A fault-tolerant scheme is presented which is based on two copies of a self-checking module and a fail-safe interface. The interface preserves the modules' safety and becomes fault-tolerant by embedding appropriate self-testing capabilities. We show that, for self-checking module area overheads not exceeding the theoretical upper bound of square root 3-1 (73%), our fault-tolerant scheme is more reliable than the triplicated modular redundant structure.