There is an increasing need for instruments that can safely operate critical systems, or systems that present a high risk to human health and environment in the event of a failure. Beyond reducing risk by designing redundant hardware components and ensuring that software is error-free, it may also be desirable to operate critical systems in a manner that ensures failsafe computations. By failsafe computations, what is meant is that no calculation errors will be introduced as a result of a faulty software math library or a hardware-based processor.
Various standards have been created to ensure failsafe computations, which are also referred to as: Safety Integrity Level, Safety Instrumented Level, Safety Instrumented Systems, safety engineering, calculation integrity, or multiple redundant math. Failsafe computations typically include the use of multiple redundant math computations to ensure that any single computation error will be detected. For example, consider the following calculation:x=y*2.0  (Calculation A)Calculation A may be implemented using C or C++ programming languages using the following source code:
float x, y;x=y*2.0f;  (Source Code A)In compiling Source Code A, the compiler may call floating-point emulation math libraries, or if available, a hardware-based floating point co-processor. If an error exists in the math library or co-processor, Calculation A may not be computed correctly. This sort of software math library-based or hardware co-processor based error may not be detected by testing software or hardware errors. In order to fulfill the failsafe computation standards described above, a system must be able to detect math library and co-processor computation errors.
A common method used to meet failsafe computation standards is to complete each calculation twice either using unique math libraries or independent co-processors. For example, the following C or C++ programming language code implements a failsafe computation using two math libraries:
float x, y;
double xd, yd;x=y*2.0f; xd=yd*(double)2.0;if (x!=xd){<code to put device in safe state>}//error detected!  (Source Code B)In Source Code B, Calculation A is performed twice, once using a floating point math library and once using a double precision math library. The variables y and yd have the same value, but different types. The results x and xd are then compared to one another to determine if an error occurred. When Calculation A is performed as provided by Source Code B, single computation faults may be detected and the computation is considered to be failsafe.
There are many disadvantages to the present methodologies for ensuring a failsafe computation. For example, the electronic device that will be used to perform the failsafe computation must incur the additional complexity and overhead of supporting multiple math libraries or multiple co-processors.
A second disadvantage is that math carried out in different data types may support different resolutions, or significant figures. This necessitates complex error-prone analysis to ensure that given the range of inputs, successful coverage is provided to carry out the calculations appropriately.
A third disadvantage is that coding redundant calculations into source code may become a design and maintenance hazard, especially when compared to source code that only includes single calculations.
A fourth disadvantage stems from the fact that failsafe calculations may require memory protection to ensure that memory corruption cannot upset the calculations in an undetectable way. While Source Code A may be able to identify single-bit failures, additional protection may be needed to defend against corrupt pointer failures to provide further failsafe computation protection. For example, the variables x, y, xd, and yd from Source Code A may be co-located in memory, and are thus vulnerable to being collectively overwritten by a corrupt pointer. For example, if zeros were mistakenly written to x, y, xd, and yd by a corrupt pointer, a simple compare between x and xd would not identify this computation failure. To protect against corrupt pointer failure, additional hardware such as a memory protect unit, additional software such as inversion storage of xd, yd, or special compiler/linker commands to ensure diverse locations may also be required to provide a failsafe computation.
What is needed is a failsafe computation method that allows for the elimination of multiple math libraries, multiple hardware math accelerators, error-prone fixed point resolution analysis, and corrupt pointers. Ideally, the failsafe computation method will be easy to implement and maintain, requiring little modification to source code.