Command Interleaving for Environment Induced Fault Mitigation in High Consequence Embedded Software
Authors
Primary: R A Williams, Sandia National Laboratories, rawilli@sandia.gov
“At-most-once, requiring authorization” operations are special high consequence activities that must be executed as part of the device operation, but that must not be executed prematurely, repeatedly, or without authorization. Examples may include space or automotive applications that result in an irreversible operation or decision that, if executed in a premature or unauthorized fashion, could cause injury, loss of life, or significant property destruction. Embedded systems that operate in hazardous or unpredictable environments must be designed to withstand those environments, but occasionally abnormally strong physical effects occur that exceed the design envelope. Under these circumstances, an abnormal physical environment will produce enough disruption to cause unintended behavior.
The probability of an environment-induced fault, or combination of faults, causing premature execution of high consequence code can be reduced by designing the hardware and software portions of an embedded system so that a triple-fault condition is required to produce the undesired outcome. This paper introduces the strategy of "command interleaving", a design technique for embedded systems that uses formal logic to harden the high consequence portion of the code against predictable double-fault conditions.
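The triple-fault requirement above can be checked exhaustively for a given guard design. The following is an added illustration, not the paper's command-interleaving technique: the two guard designs, the state encodings (AUTH_OK, ARMED_OK, FIRE_CMD) and the fault model (one flipped bit in a stored state byte, or one comparison forced true by a skipped instruction) are all constructed for this example, and the harness reports the smallest number of simultaneous faults that fires the at-most-once operation from the idle state.

```python
import itertools

# Fault model (assumed for this example): a single bit flip in one stored state
# byte, or one comparison forced true (an instruction skip). Two of these at
# once is a "double fault", three a "triple fault".
def bit_flips(names):
    return [(n, 1 << b) for n in names for b in range(8)]

def weak_guard(state, skips):
    # Weak design: one combined "ready" flag and a single-bit execute command.
    ready = state["ready"] == 0x01 or 0 in skips
    cmd = state["cmd"] == 0x01 or 1 in skips
    return ready and cmd

# Constructed multi-bit constants; no single flip reaches them from zero.
AUTH_OK, ARMED_OK, FIRE_CMD = 0xA5, 0x3C, 0xC3

def hardened_guard(state, skips):
    # Hardened design: three independent conditions, each a full-byte compare.
    auth = state["auth"] == AUTH_OK or 0 in skips
    armed = state["armed"] == ARMED_OK or 1 in skips
    cmd = state["cmd"] == FIRE_CMD or 2 in skips
    return auth and armed and cmd

def min_faults_to_fire(guard, idle_state, n_checks, max_faults=3):
    """Smallest number of simultaneous faults that makes guard() return True
    starting from idle_state, or None if more than max_faults are needed."""
    faults = [("flip", f) for f in bit_flips(idle_state)] + \
             [("skip", i) for i in range(n_checks)]
    for k in range(1, max_faults + 1):
        for combo in itertools.combinations(faults, k):
            state, skips = dict(idle_state), set()
            for kind, f in combo:
                if kind == "flip":
                    state[f[0]] ^= f[1]   # corrupt one bit of one state byte
                else:
                    skips.add(f)          # comparison f is forced true
            if guard(state, skips):
                return k
    return None

if __name__ == "__main__":
    # Weak design fires under a double fault; hardened design needs a triple.
    print(min_faults_to_fire(weak_guard, {"ready": 0, "cmd": 0}, 2))
    print(min_faults_to_fire(hardened_guard, {"auth": 0, "armed": 0, "cmd": 0}, 3))
```

The same harness can be pointed at a real guard's state encoding and check list to confirm that no enumerated single or double fault reaches the irreversible action.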