Bdale:
Your assessment of how we should do the risk analysis is EXACTLY the level I seek -- we're not doing the space shuttle replacement.
In my mind (?) when we have a few more systems and interfaces defined, I'd like to convene a team whose SOLE responsibility would be to do the "what if" on each failure, and somehow rank risk, probability, and consequences.  Then they'd suggest mitigations that aren't already there.

Thanks & 73,
Jim
[email protected]


Bdale Garbee wrote:
On Tue, 2006-10-03 at 12:25 -0400, Louis McFadin wrote:
Martin is exactly right. Two of the same things is only partial
redundancy. In order to be fully redundant the two systems must be
independent, built by different teams and have different technology. 

I think we should also remind ourselves that redundancy exists at
different levels of granularity.  For example, we might build more than
one unit of Eagle, P3E provides redundancy with Eagle and vice versa,
etc.

It's important that we think through the various possible failure modes
and "do the right thing" to mitigate each, and maximize the probability
that we're left with something useful even if various important parts
fail.  However, if we insist on a mil-aero level of absolute redundancy
at too fine a level of granularity on a single satellite, we run a real
risk of specifying something we can't afford to build or fly.  Our prior
and future success hinge heavily, I think, on our collective ability to
be smart about these sorts of tradeoffs.

Howard, if I were the one giving your talk this weekend I'd be inclined
to assert that reliability and redundancy are being considered at every
level of the Eagle project, but I wouldn't be inclined to commit us to
any particular technology path like promising an analog transponder as
backup.

73 - Bdale, KB0G

_______________________________________________
Via the Eagle mailing list courtesy of AMSAT-NA
[email protected]
http://amsat.org/mailman/listinfo/eagle
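As an added illustration of the point made in the thread (this is example code, not anything from the Eagle project or AMSAT): two copies of the same design share a common-cause failure term that no number of copies removes, while dissimilar, independently built units are lost together only by coincidence; the last function ranks "what if" entries the way Jim describes, by probability times consequence. All probability values and the failure-mode table are constructed placeholders, not real Eagle or P3E figures.

```python
"""Common-cause failure model for the redundancy argument above (added example)."""


def identical_pair_failure(p_random: float, p_common: float) -> float:
    """Probability that two copies of the SAME design are both lost.

    p_common is the chance of a design/technology defect shared by every
    copy, which takes out both units at once; p_random is each unit's own
    independent failure chance. The shared term survives however many
    copies are flown, which is why this is only partial redundancy.
    """
    return p_common + (1.0 - p_common) * p_random ** 2


def dissimilar_pair_failure(p_a: float, p_b: float) -> float:
    """Two independent designs (different team, different technology):
    no shared-defect term, so the pair is lost only if both fail on their own."""
    return p_a * p_b


def identical_pair_penalty(p_random: float, p_common: float) -> float:
    """How many times more likely the identical pair is to be lost than a
    dissimilar pair with the same per-unit failure chance (1.0 = no penalty)."""
    return identical_pair_failure(p_random, p_common) / dissimilar_pair_failure(p_random, p_random)


def rank_failure_modes(modes):
    """Order 'what if' entries by probability x consequence, highest first,
    so the mitigation team sees the worst exposures at the top."""
    return sorted(modes, key=lambda m: m["probability"] * m["consequence"], reverse=True)


# Constructed placeholder values, not real Eagle/P3E figures.
P_RANDOM = 0.10   # each unit's own failure chance over the mission
P_COMMON = 0.05   # chance of a defect shared by every copy of one design

CONSTRUCTED_MODES = [
    {"mode": "primary transponder receiver lost", "probability": 0.10, "consequence": 8, "mitigated": True},
    {"mode": "shared bus power converter lost", "probability": 0.02, "consequence": 10, "mitigated": False},
    {"mode": "one of two identical radios lost", "probability": 0.10, "consequence": 3, "mitigated": True},
]

if __name__ == "__main__":
    print(f"identical pair lost:  {identical_pair_failure(P_RANDOM, P_COMMON):.4f}")
    print(f"dissimilar pair lost: {dissimilar_pair_failure(P_RANDOM, P_RANDOM):.4f}")
    print(f"penalty for identical copies: {identical_pair_penalty(P_RANDOM, P_COMMON):.2f}x")
    for m in rank_failure_modes(CONSTRUCTED_MODES):
        flag = "" if m["mitigated"] else "  <- no mitigation yet"
        print(f"{m['probability'] * m['consequence']:5.2f}  {m['mode']}{flag}")
```

With the constructed numbers the identical pair is lost about six times as often as the dissimilar pair, and the ranked table puts the unmitigated bus converter below two already-covered modes, which is exactly the kind of comparison a risk team would argue over.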