Bdale: Your assessment of how we should do the risk analysis is EXACTLY the level I seek -- we're not doing the space shuttle replacement. In my mind (?) when we have a few more systems and interfaces defined, I'd like to convene a team whose SOLE responsibility would be to do the "what if" on each failure, and somehow rank risk, probability, and consequences. Then they'd suggest mitigations that aren't already there.
Thanks & 73, Jim wb4gcs@amsat.org
Bdale Garbee wrote:
On Tue, 2006-10-03 at 12:25 -0400, Louis McFadin wrote:
Martin is exactly right. Two of the same things is only partial redundancy. In order to be fully redundant the two systems must be independent, built by different teams and have different technology.
I think we should also remind ourselves that redundancy exists at different levels of granularity. For example, we might build more than one unit of Eagle, P3E provides redundancy with Eagle and vice versa, etc.
It's important that we think through the various possible failure modes and "do the right thing" to mitigate each, and maximize the probability that we're left with something useful even if various important parts fail. However, if we insist on a mil-aero level of absolute redundancy at too fine a level of granularity on a single satellite, we run a real risk of specifying something we can't afford to build or fly. Our prior and future success hinges heavily, I think, on our collective ability to be smart about these sorts of tradeoffs.
Howard, if I were the one giving your talk this weekend I'd be inclined to assert that reliability and redundancy are being considered at every level of the Eagle project, but I wouldn't be inclined to commit us to any particular technology path like promising an analog transponder as backup.
73 - Bdale, KB0G
Via the Eagle mailing list courtesy of AMSAT-NA Eagle@amsat.org http://amsat.org/mailman/listinfo/eagle