EP4355633A1 - Automatic detection and correction of memory errors in a secure multi-channel computer - Google Patents

Automatic detection and correction of memory errors in a secure multi-channel computer

Info

Publication number
EP4355633A1
Authority
EP
European Patent Office
Prior art keywords
test value
data
memory
memory device
computer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP22758465.3A
Other languages
German (de)
English (en)
Inventor
Wolfgang Ebeling
Alexander Priebe
Nils Weiss
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens Mobility GmbH
Original Assignee
Siemens Mobility GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Mobility GmbH
Publication of EP4355633A1
Legal status: Pending

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B61: RAILWAYS
    • B61L: GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00: Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/30: Trackside multiple control systems, e.g. switch-over between different systems
    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B61: RAILWAYS
    • B61L: GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00: Indicators provided on the vehicle or train for signalling purposes
    • B61L15/0063: Multiple on-board control systems, e.g. "2 out of 3"-systems

Definitions

  • The invention relates to a method for automatically detecting and correcting memory errors in a secure multi-channel computer of a railway system, each channel of the computer having at least one memory device and the same data being stored in parallel in the memory devices of the channels.
  • SIL: Safety Integrity Level.
  • SIL 3 or SIL 4: Safety Integrity Level 3 or 4.
  • A secure computer refers, for example, to special industrial computers which, thanks to their redundant design, have sufficient error disclosure and thus meet the necessary safety requirements.
  • Such a secure computer is described in DE 10 2004 035 901 A1, for example.
  • Randomly occurring memory errors, which can be triggered by external influences such as soft errors or an insufficient signal-to-noise ratio in the memory components, can lead to malfunctions in electrical devices and are problematic in the safety-relevant environment of a railway system. Random memory errors such as bit flips occur statistically everywhere in the memory devices used, for example RAM memories, independently of how the memory devices are used. These memory errors can therefore occur in highly dynamic data content, in constant data content and in unused memory areas alike. The memory errors meant here are not caused by defects in the memory components.
  • The random memory errors described are of course already taken into account in the design of a railway system and are typically revealed by comparing two independent memory devices in different channels of a computer. A memory error detected in this way usually leads to the system being switched off, because it is not immediately known which channel holds the correct data. However, this shutdown reduces the availability of such a two-out-of-two system.
  • Shadow memories or so-called ECC memories (Error Correcting Code memories).
  • The object is achieved in that a first check value is calculated for data in a sub-area of the first memory device, a second check value is calculated for the identical data in a sub-area of the second memory device, the first and second check values are compared with one another and, if the first and second check values differ, the first check value and/or the second check value are compared with an old check value; the data of the sub-area of the first memory device are replaced by the data of the sub-area of the second memory device if the second check value corresponds to the old check value, and the data of the sub-area of the second memory device are replaced by the data of the sub-area of the first memory device if the first check value corresponds to the old check value.
  • The solution according to the invention has the advantage that the method can be implemented in a purely software-based manner, so that only a limited amount of hardware is required.
  • The method according to the invention is particularly suitable for two-out-of-two systems, that is, secure computers with exactly two redundant channels.
  • The first check value is calculated for the data of a sub-area of the first memory device.
  • A check value is to be understood here as, for example, a hash value or a checksum calculated over the stored data. In principle, any type of checksum can be used. It is advantageous, however, if the checksum converges to a residual error probability independently of the data volume.
  • The first memory device is located in a first channel of the secure computer.
  • The second check value is calculated for the data of the corresponding sub-area of the second memory device. In the error-free state, the same data are stored redundantly in these sub-areas of the first and second memory devices.
  • The first and second check values are then compared with one another. If there is no memory error, the check values should be the same. If, however, the first and second check values differ, according to the invention the first check value and/or the second check value are compared with the old check value.
  • The old check value is, for example, likewise stored in the memory devices of each channel and was calculated at an earlier point in time.
  • The old check value is equal to the first and second check values at that earlier point in time, which were recognised as belonging to uncorrupted data. Thus, if no data have been altered, whether by intentional modification or by memory errors, the first and second check values based on uncorrupted data must match the old check value. In the following, check values based on corrupted data are sometimes referred to as faulty check values.
  • Check values based on corrupted data are nevertheless calculated correctly from the data on which they are based; only the underlying data are corrupted and therefore wrong. By comparing with the old check value, it can be recognised in a very simple manner according to the invention in which memory device the memory error is present and whose data must therefore be replaced.
  • The data of the sub-area of the first memory device are replaced by the data of the sub-area of the second memory device if the second check value corresponds to the old check value.
  • The data of the sub-area of the second memory device are replaced by the data of the sub-area of the first memory device if the first check value corresponds to the old check value. Only one old check value is used, although an old first check value and an old second check value originally existed; since these were recognised as being based on correct data, they are identical and can therefore be stored and used as a single old check value.
  • The method according to the invention is characterised in that it can be implemented purely in software and carried out independently of the application, e.g. by an operating system background process.
  • The solution according to the invention can be further developed by the advantageous configurations described below.
  • The check values can be determined by means of a cyclic redundancy check (CRC), in particular CRC32, or by a hash calculation.
  • CRC stands for Cyclic Redundancy Check. This known method is particularly suitable here because it reliably confirms the integrity of data and is easy to carry out.
  • Proper CRC algorithms are advantageous here because their checksum converges to a residual error probability regardless of the data volume.
  • CRC32 is the 32-bit version, which meets higher requirements and therefore offers higher safety.
  • The alternative, hash calculation, is widely used and allows efficient calculation of strong check values.
  • The method can be carried out independently for a large number of sub-areas of the memory device, and also simultaneously.
  • The method can be repeated cyclically and, if the first and second check values are the same in the current cycle, they can be stored as the old first check value and the old second check value for the next cycle. This has the advantage that the memory devices are continuously checked for memory errors and the old check values are continuously updated.
  • The memory size of the sub-areas can be less than 5%, in particular less than 1%, of the available memory size of the memory devices.
  • The aim is to choose a sufficiently small memory size. It is advantageous to subdivide the memory devices into as many relatively small sub-areas as possible, in each of which the method according to the invention is carried out. This increases the probability that the data can be corrected, because no operational data changes took place in the sub-area concerned.
  • The old check value can be stored in a check value memory of the first memory device and/or in a check value memory of the second memory device.
  • The invention further relates to a secure multi-channel computer for a railway system, with at least one memory device per channel for synchronous storage of data.
  • The computer is designed to carry out the method according to one of the aforementioned embodiments.
  • The computer according to the invention can be designed as part of an interlocking device of a railway system.
  • The computer according to the invention can, e.g., also be used in vehicles and other safety equipment.
  • A provision device for storing and/or providing the computer program product.
  • The provision device is, for example, a data carrier that stores and/or provides the computer program product.
  • The provision device is, for example, a network service, a computer system, a server system, in particular a distributed computer system, a cloud-based computer system and/or a virtual computer system, which stores and/or provides the computer program product, preferably in the form of a data stream.
  • The provision takes place, for example, as a download in the form of a program data block and/or command data block, preferably as a file, in particular as a download file, or as a data stream, in particular as a download data stream, of the complete computer program product.
  • This provision can also take place, for example, as a partial download consisting of several parts, which is downloaded in particular via a peer-to-peer network or provided as a data stream.
  • Such a computer program product is, for example, read into a system using the provision device in the form of the data carrier and executes the program instructions so that the method according to the invention is executed on a computer, or the creation device is configured so that it creates the workpiece according to the invention.
  • FIG. 1 shows a schematic representation of a railway system with a secure computer according to the invention in an exemplary embodiment.
  • FIG. 2 shows a schematic representation of an exemplary embodiment of the method according to the invention, which runs on the computer in FIG.
  • An exemplary embodiment of a railway system 1 in FIG. 1 includes vehicles 2, routes 3, field elements 4 and interlocking devices 5. For the sake of clarity, only one example of each of the components of the railway system 1 mentioned is shown in FIG. 1.
  • The field element 4 shown in FIG. 1 is, for example, a light signal. Other field elements such as points, level crossings, axle counters or the like can of course also be included.
  • The field element 4 in FIG. 1 also includes a control module 6, which in turn includes a secure computer 7 and which is controlled by the interlocking device 5.
  • The secure computer 7 according to the invention could alternatively or additionally also be used in other parts of the railway system, for example the interlocking device 5.
  • The secure computer 7 is shown enlarged in the upper part of FIG.
  • The secure computer 7 is a so-called two-out-of-two system in the exemplary embodiment of FIG. 1, that is, the secure computer 7 includes a first channel 8 and a redundant second channel 9.
  • The two channels 8, 9 are each connected to a data bus system 10, which in turn are each connected to processing logic that is not described in detail.
  • The processing logic is designed to control field elements 4, such as the light signal shown in FIG.
  • The first channel 8 and the second channel 9 of the secure computer 7 each comprise separate controllers 12. Furthermore, the first channel 8 comprises a first memory device 13 and the second channel 9 comprises a second memory device 14. The first channel 8 and the second channel 9 are further connected to one another via interfaces 15, so that data can be exchanged and compared.
  • The memory devices 13, 14 are in the form of RAM memories.
  • Such memory errors can be, for example, bit flips, which can be triggered by external influences.
  • The memory errors mean that the redundantly stored data in the memory devices 13, 14 are no longer completely identical, which can lead to an unsafe state. Such memory errors can be recognised and automatically corrected by the method according to the invention.
  • The memory devices 13, 14 are each divided into many sub-areas, which are checked separately using the method according to the invention.
  • These sub-areas have, for example, a memory size of 1024 bytes, which is less than 1% of the available memory size of the memory devices 13, 14.
  • Other memory sizes are of course also possible.
  • Sub-areas that are relatively small in relation to the memory size are advantageous because only a few sub-areas are affected by operational data writing during operation and the remaining areas can be checked for memory errors.
  • A first check value 17 is calculated for the data of the sub-area of the first memory device 13.
  • A checksum or a hash value determined using a hash function can serve as a check value.
  • In this case a CRC32 checksum is used as the check value.
  • A second check value 19 is calculated for the corresponding redundant sub-area of the second memory device 14.
  • The sub-areas in the memory devices 13, 14 contain the same data if there is no memory error.
  • The first check value 17 and the second check value 19 are compared with one another. In order to carry out the comparison, it may be necessary to exchange the check values 17, 19 between the channels 8, 9 via the interfaces 15.
  • In step 21 the first check value 17 is stored as the old first check value 22 and the second check value 19 as the old second check value 23. Since the first check value 17 and the second check value 19 are the same, a single old check value 22, 23 can be stored.
  • The method can then be started again with step 16.
  • The method according to the invention can be run through continuously in order to identify and rectify memory errors quickly after they occur.
  • If step 20 shows that the first check value 17 and the second check value 19 differ, a memory error has been detected. However, this does not yet reveal in which of the two memory devices 13, 14 the memory error is present. In order to determine this and to correct the memory error automatically, the method according to the invention continues with step 24.
  • In step 24 the first check value 17 is compared with the stored old check value 22, 23. At the same time or alternatively, the second check value 19 is compared with the old check value 22, 23.
  • The old check value 22, 23 was calculated and stored in a previous check cycle in which the check values 17, 19 were the same and there was therefore no memory error.
  • If the second check value 19 is the same as the old check value 22, 23, this means that the data in the relevant sub-area of the second memory device 14 are correct, i.e. there is no memory error there.
  • The data of the sub-area of the first memory device 13, which are consequently recognised as the data corrupted by the memory error, are then replaced by the data of the sub-area of the second memory device 14. This is done in step 25.
  • Conversely, if the first check value 17 is the same as the old check value 22, 23, in step 26 the data of the sub-area of the second memory device 14 are automatically replaced by the data of the sub-area of the first memory device 13.
  • In step 27 the method according to the invention can be ended or started again in step 16. In this case it is not absolutely necessary to store the old check value 22, 23, since it has not changed compared with the previous old check value.
  • The method described can be carried out in parallel for many or even all sub-areas of the memory devices 13, 14.
  • FIG. 1 also shows, by way of example and schematically, a sub-area 28 of the first memory device 13.
  • The representation of the sub-area 28 also applies to the sub-areas of the second memory device 14, which are not shown.
  • Each memory device 13, 14 comprises a large number of sub-areas 28.
  • The method according to the invention is carried out independently for each of them in the secure computer 7, as described above and illustrated in FIG.
  • Sub-area 28 is, for example, 1024 bytes in size.
  • Sub-area 28 in this case comprises a user memory 29 and a check value memory 30.
  • The user data are stored in the user memory 29.
  • User data means the normal data to be stored during operation of the computer 7.
  • Each sub-area 28 in the first channel 8 therefore has a corresponding sub-area 28 in the second channel 9 in which the same user data are stored.
  • The old check value 22 or 23 is stored in the check value memory 30 so that it is available for the method according to the invention. This has the advantage that no other storage location is required for storing the old check value 22, 23.
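
The check cycle described above (steps 16 to 27), written out as an added C example; this is not code from the patent or from Siemens Mobility. It assumes a 1024-byte sub-area laid out as 1020 bytes of user memory followed by a 4-byte check value memory, uses the IEEE 802.3 CRC-32 polynomial (the patent only says "CRC32"), and, as a design choice of this example, trusts the stored old check value only when both channels' copies of it agree. All sample data are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sub-area 28: user memory 29 followed by check value memory 30.
 * The 1020/4 split is an assumption of this example. */
#define SUBAREA_SIZE 1024u
#define CHECK_SIZE   4u
#define USER_SIZE    (SUBAREA_SIZE - CHECK_SIZE)

typedef struct {
    uint8_t  user[USER_SIZE];  /* user memory 29 */
    uint32_t old_check;        /* check value memory 30: old check value 22/23 */
} subarea_t;

typedef enum {
    CHECK_MATCH = 0,   /* step 21: check values equal, old check value refreshed */
    CHECK_FIXED_CH1,   /* step 25: channel 1 data replaced from channel 2 */
    CHECK_FIXED_CH2,   /* step 26: channel 2 data replaced from channel 1 */
    CHECK_UNRESOLVED   /* neither matches the old value: leave to the existing
                          channel-comparison/shutdown path (assumption) */
} check_result_t;

/* Bitwise CRC-32, reflected IEEE 802.3 polynomial 0xEDB88320 (assumed variant). */
static uint32_t crc32_bytes(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* One check cycle for a pair of corresponding sub-areas in channels 8 and 9. */
static check_result_t check_cycle(subarea_t *ch1, subarea_t *ch2)
{
    uint32_t first  = crc32_bytes(ch1->user, USER_SIZE);  /* check value 17 */
    uint32_t second = crc32_bytes(ch2->user, USER_SIZE);  /* check value 19 */

    if (first == second) {            /* step 20: no memory error */
        ch1->old_check = first;       /* step 21: keep as old check value */
        ch2->old_check = second;
        return CHECK_MATCH;
    }
    /* A bit flip in the check value memory itself must not steer the repair
     * the wrong way, so both stored copies have to agree (example's choice). */
    if (ch1->old_check != ch2->old_check)
        return CHECK_UNRESOLVED;
    uint32_t old = ch1->old_check;

    if (second == old) {              /* step 24 -> 25: channel 1 is corrupt */
        memcpy(ch1->user, ch2->user, USER_SIZE);
        return CHECK_FIXED_CH1;
    }
    if (first == old) {               /* step 24 -> 26: channel 2 is corrupt */
        memcpy(ch2->user, ch1->user, USER_SIZE);
        return CHECK_FIXED_CH2;
    }
    return CHECK_UNRESOLVED;          /* both changed, e.g. write in progress */
}

/* Fill both channels with identical constructed data and run one clean cycle
 * so that a trusted old check value exists in both check value memories. */
static void init_pair(subarea_t *ch1, subarea_t *ch2)
{
    for (size_t i = 0; i < USER_SIZE; i++)
        ch1->user[i] = (uint8_t)(i * 7u + 3u);  /* constructed sample data */
    ch1->old_check = 0;
    memcpy(ch2, ch1, sizeof(*ch1));
    check_cycle(ch1, ch2);                      /* CHECK_MATCH */
}

/* Flip one bit in the chosen channel, run a cycle, report whether the two
 * copies are identical again, and return the cycle result. */
static check_result_t demo_bit_flip(int flip_channel1, int *repaired)
{
    subarea_t ch1, ch2;
    init_pair(&ch1, &ch2);
    subarea_t *victim = flip_channel1 ? &ch1 : &ch2;
    victim->user[513] ^= 0x10;                  /* single bit flip */
    check_result_t r = check_cycle(&ch1, &ch2);
    *repaired = memcmp(ch1.user, ch2.user, USER_SIZE) == 0;
    return r;
}

/* Different flips in both channels: no copy matches the old check value. */
static check_result_t demo_double_fault(void)
{
    subarea_t ch1, ch2;
    init_pair(&ch1, &ch2);
    ch1.user[10] ^= 0x01;
    ch2.user[20] ^= 0x80;
    return check_cycle(&ch1, &ch2);
}

int main(void)
{
    int fixed;
    check_result_t r = demo_bit_flip(1, &fixed);
    printf("flip in channel 1: result %d, repaired: %s\n", r, fixed ? "yes" : "no");
    r = demo_bit_flip(0, &fixed);
    printf("flip in channel 2: result %d, repaired: %s\n", r, fixed ? "yes" : "no");
    printf("double fault: result %d\n", demo_double_fault());
    return 0;
}
```

The unresolved case is where the patent's design rationale for small sub-areas shows up: an operational write landing between the two CRC calculations, or flips in both channels, leaves no copy that matches the old value, and the cycle has to fall back on the conventional two-channel comparison rather than repair in either direction.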

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Hardware Redundancy (AREA)
  • Techniques For Improving Reliability Of Storages (AREA)

Abstract

The invention relates to a method for automatically detecting and correcting memory errors in a secure multi-channel computer (7) of a railway system (1), each channel (8, 9) of the computer (7) having at least one memory device (13, 14) and the same data being stored in parallel in the memory devices (13, 14) of the channels (8, 9). In order to provide a reliable method without requiring additional hardware, according to the invention: a first check value (17) is calculated for data in a sub-area (28) of the first memory device (13); a second check value (19) is calculated for the same data in a sub-area (28) of the second memory device (14); the first and second check values (17, 19) are compared with one another; if the first and second check values (17, 19) differ, the first check value (17) and/or the second check value (19) are compared with an old check value (23); the data in the sub-area (28) of the first memory device (13) are replaced by the data in the sub-area (28) of the second memory device (14) if the second check value (19) corresponds to the old check value (23); and the data in the sub-area (28) of the second memory device (14) are replaced by the data in the sub-area (28) of the first memory device (13) if the first check value (17) corresponds to the old check value (22).
EP22758465.3A 2021-08-18 2022-07-29 Automatic detection and correction of memory errors in a secure multi-channel computer Pending EP4355633A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102021209038.9A DE102021209038A1 (de) 2021-08-18 2021-08-18 Method for automatically detecting and correcting memory errors in a secure multi-channel computer
PCT/EP2022/071326 WO2023020807A1 (fr) 2021-08-18 2022-07-29 Automatic detection and correction of memory errors in a secure multi-channel computer

Publications (1)

Publication Number Publication Date
EP4355633A1 (fr) 2024-04-24

Family

ID=83059221

Family Applications (1)

Application Number Title Priority Date Filing Date
EP22758465.3A Pending EP4355633A1 (fr) 2021-08-18 2022-07-29 Automatic detection and correction of memory errors in a secure multi-channel computer

Country Status (4)

Country Link
EP (1) EP4355633A1 (fr)
CN (1) CN117769698A (fr)
DE (1) DE102021209038A1 (fr)
WO (1) WO2023020807A1 (fr)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102004035901B4 (de) 2004-07-19 2016-02-04 Siemens Aktiengesellschaft Device for controlling a safety-critical process
DE102005023296B4 (de) * 2005-05-12 2007-07-12 Siemens Ag Train control system
DE102016206988A1 (de) * 2016-04-25 2017-10-26 Thales Deutschland Gmbh Server device running software for controlling a function of a rail-bound transport safety system

Also Published As

Publication number Publication date
WO2023020807A1 (fr) 2023-02-23
CN117769698A (zh) 2024-03-26
DE102021209038A1 (de) 2023-02-23

Similar Documents

Publication Publication Date Title
EP2447843B1 (fr) Method for verifying an application program of a fail-safe programmable logic controller, and programmable logic controller for carrying out the method
DE19509150C2 (de) Method for controlling and regulating vehicle brake systems, and vehicle brake system
DE19927657A1 (de) Partitioning and monitoring of software-controlled systems
EP1043641A2 (fr) Fail-safe automation system with a standard processor, and method for a fail-safe automation system
EP1588380B1 (fr) Method for detecting and/or correcting memory access errors, and electronic circuit for carrying out the method
WO2008014940A1 (fr) Control device and method for controlling functions
DE3786853T2 (de) Apparatus for detecting and classifying control word errors
DE102005016801B4 (de) Method and computer unit for error detection and error logging in a memory
EP4355633A1 (fr) Automatic detection and correction of memory errors in a secure multi-channel computer
DE102013021231A1 (de) Method for operating an assistance system of a vehicle, and vehicle control unit
DE1937259C3 (de) Self-checking error detection circuit
EP3550748A1 (fr) Method for detecting data corruption during data transmission via a secure communication link
DE102009015683A1 (de) Safety system for safeguarding a fail-safe control of electrical installations, and safety controller therewith
DE10340236B4 (de) Arrangement having a data processing device and a memory
DE102005040917A1 (de) Data processing system and operating method therefor
DE10148157B4 (de) Program-controlled unit
EP1248965B1 (fr) Method for avoiding malfunctions in a signal processing system, and processor system
EP1774417B1 (fr) Method and device for monitoring the execution of a control program in a computer
EP1176508B1 (fr) Device for monitoring the correct functioning of components performing the same action or corresponding actions in an electrical system
DE102018214980A1 (de) Computer system and operating method therefor with improved reliability
WO2013016831A1 (fr) Table-driven system
DE10135285A1 (de) Memory device and method for operating a system containing a memory device
DE102021204460A1 (de) Method and hardware device for diverse redundancy from non-diverse software source code
EP1246066A2 (fr) Method for operating a processor-controlled system
WO2022263416A1 (fr) Control system for at least one receiving device in safety-critical applications

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20240116

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR