HighWind

There are many cases where a bit flip might not be overwritten with the correct value the next control scan. E.g. if a filter or timer value is flipped to an out of range value, it can take hours to return to a normal value. Another example are state derived from ‘history’ e.g. incremental encoders or manual toggle buttons.
The only protection against this is a controller with lock-stepping (bit-flip protection), in automation systems this is seen in SIL rated safety systems.

You need two fail silent computers (Typ. 4 CPU’s).. A fail-silent system is a type of system that either provides the correct service, or provides no service at all. This ensure that an incorrect calculation is newer propagated out of the box.
A fail-silent system can be implemented by having two CPU’s in the same box, usually named COM and MON, COM is commanding, and MON is monitoring.
Inputs are connected to both CPU’s, and MON has inputs check the outputs generated by COM, if they disagree, they fail silent.
https://www.irit.fr/torrents/seminar...8.pdf#page=120

So both Flight Controller A and B, each need a COM and MON CPU. (Or at least a lockstep CPU like TMS570)
Each Flight Controller might have their own AoA sensor, that may differ in values, this in itself might not be a problem.
What is important is when the two Flight Controllers share their AoA values, they agree on what to do with them, or in rare cases one controller fails-silent. Otherwise we have a Byzantine fault.
Adding a 3’rd Flight Controller might improve dispatch reliability, by being able to MEL a Flight Controller.