--<Start of Puzzle Box Provisional Patent Application>--

ROSS N WILLIAMS
COMMONWEALTH OF AUSTRALIA
PATENTS ACT 1952
PROVISIONAL SPECIFICATION FOR THE INVENTION ENTITLED:
"INTERFACE APPARATUS FOR CRITICAL DEVICE ACTUATION"

This invention is described in the following statement:


INTRODUCTION

This patent describes an interface means for connecting a complex
controlling device such as a computer system to a critical boolean control
line such as might be used to ignite a rocket motor.  Use of the interface
means instead of a more conventional means decreases the risk of accidental
activation by increasing the complexity of behaviour required of the
controlling device in order to effect an activation.

DEFINITION OF TERMS

Activation - Strictly, by "activation" is meant the act of turning "ON" the
device being controlled.  However, in this document the term is ALSO used in
the generic sense to mean "effect a change on the controlled device."

Computer - Here the term "computer" is used to refer to any complex
controlling device.  In practice, this will most usually be a microprocessor
chip.

Critical system - Here this term is used to refer to any system for which
there is a high cost associated with system failure.

Finite State Automaton - A finite state automaton is a theoretical device
used to describe real world devices. A finite state automaton has a finite
number of states. At any point of time the automaton is "in" one of its
states. The automaton receives inputs that cause it to change from one state
to another. Theoretical finite state automata often have a start state and a
goal state which together with the rest of the machine define a regular
grammar. However, here we are concerned only with the states and transition
aspects of finite state machines.

DESCRIPTION OF PROBLEM

Computers and other complex controlling devices are most simply interfaced
to the outside world by amplifying a latched boolean output signal until
there is sufficient power to drive the controlled device (Figure 1).  This
simple interface, while suitable for non-critical systems, is vulnerable to
a variety of low level failures that make it unsuitable for critical
systems.

By "critical system" is meant any system where the costs of an incorrect
output are extremely high.  In some systems, the cost of a failure may run
to billions of dollars and thousands of lives.  In general, the interface
means is applicable in any application where the potential cost of failure
justifies the cost of the interface means.

In many systems, a boolean output control line will have a safe side and a
dangerous side.  For example, the control line which is used to fire an
explosive device will have a safe side (false = don't fire) and a dangerous
side (true = fire).  In such systems, it is generally safer to err on the
safe side and it is desirable to construct the system in such a way that it
will tend to fail to a safe side.

In contrast, the output line of Figure 1 is extremely vulnerable.  Being an
ordinary two state line, the line itself is not predisposed to one or other
state.  To make matters worse, the line may be connected to an extremely
complex computer system whose state may be changing millions of times a
second.  The ease and speed with which a computer system can change an
output line, coupled with the complexity and speed of modern computer
systems subjects the line to a variety of low level failures which can be
divided into two classes.

The first class of failures covers any direct hardware effect that has to
the potential to change the value on the vulnerable output line.  A power
supply spike, a faulty output driver transistor, or even a passing magnetic
field may be capable of changing the output.  This vulnerability is enhanced
by the low voltage levels typical of digital circuitry.

The second class of failures covers any hardware or software failure that
causes the computer to present an incorrect output.  Such failures can be
caused by hardware effects such as radiation-corrupted memory, design
errors, stochastic hardware faults, power spikes and magnetic fields.  In
addition, the faults can also be caused by low level software errors such as
stack and pointer corruptions, and off-by-one errors.  In particular, low
level software faults are likely to send the processor into a chaotic state
in which there is a good chance that unpredictable values will be written at
random to memory and IO.  This makes output lines extremely vulnerable to
low level software failures.

In summary, any single boolean output line emanating from a complex
controlling device is subject to a variety of failures that could cause it
to hold an incorrect output value.  These failures can be divided into two
classes:  hardware failure of the line itself, and hardware and software
failures that cause the complex controlling device to present the wrong
output value.  The interface means to be described is capable of reducing
the risk of both of these classes of failure, but is mainly directed towards
failures of the second class.


PREVIOUS SOLUTIONS TO THE PROBLEM

With the proliferation of computer controlled systems, the problem of
interfacing critical devices has been tackled before.  This section
discusses some of the techniques currently in use.

Software Sanity Checking --- Computers perform sanity checks on themselves
as a first level of defence against failures.  When a computer system fails,
it often fails so catastrophically that the simplest of internal consistency
checks can often give an early warning that something is wrong.
        These checks can be performed by both hardware and software.  For
example, computer hardware can perform checksums whenever memory is accessed
and halt the processor if an illegal instruction is encountered.  Software
can perform checksums on itself and a variety of other checks at various
levels of abstraction.  By performing frequent sanity checks, computers can
sometimes catch failures before they have a chance to manifest themselves in
incorrect outputs.  Unfortunately there is no guarantee of this.

Output Retardation --- A problem with software sanity checks is that they
can only be performed intermittently.  If a failure occurs between a sanity
check and an output operation the failure may not be detected.  One way to
avoid this is to introduce hardware that delays the output signal, thus
giving the processor time to react if an error is detected.  For example, by
placing a capacitor on an output line, the line can be rendered impossible
to change quickly.

Input Output Wraparound --- In IO wraparound, the processor reads its own
outputs through its inputs.  After writing each output, the processor
samples the output value through its inputs to ensure that the value has
been propagated correctly.

Duplication --- A widely used reliability technique is to use more than one
processor and to feed all their individual output signals into an
arbitrator.  The arbitrator, a simple device, then tallies up the "votes"
and makes a decision.  This technique allows the system to continue to
operate in the face of one or more processor failures.

Simple Hardware Interlocking --- Finally, incorrect output values may be
blocked by using some sort of hardware interlocking.  For example, a rocket
motor controller may have an ARM input and a FIRE input and be arranged so
that the controller will not act on a FIRE signal unless it has first
received an ARM signal.

While the techniques described above are all valuable, most of them are
vulnerable to failures of one kind or another.  The techniques of sanity
checking, output retardation and IO wraparound all assume that the software
is functioning correctly.  Processor duplication avoids this assumption, but
remains vulnerable to a deterministic low level failure in which two or more
processors enter a chaotic state because their identical software has
encountered a low level error (e.g.  a stack corruption).  To an extent this
risk can be reduced by using different processors running different
programs.  However, as studies have shown, the risk of identical errors
appearing in independently developed software is still high.  Simple
hardware interlocking is vulnerable to attack by random numbers which are
quite likely to be generated by a processor in a chaotic state.

OVERVIEW OF THE INVENTION

Nearly all of the techniques described in the previous section attempt to
prevent an incorrect output value from ever being generated.  In the light
of the complexity of modern computers, this is an ambitious goal.  In
contrast to the other techniques the simple hardware interlocking technique
does not attempt to prevent the generation of incorrect outputs, but rather
attempts to filter out incorrect outputs by presenting a very simple puzzle
that the processor must solve in order to effect action.  The puzzle is so
simple that we might not even notice it; but it is there.

By taking the concept of puzzle to its extreme we arrive at the concept of
an interface means specially contrived to make it difficult for the
controlling processor to effect any action.  Whereas the rocket interface
requires that the processor first send an ARM signal and then a FIRE signal,
the interface proposed here would require the controlling computer to
transmit a long string of data or in some other way exhibit a complex
behaviour before causing an activation.

The extremity of the puzzle concept illustrates an important difference
between the concept and the simple hardware interlocking scheme found on our
hypothetical rocket. Although both interfaces provide a measure of hardware
interlocking, the interlocking in the rocket was probably necessary for
hardware reasons.  For example, it is possible that arming the rocket mixes
its fuel and that firing the rocket before such fuel is mixed will cause an
explosion.  While the hardware interlocking may have originally been
designed to catch a high level logic failure in the controlling processor,
it also serves to catch a variety of low level failures as well.

By attacking the low level interface problem directly using puzzle devices,
puzzles many orders of magnitude more complex than the rocket interface can
be created.  Such extra complexity can significantly lower the probability
of an accidental activation.

As stated earlier, the puzzle makes no attempt to prevent the processor from
failing.  Rather it presents so many obstacles to activation that only a
processor that is functioning correctly can have a chance of effecting an
activation.  By requiring that the processor exhibit a specific complex
behaviour the puzzle challenges the processor to show that it is working
properly.

In a puzzle that requires a complex sequence of inputs in order to effect an
action, the complex sequence of inputs may be viewed as a kind of password.
However, such sequences differ from conventional passwords because in this
case the "opponent" is not an intelligent entity.  The password of a puzzle
need not be secret, nor hard to remember.  The only requirement is that the
password be unlikely to be generated by a malfunctioning computer.  This
means that designers of puzzle devices should ensure not only that the
puzzle password is long enough to have a low probability of being present in
a "long" stream of random numbers, but also that the password does not
contain sequences that chaotic software is likely to generate.  Long runs of
identical bytes (especially 0 and 255), for example, would be unwise.

In summary, puzzle devices do not attempt to prevent computers from
presenting incorrect output values.  Instead, they attempt to prevent such
output values from being acted upon.

CONSISTORY STATEMENT

In its broadest form the invention consists of a critical interface means
for controlling the conductivity between two ports comprising, one or more
signal inputs, a finite state automaton, wherein, the state of the automaton
is changed by the signal inputs and determines the conductivity between the
ports, whereby, there exists at least one pair of states such that from the
first state the probability is low that the application of a sequence of
random inputs will cause a traversal to the second state.


EXPLANATION OF CONSISTORY STATEMENT

The consistory statement above outlines a device having a number of inputs,
two output ports, and a number of internal states (Figure 2).  Typically the
device will have only two states of conductivity between the ports and the
states will be partitioned into two sets, members of which correspond to the
different states of conductivity.

In an aspect of the invention there should be at least one state from which
it is hard to get to a state that would change the output.  In puzzle
devices that are oriented towards preventing an accidental activation this
means that the puzzle will probably have its states arranged in a linear
string such that it is hard to move towards the activation state but easy to
move away from it (Figure 3).

By "hard" is meant that only one of many input values can move the automaton
closer to the activation state; all other inputs would "reset" it to the
initial state.  Puzzle devices that must be capable of holding themselves in
one of two states will tend to be structured as shown in Figure 4.  Here the
string is divided at the middle into two groups.  The ends of the string
represent the safe resting states of the device and it is very hard to move
from one end to the other.

In general however, the important thing is that the automaton have a set of
states corresponding to different output conductivities and that it be
"hard" to move between particular pairs of states corresponding to different
conductivities.

DISCUSSION

This section contains a discussion of various aspects of the puzzle concept.

Importance of Sequence --- At the core of the puzzle concept is the notion
of a sequential feeding of data over time.  The requirement for sequence is
very important because it means that the computer must behave in a
particular manner over a period of time.

Complexity of Puzzle Hardware --- Although the exact implementation of the
puzzle does not matter, the puzzle hardware must be significantly simpler
than the device controlling it, otherwise there is no real gain.  For
example, a microprocessor implementation will usually not suffice.  Puzzle
devices must be complex enough to recognise an intricate password, but
simple enough to allow a convincing proof of correctness.

Input Complexity vs N-point Vulnerability --- Puzzle device can provide two
kinds of protection from errors.  First, the puzzle device can provide
statistical protection against randomly generated inputs.  Second, through
careful design, the entire interface can be rendered immune to N-point
hardware errors.  That is, up to N switches could fail without causing an
erroneous output.  This second aspect is not an essential part of the puzzle
device concept, but is closely related.  It is discussed separately in a
later section.

Markov Chain Analysis --- Whereas the broadest statement of the invention
refers to the probability of activation by a random input sequence as being
"low", the probabilities involved may be completely quantified using the
theory of Markov chains.  This can be done by equating states of the puzzle
device with states of a Markov chain and assigning probability transitions
based on the expected probabilities of various input values under a random
or nearly random input regime.  The resulting chain can then be represented
as a probability transition matrix.  To calculate the probability of getting
from state A to state B within T time units, all transitions from B should
be removed from the matrix which is then taken to the power of T.  Row A,
column B of the resultant matrix then gives the desired probability.

Simplified Device Interface --- In the two state (arm,fire) rocket example
given earlier, we saw how the interlocking that was constructed for the
purposes of detecting high level logic errors (must arm before firing) also
served to prevent low level errors.  It is quite likely that designers who
have not mentally separated these two kinds of error have constructed
interlocked interfaces whose complexity is artificial and bears no
relationship to any physical constraints, but which has been included as a
misguided attempt to provide low level protection.  Such protection is
likely to be far less effective than a puzzle device specifically designed
for this purpose.  Thus by using puzzle devices to catch low level errors,
the high level interface could probably be simplified.  This twin advance
would be a consequence of the separation of two concerns.

Divide Inputs Between Processors --- In order to provide extra safe-side
protection, the input lines of a puzzle device could be split between two or
more communicating processors.  Thus, in order to activate the device, the
processors would have to cooperate to synchronize their outputs.

Timing Constraints --- Puzzle devices could be made harder by introducing
timing constraints.  For example, a lower and/or upper bound could be placed
on the time between state transitions.  Constraints could also be placed on
the time to solve the entire puzzle.  Another possibility is to arrange for
the puzzle to reset itself every T seconds thus preventing the puzzle from
being solved outside of each T second window.

Software Trigger --- A danger arises in systems that use puzzle devices if
the controlling computer contains a software procedure whose job is to
activate the puzzle device.  The existence of such a procedure implies that
the system is only as safe as the address in the program counter register of
the computer.  This may not be acceptable.  This problem can be countered by
using the results of calculations (performed in the computer) leading up to
the decision to activate in the actual puzzle device activation sequence
itself.

Response Time --- By forcing a transition through a number of states before
reaching the activation state, puzzle devices introduce a delay which,
depending on the implementation, may be unacceptable.  However, if there is
warning that a rapid activation may soon be required, the puzzle could be
run up to a near-activation state and held there.  Activation would then be
instantaneous.  From moment to moment, the controlling device can choose
whatever trade-off between risk and speed that it requires.

State Creep --- An extremely dangerous possibility with puzzle devices is
state creep.  If, for some reason, the puzzle device does not reset itself
whenever an erroneous input arrived, it will tend to creep down the
activation path, moving one step closer to activation whenever a correct
input arrives.  Although this will not normally be a problem in a working
puzzle device, it is such a potential danger that it might be wise to
organize for the hardware or software to reset the puzzle device at regular
intervals.

Serial or Parallel Input --- In the general case, puzzle devices have a
number of boolean inputs.  However, there is no reason why the input to the
puzzle device shouldn't be a serial channel.

Parallel Output --- So far, we have considered only puzzle devices with one
pair of output ports.  However there is no reason why a puzzle device could
not have more.

Interactive Puzzle Device --- So far we have seen only puzzle devices that
receive commands from the processor and act upon them.  However, there is no
reason why information couldn't be fed back to the processor.  For example,
a puzzle device could present the processor with simple arithmetic problems
that the processor must solve.  The main constraint is that the puzzle
device must be kept simple or it becomes a processor itself.

Analog Puzzle Device --- Puzzle devices are not necessarily  restricted to
the digital domain, although they are probably best implemented digitally.
In an embodiment, an analog puzzle device could be constructed by digitizing
a sine way and feeding it into a computer.  The computer could then output a
waveform through a digital to analog device.  A transformation on the two
waveforms (e.g. modulo addition) could be performed and the result fed into
a decaying accumulator.  Finally the voltage from the accumulator could be
fed into a threshold trigger (Figure 5).  This arrangement would make it
difficult for the processor to fire the trigger unless it had successfully
processed the waveform, a rather complex operation.

On Chip Puzzle Device --- As we have seen, puzzle devices have the capacity
to avoid low level software failures and N-point hardware failures.
Although it will not provide protection against line attacks (e.g.  power
spike), puzzle devices could be placed at the edge of integrated circuits as
output drivers.  A further embodiment could comprise a dedicated puzzle
device on a chip having five pins:  1) Power, 2) Ground, 3) Port one, 4)
Port two, 5) Signal input.  The signal input could be an asynchronous serial
channel requiring complex sequences in order to change the conductivity
between the ports of the chip.


DESIGNING FOR HARDWARE FAILURES

Previous sections have shown how puzzle devices can protect against random
output from a chaotic computer.  However, with good design they are also
capable of protecting against a further class of hardware errors.

This section is concerned with protecting against hardware errors in the
puzzle device itself.  As stated earlier, this aspect of puzzle devices is
not central.  However, the ability for puzzle devices to withstand an N-
point failure is important in practice and warrants investigation.  Here we
are concerned primarily with the effects of hardware switch failures.

In this section, we refine the internal puzzle device architecture by
separating it into a switch unit and an automaton unit (Figure 6).  The
purpose of the switch unit is to provide protection against N-point errors.
The purpose of the automaton is to impose the requirement for complicated
behaviour on the part of the controlling computer.

To protect against at most N switch failures, a puzzle device must be
designed with at least N+1 switches connected in series.  In the OFF state
(i.e.  with all switches in the off state), N+1 switch failures will be
required to cause an activation.

A serial arrangement is suitable for avoiding unwanted activations.
However, many critical systems must activate reliability as well as avoiding
accidental activations.  Furthermore, it may be desirable to hold the system
in a state of activation for a long time.  To reduce the chance of a failure
to activate, there must be an aspect of parallelism in the circuitry.

Figure 7 shows an array of p groups of s serially connected switches with
the groups arranged in parallel.  If the probability of a given switch
failing (i.e.  changing state without being commanded to do so) within a
unit time period is f, the following equations give the probability of
accidental activation (assuming the device is in the deactivated state) and
accidental deactivation (assuming the device is in the activated state)
within a unit time period:

        p(accidental activation) = 1 - (1-f^s)^p

        p(accidental deactivation) = (1 - (1-f)^s)^p

where ^ represents exponentiation.

Although the goals of minimizing these probabilities conflict, it is
possible to find  attractive trade-offs. For example, for f=0.001, a choice
of (p=5,s=4) reduces both probabilities to about 10^-11.  A choice of
(p=10,s=6) yields probabilities lower than 10^-17.  For smaller f, the
probabilities are even smaller.

Having found switch structures that permit low failure probabilities, we
consider the problem of interfacing the switch array to the controlling
computer.  One way is to construct an array of single switch puzzle devices,
one for each switch.  To move all the switches, the processor would have to
solve all of the puzzles.

Another way is to construct an automaton that reflects its internal state in
its outputs controlling the switches.  Each internal state determines the
entire configuration of switches, with the configurations corresponding to
the different states, varying from all switches open to all switches closed.

Despite all the effort to enhance reliability, it could be argued that even
a serial line of switches is subject to a single point failure.  If the
switches are implemented using standard digital logic chips, each switch
would have its own power connection which could feed into its output if the
switch failed.  Thus, a failure of the last switch in the series could cause
an activation.

The solution to this problem is to isolate the controlled switch circuit of
each switch from the rest of the working of the switch.  Relays do this well
because their coil circuit is well isolated from their output switch
circuit.  If the only power that can possibly escape through one output port
must come from the other port, then failure of "the last switch" on its own
cannot be enough to cause an activation.

Another factor affecting resistance to hardware faults is the voltage and
current at which the puzzle device operates.  All other factors aside, a 5V
20mA line is more liable to be influenced by power supply spikes, magnetic
fields and other disturbances than a 500V 20A line.  It therefore makes
sense in critical systems to perform the amplification stage between the
processor and the puzzle device so that the workings of the puzzle device
are operating at the less vulnerable high voltage level.

EXAMPLE:  A GRAY CODE PUZZLE DEVICE

This section presents a simple puzzle device based on the Gray code.  This
so called "Gray Code Puzzle Device" provides very good protection against
accidental activations, but makes no attempt to provide reliable
activations.  However, reliability can be improved by placing these puzzle
devices in parallel.

A Gray code puzzle device consists of a line of N switches wired in series
(Figure 8).  The two ends of the switch line are the two output ports.  This
architecture provides a basic safety because all of the switches must be ON
in order to effect an activation.

Controlling the switches are N flip flops, one for each switch.  The puzzle
device has N+1 boolean input lines, each of which is connected to a flip
flop except for one line which acts as a RESET line.  Whenever an input line
makes a transition from 0 to 1, its corresponding flip flop changes state.

If the reset line is raised, all the flip flops drop back to the OFF state.

So far we have a very simple puzzle that can be solved simply by raising the
reset line and then raising all the lines to the high state.  However, to
obtain a Gray code puzzle device, further circuitry is added so that:

        * The puzzle resets if more than one input line is high
                at a time.

        * The puzzle resets if an attempt is made to change a flip flop
whose right neighbour flip flops' states do not match one of the following
strings exactly: ("","1","10","100","1000","10000",...).

The result of these two changes is a puzzle that is isomorphic to the famous
Chinese rings puzzle whose solution is given by the differences between
consecutive values of an N-bit Gray code.

Figure 9 gives a table describing the operation of a four bit Gray code
puzzle device.  The first column lists the decimal numbers from 0 to 15.
The second column gives the equivalent four bit binary Gray code.  The third
column gives the difference between the current and next Gray code.  The
fourth and fifth columns list the number of flip flops turned on and off in
each state and so gives a measure of the vulnerability of the puzzle device
to failures in each state.

A close inspection of the table and the rules given earlier shows that in
each state, the puzzle device can "legally" move only to adjacent states.
Any attempt to move to a non-adjacent state will result in the puzzle device
resetting itself to the initial state.  If we let 0 represents OFF and 1
represents ON, the OFF state of the puzzle device is 0000 and the ON state
is 1111.  Thus, the states form a string of states starting with 0000,
passing through 1111 and ending with 1000.  The actual path length is
(1/3)(2^(N+1)-2) if N is even and (1/3)(2^(N+1)-1) if N is odd.  Thus the
puzzle device only uses about 2/3 of the states available to it.

The Gray code puzzle device offers good protection against switch failures.
In the resting state (0000) the device could sustain three (or in general
N+1) failures without causing an activation.  Furthermore the device does
not become vulnerable to a single point failure until is has moved half way
down its activation path.  In general, it can be shown that a Gray code
puzzle device of d+trunc(1+log_2 (3p/2)) bits will have to move p steps down
its activation path before becoming vulnerable to a d-point error.

Although it would be possible to reverse the semantics of 0 and 1 and run
the puzzle device in reverse from 1000 to 0000, this would be unwise because
the resting state of 1000 would be subject to a single point failure.  In
fact, it would be desirable to design a puzzle device whose activation path
has the various states arranged in order of their vulnerability (Figure 10).

In summary, the N-bit Gray code puzzle device has much to recommend it.  It
is simple and can be implemented with O(N) components.  It provides a path
length complexity of O(2^N) and requires a complicated sequence in order to
move along the path.  It provides protection against N-1 point errors.
Finally, it is organized so that only one flip flop is changed at a time.
This makes it easier to implement because it lessens the chance of race
conditions arising.

SUMMARY

This patent specification introduces the concept of an interface means that
can be placed between a complex controlling device and a critical device in
order to protect the critical device from erroneous outputs caused by
failures in the complex controlling device.  The interface means provides
protection by requiring that the complex controlling device exhibit a
predefined complex behaviour before the interface means will activate the
controlled device. In addition to protecting against chaotic complex
controlling device behaviour, the interface means can be designed so as to
make the entire interface resistant to n-point hardware failures.

A particular puzzle device embodiment called the Gray code puzzle device is
described.  An N-bit Gray code puzzle device has a number of desirable
properties including simplicity of implementation, complexity of activation
path, resistance to N-1 point errors and absence of race conditions.

                Dated this 29th day of January 1991.

                                  ROSS N WILLIAMS
                                  By his Patent Attorneys
                                  R K MADDERN & ASSOCIATES

--------------------------------------------------------------------------------


                      |\
   +----------+       | \
   | Computer |  TTL  |A \
   |   Chip   |--->---|m /-----> High voltage
   +----------+       |p/        and current
                      |/

Figure 1: Simple conventional interface


--------------------------------------------------------------------------------


                             Ports
                         /\          /\
                  +---------------------------+
                  |                           |
                  |     Internal states       |
                  |         O---O---\         |
                  |        / \ /     \        |
                  |       /   X       O       |
                  |      /   / \     /        |
                  |     /   O   -\  /         |
                  |     O--/ \----O-          |
                  |                           |
                  +---------------------------+
                      ^   ^   ^   ^   ^   ^
                      |   |   |   |   |   |
                      |   |   |   |   |   |
                             Inputs

Figure 2: Puzzle outline.


--------------------------------------------------------------------------------


                   Off (Deactivated)                     On (Activated)
   -------------------------------------------------     ----

   O--->---O--->---O--->---O--->---O--->---O--->---O--->---O
   |       |       |       |       |       |       |       |
   ^       v       v       v       v       v       v       v
   |       |       |       |       |       |       |       |
   +---<---+---<---+---<---+---<---+---<---+---<---+---<---+
                    Reset or error arcs


Figure 3: Typical state structure of a puzzle designed to avoid
accidental activations.


--------------------------------------------------------------------------------


       Off (Deactivated)                                     On (Activated)
   -------------------------       -------------------------

   O--->---O--->---O--->---O--<->--O---<---O---<---O---<---O
   |       |       |       |       |       |       |       |
   ^       v       v       v       v       v       v       ^
   |       |       |       |       |       |       |       |
   +---<---+---<---+---<---+       +--->---+--->---+--->---+

Figure 4: Typical state structure of a puzzle designed to avoid both
accidental activation and deactivations.


--------------------------------------------------------------------------------


                       +-----+
                        \ ~ /
                         \ /
+---+                     +
| C |==<==+----\          |
| o |==<==| A/D >----<----+
| m |==<==+----/          |
| p |                     v
| u |                     |
| t |==>==+----\        /---\
| e |==>==| D/A >---<---| * |
| r |==>==+----/        \---/
+---+                     |
                          v
                          |
                        -----
                       / Sum \
                       |Decay|
                       \     /
                        -----
                          |
                          v
                          |
                     +---------+
                     |    +--- |
                     |    |    |
                     | ---+    |
                     +---------+
                          |
                          v
                        Device

Figure 5: An analog puzzle



--------------------------------------------------------------------------------


                     /\                     /\
                  +-----------------------------+
                  |  |                       |  |
                  |  |  +-----------------+  |  |
                  |  +--|   Switch Unit   |--+  |
                  |     +-----------------+     |
                  |      |   |   |   |   |      |
                  |     +-----------------+     |
                  |     |  Automaton Unit |     |
                  |     +-----------------+     |
                  |      |   |   |   |   |      |
                  +------+---+---+---+---+------+
                         |   |   |   |   |
                         |   |   |   |   |


Figure 6: Refinement of internal puzzle structure


--------------------------------------------------------------------------------


                                  S=4
                  /------------------------------------\
                  |                                    |

                     /         /         /         /
  /          +------O  O------O  O------O  O------O  O------+
 |           |                                              |
 |           |       /         /         /         /        |
P=3    ------+------O  O------O  O------O  O------O  O------+------
 |           |                                              |
 |           |       /         /         /         /        |
  \          +------O  O------O  O------O  O------O  O------+


Figure 7: A matrix switch unit designed to resist both accidental
activations and deactivations.


--------------------------------------------------------------------------------


     ^                                                             ^
     |                                                             |
     |     +-------+     +-------+     +-------+     +-------+     |
     |     |  /    |     |  /    |     |  /    |     |  /    |     |
     +-----|-o   o-|-----|-o   o-|-----|-o   o-|-----|-o   o-|-----+
           |       |     |       |     |       |     |       |
           +-------+     +-------+     +-------+     +-------+
               ^             ^             ^             ^
               |             |             |             |
               |             |             |             |

Figure 8: Serial architecture of Gray code puzzle box.


--------------------------------------------------------------------------------


Num  Gray  Diff  0  1  Name of State
---- ----  ----  -  -  -------------
  0: 0000  0001  4  0  Initial State
  1: 0001  0010  3  1
  2: 0011  0001  2  2
  3: 0010  0100  3  1
  4: 0110  0001  2  2
  5: 0111  0010  1  3
  6: 0101  0001  2  2
  7: 0100  1000  3  1
  8: 1100  0001  2  2
  9: 1101  0010  1  3
 10: 1111        0  4  Activation State
 11: 1110        1  3
 12: 1010        2  2
 13: 1011        1  3
 14: 1001        2  2
 15: 1000        3  1

Figure 9


--------------------------------------------------------------------------------


Num Code   1   Name
--- ----   -   ----
 0: 0000   0   Initial state

 1: 0001   1
 2: 0010   1
 3: 0100   1
 4: 1000   1

 5: 0011   2
 6: 0110   2
 7: 1100   2
 8: 0101   2
 9: 1010   2
10: 1001   2

11: 0111   3
12: 1110   3
13: 1011   3
14: 1101   3

15: 1111   4   Activation state


Figure 10

--------------------------------------------------------------------------------

--<End of Puzzle Box Provisional Patent Application>--
