page 178
n – m |
|
|
|
|
|
|
Rm;n( t) = ∑ |
|
n |
( R( t) ) |
( n – i) |
( 1 – R( t) ) |
i |
|
|
|
|
|||
|
|
i |
|
|
|
|
i = 0 |
|
|
|
|
|
|
where, |
|
|
|
|
|
|
Rm;n( t) |
= |
reliability of a system that contains m of n parallel modules |
||||
|
R( t) |
|
n |
= |
|
i |
||
|
= the reliability of the modules at time t
n!
--------------------
( n – i) !i!
•keep in mind that many systems are a combination of series and parallel units, to find the total reliability, calculate the reliability of the parallel units first, and then calculate the series reliability, replacing the parallel units with their grouped reliability.
•availability is the chance that at any time a system will be operational. This can be determined experimentally, or estimated. For a system that is into it’s useful lifetime, this can be a good measure. Note that at the beginning, and end of its life, this value will be changing, and will not be reliable.
A( t) |
|
to |
|
MTTF |
|
MTTF |
|
1 |
|
= |
------------- |
= |
-------------------------------------- |
= |
---------------- |
= |
------------ |
||
to + tr |
MTTF + MTTR |
MTBF |
|
λ |
|||||
|
|
|
|
|
|
|
|
1 + |
µ-- |
where,
A( t) = probability that a system will be available at any time
to = hours miotpedniarvtr
tr = hoursmpiotidaervpairn
8.1.4 Design For Reliability (DFR)
page 179
8.1.4.1 - Passive Redundant
• three identical, yet independent systems are used to produce three outputs. The three outputs are compared and a voting procedure is used to select one. This method is called Triple Modular Redundancy (TMR)
|
Module 1 |
|
|
system |
|
|
|
state |
|
|
|
and |
|
|
control |
set-points |
Module 1 |
vote for |
output |
|
|
||
|
best 2 out |
|
|
|
|
|
|
|
|
of 3 |
|
|
Module 1 |
|
|
•In this event, if there is a random failure in any of the modules, it will be outvoted by the others, and the system will continue to operate as normal.
•This type of module does not protect against design failures, where all three modules are making the same error. For example if all three had Intel Pentium chips with the same math mistake, they would all be in error, and the wrong control output would result.
•This module design is best used when it is expected that one of the modules will fail randomly with an unrecoverable state.
•This type of system can be used easily with computer algorithms and digital electronics.
8.1.4.2 - Active Redundant
• A separate monitoring system tracks the progress of separate modules. In the event one of the modules is believed to have failed, it is taken off line, and replaced with a new module.
page 180
Prime |
MONITOR |
|
|
|
|
||
system |
|
|
|
state |
examine |
|
|
and |
|
||
prime module, |
control |
||
set-points |
|||
if error is |
|||
Backup 1 |
output |
||
detected, swap |
|||
|
|
||
|
the prime for |
|
|
|
a backup |
|
|
|
module |
|
|
Backup 2 |
|
|
•This method depends upon a good design of the monitor module.
•As with the passive redundant module, this module is also best used to compensate for complete module failure.
•This type of system can be used easily with analog electronics and mechanics, as well as with switched modules.
8.1.4.3 - Hybrid Active
•A combination of the voting system and the reconfiguration system
•the voting modules continue to make decisions, but voting members can be replaced with backup units.
page 181
Module 1 |
MONITOR/ |
|
VOTER |
||
|
||
system |
|
|
state |
|
|
and |
control |
|
set-points |
||
Module 2 |
output |
|
Module 3 |
|
|
Backup 1 |
|
|
Backup 2 |
|
8.1.4.4 - Other Design Points
•Parity and check bits can be used to detects errors in calculations. Checksums can be used for blocks of data, and grey code can be used for detecting errors in sequential numbers.
•The amount of redundant hardware can be reduced by doing the same calculation twice, at different points in time on the same processor. If the results are compared, and found to be different. This would indicate a transient fault. This can be important in irradiated environments where bits can be flipped randomly.
•Software redundancy involves writing multiple versions of the same algorithm/program. All of the algorithm versions are executed simultaneously. If a separate acceptance algorithm estimates that the primary version is in err, it is disabled, and the secondary version is enabled.