
Safety Design and Verification Analysis in the Satellite Development Stage

2021-07-14

Aerospace China, 2021, No. 4

REN Xiangwen,CHEN Baifeng

DFH Satellite Co., Ltd., Beijing 100094

Abstract: Safety design applies to every stage of a satellite system's development life cycle. It identifies and analyzes hazards at the system level, eliminates or controls the resulting safety risks, and verifies that the functions of the satellite system have the required safety characteristics, so that the system is optimized for performance within its time and cost constraints. This article considers satellite reliability, complexity and life cycle together and covers the overall satellite safety work plan, hazard analysis, hazard sources, and the safety-critical designs of pyrotechnic devices and other modules. Safety design measures were formulated, and the effectiveness of system functions, from the safe supply of power to the satellite to the firing of pyrotechnic devices, was reviewed and verified so that the satellite's safety requirements are met from the development stage onward. Safety design activities for each subsystem ensure that the satellite system as a whole meets its development requirements and cannot cause casualties, equipment damage or property loss, or have a health-threatening or detrimental impact on the environment.

Key words: satellite system, development project, safety design, functional verification

1 INTRODUCTION

The development of a satellite system is a complex system engineering task. In general, safety design, including design for minimum risk and the provision of safety countermeasures, is used to eliminate or reduce safety risks such as single-point failures of the satellite system at their source, in accordance with the user's development requirements, the applicable safety design standards, the mission functions, the system's environmental factors and changes in safety technology. Considering satellite reliability, complexity and life cycle from the perspective of the satellite safety work plan, hazard analysis, hazard sources, and the safety design of pyrotechnic devices and other modules, we formulated safety design measures and reviewed and validated the effectiveness of system functions, from the safe supply of power to the whole satellite to the firing of pyrotechnic devices, so as to meet the safety requirements from the satellite development stage onward.

2 DESIGN SAFETY PROCEDURES FOR A SATELLITE DEVELOPMENT PROJECT

2.1 Design Safety Procedural Items for a Satellite

In order to achieve the goals of the whole satellite development mission, the satellite prime contractor formulates a safety design work plan in accordance with the Spacecraft Product Safety Assurance Requirements. The plan lays out the safety design work items to be implemented in the satellite development phase and extends them to the constituent parts of each subsystem for confirmation and inspection according to the processes of the development phase. The safety design work items for whole-satellite development are shown in Table 1.

Through risk analysis of the design, the satellite prime contractor determines a list of the general hazards and failure hazards of the satellite that affect safety. A satellite has two kinds of hazard sources: general hazards, such as hydrazine propellant, lithium-ion batteries and pyrotechnic cutters, and hazards caused by failures, such as failure of propellant storage tanks or power supply circuits. The two kinds of hazards are listed in Table 2 and Table 3.

Table 1 Safety design work items for the whole satellite development

Table 2 List of satellite general hazards

Table 3 List of dangerous sources of satellite failure

2.2 Safety Design for Satellite Pyrotechnic Devices

Satellites generally use pyrotechnic devices as the actuating elements for unlocking the solar wings and antennas. In terms of safety design, insensitive pyrotechnic devices are used as far as possible, and several independent barriers are placed between the battery and the bridge wire. The pyrotechnic bus is controlled by the separation switch, so that the bus can only be switched on after the satellite has separated from the launch vehicle. The firing relay is switched on and off by the unlocking command; it is a non-latching (non-magnetic-holding) relay, so when the command pulse disappears the contact opens and the power supply to the pyrotechnic device is automatically cut off. To remove the hazard of an unknown short circuit between the bridge wire and its shell after initiation, a suitably sized current-limiting resistor is placed in series with each device; it limits the current and acts as a fuse, protecting the battery pack. During storage, transportation and testing of the satellite, unless work on the pyrotechnics is actually being performed, the separation (pressure point) switch is held fully open by a switch limiter, and all positive and negative lines of the pyrotechnic devices are shorted together through a positive-line protection plug.

2.3 Satellite Bus Safety Protection Design

In general, a satellite uses a combination of centralized and distributed power supply and distribution. The interfaces between each unit on the satellite and the primary power bus must be designed so that a failure in one unit cannot affect other units or the power supply of the whole satellite. Each unit is monitored for correct operating status and is enabled through a control switch at its primary power input: a soft fault can be recovered by cycling the unit, and a permanent fault can be isolated by switching the unit off completely. All units use fuses, current-limiting resistors or other current-limiting devices at the input terminals of their DC-DC modules, so that a short circuit inside a unit cannot affect the primary power bus.

The wired measurement signal of the primary bus voltage is connected through a series protective resistor inside the satellite, and current is measured with Hall current sensors, so that a failure of the measurement circuit does not affect the normal operation of the unit or of other circuits. A mis-operation prevention output circuit is designed to prevent spurious command outputs when the distributor is powered on or off, when the master and standby lower computers switch over, and during program hot starts. In the cable network design, a socket (female) connector is generally used on the side that carries power and a pin connector on the power-receiving side, so that no live contact is an exposed pin. The bus is designed with an emergency power-off circuit, so that the battery discharge switch can be opened quickly and the satellite powered down even when it cannot be powered off by unplugging.

To prevent relay contacts from sticking because of the instantaneous high current drawn when a unit is switched on, high-power electrical equipment must have a surge current suppression circuit at its power input that keeps the initial current below 1.5 times the normal working current. The distributor is designed with a self-check circuit: after the unit is powered on, it automatically checks whether there is a short circuit downstream of the power supply switches in the attitude control and payload areas. If a short circuit is found, the telemetry parameter triggers an alarm and the internal power cable is further isolated. The power-on and power-off control relays provide this additional isolation and are grounded through a high resistance.

2.4 Safety Design for the Propulsion Subsystem

To prevent incorrect ignition of a thruster in the thruster assembly, a two-level control scheme is adopted for the electrical path of the propulsion subsystem. The power supply to the propulsion solenoid valves is routed through the separation switch and additionally requires a command, so that it remains disabled at the launch site and during the powered flight of the launch vehicle. In addition, the operation of the thrusters is controlled by a control computer: only after the satellite has separated from the launch vehicle does the attitude and orbit control computer (AOCC) allow the thrusters to operate.

The propulsion drive circuit is unpowered in its default state. The attitude laser target unit (ALTU) or the emergency control manager (ECM) issues the "propulsion primary power relay on" command, which drives two relays located downstream of the separation switch (and of the ground switch that simulates it during testing). Only when the separation switch, or its ground simulation switch, is closed is the "propulsion relay on" signal from the ALTU or ECM passed through; otherwise the signal is blocked.
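The two interlock chains above, the pyrotechnic firing chain of section 2.2 and the propulsion power chain of section 2.4, can be written down as an executable model so that each barrier can be exercised on its own. The following Python is an added example written for this article, not code from the paper or from DFH Satellite; the bus voltage, bridge-wire resistance, limiting-resistor value, pulse width and all class and function names are assumptions chosen for illustration.

```python
"""Added example (not from the paper): executable model of the pyrotechnic
firing chain (section 2.2) and the propulsion power chain (section 2.4).
Every numeric value and name here is an assumption chosen for illustration."""
from dataclasses import dataclass
from typing import Optional

BUS_VOLTAGE_V = 28.0       # assumed pyro bus voltage
BRIDGE_WIRE_OHM = 1.0      # assumed bridge-wire resistance before firing
LIMIT_RESISTOR_OHM = 5.0   # assumed series current-limiting resistor
PULSE_WIDTH_S = 0.1        # assumed width of the unlock command pulse


@dataclass
class PyroChannel:
    """One pyrotechnic firing channel with the barriers of section 2.2."""
    separation_switch_closed: bool = False   # closes only after satellite/rocket separation
    protection_plug_installed: bool = True   # ground plug shorting the + and - lines
    pulse_start: Optional[float] = None      # time at which the unlock command was sent
    bridge_ohm: float = BRIDGE_WIRE_OHM      # drops toward 0 if the shell shorts after firing

    def unlock_command(self, now: float) -> None:
        """Receive the unlocking command pulse at time `now` (s)."""
        self.pulse_start = now

    def relay_energised(self, now: float) -> bool:
        """Non-latching firing relay: closed only while the command pulse is present."""
        if self.pulse_start is None:
            return False
        return 0.0 <= now - self.pulse_start < PULSE_WIDTH_S

    def bridge_current(self, now: float) -> float:
        """Current through the bridge wire (A) at time `now`; 0.0 if any barrier is open."""
        if self.protection_plug_installed:          # lines shorted, no path from the bus
            return 0.0
        if not self.separation_switch_closed:       # pyro bus is dead before separation
            return 0.0
        if not self.relay_energised(now):           # pulse gone -> contact open
            return 0.0
        # The series limiting resistor bounds the current even if bridge_ohm collapses to 0.
        return BUS_VOLTAGE_V / (LIMIT_RESISTOR_OHM + self.bridge_ohm)


@dataclass
class PropulsionInterlock:
    """Two-level control of the thruster solenoid valve power (section 2.4)."""
    separation_switch_closed: bool = False
    ground_sim_switch_closed: bool = False   # ground switch simulating separation during test
    primary_power_cmd: bool = False          # "propulsion primary power relay on" from ALTU/ECM
    aocc_enables_thrusters: bool = False     # AOCC releases the thrusters only after separation

    def separated(self) -> bool:
        return self.separation_switch_closed or self.ground_sim_switch_closed

    def solenoid_may_fire(self) -> bool:
        """True only when the hardware path is closed AND the command is present AND the AOCC allows it."""
        return self.separated() and self.primary_power_cmd and self.aocc_enables_thrusters


def demo() -> None:
    ch = PyroChannel(separation_switch_closed=True, protection_plug_installed=False)
    ch.unlock_command(now=10.0)
    print(f"firing current {ch.bridge_current(10.05):.2f} A, after pulse {ch.bridge_current(10.2):.2f} A")
    ch.bridge_ohm = 0.0                      # shell shorted after initiation
    ch.unlock_command(now=20.0)
    print(f"worst-case short-circuit current {ch.bridge_current(20.01):.2f} A")
    p = PropulsionInterlock(primary_power_cmd=True, aocc_enables_thrusters=True)
    print("thruster allowed before separation:", p.solenoid_may_fire())


if __name__ == "__main__":
    demo()
```

Each barrier alone is enough to deny firing: with the plug installed or the separation switch open the bridge current is zero whatever command arrives, and a command that arrived earlier does nothing once the pulse has ended because the relay does not latch. The last case in `demo` shows the point of the limiting resistor: with the assumed values a healthy bridge draws 28/6 A, and even after the bridge shell shorts to zero ohms the current is capped at 28/5 A rather than being limited only by the battery.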

Because the hydrazine propulsion subsystem is pressurized, leak prevention is critical, above all for the valves, pipelines and connections of the hydrazine tanks. In the design of the hydrazine propulsion system, strict control is exercised over material selection (to ensure compatibility of the materials at joint connections), manufacturing, inspection and assembly. In particular, strict leak detection tests are carried out after product delivery to ensure that the installed equipment does not leak.

2.5 Safety Design for Lithium-ion Batteries

The safety design for lithium-ion batteries includes the safety design of the battery casing, overcharge and over-discharge protection measures for the battery pack, and the safety design for the battery under short-circuit conditions in the event of a fault.

2.5.1 Hardware battery pack over-discharge protection design

The power controller hardware circuit protects the lithium-ion battery pack from over-discharge, as shown in Figure 1.

Figure 1 Schematic diagram of the hardware over-discharge protection circuit

The hardware over-discharge protection circuit samples the battery pack voltage and compares it with a reference. When the sampled voltage falls below the reference, the comparator outputs a high level, which operates the relay and disconnects the battery pack from the bus. To keep the circuit from acting spuriously, an enable switch is added to the design; the switch can be closed or opened by indirect command, so that the hardware protection can be controlled and overridden. Under normal circumstances the over-discharge protection of the power supply controller is performed by the power supply lower computer, and the hardware over-discharge protection is normally disabled, serving as a backup layer.

2.5.2 Battery pack overcharge protection

The constant-voltage section of the BEA charging control has four constant-voltage settings, which allow the charging voltage of the battery pack to be adjusted. To guard against a fault in the hardware constant-voltage charging control or overcharging of a single cell, a software overcharge protection function is added, as shown in Figure 2.

Figure 2 Schematic diagram of the hardware overcharge protection circuit

The power supply lower computer monitors the telemetry parameters "battery pack voltage" and "battery cell voltage" every second. When the battery pack voltage is greater than or equal to 30 V, or any cell voltage is greater than or equal to 4 V, and the condition persists for 30 s or more, a charging termination command is issued.

2.5.3 Software battery pack over-discharge protection

The power supply lower computer monitors the telemetry parameters "battery pack voltage" and "battery cell voltage" every second. When the battery pack voltage is less than or equal to 21 V, and the voltage of three or more cells is less than or equal to 3 V, and the condition persists for 30 s or more, it first sets the "battery over-discharge flag" to 1 and then issues a "battery disconnect" command after a delay of 32 s.
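The two software protections of sections 2.5.2 and 2.5.3 follow the same pattern: a threshold predicate on 1 Hz telemetry, a persistence timer that filters out transients, and a command that is issued once. The following Python is an added example written for this article, not the flight software of the paper; the telemetry is constructed, the command names are invented, and the choice to let the 32 s disconnect timer run on even if the voltage recovers is an assumption, since the paper does not say whether a recovery during that delay cancels the disconnect.

```python
"""Added example (not from the paper): the software overcharge and over-discharge
monitors of sections 2.5.2 and 2.5.3 as a state machine fed with 1 Hz telemetry.
Thresholds are the paper's; command names and the telemetry are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OVERCHARGE_PACK_V = 30.0        # pack voltage >= 30 V, or
OVERCHARGE_CELL_V = 4.0         # any cell >= 4 V ...
OVERDISCHARGE_PACK_V = 21.0     # pack voltage <= 21 V, and
OVERDISCHARGE_CELL_V = 3.0      # three or more cells <= 3 V ...
OVERDISCHARGE_MIN_CELLS = 3
CONFIRM_S = 30                  # ... sustained for >= 30 s
DISCONNECT_DELAY_S = 32         # flag first, disconnect 32 s later
SAMPLE_PERIOD_S = 1             # telemetry is sampled once per second


@dataclass
class BatteryProtectionMonitor:
    overcharge_run_s: int = 0          # seconds the overcharge condition has persisted
    overdischarge_run_s: int = 0       # seconds the over-discharge condition has persisted
    overdischarge_flag: int = 0        # the paper's "battery over-discharge flag"
    flag_set_at: Optional[int] = None  # time the flag was set, for the 32 s delay
    charging_terminated: bool = False
    disconnected: bool = False

    def step(self, t: int, pack_v: float, cells: List[float]) -> List[str]:
        """Process one telemetry sample; return the commands issued at this sample."""
        cmds: List[str] = []

        # Overcharge: either predicate, persisting CONFIRM_S, terminates charging once.
        if pack_v >= OVERCHARGE_PACK_V or any(v >= OVERCHARGE_CELL_V for v in cells):
            self.overcharge_run_s += SAMPLE_PERIOD_S
        else:
            self.overcharge_run_s = 0
        if self.overcharge_run_s >= CONFIRM_S and not self.charging_terminated:
            self.charging_terminated = True
            cmds.append("charging_terminate")

        # Over-discharge: both predicates together, persisting CONFIRM_S, set the flag.
        low_cells = sum(1 for v in cells if v <= OVERDISCHARGE_CELL_V)
        if pack_v <= OVERDISCHARGE_PACK_V and low_cells >= OVERDISCHARGE_MIN_CELLS:
            self.overdischarge_run_s += SAMPLE_PERIOD_S
        else:
            self.overdischarge_run_s = 0
        if self.overdischarge_run_s >= CONFIRM_S and self.overdischarge_flag == 0:
            self.overdischarge_flag = 1
            self.flag_set_at = t
            cmds.append("set_overdischarge_flag")

        # Assumption: the delayed disconnect is not cancelled by a later recovery.
        if (self.flag_set_at is not None and not self.disconnected
                and t - self.flag_set_at >= DISCONNECT_DELAY_S):
            self.disconnected = True
            cmds.append("battery_disconnect")
        return cmds


def simulate(samples: List[Tuple[int, float, List[float]]]) -> List[Tuple[int, str]]:
    """Run the monitor over (t, pack_v, cells) samples; return (t, command) events."""
    mon = BatteryProtectionMonitor()
    events: List[Tuple[int, str]] = []
    for t, pack_v, cells in samples:
        events.extend((t, cmd) for cmd in mon.step(t, pack_v, cells))
    return events


def example_telemetry() -> List[Tuple[int, float, List[float]]]:
    """Constructed 1 Hz telemetry for a 7-cell pack (not flight data)."""
    phases = [
        (0, 10, [3.9] * 7),                    # normal
        (10, 50, [4.05] + [3.9] * 6),          # one cell high although pack < 30 V
        (50, 70, [2.9] * 3 + [3.05] * 4),      # 20 s sag: too short to confirm
        (70, 100, [3.6] * 7),                  # recovered, timers reset
        (100, 170, [2.9] * 3 + [3.05] * 4),    # sustained deep discharge
    ]
    return [(t, sum(cells), list(cells)) for start, end, cells in phases for t in range(start, end)]


if __name__ == "__main__":
    for t, cmd in simulate(example_telemetry()):
        print(f"t={t:4d} s  {cmd}")
```

With the constructed telemetry the single-cell overshoot is confirmed after 30 consecutive samples and charging is terminated at t = 39 s, the 20 s sag produces nothing because the timer resets as soon as the condition clears, and the sustained discharge sets the flag at t = 129 s and disconnects the battery 32 s later at t = 161 s. Note that the cell-level predicate is what catches the overshoot: the pack stays well below 30 V throughout.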

2.5.4 Battery pack balance control

Lithium-ion batteries have the advantages of high specific energy, high average discharge voltage, low self-discharge, no memory effect and long cycle life. In engineering practice, lithium-ion cells are used in combination. After many charge and discharge cycles of a combined battery pack, the cells diverge: the unbalanced cell voltages shorten the service life of the battery pack. For this reason an equalization circuit is needed. Shunt resistors connected in parallel with the cells are switched in for cells whose voltage exceeds that of the other cells in the pack by more than a set value, reducing the charging current of that cell and thereby achieving balance.

Each cell voltage is conditioned and sent to the lower computer, which compares every cell with the lowest cell voltage. A cell that is more than 60 mV above the lowest is connected to its equalizing resistor until the difference falls below 20 mV, so that the connect and release thresholds form a hysteresis band and the shunts do not chatter.
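The balancing rule above is a per-cell hysteresis comparator against the lowest cell. The following Python is an added example written for this article, not code from the paper; the 60 mV and 20 mV thresholds are the paper's, while the toy charging model (every cell gains 2 mV per cycle and a shunted cell loses 3 mV of that gain) and all function names are assumptions used only to show the controller converging.

```python
"""Added example (not from the paper): cell balancing with the 60 mV connect /
20 mV release hysteresis of section 2.5.4, plus a toy charging model (assumed)."""
from typing import List, Tuple

CONNECT_DELTA_MV = 60   # connect the shunt when a cell is more than this above the lowest
RELEASE_DELTA_MV = 20   # release it once the difference has fallen below this


def update_balancing(cells_v: List[float], shunts_on: List[bool]) -> List[bool]:
    """One control cycle: return the new shunt state for every cell.

    cells_v   cell voltages in volts, as delivered to the lower computer
    shunts_on shunt state from the previous cycle (needed for the hysteresis)
    """
    v_min = min(cells_v)
    new_state = []
    for v, on in zip(cells_v, shunts_on):
        delta_mv = round((v - v_min) * 1000.0)     # integer mV avoids float edge cases
        if on:
            new_state.append(delta_mv >= RELEASE_DELTA_MV)   # stay on until < 20 mV
        else:
            new_state.append(delta_mv > CONNECT_DELTA_MV)    # engage only above 60 mV
    return new_state


def simulate_charge(cells_mv: List[int], charge_mv: int = 2, shunt_mv: int = 3,
                    max_cycles: int = 500) -> Tuple[int, List[int]]:
    """Assumed toy model: each cycle every cell gains `charge_mv`; a cell whose shunt is
    on loses `shunt_mv` of that gain.  Returns (cycles until balanced, final cell mV)."""
    cells = list(cells_mv)
    shunts = [False] * len(cells)
    for cycle in range(1, max_cycles + 1):
        shunts = update_balancing([c / 1000.0 for c in cells], shunts)
        cells = [c + charge_mv - (shunt_mv if on else 0) for c, on in zip(cells, shunts)]
        if max(cells) - min(cells) < RELEASE_DELTA_MV and not any(shunts):
            return cycle, cells
    return max_cycles, cells


if __name__ == "__main__":
    # Constructed 7-cell pack with one cell 80 mV above the rest.
    cycles, final = simulate_charge([3900, 3980, 3900, 3900, 3900, 3900, 3900])
    print(f"balanced after {cycles} cycles, cells (mV): {final}")
```

In the toy run the high cell is pulled down by 3 mV per cycle relative to the others; the shunt engages on the first cycle (80 mV > 60 mV), stays on through the band where a non-hysteretic controller would already have released it, and releases only once the difference is under 20 mV, leaving a 17 mV residual spread that no longer triggers balancing.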

2.5.5 Anti-open circuit and short circuit design

The short-circuit-tolerant design of the satellite lithium-ion battery pack adopts the same measure as for nickel-cadmium and nickel-hydrogen batteries: one spare cell is provided. When a lithium-ion cell, like a nickel-cadmium or nickel-hydrogen cell, fails as a short circuit during discharge, it becomes a low-value resistor, which does not interrupt the current path of the pack but noticeably lowers the pack's working voltage, since the pack loses the energy of one cell. To allow the pack to still meet the energy demand of the satellite, a spare cell is added in the design. The satellite uses 7 cells in series to meet the voltage requirement of the satellite load; allowing for one short-circuit failure, when one cell is shorted only 6 lithium-ion cells remain in series to supply the satellite. The lithium-ion battery pack then still powers the satellite payload normally, but its depth of discharge increases. To prevent an open-circuit failure of a single cell from disabling the whole pack, the anti-open-circuit design takes advantage of the ability of lithium-ion cells to be connected in parallel: the required pack capacity of 150 Ah is obtained by connecting five 30 Ah cells in parallel. When one cell fails open, the current flows through the other four cells in parallel with it, so the whole pack does not fail.

2.6 Design of Internal Safety Spacing of Equipment

In accordance with the Space Electronic and Electrical Products Used Machine Fitted with Unicom Process Specifications, the Printed Circuit Board Design Specifications, the Aerospace Components Electronic and Electrical Products Through Hole Technical Requirements and other related requirements, safety spacing and secondary insulation requirements are specified in the design of all electronic and electrical products in the subsystems. Qualified products are inspected before being put into production, with covers removed after testing. The inspection covers the safety gaps between positive and negative lines, wiring thickness versus current, the safe isolation between the edge of the PCB and the box structure, secondary insulation protection, and the mounting of relays and live parts on the housing.

2.7 Safety Design for Cable Network

In the general assembly layout, the battery charging and discharging cables, the solar wing power transmission cables and the power transmission cables from the power controller to the distributor are routed separately from one another and are not bundled with other cables, to prevent the cables from overheating. Power transmission cables outside the satellite receive secondary insulation along their path, and the solder joints of the separation (pressure point) switch are insulated with dispensed adhesive.

3 FUNCTIONAL SAFETY VERIFICATION OF SATELLITE SYSTEM

3.1 Unlocking Deployment Test of Solar Wings,Data Transmission Antennae and Data Transmission Relay Antennae

The ability to deploy and the deployment characteristics of the solar wings, data transmission antennae and data transmission relay antennae are inspected after the whole-satellite acceptance-level mechanical tests have been completed. The safety of the solar wings, data transmission antennae and data transmission relay antennae during unlocking and deployment is reviewed and verified by test, and the effect of the pyrotechnic firing on the pointing accuracy of the antenna zero position is assessed.

3.2 Special Inspection of Pyrotechnic Cutters

The batch numbers of the pyrotechnic cutters used for the flight solar wings, data transmission antennae and data transmission relay antennae are checked, and whether the cutters meet the safety requirements is determined from the quality inspection results.

3.3 Leak Detection Test

After the whole-satellite mechanical tests, the propulsion subsystem is leak tested. The measured total leakage rate of the propulsion subsystem must meet the specified requirement.

3.4 Safety Inspection of the Complete Satellite Power Supply and Distribution

The inspection of the satellite power supply and distribution subsystem concludes by checking the status of its designs, processes and products and confirming the verification status relevant to reliability and safety. A comprehensive inspection of technical state changes is carried out, in particular a physical inspection of the reliability and safety of the power supply and distribution of all equipment on board, confirming that the satellite's electrical equipment has effective overcurrent protection. Safety separations and the related protective measures, the state of the secondary insulation, and the design of the whole-satellite power supply and distribution chain are checked to ensure that they all meet the requirements.

3.5 Design and Verification of Autonomous Emergency Safety Countermeasures for Satellites in Orbit

The satellite is designed with in-orbit autonomous emergency safety countermeasures to increase its in-orbit survivability and reliability and to improve its autonomous emergency response capability. Telemetry parameters are used to determine whether the satellite is in a dangerous state; if the conditions are met, an autonomous emergency command is sent automatically, aimed at saving energy, maintaining attitude, protecting the payload and ultimately preserving the satellite's safety and life. These countermeasures are tested during whole-satellite integrated testing, subsystem or unit acceptance testing, single-board debugging and software confirmation testing. Across all these test phases, all safety modes of the whole satellite required for autonomous operation in orbit are covered, and the relative-time program-controlled commands stored on the satellite have 100% test coverage.

3.6 Software Reliability and Safety Design Verification

The reliability and safety measures taken in the design of the satellite and of the software of each subsystem have been verified directly or indirectly in software walkthroughs, unit tests, functional tests and subsystem joint tests.

4 CONCLUSION

Safety design in the overall satellite development stage is a verification analysis and evaluation carried out against set safety indicators and requirements, and it extends through the control of the whole product life cycle. From the system down to the subsystems and the software, the design must fully consider whether it meets the requirements of the mission and must be matched with the project's reliability data collection and management system. Given the batch production mode of satellites, the safety design measures of the satellite system should be further consolidated, taking into account safety-related equipment, protective devices and other alternative methods to eliminate or reduce the related risks, so as to improve the overall development efficiency of satellites and achieve rapid and sustainable project development.