Fault-tolerant high-performance computer system for autonomous vehicle maneuvering

US 10,089,199 B2
Filed: 03/15/2017
Issued: 10/02/2018
Est. Priority Date: 03/16/2016
Status: Active Grant

First Claim

Patent Images

1. A fault-tolerant high-performance computer system (CS) for executing control processes for autonomous maneuvering of a vehicle, wherein a control process (COP) comprises tasks, the computer system (CS) comprising:

processors (S1, P1;

S2, P2) for executing the tasks of the control process (COP); and

a number n of fault-containment regions (FCR1, FCR2), with n≥

2, wherein each fault-containment region (FCR1, FCR2) comprises at least one processor constructed as safety-processor (S1, S2), and wherein at least one fault-containment region (FCR1, FCR2) additionally comprises at least one processor constructed as performance processor (P1, P2), and wherein in the case of a failure of one fault-containment region (FCR1, FCR2), or, for n≥

3, of the failure of one or more, at maximum n−

1, fault-containment regions, the computer system (CS) is configured to execute at least a specific set of tasks on the remaining, non-faulty fault-containment region or non-faulty fault-containment regions, wherein the tasks of said specific set of tasks are elected in such a way thatthe computer system (CS) remains capable of autonomous maneuvering or at least partially maneuvering the vehicle, orthe computer system (CS) is at least capable of bringing the vehicle into a safe state.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A fault-tolerant high-performance computer system is provided for executing control processes for autonomous maneuvering of a vehicle.

5 Citations

17 Claims

1. A fault-tolerant high-performance computer system (CS) for executing control processes for autonomous maneuvering of a vehicle, wherein a control process (COP) comprises tasks, the computer system (CS) comprising:
- processors (S1, P1;
  
  S2, P2) for executing the tasks of the control process (COP); and
  
  a number n of fault-containment regions (FCR1, FCR2), with n≥
  
  2, wherein each fault-containment region (FCR1, FCR2) comprises at least one processor constructed as safety-processor (S1, S2), and wherein at least one fault-containment region (FCR1, FCR2) additionally comprises at least one processor constructed as performance processor (P1, P2), and wherein in the case of a failure of one fault-containment region (FCR1, FCR2), or, for n≥
  
  3, of the failure of one or more, at maximum n−
  
  1, fault-containment regions, the computer system (CS) is configured to execute at least a specific set of tasks on the remaining, non-faulty fault-containment region or non-faulty fault-containment regions, wherein the tasks of said specific set of tasks are elected in such a way thatthe computer system (CS) remains capable of autonomous maneuvering or at least partially maneuvering the vehicle, orthe computer system (CS) is at least capable of bringing the vehicle into a safe state.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer system of claim 1, which comprises exactly two fault-containment regions (FCR1, FCR2).
  - 3. The computer system of claim 1, wherein exactly one of the fault-containment regions (FCR1) comprises a performance processor.
  - 4. The computer system of claim 1, wherein when the computer system (CS) does not exhibit a failure the processors (P1, S1) of at least one, so-called first, fault-containment region, preferably of exactly one, so-called first, fault-containment region (FCR1), which at least one first fault-containment region comprises at least one performance processor (P1) additionally to at least one safety processor (S1), execute specific tasks (Tp11, Tp12, Tp13;
    - Ts11, Ts12, Ts13), which tasks are completely describing the control process (COP) for autonomous maneuvering, and wherein said at least one performance processor (P1), when executing its tasks (Tp11, Tp12, Tp13), provides a specific functionality, the so-called first performance functionality, and said at least one safety processor (S1), when executing its tasks (Ts11, Ts12, Ts13), provides another functionality, the so-called first safety functionality.
  - 5. The computer system of claim 4, wherein the tasks of said specific set of tasks are elected such, that in the case that the at least one first fault-containment region (FCR1) is faulty,at least one, so-called second, safety-processor (S2) of at least one non-faulty, so-called second, fault-containment region (FCR2), by executing said specific set of tasks, delivers a functionality corresponding or identical to the first safety functionality, orat least one, so-called second, safety-processor (S2) of at least one non-faulty, so-called second, fault-containment region (FCR2), by executing said specific set of tasks, delivers a functionality corresponding or identical to the first safety functionality and part of the first performance functionality, orin the case that the at least one non-faulty, so-called second, fault-containment region (FCR2) comprises in addition to the at least one, so-called second, safety processor (S2) at least one, so-called second, performance processor (P2), the tasks of said specific set of tasks are elected such that by executing said specific set of tasks the processors (S2, P2) of the second fault-containment region (FCR2) can deliver the first safety functionality and part of the or the complete first performance functionality, wherein preferably the at least one second safety processor (S2) delivers the first safety functionality and the at least one second performance processor (P2) delivers the first performance functionality or part of the first performance functionality.
  - 6. The computer system of claim 1, wherein when the computer system (CS) does not exhibit a failure the processors (P1, S1) of at least one, so-called first, fault-containment region, preferably of exactly one, so-called first, fault-containment region (FCR1), which at least one first fault-containment region comprises at least one performance processor (P1) additionally to at least one safety processor (S1), together with at least one processor (S2, P2) of at least one, so-called second, fault-containment region (FCR2) execute specific tasks (Tp11, Tp12, Tp13;
    - Ts11, Ts12, Ts13, Ts21, Ts22, Ts23), which tasks are completely describing the control process (COP) for autonomous maneuvering, and wherein said at least one performance processor (P1), when executing its tasks (Tp11, Tp12, Tp13), provides a specific functionality, the so-called first performance functionality, and said at least one safety processor (S1), when executing its tasks (Ts11, Ts12, Ts13), provides another functionality, the so-called first safety functionality, and wherein the at least one safety processor (S2) of said at least one second fault-containment region (FCR2), when executing its tasks, provides a third functionality, the so-called second safety functionality, and wherein optionally said at least one second fault-containment region (FCR2) comprises at least one, so-called second, performance processor (P2), which at least one second performance processor (P2) delivers, when executing its tasks, a second performance functionality.
  - 7. The computer system of claim 6, wherein the tasks of said specific set of tasks are elected such, that in the case that the at least one second fault-containment region (FCR2) is faulty, the at least one first non-faulty fault-containment region (FCR1), by executing said specific set of tasks, delivers, in addition to the first safety functionality and to the first performance functionality, a functionality corresponding or identical to the second safety functionality.
  - 8. The computer system of claim 7, wherein the tasks of said specific task set are elected such that the at least one safety processor (S1) delivers, in addition to the first safety functionality, the second safety functionality.
  - 9. The computer system of claim 7, wherein the at least one second fault-containment region (FCR2) comprises in addition to the at least one second safety processor (S2) at least one second performance processor (P2), which at least one second performance processor (P2) delivers, when executing its tasks, a second performance functionality, in the case that said at least one second fault-containment region (FCR2) is faulty, the at least one first non-faulty fault-containment region (FCR1), by executing said specific set of tasks, delivers, in addition to the first safety functionality and in addition to the first performance functionality, a functionality corresponding or identical to the second safety functionality, and preferably an additional functionality, which is corresponding or identical to the second performance functionality, or which additional functionality delivers at least a part of the second performance functionality, wherein preferably the tasks of said specific task set are elected such that the at least one performance processor (P1) of the at least one non-faulty first fault-containment region (FCR1) delivers said additional functionality.
  - 10. The computer system of claim 6, wherein the tasks of said specific set of tasks are elected such, that in the case that the at least one first fault-containment region (FCR1) is faulty, the at least one second non-faulty fault-containment region (FCR2), by executing said specific set of tasks, in addition to the functionality or functionalities of its at least one processor (S2, P2), is configured to deliver a functionality corresponding or identical to the first safety functionality, wherein preferably the at least one second safety processor (S2), in addition to its second functionality, is configured to deliver the functionality corresponding or identical to the first safety functionality, wherein preferably the at least one second safety processor (S2) is configured to deliver part of the functionality of the first performance processor (P1) of the at least one first fault-containment region (FCR1).
  - 11. The computer system of claim 10, wherein the at least one second fault-containment region (FCR2) comprises in addition to the at least one second safety processor (S2) at least one second performance processor (P2) wherein the second performance processor (P2), in addition to its functionality, is configured to deliver at least part of the functionality of the first performance processor (P1) or the full functionality of the first performance processor (P1).
  - 12. The computer system of claim 1, wherein at least one of the fault-containment regions (FCR1, FCR2) is configured to exchange information with sensors and actuators in the vehicle via communication channels (104, 204).
  - 13. The computer system of claim 1, which comprises a communication subsystem (103, 203) for the exchange of information between the fault-containment regions (FCR1, FCR2).
  - 14. The computer system of claim 1, wherein the safety processors (S1, S2) of different fault-containment regions (FCR1, FCR2) are identical.
  - 15. The computer system of claim 1, wherein the performance processors (P1, P2) of different fault-containment regions (FCR1, FCR2) are identical.
  - 16. The computer system of claim 1, wherein the safety processors (S1, S2) of at least two different fault-containment regions (FCR1, FCR2) are different.
  - 17. The computer system that of claim 1, wherein the performance processors (P1, P2) of at least two different fault-containment regions (FCR1, FCR2) are different.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
TTTech Auto AG (TTTech Computertechnik AG)
Original Assignee
FTS Computertechnik GmbH
Inventors
Poledna, Stefan, Niedrist, Georg, Schmidt, Eric, Hoefler, Martin
Primary Examiner(s)
Butler, Sarai E

Application Number

US15/459,363
Publication Number

US 20170270014A1
Time in Patent Office

566 Days
Field of Search

714 11
US Class Current
CPC Class Codes

B60R 16/0232   for measuring vehicle param...

B60W 2050/0005   Processor details or data h...

B60W 2050/0006   Digital architecture hierarchy

B60W 50/00   Details of control systems ...

B60W 50/029   Adapting to failures or wor...

B60W 50/045   Monitoring control system p...

G05D 1/00   Control of position, course...

G05D 1/0077   using redundant signals or ...

G06F 11/0796   Safety measures, i.e. ensur...

G06F 11/203   using migration

G06F 11/2035   without idle spare hardware

G06F 11/2041   with more than one idle spa...

G06F 2201/805   Real-time

Fault-tolerant high-performance computer system for autonomous vehicle maneuvering

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

5 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Fault-tolerant high-performance computer system for autonomous vehicle maneuvering

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links