Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fault-Tolerant Design

Similar presentations


Presentation on theme: "Fault-Tolerant Design"— Presentation transcript:

1 Fault-Tolerant Design
EE141 Chapter 3 Fault-Tolerant Design

2 What is this chapter about?
Gives Overview of Fault-Tolerant Design Focus on Basic Concepts in Fault-Tolerant Design Metrics Used to Specify and Evaluate Dependability Review of Coding Theory Fault-Tolerant Design Schemes Hardware Redundancy Information Redundancy Time Redundancy Examples of Fault-Tolerant Applications in Industry

3 Fault-Tolerant Design
Introduction Fundamentals of Fault Tolerance Fundamentals of Coding Theory Fault Tolerant Schemes Industry Practices Concluding Remarks

4 Introduction Fault Tolerance
Ability of system to continue error-free operation in presence of unexpected fault Important in mission-critical applications E.g., medical, aviation, banking, etc. Errors very costly Becoming important in mainstream applications Technology scaling causing circuit behavior to become less predictable and more prone to failures Needing fault tolerance to keep failure rate within acceptable levels

5 Faults Permanent Faults Temporary Faults
Due to manufacturing defects, early life failures, wearout failures Wearout failures due to various mechanisms e.g., electromigration, hot carrier degradation, dielectric breakdown, etc. Temporary Faults Only present for short period of time Caused by external disturbance or marginal design parameters

6 Temporary Faults Transient Errors (Non-recurring errors)
Cause by external disturbance e.g., radiation, noise, power disturbance, etc. Intermittent Errors (Recurring errors) Cause by marginal design parameters Timing problems e.g., races, hazards, skew Signal integrity problems e.g., crosstalk, ground bounce, etc.

7 Redundancy Fault Tolerance requires some form of redundancy
Time Redundancy Hardware Redundancy Information Redundancy

8 Time Redundancy Perform Same Operation Twice Advantage Disadvantage
See if get same result both times If not, then fault occurred Can detect temporary faults Cannot detect permanent faults Would affect both computations Advantage Little to no hardware overhead Disadvantage Impacts system or circuit performance

9 Hardware Redundancy Replicate hardware and compare outputs Advantage
From two or more modules Detects both permanent and temporary faults Advantage Little or no performance impact Disadvantage Area and power for redundant hardware

10 Information Redundancy
Encode outputs with error detecting or correcting code Code selected to minimize redundancy for class of faults Advantage Less hardware to generate redundant information than replicating module Drawback Added complexity in design

11 Failure Rate (t) = Component failure rate
Measured in FITS (failures per 109 hours)

12 System Failure Rate System constructed from components
No Fault Tolerance Any component fails, whole system fails

13 Reliability If component working at time 0 Exponential Failure Law
R(t) = Probability still working at time t Exponential Failure Law If failure rate assumed constant Good approximation if past infant mortality period

14 Reliability for Series System
All components need to work for system to work

15 System Reliability with Redundancy
System reliability with component B in Parallel Can tolerate one component B failing

16 Mean-Time-to-Failure (MTTF)
Average time before system fails Equal to area under reliability curve For Exponential Failure Law

17 Maintainability If system failed at time 0
M(t) = Probability repaired and operational at time t System repair time divided into Passive repair time Time for service engineer to travel to site Active repair time Time to locate failing component, repair/replace, and verify system operational Can be improved through designing system so easy to locate failed component and verify

18 Repair Rate and MTTR  = rate at which system repaired
Analogous to failure rate  Maintainability often modeled as Mean-Time-to-Repair (MTTR) = 1/

19 Availability System Availability
t t1 t t t t S 1 failures Normal system operation System Availability Fraction of time system is operational

20 Availability Telephone Systems High-Reliability Systems
Required to have system availability of (“four nines”) High-Reliability Systems May require 7 or more nines Fault-Tolerant Design Needed to achieve such high availability from less reliable components

21 Coding Theory Coding Error Detecting Codes
Using more bits than necessary to represent data Provides way to detect errors Errors occur when bits get flipped Error Detecting Codes Many types Detect different classes of errors Use different amounts of redundancy Ease of encoding and decoding data varies

22 Block Code Message = Data Being Encoded Block code If no redundancy
Encodes m messages with n-bit codeword If no redundancy m messages encoded with log2(m) bits minimum possible

23 Block Code To detect errors, some redundancy needed
Space of distinct 2n blocks partitioned into codewords and non-codewords Can detect errors that cause codeword to become non-codeword Cannot detect errors that cause codeword to become another codeword

24 Separable Block Code Separable Advantage
n-bit blocks partitioned into k information bits directly representing message (n-k) check bits Denoted (n,k) Block Code Advantage k-bit message directly extracted without decoding Rate of Separable Block Code = k/n

25 Example of Separable Block Code
(4,3) Parity Code Check bit is XOR of 3 message bits message 101  codeword 1010 Single Bit Parity

26 Example of Non-Separable Block Code
One-Hot Code Each Codeword has single 1 Example of 8-bit one-hot , , , , , , Redundancy = 1 - log2(8)/8 = 5/8

27 Linear Block Codes Special class For any n-bit codeword c
Modulo-2 sum of any 2 codewords also codeword Null space of (n-k)xn Boolean matrix Called Parity Check Matrix, H For any n-bit codeword c cHT = 0 All 0 codeword exists in any linear code

28 Linear Block Codes Generator Matrix, G Codeword c for message m
kxn Matrix Codeword c for message m c = mG GHT = 0

29 Systematic Block Code First k-bits correspond to message
Last n-k bits correspond to check bits For Systematic Code G = [Ikxk : Pkx(n-k)] H = [I(n-k)x(n-k) : PT(n-k)xk] Example

30 Distance of Code Distance between two codewords Distance of Code
Number of bits in which they differ Distance of Code Minimum distance between any two codewords in code If n=k (no redundancy), distance = 1 Single-bit parity, distance = 2 Code with distance d Detect d-1 errors Correct up to (d-1)/2 errors

31 Error Correcting Codes
Code with distance 3 Called single error correcting (SEC) code Code with distance 4 Called single error correcting and double error detecting (SEC-DED) code Procedure for constructing SEC code Described in [Hamming 1950] Any H-matrix with all columns distinct and no all-0 column is SEC

32 Hamming Code For any value of n Example of SEC Hamming Code for n=7
SEC code constructed by setting each column in H equal to binary representation of column number (starting from 1) Number of rows in H equal to log2(n+1) Example of SEC Hamming Code for n=7

33 Error Correction in Hamming Code
Syndrome, s s = HvT for received vector v If v is codeword Syndrome = 0 If v non-codeword and single-bit error Syndrome will match one of columns of H Will contain binary value of bit position in error

34 Example of Error Correction
For (7,3) Hamming Code Suppose codeword has one-bit error changing it to

35 SEC-DED Code Make SEC Hamming Code SEC-DED
By adding parity check over all bits Extra parity bit 1 for single-bit error 0 for double-bit error Makes possible to detect double bit error Avoid assuming single-bit error and miscorrecting it

36 Example of Error Correction
For (7,4) SEC-DED Hamming Code Suppose codeword has two-bit error changing it to Doesn’t match any column in H

37 Hsiao Code Weight of column Constructing n-bit SEC-DED Hsiao Code
Number of 1’s in column Constructing n-bit SEC-DED Hsiao Code First use all possible weight-1 columns Then all possible weight-3 columns Then weight-5 columns, etc. Until n columns formed Number check bits is log2(n+1) Minimizes number of 1’s in H-matrix Less hardware and delay for computing syndrome Disadvantage: Correction logic more complex

38 Example of Hsiao Code (7,3) Hsiao Code
Uses weight-1 and weight-3 columns

39 Unidirectional Errors
Errors in block of data which only cause 01 or 10, but not both Any number of bits in error in one direction Example Correct codeword Unidirectional errors could cause 001000, , (only 10 errors) Non-unidirectional errors 101001, , (both10 and 01)

40 Unidirectional Error Detecting Codes
All unidirectional error detecting (AUED) Codes Detect all unidirectional errors in codeword Single-bit parity is not AUED Cannot detect even number of errors No linear code is AUED All linear codes must contain all-0 vector, so cannot detect all 10 errors

41 Two-Rail Code Two-Rail Code Example of (6,3) Two-Rail Code
One check bit for each information bit Equal to complement of information bit Two-Rail Code is AEUD 50% Redundancy Example of (6,3) Two-Rail Code Message 101 has Codeword Set of all codewords 000111, , , , , , ,

42 Berger Codes Lowest redundancy of separable AUED codes Example
For k information bits, log2(k+1) check bits Check bits equal to binary representation of number of 0’s in information bits Example Information bits log2(7+1)=3 check bits Check bits equal to 100 (4 zero’s)

43 Berger Codes Codewords for (5,3) Berger Code If unidirectional errors
00011, 00110, 01010, 01101, 10010, 10101, 11001, 11100 If unidirectional errors Contain 10 errors increase 0’s in information bits can only decrease binary number in check bits Contain 01 errors decrease 0’s in information bits can only increase binary number in check bits

44 Berger Codes If 8 information bits (16,8) Two-Rail Code
Berger code requires log28+1=4 check bits (16,8) Two-Rail Code Requires 50% redundancy Redundancy advantage of Berger Code Increases as k increased

45 Constant Weight Codes Constant Weight Codes
Non-separable, but lower redundancy than Berger Each codeword has same number of 1’s Example 2-out-of-3 constant weight code 110, 011, 101 AEUD code Unidirectional errors always change number of 1’s

46 Constant Weight Codes Number codewords in m-out-of-n code
Codewords maximized when m close to n/2 as possible n/2-out-of-n when n even (n/2-0.5 or n/2+0.5)-out-of-n when n odd Minimizes redundancy of code

47 Example 6-out-of-12 constant weight code 12-bit Berger Code
Only 28 = 256 codewords

48 Constant Weight Codes Advantage Disadvantage
Less redundancy than Berger codes Disadvantage Non-separable Need decoding logic to convert codeword back to binary message

49 Burst Error Burst Error Example: Original codeword 00000000
Common, multi-bit errors tend to be clustered Noise source affects contiguous set of bus lines Length of burst error number of bits between first and last error Wrap around from last to first bit of codeword Example: Original codeword is burst error length 4 is burst error length 4 Any number of errors between first and last error

50 Cyclic Codes Special class of linear code
Any codeword shifted cyclically is another codeword Used to detect burst errors Less redundancy required to detect burst error than general multi-bit errors Some distance 2 codes can detect all burst errors of length 4 detecting all possible 4-bit errors requires distance 5 code

51 Cyclic Redundancy Check (CRC) Code
Most widely used cyclic code Uses binary alphabet based on GF(2) CRC code is (n,k) block code Formed using generator polynomial, g(x) called code generator degree n-k polynomial (same degree as number of check bits)

52 Message m(x) g(x) c(x) Codeword 0000 x2 + 1 000000 0001 1 000101 0010 x x3 + x 001010 0011 x + 1 x3 + x2 + x + 1 001111 0100 x2 x4 + x2 010100 0101 x4 + 1 010001 0110 x2 + x x4 + x3 + x2 + x 011110 0111 x2 + x + 1 x4 + x3 + x + 1 011011 1000 x3 x5 + x3 101000 1001 x3 + 1 x5 + x3 + x2 + 1 101101 1010 x5 + x 100010 1011 x3 + x + 1 x5 + x2 + x + 1 100111 1100 x3 + x2 x5 + x4 + x3 + x2 111100 1101 x3 + x2 + 1 x5 + x4 + x3 + 1 111001 1110 x3 + x2 + x x5 + x4 + x2 + x 110110 1111 x5 + x4 + x + 1 110011

53 CRC Code Linear block code Has G-matrix and H-matrix
G-matrix shifted version of generator polynomial

54 CRC Code Example (6,4) CRC code generated by g(x)=x2+1

55 Systematic CRC Codes To obtain systematic CRC code
codewords formed using Galois division nice because LFSR can be used for performing division

56 Galois Division Example
Encode m(x)=x2+x with g(x)=x2+1 Requires dividing m(x)xn-k =x4+x3 by g(x) Remainder r(x)=x+1 c(x) = m(x)xn-k+r(x) = (x2+x)(x2)+x+1 = x4+x3+x+1

57 Message m(x) g(x) r(x) c(x) Codeword 0000 x2 + 1 000000 0001 1 000101 0010 x x3 + x 001010 0011 x + 1 x3 + x2 + x + 1 001111 0100 x2 x4 + 1 010001 0101 x4 + x2 010100 0110 x2 + x x4 + x3 + x + 1 011011 0111 x2 + x + 1 011110 1000 x3 100010 1001 x3 + 1 100111 1010 101000 1011 x3 + x + 1 101101 1100 x3 + x2 110011 1101 x3 + x2 + 1 110110 1110 x3 + x2 + x 111001 1111 x4 + x3 + x2 + x 111100

58 Generating Check Bits for CRC Code
Use LFSR With characteristic polynomial equal to g(x) Append n-k 0’s to end of message Example: m(x)=x2+x+1 and g(x)=x3+x+1

59 Checking CRC Codeword Checking Received Codeword for Errors
Shift codeword into LFSR with same characteristic polynomial as used to generate it If final state of LFSR non-zero, then error

60 Selecting Generator Polynomial
Key issue for CRC Codes If first and last bit of polynomial are 1 Will detect burst errors of length n-k or less If generator polynomial is multiple of (x+1) Will detect any odd number of errors If g(x) = (x+1)p(x) where p(x) primitive of degree n-k-1 and n < 2n-k-1 Will detect single, double, triple, and odd errors

61 Commonly Used CRC Generators
CRC code Generator Polynomial CRC-5 (USB token packets) x5+x2+1 CRC-12 (Telecom systems) x12+x11+x3+x2+x+1 CRC-16-CCITT (X25, Bluetooth) x16+x12+x5+1 CRC-32 (Ethernet) x32+x26+x23+x22+x16+x12+x11+x10+x8 +x7+x5+x4+x+1 CRC-64 (ISO) x64+x4+x3+x+1

62 Fault Tolerance Schemes
Adding Fault Tolerance to Design Improves dependability of system Requires redundancy Hardware Time Information

63 Hardware Redundancy Involves replicating hardware units
At any level of design gate-level, module-level, chip-level, board-level Three Basic Forms Static (also called Passive) Masks faults rather than detects them Dynamic (also called Active) Detects faults and reconfigures to spare hardware Hybrid Combines active and passive approaches

64 Static Redundancy Masks faults so no erroneous outputs
Provides uninterrupted operation Important for real-time systems No time to reconfigure or retry operation Simple self-contained No need to update or rollback system state

65 Triple Module Redundancy (TMR)
Well-known static redundancy scheme Three copies of module Use majority voter to determine final output Error in one module out-voted by other two

66 TMR Reliability and MTTF
TMR works if any 2 modules work Rm = reliability of each module Rv = reliability of voter MTTF for TMR

67 Comparison with Simplex
Neglecting fault rate of voter TMR has lower MTTF, but Can tolerate temporary faults Higher reliability for short mission times

68 Comparison with Simplex
Crossover point RTMR > Rsimplex when Mission time shorter than 70% of MTTF

69 N-Modular Redundancy (NMR)
N modules along with majority voter TMR special case Number of failed modules masked = (N-1)/2 As N increases, MTTF decreases But, reliability for short missions increases If goal only to tolerate temporary faults TMR sufficient

70 Interwoven Logic Replace each gate
with 4 gates using inconnection pattern that automatically corrects errors Traditionally not as attractive as TMR Requires lots of area overhead Renewed interest by researchers investigating emerging nanoelectronic technologies

71 Interwoven Logic with 4 NOR Gates

72 Example of Error on Third Y Input

73 Dynamic Redundancy Involves Detecting fault
Locating faulty hardware unit Reconfiguring system to use spare fault-free hardware unit

74 Unpowered (Cold) Spares
Advantage Extends lifetime of spares Equations Assume spare not failing until powered Perfect reconfiguration capability

75 Unpowered (Cold) Spares
One cold spare doubles MTTF Assuming faults always detected and reconfiguration circuitry never fails Drawback of cold spare Extra time to power and initialize Cannot be used to help in detecting faults Fault detection requires either periodic offline testing online testing using time or information redundancy

76 Powered (Hot) Spares Can use spares for online fault detection
One approach is duplicate-and-compare If outputs mismatch then fault occurred Run diagnostic procedure to determine which module is faulty and replace with spare Any number of spares can be used

77 Pair-and-a-Spare Avoids halting system to run diagnostic procedure when fault occurs

78 TMR/Simplex When one module in TMR fails TMR/Simplex
Disconnect one of remaining modules Improves MTTF while retaining advantages of TMR when 3 good modules TMR/Simplex Reliability always better than either TMR or Simplex alone

79 Comparison of Reliability vs Time

80 Hybrid Redundancy Combines both static and dynamic redundancy
Masks faults like static Detects and reconfigures like dynamic

81 TMR with Spares If TMR module fails Replace with spare
can be either hot or cold spare While system has three working modules TMR will provide fault masking for uninterrupted operation

82 Self-Purging Redundancy
Uses threshold voter instead of majority voter Threshold voter outputs 1 if number of input that are 1 greater than threshold Otherwise outputs 0 Requires hot spares

83 Self-Purging Redundancy

84 Self-Purging Redundancy
Compared with 5MR Self-purging with 5 modules Tolerate up to 3 failing modules (5MR cannot) Cannot tolerate two modules simultaneously failing (5MR can) Compared with TMR with 2 spares simpler reconfiguration circuitry requires hot spares (3MR w/spares can use either hot or cold spares)

85 Time Redundancy Advantage Drawback If error detected Less hardware
Cannot detect permanent faults If error detected System needs to rollback to known good state before resuming operation

86 Repeated Execution Repeat operation twice
Simplest time redundancy approach Detects temporary faults occurring during one execution (but not both) Causes mismatch in results Can reuse same hardware for both executions Only one copy of functional hardware needed

87 Repeated Execution Requires mechanism for storing and comparing results of both executions In processor, can store in memory or on disk and use software to compare Main cost Additional time for redundant execution and comparison

88 Multi-threaded Redundant Execution
Can use in processor-based system that can run multiple threads Two copies of thread executed concurrently Results compared when both complete Take advantage of processor’s built-in capability to exploit processing resources Reduce execution time Can significantly reduce performance penalty

89 Multiple Sampling of Outputs
Done at circuit-level Sample once at end of normal clock cycle Same again after delay of t Two samples compared to detect mismatch Indicates error occurred Detect fault whose duration is less than t Performance overhead depends on Size of t relative to normal clock period

90 Multiple Sampling of Outputs
Simple approach using two latches

91 Multiple Sampling of Outputs
Approach using stability checker at output

92 Diverse Recomputation
Use same hardware, but perform computation differently second time Can detect permanent faults that affects only one computation For arithmetic or logical operations Shift operands when performing second computation [Patel 1982] Detects permanent fault affecting only one bit-slice

93 Information Redundancy
Based on Error Detecting and Correcting Codes Advantage Detects both permanent and temporary faults Implemented with less hardware overhead than using multiple copies of module Disadvantage More complex design

94 Error Detection Error detecting codes used to detect errors
If error detected Rollback to previous known error-free state Retry operation

95 Rollback Requires adding storage to save previous state
Amount of rollback depends on latency of error detection mechanism Zero-latency error detection rollback implemented by preventing system state from updating If errors detected after n cycles need rollback restoring system to state at least n clock cycles earlier

96 Checkpoint Execution divided into set of operations
Before each operation executed checkpoint created where system state saved If any error detected during operation rollback to last checkpoint and retry operation If multiple retries fail operation halts and system flags that permanent fault has occurred

97 Error Detection Encode outputs of circuit with error detecting code
Non-codeword output indicates error

98 Self-Checking Checker
Has two outputs Normal error-free case (1,0) or (0,1) If equal to each other, then error (0,0) or (1,1) Cannot have single error indicator output Stuck-at 0 fault on output could never be detected

99 Totally Self-Checking Checker
Requires three properties Code Disjoint all codeword inputs mapped to codeword outputs Fault Secure for all codeword inputs, checker in presence of fault will either procedure correct codeword output or non-codeword output (not incorrect codeword) Self-Testing For each fault, at least one codeword input gives error indication

100 Duplicate-and-Compare
Equality checker indicates error Undetected error can occur only if common-mode fault affecting both copies Only faults after stems detected Over 100% overhead (including checker)

101 Single-Bit Parity Code
Totally self-checking checker formed by removing final gate from XOR tree

102 Single-Bit Parity Code
Cannot detect even bit errors Can ensure no even bit errors by generating each output with independent cone of logic Only single bit errors can occur due to single point fault Typically requires a lot of overhead

103 Parity-Check Codes Each check bit is parity for some set of output bits Example: 6 outputs and 3 check bits

104 Parity-Check Codes For c check bits and k functional outputs
2ck possible parity check codes Can choose code based on structure of circuit to minimize undetected error combinations Fanouts in circuit determine possible error combinations due to single-point fault

105 Checker for Parity-Check Codes
Constructed from single-bit parity checkers and two-rail checkers

106 Two-Rail Checkers Totally self-checking two-rail checker

107 Berger Codes Inverter-free circuit Inverters only at primary inputs
Can be synthesized using only algebraic factoring [Jha 1993] Only unidirectional errors possible for single point faults Can use unidirectional code Berger code gives 100% coverage

108 Constant Weight Codes Non-separable with lower redundancy
Drawback: need decoding logic to convert codeword back to its original binary value Can use for encoding states of FSM No need for decoding logic

109 Error Correction Information redundancy can also be used to mask errors Not as attractive as TMR because logic for predicting check bits very complex However, very good for memories Check bits stored with data Error do not propagate in memories as in logic circuits, so SEC-DED usually sufficient

110 Error Correction Memories very dense and prone to errors
Especially due to single-event upsets (SEUs) from radiation SEC-DED check bits stored in memory 32-bit word, SEC-DED requires 7 check bits Increases size of memory by 7/32=21.9% 64-bit word, SEC-DED requires 8 check bits Increases size of memory by 8/64=12.5%

111 Memory ECC Architecture

112 Hamming Code for ECC RAM
Z Z Z Z Z Z Z Z c c c c 1 2 3 4 5 6 7 8 1 2 3 4 Parity Group 1 1 1 1 1 1 1 Parity Group 2 1 1 1 1 1 1 Parity Group 3 1 1 1 1 1 Parity Group 4 1 1 1 1 1

113 Memory ECC SEC-DED generally very effective
Memory bit-flips tend to be independent and uniformly distributed If bit-flip occurs, gets corrected next time memory location accessed Main risk is if memory word not access for long time Multiple bit-flips could accumulate

114 Memory Scrubbing Every location in memory read on periodic basis
Reduces chance of multiple errors accumulating in a memory word Can be implemented by having memory controller cycle through memory during idle periods

115 Multiple-Bit Upsets (MBU)
Can occur due to single SEU Typically occur in adjacent memory cells Memory interleaving used To prevent MBUs from resulting in multiple bit errors in same word

116 Error or Delay Catastrophic Fault Masking Capability Aircraft
Type Issues Goal Examples Techniques Long-Life Systems Difficult or Expensive to Repair Maximize MTTF Satellites Spacecraft Implanted Biomedical Dynamic Redundancy Reliable Real-Time Error or Delay Catastrophic Fault Masking Capability Aircraft Nuclear Power Plant Air Bag Electronics Radar TMR High Availability Systems Downtime Very Costly High Availability Reservation System Stock Exchange Telephone Systems No Single Point of Failure; Self-Checking Pairs; Fault Isolation High Integrity Systems Data Corruption Data Integrity Banking Transaction Processing Database Checkpointing, Time Redundancy; ECC; Redundant Disks Mainstream Low-Cost Systems Reasonable Level of Failures Acceptable Meet Failure Rate Expectations at Low Cost Consumer Electronics Personal Computers Often None; Memory ECC; Bus Parity; Changing as Technology Scales

117 Concluding Remarks Many different fault-tolerant schemes
Choosing scheme depends on Types of faults to be tolerated Temporary or permanent Single or multiple point failures etc. Design constraints Area, performance, power, etc.

118 Concluding Remarks As technology scales
Circuits increasingly prone to failure Achieving sufficient fault tolerance will be major design issue


Download ppt "Fault-Tolerant Design"

Similar presentations


Ads by Google