G06F11/184

ARCHITECTURE AND APPARATUS FOR ADVANCED ARBITRATION IN EMBEDDED CONTROLS
20170277604 · 2017-09-28

A method of arbitrating conflicting outputs in a redundant control system. Execution data of a task executed by each controller in the redundant control system is recorded. The execution data includes an initial timestamp of each execution stream, identification of critical functions in each execution stream, and parameter values used by the critical functions. A path executed by each controller is identified based only on the critical functions executed in each execution stream. The recorded execution data of each executed path is applied to an arbitration module. The arbitration module selects an output result from one of the respective controllers based on the recorded execution data of each executed path. The output result of the selected controller is communicated to a next module for further processing.

FAULT-TOLERANT SYSTEM ARCHITECTURE FOR THE CONTROL OF A PHYSICAL SYSTEM, IN PARTICULAR A MACHINE OR A MOTOR VEHICLE
20170249214 · 2017-08-31

A fault-tolerant distributed real-time computer system for controlling a physical system, in particular a machine or a motor vehicle. The components of the computer system have access to a global time of known precision. The node computers, the intelligent sensors and the intelligent actuators exchange time-triggered messages and event-triggered messages periodically via the distributor units. The functions of the user software are contained in real-time software components (RTSC), and the periodic time-triggered data transfer between the RTSC is specified by a time-triggered data flow diagram. The assignment of each RTSC to a TTVM of a node computer, together with specific parameters of that TTVM, is contained in an active local allocation plan for that RTSC; the time plans for the time-triggered communication in a distributor unit are contained in an active local allocation plan for that distributor unit. A global allocation plan consists of the totality of the mutually adapted local allocation plans of all RTSC and all distributor units of the user software. A monitor component periodically receives a copy of the messages of the node computers in order to determine their present operating state. After the permanent failure of one or more RTSC, the monitor component activates a passive global allocation plan which specifies the allocation of the RTSC, and their data supply, on newly installed TTVMs on the still functional node computers; the RTSC then arrive at the newly configured TTVMs for execution at the provided periodic restart point in time in accordance with the selected passive global allocation plan.

Methods and systems for improving safety of processor system
09772897 · 2017-09-26

A processing subsystem for providing diagnostics for a processing system is provided. The processing subsystem includes a real-time processing unit that receives a first input, which includes data from one or more sensors, and processes the first input to generate a first output that controls an actuator. The processing subsystem also includes a power and safety management unit that receives a second input and processes the second input to generate a second output for testing of the first output. A method and a system for providing diagnostics for a processing system are provided as well.

Consensus-forming method in network, and node for configuring network
11212165 · 2021-12-28

A consensus building method suitable when f Byzantine failure nodes (f is an integer equal to or larger than 1 and smaller than N/3) are assumed in a network having N nodes (N is an integer equal to or larger than 1) participating in consensus building, comprising the steps of: receiving a first message from another node which communicates that the other node determined a message including data subject to consensus building to be valid as a proposal; when the number of received first messages reaches a predetermined value Q, transmitting a second message to each node which communicates that it is accepting the proposal, and when the number of received first messages does not reach the predetermined value Q, transmitting a third message to each node which communicates that it is dismissing the proposal; when the number of received second messages reaches the predetermined value Q, transmitting a fourth message to each node which communicates that it is treating the proposal as agreed in the network; and when the number of received third messages reaches the predetermined value Q, transmitting a fifth message to each node for proceeding to a next round (a unit of the consensus building process is called a "round"); wherein the predetermined value Q is an integer equal to or larger than (f+N+1)/2 when the value of f is known, and wherein, when the number of received first messages reaches the predetermined value Q, a lock is set to limit behaviors thereafter.
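The five-message round above, simulated as an added example (this is not the patent's own code). Assumptions made here: the round runs in synchronous steps, every node also counts its own message, honest nodes are instances of HonestNode, and a Byzantine node is modeled by a callable that may send a different message to each recipient. The lock from the last clause is implemented as "a locked node only ever endorses its locked proposal". The second scenario shows the property that matters for security: with N = 4, f = 1 and Q = 3, a leader that equivocates between two proposals cannot get two honest nodes to agree on different values; at worst an honest node stays undecided and moves to the next round.

```python
"""Simulation of the quorum round described in the abstract (constructed example)."""
from collections import Counter
from math import ceil

FIRST, SECOND, THIRD, FOURTH, FIFTH = "first", "second", "third", "fourth", "fifth"


def quorum(n, f):
    """Smallest integer Q with Q >= (f + N + 1) / 2, as stated in the abstract."""
    return ceil((f + n + 1) / 2)


class HonestNode:
    """A correctly behaving participant; Byzantine nodes are callables passed to run_round."""

    def __init__(self, node_id, n, f):
        self.id, self.q = node_id, quorum(n, f)
        self.lock = None      # proposal this node is locked on after seeing Q first messages
        self.decision = None  # (FOURTH, proposal) when agreed, (FIFTH, None) for next round

    def first_message(self, proposal, valid):
        # A locked node keeps endorsing its locked proposal and nothing else (assumed lock semantics).
        if self.lock is not None:
            return (FIRST, self.lock)
        return (FIRST, proposal) if valid else None

    def second_or_third(self, inbox):
        # Q first messages for one proposal: accept it and set the lock; otherwise dismiss.
        tally = Counter(p for kind, p in inbox if kind == FIRST)
        for proposal, count in tally.items():
            if count >= self.q:
                self.lock = proposal
                return (SECOND, proposal)
        return (THIRD, None)

    def decide(self, inbox):
        # Q second messages: treat the proposal as agreed; Q third messages: next round.
        seconds = Counter(p for kind, p in inbox if kind == SECOND)
        for proposal, count in seconds.items():
            if count >= self.q:
                self.decision = (FOURTH, proposal)
                return self.decision
        if sum(1 for kind, _ in inbox if kind == THIRD) >= self.q:
            self.decision = (FIFTH, None)
        return self.decision


def run_round(honest, delivered, byzantine):
    """honest: id -> HonestNode; delivered: id -> (proposal, valid) as received by that node;
    byzantine: id -> callable(step, recipient) returning a message or None.
    Every node sends to every honest node, itself included; returns id -> decision."""
    senders = sorted(set(honest) | set(byzantine))

    def broadcast(step, own):
        inbox = {i: [] for i in honest}
        for s in senders:
            for r in honest:
                m = own[s] if s in honest else byzantine[s](step, r)
                if m is not None:
                    inbox[r].append(m)
        return inbox

    own1 = {i: honest[i].first_message(*delivered[i]) for i in honest}
    inbox = broadcast(1, own1)
    own2 = {i: honest[i].second_or_third(inbox[i]) for i in honest}
    inbox = broadcast(2, own2)
    return {i: honest[i].decide(inbox[i]) for i in honest}


def demo_all_honest():
    n, f = 4, 1
    nodes = {i: HonestNode(i, n, f) for i in range(n)}
    return run_round(nodes, {i: ("A", True) for i in nodes}, {})


def demo_equivocating_leader():
    """Constructed scenario: node 3 is Byzantine. Acting as leader it delivers proposal "A"
    to nodes 0 and 1 but "B" to node 2, then endorses toward each recipient whatever it sent."""
    n, f = 4, 1
    nodes = {i: HonestNode(i, n, f) for i in range(3)}
    delivered = {0: ("A", True), 1: ("A", True), 2: ("B", True)}

    def byz(step, recipient):
        p = "B" if recipient == 2 else "A"
        return (FIRST, p) if step == 1 else (SECOND, p)

    decisions = run_round(nodes, delivered, {3: byz})
    # Node 2 ends the round undecided; the lock keeps nodes 0 and 1 on "A" in the next round.
    return decisions, {i: nodes[i].lock for i in nodes}
```

The quorum size is what makes the equivocation scenario safe: two quorums of Q = 3 among 4 nodes overlap in at least 2 nodes, of which at most f = 1 is Byzantine, so at least one honest node would have to endorse both "A" and "B", which the lock prevents.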

VEHICLE CONTROL SYSTEM

A plurality of signal lines connects a first controller and a second controller to each other. The first controller supplies, to the second controller through the plurality of signal lines, a plurality of first control signals for controlling an actuator, and performs an abnormality diagnosis of each of the plurality of first control signals. The second controller outputs a second control signal for controlling the actuator based on the plurality of first control signals supplied from the first controller through the signal lines and on the diagnosis results of the plurality of first control signals obtained by the first controller.

Distributed computing in a process control environment

High availability and data migration in a distributed process control computing environment. Allocation algorithms distribute data and applications among available compute nodes, such as controllers in a process control system. In the process control system, an input/output device, such as a fieldbus module, can be used by any controller. Databases store critical execution information for immediate takeover by a backup compute element. The compute nodes are configured to execute algorithms for mitigating dead time in the distributed computing environment.

Error correction in a redundant processing system
11354203 · 2022-06-07

A processing system encompasses several processing devices and a comparison device. A method for controlling the processing system encompasses: processing of identical information items by the processing devices using associated processing processes; furnishing a characteristic value of each processing process, respectively as a function of the processing that has occurred; and comparing the characteristic values by way of the comparison device and determining a defectively operating processing process on the basis of the comparison. The defectively operating processing process is replaced by a processing process restarted on the same processing device.
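An added example (not code from either patent) that covers both the path-based arbitration in the first abstract on this page and the characteristic-value comparison with restart in the abstract just above. The controller task, the execution-stream record format, the choice of a SHA-256 digest of path and output as the "characteristic value", and majority voting as the comparison rule are all assumptions made for the illustration. The failure injected is a transient that skips a critical clamp step, which is exactly the kind of divergence the critical-function path makes visible even before the outputs are compared.

```python
"""Redundant-controller arbitration and defective-process replacement (constructed example)."""
import hashlib
from collections import Counter


def run_task(sensor, fault=None):
    """Constructed task of one controller: returns its execution stream and output.
    Stream records are (timestamp, function, parameters, is_critical); the first
    record carries the initial timestamp of the stream.
    fault="skip_clamp" models a transient that skips the critical clamp step."""
    stream, t, value = [], 0, sensor
    stream.append((t, "read_sensor", {"raw": sensor}, False)); t += 1
    if fault != "skip_clamp":
        value = max(-100, min(100, value))
        stream.append((t, "clamp", {"lo": -100, "hi": 100}, True)); t += 1
    value *= 2
    stream.append((t, "scale", {"gain": 2}, True)); t += 1
    stream.append((t, "log", {"value": value}, False)); t += 1
    return stream, value


def execution_path(stream):
    """Path identified only from the critical functions and their parameter values."""
    return tuple((fn, tuple(sorted(params.items()))) for _, fn, params, crit in stream if crit)


def characteristic_value(path, output):
    """Compact value per processing process: digest of the executed path and the output."""
    h = hashlib.sha256()
    h.update(repr(path).encode()); h.update(b"\0"); h.update(repr(output).encode())
    return h.hexdigest()


def arbitrate(runs):
    """runs: controller_id -> (stream, output). Returns (output, selected_id, defective_ids).
    The output of a controller on the majority path is passed on; the others are flagged.
    Without a strict majority the comparison device refuses rather than guessing."""
    cvs = {cid: characteristic_value(execution_path(s), out) for cid, (s, out) in runs.items()}
    majority, count = Counter(cvs.values()).most_common(1)[0]
    if count <= len(runs) // 2:
        raise RuntimeError("no majority among controllers; cannot arbitrate safely")
    good = [cid for cid in sorted(runs) if cvs[cid] == majority]
    bad = [cid for cid in sorted(runs) if cvs[cid] != majority]
    return runs[good[0]][1], good[0], bad


def demo():
    sensor = 250  # constructed out-of-range reading that the clamp should limit to 100
    runs = {"ctl_a": run_task(sensor), "ctl_b": run_task(sensor),
            "ctl_c": run_task(sensor, fault="skip_clamp")}
    output, selected, defective = arbitrate(runs)
    # Replace each defective process by restarting it on the same controller, then re-check.
    for cid in defective:
        runs[cid] = run_task(sensor)
    output_after, _, defective_after = arbitrate(runs)
    return output, selected, defective, output_after, defective_after
```

With two controllers there is no majority to vote with, so arbitrate() raises instead of picking a side; that is the situation the two-channel fault localization abstract at the end of this page addresses by bringing in a model of the physical quantity.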

DEBUG TRACE STREAMS FOR CORE SYNCHRONIZATION
20220171694 · 2022-06-02

The present disclosure provides for synchronization of multi-core systems by monitoring a plurality of debug trace data streams for a redundantly operating system including a corresponding plurality of cores performing a task in parallel; in response to detecting a state difference on one debug trace data stream of the plurality of debug trace data streams relative to other debug trace data streams of the plurality of debug trace data streams: marking a given core associated with the one debug trace data stream as an affected core; and restarting the affected core.

TOPOLOGY-DRIVEN BYZANTINE FAULT-TOLERANT CONSENSUS PROTOCOL WITH VOTE AGGREGATION
20220158892 · 2022-05-19

A method for establishing consensus between distributed nodes connected via a data communication network is executed by a leader node. The distributed nodes include active nodes, which include the leader node. The method comprises preparing a proposal, constructing a first communication topology and propagating the proposal to the active nodes according to the first communication topology. On receiving a sufficient set of vote aggregations from the active nodes, a proposal commitment is created using the vote aggregations and the proposal is accepted. On determining that the first communication topology is not reliable enough to reach consensus on the proposal because of active node faults, an updated communication topology different from the first communication topology is created, and propagation of the same proposal to the active nodes continues according to the updated communication topology.

FAULT LOCATION IN A REDUNDANT ACQUISITION SYSTEM

A method detects and localizes a failure of a measurement acquisition channel in an acquisition system including two redundant acquisition channels for the measurement of a physical quantity in an environment. The method uses a processor with a memory storing a model including modeled values of the physical quantity based on measurements of other physical quantities in the environment. The method includes detecting a symptomatic error of a defective acquisition channel when a deviation between the measured values of the two channels reaches a detection threshold, waiting to let the acquisition system evolve for a certain period, and localizing the defective channel among the two channels, when the deviation of the values measured between the channels reaches a localization threshold different from the detection threshold. The localization is made from the comparison of the measured value of each of the channels with a modeled value of the physical quantity.
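The two-threshold scheme above, as an added example (not the patent's own code). The model of the physical quantity is a constructed linear estimate from two other quantities (ambient temperature and heater power), the threshold values are arbitrary, and the drifting channel is simulated; all of these are assumptions. The point the code makes explicit is the separation of the two decisions: disagreement between the channels at the detection threshold only raises a flag, and the channel is named only once the deviation has grown to the localization threshold, at which point the model error is small relative to the fault and the comparison with the modeled value is unambiguous.

```python
"""Two-channel fault detection and localization with a model (constructed example)."""


def model_estimate(others):
    """Constructed model: temperature predicted from ambient temperature and heater power."""
    return others["ambient"] + 0.5 * others["power"]


class ChannelLocalizer:
    """Detect a channel failure at the detection threshold, let the system evolve,
    then localize the defective channel at the (larger) localization threshold."""

    def __init__(self, detect_threshold, localize_threshold):
        if localize_threshold <= detect_threshold:
            raise ValueError("localization threshold must exceed detection threshold")
        self.detect_threshold = detect_threshold
        self.localize_threshold = localize_threshold
        self.detected_at = None   # time at which the symptomatic error was detected
        self.defective = None     # 1 or 2 once localized

    def update(self, t, ch1, ch2, others):
        deviation = abs(ch1 - ch2)
        if self.defective is not None:
            return "localized"
        if self.detected_at is None:
            if deviation >= self.detect_threshold:
                self.detected_at = t
                return "detected"
            return "ok"
        if deviation >= self.localize_threshold:
            # The channel farther from the modeled value is the defective one.
            m = model_estimate(others)
            self.defective = 1 if abs(ch1 - m) > abs(ch2 - m) else 2
            return "localized"
        return "waiting"


def simulate(drift_channel, drift_per_step, steps=11):
    """Constructed scenario: the true value sits 0.3 above the model (model error),
    and one channel drifts linearly while the other stays on the true value.
    Returns the first time of each event and the localized channel (or None)."""
    loc = ChannelLocalizer(detect_threshold=1.0, localize_threshold=3.0)
    others = {"ambient": 20.0, "power": 10.0}
    true_value = model_estimate(others) + 0.3
    events = {}
    for t in range(steps):
        ch1, ch2 = true_value, true_value
        drift = drift_per_step * t
        if drift_channel == 1:
            ch1 += drift
        else:
            ch2 += drift
        state = loc.update(t, ch1, ch2, others)
        if state in ("detected", "localized") and state not in events.values():
            events[t] = state
    return events, loc.defective
```

The localization step trusts the model, so the model's inputs (here the other two sensors) become part of the trusted base for the fault decision; a manipulated or failed auxiliary measurement can cause the healthy channel to be blamed, which is why the detection and localization thresholds are kept far apart.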