Patents Assigned to TTTech Auto AG
  • Publication number: 20240095068
    Abstract: A method for configuring a real-time computer system including resources for executing tasks, wherein at least one task is a real-time task, wherein the resources include at least first and second processors and a communication subsystem interconnecting the processors and at least a first memory accessible by the first processor and at least a second memory accessible by the second processor, includes the steps of: providing an estimate for an individual resource utilization of the tasks; providing for each resource a resource model; determining a configuration allocating each task to at least one of the resources according to a prediction at least based on the estimate for an individual resource utilization of the tasks and the resource model; measuring the real resource utilization of the tasks during execution; and refining the prediction according to a result of the measuring and refining the configuration according to the refined prediction.
    Type: Application
    Filed: September 20, 2023
    Publication date: March 21, 2024
    Applicant: TTTech Auto AG
    Inventor: Stefan POLEDNA
  • Patent number: 11936767
    Abstract: The invention relates to a real-time computer system for controlling a technical device, the real-time computer system comprising data acquisition components which are independent of each other, as well as non-secure data processing components for processing sensor data. A time server as well as a first communication system and a second communication system independent of it are provided, the time server periodically sending global time signals to the communication systems. Each data acquisition component has two communication controllers, wherein each data acquisition component is connected by two communication controllers via a communication line to the first communication system, and is connected by another communication controller to the second communication system via a communication line, such that each data acquisition component can transmit its sensor data to each of the two communication systems.
    Type: Grant
    Filed: April 13, 2021
    Date of Patent: March 19, 2024
    Assignee: TTTech Auto AG
    Inventors: Hermann Kopetz, Stefan Poledna
  • Publication number: 20230262071
    Abstract: A method monitors data traffic between control devices of a motor vehicle. In the method, at least one data pattern of a packet type and/or data content to be monitored and/or detected is stored in an associative memory such that in response to input data, which contains the respective data pattern, an associated hit signal is generated by the associative memory, and a network processor reads out detection data from received data packets in predetermined monitoring positions and forms input data for the associative memory therefrom. The network processor examines whether a hit signal results by inputting the input data into the associative memory, and a microprocessor recognizes based on transmission schedule data, which describes an intended transmission scheme of the control devices, by a predetermined comparison routine whether the hit signals deviate from the transmission scheme.
    Type: Application
    Filed: October 20, 2021
    Publication date: August 17, 2023
    Applicants: AUDI AG, TTTECH AUTO AG
    Inventors: Alexandru STIRECIU, Costel PATRASCU, Karsten SCHMIDT, Bernhard STANGL, Jose Antonio MUNOZ CEPILLO
  • Patent number: 11687398
    Abstract: The architecture includes four largely independent subsystems which are arranged hierarchically and each form an isolated Fault-Containment Unit (FCU). At the top of the hierarchy is a secure subsystem, the Fault-Tolerant Decision Subsystem, which executes simple software on fault-tolerant hardware. The other three subsystems are insecure because they contain complex software executed on non-fault-tolerant hardware. Experience has shown that it is difficult to find all design errors in a complex software system and to prevent an intrusion. The redundancy and diversity inherent in this architecture masks every error—even a Byzantine error—of an insecure subsystem in such a way that no safety-critical failure can occur.
    Type: Grant
    Filed: December 2, 2021
    Date of Patent: June 27, 2023
    Assignee: TTTech Auto AG
    Inventor: Hermann Kopetz
  • Patent number: 11662764
    Abstract: The invention is part of the field of computer technology. It describes the architecture of a secure automation system and a method for safe autonomous operation of a technical apparatus, in particular a motor vehicle. The architecture disclosed herein solves the problem that any Byzantine error in one of the complex subsystems of a distributed real-time computer system, regardless of whether the error was triggered by a random hardware failure, a design error in the software or an intrusion, must be recognized and controlled in such a way that no security-relevant incident occurs. The architecture includes four largely independent subsystems which are arranged hierarchically and each form an isolated Fault-Containment Unit (FCU). At the top of the hierarchy is a secure subsystem, which executes simple software on fault-tolerant hardware. The other three subsystems are insecure because they contain complex software executed on non-fault-tolerant hardware.
    Type: Grant
    Filed: December 2, 2021
    Date of Patent: May 30, 2023
    Assignee: TTTech Auto AG
    Inventor: Hermann Kopetz
  • Patent number: 11474859
    Abstract: A method for integrating infrastructure software functions and automotive applications on an automotive electronic control unit (ECU) device. The ECU device includes a hardware architecture and a software architecture, wherein the hardware architecture includes two or more system-on-chips, at least two of which each comprise two or more processing cores and means to communicate with at least one other system-on-chip. The hardware architecture includes memory and means to communicate with other ECU devices. The software architecture includes one, two, or more virtual machine monitors, each of which executes one, two, or more virtual machines. At least two of said virtual machines each execute an operating system, which executes one, two, or more tasks, and the execution of two or more of the tasks uses the time-triggered paradigm. The tasks are tasks of automotive applications from at least two different automotive domains and are tasks of infrastructure software functions.
    Type: Grant
    Filed: May 24, 2019
    Date of Patent: October 18, 2022
    Assignee: TTTECH AUTO AG
    Inventors: Stefan Poledna, Wilfried Steiner
  • Patent number: 11397592
    Abstract: A method to generate configuration data to enable and/or to enhance real-time communication in a cyber-physical system or in a cyber-physical system of systems. The system includes components connected to each other by a communication infrastructure. The components each execute at least one application, which applications exchange information with at least one application being executed on another component. The components are configured to send and/or receive said information according to configuration data: The first configuration data for two or more of the components, on each of which at least one application is executed, is generated by execution of a publish-subscribe protocol, which is executed by two or more of the components, for which the first configuration data are provided.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: July 26, 2022
    Assignee: TTTECH AUTO AG
    Inventors: Bernhard Leiner, Salvador Rodriguez Lopez, Stefan Poledna, Georg Niedrist
  • Patent number: 11340892
    Abstract: A method to maneuver a supervised vehicle based on an output of a software in development, wherein the software in development is part of an ASIL-classified function, and the software in development has not completed a software development process for ASIL classification of the ASIL-classified function. A safe device includes a safety monitor, wherein the safety monitor is implemented according to specific software development requirements, which are requirements for the ASIL classification of the ASIL-classified function. The safety monitor (i) monitors the output of the software in development, and (ii) classifies the output as either safe or unsafe, wherein the safe device executes a safety mechanism if the safety monitor classifies the output as unsafe, wherein the safety mechanism causes the supervised vehicle not to maneuver in accordance with the output, and if the safety monitor classifies the output as safe, the supervised vehicle is maneuvered based on the output.
    Type: Grant
    Filed: October 16, 2020
    Date of Patent: May 24, 2022
    Assignee: TTTECH AUTO AG
    Inventor: Stefan Poledna
  • Patent number: 10963334
    Abstract: A method for fault tolerant data integrity verification of safety-related data in a safety-related computer system is disclosed. The method includes a) randomly generating a set of at least two or more initial values; b) calculating, for each of the initial values, one specific CRC reference value, wherein each specific CRC reference value is calculated jointly from the safety-related data to be verified and the initial value associated with the specific CRC reference value; c) storing the pairs of initial value and associated specific CRC reference value; and d) following the steps a)-c), d1) randomly choosing an initial value out of the set of initial values generated in step a), d2) the non-safety-related hardware-engine calculating a CRC value jointly from the randomly chosen initial value and the safety-related data to be verified, and d3) comparing the calculated CRC value from step d2) to the reference CRC value.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: March 30, 2021
    Assignee: TTTech Auto AG
    Inventor: Maximilian Rosenblattl
  • Patent number: 10919524
    Abstract: A fault-tolerant computer system (FTCS) for generating safe trajectories for a vehicle. The FTCS includes: a sensor part (SENSE), a primary part (PRIM), a secondary part (SEC), a tertiary part (TER), and a decide part (DECIDE). The PRIM and TER are configured to produce trajectories by interpreting information of the real world as perceived by the SENSE. The SEC is configured to produce a safe space estimate (FSE) by interpreting information of the real world as perceived by SENSE. The DECIDE and/or SEC are configured to execute correctness checks that take trajectories and FSE as inputs, and qualify a trajectory (TRJ) as safe when said TRJ is inside the FSE, and qualify a trajectory (UTRJ) as unsafe when said UTRJ is not inside the FSE.
    Type: Grant
    Filed: November 28, 2018
    Date of Patent: February 16, 2021
    Assignee: TTTECH AUTO AG
    Inventors: Stefan Poledna, Eric Schmidt, Georg Niedrist, Stefan Traxler, Hermann Kopetz
  • Patent number: 10782700
    Abstract: A method for operating a controlled object that is embedded in a changing environment. The controlled object and its environment are periodically observed using sensors. Independent data flow paths (“DFP”) are executed based on the data recorded through the observation of the controlled object and its environment. A first DFP determines a model of the controlled object and the environment of the controlled object and carries out a trajectory planning in order to create possible trajectories that, under the given environmental conditions, correspond to a specified task assignment. A second DFP determines a model of the controlled object and of the environment of the controlled object and determines a safe space-time domain (“SRZD”) in which all safe trajectories must be located. The results of the first and the second DFP are transmitted to a deciding instance to verify whether at least one of the trajectories is safe.
    Type: Grant
    Filed: March 14, 2018
    Date of Patent: September 22, 2020
    Assignee: TTTECH AUTO AG
    Inventors: Hermann Kopetz, Stefan Poledna, Georg Niedrist, Eric Schmidt, Christopher Helpa
  • Patent number: 10684908
    Abstract: The invention relates to a method for detecting faults that occur or are present in an operating system of a computer, wherein an in particular independent audit task (106) is carried out during the run time before a starting time (102, 112) of the requested application task (107), wherein the control registers define the properties of the run time environment of the requested application task (107) and have reading access to the contents and validate these contents. Furthermore, the invention relates to a computer, on which such a method is carried out.
    Type: Grant
    Filed: April 12, 2018
    Date of Patent: June 16, 2020
    Assignee: TTTECH AUTO AG
    Inventors: Stefan Poledna, Andreas Wolf, Hermann Kopetz, Martin Hoefler
  • Patent number: 10671382
    Abstract: The invention relates to a device for integrating software components of a distributed real-time software system, said components being run on target hardware and on a development system, wherein the target hardware comprises computing nodes, and the development system comprises one or more computers. The device is designed as an expanded development system in which the computing nodes of the target hardware are connected to the computers of the development system via one or more time-controlled distributor units, wherein the expanded development system has a sparse global time of known precision, and wherein the computing nodes of the target hardware are connected to the computers of the development system via the one or more time-controlled distributor units such that the data content of a TT message template of a TT platform of the target hardware can be provided both by a simulation process of the development system as well as by an operative process of the target hardware in a timely manner.
    Type: Grant
    Filed: June 16, 2016
    Date of Patent: June 2, 2020
    Assignee: TTTECH AUTO AG
    Inventors: Hermann Kopetz, Stefan Poledna
  • Patent number: 10585781
    Abstract: The invention relates to a method for debugging software components of a distributed real-time software system, wherein the target hardware comprises computer nodes and the development system comprises one or more computers.
    Type: Grant
    Filed: June 16, 2016
    Date of Patent: March 10, 2020
    Assignee: TTTech Auto AG
    Inventors: Hermann Kopetz, Stefan Poledna
  • Patent number: 10571920
    Abstract: A method is provided by which a complex electronic system for controlling a safety-critical technical process, for example driving an autonomous vehicle, can be implemented. A distinction is made between simple and complex software, wherein the simple software is executed on error-tolerant hardware and wherein a plurality of diverse versions of the complex software are implemented simultaneously on independent fault containment units (FCU). A consolidated environmental model is developed from a number of different environmental models and represents the basis for trajectory planning.
    Type: Grant
    Filed: August 16, 2017
    Date of Patent: February 25, 2020
    Assignee: TTTech Auto AG
    Inventors: Stefan Poledna, Georg Niedrist, Eric Schmidt, Christopher Helpa, Hermann Kopetz
  • Patent number: 10503582
    Abstract: A method for fault tolerant data integrity verification of safety-related data in a safety-related computer system is disclosed. The method includes a) randomly generating a set of at least two or more initial values, b) calculating, for each of the initial values, one specific CRC reference value, wherein each specific CRC reference value is calculated jointly from the safety-related data to be verified and the initial value associated with the specific CRC reference value, c) storing the pairs of initial value and associated specific CRC reference value, and d) following the steps a)-c), d1) randomly choosing an initial value out of the set of initial values generated in step a), d2) the non-safety-related hardware-engine calculating a CRC value jointly from the randomly chosen initial value and the safety-related data to be verified, d3) comparing the CRC value calculated in step d2) to the reference CRC value.
    Type: Grant
    Filed: March 2, 2018
    Date of Patent: December 10, 2019
    Assignee: TTTECH AUTO AG
    Inventor: Maximilian Rosenblattl
  • Patent number: 10488864
    Abstract: The invention relates to a method for operating a controlled object that is embedded in a changing environment, wherein the controlled object and its environment are periodically observed using sensors, and, in each frame, at least three independent data flow paths (DFPs) are executed based on the data recorded through the observation of the controlled object and its environment.
    Type: Grant
    Filed: March 14, 2018
    Date of Patent: November 26, 2019
    Assignee: TTTech Auto AG
    Inventors: Hermann Kopetz, Stefan Poledna, Georg Niedrist, Eric Schmidt, Christopher Helpa
  • Patent number: 10397081
    Abstract: The invention relates to a method for forcing fail-silent behavior of a periodically functioning, distributed real-time computer system, which real-time computer system comprises at least two redundant NSCFCUs. At the beginning of a frame, the at least two redundant NSCFCUs (110, 111) are supplied with the same input data, wherein each of the redundant NSCFCUs calculates a result, preferably by means of a deterministic algorithm, particularly from the input data, and wherein this result is packed into a CSDP with an end-to-end signature, and wherein the CSDPs of the NSCFCUs (110, 111) are transmitted to an SCFCU (130), and wherein the SCFCU (130) checks whether the bit patterns of the received CSDPs are identical, and, if disparity of the bit patterns is found, prevents further transmission of the CSDPs, particularly those CSDPs in which disparity was found. Furthermore, the invention relates to a periodically functioning, distributed real-time computer system.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: August 27, 2019
    Assignee: TTTech Auto AG
    Inventors: Stefan Poledna, Hermann Kopetz
  • Patent number: 10359772
    Abstract: An innovative method is provided by which a complex electronic system for controlling a safety-critical technical process, for example driving an autonomous vehicle, can be implemented. A decision is made between simple and complex software, wherein the simple software is implemented on error-tolerant hardware and wherein a plurality of different versions of the complex software are simultaneously implemented in independent fault containment units (FCU) and wherein a result that is to be transmitted to the actuators is selected by a decider from the results of the complex software that is implemented using the simple software.
    Type: Grant
    Filed: August 15, 2017
    Date of Patent: July 23, 2019
    Assignee: TTTECH AUTO AG
    Inventors: Stefan Poledna, Georg Niedrist, Eric Schmidt, Christopher Helpa, Hermann Kopetz
  • Patent number: 10324797
    Abstract: A fault-tolerant distributed real-time computer system for controlling a physical system, in particular a machine or a motor vehicle, wherein the components of the computer system have access to a global time of known precision, and wherein the node computers and intelligent sensors and the intelligent actuators exchange time-triggered messages and event-triggered messages periodically via the distributor units, and wherein the functions of the user software are contained in real-time software components—RTSC—and the periodic time-triggered data transfer between the RTSC is specified by a time-triggered data flow diagram, and wherein the assignment of the RTSC to a TTVM of a node computer and specific parameters of the TTVM are contained in active local allocation plans for each RTSC, and wherein the time plans for the time-triggered communication in this distributor unit are contained in active local allocation plans for each distributor unit, and wherein a global allocation plan consists of the totality of
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: June 18, 2019
    Assignee: TTTech Auto AG
    Inventor: Hermann Kopetz