, when required according to requirement 4.4h
of ECSS-E-ST-33-11, is implemented as a system (SSE and SSS) level
provision and not at equipment level. See ECSS-E-HB-20-21 section 5.5.1.
e. Current-driven actuators covered by this standard have an inductance of
1 µH max, not including harness.
f. Voltage-driven actuators covered by this standard have an inductance of
20 mH max.
g. The actuators electronics nominal input voltage, (excluding transients, is
assumed to be within a range of 21 V to 100 V.
4.2 Verification
The indicated requirements verification (see Annex A) identifies the overall
applicable methods to confirm compliance to the requirements, without
explicitly explaining how the verification is split at applicability level
(equipment, SSE, SSS or any combination thereof).
11

---------------------- Page: 13 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)

Requirements
5.1 Functional general interface requirements
5.1.1 General
a. For an actuation sequence, the FIRE event shall be contained within the
SELECT event of the specific actuator line i (i=1…n).
b. The SELECT event shall be contained within the ARM event.
c. With regards to actuation sequence, the selection of different SELECT
lines may be executed within the same ARM event, but with different
FIRE pulses occurrences.
d. An end to end test shall be performed to ensure that the actuator pulses
are effectively present at actuator interface when a system level
verification is done.
NOTE The end to end test is performed with the
actual flight actuator if resettable and safe.
Alternatively, it is performed with a flight
representative actuator or – if not possible for
safety or practical reasons – with a load of
the same impedance as the flight actuator.
5.1.2 Reliability
a. No single failure shall result in unwanted actuator firing.
NOTE For example, in the configuration where one
actuation electronic failure can lead to
unwanted actuation, leading to catastrophic
consequences, the selection switch status is
processed by the system to avoid unwanted
actuation.
b. In case over-current protections are not provided by the Power
Conversion and Distribution Electronics, Actuator Electronics failures,
including relevant harness and connector lines, shall not cause short
circuit or overload of input power lines.
c. The system engineering function shall analyse the effect of anomalies in
the selection configuration, and use the SELECT statuses information not
12

---------------------- Page: 14 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
to start execution of the FIRE command to the nominal or redundant
actuator electronics to avoid catastrophic or undesired consequences.
NOTE See ECSS-HB-20-21 section 5.5.2 and
requirement 5.2.2h of the standard.
5.2 Functional source interface requirements
5.2.1 General
a. Actuator electronics shall implement at least three independent safety
barriers ARM, SELECT and FIRE necessary to be released before a
deployment device is actuated.
b. The design of the actuator electronics shall allow testing the functionality
of each single barrier.
c. ARM, FIRE and SELECT switching functions shall be located in the hot
power line of the actuation path.
d. The actuator electronic shall control the FIRE actuation duration as
specified in requirements 5.2.2j, 5.2.3f, 5.3.1c and 5.6.3b.
e. Dedicated connectors dedicated to the actuators electronics outputs shall
be implemented.
f. At power up, the three stages barriers shall be in open state.
g. Each initiator power line shall be distributed to the relevant user with
dedicate return wire except for non-explosive actuators implemented on
satellites with power return on structure.
5.2.2 Reliability
a. To comply with single fault tolerance, with respect to ability to perform
the desired activation, the Actuator Electronics shall be duplicated in a
Nominal and a Redundant section.
NOTE Including duplication (nominal and
redundant) of all relevant commands and
telemetries.
b. With respect to the needed level of segregation among nominal and
redundant sides of electrical actuator circuits, no common failure
mechanism between nominal and redundant part shall exist.
c. No single failure in the actuator electronics shall cause more than one of
the safety barriers to be spuriously or permanently enabled.
d. The actuator electronics shall meet one of the two conditions:
1. Disconnect both the hot and the return lines to the actuators when
ARM and SELECT lines are disabled, or
2. Comply with 5.2.2e.1 and 5.2.2e.2.
13

---------------------- Page: 15 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
e. In case the return lines to the actuators cannot be disconnected as
specified in 5.2.2d, then two following conditions shall be met to avoid
failure propagation due to loss of insulation:
1. The relevant actuator group does not share connectors with other
groups or with other electronic functions having source capability
to trigger the relevant actuators.
2. The harness of the relevant actuator group are not bundled
together with any other wire or bundle carrying a positive or
negative potential sufficient to trigger the relevant actuators.
f. The Actuator Electronics shall not be stressed in case of an output short
circuit.
g. To ensure that no other selector is in short circuit failure and therefore
that no unwanted actuation is taking place, the actuator electronics shall
allow the possibility to check the SELECT statuses before issuing the
FIRE command.
h. Any line that remains floating shall be connected to structure ground
internally to the actuator electronics via bleeding resistors 100 kΩ to
1 MΩ.
i. Insulation among actuator output lines shall be tested.
j. No single failure in the actuator electronic shall lead to the loss at the
same time of the current or voltage limitation and of the actuation
duration control.
k. No cross-strapping shall be present between electronics of nominal and
redundant actuators chains.
5.2.3 Commands
a. Nominal and redundant actuator electronics shall accept commands from
both nominal and redundant command chain.
b. ARM, FIRE and SELECT switching shall be actuated by separate
commands.
c. The commands for ARM and for SELECT/FIRE shall follow completely
independent physical paths, such that no single failure in the complete
command chain can result in a fire action.
NOTE For example, ARM enable is driven by high
power command while SELECT, FIRE and
ARM disable are driven by serial command
interface.
d. The activation of the ARM switch shall be performed:
1. By direct execution of a dedicated and independent command.
2. Without any other interaction from an actuator electronic function.
NOTE Req. 5.2.3d.2 stresses that within the actuator
electronics there is no additional logical
conditioning of the signal leading to the
activation of the ARM switch.
14

---------------------- Page: 16 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
e. The activation of the SELECT and FIRE switches should be performed by
execution of standard serial commands.
f. For long duration actuators, in addition to 5.2.1d, the FIRE OFF
commands should be implemented by a standard serial interface.
g. The fire commands of the actuator electronics shall be inhibited by
dedicated external inhibition straps.
NOTE strap closed equals to commands disable,
strap open equals to commands enable.
5.2.4 Telemetry
a. Telemetries from the nominal and the redundant actuator electronics
shall be provided to both the nominal and the redundant acquisition
chain.
b. The actuator electronics shall provide the indication of the status of each
selection switch.
c. Status telemetries shall indicate the effective condition of the relevant
functionality and not provide indirect information.
NOTE 1 Effective condition includes for example state
when the switch is effectively ON or OFF, if the
line is effectively enabled or disabled, etc.
NOTE 2 For example, in case there is only one selection
switch per line, the circuitry providing status of
the selection switch is fully independent from
the monitored circuit.
NOTE 3 In case a relay is used, spare contacts are used
to provide direct status information.
d. For short duration actuators, the actuator electronics shall provide a peak
firing status which is valid when the monitored firing current is larger
than a threshold of 20 % to 80 % of the expected firing current during a
period of time greater than 0,5 ms to 10 ms.
NOTE The exact current threshold and time
duration are established by trimming in the
actual application.
e. For long duration actuators, a current and voltage telemetry shall be
provided.
f. The status of each inhibition strap shall be available as a standard
telemetry of the actuator electronics.
NOTE Standard telemetry of the actuator electronics
is for example serial standard telemetry.
g. For on-ground test purposes the status of each inhibition strap shall be
available from the actuator electronics as a physical connection or
disconnection.
h. One status telemetry shall be provided for the nominal inhibition strap,
and another for the redundant one.
15

---------------------- Page: 17 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
i. A short circuit between the output of the actuator electronics and the
ground or structure shall not affect the validity of the telemetry of the
actuated line.
j. A status telemetry should be provided via serial telemetry line, to
identify if nominal output current or voltage ranges have been exceeded.
k. If requirement 5.2.4j is applied, the following conditions shall be fulfilled:
1. The requested status is based on a latch to identify the abnormal
conditions even at the end of the firing.
2. The status latch is resettable through serial command.
5.3 Functional load interface requirements
5.3.1 General
a. For current-driven actuators the following shall be specified:
1. The no-fire current and the relevant duration,
2. The maximum fire current,
3. The all-fire current.
b. For voltage-driven actuators, the voltage range for all fire action shall be
specified.
c. The minimum all fire actuation time shall be specified.
5.3.2 Reliability
a. The nominal and redundant electrical actuator paths shall be
independent such that no failure mechanism can cause the loss of the
actuation function.
b. Any abnormal voltage or current emission applied on the nominal
respectively redundant electrical interface of the actuator shall not
propagate failure to the redundant respectively nominal electrical
interface.
NOTE See actual limit specified in requirements
5.5.2a and 5.5.2b.
5.4 Performance general interface requirements
5.4.1 General
a. For current-driven actuators, one of the following two conditions shall be
met:
1. If the actuator maximum resistance as per requirement 5.6.1a is
specified, the actuators electronics is able to provide the specified
current when the load resistance, including actuator plus harness,
16

---------------------- Page: 18 ----------------------
oSIST prEN 16603-20-21:2019
prEN 16603-20-21:2019 (E)
is equal to the maximum value not to exceed the voltage as per
requirement 5.5.1b.
2. Otherwise, the system ensures that the minimum current and
voltage as qualified is applied at actuator level.
b. For voltage-driven actuators, the maximum overall harness resistance of
the actuator line shall guarantee that the voltage into the actuator is
above the specified limit.
c. Parasitic capacitance to structure seen by the actuator electronics, load
plus relevant harness, shall be limited to 1 µF.
d. Parasitic inductance seen by the actuator electronics (load plus relevant
harness) shall be limited to
1. 10 µH for current-driven actuators
2. 20 mH for voltage-driven actuators.
e. The current timing profile for voltage-driven actuators shall be provided
by the system integrator.
5.5 Performance source interface requirements
5.5.1 General
a. The nominal current delivered to an actuator shall be verified within the
specified limits.
b. For current-driven actuators, the output maximum voltage, at which the
minimum actuation current is guaranteed, shall be specified.
c. For current-driven actuators, the minimum margin of electronics act
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.