1、Best Practices Entry: Best Practice Info:a71 Committee Approval Date: 2000-03-06a71 Center Point of Contact: KSCa71 Submitted by: Wil HarkinsSubject: Redundancy Considerations for Ground Communication Systems Practice: Designing a fail-safe ground communication system requires attention to hardware
2、and policy decisions. Ensuring a fail-safe system normally requires some use of redundancy. It also requires safe operating procedures. It further requires a reliable source of power. This practice considers what operating procedures are needed, what level of hardware redundancy is required, and bac
3、kup power considerations.Programs that Certify Usage: This practice has been used on the Space Shuttle Program, Ground Support Equipment including the Operational Intercommunication System Digital (OIS-D) at the Kennedy Space Center.Center to Contact for Information: KSCImplementation Method: This L
4、esson Learned is based on Reliability Practice number GSE-3007 from NASA Technical Memorandum 4322A, NASA Reliability Preferred Practices for Design and Test.Benefit:In most instances it is not practical to be fail-safe at any cost. This practice provides guidelines on using redundancy only where it
5、 is required. Too much redundancy leads to failures resulting from increased complexity. Mean Time Before Failure (MTBF) is estimated as a function of the number Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-of parts. Minimizing redundancy reduces
6、the number of parts and therefore increases the MTBF. This practice illustrates how to design a system that satisfies the technical requirements but contains cost by minimizing the level of redundancy.Implementation Method:The Operational Intercommunication System - Digital (OIS-D) at the Vehicle As
7、sembly Building (VAB) serves as the mechanism for discussing this practice. The OIS-D is a controlled access, multiuser, multichannel communications system used in support of vehicle test and launch operations. It is a fully digital system that provides 500 user channels of duplex voice communicatio
8、ns. OIS-D equipment in the VAB interfaces with the Central Summing Network (CSN) in the Launch Control Center (LCC). OIS-D equipment in the VAB consists of the following:a71 Group Processor Assembly (GPA) Racksa71 Transmission Equipment (DTE) Racka71 Power Rack, D.C. Chargers, Battery Banks, Battery
9、 Disconnects, and D.C. Disconnectsa71 End Instruments (EI)The OIS-D will be referred to in the remainder of the report as the voice communication system.System Operation:The telephone system (Figure 1) provides a loose analogy to the voice communication system (Figure 2). The EI is a unit in which o
10、ne connects a headset and dials up a voice channel. The user can talk and listen over this channel. As a communication device, the EI is analogous to the telephone. The EI is a user-operated, microcomputer-based, communication device.The GPA is the principal rack assembly of the voice communication
11、system. Each GPA transmits and receives voice, status, and signaling data from its associated EIs. The GPA is analogous to a central office. It provides the interface between the End Instruments and the Central Summing Network (CSN).The CSN gathers information from multiple GPAs and sums the informa
12、tion for redistribution. The CSN is analogous to the toll office.Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-refer to D descriptionD refer to D descriptionD Power Distribution:Provided by IHSNot for ResaleNo reproduction or networking permitted w
13、ithout license from IHS-,-,-The voice communication system operates on a floating 48V DC power source. This power is first converted from 480V AC to 48V DC by a battery charger. It is then routed through circuit breaker distribution panels, and to battery banks where it is stored in case of a power
14、failure. From there the power is distributed to the power supplies used by each chassis, and to the fans used for rack cooling, through power control modules that reside on each of the GPA racks. If 480V AC power fails, the battery banks supply 48V DC for a minimum of one hour. EI operating power (4
15、8V DC) is normally supplied by its associated GPA over the data transmission lines. The data transmission lines act as a medium for both the data transmission and power transmission to the EI.Redundancy Policy:The design must satisfy the Ground Support Equipment (GSE) Fail Safe requirement of NSTS 0
16、7700, Volume X. The requirement states that all GSE (except primary structure and pressure vessels) shall be designed to sustain a failure without causing loss of vehicle systems or loss of personnel capability. One of the requirements for support of hazardous operations is to have co-located EIs in
17、 areas of hazardous operations.The requirement for co-located EIs implies redundant EIs. Furthermore, the fail-safe requirement points towards a redundant implementation. That is, redundant GPAs, redundant power, and redundant Data Transmission Equipment (DTE). The data transmission equipment consis
18、ts of Fiber Optic Transmitters (FO TX) and Fiber Optic Receivers (FO RX).The power requirements and data transmission equipment requirements are best satisfied through use of redundancy. The GPA requires additional consideration. Figure 3 is an implementation that utilizes redundant GPAs. For illust
19、ration purposes assume that each GPA can support four EIs (actually each GPA supports 119 EIs). This implementation satisfies the fail-safe requirement but it is very expensive. The GPA is the most expensive item in the system. Figure 4 introduces an alternative implementation. Observe that in this
20、implementation neighboring EIs have different GPAs. Simply by requiring that co-located EIs have connections to independent GPAs eliminates the need for redundant GPAs. In the event of a failure, the operator could move to a neighboring EI and “safe“ the system. Therefore Figure 4 is cost effective
21、while also satisfying the fail-safe requirements.Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-refer to D descriptionD Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-refer to D descriptionD Both im
22、plementations were considered during the design of OIS-D. Many existing designs conform to Figure 3. The cost of the GPAs made the figure 3 implementation too costly for OIS-D. The Figure 4 implementation was acceptable to the design team because it fit within the cost profile of the system and sati
23、sfied the fail-safe requirements. In practice the system has proved to be very reliable.Technical Rationale:In attempting to determine if complete redundancy is needed or if policy decisions can be implemented to alleviate many of the fail-safe concerns, two questions need to be answered:Provided by
24、 IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-a71 Will it decrease cost?a71 Will it improve the product?The answer to both questions is yes. Eliminating unnecessary redundancy reduces cost. The product is improved because the system MTBF increases with the re
25、moval of unnecessary redundancy. These are quantifiable justifications for the implementation of this practice. This practice should also be adhered to when designing Local Area Networks (LANs) and Wide Area Networks (WANs).References:1. SAA009CU08-026 (Revision A) - System Assurance Analysis of the
26、 Operational Intercommunication System - Digital at the Vehicle Assembly Building (VAB).Impact of Non-Practice: Incorrectly applying redundancy can result in higher cost and reduced MTBF.Related Practices: N/AAdditional Info: Approval Info: a71 Approval Date: 2000-03-06a71 Approval Name: Eric Raynora71 Approval Organization: QSa71 Approval Phone Number: 202-358-4738Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-
