G06F11/1487

Method for performing failsafe calculations
10248514 · 2019-04-02

A method and device for performing failsafe computation, and a method of compiling code to perform a failsafe computation are provided. The method includes performing a first calculation (212) to generate a first result (214). A second calculation (218) is performed using a scalar (216) and the first calculation (212) to generate a second result (220). The second calculation (218) includes multiplying the first calculation (212) by the scalar (216) to generate a scaled result, and dividing the scaled result by the scalar (216) to generate the second result (220). The first result (214) and the second result (220) are compared to determine if they are equivalent.

Systems and methods for data synchronization and failover management

A Data Synchronization and Failover Management (DSFM) system monitors simultaneous execution of non-identical instances of a software application and may label as a particular result of the software application the earliest output corresponding to that result produced by one of the instances. The DSFM may label one of the instances as a primary instance and the other instances as secondary instances and, if the primary instance fails, may re-label one of the secondary instances that computed all of the operations associated with the last result produced prior to the failure of the primary instance, as a new primary instance.

METHOD OF USING A SINGLE CONTROLLER (ECU) FOR A FAULT-TOLERANT/FAIL-OPERATIONAL SELF-DRIVING SYSTEM

In a self-driving autonomous vehicle, a controller architecture includes multiple processors within the same box. Each processor monitors the others and takes appropriate safe action when needed. Some processors may run dormant or low priority redundant functions that become active when another processor is detected to have failed. The processors are independently powered and independently execute redundant algorithms from sensor data processing to actuation commands using different hardware capabilities (GPUs, processing cores, different input signals, etc.). Intentional hardware and software diversity improves fault tolerance. The resulting fault-tolerant/fail-operational system meets ISO26262 ASIL D specifications based on a single electronic controller unit platform that can be used for self-driving vehicles.

Method for manipulating a control program of a control device

A method for manipulating a first function of a control program of an electronic control device, using a second function. The control program is processed using a first calculation kernel of a processor, and the second function is processed by a second calculation kernel during the processing of the control program. The first function assigns a first value to a variable and writes the first value to the storage address of the variable at a first time. The second function assigns a second value to the variable, which value is written to the storage address of the variable at a second time, wherein the first value written by the first function is overwritten. At a third time, the control program reads the second value from the storage address of the variable. A control entity coordinates the times at which the storage address of the variable is accessed.

COMPUTER CONTROL SYSTEM SECURITY
20180307841 · 2018-10-25

A redundant and diverse secondary control system mirrors a primary control system but has some fundamental structural difference as compared to the primary control system, to prevent a security breach from spreading from the primary control system to the secondary control system. The secondary control system may operate on different hardware, running different software written in a different programming language from that of the primary control system, while performing the same function as the primary system. By hard-coding the algorithm that produces the actuation signals in hardware, software-based viruses and worms cannot interfere with the secondary control system's operation. A monitor device receives actuation signals from both the primary and secondary control systems, determines whether an error occurred, and provides correct actuation signals to the controlled system.

Methods and apparatus for dynamically selecting an instruction set

Methods and apparatus for dynamic instruction set selection for producing an output parameter based on one or more available input parameters are presented. In an example method, a device selects, from different candidate instruction sets that are each configured to produce the same output parameter, an instruction set whose required input parameters are all available at the device. In addition, in the example method, the device obtains the output parameter by executing the selected instruction set using the input parameters required by that instruction set. In some examples where more than one candidate instruction set could be selected based on the available input parameters, the device may select the highest-ranking instruction set for execution.

ERROR PROCEDURE FOR CONTROLLING AN AUTONOMOUS CONTROLLED OBJECT

The invention relates to a method for operating a controlled object that is embedded in a changing environment. The controlled object and its environment are periodically observed using sensors, and in each frame at least two independent data flow paths (DFPs) are executed based on the data recorded through the observation of the controlled object and its environment. A first DFP determines, from the recorded data and via complex software, a model of the controlled object and its environment and, on the basis of this model, carries out trajectory planning in order to create one or more possible trajectories that, under the given environmental conditions, correspond to a specified task assignment. A second DFP determines, from the recorded data and via a preferably diverse complex software program, a model of the controlled object and its environment and, on the basis of this model, determines a safe space-time domain (SRZD) within which all safe trajectories must be located. The results of the first and the second DFP are transmitted to a deciding instance, which is realized via simple software. The deciding instance verifies whether at least one of the trajectories determined by the first DFP is safe, meaning located within the SRZD determined by the second DFP. If they match, one of the safe trajectories determined by the first DFP is selected, and the deciding instance transmits the target values corresponding to the selected trajectory to an actuator control. If they do not match, it waits for the results of at least one following frame; if there is also no safe trajectory available in the following frame or the one after that, the deciding instance switches to an emergency trajectory.

FAULT ISOLATION AND IDENTIFICATION IN VERSIONED MICROSERVICES
20180225182 · 2018-08-09

A method for identifying and isolating faults in versioned microservices includes a request replicator receiving an original request and determining whether to replicate the original request. The request replicator replicates the original request, creating one or more replicated requests, including a first replicated request. In an example, the request replicator dispatches the original request to a stable production system and dispatches the first replicated request to a first modified production system. The stable production system produces a first reply to the original request. The first modified production system produces a second reply to the first replicated request. A fault detector performs a comparison of the second reply and the first reply and determines, based on the comparison, that the first modified production system has a verification status. Then, the stable production system is replaced with the first modified production system.

SOFTWARE HANDLING OF HARDWARE ERRORS

A system and method that detects hardware and software errors in an embedded system, which includes: detecting or measuring an operating state; causing one or more computation engines to operate in group synchrony; causing one or more active monitors, which monitor the computation engines to an automotive integrity level, to operate in group synchrony; synchronizing the communication between and from the plurality of computation engines and the plurality of active monitors, respectively; and arbitrating the output generated by the computation engines and the active monitors.

FAULT-TOLERANT METHOD AND DEVICE FOR CONTROLLING AN AUTONOMOUS TECHNICAL SYSTEM BASED ON A CONSOLIDATED MODEL OF THE ENVIRONMENT

An innovative method is provided by which a complex electronic system for controlling a safety-critical technical process, for example driving an autonomous vehicle, can be implemented. A distinction is made between simple and complex software, wherein the simple software is executed on error-tolerant hardware and wherein a plurality of diverse versions of the complex software are implemented simultaneously on independent fault containment units (FCU). A consolidated environmental model is developed from a number of different environmental models and represents the basis for trajectory planning.