GB2550412A - System and method for protecting data integrity - Google Patents


Info

Publication number
GB2550412A
Authority
GB (United Kingdom)
Prior art keywords
monitor
data
system parameter
checksum
message
Prior art date
Legal status
Granted
Application number
GB1608870.0A
Other versions
GB201608870D0 (en)
GB2550412B (en)
Inventor
Davis Andrew
Current Assignee
Ultra Electronics Ltd
Original Assignee
Ultra Electronics Ltd
Priority date
2016-05-20
Filing date
2016-05-20
Publication date
2017-11-22
2016-05-20: Application filed by Ultra Electronics Ltd
2016-05-20: Priority to GB1608870.0A
2016-07-06: Publication of GB201608870D0
2017-11-22: Publication of GB2550412A
2021-09-15: Application granted; publication of GB2550412B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/08 Error detection or correction by redundancy in data representation, e.g. by using checking codes
    • G06F11/10 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
    • G06F11/1004 Adding special bits or symbols to the coded information to protect a block of data words, e.g. CRC or checksum
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1629 Error detection by comparing the output of redundant processing systems
    • G06F11/1637 Error detection by comparing the output of redundant processing systems using additional compare functionality in one or some but not all of the redundant processing components
    • G06F11/1654 Error detection by comparing the output of redundant processing systems where the output of only one of the redundant processing components can drive the attached hardware, e.g. memory or I/O
    • G06F11/30 Monitoring
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G06F11/3072 Monitoring arrangements where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting
    • G06F11/3075 Monitoring arrangements where the reporting involves data filtering, the data filtering being achieved in order to maintain consistency among the monitored data, e.g. ensuring that the monitored data belong to the same timeframe, to the same system or component

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computer Security & Cryptography (AREA)
  • Hardware Redundancy (AREA)
  • Testing And Monitoring For Control Systems (AREA)
  • Detection And Prevention Of Errors In Transmission (AREA)

Abstract

A system 100 has two monitors 110, 120, which monitor the same system parameter 130 independently. They may use the same method or different methods of monitoring. The first monitor creates a message containing the measured parameter and a checksum. The checksum may be a cyclic redundancy check 140. The first monitor sends the message to the second monitor. The second monitor compares the parameter in the message with the value it has measured 150. If they are sufficiently close, the second monitor forwards the message to a downstream component. If they are not, the message is discarded. The second monitor does not have a checksum algorithm and does not generate a checksum.

Description

SYSTEM AND METHOD FOR PROTECTING DATA INTEGRITY
Technical Field
The present application relates to a system and method for protecting data integrity.
Background to the Invention
It is common in safety related or high integrity control systems to use redundant systems to protect data integrity, ensuring robustness to one or more faults. In the example of Figure 1, two physically independent monitors (monitors A and B) are used to measure a control parameter or system status, and a comparator is then used to compare the data from the two monitors. Commonly, data will only be communicated onwards into the system if the two monitors agree within pre-determined confidence limits. This design is intended to ensure that data integrity is not compromised by one or more faults.
The monitoring and comparison functions are often hosted in commercially available microprocessors or complex FPGA logic devices. These are internally complex items and their design is not normally public. It is difficult to know with confidence what effect any conceivable single failure within the microprocessor or FPGA may have on the observable behaviour of that device. Robust safety reasoning assumes that the functions must be segregated onto physically separate microprocessors to ensure that a single fault does not affect more than one function (and therefore the data integrity).
Data is normally protected from corruption in the onwards transmission using a data checksum (e.g. Cyclic Redundancy Check, CRC). Data integrity is normally assessed by either:
• a qualitative measure: how many faults are required before integrity is unsatisfactory; or
• a quantitative measure: what is the probability (e.g. per operating hour) that data integrity is unsatisfactory.
This approach, while effective, offers a number of opportunities for improvement:
1. This system requires three independent functions to achieve its aims.
2. A single failure of the comparison system could potentially disable the cross-check and corrupt the data. Effectiveness of the cross-check must be regularly assessed.
3. Designing functions with high confidence of integrity is expensive, requiring progressively more complex assurance checks. As the outputs of the monitors are cross-checked, their design integrity may be less than the required data integrity. However, the integrity of the comparison function must be in excess of the data integrity requirement.
Accordingly, a need exists for a system and method for monitoring data integrity in which the number of independent functions is reduced, and in which the design integrity required for the remaining functions is equal to that required for the monitor function in the prior art system discussed above.
Summary of Invention
According to a first aspect of the present invention there is provided a system for protecting integrity of data in a data system, the system comprising: a first monitor; and a second monitor, independent of the first monitor, wherein: the first monitor is configured to: measure a system parameter to generate first system parameter data; generate a data message, the data message including the first system parameter data and a data checksum for the first system parameter data; and transmit the data message to the second monitor; and wherein the second monitor is configured to: measure the system parameter, independently of the first monitor, to generate second system parameter data; compare the second system parameter data with the first system parameter data in the data message received from the first monitor; and if the result of the comparison is positive, transmit the data message, including the checksum, received from the first monitor to a downstream component of the data system.
The system of the present invention provides an improved method for assuring data integrity, which requires fewer independent components and reduced design integrity, in comparison to prior art systems.
The first monitor may be dissimilar to the second monitor. The use of dissimilar monitors enables the detection of both design errors and failures in the monitors.
Alternatively, the first monitor may be identical to the second monitor. In this case, only failure of the monitors can be detected.
The checksum may comprise a cyclic redundancy check (CRC) checksum.
According to a second aspect of the invention there is provided a method for protecting integrity of data in a data system, the method comprising: measuring a system parameter using a first monitor to generate first system parameter data; generating a data message, the data message including the first system parameter data and a data checksum for the first system parameter data; and transmitting the data message to a second monitor; measuring the system parameter using the second monitor, independently of the monitoring of the system parameter using the first monitor, to generate second system parameter data; comparing the second system parameter data with the first system parameter data in the data message received from the first monitor; and if the result of the comparison is positive, transmitting the data message, including the checksum, received from the first monitor to a downstream component of the data system.
The first monitor may be dissimilar to the second monitor.
Alternatively, the first monitor may be identical to the second monitor.
The checksum may comprise a cyclic redundancy check (CRC) checksum.
Brief Description of the Drawings
Embodiments of the invention will now be described, strictly by way of example only, with reference to the accompanying drawings, of which:
Figure 1 is a schematic representation of a known data integrity monitoring system; and Figure 2 is a schematic representation of a system for protecting data integrity.
Description of the Embodiments
Referring first to Figure 2, a system for protecting data integrity is shown generally at 100. The system 100 comprises independent first and second monitors 110, 120 which are operative to monitor, independently, a system parameter 130. The first and second monitors 110, 120 may be identical, or they may be dissimilar. The use of dissimilar first and second monitors 110, 120 reduces the risk that both the first and second monitors 110, 120 will fail in the same manner; if the first and second monitors are dissimilar a design defect in one of the monitors will not be reproduced in the other monitor.
The first monitor 110 measures the system parameter 130 to generate first system parameter data. The first monitor 110 includes a data checksum generator 140 which is operative to generate a data checksum for the first system parameter data, which may be, for example, a cyclic redundancy check (CRC). The first monitor 110 generates a fully encoded (but not encrypted) data message which includes the first system parameter data and the data checksum. This data message is transmitted to the second monitor 120.
The second monitor 120 also measures the system parameter 130, independently of the first monitor 110, and generates second system parameter data. The second monitor 120 includes a comparator 150, which compares the first system parameter data received in the data message from the first monitor 110 to the self-generated second system parameter data. Note that the second monitor 120 does not generate a data checksum for comparison and has no checksum algorithm; the comparator 150 of the second monitor compares only the first system parameter data to the second system parameter data.
If the result of the comparison performed by the comparator 150 is positive, in the sense that the second system parameter data is judged to be the same as the first system parameter data, within acceptable limits, then the data message generated by the first monitor 110, including the original data checksum, is transmitted to a downstream system component. On the other hand, if the second system parameter data is judged not to be the same as the first system parameter data (e.g. the degree of similarity between the first system parameter data and the second system parameter data is outside acceptable limits) then the data message is not passed on.
The system 100 assures the integrity of the system parameter data transmitted to the downstream component as follows.
As the second monitor 120 does not itself generate a data checksum, a valid checksum in the data message transmitted to the downstream component must have come from the first monitor 110.
For a strong checksum such as a CRC, corruption of the message received from the first monitor 110 by the second monitor 120 is highly unlikely to result in an erroneously valid checksum. Thus, a valid checksum transmitted onwards by the second monitor 120 is a reliable indication that the second monitor 120 has not corrupted the data message.
The first monitor 110 has no physical connection to the downstream components, and thus failure at the first monitor 110 cannot result in a direct transmission of incorrect data to the downstream components.
Thus, neither failure of the first monitor 110 alone, nor failure of the second monitor 120 alone, can result in the transmittal of an incorrect message with a valid checksum.
In order for an incorrect message to be sent, the first monitor 110 must generate an incorrect message and the second monitor 120 must incorrectly check the message that it receives from the first monitor.
Thus, for the integrity of the data transmitted by the second monitor 120 to be deemed unsatisfactory, both the first monitor 110 and the second monitor 120 must fail. On a quantitative measure, assuming the two monitors fail independently, the probability of unsatisfactory data is no greater than the product of the probability of failure or erroneous operation of the first monitor 110 and the probability of failure or erroneous operation of the second monitor 120.
Additionally, corruption by the second monitor 120 of the message received from the first monitor 110 prior to its onward transmission to the downstream component has exactly the same consequence as corruption of the message during its onward transmission to the downstream component, and will be detectable by an inconsistency between the checksum and the message data received at the downstream component.
Further, because the second monitor 120 compares the first system parameter data (generated by the first monitor 110 and received from it in the data message) with the second system parameter data that it generates itself, a second monitor whose own data is out of date, e.g. because the second system parameter data is stored historical data rather than a current measurement, will obtain a negative comparison result, and the message generated by the first monitor 110 will not be forwarded to the downstream component.
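The Figure 2 embodiment and the fault argument above, as an added Python model that is not code from the patent or from Ultra Electronics. Monitor A is the only component that holds a CRC routine; Monitor B decodes only the value field, compares it with its own reading and forwards the bytes it received unchanged; the downstream component is the only place the checksum is verified. The wire format (a 4-byte big-endian signed reading in sensor counts followed by a CRC-32), the tolerance of 3 counts and the sample readings are assumptions made for this example. The `run` helper injects the faults the description discusses: a wrong reading at A, a stale reading at B, a bit flip inside B after the comparison, and both monitors failing together. A last scenario shows the boundary of the argument: a CRC detects accidental corruption, so a B that does possess a checksum routine (or any party that can rewrite the message and recompute the CRC) is not caught; the patent's reasoning rests on independent random failures and on B having no checksum algorithm, not on resistance to a deliberate attacker.

```python
"""Runnable model of the two-monitor scheme: A measures and checksums,
B measures, compares and forwards unchanged, downstream verifies the CRC."""
import struct
import zlib
from typing import Callable, Dict, Optional

# Assumed wire format (the patent fixes none): 4-byte big-endian signed
# reading in raw sensor counts, followed by a CRC-32 over those 4 bytes.
VALUE = struct.Struct(">i")
CRC = struct.Struct(">I")
MESSAGE_LEN = VALUE.size + CRC.size
TOLERANCE = 3  # assumed agreement window, in sensor counts


def monitor_a_build_message(reading: int) -> bytes:
    """Monitor A (110): measure, then append a CRC-32 via generator 140.
    This is the only place in the system that computes a checksum."""
    payload = VALUE.pack(reading)
    return payload + CRC.pack(zlib.crc32(payload))


def monitor_b_forward(message: bytes, own_reading: int,
                      tolerance: int = TOLERANCE) -> Optional[bytes]:
    """Monitor B (120): no CRC routine at all. Comparator 150 reads only the
    value field, compares it with B's own independent reading, and either
    forwards the received bytes verbatim (original checksum included) or
    drops the message. It never rebuilds or re-checksums anything."""
    if len(message) != MESSAGE_LEN:
        return None
    (value_from_a,) = VALUE.unpack_from(message, 0)
    if abs(value_from_a - own_reading) > tolerance:
        return None
    return message


def downstream_accept(message: Optional[bytes]) -> Optional[int]:
    """Downstream component: recompute the CRC over the value field. A
    mismatch means the bytes changed after A produced them, whether inside
    B or on the link; the message is rejected either way."""
    if message is None or len(message) != MESSAGE_LEN:
        return None
    payload = message[:VALUE.size]
    (crc_received,) = CRC.unpack_from(message, VALUE.size)
    if zlib.crc32(payload) != crc_received:
        return None
    return VALUE.unpack(payload)[0]


def run(reading_a: int, reading_b: int, tolerance: int = TOLERANCE,
        tamper: Optional[Callable[[bytes], bytes]] = None) -> Optional[int]:
    """End-to-end pass. `tamper`, if given, models a fault inside B that
    alters the message after the comparison and before onward transmission.
    Returns the value accepted downstream, or None if it was rejected."""
    message = monitor_a_build_message(reading_a)
    forwarded = monitor_b_forward(message, reading_b, tolerance)
    if forwarded is not None and tamper is not None:
        forwarded = tamper(forwarded)
    return downstream_accept(forwarded)


def flip_bit(message: bytes) -> bytes:
    """Fault model: one bit of the value field is flipped inside B."""
    buf = bytearray(message)
    buf[3] ^= 0x01
    return bytes(buf)


def fault_scenarios() -> Dict[str, Optional[int]]:
    """The cases the description argues about, with constructed readings."""
    return {
        # A and B agree within tolerance: message and CRC pass through.
        "nominal": run(1000, 1001),
        # A alone fails (wrong reading): B's comparison is negative, dropped.
        "a_faulty": run(5000, 1000),
        # B alone fails with stale data: comparison negative, dropped.
        "b_stale": run(1000, 900),
        # B alone fails by corrupting the forwarded bytes: CRC-32 detects
        # every single-bit change, so downstream rejects it.
        "b_corrupts": run(1000, 1001, tamper=flip_bit),
        # Both fail: A is wrong and B's comparator accepts anything.
        "both_fail": run(5000, 1000, tolerance=10**9),
        # Outside the fault model: a B that can run a CRC routine forges a
        # well-formed message. A CRC is not a MAC and cannot catch this.
        "b_forges_with_crc": run(1000, 1001,
                                 tamper=lambda _m: monitor_a_build_message(5000)),
    }


if __name__ == "__main__":
    for name, accepted in fault_scenarios().items():
        print(f"{name:18s} -> {'rejected' if accepted is None else accepted}")
```

Running the module prints one line per scenario: `nominal` is accepted as 1000, `both_fail` and `b_forges_with_crc` are accepted as 5000, and the three single-fault cases are rejected. The single-fault rejections are the property the description claims; the last two rows are the cases it explicitly puts outside its fault model.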
It will be appreciated that the system 100 provides an improved method for assuring data integrity, in comparison to the prior art system described above in relation to Figure 1, as the system 100 requires only two independent components, rather than the three independent components required by the prior art system. Additionally, the design integrity required for the first and second monitors 110, 120, is reduced in comparison to the design integrity required for the comparator of the system of Figure 1. These factors help to reduce the costs involved in assuring data integrity in comparison to prior art systems.

Claims (10)

1. A system for protecting integrity of data in a data system, the system comprising: a first monitor; and a second monitor, independent of the first monitor, wherein: the first monitor is configured to: measure a system parameter to generate first system parameter data; generate a data message, the data message including the first system parameter data and a data checksum for the first system parameter data; and transmit the data message to the second monitor; and wherein the second monitor is configured to: measure the system parameter, independently of the first monitor, to generate second system parameter data; compare the second system parameter data with the first system parameter data in the data message received from the first monitor; and if the result of the comparison is positive, transmit the data message, including the checksum, received from the first monitor to a downstream component of the data system.
2. A system according to claim 1, wherein the first monitor is dissimilar to the second monitor.
3. A system according to claim 1, wherein the first monitor is identical to the second monitor.
4. A system according to any one of the preceding claims wherein the checksum comprises a cyclic redundancy check (CRC) checksum.
5. A system substantially as hereinbefore described with reference to the accompanying drawings.
6. A method for protecting integrity of data in a data system, the method comprising: measuring a system parameter using a first monitor to generate first system parameter data; generating a data message, the data message including the first system parameter data and a data checksum for the first system parameter data; and transmitting the data message to a second monitor; measuring the system parameter using the second monitor, independently of the monitoring of the system parameter using the first monitor, to generate second system parameter data; comparing the second system parameter data with the first system parameter data in the data message received from the first monitor; and if the result of the comparison is positive, transmitting the data message, including the checksum, received from the first monitor to a downstream component of the data system.
7. A method according to claim 6, wherein the first monitor is dissimilar to the second monitor.
8. A method according to claim 6, wherein the first monitor is identical to the second monitor.
9. A method according to any one of the preceding claims wherein the checksum comprises a cyclic redundancy check (CRC) checksum.
10. A method substantially as hereinbefore described with reference to the accompanying drawings.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1608870.0A GB2550412B (en) 2016-05-20 2016-05-20 System and method for protecting data integrity

Publications (3)

Publication Number Publication Date
GB201608870D0 GB201608870D0 (en) 2016-07-06
GB2550412A true GB2550412A (en) 2017-11-22
GB2550412B GB2550412B (en) 2021-09-15

Family

ID=56369667

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1608870.0A Active GB2550412B (en) 2016-05-20 2016-05-20 System and method for protecting data integrity

Country Status (1)

Country Link
GB (1) GB2550412B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1850229A1 (en) * 2006-04-28 2007-10-31 Marquardt GmbH Device and method for controlling a functional unit in a vehicle
US20080015794A1 (en) * 2005-10-03 2008-01-17 Building Protection Systems, Inc. Building protection system and method
EP2360593A2 (en) * 2010-01-28 2011-08-24 Honeywell International Inc. High integrity touch screen system
EP2719599A1 (en) * 2011-06-07 2014-04-16 Daesung Electric Co., Ltd. Device and method for detecting error in dual controller system

Also Published As

Publication number Publication date
GB201608870D0 (en) 2016-07-06
GB2550412B (en) 2021-09-15

Similar Documents

Publication Publication Date Title
US9602894B2 (en) Protected transmission of independent sensor signals
US20070021882A1 (en) Validating control system software variables
US9990245B2 (en) Electronic device having fault monitoring for a memory and associated methods
US7990880B2 (en) Detector and method for detecting abnormality in time synchronization
US20210374290A1 (en) Security device with extended reliability
US7590848B2 (en) System and method for authentication and fail-safe transmission of safety messages
US11061783B2 (en) Error detection circuit
EP2680148B1 (en) Information processing system, output control device, and data generating device
US9020684B2 (en) Method, system and computer programme product for monitoring the function of a safety monitoring system of a control unit
GB2550412A (en) System and method for protecting data integrity
US20160124853A1 (en) Diagnostic apparatus, control unit, integrated circuit, vehicle and method of recording diagnostic data
US11416332B2 (en) Protection for ethernet physical layer
US11632111B1 (en) Redundant control system fault protection using only two controllers
JP2017211792A (en) Interlock circuit
US20240013847A1 (en) Electronic circuit and method for self-diagnosis of a data memory
US12040032B2 (en) Electronic circuit and method for self-diagnosis of a data memory
CN114968654B (en) Error correcting code circuit and error correcting method
WO2020179050A1 (en) Communication monitoring device, communication monitoring method, and communication monitoring program
JP6101648B2 (en) Abnormal transmission detection apparatus and method
CA2952318C (en) Apparatus and method for communications in a safety critical system
JP3962956B6 (en) Information processing apparatus and information processing method
JP3962956B2 (en) Information processing apparatus and information processing method
Shishiba Implementation of a safety instrumented system
KR20240092600A (en) Circuits, systems, and methods for ecc fault detection
US20160314853A1 (en) Method and apparatus for identifying erroneous data in at least one memory element

Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977). Free format text: REGISTERED BETWEEN 20230216 AND 20230222