EP4355633A1 - Automatic detection and correction of memory errors in a secure multi-channel computer - Google Patents

Automatic detection and correction of memory errors in a secure multi-channel computer (original title: Automatisches Erkennen und Korrigieren von Speicherfehlern in einem sicheren mehrkanaligen Rechner)

Info

Publication number
EP4355633A1
Authority
EP
European Patent Office
Prior art keywords
test value
data
memory
memory device
computer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP22758465.3A
Other languages
German (de)
English (en)
French (fr)
Inventor
Wolfgang Ebeling
Alexander Priebe
Nils Weiss
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens Mobility GmbH
Original Assignee
Siemens Mobility GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2021-08-18
Filing date
2022-07-29
Publication date
2024-04-24
2022-07-29 Application filed by Siemens Mobility GmbH
2024-04-24 Publication of EP4355633A1
Legal status: Pending

Links

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L 27/00 Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L 27/30 Trackside multiple control systems, e.g. switch-over between different systems
    • B61L 15/00 Indicators provided on the vehicle or train for signalling purposes
    • B61L 15/0063 Multiple on-board control systems, e.g. "2 out of 3"-systems

Definitions

  • The invention relates to a method for automatically detecting and correcting memory errors in a secure multi-channel computer of a railway system, each channel of the computer having at least one memory device, with the data stored in parallel in the memory devices of the channels.
  • SIL stands for Safety Integrity Level; the levels relevant here are SIL 3 and SIL 4.
  • A secure computer (in the sense of functional safety) here means, for example, a special industrial computer which, thanks to its redundant design, provides sufficient fault disclosure and thus meets the required safety level.
  • Such a secure computer is described in DE 10 2004 035 901 A1, for example.
  • Randomly occurring memory errors, which can be triggered by external influences such as soft errors or an insufficient signal-to-noise margin in the memory components, can lead to malfunctions in electrical devices and are problematic in the safety-relevant environment of a railway system. Random memory errors such as bit flips occur statistically everywhere in the memory devices used, for example RAM, independently of how the memory is used. They can therefore occur in highly dynamic data, in constant data and in unused memory areas alike. The memory errors meant here are not caused by defects in the memory components.
  • The random memory errors described are of course already taken into account in the design of a railway system and are typically revealed by comparing two independent memory devices in different channels of a computer. A memory error detected in this way usually leads to the system being switched off, because it is not immediately known which channel holds the correct data. This shutdown, however, reduces the availability of such a two-out-of-two system.
  • Shadow memories or so-called ECC memories (Error Correcting Code) are known countermeasures.
  • The object is achieved in that a first check value is calculated for the data in a sub-area of the first memory device, a second check value is calculated for the identical data in the corresponding sub-area of the second memory device, and the first and second check values are compared with one another. If the first and second check values differ, the first check value and/or the second check value are compared with an old check value: the data of the sub-area of the first memory device are replaced by the data of the sub-area of the second memory device if the second check value matches the old check value, and the data of the sub-area of the second memory device are replaced by the data of the sub-area of the first memory device if the first check value matches the old check value.
  • The solution according to the invention has the advantage that the method can be implemented purely in software, with only a limited amount of hardware being required.
  • The method according to the invention is particularly suitable for two-out-of-two systems, that is, secure computers with exactly two redundant channels.
  • The first check value is calculated for the data of a sub-area of the first memory device.
  • A check value (the German Prüfwert, also rendered "test value" in places) is to be understood here as, for example, a hash value or a checksum calculated over the stored data. In principle any type of checksum can be used; it is advantageous, however, if the checksum's residual undetected-error probability converges to a constant independently of the data volume.
  • The first memory device is located in a first channel of the secure computer.
  • The second check value is calculated for the data of the corresponding sub-area of the second memory device. In the error-free state the same data are stored redundantly in these sub-areas of the first and second memory device.
  • The first and second check values are then compared with one another. If there is no memory error, the check values are equal. If, however, the first and second check values differ, according to the invention the first check value and/or the second check value are compared with the old check value.
  • The old check value is, for example, also stored in the memory devices of each channel and was calculated at an earlier point in time.
  • The old check value equals the first and second check values at that earlier point in time, when they were recognised as belonging to uncorrupted data. If no data have been altered since, whether by intentional modification or by a memory error, first and second check values based on uncorrupted data must therefore match the old check value. The term "faulty check value" is occasionally used below.
  • A check value based on corrupted data is itself calculated correctly from the data it covers; only the underlying data are corrupted and therefore wrong. By comparing with the old check value it can be recognised in a very simple manner, according to the invention, in which memory device the memory error is present and whose data must be replaced.
  • The data of the sub-area of the first memory device are replaced by the data of the sub-area of the second memory device if the second check value matches the old check value.
  • The data of the sub-area of the second memory device are replaced by the data of the sub-area of the first memory device if the first check value matches the old check value. Only one old check value is used, although of course an old first check value and an old second check value originally existed; since these were recognised as being based on correct data, they are equal and can therefore be saved and used as a single old check value.
  • The method according to the invention is characterised in that it can be implemented purely in software and carried out independently of the application, e.g. by an operating-system background process.
  • The solution according to the invention can be further developed by the advantageous configurations described below.
  • The check values can be determined by means of a cyclic redundancy check (CRC), in particular CRC32, or by a hash calculation.
  • CRC stands for Cyclic Redundancy Check. This known method is particularly suitable here because it reliably confirms the integrity of data and can be computed easily.
  • Proper CRC algorithms are advantageous here because the probability of an undetected corruption converges to a constant residual value regardless of the data volume.
  • CRC32 is the 32-bit variant; its longer checksum gives a residual undetected-error probability of about 2^-32 for random corruption and therefore meets higher requirements. Note that a CRC is a linear code designed for random faults and is not a keyed integrity check: the comparison described here is a safety measure against soft errors, not protection against deliberate modification by a party that can write to the memory.
  • The alternative hash calculation is widely used and allows strong check values to be computed efficiently.
  • The method can be carried out independently for a large number of sub-areas of the memory devices, and this can also happen simultaneously.
  • The method can be repeated cyclically and, if the first check value and the second check value are equal in the current cycle, they can be stored as the old first check value and the old second check value for the next cycle. This has the advantage that the memory devices are continuously checked for memory errors and the old check values are continuously refreshed.
  • The memory size of the sub-areas can be less than 5%, in particular less than 1%, of the available memory size of the memory devices.
  • The aim is to choose a sufficiently small memory size. It is advantageous to subdivide the memory devices into as many relatively small sub-areas as possible and to carry out the method according to the invention in each of them. This increases the probability that corrupted data can be corrected, because it makes it more likely that no operational data changes took place in the affected sub-area between two cycles (a sub-area that was written since the last cycle no longer matches the old check value in either channel, so an error in it cannot be attributed to one channel).
  • The old check value can be stored in a check value memory of the first memory device and/or in a check value memory of the second memory device.
  • The invention further relates to a secure multi-channel computer for a railway system with at least one memory device per channel for synchronous storage of data.
  • The computer is designed to carry out the method according to one of the aforementioned embodiments.
  • The computer according to the invention can be designed as part of an interlocking device of a railway system.
  • The computer according to the invention can, for example, also be used in vehicles and other safety equipment.
  • The invention further relates to a provision device for storing and/or providing the computer program product.
  • The provision device is, for example, a data carrier that stores and/or provides the computer program product.
  • The provision device is, for example, a network service, a computer system, a server system, in particular a distributed computer system, a cloud-based computer system and/or a virtual computer system, which stores and/or provides the computer program product, preferably in the form of a data stream.
  • The provision takes place, for example, as a download in the form of a program data block and/or command data block, preferably as a file, in particular as a download file, or as a data stream, in particular as a download data stream, of the complete computer program product.
  • This provision can also take place, for example, as a partial download consisting of several parts, which is downloaded in particular via a peer-to-peer network or provided as a data stream.
  • Such a computer program product is, for example, read into a system using the provision device in the form of the data carrier and executes the program instructions so that the method according to the invention is carried out on a computer.
  • FIG. 1 shows a schematic representation of a railway system with a secure computer according to the invention in an exemplary embodiment.
  • FIG. 2 shows a schematic representation of an exemplary embodiment of the method according to the invention, which runs on the computer of FIG. 1.
  • An exemplary embodiment of a railway system 1 in FIG. 1 includes vehicles 2, routes 3, field elements 4 and interlocking devices 5. For the sake of clarity, only one example of each of these components of the railway system 1 is shown in FIG. 1.
  • The field element 4 shown in FIG. 1 is, for example, a light signal. Other field elements such as switches, level crossings, axle counters or the like can of course also be included.
  • The field element 4 in FIG. 1 also includes a control module 6, which in turn includes a secure computer 7 and which is controlled by the interlocking device 5.
  • The secure computer 7 according to the invention could alternatively or additionally also be used in other parts of the railway system, for example the interlocking device 5.
  • The secure computer 7 is shown enlarged in the upper part of FIG. 1.
  • In the exemplary embodiment of FIG. 1 the secure computer 7 is a so-called two-out-of-two system, that is, it comprises a first channel 8 and a redundant second channel 9.
  • The two channels 8, 9 are each connected to a data bus system 10, which in turn is connected to processing logic that is not described in detail.
  • The processing logic is designed to control field elements 4, such as the light signal shown in FIG. 1.
  • The first channel 8 and the second channel 9 of the secure computer 7 each comprise a separate controller 12. Furthermore, the first channel 8 comprises a first memory device 13 and the second channel 9 a second memory device 14. The two channels are also connected to one another via interfaces 15 so that data can be exchanged and compared.
  • The memory devices 13, 14 are RAM memories.
  • Memory errors in them can be, for example, bit flips, which can be triggered by external influences.
  • Such memory errors mean that the redundantly stored data in the memory devices 13, 14 are no longer completely identical, which can lead to an unsafe state. Memory errors of this kind can be recognised and automatically corrected by the method according to the invention.
  • The memory devices 13, 14 are each divided into many sub-areas, which are checked separately using the method according to the invention.
  • These sub-areas have, for example, a memory size of 1024 bytes, which is less than 1% of the available memory size of the memory devices 13, 14.
  • Other memory sizes are of course also possible.
  • Sub-areas that are small relative to the memory size are advantageous because then only a few sub-areas are affected by operational data writes during any one cycle, and the remaining sub-areas can be checked for memory errors.
  • In step 16 a first check value 17 is calculated for the data of a sub-area of the first memory device 13.
  • A checksum or a hash value determined by a hash function can serve as the check value.
  • In the exemplary embodiment a CRC32 checksum is used as the check value.
  • Likewise, a second check value 19 is calculated for the corresponding redundant sub-area of the second memory device 14.
  • The sub-areas in the memory devices 13, 14 hold the same data if there is no memory error.
  • In step 20 the first check value 17 and the second check value 19 are compared with one another. To carry out the comparison it may be necessary to exchange the check values 17, 19 between the channels 8, 9 via the interfaces 15.
  • If they are equal, in step 21 the first check value 17 is stored as the old first check value 22 and the second check value 19 as the old second check value 23. Since the first check value 17 and the second check value 19 are equal, a single old check value 22, 23 suffices.
  • The method can then be started again with step 16.
  • The method according to the invention can be run continuously in order to identify and rectify memory errors promptly after they occur.
  • If step 20 shows that the first check value 17 and the second check value 19 differ, a memory error has been detected. This alone does not reveal which of the two memory devices 13, 14 contains the memory error. To determine this and to correct the memory error automatically, the method continues with step 24.
  • In step 24 the first check value 17 is compared with the stored old check value 22, 23. At the same time or alternatively, the second check value 19 is compared with the old check value 22, 23.
  • The old check value 22, 23 was calculated and stored in a previous check cycle in which the check values 17, 19 were equal and there was therefore no memory error.
  • If the second check value 19 equals the old check value 22, 23, the data in the relevant sub-area of the second memory device 14 are correct, i.e. there is no memory error there.
  • The data of the sub-area of the first memory device 13, which are consequently recognised as the data corrupted by the memory error, are then replaced by the data of the sub-area of the second memory device 14. This is done in step 25.
  • Conversely, if the first check value 17 equals the old check value 22, 23, in step 26 the data of the sub-area of the second memory device 14 are automatically replaced by the data of the sub-area of the first memory device 13.
  • In step 27 the method can be ended or started again at step 16. In this case it is not strictly necessary to store the old check value 22, 23 again, since it has not changed compared with the previous old check value.
  • The method described can be carried out in parallel for many or even all sub-areas of the memory devices 13, 14.
  • FIG. 1 also shows, by way of example and schematically, a sub-area 28 of the first memory device 13.
  • The representation of sub-area 28 applies equally to the sub-areas of the second memory device 14, which are not shown.
  • Each memory device 13, 14 comprises a large number of sub-areas 28.
  • The method according to the invention is carried out independently for each of them in the secure computer 7, as described above and illustrated in FIG. 2.
  • Sub-area 28 is, for example, 1024 bytes in size.
  • Sub-area 28 in this case comprises a usable memory 29 and a check value memory 30.
  • The user data are stored in the usable memory 29.
  • User data here means the normal data stored during operation of the computer 7.
  • Each sub-area 28 in the first channel 8 therefore has a counterpart sub-area 28 in the second channel 9 in which the same user data are stored.
  • The old check value 22 or 23 is stored in the check value memory 30 so that it is available for the method according to the invention. This has the advantage that no separate storage location for the old check value 22, 23 is required.
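The check-and-repair cycle of FIG. 2 (steps 16 to 27) and the sub-area layout with the old check value kept in the check value memory 30, as an added worked example. This is model code written for this page, not code from the patent or from Siemens Mobility. Assumptions beyond the text: the check value memory 30 is the last 4 bytes of each 1024-byte sub-area, the CRC32 covers only the usable memory 29, and the two cases the page does not define (old-value copies that disagree, or neither channel matching the old value) fall back to the conventional two-out-of-two reaction, labelled "undecidable" here. The fault injection at the end also shows why small sub-areas matter: an operational write followed by a bit flip in the same cycle cannot be attributed to one channel.

```python
# Added example (not code from the patent or from Siemens): a Python model of the
# two-channel check-and-repair cycle described above, using CRC32 as the check value.
import random
import zlib

SUBAREA = 1024                 # the page's example sub-area size (sub-area 28)
CHECK_LEN = 4                  # a CRC32 check value needs 4 bytes
USABLE = SUBAREA - CHECK_LEN   # ASSUMPTION: check value memory 30 is the last 4 bytes
N_SUBAREAS = 16                # illustrative: 16 KiB per channel in this model


def crc32(block: bytes) -> int:
    """Check value over the usable memory 29 of one sub-area."""
    return zlib.crc32(block) & 0xFFFFFFFF


class Channel:
    """RAM of one channel (memory device 13 or 14), modelled as a flat bytearray."""

    def __init__(self, mem: bytearray) -> None:
        assert len(mem) % SUBAREA == 0
        self.mem = mem

    def usable(self, i: int) -> bytes:
        base = i * SUBAREA
        return bytes(self.mem[base:base + USABLE])

    def check_value(self, i: int) -> int:
        return crc32(self.usable(i))

    def old_value(self, i: int) -> int:
        base = i * SUBAREA + USABLE
        return int.from_bytes(self.mem[base:base + CHECK_LEN], "big")

    def store_old(self, i: int, value: int) -> None:
        base = i * SUBAREA + USABLE
        self.mem[base:base + CHECK_LEN] = value.to_bytes(CHECK_LEN, "big")

    def copy_usable_from(self, other: "Channel", i: int) -> None:
        base = i * SUBAREA
        self.mem[base:base + USABLE] = other.mem[base:base + USABLE]

    def write(self, offset: int, data: bytes) -> None:
        self.mem[offset:offset + len(data)] = data

    def flip_bit(self, offset: int, bit: int) -> None:
        self.mem[offset] ^= 1 << bit


def check_subarea(ch1: Channel, ch2: Channel, i: int) -> str:
    """One pass of FIG. 2 for sub-area i; returns what happened."""
    v1 = ch1.check_value(i)                    # step 16: first check value 17
    v2 = ch2.check_value(i)                    # second check value 19
    if v1 == v2:                               # step 20: no memory error
        ch1.store_old(i, v1)                   # step 21: keep as old check value 22 / 23
        ch2.store_old(i, v2)
        return "ok"
    old1, old2 = ch1.old_value(i), ch2.old_value(i)   # step 24
    if old1 != old2:
        # ASSUMPTION (not on the page): the old value lives in RAM too; if its two copies
        # disagree it cannot be trusted and the conventional 2oo2 reaction applies.
        return "undecidable"
    if v2 == old1:                             # channel 8 holds the corrupted data
        ch1.copy_usable_from(ch2, i)           # step 25
        return "repaired_ch1"
    if v1 == old1:                             # channel 9 holds the corrupted data
        ch2.copy_usable_from(ch1, i)           # step 26
        return "repaired_ch2"
    # Neither matches: the sub-area was written since the last cycle AND the channels
    # differ. The page does not define this case; modelled here as the classic shutdown.
    return "undecidable"


def sweep(ch1: Channel, ch2: Channel) -> list:
    """Background-process cycle over all sub-areas (may run per sub-area in parallel)."""
    return [check_subarea(ch1, ch2, i) for i in range(len(ch1.mem) // SUBAREA)]


def scenario() -> dict:
    """Constructed fault injection: random but identical RAM contents in both channels."""
    rng = random.Random(7)
    image = bytes(rng.getrandbits(8) for _ in range(N_SUBAREAS * SUBAREA))
    ch1, ch2 = Channel(bytearray(image)), Channel(bytearray(image))
    out = {"initial": sweep(ch1, ch2)}         # all "ok"; populates the old check values

    ch1.flip_bit(3 * SUBAREA + 100, 5)         # soft error in channel 8, sub-area 3
    out["flip_ch1"] = check_subarea(ch1, ch2, 3)
    out["ch1_matches_ch2"] = ch1.usable(3) == ch2.usable(3)

    ch2.flip_bit(5 * SUBAREA + 7, 0)           # soft error in channel 9, sub-area 5
    out["flip_ch2"] = check_subarea(ch1, ch2, 5)

    for ch in (ch1, ch2):                      # synchronous operational write, sub-area 9
        ch.write(9 * SUBAREA + 16, b"signal=RED")
    ch1.flip_bit(9 * SUBAREA + 200, 2)         # ...then a soft error before the next cycle
    out["write_then_flip"] = check_subarea(ch1, ch2, 9)

    for ch in (ch1, ch2):                      # operational write alone, sub-area 11
        ch.write(11 * SUBAREA, b"route=7")
    out["write_only"] = check_subarea(ch1, ch2, 11)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

The "write_then_flip" case is the one the page's small-sub-area advice targets: after the write, neither channel's current check value equals the stored old value, so the bit flip is detected (the channels differ) but cannot be corrected, and the system has to fall back to the conventional shutdown for that cycle. The smaller the sub-areas, the fewer of them are in that state at any moment.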
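A caveat on the "intentional alteration" remark and the "higher security" wording above, as an added example that is not part of the patent: CRC32 is a linear code built for random faults. A single bit flip always changes the check value, but a party that can write the sub-area can also choose 4 bytes so that the CRC32 of the modified data equals the original, and then both channels' check values still agree with the old check value and the comparison passes. The block below implements that fix-up for zlib's CRC32 (reflected polynomial 0xEDB88320, which is also the CRC32 of Ethernet and ZIP) by reversing the table lookups; the assumption that the last 4 bytes of the usable memory are free for the writer to use is this example's, not the page's.

```python
# Added example (not from the patent): why a CRC32 check value catches random bit flips
# but not a deliberate change by someone who can write the whole sub-area.
import zlib

POLY = 0xEDB88320                      # reflected CRC-32 polynomial as used by zlib
TABLE = []
for k in range(256):
    c = k
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of each table entry is unique, which is what makes the update reversible.
REV = {t >> 24: k for k, t in enumerate(TABLE)}
assert len(REV) == 256


def crc32(block: bytes) -> int:
    return zlib.crc32(block) & 0xFFFFFFFF


def crc32_fixup(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes such that crc32(prefix + fixup) == target."""
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF         # shift register after prefix, before final XOR
    want = target ^ 0xFFFFFFFF                     # register value needed after the 4 bytes
    ks, v = [], want
    for _ in range(4):                             # walk the register backwards: each step's
        k = REV[v >> 24]                           # table index is fixed by the top byte
        ks.append(k)
        v = ((v ^ TABLE[k]) << 8) & 0xFFFFFFFF
    fixup = bytearray()
    for k in reversed(ks):                         # now forwards: pick the byte hitting index k
        b = (reg ^ k) & 0xFF
        fixup.append(b)
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return bytes(fixup)


def tamper_keeping_crc(block: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite block[offset:] with `new`, then rewrite the last 4 bytes so the CRC32 of
    the whole block is unchanged.  ASSUMPTION: those 4 bytes are free (e.g. padding)."""
    target = crc32(block)
    body = bytearray(block[:-4])
    body[offset:offset + len(new)] = new
    return bytes(body) + crc32_fixup(bytes(body), target)


def demo() -> dict:
    original = bytes(range(255)) * 4               # constructed 1020-byte usable memory 29
    flipped = bytearray(original)
    flipped[100] ^= 0x20                           # random single-bit soft error
    forged = tamper_keeping_crc(original, 100, b"signal=GREEN")
    return {
        "flip_detected": crc32(bytes(flipped)) != crc32(original),
        "forged_changed": forged != original and forged[100:112] == b"signal=GREEN",
        "forged_undetected": crc32(forged) == crc32(original),   # the 2oo2 compare passes
    }


if __name__ == "__main__":
    print(demo())
```

The consequence for the scheme above is not a defect in its stated purpose: the comparison of two channels against a stored check value is a measure against random memory errors, and for those a CRC32 is a good fit. Detecting deliberate modification would need a keyed integrity check (a MAC) whose key the writer does not hold, which the page does not claim to provide.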

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Hardware Redundancy (AREA)
  • Techniques For Improving Reliability Of Storages (AREA)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102021209038.9A DE102021209038A1 (de) 2021-08-18 2021-08-18 Method for automatically detecting and correcting memory errors in a secure multi-channel computer
PCT/EP2022/071326 WO2023020807A1 (de) 2021-08-18 2022-07-29 Automatic detection and correction of memory errors in a secure multi-channel computer

Publications (1)

Publication Number Publication Date
EP4355633A1 (de) 2024-04-24

Family

ID=83059221

Family Applications (1)

Application Number Title Priority Date Filing Date
EP22758465.3A Pending EP4355633A1 (de) 2021-08-18 2022-07-29 Automatic detection and correction of memory errors in a secure multi-channel computer

Country Status (4)

Country Link
EP (1) EP4355633A1
CN (1) CN117769698A
DE (1) DE102021209038A1
WO (1) WO2023020807A1

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102004035901B4 (de) 2004-07-19 2016-02-04 Siemens Aktiengesellschaft Device for controlling a safety-critical process
DE102005023296B4 (de) * 2005-05-12 2007-07-12 Siemens Ag Train control system
DE102016206988A1 (de) * 2016-04-25 2017-10-26 Thales Deutschland Gmbh Server device running software for controlling a function of a rail-bound transport safety system

Also Published As

Publication number Publication date
DE102021209038A1 (de) 2023-02-23
WO2023020807A1 (de) 2023-02-23
CN117769698A (zh) 2024-03-26

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20240116

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR