G06F11/1641

Processor system, engine control system and control method
09823957 · 2017-11-21

A processor system includes a master processor that successively processes a plurality of tasks, a checker processor that successively processes at least one of the plurality of tasks, and a control circuit that performs control so that the checker processor operates when the master processor and the checker processor perform a lock-step operation, and the checker processor stops its operation when the master processor and the checker processor do not perform the lock-step operation, the lock-step operation being an operation in which each of the master and checker processors processes the same task, in which the control circuit performs control so that a period from when a task is processed by the lock-step operation to when another task is processed in the next lock-step operation is equal to or shorter than a maximum test period, the maximum test period being a test period acceptable to the processor system.

Error recovery for intra-core lockstep mode

An apparatus has a processing pipeline (2) comprising an execute stage (30) and at least one front end stage (10), (20), (25) for controlling which micro operations are issued to the execute stage. The pipeline has an intra-core lockstep mode of operation in which the at least one front end stage (10), (20), (25) issues micro operations for controlling the execute stage (30) to perform main processing and checker processing. The checker processing comprises redundant operations corresponding to associated main operations of at least part of the main processing. Error handling circuitry (200), (210) is responsive to the detection of a mismatch between information associated with given checker and main operations to trigger a recovery operation to correct an error and continue forward progress of the main processing.

Transaction based fault tolerant computing system
20230168978 · 2023-06-01

A computing apparatus includes a transaction-record memory and a comparator. The transaction-record memory is to receive and store one or more sequences of transaction records, each transaction record including a unique transaction ID and a transaction payload. The comparator is to compare the payloads of transaction records having the same transaction ID, and to initiate a responsive action in response to a discrepancy between the compared transaction payloads.

Buffer Checker for Task Processing Fault Detection
20220350643 · 2022-11-03

A graphics processing system for operation with a data store, comprising: one or more processing units for processing tasks; a check unit operable to form a signature which is characteristic of an output from processing a task on a processing unit; and a fault detection unit operable to compare signatures formed at the check unit; wherein the graphics processing system is operable to process each task first and second times at the one or more processing units so as to, respectively, generate first and second processed outputs, the graphics processing system being configured to: write out the first processed output to the data store; read back the first processed output from the data store and form at the check unit a first signature which is characteristic of the first processed output as read back from the data store; form at the check unit a second signature which is characteristic of the second processed output; compare the first and second signatures at the fault detection unit; and raise a fault signal if the first and second signatures do not match.

Mediator assisted switchover between clusters

Techniques are provided for metadata management for enabling automated switchover. An initial quorum vote may be performed before a node executes an operation associated with metadata comprising operational information and switchover information. After the initial quorum vote is performed, the node executes the operation upon one or more mailbox storage devices. Once the operation has executed, a final quorum vote is performed. The final quorum vote and the initial quorum vote are compared to determine whether the operation is to be designated as successful or failed, and whether any additional actions are to be performed.

Electronic control device and control method

An electronic control device includes a processing control unit and an information acquisition unit. The information acquisition unit collects external environment information and transfers the external environment information to the processing control unit, the processing control unit includes a first processor, a second processor, and a storage unit, the processing control unit executes arithmetic processing by a non-redundant processing configuration that executes non-redundant processing using the first processor and the second processor, and arithmetic processing by a redundant processing configuration that executes redundant processing using the first processor and the second processor, and the processing control unit stores a result of arithmetic processing by the non-redundant processing configuration in the storage unit, individually performs arithmetic processing using the stored result in both the first processor and the second processor by arithmetic processing by the redundant processing configuration, and performs determination for an arithmetic processing result by the non-redundant processing configuration based on an arithmetic result by the first processor and an arithmetic result by the second processor.

Apparatus and methods for allocating and indicating engine control authority

A control apparatus includes a first controller configured to generate control signals for controlling an engine or other machine, a second controller configured to generate the control signals for controlling the machine, a transfer circuit, and an arbiter circuit. The transfer circuit is coupled between the machine and the controllers, and is configured to switch from a first state, where the transfer circuit passes the control signals from the first controller to the machine, to a second state, where the transfer circuit passes the control signals from the second controller to the machine, responsive to receiving a first failure signal from the first controller. The arbiter circuit includes three (or more) arbiters, and is configured to control the transfer circuit from the first state to the second state responsive to any two of the three arbiters generating second signals indicative of failure of the first controller.

Diverse integrated processing using processors and diverse firmware

A fault detection system includes a sensor configured to measure a physical quantity and generate a measurement of the physical quantity; a first processor configured to receive the measurement, execute a first firmware based on the measurement, and output a first result of the executed first firmware; a second processor configured to receive the measurement from the sensor, execute a second firmware based on the measurement, and output a second result of the executed second firmware, wherein the first firmware and the second firmware provide a same nominal function in a diverse manner for calculating the first result and the second result, respectively, such that the first result and the second result are expected to be within a predetermined margin; and a fault detection circuit configured to detect a fault when the first result and the second result are not within the predetermined margin.

Electronic fault detection unit
09823983 · 2017-11-21

An electronic fault detection unit is provided that has a first register, a second register, a comparator circuit, and a timer circuit. The first and second register can be written from a first software portion, and a second software portion, respectively. The comparator circuit is arranged to detect that both the first and second register have been written, verify a relationship between first data written to the first register and second data written to the second register, and signal a fault upon said verification failing. The timer circuit is arranged to signal a fault if said verification of the comparator circuit does not occur within a time limit.

Head worn display integrity monitor system and methods

A head worn display system (e.g., helmet mounted (HMD) display system, and an eye wear mounted display system) can include a combiner, a head position sensor and a computer. The computer provides symbology in response to first sensor input values associated with the head position. The symbology can be conformal with a real world scene. A monitoring system includes a redundant head position sensor for providing second sensor input values associated with head position. The computer monitors for positional accuracy of the symbology by comparing symbology calculated using the first and second input sensor values or by using an inverse function to compare sensor values.