Seamless and safe upgrade of software intensive systems during operation

What is claimed: 1 . A computer-implemented method for upgrading at least one service of a plurality of services performed on a technical system, the technical system comprising at least one actuator, wherein the plurality of services is configured to provide an output that controls the at least one actuator in response to an input to the technical system, wherein the computer-implemented method comprises: a. deploying at least one updated version of the at least one service on the technical system while maintaining a previous version of the service on the technical system, wherein the updated version of the at least one service is prevented from controlling the at least one actuator and deploying a test probe module for testing the performance of the at least one updated version of the at least one service on the technical system; b. operating the test probe module on the technical system to test a performance of the at least one updated version of the at least one service on the technical system with respect to predetermined criteria; c. determining that the performance of the at least one updated version of the at least one service complies with the predetermined criteria; d. disabling a control of the previous service for the at least one actuator; and e. enabling the control of the deployed updated version for the at least one actuator. 2 . The computer-implemented method according to claim 1 , wherein the previous service is maintained in the technical system as a fallback. 3 . The computer-implemented method according to claim 1 , wherein the disabling further comprises determining whether performing steps e and f is in accordance with operation limits of the technical system. 4 . The computer-implemented method according to claim 3 , wherein determining whether performing steps e and f is in accordance with operation limits of the technical system comprises determining a predetermined time limit of system downtime, an acceptable impact on availability, or/and an acceptable risk of failure. 5 . The computer-implemented method according to claim 4 , wherein a point in time for performing steps e and f is determined. 6 . The computer-implemented method according to claim 1 , wherein at least two updated versions of the service are employed, and in step d is determined which of the at least two versions complies best with the predetermined criteria and in step f enabling the control of the outputs of the deployed updated version of the at least two deployed updated versions which complies best with the predetermined criteria. 7 . The computer-implemented method according to claim 1 , further comprising disabling control of the at least one actuator by the deployed at least one updated version of the service and enabling control of the at least one actuator by the previous version of the service, when a second set of predetermined criteria are not complied with by the deployed at least one updated version of the service. 8 . The computer-implemented method according to claim 1 , further comprising removing the previous version of the service from the technical system, when a second set of predetermined criteria are complied with by the deployed at least one updated version of the service. 9 . The computer-implemented method according to claim 7 , wherein the second set of criteria relate to the performance of the system when being controlled by the deployed updated version of the service program. 10 . The computer-implemented method according to claim 1 , wherein the test probe module can provide and/or manipulate input data, receive data from an sensor proxy, a control logic and an actuator proxy module of the service. 11 . A data carrier containing instructions to perform the method as defined in claim 1 , when operated on a computer system. 12 . A computer implemented system comprising a processor for performing a plurality of services, wherein the services process input data to output data, the output data controlling the action of at least one actuator, wherein each of the services is configured to comprise: a. a sensor proxy module for receiving input data; b. a control logic module for processing the input data to output data; c. an actuator proxy module for outputting the data to control the at least one actuator; d. a test probe module being operatively connected to data sensors and the data sensors providing data from the sensor proxy module, control logic module, and actuator proxy module to the test probe module, the test probe module configured to manipulate, check, and monitor the data of the sensor proxy module, control logic module, actuator proxy module; e. an authority determination module for determining a performance level of a first service and configured to receive input provided by the test probe module and provided by the authority determination module of a second service of the system, the second service being a different version of the first service; f. a primary activator module for calculating a time point for a handover from the first to the second service and for activating the second service and operatively connected to the authority determination module and the test probe module and configured to receive input from the primary activator module of the second version of the service of the system. 13 . The computer implemented system according to claim 12 , wherein in the first version of the service the sensor proxy module, the control logic module, and the actuator proxy module are functionally connected with each other. 14 . The computer implemented system according to claim 12 , wherein in the second version of the service the sensor proxy module and the control logic module are functionally connected with each other, and the control logic module and the actuator proxy module are not functionally connected with each other. 15 . The computer implemented system according to claim 12 , wherein the test probe module comprises a data commander module, a probe data module, a data area, and a service data module. 16 . The computer implemented system according to claim 12 , configured to perform a method for upgrading at least one service of the plurality of services performed on the system.