Abstract-A totally self-checking digital system uses error detecting codes at subsystem interfaces to detect faults before they can lead to harmful undetected errors. This paper develops a formal model for studying totally self-checking systems.Totally self-checking systems are first defined, and, because the propagation of errors is of critical interest, properties characterizing error propagation are defined. For a given subsystem the "propagation graph" is used to represent the error propagation characteristics. The model is completed by defining a system's "interconnection graph" which is formed by connecting the propagation graphs of the subsystems. Then sufficient conditions for which a system is totally selfchecking are stated in terms of the model. The paper concludes with applications of the model including system design, checker placement, data contamination analysis, and fault diagnosis.