Abstract: The invention relates to a method for periodic transmission of real time data in a computer system, particularly a distributed computer system, which computer system is comprised of node computers (201-208), particularly an appreciable number of node computers (201-208), and distributor units (211-215), particularly an appreciable number of distributor units (211-215), wherein the node computers (201-208) and the distributor units (211-215) have access to a global time, and wherein real time data are transmitted by means of time-triggered real time messages, wherein selected distributor units (212, 213, 214, 215) form a central structure of distributor units; and wherein during a periodic communication round (PCR), in the error-free case, at least two copies of each real time message to be sent are transmitted via at least two independent routes through the central structure, by executing a satisfying or an optimal time plan, from a start distributor unit in the central structure to a target distributor unit

Abstract: The invention relates to a method for forcing fail-silent behavior of a periodically functioning, distributed real-time computer system, which real-time computer system comprises at least two redundant NSCFCUs. At the beginning of a frame, the at least two redundant NSCFCUs (110, 111) are supplied with the same input data, wherein each of the redundant NSCFCUs calculates a result, preferably by means of a deterministic algorithm, particularly from the input data, and wherein this result is packed into a CSDP with an end-to-end signature, and wherein the CSDPs of the NSCFCUs (110, 111) are transmitted to an SCFCU (130), and wherein the SCFCU (130) checks whether the bit patterns of the received CSDPs are identical, and, if disparity of the bit patterns is found, prevents further transmission of the CSDPs, particularly those CSDPs in which disparity was found. Furthermore, the invention relates to a periodically functioning, distributed real-time computer system.

Abstract: An innovative method is provided by which a complex electronic system for controlling a safety-critical technical process, for example driving an autonomous vehicle, can be implemented. A decision is made between simple and complex software, wherein the simple software is implemented on error-tolerant hardware and wherein a plurality of different versions of the complex software are simultaneously implemented in independent fault containment units (FCU) and wherein a result that is to be transmitted to the actuators is selected by a decider from the results of the complex software that is implemented using the simple software.

Abstract: The invention relates to a time-controlled distribution unit (30, 31) for the distribution of messages in a distributed computer system for safety-critical applications. Said distribution unit is designed as a self-testing functional unit and comprises input channels (201 . . . 222) for receiving time-controlled periodic input messages from node computers (20, 21, 22) upstream in the data flow, and output channels (301 . . . 333) for transmitting time-controlled periodic output messages to the node computers (50, 51, 52) downstream in the data flow, a computer (40) being provided in the distribution unit and being designed to analyze, by means of a “simple” software, useful information contained in the input messages, and to decide whether output messages are output and, if so, which useful information is contained in the output messages.

Abstract: A fault-tolerant computer system (FTCS) for generating safe trajectories for a vehicle. The FTCS includes: a sensor part (SENSE), a primary part (PRIM), a secondary part (SEC), a tertiary part (TER), and a decide part (DECIDE). The PRIM and TER are configured to produce trajectories by interpreting information of the real world as perceived by the SENSE. The SEC is configured to produce a safe space estimate (FSE) by interpreting information of the real world as perceived by SENSE. The DECIDE and/or SEC are configured to execute correctness checks that take trajectories and FSE as inputs, and qualify a trajectory (TRJ) as safe when said TRJ is inside the FSE, and qualify a trajectory (UTRJ) as unsafe when said UTRJ is not inside the FSE.

Abstract: The invention relates to a method for the periodic transport of real-time data in a distributed computer system, which computer system comprises node machines (100, 101, 102, 103), in particular a plurality of node machines (100, 101, 102, 103), and distributor units (121, 122), in particular a plurality of distributor units (121, 122), wherein the node machines (100, 101, 102, 103) and the distributor units (121, 122) have access to a global time, and wherein real-time data is transported by means of time-triggered real-time messages.

Abstract: The invention relates to a method for processing real-time data in a distribution unit of a distributed computer system, the computer system comprising a plurality of node computers and distribution units, the distribution unit containing, in addition to a switching engine (SE) and a switching memory (SM), one or more application computers each with one or more application central processing units and each with one or more application memories (AM), wherein the switching engine of the distribution unit, when it receives, at one of its ports, a message intended for an application computer, forwards this message to the addressed application computer through a direct memory access (DMA) unit that is arranged between the switching memory and the application memory of the addressed application computer and that is under the control of the switching engine. The invention also relates to an expanded distribution unit and a computer system with such expanded distribution units.

Abstract: The invention relates to a method for shortening the response time in a node computer (120) of a distributed time-controlled real-time computer system. An operating system task (205) of the node computer (120) computes the contents of control registers of the node computer (120), which characterize the properties of a runtime environment of the application task (207) in the node computer (120), prior to a start time (213), known a priori, of an application task (207) of the node computer (120), and writes these contents into the control registers of the node computer (120).

Abstract: The invention relates to a method for detecting faults that occur or are present in an operating system of a computer, wherein an in particular independent audit task (106) is carried out during the run time before a starting time (102, 112) of the requested application task (107), wherein the control registers define the properties of the run time environment of the requested application task (107) and have reading access to the contents and validate these contents. Furthermore, the invention relates to a computer, on which such a method is carried out.

Abstract: The invention relates to a method, in particular a time controlled error-tolerant method, for periodically transporting real-time data in a computer system, in particular in a distributed computer system, said computer system comprising node computers (111-116), in particular a plurality of node computers (111-116), and distributor units (131, 132, 133, 151), in particular a plurality of distributor units (131, 132, 133, 151). The node computers and the distributor units have access to a global time, and real-time data is transported by means of messages, preferably by means of time-controlled real-time messages. The topology of the computer system corresponds to an intree, and node computers (111-116), are arranged on the leaves of the intree.

Abstract: A fault-tolerant high-performance computer system is provided for executing control processes for autonomous maneuvering of a vehicle.

Abstract: The invention relates to a method for operating a controlled object that is embedded in a changing environment, wherein the controlled object and its environment are periodically observed using sensors and in each frame at least two independent data flow paths, DFPs, are executed based on the data recorded through the observation of the controlled object and its environment, and wherein a first DFP determines from the data recorded by the observation of the controlled object and its environment via complex software a model of the controlled object and the environment of the controlled object and, on the basis of this model, carries out a trajectory planning in order to create one or more possible trajectories that, under the given environmental conditions, correspond to a specified task assignment, and wherein a second DFP determines from the data recorded by the observation of the controlled object and its environment via a, preferably diversitary, complex software program a model of the controlled object an

Abstract: The invention relates to a method for operating a controlled object, that is embedded in a changing environment, wherein the controlled object and its environment are periodically observed using sensors, and, in each frame, at least three independent data flow paths (DFPs) are executed based on the data recorded through the observation of the controlled object and its environment.

Abstract: The invention relates to a method for debugging software components of a distributed real-time software system, wherein the target hardware comprises computer nodes and the development system comprises one or more computers.

Abstract: A method for executing a comprehensive real-time computer application including an application software including a description of functions on a distributed real-time computer system including sensors, actuators, computing nodes, and distributor units having access to a global time. The application software including a number of real-time software components (RTSWCs). When executed, the RTSWCs exchange information by time-triggered messages. Each RTSWC is allocated a time-triggered virtual machine TTVM, wherein, during a service interval SI, an operating system running on a computing node provides a TTVM realized on the computing node with protected access to the network resources and memory resources of the computing node assigned to the TTVM, and wherein, during the SI, a defined computing power for processing the RTSWCs running in the TTVM is allocated to the TTVM by the operating system of the computing node such that the RTSWCs provide a result before the end of the SI.

Abstract: The invention relates to a device for integrating software components of a distributed real-time software system, said components being run on target hardware and on a development system, wherein the target hardware comprises computing nodes, and the development system comprises one or more computers. The device is designed as an expanded development system in which the computing nodes of the target hardware are connected to the computers of the development system via one or more time-controlled distributor units, wherein the expanded development system has a sparse global time of known precision, and wherein the computing nodes of the target hardware are connected to the computers of the development system via the one or more time-controlled distributor units such that the data content of a TT message template of a TT platform of the target hardware can be provided both by a simulation process of the development system as well as by an operative process of the target hardware in a timely manner.

Abstract: An innovative method is provided by which a complex electronic system for controlling a safety-critical technical process, for example driving an autonomous vehicle, can be implemented. A distinction is made between simple and complex software, wherein the simple software is executed on error-tolerant hardware and wherein a plurality of diverse versions of the complex software are implemented simultaneously on independent fault containment units (FCU). A consolidated environmental model is developed from a number of different environmental models and represents the basis for trajectory planning.

Abstract: An innovative method is provided by which a complex electronic system for controlling a safety-critical technical process, for example driving an autonomous vehicle, can be implemented. A decision is made between simple and complex software, wherein the simple software is implemented on error-tolerant hardware and wherein a plurality of different versions of the complex software are simultaneously implemented in independent fault containment units (FCU) and wherein a result that is to be transmitted to the actuators is selected by a decider from the results of the complex software that is implemented using the simple software.

Abstract: The invention relates to monitoring the area in front of a vehicle by means of an apparatus that comprises at least two imaging devices (110, 120). Provided are a first imaging device (110), which covers a first imaging angle, and a second imaging device (120), which covers a second, greater imaging angle. The first imaging device (110) covers a first zone (111) of the area in front of the vehicle, while at the same time, the second imaging device (120) covers a second zone (121) of the area in front of the vehicle. The two imaging devices (110, 120) are positioned spaced, in particular spaced laterally, from one another such that a central area (140) is covered by both the first and the second imaging devices (110, 120). By fusing the data acquired by the imaging devices (110, 120), a stereo image of the central area is generated, while monoscopic images are generated of those zones that are each covered by only a first or a second imaging device.

Abstract: The invention relates to a method for handling faults in a central control device, wherein the control device comprises a distributed computer system (100), to which distributed computer system (100) sensors (112, 113, 122, 123) are connected or can be connected, wherein the distributed computer system (100), particularly all the components of the computer system, is distributed to a first fault containment unit FCU1 (101) and a second fault containment unit FCU2 (102), wherein FCU1 (101) and FCU2 (102) are each supplied with power via a separate, independent power supply, and wherein FCU1 (101) and FCU2 (102) interchange data solely via galvanically separated lines, and wherein some of the sensors are connected at least to FCU1 (101) and the remainder of the sensors are connected at least to FCU2 (102), and wherein FCU1 (101) and FCU2 (102) are connected to a redundantly designed communication system (131, 132) having one or more actuators, so that, if FCU1 fails, FCU2 will maintain a limited functionality u