⟦a71300cdc⟧ Wang Wps File
Length: 23900 (0x5d5c)
Types: Wang Wps File
Notes: Spelunked
Names: »~ORPHAN67.00«
Derivation
└─⟦17da89677⟧ Bits:30006229 8" Wang WCS floppy, CR 0126A
└─ ⟦this⟧ »~ORPHAN67.00«
TABLE OF CONTENTS

3.4     AVAILABILITY AND RELIABILITY
3.4.1   Definitions, Formulas and Major Assumptions
3.4.2   A&R Models
3.4.3   A&R Calculations
3.4.3.1 Equipment Serving all External Circuits, Channels and Local Terminal Connecting Points
3.4.3.2 Equipment Serving Supervisory and Service Position
3.4.3.3 Equipment Serving Individual User Connecting Point
3.4.3.4 Equipment Serving Individual External Channels
3.4.3.5 Equipment Serving Groups of External Channels
3.4.3.6 Degraded Modes & System Degradation
3.4.3.7 Specific MTBF and Downtime Requirements
3.4.4   STE and S/W Failure Rates
3.4.5   A&R Analysis
3.4 AVAILABILITY AND RELIABILITY

The MPF reliability, as expressed in terms of availability, exceeds each of the requirements of the IFB.

The reliability figures for all units involved will be presented; the system reliability figures shall then be calculated as expressed in availability.
3.4.1 Definitions, Formulas and Major Assumptions

a) Definitions & Formulas

The following set of definitions and formulas shall be used for reliability calculations as expressed via availability:

- The definition of terms of the IFB, section 4.5.1.
- In further compliance with the IFB, section 4.5, the following set of definitions and formulas, listed according to the model categories of the IFB:

b) Single Unit or Subsystem

Mean Time Between Failure = MTBF = $1/\lambda$
Uptime = U = MTBF
Mean Time To Repair = MTTR = D = Downtime

Availability $A = \dfrac{U}{U + D}$

For $D/U \ll 1$: $A \approx 1 - D/U = 1 - D\lambda$
c) Redundant Units or Subsystems
1 of 2 redundancy is applicable to these calculations.
Uptime..........
For.............
Downtime........
Availability....
F...............
d) Series Configuration of Redundant & Non-Redundant Units or Subsystems

Each reliability element in the series has uptime $U_s = 1/\lambda_s$ and downtime $D_s$.

$A = \prod_{i=1}^{N} A_i$

For $D_s/U_s \ll 1$ ($D\lambda \ll 1$):

$A \approx \prod_{i=1}^{N} \left(1 - D_{s_i}\lambda_{s_i}\right) \approx 1 - \sum_{i=1}^{N} D_{s_i}\lambda_{s_i}$

The following usage of the availability definition is useful in applying the derived result as the availability for a subsystem in further calculations:

$A = \dfrac{U}{U + D}$

For $D/U \ll 1$: $A \approx 1 - D/U = 1 - D\lambda$

Hence $D\lambda = \sum_{i=1}^{N} D_{s_i}\lambda_{s_i}$.

Consequently all calculations may be performed by summation and multiplication of terms $D_s\lambda_s$. It is seen that downtime and uptime, within the approximation $D\lambda \ll 1$ which shall always hold for these calculations, will never have to be known separately except in the case of the basic units.
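The product and summation rules of b) and d) worked through in code, as an added example that is not part of the original proposal. MTBF figures are taken from table 3.4.3-1 of this section and the MTTR of 1 hour follows assumption e); which units are treated as 1-of-2 redundant is a constructed assumption for the demonstration, as is the redundancy model itself (independent repair, pair unavailable only while both units are down, giving the term $(D\lambda)^2$), since the proposal's own redundancy formulas under c) are not legible in this copy. The helper for translating an MTBF/MTTR requirement into an availability figure is the $A \approx 1 - D/U$ approximation above.

```python
"""Availability arithmetic for a series chain of redundant and non-redundant units.

Added example, not the proposal's own code.  MTBF values are taken from
table 3.4.3-1 of this section; MTTR = 1 h follows assumption e).  Which
units are 1-of-2 redundant, and the independent-repair pair model used for
them, are constructed assumptions for this demonstration.
"""
from dataclasses import dataclass
from typing import Iterable, List

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Unit:
    name: str
    mtbf_h: float            # U = MTBF = 1/lambda, in hours
    mttr_h: float = 1.0      # D = MTTR, in hours (1 h per assumption e))
    redundant: bool = False  # True: 1-of-2 pair of identical units (assumed)

    @property
    def failure_rate(self) -> float:
        """lambda in failures per hour."""
        return 1.0 / self.mtbf_h

    @property
    def fpm(self) -> float:
        """Failures per million hours, the unit used in table 3.4.3-1."""
        return 1e6 / self.mtbf_h


def unit_unavailability(u: Unit, approx: bool) -> float:
    """1 - A for one unit: exact D/(U+D), or D*lambda when D/U << 1."""
    if approx:
        return u.mttr_h * u.failure_rate
    return u.mttr_h / (u.mtbf_h + u.mttr_h)


def element_unavailability(u: Unit, approx: bool = False) -> float:
    """D_s*lambda_s of one series element.

    Non-redundant element: the single-unit value.  1-of-2 redundant
    element: the pair is down only while both units are down; with
    independent repair that probability is the single-unit value squared
    (assumed model, not the proposal's formula).
    """
    q = unit_unavailability(u, approx)
    return q * q if u.redundant else q


def series_availability(units: Iterable[Unit]) -> float:
    """Product rule A = prod A_i, using exact per-element values."""
    a = 1.0
    for u in units:
        a *= 1.0 - element_unavailability(u, approx=False)
    return a


def series_availability_approx(units: Iterable[Unit]) -> float:
    """Summation rule A ~ 1 - sum D_s*lambda_s, the form used in 3.4.3."""
    return 1.0 - sum(element_unavailability(u, approx=True) for u in units)


def availability_from_requirement(mtbf_h: float, mttr_h: float) -> float:
    """Availability implied by an MTBF/MTTR requirement (A ~ 1 - D/U)."""
    return 1.0 - mttr_h / mtbf_h


def mtbf_from_availability(a: float, mttr_h: float) -> float:
    """Invert 1 - A ~ MTTR/MTBF to recover the MTBF for a given MTTR."""
    return mttr_h / (1.0 - a)


# Sample chain: MTBF figures from table 3.4.3-1; redundancy flags constructed.
SAMPLE_CHAIN: List[Unit] = [
    Unit("CPU+CACHE", 26100, redundant=True),
    Unit("RAM, 128 K", 17000, redundant=True),
    Unit("POWER SUPPLY", 26800, redundant=True),
    Unit("REQUIRED VDU", 5000),  # single VDU, no redundancy assumed
]

if __name__ == "__main__":
    exact = series_availability(SAMPLE_CHAIN)
    approx = series_availability_approx(SAMPLE_CHAIN)
    print(f"product rule A = {exact:.7f}, summation rule A = {approx:.7f}")
    for years, mttr in ((2, 1.0), (2, 0.5)):
        a = availability_from_requirement(years * HOURS_PER_YEAR, mttr)
        print(f"MTBF {years} y, MTTR {mttr} h -> required A = {a:.5f}")
```

The summation rule always gives a slightly lower (more conservative) availability than the product rule, because $D/U > D/(U+D)$; the gap is of order $(D\lambda)^2$ and is negligible whenever $D\lambda \ll 1$ holds, which is the condition the text states for all of these calculations. The non-redundant VDU dominates the sample chain, which is the effect the later sections rely on when they argue that diagram B units, not the redundant core, set the MTBF.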
e) Assumptions

The following assumptions will apply for the availability calculations:

- The stand-by MC will not contribute to the availability.
- Preventive maintenance will be limited to a minimum (cleaning of air filters, etc.).
- Repair will be limited to simple replacement of units; it is assumed that spares are available fully adjusted for insertion (refer sections 6.4 and 6.5 for Maintenance and Spare Parts).
- Power sources are assumed available at the sites (with the quality as defined in section 6.1.10 e)) and will have no impact on the availability calculated here.
- Environmental conditions outside the control of the equipment manufacturer shall not be considered: fire, flood, explosion, etc. Refer section 3.2 for environmental conditions.
- The unit MTTR is assumed to be 1 hour in all calculations; this is a conservative assumption which has been introduced partly for safety and partly for ease of calculation.

The requirement for no equipment being without the planned degree of redundancy for longer than 6 hours more than once a year is hereby fulfilled.
3.4.2 A&R Models

The presentation of the models will include the following components:

- overview diagram presenting the main configuration items of the total system, refer fig. 3.4.2-1
- overview diagrams presenting all the reliability units of the main configuration items, refer fig. 3.4.2-2 to 3.4.2-.

The Watchdog Monitor and Control Bus (the Crate Configuration Bus), and the adaptors in the crates (the CCAs), have not been shown in the above diagrams in order to simplify the overview. The corresponding units have been shown in the reliability block diagrams, however.

Reliability block diagrams.

2 diagrams exist, fig. 3.4.2-6 A&B: Diagram A presents the units which support all the reliability configurations to be considered, and Diagram B is dedicated to the units out of which only a subset shall be considered in each reliability configuration. Diagram B shall be used in different versions to indicate the exact configuration in each case.

In subsection 3.4.3 each of the reliability cases from the IFB has been considered separately, first considering the case corresponding to diagram A, which forms the basis for the other cases.

Special consideration will be given to the following requirement, however: No single failure shall cause a total subsystem failure.

Such a failure may not happen within the configuration corresponding to diagram A, this equipment forming the subsystem which supports all other configurations. A single error whereby a single user connection or external channel is lost is, provided the availability figures are otherwise sufficient, not included in this requirement.

In this connection the SS&C unit is of special interest, this apparently being the only unit which is not redundant. However, the SS&C, including the watchdog with VDU, printer and floppy disk, only has to be working in case of a failure in the rest of the system, i.e. at least two errors are needed for a failure.

The availability contribution from the SS&C, or rather the unavailability contribution, expressed as $D_s\lambda_s$, is given as the value $D\lambda$ of the SS&C times the probability of a failure in any part of the rest of the system, which is the $D\lambda$ value for the total configuration in question including VDUs and printers. For ease of calculation the worst case value, including all equipment, will be used in all cases.

The FAN in the diagram (in I/O Bus) is not a single unit; actually it is composed of 8 fans in a cluster, and the corresponding high reliability is reflected in the MTBF used for the calculations.

The off-line disk does not contribute to the disk redundancy and is thus not included in the reliability diagram.
Fig. 3.4.2-1 System Overview.
Fig. 3.4.2-2 Processor Unit.
Fig. 3.4.2-3 I/O Bus 1.
Fig. 3.4.2-4 I/O Bus 2.
Fig. 3.4.2-5 Types of LTUs and Connections.
Fig. 3.4.2-6A Reliability Block Diagram A.
Fig. 3.4.2-6B Reliability Block Diagram B.
3.4.3 A&R Calculations

The calculations shall be based on the formulas of section 3.4.1 for $D\lambda \ll 1$ and with the assumption of section 3.4.2:

D = 1 (MTTR = 1 hour) for all units.

The results may then be presented in a clear and simple form (refer table 3.4.3.1-1): In cases of series with redundant (always 1 of 2 redundancy) units and non-redundant items, the $\lambda_s$ value is equal to the $\lambda$ value for the single units. All values are in units of FPM = failures per million hours.

The reliability figures used in the calculations are listed in table 3.4.3-1.
ITEM                                          MTBF (Hours)    FPM
SS&C WD SUBSYSTEM                                     7782    128.5
CR8087MM/010--/00  SFA                          10,000,000      0.1
CR8047M/010A-/00   FLOP CTRL                         59500     16.8
REQUIRED VDU                                          5000    200
REQUIRED PRINTER                                      3000    333
CR8050M/-----/00   POWER SUPPLY                      26800     37.3
CR8106M/220--/00   MAINS FILTER & DIST.            600.000      1.6
CR8105M/020--/00   FAN                            5000.000     20.0
CR8089M/----/00    CCA                               29674     33.7
CR8055M/010PC/00   MBT                              286000      3.5
CR8071M/010--/00   M1A                               85500     11.7
CR802OM/000PC/00   MAP                               19400     51.6
CR8016M/128PC/00   RAM, 128 K                        17000     58.8
CR8003M/040PC/00   CPU+CACHE                         26100     38.3
CR8081M/010--/00   CIA                               71400     14.0
CR8044M/040AB/00   DISK CTRL                         32200     33.1
CR8084M/010--/00   DCA                               46900     21.3
R8400/---          DISK DRIVE, SMD 40-400 MB          4000    250
CR8086M/010AB/00   LTU, DUAL                          36.9     36.9
CR8082M/010--/00   LIA-N                         10,000,000     01
                   V24                             500.000      2
                   OMD                             500.000      2

Table 3.4.3-1
3.4.3.1 Equipment Serving all External Circuits, Channels and Local Terminal Connecting Points

The requirements concerning single failures and the role of the SS&C have been discussed in section 3.4.2. Further requirements are:

- the availability shall be at least 0.99995
- the MTBF shall be at least 2 years with a MTTR not to exceed 1 hour.

The subsystem downtime or MTTR is of course less than the largest MTTR of any unit, i.e. it is less than one hour. By assuming an MTTR of 1 hour and an MTBF of 2 years the availability requirement is 0.99994, which is a less strong requirement than the first requirement calling for 0.99995.

The lower limit for the MTTR is 1/2 hour for redundant units each with an MTTR of 1 hour. In this case the availability requirement is 0.99997 and this is now the stronger requirement. This requirement is met.

The equipment configuration in question is presented as the reliability block diagram A of section 3.4.2. Refer to the tables 3.4.3.1-1 and 3.4.3.1-2 for the availability calculations.
3.4.3.2 Equipment Serving Supervisory and Service Position

The requirements are:

- availability shall be at least 0.9999
- the MTBF shall be at least 1 year with an MTTR not to exceed 1 hour.

As in section 3.4.3.1 it is found that the availability requirement corresponding to MTTR = 1/2 hour is the stronger, namely 0.99994. This requirement is met.

Table 3.4.3.1-1 Availability of Equipment Serving all External Channels and Local Terminal Connecting Points.

Table 3.4.3.1-2 Availability of Equipment Serving all External Channels and Local Terminal Connecting Points.

The equipment configuration in question is presented as the reliability block diagram A of section 3.4.2 plus the equipment indicated in the diagram fig. 3.4.3.2-1 (diagram B).

Table 3.4.3.2-1 proves the fulfilment of the requirement for availability.

Fig. 3.4.3.2-1 Reliability Block Diagram B.

Table 3.4.3.2-1 Availability for Equipment Serving Supervisory and Service Positions.
3.4.3.3 Equipment Serving Individual User Connecting Point

The requirements are:

- availability shall be at least 0.9995
- the MTBF shall be at least 3 months with a MTTR not to exceed 40 minutes.

The equipment configuration in question is presented as the reliability block diagram A of section 3.4.2 plus the equipment indicated in the diagram fig. 3.4.3.3-1 (diagram B).

The dominating contribution to the MTBF is seen to be the units of diagram B. As already mentioned in section 3.4.1, the assumption of an MTTR of 1 hour is a conservative assumption: the equipment supporting the user connecting point in diagram B will be replaceable within 40 minutes.

Also in this case, with a MTTR of 1/2 hour, it is found that the availability requirement is harder to meet than the one resulting from calculating the availability based on the requirements for MTBF and MTTR, namely 0.9998.

Refer to table 3.4.3.3-1 for proof of the fulfilment of the requirement for availability.

Fig. 3.4.3.3-1 Reliability Block Diagram B.

Table 3.4.3.3-1 Availability for Equipment Serving User Connecting Points.
3.4.3.4 Equipment Serving Individual External Channels

The requirements are:

- availability shall be at least 0.9995
- the MTBF shall be at least 3 months with a MTTR not to exceed 40 minutes.

The equipment configuration in question is presented as the reliability block diagram A of section 3.4.2 plus the equipment indicated in the diagram fig. 3.4.3.4-1 (diagram B).

Concerning the specific requirements for MTBF and for MTTR the same remarks as in section 3.4.3.3 shall apply. The requirement for availability is again 0.9998.

Refer to table 3.4.3.4-1 for proof of the fulfilment of the requirement for availability.

Fig. 3.4.3.4-1 Reliability Block Diagram B.

Table 3.4.3.4-1 Availability for Equipment Serving Individual External Channels.
3.4.3.5 Equipment Serving Groups of External Channels

The requirements are:

- it shall be possible to divide the outgoing and incoming external channels into at least two groups so that no single failure shall cause the loss of more than one such group.
- the availability of the equipment serving any group shall be at least 0.9999
- the MTBF of the equipment serving any group shall be at least 1 year with an MTTR not to exceed 1 hour.

Fig. 3.4.2-5 displays the solution to the first requirement: each of the following sets of external channels - Broadcast, TRC plus MRL, and S/S with the corresponding monitor lines to the MCUs - has been divided into two groups. A single failure (say in a LTU) may result in the loss of only half of the channels for only one of the above groups of channels.

Fig. 3.4.3.5-1 (diagram B) presents the reliability block diagram for the equipment specific to this case, the general equipment being presented in fig. 3.4.2-6A (diagram A). From diagram B it is deduced that no single failure above the level of the LTUs shall cause failure of the groups, i.e. half of the external channels of one set (refer to the discussion in section 3.4.2).

The equipment serving a group of external channels is indicated in diagram B.

The fulfilment of the specific requirements for MTBF and MTTR is, with a minimum MTTR of 1/2 hour, equivalent to an availability of 0.99994. This requirement - which is stronger than the availability requirement - is met.

Refer to table 3.4.3.5-1 for proof of the fulfilment of the availability requirement.

Fig. 3.4.3.5-1 Reliability Block Diagram B.

Table 3.4.3.5-1 Availability for Equipment Serving Groups of External Channels.
3.4.3.6 Degraded Modes & System Degradation

The system may be brought into a degraded mode for the following reasons:

- repair as a result of failure, i.e. replacement of a module
- test of part of the equipment during diagnostic phases
- parts of the equipment are made unoperational for maintenance purposes
- test of new s/w using parts of the equipment
- training and exercises using part of the equipment.

Fig. 3.4.3.6-1 and -2 present the reliability block diagrams for one of the minimum operational configurations, the corresponding availability being calculated in tables 3.4.3.6-1 to -3.

The system is brought back to a fully configured state from the engineering position at the SS&C (refer to section 4.6.2.6 for a further description).

Redundant items which are temporarily taken out of operation but still fully serviceable if used may be brought back into operation within 5 minutes.

An even more degraded configuration may exist where the SS&C control is without the Watchdog: in this case the engineering position VDU is connected directly to the MAP of the PU.

It is seen that the system, despite the degradation of configuration, has all the units necessary for normal operations.

The system is designed in such a manner (S/W and H/W) that the occurrence of a single failure in a unit which may be withdrawn from operation as discussed above shall not disrupt further operation.

Degraded performance under high traffic conditions may be experienced if one mirrored disk is withdrawn from operation. By means of control via the SS&C, however, it is possible to configure the external channel connections to adjust the traffic load. The S/W will, in case of a disk error, provide the traffic accounting necessary to restore the information of not fully received messages and transactions and to reissue information not fully transmitted.

Similar situations may arise in case of PU failure, which are solved in the same way (including switchover, etc.).

Refer to section 4.6.2.6 for further discussion of the above subject.

Fig. 3.4.3.6-1 Availability Block Diagram A.

Fig. 3.4.3.6-2 Availability Block Diagram B.

Table 3.4.3.6-1 Availability of the Minimum Operational Configuration for Supervisor Position.

Table 3.4.3.6-2 Availability of the Minimum Operational Configuration for User Position (MCSF).

Table 3.4.3.6-3 Availability of the Minimum Operational Configuration for External Channel Group.
3.4.3.7 Specific MTBF and Downtime Requirements

It is important to note that the downtime specified here is different from the MTTR, which is the downtime per failure. The downtime specified in this requirement is the accumulated downtime over a certain period.

The following specific requirements for MTBF and downtime have been stated in the IFB. The compliance is described for each case.

- MPF central processor MTBF shall be at least 10,000 hours. The downtime shall not exceed 8 hours per year.

  The MPF central processor corresponds to the case discussed in section 3.4.3.1. The MTBF is found from the following formula (refer section 3.4.1):

  $\mathrm{MTTR}/\mathrm{MTBF} \approx 1 - A = 11 \times 10^{-6}$.

  The availability is found from table 3.4.3.1-1.

  Since the MTTR is never less than 1/2 hour (redundant units) the result is:

  MTBF = 45,450 hours.

  Since the MTTR per failure does not exceed 1 hour and the MTBF is much more than 1 year, the downtime requirement is fulfilled as well.

- The PRINTERS shall have a MTBF of at least 3000 hours and the downtime shall not exceed 30 minutes per month.

  These figures will be fulfilled.

- The VDUs shall have a MTBF of at least 5000 hours and the downtime shall not exceed 30 minutes per month.

  These figures will be fulfilled.
3.4.4 STE and S/W Failure Rates

Section 7.2.4 presents the STE.

The S/W defects will be monitored as part of the A&R program plan. Assessment of the S/W failure rates in terms of Mean Time Between Detection of Software Defects (MDSD) shall be conducted using the STE as described in section 7.2.5.2.

3.4.5 A&R Analysis

The A&R analysis shall provide the figures for unit reliabilities to be used in the availability calculations as presented in section 3.4.3. The method adopted for the analysis is discussed in section 7.2.5.1.