Patent classifications
G06F11/1633
Use of multicore processor to mitigate common mode computing faults
A control system includes a computing channel and an object control channel. The computing channel includes command and monitor lanes. The command lane has a first processor core with a first core architecture receiving input data and generating first data based on the input data. The monitor lane has a second processor core with a second core architecture receiving the input data and generating second data based on the input data. The first core architecture and the second core architecture are dissimilar and implemented in a single system-on-chip device. The computing channel outputs the first data as command data responsive to determining the first data is matched to the second data. The object control channel corresponds to the computing channel and includes an object control system receiving the command data and generating an object control signal based on the command data to control operation of at least one part of an object system.
Ensuring a correct program sequence in a dual-processor architecture
A method of ensuring a correct program sequence in a dual-Processor module that includes Processor A and Processor B. Processor A and Processor B are both coupled to a common memory. Processor A and Processor B each execute a first safety program and each generate an instruction stream therefrom. At one or more points in time while running the first safety program, Processor A reads its program counter value from a current instruction being executed and generates therefrom a current Processor A CRC value, and Processor B reading its program counter value from the same current instruction being executed generates therefrom a current Processor B CRC value. Processor A transfers its current CRC value to Processor B and/or Processor B transfers its current CRC value to Processor A, and these CRC values are compared. A safety action is triggered if the comparing determines non-matching current CRC values.
PROGRAMMABLE ELECTRONIC COMPUTER IN AN AVIONICS ENVIRONMENT FOR IMPLEMENTING AT LEAST ONE CRITICAL FUNCTION AND ASSOCIATED ELECTRONIC DEVICE, METHOD AND COMPUTER PROGRAM
A programmable electronic computer embedded in an avionics environment on board an aircraft for implementing at least one critical function and associated electronic device, method and computer program are disclosed. In one aspect, the electronic computer includes at least one control module configured to implement a respective critical function and configured to deliver at least one output data item associated with the critical function, and at least one monitoring module of a control module of another electronic computer. Each monitoring module is configured to implement the same respective critical function as the one implemented by the monitored control module.
Control system
A control system includes an arithmetic device configured of an A system arithmetic unit including a data dividing unit, a B system arithmetic unit including a data dividing unit, and an A system communication control unit including a data combining unit and a collation unit, wherein the A system arithmetic unit and the B system arithmetic unit have a duplex configuration, the A system arithmetic unit and the B system arithmetic unit are separated by a gap, a frame output from the A system arithmetic unit is transmitted to a B system communication control unit through the A system communication control unit and an interface element, and a frame output from the B system arithmetic unit is transmitted to the A system communication control unit through the B system communication control unit and an interface element.
HARDWARE LOCKSTEP CHECKING WITHIN A FAULT DETECTION INTERVAL IN A SYSTEM ON CHIP
A method to check for redundancy in two or more data lines comprises receiving data on a first data line, computing a first cyclic redundancy check (CRC) value on the data of the first data line, performing an exclusive OR (XOR) function on the first CRC value with a stored memory value, and updating the stored memory value with a result of the XOR function, and repeating on additional data lines until a last line is processed such that an error is indicated if a final stored memory value is not zero. An apparatus to check that two cores are operating in lockstep comprises a first core comprising a first data checker, a second core comprising a second data checker, and a lockstep checker to compare an output of the first data checker with an output of the second data checker.
Signal Pairing for Module Expansion of a Failsafe Computing System
A system includes a central processing unit (CPU), a first input/output (I/O) module, and a second I/O module. The first I/O module includes a first module health controller operatively connected to the CPU. The second I/O module includes a second module health controller operatively connected to the first module health controller and the CPU. One of the first module health controller and the second module health controller is configured to assert a paired module health signal to the CPU indicating that the first I/O module and the second I/O module are healthy.
Redundant computer system utilizing comparison diagnostics and voting techniques
A redundant computer system utilizing comparison diagnostics and voting techniques includes a plurality of redundant channels. Each pair of the processors receives/obtains process information from I/O modules via dual redundant sensors (DRS). The processors execute an application program, whereby an output module is utilized for comparing output data of the two processors. Output module receives output data from neighboring modules, if there is a deviation or other disparity in the output data. Each pair of processors, a voter and an improper sequence detector component disables the output module, if a majority of signals vote that output module fails. In addition, the system uses 2-of-3 voting; the system remains operational in the presence of up to two transient or hard failures.
Circuit for controlling an acceleration, braking and steering system of a vehicle
A circuit for controlling an acceleration, braking and steering system of a vehicle having at least two separate motors for actuating the acceleration and braking system, at least two separate motors for actuating the steering system and at least one electronic control unit for controlling the motors. The control unit comprises three identical CPUs and one programmable logic component. Each of the CPUs generates control signals for the motors depending on input control signals and sensor signals of the motors and forwards these control signals to the programmable logic component. The programmable logic component, depending on its programming, forwards the control signals of one of the CPUs to the motors.