Redundant computer system utilizing comparison diagnostics and voting techniques

What is claimed is: 1. A redundant computer system comprising: a first channel, a second channel, and a third channel each channel comprising: a primary processor module (PPM); a secondary processor module (SPM), wherein said primary processor module (PPM) is in operative communication with said secondary processor module (SPM), said primary processor module (SPM) and secondary processor module (SPM) operate in parallel redundancy; said primary processor module (PPM) in the first channel, said primary processor in the second channel, and said primary processor module (PPM) in the third channel are in operative communication with each other; said secondary processor module (SPM) in the first channel, said secondary processor module (SPM) in the second channel, and said secondary processor module (SPM) in the third channel are in operative communication with each other; an input module includes in each channel a first and a second interface to provide operative communication of said input module with said primary processor module (PPM) and secondary processor module (SPM), wherein said input module in each channel is in operative communication with a first and a second section of a dual redundant sensor (DRS) for each controlled point that delivers input data to said input module; said input module including means for calculating a deviation between values of said input data produced by said first and second section of the DRS for each controlled point to indicate whether said deviation is within a predetermined limit; said input module can be digital or analog; said primary processor module (PPM) and said secondary processor module (SPM) in each channel configured to receive said input data from said input module to synchronously execute an application program and to transfer output data as a result of said application program execution to an output module via a first and a second interface; said output module in each channel includes an output controller that is in operative communication with primary processor module (PPM) and with said secondary processor module (SPM) for receiving said output data from the primary processor module (PPM) and from the secondary processor module (SPM); said output module further includes a voter component and an improper sequence detector (ISD) component; said output module can be digital or analog; said voter component is in operative communication with said primary processor module (PPM) and said secondary processor module (SPM), said improper sequence detector (ISD) component is in operative communication with said voter component and with said output controller; means in said improper sequence detector that verifies an absence or presence a fault in timetable and verifies consistency of program operations in said output controller; a comparing diagnostic in said primary processor module (PPM) and said secondary processor module (SPM) in each channel for monitoring a condition of said output module; said comparison diagnostic allows the system to disable said output module if at least two elements among the primary processor module (PPM), the secondary processor module (SPM), and the improper sequence detector (ISD) vote that said output controller has failed; said comparison diagnostic having no single point of failure to allow the system to operate with one operational output module in the event that two neighboring output modules fail concurrently; said output controller connected via a read only bus with a neighboring output controller to receive or send said output data from or to said neighboring output controllers; means wherein said output controller includes for activating a disparity signal on an input of said logic circuit for some controlled points if the associated primary processor module (PPM) and secondary processor module (SPM) produce said output data that are different due to occurrence of transient faults, or due to said deviation that is out of said predetermined limits for said controlled points; said disparity signal being activated as a result of an exclusive NOR (XNOR) operation between single-bit output data that said output controller receives from the associated primary processor module (PPM) and secondary processor module (SPM); said output data is substituted by the output data produced by neighboring output controllers for some controlled points if said disparity signal is activated for said controlled points; said logic circuit includes in each channel an arrangement of a plurality of logic gates that are coupled through isolated drivers with inputs of said voting network for each controlled point; said logic circuit in said first channel providing the outputs of the associated voting network as a product of said output data that is received from said output controller in the first channel and a sum of said output data received from output controllers in said second and third channels; said logic circuit in said second channel providing outputs of the associated voting network as a product of said output data that is received from said output controller in said second channel and a sum of said output data received from said output controllers in said first and third channels; said logic circuit in said third channel providing outputs of the associated voting network as a product of said output data that is received from said output controller in said third channel and a sum of said output data received from said output controllers in said first and second channels; said logic circuit and voting network performing a logic operation with said output data to provide 2-of-3 voting among output data produced by said first, second, and third channel; said voting network including a fault recovery valve for each controlled point to allow said voting network to remain operational in the presence of up two faults; the system continuing to perform 2-of-3 voting even though three primary processor module (PPM)s or three secondary processor module (SPM)s concurrently fail, thereby, allowing the system to continue to remain operational in the presence of multiple faults in the primary processor module (PPM) and in the secondary processor module (SPM); the system energizes a controlled process in the fault free operation when a majority of system channels operate properly and de-energizes said process in the presence of multiple dangerous failures in the system; the system continues to operate in the presence of any two faults in one or two channels, the system providing a safe shutdown for the process if hard faults occurs in all channels; each PPM uses same hardware and same software, which are different with hardware and software that each secondary processor module (SPM) uses, said hardware and software diversity allows the system decreasing the probability of common cause failure. 2. The redundant computer system of claim 1 , wherein: said voter component includes a plurality of parallel voting groups that are coupled between a voltage source and a ground node, with each voting group including at least two low power switches, such as a MOSFET or any other suitable transistor or relay for example, connected in series; said primary processor module (PPM) and secondary processor module (SPM) in each channel continually controlling said switches in two groups by the associated lines, while the switches in the third group is controlled by said improper sequence detector (ISD); said voter component produces an output signal as a result of a majority of two-out-of-three voting among signals, which the primary processor module (PPM) and a secondary processor module (SPM) and the improper sequence detector (ISD) produce on the inputs of said voter component; said output signal in each channel is connected to a corresponding input of said logic circuit that disconnects output of the associate