https://ntrs.nasa.gov/search.jsp?R=19660017748 2020-03-16T19:12:49+00:00Z

1.11

# CIRCUITS AND CIRCUIT TESTING

# FOR SPACEBORNE REDUNDANT DIGITAL SYSTEMS



Contract Nasw-572 Reference WGD-38521 September 1963

| GPO PRICE      | S        |                |                                        |
|----------------|----------|----------------|----------------------------------------|
| CFSTI PRICE(S) | \$       |                |                                        |
| Hard copy (H   |          | -              |                                        |
| Microfiche (M  | F) 1 [ 3 | - 72-          |                                        |
|                |          |                |                                        |
|                |          |                | 2                                      |
|                |          |                | •                                      |
|                | W        | Electro        | Electric Corporation<br>onics Division |
|                |          | P. D. Box 1897 | Baltimore 3. Md.                       |





|      |                        |                                        | Page       |
|------|------------------------|----------------------------------------|------------|
| I.   | INT                    | TRO DUCTI ON                           | 1          |
| II.  | MAC                    | 5                                      |            |
|      | Å.                     | Introduction                           | 5          |
|      | B.                     | Dynamic Storage and Sequential Logic   | 6          |
|      | C.                     | Hybrid Devices                         | 7          |
|      | $\mathbb{D}_{\bullet}$ | All-Magnetic Logic                     | 13         |
|      | E.                     | Summary and Conclusions                | 21         |
| III. | SE                     | ICONDUCTOR LOGIC                       | 25         |
|      | A.                     | Introduction                           | <b>2</b> 5 |
|      | В.                     | Classification of Basic Types of Logic | 26         |
|      | C.                     | Comparison of Logic Types              | 31         |
|      | D.                     | Description of Logic Types             | 34         |
|      | E.                     | Logic Selection                        | Ll         |
|      | F.                     | Majority Voter Design                  | <b>հ3</b>  |
|      | G.                     | Comparison of Suppliers                | եե         |
| IV.  | FAI                    | LURE TESTING OF REDUNDANT SYSTEMS      | 49         |
|      | A.                     | Introduction                           | 49         |
|      | B.                     | Singular Rank Testing                  | 65         |
|      | C.                     | Interwoven Rank Testing                | 75         |
|      | D.                     | Circuit Implementations                | 83         |
| V.   | SUM                    | MARY & CONCLUSIONS                     | 88         |

ii

#### ABSTRACT

This report describes the results of the study on the implementation of majority logic redundancy. Most of the work concerns spaceborne systems, but some portions are more applicable to ground support equipment. The report is concerned with the initial design of the system as well as the testing of redundant systems.

The possible use of magnetic logic to reduce the total power consumption and provide non-volatile storage is discussed. Magnetics seems to be most useful for non-volatile memory and simple forms of logic where the data rate is very low. Various types of semiconductor logic are described and compared for use in redundant systems. Integrated Diode-Transistor Logic elements are chosen as the most suitable for general use with Signetics the most appropriate supplier of these elements.

Several methods of testing redundant systems are discussed and described in the section on detection and location of failures. Various solutions to the failure detection problem are discussed in this section. Some are more suitable for simple failure detection; others also provide information concerning the location of any failures. It is shown that maintenance of a redundant system greatly increases system reliability and reduces the test equipment and operator skill which are usually required to maintain a conventional system. Techniques are described which permit a major portion of the maintenance to be performed during normal system operation.

i

### LIST OF FIGURES

| Figure | TITLE                                                   | Page       |
|--------|---------------------------------------------------------|------------|
| l      | CR Gate                                                 | 9          |
| 2      | Negation                                                | 10         |
| 3      | Block Diagram, AND Function                             | 11         |
| L;     | SRI MAD Shift Register                                  | 14         |
| 5      | AMP-MAD Flux States                                     | 17         |
| 6      | ANP-MAD Shift Registor                                  | 19         |
| 7      | R-TL Resistor-Transistor Logic (+NCR)                   | 27         |
| 3      | <pre>PC-TL Direct Coupled-Transistor Logic (+NOR)</pre> | 28         |
| 9      | R-DC-TL Resistor-Direct Coupled-Transistor Logic        | 28         |
| 10     | NS-DC-TL Non-Saturated-Firect Coupled-Transistor        |            |
|        | Lofic                                                   | 29         |
| 11     | D-TL Dicde-Transistor Logic (+NAND)                     | 30         |
| 12     | NS-D-TL Non-Saturated-Diode-Transistor Logic            | <b>3</b> 0 |
| 13     | T-TL Transistor-Transistor Logic                        | 31         |
| 14     | Speed-Power Performance                                 | 37         |
| 15     | Majority Element with Input Isolation                   | 43         |
| 16     | Reliability of Conventional vs. Redundant Systems       | 49         |
| 17     | Singular Rank Testing                                   | 66         |
| 18     | Interwoven Rank Testing                                 | 77         |
| 19     | Interwoven Rank Testing                                 | 78         |
| 20     | Signal Processor Cutput Control                         | 81         |
| 21     | Difference Detector                                     | <b>6</b> 3 |

iii

Circuits for redundant systems, however, must be designed so that the effects of individual component failures are minimized, and usually limited to the circuits in which the failure occurs. This does not imply, however, that redundancy includes "useless" parts. Each part of the system must contribute to the assurance that the system will perform all of its functions properly.

The use of redundancy will alter the characteristics and performance of the system. Redundancy will usually increase design complexity, power requirements and dissipation, signal propagation time, size and weight, number of interconnections, and initial cost. Redundancy, therefore, emphasizes the need for continuing development of low-power circuitry. micro-miniaturization, and interconnection techniques. The type of circuitry which is used to implement a redundant system must be carefully chosen to meet the system requirements without incurring excessive costs. Whenever there is a need for high reliability, the circuitry should be chosen to have a high basic reliability, low sensitivity to parameter variations, and low power dissipation to minimize temperature stress. In addition, specific systems have special requirements which must be considered in the system design as well as the choice and design of the circuitry. For example, the total available power is often severely limited for spaceborne equipment. although the processing rate is usually quite low. It is usually desirable to provide some means of testing to verify that all parts of the redundant system are working to insure that all of the reliability initially designed

#### I. Introduction

Past studies of redundancy techniques and consideration of the basic characteristics of some redundancy techniques have yielded interesting insights and problems. Many of these considerations are in the area of engineering method. Others concern the design of redundant systems with high reliability and other desirable characteristics. This section is intended to review some of these considerations and to preview some of the thoughts behind the discussion in later sections.

The report itself deals primarily with some of the problems which are encountered in designing and testing useful redundant digital systems. Some of these problems are at least comparable to non-redundant design; others are rather unique to redundant systems. Possible solutions for these problems, as well as more detailed problem descriptions, are contained in appropriate sections of the report.

Circuit and system design must reflect the fact that redundancy is only a tool to realize reliability. The proper use of redundancy is often a more efficient and powerful technique to realize a reliability requirement than are the more conventional techniques such as conservative design or component selection. Redundancy is, however, most powerful when used in conjunction with techniques that increase basic reliability.

It is important to recognize that a redundant system is expected to operate with relatively large numbers of random failures. Since conventional systems usually fail when any of their parts fail, it is relatively unimportant what effects these failures have, except when repair is desired.

detection, maintenance and repair procedures may be accomplished during operation of the system.

The following sections of this report will discuss the problems associated with circuit design, choice of the type of circuitry, failure detection, and maintenance of redundant systems. This report describes the results of the study of these problems and possible solutions. The results are summarized in the Summary and Conclusions section of this report. into the system is available for the duration of the mission. The system and the circuitry therefore must be designed so that accurate and meaningful tests may be applied to verify that the parts are working. When extended lifetime is desired and repair is possible, a redundant system may be systematically repaired to greatly increase the expected time between system failures. If a system is completely repaired prior to each mission in which it is used, it will exhibit the high mission reliability characteristic for each mission. Such systems must be designed so that complete, efficient tests may be periodically applied to these systems which will verify that all the parts are working properly, or that will facilitate maintenance procedures which will return the system to the initially perfect condition. It is important for this type of maintenance that all failures be detectable, otherwise these undetectable failures will tend to accumulate. These accumulated failures will eventually tend to dominate the system behavior by causing additional system failures.

Many failures may be detected as they occur in a redundant system. These may be repaired while the system is in operation to obtain a very low system failure rate compared to the failure rate for the parts of the system. Periodic maintenance must be performed in addition to the continuous monitor and repair described above to detect those failures which cannot be detected during regular operation of the system.

Systems which will be maintained must therefore be designed both with the capability for detecting all failures and **facilitating** the maintenance and repair procedures. With proper design, many of these failure

reasonable therefore to restrict the detailed discussion to the more popular approaches and to provide references for other. Of particular interest are those devices which utilize magnetic componets which are either commercially available or in an advanced state of development.

B. Dynamic Storage and Sequential Logic

The state of a magnetic device is determined by the direction of remanent flux. Information stored is not directly accessible and a clock or read pulse must be used to determine the state. The read process in most schemes also destroys the information which was stored. An output signal is available only for that portion of the read cycle during which dynamic flux change is in progress and thus level output and asynchronous operation is not obtainable. The ripple-carry binary counter, the parallel adder, and many familiar digital configurations are not directly amenable to magnetic implementation. In contrast, the powerful combinational logic approach utilized in conventional computers consists of a cascade of compatible logic modules which form complex functions simultaneously during the interim between clock pulses. In a magnetic logic machine using dynamic logic this is not possible and operations involving OR, AND, transfer, buffering, negation and delay require several clock periods to generate a particular function. This step by step process usually consumes considerable time which may be further extended if the magnetic logic modules are limited in fan-in and fan-out and thus require additional operations.

#### II. Magnetic Logic

#### A. Introduction

The past decade has witnessed the development of a variety of magnetic devices suitable for performing storage and logic in digital computers. Perhaps the most important application of magnetics to digital technology has been provided by the development of large capacity, random access memory systems composed of ferrite cores. Advances in techniques for performing logic have received some attention, but to date magnetic logic does not appear to be widely accepted as a superior replacement for the conventional transistorized counterpart. This general reluctance to utilize the special attributes of magnetic logic is often justified by several difficulties inherent to the device characteristics and system configuration.

Much of the magnetic logic research has been motivated by the potential ability of magnetic devices to provide higher reliability at lower cost while consuming negligible standby power. These attributes are understandably important in any large electronic system, especially in space applications where reliability must be high and available power is invariably low. To evaluate the potential ability of magnetic logic schemes to provide these advantages a discussion of some of the more promising approaches appears to be in order. An all inclusive survey and treatment of the myriad of suggested approaches could easily fill a book.<sup>\*</sup> It appeared

<sup>\*</sup> Edited by Meyerhoff, A. J., Digital Applications of Magnetic Devices, New York; John Wiley and Sons, Inc., (1960).

flow. Obvious limitations in impedance levels, fan-in and fan-cut drive capabilities necessitated in many cases the further inclusion of resistors for tailoring impedance levels, capacitors for temporary storage and transistors for power gain. Although this hybrid logic approach led to the development of a number of clever magnetic devices, the potential of achieving high reliability at low cost is seriously challenged by the requirement for using non-magnetic components and the more complex wiring and system organization which becomes necessary. An excellent survey of a wide variety of hybrid devices has been provided by Haynes.<sup>1</sup> One such approach, parallel transfer core-diode logic, will be used as a vehicle for describing the principles of dynamic logic and to indicate the operation of a typical practical device.

Shown in figure 1 is the OR gate, the simplest of logical functions which may be implemented with magnetic cores and diodes. The and O notations denote cores of the same rank, i.e. threaded by a series connected, current driven clock line. The two phase clock system effects readout and transfer of data by driving the core to the "O" state. If a core was previously in the "1" state the clock, in driving the core to the "O" state, causes the core to switch and provides an output sufficient to drive the next core to the "1" state. If a core was previously in the "O" state a negligibly small output occurs when the clock drive is applied. Diodes are shown pointing in the direction of unilateral data transfer. Additional components such as resistors for tailoring impedance levels and

#### C. Hybrid Devices

The principle involved in using square loop material to store a remanent flux has been known for some time. With the development of small torroidal structures employing sintered ceramic ferrites and ferromagnetic tape materials, magnetic devices began to demonstrate practical utility. The magnetic shift register has received the most attention primarily because of its general utility and simple configuration and has been the subject of much of the magnetic literature. Although playing an important part in most digital systems, several additional devices are required in order to provide the variety of logical operations required by typical computer systems.

The task of performing general logic requires circuitry capable of being arranged to perform any Boolean output function of a set of input variables. In order to provide this operation a complex function is usually formed by using logic modules to perform OR, AND, negation, storage, delay, etc. If gates are to be connected in various configurations the devices used must provide a clearly identifiable "1" and "0" state, unilateral information transfer and the capability for fan-in and fan-out. To meet these requirements with magnetic devices has not been an easy task.

A major difficulty which impeded rapid development of devices to meet these requirements has been the inherent bilateral nature of simple magnetic structures. In the early devices this was largely overcome by combining diodes with simple torroids to achieve unilateral information

any of the transmitting input cores, a readout signal is generated when the storage core is reset by the phase B clock.

The AND function is not as easily implemented unless a coincident current threshold technique is employed to set the storage core. This technique does not appear to be sufficiently reliable however, due to the associated threshold and drive tolerances normally encountered in a typical system. A more conventional system employs the principle of logical negation in combination with the OR gate to provide the AND function. For example, consider the negation arrangement of figure 2.



Figure 2 Negation

diodes to prevent reverse data transfer may be required in a practical design. It should be noted also that the core output windings must contain more turns than core inputs in order to allow a transmitting core to set a receiving core.





Operation is initiated by reading inputs X and Y into the cores. The phase A clock then transmits the state of each of the input cores into a dual winding storage core. If the storage core was set by Since each of the logic modules require two clock periods and each operation is performed in sequence, the output signal is seen to appear six clock periods after the inputs were applied. If the resultant output of the AND function is to be further combined with other AND-OR operations it becomes evident that the total number of clock periods required may become prohibitive.

In view of the system complexity and speed limitations suggested by the simple example described, magnetic logic is seen to introduce problems of system organization which are alien to conventional DC level logic. As far as cost and reliability are concerned, the prospect of winding cores with several turns and the large number of cores and connections required do not appear to provide a significant cost advantage. In the hybrid approach the use of additional components such as diodes and resistors appear to seriously negate the basic reliability inherent to the magnetic material. These difficulties not withstanding, several companies are active in the manufacture of magnetic logic modules. The major emphasis has been placed on the usefulness of the magnetic shift register to provide cost, size and power advantages over the conventional approach. Magnetic shift registers employing the hybrid approach have been successfully applied to a wide range of airborne equipment. Sequential programmers, counters and timers operating at low clock rates represent the majority of applications. When operating at shifting rates higher than 10 kc however, the

The upper core is used as a "l" generator which in the absence of an input from the X core causes the inhibit core to be set by the phase A clock. The phase B clock will then generate an output whenever the X signal is absent and thus represents the negation of the input. When both the "l" generator and X input signal appear simultaneously at the inhibit windings they effectively cancel each other and the inhibit core remains in the "O" state. The phase B clock in driving the inhibit core to the "O" state will not generate an output signal for this case.

The principle by which the AND function may be performed is based on the well known logic relation X + Y = XY. A block diagram of a typical AND gate scheme is shown in figure 3.



#### Figure 3 Block Diagram, AND Function



## Figure 4 S.R.I. MAD Shift Register

An advance current is applied to the parallel connection of output and input aperture windings in order to effect information transfer from the transmitting core to the receiving core. In accordance with the state of the flux stored around the transmitting aperture and the resultant magnetic threshold thereby established, the advance current will divide between the input and output windings. If the transmitting aperture is in the "O" or cleared state the advance current will divide equally thus not exceeding the magnetic threshold of either apertures. If a "1" were stored the output aperture with its lower threshold is swamped by the advance current and the transmitter switches flux locally about its output aperture with low values

1]

advantage that the magnetic shift register has in consuming negligible standby power is obscured by a power requirement which is often greater than the solid state counterpart. A leading supplier of hybrid magnetic logic modules and shift registers is currently marketing a 10 bit shift register which requires a maximum average power of .4 watts to operate at 10 kc and 3.7 watts at 750 kc. Since it appears reasonable to assume that these power requirements are reflected also to general logic systems, the application of hybrid magnetic logic to power-limited environments is limited to systems whose shift rate is very low.

D. All-Magnetic Logic

The obvious limitations of the hybrid approaches in reliability and cost has to some extent motivated an effort to develop systems using only magnetic material and connecting wire. Several novel approaches were developed which made use of magnetic device geometry to achieve coupling isolation, flux gain and unilateral information flow. Perhaps the most popular of these devices is the Multi-Aperture Device (MAD),<sup>2,3</sup> a three aperture ferrite structure similar to the Transfluxor.<sup>4</sup> Input-output isolation is possible because the flux stored around the minor output aperture may be sensed non-destructively without affecting stored flux about the input aperture.

Shown in figure 4 is a typical MAD shift register developed at Stanford Research Institute.

in a practical sense with the simple transfer scheme previously discussed. H.D. Crane has done much of the work in arousing interest in the allmagnetic MAD approach. In a paper<sup>5</sup> describing the design of a moderate sized computing system using S.R.I.-MAD devices however, the basic transfer gate had to be sericusly modified in order to operate in the system. Problems inherent to the flux threshold relationship between receiving and transmitting apertures, flux gain, fan-out as well as flux decay and build-up in circulating loops made such modifications necessary. As a consequence the revised gate module required flux doubling and clipping operations in addition to the previously described clear and advance cycles. The complexity involved in the resultant device implementation appears to be a serious encumberance. The system chosen to demonstrate the ability of all-magnetic devices took the form of a decimal arithmetic unit with the ability of performing addition, subtraction, and multiplication. The system was made exclusively of modules which perform either the two input OR function or the two input OR with negation (NOR).

Rather than describe the complex details of the S.R.I.-MAD logic gates it appears more reasonable to present the simpler, more practical approach to the design of MAD devices developed by Amp., Inc. In this approach a priming operation is performed to reverse the flux stored about the transmitting aperture prior to readout. The readout process in this case is destructive and resets the core. The priming operation provides an adequate flux level which, when reversed by the clear or transfer

of current. By voltage or impedance steering the majority of advance current will flow through the receiver input aperture causing it to exceed its setting threshold and be set. In time as the flux switching is completed, both currents will return to their nominally equal values.

Since the read-out and transfer process is nondestructive to the state of the core, a clear line threading the major aperture is required to return the core to the reset condition. In order to provide information flow from left to right a basic four clock cycle is required with the following sequence: ...., ADV.O $\rightarrow$ E, CL.O, ADV.E $\rightarrow$ O, CL.E, ... The ADV O $\rightarrow$ E pulse switches flux locally about the output aperture of the O element and causes the E element to be set. The CL O pulse then clears the O element and in so doing switches flux through the output winding. This results in a loop current flow that negatively sets the E element receiver without affecting the flux state about the output aperture of the E element. Note that neither the ADV. O $\rightarrow$ E nor CL. O pulse causes any flux to be switched in the output leg of the E element thus eliminating the need for a diode to prevent backward data transfer. In this manner unilateral data transfer is possible using only MAD devices and conducting wire.

Thus far our discussion has been devoted to techniques for achieving unilateral data transfer with the S.R.I.-MAD approach. The problem of achieving reasonable flux gain and fan-out is one which could not be solved

In the cleared state (figure 5a) the core is saturated in the clockwise direction by a previously generated advance current which threads the major aperture. Upon application of an input signal threading the inner portion of the major aperture, the flux nearest the major aperture is reversed thus providing the set condition shown in figure 5b. This read-in operation does not affect the flux linking the output aperture and thus a diode is not required to block data transfer to receiving cores. In order to obtain an output from a properly set core it is necessary to provide a prime current as shown in figure 5c to reverse the flux stored about the output aperture. Priming current is of a lower magnitude than the advance current and because of its slow rate of change is not sufficient to cause the core linked by the output winding to be distrubed. Once a core has been set and primed, the application of an advance current causes a flux reversal about the output aperture. This in turn, provides an induced voltage of sufficient magnitude to drive the next core to the set condition. If the core was initially in the reset condition it will remain in this condition after priming (figure 5d). For this case, the application of the advance current does not provide a flux reversal and thus no output occurs.

AMP-MAD elements may be connected in a variety of shift register configurations including parallel input-parallel output, parallel input-serial output, serial input-serial output, etc. Such shift registers take the form of 2 core-per-bit arrays and require a two clock system in combination with

operation, delivers an output pulse to set the next core through its major aperture. Since data flow is from minor aperture to major aperture and since the state of a core is not disturbed by reverse currents flowing through a minor aperture, the possibility of reverse data flow is prevented.

The flux conditions present for the various states of a typical AMP-MAD element is shown in Figure 5.



Figure 5 AMP-MAD Flux States

shift registers are limited to repetition rates of 10 Kc. A typical driver, which utilizes a capacitive storage-discharge scheme and dual Shockley diodes for triggering the advance currents, requires an average power of 5.3 watts to drive a 10 bit shift register at 10 Kc. A 10 bit shift register with its associated driver requires a package occupying approximately 9 cubic inches.

The implementation of general logic operations using MAD devices is not easily accomplished, due to the difficulty of achieving logical inversion and reasonable fan-out without an imposing complexity. The treatment of much of the general logic capabilities of MAD devices is reported in rather implicit terms by the current literature. The OR function may be provided relatively simply by threading additional windings about the input aperture if care is taken in preventing reverse information transfer. The negation operation may be achieved by extending the current inhibiting and "one" generator technique described in the hybrid approach to the MAD topology. Perhaps the most difficult problem which faces the all-magnetic logic designer is that of providing fan-out. This arises from the fact that all the power which is used to provide inputs to receiving cores comes from the clock source. Power gain in the ordinary sense is not available except in those hybrid schemes which use transistors to provide regeneration. A MAD device with a reliable fan-out of two is sufficient, however, to allow the performance of general logical operations requiring much greater fan-out. This may be accomplished by utilizing additional clock pulses to

a priming source. A typical serial input-serial output shift register section is shown in figure 6.



#### Figure 6 AMP-MAD Shift Register

The propagation of a "l" from left to right proceeds by activating clock and prime signals in the following sequence: ... PRIME, ADV  $0 \rightarrow E$ , PRIME, ADV  $E \rightarrow 0$ , PRIME, ADV  $0 \rightarrow E$ , .... AMP-MAD shift registers require relatively high values of pulse current for performing advance, prime and set operations. Nominal operating level for the advance current is 2 to 3 amperes in a typical design. Prime and set pulse currents are lower being 100 ma and 250 ma respectively. Because of the requirement for slow priming and in order to keep average power dissipation at reasonable levels, AMP-MAD trivial. In general, magnetic devices do not display a natural ability for performing logic. The primary attribute of magnetic devices is that of non-volatile storage, the ability of a core to remain in a particular state indefinitely without further application of energy. This feature is an important consideration in power limited environments such as space vehicles where the standby power between clock pulses may be made to approach negligible values. If the clock processing rate exceeds approximately 10 Kc however, the average power required often exceeds that of a conventional transistorized counterpart. This limits the application of magnetic shift registers, timers, etc. to equipment with low clock rates.

Recent advances in low power microminiaturized devices are seriously challenging the magnetic attribute of zero standby power while providing higher speed, smaller size and the greater utility of combinational DC logic. NASA's Lewis Research Center is sponsoring much of the work in this important area. Operating speeds of several newly developed circuits are approaching 100 Kc at power levels in the microwatt range. A complete logic system with a power consumption of 10 microwatts per stage is anticipated for space application using micropower logic circuits. With the basic reliability of microminiaturized devices constantly improving by virtue of an industry wide effort, the role of magnetic logic appears to be fading.

Another advantage claimed for magnetic devices is the reliability inherent in the use of magnetic material and connecting wire. It is assumed here that magnetic parameters affected by temperature have been compensated

sequentially transfer data in a "tree" wiring arrangement until the original single core data is available simultaneously in several cores. As far as fan-out is concerned, it appears that the hybrid approach using transistors provides an important advantage over the all-magnetic techniques which necessarily require considerable device and system complexity to achieve the same result.

E. Summary and Conclusions

The foregoing description of magnetic logic has not attempted to describe the variety of possible approaches. The techniques for accomplishing general logical operations have been implicit, reflecting the treatment of the current literature. Examples from two general classes of magnetic devices have been described to provide a basic understanding of the techniques involved. If the approaches described may be regarded as typical, then some conclusions about their utility may reasonable be expected to apply in a general sense.

Information regarding transfer and shifting operations are covered in considerable detail by current literature, but the treatment of general magnetic logic schemes has been seriously neglected. This suggests the degree of difficulty which has been encountered in the design of practical devices. Complex clock programming and device configurations are necessary to achieve operations which conventional designers have come to consider as

DC logic systems is evidently superior because of the power gain and the inherent signal level standarization.

After considering the attributes of magnetic devices for performing general logic, the popular core techniques do not appear to provide an evident superiority in power consumption, reliability, simplicity, cost, size and flexibility over the conventional solid state circuit approach. Indeed, the requirements of performing the logical operations characteristic of digital computers appear to be at variance with the capabilities of magnetic logic. The applications which are best suited to magnetic implementation are those in which the operations to be performed are not clearly separated into "logic" and "memory". A strong case can be made for magnetic circuits applied to the performance of integrated storage and transfer operations required by a variety of digital processing functions. Most appropriate are the low speed operations inherent in input-output, interface and peripheral equipment. Typical applications include shift registers, programmers, timers, sequencers, etc. where the magnetic modules perform entire functions rather than discrete operations of storage and logic. In these special applications where speed is low, the advantages in simplicity, reliability, cost and power to be gained through the use of magnetic circuits should not be neglected. In general applications, however, the presently developed magnetic circuits do not appear satisfactory due to the several problems inherent in their use.

for by proper design and that clock current amplitude and rise time are within the limits of proper operation. Under these conditions the basic mechanism of magnetic storage and switching appears devoid of any known failure mode. This reliability is however obscured by the large number of connections required by the device configuration and the complexity inherent to the system organization. The reliability of a magnetic system depends upon the connective paths and the clock pulse drivers.

Simplicity and low cost is often claimed as a virtue for magnetic devices because of the simplicity and cost of the basic cores utilized. It should be noted however that the task of providing several turns about the various apertures and connecting cores in a configuration to perform the basic logical operations of AND, OR and negation is not generally amenable to automated assembly. The extensive amount of hand wiring and soldering appears to represent an item of considerable cost.

The physical size of magnetic devices are generally one or two orders of magnitude larger than their microminiaturized counterparts. Advances in thin film magnetic logic hold some promise for a significant size reduction, but developments in this area have not been extensively reported to date.

The flexibility of magnetic devices is seen to be severely limited by the dynamic logic approach and the difficulty of achieving reliable fanout in the absence of active devices. The flexibility of conventional

and industry effort devoted to research and development of new and improved integrated circuits.

The low weight and power consumption of integrated circuits offers an important compensation for the increase in the number of circuits required for redundant design of spaceborne equipment. It is expected that advances in integrated circuit technology will allow more complex circuits to be included within a single package to further decrease size and weight. Integrated circuits also offer significantly improved reliability performance; it is expected that the reliability of single chip containing an entire function can be shown to approach that of a single discrete transistor. The low power consumption characteristic also tends to increase reliability by reducing temperature stress. The significant reduction in the number of interconnections is also an important factor in reliability improvement.

Most integrated logic modules are available in the form of a universal gate function (NAND or NOR) These logic elements are quite appropriate for the construction of the restoring function required for a multiple line majority voted redundant system. Several types of logic available for the universal gate function have been studied. Each basic type is described below; those commonly available are compared for suitability for use in spaceborne redundant systems. One of these is chosen as particularly suitable.

B. Classification of Basic Types of Logic

It appears that most of the common types of transistor logic (TL) may be classified according to three basic coupling schemes used for the

#### III. Semiconductor Logic

A. Introduction

In contrast with the numerous disadvantages and the general unavailability of magnetic logic devices, conventional semiconductor logic has been used widely. Logic modules are commercially available for construction of general logic systems. Integrated semiconductor circuits offer an order of magnitude reduction in size compared to magnetic logic modules; they do not require high voltage or high peak power pulses. They operate at frequencies many times greater than comparable magnetic logic requiring the same average power, and provide the convenience of steady voltage outputs.

Integrated semiconductor circuits offer a significant size and power reduction compared to discrete component semiconductor circuits. The rapid acceptance of integrated and semiconductor logic elements attests to the advantages of their use. Therefore, integrated circuits have been chosen as more suitable for spaceborne digital applications than the discrete component circuitry. The circuit design problem is then translated to the problem of the choice of suitable types of circuitry and logic. A variety of such elements is available with predictable characteristics for a wide range of operating environments. The selection by the Air Force of integrated circuitry for use in the improved Minuteman is a significant factor in the availability of reliable integrated circuits and appropriate reliability data. There is also a large amount of governent



Figure 8 DC-TL Direct Coupled-Transistor Logic (+NOR)



**.** 7

Figure 9 R-DC-TL Resistor-Direct Coupled-Transistor Logic

universal gate function. They are described below.

I. Linear impedance coupling to an input transistor may be used to form R-TL, as shown in figure 7. This type of logic is generally not available in integrated circuit form.



Figure 7 R-TL Resistor-Transistor Logic (+NOR)

II. Direct coupling to a multiple output transistor array (DC-TL), may be used as shown in figure 8. It is commonly used in the more practical modified forms, such as R-DC-TL (type II-A) shown in figure 9. An impedance is inserted in each input line to improve operational characteristics. Although this type of logic is sometimes referred to as resistor coupledtransistor logic, its operation is not the same as R-TL, described above. transient response, by reducing stored charge effects during turn-off.



Figure 11 D-TL Diode-Transistor Logic (+ NAND)



Figure 12 NS-D-TL Non-Saturated-Diode-Transistor Logic

Type II-B coupling involves current switching and output buffering to prevent saturation of the input transistors. This type of logic is sometimes referred to as emitter coupled-transistor logic (EC-TL) or current mode-transistor logic (CM-TL). One type of non-saturated-direct coupledtransistor logic (NS-DC-TL), which uses an emitter-follower output buffer, is shown in figure 10.



Figure 10 NS-DC-TL Non-Saturated-Direct Coupled-Transistor Logic

III. Diode coupling uses non-linear input summing to form the logical AND or OR function. The most common form of D-TL is shown in figure 11, which performs the positive logic NAND (AND-NOT) function. Saturation of the output transistor may be prevented by limiting the minimum saturation voltage, as shown in figure 12. This results in a more constant "zero" output voltage, and diverts excess base current to improve power dissipation. The general characteristics of these logic configurations are discussed and compared in the paragraphs following the table.

The isolation and speed-power rankings for the three saturated logic types were obtained from "The Changing Prospective in Microcircuits", <u>Electronic Design</u>, February 15, 1963, p. 56. This article describes the result of a study of different types of logic for single substances conducted by PSI. They observe that no one logic type is superior to all others for every application, but rather that the characteristics of each type must be considered according to the particular over-all system requirements.

The isolation ranking is a qualitative measure of the input loading, the isolation between inputs, noise immunity, and variation of input loading with parameter changes, internal failures, and output loading. Logic types with the highest isolation are ranked first; those with lower isolation are ranked in increasing order. The nonsaturated logic types are inserted into the original ranking by a comparison of their general characteristics with those of the three saturated logic types.

The speed-power ranking is a quantitative measure of the product of propagation delay and power dissipation of the different logic types when similar components and techniques are used in fabrication. This

Type II-A coupling, shown in figure 13, is a variation referred to as T-TL which uses transistor coupling to obtain improved response. Logic operation is equivalent to D-TL when inverse transistor gain ( $\beta_{I}$ ) is low; coupling transistor action removes stored change during turn-off, and generally permits the elimination of the output transistor base bias resistor.



Figure 13 T-TL Transistor-Transistor Logic

C. Comparison of Logic Types

A comparison of the types of circuits described above is shown in the table below for five types which are commercially available. They are arranged in the table in increasing order of the number of equivalent components required for a 3-input universal gate function. A larger number of components generally increases fabrication complexity and increases

## D. Description of Logic Types

Resistor-transistor logic (R-TL) is a basic scheme for providing the NOR function for NPN positive logic. The resistors are used for linear input summing into the output transistor, which is normally biased off unless at least one input is present. The bias may be increased to provide either the inverse majority or the NAND output. The addition of speed-up capacitors to the input resistors, although significantly increasing transient response, is not sufficient to reduce the power-speed product to that available with other types of logic. The bilateral interconnection may create interaction problems between inputs; performance of the device is sensitive to variations of the input resistors, biasing, and transistor gain. The difficulty of fabricating an integrated resistor-capacitor combination for each input further decreases the suitability of this type of logic.

Direct coupled-transistor logic (DC-TL) is a theoretically simple method of performing the NOR function for NPN positive logic. Inputs are applied directly to transistor bases; the common collector is the output. Actual operation, however, is limited by the high sensitivity to parameter variations, input current "hogging" and low input impedance which limits fan-in and fan-out, and the low noise margin. These severe limitations have resulted in the actual use of a modified version (R-DC-TL) which includes a low impedance resistor-capacitor combination on each input to reduce the sensitivity to noise, parameter variations, and current "hogging". This modification increases power dissipation, propagation delay, and fabrication complexity. Since the fan-out capability of most NPN positive logic NOR

characteristic varies considerably according to the design and technology used for the construction of actual circuits. Logic types with the lowest power-speed product are ranked first; those with higher power-speed products are ranked in increasing order. The non-saturating logic types are inserted into the ranking order indicated according to available data.

## TABLE I COMPARATIVE RANKING OF AVAILABLE LOGIC TYPES

| NAME     | Function for<br>+ Logic | Type of<br>Coupling | Number of<br>Commonents | Speed-<br>Power<br>Ranking | Isolation<br>Ranking |
|----------|-------------------------|---------------------|-------------------------|----------------------------|----------------------|
| T-TL     | NAND                    | III-A               | 3                       | 1                          | 4                    |
| D-TL     | NAND                    | III                 | 5                       | 3                          | 2                    |
| NS-D-TL  | N AND                   | III                 | 6                       | 2                          | 3                    |
| R-DC-TL  | NOR                     | II_A                | 7                       | 5                          | 5                    |
| NS-DC-TL | NOR                     | II-B                | 9                       | 4                          | 1                    |

The newer versions of commercially available D-TL circuits offer about the lowest power-speed product available for circuits operating at moderate speeds and with good noise margins. Consideration of integrated circuit characteristics has significantly reduced the number of individual isolated components compared to the number of discrete components required for an equivalent circuit. The entire input diode array, as well as one level-shifting diode, may be constructed as one multiple-emitter transistor. Each additional input merely requires an additional emitter connection.

Transistor-transistor logic (T-TL) is a simplified variation of D-TL employing transistor coupling directly to the base of the output transistor. The elimination of one coupling diode reduces the noise margin and voltage swing to about the equivalent of DC-TL. Input isolation is similar to D-TL, except that inverse gain of the coupling transistor allows some "hogging" of input current. The inverse gain cannot be reduced without increasing the offset voltage of the coupling transistor<sup>\*</sup>; increased offset voltage, in turn, decreases DC stability and noise margin. Increased speed at low power levels is possible because the coupling transistor removes stored change from the output transistor to reduce turn-off time.

The output inverter of D-TL may be designed to prevent saturation to reduce excess drive and stored-change effects. This may be accomplished by limiting the minimum "O" output voltage by a base to collector clamp to prevent saturation of the output transistor, as shown above for nonsaturated diode-transistor logic (NS-D-TL). The increased "O" output voltage will, however, be more constant with increases in output loading,

 $V_{CE}(sat) \sim \ln \alpha_{I} = \ln \frac{\beta_{I}-1}{\beta_{I}}$ 

schemes is derived from the output collector resistor, the power dissipation must be increased to allow fan-out capability regardless of whether the fan-out is used or not.

The basic DC-TL scheme may be modified to provide non-saturated input logic (NS-DC-TL). The common emitter resistor reduces the problems of input current "hogging", and increases input impedance so that this type of logic offers high input isolation. Various methods may be used to provide outputs; both the OR and NOR may be provided conveniently. Good matching of components and close tolerance on a special reference voltage supply are required. The clocking function may be obtained by controlling the negative voltage supply by gating or a sinusoidal voltage. A two phase clock is required for flip-flop functions more complex than simple storage. An additional transistor, which shares a common collector with other input transistors, is required for each input. The voltage difference between the "1" and "0" level is usually very small, resulting in reduced DC stability and noise margin. NS-DC-TL offers high speed operation at the expense of high power dissipation.

Diode-transistor logic (D-TL) is probably the most popular type of integrated circuit logic, due to its similarity to discrete component circuitry and the excellent operating characteristics. D-TL circuitry operates with wide parameter variations to minimize the possibility of malfunction due to drift failure. Actual failure testing has shown that redundant D-TL is not sensitive to most catastrophic failures. D-TL is most commonly available as NPN positive logic NAND integrated circuits.

The wide variation of performance characteristics for different suppliers of the same logic types is due to several causes: differences of circuit parameter design, lack of standard test conditions (temperature, fan-out, voltages, etc.), as well as the rapidly improving technology in this field. Two recently announced improved versions of previous elements (Westinghouse D-TL and Fairchild R-DC-TL) are indicated in the figure. The rapid rate at which improvements have been made in the field of integrated circuits makes it impractical to make an arbitrary decision to use only one logic element for all future spaceborne redundant systems. General characteristics, as well as the specific requirements of redundant systems, may be used to make recommendations, however, based on available information. The general characteristics discussed below may be used as a guide to the choice of circuits, even through exact requirements may vary.

Since systematic redundancy is most efficient and powerful when the basic elements are highly reliable, the realization of high system reliability with minimum weight and power penalties requires circuitry with high basic reliability. High circuit reliability, especially for extended periods of time, is usually realized when the circuit configuration is such that proper operation is not excessively sensitive to parameter variation or environmental extremes. High speed performance does not appear to be a particular requirement for most spaceborne systems; low power dissipation

if sufficient gain is available. Logic operation is equivalent to D-TL with increased speed and lower nower dissipation under comparable conditions. Additional gain may be easily obtained for D-TL by substituting an emitter follower for the final level shifting diode.

The speed-power performance of some of the commonly available logic elements currently available are shown in figure 14. This figure shows the advertised performance characteristics of different logic types available from different suppliers.



## Figure 14 Speed-Power Performance

input must be able to provide sufficient drive to cause the output to be "O" for proper operation. Fan-out capability is obtained by providing each output with the ability to drive several inputs. If actual failures may cause all of the inputs to a circuit to be overloaded, then any other circuit receiving any of these inputs are also effectively failed. Additional fan-out capability is usually reflected in increased power consumtion, which, in turn, increases reliability problems.

In contrast, the turn-on current for positive NAND logic is obtained within each logic element. This drive current is diverted to a low impedance input whenever any input is "O". Fan-out capability is provided by the output transistor gain, and may be increased without significantly increased power requirements. Since drive current is provided by each circuit, rather than by inputs, failures within an NAND circuit usually do not affect proper operation of inputs. The back-to-back diode coupling also offers good isolation characteristics. Actual failure testing has verified that failure effects in D-TL is usually limited to the circuit in which the failure occurs.

Limited testing for the effects of both transient effect of high gamma radiation and the permanent effect of integrated neutron flux has shown that D-TL integrated circuits are more resistant to radiation than forms of DC-TL.<sup>6</sup> The transient effects of high gamma radiation appear to be primarily due to the leakage of the collector isolation diode. DC-TL is more susceptible because the larger number of common-collector transistors used creates a larger junction area. DC-TL was seriously affected at

is a much more desirable characteristic. Available power (and total energy) is often limited on space missions; the additional circuitry required to reduce the probability of system failure will further emphasize this problem. The power required by individual circuits must be held to a minimum to keep total power within available limits. The reliability performance of most integrated circuits depend on the temperature stress. The use of low power circuitry is an important factor in reducing the temperature stress, which, in turn, improves the basic reliability and performance characteristics of the individual elements.

Although T-TL offers high speed at low power levels, its sensitivity to parameter variation, noise, and input current "hogging" has reduced the general suitability of T-TL. This sensitivity appears to be a major disadvantage because the individual circuits in a redundant spaceborne system are required to operate reliably despite severe environmental variations and the occurrence of failures within the system. Since inverse transistor action can limit the input voltage signal, failures within the circuit or on the output may affect the inputs. This transfer of failure effects to inputs would be a serious disadvantage in redundant systems, where the effect of failures must be minimized.

DC-TL appears to be even more sensitive to parameter variations and failure effects, except for the various modifications which are used to reduce this problem. Positive NOR logic appears to be particularly vulnerable to output failures resulting in failure of input signals. This occurs because the transistor turn-on current is obtained from inputs; any

available integrated D-TL circuits appears to exceed the requirements of most spaceborne systems. Some of this excess speed capability may be traded for lower power requirements by reducing the power supply voltages. Power dissipation could be further reduced by a redesign of present D-TL circuits to use higher resistance values. High resistance is a difficult problem in present circuits, since the characteristically low resistivity of diffused resistors requires a large area for high resistance values. The use of thin film resistors and capacitors on the silicon block in which the semiconductors are diffused, as planned by Westinghouse for the near future, would permit circuit design for significantly lower power dissipation without the large areas and narrow strip layout required for totally diffused circuitry. Such single-chip hybrid circuits are not presently available for general logic use.

It is expected that the positive logic NAND function will be used, since this permits logic design of functions as the sum of products, which is convenient for reduction and simplification by familiar methods. The NAND circuits shown are particularly versatile, since the collector outputs may be connected together to form AND-OR-NOT logic functions directly. R-S flip-flops may be formed by interconnected NAND elements; formation of more complex functions such as a compatible counter element require a large number of NAND elements and a two-phase clock. The majority voter is not a commercially available element, but it is easily constructed from NAND elements.

gamma levels of  $10^6$  to  $10^7$  R/sec., while Signetics D-TL withstood an order of magnitude increase. Signetics D-TL also showed more resistance to integrated neutron flux, but no microcircuits showed damage at ordinarily expected dosages. At a flux dose of 2.8 x  $10^{11}$  neutrons/cm.<sup>2</sup> (equivalent to about 100 years of continuous exposure in the Van Allen belts), Texas Instrument elements failed; Fairchild elements showed some waveshape deteriroation: Signetics and discrete component D-TL showed no noticeable effects.

E. Logic Selection

Integrated D-TL circuitry appears to be the most appropriate type of logic for general use in redundant logic systems for spacecraft missions. It has been chosen for the general advantages of features described above, and particularly for its suitability for use in redundant spaceborne ecuipment, which requires both high immunity to noise and parameter variation, as well as reasonably low power dissapation. These requirements are generally not available in the various forms of DC-TL. Although T-TL logic is equivalent to D-TL, currently available elements are too sensitive to input current "hogging" to be suitable for use in redundant systems.

D-TL is known to have high noise immunity, good input-to-output isolation, good capability with other circuitry and relatively low power consumption. D-TL is particularly insensitive to drift failures; failure testing had shown that the effect of most catastrophic failures is not especially harmful in redundant logic networks. The speed capability of

The NAND implementation shown utilizes common output logic so that the voter requires only two more gates than conventional majority voters, and retains a two element input to output propagation delay. NOR implementation, however, would require a total of eight gates and four element input to output propagation delay to obtain input isolation for NPN positive logic. It is expected that the isolated input majority element shown will be more reliable in normal operation (all inputs alike) than a more conventional configuration, since very few single failure modes can cause the output to disagree with the inputs when all inputs are identical.

If higher orders of redundancy are used, then each input is provided with isolation gates. Since component redundancy is not used to protect against single failures, a simple test consisting of monitoring the logic output while applying all combinations of logic inputs will completely test the operation of the circuit. A custom-packaged majority voter would significantly reduce the size and weight of a redundant system when compared to one using individual packages. The packaging of this majority voter is of particular importance because it is used repetitively in a redundant system.

G. Comparison of Suppliers

Integrated, single-chip D-TL NAND elements are available from Sylvania, Siliconix, Westinghouse, and Signetics, among others. Advertised power-speed performance and power dissipation at comparable voltages are shown below in Table II. It is noted that Siliconix offers the best powerspeed performance; the Signetics gate with low power connection offers the

## F. Majority Voter Design

Failure testing has shown that particular care must be used for the design of restoring elements so that failures on one input to the restorer do not cause failures on other inputs, and the failures in the restoring elements do not cause failure of a majority of inputs. This testing has shown that a conventional majority element (whether constructed as the minimum discrete component circuit, or of interconnected NOR or NAND elements) may experience failures which either cause immediate failure of the entire set of restorers, or which would cause the same result if a single input error occurs? If such effects are overlooked, the system reliability may be seriously degraded. Shown in figure 15 is a three input majority element using NAND elements which cannot cause an entire set of restorers to fail due to any single failures.



Figure 15 Majority Element with Input Isolation

redundancy when power is limited, and will increase basic reliability by reducing temperature stress. Due to the high power requirement, the Sylvaina NAND element is not recommended for general use in spaceborne redundant systems. The Sylvania NAND is most useful as a high speed element with high fan-out capability. Although Siliconix offers superior performance characteristics for the NAND function, when commared to Westinghouse and Signetics, the advantage is primarily that of increased speed, which is not necessarily required for most space missions. Accurate reliability data appears to be lacking, due to the limited production of Siliconix elements. The Siliconix NS-D-TL circuit merits further study into other potential advantages, such as operation with parameter change, greater fan-out capability, and compatibility with redundancy testing techniques.

The operational characteristics of the Signetics and Westinghouse NAND gate are quite similar; the Signetics gate can operate at somewhat lower power dissipation when this mode of operation is chosen. Although reliability data is available for both suppliers, Westinghouse has the more extensive reliability testing program for their integrated circuits. The availability of accurate reliability data is an important requirement for the efficient design of high reliability redundant systems. Westinghouse operating life tests of early models at 25°C has indicated a failure rate better than .053% per 10<sup>3</sup> hours per element at 50% confidence. It is expected that continued improvements and increased sample size will verify a failure rate of better than .001% per 10<sup>3</sup> hours per element with a high confidence, as required by the Air Force improved Minuteman program. West-

lowest total power dissipation at the same power supply voltages.

TABLE II COMPARISON OF D-TL SUPPLIERS

| i.                        | Power<br>Dissipation | Power-Speed<br>Product@25 <sup>0</sup> C |  |
|---------------------------|----------------------|------------------------------------------|--|
| Siliconix +4V             | 5 mw                 | 60 x10 <sup>-9</sup> watt-sec            |  |
| Siliconix +3V             | 2                    | 38                                       |  |
| Signetics +4V,-2V         | 6                    | 180                                      |  |
| Signetics (low power) +4V | 2.8                  | 168                                      |  |
| Westinghouse +4V          | 3.7                  | 190                                      |  |
| Westinghouse +6V          | 8.5                  | 255                                      |  |
| Sylvania                  | 15.0                 | 195                                      |  |

Delay and binary counter elements are available from Westinghouse and Signetics. The current Westinghouse binary element requires considerably more power than the Signetics because the Westinghouse element (which dissipates 75 mw.) consists of interconnected NAND functions on the silicon chip. The Signetics counter requires 16 milliwatts, and uses canacitive coupling and steering. Westinghouse plans to have a canacitor-steered binary counter available soon. The Westinghouse direct-coupled elements would not be as sensitive to input rise and fall time as the capacitor coupled elements, although either type will count at frequencies in excess of 1 megacycle.

The use of low power circuitry is considered to be an important consideration, since it will allow greater flexibility on the use of

characteristic. This is expected to be used to reduce power requirements. In addition, the base bias resistor is brought to a separate lead so that a negative voltage may be used to improve transient response. Access to this point is particularly important for the testing procedures described in the next section of this report.

It appears from currently available catalog information that Signetics is presently the most suitable single supplier for integrated circuit elements for the construction of redundant spaceborne equipment. Signetics offers a relatively complete catalog line of elements required for digital system design, and generally offers significantly lower power requirements. The use of a separate connection for the transistor base return is particularly suited for the application of the testing procedures to be described later. Independent circuit testing has generally observed that the Signetics circuits are ouite suitable for general use, and are not particularly sensitive to parameter variation, noise, temperature, or the effects of radiation.

The choice of Signetics as the most suitable supplier is not based on a single parameter, but is based on the several characteristics described above. The more important characteristics applicable to Signetics' circuits which are expected to be important for redundant systems include: low power dissipation, single power supply operation, complete line of D-TL logic modules available, compatibility with testing techniques for redundant systems, and availability of reliability testing data.

inghouse is a major supplier of integrated circuits for the Minuteman program (Texas Instruments is the only other major supplier), which is the first high volume integrated circuit contract. Circuits supplied by Westinghouse include drivers, sense amplifiers, several types of switches, and various general amplifiers, as well as common logic elements. Westinghouse is currently manufacturing R-DC-TL and T-TL logic elements in addition to D-TL, and has extensive capability for custom circuits and variations of current elements. A 50 NAND gate element on a single silicon chip has been developed for JPL. Combining the functions per package would be a significant factor in the reduction of the size and weight of redundant equipment when compared to individual package designs.

Signetics offers a variety of integrated D-TL circuits and integrated components for laboratory evaluation. They have conducted noise sensitivity and life tests. The operating life tests of the NAND element at  $25^{\circ}$ C have indicated a failure rate as low as .12% per  $10^{3}$  hours per element at 50% confidence. The circuits appear to be compatible with most input-output equipment, as well as the redundancy testing techniques described in the next section of this report. Performance testing and evaluation of most of the <sup>S</sup>ignetics circuits have been performed by the U.S. Naval Air Development Center<sup> $\xi$ </sup>. Their tests indicate that Signetics circuits generally meet advertised specifications and seem quite suitable for building logic systems. The standard circuit and lead arrangement of the Signetics gate allow a considerable degree of flexibility in the choice of the particular characteristics. A change in the connections to the gate alters the speed-power

The statistical relationship between reliability and operating time is derived by assuming that failures occur at constant rate and are inherently random and independent. After some period of operation without maintenance, the reliability of a typical multiple line, majority voted redundant system falls off and becomes less reliable than the non-redundant version. This behavior is normal since the greater number of components subject to statistical failure eventually cause the majority voters to have incorrect outputs. The initially flat portion of the redundant system reliability curve is the characteristic which is exploited to provide high mission reliability.

Since current spaceborne equipment is unattended after mission commencement, it is important to assure that the equipment is in perfect working order "before launch". It may not always be practical to completely test each part of a redundant system after final assembly and installation into a space vehicle, and thus the term "before launch" includes diagnostic testing before final assembly. It will be shown that a redundant system may be conveniently diagnosed for the presence of failures after final assembly and installation in a space vehicle. This may be accomplished during the pre-launch test period when the vehicle is about to begin its mission. Essentially the technique employed is that of removing the failure masking effects of redundancy and testing the replicated systems separately.

The function of these tests is initially to detect the occurrence of a failure and secondly to determine its location. The tests would be

IV. Failure Testing of Redundant Systems

A. Introduction

1. Characteristics of Redundant Systems

The outstanding attribute of a redundant system is that of providing high reliability for a longer period of time than the nonredundant counterpart. Typical reliability curves depicting this relationship for a simple system shown in figure 16. It is assumed here that both systems begin operation with all circuits, subsystems, wiring, etc. in a failure free condition.



Figure 16 Reliability of Conventional vs. Redundant Systems

period between maintenance checks should be sufficiently short so that the reliability for the maintenance period is high. The probability of operation repeatedly traverses the initially flat portion of the redundant reliability curve.

The general problem of diagnostic testing is to provide suitable test facilities and methods which are effective in determining whether a failure has occurred, and to determine its location. In a redundant system the implementation of test facilities entails many considerations, ranging from basic system configuration to the details of circuit design. In a conventional non-redundant system, test provisions are all too often given only token consideration. Although the test features provided may be ineffective or inconvenient, the diagnosis, failure location and remain of the equipment is often made possible through the ingenuity of an experienced technician. A redundant system similarly encumbered imposes a much more difficult task. Thus the need for integrating system configuration and test facilities in the initial design stages becomes extremely important.

2. Testing of Conventional Systems

The techniques for detecting a failure in a redundant system represents a problem which is alien to the test philosophy of conventional systems. In a non-redundant system the effect of a failure is rather dramatic and is usually evidenced by either partial or total system failure, or obvious changes in operational behavior. This simplifies the problem of detecting an error, but is small consolation to the user who loses the service of a system without warning, perhaps at some crucial moment. Total

useful in deciding whether the equipment should be finally assembled and installed into the space vehicle or if the equipment is free of failures and ready for launch. The goal here is to assure that all of the initial failure protection which has been designed into the system is available.

In a non-redundant system the best one can do is to test the system and then hope that no failures occur. The statistical nature of failure occurence, however, offers little assurance that a failure will not occur just after mission commencement. This occurrence often precipitates total mission failure in a non-redundant system. The redundant counter-art is obvicusly better suited to tolerate random failures. Further, a typical order three redundant system which has been diagnosed to be free of failures prior to mission commencement is not vulnerable to single failures and thus offers a high degree of assurance of mission success.

Further tests would be utilized to isolate and locate the failure. The goal here is to effect repair and thus return the system to perfect working order. Since this may consume considerable time and involve special repair or replacement facilities, a duplicate system, which has been found free from failure, may be required to expedite scheduled installation into the space vehicle.

For redundant systems which receive maintenance the purpose of diagnostic testing is again to detect and locate failures. The goal, however, is to return the system to perfect working order and thus assure the highest possible reliability during the entire operational life of the equipment. In order for periodic maintenance to be effective it follows that the

be detected at the circuit test point level by changes in normal wave-shape. At the component level the degradation may be considered as a failure. At the circuit level this condition represents an impending failure. Understandably it is important to detect and repair impending failures since it is very likely that the circuit will soon fail. This is one of the more important aspects of periodic maintenance of non-redundant systems. Often the system may be operated normally and the various test points monitored to detect marginal voltages, wave shapes or rise times. This represents a very time consuming procedure and is severely limited in effectiveness by the number of test points which are provided. Many marginal components are then essentially undetectable.

Another problem which often arises is when a failure in circuit operation becomes sporadic. In this case the system may operate normally for most of the time making the location of the fault a difficult task. As so often happens, just as maintenance personnel are in the process of converging on the fault location, the fault disappears and the system operates normally. The problem here is that the fault is not present long encugh to allow an adequate diagnosis of the difficulty.

A more powerful approach for locating impending and sporadic failures involves the application of stress to the system. This will often precipitate a circuit failure by subjecting components to a condition which magnifies any degradation. Consider now the two general classes of approaches for imposing system stress--environmental and electrical. Environmental

system failure usually indicates the failure of a major function, such as a power supply or clock generator. Changes in operational behavior and partial failures normally provide symptoms which, when analyzed, are valuable in converging on the failure location. In a redundant system the effect of a non-critical failure is not evidenced by any change in system behavior. This means that the effect of a failure does not provide gross symptoms which may be used to indicate its occurrence or determine its location. The solution to this unique problem is suggested through several avenues of approach which represent diagnostic routines and implementation schemes unique to redundant systems.

Before considering the unique demands which a redundant system imposes on the required test facilities, it is useful to consider some amproaches which are applicable to digital systems in general. These general approaches include waveshape monitoring and the application of various stresses to enhance the chance of detecting present or potential failures. The combination of general approaches with the specific approaches to be suggested appear to offer a more inclusive repertoire of techniques from which to choose.

In a conventional system a failure of some circuit or sub-system normally provides an indication of its occurrence by the resultant changes in operational behavior. These are usually designated as catastrophic failures. Degraded components which are not sufficiently marginal to cause circuit failure are more difficult to detect because there is no indication of a change in system behavior. Often, however, a degraded component may

they are not readily amenable to system testing but find greater utility at the component or sub-system level. A case in point is the development of highly reliable components, i.e., by carefully controlled production followed by extensive testing under a variety of environmental and electrical conditions.

Electrical stress is a more convenient method for detecting marginal components and impending failures. A convenient method for stressing an entire system simultaneously is that of marginal voltage testing. In this approach the system power supply voltages are varied to combinations of maximum and minimum levels for which the circuits were designed. When all defective components, modules or sub-systems have been detected and replaced the system power supplies are returned to their nominal values. Marginal voltage testing is often combined with simulation routines and static and dynamic measuring techniques to provide an inclusive test program.

Simulation programs provide a form of electrical stress which is seen to exercise the variety of operational functions which a system may be required to perform under actual operating conditions. Often however, a simulation technique may subject the system to operational speeds which are not encountered in normal system operation. This might be accomplished by varying the frequency of system clock generators to either increase or decrease the speed of operation. In a spaceborne sequencer, for example, it may be necessary to speed up the occurrence of time events by several orders of magnitude in order to test all functions in some reasonable test period. In other applications increasing the speed of operations to the

stress may be typically sub-divided into température, humidity, pressure vibration, shock, radiation, etc. The application of one or combination of these environmental stresses is seen to present three main problems; 1) the size, complexity and cost of the facilities required, 2) the difficulty of performing measurements in an alien and often dangerous environment, and 3) the possibility of subjecting components to unnecessary stresses and thus causing unwarranted damage or destruction.

Temperature stress is perhaps the most popular approach because of its utility in causing parameter changes in resistance, capacitance, leakage, gain, threshold, etc. A second advantage is the small amount of additional facilities which are required. Often, temperature stress may be conveniently applied by controlling the system cooling to increase or decrease operational temperature. Component variations caused by temperature stress often make circuit operation marginal when such changes are beyond the normal specified design limits. Thus a component which has become only slightly marginal at normal operating temperature, and is indicative of impending failure, may be magnified by temperature stress to precipitate circuit failure. This method is often used, for example, in testing transistors for leakage current degradation at elevated temperatures. In a system test the increased leakage current of degraded transistors causes circuits to become sufficiently marginal to effect circuit failure.

The remaining types of environmental stress are difficult to impose on a system without test facilities of vast complexity. For this reason

by the vast improvement in reliability which a redundant system provides.

17

Since a conventional system normally provides little indication of an impending failure, the only available resort by which the system quality may be diagnosed is by the application of stress. It is, however, an inconclusive test of the systems ability to perform reliably. In a redundant system the application of stress to components and circuits for the purpose of detecting impending failures is not of significant value because the effects of individual failures are masked by the system configuration. Although redundant systems are able to tolerate failures without causing total system failure, it is often desirable to diagnose the system to detect any internal failures. It will be shown that the application of conditions which reduce the ability of a redundant system to withstand internal failure acts like stress by modifying the configuration so that the failure masking effects are removed. In this manner, failures which are present will be indicated by the behavior of the system. The following paragraphs will describe techniques for detecting and locating failures in redundant systems.

An order-three, multiple-line, majority-voted redundant shift register system will be used to demonstrate basic approaches. This is done for ease of explanation and is not intended to suggest that the approaches may not be extended directly to more general system configurations, or to higher-order redundant systems. It may be noted that the testing of redundant systems will involve a hierarchy of tests involved with first testing the signal processing parts, then the testing of the restoring elements, and finally the testing of the hardware added for the initial testing function

maximum design limit is often useful for magnifying the effect of marginal components. For example this technique is seen to be useful in determining degradation in caracitive coupling circuits.

A reduction in operating speed does not usually subject the system to stress but is useful in ascertaining that some normally fast sequence of operations is being performed correctly. Here, the reduction of clock rate is utilized to allow operation sequence to be conveniently monitored. The general approaches discussed are primarily useful in precipitating static failures which are impending or sporadic. DC failures and catastrophic failures are usually immediately apparent from the manner in which the system behaves. When only a portion of the system fails in the static state it often provides symptoms which may be used in diagnosing the location of the failure. If a failure occurs near the "front end" of a system, the majority of outputs will usually become static. In this case the symptoms are not sufficiently explicit to allow an adequate diagnosis. Simulation equipment then becomes useful in determining the failure location. This is accomplished by applying suitable signals at the various subsystem inputs and monitoring outputs for the presence of the correct response.

3. Failure Detection in Redundant Systems

The problem of detecting a failure in a redundant system is usually more difficult than in the conventional counterpart, because the effect of non-critical failures do not provide gross symptoms of their occurrence. This difficulty in diagnosing a failure is amply compensated

present in a maintained redundant system, so that further corrective action may be undertaken. It is important that all failures be detectable in a maintained redundant system, so that failures are not allowed to accumulate and degrade system reliability.

4. Failure Location in Redundant Systems

If a failure is known to exist in a redundant system, it is often desirable to obtain further information concerning the location of the failure. This is generally required so that the module containing the failure may be repaired or replaced. Although it is very desirable to be able to detect any failure to permit maintenance, it is only necessary to locate failures to within the smallest replaceable module. Therefore, the requirements of failure detection depend strongly on the contents of the smallest replaceable module. If entire subsystems are contained in a module, then each subsystem could be provided with independent failure detection hardware. This would be sufficient to locate failures within the replaceable module. It is possible that the requirement for test points at each replaceable module to permit failure location may in turn determine the practical size and contents of the module. If the test points and connections occupy a large space compared to the basic module, then the volume efficiency is rather poor, and a larger replaceable module might be more practical.

If repairs are expected to be made while the system remains in operation, then the module which contains the failure must not include the remaining replications of that function. This is necessary to permit the system to operate while the module containing the failure is removed.

itself. The extent and complexity of this hierarchy will depend on the confidence which is required of the tests and the degree of automation desired. It appears impossible, however, that perfectly reliable operation can ever be expected from any hierarchy of imperfect equipment monitoring other equipment. Although these testing methods are intended to make a significant contribution to the techniques available for testing redundant equipment, it is expected that further work in this area will result in further improvements. The accuracy and complexity of the tests should be balanced to obtain efficient system operation.

Often, the problem of failure detection is directly connected with the requirement for determining the location to facilitate maintenance repairs. Therefore, some of the more complete testing methods will include combined detection and location. Although failure location techniques are usually more complex than the basic failure detection techniques they often include complete failure detection capability in order to locate all failures which might exist in a redundant system. Failure location techniques also provide effective methods to detect and locate failures in the failure detection and location circuitry itself.

Dasic failure detection will probably be most useful as a verification technique to indicate that at least a major portion of a redundant system is failure free. This will assure that the failure protection which has been designed into a redundant system is available to prevent system failure. Simple failure detection techniques are also expected to be a preliminary technique which will indicate if any failures are

a redundant configuration may be conveniently removed by controlling the outputs of the signal processors. This is essentially a gross system approach thereby the occurrence of a failure is indicated by forcing the system to assume various vulnerable configurations. If the system is allowed to either operate normally, or in some configuration for which all operations are performed correctly, the detection and location of failures may be conveniently accomplished by examining replicated elements for signal disagreement.

In many respects, the location of failures in a redundant system is a much easier task than in the conventional system counterpart. This is because an improper signal may be determined by comparison with its replicated versions. If a redundant system is operating correctly in an overall system sense, then the correct signal of each monitored element is available at least at a majority of associated test points. This is seen to eliminate the tedicus task of monitoring elaborate wave shapes and sequences. Maintenance personnel are then presented with a system which, in principle, contains an integral handbock of normal signals to be expected at the various locations. The system may be permitted to operate normally, without simulation equipment, performing operations whose binary sequence at any single location is so complex that one could not hope to describe them adequately in any handbook. This suggests the possibility that maintenance personnel need not be completely familiar with the detailed operation of the system.

If the entire module is to be replaced if it contains a failure, then the failure location technique must be sufficiently accurate to determine which module contains the failure. This module may then be replaced without interruption of normal system operation. Maintained redundant systems which are continuously monitored and repaired require a combined failure detection and location technique which may be applied without altering the operational characteristics of the system. It will be shown that relatively complete testing may be accomplished during system operation. This is possible because the most frequent and harmful failures usually cause signal disagreements at the inputs to the voters. These signals may then be compared, either automatically or with the use of test points, to detect and locate these failures. Certain system configurations are amenable to controls which allow complete failure detection and location with access only to the signals at the inputs to the voters. More generally applicable techniques require access both to the voter inputs and outputs. These techniques, as well as the implementation circuitry required, are described in the following paragraphs.

5. Signal Comparison in Maintained Systems

The location of a failure in a conventional system requires that a handbook be provided to indicate the correct wave shape and binary sequence to be expected at each location. This is in addition to simulation equipment which may be required to place portions of the system into dynamic operation. The redundant system masks the effect of individual failures and thereby makes the task of detecting their occurrence more difficult. It will be shown, however, that the masking effects of a

oscilloscope or voltmeter is used in a conventional system. As indicated previously, it may be undesirable to provide these test points at every signal processor and voter output in the system. This may be due to the lack of access to the signals, the physical size of the test points in comparison to the circuitry being monitored, or the signal loading caused by test point leads. In some applications it may therefore be desirable to provide error detection and display as an integral part of the system. Integral signal comparators may be desirable for example, in a maintained redundant system which is continuously monitored during operation and each failure is repaired as soon as it is detected. This maintenance philosophy allows a much higher system reliability than available with periodic maintenance. With proper design it appears feasible to remove and replace defective modules without disturbing the operation of the system.

Since signal comparators will indicate only when signal disagreement occurs during the normal system operation, more extensive tests are required to detect and locate such failures as might occur in signal processors which are not to be used for some modes of system operation, some of the failures in voters, and failures that might occur in the control and signal comparison circuitry. This suggests a maintenance philosophy of continuous monitoring combined with periodic complete testing as follows: Signal processor outputs are continuously monitored during the operation of the system for the indication of the more frequent and harmful failures which cause incorrect signals. These failures are located and may be repaired without interrupting normal system operation. Periodically the normal

The determination of an error could be provided by a difference detector in combination with a suitable indicator. A technician would be required only to monitor the various test points in some prescribed sequence until arriving at the location of a signal disagreement. He would not be required to possess any special knowledge of what constitutes a correct or incorrect wave shape, binary sequence or repetition rate. Also, most difference detector devices which might be employed will signal any large departure from normal signals, and may include memory to indicate the location of transient or sporadic failures. From this we may conclude that the training requirements for maintenance personnel may be appreciably reduced, thus providing redundant systems with a distinct maintenance cost advantage over the more conventional counterpart. This attribute alone might become a significant factor in evaluating the total utility of a redundant system which is periodically maintained.

In order to reduce the total system failure rate, periodic maintenance must be conducted at a sufficiently short interval so that individual failures are not so probable that system reliability is appreciably degraded. In addition, if system failure occurs it might be necessary to employ simulation equipment to place portions of the system back into operation. The advantage of not requiring simulation equipment to locate individual failures is an important feature of a maintained redundant system. Thus the function of periodic maintenance is not only to assure high system reliability during the life of the equipment, but also to eliminate the requirement for simulation equipment to locate failures.

Thus far in our discussion of maintained redundant systems, it has been implied that the signal comparison equipment is usually externally applied to the appropriate test points in much the same manner as an



Figure 17 Singular Rank Testing

consists of the components of the non-redundant equivalent system, separated by the majority-voting restorers. Each of the signal processing elements (indicated by blocks) within the same rank are designated with the same capital letters; each of the majority voting restorers (indicated by circles) within the same rank are designated with the same lower case letters.

The corresponding replications of the same signal processors are hereafter referred to as being on the same <u>file</u> of the system. Each element in the file normally performs the same function, and is designated with the same number. Each signal processor file corresponds to individual functions at the non-redundant system. If a signal processor file has a restoring file associated with it, the restoring file may be assigned the same number.

operation of the system is shut down to allow the system to be completely exercised and the otherwise undetectable failures to be located and repaired. In contrast, the periodically maintained system is allowed to accumulate failures, even though they may be easily detectable, until the end of a scheduled maintenance period. Continuous monitoring and repairing is therefore a very powerful technique for detecting and repairing most failures as they occur, without seriously impairing the ability of the system to operate continuously while individual failures are repaired.

F. Singular Rank Testing

1. Detection of Signal Processor Failures

An obvious method for detecting failures in a typical redundant system is to separate and reconnect the replicated parts to create individual, independent systems. Each system may then be separately diagnosed for the presence of failures in the conventional manner. This would require that the basic system be provided with a large number of special switching circuits which accomplish a separation. Such an approach is somewhat impractical because of the expense, complexity and reliability degradation which the additional circuitry and wiring would impose. As will be shown, a much simpler means is available to provide a pseudo-separation of replicated systems without requiring an elaborate switching mechanization.

As an example, consider the simple redundant configuration shown in figure 17. Each of the complete replications of the non-redundant system are hereafter referred to as a <u>rank</u> of the system. Each rank normally

complimentary states of the A and B rank blocks are reversed. If an incorrect final output results for both tests it indicates that at least one failure is present in the C signal processors, the c voters or combinations of both. If only one test is successful, then a failure is evidently present in one or more of the c voters.

Success of either of the above tests is sufficient to verify that all C rank signal processors are failure free. It should be noted that the presence of a correct output for both complimentary test conditions does not verify with certainty that the c voters are failure free. This is because each voter was subjected to less than the maximum mossible number of input signal combinations. Consider the various combinations of input signals and the correct response of a three input majority voter in the table below. States 1 and 2 represent the case when A="1", B="0", and C="N"; states 3 and 4 represent the case when the static signals on A and E are reversed. All signals are the same for states 5 and 6. States 7 and 8 occur when C disagrees with the other two inputs.

| State No. | <u>A</u> | B | <u>c</u> | Output |
|-----------|----------|---|----------|--------|
| 1)        | 1        | 0 | 1        | 1      |
| 2)        | 1        | 0 | 0        | 0      |
| 3)        | 0        | 1 | 1        | 1      |
| 4)        | 0        | 1 | 0        | 0      |
| 5)        | 0        | 0 | 0        | 0      |
| 6)        | 1        | 1 | 1        | l      |
| 7)        | 1        | 1 | 0        | 1      |
| 8)        | 0        | Ō | 1        | 0      |

It will be assumed that the order of redundancy is uniform throughout the portion of the system which is being tested and that the only interconnections between ranks occur at the inputs to restorers. Singular rank testing will assume that there is no restrictions on system size, configuration, or uniformity of direction of signal flow. These characteristics are chosen to be compatible with current redundancy synthesis techniques.

Suppose that the control lines shown in figure 17 provide a means of causing each output of the rank signal processors to assume either the "l" state, the "O" state or "N" (normal operation). In effect, the output of the A and B rank blocks have been forced to assume definite DC failure states. The mechanization to accomplish this is described in part D of this section, and will be shown to entail only slight modification to the normal circuitry. Consider the effect of causing all the A and B rank signal processors to assume a static complimentary state, allowing the C rank signal processors to operate normally, and that the system is allowed to operate with its normal inputs. Under the conditions that all A and P blocks are im a complimentary state the input to each voter consists of "l", "O" and the output of the preceding C rank signal processor output. This means that the dynamic signal predominates and causes this signal to appear at the cutout of the voters. If all voters operate correctly, the system is equivalent to a non-redundant system, and may be completely exercised in the same manner as the non-redundant system to verify that all signal processing blocks in rank C are functioning correctly. This test should also yield identical results if the

condition of the voters as was described by the example of the C rank tests. However, the following voter input-output operation has been verified with certainty: All voters will make correct decisions if the input from the rank in which the voter is located agrees with at least one of the other inputs.

The condition which has not been verified is the uncertainty that a voter will make a correct decision when the input from the rank in which the voter is located is in disagreement with the majority of the remaining inputs (both remaining inputs for order three redundancy). It should be noted, however, that the complete set of singular rank tests will result in the application of all possible combinations of inputs to the voters. These tests are therefore sufficient to verify that any undetectable voter failures cannot combine with further single failures to cause an order three system to fail.

There are, however, a very limited number of component failures which can occur in the majority voter which cannot be detected with singular rank testing. These involve the failure of two of the input diodes for the three input D-TL voter. If the voter has a conventional minimum design, singular rank testing will indicate if either of these diodes is shorted. Due to the additional input isolation, the occurrence of these input diode shorts cannot be detected in the isolated input voter which has been shown in figure 15. If either of these undetectable diode shorts has occurred in the isolated input voter, the result is that the voter output is a "l" whenever the input from the rank in which the voter is located is a "l". The majority function is performed for all other inputs. The occurrence of either one of these

Only the first four of the eight combinations were verified by the test conditions described. States 5 and 6 are trivial however, since they contain the combinational states of 2, 4 and 1, 3 respectively. If a majority voter makes a "1" output decision for inputs consisting of two "1"'s and a "0" it will make the same decision for an input of three "1"'s. Similarly, if a majority voter makes a "0" output decision for inputs consisting of two "0"'s and a "1" it will make the same decision for an input of three "0"'s. From this it appears reasonable to assume that if the majority voter operates correctly for the first four states it will operate correctly for states 5 and 6. Thus the combinations which have not been tested and hence explicitly verified are states 7 and 8.

The tests conducted thus far have verified that all <sup>C</sup> rank blocks operate correctly and that the voters operate correctly for six of the eight possible input signal conditions. The A and B ranks may be similarly tested with the result that the correct operation of all signal processing blocks may be verified. This test philosophy is seen to be an approach for isolating each rank of a multiple line configuration and thus determining the presence of any failures which would jeopardize the ability of the system to mask out future failures. Each rank is not operated simultaneously and independently, but rather one rank at a time is effectively removed from the multiple line configuration and separately diagnosed for the presence of failures.

The success of all of these tests has verified the proper operation of all signal processors. These tests have not completely verified the

## 2. Detection and Location of Voter Failures

It may be desirable to have some means for detecting the presence of any failures within the system. One such example in which some method of complete testing is desirable is a maintained system which is expected to operate reliably for extended periods of time. If such a method is convenient, signal comparison may be combined with singular rank testing to detect and locate all voter failures. Since the combined singular rank tests result in the application of all possible inputs to the voter, the outputs of all voters in a restoring file may be compared for agreement while the inputs are applied. All voters are failure free if no output disagreements occur while all combinations of input signals are applied.

Since the only purpose of reversing the complementary states of the two ranks not being tested in an order three system was to gain additional information concerning the voters, voter comparison testing eliminates the need for interchanging the complementary states associated with each rank test. This requires, however, that a systematic method be used to assure that the complete set of tests results in the application of all possible combination of inputs to the voters, except the trivial cases when all inputs are the same. This condition will be met if the following rule is followed during singular rank testing: As each of the ranks is completely exercised as an individual non-redundant system, the particular pair of complementary DC states of the remaining two signal processors is chosen so that the state of either rank does not duplicate the DC state during any previous testing of the other ranks. Since the choice of which pair of

diodes being open cannot be detected for either the minimal design or the isolated input voters. The result of this condition is that the output of the isolated input voter is "O" whenever the input from the rank in which the voter is located is a "O"; if the input to a minimal design voter is a "l", the voter output is a "l". If one of the diodes shorts and the other opens, then the voter cutput is controlled by the input from the rank in which the voter is located, although the diode short could be detected if the minimal design voter is used. Therefore the existence of undetectable failures cannot introduce additional errors, but may cause signal processor errors to propagate through the restorers.

The above analysis has shown that the occurrence of undetectable failures tends to cause the output of the voter to be dominated by the signal from the rank in which it is located. In the worst possible case (complete dominance caused by the one diode open and the other diode short in every voter in restoring file when these failures are undetectable). The restorers have been effectively replaced by conductive paths from the output signal processors in the previous file to the input of each following signal processors in the same rank. The result is equivalent to eliminating the restoring file completely (except that the reliability of the signal processors is reduced by the additional voter circuitry). Although it is extremely improbable that such conditions would predominate in a system recently constructed from completely tested parts, the system becomes more vulnerable to further failures if they are allowed to accumulate.

processors is accomplished while complementary DC states are amplied to each pair of ranks, as described above, all possible input combinations involving disagreements are applied, and the difference detectors should give a continuous indication. If signal disagreements are noted for each signal processing file while all of the ranks are being controlled (either individually, in pairs, or for all possible input combinations involving disagreements, but not when the entire system is allowed to operate without signal processor failures) then the associated singular rank control circuitry is verified to be failure free.

## 4. Summary

It may be concluded that singular rank testing techniques are a very powerful tool for verifying that a redundant system does not contain internal failures. This testing would be valuable for use in acceptance tests which verify that all the reliability designed into a redundant system is available, or as the failure testing for continuously monitored and repaired systems with periodic complete verification, or in a system which is only periodically diagnosed to determine if any repairs are needed. The basic singular rank testing is a simple and effective method to allow a redundant system to be tested as if it were a non-redundant system to verify that all signal processors are operating correctly, and that the restorers will introduce no additional errors. This is equivalent to verifying that an order three system is not vulnerable to single failures. Basic singular rank testing techniques may combine with signal comparison to detect and locate failures which may exist in the signal processors, the restorers, the

complementary FC states for the testing of the first rank is arbitrary, either of two alternate sequences may be used for the complementary FC states; these states will be complements of those in the alternate sequence. Thus it may be shown that only three tests (one for each rank) are required for complete singular rank testing with signal comparison. If each test is successful in demonstrating that the system will perform the entire set of functions for which it was designed, all signal processors are verified to be failure free and the voters are capable of transmitting a correct dynamic signal for some of the possible input states. If, in addition, all voters make the same decision while the proper sequence of controls is applied during the above tests, the voters are verified to be failure free.

3. Detection and Location of Control and Comparator Failures

The basic concepts of singular rank testing may be extended to verifying that the controls used for singular rank testing are operating correctly. Rather than allowing each rank to operate individually, each rank is individually controlled by the singular rank testing controls. If the controls are working properly, a signal comparison on the output of each signal processing file should indicate a disagreement whenever the dynamic signal on the remaining ranks is in disagreement with the DC state of the rank being controlled. In the case where difference detectors are used on the output of all signal processor files, this testing will also test these difference detectors. The detectors should indicate a difference at each signal processor file whenever the signal on the controlled rank disagrees with the dynamic signals. If the signal comparison of the signal

in the following paragraphs, is referred to as interwoven rank testing. It represents an extension of the singular rank testing, since the signal paths are interwoven between the ranks to form an equivalent non-redundant system the signal is switched from one rank to another at the restoring files. This is possible only if the system configuration has a sufficient The example will assume that the system has restorers degree of regularity. on the output of every signal processing file, and that these files may be assigned odd and even numbers in such a manner that odd files receive inputs only from even files, and likewise that even files receive inputs only from odd files. These restrictions are in addition to the assumptions on which singular rank testing is based. It will also be shown that the controls used for failure detection may be used to locate voter failures without requiring test points or difference detectors on the output of the voters. Comparison of signal processor outputs is sufficient to locate all voter failures during special tests, as well as to continually monitor signal Shown in figure 18 and 19 are six replications of a redundant processors. configuration which is identical with previously discussed model except that two control lines for each rank determine the state of the odd and even numbered signal processors. If the two control lines for each rank were connected, the system would be identical to the one used in describing singular rank testing. Consider that the control lines and associated signal processors are placed in the following states: AO="0", AE="1", BO="N", BE="0", CO="1", CE="N", as shown in figure 18a. If an input signal is applied to the first file of signal processors, the signal flow will take the path shown by the arrows. This is because the two remaining signal processors in each file have been placed in complimentary static states. If all signal

control equipment, and any signal processor difference detectors.

Failure detection and location are often directly associated problems; failure location techniques are also effective failure detection techniques when they are available. It is expected that basic singular rank testing will be used as an effective and efficient technique for verifying that a redundant system is nearly failure free for regularly scheduled maintenance, or for relatively simple acceptance tests. The more complete detection and location techniques are expected to be used for the more thorough maintenance checks where any failures would be repaired, or for complete final tests after assembly. Signal comparison on all signal processor outputs may be used to continuously monitor and locate most failures in a continuously maintained system. These tests can be designed as part of almost any majority voted, multiple line system with a uniform order of redundancy throughout the portion being tested. No special signal simulation equipment is required, except the normally required inputs. The equipment required for the tests is described in more detail in part D of this section.

C. Interwoven Rank Testing

1. Complete Failure Detection

In some systems it may be desirable to completely diagnose a redundant system without the use of the signal comparison and failure location technique described above. In some cases, it is possible to perform this diagnosis without the requirement for any of the test points necessary for signal comparison. One such technique, which will be described



Figure 19 Interwoven Rank Testing



Figure 18 Interwoven Rank Testing

figure 18b. The a rank voters are verified by the arrangement shown in figure 18c and figure 19a. This is seen to be a mirror image extension of B-C rank tests.

At this point in the tests, the correct operation of all signal processors has been verified. An examination of the various input signal combinations which the voters were subject to is tabulated as follows:

| Rank a voters |   |          | Rank b voters |   |          | Rank c voters |   |          |
|---------------|---|----------|---------------|---|----------|---------------|---|----------|
| A             | B | <u>c</u> | A             | B | <u>c</u> | A             | B | <u>c</u> |
| 0             | 1 | 1        | 0             | 1 | 1        | C             | 1 | 1        |
| 0             | 0 | 1        | 0             | 0 | 1        | 0             | 0 | 1        |
| l             | 1 | 0        | 1             | 1 | 0        | 1             | l | 0        |
| 1             | 0 | 0        | 1             | 0 | 0        | l             | 0 | 0        |
|               |   |          | 1             | 0 | 1        |               |   |          |
|               |   |          | 0             | 1 | 0        |               |   |          |

Note that the b rank voters have been verified for six of the eight possible signal combinations while the a and c ranks were examined for only four. Since the signal condition of all "l"s or all "O"s was previously shown to be trivial, it is evident that the b rank voters have been completely tested for proper operation under all combinations of input signals. The reason that only the b rank voters have been completely verified and not the a or c rank voters is due to the fact that the b rank voters provided a common signal path in the tests involving the c rank voters and the rank voters. The a and c rank voters may be completely verified by the tests shown in

processors and voters in the math operate correctly the final output of the Nth processor (NC) will be the correct output signal. Reversing the states of control lines AO, AE, BE, CO should also provide the same result since this causes the pairs of signal processors in each file to assume the opposite complementary condition. The system may be completely exercised as a non-redundant system for either of the above DC states.

Consider now the various combinations of input signals which the lc voter was subjected to as a result of the above tests. An examination of figure 18a reveals that these combinations are as follows:

| State No. | A | B | <u>C</u> | Output |
|-----------|---|---|----------|--------|
| 3)        | 0 | 1 | l        | l      |
| 8)        | 0 | 0 | 1        | 0      |
| 7)        | l | l | 0        | 1      |
| 2)        | 1 | 0 | 0        | 0      |

Note that the tests have verified that the voter operated correctly for the two signal states which could not be confirmed by the basic singular rank tests. This was the uncertain condition that a voter will make a correct decision when the signal processor proceeding it in the same rank is in disagreement with the other two signal processors. Thus far our tests have verified the above uncertain condition for all odd numbered c rank voters, as well as all even numbered b rank voters. A total of four different input states have been verified for each of these voters. The remaining voters ir these ranks may be similarly verified by the test conditions shown in

If a difference detector is integrally connected with each processor file, then the correct operation of the signal processors may be continuously monitored for maintenance purposes. If only test points are available, they may be periodically tested for signal disagreement. Any disagreement on the output of a signal processor will indicate that there is a failure in that signal processor or the voter which proceeds it. This failure may be repaired during system operation if the other replicated signal processor and voters in that file continue to operate correctly. If a module consists of one signal processor and the voter which provides its input, then repair is accomplished by replacing that module. This procedure is useful for detecting and locating failures which cause errors, but is not sufficient for determining the location of some failures within the voters. If all signal processors are failure free, the voter portion of the modules may be completely tested by imposing various combinations of signals at the voter inputs and examing the associated signal processor outputs for signal disagreement. To locate all possible voter failures, it is necessary to provide a means of examining signal processor outputs while subjecting the associated voters to the various combinations of input signals. This may be accomplished by controlling separately the odd and even files of the system or sub-system under test. as described in the previous paragraphs and illustrated in figure  $1^{\circ}$ . For example, suppose that the odd files are allowed to operate normally and that each one of the three signal processors in the even files are in turn placed in each of the static DC states. The outputs of the odd files are monitored for signal disagreement during each

figures '9b and 19c. This is seen to cause the dynamic signal math to be interwoven between the a and c ranks.

Interwoven rank testing may therefore be used as an all inclusive procedure for detecting any failures of voters or signal processors without requiring access to any test points within the system. The system is reduced to sets of equivalent non-redundant systems by appropriate controls. It is then completely excercised and tested to determine if all functions are performed correctly. The success of all tests verifies that all signal processors and voters are failure free. If any of the tests result in an incorrect output, then some failure is present in the system. The detection of a failure gives very little information concerning its location within the system.

Although interwoven rank testing does not require access to test points within the system, it is a more elaborate approach which requires a degree of regularity in the system configuration as well as the establishment of twelve separate test conditions for an order three system, instead of the three required for singular rank testing and voter signal comparison. The system should be completely exercised for each of these tests to verify that the system is failure free if all tests are successful.

2. Failure Detection and Location for Maintenance

The alternate file controls described above may be used to detect and locate failures during normal system operation. Signal comparators are required only on the output of every signal processing file.

connective path, it is a relatively simple matter to provide  ${\rm R}_{\rm B}$  with a separate external connection.



Figure 20 Signal Processor Output Control

of the successive tests. Any disagreement on the output of an odd file signal processor will indicate that there is a failure in the voter which provides the input to that processor. Similarly, the outputs of the even files are monitored for each of the successive tests. Signal disagreement should be indicated whenever the control signal disagrees with the correct signal on the other processors in that file. If this indication does not occur, then either the control to that file is not effective, or there is a failure in the difference detector. The above testing is then repeated with the role of the odd and even files interchanged, each successive test examining the signal processors for disagreement. With proper design, any failures in the voters, the difference detectors, or the control hardware may be repaired while the system is in operation. Removal or disablement of one replicated voter or processor will not seriously jeopardize system reliability if the remaining replications of voters and processors continue to overate correctly.

- D. Circuit Implementations
  - 1. Control Circuitry

Consider new the mechanization for controlling the output of several signal processors with a single control line. A typical signal processor output is shown in figure 20. The circuitry shown is seen to be in the usual form of D-TL NAND gates. The base return resistor  $R_B$  may be connected to the emitter ground return if the associated transistor is representative of the low leakage silicon devices found in integrated circuitry. Since this resistor is rormally connected to ground by a discrete

configuration or values and the test power supplies, but requires two separate control lines, both of which are grounded in normal operation.

2. Difference Detector Circuit

Shown in figure 21 is a typical discrete component difference detector which may be utilized in the foregoing tests. The output level is a logical "O" only if all inputs are identical. Any disagreement of input signals will cause the first transistor to conduct and thus cause the second transistor to assume the "1" state (cut off). The circuit is seen to perform the functional operation of "exclusive OR" for two inputs.



Figure 21 Difference Detector

Suppose further that  $R_B$  is chosen to be equal to or less than  $R_A$ . If  $R_E$  is connected to ground potential the circuitry will operate normally. If  $R_B$  is connected to the + E supply  $Q_0$  will conduct and saturate regardless of the signals present on the inputs 1, 2, - - - N. This is seen to be the condition where the control line potential forces the signal processor output to assume the "O" state. If the control line is connected to an equal notential of opposite polarity (-E), transistor  $Q_0$  will be cut off thus causing it to assume the "l" state regardless of the signals present on inputs 1, 2, - - N. The method described to implement the required control function is one of several possible approaches. It is an approach which represents a simple modification to existing circuitry and requires only a single control line which is grounded in normal operation.

Another alternative requires control of both the base return line and the emitter ground line, but does not restrict the value of the base return resistor,  $R_B$ , and does not require a negative voltage supply. The same method described above is used to cause the "O" output, i.e., to connect the control line to a voltage which is sufficiently positive to cause the output to saturate. For most circuits, + E will be of sufficient magnitude for this nurnose. To effect a "l" output, the emitter ground line may be removed, so that the output cannot be a low impedance to ground, regardless of input signals. This approach may be rarticularly useful when it would be undesirable to reduce  $R_B$  less than  $R_A$ , or in circuits where the base input diode,  $D_B$ , is replaced by an emitter follower to increase base current drive. This approach places little restriction on circuit

## V. Summary and Conclusions

1. General

It has been shown that the special features of a redundant configuration impose unique requirements on the design of functional circuitry and the facilities required for test. Redundancy is a powerful tool for achieving extended reliability, but it should not be encumbered with circuitry which is inherently unreliable or contain particular failure modes which prevent the associated system configuration from operating independently. An appreciation of this philosophy allows the achievement of reliability goals with a minimum of additional complexity. Effective circuit design is required to obtain the desired balance between complexity and reliability in redundant systems.

2. Magnetic Logic

Although magnetic logic is often cited as having several features particularly applicable to spaceborne computers, the disadvantages of magnetic logic strictly limit their usefulness in general logic systems, and particularly for redundant spaceborne systems. Some basic disadvantages are listed below:

- 1) Lack of compatible steady output signals
- 2) Excessive power consumption for speeds comparable to low-power microcircuitry.
- 3) Extensive peripheral equipment, including high current drivers.
- 4) Limited fan-out and gain characteristics

The cutrut of the difference detector may be used to trigger a flipflop in order that any momentary disagreement of input signals may be displayed. This would be useful in detecting any sporadic errors which might otherwise remain unnoticed. As previously mentioned, the difference detectors might be combined with suitable indicators and packaged as an integral part of the system circuitry. This would eliminate any loading effects due to the use of test leads and external test equipment in monitoring test points. In addition this would provide maintenance personnel with a simultaneous display of the condition of the system and the location of faulty modules.

- 5. Extensive research and development for new integrated circuits.
- 6. High frequency capability.
- 7. Compatibility with synthesis and testing techniques for redundant systems.

• A comparison of the currently available integrated logic elements indicates that diode-transistor logic (D-TL) is the most suitable for use in redundant spaceborne systems. D-TL offers excellent operating characteristics, such as easily distinguished "l" and "O" states resulting in high DC stability and compatible output signals, high noise immunity, self contained drive current, allowable parameter tolerances, input isolation, and other characteristics which permit efficient redundant design. D-TL frequency capability exceeds the requirements of most spaceborne systems, and requires relatively low power, so that total power dissipation and temperature stress are minimized.

A majority voting restorer, designed using interconnected NAND elements, has been described which is not subject to the detrimental failures of conventional majority voters. Signetics is chosen as the most suitable supplier for commercially available D-TL integrated semiconductor logic elements. Characteristics of the Signetics circuits include: Low power dissipation, single power supply operation, complete general logic line, compatibility with testing techniques for redundant systems, and availability of reliability data.

4. Failure Testing

It is a characteristic of redundant systems that they offer a

- 5. High peak power requirements.
- 6. Indeterminate reliability performance due to extensive hand wiring with fine wire and numerous connections, as well as unavailability of accurate reliability data.
- 7. Complexity required for general logic functions.
- 8. Lack of suitable restoring element for use in redundant systems.

Magnetic logic does, however, offer non-volatile storage and reduced average power for low computing speeds. Magnetic devices appear to be suited to special applications where certain logic functions, such as transfer and OR, are intermixed with the memory function, and very low speed canability is acceptable.

3. Integrated Semiconductor Logic

Integrated semiconductor circuitry offers many characteristics which are desirable for circuits to be used in redundant spaceborne systems. Some general features of integrated semiconductor logic when compared to other commonly available logic systems are:

- 1. Significantly reduced size, weight, and power consumption.
- 2. Availability of general logic elements, as well as special purpose circuits.
- 3. Predictable operating characteristics over wide environmental variations.
- 4. Availability of accurate reliability data.

redundant system by forcing each remaining pair of replicated ranks to have static complementary binary outputs. System output is monitored to determine if each individual rank is able to perform all system functions correctly, in a manner similar to the verification of a non-redundant system. Singular rank testing is expected to be the most efficient and effective method for diagnosing equipment which has been recently assembled from completely tested modules, since the probability that the few undetectable failures might have occurred since complete testing is very low.

A somewhat more complicated testing procedure, referred to as interwoven rank testing, has been described which will completely test all voters to insure that they will make correct decisions for all possible input combinations. It has been shown that the failure detection procedures may be accomplished by controlling one or more normally grounded common lines for each of the replicated ranks of the system, without altering the logic design or including any additional hardware except to provide access to these lines. Singular rank testing places no restrictions on system size or configuration.

The characteristics of redundant systems have been shown to introduce unique properties to the problem of failure location and faulty module replacement. Although a redundant system is more complex that its conventional counterpart, failure location within an operating system does not require the operator skill and simulation equipment usually required to locate failures in a non-redundant system. Since an operating redundant system always has at least one correct signal available at every point in the system, these correct signals may be used as a basis of comparison to

high reliability for a period of time after the initially failure free condition, and that the system reliability decreases rapidly when internal failures are present. It is therefore important to insure that no initial failures exist in a redundant system to obtain maximum system reliability. This reliability may be required for a single time interval without further maintenance, such as for spaceborne systems, or it may be required for a repeated time intervals, where the system is restored to the initially nerfect condition prior to each interval. The later method may be used to obtain high mission reliability by maintaining a redundant system which is used repetitively, such as the ground support and launch equipment used prior to and during each mission. Since an initially failure free order three system can withstand any single failure, as well as a relatively large number of randomly scattered failures, it offers high reliability for the period of time when the probability of individual failures is low. Techniques are described which permit even higher reliability by combining periodic maintenance with continuous maintenance of a redundant system.

It has been shown that a relatively simple test referred to as singular rank testing may be used to determine that all of the replicated signal processors are working properly. If the signal processor fails whenever any of its parts fail, success of the singular rank tests will verify that all signal processors are failure free. Success of singular rank testing will also verify that the majority voters are sufficiently failure free to insure that the system is not vulnerable to single failures. Singular rank testing effectively isolates each rank of the replicated non-

## **BIBLIOGRAPHY**

- Haynes, J. L., "Logic Circuits Using Square-Loop Magnetic Devices: A Survey", IRE Trans. on Elec. Computers, Vol. EC-10, No. 2 (June 1961)
- 2. H. D. Crane, "A High Speed Logic System Using Magnetic Elements and Connecting Wire Only," Proc. IRE, Vol. 47, pp. 63-73; (Jan. 1959).
- D. R. Bennion and H. D. Crane, "Design and Analysis of MAD Transfer Circuitry," Proc. 1959 Western Joint Computer Conf., San Francisco, Calif., pp. 21-36, (March 1959).
- 4. J. A. Rajchman, "The Transfluxor," Proc. IRE, Vol. 44, pp. 321-332; (March 1956).
- 5. H. D. Crane, "Design of an All-Magnetic Computing System," IRE Trans. on Elec. Computers, Vol. EC-10, No. 2 (June 1961).
- 6. "Aviation Week and Space Technology," Aug. 19, 1963 pp. 93-103
- 7. A. R. Helland and W. C. Mann," Failure Effects in Redundant Systems" Westinghouse Report EE-3351. (March, 1963)
- Report No. NADC-EL-6319, Micro-Notes No. 3, "Information on Micro Electronics for Navy Avionics Equipment" (June, 1963)

other versions of the nominally identical signal. A difference detector on the signal processor outputs to restorers may be used to indicate failures among these signal processors. If the detector includes memory, it will also detect and locate transient or sporadic failures. These same difference detectors may be used for the somewhat more difficult task of locating such failures in the voters as do not cause errors when all voter inputs are identical, as well as verification that the test controls are actually capable of proper operation. The method which has been described uses the same types of control as singular and interwoven rank testing, and does not jeopardize system operation if all signal processors are operating correctly.