Best Practices Entry

Best Practice Info:
- Committee Approval Date: 2000-03-16
- Center Point of Contact: JPL
- Submitted by: Wil Harkins

Subject: Fault Tolerant Design

Practice: Incorporate hardware and software features in the design of spacecraft equipment which tolerate the effects of minor failures and minimize switching from the primary to the secondary string. This increases the potential availability and reliability of the primary string.

Abstract: Preferred Practice for Design its current validity relies on the current iteration of the FMECA and FTA and their corresponding criticalities and probabilities of occurrence. The iteration cycle ceases when either the cost of the next design iteration is programmatically unacceptable or when the risk has been reduced below a stated goal. It is assumed that all of the normal reliability design tools such as part stress derating, worst case performance analysis, qualification testing, life demonstration, quality control, etc., have already been used to preclude any design or material deficiencies. The FTD process also assumes that, in spite of the above practices, an in-flight failure may occur in a given set of manufactured hardware.

This process flow is illustrated in Figure 1. The diagram illustrates that FTD is a top-level system design philosophy covering other NASA preferred reliability practices, including analytical design disciplines, FMECA and FTA studies, fault protection plans, and test results. The FTD process at JPL includes four phases beginning with analytical design.

[Figure 1: FTD process flow (figure not reproduced; refer to the description above).]

Technical Rationale:

To increase the reliability of a spacecraft system, two complementary but fundamentally different approaches are taken:
1. Fault prevention (fault intolerance), and
2. Fault tolerance.

Fault prevention deals with the objective of increasing reliability by elimination of all faults, which is not feasible in reality. Therefore, the goal of fault prevention is to reduce the probability of system failure to an acceptably low value.
The fault tolerance approach expects failures to occur. However, their effects will be automatically counteracted by incorporating either redundancy or other types of compensation.

A fault tolerant design approach differs from a pure design redundancy approach in that provisions are made for planned degraded modes of operation where acceptable. For example, the high gain antenna of a spacecraft is usually non-redundant because of its size. An FTD would favor the use of a backup medium gain antenna operating at reduced data rates as a degraded but acceptable operating mode. Similarly, a partially failed power source within a solar panel array or a failure of one of three radioisotope thermoelectric generators (RTGs) could be accommodated: an appropriate failure detection circuit and a software fault protection algorithm would be provided to shed low priority electrical loads or instruments, while maintaining most mission capabilities.

Also, FTD may be preferable to mere hardware redundancy in that higher probability multiple failures can be identified and accommodated. For example, the common design practice for inertial sensors (gyros) is the use of three packages of orthogonally located dual axis sensors (i.e., the X-Y, Y-Z, and Z-X axes). This scheme is tolerant of the loss of any one gyro but can be extended to accommodate the loss of any two gyros by the use of a pair of two-axis positionally adjustable gyros insertable by command or by detection algorithms. It can be placed in the X-Y or X-Z directions, thereby providing at least one signal on each axis even if two pairs of fixed mounted gyros are lost. In this case, dual failures are accommodated with only a short interruption of service and some additional mechanical complexity, but with no significant loss in system performance.

The essential ingredients to achieving a fault tolerant design are the performance of a thorough FMECA and FTA, the detailed communication of these identified failure modes and effects to the fault protection design engineers, and strong participation by the project engineer and program management in assessing design cost/benefit trade-off iterations. An FTD will be limited by either weight, volume, schedule, or cost constraints. Presentation of fault tolerant design options to program management requires a skilled engineering team with intimate knowledge of system operation and close communication with system designers.

An FTD can provide dramatic improvements in system reliability and lead to a substantial reduction in flight failures as a consequence of fewer disabling system failures.

References:
1. Fault Protection System Design and Operations, JPL Document D625-505, Vol. 8, Galileo Project, October 1989.
2. Fault Protection Requirements, JPL Document 699-CAS-3-330, Cassini Project, March 1994.
3. System Fault Protection Algorithms, JPL Document 699-CAS-3-331, Cassini Project, January 1995.
4. Fault Protection, Reliability Preferred Practice No. PD-ED-1243.
5. Active Redundancy, Reliability Preferred Practice No. PD-ED-1216.
6. Failure Modes, Effects, and Criticality Analysis (FMECA), Reliability Preferred Practice No. PD-AP-1307.

Impact of Non-Practice: Systems which do not incorporate FTD as a part of their development process will experience a higher risk of a severely degraded or prematurely terminated mission, or it may result in excessively large weight or volume, or high cost, to achieve an acceptable level of performance by using non-optimized redundancy or overdesign.

Related Practices: N/A

Additional Info:

Approval Info:
- Approval Date: 2000-03-16
- Approval Name: Eric Raynor
- Approval Organization: QS
- Approval Phone Number: 202-358-4738
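The degraded-mode power example in the Technical Rationale (a partially failed solar array or the loss of one of three RTGs, detected by a failure detection circuit and answered by a software fault protection algorithm that sheds low-priority loads while keeping most mission capabilities) can be made concrete. The Python below is an added example written for this page; it is not JPL flight software and not code from the practice. The RTG wattages, detection margin, load names, power figures and priority levels are constructed for illustration. It also covers the failure mode the text implies but does not spell out: when even the essential loads exceed the remaining supply, the planner reports the plan as infeasible so that fault protection can escalate instead of silently running a power deficit.

```python
from dataclasses import dataclass
from typing import List

# Constructed example values (not flight data): three RTGs at 100 W each.
RTG_NOMINAL_W = 100.0
RTG_COUNT = 3
DETECTION_MARGIN_W = 15.0  # assumed tolerance before a shortfall counts as a source failure


@dataclass(frozen=True)
class Load:
    name: str
    watts: float
    priority: int  # 0 = essential, never shed; larger values are shed first


@dataclass
class ShedPlan:
    kept: List[Load]
    shed: List[Load]
    margin_w: float  # available supply minus remaining demand; negative means a deficit
    feasible: bool


def detect_source_failure(measured_w: float,
                          expected_w: float = RTG_NOMINAL_W * RTG_COUNT) -> bool:
    """Failure detection: declare a power-source failure when the measured bus
    supply falls more than DETECTION_MARGIN_W below the expected supply."""
    return measured_w < expected_w - DETECTION_MARGIN_W


def plan_load_shed(loads: List[Load], available_w: float) -> ShedPlan:
    """Fault protection algorithm: shed the lowest-priority loads first until the
    remaining demand fits the available supply. Essential loads (priority 0) are
    never shed; if they alone exceed the supply, the plan is reported infeasible."""
    demand_w = sum(l.watts for l in loads)
    shed: List[Load] = []
    # Least-important loads first; among equal priority, the larger load first
    # so that fewer loads have to be lost to close the gap.
    candidates = sorted((l for l in loads if l.priority > 0),
                        key=lambda l: (-l.priority, -l.watts))
    for load in candidates:
        if demand_w <= available_w:
            break
        shed.append(load)
        demand_w -= load.watts
    kept = [l for l in loads if l not in shed]
    margin_w = available_w - demand_w
    return ShedPlan(kept=kept, shed=shed, margin_w=margin_w, feasible=margin_w >= 0)


# Constructed load table: names, wattages and priorities are illustrative only.
LOADS = [
    Load("command_and_data_handling", 40.0, 0),
    Load("telecom", 60.0, 0),
    Load("attitude_control", 50.0, 0),
    Load("survival_heaters", 20.0, 1),
    Load("instrument_a", 40.0, 2),
    Load("instrument_b", 35.0, 3),
]


def respond_to_bus_reading(measured_w: float, loads: List[Load] = LOADS) -> ShedPlan:
    """Tie detection and response together: run the shedding algorithm only once
    a source failure has been detected; otherwise keep every load as is."""
    if detect_source_failure(measured_w):
        return plan_load_shed(loads, measured_w)
    margin_w = measured_w - sum(l.watts for l in loads)
    return ShedPlan(kept=list(loads), shed=[], margin_w=margin_w, feasible=margin_w >= 0)


if __name__ == "__main__":
    plan = respond_to_bus_reading(200.0)  # one of three RTGs lost
    print("shed:", [l.name for l in plan.shed],
          "margin_w:", plan.margin_w, "feasible:", plan.feasible)
```

With one RTG lost (200 W available against 245 W of demand) the planner sheds the two lowest-priority instruments and keeps the essential loads and heaters with a 30 W margin; with two RTGs lost the essential loads alone exceed the supply and the plan comes back infeasible, which is the signal to escalate to a safe mode rather than keep the nominal load set.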
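The gyro arrangement in the Technical Rationale (three fixed dual-axis packages on X-Y, Y-Z and Z-X, plus a positionally adjustable backup pair insertable in the X-Y or X-Z direction) is a coverage argument that can be checked exhaustively. The Python below is an added example written for this page, not code from the practice or from any JPL flight system. It assumes that a failure takes out a whole two-axis package (a simplification of the text's "any one gyro") and enumerates every combination of failed packages to confirm what the text claims: any single loss is covered by the remaining fixed packages, any double loss is covered once the backup pair is inserted at the right orientation, and a triple loss cannot be recovered with a single backup orientation.

```python
from itertools import combinations
from typing import Dict, FrozenSet, Optional, Tuple

AXES: FrozenSet[str] = frozenset("XYZ")

# Fixed, orthogonally mounted dual-axis packages, as described in the practice.
FIXED_PACKAGES: Dict[str, FrozenSet[str]] = {
    "XY": frozenset("XY"),
    "YZ": frozenset("YZ"),
    "ZX": frozenset("ZX"),
}

# Orientations at which the adjustable backup pair can be inserted (per the text).
BACKUP_ORIENTATIONS: Dict[str, FrozenSet[str]] = {
    "XY": frozenset("XY"),
    "XZ": frozenset("XZ"),
}


def covered_axes(failed: FrozenSet[str]) -> FrozenSet[str]:
    """Axes still sensed by the surviving fixed packages."""
    cov = set()
    for name, axes in FIXED_PACKAGES.items():
        if name not in failed:
            cov |= axes
    return frozenset(cov)


def recovery_plan(failed: FrozenSet[str]) -> Tuple[bool, Optional[str]]:
    """Decide whether a failure set is tolerated and where to insert the backup pair.

    Returns (tolerated, orientation). The orientation is None either when no
    backup is needed (full coverage remains) or when no single orientation can
    restore every axis; the boolean distinguishes the two cases."""
    missing = AXES - covered_axes(failed)
    if not missing:
        return True, None
    for name, axes in BACKUP_ORIENTATIONS.items():
        if missing <= axes:
            return True, name
    return False, None


def tolerance_by_failure_count() -> Dict[int, bool]:
    """For k = 0..3 failed packages, True if every k-package failure set is tolerated."""
    return {
        k: all(recovery_plan(frozenset(c))[0] for c in combinations(FIXED_PACKAGES, k))
        for k in range(len(FIXED_PACKAGES) + 1)
    }


if __name__ == "__main__":
    for k, ok in tolerance_by_failure_count().items():
        print(f"{k} failed package(s): {'tolerated' if ok else 'NOT tolerated'}")
    print("lose YZ and ZX ->", recovery_plan(frozenset({"YZ", "ZX"})))
```

The exhaustive check is the useful part: it is exactly the kind of argument an FMECA should carry for each redundancy scheme, and it shows why the backup's two allowed orientations suffice (after any double loss exactly one axis is missing, and X-Y or X-Z always contains it) while a triple loss leaves a missing set no single orientation covers.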