G06F11/1675

Locking/unlocking CPUs to operate in safety mode or performance mode without rebooting

An embodiment of the invention provides a method for changing a multi-processor system from a performance mode to a safety mode while the system continues to run software. When an external event or exception occurs, the context is switched from the performance mode to the safety mode. After the context switch, at least one pair of CPUs is synchronized to operate in the safety mode. In addition, a multi-processor system may be switched from the safety mode to the performance mode while the software continues to operate.

Processor system and fault detection method thereof

Provided is a processor system including a first processor driven by a first driving voltage and a first driving clock, a second processor driven by a second driving voltage and a second driving clock and configured to perform an identical task to the first processor, and a defect detector configured to perform level synchronization or clock domain synchronization on a first output signal provided from the first processor and a second output signal provided from the second processor to compare the first and second output signals, wherein the first and second driving voltages are respectively provided from mutually independent power supply sources and the first and second driving clocks are respectively provided from mutually independent clock generators.

Fault tolerant processor for real-time systems
10423417 · 2019-09-24

A fault tolerant multi-threaded processor uses the temporal and/or spatial separation of instructions running in two or more different threads. An instruction is fetched, decoded and executed by each of two or more threads to generate a result for each of the two or more threads. These results are then compared using comparison hardware logic and if there is a mismatch between the results obtained, then an error or event is raised. The comparison is performed on an instruction by instruction basis so that errors are identified (and hence can be resolved) quickly.

Computer architecture for mitigating transistor faults due to radiation
10423504 · 2019-09-24

A transmitting computer for a vehicle is disclosed, and includes a command circuit, a monitor circuit, and a master circuit. The command circuit receives a real-time signal and executes a first set of instructions to analyze the real-time signal, and generates a plurality of command signals based on executing the first set of instructions. The monitor circuit receives the command signals and the real-time signal. The monitor circuit executes a second set of instructions to analyze the real-time signal and generates a plurality of replica signals based on executing the second set of instructions. The monitor circuit generates an initial reset command in response to determining an initial miscompare between one of the plurality of command signals and the plurality of replica signals. The master circuit is in communication with both the command circuit and the monitor circuit and receives an indication that the initial reset command is generated.

Software handling of hardware errors

A system and method that detects hardware and software errors in an embedded system, including: detecting or measuring an operating state; causing one or more computation engines to operate in group synchrony; causing one or more active monitors, which monitor the computation engines at an automotive integrity level, to operate in group synchrony; synchronizing the communication between and from the plurality of computation engines and the plurality of active monitors, respectively; and arbitrating the output generated by the computation engines and the active monitors.

CIRCUITRY
20190265983 · 2019-08-29

Circuitry comprises control circuitry to control an operating state of a data handling device of a set of two or more redundant data handling devices configured to perform identical data handling functions; the control circuitry being configured to control an operating state of the respective controlled data handling device as a state transition from a current operating state of that data handling device to a target operating state in response to the issue of a respective state change signal; the control circuitry comprising a detector responsive to issue of the state change signal in respect of a first threshold number representing some but not all of the data handling devices, to detect whether the state change signal is issued in respect of a further one or more of the devices so that a second threshold number of data handling devices is reached.
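As an added example (not the patent's circuitry), the following C code models the two-threshold detector described above: once state change signals have been issued in respect of a first threshold T1 of the redundant devices (some but not all), the detector watches whether further devices also signal so that a second threshold T2 is reached, and only then applies the transition to the set. The device count, the thresholds, the time window, the requirement that signalling devices agree on the target state, and the "diverged" outcome when T2 is not reached in time are assumptions made for illustration; the abstract does not specify them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the patent's circuitry. Models the two-threshold detector
 * for a set of redundant data handling devices; thresholds, window and the
 * divergence outcome are assumptions made for illustration. */

#define MAX_DEVICES 8

enum op_state { STATE_IDLE = 0, STATE_ACTIVE = 1, STATE_SAFE = 2 };

enum detect_result {
    DETECT_NONE,      /* fewer than T1 devices have signalled a change */
    DETECT_PENDING,   /* T1 reached, T2 not yet: keep watching the others */
    DETECT_COMMIT,    /* T2 reached with an agreed target: transition applied */
    DETECT_DIVERGED   /* T2 not reached within the window, or targets disagree */
};

struct redundant_set {
    size_t n, t1, t2;                  /* device count; thresholds, t1 < t2 <= n */
    unsigned window;                   /* cycles allowed between reaching T1 and T2 */
    unsigned pending_for;              /* cycles spent in DETECT_PENDING so far */
    enum op_state state[MAX_DEVICES];  /* current operating state per device */
    bool signalled[MAX_DEVICES];       /* state change signal seen for device i */
    enum op_state target[MAX_DEVICES]; /* target state requested by device i */
};

void rs_init(struct redundant_set *s, size_t n, size_t t1, size_t t2, unsigned window) {
    if (n > MAX_DEVICES) n = MAX_DEVICES;
    *s = (struct redundant_set){ .n = n, .t1 = t1, .t2 = t2, .window = window };
}

/* A state change signal is issued in respect of device `dev`. */
void rs_signal(struct redundant_set *s, size_t dev, enum op_state target) {
    if (dev >= s->n) return;
    s->signalled[dev] = true;
    s->target[dev] = target;
}

static void rs_clear(struct redundant_set *s) {
    for (size_t i = 0; i < s->n; i++) s->signalled[i] = false;
    s->pending_for = 0;
}

/* Evaluate the detector once per cycle. */
enum detect_result rs_step(struct redundant_set *s) {
    size_t k = 0;
    bool agree = true;
    enum op_state tgt = STATE_IDLE;
    for (size_t i = 0; i < s->n; i++) {
        if (!s->signalled[i]) continue;
        if (k == 0) tgt = s->target[i];
        else if (s->target[i] != tgt) agree = false;
        k++;
    }
    if (k < s->t1) { s->pending_for = 0; return DETECT_NONE; }
    if (!agree) { rs_clear(s); return DETECT_DIVERGED; }
    if (k >= s->t2) {
        /* Redundant devices must stay identical: move the whole set together. */
        for (size_t i = 0; i < s->n; i++) s->state[i] = tgt;
        rs_clear(s);
        return DETECT_COMMIT;
    }
    if (++s->pending_for > s->window) { rs_clear(s); return DETECT_DIVERGED; }
    return DETECT_PENDING;
}

int main(void) {
    struct redundant_set s;
    rs_init(&s, 3, 1, 2, 2);             /* triple-redundant set, T1 = 1, T2 = 2 */
    rs_signal(&s, 0, STATE_SAFE);
    printf("after 1 signal: %d\n", rs_step(&s));   /* 1 = DETECT_PENDING */
    rs_signal(&s, 1, STATE_SAFE);
    printf("after 2 signals: %d\n", rs_step(&s));  /* 2 = DETECT_COMMIT */
    return 0;
}
```

The pending window matters for a redundant set: if T1 devices request a transition and the rest never follow, the set is no longer behaving identically, and the detector reports that rather than leaving some devices in one state and the others in another.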

Apparatus and method for a security-critical application

An apparatus and a method for the parallel and independent operation of a normal program and a secure program, based on a runtime system structure, have all control-relevant components integrated on a hardware component with a specific hardware architecture and isolated from one another by a runtime system structure of two dual runtime systems, so that changes can be made to non-security-relevant components without restriction. The isolation can be provided by prioritizing one of the runtime systems. Such a runtime system structure or hardware architecture eliminates the need for follow-up certification of user-programmable controllers, and the certification of the security-critical component remains valid even when changes are made to the non-security-relevant components.

Ensuring a correct program sequence in a dual-processor architecture

A method of ensuring a correct program sequence in a dual-processor module that includes Processor A and Processor B, both coupled to a common memory. Processor A and Processor B each execute a first safety program and each generate an instruction stream therefrom. At one or more points in time while running the first safety program, Processor A reads its program counter value from the current instruction being executed and generates therefrom a current Processor A CRC value, and Processor B reads its program counter value from the same current instruction being executed and generates therefrom a current Processor B CRC value. Processor A transfers its current CRC value to Processor B and/or Processor B transfers its current CRC value to Processor A, and the CRC values are compared. A safety action is triggered if the comparison determines that the current CRC values do not match.
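As an added example (not the patent's implementation), the following C code models the dual-processor check above: two cores run the same program, and at each checkpoint each computes a CRC from the program counter values it has executed, exchanges it with its peer, and a mismatch triggers a safety action. It goes slightly beyond the abstract by also running a plain comparison of the current PC values, to show why a CRC over the PC history catches a control-flow fault that has already reconverged. The PC traces, the checkpoint interval, the choice of CRC-32 and the safety action are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the patent's implementation. Two processors run the same
 * safety program; at each checkpoint both compute a CRC from the program
 * counter values executed so far, exchange it, and compare. The PC traces,
 * the checkpoint interval and the safety action are constructed assumptions. */

/* CRC-32 (reflected polynomial 0xEDB88320) fed one 32-bit PC value at a time. */
static uint32_t crc32_feed(uint32_t crc, uint32_t pc) {
    for (int b = 0; b < 4; b++) {
        crc ^= (pc >> (8 * b)) & 0xFFu;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

struct core {
    const uint32_t *trace; /* constructed PC trace standing in for the instruction stream */
    size_t ip;             /* index of the next instruction */
    uint32_t pc;           /* PC of the instruction just executed */
    uint32_t sig;          /* running CRC over every PC executed so far */
};

static void core_step(struct core *c) {
    c->pc = c->trace[c->ip++];
    c->sig = crc32_feed(c->sig, c->pc);
}

static bool g_in_safe_state = false;

/* Assumed safety action: stop issuing outputs and hold a safe state. */
static void safety_action(void) { g_in_safe_state = true; }

/* Run both cores for `len` instructions and compare at every `interval`-th one.
 * With use_crc the running signatures are exchanged; otherwise only the current
 * PC values are compared. Returns the instruction count at which a mismatch was
 * detected (and the safety action triggered), or 0 for a clean run. */
size_t run_lockstep(const uint32_t *ta, const uint32_t *tb, size_t len,
                    size_t interval, bool use_crc) {
    struct core a = { ta, 0, 0, 0xFFFFFFFFu };
    struct core b = { tb, 0, 0, 0xFFFFFFFFu };
    g_in_safe_state = false;
    for (size_t n = 1; n <= len; n++) {
        core_step(&a);
        core_step(&b);
        if (n % interval != 0) continue;
        /* A sends its value to B and B to A; each side compares. */
        bool match = use_crc ? (a.sig == b.sig) : (a.pc == b.pc);
        if (!match) { safety_action(); return n; }
    }
    return 0;
}

#define TRACE_LEN 8
/* Constructed traces: processor B executes two instructions out of order and
 * then reconverges, so its current PC matches A at every checkpoint. */
static const uint32_t trace_good[TRACE_LEN]  = {0x1000,0x1004,0x1008,0x100C,0x1010,0x1014,0x1018,0x101C};
static const uint32_t trace_fault[TRACE_LEN] = {0x1000,0x1008,0x1004,0x100C,0x1010,0x1014,0x1018,0x101C};

int main(void) {
    printf("CRC check detects fault at instruction %zu\n",
           run_lockstep(trace_good, trace_fault, TRACE_LEN, 4, true));   /* 4 */
    printf("PC-only check detects fault at instruction %zu\n",
           run_lockstep(trace_good, trace_fault, TRACE_LEN, 4, false));  /* 0: missed */
    return 0;
}
```

The CRC also keeps the exchanged value to one word per checkpoint regardless of how many instructions ran in between, which is what makes a sparse checkpoint interval practical on a real inter-core link.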

Data processing device

In a data processing device including two sets of circuit pairs, each set duplicated in one of two clock domains that are asynchronous to each other, an asynchronous transfer circuit that transfers a payload signal is provided between the two sets of circuit pairs. The asynchronous transfer circuit includes two sets of a pair of bridge circuits, respectively connected to the two sets of circuit pairs, and asynchronously transfers the payload signal together with a control signal indicating the timing at which the payload signal is stable on the receiving side. The bridge circuit pairs and the payload signals can be duplicated, but the control signal is not duplicated; the received payload signal is used for timing control so that the same expected time difference is supplied to the pair of duplicated circuits. This enables asynchronous transfer between circuits duplicated in the asynchronous clock domains.

Data Synchronization Method and Out-of-Band Management Device
20190079675 · 2019-03-14

A data synchronization method includes, before data synchronization, checking first to-be-checked information stored in an active area of a first board to obtain a first check result and checking second to-be-checked information stored in an active area of a second board to obtain a second check result, where the first board and the second board are included in an out-of-band management device; determining an active board and a standby board from the first board and the second board according to the first check result and the second check result; and synchronizing data in an active area of the active board to a standby area of the standby board. Hence, the method ensures the validity of data synchronization.