Out of interest, does a typical engine management system used in a car make use of an MCU which supports lockstep computing, with multiple cores executing the same instructions simultaneously?
For a car it'd be kind of overkill. The failure mode of the system is usually something like "throttle position sensor value out of range" due to bad wiring or a bad sensor. So multiple cores don't do anything, because you still wind up pulling over to the side of the road. Some aircraft do something like what you're thinking, but it's actually separate computer architectures running the same code.
Now if you go back in time far enough to pre-WWII designed vehicles it was common to have two ignition systems with a massive mechanical lever to switch between "magneto" and "coil" based ignition for gas engines in military engines. Coil driven spark plug systems had advantages but the magneto system was much more reliable by virtue of having no moving parts. Diesels had a slight advantage here in that there was no ignition system as such to fail.
Nope, just automotive grade components and potting goop. A Bosch ECU from a VW New Beetle that I recently repaired has a single Infineon MCU, AMD flash, and Bosch power management ICs.
All Audis and VWs recently have a drive-by-wire system that opens the throttle, drives ignition coils, and triggers fuel injectors electrically. It's not like there is much to go wrong. I did find a very high accuracy, temperature compensated crystal resonator, which makes sense for sending timing signals in a harsh environment.
There's also a fair amount of open source short of full engine management. Things like read/write into the CAN bus, altering fuel curves without fully taking over the engine computer, burning altered EEPROMs for older ECMs, etc.
Yeah, the kinetic energy associated with a running engine (flywheel to entire vehicle mass) makes it rather difficult to stall from a single cycle problem, especially given that it consistently recalculates and checks everything multiple times before the timing signal is sent.
The engine feels like it's running fast, but it's really slow compared to the ECU's ability to observe it and respond to it. A single missed signal would just result in a misfire.
Mapping is not recalculated in flight; it is loaded from flash (or via OBD when tuning) and normally not reloaded till restart. You might have some luck with short/long term trim fixing it, or not.
If you're lucky the ECU might crash or run rich in that one rpm/load point; if not, it might run lean for an entire highway drive, if, say, a bit flip happens to flip the lambda probe settings to always show the mixture being too rich.
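The flash-loaded map and the bit-flip scenario above are where an integrity check earns its keep. Added example, not code from anyone in this thread or from any real ECU: the calibration map is sealed with a CRC-32 when written and verified before it is used at boot, so a single flipped bit in a lambda target cell is caught instead of silently driving the mixture lean. The map layout, cell count and values are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define MAP_CELLS 16  /* constructed: a tiny 16-cell rpm/load map */

typedef struct {
    uint16_t lambda_target[MAP_CELLS]; /* constructed: target AFR x100 per cell */
    uint32_t crc;                      /* CRC-32 over lambda_target, set at flash time */
} cal_map_t;

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
uint32_t crc32(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Flash-time step: compute and store the checksum beside the map. */
void cal_map_seal(cal_map_t *m) {
    m->crc = crc32((const uint8_t *)m->lambda_target, sizeof m->lambda_target);
}

/* Boot-time step: refuse to use a map whose checksum no longer matches. */
bool cal_map_verify(const cal_map_t *m) {
    return crc32((const uint8_t *)m->lambda_target, sizeof m->lambda_target) == m->crc;
}

/* Simulate a single-event upset: flip one bit in one cell. */
void cal_map_flip_bit(cal_map_t *m, size_t cell, unsigned bit) {
    m->lambda_target[cell] ^= (uint16_t)(1u << bit);
}

/* Returns true if an intact map verifies and a one-bit corruption is detected. */
bool cal_map_demo(void) {
    cal_map_t m;
    for (size_t i = 0; i < MAP_CELLS; i++) m.lambda_target[i] = 1470; /* constructed */
    cal_map_seal(&m);
    bool intact = cal_map_verify(&m);
    cal_map_flip_bit(&m, 5, 9);             /* one flipped bit in cell 5 */
    bool caught = !cal_map_verify(&m);
    return intact && caught;
}

int main(void) {
    printf("bit flip detected: %s\n", cal_map_demo() ? "yes" : "no");
    return 0;
}
```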
I saw a 30 second segment in something I'm sure was about F1 engines that had something on a dyno, and they flipped (while running) from the engine map to an AI predicting the engine timing per firing, and you could hear the thing smooth right out.
So no I imagine there's actually quite a lot of wiggle room to be off. Less so if you want it to last a million miles. But 30k?
Well, yeah, on top of a one-in-a-billion chance of a bit flip you'd also have a one-in-a-million chance that the bit flip would cause it to do something uncorrectably wrong.
There is a lot of protection in a modern engine, like retarding timing when there is a knock, or long/short fuel trims to correct for any changes in the sensors.