IEC 62396-3:2013
Process management for avionics - Atmospheric radiation effects - Part 3: System design optimization to accommodate the single event effects (SEE) of atmospheric radiation
IEC 62396-3:2013(E) provides guidance and the necessary requirements for those involved in the design of avionic systems and equipment, addressing the effects of atmospheric radiation-induced single event effects (SEE) on those avionic systems. The outputs of the activities and objectives described in this part of IEC 62396 become inputs to higher level certification activities and required evidence. It builds on the initial guidance on the system level approach to single event effects in IEC 62396-1:2012, considers some avionic systems and provides basic methods to accommodate SEE so that system development assurance levels are met.
Overview
IEC 62396-3:2013 - "Process management for avionics - Atmospheric radiation effects - Part 3: System design optimization to accommodate the single event effects (SEE) of atmospheric radiation" provides guidance and requirements for designing avionics systems to manage the effects of atmospheric radiation-induced single event effects (SEE). It builds on the system-level approach in IEC 62396-1:2012 and defines outputs and evidence that feed higher-level certification and safety assurance activities. The standard aims to ensure system development assurance levels are met while minimizing hard and soft fault impacts on aircraft functionality and reliability.
Key Topics and Requirements
- Process guidance (Clause 4): Establishes procedures and activities for integrating SEE accommodation into the avionics design process.
- Atmospheric radiation and electronic system faults (Clause 5): Describes how atmospheric radiation produces hard faults (permanent damage) and soft faults (transient or recoverable errors) and introduces relevant terminology (e.g., latch‑up, firm error, ASET, MBU/MCU).
- Aircraft safety assessment (Clause 6): Presents a methodology for assessing SEE contribution to system failure rates, defines mitigation strategies, and maps recommendations to system assurance levels (Levels A–E).
- System-specific guidance: Considers different avionics systems (Levels A–E) and provides tailored optimization methods to reach required reliability targets (MTBF, MTBUR).
- Informative annexes: Include a design process flow diagram for SEE rates (Annex A), mitigation method considerations (Annex B), and example systems (Annex C).
Practical Applications - Who Uses This Standard
IEC 62396-3 is intended for:
- Avionics systems engineers and architects designing robust flight-critical electronics.
- Component and equipment manufacturers developing LRUs (line replaceable units) and ICs sensitive to radiation.
- Safety assessors and certification teams preparing evidence for regulatory compliance and certification processes.
- Reliability and maintenance planners addressing MTBF/MTBUR impacts and in-service removal rates.
- Airlines and integrators concerned with operational reliability and lifecycle costs influenced by SEE.
Use cases include optimizing redundancy and diagnostics, defining test and verification inputs for certification, and deriving system-level fault-rate allocations that incorporate atmospheric radiation effects.
Related Standards and References
- IEC 62396-1:2012 - Accommodation of atmospheric radiation effects at the equipment level.
- IEC/TS 62239-1 - Preparation and maintenance of an electronic components management plan.
- ARP4754 - System development and safety assessment methodology referenced for fault-rate accommodation.
Keywords: IEC 62396-3, single event effects, SEE, atmospheric radiation, avionics, system design optimization, aircraft safety assessment, MTBF, MTBUR, LRU, mitigation methods.
Standards Content (Sample)
IEC 62396-3 ®
Edition 1.0 2013-09
INTERNATIONAL STANDARD
Process management for avionics – Atmospheric radiation effects – Part 3: System design optimization to accommodate the single event effects (SEE) of atmospheric radiation
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
info@iec.ch
www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.
Useful links:
IEC publications search - www.iec.ch/searchpub: The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, replaced and withdrawn publications.
Electropedia - www.electropedia.org: The world's leading online dictionary of electronic and electrical terms containing more than 30 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary (IEV) on-line.
IEC Just Published - webstore.iec.ch/justpublished: Stay up to date on all new IEC publications. Just Published details all new publications released. Available on-line and also once a month by email.
Customer Service Centre - webstore.iec.ch/csc: If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.
INTERNATIONAL ELECTROTECHNICAL COMMISSION
Price code: U
ICS 03.100.50; 31.020; 49.060
ISBN 978-2-8322-1095-6
– 2 – 62396-3 © IEC:2013(E)
CONTENTS
FOREWORD . 3
INTRODUCTION . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 Process guidance . 10
5 Atmospheric radiation and electronic system faults . 11
5.1 Atmospheric radiation effects on avionics . 11
5.2 Hard faults . 12
5.3 Soft faults . 13
6 Aircraft safety assessment . 13
6.1 Methodology . 13
6.2 Mitigation . 14
6.3 Specific electronic systems . 14
6.3.1 Level A systems . 14
6.3.2 Level B systems . 17
6.3.3 Level C systems . 18
6.3.4 Levels D and E systems . 18
Annex A (informative) Design process flow diagram for SEE rates . 19
Annex B (informative) Some mitigation method considerations for SEEs . 20
Annex C (informative) Example systems . 24
Bibliography . 28
Figure C.1 – Electronic equipment (flight control computers) . 24
Figure C.2 – Electronic equipment (flight director computers) . 25
Figure C.3 – Electronic equipment (engine control) . 26
Figure C.4 – Electronically powered surface . 26
Figure C.5 – Hydro mechanical drive of surface – Electronic valve control . 27
Table 1 – Failure effect and occurrence probability . 14
INTERNATIONAL ELECTROTECHNICAL COMMISSION
PROCESS MANAGEMENT FOR AVIONICS –
ATMOSPHERIC RADIATION EFFECTS –
Part 3: System design optimization to accommodate
the single event effects (SEE) of atmospheric radiation
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and
non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62396-3 has been prepared by IEC technical committee 107:
Process management for avionics.
This first edition cancels and replaces IEC/TS 62396-3 published in 2008. This edition
constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous
edition:
a) Reference to IEC 62396-1:2012 included.
b) Some definitions in Clause 3 updated in line with IEC 62396-1:2012.
c) Reference to system level A types I and II removed from 6.3 and Annex C.
d) Replacement in key locations of “may” by a more positive statement.
The text of this international standard is based on the following documents:
FDIS: 107/210/FDIS
Report on voting: 107/220/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts of the IEC 62396 series, under the general title Process management for
avionics – Atmospheric radiation effects, can be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.
INTRODUCTION
This industry-wide International Standard provides additional guidance to avionics systems
designers, electronic equipment, component manufacturers and their customers to adopt a
standard approach to optimise system design to accommodate atmospheric radiation single
event effects (SEE). It builds on the information and guidance on the system level approach to
single event effects in IEC 62396-1:2012, considers some avionic systems and provides basic
methods to accommodate SEE so that system hardware assurance levels are met.
Atmospheric radiation effects are one factor that could contribute to equipment hard and soft
fault rates. From a system safety perspective, using derived fault rate values, the existing
methodology described in ARP4754 [1] (accommodation of hard and soft fault rates in
general) will also accommodate atmospheric radiation effect rates.
___________
Numbers in square brackets refer to the Bibliography.
1 Scope
This part of IEC 62396 provides guidance and the necessary requirements for those involved in
the design of avionic systems and equipment, addressing the effects of atmospheric
radiation-induced single event effects (SEE) on those avionic systems. The outputs of the
activities and objectives described in this part of IEC 62396 become inputs to higher level
certification activities and required evidence. It builds on the initial guidance on the system
level approach to single event effects in IEC 62396-1:2012, considers some avionic systems
and provides basic methods to accommodate SEE so that system development assurance
levels are met.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 62396-1:2012, Process management for avionics – Atmospheric radiation effects – Part 1:
Accommodation of atmospheric radiation effects via single event effects within avionics
electronic equipment
IEC/TS 62239-1, Process management for avionics – Management plan – Part 1: Preparation
and maintenance of an electronic components management plan
3 Terms and definitions
For the purposes of this document, the terms and definitions of IEC 62396-1:2012,
IEC/TS 62239-1 as well as the following apply.
3.1
analogue single event transient
ASET
spurious signal or voltage produced at the output of an analogue device by the deposition of
charge by a single particle
[SOURCE: IEC 62396-1:2012, 3.2]
3.2
could not duplicate
CND
reported outcome of diagnostic testing on a piece of equipment
Note 1 to entry: Following receipt of an error or fault message during operation, the error or fault condition could
not be replicated during subsequent equipment testing.
3.3
double error correction triple error detection
DECTED
system or equipment methodology to test a digital word of information to determine if it has
been corrupted, and if corrupted, to conditionally apply correction
Note 1 to entry: This methodology can correct two bit corruptions and can detect and report three bit corruptions.
3.4
firm error
circuit cell failure within a device that cannot be reset other than
by rebooting the system or by cycling the power
Note 1 to entry: Such a failure could be manifest as a soft fault in that it could provide no fault found during
subsequent test and impact the value for the MTBUR of the LRU.
Note 2 to entry: See also soft error.
3.5
hard error
permanent or semi-permanent damage of a cell by atmospheric radiation that is not
recoverable even by cycling the power off and on
Note 1 to entry: Hard errors could include SEB, SEGR and SEL. Such a fault would be manifest as a hard fault
and could impact the value for the MTBF of the LRU.
[SOURCE: IEC 62396-1:2012, 3.24, modified – a note to entry has been added]
3.6
hard fault
term used at the aircraft function level safety analysis referring to the permanent failure of a
component within an LRU
Note 1 to entry: A hard fault results in the removal of the LRU affected and the replacement of the permanently
damaged component before a system/system architecture can be restored to full functionality. Such a fault could
impact the value for the MTBF of the LRU repaired.
[SOURCE: IEC 62396-1:2012, 3.25]
3.7
latch-up
condition where triggering of a parasitic p-n-p-n circuit in semiconductor materials (including
bulk CMOS) occurs, resulting in a state where the parasitic latched current exceeds the
holding current. This state is maintained while power is applied
Note 1 to entry: Latch-up could be a particular case of a soft fault (firm/soft error) or in the case where it causes
device damage, a hard fault.
[SOURCE: IEC 62396-1:2012, 3.29, modified – a note to entry has been added]
3.8
line replaceable unit
LRU
piece of avionics electronic equipment that may be replaced during the maintenance cycle of
the system
[SOURCE: IEC 62396-1:2012, 3.32]
3.9
mean time between failure
MTBF
measure of reliability requirements and is the mean time between failure of equipment or a
system in service
Note 1 to entry: Term from the world airlines’ technical glossary referring to the mean time between failure of
equipment or a system in service such that it would require the replacement of a damaged component before a
system/system architecture can be restored to full functionality and thus it is a measure of reliability requirements
for equipment or systems.
[SOURCE: IEC 62396-1:2012, 3.34, modified – a note to entry has been added]
3.10
mean time between unscheduled removals
MTBUR
measure of reliability requirements and is the mean time between unscheduled removal of
equipment or a system in service
Note 1 to entry: Term from the world airlines’ technical glossary referring to the mean time between unscheduled
removal of equipment or a system in service that could be the result of soft faults and thus is a measure of
reliability for equipment or systems. MTBUR values can have a major impact on airline operational costs.
[SOURCE: IEC 62396-1:2012, 3.35, modified – a note to entry has been added]
3.11
multiple bit upset
MBU
the energy deposited in the silicon of an electronic component by a single ionising particle
causes upset to more than one bit in the same word
Note 1 to entry: The definition of MBU has been updated due to the introduction of the definition of MCU.
[SOURCE: IEC 62396-1:2012, 3.36]
3.12
multiple cell upset
MCU
the energy deposited in the silicon of an electronic component by a single ionising particle
induces several bits in an integrated circuit (IC) to upset at one time
[SOURCE: IEC 62396-1:2012, 3.37]
3.13
no fault found
NFF
reported outcome of diagnostic testing on a piece of equipment
Note 1 to entry: Following receipt of an error or fault message during operation, the equipment is found to be fully
functional and within specification during subsequent equipment testing.
3.14
neutron
elementary particle with an atomic mass number of one that carries no charge
Note 1 to entry: It is a constituent of every atomic nucleus except hydrogen.
[SOURCE: IEC 62396-1:2012, 3.38]
3.15
single error correction double error detection
SECDED
system or equipment methodology to test a digital word of information to determine if it has
been corrupted, and if corrupted, to conditionally apply correction
Note 1 to entry: This methodology can correct one bit corruption and can detect and report two bit corruptions.
3.16
single event burnout
SEB
burnout of a powered electronic component or part thereof as a result of the energy
absorption triggered by an individual radiation event
[SOURCE: IEC 62396-1:2012, 3.47]
3.17
single event effect
SEE
response of a component to the impact of a single particle (for example cosmic rays, solar
energetic particles, energetic neutrons and protons)
Note 1 to entry: The range of responses can include both non-destructive (for example upset) and destructive (for
example latch-up or gate rupture) phenomena.
[SOURCE: IEC 62396-1:2012, 3.48]
3.18
single event functional interrupt
SEFI
upset, usually in a complex device, for example, a microprocessor, such that a control path is
corrupted, leading the part to cease to function properly
Note 1 to entry: This effect has sometimes been referred to as lockup, indicating that sometimes the part can be
put into a “frozen” state.
Note 2 to entry: SEFI may be recoverable by resetting the configuration register (F/F) to default values.
[SOURCE: IEC 62396-1:2012, 3.49, modified – a note 2 to entry has been added]
3.19
single event gate rupture
SEGR
occurs in the gate of a powered insulated gate component when the radiation charge
absorbed by the device is sufficient to cause gate insulation breakdown which is destructive
[SOURCE: IEC 62396-1:2012, 3.50]
3.20
single event latch-up
SEL
condition in a device containing a minimum of 4 semiconductor layers (p-n-p-n) where the radiation
absorbed by the device is sufficient to cause a node within the powered semiconductor device
to be held in a fixed state, whatever input is applied, until the device is de-powered; such
latch-up may be destructive or non-destructive
Note 1 to entry: The ionisation deposited by the interaction of a single particle of radiation in a device causes
triggering of a parasitic p-n-p-n circuit in semiconductor materials (including bulk CMOS) to occur, resulting in a
state where the parasitic latched current exceeds the holding current; this state is maintained while power is
applied. Latch-up could be a particular case of a soft fault (firm/soft error) or in the case where it causes device
damage, a hard fault.
[SOURCE: IEC 62396-1:2012, 3.51, modified – a note to entry has been added]
3.21
single event transient
SET
spurious signal or voltage, induced by the deposition of charge by a single particle that can
propagate through the circuit path during one clock cycle
Note 1 to entry: See 6.3.1.3.3.
[SOURCE: IEC 62396-1:2012, 3.52, modified – the note 1 to entry has been modified to refer
to the present document]
3.22
single event upset
SEU
occurs in a semiconductor device when the radiation absorbed by the device is sufficient to
change a cell’s logic state
Note 1 to entry: After a new write cycle, the original state can be recovered.
Note 2 to entry: A logic cell may be a memory bit cell, register bit cell, latch cell, etc.
[SOURCE: IEC 62396-1:2012, 3.53, modified – a note 2 to entry has been added]
3.23
soft error
change of state of a latched logic state from one to zero or vice-versa
Note 1 to entry: It is also known as a single event upset.
Note 2 to entry: It is non-destructive and can be rewritten or reset.
[SOURCE: IEC 62396-1:2012, 3.55]
3.24
soft fault
term used at the aircraft function level safety analysis that refers to the characteristic of
invalid digital logic cell(s) state changes within digital hardware electronic circuitry
Note 1 to entry: This is a fault that does not involve replacement of a permanently damaged component within an
LRU, but it does involve restoring the logic cells to valid states before a system can be restored to full functionality.
Such a fault condition has been suspected in the "no fault found" syndrome for functions implemented with digital
technology and it would probably impact the value for the MTBUR of the affected LRU. If a soft fault results in the
mistaken replacement of a component within the LRU, the replacement could impact the value for the MTBF of the
LRU repaired.
Note 2 to entry: Logic cell(s) includes logic gates and memory elements.
[SOURCE: IEC 62396-1:2012, 3.56, modified – a note 2 to entry has been added]
4 Process guidance
In an attempt to achieve a high level of confidence in system safety, certification authorities
mandate the use of defined design processes for the purpose of identifying and eliminating
design faults and providing appropriate feedback mechanisms to ensure a continuous and
closed loop development process. This part of IEC 62396 defines methods and guidance to
be appropriately used in accommodating SEE related issues in avionics design. However, this
is only one piece in the development assurance process.
To fully address design methodology as it pertains to SEE and the required evidence needed
to validate designs, several different processes will require revision to address this design
issue. The following is a partial list of the processes that shall be reviewed for revision
depending on how processes are currently structured.
– At a program management level, there are often processes in place. In many cases, it is
necessary to address SEE issues generically at this level.
– System level processes are likely to require addressing SEE issues and providing specific
direction as to how these processes should be handled, communicated and fed back
through the development process. This is important because SEE issues, in contrast to
standard reliability numbers, have been fed back into the design process and have resulted
in design and requirements changes. These changes were developed to mitigate various
aspects of the effects and then led to revised SEE calculations against the new design.
This makes SEE an aspect of reliability, and system reliability determination an iterative
process, in ways that never happened previously.
– Reliability/safety analysis processes will need (depending on system criticality) to address
SEE issues and develop formal mechanisms to address the iterative design aspects that
have taken place in ways not previously experienced.
– Component management plans will require modification to address SEE issues in initial
parts selection and also as manufacturers revise parts. Some processes will need to be in
place (also depending on system criticality) to ensure that new parts used in the
manufacturing process will perform the same as the original parts from a SEE perspective.
Guidance for the integration of evolving processes to measure SEE rates and the
accommodation of those rates in digital systems (flight controls, avionics, etc.) into existing
safety analysis/system design methodology (component reliability, redundancy, mitigation) is
provided in Clauses 5 and 6.
5 Atmospheric radiation and electronic system faults
5.1 Atmospheric radiation effects on avionics
Atmospheric radiation affects the electronic parts of the system. The high energy secondary
or thermal neutron radiation interacts with the silicon within semiconductor elements of an
electronic component to produce a charge which may cause a single event effect (SEE) in the
localised area within that device. Atmospheric radiation at aircraft altitudes has not been a
significant problem in the past, prior to 1990, due to the relatively large feature sizes (above
1 µm) with similarly large critical charge. Current avionic electronic systems use
state-of-the-art electronic/digital devices with feature sizes well below 1 µm, which makes SEE much more
probable (the energy transfer generated charge required to produce SEE becomes less) in
these devices.
When aircraft functions are implemented using digital technology, atmospheric radiation
effects can show up as digital device failures that in turn can propagate to failures within
systems and possibly, failure of an aircraft function. The failure rate of each piece of
electronic equipment which comprises a system is the aggregate rate of the components
which make up that piece of electronic equipment. The failure rate of each component is the
aggregate rate of all failure mechanisms of that component which dominate that failure rate.
As the feature sizes of individual circuits within digital devices continue to decrease and the
corresponding failure rate due to SEE rises, SEE mechanisms may become a dominant driver
of the failure rates for these devices. The testing of small feature size IC components for
secondary neutron SEE in suitable simulators or with terrestrial facilities is becoming more
commonplace. Although this is more commonplace, it is still difficult and costly.
Although analogue parts are generally considered immune to atmospheric radiation effects,
some device scaling has occurred in the technology. As a result, a neutron SEE event within
the device may be sufficient to cause a short duration transient from the correct output. This
kind of transient is referred to as an analogue single event transient (ASET).
Reliability engineering can calculate equipment failure rates from component failure rates and
system engineering can design an architecture that will satisfy the reliability and availability
requirements for the function. At a system architectural level, redundancy is a common
strategy to achieve the required function reliability. In order for redundancy to be cost
effective, equipment failure rates cannot exceed certain limits. Naturally, if the failure rates of
electronic devices become too great, equipment failure rates become prohibitively high. In the
past, atmospheric SEE rates have not been a noticeable driver in the failure rate of digital
devices. Where SEE rates become a significant failure rate driver, these rates need to be
included by reliability engineering in the equipment failure rate calculation. It should be
recognized that, since SEE involves unique technology and associated specialists to
determine component SEE rates, another engineering discipline would need to be in place to
provide those rates to reliability and systems engineering.
From a system safety perspective, faults can essentially be categorized as:
– hard, i.e. those which result in permanent failure of the affected LRU(s), and
– soft, i.e. those which may be recovered with no loss of system functionality or redundancy.
These categories arise from the device SEE: the atmospheric radiation effects on components
may result in soft faults where functionality should be recovered or hard faults resulting in
permanent failure of the component. Soft fault effects should be accommodated by corrective
actions within the electronic equipment. As identified in IEC 62396-1:2012, the most frequent
SEE that produces soft faults and associated effects is the single event upset (SEU).
NOTE
– Reliability is determined from the sum of hard fault failure rates.
– Availability is determined from the sum of hard faults and the sum of soft faults.
Hard faults result in a piece of system equipment requiring repair/replacement to clear the
hard fault (see 5.2). Significant hard fault rates can be induced within digital components by
neutrons in the atmosphere.
Availability recognizes that soft faults can occur, but that they can also be corrected and
within a defined period of time, the redundant system element can return to service and be
counted in the original redundancy scheme (see 5.3). It is the inducing of significant soft fault
rates within digital components that adds another dimension to reliability data and system
engineering.
Since electronic technology may be included in all arms of any system using redundancy, it is
important that the SEE rate to be accommodated is low enough to avoid impact on the overall
system redundancy mitigation. Therefore, to avoid a common mode failure when operating in
the atmospheric neutron environment, a limit should be established on the neutron-induced soft
fault (soft error, etc.) and hard fault rates of any component technology used within the digital
system.
The perspective of this part of IEC 62396 is the effect of SEE on aircraft functions, arising from
SEE on the electronic systems that implement those functions. In this part of IEC 62396, the terms
‘hard fault’ and ‘soft fault’ from the system safety community will be used. There are a number
of terms commonly used in the semiconductor and radiation effects communities to describe
component errors/failures (for example, hard errors, soft error rate, firm errors, latch-up,
burnout, upset, functional interrupt). All of these component errors/failures types (with their
associated terminology) will be grouped into hard fault or soft fault categories. Those
component failures that would impact the mean time between failure (MTBF) are categorized
as hard faults.
5.2 Hard faults
Hard faults refer to a damaged component whose effects cause a system malfunction and
require repair or replacement of the component to clear the fault. When a repair or
replacement action is taken, it reflects upon the MTBF rate history for that item. Within
electronic equipment, SEE-induced permanent failures (component or device) are considered
in exactly the same way as for other types of failure. For the failure rate criteria of the system
to be met, the aircraft system allowable failure metrics for electronic equipment within that
system shall be met, for example, the MTBF. Atmospheric radiation can produce hard faults
including single event latch (SEL) induced damage, single event burnout (SEB), and single
event gate rupture (SEGR). There are suitable test methods available to determine the SEE-
induced hard fault susceptibilities of devices and electronic components. When rates are
found to be too high, a more tolerant part should be selected.
5.3 Soft faults
Soft faults are digital hardware (counter, register, memory, etc.) issues. A soft fault is a
condition whereby a latch of some form within a digital device becomes set to an incorrect
state. Since the device is not damaged, if the soft fault can be detected and corrected in a
timely manner, then there is no impact on the performance of the system. If the soft fault is
not corrected, there may be a significant impact on system performance or redundancy, which
in turn, when reported will lead to removal of the faulty equipment for repair. However, upon
removal and reapplication of power to the device, soft faults will always clear and therefore no
fault will be found. Such attempted corrective actions negatively impact the MTBUR rate
history for equipment. Unscheduled removals negatively impact system operational cost. A
soft fault could certainly be a contributor to the CND (cannot duplicate) and NFF (no fault found) categories for MTBUR metrics.
As their effects should be and often are mitigated and shall not result in equipment repair, soft
faults associated with SEE could be considered a departure from the traditional reliability
approach. However, because of their potential negative effects on MTBUR and system
functionality, digital device SEE-induced soft fault rates:
– should be characterised and mitigated in the system architecture design;
– along with failure modes, should be obtained by and be available from reliability
engineering.
Components that are subject to SEE-induced soft faults which cannot be reset by hardware or
the software it executes and persist as a fault while power remains applied are becoming
more prevalent. Soft faults of this type and their system effects would need to be managed by
appropriate mitigation. Note that a finite time will be taken for effective recovery of the system
or device from such a fault. An example of this kind of soft fault would be a non-destructive
SEL. In the semiconductor and radiation effects communities, a non-destructive SEL might be
categorized as a firm error. Recovery from SEL could require independent hardware and
software for detection and recycling power.
For the failure rate criteria of the system to be met (which, in turn, results in the aircraft
function meeting allowable failure metrics), failure metrics for electronic equipment within that
system shall be met, for example MTBUR. Without mitigation, soft fault rates could have a
significant negative effect on the ability of a system to meet its allowable MTBUR.
6 Aircraft safety assessment
6.1 Methodology
In IEC 62396-1:2012, it is recognized that, within the systems which implement aircraft
functions, the method of assessing the safety impact of radiation-induced effects on electronic
(particularly digital) components should be identical to that used to assess functional hazards
due to other failure modes and effects traditionally recognized. This is particularly the case for
electronic equipment. This methodology is driven by requirements governing function failure
effects and the probability per flight hour of their occurrence. As an example, Table 1 provides
the probability requirement for the various types of failure effect for Part 23 (general aviation
category airplanes [2]) and Part 25 (transport category airplanes [3]) of the airworthiness
standards.
Table 1 – Failure effect and occurrence probability

Functional failure condition classification    Probability of occurrence
per AC/AMJ 1309 and ARP4754                    (per flight hour)
Catastrophic                                   10⁻⁹ or less (extremely improbable)
Severe major/hazardous                         10⁻⁷ or less
Major                                          10⁻⁵ or less
Minor                                          10⁻³ or less
No effect                                      No requirement
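As an added worked example (not text or code from the standard), the following Python encodes the NOTE in 5.1 (reliability from the sum of hard fault rates, availability from hard plus soft fault rates), the 5.1 point that redundancy only helps when per-technology SEE rates are bounded, and the Table 1 limits. The component rates and the independent-lane loss-of-function model are constructed assumptions, not values or methods from the standard.

```python
"""Added worked example (not text or code from IEC 62396-3): bookkeeping of
SEE-induced hard and soft faults per the NOTE in 5.1, and a check against the
Table 1 probability limits. All component rates below are constructed."""
from dataclasses import dataclass

# Table 1: allowable probability of occurrence per flight hour, by failure effect
TABLE_1 = {"catastrophic": 1e-9, "hazardous": 1e-7, "major": 1e-5, "minor": 1e-3}

@dataclass(frozen=True)
class ComponentSEE:
    name: str
    baseline_hard: float  # conventional (non-SEE) permanent failure rate, per fh
    see_hard: float       # SEL/SEB/SEGR-type permanent damage, per fh
    see_soft: float       # SEU/SET/SEFI-type faults that clear on power cycle, per fh

def hard_fault_rate(parts):
    """Reliability view: only faults needing repair/replacement count (5.2)."""
    return sum(p.baseline_hard + p.see_hard for p in parts)

def soft_fault_rate(parts):
    """Soft faults leave MTBF alone but drive availability and MTBUR (5.3)."""
    return sum(p.see_soft for p in parts)

def availability_fault_rate(parts):
    """Availability view: sum of hard faults plus sum of soft faults."""
    return hard_fault_rate(parts) + soft_fault_rate(parts)

def see_share_of_hard_faults(parts):
    """Fraction of the equipment hard failure rate contributed by SEE; once this
    is no longer negligible, 5.1 expects reliability engineering to include it."""
    total = hard_fault_rate(parts)
    return sum(p.see_hard for p in parts) / total if total else 0.0

def loss_of_function_rate(lane_rate, lanes):
    """Assumed simplified independent-lane model: the function is lost only if
    every redundant lane fails in the same flight hour. Common-mode SEE across
    identical lanes is NOT modelled, which is why 5.1 wants a per-technology
    limit on neutron-induced fault rates before redundancy is relied upon."""
    return lane_rate ** lanes

def meets_table1(rate, classification):
    """True when a per-flight-hour rate is within the Table 1 limit."""
    return rate <= TABLE_1[classification]

SAMPLE_LRU = (  # constructed sample parts for one LRU, not measured data
    ComponentSEE("SRAM", 1e-6, 2e-7, 5e-5),
    ComponentSEE("FPGA", 2e-6, 5e-7, 1e-4),
    ComponentSEE("MCU", 1e-6, 1e-7, 1e-5),
)

if __name__ == "__main__":
    lane = hard_fault_rate(SAMPLE_LRU)
    for n in (1, 2, 3):
        r = loss_of_function_rate(lane, n)
        print(n, r, meets_table1(r, "catastrophic"))
```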
6.2 Mitigation
Failure effects can manifest themselves in a system as a hard or soft error, as well as a hard
failure. In addition to a thorough evaluation and parts selection process, where SEE occurs
mitigation is necessary to ensure proper system performance. There are various mitigation
techniques that can be employed at the component, circuit and system level to diminish the
effects.
By suitable design at the system architecture and equipment level and also by careful
selection and management (see IEC 62396-1:2012, 7.4 and 9.5.2) of electronic components
employed within the design, the system level impact of SEE can be reduced to acceptable
levels. The approach to system level optimization of design for mitigation of SEE is conducted
by considering the system at three levels:
– system architecture;
– individual electronic equipment within the system architecture;
– components within the electronic equipment.
6.3 Specific electronic systems
System development assurance levels drive the discipline and rigour needed throughout the
development cycle of products associated with that system. Just as the failure effect of a
function implemented by a system (particularly systems based in electronic technology)
determines the required probability of such a failure, it also determines the assurance level
associated with that system. Systems are classified as level A when failures of such systems
may have a catastrophic effect on the aircraft. Level A systems require the most rigorous
approach to single event effects and parts control. In order of reducing degree of requirement
for compliance demonstration, the other significant assurance levels are classified as level B,
level C and level D. Examples of typical systems are given in Annex C, Figures C.1 to C.5.
For additional information regarding assurance levels, refer to IEC 62396-1:2012, Clause 7
and the references within that international standard. Regardless of assurance level,
mitigation considerations will be in terms of hard and soft faults. As detailed in 5.3, soft fault
effects appear as system performance degradation and they consist of faults or errors that
clear (SEFI, SET, SEU, SHE) upon removal and reapplication of power or in some cases,
upon refresh.
6.3.1 Level A systems
6.3.1.1 General
These systems shall be designed so that the failure rate of the function they provide is 10⁻⁹ or
less per flight hour. Level A systems require the most rigorous processes to achieve the 10⁻⁹
function failure criteria. Level A systems would include a primary flight control system that is
completely computer controlled.
Some full authority digital engine controls (FADEC) systems are also classified as level A.
FADEC systems installed on Part 25 aircraft have their software and complex electronic
hardware classified as level A due to the nature of the common mode threat. As to SEE,
FADEC systems that implement certain critical functions (over speed, reverser control, etc.)
should also be considered level A.
Level A systems include systems which implement functions in which the pilot is in the control
loop. The pilot closes the control loop through pilot/system information exchange from display
systems, for example closing the flight control loop using information from a primary flight
director (PFD) system. It should be noted that the PFD system could provide catastrophically
misleading information and is categorized as level A. Any other display system that could
provide catastrophically misleading information would also be categorized as level A.
6.3.1.2 Hard faults
6.3.1.2.1 Recovery
Hard faults require device replacement to enable full recovery of system function or
redundancy capability. Their effects can be mitigated at the system architecture, electronic
equipment, or component/device level.
6.3.1.2.2 System architecture
At the architecture level, redundancy and redundancy management techniques are employed
to accommodate failures that would lead to catastrophic failure effects at the aircraft level.
Multiple control surfaces and multiple engines would be examples at the structure and
propulsion aircraft level. Multiple actuators and associated electronic equipment would
manage effector (aircraft control surface, engine valve, etc.) movement. When electronic
system development assurance levels are met, redundancy within the system architecture
ensures that there is no problem from a safety requirements aspect at the aircraft function
level. It is the electronic equipment that is SEE sensitive; mechanical equipment would be
inherently immune and is mentioned only to illustrate the concept of redundancy.
Since monitoring across redundant elements could be relatively easily implemented within
computers, redundancy can be an effective means of detecting the occurrence of faults. The
occurrence of a fault can be detected by monitoring across two or more redundant elements
(e.g. effectors, actuators, computers, microprocessors).
However, the allocation of redundancy has an impact on the aircraft for several reasons.
Redundancy of equipment will add weight and complexity due to the need for a method of
active equipment choice. It will therefore also reduce reliability and increase power
consumption, and thus affect overall cost. However, the impact of increased fault tolerance
and system availability has allowed, for example, the use of twin-engine aircraft in some flight
profiles where in the past three- or four-engine aircraft would have been mandated. Intuitively,
the life cycle cost of a twin-engine aircraft should be significantly lower than a similar aircraft
with three or more engines.
6.3.1.2.3 Electronic equipment
At the electronic equipment level, redundancy may be used as a method of accommodating
failure by removing the failed equipment from contributing to the system output; the pilot may
be within the loop or not.
6.3.1.2.4 Electronic component/device
System design may be optimized by limiting the range of components used. In space
applications, components have been tested for potential latch-up in their radiation
environment and in many applications component types that are subject to SEL have been
avoided. Many other destructive failure modes have been identified, e.g. SEB and SEGR, see
IEC 62396-1:2012. There are suitable test methods to determine non-destructive SEL
susceptibility of devices. Such parts, once identified, are to be
...
Frequently Asked Questions
IEC 62396-3:2013 is a standard published by the International Electrotechnical Commission (IEC). Its full title is "Process management for avionics - Atmospheric radiation effects - Part 3: System design optimization to accommodate the single event effects (SEE) of atmospheric radiation".
IEC 62396-3:2013 is classified under the following ICS (International Classification for Standards) categories: 03.100.50 - Production. Production management; 31.020 - Electronic components in general; 31.200 - Integrated circuits. Microelectronics; 49.060 - Aerospace electric equipment and systems. The ICS classification helps identify the subject area and facilitates finding related standards.
IEC 62396-3:2013 has the following relationship with other standards: it has inter-standard links to IEC TS 62396-3:2008. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.