EP4127934A1 - Method and safety system for executing safety functions - Google Patents

Method and safety system for executing safety functions

Info

Publication number
EP4127934A1
Authority
EP
European Patent Office
Prior art keywords
result data
data stream
forwarding device
result
link
Legal status
Pending
Application number
EP21721402.2A
Other languages
German (de)
English (en)
Inventor
Rainer Mattes
Thomas Waschulzik
Reiner Heilmann
Frank Poignee
Igor ARNDT
Vitali Schneider
Current Assignee
Siemens Mobility GmbH
Original Assignee
Siemens Mobility GmbH

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1629 Error detection by comparing the output of redundant processing systems
    • G06F11/1641 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
    • G06F11/1645 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components and the comparison itself uses redundant hardware
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • the project that led to this application received support from Shift2Rail Joint Undertaking (JU) under Grant Agreement No. 826098.
  • JU receives support from the European Union's Horizon 2020 research and development program and from members of the Shift2Rail Joint Undertaking that are not members of the European Union.
  • the invention relates to a method for performing safety functions of a safety-related system.
  • the safety-oriented system comprises two computing devices, a forwarding device and a communication network.
  • the procedure includes:
  • the link logic being a bit-wise link.
  • the invention is based on the knowledge that in previous solutions to achieve a safety-oriented system, individual hardware expansions were provided and dependencies with regard to the electrical wiring of these expansions had to be taken into account.
  • the extensions and dependencies are usually very complex.
  • the invention is based on the knowledge that previous solutions for processing security functions with high security requirements have the disadvantage that the hardware fault tolerance (HFT) of the computing devices is often insufficient.
  • HFT: hardware fault tolerance
  • proving the reliability of error-monitoring measures against random errors is often complex. This means that the proof of safety has to be repeated with every expansion or change to the hardware, software and the associated operating system. While this repetition of the proof of safety can be carried out with reasonable effort for microcontrollers, the renewed verification of microprocessor systems is highly complex and can rarely be carried out in a simplified manner.
  • a core concept of the invention is to replace a single hardware component that meets high security requirements with at least two computing devices that only have to meet a lower security requirement.
  • the high security requirement is met by the overall system in that the calculation result data streams are linked bit by bit. The bit-by-bit link ensures systematic error propagation in the event that the two computation result data streams are different (although they would have to be the same if the computation was error-free).
  • the solution according to the invention has the significant advantage that previous systems are simplified in structure (or the complexity is reduced). This reduces development effort and systems with a high level of security can be produced cost-effectively and with less development risk. This also reduces the costs for approval, since the structure of the overall system can be conveyed to the expert more easily and therefore with less effort and the correct function can be verified.
  • Another essential advantage of the solution according to the invention is that the network bandwidth does not have to be increased by using two simpler subsystems.
  • the forwarding device only has to store the received computation result data streams for a short time with a suitable system configuration and consequently any costs for the storage are comparatively low.
  • the computing devices are preferably each designed as terminal devices that are connected to the communication network in terms of data technology. More preferably, the computing devices are designed as a control unit, more preferably as a central control unit (CCU: Central Control Unit).
  • CCU: Central Control Unit
  • the computing devices are data-technically connected to the forwarding device, for example via the communication network.
  • the calculation by the computing devices is preferably used to perform the task as part or object of one of the safety functions of the safety-related system.
  • the computing devices preferably perform the task independently and in parallel.
  • the computing devices are designed essentially the same, for example.
  • the computation result data stream is preferably implemented according to the rules of so-called Safe Data Transmission (SDT). Version 2 of the Safe Data Transmission protocol is described, for example, in Appendix B of IEC 61375-2-3.
  • the computation result data stream is preferably implemented according to the rules of version 4 of the Safe Data Transmission protocol. Version 4 enables safety integrity level 4 and is described, for example, on page 12 of the document available at https://safe4rail.eu/downloads/technical-seminar-brussels/03-Drive-by-Data.pdf.
  • the forwarding device provides the link result data stream to the communication network, preferably to the effect that the link result data stream is transmitted to a further communication subscriber via the communication network.
  • the forwarding device does not provide any of the computation result data streams if the link is executed correctly.
  • the forwarding device preferably processes the first incoming computation result data stream and temporarily stores it.
  • the forwarding device also preferably processes the second incoming computation result data stream and temporarily stores it.
  • the buffered computation result data streams are then linked bit by bit.
  • the above-mentioned object is also achieved by a further method according to the invention for executing safety functions of a safety-oriented system.
  • the safety-oriented system comprises two computing devices, a forwarding device and a receiving device.
  • the procedure includes:
  • each computing device falsifies the result in such a way that (a) the receiving device recognizes this falsification and (b) the falsification is canceled when linking according to the linking logic.
  • This further method according to the invention is based on the knowledge that an error can occur in the link.
  • the forwarding device transmits one of the two computation result data streams to the receiving device instead of the link result data stream.
  • the above-described error can be recognized by the receiving device.
  • if the falsification is not canceled by linking in accordance with the linking logic, the falsified computation result data stream is forwarded to the receiving device.
  • the receiving device can recognize or detect the falsification with a residual error probability.
  • the further method according to the invention also has the advantage that an error in the link is recognized by the receiving device.
  • the forwarding device must therefore achieve a lower level of reliability than in previous solutions. This results in further technical and organizational advantages.
  • the forwarding device is a component of a system that is to achieve a certain safety level, yet it does not itself have to be approved for this safety level.
  • the receiving device preferably detects the falsification in the event that the forwarding device forwards one of the two calculation result data streams instead of the linkage result data stream for transmission to the receiving device.
  • the computation result data stream is preferably implemented according to the rules of so-called Safe Data Transmission (SDT). Version 2 of the Safe Data Transmission Protocol is described, for example, in Appendix B of IEC 61375-2-3.
  • the computation result data stream is preferably implemented according to the rules of version 4 of the Safe Data Transmission protocol.
  • a special feature of this safety protocol is that a reserved area is provided in which the falsification can be made.
  • the reserved area is, for example, the area of the SDTv4 VDP (VDP: Vital Data Packet) called "reserved01" on page 12 of the document available at https://safe4rail.eu/downloads/technical-seminar-brussels/03-Drive-by-Data.pdf. In other words: when SDTv4 is used, the corruption is made in the safety trailer or safety header.
  • the user data area can be expanded by one or more bytes.
  • the falsification can be carried out in this expanded area.
  • the additional bytes are pre-assigned with zeros.
  • the various bits are marked (i.e. falsified or masked).
  • the logic operation is a bit-wise AND operation.
  • the use of the bitwise AND operation is particularly advantageous and expedient for the above-mentioned method according to the invention, since this type of link cancels the falsification.
  • the falsification comprises setting a reserved bit assigned to the computing device.
  • the reserved bit is set to 0 in the undistorted state. Setting the reserved bit in the event of corruption means that a 1 is set in the place of the reserved bit.
  • a significant advantage of this embodiment is that the corruption is canceled again by setting the reserved bit at a position assigned to the computing device in the bit-by-bit AND operation. This is of particular importance in the event that the forwarding device does not link the computation result data streams due to an error. If the forwarding device forwards one of the computation result data streams, for example, the receiving device is able to recognize the set bit and thus the corruption.
  • the forwarding device is a network device, preferably a network switch, in particular a TSN switch or a communication card in a PC.
  • a network device is already present in a communication network. This means that no additional hardware is required and the resulting complexity is lower than in a scenario in which additional hardware is introduced to implement the comparison, signing and communication of the result.
  • a network device is understood here to mean a device that is part of the communication network.
  • the term network component is also often used.
  • terminals, by contrast, are connected to the communication network but are not part of the communication network itself.
  • TSN: Time Sensitive Networking
  • the switch is also preferably a so-called Consist Switch (CS), as mentioned on page 15 of the document which can be accessed at https://safe4rail.eu/downloads/technical-seminar-brussels/03-Drive-by-Data.pdf.
  • CS: Consist Switch
  • the two computing devices are formed by a first computing device that generates a first computation result data stream and a second computing device that generates a second computation result data stream.
  • the safety-related system has at least one third computing device, which calculates a result of the same task as calculated by the first and second computing device and generates a computational result data stream which represents the result of the computation.
  • the respective calculation result data stream is transmitted to the forwarding device.
  • the calculated computational result data streams are logically linked by means of a linking unit of the forwarding device in accordance with a link.
  • the falsification comprises setting a reserved bit at a first position in a reserved area of the computation result data stream by means of the first computation device.
  • the falsification also includes setting a reserved bit at a second position in the reserved area of the computation result data stream by means of the second computing device.
  • the falsification also includes setting a reserved bit at a third position in the reserved area of the computational result data stream by means of the third computing device.
  • each of the plurality of computing devices is assigned a position in the reserved area at which a bit can be "falsified" by setting it. From the position in the reserved area at which the falsification is present, it can be deduced from which of the computing devices the data stream (incorrectly) forwarded by the forwarding device originates.
  • the linking logic is a bit-wise AND operation of the first, second and/or third computation result data stream.
  • Two of the calculation result data streams are linked to one another.
  • the bit-by-bit AND link is particularly advantageous for a falsification in which a 1 is set, at a position provided for the respective computing device, in a reserved area that otherwise consists of a sequence of zeros.
  • An example illustrates this:
  • the calculation result data streams have a reserved area with zeros.
  • the bit sequence B N lies in the region of the arithmetic result data stream generated by the first arithmetic unit.
  • the bit sequence B M is located in the reserved area of the arithmetic result data stream calculated by the second arithmetic unit.
  • the reserved area therefore has a 0 at all positions after the bit-wise AND operation; the corruption in the form of the set bit has been removed. If the first, second or third computation result data stream fails, the AND link still generates a valid link result data stream, since only one bit is set in each data stream and that bit is deleted by the AND link. Each data stream is thus truly redundant: by linking the two remaining valid data streams, an unadulterated data stream can still be generated.
  • the receiving device is formed by at least two computing devices, which each calculate a result of the same task and each generate a computation result data stream that represents the result of the respective calculation, the task comprising the processing of the link result data stream received from the forwarding device.
  • the receiving device is formed by two computing devices that can be operated according to the method according to the invention.
  • the receiving device itself is a combination of two computing devices according to the method according to the invention and can provide two computation result data streams within the meaning of the invention to a further forwarding device and, if necessary, a further receiving device.
  • the computing devices each have a hardware component which is designed to meet the safety integrity level 2 (SIL2) during operation.
  • the computing devices preferably each have a software component which is designed to meet the safety integrity level 4 (SIL4) when executed by means of the computing device.
  • the safety-related system is designed to meet safety integrity level 3 or safety integrity level 4 during operation.
  • the method according to the invention makes it possible to use computing devices whose hardware component has a lower safety integrity level than the required safety integrity level. This is made possible, in particular, by the redundancy of the computing devices: with previous solutions, the probability of random errors, systematic errors or a combination of both types of errors was too great to form a system of the required SIL level on its own.
  • safety integrity levels 2, 3 and 4 are defined, for example, in IEC 61508.
  • the computing devices are series-produced products, in particular components-off-the-shelf.
  • the respective hardware component of the computing devices is preferably a series-produced product.
  • the safety-oriented system is a safety-oriented system of a vehicle, in particular a track-bound vehicle.
  • a vehicle, in particular a track-bound vehicle.
  • the use of one of the methods according to the invention in a vehicle is particularly expedient, in particular when the vehicle is being operated in an automated or partially automated manner.
  • the track-bound vehicle is, for example, a rail vehicle, in particular a multiple unit or a locomotive.
  • the respective computation result data stream is transmitted to a first forwarding device and to a second forwarding device.
  • the calculated arithmetic result data streams are each logically linked by means of a linking unit of the first and second forwarding device in accordance with a linking logic.
  • a first link result data stream which represents the result of the link, is generated by means of the first forwarding device.
  • a second link result data stream which represents the result of the link, is generated by means of the second forwarding device.
  • the first link result data stream and the second link data stream are transmitted to a receiving device.
  • This embodiment achieves a multiple, in particular redundant, design of the forwarding device in the system.
  • Each forwarding device provides its own output stream (first and second linkage result data stream).
  • the availability of the overall system can be increased, since the receiving device can receive both link result data streams and can use the other link result data stream in the event of a failure of one forwarding device.
  • hardware costs can remain constant as a result of this embodiment, with increased availability being achieved at the same time.
  • the invention also relates to a computer program, comprising commands which, when the program is executed by at least two computing devices, a forwarding device and / or a receiving device, cause them to execute the method of the type described above.
  • the invention also relates to a computer-readable storage medium, comprising instructions which, when executed by at least two computing devices, a forwarding device and / or a receiving device, cause them to execute the method of the type described above.
  • the invention also relates to a safety-related system for performing safety functions.
  • the safety-oriented system comprises at least two computing devices, a forwarding device and a communication network.
  • the computing devices are designed to each calculate a result of the same task and each generate a computation result data stream which represents the result of the respective calculation.
  • the communication network is designed to transmit the respective computation result data stream to the forwarding device.
  • the forwarding device comprises a linking unit which is designed to link the computed computation result data streams in accordance with a linking logic.
  • the forwarding device is designed to generate a link result data stream, which represents the result of the link, and to provide the link result data stream to the communication network.
  • the link is a bit-wise link.
  • the bit-wise link is preferably a bit-wise AND link.
  • the invention also relates to a safety-related system for performing safety functions.
  • the safety-oriented system comprises at least two computing devices, a forwarding device and a receiving device.
  • the computing devices are designed to each calculate a result of the same task and each generate a computing result data stream which represents the result of the respective calculation.
  • the safety-oriented system is designed to transmit the respective arithmetic result data stream to the forwarding device.
  • the forwarding device comprises a linking unit which is designed to link the computed calculation result data streams according to a link.
  • the forwarding device is designed to generate a link result data stream which represents the result of the link and to send the link result data stream to the receiving device.
  • the computing devices are designed to falsify the result in such a way that this falsification can be recognized by means of the receiving device and the falsification can be canceled when linking in accordance with the linking logic.
  • FIG. 2 schematically shows the structure of a first exemplary embodiment of a safety-related system according to the invention
  • FIG. 3 schematically shows the structure of a second exemplary embodiment of the safety-related system according to the invention
  • FIG. 4 schematically shows the structure of a third exemplary embodiment of the safety-related system according to the invention.
  • FIG. 5 schematically shows the sequence of a second exemplary embodiment of the two methods according to the invention.
  • FIG. 1 shows a schematic flow diagram which represents the sequence of an exemplary embodiment of the two methods according to the invention for increasing the reliability of safety functions of a safety-oriented system.
  • FIG. 2 shows schematically the structure of a safety-oriented system 1 in which the reliability of the safety functions is increased in accordance with the exemplary embodiment of the two methods according to the invention shown in FIG.
  • the system 1 has two computing devices 12 and 14, which are designed as terminals 13 and 15 and are connected to a communication network 16.
  • a forwarding device 18 of the safety-related system 1 is formed as a network component 19 of the communication network 16.
  • the network component 19 is a network switch 20 (so-called switch), in particular a TSN switch (TSN: Time Sensitive Networking).
  • the computing devices 12 and 14 each have a hardware component which is designed to meet the safety integrity level 2 (SIL2) during operation.
  • the hardware component can be derived from a series-produced product (a so-called component off the shelf).
  • the computing devices 12 and 14 each have a software component which is designed to meet the safety integrity level 4 (SIL4) when executed by means of the computing device 12 and 14.
  • the safety-related system 1 is designed to meet safety integrity level 3 or safety integrity level 4 during operation, which is achieved in particular by the two methods according to the invention.
  • the computing devices 12 and 14 calculate in a procedural step A a result of the same task.
  • the calculation A is used to perform the task as part or object of one of the safety functions of the safety-related system 1.
  • the computing devices 12 and 14 perform the task independently and in parallel.
  • the computing devices 12 and 14 are, for example, designed essentially the same.
  • in a method step B, the computing devices 12 and 14 each generate a computation result data stream 22 and 24, which represents the result of the respective computation A.
  • the computation result data streams 22 and 24 are implemented according to the rules of the so-called Safe Data Transmission (SDT) protocol. Version 4 of the SDT protocol (SDTv4) enables safety integrity level 4 and is described, for example, on page 12 of the document available at https://safe4rail.eu/downloads/technical-seminar-brussels/03-Drive-by-Data.pdf.
  • the calculation result data stream 22 and 24 can be implemented according to the rules of Safety over OPC UA.
  • the falsification C takes place in a method step C1, in which a bit is set at a position, assigned to the respective computing device 12 or 14, in a reserved area of the computation result data stream 22 or 24.
  • the reserved area is set to 0 in all places before the corruption. Setting the bit for corruption means that a 1 is set at this point.
  • the reserved area is, for example, the area of the SDTv4 VDP (VDP: Vital Data Packet) called "reserved01" on page 12 of the document available at https://safe4rail.eu/downloads/technical-seminar-brussels/03-Drive-by-Data.pdf.
  • the user data area can be expanded by one or more bytes and corruption can be carried out in this area.
  • in a method step D, the respective computation result data stream 22 and 24 is transmitted to the forwarding device 18 via the communication network 16.
  • the forwarding device 18 has a linking unit 32.
  • the linking unit 32 is part of the so-called switching fabric of the network switch 20.
  • the forwarding device 18 processes the received computing result data stream 22 and temporarily stores it.
  • the forwarding device 18 processes the received computing result data stream 24 and temporarily stores it.
  • the linking unit 32 links the calculated computing result data streams 22 and 24 in a method step E according to a linking logic.
  • the logic operation is a bit-wise AND operation, in which of two bit sequences of the same length, namely the arithmetic result data streams 22 and 24, each pair of corresponding bits is linked in such a way that the result bit is 1 if both bits are 1 or 0 otherwise.
  • in a method step F, the forwarding device 18 generates a link result data stream 26 which represents the result of the link E.
  • the forwarding device 18 provides the linking result data stream 26 in a method step G to the communication network 16 in order to be transmitted via the communication network 16 to further communication participants.
  • in a method step H, the provided link result data stream 26 is transmitted via the communication network 16 to a receiving device 30 of the safety-related system 1.
  • the receiving device 30 is designed to meet safety integrity level 4 in operation. In the structure shown in FIG. 2, the receiving device 30 is formed by a single hardware component with software, each of which fulfills safety integrity level 4.
  • in a method step J, the receiving device 30 detects the falsification in the form of the bit set in the reserved area.
  • FIG. 3 schematically shows the structure of the second exemplary embodiment of the safety-related system 1. Identical or functionally identical elements are given the same reference numerals as are used in relation to FIG. 2.
  • the receiving device 130 is formed by two computing devices 112 and 114, which are constructed and operated analogously to the computing devices 12 and 14.
  • the computing devices 112 and 114 receive the link result data stream 26, which is transmitted to them by multicast, and process it. During the processing by means of the computing devices 112 and 114, a result of the same task is calculated in each case and a computation result data stream 122 and 124 is generated in each case. The linking of the generated calculation result data streams 122 and 124 is carried out in a downstream forwarding device.
  • FIG. 4 schematically shows the structure of the third exemplary embodiment of the safety-related system 1. Identical or functionally identical elements are given the same reference characters as are used in relation to FIG. 2. In contrast to the exemplary embodiment shown in FIG., a third computation result data stream 226 is generated in a method step BB.
  • a reserved bit is set at a first position in a reserved area of the arithmetic result data stream 222 by means of the first arithmetic unit 212.
  • a reserved bit is set at a second position in the reserved area of the computation result data stream 224 by means of the second computing device 214.
  • a reserved bit is set at a third position in the reserved area of the arithmetic result data stream 226 by means of the third arithmetic unit 216.
  • arithmetic result data streams 222, 224 and 226 are transmitted to the forwarding device 18.
  • the computation result data streams 222, 224 and 226 are linked by means of the linking unit 32 of the forwarding device 18 in a method step EE as a bitwise AND link.
  • any one of the three calculation result data streams can fail and the linking operation is still carried out.
  • the third arithmetic unit could then possibly only introduce an error with a certain probability into the calculation and would rather reduce the availability than increase it.
  • in a method step FF, the forwarding device 18 generates a link result data stream 326 which represents the result of the link EE.
  • in a method step GG, the forwarding device 18 provides the link result data stream 326 to the communication network 16 in order to be transmitted via the communication network 16 to further communication participants.
  • in the event of faulty operation of the forwarding device 18, there is the risk that, for example, one of the computation result data streams 222, 224 or 226 is provided by the forwarding device 18 in method step GG instead of the link result data stream 326.
  • the bit set at the first, second or third position B1, B2 or B3 of the reserved area can then be used to identify that faulty operation has occurred.
  • the exemplary embodiment shown in FIG. 2 shows two computing devices 12 and 14.
  • the exemplary embodiment shown in FIG. 4 shows three computing devices 212, 214 and 216. This makes it clear that the invention can also be easily scaled to more than three computing devices.
  • the forwarding device 18 shown in FIGS. 2, 3 and 4 can be provided multiple times or redundantly.
  • the respective computation result data stream is transmitted to a first forwarding device and to a second forwarding device.
  • the computed result data streams are each logically linked by means of a linking unit of the first and second forwarding device in accordance with a linking logic.
  • a first link result data stream, which represents the result of the link, is generated by means of the first forwarding device.
  • a second link result data stream, which represents the result of the link, is generated by means of the second forwarding device.
  • the first link result data stream and the second link result data stream are transmitted to a receiving device.
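
The bitwise AND link and the reserved-bit check described in the bullets above, as an added Python illustration; it is not code from the patent or from any Siemens implementation. The byte layout (a four-byte payload followed by one reserved byte in which computing device i sets bit i), the treatment of a stream that did not arrive as simply absent from the link, the requirement of at least two present streams, and the receiver policy for the two redundant forwarding devices are assumptions of this example, not details from the page.

```python
from functools import reduce
from typing import Optional, Sequence

# Assumed layout (not from the patent): a result data stream is PAYLOAD_LEN payload
# bytes followed by one reserved byte; computing device i sets bit i of that byte.
PAYLOAD_LEN = 4
MIN_STREAMS = 2  # assumption: at least two streams must be present to form a link


def build_result_stream(payload: bytes, device_index: int) -> bytes:
    """Computing device side: result payload plus the reserved area with the
    device's own bit set (the 'reserved bit at position i' bullets above)."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be exactly PAYLOAD_LEN bytes")
    if not 0 <= device_index < 8:
        raise ValueError("this example only has 8 reserved bit positions")
    return payload + bytes([1 << device_index])


def link_streams(streams: Sequence[Optional[bytes]]) -> bytes:
    """Forwarding device side (step EE): bitwise AND over every stream that arrived.
    A stream that failed to arrive is passed as None and skipped, so one of three
    streams can fail and the link is still carried out from the remaining ones."""
    present = [s for s in streams if s is not None]
    if len(present) < MIN_STREAMS:
        raise RuntimeError("too few result data streams to form a link")
    if len({len(s) for s in present}) != 1:
        raise RuntimeError("result data streams differ in length")
    return bytes(reduce(lambda a, b: a & b, column) for column in zip(*present))


def link_is_genuine(link_result: bytes) -> bool:
    """Receiver-side check: each reserved bit is set in exactly one stream, so a genuine
    AND over two or more streams always clears the whole reserved byte. A surviving bit
    shows the forwarding device passed a single stream through instead of linking."""
    return link_result[-1] == 0


def accept_from_redundant_forwarders(first: bytes, second: bytes) -> Optional[bytes]:
    """Receiver fed by two forwarding devices (assumed policy): accept only when both
    link results pass the reserved-bit check and agree; otherwise return None, i.e.
    no output, which is the restrictive outcome for a safety function."""
    if link_is_genuine(first) and link_is_genuine(second) and first == second:
        return first
    return None


def demo() -> dict:
    # Constructed sample payload; the 0xFF byte plays the role of 'all enable bits set'.
    payload = bytes([0x0F, 0xA5, 0x00, 0xFF])
    streams = [build_result_stream(payload, i) for i in range(3)]

    # Normal case: all three agree; the link carries the payload and a clear reserved byte.
    normal = link_streams(streams)

    # One stream fails to arrive: the link is still formed from the remaining two.
    one_missing = link_streams([streams[0], None, streams[2]])

    # Third device computes a different result: AND clears every bit it disagrees on,
    # so the output becomes more restrictive instead of trusting the odd one out.
    divergent = build_result_stream(bytes([0x0F, 0xA5, 0x00, 0x0F]), 2)
    disagreeing = link_streams([streams[0], streams[1], divergent])

    # Faulty forwarding device hands on stream 224 unchanged instead of the link result.
    passed_through = streams[1]

    return {
        "normal": normal,
        "one_missing": one_missing,
        "disagreeing": disagreeing,
        "passed_through_detected": not link_is_genuine(passed_through),
        "redundant_ok": accept_from_redundant_forwarders(normal, normal),
        "redundant_rejected": accept_from_redundant_forwarders(normal, passed_through),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The detection relies only on the invariant that no reserved bit is set in more than one stream: whatever the payload, a correct AND over at least two streams yields a zero reserved byte, so the receiver needs no knowledge of which device produced what.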

Abstract

The invention relates to a method for executing safety functions of a safety system (1) comprising at least two computing devices (12, 14, 212, 214), a forwarding device (18) and a communication network (16). In order to simplify the safety system (1) while increasing flexibility in the use and development of the system (1), the method comprises the following steps: calculating (A, AA) a respective result of the same task by means of the computing devices (12, 14, 212, 214); generating (B), by means of the computing devices (12, 14, 212, 214), a respective computation result data stream (22, 24, 222, 224) representing the result of the respective calculation; transmitting (D) the respective computation result data stream (22, 24, 222, 224) to the forwarding device (18); logically linking (E) the computed computation result data streams (22, 24, 222, 224) by means of a linking unit (32) of the forwarding device (18) according to a linking logic; generating (F), by means of the forwarding device (18), a link result data stream (26, 326) representing the result of the link; providing (G) the link result data stream (26, 326) by means of the forwarding device (18) to the communication network (16), the logical link being a bitwise link.
EP21721402.2A 2020-04-30 2021-04-06 Method and safety system for executing safety functions Pending EP4127934A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE102020205502 2020-04-30
DE102020209363.6A DE102020209363A1 (de) 2020-04-30 2020-07-24 Method and safety-oriented system for executing safety functions
PCT/EP2021/058906 WO2021219329A1 (fr) 2020-04-30 2021-04-06 Method and safety system for executing safety functions

Publications (1)

Publication Number Publication Date
EP4127934A1 true EP4127934A1 (fr) 2023-02-08

Family

ID=78267635

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21721402.2A Pending EP4127934A1 (fr) 2020-04-30 2021-04-06 Method and safety system for executing safety functions

Country Status (4)

Country Link
EP (1) EP4127934A1 (fr)
DE (1) DE102020209363A1 (fr)
IL (1) IL297685A (fr)
WO (1) WO2021219329A1 (fr)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10008434A1 (de) 2000-02-23 2001-09-20 Phoenix Contact Gmbh & Co Method and device for safety monitoring of a control device
DE102006007844A1 (de) * 2004-08-17 2007-08-23 Phoenix Contact Gmbh & Co. Kg Method and device for bus coupling of safety-relevant processes
US10514683B2 (en) * 2015-09-16 2019-12-24 Profire Energy, Inc. Distributed networking system and method to implement a safety state environment

Also Published As

Publication number Publication date
DE102020209363A1 (de) 2021-11-04
WO2021219329A1 (fr) 2021-11-04
IL297685A (en) 2022-12-01

Similar Documents

Publication Publication Date Title
EP2160857B1 (fr) Checking method and electronic circuit for secure serial data transmission
DE102006054124B4 (de) Method and system for secure data transmission
EP2814193B1 (fr) Method and system for detecting errors in the transmission of data from a transmitter to at least one receiver
DE102014110017A1 (de) Control and data transmission system, gateway module, I/O module and method for process control
DE102011082969A1 (de) Method for operating a communication network and network arrangement
DE10152235A1 (de) Method for detecting errors in data transmission within a CAN controller and a CAN controller for carrying out this method
DE102014111361A1 (de) Method for operating a safety controller and automation network with such a safety controller
WO2020173682A1 (fr) Safety system and method for operating a safety system
EP3110061A1 (fr) Distributed real-time computer system and method for forcing failure
EP3659317B1 (fr) Method for producing a reliable telegram
EP4127934A1 (fr) Method and safety system for executing safety functions
EP2837142A1 (fr) Method for transmitting process data in an automatically controlled installation
EP1596517B1 (fr) Method for single-channel transmission of data provided in redundant form
EP3550748A1 (fr) Method for detecting data corruption during data transmission over a secure communication link
EP4232905A1 (fr) Data processing network for performing data processing
EP1133096B1 (fr) Method and system for fail-safe data transmission between intrinsically safe computers
DE102015218882A1 (de) Method and device for checking computation results in a system with several computing units
DE102021127310B4 (de) System and method for data transmission
DE102019201728A1 (de) Method for securing data using at least two computing units and a decision unit in communication with the at least two computing units
DE102019109353B3 (de) Dynamic anomaly detection and handling
DE102004046292A1 (de) Method for carrying out voting of redundant information
WO2016138956A1 (fr) Error-proof control for an automated installation
EP3002652B1 (fr) Method for state monitoring in an industrial automation system and control program
WO2021151612A1 (fr) Method for checking a signal link
WO2022207213A1 (fr) Method for processing data

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20221026

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)