G06F11/1487

VERIFICATION APPARATUS
20230050149 · 2023-02-16

The present disclosure relates to a verification apparatus for a vehicle-mounted control apparatus having a first program processing unit that executes a current program based on an output of a sensor unit and outputs a processing result to an actuator unit. Because the verification apparatus has a second program processing unit that executes the current program and outputs a processing result, a third program processing unit that shares the output of the sensor unit with the second program processing unit and that executes a new program and outputs a processing result, and a comparison determination unit that compares the respective outputs, it becomes possible to perform a regression test effective for the new program at low cost, without affecting operation of the vehicle-mounted control apparatus.

LOCKSTEP PROCESSOR RECOVERY FOR VEHICLE APPLICATIONS
20230092343 · 2023-03-23

A fault tolerant processing environment wherein multiple processors are configured as worker nodes and redundant nodes, with a failed worker node replaced programmatically by a manager node. Each of the processing nodes may include a processor and memory associated with the processor and communicate with other processing nodes using a network. A manager node creates a message passing interface (MPI) communication group having worker nodes and redundant nodes, instructs the worker nodes to perform lockstep processing of tasks for an application, and monitors execution of the tasks. If a node fails, the manager node creates a replacement worker node from one of the redundant processing nodes and creates a new communications group. It then instructs those nodes in the new communications group to resume processing based on the application state and checkpoint backup data.

Method of using a single controller (ECU) for a fault-tolerant/fail-operational self-driving system

In a self-driving autonomous vehicle, a controller architecture includes multiple processors within the same box. Each processor monitors the others and takes appropriate safe action when needed. Some processors may run dormant or low priority redundant functions that become active when another processor is detected to have failed. The processors are independently powered and independently execute redundant algorithms from sensor data processing to actuation commands using different hardware capabilities (GPUs, processing cores, different input signals, etc.). Intentional hardware and software diversity improves fault tolerance. The resulting fault-tolerant/fail-operational system meets ISO26262 ASIL-D specifications based on a single electronic controller unit platform that can be used for self-driving vehicles.

Methods and Apparatus for Dynamically Selecting an Instruction Set
20170364457 · 2017-12-21

Methods and apparatus for dynamic instruction set selection for producing an output parameter based on one or more available input parameters are presented. In an example method, a device selects, from different candidate instruction sets that are each configured to produce a same output parameter, an instruction set that requires one or more input parameters that are each available at the device. In addition, in the example method, the device obtains the output parameter by executing the selected instruction set using the input parameters required by that instruction set. In some examples where more than one candidate instruction set could be selected based on the available input parameters, the device may select the highest-ranking instruction set for execution.

ERROR DETECTION AND CORRECTION DEVICE AND METHOD THEREOF

An error detection and correction device and a method thereof are provided. The method for error detection and correction includes the following steps: converting an operation program into a two's complement inverse operation program; converting the variables of the operation program into two's complement variables; executing the operation program to obtain a first operation result according to the variables; executing the operation program to obtain a second operation result according to the two's complement variables; calculating the checksum result corresponding to the variables, and calculating the checksum result corresponding to the two's complement variables; performing at least one of comparing the first operation result with the second operation result, comparing the checksum result corresponding to the variables, and comparing the checksum result corresponding to the two's complement variables; and outputting the first operation result, the second operation result or an error message according to the above comparison results.

Head worn display integrity monitor system and methods

A head worn display system (e.g., a helmet mounted (HMD) display system and an eye wear mounted display system) can include a combiner, a head position sensor and a computer. The computer provides symbology in response to first sensor input values associated with the head position. The symbology can be conformal with a real world scene. A monitoring system includes a redundant head position sensor for providing second sensor input values associated with head position. The computer monitors for positional accuracy of the symbology by comparing symbology calculated using the first and second input sensor values or by using an inverse function to compare sensor values.

Control System Method for Controlling an Apparatus or Installation
20230259095 · 2023-08-17

A control system for controlling an apparatus or installation, wherein at least one first safety function controls the apparatus or installation, where the control system includes a first safety-oriented control device that is configured to perform the at least one first safety function, where the first safety-oriented control device is also configured as a first safety-oriented control application that is implemented in a cloud, and where the first safety-oriented control application and the apparatus or installation are communicatively coupled via a first safety-oriented communication connection.

Method of using a single controller (ECU) for a fault-tolerant/fail-operational self-driving system

In a self-driving autonomous vehicle, a controller architecture includes multiple processors within the same box. Each processor monitors the others and takes appropriate safe action when needed. Some processors may run dormant or low priority redundant functions that become active when another processor is detected to have failed. The processors are independently powered and independently execute redundant algorithms from sensor data processing to actuation commands using different hardware capabilities (GPUs, processing cores, different input signals, etc.). Intentional hardware and software diversity improves fault tolerance. The resulting fault-tolerant/fail-operational system meets ISO26262 ASIL D specifications based on a single electronic controller unit platform that can be used for self-driving vehicles.

Computer system integrity through a combination of certifiable and qualifiable software
11775633 · 2023-10-03

A method of improving integrity of a computer system includes executing certifiable and qualifiable software applications. The certifiable software application is composed of static program instructions executed sequentially to process input data to produce an output, and the qualifiable software application uses a model iteratively built using a machine learning algorithm to process the input data to produce a corresponding output. The certifiable software application is certifiable for the computer system according to a certification standard, and the qualifiable software application is non-certifiable for the computer system according to the certification standard. The method also includes cross-checking the output by comparison with the corresponding output to verify the output, and thereby improve integrity of the computer system. The method further includes generating an alert that the output is unverified when the comparison indicates that the output differs from the corresponding output by more than a threshold.

METHOD OF USING A SINGLE CONTROLLER (ECU) FOR A FAULT-TOLERANT/FAIL-OPERATIONAL SELF-DRIVING SYSTEM

In a self-driving autonomous vehicle, a controller architecture includes multiple processors within the same box. Each processor monitors the others and takes appropriate safe action when needed. Some processors may run dormant or low priority redundant functions that become active when another processor is detected to have failed. The processors are independently powered and independently execute redundant algorithms from sensor data processing to actuation commands using different hardware capabilities (GPUs, processing cores, different input signals, etc.). Intentional hardware and software diversity improves fault tolerance. The resulting fault-tolerant/fail-operational system meets ISO26262 ASIL-D specifications based on a single electronic controller unit platform that can be used for self-driving vehicles.