Existing processor monitoring systems can implement watchdog timers (sometimes also called heartbeat monitors) to reset a system if a program, due to some hardware or software fault condition, fails to regularly provide a service pulse to the “watchdog” timer. If the watchdog timer does not receive a service pulse within specific timing constraints, it resets the system. While a conventional watchdog mechanism can catch gross problems with the processor, many subtle processor faults could go undetected. Examples of microprocessor faults likely to escape detection by a conventional watchdog mechanism include arithmetic computation errors, logic instruction errors and even some branching errors. This means that while a conventional watchdog mechanism does provide some gross protection against hardware faults, it cannot provide a high level of assurance that the microprocessor is healthy.
Often, when outputs from a microprocessor are deemed to be highly safety critical, these outputs are checked by a monitor, running in separate hardware, to avoid a failure that would both cause an erroneous output and disable the monitor. This is an effective but potentially costly strategy, as the monitor function may be almost as complex as the function being monitored. It may also need most, if not all, of the inputs that the main processor needs, but they must be provided in a way that maintains the separation between the main channel and the monitor.
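
The gap described in both paragraphs can be seen in a small simulation, added here as an illustration and not taken from the original text: a hung program trips the watchdog, while an arithmetic fault keeps servicing it and is caught only by an independent monitor that recomputes the output. The function names, the timeout of 3 ticks, the `in * 3 + 7` computation and the flipped-bit fault model are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed simulation; every name and constant here is hypothetical. */
typedef enum { FAULT_NONE, FAULT_HANG, FAULT_ARITH } fault_t;
typedef struct { uint32_t timeout, last_kick; bool reset; } watchdog_t;
typedef struct { bool wdt_reset, monitor_trip; } result_t;

/* Service pulse from the monitored program. */
static void wdt_kick(watchdog_t *w, uint32_t now) { w->last_kick = now; }

/* Runs every tick: latch a reset if no service pulse arrived in time. */
static void wdt_tick(watchdog_t *w, uint32_t now) {
    if (now - w->last_kick > w->timeout) w->reset = true;
}

/* Main channel: FAULT_ARITH models an ALU that flips one result bit. */
static int32_t main_channel(int32_t in, fault_t f) {
    int32_t out = in * 3 + 7;
    if (f == FAULT_ARITH) out ^= 0x10;
    return out;
}

/* Separate monitor: recomputes the output from its own copy of the input. */
static bool monitor_ok(int32_t in, int32_t out) { return out == in * 3 + 7; }

/* Run `ticks` cycles, injecting fault `f` from tick `fault_at` onward. */
static result_t run(fault_t f, uint32_t fault_at, uint32_t ticks) {
    watchdog_t w = { .timeout = 3, .last_kick = 0, .reset = false };
    result_t r = { false, false };
    for (uint32_t t = 1; t <= ticks; t++) {
        fault_t active = (t >= fault_at) ? f : FAULT_NONE;
        if (active != FAULT_HANG) {      /* a hung program never reaches the kick */
            int32_t out = main_channel((int32_t)t, active);
            if (!monitor_ok((int32_t)t, out)) r.monitor_trip = true;
            wdt_kick(&w, t);             /* pulse is sent even if `out` is wrong */
        }
        wdt_tick(&w, t);
    }
    r.wdt_reset = w.reset;
    return r;
}

int main(void) {
    const char *name[] = { "none", "hang", "arith" };
    for (int f = FAULT_NONE; f <= FAULT_ARITH; f++) {
        result_t r = run((fault_t)f, 5, 20);
        printf("%-5s wdt_reset=%d monitor_trip=%d\n", name[f], r.wdt_reset, r.monitor_trip);
    }
    return 0;
}
```

The monitor here repeats the main channel's full computation on the same input, which is the cost the second paragraph points to.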