Dependability

Vol 19, No 3 (2019)
https://doi.org/10.21683/1729-2646-2019-19-3

STRUCTURAL RELIABILITY. THE THEORY AND PRACTICE

pp. 3-6
Abstract

The Aim of this paper is to ensure the compliance of the requirements for the durability of long-life space technology with the fact that regulatory documents for microcircuitry do not contain durability indicators. Thus, in accordance with OST V 11 0998-99, the dependability requirements only contain indicators of reliability and storability. On the other hand, along with the requirements for reliability and storability, the dependability specifications for space technology feature requirements for durability in operation that are usually equal to the gamma-percentile life Tl.γ = 100 000 h and more if γ = 99.9%. Therefore, for such long-life systems one must define durability indicators that are currently absent in the technical conditions or other delivery documents. The definition of such indicators by means of durability testing is costly and time-consuming. Thus, an analytical method was proposed, according to which the lower estimate boundary for the gamma-percentile life Tl.γ of microcircuitry can be obtained by equating the probability of no-failure of the microcircuit over time Tl.γ to the probability of non-occurrence of life failures that put the microcircuit into the limit state, upon which its operation shall be terminated. In this case, in order to obtain Tl.γ=99.9% = 100 000 h, a nonredundant microcircuit or another product must have a failure rate of 10^-8 1/h. In the case of more complex microcircuits, it does not appear to be possible to obtain the required value of Tl.γ=99.9% = 100 000 h. The paper suggests extending the use of the proposed method of durability indicator identification, taking into consideration the fact that in the systems under consideration the failure of any one product is not allowed and, in this view, various ways of ensuring equipment redundancy are used. Hot standby is understood as a redundancy with one or several backup modules that operate similarly to the main module.
Warm standby is understood as a redundancy with one or several modules that operate at a lower rate than the main module until they start functioning as the main module. The paper considers a number of redundancy architectures of a complex microcircuit that enable the specified high durability indicators. A formula was obtained for the calculation of the durability indicator in more general cases, when the microcircuit is part of a module backed up by another identical module. In this case, if the second module is in warm standby, a high durability indicator can be ensured for the microcircuit. If the second module is in hot standby, the specified durability indicator of the microcircuit is not ensured. The considered method of durability indicator identification can be used for other redundancy architectures of modules in a system.
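The nonredundant case in the abstract above, carried through as an added derivation (not part of the original abstract), assuming a constant failure rate λ so that the probability of no-failure over time t is exp(−λt):

$$P(T_{l.\gamma}) = e^{-\lambda T_{l.\gamma}} = \gamma \quad\Rightarrow\quad \lambda = -\frac{\ln \gamma}{T_{l.\gamma}}$$

$$\gamma = 0.999,\ T_{l.\gamma} = 10^{5}\ \text{h}:\quad \lambda = -\frac{\ln 0.999}{10^{5}} \approx \frac{1.0005 \times 10^{-3}}{10^{5}} \approx 1.0 \times 10^{-8}\ \text{1/h}$$

For a microcircuit of N series elements, where the failure of any one element fails the whole circuit, the total rate is the sum λ = Σ λ_i, so each element would need λ_i ≈ 10^-8 / N 1/h; this is why the required value becomes unattainable for complex nonredundant microcircuits and redundancy has to be introduced.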

pp. 12-20
Abstract
It is common practice to estimate the values of dependability indicators (point estimation). Normally, the probability of no-failure (PNF) is used as the dependability indicator. Due to economic reasons, determinative dependability tests of highly dependable and costly products involve minimal numbers of products, expecting failure-free testing (acceptance number Q = 0) or testing with one failure (Q = 1), thus minimizing the number of tested products. The latter case is most interesting. By selecting specific values of the acceptance number and number of tested products, the tester performs a preliminary estimation of the planned PNF, while selecting Q = 1 the tester minimizes the risks caused by an unlikely random failure. However, as the value Q grows, the number of tested products does so as well, which makes the testing costly. That is why the reduction of the number of products tested for dependability is of paramount importance. Preparation of the plan of tests with addition. We will consider binomial tests (original sample) with addition of one product (oversampling) to testing in case of failure of any of the initially submitted products. Testing ends when all submitted products have been tested with any outcome (original sampling and oversampling). Hereinafter it is understood that the testing time is identical for all products. Testing with the acceptance number of failures greater than zero (Q > 0) conducted with addition allows reducing the number of tested products through successful testing of the original sample. The Aim of the paper consists in preparing and examining PNF estimates for the plan of tests with addition. Methods of research of dependability indicator estimates. Efficient estimation is based on the integral approach formulated in [6, 8-10]. 
The integrative approach is based on the formulation of the rule of efficient estimate selection specified on the vertical sum of absolute (or relative) biases of estimates selected out of a certain set based on the distribution law parameter, where, in our case, n is the number of products initially submitted to testing. Criterion of selection of efficient estimation for PNF. The criterion of selection of an efficient estimate of the probability of failure (or PNF) at a set of estimates is based on the total square of absolute (or relative) bias of the mathematical expectation of estimates E Θ(n,k,m) from the probability of failure p for all possible values of p, n. Conclusions. PNF estimates for the plan of tests with addition were prepared and examined. For the case n > 3, the PNF estimate P(n,k,m) = 1 – p(n,k,m) = 1 – (k+m)/(n+k), in comparison with the implicit estimate V(n,k,m) = 1 – v(n,k,m), is bias efficient. Testing with the acceptance number of failures greater than zero (Q > 0) conducted with addition allows reducing the number of tested products through successful testing of the original sample. Estimates p2, w2 and w3 are unbiased and, as a consequence, bias efficient for the cases n = 2 and n = 3 respectively.

FUNCTIONAL RELIABILITY. THE THEORY AND PRACTICE

pp. 21-33
Abstract

We discuss safety principles of autonomous driving road vehicles. First, we provide a comparison between the principles and experience of autonomous or automatic systems on rails and on the road. An automatic metro operates in a controlled and well-defined environment: passengers and third persons are separated from moving trains by fences, tunnels, etc. A road vehicle operates in a much more complex environment. Further, we discuss safety principles. The application of safety principles (e.g. fail-safe or safe-life) is used to design and implement a safe system that eventually fulfils the requirements of the functional safety standards. The different responsibilities of the human driver and the technical driving system at the different automation levels of autonomous driving vehicles require the application of safety principles. We consider which safety principles have to be applied, using general safety principles and analysing the relevant SAE level based on the experience from projects for the five levels of automated driving as defined by the SAE. Depending on the level of automation, the technical systems are implemented as fail-silent, fail-safe or safe-life.

RISK MANAGEMENT. THEORY AND PRACTICE

pp. 40-46
Abstract

Aim. According to the Russian freight car crash/derailment investigation records for the period between 2013 and 2016, derailments and crashes during train operations were mostly caused by rolling stock malfunctions, while about a third of such derailments were due to bogie solebar fracture. The average number of derailed units of rolling stock is 4.16 in case of derailment due to solebar fracture against 1.73 in case of derailments due to other rolling stock malfunctions. Previously, a method was developed that allows making decisions to discard a batch of solebars. On the other hand, solebars from batches exempt from discarding can be subject to fractures over time. In this context, it appears to be of relevance to develop a method that would enable timely uncoupling of a car for its submission to depot/full repairs in order to avoid solebar fracture. For this purpose, factor models of fracture hazard estimation should be considered. Such factors may include the number of kilometers travelled from the last maintenance depot (MD), as well as the number of kilometers and days until the next scheduled full/depot repairs. The probability of solebar fracture can be used as the quantitative characteristic of the hazard of solebar fracture. However, probability estimation in the form of, for instance, the frequency of solebar fracture is only possible when observation data is available on when a fracture or critical defect of a solebar did not occur, yet such data is not collected. Therefore, a hazard index of solebar fracture should be developed. As it is difficult to manage the frequency of car submission to MD, the hazard index must depend only on the number of days and kilometers to repairs. Using the constructed index, the ranges of (non)acceptable factor values must be defined in order to enable decision-making regarding car uncoupling and submission to repairs, should the MD car inspector have doubts regarding the necessity of uncoupling. Methods.
Methods of mathematical programming were used in this paper. Results. Conclusions. An impact index was built that characterizes the probability of freight car solebar fracture depending on the number of days and kilometers until the next scheduled repairs of such car. Based on that index, two methods of definition of ranges of (non)acceptable factor values were proposed. The first method was based on the values of the impact index. The second one was based on the identification of some parameters of ranges of (non)acceptable factor values and selection – out of all ranges – of the best ones in terms of the lowest hazard of solebar fracture. Such selection was made by solving problems of mixed integer programming with a quadratic constraint.
ISSN 1729-2646 (Print)
ISSN 2500-3909 (Online)