Ideally, it’s so good that it barely needs to be in the first place.
Two redundant processors, typically sourced from different vendors, based on different designs. The code running on each processor has to be developed by two teams working in isolated conditions. The output of both processors has to agree or else the safety relay faults.
Source: How Is Critical ‘Life or Death’ Software Tested? | Motherboard
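
An added illustration of the comparison scheme quoted above (not code from the article or from any real safety system): two differently designed implementations of a hypothetical speed-limit check feed a relay that latches a fault when they disagree. The limit value, the function names and the latching behaviour are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SPEED_LIMIT_MM_S 250 /* hypothetical limit for the example */

typedef bool (*channel_fn)(int32_t speed_mm_s);

/* Channel A: plain signed range check. */
static bool channel_a_permit(int32_t v) { return v >= 0 && v <= SPEED_LIMIT_MM_S; }

/* Channel B: different design, one unsigned wrap-around margin test. */
static bool channel_b_permit(int32_t v) {
    uint32_t margin = (uint32_t)SPEED_LIMIT_MM_S - (uint32_t)v;
    return margin <= (uint32_t)SPEED_LIMIT_MM_S;
}

/* Constructed defect: a channel B that forgot to reject negative readings. */
static bool channel_b_defective(int32_t v) { return v <= SPEED_LIMIT_MM_S; }

typedef struct {
    bool faulted;        /* latched until manual reset (assumption) */
    uint32_t mismatches; /* number of cycles on which the channels disagreed */
} safety_relay;

/* One control cycle: returns true only while the relay is energized. */
static bool relay_step(safety_relay *r, channel_fn a, channel_fn b, int32_t v) {
    bool pa = a(v), pb = b(v);
    if (pa != pb) { r->faulted = true; r->mismatches++; }
    return !r->faulted && pa && pb;
}

/* Feed a series of readings; return how many cycles permitted motion. */
static size_t run_samples(safety_relay *r, channel_fn a, channel_fn b,
                          const int32_t *s, size_t n) {
    size_t energized = 0;
    for (size_t i = 0; i < n; i++) energized += relay_step(r, a, b, s[i]);
    return energized;
}

int main(void) {
    const int32_t readings[] = {0, 120, 250, 251, -5, 100}; /* constructed */
    safety_relay ok = {0}, bad = {0};
    size_t n_ok = run_samples(&ok, channel_a_permit, channel_b_permit, readings, 6);
    size_t n_bad = run_samples(&bad, channel_a_permit, channel_b_defective, readings, 6);
    printf("diverse pair:   %zu cycles energized, faulted=%d\n", n_ok, ok.faulted);
    printf("defective pair: %zu cycles energized, faulted=%d\n", n_bad, bad.faulted);
    return 0;
}
```

With the defective channel, the negative reading is the first input on which the two designs disagree, and the relay stays de-energized for every cycle after it even though later readings are valid.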