A redundancy device which is configured to communicate with a redundancy opposite device and perform a redundancy execution, the redundancy device includes receivers configured to receive individually HB signals transmitted from the redundancy opposite device, a calculator configured to calculate a number of normal communication paths among communication paths of the HB signals based on a reception result of the receivers, a comparator configured to compare a calculation result of the calculator with a predetermined threshold value, and a changer configured to change the redundancy device from a standby state to an operating state, or change the redundancy device from the standby state to a not-standby state in which the redundancy execution is released, based on the calculation result of the calculator and a comparison result of the comparator.

A semiconductor device includes a plurality of processing units, a shared resource shared by the plurality of processing units, and a guard unit. The guard unit restricts and thereby controls access to the shared resource by a processing unit, and changes, when a processing unit has failed, control of access so that another processing unit that takes over a process of the failed processing unit is permitted to access at least a part of an access destination which the failed processing unit has been permitted to access.

A facility control system comprises a selection processing portion that selects, based on a manual operation and when an abnormal condition occurs in a first-layer computer that executes a first-layer program which issues an apparatus operating command to an apparatus controller, whether to cause a second-layer computer to execute the first-layer program that had been executed by the first-layer computer, and a substitute command output processing portion which outputs a substitute command in accordance with selection information selected by the selection processing portion. The second-layer computer executes the first-layer program that had been executed by the first-layer computer in which the abnormal condition occurred based on a substitute command outputted by the substitute command output processing portion.

A facility control system comprises a selection processing portion that selects, based on a manual operation and when an abnormal condition occurs in a second-layer computer that issues a task command to a first-layer program which issues an apparatus operating command to an apparatus controller, whether to cause a first-layer computer to execute a second-layer program that had been executed by the second-layer computer, and a substitute command output processing portion which outputs a substitute command in accordance with selection information selected by the selection processing portion. The first-layer computer executes the second-layer program that had been executed by the second-layer computer in which the abnormal condition occurred based on a substitute command outputted by the substitute command output processing portion.

The present invention concerns a method for switching, by a local processing unit (1,2) of a flight control system of an aircraft, configured to control at least one local actuator, connected to at least one local sensor and connected via at least one link (3,4) to an opposite processing unit (2,1) configured to control at least one opposite actuator and be connected to at least one opposite sensor, said local processing unit (1,2) being further configured to be connected to backup communication means (13,14) enabling data exchanges between the local processing unit (1,2) and the opposite processing unit (2,1) in the case of failures of the links connecting same (3,4), said backup communication means comprising an array of sensors or actuators (13) and/or a secure onboard network for the avionics (14), comprising steps of: •—sending, to the opposite processing unit (2,1), acquisition data relative to the at least one local sensor and actuator data relative to the at least one local actuator, •—receiving, from the opposite processing unit (2,1), acquisition data relative to the at least one opposite sensor and actuator data relative to the at least one opposite actuator, •—receiving an item of opposite health data and determining an item of local health data, •—switching said local processing unit (1,2) from a first state to a second state chosen from an active state (15), a passive state (16) and a slave state (18), depending on the opposite health data received and the local health data determined.

A method for fault tolerant controller readiness. Executing functions by a first controller operating in a primary status mode. Operating in a hot standby status mode by a second controller and mirroring the first controller by executing functions to operate as a redundant controller. Operating in a cold standby status mode by at least one backup controller under normal operating conditions. The second controller is reconfigured while operating under normal operating conditions from the hot standby status mode to the primary standby status mode if a failure occurs in the first controller. Reconfiguring the at least one backup controller operating under normal operating conditions from cold standby status mode to hot standby status mode to operate as a redundant controller in response to the reconfiguring the second controller from the hot standby status mode to the primary status mode.

Embodiments are described for systems and methods that facilitate control of virtual endpoint failover/failback during an administrative SCSI target port disable or enable operation. In this case, SCSI target virtual endpoints may failover to a secondary SCSI target port when the primary port fails. When the primary port is corrected and enabled by the administrator the failover method pulls virtual endpoints on secondary ports back to the primary port under administrator control; and if an administrator wishes to manually disable a SCSI target port the failover operation pushes (failover) all virtual endpoints currently using the port as a primary to a secondary port.

Methods, systems, and computer readable media for managing suspect subscriber bindings. In some examples, a method is performed by a Diameter signaling router (DSR) for a telecommunications network. The method includes binding a subscriber to a first policy and charging rules function (PCRF) server selected from a plurality of PCRF servers for the telecommunications network. The method includes determining that one or more messages destined to the first PCRF server have failed according to one or more user-configurable rules defining failure. The method includes tearing down the binding between the subscriber and the first PCRF server.

An information processing device that are capable of continuing access to an I/O device by operational computers even when a failure has occurred in a management computer is provided. A virtualization bridge (300) includes a monitoring unit (307) and a backup control unit (308). The virtualization bridge (300) provides operational computers (200) with virtual functions of an I/O device (400). The monitoring unit (307) detects failures in a management computer (100). The backup control unit (308) generates backup management information (341) on the basis of packets transmitted and received between the management computer (100) and the I/O device (400), and, when a failure in the management computer (100) is detected by the monitoring unit (307), controls the I/O device 400 on the basis of the backup management information (341) in place of the management computer (100).

Methods and systems are provided for rapid failure recovery for a distributed storage system for failures by one or more nodes.