[time-nuts] Frequency Stability of Trimble Mini-T

Lux, James P james.p.lux at jpl.nasa.gov
Thu Oct 16 23:15:40 UTC 2008 


James Lux, P.E.
Task Manager, SOMD Software Defined Radios
Flight Communications Systems Section
Jet Propulsion Laboratory
4800 Oak Grove Drive, Mail Stop 161-213
Pasadena, CA, 91109
+1(818)354-2075 phone
+1(818)393-6875 fax

> -----Original Message-----
> From: time-nuts-bounces at febo.com
> [mailto:time-nuts-bounces at febo.com] On Behalf Of Mike Monett
> Sent: Thursday, October 16, 2008 3:51 PM
> To: time-nuts at febo.com
> Subject: Re: [time-nuts] Frequency Stability of Trimble Mini-T
>
>   "Lux, James P" <james.p.lux at jpl.nasa.gov> wrote:
>
>   [...]
>
>   > Even without  TMR  or other similar  schemes,  the  probability of
>   > upset IS  pretty low. However, as Black or Scholes  said  (I can't
>   > remember which), "One should not confuse very low probability with
>   > impossible". If it absolutely, positively can't take any hit, then
>   > some more work is involved.
>
>   > James Lux, P.E.
>
>   How do you do that? Any web links to study?
Do what? Drive the rates really, really low? There's a whole literature of failure tolerance where you trade off probability of failure in a box against how many boxes against failures in the voting mechanism, etc.  Then, there's the whole class of algorithms pertaining to the "Byzantine Generals Problem" (unreliable, uncooperative actors communicating by unreliable links)
>
>   As far  as I know, it is impossible to absolutely  guarantee against
>   metastability. Do you wait a week for the metastability to settle?
>
>   If zero probability of failure is so important, you would  also have
>   to include  the  probability of a solder joint  opening,  or  a chip
>   failing due  to metal migration or latent ESD damage. That  is never
>   zero.

Indeed.. That's what the whole shake and bake and egregious margin testing is all about for flight hardware. You hope that the testing will find the latent defects. If you're sending it to Jupiter, you don't get a chance to get it back for repair.  And, when you're only building one unit, all the statistics in the world saying that it's a 1E-6 or 1E-12 chance of failure doesn't necessarily give the folks at the launch readiness review a warm fuzzy feeling. So they obssess.. "just in case".. And it still doesn't always work right (Galileo High Gain Antenna, Mars Observer Orbit insertion, Mars Polar Lander entry/descent/landing, etc.)



>
>   Of course, after the system is perfect, someone will take it and put
>   it on a destroyer running Windows:)

Or send you data in pounds when you expect (and the interface document says) Newtons, or you get a solar flare at just the wrong time..

Stuff happens..

More information about the Time-nuts_lists.febo.com mailing list