A method for fault tolerant controller readiness. Executing functions by a first controller operating in a primary status mode. Operating in a hot standby status mode by a second controller and mirroring the first controller by executing functions to operate as a redundant controller. Operating in a cold standby status mode by at least one backup controller under normal operating conditions. The second controller is reconfigured while operating under normal operating conditions from the hot standby status mode to the primary standby status mode if a failure occurs in the first controller. Reconfiguring the at least one backup controller operating under normal operating conditions from cold standby status mode to hot standby status mode to operate as a redundant controller in response to the reconfiguring the second controller from the hot standby status mode to the primary status mode.

A fault-tolerant distributed real-time computer system for controlling a physical system, in particular a machine or a motor vehicle, wherein the components of the computer system have access to a global time of known precision, and wherein the node computers and intelligent sensors and the intelligent actuators exchange time-triggered messages and event-triggered messages periodically via the distributor units, and wherein the functions of the user software are contained in real-time software components—RTSC—and the periodic time-triggered data transfer between the RTSC is specified by a time-triggered data flow diagram, and wherein the assignment of the RTSC to a TTVM of a node computer and specific parameters of the TTVM are contained in active local allocation plans for each RTSC, and wherein the time plans for the time-triggered communication in this distributor unit are contained in active local allocation plans for each distributor unit, and wherein a global allocation plan consists of the totality of the local allocation plans, which are adapted to one another, of all RTSC and all distributor units of the user software, and wherein a monitor component periodically receives a copy of messages of the node computers to define the present operating state of the node computers, and wherein after the permanent failure of one or more RTSC, the monitor component activates a passive global allocation plan which specifies the allocation of the RTSC and the data supply thereof on newly installed TTVMs to the still functional node computers, and wherein the RTSC arrive at the newly configured TTVMs for execution at the provided periodic restart point in time in accordance with the selected passive global allocation plan.

A monitoring device is mounted in each of a plurality of operational systems constituting a fault-tolerant system. The plurality of operational systems have an identical configuration including a processor system. The monitoring device includes a processor. The processor executes instruction to read data from a predetermined storage area in a memory of an accessory device to be monitored, connected to the processor system. The processor further executes instruction to compare the read data with reference data held in advance. The processor further executes instruction to separate the processor system connected to the accessory device to be monitored from the fault-tolerant system when the read data is different from the reference data.

According to embodiments of the present invention, machines, systems, methods and computer program products for controlling two or more remote sessions are provided. Two or more remote sessions are synchronized to control each session using a common interface. One or more executable commands are sent to each remote session at substantially the same time using the common interface to control operation of that remote session. Data generated by each remote session from executing the commands is received and analyzed to identify one or more differences in data generated by each remote session. The one or more identified differences in the data are displayed on the common interface. An indication may be provided regarding possible root causes of the differences in the data generated by each remote session. Each remote session includes a program debug session. A report comprising the one or more identified differences in the data may be generated.

A method for operating a computer system including identical first and second processors operated in parallel and having at least two processor cores each, includes operating one processor core of each processor securely based on a secure operating system achieving or exceeding a specified security level, each executing at least one application program securely by achieving the specified security level. The processor cores securely execute the same application program or programs. Remaining processor cores of the first processor are switched off or operated securely, based on the secure operating system or one or more other secure operating systems under the secure execution of the same and/or other application programs. At least one processor core in the second processor is operated nonsecurely based on a nonsecure operating system not achieving the specified security level and executes at least one application program nonsecurely, falling short of the specified security level.

A method and apparatus of performing fault tolerance in a fault tolerant computer system comprising: a primary node having a primary node processor; a secondary node having a secondary node processor, each node further comprising a respective memory; a respective checkpoint shim; each of the primary and secondary node further comprising: a respective non-virtual operating system (OS), the non-virtual OS comprising a respective; network driver; storage driver; and checkpoint engine; the method comprising the steps of: acting upon a request from a client by the respective OS of the primary and the secondary node, comparing the result obtained by the OS of the primary node and the secondary node by the network driver of the primary node for similarity, and if the comparison of indicates similarity less than a predetermined amount, the primary node network driver informs the primary node checkpoint engine to begin a checkpoint process.

In a data processing device including two sets of circuit pairs which are respectively duplicated in two clock domains which are asynchronous to each other, an asynchronous transfer circuit that transfers a payload signal is provided between the two sets of circuit pairs. The asynchronous transfer circuit includes two sets of a pair of bridge circuits which are respectively connected to the two sets of circuit pairs, and asynchronously transfers the payload signal and a control signal indicating a timing at which the payload signal is stable on a reception side. The two sets of a pair of bridge circuits and the payload signals can be duplicated, but the control signal is not duplicated, and the received payload signal is used for timing control to supply an expected same time difference, to the pair of duplicated circuits. This enables asynchronous transfer between circuits duplicated in the asynchronous clock domains.

A data processing system includes a system interconnect, a first master, and a bridge circuit. The bridge circuit is coupled between the first master and the system interconnect. The bridge circuit is configured to, in response to occurrence of an error in the first master, isolate the first master from the system interconnect, wherein the isolating by the bridge circuit is performed while the first master has one or more outstanding issued write commands to the system interconnect which have not been completed. The bridge circuit is further configured to, after isolating the first master from the system interconnect, complete the one or more outstanding issued write commands while the first master remains isolated from the system interconnect.

A semiconductor device performs a software lock-step. The semiconductor device includes a first circuit group including a first Intellectual Property (IP) to be operated in a first address space, a first bus, and a first memory, a second circuit group including a second IP to be operated in a second address space, a second bus, and a second memory, a third bus connectable to a third memory, and a transfer control circuit coupled to the first to third buses. when the software lock-step is performed, the second circuit group converts an access address from the second IP to the second memory such that an address assigned to the second memory in the second address space is a same as an address assigned to the first memory in the first address space.

The present invention provides a microcontroller which can continue operation even at the time of a failure without making a memory redundant to suppress increase in chip area. The microcontroller includes three or more processors executing the same process in parallel and a storage device. The storage device includes a memory mat having a storage region which is not redundant, an address selection part, a data output part, and a failure recovery part. The address selection part selects a storage region in the memory mat on the basis of three or more addresses issued at the time of an access by the processors. The data output part reads data from the storage region in the memory mat selected by the address selection part. The failure recovery part corrects or masks a failure of predetermined number or less which occurs in the memory mat, the address selection part, and the data output part.