G06F11/18

Apparatus and method for communications in a safety critical system
RE049043 · 2022-04-19

A safety communication scheme for a safety-critical system which includes two or more higher level units that have voting capabilities and one or two sets of lower level units that do not have voting capabilities, involves using one channel between the high and low level units for safety and two channels for redundancy.

Method, apparatus, and computer-readable storage medium having instructions for cancelling a redundancy of two or more redundant modules

A method, an apparatus, and a computer-readable storage medium having instructions for cancelling a redundancy of two or more redundant modules. Results of the two or more redundant modules are received; reliabilities of the results are ascertained; and, based on the ascertained reliabilities, an overall result is determined from the results. The overall result is output for further processing.

Diagnosing apparatus, diagnosing method, and computer readable medium storing diagnosing program
11181896 · 2021-11-23

A diagnosing apparatus diagnoses an abnormality in a control system that includes a plurality of controllers adopting a redundant configuration. The control system includes the plurality of controllers adopting a redundant configuration; and an interface apparatus that outputs control output data, which is based on a plurality of redundant pieces of control data received from the plurality of controllers, to a device under control. The diagnosing apparatus includes a statistical information acquiring section that acquires statistical information including adoption/non-adoption of the control data from each of the plurality of controllers in the interface apparatus; and a diagnosing section that diagnoses the control system based on the statistical information.

Redundant processing fabric for autonomous vehicles
11176007 · 2021-11-16

A redundant processing fabric in an autonomous vehicle may include processing, by a first processing unit of a plurality of processing units, sensor data from a first sensor of a plurality of sensors, where the plurality of processing units are coupled to the plurality of sensors via a switched fabric, wherein the plurality of processing units and plurality of sensors are included in the autonomous vehicle; determining a failure in processing the sensor data by the first processing unit; and redirecting, via the switched fabric, sensor data from the first sensor to a redundant processing unit.

Method of using a single controller (ECU) for a fault-tolerant/fail-operational self-driving system

In a self-driving autonomous vehicle, a controller architecture includes multiple processors within the same box. Each processor monitors the others and takes appropriate safe action when needed. Some processors may run dormant or low priority redundant functions that become active when another processor is detected to have failed. The processors are independently powered and independently execute redundant algorithms from sensor data processing to actuation commands using different hardware capabilities (GPUs, processing cores, different input signals, etc.). Intentional hardware and software diversity improves fault tolerance. The resulting fault-tolerant/fail-operational system meets ISO26262 ASIL D specifications based on a single electronic controller unit platform that can be used for self-driving vehicles.

System, in particular for controlling signal towers in rail traffic

A system, in particular for controlling signal towers in rail traffic, includes at least a plurality of redundant replicants for generating redundant control signals. A voter structure having a plurality of majority voters is also provided. Each majority voter has a respective output and inputs that are connected to the outputs of the plurality of redundant replicants. The voter structure and the plurality of redundant replicants are separated from one another in terms of hardware, the outputs of the plurality of majority voters are connected to the inputs of a discriminator voter and the output of the discriminator voter provides a control signal, in particular for controlling signal towers. The discriminator voter only emits a control signal when the inputs thereof are not at variance.

System recovery using a failover processor

Techniques for system recovery using a failover processor are disclosed. A first processor, with a first instruction set, is configured to execute operations of a first type; and a second processor, with a second instruction set different from the first instruction set, is configured to execute operations of a second type. A determination is made that the second processor has failed to execute at least one operation of the second type within a particular period of time. Responsive to determining that the second processor has failed to execute at least one operation of the second type within the particular period of time, the first processor is configured to execute both the operations of the first type and the operations of the second type.

Redundant processing fabric for autonomous vehicles
11775400 · 2023-10-03

A redundant processing fabric in an autonomous vehicle may include: processing, by a first processing unit of a plurality of processing units, sensor data from a first sensor of a plurality of sensors, where the plurality of processing units are coupled to the plurality of sensors via a switched fabric, wherein the plurality of processing units and plurality of sensors are included in the autonomous vehicle, wherein the sensor data corresponds to an environment external to the autonomous vehicle; determining a failure in processing the sensor data by the first processing unit; severing, in the switched fabric, a first communications path between the first sensor and the first processing unit; and establishing, in the switched fabric, a second communications path between the first sensor and a redundant processing unit.

Computer system installed on board a carrier implementing at least one service critical for the operating safety of the carrier

A computer system installed on board a carrier, communicating in a network with a data concentrator and with a monitor, and implementing at least one service that is critical for the operating safety of the carrier, the critical service being redundant in at least two instances (δ₁, …, δₘ) on different respective computers (C₁, …, Cₘ) connected to the network, each computer (Cₖ) implementing at least one software task implementing an instance (δₖ) of the critical service being configured to implement the critical service by way of time control.