Fail-Safe EE Architecture for Automated Driving

What is claimed is: 1 . A system comprising: a first computer unit having an first interface configured to connect to a sensor and to an actuator; a second computer unit having an second interface configured to connect to the sensor and to the actuator; and an third interface configured to connect the first computer unit and the second computer unit to each other, wherein at least one of the first computer unit, the second computer unit, and the actuator are configured to determine whether one of the first computer unit and the second computer unit can effectively activate the actuator. 2 . The system as claimed in claim 1 , wherein the actuator has a fourth interface, the fourth interface being configured to control, based on one of a first operating state and a second operating state, whether a control command for a driving function from one of the first computer unit and the second computer unit is adopted, such that in the first operating state only the first computer unit can activate the actuator and in the second operating state only the second computer unit can activate the actuator. 3 . The system as claimed in claim 1 , wherein: during correct operation of the first computer unit, a first operating state is active and only the first computer unit can effectively activate the actuator; and in the event of a malfunction of the first computer unit, a second operating state is active and only the second computer unit can effectively activate the actuator. 4 . The system as claimed in claim 1 , wherein, in a first operating state, the second computer unit is configured to perform a test method. 5 . The system as claimed in claim 4 , wherein the test method tests a communication between the second computer unit and the first computer unit. 6 . The system as claimed in claim 4 , wherein the test method tests a communication between the second computer unit and the actuator. 7 . The system as claimed in claim 4 , wherein the test method checks an operation of the second computer unit. 8 . The system as claimed in claim 1 , wherein the actuator is configured to, in the response to a malfunction of at least one of the first computer unit and the second computer unit, operate in one of a safety function and a safety position. 9 . The system as claimed in claim 1 , further comprising: two actuator controllers, the two actuator controllers being configured to work in conjunction with the actuator, each actuator controller being connected to the first computer unit and the second computer unit. 10 . The system as claimed in claim 1 , wherein the first computer unit and the second computer unit are configured to be supplied with electrical power from separate electrical power supply systems. 11 . The system as claimed in claim 1 , wherein the first computer unit is configured to provide at least input data to the second computer unit for a test method for checking for correct operation. 12 . The system as claimed in claim 1 , wherein: the first computer unit is configured to (i) compute an automated driving function and (ii) transmit the computed automated driving function to the second computer unit; and the second computer unit is configured to (i) independently compute a automated driving function that is the same as the automated driving function that was computed by the first computer unit, (ii) compare the independently computed automated driving function with the automated driving function that was transmitted by the first computer unit, and (iii) check for a malfunction of the second computer unit based on the comparison. 13 . The system as claimed in claim 1 , further comprising: at least a first sensor and a second sensor configured to redundantly measure a same parameter, the first computer unit being connected to the first sensor and the second computer unit being connected to the second sensor. 14 . The system as claimed in claim 13 , further comprising: a plurality of sensors are provided, the first computer unit and the second computer unit each being connected to an overlapping set of the plurality of sensors, all of the plurality of sensors being connected at least one of the first computer unit and the second computer unit. 15 . The system as claimed in claim 1 , further comprising: a human-machine interface configured to transfer a handover request for performance of an automated driving function by means of separate interfaces to the first computer unit and the second computer unit, the first computer unit and the second computer unit being configured to mutually and separately indicate a takeover of the automated driving function to the human-machine interface, the human-machine interface being configured to only transfer the automated driving function to the first computer unit if each of first computer unit and the second computer unit indicate that they are operating correctly and can perform the automated driving function. 16 . The system as claimed in claim 15 , wherein: the first computer unit is configured to send a takeover to the human-machine interface if (i) the first computer unit assesses itself to be operational and (ii) the first computer unit has received from the second computer unit an indication that the second computer unit also assesses itself to be operational; and the second computer unit is configured to send a takeover to the human-machine interface if (i) the second computer unit assesses itself to be operational and (ii) the second computer unit receives from the first computer unit an indication that the first computer unit also assesses itself to be operational. 17 . The system as claimed in claim 1 , wherein, in a second operating state in which the second computer unit is performing an automated driving function, the performance of the automated driving function is handed back to the first computer unit if the first computer unit indicates that it is operational again. 18 . The system as claimed in claim 17 , wherein the handing back of the automated driving function to the first computer unit is limited to at least one of specified malfunctions and specified driving functions. 19 . A method for the operation of a system having a first computer unit and a second computer unit, the first computer unit having an first interface configured to connect to a sensor and to an actuator, the second computer unit having an second interface configured to connect to the sensor and to the actuator, the system further having a third interface configured to connect the first computer unit and the second computer unit to each other, the method comprising: controlling, with at least one of the first computer unit, the second computer unit, and the actuator, whether one of the first computer unit and the second computer unit can effectively activate the actuator.