G06F11/165

MONITORING DEVICE, FAULT-TOLERANT SYSTEM, AND CONTROL METHOD
20170242760 · 2017-08-24

A monitoring device is mounted in each of a plurality of operational systems constituting a fault-tolerant system. The plurality of operational systems have an identical configuration including a processor system. The monitoring device includes a processor. The processor executes instructions to read data from a predetermined storage area in a memory of an accessory device to be monitored, connected to the processor system. The processor further executes instructions to compare the read data with reference data held in advance. The processor further executes instructions to separate the processor system connected to the accessory device to be monitored from the fault-tolerant system when the read data is different from the reference data.

DEVICE FOR CONTROLLING A STEERING ANGLE OR BRAKING OF AN AUTONOMOUS MOTOR VEHICLE AND VEHICLE INCLUDING THE DEVICE

A control device is for controlling an autonomous motor vehicle in order to modify a steering angle of a steered wheel of the autonomous motor vehicle and/or a braking force generated by the brake fitted to a wheel of the autonomous motor vehicle. The control device includes an automatic piloting system, which is configured to generate an automatic driving instruction for automatically driving the vehicle, a primary command chain, which includes a primary controller configured to generate a primary command according to the automatic driving instruction, and at least one primary actuator configured to generate a torque that confers a steering angle to the steered wheel, or configured to actuate the brake based on the primary command obtained directly from the primary controller. A secondary command chain is also included.

Semiconductor device with output data selection of lockstepped computing elements based on diagnostic information

Conventional semiconductor devices are problematic in that an operation cannot be continued in the event of a failure of one of the CPU cores performing a lock step operation and, as a result, reliability cannot be improved. The semiconductor device according to the present invention includes a computing unit including a first CPU core and a second CPU core that perform a lock step operation, wherein the first CPU core and the second CPU core respectively diagnose failures of internal logic circuits, and a sequence control circuit switches the CPU core in the computing unit that outputs data to a shared resource based on the diagnosis result.

DISTRIBUTED REAL-TIME COMPUTER SYSTEM AND TIME-TRIGGERED DISTRIBUTION UNIT
20170228281 · 2017-08-10

The invention relates to a time-controlled distribution unit (30, 31) for the distribution of messages in a distributed computer system for safety-critical applications. Said distribution unit is designed as a self-testing functional unit and comprises input channels (201 . . . 222) for receiving time-controlled periodic input messages from node computers (20, 21, 22) upstream in the data flow, and output channels (301 . . . 333) for transmitting time-controlled periodic output messages to the node computers (50, 51, 52) downstream in the data flow, a computer (40) being provided in the distribution unit and being designed to analyze, by means of a “simple” software, useful information contained in the input messages, and to decide whether output messages are output and, if so, which useful information is contained in the output messages.

Subsea production system with multiple location master control station system

A subsea production system for producing fluids from a subsea well in a subsea field. The production system includes a production facility and a production umbilical connecting the subsea well with the production facility. The production system also includes a control system for controlling production from the subsea well. The control system includes a first redundant master control station system (redundant MCS) at a first location, the redundant MCS capable of controlling production from the subsea well. The control system also includes a second redundant MCS at a second location, the second redundant MCS capable of controlling production from the subsea well. The redundant MCSs are synchronized to keep the same electronic data at both locations and to prevent conflicts in control signals from the redundant MCSs.

SYSTEMS, METHODS, AND DEVICES FOR FAULT RESILIENT STORAGE
20220269566 · 2022-08-25

A method of operating a storage device may include determining a fault condition of the storage device, selecting a fault resilient mode based on the fault condition of the storage device, and operating the storage device in the selected fault resilient mode. The selected fault resilient mode may include one of a power cycle mode, a reformat mode, a reduced capacity read-only mode, a reduced capacity mode, a reduced performance mode, a read-only mode, a partial read-only mode, a temporary read-only mode, a temporary partial read-only mode, or a vulnerable mode. The storage device may be configured to perform a namespace capacity management command received from the host. The namespace capacity management command may include a resize subcommand and/or a zero-size namespace subcommand. The storage device may report the selected fault resilient mode to a host.

SAFE-STATING A SYSTEM INTERCONNECT WITHIN A DATA PROCESSING SYSTEM

A data processing system includes a system interconnect, a first master, and a bridge circuit. The bridge circuit is coupled between the first master and the system interconnect. The bridge circuit is configured to, in response to occurrence of an error in the first master, isolate the first master from the system interconnect, wherein the isolating by the bridge circuit is performed while the first master has one or more outstanding issued write commands to the system interconnect which have not been completed. The bridge circuit is further configured to, after isolating the first master from the system interconnect, complete the one or more outstanding issued write commands while the first master remains isolated from the system interconnect.

Microcontroller utilizing redundant address decoders and electronic control device using the same

The present invention provides a microcontroller which can continue operation even at the time of a failure without making a memory redundant to suppress increase in chip area. The microcontroller includes three or more processors executing the same process in parallel and a storage device. The storage device includes a memory mat having a storage region which is not redundant, an address selection part, a data output part, and a failure recovery part. The address selection part selects a storage region in the memory mat on the basis of three or more addresses issued at the time of an access by the processors. The data output part reads data from the storage region in the memory mat selected by the address selection part. The failure recovery part corrects or masks a failure of predetermined number or less which occurs in the memory mat, the address selection part, and the data output part.

SYSTEM AND METHOD FOR AUTO-RECOVERY IN LOCKSTEP PROCESSORS
20210373898 · 2021-12-02

A system and method for monitoring processors operating in lockstep to detect mismatches in pending pipelined instructions being executed by the processors. A lockstep monitor implemented in hardware is provided to detect the mismatches in the pending pipelined instructions executing on the lockstep processors and to initiate an auto-recovery operation at the processors if a mismatch is detected.

Vehicle safety electronic control system
11360864 · 2022-06-14

A vehicle safety electronic control system includes a first microcontroller having a lockstep architecture with a lockstep core and a second microcontroller having at least two processing cores. The lockstep core of the first microcontroller is configured to monitor and control outputs of said at least two cores of the second microcontroller.