UPSET SUSCEPTIBILITY STUDY EMPLOYING CIRCUIT ANALYSIS AND DIGITAL SIMULATION

VICTOR A. CARRENO

JUNE 1984
This paper describes an approach to predicting the susceptibility of digital systems to signal disturbances. Electrical disturbances on a digital system's input and output lines can be induced by activities and conditions including static electricity, lightning discharge, Electromagnetic Interference (EMI) and Electromagnetic Pulsation (EMP). The electrical signal disturbances employed for the susceptibility study were limited to nondestructive levels, i.e., the system does not sustain partial or total physical damage and reset and/or reload will bring the system to an operational status. The front-end transition from the electrical disturbances to the equivalent digital signals was accomplished.
ABSTRACT

This paper describes an approach to predicting the susceptibility of digital systems to signal disturbances. Electrical disturbances on a digital system's input and output lines can be induced by activities and conditions including static electricity, lightning discharge, Electromagnetic Interference (EMI) and Electromagnetic Pulsation (EMP). The electrical signal disturbances employed for the susceptibility study were limited to nondestructive levels, i.e., the system does not sustain partial or total physical damage and reset and/or reload will bring the system to an operational status. The front-end transition from the electrical disturbances to the equivalent digital signals was accomplished by computer-aided circuit analysis. The SCEPTRE (system for circuit evaluation of transient radiation effects) Program was used. Gate models were developed according to manufacturers' performance specifications and parameters resulting from construction processes characteristic of the technology. Digital simulation at the gate and functional level was employed to determine the impact of the abnormal signals on system performance and to study the propagation characteristics of these signals through the system architecture. Example results are included for an Intel 8080 processor configuration.
INTRODUCTION

The use of digital electronic systems onboard aircraft is increasing and these systems are eventually expected to perform flight-critical functions on new generation aircraft, thus creating the necessity for ultrareliable digital systems. Various approaches are being taken to achieve ultrareliable fault-tolerant systems that will survive the occurrence of component/subsystem failure. A different threat to digital systems comes from internal state changes caused by external disturbances such as lightning. Aircraft flying in adverse weather conditions can be subjected to lightning discharge which will produce transients on system lines, data buses, etc. Work has been conducted to establish the interaction between the lightning produced electromagnetic environment and the aircraft (refs. 1, 2). This work is expected to determine the induced voltage energy spectrum and levels inside the aircraft as a result of lightning discharge and the effects of various parameters (electronic system location, cable length, cable type, shielding, etc.) on the induced voltages.

The inherent characteristics of digital systems make these induced transients a major threat since, unlike analog computational systems, a transient on a digital system can cause a logic state change preventing the machine from performing as intended after the transient. In most cases after the machine has entered into an erroneous operation, a reset and/or reload is necessary to bring it to normal operation. This erroneous operation is called an upset mode and no component or subsystem failure exists.

Studies of possible changes in program flow (due to upset) and its relation to program structure have been underway for several years (ref. 3). The purpose of the work described in this paper is to develop a methodology through which the susceptibility of a digital system to induced transients can
be evaluated. A possible by-product is the identification of system design procedures that increase or decrease the vulnerability of the system to threats as described above. Since the susceptibility study deals with nondestructive transient levels, investigation and tests of component failures caused by excess voltage levels were performed. Upper bounds were established for transient voltage levels to avoid failure of the system under test.

The study is divided into two parts: (1) translation of transients into digital equivalents using component-level circuit analysis by associating logic levels with the transient disturbance, and (2) functional level digital system simulation and transient injection using "digital equivalent transients" produced by the above circuit analysis. Figure 1 illustrates the methodology described in this paper.

CIRCUIT ANALYSIS

The waveshapes used for transient injection are shown in figure 2. These waveshapes are recommended by SAE subcommittee AE4L (ref. 4) for lightning induced transient studies. They are representative of the form of voltages and currents that may be present in cables in a lightning-produced electromagnetic environment. The waveshapes are intended for direct injection on system pins and lines and levels of the waveshapes are restricted to nondestructive levels.

When analog transients are injected on digital system lines or pins they reach the interfacing circuitry in the system devices. A prediction of the behavior of the interfacing circuitry when driven with the analog transient was performed by analyzing the circuitry at the component level using the SCEPTRE
Circuit topology is converted to an equivalent SCEPTRE circuit description to be used as input data for the SCEPTRE program. Transistors and diodes are modeled using the basic elements necessary for the SCEPTRE equivalent circuits, including resistors, capacitors, inductors, current, and voltage sources. Values for the Ebers-Moll transistor model and the diode model were obtained from manufacturers' data and from information of typical fabrication processes for monolithic integrated circuits. A family of component-level logic models for use in SCEPTRE analysis including gates, flip-flops, and tri-state devices, has been developed for this study for TTL and CMOS technology.

A typical transient injection circuit used to generate transients coupled to digital devices and shown in figure 3 was designed, breadboarded, and tested to compare its operation with SCEPTRE analysis of the such a circuitry. The tank circuit is connected to the injection point through a parallel RC circuit for isolation. Since the injection point of the circuit under test has a nonlinear input impedance, the waveshape at the injection point is clipped, nonsinusoidal, and thus unlike the sinusoidal tank output. The SCEPTRE code accurately models this circuit as shown in figures 4 and 5. To achieve the nonclipped, SAE recommended waveshape at the injection point, an idealized injection circuit was defined for use with SCEPTRE in the upset susceptibility study. The idealized circuit is accomplished in the SCEPTRE code via a mathematical function and has a low impedance source, perfect switches, and very high frequency response.
Figures 6 and 7 are examples of the response of a D-type flip-flop used in a latch circuit to the modeled injection circuit and the idealized transient signal. The transient was injected on the data input line while the flip-flop was disabled and in a high state. In the first example, using the oscillating tank injection circuit, the flip-flop state was changed from a high to low state. In the second example, using the ideal injection source, the flip-flop does not experience a state change. Thus, the injected signal harmonic content as well as the coupling circuit have an impact on the circuit analysis results.

SYSTEM SIMULATION

An 8080 microprocessor-based computer system was simulated in the functional level simulation study. This system was chosen to provide comparison with a similar hardware-based study (ref. 5). Functional level simulation was accomplished with the General Simulation Program (GSP) (ref. 6) running on a CDC Cyber 170-730 computer. This program has the capability for 16 functional models such as counters, microprocessors, latches, etc. The modeling is performed with a microcode instruction set. Variable propagation delay and internal registers can be implemented in the simulation. An example of a flip-flop model described with the microcode is listed in table 1.

Figure 8 shows the system block diagram used in the upset susceptibility study. An extra module was designed and added to the model system to access the system lines for injection purposes. The injection module is inserted in the line on which injection is intended. Under normal operation, the system signal propagates through the injection module unaltered with no time delay. Therefore, this module, when disabled, is completely transparent to the
remaining modules. When the injection module is enabled, the affected line signal is controlled by the user running the simulation. The digital equivalent signal, derived from the SCEPTRE circuit analysis using the idealized transient signal, was used to control the affected line. State changes of latches at either end of the affected line are used to introduce logic errors into the digital signals transmitted over the line according to the results of the circuit analysis.

The program executed during injection studies is in table 2. The program loads a byte from memory into the accumulator, stores the accumulator into memory and jumps to the first instruction at memory location \((1000)_{16}\) in a continuous loop. This program exercises three of a possible ten machine cycles (table 3) and is intended to provide a correlation of the machine cycles with the upset conditions. The first set of hardware tests were performed and reported in reference 5 using this program.

The program is loaded in RAM starting at memory location \((1000)_{16}\). When the simulation starts, the microprocessor is initialized equivalent to a power on reset. It loads and executes a jump instruction in ROM location \((0000)_{16}\) and after 6500 nanoseconds the microprocessor starts executing the program in RAM address \((1000)_{16}\).

The time of the transient injection into the system was determined by selecting a random number between 0 and 15000 and adding it to 6500. The time required by the microprocessor to execute the program in RAM once is 15000 nanoseconds. Therefore, the injection can occur with equal probability at any point in the program. The random numbers were obtained from a table of random numbers (ref. 7) and normalized to meet the boundary requirement.
TEST RESULTS

During initial upset test runs, operation codes (op-codes) that are undefined in the microprocessor instruction set were loaded in the instruction register as a result of the injected transients. The simulation microprocessor model treated these undefined op-codes as "no operation" instructions. A program that makes use of the undefined op-codes was written and executed in hardware to determine the response of the microprocessor to such codes and modifications were made to the microprocessor model accordingly. Of the 12 undefined codes 7 acted as one byte instruction and execution continued with the next immediate byte and 5 acted as control instructions with the next two bytes as part of the instruction. No attempt was made to reproduce with the microprocessor model the control output signals generated when the hardware microprocessor is executing the undefined opcodes.

Sixty-six transient injections were performed during program execution. Each transient injection was performed on a single line at a time and in all 66 cases the injected signal was the digital equivalent of a 1 MHz damped sinusoid. The points of the injections in the system were MDI₀, MDI₃, and MDI₇ of the input data bus, DB₀ of the output data bus, D₀ of the bidirectional data bus, and MAD₀ of the memory address bus.

During execution, the microprocessor bidirectional data bus, high and low address bus, system output data bus, and chip selection control lines were monitored, as well as the pins and internal registers of the microprocessor model. Locations in memory that were not used for the program were loaded with zero (00)₁₆ in the simulation as opposed to the hardware test (ref. 5) where unused memory locations had random content. Therefore, when program control was transferred to a memory location out of the defined program, the no
operation instruction NOP (00)$\text{16}$ was loaded and no undefined status word was observed during any of the transient injection runs. Forty-one system anomalies were registered including 24 errors and 17 upsets. System anomalies, errors and upsets for each injection line are summarized in table 4. In the error case, the microprocessor stored or loaded erroneous data, stored data in a nonspecified location or skipped an instruction but went back to the normal program loop. In the upset case, the microprocessor went out of the program loop to empty or nonexistent memory locations. Simulation test results on system errors and upsets as a function of injection lines were comparable with hardware results with the exception of the memory address line (MAD) where no errors or upsets were registered in 346 injections in the hardware test and seven errors and four upsets were recorded in 11 injections in the simulation test. Further tests are presently being performed to resolve the difference between hardware and simulation upsets caused by injections on the MAD$\text{0}$ line. Of 17 upsets, 13 were caused when the injection was performed during the jump instruction. These results point to an apparent higher susceptibility to upset of the program control instruction. Table 5 shows the classification of upsets and errors when the injections were performed during load (MVIA), store (STA) and jump (JMP).

SUMMARY AND CONCLUSIONS

The simplicity of the program executed during transient runs permitted observation of the patterns that lead to the upset condition. The upset susceptibility is highly dependent on program structure (ref. 3). When 1-bit of a 3-byte instruction is changed, the instruction could become a 1-byte instruction, and the two next immediate data bytes are then loaded as
instructions. This condition was observed 12 times during the 66 upset test
runs and three of those cases led to upset. In total, 29 data bytes were read
as instructions and the effect on the program flow depended on the data value,
its location in the program, and the instruction immediately after the data
byte or bytes.

Although none of the test runs caused the original program in RAM to be
partially or totally overwritten, the potential for overwriting programs was
identified in the error cases when the microprocessor stored data in memory
locations different from those specified.

Results of the study can be used to obtain the parameters necessary for a
stochastic model, similar to the stochastic model in reference 5, to compute
susceptibility of the system. The methodology described provides the
capability of performing upset tests and establishing an upset susceptibility
level for a system using models developed during design stages.
REFERENCES


TABLE 1 - FLIP-FLOP MODEL WITH GSP MICROCODE

; MODEL J K
;
; DECLARATION OF INTERNAL REGISTERS
; NO INTERNAL REGISTERS ARE NEEDED IN J K MODEL
;
  REG(1) DUMMY
;
; DECLARATION OF ALL EXTERNAL CONNECTIONS
; PIN EX(150) FOR SIMULATION CONTROL PURPOSES
;
  PIN J(1), K(2), Q(3), QBAR(4), CLK(5), EX(150)
;
; PROPAGATION DELAY SPECIFICATION
;
  EVW  OUT(15)
;
  BEQ  CLK, LATCH ; IF CLK EQUAL ZERO JUMP TO LATCH
  BEQ  J, K, INT  ; IF J EQUAL K JUMP TO INT
  MOV(OUT) J, Q  ; GIVE Q THE VALUE OF J AFTER A 15
                 ; NANO SECOND DELAY
  MOV(OUT) K, QBAR ; GIVE QBAR THE VALUE OF K AFTER A 15
                 ; NANO SECOND DELAY
  MOV  #0, EX     ; TERMINATE THE EXECUTION OF
                 ; THIS MODULE

INT:  BEQ  J, LATCH
       COM(OUT) Q  ; COMPLEMENT THE VALUE OF Q
                 ; INSTRUCTION IS EXECUTED WHEN J=K

LATCH: MOV  #0, EX
      END
<table>
<thead>
<tr>
<th>CLOCK CYCLES</th>
<th>ADDRESS</th>
<th>INSTRUCTION</th>
<th>MNEMONIC</th>
</tr>
</thead>
<tbody>
<tr>
<td>7</td>
<td>10 00</td>
<td>3E</td>
<td>MVIA</td>
</tr>
<tr>
<td></td>
<td>01</td>
<td>CB</td>
<td></td>
</tr>
<tr>
<td>13</td>
<td>02</td>
<td>32</td>
<td>STA</td>
</tr>
<tr>
<td></td>
<td>03</td>
<td>19</td>
<td></td>
</tr>
<tr>
<td></td>
<td>04</td>
<td>10</td>
<td></td>
</tr>
<tr>
<td>10</td>
<td>05</td>
<td>C3</td>
<td>JMP</td>
</tr>
<tr>
<td></td>
<td>06</td>
<td>00</td>
<td></td>
</tr>
<tr>
<td></td>
<td>07</td>
<td>10</td>
<td></td>
</tr>
<tr>
<td>MACHINE CYCLE</td>
<td>STATUS SIGNAL</td>
<td></td>
<td></td>
</tr>
<tr>
<td>-----------------------------</td>
<td>---------------</td>
<td></td>
<td></td>
</tr>
<tr>
<td>INSTRUCTION FETCH</td>
<td>A2</td>
<td></td>
<td></td>
</tr>
<tr>
<td>MEMORY READ</td>
<td>82</td>
<td></td>
<td></td>
</tr>
<tr>
<td>MEMORY WRITE</td>
<td>00</td>
<td></td>
<td></td>
</tr>
<tr>
<td>STACK READ</td>
<td>86</td>
<td></td>
<td></td>
</tr>
<tr>
<td>STACK WRITE</td>
<td>04</td>
<td></td>
<td></td>
</tr>
<tr>
<td>INPUT</td>
<td>42</td>
<td></td>
<td></td>
</tr>
<tr>
<td>OUTPUT</td>
<td>10</td>
<td></td>
<td></td>
</tr>
<tr>
<td>INTERRUPT</td>
<td>23</td>
<td></td>
<td></td>
</tr>
<tr>
<td>HALT</td>
<td>8A</td>
<td></td>
<td></td>
</tr>
<tr>
<td>INTERRUPT WHILE HALT</td>
<td>2B</td>
<td></td>
<td></td>
</tr>
<tr>
<td>INPUT POINTS</td>
<td>INJECTIONS</td>
<td>SYSTEM ANOMALIES</td>
<td>ERRORS</td>
</tr>
<tr>
<td>--------------</td>
<td>------------</td>
<td>------------------</td>
<td>--------</td>
</tr>
<tr>
<td>MDI₀</td>
<td>11 (11)</td>
<td>6 (11)</td>
<td>2 (3)</td>
</tr>
<tr>
<td>MDI₃</td>
<td>11 (11)</td>
<td>4 (11)</td>
<td>2 (0)</td>
</tr>
<tr>
<td>MDI₇</td>
<td>11 (11)</td>
<td>10 (11)</td>
<td>7 (1)</td>
</tr>
<tr>
<td>D₀</td>
<td>11 (2)</td>
<td>11 (2)</td>
<td>6 (1)</td>
</tr>
<tr>
<td>MAD₀</td>
<td>11 (346)</td>
<td>11 (0)</td>
<td>7 (0)</td>
</tr>
<tr>
<td>DB₀</td>
<td>11 (720)</td>
<td>1 (0)</td>
<td>1 (0)</td>
</tr>
</tbody>
</table>

<p>| | | | | |</p>
<table>
<thead>
<tr>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>66</td>
<td>43</td>
<td>25</td>
<td>18</td>
<td></td>
</tr>
</tbody>
</table>

( ) Hardware test results.
<table>
<thead>
<tr>
<th></th>
<th>MVIA</th>
<th>STA</th>
<th>JMP</th>
<th>TOTAL</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>NO UPSET</strong></td>
<td>11</td>
<td>10</td>
<td>4</td>
<td>25</td>
</tr>
<tr>
<td><strong>ERRORS</strong></td>
<td>14</td>
<td>10</td>
<td>0</td>
<td>24</td>
</tr>
<tr>
<td><strong>UPSET</strong></td>
<td>1</td>
<td>3</td>
<td>13</td>
<td>17</td>
</tr>
<tr>
<td><strong>TOTAL</strong></td>
<td>26</td>
<td>23</td>
<td>17</td>
<td>66</td>
</tr>
</tbody>
</table>
SAE DISTURBANCE WAVE FORMS OCCURRENCE STATISTIC CIRCUIT FUNCTIONAL STOCHASTIC ANALYSIS LEVEL MODEL SUSCEPTIBILITY SIMULATION TO UPSET EXPERIMENTAL WAVE FORMS

FIG. 1 - METHODOLOGY FOR SUSCEPTIBILITY STUDY
DAMPED SINUSOIDAL WAVEFORM

$V_1, V_2$

RISE TIME, ns

<table>
<thead>
<tr>
<th>WAVEFORM</th>
<th>FREQUENCY</th>
<th>DAMPING</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>1 MHz ($\pm$ 20%)</td>
<td>50 MAX AMPLITUDE DECREASES</td>
</tr>
<tr>
<td>2</td>
<td>10 MHz ($\pm$ 20%)</td>
<td>5 MAX 25-50% IN 4 CYCLES</td>
</tr>
</tbody>
</table>

DECAYING EXPONENTIAL WAVEFORM

$V_3, I_4$

<table>
<thead>
<tr>
<th>WAVEFORM</th>
<th>$t_r$ (ns)</th>
<th>$t_d$ (µs)</th>
</tr>
</thead>
<tbody>
<tr>
<td>3</td>
<td>500 MAX</td>
<td>170 ($\pm$ 20%)</td>
</tr>
<tr>
<td>4</td>
<td>100 MAX</td>
<td>2 ($\pm$ 20%)</td>
</tr>
</tbody>
</table>

Fig. 2 - S.A.E. waveforms recommended for lightning-induced effects testing.
Fig. 3 - Transient generator circuit.
Fig. 4 - Transient input signal on the flip-flop D line of a hardware setup using a tank injection circuit.
Fig. 5 - Transient input signal on the flip-flop D line of a modeled configuration using a modeled tank injection circuit.
Fig. 6 - Flip-flop response to the modeled transient injection circuit.
Fig. 7 - Flip-flop response to the idealized transient signal.
FIG. 8 - SYSTEM UNDER TEST
**Abstract**

This paper describes an approach to predicting the susceptibility of digital systems to signal disturbances. Electrical disturbances on a digital system's input and output lines can be induced by activities and conditions including static electricity, lightning discharge, Electromagnetic Interference (EMI) and Electromagnetic Pulsation (EMP).

The electrical signal disturbances employed for the susceptibility study were limited to nondestructive levels, i.e., the system does not sustain partial or total physical damage and reset and/or reload will bring the system to an operational status.

The front-end transition from the electrical disturbances to the equivalent digital signals was accomplished by computer-aided circuit analysis. The Super-Sceptre (system for circuit evaluation of transient radiation effects) Program was used. Gate models were developed according to manufacturers' performance specifications and parameters resulting from construction processes characteristic of the technology.

Digital simulation at the gate and functional level was employed to determine the impact of the abnormal signals on system performance and to study the propagation characteristics of these signals through the system architecture. Example results are included for an Intel 8080 processor configuration.

**Key Words (Suggested by Author(s))**

Upset  
Overwritten memory  
Op-codes

**Distribution Statement**

Unclassified - Unlimited  
Subject Category 47