Abstract: A method and system to generate safe control data to control and/or to supervise a local machine, wherein a local software application is executed on a safe hardware device and executes calculations based input data to generate said safe control data, wherein a software application is executed on a hardware external to the safe device and sends a request to the cloud application to execute one or more defined calculations and said specific input data, which is to be used by the at least one cloud application for the execution of the one or more defined calculations, wherein the control data is determined to be safe or unsafe, and wherein if the control data are not received timely they will not be used to control and/or supervise the local machine.

Abstract: A method for configuring a real-time computer system including resources for executing tasks, wherein at least one task is a real time task, wherein the resources include at least first and second processors and a communication subsystem interconnecting the processors and at least a first memory accessible by the first processor and at least a second memory accessible by the second processor, includes the steps: providing an estimate for an individual resource utilization of the tasks, providing for each resource a resource model; determining a configuration allocating each task to at least one of the resources according to a prediction at least based on the estimate for an individual resource utilization of the tasks and the resource model; measuring the real resource utilization of the tasks during execution, and refining of the prediction according to a result of the measuring and refining the configuration according to the refined prediction.

Abstract: The invention relates to a real-time computer system for controlling a technical device, the real-time computer system comprising data acquisition components which are independent of each other, as well as non-secure data processing components for processing sensor data. A time server as well as a first communication system and a second communication system independent of it are provided, the time server periodically sending global time signals to the communication systems. Each data acquisition component has two communication controllers, wherein each data acquisition component is connected by two communication controllers via a communication line to the first communication system, and is connected by another communication controller to the second communication system via a communication line, such that each data acquisition component can transmit its sensor data to each of the two communication systems.

Abstract: A method for integrating infrastructure software functions and automotive applications on an automotive electronic control unit (ECU) device. The ECU device includes a hardware architecture and a software architecture, wherein the hardware architecture includes two or more system-on-chips, at least two of which each comprise two or more processing cores and means to communicate with at least one other system-on-chip. The hardware architecture includes memory and means to communicate with other ECU devices. The software architecture includes one, two, or more virtual machine monitors, each of which executes one, two, or more virtual machines. At least two of said virtual machines each execute an operating system, which executes one, two, or more tasks, and the execution of two or more of the tasks uses the time-triggered paradigm. The tasks are tasks of automotive applications from at least two different automotive domains and are tasks of infrastructure software functions.

Abstract: A method and system to generate safe control data to control and/or to supervise a local machine, wherein a local software application is executed on a safe hardware device and executes calculations based input data to generate said safe control data, wherein a software application is executed on a hardware external to the safe device and sends a request to the cloud application to execute one or more defined calculations and said specific input data, which is to be used by the at least one cloud application for the execution of the one or more defined calculations, wherein the control data is determined to be safe or unsafe, and wherein if the control data are not received timely they will not be used to control and/or supervise the local machine.

Abstract: A method to generate configuration data to enable and/or to enhance real-time communication in a cyber-physical system or in a cyber-physical system of systems. The system includes components connected to each other by a communication infrastructure. The components each execute at least one application, which applications exchange information with at least one application being executed on another component. The components are configured to send and/or receive said information according to configuration data: The first configuration data for two or more of the components, on each of which at least one application is executed, is generated by execution of a publish-subscribe protocol, which is executed by two or more of the components, for which the first configuration data are provided.

Abstract: A method to maneuver a supervised vehicle based on an output of a software in development, wherein the software in development is part of an ASIL-classified function, and the software in development has not completed a software development process for ASIL classification of the ASIL-classified function. A safe device includes a safety monitor, wherein the safety monitor is implemented according to specific software development requirements, which are requirements for the ASIL classification of the ASIL-classified function. The safety monitor (i) monitors the output of the software in development, and (ii) classifies the output as either safe or unsafe, wherein the safe device executes a safety mechanism if the safety monitor classifies the output as unsafe, wherein the safety mechanism causes the supervised vehicle not to maneuver in accordance with the output, and if the safety monitor classifies the output as safe, the supervised vehicle is maneuvered based on the output.

Abstract: The invention relates to a real-time computer system for controlling a technical device, the real-time computer system comprising data acquisition components which are independent of each other, as well as non-secure data processing components for processing sensor data. A time server as well as a first communication system and a second communication system independent of it are provided, the time server periodically sending global time signals to the communication systems. Each data acquisition component has two communication controllers, wherein each data acquisition component is connected by two communication controllers via a communication line to the first communication system, and is connected by another communication controller to the second communication system via a communication line, such that each data acquisition component can transmit its sensor data to each of the two communication systems.

Abstract: A method to generate configuration data to enable and/or to enhance real-time communication in a cyber-physical system or in a cyber-physical system of systems. The system includes components connected to each other by a communication infrastructure. The components each execute at least one application, which applications exchange information with at least one application being executed on another component. The components are configured to send and/or receive said information according to configuration data: The first configuration data for two or more of the components, on each of which at least one application is executed, is generated by execution of a publish-subscribe protocol, which is executed by two or more of the components, for which the first configuration data are provided.

Abstract: A method to maneuver a supervised vehicle (SV) based on or using an output (SID-OUT) of a software in development (SID), wherein the software in development is part of an ASIL-classified function, and the software in development has not completed a software development process required or highly required for ASIL classification of said ASIL-classified function. A safe device (S-DEV) includes a safety monitor (MON), wherein the safety monitor is implemented according to specific software development requirements, which are requirements for the ASIL classification of the ASIL-classified function.

Abstract: A fault-tolerant computer system (FTCS) for generating safe trajectories for a vehicle. The FTCS includes: a sensor part (SENSE), a primary part (PRIM), a secondary part (SEC), a tertiary part (TER), and a decide part (DECIDE). The PRIM and TER are configured to produce trajectories by interpreting information of the real world as perceived by the SENSE. The SEC is configured to produce a safe space estimate (FSE) by interpreting information of the real world as perceived by SENSE. The DECIDE and/or SEC are configured to execute correctness checks that take trajectories and FSE as inputs, and qualify a trajectory (TRJ) as safe when said TRJ is inside the FSE, and qualify a trajectory (UTRJ) as unsafe when said UTRJ is not inside the FSE.

Abstract: A method to select one trajectory, the so-called Selected Trajectory (ST), out of a set of trajectories (T1-T3) to be used by an autonomous or semi-autonomous ground vehicle (GV), wherein the method includes the following steps: (i) assessing said set of trajectories (T1-T3) with one, two, or a multitude of verification modules (VM1-VM4) and returning Quality Assessments (Q11-Q43) for each of the trajectories (T1-T3); (ii) ranking said trajectories (T1-T3) with a Ranking Scheme (RS), wherein the Quality Assessments (Q11-Q43) are taken into account when ranking the trajectories (T1-T3), and (iii) selecting exactly one trajectory, the Selected Trajectory (TR), based on the rank of the trajectories (T1-T3).

Abstract: A method for operating a controlled object that is embedded in a changing environment. The controlled object and its environment are periodically observed using sensors. Independent data flow paths (“DFP”) are executed based on the data recorded through the observation of the controlled object and its environment. A first DFP determines a model of the controlled object and the environment of the controlled object and carries out a trajectory planning in order to create possible trajectories that, under the given environmental conditions, correspond to a specified task assignment. A second DFP determines a model of the controlled object and of the environment of the controlled object and determines a safe space-time domain (“SRZD”) in which all safe trajectories must be located. The results of the first and the second DFP are transmitted to a deciding instance to verify whether at least one of the trajectories is safe.

Abstract: The invention relates to a method for detecting faults that occur or are present in an operating system of a computer, wherein an in particular independent audit task (106) is carried out during the run time before a starting time (102, 112) of the requested application task (107), wherein the control registers define the properties of the run time environment of the requested application task (107) and have reading access to the contents and validate these contents. Furthermore, the invention relates to a computer, on which such a method is carried out.

Abstract: The invention relates to a device for integrating software components of a distributed real-time software system, said components being run on target hardware and on a development system, wherein the target hardware comprises computing nodes, and the development system comprises one or more computers. The device is designed as an expanded development system in which the computing nodes of the target hardware are connected to the computers of the development system via one or more time-controlled distributor units, wherein the expanded development system has a sparse global time of known precision, and wherein the computing nodes of the target hardware are connected to the computers of the development system via the one or more time-controlled distributor units such that the data content of a TT message template of a TT platform of the target hardware can be provided both by a simulation process of the development system as well as by an operative process of the target hardware in a timely manner.

Abstract: The invention relates to a method for debugging software components of a distributed real-time software system, wherein the target hardware comprises computer nodes and the development system comprises one or more computers.

Abstract: A method is provided by which a complex electronic system for controlling a safety-critical technical process, for example driving an autonomous vehicle, can be implemented. A distinction is made between simple and complex software, wherein the simple software is executed on error-tolerant hardware and wherein a plurality of diverse versions of the complex software are implemented simultaneously on independent fault containment units (FCU). A consolidated environmental model is developed from a number of different environmental models and represents the basis for trajectory planning.

Abstract: The invention relates to a method, in particular a time controlled error-tolerant method, for periodically transporting real-time data in a computer system, in particular in a distributed computer system, said computer system comprising node computers (111-116), in particular a plurality of node computers (111-116), and distributor units (131, 132, 133, 151), in particular a plurality of distributor units (131, 132, 133, 151). The node computers and the distributor units have access to a global time, and real-time data is transported by means of messages, preferably by means of time-controlled real-time messages. The topology of the computer system corresponds to an intree, and node computers (111-116), are arranged on the leaves of the intree.

Abstract: A method for integrating infrastructure software functions and automotive applications on an automotive electronic control unit (ECU) device. The ECU device includes a hardware architecture and a software architecture, wherein the hardware architecture includes two or more system-on-chips, at least two of which each comprise two or more processing cores and means to communicate with at least one other system-on-chip. The hardware architecture includes memory and means to communicate with other ECU devices. The software architecture includes one, two, or more virtual machine monitors, each of which executes one, two, or more virtual machines. At least two of said virtual machines each execute an operating system, which executes one, two, or more tasks, and the execution of two or more of the tasks uses the time-triggered paradigm. The tasks are tasks of automotive applications from at least two different automotive domains and are tasks of infrastructure software functions.

Abstract: The invention relates to a method for operating a controlled object, that is embedded in a changing environment, wherein the controlled object and its environment are periodically observed using sensors, and, in each frame, at least three independent data flow paths (DFPs) are executed based on the data recorded through the observation of the controlled object and its environment.