| CPC B60W 50/023 (2013.01) [B60W 50/0205 (2013.01); B60W 60/007 (2020.02); B60W 60/0015 (2020.02)] | 20 Claims |
|
1. A method for operating an automatically driving vehicle, comprising:
executing active software application instances according to a specified configuration over more than two computational nodes, forming a distributed computing setup, wherein the specified configuration provides predefined redundancy conditions and/or predefined segregation conditions with respect to the distributed computing setup;
monitoring the active application instances for a fault;
determine a fault in one of the active application instances;
in response to determining the fault, selectively switching a functionality of the active application instance having the fault to at least one redundant software application instance being executed on the computational nodes and reconfiguring the specified configuration to restore predefined redundancy conditions and/or predefined segregation conditions;
determining a safe state upon at least one of the following conditions:
one or more specified redundancy conditions cannot be met by the reconfiguration,
at least one segregation condition cannot be met by the reconfiguration,
a specified time for reconfiguration is exceeded, and
an unrecoverable malfunction has been recognized; and
in response to the safe state being determined, planning and executing an emergency trajectory.
|