Abstract: A method and a fault-tolerant computer architecture (FCTA) for fail-safe trajectory planning for a moving entity (MOV). The method and FCTA uses a commander (COM), a monitor (MON), and a safe envelope generating stage (ENV). Based on sensor input, the commander (COM) and the monitor (MON) produce real-time images of objects (OBJ1, OBJ2) detected. A trajectory planning stage (TRJ-PLN) generates trajectories (COM-TRJ1, COM-TRJ2), and the safe envelope generating stage (ENV) generates a safety envelope. The commander (COM) provides the one or more trajectories (COM-TRJ1, COM-TRJ2) to the monitor (MON) and the decision subsystem (DECIDE). A trajectory verification stage (TRJ-VRFY) verifies a trajectory (COM-TRJ1, COM-TRJ2) generated by the commander (COM) only if said trajectory (COM-TRJ1, COM-TRJ2) is completely located inside said safety envelope. A moving entity (MOV) uses a trajectory (COM-TRJ1, COM-TRJ2) generated by the commander (COM) only when said trajectory is verified by the monitor (MON).