Patent classifications
G06F11/1637
Management system for a plant facility and method for managing a plant facility
A management system for a plant facility is disclosed. The system includes a first field device that measures a process value, a first control node that calculates a first control value based on the process value, a second field device that operates according to the first control value, and an application node that configures one or more parameters for calculating the first control value. The first control node compares the first control value with a second control value calculated by one of the first field device, a second control node, and the application node. When determining that the first and the second control value are identical, the first control node sets the first control value to the second field device.
Driver switch for device error recovery for assigned devices
An error recovery system includes a memory, a processor in communication with the memory, a primary device, a backup device, a hypervisor executing on the processor, and a virtual machine. The virtual machine includes a guest operating system (OS) executing on the hypervisor, a pass-through device, and a guest driver. The hypervisor executes to detect an error associated with the primary device and to send a request to save a device state to the guest driver. The hypervisor also grants the guest OS access to the backup device. The guest driver receives the request from the hypervisor, and responsive to receiving the request, saves a state signature in the memory. The state signature includes a device signature and the device state of the primary device. Additionally, the guest driver determines a status of the device signature as one of matching and mismatching the backup device.
METHOD AND FAULT TOLERANT COMPUTER ARCHITECTURE TO IMPROVE THE PERFORMANCE IN FAIL-SAFE TRAJECTORY PLANNING FOR A MOVING ENTITY
A method and a fault-tolerant computer architecture (FCTA) to improve the performance in fail-safe trajectory planning for a moving entity (MOV). The method and FCTA use a commander (COM), a monitor (MON), and a safe envelope generating stage (ENV). Based on sensor data input, the commander (COM) and the monitor (MON) produce as output real-time images (COM-OBJ1, COM-OBJ2, MON-OBJ1, MON-OBJ2) of objects (OBJ1, OBJ2) detected by monitoring one or more sensors. A trajectory planning stage (TRJ-PLN) generates trajectories (COM-TRJ1, COM-TRJ2), and the safe envelope generating stage (ENV) generates a safety envelope. A trajectory verification stage (TRJ-VRFY) verifies a trajectory (COM-TRJ1, COM-TRJ2) generated by the commander (COM) only if said trajectory (COM-TRJ1, COM-TRJ2) is completely located inside said safety envelope. A moving entity (MOV) uses a trajectory (COM-TRJ1, COM-TRJ2) generated by the commander (COM) only when said trajectory is verified by the monitor (MON).
METHOD AND FAULT TOLERANT COMPUTER ARCHITECTURE FOR REDUCING FALSE NEGATIVES IN FAIL-SAFE TRAJECTORY PLANNING FOR A MOVING ENTITY
A method and a fault-tolerant computer architecture (FCTA) for fail-safe trajectory planning for a moving entity (MOV). The method and FCTA use a commander (COM), a monitor (MON), and a safe envelope generating stage (ENV). Based on sensor input, the commander (COM) and the monitor (MON) produce real-time images of the objects (OBJ1, OBJ2) detected. A trajectory planning stage (TRJ-PLN) generates trajectories (COM-TRJ1, COM-TRJ2), and the safe envelope generating stage (ENV) generates a safety envelope. The commander (COM) provides the one or more trajectories (COM-TRJ1, COM-TRJ2) to the monitor (MON) and the decision subsystem (DECIDE). A trajectory verification stage (TRJ-VRFY) verifies a trajectory (COM-TRJ1, COM-TRJ2) generated by the commander (COM) only if said trajectory (COM-TRJ1, COM-TRJ2) is completely located inside said safety envelope. A moving entity (MOV) uses a trajectory (COM-TRJ1, COM-TRJ2) generated by the commander (COM) only when said trajectory is verified by the monitor (MON).
AUTOMOTIVE FAULT DETECTION SYSTEMS AND METHODS
Fail-safe and fail-operational behavior can be achieved by providing two fully redundant execution channels comprising at least first and second chiplet dies on a single SoC that are in communication with one another via a D2D interface. At least first and second instances of a first automotive safety integrity level (ASIL) domain circuit, disposed on the at least first and second chiplet dies respectively, perform at least a first ASIL domain process on one or more automotive sensor output signals to produce first and second output signals, respectively. A fault monitoring system monitors at least the first chiplet die for faults and assigns a first value to a selector signal if it detects a fault in the first chiplet die. A selector circuit outputs the second output signal from the system if the selector signal has the first value.
End To End FPGA Diagnostics For A Safety System
A system includes a first fail-safe chassis (FSC) that receives module health signals from a plurality of modules and generates a first chassis health signal. The chassis health signal includes first and second portions. A plurality of modules receives the chassis health signal. The FSC determines whether one or more of the module health signals indicates that an associated module is unhealthy by comparing the module health signals with a predetermined health value. The FSC selectively de-asserts the first chassis health signal based on the comparison. A second FSC operates similarly. A safety relay box determines the health of the system in accordance with the first and second chassis health signals.
APPARATUS AND METHOD FOR DIAGNOSTIC COVERAGE OF A NEURAL NETWORK ACCELERATOR
Systems, apparatuses, and methods for implementing a safety framework for safety-critical Convolutional Neural Networks inference applications and related convolution and matrix multiplication-based systems are disclosed. An example system includes a safety-critical application, a hardware accelerator, and additional hardware to perform verification of the hardware accelerator. The verification hardware has a lower bandwidth than the hardware accelerator, so more machine cycles are required per calculation. A mismatch in the result indicates a faulty processing element.
Method and Apparatus for Protecting a Program Counter Structure of a Processor System and for Monitoring the Handling of an Interrupt Request
A processor system comprises at least a program counter structure, an interrupt control device, a memory, and an apparatus. The interrupt control device is configured to respond to an interrupt request by providing the program counter structure with an address associated with the interrupt request. The program counter structure is configured to output the address to the memory via a memory interface. The apparatus is configured to protect the program counter structure in case of an interrupt request; the apparatus includes an interface, a comparing device, and an outputting device.
Trajectory monitoring
A method for monitoring the flight trajectory of an aircraft comprises the steps, reiterated in time, of receiving and comparing two trajectory objects, the trajectory objects being associated with two initially identical flight trajectories determined independently of each other over time; and, in case of a difference between the two trajectory objects, determining a failed trajectory from the two flight trajectories by comparison with the last known fault-free state, the last known fault-free state corresponding to two identical trajectory objects. Developments describe the use of flight plan segments, the use of signatures, fault isolation simultaneous with a change of current leg, the use of levels of operational safety according to an RNP-AR procedure, and notification of the pilot of the trajectory determined to have failed. Software and system aspects are also described.