A vehicle control device includes a controller configured to control an actuator and generate state information representing a state of the actuator, a request arbitration unit configured to arbitrate requests from a plurality of application execution units, and a request generation unit configured to generate a drive request signal to the controller. The controller includes a detection unit configured to detect whether or not the request arbitration unit is abnormal, a first transmission unit configured to transmit the state information to the request arbitration unit, and a second transmission unit configured to, when the detection unit detects that the request arbitration unit is abnormal, transmit the state information to the application execution units such that the state information does not pass through the request arbitration unit.

A system and method for managing an update of an electronic control unit (ECU) of a vehicle are configured to provide an ECU update service to a vehicle to which an over the air (OTA) technology is not applied regardless of time. The system includes a first communication device that transmits a vehicle ECU update guide message to a user terminal, a second communication device that transmits an update file to the vehicle as the vehicle enters a short-range communication area, and a controller that manages updating of the ECU of the vehicle.

A substitution apparatus for installation in a vehicle in which a plurality of in-vehicle control apparatuses are implemented, the substitution apparatus including a control unit and a substitute unit. The control unit is configured to control the substitute unit based on transmission data transmitted from the in-vehicle control apparatuses, specify an abnormal in-vehicle control apparatus based on the transmission data, disable the specified abnormal in-vehicle control apparatus, and apply, to the substitute unit, a program for exhibiting functions otherwise normally executed by the specified abnormal in-vehicle control apparatus. The substitute unit is configured to substitute for the disabled in-vehicle control apparatus by executing the applied program.

The invention is part of the field of computer technology. It describes the architecture of a secure automation system and a method for safe autonomous operation of a technical apparatus, in particular a motor vehicle. The architecture disclosed herein solves the problem that any Byzantine error in one of the complex subsystems of a distributed real-time computer system, regardless of whether the error was triggered by a random hardware failure, a design error in the software or an intrusion, must be recognized and controlled in such a way that no security-relevant incident occurs. The architecture includes four largely independent subsystems which are arranged hierarchically and each form an isolated Fault-Containment Unit (FCU). At the top of the hierarchy is a secure subsystem, which executes simple software on fault-tolerant hardware. The other three subsystems are insecure because they contain complex software executed on non-fault-tolerant hardware.

A method for determining a part to be checked of a mechatronic system includes providing a graph database having at least one first sub-level with first nodes, a second sub-level with second nodes, a third sub-level with third nodes and a fourth sub-level with fourth nodes, wherein directly adjacent sub-levels are connected by directed edges. The method also includes determining at least one of the fourth nodes which is output as faulty during a check of the mechatronic system, and inverting the directed edges. The method further includes determining at least one first node to be checked of the first nodes which is representative of at least one of the group consisting of at least one component and at least one part of the mechatronic system, starting from the determined fourth node, depending on a range.

Methods and systems for creating and modifying fault models, as well as methods and systems for generating and deploying diagnostic tools based on a fault model. The fault model may be edited in a logical and highly configurable manner based on the needs and preferences of a domain expert or other operator. The diagnostic tool can then be generated based on the fault model, and provides and enhanced process flow for use in maintenance operations.

Examples described herein provide a method for testing a memory associated with a processing system of an aircraft. The method includes performing, during operation of the processing system, an operational built-in test on the memory. The method further includes, responsive to detecting an error in the memory during the operational built-in test, performing a focused memory test at a location in the memory of the error. The method further includes, responsive the error being confirmed by the focused memory test, causing the processing system to be taken offline.

A method and system for protecting an aircraft against an incoherent command instruction. The system has a generation unit generating a command instruction transmitted to an evaluation unit that evaluates whether or not the command instruction is incoherent and generates and transmits a validation order if the command instruction is coherent or an arbitration request if not, the arbitration request being transmitted by an arbitration unit, where applicable, to an operator who sends a confirmation response or a cancellation response. The arbitration unit generates and transmits a validation order to an execution unit in the event of receiving a confirmation response and a cancellation order in the event of receiving a cancellation response, the system allowing the execution unit to execute only the command instructions evaluated and confirmed as not being incoherent.

An abnormality determination system includes first data acquisition circuitry configured to acquire time-series data relating to an operation of a device, sample data creation circuitry configured to create sample data based on abnormality time-series data which the first data acquisition circuitry acquires while an abnormality occurs in the operation of the device, and first abnormality determination circuitry configured to determine the abnormality in the operation of the device based on the time-series data and the sample data.

This method for generating graphic surfaces to be displayed on a screen is implemented by a graphics processor and comprises: generating a first graphic surface to be displayed on the screen; switching between generating the first graphic surface and generating a second graphic surface; generating the second graphic surface to be displayed on the screen; the switching including saving a graphic execution context of the first graphic surface; and if the generation of the second graphic surface had been interrupted during a preceding switch with the generation of another graphic surface, restoring a graphic execution context of the second graphic surface, the restored context having been saved during said preceding switch.