The invention relates to a system (1), comprising at least two asynchronous computers (2-i), on each of which at least one application (A) is executed, which provides control data (SD) for at least one actuation system (3), wherein the provided control data (SD) are transmitted by a control-authorized computer (2-i) that assumes a master computer status (M-RS) to the actuation system (3) for the control thereof, wherein the computers (2-i) of the system (1) cyclically exchange state data (ZD) and performance data (LD) with each other by means of a data interface in a data exchange (DAS), wherein the computers (2-i) each determine, on the basis of the state and performance data (ZD.sub.opp, LD.sub.opp) received from other computers (2-j) and on the basis of the computer's own state and performance data (ZD.sub.own, LD.sub.own, in a master/slave selection (MSA) performed on the computer (2-i), a computer status (RS) as a control-authorized or non-control-authorized computer (2-i) to be assumed by the particular computer (2-i) itself.

The invention relates to a method for forcing fail-silent behavior of a periodically functioning, distributed real-time computer system, which real-time computer system comprises at least two redundant NSCFCUs. At the beginning of a frame, the at least two redundant NSCFCUs (110, 111) are supplied with the same input data, wherein each of the redundant NSCFCUs calculates a result, preferably by means of a deterministic algorithm, particularly from the input data, and wherein this result is packed into a CSDP with an end-to-end signature, and wherein the CSDPs of the NSCFCUs (110, 111) are transmitted to an SCFCU (130), and wherein the SCFCU (130) checks whether the bit patterns of the received CSDPs are identical, and, if disparity of the bit patterns is found, prevents further transmission of the CSDPs, particularly those CSDPs in which disparity was found. Furthermore, the invention relates to a periodically functioning, distributed real-time computer system.

An output module comprises two management units each of which calculates the current demand for the module independently from one another. One management unit controls an output current, controller whilst the other unit monitors the current produced by the output current controller against an independently calculated demand. The output module has multiple output modules. In normal operation, each module provides a portion of the required output current, the total output current being equal to the sum of the currents output by each module. in the event of failure on one of the, modules, the other module or modules switch to providing the total current required and the failed module is switched to a fail safe mode by using an isolation circuit to switch off the output current from that module.

A programmable safety unit for monitoring and controlling safety functions of a hazardous environment, for example an environment including hazardous machines, processes, materials, and so forth and safety equipment associated with the hazardous environment. A safety unit is adapted for external mounting, and includes a programmable safety module and a connection part that are interconnectable enabling mounting/demounting and replacement of the programmable safety module and/or the connection part. The safety unit further includes at least two connections that are programmable as safe inputs and/or outputs for direct connection to at least a number of the safety functions or equipment of the hazardous environment, and for example the machines and/or processes.

A safety device includes a first computation unit, a second computation unit, an output control unit, and a first central processing device. The first computation unit is configured to perform a first computation on a detected value detected from a subject to be controlled, thus obtaining a first result value. The second computation unit is configured to perform a second computation on the detected value, thus obtaining a second result value which is to be determined if equal to the first result value. The output control unit is configured to output the first result value in a case that the second computation unit determines that the first result value is equal to the second result value, and not to output the first result value in a case that the second computation unit determines that the first result value is not equal to the second result value.