REG NASA-LLIS-0799-2000 Lessons Learned Redundancy Switching Analysis.pdf

《REG NASA-LLIS-0799-2000 Lessons Learned Redundancy Switching Analysis.pdf》由会员分享，可在线阅读，更多相关《REG NASA-LLIS-0799-2000 Lessons Learned Redundancy Switching Analysis.pdf（5页珍藏版）》请在麦多课文档分享上搜索。

1、Best Practices Entry: Best Practice Info:a71 Committee Approval Date: 2000-04-17a71 Center Point of Contact: JPLa71 Submitted by: Wil HarkinsSubject: Redundancy Switching Analysis Practice: To verify that the failure of one of two redundant functions does not impair the ability to transfer to the se

2、cond function, a rigorous failure modes, effects, and criticality analysis (FMECA) at the piece part-level is performed for all interfacing circuits.Abstract: Preferred Practice for Design & Test. The long-term survival of complex systems is usually achieved through the practice of design redundancy

3、. There are often unforeseen deficiencies in the redundancy switching which result in non-independence, thereby defeating the intent. Failure to use this practice will very probably result in several instances of defective switching in a complex system such as a spacecraft. To verify that the failur

4、e of one of two redundant functions does not impair the ability to transfer to the second function, a rigorous failure modes, effects, and criticality analysis (FMECA) at the piece part-level is performed for all interfacing circuits.Programs that Certify Usage: This practice has been used on the Vo

5、yager, Galileo and Magellan programs.Center to Contact for Information: JPLImplementation Method: This Lesson Learned is based on Reliability Practice number PD-AP-1315, from NASA Technical Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Memorandum 4

6、322A, Reliability Preferred Practices for Design and Test.Benefit:By using a systematic method to assure the switching functionality of designed-in redundancy, the long-term performance of complex systems can be assured.Implementation Method:Redundancy switching analysis (RSA) is a subset of the gen

7、eral FMECA process, but it is performed in greater detail because of its criticality. RSA includes the following steps:1. Identify and diagram all functional blocks which involve the two redundant elements.2. Expand the functional blocks to show the interface circuitry at the piece part level.3. Pos

8、tulate all credible part failures (viz, shorts, opens, saturated high or low, etc.) and determine the effect on the functional redundant path. Verify design compliance with the following objectives: a. Hardware failures do not propagate across inter-unit interfaces to produce hardware failures in ot

9、her units.b. There is sufficient isolation that the postulated failure does not produce a functional failure capable of disturbing the transfer to, or operation of, the redundant function.Technical Rationale:There have been numerous instances of presumably redundant systems which have failed to succ

10、essfully transfer to the backup path when the primary path is non-functional. A rigorous, systematic search could have foretold the failure and, through design change, averted the problem.The first objective- preventing failure propagation- is of most value in a repairable system. Non-propagation mi

11、nimizes the number of units requiring repair. In spacecraft, this would correspond to the preflight phases of either subsystem or system testing. The key to this investigation is a complete diagram of the involved interface circuits which penetrates each unit to a circuit depth sufficient to prove t

12、hat no possible failures in Unit 1 can propagate to become irreversible hardware failures in Unit 2. The second key ingredient is a complete list of part or assembly failure modes for hypothesis.The second objective- guaranteeing successful transfer (or equivalently independence of the primary and b

13、ack-up functions)- is a necessity for either repairable or non-repairable systems and requires the same complete interface diagram and complete list of failure modes. The list includes such items as:a71 Part failure (viz, opens, shorts, “stuck-ats“),a71 Single event effects (viz, latch-up, transfer)

14、, andProvided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-a71 EMI (viz, latch-up, transfer, overvoltage).These last two items are critical since they can effect both sides of a redundant pair.Figures 1 and 2 are illustrations of the process of a redundanc

15、y switching analysis for several typical interfaceObservation:If the postulated short exists and source A is unpowered, its “off“-state load resistance must be high compared to the “on“-state source resistance of source B to assure that adequate VA voltage will be received at LOAD A. If not, the dio

16、des must be made series redundant.refer to D descriptionD Figure 1: Example of Passive Redundancy Switching for Cross-Strapped Dual Sources and Dual Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Loads Observation:If the postulated short exists, the

17、 isolation resistor R1 must be large compared to the output source resistance of amplifier A1 to assure that adequate VB voltage is received at LOAD B.refer to D descriptionD Figure 2: Example of Passive Redundancy Switching for Single Source and Dual Load References:1. Polovko, A.M. (1968). Fundame

18、ntals of Reliability Theory, (Chapter 5-4). New York: Academic Press, Inc.2. Feduccia, A.J. (1993). Reliability Engineers Toolkit. Griffiss Air Force Base, New York: Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Rome Laboratory.Impact of Non-Practi

19、ce: The long-term survival of complex systems is usually achieved through the practice of design redundancy. There are often unforeseen deficiencies in the redundancy switching which result in non-independence, thereby defeating the intent.Failure to use this practice will very probably result in se

20、veral instances of defective switching in a complex system such as a spacecraft. Experience has shown that initial designs have about a 10 percent chance of non-independence. Just one such defect reduces a presumed redundant system to a single channel system with its inherently shorter life expectancy.Related Practices: N/AAdditional Info: Approval Info: a71 Approval Date: 2000-04-17a71 Approval Name: Eric Raynora71 Approval Organization: QSa71 Approval Phone Number: 202-358-4738Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-