ISO 28701:2021 – Space Systems — Safety Principles and Requirements

Safety principles, requirements, and risk management framework for space systems throughout the mission lifecycle

Scope and Foundational Safety Principles

ISO 28701:2021 provides a comprehensive safety framework applicable to all space systems, including launch vehicles, spacecraft, payloads, and supporting ground equipment, throughout their entire lifecycle. The standard recognizes that space operations present unique safety challenges: the extreme physical environments of launch and orbital flight, the irreversibility of many failure modes, and the potential for catastrophic consequences affecting both personnel on the ground and assets in orbit. Three foundational principles underpin the standard: absolute priority of human safety, systematic hazard identification and control, and defense-in-depth through multiple independent safety barriers.

The defense-in-depth principle requires that no single failure — whether hardware, software, or human error — shall lead to a catastrophic event. This means every critical hazard must be controlled by at least two independent, verifiable safety barriers.

The safety lifecycle defined in ISO 28701 spans seven phases: conceptual study, preliminary design, detailed design, manufacturing and integration, testing and verification, launch and operations, and disposal. At each phase, specific safety reviews are mandated with formal gate approvals. The standard emphasizes that safety engineering cannot be retroactively applied — it must be integrated from the earliest conceptual stages. Hazard analyses initiated during conceptual design inform architectural decisions that fundamentally shape the system’s safety posture.

Hazard Analysis and Risk Assessment Methodology

ISO 28701 mandates a structured hazard analysis process employing multiple complementary techniques. Preliminary Hazard Analysis (PHA) identifies top-level hazards during conceptual design. Subsystem Hazard Analyses (SSHA) and System Hazard Analyses (SHA) progressively refine the hazard inventory as design details mature. The standard requires classification of hazards by severity — from negligible (no injury, minor system damage) to catastrophic (loss of life, loss of mission). Probability categories range from extremely improbable to frequent, and the combination of severity and probability defines risk acceptability using an established risk matrix.

Severity      | Definition                                             | Examples                                                    | Maximum acceptable probability
--------------|--------------------------------------------------------|-------------------------------------------------------------|------------------------------------------
Catastrophic  | Loss of life, permanent disability, loss of system     | Launch vehicle explosion, crew capsule depressurization     | Extremely improbable (≤ 10⁻⁷ per flight)
Critical      | Severe injury, major system damage, environmental harm | Toxic propellant release, parachute deployment failure      | Improbable (≤ 10⁻⁵ per flight)
Marginal      | Minor injury, moderate system damage                   | Communication link dropout, contained minor electrical fire | Remote (≤ 10⁻³ per flight)
Negligible    | No injury, minimal system impact                       | Single sensor anomaly, non-critical software glitch         | Frequent (acceptable with monitoring)
Crew-rated launch vehicles developed under systematic safety frameworks of this kind have demonstrated vehicle-level catastrophic (loss-of-crew) probabilities below 1 in 500 per flight, roughly two orders of magnitude better than uncrewed vehicles designed without such a framework. That is a whole-vehicle figure aggregating every identified hazard; the 10⁻⁷ ceiling in the table applies to each individual catastrophic hazard after its controls are credited, so the two values are not directly comparable.

Safety Requirements Across Lifecycle Phases

The standard establishes detailed safety requirements organized by engineering domain. Structural safety requirements mandate positive safety margins under all loading conditions including a 1.25 ultimate factor of safety. Propulsion system safety addresses pressure vessel burst protection, propellant leak detection, and thrust termination capabilities. Electrical safety covers fault-tolerant power distribution, bonding and grounding, and arc prevention in partial vacuum environments. Software safety requirements are particularly rigorous, mandating a development assurance level commensurate with hazard severity and requiring verified compliance with DO-178C or equivalent guidelines for safety-critical functions.

A recurring finding from space system anomaly investigations is inadequate separation between redundant safety-critical functions. ISO 28701 requires physical and functional segregation with verified independence — common-cause failures from single events (e.g., meteoroid impact, fire, electrical fault) must not defeat all redundant paths.
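The two-barrier rule above and the segregation requirement in this paragraph can be checked mechanically once each barrier is described by the shared resources it depends on. The following script is an added example written for this page; it is not text or code from ISO 28701 or from any space program. Every barrier, hazard and resource name in it (power buses, tank mounts, flight computers, FTS receivers) is constructed for illustration.

```python
"""Common-cause independence check for redundant safety barriers.

Added example written for this page; it is not part of ISO 28701 or any
project's code. It encodes the defense-in-depth rule that every
catastrophic hazard must be controlled by at least two barriers sharing
no single point of failure, and the segregation rule that a shared power
supply, processor or structural attachment defeats that independence.
All barrier, hazard and resource names below are constructed.
"""
from itertools import combinations

# Each barrier is described by the set of shared resources it depends on.
# Two barriers are independent only when these sets are disjoint.
BARRIERS = {
    "relief_valve_A": {"power_bus_A", "tank_mount_1"},
    "relief_valve_B": {"power_bus_B", "tank_mount_2"},
    "burst_disk": {"tank_mount_3"},                           # passive: no power, no processor
    "fts_receiver_1": {"power_bus_A", "flight_computer_1"},
    "fts_receiver_2": {"power_bus_A", "flight_computer_2"},   # same bus as receiver 1
}

# Catastrophic hazards and the barriers claimed to control each of them (constructed).
HAZARDS = {
    "tank_overpressure": ["relief_valve_A", "relief_valve_B", "burst_disk"],
    "errant_vehicle_flight": ["fts_receiver_1", "fts_receiver_2"],
}


def largest_independent_group(barrier_names, barriers=BARRIERS):
    """Largest subset of the given barriers whose dependency sets are pairwise disjoint.

    Brute force is acceptable: a single hazard rarely has more than a handful of barriers.
    """
    names = list(barrier_names)
    for size in range(len(names), 0, -1):
        for group in combinations(names, size):
            if all(barriers[a].isdisjoint(barriers[b])
                   for a, b in combinations(group, 2)):
                return list(group)
    return []


def common_causes(barrier_names, barriers=BARRIERS):
    """Resources that every listed barrier depends on: one event there defeats all of them."""
    sets = [barriers[n] for n in barrier_names]
    return sorted(set.intersection(*sets)) if sets else []


def check_hazard(hazard, hazards=HAZARDS, barriers=BARRIERS, min_independent=2):
    """Apply the two-independent-barrier rule to one hazard."""
    names = hazards[hazard]
    group = largest_independent_group(names, barriers)
    return {
        "hazard": hazard,
        "barriers": names,
        "independent_barriers": group,
        "common_causes": common_causes(names, barriers),
        "compliant": len(group) >= min_independent,
    }


def audit(hazards=HAZARDS, barriers=BARRIERS):
    """Return the non-compliant hazards, i.e. the findings a safety review would raise."""
    results = [check_hazard(h, hazards, barriers) for h in hazards]
    return [r for r in results if not r["compliant"]]


if __name__ == "__main__":
    for h in HAZARDS:
        r = check_hazard(h)
        verdict = "OK" if r["compliant"] else "NON-COMPLIANT"
        print(f"{r['hazard']}: {verdict}; independent={r['independent_barriers']}, "
              f"common_causes={r['common_causes']}")
```

In the constructed data, the overpressure hazard passes because the two relief valves and the burst disk share nothing, while the flight termination hazard fails even though it nominally has two receivers: both sit on the same power bus, which is exactly the shared-supply violation described above. Modelling software partitions or structural attachments as resources in the same way extends the check to the other segregation failures the text lists.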

Range safety requirements address the unique hazards of launch operations including flight termination systems capable of destroying a malfunctioning launch vehicle within 250 milliseconds of command issuance. Orbital safety requirements cover collision avoidance, end-of-life disposal within 25 years per ISO 24113 space debris mitigation guidelines, and passivation of stored energy sources (batteries, pressure vessels, flywheels) to prevent post-mission fragmentation.

Propellant system operations represent the highest residual risk in space systems. ISO 28701 requires that all propellant handling operations be conducted under approved procedures with real-time monitoring of temperature, pressure, and leak detection. Hypergolic propellant transfer operations demand full remote operation capability with blast-resistant barriers.

Safety Verification and Certification

ISO 28701 requires a comprehensive safety verification program combining analysis, inspection, and testing. Verification methods include demonstration (qualitative functional checks), test (quantitative performance measurement under specified conditions), analysis (engineering calculations and simulations), and inspection (physical examination of hardware). The safety verification matrix must trace each hazard control to its verification method and demonstrate closure. A safety data package documenting all hazard analyses, risk assessments, verification results, and unresolved risks is delivered at each major program milestone. Third-party independent safety assessment is recommended for crewed missions and high-value robotic missions.
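The risk matrix from the hazard analysis section and the verification matrix described here fit together naturally in one data model: a hazard carries a severity, a residual probability and a list of controls, and each control traces to one of the four verification methods and a closure status. The script below is an added example written for this page, not code or text from ISO 28701; the probability ceilings reproduce the page's severity table, while the hazard records, control identifiers and statuses are constructed.

```python
"""Risk acceptability and safety verification matrix closure.

Added example written for this page, not text or code from ISO 28701.
The probability ceilings reproduce the page's severity table; the hazard
records, control identifiers and verification statuses are constructed.
"""
from dataclasses import dataclass, field

# Maximum acceptable probability per flight for each severity category.
# Negligible hazards have no numeric ceiling: they are accepted with monitoring.
MAX_ACCEPTABLE_PROBABILITY = {
    "catastrophic": 1e-7,
    "critical": 1e-5,
    "marginal": 1e-3,
    "negligible": None,
}

# The four verification methods named by the standard.
VERIFICATION_METHODS = {"demonstration", "test", "analysis", "inspection"}


@dataclass
class Control:
    control_id: str
    method: str      # how the control is verified
    status: str      # "closed" once verification evidence is accepted, else "open"

    def __post_init__(self):
        if self.method not in VERIFICATION_METHODS:
            raise ValueError(f"{self.control_id}: unknown verification method {self.method!r}")


@dataclass
class Hazard:
    hazard_id: str
    severity: str
    probability: float          # estimated per-flight probability with controls in place
    controls: list = field(default_factory=list)


def risk_acceptable(severity, probability):
    """Risk matrix lookup: is the residual probability within the ceiling for its severity?"""
    ceiling = MAX_ACCEPTABLE_PROBABILITY[severity]
    return ceiling is None or probability <= ceiling


def hazard_status(hazard):
    """Status of one hazard in the safety verification matrix.

    A hazard closes only when its residual risk is acceptable and every
    control tracing to it has been verified. A non-negligible hazard with no
    controls cannot close regardless of the probability claimed for it.
    """
    if not risk_acceptable(hazard.severity, hazard.probability):
        return "unacceptable-risk"
    if hazard.severity != "negligible" and not hazard.controls:
        return "uncontrolled"
    if any(c.status != "closed" for c in hazard.controls):
        return "open-verification"
    return "closed"


def verification_matrix(hazards):
    """Traceability rows: one (hazard, control, method, status) tuple per control."""
    return [(h.hazard_id, c.control_id, c.method, c.status)
            for h in hazards for c in h.controls]


def safety_data_package(hazards):
    """Milestone summary: per-hazard status plus the sorted list of unresolved hazards."""
    statuses = {h.hazard_id: hazard_status(h) for h in hazards}
    return {
        "statuses": statuses,
        "unresolved": sorted(hid for hid, s in statuses.items() if s != "closed"),
    }


# Constructed sample hazard inventory (identifiers and values are illustrative).
SAMPLE_HAZARDS = [
    Hazard("H-001", "catastrophic", 5e-8,
           [Control("C-001", "test", "closed"), Control("C-002", "analysis", "closed")]),
    Hazard("H-002", "critical", 2e-5, [Control("C-003", "test", "closed")]),
    Hazard("H-003", "marginal", 1e-4, [Control("C-004", "inspection", "open")]),
    Hazard("H-004", "negligible", 0.3),
    Hazard("H-005", "catastrophic", 1e-8),
]


if __name__ == "__main__":
    for row in verification_matrix(SAMPLE_HAZARDS):
        print("  ".join(row))
    print(safety_data_package(SAMPLE_HAZARDS))
```

Three of the five constructed hazards remain unresolved for three different reasons: H-002 exceeds the critical ceiling, H-003 has a control whose inspection has not closed, and H-005 claims an acceptable probability for a catastrophic hazard that traces to no control at all. Separating those causes in the status field is what lets a safety data package report unresolved risks rather than a single pass/fail count.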

FAQ

Q: How does ISO 28701 relate to other space safety standards like ECSS and NASA-STD-8719?
A: ISO 28701 serves as an umbrella framework harmonizing concepts from ECSS-Q-ST-40 (space safety), NASA-STD-8719 (range safety), and MIL-STD-882 (system safety). It provides internationally-agreed requirements suitable for cross-border space programs and commercial launch services.
Q: Is ISO 28701 applicable to small satellites and CubeSats?
A: Yes, though the rigor of application should be proportional to risk. Small satellite developers should implement the hazard analysis framework at minimum, with full requirements application for systems carrying hazardous materials (propellants, high-pressure vessels, batteries) or with significant orbital debris potential.
Q: What is the most common non-compliance found in safety reviews?
A: Incomplete or inadequately verified independence between redundant safety functions. Segregation requirements are often violated by shared power supplies, common structural attachments, or software running on the same processor without sufficient partitioning.
Q: When should the first safety review occur in a space program?
A: The preliminary safety review should occur before the end of Phase A (conceptual study), typically 3-6 months after program initiation. Delaying the first safety review until detailed design often necessitates expensive rework when safety requirements force architectural changes.
