A method for creating a redundant automation system, a computer program and a computer-readable medium, wherein the redundant automation system includes at least one automation installation to be controlled that is installed at an installation location and two control applications that are communicatively interconnected via a synchronization path, and includes a plurality of communication hubs and communication paths connecting these to one another, where one of the control applications operates as the master and the other control application operates as a reserve, such that when the control application operating as the master fails, the control application operating as the reserve function as the master, and where the locations of the computing resources for the control applications are selected such that the control applications are connected to the at least one automation installation via two different communication paths preferably having no or a minimal number of common communication hubs.

A semiconductor device includes first and second CPUs, first and second SPUs for controlling a snoop operation, a controller supporting ASIL D of a functional safety standard and a memory. The controller sets permission of the snoop operation to the first and second SPUs when a software lock-step is not performed. The controller sets prohibition of the snoop operation to the first and second SPUs when the software lock-step is performed. The first CPU executes a first software for the software lock-step, and writes an execution result in a first area for the memory. The second CPU executes a second software for the software lock-step, and writes an execution result in a second area of the memory. The execution result written in the first area is compared with the execution result written in the second area.

A system for executing functionally equivalent applications. The system includes a cloud system including a plurality of cloud instances, the plurality of cloud instances being set up in each case to execute a functionally equivalent application in each case based on the same input data, the respective execution including a processing of the input data by the respective application in order to output an application result in each case, and a comparison device, which is set up to compare the respective application results in order to ascertain a comparison result and to output the comparison result that has been ascertained. A method for executing functionally equivalent applications, a computer program, and a machine-readable storage medium, are also described.

When one of CPUs that perform a lock step operation fails and the failure type is an SW failure, the semiconductor device copies information held by an SR and a GR of the CPU operating normally to the CPU with the SW failure, thereby continuing a process without stopping the lock step operation. On the other hand, when the failure type is an HW failure, the failed CPU is stopped to continue the process with only the normal CPU.

A lockstep testing system includes a lockstep controller that generates various control signals. The lockstep testing system further includes various lockstep circuitries, with each lockstep circuitry including primary and redundant functional circuits that are operable in a lockstep mode, and a fault injection circuit that receives a control signal from the lockstep controller and injects a transient fault in the corresponding lockstep circuitry. The transient fault can be injected at one of input and output stages of the primary and redundant functional circuits. Each lockstep circuitry further includes a checker circuit that tests whether the corresponding lockstep circuitry is faulty (i.e., whether the injected fault is accurately detected), and generates and provides, to the lockstep controller, a fault indication signal indicating whether the corresponding lockstep circuitry is faulty.

An apparatus includes a primary processor and a secondary processor configured to receive a first signal, a second signal and a plurality of input signals, and perform same operations as each other based on the first signal, the second signal and the plurality of input signals, a comparison circuit configured to receive output signals of the primary processor and the secondary processor, and detect a lockstep mismatch between the primary processor and the secondary processor based on the output signals, a fault capturing circuit configured to receive the first signal and the second signal, and capture a fault signal generated by the comparison circuit, and a first glitch absorption device configured to receive the first signal and the second signal, and absorb glitches fed into the first glitch absorption device.

Mechanisms for reducing memory inconsistencies between two synchronized computing devices are provided. A first hypervisor module of a first computing device iteratively determines that content of a memory page of a plurality of memory pages has been modified. The content of the memory page is sent to a second hypervisor module on a second computing device. At least one other memory page of the plurality of memory pages is identified, and a verification value based on the content of the at least one other memory page is generated. The verification value and a memory page identifier that identifies the at least one other memory page is sent to the second hypervisor module on the second computing device.

A communicative building management system (BMS) can enable replication of data from computer systems that may potentially be affected by various external events. The BMS is coupled to environmental sensors and configured to receive sensor signals and communicate with one or more computer systems implementing a service. The BMS notifies a console system administrating a service that one or more computer systems implementing the service are affected by a data center event based on signals received from one or more sensor devices associated with a zone including the affected computer systems. A console system commands replication of data stored on the affected computer systems to separate computer systems based at least in part on the notification from the BMS indicating the computer systems are affected by the data center event.

In a data processing device including two sets of circuit pairs which are respectively duplicated in two clock domains which are asynchronous to each other, an asynchronous transfer circuit that transfers a payload signal is provided between the two sets of circuit pairs. The asynchronous transfer circuit includes two sets of a pair of bridge circuits which are respectively connected to the two sets of circuit pairs, and asynchronously transfers the payload signal and a control signal indicating a timing at which the payload signal is stable on a reception side. The two sets of a pair of bridge circuits and the payload signals can be duplicated, but the control signal is not duplicated, and the received payload signal is used for timing control to supply an expected same time difference, to the pair of duplicated circuits. This enables asynchronous transfer between circuits duplicated in the asynchronous clock domains.

Provided are a computer program product, system, and method for determining processor offsets to synchronize processor time values. A determination is made of a master processor offset from one of a plurality of time values of the master processor and a time value of one of the slave processors. A determination is made of slave processor offsets, wherein each slave processor offset is determined from the master processor offset, one of the time values of the master processor, and a time value of the slave processor. A current time value of the master processor is adjusted by the master processor offset. A current time value of each of the slave processors is adjusted by the slave processor offset for the slave processor whose time value is being adjusted.