ECSS-Q-TM-40-04 Part 2A: Space product assurance, Sneak analysis, Part 2: Clue list (extracts)
Contents
1.
Clue text: Are the turn-on and turn-off times of the transistor short compared with the stable-state time?
Explanation: During commutation of a power transistor, part of the power dissipation comes from the switching intervals, because voltage and current are applied to the transistor simultaneously while it switches. To improve efficiency, turn-on and turn-off times shall be as short as possible (use commutation accelerators). Reducing the switching times also lowers the transistor case temperature.
(ECSS-Q-TM-40-04 Part 2A, 16 April 2010, p. 50)

Clue type: path, component, component only
Item: latch, register, flip-flop, monoflop, bistable, JK, RS, counter, transistor, rectifier, breaker, limiter, relay, monostable, switch, contact, button, fuse, interlock
Clue text: Can switching lead to an unstable state?
Explanation: Feedback around a loop of digital components can lead to instability if the number of signal reversals (inversions) in the loop is zero or even.

Identifier: 109A
Title: unstable or irreversible state
Clue type: path, component, component only
Item: relay
Clue text: Can a switching lead to an unstable or irreversible state?
Explanation: The switching of a relay can activate an unwanted series of events in which another relay changes state and subsequently activates the first one. If the relays are monostable, this situation leads to an unstable state; if one relay is bistable, the switching leads to an irreversible state.

Identifier: continuous cu
2. (p. 19)
Identifier: 32A
Title: filtering of a power source
Clue type: component only
Item: power supply, battery
Clue text: Is there a filter at the output(s) of the power source?
Explanation: Filters shall be added in order to smooth ripple and to prevent spikes from propagating outside the power source through the wiring.

Identifier: 32AA
Title: filtering of a power source
Item: power supply, battery
Clue text: Is there a filter at the output(s) of the power source?
Explanation: As for 32A.

Title: filtering of cables and long lines
Item: buffer, connector
Clue text: Is there a radio-frequency (RF) filter on the circuit output(s) interfacing cables and long lines?
Explanation: An RF filter shall be added in order to prevent RF from propagating through the wiring. Note: the wire or cable length must be checked for this clue.

Title: frequency pass band for measurement
Clue type: sensor, OpAmp, comparator
Clue text: Is the frequency pass band of the measurement circuit adapted to the physical phenomenon?
Explanation: The acquisition frequency of a measurement (instrumentation) circuit shall be at least twice the highest frequency of the measured phenomenon (Shannon sampling theorem).
(p. 20)

Title: delay of a signal
Clue type / Item: signal, cable, connector, offpage, malecon, femcon
Cl
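The Shannon criterion in the pass-band clue is easy to state and easy to get wrong in a review, because an under-sampled chain does not fail loudly: it reports a confident, wrong frequency. The following Python block is an added example, not code from ECSS-Q-TM-40-04. It applies the clue's check to constructed signal and acquisition frequencies, predicts the alias frequency when the check fails, and confirms the prediction by sampling a synthetic sine and picking the strongest DFT bin (the DFT is written out in plain Python so the block runs without numpy).

```python
"""Sampling-rate check for a measurement chain (clue: frequency pass band
for measurement). Added example, not part of ECSS-Q-TM-40-04. The signal
frequencies and sample rates are constructed values, not taken from any
real instrument; the DFT is the textbook definition, written out so the
example runs without numpy."""
import math


def nyquist_ok(f_signal_hz: float, f_sample_hz: float) -> bool:
    """Shannon criterion as the clue states it: the acquisition rate must be
    at least twice the highest frequency present in the measured phenomenon."""
    return f_sample_hz >= 2.0 * f_signal_hz


def aliased_frequency(f_signal_hz: float, f_sample_hz: float) -> float:
    """Apparent frequency of a sinusoid after sampling: a tone above fs/2 folds
    back into [0, fs/2]. Equals f_signal_hz only when the criterion holds."""
    f = math.fmod(f_signal_hz, f_sample_hz)
    return min(f, f_sample_hz - f)


def sample_sine(f_signal_hz: float, f_sample_hz: float, n: int) -> list:
    """n samples of a unit sine, the constructed 'physical phenomenon'."""
    return [math.sin(2.0 * math.pi * f_signal_hz * k / f_sample_hz) for k in range(n)]


def dominant_frequency(samples: list, f_sample_hz: float) -> float:
    """Frequency of the strongest DFT bin in [0, fs/2]: what the downstream
    processing would believe it measured."""
    n = len(samples)
    best_bin, best_power = 0, -1.0
    for k in range(n // 2 + 1):
        re = sum(x * math.cos(2.0 * math.pi * k * j / n) for j, x in enumerate(samples))
        im = sum(x * math.sin(2.0 * math.pi * k * j / n) for j, x in enumerate(samples))
        power = re * re + im * im
        if power > best_power:
            best_bin, best_power = k, power
    return best_bin * f_sample_hz / n


def check_measurement_chain(f_phenomenon_hz: float, f_sample_hz: float, n: int = 200) -> dict:
    """Run the clue's check and show what an under-sampled chain would report."""
    seen = dominant_frequency(sample_sine(f_phenomenon_hz, f_sample_hz, n), f_sample_hz)
    return {
        "pass_band_ok": nyquist_ok(f_phenomenon_hz, f_sample_hz),
        "predicted_alias_hz": aliased_frequency(f_phenomenon_hz, f_sample_hz),
        "measured_hz": seen,
    }


if __name__ == "__main__":
    # 400 Hz at 1 kSa/s passes; 900 Hz at 1 kSa/s is reported as 100 Hz;
    # the same 900 Hz at 2 kSa/s is measured correctly.
    for f_sig, f_s in ((400.0, 1000.0), (900.0, 1000.0), (900.0, 2000.0)):
        print(f_sig, f_s, check_measurement_chain(f_sig, f_s))
```

The useful output is the third field: for a 900 Hz phenomenon acquired at 1000 samples per second the chain reports 100 Hz, a value that looks entirely plausible to anything reading it downstream, which is why the clue asks the question at design time rather than relying on the data to reveal the problem.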
3.
Explanation: Tying unused inputs to used inputs of the same circuit is not advisable, as it reduces AC noise immunity because of the increased input coupling capacitance.

Title: protection against transient voltage
Item: power supply, battery
Clue text: Is there a protection against transient voltages?
Explanation: Fast protective diodes (Transil) can be used to protect against transient overvoltages, which may cause latch-up or even permanent failure; Zener diodes can also be used. A voltage-protective device shall be implemented on each voltage source to prevent the circuits using these voltages from being damaged by overvoltage.

Item: counter, shift, adder
Clue text: Is there an overflow detection circuit?
Explanation: The out-of-limits detection circuit should ensure detection when the nominal range of measurement is saturated.

Title: protection against transient currents
Clue type: component only
Item: power supply, battery
Clue text: Is there a protection against current transients?
Explanation: During switching, high currents may flow, especially if the load is partly capacitive or if there are large motors. Sneak conditions may mean that more than the planned number of loads of this type are connected at one time.
(p. 25)

Title: tristate outputs for multi-user line/bus
Clue type: component only
Item: buffer, driver
Clue
4.
... path clues (see ECSS-Q-TM-40-04 Part 1, clause 4.1) can be derived, according to the approach described in Annex B of ECSS-Q-TM-40-04 Part 1, from the causal relation between the source and the target that is of interest. Therefore the path clues are not listed in this document.

The coding of an entry of the clue list is illustrated by the following example.

EXAMPLE
Title: protection against reverse voltage
Item: regulator, OpAmp
Clue text: Is the regulator protected against reverse voltage?
Explanation: If a voltage drop or a short circuit occurs at the regulator input, the reverse voltage applied to the regulator can exceed the breakdown voltage. If the regulator has no internal protection diode, an external protection diode shall be added.

The table entries are:
- a univocal alphanumeric identifier;
- the clue short title;
- the clue type;
- the items to which the question applies;
- the question, pointing at a possible way through which design errors can lead to a system malfunction;
- the clue explanation.

Annex A (informative): Taxonomy
This annex presents the taxonomy of the three classes of item (EEE components, hydraulic components, and Ada language instructions) to which the clues contained in this document apply. The taxonomy is presented in the form of a tree in which the hierarchical level, currently ranging from 0 to 7, is given next to
5.
Title: reference potential for chassis
Item: chassis
Clue text: Is the chassis reference tied to the adequate reference potential?
Explanation: If the chassis ground is not tied to the equipment ground, some components using the chassis as a heat sink and current return path may not be operational. The metallic case of a transistor is sometimes used as a current path, as it is tied to the transistor collector.

Identifier: 153A
Title: reference potential for power supply
Item: battery, power
Clue text: Is the power supply reference tied to the adequate ground?
Explanation: If the power return is not tied to the equipment ground, some components using the chassis as a heat sink and current return path may not be operational (see the chassis reference clue above).

Item: relay
Clue text: Has a protection against reverse current been implemented in series with the relay coil command?
Explanation: A relay coil may receive several commands through a wired-OR. To avoid an unexpected reverse current from one command into another, a diode is generally added in series with the relay coil, on the current path of each command signal.

Title: bias (polarization) signal
Clue type: component only
Item: transistor, Zener, MOS FET, OpAmp, analogue
Clue text: Is the bias (polarization) signal correct?
Explanation: Part of the current used to fi
6. (taxonomy tree, continued; the number before each entry is its hierarchical level)
... explosive bolt
4 Speaker
  5 Loudspeaker
  5 Buzzer
  5 Bell
4 Microphone
4 Detector
4 Sensor
  5 CSens (current sensor)
  5 FSens (fire sensor)
  5 VSens (voltage sensor)
  5 TSens (temperature sensor)
  5 PSens (pressure sensor)
  5 PoSens (position sensor)
  5 XSens (concentration sensor)
  5 LSens (level sensor)
4 Threshold
2 Electric
  3 Binding
    4 Fuse
    4 Connector
      5 Multiconnector
      5 Interlock, Malecon (male connector), Femalecon (female connector), Plug, Terminal, Strap, Testpoint, Testgap (levels not legible in the source; listed with Multiconnector)
    4 Wire
    4 Cable
    4 Bundle
    4 Splice
    4 Node (node of the electrical schematic)
  3 Transformation
    4 Transformer ("trafo" is a synonym of transformer)
    4 Autotransfo (auto-transformer)
    4 Lamp
      5 Neon
      5 Indicator
    4 Tube
    4 Antenna
  3 Earth
    4 Ground
    4 Chassis
  3 Energy
    4 Power
      5 Battery
      5 Supply
    4 Load
    4 Regulator
1 Software
  BOX, ASSIGN, DIAMOND, OUTPUT, OUTREG (output register), INPUT, INREG (input register), LOOP (levels not legible in the source)
    3 FOR
    3 REVERSE
    3 E
7.
... for instance.
(p. 57)
Identifier: 129
Title: drawing consistency with parts list
Clue type: component only
Item: part
Clue text: Does the parts list correspond to the components used in the circuit?
Explanation: As CAD tools usually generate the parts list automatically, each component of the circuit shall be listed in the parts list. The acronym associated with each part shall also correspond to the expected symbol.

Clue text: Is the component implemented with the correct polarisation on the drawing?
Explanation: Some components are not polarised (resistor, inductor, non-polarized capacitor): they are bidirectional. Other components can only be used one way round (polarized capacitor, diode, transistor, integrated circuit, transformer with primary and secondary windings).

Explanation: Whatever the load considered, a short circuit shall trigger the current-limiting circuit. No load pattern should exist which can mask a short circuit.

Title: operating range of a limiting device
Item: fuse, breaker, Zener, regulator
Clue text: Is the operating range of the limiting device correctly adjusted?
Explanation: Spurious activation of a limiting device shall be avoided: during power switching of an equipment, the inrush-current spike shall not trigger the current limiter, otherwise the equipment can never be turned on. On the other hand, any permanent short cir
8.
Clue type: path, component, component only
Item: lamp, indicator, switch, button
Clue text: Does the label of the indicator reflect the function of the TARGET?
Explanation: If the label does not properly reflect the function, the TARGET may be activated or deactivated at the wrong time.

Title: indicator for a unique function
Clue type: path, component, component only
Item: lamp, indicator, switch, button
Clue text: Does the label of the indicator reflect functions other than the one(s) intended?
Explanation: If the label reflects other functions, some equipment may be activated or deactivated at the wrong time.
(p. 69)

Annex C (normative): Clues for software in the Ada language

Identifier: 1001
Title: memory-mapped register
Clue type: path, component, component only
Item: outreg
Clue text: Is the register memory-mapped? If so, can it be addressed in error as a result of array-index errors?
Explanation: Memory addressing errors can cause false output, and require data-flow tracing to the potentially erroneous array-addressing locations and pointer assignments.

Clue type: path, component, component only
Clue text: Are the codes addressing the register modifiable by several parts of the software?
Explanation: If the address codes are present in other places, or can be created by modification, the register values could be modified erroneously.

Identifier: 1008
Title: register number modification
Clue type: path, component, component only
Clue
9.
... well. Normally, bias conditions should not depend on the circuit configuration and switching modes, except after particular and careful study. The collector junction of a bipolar transistor shall not be inadvertently forward-biased under any switching, operational or testing mode.

Title: fan-out / fan-in rating
Item: IC, and, or, nand, nor, not, RS, JK, flip-flop, register, latch, buffer, active EED
Clue text: Does the component loading remain within the specified ratings?
Explanation: The common assumption that a TTL device can drive ten devices is not always true. Fan-out limits should be calculated by summing the input current requirements of the driven inputs and comparing the total with the output source (and sink) current of the driver.

Title: spike on the initialization signal
Item: digital IC, and, nand, or, nor, not gate, RS/JK flip-flop, register, latch, tristate
Clue text: Can a spike occur on the initialization signal?
Explanation: The initialization signal shall be protected against spikes, to prevent spurious initialization of the equipment.

Title: transient current through a relay contact
Item: relay contact
Clue text: Is an unregulated flow of current through the relay contacts acceptable?
Explanation: During power transitions or switching, for instance, high inrush currents may occur when capacitive loads are switched. The relay shall be operated within the manufacturer's specified ratings.
(p. 32)
10.
Clue text: Are interface circuits of the tristate type when used on a bus?
Explanation: To avoid a short circuit between the different users sharing a single line or bus, tristate outputs shall be used.

Identifier: 45A
Title: tristate outputs for multi-user line/bus
Item: buffer, driver
Clue text: Can tristate outputs to a bus be activated at the same time?
Explanation: To avoid a short circuit between the different users sharing a single line or bus, tristate outputs shall only be activated one at a time.

Title: pull-up resistor for multi-user line/bus
Clue type / Item: buffer, and, or, nand, nor, not, IC, RAM, ROM
Clue text: Is there one pull-up (pull-down) resistor attached to the tristate outputs?
Explanation: There shall be a pull-up (pull-down) resistor attached to tristate outputs, in order to define the line level during the high-impedance state. When there is a bus, only one pull-up (pull-down) resistor is necessary per bus line; in complex circuits, duplicate pull-up (pull-down) resistors may have been implemented on separate drawing sheets.

Title: pull-up resistor impedance
Item: buffer, driver
Clue text: Is the pull-up resistor value low compared with the high-impedance value of the line/bus?
Explanation: If the pull-up resistor value is high, or close to the high-impedance (leakage) value of the line/bus, the tristate outputs connected to the line may sit at an intermediate voltage during the high-impedance state of the bus, and this may lead to a short circuit.
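Both the fan-out clue (sum the input currents and compare them with what the driver can source and sink) and the two pull-up clues come down to the same DC bookkeeping on a shared line. The Python block below is an added example, not code from ECSS-Q-TM-40-04. It uses two constructed rating sets (typical figures for standard and low-power Schottky TTL, to be replaced by the ratings of the actual parts), computes fan-out in both logic states, and derives the window of acceptable pull-up values for a tristate bus: the upper bound keeps the idle line above V_IH against the summed leakage, the lower bound keeps any single driver able to pull the line to V_OL.

```python
"""DC loading checks for a shared logic line: fan-out (sum the input currents
and compare with the driver's source/sink capability) and the pull-up
resistor window for a tristate bus. Added example, not part of
ECSS-Q-TM-40-04. Currents are integer microamperes so the arithmetic is
exact; the two logic-family rating sets are typical datasheet figures used
here as constructed inputs, to be replaced by the ratings of the actual parts."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Ratings:
    """Worst-case DC ratings of one device, magnitudes in microamperes."""
    i_oh: int       # current the output can source at logic high
    i_ol: int       # current the output can sink at logic low
    i_ih: int       # current one input draws at logic high
    i_il: int       # current one input pushes back at logic low
    i_oz: int = 0   # leakage of a tristate output in its off state


# Assumed typical figures for standard TTL and low-power Schottky TTL.
TTL_STD = Ratings(i_oh=400, i_ol=16_000, i_ih=40, i_il=1_600)
TTL_LS = Ratings(i_oh=400, i_ol=8_000, i_ih=20, i_il=400, i_oz=20)


def required_drive(loads: Sequence[Ratings]) -> Tuple[int, int]:
    """Total current the driver must source (high) and sink (low), microamps."""
    return sum(l.i_ih for l in loads), sum(l.i_il for l in loads)


def loading_ok(driver: Ratings, loads: Sequence[Ratings]) -> bool:
    """The clue's check: loading stays within ratings in both logic states."""
    need_high, need_low = required_drive(loads)
    return need_high <= driver.i_oh and need_low <= driver.i_ol


def max_fan_out(driver: Ratings, load: Ratings) -> int:
    """Largest number of identical loads the driver can drive; the binding
    state is whichever of source or sink runs out first."""
    return min(driver.i_oh // load.i_ih, driver.i_ol // load.i_il)


def hiz_line_voltage(vcc: float, r_pullup_ohm: float, leak_ua: int) -> float:
    """Line voltage while every tristate output is off and the pull-up alone
    supplies the leakage (constant-current leakage model, clamped at 0 V)."""
    return max(0.0, vcc - r_pullup_ohm * leak_ua * 1e-6)


def pullup_window(vcc: float, v_ih: float, v_ol: float,
                  outputs: Sequence[Ratings], inputs: Sequence[Ratings]) -> Optional[Tuple[float, float]]:
    """(r_min, r_max) for the pull-up. r_max keeps the idle line above V_IH
    against the leakage of all off outputs and all inputs; r_min lets the
    weakest output still pull the line to V_OL while sinking the inputs' low
    current. Returns None if no value works."""
    leak = sum(o.i_oz for o in outputs) + sum(i.i_ih for i in inputs)
    r_max = (vcc - v_ih) / (leak * 1e-6)
    weakest_sink = min(o.i_ol for o in outputs) - sum(i.i_il for i in inputs)
    if weakest_sink <= 0:
        return None
    r_min = (vcc - v_ol) / (weakest_sink * 1e-6)
    return (r_min, r_max) if r_min <= r_max else None


def pullup_ok(r_ohm: float, vcc: float, v_ih: float, v_ol: float,
              outputs: Sequence[Ratings], inputs: Sequence[Ratings]) -> bool:
    window = pullup_window(vcc, v_ih, v_ol, outputs, inputs)
    return window is not None and window[0] <= r_ohm <= window[1]


if __name__ == "__main__":
    print("std TTL driving std TTL, fan-out:", max_fan_out(TTL_STD, TTL_STD))
    print("LS TTL driving std TTL, fan-out:", max_fan_out(TTL_LS, TTL_STD))
    bus_out, bus_in = [TTL_LS] * 8, [TTL_LS] * 4   # constructed bus: 8 tristate drivers, 4 inputs
    print("pull-up window (ohm):", pullup_window(5.0, 2.0, 0.4, bus_out, bus_in))
    print("idle line with 47 kohm:", hiz_line_voltage(5.0, 47_000, 240), "V")
```

Two things the numbers make visible: a low-power Schottky driver feeding standard TTL inputs is limited by its sink current to five loads, not ten, which is the clue's point about the "ten devices" rule of thumb; and a 47 kΩ pull-up on the constructed eight-driver bus cannot hold the idle line above 2 V against 240 µA of leakage, so the line floats to an intermediate level, while 4.7 kΩ sits comfortably inside the window.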
11.
... arrays
Clue text: For the FOR loop index, is the limit value fixed or can it vary, and if so, can the variation result in a loop-index error?
Explanation: Changing the limit value of a FOR loop can often result in difficult logic in which it is not clear whether a final limit will be reached. The usual result is an array-index overflow error, but in some cases the program may request all available memory before an exception occurs.

Identifier: 1046
Title: control transfer into a loop
Clue type: path, component, component only
Item: while, for, loop
Clue text: Are there labels within the loop, and can control transfer into the loop?
Explanation: Transfer of control into a program loop will in virtually all cases result in errors, because of the lack of loop initialization. Some programs allow for transfer of control out of a loop and then back again, but this is generally bad practice, since some compilers produce undefined results in such cases.
(p. 81)

Identifier: 1047
Clue type: path, component, component only
Item: while, for, loop
Clue text: Is the loop index used outside the loop, and if so, is its value undefined outside the loop?
Explanation: Some languages and some compilers allow the index of a FOR loop to be incremented and the resulting value to be available on leaving the loop. This is not always the case, though, and for some compilers the loop index
12.
... be guaranteed, it can lead to a sneak timing. For CMOS digital circuits, rise and fall times shall not exceed 15 microseconds, otherwise an erroneous output can be generated and power dissipation increases.
(p. 27)

Title: energy storage release
Clue type: path, component, component only
Clue text: Can the energy stored by the component be released without damage?
Explanation: As capacitors may retain stored charge once power is removed, capacitors can lead to latch-up, destroy sensitive circuits, delay the power-off of the function, or create sneak current paths. A discharge circuit (a bleed resistor in parallel with a high-value capacitor) may be provided to drain away the charge after the circuit is switched off. The system or circuit shall be designed such that the connection between the capacitor and its bleed resistor cannot be broken except during repair. When a circuit output connected to a capacitor changes state (digital circuit), the capacitor may generate an unexpected voltage spike that is dangerous for the components receiving it. A capacitor may keep circuit inputs powered while the circuit itself is not powered; this can induce sneak current paths through internal circuits (protection diodes, resistors, transistors).

Title: energy storage release
Clue type: path, component, component only
Item: inductor, coil, relay, transformer, motor, trafo
Clue text: Can the energy stored by the component
13.
... be released without causing damage?
Explanation: A magnetic field is an energy source that can produce large voltage transients when it collapses, particularly when an equipment is shut down or switched to standby.

Title: lack of surge resistor
Clue type: path, component, component only
Item: capacitor
Clue text: Is there no surge resistor to protect the IC?
Explanation: Integrated circuits should be protected against large capacitances connected to their inputs by placing a resistor in series.
(p. 28)

Title: diode prevents energy release
Clue type: path, component, component only
Clue text: Can a diode prevent energy release from the component?
Explanation: If a diode is connected in series with a capacitor to protect it against reverse voltage, check that it does not prevent the capacitor from releasing its energy.

Title: activation by leakage current
Clue type: path, component, component only
Item: diode, resistor, transistor, gate, and, or, nand, nor, capacitor
Clue text: Can the leakage current of the component activate or inhibit digital devices and lead to unexpected functions or loss of function?
Explanation: For instance, during unusual operating modes a relay coil may be fed from a low-voltage or high-impedance source, which can lead to a sneak current path. Sensitive amplifiers, FETs and high input-impedance devices are particularly susceptible to such problems.

Title: accep
14.
... character.
Explanation: Some string-handling systems allow free indexing to access particular characters in a string. A typical error is to access the zeroth character. Generally such an error will cause an exception, but in some cases it may corrupt program or data.

Identifier: 1020
Clue type: path, component, component only
Item: assign, box
Clue text: For strings, is there a proper string termination?
Explanation: Strings should preferably have a termination character or a string-length counter that prevents access beyond the end of the string. Otherwise the program may access invalid characters, or corrupt data or program.

Identifier: 1021
Clue type: path, component, component only
Item: assign, box
Clue text: For arrays, is it possible to address beyond the array limit?
Explanation: Addressing beyond the array limits will retrieve erroneous data, or corrupt data or programs. Some compilers prevent addressing outside the array limits, in which case an exception will result.

Identifier: 1022
Clue type: path, component, component only
Clue text: For arrays, is the zeroth element addressed without being defined?
Explanation: The addressing convention for arrays shall be well defined. Addressing a non-existent zeroth element of an array is a typical error, especially if programmers work in a multi-language environment.
(p. 75)

Identifier: 1023
Title: multidimensional arrays
Clue type: path, component, component only
Item: assign, b
15.
... ensures a stable reference voltage. However, the power dissipated in the Zener diode should not exceed the maximum permitted value.

Title: inductance of a wire-wound resistor
Item: resistor
Clue text: Has the inductive effect of the wire-wound resistor been taken into account?
Explanation: For a quasi-DC signal the inductance should have a negligible effect. At high frequencies the inductance is not negligible and adds to the impedance of the resistor, possibly leading to unexpected results.

Identifier: 115A
Clue type: path, component, component only
Item: power supply, battery
Clue text: Is it acceptable to connect one reference voltage of the power source to a reference voltage of another power source?
Explanation: Some power sources may be separated by galvanic isolation. Connecting these power sources (power to power or ground to ground) may undo the benefit of the galvanic isolation. It can also create unexpected high-current paths, as the reference points of the power sources may not be at exactly the same voltage.
(p. 52)

Title: maximum signal frequency
Clue type: component only
Item: IC, gate, and, or, nand, nor, not
Clue text: Has the maximum signal frequency been taken into account?
Explanation: There may be problems of low output signal levels if the expected signal frequency is close to the component's maximum frequency limit.

Title: location of the protection
16. (index extract: clue title, page)
... function, 56
high switching current for tantalum capacitors, 30
high value resistor, 67, 47
hysteresis for noise immunity, 51
ICs needing external component, 57
impedance matching, 43
indication stability during transition, 24
multidimensional arrays, 78
multiple earth returns for a signal, 46
multiple paths of a signal, 46
non-linear transfer function, 19
numeric constants, 79
one earth path for separate power source, 56
one path for separate power returns, 55
one path for separate signal returns, 56
operating range of a limiting device, 60
overflow, 26, 76
overload data loss, 87
overload delay of response, 87
overloading, 79
parallel diodes for redundancy, 53
parallel MOS FET transistors, 18
permanent electrical link through a ..., 17
place of the switching items, 16
pointer data access, 78
register sequence dependency, 73
register ..., 74
register use coordination, 74
power and signal lines in s
17.
... often occur as a result of the separating and later recombining of digital signals having a common source and load.
(p. 66)
Glitches may result in false logic, causing sneak timing. Glitches are usually detected by drawing a timing diagram.

Title: switch function for target
Clue type: path, component, component only
Item: switch, breaker, fuse, button, relay contact, path
Clue text: Is the switch function directly related to the target operation?
Explanation: The switch may have other functions not related to the target, or may be intended for some other purpose entirely. The other function can be activated (deactivated) at a time when the target is required (not required).

Title: correct polarization with coupling capacitor
Clue type: component only
Item: capacitor
Clue text: Are circuits using a signal coming through a coupling capacitor correctly polarized?
Explanation: Sometimes coupling capacitors are used between circuits to transmit an AC signal without any DC component. In such cases the DC component shall be restored by connecting the secondary side of the capacitor to ground via a suitable resistor.

Title: location of the protection device
Item: load
Clue text: Is the circuit located upstream of the protection device(s) on a power bus?
Explanation: When power is distributed to circuits, the first item on the power path shall be a protectiv
18.
... open, as is a battery or generator supply.

Identifier: 125A
Item: EED, squib, detonator
Clue text: Is a static-energy protection for the electro-explosive device implemented?
Explanation: Without static-energy protection, the electro-explosive device may ignite or detonate without being commanded. For instance, a pull-down resistor to ground of 100 kΩ may be used.
(p. 56)

Identifier: 125B
Title: disconnection of a static energy protection
Item: EED, squib, detonator
Clue text: Can the static-energy protection for an electro-explosive device be disconnected?
Explanation: Without static-energy protection, the electro-explosive device may ignite or detonate without being commanded. Unintended disconnection, or switching out the protection for test purposes, may introduce a hazard.

Explanation: Depending on the duty, EEDs may require an out-of-line firing chain, a separate mechanical arming device, diverse redundant switches in the firing chain, sterilisation, or guaranteed cut-out circuits.

Explanation: Some rectifiers need a command to turn on (thyristor, triac) and to turn off (GTO). Turn-on occurs in the presence of a short-duration, low-valued gate current; such a current shall not be generated by a spike. They can also turn on without being commanded if, for instance, they see a steep voltage transition (dV/dt too high). Such conditions may be obtained during testing
19.
... the rise time of a digital signal is short compared with the propagation time of the signal on a long line or through an interface, signal reflections may induce parasitic voltages and erroneous information.

Explanation: The truth table allows an exhaustive check of every possible input state.

Explanation: For instance, resetting a counter may be undesired because of its effects on the equipment; consequently the counter reset shall be inhibited, and additional circuits may be necessary to prevent the counter from passing through the 0 state when counting.

Title: simultaneous activation of mutually exclusive inputs
Clue type: component only
Item: bistable, flip-flop, register, latch, counter, JK, RS, bistable relay
Clue text: Can mutually exclusive commands (STOP/START, RESET/SET) be generated at the same time?
Explanation: RESET/SET and STOP/START shall not occur at the same time, otherwise the item state will be undetermined.
(p. 42)

Title: transient current through a fuse or breaker
Item: fuse, breaker
Clue text: Is the transient current flowing through a fuse or breaker within the specified limits?
Explanation: A fuse shall withstand, without rupturing, the high transient currents that may occur during power switching or during a power transition. The fuse should be chosen in accordance with the manufacturer's recommendations.

Item: sensor, fsens, psens, tsens, vsens, C
20.
... so the wrong register may be addressed.
(p. 71)

Identifier: 1008
Clue type: path, component, component only
Item: inreg
Clue text: Is it possible to read register values while they are partially updated?
Explanation: In some cases registers are updated gradually, for example one bit at a time. If this occurs, it is important to synchronise read operations so that they take place only when an input cycle has been completed.

Identifier: 1009
Clue type: path, component, component only
Item: inreg
Clue text: Are there two programs which read the same register values?
Explanation: If so, are the read operations coordinated, or can the programs disagree about the register value because of differences in read time?

Clue type: path, component, component only
Clue text: For data acquisition, is the cycle of data reading fixed? Is the delay time between read operations fixed?
Explanation: If not, the data series will not be made on a fixed time base, and noise will be introduced into the data. Interrupts and variable-length loops can cause variations in the read cycle.

Identifier: 1011
Title: data read frequency
Clue type: path, component, component only
Clue text: Is the delay time between read operations always short compared with the natural time constants of the system being monitored?
Explanation: As a rule of thumb, the delay should be less than one tenth of the shortest significant time constant in the controlled syste
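Clue 1008 describes a torn read: a register updated in pieces can be observed in a state that never existed, neither the old value nor the new one. The following Python block is an added example and not code from ECSS-Q-TM-40-04. It models a constructed 16-bit input register that the producer writes one byte at a time, steps the producer explicitly so the bad interleaving is reproducible, and contrasts an unsynchronised read with one that uses an update-in-progress counter (odd while a cycle is open, even when complete) and retries until it has read both bytes inside one completed input cycle.

```python
"""Reading a register while it is partially updated (clue 1008) and a
synchronised read that waits for a completed input cycle. Added example,
not part of ECSS-Q-TM-40-04. The register is a constructed model of a 16-bit
input register that the producer updates one byte at a time; the producer is
stepped explicitly so the torn read is reproducible instead of timing-dependent."""


class ByteWiseRegister:
    """16-bit value written as two separate bytes, high byte first, with a
    cycle counter that is odd while an update is in progress. The counter
    plays the role of the 'input cycle complete' indication the clue asks for."""

    def __init__(self, value: int) -> None:
        self.hi = (value >> 8) & 0xFF
        self.lo = value & 0xFF
        self.cycle = 0  # even: consistent, odd: update in progress

    def update_steps(self, new_value: int):
        """Generator: one partial write per step, so a reader can be
        interleaved at any point of the update."""
        self.cycle += 1
        yield "update started"
        self.hi = (new_value >> 8) & 0xFF
        yield "high byte written"
        self.lo = new_value & 0xFF
        yield "low byte written"
        self.cycle += 1
        yield "update complete"


def naive_read(reg: ByteWiseRegister) -> int:
    """Reads both bytes with no regard to the update state."""
    return (reg.hi << 8) | reg.lo


def synchronised_read(reg: ByteWiseRegister, wait) -> int:
    """Retry until the cycle counter is even before the read and unchanged
    after it, i.e. both bytes belong to one completed input cycle. `wait`
    yields to the producer (in this model it advances the producer one step)."""
    while True:
        before = reg.cycle
        if before & 1:
            wait()
            continue
        value = (reg.hi << 8) | reg.lo
        if reg.cycle == before:
            return value
        wait()


def torn_read_demo(old: int = 0x12FF, new: int = 0x1300):
    """Interleave a reader after the high byte of an update: the naive read
    returns a value that was never in the register, the synchronised read
    returns the completed new value. Returns (naive_value, synchronised_value)."""
    reg = ByteWiseRegister(old)
    producer = reg.update_steps(new)
    next(producer)  # update started (cycle becomes odd)
    next(producer)  # high byte written, low byte still holds the old value
    torn = naive_read(reg)
    synced = synchronised_read(reg, lambda: next(producer, None))
    return torn, synced


if __name__ == "__main__":
    torn, synced = torn_read_demo()
    print(f"naive read: {torn:#06x}, synchronised read: {synced:#06x}")
```

With the constructed values the naive read returns 0x13FF, a value the register never held, which is exactly the failure clue 1008 is hunting for; the synchronised read returns 0x1300. The same double-check of a completion counter around the read is the pattern to look for in the software under review, whatever name the hardware gives its "cycle complete" indication.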
21.
Title: stability during transition
Clue type / Item: sensor, indicator, lamp, detector
Clue text: Is the information delivered by the monitoring circuit stable and consistent during signal or state transitions?
Explanation: During power or mode transitions, the monitoring circuit shall give appropriate information to the system.

Explanation: For instance, if a clock signal is distributed to many circuits, the input capacitances of the circuits add up, and the clock generator may deliver a degraded clock signal with slow leading and trailing edges, and possibly a distorted waveform with no clear leading edge.

Clue type / Item: IC, and, or, nand, nor, not, JK, RS, flip-flop, register, latch
Clue text: Are the unused inputs of integrated circuits correctly polarized or grounded?
Explanation: Some integrated circuits include internal polarization on their inputs/outputs. For the others, unused inputs shall not be left floating: open inputs cause decreased noise immunity and unnecessary power dissipation due to instability. For instance, an unused OpAmp may be given feedback between its output and input, correctly polarized through a resistor, and unused digital circuit inputs may be connected to ground or to the power rail through a resistor.
(p. 24)

Title: unused inputs tied to other inputs
Clue type: component only
Item: IC, and, or, nand, nor, not, JK, RS, flip-flop, register, latch
Clue text: Are unused inputs tied to other inputs?
22.
... the efficiency: the efficiency will be at its maximum or not, depending on the characteristic graph of the machine.
(p. 89)

Identifier: 2004
Item: pump, turbine
Clue text: Are there any regions where the pressure is lower than the vapour pressure of the liquid?
Explanation: If the local pressure is lower than the vapour pressure, vapour bubbles are produced within the liquid. These bubbles are dragged along with the liquid to a region where a higher pressure is reached. If the bubbles collapse close to a wall, the pressure produced when the liquid rushes into the cavities can reach very high local values, which can damage the solid surface. In addition, vibration, noise and a decrease in the efficiency of the hydraulic machine occur.

Identifier: 2005
Item: cvalve, valve
Clue text: Has the water-hammer effect caused by the sudden closure of a valve been considered?
Explanation: When a flow is quickly decelerated by the closure of a valve, the compressibility of the liquid and the elasticity of the pipe walls can produce a phenomenon called water hammer: a wave of high pressure travels back along the pipe and can damage the piping and the equipment mounted on it.

Identifier: 2006
Item: checkv, cvalve, drain, pump, sv, tank, tankbladder, tankpres, turbine, valve, vessel
Clue text: Has the wear-out of mechanical components and piping in hydraulic systems been considered?
Explanation: With use, piping
23.
... when not desired, or inhibited when expected?
Explanation: During a power transition, the transient current that flows, for instance, to charge capacitors can briefly activate a switch command. If part of a circuit is powered while another part is not, this can inhibit a current path or create new ones. Unexpected sequences (testing, check-out, contingency) can lead to an unscheduled switch combination. Conduction may be required for one load but unwanted for other loads.

Identifier: 140AA
Title: unexpected switch command activation
Clue type: path, component, component only
Item: transistor, rectifier, breaker, relay, switch, contact, button, interlock, plug
Clue text: Can a switch or its command be activated when not desired, or inhibited when expected?
Explanation: As above.
(p. 61)

Identifier: 140AAA
Title: unexpected switch command activation
Clue type: path, component, component only
Clue text: Can a switch or its command be activated when not desired, or inhibited when
24.
Identifier: 58AA
Item: IC, and, or, nand, nor, not, RS, JK, flip-flop, register, latch, buffer, active EED
Clue text: Does the component load remain within the specified ratings?
Explanation: Is the fan-out rating exceeded?

Identifier: 58A
Item: flip-flop, register, latch, buffer, OpAmp, IC
Clue text: Are load ratings exceeded during abnormal or unusual operational states?
Explanation: During unscheduled sequences and modes (e.g. testing), or when switching a load with an impedance lower than expected or with different characteristics (inductive instead of resistive), a permanent failure or a sneak current path with potential hazards can result. Particular attention should be paid to integrated circuits (e.g. OpAmp, comparator) or semiconductors connected to capacitors during power transitions: for instance, if a capacitor is used as feedback around an OpAmp or comparator, the drive capability of its output may be exceeded. The same is true if the capacitor is connected from input to ground or from output to ground. Providing a series limiting resistance is a solution in some cases.

Identifier: 58AAA
Item: flip-flop, register, latch, buffer, OpAmp, IC
Clue text: Are load ratings exceeded during abnormal or unusual operational states?
Explanation: As for 58A.
25. Identifier: 1016
Clue type: path component, component only
Item: assign, box
Clue Text: Does expression evaluation or assignment involve type coercion?
Explanation: If so, is there any loss of precision or potential for overflow?

Identifier: 1017
Clue type: path component, component only
Item: assign, box
Clue Text: Can evaluation of the expression cause arithmetic overflow or underflow?
Explanation: Overflow or underflow may cause errors in output, spikes or steps in control signals, and delays in output or loss of processing.

Identifier: 1018
Clue type: path component, component only
Item: assign, box
Clue Text: Is there a divide operation in the statement? Can division by zero occur?
Explanation: Division by zero will cause an exception, which could lead to delay, loss of processing or erroneous results.

Identifier: 1019
Clue type: path component, component only
Item: assign, box
Clue Text: For strings, is it possible to address before the first string character?
Explanation: Some string handling systems allow free indexing to access particular characters in a string. A typical error is to access the zeroth character. Generally such an error will cause an exception, but in some cases it may corrupt program or data.

Identifier: 1019
Title: string length
Clue type: path component, component only
Item: assign, box
Clue Text: For strings, is it possible to address beyond the last string
26. ECSS-Q-TM-40-04 Part 2A, 16 April 2010
EUROPEAN COOPERATION FOR SPACE STANDARDIZATION
Space product assurance
Sneak analysis, Part 2: Clue list
ECSS Secretariat, ESA-ESTEC, Requirements & Standards Division, Noordwijk, The Netherlands

Foreword
This document is one of the series of ECSS Technical Memoranda. Its Technical Memorandum status indicates that it is a non-normative document providing useful information to the space systems developers' community on a specific subject. It is made available to record and present non-normative data which are not relevant for a Standard or a Handbook. Note that these data are non-normative even if expressed in the language normally used for requirements. Therefore, a Technical Memorandum is not considered by ECSS as suitable for direct use in Invitation To Tender (ITT) or business agreements for space systems development.

Disclaimer
ECSS does not provide any warranty whatsoever, whether expressed, implied, or statutory, including, but not limited to, any warranty of merchantability or fitness for a particular purpose or any warranty that the contents of the item are error-free. In no respect shall ECSS incur any liability for any damages, including, but not limited to, direct, indirect, special, or consequential damages arising out of, resulting from, or in any way connected to the use of this Document, whether or not based upon warr
27. END LOOP, EXIT, EXIT WHEN, RETURN, CALL, PACKAGE, END PROCEDURE, FUNCTION, EXCEPTION, RAISE, TASK, BEGIN, GENERIC, SEPARATE, SEMAPHORE
software instruction that assigns values to variables
IF, ELSE IF, CASE, WHEN, WHILE, OTHERS, END CONDITIONAL, ELSE, END IF, END CASE, END LOOP, NULL
software instruction implementing algorithmic operations (e.g. additions)

THEN, DECLARATION, CONSTANT, TYPE, NEW, DIGITS, DELTA, RANGE, SUBTYPE, RECORD, ACCESS, PRIVATE, RANGE, RENAME, IS, SEPARATE

hydraulic
tank: tankpres (sealed container), tankbladder, vessel
valve: sv (relief valve), cvalve (control valve), checkv (check valve)
pump, turbine, vent, drain
pregulator: pressure regulator

Annex B (normative)
Clues for electrical, electromechanical and electronic equipment

Title: place of the switching items
Clue type: component only, path component
Item: switch co
28. Clue Text: Are any register numbers treated as parameters or used as updatable table entries?
Explanation: If so, it may be possible to modify the number so that the register is addressed wrongly or is not addressed when it should be.

Identifier: 1004
Title: synthesis of control codes
Clue type: path component, component only
Clue Text: Are the operation codes for the register fixed codes, or are they constructed from constants by bit manipulation?
Explanation: If they are constructed, they may be incorrect, resulting in the incorrect output signal.

Identifier: 1005A
Title: register sequence dependency
Clue type: path component, component only
Item: outreg
Clue Text: Are there constraints on the register operation sequence?
Explanation: It is often the case that separate outputs to the same device shall be in the correct sequence in order to establish the correct sequence of system states. If this is not done, it may lead to a stop of operations or to incorrect system operation.

Identifier: 1006
Clue type: path component, component only
Clue Text: Is the register memory mapped? If so, is it possible to read from the wrong register due to an addressing error?
Explanation: If so, a spurious input value will be obtained.

Identifier: 1007
Title: register address modification
Clue type: path component, component only
Clue Text: Are the register addresses hard coded, or are they stored in a table? Is the table updated?
Explanation: If
29. abbreviated terms
3.1 Terms from other standards
For the purpose of this document, the terms and definitions from ECSS-S-ST-00-01, ECSS-Q-ST-30, ECSS-Q-ST-40 and ECSS-Q-ST-40-04 apply.
3.2 Abbreviated terms
For the purpose of this Standard, the abbreviated terms from ECSS-S-ST-00-01 and ECSS-Q-ST-40-04 apply.

4 Clue list structure
4.1 Taxonomy of items
Annex A contains the taxonomy of items (namely EEE and hydraulic components, and software instructions) relevant to the clues listed in this document. For EEE equipment and software written in the Ada language, the clues contained in Annexes B and C shall be used. When sneak analysis is to be applied to a hydraulic system or subsystem, the clues contained in Annex D may be used. The Annexes of this document may be obtained upon request from the ECSS secretariat, either as a word processor file or as a database for personal computers.
4.2 Structure of the entries of the clue list
A clue is defined in ECSS-Q-TM-40-04A Part 1, 3.2.1, as a question pointing at a possible way through which design errors associated with one or more items of a system can lead to a system malfunction. To apply a particular clue, it is necessary to clearly identify the text of the question and the items to which the question applies (the taxonomy of these items is contained in Annex A). To facilitate the management of the clue list and its appli
30. anty, business agreement, tort or otherwise, whether or not injury was sustained by persons or property or otherwise, and whether or not loss was sustained from or arose out of the results of the item, or any services that may be provided by ECSS.

Published by: ESA Requirements and Standards Division, ESTEC, P.O. Box 299, 2200 AG Noordwijk, The Netherlands
Copyright: 2010 by the European Space Agency for the members of ECSS

Change log
ECSS-Q-40-04A Part 1: First issue, 14 October 1997
ECSS-Q-TM-40-04 Part 2A: Second issue, 16 April 2010. Conversion of ECSS-Q-40-04A Part 2 Clue list (14 October 1997) into a Technical Memorandum according to ECSS drafting rules for Technical Memorandum.

Table of contents
Change log 3
1 Scope 5
2 Normative references 6
3 Terms, definitions and abbreviated terms 7
3.1 Terms from other standards 7
3.2 Abbreviated terms 7
31. ator, the saturation of the feedback capacitor induces a saturated signal and an erroneous output signal.

Title: self-healing of plastic film capacitors
Clue type:
Item: capacitor
Clue Text: Is there enough energy in the capacitor for self-healing?
Explanation: The recommended minimum energy for self-healing is about 500 mJ.

Item: IC, latch, flipflop
Clue Text: During power-on or initialization, is each item (circuit) in a correct predefined state?
Explanation: During initialization, latch or register inputs shall have appropriate polarization resistors in order to retain the correct logic state when the initialization phase is completed and the computer has still not accessed the latch or register; otherwise they shall be initialised dynamically.

Identifier: 66
Title: correct initialization time
Clue type: component only
Item: JK, RS, latch, register, counter, flipflop, and, RAM, ROM, micropro
Clue Text: Is the initialization time long enough to be compatible with each component signal specification and with the longest transition time of the power sources?
Explanation: Some circuit pins need a minimum initialization time (RESET, CLEAR, SET). A too short initialization time may not correctly reset a microcontroller or a register state; it may enable outputs which are connected to circuits not yet nominally powered.

Clue type:
Item: JK, RS, latch, register, counter, flipflop, and, RAM, ROM, micropro
Clue Text: Is the init
32. cation, other attributes are attached to each clue, i.e.: an unambiguous alphanumeric identifier (clues for EEE equipment have identifiers in the range 1 to 999, clues for software have identifiers in the range 1000 to 1999, and clues for hydraulic equipment have identifiers in the range 2000 to 2999); a clue short title, which provides a short description of the content of the clue; and the clue explanation, i.e. a short explanation of the clue text.
To restrict the use of the various clues to the sneak analysis procedure for which they are intended (see ECSS-Q-TM-40-04 Part 1, 4.1), the attribute "clue type" has been associated with each entry of the list. If a clue type is "path component", then it is intended for use during the application of the sneak path analysis. If a clue type is "component only", then it is intended for use during the application of the design concern analysis. It is noted that some clues are intended for use both during sneak path analysis and design concern analysis, and these are typed by two keywords, "path component" and "component only". Some "component only" clues need to be applied only once to each member of the taxonomy and not to each component in the system under analysis. These clues are identified by the keyword "once only" and are to be used only during the design concern analysis. For an example, see clue 60 in Annex B. The
33. comes comparable to a natural frequency of the controlled system?
Explanation: If the delay grows to approach the time constant of a controlled system, then oscillation can result. With large delays this can lead to an equivalent problem in transaction processing, where queries are returned faster than the system can process the original request.

Identifier: 1062
Title: overload delay of response
Clue type: path component, component only
Item: input, task
Clue Text: Can overload delay an output so that a critical deadline is missed?
Explanation: Critical deadlines are typical of cyclic or one-shot controlled systems in which there is a time window for correct input to or output from the computer.

Identifier: 1063
Title: error handling interruption
Clue type: path component, component only
Item: exception, assign
Clue Text: Does error handling stop processing? If so, is the stop hazardous?
Explanation: Exception handling cannot always lead to system restart or recovery.

Identifier: 1064
Title: error handling lockout
Clue type: path component, component only
Item: exception, assign, box
Clue Text: Can reserved data or memory be frozen due to error handling?
Explanation: Semaphores which are not released can lead to lock-out, as can bus contention and memory contention lines.

Identifier: 1065
Clue type: path component, component only
Item: exception, assign, box
Clue Text: Are all data values reinitialized on error recovery?
Expla
34. cuit shall be detected.

Identifier: 136A
Title: response time of a monitoring circuit
Clue type: component only
Item: sensor, threshold
Clue Text: Is the response time of the monitoring circuit acceptable for the system?
Explanation: If a capacitor voltage is used (directly or not) as status information by a monitoring circuit, the capacitance may induce a delay. If a monitoring circuit checks the status of a relay just after the relay has changed state, erroneous information may be transmitted if the relay contacts suffer contact bounce after switching. A delay for the status acquisition is necessary to monitor a stable status.

Identifier: 136B
Clue type:
Item: sensor, threshold
Clue Text: Is the start-up latency of the sensor acceptable for the system?
Explanation: Many sensors for physical variables, particularly concentration and temperature, have a latency time before they register correctly.

Title: transient current path through switches
Clue type: path component, component only
Item: transistor, rectifier, breaker, relay, switch, contact, button, interlock, plug
Clue Text: During change of state of switches, can transient current paths exist?
Explanation: As switches do not all switch at the same speed, a switch can still be in the same position whereas another has already changed state; a switch can be open during its change of state whereas another has c
35. cument ECSS-Q-TM-40-04 "Sneak analysis, Clue list", which contains a basic clue list to be used during sneak analysis. This Technical Memorandum is applicable when the performance of sneak analysis is required by ECSS-Q-ST-40 or by the business agreement between the customer and the supplier. Alternative sneak analysis procedures proposed by the supplier may be accepted by the customer, provided that equivalence for the intended application with the one presented in this Technical Memorandum is shown by the supplier. This Technical Memorandum may be tailored for the specific characteristics and constraints of a space project in conformance with ECSS-S-ST-00.

2 Normative references
The following normative documents contain provisions which, through reference in this text, constitute provisions of this ECSS Standard. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. However, parties to agreements based on this ECSS Standard are encouraged to investigate the possibility of applying the more recent editions of the normative documents indicated below. For undated references, the latest edition of the publication referred to applies.
ECSS-S-ST-00-01: ECSS system, Glossary of terms
ECSS-Q-TM-40-04: Space product assurance, Sneak analysis, Part 1: Principles and requirements

3 Terms, definitions and
36. Identifier: 1074
Clue type: path component, component only
Item: goto, return
Clue Text: Can random control transfers be made into critical sections of code?
Explanation: Go-to statements can lead to unexpected transfers of control, particularly if label or procedure arrays (switches) are used. Erroneous control transfers can also arise due to hardware error in calculating jump addresses.

Identifier: 1075
Title: computed address error
Clue type: path component, component only
Item: return, goto
Clue Text: Is the address for the control transfer computed or taken from an array? If so, can the address be corrupted?
Explanation: A corrupted address will lead to a random transfer of control.

Identifier: 107
Title: use of access types and pointers
Clue type: path component, component only
Item: assign, box
Clue Text: Does the assignment make use of access types?
Explanation: Access types and pointers are one of the biggest sources of errors in delivered software, and in safety-related software they should be used only where strictly necessary, e.g. in list processing packages. The dangers with the use of pointers are that simple arithmetic, initialization and usage errors can lead to corruption of data and programs in an untraceable and seemingly random fashion.

Identifier: 1078
Clue type: path component, component only
Item: assign, box
Clue Text: Is it possible to activate predefined exceptions?
Explanation: The proc
37. d excessive power dissipation due to imprecise switching caused by excessive input time constants.

Identifier:
Title: voltage protection on inputs
Clue type: component only
Item: OpAmp, comparator
Clue Text: Is the component protected against erroneous voltages on its inputs?
Explanation: When multiple signals are connected to the same input through resistors (summator, subtractor), a sneak current path can occur between these multiple signals if one of them delivers a voltage higher than expected. Zener diodes can be connected across each signal input. Protection diodes can also be implemented to limit the differential voltage between inputs.

Clue type:
Item: sensor, detector, indicator, lamp, psens, fsens, tsens, xsens, lsens, pos ens
Clue Text: Is a monitoring circuit located and connected so that it delivers the status of the function to be monitored?
Explanation: The monitoring circuit shall indicate only the status of the monitored function, not the status of another function.

Title: disconnection from signal source
Clue type: path component, component only
Item: sensor, detector, lamp, indicator, psens, fsens, xsens, lsens, csens
Clue Text: Can the monitoring circuit be disconnected from the monitored signal or device?
Explanation: The monitoring circuit should not indicate the opposite state of the monitored function.

indication
38. device
Clue type:
Item: load
Clue Text: Are the protection devices missing?
Explanation: When a signal or input is distributed to circuits, the first component attached to the input line shall be a protective device, in order to protect the input against a short circuit on the component.

Title: correct signal attachment on drawing
Clue type:
Item: signal, connector, label, offpage
Clue Text: Is each circuit using the right signal on its inputs and delivering the right signal at the correct output?
Explanation: As a system is usually documented on several drawings, flags are used to identify corresponding signal lines on the various drawings. When using a register to latch the data of a bus, for instance, the input i of the latch shall deliver on the corresponding output a signal with the same number i. Sometimes labels seem to be at the correct place on the drawing, but within the computer the labels may be mis-attached. In case of hierarchical design, the flags of a level shall be coherent with the flags of the upper and lower levels.

Identifier: 117A
Title: one path for separate power returns
Clue type: component only
Item: earth, ground, chassis
Clue Text: Are independent power supplies sharing a current return path or chassis return?
Explanation: The return lines for digital and low-level analogue signals shall be kept separate. Spikes due to digital circuits will
39. e, and the relations between variable values may then be inconsistent.

Identifier: 1053
Title: shared table processing
Clue type: path component, component only
Clue Text: Can the current task address a table element which has been deleted by another?
Explanation: Deletion is a particularly difficult operation in a multitasking environment, particularly if tasks maintain their own identifier variables into a table or array.

Identifier: 1054
Title: semaphore lock matching
Clue type: path component, component only
Item: assign, semaphore
Clue Text: Can a program reserve or lock data and fail to free it?
Explanation: Matching of requesting and releasing commands is essential. Release may be missing on some program paths, or if an exception arises in a program.

Identifier: 1055
Clue type: path component, component only
Item: assign, box, semaphore
Clue Text: Can the program fail to free reserved data due to exceptions or errors?
Explanation: Matching of requesting and releasing commands is essential. Release may be missing on some program paths, or if an exception arises in a program.

Identifier: 1056
Title: deadlock
Clue type: path component, component only
Item: semaphore, task
Clue Text: Can deadlock arise?
Explanation: Deadlock arises when two or more tasks are competing for two or more resources. If task A has resource X and waits for resource Y, and task B has resource Y and waits for X, neither task can proceed. Solutions to the prob
40. e device, in order to protect the power bus against a short circuit in the sensor.

Identifier: 9
Title: resynchronization of a sequential logic
Clue type: component only
Item: IC, and, or, nand, nor, not, flipflop, JK, RS
Clue Text: Is a sequential digital signal safely resynchronized?
Explanation: When a digital signal passes through many logic gates, a delay occurs. Within systems (circuits) using a common clock, sequential digital signals shall be resynchronized as soon as the propagation time uncertainty may lead to sneak timing problems. The resynchronisation signal may be missing in some modes.

Clue Text: Is a sequential digital signal safely resynchronized for a long logic train?
Explanation: When a digital signal passes through many logic gates, a delay occurs. Within systems (circuits) using a common clock, sequential digital signals shall be resynchronized as soon as the propagation time uncertainty may lead to sneak timing problems. This is especially true if the logic train is very long.

Title: explicit wording of a label
Clue type: component only
Item: label, lamp, indicator
Clue Text: Is each label wording explicit?
Explanation: Instead of writing, for example, "function 2" for a label, it is preferable to identify the function precisely ("door opening"). This is important for indicators or commands.

Identifier:
Title: indicator correct function label
Clue type:
41. e path.
Explanation: If the drains are used to control the pressure in a branch of the circuit, the loss of drains (after switching of a valve, for instance) will leave the junction point in a floating state and might induce an unintended current to flow in other branches of the circuit.

Identifier: 2011
Title: protection against reverse flow
Clue type: path component
Item: cvalve, tank, tankpres, valve, vessel
Clue Text: Is each branch of the circuit protected against potential reverse flow?
Explanation: For instance, during the switching from one branch to another there may be a reverse current between branches. This applies especially if there are multiple fluid sources that are connected, or branches originating from the same source that have different pressure drops and later reconnect. When no protection against reverse flow is implemented downstream of each flow source, there might be current flowing from other sources to the unprotected one(s). Usually check valves are used to eliminate this problem.

Identifier: 2012
Title: valve used for different functions
Clue type:
Item: cvalve, valve
Clue Text: Is the valve used to implement different functions in different operating modes?
Explanation: If a valve implements different functions (e.g. isolation and flow control) in different operating modes of the system, there is the possibility that a specific function might be unint
42. entionally activated or deactivated in some operating modes of the system.

Identifier: 2013
Title: pressure level during different operating modes
Clue type:
Item: cvalve, tank, tankpres, valve, vessel
Clue Text: Does the pressure level remain in its expected range(s) during the various operating modes?
Explanation: During particular phases (e.g. testing or changes of operating mode), some unforeseen switching combinations might be triggered, and this could lead the pressure of the system to exit from the expected range.

Identifier: 2014A
Title: temporal gap between switching of valves
Clue type:
Item: cvalve, valve
Clue Text: Is the temporal gap between the activation and deactivation of different valves in a system justified?
Explanation: When multiple valves shall be activated or deactivated, care should be taken that the temporal gap between their activation and deactivation does not lead to unintended effects (e.g. reverse flow, flow at the wrong time).

Identifier: 2014B
Title: switching sequence of valves
Clue type:
Item: cvalve, valve
Clue Text: Is the activation or deactivation sequence of different valves in a system the proper one?
Explanation: When multiple valves in a system shall be activated or deactivated, the proper sequence of activation needs to be ensured, either automatically or by manual procedures; otherwise unintended or untimely flow can occur.

Identifier: 2015
Clue type: component only, path component
Item: cvalve, p
43. eparated 48
power transient(s) 64
predefined exceptions 90
pressure level during different operating modes 94
pressure relief 91
protection against reverse flow 94
protection against reverse voltage 20, 31, 32
protection against transient currents 26
protection against transient voltage 25
protective and polarization device 69
pull-up resistor for multi-user line bus 27
pull-up resistor impedance 27
RC LC time constant 22
reaction delay of one-shot items 68
reaction of corrosion products 93
recursive 80
reference potential for chassis 67
reference potential for power supply 67
register address modification 73
register number modification 72
register overflow 75
response time of a monitoring circuit 61
resynchronization of a sequential logic
resynchronization of sequential logic with long logic train 71
reverse current in a relay coil 68
reverse current through collector 17
reverse voltage on a polarized capacitor 50
saturated or clipped signal 37
saturated or clipped signal input 38
saturation detection
44. er value is undefined when the loop is exited.
Clue Text: Are there exits from inside the loop? If so, are the loop terminations identical, or are they separated on purpose (completion, success, failure) with appropriate processing?
Explanation: Flags or labelled exit points are two alternative ways of implementing multiple exits from loops.

Identifier: 1049
Clue type: path component, component only
Clue Text: For event-driven programs, does the processing depend on the sequence of events? If so, are all sequences allowed?
Explanation: Event-driven programs can be difficult to write because the programmer has one step-by-step sequence in mind, for example that described in the program user manual. However, alternative sequences will generally occur, and if the program is sequence dependent, the alternative sequences shall be catered for.

Identifier: 1051
Title: shared data processing
Clue type: path component, component only
Item: assign, box
Clue Text: Are shared variables semaphore protected?
Explanation: If not, it may be possible for two tasks to attempt to update shared variables at the same time, so corrupting the values.

Identifier: 1052
Clue type: path component, component only
Item: assign, box
Clue Text: Are groups of variables which shall be updated consistently semaphore protected?
Explanation: If not, multiple tasks may attempt to update records at the same tim
45. especially for CMOS devices. The pull-up resistor value shall be lower than one tenth of the high impedance value of the line bus.

Title: pull-up resistor impedance
Clue type:
Item: buffer, driver
Clue Text: Is the pull-up resistor value low compared with the high impedance value of the line bus?
Explanation: If the pull-up resistor value is high or close to the high impedance value of the line bus, the tri-state outputs connected to the line bus may be polarized to a middle voltage value during the high impedance state of the bus, and this may lead to a short circuit, especially for CMOS devices. The pull-up resistor value shall be lower than one tenth of the high impedance value of the line bus.

Clue Text: Has a decoupling capacitor been provided?
Explanation: The high processing frequency of the logic circuits leads to current spikes, and then to voltage spikes because of the inductive coupling between conductors at high frequency. Only a decoupling capacitor close to the power pins can prevent the spikes from propagating to the other circuits.

Title: timing compatibility
Clue type: component only
Item: IC, and, nand, or, nor, not, JK, RS, flipflop, register, latch
Clue Text: Is the timing compatibility between circuits respected?
Explanation: This problem is likely to occur between circuits of different families, or when an analogue output is connected to a digital input. If one of the specified parameters cannot
46. essing of predefined exceptions is often wrong for safety-related programs; e.g. the reporting and termination of tasks which often takes place is generally wrong. The program needs to be able either to take safety action or to continue monitoring.

Annex D (informative)
Clues for hydraulic equipment

Identifier: 2000
Title: evaporation of a liquid
Clue type: component only, path component
Item: tank, tankbladder, tankpres, vessel
Clue Text: Is there any device which protects against the decrease of pressure?
Explanation: If the pressure decreases below the liquid's vapour pressure, it would produce a change of phase, which could have catastrophic consequences if the necessary measures are not taken into account; for instance, part of the obtained vapour could circulate upstream of the tank and mix with other liquids or vapours.

Identifier: 2001
Clue type:
Item: checkv, cvalve, pregulator, sv
Clue Text: Has any device been foreseen in order to quickly reduce overpressure peaks?
Explanation: To avoid failure in a hydraulic system, a safety valve or device should be installed to relieve overpressure.

Identifier: 2008
Title: engine's efficiency
Clue type: component only
Item: pump, turbine
Clue Text: Are the characteristic parameters the correct ones?
Explanation: An engine has optimum efficiency in some specific conditions of its parameters; for instance, in the case of a pump, for a specific height, flow, work pressure
47. expected?
Explanation: During power transition, the transient current which flows, for instance, to charge capacitors can briefly activate a switch command. If a part of a circuit is powered while another part is not, it can inhibit a current path or create new ones. Unexpected sequences (testing, check-out, contingency) can lead to an unscheduled switch combination. Conduction may be required for one load but may be unwanted for other loads.

Identifier: 141A
Title:
Clue type: path component, component only
Item: gate, AND, mux
Clue Text: Can a transient pick-up or drop-out voltage unintentionally energize or de-energize a load or a switching item?
Explanation: During a power transition a capacitor behaves as a low impedance: a capacitor implemented as a static protection against direct current may allow an unexpected current flow through a load in dynamic (transient) conditions. Voltage differences within a circuit often occur during power on/off: some parts of the circuit may have reached their operational voltage while others are still changing; during power on/off within a circuit supplied with separate voltages, one voltage may have reached its operational value while others are still changing; separated parts of a circuit can be independently supplied, one being powered while the others are not. Such voltage differences, normal or unexpected, can create sneak current paths through diodes, transistor base-col
48. f these devices should be envisaged during the power-off phase of the circuit.

Index
unexpected switch command activation 63, 64
acceptable charge/discharge current 30
activation by leakage current 30
address code control 72
adjustment of input impedance 51
aliasing 78
array 77
array zero element 77
assignment to constants 80
balanced push-pull transistors 36
bias (polarization) signal 68
buffer overflow
capacitive feedback within an … 51
capacitor used as status indicator 31, 38
case coverage in nested IF 81
cavitation 92
coherence between label
connector in earth return line 47
contacts and inductive load switching 50
continuous current path via an auto-transformer 53
control transfer into a loop 83
correct bias for Zener 53
correct initialization time 38
correct polarization with joining capacitor 70
correct power settling time 39
correct signal attachment on drawing 55
correct signal for mode 32
correct state during initialization 36, 37
current limiter shared by multiple … 60
49. functions
Clue type: path component, component only
Item: switch, button, relay, gate (AND)
Clue Text: Is independent timing of switching items justified?
Explanation: When multiple switches are to be activated and confusion in the activation order can have critical impacts, the temporal independence between these switches shall be suppressed or safety barriers shall be added. If several switches are to be activated at the same moment (to cut off the three phases of the main power, for instance), these switches should be activated by the same command or signal.

coherent labelling of inter-board leads
Item: label, connector
Clue Text: Is an interface label used on separate boards the same on all boards?
Explanation: If the labels are different there may be problems during routing on the board: signals may not be connected together.

Item: lamp, switch, button
Clue Text: Do the indications provided by all the monitoring circuits follow the same common logic conventions?
Explanation: Usually level 1 corresponds to power presence and level 0 to lack of power. A red lamp lights up for a problem and a green lamp indicates that the monitored function is OK.

impedance matching
Clue type: component only
Item: buffer, amplifier, driver
Clue Text: Are interface lines terminated correctly?
Explanation: If the
50. h board to ensure a clean power supply, free of spikes (µF) and radio-frequency parasites (nF).

decoupling capacitor for each board
Clue type: connector, multiconnector, malecon, femcon
Clue Text: Has a decoupling capacitor been provided for each direct-current power signal at the entrance of each board?
Explanation: Install a decoupling capacitor for each power signal at the point where it enters each board, to ensure a clean power supply free of spikes (µF) and radio frequency (nF).

Clue Text: Is the contact material correctly chosen with respect to the signal characteristics and the relay application?
Explanation: For low loads (e.g. 1 mA, 5 V) gold-plated contacts are required. For very low loads (e.g. a few µA, 1 V) use gold or silver-gold contacts (e.g. thermocouple switching). For repetitive functioning use silver-cadmium contacts.

contacts and inductive load switching
Item: switch, contact, breaker
Clue Text: Are the contacts protected against high-voltage spikes?
Explanation: If the load seen by the contacts is inductive, a resistor with a capacitor in series (an RC snubber) or a voltage-suppression diode can be added in parallel to the relay contacts, but magnetic-blowing relays or high cut-distance relays are preferable.

Identifier: 98
low impedance between power sources
Clue type: path component, component only
Item: power supply, battery
Clue Tex
51. ialization time long enough to be compatible with the settling time of the power supply?
Explanation: The initialization signal (RESET, CLEAR, SET) needs to be held until the power supply level is steady in all parts of the circuit. A too-short initialization time may not correctly reset a microcontroller or a register state; it may enable outputs connected to circuits that are not yet nominally powered.

Clue type: path component, component only
Clue Text: Is a change of state of a switching item for one function acceptable for the correct performance of other functions?
Explanation: A switching item can be shared through a single contact or through multiple contacts activated at the same time. If a circuit breaker is triggered, its change of state will affect all the functions connected to it. Check that it does not steal power from a function that should still be powered.

sufficient available power
Clue type: component only
Item: transformer, power supply, battery
Clue Text: Can the power source meet the maximum demand?
Explanation: Under some particular conditions (e.g. test, reconfiguration) more power than expected may be consumed by the loads. Where multiple loads are to be supplied, an unfavourable combination of loads may exceed the capability of the power supply. A load may draw much more power than normal under anomalous circumstances (resistive to
52. ift with time, teflon, polyethylene or polycarbonate capacitors are the best suited.

temperature stability problems
Clue type: once only
Clue Text: Is an appropriate capacitor type used if the circuit needs good temperature stability?
Explanation: For instance, for a low-pass active filter needing good temperature stability, silvered-mica capacitors are the best suited.

balanced pair of transistors
Item: transistor, PNP, NPN
Clue Text: If there is a differential instrumentation input or a push-pull output stage made with transistors, are the transistors perfectly balanced?
Explanation: The transistors shall be balanced to avoid saturation or clamping.

connected tristate outputs enabled
Item: buffer, driver
Clue Text: Can connected tristate outputs be enabled at the same time?
Explanation: On a multi-user line (bus) only one user may provide an output to the line; if two users provide outputs simultaneously, erroneous information may be transmitted and a short circuit may also occur. Tying totem-pole outputs together may cause a power-to-ground short circuit if one output drives a logic 1 and another a logic 0.

Identifier:
correct state during initialization
Clue type: component only
Item: breaker, relay, switch
Clue Text: During power-on or initialization, is the component in a correct, predefined state? E
53. ilies, and it may lead to a sneak current path. Particular attention should be paid during power transition or when different voltage values are used at interfaces. Voltage differences at an interface often occur: during power on/off, some parts of the circuit may have reached their operational voltage while others are still changing; during power on/off within a circuit supplied with separate voltages, one voltage may have reached its operational value while others are still changing; separate parts of a circuit can be independently supplied, one being powered while the others are not.

collector-base junction reverse biased
Item: transistor
Clue Text: Can the collector-base junction be reverse biased?
Explanation: A transistor receiving an active signal on its base while it is not nominally powered may induce a sneak current path towards a load, a power source or the ground through the collector-base junction if reverse biased. Particular attention should be paid during power transition or when different voltage values are used at an interface. Voltage differences at an interface often occur: during power on/off, some parts of the circuit may have reached their operational voltage while others are still changing; during power on/off within a circuit supplied with separate voltages, one voltage may have reached its operational value while others are still changing; separate parts of a circuit can be independen
54. ive can lead to the destruction of the circuit or to a sneak current path with potential hazards. Particular attention should be paid to integrated circuits (OpAmp, comparator) or semiconductors connected to capacitors during power transition: for instance, if a capacitor is used as feedback around an OpAmp/comparator, the drive capability of the OpAmp/comparator output may be exceeded. The same is true if the capacitor is connected from input to ground or from output to ground. Providing a series limiting resistance is a solution in some cases.

load ratings for EED
Item: active, EED
Clue Text: Can the circuit supply sufficient energy to blow the EED under all operational conditions?
Explanation: For a squib component, sufficient energy shall be delivered by the output to blow it. For some switching conditions there may be too much resistance or inductance in the activating circuit.

Clue Text: Has a possible internal link between IC pins been taken into account in the design?
Explanation: An unexpected internal link between pins of an integrated circuit can lead to a circuit malfunction or a sneak current path.

Identifier:
low voltage drift with time
Item: capacitor
Clue Text: Have appropriate capacitors been used when a circuit needs a low voltage drift with time?
Explanation: For instance, for sample-and-hold amplifiers with low voltage dr
55. l
Explanation: When a signal contains extraneous noise, its upper and lower bounds may exceed the specified limits, making the signal unacceptable. To increase the noise immunity of a receiver, Schmitt-trigger gates may be used on inputs; on the same principle, a hysteresis cycle may be implemented in comparators. In any case a noise margin should always be maintained.

123 internally unsuppressed pins
Clue type: component only
Item: IC
Clue Text: For ICs with internally unsuppressed pins, has a suppression device been implemented?
Explanation: Some integrated circuits do not have internal protection diodes fitted to the inputs and outputs. These integrated circuits are vulnerable to transient voltages that may exceed the maximum permitted limits, causing latch-up or even permanent damage. External protection devices (diodes, series resistors) shall be attached to pins carrying such dangerous signals.

Clue type: path component, component only
Clue Text: Are the after-use EED characteristics compatible with the circuit implementation?
Explanation: After firing, squib components may be open or short-circuited. Depending on this state, the circuit implementation will not be the same, nor the protection devices (current limiter). A short circuit in a squib shall not cause damage to other circuit components. Capacitor voltage-discharge sources are not as likely to burn a squib
56. lator
      Processing
        micropro (microprocessor)
        ASIC (application-specific IC)
        DAC (digital-to-analog converter)
        ADC (analog-to-digital converter)
        regulator (voltage regulator)
        communication
      Analogue
        amplifier
        OpAmp (operational amplifier)
        comparator
    Transistor
      bipolar
        PNP
        NPN
      Darlington
      MOS (metal-oxide semiconductor)
      FET (field-effect transistor)
    Diode
      Zener
      LED (light-emitting diode)
      optocoupler
    Rectifier
      Thyristor
      Triac
      GTO (gate turn-off thyristor)
      Thyratron
  Passive
    Resistor
    Capacitor
    Heater
    Thermistor
    Potentiometer
    Varistor (variable resistor)
    Inductor
      coil
Electromechanic
  Contactor
    Breaker
    Limiter
    Relay
      bistabrel (bistable relay)
      monostable (monostable relay)
      monofloprel (monoflop relay)
      Relaycoil
      Relaypole
        Singlepole
        Multipole
    Switch
    Contact
    Button
  Transducer
    Motor
      Motorcoil
      Actuator
    EED (electroexplosive device)
      Squib
      Explosive
      Detonator
      Initiator
      Exbolt
57. lector junction, circuit interfaces where the voltage difference occurs, rectifier (due to a high dV/dt), transformer, internal protection diodes or connected pins of integrated circuits.

disconnection of electrical interlocks
Clue type: path component, component only
Item: interlock, connector, switch, contact
Clue Text: Can the disconnection arising from electrical interlocks create sneak current paths depending on the disconnection order?
Explanation: If simultaneous disconnections are scheduled, one disconnection may occur before the others, creating for a brief moment unexpected current paths (for instance, suppression of a ground return path).

Identifier:
Clue type: path component, component only
Item: testpoint, connector
Clue Text: Can external testing circuits energize parts other than those intended to be tested?
Explanation: Usually protective devices are installed on lines carrying test signals (e.g. diodes connected to VCC, either externally or internally to integrated circuits). If an erroneous voltage is applied to the test signal input, a sneak current path through the test interface and the protective devices may energize unexpected functions.

146A loss of ground
Clue type: path component, component only
Item: ground, earth, chassis
Clue Text: Does loss of ground allow feedback into the path?
Explanation: If the ground is used to determine the potential of a branch
58. lem are to request resources in groups or to use a fixed order for resource requests. Typical resources are memory data areas, database records, indexes, buffers and peripheral devices.

1056 shared data access protection
Clue type: path component, component only
Item: assign, box
Clue Text: Are all program data interactions synchronised by semaphores or rendezvous, or are some dependent on timing?
Explanation: If dependent on timing, is the timing insensitive to load, processor type or priority changes?

1059 buffer overflow
Clue type: path component, component only
Item: input, output
Clue Text: Can the pipe, buffer or queue be overfilled if the input load increases?
Explanation: Heavy input, bus or transaction loads can lead to queue or buffer overfilling. This can in turn lead to addressing errors, to loss of input or to corruption of entries.

1060 overload data loss
Clue type: path component, component only
Clue Text: Can processing overload delay the response so that short inputs are missed?
Explanation: Input signals that only exist for a short time may be lost completely if the computer is overloaded and does not scan inputs fast enough. Interrupts may be missed if interrupt processing is slow.

1061 overload delay of response
Clue type: path component, component only
Item: input, task
Clue Text: Can overload delay the response so that the response frequency be
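Added example for clues 1059 and 1060 (not part of ECSS-Q-TM-40-04; the annex targets Ada, but the clue is language-independent and C is used here). It compares two push policies on the same fixed-size queue: an unchecked one that silently overwrites the oldest unread entry when the producer outruns the consumer, and a checked one that refuses the input and counts the refusal so the overload is visible to the task that drains the queue. The queue layout, the capacity of 4 and the burst of sequential inputs are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed-size ring buffer; the capacity is an assumption of this example. */
#define QUEUE_CAPACITY 4

typedef struct {
    uint32_t slots[QUEUE_CAPACITY];
    size_t head;    /* index of the oldest unread entry */
    size_t count;   /* entries currently stored, 0..QUEUE_CAPACITY */
    size_t dropped; /* inputs refused by push_checked because the queue was full */
} bounded_queue_t;

void queue_init(bounded_queue_t *q)
{
    memset(q, 0, sizeof *q);
}

/* Unchecked policy (the overfilling the clue warns about): when full, the oldest
   unread entry is overwritten and the read index advances, so the consumer never
   learns that input was lost. */
void push_unchecked(bounded_queue_t *q, uint32_t value)
{
    q->slots[(q->head + q->count) % QUEUE_CAPACITY] = value;
    if (q->count < QUEUE_CAPACITY) {
        q->count++;
    } else {
        q->head = (q->head + 1) % QUEUE_CAPACITY; /* entry lost without trace */
    }
}

/* Checked policy: a full queue refuses the input and records the overload, so
   the loss can be reported instead of silently corrupting the entry sequence. */
bool push_checked(bounded_queue_t *q, uint32_t value)
{
    if (q->count == QUEUE_CAPACITY) {
        q->dropped++;
        return false;
    }
    q->slots[(q->head + q->count) % QUEUE_CAPACITY] = value;
    q->count++;
    return true;
}

bool queue_pop(bounded_queue_t *q, uint32_t *out)
{
    if (q->count == 0) {
        return false;
    }
    *out = q->slots[q->head];
    q->head = (q->head + 1) % QUEUE_CAPACITY;
    q->count--;
    return true;
}

typedef struct {
    uint32_t first_value; /* first value the consumer reads after the burst */
    size_t dropped;       /* inputs the checked policy refused */
} burst_result_t;

/* Feed a burst of n sequential inputs (1..n, a constructed input load) faster
   than the consumer drains them, then report what the consumer sees first and
   how many inputs were refused. With the unchecked policy 'dropped' stays 0
   even though the first inputs were lost; with the checked policy the loss is
   counted and the oldest inputs survive. */
burst_result_t run_burst(bool checked, size_t n)
{
    bounded_queue_t q;
    burst_result_t r = { 0, 0 };
    queue_init(&q);
    for (uint32_t v = 1; v <= n; v++) {
        if (checked) {
            push_checked(&q, v);
        } else {
            push_unchecked(&q, v);
        }
    }
    (void)queue_pop(&q, &r.first_value);
    r.dropped = q.dropped;
    return r;
}
```

With a burst of 6 inputs into a queue of 4, the unchecked policy hands the consumer input 3 first (inputs 1 and 2 are gone and nothing records it), while the checked policy hands over input 1 and reports 2 refusals; which inputs should win under overload is a design decision, but the refusal must be observable either way.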
59. lue Text: Is there an out-of-limits or saturation detection circuit?
Explanation: The sensors should be selected in such a way that the detection circuit ensures detection of out-of-limits or saturation in the system.

discharge circuit for a power source
Clue type: path component, component only
Item: power supply, battery
Clue Text: Is the power source provided with a circuit that can isolate it from its load?
Explanation: For safety reasons, and to avoid sneak current paths at the interface between circuits with different supplies, once an equipment has been switched off the power source shall be prevented from continuing to supply power.

Identifier:
Clue type: component only
Item: IC, and, or, nand, nor, not, flipflop, JK, RS, register, latch
Clue Text: Are circuits using capacitors at pF levels sensitive to the capacitor tolerance?
Explanation: When the circuit is implemented on a PCB, the parasitic capacitance of the PCB tracks may alter the proper functioning of the circuit. The input capacitance of circuits may also add parasitic capacitance. Parasitic capacitance may cause delay in functioning, failure to switch, poor signal form or oscillation.

secondary load viewed from the transformer primary
Clue type:
Clue Text: Is the secondary load viewed from the transformer primary acceptable?
Explanation: To determine the load seen by the transformer primary, the t
60. m

1012 input register read timing
Clue type: path component, component only
Clue Text: Can exceptions, overflows or special handling upset the timing or sequence of input?
Explanation: If there are unusual operations, there may be excessive time delays in treating time-critical input or in providing safety-critical outputs.

1013
Clue type: path component, component only
Item: inreg
Clue Text: Can the input register overflow?
Explanation: Register overflow will cause erroneous input data values.

1015 function side effects
Clue type: path component, component only
Item: assign, box
Clue Text: Can expression evaluation order cause variations in function side effects?
Explanation: Is the order of evaluation of the parts of the expression fixed? If not, does the sequence of evaluation of the terms in the expression affect the result? This can occur if there are functions in the expression that have side effects.

1015A exception side effects
Clue type: path component, component only
Item: assign, box
Clue Text: Can exceptions cause variations in function side effects?
Explanation: Is the order of evaluation of the parts of the expression fixed? If not, does the sequence of evaluation of the terms in the expression affect the result? This can occur if there are functions in the expression whose evaluation can result in exceptions.
61. nation: If a restart occurs, reinitialization is necessary.

1066
Clue type: path component, component only
Item: exception, assign, box
Clue Text: Does error handling restore data consistency?
Explanation: In some cases stored or shared data will be corrupted. In this case restart programs should at least restore consistency, so that further software exceptions do not occur and the data can be accessed reliably.

1067 deep level errors
Clue type: path component, component only
Item: procedure, function, call
Clue Text: Can the procedure terminate the task?
Explanation: A typical example arises in error processing, especially when a low-level subroutine terminates on error.

1068
Clue type: path component, component only
Item: procedure, function, call
Clue Text: Are there any error conditions and codes on procedure exit?
Explanation: A consistent philosophy for treating exceptions is necessary. This is particularly difficult to achieve if library or generic routines are used.

1075
Clue type: path component, component only
Item: assign, box
Clue Text: Can memory be corrupted so that wrong data values are used?
Explanation: Corruption can arise due to addressing errors, data transmission errors or memory failure. Transient memory failure may not always be detectable, even when redundancy is use
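Added example for clues 1066, 1067 and 1068 (not part of ECSS-Q-TM-40-04; written in C rather than Ada). A shared limits record carries the invariant low <= high. The low-level field decoder reports failure through a status code instead of terminating the task, and the two update routines differ in recovery: the unsafe one writes the first field into the live record before the second has been checked, so a bad second field leaves the record inconsistent; the safe one stages the update on a copy and commits only after every field and the invariant have been validated. The record layout, status codes and the constructed inputs are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Status codes are an assumption of this example (clue 1068: a consistent set
   of exit codes, returned rather than raised deep inside a subroutine). */
typedef enum { STATUS_OK = 0, STATUS_BAD_FIELD = 1, STATUS_INCONSISTENT = 2 } status_t;

/* Shared record; invariant: low <= high. */
typedef struct {
    uint16_t low;
    uint16_t high;
} limits_t;

/* Low-level decoder of an unsigned decimal field (clue 1067): returns a status
   code on bad input instead of terminating the task, leaving the decision to
   the caller. Rejects empty text, non-digits and values above UINT16_MAX. */
status_t decode_field(const char *text, uint16_t *out)
{
    uint32_t value = 0;
    if (text == NULL || *text == '\0') {
        return STATUS_BAD_FIELD;
    }
    for (; *text != '\0'; text++) {
        if (*text < '0' || *text > '9') {
            return STATUS_BAD_FIELD;
        }
        value = value * 10u + (uint32_t)(*text - '0');
        if (value > UINT16_MAX) {
            return STATUS_BAD_FIELD;
        }
    }
    *out = (uint16_t)value;
    return STATUS_OK;
}

/* Update without consistency protection: 'low' is written into the live record
   before 'high' has been checked, so a bad second field leaves low > high. */
status_t update_unsafe(limits_t *rec, const char *low_text, const char *high_text)
{
    status_t st = decode_field(low_text, &rec->low);
    if (st != STATUS_OK) {
        return st;
    }
    st = decode_field(high_text, &rec->high);
    if (st != STATUS_OK) {
        return st; /* rec->low has already changed: data no longer consistent */
    }
    return rec->low <= rec->high ? STATUS_OK : STATUS_INCONSISTENT;
}

/* Update with recovery (clue 1066): decode into a staging copy, validate the
   invariant, then commit as one assignment; any failure leaves the live record
   exactly as it was. */
status_t update_safe(limits_t *rec, const char *low_text, const char *high_text)
{
    limits_t staged = *rec;
    status_t st = decode_field(low_text, &staged.low);
    if (st != STATUS_OK) {
        return st;
    }
    st = decode_field(high_text, &staged.high);
    if (st != STATUS_OK) {
        return st;
    }
    if (staged.low > staged.high) {
        return STATUS_INCONSISTENT;
    }
    *rec = staged;
    return STATUS_OK;
}

bool limits_consistent(const limits_t *rec)
{
    return rec->low <= rec->high;
}

/* Drive either variant on the same constructed bad input ("500", "5x") against
   a record {10, 20} and report whether the record is still consistent after. */
bool record_consistent_after(bool safe)
{
    limits_t rec = { 10, 20 };
    const char *low = "500"; /* constructed input: valid field */
    const char *high = "5x"; /* constructed input: bad second field */
    if (safe) {
        (void)update_safe(&rec, low, high);
    } else {
        (void)update_unsafe(&rec, low, high);
    }
    return limits_consistent(&rec);
}

/* Status returned by update_safe on a fresh {10, 20} record. */
status_t safe_update_status(const char *low_text, const char *high_text)
{
    limits_t rec = { 10, 20 };
    return update_safe(&rec, low_text, high_text);
}
```

The unsafe variant leaves {500, 20} behind after the failed update, which is exactly the corrupted shared data that later exceptions would trip over; the safe variant's record still reads {10, 20}, so the caller can act on the status code and retry.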
62. ndent indicators, commands and signals shall be avoided.

Clue type: component only
Item: electric, electromechanical, electronic
Clue Text: Are there any open-ended or non-terminated outputs?
Explanation: In a circuit, each extremity of a wire shall normally be connected to a component. If a lead is connected to a flag that makes it available on another sheet of the drawing, the lead shall continue on the new sheet under the same label.

Clue Text: Are there any open-ended or non-terminated outputs for some switching state?
Explanation: Component terminal wires shall be connected in all switch states.

Explanation: Label wording should have a uniform style and be unique and identifiable. As a suggestion, the master equipment that delivers the signal can be used as a common root for the label wording.

exhaustive labelling
Item: label, lamp, indicator, speaker
Clue Text: Are all the circuit applications clearly indicated in a label name?
Explanation: To allow easier management of the electrical drawing and sneak label detection, each indicator, command and signal shall be clearly labelled to indicate all of its functions. For instance, if a switch is on a ground return of several loads (Y pattern or power dome configuration), its command label shall indicate all of the loads affected.

independence of timing of switching
63. 4.1 Taxonomy of items 8
4.2 Structure of the entries of the clue list 8
Annex A (informative) Taxonomy 10
Annex B (normative) Clues for electrical, electromechanical and electronic equipment 16
Annex C (normative) Clues for software in ADA language 70
Annex D (informative) Clues for hydraulic equipment 89

1 Scope
The aim of sneak analysis is to identify sneak circuits, i.e. unexpected paths for a flow of mass, energy, data or logical sequence that, under certain conditions, can initiate an undesired function or inhibit a desired function. Sneak circuits are not the result of failure but are latent conditions inadvertently designed into the system. This Technical Memorandum establishes a procedure for performing sneak analysis and specifies the required output. The Technical Memorandum is composed of two parts: Part 1 (i.e. this document, ECSS-Q-TM-40-04 Sneak analysis, Methods and procedures) contains the methods and procedures for performing sneak analysis; Part 2 (i.e. the do
64. not then propagate to analogue circuits through a common power line. High inrush currents due to power switching will not affect the voltage stability of other sensitive circuits.

1178 one earth path for separate power source
Item: earth, chassis
Clue Text: Are separate power source lines mixed?
Explanation: Independent power supplies should not share a common line conductor to supply their loads. The return lines for digital and low-level analogue signals shall be kept separate. Spikes due to digital circuits will not then propagate to analogue circuits through a common power line. High inrush currents due to power switching will not affect the voltage stability of other sensitive circuits. Usually CAD provides the designer with a star component: it allows several separate signals with different labels to be created from a single signal. It shall be used to distribute a power source with a star net.

1170 one path for separate signal returns
Clue type: component only
Item: earth, ground, chassis
Clue Text: Is a single earth return long or of high resistance?
Explanation: Independent signal return paths should be kept separate, to avoid cross-talk, until they reach a common low-resistance earth point. Cross-talk can in some cases lead to feedback oscillations.

Identifier: 119A
monitoring circuit independent of monitored function
Clue type: component
65. nse 44
self-healing of plastic film capacitors 38
semaphore lock matching 85
shared data access protection 86
shared data processing 85
shared table processing 85
signal noise compatible with noise immunity 57
signal on a power line 47
spike on the initialization signal 33
splitting and recombining of a digital signal 69
stack overflow 80
start-up latency 61
static energy protection 58
stray capacitance 44
string length 77
string termination 77
sufficient resources for the loads 39
switch function for target 69
switch command activation 64
switching item dedicated to a function 37
switching item shared by several functions 39
switching sequence of valves 95
synthesis of control codes 73
temperature limit for multi-layer
TRUE and FALSE representation 82
truth table for digital function 43
turn-on delay of a diode 67
tan
66. ntact, breaker
Clue Text: Is the switch placed in the lower branch that closes the circuit for two or more upper power-dome branches?
Explanation: If a switching item is placed in the common branch, it may lead to a general current interruption in the multiple branches.

Identifier:
transient exceeding max current
Clue type: component only
Item: transistor
Clue Text: Can a current transient exceed the transistor maximum current?
Explanation: During power transition or switching, for instance, a high inrush current may occur (capacitor charging); this current transient can induce a voltage transient exceeding a breakdown voltage of the transistor. If a transistor is used to switch an inductive load without appropriate transient suppression measures being taken, there is a risk that the transistor may fail. When a resistor is used as a current path and is connected in parallel with the emitter and the base of a transistor, if a reverse current flows through the resistor (temporary short circuit), the reverse base-emitter breakdown voltage can easily be exceeded (about 5 V).

24A transient exceeding breakdown voltage
Clue type: component only
Item: transistor
Clue Text: Can a voltage transient exceed the transistor breakdown voltage?
Explanation: If a transistor is used to switch off an inductive load without appropriate transient suppression measures being taken, there is a
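Added example for the power-dome clue above (not part of ECSS-Q-TM-40-04 and not a tool the standard describes). It turns the clue into a check that can be run over a netlist: the circuit is modelled as an undirected graph of conducting edges, a load counts as energized when one terminal is reachable from VCC and the other from GND through wires and closed switches, and each switch is opened in turn to count the loads that lose supply. A switch that de-energizes more than one load is the shared switching item in the common branch of a dome. The constructed netlist (loads L1 and L2 on a dome returning through S1, load L3 with its own switch S2), the node numbering and the simplification that loads do not conduct for reachability (so sneak paths through other loads are not modelled) are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum { NODE_VCC = 0, NODE_GND = 1, NODE_COUNT = 8 };

typedef enum { EDGE_WIRE, EDGE_SWITCH, EDGE_LOAD } edge_kind_t;

typedef struct {
    const char *name;
    edge_kind_t kind;
    int a, b; /* terminal nodes */
} edge_t;

/* Constructed netlist (assumption of this example): L1 and L2 share dome node 2
   and return to ground only through S1; L3 returns through its own switch S2. */
static const edge_t NETLIST[] = {
    { "L1", EDGE_LOAD,   NODE_VCC, 2 },
    { "L2", EDGE_LOAD,   NODE_VCC, 2 },
    { "S1", EDGE_SWITCH, 2, NODE_GND },
    { "L3", EDGE_LOAD,   NODE_VCC, 3 },
    { "S2", EDGE_SWITCH, 3, NODE_GND },
};
static const size_t NETLIST_LEN = sizeof NETLIST / sizeof NETLIST[0];

/* Flood-fill from 'start' over wires and closed switches. Loads are treated as
   non-conducting here (simplification). 'open_switch' names the one switch
   held open, or NULL for all switches closed. */
static void reach(int start, const char *open_switch, bool reached[NODE_COUNT])
{
    int stack[NODE_COUNT]; /* each node is pushed at most once */
    int sp = 0;
    memset(reached, 0, NODE_COUNT * sizeof reached[0]);
    reached[start] = true;
    stack[sp++] = start;
    while (sp > 0) {
        int n = stack[--sp];
        for (size_t i = 0; i < NETLIST_LEN; i++) {
            const edge_t *e = &NETLIST[i];
            if (e->kind == EDGE_LOAD) {
                continue;
            }
            if (e->kind == EDGE_SWITCH && open_switch != NULL &&
                strcmp(e->name, open_switch) == 0) {
                continue; /* this switch is open: no conduction */
            }
            int other = (e->a == n) ? e->b : (e->b == n) ? e->a : -1;
            if (other >= 0 && !reached[other]) {
                reached[other] = true;
                stack[sp++] = other;
            }
        }
    }
}

/* Number of loads energized with every switch closed except 'open_switch'
   (NULL means all closed). */
int energized_loads(const char *open_switch)
{
    bool from_vcc[NODE_COUNT];
    bool from_gnd[NODE_COUNT];
    int n = 0;
    reach(NODE_VCC, open_switch, from_vcc);
    reach(NODE_GND, open_switch, from_gnd);
    for (size_t i = 0; i < NETLIST_LEN; i++) {
        const edge_t *e = &NETLIST[i];
        if (e->kind != EDGE_LOAD) {
            continue;
        }
        if ((from_vcc[e->a] && from_gnd[e->b]) || (from_vcc[e->b] && from_gnd[e->a])) {
            n++;
        }
    }
    return n;
}

/* How many loads a single switch de-energizes when it opens. A value above 1
   flags a switching item in a common branch shared by several functions. */
int loads_controlled_by(const char *switch_name)
{
    return energized_loads(NULL) - energized_loads(switch_name);
}
```

On the constructed netlist S1 controls two loads and S2 one, so S1 is the dome switch the clue asks about; the same loop over every switch in a larger netlist gives the list of shared switching items whose command labels must name all affected loads.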
67. oating-point numbers? If so, how is equality guaranteed?
Explanation: Two real numbers will in general never be equal unless the values are assigned identically.

1040
Clue type: path component, component only
Item: if, diamond, case
Clue Text: Are both positive and negative zero values possible?
Explanation: On some computers there is the possibility of a sign difference even when the numbers represent zero. This can make an equality comparison incorrect. (With IEEE 754 arithmetic +0.0 and -0.0 compare equal under the language's equality operator but differ in bit pattern, so a comparison of the stored representation, e.g. a bytewise compare or a checksum, treats them as different values.)

1041 TRUE and FALSE representation
Clue type: path component, component only
Item: if, diamond, case, assign, box
Clue Text: Is the coding for TRUE and FALSE values consistent and used consistently?
Explanation: The bit coding used to represent TRUE and FALSE varies from system to system, and programmers often make errors when transferring between systems.

1043
Clue type: path component, component only
Item: while, for, loop
Explanation: An endless loop can cause a stop of all processing on a processor or, if time slicing is used, it can cause a single task to fail.

Clue Text: Does the loop deal with precisely all elements of an array? For loops that deal with arrays, does the loop track the array precisely and deal with all loop elements, including the zero-th and the last?
Explanation: Take special care with loops that relate the i-th and the (i+1)-th array elements, or similar offset access to
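Added example for clue 1040 and the signed-zero clue that follows it (not part of ECSS-Q-TM-40-04; C is used in place of Ada). It contrasts the exact comparison the clue warns against, a tolerance comparison suitable for computed values, and a comparison of the stored bit pattern, which is what a bytewise compare or checksum sees and which separates +0.0 from -0.0 although the language's == does not. The tolerances and the way the two sample values are produced are assumptions of the example; the helper functions are the example's own, not a library API.

```c
#include <math.h>
#include <stdbool.h>
#include <string.h>

/* Small helpers so the example does not depend on libm for fabs/fmax. */
static double absd(double x) { return x < 0.0 ? -x : x; }
static double maxd(double a, double b) { return a > b ? a : b; }

/* Exact comparison: fails for values that are mathematically equal but were
   computed along different paths (clue 1040). */
bool exact_equal(double a, double b)
{
    return a == b;
}

/* Tolerance comparison: relative tolerance scaled by the larger magnitude, with
   an absolute floor so values near zero still compare; both tolerances are
   parameters because the right choice depends on the quantity being compared. */
bool approx_equal(double a, double b, double rel_tol, double abs_tol)
{
    double diff = absd(a - b);
    double scale = maxd(absd(a), absd(b));
    return diff <= maxd(rel_tol * scale, abs_tol);
}

/* Bit-pattern comparison: what memcmp on a record, a hash or a stored image
   sees. +0.0 and -0.0 differ here although they compare equal with ==. */
bool bitwise_equal(double a, double b)
{
    return memcmp(&a, &b, sizeof a) == 0;
}

/* Detect the negative zero explicitly: equal to zero, sign bit set. */
bool is_negative_zero(double x)
{
    return x == 0.0 && signbit(x) != 0;
}

/* 0.1 + 0.2 evaluated at run time: not exactly 0.3 in binary floating point
   (the operands are volatile only to keep the compiler from folding the sum). */
double sum_tenth_fifth(void)
{
    volatile double a = 0.1;
    volatile double b = 0.2;
    return a + b;
}

/* A zero that carries the negative sign: the product of two tiny negative and
   positive numbers underflows to -0.0 under round-to-nearest. */
double negative_zero(void)
{
    volatile double small = -1e-300;
    return small * 1e-300;
}
```

A safety-related comparison against a limit should use approx_equal with tolerances chosen for the measured quantity, and any code that compares stored representations (checksums over records, memcmp on tables) must either normalise zeros first or accept that -0.0 and +0.0 are distinct there.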
68. only
Item: connector, malecon, femalecon
Clue Text: Is there a connector in the earth return line and a parallel path that bypasses it?
Explanation: This arrangement shall be avoided, as the parallel earth return can cause a sneak timing or a sneak circuit.

8256
Clue type: path component, component only
Item: earth, chassis, ground
Clue Text: Is there a connector in the earth return line and a parallel path that bypasses it?
Explanation: This arrangement shall be avoided, as the parallel earth return can cause a sneak timing or a sneak circuit.

signal on a power line
Clue type: path component, component only
Item: and, or, nand, nor, gate, flipflop, RS, JK, register, amplifier, transistor, comparator
Clue Text: Is the signal perturbation due to the power line acceptable?
Explanation: Spikes occurring on a power line can generate high-frequency interference that can alter the signal characteristics. The potential difference due to the interference current flowing through the line may not be negligible compared to the signal.

Identifier:
power and signal lines in separate connectors
Clue type: component only
Item: multiconnector
Clue Text: Does the connector contain both power and signal lines?
Explanation: It is necessary to route signal and power lines through separate connectors. A short circuit between a signal line and a power line can lead to the complete destruction of the equipment. The electromagnetic interfe
69. only
Item: sensor, psens, fsens, tsens, lsens
Clue Text: Does the monitoring circuit depend upon the function it monitors?
Explanation: A failure of the monitored circuit shall not prevent the monitoring circuit from operating correctly (for instance through a common power source, if the monitored function is shorted). The monitoring circuit should not depend on the monitored function for its proper functioning. On the other hand, means shall be provided to detect a failure of the monitoring circuit.

Identifier:
ICs needing external component
Item: IC, gate, and, or, nand, nor, not, buffer, clock, JK, RS, flipflop, register, driver, counter
Clue Text: For ICs needing an external component, has the appropriate component been implemented?
Explanation: Some TTL outputs are open-collector: a pull-up resistor shall be added between the output transistor collector and VCC. Some TTL outputs are open-emitter: a pull-down resistor shall then be added. The value of the resistor depends on the load to be driven. Tristate outputs also require a pull-up or pull-down resistor, so that the line has a defined level when no driver is enabled. A transistor base driven by an open-collector transistor should also have a pull-up or pull-down resistor to assure proper switching. If an open-collector TTL output drives a CMOS input, a pull-up resistor shall be added.

C noise compatible with device noise immunity
Clue type: component only
Clue Text: Is the signal noise acceptable for the circuit dealing with this signa
70. ontacts touching. Make-before-break switches create a transient current path between contacts during switching. If a short circuit occurs through contacts during a transitory current path, it may weld the contacts and maintain the short circuit. If there is a switch in an upper branch and one in a lower branch, a short circuit may appear if both switches let the current flow at the same time, due to the switching reaction delay.

138A transient current path through switches
Clue type: path component, component only
Item: transistor, rectifier, breaker, relay, switch, contact, button, interlock, plug
Clue Text: During a change of state of switches, can transient current paths exist?
Explanation: As switches do not all switch at the same speed, one switch can still be in its previous position while another has already changed state, and one switch can be open during its change of state while another has contacts touching. Make-before-break switches create a transient current path between contacts during switching. If a short circuit occurs through contacts during a transient current path, it may weld the contacts and maintain the short circuit. If there is a switch in an upper branch and one in a lower branch, a short circuit may appear if both switches let the current flow at the same time, due to the switching reaction delay.

139 transient current gap while switching
Clue type:
71. ource 24
disconnection of a static energy protection 58
disconnection of electrical interlocks 65
division by zero 76
drawing consistency with part list 59
endless recursion 81
energy received by an indicator 45
energy storage release 28, 29
engine's efficiency 91
erroneous control transfer 89
error codes on procedure exit 89
error handling interruption 87
error handling lockout 88
error recovery reinitialisation 88
evaporation of a liquid 91
event processing 84, 86
indicator for a unique function 71
inductance of a wire-wound resistor 54
initialisation of values 78
input register read timing 75
internal unexpected link of ICs pins 35
internally unsuppressed pins 57
irreversible state after switching 48
label wording 40
label coherence between separated boards 42
lack of surge resistor 29
leakage flow 96
load characteristic after use 58
load ratings 34
load ratings for EED 35
load seen by the transformer p
72. ox
Clue Text: For multi-dimensional arrays, is the array index sequence clear?
Explanation: A common error is to confuse the order of array indexes.

Identifier: 1025
Clue type: path component, component only
Item: assign, box
Clue Text: Are any data elements aliased or overloaded?
Explanation: If so, the mapping between data types may be in error, with shifts of byte boundaries or value representation.

1026
Clue type: path component, component only
Item: assign, box
Clue Text: Are any data elements aliased or addressed by assembler code or by pointers?
Explanation: If so, and all possible bit patterns are allowed, some patterns may not be relevant for both aliases.

1027 initialization of values
Clue type: path component, component only
Item: assign, box
Clue Text: Are data values entering into the expression initialized along every flow path leading to the statement?
Explanation: Uninitialized data may contribute to an erroneous calculation. The problem may be missed in a test environment where data has a fixed default value, and then show up during actual operation.

1028
Clue type: path component, component only
Item: assign, box
Clue Text: Are numeric constants formatted properly, avoiding commas and with the correct number of zeros?
Explanation: Numeric constants can be given different internal values depending on format, e
73. [...] 61, 62
wear 92
tristate outputs for multi user line bus
zero representation 82
[...] 26, 98
74. path, component, component only. Item: transistor, rectifier, breaker, relay, switch, contact, button, interlock, plug
Clue Text: During a change of state of switches, can a transient current gap exist?
Explanation: While the pole of the relay's moving piece is in transit between two contacts, both contacts are momentarily floating. The load may then be unsupplied for a brief moment, which may not be acceptable, or which may open the possibility of another current path.

unexpected switch command activation
Clue type: path, component, component only. Item: transistor, rectifier, breaker, relay, switch, contact, button, interlock, plug
Clue Text: Can a switch or its command be activated when not desired, or inhibited when expected?
Explanation: During a power transition, the transient current which flows, for instance, to charge capacitors can briefly activate a switch command. If one part of a circuit is powered while another part is not, it can inhibit a current path or create new ones. Unexpected sequences (testing, check-out, contingency) can lead to an unscheduled switch combination. Conduction may be required for one load but unwanted for other loads.
75. predictable

Identifier 1037 case coverage in nested IF
Clue type: path, component, component only. Item: if, diamond, case
Clue Text: For a nested IF or case statement, is the list of conditions exhaustive?
Explanation: For safety-related programs the list of possible cases should be made explicit rather than relying on a final "other" or "else" clause. Any non-allowed condition can then be routed to error handling.

Identifier 1036 test sequence and priority
Clue type: path, component, component only. Item: if, diamond, case
Clue Text: For nested IF statements, is the sequence or priority of the tests correct and consistent?
Explanation: The actual sequence of condition nesting may be irrelevant provided that the logic is completely correct. However, lack of clarity and consistency often leads to errors, for example neglecting some special case.

Identifier 1039 function calls in IF test
Clue type: path, component, component only. Item: assign, box, call
Clue Text: Are there repeated function calls within the IF condition? Does the function allow side effects?
Explanation: Function calls with side effects within conditional statements are almost guaranteed to give erroneous values for the side-effect variables at some stage of processing.

Identifier 1040 floating point equality
Clue type: path, component, component only. Item: if, diamond, case
Clue Text: Are there tests for equality between fl
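Clues 1037, 1039 and 1040 in C, as an added example that is not part of the standard. The mode enumeration, the heater setpoints and the constructed sample source are assumptions made for the example; the "sneak" and "fixed" pairs show the pattern the clue asks the reviewer to look for and the form that passes.

```c
#include <stdbool.h>

enum sc_mode { MODE_SAFE = 0, MODE_NOMINAL = 1, MODE_MANOEUVRE = 2 };  /* assumed */

/* Clue 1037: every allowed value is listed; anything else reaches error
   handling. With a catch-all "else" a corrupted mode word would silently
   receive one of the real setpoints. Setpoints are assumed. */
int heater_setpoint(enum sc_mode m, bool *err)
{
    *err = false;
    switch (m) {
    case MODE_SAFE:      return 5;
    case MODE_NOMINAL:   return 20;
    case MODE_MANOEUVRE: return 25;
    }
    *err = true;                 /* unlisted value: safe value plus a flag */
    return 5;
}

/* For checks: 1 if the raw mode word was rejected, else 0. */
int setpoint_rejected(int raw_mode)
{
    bool err;
    heater_setpoint((enum sc_mode)raw_mode, &err);
    return err ? 1 : 0;
}

/* Clue 1039: a function with a side effect (it consumes a sample) inside
   a chain of IF tests. Every test that runs calls it again, so the tests
   do not see the same value and samples are silently skipped. */
static int g_next = 0;                           /* constructed sample source */
static const int g_samples[] = {1, 3, 2, 3};

static int next_sample(void) { return g_samples[g_next++ % 4]; }

static int classify_sneak(void)   /* may call next_sample() twice */
{
    if (next_sample() > 2) return 2;
    if (next_sample() > 1) return 1;
    return 0;
}

static int classify_fixed(void)   /* calls it exactly once */
{
    int s = next_sample();
    if (s > 2) return 2;
    if (s > 1) return 1;
    return 0;
}

/* Run each classifier over the sample source from the start and pack the
   results as decimal digits, so the two behaviours can be compared. The
   sneak version returns 11 (two samples lost per call); the fixed version
   returns 212 after a leading 0, i.e. classes 0,2,1,2 for samples 1,3,2,3. */
int classify_sneak_sequence(void)
{
    g_next = 0;
    int a = classify_sneak(), b = classify_sneak();
    return a * 10 + b;
}

int classify_fixed_sequence(void)
{
    g_next = 0;
    int a = classify_fixed(), b = classify_fixed(), c = classify_fixed(), d = classify_fixed();
    return ((a * 10 + b) * 10 + c) * 10 + d;
}

/* Clue 1040: 0.1 + 0.2 is not 0.3 in binary floating point. Compare with a
   tolerance scaled to the operands instead of with ==. */
static double dabs(double x) { return x < 0 ? -x : x; }

bool float_equal_sneak(double a, double b) { return a == b; }

bool float_near(double a, double b, double rel_tol)
{
    double m = dabs(a) > dabs(b) ? dabs(a) : dabs(b);
    return dabs(a - b) <= rel_tol * m;
}
```

The side-effect case is the subtle one: classify_sneak() gives a plausible answer on every call, so the lost samples are only visible when the consumed sequence is compared with the expected one.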
76. command input implementation
Item: bistable, flipflop, register, latch, counter, JK, RS, bistabrel
Clue Text: Are both the SET (START) command and the RESET (STOP) command implemented?
Explanation: As an example, if only the SET (START) command is implemented, once the function has been activated it will always remain in the same state, as the RESET (STOP) command is not available.

Clue Text: Have the propagation time, the rise time and the fall time been taken into account in the maximum frequency calculation?
Explanation: There may be sneak timing problems if the expected signal frequency is close to a component's maximum frequency limit.

delay due to parasitic capacitance
Clue type: path, component, component only. Item: diode
Clue Text: Can the time constant of a signal path induce a critical delay for the signal due to parasitic capacitance?
Explanation: The forward resistance and the parasitic capacitance of a diode can induce a delay on the signal path.

delay of a signal, high output resistance
Clue type: path, component, component only. Item: battery, power supply, psens, tsens, lsens, fsens, xsens
Clue Text: Can the time constant of a signal path induce a critical delay for the signal due to a high output resistance?
Explanation: A high output impedance state can cause slow operation because of the long RC time constant. Digital devices, analog switches, comparators and transistors may exhibit unpredictable switching times an
77. ransformation ratio shall be taken into account. If a capacitor is connected in parallel with a secondary winding of a transformer (filter in a direct current converter), during power-on the charging of the capacitor induces a short circuit at the transformer primary; a current limiter may be implemented to remove this problem.

Explanation: If a low current flows through a lamp or LED, the indicator may not be seen when it lights up, depending on the room brightness. An audible alarm (loudspeaker, buzzer) shall have enough power available for the transducer, especially if it is placed in a noisy room. This may have critical effects if it is an alarm indicator. On the other hand, a limiting resistor may sometimes be implemented (LED).

command duration adapted to circuit characteristics
Clue type: relay, flipflop, JK, RS, register, monoflop
Clue Text: Is the command duration matched to the circuit characteristic?
Explanation: For monostable relays the command shall be maintained as long as the change of state is desired. For bistable relays, once the state has changed the command is no longer needed, but to change the state of a bistable relay a minimum command duration is necessary to reach a sufficient magnetic field in the coil.

Clue type: component only. Item: limiter, fuse, relay, breaker
Clue Text: Are current limiters in series correctly set?
Explanation: Both the maximum cu
78. rences may induce random false data on digital signals and modify an analogue signal's characteristics.

disconnecting separated connectors
Clue type: component only. Item: multiconnector, connector, interlock, malecon, femalecon
Clue Text: Is it possible to disconnect power lines in separated connectors?
Explanation: Opening just one connector from a set of power and earth (return) connectors is a frequent cause of sneaks.

irreversible state after switching
Clue type: path, component, component only. Item: relay, and, nor, flipflop
Clue Text: Can switching lead to an irreversible state?
Explanation: For instance, the command circuit of a relay may be powered through the relay itself: once the relay has been activated, the command circuit is no longer powered and can no longer be activated, so the relay remains in an irreversible state. A relay contact or gate on a single-path branch shall not be commanded by a circuit supplied through another branch: once the relay contact is open, the command circuit of the relay is no longer supplied and the contact can never be closed again.

Identifier 89 decoupling capacitor for each board
Clue type: supply, battery, power
Clue Text: Has a decoupling capacitor been provided for each direct current power signal at the entrance of each board?
Explanation: Install a decoupling capacitor for each power line at the point where it enters eac
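The "irreversible state after switching" clue as a boolean network, an added example that is not part of the standard. A relay whose command circuit is supplied through its own normally-closed contact is modelled as a synchronous state machine (one step = one settling of the circuit); the latching variant shows the irreversible state, the monostable variant the unstable one. The relay model and the step semantics are assumptions made for the example.

```c
#include <stdbool.h>

/* Bistable (latching) relay K: a SET pulse opens the contact, a RESET
   pulse closes it, but both pulses are routed through that same contact. */
typedef struct { bool contact_closed; } latch_relay_t;

void latch_step(latch_relay_t *k, bool set_cmd, bool reset_cmd)
{
    bool command_live = k->contact_closed;      /* supply via own contact */
    if (set_cmd && command_live)   k->contact_closed = false;
    if (reset_cmd && command_live) k->contact_closed = true;
}

/* After one SET pulse, can `attempts` RESET pulses ever close the contact
   again? With the supply routed through the contact the answer is no. */
bool latch_recovers(int attempts, bool supply_via_contact)
{
    latch_relay_t k = { true };
    if (supply_via_contact) {
        latch_step(&k, true, false);
        for (int i = 0; i < attempts; i++) latch_step(&k, false, true);
    } else {                                   /* independent supply */
        k.contact_closed = false;
        for (int i = 0; i < attempts; i++) k.contact_closed = true;
    }
    return k.contact_closed;
}

/* Monostable relay: the coil holds only while commanded. Energising opens
   the contact, which removes the command, which drops the coil, which
   closes the contact, and so on: the loop never settles. */
typedef struct { bool coil; bool contact_closed; } mono_relay_t;

int mono_contact_transitions(int steps, bool supply_via_contact)
{
    mono_relay_t k = { false, true };
    int changes = 0;
    for (int i = 0; i < steps; i++) {
        bool before = k.contact_closed;
        bool command_live = supply_via_contact ? k.contact_closed : true;
        k.coil = command_live;                 /* command held on */
        k.contact_closed = !k.coil;
        if (k.contact_closed != before) changes++;
    }
    return changes;
}
```

A real analysis would draw the network from the schematic rather than hand-code it, but the check is the same: enumerate the reachable states under every command sequence and flag states with no way back (latching) or with no fixed point (monostable).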
79. rimary 45
exception side effects
excessive reverse bias 19
location of monitoring circuit signal so[...]
exhaustive labelling 24
explicit wording of a label 71
location of the protection device 55, 70
false indication during switching 40
loop [...] 83, 84
fan out fan in rating 33
loss of drain 93
feedback network on separated boards 19
loss of ground 66
loss of power source 66
filtering of a power source 20
low impedance between power sources 50
filtering of cables and long lines 20
fixed data read cycle 74
low voltage drift with time 35
floating point equality 82
material quality of the contact 49
freeing memory 81
maximum frequency delays 22
frequency pass band for measurement 21
maximum frequency signal levels 54
memory mapped register 72, 73
function calls in IF test 82
mismatch in parameter list 79
function side effects 75
monitoring circuit independent of monitored
heap space exhaustion 80
80. risk that the transistor may fail.

reverse current through collector
Item: transistor
Clue Text: Can a voltage transient exceed the emitter breakdown voltage?
Explanation: When a resistor is used as a current path and is connected in parallel with the emitter and base of a transistor, if a reverse current flows through the resistor (temporary short circuit), the reverse base-emitter breakdown voltage (about 5 V) can easily be exceeded.

permanent electrical link across a contact
Item: relay, switch, contact, button
Clue Text: Does a permanent low current flow through the contact?
Explanation: The contact resistance may become significant if the current is low, and the current will not be sufficient for contact regeneration. RESET and SET cycles shall be scheduled for contact regeneration if no other possibility exists.

parallel MOSFET transistors
Item: transistor
Clue Text: Are the oscillations generated by two parallel MOSFET transistors damped out by an appropriate circuit?
Explanation: Two parallel MOSFET transistors can create an oscillating circuit.

Identifier 27A voltage compatibility between different IC families
Item: IC
Clue Text: Is the voltage compatibility between circuits of different families respected?
Explanation: A problem of voltage compatibility can occur between different circuit fam
81. rque on a motor. If the power equipment contains a current limiter, the power source shall also be able to support the activation of the current limiter, especially if the source is shared with other equipment.

false indication during switching
Item: relay, switch, breaker, button
Clue Text: During switching, can a false indication occur or an unintended function be activated?
Explanation: If the contact chatters or bounces during switching, the signal may be detected as multiple inputs. Using an electronic switch such as a transistor instead of a relay may provide a solution. If a monitoring circuit checks a relay status just after the relay has changed state, erroneous information may be transmitted, as the relay contacts can rebound for a short time after switching. A delay in the status acquisition is necessary to monitor a stable status. A capacitive filter or a monostable circuit may be fitted to produce a reliable, deterministic switching signal.

label ambiguity
Item: label, lamp, indicator
Clue Text: Does each electrical indicator, command and signal have its own unique label?
Explanation: To allow easier management of the electrical drawings and sneak label detection, each signal and connection shall have its own unique label. Labelling shall be precise; for instance, the wires attached to either side of a fuse shall have different labels. Quasi-similar labels for indepe
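The status-acquisition delay from the "false indication during switching" clue, as an added example that is not part of the standard. The contact samples are constructed (one reading per millisecond after the command, bouncing for the first few milliseconds, then stable); the hold time is an assumption.

```c
#include <stddef.h>

/* Constructed status samples of a relay contact, read every 1 ms from the
   command: bounces for about 6 ms, then stays closed (1). */
static const int CONTACT_SAMPLES[] = {0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1};
#define CONTACT_SAMPLE_COUNT (sizeof CONTACT_SAMPLES / sizeof CONTACT_SAMPLES[0])

/* A monitor that forwards every raw transition: each bounce becomes an
   extra "input", which is the false indication the clue describes. */
int raw_transitions(const int *s, size_t n)
{
    int count = 0;
    for (size_t i = 1; i < n; i++)
        if (s[i] != s[i - 1]) count++;
    return count;
}

/* Status acquisition with a hold time: a new state is reported only after
   `hold` consecutive samples disagree with the current state. Returns the
   final debounced state; *reported receives the number of changes forwarded. */
int debounced_state(const int *s, size_t n, int hold, int *reported)
{
    int state = s[0], run = 0;
    *reported = 0;
    for (size_t i = 1; i < n; i++) {
        if (s[i] == state) { run = 0; continue; }
        run++;                                  /* consecutive samples != state */
        if (run >= hold) { state = s[i]; run = 0; (*reported)++; }
    }
    return state;
}

/* Convenience wrappers over the constructed samples. */
int sample_raw_transitions(void)
{
    return raw_transitions(CONTACT_SAMPLES, CONTACT_SAMPLE_COUNT);
}

int sample_debounced_changes(int hold)
{
    int reported;
    debounced_state(CONTACT_SAMPLES, CONTACT_SAMPLE_COUNT, hold, &reported);
    return reported;
}

int sample_debounced_final(int hold)
{
    int reported;
    return debounced_state(CONTACT_SAMPLES, CONTACT_SAMPLE_COUNT, hold, &reported);
}
```

With hold = 1 the filter degenerates to the raw monitor and reports five changes for one commanded transition; with a hold longer than the bounce it reports exactly one. The hold must exceed the worst-case bounce time of the part, which is why the clue asks for the delay explicitly rather than for "a delay".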
82. rrent limit and the reaction delay shall be considered. Normally the downstream current limiter shall react before the upstream current limiters.

multiple paths of a signal
Clue type: path, component, component only. Item: connector, malecon, femcon
Clue Text: Does the same signal flow through separated lines or connectors?
Explanation: This arrangement shall be avoided, as the separated wires of the signal can recombine through other boards and lead to sneak current paths. Low-current and high-current returns connected in parallel shall also be avoided, in case of disconnection of the high-current return.

multiple earth returns for a signal
Clue type: path, component, component only. Item: earth, chassis
Clue Text: Is there an earth return flowing through separated lines or connectors?
Explanation: This arrangement shall be avoided, as the separated wires in the earth return can lead to inductance effects, conduction path overload and errors during disconnection.

Clue type: path, component, component
83. rrent path via an autotransformer
Clue type: path, component, component only. Item: autotransfo
Clue Text: Can an unexpected continuous current flow through the autotransformer?
Explanation: An autotransformer has no galvanic isolation between input and output. A continuous (DC) current can flow through the windings and create an unexpected sneak current path.

parallel diodes for redundancy, power sharing
Item: diode
Clue Text: Is the current flowing through parallel diodes equally divided, or does it flow only through one diode?
Explanation: Either one diode can carry all the current by itself and the other diode is there for redundancy; then no current needs to flow through the second diode, which preserves its lifetime (cold redundancy). Or one diode cannot carry all the current by itself and the current shall be shared with the other diode (half the current through each); then a balancing device shall be implemented, as the two diodes will not have the same forward voltage. One shall ensure that unequal division does not occur.

correct biasing of Zener diodes
Item: Zener
Clue Text: Is the Zener diode correctly biased?
Explanation: When a Zener diode is used as a voltage reference it shall conduct a sufficiently large current to ensure that it operates in the breakdown region of its characteristic, sufficiently far from the knee. This
84. rror which is very difficult to locate, with erroneous calculations in later, unrelated functions.

Identifier 1038
Clue type: path, component, component only. Item: assign, box, call
Clue Text: If a function in the statement is recursive or indirectly recursive, is its data space allocated dynamically?
Explanation: Recursive functions may accidentally reuse a fixed data area. Runaway or excessive recursion may also lead to running out of stack or heap space.

Identifier 1034 stack overflow
Clue type: path, component, component only. Item: assign, box, call
Clue Text: Is there a possibility of stack overflow on assignment or call?
Explanation: If so, memory exceptions may be raised or misaddressing may occur.

Identifier 1084A heap space exhaustion
Clue type: path, component, component only. Item: assign, box, call
Clue Text: Is there a possibility of exhaustion of heap space when memory is allocated dynamically?
Explanation: If so, a memory allocation exception will occur.

Identifier 1035
Clue type: path, component, component only. Item: assign, box, call
Clue Text: Is all dynamically allocated memory also freed?
Explanation: Memory which is not freed may be needed by other procedures. This can arise because the free instruction is omitted, or because the free instruction can be bypassed (exception exits from the procedure).

Identifier 1036
Clue type: path, component, component only
Explanation: The number of recursion levels shall be
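Clues 1034, 1035, 1036 and 1084A together in C, as an added example that is not part of the standard: a recursive walk with an explicit depth bound, checked allocation that releases partial work on failure, and a single exit path that frees on success and on error alike. The list structure and the recursion limit of 64 are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdlib.h>

#define MAX_RECURSION 64     /* recursion level bound, an assumed value */

typedef struct node { int value; struct node *next; } node_t;

/* Clues 1034/1036: the depth is carried explicitly, so a list longer than
   planned yields a reported failure instead of a stack overflow. */
static bool sum_rec(const node_t *n, int depth, long *acc)
{
    if (n == NULL) return true;
    if (depth >= MAX_RECURSION) return false;
    *acc += n->value;
    return sum_rec(n->next, depth + 1, acc);
}

void free_list(node_t *n)
{
    while (n) { node_t *next = n->next; free(n); n = next; }
}

/* Clue 1084A: every allocation is checked; on failure the nodes already
   allocated are released before returning NULL. Values are 0..count-1. */
node_t *build_list(int count)
{
    node_t *head = NULL, *tail = NULL;
    for (int i = 0; i < count; i++) {
        node_t *n = malloc(sizeof *n);
        if (n == NULL) { free_list(head); return NULL; }
        n->value = i;
        n->next = NULL;
        if (tail) tail->next = n; else head = n;
        tail = n;
    }
    return head;
}

/* Clue 1035: whatever sum_rec() reports, the list is freed on the way out.
   An early "return false" after the allocation would bypass the free. */
bool sum_of_list(int count, long *out)
{
    node_t *head = build_list(count);
    if (head == NULL && count > 0) return false;   /* nothing allocated */
    long acc = 0;
    bool ok = sum_rec(head, 0, &acc);
    if (ok) *out = acc;
    free_list(head);                               /* single exit path */
    return ok;
}

/* For checks: the sum, or -1 when the walk was refused. */
long sum_or_minus_one(int count)
{
    long s = 0;
    return sum_of_list(count, &s) ? s : -1;
}
```

A list of 64 nodes is the deepest the bound allows (depths 0 to 63); the 65-node case is refused rather than allowed to recurse on. In production code the same walk would be written iteratively, but the bound is what turns an unbounded recursion into a testable failure mode.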
85. s the amplifier input capacitance been compensated?
Explanation: Capacitive feedback compensates for the input capacitance of an OpAmp or a transistor (FET) but also increases the risk of instability. A check is necessary to prevent this risk.

hysteresis for noise immunity
Clue type: component only. Item: comparator, OpAmp
Clue Text: Has hysteresis been implemented to improve noise immunity?
Explanation: For a comparator, hysteresis can be implemented by positive feedback, usually a resistor between the output and the non-inverting input. If no hysteresis is implemented, depending on the signal noise at the inputs, the output may bounce during the change of state.

adjustment of input impedance
Clue type: component only. Item: OpAmp, transistor, amplifier
Clue Text: Has the input impedance been adjusted?
Explanation: For instance, to compensate the input offset errors of an amplifier, equalizing input resistors shall be implemented to allow adjustment. If the offset has an effect on the correct processing of the circuit, these input resistors are imperative. Voltage converters or current converters made with OpAmps should have a resistor on the non-inverting input adjusted with the feedback resistor. If the feedback is made via a complex network, a corresponding complex network should also be provided on the input impedance.

commutation time of transistor
Clue type: Item: transistor
86. t Can a low impedance tie two power sources together?
Explanation: Under some switching conditions a low-impedance load (relay coil, inductor, motor, transformer, diode, wire) may be connected between two power sources and create a short circuit.

Identifier 99 temperature limit for multi-layer tantalum capacitors
Clue Text: Can the temperature of a multi-layer tantalum capacitor exceed 38 °C?
Explanation: The anode wire of multi-layer tantalum capacitors intersects when the temperature is above 38 °C.

reverse voltage on a polarized capacitor
Item: capacitor
Clue Text: Can a reverse voltage be applied to the polarized capacitor?
Explanation: If a reverse voltage is applied to a polarized capacitor, the capacitor will burst. A protection diode against reverse voltage, in parallel with the capacitor, can be added.

capacitive feedback between an amplifier's input and output
Item: OpAmp, amplifier
Clue Text: For an amplifier with capacitive feedback, does the amplifier output remain stable?
Explanation: Capacitive feedback between the input and the output of an OpAmp can lead to instability in an unexpected frequency range. These oscillations may be superposed on the nominal signal and induce erroneous processing.

compensation of amplifier input capacitance
Clue type: component only. Item: OpAmp, transistor, amplifier
Clue Text: Ha
87. table charge/discharge current
Clue type: capacitor
Clue Text: Is the charge/discharge current flowing through the capacitor within the specified rating of the capacitor and of the other components to which it is connected?
Explanation: Depending on the capacitor technology, the current flowing through the capacitor shall not exceed a specified value. As this current may reach a high intensity, its influence on other items (fuses, transistors, voltage spikes) shall be carefully studied in order to respect the appropriate ratings.

high switching current for tantalum capacitors
Clue Text: Is there a possibility of a high switching current, and is the capacitor a tantalum type?
Explanation: For polarized solid tantalum capacitors the charge and discharge current flowing through the capacitor should be limited (0.1 Ω/V); a resistor can be used to limit the current. Current through ceramic capacitors should not exceed 50 mA.

voltage delay during power transition
Item: capacitor
Clue Text: Are the different capacitor charge and discharge times within a circuit acceptable?
Explanation: If some capacitors reach their operating voltage before others, the designer shall ensure that this does not lead to an unexpected current path or to temporarily wrong processing of a function.

capacitor used as status indicator
Clue type: component onl
88. talum capacitors 50
type coercion 76
temperature stability problems 35
unconnected signals 41
temporal gap between switching of [...] 41
temporal independence between [...] 42
undesired state inhibition 43
unexpected activation 59
test sequence and priority 81
uniform logical indication 42
timing compatibility 28
unstable or irreversible state 52
transient current through a fuse or breaker 44
unused bus 25
unused inputs tied to other inputs 25
transient current through a relay contact 33
use of access types and pointers 90
valve used for different functions 94
transient exceeding breakdown voltage 17
variable loop index limit 83
voltage compatibility between different IC families 18
transient exceeding max current 16
transient flow paths 95
voltage delay during power transition 31
transitory current gap while switching 62
voltage protection on inputs 23
transitory current path through [...]
water hammer 92
89. tched off in inductors, coils or transformers, an unlimited reverse voltage is generated, with possible oscillations. This reverse overvoltage is likely to destroy any sensitive components located nearby. To suppress this overvoltage, a diode with a reverse-coupled Zener diode in series is usually implemented in parallel as a protection. The Zener diode increases the forward resistance of the diode in order to lower the oscillation time constant. Without the Zener diode the time constant is increased by a factor of 5 to 10, and the reverse-voltage burn-out of the diode shall be carefully considered.

Clue type: switch, capacitor, battery, power supply
Clue Text: Does the signal remain within its expected voltage range for the expected switching conditions?
Explanation: During particular phases (e.g. testing or change of modes) some switching combinations may be activated in a sequence or order quite different from that expected by the designer. The signal may then:
1. exceed (positively or negatively) the voltage supply of a circuit dealing with this signal, leading to a sneak current path or to erroneous processing (operational amplifier, comparator, digital circuit, transistor);
2. remain within a medium voltage range unacceptable for the circuit (digital circuit, MOSFET);
3. remain floating (indeterminate);
4. simply activate the wrong function(s) for this mode.
Reference signals or polarization signals shall be checked as
90. Identifier 1468 loss of ground
Clue type: path, component, component only. Item: node
Clue Text: Does loss of ground allow feedback into the path?
Explanation: If the ground is used to determine the potential of a branch, the loss of a ground contact (after switching or disconnection, for instance) will leave the junction point floating, allowing an unexpected current to flow through the other branches. It may also mis-bias some circuits and destroy them.

Explanation: Losing a power source (unexpected switching or disconnection) may create an intermediate bias voltage, allowing an unwanted current path in the other branches, or component malfunction.

Identifier 148
Clue type: resistor
Clue Text: Is a high-value resistor compatible with a low parasitic capacitance?
Explanation: A parasitic capacitance is created by a circuit input and the board wiring; combined with a high-value resistor it can create an unexpected time constant.

turn-on delay of a diode
Clue type: component only. Item: diode
Clue Text: Is the turn-on delay acceptable for the diode?
Explanation: Sometimes a current-versus-time curve gives information on a necessary turn-on delay for the diode.
91. the name of the item. The level of a particular item within the hierarchy is shown by the amount of indentation from the left-hand margin, lower-level items being more indented than an item in the level above. When a clue pertains to a parent item, it also pertains to the daughter items.

0 Component
  1 Part
    2 signal
    2 label
      3 Offpage (connection symbol between different drawings)
    2 Electronic
      3 Active
        4 IC (integrated circuits)
          5 Digital
            6 driver
            6 tristate
            6 gate
              7 buffer
              7 and
              7 nand (negated AND)
              7 or
              7 nor (negated OR)
              7 not
              7 xor (exclusive OR)
            6 memory
              7 RAM (random access memory)
                8 DRAM (dynamic RAM)
                8 SRAM (static RAM)
              7 ROM (read only memory)
                8 PROM (programmable ROM)
                8 EPROM (erasable PROM)
                8 EEPROM (electrically erasable PROM)
            6 Array device
              7 PLA (programmable logic array)
              7 LCA (logic cell array)
              7 EPLD (electrically programmable logic)
              7 PAL (programmable array logic)
            6 Static
              7 latch
              7 JK (J-K flipflop)
              7 register
              7 flipflop
              7 monoflop
              7 bistable
              7 RS (Reset-Set flipflop)
          5 Counting
            6 counter
            6 mux (multiplexer)
            6 shift
            6 adder
            6 Clock
            6 Oscil
92. tly supplied, one being powered while the others are not.

Item: diode
Clue Text: Can the diode junction be biased beyond breakdown?
Explanation: This can particularly occur if there are multiple voltages or possibilities of voltage spikes.

Identifier 28
Item: OpAmp, transistor
Clue Text: Is a compensation network implemented to correct a non-linear transfer pattern that supplies the lower branches?
Explanation: Either the non-linear function is designed to be non-linear (pre-accentuation of high frequencies, for instance), or the non-linearity is unexpected, and then a compensation network should be added. Multiple circuits in series (OpAmps) generally induce non-linear transfer functions.

Clue Text: Is the feedback network implemented on separated boards?
Explanation: The wire length used to connect the separated boards can induce variable inductive and capacitive effects, modifying the feedback characteristics. The response of the circuit may be altered and oscillation may arise.

protection against reverse voltage
Item: regulator, OpAmp
Clue Text: Is the regulator protected against reverse voltage?
Explanation: If a voltage drop or a short circuit occurs at the regulator input, the reverse voltage applied to the regulator can exceed the breakdown voltage. If the regulator has no internal protection diode, an external protection diode shall be added.
93. ue Text: Can the time constant of a signal path induce a critical delay for the signal?
Explanation: A long signal path between circuit boards can cause signal delays and resulting timing sneaks. Digital devices, analog switches, comparators and transistors may exhibit unpredictable behaviour due to the resulting glitches.

Identifier 34A RC/LC time constant
Clue type: path, component, component only. Item: capacitor, inductor
Clue Text: Can the time constant of a resistor-capacitor or inductor-capacitor circuit induce a critical delay for the signal?
Explanation: If a resistor-capacitor network is implemented on the signal path, a delay is induced that may introduce a timing sneak. The rise and fall times may be affected, especially for digital circuits, and the operating frequency may not be achieved. Moreover, with slow rise and fall times, digital circuits may deliver erroneous signals. Digital devices, analog switches, comparators and transistors may exhibit unpredictable switching times and excessive power dissipation due to imprecise switching caused by excessive input time constants.
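The RC time constant check of clue 34A, which also serves the "delay of a signal, high output resistance" and "high-value resistor with parasitic capacitance" clues above, as an added example that is not part of the standard. The node is driven by an ideal step and the threshold crossing is found by stepping the RC differential equation, so no math library is needed; the component values in the usage note are assumptions.

```c
#include <stdbool.h>

/* Time for an RC node driven by a 0 -> vdd step to reach vth, obtained by
   stepping dv/dt = (vdd - v)/(R*C) with dt = tau/1000. The closed form is
   R*C*ln(vdd/(vdd - vth)); the stepped value is within 1 % of it.
   Returns seconds, or -1 when vth cannot be reached. */
double rc_cross_time(double r_ohm, double c_farad, double vdd, double vth)
{
    if (vth >= vdd || vth <= 0.0) return -1.0;
    double tau = r_ohm * c_farad, dt = tau / 1000.0, v = 0.0, t = 0.0;
    while (v < vth) {
        v += (vdd - v) * dt / tau;
        t += dt;
    }
    return t;
}

/* Highest clock at which the node crosses the threshold within half a
   period on both edges (rise and fall share the same tau in this model). */
double rc_max_frequency_hz(double r_ohm, double c_farad, double vdd, double vth)
{
    double t = rc_cross_time(r_ohm, c_farad, vdd, vth);
    return t > 0.0 ? 1.0 / (2.0 * t) : 0.0;
}

/* The clue as a predicate: is the required clock below the RC limit? */
bool rc_timing_ok(double r_ohm, double c_farad, double vdd, double vth,
                  double f_required_hz)
{
    return f_required_hz <= rc_max_frequency_hz(r_ohm, c_farad, vdd, vth);
}
```

For a 10 kΩ source driving 100 pF at a 3.3 V / 1.65 V threshold the crossing takes about 0.69 µs, so a 500 kHz clock passes and a 1 MHz clock fails; a 1 MΩ pull-up with only 10 pF of parasitic capacitance limits the same node to roughly 70 kHz, which is the "high-value resistor" case in numbers.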
94. ump, turbine, valve
Clue Text: Has the flow transient time when an item changes state been taken into account?
Explanation: When a valve is opened or closed, a certain time is needed for the flow to be fully established or stopped, as the case may be. This transient time could cause synchronization problems with other equipment (e.g. other valves in the circuit that have different response times). Similar considerations also apply to other items (e.g. pumps, turbines). The synchronisation problems could cause unintended flow, or no flow, during the transient.

Identifier 2016 leakage flow
Item: checkv, cvalve, drain, pump, sv, tank, tankbladder, tankpres, turbine, valve, vent, vessel
Clue Text: Can the leakage flow of the component lead to an undesired activation or inhibition of other equipment in the circuit?
Explanation: For instance, when a circuit segment should nominally be isolated, internal leakage from the segment above can cause an unintended flow to other parts of the circuit.

Identifier 2017
Item: tank, tankpres, vessel
Clue Text: Has the presence of internal storage devices been taken into account when designing the power-off sequence of the system?
Explanation: As internal storage devices (e.g. vessels, containers, accumulators) might contain significant masses of fluid after the external supply sources are removed or isolated, a proper isolation sequence o
95. valves, tanks etc. are affected by corrosion, incrustations and deposits of material on their walls. This could also affect the friction coefficients and therefore the characteristics of the fluid flow.

Identifier 2007
Item: checkv, drain, pump, sv, tank, tankbladder, tankpres, turbine, valve, vent, vessel
Clue Text: Can corrosion products catalyse a reaction?
Explanation: Some corrosion products might catalyse a reaction with the fluid contained in the hydraulic system.

Identifier 2008A
Item: drain, vent
Clue Text: Do common drain, vent, pressurisation or blanketing lines connect several sources?
Explanation: If several fluid sources are connected through common lines, the unintended mixture or reaction of two or more of them could damage the system or affect its required performance. If the common lines are unavoidable, precautions (e.g. installation of a valve allowing only one-way flow) should be taken to prevent unintended mass flow through these common lines.

Clue Text: Have sources of different fluids, and/or at different pressures or temperatures, been connected together?
Explanation: Some flow sources might require isolation from other sources. If this is not done, an undesired chemical reaction and/or an unintended change of the characteristics of the fluid flow might occur.

Identifier 2009
Item: drain
Clue Text: Does loss of drains allow backfeeding into th
96. ven for nominally identical numbers.

Identifier 1029 decimal point placement
Clue type: path, component, component only. Item: assign, box
Clue Text: Are commas and decimal points confused?
Explanation: This can be a problem especially if there is an interchange between English-speaking and continental European programming environments.

Clue type: path, component, component only
Clue Text: Does the call parameter list match the function definition list, in number, in types and in number of array indices?
Explanation: A mismatch between the call and the declaration of a procedure, in number and type of parameters, is a typical programming error. It is especially prevalent when procedures are extended.

Identifier 1031
Clue type: path, component, component only. Item: assign, box, call
Clue Text: Is a function name or operator symbol overloaded? Can confusion of type then occur?
Explanation: Overloading (multiple typing) of procedures, operators etc. can systematically lead to errors if the code is not modified accurately to reflect the change in operand or parameter types.

Identifier 1032
Clue type: path, component, component only. Item: assign, box, call
Clue Text: Can new values be assigned to constants when they are used in the parameter list?
Explanation: When constants are used in a parameter list for a procedure or function call, it may be possible to assign a new value to the constant. This can cause an e
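Clues 1028 and 1029 in C, as an added example that is not part of the standard. strtod() in the C locale stops silently at a comma, so "3,14" parses as 3 unless the caller checks where parsing ended; the strict parser below refuses trailing text, and the separator-aware parser refuses a value written with the other convention instead of guessing. The buffer size is an assumption made for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Clue 1029: the whole string must be consumed, otherwise "3,14" becomes 3
   and "42abc" becomes 42 with no error. */
bool parse_number_strict(const char *s, double *out)
{
    char *end = NULL;
    double v = strtod(s, &end);
    if (end == s || *end != '\0') return false;   /* nothing parsed, or junk */
    *out = v;
    return true;
}

/* Parse with an explicit decimal separator and reject the other one, so a
   value written as "3,14" in one environment cannot be misread as 3.14 or
   as 314 in another. The 64-byte limit is an assumption. */
bool parse_decimal(const char *s, char sep, double *out)
{
    char buf[64];
    size_t n = strlen(s);
    if (n >= sizeof buf) return false;
    for (size_t i = 0; i <= n; i++) {            /* copies the terminator too */
        char c = s[i];
        if (c == sep) c = '.';
        else if (c == '.' || c == ',') return false;   /* wrong convention */
        buf[i] = c;
    }
    return parse_number_strict(buf, out);
}

/* Convenience for checks: the parsed value, or `fallback` on rejection. */
double strict_or(const char *s, double fallback)
{
    double v;
    return parse_number_strict(s, &v) ? v : fallback;
}

double decimal_or(const char *s, char sep, double fallback)
{
    double v;
    return parse_decimal(s, sep, &v) ? v : fallback;
}
```

Clue 1028 (the right number of zeros) is a review check rather than a parser check, but the same strict parser lets a test assert that a constant written as "1e6" and one written as "1000000" really are the same value.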
97. wordings 41
current limiters in series 46
collector base junction reverse biased 18
data consistency on error recovery 88
data corruption [...]
command duration adapted to circuit characteristic 45
data read frequency 74
deadlock 86
command input implementation 22
decimal point placement 79
common drain or venting lines 93
decoupling capacitor for each board 49
commutation time of transistor 52
decoupling capacitor values 28
compensation of amplifier input capacitance 51
deep level [...] 88
delay due to parasitic capacitance 23
component direction 60
delay of a signal 21
computed address error 89
delay of a signal, high output resistance 23
connected flow sources 93
connected power sources 54
digital distributed signal 24
connected tristate outputs enabled 36
diode prevents energy release 29
connection of testing circuits 65
discharge circuit for a power source 44
disconnecting separated connectors 48
indicator correct function label 71
disconnection from signal s
98. …x a bias (polarization) signal may be derived by a component using this reference signal.
Item: transistor, OpAmp, Zener diode
The bias (polarization) current shall be high enough to provide a stable reference with the correct voltage. A capacitor may also be added for decoupling. Ensure that a scheduled disconnection or switching will not modify the correct functioning of the circuit.

Item: E
Clue Text: Has the delay time of one-shot items or electro-explosive devices been considered during design?
Explanation: The following topics should be checked: sufficient pulse duration; explosion duration.

Clue Text: Have interfaces with the outside world a protective and polarization device?
Explanation: To prevent component damage or erroneous information, unterminated inputs at an interface may require a polarization resistor (pull-up or pull-down). A resistor in series with the inputs/outputs shall protect the components from static discharge. Protection diodes may also be added on unsuppressed inputs/outputs. In case an erroneous signal is applied to the circuit through a test interface, a protection shall prevent the circuit from being damaged.

Identifier: splitting and recombining of a digital signal
Clue type: path / component / component only
Item: digital connector, interlock
Clue Text: Does a digital signal sharing a common source and load split and later recombine?
Explanation: Glitches…
99. …xplanation: During initialization the relay state shall be clearly established.

Item: transistor
Clue Text: During power-on or initialization, is the component in a correct predefined state?
Explanation: During initialization, high-impedance outputs shall have appropriate polarization resistors (e.g. so as not to bias an NPN base).

Identifier: switching item dedicated to a function
Item: switch contact, breaker
Clue Text: When a protective device is activated, are other functions than those expected affected?
Explanation: With elaborate equipment, some combinations may lead to unexpected behaviour of functions or to inhibition of functions.

Identifier: saturated or clipped signal
Item: OpAmp, amplifier, transistor
Clue Text: Can an output signal be saturated or clipped?
Explanation: For instance, with an integrator, the saturation of the feedback capacitor induces a saturated signal and an erroneous output signal. When amplifiers are used (OpAmp, transistor), if the gain is not correctly adjusted the output signal may be saturated. If the amplifier polarization is not symmetrical, the output signal may saturate asymmetrically.

Identifier: saturated or clipped signal (input)
Clue type: component only
Item: OpAmp, amplifier, transistor
Clue Text: Can an input signal be saturated or clipped?
Explanation: For instance, with an integr…
100. …y
Item: capacitor
Clue Text: Is a capacitor voltage used to feed a status indicator or sensor?
Explanation: If a capacitor voltage is used, directly or not, as status information by a monitoring circuit, the capacitance may induce a delay in monitoring.

Identifier: protection against reverse voltage
Clue type: component only
Item: inductor, coil, relay, transformer, motor
Clue Text: Is the overvoltage generated when switching a winding suppressed?
Explanation: If the current drift direction changes, or if the current is switched off in inductors, coils or transformers, an unlimited reverse voltage is generated, with possible oscillations. This reverse overvoltage is likely to destroy any sensitive components located nearby. To suppress this overvoltage, a diode with a reverse-coupled Zener diode in series is usually implemented in parallel as a protection. The Zener diode increases the forward resistance of the diode in order to lower the oscillation time constant. Without the Zener diode the time constant is increased by a factor of 5 to 10, and the reverse-voltage burn-out of the diode shall be carefully considered.