CN103019904A - Non-destructive fault injection method for supporting fault tolerance verification of on-board redundancy computer

Info

Publication number
CN103019904A
CN103019904A
Authority
CN
China
Prior art keywords
fault
fault injection
handling routine
instruction
interrupt handling
Prior art date
Legal status
Granted
Application number
CN2012105794840A
Other languages
Chinese (zh)
Other versions
CN103019904B (en)
Inventor
王萌
陈宣文
陈益
马小博
王国静
李亚锋
程俊强
Current Assignee
AVIC No 631 Research Institute
Original Assignee
AVIC No 631 Research Institute
Priority date
Filing date
Publication date
Application filed by AVIC No 631 Research Institute
Priority to CN201210579484.0A
Publication of CN103019904A
Application granted
Publication of CN103019904B
Legal status: Active

Links

Landscapes

  • Hardware Redundancy (AREA)
  • Test And Diagnosis Of Digital Computers (AREA)

Abstract

The invention provides a non-destructive fault injection method for supporting fault tolerance verification of an on-board redundancy computer. A main program of a channel of the on-board redundancy computer is taken as the target object for injecting a fault. The non-destructive fault injection method includes the steps that a fault injection interaction terminal edits fault content and sends a fault injection command to a fault injection interrupt handling routine; the fault injection interaction terminal sends a fault injection interrupt request and enables the fault injection interrupt handling routine through interrupt interlock control; and the fault injection interrupt handling routine is executed. The non-destructive fault injection method enables the on-board redundancy computer to have the capability of supporting fault tolerance verification and can realize non-destructive fault injection in a fault simulation experiment on the basis of not causing any physical damage and not destructing the reliability and the safe performance characteristic of a product.

Description

Non-destructive fault injection method for supporting fault tolerance verification of an on-board redundancy computer
Technical field
The present invention relates to a fault injection method that supports fault tolerance verification of an on-board redundancy computer.
Background technology
Aircraft on-board control systems that are closely tied to flight safety commonly use a multi-channel redundancy computer with fault-tolerant capability to improve functional reliability and to guarantee reliable execution of core functions, for example a triple-channel redundancy computer with single-fault/operate capability or a four-channel redundancy computer with dual-fault/operate capability. The fault tolerance of such a multi-channel redundancy computer platform has to be verified by fault simulation, i.e. a fault simulation test: faults are injected into some of the computing channels of the redundancy computer to verify its ability to identify, contain and isolate the fault and to switch over to redundant components. How the faults can be injected is the key question that decides whether the fault simulation test can be carried out at all. The usual methods are: method 1, physical-damage injection; method 2, fault injection through a fault injection circuit designed into the redundancy computer itself; method 3, using the computer's interrupt service facility to alter internal data. Method 1 is a destructive product test and is costly. Method 2, although not directly destructive, necessarily raises the product's calculated failure rate because of the added fault injection circuit (directly lowering the basic reliability MTBF figure) and additionally consumes power, weight, space and other system resources. Method 3 has advantages over the first two but carries a potential safety hazard: if the interrupt service routine is triggered abnormally during operation and corrupts valid real-time data, the consequences are hard to imagine. Therefore, given the operating characteristics of an airborne system, fault injection into a redundancy computer should be a "non-destructive" mode that causes no physical damage and does not trade away product reliability or safe operating characteristics.
Summary of the invention
The purpose of the present invention is to provide a non-destructive fault injection method for verifying the fault tolerance of a multi-channel redundancy computer in an airborne safety-critical system. The method takes method 3 of the background as its basis, removes the safety hazard through a combined hardware and software design, and has the interrupt service routine use command communication to realize "non-destructive" fault injection into the redundancy computer.
In this non-destructive fault injection method for supporting fault tolerance verification of an on-board redundancy computer, the main program of a channel of the on-board redundancy computer is the target object into which faults are injected, and the method comprises:
the process in which the fault injection interactive terminal edits the fault content and sends a fault injection command to the fault injection interrupt handling routine;
the process in which the fault injection interactive terminal sends a fault injection interrupt request and the fault injection interrupt handling routine is enabled through the interrupt interlock control;
the process of executing the fault injection interrupt handling routine, which mainly performs the following three steps:
first, determine whether the interlock hardware condition that permits fault injection is satisfied; if it holds, continue with the subsequent program, otherwise output status information through the communication interface and exit the interrupt handling routine directly;
then, after the interrupt handling routine has received, through the communication interface, the fault injection command sent by the fault injection interactive terminal, check the command content; if the command check passes, continue with the subsequent program, otherwise output status information through the communication interface and exit the interrupt handling routine directly;
finally, perform command identification on the fault command that passed the check; if identification succeeds, carry out the fault injection; if what the fault injection interactive terminal sent is an "exit interrupt" command or an illegal command, output status information through the communication interface and then exit the interrupt handling routine.
The method above can further be refined as follows:
whether the interlock hardware condition is satisfied is determined by the interrupt interlock control, so that continuing to the subsequent program is allowed only when three states hold at the same time: the fault interrupt enable is valid, the weight-on-wheels signal indicates that the aircraft is on the ground, and the ground enable signal is valid.
The present invention has the following advantages:
1. it gives the on-board redundancy computer the capability to support fault tolerance verification, and in the fault simulation test it realizes "non-destructive" fault injection that causes no physical damage and does not trade away product reliability or safe operating characteristics;
2. the design is simple and clear, is feasible in engineering terms and can be widely applied.
Description of drawings
Fig. 1 is a schematic diagram of the principle of the present invention (shown for any one channel).
Embodiment
As shown in the figure, the technical scheme of the present invention consists of 4 parts: the main program of the redundancy computer channel, which is the target object of the fault injection; the fault injection interrupt service routine with its safety mechanism, an embedded software tool residing in the redundancy computer channel that carries out the fault injection; the fault injection interactive terminal used to edit the fault content, which together with the server that sends the fault injection commands and interrupt requests forms the fault injection simulation environment; and the fault injection interrupt interlock control.
This scheme mainly adopts a dual-protection strategy combining hardware and software design to ensure that the fault injection interrupt routine runs safely and reliably. On the hardware side, to prevent false triggering of the interrupt request, an "enable/mask" mechanism in the redundancy computer channel controls the generation of the fault injection interrupt request: only when the fault interrupt enable is valid, the weight-on-wheels signal indicates that the aircraft is on the ground and the ground enable signal is valid, all three at the same time, is the fault injection interrupt request sent by the external fault simulation environment passed on to the interrupt controller inside the redundancy computer channel; otherwise the external interrupt request signal is masked. This effectively prevents the fault injection interrupt service routine from being triggered by accident at the hardware input stage and starting to execute.
On the software side, the flow of the fault injection interrupt service routine is hardened to preserve safe operating characteristics, with three hardening measures aimed at false triggering, communication errors and illegal commands respectively: 1. at the very start of the interrupt service routine, as in the figure, first determine whether the interlock hardware condition that permits fault injection is satisfied; if it holds, continue with the fault injection operation program, otherwise output status information through the communication interface (telling the server why the fault interrupt exited) and exit the interrupt service routine directly; this is a software-side hardening measure added to guard against a false interrupt trigger caused by a failure of the hardware-input-stage interlock control. 2. After the interrupt service routine has received, through the communication interface, the fault injection command sent by the server, it checks the command content; if the check passes it continues with the subsequent program, otherwise it outputs status information through the communication interface (telling the server why the fault interrupt exited) and exits the interrupt service routine directly; this step keeps the subsequent program from executing an erroneous fault command produced by a communication link anomaly. 3. Command identification is further performed on the fault command that passed the check; if what the server sent is an "exit interrupt" command or an illegal command (a fault injection command list is defined in the fault interrupt service routine, and any received command outside that list is regarded as illegal), status information is output through the communication interface (telling the server why the fault interrupt exited) and the interrupt service routine then exits; this effectively prevents an illegal command from causing an out-of-bounds operation. Only after passing these 3 steps does the interrupt service routine carry out the fault injection operation.
The technical means above show that adopting the present invention does not impair the safety of the injection target, the redundancy computer itself.
The hardware involved in the present invention on the redundancy computer side comprises: the interrupt input, the discrete inputs (interrupt enable, weight-on-wheels, ground enable), the interlock control logic circuit and the fault injection command communication link. The discrete inputs and the interrupt input are intrinsic resources of the on-board redundancy computer channel itself; the interlock control logic can be implemented directly in the large-scale programmable logic circuit already inside the computer; and the command communication link can directly use the computer's own development and debugging communication interface. Implementing this technique therefore requires no extra hardware circuit resources and does not raise the calculated failure rate of the redundancy computer itself, so its basic reliability figure is not impaired.
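To make the three software-side checks of the interrupt service routine concrete, here is an added example in C. It is not part of the patent and not AVIC's implementation: it models the hardware "enable/mask" gate over the three discretes and a fault injection handler that runs the interlock check, the command check and the command identification before it touches a stand-in data area. The five-byte command frame, the XOR checksum, the opcode values, the status codes and the range check on the target offset are all assumptions made for this example; the patent specifies no frame format or command list contents.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The three discrete inputs that form the interlock condition in the patent. */
typedef struct {
    int fault_irq_enable;  /* fault interrupt enable */
    int weight_on_wheels;  /* weight-on-wheels signal: aircraft is on the ground */
    int ground_enable;     /* ground enable signal from the test side */
} interlock_t;

/* Constructed command frame (assumption, not from the patent): opcode,
 * 16-bit target offset, 8-bit operand, XOR checksum over the first 4 bytes. */
typedef struct {
    uint8_t opcode, addr_hi, addr_lo, value, checksum;
} fi_cmd_t;

/* Assumed opcodes: the "fault injection command list" the ISR recognises. */
enum { CMD_WRITE_BYTE = 0x10, CMD_FLIP_BIT = 0x11, CMD_EXIT = 0xEE };

/* Status reported over the communication interface before the ISR exits. */
typedef enum {
    FI_INJECTED = 0,
    FI_EXIT_INTERLOCK,   /* step 1: interlock condition not met */
    FI_EXIT_CHECKSUM,    /* step 2: command failed its check */
    FI_EXIT_REQUESTED,   /* step 3: "exit interrupt" command */
    FI_EXIT_ILLEGAL      /* step 3: not in the list, or operand out of range */
} fi_status_t;

#define TARGET_SIZE 64
/* Stand-in for the data area of the channel main program (the injection target). */
static uint8_t target_data[TARGET_SIZE];

/* Hardware side: the "enable/mask" gate. The external IRQ reaches the
 * interrupt controller only when all three discretes are valid together. */
int interlock_permits(const interlock_t *il)
{
    return il->fault_irq_enable && il->weight_on_wheels && il->ground_enable;
}

uint8_t fi_checksum(const fi_cmd_t *c)
{
    return (uint8_t)(c->opcode ^ c->addr_hi ^ c->addr_lo ^ c->value);
}

/* Builds a well-formed frame, as the terminal side would. */
fi_cmd_t fi_make_cmd(uint8_t opcode, uint16_t offset, uint8_t value)
{
    fi_cmd_t c;
    c.opcode = opcode;
    c.addr_hi = (uint8_t)(offset >> 8);
    c.addr_lo = (uint8_t)(offset & 0xFF);
    c.value = value;
    c.checksum = fi_checksum(&c);
    return c;
}

static int opcode_listed(uint8_t op)
{
    static const uint8_t list[] = { CMD_WRITE_BYTE, CMD_FLIP_BIT, CMD_EXIT };
    for (size_t i = 0; i < sizeof list; i++)
        if (list[i] == op) return 1;
    return 0;
}

/* Software side: the fault injection ISR with its three checks.  The returned
 * status stands in for "output status information through the communication interface". */
fi_status_t fault_injection_isr(const interlock_t *il, const fi_cmd_t *cmd)
{
    /* Step 1: re-evaluate the interlock in software in case the hardware gate failed. */
    if (!interlock_permits(il)) return FI_EXIT_INTERLOCK;
    /* Step 2: check the command content before acting on it. */
    if (fi_checksum(cmd) != cmd->checksum) return FI_EXIT_CHECKSUM;
    /* Step 3: identify the command; exit on "exit interrupt" or anything unlisted. */
    if (cmd->opcode == CMD_EXIT) return FI_EXIT_REQUESTED;
    if (!opcode_listed(cmd->opcode)) return FI_EXIT_ILLEGAL;
    uint16_t off = (uint16_t)((cmd->addr_hi << 8) | cmd->addr_lo);
    if (off >= TARGET_SIZE) return FI_EXIT_ILLEGAL;  /* assumed: out-of-range operand is illegal */

    /* Only now is the fault actually injected into the target area. */
    if (cmd->opcode == CMD_WRITE_BYTE) target_data[off] = cmd->value;
    else target_data[off] ^= (uint8_t)(1u << (cmd->value & 7));
    return FI_INJECTED;
}

uint8_t fi_target_byte(uint16_t off)
{
    return off < TARGET_SIZE ? target_data[off] : 0;
}

int main(void)
{
    interlock_t in_flight = { 1, 0, 1 };   /* weight-on-wheels not set: request masked */
    interlock_t on_ground = { 1, 1, 1 };
    fi_cmd_t write5 = fi_make_cmd(CMD_WRITE_BYTE, 5, 0xA5);
    printf("in flight: status %d\n", fault_injection_isr(&in_flight, &write5));
    printf("on ground: status %d, byte 5 = 0x%02X\n",
           fault_injection_isr(&on_ground, &write5), fi_target_byte(5));
    write5.value ^= 0x01;   /* simulate a corrupted link */
    printf("corrupted frame: status %d\n", fault_injection_isr(&on_ground, &write5));
    return 0;
}
```

The point of keeping `interlock_permits` as the first statement of the handler, even though the same discretes already gate the interrupt line in hardware, is the patent's "dual protection": a stuck interlock circuit cannot by itself let the handler modify channel data. The checksum and the opcode list then separately reject a frame damaged on the link and a frame the handler was never designed for, so no path reaches the write without passing all three checks.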

Claims (2)

1. A non-destructive fault injection method for supporting fault tolerance verification of an on-board redundancy computer, wherein the main program of a channel of the on-board redundancy computer is the target object into which faults are injected, and the non-destructive fault injection method comprises:
the process in which the fault injection interactive terminal edits the fault content and sends a fault injection command to the fault injection interrupt handling routine;
the process in which the fault injection interactive terminal sends a fault injection interrupt request and the fault injection interrupt handling routine is enabled through the interrupt interlock control;
the process of executing the fault injection interrupt handling routine, which mainly performs the following three steps:
first, determine whether the interlock hardware condition that permits fault injection is satisfied; if it holds, continue with the subsequent program, otherwise output status information through the communication interface and exit the interrupt handling routine directly;
then, after the interrupt handling routine has received, through the communication interface, the fault injection command sent by the fault injection interactive terminal, check the command content; if the command check passes, continue with the subsequent program, otherwise output status information through the communication interface and exit the interrupt handling routine directly;
finally, perform command identification on the fault command that passed the check; if identification succeeds, carry out the fault injection; if what the fault injection interactive terminal sent is an "exit interrupt" command or an illegal command, output status information through the communication interface and then exit the interrupt handling routine.
2. The non-destructive fault injection method according to claim 1, characterized in that whether said interlock hardware condition is satisfied is determined by said interrupt interlock control, so that continuing to the subsequent program is allowed only when three states hold at the same time: the fault interrupt enable is valid, the weight-on-wheels signal indicates that the aircraft is on the ground, and the ground enable signal is valid.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210579484.0A CN103019904B (en) 2012-12-27 2012-12-27 Non-destructive fault injection method for supporting fault tolerance verification of on-board redundancy computer

Publications (2)

Publication Number Publication Date
CN103019904A true CN103019904A (en) 2013-04-03
CN103019904B CN103019904B (en) 2015-09-30

Family

ID=47968533

Country Status (1)

Country Link
CN (1) CN103019904B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105446887A (en) * 2016-01-11 2016-03-30 中国科学院光电研究院 Satellite-borne embedded data communication fault dynamic injection system and method based on digital virtual technology
CN105528284A (en) * 2014-09-28 2016-04-27 华为技术有限公司 Kernel fault injection method and electronic device
CN108226662A (en) * 2016-12-14 2018-06-29 中国航空工业集团公司西安航空计算技术研究所 An airborne computer failure prediction method
CN114374894A (en) * 2022-01-21 2022-04-19 北京航空航天大学东营研究院 Method for improving flight verification data integrity of unmanned aerial vehicle

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102760098A (en) * 2012-06-13 2012-10-31 北京航空航天大学 Processor fault injection method oriented to BIT software test and simulator thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
朱鹏: "Research on fault injection techniques for spaceborne SAR control software", China Master's Theses Full-text Database, Information Science and Technology series, no. 1, 15 March 2005 (2005-03-15) *
罗宗扬: "Design and implementation of a JTAG-based CPU fault injection tool", China Master's Theses Full-text Database, Information Science and Technology series, no. 5, 15 May 2012 (2012-05-15) *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant