One strategy for assuring integrity in high-integrity systems uses a “self-checking pair.” A self-checking pair is a logical grouping of two devices, subsystems, or systems (generally referred to here as “modules”) that perform the same operations and that cross-check each other in order to assure correct operation. As a result of the cross-checking performed in the self-checking pair, a single fault in one of the modules will be detected by its partner and an appropriate action can be taken to handle the fault and to assure that the fault does not propagate.
The most tightly coupled and detailed approach to implementing a self-checking pair uses strict cycle-for-cycle lockstep, in which each module operates from the same clock and performs the same action on each clock cycle. In this way all results, outputs, and operations can be checked on each clock cycle. Challenges that can arise with such a strict cycle-for-cycle lockstep approach include synchronizing the local clock in each of the modules with the primary clock; generating internal clocking resources at each module that are derived from the primary clock; aligning those internal clocking resources between the modules; and generating, asserting, and negating resets at both modules in lockstep.
In typical implementations, both modules of such a self-checking pair are provided with a primary clock signal from the same external clocking source and exchange all parent and derivative clock signals and reset signals in order to establish and maintain lockstep alignment. This can result in module designs in which a large number of pins are dedicated to the exchange of such signals, which does not scale well with larger module designs having high numbers of internal clock and reset domains.
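The cycle-by-cycle cross-check and the reset-alignment challenge described above can be seen in a small behavioral model. This is an added example, not taken from the original text; the `Module` class, the `run_pair` function, the toy rotate-and-XOR datapath, and the fail-stop response to a mismatch are all assumptions made for illustration.

```python
from dataclasses import dataclass

MASK = 0xFFFF  # 16-bit datapath (constructed for this example)


@dataclass
class Module:
    """One half of the pair: a toy 16-bit datapath with its own reset timing."""
    reset_release: int = 0  # cycle on which this module's reset is negated
    state: int = 0

    def clock(self, cycle: int, data_in: int) -> int:
        """Advance one clock cycle and return this cycle's output word."""
        if cycle < self.reset_release:
            self.state = 0  # still held in reset
        else:
            s = self.state
            # Rotate left by one, then XOR the input word. The step is a
            # bijection on the state, so a corrupted state cannot be masked.
            self.state = (((s << 1) | (s >> 15)) & MASK) ^ data_in
        return self.state


def run_pair(inputs, a: Module, b: Module, upset=None):
    """Clock both modules from one cycle counter and compare every output.

    upset=(cycle, bitmask) flips bits in module B's state just before that
    cycle, modelling a single fault in one module.
    Returns (released_outputs, fault_cycle); fault_cycle is None if the
    pair never disagreed.
    """
    released = []
    for cycle, word in enumerate(inputs):
        if upset is not None and upset[0] == cycle:
            b.state ^= upset[1]
        out_a = a.clock(cycle, word)
        out_b = b.clock(cycle, word)
        if out_a != out_b:
            # Assumed response: fail-stop. The disagreeing word is never
            # released, so the fault does not propagate downstream.
            return released, cycle
        released.append(out_a)
    return released, None


# Constructed input stream, one word per clock cycle.
SAMPLE_INPUTS = [0x0001, 0x0010, 0x0100, 0x1000, 0x00FF, 0x0F0F]
```

Running `run_pair` with one module's `reset_release` set a cycle later than its partner's trips the comparator even though neither module is faulty, which is why reset negation has to be aligned across the pair.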