Integrated assurance assessment of a reconfigurable digital flight control system by Davis, R. M. et al.
  
 
 
NOTICE

THIS DOCUMENT HAS BEEN REPRODUCED FROM MICROFICHE. ALTHOUGH IT IS RECOGNIZED THAT CERTAIN PORTIONS ARE ILLEGIBLE, IT IS BEING RELEASED IN THE INTEREST OF MAKING AVAILABLE AS MUCH INFORMATION AS POSSIBLE

https://ntrs.nasa.gov/search.jsp?R=19830016244 2020-03-21T04:16:18+00:00Z

DOT/FAA/CT-82/154
Integrated Assurance Assessment of a Reconfigurable Digital Flight Control System

W. G. Ness
R. M. Davis
J. W. Benson
M. K. Smith
Lockheed-Georgia Company
Marietta, Georgia 30063

D. Eldredge
FAA Technical Center
Atlantic City Airport, New Jersey 08405

April 1983
Final Report

This document is available to the U.S. public through the National Technical Information Service, Springfield, Virginia 22161.

U.S. Department of Transportation
Federal Aviation Administration
Technical Center
Atlantic City Airport, NJ 08405
NOTICE

This document is disseminated under the sponsorship of the Department of Transportation in the interest of information exchange. The United States Government assumes no liability for the contents or use thereof. The United States Government does not endorse products or manufacturers. Trade or manufacturer's names appear herein solely because they are considered essential to the object of this report.
REPORT DOCUMENTATION PAGE

1. Report No.: DOT/FAA/CT-82/154
4. Title and Subtitle: INTEGRATED ASSURANCE ASSESSMENT OF A RECONFIGURABLE DIGITAL FLIGHT CONTROL SYSTEM
5. Report Date: April 1983
7. Author(s): W. G. Ness, R. M. Davis, J. W. Benson, M. K. Smith, and D. Eldredge
9. Performing Organization Name and Address: Lockheed-Georgia Company, Marietta, GA 30063; FAA Technical Center, Atlantic City Airport, NJ 08405
10. Work Unit No. (TRAIS): 182-340-100
11. Contract or Grant No.: NAS2-11179
12. Sponsoring Agency Name and Address: U.S. Department of Transportation, Federal Aviation Administration, Technical Center, Atlantic City Airport, NJ 08405
13. Type of Report and Period Covered: Final, Feb. - Oct. 1982
15. Supplementary Notes: This contract was funded through interagency agreement NASA NMI 1052.151 to NASA Ames Research Center through task order DOT-FA77WAL-738, Modification Numbers 5 and 6 from the FAA Technical Center (ACT-340).

16. Abstract

FAA Advisory Circular AC 25.1309-1 provides guidance material for demonstrating compliance with the requirements of Part 25 of the Federal Aviation Regulations for "flight-essential" and "flight-critical" avionics systems. This advisory circular outlines the use of quantitative safety analyses which may include: a) probability analysis; b) fault tree analysis; c) failure modes and effects analysis; and d) other comparable techniques for determining compliance with the requirements of FAR 25.1309(b).

The objective of this study was to explore and demonstrate the integrated application of reliability, failure effects and system simulator methods in establishing the airworthiness of a "flight-critical" digital flight control system (DFCS). The emphasis was on the mutual reinforcement of the methods in demonstrating the system safety.

It was concluded from this study that: a) the integrated approach can be used for the validation of "flight-essential" and "flight-critical" digital systems; b) the quantitative assessment of reliability (system failure probability) can be accurately predicted at less than 1 x 10 [exponent illegible] by the use of both the fault tree analysis and the analytical reliability prediction analysis; c) fault tree analysis must be augmented by failure modes and effects analysis which must be used below the circuit card level because of the complexities of the lower level analysis; and d) system simulation (fault insertion) confirms the correct implementation of the fault detection and fault [illegible] capabilities of the system and [remainder illegible].

17. Key Words: Integrated Assurance Assessment; Failure Modes and Effects Analysis; Fault Tree; Fault Insertion; Failure Rates; RDFCS Pallet; Digital Flight Control System
18. Distribution Statement: Document is available to the U.S. public through the National Technical Information Service, Springfield, Virginia 22161
19. Security Classif. (of this report): UNCLASSIFIED
20. Security Classif. (of this page): UNCLASSIFIED

Form DOT F 1700.7 (8-72)  Reproduction of completed page authorized
FOREWORD

This report describes an assurance assessment of a representative contemporary digital flight control system stressing the use of various methods in a complementary manner. The work was performed between February 1, 1982, and September 1982, under contract number NAS2-11179. The work was sponsored and directed by the Federal Aviation Administration Technical Center, with the contract administered through the National Aeronautics and Space Administration - Ames Research Center under interagency agreement NASA NMI 1052.51 (Task Order DOT-FAA-77WAI-738).
TABLE OF CONTENTS

Section  Title  Page
1  Introduction and Summary  1
2  Objectives and Scope  5
3  Contract Task Summary  6
4  RDFCS and Simulator Descriptions  8
5  Fault Tree Analysis  19
6  Failure Mode and Effect Analysis  41
7  Fault Insertion  49
8  Failure Rate Development  58
9  Reliability Prediction Using CARSRA  63
10  Conclusions  79
11  References  82
APPENDIX A  FMEA Results  A-1
APPENDIX B  Fault Simulation Results  B-1
APPENDIX C  Processor Schematic Diagrams  C-1
LIST OF FIGURES

Figure  Title  Page
1  RDFCS Dual-Dual Configuration  9
2  RDFCS Simulator  12
3  CAPS Test Adapter and Computer Breakout Panel  14
4  Servo Simulator Panel  16
5  Discrete Switch Panel  17
6  Fault Tree Top Level  21
7  Sensing Function  23
8  Normal Acceleration Sensing  24
9  NO DUAL Annunciation  27
10  Computing Function  29
11  Channel 1A Rudder Command  30
12  FCC Processor Control Card  31
13  FCC Processor Data Path Card  32
14  Yaw Autopilot Servo Command Warning  34
15  Servo Functions  37
16  No. 1 Yaw Autopilot Servo  38
17  Multiple Failures During Crucial Phase  39
18  One Output, Two Input Conditions  44
19  Two Output, One Input Conditions  45
20  Processor Block Diagram  46
21  CAPS Test Adapter and Computer Breakout Panel  50
22  Servo Simulator Panel  51
23  Discrete Switch Panel  53
24  FCC with Processor Card Extended  55
25  FCC Processor Data Path Card  56
26  Markov Model of a Dual Stage  65
27  Markov Model Coding for RDFCS Sensor Stages  71
28  CARSRA Input  73
C1  Control Card Schematic Diagram  C-2
C2  Data Path Card Schematic Diagram  C-5

LIST OF TABLES

Table  Title  Page
1  Assurance Method Functions
2  System Failure Probability  40
3  Pin-Level FMEA  A-2
4  Faults Simulated  B-2
5  FCC Control Card Failure Rate  60
6  Predicted FCC Card Failure Rates  61
7  Predicted Failure Rates for Major RDFCS Components  62
1. INTRODUCTION AND SUMMARY

Under the FAA Technical Center's Digital System Program (182-340-100), an integrated assurance assessment of a contemporary digital flight control system was performed. The assurance methods of fault tree analysis, automated reliability prediction, failure mode and effect analysis, and fault insertion were applied in a complementary way to address the need for a workable approach to confirming the airworthiness of a critical digital system. The resulting assessment satisfied the requirements of Advisory Circular 25.1309-1 (Ref. 1), and is consistent with the validation requirements of RTCA Document DO-178 (Ref. 2).

The digital system used in the analysis was the Redundant Digital Flight Control System (RDFCS) procured jointly by the FAA and NASA-Ames Research Center in 1979. The RDFCS facility is located at NASA-Ames as a central part of the Digital Flight Control Systems Verification Laboratory, a unique facility for research into the assurance issues of digital systems. Volume II of this report describes the RDFCS as it would be in a production configuration, including sensors and servos. The sensors and servos are not production-configuration equipment, and in fact, they are simulated in the RDFCS.

The assessment consisted of the following major tasks:

o Application of fault tree analysis, starting at the highest system functional level, proceeding to the hardware circuit card level, and to the module level for the processors.
o Development of a representative set of failure rates for the relevant hardware items.
o Application of an automated reliability prediction program, CARSRA, to the system failure modes affecting airworthiness.
o Application of failure mode and effect analysis to integrated circuit pin faults of three processor modules.
o Definition of faults to be inserted in the RDFCS to determine the effect of the fault when analysis was not feasible, and of other faults to confirm the manual analysis. These faults were subsequently inserted and the effects recorded.

Among the conclusions and observations resulting from this study are that:

o The integrated approach used here is capable, with diligent application, of establishing the airworthiness of a Digital Flight Control System (DFCS) within the context of AC 25.1309-1. Specifically, this approach addresses those system aspects shown in Table 1, including freedom from single-point failure modes and system failure probability.
o The integrated assurance approach used in this study should be considered for use in validating other digital systems, including DFCS, in compliance with AC 25.1309-1.
o The quantitative assessment of system failure probability by two methods (fault tree analysis and analytical reliability prediction) offers increased assurance that the system meets the quantitative requirements of AC 25.1309-1. For a flight-critical system, this requirement is that the system failure probability not exceed 1 x 10 [exponent illegible] per hour of flight for each critical function the system performs.
o Fault insertion confirms that the fault detection capability and the fault tolerance capability described in the system documentation are actually implemented in the system. Since the fault tree analysis is based largely on the system response to faults as described in the system documentation, the fault insertion confirms that the fault tree analysis correctly reflects the behavior of the actual system in the presence of faults.
o The fault tree analysis generates software test requirements in terms of functions which the software must perform. These, in turn, provide a check of function criticality and of test requirements generated in accordance with RTCA Document DO-178.
o Fault tree analysis proved unwieldy below the circuit card level, because at lower levels many more functions are being performed than there are hardware failure modes. Failure mode and effect analysis was accomplished successfully at the integrated circuit pin level.
o As a training facility and a Reconfigurable Test Bed, the RDFCS facility has significant and valuable capabilities for investigating assurance issues of currently definable DFCS architectures. It also has potential enhanced capability in certain areas, such as automated insertion of pin-level faults, for confirmation of analytically determined failure effects.
o The comparison of the time or cost required for the integrated approach reported here with that required for other possible assurance approaches was not specifically addressed in this study. However, the time required for the integrated approach is expected to compare favorably with that for other approaches, assuming the same depth of analysis. The cost should also compare favorably, provided a facility suitable for fault insertion is available.

Table 1. Assurance Method Functions [table contents illegible in the source scan]
2. OBJECTIVES AND SCOPE

OBJECTIVES

The primary objective of this contract was to explore and demonstrate the integrated application of reliability, failure effects, and system simulator methods in establishing the airworthiness of a flight-critical digital flight control system. The emphasis was on the mutual reinforcement of the methods, with results oriented toward inclusion in an FAA Data Base.

SCOPE

The scope of the effort was primarily limited to assessment of the RDFCS in the automatic landing maneuver under Category IIIa conditions as defined in AC 120-28C (Ref. 3). Application of methods below the system level was on a selective basis and focused within the digital portions of the system. Installation-dependent effects, such as failure of RDFCS components induced by failure of components in other systems, were not considered.
3. CONTRACT TASK SUMMARY

SYSTEM DESCRIPTION

A baseline configuration of the RDFCS shall be defined, and a corresponding analytical description shall be prepared as necessary to perform the integrated assessment. This description may include existing documentation for the RDFCS, and as necessary, it shall include additional components (e.g., secondary flight control) needed to reflect a realistic DFCS.

FAULT TREE ANALYSIS

A fault tree analysis beginning at the system level is required. The analysis shall be extended to the integrated circuit pin level for at least three digital modules.

FAILURE RATES

A set of representative failure rates for the components and parts of the RDFCS shall be developed as necessary to evaluate the fault tree for failure probability.

FAULT SIMULATION CASES

A number of simulated fault conditions shall be defined for insertion in the RDFCS simulator. These faults shall be for two purposes: to confirm the assumptions underlying the fault tree analysis, and to resolve uncertainty of the effect of the fault when analysis is not tractable.

FLIGHT CASE TRANSITIONS

A go-around flight case shall be installed on the RDFCS simulator, and transition capability shall be installed to transition the airplane from approach to landing and landing to go-around flight cases.

CARSRA RELIABILITY PROGRAM

The CARSRA reliability program shall be applied to the RDFCS. The application shall be made in such a way as to be instructive for future applications of CARSRA to other systems.
4. RDFCS AND SIMULATOR DESCRIPTIONS

RDFCS

The RDFCS is described in considerable detail in Volume II of this report. The description presented here summarizes the system architecture. In most operational modes, the system is fail passive, with a dual channel configuration. For automatic landings under Category IIIa conditions, the system can be brought into a dual-dual fail-operational, fail-passive configuration. The classification dual-dual relates primarily to the four computer channels in the system. Each of the two flight control computers (FCC) has two channels which run frame-synchronously, with each channel driving one coil of a dual-coil servo in each axis. Any indication of disagreement between the two channels in an FCC causes the servo connected to that FCC to be disengaged by removing hydraulic pressure. Figure 1 summarizes the dual-dual configuration.

Figure 1. RDFCS Dual-Dual Configuration

Monitoring Configuration and Implementation

Extensive monitoring is employed in the RDFCS for fault detection. Coil current comparators for each servo provide coverage of faults resulting in erroneous commands to the servo coils. They also provide coverage for broken wire faults between the FCC and the servo or failures of the coils themselves. These monitors, which are described in Volume II, Sections 5.1.1.6.2 through 5.1.1.6.5, are made more effective by the insertion of opposing 5 ma bias currents. The bias currents permit circuit integrity to be monitored even when the FCC is not commanding the servo to a new position, such as when the aircraft is flying through very calm air at a stable attitude. It may be noted that this type of monitoring is equally applicable to analog and digital systems.

Response of the autopilot servos to commands from the servo amplifiers is monitored by modulator piston position signals fed back to the FCC (Vol. II, Sections 5.1.1.6.3 through 5.1.1.6.5). The feedback signals are averaged and passed through a high-pass filter to get a modulator rate that is compared with coil current. This comparison is used to detect jamming of the modulator piston, runaway conditions, or loss of hydraulic power. This type of monitoring also can be applied to either analog or digital systems.

In the pitch-axis servos, modulator piston position monitoring is implemented in hardware. In the other two axes, it is implemented in software. Together, the coil current monitoring and modulator piston monitoring detect any servo fault which prevents the servo from responding to commands. They also detect any fault in a computer channel which prevents that channel from generating a reasonable command for the servos in each of the three axes. All monitors and feedback sensors are dual to increase reliability.

Each computer channel has an iteration monitor implemented in hardware (Vol. II, Figures 5.1.2.1.2 through 5.1.2.1.3). This monitor observes the state of a discrete software variable which is changed at the end of each iteration of the foreground software. Since this software executes at a 20 Hz rate, the result is a 10 Hz square wave. Should the processor short-loop or hang up, the 10 Hz wave will not be presented and the iteration monitor will withdraw its input to the engage logic and the FCC will disengage.

Sensor monitoring is primarily accomplished by comparison and by validity discretes generated by the sensors (Vol. II, Sec. 5.1.2.0 through 5.1.2.5). There is no one place that sensor monitoring takes place, since all four computer channels incorporate the monitoring function. This ensures that the circuitry involved in getting the sensor signals to each channel is included in the monitoring.

The gyro and accelerometer discretes are generated as described in Volume II, Sections 5.11 through 5.12. The accelerometers are tested as described in Section 5.11 each time the system is powered up with the airplane on the ground.

The ILS receivers are checked using the square wave test of Volume II, Section 5.1.2.3.1.1.5. This test checks for failure of the localizer and glideslope beam deviation inputs. During landing, the outputs of both receivers are compared, with reliance on the self-monitoring to identify which receiver is bad if the signals disagree. The comparison monitoring is used to check wire integrity between the receiver and the computer channels. The other dual sensors are comparison monitored in the same way.
Even though each channel monitors sensors individually, any channel can initiate the NO DUAL annunciation, which is the primary indication that the system is not fail-operational. If any channel detects a second failure of a sensor type, it will cause its FCC to disengage, but the other FCC will remain engaged.

Although NO DUAL is the primary warning of loss of one sensor, NO ALIGN will be annunciated if the course signals from the two compass systems do not agree.

Other monitoring within the FCC involves comparison of active operating modes. If the two channels within an FCC disagree on which modes are engaged, and the disagreement lasts for more than 0.1 sec, the FCC will disengage. If the two FCC's disagree, SPLIT will be displayed on the Warning Annunciator Indicators. This monitoring, together with the sensor data transfers, will detect most faults of the cross-channel data transfer circuitry.
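To make two of the channel-level monitors described above concrete (the hardware iteration monitor fed by the 20 Hz foreground toggle, and the intra-FCC mode-agreement monitor with its 0.1 sec limit), here is a small simulation added for this edition; it is not code from the report or from the RDFCS, and the monitor internals, the one-period watchdog timeout, the latched disengage, the mode names and the traces are all assumptions.

```python
"""Simulation of two RDFCS channel-level monitors: the hardware iteration
monitor and the intra-FCC mode-agreement monitor. Constructed example; the
monitor internals, the one-period timeout and the traces are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

FOREGROUND_RATE_HZ = 20                      # foreground software rate (from the report)
MODE_DISAGREE_LIMIT_S = 0.1                  # report: disengage if modes differ > 0.1 sec
MODE_DISAGREE_LIMIT_TICKS = round(MODE_DISAGREE_LIMIT_S * FOREGROUND_RATE_HZ)  # 2 ticks


@dataclass(frozen=True)
class ChannelSample:
    """What one computer channel presents to the monitors in one iteration."""
    iteration_flag: int            # software discrete toggled once per foreground pass
    modes: FrozenSet[str]          # names of the modes this channel considers engaged


class IterationMonitor:
    """Hardware watchdog: the flag must change every foreground period, giving a
    10 Hz square wave. A period with no edge means the processor short-looped
    or hung, and the monitor withdraws its input to the engage logic.
    Assumed: a single missed edge is enough to trip it."""

    def __init__(self) -> None:
        self.last_flag: Optional[int] = None

    def healthy(self, flag: int) -> bool:
        edge = self.last_flag is None or flag != self.last_flag
        self.last_flag = flag
        return edge


class ModeAgreementMonitor:
    """Compares the engaged modes of the two channels in one FCC; disagreement
    lasting more than MODE_DISAGREE_LIMIT_S disengages the FCC."""

    def __init__(self) -> None:
        self.disagree_ticks = 0

    def healthy(self, modes_a: FrozenSet[str], modes_b: FrozenSet[str]) -> bool:
        self.disagree_ticks = 0 if modes_a == modes_b else self.disagree_ticks + 1
        return self.disagree_ticks <= MODE_DISAGREE_LIMIT_TICKS


def run_fcc(trace_a: List[ChannelSample],
            trace_b: List[ChannelSample]) -> Tuple[Optional[int], Optional[str]]:
    """Feed per-iteration samples of channels A and B through the monitors.
    Returns (tick, reason) for the first disengagement, or (None, None) if the
    FCC stays engaged. Disengagement is treated as latched (assumption)."""
    iter_a, iter_b, modes = IterationMonitor(), IterationMonitor(), ModeAgreementMonitor()
    for tick, (a, b) in enumerate(zip(trace_a, trace_b)):
        if not iter_a.healthy(a.iteration_flag):
            return tick, "channel A iteration monitor"
        if not iter_b.healthy(b.iteration_flag):
            return tick, "channel B iteration monitor"
        if not modes.healthy(a.modes, b.modes):
            return tick, "mode disagreement"
    return None, None


# --- constructed traces (placeholder mode names, not RDFCS mode logic) -------
AL_MODES = frozenset({"A/L", "LOC", "GS"})


def healthy_trace(n: int, modes: FrozenSet[str] = AL_MODES) -> List[ChannelSample]:
    """n iterations of a healthy channel: the flag alternates 0, 1, 0, 1, ..."""
    return [ChannelSample(i % 2, modes) for i in range(n)]


def hang_at(trace: List[ChannelSample], k: int) -> List[ChannelSample]:
    """Processor hangs at tick k: the iteration flag stops toggling."""
    frozen = trace[k - 1].iteration_flag
    return trace[:k] + [ChannelSample(frozen, s.modes) for s in trace[k:]]


def mode_glitch(trace: List[ChannelSample], k: int, n: int,
                modes: FrozenSet[str] = frozenset({"A/L", "LOC"})) -> List[ChannelSample]:
    """Channel reports a different mode set for n ticks starting at tick k."""
    return [ChannelSample(s.iteration_flag, modes if k <= i < k + n else s.modes)
            for i, s in enumerate(trace)]


if __name__ == "__main__":
    base = healthy_trace(40)
    print(run_fcc(base, base))                       # (None, None)
    print(run_fcc(hang_at(base, 10), base))          # (10, 'channel A iteration monitor')
    print(run_fcc(mode_glitch(base, 5, 2), base))    # (None, None): 0.10 sec is tolerated
    print(run_fcc(mode_glitch(base, 5, 3), base))    # (7, 'mode disagreement'): 0.15 sec
```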
SIMULATOR DESCRIPTION

The RDFCS simulator is comprised primarily of the RDFCS pallet, shown in Figure 2, and a PDP 11/60 computer. The RDFCS pallet includes the Flight Control Computers (FCC), core memory, Modular Digital Interface Control Unit (MDICU), Servo Simulator Panel (SSP), Discrete Switch Panel (DSP), CAPS Test Adapters (CTA), and Computer Breakout Panels. The functions of these items are described in the remainder of this section.

Figure 2. RDFCS Simulator

PDP 11/60 Computer/Airplane Model

The PDP 11/60 computer hosts a discrete-state model of the airplane in which the RDFCS is installed. This airplane is a representative wide-body transport, and the model coefficients are changed according to the flight case being simulated. Each flight case, then, is a point simulation of the airplane in a particular configuration and operating in a specific portion of the flight envelope. The airplane model executes at a 50 Hz rate.

As part of this study, a go-around case was added to the library of cases available. These cases are described and discussed in Reference 4. The go-around case is characterized as follows:

Airplane Weight: 314,500 lb
Altitude: 35 ft
Angle of Attack: 10.91°
Indicated Airspeed: 168 kts
Flap Deployment: 22°
Center of Gravity: 25% of C

Transition capability was added to go from approach conditions to landing conditions, and from landing to the new go-around case. The transitions involve changing the model coefficients and establishing new trim values. The transition capability has been installed and checked out successfully.
Modular Digital Interface Control Unit

The Modular Digital Interface Control Unit (MDICU) receives the output of the airplane discrete-state model through a communication link with the PDP 11/60 computer. The MDICU converts the various pieces of information into the form needed by the FCC's. For example, roll angle and pitch angle are converted to three-wire AC signals, properly scaled, while localizer deviation is coded in ARINC serial digital format. The MDICU is described more fully in Reference 5.

The MDICU incorporates provisions for the signal for the No. 1 sensor of each type to be ramped up or down. This facility is accessed by means of the HP 2645A terminal physically located in the pallet.

Computer Breakout Panels

Each sensor signal going from the MDICU to the FCC's can be interrupted at the Computer Breakout Panels by removing the appropriate jumper plug. Every FCC back connector pin is routed through one of these plugs. The lower portion of Figure 3 shows the rows of plugs for connector P1 and the "A" half of connector P2. Each FCC has its own breakout panel.

Figure 3. CAPS Test Adapter and Computer Breakout Panel
CAPS Test Adapters

Figure 3 also shows the CAPS Test Adapter (CTA) for one of the FCC's. The upper half of the CTA includes, on the right-hand side, four address and four data windows. An address can be loaded in each address window, and the corresponding data window used to display the data on the FCC A-side processor bus data lines every time the address appears on the address lines. The CTA also has other capabilities, such as providing a history of the last 16 bus transfers and changing the contents of a specific memory location within the FCC, but during the study only the address monitoring was used. Discrete variables representing sensor voter status were monitored visually via the data windows. Continuous variables, such as inputs to the servo amplifiers, were monitored by using the analog output posts below the appropriate data window to drive a strip-chart recorder. The lower half of the CTA performs the same functions as the upper half, but for the B side of the FCC.

Servo Simulator Panel

The servo amplifier outputs from the FCC's are routed to the Servo Simulator Panel (SSP), shown in Figure 4. The SSP simulates the dynamics of the autopilot and power servos, and generates the required feedback signals such as modulator piston position. The SSP has circuits which can simulate a hardover or slowover command to a servo coil. It can also simulate a hardover or slowover of a modulator piston, including the modulator piston position feedback signal and the command to the power servo. All of these apply to the No. 1 servo of each type.

Discrete Switch Panel

The Discrete Switch Panel (DSP), Figure 5, is located just below the SSP. This panel provides a centralized location for switches such as hydraulic pressure switches and autopilot disconnect switches. The panel also includes switches that can be used to insert sensor validity faults. These faults can also be inserted by pulling the appropriate jumper plug on the FCC Breakout Panel.

Figure 5. Discrete Switch Panel
Core Memory

The pallet also contains core memory for the FCC's. This is used for both data and program memory to provide flexibility and convenience in using the pallet to simulate other airplanes or DFCS architectures. As used in an airplane, the FCC's have the flight software stored in programmable read-only memory (PROM) and use random access memory (RAM) chips for data memory.

Glare-Shield Panel

The pallet also has a glare-shield panel, which is the control panel for the system as installed in an airplane. It includes the engage (bat handle) switches, mode select switches, altitude select knob, and other controls. The pallet also has a single ADI, HSI, radio altitude display, Mode Indicator, and Warning Annunciator Indicator.
5. FAULT TREE ANALYSIS

FAULT TREE ANALYSIS IN INTEGRATED ASSURANCE

The integrated assurance assessment of the RDFCS begins with a fault tree analysis of the system function. Referring back to Table 1, the fault tree analysis has several functions. The first function is to assure that no system component has any failure mode which can result in system failure. Most of the components, such as the sensors and servos, have only a few failure modes which can be observed at the interfaces with the rest of the system. For these components, the fault tree analysis provides assurance that no failure modes can cause system failure. The assurance is obtained by reviewing the completed tree and determining that system failure can only occur as a result of multiple failures.

In general, digital modules (and therefore digital components) can have a substantial number of different failure modes. In such cases, it becomes quite laborious to continue the fault tree development to a level of detail sufficient to confirm that none of those failure modes can cause system failure. The second function of fault tree analysis is to identify which digital modules are involved in performing critical functions. The task of assuring that no single module level failure can cause system failure is performed with failure mode and effect analysis (FMEA).

A major benefit of fault tree analysis is that it focuses on the functions performed by the system elements, including those system elements involved in detecting faults and providing appropriate annunciation to the flight crew. Consequently, the third function of fault tree analysis is to confirm the adequacy of monitoring (i.e., fault detection and annunciation) in the system.

Fault tree analysis is also used to identify specific software functions required for system operation, including fault monitoring implemented in software. The software test requirements for these functions are then specifically reviewed to confirm that these requirements are adequate. This fourth function of fault trees is discussed more fully and illustrated subsequently as the tree for the RDFCS is developed.

The fifth function of fault tree analysis is to provide an alternate means of computing the probability of system failure. This provides a check of the probability obtained from the CARSRA program to ensure that the CARSRA input does not have errors which would produce a false low probability of system failure.
FAULT TREE DEVELOPMENT

The fault tree analysis is based on the undesired event that the airplane has an unacceptable deviation from the desired flight profile during the last 150 feet of descent while executing an automatic landing, as shown in Figure 6. This portion of flight, which is the only flight phase during which the RDFCS performs a critical function, is termed the "crucial flight phase" in this report. Category IIIa conditions are assumed, so that the human pilot cannot complete the landing using visual cues should the RDFCS fail.

The analysis begins with the RDFCS in the dual-dual configuration. It should be noted that this configuration is available only after the Instrument Landing System (ILS) push-button has been used to select the Approach/Land (A/L) mode (Ref. Vol. II, Section 4.3.6.1). After this switch has been momentarily depressed, the A/L mode is transmitted to the FCC's and latched in. The switch is no longer needed, and therefore does not enter into the analysis.

The top event of Figure 6 can be caused by any of three conditions, or subevents. For convenience, these can be referred to as Level-2 events, with the top event considered to be at Level 1. The Level-2 events are shown as the middle row in Figure 6. The first of these is that the system design is in some manner deficient for the environmental conditions encountered. This includes the possibility that the conditions encountered are outside of the system design requirements; it also includes the possibility that the control laws are deficient for some conditions which may be expected. This possibility is outside the scope of this project and is not pursued here. References 6 and 7 address this subject. In particular, Section 3.3.1.3 of Reference 6 discusses establishing an upper bound on the probability of a deficient control law by statistical methods.
Figure 6. Fault Tree Top Level
The second of the Level-2 events occurs if the airplane enters the crucial phase with the RDFCS not fail-operational, and then a component failure occurs which prevents the system from completing the landing.
The third of the Level-2 events is that the crucial phase is entered with a fail-operational RDFCS, but multiple component failures occur before the end of the phase, and these failures result in RDFCS system failure.
The second of the Level-2 events, that the crucial phase is initiated without fail-operational capability, is expanded into three relevant functional areas, or Level-3 events: sensing aircraft attitude and position, computation of required outputs, and servo response to computed commands. The first of these, the sensing function, is expanded in Figure 7 into the various parameters needed by the FCC's in the automatic landing control laws. At this and higher levels, the fault tree is functionally oriented: failures are in terms of loss of function rather than loss of hardware.
The fault tree stub of Figure 8 extends the sensing function for normal acceleration to the individual hardware elements used to measure the acceleration and transmit it to the computers. The failure of the normal acceleration signal No. 1 to be present in all computer channels can be caused by loss of the sensor itself, associated wiring, or one of the circuit cards involved in receiving the signal and transmitting it to all channels. Volume II, Figure 5.1.1.3.1 shows the functional flow of these cards. The A24 Autoland Sensor Input and A27 Discrete Input Cards are both involved: the A24 card handles the analog acceleration signal and the A27 card handles the validity discrete signal. The processor itself is not involved in the data acquisition process and so is not shown. At this level, the transition has been made from required functions to the hardware which performs those functions.
Failure of the system to provide a NO DUAL annunciation is shown in Figure 9. This figure is of particular interest because of the explicit software function identified. A failure rate of zero is assigned to failure of this function, because it can be explicitly and exhaustively tested. Once it has been so tested, the probability of both NO DUAL annunciations failing because of a generic software error is taken to be zero. A generic software error is a discrepancy in the software which will
Figure 7. Sensing Function
Figure 8. Normal Acceleration Sensing
Figure 8. Normal Acceleration Sensing (Cont'd.)
Figure 9. NO DUAL Annunciation
cause all computer channels which use that software to produce the same, but wrong, result. Multiple computer channels do not provide redundancy with respect to generic software errors as long as the same software is used in all channels, as it is in most contemporary systems, including the RDFCS. Reference 7 may be consulted for a discussion of software errors, and RTCA Document DO-178 should be consulted for a discussion of software test requirements.
Fault tree stubs similar to that shown in Figure 8 were developed for the other sensors of Figure 7. These are very much like the stub shown in Figure 8 and so are not included in the report.
The second of the Level-3 events of Figure 6 is that the crucial flight phase is initiated without fail-operational computing capability and that an additional component failure causes system failure before the phase is complete. This is shown in Figure 10 as four Level-4 events. The first of these, that channel A of FCC No. 1 fails above alert height, can be caused by either channel of the FCC failing to produce a required output, as shown by the eight events at the lowest level (Level-5) in Figure 10.
Figure 11 continues the development of the fault tree for one of the Level-5 events of Figure 10. This event, failure of the A channel of FCC No. 1 to produce a rudder command, can be caused by failure of any one of several cards within the channel. In this study, the two cards which make up the processor were considered in more depth than the others. These two, the A13 Control Card and the A14 Data Path Card, are shown in Figures 12 and 13, respectively, in terms of the modules described in Section 5.1.1.1, Volume II. Also shown in each of Figures 12 and 13 is a subevent for failure of a miscellaneous part, such as the circuit board, the edge connector, or other part which is not included in one of the modules named in the other blocks.
Theoretically, the fault tree analysis of the failure of the processor to compute the rudder command can be continued below the module level to the individual integrated circuit pins or discrete piece-parts. The desirability of doing this is questionable, however, because of the nature of the processor. The processor is not designed to perform a single specific function, such as computing rudder commands. It is designed to efficiently perform a number of simple functions, such as addition,
Figure 10. Computing Function
Figure 11. Channel 1A Rudder Command (event boxes: CHNL 1A FAILS TO OUTPUT RUDDER CMD; NO RUDDER CMD, 6.79 x 10^-5; NO WARNING TO PILOT, 22.46 x 10^-12; CHNL A OF YAW SERVO AMP FAILS (CARD A32); RAM MEMORY CONTROL CARD (A12) FAILS; D/A SERVO CMD CARD (A18) FAILS; PROGRAM MEMORY CARD FAILS; A CHANNEL CAPS BUS FAILS, CHNL 1A; PROCESSOR (A13/A14) FAILS TO COMPUTE CMD; A13 CARD FAILS IN FCC NO. 1; A14 CARD FAILS IN FCC NO. 1)
Figure 12. FCC Processor Control Card
Figure 13. FCC Processor Data Path Card
multiplication, and logic operations. A suitable sequence of such operations (i.e., the flight software) is used to make the processor generate the rudder command, the aileron command, and so forth. It is much easier to relate the modules and integrated circuits (IC) to the simple functions (add, multiply, etc.) than to the much more complicated functions of computing the command for a particular servo.
It is also easier, in general, to relate a specific failure mode of an integrated circuit within the processor to its effect on the processor operation than to start with the effect and then work in the other direction to the IC failure modes which would produce the effect. In other words, it is easier to do an FMEA than a fault tree analysis at this level.
Another reason for preferring FMEA to fault trees at this level is that in the course of performing the fault tree analysis, the analyst must account for all of the ways the processor can fail; that is, all of the ways in which the processor output can be wrong. These ways are the failure modes of the processor. Each of these modes must then be traced to all possible combinations of IC pin failures which could produce the processor failure mode. Because processors have many different possible outputs, there are a high number of ways that the output could be wrong. There is no practical way of assuring that all of these possibilities have actually been covered in the fault tree. The FMEA requires that all pin-level IC failure modes be considered. These modes are much better understood, and there are fewer of them, so that it is much easier to be certain that they have all been covered. This is not meant to imply that a complete pin-level FMEA is easy or inexpensive; it is neither.
In light of the foregoing considerations, the fault tree analysis of the processor was not continued below the level developed in Figures 12 and 13. Instead, the FMEA approach was used as described in Section 6.
To continue with the development of other branches of the fault tree, Figure 14 develops the event of Figure 11 that the pilot is not warned that FCC No. 1 A channel is not generating a correct rudder command. This portion of the fault tree includes several software functions. In a production program, the test requirements of each of these functions should be reviewed to confirm that they satisfy the criteria of RTCA Document DO-178 (Reference 2). In this project, conducted for illustrative purposes, this review was not made.
Figure 14. Yaw Autopilot Servo Command Warning
Similar tree stubs to that developed in Figures 11-14 were developed for the other required outputs from Channel A of FCC No. 1 and the other three channels (Figure 9). They are not included here because they are quite repetitive of the analysis shown.
The last of the Level-3 events of Figure 6 is that the crucial phase is initiated without fail-operational servo capability and a debilitating failure occurs. This is expanded in Figure 15 into the three aircraft control axes: roll, pitch, and yaw. Figure 16 shows the fault tree for failure of the No. 1 yaw autopilot servo, with the servo failure not annunciated to the crew.
Fault tree stubs for the other 5 servos of Figure 15 were developed to complete the analysis of the Level-3 events of Figure 6. These are quite similar to the stub shown for the rudder servo and are not included in the report. This completes the discussion of the second of the Level-2 events of Figure 6.
The third of the Level-2 events of Figure 6 is that multiple failures occur during the crucial flight phase and these occur in a combination which causes system failure. Figure 17 shows the initial development of this event to lower levels. Continuing this development produces a major branch of the fault tree quite similar to, but simpler than, that for the second of the Level-2 events. It differs primarily in that the NO DUAL annunciation does not appear, since that particular warning is suppressed during the crucial phase. Since that major branch is so similar to that already discussed, it is not described further here.
QUANTITATIVE FAULT TREE ANALYSIS
System failure probability was computed from the fault tree using the hardware failure rates presented in Section 8. A failure rate of zero was used for each software function, since there is currently no acceptable way of predicting DFCS software failure rates (Reference 2, Section 2.2.1).
Considering hardware failure modes only, the probability of initiating the crucial phase with less than fail-operational capability and a second failure debilitating the system was calculated to be 2.46 x 10^-14. This is based on a flight time of 4.0 hours prior to the crucial phase and a crucial phase duration of 0.02 hours.
Figure 15. Servo Functions
Figure 16. No. 1 Yaw Autopilot Servo
Figure 17. Multiple Failures During Crucial Phase
The probability of the system failing because of multiple failures during the crucial phase was calculated to be 0.638 x 10^-9. This is based on a crucial phase duration of 0.02 hours.
The system failure probabilities computed are actually upper bounds on the actual failure probabilities. This is because the fault trees are based on the assumption, for many items, that all failure modes of the item render the item incapable of performing any of its functions. For example, certain buffers on the A26 Data Acquisition Card are used for sensor data which is not required for automatic landing, and so at least some of the failures of these buffers would not prevent the card from correctly handling required data. However, the failure rates used in the analysis are for the entire card, including these buffers, so that the failure probability calculated for the card includes card failure modes which would not affect automatic landing.
TABLE 2. QUANTITATIVE RESULTS

Event                                              Fault Tree Result    CARSRA Result
Unannunciated failure in cruise and second         2.46 x 10^-14        3.36 x 10^-14
  failure in landing
Multiple failures in landing                       0.64 x 10^-9         0.0 x 10^-9
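The quantitative step above combines basic-event probabilities through the AND/OR gates of the tree. The following Python is an added illustration, not code from the report or from the RDFCS program: it evaluates a small tree whose shape follows the Level-2 branches of Figure 6 (an unannunciated failure during the 4.0 hours of cruise followed by a second failure in the 0.02-hour crucial phase, and multiple failures within the crucial phase), and it extracts the minimal cut sets so that single-point failures can be checked for directly. The event names and the failure rates (1e-5 and 1e-6 per hour) are hypothetical placeholders, not the rates of Section 8; the software function is carried at rate zero, as the report does.

```python
"""Quantitative fault tree evaluation: basic events with constant failure
rates over an exposure time, AND/OR gates, and minimal cut sets."""
import math

CRUISE_HOURS = 4.0     # flight time before the crucial phase (from the report)
CRUCIAL_HOURS = 0.02   # crucial phase duration (from the report)


class BasicEvent:
    def __init__(self, name, rate_per_hour, exposure_hours):
        self.name = name
        self.rate = rate_per_hour
        self.exposure = exposure_hours

    def probability(self):
        # Constant failure rate: P(fail within t) = 1 - exp(-lambda * t).
        return 1.0 - math.exp(-self.rate * self.exposure)

    def cut_sets(self):
        return {frozenset([self.name])}


class Gate:
    def __init__(self, kind, *children):
        if kind not in ("AND", "OR"):
            raise ValueError(kind)
        self.kind = kind
        self.children = children

    def probability(self):
        # Children are treated as independent events.
        ps = [c.probability() for c in self.children]
        if self.kind == "AND":
            return math.prod(ps)                      # all inputs must fail
        return 1.0 - math.prod(1.0 - p for p in ps)   # at least one fails

    def cut_sets(self):
        """Minimal cut sets: smallest sets of basic events that fail this gate."""
        child_sets = [c.cut_sets() for c in self.children]
        if self.kind == "OR":
            result = set().union(*child_sets)
        else:
            result = {frozenset()}
            for s in child_sets:
                result = {a | b for a in result for b in s}
        # Drop any cut set that strictly contains another (not minimal).
        return {s for s in result if not any(o < s for o in result)}


def single_point_failures(node):
    """Basic events that alone fail the top event (cut sets of size one)."""
    return sorted(next(iter(s)) for s in node.cut_sets() if len(s) == 1)


def build_example_tree(fcc_rate=1e-5, annunciator_rate=1e-6):
    """Hypothetical rates per hour; the shape follows the Figure 6 branches."""
    fcc1_cruise = BasicEvent("FCC 1 channel fails in cruise", fcc_rate, CRUISE_HOURS)
    no_dual_hw = BasicEvent("NO DUAL annunciation hardware fails",
                            annunciator_rate, CRUISE_HOURS)
    # Exhaustively tested software function: carried at rate zero, as in the report.
    no_dual_sw = BasicEvent("NO DUAL software function fails", 0.0, CRUISE_HOURS)
    fcc1_landing = BasicEvent("FCC 1 channel fails in crucial phase",
                              fcc_rate, CRUCIAL_HOURS)
    fcc2_landing = BasicEvent("FCC 2 channel fails in crucial phase",
                              fcc_rate, CRUCIAL_HOURS)
    # Second Level-2 event: an unannunciated (latent) failure before the
    # crucial phase, then a second failure during it.
    latent = Gate("AND", fcc1_cruise, Gate("OR", no_dual_hw, no_dual_sw))
    latent_then_second = Gate("AND", latent, fcc2_landing)
    # Third Level-2 event: multiple failures within the crucial phase.
    multiple_in_landing = Gate("AND", fcc1_landing, fcc2_landing)
    return Gate("OR", latent_then_second, multiple_in_landing)


def example_results():
    top = build_example_tree()
    return {"probability": top.probability(),
            "cut_sets": sorted(sorted(s) for s in top.cut_sets()),
            "single_points": single_point_failures(top)}


if __name__ == "__main__":
    for key, value in example_results().items():
        print(key, value)
```

With these placeholder rates the top event is dominated by the two-failures-in-landing branch (roughly (λT)^2 for T = 0.02 h), the cruise-then-landing branch is three orders of magnitude smaller, and the cut-set listing shows that every cut set has at least two members, i.e. no single hardware failure reaches the top event. Using whole-card rates for basic events, as the report does, keeps the result an upper bound.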
6. FAILURE MODE AND EFFECT ANALYSIS
ROLE IN INTEGRATED ASSURANCE
As stated in Section 5, fault tree analysis provides assurance that most system components, such as analog sensors and servos, have no single failure mode which produces system failure. This is because such components have only a few possible failure modes, and it frequently is not necessary to distinguish in the fault tree among these modes. When it is necessary to distinguish among modes, it is usually fairly simple to identify the modes which are relevant in the branch of the tree being developed. The analysis can often be extended below the component level to the failure modes of the individual piece-parts which comprise the component. Analysis to this very detailed level is sometimes necessary to ascertain that a component has no failure modes which could remain undetected until a second failure occurs elsewhere in the system.
Fault tree analysis is cumbersome and inefficient if extended from system level to the integrated circuit pin level in the processor of a digital system, however. This is a result of two basic characteristics of digital systems:
1. Functions which are described very simply at a higher level (e.g., sensor monitoring) require a myriad of sequential operations at the integrated circuit level. These operations are required to obtain the proper data, route it to the proper registers within the arithmetic logic unit (ALU) where arithmetic and logic operations are actually performed, and route the results to the proper storage register or output port. Many different integrated circuits are involved in each of these operations.
2. Many interfaces between integrated circuits involve several pins, and it is the combination of pin states (electrically high or low) which is significant. That is, each combination of pin states represents a different data value or instruction, and the effect of a single pin being in the wrong (faulted) state depends on the state of the other (non-faulted) pins.
The net result of these characteristics of digital hardware is that there are many more integrated-circuit-level operations performed in executing the flight software than there are pin-level failure modes. In extending a fault tree analysis from failure of system-level functions to failure of integrated circuit pins, all of these detailed operations must be included and accounted for, an extremely inefficient process. Once the fault tree had been fully developed, another extremely laborious task would remain: reviewing the tree to make certain (1) that all of the failure modes of the integrated circuits had been accounted for, and that no failure mode could remain undetected until a second failure occurred, with the combined effect of both faults producing a hazardous condition; and (2) that no failure mode could by itself produce a hazardous condition.
Failure mode and effect analysis provides a means of systematically examining all of the potential failure modes of the integrated circuits to confirm that none of them could cause a hazard directly or remain latent and subsequently cause a hazard in conjunction with a second failure.
GENERAL CONSIDERATIONS
In conducting the pin-level failure mode and effect analysis of a processor, three factors greatly reduce the effort. The first factor is that propagation of most faults under all conditions does not have to be considered. A single effect can usually be found which will totally debilitate the processor. For example, a faulted processor output pin will result in the processor trying to read about half of the data and machine level instructions from the wrong memory addresses. This will result in the coil current comparators tripping, sensor comparisons failing, and in the case of the RDFCS, the iteration monitor will fail. In a system using check-sums to monitor program memory, these tests will fail.
The second factor which reduces the effort is that many pairs of faults will have the same effect. There are numerous instances of an output pin on one IC being connected only to one other pin. If either pin fails open, the effect will be the same. Similarly, a ground fault in either pin will produce the same effect.
The third factor which reduces the effort is that there are many instances in which three pins are connected so that one output pin drives two input pins on different circuits. An open fault at each of the input pins can be evaluated first. An open fault at the output pin is then equivalent to both input pins failing open simultaneously, and in most cases the effect is the "sum" of the effects of the input pins failing open; that is, both effects occur. If both input pins are on the same chip, the effect of both being open is more likely to differ from the sum of the individual effects. See Figure 18.
The effect of any of the three pins failing shorted to ground is the same in either of the two cases of Figure 18.
Another frequently encountered condition involving three pins is two outputs connected to a single input (Figure 19). In such a case, chips A and B will have three-state outputs, and one or both outputs should be in the high-impedance state at all times. An open fault on the output pin of chip A will then only affect chip C when A has its output enabled. Similarly, an open fault on the output pin of chip B will only affect chip C when B has its output enabled. An open fault on the chip C input pin will usually produce the sum of the effects of open faults on the two output pins. A ground fault on any of the three pins will have the same effect.
Still referring to Figure 19, if a fault should occur which results in both enable pins being in the enable state, there is a possibility of damage to the A or B chip. If one output is high and the other low, there could be a low impedance path to ground, through the output pins, which could burn out the A or B chip. This depends on the technology used in the individual chips. Frequently, the effect of the original ground fault can be judged to be a total processor failure whether or not the secondary damage occurs.
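The three reduction rules above can be applied mechanically once the circuit is expressed as a netlist, which is how the pin-level fault list is normally kept to a tractable size. The Python below is an added example, not part of the report or of the RDFCS FMEA: it takes a constructed netlist (chip names U1 through U7 and their pins are hypothetical, not the Control or Data Path Card schematics), enumerates every open, ground and supply-short fault, and groups them into the analysis cases the rules justify. Cases whose effect is the "sum" of cases already assessed are marked as derived, and nets with two three-state drivers are flagged for the contention hazard of Figure 19.

```python
"""Pin-level FMEA bookkeeping: group open / ground / supply-short pin faults on
a netlist into equivalence cases using the three reduction rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pin:
    chip: str
    name: str
    direction: str            # "out" or "in"
    tristate: bool = False    # output with an enable (three-state)


@dataclass(frozen=True)
class Net:
    name: str
    pins: tuple               # Pin objects electrically tied together


@dataclass
class FaultCase:
    key: str                  # label of the single effect to be assessed
    covers: tuple             # (Pin, kind) raw faults sharing that effect
    derived: bool = False     # effect follows from other cases (the "sum")
    note: str = ""


KINDS = ("open", "ground", "vcc")


def raw_faults(nets):
    """Every (pin, kind) combination: the unreduced FMEA workload."""
    return [(p, k) for n in nets for p in n.pins for k in KINDS]


def reduce_net(net):
    cases = []
    # A short to ground or to supply anywhere on a net is one fault.
    for k in ("ground", "vcc"):
        cases.append(FaultCase(f"{net.name}:{k}", tuple((p, k) for p in net.pins)))
    outs = [p for p in net.pins if p.direction == "out"]
    ins = [p for p in net.pins if p.direction == "in"]
    if len(net.pins) == 2:
        # One output tied only to one input: either pin open is the same fault.
        cases.append(FaultCase(f"{net.name}:open", tuple((p, "open") for p in net.pins)))
    elif len(outs) == 1 and len(ins) >= 2:
        # One output driving several inputs: assess each input open, then the
        # output open is the sum of those (unless the inputs share a chip).
        for p in ins:
            cases.append(FaultCase(f"{net.name}:{p.chip}.{p.name}:open", ((p, "open"),)))
        same_chip = len({p.chip for p in ins}) < len(ins)
        cases.append(FaultCase(f"{net.name}:{outs[0].chip}.{outs[0].name}:open",
                               ((outs[0], "open"),), derived=not same_chip,
                               note=("inputs on one chip: assess separately" if same_chip
                                     else "sum of input-open effects")))
    elif len(outs) >= 2 and len(ins) == 1 and all(p.tristate for p in outs):
        # Three-state outputs sharing one input: an output open matters only
        # while that output is enabled; the input open is the sum.
        for p in outs:
            cases.append(FaultCase(f"{net.name}:{p.chip}.{p.name}:open", ((p, "open"),),
                                   note=f"only while {p.chip} output is enabled"))
        cases.append(FaultCase(f"{net.name}:{ins[0].chip}.{ins[0].name}:open",
                               ((ins[0], "open"),), derived=True,
                               note="sum of output-open effects"))
    else:
        # No reduction rule applies: every pin open is its own case.
        for p in net.pins:
            cases.append(FaultCase(f"{net.name}:{p.chip}.{p.name}:open", ((p, "open"),)))
    return cases


def reduce_pin_faults(nets):
    return [c for n in nets for c in reduce_net(n)]


def bus_contention_hazards(nets):
    """Nets with two or more three-state drivers: a fault enabling both at once
    may create a low-impedance path between the outputs and damage a chip."""
    return [n.name for n in nets
            if sum(1 for p in n.pins if p.direction == "out" and p.tristate) >= 2]


# Constructed netlist (hypothetical chips U1..U7, not the RDFCS schematics).
EXAMPLE_NETS = (
    Net("n1", (Pin("U1", "Y", "out"), Pin("U2", "A", "in"))),
    Net("n2", (Pin("U1", "Z", "out"), Pin("U3", "A", "in"), Pin("U4", "B", "in"))),
    Net("n3", (Pin("U5", "O", "out", True), Pin("U6", "O", "out", True), Pin("U7", "D", "in"))),
)


def summary(nets=EXAMPLE_NETS):
    cases = reduce_pin_faults(nets)
    return {"raw": len(raw_faults(nets)), "cases": len(cases),
            "independent": sum(1 for c in cases if not c.derived)}


if __name__ == "__main__":
    for c in reduce_pin_faults(EXAMPLE_NETS):
        print(c.key, "(derived)" if c.derived else "", c.note)
    print(summary(), bus_contention_hazards(EXAMPLE_NETS))
```

On the constructed nets the 24 raw pin faults collapse to 13 cases, 11 of which need independent assessment; the remaining 2 are the output-open and input-open "sum" cases. Each case still has to be walked to an effect (processor halt, comparator trip, no effect), which is the work the analysis or fault insertion of Section 7 supplies; the bookkeeping only guarantees that every raw fault is covered exactly once.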
APPLICATION TO RDFCS
In this study, three modules of the processor (Figure 20) were considered at pin level (Ref. Vol. II, Section 5.1.1.1):
o The instruction mapper prom, which consists of three prom chips in parallel
o The microprogram sequencer, which consists of three 2911 sequencer chips in parallel
o The microprocessor module, which consists of 4 chips in parallel. Each of these chips is a 2901A.
Figure 18. One Output, Two Input Conditions
Figure 19. Two Output, One Input Condition (both "A" and "B" enabled simultaneously may damage chip)
The instruction mapper prom chips are read-only memory chips. The inputs to the chip are machine-level operation codes and the depth of the stack maintained in the 2901 microprocessors. These are connected to the address pins of the mapper. The data stored in the prom is the control store prom address of the first microcode instruction required to execute the machine level instruction with the processor stack at a particular depth. The mapper output pins are only active at the beginning of a microcode sequence, at which time a chip enable signal is sent to the mapper from the next address control prom.
The microcode address from the mapper prom is routed to the microprogram sequencer module. This module generates a sequence of microcode addresses, beginning with the starting address from the mapper prom. Some microcode routines involve jumps to a new address rather than sequential progression only. In such cases, the microprogram sequencer receives the jump address from the control store proms and resumes sequential generation of addresses.
The microprocessor module is composed of four 2901A microprocessor chips. Each chip has a word size of 4 bits, so that the four chips in parallel are used to provide the processor 16-bit word size. This requires that carry signals be passed between 2901A's during arithmetic operations. Other interconnections between 2901A's are used for data shift operations.
The 2901A's are controlled primarily by control signals from the control store proms in conjunction with the outputs from various registers. Section 5.1.1.1 of Volume II should be consulted for further information on the functions of these registers and other processor modules.
The failure mode and effect analysis, summarized in Table 3 (in Appendix A), considered three types of pin-level faults: open, grounded, and shorted to supply voltage. In most cases, the effect of a fault can be assessed by using the chip logic diagrams, a description of chip/module functions and the schematic diagrams (Volume II, Sections 5.1.1.1 - 5.1.1.5). The schematic diagrams are reproduced in Appendix C.
The effect of certain pin faults cannot be determined by analysis using just the information mentioned above. In particular, the contents of specific prom addresses is needed in some cases. In other cases the machine-level code is needed along with the microcode sequences and addresses. Alternatively, the faults can be inserted and the effect observed. This approach was taken in this study and the results are presented in Section 7. For example, it was known that with failure of one of the processor pins used in data shifts (R0, R3, Q0, Q3 stuck high or low), there would be an immediate disconnect if certain of the integer words made up of packed Boolean variables were shifted. It was determinable from the available information that such shifts might occur, but it was not determinable that they definitely would occur. Volume II, Tables 5.1.4.3.3.3 and 5.1.4.3.3.4 show examples of such packed words. Similarly, if certain fixed-point numbers were shifted during computation, the commands to the servos would be in error and the coil current comparators would trip. While both left and right-shifts are normally used in multiplication algorithms, it was not determinable that a stuck shift bit would definitely cause such a trip. When the faults were actually inserted, the processor stopped immediately. ("Immediately," as viewed by the human observers.) In this way, fault insertion confirmed the overall effect, massive processor failure and disengagement of the servos, but the exact mechanism by which it occurred was not determined.
7. FAULT INSERTION
ROLE IN INTEGRATED APPROACH
Fault insertion is used in the integrated assurance approach for three purposes as shown in Table 1. These are:
1. Faults are inserted, on a sampling basis, to confirm the fault effects reflected in the fault tree analysis and fault effects determined during failure mode and effect analysis. This includes faults of components (sensors and servos in this study) and faults of integrated circuits (pin-level faults in the digital processor).
2. Faults are inserted, also on a sampling basis, to confirm fault detection and annunciation functions implemented in the system. Many of these are also inserted to confirm effects, so that they are inserted for two specific purposes.
3. Faults are inserted to determine the effect when the analysis is intractable or when there is some uncertainty in the analysis result.
APPLICATION TO RDFCS
The RDFCS simulator at NASA-Ames was used to insert the faults shown in Table 4 (in Appendix B). The faults were of two general types: component level faults and integrated circuit pin faults. The component level faults were inserted using the FCC breakout panels (Figure 21), the Servo Simulator Panel (Figure 22), and the MDICU. Single-sensor faults are those numbered 1 through 19 in Table 4.
Faults representing a dead sensor or a broken wire from the sensor to the FCC were inserted by pulling the appropriate jumper plug at the breakout panel. Faults representing missing sensor validity discretes were also inserted in this way, although they can also be inserted via the Discrete
Figure 21. CAPS Test Adapter and Computer Breakout Panel
Figure 22. Servo Simulator Panel
Switch Panel (Figure 23). Sensor hardovers and ramps were inserted using the MDICU. Servo faults were inserted using the Servo Simulator Panel.
For monitoring the processor detection of sensor faults, the CAPS Test Adapters (CTA) were used. One of the CTA address windows was set to the address of the Executive Failure (Status) Word (EFW) in each computer channel. The EFW is a 16-bit word with each bit representing a discrete piece of information, and there is one EFW for each sensor type in each computer channel. The 4 low-order bits (0-3) represent respectively failure of the My A (EFMA), My B (EFMB), Other A (EFOA), and Other B (EFOB) sensor signals. The other 12 bits have functions as described in Volume II, Table 5.1.2.4.2, which are not of concern here. The data window of the CTA shows the status of the EFW as four hexadecimal characters, with the right-most character representing the bits of interest, 0-3.
The effect of a sensor signal being detected bad by the software sensor monitor is that certain bits are changed from 0 to 1. With no failures detected, EFMA, EFMB, EFOA, and EFOB are all 0, which is represented in hexadecimal notation as 0. (0000 binary = 0 hexadecimal.) When the number 1 sensor of a triple sensor complement is detected to have failed, bit 0 (EFMA) is set to 1 in both channels of FCC No. 1. Bit 1 is also set to 1 so that the comparison monitoring will work properly on the two remaining sensors. The EFW low order bits will then be 0011, which is 3 in hexadecimal. The net effect, then, of the number 1 sensor of a triple sensor set failing is that the value displayed in the CTA window changes from 0000 to 0003. The left-most three hexadecimal digits each remain at 0 since each of the corresponding binary bits (4-15) of the EFW remains at 0.
Fault cases 1 through 8 were used to show that the software sensor monitor subroutine is implemented correctly in the RDFCS by subjecting it to a number of different faults in the same sensor type. These cases were also used to show that the results of the sensor monitoring are accounted for in the implementation of the NO DUAL equation, which is also in software. Cases 9 through 16 were then used to show that the voter is involved for various sensor types. Rigorous validation of the system by testing would require that faults be inserted for all sensor types used in automatic landing. In this study, performed for illustrative purposes, the full complement of sensor types was not faulted.
Figure 23. Discrete Switch Panel
In case 2, NO DUAL did not annunciate even though the fault was inserted with the airplane inbound to the ILS beam intercept point. It is believed to be the result of the inbound leg being flown at an unrealistically low altitude, so that the airplane did not track the glideslope beam for 25 seconds before passing through 150 ft altitude. A review of the NO DUAL annunciation logic (Volume II, Section 5.1.2.3.1.3) shows that this is the most likely cause, since AP.ONEFAIL was set to true. Low approaches (1500 ft) were being simulated in the interest of time. Approach altitude was subsequently raised to 2000 ft.
Faults 17 through 19 were used to confirm the servo monitoring and the tie-in of the servo monitor outputs to the NO DUAL and disconnect logic. The servo monitors, in particular the coil current comparators, are quite important in ensuring that the airplane does not enter the crucial phase with a faulty computer or servo.
Fault cases 43 through 45 were used to confirm that the FCC's will both disengage upon loss of the second sensor, with the AP.DISC warning displayed, in accordance with the system description, Volume II, Section 4.3.6.1.
At the integrated circuit pin level, a number of open and ground faults were inserted to confirm the FMEA results of Section 6. For this activity, one of the FCC's was removed from the pallet and the card containing the chip to be faulted was extended for access as shown in Figure 24. Figure 25 shows the processor Data Path card.
Open pin faults, Cases 20 through 23, were inserted by using multiple sockets between the chip and the circuit card, with a jumper wire replacing the normal pin-to-socket connection. Each fault was inserted by physically pulling the jumper to open the connection. This is a slow procedure, since the chip must be removed and the jumper wire rigged on the desired pin. The chip and sockets must then be installed and the processors brought back up. This means of inserting open pin faults is only marginally satisfactory. It would be much easier to do if a stack of 5 or 6 sockets could be used between the chip and the circuit card. However, the processor will not come up with more than three sockets stacked. The longer electrical paths resulting from the use of the extender card apparently come close to exhausting the available tolerance in the timing of the individual microsteps, and the extra path length and capacitance caused by more than three sockets disables the processor.
Figure 24. FCC With Processor Card Extended
Grounded pin faults are much easier to insert, since the chip does not
have to be removed to set up each ease. The processor does have to be
• brought back up each time, but this is a fairly rapid step. Before each
fault was inserted, the data sheets from the chip manufacturer were
reviewed, along with the card schematics, to determine that the fault would
not damage any chips. No chips were damaged by the ground faults. The
gro,.ald pin faults are eases 24 through 42 in Table 3.
The chip pin faults all disabled the processor, with the exception of
open pin fault 21. This fault involves a pin of a quad 2-input NOR gate.
The fault had no effect on the processor operation.
FAULT INSERTION RESULTS

The faults inserted in the RDFCS simulator achieved the desired re-
sults in the assurance assessment of this study, and more importantly
confirmed that fault insertion is capable of providing the results required
of it in the integrated assurance approach. Specifically, the faults
inserted confirmed (1) that the NO DUAL warning appears when it should, (2)
that all sensor types faulted and required for automatic landing are
monitored, (3) that the servo monitoring functions correctly, (4) that the
effect of pin-level faults in the processor is in agreement with the
failure mode and effect analysis, and (5) that fault insertion is a
reasonable way of resolving uncertainty of the effect of open and grounded
pin faults in digital hardware. While these results were obtained on a
particular system, the approach is judged to be viable for validating other
digital systems.
8. FAILURE RATE DEVELOPMENT

The failure rates for servos, sensors, and indicators were taken from
the data base maintained by the Lockheed-Georgia Company Reliability
Engineering Department. They are composite values for representative
components of comparable complexity and construction.

The failure rates for the integrated circuits of the Data Path and
Control Cards were estimated using the formulas and tables of Military
Handbook 217C (Ref. 8). The formulas provide a means of accounting for a
significant number of factors:
1. Device technology
2. Device complexity
3. Junction temperature
4. Package technology
5. Application environment (voltage)
6. Usage environment
7. Quality level
For example, the equation for the failure rate of a monolithic bipolar
device is:

$$ f = K_Q \left[ C_1 K_T K_V + (C_2 + C_3) K_E \right] K_L $$

where:

f is the device failure rate
K_Q is the quality factor
K_T is the temperature adjustment factor for junctions
K_V is the voltage derating stress factor
K_E is the application environment factor
C_1 and C_2 are complexity factors based on transistor count
C_3 is a complexity factor based on package technology and number of pins
K_L is a learning factor.
The quality factor, K_Q, has a value of 1 for devices procured in full
accordance with MIL-M-38510 (Ref. 9), Class B requirements. This value was
used for all circuits in this project. It should be noted that the quality
factor is a direct multiplier, so that the predicted rate is proportional
to it. More or less stringent quality factors can therefore greatly
influence the prediction for any individual circuit, circuit board, or an
entire component.

Junction temperatures are used in determining the adjustment factors K_T.
The junction temperature is ambient temperature plus the differential
resulting from power dissipation through the case. An ambient of 6eC
was used, with the power dissipation taken from the circuit specification.
The voltage derating stress factor is 1 for the bipolar circuits used
in the CAPS processor. The application environment factor is 3.5 for the
airborne, inhabited, transport environment of the aircraft underdeck
avionics rack. Failure rates for the circuit cards of the FCC's were
obtained by summing the failure rates for the card and its components.
Table 5 summarizes the failure rate prediction for the A13 control card.
Failure rates for the other cards are shown in Table 6.

Table 7 presents failure rates for the system components other than
the FCC's.
In using these rates in the fault tree and CARSRA analyses, an
adjustment was frequently required to include only a portion of the rate,
since only certain failure modes are of interest. For example, each dual
current comparator has a predicted failure rate of 0.03. Each half of the
comparator is given a rate of .01 for the failure mode of failing to trip
when the threshold difference is exceeded. This is a very conservative
rate for this mode.
TABLE 5. FCC CONTROL CARD FAILURE RATE

ITEM                    FAILURE RATE*
Integrated circuits     1.788
Resistors                .0018
Capacitors               .214
Oscillator               .25
Coil                     .0007
Circuit Board            .023
Edge Connector           .16
Control Card            2.45

*All failure rates in failures per million hours.
TABLE 6. PREDICTED FCC CARD FAILURE RATES

CARD NO.                                FAILURE RATE*
A1        Power Supply Monitor           0.555
A2-A3     PROM Card                       .809 each
A6        Power Supply Monitor            .55
A7-A10    PROM Card                       .809 each
A11       Terminator/Test Access          .555
A12       RAM Memory Control             1.18
A13       CAPS Control                   2.45
A14       CAPS Data Path                 1.98
A16       Cross-channel Receiver          .70
A17       DITS Transmitter               1.75
A18       D/A Servo Command              1.75
A19       Terminator/Time Synch          1.40
A20       Discrete Output                2.79
A21       Data Transmitter/Receiver       .70
A22       Serial Digital Input No. 1     1.65
A23       Serial Digital Input No. 2     1.80
A24       Autoland Sensor Input          1.80
A25       Cruise Sensor Input            1.12
A26       Data Acquisition               1.20
A27       Discrete Input                 1.30
A28       Servo Engage Logic             2.61
A29       Cross Channel XMTR             1.20
A30-A32   Servo Amplifier                3.00
A33       Speed Servo Amp                1.70
A300      Speed Command XMTR             1.70
A400      Power Supply                  21.0
A500      Power Supply                  21.0

*All failure rates in failures per million hours.
TABLE 7. FAILURE RATES FOR MAJOR RDFCS COMPONENTS

COMPONENT                               UNIT FAILURE RATE*
Pitch Angle Gyro                         303
Roll Angle Gyro                          303
Yaw Rate Gyro                            200
Accelerometer                             74
Radio Altimeter                          756
ILS Receiver                             252
Air Data System                          167
Roll Autopilot Servo                      14
Pitch Autopilot Servo                     15
Yaw Autopilot Servo                       14
EE Valve Drive Coil                        1.0
LVDT                                        .72
Dual Current Comparator (Hardware)          .03
Warning Annunciator (per function)         8.3

*These are NOT actual failure rates for any particular air-
plane or for any single component produced by a particular
manufacturer. They are representative rates determined by
a review of generic component types on a number of airplane
models in a variety of commercial and military applications.
All failure rates per million hours.
9. RELIABILITY PREDICTION USING CARSRA
CARSRA, which stands for Computer-Aided Redundant System Reliability
Analysis (Ref. 10), is an analytical reliability prediction program used in
the integrated assurance approach to obtain the probability of system
failure. In this study, the probability of failure is only considered dur-
ing the crucial flight phase, which has a duration of 0.02 hours.

The use of CARSRA, along with the quantitative assessment produced by
evaluating the fault tree analysis, provides two independent computations
of system failure probability. This reduces the risk of a false, low
probability of failure being produced by a single method and the error
remaining undetected.

Although CARSRA is identified specifically in the integrated assurance
approach used in this study, some other method (except fault tree analysis)
could be used. If an alternate method is used, it should have sufficient
configuration adaptability to produce the predicted probability of system
failure without requiring simplifying assumptions which would produce a
false, low prediction. Manual analysis is a feasible alternative to CARSRA
for many systems.
CARSRA APPLICATION

Configuration Description

Three levels of organization are implicit in the CARSRA inputs, and
these levels must be adhered to by the user. At the top level is the
system, in this case the RDFCS. System failure probabilities constitute
the primary output provided by CARSRA. The intermediate level is comprised
of stages. Each stage consists of one or more identical modules, which are
at the lowest level. In the RDFCS, each sensor is a module, and like
sensors form stages. For example, each of the three normal accelerometers
(NA) is a module, and the three NA together comprise a stage.
Markov Models

Markov models were selected by the CARSRA developers as a major part
of the program's analytical framework. The following discussion of these
models includes some material on applying CARSRA to systems other than the
RDFCS. This material is intended to benefit readers not familiar with the
rationale of developing the input parameters for Markov models as used in
CARSRA.
A Markov model is used to describe the number of failed and operating
modules within each stage. The transition rates from state to state are
used by CARSRA in computing state occupancy probabilities. A separate
Markov model is used for each stage. State 1 is the no-failure state in
each model, and the two states with the highest numbers correspond to stage
failure. The model always starts in State 1. For example, a dual stage
(one of two identical modules required for the stage to function) might
have 4 states, as shown in Figure 26. State 1 represents both modules
working, State 2 represents one module failed and one working, and States 3
and 4 represent both modules failed. The highest numbered state, 4 in this
case, represents undetected stage failure, while State 3 represents
detected failure. Note that State 2 does not distinguish which module has
failed.
State transition rates must be supplied to CARSRA by the user. These
are generally functions of the module failure rates, and possibly other
parameters. Returning to the example of the dual stage used previously,
the Markov state diagram would be as in Figure 26. Transition rate f12 is
the rate at which transitions occur from State 1 to State 2. That is, if the
system is in State 1, the probability that it will transition to State 2
during a short increment of time dt is f12 dt. The other transition rates
are similarly defined.

If there is no monitoring or switching required when the first module
fails, and if there is no possibility of the stage failing undetected, the
transition from State 1 will always be to State 2, and the transition from
State 2 will always be to State 3. Transition rate f12 will be simply 2f
and f23 will be f, where f is the failure rate of a single module. The
other transition rates will be 0. Note that this means that State 4 will
never be occupied, consistent with undetected stage failure being impos-
sible.
Figure 26. Markov Model of Dual Stage
(State diagram: State 1, no failures; State 2, one failure; State 3, two
failures, detected; State 4, two failures, undetected; transition rates
f12, f13, f14 out of State 1 and f23 out of State 2.)
In many instances encountered in real systems, digital or otherwise, a
reconfiguration must occur before the redundancy can be used. In the
example dual case, an output monitor could be used on each module. If the
monitor can detect 97% of module failures, e.g. no output or unreasonable
output, the monitor provides "coverage", c, of 97%. The transition rate
f12 is then 2fc, so that 97% of the transitions from State 1 go to State 2.
Of the remaining 3% of the transitions from State 1, some fraction,
e.g. 2/3, could go to State 3 and the rest to State 4. This would result
in f13 being 2f(1-c)(2/3), or 2f(.02), and f14 being 2f(1-c)(1/3), or
2f(.01).
Note the distinction between coverage, which relates to module fail-
ure detection, and undetected stage failure. Note also that the function
of a particular stage could be such that it cannot fail undetected, even
though individual modules within the stage may fail with coverage less than
1. In other cases, stage failure may be detected only by multiple module
failures being detected.

It should also be noted that the sum of transition rates out of State
1 is 2f. In general, if any state corresponds to N modules working, the
sum of transition rates out of that state will be Nf.

It should be noted also that stages can fail for two reasons, spares
exhaustion or coverage failure. In contemporary aircraft systems having
critical functions to perform, coverage failures are of as much concern as
spares exhaustion.
In the previous dual stage example with 97% coverage of the first
module failure, no consideration was included of the failure rate of the
monitor itself. The coverage factor of 97% means that 97% of the module
faults are of such a nature that they can be detected by an unfailed
monitor. The rest are outside of the monitor's capability. In cases where
dedicated hardware monitors are used, it is appropriate to consider their
failure rates and failure modes. A two-state monitor is the type most
frequently encountered. It provides only a GOOD/BAD signal. Such a
monitor has only two failure states: false indication of BAD when the
module is good, and false indication of GOOD when the module is bad.

The simplest way of treating such monitors in CARSRA is to combine the
monitors with the modules as a single stage. The transition rate from
State 1 to State 2 is then

$$ f_{12} = 2 f c r_m + 2 f_m a $$

where f and c are as before, $r_m$ is the reliability of the monitor over
the entire flight time, $f_m$ is the monitor failure rate, and a is the
fraction of monitor failures resulting in a good module being declared
bad. The other transition rates would be similarly defined, recognizing
the relation between detection of stage failure and component monitors.
Each instance of such a stage must be evaluated individually in
determining the applicable rate formulas.

Frequently, certain terms in a rate equation can be ignored because
they are numerically negligible. For example, if $f = 120 \times 10^{-6}$
and $f_m = 0.1 \times 10^{-6}$, the term $2 f_m a$ can be ignored in the
formula $f_{12} = 2 f c r_m + 2 f_m a$, provided c is not absurdly small.
If c is 90%, a is 50%, and the flight time is 10 hours,

$$ f_{12} = 2 (120 \times 10^{-6})(0.90) \exp(-0.1 \times 10^{-6} \times 10)
+ 2 (0.1 \times 10^{-6})(0.50) = 216 \times 10^{-6} + 0.1 \times 10^{-6}. $$

Inclusion of the term yields a rate of 216.1; ignoring it yields 216.
The difference is much less than that caused by uncertainty in the module
failure rate, $120 \times 10^{-6}$.
Dependencies

CARSRA permits the user to describe instances in which failures of a
module in one stage will prevent a module in another stage from being used.
An example of this in the RDFCS is the portion of each FCC channel which
receives sensor data and makes it available to the other channels. Data
Acquisition Card A26 in FCC No. 1 receives data from the No. 1 unit of each
triple sensor type, and relays it to another card for transmission to the
other three channels and for use by its own channel (Ref. Vol. II,
Section 5.1.1.3.1.5). There are 5 triple-sensor types involved in the
autoland mode: pitch, roll, and yaw rate gyros; and lateral and normal
accelerometers. (The A26 card also handles data from other sensors, but
only these five will be used for discussion here.) If the A26 card fails
in FCC No. 1, the data will be lost from pitch gyro No. 1, roll gyro No. 1,
yaw rate gyro No. 1, lateral accelerometer No. 1, and normal accelerometer
No. 1, just as if all 5 of these sensors had failed. The A26 card is
called a dependency module, and its stage a dependency stage. Each of the
affected sensors is called a non-dependency module, and the corresponding
stage a non-dependency stage.

Coverage for sensor failures is provided by comparison monitoring and
reconfiguration (Vol. II, Sec. 5.1.2.4). Each channel independently per-
forms the sensor monitoring functions on the data it will use in control
law computations. When a channel detects a failed sensor, it does not
transmit the identity of the individual sensor to the other channels. When
a B channel detects a failure, it does transmit a discrete variable,
AP.ONEFAIL, to the A channel in the same FCC. The A channel will turn on
the NO DUAL annunciation based on its receipt of AP.ONEFAIL from B, or its
own detection of a sensor failure. The NO DUAL indication is provided to
inform the crew that the RDFCS is not fail-operational. The No. 1 FCC
drives the No. 1 Warning Annunciator Indicator (WAI) and the No. 2 FCC
drives the No. 2 WAI, so that warning will be provided if either channel of
either FCC detects the failure.
The sensor monitoring is part of the foreground flight software. Con-
sequently, for a channel to detect a fault, the CAPS processor must func-
tion, as must the CAPS bus and portions of the program and data memory.
These are the same hardware elements which perform other functions, such as
control law computations and mode logic computation. Most faults in these
circuits will result in a totally debilitated processor, so that the in-
ability to monitor sensors is inconsequential. Note also that even if
one channel does lose the ability to monitor sensors, any one of the other
three channels can force the NO DUAL warning.

In light of the foregoing, the only appreciable probability that the
loss of fail-operational sensor capability will not be annunciated results
from loss of both WAI. The multiple-function WAI (Ref. Vol. II, Section
5.16.1) has a unit failure rate prediction of 33 per million hours. The
failure rate of any one of the 8 warning messages is conservatively taken
to be one-fourth the unit rate, or 8.3 per million. It may be noted from
Vol. II, Table 5.1.4.6 that the FCC activates the NO DUAL message by pro-
viding a ground to the WAI, so that a broken wire or bad connector contact
would prevent annunciation. A rate of 1.3 per million hours is included
for such failures. Also, the Discrete Output (A20) and Servo Engage Logic
(A28) cards are involved, with failure rates of 2.79 and 2.61 per million
hours, respectively. Even though only a portion of the failures of these
cards will affect NO DUAL, the full rate is used. Further analysis could
reduce this rate substantially. The failure rate for NO DUAL is then

    WAI          8.3 x 10^-6
    Wiring       1.3
    A20 Card     2.79
    A28 Card     2.61
    Total       15.0 x 10^-6

The probability of failure in a 4-hour time period is then 60 x 10^-6. The
probability of both NO DUAL warnings being lost is the square of this
number, 3.6 x 10^-9. It may be noted from Vol. II, Sec. 5.1.2.3.1.1.3 that
the test button on the WAI results in the FCC circuitry and the wiring
being tested as well as the WAI itself. Thus latent failures are not a
problem, provided the indicators are tested prior to autoland.
The factor 3.6 x 10^-9 is used as the probability that the first
failure of a sensor type will not be covered. This does not constitute
stage failure, either detected or undetected. Undetected stage failure is
assumed to occur on second failure, provided the first failure was un-
detected. This is somewhat a misuse of the term "undetected"; the stage
failure itself is not necessarily undetected, but the increased likelihood
of its occurrence, following first failure, is not annunciated.

This treatment of sensor failures allows the availability feature of
CARSRA to be used in computing the probability of loss of one sensor prior
to 150 ft., failure of the NO DUAL annunciation, and another failure below
150 ft. The availability feature is discussed in the next section.
Availability

CARSRA permits system reliability to be computed for a mission phase
which follows a period of operation with less stringent failure criteria.
An obvious example of this is the RDFCS, which is fail-passive in cruise,
but must be fail-operational in autoland below 150 ft. The availability
feature allows the user to specify which modules may be failed at the
beginning of autoland without forcing diversion to an alternate landing
site. Each such availability configuration must provide adequate re-
liability for the landing, although not as much as if everything is work-
ing. The RDFCS requires all of the modules used in autoland to be oper-
ational, so that the availability feature might seem not needed in this
assessment. It is needed, though, to compensate for a capability which
CARSRA lacks.

The reliability of the RDFCS for automatic landing is predicated on
the system being fail-operational as the alert height is passed. There-
fore, the probability of the system having a latent failure at 150 ft. and
a second failure below that point must be quite small.
By setting up the CARSRA input to allow one sensor of each type to
fail during cruise, with the transition rate from State 2 to the undetected
failure state including the coverage factor of 3.6 x 10^-9, the undetected
system failure probability computed by CARSRA will give the probability of
an undetected latent failure at 150 ft. and a second failure before touch-
down. (See Figure 27.)
What CARSRA will actually compute is:

P(no failures at 4 hours) x P(undetected failure and detected failure
between 4 and 4.02 hrs.)
+ P(1 undetected failure at 4 hours) x P(second failure between 4 and
4.02 hrs.)

Since the probability of both an undetected and a detected failure
between 4 and 4.02 hours is very small, the first term is negligible and
the output will be equal to the second term, which is the probability
desired. This approach is used for the undetected (unannunciated) failures
throughout the system. The definition of stages and the transition rates
are shown in Figure 28.

Figure 27. Markov Model Coding for Sensor Stage
(States: 1, no failures; 2, one failure; 3, two failures, detected; 4, two
failures, undetected. Transition rates:)

RATE    DUAL SENSOR    TRIPLE SENSOR
f12     2f             3f
f13     0              0
f14     0              0
f23     f              2f
f24     fa             2fa

f = MODULE FAILURE RATE
a = ANNUNCIATION FACTOR, 3.6 x 10^-9
The CARSRA program computed some negative probabilities for the un-
annunciated failures. It is suspected that this may have been caused by
the program being run on a Univac 1100-series computer, which has a 36-bit
word length. The transition rates to the unannunciated failure states are
quite small in some cases (1 x 10^-13), and addition and subtraction of
numbers of this magnitude with numbers close to 1.0 could produce some
numerical accuracy problems on a 36-bit machine. At NASA-Ames, the program
is run on a CDC computer, which has a much larger word size, 64 bits, so
that the problem is thought to be unlikely there. Time was not available
during the study to investigate and resolve the problem, but this will be
done when possible.

Because of the numerical problem encountered with the CARSRA output,
the system failure probabilities reported herein were actually manually
calculated. This was done by manually computing the stage occupancy
probabilities, and then combining these probabilities to account for
dependencies between stages, using the same logic that the CARSRA program
uses.
The probability of an undetected failure prior to the crucial phase,
followed by a second failure in the crucial phase, is 3.36 x 10^-14,
compared to 2.46 x 10^-14 from the fault trees. The probability of multiple
failures in the crucial phase, if everything is working just prior to the
phase, is 0.658 x 10^-9, compared with 0.638 x 10^-9 from the fault trees.
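The stage calculations described under Markov Models and Availability above, worked through in Python as an added example. This is not code from the report, from Lockheed-Georgia, or from the CARSRA program; it implements the small continuous-time Markov chains the text describes, using the report's own symbols (f, c, r_m, f_m, a, f12 through f24). It reproduces the f12 = 216.1 per million hours monitor example, computes the two-phase sensor-stage probability that the availability feature is used for (4 hours of cruise, then the 0.02 hour crucial phase, carrying States 1 and 2 across the alert height), and shows why an occupancy of order 10^-14 obtained as 1.0 minus the other occupancies is unreliable at a short word length. The module failure rate of 303 per million hours is the Table 7 gyro value, used here only for illustration; the matrix-exponential helper and the assumption that a 36-bit word carries about 8 significant decimal digits are mine, not the report's.

```python
"""Stage-level Markov models in the manner of CARSRA.

Added example; not code from the report or from the CARSRA program.
Rates are per hour; the report quotes them per million hours.
"""
import math
from decimal import Decimal, localcontext


def expm(a, terms=40):
    """exp(A) for a small square matrix (list of lists) by Taylor series
    with scaling and squaring; adequate for the stage generators here."""
    n = len(a)
    norm = max(sum(abs(x) for x in row) for row in a)
    s = 0
    while norm > 0.5:            # scale A down so the series converges fast
        norm /= 2.0
        s += 1
    a = [[x / 2.0 ** s for x in row] for row in a]
    ident = [[float(i == j) for j in range(n)] for i in range(n)]
    result, term = [r[:] for r in ident], [r[:] for r in ident]
    for k in range(1, terms):    # term_k = term_{k-1} * A / k
        term = [[sum(term[i][m] * a[m][j] for m in range(n)) / k
                 for j in range(n)] for i in range(n)]
        result = [[result[i][j] + term[i][j] for j in range(n)]
                  for i in range(n)]
    for _ in range(s):           # undo the scaling: exp(A) = exp(A/2^s)^(2^s)
        result = [[sum(result[i][m] * result[m][j] for m in range(n))
                   for j in range(n)] for i in range(n)]
    return result


def generator(rates, n_states=4):
    """CTMC generator Q from {(i, j): rate} in the report's 1-based
    f12, f13, ... notation; each diagonal is minus the total rate out."""
    q = [[0.0] * n_states for _ in range(n_states)]
    for (i, j), r in rates.items():
        q[i - 1][j - 1] += r
        q[i - 1][i - 1] -= r
    return q


def occupancy(rates, t, p0):
    """State occupancy probabilities after time t from initial vector p0."""
    n = len(p0)
    e = expm([[x * t for x in row] for row in generator(rates, n)])
    return [sum(p0[i] * e[i][j] for i in range(n)) for j in range(n)]


def dual_stage_rates(f, c, split=2.0 / 3.0, f_m=0.0, a=0.0, t_flight=0.0):
    """Transition rates for the dual stage of Figure 26.
    f: module failure rate; c: monitor coverage; split: fraction of the
    uncovered first failures still detected at stage level (2/3 in the
    report's example); f_m and a: monitor failure rate and fraction of
    monitor failures that declare a good module bad, r_m = exp(-f_m t).
    The second failure is taken as always detected (f23 = f), as in the
    report's simple case."""
    r_m = math.exp(-f_m * t_flight)
    return {(1, 2): 2 * f * c * r_m + 2 * f_m * a,
            (1, 3): 2 * f * (1 - c) * split,
            (1, 4): 2 * f * (1 - c) * (1 - split),
            (2, 3): f}


def sensor_stage_rates(f, a, n_modules=3):
    """Figure 27 coding for a dual (2f, f, fa) or triple (3f, 2f, 2fa)
    sensor stage; a is the annunciation factor, the probability that the
    NO DUAL warning for the first failure is lost."""
    k = n_modules - 1
    return {(1, 2): n_modules * f, (2, 3): k * f, (2, 4): k * f * a}


def unannunciated_failure(f, a, t_cruise=4.0, t_crucial=0.02, n_modules=3):
    """P(unannunciated first failure in cruise, then a second failure in
    the crucial phase), done the way the text describes CARSRA doing it:
    run the stage through cruise, carry States 1 and 2 into the crucial
    phase (one module may be down at alert height: the availability
    feature), then read State 4.  Returns (p_state4_end, p_state2_cruise)."""
    rates = sensor_stage_rates(f, a, n_modules)
    p_cruise = occupancy(rates, t_cruise, [1.0, 0.0, 0.0, 0.0])
    p_start = [p_cruise[0], p_cruise[1], 0.0, 0.0]   # States 3, 4: diversion
    p_end = occupancy(rates, t_crucial, p_start)
    return p_end[3], p_cruise[1]


def complement_at_precision(p, digits):
    """The last state's probability as 1 - (sum of the others), with every
    subtraction rounded to `digits` significant figures.  Assumption: a
    36-bit word carries about 8 decimal digits, so digits=8 mimics the
    Univac run in the text; the answer is rounding noise, not the true
    value of order 1e-14."""
    with localcontext() as ctx:
        ctx.prec = digits
        total = Decimal(1)
        for x in p[:-1]:
            total -= Decimal(x)          # Decimal(float) is exact; the subtraction rounds
        return float(total)


if __name__ == "__main__":
    r = dual_stage_rates(120e-6, 0.90, f_m=0.1e-6, a=0.5, t_flight=10.0)
    print("f12 with monitor: %.4f per million hours" % (r[(1, 2)] * 1e6))
    p4, p2 = unannunciated_failure(303e-6, 3.6e-9)      # gyro rate, Table 7
    print("P(State 2 at 4 h) = %.4e, P(State 4 at 4.02 h) = %.4e" % (p2, p4))
    p = occupancy(sensor_stage_rates(303e-6, 3.6e-9), 4.0, [1.0, 0.0, 0.0, 0.0])
    print("State 4 at 4 h, direct: %.3e, by complement at 8 digits: %.3e"
          % (p[3], complement_at_precision(p, 8)))
```

The direct path to State 4 is a product of small positive numbers and keeps its relative accuracy at any word length; the complement path subtracts numbers near 1.0 and loses everything below the rounding error, which is the mechanism the text suspects behind the negative values.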
FIGURE 28. CARSRA INPUT (coding sheets, pages 73 through 78 of the
report; illegible in the microfiche reproduction)
10. CONCLUSIONS

The conclusions resulting from this study relate to the benefits and
limitations of the integrated assurance approach used and the RDFCS Simula-
tor. Certain of the conclusions lead to recommendations, as discussed sub-
sequently.

The primary conclusion drawn from this study is that the integrated
assurance approach used is workable for a system, such as the RDFCS, which
employs monitoring totally separate from the hardware/software being
monitored. In the RDFCS, this monitoring includes the servo coil current
comparators and the modulator piston follow-up monitoring. It also
includes the warning annunciations which one FCC can generate following a
failure in the other FCC. A single-string, self-monitored system might be
much less amenable to this approach, depending on the monitoring approaches
used. This possibility is outside the scope of this study.
Fault tree analysis is a feasible analytical method for system level
faults. One benefit is that specific software failures are identified as
the analysis progresses. These can be, and should be, used as a check on
the validation test case selection to assure that the software function is
rigorously tested. Fault trees can be extended to the circuit card level
in a well organized computer such as used in the RDFCS. In general, the
analysis is facilitated by a design with clearly partitioned and identifi-
able functions and an interface structure which is consistent for all card
inputs and outputs.
Failure mode and effect analysis is more easily accomplished than
fault trees within the processor itself. This is because of the processor
being involved in a diverse set of functions defined by the flight
software. Most individual pin-level faults have many effects. Usually,
each fault can be traced to an effect which totally debilitates the
processor. Other effects which would also cause massive processor failure,
or erroneous results only under certain conditions, do not have to be
analyzed in detail, provided their effects will not propagate across
channels. In contrast, a fault tree analysis based on loss of required
system functions would result in identification of the same hardware faults
time after time.
The FMEA and fault insertion sessions should be on an iterative basis.
After beginning the FMEA, a fault insertion session should be used to
confirm the analysis to that point. The results should then be incorpor-
ated in the FMEA and the entire FMEA reviewed in light of those results.
This review may lead to identification of additional fault cases which
should be simulated to resolve uncertainty which may have arisen. This
iterative approach was not feasible in this study because of limitations on
the availability of the simulator, which was being used on other projects.
The RDFCS simulator has substantial capability for research investiga-
tions of digital flight control system validation issues. This capability
would be significantly improved by an automated fault insertion and data
recording capability. Such a capability should be preprogrammable with a
list of faults to be inserted. It should include means of recording the
impact of each fault (e.g., changes in the values of discrete variables)
for many more variables than the 4 accessible through the CTA's. It should
allow variables in channels other than the faulted one to be accessed and
recorded.
CARSRA, in its present form, should be used with caution when small
failure rates are involved and when execution is to be on a computer with a
shorter word length than the 64 bits used in Control Data computers. The
possibility of erroneous system failure probability values being output
exists under such conditions. This needs to be explored further.
Fault tree analysis and CARSRA provide comparable results for rela-
tively straightforward redundancy conditions, such as the probability of
multiple failures during the crucial phase when all components are working
at the beginning of the phase. For more complicated situations, the two
methods do not agree as closely. This is a result of different simplifica-
tions and assumptions being made to fit the problem to the two
methods. For example, the third sensor of a triple sensor set (Figure 1)
has redundant input paths to the computers (the data input sections of the
two computer B channels), but the other sensors have only a single data path
(the A channel input sections). This is treated correctly in the fault
trees, but the redundancy cannot be accounted for in CARSRA. The conserva-
tive assumption is therefore made that loss of either B channel sensor
input capability will cause loss of the third sensor in all triple sensor
sets. In validation work, any assumptions required can be made conserva-
tively so that the computed failure probability is actually an upper bound
on the true probability.
REFERENCES

1. Federal Aviation Administration, Advisory Circular 25.1309-1, Sub-
ject: Airplane System Design Analysis.

2. RTCA Document DO-178, "Software Considerations in Airborne Systems and
Equipment Certification," November 1981.

3. Federal Aviation Administration, Advisory Circular 120-28C, Subject:
Criteria for Approval of Category III Landing Weather Minima, (Draft)
May 13, 1982.

4. Lockheed-Georgia Company Engineering Report LG81E0126, "Simulator
Investigation Plan for Digital Flight Controls Validation Technology,"
as revised 10 April 1981.

5. NASA RDFCS System Interface Document, April 8, 1981.

6. Mulcare, D.B. et al: "Industry Perspective on Simulation Methods for
Validation and Failure Effects Analysis of Digital Flight Control/
Avionics," NASA CR-152234, Moffett Field, California, February 1979.

7. Federal Aviation Administration Report, DOT/FAA/CT-82/140, "Digital
Flight Control System Validation Technology Assessment," July 1982.

8. Military Standardization Handbook 217C, "Reliability Prediction of
Electronic Equipment," United States Air Force, Rome Air Development
Center, 9 April 1979, with Notice 1, Supplement, 1980.

9. Military Specification MIL-M-38510, "Microcircuits, General Specifi-
cation for."

10. Bjurman, B.E., et al., "Airborne Advanced Reconfigurable Computer
System (ARCS)," NASA CR-145024, prepared for Langley Research Center,
NASA, by Boeing Commercial Airplane Company under contract NAS1-13654,
August 1976.
APPENDIX A. FMEA RESULTS

[Pages A-1 through A-12: FMEA result tables, illegible in the scanned source.]
APPENDIX B. FAULT EMULATION RESULTS

[Pages B-1 through B-16: fault emulation result tables, illegible in the scanned source.]
APPENDIX C. PROCESSOR SCHEMATIC DIAGRAMS

[Pages C-1 through C-7: processor schematic diagrams, illegible in the scanned source.]