A fault-tolerant distributed real-time computer system for controlling a physical system, in particular a machine or a motor vehicle, wherein the components of the computer system have access to a global time of known precision, and wherein the node computers and intelligent sensors and the intelligent actuators exchange time-triggered messages and event-triggered messages periodically via the distributor units, and wherein the functions of the user software are contained in real-time software components—RTSC—and the periodic time-triggered data transfer between the RTSC is specified by a time-triggered data flow diagram, and wherein the assignment of the RTSC to a TTVM of a node computer and specific parameters of the TTVM are contained in active local allocation plans for each RTSC, and wherein the time plans for the time-triggered communication in this distributor unit are contained in active local allocation plans for each distributor unit, and wherein a global allocation plan consists of the totality of the local allocation plans, which are adapted to one another, of all RTSC and all distributor units of the user software, and wherein a monitor component periodically receives a copy of messages of the node computers to define the present operating state of the node computers, and wherein after the permanent failure of one or more RTSC, the monitor component activates a passive global allocation plan which specifies the allocation of the RTSC and the data supply thereof on newly installed TTVMs to the still functional node computers, and wherein the RTSC arrive at the newly configured TTVMs for execution at the provided periodic restart point in time in accordance with the selected passive global allocation plan.