The invention relates to a method, in particular a time-controlled error-tolerant method, for periodically transporting real-time data in a computer system, in particular in a distributed computer system, said computer system comprising node computers (111 - 116), in particular a plurality of node computers (111 - 116), and distributor units (131, 132, 133, 151), in particular a plurality of distributor units (131, 132, 133, 151). The node computers and the distributor units have access to a global time, and real-time data is transported by means of messages, preferably by means of time-controlled real-time messages. The topology of the computer system corresponds to an intree, and node computers (111 - 116) are arranged on the leaves of the intree. One or more sensors (101 - 106) are assigned to each node computer (111 - 116), and the node computers (111 - 116) arranged on the leaves of the intree transmit sensor data in the payload of messages in the direction of a control center (100) located at the root of the intree at points in time, preferably at synchronized points in time.
The payload of one or more incoming messages in a distributor unit is transported out of the distributor unit with an outgoing message, and an individual time plan is generated a priori for each distributor unit, wherein the time plan contains a periodically repeating starting time (391) for transmitting a message (390) going out of the respective distributor unit, said starting time being calculated a priori from
- the a priori known (for example a priori specified) time of arrival of a controlling payload to be transported, in particular a time-critical payload, of one of the incoming messages,
- minus the a priori known lead-time interval ([391, 393]) of the outgoing message (390),
- plus at least one time interval ([393, 393]) required to copy a data element of the controlling payload, in particular the time-critical payload of the incoming message (320), into a data element of the payload of the outgoing message (390);
and the payloads of the incoming messages are copied into the payload of the outgoing message by carrying out the a priori generated time plan.
The invention relates to a method for debugging software components of a distributed real-time software system, wherein the target hardware comprises computer nodes and the development system comprises one or more computers. According to the invention, an enhanced development system is formed, in which enhanced development system the computer nodes of the target hardware are connected to the computers of the development system via one or more time-controlled distributor units, wherein the enhanced development system has a sparse global time of known precision, wherein the computer nodes of the target hardware exchange messages with the computers of the development system via one or more distributor units, and wherein, in a frame, a software component on the target hardware and, temporally parallel thereto, a software component in the development system are supplied with the same input data and executed, wherein the activation signals are triggered at the start of the two executions of the software component in the same sparse tick of the global time, and wherein the software component executed in the development system is enhanced in such a way that, during its execution, selected intermediate results are written to an external data memory.
The invention relates to a device for integrating software components of a distributed real-time software system, said components being run on target hardware and on a development system. The target hardware comprises computing nodes, and the development system comprises one or more computers. The device is designed as an expanded development system in which the computing nodes of the target hardware are connected to the computers of the development system via one or more time-controlled distributor units. The expanded development system has a sparse global time of known precision, and the computing nodes of the target hardware are connected to the computers of the development system via the one or more time-controlled distributor units such that the data content of a TT message template of a TT platform of the target hardware can be provided in a timely manner both by a simulation process of the development system and by an operative process of the target hardware.
The invention relates to a method for synchronizing the clocks of the node computers of a distributed real-time system with an external time reference, such as GPS time, requiring minimal energy expenditure, and for structuring a sparse time-base. By considering the influence of changing physical environmental parameters on the period of oscillation of local oscillators, the holdover interval, according to which an external synchronization must occur, can be dynamically determined and the frequency of the energy-intensive external synchronization processes can be significantly reduced.
A method to improve the quality of service in a computer network consisting of nodes and starcouplers and/or access points and wireless and/or wired connections, by changing a current configuration (CUR_CONF) of the computer network to a new configuration (NEW_CONF) of the computer network, whereby
- the computer network in the current configuration (CUR_CONF) communicates one message or a multitude of messages (1101a, 1101b, 1101c, 1102a, 1102b) and
- a monitor (M) observes at least some traffic pattern (TP) that the message or multitude of messages (1101a, 1101b, 1101c, 1102a, 1102b) generate and
- an extractor (E) analyzes the traffic pattern (TP) of the message or multitude of messages (1101a, 1101b, 1101c, 1102a, 1102b) and
- the extractor (E) following said analysis generates one or many traffic parameters (T_PAR) for the message or multitude of messages (1101a, 1101b, 1101c, 1102a, 1102b) and
- an optimizer (O) uses the traffic parameters (T_PAR) to generate the new configuration (NEW_CONF) and/or to generate recommendations (RECOM) for a new configuration (NEW_CONF).
Method for monitoring a computer vision system (CVS), said computer vision system (CVS) being part of a vehicle control system (VCS) of a vehicle (1000) that is used to maneuver said vehicle (1000) in 3D-space (3000), said computer vision system (CVS) being configured to monitor a surrounding area of the vehicle in real time, and a computer vision monitor (CVM) monitoring the behavior of the computer vision system (CVS), comprising the steps of
a.) providing the computer vision monitor (CVM) with information concerning a position (LM_POS) of at least one landmark (2000) in the 3D-space (3000), wherein said information is provided by a source, said source being independent of the computer vision system (CVS),
b.) providing the computer vision monitor (CVM) with information concerning a current position (CUR_POS) of the vehicle (1000),
c.) selecting, based on steps a.) and b.), at least one landmark which falls within the range of vision of the computer vision system (CVS),
d.) classifying the computer vision system (CVS) as being faulty when the computer vision system (CVS) fails to detect a configurable number of selected landmarks (2000).
The invention relates to a time-controlled distribution unit (30, 31) for the distribution of messages in a distributed computer system for safety-critical applications. Said distribution unit is designed as a self-testing functional unit and comprises input channels (201 … 222) for receiving time-controlled periodic input messages from node computers (20, 21, 22) upstream in the data flow, and output channels (301 … 313) for transmitting time-controlled periodic output messages to the node computers (50, 51, 52) downstream in the data flow, a comparator (40) being provided in the distribution unit and being designed to analyze, by means of a "simple" software, useful information contained in the input messages, and to decide whether output messages are output and, if so, which useful information is contained in the output messages.
An information exchange between at least two processes (FEED_PROC-1, FEED_PROC-2, CONSUME_PROC-1) communicating with each other using at least one queue (QUEUE-001) uses a placement plan for determining the order in which messages are placed into the queue. The information feeding processes (FEED_PROC-1, FEED_PROC-2) place pieces of information (MESG-001, MESG-002) into the queue (QUEUE-001), from where an information consuming process (CONSUME_PROC-1) sequentially consumes the pieces of information. The placement plan describes, for at least one possible value of identifying information contained in each of the pieces of information, a respective position (POS-001, POS-002) in the queue (QUEUE-001), such that the pieces of information (MESG-001, MESG-002) or respective references thereto are placed into the queue according to positions in the queue (QUEUE-001) corresponding to the respective values of the identifying information in the pieces of information.
The invention relates to a computer system for carrying out safety-critical applications, said computer system comprising a plurality of node computers and a communications system. Sensor data are supplied in parallel to one or more node computers, the node computers calculating an optimized result, preferably using an optimization algorithm, in order to solve a given problem, and transmitting said optimized result, preferably for checking the safety, to a node computer which is designed as an SCFCU, said SCFCU being directly connected to the actuator controller, and the SCFCU furthermore calculating from the sensor data a simple result, which preferably meets all safety requirements, and an envelope of the simple result, and the SCFCU checking whether the resulting values, particularly those relevant to safety, of the optimized result lie within the envelope of the simple result, and, if this is the case, directly forwarding the optimized result to the actuator controller, and, if this is not the case, forwarding the simple result calculated by the SCFCU directly to the actuator controller.
The invention relates to a fault-tolerant, serviceable automation system comprising two central computers, a process peripheral area and gateway computers, wherein the central computers and the gateway computers are fail-silent FCUs and represent autonomous exchange units, and the central computers and the gateway computers exchange time-controlled state messages via communication channels, and wherein each gateway computer sets up the connection to the process peripheral area associated with the gateway computer and stores the current state of the process peripheral area associated with the gateway computer, and wherein one central computer takes on the role of an active central computer and another central computer takes on the role of a passive central computer, and wherein the active central computer exercises control over the gateway computers, and wherein the active central computer, preferably periodically, sends a sign-of-life message to the passive central computer, and wherein the passive central computer acknowledges the arrival of a sign-of-life message from the active central computer in a periodic sign-of-life message and monitors it using a timeout, and wherein the passive central computer, given absence of these sign-of-life messages after the timeout, performs the role of the active central computer, and wherein the failed, previously active central computer autonomously attempts a restart and, following a successful restart, observes the message traffic within a cluster, which cluster comprises the central computers and the gateway computers, in order to learn the current state of the cluster, and wherein it performs the role of the passive central computer and communicates to the now active central computer, by means of, preferably periodic, sign-of-life messages, that it is performing the role of the passive central computer, and wherein, if the restart is not successful, the failed central computer indicates the permanent error by means of a display means.
The invention relates to a method for the deterministic wireless transfer of time-controlled real-time messages in a distributed real-time system comprising a plurality of node computers and one or more base stations arranged in an arena, wherein all node computers and base stations have a global time, wherein one or more real-time message sequences are periodically transferred in the arena, wherein a real-time message sequence consists of a time-controlled header message with variable length and a sequence of one or more time-controlled real-time messages with a priori known length, and wherein, at an a priori determined transmission time, the software of a T-node issues to a communication controller thereof the command for the header message to be sent, and wherein the communication controller of the T-node begins to send the header message as soon as no activity is determined in the arena during an IFS, and wherein transmission of the header message aborts at an a priori determined time-controlled abort time of the T-nodes, and wherein in a command interval before the abort time of the header message, the software of the computer node that has to send the first real-time message of the real-time message sequence issues, to the communication controller thereof, the command for the first real-time message of the real-time message sequence to be sent, and wherein, in the command interval before the first real-time message is terminated, the software of the computer node that has to send the following real-time message of the real-time message sequence issues, to the communication controller thereof, the command for the following real-time message to be sent, and wherein the procedure is repeated until all the real-time messages of a real-time message sequence are sent.
The invention relates to a method for flexibly controlling data flows in a distributed computer system which comprises a plurality of node computers and a plurality of connectors, at least one portion and preferably all of the connectors being time-triggered connectors (TTK), all node computers and all time-triggered connectors (TTK) having access to a global time, the clock synchronisation of said time-triggered connectors (TTK) being assisted or implemented by hardware mechanisms, particularly by hardware mechanisms of said time-triggered connectors (TTK), and the clock synchronisation of the time-triggered connectors (TTK) being more accurate than 1 μsec, all TT data flows (TTDF) that are to be flexibly controlled, whether incoming or outgoing from a node computer, being transported on one or more physical channels between one or more ports of said node computer and one or more ports of one or more time-triggered connectors (TTK), and each time-triggered connector (TTK) determining, on the basis of a parameter list it has received a priori, how long a message of a TTDF (DF message) is to be temporarily stored in the time-triggered connector (TTK) and at which, particularly future, point in time and at which port of said time-triggered connector (TTK) this temporarily-stored DF message is to be issued. The invention also relates to a computer system for carrying out such a method.
The invention relates to a method for the wireless fault-tolerant synchronization of clocks of node computers in a distributed real-time system, which distributed real-time system comprises a number of arenas, wherein a multiplicity of node computers communicate with base stations in each arena using time-controlled wireless data messages, wherein one or more base stations are arranged in each arena, and wherein at least one Global Navigation System Signal Generator (GNSSG) is present in each arena, wherein all GNSSGs communicate with one another via a wired time-controlled communication system (ZKS) using time-controlled messages, and wherein each GNSSG transmits at least one GNS message exactly at the beginning of each full and half minute of the global ZKS time provided by the time-controlled communication system, and wherein a node computer disciplines the oscillator of the clock thereof using at least one received GNS message and therefore participates in the global ZKS time, and wherein trigger signals for transmitting time-controlled data messages between the node computers and the base stations on one or preferably more wireless bidirectional data channels are derived from the progression of the global ZKS time according to a schedule individually created a priori for each node computer and each base station.
The invention relates to an apparatus and to a method for the distributed development of process programs of a distributed real-time system, in particular a comprehensive distributed real-time system, on a distributed development hardware, wherein a given task is divided up into a multiplicity of processes capable of running in parallel, the dependencies of which are represented in the form of a marked process graph, and wherein there is a functional process specification for each process, and wherein a maximum number of instructions N_WC is provided for each process. According to the invention, a maximum process duration d_WCE on the target hardware is calculated for each process from N_WC / L_ZH, where L_ZH indicates the capability of the target hardware (in instructions/unit time), and the transmission time UD of the output data A (measured in bytes) from an upstream process to a downstream process of the target hardware is calculated from UD = A / L_C, where L_C indicates the capability of the communication system (in bytes/unit time), and each process of the process graph is annotated with its process time d_WCE. Each edge of the process graph is annotated with the transmission time UD on the target hardware, and, starting from a starting time of a starting node, which for example is assigned the time t=0, each mark of the process graph is allocated the time which is given by addition of the process times and transmission times on the path from the starting node as far as said mark. In the case of a plurality of paths leading to the same mark, the respectively highest time is chosen, and the development of a process program is carried out on a development system on the basis of the functional process specification and the times determined from the process graph for the start mark and end mark of the process, independently of the development of each other process program.
G05B 17/00 - Systems involving the use of models or simulators of said systems
G06F 9/44 - Arrangements for executing specific programs
G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
G05B 19/18 - Numerical control [NC], i.e. automatically operating machines, in particular machine tools, e.g. in a manufacturing environment, so as to execute positioning, movement or co-ordinated operations by means of programme data in numerical form
G06F 11/36 - Prevention of errors by analysis, debugging or testing of software
15. METHOD AND COMPUTER NETWORK FOR TRANSMITTING MESSAGES
The invention relates to a method for transmitting messages in a computer network of a real-time system comprising components in the form of computing nodes and star couplers. A first group of components sends, relays or receives time-controlled messages according to a communication schedule, and a second group of components does not communicate according to a communication schedule. For example, the computing node 104 does not execute a communication schedule, i.e. the computing node 104 does not send time-controlled messages. Instead, the computing node 104 reacts to receiving a message 1-201a by sending a message 1-104a in response. According to the invention, the message 1-201a is sent in a time-controlled manner, for example by a star coupler 201. The computing node 104 receives the message 1-201a at time 17-104a and reacts to receiving the message 1-201a by sending the message 1-104a at time 17-104b to the star coupler 201. The star coupler 201 receives the message 1-104a at time 14-201b. Preferably an upper limit OBS of the maximum time interval between the receiving time 17-104a and the sending time 17-104b is determined in the computing node 104. In this way, the star coupler 201 can schedule the relaying time 14-201c, at which the message 1-104a is relayed in the network, as a time-controlled time. Alternatively, the computing node 104 reacts by reading a current value from a local sensor, by altering the state of an actuator, or by carrying out an application-specific task. In addition or alternatively, every star coupler belonging to the second group of components reacts to receiving a time-controlled message by sending a new message, or relaying the received time-controlled message, said relaying not being carried out according to a communication schedule.
The invention relates to a method for transmitting messages in a computer network and a corresponding computer network. A first group of components is provided, wherein the components of the first group transmit and/or forward and/or receive messages via one or more wired connection(s) (110), wherein each component of the first group is either a computer node (101, 102, 103, 104, 105, X108), a star coupler (201, 203, 205, 207, 210, 211, X201), or a star coupler of a multi-hop network (1000), and wherein a second group of components is provided, wherein the components of the second group transmit and/or forward and/or receive messages via one or more wireless connections (110a, 110b, 110c, 110d), wherein each component of the second group is either a computer node (107, 108, X107, X109) or a star coupler (201, 210, 211, X201, X202), and wherein each component of the first and the second group has a local clock, and wherein the clocks of the components of the first and the second groups are synchronized with each other, and wherein the components of the first and the second groups transmit and/or forward and/or receive messages coordinated according to a common communication schedule.
The invention relates to the observation of the environment in front of a vehicle by means of a device having at least two image-recording apparatuses (110, 120). A first image-recording apparatus (110) that records a first image-recording angle and a second image-recording apparatus (120) that records a second, larger image-recording angle are provided. A first partial area (111) of the environment in front of the vehicle is recorded by means of the first image-recording apparatus (110), and a second partial area (121) of the environment in front of the vehicle is simultaneously recorded by means of the second image-recording apparatus (120). The two image-recording apparatuses (110, 120) are arranged at a lateral distance from each other in such a way that a central environment (140) is recorded by both the first and the second image-recording apparatus (110, 120). By fusing the data determined by the image-recording apparatuses (110, 120), a stereo image of the central environment is generated, and a monoscopic image of each of the areas that are recorded only by a first or a second image-recording apparatus is generated.
The invention relates to a method for transmitting messages in a computer network and to a computer network of this kind. The computer network comprises computation nodes (101-105), which computation nodes (101-105) are connected to one another via at least one star coupler (201) and/or at least one multi-hop network (1000), each computation node (101-105) being connected to the at least one star coupler (201) and/or to the at least one multi-hop network (1000) via at least one communication line (110), and the computation nodes (101-105) exchanging Ethernet messages with one another and with the at least one star coupler (201) and/or the at least one multi-hop network (1000). Provision is made for a set of two or more components each to be directly connected to one another by two or more communication lines (110, 111), each component in the set being either a computation node (101-105) or a star coupler (201), and sending components in the set of components sending at least some of the Ethernet messages that are to be sent to at least two of the two or more communication lines (110, 111), and receiving components in the set of components accepting and/or forwarding at least some of the Ethernet messages that are received via the two or more communication lines (110, 111) only if at least two identical messages are received via at least two different communication lines.
Method for executing tasks in a computer network, wherein said computer network comprises nodes and optionally at least one starcoupler, wherein said nodes are connected to each other, directly, for example via a bus or a bus system, and/or by said at least one starcoupler and/or by at least one multi-hop network, and wherein in said computer network nodes exchange time-triggered messages.
The invention relates to a method for detecting a failure of a constituent system (110...113) in a system of systems (1), consisting of a number of constituent systems (111...113) which exchange messages via a communication system (120), wherein a global time with a known granularity g is provided in each constituent system (111...113); at least one constituent system generates a time-controlled sign-of-life message at periodic generation times (210, 211), which are determined a priori from the progression of the global time; the transmission time (211, 221) of the sign-of-life message, said transmission time being determined in the time-controlled communication system (120) a priori from the progression of the global time, is synchronized with the generation time of said sign-of-life message; and the reception time (212, 222) of the sign-of-life message, said reception time being determined a priori from the progression of the global time, is synchronized with the timeout time (213, 223) of a sign-of-life message monitor (130), which monitors the arrival of the sign-of-life message, said timeout time being determined a priori from the progression of the global time. An error message is triggered at the timeout time if no sign-of-life message is encountered at the expected reception time (222).
The invention relates to a method for verifying generated software (1), in particular a computer program, said software (1) being generated by means of a software generator (2) on the basis of a system description (3). The invention further relates to a verifying device for carrying out such a method. In order to verify the software (1), a verifying device (4) is provided, wherein a) the system description (3) is read into the verifying device (4), b) the verifying device (4) generates one or more software code patterns (5) using the system description (3), c) the source text of the generated software (1) is read into the verifying device (4), and d) the verifying device (4) checks the source text (1) for the presence of all of the software code patterns (5).
The invention relates to a method for transmitting messages in a computer network and to a computer network, wherein the computer network comprises a first set of computing nodes (101 - 105), which computing nodes (101 - 105) are connected to each other by means of at least one star coupler (201, 202) and/or at least one multi-hop network (1000), wherein each computing node of the first set of computing nodes (101 - 105) is connected to the at least one star coupler (201, 201) or the at least one multi-hop network (1000) by means of at least one communication line (110), and wherein the computing nodes (101 - 105) exchange Ethernet messages among each other and the exchange of at least some of the Ethernet messages of the computing nodes (101 - 105) occurs in a time-controlled manner. According to the invention, a) the computer network comprises a second set of computing nodes (106 - 108), which are connected to each other by means of a bus (210), wherein the bus (210) is connected to the at least one star coupler (201) and/or the at least one multi-hop network (1000), and wherein b) the computing nodes of the second set of computing nodes (106 - 108) exchange Ethernet messages among each other and the exchange of at least some of the Ethernet messages of the computing nodes (106 - 108) occurs in a time-controlled manner, and wherein preferably c) the computing nodes of the second set of computing nodes (106 - 108) exchange Ethernet messages with the computing nodes of the first set of computing nodes (101 - 105) and the exchange of at least some of the Ethernet messages of the computing nodes (101 - 108) occurs in a time-controlled manner.
The invention relates to a method for error detection for at least one image processing system for detecting the surroundings of a motor vehicle, the method comprising the following steps: a) Capturing at least one first primary image (PB1); b) generating at least one first reference image (RB1) by inputting at least one reference feature (RM) into the at least one first primary image (PB1); c) processing the at least one first reference image (RB1) with the aid of at least one algorithm to be checked; d) extracting at least one test feature (TM) dedicated to the at least one reference feature (RM) from the processed at least one reference image (RB1); e) comparing the at least one test feature (TM) to the at least one reference feature (RM) and using the result of the comparison to determine the presence of at least one error.
The invention relates to a method for error detection for at least one system (1), characterized by a) at least partially optically measuring at least one system variable S1 at least at a time t1 or at least in a time interval Δt1, b) creating at least one predicted value Px for at least one system variable Sx for at least one time t2 following the time t1 or for at least one time interval Δt2 following the time interval Δt1 by means of at least one computer model (4), c) comparing the at least one predicted value Px with at least one value of the at least one system variable Sx associated with the time t2 or the time interval Δt2, and d) using the result of the comparison of step c) to determine the presence of at least one error.
The invention relates to a method for detecting errors for at least one image processing system for detecting the surroundings of a motor vehicle, wherein the following steps can be carried out in any sequence unless otherwise indicated: a) detecting at least one first primary image (PB1) on the basis of a primary image source (PBU), b) processing the at least one first primary image (PB1) using at least one algorithm to be checked, after step a), c) extracting at least one primary image feature (PBM) on the basis of the processed at least one primary image (PB1), after step b), d) generating or detecting at least one reference image (RB1) by moving and/or rotating the at least one first primary image (PB1) or the primary image source (PBU), after step a), e) processing the at least one reference image (RB1) using the at least one algorithm to be checked, after step d), f) extracting at least one reference image feature (RBM) from the at least one processed reference image (RB1), after step e), and g) comparing the at least one primary image feature (PBM) with the at least one reference image feature (RBM) and using the result of the comparison to determine the presence of at least one error, after steps c) and f).
The invention relates to a method for data transfer at the correct time between cyclic tasks in a distributed real-time system, which real-time system comprises a real-time communication system and a multiplicity of computer nodes, wherein a local real-time clock in each computer node is synchronized with the global time, wherein all periodic trigger signals z_i^b for the beginning of a new cycle i are derived in each computer node simultaneously from the advance of the global time, these periodic trigger signals starting the tasks, and wherein a task reads the output data of the other tasks from local input memory areas to which the real-time communication system writes information, and wherein a task writes the result data from the current cycle to a local output memory area, which is associated with the real-time communication system, at an a priori determined individual production instant z_i^f before the end of a cycle, and wherein the schedules for the time-controlled real-time communication system are configured such that the result data for a task that are present in the local output memory area are transported to the local input memory areas of the tasks requiring the data during the time interval <z_i^f, z_{i+1}^b>, so that at the beginning of the following cycle these result data are available in the local input memory areas of the tasks that require these result data.
The invention relates to a method for integration of calculations having a variable running time into a distributed time-controlled real-time computer architecture, which real-time computer architecture consists of a plurality of computing nodes, wherein a global time having known precision is available to the computing nodes, wherein at least part of the computing nodes is equipped with sensor systems, in particular different sensor systems for observation of the environment, and wherein the computing nodes exchange messages via a communication system, wherein at the start of each cyclical frame F_i having the duration d the computing nodes collect raw input data by means of a sensor system, wherein the start times of the frame F_i are deduced from the progress of the global time, and wherein the pre-processing of the raw input data is carried out by means of algorithms whose running times depend upon the input data, and wherein the value of the ageing index AI=0 is assigned to a pre-processing result which is produced within the frame F_i at the start of which the input data were collected, and wherein the value of the ageing index AI=1 is assigned to a pre-processing result which is produced within the frame F_{i+1} following the frame in which the input data were collected, and wherein the value AI=n is assigned to a pre-processing result which is produced in the nth frame after the data collection, and wherein the ageing indices of the pre-processing results are taken into consideration in the computing nodes which carry out the fusion of the pre-processing results of the sensor system.
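The ageing index bookkeeping described in the abstract above, as an added example that is not part of the patent text: a result is tagged with the frame in which its raw data were sampled and the frame in which the variable-runtime pre-processing finished, the index is their difference, and the fusion node uses it to down-weight or discard stale inputs. The data type, the weighting rule 1/(1+AI) and the cut-off `max_ai` are the editor's assumptions; the abstract only says the indices are "taken into consideration" by the fusing node.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PreprocessingResult:
    """One pre-processing result of a sensor node (constructed sample type, not from the patent)."""
    node: str
    collected_in_frame: int  # F_i: the frame at whose start the raw data were sampled
    produced_in_frame: int   # the frame in which the variable-runtime algorithm delivered
    value: float


def ageing_index(result: PreprocessingResult) -> int:
    """AI as defined in the abstract: 0 if produced in the collection frame, n if produced n frames later."""
    ai = result.produced_in_frame - result.collected_in_frame
    if ai < 0:
        raise ValueError("a result cannot be produced before its input was collected")
    return ai


def ageing_index_for_runtime(runtime_us: int, frame_duration_us: int) -> int:
    """AI of a result whose pre-processing started at the beginning of a frame of duration d
    and ran for runtime_us: every full frame duration consumed adds one to the index."""
    if runtime_us < 0 or frame_duration_us <= 0:
        raise ValueError("runtime must be non-negative and the frame duration positive")
    return runtime_us // frame_duration_us


def fuse(results, max_ai: int = 2):
    """Assumed fusion rule (editor's, not the patent's): weight each result by 1/(1+AI) and
    discard anything older than max_ai frames. Returns (fused_value, results_used)."""
    used = [r for r in results if ageing_index(r) <= max_ai]
    if not used:
        raise ValueError("no sufficiently fresh result to fuse")
    weights = [1.0 / (1 + ageing_index(r)) for r in used]
    fused = sum(w * r.value for w, r in zip(weights, used)) / sum(weights)
    return fused, used


if __name__ == "__main__":
    # constructed sample: three nodes deliver a distance estimate that is fused in frame 7
    batch = [
        PreprocessingResult("lidar", 7, 7, 10.0),    # AI = 0
        PreprocessingResult("radar", 6, 7, 20.0),    # AI = 1
        PreprocessingResult("camera", 3, 7, 50.0),   # AI = 4: stale, discarded by fuse()
    ]
    print(fuse(batch))
```

Note that a runtime of exactly one frame duration already yields AI=1: the result lands at the start of the next frame, not inside the frame in which its data were collected.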
G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
G01S 13/86 - Combinations of radar systems with non-radar systems, e.g. sonar, direction finder
G06K 9/00 - Methods or arrangements for reading or recognising printed or written characters or for recognising patterns, e.g. fingerprints
H04N 19/436 - Methods or arrangements for coding, decoding, compressing or decompressing digital video signals characterised by implementation details or hardware specially adapted for video compression or decompression, e.g. dedicated software implementation using parallelised computational arrangements
G06F 17/18 - Complex mathematical operations for evaluating statistical data
28.
METHOD FOR LIMITING THE RISK OF ERRORS IN A REDUNDANT, SAFETY-RELATED CONTROL SYSTEM FOR A MOTOR VEHICLE
The invention relates to a method and a device for limiting the risk of errors in a control system with heterogeneous redundancy, in particular for a braking system (autonomous emergency braking, AEB) for a motor vehicle, in which method two fault-containment units (FCU) with heterogeneous redundancy each determine an adjustable variable and, if said variables differ, an actuator control (AST) applies different weightings to the adjustable variables using a weighted mean value algorithm and calculates a new adjustable variable from said process. The new adjustable variable guides the object to be controlled into a safe state.
The invention relates to a device for controlling the braking and/or steering and/or acceleration in a motor vehicle, said device comprising a number of different sensor components, two heterogeneous sensor fusion components, a man-machine interface component and a preferably intelligent actuator control component, each of said components forming a fault-containment unit and having a TTEthernet communication interface. All the components are connected to a central TTEthernet message buffer unit, the components communicate with one another exclusively by using standardized Ethernet messages, and a diagnostic unit for the real-time observation of the switched messages can be connected to the TTEthernet message buffer unit.
The invention relates to a method for allocating control in a system-of-systems, in particular in a dynamic system-of-systems, said system consisting of, or comprising, a physical system (PS), an autonomous control system (CS), a human operator (HO), a monitor component (MK) and an actuator control (AST). The CS observes the environment and/or the physical system cyclically using an associated sensor system, creates an internal model of the environment and/or the PS on the basis of said observation and analyzes the model in order to determine, in a cycle, in particular in the current cycle, adjustable variables for the AST and a criticality index (KI) of the scenario. The MK observes the HO and/or their actions cyclically, in particular their current actions, in order to determine on the basis of said observations an engagement index (EI) for the HO in a cycle, in particular in the current cycle, and control of the PS is allocated to the HO if EI > KI.
The invention relates to a method for handling faults in a central control device, wherein the control device comprises a distributed computer system (100), to which distributed computer system (100) sensors (112, 113, 122, 123) are connected or can be connected, wherein the distributed computer system (100), in particular all components of the computer system, is/are divided between a first fault containment unit FCU1 (101) and a second fault containment unit FCU2 (102), wherein the FCU1 (101) and the FCU2 (102) are each supplied via a separate, independent power supply, and wherein the FCU1 (101) and the FCU2 (102) interchange data solely via DC-isolated lines, and wherein some of the sensors are connected at least to the FCU1 (101) and the others of the sensors are connected at least to the FCU2 (102), and wherein the FCU1 (101) and the FCU2 (102) are connected to a redundantly designed communication system (131, 132) having one or more actuators, with the result that, if the FCU1 fails, the FCU2 maintains a limited functionality using the sensors assigned to the FCU2, and, if the FCU2 fails, the FCU1 maintains a limited functionality using the sensors assigned to the FCU1.
The invention relates to a method for the redundant transmission of messages in a distributed real-time system. The real-time system comprises two or more computing nodes (101-108) and one or more star couplers (201-209). The computing nodes (101-108) are connected to the star couplers (201-209) by means of bidirectional communication lines (301, 302, 303), and the star couplers (201-209) are connected to one another by means of bidirectional communication lines (310). The star couplers (201-209) connected by means of the communication lines (310) form a network infrastructure (200), wherein one or more star couplers (201-209) of the network infrastructure (200) carry out one or more activity rasters (1000). An activity raster (1000) consists of alternating active phases (502) and rest phases (501), and precisely one activity raster (1000) is assigned to each message transmitted in the network infrastructure. The invention further relates to an infrastructure and to a real-time system with such a network infrastructure.
The invention relates to a method for increasing security in a distributed real‑time system, comprising a multiplicity of computer nodes and distributing units, wherein at least one incremental scheduler can dynamically plan deterministic time‑controlled channels between the computer nodes. At least one trusted Certification and Monitoring Authority (CMA) stipulates the maximum share of the bandwidth of each distributor unit that a scheduler is permitted to plan, wherein these stipulations are communicated to the distributor units and the schedulers by the CMA by means of messages, and wherein a distributor unit that receives from a scheduler a schedule that takes up more bandwidth than this maximum share rejects this schedule. In addition, the invention relates to a computer system for carrying out such a method.
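The admission check in the abstract above, as an added example that is not the patent's or any product's code: the CMA sends each distributor unit the maximum bandwidth share a given scheduler may plan on it, and the unit rejects any schedule from that scheduler whose channels would exceed the share. The wire representation of a channel, the choice to treat a schedule as the scheduler's complete channel set, and the extra check that the CMA's shares on one unit never sum above 100 % are the editor's assumptions; so is the premise that the stipulation message has already been authenticated as coming from the CMA, which the abstract does not detail.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TTChannel:
    """A planned time-controlled channel: one frame of frame_bytes every period_us (constructed type)."""
    name: str
    period_us: int
    frame_bytes: int

    def bandwidth_bps(self) -> float:
        return self.frame_bytes * 8 * 1_000_000 / self.period_us


@dataclass
class DistributorUnit:
    name: str
    link_bps: int
    max_share: dict = field(default_factory=dict)  # scheduler id -> fraction fixed by the CMA
    active: dict = field(default_factory=dict)     # scheduler id -> currently accepted schedule

    def receive_cma_stipulation(self, scheduler_id: str, share: float) -> None:
        """Message from the CMA fixing the bandwidth share a scheduler may plan on this unit.
        Assumption: the message has already been authenticated as originating from the CMA."""
        if not 0.0 < share <= 1.0:
            raise ValueError("share must lie in (0, 1]")
        others = sum(s for sid, s in self.max_share.items() if sid != scheduler_id)
        if others + share > 1.0 + 1e-12:
            # editor's sanity check: a CMA that hands out more than the link has would
            # make the per-scheduler limits meaningless
            raise ValueError("CMA stipulations would overcommit the link")
        self.max_share[scheduler_id] = share

    def receive_schedule(self, scheduler_id: str, channels) -> bool:
        """A scheduler offers its complete schedule for this unit. It is activated only if
        its bandwidth stays within the CMA share; otherwise the whole schedule is rejected."""
        if scheduler_id not in self.max_share:
            return False  # no stipulation from the CMA: this scheduler may plan nothing here
        requested = sum(ch.bandwidth_bps() for ch in channels) / self.link_bps
        if requested > self.max_share[scheduler_id] + 1e-12:
            return False  # exceeds the maximum share fixed by the CMA
        self.active[scheduler_id] = list(channels)
        return True

    def planned_share(self, scheduler_id: str) -> float:
        return sum(ch.bandwidth_bps() for ch in self.active.get(scheduler_id, [])) / self.link_bps


if __name__ == "__main__":
    # constructed scenario: 100 Mbit/s link, scheduler A may use at most 30 % of it
    unit = DistributorUnit("dist-1", 100_000_000)
    unit.receive_cma_stipulation("scheduler-A", 0.30)
    c1 = TTChannel("c1", period_us=1000, frame_bytes=1500)  # 12 Mbit/s each
    c2 = TTChannel("c2", period_us=1000, frame_bytes=1500)
    c3 = TTChannel("c3", period_us=1000, frame_bytes=1500)
    print(unit.receive_schedule("scheduler-A", [c1, c2]))      # accepted, 24 %
    print(unit.receive_schedule("scheduler-A", [c1, c2, c3]))  # rejected, 36 %
    print(unit.planned_share("scheduler-A"))                   # still 0.24
```

A rejected schedule leaves the previously accepted one in force, so a misbehaving or compromised scheduler cannot even disturb its own earlier allocation, let alone another scheduler's share.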
The invention relates to a method for transmitting communications in a computer network consisting of compute nodes that are interconnected via active components. The compute nodes exchange real-time communications (402), wherein the real-time communications (402) are assigned defined CM-time intervals (CMI) of constant duration. The bandwidth available for real-time communications (402) within a CM time interval (CMI) is limited to a defined real-time bandwidth. Further, time-controlled communications (401, 403) are sent from compute nodes, wherein the time-controlled communications (401, 403) are sent periodically from the compute nodes. The cycle duration of the time-controlled communications (401, 403) is a function of the duration of the CM-time intervals and the transmit times of time-controlled communications (401, 403) that are sent from different compute nodes to the same active components are out-of-phase with respect to each other, such that time-controlled communications (401, 403) from different compute nodes are received in the active components at different times (601, 602). In addition, the sum of the bandwidths occupied by time-controlled communications (401, 403) and by real-time communications (402) within a CM-time interval (CMI) does not exceed the value for the real-time bandwidth.
Method for the dynamic creation of time-controlled paths (TT paths) in a large computer network consisting of a plurality of computer nodes, distribution modules and communication channels, wherein all distribution modules have access to a global time base. A scheduling instance, which is aimed at establishing a TT path with specified path time characteristics from a transmitter node to a receiver node along an existing virtual connection, requests all the TT path descriptor lists (TTPDL) already confirmed by said distribution modules from each distribution module arranged in this connection, and transmits the specified path time characteristics and all confirmed TTPDLs to a dynamic scheduler. The scheduler creates a new TTPDL for each of the distribution modules arranged in the virtual connection, wherein the existing reserved TTPDLs of the distribution modules affected remain unchanged and the corresponding new TTPDLs are sent to each distribution module arranged in the virtual connection. Each of these distribution modules reserves the TT path requested and confirms the successful reservation to the scheduling instance.
The invention relates to a method for distributing event-triggered (ET) and time-triggered (TT) communications in a distributed real-time system by means of a distributor unit that comprises a low-level relay unit (LLVME) and a high-level relay unit (HLVME), distributor unit communication ports to other relay units and/or end systems of the real-time system being attached to said LLVME. The invention also relates to such a distributor unit and to a real-time system comprising at least one such distributor unit. According to the invention, the LLVME has access to a global time base and is configured to differentiate between ET communications and TT communications, the LLVME forwarding an ET communication that is incoming to one of its ports to the HLVME such that said HLVME can carry out the analysis and temporal scheduling of said ET communication before it delivers this ET communication back to the LLVME for it to be issued at the designated output port of the LLVME, and, prior to the known issuing of a TT communication, said LLVME transmitting a pause-frame to the HLVME such that no ET communication is scheduled to be transmitted by the HLVME during this anticipated and scheduled TT communication transmission slot, and the LLVME delivers an incoming TT communication directly for issue at the designated output port in accordance with the known time plan.
The invention relates to a method for establishing deterministic communication routes in a large computer network, wherein all affected end systems and switches of the computer network have a global time and a deterministic communication route is generated on the basis of an existing communication route between two or more end systems of the computer network in that a time-triggered connection manager (TTCM) of an end system reserves the deterministic communication route in a reservation phase by sending a reservation message to each network switch of the existing communication route up to the reservation commitment time (KZPT), and then confirms this deterministic communication route in an accept phase by sending an accept message to the network switches of the existing communication route before the KZPT.
The invention relates to a method for dynamic modification of the schedules in a time-controlled switch for relaying time-controlled messages in a real-time computer system, wherein at least one active schedule and at least one new schedule are stored at a point in time in a switch, wherein, at a specified changeover time in the active interval of a sparse time base, the active schedule is deactivated and a new schedule is activated.
The invention relates to a method for the reliable switching of synchronization messages in a distributed computer system consisting of a number of node computers. In said method the management of a transparent clock conforming to IEEE Standard 1588 is supported and a switching unit consists of four separate FCUs.
The invention relates to a method for generating fail-silent synchronization messages in a distributed real-time system, said method using the following functional units: a satellite receiver (110) for receiving a time signal (S-signal) from a navigation satellite system, a precision reference clock (130) which generates an actual time signal (R-signal), a central computer (140), a monitor (120), and a data block (210) for storing configuration parameters. The satellite receiver (110) periodically generates an S-signal and the reference clock (130) periodically produces an R-signal, the nominal frequency and phase of the R-signal being identical to the frequency and phase of the S-signal, and the difference between the nominal and the actual R-signal being fed back to the reference clock (130) in order to minimize said difference. In the event of a fault in the satellite receiver (110), the periodic synchronization message (220), which is to be generated by the central computer (140) in accordance with the configuration parameters (210), is generated on the basis of the R-signal, and the monitor (120) checks whether the transmission time contained in the synchronization message matches the actual transmission time and whether the interval between two successive synchronization messages (220) lies within an a priori fixed tolerance interval. If this is not the case, the synchronization message (220) is modified such that each receiver identifies the synchronization message (220) as erroneous.
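The monitor's two checks from the abstract above, as an added example that is not the patent's code: the claimed transmission time must agree with the actual one within a tolerance, and the spacing of successive messages must fall inside the configured interval; a message that fails either check is turned into one every receiver rejects. The frame layout (sequence number, send time in ns, CRC-32) and the fail-silent mechanism, inverting the CRC so the frame cannot pass any receiver's integrity check, are the editor's assumptions; the abstract only says the message is modified so that receivers identify it as erroneous.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Constructed wire format (not the patent's): seq (4 bytes) | send time in ns (8 bytes) | CRC-32 (4 bytes)
_HDR = struct.Struct(">IQ")
_CRC = struct.Struct(">I")


def encode_sync_message(seq: int, send_time_ns: int) -> bytes:
    """What the central computer (140) produces: header plus CRC over the header."""
    body = _HDR.pack(seq, send_time_ns)
    return body + _CRC.pack(zlib.crc32(body))


def receiver_accepts(frame: bytes) -> bool:
    """What every receiver does with an incoming frame: discard it unless the CRC verifies."""
    if len(frame) != _HDR.size + _CRC.size:
        return False
    body, (crc,) = frame[:_HDR.size], _CRC.unpack(frame[_HDR.size:])
    return zlib.crc32(body) == crc


@dataclass
class SyncMonitor:
    """Monitor (120): compares the claimed transmission time with the actual one and the
    spacing of successive messages with the tolerance interval; out-of-tolerance messages are
    made detectably erroneous so the unit fails silently instead of spreading wrong time."""
    max_time_error_ns: int
    min_interval_ns: int
    max_interval_ns: int
    last_actual_send_ns: Optional[int] = None

    def check(self, frame: bytes, actual_send_ns: int) -> bytes:
        ok = receiver_accepts(frame)
        if ok:
            _seq, claimed_ns = _HDR.unpack(frame[:_HDR.size])
            ok = abs(claimed_ns - actual_send_ns) <= self.max_time_error_ns
        if ok and self.last_actual_send_ns is not None:
            gap = actual_send_ns - self.last_actual_send_ns
            ok = self.min_interval_ns <= gap <= self.max_interval_ns
        self.last_actual_send_ns = actual_send_ns
        return frame if ok else self.make_erroneous(frame)

    @staticmethod
    def make_erroneous(frame: bytes) -> bytes:
        """Assumed mechanism: invert the CRC so that no receiver can accept the frame."""
        body = frame[:_HDR.size]
        return body + _CRC.pack(zlib.crc32(body) ^ 0xFFFFFFFF)


if __name__ == "__main__":
    # constructed run: 1 ms sync period, 10 % interval tolerance, 1 µs time-stamp tolerance
    monitor = SyncMonitor(max_time_error_ns=1_000, min_interval_ns=900_000, max_interval_ns=1_100_000)
    good = monitor.check(encode_sync_message(1, 1_000_000), actual_send_ns=1_000_000)
    late_stamp = monitor.check(encode_sync_message(2, 2_000_000), actual_send_ns=2_050_000)
    print(receiver_accepts(good), receiver_accepts(late_stamp))  # True False
```

The monitor records the actual send time even for a rejected message, so a burst of bad messages cannot make the next good one look like it arrived after an acceptable gap.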
The invention relates to a method for limiting the effects of software errors in a distributed real-time system in which a plurality of distributed application systems are executed simultaneously, wherein each application system forms an encapsulated software fault containment unit (SWFCU), wherein an SWFCU comprises the software of a distributed application system, said software being executed on one or more virtual computer nodes and one or more dedicated computer nodes, and exchanging messages via one or more encapsulated virtual communication systems, wherein a communication system consists of communication controllers, switching units and physical connections, and wherein the direct effects of a software error of an SWFCU remain limited to the SWFCU.
The invention relates to a method for fault recognition in a distributed real-time computer system comprising fault containment units (FCUs), more particularly a fault-tolerant system of systems (SoS), having a global timebase, wherein the fault containment units communicate by means of messages via at least one message distribution unit, wherein a commitment time is associated with a message formed by a fault containment unit, and wherein a message distribution unit that receives a message relays the message to one or more fault containment units operating in parallel, and wherein a processing fault containment unit (VFCU) does not transmit any of its results that are influenced by one or more of the received messages to the environment of the processing fault containment unit or use them for changing the inner state of the processing fault containment unit before the commitment times associated with the received messages.
A method for monitoring the short-circuiting switching device of a three-phase motor (3) for the drive for vehicles, which switching device is fed from a DC voltage source (1) via a controlled converter (2), wherein the short-circuiting switching device (5) actuated by control logic (6) is connected to the inputs of the motor, and the motor current and/or motor voltages are measured, and a predetermined test pattern, which is different than the voltage/current profile during operation, is generated with the aid of the controlled converter (2) during a test phase and supplied to the motor (3), the short-circuiting switching device is actuated for the activation thereof, the current and/or voltage profile is detected during the test phase by opening and closing of short-circuiting contacts and, on the basis of the current and/or voltage distribution in the individual motor phases, the correct opening/closing of the short-circuiting contacts is detected and evaluated.
H02P 3/12 - Arrangements for stopping or slowing electric motors, generators, or dynamo-electric converters for stopping or slowing an individual dynamo-electric motor or dynamo-electric converter for stopping or slowing a DC motor by short-circuit or resistive braking
H02H 7/00 - Emergency protective circuit arrangements specially adapted for specific types of electric machines or apparatus or for sectionalised protection of cable or line systems, and effecting automatic switching in the event of an undesired change from normal working conditions
H02P 29/02 - Providing protection against overload without automatic interruption of supply
H02P 3/22 - Arrangements for stopping or slowing electric motors, generators, or dynamo-electric converters for stopping or slowing an individual dynamo-electric motor or dynamo-electric converter for stopping or slowing an AC motor by short-circuit or resistive braking
B60L 3/00 - Electric devices on electrically-propelled vehicles for safety purposes; Monitoring operating variables, e.g. speed, deceleration or energy consumption
G01R 31/02 - Testing of electric apparatus, lines, or components for short-circuits, discontinuities, leakage, or incorrect line connection
44.
METHOD FOR COMBINING RESULTS OF PERIODICALLY OPERATING EDP COMPONENTS AT THE CORRECT TIME
The invention relates to a method for combining results of a multiplicity of periodically operating components of a distributed computer system at the correct time, wherein the components communicate solely by means of messages via at least one communication system, and wherein each component has a global time with the precision P. Provision is made for each component to be unambiguously associated with one of n hierarchical levels, preferably in system design, wherein the durations of the periods of the components, which are derived from the progression of the global time, are an integer multiple of one another, and wherein the phase of transmitting each message is synchronized with the corresponding phase of receiving each transmitted message within each longest period of the entire distributed computer system even if the transmitting components and the receiving components are arranged on different hierarchical levels and are spatially distributed. The invention also relates to a computer system for carrying out such a method.
The invention relates to a method for monitoring, at the correct time, TTEthernet (TT) messages communicated by a TTEthernet switch (TTE switch) in a distributed real-time computer system. According to the invention, the TTE switch has a global time having precision P and accuracy A, the TTE switch has a plurality of communication channels and one or more monitoring channels, and the TTE switch contains a selection data structure that specifies which TT message classes are to be monitored. A copy of a TT message which belongs to a TT message class selected for monitoring is formed in the TTE switch and is transmitted by the TTE switch via a monitoring channel to a monitoring node, and the TTE switch subsequently autonomously transmits an ET message containing an identifier and the exact transmission time of the monitored TT message via a monitoring channel to a monitoring node.
The invention relates to a method for statically or dynamically integrating a quantity of EDP systems into a system-of-systems (SoS), in which according to the invention all EDP systems participating in the SoS have a global time with precision P, wherein a service providing system ("SPS") (151) in an interface specifying the service manages a validity time field that specifies the future validity time up to which the syntax and semantics of an interface specification and the information contained therein will be valid, and wherein the SPS (151) ensures that before said validity time no changes in the interface specification and to the information contained therein will be made.
In a network based on IEEE 1588, comprising a plurality of nodes (201, 501) and a plurality of connections where each connection connects at least two nodes to allow communication between nodes including the exchange of messages according to a network protocol, the synchronization of IEEE 1588 is improved by allowing multiple grandmaster clocks (701) to operate simultaneously in the system. Thus, the re-election protocol of IEEE 1588 is made obsolete. For this, a multitude of nodes form a subsystem implementing a high-availability grandmaster clock (301) according to the IEEE 1588 Standard, wherein the subsystem is configured to tolerate the failure of at least one of said nodes forming said subsystem. Bi-directional communication links (401) are configured for physically connecting IEEE 1588 master clocks (201) and/or IEEE 1588 slave clocks (201) to the subsystem implementing the high-availability grandmaster clock (301).
The invention relates to a method for providing guaranteed quality of service in distributed computing platforms for execution of distributed applications, by combining: i) a partitioned operating system (POS) or a hypervisor (101) executed on at least two computers (300,301); where said POS/hypervisor allocates the CPU, memory and I/O hardware resources to computer partitions in said computers; where said computers are capable of executing different computer partitions (104, 105, 106) with different application tasks within one said computer partition or executing different operating systems (in case of hypervisor) within one said computer partition; wherein the said POS/hypervisor ensures that the application tasks executed in different partitions within the same said computer get their allocated hardware resources; wherein said POS/hypervisor performs a time-driven scheduling for a subset of computer partitions based on a given configuration (136), ii) means, for example network communication technology, for implementing partitioning of Ethernet communication resources and creating virtualized networks out of one physical network.
The aim of the invention is to establish a fault-tolerant global time in a fault-tolerant communication system of a distributed real-time system. For this purpose, a fault-tolerant message-conveying unit (200) is presented, which comprises four independent conveying units (211, 212, 213, 214). Said four independent conveying units (211, 212, 213, 214) together establish a fault-tolerant time. The end systems (221, 222) are connected to a fault-tolerant message-conveying unit (200) by means of two independent fail-silent communication channels (251, 252, 253, 254) so that the clock synchronization and the network connections are maintained even if a part of the fault-tolerant unit (200) or a communication channel fails.
A coupling circuit for a bus subscriber (101) on a bus line (102) of a field bus with DC-voltage-free and differential, EIA-485/EIA-422-compliant, signal transmission on the basis of a TTP protocol, in which the two inputs/outputs (108, 109) of a transmission/reception component (104) of the bus subscriber (101) are connected to a first winding of a signal transformer (103) and the two poles of the bus line (102) are connected to a second winding of the signal transformer, and the first winding has a centre tap (107), wherein the centre tap (107) is connected to the local reference-earth potential of the bus subscriber (101) via a capacitor (105), the capacitance of which is at least 100 times the parasitic capacitance (110) of the transformer (103).
The invention relates to a method for executing security-relevant and non-security-relevant software components (SAFET, STANT) on a hardware platform, wherein the hardware platform comprises at least one central processing unit (CPU) and at least one memory (SPE) and wherein the at least one non-security-relevant software component (STANT) is executed together with the at least one security-relevant software component (SAFET) on the same central processing unit (CPU), and wherein the hardware platform comprises a monitoring component (MOD) or is connected to said monitoring component, and wherein said monitoring component (MOD) operates independently of the at least one processor (CPU) of the hardware platform. According to the invention, the hardware platform has write-protection mechanisms for at least a part (SPE, SPE2) of the at least one memory (SPE), wherein the security-relevant software component (SAFET) has full write access to certain ranges (SPE1 - SPE4) or to the entire memory (SPE), or the security-relevant software component (SAFET) has access to a certain range of the memory that is separated from a range of the memory intended for non-security-relevant functions. 
Before the non-security-relevant software component (STANT) is executed, the security-relevant software component (SAFET) establishes a memory protection against access of a non-security-relevant function (STANT) to at least one range (SPE1, SPE2) of the memory of the security-relevant function (SAFET), such that the non-security-relevant software component (STANT) has write access only in limited ranges (SPE3, SPE4, SPE5) of the memory (SPE) and in particular does not have access to the ranges (SPE1, SPE2) of the memory (SPE) separated for security-relevant components, and wherein after the return from the non-security-relevant component (STANT) the memory protection is lifted again, and wherein the monitoring component (MOD) monitors the security-relevant function to determine whether the security-relevant function is running properly.
G06F 21/74 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
The invention relates to a method for fault identification in a System-on-Chip (SoC) consisting of a number of IP cores, wherein each IP core is a fault containment unit, and where the IP cores communicate with one another by means of messages via a Network-on-Chip, and wherein a distinguished IP core provides a TRM (Trusted Resource Monitor), wherein a faulty control message which is sent from one non-privileged IP core to another non-privileged IP core is identified and blocked by an (independent) fault containment unit, as a result of which this faulty control message cannot cause any failure of the message receiver.
The invention relates to a communication method for transmitting TT Ethernet messages in a distributed real-time system, comprising a plurality of node computers (112, 122), wherein each node computer has at least one Ethernet controller, which by way of a data line (111, 121) is directly connected to a port of a TTE star coupler (110), said port being uniquely associated with the node computer, and wherein a plurality of TTE star couplers are directly or indirectly connected among each other by way of one or more data lines (131) in order to form a TTE network, wherein according to the invention a TTE message scheduler dynamically calculates the conflict-free schedules for a number of time-controlled messages and signs the schedule provided for each node with a secret part of a public-key signature before it transmits said schedule to the corresponding node computer, and wherein each node computer integrates the signed periodic schedule, which is transmitted to the node computer in the form of a TTE message header (320) of an ETE message, into each dynamically calculated TTE message, and wherein the TTE star couplers check whether each dynamically calculated TTE message contains an authentically signed schedule.
The invention relates to a method for increasing the robustness of a distributed computer system, comprising a number of components (110, 120, 130), wherein each component (110, 120, 130) can transmit messages to the other components via a communication system (100). According to the invention, at least one of the components (110, 120, 130) is a processing component (110), and at least one of the components (110, 120, 130) is a ground state checking component (120), wherein the at least one processing component (110) periodically, at a periodically recurring restart time, transmits a ground state (GS) message, which comprises the ground state of the processing component (110) valid immediately before the time of transmission, to the at least one ground state checking component (120), and wherein the ground state checking component (120) checks the value range and time range of the incoming ground state message, and wherein in the event a fault is detected in the ground state message the ground state checking component (120) corrects the fault in the ground state and before the next restart time transmits the corrected ground state in a corrected ground state message to that processing component (110) from which the faulty ground state message originated, and wherein upon receipt of the corrected GS message by the processing component (110) said processing component (110) at the next restart time performs a restart, using the corrected ground state present in the corrected GS message.
The aim of the invention is to secure the authenticity and integrity of real-time data in a distributed real-time computer system. Said aim is achieved by a method that takes into account the special requirements of real-time data processing, such as the timeliness of real-time data transmission and the limited availability of resources. Frequently changing an asymmetric key pair prevents an attacker from cracking a key before said key is no longer valid. Said method can also be extended to ensure confidentiality of real-time data and can likewise be efficiently implemented on a multiprocessor system-on-chip (MPSoC).
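The two abstracts above fit together: the scheduler of the TT Ethernet abstract signs each node's schedule with the private half of a key pair and the star couplers verify the signature, and the abstract directly above rotates such key pairs often enough that a key expires before it can be cracked. Below is an added example of that combination, the editor's code rather than the patents' or any product's: an Ed25519 key pair from the `cryptography` package, a key identifier and global-time validity window per pair, and a coupler that accepts a schedule header only under a known, currently valid key. The header layout, the use of Ed25519, the microsecond validity windows and the assumption that the public halves reach the couplers over a trusted channel are all the editor's; neither abstract specifies them.

```python
import struct
from dataclasses import dataclass

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey

# Constructed header layout (not the patents'):
# key id (4) | node id (4) | period µs (4) | offset µs (4) | frame bytes (4) | Ed25519 signature (64)
_SCHED = struct.Struct(">IIIII")
SIG_LEN = 64


@dataclass(frozen=True)
class Schedule:
    node_id: int
    period_us: int
    offset_us: int
    frame_bytes: int


@dataclass(frozen=True)
class KeyEpoch:
    """Public half of one key pair and the global-time window [valid_from, valid_until) in which it counts."""
    key_id: int
    valid_from_us: int
    valid_until_us: int
    public_key: Ed25519PublicKey


class TTEScheduler:
    """Signs each node's periodic schedule; generates a fresh key pair every lifetime_us of global time."""

    def __init__(self, lifetime_us: int):
        self.lifetime_us = lifetime_us
        self._key_id = 0
        self._private = None
        self.epoch = None

    def rotate(self, now_us: int) -> KeyEpoch:
        self._key_id += 1
        self._private = Ed25519PrivateKey.generate()
        self.epoch = KeyEpoch(self._key_id, now_us, now_us + self.lifetime_us, self._private.public_key())
        return self.epoch

    def sign_schedule(self, sched: Schedule, now_us: int) -> bytes:
        """Header carried in every TTE message of the node: key id + schedule fields + signature over both."""
        if self.epoch is None or not (self.epoch.valid_from_us <= now_us < self.epoch.valid_until_us):
            self.rotate(now_us)
        signed_part = _SCHED.pack(self._key_id, sched.node_id, sched.period_us, sched.offset_us, sched.frame_bytes)
        return signed_part + self._private.sign(signed_part)


class TTEStarCoupler:
    """Forwards a dynamically scheduled TTE message only if its header carries a valid signature
    under a key that the coupler knows and that is valid at the current global time.
    Assumption: KeyEpoch records reach the coupler over a trusted channel."""

    def __init__(self):
        self._epochs = {}

    def install_epoch(self, epoch: KeyEpoch) -> None:
        self._epochs[epoch.key_id] = epoch

    def verify_header(self, header: bytes, now_us: int) -> bool:
        if len(header) != _SCHED.size + SIG_LEN:
            return False
        signed_part, sig = header[:_SCHED.size], header[_SCHED.size:]
        key_id = _SCHED.unpack(signed_part)[0]
        epoch = self._epochs.get(key_id)
        if epoch is None or not (epoch.valid_from_us <= now_us < epoch.valid_until_us):
            return False  # unknown key, or its validity window has passed
        try:
            epoch.public_key.verify(sig, signed_part)
        except InvalidSignature:
            return False
        return True


if __name__ == "__main__":
    scheduler, coupler = TTEScheduler(lifetime_us=10_000_000), TTEStarCoupler()
    header = scheduler.sign_schedule(Schedule(node_id=7, period_us=1000, offset_us=250, frame_bytes=1500), now_us=0)
    coupler.install_epoch(scheduler.epoch)
    print(coupler.verify_header(header, 5_000_000), coupler.verify_header(header, 10_000_000))  # True False
```

Because the key id is inside the signed part, an attacker cannot move a valid signature to another epoch, and because the coupler checks the window against its own global time, a replayed header from an expired epoch is dropped even though its signature still verifies mathematically.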
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
H04L 12/407 - Bus networks with decentralised control
H04L 9/16 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms, the keys or algorithms being changed during operation
58.
COMMUNICATION METHOD AND DEVICE FOR EFFICIENT AND SECURE TRANSMISSION OF TT ETHERNET MESSAGES
The aim of the present invention is to improve user data efficiency and security in a distributed real-time computer system, in which a number of node computers communicate by means of TT Ethernet messages via one or more communications channels, using commercially available Ethernet controllers. In order to achieve the aim, differentiation is made between the node computer transmission time (KNSZPKT) and the network transmission time (NWSZPKT) for a message. The KNSZPKT, interpreted by the clock of the transmitting node computer, must be before NWSZPKT in time, such that under all circumstances (even if the clocks of the node computer and the TT star coupler are at the limits of the precision interval) the start of the message has arrived at the TT star coupler by NWSZPKT, as interpreted by the clock in the TT star coupler. The invention proposes that the TT star coupler be modified such that a message arriving from a node computer is delayed at an intelligent port of the TT star coupler until NWSZPKT, so that it can then be transmitted to the TT network at precisely NWSZPKT.
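The timing requirement in the abstract above, as an added example that is the editor's and not the patent's: the node must send at a KNSZPKT early enough that, with the node's clock lagging the coupler's by the full precision P and the line showing its maximum delay, the start of the frame still reaches the intelligent port by NWSZPKT, where the port holds it and releases it exactly at NWSZPKT. The closed form KNSZPKT = NWSZPKT - P - d_max and the sign convention (precision as the largest possible difference between two clocks) are the editor's derivation from that requirement; the abstract states the requirement, not the formula.

```python
from dataclasses import dataclass
from typing import Optional


def latest_node_send_time(nwszpkt_us: int, precision_us: int, max_line_delay_us: int) -> int:
    """Latest KNSZPKT (on the node's clock) such that the frame start has arrived at the
    TT star coupler by NWSZPKT (on the coupler's clock) even when the two clocks differ by
    the full precision P and the line shows its maximum delay. Editor's derivation."""
    if precision_us < 0 or max_line_delay_us < 0:
        raise ValueError("precision and delay must be non-negative")
    return nwszpkt_us - precision_us - max_line_delay_us


def worst_case_arrival(knszpkt_us: int, precision_us: int, max_line_delay_us: int) -> int:
    """Latest possible arrival on the coupler's clock: if the node's clock lags by P, the node
    reads KNSZPKT when the coupler already reads KNSZPKT + P; the line adds up to its max delay."""
    return knszpkt_us + precision_us + max_line_delay_us


@dataclass
class IntelligentPort:
    """Port of the modified TT star coupler: holds an arriving frame until NWSZPKT and releases
    it exactly then; a frame that arrives after NWSZPKT has missed its slot."""
    nwszpkt_us: int

    def forward_time(self, arrival_on_coupler_clock_us: int) -> Optional[int]:
        if arrival_on_coupler_clock_us > self.nwszpkt_us:
            return None
        return self.nwszpkt_us


def check_slot(nwszpkt_us: int, actual_precision_us: int, max_line_delay_us: int,
               assumed_precision_us: Optional[int] = None):
    """Plan KNSZPKT for the precision the designer assumed and test it against the precision the
    clocks actually achieve. Returns (knszpkt, forward time or None if the slot is missed)."""
    assumed = actual_precision_us if assumed_precision_us is None else assumed_precision_us
    knszpkt = latest_node_send_time(nwszpkt_us, assumed, max_line_delay_us)
    port = IntelligentPort(nwszpkt_us)
    return knszpkt, port.forward_time(worst_case_arrival(knszpkt, actual_precision_us, max_line_delay_us))


if __name__ == "__main__":
    # constructed numbers: slot at 10 000 µs, precision 2 µs, up to 5 µs on the line
    print(check_slot(10_000, actual_precision_us=2, max_line_delay_us=5))            # (9993, 10000)
    print(check_slot(10_000, actual_precision_us=2, max_line_delay_us=5,
                     assumed_precision_us=1))                                          # (9994, None)
```

The second call shows the failure mode a practitioner wants to see: planning with a precision better than the clocks deliver puts the worst-case arrival one microsecond past NWSZPKT, and the port, which waits for the slot rather than the frame, then has nothing to send.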