Fault diagnosis of operational synchronous digital systems by Devaney, M. J. & Zobrist, G. W.
Produced by the NASA Center for Aerospace Information (CASI) 
https://ntrs.nasa.gov/search.jsp?R=19700007605 2020-03-12T01:48:59+00:00Z
FAULT DIAGNOSIS OF OPERATIONAL SYNCHRONOUS DIGITAL SYSTEMS*
MICHAEL J. DEVANEY AND GEORGE W. ZOBRIST+
The problem consists of diagnosing faults on operational synchronous digital systems. The paper presents an original approach partitioning the fault diagnosis problem into fault detection and fault location, enabling the detection of single and distinguishable multiple faults and the location of these faults down to their defective module or package in order that effective corrective action can be taken. As the anticipated application of this approach is in aerospace systems, effort has been exerted to minimize computer time and storage requirements so that it may operate effectively on a non-dedicated computer in a time-shared environment. The effectiveness of the approach is demonstrated by its application to a Boolean model of the Gemini's Electronic Timer.
To the authors' knowledge the paper offers a new approach in spaceborne systems and the material presented has not been published elsewhere.
* This research was performed in partial fulfillment of the requirements for Mr. Devaney's Ph.D. Degree, and was supported by the National Aeronautics and Space Administration, Grant 125-0 6 -03-0:3 ( NAS 12-69'').
+ The authors are affiliated with the Department of Electrical Engineering, University of Missouri-Columbia; Columbia, Missouri
f 5?O1 ;	 ( 31 A -449-91X15 )
INTRODUCTION
Recent advances in the design of digital systems have resulted in ever-increasing complexity in such systems. Concomitant with this rise in complexity is the growing demand for extending the operational life of these systems. The combination of these factors focuses increasing emphasis on the problem of equipment maintainability.[1] A requisite condition for effective equipment maintainability, and the particular phase with which this investigation is concerned, is the development of an efficient fault diagnosis technique. The technique for error detection and fault diagnosis described is directed to isolating logic failures in operating synchronous digital systems. It is anticipated that this approach is to be utilized in an environment which can tolerate only a very small amount of system down time. Typical applications for the method include guidance computers, aircraft collision avoidance systems, navigational time reference systems, etc.
The technique introduces a Model Assisted approach to Bi-Modular Redundancy providing continuous error detection, fault diagnosis to the module level, and a self-repair capability, by means of which the system is automatically reconfigured to bypass the failure and restore operation until the defective module can be replaced or repaired. The theoretical basis for the approach is presented and an algorithm is developed for generating an optimal sequence of diagnostic tests. The study concludes by describing the simulation of Model Assisted BMR as applied to the Electronic Timer of the Gemini's Time Reference System.
MODEL ASSISTED BI-MODULAR REDUNDANCY
The Model Assisted Bi-Modular Redundant approach to fault diagnosis is introduced by considering an elementary Parallel Redundant System, identifying its shortcomings, and demonstrating how these shortcomings are overcome in a Model Assisted Bi-Modular Redundant System.
Parallel Redundant Example
Figure 1. Parallel Redundant System
A Parallel Redundant System is depicted in Fig. 1. A comparator is used to monitor the outputs of subsystems A and B which possess a common input. The system also contains a switching element capable of selecting the output of either subsystem. The switch as indicated is selecting A as the primary subsystem while B functions as a reference. The comparator provides error detection by computing the boolean difference of the subsystem outputs and thereby indicates disagreement when a difference is observed. When this condition occurs system operation is interrupted and both subsystems are subjected to a battery of diagnostic tests. If these tests are successful in localizing the fault to subsystem A, the output switch is thrown to B and this system takes over the role of the primary system, while A is repaired or replaced. The converse situation occurs if the diagnostics indicate subsystem B is faulty.
Several shortcomings are observable in this Parallel Redundant approach to fault diagnosis. Paramount among these is the dependence of the method on the set of diagnostic tests. The difficulty encountered in developing efficient diagnostic test sequences for the sequential circuitry prevalent in most digital systems can constitute a major handicap. While adequate methods have been developed for the test synthesis for strictly combinational circuitry (provided these circuits contain no redundancy), there is no simple straight-forward method for developing the diagnostic tests for sequential systems.[2] The methods which have been described in the literature for devising tests for sequential circuitry are usually based upon a single fault hypothesis of the logical node "stuck-at-one" or "stuck-at-zero" variety.[3,4] These methods, while useful in an inspection environment, very often result in such lengthy test sequences as to render them impractical in an operational environment.
An additional shortcoming of this elementary system results from the fact that a faulty subsystem having been diagnosed, the entire system is deprived of its error detecting capability until this subsystem is replaced or repaired.
Bi-Modular Redundancy
Figure 2. Bi-Modular Redundant System
This latter handicap can be alleviated by decreasing the level of redundancy from the subsystem level to the module level. Figure 2 depicts a Bi-Modular Redundant System. (Although the figure suggests series connected subsystems composed of single input single output modules neither the BMR system nor the method to be developed for fault diagnosis are restricted to this type of module or this connection topology.) All intermodular connections in this system traverse steering networks which function as D.P.D.T. switches. Exclusive-or gates have been located at the inputs to the modules to provide disagreement detection. When a fault is detected and diagnosed to a specific module the switches on all outputs from this module are placed in their alternate position. This action isolates the defective module and allows its counterpart to perform for both subsystems while this module is out of service. Locating the error-detecting logic across the input side of the switches inhibits the detector immediately following a faulty module, allowing the remainder of the error-detecting logic to remain effective. If a fault is detected in the switching logic or in the comparison logic it can be corrected in the same manner as the intramodular faults.
Sequential Machine Theory Provides Foundation for MABMR
The theoretical basis for utilizing a Boolean model of the subsystem to assist in failure diagnosis is couched in the fundamental theory of synchronous sequential machines.
Figure 3. Block Diagram of General Sequential System
Any deterministic synchronous sequential machine may be depicted functionally by the block diagram of Figure 3.
S(t) = [s_1(t), s_2(t), ..., s_n(t)]    (1)
is the state vector of the general machine. This n dimensional vector identifies the status of the n internal memory elements within the machine and as such may be viewed as an n bit register.
I(t) = [i_1(t), i_2(t), ..., i_m(t)]    (2)
and
O(t) = [o_1(t), o_2(t), ..., o_p(t)]    (3)
are the m dimensional input vector and the p dimensional output vector, respectively. F(S(t), I(t)) is a n-vector valued function defined over S x I, while G(S(t), I(t)) is a p-vector valued function defined over this same product space. These functions can be realized by strictly combinational logic. Since the occurrence of transitions in synchronous sequential machines is restricted to clock pulses, the explicit time difference equation for this machine may be stated as:
S(t + T) = F(S(t), I(t))
and    (4)
O(t) = G(S(t), I(t))
These equations are reminiscent of the state equation characterization for continuous systems. If the first of these equations is operated on by the backward shifting operator so that the dependent variables coincide in time the equations become:
S(t) = F(S(t-T), I(t-T))
and    (5)
O(t) = G(S(t), I(t))
Thus if the status of the system during the previous period is known and its present input is available then the state of its internal memory elements and that of its outputs are ascertainable.
Operational Characteristics of the MABMR System
The Fault Diagnosis capability of a synchronous Bi-Modular Redundant System is depicted in the block diagram of Figure 4. The State and Output vectors from both subsystems are compared each clock cycle. If they coincide the State vector and the current Input vector are delayed by a single clock period and stored in a m + n bit buffer register. The system continues to function in this manner until the error detection logic detects disagreement in the subsystem State and/or Output vectors. When this situation occurs the clock is inhibited, freezing the system in its current state, and an interrupt is generated to a small general purpose computer. This computer on receiving the interrupt loads the Boolean model of the interrupting system. This model consists of a sequence of logical equations which implement the vector valued functions F(S(t-T), I(t-T)) and G(S(t), I(t)). With the model loaded, the computer retrieves the contents of the BMR Buffer register containing the previous State and Input vectors and evaluates the function F(S(t-T), I(t-T)) to obtain S_m(t). The current input is now retrieved and the function G(S(t), I(t)) evaluated for O_m(t). The computer should now contain the State and Output vectors for the faultless system. The comparison of the model generated State and Output vectors (S_m(t) and O_m(t)) with the corresponding vectors from subsystems A and B will indicate the defective subsystem, if all the faulty modules producing the error condition reside within a single subsystem. This condition is satisfied for all single defective module situations. This first comparison will be considered test zero (T_0). Assuming the integrity of the model generated response (S_m and O_m), this initial test can give the following four possible outcomes:
I.   A = M = B
II.  A = M ≠ B
III. A ≠ M = B
IV.  A ≠ M ≠ B
If condition I occurs the defect is diagnosable to the error detecting logic. Conditions II and III isolate the defective modules to subsystems B and A respectively, while condition IV reveals defective modules in both subsystems.
Since the computer utilized in a MABMR system is required only after a system error is detected, only a small portion of the computer's time would be dedicated to failure diagnosis. Thus, this computer could be performing a number of other functions, perhaps in a multiprogramming or time shared environment, until interrupted by the error detection logic of the MABMR system. A priority interrupt scheme would warrant consideration where two or more of these systems are being serviced. If mission requirements are insufficient to justify the presence of this computer onboard, its capability could be provided via telemetry.
While an appropriate subsystem could be selected under conditions I, II, or III by masking the interrupt, selecting the subsystem, and enabling the clock, a small amount of additional system time will isolate the detected faults to their respective modules as indicated in the next section.
Fault Diagnosis and Fault Correction in a MABMR
The diagnosis is performed by interchanging corresponding modules from subsystems A and B by actuating pairs of the intermodular switches previously described. The circumstances under which the faulty condition was originally detected are then duplicated. The system diagnosis and restoration proceeds according to the following iterative algorithm.
1. Interchange corresponding modules from subsystems A and B as specified by the Test Vector for this iteration.
2. Restore system inputs and memory elements to their status for the period immediately prior to original error detection.
3. Single-cycle the system clock.
4. Apply inputs occurring during the original error detection period.
5. Compare the responses of both subsystems with the previously computed response.
6. Return to 1 if the status of any module remains questionable.
7. Actuate switches to isolate faulty modules.
8. Restore system operation.
As indicated in step 3 the minimum time required for each test is slightly longer than the cycle time of the system clock. Because of this factor the algorithm will usually converge quite rapidly, yielding all the detectable faulty modules within the system. The convergence criteria are first, that there exist at least one of the 2^N configurations of the subsystems which is non-defective, and second, that the proper set of tests is utilized in step 1. A method for determining the optimum sequence of these tests is developed in the next section.
Once the defective modules have been isolated and the system restored to operation, error detection and fault diagnosis continue on that portion of the original system which remains bi-modularly redundant until those defective modules have been replaced or repaired. If the defective modules are not replaced or repaired as they occur, and as more and more failures occur, the fault diagnosis algorithm will gracefully degrade until either it will no longer be significantly effective in detecting errors, or there will no longer exist an effective configuration of the system.
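The detection, test-zero comparison and replay steps above, as an added Python example that is not code from the report. The four-level toggle machine, the stuck-at fault model, the function names and the swap masks 0, 6 and 10 (bit k of a mask is the test-vector component for level k) are all assumptions made for illustration; only state vectors are compared.

```python
# Added illustration, not code from the report: test zero and replay diagnosis
# on a constructed 4-level machine (module behaviour and fault model assumed).
N = 4                    # levels; the BMR system holds 2N modules
SEQUENCE = (0, 6, 10)    # swap masks, bit k = t_{j,k}; mask 0 is T_0 (assumed)


def model_step(state, inp):
    """Boolean model F(S(t-T), I(t-T)): module k toggles when its input is 1.

    Module 0 sees the external input, module k the old state of module k-1.
    """
    drive = [inp] + state[:-1]
    return [s ^ x for s, x in zip(state, drive)]


def chain_step(state, inp, members, faults):
    """One clock of a subsystem whose level-k module comes from members[k]."""
    nxt = model_step(state, inp)
    for k, side in enumerate(members):
        if (side, k) in faults:
            nxt[k] = faults[(side, k)]      # stuck-at memory element
    return nxt


def classify(a, b, m):
    """Outcome of comparing both subsystems with the model (conditions I-IV)."""
    if a == m and b == m:
        return "I"       # A = M = B: error detecting logic at fault
    if a == m:
        return "II"      # A = M != B: subsystem B defective
    if b == m:
        return "III"     # A != M = B: subsystem A defective
    return "IV"          # both subsystems defective


def operate(state, stream, faults, bypassed=()):
    """Lockstep operation with a comparison every clock cycle.

    Returns ("ok", final state) or ("interrupt", cycle, buffer), where buffer
    holds (S(t-T), I(t-T)) as the buffer register would.
    """
    spare = {k: "B" if side == "A" else "A" for side, k in bypassed}
    mem_a = [spare.get(k, "A") for k in range(N)]
    mem_b = [spare.get(k, "B") for k in range(N)]
    for cycle, inp in enumerate(stream):
        a = chain_step(state, inp, mem_a, faults)
        b = chain_step(state, inp, mem_b, faults)
        if a != b:
            return ("interrupt", cycle, (state, inp))
        state = a
    return ("ok", state)


def replay(buffer, mask, faults):
    """Steps 1-5: interchange per mask, restore, single-cycle, compare."""
    state, inp = buffer
    mem_a = ["B" if mask >> k & 1 else "A" for k in range(N)]
    mem_b = ["A" if mask >> k & 1 else "B" for k in range(N)]
    verdict = classify(chain_step(state, inp, mem_a, faults),
                       chain_step(state, inp, mem_b, faults),
                       model_step(state, inp))
    return {"III": 0, "II": 1, "IV": 2}.get(verdict)   # ternary record


def locate(outcomes, sequence=SEQUENCE):
    """Match the observed outcomes against every single-module fault pattern."""
    for side in "AB":
        for k in range(N):
            pattern = [int((side == "B") ^ (t >> k & 1)) for t in sequence]
            if pattern == outcomes:
                return (side, k)
    return None


def diagnose(buffer, faults, sequence=SEQUENCE):
    """Run the whole test sequence and name the defective module."""
    outcomes = [replay(buffer, t, faults) for t in sequence]
    return outcomes, locate(outcomes, sequence)


if __name__ == "__main__":
    stream = [1, 1, 1, 0, 1, 1]                  # constructed input sequence
    faults = {("A", 1): 0}                       # module 1 of A stuck at zero
    _, cycle, buffer = operate([0] * N, stream, faults)
    outcomes, module = diagnose(buffer, faults)
    print("interrupt at cycle", cycle, "outcomes", outcomes, "faulty", module)
    # Steps 7-8: isolate the module and resume from the frozen state.
    print(operate(buffer[0], stream[cycle:], faults, bypassed=[module]))
```

The stuck-at-zero fault stays latent on the first clock, where the correct value is also zero, so the interrupt arrives one cycle later and the buffer holds the state that excites it.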
Optimal Test Sequences for MABMR Systems
The diagnostic test sequence resulting from the algorithm developed in this section is optimal in the sense that it yields the minimum number of tests necessary to distinguish fault conditions of a given class. The term fault condition denotes the particular combination of defective modules which produced the detected error, while the term fault order refers to the number of these modules. All fault conditions of a given order are assumed to have a nearly uniform probability of occurrence, although the algorithm can be adapted to handle particular situations where there is a great disparity in these values. An additional assumption is made that the lower the fault order, the more probable the individual fault conditions of this order. Recalling that the error detecting logic compares the two subsystems at each clock cycle, this becomes a relatively safe assumption.
The algorithm is iterative in nature. It first selects the minimum number of tests necessary to distinguish all first order fault conditions. These are the single defective module situations. The algorithm then, on the basis of previously selected tests, selects the minimum number of additional tests to distinguish all correctable fault conditions of the second order. If a BMR system contains 2N modules, then the highest order fault conditions which this system can tolerate are of order N. If the algorithm is allowed to continue considering correctable fault conditions of successively higher orders until it completes the Nth order conditions, the resulting test sequence will be the shortest able to distinguish all correctable fault conditions. If the algorithm is terminated prematurely, then it will provide the shortest test sequence able to distinguish all fault conditions up to the highest order completed. Under these circumstances the algorithm will generate the minimum number of tests necessary to distinguish all fault conditions whose probability exceeds some lower bound.
The particular configuration of the BMR system being examined during any test is determined by the test vector. This vector is referenced to the status of the modules prior to error detection. The jth test vector in the test sequence is defined as follows:
T_j = [t_{j,0}, t_{j,1}, ..., t_{j,N-1}]    (6)
where the value of the component for level k (t_{j,k}) is zero if module k, which under this test configuration is an element of subsystem A, originated in A and module k̄, now residing in B, originated in B. Otherwise t_{j,k} is one, implying k and k̄ are rotated from their original status.
Since after the initial comparison the detected defect is resolved to either the error detecting logic or the remainder of the system, the possible outcomes for further tests are conditions II, III, or IV. These test results can be recorded in ternary; "0" means the error condition stems from subsystem A alone (III), "1" implies that it stems from B alone (II), while "2" indicates that both subsystems are faulty (IV). The test data ("0's", "1's", and "2's") is arranged in a matrix form. The matrix D_k = [d_ij]_{q,r} is called the data matrix for fault conditions of order k. This matrix has one row for each fault condition of this order f_i (1 ≤ i ≤ q), and a column for each test t_j (1 ≤ j ≤ r). The element d_ij of D is zero, if fault condition f_i under test t_j resides in system A alone; one, if it resides in B alone; or two, if it resides in both. The rows of D are called fault patterns while the columns of D are called test patterns.
The matrix D_k is obtained by inserting each fault condition of a given order into a binary model of the system, executing each test, and recording the results as previously described. The binary model for a BMR system of 2N modules consists of two N bit words corresponding to the A and B subsystems. These words are initially zero. The fault condition is inserted by setting corresponding bits within each word. The test is executed by interchanging the appropriate bits from word to word and then testing each word against zero. A non-zero word denotes the presence of a faulty module within the corresponding subsystem. The result is recorded in ternary for the particular element of D_k.
Since the complement of a test vector merely exchanges the status of the subsystems, and as such possesses no additional fault distinguishing capability, the complement of a selected test is redundant. To avoid this redundancy the modules 0 and 0̄ are restricted to subsystems A and B respectively as indicated in figure 2. Thus, to obtain the global optimum, 2^(N-1) test vectors must be considered. If less than this number are evaluated, a local optimum is achieved among those considered. The objective then is to select the minimum number of additional tests such that every fault pattern is distinguishable from every other fault pattern of this order.
The matrix D may be interpreted graphically in terms of a rooted directed tree called a decision tree. Figure 5(a) contains a submatrix (three of the eight test patterns have been excluded) of the D_1 matrix of the BMR system of figure 2. The particular test vectors associated with each test pattern appear in 5(b). The decision tree associated with this matrix is depicted in 5(c). Each vertex of the tree represents a decision. The edges emanating from these vertices have transmittances corresponding to the possible outcomes. In decision trees for distinguishing fault conditions of order two or greater, the ternary decision rule allows as many as three edges to exit a given vertex. However, as indicated in figure 5, first order decision trees can provide at most binary decision vertices since condition IV cannot occur for fault conditions of this order. The set of edges ordered from the root to a given vertex is referred to as its branch, while the number of edges in the branch determines the vertex decision level. All vertices of decision level j are associated with Test Vector T_j and the edges leaving these vertices determine Test Pattern t_j.
Each branch of the decision tree may be expressed as a subset of the data matrix D as:
B_e = [t_{i_0}, t_{i_1}, ..., t_{i_{s-1}}, ..., t_{i_r}]    (7)
The columns of this matrix are all columns of D permuted so that the first s columns coincide with the s selected tests and appear in the order of selection. The rows of B_e are all those rows which share a common pattern e = e_0 e_1 ... e_{s-1} in ternary. The D_1 matrix of fig. 5(a) has been partitioned into its branch matrices at each decision level.
The iterative scheme developed for selecting the minimum number of additional tests necessary to distinguish all fault conditions of a given order is based upon the notion of weighting tests. The approach is consistent with the test selection algorithm developed by Chang [5] for optimizing binary decision trees. The criterion for test weighting depends upon the distribution of the "0's", "1's", and "2's" in each test pattern. Each test then partitions the set of fault conditions within each branch into three disjoint subsets. Therefore, any pair of these fault conditions constituted by taking one fault from one subset and one from either of the other two can be distinguished by the test. Since the number of pairs of fault conditions that can be selected from two subsets taking one from one subset and one from the other is the product of the number of elements in each subset, and since with three subsets there are three distinct ways in which this can occur, the total number of pairs of branch fault conditions which a test can distinguish is given by:
w_i(e) = N_0 N_1 + N_1 N_2 + N_0 N_2    (8)
where N_0, N_1, and N_2 refer to the number of "0's", "1's", and "2's" respectively in branch matrix B_e's test pattern t_i for branch e. The branch matrix test pattern with the greatest weight distinguishes the largest number of pairs of branch fault conditions. Theoretically a ternary decision tree will have 3^s branches at the s th level. The sum of w_i(e) over all branch matrices is called "the weight of test pattern t_i". This is denoted by W_i where
W_i = \sum_{e=0}^{3^s - 1} w_i(e)
The following algorithm may be used to select the minimum number of additional tests for distinguishing all fault conditions of order k from the data matrix for this order.
1. Form the 3^s branch matrices of D_k, where s is the number of selected tests.
2. Compute W_i for all remaining tests.
3. Select a most weighted test. If its weight is greater than zero, return to step one. The test selected is t_{s+1}. If its weight is equal to zero, the process is completed for fault conditions of this order.
The process completes a given order in a finite number of iterations--in the worst case the number of fault conditions of this order or the number of unselected tests, whichever is smaller.
Employing the algorithm to the matrix D_1 of figure 5(a) indicates that tests T_1 and T_3 of figure 5(b) when coupled with T_0 are sufficient to diagnose all eight single defective module situations and are optimum because the minimum number of binary decisions for eight objects, log_2 8, is three. This three test sequence was carried to the D_2 matrix of fig. 5(d). When the branch matrices were formed and a single iteration of the algorithm completed it was found that test pattern t_3 associated with test T_4 = [0 1 1 0] with a weight of six was sufficient to extend the test sequence to handle all correctable double fault conditions. Thus three reconfigurations of the system are sufficient to diagnose all eight single fault conditions and all twenty-four double fault conditions.
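The binary model used to build D_k and the weighted selection procedure of this section, as an added Python example that is not code from the report. It assumes a test vector is stored as a swap mask whose bit k is t_{j,k}, with level 0 never interchanged; the function names are illustrative, ties are broken by taking the lowest mask, and the mask numbering need not match the T_j numbering of figure 5(b).

```python
# Added illustration, not code from the report: the binary model that builds
# D_k and the weighted selection of tests (mask encoding is an assumption).
from itertools import combinations, product


def fault_conditions(n, order):
    """Correctable fault conditions of one order, each as (A word, B word).

    Bit k of a word is set when the module at level k of that subsystem is
    defective. A condition is correctable when no level has both modules bad.
    """
    conditions = []
    for levels in combinations(range(n), order):
        for sides in product("AB", repeat=order):
            a = sum(1 << k for k, s in zip(levels, sides) if s == "A")
            b = sum(1 << k for k, s in zip(levels, sides) if s == "B")
            conditions.append((a, b))
    return conditions


def candidate_vectors(n):
    """The 2^(N-1) test vectors as swap masks; level 0 is never interchanged."""
    return list(range(0, 1 << n, 2))


def outcome(fault, mask):
    """Interchange the masked levels, then test each word against zero.

    Returns 0 (fault in A alone), 1 (B alone) or 2 (both subsystems).
    """
    a, b = fault
    a_after = (a & ~mask) | (b & mask)
    b_after = (b & ~mask) | (a & mask)
    if a_after and b_after:
        return 2
    return 0 if a_after else 1


def fault_pattern(fault, selected):
    """Row of the data matrix restricted to the selected tests."""
    return tuple(outcome(fault, t) for t in selected)


def weight(faults, selected, candidate):
    """W_i: pairs the candidate separates, summed over all branch matrices."""
    branches = {}
    for f in faults:
        counts = branches.setdefault(fault_pattern(f, selected), [0, 0, 0])
        counts[outcome(f, candidate)] += 1
    return sum(n0 * n1 + n1 * n2 + n0 * n2 for n0, n1, n2 in branches.values())


def extend_sequence(n, order, selected):
    """Add most-weighted tests until no remaining test has positive weight.

    Returns (full sequence, [(added mask, its weight), ...]).
    """
    faults = fault_conditions(n, order)
    sequence, added = list(selected), []
    while True:
        remaining = [t for t in candidate_vectors(n) if t not in sequence]
        scored = [(weight(faults, sequence, t), t) for t in remaining]
        if not scored:
            break
        best_w = max(w for w, _ in scored)
        if best_w == 0:
            break
        best = next(t for w, t in scored if w == best_w)   # first of any ties
        sequence.append(best)
        added.append((best, best_w))
    return sequence, added


def diagnosis_table(n, order, sequence):
    """Map each fault pattern to its fault condition; None if any two collide."""
    table = {}
    for f in fault_conditions(n, order):
        if table.setdefault(fault_pattern(f, sequence), f) != f:
            return None
    return table


if __name__ == "__main__":
    N = 4                                     # 2N = 8 modules, as in the example
    seq1, add1 = extend_sequence(N, 1, [0])   # mask 0 is T_0, always selected
    seq2, add2 = extend_sequence(N, 2, seq1)
    print("first order :", seq1, add1)
    print("second order:", seq2, add2)
```

For N = 4 it selects two tests beyond T_0 for the eight single faults and one further test, of weight six, for the twenty-four correctable double faults, the counts reported in the text.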
Simulated MABMR for the Gemini Electronic Timer
The functional diagram of the Gemini Electronic Timer appears in figure 6. The Manual Digital Indicator Unit (MDIU), Computer, Data Transmission System and Command Link Encoder are external systems interfacing with the Electronic Timer. Physically the electronic timer consists of seven interconnected modules. One module contains the power supply while the other six consist entirely of logic circuitry. These latter six modules contain approximately three hundred gates and eighty memory elements. A Boolean model was developed for this circuitry and verified by computer simulation. Faults were inserted into this model to assist in locating the error detecting logic. With the development of models for the error detecting logic and intermodular switches, the Electronic Timer model was adapted to simulate BMR operation. Tests were developed for the six module subsystems using the algorithm of the previous section. The simulation of various fault conditions demonstrated the capability of the MABMR system to diagnose detected faults to the module level, to reconfigure itself to by-pass the faulty modules, and to restore system operation.
SUMMARY AND CONCLUSION
A model assisted approach to bi-modular redundancy has been described for application to operational synchronous digital systems. The manner in which this approach provides continuous error detection, diagnosis of all single fault conditions and all correctable multiple fault conditions, and self-repair, by automatic reconfiguration, have been detailed. The theoretical basis for the approach was presented and an algorithm was developed for generating an optimal sequence of diagnostic tests. The study concluded with a brief description of the simulation of a MABMR as applied to the Electronic Timer of the Gemini Time Reference System.
In concluding it is interesting to compare this approach to fault diagnosis with the conventional approach. Normally a sequence of inputs are applied to a system whose configuration remains static during diagnosis, as in the parallel redundant example. In the MABMR diagnostic procedure, a single pair of consecutive inputs are applied repeatedly to a system which is undergoing a sequence of configurations. One significant advantage of this latter approach is that the testing sequence is largely independent of the circuitry within a module. Thus the same test sequence could be utilized effectively on two entirely different N-module BMR systems.
REFERENCES
[1] J. D. Brule, R. A. Johnson, and E. Kletsky, "Diagnosis of Equipment Failures," IRE Trans. on Reliability and Quality Control, vol. RQC-9, pp. 23-24; April 1960.
[2] D. C. Roberts, "Increasing Reliability of Digital Computers," Computer Design Magazine, pp. 44-48; January 1969.
[3] D. B. Armstrong, "On Finding a Nearly Minimal Set of Fault Detection Tests for Combinatorial Logic Nets," IEEE Trans. on Electronic Computers, vol. EC-15, pp. 66-73; February 1966.
[4] K. Maling and E. L. Allen, "A Computer Organization and Programming System for Automated Maintenance," IEEE Trans. on Electronic Computers, vol. EC-12, pp. 887-895; December 1963.
[5] H. Y. Chang, "An Algorithm for Selecting an Optimum Set of Diagnostic Tests," IEEE Trans. on Electronic Computers, vol. EC-14, pp. 706-711; October, 1965.
