⟦a45f9a556⟧ Wang Wps File
Length: 33471 (0x82bf)
Types: Wang Wps File
Notes: CPS/210/SYS/001 ISSUE 2.1
Names: »0399A «
Derivation
└─⟦ad67f9f62⟧ Bits:30006075 8" Wang WCS floppy, CR 0032A
└─ ⟦this⟧ »0399A «
WangText
T̲A̲B̲L̲E̲ ̲O̲F̲ ̲C̲O̲N̲T̲E̲N̲T̲S̲ ̲
S̲e̲c̲t̲i̲o̲n̲ ̲3̲.̲4̲.̲2̲
3.4.2 Physical Characteristics
  3.4.2.1 Size, Weight, Power Consumption and Heat Dissipation
  3.4.2.2 Power Input
3.4.2 P̲h̲y̲s̲i̲c̲a̲l̲ ̲C̲h̲a̲r̲a̲c̲t̲e̲r̲i̲s̲t̲i̲c̲s̲
3.4.2.1 S̲i̲z̲e̲,̲ ̲W̲e̲i̲g̲h̲t̲,̲ ̲P̲o̲w̲e̲r̲ ̲C̲o̲n̲s̲u̲m̲p̲t̲i̲o̲n̲ ̲a̲n̲d̲ ̲H̲e̲a̲t̲ ̲D̲i̲s̲s̲i̲p̲a̲t̲i̲o̲n̲
The site equipments consist of a number of terminals
and one or two multi-bay rack assemblies.
The racks of each site equipment will be equipped with
subassemblies and modules according to the actual connectivity.
3.4.2.2 P̲o̲w̲e̲r̲ ̲I̲n̲p̲u̲t̲
The equipments shall be capable of satisfying the specified
performance requirements when operating with the following
power input:
a) Phases: Single- or 3-phase, and ground. (For supply of
   redundant elements within the equipment, the power input
   shall be established with 2 independent sources as a minimum.)
b) Voltage: Nominal value 380/220 V AC. Tolerances: +10%/-15%.
   Except UKAIR where nominal value is 405/240 V AC.
c) Frequency: Nominal value: 50 Hz. Tolerances: +10/-10%
d) Harmonic distortion: Max. 5%
e) Transients: Non-repetitive impulsive interference with a
   magnitude not to exceed 500 volts, pulse rise and fall times
   not faster than 10 microseconds and a total duration of
   maximum 1 millisecond. The available impulse energy at the
   equipment power inlet shall not exceed 5J.
f) Exemptions: Each site equipment will contain three disk
   drives. These will not operate within the tolerances of
   section b) and c) above, but:
   1) Voltage: Nominal value 380/220 V AC. Tolerances: +6%/-10%
   2) Frequency: Nominal value: 50 Hz. Tolerance: +0.5 Hz/-1.0 Hz
   For UKAIR see para 3.7.1.2.4. and 3.4.1.7.b.
T̲A̲B̲L̲E̲ ̲O̲F̲ ̲C̲O̲N̲T̲E̲N̲T̲S̲
S̲e̲c̲t̲i̲o̲n̲ ̲3̲.̲4̲.̲3̲
3.4.3 Environmental Conditions
  3.4.3.1 Temperature and Humidity
  3.4.3.2 Dust, Fumes
3.4.3 E̲n̲v̲i̲r̲o̲n̲m̲e̲n̲t̲a̲l̲ ̲C̲o̲n̲d̲i̲t̲i̲o̲n̲s̲
In designing the equipment to meet the specified requirements
no account need be taken of catastrophic events such
as fire, flood, explosion, etc., which are beyond the
control of an equipment manufacturer.
The equipment will normally operate within accommodation
suitable for the operation of similar equipment produced
for commercial use.
After initial adjustments have been made, the equipment
shall maintain normal operation under all specified
environmental and power supply conditions.
3.4.3.1 T̲e̲m̲p̲e̲r̲a̲t̲u̲r̲e̲ ̲a̲n̲d̲ ̲H̲u̲m̲i̲d̲i̲t̲y̲
The equipment shall continue to function when the humidity
and temperature of its environment are within the ranges
and cycling specified below.
The equipment shall continue to operate in a fully
satisfactory manner even under the worst conditions
specified below.
a) T̲e̲m̲p̲e̲r̲a̲t̲u̲r̲e̲
   Range : 10 to 40 deg. C
   Change : max. 10 deg. C per hour
b) H̲u̲m̲i̲d̲i̲t̲y̲ ̲(̲R̲e̲l̲a̲t̲i̲v̲e̲ ̲H̲u̲m̲i̲d̲i̲t̲y̲ ̲=̲ ̲R̲H̲)̲
   Range : 40 to 90% RH, non-condensing
   Change : max. 6% RH per hour, non-condensing
c) A̲l̲t̲i̲t̲u̲d̲e̲
   Range : Sea level to 2000 meter
The equipment shall be so designed that the loss of
site air conditioning or heating will not cause a catastrophic
failure within 15 minutes after the loss.
An alarm indication shall be given, when the environmental
temperature reaches a value which will require intervention
of supervisory personnel.
3.4.3.2 D̲u̲s̲t̲,̲ ̲F̲u̲m̲e̲s̲
The equipment shall be able to operate continuously
and with normal scheduled preventive maintenance in
the following air environment:
a) Ai̲r̲ ̲c̲l̲e̲a̲n̲n̲e̲s̲s̲
   Particle size (microns)    Max. allowable number (particles/cubic meter)
   greater than 5             4 x 10^5
   greater than 1.5           4 x 10^6
   greater than 1             4 x 10^7
b) F̲u̲m̲e̲s̲
sulphur dioxide max. 14 ppm.
T̲A̲B̲L̲E̲ ̲O̲F̲ ̲C̲O̲N̲T̲E̲N̲T̲S̲
S̲e̲c̲t̲i̲o̲n̲ ̲3̲.̲4̲.̲4̲
3.4.4 Availability and Maintainability
  3.4.4.1 General
  3.4.4.2 Reliability Characteristics
  3.4.4.3 Availability Calculation
  3.4.4.4 Availability and Reliability Performance Requirements
    3.4.4.4.1 User Connecting Point
    3.4.4.4.2 Individual User Connecting Points
    3.4.4.4.3 Groups of User Connecting Points
    3.4.4.4.4 User Connecting Points to Supervisory and Service Terminals
    3.4.4.4.5 External Channels and Circuits
    3.4.4.4.6 Individual Channels
    3.4.4.4.7 Groups of Channels
    3.4.4.4.8 All Circuits, Channels and User Connecting Points
  3.4.4.5 Equipment Redundancy
    3.4.4.5.1 Withdrawal of Redundant Items
    3.4.4.5.2 Loss of Redundancy
  3.4.4.6 Specific Equipment Availability Requirements
  3.4.4.7 Terms
3.4.4 A̲v̲a̲i̲l̲a̲b̲i̲l̲i̲t̲y̲ ̲a̲n̲d̲ ̲M̲a̲i̲n̲t̲a̲i̲n̲a̲b̲i̲l̲i̲t̲y̲
3.4.4.1 G̲e̲n̲e̲r̲a̲l̲
Availability and maintainability requirements apply
to the equipment excluding environmental control equipment,
primary power supply to the equipment, and other purchaser
supplied equipment.
The equipment will meet the specified requirements:
a) When operating in a support environment which lies
within the limits of the specified operating requirements
of the equipment.
b) When tools, repair parts, manuals, manpower, etc.
required for maintenance are available.
In designing the equipment to meet the specified requirements
no account need be taken of catastrophic events
such as fire, flood, explosion, etc. which are beyond
the control of the equipment manufacturer.
The definitions of the terms used in this section are
given in section 3.4.4.7.
3.4.4.2 R̲e̲l̲i̲a̲b̲i̲l̲i̲t̲y̲ ̲C̲h̲a̲r̲a̲c̲t̲e̲r̲i̲s̲t̲i̲c̲s̲
The reliability of the equipment is specified in terms
of its availability. The equipment is partitioned into
modules and units, which are used for construction
of the R & M models and block diagrams. A separate
analysis shall be conducted for each module performance
requirement specified below.
3.4.4.3 A̲v̲a̲i̲l̲a̲b̲i̲l̲i̲t̲y̲ ̲C̲a̲l̲c̲u̲l̲a̲t̲i̲o̲n̲
The inherent availability of a module or unit shall
be measured in terms of two parameters:
- Mean time between failure (MTBF)
- Mean time to repair (MTTR)
The availability of a module or unit shall be determined
from the formula
$$A_i = \frac{\mathrm{MTBF}_i}{\mathrm{MTBF}_i + \mathrm{MTTR}_i}$$
The availability value associated with each reliability
performance requirements, specified in succeeding paragraphs
of this section, shall be determined from a R&M model
and block diagram by combining the availability co-efficients
for the modules and units affecting that availability
performance requirement. The availability co-efficient
for a series configuration shall be calculated by:
$$A(\mathrm{system}) = \prod_{i=1}^{\mathrm{elements}} A_i$$
where $A_i$ is the availability co-efficient of the i-th
element.
In the case of modules and units provided for the purpose
of redundancy (e.g. duplicated units) the availability
co-efficient shall be calculated by:
a) For (N-1) out of N redundancy, the availability
for (N-1) out of N being operative is:
$$A(N-1 \text{ out of } N \text{ operative}) = 1 - N \cdot (N-1) \cdot \left(\frac{\mathrm{MTTR}}{\mathrm{MTBF}}\right)^2$$
where MTTR MTBF.
b) For other types of redundancy the availability
shall be calculated using the R&M model. Assumptions
made shall be justified.
3.4.4.4 A̲v̲a̲i̲l̲a̲b̲i̲l̲i̲t̲y̲ ̲a̲n̲d̲ ̲R̲e̲l̲i̲a̲b̲i̲l̲i̲t̲y̲ ̲P̲e̲r̲f̲o̲r̲m̲a̲n̲c̲e̲ ̲R̲e̲q̲u̲i̲r̲e̲m̲e̲n̲t̲s̲
3.4.4.4.1 U̲s̲e̲r̲ ̲C̲o̲n̲n̲e̲c̲t̲i̲n̲g̲ ̲P̲o̲i̲n̲t̲
The demarcation point between terminals and the equipment
is the user connecting point. The availability of
service shall be measured at the user connecting point
of the equipment, to which each terminal is attached.
3.4.4.4.2 I̲n̲d̲i̲v̲i̲d̲u̲a̲l̲ ̲U̲s̲e̲r̲ ̲C̲o̲n̲n̲e̲c̲t̲i̲n̲g̲ ̲P̲o̲i̲n̲t̲s̲
a) The availability of the subset of the equipment
which provides service to each user connecting
point shall be at least .9995.
b) The MTBF of a failure which causes loss of service
to a single user connecting point shall be at least
3 months with an MTTR not to exceed 40 mins.
3.4.4.4.3 G̲r̲o̲u̲p̲s̲ ̲o̲f̲ ̲U̲s̲e̲r̲ ̲C̲o̲n̲n̲e̲c̲t̲i̲n̲g̲ ̲P̲o̲i̲n̲t̲s̲
It shall be possible to select user connecting points
in groups in such a way that no single failure shall
cause loss of service to more than one such group.
Within the expansion capacity specified in this document,
the maximum number of user connecting points in such
a group is 8.
The equipment shall be designed such that no single
failure can cause loss of service to 25% or more user
connecting points.
a) The availability of the subset of the equipment
at the maximum expanded configuration which provides
service to 75% or more of the user connecting points
shall be at least 0.9999.
b) The MTBF of a failure which causes loss of service
to 25% or more user connecting points of the maximum
expanded configuration shall be at least 1 year
with an MTTR not to exceed 1 hour.
3.4.4.4.4 U̲s̲e̲r̲ ̲C̲o̲n̲n̲e̲c̲t̲i̲n̲g̲ ̲P̲o̲i̲n̲t̲s̲ ̲t̲o̲ ̲S̲u̲p̲e̲r̲v̲i̲s̲o̲r̲y̲ ̲a̲n̲d̲ ̲S̲e̲r̲v̲i̲c̲e̲
̲T̲e̲r̲m̲i̲n̲a̲l̲s̲
It shall be possible to divide the connecting points
providing service to the terminals of the supervisory
and service positions into more than one group.
a) The availability of the subset of the equipment
which provides service to any such group shall
be at least 0.9999.
b) The MTBF of a failure which causes loss of service
to such a group shall be at least 1 year with an
MTTR not to exceed 1 hour.
3.4.4.4.5 E̲x̲t̲e̲r̲n̲a̲l̲ ̲C̲h̲a̲n̲n̲e̲l̲s̲ ̲a̲n̲d̲ ̲C̲i̲r̲c̲u̲i̲t̲s̲
Availability of service to external channels and circuits
shall be measured at the connection point of the equipment,
to which each circuit is attached.
3.4.4.4.6 I̲n̲d̲i̲v̲i̲d̲u̲a̲l̲ ̲C̲h̲a̲n̲n̲e̲l̲s̲
1) The availability of the subset of the equipment
which provides service to each incoming or outgoing
channel shall be at least .9995.
2) The MTBF of a failure which causes loss of service
to a single incoming or outgoing channel shall
be at least 3 months with an MTTR not to exceed
40 mins.
3.4.4.4.7 G̲r̲o̲u̲p̲s̲ ̲o̲f̲ ̲C̲h̲a̲n̲n̲e̲l̲s̲
It shall be possible to divide outgoing channels and
incoming channels each into at least two groups such
that no single failure shall cause loss of service
to more than one such group.
a) The availability of the subset of the equipment
which provides service to any such group of external
connections of the maximum configuration shall
be at least 0.9999. The requirement shall be met
separately for incoming and outgoing channels.
b) The MTBF of a failure which causes loss of service
to any such group of external connections shall
be at least 1 year with an MTTR not to exceed 1
hour.
3.4.4.4.8 A̲l̲l̲ ̲C̲i̲r̲c̲u̲i̲t̲s̲,̲ ̲C̲h̲a̲n̲n̲e̲l̲s̲ ̲a̲n̲d̲ ̲U̲s̲e̲r̲ ̲C̲o̲n̲n̲e̲c̲t̲i̲n̲g̲ ̲P̲o̲i̲n̲t̲s̲
No single failure shall cause a total system failure.
a) The availability of the subset of the equipment
which provides service to all user connecting
points and external circuits shall be at least
0.99995.
b) The MTBF of a failure which causes loss of service
to all external circuits and user connecting points
shall be at least 2 years with an MTTR not to exceed
1 hour.
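The formulas of section 3.4.4.3 applied to the figures of sections 3.4.4.4.2 to 3.4.4.4.8, as an added example that is not part of the specification. The hour conversions (730 h per month, 8760 h per year), the single-failure-mode reading of each a)/b) pair, the 1% ratio guard and all function and class names are assumptions of this example; it shows that a subset sitting exactly on the MTBF and MTTR limits of a b) clause does not always reach the availability required by the matching a) clause.

```python
"""Availability checks with the formulas of section 3.4.4.3 (added example)."""
from dataclasses import dataclass
from math import prod

HOURS_PER_YEAR = 8760.0                # assumption: 365-day year
HOURS_PER_MONTH = HOURS_PER_YEAR / 12  # assumption: 730 h per month


def availability(mtbf_h: float, mttr_h: float) -> float:
    """Inherent availability of one module or unit: MTBF / (MTBF + MTTR)."""
    if mtbf_h <= 0 or mttr_h < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_h / (mtbf_h + mttr_h)


def series(*coefficients: float) -> float:
    """Series configuration: product of the availability co-efficients."""
    return prod(coefficients)


def n_minus_1_of_n(n: int, mtbf_h: float, mttr_h: float) -> float:
    """(N-1) out of N redundancy: 1 - N*(N-1)*(MTTR/MTBF)^2, as in 3.4.4.3 a)."""
    if n < 2:
        raise ValueError("redundancy needs at least two elements")
    ratio = mttr_h / mtbf_h
    # Assumption: the formula is treated as an approximation for MTTR small
    # against MTBF; the 1% cut-off is this example's choice, not the page's.
    if ratio > 0.01:
        raise ValueError("MTTR/MTBF too large for the approximation")
    return 1.0 - n * (n - 1) * ratio ** 2


@dataclass(frozen=True)
class Requirement:
    clause: str
    min_availability: float  # sub-clause a)
    min_mtbf_h: float        # sub-clause b)
    max_mttr_h: float        # sub-clause b)


# Figures copied from sections 3.4.4.4.2 to 3.4.4.4.8.
REQUIREMENTS = [
    Requirement("3.4.4.4.2", 0.9995, 3 * HOURS_PER_MONTH, 40 / 60),
    Requirement("3.4.4.4.3", 0.9999, HOURS_PER_YEAR, 1.0),
    Requirement("3.4.4.4.4", 0.9999, HOURS_PER_YEAR, 1.0),
    Requirement("3.4.4.4.6", 0.9995, 3 * HOURS_PER_MONTH, 40 / 60),
    Requirement("3.4.4.4.7", 0.9999, HOURS_PER_YEAR, 1.0),
    Requirement("3.4.4.4.8", 0.99995, 2 * HOURS_PER_YEAR, 1.0),
]


def check(req: Requirement, mtbf_h: float, mttr_h: float) -> list:
    """Return the sub-clauses violated by a subset with the given figures."""
    violated = []
    if availability(mtbf_h, mttr_h) < req.min_availability:
        violated.append("a) availability")
    if mtbf_h < req.min_mtbf_h:
        violated.append("b) MTBF")
    if mttr_h > req.max_mttr_h:
        violated.append("b) MTTR")
    return violated


def boundary_report() -> dict:
    """Check each clause with MTBF and MTTR exactly on the b) limits."""
    return {r.clause: check(r, r.min_mtbf_h, r.max_mttr_h) for r in REQUIREMENTS}


def max_mttr_for(req: Requirement, mtbf_h: float) -> float:
    """Largest MTTR (hours) that still meets a) at the given MTBF."""
    a = req.min_availability
    return mtbf_h * (1.0 - a) / a


if __name__ == "__main__":
    for clause, violated in boundary_report().items():
        print(clause, "on the b) limits:", violated or "meets a) and b)")
    # Constructed R&M model: a duplicated unit in series with a single unit.
    pair = n_minus_1_of_n(2, mtbf_h=2000.0, mttr_h=1.0)
    single = availability(mtbf_h=10000.0, mttr_h=0.5)
    print("constructed series model:", round(series(pair, single), 7))
```

With these conversions, the 1-year and 2-year clauses meet their a) availability only if the MTTR stays under roughly 53 minutes at the minimum MTBF, or the MTBF exceeds its minimum.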
3.4.4.5 E̲q̲u̲i̲p̲m̲e̲n̲t̲ ̲R̲e̲d̲u̲n̲d̲a̲n̲c̲y̲
3.4.4.5.1 W̲i̲t̲h̲d̲r̲a̲w̲a̲l̲ ̲o̲f̲ ̲R̲e̲d̲u̲n̲d̲a̲n̲t̲ ̲I̲t̲e̲m̲s̲
It is acceptable that redundant modules and units can
be withdrawn from use by the operational configuration
in order to perform:
a) Preventive maintenance
b) Execution of test programmes
c) Loading and check-out of new software
d) On-job training
e) Training/exercise with alternative procedures.
provided that:
- a failure, while in the degraded availability state,
shall not result in the loss of operational messages
and transaction accountability.
- the capability is maintained to re-integrate such
redundant items into the operational configuration
and return them to service within 5 minutes.
3.4.4.5.2 L̲o̲s̲s̲ ̲o̲f̲ ̲R̲e̲d̲u̲n̲d̲a̲n̲c̲y̲
With respect to redundant modules or units provided
to meet the availability and reliability requirements,
no failure shall result in the equipment being without
the complete planned degree of redundancy for longer
than 6 hours more than once a year.
3.4.4.6 S̲p̲e̲c̲i̲f̲i̲c̲ ̲E̲q̲u̲i̲p̲m̲e̲n̲t̲ ̲A̲v̲a̲i̲l̲a̲b̲i̲l̲i̲t̲y̲ ̲R̲e̲q̲u̲i̲r̲e̲m̲e̲n̲t̲
a) The reliability requirements with respect to contractor
supplied terminal equipment connected to the processor
equipment shall be as follows:
1) M̲e̲d̲i̲u̲m̲ ̲S̲p̲e̲e̲d̲ ̲P̲r̲i̲n̲t̲e̲r̲
MTBF: 3000 hrs
Downtime: not to exceed 30 mins. per month
including preventive maintenance.
2) V̲D̲U̲
MTBF: 5000 hrs.
Downtime: not to exceed 30 mins. per month
including preventive maintenance.
3.4.4.7 T̲e̲r̲m̲s̲
In interpreting specification and verification sections
in this paper on reliability and availability the following
terms shall apply:
a) A̲v̲a̲i̲l̲a̲b̲i̲l̲i̲t̲y̲. The probability of finding an item
(system, subsystem, unit and part thereof) in a
functioning condition at a given time.
b) C̲o̲r̲r̲e̲c̲t̲i̲v̲e̲ ̲M̲a̲i̲n̲t̲e̲n̲a̲n̲c̲e̲. The maintenance undertaken
to restore an item to a specified condition after
a failure has occurred.
c) D̲o̲w̲n̲ ̲T̲i̲m̲e̲. The time during which any of the facilities
or functions to be provided by the item is not
available, for whatever reason.
d) F̲a̲i̲l̲u̲r̲e̲. The inability of any item to carry out
its specified function within the tolerance allowed
under its normal operating conditions.
The following failure situations shall be disregarded
in availability calculation:
1) The item is or has been exposed to conditions,
which are not within the tolerances allowed
under its normal operating conditions.
2) The item is or has been exposed to violence.
e) I̲t̲e̲m̲. An item is defined as system, sub-system,
unit and part thereof.
f) M̲e̲a̲n̲ ̲T̲i̲m̲e̲ ̲B̲e̲t̲w̲e̲e̲n̲ ̲F̲a̲i̲l̲u̲r̲e̲ ̲(̲M̲T̲B̲F̲)̲. The statistical
mean of the functioning time between failures.
For a given interval, the total measured functioning
time of the item divided by the total number of
failures of that item during the interval. Agreed
scheduled preventive maintenance of subsystems
of the equipment shall not be counted when estimating
mean time between failure of such sub-systems.
g) M̲e̲a̲n̲ ̲T̲i̲m̲e̲ ̲t̲o̲ ̲R̲e̲p̲a̲i̲r̲ ̲(̲M̲T̲T̲R̲)̲. The statistical mean
of the distribution of times-to-repair. The summation
of active repair times during a given period of
time divided by the total number of malfunctions
during the same time interval. This repair time
shall include all actions required to detect, locate
and repair the fault.
h) P̲r̲e̲v̲e̲n̲t̲i̲v̲e̲ ̲M̲a̲i̲n̲t̲e̲n̲a̲n̲c̲e̲. The maintenance undertaken
systematically with the intention of keeping an
item in a specified condition, reducing the occurrence
of failures, and prolonging the useful life of
the equipment.
i) R̲e̲l̲i̲a̲b̲i̲l̲i̲t̲y̲. The probability that an item will
perform a required function under stated conditions
for a stated period of time.
k) R̲e̲p̲a̲i̲r̲. A repair is the restoration of an item
to the state in which it can provide its specified
functions.
When the item is a replaceable module or includes
replaceable modules, the exchange operation is
considered as the repair operation.
l) M̲o̲d̲u̲l̲e̲. A collection of one or more units as defined
in this section which satisfy the following conditions:
1) It has a functional significance in the context
of R&M.
2) Individual failures can be localised to the
specific module.
3) The module is capable of removal and replacement.
4) The module operational condition has a simple
two state classification (operative or inoperative)
in the availability calculation.
m) U̲n̲i̲t̲. This has an exclusively functional significance
in this R&M context. The smallest hardware or
software element utilized in the Reliability and
Maintainability (R&M) models. The set of all units,
taken together make up the equipment. Each unit
shall satisfy the following conditions:
1) It does not contain any portion of any other
unit.
2) The failure of the unit is independent of the
failure of any other unit.
3) The unit operational condition has a simple
two-state classification (operative or in-operative)
in the availability calculation.
4) Corrective maintenance on failed redundant
parts of a unit is performed only when the
unit containing these parts has failed.
T̲A̲B̲L̲E̲ ̲O̲F̲ ̲C̲O̲N̲T̲E̲N̲T̲S̲
S̲e̲c̲t̲i̲o̲n̲ ̲3̲.̲4̲.̲5̲
3.4.5 Security
  3.4.5.1 Communication and Electrical Requirements
  3.4.5.2 Control of Record Output
    3.4.5.2.1 Print-Out
    3.4.5.2.2 Punched Paper Tape
    3.4.5.2.3 Removable Storage Media
  3.4.5.3 Accountability of Transaction
  3.4.5.4 Supervisory Security Monitoring
  3.4.5.5 Terminal Access Control
  3.4.5.6 Security Classification and Special Handling
  3.4.5.7 System Design Requirements
3.4.5 S̲e̲c̲u̲r̲i̲t̲y̲
This section addresses or references all requirements
related to security.
3.4.5.1 C̲o̲m̲m̲u̲n̲i̲c̲a̲t̲i̲o̲n̲s̲ ̲a̲n̲d̲ ̲E̲l̲e̲c̲t̲r̲i̲c̲a̲l̲ ̲R̲e̲q̲u̲i̲r̲e̲m̲e̲n̲t̲s̲
The typical CAMPS layout, fig. 3.4.2.1.1 shows the
components of an equipment:
1) 1 or 2 multi-bay rack assemblies in a shielded
enclosure.
2) a number of terminals for maintenance and supervisory
positions, i.e. VDU's, medium speed printers, paper
tape reader/puncher and line printer.
During short periods of corrective and preventive maintenance,
the emanation requirements are degraded.
The operational procedures must ensure that
the supervisor is kept currently informed of activities
concerning corrective and preventive maintenance and
is thus able to decide whether it is acceptable to
continue operation or not.
Transfer and transmission within the installation means
transfer and transmission between the components.
a) To meet the NATO Security requirements, the equipment,
including ancillaries and peripherals, must conform
to the design parameters laid down in AMSG 720A
and also be installed in accordance with criteria
laid down in AMSG 719B. The production equipments
shall be subject to inspection and testing by ACE
COMSEC Radiation Team at the factory premises prior
to despatch/distribution to locations. After installation,
a final COMSEC Radiation Survey will be carried
out at each location prior to operational approval
being given. Rectification of the equipment characteristics
shortcomings shall be the responsibility of the
contractor.
b) All hardware including opto/electrical interfaces
must be individually cleared by ACE COMSEC to ensure
"TEMPEST" acceptance. During the contract phase,
technical information will be supplied to ACE COMSEC
for evaluation and, where required, a production
model shall be delivered for testing purposes.
c) S̲p̲e̲c̲i̲a̲l̲ ̲e̲a̲r̲t̲h̲i̲n̲g̲ ̲a̲r̲r̲a̲n̲g̲e̲m̲e̲n̲t̲s̲ are necessary within
the complete system in order to comply with criteria
laid down in AMSG 719B. In the terminal equipments
signal common returns s̲h̲a̲l̲l̲ ̲b̲e̲ ̲s̲e̲p̲a̲r̲a̲t̲e̲ ̲a̲n̲d̲ ̲i̲n̲s̲u̲l̲a̲t̲e̲d̲
̲f̲r̲o̲m̲ ̲a̲l̲l̲ ̲o̲t̲h̲e̲r̲ ̲e̲a̲r̲t̲h̲s̲ or metal chassis (this includes
protective earth which is usually derived from
the station's main supply).
d) All electrical interconnections for data between
the equipments will use low level keying systems,
i.e. 6-0-6 volts at currents less than one milli-ampere.
All remaining control lines should conform to CCITT
Recommendation V28.
e) All electrical wiring on the red side shall be
run in a screened cable, consisting of twisted
pairs and an overall continuous n̲o̲n̲-̲f̲e̲r̲r̲o̲u̲s̲ ̲s̲c̲r̲e̲e̲n̲.
When installed, the cable will carry classified
information in telegraph and data form in the clear
text and must have been approved for this purpose
by the NATO Communications Security Authority.
The cables must receive COMSEC approval before
installation. Cable specifications and sample lengths
of not less than three metres shall be supplied
to A̲C̲E̲ ̲C̲O̲M̲S̲E̲C̲ for approval prior to installation.
Items 1) to 7) below list the specifications which should
be used for selection of the cable.
1) C̲a̲b̲l̲e̲
The cable shall contain 12 stranded conductors
in PVC insulated cores with a single collective
copper braid screen and overall PVC insulation.
It shall conform to the following parameters:
1) Number of strands in each conductor: 7
2) Diameter of wires in core: 0.2 mm nominal
3) Thickness of core insulation: 0.3 mm nominal
4) Overall diameter of cable: minimum 6.6 mm, maximum 7.2 mm
5) Capacitance, wire to wire, and each wire to sheath:
   50 pF/metre max.
2) C̲o̲n̲d̲u̲c̲t̲o̲r̲s̲
There shall be no kinks, broken wires or other
irregularities in the conductors.
The PVC insulation is to be extruded on to the
conductors.
3) S̲c̲r̲e̲e̲n̲
The screen shall be of braided construction
and shall be formed of uniformly tinned copper
wires.
The screen shall be close fitting but it shall
be possible to slide back the screen by hand.
There shall be not more than one break in the
wires from any individual bobbin in any 25
mm length of cable.
There will be no joints in the complete braid.
The filling factor shall be not less than 0.7.
4) C̲o̲n̲s̲t̲r̲u̲c̲t̲i̲o̲n̲
A polyester film not thicker than 0.025 mm
shall be applied over the laid up cores in
such a manner that each turn of the tape shall
overlap the preceding turn by at least 15%.
Successive layers of cores shall be laid up
in the same direction with the layer short
enough to ensure reasonable flexibility to
the cable.
PVC filling may be used to assist in obtaining
a circular formation to the cable.
Overall insulation shall be of black PVC and
be free from inclusion and extrusion defects.
The sheath shall be easily removable from the
other component parts of the cable.
Colour coding shall be used for identification
of conductors.
5) E̲n̲v̲i̲r̲o̲n̲m̲e̲n̲t̲a̲l̲
The cable shall meet the following environmental
conditions:
Installation and operation: 0 deg. C to 40 deg. C, RH 10% - 88%
Storage and transportation: -30 deg. C to 55 deg. C, RH 10% - 98%
6) I̲n̲s̲u̲l̲a̲t̲i̲o̲n̲
The completed cable, in the dry state, shall
withstand for 1 min 1000 V rms. at 50 Hz applied
between all of the conductors connected together
and the screen.
7) P̲a̲c̲k̲a̲g̲i̲n̲g̲ ̲a̲n̲d̲ ̲M̲a̲r̲k̲i̲n̲g̲
The cable shall be delivered on disposable
drums.
Each drum shall carry 500 meters (+/-5%) of
cable in one piece and both ends of the cable
shall be suitably sealed to prevent the ingress
of moisture.
Each drum shall carry a printed label containing,
as a minimum, the following data:
1) NATO Property
2) 12W cable. CAMPS project
3) 500 metres
4) Date of manufacture (month and year)
5) NATO stock number
f) Installation of optical fibers shall be in accordance
with AMSG 719B.
g) As-built drawings and all circuit diagrams of the
first operational system, and similar material
for any variations in subsequent system to be delivered,
showing all electrical interfaces and voltages,
shall be supplied to ACE COMSEC before factory
inspection.
h) To assist in the assessment of physical security
and guarding of classified information, a list
of all items of equipment which will store, display
or record classified information shall be supplied
to ACE COMSEC by the contractor, both local and
remote. From the list, an assessment will be made
for physical security in accordance with AMSG 293D.
i) Installation work will be witnessed by local COMSEC
staff to ensure that all installation conforms
to COMSEC requirements.
j) External traffic circuits connected to the central
processor will normally be equipped with on-line
synchronous cryptographic equipment to be supplied,
installed and maintained by the purchaser.
k) The central processor will be installed in an area
designated as a Red Area. Within the Red Area classified
information may be handled in plain language; the
transfer of information in an electrical form within
this area shall be subject to and comply with the
criteria laid down in AMSG 719B.
l) The crosstalk attenuation between any circuit carrying
classified information and any other circuit within
the installation shall be not less than 100 dB.
m) Send and receive data circuits and release pulse
circuits shall be capable of producing or interpreting
signals when the pulse shape is such that the rise
and fall times, defined as the time required for
the voltage to rise or fall to 80% of its peak-to-peak
value, shall be within 5% to 15% of the unit interval
at the applicable modulation rate. Transitions
in both directions shall be approximately equal
with these limits and be equally affected by shunt
capacitance. Pulse forms shall exhibit smooth exponential
curves and contain no points of inflexion during
reversals.
n) On send circuits the pulse form shall be measured
at the line tag blocks at the Patch Test and Monitor
Facility. Limits shall be met at this reference
plan with the circuits terminated with a 5000 and
7000 ohm resistive load for the tests and repeated
with an additional shunt capacitance of 2500 picofarads.
o) The power supply to all the equipment in the Red
Area will enter via a filter or a group of filters
which will be supplied by the purchaser. The function
of these filters is to ensure that no compromising
signals are able to reach a Black Area via the
power supply leads. The equipment shall function
satisfactorily with these filters present in the
power leads.
p) The design of any maintenance facility shall incorporate
suitable security features which as a minimum shall
prevent:
1) B̲y̲p̲a̲s̲s̲i̲n̲g̲ ̲t̲h̲e̲ ̲E̲n̲c̲r̲y̲p̲t̲i̲o̲n̲ ̲D̲e̲v̲i̲c̲e̲
Any test procedure incorporating the bypassing
of the Data Encryption Devices and Isolators
shall include a positive hardware feature which
prevents the simultaneous bypassing of the
Panel Switching Equipment and the connection
of the DCE to an external telephone line.
2) I̲n̲a̲d̲v̲e̲r̲t̲e̲n̲t̲ ̲C̲o̲n̲n̲e̲c̲t̲i̲o̲n̲ ̲o̲f̲ ̲R̲e̲d̲ ̲a̲n̲d̲ ̲B̲l̲a̲c̲k̲ ̲W̲i̲r̲i̲n̲g̲
The test and patching facilities shall be designed
so that there is no possibility of inadvertently
connecting red and black wiring.
3.4.5.2 C̲o̲n̲t̲r̲o̲l̲ ̲o̲f̲ ̲R̲e̲c̲o̲r̲d̲ ̲O̲u̲t̲p̲u̲t̲
To facilitate control, procedures shall be implemented
which provide means for identification of:
1) Print out
2) Punched paper tapes
3) Removable storage media
3.4.5.2.1 P̲r̲i̲n̲t̲-̲O̲u̲t̲
Print-out shall carry document control number as defined
in section 3.2.3.7.3.
3.4.5.2.2 P̲u̲n̲c̲h̲e̲d̲ ̲P̲a̲p̲e̲r̲ ̲T̲a̲p̲e̲
Messages punched out shall be preceded by 20 cms blank
tape and succeeded by 20 cms blank tape. A document
control number (max. 10 digits) shall be punched in front
of the message punched out.
3.4.5.2.3 R̲e̲m̲o̲v̲a̲b̲l̲e̲ ̲s̲t̲o̲r̲a̲g̲e̲ ̲m̲e̲d̲i̲a̲
a) Units of removable storage such as a removable
disk pack shall be controlled logically by the
supervisor.
b) Logically controlled means that the supervisor
shall have commands available to control the removable
media after it has been physically mounted. Logically
controlled is as opposed to physical control, which
in principle can be performed by anyone having
physical access to the diskdrive.
c) The following procedures are implemented (refer
to supervisory functions, section 3.2.4.1.1.11):
1) Unit identification
2) Removal of previous stored information
3) Action on loading a unit for retrieval purposes
4) Unit directory
5) Display/print-out of stored information
3.4.5.3 A̲c̲c̲o̲u̲n̲t̲a̲b̲i̲l̲i̲t̲y̲ ̲o̲f̲ ̲T̲r̲a̲n̲s̲a̲c̲t̲i̲o̲n̲s̲
Requirements related to log and statistical information
to be compiled by the system are given in sections
3.2.5 and 3.2.6 respectively.
3.4.5.4 S̲u̲p̲e̲r̲v̲i̲s̲o̲r̲y̲ ̲S̲e̲c̲u̲r̲i̲t̲y̲ ̲M̲o̲n̲i̲t̲o̲r̲i̲n̲g̲
All requirements related to supervisory security monitoring
are specified in detail in section 3.2.4.1.1.5.
3.4.5.5 T̲e̲r̲m̲i̲n̲a̲l̲ ̲A̲c̲c̲e̲s̲s̲ ̲C̲o̲n̲t̲r̲o̲l̲
All requirements related to terminal access control
are specified in detail in section 3.2.3.2.
3.4.5.6 S̲e̲c̲u̲r̲i̲t̲y̲ ̲C̲l̲a̲s̲s̲i̲f̲i̲c̲a̲t̲i̲o̲n̲ ̲a̲n̲d̲ ̲S̲p̲e̲c̲i̲a̲l̲ ̲H̲a̲n̲d̲l̲i̲n̲g̲
The classifications applicable to CAMPS are the NATO
classifications specified below:
- COSMIC TOP SECRET
- NATO SECRET
- NATO CONFIDENTIAL
- NATO RESTRICTED
- NATO UNCLASSIFIED
S̲p̲e̲c̲i̲a̲l̲ ̲H̲a̲n̲d̲l̲i̲n̲g̲
The number of special handling designators shall be
as specified in section 3.4.1.1.1.
The following designators apply:
Special Category Warnings:
N̲A̲M̲E̲ D̲E̲S̲I̲G̲N̲A̲T̲O̲R̲
ATOMAL .............................. L
CTS ................................. B
EXCLUSIVE ........................... P
CRYPTO SECURITY ..................... Y
DATE MESSAGE DESIGNATOR ............. D
Other, e.g. for exercise traffic may be specified up
to the maximum.
3.4.5.7 S̲y̲s̲t̲e̲m̲ ̲D̲e̲s̲i̲g̲n̲ ̲R̲e̲q̲u̲i̲r̲e̲m̲e̲n̲t̲s̲
In this section requirements with respect to hardware
and software aspects of equipment design are given.
a) H̲a̲r̲d̲w̲a̲r̲e̲
1) A clean architectural design where unassigned
codes must cause a trap.
2) Memory bound mechanisms shall exist. The MAP
module prevents programs from being able to
write in memory occupied by the operating system
or by other application programs.
Any attempt to illegally access occupied data areas
shall give rise to a warning to the supervisor.
3) Two classes of instructions, one for the privileged
use of the operating system and a user mode
used by both operating system and application
programs shall exist.
A set of privileged instructions shall be exclusively
reserved for the operating system. These instructions
must control all I/O, the setting of the memory
bounds mechanism, and the setting of the system
state (privileged or user problem).
Sensitive instructions which could divert,
disrupt or inadvertently change the state of
the application software provided with CAMPS
shall not be available for execution unless
the processor is in a "privileged" state.
4) Every instruction code shall result in a prescribed
action. The occurrence and/or attempted execution
of any illegal code or bit-pattern shall be
signalled and shall result in an abort procedure.
5) Key switches shall be provided on all VDU's
and medium speed teleprinters.
6) A read/write memory erase function
shall be provided. HW/SW techniques must be
available for the accomplishment of this function.
7) All hardware shall be individually addressable
by the computer.
b) S̲o̲f̲t̲w̲a̲r̲e̲
The following software features shall be provided:
1) All programmes and data files loaded into the
system shall carry block parity check sums
to allow the detection of corrupted data.
2) Access to CAMPS data files shall be made through
system calls which pass through the authorisation
mechanism.
3) Recovery procedures after system failure shall
include checksumming of the operating system
software, reloading if this is necessary.
4) The supervisor shall have facilities to cause
a system integrity check (i.e. checksumming
of system software) to be performed at any
time he sees fit. This shall be done without
disrupting the functioning of the system.
5) To the extent possible, the operating system
shall run in the non-privileged user state.