LiVe: Timely error detection in light-lockstep safety critical systems

Safety-critical systems rely on features such as lockstep execution for error detection, and reset and reexecution for error correction. In particular, light lockstep is an attractive choice since it does not require redesigning cores but, instead, comparing off-core activities (i.e. data/addresses sent). While this approach suffices to guarantee functional correctness of the system, as needed for certification against safety standards (e.g., ISO26262), it fails to provide any timing guarantee as the time elapsed since the error occurs until lockstep detects it can be inordinately large. In this paper (i) we analyse the timing behaviour of errors in light lockstep systems, showing that a significant fraction of errors may remain undetected for long periods. Then, (ii) we put this problem in the context of certification against safety standards. Finally, (iii) we propose LiVe (Lightly Verbose), an approach to guarantee timely detection of errors at low cost in the context of light lockstep systems.