Self-testing and -repairing fault-tolerance infrastructure for computer systems

US 20020046365A1
Filed: 06/20/2001
Published: 04/18/2002
Est. Priority Date: 06/23/2000
Status: Active Grant

First Claim

Patent Images

1. Apparatus for deterring failure of a computing system;

said apparatus comprising;

an exclusively hardware network of components, having substantially no software;

terminals of the network for connection to such system; and

fabrication-preprogrammed hardware circuits of the network for guarding such system from failure.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

ASICs or like fabrication-preprogrammed hardware provide controlled power and recovery signals to a computing system that is made up of commercial, off-the-shelf components—and that has its own conventional hardware and software fault-protection systems, but these are vulnerable to failure due to external and internal events, bugs, human malice and operator error. The computing system preferably includes processors and programming that are diverse in design and source. The hardware infrastructure uses triple modular redundancy to test itself as well as the computing system, and to remove failed elements—powering up and loading data into spares. The hardware is very simplified in design and programs, so that bugs can be thoroughly rooted out. Communications between the protected system and the hardware are protected by very simple circuits with duplex redundancy.

63 Citations

View as Search Results

66 Claims

1. Apparatus for deterring failure of a computing system;
- said apparatus comprising;
  
  an exclusively hardware network of components, having substantially no software;
  
  terminals of the network for connection to such system; and
  
  fabrication-preprogrammed hardware circuits of the network for guarding such system from failure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 26, 27, 28, 29, 30, 31, 32)
- - 2. The apparatus of claim 1, particularly for use with such system that is substantially exclusively made up of substantially commercial, off-the-shelf components;
    - and wherein;
      
      at least one of the network terminals is connected to receive at least one error signal generated by such system in event of incipient failure of such system; and
      
      at least one of the network terminals is connected to provide at least one recovery signal to such system upon receipt of the error signal.
  - 3. The apparatus of claim 2, wherein:
    - the circuits comprise portions fabrication-preprogrammed to evaluate the at least one error signal to establish characteristics of the at least one recovery signal.
  - 4. The apparatus of claim 1, further comprising:
    - such computing system.
  - 5. The apparatus of claim 1, wherein:
    - the circuits comprise portions for identifying failure of any of the circuits and correcting for the identified failure.
  - 6. The apparatus of claim 1, particularly for use with a computing system that has at least one software subsystem for conferring resistance to failure of the system;
    - and wherein;
      
      the circuits comprise substantially no portion that interferes with such failure-resistance software subsystem.
  - 7. The apparatus of claim 1, particularly for use with a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one hardware subsystem for generating a response of the system to failure;
    - and wherein;
      
      the circuits comprise portions for reacting to said response of such hardware subsystem.
  - 8. The apparatus of claim 1, particularly for use with a computing system that has plural generally parallel computing channels;
    - and wherein;
      
      the circuits comprise portions for comparing computational results from such parallel channels.
  - 9. The apparatus of claim 8, wherein:
    - the parallel channels of the computing system are of diverse design or origin.
  - 10. The apparatus of claim 1, particularly for use with a computing system that has plural processors;
    - and wherein;
      
      the circuits comprise portions for identifying failure of any of such processors and correcting for identified failure.
  - 11. The apparatus of claim 1, wherein:
    - the circuits comprise modules for collecting and responding to data received from at least one of the terminals, said modules comprising;
      
      at least three data-collecting and -responding modules, and processing sections for conferring among the modules to determine whether any of the modules has failed.
  - 12. The apparatus of claim 1, particularly for use with a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one subsystem for generating a response of the system to failure, and that also has at least one subsystem for receiving recovery commands;
    - and wherein;
      
      the circuits comprise portions for interposing analysis and a corrective reaction between the response-generating subsystem and the command-receiving subsystem.
  - 14. The apparatus of claim 13, wherein:
    - the program-operating portions comprise a section that corrects for the identified failure by taking a failed circuit out of operation.
  - 15. The apparatus of claim 14, wherein:
    - the program-operating portions comprise a section that substitutes and powers up a spare circuit for a circuit taken out of operation.
  - 16. The apparatus of claim 13, further comprising:
    - such computing system.
  - 17. The apparatus of claim 13, wherein:
    - the program-operating portions comprise at least three of the circuits; and
      
      failure is identified at least in part by majority vote among the at least three circuits.
  - 18. The apparatus of claim 13, particularly for use with a computing system that has at least one software subsystem for conferring resistance to failure of the system;
    - and wherein;
      
      the circuits comprise substantially no portion that interferes with such failure-resistance software subsystem.
  - 19. The apparatus of claim 13, particularly for use with a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one hardware subsystem for generating a response of the system to failure;
    - and wherein;
      
      the circuits comprise portions for reacting to said response of such hardware subsystem.
  - 20. The apparatus of claim 13, particularly for use with a computing system that has plural generally parallel computing channels;
    - and wherein;
      
      the circuits comprise portions for comparing computational results from such parallel channels.
  - 21. The apparatus of claim 20, wherein:
    - the parallel channels of the computing system are of diverse design or origin.
  - 22. The apparatus of claim 13, particularly for use with a computing system that has plural processors;
    - and wherein;
      
      the circuits comprise portions for identifying failure of any of such processors and correcting for identified failure.
  - 23. The apparatus of claim 13, wherein:
    - the circuits comprise modules for collecting and responding to data received from at least one of the terminals, said modules comprising;
      
      at least three data-collecting and -responding modules, and processing sections for conferring among the modules to determine whether any of the modules has failed.
  - 24. The apparatus of claim 13, particularly for use with a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one subsystem for generating a response of the system to failure, and that also has at least one subsystem for receiving recovery commands;
    - and wherein;
      
      the circuits comprise portions for interposing analysis and a corrective reaction between the response-generating subsystem and the command-receiving subsystem.
  - 26. The apparatus of claim 25, further comprising:
    - such computing system, including such at least one software subsystem.
  - 27. The apparatus of claim 25, particularly for use with a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one hardware subsystem for generating a response of the system to failure;
    - and wherein;
      
      the circuits comprise portions for reacting to said response of such hardware subsystem.
  - 28. The apparatus of claim 25, particularly for use with a computing system that has plural generally parallel computing channels;
    - and wherein;
      
      the circuits comprise portions for comparing computational results from such parallel channels.
  - 29. The apparatus of claim 28, wherein:
    - the parallel channels of the computing system are of diverse design or origin.
  - 30. The apparatus of claim 25, particularly for use with a computing system that has plural processors;
    - and wherein;
      
      the circuits comprise portions for identifying failure of any of such processors and correcting for identified failure.
  - 31. The apparatus of claim 25, wherein:
    - the circuits comprise modules for collecting and responding to data received from at least one of the terminals, said modules comprising;
      
      at least three data-collecting and -responding modules, and processing sections for conferring among the modules to determine whether any of the modules has failed.
  - 32. The apparatus of claim 25, particularly for use with a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one subsystem for generating a response of the system to failure, and that also has at least one subsystem for receiving recovery commands;
    - and wherein;
      
      the circuits comprise portions for interposing analysis and a corrective reaction between the response-generating subsystem and the command-receiving subsystem.

13. Apparatus for deterring failure of a computing system;
- said apparatus comprising;
  
  a network of components having terminals for connection to such system; and
  
  circuits of the network for operating programs to guard such system from failure;
  
  the circuits comprising portions for identifying failure of any of the circuits and correcting for the identified failure.

25. Apparatus for deterring failure of a computing system that has at least one software subsystem for conferring resistance to failure of the system;
- said apparatus comprising;
  
  a network of components having terminals for connection to such system; and
  
  circuits of the network for operating programs to guard such system from failure;
  
  the circuits comprising substantially no portion that interferes with such failure-resistance software subsystem.

33. Apparatus for deterring failure of a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one hardware subsystem for generating a response of the system to failure;
- said apparatus comprising;
  
  a network of components having terminals for connection to such system; and
  
  circuits of the network for operating programs to guard such system from failure;
  
  the circuits comprising portions for reacting to said response of such hardware subsystem.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41)
- - 34. The apparatus of claim 33, wherein:
    - the reacting portions comprise sections for evaluating the hardware-subsystem response to establish characteristics of at least one recovery signal.
  - 35. The apparatus of claim 34, wherein:
    - the reacting portions comprise sections for applying the at least one recovery signal to such system.
  - 36. The apparatus of claim 33, further comprising:
    - such computing system, including such hardware subsystem.
  - 37. The apparatus of claim 33, particularly for use with a computing system that has plural generally parallel computing channels;
    - and wherein;
      
      the circuits comprise portions for comparing computational results from such parallel channels.
  - 38. The apparatus of claim 37, wherein:
    - the parallel channels of the computing system are of diverse design or origin.
  - 39. The apparatus of claim 33, particularly for use with a computing system that has plural processors;
    - and wherein;
      
      the circuits comprise portions for identifying failure of any of such processors and correcting for identified failure.
  - 40. The apparatus of claim 33, wherein:
    - the circuits comprise modules for collecting and responding to data received from at least one of the terminals, said modules comprising;
      
      at least three data-collecting and -responding modules, and processing sections for conferring among the modules to determine whether any of the modules has failed.
  - 41. The apparatus of claim 33, particularly for use with a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one subsystem for generating a response of the system to failure, and that also has at least one subsystem for receiving recovery commands;
    - and wherein;
      
      the circuits comprise portions for interposing analysis and a corrective reaction between the response-generating subsystem and the command-receiving subsystem.

42. Apparatus for deterring failure of a computing system that is distinct from the apparatus and that has plural generally parallel computing channels;
- said apparatus comprising;
  
  a network of components having terminals for connection to such system; and
  
  circuits of the network for operating programs to guard such system from failure;
  
  the circuits comprising portions for comparing computational results from such parallel channels.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 43. The apparatus of claim 42, wherein:
    - the parallel channels of the computing system are of diverse design or origin.
  - 44. The apparatus of claim 42, wherein:
    - the comparing portions comprise at least one section for analyzing discrepancies between the results from such parallel channels.
  - 45. The apparatus of claim 44, wherein:
    - the comparing portions further comprise at least one section for imposing corrective action on such system in view of the analyzed discrepancies.
  - 46. The apparatus of claim 45, wherein:
    - the at least one discrepancy-analyzing section uses a majority voting criterion for resolving discrepancies.
  - 47. The apparatus of claim 42, further comprising:
    - such computing system.
  - 48. The apparatus of claim 47, wherein:
    - the parallel channels of the computing system are of diverse design or origin.
  - 49. The apparatus of claim 48, wherein:
    - the comparing portions comprise circuitry for performing an algorithm to validate a match that is inexact.
  - 50. The apparatus of claim 49, wherein:
    - the algorithm-performing circuitry employs a degree of inexactness suited to a type of computation under comparison.
  - 51. The apparatus of claim 49, wherein:
    - the algorithm-performing circuitry performs an algorithm that selects a degree of inexactness based on type of computation under comparison.
  - 52. The apparatus of claim 42, particularly for use with a computing system that has plural processors;
    - and wherein;
      
      the circuits comprise portions for identifying failure of any of such processors and correcting for identified failure.
  - 53. The apparatus of claim 42, wherein:
    - the circuits comprise modules for collecting and responding to data received from at least one of the terminals, said modules comprising;
      
      at least three data-collecting and -responding modules, and processing sections for conferring among the modules to determine whether any of the modules has failed.
  - 54. The apparatus of claim 42, particularly for use with a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one subsystem for generating a response of the system to failure, and that also has at least one subsystem for receiving recovery commands;
    - and wherein;
      
      the circuits comprise portions for interposing analysis and a corrective reaction between the response-generating subsystem and the command-receiving subsystem.

55. Apparatus for deterring failure of a computing system that has plural processors;
- said apparatus comprising;
  
  a network of components having terminals for connection to such system; and
  
  circuits of the network for operating programs to guard such system from failure;
  
  the circuits comprising portions for identifying failure of any of such processors and correcting for identified failure.
- View Dependent Claims (56, 57, 58, 59, 60, 61)
- - 56. The apparatus of claim 55, wherein:
    - the identifying portions comprise a section that corrects for the identified failure by taking a failed processor out of operation.
  - 57. The apparatus of claim 56, wherein:
    - the section comprises parts for taking a processor out of operation only in case of signals indicating that the processor has failed permanently.
  - 58. The apparatus of claim 55, wherein:
    - the identifying portions comprise a section that substitutes and powers up a spare circuit for a processor taken out of operation.
  - 59. The apparatus of claim 55, further comprising:
    - such computing system.
  - 60. The apparatus of claim 55, wherein:
    - the circuits comprise modules for collecting and responding to data received from at least one of the terminals, said modules comprising;
      
      at least three data-collecting and -responding modules, and processing sections for conferring among the modules to determine whether any of the modules has failed.
  - 61. The apparatus of claim 55, particularly for use with a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one subsystem for generating a response of the system to failure, and that also has at least one subsystem for receiving recovery commands;
    - and wherein;
      
      the circuits comprise portions for interposing analysis and a corrective reaction between the response-generating subsystem and the command-receiving subsystem.

62. Apparatus for deterring failure of a computing system;
- said apparatus comprising;
  
  a network of components having terminals for connection to such system; and
  
  circuits of the network for operating programs to guard such system from failure;
  
  the circuits comprising modules for collecting and responding to data received from at least one of the terminals, said modules comprising;
  
  at least three data-collecting and -responding modules, and processing sections for conferring among the modules to determine whether any of the modules has failed.
- View Dependent Claims (63, 64, 66)
- - 63. The apparatus of claim 62, further comprising:
    - such computing system.
  - 64. The apparatus of claim 62, particularly for use with a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one subsystem for generating a response of the system to failure, and that also has at least one subsystem for receiving recovery commands;
    - and wherein;
      
      the circuits comprise portions for interposing analysis and a corrective reaction between the response-generating subsystem and the command-receiving subsystem.
  - 66. The apparatus of claim 62, further comprising:
    - such computing system.

65. Apparatus for deterring failure of a computing system that is substantially exclusively made of substantially commercial, off-the-shelf components and that has at least one subsystem for generating a response of the system to failure, and that also has at least one subsystem for receiving recovery commands;
- said apparatus comprising;
  
  a network of components having terminals for connection to such system between the response-generating subsystem and the recovery-command-receiving subsystem; and
  
  circuits of the network for operating programs to guard such system from failure;
  
  the circuits comprising portions for interposing analysis and a corrective reaction between the response-generating subsystem and the command-receiving subsystem.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Algirdas Avizienis
Original Assignee
Algirdas Avizienis
Inventors
Avizienis, Algirdas

Granted Patent

US 7,908,520 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/43
CPC Class Codes

G06F 11/183 by voting, the voting not b...

G06F 11/2028 eliminating a faulty proces...

Self-testing and -repairing fault-tolerance infrastructure for computer systems

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Self-testing and -repairing fault-tolerance infrastructure for computer systems

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links