Continued proper operation of a digital system following a software fault is highly desirable in modern computer systems and becomes mandatory in a life critical digital system, such as those employed in aircraft primary flight control systems. A software error may manifest itself by the processor becoming mired within the program and not completing its tasks, or by the processor completing its tasks too rapidly by not executing all of its program. Redundant hardware and voting schemes provide hardware fault protection but do not provide safeguards against software faults when the redundant computers are programmed with identical software. Thus, each of the redundant channels can suffer the same software fault, at virtually the same instant. The present state of the art in software verification and validation does not provide any tool or technique which can guarantee the absence of software faults; on the contrary, experience has shown that software errors continue to exist even in exhaustively verified and validated software.
Backup systems have been provided by simple analog systems, additional digital systems which are dissimilarly programmed, or by mechanical means. Reversion to these backups generally occurs following disagreement between the redundant channels of the prime digital system. These backup systems require significant additional hardware with the attendant disadvantages of cost, weight, power demand and heat dissipation. The analog and mechanical backups are additionally constrained to be simple derivatives of the usually highly complex and nonlinear implementation of the prime digital system.