Reliability techniques for flight systems by Heffner, P.
X-560-70-323 
PREPRINT, 
NASA TMX- bs3o9 
RELIABILITY TECHNIQUES
 
FOR FLIGHT SYSTEMS
 
PAUL HEFFNER.-
APRIL 1970 0, 
GODDARD SPACE FLIGHT CENTER 
GREENBELT, MARYLAND 
(ACCESSION NUMBER) (THT 
(NASA CR OR TMX OR AD NUMBER) (CATEGORY) Reproduced by 
NATIONAL TECHNICAL 
INFORMATION SERVICE 
Spnngfiold, Va. 22151 
https://ntrs.nasa.gov/search.jsp?R=19700027642 2020-03-23T18:55:07+00:00Z
X-560-70-323
 
RELIABILITY TECHNIQUES
 
FOR FLIGHT SYSTEMS
 
by
 
Paul Heffner
 
April 1970
 
Information Processing Division
 
Tracking and Data Systems Directorate
 
Goddard Space Flight Center
 
Greenbelt, Maryland
 
E OT FILMED.RGAGE BLANKNIPREGEDIU 
CONTENTS
 
Page 
ABSTRACT .......................................... v
 
PART I-COMPARING TECHNIQUES OF REDUNDANCY ............ 1
 
INTRODUCTION ............................ ..... ......... 

PARALLEL REDUNDANCY................................... 3
 
1
 
SUBDIVIDING............................................. 12
 
COLUMNIZING ................................. ... 15
 
SUMMARY ....................................... .. 20
 
PART 2-APPLYING REDUNDANCY TO EXISTING SUBSYSTEMS ..... 25
 
25INTRODUCTION ...................................... 

CPU AND I/O RELIABILITY ............................. 26
 
MEMORY RELIABILITY ................................ 29
 
CONCLUSION .. ...................................... 38
 
References ......................................... 40
 
APPENDIX A-Choice of P(S) ............................ 41
 
APPENDIX B-Support Curves ............................ 43
 
iii 
FILMED. 
- AGE BLANK NOT 
RELIABILITY TECHNIQUES 
FOR FLIGHT SYSTEMS 
by 
Paul Heffner 
Goddard Space Flight Center 
ABSTRACT 
When high reliability is required for a spacecraft electronic system, it is 
desirable to have a good perspective of various approaches to redundancy during 
both conceptual and design phases. The intent of this document is to contribute to 
such a perspective. The document is divided into two parts. Part 1 is a result 
of a generalized study, and Part 2 is one of application to a real system. 
In Part 1, three fundamental techniques of applying redundancy are dis­
cussed. The discussion for each technique leads to the development of resultant 
curves that show the improvement given by that technique over one that u~es only 
a simplex system. Each of these curves is plotted against the number of addi­
tional circuits required to implement the redundancy. Finally, as a conclusion 
to Part 1, the three techniques are compared to each other by reviewing their 
with consideration given to the implementationmission-lifetime improvements, 

penalty of additional circuits. For the various techniques, -certain general con­
ditions had to be made and maintained throughout the discussions to allow for rea­
sonable comparisons. The conditions used for these comparisons are included.
 
In Part 2, some application work involving improving the reliability of an 
existing system is given. The system is the On-Board Processor, a spacecraft 
computer for the Orbiting Astronomical Observatory. This part provides for a 
deviation from the generalized discussions of Part 1 and for further insight into 
the potential mission-lifetime benefits afforded by redundancy. 
v 
IABIL4 1TECHj QUESrITIT SYST!EMS 
PART 1
 
COMPARING TECHNIQUES OF REDUNDANCY
 
INTRODUCTION 
Redundancy techniques are investigated when a need develops to improve a 
given system's reliability, or, in other words, when a need develops for extend­
ing the lifetime -of a system for a given degree of confidence. Initially, the 
elements that make up the system will have been selected with consideration of 
their individual failure rates, or, their mean-time-between-failures (MTBF). 
Tradeoffs among power, size, weight, utility, bandwidth, availability, cost, 
etc., will have been made along with reliability considerations during the se­
lection of components, modules, parts, and assembly. Reliability then suffers 
because of other equally important factors. Therefore, it is not unusual for a 
simplex system to have a reliability that is less than desirable. * 
When redundancy is considered, numerous tradeoffs require a perspective 
of the various techniques. This document considers three general redundancy 
techniques for improving system reliability: (1) paralleling, (2) subdi­
viding, and (3) oolumnizing. These techniques will be discussed separately and 
*The simplex system is defined to be a system in which any single-point failure will cause a failed 
system. In reality, many failures within a system will cause a degraded system rather than a useless sys­
tem. For a given specified system, a great deal of qualification is required when this consideration is 
brought into discussion. When general techniques are compared, the simplex system condition given first 
is appropriate. 
1 
then compared. All three techniques may not be choices available to the designer 
for all typ6s of systems. 
Each technique can be divided into three categories: (1) "active" (or "hot") 
redundancy, (2) standby "tepid" redundancy, and (3) standby "cold" redundancy. 
A powered-on system in standby is said to be active, and its failure rate is the 
same whether it is "in the loop" or not. A tepid system, when powered off, has 
a smaller (but not zero) failure rate than its powered-on failure rate. A cold 
system has a failure rate of zerowhen powered off (an unrealistic case-yet a 
useful consideration). In the following discussions, all "in-the-loop" powered­
on systems have elements with the same failure rate as the original main system 
(that failed). 
Further, it is assumed (1) that the system is composed of homogeneous ele­
ments (so far as reliability is concerned), (2) that additions or modifications to 
the system to effect redundancy are made with elements of similar reliability, 
-and (3) that these elements are equally distributed on each unit used in-re­
dundancy, including the main operating unit. * These assumptions are not wholly 
realistic, but they allow for reasonable comparisons between general approaches, 
as will be shown. 
The word "unit", used throughout the discussions, could represent a system, 
subsystem, or a smaller functional unit. The word "circuit" isalso used 
*For the technique of columnizing, a further condition is stipulated. It is discussed in tat section of the
 
paper. .
 
2 
throughout the discussion; it could be any "element" such as a circuit chip and 
its average number of wiring contacts-again, as long as it can be assunmedthat 
all elements are alike regarding reliability. 
All reliability calculations leading to the resultant curves were based on 
models whose elements have constant failure rates when powered on. A simplex 
system made up of such elements exhibits a reliability curve that is exponential 
with time. 
PARALLEL REDUNDANCY 
The first of the three techniques that will be discussed is parallel redundancy, 
as shown in Figure 1.. 
con­The.original simplex unit, before being placed in parallel redundancy, 

tains n circuits (k = 1) and exhibits the familiar exponential reliability curve
 
given-by (t) = e with Xequal to the failure rate of each circuit (or ele­
ment). The system failure rate is nX, and the system MTBF is I/n? . This
 
kn k kn MAIN 
CKTS CKTS UNIT* 
SjCkkn_ REDUNDANT 
SCKTS UNITS 
(a) kn CKTS knCT 
CKTS 
*Main unit: k = I prior to applying redundancy 
(c) 
Figure 1-Parallel redundancy employing one, two, and three additional units. 
3 
curve is plotted in Figure, 2, curve A. It conveys that there is only a 37-percent 
probability for the system to operate without failure for a period of time equal 
to the system's MTBF. The probability that the system will operate success­
fully for 0.11 times its MTBF is 0.9. For example, if a simplex system is to 
have a 90-percent probability of operating without failure for 1 year, it should 
have a MTBF of at least 9.1 years. 
=0.38 
0.9P(S) --90% (2) ACTIVE PARALLEL REDUNDANCY FOR TOTAL 
~OF TWO UNITS (CURVES B, C, D, E) 
.I t PROBABILITY OF MISSION SUCCESS FOR TIME t FOR­
0.7 t= O 'l 74 " 
PI S/4,S0.6- Oif 
-o.* 12 
I II 
0.1 0.2 0.4 0.8 SIMPLEX 1.2 1.4 16r' - NVP37%~ (S t / 
n~t MTBF 
Figure 2-Active parallel redundancy for one unit in standby. 
System reliability, when using one additional urnit in active redundancy, for 
which there would be 2n circuits in all is given as 
where 
4
 
and. 
k= ratio of the number of.circuits in each unit for the redundant system, 
to the number of circuits in the original simplex unit. 
A plot of this is given by curve B in Figure 2. Assuming the criterion for 
mission lifetime is based on a 90-percent probability of success fP(S)I, the 
system will operate without failure for 0.38 of the simplex MTBF, thus provid­
ing a gain of 3.45 in mission lifetime. * 
Realistically, there is a penalty in the way of additional circuits necessary 
to implement the total system so that more than precisely 2n circuits will be re­
quired. For a large unit, the percentage is likely to be small. Curve C gives 
the reliability of a system when each of the two parallel units contain 10 percent 
more circuits (k = 1. 1) so that the total system has 120 percent more circuits 
than the simplex unit. Similarly, curve D gives the reliability for' 1$ = 1. 5, or 
200 percent more circuits than simplex. For a small simplex unit, the per­
centage of additional circuits is likely to be high. To apply redundancy to one 
logic gate, as an extreme example, may require three additional circuits, or a 
300-percent increase over the simplex gate. Curve E is plotted for this case, 
where l = 2. The reliability return begins to diminish as the circuit penalty 
increases. From this small family of curves for active parallel redundancy 
when employing a total of two units, a more meaningful curve can beplotted. 
In Figure 3, the total system gain in mission lifetime, relative to the 
simplex unit, where lifetime is based on the 90-percent probability of success, 
*See Appendix A for a discussion of mission lifetime gain as a function of different choices of P(S). 
5"
 
0 
-
to
 
0
 
z 
0 120 200 300 
INCREASE IN CKTS RELATIVE TO SIMPLEX (%) 
Figure 3-One unit in active standby. 
is plotted against the percentage of additional circuits used to implement re­
dundancy. For example, the mission lifetime can be increased threefold over 
that of the simplex unit if the implementation of one additional parallel and 
switchable unit does not require more than 125 percent more circuits. 
An upper bound on reliability improvement through the use of spare ufnits is 
provided by the same analysis but with the assumption of "cold redundancy." 
Here a unit is powered off when it is not in use, and its failure rate is assumed 
to be zero until turned on. When using one additional unit in cold standby, 
system reliability is expressed as 
R(t) = e'k(i + kr), 
6 
where 
r = nAt 
and 
= ratio of the number of circuits in each unit for the redundant system, to 
the number of circuits in the original simplex unit. 
A family of reliability curves for this case is shown in Figure 4. Four 
curves are given for k = 1, 1. 1, 1. 5, and 2. This represents a system increase 
in circuits of 100, 120, 200, and 300 percent, respectively. Figure 5 gives the 
mission lifetime gain relative to simplex for F(S) = 90 percent. 
For the more realistic case, where a powered-off unit does have some 
failure rate (but less than the powered-on unit), the relationship for T"tepid 
1.0 
0.9 
0.8 1009 
0.7 

0.4 -0/ 
0.3 
)ON0.2 
PROBABILITY OF MISSION SUCCESS FOR TIME t FOR 
COLD STANDBY PARALLEL REDUNDANCY FOR A 
0.1] TOTAL OF TWO UNITS 
LI I I I. I - I 
0.2 0.4 0.6 0.8 1.0 SIMPLEX
nA t MTBF 
1.2 1.4 1.6 
Figure 4-Cold parallel standby redundancy for one unit in standby. 
7 
Xi
 
0­
0 
>-

Ii 
0U­ 2 
L­
z 
0 
z 
z 
160 120 200 
INCREASE IN CKTS RELATIVE TO SIMPLEX (%) 
300 
Figure 5-One unit in cold standby. 
standby" is used. For a reasonable choice of powered-off failure rate being 1/5 
that of the powered-on failure rate, the following expression can be used: 
kr
R(t) = + 5 (e- e1.2kr),±kr ­
with the variables defined as given previously, The resulting family of 
reliability curves for k = 1, 1.1, 1. 5, and 2 are given in Figure 6. From these, 
the mission lifetime gain for F(S) = 90 percent is plotted in Figure 7; curve C, 
with the curves for cold standby and active standby included for comparison. 
not a heavy penalty in the wayIt can be observed from these plots that there is 
of decreased lifetime gain as more circuits are used. 
The discussion thus far has-led to the generation of a set of curves for ac­
tive, cold, and tepid standby where, in total, two units are used. For the case 
8
 
1.0 
A10.9 
0.8­
10 OF F A15l, 
0.7 -4 
0.5 - _ IT 
0.4 
0.3 
0.2 
0,1 
PROBABILITY OF MISSION SUCCESS FOR 
TIME t FOR TEPID STANDBY PARALLEL 
REDUNDNACY FOR TOTAL OF TWO UNITS 
12 
0.1 0.2 0.4 0.6 0.8 
nXt 
1SIMPLEX 
MTBF 
1.2 1.4 1.6 
Figure 6-Tepid parallel redundancy for total of two units. 
x 5 
0 
I­
00
_U . 
tsu 
I I OI I N C , 7 111........
 
,-I 
z 
o 
z 
z 
100 120 200 300 
INCREASE IN CKTS RELATIVE TO SIMPLEX (%) 
Figure 7-Tepid parallel redundancy for one unit in standby. 
9. 
of two standby units, for which three units would be in parallel, another set of 
curves can be generated. The reliability curves that support the gain curves 
are included in Appendix B. Hereafter, all support curves will be included in 
this appendix. The following expressions for parallel redundancy of three units 
are then used: 
For active standby, 
R(t) = 1- (1 - C- 3. 
For cold standby, 
R(t)=e'kr[ + kT + ( 2]. 
For tepid staidby where the off-failure rate is 1/5 of the on-failure rate, 
R(t) = ekr[+ 5(1 - e 0.2kr) + 15(1 -e'°sk7)2]. 
Figure 8 gives the gain in mission lifetime relative to simplex for P(S) = 90 per­
cent, 
When three units are placed in standby with the first unit for a total of four 
units, the following set of expressions are employed: 
For active standby, 
4.
 R(t) =1- (-- 'O
For cold standby, 
R(t)=ekr[1+kr+4t+LQj. 
For tepid standby where off-to-on failure rate is 1/5, 
R(t) = -kr1i + 5(1 - e-0.2 k?) + 15(1 - 0-k2+ 35(1 -02' 
Gains in mission lifetime for this redundancy are shown in Figure 9. 
10
 
-0Z 
12 
In 
0 
8- Two UISI 
z 
(OF IN 
,< 20 
S18 
'm6 
0 zz 
0 
12 
200 250 300 350 
INCREASE IN CKTS RELAt[E to SIMPLEX (%) 
Figure 8-Parallel redundancy for a total of three units. 
~ R47EEPIFAIURERAI aV/ 
ON FAILUR.TE81/ R-ThREE UNI "TSIN LA rIay 
200 250 50035 
z 1600 
0 
INCREASE IN CTS RELATIVE TO SIMPLEX (%) 
Figure 9-Parallel redundancy for a total of four units. 
11 
SUBDIVIDING 
In the second technique, the simplex unit is subdivided. Each subdivision, 
or subunit, is made redundant by paralleling it with a like subunit. Again, for 
weighing advantages and disadvantages of such a technique, it is assumed that 
the original simplex unit can be divided into subunits where each subunit has an 
equal number of circuits (an unrealistic but informative approach). Figure 10 
presents a,block representation of a few such subdivisions. For example, in 
block E, the simplex unit is divided into four subunits, each having n/4 circuits, 
and each subunit is paralleled by an equivalent subunit. For this ideal case, a 
total of 2n circuits are employed. Realistically, a penalty of additional circuits 
will be required to implement the redundancy of each pair of subunits. This is 
shown in block F for the case of using 10 percent more circuits with each sub­
unit, which would result in a 120-percent circuit increase over the original sim­
plex unit. 
In a like routine, a family of different numbers of subdivisions, each for 
several penalty percentages of additional circuits, are considered. To-plot re­
liability as a function of time for such a system in which each paralleled sub­
system comprises a redundant pair, the following expression was used to give. 
resultant reliability for active redundancy: 
R(t) = (2e-kr/P - e2kr/P)P 
where 
r = nAt, 
12 
APPLICATION 100% MORE CKTS 120% MORE CKTS 
Placing 
one unit n ].In 
in parallel 
with the 
original 
unit, as 
discussed 
in first 
technique. 
(a) (b) 
Subdividing 2 2 
the unit into 1.ln 
two subunits -
and applying 2 2 
redundancy toL1. 
each subunit, 2n -7 
in 
for second 
technique. i 
2 2 
(c) (d) 
Subdividing 
the unit into .__. 
four subunits 
and applying 
redundancy to 
each subunit, n n . 
for second 
technique. -- .[1. n II­
(e) (f) 
Figure 10-Subdividing to achieve gain in mission lifetime. 
13 
= ratio of number of circuits in each unit for the redundant-system to 
the number of circuits in the original simplex unit, 
and 
P = number of subdivisions. 
In Figure 11 a set of plots is given for subdividing the unit into 2, 4, 8, 16, 
and 32 subunits when each paralleled subunit is active. As in previous curves, 
the ordinate gives the gain in mission lifetime (for 90-percent probability of 
success) over that of the simplex unit. The supporting curves are given in 
Appendix B, from which similar data may be plotted for other probabilities of 
success. [Also see Appendix A for a discussion of mission lifetime gain as a 
function of different choices ofF(S).) 
24 
x 22 
20 P = NUMBER OF PARALLELED 
O PAIRS OF SUBUNITS. 
4 -P4 
0 2
 
-4 
2 
loG 200 30 
INCREASE IN CKCTS To SIMPLEX (%)RELATIVE 
Figure 11-Subdividing and using active redundancy with each subunit. 
14
 
For cold standby, the following expression gives system reliability: 
R- ,,k P /W)i 
A family of curves for 2, 4, 8, 16-, and 32 subdivisions is given in Figure 
12, and the supporting curves in Appendix B. 
COLUMNIZING 
The third and last technique in Part 1 is columnizing. Not all functional 
units lend themselves to this technique, especially to efficient columnizing. In 
this technique, a unit is divided into several columns. An ideal unit for this 
technique is one in which there is a large number of parallel operations and data 
transfers. Figure 13 presents a simplified example of columnizing without 
column switching circuitry. When bit n is independent of bit n + 1 during an 
24 
X< 22 
P= NUMBER OF PARALLELED 
M 200 
:E PAIRS OF SUBUNITS 
16 -
0 
:214­
P=32
 
20030 
100 
NCREASE IN'CKTS REL.ATVE TO SMP'LX () 
with each subunt. 
Figure 12Subdividing and using cold standby redundancy 
15 
DATA 
giI , *,I, I P I 
1I i2~ 1 1 I- IIIIII 
ZI0 1 
III II I, 
L.Li _ L L____ 
I ---- -7----J 
ORIGINAL UNIT IN COLUMNS SPARE COLUMN 
Note: Penalty ckts to implement column switching are not shown. 
Figure 13-Simptlfied example of columnizing. 
operation or data transfer to another register or through gating, then these 
registers can be readily columnized into one-bit columns. 
A failure in the -unit is repaired by switching out the column that contains 
the malfunction and switching in the spare column. Ideally, column switching 
only requires switching circuitry at the inputs and ouuts of each column, In 
practice, specialized extra circuits would be required within the columns to 
effect column separation because, in areas, there is dependence of one bit to 
another, such as in a parallel adder. 
Consider a simplex unit of n circuits that can be columnized.into 1/k ± 
columns as shown in Figure 14, The column then contains kin circuits. The 
16
 
n CKTS 
IMPLEMENTATION m O( = k2n) I
PENALTY 
COLUMNIZED UNIT SPARE COLUMN 
Figure 14-Representation of columnized simplex unit, spare column, and implementation penalty. 
expected penalty in the way of additional circuits required to implement switch­
ing capability is represented by 77 for the original unit and k I for the spare 
column. Let m = k2n, where the implemented columnized unit contains the 
following total circuits: 
Total unit circuits = n +;r 
= n(1+k2 ). 
For the column 
Total column circuits 	= 1 1(n+r) 
= k (n+k2n) 
The reliability expression for active columnizing can be derived from the 
general expression for a system having two unequal portions in parallel re­
dundancy so that a failure in the main unit can, by some means, be replaced 
by the second portion. It is given as 
"Xit -x2t -(?X1 + X2)R(t) = e + - e 
17 
'where xi and X2 are the total failure rates for each portion. Let X1 equal total 
failure rate of the main unit (with its additional implementation circuits), 
X1 =--n(f,+ k2 )A4, 
and let X2 equal total failure rate of the added spare column,
 
A2 = k n(1 + k2) X
 
then the reliability for the columnized system becomes 
R(t) = ( l + k 2) t + e nX k1 (1 2 ) t - e [ n '( l 2) + n (1+ k t e-n - + k + k k1 2 )] 
Then
 
R(t)=e-(1+k2)r+ e-k (1+ k2)r_ -(+ k1) (1I+ k2)r
 
where 
ki = column size relative to main unit, 
7r2 = additional implementation circuits per column relative to the un­
modified column, 
and 
r = nAt. 
The total additional circuitry relative to the original simplex unit is then 
k + k2+ kk 2 . 
Families of reliability curves were plotted for selected values of k1 and 
and are included in Appendix B. From these, the 90-percent P (S) intersections 
were taken, and the curves of Figure 15 were plotted. The samile type of scaling 
is used as in previous curves. The solid lines represent the column size, and 
18
 
22 
=0 k = COLUMN SIZE RELATIVE TO UNIT. 
20 = 0. 1 = IMPLEMENTATION PENALTY INk2 

t, ADDITIONAL CKTS IN EACH COLUMN, 
O RELATIVE TO ORIGINAL COLUMN 
> 1 k2 0.3 
Ck6 02=0.5 
14 yI 
12\
 
0 10 
o\\
 
0 kk =0.21 
!nz *5kjIc 0.4 
z 
SI I 
20 40 60 s0 100 120 
TOTAL INCREASE IN CKTS RELATIVE TO SIMPLEX (%) 
Figure 15-Active columnizing. 
the dashed lines represent the implementation penalty of additional circuits. 
The ideal but unachievable curve for k2 = 0 is included as an upper bound. 
For a standby cold column, another set of curves can be generated. The 
expression is derived from the general expression of reliability for a parallel 
redundant system having a cold (A = 0) standby portion. It is given by 
R(t) = x -X2 At 
As previously explained for the columnized model, 
A1 = nX (1 + k2) 
A2 = nPkI (I +k2. 
Letting r = nXt, the above expression reduces to 
19 
(+k" -k 1 (1 + k 2 )r 2 )( -(+1 + )c2)rk 1 (1 + k2) e .(1 + k ) e (1+( ­R(t) (I - k ) (I + k2) 
Curve families for this expression are given in Appendix B. The resultant 
curves for mission lifetime gain at the expense of total extra circuits for this 
case are given in Figure 16. 
SUMMARY 
For comparison with the foregoing techniques, a composite set of most of 
the curves is given in Figure V7. To avoid clutter, the subdividing technique 
does not include curves for 2, 4, or 8 subunits. Also excluded are some of the 
curves that were presented in the columnizing technique. The simplex unit is 
8 
26 -
2=0 
I 
k -COLUMN SIZE RELATIVETO UNIT. 
k2 IMPLEMENTATION PENALTY IN 
ADDITIONAL CKTSIN EACHCOLUMN 
-2 4 
I ~RELATIVE TO ORIGINAL COLUMN. 
-
k22=0.3 I 
20E t
 
6O I 
2 
1 2 
1(1=0.2 
z \6 k,=0. 
z 
(4 
2­
20 40 60 00 100 120 
TOTAL INCREASEIN CTS RELATIVETO SIMPLEXI%) 
Figure 16-Cold columnizing. 
20 
.0 
C
 
7 
2 
A
-
Z 
'Si 
C
 
I-. 
A.
C-, 
C
~ 
tJj
F.-
L
i 
D
 
Ce 
-ti 
Z 
-Jo 0 
0 it. 
-
.
 
.
.'2 
-
I-
Z 
$ (4 
'a
 
La 
-t 
A. 
-
L'S 
"aCe
z 
F.-LL
Jtfl 
C
 
0 
CA 
F.-. 
-n
 
C) 
C
 
-c U 
A
-
0 2 
0 Z 
C)
-
(4 
C 
Ia 
~
 
U
, 
o
 
C 
01~ 
C-) 
-a
 
-
I-. 
<
 
E 
-4 
0 
U.' 
U~ 
C
 
-
I-
U
 
'~
 
-r 
>
-
00 
z 
0 -
Z
Q
<
o
 
04 
ua 
~
 
tc 
C-' 
0 C-
E 
A
. 
0 
(-.3 
_
 
I­
(54 
-
2 
C) 
-
-
-
Li-. 
00
2E 
~
L
4
J
 
L
a 
~j 
a
, 
A. 
t0~ 
w
aO
~ 
cP 
~
.
 
&
~
ke
t 
4 t&
t 
-
5010 
~
 
cP 
~
 
,p:- 84~
 
-C 
C
C
 
e-I 
'0 
(N 
~
 
Cl 
(N04 
C
 
C
M
 
C
C
 
-
'0 
-
t -
Cl 
-
0 -
O
~ 
to 
~
 
-
-
-
­
04 
C
 
XBldW
IS Di. 
~AI1V1flU (%06 
(S)d 
~iO~) JVJI.lSdIl NOISSIW
 NI NIVO 
21
 
represented by point A, where its 90-percent probability of success is normalized 
to one. All other curves then represent the obtainable gain in mission lifetime, 
at the expense of additional circuits, relative to the simplex unit. It is, of 
course, desirable to be to the left and up on the graph. Clearly, this is best 
accomplished by columnizing-if it can be efficiently implemented and if other 
factors do not create offsetting problems. 
It is worth realizing when a portion of a curve is applicable and when it is 
not. For example, in subdividing, if the subunits have few circuits, then the 
left portion of the curve could not be achieved. Also, if the subunits are large 
and have relatively few inputs and outputs, then the left portion of the curve 
might be achievable. For paralleled units, if the units are relatively large, then 
the right portion of these curves are not realizable. The curves for cold stand­
by and active parallel serve as upper and lower bounds for each case, where 
the powe-ed-off failure rate of a standby could lie anywhere within, depending 
on the ratio of off-to-on failure rate. 
Presentation of the foregoing material is intended to provide some measure 
of comparison between three general techniques of redundancy. The merits of 
one technique over another for a particular system depend on such factors as­
(1) Whether it can be done. (Can, for example, the unit or part of the unit 
be columnized?) 
(2) Whether it is expedient (or cost effective). 
(3) Whether fault isolation and self-repair require human intervention. 
22 
(4) Whether it will impact scheduling. (For example, will longer and more 
intricate testing and evaluation be required to prove operational status ?) 
(5) Whether a single-point failure manifests itself in a degraded rather 
than a failed system. If so, what are the rules now for comparing? 
In any final, real system employing redundancy, the ideal conditions that 
were assumed for thesake of comparing techniques will not present themselves. 
Judgment on design approaches to achieve acceptable reliability will have to in­
clude the expected functional and hardware inconsistencies that will deviate from 
these conditions. However, a basic understanding of the foregoing should pro­
vide considerable insight into designing for reliability. 
23
 
PRECEDING PAGE BLANK MOT FILMED. 
PART 2 
APPLYING REDUNDANCY TO EXISTING SUBSYSTEMS 
INTRODUCTION 
Part 2 is devoted to applying reliability models to a real system in different 
configurations to determine the optimum configuration for a long-mission lifetime. 
The use of existing simplex units and devices that have predicted failure rates 
enables calculations to be made that yield absolute reliability predictions for the 
various configurations. 
The subsystem disetassed is the On-Board Processor (OBP) that has been 
The OBP is a general purpose, stored program spacecraftdeveloped by GSFC. 
acomputer. It consists of three functionally and physically separate units: 
central processing unit (CPU), a memory unit, and an input-output unit (I/O). 
It is an 18-bit parallel machine with 2 ps memory cycle time. The memory unit 
scheduled to fly on the Orbiting Astronomicalis fabricated in 4K modules and is 
The OBP for this flight will be a simplex sys-Observatory, Flight C, in 1971. 
tem and will fly as an experiment. It will provide selected backup and work­
around functions to other on-board subsystems such as the stabilization and 
control subsystem and the data handling subsystem. In future flights, the OBP 
will take on more responsible tasks. 
25
 
The present design of the OBP provides for improving reliability by adding 
up to two spare CPU's, two spare I/O's, and 16 memory units. Thus, the first 
approach discussed in Part 1, that is, spare units, could be used to obtain 
higher confidence in the success of future missions where the OBP would take­
on line functional responsibilities. The following analyses predict the mission 
lifetimes that can be obtained through the use of those configurations that are 
within the present design, plus a few other design approaches. 
CPU AND I/O RELIABILITY 
Considered first is improvement of the CPU and I/O as a working pair of 
units, the purpose being to bring these up to long lifetimes and later to look into 
Both the CPU and the I/O units have very nearlyimproving memory lifetime. 
the same failure rate because they both contain approximately equal amounts of 
The CPU failure rate is based on the Fairchild 9040the same type of chip. * 
series screened chips, which yield a failure rate per chip of 0.003 percent 
failures per 1000 hours. t Each unit contains close to 800 chips, Vhich gives 
an MTBF of 4. 75 years per unit. 
When a failed unit is defined as any single point failure in the unit, the 
simplex pair reliability will be the product of the reliability functions of both the 
*Other conditions, such as wiring contacts, affect reliability, but for the purpose of making coarse improve-
It has been estimated, for example,that the aver­ments in reliability, these conditions were not included. 
not alter the chip failure rate by more than 10 percent.age number of wiring contacts used per chip would 
tAs used by Westinghouse Defense and Space Center. 
26 
CPU and the I/O. The resultant.MTBF for the working pair is then 2.38 years. 
The 90-percent probability of success predicts a mission lifetime of less than 
one year. 
When redundancy is applied, the following configurations are evaluated: 
(a) One spare working pair. 
(b) Two spare working pairs. 
(c) Three spare working pairs. 
(d) One spare CPU and one spare I/O, each independent of the other.* 
(e) Two spare CPU's and two spare I/O's, each independent of the others. * 
(f) Three spare CPU's and three spare I/O's, each independent of the others. 
These configurations are represented in Figure 18. In a, b, and c, each I/O is 
slaved to a particular CPU. In d, e, and f, each CPU and each I/O can be cross 
strapped to any other. To increase reliability and, more important, to conserve 
power, only the operating pair would be powered on. The failure rate of the 
powered-off units was estimated at Xoff = 1/5 4on. Reliability was calculated 
with the tepid parallel redundancy expressions previously given in Part 1 and 
modified by a joint product for cases d, e, and f. In cases a, b, and c, the 
failure rate used for each pair was 4. 8 x 10 -5 failures per hour (f/hr), or 0.42 
failure per year (f/yr). In d, e, and f, 2.4 X10 - 5 f/hr or 0.21 f/yr was used 
separately for each unit. 
*This configuration may now be implemented by the present design. 
27 
C() 
M -Vo 
Figure 18-Redundant configurctions for im­
proving mission lifetime of CPU and I/0. 
Figure 19 gives resultant curves for all cases, including the simplex. 
(See Table 1 for expressions for the curves.) At this early stage, a tentative 
goal was established to achieve a mission lifetime of at least 3 years for F(S) 
= 90%. Because of the close proximity of the two curves, C and F, which just 
met this condition, the investigation of these two cases was continued. It was 
necessary to determine the effect of active redundancy as well as cold re­
dundancy because these serve as upper and lower bounds for all possible values 
of off-to-on failure-rate ratios. Figures 20 and 21 show the resulting curves. 
The bar charts high-light the need to know the true failure rates with reasonable 
accuracy if the mission lifetime must be predicted to better than a 1-year accuracy 
for these particular design configurations. 
28
 
YEARS 
2 3 4 5 
1 I I 	 OFF = I/S'ON 
THREE SPARE CPU AND THREE SPARE /O 
0.0 
gk i 4. 	 (F)P=, 
0.2 	 I 0.8 1.6 
5 CPU MTBF CPU ONLY - 4.75 YR 
0.1I I 0.4 	 I SIMPLEX 
•"Figure 19-Reiiability curves for OBP, CPU, and I/O configurations of Figure 17. 
MEMORY RELIABILITY 
The OBP memory system is now fabricated in 4K modules. It is presently 
anticipated that a future flight will require that 32K of core be operational over 
the entire mission. Consideration has been given to the idea of flying 64K of 
°memory, from which the 32K would be selected by round command. Again, it 
should be remembered that the worst case failure conditions are being assumed 
29
 
wherein a single-point failure renders a failed unit. Mission-lifetime pre­
dictions begin with the following expression: 
M 
E" M!
 
P(S)j x! (m-x)! P (1-- 0-, 
x=k 
where 
x = number of units that must be operational, 
m = total number of units that are available, 
and 
p = probability of success for one unit. 
Table 1 - Expressions for reliability curves for Figure 20. 
CONFIGURATION APPLICABLE RELIABILITY 
(f/yr) EXPRESSION 
Simplex CPU and I/O 0.42 R(t) = e "At 
(a) 	One spare t
 
CPU & 1/o pair 0.42 R(t) = & + 5 (0 -At ­
"° ' 	 k t) (b) 	 Two spare R(t) = e-Xt11 + 5(1 - e 
A -CPU & /o pairs 0.42 	 [ e"0' 2t)
+ ±5(1 - e.A) 
(c) 	Three spare R(t) = e' + 5(1 -0, MC)11Opt)CPU & I/O pairs 0.42 
+ 15(1 -r'.2 + 51-e02k3 
(d) 	 One spare CPU + At - 1,2h 2
 
and one spare I/O 0.21 R(t) 5(et)]
 
(e) 	Two spare CPU's R(t) = eAt Fl± 5(1 -e " 2Xt)
+ 1 20.21 	 ] ­and 	two spare I/O's 2 
. .At)
-+ 15(1 
- 0(f) 	 Three spare CPU's R(t)--e " Xt [1 + 5(1 - e . At)
 
and three spare I/O's 0.21
 
0.003% 8760 hr
 
= = yr 0.21 f/yr
-=O--800 Chips×X1000 hr-chip × 
3o
 
YEARS 
1 2 3 4 5 
PU 1/0 
:-3 'jT/~//~fjOFF . 
= Z' ZCp 	 OFF 15)ON 1/0 
0. ////////////// OFF : ON 
1.0 	 C uo _ 
0.9 	 OBP, LESS MEMORIES 
0.8 
XoOOFF1/5XON0.7 
0.6 
0.5 
0.4 
ACTIVE, OFF = ON 
0.2 	­
- 5
1:" / 0O 2.4 10 F/HR0.1 - ) CPU 
S I II 
0.1 	 0.2 0.4 0.8 f 1.6 
SIMPLEX 
PU MTBF 
1 2 3 4 5
 
YEARS
 
Figure 20-Upper and lower bounds for CPU and I/0 reliability for joined CPU's and I/0's. 
31
 
YEARS 
1 2 3 4 5 
_ yN. .O F ..OPU. . , 
I- I 
FOBP, LESS MEMORIES­
0.9 
0.6 
0.7 
0.6 
0.3 
= "ACPU xI 0 2.4 x 10 5 FAHR 
0.1
 
0.1 0.2 0.4 0.8 t SIMPLEX 1.6 
"tMTBFt XCPU 
I I I I 
1 2 2 4 5 
YEARS 
Figure 21-Upper and lower bounds for CPU and I/0 reliability for separate CPU's and I/O's. 
32
 
Note that P(S) here is not a function of time and does not represent system reli­
ability. 
In Figure 22, the effect of this expression is shown for three configurations: 
(a) Employing sixteen 4K modules to provide the required 64K of memory. 
(b) Employing eight 8K modules to provide the 64K of memory. 
(c) Employing four 16K modules. 
1.0 
/ 
/

0.9 	 . / 
/ 
0.8 	 /
/ 
0,7 	 / 
=
/ (1) M = 16, X 8 (USING 4K MEM)./ (2)M= 8,X= 4 (USING 8K MEM).>"_. 	 (3) M = 4, X =2 (USING 16K MEM)° 
0.6 0,6 	 / 
M = 	NUMBER OF MEM 
UNITS IN TOTAL.X=NUMBER OF MEM 
0.5 	 / UNITS "ON"AT / 	 ALL TIMES. 
0.4 (C) 	 SYSTEM P(S) ." M!x' 1-P)m -, 
(A) r-kc 
/(B) WHERE p =MEM UNITS p(S) 
I I I I I0.3 
0.2 	 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0 
MEMORY UNIT p(S) 
Figure 22-System P(S) as a function of unit p(S) when more units are available for use than the 
several that must be in use at any one time. 
33 
The abscissa is the module P(S) and the ordinate is the resulting system 
F(S) when 32K must operate.. If a particular model P(S) intersects with the curve 
above the dashed line, a system P (S) gain is realized. These gains are appreci­
able when the module P(S) exceeds 0.6 or 0.7. 
Since each module will be a simplex unit, the expression for the total 
memory-system reliability as a function of time can be represented as 
= xi (O x, (m-_ -e-) 
x~k
 
where 
X = failure rate of one memory module. 
The memory-module failure rate will not be linear with module size if some 
redesign of the module is performed. A cursory look into the present 4K module 
employed by the OBP shows that the sum of all failure rates multiplied by their 
number of parts is 242 X 10-7 f/hr (which gives a MTBF of 41,000 hr). Two 
types of components account for about 70 percent of the failure rate of the module. 
They are switching transistors and steering diodes. Of these, the steering diodes 
account for 120 x 10- 7 f/hr. Thus, if some redesign can enlarge core capacity 
with minimal impact on the use of additional diodes and transistors, an appreci­
able failure savings can be effected. 
If a 4K module can be enlarged to 8K by enlarging each bit plane without re­
quiring different circuit components or techniques, then the following extra com­
ponents would be expected in the fabrication of 64 x 128 planes: 
34­
Failure rate Sub -total 
Part Quantity (10 - 1 f/hr) (10 - 1 f/hr) 
Switching transistors 
Transformers 
16 
8 
.45 
.3 
7.2 
2.4 
Steering diodes 
Cores 
128 
4K X18 
.34 
.00004 
43.5 
3 
Solder connections 4000 .00005 2 
58.1 
The new failure rate then would be 
242 + 58 •242 1. 3 x present 4K module failure rate. 
For a 16K module under the same conditions of being able to use the same 
components and techniques, the following increases would be expected: 
(1) For 128 X 128 planes, 
Failure rate Sub-total 
Part Quantity (10- 7 f/hr) (10 - 1 f/hr) 
Switching transistors 32 .45 14.4 
Transformers 16 .3 4.8 
Steering diodes 256 .34 87 
Cores 12K X 18 .00004 9 
Solder connections 12,000 .00005 6 
121.2 
The new failure rate would then be 
S"242 + 121. 
X 242 1 1.5 X present 4K module failure rate. 
35
 
(2) For 64 x 256 planes, 
Part Quantity 
Failure rate 
(10- ' f/hr) 
Sub-total 
(10 - 7 f/hr) 
Switching transistors 
Transformers 
32 
16 
.45 
.3 
14. 4 
4.8 
Steering diodes 128 .34 43.5 
Cores 12K X 18 .00004 9 
Solder connections 12,000 .00005 6 
77. 7 
The new failure rate would then be 
S__242 + 7__ 1.4 x present 4K module failure rate.242 
Curves for active redundancy for several configurations are shown in Figure 
23. It is recognized that the powered-off units would not exhibit a failure rate 
equal to a powered-on unit, but these curves serve as lower bounds on mission 
lifetime under the above conditions of cursory redesign to larger memory mod­
ules. A curve is included that represents the use of eight 4K modules without 
any spares. It emphasizes the gains given by redundancy as well as the need 
for redundancy. 
Predicted reliability for the powered-off memory modules in cold standby, 
which will now be an upper bound, was achieved by using the following expression: 
=/o
 
36
 
ACTIVE REDUNDANCY 
80X= 	 1.3 
EIGHT 
8K UNITS 
70 	 X= 1.5), X=X I 
SIXTEEN 4K UNITSEIGHT4K UNITS 
(NO SPARES) 
60 
X 1.4X 
1t ­50 R(t)_e- R (t)_=1, I ( It(1e t 
x = 	 FOUR 
WHERE 	 m= NO. OF UNITS IN64K 16K UNITS 
I NO OF UNITS IN 32K 
40 --
 FAILURE 
A1 5 YEARS=4 
4 5 YEARS - 40,000 HOURS 
30I I I I I I 1 
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 
X,1t 
10 	 12 13 
YEARS 
Figure 23-OBP memory reliability when 32K of memory must operate from an available 64K of 
memory (active standby). 
where 
m = number of units that are in standby, 
N - number of units that must operate, 
and 
. X = failure rate per unit. 
The resultant curves for this case are given in Figure 24. A curve is included 
that represents the flying of only 32K of memory without any spares. As might 
be expected, the configuration employing sixteen 4K modules exceeds the other 
37
 
14 
100 
STANDBY (COLD) REDUNDANCY 
90 
so-EIGHT 8K UNITS SIXTEEN 4K UNITS 
EIGHT4K UNITS 
(NO SPARES) 
RO)- 8A I'FUR1K NT 
, (Af tR Ct). 
50 -
WHEREm NO OF UNITSTHAT AREiN STANDBY 
.NO OF UNITS THAT MUSTOPERATE 
1 FAILURE 
14 5 YEARS 
4 5 YEARS. 4O0 HOURS 
A = 0 FOR POWERED-OFF UNITS 
30 0.1 I0.2 I0.3 0.4 0.5 0.6 - 0.7 
I 
0.8 0.9 
I 
SIMPLEX 
i0o1 12 Alt 13 14 MTF (4.5 YR) 
YEARS 
Figure 24-GBP memory reliability when 32K of memory must operate from an available 64K of 
memory (cold standby). 
configurations despite the improvement of failure rate in proportion to memory 
expansion for the modified module. This is similar to the technique of subdi­
viding, as presented in Part 1 of this paper; that is, the smaller the subdivisions 
the greater the return in reliability without a large penalty in additional circuits. 
On the other hand, unacceptable problems, such as interface cabling and greater 
control requirements, would eventually appear as the unit is subdivided further. 
CONCLUSION 
In Part 2 of this document, the discussions of configurations and their re­
sultant reliabilities depart from the generalized discussions of Part 1 and serve 
38
 
to show absolute predictions based on existing designs or design techniques. In­
spection of the reliability curves for the given limiting conditions of Xoff = 0 and' 
Xoff = Xon indicates the amount of variance that can result in mission lifetimes, 
depending upon the ratio of powered-off failure rate to powered-on failure rate 
that is. used. 
The necessity for caution in making absolute predictions based on well­
understood groundlines cannot be overemphasized. However, regardless of 
whether -ornot all exacting conditions are known, the need for redundancy be­
comes a requirement if, with reasonable confidence, acceptable mission life­
times are to be achieved. 
39
 
REFERENCES
 
1. 	 Bazovsky, I., "Reliability Theory and Practice," New Jersey: Prentice-
Hall, Inc., 1961. 
2. 	 Polovko, A.M., ,,Fundamentals of Reliability Theory," New York: 
Academic Press, Inc., 1968. 
3. 	 Dummer, G.W.., and Griffin, N. B., "Electronics Reliability," New York: 
Pergamon Press Ltd., 1966. 
40
 
APPENDIX A 
Choice of P(S) 
It is of practical interest to discuss the effect of different choices of P (s), 
and the resulting gains in mission lifetime, when a simplex system is made re­
dundant. System improvement will appear to be better if a higher P(S) for 
mission lifetime is specified. That is, the higher the specification of P(S), the 
greater will be the lifetime gain when a second system (or subsystem) is placed 
in parallel redundancy with the simplex system. 
It was shown earlier in this document in the discussion on parallel redun­
dancy that if the lifetime is based on P(S) = 90 percent, then a gain of 3.45 is 
attained under the conditions that provided curve B, Figure 2. If, instead, 
P(S) was specified as 99 percent, then a gain of 10. 5 is realized. On the other 
hand, if a low F (S) of 80 percent were used, then a system gain of only 2. 53 
would result. This effect is shown in Figure IA. The reason for this equivalent 
greater gain for higher P (S) isthat the exponential reliability curve for the 
simplex system begins at to with a slope of -1/[system MTBF], whereas the 
parallel redundant reliability curve begins at to with a slope of zero. In fact, 
all redundant techniques discussed in this document have reliability curves that 
begin with a zero slope. 
41
 
It is understood thatP (S) is not a design variable. It is normally first 
specified, and then the system is designed to meet that specification. The 
improvement in mission lifetime will be a natural fallout from the reliability 
curves commensurate with the redundant configuration used. But it is of 
practical interest to point out that the effectiveness of various redundant con­
figurations in providing increased mission lifetimes is contingent on the P(S) 
chosen. P(S) = 90 percent is used throughout this document because it is a 
reasonable choice upon which to compare techniques. 
I0 
z. 	 INCREASE IN CIRCUITS
 
OVER SIMPLEX = 100%
 
8­
0 
>- 6 	 GAIN - I [(14-1 ) I 
_ I1InkI
 
z
 
0 
20 40 60 80 4oo 
P(S) W 
Figure 1A-Goin in mission lifetime for an active paral­
lel pair of units, relative "t0the simplex unit', as a 
function-J2of specified P(S). 
APPENDIX B 
Support Curves 
This appendix contains supporting curves for the mission-lifetime gain curves 
of Part 1. By including these curves, mission-lifetime gains for levels of con­
fidence other than 90 percent can be obtained. 
Appendix-curves 1 through 6 are curves that support parallel redundancy 
but are not included within Part 1: 
(a) Curves 1 and 2 support active standby. 
(b) Curves 3 and 4 support cold standby. 
(c) Curves 5 and 6 support tepid standby.
 
Curves 7 through 10 support active-standby subdividing.
 
Curves 11 through 14 support cold-standby subdividing.
 
Curves 15 through 18 support active-standby columnizing.
 
Curves 19 through 22 support cold-standby columnizing.
 
43
 
1.0 F 
0.9 
PARALLEL REDUNDANCY 
(THREE UNITS IN ALL) 
- TWO UNITS IN ACTIVE STANDBY 
0.8 
0.7 
0.6 -k=I 
S0.5 - k=1.1 
0.4 
0.3 -
0.2 k 1.5 
0.1 
0.2 0.4 0.8 SIMPLEX 
- MTBF 
1.6 
nxt 
2.6 3.2 
Curve 1 
1.0 
0.9 
PARALLEL REDUNDANCY 
(FOUR UNITS IN ALL) 
- THREE UNITS IN ACTIVE STANDBY 
0.8 
0.7 
0.6 
0;5 
0.4 
0.3 
0.2 
0.1 
I 
0.2 
I 
0.4 
I 
0.8 SIMPLEX 
I MTBF 
1.6 
nAt 
I 
2.6 3.2 
Curve 2 
44 
1.0 
0.9 
PARALLEL REDUNDANCY - TWO UNITS IN COLD 
STANDBY (THREE UNITS IN ALL) 
hAFSOFF =0= 0 
0.8 
0.7 k=l 
0.6 k=1.1 
0.5 
0.4 k= 1.5 
0,3 
0.2 
0.1 
0.2 0.4 0.8 tSIMPLEX 
MTBF 
1.6 
n~t 
Curve 3 
2.6 3.2 
1.0 
0.9 
0.8 
k I 
0.7 
k= .5'k =1.1"*"­
0.5 
0.4 
0.3 
0.2 
0.1 
PARALLEL REDUNDANCY 
(FOUR UNITS IN ALL) 
OFF =0 
I I II 
0.2 0.4 0.8 
- THREE UNITS IN COLD STANDBY 
SIMPLEX 1.6 
MTBF 
n-t 
2.6 3.2 
Curve 4 
45 
1.0 
PARALLEL REDUNDANCY - TWO UNITSIN TEPID STANDBY 
0.9 -(THREE 	 UNITS IN ALL)0OFF 115 ON 
0.8 
0.7 
0.6 
0.5 
0.4 
0.3 
0.2 
0.1
 
0 0.2 0.4 I 0.8 tSIMPLEX 
'MTBF 
1.6 2.0 2.4 2.6 2.8 3.2 
nAf 
Curve 5 
1.0 
0.9 
0.8 
­
0.7 
0.6 
kk=°
 
0.4 
0.3 
0.2 	 - PARALLEL REDUNDANCY- THREE UNITS IN TEPID STANDBY k 1.-5 (FOUR UNITS IN ALL) 
0.1 	 'OFF =1/5 ON 
I I 	 I ' 
0.2 	 0.4 0.8 tSIMPLEX 1.6 2.0 2.4" 2.6 3.2 
I MTBF 
n~tl 
I 
Curve 6 
46 
1.0 
0.9 
0.8 
0.7 p=4 
0.6 
0.5 
0.4 
0.3 
0.2 
0.1 
SUBDIVIDING WITH ACTIVE PARALLEL REDUNDANCY 
USING 1000/ OVERALL CKT INCREASE 
k = 1 
p =NUMBER OF SUBUNITS THAT ARE PARALLELED 
S I 
II 
0.1 0.2 0.4 0.8 
n),t 
Curve 7 
tSIMPLEX 
tMTBF 
1.6 
1.0 
0.9 
0.8 
0,7 
0.6 
p=4 
S0.5 
0.4 SUBDIVIDING WITH ACTIVE PARALLELUSING 120% OVERALL 
CKT INCREASE REDUNDANCY 
0.3 p= NUMBER OF SUBUNITS THAT ARE PARALLELED 
0.2 
0.1 
0.1 0.2 0.4 0.8 
n~t 
SIMPLEX
/MTBF 
1.6 
Curve 8 
47 
0.9 3 
0.8 
0.7 
0.86 
0.6 
0.5 
0.4 
0.3 
0.2 
SUBDIVIDING WITH ACTIVE PARALLEL REDUNDANCY 
USING 200% OVERALL CKT INCREASE 
k= 1.5 
p= NUMBER OF SUBUNITS THAT ARE PARALLELED 
0.1 
0.1 0.2 0.4 0.8 
nXt. 
SIMPLEX 
IMTBF 
1.6 
Curve 9 
1.0 
0.9 
0.8 P =32 
0.7 p=1 
0.6 
0.5 P=1 
0.4 
0.3 
0.2 
0.1 
SUBDIVIDING WITH ACTIVE PARALLEL REDUNDANCY 
USING 300% OVERALL CKT INCREASE 
.k=2 
P = NUMBER OF SUBUNITS THAT ARE PARALLELED 
I I I I 
0.1 0.2 0.4 0.8 
n-t 
SIMPLEX 
t MTBF 
p=4 
1.6 
Curve 10 
48 
0.9 
0.8 
0.7 
0.6 
£0.5 
0.4 
0.3 
0.2 -=I 
0. 1 
SUBDIVIDING WITH COLD STANDBY REDUNDANCYUSING 100% MORE CKTS THAN SIMPLEX 
p = NUMBER OF SUBUNITS THAT ARE PARALLELED 
I I I 
0.2 0.4 0.8 * 1.6 1.0 
n~t 
3. 
3.2 
Curve 11 
1.0 
0.9 I = 32 
0.8 
0.7 
0.6 
j0.5 
0.4­
0.3 -
0.2 -
0. 1 
0.2 
SUBDIVIDING WITH COLD STANDBY REDUNDANCY 
USING 120% MORE CKTS THAN SIMPLEX 
k=1.l 
p = NUMBER OF SUBUNITS THAT ARE PARALLELED 
S I I 
0.4 0.8, 1.6 
1.0 
nft 
3.2 
Curve 12 
49 
1.0 
0.9 
0.8 
0.7 
0.6 
05. 
0.4 
0.3 
0.2 
SUBDIVIDING WITH COLD STANDBY REDUNDANCY 
USING 200% MORE CKTS THAN SIMPLEX 
k-- 1.5p= 
p = NUMBER OF SUBUNITS THAT ARE PARALLELED 
0.1 
I 
0.2 
I 
0.4 0.8 +1.0 
1.6 
nxt 
Curve 13 
3.2 
1.0 
0.9 
0.8 
0.7 
0,6 
"0.5-
0.4 
0.3 
0.2 
0.1 
SUBDIVIDING WITH COLD STANDBY REDUNDANCY 
USING 300% MORE CKTS THAN SIMPLEX 
k=2 
p = NUMBER OF SUBUNITS THAT ARE PARALLELED 
I I I 
0.2 0.4 0.8 4 1.6 
1.0 
n;t 
p 
3.2 
Curve 14 
50 
0. ­
77 7 
L2 
0.872 
0,7 
0.8 -k2 = 0­0,2 =0.2 
=0.3 
0.6 1 
0.4 
0.9 
0.1 
0-2 2.0 2.2 2.4 
0.2 COLUMNIZING 
kI 0.05 
I I 
0.1 0.2 
USING ACTIVE REDUNDANCY 
I I I 
0.4 0.6 0.8 SIMPLEX MTBF 
I 
1.2 
I 
1.4 1.6 1.8 2.0 
nt 
Curve 15 
1.0 
0.9 
0.8 
0.7 
1 2 =0. 
3 
Ic = 
0 k2= 0.5_ 
2 =0.1 
0.5 
0. COLUMNIZING USING ACTIVI REDUNDANCY 
0.4 k1 
0.3 
0.2 
0.1 
0.1 0.2 0.4 0.6 0.8 fSIAPLEX 
xt 
1.2 1.4 1.6 
Curve 16 
51
 
1.0 
0 .9 
I~~~e 
, , 
=k0 
-
-k=0.2 
k 2 0.I k 0 .. 
0.8 
0.7 
0.6 
-023=0.  
=0.5 
0.5 
0.4 
0.3 
0.2 
COLUMNIZING USING ACTIVE REDUNDANCY 
k I= 0.2 
0.1 
I 
0.! 0.2 
I 
0.4 
I 
0.6 
I 
0.8 . tSIMPLEX 
EMIBF 
n~t 
f 
1.2 1.4 1.6 1.8 2.0 
Curve 17 
1.0 
0.9 
0.8 k2=0 
0.7 k2 -0.5= " 
0.6 k 0 
0.5 
0.4 
COLUMNIZING 
kc1 =0.4 
USING ACTIVE REDUNDANCY k2 = 0.1 
0.3 
0.2 
0.1 
I 
0.1 
I 
0.2 
I 
0.4 
I 
0.6 0.8 
n;t 
Curve 18 
"SIMPLEX 
MTBF 
1.6 
52 
0. ­ k 0 ,,lk 
0.8 
.9k2 = .3 'k2 0.5 / 
. 
0.7 
0.6 
COLUMNIZING USING COLD STANDBY REDUNDANCY 
ki 0. 05 
,a 0.5 
0.4 
0.3­
0.2 
0.1[ 
2 = 1 
0.2 0.4 0.8 SIMPLEX 
MTBF 
91.6 
1.5 
2 
nXt 
Curve 19 
2.4 
2.5 
3.0 3.2 93.6 
3.5 
4.0 
1.0 
0.9 0 
0.8 
0,7 2 1 
0.6 k 
S50.5 
0.4 
0.3 
0.2 
COLUMNIZING USING COLD STANDBY 
I =0. 1 
REDUNDANCY 
0.1 
I 
0.2 
I 
0.4 
I I 
0.8 * 1.2 
SIMPLEX 
MTUF 
I 
1.6 
n.t 
PI 
2 $ 
2.5 
3,0 3.2 3.5 4.0 
Curve 20 
53
 
0.9• 
0 8 -
0.8 
0.7 -12=0*1 
= 0 
0.6 
0.5 ' k 0°3" 
0.4k2 
0. 
0.3 
0.2 0=02 
0.1 
I 
0.2 
COLUMNIZING USING COLD STANDBY REDUNDANCY k 1 =0.2 
I I I IrP 
0.4 - 0.8 SIMPLEX 1.6 2.0/MTBF 
n.t 
2.5 3.0 3.2 
I 
3.5 4.0 
Curve 21 
1.0 
0.9 
0.8 k2 =0.1 
0.7 -
0.6 
k2 0 
0.5 
0.4 k2 0.4 
0.3 
0.2 -
COLUMNIZING USING COLD STANDBY REDUNDANCY 
k=0.4 
0.1 
I 
0.2 
I 
0.4 
I 
0.8 f SIMPLEX 
MTBF 
I 
1.6 
n"t 
Curve 22 
2.0 2.5 
1 -
3.0 
- -i 
3.2 
54 
