Computer system that tolerates transient errors and method for management in a system of this type

US 20030135790A1
Filed: 11/25/2002
Published: 07/17/2003
Est. Priority Date: 12/22/1999
Status: Active Grant

First Claim

Patent Images

1. Computer system tolerating transient errors made up by a processing unit, characterised by the fact that it includes:

at least two processing units (50, 51) with each one including;

a microprocessor (54, 57), a memory (53, 56) protected by a device generating and controlling a code for the detection and correction of errors, a device (55, 58) for monitoring memory accesses, mainly including;

means for segmentation of the memory and the verification of the access rights to each segment (53, 56), means for specific protection of the memory segments (53, 56) allocated to saving the recovery context, means for generating a correction demand signal to the device (52) for controlling the processing units and the inputs/outputs, a centralised control device (52) for the processing units and for inputs/outputs, including;

macro-synchronisation means for the processing units (50, 51), comparison/vote means for the data generated by the processing units (50,51), correction demand means, decision-making means arising from the memory access watch devices (55, 58) means for decision-making so as to initialise a correction phase in the event of an error and means allowing the demand to be transmitted simultaneously to all the processing units (50, 51), means allowing the inputs/outputs to be made. some links (60, 61) respectively linking each processing unit to the processing units and inputs/outputs control device (52)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention concerns a software system that tolerates transient errors made up by a processing unit, including:

at least two processing units (50, 51) with each one including:

a microprocessor (54, 57),

a memory (53, 56) protected by a device generating and controlling a code for the detection and correction of errors,

a device (55, 58) for monitoring memory accesses,

A centralised control device (52) for the processing units and for inputs/outputs, including:

macro-synchronisation means,

data comparison/vote means,

correction demand means,

decision-making means,

means allowing the inputs/outputs to be made.

Some links (60, 61) respectively linking each processing unit to the device (52) for controlling the processing units and the inputs/outputs.

23 Citations

View as Search Results

14 Claims

1. Computer system tolerating transient errors made up by a processing unit, characterised by the fact that it includes:
- at least two processing units (50, 51) with each one including;
  
  a microprocessor (54, 57), a memory (53, 56) protected by a device generating and controlling a code for the detection and correction of errors, a device (55, 58) for monitoring memory accesses, mainly including;
  
  means for segmentation of the memory and the verification of the access rights to each segment (53, 56), means for specific protection of the memory segments (53, 56) allocated to saving the recovery context, means for generating a correction demand signal to the device (52) for controlling the processing units and the inputs/outputs, a centralised control device (52) for the processing units and for inputs/outputs, including;
  
  macro-synchronisation means for the processing units (50, 51), comparison/vote means for the data generated by the processing units (50,51), correction demand means, decision-making means arising from the memory access watch devices (55, 58) means for decision-making so as to initialise a correction phase in the event of an error and means allowing the demand to be transmitted simultaneously to all the processing units (50, 51), means allowing the inputs/outputs to be made. some links (60, 61) respectively linking each processing unit to the processing units and inputs/outputs control device (52)
- View Dependent Claims (2, 3, 4)
- - 2. System according to claim 1, in which the memory access watch device (55, 58) includes the means for allowing:
    - memory zones for each task to be differentiated, the accesses to the memory zone affected by the current task to be authorised, the accesses to the memory zones involved in other tasks to be forbidden.
  - 3. System according to claim 1, in which the memory access watch device (55, 58) includes the means for allowing:
    - this context to be memorised in a shared and centralised memory (53, 56) without needing any specific storage device. the memory zones involved in saving the context from each task to be differentiated, each zone used for memorising this context to be controlled in a double “
      
      Old” and
      
      “
      
      New”
      
      bank, to make the double “
      
      Old” and
      
      “
      
      New”
      
      banks work in flip-flop, the double banks to be flip-flopped by simply inverting a set of “
      
      Old” and
      
      “
      
      New”
      
      indexes, the “
      
      Old”
      
      zones to be authorised in reading whilst prohibiting them in writing.
  - 4. System according to any one of the preceding claims, which is used in an onboard electronic system and/or in the spatial field.

5. Process to make a computer system tolerant to transient faults, made up by a processing unit, characterised by the fact that it allows:
- identical software applications to be run simultaneously on at least two processing units (50, 51) independently and asynchronously, and complying with the following functioning;
  
  the transient errors affecting the memory (53, 56) in the processing units (50, 51) are detected and corrected thanks to the use of a detection and correction code stored in the memory associated to a software scanning task, the proper functioning of the microprocessor (54, 57) of the processing units (50, 51) is verified thanks to a segmentation of the memory associated to monitoring of the memory accesses which ensures that the microprocessor really holds the access rights for the current segment of the memory (53, 56), the memory segments allocated to saving the recovery context are extremely secure thanks to specific monitoring of the memory accesses so as to ensure that a faulty microprocessor (54, 57) cannot generate any error in these critical zones, a correction demand is transmitted to the control function for the processing units and the inputs/outputs in the event of a violation of the access rights, the following operations to be centralised in the control function for the processing units and the inputs/outputs, macro-synchronisation of the different simultaneous executions of the software, comparison/vote of all the data generated by the different executions of the software, reception of the correction demands arising from the memory access watch functions following an error detection, when an error is detected, whatever its source may be, decision-making in order to initialise a correction phase and transmission of this demand simultaneously to the different executions of the software, performing the inputs/outputs upon demand from the software applications, the interface to be made between the software programs being executed simultaneously and the control function for the processing units and the inputs/outputs.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. Process according to claim 5, in which there is a confinement zone for errors between software tasks, in such a way that a faulty microprocessor (54, 57) can only disturb the variables of the current task but not those of the other tasks.
  - 7. Process according to claim 5, in which, in the event of error detection, a recovery is possible thanks to the vote then the memorisation of the preceding context of the software tasks, and thanks to it specific protection allowing to guarantee that it is healthy, with this context being memorised in a shared and centralised memory (53,56) in each processing unit (50, 51), in some memory zones specific to each task in a double “
    - Old” and
      
      “
      
      New”
      
      bank working in flip-flop, the flip-flop for these double banks is performed by simply inverting an “
      
      Old” and
      
      “
      
      New”
      
      index set so that the current context will thus become the preceding context, with the “
      
      Old”
      
      zones being authorised in reading to be used as input data for the tasks but forbidden in writing and so protected even in the event of a malfunction of the microprocessors (54, 57).
  - 8. Process according to claim 7, in which the error recovery based on a restoration of the preceding context is performed thanks to the fact that the index stating the preceding context deemed to be healthy is not changed, when it is systematically flip-flopped at the end of the period corresponding to the detection/recovery granularity when no error is detected.
  - 9. Process according to claim 5, in which the error detection/recovery granularity is the control/command cycle for each one of the software tasks being executed on the processing units (50, 51) and in which a recovery may be only be performed on the faulty software task without the execution of the other tasks being affected by it.
  - 10. Process according to claim 5, in which an error detection entails the microprocessor going into standby mode, thereby producing a “
    - hole”
      
      in a period in the usual execution cycle.
  - 11. Process according to claim 5, in which the comparison/vote of the context may be performed optionally in two ways:
    - either, the application software explicitly demands a grouped comparison/vote of the context data so as to save them only if they are deemed to be healthy, with this demand being made systematically at the end of the period corresponding to the detection/recovery granularity;
      
      or, as their calculation progresses, the hardware device for monitoring memory accesses (55, 58) in each processing unit (50, 51) detects any attempt at writing in the context zones and systematically subjects it to a comparison/vote to verify its veracity.
  - 12. Process according to claim 5, in which three error confinement zone levels are defined:
    - spatial, temporal and software levels.
  - 13. Process according to one of claims 5 to 12 which is independent from the choice of the microprocessor and which may be used with all commercial microprocessors.
  - 14. Process according to any one of claims 5 to 12, which is used in an onboard electronic system and/or in the space field.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Centre National D'Etudes Spatiales
Original Assignee
Centre National D'Etudes Spatiales
Inventors
Pignol, Michel

Granted Patent

US 7,024,594 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/38
CPC Class Codes

G06F 11/1471   involving logging of persis...

G06F 11/1641   where the comparison is not...

G06F 11/1683   at instruction level

Computer system that tolerates transient errors and method for management in a system of this type

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system that tolerates transient errors and method for management in a system of this type

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links