# Application of Analog & Mixed Signal Simulation Techniques to the Synthesis and Sequencing of Diagnostic Tests

Harry H. Dill Deep Creek Technologies, Inc. Annapolis, MD 21401 USA Phone (410) 757-3315 Fax (410) 757-9504 E-mail:73767,2413@compuserve.com Kyle Bratton, Chris Sparr; 4.8.4.10 Naval Aviation Depot, Cherry Point MCAS Cherry Point, NC USA Phone (919) 464-8541 Fax (919) 464-8177 E-mail:brattonkj@elis.nadepcp.navy.mil

Abstract - This paper describes the fault definition, simulation, test strategy development and validation activities that were accomplished during beta testing of a new CAE tool, Test Designer. It addresses the issues of simulation convergence, component fault models, circuit model implementation, simulation run times and test strategy accuracy. To ensure a realistic test of Test Designer's capabilities, diagnostics were developed for a moderately complex analog and mixed signal UUT which was selected from the Navy's list of CASS TPS offload candidates. These diagnostics were evaluated on the CASS to measure the diagnostic sequence accuracy and to assess the ability of Test Designer to predict the nominal measurement values and fault detection characteristics of each test.

#### I. INTRODUCTION

In late 1996, the SPICE simulation tool manufacturer Intusoft initiated development of a new product tailored to the unique and demanding needs of the test engineer. This product, Test Designer, was to provide an effective, interactive design environment for the synthesis of diagnostic tests, generation of fault dictionaries and the building of diagnostic fault trees. As part of the product testing process, a beta version of Test Designer was used to synthesize diagnostic tests and build diagnostic fault trees for an analog and mixed signal UUT which was selected from the Navy's CASS offload candidate list. This paper describes the process by which the diagnostics were developed and documents the accuracy of these diagnostics as demonstrated in the Navy's Test Integration Facility in Chesapeake, VA.

A seven step process was implemented for development of the diagnostics. In chronological order, they were:

| 1) Circuit Parsing        | 5) Test Synthesis        |
|---------------------------|--------------------------|
| 2) Schematic Entry        | 6) Fault Tree Generation |
| 3) Measurement Definition | 7) Integration           |
| 4) Simulation             |                          |

Details of each step in this process are provided in the sections that follow.

II. CIRCUIT PARSING

The Annunciator Light Control Power Supply (ALCPS) was chosen as the UUT for which diagnostics would be developed because of its complexity. It contains two virtually identical sections, each converting aircraft power input of 16Vdc to 30Vdc into 28Vdc in the "Bright" mode of operation and pulsed dc voltage averaging 7 to 14 Volts in the "Dimmer" mode. Since the two sections of the ALCPS are very similar, only the Emergency section was evaluated. The results are easily transferred to the Essential section of the ALCPS. Figure 1 is a block diagram of the Emergency section of the ALCPS. Subsequent reference to the ALCPS refers only to the Emergency section of the power supply.

The original plan called for simulating the entire supply as a single entity. An initial attempt at such a simulation showed that the runtime to complete diagnostics development would be excessive as far as this paper is concerned. There were several reasons :

While the simulation time increases linearly 1) (approximately 1.2 times [1]) with the size of the circuit, the time constants that are associated with the functional blocks the ALCPS posed a greater problem. They range from approximately 100us in the VGS/minus 5Vdc block to 250ms in the digital block. A transient analysis in SPICE must compute a sufficient number of points on the time line in order to accurately reproduce the circuit waveforms. In the case of the VGS/minus 5Vdc block the time interval for the computations must be in the 1us to 10us range. The digital block must be simulated over a total time period of several seconds in order to accurately capture its behavior since it contains several long time-constant RC delay circuits. Therefore, more than a million computations could be required to simulate the ALCPS behavior for a single test setup.

2) Test Designer computes the fault dictionaries by simulating circuit behavior for each failure mode of each component - one at a time. Approximately 300 failure

Lloyd Pitzen CCI Incorporated Arlington, VA 22202 USA Phone (757) 549-9198 Fax (757) 547-9253 modes must be considered for the entire ALCPS Emergency section. With a simulation time for a single run in excess of 8 hours on a 90Mhz Pentium®, 4 months of processing time would be required to complete the task.

There several ways of overcoming these issues. The first is to use a faster computer or a "farm" of fast computers to make the numerous runs more quickly and in parallel. Current state-of-the-art computers (i.e., 266MHz Pentium® II) would reduce the simulation time for each failure mode by approximately 25% making the problem much more manageable.

A more attractive method for reducing simulation time would be to model the switching elements using a linearization technique called state space averaging [2]. Some faults would not be detected when using this approach, however, the simulation time for the long switching simulations would be reduced by an order of magnitude.

In this case, the solution we adopted was to simulate each block of the ALCPS as a separate entity. By replacing functional blocks that interface with the block under evaluation with voltage sources that emulated both the nominal and failed modes of operation, the behavior of each block was easily simulated. For example, the digital functional block in Figure 1 provides CMOS outputs of +12Vdc or 0Vdc (depending on its



stimuli) to the On/Off Analog circuit. For each digital block stimuli setup, voltage sources can represent the digital block outputs for nominal, Stuck Hi and Stuck Lo failure modes that might exist at those outputs or propagate to those outputs. These voltage sources (emulating the Digital Block outputs) were used as stimuli when evaluating the On/Off Analog block. Subsequent simulation of the digital block showed that for all failures within the block, these were the only failures observed at the digital block outputs. Since there is no clocking associated with these outputs, static voltage levels may be used. Had clocking been an issue, we could have used stimuli that generate timevarying waveforms. The objective of the circuit parsing step was to break the circuit up into functional blocks in such a manner as to reduce simulation time while maintaining the integrity of fault effects propagation across block boundaries. The configuration in Figure 1 accomplished this objective.

#### III. SCHEMATIC ENTRY

Test Designer employs graphical "drag and drop" schematic entry features found in most modern EDA systems. However, there are two significant differences - component parameter data entry and circuit configuration definition.

#### A. Component Parameter Data Entry

Each component on the schematic has an associated graphical dialog that can be accessed to define nominal device and model parameter information, as well as parametric tolerances. The tolerances can be used in subsequent Monte Carlo analyses to assist in the definition of test pass/fail limits. Each component also has an associated failure mode definition dialog that allows you to define the parameters for each of the component's failure modes. Up to 32 failure modes can be assigned to any single component. In addition, Test Designer provides selectable failure modes that are defined in the CASS Red Team Package. Theses failure modes were used for the ALCPS. The fault universe for the modeled portion of the ALCPS consisted of 204 faults that are allocated as follows:

| On/Off Analog block | 66 component failure modes |
|---------------------|----------------------------|
| Dimmer Analog block | 66 component failure modes |
| Digital block       | 72 component failure modes |

## **B.** Circuit Configuration Definition

A test setup provides loads, voltage and current stimuli and instrumentation connections at specific points on the Unit Under Test (UUT). When viewed in a broader context, the combination of the test setup circuitry and the UUT can be considered to be a circuit configuration in and of itself. Indeed, for simulation purposes, the test setup circuitry must be included as part of the circuit. Most Test Program Sets (TPSs) implement multiple setups during the testing sequence. This increases the simulation burden by requiring a separate schematic for every test setup. The ALCPS diagnostics require several different test setups in order to completely test the "Bright" and "Dimmer" functions. Specific setups include the connection of high and low resistance values to the dimmer inputs and changes in the ALCPS primary power and digital inputs.

Test Designer addresses the multiple test setup problem by assigning each setup/UUT combination a unique configuration name and simulating all configurations in a batch operation. In Test Designer, the setup/UUT combination is called a "circuit configuration". The circuit configuration is defined during the schematic entry process. Every circuit configuration is composed of one or more schematic lavers. An active layer can be thought of as a transparency that overlays other transparencies such that as you view them you see the complete circuit configuration schematic. Circuit nodes on the top layer connect with nodes on underlying layers as if the drawing were created on a single page. Test Designer allows mixing and matching of layers to form the required circuit configurations.

Two circuit configurations were defined for the digital block of the ALCPS. Three schematic layers were created in order to implement these two configurations. The first layer, "UUT", contained all circuitry for the digital portion of the ALCPS. The second layer, "MainStim", contained five piecewise linear voltage sources (digital signal stimuli), a pulsed voltage source (Vplus12, the power into the digital functional block), and a pulsed voltage source (Vi, filtered power). Vi and Vplus12 were given associated failure modes which were representative of their respective functional blocks.

The third layer, "MainStim2", was similar to MainStim, however, the definition of the five piecewise linear voltage sources reflected the required digital stimuli for tests that differed significantly from those of MainStim. A circuit configuration was named MainLine and assigned layers "UUT" and "MainStim". Another circuit configuration was named MainLine2 and assigned layers "UUT" and "MainStim2". Circuit configurations were created in a similar manner for the On/Off Analog and Dimmer functional blocks. None of the PWM blocks were included in the analysis. Due to the low component count in these blocks, a manual analysis was performed. A transient analysis was run on the

 
 Dim Reset
 T101 Measurement
 T103 T105

 Inst Lts
 T102 Measurement
 T104 T106

 Lts Test
 T102 Measurement
 T104 T106

 Measurement
 T104

 Jume
 Jume

 Jume
 Jume

 Measurement
 Jume

 Jume
 Jume

 VGS/minus 5Vdc block to gauge the difficulty associated with its simulation. This block contains an SG1524 Pulse Width Modulator and simulation time using a 90Mhz Pentium® was approximately four hours. Techniques exist for reducing this time but were not implemented in the ALCPS circuit model. [3]

The developer of the ALCPS Offload TPS wished to use an existing set of verification tests and prepare diagnostic fault trees that branch from failed verification tests. The setups defined for these verification tests formed the basis for the circuit configurations "MainLine" and "MainLine2".

Figure 2 shows the waveforms for the digital stimuli that are defined in the "MainStim" layer of the "MainLine" circuit configuration. These waveforms were derived directly from the existing ALCPS verification tests and represent digital stimuli as the TPS progresses sequentially through verification tests T1010, T1020, T1030, T1035, T1040, T1050, T1060 and T1080. T1070 applied exactly the same stimuli to the digital block as T1060 and was not repeated in the simulation. Each test toggles only those digital stimulus lines that are needed to achieve the desired 5 bit pattern, then delays 700ms to allow the circuit to settle and makes a voltage measurement at the main output node of the ALCPS. The UUT is not de-energized between tests. Since the digital block contains two simple NOR gate flip flops, it retains the state of the circuit as defined by the stimuli that were applied during previous tests. Therefore, the sequence of these tests is important in the context of the failure modes that each test will detect. The circuit configuration "MainLine" duplicates this scenario by using identical stimuli in the simulation. The simulator was set up to record the circuit parameters at every node in the circuit at the time of each test measurement as performed by the actual At the conclusion of test T1080, power is TPS. removed from the ALCPS, then power is reapplied and testing is resumed using the stimuli duplicated in the "MainLine2" circuit configuration.

#### IV. MEASUREMENT DEFINITION

Test Designer uses the IsSpice4 simulation engine. IsSpice4 is an enhanced version of Berkeley SPICE 3 [4] and XSPICE [5]. This engine offers several simulation analysis options, among them DC Operating Point, AC and Transient. Each of these options provides different information regarding the circuit. Transient analysis was selected for development of the ALCPS since we are interested in dynamic circuit performance over a period of time. A specific type of analysis must be assigned to each circuit configuration before it can be simulated. The association of a simulation analysis type with a circuit configuration is defined as a test configuration by Test Designer. A single circuit configuration can be assigned multiple types of simulation analyses in order to define multiple test configurations. Only transient (time-based) analyses were performed on the ALCPS.

Test Designer records only the simulation information that is relevant to the test measurements that have been defined and selected by the test engineer. The available information includes the voltage at each circuit node (at any specified time for the transient analysis), time relationships between events (rise times, triggered measurements, pulse widths, etc.), the current through any component and the power dissipated by any component. For the ALCPS "MainLine+tran1" test configuration, a total of 224 measurements were recorded. These measurements consist of the node voltage at each of 32 circuit nodes as recorded at 2.8 seconds, 3.7 seconds, 5.5 seconds, 6.7 seconds, 8.5 seconds, 9.8 seconds and 10.8 seconds into the simulation. These measurement times correspond to those of the verification tests T1010 through T1080. The ALCPS provides probe access to every circuit node via the back of the circuit card. Similarly, 192 test measurements were defined for the "MainLine2+tran1" test configuration. This yields a pool of 416 tests from which to choose when isolating a failure in the digital block fault universe of 72 failure modes. Not all of these measurements will necessarily be used in the final fault tree. The objective at this point is to create a large population of tests from which to choose when computing an efficient fault isolation strategy.

A similar process was used to define measurements for the On/Off Analog functional block and the Dimmer Analog functional block. Eighty-seven (87) measurements were defined for the On/Off Analog functional block; 116 were defined for the Dimmer Analog block. Thus, the total measurement pool for the simulated sections of the ALCPS was 619.

## V. SIMULATION

Test Designer generates a value for every defined measurement in every test configuration for every enabled failure mode of the circuit by performing the simulations that are defined in the test configurations. A measurement value is also generated for the No Fault condition. The test engineer may declare any component as "can't fail" in order to exclude special circuitry such as external test equipment interfaces from the fault analysis computations. In addition to this automated "batch simulation" mode, Test Designer permits simulation of individual failure modes in an interactive, manual mode.

Simulation of the ALCPS test configurations posed few problems. It was quickly noted however that the first run of a simulation should be performed in manual mode for the No Faults case to ensure the circuit is correctly configured and the simulation runs to completion.

Convergence problems appeared only once. The digital signal stimuli for the UUT is applied 1 second before power is applied. Application of the power caused a transient in the circuit simulation that resulted in a nonconvergence situation. This situation was quickly resolved by invoking Test Designer's Convergence The Convergence Wizard asks various Wizard. questions and automatically manipulates the IsSpice4 simulation control options in an attempt to mitigate the problem. Once the circuit converged for a test configuration, no additional problems were observed during the fault simulation process. If convergence problems do occur during an individual fault simulation in "batch" mode, the measurement value is flagged as non-convergent and can be subsequently evaluated individually in manual mode by changing simulation parameters.

"Batch" mode simulation times for all faults and all test configurations were as follows:

| Digital block       | 51 minutes |
|---------------------|------------|
| Dimmer Analog block | 25 minutes |
| On/Off Analog block | 42 minutes |

All simulations were performed on a 90Mhz Pentium® processor.

## VI. TEST SYNTHESIS

A test is defined as a set of circuit stimuli, a parametric measurement, a circuit node where the parameter is measured and criteria for determining whether the test passes or fails [6]. At this point in the process 619 parametric measurements have been defined for the ALCPS including stimuli and measurement locations. The next step is to convert these measurements into tests by assigning pass/fail criteria.

| Measurement Results |                                                               | ×                     |
|---------------------|---------------------------------------------------------------|-----------------------|
| All Measurements    | Mainline : tran1 : TRAN T108  V(4) 08 Jun 97, 01:16 fail/tota | al = 17/73            |
|                     | Meter RefDes::Fail Measured Pass/fail Mir                     | n Nominal Max 🔺       |
| V(18)               | ,X1c::OutSt 1.655u Fail 5.58                                  | 31 6.581 7.581        |
|                     | ,, X1b::OutSt 1.655u Fail 5.58                                | 81 6.581 7.581        |
|                     | R11::Open 1.655u Fail 5.58                                    | 31 6.581 7.581        |
|                     | ,, C7::Short 1.655u Fail 5.58                                 | 31 6.581 7.581 🚽      |
| V(22)               | ,, C4::Short 1.655u Fail 5.58                                 | 31 6.581 7.581        |
| V(23)               | R12::Open 1.655u Fail 5.58                                    | 31 6.581 7.581        |
|                     | ,,, Q1::shortBE 1.655u Fail 5.58                              | 31 6.581 7.581        |
|                     | ,, X3c::OutSt 1.655u Fail 5.58                                | 31 6.581 7.581        |
|                     | Dcr13::Open 1.662u Fail 5.58 j                                | 31 6.581 7.581        |
| V(28)               | R9::Open 1.662u Fail 5.58 📕                                   | 31 6.581 7.581        |
| V(29)               | , X3a::OutSt 28.40u Fail 5.58                                 | 31 6.581 7.581        |
| V(2)                | , X1a::OutSt 28.40u Fail 5.58                                 | 31 6.581 7.581        |
| V(3)                | Q1::openBE 476.4u Fail 5.58                                   | 31 6.581 7.581        |
| ···· V(30)          | Q1::openC 11.97m Fail 5.58                                    | 31 6.581 7.581        |
| V(4)                | R20::Open 11.97m Fail 5.58                                    | 31 6.581 7.581        |
| I                   | LDcr14::Short 3.865 Fail 5.58                                 | 31 6.581 7.581        |
| Report View         | Dcr14::Open 6.581 Pass 5.58 ب                                 | 31 6.581 7.581 🗾      |
| Measurement         | ۲ (۱۰)                                                        | • • •                 |
| Precision 4         | Set Limits Copy to Clipboard Options Save Variation           | n No Faults 💌 OK Help |

Figure 3 shows one of the graphical methods Test Designer provides in order to facilitate test limits definition. A description of the methodology that is used to set the ALCPS digital block test limits will illustrate the application. Examination of the digital block topology revealed that most of the circuit nodes connect CMOS digital components and can be expected to fall within ±1volt of +12Vdc or 0Vdc during normal operation. Initially, the limits for all nodes were set to ±1volt about the nominal value using the global set capability in Test Designer. The limits for the non-digital nodes were then set to ±10% of the nominal values. (A more rigorous approach would have been to use the Monte Carlo feature of Test Designer to derive circuit performance). This rough cut converted the 416 measurements into 416 tests. Figure 3 shows the test results for the "MainLine+tran1" test configuration at the T1080 test time for node V(4) for every simulated failure mode.

Note the Meter on the left of the graphic. A short bar in the center of the meter indicates that the associated failure mode is not detected. This bar is colored green on the computer screen. A long bar on the left or right of the meter center indicates that the associated failure mode moves the measured value outside the pass/fail limits by more than 3 times the difference between the upper and lower pass/fail limits (e.g., a very high probability failure detection). This bar is colored bright red. A short bar just to the right or left of center indicates that the failure is detected but is out of limits by less than one tolerance range (e.g. could be an uncertain detection and may merit further investigation using Monte Carlo techniques). This bar is colored purple. A quick scan of this display gives a good indication of the reliability of an individual test in detecting the failures in its fault dictionary. There are two other display types available to display the failure

| Measurement Results     |                  |               |              |              |               |              |       | ×    |
|-------------------------|------------------|---------------|--------------|--------------|---------------|--------------|-------|------|
| All Measurements        | Mainline : tran1 | : TRAN X1d::  | OutStuckLo   | 08 Jun 97, I | 01:16 fail/to | tal = 11/28  |       |      |
| TRAN 🔺                  | Meter            | T108          | Measured     | Pass/fail    | Min           | Nominal      | Max   |      |
| i ⊡ T101                |                  | V(1)          | 11.49        | Pass         | 10.49         | 11.49        | 12.49 |      |
| 📄 🕀 T102                |                  | V(10)         | 12.00        | Fail         | -1.000        | 6.483n       | 1.000 |      |
| i ⊡- T103               |                  | V(11)         | 42.77p       | Pass         | -1.000        | 42.77p       | 1.000 |      |
| i ∰. T104               |                  | V(12)         | 14.00        | Pass         | 13.00         | 14.00        | 15.00 |      |
|                         |                  | V(13)         | 0.4668       | Pass         | -533.2m       | 0.4668       | 1.467 |      |
| . ±. T106               |                  | V(16)         | 12.00        | Fail         | -1.000        | 6.483n       | 1.000 |      |
|                         |                  | V(17)         | 28.00        | Fail         | 10.41         | 11.41        | 12.41 |      |
| 🗄 - Mainln2             |                  | V(18)         | 28.00        | Fail         | 21.81         | 22.81        | 23.81 |      |
| i in tran1              |                  | V(19)         | 28.00        | Pass         | 27.00         | 28.00        | 29.00 |      |
|                         |                  | V(20)         | 145.3n       | Fail         | 10.97         | 11.97        | 12.97 |      |
| ф. T109                 |                  | V(21)         | 12.00        | Fail         | -1.000        | 6.483n       | 1.000 |      |
| T110                    |                  | V(22)         | 299.3n       | Fail         | 11.00         | 12.00        | 13.00 |      |
| T111                    |                  | V(23)         | 12.00        | Fail         | -1.000        | 6.483n       | 1.000 |      |
| □ T112                  |                  | V(24)         | 416.9n       | Pass         | -1.000        | 416.9n       | 1.000 |      |
|                         |                  | V(26)         | 280.3n       | Pass         | -1.000        | 6.483n       | 1.000 |      |
|                         |                  | V(27)         | 12.00        | Pass         | 11.00         | 12.00        | 13.00 |      |
| Report View Measurement |                  | V(28)         | 12.00        | Pass         | 11.00         | 12.00        | 13.00 |      |
| Precision 4             | Set Limits       | Copy to Clipb | oard Options | Save         | Variation X10 | ::OutStuckLo | ▼ ОК  | Help |

| Measurement Results  |                        |                       |                                       |                   |            |          |
|----------------------|------------------------|-----------------------|---------------------------------------|-------------------|------------|----------|
| All Measurements     | Mainline : tran1 : TRA | N 08 Jun 97, 01:1     | 6                                     |                   |            |          |
|                      | Fail < 3T              | F Fail - T            | Pass                                  | Fail + 1T F       | Fail > 3T  | <u> </u> |
| V(24)                | 15                     | 1                     | 56                                    |                   | 1          |          |
| V(26)                | R9::Open               | Dcr14::Short          | R7::Open                              |                   | Rpwm::Open |          |
| V(27)                | Q1::shortBE            |                       | Q1::shortCE                           |                   |            |          |
| V(28)                | U1::openBE             |                       | Dor13::Short                          |                   |            |          |
|                      | UI::openL<br>B20u0=en  |                       | Ucr14::Upen                           |                   |            |          |
|                      | Dor12::Open            |                       | MIC:: UutStuckHi<br>MIb:: OutStuckLio |                   |            |          |
| - V(30)              | X1c::OutStuckLo        |                       | X1b::OutOpen                          |                   |            |          |
|                      | X1b::OutStuckHi        |                       | X3c::OutStuckLo                       |                   |            |          |
|                      | X3c::OutStuckHi        |                       | X3a::OutStuckHi                       |                   |            |          |
| - V(6)               | X3a::OutStuckLo        |                       | X1a::OutStuckHi                       |                   |            |          |
| V(7)                 | X1a::OutStuckLo        |                       | R8::Open                              |                   |            |          |
| V(8)                 | R11::Open              |                       | C7::Open                              |                   |            | _        |
| 1/(9)                | C7::Short              |                       | C4::Open                              |                   |            |          |
|                      | C4::Short              |                       | R4::Open                              |                   |            |          |
|                      | RTZ::Upen              |                       | X1d::UutStuckLo                       |                   |            |          |
|                      |                        |                       | X10::UutStuckHi<br>X2b::OutStuckHi    |                   |            |          |
| Report View Bu Group |                        |                       | X3b::DutStuckLo                       |                   |            | _        |
|                      |                        |                       | D1 0                                  |                   |            | <u> </u> |
| Precision 4          | Set Limits Cop         | py to Clipboard Optic | ons Save Va                           | riation No Faults | •          | IK Help  |

detection characteristics of each test. Figure 4 shows all T1080 test results for the failure mode X1d::OutStuckLo. Figure 5 shows a histogram of test measurements vs. failure modes for the T1080 voltage test at node 4.

Setting limits for the ALCPS tests was an iterative process of selecting highly reliable tests with regard to detection characteristics (created using the rough cut limits) for inclusion in the Fault Tree and adjusting the limits on less than reliable tests in order to improve their detection characteristics when such tests were required to achieve desired isolation metrics.

## VII. FAULT TREE GENERATION

Figure 6 shows the Test Designer dialog that was used to build the diagnostic fault trees for the ALCPS. Test Designer can automatically generate the entire tree from the test pool; it can complete a partial fault tree or the test engineer can create the entire tree manually.

The first step in creating the fault tree is to select the test grouping (located the upper left of the dialog box). This selection is made by assigning a sequence number to each group of tests from which tests are to be drawn. Multiple test groups can be assigned the same sequence number when changing test setups from one test to the next in a sequence does not cause problems in the actual test process (e.g., excessive test setup times).

In the case of the ALCPS we wanted to run tests T1010, T1020, T1030, etc. in a sequential order, so we built the fault trees manually. The fault tree in Figure 6 depicts "go-line" tests as if the measurements were made at node 20 of the digital block. The actual observation point for the "go-line" tests is at the output of the On/Off Analog block. However, since the fault tree for the On/Off Analog block has a callout for digital block failure



| Number of cases | Result                                                                                                                                                                                                                                                                                                                                                                                                                    | Result agrees with model |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|
| 8               | Fault detected and isolated successfully;<br>that is, failed the performance test as<br>expected and fault isolated to the correct<br>component                                                                                                                                                                                                                                                                           | Yes                      |
| 2               | Fault not detected                                                                                                                                                                                                                                                                                                                                                                                                        | Yes                      |
| 4               | Fault detected (a function of the<br>performance test) but not isolated<br>correctly. Component was in Fail<br>Ambiguity Group for a performance test<br>that passed and was not in Fail Ambiguity<br>Group for the subsequent performance<br>test that failed. Test Designer predicted<br>two of these four faults were "soft" detects<br>for the performance tests and may not be<br>detected for some UUTs (see text). | No                       |
| 1               | Fault not detected                                                                                                                                                                                                                                                                                                                                                                                                        | No                       |

modes (recall the digital block was modeled as a voltage source in the On/Off Analog block), entry into the digital block fault tree can be made at the equivalent digital block "go-line" test entry point when the On/Off Analog block fault tree calls out the digital block failure modes. The linkage of fault trees is performed outside of the Test Designer environment and must be completed manually. The "go-line" tests of the digital block are linked instead of presented as independent trees because Test Designer can eliminate from consideration those failure modes which have been cleared from previous "go-line" tests.

To build the fault tree, a Sequence number is selected using the pull-down window on the left side of the dialog. An entropy value is computed for all tests in test groups that have this sequence number and the tests will then be displayed in the lower left of the dialog box in priority order - from best test for the active tree node to least desirable test in the context of diagnosing the highest failure rate components in the minimum number of steps. The test engineer has the option to select any test in this list. Tests that provide no new information regarding the failure modes have an entropy value of zero and are not displayed. The sequence number can be changed at any time during fault tree development in order to control which setups are used at various places in the fault tree.

The ALCPS tests used in the fault tree were selected based on their failure detection reliability. If a review of the detection characteristics for a recommended test showed "soft" detections for unknown failure modes (as indicated for failure mode Dcr14::Short in Figure 3), a different test was selected from the prioritized list. If there were no acceptable tests available, the detection characteristics of the listed tests were examined to see if limit changes would improve their reliability. With a pool of 416 tests for the digital block alone, it was easy to find reliable tests to use in the fault tree.

Fault trees for the simulated blocks of the ALCPS were manually linked together and into the pre-existing "goline" test sequence using a word processor. These diagnostic fault trees were then passed to NADEP Cherry Point representatives for integration.

An interesting side note is that although the test pool was very large, there was substantial room for improvement in the detection characteristics of the digital block tests. Only 59.4% of these failures are detected by the "go-line" tests. Most of the non-detects occur in the RC delay circuits that filter and debounce the digital inputs from the aircraft. All "go-line" tests are designed to make measurements after the RC networks have reached steady state conditions and are not designed to detect open capacitors.

## VIII. INTEGRATION

Results of inserting 15 faults and testing the ALCPS using the first three performance tests and the Test Designer generated diagnostic procedures are shown in Table 1. Results for 10 of the 15 faults were as predicted by Test Designer. The discrepancies between integration results and Test Designer predictions are discussed below.

The pass/fail limits for each test were assigned during the test synthesis phase by inspecting the "distance" of each simulated failure mode value relative to the nominal value for the measurement and selecting a limit

between 5% and 10% of nominal up to a limit of 0.5 Volts. Subsequent Monte Carlo analyses reveals that these limits were well beyond those needed to accept 99.9% of unfailed UUTs as ready for issue. Furthermore, these pass/fail limits provided good discrimination between failure modes and resulted in reliable isolation of low failure count ambiguity groups. However, there was one unanticipated problem that caused many of the simulated nominal values for the On/Off analog block to be roughly 0.5 Volts above the nominal value observed on the actual ALCPS. Consequently, many pass/fail limits were also high by 0.5 Volts and tests failed when they should have passed. Recall that the input to the On/Off Analog block from the digital block was simulated using voltage These voltage sources were assigned a sources. nominal value of 11.91 Volts. On the ALCPS board used for integration, these CMOS outputs were measured at 11.2 Volts. This 0.7 Volt differential caused an adverse effect in the limit definition process. In addition, the power supply voltage for each of the integrated circuits was assumed to be 12.0 Volts. It was closer to 11.4 Volts on the actual ALCPS. This 0.6 Volt difference also contributed to the shift in test pass/fail limits. An alternative and preferable approach would have been to include tolerances on the voltage sources that represent the power supply and digital blocks and setting limits based on a Monte Carlo analysis. Subsequent analyses using more realistic tolerances for the voltage sources matched the performance observed when performing the tests on the CASS.

The fault tree that was generated with Test Designer was computed such that failure modes C20 short and Q4 collector/emitter short were isolated after detection by the T1010 "go-line" test. During integration, T1010 failed to detect C20 short and Q4 collector/emitter short. An inspection of the Test Designer Results dialog (similar to figure 3) indicated that both of these failure modes are "soft" detections for T1010 and may therefore be detected on some UUTs and not others. Expanding the limits of T1010 to  $\pm 1.0$  Volts in order to make these failure modes non-detects for T1010 should eliminate this problem. Both failures can be subsequently detected by T1030.

Test Designer predicted that CR4 short and CR3 short were high probability detections for test T1020. Yet neither failure mode was detected by T1020 during fault insertion. This problem appears to be related to the architecture of the On/Off Analog circuitry. Op amp U6a of the On/Off Analog circuitry acts as a comparator. CR3 short and CR4 short failure modes shift both the positive and negative inputs to the comparator away from their nominal values by a small amount; the negative moves at a faster rate than does the positive

input. For some tolerance accumulations of components feeding the comparator, either of these failure modes will cause the comparator to switch states and will be "hard-over" detections for T1020. For other tolerance accumulations, the comparator will not switch states and the T1020 measurement will yield its nominal, unfailed value. Additional "go-line" tests should be devised for the ALCPS in order to detect CR3 short and CR4 short in the event they are not detected by T1020.

## IX. LABOR EXPENDITURES

Following are man-hour estimates for each of the tasks leading to integration of the fault tree that was prepared using Test Designer. The listed hours are within  $\pm 25\%$  of the actual expended hours.

| Circuit Parsing        | 6.0 hours |
|------------------------|-----------|
| Schematic Entry        |           |
| Digital block          | 4.0 hours |
| On/Off Analog block    | 3.5 hours |
| Dimmer block           | 3.0 hours |
| Measurement Definition |           |
| Digital block          | 3.0 hours |
| On/Off Analog block    | 1.0 hours |
| Dimmer block           | 0.5 hours |

Simulation (Includes reruns due to circuit model errors, stimuli changes. problem solving, etc.)

| Sumun Cha             | anges, problem solvir |
|-----------------------|-----------------------|
| Digital block         | 24.0 hours            |
| On/Off Analog bloc    | ck 10.0 hours         |
| Dimmer block          | 16.0 hours            |
| Test Synthesis        |                       |
| Digital block         | 0.5 hours             |
| On/Off Analog bloc    | ck 2.0 hours          |
| Dimmer block          | 2.5 hours             |
| Fault Tree Generation |                       |
| Digital block         | 0.5 hours             |
| On/Off Analog bloc    | ck 1.0 hours          |
| Dimmer block          | 1.0 hours             |
|                       |                       |

Once these six steps of the process have been completed, changes can be made very quickly. To illustrate, consider that the first set of diagnostics that were generated for NADEP Cherry Point integration contained an error in the stimuli for test T1020. This error invalidated much of the logic in the fault tree so the simulation showed many detections that didn't exist and missed a number of detections that would exist (actually, the simulator results were correct based on the stimuli defined in the model; unfortunately, the model didn't agree with the implementation). This error was discovered at 3pm. By 9pm that evening, a completely new set of diagnostic tests for the ALCPS had been synthesized, sequenced and e-mailed to the Chesapeake Test Integration Facility.

## X. LESSONS LEARNED

#### A. General Comments

1) The simulation techniques which are employed by Test Designer act as a "force multiplier" for development of diagnostics for analog and mixed signal circuits. Over the course of 80 hours it was possible to generate 619 tests, determine the failure mode detection characteristics of each test against a failure universe of 204 failure modes, and sequence a subset of these tests into an effective diagnostic fault tree.

2) Simulation is an effective method for identifying problem areas in fault detection. The beta testing of Test Designer surfaced problems in two ways; first, by identifying the low probability fault detections for individual tests and second, by providing an infrastructure for further circuit analysis when integration results did not match simulator predictions.

3) Reasonable simulation times can be achieved by parsing the circuit into separate subcircuits and linking the simulation results through the use of voltage and current stimuli.

4) Assumptions regarding linkage of separate simulations through the use of voltage or current sources should be validated on actual circuitry. Monte Carlo techniques should be employed to ensure that test limits are valid over the full range of values that these sources can assume.

5) The simulation model should be validated against actual circuit operation in the no fault condition prior to developing diagnostic tests.

## B. NADEP Cherry Point Comments.

As a first time user of Test Designer the engineer came on line very quickly. There was a short learning curve to get an understanding of what information is required.

Accounting for achieved detection and isolation of failure modes is a difficult problem for the TPS developer. While accountability is easy for the developer to achieve in simple circuit analysis, it becomes considerably more difficult as the circuit complexity increases. Test Designer provided an advantage to the ALCPS TPS developer in that it kept track of detection and isolation of failure modes during generation of the fault tree.

Direct application of Test Designer can be made to all stages of avionics design and test program development, and also implementation of design for testability during avionics design. Models developed during this process would be of great value to subsequent test program development.

Test Designer provides the engineer a fault matrix in the form of a Fault Tree .tdf text file. The .tdf file provides an accounting of components and associated fault modes detected by the defined test. This output provides a list of

detectable, undetectable, and destructive fault modes. The information required to develop the Fault Accountability Matrix (FAM) Table [7] as required in the Navy's Red Team Package resides in this .tdf file.

Once confidence is achieved in the circuit model it can be used by both contractor and customer to simplify and shorten the final product validation and acceptance process. Upon delivery of the TPS to the Fleet, the models would be maintained by In-Service-Engineering in order to provide guidance in avionics changes and upgrades to test program capability.

Test Designer is not a replacement for engineering expertise. It does however allow the engineer to focus the TPS development efforts in a fashion that targets high failure areas for additional diagnostics. After becoming familiar with its application, we anticipate that the engineer will include Test Designer as an integral part of the TPS development process.

#### REFERENCES

[1] L.W. Nagel and D.O. Pederson, *Simulation program with integrated circuit emphasis*, ERL Memo No. ERL-M520, University of California, Berkeley, May 1975

[2] L.G. Meares, *New Simulation Techniques Using SPICE*, IEEE APEC, 1986, pp.198-205

[3] Steven M. Sandler, *SMPS Simulation with SPICE,* Mc-Graw-Hill, 1997

[4] B. Johnson, T. Quarles, A.R. Newton, D.O. Pederson, A. Sangiovanni-Vincentelli, *SPICE 3F User's Guide*, University of California, Berkeley, Oct. 1992

[5] F. Cox, W. Kuhn, J. Murray, S. Tynor, *Code-Level Modeling in XSPICE*, Proceedings of the 1992 Intl. Syp. on Circuits and Systems, May 1992, IEEE 0-7803-0593-0/92

[6] Harry H. Dill, "A Comparison of Conventional and Inference Model Based TPS Development Processes", AutoTestCon '95 Proceedings, pp 160-168

[7] CASS Red Team Package data item DI-ATTS-80285B, Fig. 1 - SRA/SRU Fault Accountability Matrix Table, pg 11