WO2022117379A1 - Method for providing a safe time signal - Google Patents
Method for providing a safe time signal
- Publication number
- WO2022117379A1 (PCT/EP2021/082418)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- time
- signal
- signals
- unit
- source
- Prior art date
Classifications (all entries fall under G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing)
- G06F11/00 Error detection; error correction; monitoring → G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance → G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault, not making use of redundancy in operation, in hardware, or in data representation → G06F11/0766 Error or fault reporting or storing → G06F11/0772 Means for error signaling, e.g. using interrupts, exception flags, dedicated error registers
- G06F11/00 → G06F11/07 → G06F11/0703 → G06F11/0706 … the processing taking place on a specific hardware platform or in a specific software environment → G06F11/0736 … in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function → G06F11/0739 … in a data processing system embedded in automotive or aircraft systems
- G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00 → G06F1/04 Generating or distributing clock signals or signals derived directly therefrom → G06F1/14 Time supervision arrangements, e.g. real time clock
- G06F11/00 → G06F11/07 → G06F11/0796 Safety measures, i.e. ensuring safe condition in the event of error, e.g. for controlling element
- G06F11/00 → G06F11/07 → G06F11/16 Error detection or correction of the data by redundancy in hardware → G06F11/1629 Error detection by comparing the output of redundant processing systems → G06F11/1641 … where the comparison is not performed by the redundant processing components
- G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity → G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer → G06F21/71 … to assure secure computing or processing of information → G06F21/72 … in cryptographic circuits → G06F21/725 … operating on a secure reference time value
Definitions
- The invention relates to a method for providing a safe time signal, in particular for safety-related applications, and to an arrangement for carrying out the method.
- A time signal is a signal that carries the current time and possibly the current date as information.
- In electronic controls and control devices, especially in embedded systems, e.g. for use in the vehicle sector, systems and software are increasingly being used that require an absolute time and date for safety-related functions.
- These signals are used, for example, in connection with file/data storage systems that record a date/time stamp for stored files or data whose "age" is relevant. This can be the case if this data is not programmed once and permanently during production but is replaced or supplemented by "newer" data once, several times or frequently over the service life.
- The OS timer, clock generator and the time clocks derived from them can be secured by a redundant and independently clocked module, usually in conjunction with a watchdog.
- However, this only applies to relative time values, e.g. a clock with very short periods, typically 1 ms up to 1 s, and therefore with relatively large tolerances of e.g. +/- 10% or +/- 20%. These security measures are therefore not sufficient or suitable for generating an absolute time signal.
- A signal derived from one source, e.g. from a GPS receiver (GPS: global positioning system) or an RTC module, does not offer sufficient security.
- The method presented is used to provide a particularly safe absolute time signal for safety-related applications.
- The method provides that a first time signal from a first time source and a second time signal from a second time source are received and evaluated by an arrangement for performing the method, the first time source and the second time source being independent of one another. This means that the operation of the first time source has no effect whatsoever on the operation of the second time source and vice versa.
- The two time signals provided are therefore also independent of one another, and there is no dependency between these two signals.
- A first unit in the arrangement fulfils an observer and comparator function. This means that this first unit observes or monitors the two time signals, or the data or information carried by these two time signals (which in particular represent time values), and compares them with one another. A detected deviation between the two time signals is then evaluated. The safe time signal is output on the basis of this evaluation. Tolerances or
- An independent time base can be assigned to the first unit, which is used in performing the observer and comparator function. In this way, the comparison can be carried out reliably and independently of any errors that may be transmitted with the two time signals.
- In one embodiment the observer and comparator function is cyclic, i.e. carried out on a regular basis.
- A second unit can also be provided, with which the different formats of the data carrying the two time signals can be matched to one another. In this way, time signals can be processed independently of their formats.
- A third unit can be provided, which triggers an error reaction in the event that the comparison results in a discrepancy between the two time signals that lies outside a specified tolerance. This third unit can also issue a status signal. However, this status signal can also be output by the described arrangement independently of the presence of this third unit.
- The presented method consequently makes it possible to remedy the initially explained lack of a reliable time signal in a network system, in particular within a vehicle, by taking appropriate measures, so that a sufficiently reliable absolute time signal can be made available for a safety-relevant application or function.
- a freezing of one of the two time sources can be detected.
- a fourth unit can be provided for this purpose.
- In at least some embodiments, the method provides that a time signal is supplied e.g. by a cloud server system via Wi-Fi connections. This is known, for example, as "UTC time" (UTC: Coordinated Universal Time) and is used in accordance with simple QM systems.
- Coordinated Universal Time is the world time valid today, which is used everywhere for time indications where a worldwide uniform time scale is required.
- Two GPS receivers are used, which are structurally separate and redundant, with modules from different manufacturers being used.
- A further independent time source such as
- A further embodiment provides for a combination of an aforementioned time source with a radio clock receiver. This can typically provide a universal atomic time.
- The time signals are available in such a way that the technology typically does not include special security measures for safeguarding the signals or their transmission or for detecting errors in them. Therefore, an undetected error and falsification of the time value can occur on one time source.
- The two time values, which are available in different representations, e.g. UTC ("Universal Time Code"), "GPS time" etc., are converted in a first step to a common, identical type of representation.
- Known deviations, e.g. leap seconds, counter overflows such as in the GPS time format every 1024 weeks, time zones or the like, are taken into account and corrected accordingly.
- The two time signals are observed and evaluated by a cyclically executed observer and comparator function.
- This observer function can be performed on a third and independent time base, e.g. the CPU timing and SW version of the control unit.
- Small deviations of both clocks, e.g. of the order of +/- 5 s, corresponding to the inaccuracy of the signal sources and transmission routes, are tolerated as "normal". In the case of larger and therefore erroneous deviations, a suitable error response can be initiated.
- the error response can also be graded and consist in the last safe time value continuing to be used for a further small tolerance time, or else the dependent functions or the entire system being put into a safe error state.
- the observer function also recognizes the freezing or no longer running (stuck-at error) of one or, in particular, both clocks.
- a sufficiently short "standstill" time of the clocks can be tolerated in accordance with the use of the reliable time signal. If the tolerance is exceeded, a suitable error response can be triggered as an alternative or in addition.
- the observer function also supplies at least one further status signal which indicates the integrity/correctness/degradation status of the time signal. There is also the option of triggering a further error reaction in the respective functions that use the time signal.
- The observer function can also tolerate initial "failures" of the signal sources, which are typically present immediately after the system is started up, and indicate them by means of a corresponding status.
- The method with a first time source and a second time source is described above and in the description of the figures. Of course, the method can also be carried out with more than these two time sources.
- FIG. 1 shows a schematic representation of an embodiment of the arrangement for carrying out the method presented.
- FIG. 2 shows a possible sequence of the presented method in a flowchart.
- FIG. 3 shows a further possible course of the presented method in a flowchart.
- FIG. 1 shows a schematic representation of an embodiment of the arrangement for carrying out the method described herein, which is denoted overall by reference number 10 .
- The representation also symbolically shows a globe 12 with a real world time 14, which is transmitted once via satellite 16 and independently via radio links 18.
- the two time signals 22 and 26 are input variables of the arrangement 10.
- the arrangement 10 performs an observer and compare function. This means that the arrangement observes or monitors the two time signals 22, 26 or the information that the two time signals 22, 26 carry, in particular cyclically, and compares them with one another.
- a first unit 30 is provided for this purpose, which compares the two time signals 22, 26 with one another and detects deviations, with tolerances being able to be taken into account. Since in this case the two time signals 22, 26 or the time values which they transmit are present in different representations, a second unit 32 is provided which converts the time values to a common type of representation.
- An absolute time specification can be represented in different ways.
- the UTC Unix timestamp which represents the current time as the number of seconds that have elapsed since January 1, 1970, is widely used.
- A time specification can also be stored, transmitted or agreed in "human" form as "year-month-day-hour:minute:second", either as "text" or in a data structure encoded by numbers, or, as is the case with "GPS time", as the number of weeks since January 6, 1980 plus the "seconds of the current week" as numerical values.
- Systematic, known deviations, e.g. in the form of leap seconds, are corrected.
- a third independent time base 34 is also provided, on the basis of which the observer and comparator function is carried out. This separate time base is also required in order to implement tolerance times during which invalid deviations or the failure of one or both signals are briefly tolerated.
- a third unit 36 triggers an error response 40 if detected deviations lie outside predetermined tolerances.
- a status signal 42 is output as a function of the comparison.
- A fourth unit 42 is provided, which is intended in particular to recognize the freezing of the two time signals 22, 26 at a plausible pair of values.
- the first unit 30 then outputs the safe time signal 46 as a function of the comparison made between the two time signals 22, 26.
- FIG. 2 shows a possible course of the method described in a flow chart.
- an arrangement for carrying out the method receives a first time signal, which has a first time value, and a second time signal, which has a second time value.
- the two time signals or time values are compared with one another.
- the safe time signal is formed and output from the result of the comparison, taking tolerances into account, together with a status signal that indicates the correctness or error state.
- an error reaction is triggered in a fourth step 56 after a tolerance time has elapsed.
- this safe-time function always outputs a time together with a separate status signal.
- FIG. 3 shows a further possible course of the method presented, in which case optional steps in particular are highlighted.
- In an optional startup phase 70, times are received in a first step 72. These are compared with one another in a second step 74. Then, in a third step 76, the times are verified several times and it is checked whether they are stable. If this is not the case, execution jumps back (arrow 78) to the first step 72. If it is the case (arrow 80), the startup phase 70 ends and the process continues with a fourth step 82. In this fourth step 82, times are received. In a fifth step 84, these times are compared with one another. If the comparison is successful and the times are within the tolerance (arrow 86), a safe time is output in a sixth step 88.
- Otherwise, a tolerance time is checked. If it is not exceeded (arrow 94), a jump back to the fourth step 82 takes place. If the tolerance time is exceeded, then in an eighth step 96 a transition to a safe state takes place.
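The conversion, comparison, stuck-at and tolerance-time logic of the flowcharts above, written out as an added example in Python; this is not code from the patent or its applicant. It assumes an ISO-8601 UTC string as the first time signal, a GPS week/seconds-of-week pair with a 10-bit week counter as the second, an 18 s GPS-to-UTC leap-second offset, a 5 s comparison tolerance, a 3 s stuck-at limit, a 10 s tolerance time and three stable startup cycles; these values, the class and function names, and the constructed input sequence in run_scenario are all illustrative assumptions.

```python
"""Two-source safe-time observer (added illustration, not the patent's own code).
Assumptions: ISO-8601 UTC string as source 1, GPS week/seconds-of-week as source 2."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

GPS_EPOCH_UNIX = 315964800       # 1980-01-06T00:00:00Z as a Unix timestamp
GPS_UTC_LEAP_OFFSET = 18         # assumption: GPS time is 18 s ahead of UTC (since 2017-01-01)
WEEK_SECONDS = 7 * 24 * 3600
GPS_WEEK_ROLLOVER = 1024         # the 10-bit GPS week counter wraps every 1024 weeks


class Status(Enum):
    STARTUP = "startup"    # sources not yet verified as stable after power-up
    OK = "ok"              # both sources agree within tolerance
    DEGRADED = "degraded"  # last safe value held while the tolerance time runs
    ERROR = "error"        # tolerance time exceeded: safe state


def gps_to_unix(week: int, sow: float, rollover_ref_unix: int) -> float:
    """GPS week/seconds-of-week -> UTC Unix time. The 1024-week ambiguity is resolved by
    taking the first rollover period at or after a known lower bound (e.g. the firmware
    build date); the leap-second offset is removed to land on the UTC scale."""
    t = GPS_EPOCH_UNIX + week * WEEK_SECONDS + sow - GPS_UTC_LEAP_OFFSET
    while t < rollover_ref_unix:
        t += GPS_WEEK_ROLLOVER * WEEK_SECONDS
    return t

def unix_to_gps(t: int) -> tuple:
    """Inverse of gps_to_unix with a wrapped 10-bit week; used here to build inputs."""
    gps_seconds = t - GPS_EPOCH_UNIX + GPS_UTC_LEAP_OFFSET
    return (gps_seconds // WEEK_SECONDS) % GPS_WEEK_ROLLOVER, gps_seconds % WEEK_SECONDS

def utc_to_unix(iso: str) -> float:
    """ISO-8601 UTC string 'YYYY-MM-DDTHH:MM:SSZ' -> Unix time."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def unix_to_iso(t: int) -> str:
    return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


@dataclass
class SafeTimeObserver:
    rollover_ref_unix: int           # lower bound used for GPS week disambiguation
    tolerance_s: float = 5.0         # deviation accepted as source/transport inaccuracy
    stuck_limit_s: float = 3.0       # standstill of the sources tolerated this long
    hold_limit_s: float = 10.0       # tolerance time before the safe state is entered
    startup_cycles: int = 3          # consecutive good cycles needed to leave startup
    status: Status = Status.STARTUP
    safe_time: Optional[float] = None
    _last_pair: Optional[tuple] = None
    _stuck_since: Optional[float] = None
    _fault_since: Optional[float] = None
    _stable: int = 0

    def step(self, tick: float, utc_iso: str, gps_week: int, gps_sow: float):
        """One cycle of the observer/comparator. `tick` is read from the independent
        third time base (monotonic seconds), never from the two sources themselves."""
        t1 = utc_to_unix(utc_iso)
        t2 = gps_to_unix(gps_week, gps_sow, self.rollover_ref_unix)
        # Stuck-at detection: both values unchanged while the local time base advances.
        if (t1, t2) == self._last_pair:
            self._stuck_since = tick if self._stuck_since is None else self._stuck_since
        else:
            self._stuck_since = None
        self._last_pair = (t1, t2)
        stuck = self._stuck_since is not None and tick - self._stuck_since > self.stuck_limit_s
        healthy = abs(t1 - t2) <= self.tolerance_s and not stuck

        if self.status is Status.ERROR:      # the safe state is latched until a reset
            return None, self.status
        if self.status is Status.STARTUP:    # initial failures are tolerated, not escalated
            self._stable = self._stable + 1 if healthy else 0
            if self._stable < self.startup_cycles:
                return None, self.status
        if healthy:
            self.status, self._fault_since = Status.OK, None
            self.safe_time = t1              # assumption: the UTC value is passed through
        elif self._fault_since is None or tick - self._fault_since <= self.hold_limit_s:
            self._fault_since = tick if self._fault_since is None else self._fault_since
            self.status = Status.DEGRADED    # graded response: keep the last safe value
        else:
            self.status, self.safe_time = Status.ERROR, None
        return self.safe_time, self.status


def run_scenario():
    """Constructed input: 1 s cycles from 2021-11-22T10:00:00Z. Source 2 deviates by 2 s
    (tolerated), then by 30 s (fault), recovers, and finally both sources freeze."""
    T0 = 1637575200
    obs = SafeTimeObserver(rollover_ref_unix=1609459200)    # assumption: built 2021-01-01
    feed = [(k, T0 + k, T0 + k) for k in range(3)]           # cycles 0-2: startup, agreeing
    feed += [(3, T0 + 3, T0 + 5), (4, T0 + 4, T0 + 34), (5, T0 + 5, T0 + 5)]
    feed += [(k, T0 + 5, T0 + 5) for k in range(6, 22)]      # cycles 6-21: both frozen
    statuses = []
    for tick, t_utc, t_gps in feed:
        week, sow = unix_to_gps(t_gps)
        _, status = obs.step(tick, unix_to_iso(t_utc), week, sow)
        statuses.append(status)
    return statuses, obs.safe_time
```

Two design points matter in practice. The `tick` argument must come from the third, independent time base; if it were derived from either source, a frozen source would also freeze the stuck-at timer and the standstill would never be detected. The GPS week disambiguation uses a lower bound that the firmware knows to be in the past, because a wrapped week counter otherwise yields a plausible but wrong absolute time, and the comparator can only catch such a value if the other source is not affected in the same way.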
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- Computer Hardware Design (AREA)
- Mathematical Physics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Electric Clocks (AREA)
- Synchronisation In Digital Transmission Systems (AREA)
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020237022468A KR20230110641A (ko) | 2020-12-03 | 2021-11-22 | Method for providing a safe time signal |
US18/245,593 US20230367666A1 (en) | 2020-12-03 | 2021-11-22 | Method for providing a reliable time signal |
JP2023533860A JP2024505610A (ja) | 2020-12-03 | 2021-11-22 | Method for providing a safe time signal |
CN202180081284.XA CN116547628A (zh) | 2020-12-03 | 2021-11-22 | Method for providing a safe time signal |
EP21819094.0A EP4256435A1 (de) | 2020-12-03 | 2021-11-22 | Method for providing a safe time signal |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102020215301.9A DE102020215301A1 (de) | 2020-12-03 | 2020-12-03 | Method for providing a safe time signal |
DE102020215301.9 | 2020-12-03 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022117379A1 (de) | 2022-06-09 |
Family
ID=78820372
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2021/082418 WO2022117379A1 (de) | Method for providing a safe time signal | 2020-12-03 | 2021-11-22 |
Country Status (7)
Country | Link |
---|---|
US (1) | US20230367666A1 (de) |
EP (1) | EP4256435A1 (de) |
JP (1) | JP2024505610A (de) |
KR (1) | KR20230110641A (de) |
CN (1) | CN116547628A (de) |
DE (1) | DE102020215301A1 (de) |
WO (1) | WO2022117379A1 (de) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9645553B1 (en) * | 2016-01-28 | 2017-05-09 | Raytheon Bbn Technologies Corp. | Secure time reference using multiple time sources |
2020
- 2020-12-03 DE DE102020215301.9A patent/DE102020215301A1/de active Pending
2021
- 2021-11-22 CN CN202180081284.XA patent/CN116547628A/zh active Pending
- 2021-11-22 WO PCT/EP2021/082418 patent/WO2022117379A1/de active Application Filing
- 2021-11-22 JP JP2023533860A patent/JP2024505610A/ja active Pending
- 2021-11-22 KR KR1020237022468A patent/KR20230110641A/ko unknown
- 2021-11-22 US US18/245,593 patent/US20230367666A1/en active Pending
- 2021-11-22 EP EP21819094.0A patent/EP4256435A1/de active Pending
Also Published As
Publication number | Publication date |
---|---|
KR20230110641A (ko) | 2023-07-24 |
CN116547628A (zh) | 2023-08-04 |
DE102020215301A1 (de) | 2022-06-09 |
US20230367666A1 (en) | 2023-11-16 |
EP4256435A1 (de) | 2023-10-11 |
JP2024505610A (ja) | 2024-02-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE102011121620B4 (de) | | Methods and systems for diagnosing hardware and software faults using time-stamped events |
EP2803154B1 (de) | | Method and master clock for generating fail-silent synchronization messages |
EP1743225B1 (de) | | Redundant automation system comprising a master and a standby automation device |
EP1966695A1 (de) | | Bus guardian of a subscriber of a communication system, and subscriber for a communication system |
WO2013096986A2 (de) | | Method for the time-correct merging of results from periodically operating computer components |
WO2022117379A1 (de) | | Method for providing a safe time signal |
EP3273352B1 (de) | | Computerized system |
WO2016049670A1 (de) | | Distributed real-time computer system and time-triggered distribution unit |
EP1046109B1 (de) | | Method and device for synchronizing and checking a processor and a monitoring circuit |
EP2520989B1 (de) | | Method for operating a highly available system with functional safety, and a highly available system with functional safety |
EP0907919B1 (de) | | Device for operating two functionally parallel-connected processors |
EP1025501B1 (de) | | Method and device for checking the error monitoring of a circuit |
DE102015218898A1 (de) | | Method for redundant processing of data |
DE102007010886B3 (de) | | Control unit for a vehicle |
EP1287435B1 (de) | | Device and method for synchronizing a system of coupled data processing installations |
EP3669278A1 (de) | | Method and device for feedback-free and integrity-protected synchronization of log data |
WO2009010321A1 (de) | | Redundant microprocessor system with clock checking |
EP2133762B1 (de) | | Method for monitoring a time base of a data processing unit, and data processing unit |
DE10319903B4 (de) | | Intrinsically safe computer arrangement |
WO2012019617A1 (de) | | Method and device for synchronizing events of autonomous systems |
DE10329116B3 (de) | | Method and device for generating time in a data processing unit |
DD234510A1 (de) | | Arrangement for testing and isolating defective computer nodes |
DE102017203479A1 (de) | | Circuit arrangement for monitoring a state base in a timer |
DE19803824A1 (de) | | Method and device for checking the error monitoring of a circuit |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21819094; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 202180081284.X; Country of ref document: CN; Ref document number: 2023533860; Country of ref document: JP |
| ENP | Entry into the national phase | Ref document number: 20237022468; Country of ref document: KR; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2021819094; Country of ref document: EP; Effective date: 20230703 |