
Fault Tolerant Means of Code Module Selection

IP.com Disclosure Number: IPCOM000103787D
Original Publication Date: 1993-Jan-01
Included in the Prior Art Database: 2005-Mar-18
Document File: 1 page(s) / 45K

Publishing Venue

IBM

Related People

Furtney, DA: AUTHOR [+4]

Abstract

A method to safely select one (if any) of multiple redundant code modules to transfer system control to, assuming any or all of the code modules may have corrupted code, is disclosed. Execution of code in a corrupted module is assumed to be unsafe.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 98% of the total text.

      The use of redundant alterable code modules (e.g., EEPROM) with
identical code loads provides the capability to alter all code and
maintain full functionality even while being altered.  This, however,
introduces the problem of which module to transfer initial control
to, given that any or all may be damaged.

      Our method is to use a highly reliable code module (e.g.,
unalterable EPROM) to control the selection of the less reliable
alterable system control modules.  This selection module contains
minimal code that performs an integrity check of the candidate code
modules (CRC or checksum) and then selects one of the candidate
modules whose integrity has been verified.  The choice among verified
modules may be made by taking the one with the latest timestamp/level
and/or by scanning for an "execute me" marker.  If none of the
candidate modules passes the integrity check, the selection module
does not transfer control to any of them.  In such a case, the
selection module may halt, loop, or report an error.

      This method can tolerate failure in any or all of the candidate
modules.  Corrupted code is not executed even in the case in which
all the candidate modules are corrupted.
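
The selection logic described above, sketched in C as an added example (not code from the disclosure). The slot layout, the CRC-32 polynomial, and the names `select_module`, `slot_ok` and `make_slot` are assumptions made for illustration; a return of -1 is the case in which the selection module must halt, loop, or report an error instead of transferring control.

```c
#include <stdint.h>
#include <string.h>
/* Assumed slot layout (not from the disclosure), little-endian fields:
   [0..3] CRC-32 of bytes 4..11+len  [4..7] level  [8..11] code length  [12..] code */
#define SLOT_SIZE 64u
#define HDR_SIZE  12u
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* A slot verifies only if its length is in range and the CRC over level+length+code matches. */
static int slot_ok(const uint8_t *s) {
    uint32_t len = rd32(s + 8);
    if (len == 0 || len > SLOT_SIZE - HDR_SIZE) return 0;  /* never read past the slot */
    return crc32_calc(s + 4, 8 + len) == rd32(s);
}
/* Index of the verified slot with the highest level, or -1 when none verifies. */
int select_module(uint8_t slots[][SLOT_SIZE], int n) {
    int best = -1;
    for (int i = 0; i < n; i++)
        if (slot_ok(slots[i]) && (best < 0 || rd32(slots[i] + 4) > rd32(slots[best] + 4)))
            best = i;
    return best;
}
/* Builds a constructed sample slot for the demonstration (0xFF models erased EEPROM). */
void make_slot(uint8_t *s, uint32_t level, const char *code) {
    uint32_t len = (uint32_t)strlen(code);
    memset(s, 0xFF, SLOT_SIZE);
    wr32(s + 4, level); wr32(s + 8, len);
    memcpy(s + HDR_SIZE, code, len);
    wr32(s, crc32_calc(s + 4, 8 + len));
}
int main(void) {
    uint8_t slots[2][SLOT_SIZE];
    make_slot(slots[0], 5, "code-v5");
    make_slot(slots[1], 7, "code-v7");
    slots[1][HDR_SIZE] ^= 0x01;                 /* simulate a bit flip in the newer module */
    return select_module(slots, 2) == 0 ? 0 : 1; /* the older, intact slot 0 is chosen */
}
```

Because the CRC covers the level and length fields as well as the code, a slot whose level was corrupted upward cannot win the selection, and a corrupted length is rejected before it can drive a read outside the slot.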

  ...