On the Risk of Fault Coupling over the Chip Substrate

Duplication and comparison has proven to be an efficient method for error detection. Based on this generic principle dual core processor architectures with output comparison are being proposed for safety critical applications. Placing two instances of the same (arbitrary) processor on one die yields a very cost efficient "single chip" implementation of this principle. At the same time, however, the physical coupling of the two replica creates the potential for certain types of faults to affect both cores in the same way, such that the mutual checking will fail. The key question here is how this type of coverage leakage relates to other imperfections of the duplication and comparison approach that would also be found using two cores on separate dies (such as coupling over a common power supply or clock). In this paper we analyze several of the relevant physical coupling mechanisms and elaborate a model to decompose the genesis of a common cause fault into several steps. We present an experimental study showing that a very tight local and temporal coincidence of the fault effect in both replica is a crucial prerequisite for a common cause fault. Based on this quantitative input we can conclude from our decomposition model that the risk of common cause faults is low for physical coupling mechanisms with relatively slow propagation speed, such as thermal and mechanical effects. The role of asymmetry for mitigating common cause faults is discussed in the light of these findings.