G06F11/184

Redundancy control device for aircraft
11552640 · 2023-01-10

The redundancy control device includes three controllers that output status signals, a majority voting circuit to which a first voltage or a second voltage is supplied as an output signal through an output line of each controller, a switch provided in each output line, a voltage supply unit provided for each output line to supply the second voltage to the output line when the first voltage is lost, a latch circuit provided for each output line to latch the second voltage when the second voltage is supplied thereto and continue to output the second voltage, a comparison circuit provided for each controller to output a comparison signal based on a comparison of the status signals, and a switch control unit provided for each switch to output a switch signal to the switch in response to the comparison signal from the comparison circuit.

LOCKSTEP PROCESSOR RECOVERY FOR VEHICLE APPLICATIONS
20230092343 · 2023-03-23

A fault tolerant processing environment wherein multiple processors are configured as worker nodes and redundant nodes, with a failed worker node replaced programmatically by a manager node. Each of the processing nodes may include a processor and memory associated with the processor and communicate with other processing nodes using a network. A manager node creates a message passing interface (MPI) communication group having worker nodes and redundant nodes, instructs the worker nodes to perform lockstep processing of tasks for an application, and monitors execution of the tasks. If a node fails, the manager node creates a replacement worker node from one of the redundant processing nodes and creates a new communications group. It then instructs those nodes in the new communications group to resume processing based on the application state and checkpoint backup data.

System recovery using a failover processor

Techniques for system recovery using a failover processor are disclosed. A first processor, with a first instruction set, is configured to execute operations of a first type; and a second processor, with a second instruction set different from the first instruction set, is configured to execute operations of a second type. A determination is made that the second processor has failed to execute at least one operation of the second type within a particular period of time. Responsive to determining that the second processor has failed to execute at least one operation of the second type within the particular period of time, the first processor is configured to execute both the operations of the first type and the operations of the second type.

Fail-safe semi-autonomous or autonomous vehicle processor array redundancy which permits an agent to perform a function based on comparing valid output from sets of redundant processors
11645178 · 2023-05-09

Techniques are disclosed for processor synchronization within a reconfigurable computing environment for processor array redundancy. Processing elements are configured within a reconfigurable fabric to implement two or more redundant processors, where the two or more redundant processors are enabled for coincident operation. An agent is loaded on each of the two or more redundant processors, where the agent performs a function requiring data validation. The agent is fired on each of the two or more redundant processors to commence coincident operation. The coincident operation can include a lockstep operation. An output data result from each of the two or more redundant processors is compared to enable a data validation result. The data validation result is propagated. The propagating of the data validation result can be based on comparing valid output data or can be based on comparing invalid output data.

MODIFIED CONSENSUS PROTOCOL FOR ELIMINATING HEARTBEAT NETWORK TRAFFIC
20170366451 · 2017-12-21

A computing system in data communication with a plurality of nodes that make up a distributed computing cluster can detect an absence of communication from a node of the plurality of nodes over a time period that exceeds a predefined threshold time period. The computing system can query an instance of a central topology manager for the plurality of nodes regarding liveness of the node from which the absence of communication was detected and can attempt to re-initiate communication with the node when the instance of the central topology manager indicates that the node is live.

Multiprocessor system
09846666 · 2017-12-19

The present invention realizes a functional safety of a multiprocessor system without tightly coupling processor elements. When causing a plurality of processor elements to execute the same data processing and realizing a functional safety of the processor element, there is adopted a bus interface unit that performs control of performing safety measure processing when the non-coincidence of access requests issued from the processor elements has been fixed, and of starting access processing responding to the access request when these access requests coincide with one another.

SYSTEM AND METHOD FOR FALSE PASS DETECTION IN LOCKSTEP DUAL CORE OR TRIPLE MODULAR REDUNDANCY (TMR) SYSTEMS
20170357557 · 2017-12-14

The disclosure relates to an apparatus and method for false pass detection in lockstep dual processing core systems, triple modular redundancy (TMR) systems, or other redundant processing systems. A false pass occurs when two processing cores generate matching data outputs, both of which are in error. A false pass may occur when the processing cores are both subjected to substantially the same adverse condition, such as a supply voltage drop or a sudden temperature change or gradient. The apparatus includes processing cores configured to generate first and second data outputs and first and second timing violation signals. A voter-comparator validates the first and second data outputs if they match and the first and second timing violation signals indicate no timing violations. Otherwise, the voter-comparator invalidates the first and second data outputs. Validated data outputs are used for performing additional operations, and invalidated data outputs may be discarded.

VOTER-BASED METHOD OF CONTROLLING REDUNDANCY, ELECTRONIC DEVICE, AND STORAGE MEDIUM
20230168636 · 2023-06-01

A voter-based method of controlling a redundancy is provided, including acquiring a processing element array in a target hardware, wherein the processing element array includes a plurality of processing elements, selecting a plurality of groups of processing elements from the processing element array so as to generate a voter set, wherein a corresponding voter is generated for each group of the plurality of groups of processing elements, and the corresponding voter is configured to perform a voting operation in a redundancy control, acquiring, in response to a message indicating a fault state of a detected voter, a target voter from the voter set so as to replace the detected voter, and re-performing the voting operation in the redundancy control by using the target voter. An electronic device and a storage medium are further provided, which are implemented based on the processing element array of the target hardware.

Multiplex control device

In one embodiment, a multiplex control device includes three or more control modules to execute the same operations for the same input signals, and a majority decision module to output an output signal that matches the majority of output signals outputted by the control modules. Each control module includes an input module to convert an input signal into an input value, a first determination module to obtain input values from input modules of respective control modules to determine whether a majority of input values among the obtained input values match, an operation executing module to execute an operation using the matched input value to generate an output value, a second determination module to obtain output values from operation executing modules of respective control modules to determine whether a majority of output values among the obtained output values match, and an output module to convert the matched output value to generate an output signal.

Apparatus and methods for allocating and indicating engine control authority

A control apparatus includes a first controller configured to generate control signals for controlling an engine or other machine, a second controller configured to generate the control signals for controlling the machine, a transfer circuit, and an arbiter circuit. The transfer circuit is coupled between the machine and the controllers, and is configured to switch from a first state, where the transfer circuit passes the control signals from the first controller to the machine, to a second state, where the transfer circuit passes the control signals from the second controller to the machine, responsive to receiving a first failure signal from the first controller. The arbiter circuit includes three (or more) arbiters, and is configured to control the transfer circuit from the first state to the second state responsive to any two of the three arbiters generating second signals indicative of failure of the first controller.