If each of the components, in turn, can continue to function when one of its subcomponents fails, this will allow the system to continue functioning. Using a passenger vehicle such as, a car may have "flat" tires, each of which contains a solid rubber core, allowing them to be used even if a tire goes flat. A flat flat tire can be used for a limited amount of time at a reduced speed.

Redundancy is the provision of functions that would be unnecessary in a failure-free environment.[2]​

This may be a backup component that is automatically discarded in the event of a component failure. For example, large trucks can lose a tire without major consequences. They have many tires, and none of the tires are critical (with the exception of the front tires, which are used for steering). The idea of ​​incorporating redundancy in order to improve the reliability of a system was introduced by John von Neumann in the 1950s.[3]​.

Two possible types of redundancy are:[4] space redundancy and time redundancy. Spatial redundancy provides additional components, functions, or data elements that are not necessary for fault-free operations. Spatial redundancy is classified into hardware, software and information redundancy, depending on the type of redundant resources added to the system. When replicating, the calculation or data transmission is repeated and the result is compared with a stored copy of the previous result.

Providing a fault-tolerant design for each component does not always have to be an option. Redundancy is associated with a series of penalties: increased weight, size, energy consumption, cost, as well as time to design, verify, and test. Therefore, a number of options have to be examined to determine which components should be fault tolerant:[5]​.

• - How ​​important is the component? In a car, the radio is not critical, so this component has less need to be fault tolerant.

• - What is the probability that this component will fail? Some components, such as the driveshaft in a car, are not likely to fail, so they do not need to be fault tolerant.

• - What is the cost to make the component fault tolerant? Does it require redundancy of the car engine, for example, it is probably too expensive both financially and in terms of weight and space to be considered as an option.

An example of a component that passes all of the car's tests is a passenger restraint system. While the main passenger restraint system, gravity, is not normally believed. In the event of a vehicle rollover or severe g-forces, this primary method of passenger restraint may fail. Retaining passengers during such an accident is absolutely critical to their safety, so this component passes the first test. Accidents resulting in passenger ejection were quite common before seat belts, so it passes the second test as well. The cost of a redundant restraint method like seat belts is quite low, both economically and in terms of weight and space, so it passes the third test. Therefore, adding seat belts to all vehicles is a great idea. Other "supplementary restraint systems," such as air bags, are more expensive and pass tests by a smaller margin.

The basic characteristics of fault tolerance:

1. • No single point of failure - If a system experiences a failure, it must continue to operate without interruption during the repair process.

2. • Isolation of faults in the component that is failing, when an error occurs, the system must be able to isolate the fault from recurrence. This requires the addition of dedicated failure detection mechanisms that exist solely for the purpose of failure isolation. Recovery from a failure condition requires classification of the breakdown or failure in the component. The National Institute of Standards and Technology (NIST) classifies failures based on location, cause, duration, and effect.

3. • Fault containment to prevent propagation) - some failure mechanisms can cause system failures by propagating the failure to the rest of the system. An example of this type of failure is the "rogue transmitter" which can collapse legitimate communication in a global system and cause system failures. Mechanisms that protect the system and isolate a rogue transmitter or failing components are required.

4. • Availability of rollback modes.

On the other hand, fault-tolerant systems are characterized in terms of service interruptions and unplanned service interruptions. These are generally measured at the application level and not just at the hardware level. The figure of merit is called availability and is expressed as a percentage. For example, a “five nines” system would statistically provide 99.999% availability.

Fault-tolerant systems are generally based on the concept of redundancy.

Fault tolerance is fundamentally dealt with in the following three ways:

• - Replication: provide multiple identical instances on the same system or subsystem, addressing tasks or requests from all of them in parallel, and choosing the correct outcome based on a quorum;

• - Redundancy: provide multiple identical cases on the same system and the ability to switch to one of the remaining cases in case of failure;

• - Diversity: provide multiple different implementations of the same specification, and use them as duplicate systems to address bugs in a particular application.

All RAID implementations, except RAID 0, are examples of a fault-tolerant data storage device that uses data redundancy.

A rigid fault-tolerant machine uses replicated elements running in parallel. At any time, all repetitions of each element must be in the same state. The same inputs are provided to each replica, always expecting the same expected results. The outputs of the replications are compared using an electoral circuit. A machine with two repetitions of each element is called dual modular redundancy (RMD). Circuit voting can only detect a discrepancy and recovery depends on other methods. A machine with three repetitions of each element is called triple modular redundancy (RMT). The circuit voting result can determine which replication is in error state when a two-to-one vote is observed. In this case, the circuit voting result may result in the correct result and reject the wrong version. After this, the internal state of the faulty mirror is assumed to be different from that of the other two, and the voting result of the circuit can change to a faulty mode. This model can be applied to any larger number of replications.

Rigid fault-tolerant machines are easier to make fully synchronous, with each of the gates of each of the replicas having the same state transition on the same clock edge, and the replicas' clocks being exactly in phase. However, it is possible to build systems that preach without this requirement.

Replaying in sync requires making your internal saved states the same. Which can be started from a fixed initial state, such as the reset state. Furthermore, the internal state of a replica can be copied to another replica.

A variant of RMD is pair and spare. Two replicated elements operate synchronously in tandem, with circuit voting detecting mismatches between their operations and issuing a signal indicating an error. Another couple works exactly the same way. A final circuit selects the output of the pair that is not proclaimed to be a mistake. Spare Pair requires four replicas instead of the RMT's three, but has been used commercially.

The advantages of fault-oriented designs are obvious, while many of their drawbacks are not:

• - Interference with fault detection in the same component. To continue with the previous passenger vehicle example, it may not be obvious to the driver to realize when a tire has gone flat, with any of the fault-tolerant systems. This is usually handled with an "automatic fault detection system". In the case of the tire, an air pressure monitor detects the loss of pressure and notifies the driver. The alternative is "manual fault detection system", such as manually inspecting all tires at each stop.

• - Interference with fault detection in another component. Another variant of this problem is when fault tolerance in one component prevents fault detection in a different component. For example, if component B performs some operations based on the production of component A, fault tolerance in B may hide a problem in A. If component B is later changed (to a less fault-tolerant design), the system may suddenly fail, giving the impression that the new component B is the problem. Only after the system has been carefully studied will it become clear that the problem is actually with component A.

• - Reduced priority of error correction. Even if the operator realizes the fault, having a fault-tolerant system is likely to reduce the importance of fixing the fault. If faults are not corrected, this will lead to future system failures, when fault tolerance or the component fails completely when all redundant components have failed.

• - Difficulty of testing. For some critics of fault-tolerant systems, such as a nuclear reactor, there is no easy way to verify that backup components are functional. The most famous example of this is the Chernobyl disaster, where operators tested emergency backup by disabling primary cooling and secondary cooling. The backup failed, resulting in a nuclear meltdown of the reactor and massive release of radiation.

• - Cost. Both fault-tolerant components and redundant components tend to increase. This may be a simple economic cost or may include other measures, such as weight. Manned spacecraft, for example, have so many redundant and fault-tolerant components that their weight increases dramatically in unmanned systems, which do not require the same level of safety.

• - Substandard components. A fault-tolerant design may allow the use of substandard components, which could make the system inoperable. While this practice has the potential to mitigate increased costs, the use of multiple substandard components can reduce system reliability to a level equal to or even worse than a non-fault tolerant system.

Fault-tolerant hardware sometimes requires that broken parts can be removed and replaced with new parts while the system continues to operate (known in computing as hot swapping). Such a system with a single backup is known as a single point tolerant and represents the vast majority of fault tolerant systems. In these types of systems the mean time between failures must be long enough so that operators can fix broken devices (mean time to repair) before the backup also fails. It is recommended that the time between failures be as long as possible, but it is not strictly necessary in a fault-tolerant system.

Fault tolerance works very well in computer applications. The first fault-tolerant computer was SAPO "SAPO (computer)") in the Czech Republic. The company Tandem Computers has based its entire business on this type of equipment, which uses a single point of tolerance to create its NonStop systems, whose operating periods can be measured in years.

Computer programs can also use fault-free architectures, for example in process replication.

Data formats can also be designed to degrade correctly. The HTML language, for example, is designed to be compatible, allowing web browsers to ignore new HTML entities that they do not understand without rendering the document unusable.

There is a difference between fault tolerance and systems that rarely have problems. For example, Western Electric crossbar systems had failure rates of two hours per forty years and were therefore highly failure-resistant. But when the failure occurred, the systems stopped working completely, and therefore, were not fault tolerant.

• - Cluster "Cluster (computing)").

• - Defense in depth.

• - Detection and correction of errors.

• - Progressive improvement.

• - Resilience (ecology) "Resilience (ecology)").

• - Rhizome (philosophy) "Rhizome (philosophy)").

• - Rollback.

• - Solidity (informatics) "Solidity (informatics)").

• - Implementation and evaluation of failsafe computer-controlled systems.

• - Seminar on Self-Healing Systems.

• - Article about TMR with reference to TMR usage in avionics and industry.

• - EU funded research project HPC4U addressing development of fault tolerant technologies for Grid computing environments.

• - Fault Tolerance and High Availability Systems.

• - High Availability Software.

• - Graceful Degradation in the RKBExplorer.

• - Fault Tolerance and High Availability Systems for Check Point Firewall and VPN networks with Resilience line of FCR appliances.

If each of the components, in turn, can continue to function when one of its subcomponents fails, this will allow the system to continue functioning. Using a passenger vehicle such as, a car may have "flat" tires, each of which contains a solid rubber core, allowing them to be used even if a tire goes flat. A flat flat tire can be used for a limited amount of time at a reduced speed.

Redundancy is the provision of functions that would be unnecessary in a failure-free environment.[2]​

This may be a backup component that is automatically discarded in the event of a component failure. For example, large trucks can lose a tire without major consequences. They have many tires, and none of the tires are critical (with the exception of the front tires, which are used for steering). The idea of ​​incorporating redundancy in order to improve the reliability of a system was introduced by John von Neumann in the 1950s.[3]​.

Two possible types of redundancy are:[4] space redundancy and time redundancy. Spatial redundancy provides additional components, functions, or data elements that are not necessary for fault-free operations. Spatial redundancy is classified into hardware, software and information redundancy, depending on the type of redundant resources added to the system. When replicating, the calculation or data transmission is repeated and the result is compared with a stored copy of the previous result.

Providing a fault-tolerant design for each component does not always have to be an option. Redundancy is associated with a series of penalties: increased weight, size, energy consumption, cost, as well as time to design, verify, and test. Therefore, a number of options have to be examined to determine which components should be fault tolerant:[5]​.

• - How ​​important is the component? In a car, the radio is not critical, so this component has less need to be fault tolerant.

• - What is the probability that this component will fail? Some components, such as the driveshaft in a car, are not likely to fail, so they do not need to be fault tolerant.

• - What is the cost to make the component fault tolerant? Does it require redundancy of the car engine, for example, it is probably too expensive both financially and in terms of weight and space to be considered as an option.

An example of a component that passes all of the car's tests is a passenger restraint system. While the main passenger restraint system, gravity, is not normally believed. In the event of a vehicle rollover or severe g-forces, this primary method of passenger restraint may fail. Retaining passengers during such an accident is absolutely critical to their safety, so this component passes the first test. Accidents resulting in passenger ejection were quite common before seat belts, so it passes the second test as well. The cost of a redundant restraint method like seat belts is quite low, both economically and in terms of weight and space, so it passes the third test. Therefore, adding seat belts to all vehicles is a great idea. Other "supplementary restraint systems," such as air bags, are more expensive and pass tests by a smaller margin.

The basic characteristics of fault tolerance:

1. • No single point of failure - If a system experiences a failure, it must continue to operate without interruption during the repair process.

2. • Isolation of faults in the component that is failing, when an error occurs, the system must be able to isolate the fault from recurrence. This requires the addition of dedicated failure detection mechanisms that exist solely for the purpose of failure isolation. Recovery from a failure condition requires classification of the breakdown or failure in the component. The National Institute of Standards and Technology (NIST) classifies failures based on location, cause, duration, and effect.

3. • Fault containment to prevent propagation) - some failure mechanisms can cause system failures by propagating the failure to the rest of the system. An example of this type of failure is the "rogue transmitter" which can collapse legitimate communication in a global system and cause system failures. Mechanisms that protect the system and isolate a rogue transmitter or failing components are required.

4. • Availability of rollback modes.

On the other hand, fault-tolerant systems are characterized in terms of service interruptions and unplanned service interruptions. These are generally measured at the application level and not just at the hardware level. The figure of merit is called availability and is expressed as a percentage. For example, a “five nines” system would statistically provide 99.999% availability.

Fault-tolerant systems are generally based on the concept of redundancy.

Fault tolerance is fundamentally dealt with in the following three ways:

• - Replication: provide multiple identical instances on the same system or subsystem, addressing tasks or requests from all of them in parallel, and choosing the correct outcome based on a quorum;

• - Redundancy: provide multiple identical cases on the same system and the ability to switch to one of the remaining cases in case of failure;

• - Diversity: provide multiple different implementations of the same specification, and use them as duplicate systems to address bugs in a particular application.

All RAID implementations, except RAID 0, are examples of a fault-tolerant data storage device that uses data redundancy.

A rigid fault-tolerant machine uses replicated elements running in parallel. At any time, all repetitions of each element must be in the same state. The same inputs are provided to each replica, always expecting the same expected results. The outputs of the replications are compared using an electoral circuit. A machine with two repetitions of each element is called dual modular redundancy (RMD). Circuit voting can only detect a discrepancy and recovery depends on other methods. A machine with three repetitions of each element is called triple modular redundancy (RMT). The circuit voting result can determine which replication is in error state when a two-to-one vote is observed. In this case, the circuit voting result may result in the correct result and reject the wrong version. After this, the internal state of the faulty mirror is assumed to be different from that of the other two, and the voting result of the circuit can change to a faulty mode. This model can be applied to any larger number of replications.

Rigid fault-tolerant machines are easier to make fully synchronous, with each of the gates of each of the replicas having the same state transition on the same clock edge, and the replicas' clocks being exactly in phase. However, it is possible to build systems that preach without this requirement.

Replaying in sync requires making your internal saved states the same. Which can be started from a fixed initial state, such as the reset state. Furthermore, the internal state of a replica can be copied to another replica.

A variant of RMD is pair and spare. Two replicated elements operate synchronously in tandem, with circuit voting detecting mismatches between their operations and issuing a signal indicating an error. Another couple works exactly the same way. A final circuit selects the output of the pair that is not proclaimed to be a mistake. Spare Pair requires four replicas instead of the RMT's three, but has been used commercially.

The advantages of fault-oriented designs are obvious, while many of their drawbacks are not:

• - Interference with fault detection in the same component. To continue with the previous passenger vehicle example, it may not be obvious to the driver to realize when a tire has gone flat, with any of the fault-tolerant systems. This is usually handled with an "automatic fault detection system". In the case of the tire, an air pressure monitor detects the loss of pressure and notifies the driver. The alternative is "manual fault detection system", such as manually inspecting all tires at each stop.

• - Interference with fault detection in another component. Another variant of this problem is when fault tolerance in one component prevents fault detection in a different component. For example, if component B performs some operations based on the production of component A, fault tolerance in B may hide a problem in A. If component B is later changed (to a less fault-tolerant design), the system may suddenly fail, giving the impression that the new component B is the problem. Only after the system has been carefully studied will it become clear that the problem is actually with component A.

• - Reduced priority of error correction. Even if the operator realizes the fault, having a fault-tolerant system is likely to reduce the importance of fixing the fault. If faults are not corrected, this will lead to future system failures, when fault tolerance or the component fails completely when all redundant components have failed.

• - Difficulty of testing. For some critics of fault-tolerant systems, such as a nuclear reactor, there is no easy way to verify that backup components are functional. The most famous example of this is the Chernobyl disaster, where operators tested emergency backup by disabling primary cooling and secondary cooling. The backup failed, resulting in a nuclear meltdown of the reactor and massive release of radiation.

• - Cost. Both fault-tolerant components and redundant components tend to increase. This may be a simple economic cost or may include other measures, such as weight. Manned spacecraft, for example, have so many redundant and fault-tolerant components that their weight increases dramatically in unmanned systems, which do not require the same level of safety.

• - Substandard components. A fault-tolerant design may allow the use of substandard components, which could make the system inoperable. While this practice has the potential to mitigate increased costs, the use of multiple substandard components can reduce system reliability to a level equal to or even worse than a non-fault tolerant system.

Fault-tolerant hardware sometimes requires that broken parts can be removed and replaced with new parts while the system continues to operate (known in computing as hot swapping). Such a system with a single backup is known as a single point tolerant and represents the vast majority of fault tolerant systems. In these types of systems the mean time between failures must be long enough so that operators can fix broken devices (mean time to repair) before the backup also fails. It is recommended that the time between failures be as long as possible, but it is not strictly necessary in a fault-tolerant system.

Fault tolerance works very well in computer applications. The first fault-tolerant computer was SAPO "SAPO (computer)") in the Czech Republic. The company Tandem Computers has based its entire business on this type of equipment, which uses a single point of tolerance to create its NonStop systems, whose operating periods can be measured in years.

Computer programs can also use fault-free architectures, for example in process replication.

Data formats can also be designed to degrade correctly. The HTML language, for example, is designed to be compatible, allowing web browsers to ignore new HTML entities that they do not understand without rendering the document unusable.

There is a difference between fault tolerance and systems that rarely have problems. For example, Western Electric crossbar systems had failure rates of two hours per forty years and were therefore highly failure-resistant. But when the failure occurred, the systems stopped working completely, and therefore, were not fault tolerant.

• - Cluster "Cluster (computing)").

• - Defense in depth.

• - Detection and correction of errors.

• - Progressive improvement.

• - Resilience (ecology) "Resilience (ecology)").

• - Rhizome (philosophy) "Rhizome (philosophy)").

• - Rollback.

• - Solidity (informatics) "Solidity (informatics)").

• - Implementation and evaluation of failsafe computer-controlled systems.

• - Seminar on Self-Healing Systems.

• - Article about TMR with reference to TMR usage in avionics and industry.

• - EU funded research project HPC4U addressing development of fault tolerant technologies for Grid computing environments.

• - Fault Tolerance and High Availability Systems.

• - High Availability Software.

• - Graceful Degradation in the RKBExplorer.

• - Fault Tolerance and High Availability Systems for Check Point Firewall and VPN networks with Resilience line of FCR appliances.