ECSS DFMECA: Earth Observation Satellite

This example demonstrates a quantitative Design FMECA for an Earth observation satellite using the ECSS library. Design FMECA extends Design FMEA with probability ratings on Additional-origin failure modes and automatic criticality calculation (CN = SN × PN). It is used when flight heritage or reliability prediction data is available.

The model covers three satellite subsystems: Power, Communication, and Attitude Control, analysed at three hierarchy levels (satellite → subsystem → component).

Model Structure

The example consists of three SysML v2 model files:

  • Derisker_ECSS_ExampleDFMECA_Design.sysml — Satellite system architecture
  • Derisker_ECSS_ExampleDFMECA.sysml — Design FMECA analysis worksheet
  • Derisker_ECSS_ExampleDFMECA_Customizations.sysml — Project-specific extensions

System Architecture

The satellite follows a three-tier hierarchy: TopLevelSystem → Subsystem → Component.

Satellite system hierarchy
part def DesignContext {
    part satellite : TopLevelSystem {
        action providePower         subsets functions;
        action provideCommunication subsets functions;
        action maintainAttitude     subsets functions;

        part powerSubsystem : Subsystem {
            action generatePower   subsets functions;
            action storePower      subsets functions;
            action distributePower subsets functions;

            part solarArray         : Component { /* solar energy conversion */ }
            part battery            : Component { /* eclipse energy storage  */ }
            part powerControlUnit   : Component { /* power regulation/distribution */ }
        }

        part communicationSubsystem : Subsystem {
            part transponder        : Component { /* RF up/downlink */ }
            part antenna            : Component { /* signal radiation */ }
            part dataHandlingUnit   : Component { /* telemetry processing */ }
        }

        part attitudeControlSubsystem : Subsystem {
            part reactionWheels     : Component { /* attitude actuation */ }
            part starTrackers       : Component { /* attitude determination */ }
            part gyroscopes         : Component { /* rate sensing */ }
        }
    }
}

Analysis Setup

Cover Sheet

Analysis project — Design FMECA type
part analysisProject subsets ECSS_ProjectTypes::DesignFMECA {
    alias TopLevelSystem for DesignContext::satellite;
    occurrence failureModeInitial : FailureModeExtension subsets ECSS_FailureMode;

    part redefines coverSheet {
        attribute :>> fmeaTitle    = "Earth Observation Satellite Design FMECA";
        attribute :>> fmeaRefNo    = "SAT-DFMECA-001";
        attribute :>> companyName  = "Example Space Systems";
        attribute :>> customerName = "Earth Observation Agency";
        attribute :>> fmeaStartDate.date   = "2026-01-15";
        attribute :>> crossFunctionalTeam  =
            "Systems Engineering, Power, Communication, AOCS, Reliability";
        attribute :>> approvalAuthority    = "Chief Systems Engineer";
        attribute :>> confidentialityLevel = ConfidentialityLevels::BusinessUse;
    }
}

Failure Mode Organization

workSheet
├── 'FMs: Satellite'              ← 3 top-level FMs (FromIntegration)
├── 'FMs: PowerSubsystem'         ← subsystem FMs (FromIntegration)
├── 'FMs: CommunicationSubsystem'
├── 'FMs: AttitudeControlSubsystem'
├── 'FMs: SolarArray'             ← component FMs (Additional — carry PN)
├── 'FMs: Battery'
├── 'FMs: Transponder'
├── 'FMs: ReactionWheels'
└── ...                           (30+ failure modes total)

Failure Mode Examples

Top-Level FM (FromIntegration)

Top-level FMs have rating_Severity_TOP. Probability is not set here — it is inherited automatically from component-level Additional FMs via causal links.

Top-level failure mode — catastrophic mission loss
occurrence Satellite_Power_FM1 subsets failureModeInitial {
    ref part   :>> focusItem     = SOI;
    ref action :>> focusFunction = SOI.providePower;

    attribute :>> origin          = FailureModeOrigins::FromIntegration;
    attribute :>> failureModeType = FailureModeTypes::SuddenLossOfFunction;
    attribute :>> description     = "Complete loss of satellite electrical power";
    attribute :>> missionPhaseOpMode = "All mission phases";

    #causation connection : CausalLinkDef connect
        'FMs: PowerSubsystem'::Power_Generation_FM1 to this;
    #causation connection : CausalLinkDef connect
        'FMs: PowerSubsystem'::Power_Storage_FM1 to this;

    attribute :>> failureCauses_Comments =
        "Solar array failure OR battery failure causing complete power loss";
    attribute :>> rating_Severity_TOP = Severity::Catastrophic_1_SP;
    attribute :>> failureEffects_TOP_Comments =
        "Mission complete loss; satellite becomes inoperable dead mass in orbit";
    // DO NOT SET: rating_Probability — inherited from lower-level causes

    attribute :>> detection_ObservableSymptoms =
        "Loss of telemetry; satellite non-responsive; beacon signal absent";
    attribute :>> documentation = "Satellite Power Budget SPB-001";
    ref action :>> recommendations = compensatingProvisions::CP_001;
}

Component FM (Additional — carries probability)

Component-level Additional FMs are the root causes that drive criticality calculations. Only these FMs set rating_Probability and rating_Probability_Comments.

Component failure mode with probability rating
occurrence SolarArray_Conversion_FM1 subsets failureModeInitial {
    ref part   :>> focusItem     = SOI_SolarArray;
    ref action :>> focusFunction = SOI_SolarArray.convertSolarEnergy;

    attribute :>> origin          = FailureModeOrigins::Additional;
    attribute :>> failureModeType = FailureModeTypes::SuddenLossOfFunction;
    attribute :>> description     = "Solar array catastrophic failure — complete loss of power generation";

    attribute :>> failureCauses_Comments =
        "Deployment mechanism failure, meteoroid impact, radiation damage, structural failure";
    attribute :>> failureEffects_Local_Comments =
        "Zero power generation; satellite dependent on battery only";
    // rating_Severity_TOP inherited from Satellite_Power_FM1 via causal chain

    // Additional origin: MUST set probability
    attribute :>> rating_Probability = Probability::PN1_ExtremelyRemote;
    attribute :>> rating_Probability_Comments =
        "Space heritage data: solar array failure rate ~10⁻⁷/hour; " +
        "redundant string design; qualified deployment mechanism";

    attribute :>> detection_ObservableSymptoms =
        "Solar array current zero; bus voltage declining; battery discharging in sunlight";
    attribute :>> detection_ExistingMethods =
        "Solar array current/voltage monitoring; power budget tracking";
    attribute :>> documentation = "Solar Array Design SAD-001";
    ref action :>> recommendations = compensatingProvisions::CP_001;
}

Criticality Calculation

Derisker automatically computes criticality for each failure mode:

Failure Mode                       SN   PN   CN   Critical?
Loss of satellite power             4    1    4   Yes (SN=4)
Solar array catastrophic failure    4    1    4   Yes (SN=4)
Battery storage failure             4    2    8   Yes (CN≥6)
Attitude control loss               3    2    6   Yes (CN≥6)
Transponder failure                 4    1    4   Yes (SN=4)

Critical threshold: SN = 4 (Catastrophic) OR CN ≥ 6.

Notable Features

Probability only on Additional FMs

FromIntegration failure modes at all levels inherit probability upward from their Additional root causes via causal links. Never set rating_Probability on a FromIntegration mode.
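As an added illustration, not code from the ECSS library or Derisker, the following Python reproduces the rules behind the criticality table and the probability rule above: PN flows upward from Additional root causes through causal links, SN flows downward from the top-level effect, CN = SN × PN, and an FM is critical when SN = 4 or CN ≥ 6. The aggregation rule (worst-case maximum across several linked causes or effects), the gyroscope/attitude FM names and the model data are assumptions constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class FailureMode:
    name: str
    origin: str                      # "FromIntegration" or "Additional"
    severity: int | None = None      # rating_Severity_TOP (set on top-level FMs)
    probability: int | None = None   # rating_Probability (Additional FMs only)
    causes: list = field(default_factory=list)  # names of FMs causally linked into this one

def validate(fms):
    """Rule check: an FM carries rating_Probability if and only if its origin is Additional."""
    return [f"{fm.name}: rating_Probability must be set on Additional FMs only"
            for fm in fms.values() if (fm.origin == "Additional") != (fm.probability is not None)]

def inherited_pn(fms, name):
    """PN flows upward from causes; assumption: the worst (max) cause PN is taken."""
    if (pn := fms[name].probability) is not None:
        return pn
    pns = [inherited_pn(fms, c) for c in fms[name].causes]
    return max((p for p in pns if p is not None), default=None)

def inherited_sn(fms, name):
    """SN flows downward from the effects an FM feeds; the worst (max) effect SN is taken."""
    if (sn := fms[name].severity) is not None:
        return sn
    sns = [inherited_sn(fms, e.name) for e in fms.values() if name in e.causes]
    return max((s for s in sns if s is not None), default=None)

def criticality(fms):
    """Map FM name -> (SN, PN, CN, critical); critical if SN = 4 (Catastrophic) or CN >= 6."""
    table = {}
    for name in fms:
        sn, pn = inherited_sn(fms, name), inherited_pn(fms, name)
        cn = sn * pn if sn is not None and pn is not None else None
        table[name] = (sn, pn, cn, cn is not None and (sn >= 4 or cn >= 6))
    return table

# Constructed model: the page's solar array -> power generation -> satellite power chain,
# plus a gyroscope -> attitude chain whose FM names are assumed, not taken from the page.
MODEL = {fm.name: fm for fm in [
    FailureMode("Satellite_Power_FM1", "FromIntegration", severity=4, causes=["Power_Generation_FM1"]),
    FailureMode("Power_Generation_FM1", "FromIntegration", causes=["SolarArray_Conversion_FM1"]),
    FailureMode("SolarArray_Conversion_FM1", "Additional", probability=1),
    FailureMode("Satellite_Attitude_FM1", "FromIntegration", severity=3, causes=["Gyro_RateSensing_FM1"]),
    FailureMode("Gyro_RateSensing_FM1", "Additional", probability=2),
]}
```

validate() flags the two mistakes this section warns about: a FromIntegration FM that sets rating_Probability, or an Additional FM that omits it.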

Space-domain severity criteria

The ECSS severity scale maps directly to mission outcomes: SN=4 (Catastrophic) = loss of mission/system, SN=3 (Critical) = loss of mission performance, SN=2 (Major) = major degradation, SN=1 (Minor) = minor impact.

Flight heritage probability basis

rating_Probability_Comments traces each rating to its data source (MIL-HDBK-217F, ECSS-Q-ST-30-11C, supplier test data, or heritage statistics).

N+1 redundancy reflected in compensating provisions

Compensating provisions document redundancy strategies (redundant solar string, cold standby transponder, pyramid reaction wheel configuration) that are referenced from the relevant failure modes.