Closed-Loop Performance Measures for Flight Controllers Subject to ...

Proceedings of the 42nd IEEE Conference on Decision and Control Maui, Hawaii USA, December 2003

WeM14-3

Closed-Loop Performance Measures for Flight Controllers Subject to Neutron-Induced Upsets W. Steven Gray Hong Zhang Oscar R. Gonz´ alez Department of Electrical and Computer Engineering Old Dominion University Norfolk, Virginia 23529-0246, U.S.A. [email protected] [email protected] [email protected]

Abstract

veloped with the general goal of quantifying the nature of the risk and to produce guidelines for the aerospace industry and chip manufacturers. A set of experiments is underway at the Los Alamos Neutron Science Center (LANSCE) in Los Alamos, New Mexico to provide data [9]. While a variety of different technologies will be tested, our interest here is specifically on an experimental Recoverable Computer System (RCS) developed by Honeywell, Inc. Its error recovery system is implemented using multiple dual-lock-step processors together with new fault tolerant architectures and communication subsystems [7, 8]. The error recovery technique implemented on the RCS is a variation of rollback recovery [12, 15]; it has the following steps: checkpointing, fault-tolerant comparison, rollback, and retry. During a checkpoint, the state of each microprocessor module is stored. When an upset is detected, rollback of both microprocessor modules to a previous checkpoint takes place, and then the system is allowed to proceed with normal execution. But once the execution of the normal control program is interrupted, the execution of a different control law takes place, one that has significantly different dynamics and is on a time scale that can alter the overall closed-loop dynamics of the flight control system. Therefore, the general goal of our analysis is to provide analytical predictions of the observed tracking error caused by neutron-induced upsets.

It has been observed that atmospheric neutrons can produce single event upsets in digital flight control hardware. The phenomenon has been studied extensively at the chip level, and now system level experiments are underway. In this paper analytical closedloop performance measures for the tracking error are developed for a plant that is stabilized by a recoverable computer system subject to neutron induced upsets. The underlying model is a Markov jump-linear system with process noise. The steady-state tracking error is expressed in terms of a generalized observability Gramian. 1 Introduction When cosmic rays collide with oxygen and nitrogen atoms in the earth’s upper atmosphere, free neutrons are produced with energies varying from 10 MeV to 1 GeV [18]. The higher the altitude, the higher the neutron flux and energy [13]. When a neutron passes through a solid state device, it has been observed that stored electric charge can be locally redistributed, which may cause a single event effect (SEE). If this charge resides in a solid state memory device, for example a computer’s cache memory, a binary ‘one’ can be flipped to a ‘zero’ or vice versa. It is also possible for dielectric material in the device to rupture and create short circuits, which can burn out neighboring devices if sufficient electric potential exists [10, 17]. These single event effects are normally classified into two categories: soft errors and hard errors [11, 14]. Soft errors by their nature are nondestructive to the hardware but alter memory contents and/or computer logic. Their effects are usually transient in nature. Hard faults, on the other hand, may be destructive. Chip burnouts cause permanent malfunctioning of the hardware. Another hard fault is latchup, which can usually be corrected by resetting the hardware. Single event upsets (SEU’s) are defined as soft faults, induced by radiation, that produce a malfunction at some level in the system.

The paper is organized as follows. In Section 2 the LANSCE experiments are briefly described. In the subsequent section, the upset disturbance model for the RCS is presented. In Section 4, the tracking error analysis is done. Simulation results are presented in the final section. The mathematical notation used throughout is largely consistent with [2]. The symbol Z+ denotes the set of all non-negative integers. Rn is the n-dimension real vector space, and M(Rn ) is the normed linear space of all n × n real matrices. The subset of all symmetric positive semi-definite matrices is M(Rn )+ . Hn = {V = (V1 , . . . , VN ) : Vi ∈ M(Rn )} will be used to denote the space of all N -tuples of n × n real matrices. If every Vi of a given V in Hn is positive definite or positive semi-definite, this is indicated, respectively, by V > 0 and V ≥ 0. Hn+ denotes the set {V ∈ Hn : V ≥ 0}. For U = (U1 , . . . , UN ) and V = (V1 , . . . , VN ) in Hn+ , the notation U ≤ V

As more commercial aircraft control systems and avionics are implemented using embedded digital hardware, SEU’s have recently come to the attention of the Federal Aviation Administration (FAA) as a potential safety hazard. In response, a program has been de-

0-7803-7924-1/03/$17.00 ©2003 IEEE

2465

Beam Source

Flight Control Computer

Flux Sensor

ate control signals to the aircraft simulation model for maintaining straight and level flight at a cruising altitude of 34,000 feet. This interconnection between the flight control computer and the flight simulation host computer constitutes a closed-loop feedback control system, which is the unique feature of these experiments. The data acquisition system is maintained on a third computer system. It collects the flight data from the simulation as well as the measurements from the flux sensor for off-line analysis. Should the aircraft deviate from the nominal flight path at any time, it will be possible to determine the total radiation dose the flight control computer received up to that instant. When neutrons collide with the flight control computer, the specific effects of any disturbance will depend on the particular nature of the control computer’s internal hardware and any fault-tolerant features it possesses. This is discussed in the next section.

Barrier

.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ...................

Data Acquisition Host Computer

Flight Simulation Host Computer

Figure 1: The testbed for the LANSCE experiments. 5

10

Experimental Neutron Flux at LANSCE 4

Neutron Intensity (n/MeV/cm2/sec)

10

3 An Upset Disturbance Model for the RCS A conceptual diagram of the RCS in a closed-loop configuration is shown in Figure 3. The neutron interactions are modeled by the upset generator, a random process whose statistics are a function of the neutron flux and energy, as well as the specific chip technologies which the control computer employs. The recovery logic maps the upset process, ν(k), to the state of the recovery process, θ(k). In the simplest case, when θ(k) = 1, the nominal control system is engaged. When θ(k) = 2, a recovery process is active. The discretized closed-loop output error system is then the jump-linear dynamical system      Aθ(k) 0 x(k) x(k + 1) = + Ge w(k), xn (k) xn (k + 1)  0  A1  x(0) x0 = xn (0) xn,0   x(k) y e (k) = [C −C] , xn (k)

3

10

2

10

Normalized Atmospheric Neutron Flux (Multiplied by 2.62×105) 1

10

Integrated Neutron Flux Above 1 MeV is 4.18×105 n/cm2/sec

0

10 0 10

1

10

2

Neutron Energy (MeV)

10

3

10

Figure 2: The neutron energy spectrum at LANSCE. (U < V ) denotes that Ui ≤ Vi (Ui < Vi ) for every i = 1, . . . , N . The inner on Hn is assumed to   T product
N be U, V  = i=1 tr Ui Vi , and V 2 = V, V  is the norm squared of V when V ∈ Hn . (· will also be used for representing the standard norm on Rn .) B(Hn ) is the space of all bounded linear operators on Hn un) der the induced operator norm L = supV
=0 L(V V  , where L ∈ B(Hn ). We use rσ (L) to denote the spectral radius of L, specifically, rσ (L) = L.

where A1 is the A matrix of the nominal closed-loop system, and A2 will depend on the recovery algorithm used (see [4, 16]). w(k) ∈ Rm is a white noise process used to model wind and gust disturbances. DefinT  ing xe (k) = xT (k) xT n (k) , Ae,1 = diag(A1 , A1 ), Ae,2 = diag(A2 , A1 ), and Ce = [C −C], the error system

2 The LANSCE Experiments The FAA/NASA research program is centered around the analysis of experimental data collected from a series of experiments conducted at LANSCE which started in December of 2002. A conceptual diagram of the testbed for the LANSCE experiments is shown in Figure 1. A beam of free neutrons is directed through a flux sensor at the device under test, in this case a flight control computer. The energy spectrum of the neutron source is shown in Figure 2. Its shape is very similar to that produced by atmospheric neutrons, but the flux is 2.62 × 105 times larger on average. The flight control computer in this setup runs a control program which processes outputs from a Boeing 737 flight simulation system running on a separate host computer. The flight control computer generates the appropri-

xe (k + 1) y e (k)

= Ae,θ(k) xe (k) + Ge w(k), xe (0) = xe,0 , θ(0) = θ 0 = Ce xe (k)

(1a) (1b)

can be characterized by the behavior of the recovery process θ(k), normally assumed to be an aperiodic, homogeneous Markov chain with a transition matrix Πe . In the case of the accelerated neutron experiments, the flux scaling factor of 2.62 × 105 simply means that the rate of upset arrivals is scaled by the same factor. This maps directly to an increase in the upset probability of making a transition from θ(k) = 1 to θ(k) = 2 to produce an accelerated transition matrix Πa (see [5] for details).

2466

w(k) r(k) + + + _

yp(k)

Aircraft Dynamics

D/A

tracking error defined by

∞  2 y e (k) = tr(Xe,0 Q0 ), J0 := E

A/D

k=0

where Q0 is closely related to the observability Gramian in [2, 3]. On the other hand, if winds and gusts are present, i.e. w(k) = 0, and system (1a) is MSS, then y e (k) has finite power. Let w(k) be a zero mean white noise process with covariance matrix equal to Im . If w(k) is independent of the mode process θ(k) and xe,0 , the claim is that the mean-square tracking error is given by  Jw := lim E y e (k)2 = tr(Ge,w Qw ),

Recoverable System

1

Nominal Controller

1

2

Upset Controller

2

yc(k)

θ(k) Recovery Logic

k→∞

where Ge,w := Ge GT e , and Qw is a type of generalized Gramian matrix to be described shortly. Thus, the proposed tracking error measure is

J0 : w = 0 J= Jw : w = 0.

ν(k) Upset Generator

Figure 3: The closed-loop flight control system with a recoverable flight control computer.

Using these analytical expressions, it is then possible to plot J as a function of the upset probabilities, the recovery system parameters or the plant parameters.

Once a valid upset disturbance model is available, it can be used to study stability and performance characteristics of the closed-loop system in Figure 3. In this context, the following notion of stability is employed.

The supporting analysis is as follows. Consider the general stochastic system below over a probability space (Ω, F, Pr) x(k + 1)

Definition 3.1 [3] System (1a) with w(k) = 0 is mean-square stable (MSS ) if E xe (k)2 → 0 as k → ∞ for any initial condition xe,0 and any initial distribution for θ 0 .

y(k)

= Aθ(k) x(k) + Gw(k), x(0) = x0 , θ(0) = θ 0 = Cθ(k) x(k),

(2a) (2b)

where {θ(k); k = 0, 1, 2, . . . } is a discrete-time aperiodic Markov chain with states {1, 2, . . . , N } and transition probability matrix Π = [πij ]; x0 is a second-order random variable; and {w(k); k = 0, 1, 2, . . . } is a stationary zero mean white noise process with covariance and x0 . Let A matrix Im and independent of θ(k)  =  T CN ∈ (A1 , . . . , AN ) ∈ Hn and C = C1T C1 , . . . , CN Hn+ . For any S = (S1 , . . . , SN ) ∈ Hn , define an operator T ∈ B(Hn ) by T (S) = (T1 (S), . . . , TN (S)), where

A mean-square stability analysis procedure for rollback recovery systems in closed-loop has been presented in [4, 16] under some simplifying assumptions, such as an upset can not occur during an active recovery process. This model is accurate for low levels of disturbances, but begins to breakdown as the transition probability from nominal to upset mode increases. The essential limitation in this approach is that the jump-linear model employed does not permit complex recovery algorithms to be easily encoded into the model’s structure. An alternative method has been proposed in [6] using a finite-state machine to model the logic in the recovery algorithm. For mean-square stable systems, it is proposed in this paper to go a step further and compute an estimate of the mean-square tracking performance error. This analysis is described in the next section.

Tj (S) =

N 

πij Ai Si AT i .

i=1

It is easy to verify that on the Hilbert space Hn its adjoint L := T ∗ is given by L(S) = (L1 (S), . . . , LN (S)), where   N   Li (S) = AT πij Sj  Ai . i j=1

Thus, rσ (L) = rσ (T ). (See [2] for additional details.) The following theorem describes the connection between these two operators and mean-square stability.

4 Tracking Error Performance Analysis The basic approach to quantify tracking error performance is to generalize the definition of the observability Gramian for a MSS switched-linear system described in [2, 3]. Specifically, if the system (1a) is MSS, there are no winds and gusts, and xe,0 is zero mean with covariance matrix Xe,0 , then the error signal y e (k) has finite energy. A suitable metric for y e (k) is the mean-square

Theorem 4.1 [2] The following statements are equivalent: (a) System (2) with w(k) = 0 is MSS. (b) rσ (T ) < 1. (c) rσ (L) < 1.

2467

(b) For any k ∈ Z+ ,  E  xT (k + 1)Pθ(k+1) x(k + 1) T  = E Aθ(k) x(k) + Gw(k) Pθ(k+1)   · Aθ(k) x(k) + Gw(k)  = E xT (k)AT θ(k) Pθ(k+1) Aθ(k) x(k)

(d) (Coupled Lyapunov Equations) Given any S = (S1 , . . . , SN ) > 0 in Hn+ there exists P = n+ satisfying P − T (P ) = S (P1 , . . . , P
N ) > 0 in H ∞ k with P = k=0 T (S). (e) (Adjoint Coupled Lyapunov Equations) Given any S = (S1 , . . . , SN ) > 0 in Hn+ there exists P = n+ satisfying P − L(P ) = S (P1 , . . . , P
N ) > 0 in H ∞ k with P = k=0 L (S).

+xT (k)AT θ(k) Pθ(k+1) Gw(k) T +w (k)GT Pθ(k+1) Aθ(k) x(k) 

In addition, if system (2) is MSS, then for any S ∈ Hn there exists a unique P ∈ Hn such that P − T (P ) = S and P − L(P ) = S. If S ≥ T ≥ 0(> 0, respectively) and P − T (P ) = S, L − T (L) = T or P − L(P ) = S, L − L(L) = T then P ≥ L ≥ 0(> 0). To derive the main result of this section, the following lemma is essential.

+wT (k)GT Pθ(k+1) Gw(k) .

Using assumption and the fact that  the independence E w(k)wT (l) = Im · 1{k=l} , both the second and the third terms in the above expression are zero. Thus,  E  xT (k + 1)Pθ(k+1) x(k + 1) = E xT (k)AT θ(k) Pθ(k+1) Aθ(k) x(k)  T +w (k)GT Pθ(k+1) Gw(k)    = E xT (k)Lθ(k) (P )x(k) + tr GT Pθ(k+1) G ,

Lemma 4.1 For a MSS system (2), given any P = (P1 , . . . , PN ) ∈ Hn : (a) if w = 0, and for any k ∈ Z+ x0 and θ(k) are independent, then  E xT (k + 1)Pθ(k+1) x(k + 1) = E xT (k)Lθ(k) (P )x(k) ;

which proves the lemma.

(b) if x0 = 0, and for any k ∈ Z+ w(k) and θ(k) are independent, then  E xT (k + 1)Pθ(k+1) x(k + 1)   = E xT (k)Lθ(k) (P )x(k) + E tr GT Pθ(k+1) G . Proof : (a) For any k ∈ Z+ ,  E xT (k + 1)Pθ(k+1) x(k + 1)  = E xT (k)AT θ(k) Pθ(k+1) Aθ(k) x(k) = =

N  i,j=1 N 

=

=

=

 E xT (k)AT i Pj Ai x(k)1{θ(k)=i} 1{θ(k+1)=j}   E E xT (k)AT i Pj Ai x(k)

·1{θ(k)=i} 1{θ(k+1)=j} | x(k), θ(k) N   E xT (k)AT i Pj Ai x(k)1{θ(k)=i} i,j=1  ·E 1{θ(k+1)=j} | x(k), θ(k) = i N   E xT (k)AT i Pj Ai x(k)1{θ(k)=i} i,j=1  ·E 1{θ(k+1)=j} | θ(k) = i N   E xT (k)AT i Pj Ai x(k)1{θ(k)=i} πij i,j=1     N N     E xT (k) AT πij Pj Ai  x(k)1{θ(k)=i} i   i=1

j=1

N 

 E xT (k)Li (P )x(k)1{θ(k)=i} i=1  = E xT (k)Lθ(k) (P )x(k) .

=

Theorem 4.2 For a MSS system (2), where θ(k) is aperiodic and ergodic, the following identities hold: (a) if w = 0, and for any k ∈ Z+ x0 and θ(k) are independent, then the mean output energy is

∞   T k Lθ0 (C) x0 = tr(X0 Q0 ), (3) J0 = E x0

Here 1{·} denotes the Dirac measure.

2468

k=0


∞ k where X0 := E x0 xT 0 , Q0 := E k=0 Lθ 0 (C) , and Li denotes the composition of L i times (L0 (C) := C). (b) if for any k ∈ Z+ x0 , w(k) and θ(k) are independent, then the mean output power is k−1

    T i Lθ(k−i) (C) G (4) Jw = lim E tr G k→∞ 

 ∞ i=0    = tr E GT Lkθs (C) G 

i,j=1

=

The main result of the paper is stated below.

=

tr(Gw Qw ),

k=0

(5)

where θ s is the unique stationary vector, Gw := GGT 
∞ k and Qw := E k=0 Lθ s (C) . Proof : (a) Noting that x0 is independent of θ 0 , the result is immediate once it is proven that for any k ∈ Z+   k (6) E y(k)2 = E xT 0 Lθ 0 (C)x0 .   T = When k = 0, E y(0)2 = E xT 0 Cθ 0 Cθ 0 x0  T 0  T E x0 Cθ0 x0 = E x0 Lθ0 (C)x0 . For any k ≥ 1 observe that   E y(k)2 = E xT (k)Cθ(k) x(k)  = E xT (k)L0θ(k) (C)x(k) .

Now since Lk (C) ∈ Hn , equation (6) follows directly by repeatedly applying Lemma 4.1(a) k times. (b) Since the natural response of any stable linear system (switched or not) has zero average power, there is no loss of in assuming that x0 = 0. Trivially  generality then E y(0)2 = 0. When k = 1,  E y(1)2

 E wT (0)GT Cθ(1) Gw(0)  E  tr w(0)wT (0) · GT Cθ(1) G  · E GT Cθ(1) G tr E w(0)wT (0)  E tr GT Cθ(1) G 

= = = =

= E tr GT L0θ(1) (C)G

.

=

 · Pr{θ s = j}

Lkθs (C)

=

N 

(Qi · Pr{θ s = i}) ,

i=1

Figure 4 illustrates precisely the relationships between T and A1 , and L and A2 . T

S −−−−→ T (S) & &   ϕ( ϕ−1 ϕ−1  (ϕ A

1 ϕ(S) −−−− → ϕ(T (S))



L

S −−−−→ L(S) & &   ϕ( ϕ−1 ϕ−1  (ϕ A

2 ϕ(S) −−−− → ϕ(L(S))

Figure 4: The relationships between T and A1 , and L and A2 .

5 A Simple Example

Lkθs (C) .

= E

Qw = E

∞ 

   Pr{θ s = 1} Pr{θ s = 1}    .. .. T  =Π · .  . . Pr{θ s = N } Pr{θ s = N }

Lij (C)

j=1 i=0

∞ 





Therefore it follows, with some details omitted, that

k−1  i lim E Lθ(k−i) (C) k→∞ i=0    k−1 N   = lim Lij (C) · Pr{θ(k − i) = j} i=0

and

where Pr{θ s = i} is determined by solving the eigenequation

Finally, to validate equation (5), observe that for any fixed j = 1, 2, . . . , N , when i → ∞ then Lij (C) → 0. Furthermore, when (k − i) → ∞ then θ(k − i) → θ s .

 j=1 N ∞   

i=1

k=0

k=0

For any k > 1, simply apply Lemma 4.1(b) (k − 1) times, and under the given conditions equation (4) holds. The fact that θ(k) is aperiodic and ergodic (i.e., the states of θ(k) form a single ergodic class) insures that the limit with respect to k is well defined and independent of θ 0 .

k→∞

  −1 and hence Q = ϕ−1 (IN n2 − A2 ) · ϕ(C) . Therefore, our tracking error measures can be written in terms of

∞ N   k Q0 = E Lθ0 (C) = (Qi · Pr{θ 0 = i})

k=0

The following example demonstrates the theory described in the previous section. Consider a pair of first order systems (Ai , G, Ci ), i = 1, 2 driven by a Markovian jump-linear system with the parameters given in Table 1. Here the transition probability π12 is varied between [0, 0.90] (which insures the system is MSS). The plots of J0 and Jw with respect to π12 are shown in Figure 5. When π12 = 0.05, Q = [Q1 Q2 ] = [126.1912 131.5214] so Q0 = Q1 · Pr{θ 0 =1} + Q 0 = 2} = 128.8563. Moreover, 2 · Pr{θ 1 = , so by equation (3) J0 = 42.9521. X0 = E x0 xT 0 3 The simulation estimate for this case is J0 = 42.6461. When x0 = 0, it follows that Pr{θ s = 1} = 0.9474 and Pr{θ s = 2} = 0.0526, so that Qw = Q1 · Pr{θ s = 1} + Q2 · Pr{θ s = 2} = 126.4718. Since Gw = 4, it follows from equation (5) that Jw = 505.8870. The simulated estimate of Jw (k) shown in Figure 6 is in agreement with this statistic.

This completes the proof. When system (2) is MSS, Theorem 4.1 (e) can be used It is clear that to calculate J0 and Jw numerically.
∞ k L (C) is the unique Q = (Q1 , Q2 , . . . , QN ) := k=0 solution to Q − L(Q) = C (the observability Gramian in [2]). This adjoint coupled Lyapunov equation can be solved by using the matrix representation of L   T T T A2 := diag AT 1 ⊗ A1 , . . . , AN ⊗ AN · (Π ⊗ In2 ) , where ⊗ denotes the Kronecker product. Correspondingly,   T A1 := AT 2 = Π ⊗ In2 · diag (A1 ⊗ A1 , . . . , AN ⊗ AN ) is a matrix representation of T (see [1] and [2] for details). Let Qi := [qi1 qi2 . . . qin ], where qij ∈ Rn for i = 1, 2, . . . , N and j = 1, 2, . . . , n.   T T T T and ϕ(Q) := If vec(Qi ) := qi1 qi2 . . . qin T  T 2 T T ∈ RN n vec (Q1 ) vec (Q2 ) . . . vec (QN ) then the adjoint coupled Lyapunov equation can be written as the matrix equation ϕ(Q)−A2 ·ϕ(Q) = ϕ(C),

Acknowledgements This research was supported by the NASA Langley Research Center under contracts NCC-1-392 and NCC-103026, and by the National Science Foundation under grant CCR-0209094.

2469

550

Table 1: Parameters for the simulation example Values 0.99 1.01 1.50 1.50 2.00 0.50 0.50 0 or uniform on [0, 1]

450 400

E{||y(k)||2}

Parameters A1 A2 C1 C2 G Pr{θ 0 = 1} Pr{θ 0 = 2} x0   1 − π12 π12 Π= 0.90 0.10

505.8870 500

350

E{||y(k)||2}

Jw 300 250 200 150 100 50

π12 ∈ [0, 0.9]

0

0

500

1000

4

12

x 10

2003 American Control Conference, Denver, Colorado, 2003, pp. 2240–2245.

10

[7] R. Hess, ‘Computing Platform Architectures for Robust Operation in the Presence of Lightning and Other Electromagnetic Threats,’ Proc. 16th Digital Avionics Systems Conference, Philadelphia, Pennsylvania, 1997, pp. 4.3–9–16.

8

J

1500

k

Figure 6: A plot of E
y(k)
2 and Jw when x0 = 0 and π12 = 0.05. 

Jw

6

J

0

4

[8] R. Hess, ‘Options for Aircraft Function Preservation in the Presence of Lightning,’ Proc. 1999 International Conference on Lightning and Static Electricity, Toulouse, France, Paper No. 106, 1999.

2

0

[9] LANSCE website: http://wnr.lanl.gov/see/. 0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

[10] G. C. Messenger and M. S. Ash, The Effects of Radiation on Electronic Systems, 2nd ed., Van Nostrand Reinhard, New York, 1992.

π

12

Figure 5: Plots of J0 and Jw with respect to the transition probability π12 .

[11] G. C. Messenger and M. S. Ash, Single Event Phenomena, Chapman & Hall, New York, 1997.

References [1] O. L. V. Costa and M. D. Fragoso, ‘Stability Results for Discrete-Time Linear Systems with Markovian Jumping Parameters,’ Journal of Mathematical Analysis and Applications, vol. 179, 1993, pp. 154–178.

[12] R. Narasimhan, D. J. Rosenkrantz, and S. S. Ravi, ‘Early Comparison and Decision Strategies for Datapaths that Recover from Transient Faults,’ IEEE Trans. Circuits & Systems I-Fundamental Theory & Applications, vol. 44, no. 5, 1997, pp. 435–438.

[2] O. L. V. Costa and R. P. Marques, ‘Mixed H2 /H∞ Control of Discrete-Time Markovian Jump Linear Systems,’ IEEE Trans. Automatic Control, vol. AC-43, no. 1, 1998, pp. 95–100.

[13] E. Normand and T. J. Baker, ‘Altitude and Latitude Variations in Avionics SEU and Atmospheric Neutron Flux,’ IEEE Trans. Nuclear Science, vol. 40, no. 6, 1993, pp. 1484–1490.

[3] O. L. V. Costa and R. P. Marques, ‘Robust H2 -Control for Discrete-Time Markovian Jump Linear Systems,’ International Journal of Control, vol. 73, no. 1, 2000, pp. 11–21.

[14] E. Normand, ‘Single-Event Effects in Avionics,’ IEEE Trans. Nuclear Science, vol. 43, no. 2, 1996, pp. 461– 474. [15] A. Ranganathan and S. Upadhyaya, ‘Performance Evaluation of Rollback-Recovery Techniques in Computer Programs,’ IEEE Trans. Reliability, vol. 42, 1993, pp. 220–226.

[4] O. R. Gonz´ alez, W. S. Gray and A. Tejada, ‘Analytical Tools for the Design and Verification of Safety Critical Control Systems,’ 2001 SAE Transactions — Journal of Aerospace, vol. 110, Section 1, 2002, pp. 481–490.

[16] A. Tejada, ‘Analysis of Error Recovery Effects on Digital Flight Control Systems,’ M.S. Thesis, Old Dominion University, 2002.

[5] W. S. Gray, O. R. Gonz´ alez and M. Do˘ gan, ‘Stability Analysis of Digital Linear Flight Controllers Subject to Electromagnetic Disturbances,’ IEEE Trans. Aerospace and Electronic Systems, vol. 36, no. 4, 2000, pp. 1204–1218.

[17] A. C. Tribble, The Space Environment: Implications for Spacecraft Design, Princeton University Press, Princeton, NJ, 1995.

[6] W. S. Gray, S. Patilkulkarni and O. R. Gonz´ alez, ‘Stochastic Stability of a Recoverable Computer Control System Modeled as a Finite-State Machine,’ Proc.

[18] J. F. Ziegler, ‘Terrestrial Cosmic Rays,’ IBM J. Research and Development, vol. 40, no. 1, 1996, pp. 19– 35.

2470