ECSS-EST & HB-20-20 C – A POWER INTERFACE STANDARD & HANDBOOK FOR PRODUCTS DEVELOPMENT

With progression of space experience, the need of more stable and repeatable interfaces definition becomes clear. Especially for satellite platform needs, some electrical interfaces need a more reproducible application frame, to ensure at the same time the necessary and undisputable quality and reliability needed for institutional and non-institutional missions, and the containment of costs that nowadays is overall requested. The prerequisite to be able to establish a wide and agreed basis for the definition of the power electrical interfaces on board of a spacecraft is the existence of a consolidated reference architecture. Such consolidated reference architecture indeed exists for the power subsystem of ESA satellites: due to a number of practical reasons, the concept of using Latching Current Limiters (or LCLs) for the satellite onboard power distribution has consolidated over many decades. This allowed a global European agreement on the relevant interface definition, which culminated in the drafting, reviewing and publication of the ECSS-EST-20-20C standard (STD) and of the relevant handbook ECSS-E-HB-20-20A (HB). 1 STD AND HB GENESIS The idea of preparing a guideline on the subject of power distribution by LCLs started long ago in TECEPM section in ESTEC. The idea was to collect and harmonise all the experience around this specific interface, in order to provide a reasoned baseline at the advantage of all the ESA programs. A first technical note ([1]) was prepared in 2009, and just after the first drafting a workshop was called in ESTEC for exchanging the initially consolidated ideas with industry. The workshop took place in May 2010, it saw interested and pro-active participation from power electronics European community. Notably, the requirement set was established after the consolidation of the initial technical note: in fact the technical note contained the description of the LCL power interface, the explanation of the relevant issues, both from source and load side, and the requirements were derived accordingly. This process allowed understanding some aspects that at that moment were not yet consolidated, and triggered specific research actions on unresolved technical issues (for example, relevant to stability of the LCL sourceload interface [2]). In 2014, an ECSS New Work Item Proposal was approved for the drafting of a standard and of a relevant handbook, with the main objective to give a rationale of the standard requirements. A dedicated working group (WG) was set-up accordingly, with representatives selected from Satellite Primes, power distribution equipment manufacturers and ESA. The authors of the present paper are the members of the ECSS WG. The draft versions of the STD and the HB were ready in December 2014, the public review took place mid-2015, and the amended version of both documents have been provided to the ECSS secretariat in November of the same year. The final ECSS publication took place in April 2016. 2 INTRODUCTION Following the original development chronology, the HB is presented first, after a brief recap of what the power distribution by LCLs is. Then the STD is explained, especially in relation to its structure, to the relevant key assumptions and to the main (in a certain sense, historical) agreements achieved for what regards the LCL classes. Some of the most critical power interface requirements are then explained and discussed. 2.1 The Power Distribution by LCLs The power distribution by Latching Current Limiters, or LCLs, has been widely used in almost all European DOI: 10.1051/ , 71613001 16 E3S Web of Conferences e3sconf/201 ESPC 2016 13001 (2017) © The Authors, published by EDP Sciences. This is an open access article distributed under the terms of the Creative Commons Attribution License 4.0 (http://creativecommons.org/licenses/by/4.0/). satellites for some decades as an effective way to achieve a very controlled and reliable load connection and disconnection from the satellite main bus, including power management in case of overload and load short circuit failures. Additionally, power distribution by LCLs minimises inrush current events due to load filters charging, and for this reason effectively allows the reduction of the loads filters themselves. A generic architecture for a Latching Current Limiter, or LCL, is shown in Figure 1. Note that the diagram in Figure 1 is given only as a reference, without losing generality, and some of the features thereby reported can be actually realised differently. Figure 1, LCL generic block diagram The Latching Current Limiter, or LCL, is a switch-able, latching, resettable over-current/overload protection placed between a power source and the relevant load. The LCL can be commanded ON and OFF and a relevant memory cell normally latches its status. Typically, an LCL presents a minimum residual resistance between power input and power output during nominal operation (i.e. when the switch is commanded closed). In case of an overload, e.g. when the load current request exceeds a prefixed threshold, the LCL enters current limitation and a time counter is activated. If the overload condition persists for a given time duration (called trip-OFF time), the time counter commands the LCL OFF. Normally there should be an external command activation to reset the LCL into its original ON state. The basic elements of an LCL are the following: the section containing the switch, the driver and the current sensor, the section relevant to the trip-OFF timer, the section relevant to the memory cell and switch supply section, the under-voltage protection (UVP) section, the auxiliary supply section (not shown in Figure 1), and the telemetry section. For a detailed description of each basic element, refer to chapter 5.2 of the HB [3]. Typical timing diagrams of the reaction of an LCL to an overload are shown in Figure 2 and in Figure 3. The reaction shown in Figure 3 is normally associated with a (very) abrupt overload and/or with some saturation effects in the current sensor/driver section of the LCL itself. Trip-off time Current Overshoot


ABSTRACT
With progression of space experience, the need of more stable and repeatable interfaces definition becomes clear.Especially for satellite platform needs, some electrical interfaces need a more reproducible application frame, to ensure at the same time the necessary and undisputable quality and reliability needed for institutional and non-institutional missions, and the containment of costs that nowadays is overall requested.The prerequisite to be able to establish a wide and agreed basis for the definition of the power electrical interfaces on board of a spacecraft is the existence of a consolidated reference architecture.Such consolidated reference architecture indeed exists for the power subsystem of ESA satellites: due to a number of practical reasons, the concept of using Latching Current Limiters (or LCLs) for the satellite onboard power distribution has consolidated over many decades.This allowed a global European agreement on the relevant interface definition, which culminated in the drafting, reviewing and publication of the ECSS-E-ST-20-20C standard (STD) and of the relevant handbook ECSS-E-HB-20-20A (HB).

STD AND HB GENESIS
The idea of preparing a guideline on the subject of power distribution by LCLs started long ago in TEC-EPM section in ESTEC.The idea was to collect and harmonise all the experience around this specific interface, in order to provide a reasoned baseline at the advantage of all the ESA programs.A first technical note ([1]) was prepared in 2009, and just after the first drafting a workshop was called in ESTEC for exchanging the initially consolidated ideas with industry.The workshop took place in May 2010, it saw interested and pro-active participation from power electronics European community.Notably, the requirement set was established after the consolidation of the initial technical note: in fact the technical note contained the description of the LCL power interface, the explanation of the relevant issues, both from source and load side, and the requirements were derived accordingly.This process allowed understanding some aspects that at that moment were not yet consolidated, and triggered specific research actions on unresolved technical issues (for example, relevant to stability of the LCL sourceload interface [2]).
In 2014, an ECSS New Work Item Proposal was approved for the drafting of a standard and of a relevant handbook, with the main objective to give a rationale of the standard requirements.A dedicated working group (WG) was set-up accordingly, with representatives selected from Satellite Primes, power distribution equipment manufacturers and ESA.The authors of the present paper are the members of the ECSS WG.
The draft versions of the STD and the HB were ready in December 2014, the public review took place mid-2015, and the amended version of both documents have been provided to the ECSS secretariat in November of the same year.The final ECSS publication took place in April 2016.

INTRODUCTION
Following the original development chronology, the HB is presented first, after a brief recap of what the power distribution by LCLs is.Then the STD is explained, especially in relation to its structure, to the relevant key assumptions and to the main (in a certain sense, historical) agreements achieved for what regards the LCL classes.Some of the most critical power interface requirements are then explained and discussed.

2.1
The Power Distribution by LCLs The power distribution by Latching Current Limiters, or LCLs, has been widely used in almost all European satellites for some decades as an effective way to achieve a very controlled and reliable load connection and disconnection from the satellite main bus, including power management in case of overload and load short circuit failures.Additionally, power distribution by LCLs minimises inrush current events due to load filters charging, and for this reason effectively allows the reduction of the loads filters themselves.A generic architecture for a Latching Current Limiter, or LCL, is shown in Figure 1.Note that the diagram in Figure 1 is given only as a reference, without losing generality, and some of the features thereby reported can be actually realised differently.

Figure 1, LCL generic block diagram
The Latching Current Limiter, or LCL, is a switch-able, latching, resettable over-current/overload protection placed between a power source and the relevant load.The LCL can be commanded ON and OFF and a relevant memory cell normally latches its status.Typically, an LCL presents a minimum residual resistance between power input and power output during nominal operation (i.e. when the switch is commanded closed).In case of an overload, e.g. when the load current request exceeds a prefixed threshold, the LCL enters current limitation and a time counter is activated.If the overload condition persists for a given time duration (called trip-OFF time), the time counter commands the LCL OFF.Normally there should be an external command activation to reset the LCL into its original ON state.The basic elements of an LCL are the following: -the section containing the switch, the driver and the current sensor, -the section relevant to the trip-OFF timer, -the section relevant to the memory cell and switch supply section, -the under-voltage protection (UVP) section, -the auxiliary supply section (not shown in Figure 1), and -the telemetry section.For a detailed description of each basic element, refer to chapter 5.2 of the HB [3].Typical timing diagrams of the reaction of an LCL to an overload are shown in Figure 2 and in Figure 3.The reaction shown in Figure 3 is normally associated with a (very) abrupt overload and/or with some saturation effects in the current sensor/driver section of the LCL itself.The LCL behaviour in overload conditions is explained in detail in chapter 5.1.There are different variants of LCLs: apart the generic LCL described in Figure 1, both the STD and the HB mention the Retriggerable LCL, or RLCL, and the Heater LCL, or HLCL.The RLCL is an LCL including additional features.
It is basically an LCL not provided with an OFF command, which is set in any case in ON condition during start up, and performing an automatic start up, repeated switch ON sequence after an overload occurred, as long as the overload is present.
In case the overload is removed, the RLCL automatically ends up in ON conditions, e.g.delivering power to the load.The RLCL is normally used for supplying essential satellite loads, e.g. the ones that are essential for mission success (e.g.receivers and decoders).An example of RLCL timing diagram is given in Figure 5.
The HLCL is an LCL that is dedicated to the supply and the protection of a group of heaters, as shown in Figure 4.

Figure 4, HLCL application
The HLCL has the same functionality of a generic LCL, but its performances are relaxed because the nature of the load is resistive.That is why in the STD the HLCL classes differ from the LCL ones, and not all the requirements valid to the LCLs are also applicable to the HLCLs.

THE HANDBOOK
The HB [3] is derived directly from the initial ESA technical note [1] mentioned previously.
The scope of the HB is:  to explain the principles of operation of power distribution based on LCLs;  to identify important issues related to LCLs;  to give some explanations of the requirements set up in the STD for power distribution based on LCLs, for both source and load sides.Key aspects treated in the HB are the interactions between LCL and load (at start up, overload, switch-off conditions, both in time and in frequency domain, considering normal operational conditions but also failure cases).
The HB complements the STD, and it is directed at the same time to power system engineers, who are specifying and procuring units containing LCLs for power distribution and protection, and to power electronics design engineers, who are in charge of designing and verifying power distribution by LCLs.
For the system engineers, this document explains the detailed issues at circuit level and the impacts of the requirements for the design of LCLs.
For design engineers, this document gives insight and understanding on the rationales of the requirements on their designs.
It is important to notice that the best understanding of the topic of Power Distribution based by LCLs is achieved by the contextual reading of both the HB and the STD: the STD requirements are recalled in the HB with the same numbering and titles, so that a document search can quickly bring the reader to the required explanations.

Structure
The STD [4] has the typical structure of an ECSS standard (Introduction, Scope, Normative References, Terms, Definitions and Abbreviated Terms, Nomenclature, Principles an Requirements), but it provides in Annex A (Requirements Mapping) an informative table recalling all the requirements, indicating the feature or sub-feature the requirements refer to, the relevant conditions of application -nominal and/or fault case, LCL, RLCL and/or HLCL -, the applicability level (system, subsystem or equipment), and the verification method.Having a global synoptic has been considered essential for a better understanding of all the LCL distribution specification and its subtleties.An example is given in Figure 6.The test verification at design qualification level (T*) is intended to be performed on an electrical representative version of the hardware, on a set up not necessarily equal to the final flight one, to be established for the LCL distribution product line by the relevant manufacturer.

Content and coverage
After a chapter identifying the reference power bus specifications within the perimeter of which the LCL requirements are applicable, the LCL requirements are presented.They have been grouped in the following categories:  Functional, source (STD section 5.2)  Functional, load (STD section 5.3)  Performance, source (STD section 5.4)  Performance, load (STD section 5.5) A particular attention has been paid to identify requirements of the LCL source-load interface in order to ensure an optimum matching and anticipate or resolve the need of a late validation by test (specifically for behaviour at switch ON, when the LCL is used to charge the load input filter, and for stability purposessee later discussion in section 5.2 -).The target applications covered by the STD are all missions traditionally provided with power distribution and protection by LCLs/RLCLs (science, earth observation, navigation), with exclusion of applications for which the power distribution and protection is provided by fuses (e.g.most of the geostationary telecom satellites).The STD applies to power distribution by LCLs/RLCLs for power systems, and in general for satellites, required to be Single Point Failure Free.The STD applies exclusively to the main bus power distribution by LCLs/RLCLs to external satellite loads.Internal power system protections by LCLs/RLCLs are not covered.Note additionally that paralleling of LCLs to increase power supply line reliability is not covered by the present standard, since this choice does not appreciably change the reliability of the overall function (i.e.LCL plus load).In fact, a typical reliability figure of the LCL (limited to the loss of its switch ON capability) is 20 FIT or less.If the load to be connected to the LCL line has a substantially higher failure rate than this, it is not necessary to duplicate the LCL to supply that load.

4.3
Reference Power Bus Specifications and other assumptions To ensure the development of recurrent power distribution LCL/RLCLs for a number of applications, it is essential to define the envelope of the applicable power bus specifications (see table 1).The relevant assumptions are derived from state of the art satellite applications, for nominal or abnormal cases.Additional assumptions that have been made refer to the maximum qualification temperature of the unit hosting the power distribution LCLs/RLCLs/HLCLs (70 °C) and to expected main bus voltage time derivative (bus application or removal), considered to be variable between 0 to 0.1 V/ µs.The MOSFET is supposed to be at LCL class current before a hard short circuit is applied -Use the MOSFET manufacturer Safe Operating Area (SOA) to derive the maximum allowable trip off time especially for trip off time > 10 ms.The maximum load capacitance per class is also provided, according to the minimum limitation current and trip-off time, and maximum DC bus voltage value (both for regulated and unregulated bus).An additional factor of 70% is applied, leaving a 10% margin to comply with the maximum allowed input filter charge time of 80% of LCL/RLCL class minimum trip off time.The 10% margin is the allowance for covering a specific effect affecting LCL performance, the so-called dragging effect, which is explained in Annex D of the HB.

5
CRITICAL REQUIREMENTS Some critical requirements (indicated by the following subsections) are reported and explained hereafter.In any case, all these requirements are widely covered and explained in the HB.

LCL dynamic behaviour in overload
In case of a (very) abrupt overload, the LCL presents a transient behaviour as shown in Figure 2 and Figure 3.The so called current limitation response time is a critical performance for an LCL: it has to be fast enough in order to prevent that a dangerous stress level is reached before the LCL enters current limitation.In order to assess properly this issue, the STD defines: -the current overshoot -50Amps -: the maximum peak current that can be reached (see req. 5.4.1.1.1a)-the time to current overshoot -5µs -: the maximum time from actual current limitation to current overshoot peak (see req. 5.4.1.1.1c)-the current overshoot decay time: the maximum time constant delay from current overshoot peak to actual current limitation (assumption of exponential law for the decay time) and finally, -the current overshoot recovery time -300µs-, the maximum time needed for the current to reduce from its maximum value down to +10% of excess current above actual current limitation (see req. 5.4.1.1.1dand refer to Figure 2 and Figure 3).These characteristics have to be verified especially in the most critical overload case, when a short-circuit is applied at the output of the LCL (req.5.4.1.1.1b).Another reason to properly control the current limitation response time is to respect a maximum energy limit during abrupt overload; this allows ensuring a maximum bus voltage transient (within 5%) due to the LCL overload.The STD introduces therefore the maximum overshoot charge -1mC -: the charge requested at LCL input for current in excess of the actual limitation current (see req. 5.4.1.1.1e).One could think that increasing the bandwidth of the current limitation loop is the solution to improve the LCL current limitation time response but this could be detrimental to the LCL stability; a good compromise has to be found between speed of reaction and stability.The requirements in the STD are applicable also if the LCL presents a characteristic like the one shown in Figure 3 (compared to Figure 2) due to non-linear saturation effects in the control loop.

5.2
Stability of LCL source -load interface One of the critical areas to cover in the STD is indeed related to stability.The main problem with is that the LCL stability depends on the load, but the load might have a wide variability, being not necessarily known to the system integrator when a generic satellite power distribution unit is procured, or to the LCL manufacturer when the design of the LCL needs to be consolidated.
For small-signal stability, the idea was then to identify, and develop, a non conventional approach where the check of the stability is performed in two steps, resorting to a Norton equivalent circuit for the LCL, and addressing separately the stability of the LCL on a voltage sink (e.g. on a zero impedance load), followed by the LCL output impedance -load input impedance matching check, according to [2].
The verification of the LCL control loop stability on a voltage sink is performed for DC voltage of 4 ±1V being this condition a typical worst-case one for the overall MOSFET contribution to the loop stability (in the current MOSFET technology the worst -largestparasitic capacitance range is expected at low drainsource voltages).
The condition for the stability on the source and load impedance makes use of the revised Bode approach or other criteria as shown in [2], requires a phase margin of at least 30° for any point in frequency where the source and load impedance magnitudes are equal, and a gain margin of at least 5dB for any point in frequency where the source and load impedance phase difference is equal to -180°±n*360° (see req. 5.5.3.1.1aand 5.5.3.2.1a).
It is clear that the LCL output impedance shall be characterised in current limitation conditions (and for a LCL DC input -output voltage drop of 4±1 V, for the same reasons explained above).
The load impedance instead shall be evaluated considering both nominal load conditions requiring current limitation (e.g.input filter charging) and failure conditions (for example when the load fails in short circuit and the LCL sees an inductive load).Some additional stability checks are also required in time domain, for a sudden overload with inductive nature (being this the typical worst case stability condition -see req.5.4.6.3.1a and b) and for start up transients in current limitation mode (for any specified inductive or capacitive load -see req.5.4.6.4.1a and b).
For time domain transients it is required that the period of the observed oscillation is greater or equal to the envelope decay time (see Figure 7), which is equivalent to say that the number of visible "oscillations" periods in the relevant time domain transient is not higher than 3-4 to be sure to have the requested stability margins.
Much more details and explanations on the LCL stability are provided in the HB chapter 5.7.2.5, where additional hints are also provided for correct requirements verification.

5.3
Repetitive overload Especially in case of complex loads, it is virtually impossible to exclude that specific failure modes at load level do not result into a cyclic entry to and exit from LCL current limitation.This is particularly true when the load converter is provided with local under-voltage protection.If a failure occurs on the secondary side of the converter, causing a local overload, the LCL enters current limitation; the input voltage to the converter decreases and triggers the local under-voltage protection.As a result, the overload disappears, and therefore the input voltage to the converter increases, releasing the under-voltage and enabling the converter operation again.This cyclic entry and exit from current limitation scenario is called hiccup mode.The main issue of the LCL in hiccup mode is that the internal LCL timer can be periodically reset when the LCL exits current limitation, and for particular hiccup frequencies and duty cycles the timer could never command the LCL OFF.In this case, the junction temperature of the switch can easily achieve dangerous levels over rating and there is a chance for the switch to fail in short circuit, with catastrophic consequences, possibly main bus short and loss of mission.Therefore, the standard is requiring that RLCL and LCL ensure a reliable reaction under repetitive overload, i.e. either to switch-off or to maintain the switch junction temperature within derating/rating conditions.This can be resolved rather efficiently by implementing the LCL timer in the trip-off section with different time constants for counting up (during overload duration, and switch current limiting mode) and for counting down (when the switch goes back to ohmic conditions); as an illustration, a ratio of 30 between the count down and count up time constant is an indicative design choice verified on typical LCL design circuit under square wave overload profile and different duty cycles.The design suitability against repetitive overload requirement is expected to be verified by analysis, in the worst case conditions and for different overload repetition frequencies and duty cycles, the most critical conditions being verified by test at design qualification level.

Stress conditions
The overall principle behind a number of requirements addressing allowable stress limits (both for nominal LCL/RLCL/HLCL operation and for overload one) is the following, in accordance with the applicable ECSS derating standard ECSS-Q-ST-30-11C.For steady state or unlimited repetition of stress conditions, the LCL/HLCL/RLCL components shall respect the applicable voltage, current, power and temperature derating limits.This is the case for example of the junction temperature of the RLCL switch in overload conditions: there is the possibility to disable the periodical restart of the current limitation, but since this operation is only allowed by operator command, the thermal stress might remain for an uncontrolled duration.For single transients, or events of limited duration, the LCL/HLCL/RLCL components shall respect the applicable voltage, current, power and temperature rating limits.This is the case for LCL overloads: the temperature of the LCL switch shall respect the applicable rated limit, in worst-case conditions (including max overload, e.g.short circuit at the output for all expected trip-off time duration).Note that the stress conditions applicable to the load input filter charge stem directly from the example made above: the temperature reached by the LCL switch during input filter charging will be surely below rated limits since  the filter has to be fully charged within 80% max of the minimum trip-off time, with the minimum LCL class limitation current (req.5.4.2.3.1a); the output LC voltage is not zero, but increases as long as the filter charging takes place.

RLCL retrigger disable
The RLCLs are supposed to continuously provide power to the satellite essential loads after start-up.In case of a load malfunction with continuous overload, RLCL would enter current limitation mode for the given trip-off time duration, switch off and attempt to re-start after a given retrigger interval, thereby creating "hiccup" condition on the power bus.Therefore, it is practical to stop this repeated switch-on sequence after an overload occurred.In order to achieve this, the possibility of disabling the RLCLs retrigger function has to be foreseen.The disable functionality is initially disabled by default.Due to potential criticality of a spurious or unwanted disabling of the RLCLs retrigger function, the following measures are required: -No on-board automatism can disable the retrigger function i.e. this command can only be received as a (hazardous) ground command (req.5.2.6.4.1a); -The RLCLs retrigger disable cannot be caused by noise, EMC, ESD, SEE or other unexpected reasons with the exception of hardware failures (req.5.2.16.1.1 a).In particular, robustness "by design" of the RLCL against unexpected retrigger disable shall be ensured (req.5.2.18.2.1a).One potential implementation idea is to "force" the memory cell responsible for the RLCL retrigger status to deliver an enabled signal as long as the number of RLCL retriggering cycles have not reached a specified minimum value.In this way it becomes impossible for a spurious glitch to disable the retrigger function.Another possibility is to configure the retrigger disable circuit as a mono-stable feature: if an external command is received periodically within maximum time intervals, then the retrigger disable is maintained, on the contrary the retrigger restarts autonomously.

FUTURE WORK
The scope of the work started with the STD is not only limited to the power distribution interface by LCLs: the electrical power interfaces standardisation within ECSS continues, with the aim to cover, as far as practical, all power interfaces that are ready and that can benefit from standardisation.
The following effort (2016-2017) will focus on pyro/thermal knife/non explosive actuators interfaces.

7
CONCLUSIONS An ECSS STD and a HB covering the power distribution interface by LCLs/RLCLs has been presented.Both the STD and the HB are conceived to facilitate the diffusion of recurrent power distribution products in Europe, and it is expected that this would impact positively both on the quality (reliability, robustness, repeatability) of the different manufacturer's solutions, and on their cost/availability.Finally, power distribution manufacturers will have the chance to develop their products "irrespective" of a specific mission opportunity, and this will be a global benefit for them, for the primes, and for the Agency.Trip-off min [ms] 0,5 0,5 0,5 0,5 0,5 0,5 0,5 0,5 0,5 0,5 0,5 0,5 0,5 0,5 0,5 0,5

Example of requirements mapping (from STD, Annex A)
One of the major standardisation outcomes is the definition of LCL classes (see table 2 for LCLs, table 3 for RLCLs and table 4 for HLCLs).The present LCL/RLCL/HLCL classes definition have been elaborated to ensure an adequate capability to charge load input filters for most of practical applications, to enhance the chances to use single MOSFETs for LCL of lower current classes, and under environmental/application conditions that should be normally respected in all LCL practical design cases.