A fault tolerant controller system includes a first controller and a second controller. One of the first and second controllers designated as a primary controller for generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions, and the other of the first and second controllers designated as a secondary controller generating control signals intended to control actuation devices on the vehicle. The actuation devices are responsive only to the designated primary controller. An error is detected in the primary controller and a message is transmitted from the faulty controller to the non-faulty controller identifying the error. The non-faulty controller is subsequently designated as the primary controller. The control signals including an identifier that identifies the non-faulty controller as the designated primary controller. In response to detecting the error, the faulty controller is reset to operate in a safe operating mode as the secondary controller.

An illustrative example embodiment of a method of communicating between controllers on a vehicle includes communicating a first operation request from a first controller to a second controller. The first operation request is indicative of the second controller performing a first operation. The second controller attempts to perform the first operation at a time when it cannot be performed, determines that the first operation cannot be performed, and communicates an indication that the first operation request cannot currently be satisfied. The second controller continues to attempt to perform the first operation at a subsequent time.

Embodiments of the present invention provide a method (300, 400), comprising communicating (310, 410), from first control means (110) to a second control means (120), a first operation request indicative of the second control means (120) performing a first operation, determining (320, 420), at the second control means, whether the first operation can be performed, communicating (330, 430), if the operation cannot be performed, from the second control means to the first control means, an indication that the first operation request cannot currently be satisfied, and continuing (320, 330), by the second control means, to attempt to perform the first operation.

Provided in some embodiments are systems and methods for emergency shutdown (ESD) systems. Embodiments provide for receiving, from a central logic solver (CLS) of an emergency shutdown (ESD) system for a plant via a first communication channel, a command indicative of a first state for an ESD valve, in response to receiving the command, controlling the ESD valve to operate in the first state, obtaining, from a central status monitor (CSM) of the ESD system via a second communication channel, current status information for the plant, determining a second state for the ESD valve based at least in part on the current status information obtained from the CSM, and controlling the ESD valve to operate in the second state.

Provided in some embodiments are systems and methods for emergency shutdown (ESD) systems. Embodiments provide for receiving, from a central logic solver (CLS) of an emergency shutdown (ESD) system for a plant via a first communication channel, a command indicative of a first state for an ESD valve, in response to receiving the command, controlling the ESD valve to operate in the first state, obtaining, from a central status monitor (CSM) of the ESD system via a second communication channel, current status information for the plant, determining a second state for the ESD valve based at least in part on the current status information obtained from the CSM, and controlling the ESD valve to operate in the second state.

A servo press line operation method operates a servo press line in which a servo press and a servo transfer device are disposed in a workpiece transfer direction. The servo press line operation method includes causing a transfer controller to receive a master signal that causes the servo transfer device to make a motion in synchronization with the servo press, the transfer controller controlling a motor of the servo transfer device using a motor instruction, causing the transfer controller to determine whether or not an abnormality in the master signal has occurred, and causing the transfer controller to generate the motor instruction based on a stop signal that stops the motor of the servo transfer device, instead of the master signal, when the transfer controller has determined that an abnormality in the master signal has occurred.