A method for creating a redundant automation system, a computer program and a computer-readable medium, wherein the redundant automation system includes at least one automation installation to be controlled that is installed at an installation location and two control applications that are communicatively interconnected via a synchronization path, and includes a plurality of communication hubs and communication paths connecting these to one another, where one of the control applications operates as the master and the other control application operates as a reserve, such that when the control application operating as the master fails, the control application operating as the reserve function as the master, and where the locations of the computing resources for the control applications are selected such that the control applications are connected to the at least one automation installation via two different communication paths preferably having no or a minimal number of common communication hubs.

A device, comprising: a main module; a plurality of secondary modules; and a data bus configured to enable data transmission between the main module and the plurality of secondary modules over a data line of the data bus; wherein each of the plurality of secondary modules is configured with a unique secondary address used by the main module to communicate with the respective secondary module over the data line, wherein the main module is operable to configure a first two or more of the plurality of secondary modules with a first common secondary address for simultaneous data transmission from the main module to the first two or more of the plurality of secondary modules over the data line.

Techniques for system recovery using a failover processor are disclosed. A first processor, with a first instruction set, is configured to execute operations of a first type; and a second processor, with a second instruction set different from the first instruction set, is configured to execute operations of a second type. A determination is made that the second processor has failed to execute at least one operation of the second type within a particular period of time. Responsive to determining that the second processor has failed to execute at least one operation of the second type within the particular period of time, the first processor is configured to execute both the operations of the first type and the operations of the second type.

An error recovery method and apparatus, and a system are disclosed. At least two CPUs in a lockstep mode can exit the lockstep mode when an error occurs in at least one CPU, and the CPU in which the error occurs and a type of the error are determined. When the error can be recovered, the CPU in which the error occurs can be recovered according to a correctly running CPU. This helps the at least two CPUs run again at a position at which a service program is interrupted.

Methods of guaranteed reception and of processing of a digital signal in an avionics system comprise a plurality of computers, each computer comprising processing electronics and a software layer, which, on receipt of an event, carries out the following steps: at a first instant, sending to each of the other computers of a first signal (ACK) of reception of the event; at a second instant termed “TimeOut ACK”, if the electronic computer has not received one of the first signals emanating from one of the other computers, sending of a second failure signal (FAIL) to each of the other computers; at a third instant termed “TimeOut GARANTEED”, if a second failure signal has been received by the computer, absence of taking into account of the event by the computer and if no failure signal has been received by the computer, taking into account of the event by the data processing electronics of the computer.

A processor system includes a master processor that successively processes a plurality of tasks, a checker processor that successively processes at least one of the plurality of tasks, and a control circuit that performs control so that the checker processor operates when the master processor and the checker processor perform a lock-step operation, and the checker processor stops its operation when the master processor and the checker processor do not perform the lock-step operation, the lock-step operation being an operation in which each of the master and checker processors processes the same task, in which the control circuit performs control so that a period from when a task is processed by the lock-step operation to when another task is processed in the next lock-step operation is equal to or shorter than a maximum test period, the maximum test period being a test period acceptable to the processor system.

A safety I/O module (10) disposed between a network (NW) and a target device (20) is provided. The safety I/O module (10) includes MCUs (121, 122). Further, the each of the MCUs (121, 122) includes a CPU (123) and an RTOS accelerator (124) configured to perform a process for switching a task executed by the CPU (123) and a process for starting the task.

The invention relates to a system (1), comprising at least two asynchronous computers (2-i), on each of which at least one application (A) is executed, which provides control data (SD) for at least one actuation system (3), wherein the provided control data (SD) are transmitted by a control-authorized computer (2-i) that assumes a master computer status (M-RS) to the actuation system (3) for the control thereof, wherein the computers (2-i) of the system (1) cyclically exchange state data (ZD) and performance data (LD) with each other by means of a data interface in a data exchange (DAS), wherein the computers (2-i) each determine, on the basis of the state and performance data (ZD.sub.opp, LD.sub.opp) received from other computers (2-j) and on the basis of the computer's own state and performance data (ZD.sub.own, LD.sub.own, in a master/slave selection (MSA) performed on the computer (2-i), a computer status (RS) as a control-authorized or non-control-authorized computer (2-i) to be assumed by the particular computer (2-i) itself.

A method, system, and computer program product for maintaining data centers obtain input data; communicate an update request associated with the input data to a node of a plurality of nodes; receive an indication that the update request failed; communicate a result request for result data associated with processing of the input data to the node of the plurality of nodes until the result data associated with processing of the input data is received; and in response to receiving the result data associated with processing of the input data from the node, process the result data.

A device, comprising: a main module; a plurality of secondary modules; and a data bus configured to enable data transmission between the main module and the plurality of secondary modules over a data line of the data bus; wherein each of the plurality of secondary modules is configured with a unique secondary address used by the main module to communicate with the respective secondary module over the data line, wherein the main module is operable to configure a first two or more of the plurality of secondary modules with a first common secondary address for simultaneous data transmission from the main module to the first two or more of the plurality of secondary modules over the data line.