Fault-tolerant method and device for controlling an autonomous technical system based on a consolidated model of the environment

We claim: 1. A method for controlling a technical process that is embedded in a changing environment, wherein an electronic system of an autonomous vehicle that implements a control system includes a plurality of sensors, actuators, and node computers, wherein the plurality of node computers exchange data in real-time, the method comprising: differentiating between complex software and simple software, wherein simple software comprises software in which an error rate required for ASIL D is attainable, and wherein complex software comprises software in which a probability for an occurrence of design errors corresponds to ASIL B; executing the complex software simultaneously on at least two independent data flow paths (DFP) ( 110 , 120 ), wherein each independent DFP cyclically monitors a technical process and the changing environment using the plurality of sensors and builds a model of the technical process and the changing environment from observed data by algorithms, wherein the observed data are diverse and the algorithms used in each independent DFP are diverse, or the observed data are not diverse and the algorithms used in each independent DFP are diverse, or the observed data are diverse and the algorithms used in each independent DFP are not diverse; and building, in a subsequent processing step, a single consolidated environmental model for trajectory planning, from a plurality of different environmental models using the simple software, which is executed on error-tolerant hardware. 2. The method according to claim 1 , wherein, if software for trajectory planning is simple, then non-redundant trajectory planning defines a trajectory in the single consolidated environmental model and target values corresponding to the trajectory planning are transmitted to an intelligent actuator control. 3. The method according to claim 1 , wherein, if software for trajectory planning is complex, then at least two different trajectory plannings ( 241 , 242 , 243 ) in the consolidated environmental model define one or more trajectories for achieving an objective and transmit these trajectories to a simple decider ( 250 ) for selection. 4. The method according to claim 3 , wherein the at least two trajectory plannings ( 241 , 242 , 243 ) evaluate the trajectories from the standpoint of achieving the objective and safety. 5. The method according to claim 3 , wherein the decider ( 250 ) selects a trajectory that has been proposed by the at least two trajectory plannings, and the decider ( 250 ) evaluates the target values for the actuators and transmits them to an intelligent actuator control ( 160 ). 6. The method according to claim 3 , wherein the trajectory planning and the decider ( 250 ) are executed on error-tolerant hardware. 7. The method according to claim 3 , wherein the decider ( 250 ) is executed on error-tolerant hardware. 8. The method according to claim 1 , wherein data diversity in each of the independent DFPs is eliminated and data received by the sensors is transmitted to a plurality of the at least two independent DFPs. 9. The method according to claim 1 , wherein algorithm diversity in the at least two independent DFPs is omitted and the same algorithms are used in all of the at least two independent DFPs. 10. The method according to claim 8 , wherein the data diversity is improved by using different coordinate systems to represent the trajectories. 11. The method according to claim 1 , wherein the plurality of the sensors, the actuators, and the node computers have access to an error-tolerant global time and control of the data flow between the plurality of node computers is derived from the progression of the global time. 12. An electronic system of an autonomous vehicle for controlling a technical process that is embedded in a changing environment, the electronic system comprising: a plurality of sensors; a plurality of actuators; and a plurality of node computers, which exchange data in real-time, wherein: the electronic system is configured to differentiate between complex and simple software, wherein simple software comprises software in which an error rate required for ASIL D is attainable, and wherein complex software comprises software in which a probability for an occurrence of design errors corresponds to ASIL B, the complex software is configured to be simultaneously executed on at least two independent data flow paths (DFP) ( 110 , 120 ), each DFP is configured to cyclically monitor the technical process and the changing environment using the sensors and to build a model of the technical process and the changing environment from observed data by algorithms, wherein the observed data are diverse and the algorithms used in each DFP are diverse, or the observed data are not diverse and the algorithms used in each DFP are diverse, or the observed data are diverse and the algorithms used in each DFP are not diverse, and the system is configured to build, in a subsequent processing step, a single consolidated environmental model for trajectory planning, from a plurality of different environmental models, using the simple software which is executed on error-tolerant hardware. 13. A method for controlling a trajectory of a controllable autonomous vehicle in a changing environment, the method comprising: providing an electronic system that implements a control system for controlling the controllable autonomous vehicle, wherein the electronic system includes a plurality of sensors, actuators, and node computers which are configured to exchange data in real-time, and wherein the electronic system includes both complex software and simple software and is configured to differentiate between the complex software and the simple software, wherein simple software comprises software in which an error rate required for ASIL D is attainable, and wherein complex software comprises software in which a probability for an occurrence of design errors corresponds to ASIL B; executing the complex software simultaneously on at least two independent data flow paths, wherein each independent data flow path (DFP) cyclically monitors a technical process of the control system and the changing environment using the plurality of sensors and builds a model of the technical process and the changing environment from observed data using algorithms, wherein (i) the observed data are diverse and the algorithms used in each independent DFP are diverse, (ii) the observed data are not diverse and the algorithms used in each independent DFP are diverse, or (iii) the observed data are diverse and the algorithms used in each independent DFP are not diverse; and building a single consolidated environmental model for planning a trajectory of the controllable autonomous vehicle from a plurality of different environmental models using the simple software, which is executed on error-tolerant hardware. 14. The method of claim 13 , further comprising implementing a plurality of different versions of trajectory planning to produce two or more proposals for a trajectory for the controllable autonomous vehicle, and then using a decider to select, based on the proposals, a trajectory for the controllable autonomous vehicle. 15. The method of claim 14 , further comprising calculating target values for implementing the selected trajectory and submitting the target values to actuators.