High-integrity processing platforms, e.g., flight deck, auto flight platforms, or the like, typically employ cross-comparing of computation outputs from two or more processors in order to detect and/or mitigate random faults. For applications such as Fly-By-Wire (FBW), two or more dissimilar commercial-off-the-shelf (COTS) processors are generally used to compute independent outputs which may be cross-compared to detect potential common-mode errors and random faults. The cross-comparison may either be bit-for-bit or a threshold comparison that may allow for small differences in the computation outputs within certain predefined tolerance values. Bit-for-bit comparisons may avoid the need to allocate tolerance values that might inadvertently compromise system safety. Typically, it is assumed that if two similar COTS processors use bit-for-bit identical input data in their respective calculations, then their results will be bit-for-bit identical as well.
However, in applications such as fly-by-wire where dissimilar COTS processors are used, it may not be guaranteed that bit-for-bit identical results will be obtained from computations, due to round-off errors and/or design choices in the implementations of the COTS processors, despite the processors being designed to follow conventional mathematical standards (e.g., the IEEE floating point specification). Detailed processor design data that might be used to analytically identify potential differences and/or confirm identical results is generally not available, because the design data is proprietary to the developers of the processors and/or the supporting software.
Although bit-for-bit comparisons (at the output level) are currently being incorporated in existing systems, customers and certification agencies (e.g., Federal Aviation Administration, Transport Canada, European Aviation Safety Agency) may question the viability of this approach where dissimilar processors are used. An area of concern is the ability of the processors to produce the same output at each processor from identical inputs, given different round-off behaviour or other processor design features. In the absence of detailed design data, analytical techniques are not available to assert identical results from each processor. Although it can be shown that identical inputs result in identical outputs from each processor for specific test cases, the number of test cases that can be executed in any practical time is a small fraction of the data combinations a processor may encounter in operation. Without a means to define and execute a test suite (e.g., processing test inputs to obtain outputs) and, thereby, confirm the capability of the processors, customers and certification agencies may not be confident of the product.
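The following added example (not part of the original text) models the cross-comparison described above in C. Two lanes compute the same control-law sum, but the second lane stands in for a dissimilar processor that rounds in a different order; the monitor compares their outputs both bit-for-bit and against a tolerance. The lane functions, frame format, sample inputs and tolerance are all constructed assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

/* One frame of inputs, delivered identically to both lanes (constructed format). */
typedef struct { double a, b, c; } frame_t;

/* Lane A stands in for a processor that evaluates (a + b) + c.
 * volatile keeps each rounding step so the compiler cannot re-associate. */
double lane_a(const frame_t *f) {
    volatile double t = f->a + f->b;
    return t + f->c;
}

/* Lane B stands in for a dissimilar processor that evaluates a + (b + c):
 * the same mathematics, but IEEE-754 rounding differs for some inputs. */
double lane_b(const frame_t *f) {
    volatile double t = f->b + f->c;
    return f->a + t;
}

/* Bit-for-bit cross-compare on the IEEE-754 encoding; no tolerance to allocate. */
int compare_exact(double x, double y) {
    uint64_t bx, by;
    memcpy(&bx, &x, sizeof bx);
    memcpy(&by, &y, sizeof by);
    return bx == by;
}

/* Threshold cross-compare: the lanes agree if |x - y| <= tol. */
int compare_threshold(double x, double y, double tol) {
    double d = x - y;
    if (d < 0) d = -d;
    return d <= tol;
}

/* Runs every frame through both lanes and counts miscompares under each scheme. */
void run_monitor(const frame_t *frames, int n, double tol, int *exact_mis, int *thresh_mis) {
    *exact_mis = *thresh_mis = 0;
    for (int i = 0; i < n; i++) {
        double x = lane_a(&frames[i]), y = lane_b(&frames[i]);
        if (!compare_exact(x, y)) (*exact_mis)++;
        if (!compare_threshold(x, y, tol)) (*thresh_mis)++;
    }
}

/* Constructed frames: the first two agree bit-for-bit. In the third, 0x1p-53 is half an ulp
 * of 1.0, so (1 + 2^-53) + 2^-53 rounds to 1.0 while 1 + (2^-53 + 2^-53) = 1 + 2^-52. */
const frame_t sample_frames[] = { {0.5, 0.25, 0.125}, {100.0, 3.0, -7.0}, {1.0, 0x1p-53, 0x1p-53} };
const int sample_count = 3;
```

With a tolerance of 1e-12 the monitor reports one bit-for-bit miscompare and no threshold miscompare on these frames, which is the trade-off the text describes: the threshold hides the benign round-off, but it would equally hide a genuine one-ulp corruption of a lane output.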
What is needed, then, is a method for testing two or more dissimilar processors in order to confirm that, given the same inputs at the same time, the two or more dissimilar processors produce the same outputs with a level of certainty that is shown to be commensurate with the expectations of the system in which the dissimilar processors are used.