Parameters and assumptions of critical systems

On this edition’s cover, we’re trying to stir controversy, suggesting that PICMG’s ruggedized MicroTCA might well go head-to-head with VITA’s 3U VPX. According to military contractor BAE, speaking of the cards inside a MicroTCA chassis: "COTS Advanced Mezzanine Cards (AMC) processor cards meet [the] Army’s Rugged Requirements." BAE asserts that the AMC connector - an edge style that may use a different vendor for the male and female sides - is suitable for WIN-T Radio applications as a result of "rigorous vibration tests (operating and nonoperating)." Targeting a chassis similar to the one shown (on the cover) for the JC4ISR Radio Architecture on WIN-T, BAE is working on a case study detailing the specific tests. Quite favorable results from these tests have been shared with the PICMG Rugged MicroTCA Working Group.

My concern is not with the AMC itself nor the conduction-cooled modifications needed for rugged service. Rather, I worry about that connector, which might see, say, +3 percent "looseness" tolerance and only a single point of electrical contact. VME’s DIN connector, on the other hand, uses up to three beams per post and comes in joint tolerance-controlled male/female pairs from up to 60 vendors. I am doing some digging to find shock/vibration data on the AMC connector, and on VME’s DIN connectors. Strictly from the connector standpoint, I say let’s look at the data before we declare a "winner" in this chassis shootout.[1]

Assumption #2: Individual x,y,z axis testing is not multi-axis testing

At the heart of this connector problem is multi-axis vibration. Wayne Tustin of the Equipment Reliability Institute (www.equipment-reliability.com) has been shaking chassis since they held vacuum tubes. In a recent seminar entitled "Simultaneous Multi-axis Vibration Testing & Stress Screening," he points out that Detroit automakers routinely screen for vertical, lateral, and fore-and-aft motion using multi-axis and torsional testers. Why, then, do we still do three-axis electronic testing one axis at a time? The answer, says Wayne, stems from our 1950 assumption that begat MIL-STD-810 in 1962. Due to legacy history, the "F" revision of 810 still calls for "single-axis-at-a-time" shaking. He argues - and I agree - that this is antiquated and wholly inadequate.

Assumption #3: Not all COTS LRUs are created equal

Could under-vibration electrical failures have prompted the December 6, 2007 U.S. Army memorandum "Reliability of U.S. Army Materiel Systems" that now mandates establishing a "System Development and Demonstration (SDD) phase … and reliability test threshold"? This was prompted by a significant number of Army systems "failing to demonstrate established reliability requirements during operational testing." Army regulations 70-1 and 73-1 seek to implement these changes.

Assumption #4: Have we learned nothing about thermal stress?

Meanwhile, should you still be tempted by the post-CES consumer world, Microsoft continues to experience higher-than-acceptable failures on Xbox 360 game consoles. As recently reported by EDN senior technical editor Brian Dipert in his blog (www.edn.com/blog/400000040/post/1480020748.html), some of the problems can be traced to a common critical system mechanical parameter called the Thermal Coefficient of Expansion (TCE).

All rugged VME designers try to match the TCE of large components to that of the PCB; otherwise, under temperature cycling, solder joints become stressed and fracture, causing components to exhibit intermittent "opens." In extreme cases, when accompanied by shock and vibration, components can eventually shear off. This problem isn’t new at all; it was the reason VME designers soldered "J" leads on LCC and BGA packages back in the 1990s.

Assumption #5: Are fly-by-wire, avionics networks, and DO-178B a good idea?

On January 19, 2008, while descending through 600 feet about 2 miles from London’s Heathrow Airport, a British Airways Boeing 777 lost thrust in both engines and struck the ground 1,000 feet short of the runway. Miraculously, there were few injuries and no one died; however, speculation points to the plane’s fly-by-wire, networked computer avionics system - or bad fuel taken aboard in Beijing. While it would be convenient to cite "bad gas" sucked from the bottom of the nearly empty fuel tanks, the FAA is growing steadily concerned about increasingly sophisticated avionics networks.

Although this is the first crash ever of Boeing’s flagship aircraft, the FAA wants assurances that Boeing’s next-generation 787 aircraft’s network design is "secure from intrusion by hackers" and other conditions. We’ve come to accept that RTCA/DO-178B software architectures are sufficient to assure safety-critical systems such as civilian and military aircraft - but are they? The FAA published 10 "special conditions" for the 787 aircraft pertaining to its networks, and RTCA Special Committee No. 216 is responsible for establishing avionics and network systems security. Stay tuned on this one as it could ripple into many digital safety-critical systems.

Chris A. Ciufo
VME and Critical Systems magazine
cciufo@opensystems-publishing.com