
WO2009138137A1 - Method and device for error monitoring in a computer system (Procédé et dispositif de surveillance des erreurs dans un système informatique) - Google Patents


Info

Publication number
WO2009138137A1
Authority
WO
WIPO (PCT)
Prior art keywords
mode
pattern recognition
recognition algorithm
monitored
comparison
Prior art date
Legal status
Ceased
Application number
PCT/EP2008/066407
Other languages
German (de)
English (en)
Inventor
Eberhard Boehl
Bernd Mueller
Markus Ferch
Yorck Collani
Holger Banski
Current Assignee
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Priority date
2008-05-15
Filing date
2008-11-28
Publication date
2009-11-19
Application filed by Robert Bosch GmbH
Publication of WO2009138137A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F 11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F 11/0751 Error or fault detection not based on redundancy
    • G06F 11/0754 Error or fault detection not based on redundancy by exceeding limits
    • G06F 11/0757 Error or fault detection not based on redundancy by exceeding limits by exceeding a time limit, i.e. time-out, e.g. watchdogs
    • G06F 11/16 Error detection or correction of the data by redundancy in hardware
    • G06F 11/1629 Error detection by comparing the output of redundant processing systems
    • G06F 11/1641 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
    • G06F 2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F 2201/845 Systems in which the redundancy can be transformed in increased performance

Definitions

  • The invention relates to a method for error monitoring of a computer system having at least two arithmetic units, wherein the computer system is switched between a first and a second operating mode, the first operating mode corresponding to a performance mode and the second to a comparison mode, and to an apparatus for performing the method.
  • A method and a device for generating a signal in a computer system with a plurality of components, in which the system is switched between two operating modes, are already known (cf. the family citation DE102005037261A1 listed below).
  • the computer system works with two arithmetic units.
  • The different operating modes are intended to operate the computer system at least in a so-called performance mode as well as in a comparison mode.
  • In the performance mode the computing units contained in the computer system execute different programs.
  • In the comparison mode, however, identical programs are executed by both arithmetic units and the results of the two arithmetic units are compared with one another. If the results differ, an error signal is triggered.
  • The invention is based on the object of specifying a method and a device with which a computer system having at least two arithmetic units, which can work in different operating modes, regularly assumes a safe state.
  • the advantage of the invention is that both the comparison mode and the performance mode are monitored for errors. It is checked whether the computer system switches back to the comparison mode in a timely manner in which it is determined whether the arithmetic units are working correctly.
  • A pattern recognition algorithm monitors the timing of the operating modes; an error is detected when a temporal condition monitored by the pattern recognition algorithm is not maintained in the sequence of operating modes. Since the pattern recognition algorithm permits simultaneous monitoring of several variables that characterize the respective operating mode, the multiplicity of monitored conditions makes it possible to conclude in good time that an error has occurred as soon as only one of the conditions is violated.
  • The invention therefore also detects an error in the performance mode that prevents a return to the comparison mode, so that a safe state is assumed.
  • The method according to the invention allows as many program parts as possible to be run in the efficient performance mode, since this achieves a high computing power. At the same time, all program parts are monitored with a high level of error detection, which is particularly important for safety-relevant applications.
  • A particularly simple monitoring option is provided if the pattern recognition algorithm monitors the occurrence of the comparison mode by evaluating the occurrence of a mode signal.
  • This mode signal is set active during operation in the comparison mode and is inactive in the performance mode. The mode signal is therefore always active while the data of the two arithmetic units are being compared.
  • Monitoring the mode signal as such is not sufficient, however; the temporal behaviour of the mode signal must also be monitored.
  • The computer system changes more or less regularly back and forth between the performance and the comparison mode.
  • Faulty behaviour in the temporal sequence of the mode signal can be detected by comparison with predetermined reference values.
  • If the comparison mode is considered to be a particularly secure mode of the computer system, the safety objectives of the given application can be achieved by always adopting the comparison mode in good time. The duration of the comparison mode and/or of the performance mode is monitored; if it deviates from a given reference value, an error is detected here as well.
  • a check is carried out in that the maximum time in which the performance and / or the comparison mode are not interrupted is monitored by the pattern recognition algorithm.
  • lower and upper limits can be specified for these periods.
  • monitoring of periodic sequences of changing periods is possible.
  • the number of monitoring patterns is very diverse and can always be tailored to the particular application. This realization is particularly easy to set by a combination of hardware and software.
  • the number of activations of the performance and / or comparison mode is monitored by the pattern recognition algorithm.
  • the error monitoring by the pattern recognition algorithm is particularly easy to implement by monitoring the periodic occurrence of the comparison mode.
  • the computer system always assumes the comparison mode after a fixed period in the error-free case.
  • The pattern recognition algorithm monitors the ratio of comparison mode to performance mode within a given time span. This time span should advantageously correspond to one period.
  • a so-called budget is set, which specifies upper and / or lower limits for a number of variables to be measured, which are monitored by the pattern recognition algorithm.
  • the budget may limit the maximum duration of the computing system remaining in the compare mode as well as the maximum duration of operating the computer system in the performance mode. The same applies to a minimum duration.
  • The number of mode changes, or the number of changes in a certain direction, is limited. With this configuration, compliance with the time span for which a budget is specified, i.e. the period, must be monitored on the one hand, and compliance with the budget within that period on the other.
  • A device for error monitoring of a computer system having at least two computing units is also described, wherein the computer system switches between a first and a second operating mode, the first operating mode corresponding to a performance mode and the second to a comparison mode.
  • The regular assumption of a safe state is ensured if the device contains a monitoring logic with a pattern recognition algorithm that monitors the operating modes, the monitoring logic outputting an error signal if at least one operating mode deviates from the pattern expected by the pattern recognition algorithm.
  • The pattern recognition algorithm of the monitoring logic counts the occurrences of the mode signal.
  • The temporal behaviour of the performance and/or comparison mode can easily be evaluated by the pattern recognition algorithm of the monitoring logic.
  • The monitoring logic has an interface to which the input data evaluated by the pattern recognition algorithm are applied.
  • FIG. 1 Monitoring logic for a computer system with at least two arithmetic units
  • FIG. 4 monitoring pattern for a first budget
  • FIG. 5 Monitoring pattern for a second budget
  • FIG. 1 shows a monitoring logic 100 in which a pattern recognition algorithm is implemented in hardware; it monitors the work of computing units (not shown) which operate on the one hand in the performance mode and on the other hand in a comparison mode.
  • To implement the pattern recognition algorithm, one or more timers 101 are needed, which are incremented with each rising edge of the system clock or of a clock derived from the system clock.
  • In order to register changes of the mode signal, a counter 102 is present.
  • A memory 103 holds reference values, configuration parameters and timer values. For comparing actual values with target values, a comparator 104 is necessary.
  • A logic 105 for averaging is integrated into the monitoring logic 100.
  • the monitoring logic 100 receives the system clock 106, a signal 107 for the system reset and the mode signal 108 as input signals. Furthermore, a connection 109 to the internal system bus (not shown further) is present.
  • the output signal of the monitoring logic 100 which is output via the connection 109 to the internal system bus, is a 1-bit wide error signal, via which a deviation from the expected time behavior of the mode signal is signaled. Error signal active means that an error has occurred in the time sequence of the mode signal. In addition to a 1-bit wide signal, a dual rail or other implementation capable of transmitting this information is also possible.
  • The error signal is advantageously active during configuration, since no monitoring takes place while the logic is being configured.
  • A configuration bit is provided as protection against incorrect configuration accesses: a reconfiguration of the monitoring logic 100 during operation is not possible without setting the configuration bit. Should a configuration access nevertheless be made during operation of the monitoring logic 100, the error signal of the monitoring logic 100 is activated automatically the moment the configuration bit is set. The monitoring logic 100 begins monitoring the mode signal 108 as soon as the configuration bit is cleared.
  • At start-up the monitoring logic is unconfigured and therefore has an active error signal. Once the error signal has been set, it can only be reset by reconfiguration, i.e. by setting and then clearing the configuration bit.
  • a buffer time is kept between the completion of the configuration of the monitoring logic 100 and the start of monitoring by the monitoring logic 100.
  • the monitoring logic 100 is intended to check, by monitoring the temporal behavior of the mode signal, whether the computer system is operating in the desired manner.
  • three working modes are to be differentiated for which the monitoring of the mode signal has to be carried out differently.
  • In a permanent performance mode, the computer system is operated exclusively in the performance mode. A switch to the comparison mode never takes place, so the mode signal is never activated; an activation of the mode signal therefore represents an error case.
  • In a permanent comparison mode, the mode signal is permanently active; the error state to be detected in this case is a deactivation of the mode signal.
  • the computer system changes more or less regularly between the performance and comparison modes.
  • An erroneous behavior in the temporal sequence of the mode signal is detected by comparison with stored reference values.
  • the monitoring of the mode signal in the permanent performance or comparison mode is realized by comparing the mode signal with the constant values "0" and "1".
  • When monitoring the change between the performance and comparison modes, the monitoring logic must ensure, in addition to observing the mode signal, that all transitions between performance and comparison mode occur at the correct time and, if possible, that the correct software tasks are executed.
  • The monitoring logic 100 can now monitor various monitoring patterns. Assuming that the comparison mode is a particularly secure mode, the safety objectives of the application can be achieved by ensuring that the comparison mode is always adopted in time. It is checked whether the comparison mode is adopted at the latest after a certain duration, for example every x ms; that is, the maximum duration for which the performance mode is not interrupted is monitored. This is realized by a timer which is periodically incremented or decremented and which expires, outputting a corresponding signal, when a certain value (e.g. 0) is reached.
  • the monitoring is shown in FIG.
  • The starting point in block 200 is the performance mode in which the computer system is located. In block 201 the timer is initialized, and it starts running in block 202. In block 203 it is then queried whether the comparison mode is adopted before the timer expires, which can be determined simply from the presence of the mode signal. If this is not the case, the monitoring logic 100 outputs an error signal in block 204.
  • With the transition to the comparison mode, the timer is paused (block 205).
  • The computer system now operates in the comparison mode (block 206).
  • When the computer system jumps back into the performance mode, the timer is re-armed in block 208 on this state transition. The sequence returns to block 202, where the timer runs and monitoring begins again.
  • Another monitoring pattern is that the monitoring ensures that the comparison mode is always accepted after a fixed period in the error-free case. This is particularly advantageous when all tasks of the comparison mode are periodic. It is checked whether the comparison mode after the last time of its activation is exactly accepted at a certain time again. This time is provided with a so-called jitter, which means that the specific time may be within a predetermined time window.
  • the computer system is initially in performance mode (block 300).
  • a timer is initialized, with the timer running in block 302.
  • block 303 it is queried whether the comparison mode was accepted in the correct time window. If this is not the case, the monitoring logic 100 outputs an error message in block 304.
  • the timer is stopped with the transition of the computer system from the performance mode to the comparison mode (block 305).
  • the computer system operates in block 306 in comparison mode.
  • When the computer system jumps back into the performance mode, the timer is re-armed on this state change (block 308).
  • The timer starts running again in block 302 and monitoring starts again. Here the timer does not monitor a maximum length but a period.
  • A further monitoring pattern is compliance with a budget for the ratio of comparison mode to performance mode within a period.
  • For example, within a 40 ms period the performance mode should be used for 39 ms and the comparison mode for 1 ms.
  • the first check is to check whether there is a budget update every 40 ms, that is, a re-assessment of the budget, whereby the budget is released periodically by the software.
  • the second check is whether the ratio of performance mode to comparison mode is within an acceptable range, advantageously 39: 1.
  • the basic form of a budget is explained in FIG.
  • The budget 400 indicates upper bounds for a number of quantities measured by the monitoring logic 100.
  • The maximum duration, e.g. x ms, for the comparison mode is limited in budget unit 401.
  • The maximum duration, e.g. y ms, for the performance mode is limited in budget unit 402.
  • the maximum duration can also be specified in clock cycles or a multiple of clock cycles.
  • the maximum number of mode changes n is set in the budget unit 404, while in the budget unit 405, the maximum number m of switching from the compare mode to the performance mode is set.
  • The budget 500 consists of the budget unit 501, in which the minimum x1 and the maximum x2 for the dwell time of the computer system in the comparison mode are determined.
  • Similarly, the minimum y1 and the maximum y2 for the dwell time of the computer system in the performance mode are specified.
  • the period (minimum zl and maximum z2) until the next budget update is listed in the budget unit 503.
  • the change of the mode signal, which is monitored with the budget unit 504 is a number of minimum nl to maximum n2.
  • the number of changes from the comparison mode to the performance mode can be from minimum ml to maximum m2 (budget unit 505). In addition to the conditions listed, other conditions may be added depending on the application.
  • The budget of a budget unit, such as budget unit 401 in which the maximum dwell time x in the comparison mode is limited, is managed using a counter.
  • the counter associated with budget unit 401 is incremented at each system clock at which the system is in compare mode.
  • the counter associated with budget unit 402 is incremented on system clocks when the system is in performance mode.
  • The counter associated with budget unit 403 is incremented at each system clock, regardless of the mode.
  • a mode change counter (budget units 404 or 504) is incremented each time the mode is changed. If, as with the budget units 405 and 505, only a certain direction of the mode change is to be counted, this is selected accordingly.
  • If one of the budget limits is exceeded, the monitoring logic 100 outputs an error message.
  • One option for the next budget update within the monitoring logic 100 is to define a fixed time.
  • Alternatively, the budget is updated again after a fixed number of mode changes.
  • Or the next mode change triggers the budget update.
  • The counters can also be implemented by decrementing; a budget update then sets them to a new maximum value. Instead of performing a decrement or increment at every system clock, counting can also be done in a coarser unit, for example every 8 clock cycles.
  • the budget update may be enabled by software accessing the monitoring logic 100.
  • the monitoring logic 100 requires an interface, which is shown in FIG. It consists of a configuration interface 110 for the budget, in which all values of the budget units 401 to 405 or 501 to 505 are stored, and a user interface 111 for the budget update.
  • This user interface 111 is addressed by the software. One bit is sufficient, which is regularly set within the budget or changes its value.
  • the software budget update provides an additional monitoring option that ensures that within the correct time window, the part of the software necessary to operate the budget update actually runs.
  • the corresponding maximum value of the budget share is set to 0.
  • A further optimization is, for example, not to store both x1 and x2 in budget unit 501, but only x1 and the fixed difference to x2.
  • Patterns can also be monitored within these periods, such as the periodic sequence 1 ms comparison mode, 5 ms performance mode, 2 ms comparison mode, 10 ms performance mode, etc.
  • a timer and one or two counters can be used to measure the number of activations of comparison mode or performance mode or both per unit of time.
  • the monitoring is deactivated by a corresponding configuration.
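The timeout pattern (blocks 200 to 208), the period-with-jitter pattern (blocks 300 to 308) and the constant comparison used for the permanent modes, as an added Python simulation that is not part of the patent or of any Bosch implementation. It samples a constructed mode-signal trace once per system clock; the names PERF/COMP, make_trace and the check_* functions, as well as the cycle counts used, are assumptions for illustration, and the real monitoring logic is hardware.

```python
# Added example (not from the patent): cycle-level simulation of the
# timer-based monitoring patterns over a constructed mode-signal trace.
# Names and cycle counts are assumptions.
from typing import List, Sequence, Tuple

PERF, COMP = 0, 1  # mode signal: inactive in performance mode, active in comparison mode


def make_trace(segments: Sequence[Tuple[int, int]]) -> List[int]:
    """Expand (mode, cycles) segments into one mode-signal sample per system clock."""
    return [mode for mode, cycles in segments for _ in range(cycles)]


def check_permanent(trace: Sequence[int], expected: int) -> List[int]:
    """Permanent performance (expected=PERF) or permanent comparison mode
    (expected=COMP): the signal is compared against a constant.  Returns the
    cycle indices at which it deviates, i.e. where the error signal would go active."""
    return [i for i, mode in enumerate(trace) if mode != expected]


def check_max_performance(trace: Sequence[int], max_perf_cycles: int) -> List[int]:
    """Pattern 1: a timer armed on entry to performance mode must not expire
    before the comparison mode is entered again.  The timer is paused in
    comparison mode and re-armed on the next transition to performance mode."""
    errors: List[int] = []
    timer = 0
    for i, mode in enumerate(trace):
        if mode == COMP:
            timer = 0          # paused / re-armed: the performance-mode run is over
            continue
        timer += 1
        if timer > max_perf_cycles:
            errors.append(i)   # expiry: comparison mode was not adopted in time
            timer = 0          # report each expiry once; the real signal stays latched
    return errors


def check_periodic(trace: Sequence[int], period: int, jitter: int) -> List[int]:
    """Pattern 2: after each activation of the comparison mode, the next
    activation must fall within [period - jitter, period + jitter] cycles."""
    errors: List[int] = []
    last_rise = None   # cycle of the last PERF->COMP edge, None until one is seen
    prev = PERF
    for i, mode in enumerate(trace):
        rising = prev == PERF and mode == COMP
        if rising:
            if last_rise is not None and not (period - jitter <= i - last_rise <= period + jitter):
                errors.append(i)     # too early or too late
            last_rise = i
        elif last_rise is not None and i - last_rise > period + jitter:
            errors.append(i)         # window passed without any activation
            last_rise = None         # wait for the next activation before measuring again
        prev = mode
    return errors
```

On a constructed trace of 39 cycles performance mode followed by 1 cycle comparison mode, repeated, both checks stay silent with a 39-cycle maximum and a 40-cycle period with 2 cycles of jitter; a run of 45 performance cycles trips the timeout at the 40th cycle of that run and the periodic check at the end of its window, and a comparison mode that returns after only 20 cycles is caught by the periodic check alone, which is why the patent monitors lower limits as well as upper ones.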
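The budget monitor with minimum and maximum limits per period (budget units 501 to 505 style), the per-clock counters, the configuration bit with its latched error signal and the software-driven budget update, as an added Python model that is not the patent's own nor any Bosch code. The Budget and BudgetMonitor names, the first_error_cycle driver and the 39:1 example budget are assumptions; "cycles" here stand in for system clocks or the coarser counting unit mentioned above, and the real logic is hardware.

```python
# Added example (not from the patent): cycle-level model of the budget monitor
# with min/max limits, configuration bit, latched error and budget update.
# All names and limits are assumptions.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Limits = Tuple[int, int]  # (minimum, maximum) per budget period


@dataclass(frozen=True)
class Budget:
    comp_cycles: Limits    # x1, x2: dwell time in comparison mode
    perf_cycles: Limits    # y1, y2: dwell time in performance mode
    period_cycles: Limits  # z1, z2: time until the next budget update
    mode_changes: Limits   # n1, n2: mode changes in either direction
    comp_to_perf: Limits   # m1, m2: changes from comparison to performance mode


class BudgetMonitor:
    """Counters advance once per system clock; maxima are checked every clock,
    minima (and the period itself) at the budget update."""

    def __init__(self, budget: Budget) -> None:
        self.budget = budget
        self.config_bit = True   # after reset: unconfigured, so the error signal is active
        self.error = True
        self.prev_mode: Optional[int] = None
        self._reset_counters()

    def _reset_counters(self) -> None:
        self.comp = self.perf = self.period = self.changes = self.c2p = 0

    def configure(self, budget: Budget) -> None:
        """Setting the configuration bit stops monitoring and forces the error signal."""
        self.config_bit = True
        self.error = True
        self.budget = budget

    def start(self) -> None:
        """Clearing the configuration bit is the only way to clear a latched error."""
        self.config_bit = False
        self.error = False
        self.prev_mode = None
        self._reset_counters()

    def clock(self, mode: int) -> bool:
        """One system clock with the sampled mode signal (1 = comparison mode).
        Returns the current error signal."""
        if self.config_bit:
            return self.error
        b = self.budget
        self.period += 1
        if mode:
            self.comp += 1
        else:
            self.perf += 1
        if self.prev_mode is not None and mode != self.prev_mode:
            self.changes += 1
            if self.prev_mode == 1:
                self.c2p += 1
        self.prev_mode = mode
        # An upper bound is violated as soon as its counter passes the maximum.
        if (self.comp > b.comp_cycles[1] or self.perf > b.perf_cycles[1]
                or self.period > b.period_cycles[1] or self.changes > b.mode_changes[1]
                or self.c2p > b.comp_to_perf[1]):
            self.error = True
        return self.error

    def budget_update(self) -> bool:
        """Software toggles the user-interface bit: the period and all minima
        are checked now, then every counter restarts.  Returns the error signal."""
        if self.config_bit:
            return self.error
        b = self.budget
        observed = [(self.period, b.period_cycles), (self.comp, b.comp_cycles),
                    (self.perf, b.perf_cycles), (self.changes, b.mode_changes),
                    (self.c2p, b.comp_to_perf)]
        if any(not lo <= value <= hi for value, (lo, hi) in observed):
            self.error = True
        self._reset_counters()
        return self.error


def first_error_cycle(monitor: BudgetMonitor, segments: Sequence[Tuple[int, int]],
                      update_after: Sequence[int]) -> Optional[int]:
    """Clock a constructed (mode, cycles) trace into the monitor, calling
    budget_update after each cycle index listed in update_after; return the
    first cycle at which the error signal is active, or None."""
    trace = [mode for mode, cycles in segments for _ in range(cycles)]
    for i, mode in enumerate(trace):
        if monitor.clock(mode):
            return i
        if i in update_after and monitor.budget_update():
            return i
    return None


# Constructed 40-cycle budget: 39 cycles performance mode, 1 cycle comparison mode.
EXAMPLE_BUDGET = Budget(comp_cycles=(1, 1), perf_cycles=(39, 39), period_cycles=(40, 40),
                        mode_changes=(1, 2), comp_to_perf=(0, 1))
```

A budget update that never arrives is caught by the period counter alone, which is what makes the software-driven update a liveness check on the software as well as on the mode signal; and because the error is latched, only configure() followed by start() clears it, matching the configuration-bit rule described above.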

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a method for error monitoring of a computer system comprising at least two arithmetic units, which can be switched between a first and a second operating mode. The first operating mode corresponds to a performance mode, while the second operating mode corresponds to a comparison mode. In a method according to which the computer system, which comprises at least two arithmetic units and can operate in different operating modes, regularly assumes a safe state, a pattern recognition algorithm monitors the operating modes, and an error can be identified when at least one operating mode deviates from the pattern recognition algorithm.
PCT/EP2008/066407, priority date 2008-05-15, filing date 2008-11-28: Method and device for error monitoring in a computer system (Procédé et dispositif de surveillance des erreurs dans un système informatique), status Ceased, WO2009138137A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102008001806.6 2008-05-15
DE200810001806 DE102008001806A1 (de) 2008-05-15 2008-05-15 Verfahren und Vorrichtung zur Fehlerüberwachung eines Rechnersystems

Publications (1)

Publication Number Publication Date
WO2009138137A1 true WO2009138137A1 (fr) 2009-11-19

Family

ID=40843259

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2008/066407 Ceased WO2009138137A1 (fr) 2008-05-15 2008-11-28 Procédé et dispositif de surveillance des erreurs dans un système informatique

Country Status (2)

Country Link
DE (1) DE102008001806A1 (fr)
WO (1) WO2009138137A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102011107104B4 (de) * 2011-07-12 2020-11-12 Giesecke+Devrient Mobile Security Gmbh Tragbares Sicherheitsmodul und Verfahren zu dessen Betrieb zur Abwehr eines Angriffs in Echtzeit per Mustererkennung

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6615366B1 (en) * 1999-12-21 2003-09-02 Intel Corporation Microprocessor with dual execution core operable in high reliability mode
WO2006045782A2 (fr) * 2004-10-25 2006-05-04 Robert Bosch Gmbh Procede et dispositif de commutation de mode de fonctionnement d'un systeme multiprocesseur par l'intermediaire d'au moins un signal externe
WO2006045781A2 (fr) * 2004-10-25 2006-05-04 Robert Bosch Gmbh Procede et dispositif de commutation dans un systeme d'ordinateur comportant au moins deux unites d'execution
US20060242517A1 (en) * 2005-04-26 2006-10-26 Christopher Pedley Monitoring a data processor to detect abnormal operation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102005037261A1 (de) 2005-08-08 2007-02-15 Robert Bosch Gmbh Verfahren und Vorrichtung zur Erzeugung eines Signals bei einem Rechnersystem mit mehreren Komponenten

Also Published As

Publication number Publication date
DE102008001806A1 (de) 2009-11-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08874258; Country of ref document: EP; Kind code of ref document: A1)
122 Ep: pct application non-entry in european phase (Ref document number: 08874258; Country of ref document: EP; Kind code of ref document: A1)