Patents by Inventor Hermann Kopetz
Hermann Kopetz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

Interface System for Processing and Controlling the Data Flow Between a Cloud and a Technical System
Publication number: 20250227022
Abstract: The invention relates to an interface system, which is arranged between a technical system and the cloud and which prevents malware originating from the cloud or errors in the data delivered by the cloud from causing essential functions of the technical system to fail. The interface system comprises two fault containment units (FCUs), FCU_1 and FCU_2, and a restrictive data connection between these two FCUs. Using this restrictive data connection, a well-defined periodic data flow is realized between the two FCUs. The stringent restrictions in the data flow from FCU_2 to FCU_1 make it technically impossible for an intruder to transmit malware from FCU_2 to FCU_1 even if they have assumed complete control over FCU_2. This provides protection of the FCU_1 and, therefore, the technical system from attacks from the cloud.
Type: Application
Filed: December 30, 2024
Publication date: July 10, 2025
Inventor: Hermann Kopetz

Publication number: 20240361740
Abstract: The invention is located in the field of computer technology and relates to a subsystem, the decision system, of a distributed fault-tolerant computer architecture for fully autonomous control of a technical system. A possible architecture of such a distributed fault-tolerant control system was published by H. Kopetz in the Springer Lecture Notes on Computer Science (LNCS) Vol. 13660, Chapter 4, pp. 61-84 under the title An Architecture for Safe Driving Automation in December 2022 [Kop22]. This safe control system consists of four subsystems, each of which is an independent hardware/software system and where each of the four subsystems forms a fault-containment unit. The four independent subsystems of the described architecture are a Primary Control System, a Monitoring System (MS), a Fallback System and a Decision System. Provided that the functioning of the decision system is always fault-free, the control system presented by H.
Type: Application
Filed: March 21, 2024
Publication date: October 31, 2024
Inventor: Hermann Kopetz

Patent number: 11936767
Abstract: The invention relates to a real-time computer system for controlling a technical device, the real-time computer system comprising data acquisition components which are independent of each other, as well as non-secure data processing components for processing sensor data. A time server as well as a first communication system and a second communication system independent of it are provided, the time server periodically sending global time signals to the communication systems. Each data acquisition component has two communication controllers, one of which connects it via a communication line to the first communication system while the other connects it via a communication line to the second communication system, such that each data acquisition component can transmit its sensor data to each of the two communication systems.
Type: Grant
Filed: April 13, 2021
Date of Patent: March 19, 2024
Assignee: TTTech Auto AG
Inventors: Hermann Kopetz, Stefan Poledna

Patent number: 11687398
Abstract: The architecture includes four largely independent subsystems which are arranged hierarchically and each form an isolated Fault-Containment Unit (FCU). At the top of the hierarchy is a secure subsystem, the Fault-Tolerant Decision Subsystem, which executes simple software on fault-tolerant hardware. The other three subsystems are insecure because they contain complex software executed on non-fault-tolerant hardware. Experience has shown that it is difficult to find all design errors in a complex software system and to prevent an intrusion. The redundancy and diversity inherent in this architecture masks every error, even a Byzantine error, of an insecure subsystem in such a way that no safety-critical failure can occur.
Type: Grant
Filed: December 2, 2021
Date of Patent: June 27, 2023
Assignee: TTTech Auto AG
Inventor: Hermann Kopetz

Patent number: 11662764
Abstract: The invention is part of the field of computer technology. It describes the architecture of a secure automation system and a method for safe autonomous operation of a technical apparatus, in particular a motor vehicle. The architecture disclosed herein solves the problem that any Byzantine error in one of the complex subsystems of a distributed real-time computer system, regardless of whether the error was triggered by a random hardware failure, a design error in the software or an intrusion, must be recognized and controlled in such a way that no security-relevant incident occurs. The architecture includes four largely independent subsystems which are arranged hierarchically and each form an isolated Fault-Containment Unit (FCU). At the top of the hierarchy is a secure subsystem, which executes simple software on fault-tolerant hardware. The other three subsystems are insecure because they contain complex software executed on non-fault-tolerant hardware.
Type: Grant
Filed: December 2, 2021
Date of Patent: May 30, 2023
Assignee: TTTech Auto AG
Inventor: Hermann Kopetz

Patent number: 11579989
Abstract: The invention relates to a method for providing a fault-tolerant global time via a time server in a distributed real-time computer system, wherein the time server comprises four components which are connected to one another via a bi-directional communication channel. At a priori defined periodic, internal synchronization times, each of the four components transmits an internal synchronization message, which is simultaneously transmitted to the other three components, from which each internal computer of a component determines a correction term for the tick counter contained in its component and corrects the reading of the local tick counter by this correction term.
Type: Grant
Filed: February 22, 2021
Date of Patent: February 14, 2023
Assignee: TTTECH COMPUTERTECHNIK AG
Inventor: Hermann Kopetz

Patent number: 11489636
Abstract: The invention relates to a method for providing a fault-tolerant global time and for the fault-tolerant transport of time-controlled messages in a distributed real-time computer system which comprises external computers and a fault-tolerant message distribution unit, FTMDU. The FTMDU comprises at least four components which supply the global time to the external computers by means of periodic external synchronization messages, wherein the external computers each set their local clock to the received global time, wherein each external sender of a time-controlled message transmits two message copies of the message to be sent via two different communication channels to two different components of the FTMDU at periodic sending times defined a priori in timetables, wherein these two message copies are delivered within the FTMDU via two independent communication paths to those two components of the FTMDU which are connected to an external receiver of the message via communication channels.
Type: Grant
Filed: February 22, 2021
Date of Patent: November 1, 2022
Assignee: TTTECH COMPUTERTECHNIK AG
Inventor: Hermann Kopetz

Patent number: 11481012
Abstract: A distributed maintainable real-time computer system is provided, wherein the real-time computer system includes at least two central computers and one, two or a plurality of peripheral computers.
Type: Grant
Filed: May 29, 2020
Date of Patent: October 25, 2022
Assignee: TTTECH COMPUTERTECHNIK AG
Inventor: Hermann Kopetz

Publication number: 20220236762
Abstract: The invention is part of the field of computer technology. It describes the architecture of a secure automation system and a method for safe autonomous operation of a technical apparatus, in particular a motor vehicle. The architecture disclosed herein solves the problem that any Byzantine error in one of the complex subsystems of a distributed real-time computer system, regardless of whether the error was triggered by a random hardware failure, a design error in the software or an intrusion, must be recognized and controlled in such a way that no security-relevant incident occurs. The architecture includes four largely independent subsystems which are arranged hierarchically and each form an isolated Fault-Containment Unit (FCU). At the top of the hierarchy is a secure subsystem, which executes simple software on fault-tolerant hardware. The other three subsystems are insecure because they contain complex software executed on non-fault-tolerant hardware.
Type: Application
Filed: December 2, 2021
Publication date: July 28, 2022
Inventor: Hermann Kopetz

Publication number: 20220179725
Abstract: The architecture includes four largely independent subsystems which are arranged hierarchically and each form an isolated Fault-Containment Unit (FCU). At the top of the hierarchy is a secure subsystem, the Fault-Tolerant Decision Subsystem, which executes simple software on fault-tolerant hardware. The other three subsystems are insecure because they contain complex software executed on non-fault-tolerant hardware. Experience has shown that it is difficult to find all design errors in a complex software system and to prevent an intrusion. The redundancy and diversity inherent in this architecture masks every error, even a Byzantine error, of an insecure subsystem in such a way that no safety-critical failure can occur.
Type: Application
Filed: December 2, 2021
Publication date: June 9, 2022
Inventor: Hermann Kopetz

Publication number: 20210328730
Abstract: The invention relates to a method for providing a fault-tolerant global time and for the fault-tolerant transport of time-controlled messages in a distributed real-time computer system which comprises external computers and a fault-tolerant message distribution unit, FTMDU. The FTMDU comprises at least four components which supply the global time to the external computers by means of periodic external synchronization messages, wherein the external computers each set their local clock to the received global time, wherein each external sender of a time-controlled message transmits two message copies of the message to be sent via two different communication channels to two different components of the FTMDU at periodic sending times defined a priori in timetables, wherein these two message copies are delivered within the FTMDU via two independent communication paths to those two components of the FTMDU which are connected to an external receiver of the message via communication channels.
Type: Application
Filed: February 22, 2021
Publication date: October 21, 2021
Inventor: Hermann Kopetz

Publication number: 20210328759
Abstract: The invention relates to a method for providing a fault-tolerant global time via a time server in a distributed real-time computer system, wherein the time server comprises four components which are connected to one another via a bi-directional communication channel. At a priori defined periodic, internal synchronization times, each of the four components transmits an internal synchronization message, which is simultaneously transmitted to the other three components, from which each internal computer of a component determines a correction term for the tick counter contained in its component and corrects the reading of the local tick counter by this correction term.
Type: Application
Filed: February 22, 2021
Publication date: October 21, 2021
Inventor: Hermann Kopetz

Publication number: 20210328760
Abstract: The invention relates to a real-time computer system for controlling a technical device, the real-time computer system comprising data acquisition components which are independent of each other, as well as non-secure data processing components for processing sensor data. A time server as well as a first communication system and a second communication system independent of it are provided, the time server periodically sending global time signals to the communication systems. Each data acquisition component has two communication controllers, one of which connects it via a communication line to the first communication system while the other connects it via a communication line to the second communication system, such that each data acquisition component can transmit its sensor data to each of the two communication systems.
Type: Application
Filed: April 13, 2021
Publication date: October 21, 2021
Inventors: Hermann Kopetz, Stefan Poledna

Patent number: 11054825
Abstract: A method and a fault-tolerant computer architecture (FCTA) for fail-safe trajectory planning for a moving entity (MOV). The method and FCTA use a commander (COM), a monitor (MON), and a safe envelope generating stage (ENV). Based on sensor input, the commander (COM) and the monitor (MON) produce real-time images of objects (OBJ1, OBJ2) detected. A trajectory planning stage (TRJ-PLN) generates trajectories (COM-TRJ1, COM-TRJ2), and the safe envelope generating stage (ENV) generates a safety envelope. The commander (COM) provides the one or more trajectories (COM-TRJ1, COM-TRJ2) to the monitor (MON) and the decision subsystem (DECIDE). A trajectory verification stage (TRJ-VRFY) verifies a trajectory (COM-TRJ1, COM-TRJ2) generated by the commander (COM) only if said trajectory (COM-TRJ1, COM-TRJ2) is completely located inside said safety envelope. A moving entity (MOV) uses a trajectory (COM-TRJ1, COM-TRJ2) generated by the commander (COM) only when said trajectory is verified by the monitor (MON).
Type: Grant
Filed: June 25, 2018
Date of Patent: July 6, 2021
Assignee: TTTECH AUTO AG
Inventors: Wilfried Steiner, Hermann Kopetz, Mehmed Ayhan, Günther Bauer

Patent number: 10919524
Abstract: A fault-tolerant computer system (FTCS) for generating safe trajectories for a vehicle. The FTCS includes: a sensor part (SENSE), a primary part (PRIM), a secondary part (SEC), a tertiary part (TER), and a decide part (DECIDE). The PRIM and TER are configured to produce trajectories by interpreting information of the real world as perceived by the SENSE. The SEC is configured to produce a safe space estimate (FSE) by interpreting information of the real world as perceived by SENSE. The DECIDE and/or SEC are configured to execute correctness checks that take trajectories and FSE as inputs, and qualify a trajectory (TRJ) as safe when said TRJ is inside the FSE, and qualify a trajectory (UTRJ) as unsafe when said UTRJ is not inside the FSE.
Type: Grant
Filed: November 28, 2018
Date of Patent: February 16, 2021
Assignee: TTTECH AUTO AG
Inventors: Stefan Poledna, Eric Schmidt, Georg Niedrist, Stefan Traxler, Hermann Kopetz

Publication number: 20200393888
Abstract: A distributed maintainable real-time computer system is provided, wherein the real-time computer system includes at least two central computers and one, two or a plurality of peripheral computers.
Type: Application
Filed: May 29, 2020
Publication date: December 17, 2020
Inventor: Hermann Kopetz

Patent number: 10782700
Abstract: A method for operating a controlled object that is embedded in a changing environment. The controlled object and its environment are periodically observed using sensors. Independent data flow paths ("DFP") are executed based on the data recorded through the observation of the controlled object and its environment. A first DFP determines a model of the controlled object and the environment of the controlled object and carries out a trajectory planning in order to create possible trajectories that, under the given environmental conditions, correspond to a specified task assignment. A second DFP determines a model of the controlled object and of the environment of the controlled object and determines a safe space-time domain ("SRZD") in which all safe trajectories must be located. The results of the first and the second DFP are transmitted to a deciding instance to verify whether at least one of the trajectories is safe.
Type: Grant
Filed: March 14, 2018
Date of Patent: September 22, 2020
Assignee: TTTECH AUTO AG
Inventors: Hermann Kopetz, Stefan Poledna, Georg Niedrist, Eric Schmidt, Christopher Helpa

Patent number: 10705874
Abstract: A method for the determination of the optimal duration of a time slot for computational actions in a time-triggered controller. The controller includes a sensor subsystem, a computational subsystem, an actuator subsystem, and a time-triggered communication system. The time-triggered communication system is placed between the sensor subsystem, the computational subsystem, the actuator subsystem, and a monitor subsystem. An anytime algorithm is executed in the computational subsystem. A plurality of execution slot durations of the anytime algorithm is probed during the development phase, starting from the minimum execution slot duration and increasing the slot duration by the execution slot granularity until the maximum execution slot duration is reached. In each of the execution slot durations, a multitude of frames is executed in the destined application environment.
Type: Grant
Filed: September 27, 2018
Date of Patent: July 7, 2020
Assignee: TTTECH COMPUTERTECHNIK AG
Inventor: Hermann Kopetz

Patent number: 10684908
Abstract: The invention relates to a method for detecting faults that occur or are present in an operating system of a computer, wherein an audit task (106), in particular an independent one, is carried out at run time before a starting time (102, 112) of the requested application task (107); the audit task has read access to the contents of the control registers that define the properties of the run-time environment of the requested application task (107) and validates these contents. Furthermore, the invention relates to a computer on which such a method is carried out.
Type: Grant
Filed: April 12, 2018
Date of Patent: June 16, 2020
Assignee: TTTECH AUTO AG
Inventors: Stefan Poledna, Andreas Wolf, Hermann Kopetz, Martin Hoefler

Patent number: 10671382
Abstract: The invention relates to a device for integrating software components of a distributed real-time software system, said components being run on target hardware and on a development system, wherein the target hardware comprises computing nodes, and the development system comprises one or more computers. The device is designed as an expanded development system in which the computing nodes of the target hardware are connected to the computers of the development system via one or more time-controlled distributor units, wherein the expanded development system has a sparse global time of known precision, and wherein the computing nodes of the target hardware are connected to the computers of the development system via the one or more time-controlled distributor units such that the data content of a TT message template of a TT platform of the target hardware can be provided in a timely manner both by a simulation process of the development system and by an operative process of the target hardware.
Type: Grant
Filed: June 16, 2016
Date of Patent: June 2, 2020
Assignee: TTTECH AUTO AG
Inventors: Hermann Kopetz, Stefan Poledna