G06F11/1637

APPARATUSES, METHODS, AND SYSTEMS FOR HARDWARE-ASSISTED LOCKSTEP OF PROCESSOR CORES
20210303372 · 2021-09-30

Systems, methods, and apparatuses relating to circuitry to implement lockstep of processor cores are described. In one embodiment, a hardware processor comprises a first processor core comprising a first control flow signature register and a first execution circuit, a second processor core comprising a second control flow signature register and a second execution circuit, and at least one signature circuit to perform a first state history compression operation on a first instruction that executes on the first execution circuit of the first processor core to produce a first result, store the first result in the first control flow signature register, perform a second state history compression operation on a second instruction that executes on the second execution circuit of the second processor core to produce a second result, and store the second result in the second control flow signature register.

Methods and apparatus for verifying processing results and/or taking corrective actions in response to a detected invalid result

Methods and apparatus for detecting that a processing node, in a network including a plurality of processing nodes, is reporting invalid results and for taking corrective actions in response to the detection are described.

Programmable electronic computer in an avionics environment for implementing at least one critical function and associated electronic device, method and computer program

A programmable electronic computer embedded in an avionics environment on board an aircraft for implementing at least one critical function, and an associated electronic device, method and computer program, are disclosed. In one aspect, the electronic computer includes at least one control module configured to implement a respective critical function and configured to deliver at least one output data item associated with the critical function, and at least one monitoring module of a control module of another electronic computer. Each monitoring module is configured to implement the same respective critical function as the one implemented by the monitored control module.

Technologies for ensuring functional safety of an electronic device

Technologies for ensuring functional safety of an electronic device include receiving data by a primary and a secondary hardware unit and performing a function on the data. Each of the primary and secondary hardware units performs the same function on its respective set of data to generate corresponding results. A determination is made whether the hardware units are synchronized and the results can be compared. If so, the results are compared and an alert is generated if the results do not match.

Method and fault tolerant computer architecture for reducing false negatives in fail-safe trajectory planning for a moving entity

A method and a fault-tolerant computer architecture (FCTA) for fail-safe trajectory planning for a moving entity (MOV) are described. The method and FCTA use a commander (COM), a monitor (MON), and a safe envelope generating stage (ENV). Based on sensor input, the commander (COM) and the monitor (MON) produce real-time images of detected objects (OBJ1, OBJ2). A trajectory planning stage (TRJ-PLN) generates trajectories (COM-TRJ1, COM-TRJ2), and the safe envelope generating stage (ENV) generates a safety envelope. The commander (COM) provides the one or more trajectories (COM-TRJ1, COM-TRJ2) to the monitor (MON) and to a decision subsystem (DECIDE). A trajectory verification stage (TRJ-VRFY) verifies a trajectory (COM-TRJ1, COM-TRJ2) generated by the commander (COM) only if said trajectory (COM-TRJ1, COM-TRJ2) is completely located inside said safety envelope. The moving entity (MOV) uses a trajectory (COM-TRJ1, COM-TRJ2) generated by the commander (COM) only when said trajectory is verified by the monitor (MON).

COMPUTING WITH UNRELIABLE PROCESSOR CORES

A computer system has two or more processing engines (PEs), each capable of performing one or more operations on one or more operands, but one or more of the PEs performs the operations unreliably. Initial results of each operation are debiased to create a debiased result that the system uses instead of the initial result. The debiased result has an expected value equal to the correct output, where the correct output is the initial result the respective operation would have produced if it had been performed reliably.

SYSTEMS AND METHODS FOR MONITORING AND IDENTIFYING FAILURE IN DUAL FLIGHT MANAGEMENT SYSTEMS
20200320884 · 2020-10-08

Systems and methods may be used for monitoring and identifying failure in flight management systems. For example, a method may include: calculating, using a first flight management system, a first value of a guidance command for controlling an aircraft for an RNP AP procedure; receiving a second value of the guidance command from a second flight management system; comparing the first value with the second value to determine whether the first value matches the second value; upon determining that the first value does not match the second value, using a flight management system monitor to determine, from the first flight management system and the second flight management system, a flight management system that has computed a correct value of the guidance command; and generating a message indicating that the determined flight management system is to be used to guide the aircraft.

METHODS AND APPARATUS FOR VERIFYING PROCESSING RESULTS AND/OR TAKING CORRECTIVE ACTIONS IN RESPONSE TO A DETECTED INVALID RESULT
20200310929 · 2020-10-01

Methods and apparatus for detecting that a processing node, in a network including a plurality of processing nodes, is reporting invalid results and for taking corrective actions in response to the detection are described.

METHOD AND SYSTEM FOR A GEOGRAPHICAL HOT REDUNDANCY
20200287845 · 2020-09-10

A geographical hot redundancy method includes: a first master computer transmitting to a second slave computer first input data items and a first execution context for the nth execution cycle of an application, first and second replicas being respectively executed on the first and second computers; execution of the first replica, updating the first execution context at the end of the nth cycle and transmission to the second computer; recovering the first input data items and the first execution context for the nth cycle as the second input data items and second execution context for the nth cycle; executing the second replica in the second execution context for the nth cycle, on the second input data items of the nth cycle, and updating the second execution context at the end of the nth cycle; and checking and verifying consistency by comparing the first and second execution contexts at the end of the nth cycle.

METHOD FOR CONTROLLING OPERATION OF A MEDICAL DEVICE IN A MEDICAL SYSTEM AND MEDICAL SYSTEM
20200279646 · 2020-09-03

A method for controlling operation of a medical device in a medical system having a medical device, a communication device including a remote control for the medical device, and a safety device adapted for data communication with the communication device. Input data is provided and processed by a first calculation to provide a first calculation result. The input data is also processed by a second calculation, executed separately from the first calculation, to provide a second calculation result. The first and second calculation results are compared. When the first and second calculation results are found to be equal, remote control of the medical device by a medical device application running on the communication device is allowed. When the first and second calculation results are found not to be equal, the medical device application running on the communication device is prevented from remotely controlling the medical device.