ABSTRACT

Today, the certification process for onboard electro-electronic systems against nonionizing radiation can be considered mature and independent, having its own set of requirements. In turn, the current proposal for this process with regard to ionizing radiation is relatively recent and is in the process of improvement and discussion by industry and regulatory bodies, and presents important differences in approach. In this work these two processes are presented comparatively in detail, pointing out similarities and differences in order to contribute to this ongoing discussion, which should, in the medium term, result in regulation for the effects of ionizing radiation.

Keywords
Ionizing radiation; Single event upsets; Certification; Aeronautics; Management

INTRODUCTION

Ionizing Radiation

With the trend of projects aimed at high altitude commercial flights (> 60,000 ft), both supersonic and hypersonic, there was a growing concern about the effects of ionizing radiation in the onboard electro-electronic systems, also known as SEEs (single event effects). At these altitudes, the flow of this class of radiation is about three times greater than at the altitude of current commercial flights. These, in turn, have a flow 300 times greater than at ground level (Koops 2017Koops L (2017) Cosmic radiation exposure of future hypersonic flight missions. Radiat Prot Dosimetry 175(2): 267-278. https://doi.org/10.1093/rpd/ncw298
https://doi.org/10.1093/rpd/ncw298... ).

The ionizing radiation present in the atmosphere is produced through interactions of the primary high-energy cosmic radiation, coming from the sun or deep space, with the atoms of the atmosphere. These interactions create secondary radiation showers formed mainly in the troposphere and lower stratosphere. At typical commercial flight altitudes (~ 40,000 ft), the neutron component has the greatest influence. At high altitudes, the neutron component decreases and protons and heavy ions become more relevant. All of these particles impact sensitive regions of integrated circuits, causing the rapid collection of the released electrical charges and consequently the SEEs. Single event effects can occur mainly in aircraft onboard computers, resulting from the change in the logical state of memory cells or in functional interruptions, which can compromise flight safety (Prado et al. 2015Prado ACM, Pereira MA, Federico CA, Gonçalez OL (2015) Estudo de caso sobre o efeito da radiação cósmica em sistemas embarcados em aeronaves. Braz J Radiat Sci 3(1A):1-22. https://doi.org/10.15392/bjrs.v3i1A.164
https://doi.org/10.15392/bjrs.v3i1A.164... ).

Muons, pions, electrons and gamma rays are also generated as secondary cosmic radiation in the atmosphere. These particles interact weakly with silicon and apparently did not cause significant SEE when compared to neutrons, protons and heavy ions. However, with the advent of integrated circuit (IC) technologies below 90 nm, it was noticed that these particles really have significant influence for SEEs in a way that is still under investigation. The recent reference (IEC 2020[IEC] International Electrotechnical Commission (2020) Process management for avionics - Atmospheric effects - Part 8: Proton, electron, pion, muon, alpha-ray fluxes and single event effects in avionics electronic equipment - Awareness guidelines. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC TR 62396-8:2020.) provides more information on the subject and a suggested topic for future articles and postgraduate work.

Although both primary and secondary particles contribute to total ionizing dose (TID), this is a nonsignificant ionizing radiation effect on commercial or high-altitude flights, only being considered in satellites and spacecraft due to long mission duration, or strategic military applications due to high radiation exposure (IEC 2016[IEC] International Electrotechnical Commission (2016) Process management for cavionics – Atmospheric radiation effects - Part 1: Accommodation of atmospheric radiation effects via single event effects within avionics electronic equipment. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC 62396-1:2016.).

The effects of ionizing radiation on electronics have been known since the 1960s, but, at first, it was treated as a subject focused on spaceships and satellites. The aviation community had its interest aroused since the 1990s, simultaneously with nonionizing radiation, due to the increase in SEE events as the result of the widespread use of onboard electronics and the increasing miniaturization of ICs (Hands et al. 2016Hands A, Lei F, Ryden K, Dyer C, Underwood C, Mertens C (2016) New data and modelling for single event effects in the stratospheric radiation environment. IEEE Trans Nucl Sci 64(1):587-595. https://doi.org/10.1109/TNS.2016.2612000
https://doi.org/10.1109/TNS.2016.2612000... ). However, as the cost and complexity of the tests was (and still is) very high, in addition to the lack of data on the component radiation characterization, the regulations have not been developed, unlike the case of the nonionizing radiation.

Nonionizing radiation

What is called nonionizing radiation is a modality of low frequency (< 40 GHz) and low energy radiation, also called the electromagnetic field, which propagates through an electromagnetic wave, consisting of an electric field and a magnetic field, which can come from natural and artificial sources. An example of a natural source is the atmospheric discharge, commonly known as lightning. There are many examples of artificial sources: radio and TV transmitting antennas, ground radars, cell phone antennas, transmitting antennas and radars on aircraft, ships etc. The radiation from this set of artificial sources is commonly called high-intensity radiated fields (HIRF) (FAA 2011[FAA] Federal Aviation Administration (2011) Advisory Circular AC20-136B, Aircraft Electrical and Electronic System Lightning Protection. U.S. Department of Transportation, Federal Aviation Administration (FAA), Washington, DC (United States). Advisory Circular AC20-136B.; 2014[FAA] Federal Aviation Administration (2014) Advisory Circular AC20-158A, The Certification of Aircraft Electrical and Electronic Systems for Operation in the High-intensity Radiated Fields (HIRF) Environment. U.S. Department of Transportation, Federal Aviation Administration (FAA), Washington, DC (United States). Advisory Circular AC20-158A.).

For ease reference, from now nonionizing radiation will be named as HIRF and lightning (HIRF/L).

High-intensity radiated fields and lightning can also cause unwanted transient or permanent effects on embedded systems, which may affect flight safety. These effects come from two frequency ranges:

Low frequency (from 10 KHz to 100 MHz): originated from lightning and conducted HIRF, they are electromagnetic fields that are coupled in cables and connectors, generating spurious currents and voltages that are charged into the equipment.

High frequency (from 100 MHz to 40 GHz): originated from the radiated HIRF, they penetrate directly through the material of the boxes or the equipment openings and reach the internal components, both passive and active, analog or digital, having p-n junctions.

In the last 30 years, with the advent of ICs with high integration scale, the widespread use of full-authority computers in embedded electronics, in addition to the replacement of aluminum by composite materials, the effects of HIRF/L have been studied by scientific committees, leading aeronautical approval bodies to generate extensive regulations and guidance that are regularly updated.

Real cases of radiation effects on avionics

The risk of SEE is a primary concern for designers of spacecraft, partly due to the very high levels of reliability required by such autonomous and costly systems. Accordingly, spacecraft SEE is better understood and more widely studied than ground or atmospheric SEE. The prevalence of transient SEE on commercial avionics equipment is not well studied or recorded for several reasons, but it is estimated that a significant part of all commercial nonfault found (NFF) events are due to SEEs (ATSB 2008[ATSB] Australian Transport Safety Bureau (2008) In-flight upset - Airbus A330-303, VH-QPA, 154 km west of Learmonth, WA, 7 October 2008. Australian Transport Safety Bureau (ATSB), Canberra (Australia). Aviation Occurrence Investigation AO-2008-070.).

An example of a real accident where the investigation concluded that the SEE was a possible cause was the one occurred in 2008 with Airbus A330, operated by Qantas. While the aircraft was in cruise at 37,000 ft, the air data inertial unit started providing intermittent, incorrect values (spikes) on all flight parameters to other aircraft systems. Soon after, the autopilot disconnected and the crew started receiving numerous warning and caution messages (most of them spurious). Following that, the aircraft suddenly pitched nose down. The flight control computer commanded the pitch-down in response to angle-of-attack data spikes from the inertial unit. The resulting forces were sufficient for almost all the unrestrained occupants to be thrown to the aircraft’s ceiling. At least 110 of the 303 passengers and 9 of the 12 crew members were injured; 12 of the occupants were seriously injured and another 39 received hospital medical treatment (ATSB 2008[ATSB] Australian Transport Safety Bureau (2008) In-flight upset - Airbus A330-303, VH-QPA, 154 km west of Learmonth, WA, 7 October 2008. Australian Transport Safety Bureau (ATSB), Canberra (Australia). Aviation Occurrence Investigation AO-2008-070.).

Although HIRF/L has been an ongoing issue in aircraft design and has been very well known and documented to regularly cause anomalous behavior in airborne electrical/electronic systems, relatively few aircraft accidents have been attributed to it. This is in part due to the difficulty of proving whether it was a factor if the affected system is damaged or destroyed (especially for HIRF), and in part due to the usually indirect effect of HIRF/L on safety (that is, communication and navigation systems may be disrupted, but the integrity of the aircraft’s structure and control systems are rarely affected) (ATSB 2008[ATSB] Australian Transport Safety Bureau (2008) In-flight upset - Airbus A330-303, VH-QPA, 154 km west of Learmonth, WA, 7 October 2008. Australian Transport Safety Bureau (ATSB), Canberra (Australia). Aviation Occurrence Investigation AO-2008-070.).

OBJECTIVE

The objective of this work is to comparatively analyze the certification process for nonionizing radiation (HIRF/L) and the process currently proposed for ionizing radiation (SEE), to detail the differences and similarities between them and contribute to the understanding and future evolution of the proposed regulation for the SEE process.

This work is based on the lessons learned by the author in more than 20 years of experience with the HIRF/L certification process in the aerospace industry, in addition to the theoretical foundation that has been acquired in the Master in ionizing radiation at the Technological Institute of Aeronautics/Institute for Advanced Studies (ITA/IEAv).

HIGH-INTENSITY RADIATED FIELDS AND LIGHTNING CERTIFICATION PROCESS

The HIRF/L certification regulations are listed by the FAA in 14CFR part 23, 25, 27 and 29, depending on the type and size of the aircraft. Other authorities around the world follow these regulations almost identically. The HIRF/L certification process is guided by the FAA Advisory Circulars, AC20-158A (FAA 2014[FAA] Federal Aviation Administration (2014) Advisory Circular AC20-158A, The Certification of Aircraft Electrical and Electronic Systems for Operation in the High-intensity Radiated Fields (HIRF) Environment. U.S. Department of Transportation, Federal Aviation Administration (FAA), Washington, DC (United States). Advisory Circular AC20-158A.) for HIRF and AC201-136B (FAA 2011[FAA] Federal Aviation Administration (2011) Advisory Circular AC20-136B, Aircraft Electrical and Electronic System Lightning Protection. U.S. Department of Transportation, Federal Aviation Administration (FAA), Washington, DC (United States). Advisory Circular AC20-136B.) for lightning. Although these documents are not regulations in themselves, they are the means of compliance (MOC) with the regulations most accepted by certification authorities worldwide. There are many other documents that support the HIRF/L certification process, in addition to guidance developed by the aircraft manufacturers themselves.

In general, the steps for demonstrating compliance with the regulations are similar and described in detail by FAA (2011[FAA] Federal Aviation Administration (2011) Advisory Circular AC20-136B, Aircraft Electrical and Electronic System Lightning Protection. U.S. Department of Transportation, Federal Aviation Administration (FAA), Washington, DC (United States). Advisory Circular AC20-136B.; 2014)[FAA] Federal Aviation Administration (2014) Advisory Circular AC20-158A, The Certification of Aircraft Electrical and Electronic Systems for Operation in the High-intensity Radiated Fields (HIRF) Environment. U.S. Department of Transportation, Federal Aviation Administration (FAA), Washington, DC (United States). Advisory Circular AC20-158A., can be seen in Fig. 1 and are presented briefly below.

1. Identify the systems to be analyzed

The electro-electronic systems of the aircraft whose failure, due to HIRF/L, can cause or contribute to adverse effects on the aircraft, must be identified. This analysis must take into account all modes of operation, flight stages, operating conditions and effects on the crew. A careful safety assessment should be developed to classify each system according to the degree of severity of the failure conditions due to HIRF/L. FAA (2011; 2014) and SAE (2018) are the guidance used in this analysis. Table 1 shows how this classification is made for HIRF.

2. Establish the applicable external HIRF/L environment

The HIRF environment outside the aircraft is established in tables relating frequency bands (from 10 KHz to 40 GHz) and electric field strength, and is mapped in the HIRF regulation itself. The external lightning environment is obtained through a zoning analysis of the aircraft, indicating points of entry, sweeping and exit of the lightning current, in addition to its intensities. This environment will depend on operational factors, geometry and materials of the aircraft.

3. Establish the test environment for embedded systems

The test environment is nothing else than the internal environment of the aircraft, experienced by electro-electronic systems, due to the external HIRF/L environment. For both HIRF and lightning, this internal environment consists of voltage and current transients that appear in the system wiring as a result of various types of electromagnetic couplings. Additionally, HIRF, especially at frequencies above 400 MHz, produces an internal RF environment capable of direct coupling through box openings.

4. Apply the appropriate method of verifying compliance with HIRF/L

The criticality rating of the equipment/system established by Table 1 establishes the rigor to be applied in demonstrating compliance with the HIRF/L requirement. In general, systems/equipment classified as level A will require a more rigorous demonstration, almost always involving system-level tests along with aircraft verification, higher test levels, more stringent pass/fail criteria, and will not be accepted hard-errors or hard-faults. Demonstration of a minimum 100% safety margins is also required. In most cases, the entire process is usually closely monitored by experts from the certifying authority.

For systems/equipment classified as B and C, in some cases, analyses or tests at the equipment level may be acceptable. Hard-errors or hard-faults are acceptable as long as the system can be restarted or reenergized. Safety margins are generally not required. The requirement compliance verification process is usually delegated to an accredited project professional (DER).

The HIRF/L qualification of systems/equipment classified with D (minor) or E (nonsafety effect) is optional, does not affect compliance with the requirements and depends on a choice, by the aircraft manufacturer, to improve the quality of its product.

5. Check the effectiveness of protections against HIRF/L

It must be demonstrated that the spurious RF currents that couples into the systems and equipment wiring, and the RF fields internal to the aircraft due to HIRF/L, are lower than the qualification test levels of the systems and equipment. This comparison is especially rigorous for level A systems, where extensive aircraft-level testing is required, considering the expected safety margins. In the particular case of level A display systems (where the pilot is in the control loop), it is possible to replace the aircraft test with the use of attenuation curves and generic transfer functions found in FAA (2011[FAA] Federal Aviation Administration (2011) Advisory Circular AC20-136B, Aircraft Electrical and Electronic System Lightning Protection. U.S. Department of Transportation, Federal Aviation Administration (FAA), Washington, DC (United States). Advisory Circular AC20-136B.; 2014)[FAA] Federal Aviation Administration (2014) Advisory Circular AC20-158A, The Certification of Aircraft Electrical and Electronic Systems for Operation in the High-intensity Radiated Fields (HIRF) Environment. U.S. Department of Transportation, Federal Aviation Administration (FAA), Washington, DC (United States). Advisory Circular AC20-158A..

In the case of level B and C systems, there is the option of using databases from previous tests carried out on aircraft and similar systems or applying standardized test levels in specific regulations and standards.

CURRENT STAGE OF THE SEE AERONAUTICAL MANAGEMENT PROCESS

Despite the extensive scientific literature on SEE and hundreds of characterized electronic devices (mostly for space applications), there are currently few documents addressing the SEE issue through the safety assessment process aspect, which would be the way to lead to future aeronautical regulation.

There are two main documents that provide guidance in this area when it comes to commercial aviation:

• SAE AIR6219 - Development of Atmospheric Neutron Single Event Effects Analysis for Use in Safety Assessments (SAE 2018[SAE] Society of Automotive Engineers (2018) Development of Atmospheric Neutron Single Event Effects Analysis for Use in Safety Assessments. Society of Automotive Engineers (SAE), Warrendale, PA (United States). Report No.: AIR6219–2018.). This document, issued in 2018, is an aerospace information report (AIR) from SAE and does not have the status of a standard.

• IEC TS 62396-7: Part 7: Management of SEE analysis process in avionics design (IEC 2017[IEC] International Electrotechnical Commission (2017) Process management for avionics - Atmospheric radiation effects - Part 7: Management of single event effects (SEE) analysis process in avionics design. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC TR 62396-7:2017.). An IEC technical specification (TS), approaches an international standard in terms of detail and completeness, but has not yet passed through all approval stages.

Both documents were written aiming mainly at the qualification of equipment or components used in commercial aviation, with a flight ceiling of 40,000 ft. Because of this, only neutron-related SEEs are addressed, a consequence of the fact that these particles are the majority up to this level of flight. The extent of applicability of these documents for high altitude flights is possible and depends only on the definition of the radiation environment of these flights (which include protons and heavy ions) and on the approach options for calculating the SEEs rate. This subject will be the theme of a future article by the author.

A more in-depth study of the SEE process interface with the current safety assessment process, in addition to the analysis of various aeronautical and space standards, and recommendations can be found in Machado (2014)Machado SRF (2014) Estudo de um processo de garantia da confiabilidade de sistemas eletrônicos embarcados a single event upsets causados por partículas ionizantes (Master’s thesis). São José dos Campos: Instituto Nacional de Pesquisas Espaciais. In Portuguese..

The flowcharts of the SEE analysis process proposed in IEC (2017)[IEC] International Electrotechnical Commission (2017) Process management for avionics - Atmospheric radiation effects - Part 7: Management of single event effects (SEE) analysis process in avionics design. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC TR 62396-7:2017. and SAE (2018)[SAE] Society of Automotive Engineers (2018) Development of Atmospheric Neutron Single Event Effects Analysis for Use in Safety Assessments. Society of Automotive Engineers (SAE), Warrendale, PA (United States). Report No.: AIR6219–2018. are equivalent. Figure 2 was adapted from IEC (2017)[IEC] International Electrotechnical Commission (2017) Process management for avionics - Atmospheric radiation effects - Part 7: Management of single event effects (SEE) analysis process in avionics design. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC TR 62396-7:2017. and will be used here because it is more summarized and easier to follow.

Let’s go through each step:

1. Determine inputs for SEE analysis

Entries for the SEE analysis include:

• List of materials (schematics, specs, existing SEE rates);

• Operational requirements of the mission;

• Neutron flux density based on the operational envelope;

• Expected performance of equipment;

• Reliability and criticality level of each equipment.

It is important to note that, from that point on, the guidelines detailed in section 6 of IEC (2013) should have been considered with respect to the rigor in the process of demonstrating compliance with the requirements, according to the equipment criticality level. For some reason IEC (2017)[IEC] International Electrotechnical Commission (2017) Process management for avionics - Atmospheric radiation effects - Part 7: Management of single event effects (SEE) analysis process in avionics design. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC TR 62396-7:2017. (from the IEC series itself) and SAE (2018)[SAE] Society of Automotive Engineers (2018) Development of Atmospheric Neutron Single Event Effects Analysis for Use in Safety Assessments. Society of Automotive Engineers (SAE), Warrendale, PA (United States). Report No.: AIR6219–2018. ignore these guidelines. We will return to this point later in the comparative study section.

2. Analysis of the component’s SEE susceptibility

All components from the list of materials are analyzed for susceptibility to SEE and classified according to the type of SEE (single event upset [SEU], single event latch-up [SEL], etc.). All components that are susceptible are added to a database with their respective cross-section (or conservative estimate) for each type of SEE and the utilized neutron flux.

3. Identify and record mitigations and effects on electronic equipment

Using step (2), determine the impact of SEEs on the functionality of electronic equipment, taking into account mitigations/protections/uses that must be properly recorded.

4. Calculate SEE rates and perform risk analysis

The final SEE rates for each component and equipment are calculated taking into account the factors identified in step (3). These rates are compared with the reliability and safety requirements of the equipment and decisions are made as to whether or not to accept these rates. If conservative estimates lead to too high rates, radiation testing or design change may be chosen. On the other hand, if the SEE rates are very low compared to the conventional equipment failure rate, they can be considered negligible.

5. Conduct radiation tests

The risk analysis carried out in step (4) may point to the need for radiation testing at the component or equipment level to obtain more reliable cross-sections, especially when dealing with highly criticality components and equipment that are susceptible to SEE. Tests may also be necessary to assess a component change due to obsolescence or redesign of the equipment to include mitigations/protections against SEE.

6. Design change

If a design change is made due to risk analysis or the result of the radiation test, then an incremental analysis cycle is necessary to update the SEE rates.

7. Radiation report

All information collected in the previous sections must be compiled in this report.

8. SEE impact analysis

The purpose of the SEE impact analysis is to ensure that all possible effects on the equipment have been considered. If the safety/reliability requirements have not been met then the SEE analysis will have to be performed again.

The information developed will be used as input to the preliminary system safety assessment (PSSA).

The process described in the steps above is undoubtedly efficient and perfectly applicable to the industry. However, there are some points where deficiencies not explained in these documents appear. In the following comparative study, we will seek these points and try to apply additional measures to improve the process as a whole so that, in the future, we will have a solid guide that supports compliance with future certification regulations in the SEE area.

COMPARATIVE STUDY OF THE HIRF/L CERTIFICATION PROCESS WITH THE PROPOSED PROCESS FOR SEE

The first step of the SEE process is to obtain a list of system components and their respective SEE rates, if possible (see Table B.1 from IEC [2016]). It also brings the need to define the external environment of ionizing radiation (corresponding to step [2] in HIRF/L) for the components in question and the reliability requirements of the equipment. This external environment can be obtained through several public domain softwares, such as EXPACS (https://phits.jaea.go.jp/expacs). It is important to note that, for the SEE, the most critical environment is the cruise part, while for HIRF/L it is the takeoff and landing approach.

In this first step, a criticism is needed regarding the absence—in the main guidance of the subject (IEC 2017[IEC] International Electrotechnical Commission (2017) Process management for avionics - Atmospheric radiation effects - Part 7: Management of single event effects (SEE) analysis process in avionics design. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC TR 62396-7:2017.; SAE 2018[SAE] Society of Automotive Engineers (2018) Development of Atmospheric Neutron Single Event Effects Analysis for Use in Safety Assessments. Society of Automotive Engineers (SAE), Warrendale, PA (United States). Report No.: AIR6219–2018.)—of guidelines as to the rigor applicable in the certification process. It is expected that this process will be more rigorous and disciplined in the case of components involved with functions whose failure may result in catastrophic scenarios (functions level A and level A display) and less rigorous in other scenarios (functions levels B and C). At this point, the guidelines contained in section 6 of IEC (2013) are fundamental. These guidelines are summarized in Fig. 3.

Step 1 of the HIRF/L certification process is to carry out the safety assessment, with the objective of identifying the criticality of the systems/equipment involved, based on the functions performed by these equipment/systems. The guidance for this process FAA (2011[FAA] Federal Aviation Administration (2011) Advisory Circular AC20-136B, Aircraft Electrical and Electronic System Lightning Protection. U.S. Department of Transportation, Federal Aviation Administration (FAA), Washington, DC (United States). Advisory Circular AC20-136B.; 2014)[FAA] Federal Aviation Administration (2014) Advisory Circular AC20-158A, The Certification of Aircraft Electrical and Electronic Systems for Operation in the High-intensity Radiated Fields (HIRF) Environment. U.S. Department of Transportation, Federal Aviation Administration (FAA), Washington, DC (United States). Advisory Circular AC20-158A. and SAE (1996)[SAE] Society of Automotive Engineers (1996) Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. Warrendale: SAE. are in a high maturity stage, although some adaptations usually have to be made specifically for HIRF/L.

Step (1) of the SEE process also refers to step (2) of the HIRF/L certification process, where the external environment, already widely known and tabulated (at least in the case of commercial aviation), is established. In the case of the SEE, the neutron environment has well-known values (IEC 2016[IEC] International Electrotechnical Commission (2016) Process management for cavionics – Atmospheric radiation effects - Part 1: Accommodation of atmospheric radiation effects via single event effects within avionics electronic equipment. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC 62396-1:2016.). This environment is perfectly applicable to commercial aviation, but deficient when faced with high-altitude flights (supersonic and hypersonic), where neutrons are no longer the majority and the radiation profile starts to be influenced by heavy protons and ions (Annex E of IEC 2016) capable of significantly increasing the rate of SEEs. The study of this complex radiation profile and how to approach it to obtain SEEs will be the subject of a future article by the author.

In step (2) of the SEE process, the susceptibility analysis is a little more complex than in the HIRF/L process, where practically every component with p-n junctions can be sensitive to nonionizing radiation, the only exception being made to those who perform levels D and E functions, which can be excluded from the process due to low criticality. In the case of the SEE process, account should also be taken of whether the cross-section is significant, whether the component is immune or radiation tolerant etc.

The component SEE type classification (SEU, MBU, SEFI, etc.) has no equivalence in the HIRF/L process.

Step (3) of the SEE process is extremely complex and one of the weaknesses of the management process proposed in IEC (2017)[IEC] International Electrotechnical Commission (2017) Process management for avionics - Atmospheric radiation effects - Part 7: Management of single event effects (SEE) analysis process in avionics design. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC TR 62396-7:2017. and SAE (2018)[SAE] Society of Automotive Engineers (2018) Development of Atmospheric Neutron Single Event Effects Analysis for Use in Safety Assessments. Society of Automotive Engineers (SAE), Warrendale, PA (United States). Report No.: AIR6219–2018.. As the SEE analysis is focused on failures at the component level, the attempt to propagate the effect of that level to the equipment or system level is extremely tricky, depending on multiple physical, electrical and digital computer simulations to try to understand, for example, what a multiple change of bits in a word of the RAM memory can provoke in the function of a complex equipment or system (Anghel 2007Anghel L, Rebaudengo M, Reorda MS, Violante M (2007) Multi-level Fault Effects Evaluation. In: Velazco R, Fouillat P, Reis R, editors. Radiation Effects on Embedded Systems. Dordrecht: Springer. p.69-88. https://doi.org/10.1007/978-1-4020-5646-8_4
https://doi.org/10.1007/978-1-4020-5646-... ). An attempt to simplify this process, claiming that any effect at the component level would lead to the failure of the equipment or system function would result in high and unrealistic SEE rates. On the other hand, taking for granted components called “hardened” or that use radiation tolerance techniques would result in rates that are too optimistic for SEEs.

In the HIRF/L process, this problem is usually solved by doing equipment and systems level tests. These tests are part of the certification campaign and are expected to occur. In them, it is possible to record the exact behavior of the equipment/system when submitted to HIRF/L threats and whether this behavior is compatible with the safety assessment performed. For non-level A functions, there is also the possibility of reusing test data previously performed by suppliers.

A proposal for simplifying the SEE process would be to subject equipment or even systems to ionizing radiation testing. Due to cost limitations and geometric limitations of particle beams in this type of test (for neutrons, possible beam diameters are between 1 and 120 cm and for protons and heavy ions between 0.5 and 40 cm, according to research on the sites of several installations [IEC 2016[IEC] International Electrotechnical Commission (2016) Process management for cavionics – Atmospheric radiation effects - Part 1: Accommodation of atmospheric radiation effects via single event effects within avionics electronic equipment. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC 62396-1:2016.]), it seems unlikely the hypothesis of tests at the system level. Anyway, the author believes that this is an interesting subject for future studies in this area.

Part of SEE steps (3) and (4) are somewhat related to step (3) of the HIRF/L process, which finds its equivalence in the SEE process in determining the aircraft’s internal radiation profile, taking into account geometric factors and shields. An interesting dissertation on that subject, although limited to neutrons, can be found in Prado (2020)Prado ACM, Pazianotto MT, Molina JMQ, Cortes-Giraldo MA, Guillaume H, Pereira MA, Federico CA (2020) Simulation of cosmic radiation transport inside aircraft for safety applications. IEEE Trans Aerosp Electron Syst 56(5):3462-3475. https://doi.org/10.1109/TAES.2020.2985304
https://doi.org/10.1109/TAES.2020.298530... .

Step (4) of the SEE process deals with the verification of compliance with the reliability requirements of the equipment, based on the data from the obtained SEE rates. These rates can be obtained in manual calculations, or through specialized public domain software, such as MAIRE (https://www.radmod.co.uk/maire) (Hands et al. 2016Hands A, Lei F, Ryden K, Dyer C, Underwood C, Mertens C (2016) New data and modelling for single event effects in the stratospheric radiation environment. IEEE Trans Nucl Sci 64(1):587-595. https://doi.org/10.1109/TNS.2016.2612000
https://doi.org/10.1109/TNS.2016.2612000... ). This step differs substantially from the HIRF/L process, where there are no reliability requirements, but rather equipment/system performance requirements. These performances are translated into a complete set of pass/fail conditions set out in the regulations, guidelines and plans for laboratory tests and aircraft tests.

A point that is still problematic for the SEE process is step (5). While for HIRF/L, tests are planned from the beginning of the certification campaign, equipment and labor are reasonably priced due to competition from test laboratories, and approval authorities, suppliers and integrators are fully aware of the process, with the SEE is the opposite: tests are unpredictable at the beginning of the project, costly in terms of time and money, facilities are scarce so their use sometimes requires long waiting times, and those involved are generally unaware of the process.

As an example of the problems mentioned above, Table 2 presents a comparison of costs for HIRF/L and SEE tests of an equipment composed of one simple microprocessor, one SRAM memory, one ROM memory and an analog-digital converter. The costs of the HIRF/L test come from the author’s experience, the costs of the SEE tests are estimated through cases tested in the IEAv, Annex C from IEC (2016)[IEC] International Electrotechnical Commission (2016) Process management for cavionics – Atmospheric radiation effects - Part 1: Accommodation of atmospheric radiation effects via single event effects within avionics electronic equipment. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC 62396-1:2016. and Schwank et al. (2013)Schwank JR, Shaneyfelt MR, Dodd PE (2013) Radiation hardness assurance testing of microelectronic devices and integrated circuits: Test guideline for proton and heavy ion single-event effects. IEEE Trans Nucl Sci 60(3):2101-2118. https://doi.org/10.1109/TNS.2013.2261317
https://doi.org/10.1109/TNS.2013.2261317... .

It is estimated that SEE beam costs above only respond for 15% of total test costs (NASEM 2018[NASEM] National Academies of Sciences, Engineering, and Medicine (2018) Testing at the Speed of Light: The State of U.S. Electronic Parts Space Radiation Testing Infrastructure. Washington, DC: The National Academies Press. https://doi.org/10.17226/24993
https://doi.org/10.17226/24993... ). Therefore, in the example above, the total equipment SEE test for high altitude cost would be about US$ 480,000 and SEE test for standard altitude would be US$ 96,000. Regarding HIRF/L, the same proportion applies, so the total cost for the HIRF/L test would be US$ 60,000.

The obvious solution to overcome those huge expenses related to SEE characterization would be to avoid carrying out tests and using existing databases, but the few databases of ionizing radiation open to the public bring data that are almost always incomplete and difficult to use, due to the fact that there is no standardization in the data presentation. Suppliers do not seem to be convinced that they need to generate and make this data accessible to their customers, especially while they are not part of mandatory certification requirements.

A proposal to solve the problem above would be the existence of a guidance for standardized ionizing radiation tests for the aeronautical industry, generating information that is really relevant to the process. This guidance could be issued by the certification authorities or by a regulatory institution linked to the industry, such as RTCA or IEC. Today, the closest to it that can be found in the literature are articles like in Schwank et al. (2013)Schwank JR, Shaneyfelt MR, Dodd PE (2013) Radiation hardness assurance testing of microelectronic devices and integrated circuits: Test guideline for proton and heavy ion single-event effects. IEEE Trans Nucl Sci 60(3):2101-2118. https://doi.org/10.1109/TNS.2013.2261317
https://doi.org/10.1109/TNS.2013.2261317... .

There are no additional comments for step (6).

Step (7) concerns the generation of a report with all the collected data necessary to demonstrate compliance with future SEE requirements, which would facilitate the analysis by the certifying authority. In the HIRF/L process, this statement is usually spread over dozens of reports and, in some cases, is condensed into a compliance summary.

A gap that must be filled would be the generation of a SEE certification plan in the initial phase of the project. This plan should show the authorities the proposed compliance with each of the steps in the SEE process. Even at the current stage where this is not mandatory, the existence of this report is highly recommended for project integrators.

Step (8) seems redundant with steps (7) and (4). It is also not necessary to say that the information generated in step (8) will be entered into the PSSA. The SEE process, as well as the HIRF/L process, runs in parallel with the PSSA and, in a project schedule, when it evolves from PSSA to SSA, those processes will already be well advanced. In case of discrepancies between the SSA and the data generated in the SEE process, it will have to be reviewed and some steps will have to be redone. It is not the ideal situation, but, from the author’s experience, it is what actually occurs in most projects with the HIRF/L process, which we are using as a reference.

Table 3 provides a summary of what was developed in this section.

DISCUSSION AND CONCLUSION

Although the IEC has done extensive work on the SEE management process, it is still missing a clearer link between this process and compliance with existing or future feasible certification regulations, specially concerning high-altitude flights.

As an example of what is told above, it was seen in Table 2 that the costs of SEE tests for future high-altitude flights can be five times higher when compared to SEE tests for commercial flights or one order of magnitude higher when compared to the respective HIRF/L tests. That means that the overall certification costs for high-altitude aircraft could become significantly more expensive than for regular aircraft.

In addition to Table 3, a general recommendation for the SEE process would be to consider the radiation environment of high-altitude flights. Today there is a trend towards the return of supersonic commercial flights and towards the hypersonic flight. The radiation environment at these altitudes is significantly more dangerous for crews and equipment, being more complex than in current commercial flights, and also different from the space environment. Defining this environment would also benefit military aircraft designs (especially supersonic fighters) that operate at altitudes between 49,000 and 65,000 ft.

The author recently addressed the radiation environment of high-altitude flights (Ferreira et al. 2021Ferreira MTM, Federico CA, Gonçalvez OL (2021) Exemplo de aplicação de softwares no cálculo de single event upsets em grandes altitudes. Paper presented XXIII SIGE Simpósio de Aplicações Operacionais em Áreas de Defesa. São José dos Campos, São Paulo, Brazil.) using public-domain softwares for calculating SEU rates in high-altitude radiation environment. Some interesting conclusions were found that are complimentary to the present article:

• The SEU rate (SEU/h) of electronic components for hypersonic flights, when compared to subsonic ones, increases significantly, as expected. However, the exposition time per flight is usually lower in hypersonic flights due to the higher speeds, so there is a number of trade-offs that are not so evident.

• Public domain softwares, like MAIRE, may be used to obtain radiation environment and SEU rates. But, in the middle of the process, it is paramount to have access to the electronic component specifications, like cross-sections and sensitive volumes.

Anyway, the radiation environment at high-altitude flights is a subject still barely addressed in scientific literature or in industry standards and remains as a potential topic for future studies. This knowledge gap, as well as the rapid evolution of new electronic device technologies, indicates the pressing need to accelerate the acquisition of knowledge through projects that foster the development of assessment and testing skills.

Regarding the link between the SEE process and SSA, from discussions of the author with safety assessment experts, it seems that SEE failure rates are already being used in SSA, as inputs to failure mode effects and criticality analysis (FMECA) and to the fault tree analysis (FTA) safety budgets. In this case, it is usual that the SEE rates be obtained from databases or generic values presented in Annex B from IEC (2016)[IEC] International Electrotechnical Commission (2016) Process management for cavionics – Atmospheric radiation effects - Part 1: Accommodation of atmospheric radiation effects via single event effects within avionics electronic equipment. International Electrotechnical Commission (IEC), Geneva (Switzerland). Report No.: IEC 62396-1:2016.. However, that incorporation is still unknown to many safety specialists. Even when known, the data used is too generic and lacks a standardized process (see recommendation in Table 3, step [8]).

From the author experience of working along with certification authorities as a DER for many years, the usual approach in the absence of a regulation about a subject would be opening a discussion with the project holder through specific documents called certification action items (CAI) or issue papers.

Today it is understood that SEE is a particular risk (like HIRF/L) and, for the process, there is a chain of references starting in the existing safety regulation and going down to the industry guidance: 14CR/CS 2X.1309 > AC/AMJ 1309 / CM-AS-004 > ARP 4761 > AIR 6219 / IEC 62396-7.

Nevertheless, that chain is not always clear for people working with SEE and safety assessment in the aviation industry.

The comparative analysis of the SEE approach with the HIRF/L process presented in this article resulted in some recommendations to improve the SEE process and how it may evolve into future studies and regulations.

ACKNOWLEDGEMENTS

The authors acknowledge the ERISA-D (Efeitos Nocivos da Radiação Ionizante em Tripulações, Sistemas Aeroespaciais e Defesa) and CITAR (Componentes Integrados Tolerantes à Radiação) Projects due to indirect foment and support on the discussion and thematic.

REFERENCES

Edited by

Publication Dates

History