Satellite System Safety Analysis Using STPA
[Abstract] Traditional hazard analysis techniques based on failure models of accident causality, such as the probabilistic risk assessment (PRA) method currently used at NASA, are inadequate for analyzing safety at the system level. System-Theoretic Accident Model and Processes (STAMP) shifts the focus of safety from preventing failures to that of a dynamic feedback control system that enforces behavioral constraints. System-Theoretic Process Analysis (STPA), the hazard analysis method based on STAMP, was applied to the launch and mission phases of a NASA/JAXA Global Precipitation Measurement (GPM) Core Observatory-based satellite. Exploiting the fact that nearly all satellites follow similar lifecycles and employ common functional architectures with relatively decoupled, unique mission payloads, a template for future satellite STPA safety analyses was developed. The template seeks to aid and guide new STPA applications while reducing analysis time by providing the STPA analysis for many common satellite functions. Increasing pressure to reduce satellite mission costs has renewed interest in modular payloads. Traditional hazard analysis methods are dependent on the hardware used, so they must be redone for the entire system if the payload is changed. This repetition of work is time intensive and costly. STPA is the only hazard analysis method that may be performed early in development and without details of the system hardware implementation. Using the GPM-based satellite STPA analysis, the influence of the mission payload on safety at the system level is considered. Five types of control action mismatch resulting from changing payloads were identified, along with the corresponding additional STPA analysis required to ensure safety at the system level.
[Publication date]  [Publishing institution] Massachusetts Institute of Technology