Flight-critical avionics systems require high-integrity computation (e.g., 2e−10), as a control system fault in flight may have catastrophic results. The classical approach to providing an application-transparent high-integrity computing platform has been hardware lockstep. Such a cycle-for-cycle lockstep approach requires two physically independent processor instances (cores) operating in unison, together with an external function that controls and monitors each processor's transactions at clock-cycle granularity. A processing error is indicated by a divergence between the compared transactions of the two cores, which requires that the inputs and outputs of each processing channel remain completely synchronized at the instruction level. Any asynchronous events must be synchronized to the processing cores, and some performance features of the cores may need to be disabled in order to maintain their cycle accuracy over long periods of execution.
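The cycle-for-cycle comparison described above, modelled as an added Python example that is not part of the paper: two hypothetical deterministic cores are fed identical inputs, an external monitor compares their outputs every cycle, a single-bit fault is injected into one core, and an asynchronous event is delivered to the two cores at different cycles. The core model, function names and sample inputs are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Core:
    """Hypothetical deterministic core: one 32-bit accumulator updated per cycle.
    A pending asynchronous event is serviced at the start of the next cycle."""
    acc: int = 0
    pending_event: bool = False
    trace: List[int] = field(default_factory=list)

    def step(self, cycle: int, data_in: int) -> int:
        if self.pending_event:
            self.acc = (self.acc + 1000) & 0xFFFFFFFF  # event handler side effect (assumed)
            self.pending_event = False
        self.acc = (self.acc + data_in * (cycle + 1)) & 0xFFFFFFFF
        self.trace.append(self.acc)
        return self.acc  # the "transaction" seen by the lockstep monitor

def run_lockstep(inputs: List[int],
                 event_cycles: Tuple[Optional[int], Optional[int]] = (None, None),
                 fault: Optional[Tuple[int, int]] = None) -> Optional[int]:
    """Drive two cores with identical inputs and compare their outputs each cycle.
    event_cycles: cycle at which the asynchronous event reaches core A and core B.
    fault: (cycle, bitmask) XORed into core B's state to model a hardware fault.
    Returns the first cycle at which the monitor observes divergence, else None."""
    a, b = Core(), Core()
    for cycle, x in enumerate(inputs):
        if event_cycles[0] == cycle:
            a.pending_event = True
        if event_cycles[1] == cycle:
            b.pending_event = True
        if fault is not None and fault[0] == cycle:
            b.acc ^= fault[1]          # injected single-event upset in core B
        if a.step(cycle, x) != b.step(cycle, x):
            return cycle               # monitor flags divergence; the pair is faulted
    return None

# Constructed sample input stream (not from the paper).
SAMPLE_INPUTS = [3, 1, 4, 1, 5, 9, 2, 6]

if __name__ == "__main__":
    print("no fault, no events:", run_lockstep(SAMPLE_INPUTS))
    print("bit-flip at cycle 3: ", run_lockstep(SAMPLE_INPUTS, fault=(3, 1 << 5)))
    print("event sync'd to 2/2: ", run_lockstep(SAMPLE_INPUTS, event_cycles=(2, 2)))
    print("event skewed 2/4:    ", run_lockstep(SAMPLE_INPUTS, event_cycles=(2, 4)))
```

The skewed-event case shows why asynchronous events must be synchronized: the monitor cannot distinguish a late interrupt on one core from a genuine fault, so unsynchronized delivery produces a false divergence.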
Modern processor architectures have changed greatly since the early 2000s, with the adoption of multicore computing architectures and System on Chip (SoC) based designs. Because multiple cores, hardware accelerators and peripherals are now integrated on a single device, creating a high-integrity architecture is nowhere near as straightforward. Higher levels of integration complicate the synchronization of asynchronous hardware events within multicore SoC devices. The interconnect architectures that link the cores, peripherals, accelerators and memory controllers introduce numerous internal clock domain crossings and interference latencies from arbitration of shared resources, which produce system jitter. These challenges are further compounded in modern processor architectures that rely on branch prediction, Translation Lookaside Buffers, multi-level caches, out-of-order/speculative execution and unexpected machine state interrupts. Processing architectures will continue to advance by adopting more performance-driven designs that are not built with determinism in mind, making granular lockstep at the hardware level increasingly difficult. Accordingly, modern processing architectures may not support instruction-level lockstep unless it is designed in by the silicon manufacturer, and general purpose processor elements in commercial off-the-shelf (COTS) devices do not support high-integrity operation without some form of custom hardware or software. In order to continue to leverage COTS devices for high-integrity general purpose processing, system designers will need to adopt new processing architectures and approaches that exploit the capabilities of current multicore SoC devices in order to achieve a comparable level of synchronization.