Fault-tolerant method and device for controlling an autonomous technical system through diversified trajectory planning

We claim: 1. A method for controlling a technical process that is embedded in a changing environment, wherein the electronic system that implements the control system includes sensors, actuators and node computers, in particular a plurality of sensors, actuators and node computers, in particular a plurality of node computers, which exchange data via a real-time communication system, the method comprising: differentiating between complex and simple software; and implementing the complex software simultaneously on at least two independent data flow paths (DFP) ( 110 , 120 ), wherein each DFP cyclically monitors the technical process and its environment via sensors and builds a model of the technical process and its environment from the observed data using algorithms and conducts trajectory planning in order to create one or more possible trajectories that correspond to the predetermined destination setting under the given environmental conditions, wherein: the observed data are diverse and the algorithms used in the DFP are diverse, or the observed data are not diverse and the algorithms used in the DFP are diverse, or the observed data are diverse and the algorithms used in the DFP are not diverse, and wherein: the trajectories developed by the DFPs are given to a decider ( 150 ) for deciding, the decider ( 150 ) is executed using simple software, the decider ( 150 ) chooses a trajectory that is proposed by the majority of the DFPs, the decider ( 150 ) transmits the chosen trajectory to an actuator control, and the decider ( 150 ) is implemented on error-tolerant hardware. 2. The method according to claim 1 , wherein the trajectories given to the decider ( 150 ) are evaluated with respect to safety and effectiveness. 3. The method according to claim 1 , wherein the at least two independent data flow paths (DFP) ( 110 , 120 ) execute software processes that correspond to the predetermined destination setting and an additional DFP ( 130 ) has the task of guiding the technical process into a safe state, and wherein, in the event that the decider ( 150 ) finds no trajectory that corresponds to the predetermined destination, the trajectory is chosen that guides the technical process into a safe state. 4. The method according to claim 1 , wherein assemblies, meaning, for example, the node computers, the communications system, sensors, actuators, preferably all assemblies, have access to an error-tolerant global time and control of the data flow between the node computers is derived from the progression of the global time. 5. The method according to claim 1 , wherein data diversity in the DFPs is eliminated and the data received by the sensors is transmitted to a plurality of DFPs. 6. The method according to claim 1 , wherein algorithm diversity in the DFPs is eliminated and the same algorithms are used in all DFPs. 7. The method according to claim 1 , wherein the data diversity is improved by using different coordinate systems to represent the trajectories. 8. An electronic system for controlling a technical process that is embedded in a changing environment, the electronic system comprising: a plurality of sensors; a plurality of actuators; and a plurality of node computers, which exchange data via a real-time communication system, wherein: the system is configured to differentiate between complex and simple software, the complex software is configured to be simultaneously implemented on at least two independent data flow paths (DFP) ( 110 , 120 ), each DFP is configured to cyclically monitor the technical process and its environment via the sensors and to build a model of the technical process and its environment from the observed data using algorithms and to conduct trajectory planning in order to create one or more possible trajectories that correspond to the predetermined destination setting under the given environmental conditions, wherein the observed data are diverse and the algorithms used in the DFP are diverse, or the observed data are not diverse and the algorithms used in the DFP are diverse, or the observed data are diverse and the algorithms used in the DFP are not diverse, and a decider ( 150 ), which is implemented on error-tolerant hardware and executed using simple software, is configured to receive the trajectories developed by the DFPs, to choose a trajectory that is proposed by the majority of the DFPs, and to transmit the chosen trajectory to an actuator control.