Fully self-checking processing is the operation of processors in lock-step such that they perform identical operations at the same time. Each processor, or each lane of processors, has redundant detection circuitry that ensures that a processor or lane's operation is identical to that of the cross lane. Any discrepancy causes the operation of both processing lanes to be shutdown or pacified. This “self-checking” technique provides a very high level of assurance that any malfunction is automatically detected and pacified—on the order of a 10−9 probability of an undetected malfunction per hour—and can also allow the rapid detection and pacification of the malfunction—e.g., in less than 100 ns.
Fully self-checking processing may be very useful for guaranteeing the integrity of high-criticality computing applications such as avionics. A key advantage of the self-checking design is that software applications can be hosted onto the platform, and high integrity achieved, without incorporating any special architectural mitigation (e.g. performance monitoring or custom cross monitoring).
The downside of full self-checking is that it requires two identical processing platforms, and thus resource allocation, like cost, board area, and heat dissipation, may as much as double relative to a single-string design approach. Further, every application that executes on the platform incurs these costs, regardless of its particular level of criticality. Therefore, a fully self-checking platform is most efficient when it exclusively executes high-criticality applications.
A non-self-checking “single-string” processing design is an alternative to the fully self-checking platform. The single-string design is generally less costly in terms of expense, board area, and heat dissipation than a self-checking design, assuming the same amount of processing power. However, this design is limited to an integrity level on the order of a probability of undetected malfunction of 10−6 per hour, precluding its use for high-integrity computations.