G06F11/1633

Fault-tolerant time server for a real-time computer system
11579989 · 2023-02-14

The invention relates to a method for providing a fault-tolerant global time via a time server in a distributed real-time computer system, wherein the time server comprises four components which are connected to one another via a bi-directional communication channel. At a priori defined periodic, internal synchronization times, each of the four components transmits an internal synchronization message, which is simultaneously transmitted to the other three components, from which each internal computer of a component determines a correction term for the tick counter contained in its component and corrects the reading of the local tick counter by this correction term.

INFORMATION PROCESSING DEVICE, CONTROL METHOD, AND NON-TRANSITORY COMPUTER READABLE MEDIUM

An information processing device that executes an arithmetic process includes a first processing circuit and a second processing circuit. The first processing circuit executes the arithmetic process N times consecutively. The second processing circuit executes the arithmetic process N times consecutively. N is an integer of 2 or more. The first processing circuit and the second processing circuit continue to operate according to a match between at least one result among the results of the N arithmetic processes executed by the first processing circuit and at least one result among the results of the N arithmetic processes executed by the second processing circuit. As a result, it is possible to suppress an increase in cost required for hardware and to suppress a temporary stop due to a temporary failure.

METHOD FOR MONITORING AN ENGINE CONTROL UNIT

Methods are provided for supervising a motor control unit with at least two separate channels, each of the two channels including at least: means for executing a given application task AS, the application task AS including a plurality of successively executed computations between which latency periods elapse; a first component capable of performing the computations; a second component capable of storing data; the application tasks AS of the channels being capable of communicating. The method includes the following steps: a) detecting a latency period; b) performing, during this latency period, an operating state test of at least one of the components; and c) determining a state of the component corresponding to a failure state or a healthy state.

TESTING OF LOCKSTEP ARCHITECTURE IN SYSTEM-ON-CHIPS
20220334936 · 2022-10-20

A lockstep testing system includes a lockstep controller that generates various control signals. The lockstep testing system further includes various lockstep circuitries, with each lockstep circuitry including primary and redundant functional circuits that are operable in a lockstep mode, and a fault injection circuit that receives a control signal from the lockstep controller and injects a transient fault in the corresponding lockstep circuitry. The transient fault can be injected at one of input and output stages of the primary and redundant functional circuits. Each lockstep circuitry further includes a checker circuit that tests whether the corresponding lockstep circuitry is faulty (i.e., whether the injected fault is accurately detected), and generates and provides, to the lockstep controller, a fault indication signal indicating whether the corresponding lockstep circuitry is faulty.

FINGERPRINTING OF REDUNDANT THREADS USING COMPILER-INSERTED TRANSFORMATION CODE
20170364332 · 2017-12-21

A first processing element is configured to execute a first thread and one or more second processing elements are configured to execute one or more second threads that are redundant to the first thread. The first thread and the one or more second threads are to selectively bypass one or more comparisons of results of operations performed by the first thread and the one or more second threads depending on whether an event trigger for the comparison has occurred a configurable number of times since a previous comparison of previously encoded values of the results. In some cases the comparison can be performed based on hashed (or encoded) values of the results of a current operation and one or more previous operations.

CORE PAIRING IN MULTICORE SYSTEMS
20170364421 · 2017-12-21

A method, executed by a computer, includes pairing a first core with a second core to form a first core group, wherein each core of the group has a plurality of functional units, transferring instructions received by the first core to the second core for execution via a first inter-core communication bus, and executing the instructions on the second core. A computer system and computer program product corresponding to the above method are also disclosed herein.

Operation of I/O in a safe system

A module health system includes a module health circuit comprising a hardware register that is set to a first value in response to the system starting, an application register that is set to the first value in response to the system starting and a watchdog timer register that is set to the first value in response to the system starting. The system further includes a power on self-test that determines whether the system has passed a plurality of tests and that selectively sets the hardware register to a second value based on the determination, an external software application that determines whether a safety critical system is healthy and selectively sets the application register based on the determination, a watchdog timer application that selectively sets the watchdog timer register, and a central processing unit that determines whether to de-assert a module health signal.

SAFETY MONITORING DEVICE, NETWORK SYSTEM AND SAFETY MONITORING METHOD
20170242693 · 2017-08-24

A safety I/O module (10) disposed between a network (NW) and a target device (20) is provided. The safety I/O module (10) includes MCUs (121, 122). Further, each of the MCUs (121, 122) includes a CPU (123) and an RTOS accelerator (124) configured to perform a process for switching a task executed by the CPU (123) and a process for starting the task.

DEVICE FOR CONTROLLING A STEERING ANGLE OR BRAKING OF AN AUTONOMOUS MOTOR VEHICLE AND VEHICLE INCLUDING THE DEVICE

A control device is for controlling an autonomous motor vehicle in order to modify a steering angle of a steered wheel of the autonomous motor vehicle and/or a braking force generated by the brake fitted to a wheel of the autonomous motor vehicle. The control device includes an automatic piloting system, which is configured to generate an automatic driving instruction for automatically driving the vehicle, a primary command chain, which includes a primary controller configured to generate a primary command according to the automatic driving instruction, and at least one primary actuator configured to generate a torque that confers a steering angle to the steered wheel, or configured to actuate the brake based on the primary command obtained directly from the primary controller. A secondary command chain is also included.

ASSIGNING A CONTROL AUTHORIZATION TO A COMPUTER

The invention relates to a system (1), comprising at least two asynchronous computers (2-i), on each of which at least one application (A) is executed, which provides control data (SD) for at least one actuation system (3), wherein the provided control data (SD) are transmitted by a control-authorized computer (2-i) that assumes a master computer status (M-RS) to the actuation system (3) for the control thereof, wherein the computers (2-i) of the system (1) cyclically exchange state data (ZD) and performance data (LD) with each other by means of a data interface in a data exchange (DAS), wherein the computers (2-i) each determine, on the basis of the state and performance data (ZD_opp, LD_opp) received from other computers (2-j) and on the basis of the computer's own state and performance data (ZD_own, LD_own), in a master/slave selection (MSA) performed on the computer (2-i), a computer status (RS) as a control-authorized or non-control-authorized computer (2-i) to be assumed by the particular computer (2-i) itself.