⟦fcdaef7b0⟧ Wang Wps File
Length: 50601 (0xc5a9)
Types: Wang Wps File
Notes: Crossfox proposal
Names: »1815A «
Derivation
└─⟦03f37a045⟧ Bits:30006227 8" Wang WCS floppy, CR 0138A
└─ ⟦this⟧ »1815A «
APPENDIX 1 OF VOL IV    MESSAGE SUBSYSTEM    TECHNICAL PROPOSAL    1982-03-05
3. G̲E̲N̲E̲R̲A̲L̲ ̲T̲E̲C̲H̲N̲I̲C̲A̲L̲ ̲S̲P̲E̲C̲I̲F̲I̲C̲A̲T̲I̲O̲N̲S̲
The equipment will be designed to comply with the general
technical requirements as stated in chapter 4 of the
IFB.
3.1 T̲e̲c̲h̲n̲i̲c̲a̲l̲ ̲S̲t̲a̲n̲d̲a̲r̲d̲s̲ ̲A̲p̲p̲l̲i̲c̲a̲b̲l̲e̲ ̲f̲o̲r̲ ̲t̲h̲e̲ ̲M̲S̲
3.1.1 G̲e̲n̲e̲r̲a̲l̲
The equipment will be of modern design with due regard
to reliability, economy, small size and weight, with
modest demands on the quality of the power supply, and
with minimum requirements for maintenance and environmental
control.
It will allow for future modifications e.g. by being
highly modular. It will be designed to meet all the
requirements of the IFB for at least 20 years.
3.1.2 S̲t̲a̲n̲d̲a̲r̲d̲s̲
The equipment and transmitted signals will comply with
CCITT or CCIR recommendations whenever appropriate.
All electric power installations provided by the contractor
will comply with the local national regulations.
The offered equipment is presently being approved by
NATO.
STANAGS will be followed when applicable. The equipment
complies with the IEC standards.
3.1.3 M̲a̲t̲e̲r̲i̲a̲l̲s̲ ̲a̲n̲d̲ ̲F̲i̲n̲i̲s̲h̲
a) Bearings, panels and covers of racks and other
assemblies will largely be made of metal, mainly
anodised aluminium or steel painted with alkyd
enamel.
b) No part of the equipment will liberate noxious
fumes, vapours or gases as a result of its normal
functioning nor as a result of heating.
Fire resistant materials will be used wherever
possible and with due regard to international standards.
Certain standards, however, dictate the use of
insulating materials which liberate fumes etc.
when subjected to severe overheating.
3.1.4 M̲o̲d̲u̲l̲a̲r̲ ̲C̲o̲n̲s̲t̲r̲u̲c̲t̲i̲o̲n̲
A highly modular design will be used, based on
suitably designed printed circuit boards installed
in standard IEC 297 19-inch racks.
3.1.5 I̲n̲t̲e̲r̲c̲h̲a̲n̲g̲e̲a̲b̲i̲l̲i̲t̲y̲
A specification of interchangeable items will be provided.
Those items will be interchangeable
- without modification of the equipment or part thereof
- without regard to the source of manufacture and
supply
- without selection or departure from the specified
equipment performance.
3.1.6 D̲i̲s̲s̲i̲m̲i̲l̲a̲r̲ ̲M̲e̲t̲a̲l̲s̲
Dissimilar metals used in intimate contact will be
suitably protected against electrolytic corrosion.
3.1.7 C̲a̲b̲l̲e̲s̲ ̲a̲n̲d̲ ̲F̲i̲t̲t̲i̲n̲g̲s̲
a) All necessary wiring, cabling and fittings will
be supplied.
b) At each end, the cables and wires will carry an
identification in agreement with that specified
in the documentation.
c) If bus bars are used they will be colour coded
for identification. Proper electrical continuity
of conduits etc. will be ensured.
d) The racks are physically adjacent and do not need
a false floor for inter-rack cabling.
Connections external to the racks will be routed
via false-floor cabling.
3.1.8 W̲i̲r̲i̲n̲g̲ ̲P̲r̲o̲t̲e̲c̲t̲i̲o̲n̲
Wires and cables will be so placed and protected as
to prevent damage caused by bending, jamming, or contact
with rough or sharp surfaces, or by heat. No connection
will be in tension.
3.1.9 F̲l̲u̲x̲ ̲a̲n̲d̲ ̲S̲o̲l̲d̲e̲r̲i̲n̲g̲
Soldered connections will comply with the requirements
of the IFB para 4.1.9.
3.1.10 P̲r̲o̲t̲e̲c̲t̲i̲o̲n̲ ̲o̲f̲ ̲E̲q̲u̲i̲p̲m̲e̲n̲t̲
a) A.C. Power line switches will break all conductors
simultaneously. The neutral wire in three-phase
circuits will not pass through any fuse.
b) Circuit breakers and back-up fuses will be used
to the maximum extent.
3.1.11 E̲l̲e̲c̲t̲r̲o̲m̲a̲g̲n̲e̲t̲i̲c̲ ̲I̲n̲t̲e̲r̲f̲e̲r̲e̲n̲c̲e̲
a) There will be no interference problems with radio
circuits or other equipment due to direct radiation.
Coupling will be eliminated by the use of RF power
line filtering and by the fact that signal ground,
A.C. neutral, and safety ground are galvanically
isolated.
b) The level of electrical emission is
- R̲a̲d̲i̲a̲t̲e̲d̲:̲ Conforming to VDE 871 class C and
VDE875 class G.
- C̲o̲n̲d̲u̲c̲t̲e̲d̲:̲ Conforming to VDE875 class G
The electrical susceptibility of the units will
allow for the following levels:
- R̲a̲d̲i̲a̲t̲e̲d̲:̲ Electromagnetic field strength of less
than 1 V/m at frequencies from 30 MHz to
500 MHz, applied from a distance of 3 m.
- C̲o̲n̲d̲u̲c̲t̲e̲d̲:̲ Noise pulses on main wires with
amplitude less than 1000 V and risetime longer
than 35 ns. Pulse duration 0.1 to 10 microseconds.
Repetition rate not more than one per second.
The low-level signal receivers of the LTUs (Line
Termination Units) and the disk read/write heads
are by their nature susceptible to EMI. Yet
it is believed that the equipment as a whole
does not contain any unusual or special components
which may pose an EMI risk.
c) Conditions for TEMPEST cleared units are described
in paragraph 3.6.1.1 (Security of MPF equipment)
and paragraph 8.1 (TEMPEST cleared VDU).
3.1.12 A̲c̲o̲u̲s̲t̲i̲c̲ ̲N̲o̲i̲s̲e̲
This will be kept to a minimum and will not exceed
the following levels at 1 m distance from any part
of the equipment:
For Norway 80 dB(A)
For Denmark 60 dB(A)
For UK, Netherlands and Germany 70 dB(A)
In operator environments it will be below 50 dB(A), or
less if required by national regulations. This will,
however, depend on the acoustic characteristics of
the operator accommodation.
3.1.13 C̲o̲n̲s̲u̲m̲a̲b̲l̲e̲ ̲P̲a̲r̲t̲s̲
The various consumable parts will be kept to a minimum
in number and quantity.
3.1.14 C̲o̲v̲e̲r̲ ̲P̲l̲a̲t̲e̲s̲
Adequately fastened cover plates will be supplied wherever
applicable.
3.1.15 U̲t̲i̲l̲i̲t̲y̲ ̲O̲u̲t̲l̲e̲t̲ ̲S̲o̲c̲k̲e̲t̲s̲
Utility Outlet Sockets and plugs will be provided as
required in the IFB.
3.1.16 N̲a̲m̲e̲ ̲P̲l̲a̲t̲e̲s̲
Name plates with the relevant information will be attached
in a prominent position on each major assembly.
3.1.17 C̲o̲n̲t̲r̲o̲l̲s̲
Controls will be designed such as to avoid unintentional
activation.
3.1.18 L̲o̲c̲a̲l̲ ̲C̲o̲o̲l̲i̲n̲g̲ ̲o̲f̲ ̲E̲q̲u̲i̲p̲m̲e̲n̲t̲
The cooling etc. of the equipment will comply to the
requirements for local cooling and filtering.
3.2 E̲n̲v̲i̲r̲o̲n̲m̲e̲n̲t̲a̲l̲ ̲C̲o̲n̲d̲i̲t̲i̲o̲n̲s̲
3.2.1 C̲i̲v̲i̲l̲ ̲E̲n̲g̲i̲n̲e̲e̲r̲i̲n̲g̲ ̲A̲s̲p̲e̲c̲t̲s̲
The power consumed, to be removed by ambient-air cooling,
is approximately 7.4 kW in total for the racks and disks.
The power per terminal is approximately 0.250 kW.
No closed-loop cooling will be employed.
3.2.2 O̲p̲e̲r̲a̲t̲i̲n̲g̲ ̲C̲o̲n̲d̲i̲t̲i̲o̲n̲s̲
The equipment will be able to operate within specifications
in the ranges of 10°C to 40°C (with a maximum rate of
change of 6°C per hour) and 40% to 90% RH non-condensing
(with a maximum rate of change of 10% RH per hour). For
long-term reliability reasons it is not recommended
to operate outside those intervals.
Facilities will be provided for alerting the operator
in the event of an abnormal environmental condition.
Facilities for automatically closing down units can
be provided too, but we recommend that closing down
is done by deliberate action.
No harm will be done to the equipment as a result of
non-active placement in an environment in the range
of -30°C to +50°C and up to 90% RH non-condensing.
3.2.3 E̲M̲P̲-̲P̲r̲o̲t̲e̲c̲t̲i̲o̲n̲
EMP-protection shall be afforded by the host shelter
when the MPF is installed in it.
Installation of the MPF will in no way compromise the
EMP integrity of the shelter.
3.3 S̲O̲F̲T̲W̲A̲R̲E̲ ̲S̲T̲A̲N̲D̲A̲R̲D̲S̲
3.3.1 G̲e̲n̲e̲r̲a̲l̲ ̲P̲r̲o̲p̲e̲r̲t̲i̲e̲s̲
a) The existing framework of the CR80/DAMOS and supporting
system software is excellently suited for the design
of a well functioning, secure, and flexible system.
b) Attention has been paid to ease of maintenance,
modification and error elimination.
c) A clean, hierarchical structure for secure and fault
tolerant processing will be used. It will allow
addition and modification of modules or values,
including tables and basic constants.
d) The modular partitioning of the three sub-systems:
(System S/W, Applications S/W, and Support S/W)
is described in sec. 4.6.
e) Error handling depends, of course, on the type
of error. The detection, possible correction, and
reporting of errors are done in various ways and
at various levels.
Yet a focal point in most error handling is the
System Status and Control (SSC) package.
Extensive measures are available for:
- Direct monitoring of all hardware units
- Other means for error detection
- Identification of errors
- Optional automatic error correction or isolation
to maintain maximum degree of operational capabilities
- Fault reporting
- Verification and Testing, e.g. subsequent to
total or partial system error
- Recovery, maintaining the maximum amount of
information of system state and operational
data
The concept ensures that no single hardware fault
will cause an irrecoverable system error.
f) The coupling between units, modules, etc. will
be minimized. Modules correspond to processes or
coroutines within processes. Any offending module
is thus under individual control of system software.
g) The structuring of code, the descriptive data names,
and the use of comments in the source code will
be used to improve comprehension and readability.
h) No code or constants are modified during execution.
In fact, code and data are effectively separated,
so code cannot be modified.
i) The data areas of a module are logically continuous.
System software has facilities implemented for
non-interfering use of shared data areas and for
secure inter module communication.
j) All software design will be largely based on that
of CAMPS (Computer Aided Message Processing System).
For that system, the SWELL language has been validated
and approved.
In compliance with the IFB, existing SWELL-modules
will be used (either directly or with minor modifications).
The few new modules can be written in PASCAL, but
for ease of future maintenance, we recommend that
they also be written in SWELL.
SWELL is an intermediate level programming language.
Its design is based on the principles of PASCAL
for systematic and structured programming.
The SWELL program parts for constant and type definitions
have been adopted almost directly from PASCAL.
As with PASCAL, it uses relocatable code, symbolic
addressing, and a procedure concept.
k) The software will be carefully documented in accordance
with the IFB par. 7.3.2.D as the design proceeds.
It should be noted that ACE ADP Standard 007-3
is part of the internal CHRISTIAN ROVSING A/S documentation
standard.
3.3.2 S̲y̲s̲t̲e̲m̲ ̲S̲o̲f̲t̲w̲a̲r̲e̲ ̲C̲h̲a̲r̲a̲c̲t̲e̲r̲i̲s̲t̲i̲c̲s̲
a) The system software facilities allow the applications
software to be structured in terms of functional
modules.
b) The system software complies with the requirements
for
- Multiprogramming and scheduling at run time
- Store Management
- Device control and interrupt response
- Inter-process communication
- Fault handling
Ref. para 4.6.2 for a brief description.
c) Hardware supported user mode/privileged mode with
16 privilege levels is used.
Applications software is kept in user mode at all
stages of program development.
Certain special systems software and firmware is
kept in "read-only" memory.
For ease of maintenance, most general and special
system software is loaded into RAM memory. However,
effective security facilities will ensure that
no code is modified, that trusted code is not being
misused, and that trusted facilities are not available
to non-trusted code.
d) The support element will be treated in par. 3.3.4.
3.3.3 A̲p̲p̲l̲i̲c̲a̲t̲i̲o̲n̲ ̲S̲o̲f̲t̲w̲a̲r̲e̲ ̲C̲h̲a̲r̲a̲c̲t̲e̲r̲i̲s̲t̲i̲c̲s̲
3.3.3.1 O̲v̲e̲r̲a̲l̲l̲ ̲S̲t̲r̲u̲c̲t̲u̲r̲e̲
a) The application software will be a set of hierarchically
structured modules based on the functional requirements.
Data areas may be allocated from shared pools,
but will be distinct for each transaction at any
one time.
b) The approach for multiprogramming and parallel
processing will be clearly illustrated by the organization
of modules into processes and coroutines.
c) The Crossfox-MPF System Functions (CSF, ref. para
4.6.2.5) provide the necessary facilities for application
packages. Thus the requirements for interprocess
communication etc. are met.
d) Validity checks are part of the systems generation
procedures. Validity checks of the system software
itself are performed by SSC, ref par. 4.6.2.6.
Validity checks, at run time, of internal transactions
are performed by the CSF, ref. par. 4.6.2.5.
Further validity checks are inherent features of
the systems architecture.
3.3.3.2 M̲o̲d̲u̲l̲e̲s̲
Modules will be designed as self-contained programming
tasks based on well defined interfaces. They can be
separately compiled. Every module will be self-contained
so that any interaction with another module is via
a well defined interface.
3.3.3.3 U̲s̲e̲ ̲o̲f̲ ̲L̲a̲n̲g̲u̲a̲g̲e̲s̲
The SWELL language is recommended for use throughout
(however, ref. para 3.3.1.j).
3.3.3.4 P̲r̲o̲g̲r̲a̲m̲s̲
a) Code, including constants, cannot be modified and
is effectively separated from modifiable data.
b) It is a feature of the architecture that code and
data are protected and are only indirectly addressed.
Thus applications have no access to absolute store
addresses.
Synchronization takes place at clearly defined
points in the program.
c) Shared resources are used by explicit reference
in the program.
3.3.3.5 M̲o̲d̲u̲l̲e̲ ̲S̲i̲z̲e̲ ̲C̲o̲n̲s̲t̲r̲a̲i̲n̲t̲s̲
At least 95% of the modules will be limited to 250
statements. The module size constraints related to
systems generation, etc. are well defined and effective
methods for dealing with these constraints exist.
3.3.3.6 M̲a̲n̲/̲M̲a̲c̲h̲i̲n̲e̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The start-up type necessary for incorporation of new
versions of software modules will, by definition,
depend on how radical the changes are. Some types of
changes can be incorporated by "SWITCH-OVER" to the
standby Processing Unit at that site.
This can be done after a short interruption without
affecting operational user facilities, i.e. on-going
transactions, queue states, etc.
The supervisor will have various facilities to record
the current state of the machine in a secure manner
without affecting user operational facilities. Some
of these diagnostics require that the machine be run
in a special trace mode.
This mode will normally only be recommended for use
during the systems development, integration, and tuning
phase, due to the overhead imposed on the system.
The switching to/from trace mode can be done via a
PU "SWITCH-OVER", i.e. with full recovery of the operational
state.
3.3.4 S̲u̲p̲p̲o̲r̲t̲ ̲S̲o̲f̲t̲w̲a̲r̲e̲ ̲C̲h̲a̲r̲a̲c̲t̲e̲r̲i̲s̲t̲i̲c̲s̲
The support software will include all aspects of maintenance
of software including off-line software libraries.
This can be done in a secure manner and with a minimal
and well defined disturbance of the operational system.
3.3.4.1 G̲e̲n̲e̲r̲a̲l̲
a) All necessary support software will be available
at the site designated for development.
As a minimum, the support software for updates
and fault finding will be available at the other
site as well.
b) Any disturbance caused to the operational system
by use of the support software will be minimal
and well defined.
A general characteristic is that the site is set
into "degraded availability mode" where the operational
system is unaffected during the off-line operations,
although the overall reliability is reduced due
to the use of off-line redundant units.
Software updates will be issued on exchangeable
disk packs or on floppy disks.
3.3.4.2 S̲o̲f̲t̲w̲a̲r̲e̲ ̲S̲u̲p̲p̲o̲r̲t̲ ̲F̲u̲n̲c̲t̲i̲o̲n̲s̲
The functions are outlined in section 4.6.4.
In particular the following features are available:
a) Diagnostics for unsuccessful compilations, and
support for comments in SWELL, PASCAL, and
Assembler source.
b) Appropriate routines for library maintenance.
c) Facilities for disk/floppy disk data conversion.
d) A debugger and facilities for simulation of modules
under test. The debugger allows use of breakpoints
and dump of registers and variables. During test,
the following may be performed:
- Display, etc. of symbolically referenced memory
locations (including registers)
- Update of those contents
- Transcription of those contents to or from
backing store
- loading, initiation, and termination of programs
- deletion of main memory contents.
- Trace of the modules being accessed during
test.
e) The appropriate loaders, editors, etc. as stated
in the IFB.
f) Cross reference listing tool.
3.3.4.3 S̲o̲f̲t̲w̲a̲r̲e̲ ̲S̲u̲p̲p̲o̲r̲t̲ ̲S̲i̲t̲e̲
Maintenance can be performed at any of the operational
sites and there is no need for a dedicated software
support site.
3.3.5 S̲o̲f̲t̲w̲a̲r̲e̲ ̲M̲a̲i̲n̲t̲e̲n̲a̲n̲c̲e̲ ̲a̲n̲d̲ ̲M̲o̲d̲i̲f̲i̲c̲a̲t̲i̲o̲n̲ ̲
The software will be structured to provide flexibility.
Extensive use of symbolic names for constants will
be employed to improve comprehension and flexibility.
Formats, configuration data, and processing information
(e.g. routing information) will be resident in tables.
The tables may be subject to updates. Many of the
tables may be updated on-line.
The Table Management design will allow for deletion
or addition of tables.
3.3.6 S̲o̲f̲t̲w̲a̲r̲e̲ ̲I̲n̲t̲e̲g̲r̲i̲t̲y̲
a) The RAM-software will also reside on the on-line
disks, ready for reload.
b) Each module will make plausibility checks of its
input in order to contain the effects of errors.
c) It will be a design aim to confine the effect of
a software fault to a single transaction wherever
possible. The detection of inconsistencies will
immediately be reported to System Status and Control
(SSC) for further reporting and error handling.
The appropriate error correction or recovery will
be attempted.
Here it will be a design aim to minimize the amount
of discontinuity and operator intervention.
3.4 A̲V̲A̲I̲L̲A̲B̲I̲L̲I̲T̲Y̲ ̲A̲N̲D̲ ̲R̲E̲L̲I̲A̲B̲I̲L̲I̲T̲Y̲
The MPF reliability, expressed in terms of availability,
exceeds each of the requirements of the IFB.
The reliability figures for all units involved are
presented below; the system reliability figures are then
calculated and expressed as availability.
3.4.1 D̲e̲f̲i̲n̲i̲t̲i̲o̲n̲s̲,̲ ̲F̲o̲r̲m̲u̲l̲a̲s̲ ̲a̲n̲d̲ ̲M̲a̲j̲o̲r̲ ̲A̲s̲s̲u̲m̲p̲t̲i̲o̲n̲s̲
a) D̲e̲f̲i̲n̲i̲t̲i̲o̲n̲s̲ ̲&̲ ̲F̲o̲r̲m̲u̲l̲a̲s̲
The following set of definitions and formulas shall
be used for reliability calculations as expressed via
availability:
- The definition of terms of the IFB, section 4.5.1.
- In further compliance with the IFB, section 4.5,
the following set of definitions and formulas listed
according to the module categories of the IFB:
b) S̲i̲n̲g̲l̲e̲ ̲U̲n̲i̲t̲ ̲o̲r̲ ̲S̲u̲b̲s̲y̲s̲t̲e̲m̲ ̲
Mean Time Between Failure = MTBF = $1/\lambda$, where $\lambda$ is the failure rate
Uptime = U = MTBF
Mean Time To Repair = MTTR = D = Downtime
Availability:
$$A = \frac{U}{U + D}$$
For $D/U \ll 1$: $A \approx 1 - D/U = 1 - D\lambda$
c) R̲e̲d̲u̲n̲d̲a̲n̲t̲ ̲U̲n̲i̲t̲s̲ ̲o̲r̲ ̲S̲u̲b̲s̲y̲s̲t̲e̲m̲s̲
1 of 2 redundancy is applicable to these calculations.
Uptime:
$$U_s = \frac{U^2 + 2UD}{2D} = 1/\lambda_s$$
For $D/U \ll 1$: $U_s \approx U^2/2D$
Downtime: $D_s = D/2$
Availability:
$$A_s = \frac{U_s}{U_s + D_s}$$
For $D/U \ll 1$: $A_s \approx 1 - D_s/U_s = 1 - (D\lambda)^2$
d) S̲e̲r̲i̲e̲s̲ ̲C̲o̲n̲f̲i̲g̲u̲r̲a̲t̲i̲o̲n̲ ̲o̲f̲ ̲R̲e̲d̲u̲n̲d̲a̲n̲t̲ ̲&̲ ̲N̲o̲n̲-̲R̲e̲d̲u̲n̲d̲a̲n̲t̲ ̲U̲n̲i̲t̲s̲
̲o̲r̲ ̲S̲u̲b̲s̲y̲s̲t̲e̲m̲s̲
Each reliability element $i$ in the series has uptime $U_{s_i} = 1/\lambda_{s_i}$
and downtime $D_{s_i}$.
$$A = \prod_{i=1}^{N} A_i$$
For $D_s/U_s \ll 1$ (i.e. $D/U \ll 1$):
$$A \approx \prod_{i=1}^{N} \left(1 - D_{s_i}\lambda_{s_i}\right) \approx 1 - \sum_{i=1}^{N} D_{s_i}\lambda_{s_i}$$
The following usage of the availability definition
is useful in applying the derived result as the availability
for a subsystem in further calculations:
$$A = \frac{U}{U + D}$$
For $D/U \ll 1$: $A \approx 1 - D/U = 1 - D\lambda$
Hence
$$D\lambda = \sum_{i=1}^{N} D_{s_i}\lambda_{s_i}.$$
Consequently all calculations may be performed by summation
and multiplication of terms $D\lambda$. It is seen that the
downtime and uptime, within the approximation $D\lambda \ll 1$
which shall always hold for these calculations,
never have to be known separately except in the case
of the basic units.
e) A̲s̲s̲u̲m̲p̲t̲i̲o̲n̲s̲
The following assumptions will apply for the availability
calculations:
- The stand-by MC will not contribute to the availability
- preventive maintenance will be limited to a minimum
(cleaning of air filters, etc.).
- repair will be limited to simple replacement of
units; it is assumed that spares are available
fully adjusted for insertion (refer sections 6.3
and 6.4 for Maintenance and Spare Parts).
- Power sources are assumed available at the sites
(with the quality as defined in section 6.1.10
e) and will have no impact on the availability
calculated here.
- Environmental conditions outside the control of
the equipment manufacturer shall not be considered:
Fire, flood, explosion, etc. Refer section 3.2
for environmental conditions.
- the Unit MTTR is assumed to be 1 hour in all calculations;
this is a conservative assumption which has been
introduced for safety.
The requirement that no equipment be without its
planned degree of redundancy for longer than 6 hours
more than once a year is thereby fulfilled.
3.4.2 A̲&̲R̲ ̲M̲o̲d̲e̲l̲s̲
The presentation of the models will include the following
components.
- overview diagram presenting the main configuration
items of the total system, refer fig. 3.4.2-1
- overview diagrams presenting all the reliability
units of the main configuration items, refer fig.
3.4.2-2 to 3.4.2-5.
The Watchdog Monitor and Control Bus (the Crate
Configuration Bus), and the adaptors in the crates
(the CCAs), have not been shown in the above diagrams
in order to simplify the overview. The corresponding
units have been shown in the reliability block
diagrams, however.
The system configuration includes 11 LTUs out of which
2 LTUs are provided for connectivity expansion (refer
section 4.1.1), hence only 9 LTUs are considered here.
- reliability block diagrams: two diagrams exist, fig.
3.4.2-6 A and B. D̲i̲a̲g̲r̲a̲m̲ ̲A̲ presents the units which
support all the reliability configurations to be
considered, and D̲i̲a̲g̲r̲a̲m̲ ̲B̲ is dedicated to the units
out of which only a subset shall be considered in
each reliability configuration. Diagram B shall be
used in different versions to indicate the exact
configuration in each case.
In subsection 3.4.3 each of the reliability cases from
the IFB has been considered separately, first considering
the case corresponding to diagram A, which forms the
basis for the other cases.
Special consideration will be given to the following
requirement, however: No single failure shall cause
a total subsystem failure.
Such a failure cannot occur within the configuration
corresponding to diagram A, this equipment forming
the subsystem which supports all other configurations.
A single error whereby a single user connection or
external channel is lost is not covered by this
requirement, provided the availability figures are
otherwise sufficient.
In this connection the SS&C unit is of special interest,
this apparently being the only unit which is not redundant.
However, the SS&C, including the watchdog with VDU,
printer and floppy disk, only has to be working in
case of a failure in the rest of the system, i.e. at
least two failures are needed before the system fails.
The availability contribution from the SS&C, or rather
its unavailability contribution, expressed as $D_s\lambda_s$, is
given as the unavailability value $D\lambda$ of the SS&C times
the probability of a failure in any part of the rest
of the system, which is the $D\lambda$ value for the total
configuration in question including VDUs and printers.
For ease of calculation the worst-case value, including
all equipment, will be used in all cases.
The FAN in diagram A (in the I/O Bus assembly) is not
a single unit; actually it is composed of 8 fans in
a cluster and the corresponding high reliability is
reflected in the MTBF used for the calculations.
The off-line disk does not contribute to the disk redundancy
and is thus not included in the reliability diagram.
Fig. 3.4.2-1 System Overview.
Fig. 3.4.2-2 Processor Unit
Fig. 3.4.2-3. I/O Bus 1.
Fig. 3.4.2-4 I/O Bus 2.
Fig. 3.4.2-5 Types of LTUs and Connections.
Fig. 3.4.2-6A Reliability Block Diagram A.
Fig. 3.4.2-6B Reliability Block diagram B.
3.4.3 A̲&̲R̲ ̲C̲a̲l̲c̲u̲l̲a̲t̲i̲o̲n̲s̲
The calculations shall be based on the formulas of
section 3.4.1 for $D\lambda \ll 1$ and with the assumption
of section 3.4.2:
D = 1 (MTTR = 1 hour) for all units.
The results may then be presented in a simple form
(refer table 3.4.3.1-1): in a series of a combination
of redundant (always 1 of 2 redundancy) units and
non-redundant items, the $\lambda_s$ value of a non-redundant
item is equal to the $\lambda$ value of the single unit. All
values are in units of FPM = failures per million hours.
The reliability figures used in the calculations are
listed in table 3.4.3-1.
ITEM                                          MTBF (hours)      FPM
SS&C WD SUBSYSTEM                                    7,782    128.5
CR8087M/010--/00  SFA                           10,000,000      0.1
CR8047M/010A3/00  FLOPPY CTRL                       59,500     16.8
REQUIRED VDU                                         5,000    200
REQUIRED PRINTER                                     3,000    333
CR8050M/-----/00  POWER SUPPLY                      26,800     37.3
CR8106M/220--/00  MAINS FILTER & DIST.             600,000      1.6
CR8105M/020--/00  FAN                              125,000      8.0
CR8089M/----/00   CCA                               29,674     33.7
CR8055M/020/00    MBT                              286,000      3.5
CR8071M/010--/00  MIA                               85,500     11.7
CR802OM/000PC/00  MAP                               19,400     51.6
CR8016M/128PC/00  RAM, 128 K                        17,000     58.8
CR8003M/040PC/00  CPU+CACHE                         26,100     38.3
CR8081M/010--/00  CIA                               71,400     14.0
CR8044M/040AB/00  DISK CTRL                         32,200     33.1
CR8084M/010--/00  DCA                               46,900     21.3
CR8300/---        DISK DRIVE, SMD 40-400 MBytes      4,000    250
CR8086M/010AB/00  LTU, DUAL                         27,000     36.9
CR8082M/010--/00  LIA-N                         10,000,000      0.1
V24                                                500,000      2
OMD                                                500,000      2
Table 3.4.3-1 (FPM = failures per 10^6 hours = 10^6/MTBF)
3.4.3.1 E̲q̲u̲i̲p̲m̲e̲n̲t̲ ̲S̲e̲r̲v̲i̲n̲g̲ ̲a̲l̲l̲ ̲E̲x̲t̲e̲r̲n̲a̲l̲
C̲i̲r̲c̲u̲i̲t̲s̲,̲ ̲C̲h̲a̲n̲n̲e̲l̲s̲ ̲a̲n̲d̲ ̲L̲o̲c̲a̲l̲
T̲e̲r̲m̲i̲n̲a̲l̲ ̲C̲o̲n̲n̲e̲c̲t̲i̲n̲g̲ ̲P̲o̲i̲n̲t̲s̲
The requirements concerning single failures and the
role of the SS&C have been discussed in section 3.4.2.
Further requirements are:
- the availability shall be at least 0.99995
- the MTBF shall be at least 2 years with a MTTR
not to exceed 1 hour.
The subsystem downtime or MTTR is of course no greater
than the largest MTTR of any unit, i.e. it is at most
one hour.
By assuming an MTTR of 1 hour and an MTBF of 2 years
the availability requirement is 0.99994, which is a
less strong requirement than the specific availability
requirement calling for 0.99995.
The lower limit for the MTTR is 1/2 hour corresponding
to the MTTR for redundant units each with an MTTR of
1 hour. In this case the availability requirement
is 0.99997 and this is now the stronger requirement.
This requirement is met.
The equipment configuration in question is presented
as the reliability block diagram A of section 3.4.2.
Refer to the tables 3.4.3.1-1 and 3.4.3.1-2 for the
availability calculations.
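The derivation of section 3.4.1, the second-order SS&C rule of section 3.4.2 and the MTBF/MTTR-to-availability conversion of this section, carried through in code. This is an added example and not part of the proposal: the block-diagram chain inside example_configuration() is constructed for illustration (figs. 3.4.2-6A/B are not reproduced on this page), the FPM values are copied from table 3.4.3-1, and D = MTTR = 1 hour for every unit as assumed in section 3.4.1 e).

```python
"""Availability arithmetic of section 3.4.1 applied to a constructed block diagram.

Added example, not part of the proposal.  The configuration in
example_configuration() is invented for illustration; the FPM values are
those of table 3.4.3-1 (failures per 10^6 hours) and D = MTTR = 1 hour for
every unit, as assumed in section 3.4.1 e).
"""
from __future__ import annotations

HOURS_PER_YEAR = 8760.0

# Subset of table 3.4.3-1: failure rate lambda in failures per 10^6 hours.
FPM = {
    "CPU+CACHE": 38.3, "RAM 128K": 58.8, "MAP": 51.6, "MIA": 11.7,
    "DISK CTRL": 33.1, "DISK DRIVE": 250.0, "POWER SUPPLY": 37.3,
    "FAN": 8.0, "MAINS FILTER": 1.6,
    "SS&C WD SUBSYSTEM": 128.5, "FLOPPY CTRL": 16.8, "VDU": 200.0, "PRINTER": 333.0,
}


def lam(*units: str) -> float:
    """Failure rate (per hour) of units wired in series: rates add."""
    return sum(FPM[u] for u in units) * 1e-6


def single_unit(lam_: float, d: float = 1.0) -> tuple[float, float]:
    """(U_s, D_s) of a non-redundant unit: U = 1/lambda, D = MTTR (3.4.1 b)."""
    return 1.0 / lam_, d


def redundant_pair(lam_: float, d: float = 1.0) -> tuple[float, float]:
    """(U_s, D_s) of a 1-of-2 redundant pair (3.4.1 c):
    U_s = (U^2 + 2UD) / 2D,  D_s = D/2,  so D_s/U_s ~ (D lambda)^2."""
    u = 1.0 / lam_
    return (u * u + 2.0 * u * d) / (2.0 * d), d / 2.0


def series_availability(elements: list[tuple[float, float]]) -> float:
    """Exact availability of a series chain: product of U_s/(U_s + D_s) (3.4.1 d)."""
    a = 1.0
    for u_s, d_s in elements:
        a *= u_s / (u_s + d_s)
    return a


def series_unavailability(elements: list[tuple[float, float]]) -> float:
    """First-order unavailability sum(D_s * lambda_s), lambda_s = 1/U_s (3.4.1 d)."""
    return sum(d_s / u_s for u_s, d_s in elements)


def availability_from_mtbf_mttr(mtbf_hours: float, mttr_hours: float) -> float:
    """A = U/(U + D) for a requirement stated as MTBF and MTTR."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def strongest_requirement(a_spec: float, mtbf_hours: float, mttr_hours: float = 0.5) -> float:
    """The stricter of the stated availability and the one implied by the MTBF
    requirement at the minimum MTTR (0.5 h for redundant units), as in 3.4.3.1."""
    return max(a_spec, availability_from_mtbf_mttr(mtbf_hours, mttr_hours))


def example_configuration(d: float = 1.0) -> dict[str, float]:
    """Constructed diagram-A-like chain (hypothetical): redundant PU, mirrored
    disk, redundant power supply, one fan cluster, one mains filter, SS&C term."""
    pu = redundant_pair(lam("CPU+CACHE", "RAM 128K", "MAP", "MIA"), d)
    disk = redundant_pair(lam("DISK CTRL", "DISK DRIVE"), d)
    psu = redundant_pair(lam("POWER SUPPLY"), d)
    fan = single_unit(lam("FAN"), d)
    mains = single_unit(lam("MAINS FILTER"), d)
    rest = [pu, disk, psu, fan, mains]
    d_lam_rest = series_unavailability(rest)
    # The SS&C (with watchdog VDU, printer and floppy) is only needed after
    # another failure (section 3.4.2): its contribution is D*lambda of the
    # SS&C times the unavailability of everything else, a second-order term.
    d_lam_ssc = d * lam("SS&C WD SUBSYSTEM", "FLOPPY CTRL", "VDU", "PRINTER")
    ssc_term = d_lam_ssc * d_lam_rest
    return {
        "A_exact_without_ssc": series_availability(rest),
        "A_approx": 1.0 - (d_lam_rest + ssc_term),
        "ssc_term": ssc_term,
    }


if __name__ == "__main__":
    r = example_configuration()
    print(f"constructed chain: A = {r['A_approx']:.7f}, SS&C term = {r['ssc_term']:.2e}")
    print("3.4.3.1 requirement:", round(strongest_requirement(0.99995, 2 * HOURS_PER_YEAR), 5))
```

The first-order sum and the exact product agree to well within the margin of interest, which is why the proposal can work purely with the $D\lambda$ terms; the SS&C product term is two orders of magnitude below the rest, confirming the argument of section 3.4.2.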
3.4.3.2 E̲q̲u̲i̲p̲m̲e̲n̲t̲ ̲S̲e̲r̲v̲i̲n̲g̲ ̲S̲u̲p̲e̲r̲v̲i̲s̲o̲r̲y̲ ̲a̲n̲d̲
S̲e̲r̲v̲i̲c̲e̲ ̲P̲o̲s̲i̲t̲i̲o̲n̲s̲
The requirements are:
- availability shall be at least 0.9999
- the MTBF shall be at least 1 year with an MTTR
not to exceed 1 hour
As in section 3.4.3.1 it is found that the availability
requirement corresponding to the minimum MTTR = 1/2
hour and the required MTBF of 1 year is the stronger
namely 0.99994. This requirement is met .
The equipment configuration in question is presented
as the reliability block diagram A of section 3.4.2
plus the equipment indicated by hatching in the diagram
fig. 3.4.3.2-1 (diagram B)
Table 3.4.3.2-1 proves the fulfilment of the requirement
for availability.
Table 3.4.3.1-1 Availability of Equipment Serving All External Channels and Local Terminal
Connecting Points.
Table 3.4.3.1-2 Availability of Equipment Serving All External Channels and Local Terminal/Connecting Points.
Fig. 3.4.3.2-1 Reliability Block Diagram B
Table 3.4.3.2-1 Availability for Equipment Serving Supervisory and Service
Positions
3.4.3.3 E̲q̲u̲i̲p̲m̲e̲n̲t̲ ̲S̲e̲r̲v̲i̲n̲g̲ ̲I̲n̲d̲i̲v̲i̲d̲u̲a̲l̲
U̲s̲e̲r̲ ̲C̲o̲n̲n̲e̲c̲t̲i̲n̲g̲ ̲P̲o̲i̲n̲t̲s̲
The requirements are:
- availability shall be at least 0.9995
- the MTBF shall be at least 3 months with a MTTR
not to exceed 40 minutes.
The equipment configuration in question is presented
as the reliability block diagram A of section 3.4.2
plus the equipment indicated by hatching in the diagram
fig. 3.4.3.3-1 (diagram B).
The dominant contributors to the MTBF are seen to be
the units in diagram B. As already mentioned in section
3.4.1, the MTTR of 1 hour is a conservative assumption:
each of the equipment units supporting the user connecting
point in diagram B will be replaceable within 40 minutes.
Also in this case it is found that the specific availability
requirement is easier to meet than the availability
derived from the MTBF requirement and the minimum
MTTR of 1/2 hour, namely 0.9998.
Refer to table 3.4.3.3-1 for proof of the fulfilment
of the requirement for availability.
Fig. 3.4.3.3-1 Reliability Block Diagram B
Table 3.4.3.3-1 Availability for Equipment Serving User connecting points.
3.4.3.4 E̲q̲u̲i̲p̲m̲e̲n̲t̲ ̲S̲e̲r̲v̲i̲n̲g̲ ̲I̲n̲d̲i̲v̲i̲d̲u̲a̲l̲ ̲E̲x̲t̲e̲r̲n̲a̲l̲ ̲C̲h̲a̲n̲n̲e̲l̲s̲
The requirements are
- availability shall be at least 0.9995
- The MTBF shall be at least 3 months with a MTTR
not to exceed 40 minutes.
The equipment configuration in question is presented
as the reliability block diagram A of section 3.4.2
plus the equipment indicated by hatching in the diagram
fig. 3.4.3.4-1 (diagram B).
Concerning the specific requirements for MTBF and for
MTTR the same remarks as in section 3.4.3.3 shall apply.
The requirement for availability is again 0.9998.
Refer to table 3.4.3.4-1 for proof of the fulfilment
of the requirement for availability.
Fig. 3.4.3.4-1 Reliability Block Diagram B.
Table 3.4.3.4-1 Availability for Equipment serving individual External
Channels.
3.4.3.5 E̲q̲u̲i̲p̲m̲e̲n̲t̲ ̲S̲e̲r̲v̲i̲n̲g̲ ̲G̲r̲o̲u̲p̲s̲ ̲o̲f̲ ̲E̲x̲t̲e̲r̲n̲a̲l̲ ̲C̲h̲a̲n̲n̲e̲l̲s̲
The requirements are:
- it shall be possible to divide the outgoing and
incoming external channels into at least two groups
so that no single failure shall cause the loss
of more than one such group.
- the availability of the equipment serving any group
shall be at least 0.9999
- the MTBF of the equipment serving any group shall
be at least 1 year with an MTTR not to exceed 1
hour.
Fig. 3.4.2-5 displays the solution to the first requirement:
each of the following sets of external channels (Broadcast,
TRC plus MRL, and S/S, with the corresponding monitor
lines to the MCUs) has been divided into two groups.
A single failure (say in an LTU) can result in the
loss of at most half of the channels of only one of the
above sets.
Fig. 3.4.3.5-1 (diagram B) presents the reliability
block diagram for the equipment (hatched) specific
for this case, the general equipment being presented
in fig. 3.4.2-6A (diagram A). From diagram B it is
deduced that no single failure above the level of the
LTUs shall cause failure of the groups, i.e. half of
the external channels of one set (refer to the discussion
in section 3.4.2).
The specific requirements for MTBF and MTTR are with
a minimum MTTR of 1/2 hour, equivalent to an availability
of 0.99994. This requirement - which is stronger than
the specific availability requirement - is met.
Refer to table 3.4.3.5-1 for proof of the fulfilment
of the availability requirement.
Fig. 3.4.3.5-1 Reliability Block Diagram B
Table 3.4.3.5-1 Availability for Equipment Serving Groups of External
Channels.
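The two requirements of section 3.4.3.5 (each set split into at least two groups, and no single failure taking down more than one group) as an automated check over a channel-to-unit assignment. This is an added example and not the proposal's own material: the assignment below is constructed, since fig. 3.4.2-5 is not reproduced on this page, and the unit labels LTU-n and LIA-n are hypothetical.

```python
"""Single-failure check for the channel grouping of section 3.4.3.5.

Added example, not part of the proposal.  The channel-to-LTU assignment is
constructed for illustration; the unit names LTU-n / LIA-n are hypothetical.
"""
from __future__ import annotations

from collections import defaultdict

# channel -> (channel set, group number, units the channel depends on)
Assignment = dict[str, tuple[str, int, list[str]]]

GOOD: Assignment = {  # constructed: two groups per set, one dual LTU per group
    "BC-1":  ("Broadcast", 1, ["LTU-1", "LIA-1"]),
    "BC-2":  ("Broadcast", 1, ["LTU-1", "LIA-1"]),
    "BC-3":  ("Broadcast", 2, ["LTU-2", "LIA-2"]),
    "BC-4":  ("Broadcast", 2, ["LTU-2", "LIA-2"]),
    "TRC-1": ("TRC+MRL",   1, ["LTU-3", "LIA-3"]),
    "MRL-1": ("TRC+MRL",   1, ["LTU-3", "LIA-3"]),
    "TRC-2": ("TRC+MRL",   2, ["LTU-4", "LIA-4"]),
    "MRL-2": ("TRC+MRL",   2, ["LTU-4", "LIA-4"]),
    "SS-1":  ("S/S",       1, ["LTU-5", "LIA-5"]),
    "MON-1": ("S/S",       1, ["LTU-5", "LIA-5"]),  # monitor line to an MCU
    "SS-2":  ("S/S",       2, ["LTU-6", "LIA-6"]),
    "MON-2": ("S/S",       2, ["LTU-6", "LIA-6"]),
}

# Constructed faulty variant: a group-2 line is wired through the group-1 LTU.
BAD: Assignment = dict(GOOD)
BAD["MRL-2"] = ("TRC+MRL", 2, ["LTU-3", "LIA-3"])


def groups_lost_per_unit(assignment: Assignment) -> dict[str, set[tuple[str, int]]]:
    """For every unit, the (set, group) pairs that lose at least one channel
    when that single unit fails."""
    lost: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for cset, group, units in assignment.values():
        for unit in units:
            lost[unit].add((cset, group))
    return dict(lost)


def single_failure_violations(assignment: Assignment) -> dict[str, list[tuple[str, int]]]:
    """Units whose single failure would take down more than one group."""
    return {u: sorted(g) for u, g in groups_lost_per_unit(assignment).items() if len(g) > 1}


def sets_with_fewer_than_two_groups(assignment: Assignment) -> list[str]:
    """Channel sets that are not split into at least two groups."""
    groups: dict[str, set[int]] = defaultdict(set)
    for cset, group, _ in assignment.values():
        groups[cset].add(group)
    return sorted(c for c, g in groups.items() if len(g) < 2)


def meets_grouping_requirement(assignment: Assignment) -> bool:
    """True iff both requirements of section 3.4.3.5 hold for the assignment."""
    return (not single_failure_violations(assignment)
            and not sets_with_fewer_than_two_groups(assignment))


if __name__ == "__main__":
    for name, a in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "ok" if meets_grouping_requirement(a) else
              f"violations: {single_failure_violations(a)}")
```

The check is deliberately per unit rather than per channel: what matters for the requirement is the set of groups that share any one replaceable unit, so a dual LTU carrying lines from two groups is flagged even though each individual line is still redundant at the group level.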
3.4.3.6 D̲e̲g̲r̲a̲d̲e̲d̲ ̲M̲o̲d̲e̲s̲ ̲&̲ ̲S̲y̲s̲t̲e̲m̲ ̲D̲e̲g̲r̲a̲d̲a̲t̲i̲o̲n̲
The system may be brought in a degraded mode for the
following reasons:
- repair as a result of failure, i.e. replacement
of modules
- test of part of the equipment during diagnostic
phases
- parts of equipment are made unoperational for maintenance
purposes
- test of new s/w using parts of the equipment
- training and exercises using part of the equipment.
Fig. 3.4.3.6-1 and -2 present the reliability block
diagrams for one of the minimum operational configurations,
the corresponding availability being calculated in tables
3.4.3.6-1 to -3.
The system is brought back to a fully configured state
from the engineering position at the SS&C, (refer to
section 4.6.2.6 for a further description).
Redundant items which are temporarily taken out of
operation but still fully serviceable if used may be
brought back into operation within 5 minutes.
An even more degraded configuration may exist where
the SS&C control is without the Watchdog: In this case
the engineering position VDU is connected directly
to the MAP of the PU.
It is seen that the system despite the degradation
of configuration has all the units necessary for normal
operations although degraded performance may be experienced
as discussed below.
The system is designed in such a manner (S/W and H/W)
that the occurrence of a single failure in a unit,
which may be withdrawn from operation as discussed
above, shall not disrupt further operation.
Degraded performance under high traffic load conditions
may be experienced if one mirrored disk is withdrawn
from operation. By means of control via SS&C, however,
it is possible to close down in a controlled manner
the external channel connections to adjust the traffic
load. The S/W will, in case of a disk error, provide
the traffic accounting necessary to restore the information
of not fully received messages and transactions and
to reissue information not fully transmitted.
Similar situations may arise in case of a PU failure,
which are solved in the same way (including switchover,
etc.).
Refer to section 4.6.2.6 for further discussion of
the above subject.
Fig. 3.4.3.6-1 Availability Block Diagram A.
Fig. 3.4.3.6-2 RELIABILITY BLOCK DIAGRAM B
Table 3.4.3.6-1 Availability of the Minimum Operational Configuration for Supervisor
Position.
Table 3.4.3.6-2 Availability of the Minimum Operational Configuration for User
Position (MCSF)
Table 3.4.3.6-3 Availability of the Minimum Operational Configuration for External
Channel Group.
3.4.3.7 S̲p̲e̲c̲i̲f̲i̲c̲ ̲M̲T̲B̲F̲ ̲a̲n̲d̲ ̲D̲o̲w̲n̲t̲i̲m̲e̲ ̲R̲e̲q̲u̲i̲r̲e̲m̲e̲n̲t̲s̲
It is important to note that the downtime specified
here is different from the MTTR, which is the downtime
per failure. The downtime specified in the following
requirements is the accumulated downtime over a certain
period.
The following specific requirements for MTBF and downtime
have been stated in the IFB. The compliance is described
for each case.
- MPF central processor MTBF shall be at least 10,000
hours. The downtime shall not exceed 8 hours per
year.
The MPF central Processor corresponds to the case
discussed in section 3.4.3.1. The MTBF is found
from the following formula (refer section 3.4.1):
MTTR/MTBF = 1 - A = 11 x 10^-6.
The availability is found from table 3.4.3.1-1:
A = 0.999989
Since the MTTR is never less than 1/2 hour (redundant
units) the result is:
MTBF = 45,450 hours.
Since the MTTR per failure does not exceed 1 hour and
the MTBF is much more than 1 year the downtime requirement
is fulfilled as well.
- the PRINTERS shall have a MTBF of at least 3000
hours and the downtime shall not exceed 30 minutes
per month.
These figures will be fulfilled.
- The VDUs shall have a MTBF of at least 5000 hours
and the downtime shall not exceed 30 minutes per
month.
These figures will be fulfilled.
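The availability arithmetic behind sections 3.4.3.5 and 3.4.3.7, as an added example that is not part of the proposal: it uses the proposal's formula MTTR/MTBF = 1 - A together with the exact A = MTBF/(MTBF + MTTR), and adds the series/parallel combination rules for a reliability block diagram. The block-diagram figures at the end are constructed, not taken from the tables.

```python
"""Availability checks for MTBF / MTTR / accumulated-downtime requirements."""

HOURS_PER_YEAR = 8760.0
HOURS_PER_MONTH = HOURS_PER_YEAR / 12.0


def availability(mtbf_h: float, mttr_h: float) -> float:
    """Exact steady-state availability of one repairable unit."""
    return mtbf_h / (mtbf_h + mttr_h)


def mtbf_from_availability(a: float, mttr_h: float) -> float:
    """Invert the proposal's approximation MTTR/MTBF = 1 - A (A close to 1)."""
    return mttr_h / (1.0 - a)


def downtime_hours(a: float, period_h: float) -> float:
    """Accumulated downtime over a period (not the MTTR, which is per failure)."""
    return (1.0 - a) * period_h


def series(*avail: float) -> float:
    """Blocks that are all needed: availabilities multiply."""
    p = 1.0
    for a in avail:
        p *= a
    return p


def parallel(*avail: float) -> float:
    """Redundant blocks, any one sufficient: 1 - product of unavailabilities."""
    q = 1.0
    for a in avail:
        q *= 1.0 - a
    return 1.0 - q


def meets_requirement(mtbf_h, mttr_h, min_mtbf_h, max_downtime_h, period_h) -> bool:
    """IFB-style test: minimum MTBF and a downtime ceiling per period."""
    a = availability(mtbf_h, mttr_h)
    return mtbf_h >= min_mtbf_h and downtime_hours(a, period_h) <= max_downtime_h


if __name__ == "__main__":
    # Group requirement: MTBF 1 year, minimum MTTR 1/2 hour -> A = 0.99994
    print(round(availability(HOURS_PER_YEAR, 0.5), 5))
    # MPF central processor: A = 0.999989 with MTTR 1/2 hour -> MTBF about 45,450 h
    print(round(mtbf_from_availability(0.999989, 0.5)))
    # Constructed diagram: redundant pair (A = 0.999 each) in series with one block of 0.9995
    print(series(parallel(0.999, 0.999), 0.9995))
```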
3.4.4 S̲T̲E̲ ̲a̲n̲d̲ ̲S̲/̲W̲ ̲F̲a̲i̲l̲u̲r̲e̲ ̲R̲a̲t̲e̲s̲
Section 7.2.4 presents the STE (Standard Test Environment).
The S/W defects will be monitored as part of the A&R
program plan. Tests for the assessment of the S/W
failure rates in terms of Mean Time Between Detection
of Software Defects (MDSD) shall be conducted using
the STE as described in section 7.2.5.2.
3.4.5 A̲&̲R̲ ̲A̲n̲a̲l̲y̲s̲i̲s̲ ̲
The A&R analysis shall provide the figures for unit
reliabilities to be used in availability calculations
as presented in section 3.4.3. The method adopted
for the analysis is discussed in section 7.2.5.1.
3.5 M̲A̲I̲N̲T̲A̲I̲N̲A̲B̲I̲L̲I̲T̲Y̲ ̲
The maintenance policy to be adopted for the MS subsystem
will be in full compliance with the IFB. Section 6.3
will contain a description of maintenance.
3.6 S̲E̲C̲U̲R̲I̲T̲Y̲
The system will comply with the security requirements
of the IFB. This section highlights the security features
as requested in the IFB sect. 4.7.
3.6.1 C̲o̲m̲m̲u̲n̲i̲c̲a̲t̲i̲o̲n̲s̲ ̲a̲n̲d̲ ̲E̲l̲e̲c̲t̲r̲i̲c̲a̲l̲ ̲E̲q̲u̲i̲p̲m̲e̲n̲t̲
3.6.1.1 M̲P̲F̲
The MPF will be implemented to provide processing,
handling and transmission of classified information.
The MPF processors and line termination units are
all placed inside an EMI shielded room.
Data transfer to equipment outside the shielded room
will be compliant with the AMSG 719B.
The equipment of the MPF is very similar to that of
the CAMPS system which is designed to comply with the
TEMPEST requirements.
So an upgrade of the MPF to a TEMPEST solution can
be made without changing the basic hardware that constitutes
the non-TEMPEST MPF.
TEMPEST approval will require the following changes
to the configuration:
1) Replacement of the rack-cabinet with standard CAMPS
racks.
2) Addition of filter-boxes
3) Special TEMPEST shielding of the disc-drives outside
the racks and their connections to the racks.
4) Use of TEMPEST VDUs and MSPs (ref. sec. 8.1,
and sec. 4.3.5.2).
Maintenance and diagnostics will be performed on-site
and confined to the red area.
3.6.1.2 E̲q̲u̲i̲p̲m̲e̲n̲t̲ ̲O̲u̲t̲s̲i̲d̲e̲ ̲t̲h̲e̲ ̲M̲P̲F̲ ̲R̲o̲o̲m̲
The MCSF work station (VDU, printer) will be connected
to the MPF via optical fibre cables and will meet the
NATO Radiation Standard.
3.6.1.3 I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲o̲f̲ ̲C̲r̲y̲p̲t̲o̲g̲r̲a̲p̲h̲i̲c̲ ̲E̲q̲u̲i̲p̲m̲e̲n̲t̲
The proper low level interface between the MPF and
NICS TARE and the cryptographic equipment will be supplied.
3.6.1.4 S̲e̲c̲u̲r̲e̲ ̲W̲i̲r̲i̲n̲g̲
Cables, specifications and samples as required will
be supplied.
3.6.1.5 P̲o̲w̲e̲r̲ ̲S̲u̲p̲p̲l̲y̲ ̲F̲i̲l̲t̲e̲r̲i̲n̲g̲
Filtering will not affect the proper functioning of
the MPF.
3.6.1.6 I̲n̲s̲t̲a̲l̲l̲a̲t̲i̲o̲n̲ ̲D̲r̲a̲w̲i̲n̲g̲s̲ ̲a̲n̲d̲ ̲E̲q̲u̲i̲p̲m̲e̲n̲t̲ ̲L̲i̲s̲t̲s̲
These specifications will be supplied as required and
are further specified in section 6.1.
3.6.1.7 I̲n̲s̲t̲a̲l̲l̲a̲t̲i̲o̲n̲ ̲I̲n̲s̲p̲e̲c̲t̲i̲o̲n̲
The site installation planning will make provision
for inspection by the ACE COMSEC staff.
3.6.2 G̲r̲a̲d̲i̲n̲g̲ ̲o̲f̲ ̲C̲l̲a̲s̲s̲i̲f̲i̲e̲d̲ ̲I̲n̲f̲o̲r̲m̲a̲t̲i̲o̲n̲
The MPF will be designed to recognize and handle
the five security classification categories.
In addition, the basic design will from the outset
allow for 20 different special handling designators
including L, B, P, Y, D, and A.
3.6.3 C̲o̲n̲t̲r̲o̲l̲ ̲o̲f̲ ̲O̲u̲t̲p̲u̲t̲s̲
The supervisor will be able to monitor all security
requirements related to control of outputs ref. IFB,
par. 5.1.2.4.
Procedures for identification of printouts and RSM
will be provided and will be based on the principles
given in the following sub-sections.
3.6.3.1 I̲d̲e̲n̲t̲i̲f̲i̲c̲a̲t̲i̲o̲n̲ ̲o̲f̲ ̲P̲r̲i̲n̲t̲o̲u̲t̲s̲
The pages will be identified as required in the IFB,
para 4.7.3.1, with the following logical limitations:
Ad e) All events determining the contents of a log
report, for example, may not yet have happened
at the printout start time, so the total number
of pages can not always be known then.
Ad d.5) The use of multilayer stationery is outside
the control of the system.
3.6.3.2 R̲e̲m̲o̲v̲a̲b̲l̲e̲ ̲S̲t̲o̲r̲a̲g̲e̲ ̲M̲e̲d̲i̲a̲ ̲(̲R̲S̲M̲)̲
Units of removable storage such as removable disk packs
are controlled logically by specific supervisor commands
(mount, dismount). Thus, units cannot be accessed by
the operational system without the consent of the supervisor.
3.6.4 S̲e̲c̲u̲r̲i̲t̲y̲ ̲a̲s̲p̲e̲c̲t̲s̲ ̲o̲f̲ ̲S̲y̲s̲t̲e̲m̲ ̲D̲e̲s̲i̲g̲n̲
3.6.4.1 H̲a̲r̲d̲w̲a̲r̲e̲
a) Non-assigned instructions will cause a trap.
b) Hardware supported user mode/privileged mode with
16 privilege levels.
Privileged instructions can be executed only when
processing under DAMOS control.
Hardware protected addressing boundaries for each
process.
Memory bound violation or illegal use of a privileged
instruction will cause an interrupt of the highest
priority.
c) MPF-terminals, including the MCSF terminal are
provided with key switches where the key can only
be removed when the terminal is switched off.
d) All MPF-hardware is individually addressable by
the central processor.
Yet the system may be reconfigured to establish
for example, a degraded mode configuration consisting
of two separate systems where all hardware is individually
addressable by the PU to which it is assigned and
where the two systems are isolated from each other.
Moreover, all hardware units are directly, individually,
and periodically monitored by the Watchdog via
the Configuration Control Bus.
e) RAM memory for multiple users is erased prior to
allocation in case of reload, change of mode, etc.
Facilities exist for purging memory locations previously
used for highly sensitive message categories.
f) A general, centralized addressing mechanism is
used whenever objects external to a user process
are referred to.
Object descriptors are used for the indirect addressing
of objects like Processes, Synchronization Elements,
Memory segments, Devices, PUs, CPUs, and Ports.
These objects are furnished with
- A̲ ̲c̲a̲p̲a̲b̲i̲l̲i̲t̲y̲ ̲v̲e̲c̲t̲o̲r̲
to indicate explicitly the operations a process
may perform on the object.
- A̲ ̲s̲e̲c̲u̲r̲i̲t̲y̲ ̲c̲l̲a̲s̲s̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
A general centralized access authorization mechanism
is employed, where the capability and security
level of the object is compared with that of the
subject (the process).
g) The security policy is based on a multilevel, multicompartment
security system.
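The object-descriptor check of item f) and the multilevel, multicompartment policy of item g), as an added example that is not part of the proposal or of DAMOS. The five levels are constructed (L0 to L4), the compartments are the special handling designators named in section 3.6.2, and the read/write direction rules (subject dominates object to read, object dominates subject to write) are an assumption; the proposal only states that capability and security level are compared.

```python
from dataclasses import dataclass

# Constructed: five ordered classification levels and the designators from sec. 3.6.2.
LEVELS = {"L0": 0, "L1": 1, "L2": 2, "L3": 3, "L4": 4}
DESIGNATORS = {"L", "B", "P", "Y", "D", "A"}


@dataclass(frozen=True)
class Label:
    """Security classification: an ordered level plus a set of designators."""
    level: int
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        """Multilevel, multicompartment comparison."""
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass(frozen=True)
class ObjectDescriptor:
    """Indirect handle to a process, segment, device, port, ... carrying its
    capability vector (permitted operations) and its classification."""
    name: str
    capability: frozenset
    label: Label


def make_label(level: str, *designators: str) -> Label:
    unknown = set(designators) - DESIGNATORS
    if unknown:
        raise ValueError(f"unknown designators: {sorted(unknown)}")
    return Label(LEVELS[level], frozenset(designators))


def authorize(subject: Label, obj: ObjectDescriptor, op: str):
    """Centralized access authorization: returns (allowed, reason).
    Assumed rules: op must be in the capability vector; a read needs the subject
    to dominate the object; a write needs the object to dominate the subject."""
    if op not in obj.capability:
        return False, f"{op} not in capability vector of {obj.name}"
    if op == "read" and not subject.dominates(obj.label):
        return False, f"subject clearance does not dominate {obj.name}"
    if op == "write" and not obj.label.dominates(subject):
        return False, f"write-down to {obj.name} refused"
    return True, "ok"


# Constructed sample objects.
SEGMENT = ObjectDescriptor("segment-7", frozenset({"read", "write"}), make_label("L2", "B"))
PORT = ObjectDescriptor("port-3", frozenset({"read"}), make_label("L1"))
```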
3.6.4.2 S̲o̲f̲t̲w̲a̲r̲e̲
a) Primary Memory is parity protected and Cyclic Redundancy
Check is used for data on disks.
b) Access to MPF data files is via system calls which
pass through the inherent access control and security
check mechanisms.
Further, a set of service systems is provided
by the special system software packages to provide
a simple and secure interface for the application
packages.
c) Recovery procedures will include check-summing
of the operational system software and reloading
if necessary.
d) A system integrity check can be initiated upon
supervisor request. The program will run as a
low priority background job.
3.6.4.3 O̲p̲e̲r̲a̲t̲i̲o̲n̲a̲l̲ ̲S̲e̲c̲u̲r̲i̲t̲y̲
For this aspect refer to para 2.9.
3.7 G̲r̲o̲u̲n̲d̲i̲n̲g̲
The internal distribution and proper connections to
the ground terminals will be provided as required in
the IFB.
3.8 P̲e̲r̲s̲o̲n̲n̲e̲l̲ ̲S̲a̲f̲e̲t̲y̲
3.8.1 G̲e̲n̲e̲r̲a̲l̲
The equipment will incorporate all necessary guards
to ensure personnel safety.
3.8.2 M̲e̲c̲h̲a̲n̲i̲c̲a̲l̲ ̲H̲a̲z̲a̲r̲d̲s̲
a) Moving parts will be properly shielded.
b) There will be no projecting or overhanging edges
that imply a hazard to personnel. Edges and corners
will be rounded.
3.8.3 E̲l̲e̲c̲t̲r̲i̲c̲a̲l̲ ̲H̲a̲z̲a̲r̲d̲s̲
a) All necessary safeguards against hazards will be
employed. The equipment will be designed for ease
of access and will allow two persons to be present
during maintenance tasks.
b) A large percentage of the PCBs may be replaced
without the use of tools. However, high tension
voltage parts will only be accessible by deliberate
action and will further require the use of a special
key. Signs, etc. with the relevant warnings will
be included.
c) All units will be properly grounded.
d) At the operational equipment, personnel will be
protected from contact with potentials higher than
30 Volts.
e) Potentials higher than 50 (fifty) Volts will be
warned against by means of an appropriate warning
label.
3.8.4 F̲u̲s̲i̲n̲g̲
a) The individual units will be adequately protected
by fusing devices.
b) All circuit breakers will be readily accessible,
and fuse failure will be visually identifiable.
c) Fuses will not be used in ground and neutral wires.
d) The main fuses for each rack are resettable. The fuses
comprise an adequate mixture of resettable and non-resettable
fuses.
3.8.5 N̲a̲t̲i̲o̲n̲a̲l̲ ̲S̲a̲f̲e̲t̲y̲ ̲R̲e̲g̲u̲l̲a̲t̲i̲o̲n̲s̲
The installations will comply with the relevant National
Safety regulations.