Digital system upset.  The effects of simulated lightning-induced transients on a general-purpose microprocessor by Belcastro, C. M.
3 1176 01346 2420
NASA-TM-84652 19830015941
NASA Technical Memorandum 84652
DIGITAL SYSTEM UPSET- THE EFFECTS OF
SIMULATED LIGHTNING-INDUCED TRANSIENTS
ON A GENERAL-PURPOSE MICROPROCESSOR
CELESTE M. BELCASTRO
APRIL 1983
Jl|t / 1990
_L',-"! ;, .,_
N/ A
NationalAeronauticsand
Space Administration
Langley ResearchCenter
Hampton,Virginia23665
https://ntrs.nasa.gov/search.jsp?R=19830015941 2020-03-21T04:39:28+00:00Z

DIGITAL SYSTEM UPSET--THE EFFECTS OF SIMULATED
LIGHTNING-INDUCED TRANSIENTS ON A GENERAL
PURPOSE MICROPROCESSOR
by
Celeste M. Belcastro
NASA Langley Research Center
Hampton, Virginia 23665
ABSTRACT
Flight-crltlcal computer-based control systems designed for advanced
aircraft must exhibit ultrareliable performance in lightning-charged
environments. Digital system upset can occur as a result of lightning-induced
electrical transients, and a methodology has been developed to test specific
digital systems for upset susceptibility. Initial upset data indicates that
there are several distinct upset modes and that the occurrence of upset is
related to the relative synchronization of the transient input with the
processing state of the digital system. A large upset test data base will aid
in the formulation and verification of analytical upset reliability modeling
techniques which are being developed.
INTRODUCTION
ADVANCED AIRCRAFT of the 1990"s will be designed with composite
structures and computer-based digital control systems capable of performing
fllght-crltlcal functions. These digital systems will be required to be
ultrareliable whether the aircraft is flying through a normal or adverse
environment--such as a thunderstorm. There is, therefore, a need for a better
understanding of the in-fllght llghtnlng-charged environment as well as the
development of techniques for assessing the performance/rellability of digital
systems on composite aircraft in that environment.
When an aircraft is struck by lightning, exterior electromagnetic fields
are formed that are dependent on the geometry and structural material of the
aircraft. These exterior fields are coupled to the interior of the aircraft
causing transient voltages and currents to be induced on electrical cables
throughout the aircraft. Onboard electronic equipment are subjected to the
analog electrical transients that manage to propagate to interface circuitry,
power lines, etc., despite shielding and protection devices (I)*.
Lightnlng-induced electrical transients can impair the operation of
digital systems by either damaging components or by causing functional error
modes--or upsets--in which no component damage is involved. Digital system
upset is permanent in that it requires corrective action, such as resetting the
system or reloading the software, to restore normal system function. Upset can
be viewed from a hardware or software perspective. The hardware viewpoint is
in terms of logic states, whereas the software viewpoint is in terms of program
flow. There has been some ongoing work for several years to predict erroneous
loop program execution using linear difference equations (2). However, there
are no standard guidelines or criteria for performing upset tests or analysis
of digital systems.
This paper describes a methodology whereby a microcomputer is tested in
the laboratory for its susceptibility to entering upset modes and presents data
obtained to date. The objectives of these tests are to investigate the
*Numbers in parentheses designate References at end of paper.
2
statistical nature of digital system response to analog transients and to
verify potential analytical techniques for generating upset statistics for use
in upset reliability models. An analytical approach for generating such
statistics is based on the utilization of a special-purpose computer
specifically designed to emulate and perform error mode diagnostics on a target
computer (3). Once these statistics are generated and an upset model is
designed, a reliability prediction can be made for the performance of the
target computer, assuming that lightnlng-lnduced transients have entered the
system. This reliability prediction could be generated by using existing
reliability estimation programs, such as the Computer-Aided Reliability
Estimation code, CARE III (4). In order to predict the reliability of the
target system on an aircraft flying in a lightnlng-charged environment,
in-flight data is needed to aid in defining the characteristics of that
i
environment. This data is currently being obtained by tests in which a
specially-instrumented aircraft is flown through thunderstorms to elicit
lightning strikes (5). This lightning data, as well as data obtained through
upset testing described in this paper, will aid in providing a basis from which
analytical reliability prediction techniques can evolve.
UPSET TEST METHODOLOGY
The digital unit under test is the Intel Intellec 8/Mod 80 microcomputer.
It is based on an 8080 microprocessor and was chosen because it is a typical,
general-purpose microcomputer and comprises a small enough network to
facilitate instrumentation. A simplified block diagram of the digital unit
under test is shown in Figure I. The analog electrical transients being input
into the digital unit under test are designed to model voltages and currents
that are likely to be induced by electromagnetic fields in a llghtning-charged
environment; the waveshapes are based on those recommended for direct
application to electronic equipment pins by avionics subcommittee AE4L of the
Society of Automotive Engineers (6). These waveshapes, shown in Figure 2, are
representative of lightning-induced voltages and currents and it is recommended
that both positive and negative polarity versions of the waveforms be applied
to the test unit. The amplitude of these waveforms is restricted, in this
case, by the damage threshold of components within the unit under test. The
analog transients are input into the digital unit under test randomly with
respect to time and with respect to internal processing state of the unit being
tested. Randomness is desired so that transient signal inputs are not
synchronized with processing actlvity--thus, more realistically simulating the
random process that might take place in the actual lightning-charged
environment. Upset statistics collected under these conditions will enable
statistical cross-tabulations to be made and will enhance a stochastic upset
model in which digital system response to lightning-induced transients is
modeled statistically.
The upset test hardware configuration shown in Figure 3 is based on
comparison monitoring of two identical Intel microcomputers that are
synchronized and executing the same program code concurrently. One
microcomputer, the unit under test, is perturbed by analog electrical
transients while the second one serves as an unperturbed reference unit.
Thirty-two of the forty pins from each microcomputer's central processing unit
(CPU) are compared via error detection circuitry, in a bitwise fashion. These
lines include the 8-bit bidirectional data bus, the 16-bit address bus, and
eight CPU control lines. The analog electrical transients are generated when a
relay is opened causing a capacitor in an RLC circuit to discharge; closing the
relay causes the capacitor to agalnbecome charged, which is required for
generating another transient signal. The random generation of the electrical
transient is provided by circuitry that controls the opening and closing of the
relay independently of either the unit under test or the reference unit.
Transient signals can also be generated in a free-running manner in which the
time between transients varies pseudo-randomly from about 5 seconds to
1.5 minutes with a resolution of approximately 350 ms. This time interval
between transients can be adjusted and was chosen somewhat arbitrarily. The
lower limit of 5 seconds, however, was chosen to provide enough time for a
program of moderate size (about 500 instructions) to be executed in a
continuous loop at least I000 times. It is assumed that if the unit under test
can correctly execute the program code I000 times, once the transient signal
has entered the system, then an error due to that transient signal will
probably not occur. If no error is detected, the electrical transient is again
input to the unit under test. If an error is detected, no more transient
signals are generated, error data is recorded, and the test is finished.
The error data being recorded is obtained from the CPU lines that are
monitored from the unit under test. These data comprise the memory addresses
accessed, instructions fetched from memory, CPU data input/output (I/0), eight
5
CPU control signal logic states during CPU-memory data bus transactions, and
the CPU status signal. The status signal is output onto the data bus by the
CPU to identify the subsequent machine cycle. The 8080 microprocessor machine
cycles and corresponding 8-bit status signals are shown in Table I.
In order to statistically evaluate the effects of analog transients on
the unit under test, data is generated and recorded to provide a means of
determining the CPU processing state when each electrical transient was input
into the test unit. This data is obtained using a 28-bit counter that is
clocked by _I from the reference unit. Since processing activity is
organized in the 8080 as shown in Table 2 (7), a count of the number of clock
cycles that occur between transient signal inputs can be used to determine the
instruction, machine cycle, and machine cycle state in progress when each
transient input occurs. The clock cycle count is initialized when the
microcomputers begin executing the program code. When the electrical transient
is input into the unit under test, the clock cycle count is latched, the
counter is reinitialized, and the clock cycle data is recorded. This process
continues until an error is detected. Once the detection of an error occurs,
the number of clock cycles that elapsed since the electrical transient was
input into the test unit is latched, and the error data described previously is
recorded.
Clock cycle data and error data are recorded on 8 x 8K bit nonvolatile
random access memory cards. After each test is completed, the data on these
memory cards is transcribed for permanent record onto magnetic tape and become
data files. The data in these files is then processed using a specially
written FORTRAN program. Error data from the CPU data bus, address bus, and
control lines of the unit under test are disassembled, formatted, and listed so
that concurrent activity on these lines can be tracked. Clock cycle data is
used to calculate the 8080 instruction, machine cycle, and machine cycle state
in progress when each transient signal was injected and when the error was
detected.
UPSET TESTS AND RESULTS
Upset tests completed to date have been performed utilizing a I-MHz
damped sinusoid of negative polarity as the perturbing electrical transient.
No provisions have been made, at this time, to achieve the rise time of the
S.A.E. recommended waveform. During each individual test, the analog transient
signal was input on a single llne in the unit under test, rather than on
multiple lines throughout the unit. The program being executed in a continuous
loop by the microcomputers during each test is shown in Table 3; the machine
cycle, machine cycle states, and control signal corresponding to each
instruction are indicated. The program causes data byte (CB)I 6 to be
retrieved from random access memory location (0011)16 and input into the
accumulator register of the CPU. The data byte is then stored in random access
memory location (0023)i 6. This program is extremely simplistic and was
chosen to minimize the number of processing states to which the input of
electrical transients could be correlated in a statistical analysis.
Minimizing the number of processing states reduces the amount of data needed
for a statisticallysignificantdata base. Thus, a precursoryanalysis can be
performed in a relativelyshort period of time to determinewhether or not a
correlationmay exist.
The transientsignal has been input into the unit under test II01 times
on lines MDI0, MDI3, and MDI7 of the input data bus, DB0 of the output data
bus, DO of the bidirectionaldata bus, and MAD0 of the memory address bus.
Thirty-fiveof these analog transientinputs caused the unit under test to
exhibit anomalousbehavior,and in 30 of these cases the systemwas upset. The
remainingfive cases involvederrors that have been termed as benign. Benign
errors include contaminateddata, temporarydivergencefrom correct program
flow, and slight instructionchanges that do not prevent the system from
performing the desiredactivity. Data recordedduring the 30 tests in which
the unit under test was operatingin an upset mode can be categorizedinto
three types. Type I upset data is characterizedby the CPU data bus, and
sometimesthe address bus and/or controllines, being "stuck"at some valid or
invalid sequence. Type II upset data indicatesthat the CPU of the unit under
test was "babbling"erroneousinformationon the data bus, control lines, and
usually the address bus as well. Table A of the appendix shows Type II upset
data. Type III upset data suggests that the CPU exhibits a pattern of behavior
during which it completesseveral programcycles correctlyand then "babbles"
or becomes"stuck"during several cycles. The amount of processingactivity,
such as CPU-RAMinteraction,taking place during each upset mode is yet to be
determined. The number of times that the transientsignal was input on each
line in the unit under test as well as the correspondingnumber of anomalies,
benign errors,upset modes, and upset types detectedare shown in Table 4.
8
Several general observations can be made from the upset data recorded
thus far. Eight-bit signals are input into the CPU during some instruction
fetch cycles that do not correspond to instructions in the test program or even
represent the op-code for any of the 8080"s 244 instructions. Similarly, the
CPU issues status signals that do not correspond to the machine cycles which
constitute execution of the test program and often do not signify any of the
ten 8080 machine cycles. The CPU also issues signals on the address bus which
represent memory locations in RAM other than those that should be accessed
during execution of the program, memory locations in ROM, and sometimes
locations outside the boundary of available hardware. In addition, control
signals are issued by the CPU that either should not occur during execution of
the test program or that should not occur during CPU-memory data bus
transactions. This undefined CPU activity has not yet been investigated. In
18 of the 30 upset cases recorded, normal function was restored by resetting
the system. In the remaining 12 cases, some or all of the memory locations
allocated for the test program were overwritten requiring that the program be
reloaded and initialized to restore normal system function. This information,
as it relates to the number of upsets detected and the number of times the
transient was input on each line of the unit under test, is included in
Table 5.
The data base obtained to date is insufficient for performing a
comprehensive statistical analysis to determine if the occurrence of upset can
be correlated to the 8080 processing state in progress when the analog
transient signal is input into the system. Nonetheless, several rudimentary
cross-tabulations were performed in which the number of observed upsets was
arranged in contingency tables with several processing state subdivisions and
the occurrence or nonoccurrence of upset as the random variables. The initial
hypothesis being tested by each cross-tabulation is that the occurrence of
upset is equi-probable for each processing state in progress when the
electrical transient was input into the system. Calculating the chi-square
statistic and comparing it to the appropriate value of the chi-square
distribution determines whether or not the initial hypothesis should be
rejected (8). Since the occurrence, rather than nonoccurrence, of upset is of
primary interest, the chi-square statistic for the data in each contingency
table was calculated using only the number of upsets observed and the number of
upsets that would be expected to occur under the initial hypothesis for each
processing state. An assumption that is implicit in the chi-square calculation
for the data in each contingency table is that upset occurred with equal
probability for each transient signal input point that yielded an observed
upset. This assumption cannot be tested at this time due to the small quantity
of data that has been obtained thus far. Tables 6-10 show the number of
observed upsets, the number of upsets expected under the initial hypothesis,
the calculated chi-square statistic, and appropriate values of the chi-square
distribution asapplied to various processing levels. Since the calculated
chi-square statistic for the data in contingency Table 6 is less than the value
of the chi-square distribution for an _ = 0.I0 level of significance, the
initial hypothesis--that the occurrence of upset is equi-probable when the
transient signal is input during execution of any instruction of the test
I0
program--cannot be rejected. On the other hand, the calculated chi-square
statistic for the data as arranged in contingency Tables 7, 8, and 9 for
various machine cycle categories indicates that the initial hypothesis of there
being an equal probability that upset will occur when the transient signal is
input during the various machine cycles, irrespective of the associated program
instruction being executed, can be rejected at an _ = 0.005 level of
significance. This level of significance means that the probability of having
rejected the initial hypothesis when, in actuality, it should not be rejected
is 0.005. Rejecting the initial hypothesis for the data in contingency Table 7
can primarily be attributed to the much smaller than expected number of
observed upsets that occurred when the transient signal was input during memory
write machine cycles. Rejection of the initial hypothesis for the data as
arranged in contingency Tables 8 and 9 can primarily be attributed to the
larger than expected number of upsets observed when the transient signal was
input during instruction fetch machine cycles. The chi-square statistic
calculated for the data in contingency Table I0 indicates that there is no
basis on which to reject the initial hypothesis of there being an equal
probability of upset occurring when the transient signal is input during
various machine cycle states, irrespective of the associated machine cycle or
instruction. A more complete statistical analysis associating instruction,
machine cycle, and machine cycle state will be performed once a larger data
base has been obtained.
11
A preliminary upset model has been developed and is presented in
Figure 4. The probability of being in each of the defined states can be
determined once the probability density functions (pdf's) 0(t), _(t), B(T) and
_(T) are determined for a specific digital system being considered. Function
0(t) is the pdf of the time it takes for upset to occur, once the transient
signal has entered the system. Similarly, _(t) is the pdf of the time
required, once the transient signal has entered the system, for benign errors
to be generated. Functions _(T) and _(T) are the pdf's of the time
required for system recovery or system failure, respectively, once system upset
has occurred. Probability density functions 0(t) and _(t) will be
determined for the 8080-based microcomputer using upset test data currently
being obtained. The clock cycle counter in the upset test circuitry is
reinitialized when the transient signal is input into the test system, and the
clock cycle count is latched and recorded upon detection of an error. Since
the clock frequency is 2 MHz, the time required for upset to occur or benign
errors to be generated, once the transient signal has entered the system, can
be calculated by multiplying the clock cycle count by 500 ns. The upset
propagation times calculated from each test in which upset occurred will be
used to generate a histogram showing frequency of upset occurrence versus
various upset propagation time intervals. Function 0(t) is then determined
by approximating the histogram with a known distribution or deriving the
equation of the curve which best fits the envelope of the histogram. Figure 5
shows the upset propagation time histogram formulated from the upset data
obtained to date. Since the data base is small, no attempt has yet been made
12
to determine p(t). Probability density function _(t) for benign error
generation time will be determined in a similar manner. The pdf°s o(T) and
B(T) for recovery time and failure time, respectively, cannot be determined
unless upset recovery mechanisms are designed and implemented in the
microcomputer system. If this is undertaken, pdf's o(T) and 8(T) will be
determined similarly.
SUMMARY ANDCONCLUSIONS
A methodology has been developed to test a general-purpose microcomputer
for susceptibility to upset caused by analog transient signals which model
lightning induced effects waveforms. Upset data has been obtained during 30 of
II01 transient signal injection tests and indicates that there are several
distinct upset modes. Type I upset involves CPU lines and/or buses being stuck
at some logic state sequence whereas, during Type II upset, the CPU "babbles"
erroneous and/or undefined information on its lines and buses. Type III upset
occurs when the CPU exhibits a pattern of behavior during which it completes
several program cycles correctly and then "babbles" or becomes "stuck" during
several cycles. Processing activity taking place during upset modes is yet to
be investigated. Statistics performed thus far do not refute the claim that
upset occurs with equal probability when the transient signal is input during
each instruction cycle. However, there is evidence against the occurrence of
upset being equl-probable when the transient signal is input during the machine
cycles that occur throughout execution of the test program, irrespective of the
instruction cycle in progress. At this time, there is no evidence to disclaim
13
the assertionthat upset occurs with equal probabilitywhen the transientis
input during the variousmachine cycle states,irrespectiveof the associated
machine cycle or instructioncycle. A more comprehensivestatisticalanalysis
will be performedonce a sufficientdata base has been obtained. Upset test
datawillalso be used to determineprobabilitydensity functionsof the time
it takes for upset to occur and benign errors to be generatedin the 8080-based
microcomputer,once the analog electricaltransienthas entered the system.
These probabilitydensity functionswill be used to determinethe upset
susceptlbilltyof the 8080 microcomputervia a preliminaryupset rellability
model that has been developed. Although extensiveupset testinghas not been
completed,the primary conclusionthat can be made at this time is that dlgltal
system upset may best be characterizedat the machine cycle level of processing
activity.
14
REFERENCES
I. Rodney A. Perala, Terence Rudolph, and Frederick Eriksen,
"Electromagnetic Interaction of Lightning with Aircraft." IEEE Transactions on
Electromagnetic Compatability, Vol. EMC-24, No. 2, May 1982.
2. Gerald M. Masson and Robert E. Glaser, "Intermlttent/Transient Faults
in Digital Systems." NASA CR 169022, May 1982.
3. Gerard E. Migneault, "Emulation Applied to Reliability Analysis of
Reconfigurable, Highly Reliable, Fault Tolerant Computing Systems for
Avionics." NASA TM 80090, April 1979.
4. J. J. Stiffler and L. A. Bryant, "CARE III Phase II Report,
Mathematical Description." Raytheon Co., Sudbury, Ma., NASA CR-3566, 1982.
5. Felix L. Pitts, "Electromagnetic Measurement of Lightning Strikes to
Aircraft." AIAA Journal of Aircraft, Vol. 19, No. 3, March 1982, pp. 246-250.
6. "Test Waveforms and Techniques for Assessing the Effects of
Lightning-Induced Transients." AE4L Committee Report AE4L-81-2, Society of
Automotive Engineers, December 1981.
7. Intellec 8/Mod 80 Microcomputer Development System Reference Manual,
Intel Corp., 1974.
8. S. Wilks, "Mathematical Statistics." John Wiley and Sons, Inc.,
New York, 1962.
15
Table 1 - 8080 Machine Cycles and Corresponding 8-Bit
Status Signals in Hexidecimal Format
MACHINECYCLE STATUSSIGNAL
INSTRUCTION FETCH A2
MEMORY READ 82
MEMORY WRITE O0
STACK READ 86
STACK WRITE 04.
INPUT 42
OUTPUT I0
INTERRUPT 23
HALT 8A
INTERRUPTWHILEHALT 2B
Table2 - ProcessingLevelsfor the 8080Microprocessor
PROCESSINGLEVEL COMMENTS
INSTRUCTION CYCLE i. Defined by op-code for each
1-3 byte instruction
2. Consists of 1-5 machine cycles
MACHINE CYCLE I. Identifiedby status signal for
type of CPU-memoryor CPU-I/O
port transaction
2. Consists of 3-5 states
MACHINE CYCLE STATES i. Defined by single cycle of clock
signal _1
2. Smallest unit of processing
activity
Table3 -Address Bus,DataBus,and ControlSiEnal
ActivityDuringExecutionof the Upset
Test ProgramCode
DATABUS CPU CONTROLSIGNAL
ADD&. NO.OF
BUS OP.CODE/INSTo STATUSSIG./MACH.CYC. STATES WAIT RDY HLDA SYNC _ DB_N _NTE HLD
0010 3E: MVIA A2:INST.FETCH 5 I I 0 0 I I 0 0
0011 CB: C8 82: HEM. READ 4 1 1 0 0 1 1 0 0
0012 32: STA A2:INST.FETCH 5 1 I 0 0 I 1 0 0
0013 23: 23 82:MEM.EEAD 4 I I 0 0 I I 0 0
0014 00: 00 82:HEM°READ 4 1 I 0 0 I I 0 0
0023 CB 00:MEM.WEITE 4 I I 0 0 0 0 0 0
0015 C3: JMP A2:INST.FETCH 5 1 I 0 0 I I 0 0
0016 I0: I0 82:MEM.READ 4 I I 0 0 I I 0 0
oo 0017 00: 00 82: HEM. READ 4 1 1 0 0 1 1 0 0
Table 4 - Breakdown of System Anomalies Observed Per Number
of Transient Signal Inputs at Each Input Point in
the Unit Under Test
NO.OF
TRANSIENT TRANSIENT SYSTEM BENIGN SYSTEMUPSETS
INPUTPOINT INPUTS ANOMALIES EEEORS TOTAL TYPEI TYPEII TYPEIll
MDI0 II II 3 8 2 4 2
(MEM. DATA IN.-LSB)
MDI3 II II 0 II 0 U 0
(MEM°DATAIN°-4thLSB)
,-, MDI 7 11 11 1 10 1 9 0
_o
(MEM.DATA IN°-MSB)
DO 2 2 1 1 0 0 1
(CPUDATA BUS-LSB)
DB0 720 0 0 0 0 0 0
(DATA BUS OUT.-LSB)
MAD0 346 0 0 0 0 0 0
DR. BUS-LSB)
Table5 - UpsetsInvolvingOverwrittenProgramMemory
Per TotalNumberof UpsetsObservedfrom
TransientSignalInputsat Each InputPointin
theUnit UnderTest
NO.OF TOTAL UPSETSINVOLVING
TRANSIENT TRANSIENT NO.OF OVERWRITTEN
INPUTPOINT INPUTS UPSETS PROGRAMEMORY
MDI0 II 8 3
MDI3 11 11 2
MDI7 11 10 7
DO 2 1 0
ro
o
Table 6 - Contlngency Table and Chi-Square Statistic
£or the Occurrence of Upset When the
TransientSignalis InputDuringInstruction
Cycles
MVIA STA JMP
NO UPSET 245 473 353 1071
UPSET 12 9 9 30
(EXPECTED) 410.0) (lO.0) (I0.0)
TOTAL 257 482 362 II01
CALCULATEDX2 - 0.6
X2 X2_= 4.61 = 5.99
- 0.10 - 0.05
Table 7 - Contingency Table and Chl-Square Statistic
for the Occurrence of Upset When the Transient
Signal Is Input During Machine Cycles
INST. MEM. MEM.
FETCH READ WRITE
NO UPSET 392 562 117 1071
UPSET 15 14 1 30
(EXPECTED) (I0.0) (I0.0) (i0.0)
TOTAL 407 576 118 1101
ro CALCULATED X2 = 12.2
X2 X2a = 0.05= 5.99 = 10.6a = 0.005
Table 8 - Contingency Table and Chi-Square Statistic for the Occurrence of
Upset Nhen the Transient Signal is Input During Hachine Cycles
(Memory Read Cycles are Subclassified Into Data and Addresses
Read from Memory)
INST. HEH. RD. HEH. RD. HEH.
FETCH (DATA) (ADDR.) NRITE
NO UPSET 392 110 452 117 1071
UPSET 15 6 8 i 30
(EXPECTED) (7.5) (7.5) (7.5) (7.5)
TOTAL 407 116 460 118 1101
CALCULATED X2 ffi13.43
X2 = 7.81 X2 = 12.8
= 0.05 a = 0.005
Table 9 - Contingency Table and Chi-Square Statistic for the
Occurrence of Upset When the Transient is Input
During Machine Cycles (Memory Read Cycles are
Subclassified into Data, Low Address Bytes, and
High Address Bytes Read from Memory)
HEM. RD. HEM. RD.
INST. MEM. RD. (LOWBYTE (HIGHBYTE MEM.
FETCH (DATA) OF ADDR.) OF ADDR,) WRITEl
UPSET [ 392 110 218 234 117 1071
l
NO UPSET I 15 6 3 5 1 30
(EXPECTED)I (6.0) (6.O) (6.0) (6.0) (6.0)
TOTAL 407 116 221 239 118 1101
CALCULATEDX2 ffi19.37
X2 = 9.49 X2 = 14.9a = 0.05 ffi0.005
Table 10 - Contingency Table and Chi-Square Statistic for the
Occurrence of Upset When the Transient Signal is
Input During Machine Cycle States
T1 T2 TW T3 T4
NO UPSET 249 268 255 223 76 1071
UPSET 9 7 6 5 3 30
(EXPECTED (6.0) (6.0) (6.0) (6.0) (6.0)
TOTAL 258 275 261 228 79 II01
CALCULATEDX2 ffi3.34
_o
(21
X2 ffi 7.78 X2 = 9.49
_ _,0.i ct- 0.05
iICRYSTALIAOORESS0USMA00OSC. F "
DATABUS _ OUTPUTDATA Eu _ RIW
F DB0CLOCK DO F MEMORY
•
CKTS. " E DB7R
--- STATUS
o_ INPUT
READY MUX
LINE
)1
CONTROL
FROMCPU
MDlo
.
MDI7. INPUTDATA
i
Figure i. - Overview of digital unit under test (8080-based microcomputer).
DAMPEDSINUSOIDALWAVEFORMi i
VI,
t
s
RISETIME,
WAVEFORMFREQUENCY ns DAMPING
I 1MHz(+ 20"1o) 50MAX AMPLITUDEDECREASES
2 10MHz(+20"1o) 5 MAX 25-50%IN 4 CYCLES
DECAYINGEXPONENTIALWAVEFORM
V3, 14
0.9
O. t
d _-s!
WAVEFORM tr (ns) td (ITS)i
3 .500MAX 170(+20%)
4 100MAX 2(+20"/o)
Figure 2. - S.A.E. waveforms recommended for lightning-induced effects testing.
P i' I.AM] I.AMI I.AMI
soo.c I,ATC.I IMuxI IMoxK
IIc,_,T_H UNDERTEST I_k-_'
, I"' 11( INTELIjPSYSTEM)J_l,8 _16 __
ICONTROUERII I_ ' IAoo ' t 28 f J CRYSTAL DATABUS
DDRESSBUS ICONTROLINEI
iI.AT_._-_CLOCKCYCLEIIOSCILLATORIMONITOR MON,TORI MON'TORi
I":" rv_ COUNTERI' '1' ' ' "_"'_ "_16 ,',_828 i , T 8_: _"I I UNPERTURBED32L_'.J L. _ EFERENCEUNITL \
l_uxI I _,m_,_psYs_,I•
i
Figure 3. - Overview of upset test hardware configurations.
TRANSIENTS
ENTERED SYSTEM SYSTEM
SYSTEM- UPSET-_ FAILED-I\
O(T)AT
a(t)At
IN.)
fBENIGN ERRORS SYSTEMRECOVERED( ()'-
p (t) A t = PROBABILITYTHATERRORSCAUSESYSTEMUPSETIN TIMEA t
a (t)A t = PROBABILITYTHATERRORSWILL BEBENIGNIN TIMEA t
o (1;)A'_= PROBABILITYTHATSYSTEMWILLRECOVERIN TIMEA
13(T) A'_= PROBABILITYTHATSYSTEMWILLFAIL IN TIMEA'_
Figure 4. - Preliminary stochastic upset model.
UPSET PROPAGATION TIME HISTOGRAM
FREQUENCY
OF
OCCURRENCE
20-
17
o
10- 9
m
1 1 1 1
_ --3 F--I I I I I I I ["-"1 i I ! F'-7
0 200 300 400 500 600 700 800 900 1000 >1050
TIME INTERVALS,laS
Figure 5. - Upset detection/propagation time histogram.
APPENDIX ! TAHLE A . LIPSET TYPE I] DATA EXCERPT (TRANSIENT INPUT POINT - MDZO! CPU
STATE ntJ_TNG TNANSTENT TNPUT - ,IMP 0010,TNET,FETCH,TWl upSeT
OETFCTION/PRDPAGAT]ON TIME - 228,S UE! PROGRAM MEMORY WAS NOT
t}VER_RZTTEN)
MFHnRY CnNTROL SIGNAL
STATUS _nR[) Anl)_EgS raTA BUS I/O WAIT RDY HL_A SYNC WRNOT DBIN INTE HLD
8R! HEM, READ 001 a 001NOP 0 t 0 0 | 0 0 0
O{)i MEM, NHITE 00P_ CHI ****** 0 t 0 0 I t 0 0
A_l INST,FETCH 0015 C51 JMR t 0 0 t 0 0 0 0
H_l MEM, READ ()()|_ 101 ****** I 0 0 _ 0 } 0 t
H_l MFM. READ 00|7 001NOP I 0 0 | 0 0 0 0
A21 INST.FETCH 0018 201 ****w, l 0 0 1 0 l 0 1
A2| INST,FETCH 00|() 011 LXI B 1. 0 O I 0 0 0 0
_FI ********** OOPO 2()I ****** t 0 0 1 0 1 0 1
B_I MECH, READ 011_a 01.1 LXI B I 0 0 t 0 0 0 0
__A2i ]NBT.FETCH 001C 201 ****** I 0 0 1 0 l 0 l
"FF'I ********** OOIN 011 LXI B ! 0 0 1 0 0 0 0
FOI ********** O01D _21 ADD D | 0 0 I. 0 I 0 I
AEI ********** O(_IF 0111. XI B ! 0 0 1 0 0 0 0
FFf ********** 0_1F CH! ****** t 0 0 | 0 I 0 !
__CAt ********** 00_n _2| A{)() D t 0 0 1 0 0 0 0
C|}I ********** 00P1 CHI ****** 1 0 0 | 0 1 0 1
CMI ********** Oc)Pp FFI RBT 7 | 0 0 _ 0 O 0 0
FFI ********** ()()CA OQI TNR B I 0 0 I 0 1 0 |
CH! ********** _l_q 0_! TNR B l 0 0 | 0 0 0 0
"CCI ********** 21C_ A21 ANA D t O 0 ! 0 | 0 1
201 ********** 2138 FFI RBT 7 1 0 0 | 0 0 0 0
011 ********** 003q FFI RST 7 t 0 0 | 0 l 0 1
2_)! ********** ()03A 201 ****** t 0 0 1 0 0 0 0
011 ********** O0_R (101 NOP 1 0 0 I 0 1 0 |
201 *****w**** (103C FF! RST 7 ! O 0 I 0 0 0 0
Oil w*w******* 003() 001 NOB _ 0 0 | 0 ! 0 |
201 ********** DOfF POI ****** 1 0 0 1 0 0 0 0
0|I ********** 003F U(}I NOP t O 0 t 0 t 0 1
201 ********** 00_0 201 ****** i O 0 1 0 0 0 0
A_I INRTqF_TCH Q_i OOl NOP 1 0 0 t 0 _ 0 !
A2I TNST.FETCH ()N_2 2NI w,e*** 1 0 0 1 0 0 0 0
FFI ********** ON3_ 011LXI B i 0 0 1 0 i 0 I-
F'El ********** 00_ A_I ANA D 1 0 0 1 0 0 0 0
AFI ********** 00_I A_I ANA D | ! 0 0 ! I 0 0
0|1 ********** ()O_S FFI RST 7 1 0 0 t 0 o 0 0
201 ********** O(l_h H2! ADD D 1 0 0 1 0 t 0 !
Oli ********** 00_7 A21 ANA D 1 0 0 1 0 0 0 0
201 ********** ()O_R FF'_T T 1 ! U 0 1 l () 0
011 ********** O0_g O()l NOP 1 0 0 1 0 0 0 0
_01 ********** DOrA _01 ****** t 0 0 1 0 1 0 I
-----_-i-"T-_T_-, F'E'F_ oo_B o1¥--L-W-IB I o o t o o o o
--TFI ********** 00_0 _t)l ****_, 1 ! 0 0 _ | 0 0
_21 MEM. REAl3 01_ NOt NUP I 0 0 1 0 0 0 0
Aa! ,INST'_-F-E'T-CH (}O_E 2(): ****** 1 0 0 1 0 I 0 t--
A_I I,_ST,FET'C_ O.(14F 0oi NUP l 0 0 1 0 0 0 0
FFI ******w_** 003_ _01 ****** ! O 0 | 0 t 0 1
.AEI ********** 0050 A_I ANA D t 0 0 I 0 0 0 0
o(11MEM, WRI'TF 00SI FFI RBT 7 0 0 0 0 0 t) 0 0
_01 **1,****** O()SP R_I A()D D ! 0 0 | 0 0 0 0
Ull ********** 005'_ A_! ANA 0 t 1 0 0 1 1 0 0
201 ********** 00Sd FFI RST ? t 0 0 l 0 0 0 0
3Z
1. ReportNo. 2. GovernmentAccessionNo. 3. Recipient'sCatalogNo.
NASA TM-84652
4. Title andSubtitle 5. ReportDate
Digital System Upset--The Effects of Simulated April 1983
Lightning-Induced Transients on a General-Purpose 6.PerformingOrganizationCode
Microprocessor 505-34-13-34
7. Author(s) 8. PerformingOrgan;zationReportNo.
Celeste M. Belcastro
., 10. WorkUnit No.
9. Performing Organization Name andAddreu
National Aeronautics and Space Administration
Langley Research Center 11.ContractorGrantNo.
Hampton, Virginia 23665
13. Typeof ReportandPeriodCovered
12. SponsoringAgencyNameandAddress TechnicalMemorandum
National Aeronauticsand Space Administration "14. SponsoringAgencyCode
Washington,DC 20546
15. SupplementaryNotes
16. Abstract
Fllght-crltical computer-based control systems designed for advanced aircraft
must exhibit ultrarellable performance in llghtnlng-charged environments.
Digital system upset can occur as a result of lightning-lnduced electrical
transients, and a methodology has been developed to test specific digital
systems for upset susceptibility. Initial upset data indicates that there are
several distinct upset modes and that the occurrence of upset is _elated to the
relative synchronization of the transient input with the processing state of
the digital system. A large upset test data base will aid in the formulation
and verification of analytical upset reliability modeling techniques which are
being developed.
i
17. Key Words(Suggestedby Author(s)) 18. DistributionStatement
Microprocessor; digital system upset; UNCLASSIFIED - UNLIMITED
electromagnetic interference; lightning;
reliability modeling; processing state; Subject Category 62
upset susceptibility
19. SecurityClassif.(ofthisreport) 20. SecurityClassif.(of thispage) 21. No. of Pages 22. Price
UNCLAS SIFlED UNCLAS SIFlED 32 AO 3
N-305 Forsale bythe NationalTechnicalInformationService,Springfield,Virginia 22161

3 1176 01346 2420
O
DO NOT REMOVE SLIP FROM MATERIAL
Delete your name from this slip when returning material
to the library.
NAME MS
NASALangley (Rev. May 1988) RIAD N-75
