Agentic FMEA Generator

Automate the creation of industry-aligned DFMEA and PFMEA reports. Transform your technical documents into structured Failure Mode and Effects Analysis and export to Excel effortlessly.

Built by QA & AI Experts

Developed by Quality and AI engineers to ensure deep risk analysis accuracy and strict industry standard compliance.

Sign up today and get 25 free credits instantly. Test our agentic workflow and generate real FMEA reports without any commitment.

From Technical Docs to Structured FMEA


The example below is a generated Design FMEA (DFMEA); the page also provides a Process FMEA (PFMEA) example. It shows how raw technical PDFs are transformed into structured, AIAG & VDA compliant risk analysis tables ready for Excel export.

Upload Image-Heavy PDFs

Helpful documents to upload:

  • Product requirements / specifications
  • Design description documents
  • Architecture / functional diagrams
  • Schematics and mechanical drawings
  • Bill of materials
  • Validation plans and test procedures
  • Issue logs and lessons learned from similar products

Design FMEA Results

Items are prioritized by Action Priority (High to Low) rather than numerical ID order.

Columns of the generated DFMEA form (AIAG & VDA seven-step layout):

  • Continuous Improvement: Issue #; History / Change Authorization
  • Structure Analysis (Step 2): 1. Next Higher Level; 2. Focus Element; 3. Next Lower Level or Characteristic Type
  • Function Analysis (Step 3): 1. Next Higher Level Function and Requirement; 2. Focus Element Function and Requirement; 3. Next Lower Level Function and Requirement or Characteristic
  • Failure Analysis (Step 4): 1. Failure Effects (FE) to the Next Higher Level Element and/or End User; Severity (S) of FE; 2. Failure Mode (FM) of the Focus Element; 3. Failure Cause (FC) of the Next Lower Element or Characteristic
  • Risk Analysis (Step 5): Current Prevention Control (PC) of FC; Occurrence (O) of FC; Current Detection Controls (DC) of FC or FM; Detection (D) of FC/FM; DFMEA AP; Filter Code (Optional)
  • Optimization (Step 6): DFMEA Preventive Action; DFMEA Detection Action; Responsible Person's Name; Target Completion Date; Status; Action Taken with Pointer to Evidence; Completion Date; Severity (S); Occurrence (O); Detection (D); DFMEA AP; Filter Code (Optional); Remarks

In the example rows, the History / Change Authorization, Filter Code, Responsible Person's Name, Target Completion Date, Status, Action Taken, Completion Date and post-action S/O/D/AP columns are empty; each row ends with the source evidence cited for its prevention control and for its detection control.

FC_011
  Structure: HOTDOCK Mechanical Locking Mechanism > Peripheral Locking Elements > Steel Balls
  Function (next higher level): Implement a locking mechanism that acts on the form-fit geometry to provide high load transfer capabilities.
  Function (focus element): Engage with the form-fit geometry of the mated HOTDOCK to create a secure, preloaded mechanical connection.
  Function (next lower level): Roll into position and act as a locking key, transferring shear and bending loads between the two interfaces.
  Failure effects (S = 10): A steel ball fractures or is missing | The locking mechanism has reduced load capacity at that location | Connection is weak and may fail under operational loads | Structural failure of the interface, potential liberation of a module.
  Failure mode: Fails to transfer mechanical load
  Failure cause: Brittle fracture of a steel ball due to an undetected material defect (e.g., inclusion) combined with shock loading during a mating event.
  Prevention control (O = 3): The mass budget specifies the material for the balls (Table 7-1 implies a standard material). Design Requirement DesR_005 mandates a robust design.
  Detection control (D = 7): The mechanical interface is required to withstand operational loads, verified by testing (FuncR_008).
  AP: H
  Preventive action: Procure steel balls with certified material quality (e.g., vacuum-arc remelted steel) and perform lot-level NDT (non-destructive testing) to screen for material defects.
  Detection action: Implement a proof-load test on the fully assembled locking ring to a level exceeding the maximum expected operational loads to screen for any weak components.
  Evidence (PC; DC): D2.5, DesR_005, page 18; D2.5, FuncR_008, page 12

FC_171
  Structure: Spacecraft Module (SM3-BAT) > Battery Payload > Battery Controller
  Function (next higher level): Enable storage and delivery of electrical power.
  Function (focus element): Manage the balance, charge, and discharge of the internal Lithium-ion battery pack.
  Function (next lower level): Control the charging/discharging circuitry (DC/DC converters) and monitor cell voltages.
  Failure effects (S = 10): Controller fails to terminate charge | A battery cell is overcharged | The cell undergoes thermal runaway, leading to fire or explosion | Catastrophic destruction of the module and potential damage to the entire spacecraft.
  Failure mode: Causes thermal runaway
  Failure cause: A firmware hang or component failure in the battery controller prevents it from stopping the charging process when the battery reaches full capacity.
  Prevention control (O = 4): The battery controller manages the charging/discharging circuitry. It is based on the OG5 design. (D2.4, Section 6.4.4)
  Detection control (D = 4): The battery controller telemetry includes voltage, current, and temperature, which would show anomalous readings before a catastrophic failure.
  AP: H
  Preventive action: Implement multiple, independent layers of protection, including firmware limits, a hardware voltage comparator cutoff, and a one-time thermal fuse on the battery pack.
  Detection action: Perform fault injection testing on the battery controller to verify that all protection mechanisms function correctly under overcharge and over-temperature conditions.
  Evidence (PC; DC): MOSAR D2.4, page 81; MOSAR D2.4, Table 6-4, page 82

FC_004
  Structure: HOTDOCK Actuation Assembly > Barrel-Cam Mechanism > Cam Follower (e.g., on locking ring)
  Function (next higher level): Translate motor rotation into axial motion of the connector plate and rotational motion of the locking ring.
  Function (focus element): Convert rotational input from the gearing system into the prescribed motion profile for the locking ring and connector plate.
  Function (next lower level): Follow the cam groove profile to guide the moving element, with contact stress below material yield limits (per DesR_015).
  Failure effects (S = 9): Cam follower fractures | Follower is no longer constrained by the cam groove | Locking ring and connector plate motion becomes uncontrolled or jammed | Actuation fails | Inability to connect/disconnect module.
  Failure mode: Fails to constrain motion (fracture)
  Failure cause: Fatigue fracture of the cam follower due to cyclic stress accumulated over the mission lifetime (target 100-1000 cycles).
  Prevention control (O = 4): Design requirement DesR_015 specifies that peak Hertzian contact stress shall be below 93% of yield. Minimum design safety factors are required per DesR_014.
  Detection control (D = 5): Verification for safety factors (DesR_014) is by Analysis and Test. Life testing is implied by reusability requirement OpR_002.
  AP: H
  Preventive action: Perform a detailed Finite Element Analysis (FEA) on the cam follower, including a fatigue analysis, to verify positive design margin over the required life.
  Detection action: Implement a test-to-failure or accelerated life test on the barrel-cam mechanism to identify the high-stress points and validate the fatigue life prediction.
  Evidence (PC; DC): D2.5, DesR_015 & DesR_014, page 21; D2.5, OpR_002, page 25

FC_007
  Structure: HOTDOCK Controller > Microcontroller (e.g., SAMV71) > Internal Memory (SRAM)
  Function (next higher level): Control all HOTDOCK functionalities, including motor control, sensor processing, and communication.
  Function (focus element): Execute firmware to process commands, run the motor control state machine, and handle telemetry, storing status in internal memory.
  Function (next lower level): Store and retrieve transient data, such as sensor readings, state machine status, and communication buffers, with low latency.
  Failure effects (S = 9): Bit flip in a critical memory location | State machine enters an invalid state, or a critical variable is corrupted | Uncommanded motor activation, failure to respond to commands, or system crash | Loss of control over HOTDOCK | Mission failure or damage to hardware.
  Failure mode: Firmware enters fault state or hangs
  Failure cause: Single Event Upset (SEU) caused by a charged particle strike on an SRAM cell in the space radiation environment.
  Prevention control (O = 7): The design must withstand 'space environment conditions' (EnvR_001). However, the document does not specify radiation hardening requirements or mitigation strategies.
  Detection control (D = 5): The state machine includes a 'Fault' state (Figure 4-2) to detect anomalies. A reset command (TC_3) exists.
  AP: H
  Preventive action: Implement a watchdog timer that must be periodically reset by the firmware; if the firmware hangs, the watchdog will trigger a hardware reset of the microcontroller.
  Detection action: Perform fault injection testing (e.g., via a debugger or targeted radiation exposure) to verify that the watchdog timer and fault recovery logic correctly reset and restore the system from an SEU-induced hang.
  Evidence (PC; DC): D2.5, EnvR_001, page 28; D2.5, Figure 4-2, page 34

FC_010
  Structure: HOTDOCK Mechanical Structure > Form-Fit Guidance Geometry > Tooth-like Geometries on Circumference
  Function (next higher level): Provide mechanical alignment, connection, and load transfer between two HOTDOCKs, withstanding 400N axial/radial forces.
  Function (focus element): Enable self-guidance and positioning during final approach, compensating for misalignments and supporting diagonal engagement.
  Function (next lower level): Provide guiding surfaces machined from high-strain aluminum alloy to align and bear mechanical loads upon mating.
  Failure effects (S = 9): Surface of a guidance tooth is severely galled or deformed | Increased friction and potential for jamming during mating/de-mating | Failure to achieve a successful mate, or inability to de-mate | Module is stuck or cannot be attached.
  Failure mode: Fails to guide mating (jams)
  Failure cause: Galling (adhesive wear) between aluminum surfaces under high contact pressure in vacuum, particularly during a misaligned engagement.
  Prevention control (O = 4): The body is machined from high-strain aluminum alloy with a surface coating (D2.5, pg 37). DesR_012 requires lubrication on sliding surfaces. DesR_009 allows for dissimilar materials.
  Detection control (D = 5): Mating/de-mating force is minimized and subject to testing (FuncR_009). The process is tested for diagonal engagement (DesR_007).
  AP: H
  Preventive action: Specify and apply a hard, low-friction surface coating (e.g., hard anodize with PTFE impregnation) to all form-fit guidance surfaces to prevent galling.
  Detection action: Perform abuse testing by forcing mating at the maximum specified misalignment limits for multiple cycles, then inspect surfaces for any signs of galling or excessive wear.
  Evidence (PC; DC): D2.5, DesR_012, page 20; D2.5, FuncR_009, page 12

FC_026
  Structure: HOTDOCK Structure > Housing > Surface Coating
  Function (next higher level): Provide the main structure and enclosure for all internal components.
  Function (focus element): Maintain dimensional stability and provide a protective enclosure.
  Function (next lower level): Provide thermal control, corrosion resistance, and specific electrical properties to the aluminum structure.
  Failure effects (S = 9): Coating flakes or delaminates | Flakes become conductive debris | Debris causes a short circuit on the controller PCB or connector plate | Loss of controller or entire interface.
  Failure mode: Generates Foreign Object Debris (FOD)
  Failure cause: Poor surface preparation of the aluminum alloy before coating application leads to a weak bond and flaking due to thermal cycling stress.
  Prevention control (O = 4): The body is specified to have a surface coating (D2.5, pg 37). Material selection and processing must meet space standards (implied).
  Detection control (D = 8): Visual inspection post-manufacturing. The document does not specify thermal cycling tests for the housing.
  AP: H
  Preventive action: Specify a detailed surface preparation and coating application process specification (e.g., based on NASA or ESA standards) and require supplier certification.
  Detection action: Perform thermal vacuum cycling on a coated structural coupon and perform tape-pull tests to verify coating adhesion before and after cycling.
  Evidence (PC; DC): D2.5, Section 5.1.2, page 37; No specific test identified in documents

FC_035
  Structure: HOTDOCK Mechanical Locking Mechanism > Unlockable Secondary Mechanism > Secondary Actuation Feature
  Function (next higher level): Allow two attached interfaces to unlock by a secondary mechanism.
  Function (focus element): The standard interface shall be unlockable (FuncR_011).
  Function (next lower level): Provide a feature, different from the standard actuation approach, to release the locking mechanism.
  Failure effects (S = 9): Secondary unlock mechanism fails to operate | The interfaces cannot be separated if the primary motor has failed | The module is permanently stuck | Loss of servicer asset, inability to complete mission.
  Failure mode: Fails to unlock
  Failure cause: The secondary mechanism, being rarely used, seizes due to vacuum welding or contamination over a long mission duration.
  Prevention control (O = 6): FuncR_011 requires the feature. The design is detailed in document RD4 (not provided).
  Detection control (D = 7): Verification is by Testing. This would be a specific contingency test.
  AP: H
  Preventive action: Design the secondary mechanism with robust, space-proven principles, using dissimilar metals and appropriate coatings to prevent seizure.
  Detection action: Perform a ground test of the secondary unlock mechanism after an extended period in thermal vacuum to verify its reliability.
  Evidence (PC; DC): D2.5, FuncR_011, page 12; No specific test plan cited

FC_042
  Structure: HOTDOCK Controller > Firmware > Bootloader
  Function (next higher level): Control all HOTDOCK functionalities.
  Function (focus element): Execute firmware to process commands and control hardware.
  Function (next lower level): Initialize the microcontroller hardware upon power-up and load the main application firmware.
  Failure effects (S = 9): Bootloader code is corrupted | The microcontroller fails to boot and load the main application | The controller is unresponsive | Loss of all HOTDOCK functionality.
  Failure mode: Fails to boot
  Failure cause: Corruption of the bootloader section of the flash memory due to a Single Event Effect (SEE) or an error during a firmware update attempt.
  Prevention control (O = 4): None identified in documents. Robust bootloader design is standard practice but not explicitly required.
  Detection control (D = 7): The device would fail to respond to any command upon power-up, which would be detected during system initialization.
  AP: H
  Preventive action: Implement a redundant bootloader design with a checksum verification. If the primary bootloader is corrupt, the system can attempt to boot from a protected, secondary copy.
  Detection action: Perform radiation testing on the microcontroller's flash memory to characterize its susceptibility to SEEs and validate the robustness of the bootloader design.
  Evidence (PC; DC): No evidence; No evidence

FC_059
  Structure: HOTDOCK Power & Data Interface > POGO Pin Connector > Dielectric Separation
  Function (next higher level): Provide a separable interface for power and data.
  Function (focus element): Transfer power with voltage >100V (D2.5, pg 41).
  Function (next lower level): Maintain sufficient distance and insulation between conductors to prevent arcing in vacuum.
  Failure effects (S = 9): Arcing occurs between two high-voltage pins | A plasma channel shorts the two conductors | Catastrophic failure of power supplies, potential damage to the entire connector.
  Failure mode: Short circuit between pins
  Failure cause: Paschen's Law breakdown: arcing occurs between two conductors in a partial vacuum (e.g., during ascent or due to outgassing) at a voltage lower than would be required in full vacuum or at sea level.
  Prevention control (O = 4): The 'Dielectric separation distance between the POGO pins allows to transfer power with voltage >100V'.
  Detection control (D = 7): Analysis is the primary method. No specific high-voltage test is mentioned.
  AP: H
  Preventive action: Perform a detailed analysis of pin spacing according to NASA/ESA standards for high-voltage design in space, considering creepage and clearance distances. Potentially add a conformal coating to the PCB.
  Detection action: Perform a high-voltage standoff test (Hipot test) between all adjacent pins in a vacuum chamber, stepping through various pressure levels to check for Paschen curve susceptibility.
  Evidence (PC; DC): D2.5, Section 5.2.1, page 41; No specific test plan cited

FC_061
  Structure: HOTDOCK Actuation Assembly > Motor Drive Circuitry > Gate Driver IC
  Function (next higher level): Control the brushless DC motor.
  Function (focus element): Drive the 3-phase H-bridge by switching current to the windings.
  Function (next lower level): Rapidly charge and discharge the gates of the power MOSFETs to ensure efficient switching.
  Failure effects (S = 9): Gate driver fails to turn a MOSFET off | Shoot-through condition occurs where high-side and low-side MOSFETs are on simultaneously | A dead short across the power bus is created | Catastrophic failure of the H-bridge, potential damage to power supply.
  Failure mode: Creates short circuit on power bus
  Failure cause: A Single Event Latch-up (SEL) in the gate driver IC causes it to lose control and turn on both MOSFETs in a half-bridge.
  Prevention control (O = 5): The design must withstand the space environment (EnvR_001). Overcurrent protection (FuncR_015) is implemented.
  Detection control (D = 4): Overcurrent would be detected by current monitoring. Verification of FuncR_015 is by Testing.
  AP: H
  Preventive action: Select a radiation-hardened gate driver IC. Implement latch-up protection circuitry (a current-limiting switch that is cycled) for all non-hardened ICs.
  Detection action: Perform heavy ion testing (latch-up screening) on the selected gate driver IC to verify its robustness to SEL.
  Evidence (PC; DC): D2.5, EnvR_001, page 28; D2.5, FuncR_015, page 13

FC_069
  Structure: HOTDOCK Mechanical Structure > Housing > Fasteners (internal)
  Function (next higher level): Provide the main structure and enclosure.
  Function (focus element): Hold internal components (PCB, motor) in place.
  Function (next lower level): Provide clamping force to secure components against vibration and shock.
  Failure effects (S = 9): A fastener backs out due to vibration | The component it was holding (e.g., controller PCB) becomes loose | The loose component can be damaged or cause damage to other parts. It may create a short circuit.
  Failure mode: Fails to secure internal component
  Failure cause: Loss of preload on an internal fastener due to vibration because no locking feature was used.
  Prevention control (O = 4): The interface must be compliant with launch loads (FuncR_007).
  Detection control (D = 8): Post-vibration inspection could potentially find loose hardware, but it might be internal and not visible.
  AP: H
  Preventive action: All internal fasteners must use a positive locking feature, such as lock-wire, thread-locking inserts (e.g., Helicoil), or a space-qualified thread-locking compound.
  Detection action: During assembly, require an independent quality inspection step to verify that all fasteners have been correctly torqued and that locking features have been properly applied.
  Evidence (PC; DC): D2.5, FuncR_007, page 11; No specific workmanship standard cited

FC_077
  Structure: HOTDOCK Mechanical Locking Mechanism > Unlockable Secondary Mechanism > Interface for External Tool
  Function (next higher level): Allow two attached interfaces to unlock.
  Function (focus element): The interface shall be unlockable by a secondary mechanism.
  Function (next lower level): Provide a feature that can be actuated by an external tool (e.g., another robot's gripper, an astronaut's tool).
  Failure effects (S = 9): The interface feature is inaccessible or incompatible with the available tool | The contingency unlock procedure cannot be performed | The modules remain permanently stuck.
  Failure mode: Fails to allow external actuation
  Failure cause: The design of the secondary unlock feature requires a specific custom tool that is not available on the servicing spacecraft.
  Prevention control (O = 5): The requirement for a secondary mechanism is defined (FuncR_011).
  Detection control (D = 5): The design would be reviewed for compatibility with standard robotic or EVA tools.
  AP: H
  Preventive action: Design the secondary unlock mechanism interface to be compatible with a widely available standard, such as a simple hex drive or a standard robotic micro-gripper interface.
  Detection action: Perform a fit-check and functional test of the secondary unlock mechanism using a mock-up of the intended tool as part of the ground validation program.
  Evidence (PC; DC): D2.5, FuncR_011, page 12; No specific tool standard cited

FC_088
  Structure: HOTDOCK Structure > Main Housing and Cover > Venting Path
  Function (next higher level): Provide the main structure and enclosure.
  Function (focus element): Maintain structural integrity during ascent.
  Function (next lower level): Allow trapped air to escape during ascent to prevent pressure-induced structural loads.
  Failure effects (S = 9): A venting path is blocked (e.g., by sealant) | A large internal pressure differential develops during launch | The housing or cover deforms or fractures | Catastrophic structural failure of the unit.
  Failure mode: Structural failure during launch
  Failure cause: An assembly error, such as misapplication of staking compound, blocks a designed vent path.
  Prevention control (O = 3): The interface must be compliant with launch loads (FuncR_007). Standard space design practices include venting analysis.
  Detection control (D = 9): This would only be detected by a failure during launch, or by a specific vacuum ascent test.
  AP: H
  Preventive action: Perform a venting analysis to identify all trapped volumes and specify the required vent paths and sizes. Clearly mark all vent paths on the engineering drawings as 'DO NOT OBSTRUCT'.
  Detection action: Add a specific inspection step to the pre-launch closeout procedure to verify that all designed vent paths are clear and unobstructed.
  Evidence (PC; DC): D2.5, FuncR_007, page 11; No specific venting analysis document cited

FC_090
  Structure: HOTDOCK Controller > Firmware > Telecommand (TC) Parser
  Function (next higher level): Control all HOTDOCK functionalities.
  Function (focus element): Send and receive TM/TC from the host OBC (FuncR_030).
  Function (next lower level): Parse incoming command packets to determine the requested action and parameters.
  Failure effects (S = 9): A bug in the parser misinterprets a command | The controller executes the wrong action (e.g., 'unlock' instead of 'report status') | Uncommanded, potentially hazardous operation | Loss of control, damage to hardware.
  Failure mode: Executes incorrect command
  Failure cause: A software bug in the TC parser logic causes it to misinterpret the arguments of a valid command.
  Prevention control (O = 4): The TC list is defined (Table 4-1). The interface must be tested.
  Detection control (D = 5): Verification is by Testing (FuncR_030).
  AP: H
  Preventive action: Use a formal method or automated tool to generate the TC parsing code directly from the ICD to eliminate manual coding errors.
  Detection action: Develop a comprehensive test suite that sends every possible command with both valid and invalid parameters and verifies that the system responds correctly and safely in all cases.
  Evidence (PC; DC): D2.5, Table 4-1, page 34; No interface control document (ICD) cited

FC_133
  Structure: HOTDOCK Controller > Reset Circuitry > Power-On-Reset (POR) circuit
  Function (next higher level): Control all HOTDOCK functionalities.
  Function (focus element): Ensure the microcontroller starts in a known state on power-up.
  Function (next lower level): Hold the microcontroller in a reset state until all voltage rails are stable.
  Failure effects (S = 9): POR circuit releases reset prematurely | Microcontroller begins executing code with unstable power | Brown-out condition corrupts memory or causes unpredictable code execution | Controller fails to boot or hangs.
  Failure mode: Fails to boot correctly
  Failure cause: The threshold of the internal Power-On-Reset circuit is too low for a slow-ramping power supply.
  Prevention control (O = 5): None identified in documents. Use of an internal POR is standard practice.
  Detection control (D = 8): Failure may be intermittent and difficult to reproduce, only occurring with certain power supplies or temperatures.
  AP: H
  Preventive action: Implement an external, high-precision reset supervisor IC with an adjustable delay to ensure a robust and reliable power-on reset.
  Detection action: Perform power-up testing with various voltage ramp rates at temperature extremes to verify reset reliability.
  Evidence (PC; DC): No evidence; No evidence

FC_134
  Structure: HOTDOCK Controller > Firmware > Stack Memory
  Function (next higher level): Control all HOTDOCK functionalities.
  Function (focus element): Execute firmware functions and handle interrupts.
  Function (next lower level): Allocate memory for local variables and function call return addresses.
  Failure effects (S = 9): Stack overflows | Critical data (return addresses, other variables) is overwritten | Firmware crashes or enters an unpredictable state | Loss of control over HOTDOCK.
  Failure mode: Firmware crashes or hangs
  Failure cause: A deep chain of nested function calls, combined with a high-frequency interrupt service routine, consumes all available stack memory.
  Prevention control (O = 6): None identified in documents. Stack size is typically set by the linker script.
  Detection control (D = 8): None identified in documents. This is a difficult failure to detect as it depends on a specific sequence of events.
  AP: H
  Preventive action: Use static analysis tools to calculate the worst-case stack depth. Implement stack canaries and memory protection unit (MPU) regions to detect stack overflows at runtime.
  Detection action: Perform stress testing that exercises the deepest possible function call paths and highest interrupt loads to measure the stack high-water mark and verify sufficient margin.
  Evidence (PC; DC): No evidence; No evidence

FC_136
  Structure: HOTDOCK Power & Data Interface > POGO Pin Connector > Pin Plunger
  Function (next higher level): Provide a separable interface for power and data.
  Function (focus element): Establish and maintain a compliant electrical connection by pressing a pin against a pad.
  Function (next lower level): Provide a conductive path from the internal spring to the contact tip.
  Failure effects (S = 9): A bent pin plunger makes contact with an adjacent pin's barrel | A short-circuit occurs between two signal or power lines | Power bus is shorted, or data signals are corrupted | Loss of power or data link, potential for cascading damage.
  Failure mode: Short circuit between pins
  Failure cause: A POGO pin plunger is bent during a severely misaligned mating attempt, causing it to short against a neighboring pin.
  Prevention control (O = 5): The design is 'particularly tolerant to misalignment' (D2.5, pg 40) and has form-fit guidance.
  Detection control (D = 7): A short circuit on the power bus would be detected by overcurrent protection (FuncR_015). A data line short would be harder to diagnose.
  AP: H
  Preventive action: Increase the pin-to-pin spacing in the layout. Implement an insulator shroud around each POGO pin to physically prevent bent plungers from contacting adjacent pins.
  Detection action: Perform 'abuse' testing by attempting to mate the interface at the extreme limits of misalignment and inspect for any pin damage.
  Evidence (PC; DC): D2.5, Section 5.2, page 40; D2.5, FuncR_015, page 13

FC_146
  Structure: HOTDOCK Controller > Firmware > Interrupt Service Routine (ISR)
  Function (next higher level): Control all HOTDOCK functionalities.
  Function (focus element): Respond to hardware events in real-time.
  Function (next lower level): Handle asynchronous hardware interrupts (e.g., from a timer or CAN controller) with low latency.
  Failure effects (S = 9): A bug in an ISR fails to clear the interrupt flag | The processor immediately re-enters the same ISR upon exit | The system is stuck in an interrupt loop | Main application code never runs, controller hangs.
  Failure mode: Firmware hangs
  Failure cause: A software bug in an ISR (Interrupt Service Routine) prevents it from correctly clearing the hardware interrupt source, leading to an infinite interrupt loop.
  Prevention control (O = 5): None identified in documents. This is a common embedded software bug class.
  Detection control (D = 5): This failure would be detected during hardware/software integration testing when the specific interrupt is enabled.
  AP: H
  Preventive action: Enforce a strict code review checklist for all ISRs, which includes verification that the interrupt source is cleared correctly. Keep ISRs as short as possible.
  Detection action: During unit testing, develop test harnesses that trigger each interrupt and verify that the system remains responsive and that the interrupt does not re-trigger unexpectedly.
  Evidence (PC; DC): No evidence; No evidence

FC_150
  Structure: HOTDOCK Controller > Firmware > Bootloader
  Function (next higher level): Control all HOTDOCK functionalities.
  Function (focus element): Initialize the system on power-up.
  Function (next lower level): Perform a checksum of the main application firmware before booting it.
  Failure effects (S = 9): Bootloader has a bug and fails to detect a corrupt application | The bootloader jumps to a corrupt application image | The controller crashes or behaves erratically.
  Failure mode: Fails to boot correctly
  Failure cause: A software bug in the bootloader's checksum validation routine causes it to incorrectly validate a corrupt firmware image.
  Prevention control (O = 4): None identified in documents. A validating bootloader is standard practice for high-reliability systems.
  Detection control (D = 3): This would be tested by intentionally loading a corrupt application image and verifying the bootloader refuses to boot it.
  AP: H
  Preventive action: The bootloader must be subject to the same rigorous code review and testing process as the main application. The checksum algorithm (e.g., CRC-32) must be a robust, industry-standard implementation.
  Detection action: Develop a specific test case that flashes a known-bad application image (e.g., with a single bit flipped) and verifies that the bootloader enters its recovery mode instead of attempting to boot.
  Evidence (PC; DC): No evidence; No evidence

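As an added example written for this page (it is not code from the HOTDOCK or MOSAR projects, and not part of the generated report), the following C shows the kind of application-image check the FC_042 and FC_150 actions describe: a CRC-32 over the payload, a length field that is bounds-checked before it is trusted, and a fall-back to a protected secondary slot, with a self-test that flips a single bit and expects the corrupt image to be refused. The image layout (12-byte header of magic, payload length and CRC-32), the magic value, the slot size and the payload are assumptions made for this example.

```c
/* Added example, not HOTDOCK/MOSAR project code. Two-slot application image
 * validation of the kind the FC_042 and FC_150 actions call for. The image
 * layout, magic value and slot size are assumptions made for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMG_MAGIC 0x48444B31u   /* assumed header magic */
#define SLOT_SIZE 64u           /* assumed slot size in bytes */
#define HDR_SIZE  12u           /* magic, payload length, CRC-32: little-endian u32 each */

typedef struct { uint8_t bytes[SLOT_SIZE]; } img_slot_t;

/* CRC-32 (IEEE 802.3 polynomial, reflected, init and final XOR 0xFFFFFFFF). */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static void put_u32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Write header + payload into a slot (stands in for the programming step). */
int image_build(img_slot_t *slot, const uint8_t *payload, uint32_t len)
{
    if (len == 0 || len > SLOT_SIZE - HDR_SIZE) return -1;
    memset(slot->bytes, 0xFF, SLOT_SIZE);           /* erased-flash pattern */
    put_u32le(slot->bytes + 0, IMG_MAGIC);
    put_u32le(slot->bytes + 4, len);
    put_u32le(slot->bytes + 8, crc32_ieee(payload, len));
    memcpy(slot->bytes + HDR_SIZE, payload, len);
    return 0;
}

/* The check. Each header field is validated before it is used: the magic,
 * then the length (so a corrupted length cannot drive the CRC past the slot),
 * then the CRC over exactly the bytes the header claims. */
int image_valid(const img_slot_t *slot)
{
    if (get_u32le(slot->bytes + 0) != IMG_MAGIC) return 0;
    uint32_t len = get_u32le(slot->bytes + 4);
    if (len == 0 || len > SLOT_SIZE - HDR_SIZE) return 0;
    uint32_t stored = get_u32le(slot->bytes + 8);
    return crc32_ieee(slot->bytes + HDR_SIZE, len) == stored;
}

/* Boot selection: 0 = primary slot, 1 = protected secondary, -1 = recovery mode. */
int boot_select(const img_slot_t *primary, const img_slot_t *secondary)
{
    if (image_valid(primary)) return 0;
    if (image_valid(secondary)) return 1;
    return -1;
}

/* Flip one bit: the "single bit flipped" image of the FC_150 detection action. */
void image_flip_bit(img_slot_t *slot, size_t byte_idx, unsigned bit)
{
    if (byte_idx < SLOT_SIZE) slot->bytes[byte_idx] ^= (uint8_t)(1u << (bit & 7u));
}

/* Self-test replaying the FC_150 detection action; returns 1 when every
 * expectation holds. The payload is constructed for this example. */
int bootloader_selftest(void)
{
    static const uint8_t fw[] = "constructed application payload v1";
    img_slot_t a, b;
    if (image_build(&a, fw, (uint32_t)sizeof fw) != 0) return 0;
    if (image_build(&b, fw, (uint32_t)sizeof fw) != 0) return 0;
    if (boot_select(&a, &b) != 0) return 0;          /* both good: boot primary */
    image_flip_bit(&a, HDR_SIZE + 5, 3);             /* SEU in the primary payload */
    if (image_valid(&a) || boot_select(&a, &b) != 1) return 0;
    image_flip_bit(&b, 4, 7);                        /* corrupt the secondary's length field */
    if (boot_select(&a, &b) != -1) return 0;         /* nothing bootable: recovery mode */
    return 1;
}

int main(void)
{
    printf("bootloader self-test: %s\n", bootloader_selftest() ? "pass" : "FAIL");
    return 0;
}
```

The self-test reproduces the FC_150 detection action: a one-bit change in the primary payload sends the boot to the secondary slot, and a corrupted length field in the secondary leaves nothing bootable, so selection reports recovery mode. A CRC catches random corruption such as an SEE or an interrupted update; it is not a defence against a deliberately modified image, for which a signature verified before the jump is needed in the same place.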
FC_155
  Structure: Servicer Spacecraft (SVC) > On-Board Computer (OBC-S) Software > Autonomy Agent (ERGO)
  Function (next higher level): Manage all operations of the servicer spacecraft during reconfiguration.
  Function (focus element): Execute the operation plan by triggering successive actions on components like the WM and HOTDOCK.
  Function (next lower level): Send a high-level command (e.g., 'Update SI State') to the R-ICU/WM Controller via the Component Management layer.
  Failure effects (S = 9): A logic error in the Agent sends an incorrect command | HOTDOCK is commanded to lock when not aligned | High mechanical loads on the interface | Damage to form-fit geometry or POGO pins | Mission failure.
  Failure mode: Sends incorrect command sequence
  Failure cause: A bug in the planner or a fault in the state estimation causes the Autonomy Agent to send a 'lock' command before the 'approach' routine has successfully completed.
  Prevention control (O = 5): The Autonomy Agent manages the execution of the plan by sending commands to the Functional Layer (SM/WM Managers). (D2.4, Figure 6-6)
  Detection control (D = 4): The plan is validated by simulation on the ground. Proximity sensors (OpR_008) provide a hardware interlock against this failure.
  AP: H
  Preventive action: The HOTDOCK controller firmware should include a pre-condition check, verifying proximity sensor feedback confirms alignment before executing a lock command.
  Detection action: Develop a specific hardware-in-the-loop test case where the Autonomy Agent is commanded to lock a misaligned interface, and verify that the local controller rejects the command.
  Evidence (PC; DC): MOSAR D2.4, Figure 6-6, page 70; D2.5, OpR_008, page 26

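The FC_090 and FC_155 actions are both about the telecommand path: a parser that cannot misread the arguments of a valid command, and a pre-condition check that refuses a lock command unless proximity feedback confirms alignment. The following C is an added example written for this page, not the HOTDOCK firmware or its TC list; the frame layout, the opcodes, the argument ranges and the three-sensor alignment rule are assumptions. A fixed-format frame is validated field by field, every command is checked against a table of expected argument counts and ranges, and nothing is actuated until all checks pass.

```c
/* Added example, not HOTDOCK firmware. Telecommand parsing with per-command
 * argument validation (FC_090) and a lock pre-condition interlock (FC_155).
 * Frame layout, opcodes, ranges and the alignment rule are assumptions:
 *   [opcode][argc][args...][xor checksum over all preceding bytes] */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum { TC_OK = 0, TC_ERR_LENGTH, TC_ERR_CHECKSUM, TC_ERR_OPCODE,
               TC_ERR_ARGS, TC_ERR_RANGE, TC_REJECT_PRECONDITION } tc_result_t;

enum { OP_STATUS = 0x01, OP_LOCK = 0x02, OP_UNLOCK = 0x03, OP_SET_SPEED = 0x04 };

/* Command table: expected argument count and, for one-argument commands, the valid range. */
typedef struct { uint8_t opcode, argc, min, max; } tc_def_t;
static const tc_def_t TC_TABLE[] = {
    { OP_STATUS, 0, 0, 0 }, { OP_LOCK, 0, 0, 0 },
    { OP_UNLOCK, 0, 0, 0 }, { OP_SET_SPEED, 1, 1, 100 },
};

typedef struct { int prox_aligned[3]; int locked; uint8_t speed; unsigned status_reports; } hotdock_state_t;

/* Assumed alignment rule: all three proximity sensors report aligned. */
static int alignment_confirmed(const hotdock_state_t *s)
{
    return s->prox_aligned[0] && s->prox_aligned[1] && s->prox_aligned[2];
}

/* Build a well-formed frame (used by the sending side and by the tests). */
size_t tc_build(uint8_t *out, uint8_t opcode, const uint8_t *args, uint8_t argc)
{
    out[0] = opcode; out[1] = argc;
    if (argc) memcpy(out + 2, args, argc);
    uint8_t x = 0;
    for (size_t i = 0; i < 2u + argc; i++) x ^= out[i];
    out[2 + argc] = x;
    return 3u + argc;
}

/* Parse and validate. The argc field is cross-checked against the real frame
 * length before any argument byte is read, then checksum, opcode, argument
 * count and range are checked in that order. */
tc_result_t tc_parse(const uint8_t *pkt, size_t len, uint8_t *opcode, uint8_t *arg)
{
    if (len < 3) return TC_ERR_LENGTH;
    uint8_t argc = pkt[1];
    if (len != 3u + argc) return TC_ERR_LENGTH;
    uint8_t x = 0;
    for (size_t i = 0; i + 1 < len; i++) x ^= pkt[i];
    if (x != pkt[len - 1]) return TC_ERR_CHECKSUM;
    const tc_def_t *def = NULL;
    for (size_t i = 0; i < sizeof TC_TABLE / sizeof TC_TABLE[0]; i++)
        if (TC_TABLE[i].opcode == pkt[0]) def = &TC_TABLE[i];
    if (!def) return TC_ERR_OPCODE;
    if (argc != def->argc) return TC_ERR_ARGS;
    *opcode = pkt[0];
    *arg = argc ? pkt[2] : 0;
    if (argc && (*arg < def->min || *arg > def->max)) return TC_ERR_RANGE;
    return TC_OK;
}

/* Dispatch only after a fully validated parse; LOCK carries the FC_155 interlock. */
tc_result_t tc_execute(hotdock_state_t *s, const uint8_t *pkt, size_t len)
{
    uint8_t op = 0, arg = 0;
    tc_result_t r = tc_parse(pkt, len, &op, &arg);
    if (r != TC_OK) return r;                 /* malformed frame: nothing is actuated */
    switch (op) {
    case OP_STATUS:    s->status_reports++; return TC_OK;
    case OP_LOCK:
        if (!alignment_confirmed(s)) return TC_REJECT_PRECONDITION;
        s->locked = 1; return TC_OK;
    case OP_UNLOCK:    s->locked = 0; return TC_OK;
    case OP_SET_SPEED: s->speed = arg; return TC_OK;
    default:           return TC_ERR_OPCODE;
    }
}

/* Self-test covering the FC_090 test matrix and the FC_155 rejection; returns 1 on success. */
int tc_selftest(void)
{
    hotdock_state_t s = { {0, 0, 0}, 0, 0, 0 };
    uint8_t pkt[8]; size_t n; const uint8_t speed = 50;
    n = tc_build(pkt, OP_STATUS, NULL, 0);
    if (tc_execute(&s, pkt, n) != TC_OK || s.status_reports != 1) return 0;
    n = tc_build(pkt, OP_LOCK, NULL, 0);
    if (tc_execute(&s, pkt, n) != TC_REJECT_PRECONDITION || s.locked) return 0;   /* misaligned */
    s.prox_aligned[0] = s.prox_aligned[1] = s.prox_aligned[2] = 1;
    if (tc_execute(&s, pkt, n) != TC_OK || !s.locked) return 0;                    /* aligned */
    n = tc_build(pkt, OP_SET_SPEED, &speed, 1);
    if (tc_execute(&s, pkt, n) != TC_OK || s.speed != 50) return 0;
    if (tc_execute(&s, pkt, n - 1) != TC_ERR_LENGTH) return 0;                     /* truncated */
    pkt[2] = 200; pkt[3] ^= (uint8_t)(50 ^ 200);                                   /* out of range, checksum fixed up */
    if (tc_execute(&s, pkt, n) != TC_ERR_RANGE || s.speed != 50) return 0;
    pkt[0] = 0x7F;                                                                 /* corrupted opcode byte */
    if (tc_execute(&s, pkt, n) != TC_ERR_CHECKSUM) return 0;
    n = tc_build(pkt, 0x7F, NULL, 0);
    if (tc_execute(&s, pkt, n) != TC_ERR_OPCODE) return 0;                         /* unknown opcode */
    n = tc_build(pkt, OP_LOCK, &speed, 1);
    if (tc_execute(&s, pkt, n) != TC_ERR_ARGS) return 0;                           /* wrong argument count */
    return 1;
}

int main(void)
{
    printf("telecommand self-test: %s\n", tc_selftest() ? "pass" : "FAIL");
    return 0;
}
```

The self-test walks the cases the FC_090 detection action asks for: each command with valid and invalid parameters, a truncated frame, a corrupted frame, an unknown opcode, and a lock commanded while misaligned. The length field is cross-checked against the frame length before any argument is read; trusting that field is the defect behind most parsers that "misinterpret the arguments of a valid command".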
FC_158
  Structure: HOTDOCK Controller > Firmware > Real-Time Operating System (RTOS)
  Function (next higher level): Control all HOTDOCK functionalities.
  Function (focus element): Execute firmware to process commands, run motor control, and handle telemetry.
  Function (next lower level): Manage concurrent tasks and protect shared resources (e.g., hardware peripherals).
  Failure effects (S = 9): A deadlock condition occurs | Two tasks are each waiting for a resource held by the other | Both tasks halt, and the system becomes unresponsive | Controller hangs and must be reset by watchdog or power cycle | Loss of control.
  Failure mode: Firmware hangs
  Failure cause: A software bug in resource locking logic where the CAN command task and the motor control task request mutexes in a different order, leading to a deadlock.
  Prevention control (O = 5): None identified in documents. This is a classic concurrency bug in multi-threaded software.
  Detection control (D = 9): None identified in documents. Deadlocks are timing-dependent and notoriously difficult to find in standard functional tests.
  AP: H
  Preventive action: Implement a strict resource allocation hierarchy (lock ordering) to prevent circular waits. Use a watchdog timer as a fail-safe to recover from hangs.
  Detection action: Perform static code analysis to detect potential deadlock conditions. Implement long-duration stress testing with randomized command timing to try and trigger the race condition.
  Evidence (PC; DC): No evidence; No evidence

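The FC_158 preventive action, a strict lock ordering, can be enforced at runtime rather than left to convention. The following C is an added example written for this page (not an RTOS API or project code; the lock levels, task names and the single-threaded model are assumptions): each lock carries a level, and a task may only acquire a lock whose level is above every lock it already holds, so the CAN command task and the motor control task cannot take the same two mutexes in opposite orders.

```c
/* Added example, not project or RTOS code. A mutex wrapper that enforces a
 * fixed lock hierarchy (the FC_158 "resource allocation hierarchy"). Levels,
 * task names and the single-threaded model are assumptions for this example. */
#include <stddef.h>
#include <stdio.h>

#define MAX_HELD 8

typedef struct { const char *name; unsigned level; int held_by; } hlock_t;
typedef struct { const char *name; int id; hlock_t *held[MAX_HELD]; size_t n_held; } task_t;

typedef enum { LOCK_OK = 0, LOCK_ERR_ORDER, LOCK_ERR_BUSY,
               LOCK_ERR_NOT_HELD, LOCK_ERR_OVERFLOW } lock_result_t;

/* Acquire: refuse any lock whose level is not strictly above every lock this
 * task already holds. Because every task climbs the same ladder, no circular
 * wait can form. In this single-threaded model a lock held by another task
 * reports BUSY instead of blocking. */
lock_result_t hlock_acquire(task_t *t, hlock_t *l)
{
    if (t->n_held >= MAX_HELD) return LOCK_ERR_OVERFLOW;
    for (size_t i = 0; i < t->n_held; i++)
        if (l->level <= t->held[i]->level) return LOCK_ERR_ORDER;
    if (l->held_by != -1) return LOCK_ERR_BUSY;
    l->held_by = t->id;
    t->held[t->n_held++] = l;
    return LOCK_OK;
}

/* Release: only the holder may release, and only a lock it actually holds. */
lock_result_t hlock_release(task_t *t, hlock_t *l)
{
    if (l->held_by != t->id) return LOCK_ERR_NOT_HELD;
    for (size_t i = 0; i < t->n_held; i++) {
        if (t->held[i] == l) {
            t->held[i] = t->held[t->n_held - 1];
            t->n_held--;
            l->held_by = -1;
            return LOCK_OK;
        }
    }
    return LOCK_ERR_NOT_HELD;
}

/* Self-test of the FC_158 scenario: both tasks need the command queue
 * (level 1) and the motor driver (level 2). The correct order succeeds; the
 * reversed order is refused at the call that would have closed the cycle.
 * Returns 1 when every expectation holds. */
int lock_order_selftest(void)
{
    hlock_t cmd_queue = { "cmd_queue", 1, -1 };
    hlock_t motor_drv = { "motor_drv", 2, -1 };
    task_t can_task   = { "can_task",   0, {0}, 0 };
    task_t motor_task = { "motor_task", 1, {0}, 0 };

    /* CAN command task: queue first, then motor driver (correct order). */
    if (hlock_acquire(&can_task, &cmd_queue) != LOCK_OK) return 0;
    if (hlock_acquire(&can_task, &motor_drv) != LOCK_OK) return 0;
    if (hlock_release(&can_task, &motor_drv) != LOCK_OK) return 0;
    if (hlock_release(&can_task, &cmd_queue) != LOCK_OK) return 0;

    /* Motor control task: motor driver first, then asks for the queue: refused. */
    if (hlock_acquire(&motor_task, &motor_drv) != LOCK_OK) return 0;
    if (hlock_acquire(&motor_task, &cmd_queue) != LOCK_ERR_ORDER) return 0;

    /* Contention and foreign release are reported rather than hidden. */
    if (hlock_acquire(&can_task, &motor_drv) != LOCK_ERR_BUSY) return 0;
    if (hlock_release(&can_task, &motor_drv) != LOCK_ERR_NOT_HELD) return 0;
    if (hlock_release(&motor_task, &motor_drv) != LOCK_OK) return 0;
    return 1;
}

int main(void)
{
    printf("lock-order self-test: %s\n", lock_order_selftest() ? "pass" : "FAIL");
    return 0;
}
```

In a real RTOS the same check sits in a thin wrapper around the mutex take call and trips an assertion or fault handler in debug builds; here the reversed order is reported as LOCK_ERR_ORDER at the exact call that would have closed the cycle, which is also the call a static lock-ordering rule for FC_158 would flag.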
FC_161
  Structure: HOTDOCK Controller > Controller PCB > Solder Finish (on traces/pads)
  Function (next higher level): Provide interconnection for all electronic components.
  Function (focus element): Route electrical signals and power between components reliably.
  Function (next lower level): Provide a conductive path with a protective surface finish.
  Failure effects (S = 9): A tin whisker grows from a solder-finished trace | The whisker grows to contact an adjacent trace | A low-resistance short circuit is created | Unpredictable circuit behavior or catastrophic failure of a component.
  Failure mode: Creates short circuit on PCB
  Failure cause: A microscopic filament of tin (a 'whisker') grows from a pure tin or high-tin-content solder finish over time, causing a short circuit.
  Prevention control (O = 4): None identified in documents. Mitigation of tin whiskers is a standard practice in high-reliability electronics design but not explicitly mentioned.
  Detection control (D = 10): None identified in documents. Whisker growth is unpredictable and a failure may not occur for years.
  AP: H
  Preventive action: Prohibit the use of pure tin plating. Mandate the use of leaded solder or other qualified tin whisker mitigation strategies (e.g., nickel underplating, conformal coating) per space agency standards.
  Detection action: Perform long-term, powered life testing in a humid environment (for ground qualification) to accelerate whisker growth, followed by detailed microscopic inspection.
  Evidence (PC; DC): No evidence; No evidence

FC_165
  Structure: HOTDOCK Controller > Clock Generation Circuitry > Crystal Oscillator
  Function (next higher level): Control all HOTDOCK functionalities.
  Function (focus element): Execute firmware at a defined speed to perform real-time tasks.
  Function (next lower level): Provide a stable high-frequency clock signal to the microcontroller.
  Failure effects (S = 9): Crystal oscillator fails to start or stops oscillating | Microcontroller loses its clock signal | The entire controller hangs | Loss of all HOTDOCK functionality.
  Failure mode: Firmware hangs
  Failure cause: Fracture of the quartz crystal element or its mounting due to high-G mechanical shock during launch.
  Prevention control (O = 3): None identified in documents. An external crystal is standard practice for providing a stable clock for peripherals like CAN.
  Detection control (D = 7): The controller would be completely unresponsive, which would be detected during post-shock functional testing.
  AP: H
  Preventive action: Select a space-qualified, high-shock-rated crystal oscillator. The microcontroller should be configured to use its internal RC oscillator as a backup clock source if the external crystal fails.
  Detection action: Perform mechanical shock testing on the controller board and verify full functionality, including checking the clock frequency for stability.
  Evidence (PC; DC): No evidence; No evidence

FC_170
  Structure: Client Satellite (CLT) > SM1-DMS On-Board Computer (OBC-C) > Reconfiguration Management Software
  Function (next higher level): Manage the client satellite during nominal operations.
  Function (focus element): Manage the modes of the software according to which SMs are available, and support data/power routing.
  Function (next lower level): Execute logic to isolate a faulty SM by commanding upstream cPDUs to cut power.
  Failure effects (S = 9): Software fails to detect and isolate a faulty SM | A fault (e.g., a short circuit) on one SM propagates through the power bus | The entire spacecraft bus may brown out or fail | Loss of the client satellite.
  Failure mode: Fails to isolate fault
  Failure cause: A software bug in the fault detection, isolation and recovery (FDIR) logic prevents it from correctly identifying the location of a fault and taking the proper recovery action.
  Prevention control (O = 5): The OBC-C includes Data and Power Management for FDIR. The network can be reconfigured to handle faults. (D2.4, Section 3.2.2.1 & 4.1.2.2)
  Detection control (D = 6): The failure of the FDIR would be demonstrated by the loss of the system after a fault is injected.
  AP: H
  Preventive action: Implement a robust FDIR architecture with clear separation of detection, isolation, and recovery functions. Use a watchdog system to ensure the FDIR task itself is running.
  Detection action: Perform extensive fault injection testing at the system level, creating faults on various SMs and verifying that the OBC-C correctly isolates them.
  Evidence (PC; DC): MOSAR D2.4, page 19; MOSAR D2.4, page 25

FC_174Walking Manipulator (WM)WM On-Board Computer (OBC)USB-to-SpaceWire BridgeInterface with the main spacecraft OBC-S.Manage control of the arm, end-effectors, and cPDU, and interface with the SpW bus.Convert data between the WM OBC's native bus (e.g., USB) and the system SpaceWire network.The bridge hardware hangs or fails | All communication between the OBC-S and the WM is lost | The WM cannot be commanded or monitored | Loss of all robotic capability.9Fails to communicate with system OBCA component failure or firmware crash within the external USB/SpW brick.The WM OBC interfaces the SpW bus through a USB/SpW brick. (D2.4, Section 6.5.1 and Figure 6-18)5The OBC-S would immediately detect the loss of communication (e.g., RMAP timeout) and declare the WM as failed.4HSelect a high-reliability, space-qualified interface converter. Implement a hardware watchdog in the converter. The system should have a plan for how to safe the spacecraft if the WM is lost.Perform extensive environmental and life testing on the USB/SpW bridge to ensure its reliability.MOSAR D2.4, page 86, MOSAR D2.4, page 87
FC_175Walking Manipulator (WM)Internal HarnessingEtherCAT BusProvide data communication between internal components.Interconnect all seven joint controllers with the WM OBC.Provide a real-time, deterministic, high-speed communication link for joint commands and feedback.A break occurs in the EtherCAT cable or a connector fails | The communication ring is broken | All joint controllers downstream of the break lose communication | Multiple joints become uncontrollable | Catastrophic loss of manipulator control.9Loses control of multiple jointsFatigue failure of a wire in a harness that flexes repeatedly as the manipulator moves.An EtherCAT bus connects the joint controllers to the WM OBC. (D2.4, Section 6.5.1 and Figure 6-18)4The WM OBC would detect the loss of communication with multiple EtherCAT slaves and trigger an emergency stop.4HUse high-flex-life cabling and strain relief for all harnesses that cross moving joints. Implement a redundant EtherCAT ring topology if supported by the hardware.Perform a life test on the complete WM, cycling all joints through their full range of motion for thousands of cycles, while monitoring the EtherCAT bus for errors.MOSAR D2.4, page 86, MOSAR D2.4, page 87
FC_178HOTDOCK ControllerFirmwareFirmware Update LogicControl all HOTDOCK functionalities.Allow for in-flight or on-ground firmware updates.Receive a new firmware image and write it to flash memory, overwriting the old image.A power loss occurs during the flash writing process | The firmware image in flash is incomplete or corrupted | The bootloader detects the corruption on next boot and cannot load an application | The device is 'bricked' and unresponsive.9Fails to boot after firmware updateAn unexpected power interruption occurs while the new firmware image is being written to flash memory.None identified in documents. A robust firmware update process is critical for high-reliability systems.4The failure would be apparent on the next power-up when the device fails to respond.8HImplement a dual-bank flash memory architecture. The new firmware is written to a secondary bank, and only after it is fully written and verified is the bootloader configured to boot from the new bank.Perform a test where power is cut at various points during the firmware update process to verify that the system can always recover by booting the last known-good image.No evidence, No evidence
FC_182HOTDOCK Mechanical Locking MechanismUnlockable Secondary MechanismSliding ComponentsAllow two attached interfaces to unlock by a secondary mechanism.Provide a contingency method to unlock the interface if the primary actuator fails.Allow mechanical parts to move when actuated by an external tool.Mechanism seizes | The secondary unlock mechanism cannot be actuated | The interfaces are permanently mated | Loss of the module or servicing asset.9Fails to unlock (secondary mechanism)Cold welding occurs between two clean, metallic sliding surfaces in vacuum after a long period of inactivity.FuncR_011 requires the interface to be unlockable. DesR_012 requires lubrication for sliding surfaces.5Verification is by Testing. This would likely be a one-time ground test.7HDesign the secondary mechanism using dissimilar metals for all contact surfaces. Apply a space-rated dry film lubricant (e.g., MoS2) to all sliding surfaces.Perform a functional test of the secondary unlock mechanism after a long-duration thermal vacuum exposure to verify it has not seized.D2.5, FuncR_011, page 12, D2.5, DesR_012, page 20
FC_185HOTDOCK ControllerFirmwareCAN DriverProvide command and telemetry exchange.Handle TM/TC exchange with the host system over the CAN bus.Process incoming CAN messages from a hardware buffer and pass them to the application layer.A buffer overflow occurs in the receive handler | Critical data in memory is overwritten | The firmware crashes or enters an unpredictable state | Loss of communication and control.9Firmware hangsA 'babbling node' on the CAN bus sends a high-rate burst of messages that overwhelms the receive interrupt handler, causing its data buffer to overflow.CAN bus is the main TM/TC interface. (D2.5, pg 46)4A watchdog timer would eventually reset the hung controller.5HImplement a robust CAN driver architecture using DMA and circular buffers to handle high message rates without data loss or overflow. The system-level bus design should include bus-off recovery.Perform stress testing by connecting a CAN traffic generator that sends messages at the maximum possible bus rate and verifies that the controller remains stable.D2.5, Section 6.2, page 46, No evidence
FC_189HOTDOCK ControllerH-Bridge Motor DriverGate Driver ICDrive the 3-phase brushless motor.Switch current to the windings based on PWM signals.Control the switching of the power MOSFETs, including ensuring dead-time between high-side and low-side switching.Dead-time generation fails | High-side and low-side MOSFETs are briefly turned on at the same time (shoot-through) | A large current pulse flows through the half-bridge | Component stress, high EMI, potential for catastrophic H-bridge failure.9Creates short circuit on power busA fault in the gate driver's internal logic or a timing glitch from the microcontroller causes a loss of dead-time.The controller design includes a H-bridge and gate driver. (D2.5, pg 46). Overcurrent protection (FuncR_015) provides some mitigation.4A fast-acting overcurrent protection circuit could detect the current spikes. This is a very difficult fault to detect non-destructively.8HSelect a gate driver with robust, guaranteed dead-time generation. Perform a Worst Case Timing Analysis on the PWM signals from the microcontroller.Use an oscilloscope to carefully measure the dead-time on the MOSFET gates under all operating conditions during design verification.D2.5, Section 6.2, page 46, D2.5, FuncR_015, page 13
FC_002HOTDOCK Actuation AssemblyBrushless DC Motor (MAXON EC 32 flat)Hall Effect Sensors (Position)Rotate locking ring to engage/disengage mechanical latches within specified time and torque limits.Provide rotor position feedback to the controller for correct commutation sequence of the brushless motor.Detect magnetic field orientation of rotor magnets and output a digital signal representing the rotor's angular sector.Incorrect or no signal from Hall sensor | Controller applies current to wrong windings (commutation error) | Motor stalls, jitters, or runs inefficiently with high current | Inability to rotate locking mechanism | Mission failure.8Provides incorrect or intermittent position signalSignal degradation or failure due to total ionizing dose (TID) radiation effects on the semiconductor sensor in the space environment.Design requirement EnvR_001 requires withstanding space environment conditions, but the document notes 'No testing in the current activity under space conditions'.6Functional testing of the motor actuation sequence. Telemetry from Hall sensors is listed in Table 4-2.7HSelect a radiation-hardened or radiation-tolerant Hall effect sensor variant. If not feasible, perform a radiation analysis and add localized shielding to the motor assembly.Perform radiation beam testing on the selected motor's Hall effect sensors to characterize performance degradation versus dose.D2.5, EnvR_001, page 28, D2.5, Table 4-2, page 35
FC_005HOTDOCK Power & Data InterfacePOGO Pin ConnectorSpring ElementProvide a separable interface for power and data transfer between two HOTDOCKs, compliant up to 100Mbps.Establish and maintain a compliant electrical connection by pressing a pin against a pad, transferring up to 3A per pin.Provide a specified contact force over the operational stroke of the pin to ensure low contact resistance.Spring yields or breaks | Pin does not make contact or has insufficient force | Open circuit or high resistance on a power or data line | Loss of power or data to a module, or data corruption | Mission failure.8Fails to provide contact force (Open circuit)Mechanical yielding of the spring element due to over-compression caused by misalignment and tolerance stack-up during mating.The design is 'particularly tolerant to misalignment' (D2.5, pg 40). Androgynous design with 90-degree symmetry helps mitigate some alignment issues. Form-fit geometry provides final guidance.6System-level mating and de-mating tests are specified (FuncR_009). The connector plate is part of the integrated system.7HPerform a detailed worst-case tolerance analysis of the mating interface to ensure POGO pin stroke is never exceeded under maximum specified misalignment.Develop a specific test using instrumented POGO pins or pressure-sensitive film to measure contact force distribution across the connector plate during a misaligned mating test.D2.5, Section 5.2, page 40, D2.5, FuncR_009 Verification, page 12
FC_008HOTDOCK ControllerH-Bridge Motor DriverPower MOSFETControl all HOTDOCK functionalities, including motor control, sensor processing, and communication.Drive the 3-phase brushless motor by switching current to the windings based on PWM signals from the microcontroller.Act as a high-power switch to control current flow into a motor phase, with low on-state resistance and high off-state impedance.MOSFET fails short (drain-to-source) | A motor winding is permanently energized, creating a braking torque and drawing high current | Motor stalls and cannot be driven, high current may damage power supply or other driver components | Actuation mechanism is inoperable.8Fails to switch motor phase currentSingle Event Burnout (SEB) or Single Event Gate Rupture (SEGR) in a power MOSFET due to a heavy ion strike while in a high-voltage blocking state.The controller includes overcurrent protection (FuncR_015), which might mitigate the effect of a short. The components must withstand the space environment (EnvR_001).6Motor current is monitored (FuncR_029), which could detect the overcurrent condition. A fault state exists in the controller logic.4HSelect radiation-hardened power MOSFETs with a known resistance to SEB/SEGR up to a specified LET threshold. Implement a fast-acting, latching overcurrent protection circuit.Perform heavy ion testing on the selected MOSFETs to verify their single-event effect performance and ensure they meet mission reliability requirements.D2.5, FuncR_015, page 13, D2.5, FuncR_029, page 17
FC_009HOTDOCK Data InterfaceLVDS Crosspoint SwitchInternal Routing MatrixProvide a re-routable data interface for SpaceWire communication, supporting the 90-degree androgynous design.Dynamically route LVDS signal pairs based on commands from the controller to maintain correct data links regardless of mated orientation.Connect a specific input differential pair to a specific output differential pair with controlled impedance to maintain signal integrity.Routing matrix fails to establish a connection | Data link is broken | No SpaceWire communication between mated interfaces | Inability to command or receive data from downstream modules | Mission failure.8Fails to route data signalsConfiguration register corrupted by a Single Event Upset (SEU), causing the switch to route signals incorrectly or not at all.The controller detects the orientation and commands the switch accordingly (D2.5, pg 42). This is a new design feature, so prevention is based on component selection.7End-to-end data link testing is the only way to detect this. No specific self-test for the switch is mentioned.8HSelect a crosspoint switch with built-in error detection/correction on its configuration memory, or implement a periodic refresh of the switch's configuration by the controller.Develop a specific built-in self-test (BIST) where the controller can command a loopback path through the crosspoint switch and verify data integrity to confirm the switch is configured correctly.D2.5, Section 5.2.2, page 41, No specific test identified in documents
FC_015HOTDOCK Dust ProtectionRetractable Shutter MechanismShutter Drive LinkageProvide dust protection to avoid internal contamination and ensure correct mechanical and data/power connection.Drive a double motion of shutters (translation and rotation) to open a path for the connector plate during deployment.Transmit force from the main actuation mechanism to the shutters.Linkage jams or breaks | Shutters fail to retract | Connector plate path is blocked | Mating sequence fails, power and data connection cannot be made | Mission failure.8Fails to retractJamming of the shutter mechanism due to dust ingress from the planetary environment, preventing motion.The purpose of the mechanism is dust protection (FuncR_012). The design is an initial concept targeting simplification.7Verification for dust protection is ROD/Testing (FuncR_012).8HDesign the shutter mechanism with labyrinth seals and high driving torque to overcome potential dust-induced friction.Perform functional testing of the dust shutter mechanism in a vacuum chamber with simulated planetary dust (e.g., JSC-1A lunar simulant) to assess reliability.D2.5, FuncR_012, page 13, D2.5, Section 5.4, page 43
FC_016HOTDOCK ControllerDC/DC ConverterOutput CapacitorProvide local low-level bus generation from the supplied 24V for the microcontroller and circuitry.Convert the main 24V bus to stable low-level voltages (e.g., 3.3V/5V) required by the controller electronics.Filter the output voltage to reduce ripple and provide stable power to digital components.Output capacitor fails short | The regulated voltage rail (e.g., 3.3V) is shorted to ground | Microcontroller and other components on the rail lose power | Controller ceases to function | Loss of all HOTDOCK functionality.8Fails to provide regulated voltageShort circuit failure of a ceramic capacitor due to cracking induced by mechanical stress during launch vibration.The interface must be compliant with launch loads (FuncR_007). Use of space-grade electronic components is standard practice, though not explicitly stated.4Verification for launch loads is by testing (FuncR_007). The controller would fail during post-vibration functional checks.7HSelect ceramic capacitors with flexible terminations or other stress-relieving features. Ensure PCB layout avoids placing large capacitors in high-flexure areas of the board.Perform a Design Verification (DV) test including vibration testing followed by a full functional test of the controller board to screen for component failures.D2.5, FuncR_007, page 11, No specific component selection criteria in documents
FC_019HOTDOCK ControllerCAN TransceiverDriver/Receiver CircuitryAllow command and telemetry exchange between HOTDOCK and the host system over a standard CAN bus.Transmit and receive differential signals on the CAN bus, compliant with the physical layer standard.Convert logic-level signals from the microcontroller's CAN peripheral to differential bus signals, and vice-versa.Transceiver is damaged | No signals are transmitted or received on the CAN bus | Loss of all communication with the host OBC | HOTDOCK cannot be commanded or monitored | Inability to perform mission.8Fails to communicateElectrical overstress damage to the transceiver from an electrostatic discharge (ESD) event during ground handling and assembly.Requirement OpR_012 states the mechanism shall be maintenance-free during storage and ground operation, implying robust handling procedures are needed.4End-to-end communication check during system integration testing.7HImplement a strict ESD control program for all phases of assembly and handling, including the use of wrist straps, grounded work surfaces, and ESD-safe packaging.Perform a comprehensive functional test of all interfaces, including CAN communication, as part of the final acceptance testing before delivery.D2.5, OpR_012, page 27, No specific ESD control plan cited
FC_020HOTDOCK Power & Data InterfaceConnector Plate PCBPCB Substrate (FR-4 or similar)Provide a common mounting and interconnection platform for all POGO pins, pads, and associated sense circuitry.Maintain the precise physical arrangement of 128 POGO connections and provide the electrical traces for power and data routing.Provide a rigid, dielectrically stable base for mounting components and routing copper traces with controlled impedance for high-speed signals.PCB delaminates or cracks | An internal trace is broken | Open circuit on a data or power line | Loss of function for that specific line | Potential loss of entire interface if a critical power line is severed.8Fails to provide electrical continuity (open circuit)Delamination of PCB layers due to mismatched CTE (Coefficient of Thermal Expansion) and stress from repeated thermal cycling from -55°C to +85°C.The interface must withstand the specified temperature range (EnvR_003). Materials must be space-compatible (low outgassing per DesR_019, flame retardant per DesR_018).5Verification for EnvR_003 is 'Analysis', with a comment that 'The current activity doesn't foresee verification by testing for this requirement'.9HSelect a PCB substrate material with a high glass transition temperature (Tg) and low Z-axis CTE (e.g., polyimide) suitable for space applications and wide temperature ranges.Perform thermal cycling tests on a representative coupon or prototype of the Connector Plate PCB to screen for delamination, cracking, or plated-through-hole failures.D2.5, EnvR_003, page 28, D2.5, DesR_019, page 22
FC_023HOTDOCK Power & Data InterfacePOGO Pin ConnectorPin Barrel/Plunger AssemblyProvide a separable interface for power and data.Establish and maintain a compliant electrical connection.Allow the pin to slide compliantly while maintaining electrical continuity from the spring to the pin tip.Debris enters the barrel | Plunger movement is impeded or jammed | Pin does not make contact or retract properly | Open circuit or damage to pin/pad on de-mating.8Fails to make contact (jammed)Particulate contamination (e.g., metallic dust from assembly) enters the POGO pin barrel and causes the plunger to jam.FuncR_012 requires dust protection for planetary applications. General cleanliness during assembly is standard practice.5A final visual inspection and functional check would be performed. No specific cleanliness plan is mentioned.7HSpecify and perform all assembly operations in a certified cleanroom environment with strict FOD (Foreign Object Debris) controls.Add a step to the assembly procedure to actuate every POGO pin with a force gauge to verify smooth travel and correct spring force before final closeout.D2.5, FuncR_012, page 13, No specific procedure document cited
FC_024HOTDOCK ControllerFirmwareState Machine LogicControl all HOTDOCK functionalities.Execute firmware to process commands, run the motor control state machine, and handle telemetry.Transition between Idle, Moving, and Fault states based on commands and sensor inputs, as defined in Figure 4-2.Logic error in firmware | System transitions to an incorrect state (e.g., tries to move when already moving) | Unpredictable behavior, potential for mechanical damage | Loss of control, failed operation.8Executes incorrect command sequenceA latent software bug (e.g., race condition, unhandled state) is triggered by an unusual sequence of commands or sensor readings.The state machine is defined in the design document. Code reviews and structured programming are standard practice. Source of verification is 'System architecture'.6FuncR_027 verification is by Testing. The control logic will be tested during system integration.6HImplement a rigorous peer code review process for all firmware. Develop a comprehensive unit testing framework to validate each state transition and logic path.Develop a comprehensive hardware-in-the-loop (HIL) test suite that simulates a wide range of nominal and off-nominal scenarios, including command race conditions and sensor faults.D2.5, Figure 4-2, page 34, D2.5, FuncR_027, page 16
FC_030HOTDOCK Actuation AssemblyMechanical TransmissionBearingsTransmit torque from motor to barrel-cam.Support rotating shafts within the geartrain and actuation mechanism.Allow low-friction rotation of shafts while supporting radial and axial loads.Bearing cage fractures | Rolling elements bunch up, causing the bearing to seize | Mechanism jams | Actuation fails.8Mechanism jamsFracture of the bearing cage due to embrittlement from exposure to atomic oxygen in a LEO (Low Earth Orbit) environment (if applicable).EnvR_001 requires the design to withstand the space environment. Materials must be space-grade. DesR_012 requires space-grade lubricants.4The document notes 'No testing in the current activity under space conditions', so this specific failure cause would not be found.9HFor LEO applications, specify bearings with metallic cages (e.g., steel or bronze) instead of polymeric cages (e.g., Torlon) which can be susceptible to atomic oxygen.Add an Atomic Oxygen exposure test to the environmental test campaign for any external or vented mechanisms intended for LEO operation.D2.5, EnvR_001, page 28, No specific LEO environment test cited
FC_037HOTDOCK ControllerPower ConversionInput FilterProvide local low-level bus generation.Convert the main 24V bus to stable low-level voltages.Filter electromagnetic interference (EMI) from the main power bus to protect the converter.Input filter inductor fails open | Power is cut off to the DC/DC converter | The entire controller loses power.8Fails to provide powerVibration-induced fatigue failure of the inductor's solder joint due to the component's mass.The interface must be compliant with launch loads (FuncR_007).4Verification for launch loads is by Testing.7HLarge magnetic components like inductors must be mechanically staked to the PCB with a space-grade adhesive (e.g., epoxy) in addition to soldering to relieve stress on the leads.Perform vibration testing followed by a full functional test and visual inspection of all large components for solder joint integrity.D2.5, FuncR_007, page 11, No specific workmanship standard cited
FC_043HOTDOCK Power & Data InterfacePOGO Pin ConnectorPOGO Pin BodyProvide a separable interface for power and data.Establish and maintain a compliant electrical connection.House the spring and plunger, providing a conductive path and mounting to the PCB.Solder joint between POGO pin body and PCB fails | Electrical connection to the pin is lost | Open circuit on a power or data line | Loss of function for that line.8Fails to provide electrical continuity (open circuit)Fatigue failure of the solder joint due to stress from repeated thermal cycling (-55°C to +85°C) and CTE mismatch between the pin body, solder, and PCB.The interface must withstand the specified temperature range (EnvR_003).5The document notes that testing for this requirement is not foreseen in the current activity.9HSelect POGO pins with flange designs that maximize solder fillet area. Use a high-reliability, space-grade solder alloy and implement underfill or corner staking for additional mechanical support.Perform a thermal cycling test on a populated connector PCB coupon, followed by dye-and-pry or cross-section analysis to inspect solder joint integrity.D2.5, EnvR_003, page 28, D2.5, EnvR_003 comment, page 28
FC_053HOTDOCK Power & Data InterfaceConnector Plate PCBPlated Through-Hole (Via)Provide interconnection for all POGO pins and circuitry.Route electrical signals between different layers of the PCB.Provide a conductive path between layers of the circuit board.Barrel of the via cracks | Electrical connection between layers is broken | Open circuit on a power or data line | Loss of function for that line.8Fails to provide electrical continuity (open circuit)Fatigue cracking of the copper plating in the via barrel due to Z-axis expansion stress during thermal cycling (-55°C to +85°C).The interface must withstand the specified temperature range (EnvR_003). PCB fabrication must meet space-grade standards.5Testing for EnvR_003 is not foreseen in the current activity, making this failure difficult to detect pre-flight.9HSpecify PCB fabrication according to a high-reliability space standard (e.g., ECSS-Q-ST-70-10C) which controls via aspect ratios and plating quality to ensure thermal cycle survivability.Perform thermal cycling on test coupons from each PCB manufacturing lot, followed by microsection analysis to verify the integrity of the plated through-holes.D2.5, EnvR_003, page 28, D2.5, EnvR_003 comment, page 28
FC_070HOTDOCK Data InterfaceLVDS Crosspoint SwitchPower SupplyProvide a re-routable data interface.Dynamically route LVDS signal pairs.Provide stable power to the switch IC.Switch loses power | All routed data links are broken | Loss of all SpaceWire communication through the interface.8Fails to route data signalsThe local voltage regulator powering the crosspoint switch fails.The controller design includes power conversion for all its components.4Failure would be detected by a total loss of communication.7HDesign the power supply for the crosspoint switch with high-reliability components and sufficient derating. Consider providing a redundant, cross-strapped power feed if analysis shows it is a critical point of failure.Perform a stress screening (e.g., thermal cycling and burn-in) on the assembled controller boards to precipitate early failures in components like voltage regulators.D2.5, Section 6.1, page 45, No specific redundancy is mentioned
FC_087HOTDOCK Dust ProtectionRotative CoverDrive System InterfaceProvide dust protection.Protect the connector plate from dust.Be driven directly by the HOTDOCK drive system (Table 2, pg 44).Interface between main drive and cover shears | Main drive moves but the cover does not | Connector plate is not exposed | Mating fails.8Fails to openThe mechanical interface (e.g., a drive dog) between the main barrel-cam and the rotative cover fails due to overload if the cover is jammed by dust.This is one of the considered mitigation strategies, noted as having the con of an 'additional mechanism and motion transmission'.6A failure to open would be detected by the absolute position sensor not reaching its expected final state.4HDesign the drive interface for the dust cover with a torque-limiting clutch to prevent overload failure of the primary drive train if the cover becomes jammed.If this design is chosen, perform functional testing in a dust environment to characterize the loads on the drive interface and verify its robustness.D2.5, Table 2, page 44, This is a conceptual design
FC_125HOTDOCK HarnessingInternal Wiring HarnessBend RadiusConnect internal components.Route electrical signals and power reliably.Maintain a bend radius that does not over-stress the wire conductors or insulation.A wire is bent too sharply | The conductor is fatigued and breaks inside the insulation | An intermittent or open circuit develops.8Fails to provide electrical continuity (open circuit)The harness is routed around a sharp corner with a bend radius smaller than the wire's specified minimum, leading to fatigue failure under vibration.Standard workmanship practices should prevent this. No specific harness standard is cited.4An intermittent failure would be very difficult to detect and diagnose. A hard failure would be found during continuity testing.8HThe harness design drawings must specify minimum bend radii for all wires and cables. The assembly procedure must be followed to implement this routing.Perform a detailed inspection of the harness routing on the first article to ensure all minimum bend radius requirements have been met.No evidence, No evidence
FC_135HOTDOCK ControllerFirmwareTask SchedulerControl all HOTDOCK functionalities.Execute real-time tasks according to their priority.Manage the execution of multiple concurrent tasks, such as motor control, telemetry, and command handling.A race condition occurs | Two tasks access a shared resource (e.g., a global variable) without proper protection, leading to data corruption | State machine enters an invalid state, or a command is misinterpreted | Unpredictable behavior, potential for damage.8Executes incorrect command sequenceA race condition between the command-handling task and the motor control task causes a state variable to be updated incorrectly.None identified in documents. Use of an RTOS scheduler is implied for complex systems.6None identified in documents. Race conditions are notoriously difficult to detect as they are timing-dependent.9HImplement a strict coding standard that requires all shared resources to be protected by mutual exclusion mechanisms (e.g., mutexes or semaphores). Perform a detailed code review focusing on concurrency.Perform long-duration, randomized stress testing to increase the probability of triggering timing-dependent race conditions. Use a real-time trace tool to analyze task interactions.no evidence, no evidence
| Issue # | Next Higher Level | Focus Element | Next Lower Level / Characteristic | Next Higher Level Function | Focus Element Function | Next Lower Level Function / Characteristic | Failure Effects (FE) | S | Failure Mode (FM) | Failure Cause (FC) | Prevention Control (PC) | O | Detection Control (DC) | D | AP | Preventive Action | Detection Action | Remarks |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| FC_145 | HOTDOCK Power & Data Interface | POGO Pin Connector | Solder Joint (Pin-to-PCB) | Provide a separable interface for power and data. | Maintain the precise physical arrangement of 128 POGO connections. | Provide a reliable electro-mechanical connection between the POGO pin body and the PCB pad. | A solder joint cracks and fails \| An intermittent or open circuit is created \| Loss of a signal or power line. | 8 | Fails to provide electrical continuity (open circuit) | Low-cycle fatigue of a POGO pin solder joint due to stress induced by CTE mismatch between the PCB and housing during thermal cycling (-55°C to +85°C). | The interface must withstand the specified temperature range (EnvR_003). | 5 | The document notes that testing for EnvR_003 is not foreseen, making this hard to detect. | 9 | H | Implement mechanical stress relief for the PCB mounting. Apply underfill or corner staking to the POGO pins to reinforce the solder joints and distribute mechanical stress. | Perform a thermal cycling test on a fully assembled prototype, periodically checking continuity of all pins to detect intermittent failures. Follow with dye-and-pry to inspect joints for cracks. | D2.5, EnvR_003, page 28, No workmanship standard cited |
| FC_151 | HOTDOCK Controller | Local Power Regulator (LDO) | Regulator IC | Provide local low-level bus generation. | Provide stable low-level voltages (e.g., 3.3V) to controller electronics. | Regulate an input voltage down to a stable, lower output voltage. | LDO fails short (input-to-output) \| A high voltage (e.g., 5V) is applied to a low-voltage rail (3.3V) \| All components on the 3.3V rail are destroyed by electrical overstress \| Catastrophic failure of the controller. | 8 | Fails to provide regulated voltage | Electrical overstress or a radiation-induced event causes an internal short circuit in the LDO pass element. | Controller architecture includes linear voltage regulators (D2.5, page 46). Component selection assumed to be appropriate. | 4 | None identified in documents. This failure is instantaneous and destructive. | 10 | H | Add an over-voltage protection device (e.g., a crowbar circuit or Zener diode) on the output of all critical LDOs to protect downstream components. | Perform a Failure Modes, Effects, and Criticality Analysis (FMECA) at the circuit level to identify critical single-point failures like LDO shorts. | D2.5, Section 6.2, page 46, no evidence |
| FC_152 | HOTDOCK Electrical Interface | Conducted Emissions Filter | Common-Mode Choke | Provide a reliable electrical interface compliant with EMC standards. | Not cause electro-magnetic interference (EMI) in coupled modules (FuncR_016). | Filter conducted common-mode noise on power and data lines. | Choke winding fails open \| The signal or power path is broken \| Loss of communication or power to the interface. | 8 | Fails to provide electrical continuity (open circuit) | Vibration-induced fatigue failure of a fine-wire winding or its termination to the component lead. | The interface must be compliant with launch loads (FuncR_007). | 4 | Post-vibration functional testing would detect the open circuit. | 7 | H | Select robust, space-qualified magnetic components. Ensure all large magnetic components are staked to the PCB with epoxy to prevent stress on solder joints. | Perform vibration testing followed by a full continuity and functional check of all power and data lines. | D2.5, FuncR_007, page 11, no evidence |
| FC_157 | HOTDOCK Controller | DC/DC Converter | Ceramic Capacitor | Provide local low-level bus generation from the supplied 24V. | Convert the main 24V bus to stable low-level voltages (e.g., 3.3V/5V). | Filter input/output voltage to reduce ripple and ensure stability. | Capacitor cracks and fails short \| The regulated voltage rail is shorted to ground \| Loss of power to the microcontroller and other ICs \| Controller ceases to function \| Loss of all HOTDOCK functionality. | 8 | Fails to provide regulated voltage | Brittle fracture of a ceramic capacitor due to high-G mechanical shock (pyroshock) from launch vehicle stage separation. | The interface must be compliant with launch loads (FuncR_007). Standard space-grade component selection and PCB layout practices are assumed to mitigate shock. | 4 | Verification for launch loads is by Testing. The failure would be detected in post-shock functional tests. | 7 | H | Select ceramic capacitors with flexible terminations. Ensure PCB layout avoids placing large, stiff components in high-flexure areas. Analyze and potentially add damping to the PCB mounting. | Perform pyroshock testing on the integrated HOTDOCK assembly, followed by a full functional test to screen for component failures. | D2.5, FuncR_007, page 11, No specific shock requirement cited |
| FC_167 | HOTDOCK Controller | Controller PCB | Decoupling Capacitor | Provide a stable operating environment for all electronic components. | Provide stable power to the microcontroller. | Provide a local source of charge to handle high-frequency current demands from the microcontroller. | A decoupling capacitor fails open (e.g., solder joint fracture) \| The local power supply impedance for the MCU increases \| Power rail noise causes logic upsets or spurious resets of the microcontroller \| Controller behaves erratically or hangs. | 8 | Firmware behaves erratically or resets | A solder joint on a small decoupling capacitor, placed close to an MCU power pin, fractures due to vibration-induced fatigue. | The interface must be compliant with launch loads (FuncR_007). Standard high-reliability PCB design practices are assumed. | 4 | This failure can be intermittent and very difficult to diagnose, as it may only occur under specific vibration frequencies or temperatures. | 8 | H | Use multiple parallel decoupling capacitors to provide redundancy. Follow space-grade PCB layout guidelines for placement and soldering of decoupling capacitors. | Perform highly accelerated life testing (HALT) which combines vibration and thermal cycling to precipitate latent failures like solder joint fatigue. | D2.5, FuncR_007, page 11, No specific workmanship standard cited |
| FC_169 | MOSAR Demonstrator | Visual Processing System | Pose Estimation Algorithm | Support autonomous reconfiguration operations. | Provide 3D pose estimation of the walking manipulator or Spacecraft Modules. | Compute the position and orientation of a target (e.g., SM) from camera images with a mean error < 1cm and < 5 deg. | Algorithm provides an incorrect pose estimate \| The Autonomy Agent plans a trajectory based on the wrong location \| The WM collides with the target SM or misses the HOTDOCK interface \| Damage to hardware, failed operation. | 8 | Causes collision with target | Poor lighting conditions or reflections cause the vision algorithm to incorrectly identify features, resulting in a large error in the calculated pose. | FuncR_A115 and FuncR_A116 define the requirements for camera localization. This is an optional/desirable feature, not in the primary control loop. | 6 | The plan is validated by simulation. The primary system relies on known geometry, not vision. | 5 | H | The robotic control system must incorporate cross-checks and sanity limits on vision system data before using it for motion planning. Proximity sensors on the HOTDOCK provide a final verification. | Characterize the performance of the vision system under a wide range of lighting conditions to define its operational limits. | MOSAR D1.4, page 36, no evidence |
| FC_181 | HOTDOCK Electrical Interface | External Connectors | Connector Shell | Provide a reliable electrical connection to the spacecraft harness. | Connect internal harnessing to the spacecraft-side harness. | Provide electrical shielding and a grounding path for the harness. | A large electrostatic charge builds up on the spacecraft \| An arc discharges from the structure to a connector pin \| The high voltage transient damages the CAN transceiver or other interface electronics \| Loss of communication. | 8 | Fails to communicate | Surface charging in the GEO environment leads to a large differential potential, causing an electrostatic discharge (ESD) event on an external connector. | The design must withstand the space environment (EnvR_001). This includes plasma/charging effects. | 5 | None identified in documents. This is typically verified by analysis. | 8 | H | Ensure all external surfaces and connector shells have a conductive path to the spacecraft chassis ground to prevent charge buildup. Add TVS diodes to all external interface pins. | Perform a spacecraft charging analysis to predict the worst-case potentials. Test the interface electronics for susceptibility to system-level ESD events. | D2.5, EnvR_001, page 28, No specific spacecraft charging analysis cited |
| FC_194 | HOTDOCK Dust Protection | Retractable Shutter Mechanism | Shutter Panel | Provide dust protection to avoid internal contamination. | Drive a double motion of shutters to open a path for the connector plate. | Provide a physical barrier against dust. | Shutter panel binds in its track \| Mechanism jams \| Shutters fail to retract, blocking the connector plate path \| Mating sequence fails. | 8 | Fails to retract | Binding of the shutter panel in its guide tracks due to differential thermal expansion between the aluminum shutter and a steel housing. | An initial concept for dust protection is based on retractable shutters. (D2.5, Section 5.4) | 6 | Motor current telemetry would detect the high torque of a jam. The absolute position sensor would show a failure to reach the open position. | 4 | H | Perform a detailed thermal analysis of the shutter mechanism. Select materials with compatible CTEs and ensure sufficient clearance is maintained at all temperatures. | Perform functional testing of the dust shutter mechanism in a thermal chamber at the operational temperature extremes. | D2.5, Figure 5-11, page 43, No specific material choices cited |
| FC_052 | HOTDOCK Actuation Assembly | Gearing System | Lubricant (Space-Grade) | Transmit and amplify torque. | Transmit torque with minimal backlash and friction. | Reduce friction and prevent wear/galling between moving gear teeth. | Lubricant is expelled from the gearbox due to over-application \| Expelled lubricant contaminates nearby optical sensors or thermal surfaces \| Mission science is degraded or thermal control is compromised. | 7 | Contaminates external surfaces | Excessive lubricant applied during assembly is flung out of the unsealed gearbox by centrifugal force during operation in vacuum. | DesR_012 requires space-grade lubricants. Low outgassing is a key property. | 4 | Visual inspection after testing might show evidence of creep. No specific contamination test is mentioned. | 7 | H | Develop a detailed lubrication procedure specifying the exact type, quantity, and application method of lubricant to prevent over-application. Design the gearbox with labyrinth seals to help contain lubricant. | During thermal vacuum life testing, place witness plates (e.g., silicon wafers) near the gearbox to collect any outgassed or expelled contaminants for analysis. | D2.5, DesR_012, page 20, No specific procedure document cited |
| FC_098 | HOTDOCK Power & Data Interface | POGO Pin Connector | Grounding Pins | Provide a separable interface for power and data. | Provide a common ground reference between mated interfaces. | Establish a low-impedance connection for the ground return path. | A ground pin has high contact resistance \| The ground reference shifts between the two interfaces \| Common-mode noise is created, data communication becomes unreliable \| Data corruption. | 7 | Communication is intermittent | Contamination or wear on one of the few designated ground pins leads to a high-resistance ground connection. | The design includes 128 connections that can be freely configured, including for power transmission (D2.5, pg 40). This allows for multiple ground pins. | 5 | This can be a difficult problem to diagnose, manifesting as random data errors. | 8 | H | Designate a significant number of POGO pins (e.g., >10%) as ground pins and distribute them evenly across the connector plate to ensure a robust, low-impedance ground connection. | During integration testing, use a network analyzer to perform a ground impedance measurement between the two mated interfaces to verify a low impedance connection across a wide frequency range. | D2.5, Section 5.2, page 40, No specific pinout defined |
| FC_132 | HOTDOCK Controller | Microcontroller | Internal Oscillator | Control all HOTDOCK functionalities. | Execute firmware at a defined speed for real-time tasks. | Provide a stable clock signal within tolerance over the mission life and temperature range. | Clock frequency drifts out of tolerance \| CAN bus baud rate is incorrect, communication fails. PWM timings are incorrect \| Loss of communication, inefficient or unstable motor control. | 7 | Fails to communicate on CAN bus | Frequency drift of the internal RC oscillator due to temperature variation and long-term aging. | Controller electrical specifications (D2.5, page 46) imply standard components are used. | 6 | None identified in documents. This failure is difficult to detect as it may be intermittent with temperature. | 8 | H | Use a temperature-compensated crystal oscillator (TCXO) as the primary clock source for the microcontroller to ensure frequency stability. | Perform a frequency vs. temperature characterization of the microcontroller clock during thermal vacuum testing. | D2.5, page 46, no evidence |
| FC_139 | HOTDOCK Actuation Assembly | Gearing System | Gear Lubricant | Transmit and amplify torque. | Transmit torque with minimal friction and wear. | Reduce friction and prevent wear, rated for space environment per DesR_012. | Lubricant degrades \| Viscosity increases due to polymerization from radiation exposure or high temperature \| Gearbox friction increases significantly \| Motor current increases, mechanism may stall. | 7 | Requires excessive torque to actuate | Polymerization of the gear lubricant due to long-term exposure to the space radiation environment, causing it to become gummy. | DesR_012 requires space-grade lubricants. EnvR_001 requires withstanding space environment. | 6 | None identified in documents. This is a long-term aging effect not typically caught in standard life tests. | 9 | H | Select a lubricant with known radiation stability (e.g., a perfluoropolyether like Braycote). Perform a torque budget analysis that accounts for end-of-life lubricant properties. | Perform an accelerated aging test on lubricant samples (radiation and thermal) and measure viscosity changes. Test gearbox performance with the aged lubricant. | D2.5, DesR_012, page 20, D2.5, EnvR_001, page 28 |
| FC_142 | HOTDOCK Thermal Interface | Hydraulic Fluid | Fluid Chemical Properties | Provide an active thermal interface for fluid transfer. | Circulate fluid for heat exchange up to 1400 W. | Maintain stable thermal properties and chemical composition over the mission lifetime. | Fluid breaks down chemically \| The fluid's thermal properties (specific heat, viscosity) change, or it becomes corrosive \| Thermal transfer performance is degraded, or internal components are corroded \| Overheating of payloads, potential for leaks. | 7 | Thermal performance degraded | Chemical breakdown of the coolant fluid due to long-term exposure to high temperatures and radiation. | The thermal interface is based on a previously developed design (D2.5, pg 42). This implies a proven fluid was used. | 5 | None identified in documents. This is a long-term aging effect. | 9 | H | Select a heat transfer fluid with a proven history of long-term stability in the space environment. Ensure all wetted materials in the fluid loop are compatible with the fluid. | Perform an accelerated aging test on the fluid (thermal and radiation) and then run it through a prototype thermal loop to verify performance has not degraded. | D2.5, Section 5.3, page 42, no evidence |
| FC_149 | HOTDOCK Controller | Microcontroller | GPIO Pin | Control all HOTDOCK functionalities. | Control various hardware functions. | Drive a digital output pin to a high or low logic level. | GPIO pin is stuck high \| A peripheral is permanently enabled \| Potential for high power consumption or unintended operation \| System may enter an unsafe state. | 7 | Fails to disable a peripheral | A Single Event Latch-up (SEL) in a GPIO output driver causes it to become stuck in a high-current state. | None identified in documents. This is a known risk for standard CMOS components in radiation environments. | 6 | A functional test of the specific peripheral would fail to turn off. Current consumption would be high. | 5 | H | Use a radiation-tolerant microcontroller or implement external latch-up detection and power-cycling circuitry for the controller's power domain. | Perform heavy ion testing to characterize the SEL susceptibility of the chosen microcontroller. | no evidence, no evidence |
| FC_159 | HOTDOCK Actuation Assembly | Brushless DC Motor (MAXON EC 32 flat) | Hall Effect Sensors | Rotate locking ring. | Provide rotor position feedback to the controller for commutation. | Detect magnetic field orientation and output a digital signal. | Hall sensor output voltage shifts or becomes noisy \| Commutation logic sees incorrect timing \| Motor runs inefficiently, with torque ripple or reduced torque output \| Actuation performance is degraded. | 7 | Provides degraded position signal | Displacement Damage Dose (DDD) from proton radiation in the space environment causes lattice defects in the Hall sensor semiconductor, altering its electrical characteristics. | Design must withstand space environment (EnvR_001), but this is a more subtle long-term aging effect than total dose failure. | 5 | None identified in documents. This slow degradation would be difficult to detect without detailed motor characterization. | 8 | H | Select Hall effect sensors with known tolerance to proton-induced displacement damage. Perform a radiation analysis and add localized shielding if necessary. | Perform proton radiation testing on the sensors to characterize parameter degradation versus fluence and ensure end-of-life performance meets requirements. | D2.5, EnvR_001, page 28, No specific radiation analysis cited |
| FC_160 | HOTDOCK Power & Data Interface | POGO Pin Pad | Contact Surface | Provide a separable interface for power and data transfer. | Provide a contact surface for the POGO pin to establish electrical connection. | Provide a low-resistance, non-corroding contact surface. | A thin, insulating film forms on the contact pad \| Contact resistance increases significantly \| Localized heating on power pins, or high bit error rate on data lines \| Degraded performance or loss of function for that line. | 7 | Contact resistance too high | Volatile Condensable Material (VCM) from a nearby component (e.g., adhesive, cable jacket) outgasses in vacuum and re-condenses on the cold POGO pad surface. | Materials must have low outgassing (DesR_019). The design is intended to prevent accumulation of dirt (D2.5, pg 40). | 4 | None identified in documents. This failure may only appear after extended time in vacuum. | 8 | H | Maintain a strict materials and processes list, selecting only low-VCM materials per ECSS-Q-ST-70-01. Perform vacuum bake-out on subassemblies to remove volatiles. | During system thermal vacuum testing, place a Quartz Crystal Microbalance (QCM) near the connector plate to measure VCM deposition rates. | D2.5, DesR_019, page 22, D2.5, Section 5.2, page 40 |
| FC_188 | HOTDOCK Controller | Non-Volatile Memory (Flash) | Calibration Data Sector | Control all HOTDOCK functionalities. | Store persistent configuration and calibration data. | Store calibration coefficients for the absolute position sensor. | Calibration data is corrupted \| The controller uses incorrect scaling or offset for the position sensor \| The reported position is wrong \| The controller may drive the mechanism past its limits or fail to confirm lock. | 7 | Reports incorrect position telemetry | A single-bit upset (SEU) corrupts a byte in the flash memory sector where calibration data is stored. | The controller has 2048 KBytes of flash for programming and logging. (D2.5, pg 46) | 4 | The error may not be detected until the mechanism behaves incorrectly at a specific position. | 7 | H | Store a checksum (e.g., CRC) along with the calibration data. The firmware must validate the checksum at boot-up before using the data. | Add a specific built-in test that can be commanded to re-calculate and verify the checksum of all non-volatile data storage areas. | D2.5, Section 6.2, page 46, No specific data integrity check cited |
| FC_191 | MOSAR Demonstrator | System Grounding | Ground Return Path | Provide a safe and reliable electrical system. | Provide a common ground reference for all interconnected components (WM, SMs, SVC). | Ensure a low-impedance path for all signal and power return currents. | A ground loop is created due to multiple ground paths \| Noise currents from the WM motors circulate through the system ground \| The ground reference becomes noisy, corrupting sensitive analog signals and digital communication \| Unreliable sensor readings, communication errors. | 7 | Signal integrity is degraded | An incorrect grounding scheme where a data cable shield is connected to chassis at both ends, creating a large ground loop. | None identified in documents. A grounding philosophy is a critical part of the system-level electrical design. | 5 | These issues are often difficult to diagnose, appearing as intermittent 'gremlins'. | 8 | H | Develop and enforce a strict system grounding and bonding plan (e.g., a single-point star ground system). All cable shields should be grounded at one end only. | During system integration, perform ground impedance and bonding resistance measurements to verify the grounding scheme was implemented correctly. | No evidence, No evidence |
| FC_197 | MOSAR Demonstrator | On-Board Software (OBSW) | TASTE Middleware | Provide a model-based framework for the OBSW. | Provide the underlying software framework for modeling components and their interactions. | Manage inter-process communication between software components. | A bug in the TASTE middleware \| Communication between two software components fails \| The system deadlocks or a component fails to receive a command \| Loss of function. | 7 | Software component fails to communicate | A subtle bug in the TASTE framework's message passing implementation causes message corruption under high load. | The OBSW is modeled in TASTE. (D2.4, Section 5.5) | 4 | This would be a difficult, low-level bug to find, likely requiring extensive stress testing. | 8 | H | Use a mature, well-tested version of the TASTE framework. The project must have a plan for debugging and patching the middleware if issues are found. | Perform long-duration, system-level stress testing to look for any rare, middleware-related failures. | MOSAR D2.4, page 52, No evidence |
| FC_198 | HOTDOCK Power & Data Interface | POGO Pin Connector | Spring Element | Provide a separable interface for power and data. | Establish and maintain a compliant electrical connection. | Provide a specified contact force over the operational stroke of the pin. | Spring force decreases over time \| Pin does not make contact with sufficient force \| Contact resistance increases \| Overheating on power pins or poor signal integrity on data lines. | 7 | Contact force too low | Stress relaxation of the spring material after being held in a compressed state at high temperature for a long duration. | The interface must be reusable and operate over a wide temperature range. (OpR_002, EnvR_003) | 4 | None identified in documents. This is a long-term aging effect not typically found in short-term tests. | 8 | H | Select a high-performance spring alloy (e.g., Beryllium Copper) known for its resistance to stress relaxation at high temperatures. | Perform an accelerated aging test by holding a set of POGO pins compressed at the maximum operating temperature for an extended period, then measure the resulting spring force. | D2.5, OpR_002, page 25, D2.5, EnvR_003, page 28 |
| FC_018 | HOTDOCK Structure | Mounting Interface | M3 Mounting Bolts | Provide a mechanical connection to the module, spacecraft bus, or robotic end-effector. | Transfer all operational and launch loads between the HOTDOCK and the parent structure. | Provide clamping force to secure the HOTDOCK interface, with sufficient strength to withstand shear and tensile loads. | Mounting bolt fails due to fatigue \| Clamping force is lost \| The interface becomes loose and can no longer transfer loads correctly \| Catastrophic structural failure, liberation of the HOTDOCK unit from the spacecraft. | 10 | Fails to maintain structural connection | Fatigue failure of a mounting bolt due to under-torquing during assembly, leading to excessive cyclic loading during launch vibration. | The interface is required to withstand launch loads (FuncR_007) and operational loads (FuncR_008). Design safety factors are required (DesR_014). | 3 | Verification is by Analysis and Test. A static pull test or vibration test would be part of the verification. | 6 | M | Create a detailed assembly procedure that specifies the use of a calibrated torque wrench for all structural fasteners and includes independent inspection verification of torque application. | Perform a modal survey and sine vibration test on the integrated assembly to validate the structural analysis and ensure the mounting interface performs as expected. | D2.5, FuncR_007, page 11, No assembly procedure document cited |
| FC_055 | HOTDOCK Mechanical Locking Mechanism | Peripheral Locking Elements | Actuated Internal Ring | Implement a locking mechanism. | Engage with the mated HOTDOCK to create a secure connection. | Move the steel balls radially into their locking positions. | Ring fractures due to overload \| Locking balls are no longer constrained \| The locking mechanism fails and cannot support loads \| Catastrophic failure of the interface, separation of modules. | 10 | Fails to transfer mechanical load | Ultimate stress failure of the actuated internal ring due to an extreme, un-commanded torque event from the robotic manipulator arm. | The interface is required to withstand 250Nm bending moment and 400N forces (FuncR_008). | 3 | Verification is by Analysis and Testing. A proof load test would be performed. | 5 | M | The robotic manipulator control system must include torque/force limiting functions to prevent it from applying loads that exceed the structural limits of the HOTDOCK interface. | Perform a combined load test on the mated interface, applying axial, radial, and bending loads simultaneously up to proof levels to verify structural integrity. | D2.5, FuncR_008, page 12, No specific robotic fault analysis cited |
| FC_100 | HOTDOCK Mechanical Structure | Housing | Material Flammability | Provide the main structure and enclosure. | Safely contain all internal components. | Materials shall be flame retardant (DesR_018). | A non-metallic internal component is not flame retardant \| In the event of an electrical short circuit that causes ignition, the fire propagates \| Catastrophic loss of the module, and a major safety hazard, especially in a manned environment. | 10 | Propagates fire | An internal non-metallic component (e.g., a plastic insulator or cable jacket) does not meet the required flammability rating. | DesR_018 requires materials to be flame retardant for all components (harness, electronics, lubricants). Verification is by Analysis. | 2 | Material properties are reviewed as part of the design process. | 5 | M | Maintain a detailed materials and processes list for the entire design, and require that all selected materials be verified against NASA or ESA flammability standards. | Perform flammability testing on any non-standard materials that do not have existing flight qualification data. | D2.5, DesR_018, page 22, No specific materials list cited |
| FC_028 | HOTDOCK Electrical Interface | Overcurrent Protection Circuitry | Current Sense Resistor | Provide electrical protection and power switching. | Incorporate overcurrent, overvoltage, and thermal protection (FuncR_015). | Provide a voltage proportional to the current flowing through it for measurement by the controller. | Sense resistor fractures (fails open) \| The controller reads zero current, disabling the overcurrent protection \| A subsequent short circuit or motor stall will not be detected \| Uncontrolled current flow could cause catastrophic damage to the motor, harness, or power source. | 9 | Fails to detect overcurrent condition | Fracture of the resistive element due to thermal shock from a rapid, high-current event exceeding its pulse rating. | FuncR_015 requires overcurrent protection. This implies selection of components rated for the application. | 3 | Verification is by Testing. A specific test would be needed to validate the protection feature. | 6 | M | Select a current sense resistor with a high pulse-withstanding capability and perform an analysis to ensure it can survive worst-case inrush and short-circuit current for the time it takes the protection to act. | Perform destructive testing on a prototype controller board to validate the overcurrent protection works as designed and components fail safely. | D2.5, FuncR_015, page 13, No specific test plan cited |
| FC_044 | HOTDOCK Controller | Microcontroller | Internal Oscillator/Clock | Control all HOTDOCK functionalities. | Execute firmware at a defined speed to perform real-time tasks. | Provide a stable clock signal for the processor core and peripherals. | Clock signal becomes unstable or stops \| Processor halts or operates at an incorrect speed \| Controller hangs or behaves erratically \| Loss of all HOTDOCK functionality. | 9 | Firmware hangs | Failure of the internal oscillator circuit due to aging or a radiation-induced latch-up event. | Component selection is critical. Use of space-qualified microcontrollers is implied by EnvR_001. | 3 | A watchdog timer would detect the hang and reset the device. The device would fail to respond to commands. | 5 | M | Implement an external, radiation-hardened oscillator as the primary clock source for the microcontroller, in addition to the internal one, with a clock-failure-detection circuit. | Perform a failure modes and effects analysis (FMEA) at the component level for the microcontroller to identify all critical internal blocks and assess their reliability. | D2.5, EnvR_001, page 28, No specific component selection criteria in documents |
| FC_073 | HOTDOCK Mechanical Structure | Main Housing and Cover | Structural Material (Aluminum Alloy) | Provide the main structure and enclosure. | Maintain structural integrity throughout the mission. | Provide high strength-to-weight ratio and resistance to corrosion cracking. | A crack initiates and propagates through the structure \| Structural failure \| Loss of component alignment, potential liberation of parts. | 9 | Structural integrity is lost | Stress corrosion cracking (SCC) of a high-strength aluminum alloy due to exposure to a corrosive environment (e.g., ground storage in humid air) while under sustained stress from assembly. | DesR_017 requires selected materials to be crack resistant. Verification is by Analysis. | 3 | Analysis is performed. Non-destructive inspection (e.g., dye penetrant) after manufacturing would find initial flaws. | 6 | M | Select an aluminum alloy with high resistance to stress corrosion cracking (e.g., 6061-T6 or 7075-T73 instead of 7075-T6) for all primary structural components. | Implement proper long-term storage procedures, including controlled humidity environments and periodic inspections, for all flight hardware. | D2.5, DesR_017, page 22, No specific material selection cited |
| FC_001 | HOTDOCK Actuation Assembly | Brushless DC Motor (MAXON EC 32 flat) | Motor Windings | Rotate locking ring to engage/disengage mechanical latches within specified time and torque limits. | Generate rotational torque by converting electrical energy into a magnetic field, providing a minimum torque for worst-case lifetime conditions. | Conduct current through insulated copper coils to create a rotating magnetic field, with insulation rated for max operating voltage and temperature. | Motor winding shorts \| Motor cannot produce required torque or draws excessive current \| Locking mechanism fails to engage or disengage \| Inability to connect/disconnect a spacecraft module \| Mission failure. | 8 | Fails to generate sufficient torque | Inter-turn short circuit in stator winding due to insulation breakdown from thermal stress cycling (-55°C to +85°C). | Motor selected based on manufacturer's specifications for operating temperature range. Design Requirement DesR_013 specifies motorization must provide minimum torque for worst lifetime conditions. | 5 | Functional testing of the actuation sequence is specified as the verification method for multiple requirements (e.g., FuncR_005, FuncR_006). Motor current telemetry is available per FuncR_029. | 4 | M | Implement a motor derating analysis based on ECSS standards for thermal and voltage margins to ensure insulation longevity. | Perform a motor characterization test over the full temperature range (-55°C to +85°C) in a thermal vacuum chamber, monitoring for torque degradation and current anomalies. | D2.5, DesR_013, page 21, D2.5, FuncR_005/006 Verification, page 11 |
| FC_003 | HOTDOCK Actuation Assembly | Gearing System | Gear Teeth Surfaces | Rotate locking ring to engage/disengage mechanical latches within specified time and torque limits. | Transmit and amplify torque from the motor to the barrel-cam mechanism with minimal backlash. | Maintain surface integrity to engage mating gear teeth and transfer load without slipping or binding, designed with lubrication per DesR_012. | Gear teeth wear or galling \| Increased friction and backlash in the geartrain \| Motor requires higher current, mechanism becomes imprecise or jams \| Locking mechanism fails to fully engage or disengage \| Inability to connect/disconnect a spacecraft module. | 8 | Mechanism jams | Cold welding (adhesive wear) between gear teeth surfaces due to lubricant outgassing and failure in the vacuum environment. | Design requirement DesR_012 states that sliding surfaces should have lubrication and only space-grade lubricants must be used. Material selection intended to be compatible. | 5 | Requirement for reusability (OpR_002) implies life testing. Verification is listed as 'Testing'. | 6 | M | Specify and verify the use of a vacuum-rated dry film lubricant (e.g., MoS2) on all gear contact surfaces, with application process control. | Perform a life test of the actuation mechanism (1000 cycles per OpR_002) in a thermal vacuum chamber, followed by disassembly and inspection of gear teeth for wear. | D2.5, DesR_012, page 20, D2.5, OpR_002, page 25 |
| FC_013 | HOTDOCK Thermal Interface | Hydraulic Fluid Connector | Internal Seal | Provide an active thermal interface for fluid transfer, enabling heat exchange up to 1400 W. | Form a leak-tight connection for fluid circulation between two mated HOTDOCKs. | Deform upon connection to create a seal that prevents fluid leakage in the vacuum and temperature environment of space. | Seal fails to form a tight connection \| Fluid leaks from the connector \| Loss of coolant, contamination of nearby surfaces \| Inability to perform thermal transfer, potential damage to sensitive optics or electronics from contamination. | 8 | Fails to seal fluid (leaks) | Loss of seal elasticity and compliance at extreme low temperature (-55°C), preventing proper sealing. | The design must withstand a temperature range between -55°C and +85°C (EnvR_003). The thermal interface is based on a previously developed design (D2.5, pg 42). | 5 | Leakage testing has been successfully performed on the baseline connector design (D2.5, pg 42). | 4 | M | Select a seal material specifically rated for space applications with a glass transition temperature well below the minimum operating temperature of -55°C. | Perform mate/de-mate and leakage testing of the hydraulic connectors within a thermal chamber at the temperature extremes of -55°C and +85°C. | D2.5, EnvR_003, page 28, D2.5, Section 5.3, page 42 |
| FC_014 | HOTDOCK Thermal Interface | Flexible Metallic Bellows | Bellows Wall | Provide an active thermal interface for fluid transfer, enabling heat exchange up to 1400 W. | Accommodate the required stroke for connection of the whole HOTDOCK while maintaining a sealed fluid path. | Flex and extend to allow connector motion while being fatigue-resistant and impermeable to the working fluid. | Fatigue crack develops in the bellows wall \| Fluid leaks from the thermal interface \| Loss of coolant, contamination \| Loss of thermal control function. | 8 | Fails to contain fluid (leaks) | High-cycle fatigue cracking due to vibration during launch, exceeding the design life of the bellows. | The interface must be compliant with launch loads (FuncR_007). The design is based on existing hardware from OG5/SIROM. | 4 | Verification for launch loads is by testing (FuncR_007). | 5 | M | Perform a fatigue analysis on the bellows design based on the expected launch vibration spectrum and required stroke cycles to verify design margin. | Conduct a vibration test on the thermal interface assembly followed by a helium leak check to verify the integrity of the bellows and seals. | D2.5, FuncR_007, page 11, D2.5, Section 5.3, page 42 |
| FC_017 | HOTDOCK Harnessing | Internal Wiring Harness | Wire Insulation | Connect power and data buses between the controller, motor, sensors, and connector plate. | Route electrical signals and power between internal components reliably. | Provide dielectric separation between conductors and prevent short circuits to the chassis. | Insulation is breached by chafing against a sharp edge \| Conductor shorts to chassis \| Power supply shorts, blowing a fuse or triggering overcurrent protection \| Loss of power to the entire HOTDOCK unit. | 8 | Short circuit to chassis | Abrasion of wire insulation due to vibration-induced chafing against an un-deburred edge of the aluminum housing. | Human Factors requirement HumR_001 requires no sharp edges or corners, which implies good manufacturing practice. Materials must have low outgassing (DesR_019). | 4 | Verification for HumR_001 is by Inspection. A final assembly inspection would check for proper harness routing. | 4 | M | Implement a formal harness design and routing plan. All harness pass-throughs in the structure must be fitted with protective grommets. All wires must be secured with space-grade cable ties. | Perform a post-vibration continuity and insulation resistance test (Hipot test) between all conductors and the chassis to detect any insulation damage. | D2.5, HumR_001, page 29, No specific harness standard cited |
FC_021HOTDOCK Actuation AssemblyBrushless DC Motor (MAXON EC 32 flat)Rotor BearingsRotate locking ring to engage/disengage mechanical latches within specified time and torque limits.Generate rotational torque by converting electrical energy into a magnetic field.Support the motor rotor, allowing low-friction rotation while maintaining alignment.Bearing lubricant degrades or is expelled in vacuum | Bearing friction increases significantly or seizes | Motor stalls or draws excessive current to overcome friction | Locking mechanism fails to operate.8Fails to rotate freely (seizure)Degradation and outgassing of bearing grease in the space vacuum environment, leading to seizure.Design requirement DesR_012 specifies the use of space-grade lubricants for sliding surfaces, which applies to bearings as well.5Life testing (implied by OpR_002) would uncover premature wear.6MProcure motors with bearings specifically prepared for vacuum service, using dry lubricants (e.g., MoS2) or very low outgassing grease (e.g., Braycote).Perform a vacuum bake-out and residual gas analysis (RGA) on the motor to verify low outgassing characteristics prior to integration.D2.5, DesR_012, page 20, D2.5, OpR_002, page 25
FC_033HOTDOCK Power InterfacePower Distribution Unit (PDU)Low-level Voltage RailsProvide power to internal components.Provide low-level voltage power rails to supply the controller, sensors, and motor drive (FuncR_013).Maintain stable voltage (e.g. 5V) under varying load conditions.Voltage rail becomes unstable or drops out | Controller or sensors reset or behave erratically | Loss of control or telemetry.8Voltage out of regulationInstability in the DC/DC converter's control loop caused by aging of output capacitors (ESR increase) over the mission life.FuncR_013 mandates the provision of these rails.4Verification by Testing. Controller supply voltage is monitored per FuncR_029.3MPerform a Worst Case Circuit Analysis (WCCA) on the power supply design, including end-of-life component tolerances, to ensure stability margin.Perform an accelerated life test on the controller, periodically checking the stability and regulation of all power rails.D2.5, FuncR_013, page 13, D2.5, FuncR_029, page 17
FC_038HOTDOCK Power & Data InterfaceConnector Plate ActuationDrive Mechanism LinkageProvide a separable interface for power and data.Translate the connector plate through the same drive mechanism as the locking system.Ensure correct timing sequence of deployment relative to the locking ring.Linkage for connector plate jams | Connector plate fails to deploy or retract | No electrical connection is made, or pins are damaged if locking occurs before retraction.8Fails to deploy connector plateBinding in the linkage due to thermal distortion across the assembly (differential expansion) at temperature extremes.DesR_005 requires the design to account for worst-case combinations of transient temperature and differential expansion.5Analysis and Testing are listed as verification for DesR_005.5MPerform a detailed thermal and structural analysis of the actuation mechanism to ensure clearances are maintained at temperature extremes.Execute the full mating and de-mating sequence in a thermal chamber at the hot and cold operational limits to verify function.D2.5, DesR_005, page 18-19, No specific test plan cited
FC_041HOTDOCK Actuation AssemblyBrushless DC Motor (MAXON EC 32 flat)Motor ShaftRotate locking ring to engage/disengage mechanical latches.Generate and transmit rotational torque to the gearing system.Transmit torque without yielding or fracturing under worst-case loads.Motor shaft fractures | Mechanical link between motor and gearbox is broken | Motor spins freely but no torque is transmitted | Locking mechanism is inoperable.8Fails to transmit torqueFatigue failure of the motor shaft due to high cycle stress from repeated actuation cycles combined with vibrational loads.DesR_013 requires the motorization to provide minimum required torque, implying a robust design. Safety factors are required per DesR_014.3Life testing is specified (OpR_002).5MPerform a fatigue life analysis on the motor shaft based on expected torque profiles and cycle counts to ensure a positive margin of safety.During life testing, periodically monitor motor current and acoustic emissions to detect any early signs of mechanical degradation.D2.5, DesR_013, page 21, D2.5, OpR_002, page 25
FC_046HOTDOCK Power InterfaceOvervoltage ProtectionTransient Voltage Suppressor (TVS)Provide electrical protection.Incorporate an overcurrent and overvoltage protection (FuncR_015).Clamp the input voltage to a safe level during transient events.TVS diode fails short | The main power input is shorted to ground | A fuse blows or the main power system trips off-line | Loss of power to the HOTDOCK unit.8Fails to provide power (input short)Failure of the TVS diode due to an energy transient that exceeds its maximum rated absorption capability.FuncR_015 requires the protection. This implies the circuit is designed to handle expected transients.4Verification is by Testing.6MPerform a power system transient analysis to define the worst-case voltage and energy transients, and select a TVS diode with sufficient margin.Conduct transient susceptibility testing by injecting specified voltage spikes onto the power line and verifying that the unit survives and the protection clamps correctly.D2.5, FuncR_015, page 13, No specific transient specification cited
FC_067HOTDOCK Thermal InterfaceHydraulic Fluid ConnectorConnector BodyProvide an active thermal interface.Form a leak-tight connection for fluid circulation.Provide the structural housing for the seals and valves.Connector body cracks | Fluid leak | Loss of coolant, contamination.8Fails to contain fluid (leaks)Stress corrosion cracking of the aluminum connector body material due to long-term exposure to the coolant fluid and mechanical stress.DesR_017 requires selected materials to be crack resistant. The baseline design has been tested for leakage.3Verification for DesR_017 is by Analysis.6MSelect a coolant fluid and an aluminum alloy that are known to be compatible and not susceptible to stress corrosion cracking, based on NASA/ESA material databases.Perform an accelerated aging test by exposing a stressed connector body to the selected coolant at elevated temperature for an extended period, followed by inspection for micro-cracks.D2.5, DesR_017, page 22, D2.5, Section 5.3, page 42
FC_068HOTDOCK Power InterfaceBidirectional Power SwitchMOSFETsControl current flow at the interface.Incorporate a bidirectional power switch.Act as solid-state relays to control current flow.MOSFET fails open | The switch cannot conduct current | Power cannot be transferred through the interface.8Fails to conduct current (open circuit)Wire bond failure inside the MOSFET package due to thermo-mechanical stress from power cycling.FuncR_017 requires the switch. Components are selected to meet requirements.4Verification is by Testing. A failure to power up a module would be detected.5MSelect power MOSFETs in hermetically sealed or space-qualified packages with a proven history of reliability in power cycling applications.Perform a power cycling life test on the switch component to validate its reliability for the expected number of cycles and temperature swing.D2.5, FuncR_017, page 14, No specific component selection criteria in documents
FC_074HOTDOCK Power & Data InterfacePOGO Pin ConnectorPin-to-Pad AlignmentProvide a separable interface for power and data.Establish a compliant electrical connection.Ensure each pin lands on the center of its corresponding pad.Pin lands on the edge of a pad, or on the solder mask between pads | High contact resistance, potential for shorting to adjacent pad | Intermittent connection, data errors, or short circuits.8Fails to establish reliable connectionExcessive misalignment during mating that exceeds the capture range of the form-fit geometry, caused by a robotic arm control error.The form-fit geometry provides self-guidance (D2.5, pg 31). The POGO design is tolerant to misalignment (D2.5, pg 40).5Proximity sensors are used to detect good alignment before mating (OpR_008).4MEnlarge the diameter of the PCB pads to provide a larger landing zone for the POGO pins, increasing tolerance to misalignment.During robotic mating tests, use a camera to visually monitor the pin-to-pad alignment at the moment of contact to characterize the actual performance.D2.5, Section 3.1, page 30, D2.5, OpR_008, page 26
FC_085HOTDOCK Actuation AssemblyGearing SystemPlanetary Gear StageTransmit and amplify torque.Provide a high gear reduction ratio in a compact volume.Distribute the load among multiple planet gears to increase torque capacity.A planet gear tooth fractures | Debris from the fracture jams the rest of the gearbox | The mechanism seizes instantly.8Mechanism jamsOverload failure of a gear tooth due to a sudden shock load (e.g., from a robotic arm collision) that exceeds the material's ultimate strength.DesR_005 requires a robust design. The interface must withstand operational loads (FuncR_008).3Verification by Analysis and Testing.6MSelect a gearbox with a high shock load rating. Perform a system-level analysis to determine the maximum credible shock load and ensure the gearbox provides sufficient margin.Implement a shock test as part of the qualification program to verify the robustness of the actuation mechanism.D2.5, DesR_005, page 18, D2.5, FuncR_008, page 12
FC_101HOTDOCK Actuation AssemblyBrushless DC Motor (MAXON EC 32 flat)Commutation LogicRotate locking ring to engage/disengage mechanical latches.Generate rotational torque by converting electrical energy into a magnetic field.Sequentially energize motor windings based on Hall sensor feedback to create continuous rotation.Incorrect commutation sequence implemented in firmware | Motor runs backward, jitters, or has very low torque | Mechanism cannot be actuated.8Fails to rotate in commanded directionA software bug in the firmware maps the Hall sensor states to the incorrect motor phase outputs.The controller is designed for field-oriented control which requires correct commutation. The design is based on the motor's datasheet.4The failure would be immediately obvious during the first functional test of the motor.2MDevelop a specific unit test for the commutation logic that uses a simulated set of Hall sensor inputs and verifies the correct phase outputs are generated.Create a documented procedure for the initial motor integration test, which includes verifying the direction of rotation and the correct phasing of all sensors and motor leads.D2.5, Section 6.1, page 45, No specific firmware test plan cited
FC_103HOTDOCK ControllerMicrocontrollerGPIO PinControl all HOTDOCK functionalities.Control various hardware functions like motor driver enables, sensor selects, etc.Drive a digital output pin to a high or low logic level.GPIO pin fails (e.g., due to ESD) and is stuck low | The signal it controls (e.g., 'motor_enable') is permanently disabled | The motor cannot be activated | Actuation mechanism is inoperable.8Fails to enable a peripheralElectrical overstress from an ESD event during handling damages the output driver of a GPIO pin.The controller has 114 GPIOs (D2.5, pg 46). Standard ESD handling procedures are assumed.4A functional test of the specific peripheral would fail.5MImplement strict ESD control measures during all stages of assembly and handling. Add current-limiting resistors in series with critical GPIO signals to provide some protection.Develop a comprehensive BIST routine that toggles and reads back non-critical GPIO pins to check for functionality at startup.D2.5, Section 6.2, page 46, No ESD control plan cited
FC_105HOTDOCK Thermal InterfaceHydraulic Fluid ConnectorFluid PathProvide an active thermal interface.Allow for circulation of coolant fluid.Provide an unobstructed path for fluid flow.A blockage occurs in the fluid path | Fluid flow is restricted or stopped | Heat cannot be transferred | The component being cooled (e.g., PWS) overheats.8Fails to circulate fluid (blocked)A piece of contamination (e.g., a burr from machining, a piece of sealant) breaks loose and becomes lodged in a narrow channel within the fluid connector.The thermal transfer testing was performed on a separate setup (D2.5, pg 42). This implies the design is functional. Clean assembly is required.4A flow test with pressure drop measurement would detect a blockage.3MImplement a rigorous cleaning and inspection procedure for all components of the fluid loop before final assembly. The loop should be assembled in a cleanroom environment.After assembly, perform a full flow test of the thermal loop while monitoring the pressure drop. A higher-than-expected pressure drop indicates a restriction.D2.5, Section 5.3, page 42, No specific cleanliness procedure cited
FC_112HOTDOCK ControllerFirmwareFault Recovery LogicControl all HOTDOCK functionalities.Recover from a fault state upon command.Upon receiving a 'Fault Recovery' command, trigger automatic recovery mechanisms to return to a known state (D2.5, pg 34).The recovery logic contains a bug | Attempting to recover from a fault puts the system into a worse, unrecoverable state | The interface is permanently disabled until a full power cycle.8Fails to recover from faultThe fault recovery sequence does not properly re-initialize all hardware peripherals, leaving one in an invalid state that prevents normal operation.The state machine includes a fault state and recovery path.5This would be tested as part of the fault injection test plan.5MDesign the fault recovery path to perform a full hardware re-initialization sequence, identical to the power-on boot sequence, to ensure a known good state.For every fault condition tested in the fault injection plan, verify that the 'Fault Recovery' command successfully returns the system to a fully operational Idle state.D2.5, Section 4.2, page 34, No specific test plan cited
FC_115HOTDOCK Actuation AssemblyGearing SystemGear MaterialTransmit and amplify torque.Transmit torque reliably throughout the mission life.The gear material must have sufficient fatigue strength to withstand the cyclic loading.A gear tooth fails due to fatigue | The gearbox jams or fails to transmit torque | Actuation fails.8Fails to transmit torque (gear fracture)Fatigue failure of a gear tooth after accumulating more stress cycles than the material was designed for.The interface is required to be reusable for 100-1000 cycles (OpR_002), which sets the life requirement.4A life test is the primary verification method.6MSelect a gear material (e.g., hardened steel) with a known S-N (stress vs. number of cycles) curve. Perform a fatigue analysis to verify a positive life margin of at least 4x the required cycles.Perform a life test for at least 2x the maximum required cycles (2000 cycles), followed by disassembly and non-destructive inspection (e.g., dye penetrant) of the gear teeth.D2.5, OpR_002, page 25, No specific material list cited
FC_119HOTDOCK StructureMain Housing and CoverAlignment FeaturesProvide the main structure and enclosure.Ensure precise alignment of all sub-assemblies.Use dowel pins or machined features to locate components relative to each other.Alignment features are missing or out of tolerance | Internal assemblies (e.g., gearbox, barrel-cam) are misaligned | Mechanism binds or jams.8Mechanism bindsTolerance stack-up across multiple components prevents alignment pins from engaging, leading to a forced assembly that is internally stressed and misaligned.A robust design is required (DesR_005). Proper manufacturing and assembly are assumed.4The problem would be discovered during assembly when parts do not fit together correctly.2MPerform a full geometric dimensioning and tolerancing (GD&T) analysis of the entire mechanical assembly to ensure that all parts will fit together under worst-case tolerance conditions.Use functional gauges during inspection of machined parts to verify that critical interface features and alignment holes are in the correct position.D2.5, DesR_005, page 18, No specific assembly drawings cited
FC_129HOTDOCK Mechanical Locking MechanismLocking RingPosition Sensor TargetImplement a locking mechanism.Provide a target for the absolute position sensor to read.A feature (e.g., a magnet, a patterned disc) attached to the locking ring that is read by the sensor.The sensor target detaches from the locking ring | The sensor can no longer read the ring's position | The controller loses position feedback | The system is inoperable.8Fails to provide position feedbackFailure of the adhesive bond holding a magnet onto the locking ring due to thermal cycling stress.The design includes an absolute sensor driven by the gearing system (D2.5, pg 37).4A failure would be immediately detected by the controller as a loss of valid sensor signal.3MIn addition to adhesive, design a mechanical feature (e.g., a pocket or a clip) to positively retain the sensor target on the locking ring.Perform a spin test or vibration test on the locking ring assembly to verify the retention of the sensor target.D2.5, Section 5.1.2, page 37, No specific assembly procedure cited
FC_138HOTDOCK Actuation AssemblyGearing SystemGear ToothTransmit and amplify torque.Transmit torque from the motor to the barrel-cam mechanism.Transfer load between mating gears without failure.A gear tooth fractures at the root | The gear can no longer transmit torque, and the debris can jam the gearbox | The mechanism seizes instantly.8Mechanism jamsHigh-cycle fatigue crack initiation at the gear tooth root due to cyclic bending stress exceeding the material's endurance limit.The interface must be reusable for 100-1000 cycles (OpR_002). Safety factors are required (DesR_014).4A life test is the primary method to detect fatigue failures.6MPerform a gear tooth bending fatigue analysis (e.g., using AGMA standards) to verify sufficient life margin. Use shot peening to induce compressive residual stress at the tooth root.Perform a life test to at least 2x the required cycles, followed by non-destructive inspection (e.g., magnetic particle) of gear teeth to look for fatigue cracks.D2.5, OpR_002, page 25, D2.5, DesR_014, page 21
FC_140HOTDOCK HarnessingExternal ConnectorsContact Retention ClipProvide interface for control, data, and power harnessing.Provide a reliable, separable connection to the spacecraft harness.Securely hold each electrical contact within the connector housing.A contact retention clip fails | The contact is pushed back into the housing during mating ('pin push-back') | No electrical connection is made | Open circuit on a critical power or data line.8Fails to make electrical contact (open circuit)The plastic retention clip for a connector contact fractures due to embrittlement from radiation exposure or improper assembly.None identified in documents. Use of space-grade connectors is standard practice.4A post-mate continuity check would detect the open circuit. A visual inspection of the connector face might show the pushed-back pin.5MUse high-reliability space-grade connectors with robust contact retention systems. Perform a contact retention test (push/pull force) on a sample of contacts as part of incoming inspection.Add a specific visual inspection step to check for any pushed-back or recessed contacts after every mating operation during ground testing.no evidence, no evidence
FC_153Spacecraft Module (e.g., SM3-BAT)Central Power Distribution Unit (cPDU)Latching RelayProvide a standard interface for power and data transfer within the modular spacecraft.Route main 28V power from one HOTDOCK interface to another based on commands from the R-ICU, enabling power reconfiguration.Maintain a selected power connection (on/off) with low resistance and without continuous power consumption.Relay fails to change state (stuck open) | Power cannot be routed to a downstream module | The downstream module cannot be powered on | Inability to complete spacecraft assembly or use module's function | Mission failure.8Fails to route powerWelding of relay contacts due to switching under a high inrush current or short-circuit condition.The cPDU is a core component for power reconfiguration. Its design includes relays controlled by the R-ICU via CAN bus. (D2.4, Figure 4-1)4The failure would be detected when the downstream module fails to power on and its voltage telemetry reads zero. cPDU TM includes channel status (D2.4, Table 4-1).4MImplement a soft-start circuit in the cPDU to limit inrush current during switching. Select relays with high current ratings and proven space heritage.Perform a fault-insertion test by shorting a power output and commanding the relay to close, verifying that protection trips and the relay does not weld.MOSAR D2.4, Figure 4-1, page 26, MOSAR D2.4, Table 4-1, page 27
FC_154Spacecraft Module (e.g., SM1-DMS)Reduced Instrument Control Unit (R-ICU)SpaceWire Router IP (in MPSoC)Provide command, telemetry, data, and power interfaces for the spacecraft module.Manage SpW routing and data communication functions, directing packets according to the network topology.Forward incoming SpaceWire packets from one port to another based on the internal routing table.Router hangs or routing table is corrupted | Packets are lost or mis-routed | The OBC-S loses communication with the SM's payloads and HOTDOCK controller | Inability to command or monitor the module | Mission failure.8Fails to route data packetsA Single Event Upset (SEU) in the FPGA/MPSoC memory corrupts the routing table or control registers of the software-defined SpW router.The R-ICU is the local intelligence in the SM and manages SpW routing. The OBC-S updates routing tables via RMAP. (D2.4, Section 3.2.2.2 & 4.1.2)5A communication failure would be detected by the OBC-S via RMAP reply timeouts. (D2.4, Section 4.1.2.2)5MImplement error detection and correction (EDAC) or memory scrubbing on the router's configuration memory. The OBC-S could periodically refresh the routing tables.Perform fault injection testing on the R-ICU, corrupting its memory to verify that the system can detect the communication loss and attempt recovery.MOSAR D2.4, pages 19-20, MOSAR D2.4, page 25
FC_156Walking Manipulator (WM)WM ControllerImpedance Control AlgorithmManipulate Spacecraft Modules and relocate the WM between HOTDOCK interfaces.Perform fine motion of the WM extremity with impedance control to align and mate an SI with another SI.Modulate joint torques based on position and force feedback to achieve a compliant behavior at the end-effector.Control loop becomes unstable | The WM oscillates or vibrates with high amplitude during the approach phase | High impact loads are imparted to the HOTDOCK interfaces | Structural damage to HOTDOCK or WM.8Exerts excessive force on interfaceIncorrect tuning of the impedance control gains leads to instability when in contact with the stiff structure of the target HOTDOCK.The WM uses impedance control for the 'Approach' phase. (D2.4, Table 5-4)5The plan is validated in a multi-physics simulator. Joint torque sensors in the WM would detect the high loads.5MPerform system identification on the WM and HOTDOCK structure to create an accurate model for tuning control gains. Implement force-limiting safety cutoffs in the WM controller.Use an instrumented test fixture with the same stiffness as a real HOTDOCK to test the approach sequence and validate the stability of the impedance controller.MOSAR D2.4, Table 5-4, page 55, no evidence
FC_162HOTDOCK Actuation AssemblyBarrel-Cam MechanismHousing and Cam AssemblyTranslate motor rotation into axial and rotational motion.Convert rotational input into the prescribed motion profile.Maintain clearances between moving and stationary parts over the temperature range.Clearances are lost due to differential thermal expansion | The rotating barrel cam binds against the stationary housing | Actuation torque increases dramatically, motor stalls | Mechanism jams.8Mechanism binds or jamsA large thermal gradient across the assembly (e.g., one side seeing sun, the other deep space) causes differential thermal expansion that eliminates critical internal clearances.DesR_005 requires the design to account for worst-case combinations including transient temperature and differential expansion.5Verification is by Analysis and Testing. Motor current telemetry would detect the high torque.5MPerform a detailed thermal-structural analysis to predict internal clearances under worst-case thermal gradients. Select materials with compatible CTEs or design in features to accommodate expansion.Perform a functional test in a thermal vacuum chamber while applying a thermal gradient across the HOTDOCK body to verify smooth operation.D2.5, DesR_005, page 18-19, No specific thermal gradient test cited
FC_164Spacecraft Module (e.g. SM1-DMS)R-ICU ControllerRMAP Protocol Handler (Firmware)Provide local control of the Spacecraft Module's components.Interface with the OBC-S via SpaceWire, receiving commands and providing telemetry.Process incoming RMAP (Remote Memory Access Protocol) command packets from the OBC-S to read/write local memory.R-ICU firmware misinterprets an RMAP command | A write command is executed at the wrong memory address | Critical configuration data or code is corrupted | R-ICU crashes or behaves erratically | Loss of control over the SM.8Executes incorrect commandA software bug in the RMAP command parser of the R-ICU firmware incorrectly calculates the target memory address for a write command.The RMAP protocol is used for communication between the OBC and SMs (D2.4, Section 3.2.2.6).5The failure would likely manifest during integration testing, but could be subtle and hard to trigger.6MImplement memory protection (using the MPSoC's MPU) to prevent critical memory regions from being overwritten. The bootloader should verify a checksum of the application before running.Develop a comprehensive test suite for the R-ICU that sends a wide variety of valid and invalid RMAP commands and verifies correct memory access and error handling.MOSAR D2.4, page 20, No evidence
FC_168HOTDOCK Data InterfaceLVDS Crosspoint SwitchConfiguration LogicProvide a re-routable data interface.Dynamically route LVDS signal pairs based on commands to support the androgynous design.Accept a command from the controller and configure the internal routing matrix accordingly.Controller sends a valid command but the switch does not configure | Data signals are not routed correctly for the mated orientation | No SpaceWire communication link is established | Loss of data transfer.8Fails to route data signalsA timing violation on the switch's command interface (e.g., SPI bus) due to signal integrity issues causes the command to be ignored or misinterpreted.The controller commands the switch to route signals based on the detected orientation (D2.5, pg 42).4The failure is detected when the end-to-end data link fails to initialize.6MPerform a signal integrity analysis on the command bus to the crosspoint switch. Implement a read-back capability where the controller can verify the switch's configuration registers.During DV testing, perform functional tests of the data routing at temperature extremes to check for any timing-related issues.D2.5, Section 5.2.2, page 42, No specific test identified in documents
FC_173Walking Manipulator (WM)Joint ControllerLocal Controller (EtherCAT node)Provide seven active revolute joints for manipulation.Provide local closed-loop position/current control for a single joint actuator.Receive commands from the WM OBC via EtherCAT and drive the joint motor accordingly.A joint controller hangs or resets | The joint goes limp or becomes unresponsive | The WM OBC loses control of that joint | The entire manipulator may become unstable or uncontrollable | Inability to perform mission tasks.8Loses control of a jointA software bug or transient hardware fault causes the local joint controller's firmware to crash.Each joint has a local controller, interfaced via an EtherCAT bus to the WM OBC. (D2.4, Section 6.5.1)5The WM OBC would detect the loss of communication with the EtherCAT node and declare a system fault.4MImplement a robust watchdog timer in each joint controller. The WM OBC software must have a fault-tolerant control mode that can safely stop the arm if a joint fails.Perform extensive fault injection testing by forcing joint controllers to reset or stop communicating, and verify that the system-level safety logic performs as designed.MOSAR D2.4, page 86, MOSAR D2.4, Figure 6-18, page 87
FC_176MOSAR SystemTM/TC ServicePUS PacketEnable command and control of the demonstrator from the MCC.Use PUS services for TM/TC exchange between the MCC and the OBCs.Encapsulate a command or telemetry data in a standardized packet structure.Incorrect APID is used in a telecommand packet | The command is routed to the wrong OBC (e.g., a command for the WM goes to the CLT) | The command is rejected or, worse, executed by the wrong system | Unpredictable and potentially hazardous behavior.8Executes incorrect commandA human error or software bug in the MCC ground software assigns the wrong Application Process Identifier (APID) to a telecommand packet.The system uses three PUS nodes with unique APIDs: SVC-OBC, CLT-OBC, and MCC. (D2.4, Section 6.3)4The receiving OBC should reject commands that are not applicable to it, but this relies on robust software checks.5MImplement strict validation checks on both the ground and flight side. The OBCs should only accept commands that are on their predefined list of valid commands.During system validation, intentionally send commands with incorrect APIDs and verify that they are safely rejected and an error event is generated.MOSAR D2.4, page 74, No evidence
Issue #: FC_177
Next Higher Level: HOTDOCK Controller
Focus Element: Firmware
Next Lower Level / Characteristic: Field Oriented Control (FOC) Algorithm
Next Higher Level Function: Control the brushless DC motor.
Focus Element Function: Provide field oriented control of the brushless motor. (D2.5, pg 45)
Next Lower Level Function: Perform mathematical calculations (e.g., Park/Clarke transforms) to control the motor.
Failure Effects (FE): A floating point exception occurs (e.g., divide by zero) | The FOC task crashes | The motor is no longer actively controlled and coasts to a stop | The controller enters a fault state.
Severity (S): 8
Failure Mode (FM): Motor control task crashes
Failure Cause (FC): A transient sensor error (e.g., a noisy current reading of zero) leads to a divide-by-zero error in the FOC algorithm calculations.
Current Prevention Control (PC): None identified in documents. This is a common issue in complex control algorithms.
Occurrence (O): 5
Current Detection Control (DC): The crash would be caught by the RTOS and the system would enter the 'Fault' state. A watchdog would eventually reset the controller.
Detection (D): 4
DFMEA AP: M
Preventive Action: Implement defensive programming practices, including input validation and protection against divide-by-zero for all calculations in the FOC algorithm.
Detection Action: Perform static code analysis to find potential floating point exceptions. Use fault injection to feed invalid sensor data into the algorithm and verify it handles the errors gracefully.
Remarks (evidence): D2.5, Section 6.1, page 45; D2.5, Figure 4-2, page 34

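An added example of the defensive programming FC_177 recommends, not the HOTDOCK firmware: the Clarke transform itself contains no division, but normalising the resulting current vector does, and a zero or near-zero magnitude from a noisy reading is exactly where a divide-by-zero would arise. The guards reject non-finite and out-of-range samples first, divide only above a noise floor, and hand a fault code back so the caller stops the motor instead of crashing. The sensor full scale and noise floor are constructed values; sqrt_newton and is_finite_f are stand-ins for the platform's sqrtf/isfinite so the example builds without libm.

```c
#include <stdbool.h>

typedef enum {
    FOC_OK = 0,
    FOC_FAULT_NONFINITE_INPUT,  /* NaN or inf arrived from the ADC path     */
    FOC_FAULT_OUT_OF_RANGE,     /* beyond what the current sensor can read  */
    FOC_FAULT_DEGENERATE        /* magnitude too small to normalise safely  */
} foc_status_t;

typedef struct {
    float i_alpha, i_beta;   /* Clarke-transformed stator current           */
    float magnitude;         /* |i| in amperes                              */
    float cos_phi, sin_phi;  /* unit vector of the current, used downstream */
} foc_currents_t;

/* Constructed limits: sensor full scale and the smallest magnitude we divide by. */
#define I_SENSOR_MAX_A   10.0f
#define I_MIN_DIVISOR_A  0.05f
#define INV_SQRT3        0.57735027f

static float abs_f(float x) { return x < 0.0f ? -x : x; }

/* NaN fails x == x; +/-inf fails x - x == 0. Stand-in for isfinite(). */
static bool is_finite_f(float x) { return (x == x) && (x - x == 0.0f); }

/* Stand-in for sqrtf: Newton iteration started from above, so x is never zero. */
static float sqrt_newton(float v)
{
    if (!(v > 0.0f)) return 0.0f;
    float x = v > 1.0f ? v : 1.0f;
    for (int i = 0; i < 32; i++) x = 0.5f * (x + v / x);
    return x;
}

static bool plausible_current(float i) { return is_finite_f(i) && abs_f(i) <= I_SENSOR_MAX_A; }

/* Divides only when the denominator is above the noise floor; otherwise writes 0
 * and reports failure instead of producing inf or NaN. */
static bool safe_div(float num, float den, float *out)
{
    if (!is_finite_f(num) || !is_finite_f(den) || abs_f(den) < I_MIN_DIVISOR_A) {
        *out = 0.0f;
        return false;
    }
    *out = num / den;
    return is_finite_f(*out);
}

foc_status_t foc_current_vector(float ia, float ib, float ic, foc_currents_t *out)
{
    out->i_alpha = out->i_beta = out->magnitude = 0.0f;
    out->cos_phi = out->sin_phi = 0.0f;

    if (!is_finite_f(ia) || !is_finite_f(ib) || !is_finite_f(ic)) return FOC_FAULT_NONFINITE_INPUT;
    if (!plausible_current(ia) || !plausible_current(ib) || !plausible_current(ic))
        return FOC_FAULT_OUT_OF_RANGE;

    /* Amplitude-invariant Clarke transform: no division here. */
    out->i_alpha = (2.0f / 3.0f) * (ia - 0.5f * ib - 0.5f * ic);
    out->i_beta  = INV_SQRT3 * (ib - ic);
    out->magnitude = sqrt_newton(out->i_alpha * out->i_alpha + out->i_beta * out->i_beta);

    /* Normalisation is where a zero reading would divide by zero. */
    if (!safe_div(out->i_alpha, out->magnitude, &out->cos_phi) ||
        !safe_div(out->i_beta,  out->magnitude, &out->sin_phi)) {
        out->cos_phi = out->sin_phi = 0.0f;
        return FOC_FAULT_DEGENERATE;
    }
    return FOC_OK;
}

/* Control-loop entry: true only while the motor may keep being driven; any
 * other status is the cue to enter the Fault state and stop the motor. */
bool foc_step_allowed(float ia, float ib, float ic, foc_currents_t *out, int *fault_code)
{
    foc_status_t s = foc_current_vector(ia, ib, ic, out);
    *fault_code = (int)s;
    return s == FOC_OK;
}
```

Whether a float division by zero traps or silently yields inf/NaN depends on the target and its FPU configuration; the guard is useful either way, because it keeps both the crash and the garbage value out of the control loop. The fault-injection test the row asks for is the four inputs in the test below (balanced, all-zero, NaN, over-range), run against the same entry point the loop uses.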
Issue #: FC_184
Next Higher Level: Spacecraft Module (e.g., SM3-BAT)
Focus Element: Central Power Distribution Unit (cPDU)
Next Lower Level / Characteristic: Relay Driver Circuit
Next Higher Level Function: Provide power routing within the module.
Focus Element Function: Route main 28V power between HOTDOCK interfaces.
Next Lower Level Function: Provide the current pulse needed to switch the state of a latching relay.
Failure Effects (FE): The driver circuit fails open | No current pulse can be delivered to the relay coil | The relay cannot change state | Power cannot be re-routed.
Severity (S): 8
Failure Mode (FM): Fails to switch power route
Failure Cause (FC): Failure of the transistor used to drive the relay coil.
Current Prevention Control (PC): The cPDU contains relays controlled by a cPDU controller via CAN bus. (D2.4, Figure 4-1)
Occurrence (O): 4
Current Detection Control (DC): The failure would be detected when a power routing command is sent but telemetry shows the power channel status has not changed.
Detection (D): 4
DFMEA AP: M
Preventive Action: Use high-reliability, radiation-tolerant driver transistors with sufficient derating. Implement redundant driver circuits for critical relays.
Detection Action: Perform stress screening (burn-in) of the cPDU electronics to precipitate early failures.
Remarks (evidence): MOSAR D2.4, page 26; MOSAR D2.4, Table 4-1, page 27

Issue #: FC_190
Next Higher Level: HOTDOCK Controller
Focus Element: Watchdog Timer
Next Lower Level / Characteristic: Timer Hardware
Next Higher Level Function: Ensure reliable operation of the controller.
Focus Element Function: Recover the system if the firmware hangs.
Next Lower Level Function: Trigger a hardware reset of the microcontroller if it is not periodically 'patted' by the software.
Failure Effects (FE): The watchdog timer itself fails (e.g., stops counting) | The watchdog never triggers a reset | A subsequent firmware hang will not be recovered from | The controller is permanently unresponsive until a power cycle.
Severity (S): 8
Failure Mode (FM): Fails to recover from firmware hang
Failure Cause (FC): A hardware fault in the watchdog timer peripheral of the microcontroller prevents it from operating.
Current Prevention Control (PC): None identified in documents. A watchdog timer is a standard feature for high-reliability systems.
Occurrence (O): 3
Current Detection Control (DC): This failure is undetectable until the system hangs for other reasons and fails to recover.
Detection (D): 10
DFMEA AP: M
Preventive Action: Use an external watchdog timer IC in addition to the microcontroller's internal watchdog. The external watchdog would monitor a toggling GPIO pin from the MCU.
Detection Action: Develop a specific test mode where the firmware intentionally stops patting the watchdog, and verify that a reset occurs within the specified timeout.
Remarks (evidence): No evidence; No evidence

Issue #: FC_193
Next Higher Level: Spacecraft Module R-ICU
Focus Element: SpaceWire Interface
Next Lower Level / Characteristic: LVDS Transceiver IC
Next Higher Level Function: Provide data communication for the module.
Focus Element Function: Manage SpW routing and data communication.
Next Lower Level Function: Transmit and receive low-voltage differential signals for the SpaceWire link.
Failure Effects (FE): The LVDS driver fails | No signals are transmitted on the SpW link | The R-ICU is isolated from the network | OBC-S loses communication with the module.
Severity (S): 8
Failure Mode (FM): Fails to communicate on SpaceWire
Failure Cause (FC): Electrical overstress damage to the LVDS transceiver from an ESD event during ground handling.
Current Prevention Control (PC): The R-ICU is the core of the data system in each SM. (D2.4, pg 19)
Occurrence (O): 4
Current Detection Control (DC): The communication failure would be detected immediately by the OBC-S.
Detection (D): 5
DFMEA AP: M
Preventive Action: Implement a strict ESD control program for all assembly and handling. Select LVDS transceivers with high ESD tolerance.
Detection Action: Perform a full functional test of all R-ICU interfaces as part of acceptance testing.
Remarks (evidence): MOSAR D2.4, Section 3.2.2.2, page 19; No specific ESD control plan cited

Issue #: FC_196
Next Higher Level: Servicer Spacecraft (SVC)
Focus Element: On-Board Computer (OBC-S)
Next Lower Level / Characteristic: Client Management Software
Next Higher Level Function: Manage all operations of the servicer.
Focus Element Function: Manage the states of the CLT during reconfiguration, including transitioning it to safe mode.
Next Lower Level Function: Send a command to the OBC-C to hand over control of its peripherals.
Failure Effects (FE): A bug prevents the handover of control | The OBC-S and OBC-C both attempt to control the same hardware | Bus contention or conflicting commands cause unpredictable behavior | Potential for hardware damage.
Severity (S): 8
Failure Mode (FM): Fails to establish exclusive control
Failure Cause (FC): A software bug in the Client Management state machine on the OBC-S causes it to start robotic operations before receiving confirmation that the OBC-C has entered safe mode.
Current Prevention Control (PC): The Client Management component on the OBC-S manages the state of the CLT and arbitrates control hand-over. (D2.4, Section 3.2.2.1)
Occurrence (O): 5
Current Detection Control (DC): This would be a critical failure scenario to test during software integration.
Detection (D): 5
DFMEA AP: M
Preventive Action: Implement a robust handshaking protocol between the OBC-S and OBC-C to ensure control authority is unambiguously transferred.
Detection Action: Perform integration testing that specifically validates the control handover sequence under nominal and fault conditions (e.g., if the OBC-C fails to respond).
Remarks (evidence): MOSAR D2.4, page 19; No evidence

Issue #: FC_006
Next Higher Level: HOTDOCK Power & Data Interface
Focus Element: POGO Pin Connector
Next Lower Level / Characteristic: Pin Contact Surface (Gold Plating)
Next Higher Level Function: Provide a separable interface for power and data transfer between two HOTDOCKs, compliant up to 100Mbps.
Focus Element Function: Establish and maintain a compliant electrical connection by pressing a pin against a pad, transferring up to 3A per pin.
Next Lower Level Function: Provide a low-resistance, corrosion-resistant contact surface to ensure signal integrity and low voltage drop.
Failure Effects (FE): Contact plating wears away | Base metal is exposed, leading to oxidation and high resistance | Increased voltage drop, overheating on power pins, or signal reflection/attenuation on data pins | Data corruption or power loss to module.
Severity (S): 7
Failure Mode (FM): Contact resistance too high
Failure Cause (FC): Fretting corrosion at the contact interface due to micro-motion induced by launch vibration, leading to wear of the gold plating.
Current Prevention Control (PC): The operational requirement OpR_002 states the interface shall be reusable for 100-1000 cycles, implying a durable design. FuncR_007 requires compliance with launch loads.
Occurrence (O): 5
Current Detection Control (DC): Verification for launch load compliance is 'Testing' (FuncR_007). Functional tests post-vibration would detect gross failures.
Detection (D): 6
DFMEA AP: M
Preventive Action: Specify a thicker, hardened gold plating on POGO pins and pads per relevant space-grade connector standards to increase wear resistance.
Detection Action: Perform a vibration test that simulates the launch profile with the interfaces mated, followed by a micro-ohm resistance measurement across all contacts to detect degradation.
Remarks (evidence): D2.5, OpR_002, page 25; D2.5, FuncR_007, page 11

Issue #: FC_012
Next Higher Level: HOTDOCK Sensors
Focus Element: Absolute Position Sensor
Next Lower Level / Characteristic: Sensor Shaft
Next Higher Level Function: Provide telemetry and sensor data for monitoring and control of the HOTDOCK state.
Focus Element Function: Detect the motion and absolute position of the locking ring for feedback to the controller.
Next Lower Level Function: Mechanically couple the gearing system to the sensor element to translate locking ring motion into sensor rotation.
Failure Effects (FE): Sensor shaft slips or shears | Sensor no longer tracks the true position of the locking ring | Controller receives incorrect position, may drive motor past limits or fail to confirm latch | Inability to confirm locked state, or damage to mechanism by over-driving.
Severity (S): 7
Failure Mode (FM): Provides incorrect position reading
Failure Cause (FC): Shear failure of the sensor shaft due to over-torque condition if the main locking mechanism jams and the motor continues to drive.
Current Prevention Control (PC): The motorization assembly torque is designed for worst-case conditions (DesR_013). The controller monitors motor current which can be used to infer torque.
Occurrence (O): 5
Current Detection Control (DC): The controller uses the sensor to detect motion and position of the locking ring (D2.5, pg 37). A mismatch between commanded motor current and expected motion could be detected.
Detection (D): 4
DFMEA AP: M
Preventive Action: Design the sensor shaft with a shear-pin or other mechanical fuse feature that fails predictably without damaging the more expensive sensor or gearbox if the system jams.
Detection Action: Perform a locked-rotor test where the mechanism is intentionally jammed, and verify that the motor current limit trips before any damage occurs to the sensor shaft or geartrain.
Remarks (evidence): D2.5, DesR_013, page 21; D2.5, Section 5.1.2, page 37

Issue #: FC_022
Next Higher Level: HOTDOCK Actuation Assembly
Focus Element: Gearing System
Next Lower Level / Characteristic: Gearbox Housing
Next Higher Level Function: Transmit and amplify torque from motor to barrel-cam.
Focus Element Function: Maintain precise alignment of all gears in the geartrain under load.
Next Lower Level Function: Provide rigid structural support and mounting points for gear shafts and bearings.
Failure Effects (FE): Housing deforms due to thermal expansion mismatch | Gear alignment is lost, causing binding | Increased friction, motor stall | Locking mechanism fails.
Severity (S): 7
Failure Mode (FM): Mechanism binds
Failure Cause (FC): Differential thermal expansion between an aluminum housing and steel gear shafts over the -55C to +85C temperature range causes bearing misalignment and binding.
Current Prevention Control (PC): DesR_005 requires a robust design, taking into account worst-case combinations including temperature gradients and differential expansion.
Occurrence (O): 4
Current Detection Control (DC): Verification of DesR_005 is by Analysis / Testing.
Detection (D): 5
DFMEA AP: M
Preventive Action: Select materials with compatible Coefficients of Thermal Expansion (CTE) for the gearbox housing and internal components, or design for compliance (e.g., using specific bearing mounts).
Detection Action: Perform functional testing of the actuation assembly at the operational temperature extremes to verify smooth operation without binding.
Remarks (evidence): D2.5, DesR_005, page 18-19; No specific test identified

Issue #: FC_025
Next Higher Level: HOTDOCK Power Interface
Focus Element: Bidirectional Power Switch
Next Lower Level / Characteristic: Control Logic
Next Higher Level Function: Control current flow at the interface.
Focus Element Function: Incorporate a bidirectional power switch to enable or disable power transfer.
Next Lower Level Function: Interpret a command from the R-ICU to turn the switch on or off.
Failure Effects (FE): Switch fails to respond to command | Power cannot be enabled or disabled | Inability to power up a module, or inability to isolate a faulty module | Mission constraint violation or safety hazard.
Severity (S): 7
Failure Mode (FM): Fails to switch on/off
Failure Cause (FC): A logic fault in the cPDU controller prevents the command from being processed and sent to the switch hardware.
Current Prevention Control (PC): FuncR_017 requires this switch. It is a key feature of the power management system.
Occurrence (O): 5
Current Detection Control (DC): Verification is by Testing (FuncR_017).
Detection (D): 4
DFMEA AP: M
Preventive Action: Implement a clear status feedback mechanism in the control logic, so the OBC can verify that the switch has entered the commanded state.
Detection Action: Create a specific test case in the validation plan to cycle the bidirectional switch and verify its state change through telemetry under various load conditions.
Remarks (evidence): D2.5, FuncR_017, page 14; D2.5, FuncR_017 Verification, page 14

Issue #: FC_027
Next Higher Level: HOTDOCK Sensors
Focus Element: Proximity Sensor (Hall effect)
Next Lower Level / Characteristic: Sensor Mounting
Next Higher Level Function: Provide telemetry and sensor data for monitoring and control.
Focus Element Function: Detect good alignment before starting the mating process (OpR_008).
Next Lower Level Function: Maintain a fixed, known position relative to the housing to ensure accurate proximity readings.
Failure Effects (FE): Sensor becomes mechanically loose | Sensor provides inaccurate or no proximity reading | Controller allows mating to be attempted with excessive misalignment | Mechanical damage to the form-fit geometry or POGO pins.
Severity (S): 7
Failure Mode (FM): Provides incorrect proximity signal
Failure Cause (FC): Creep or cracking of the adhesive bond holding the sensor in place, caused by differential thermal expansion over many cycles.
Current Prevention Control (PC): The design includes proximity sensors (Figure 3-1). Assembly processes are assumed to be robust.
Occurrence (O): 5
Current Detection Control (DC): End-to-end alignment detection is tested per OpR_008.
Detection (D): 5
DFMEA AP: M
Preventive Action: In addition to adhesive, design a mechanical staking or clamping feature to secure the proximity sensors against movement.
Detection Action: Perform a thermal cycling test on the assembly and then perform a functional check of the proximity sensor calibration to detect any shift.
Remarks (evidence): D2.5, OpR_008, page 26; No specific assembly document cited

Issue #: FC_029
Next Higher Level: HOTDOCK Data Interface
Focus Element: Connector Plate PCB
Next Lower Level / Characteristic: SpaceWire (LVDS) Traces
Next Higher Level Function: Provide a re-routable data interface for SpaceWire.
Focus Element Function: Maintain the precise physical arrangement and electrical characteristics for SpaceWire signals.
Next Lower Level Function: Provide a controlled impedance transmission line (100 Ohms) for high-speed differential signals.
Failure Effects (FE): Trace impedance is out of tolerance | Signal reflections and degradation occur | High bit error rate on the SpaceWire link | Data corruption, loss of communication.
Severity (S): 7
Failure Mode (FM): Signal integrity is degraded
Failure Cause (FC): Variation in PCB manufacturing processes (e.g., trace width, dielectric thickness) causes the differential impedance to deviate from the required 100 Ohms.
Current Prevention Control (PC): The data characteristics table specifies 100 Ohm characteristic impedance (Table 5-1).
Occurrence (O): 4
Current Detection Control (DC): A prototype design allows SpaceWire transfer of 100Mbps (D2.5, pg 41). This implies testing was done.
Detection (D): 4
DFMEA AP: M
Preventive Action: Specify impedance control requirements on the PCB fabrication drawing and require the manufacturer to provide Time Domain Reflectometry (TDR) test coupons with each lot.
Detection Action: Perform a signal integrity analysis using simulation tools (e.g., HyperLynx) early in the design phase to optimize the trace layout. Validate with a network analyzer during DV testing.
Remarks (evidence): D2.5, Table 5-1, page 42; D2.5, Section 5.2.1, page 41

Issue #: FC_032
Next Higher Level: HOTDOCK Controller
Focus Element: Firmware
Next Lower Level / Characteristic: Sensor Processing Algorithm
Next Higher Level Function: Control all HOTDOCK functionalities.
Focus Element Function: Process associated sensors to determine system state (FuncR_027).
Next Lower Level Function: Convert raw analog sensor signals to digital values and store them (FuncR_028).
Failure Effects (FE): Incorrect scaling factor or offset applied in firmware | Controller calculates an incorrect motor position or temperature | Faulty logic decisions, e.g., stopping motion too early or too late | Damage to mechanism, failed operation.
Severity (S): 7
Failure Mode (FM): Reports incorrect telemetry
Failure Cause (FC): A software coding error applies the wrong calibration coefficient when converting the ADC reading from the absolute position sensor to an angle.
Current Prevention Control (PC): Firmware development is based on the system architecture. Peer reviews are assumed.
Occurrence (O): 5
Current Detection Control (DC): Verification by Testing (FuncR_027, FuncR_028). End-to-end calibration check would be required.
Detection (D): 4
DFMEA AP: M
Preventive Action: Store all calibration coefficients as configurable parameters rather than hard-coding them, and implement a checksum to ensure their integrity.
Detection Action: Develop a formal calibration procedure and test script that commands the mechanism to known positions and verifies that the reported telemetry matches within tolerance.
Remarks (evidence): D2.5, FuncR_027 & FuncR_028, page 16; No specific software development plan cited

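FC_032 asks for calibration coefficients held as parameters and protected by a checksum. The added example below is not the HOTDOCK firmware: it keeps the coefficients in a fixed-layout record sealed with CRC-16/CCITT-FALSE, verifies the record before use, and falls back to labelled defaults on any mismatch, so the ADC-to-angle conversion never runs on corrupted or mis-identified coefficients. The record layout, magic value, default coefficients and field names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Fixed-layout calibration record as it would sit in non-volatile memory.
 * Coefficients live here as parameters instead of being hard-coded. */
typedef struct {
    uint32_t magic;          /* identifies the record type/version (constructed) */
    float    angle_gain;     /* degrees per ADC count                            */
    float    angle_offset;   /* degrees at ADC count 0                           */
    float    temp_gain;      /* degC per ADC count                               */
    float    temp_offset;    /* degC at ADC count 0                              */
    uint16_t crc;            /* CRC-16/CCITT-FALSE over all fields above         */
} calib_block_t;

#define CALIB_MAGIC 0x43414C31u   /* "CAL1", constructed */

/* Constructed safe defaults, used when the stored record fails its check. */
static const calib_block_t calib_defaults = {
    CALIB_MAGIC, 360.0f / 4096.0f, 0.0f, 0.1f, -50.0f, 0
};

/* CRC-16/CCITT-FALSE: polynomial 0x1021, init 0xFFFF, no reflection, no final XOR.
 * Check value for the ASCII string "123456789" is 0x29B1. */
uint16_t crc16_ccitt_false(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* The CRC covers every byte before the crc field itself. */
static uint16_t calib_crc(const calib_block_t *blk)
{
    return crc16_ccitt_false((const uint8_t *)blk, offsetof(calib_block_t, crc));
}

/* Called by the calibration procedure after the coefficients have been set. */
void calib_seal(calib_block_t *blk)
{
    blk->magic = CALIB_MAGIC;
    blk->crc = calib_crc(blk);
}

/* Validates a stored record into the active set. Returns false after falling
 * back to defaults, so the caller can raise a telemetry event instead of
 * silently running on bad coefficients. */
bool calib_load(const calib_block_t *stored, calib_block_t *active)
{
    if (stored->magic != CALIB_MAGIC || stored->crc != calib_crc(stored)) {
        *active = calib_defaults;
        return false;
    }
    *active = *stored;
    return true;
}

/* The conversion FC_032 is about: always driven by the validated active set. */
float adc_to_angle_deg(const calib_block_t *cal, uint16_t adc_counts)
{
    return cal->angle_gain * (float)adc_counts + cal->angle_offset;
}

float adc_to_temp_degc(const calib_block_t *cal, uint16_t adc_counts)
{
    return cal->temp_gain * (float)adc_counts + cal->temp_offset;
}
```

A CRC catches corruption and accidental edits, not a deliberate change by someone who can also recompute the CRC; if the parameter store is writable over the command link, the write path needs the same command validation as any other telecommand.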
Issue #: FC_036
Next Higher Level: HOTDOCK Actuation Assembly
Focus Element: Barrel-Cam Mechanism
Next Lower Level / Characteristic: Cam Groove Surface
Next Higher Level Function: Translate motor rotation into axial and rotational motion.
Focus Element Function: Convert rotational input into the prescribed motion profile.
Next Lower Level Function: Provide a hardened, low-friction surface to guide the cam follower.
Failure Effects (FE): Cam groove surface is damaged by particulate contamination | High friction, jerky motion | Motor current increases, mechanism may jam.
Severity (S): 7
Failure Mode (FM): Actuation is jerky or jams
Failure Cause (FC): Abrasive wear of the cam groove surface caused by trapped hard particulate (e.g., metallic debris from assembly).
Current Prevention Control (PC): DesR_012 requires lubrication. Clean assembly practices are assumed.
Occurrence (O): 4
Current Detection Control (DC): Functional testing would detect gross jamming. Motor current telemetry (FuncR_029) could show anomalies.
Detection (D): 5
DFMEA AP: M
Preventive Action: Specify a hard, lubricious coating for the cam groove (e.g., hard anodize) and implement stringent FOD controls during assembly of the mechanism.
Detection Action: During assembly, perform a 'break-in' run of the mechanism, then flush with clean solvent and inspect for any generated particulates before final lubrication.
Remarks (evidence): D2.5, DesR_012, page 20; No specific procedure document cited

Issue #: FC_045
Next Higher Level: HOTDOCK Mechanical Locking Mechanism
Focus Element: Locking Ring
Next Lower Level / Characteristic: Interface to Barrel-Cam Follower
Next Higher Level Function: Implement a locking mechanism that acts on the form-fit geometry.
Focus Element Function: Rotate to drive the steel balls into their locked position.
Next Lower Level Function: Transfer force from the barrel-cam mechanism to the ring body to induce rotation.
Failure Effects (FE): High localized stress at the follower interface causes yielding | The mechanical connection becomes loose or sloppy | Ring may not rotate correctly or may jam | Failure to lock/unlock.
Severity (S): 7
Failure Mode (FM): Fails to rotate smoothly
Failure Cause (FC): Localized plastic deformation (yielding) at the cam follower contact point due to an over-torque event during a jammed condition.
Current Prevention Control (PC): DesR_015 requires contact stress to be below 93% of yield. The controller monitors motor current to limit torque.
Occurrence (O): 4
Current Detection Control (DC): Analysis is the primary verification method for DesR_015.
Detection (D): 5
DFMEA AP: M
Preventive Action: Incorporate a hardened steel insert into the aluminum locking ring at the point of contact with the cam follower to increase local strength and wear resistance.
Detection Action: After a locked-rotor test, perform a detailed inspection of the cam and follower contact surfaces for any signs of permanent deformation.
Remarks (evidence): D2.5, DesR_015, page 21; No specific test identified

Issue #: FC_048
Next Higher Level: HOTDOCK Electrical Interface
Focus Element: EMI Compatibility
Next Lower Level / Characteristic: Grounding/Shielding
Next Higher Level Function: Provide a reliable electrical interface.
Focus Element Function: Not cause electro-magnetic interference (EMI) in coupled modules (FuncR_016).
Next Lower Level Function: Provide a low-impedance path for noise currents to ground and shield sensitive signals.
Failure Effects (FE): Poor grounding design creates a ground loop | Noise from the motor driver couples onto the data lines | Data corruption on the SpaceWire or CAN bus | Loss of communication, erroneous commands.
Severity (S): 7
Failure Mode (FM): Causes electromagnetic interference
Failure Cause (FC): High-frequency noise from the PWM motor driver couples onto the SpaceWire data lines due to inadequate shielding or a shared ground return path.
Current Prevention Control (PC): FuncR_016 requires EMC. The design separates power and signal grounds conceptually.
Occurrence (O): 5
Current Detection Control (DC): Verification is by Testing.
Detection (D): 5
DFMEA AP: M
Preventive Action: Implement a robust grounding scheme with separate ground returns for motor power and digital logic. Use shielded twisted-pair cabling for all high-speed data lines.
Detection Action: Perform a formal EMC test, including radiated and conducted emissions testing while the motor is running, to verify compliance with space application standards.
Remarks (evidence): D2.5, FuncR_016, page 14; No specific EMC test plan cited

Issue #: FC_051
Next Higher Level: HOTDOCK Actuation Assembly
Focus Element: Brushless DC Motor (MAXON EC 32 flat)
Next Lower Level / Characteristic: Permanent Magnets (Rotor)
Next Higher Level Function: Rotate locking ring.
Focus Element Function: Generate rotational torque by converting electrical energy into a magnetic field.
Next Lower Level Function: Provide a constant magnetic field that interacts with the stator's electromagnetic field to produce torque.
Failure Effects (FE): Rotor magnet is cracked | Magnetic field is weakened | Motor torque constant (Kt) is reduced | Motor cannot produce required torque, even with increased current.
Severity (S): 7
Failure Mode (FM): Fails to generate sufficient torque
Failure Cause (FC): Brittle fracture of a rotor magnet due to mechanical shock during a mishandling (drop) event.
Current Prevention Control (PC): DesR_005 requires a robust design. Handling procedures should be in place.
Occurrence (O): 2
Current Detection Control (DC): A motor performance test (measuring Kt) would detect the degradation. A simple functional test might not if the margin is large.
Detection (D): 6
DFMEA AP: M
Preventive Action: Encapsulate the motor assembly in protective fixtures during all transport and integration steps to mitigate drop/shock risks.
Detection Action: Perform a back-EMF test on every motor as part of incoming inspection to verify the torque constant is within specification.
Remarks (evidence): D2.5, DesR_005, page 18; No specific handling procedures document

Issue #: FC_054
Next Higher Level: HOTDOCK Controller
Focus Element: Firmware
Next Lower Level / Characteristic: Error Handling Routine
Next Higher Level Function: Control all HOTDOCK functionalities.
Focus Element Function: Execute firmware including a fault state for anomaly detection.
Next Lower Level Function: Upon detecting an error, transition to the Fault state, stop motor operation, and report the error code.
Failure Effects (FE): Error handling routine itself has a bug (e.g., null pointer dereference) | Attempting to handle a minor error causes a critical system crash | The controller hangs and must be reset | Loss of control and telemetry during a fault condition.
Severity (S): 7
Failure Mode (FM): Firmware hangs when handling a fault
Failure Cause (FC): A software bug in a fault logging function is triggered only when a specific, rare error occurs, causing a buffer overflow and crashing the system.
Current Prevention Control (PC): The fault state is part of the defined state machine (Figure 4-2). Robust coding practices are assumed.
Occurrence (O): 4
Current Detection Control (DC): Testing is the primary verification method. This requires specific fault injection to test.
Detection (D): 6
DFMEA AP: M
Preventive Action: All error handling paths in the firmware must be explicitly designed and peer-reviewed. Avoid complex operations like dynamic memory allocation within fault handlers.
Detection Action: Implement a comprehensive fault injection test plan, using a debugger or other means to trigger every possible error condition and verify that the system responds correctly without crashing.
Remarks (evidence): D2.5, Figure 4-2, page 34; No specific software test plan cited

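The fault-handler properties FC_054 asks for (explicitly designed error paths, no dynamic memory allocation), as an added example that is not the HOTDOCK firmware: a statically allocated ring-buffer fault log whose every write is bounded by the fixed entry size, with oversized detail truncated and counted rather than overflowing the entry (the buffer overflow named in the row's failure cause), and an entry into the Fault state that disables the motor before it does anything else. The log sizes, state names and fault codes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FAULT_LOG_ENTRIES 8u    /* constructed sizes */
#define FAULT_DETAIL_LEN  16u

typedef struct {
    uint32_t seq;
    uint16_t code;
    uint8_t  detail_len;
    uint8_t  detail[FAULT_DETAIL_LEN];
} fault_entry_t;

typedef struct {
    fault_entry_t entries[FAULT_LOG_ENTRIES];  /* statically sized: no malloc anywhere */
    uint32_t next_seq;
    uint8_t  head;       /* index of the oldest entry                       */
    uint8_t  count;
    uint32_t dropped;    /* detail bytes truncated so far, reported in TM   */
} fault_log_t;

typedef enum { ST_IDLE = 0, ST_MOVING, ST_FAULT } hd_state_t;   /* constructed names */

typedef struct {
    hd_state_t  state;
    bool        motor_enabled;
    fault_log_t log;
} controller_t;

void controller_init(controller_t *c) { memset(c, 0, sizeof *c); c->state = ST_IDLE; }

/* Records a fault. Any detail length is accepted, but at most FAULT_DETAIL_LEN
 * bytes are copied; the excess is counted instead of overrunning the entry. */
void fault_log_record(fault_log_t *log, uint16_t code, const uint8_t *detail, size_t detail_len)
{
    uint8_t idx;
    if (log->count == FAULT_LOG_ENTRIES) {          /* full: overwrite the oldest */
        idx = log->head;
        log->head = (uint8_t)((log->head + 1u) % FAULT_LOG_ENTRIES);
    } else {
        idx = (uint8_t)((log->head + log->count) % FAULT_LOG_ENTRIES);
        log->count++;
    }
    fault_entry_t *e = &log->entries[idx];
    e->seq  = log->next_seq++;
    e->code = code;

    size_t n = (detail == NULL) ? 0 : detail_len;
    if (n > FAULT_DETAIL_LEN) {
        log->dropped += (uint32_t)(n - FAULT_DETAIL_LEN);
        n = FAULT_DETAIL_LEN;
    }
    e->detail_len = (uint8_t)n;
    memset(e->detail, 0, FAULT_DETAIL_LEN);
    if (n) memcpy(e->detail, detail, n);           /* bounded by the check above */
}

const fault_entry_t *fault_log_oldest(const fault_log_t *log)
{
    return log->count ? &log->entries[log->head] : NULL;
}

const fault_entry_t *fault_log_newest(const fault_log_t *log)
{
    if (!log->count) return NULL;
    return &log->entries[(log->head + log->count - 1u) % FAULT_LOG_ENTRIES];
}

/* Fault entry in a fixed order: make the actuator safe, change state, then log.
 * Each step is bounded and allocation-free, so the handler cannot fail in the
 * way the error it is handling did. */
void enter_fault_state(controller_t *c, uint16_t code, const uint8_t *detail, size_t detail_len)
{
    c->motor_enabled = false;
    c->state = ST_FAULT;
    fault_log_record(&c->log, code, detail, detail_len);
}
```

The ordering is deliberate: if the logging step were ever to misbehave, the motor is already disabled and the state already says Fault, which is the behaviour the row's Next Lower Level Function requires. The `dropped` counter gives the fault injection test a visible signal that a truncation happened, rather than a silent one.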
Issue #: FC_057
Next Higher Level: HOTDOCK Actuation Assembly
Focus Element: Mechanical Transmission
Next Lower Level / Characteristic: Hard Stop
Next Higher Level Function: Transmit torque from motor to barrel-cam.
Focus Element Function: Limit the range of motion of the actuation mechanism.
Next Lower Level Function: Provide a physical barrier to prevent over-rotation of the locking ring.
Failure Effects (FE): Hard stop fails or is incorrectly positioned | Locking ring can be driven past its intended range | Damage to the barrel-cam, sensor shaft, or other internal components.
Severity (S): 7
Failure Mode (FM): Fails to limit motion
Failure Cause (FC): A design error in the placement of the hard stop allows the absolute position sensor to rotate past its own internal stops, causing damage to the sensor.
Current Prevention Control (PC): The design includes a state machine with position feedback (Figure 4-2) which should stop the motor before hitting the hard stop.
Occurrence (O): 4
Current Detection Control (DC): Functional testing would verify the range of motion.
Detection (D): 4
DFMEA AP: M
Preventive Action: Perform a detailed design review of the mechanical assembly in CAD to ensure the hard stops are correctly placed to protect all components, especially sensors, from over-travel.
Detection Action: During first article testing, manually rotate the mechanism through its full range of motion to physically verify the hard stops function correctly before applying motor power.
Remarks (evidence): D2.5, Figure 4-2, page 34; No specific mechanical drawing cited

Issue #: FC_058
Next Higher Level: HOTDOCK Controller
Focus Element: Microcontroller
Next Lower Level / Characteristic: Analog-to-Digital Converter (ADC)
Next Higher Level Function: Control all HOTDOCK functionalities.
Focus Element Function: Convert required analog sensor signals to digital values (FuncR_028).
Next Lower Level Function: Measure analog voltages from sensors (thermistors, current sensors) and convert them to a digital number.
Failure Effects (FE): ADC reference voltage drifts | All analog measurements become inaccurate by a proportional amount | Incorrect temperature, voltage, and current readings | Faulty protection trips or failure to detect real faults.
Severity (S): 7
Failure Mode (FM): Reports incorrect telemetry
Failure Cause (FC): Drift in the ADC's voltage reference due to temperature changes or radiation aging.
Current Prevention Control (PC): Use of space-qualified components with stable characteristics is assumed. The controller must support the operating temperature range.
Occurrence (O): 4
Current Detection Control (DC): FuncR_028 is verified by Testing. Calibration would be required.
Detection (D): 5
DFMEA AP: M
Preventive Action: Use an external, high-precision, radiation-tolerant voltage reference for the ADC instead of relying on the microcontroller's internal reference.
Detection Action: During thermal testing, monitor a stable, known voltage source with one of the ADC channels to characterize the thermal drift of the entire measurement system.
Remarks (evidence): D2.5, FuncR_028, page 16; No specific component selection criteria cited

Issue #: FC_060
Next Higher Level: HOTDOCK Mechanical Structure
Focus Element: Form-Fit Guidance Geometry
Next Lower Level / Characteristic: Interface with Locking Balls
Next Higher Level Function: Provide mechanical alignment and load transfer.
Focus Element Function: Provide a surface for the steel locking balls to act upon.
Next Lower Level Function: Withstand high contact stress from the steel balls to create a preloaded connection.
Failure Effects (FE): Surface under the locking ball yields (brinelling) | A permanent indentation is formed | The preload of the connection is reduced or lost; the connection may become loose under vibration | Reduced load transfer capability.
Severity (S): 7
Failure Mode (FM): Fails to maintain preload
Failure Cause (FC): Exceeding the material's compressive yield strength under the point load of a steel ball, causing plastic deformation.
Current Prevention Control (PC): DesR_015 requires peak Hertzian contact stress to be below 93% of yield.
Occurrence (O): 4
Current Detection Control (DC): Verification is by Analysis. This requires accurate modeling of the contact mechanics.
Detection (D): 5
DFMEA AP: M
Preventive Action: Incorporate hardened steel inserts into the aluminum form-fit geometry at the ball contact points to distribute the load and prevent yielding of the softer aluminum.
Detection Action: After a proof load test, disassemble the interface and inspect the ball contact surfaces for any signs of brinelling or permanent deformation.
Remarks (evidence): D2.5, DesR_015, page 21; No specific test identified

Issue #: FC_072
Next Higher Level: HOTDOCK Controller
Focus Element: Sensor Interface
Next Lower Level / Characteristic: Analog Buffer
Next Higher Level Function: Read and process signals from sensors.
Focus Element Function: Remove the sensor impedance effect on readings (D2.5, pg 46).
Next Lower Level Function: Provide a high-impedance input to the sensor and a low-impedance output to the ADC.
Failure Effects (FE): Buffer amplifier fails | Sensor signal does not reach the ADC, or is loaded down and inaccurate | Loss of a telemetry channel or feedback signal.
Severity (S): 7
Failure Mode (FM): Fails to process sensor signals
Failure Cause (FC): Latch-up (SEL) of the operational amplifier IC used as the buffer due to a heavy ion strike.
Current Prevention Control (PC): The design includes buffers. The design must withstand the space environment (EnvR_001).
Occurrence (O): 5
Current Detection Control (DC): The telemetry reading would flat-line or go to a rail, which would be detected.
Detection (D): 4
DFMEA AP: M
Preventive Action: Select radiation-tolerant op-amps. Implement latch-up protection (current limiting and power cycling) for the analog sensor front-end circuitry.
Detection Action: Perform heavy ion testing on the selected op-amp to characterize its SEL cross-section and verify the effectiveness of the latch-up protection circuit.
Remarks (evidence): D2.5, Section 6.2, page 46; No specific latch-up protection mentioned

Issue #: FC_076
Next Higher Level: HOTDOCK Electrical Interface
Focus Element: Thermal Protection
Next Lower Level / Characteristic: Temperature Sensor (MCU)
Next Higher Level Function: Provide electrical protection.
Focus Element Function: Incorporate thermal protection (FuncR_015).
Next Lower Level Function: Measure the temperature of the controller PCB.
Failure Effects (FE): Temperature sensor is inaccurate or fails | The controller cannot detect an over-temperature condition | A fault causing overheating will not be caught, leading to component damage or board delamination.
Severity (S): 7
Failure Mode (FM): Fails to detect over-temperature condition
Failure Cause (FC): The temperature sensor is placed on a part of the PCB that does not get hot, and therefore does not accurately reflect the temperature of the hottest components (e.g., motor driver).
Current Prevention Control (PC): FuncR_015 requires thermal protection. A thermistor for the MCU is listed in telemetry (Table 4-2).
Occurrence (O): 4
Current Detection Control (DC): Verification is by Analysis and Testing.
Detection (D): 5
DFMEA AP: M
Preventive Action: Perform a thermal analysis of the controller PCB to identify the hot spots under worst-case load, and place the temperature sensor at that location.
Detection Action: During thermal testing, use a thermal camera to verify the results of the thermal analysis and confirm that the onboard temperature sensor is accurately tracking the hot spot temperature.
Remarks (evidence): D2.5, FuncR_015, page 13; D2.5, Table 4-2, page 35

Issue #: FC_078
Next Higher Level: HOTDOCK Power Interface
Focus Element: POGO Pad
Next Lower Level / Characteristic: Pad Surface (Gold Plating)
Next Higher Level Function: Provide a separable interface for power.
Focus Element Function: Provide a contact surface for the POGO pin.
Next Lower Level Function: Provide a low-resistance, corrosion-resistant contact surface.
Failure Effects (FE): Contamination on the pad surface | High contact resistance is formed | Localized overheating (I^2*R) at the contact point | Pad may de-laminate from PCB, surrounding material may be damaged.
Severity (S): 7
Failure Mode (FM): Contact resistance too high
Failure Cause (FC): Contamination of the contact pad by a fingerprint during assembly, which then carbonizes from heat, creating a high-resistance layer.
Current Prevention Control (PC): The design is intended to prevent accumulation of dirt or dust (D2.5, pg 40). Clean assembly is standard practice.
Occurrence (O): 4
Current Detection Control (DC): Functional testing would detect a high-resistance connection if the effect is large enough.
Detection (D): 6
DFMEA AP: M
Preventive Action: Mandate the use of gloves and finger cots during all manual assembly stages of the connector plate to prevent contamination of contact surfaces.
Detection Action: Add a high-magnification visual inspection and cleaning step for the connector plate contact surfaces as the final step before integration into the housing.
Remarks (evidence): D2.5, Section 5.2, page 40; No specific procedure document cited

Issue #: FC_081
Next Higher Level: HOTDOCK Actuation Assembly
Focus Element: Brushless DC Motor (MAXON EC 32 flat)
Next Lower Level / Characteristic: Motor Housing
Next Higher Level Function: Rotate locking ring.
Focus Element Function: Generate rotational torque.
Next Lower Level Function: Provide structural support and heat dissipation path for the stator.
Failure Effects (FE): Poor thermal contact between motor and HOTDOCK housing | Heat from the motor is not conducted away efficiently | Motor windings overheat during operation | Insulation breakdown, motor failure.
Severity (S): 7
Failure Mode (FM): Overheats
Failure Cause (FC): An air gap between the motor body and the main HOTDOCK housing, due to mounting tolerances, creates a high thermal resistance path.
Current Prevention Control (PC): DesR_005 requires the design to account for mechanism heat dissipation.
Occurrence (O): 4
Current Detection Control (DC): Analysis and testing are the verification methods. Motor temperature telemetry is available (THM_1).
Detection (D): 4
DFMEA AP: M
Preventive Action: Specify the use of a thermal interface material (TIM), such as a gap pad or thermal grease, between the motor body and the housing to ensure a low-resistance heat path.
Detection Action: During thermal vacuum testing, operate the motor under a high-duty cycle load and monitor the motor temperature telemetry to verify it remains within its specified limits.
Remarks (evidence): D2.5, DesR_005, page 19; D2.5, Table 4-2, page 35

Issue #: FC_082
Next Higher Level: HOTDOCK Mechanical Structure
Focus Element: Fixation Layout
Next Lower Level / Characteristic: M3 Bolt Holes
Next Higher Level Function: Provide mechanical connection to the parent structure.
Focus Element Function: Transfer loads between HOTDOCK and the parent structure.
Next Lower Level Function: Provide threaded holes for mounting bolts.
Failure Effects (FE): Threads in an aluminum hole are stripped | Bolt cannot be torqued correctly, clamping force is not achieved | Reduced structural capability, potential for failure under load.
Severity (S): 7
Failure Mode (FM): Fails to provide secure mounting
Failure Cause (FC): Threads in the aluminum housing are stripped due to cross-threading or over-torquing during assembly.
Current Prevention Control (PC): The fixation layout uses M3 bolts (D2.5, pg 38). Robust design is required.
Occurrence (O): 4
Current Detection Control (DC): The issue would be found during assembly when the bolt fails to reach its target torque.
Detection (D): 3
DFMEA AP: M
Preventive Action: Install threaded inserts (e.g., Helicoils) made of a harder material like steel into all structural threaded holes in the aluminum housing to increase strength and prevent stripping.
Detection Action: Mandate the use of a calibrated torque wrench for all structural fasteners and require that all bolts be started by hand to prevent cross-threading.
Remarks (evidence): D2.5, Section 5.1.3, page 38; No specific assembly procedure cited

Issue #: FC_084
Next Higher Level: HOTDOCK Power & Data Interface
Focus Element: POGO Pin Connector
Next Lower Level / Characteristic: Orientation Sense Pins
Next Higher Level Function: Provide data for rerouting capability.
Focus Element Function: Detect the orientation of the HOTDOCK with respect to its mate (D2.5, pg 42).
Next Lower Level Function: Provide a voltage level that indicates the relative 90-degree orientation.
Failure Effects (FE): Orientation pin fails to make contact | The controller cannot determine the mated orientation | The crosspoint switch is not commanded, or commanded incorrectly | No SpaceWire data link is established.
Severity (S): 7
Failure Mode (FM): Fails to detect mated orientation
Failure Cause (FC): An open circuit on one of the orientation sense pins due to a failed POGO pin or broken trace.
Current Prevention Control (PC): The orientation is detected by reading a voltage on dedicated pins.
Occurrence (O): 5
Current Detection Control (DC): The failure would be apparent when the SpaceWire link fails to initialize post-mating.
Detection (D): 5
DFMEA AP: M
Preventive Action: Implement a redundant scheme for orientation sensing, using multiple pins or a different sensing method as a backup.
Detection Action: During ground testing, mate the interfaces in all four possible orient﻿ations and verify that the controller correctly reports the orientation and establishes a data link each time.
Remarks (evidence): D2.5, Section 5.2.2, page 42; No specific test plan cited

Issue #: FC_086
Next Higher Level: HOTDOCK Controller
Focus Element: H-Bridge Motor Driver
Next Lower Level / Characteristic: Charge Pump
Next Higher Level Function: Drive the 3-phase brushless motor.
Focus Element Function: Switch current to the windings based on PWM signals.
Next Lower Level Function: Generate a voltage higher than the main supply to properly turn on the high-side N-channel MOSFETs.
Failure Effects (FE): Charge pump fails | The gate voltage for the high-side MOSFETs is insufficient | High-side MOSFETs operate in the linear region with high resistance | High power dissipation in the MOSFETs, leading to failure; motor runs poorly or not at all.
Severity (S): 7
Failure Mode (FM): Fails to drive motor efficiently
Failure Cause (FC): Failure of a capacitor or diode in the charge pump circuit due to electrical stress or aging.
Current Prevention Control (PC): The design includes a proper front end chain (H-bridge, gate drive) (D2.5, pg 46).
Occurrence (O): 4
Current Detection Control (DC): A failure would manifest as high motor current and low torque, which would be detectable during functional testing.
Detection (D): 5
DFMEA AP: M
Preventive Action: Use high-reliability ceramic capacitors and diodes in the charge pump circuit. Perform a WCCA to ensure all components are operated with sufficient derating.
Detection Action: During design verification, probe the gate voltage of the high-side MOSFETs to confirm that the charge pump is providing sufficient overdrive under all load conditions.
Remarks (evidence): D2.5, Section 6.2, page 46; No specific component selection criteria cited

Issue #: FC_091
Next Higher Level: HOTDOCK Power & Data Interface
Focus Element: POGO Pin Connector
Next Lower Level / Characteristic: Connector Body Material
Next Higher Level Function: Provide a separable interface for power and data.
Focus Element Function: Maintain the precise physical arrangement of POGO connections.
Next Lower Level Function: Provide a structurally and dimensionally stable insulating body to hold the pins.
Failure Effects (FE): Material absorbs moisture on the ground, then outgasses in vacuum | Outgassed water vapor can cause arcing or contaminate surfaces | Arcing can cause short circuits; contamination can degrade sensor or thermal performance.
Severity (S): 7
Failure Mode (FM): Causes contamination
Failure Cause (FC): The plastic used for the connector body has high outgassing properties, violating space material requirements.
Current Prevention Control (PC): DesR_019 requires materials to have low outgassing and toxicity. Verification is by Analysis.
Occurrence (O): 3
Current Detection Control (DC): Analysis is performed based on material data sheets. A vacuum bake-out test would be a more thorough detection method.
Detection (D): 6
DFMEA AP: M
Preventive Action: Select only materials that are listed in approved space-grade material databases (e.g., NASA MAPTIS) and meet outgassing requirements (TML < 1.0%, CVCM < 0.1%).
Detection Action: Perform a vacuum bake-out and residual gas analysis (RGA) on the assembled connector plate to verify that the overall outgassing performance meets requirements.
Remarks (evidence): D2.5, DesR_019, page 22; No specific material list cited

FC_092HOTDOCK Actuation AssemblyMotor BrakeBrake MechanismHold the mechanism in a fixed position.Hold the position of the locking ring when the motor is unpowered.Provide a static holding torque to prevent back-driving of the geartrain.Brake fails to engage | The locking ring is not held in position and can be back-driven by external forces | The mechanical connection may loosen under vibration or load | Loss of preload, potential for connection failure.7Fails to hold positionA mechanical failure (e.g., broken spring) in a power-off brake mechanism prevents it from engaging.None identified in documents. A brake is not explicitly mentioned but is common practice in such mechanisms.5A functional test where an external torque is applied to the locked mechanism would detect this failure.5MSelect a high-reliability, space-proven power-off brake for the motor. The barrel-cam design should also be non-backdrivable to provide redundancy.Add a back-driving torque test to the acceptance test procedure to verify the holding torque of the brake and non-backdrivability of the geartrain.No evidence, No evidence
FC_095HOTDOCK Mechanical StructureForm-Fit Guidance GeometryRange of Attraction (ROA)Provide mechanical alignment and connection.Enable self-guidance and positioning during final approach.The geometry must capture and align the interface from an initial misalignment of up to 15mm and 10 degrees (Figure 5-6).Initial misalignment exceeds the ROA | The form-fit features collide instead of engaging | High impact loads on the interface, potential for structural damage | Mating fails.7Fails to capture and alignThe robotic arm positioning error is larger than specified, presenting the interface with a misalignment that exceeds its capture range.The ROA is defined by the form-fit geometry design.5Preliminary motion studies were performed by DLR to define the ROA. This is verified by analysis and testing.4MThe host system (robotic arm) must have a control system that guarantees its end-effector positioning accuracy is within the specified ROA of the HOTDOCK.Perform robotic mating tests at the boundaries of the specified ROA to validate the capture performance of the form-fit geometry.D2.5, Figure 5-6, page 39, No specific test plan cited
FC_104HOTDOCK Mechanical Locking MechanismLocking ElementsMaterial HardnessImplement a locking mechanism.Engage with the mated HOTDOCK to create a secure connection.The steel balls and their contact surfaces must be sufficiently hard to resist plastic deformation under load.Contact surfaces are too soft | Surfaces yield under load (brinelling) | Preload is lost, connection becomes loose.7Fails to maintain preloadAn error in the heat treatment process for the steel balls or locking ring inserts results in a lower-than-specified material hardness.DesR_015 requires contact stress below yield. This implies material properties are controlled.3A proof load test might reveal the issue, but it could be missed if the load is not high enough to cause gross failure.7MRequire material certifications and hardness test results from the supplier for all critical, heat-treated mechanical components.Perform hardness testing on a sample of components from each manufacturing lot as part of incoming quality inspection.D2.5, DesR_015, page 21, No manufacturing document cited
FC_111HOTDOCK Power & Data InterfaceData Transfer InterfaceDuplex CommunicationAllow exchange of data between modules.The data interface shall provide duplex communication abilities (FuncR_021).Provide separate physical paths for transmitting and receiving data simultaneously.A fault couples the transmit and receive paths | The receiver is saturated by its own transmitter's signal | Communication is lost.7Fails to communicateA short circuit between adjacent POGO pins for transmit and receive pairs due to conductive debris.FuncR_021 requires duplex communication. Verification is by Review of Design.3A functional test of the data link would fail. This would be hard to diagnose.6MIn the connector plate layout, maximize the physical separation between transmit and receive differential pairs. Place ground pins between them to provide shielding.Perform a crosstalk analysis in simulation and verify with a network analyzer during DV testing to measure the isolation between transmit and receive channels.D2.5, FuncR_021, page 15, No specific test plan cited
FC_113HOTDOCK Mechanical StructureForm-Fit Guidance GeometryDiagonal Engagement FeatureProvide mechanical alignment and connection.The standard interface shall allow diagonal engagement up to 65 degrees (DesR_007).The guiding surfaces are shaped to allow mating from a wide approach angle.The feature does not work as designed | The interfaces jam or are damaged when a diagonal engagement is attempted | Mating fails, potential damage to the interfaces.7Fails to mate from a diagonal approachThe final geometry, when manufactured, has sharp edges or incorrect draft angles that prevent the surfaces from sliding correctly during a diagonal approach.DesR_007 requires diagonal engagement. The form-fit is designed to support this (D2.5, pg 37).4Verification is by Testing.4MUse CAD motion simulation extensively during the design phase to analyze the engagement kinematics from all approach angles and refine the surface geometries.Perform a series of robotic mating tests that specifically command approaches from various angles up to the 65-degree limit to validate the diagonal engagement capability.D2.5, DesR_007, page 19, No specific test plan cited
FC_117HOTDOCK Power & Data InterfaceData Transfer InterfaceEthernet/EtherCAT supportAllow exchange of data between modules.The data interface shall support Ethernet or EtherCAT bus (FuncR_022).The physical layer (POGO pins, PCB traces) must support the signal characteristics of Ethernet.Signal integrity is poor for Ethernet signals | High bit error rate, frequent packet loss | Unreliable communication.7Data interface has high error rateThe impedance of the signal path through the POGO pins and PCB is not well-controlled, causing reflections and degrading the Ethernet signal.FuncR_022 requires this support. The design allows various data protocols to be implemented (D2.5, pg 41).5Verification is by Testing.4MPerform a detailed signal integrity analysis of the entire data path for the Ethernet protocol. This may require a custom PCB layout with optimized trace routing and impedance control.During design verification, use a network analyzer to measure the insertion loss, return loss, and impedance profile of the data channel. Perform an Ethernet eye diagram test.D2.5, FuncR_022, page 15, No specific Ethernet performance data cited
FC_122HOTDOCK ControllerPower ConversionInput Voltage RangeProvide local low-level bus generation.Operate from a regulated 24V bus (Table 6-1).The DC/DC converters must operate over the full input voltage range of 23.5V to 24.5V.Bus voltage sags below 23.5V | The DC/DC converter shuts down due to undervoltage lockout | The controller loses power.7Fails to operate at low input voltageThe input bus voltage drops below the specified minimum due to a brownout on the spacecraft power system.The operating voltage range is specified in Table 6-1.4Testing would verify operation over the specified range.4MSelect DC/DC converters with a wider input voltage range to provide more margin against bus voltage fluctuations.Perform a power supply corner test, verifying full functionality of the HOTDOCK at the minimum and maximum specified input voltages and temperatures.D2.5, Table 6-1, page 46, No specific spacecraft bus specification cited
FC_124HOTDOCK Mechanical StructureMax Gap Before LockingInterface GapProvide mechanical alignment and connection.The coupling procedure can be initiated with an acceptable remaining distance.The maximum acceptable gap before locking is 2mm (Figure 5-7).Locking is attempted with a gap > 2mm | The locking balls cannot engage the form-fit geometry correctly | The mechanism jams or is damaged.7Fails to lockThe robotic arm stops the approach prematurely, leaving a gap larger than 2mm, but the lock command is still issued.The maximum gap is defined by the design. Proximity sensors are used to detect alignment (OpR_008).5The proximity sensors should prevent this, but their range and accuracy are key.5MThe control logic must include a pre-condition check that verifies the proximity sensors report a gap of less than 2mm before allowing the locking sequence to begin.Characterize the proximity sensor output versus distance to ensure it can reliably and accurately measure the gap and enable a robust go/no-go decision.D2.5, Figure 5-7, page 40, D2.5, OpR_008, page 26
FC_137HOTDOCK Power & Data InterfacePOGO Pin ConnectorPin Contact Surface (Gold Plating)Provide a separable interface for power and data.Establish and maintain a low-resistance connection over the mission lifetime.Provide a durable, low-resistance contact surface for 100-1000 mating cycles (OpR_002).Gold plating wears through | The underlying nickel and base metal are exposed | Contact resistance increases significantly due to oxidation | High voltage drop on power pins, or poor signal integrity on data lines.7Contact resistance too highAbrasive wear of the thin gold plating on the pin tip and pad after exceeding the specified number of mating cycles.OpR_002 requires reusability for 100-1000 cycles, implying a durable plating selection.5Life testing is the primary verification. Verification for OpR_002 is 'Testing'.6MSpecify a hard gold plating of sufficient thickness per space industry standards for high-mating-cycle connectors.Perform a mating cycle life test for the maximum specified number of cycles, periodically measuring contact resistance to characterize degradation.D2.5, OpR_002, page 25, no evidence
FC_143HOTDOCK Electrical InterfaceEMI ShieldingHousing ConductivityProvide a reliable electrical interface.Not cause electro-magnetic interference (EMI) in coupled modules per FuncR_016.The housing must act as a Faraday cage to contain radiated emissions and protect from radiated susceptibility.The surface coating on the housing is non-conductive (e.g., standard anodize) | The housing does not provide effective EMI shielding | Internal noise from the motor driver radiates out, interfering with other spacecraft systems.7Causes electromagnetic interferenceThe aluminum housing has a non-conductive anodize coating, which electrically isolates the different parts of the housing and prevents it from acting as an effective Faraday cage.FuncR_016 requires EMC.5Verification is by Testing. A radiated emissions test would detect this.5MSpecify a conductive surface coating for the housing (e.g., chemical conversion coating like Alodine/Iridite) and ensure electrical bonding between all housing components with EMI gaskets.Perform a radiated emissions test (e.g., per MIL-STD-461) to verify the shielding effectiveness of the housing.D2.5, FuncR_016, page 14, No specific coating type cited
FC_144HOTDOCK ControllerH-Bridge Motor DriverThermal Interface Material (TIM)Control the brushless DC motor.Drive the 3-phase motor by switching current to the windings.Provide a low thermal resistance path from the power MOSFETs to the housing/heatsink.TIM is omitted or incorrectly applied | Thermal resistance is high | MOSFETs overheat during operation | The driver enters thermal shutdown or fails permanently.7Fails to drive motor (thermal shutdown)The thermal interface material (e.g., thermal grease or gap pad) between the motor driver IC and the main housing is omitted during assembly.IntR_006 requires a thermal connection to the module structure. This implies a heat path for all components.4A thermal analysis would identify this need. A final inspection should verify its presence. A thermal test under load would detect the failure.5MMake the application of TIM a formal, inspected step in the assembly procedure. Use a thermal pad instead of grease to ensure consistent application.During functional testing, run the motor under load for an extended period and use a thermal camera or thermocouples to verify the motor driver temperature remains within safe limits.D2.5, IntR_006, page 24, No specific assembly procedure cited
FC_148HOTDOCK Actuation AssemblyGearing SystemGear Teeth SurfacesTransmit and amplify torque.Transmit torque reliably over mission life.Maintain surface integrity to transfer load without failure.Gear tooth surface experiences pitting | Increased noise and vibration, accelerated wear | The gearbox fails prematurely.7Actuation is noisy or fails prematurelySurface fatigue (micropitting) of gear teeth due to high contact stress cycles exceeding the material's surface endurance limit.DesR_015 requires peak hertzian contact stress to be below 93% of yield, which limits static overload but not necessarily fatigue.5A life test is the primary verification method.6MPerform a gear surface fatigue analysis (e.g., per AGMA standards). Select materials and heat treatments with high surface durability and use a lubricant with appropriate anti-wear additives.During life testing, perform periodic oil sample analysis (if oil lubricated) or visual inspection of gear teeth for signs of pitting.D2.5, DesR_015, page 21, no evidence
FC_163Servicer Spacecraft (SVC)On-Board Computer (OBC-S)PUS Service SoftwareManage all operations of the servicer spacecraft.Provide Telemetry and Telecommand (TTC) service for communication with the MCC.Process incoming PUS telecommand packets and generate PUS telemetry packets.A bug in the PUS service corrupts a telemetry packet | The MCC receives a malformed packet and cannot parse it | Ground loses visibility into HOTDOCK status | Inability to safely monitor and control the reconfiguration.7Fails to send valid telemetryA buffer-handling error in the PUS telemetry generation service causes it to send a packet with an incorrect length field.The TTC service is based on the ESROCOS PUS Services library (D2.4, Section 6.3). This provides a robust starting point.4This would be detected during ground software/flight software integration testing.4MDevelop a formal Interface Control Document (ICD) for all PUS packets. Use a protocol validation tool to verify all transmitted packets against the ICD.Perform extensive integration testing between the OBC-S and the MCC software, exercising all TM/TC types.MOSAR D2.4, page 74, No evidence
FC_166Spacecraft Module (SM2-PWS)Thermal PayloadFluid PumpProvide power and thermal services for the modular spacecraft.Provide a dedicated SI with a thermal interface to perform forced heat exchange with another module (e.g., SM4-THS).Circulate coolant fluid through the thermal loop to transfer heat.Pump seizes or fails to operate | Coolant fluid does not circulate | Heat cannot be transferred from the PWS to the THS | The HOTDOCK thermal interface function is lost; PWS module may overheat.7Fails to provide thermal transferMechanical failure of the pump motor or impeller due to wear-out over the mission life.The SM2-PWS contains the pump for the thermal payload. The thermal interface is based on the OG5 design. (D2.4, Section 6.4.3)4Failure would be detected by monitoring flowmeter telemetry and temperature readings from the thermal payload. (D2.4, Table 6-3)3MSelect a high-reliability, space-qualified fluid pump with a design life that exceeds the mission requirements. Implement redundant pumps in the thermal loop design.Perform an accelerated life test on the fluid pump to validate its lifetime and identify wear-out mechanisms.MOSAR D2.4, page 79, MOSAR D2.4, Table 6-3, page 80
FC_180HOTDOCK Mechanical StructureHousingExternal SurfaceProvide the main structure and enclosure.Protect internal components from the space environment.Withstand exposure to the space environment, including micrometeoroids.A micrometeoroid or orbital debris (MMOD) particle impacts the housing | A crater is formed, or in a high-energy impact, the housing is perforated | If perforated, internal components are exposed to vacuum and radiation | Potential for damage to internal electronics or mechanisms.7Loss of protective enclosureHypervelocity impact from a micrometeoroid or piece of orbital debris that exceeds the ballistic limit of the aluminum housing.The design must withstand the space environment (EnvR_001), which implicitly includes MMOD.3None identified in documents. This is a probabilistic event that is designed against by analysis.10MPerform an MMOD risk analysis based on the mission orbit and duration. If required, add external shielding (e.g., a Whipple shield) to protect critical areas.Post-mission (if returned) or via remote camera inspection, visually inspect external surfaces for signs of MMOD impacts.D2.5, EnvR_001, page 28, No specific MMOD analysis cited
FC_200HOTDOCK Actuation AssemblyBrushless DC Motor (MAXON EC 32 flat)Permanent Magnets (Rotor)Rotate locking ring to engage/disengage.Generate rotational torque and hold position when unpowered.Provide a magnetic field for torque generation and detent torque.Motor has high residual magnetism | A high residual torque exists even when unpowered | The mechanism is difficult to backdrive, even when commanded to be free | Inability to separate interfaces if the secondary unlock mechanism relies on back-driving.7Fails to allow de-matingA high current event (like a stall or short circuit) partially remagnetizes the stator, creating a strong residual torque or 'cogging' that acts like a brake.None identified in documents. This is a subtle motor physics failure.3The failure would be detected as abnormally high torque required to back-drive the mechanism.6MImplement a degaussing step in the motor control firmware that can be commanded after a high current fault, applying a decaying AC signal to the windings.After a locked-rotor test, measure the unpowered back-drive torque of the mechanism to check for any increase in residual torque.No evidence, No evidence
FC_080HOTDOCK ControllerMemoryFlash Memory for LoggingControl all HOTDOCK functionalities.Log the system's state (D2.5, pg 46).Store data persistently in non-volatile memory.Logging function causes excessive writes to flash | Flash memory endurance is exceeded | Inability to write new log data, or worse, corruption of firmware area if memory is shared | Loss of diagnostic data, or controller failure.6Fails to store logsA software bug in a logging routine writes data to flash memory too frequently (e.g., in a tight loop instead of on state change), causing premature wear-out.The controller has 2048 KBytes of flash for programming and logging.5This would likely be discovered during long-duration testing.7MImplement a firmware architecture where logging to flash is strictly controlled, buffered in RAM, and only written when necessary (e.g., on significant events or before shutdown). Implement wear-leveling.During software validation, perform a code path analysis to identify all functions that write to flash memory and verify their execution frequency against the endurance limits of the memory.D2.5, Section 6.2, page 46, No specific software development plan cited
FC_130HOTDOCK Power & Data InterfaceConnector Plate PCBGround PlaneProvide a common interconnection platform.Provide a stable ground reference and shielding.A large copper layer in the PCB that serves as the ground return path.A split or break in the ground plane | Ground return paths become long and inductive | Increased noise and ground bounce, potential for EMI problems | Unreliable data communication.6Signal integrity is degradedA PCB layout design choice creates a split in the ground plane that a critical high-speed signal must cross.Good PCB layout practice is assumed. The design must meet EMC requirements (FuncR_016).4This is a subtle design flaw that may not be caught by basic functional testing.7MEstablish a formal PCB layout design rule that mandates the use of a continuous, solid ground plane under all high-speed signal traces.Use a PCB layout analysis tool to automatically check for any instances where high-speed traces cross splits in the ground or power planes.D2.5, FuncR_016, page 14, No specific layout rules cited
FC_131HOTDOCK ControllerMicrocontrollerAnalog-to-Digital Converter (ADC)Control all HOTDOCK functionalities and provide telemetry.Convert analog sensor signals to digital values with specified accuracy per FuncR_028.Maintain a linear voltage-to-digital transfer function over the operating range.ADC has poor linearity | Sensor readings are non-linearly distorted | Incorrect telemetry reported, motor control loop may become unstable at certain operating points | Unreliable operation, potential for incorrect fault detection.6Reports inaccurate telemetry (non-linear error)Degradation of the ADC's differential non-linearity (DNL) or integral non-linearity (INL) due to total ionizing dose (TID) radiation effects.Controller uses 24 ADC inputs (D2.5, page 46). EnvR_001 requires withstanding space environment.5None identified in documents. A simple functional test would not detect subtle non-linearity.8MSelect a microcontroller with a radiation-characterized ADC or provide shielding. Implement software calibration routines to correct for known non-linearities.Perform a full characterization of the ADC's INL/DNL over the full temperature range before and after radiation exposure testing.D2.5, page 46, EnvR_001, page 28
FC_183MOSAR DemonstratorDesign and Simulation ToolThermal ModelEnable ground-based validation of reconfiguration plans.Simulate the system to verify the reconfiguration plan before upload.Model the thermal properties of the SMs and the heat transfer between them.The thermal model in the simulator is inaccurate | The simulation incorrectly predicts that the PWS will not overheat | The plan is approved and executed | The real PWS overheats, causing a fault or damage.6Causes in-space failure due to incorrect planThe thermal resistance across the HOTDOCK thermal interface is modeled with an incorrect (too low) value in the simulator.The simulator is used to validate the plan before execution. It includes thermal models. (D2.4, Section 6.1.3.3)5The model inaccuracy would only be discovered by comparison with data from the real hardware.7MCreate a 'digital twin' approach where the simulation models are continuously updated and validated with telemetry data from the actual hardware.Perform a dedicated test on the hardware to characterize the thermal resistance of the HOTDOCK interface, and use this data to validate the simulation model.MOSAR D2.4, page 65, No specific model validation plan cited
FC_097HOTDOCK ControllerCAN TransceiverCommon Mode ChokeAllow command and telemetry exchange.Transmit and receive differential signals on the CAN bus.Filter common-mode noise from the CAN bus to improve signal integrity and emissions.Choke saturates due to a large common-mode current | The choke is no longer effective as a filter | Increased susceptibility to common-mode noise, potential for communication errors.4Communication is intermittentA large common-mode noise event from another subsystem on the spacecraft couples onto the bus and exceeds the choke's rating.FuncR_016 requires EMC. Standard design practice includes filtering.4This would be difficult to diagnose, manifesting as random communication errors.8MAnalyze the system-level grounding and noise environment to select a common-mode choke with sufficient impedance and current rating to handle worst-case noise.Perform common-mode injection testing on the CAN bus interface to verify its immunity to noise up to the required system-level specification.D2.5, FuncR_016, page 14, No specific design schematic provided
FC_102HOTDOCK Power & Data InterfacePOGO Pin ConnectorNumber of ConnectionsProvide a separable interface for power and data.Provide 128 connections for data and power transmission.Maintain sufficient pins to support all required signals and power, including redundancy.A single pin fails open-circuit | Redundancy for that signal is lost | The system continues to operate on the primary line | No immediate effect, but the system is no longer single-fault tolerant.4Loss of redundancyA single POGO pin fails to make contact due to a manufacturing defect or contamination.The current version includes 128 connections, allowing for signal redundancy (D2.5, pg 40). DesR_003 requires one-failure-tolerance redundancy.5Detecting the failure of a single redundant line is not possible without a specific test.9MFor critical redundant signals, implement a circuit that allows each line to be tested independently (e.g., by disabling the primary driver and checking for a signal on the secondary line).Develop a 'redundancy check' mode as part of the built-in self-test (BIST) that can be run on the ground to verify the health of all redundant paths.D2.5, Section 5.2, page 40, D2.5, DesR_003, page 18
FC_064HOTDOCK ControllerMicrocontrollerNon-Volatile Memory (Flash)Control all HOTDOCK functionalities.Execute firmware and store persistent data.Store the executable firmware code and configuration parameters.Flash memory cell fails (stuck bit) | A critical instruction in the firmware is corrupted | Firmware execution fails, checksum error on boot | Controller fails to boot or crashes.9Firmware is corruptedExceeding the limited write/erase endurance of the flash memory cell during extensive ground testing and repeated firmware uploads.The controller has 2048 KBytes of flash (D2.5, pg 46). Component is chosen for the application.3A checksum or CRC is typically used at boot-up to verify firmware integrity.3LImplement wear-leveling algorithms if configuration data is frequently written. Track the number of firmware uploads on each unit during development to ensure endurance limits are not approached.The bootloader must perform a full CRC-32 check of the application firmware before attempting to boot it. If the check fails, it should enter a safe recovery mode.D2.5, Section 6.2, page 45, No specific test procedure cited
FC_094HOTDOCK Power & Data InterfaceConnector Plate PCBConformal CoatingProvide a common mounting and interconnection platform.Protect the PCB assembly from the environment.Provide a protective dielectric layer over the circuit board to prevent short circuits from conductive debris.Conformal coating is not applied | A loose piece of conductive debris (e.g., wire strand, fastener) lands on the PCB | A short circuit occurs between two traces | Failure of the controller.9Fails to protect from short circuitsProcedural error during assembly where the conformal coating step is missed.None identified in documents. Conformal coating is standard practice for space-grade electronics but not explicitly required.3A dedicated quality inspection step is required to detect this.3LMandate the application of a space-qualified conformal coating (e.g., acrylic or urethane) to all PCB assemblies, and specify masking requirements for connectors and test points.Incorporate a UV-light inspection step into the quality assurance plan to verify the presence and uniform application of the conformal coating (which typically contains a UV tracer).No evidence, No evidence
FC_099HOTDOCK Thermal InterfaceHydraulic Fluid ConnectorFluid TypeProvide an active thermal interface.Circulate fluid for heat exchange.The fluid must have appropriate thermal properties and remain liquid over the entire operating temperature range.The coolant fluid freezes | The fluid expands, potentially rupturing the bellows or connector body. Flow is blocked. | Catastrophic failure of the thermal loop, coolant leak.9Fails to circulate fluidThe selected coolant fluid has a freezing point higher than the minimum survival temperature of the spacecraft, and the loop is inactive during a cold soak.The interface must operate from -55C to +85C (EnvR_003). The design has been successfully tested for fluid type (D2.5, pg 42).3Analysis and testing verify the design.4LSelect a coolant fluid (e.g., a specific formula of Galden or Fluorinert) with a freezing point well below the -55C minimum operating temperature.Perform thermal vacuum testing where the entire thermal loop is allowed to cold-soak to the minimum survival temperature, and then verify that the pump can be started and flow can be initiated.D2.5, EnvR_003, page 28, D2.5, Section 5.3, page 42
FC_107HOTDOCK ControllerFirmwareEmergency Stop LogicControl all HOTDOCK functionalities.Provide a 'Stop' command to halt the operation of the device (D2.5, pg 34).Immediately cease all motor PWM signals upon receiving the STOP_1 telecommand.Emergency stop command is ignored | The mechanism continues to move when commanded to stop | Potential for collision or damage if the stop was issued to prevent a hazard.9Fails to stop on commandA software bug in the command handling logic prioritizes an ongoing motion command over the emergency stop command.The STOP_1 command (TC_2) is a defined part of the telecommand interface.3This would be a specific test case in the functional validation.3LDesign the firmware so that the emergency stop command is handled at the highest priority interrupt level, bypassing any normal state machine logic.Perform a specific test where the emergency stop command is issued in the middle of every possible type of motion to verify it works reliably.D2.5, Table 4-1, page 34, No specific software architecture cited
FC_116HOTDOCK ControllerMemoryWait StatesControl all HOTDOCK functionalities.Execute firmware at a defined speed.The memory (flash) access time must be compatible with the processor clock speed.Incorrect number of wait states configured | The processor tries to read from flash memory before the data is ready | Corrupt instructions are fetched, leading to a hard fault or crash.9Firmware crashesThe flash memory wait states are incorrectly configured in the microcontroller's startup code for the given clock frequency.This is a fundamental aspect of embedded system design. It is assumed to be done correctly.2The failure would occur immediately at startup during initial board bring-up.2LThe firmware startup code must be carefully reviewed to ensure it correctly configures the flash memory controller based on the system clock speed and the memory's datasheet specifications.Perform a corner analysis test, running the system at the maximum and minimum specified clock frequencies and temperatures to verify stable operation.No evidence, No evidence
| Issue # | Next Higher Level | Focus Element | Next Lower Level / Characteristic Type | Next Higher Level Function and Requirement | Focus Element Function and Requirement | Next Lower Level Function and Requirement / Characteristic | Failure Effects (FE) | S | Failure Mode (FM) | Failure Cause (FC) | Current Prevention Control (PC) | O | Current Detection Controls (DC) | D | AP | DFMEA Preventive Action | DFMEA Detection Action | Remarks |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| FC_179 | HOTDOCK Controller | Firmware | Bootloader | Control all HOTDOCK functionalities. | Initialize the system on power-up. | Perform a checksum/CRC of the main application firmware before booting it. | A bug in the bootloader's CRC calculation → The bootloader incorrectly calculates the CRC of a valid image and fails the check → The bootloader refuses to boot a valid application → The device fails to start. | 9 | Fails to boot | A software bug in the bootloader's CRC32 algorithm implementation (e.g., incorrect polynomial or endianness handling). | None identified in documents. A validating bootloader is a standard feature. | 3 | This would be found during initial software development and testing. | 3 | L | Use a standard, well-verified library implementation of the CRC algorithm. The ground tools that generate the firmware image must use the exact same algorithm. | Perform end-to-end testing where a valid image is generated by the ground tools, loaded onto the hardware, and the bootloader's calculated CRC is read out via a debug port to verify it matches the expected value. | No evidence, No evidence |
| FC_031 | HOTDOCK Mechanical Structure | Movable Locking Ring | Ring Structure | Provide mechanical alignment, connection, and load transfer. | Rotate to drive the steel balls into their locked position. | Maintain its circular profile and structural integrity while rotating and under external loads. | Locking ring yields or cracks → Ring jams against the housing or can no longer actuate the locking balls correctly → Mechanism fails to lock or unlock. | 8 | Fails to rotate | Yielding of the aluminum ring structure due to a high-energy impact from a mishandling event during ground operations. | HumR_001 implies safe handling. DesR_005 mandates a robust design. | 3 | Final inspection and functional testing would detect a pre-existing jam. | 4 | L | Design and fabricate dedicated ground support equipment (GSE), including handling fixtures and protective covers, to be used whenever the HOTDOCK is moved or transported. | Perform a detailed dimensional inspection of all critical mechanical components upon receipt from the machine shop and before starting assembly. | D2.5, HumR_001, page 29, D2.5, DesR_005, page 18 |
| FC_063 | HOTDOCK Power & Data Interface | Connector Plate PCB | Manufacturing Stencil | Provide a common mounting and interconnection platform. | Maintain the correct position and height of the POGO pins (D2.5, pg 42). | Control the volume and placement of solder paste for attaching the POGO pins. | Stencil aperture is incorrect → Insufficient solder paste is deposited → A weak or 'cold' solder joint is formed → The POGO pin detaches from the PCB under mechanical stress → Open circuit. | 8 | Fails to provide structural support for POGO pin | Incorrect stencil design or manufacturing process leads to insufficient solder paste deposition for the POGO pin pads. | The manufacturing process requires custom-made stencils. This implies process control. | 3 | Automated Optical Inspection (AOI) after solder reflow can detect insufficient solder fillets. | 3 | L | Develop and qualify the PCB assembly process, including stencil design and solder paste inspection (SPI), according to a recognized space-grade standard like NASA-STD-8739. | Perform shear testing on witness POGO pins on a sample board from the production lot to verify the mechanical strength of the solder joints. | D2.5, Section 5.2.3, page 42, No specific manufacturing standard cited |
| FC_065 | HOTDOCK Harnessing | External Connectors | Connector Pins | Provide interface for control, data, and power harnessing. | Connect internal harnessing to the spacecraft-side harness. | Provide a separable, low-resistance electrical contact. | A pin is bent during mating/de-mating → Pin fails to engage with socket → Open circuit for that line → Loss of power or communication to the entire HOTDOCK. | 8 | Fails to make electrical contact (open circuit) | A pin is bent due to misalignment during connector mating during ground integration. | The back-side features openings for harnessing with connectors facing out (D2.5, pg 37). Use of robust, space-grade connectors is assumed. | 3 | A post-mate continuity check (or 'ring-out') is standard procedure. | 2 | L | Use connectors with more robust, scoop-proof designs. Implement mandatory use of guide pins and a defined, controlled mating procedure. | Mandate a full pin-to-pin continuity check immediately after mating any connector during integration activities. | D2.5, Section 5.1.2, page 37, No specific procedure document cited |
| FC_079 | HOTDOCK Actuation Assembly | Barrel-Cam Mechanism | Timing Sequence | Translate motor rotation into motion. | Ensure the timing sequence of the connector plate deployment relative to the locking system (D2.5, pg 41). | The cam profile is shaped to first rotate the locking ring, then extend the connector plate. | Incorrect cam profile → Connector plate extends before locking is complete, or locking occurs before plate is retracted → POGO pins are damaged by being driven into an unaligned/moving target → Damage to connector plate. | 8 | Incorrect actuation sequence | A manufacturing error in the machining of the barrel cam results in an incorrect motion profile and timing sequence. | The barrel cam is configured to ensure the timing sequence. | 3 | Functional testing of the first article would detect this. | 3 | L | Develop a detailed inspection plan for the barrel cam, including CMM (Coordinate Measuring Machine) checks of the cam profile against the CAD model. | Create a test fixture that allows the actuation mechanism to be cycled slowly by hand, with indicators to measure the relative position of the locking ring and connector plate to verify the timing sequence. | D2.5, Section 5.2, page 41, No manufacturing document cited |
| FC_126 | HOTDOCK Actuation Assembly | Gearing System | Gear Ratio | Transmit and amplify torque. | Amplify torque from the motor to the barrel-cam. | Provide a specific, fixed ratio between input and output speed. | Gear ratio is too low → The motor cannot produce enough torque at the output to overcome friction and lock the mechanism → Actuation fails. | 8 | Fails to generate sufficient torque | A design error in the selection of the gear ratio results in insufficient output torque for worst-case friction and load. | DesR_013 requires the motorization to provide the minimum required torque. This is a primary driver for the gear ratio selection. | 3 | Verification is by Analysis and Testing. The failure would be found during loaded functional testing. | 3 | L | Perform a detailed torque budget analysis for the entire actuation train, including all sources of friction and external loads, and apply a safety margin (e.g., 2x) to determine the required gear ratio. | During design verification, use a torque transducer to measure the output torque of the mechanism and verify that it meets or exceeds the requirements with margin. | D2.5, DesR_013, page 21, No specific torque margin cited |
| FC_186 | MOSAR System | HOTDOCK 'Fixed' Declination | Internal Pass-through Harness | Provide a permanent connection between two static components. | Provide a pass-through connection between two static components (e.g., SM1-DMS and CLT). | Route power and data lines directly from one side of the interface to the other. | A wire breaks in the internal harness → An open circuit is created → The permanent link for power or data is lost → Loss of function for the connected module. | 8 | Fails to provide electrical continuity (open circuit) | Fatigue failure of a solder joint on the internal pass-through PCB due to vibration. | The 'Fixed' declination provides a pass-through connection. (D2.4, Table 6-7) | 3 | The failure would be detected during system integration testing as a complete loss of function for the connected module. | 4 | L | Use high-reliability connectors and workmanship standards for the internal harness. Stake all internal PCBs and connectors to provide support against vibration. | Perform a vibration test on the 'Fixed' HOTDOCK, followed by a full pin-to-pin continuity check. | MOSAR D2.4, Table 6-7, page 90, No evidence |
| FC_040 | HOTDOCK Mechanical Structure | Passive/Mechanical Declinations | Mechanical Structure without Actuator | Allow for lower cost, simpler versions for specific applications. | Provide a passive interface that can receive an active one, supporting mechanical, data, and power transfer without actuation. | Maintain the same external form-fit geometry and connector plate position as an active unit. | A passive unit is mistakenly installed where an active unit is required → The system cannot be actuated → Mission assembly plan cannot be executed. | 7 | Fails to actuate (by design) | Procedural error during ground integration where a passive HOTDOCK is installed on a robotic arm's end-effector instead of an active one. | The different declinations are clearly defined (Table 3-1). Configuration management and assembly procedures should prevent this. | 2 | A functional check of the robotic arm before the mission would immediately detect the inability to actuate the end-effector. | 2 | L | Implement a poka-yoke (error-proofing) design feature, such as a different connector or a mechanical keying feature, to physically prevent a passive unit from being installed on a component requiring an active one. | Add a mandatory electronic ID check to the system start-up sequence, where the host computer verifies the type of HOTDOCK attached before permitting operations. | D2.5, Table 3-1, page 31, No specific procedure document cited |
| FC_118 | HOTDOCK Mechanical Locking Mechanism | Actuated Internal Ring | Lubrication | Implement a locking mechanism. | Rotate to drive the steel balls. | Slide with low friction against stationary parts of the housing. | Lubricant is not applied or is incorrect → High friction during rotation → Motor requires excessive current, may stall. | 7 | Requires excessive torque to actuate | The dry film lubricant on the sliding surfaces of the actuated ring was omitted during assembly. | DesR_012 requires lubrication for contact surfaces in relative motion. | 3 | Functional testing while monitoring motor current would detect the high friction. | 3 | L | Create a detailed assembly and lubrication plan that clearly shows which surfaces require lubricant and what type to use. Make lubrication a formal, inspected step in the process. | Measure the no-load running current of the actuation mechanism as a standard acceptance test. A high current indicates a friction problem. | D2.5, DesR_012, page 20, No specific assembly procedure cited |
| FC_187 | MOSAR Demonstrator | System Integration | HOTDOCK Declination Selection | Assemble the modular spacecraft demonstrator. | Use different HOTDOCK declinations (Active, Passive, Mechanical) to connect components. | Install the correct type of HOTDOCK at each interface location per the assembly plan. | The wrong declination is installed (e.g., 'Mechanical' instead of 'Passive') → Data and power pins are missing → The system cannot route power or data to the module → Assembly sequence fails. | 7 | Fails to provide power/data connection | Human error during assembly, where a 'Mechanical' only HOTDOCK is installed in a location that requires a 'Passive' data/power interface. | The different declinations are defined in Table 3-1. Configuration management should prevent this. | 3 | The failure would be detected during the first power-on or communication test with the affected module. | 3 | L | Implement clear, unambiguous labeling on all HOTDOCK declinations. Use a keying system (poka-yoke) with different connectors for each declination to make incorrect installation physically impossible. | Use a 'smart' assembly procedure with barcode scanners to verify each component's part number is correct before it is installed. | D2.5, Table 3-1, page 31, No assembly procedure document cited |
| FC_195 | HOTDOCK Sensors | Proximity Sensor (Hall effect) | Sensor IC | Provide telemetry and sensor data for control. | Detect good alignment before starting the mating process (OpR_008). | Generate a signal based on the proximity of a magnet on the mating interface. | The sensor IC fails (e.g. no output) → The controller receives no proximity signal → The controller logic prevents mating from being initiated → The mission is inhibited. | 7 | Fails to provide proximity signal | A failure of the internal oscillator or other circuitry within the Hall effect sensor IC. | The design includes proximity sensors (Figure 3-1, Table 4-2). Four redundant sensors are listed. | 3 | The controller would detect the lack of a valid signal from one sensor and could rely on the other three. | 3 | L | Use four redundant sensors and implement a voting logic in the firmware to tolerate the failure of at least one sensor. | Develop a test procedure that can verify the functionality of each proximity sensor independently. | D2.5, Figure 3-1, page 30, D2.5, Table 4-2, page 35 |
| FC_034 | HOTDOCK Interface | Androgynous Design Feature | Symmetric Characteristic of Connector Plate | Allow any HOTDOCK to mate with any other HOTDOCK. | Have an androgynous design on both mechanical and electrical connections (DesR_001). | Arrange pogo pins and pads in mirror to ensure connectivity regardless of orientation. | An error in the PCB layout breaks the mirror symmetry → One quadrant's connections are incorrect when mated → Data or power links fail to establish in certain orientations → Loss of 90-degree symmetry redundancy, potential mission impact if a specific orientation is required. | 6 | Fails to connect in all valid orientations | A layout error in the connector plate PCB swaps two pins, violating the androgynous design symmetry. | DesR_001 requires an androgynous design. Verification is by Review of Design. | 3 | A full physical fit-check and electrical continuity test with two prototype units would reveal the error. | 4 | L | Implement a formal design rule check (DRC) script that specifically verifies the pinout symmetry of the connector plate layout against the design specification. | Create a dedicated 'pinout checker' test fixture that can be attached to the connector plate to rapidly verify the correct wiring of all 128 connections. | D2.5, DesR_001, page 17, No specific test plan cited |
| FC_047 | HOTDOCK Thermal Interface | NTC Temperature Sensor | Sensor Element | Provide thermal sensing capabilities. | Measure the temperature before connection (D2.5, pg 43). | Exhibit a change in electrical resistance that is a known function of temperature. | Sensor de-bonds from the surface it is measuring → Sensor measures its own temperature, not the interface's → Incorrect temperature telemetry → A decision to mate may be made when there is a dangerously large thermal gradient, causing thermal shock. | 6 | Provides inaccurate temperature reading | Failure of the thermally conductive epoxy bond holding the sensor to the connector body, due to stress from CTE mismatch during thermal cycling. | Two redundant NTC sensors are integrated. The design must withstand the -55C to +85C temperature range (EnvR_003). | 5 | Verification is by testing. Cross-comparison of the two redundant sensors could detect a de-bond. | 3 | L | Select a space-qualified, low-outgassing, thermally conductive epoxy and develop a controlled process for sensor bonding, including surface prep and curing schedule. | During thermal vacuum testing, compare the readings of the integrated NTC sensors to a calibrated reference thermocouple attached to the same point to verify accuracy and bonding integrity. | D2.5, Section 5.3, page 43, D2.5, EnvR_003, page 28 |
| FC_049 | HOTDOCK Mechanical Structure | Housing | Dissimilar Metal Interface | Provide the main structure and enclosure. | Maintain structural integrity throughout the mission. | Ensure galvanic compatibility between dissimilar metals in contact (DesR_016). | Dissimilar metals are in direct contact → Galvanic corrosion occurs at the interface over time, especially if any residual moisture is present → The structural integrity of the interface is weakened → Potential for structural failure. | 6 | Structural integrity degraded | Galvanic corrosion between a steel fastener and the aluminum housing due to an omitted or damaged surface coating (e.g., anodize or chromate conversion). | DesR_016 requires dissimilar metals to have galvanic compatibility. Verification is by Analysis. | 3 | The design is reviewed for this compatibility. Inspection would verify coatings. | 4 | L | All interfaces between dissimilar metals must be designed with appropriate protective schemes, such as plating, conversion coatings, or wet-installed with a corrosion-inhibiting compound, per ECSS-Q-ST-70. | Add a specific check to the assembly inspection procedure to verify that all required coatings and protective measures are in place at dissimilar metal interfaces. | D2.5, DesR_016, page 21, No specific test identified |
| FC_056 | HOTDOCK Data Interface | CAN Bus Interface | Bus Termination | Provide a re-routable data interface. | Allow command and telemetry exchange over a standard CAN bus. | Provide correct impedance at the ends of the bus to prevent signal reflections. | Termination resistor is missing or has incorrect value → Signal integrity on the bus is compromised by reflections → Intermittent communication errors, reduced noise margin → Loss of reliable command and control. | 6 | Communication is intermittent | An assembly error leads to the omission of the 120-ohm termination resistor on the harness or PCB. | The controller uses a CAN bus (D2.5, pg 45, 48). Proper implementation is assumed. | 3 | A communications functional test would be performed. Signal integrity issues can be hard to diagnose. | 5 | L | The system-level CAN bus network diagram must clearly define which units are at the ends of the bus and are responsible for providing termination. Make termination resistors easily inspectable. | During integration, measure the DC resistance across the CAN high and low lines to verify it is approximately 60 ohms (two 120-ohm terminators in parallel). | D2.5, Section 6.2, page 45, No specific network design document cited |
| FC_062 | HOTDOCK Sensors | Thermistor (Motor) | Thermistor Element | Provide telemetry for monitoring. | Provide temperature telemetry from local power buses (FuncR_018). | Exhibit a change in resistance corresponding to the motor temperature. | Thermistor fails open-circuit → Controller reads an out-of-range (e.g., very cold) temperature → Thermal protection logic is disabled → A subsequent motor overheat condition will not be detected, leading to winding insulation failure. | 6 | Fails to detect over-temperature | Fatigue failure of the thermistor lead wire due to vibration. | FuncR_018 requires temperature telemetry. THM_1 (Motor) is listed in the telemetry list (Table 4-2). | 4 | The open circuit would result in an obviously incorrect reading (e.g. -273C), which would be flagged by ground software. | 3 | L | Ensure all sensor leads are properly strain-relieved using S-bends and are staked to the structure with space-grade epoxy. | During vibration testing, monitor all telemetry channels for intermittent signals or dropouts that could indicate a developing wire fatigue issue. | D2.5, Table 4-2, page 35, D2.5, FuncR_018, page 14 |
| FC_066 | HOTDOCK Actuation Assembly | Absolute Position Sensor | Sensor Electronics | Provide feedback for control. | Detect the absolute position of the locking ring. | Convert physical rotation into an electrical signal. | Sensor output becomes noisy → Controller receives erratic position data → The control loop may become unstable, causing motor jitter → Poor control precision, potential for fault trips. | 6 | Provides noisy/unstable position signal | Electromagnetic interference (EMI) from the nearby motor's switching currents couples into the sensitive analog sensor wiring. | FuncR_016 requires EMC. The design shows motor and sensor signals routed to the same controller. | 5 | Functional testing under load would reveal jitter or instability. | 4 | L | Use shielded cables for the analog sensor signals and ensure the shield is properly grounded at one end. Route sensor cables separately from high-current motor cables. | During EMC testing, monitor the noise floor on the position sensor output while the motor is operating under various loads. | D2.5, FuncR_016, page 14, D2.5, Figure 3-1, page 30 |
| FC_071 | HOTDOCK Actuation Assembly | Gearing System | Backlash | Transmit torque. | Transmit torque with minimal backlash. | Ensure tight meshing of gear teeth to minimize free play in the geartrain. | Excessive backlash in the geartrain → The locking ring has rotational free play → Impact loading on gear teeth during direction changes, reduced positional accuracy → Accelerated wear, potential for tooth fracture. | 6 | Positional accuracy is degraded | Wear of the gear teeth over many actuation cycles increases the clearance between them, leading to excessive backlash. | The interface must be reusable for 100-1000 cycles (OpR_002). | 5 | Life testing would be the primary verification method. | 6 | L | Specify and use anti-backlash gears (e.g., spring-loaded split gears) in critical stages of the geartrain to maintain precision over the product's lifetime. | Measure the output backlash of the gearbox at the beginning and end of the life test to quantify the degradation and verify it remains within acceptable limits. | D2.5, OpR_002, page 25, No specific backlash limit defined |
| FC_075 | HOTDOCK Actuation Assembly | Motor Controller | Field Oriented Control (FOC) Algorithm | Control the brushless DC motor. | Provide field oriented control of the brushless motor (D2.5, pg 45). | Precisely control the stator magnetic field vector to achieve smooth and efficient torque production. | Tuning parameters for the FOC algorithm are incorrect → The control loop becomes unstable, causing oscillations or high current draw → Audible noise, vibration, inefficient operation, potential for stalling. | 6 | Motor control is unstable | The PI loop gains for the FOC algorithm are not correctly tuned for the inertia and friction of the actual mechanical load. | The design specifies FOC. The firmware must implement this. | 5 | Functional testing under load would reveal instability. Motor current telemetry could show oscillations. | 4 | L | Develop a system identification model of the motor and mechanism to allow for analytical tuning of the FOC control loop parameters before implementation. | Create a specific test procedure for tuning the FOC gains on the actual hardware, with instrumentation to measure stability and performance margins. | D2.5, Section 6.1, page 45, No specific tuning procedure cited |
| FC_083 | HOTDOCK Controller | Firmware | Telemetry Packet Generation | Control all HOTDOCK functionalities. | Send and receive TM/TC from the host OBC (FuncR_030). | Assemble sensor data and status information into a defined packet structure for transmission. | A bug causes the telemetry packet to be malformed (e.g., incorrect length or CRC) → The host OBC rejects the packet → Ground control loses all telemetry from the HOTDOCK → Inability to monitor the health and status of the interface. | 6 | Fails to send valid telemetry | A software bug related to data alignment (e.g., padding bytes) causes the telemetry packet's checksum to be calculated incorrectly. | The telemetry list is defined (Table 4-2). The TM/TC interface must be tested. | 4 | Verification is by Testing (FuncR_030). | 4 | L | Develop a formal Interface Control Document (ICD) that precisely defines the byte-by-byte structure of all TM/TC packets, and use this ICD to generate code automatically for packet serialization/deserialization. | Use a bus analyzer (e.g., CAN analyzer) during testing to capture and validate the structure and content of every telemetry packet against the ICD. | D2.5, FuncR_030, page 17, No interface control document (ICD) cited |
| FC_089 | HOTDOCK Mechanical Locking Mechanism | 90-degree Rotational Symmetry | Mechanical Symmetry | Provide redundancy and increase possible positions for mating. | Present a 90-degree rotational symmetry (DesR_006). | The form-fit geometry and locking features are identical in each of the four quadrants. | A manufacturing defect breaks the symmetry in one quadrant → Mating in that specific orientation is not possible or causes jamming → Loss of a redundant orientation; may prevent mission completion if a specific orientation is required. | 6 | Fails to mate in one orientation | A CNC machining error results in one of the four quadrants having an out-of-tolerance feature. | DesR_006 requires 90-degree symmetry. Verification is by Review of Design. | 2 | First article inspection with a CMM would detect the geometric error. A functional test with another unit would detect the mating failure. | 2 | L | Develop a comprehensive quality control plan including 100% CMM inspection of all critical features on the first article, and statistical process control for production units. | During acceptance testing, perform a test mate with a golden standard master part in all four possible orientations to verify interchangeability and symmetry. | D2.5, DesR_006, page 19, No manufacturing document cited |
| FC_110 | HOTDOCK Actuation Assembly | Barrel-Cam Mechanism | Detent | Translate motor rotation into motion. | Provide a stable locked and unlocked position. | A feature in the cam profile that provides a stable resting point at the end of travel. | No detent feature exists → The mechanism can be back-driven away from the end-of-travel position by vibration → The connection could loosen over time. | 6 | Fails to hold position securely | The cam profile is designed without a detent, relying solely on the motor brake to hold the final locked position. | The locking mechanism is designed to provide a secure connection. | 4 | A vibration test would reveal if the connection loosens. | 5 | L | Design the barrel cam profile with a positive detent feature (e.g., a small depression or flattened area) at the fully locked position to provide a mechanically stable state. | During functional testing, verify that a positive torque is required to move the mechanism out of its locked state, even with the motor unpowered. | D2.5, Section 3.1, page 31, No specific detent feature mentioned |
| FC_114 | HOTDOCK Thermal Interface | Thermal Conduction Path | Interface Thermal Resistance | Enable thermal connection to the module structure (IntR_006). | Provide a path for conductive heat transfer from internal components to the housing. | Ensure low thermal resistance between heat-generating components (like the motor driver) and the main structure. | A high thermal resistance path exists → Heat is trapped in the controller PCB → The controller overheats, leading to premature failure. | 6 | Overheats | The thermal interface material between the controller PCB and the housing is omitted during assembly. | IntR_006 requires thermal connection to the module structure. | 4 | A thermal analysis would define the need for a TIM. A thermal vacuum test would detect the overheating. | 4 | L | Clearly specify the type and location of all required thermal interface materials on the assembly drawing and in the assembly procedure. | During thermal vacuum testing, place thermocouples on critical components (e.g., motor driver, microcontroller) to verify that their temperatures match the predictions from the thermal analysis. | D2.5, IntR_006, page 24, No specific assembly procedure cited |
| FC_123 | HOTDOCK Power & Data Interface | POGO Pin Connector | Redundant Signal Routing | Provide a separable interface for power and data. | Feature one-failure-tolerance redundancy (DesR_003). | Route primary and redundant signal pairs through physically separate paths. | Primary and redundant signals are routed on adjacent pins → A single piece of conductive debris can short both lines → The redundancy is defeated → A single failure now leads to loss of function. | 6 | Loss of redundancy | The connector plate PCB layout places primary and redundant data pairs next to each other, creating a common-cause failure vulnerability. | DesR_003 requires one-failure-tolerance redundancy. | 5 | Verification is by Review of Design. | 4 | L | Establish formal layout rules that require maximum physical separation of redundant signal paths on all PCBs and in all harnesses. | Make redundant path separation a mandatory item on the design review checklist for all PCBs and harnesses. | D2.5, DesR_003, page 18, No specific layout guidelines cited |
| FC_127 | HOTDOCK Controller | Power Conversion | Linear Regulator | Provide local low-level bus generation. | Provide stable low-level voltages for sensitive analog circuits. | Provide a low-noise regulated voltage. | Linear regulator overheats → The regulator enters thermal shutdown → The analog circuit it powers loses power → Loss of sensor readings. | 6 | Fails to provide regulated voltage | Excessive power dissipation in the linear regulator due to a high input-to-output voltage differential and insufficient heat sinking. | The power budget is considered (Table 7-2). Thermal design is part of the overall robust design (DesR_005). | 4 | A thermal analysis should find this. A thermal vacuum test would confirm it. | 4 | L | Perform a detailed power dissipation and thermal analysis for all linear regulators. Ensure adequate PCB copper area is provided for heat sinking. | Use a thermal camera to inspect the controller PCB under full load to verify that no components are exceeding their temperature limits. | D2.5, Table 7-2, page 47, D2.5, DesR_005, page 19 |
| FC_141 | HOTDOCK Harnessing | Wiring Harness | Wire Insulation (e.g., Teflon) | Connect internal components. | Route electrical signals and power reliably. | Provide dielectric separation with low outgassing properties per DesR_019. | Insulation outgasses volatile materials → The outgassed materials condense on cold surfaces like optics or thermal radiators → Contamination degrades optical or thermal performance. | 6 | Contaminates external surfaces | Selection of a wire insulation material that does not meet the low outgassing requirements for space applications (TML > 1%). | DesR_019 requires materials to have low outgassing and toxicity. Verification is by Analysis. | 3 | The material properties would be reviewed. A thermal vacuum bake-out with a cold finger would detect high outgassing. | 4 | L | Select only wire and cable with insulation materials approved for space use and with certified low-outgassing properties (e.g., Teflon variants like FEP, PFA, or TFE). | Perform a Residual Gas Analysis (RGA) during a system-level thermal vacuum test to identify and quantify any outgassed species. | D2.5, DesR_019, page 22, no evidence |
| FC_147 | HOTDOCK Actuation Assembly | Rotor Bearings | Bearing Race | Support the motor rotor and geartrain shafts. | Allow low-friction rotation of shafts. | Provide a hardened, smooth surface for rolling elements to travel on. | Bearing race is damaged by false brinelling → High stiction and vibration when rotating → Higher torque is required to start motion, positional accuracy is degraded. | 6 | Actuation is jerky or noisy | False brinelling (fretting wear) of the bearing races caused by small-amplitude oscillations during launch vibration while the mechanism is stationary. | The interface must be compliant with launch loads (FuncR_007). | 5 | Verification is by Testing. Post-vibration functional checks may notice increased friction or noise. | 6 | L | Implement a launch lock mechanism that rigidly secures the actuation drive train to prevent any micro-motion in the bearings during launch. | After vibration testing, perform a detailed characterization of the actuator's running torque and compare it to pre-vibration data to detect any increase in friction or stiction. | D2.5, FuncR_007, page 11, No specific launch lock mechanism cited |
| FC_172 | Spacecraft Module (SM4-THS) | Thermal Payload | Radiator Fan | Provide thermal management for the CLT SMs. | Dissipate heat transferred from the SM2-PWS via the fluid loop. | Force air over the radiator to dissipate heat into the surrounding environment (for ground demo). | Fan motor seizes → Airflow over the radiator stops → Heat is not dissipated effectively from the fluid loop → The fluid temperature rises, leading to overheating of the SM2-PWS → PWS may shut down or be damaged. | 6 | Fails to dissipate heat | Bearing failure in the fan motor due to lubricant degradation over time. | The SM4-THS includes a radiator and fan. The thermal controller manages the fan. (D2.4, Section 6.4.5) | 4 | The failure would be detected by monitoring the THS and PWS temperature telemetry, which would show a rapid rise. (D2.4, Table 6-3) | 3 | L | Select a high-reliability fan with a long-life bearing system suitable for the application. Implement a redundant fan in the design. | Perform an accelerated life test on the fan assembly to validate its operational lifetime. | MOSAR D2.4, page 83, MOSAR D2.4, Table 6-3, page 80 |
| FC_199 | HOTDOCK Structure | Mounting Interface | M3 Mounting Bolt Threads | Provide a mechanical connection to the module or robotic end-effector. | Transfer all operational and launch loads to the parent structure. | Provide secure threaded engagement to achieve clamping force. | Threads gall during assembly → Bolt seizes in the threaded hole → The bolt cannot be torqued to the correct value or cannot be removed → Improper preload, or inability to service the unit. | 6 | Fails to achieve correct preload | Galling (adhesive wear) between the threads of a stainless steel bolt and a tapped aluminum housing during installation. | DesR_009 allows for dissimilar materials and DesR_016 requires galvanic compatibility, which often drives material choices leading to galling risk. | 4 | The issue would be detected during assembly when the torque wrench 'clicks' prematurely or the torque continues to increase without rotation. | 3 | L | Install stainless steel threaded inserts (e.g., Helicoils) into the aluminum housing. Use a silver-plated fastener or apply a space-rated anti-galling lubricant to the threads. | Mandate the use of a calibrated torque-angle wrench during assembly to detect galling, which is characterized by a low stiffness prior to reaching the target torque. | D2.5, DesR_009, page 19, D2.5, DesR_016, page 21 |
| FC_039 | HOTDOCK Power Interface | Sense Circuitry | Voltage Divider Resistors | Provide telemetry for current and voltage (D2.5, pg 42). | Provide telemetry for voltage passed through the interface. | Scale down the bus voltage to a range readable by the microcontroller's ADC. | Resistor value drifts significantly over time → Voltage telemetry becomes inaccurate → Ground control makes incorrect decisions based on faulty telemetry, or automated protections trip unnecessarily. | 5 | Reports incorrect voltage telemetry | Resistance value shifts due to long-term aging and exposure to the radiation environment. | FuncR_018 requires voltage telemetry. Use of high-reliability, space-qualified resistors is assumed. | 3 | Verification is by Testing. Calibration would be part of this. | 4 | L | Specify the use of high-precision, low-temperature-coefficient, and established-reliability (space-grade) resistors for all critical analog measurement circuits. | Perform a calibration check of all telemetry channels at the beginning and end of a thermal vacuum life test to characterize any drift. | D2.5, FuncR_018, page 14, No specific component grade is cited |
| FC_050 | HOTDOCK Controller | Firmware | Quiescent Power Mode Logic | Control all HOTDOCK functionalities. | Draw less than TBC mW of quiescent power in passive state (FuncR_019). | Place the microcontroller and peripherals into a low-power sleep mode when idle. | Firmware fails to enter sleep mode → Quiescent power draw is much higher than specified → The spacecraft power budget is exceeded, especially if many HOTDOCKs are installed → Drains batteries, may cause system to shut down. | 5 | Power consumption too high in passive state | A software bug prevents a peripheral (e.g., a timer or UART) from being properly shut down before the microcontroller enters its main sleep mode. | FuncR_019 requires low quiescent power. Power budget is provided in Table 7-2. | 5 | Verification is by Testing. The power budget is an input to this testing. | 3 | L | Create a detailed power state diagram in the firmware design, and use a code checklist to ensure every peripheral is explicitly managed upon entry/exit from low-power modes. | Perform a detailed power consumption measurement of the controller in all operational states, particularly the passive state, to verify compliance with the power budget. | D2.5, FuncR_019, page 14, D2.5, Table 7-2, page 47 |
| FC_096 | HOTDOCK Actuation Assembly | Absolute Position Sensor | Multi-turn Counter | Provide feedback for control. | Detect the absolute position of the locking ring. | Keep track of the number of full rotations if the sensor is not absolute over the full range. | Power loss causes the multi-turn counter to reset → The controller loses the absolute position of the locking ring → The system must perform a re-homing sequence, or it may operate with an incorrect position offset. | 5 | Loses absolute position reference | A power interruption to the sensor or controller causes the volatile turn counter to be lost. | The telemetry list includes 'Absolute position sensor' (HK_2, POSI_2), implying a truly absolute sensor is intended. | 4 | A re-homing sequence or comparison with other sensors (if available) would be needed to detect the offset after a power cycle. | 6 | L | Select a truly absolute position sensor that does not require a battery or external power to maintain its position information (e.g., a resolver or a modern magnetic absolute encoder). | Perform a power-cycle test where the mechanism is stopped at various intermediate positions, and verify that the reported position is correct immediately after power is restored. | D2.5, Table 4-2, page 35, No specific sensor type cited |
FC_108HOTDOCK Power & Data InterfacePOGO Pin ConnectorContact WipeProvide a separable interface for power and data.Establish a compliant electrical connection.The pin tip must slide a short distance across the pad surface during mating to clear away any light contamination.No wiping action occurs | The pin makes contact but does not wipe | Light oxide layers or contaminants are not cleared | Higher probability of a high-resistance connection.5Contact resistance is highThe kinematics of the mating process result in a purely vertical engagement with no lateral motion, preventing any contact wipe.The form-fit geometry guides the final approach. This implicitly defines the mating kinematics.5High-resistance connections would be detected during electrical testing.6LAnalyze and refine the cam profiles and form-fit geometry to ensure a small amount of lateral motion (wipe) is induced on the connector plate during the final stage of engagement.Use high-speed video to observe the POGO pin engagement on a microscopic level to verify that a wiping action is occurring.D2.5, Section 3.1, page 30, No specific requirement for contact wipe
FC_120HOTDOCK Power InterfacePower ConsumptionActive Mode PowerProvide power to internal components.Power consumption shall be minimized, with a max of 10W in active mode (OpR_010).The combined power draw of the controller and motor must not exceed 10W.Power consumption exceeds the 10W limit | The spacecraft power budget is violated | May cause the upstream power regulator to trip, or drain batteries faster than planned.5Power consumption too high in active modeHigh mechanical friction in the mechanism forces the motor to draw more current (and thus power) than anticipated to complete the actuation.OpR_010 sets the power limit. The power budget (Table 7-2) estimates 2.7W total.5Verification is by Testing.3LRefine the mechanical design to minimize friction. Select a high-efficiency motor and gearbox combination.Measure the power consumption of the interface during a full actuation cycle under worst-case load and temperature conditions to verify compliance with the 10W requirement.D2.5, OpR_010, page 27, D2.5, Table 7-2, page 47
FC_192HOTDOCK SensorsNTC Temperature SensorThermistor ElementProvide telemetry for monitoring.Measure temperature of various components (motor, MCU, PCB).Exhibit a known change in resistance with temperature.Thermistor resistance drifts out of specification | The reported temperature is inaccurate | Thermal protection may trip too early or too late | Inaccurate system health monitoring.5Reports incorrect temperature telemetryAging of the thermistor material causes its resistance-temperature characteristic to drift over many years and thermal cycles.Temperature telemetry is required (FuncR_018) and specific thermistors are listed in telemetry (Table 4-2).3This slow drift is very difficult to detect without periodic re-calibration against a known standard.8LSelect high-stability, space-qualified thermistors. Use high-precision reference resistors in the measurement circuit to minimize other sources of drift.Perform an accelerated aging test (thermal cycling and bake) on a sample of thermistors and characterize their long-term drift.D2.5, FuncR_018, page 14, D2.5, Table 4-2, page 35
FC_109HOTDOCK StructureHousingMassProvide the main structure and enclosure.The standard interface shall be optimized regarding the mass (PhysR_001).The component mass must be within the allocated budget of 1.56 kg (Table 7-1).The final design is overweight | The overall system mass budget is exceeded | Launch cost increases, or other components must be lightened.4Exceeds mass budgetAn unforeseen design change (e.g., adding structural reinforcement) increases the mass of the housing beyond the budgeted amount.PhysR_001 requires mass optimization. A detailed mass budget is provided in Table 7-1, including a 10% margin.4Verification is by Testing (weighing the part). The mass is tracked throughout the design process.2LMaintain a live mass roll-up report throughout the design process, and hold regular reviews to track any deviations from the budget.Weigh all components and sub-assemblies at key stages of the manufacturing and integration process to validate the mass model.D2.5, PhysR_001, page 23, D2.5, Table 7-1, page 47
FC_128HOTDOCK Power & Data InterfaceData Transfer InterfaceData RateAllow exchange of data.The data interface shall allow a data rate of minimum 100Mbit/s (FuncR_020).The physical layer must support the required bandwidth.The physical layer does not support 100Mbit/s | The data link can only be operated at a lower speed | The requirement is not met, throughput for large data transfers is reduced.4Data rate is below specificationThe combination of POGO pin capacitance and trace length creates a low-pass filter effect that degrades the signal at 100Mbit/s.The prototype design allows SpaceWire transfer of 100Mbps over 5.5m (D2.5, pg 41).4Verification is by Testing.3LPerform a detailed signal integrity simulation of the entire end-to-end channel to verify performance at 100Mbit/s before committing to the PCB design.During verification testing, perform a bit error rate test (BERT) on the data link at the required speed to confirm error-free operation.D2.5, FuncR_020, page 15, D2.5, Section 5.2.1, page 41
FC_106HOTDOCK Actuation AssemblyMechanical TransmissionActuation SpeedRotate locking ring.Minimize the coupling time between two interfaces (OpR_011).Operate at the maximum speed allowed by the motor and control system.Actuation is too slow | Coupling time is longer than specified | Mission timelines may be impacted.3Coupling time too longThe motor speed is intentionally limited in firmware to a very conservative value to ensure stability, resulting in slow operation.OpR_011 requires minimized coupling time.4Verification is by Testing. The coupling time will be measured.2LPerform a trade study and testing to determine the optimal motor speed that balances speed of operation with control stability and power consumption.Characterize the actuation time as a function of motor speed and load during design verification testing.D2.5, OpR_011, page 27, No specific time requirement defined
FC_121HOTDOCK Actuation AssemblyBrushless DC Motor (MAXON EC 32 flat)Motor Cogging TorqueRotate locking ring.Generate smooth rotational torque.Minimize torque ripple caused by the interaction of the rotor magnets and stator teeth.High cogging torque | The motor has a 'lumpy' feel and requires more torque to start moving | The control loop must work harder, may be less stable at low speeds.3Motor control is unstable at low speedThe selected motor has a high intrinsic cogging torque.The motor is a coreless design ('flat'), which typically have low cogging torque. This is an inherent design choice.3This would be characterized during initial motor testing.3LFor future designs, specify a maximum cogging torque as a motor selection criterion. Implement a feed-forward compensation algorithm in the firmware to cancel out known cogging torque.Measure the cogging torque of the selected motor on a dynamometer to provide data for control loop tuning and future component selection.D2.5, Figure 3-1, page 30, No specific requirement on cogging torque
FC_093HOTDOCK ControllerLED Pattern ControlLED Driver CircuitProvide visual status indication.Control LED patterns (TC_4).Drive current through the status LEDs.LED driver fails | No visual status is provided | An operator (e.g., astronaut or ground tele-operator) cannot visually confirm the state of the interface | Increased risk of incorrect operation.2Fails to provide visual statusA burned-out LED or a failed driver transistor.TC_4 is a defined telecommand for LED control.4A functional test during ground operations would identify the failure.2LUse high-reliability LEDs and ensure the driver circuit design includes current-limiting resistors with proper derating.Incorporate a check of all LED patterns into the standard pre-operation checkout sequence.D2.5, Table 4-1, page 34, No specific design details given

Engineered for Precision & Compliance

We bridge the gap between AI efficiency and strict industry standards, delivering reliable risk analysis outcomes that engineering teams can trust.

Expert Engineered

Developed by experienced FMEA practitioners and AI engineers to reflect established DFMEA and PFMEA practices.

Scalable Analysis

Supports large, structured FMEA analyses (up to 200 entries) in a single run, maintaining hierarchy and consistency.

Industry Compliant

Produces Excel outputs compatible with industry practices and AIAG & VDA conventions without manual reformatting.

Agentic Quality Checks

Applies an agentic workflow with quality gates to support logical rigor, consistency, and disciplined FMEA development.

Strict Data Privacy

Documents are deleted after processing, ensuring you retain full control over sensitive data.

Process Failure Mode and Effects Analysis

Manufacturing and process engineers envision a process that is free of errors. Unfortunately, errors, and especially errors that propagate when people are involved, can be catastrophic. Process Failure Mode and Effects Analysis (PFMEA) examines each process step to identify risks and possible errors from many different sources.

PRICING

Get started instantly with our Standard plan or contact us for custom volume licensing and dedicated support.

Standard
LAUNCH SALE: LIMITED TIME

1 Credit = 1 Complete FMEA Entry

What's Included
Advanced agentic analysis workflow with deep internal quality checks
Supports both Design (DFMEA) & Process (PFMEA)
Supports input formats: PDF, JPEG, WebP, CSV, XLSX, XLS, TXT
Industry-aligned downloadable Excel output & email delivery
Customer support backed by Quality Engineers
Generate up to 200 complete FMEA entries in a single run
Strict data privacy & security protocols
Custom
Enterprise

Get a Quote

Enterprise solutions for high-volume needs, on-premise solutions, dedicated support, and custom requirements.

What's Included
Includes all Standard features
On-premise (local) deployment options
Custom FMEA template integration
Tailored solutions for advanced requirements
Dedicated account manager & SLA

Do you have any questions?

Upload any documents that describe your product design or manufacturing process, at any maturity level.

For Design FMEA (DFMEA):

  • Product requirements and specifications
  • Design descriptions, drawings, schematics, and interfaces
  • Known issues, discrepancy reports, or lessons learned

For Process FMEA (PFMEA):

  • Work instructions and standard operating procedures
  • Process flow diagrams and layouts
  • Product descriptions or datasheets for functional context

More detailed and structured inputs lead to more accurate and relevant FMEA results.

You receive a complete FMEA Excel file, structured according to AIAG & VDA industry practices.

  • Supports both Design FMEA (DFMEA) and Process FMEA (PFMEA)
  • Delivered in a review-ready Excel format
  • Includes structure, functions, failure chains, current controls, ratings, and recommended actions

The output is intended to accelerate engineering work and support structured FMEA reviews.

  • Severity, Occurrence, and Detection (S/O/D) ratings are generated by the AI based on embedded AIAG & VDA rating logic.
  • Action Priority (AP) is automatically assigned using the official AIAG & VDA Action Priority tables.

All values in the Excel file are fully editable and should be reviewed, adjusted, and approved by your cross-functional team.

FMEA is most effective when performed early in design and process development.

Early DFMEA and PFMEA help:

  • Identify risks before they become costly
  • Drive requirements and controls early in the project lifecycle
  • Improve schedule predictability and cost efficiency

FMEA performed later can still add value, but design and process changes become significantly more expensive.

No. For security and data-privacy reasons, the app does not function as a long-term FMEA management system.

  • Uploaded documents are deleted immediately after analysis
  • Generated FMEA files are not stored after download

This approach minimizes data retention and ensures your intellectual property remains under your control.

Each FMEA entry includes explicit AI rationale in the Excel output, with a strong focus on grounding current prevention and detection controls in the uploaded documents.

This allows you to:

  • Verify whether identified controls are objectively supported by your documentation
  • Review the logic behind failure modes and effects in the context of the provided information
  • Quickly identify assumptions, gaps, or areas requiring engineering judgment

While the AI accelerates analysis and highlights risk areas, final validation and approval must always be performed by qualified engineers.

No. The generated FMEA is a high-quality draft, not a final certification record.

Before any audit or submission:

  • Human review and approval are required
  • Ratings, actions, and responsibilities must be confirmed
  • Internal FMEA procedures must be applied

The app accelerates FMEA creation and improves consistency, but final responsibility remains with your organization.

Yes. We offer 25 free credits to every new user upon registration—no credit card required. You can use these credits to generate your first FMEA entries and test the full capabilities of our AI workflow before purchasing a plan.

Get in Touch

Have questions? Our team is on standby to help you with the platform or discuss any custom requirements.

Contact Us
Address
Maudlin Works, LLC, 1111B S Governors Ave, STE 21109, Dover, DE 19904 US