GB2550412A - System and method for protecting data integrity - Google Patents
- Publication number
- GB2550412A (application GB1608870.0A)
- Authority
- GB
- United Kingdom
- Prior art keywords
- monitor
- data
- system parameter
- checksum
- message
- Prior art date
- Legal status
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1629—Error detection by comparing the output of redundant processing systems
- G06F11/1637—Error detection by comparing the output of redundant processing systems using additional compare functionality in one or some but not all of the redundant processing components
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
- G06F11/10—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
- G06F11/1004—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's to protect a block of data words, e.g. CRC or checksum
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1629—Error detection by comparing the output of redundant processing systems
- G06F11/1654—Error detection by comparing the output of redundant processing systems where the output of only one of the redundant processing components can drive the attached hardware, e.g. memory or I/O
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3065—Monitoring arrangements determined by the means or processing involved in reporting the monitored data
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3065—Monitoring arrangements determined by the means or processing involved in reporting the monitored data
- G06F11/3072—Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting
- G06F11/3075—Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting the data filtering being achieved in order to maintain consistency among the monitored data, e.g. ensuring that the monitored data belong to the same timeframe, to the same system or component
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Computer Security & Cryptography (AREA)
- Hardware Redundancy (AREA)
- Testing And Monitoring For Control Systems (AREA)
- Detection And Prevention Of Errors In Transmission (AREA)
Abstract
A system 100 has two monitors 110, 120, which monitor the same system parameter 130 independently. They may use the same method or different methods of monitoring. The first monitor creates a message containing the measured parameter and a checksum. The checksum may be a cyclic redundancy check 140. The first monitor sends the message to the second monitor. The second monitor compares the parameter in the message with the value it has measured 150. If they are sufficiently close, the second monitor forwards the message to a downstream component. If they are not, the message is discarded. The second monitor does not have a checksum algorithm and does not generate a checksum.
Description
SYSTEM AND METHOD FOR PROTECTING DATA INTEGRITY
Technical Field
The present application relates to a system and method for protecting data integrity.
Background to the Invention
It is common in safety related or high integrity control systems to use redundant systems to protect data integrity, ensuring robustness to one or more faults. In the example of Figure 1, two physically independent monitors (monitors A and B) are used to measure a control parameter or system status, and a comparator is then used to compare the data from the two monitors. Commonly, data will only be communicated onwards into the system if the two monitors agree within pre-determined confidence limits. This design is intended to ensure that data integrity is not impacted by one or more faults.
The monitoring and comparison functions are often hosted in commercially available microprocessors or complex FPGA logic devices. These are internally complex items and their design is not normally public. It is difficult to know with confidence what effect any conceivable single failure within the microprocessor or FPGA may have on the observable behaviour of that device. Robust safety reasoning assumes that the functions must be segregated onto physically separate microprocessors to ensure that a single fault does not affect more than one function (and therefore the data integrity).
Data is normally protected from corruption in the onwards transmission using a data checksum (e.g. Cyclic Redundancy Check, CRC). Data integrity is normally assessed by either:
- a qualitative measure: how many faults are required before integrity is unsatisfactory; or
- a quantitative measure: what is the probability (e.g. per operating hour) that data integrity is unsatisfactory.
This approach, while effective, offers a number of opportunities for improvement:
1. This system requires three independent functions to achieve its aims.
2. A single failure of the comparison system could potentially disable the cross-check and corrupt the data. Effectiveness of the cross-check must be regularly assessed.
3. Designing functions with high confidence of integrity is expensive, requiring progressively more complex assurance checks. As the outputs of the monitors are cross-checked, their design integrity may be less than the required data integrity. However, the integrity of the comparison function must be in excess of the data integrity requirement.
Accordingly, a need exists for a system and method for monitoring data integrity in which the number of independent functions is reduced, and in which the design integrity required for the remaining functions is equal to that required for the monitor function in the prior art system discussed above.
Summary of Invention
According to a first aspect of the present invention there is provided a system for protecting integrity of data in a data system, the system comprising: a first monitor; and a second monitor, independent of the first monitor, wherein: the first monitor is configured to: measure a system parameter to generate first system parameter data; generate a data message, the data message including the first system parameter data and a data checksum for the first system parameter data; and transmit the data message to the second monitor; and wherein the second monitor is configured to: measure the system parameter, independently of the first monitor, to generate second system parameter data; compare the second system parameter data with the first system parameter data in the data message received from the first monitor; and if the result of the comparison is positive, transmit the data message, including the checksum, received from the first monitor to a downstream component of the data system.
The system of the present invention provides an improved method for assuring data integrity, which requires fewer independent components and reduced design integrity, in comparison to prior art systems.
The first monitor may be dissimilar to the second monitor. The use of dissimilar monitors enables the detection of both design errors and failures in the monitors.
Alternatively, the first monitor may be identical to the second monitor. In this case, only failure of the monitors can be detected.
The checksum may comprise a cyclic redundancy check (CRC) checksum.
According to a second aspect of the invention there is provided a method for protecting integrity of data in a data system, the method comprising: measuring a system parameter using a first monitor to generate first system parameter data; generating a data message, the data message including the first system parameter data and a data checksum for the first system parameter data; and transmitting the data message to a second monitor; measuring the system parameter using the second monitor, independently of the monitoring of the system parameter using the first monitor, to generate second system parameter data; comparing the second system parameter data with the first system parameter data in the data message received from the first monitor; and if the result of the comparison is positive, transmitting the data message, including the checksum, received from the first monitor to a downstream component of the data system.
The first monitor may be dissimilar to the second monitor.
Alternatively, the first monitor may be identical to the second monitor.
The checksum may comprise a cyclic redundancy check (CRC) checksum.
Brief Description of the Drawings
Embodiments of the invention will now be described, strictly by way of example only, with reference to the accompanying drawings, of which:
Figure 1 is a schematic representation of a known data integrity monitoring system; and Figure 2 is a schematic representation of a system for protecting data integrity.
Description of the Embodiments
Referring first to Figure 2, a system for protecting data integrity is shown generally at 100. The system 100 comprises independent first and second monitors 110, 120 which are operative to monitor, independently, a system parameter 130. The first and second monitors 110, 120 may be identical, or they may be dissimilar. The use of dissimilar first and second monitors 110, 120 reduces the risk that both the first and second monitors 110, 120 will fail in the same manner; if the first and second monitors are dissimilar a design defect in one of the monitors will not be reproduced in the other monitor.
The first monitor 110 measures the system parameter 130 to generate first system parameter data. The first monitor 110 includes a data checksum generator 140 which is operative to generate a data checksum for the first system parameter data, which may be, for example, a cyclic redundancy check (CRC). The first monitor 110 generates a fully encoded (but not encrypted) data message which includes the first system parameter data and the data checksum. This data message is transmitted to the second monitor 120.
The second monitor 120 also measures the system parameter 130, independently of the first monitor 110, and generates second system parameter data. The second monitor 120 includes a comparator 150, which compares the first system parameter data received in the data message from the first monitor 110 to the self-generated second system parameter data. Note that the second monitor 120 does not generate a data checksum for comparison and has no checksum algorithm; the comparator 150 of the second monitor compares only the first system parameter data to the second system parameter data.
If the result of the comparison performed by the comparator 150 is positive, in the sense that the second system parameter data is judged to be the same as the first system parameter data, within acceptable limits, then the data message generated by the first monitor 110, including the original data checksum, is transmitted to a downstream system component. On the other hand, if the second system parameter data is judged not to be the same as the first system parameter data (e.g. the degree of similarity between the first system parameter data and the second system parameter data is outside acceptable limits) then the data message is not passed on.
The system 100 assures the integrity of the system parameter data transmitted to the downstream component as follows.
As the second monitor 120 does not itself generate a data checksum, a valid checksum in the data message transmitted to the downstream component must have come from the first monitor 110.
For a strong checksum such as a CRC, corruption of the message received from the first monitor 110 by the second monitor 120 is highly unlikely to result in an erroneously valid checksum. Thus, a valid checksum transmitted onwards by the second monitor 120 is a reliable indication that the second monitor 120 has not corrupted the data message.
The first monitor 110 has no physical connection to the downstream components, and thus failure at the first monitor 110 cannot result in a direct transmission of incorrect data to the downstream components.
Thus, neither failure of the first monitor 110 alone, nor failure of the second monitor 120 alone, can result in the transmittal of an incorrect message with a valid checksum.
In order for an incorrect message to be sent, the first monitor 110 must generate an incorrect message and the second monitor 120 must incorrectly check the message that it receives from the first monitor.
Thus, in order for the integrity of the data transmitted by the second monitor 120 to be deemed unsatisfactory, both the first monitor 110 and the second monitor 120 must fail. On a quantitative measure, the probability of unsatisfactory data is at least as high as the product of the probability of failure or erroneous operation of the first monitor 110 and the probability of failure or erroneous operation of the second monitor 120.
Additionally, corruption by the second monitor 120 of the message received from the first monitor 110 prior to its onward transmission to the downstream component has exactly the same consequence as corruption of the message during its onward transmission to the downstream component, and will be detectable by an inconsistency between the checksum and the message data received at the downstream component.
Further, because the second monitor 120 compares the first system parameter data (generated by the first monitor 110 and transmitted by the first monitor 110 to the second monitor 120) to the second system parameter data, which is generated by the second monitor 120, in the event that the second system parameter data is out of date, e.g. because the second system parameter data is stored historical data rather than a current measurement, the result of the comparison will be negative and so the message generated by the first monitor 110 will not be forwarded on to the downstream component.
It will be appreciated that the system 100 provides an improved method for assuring data integrity, in comparison to the prior art system described above in relation to Figure 1, as the system 100 requires only two independent components, rather than the three independent components required by the prior art system. Additionally, the design integrity required for the first and second monitors 110, 120, is reduced in comparison to the design integrity required for the comparator of the system of Figure 1. These factors help to reduce the costs involved in assuring data integrity in comparison to prior art systems.
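The following is an added worked model of the two-monitor scheme described above; it is not code from the patent or its applicant. Monitor A (110) encodes its measurement with a CRC-32 and sends the message; monitor B (120) measures independently, compares its own value with the value carried in A's message, and either forwards A's message byte-for-byte (A's checksum included) or discards it. B deliberately contains no checksum routine, so the only way a valid CRC can reach the downstream component is through an uncorrupted message from A. The downstream consumer verifies the CRC, which is how corruption inside B is caught. The message layout (float64 value followed by CRC-32), the acceptance tolerance and the sensor readings are assumptions constructed for the example.

```python
"""Model of the patent's two-monitor integrity gate (added example)."""
import struct
import zlib

TOLERANCE = 0.5          # constructed acceptance band for the comparator 150
VALUE_LEN = 8            # float64 parameter field
CRC_LEN = 4              # CRC-32 field appended by monitor A only


def monitor_a_build_message(value: float) -> bytes:
    """First monitor (110): encode the measurement and append its CRC-32.

    This is the only place in the system that computes a checksum.
    """
    payload = struct.pack(">d", value)
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return payload + struct.pack(">I", crc)


def monitor_b_gate(message: bytes, own_value: float, tolerance: float = TOLERANCE):
    """Second monitor (120): compare A's value with its own reading.

    Returns A's message unchanged when the readings agree within tolerance,
    or None (message discarded). Note there is no CRC computation here: B
    only decodes the parameter field, exactly as the description requires.
    """
    (received_value,) = struct.unpack_from(">d", message, 0)
    if abs(received_value - own_value) <= tolerance:
        return message      # forwarded byte-for-byte, A's checksum included
    return None


def downstream_verify(message: bytes):
    """Downstream component: accept the value only if the CRC matches.

    A mismatch means the message was corrupted after A built it, whether
    inside B or on the onward link; both cases look identical here.
    """
    if len(message) != VALUE_LEN + CRC_LEN:
        return None
    payload = message[:VALUE_LEN]
    (crc,) = struct.unpack_from(">I", message, VALUE_LEN)
    if (zlib.crc32(payload) & 0xFFFFFFFF) != crc:
        return None
    return struct.unpack(">d", payload)[0]


def run_pipeline(a_value: float, b_value: float, corrupt_in_b: bool = False):
    """Drive one measurement cycle through A, B and the downstream check.

    a_value / b_value are the two monitors' independent readings (constructed
    inputs). corrupt_in_b simulates a fault in B that flips a bit of the data
    field before onward transmission.
    """
    msg = monitor_a_build_message(a_value)
    forwarded = monitor_b_gate(msg, b_value)
    if forwarded is None:
        return "discarded_by_B"
    if corrupt_in_b:
        forwarded = bytes([forwarded[0] ^ 0x01]) + forwarded[1:]
    value = downstream_verify(forwarded)
    if value is None:
        return "rejected_downstream"
    return ("accepted", value)


if __name__ == "__main__":
    # Healthy cycle: readings agree, CRC intact.
    print(run_pipeline(20.0, 20.2))
    # A fails and reports a wrong value: B's independent reading disagrees.
    print(run_pipeline(99.0, 20.0))
    # B holds stale data instead of a fresh measurement: comparison fails.
    print(run_pipeline(20.0, 23.0))
    # B corrupts the message on the way out: downstream CRC check catches it.
    print(run_pipeline(20.0, 20.1, corrupt_in_b=True))
```

The four cycles in the `__main__` block map onto the failure cases argued in the description: a single fault in A is stopped by B's comparison, stale data in B produces a negative comparison, and corruption inside B is indistinguishable from link corruption and is rejected by the downstream CRC check. Only a coincident fault in both monitors (A reports a wrong value and B's comparison wrongly passes it) would let bad data through with a valid checksum.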
Claims (10)
1. A system for protecting integrity of data in a data system, the system comprising: a first monitor; and a second monitor, independent of the first monitor, wherein: the first monitor is configured to: measure a system parameter to generate first system parameter data; generate a data message, the data message including the first system parameter data and a data checksum for the first system parameter data; and transmit the data message to the second monitor; and wherein the second monitor is configured to: measure the system parameter, independently of the first monitor, to generate second system parameter data; compare the second system parameter data with the first system parameter data in the data message received from the first monitor; and if the result of the comparison is positive, transmit the data message, including the checksum, received from the first monitor to a downstream component of the data system.
2. A system according to claim 1, wherein the first monitor is dissimilar to the second monitor.
3. A system according to claim 1, wherein the first monitor is identical to the second monitor.
4. A system according to any one of the preceding claims wherein the checksum comprises a cyclic redundancy check (CRC) checksum.
5. A system substantially as hereinbefore described with reference to the accompanying drawings.
6. A method for protecting integrity of data in a data system, the method comprising: measuring a system parameter using a first monitor to generate first system parameter data; generating a data message, the data message including the first system parameter data and a data checksum for the first system parameter data; and transmitting the data message to a second monitor; measuring the system parameter using the second monitor, independently of the monitoring of the system parameter using the first monitor, to generate second system parameter data; comparing the second system parameter data with the first system parameter data in the data message received from the first monitor; and if the result of the comparison is positive, transmitting the data message, including the checksum, received from the first monitor to a downstream component of the data system.
7. A method according to claim 6, wherein the first monitor is dissimilar to the second monitor.
8. A method according to claim 6, wherein the first monitor is identical to the second monitor.
9. A method according to any one of the preceding claims wherein the checksum comprises a cyclic redundancy check (CRC) checksum.
10. A method substantially as hereinbefore described with reference to the accompanying drawings.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1608870.0A GB2550412B (en) | 2016-05-20 | 2016-05-20 | System and method for protecting data integrity |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1608870.0A GB2550412B (en) | 2016-05-20 | 2016-05-20 | System and method for protecting data integrity |
Publications (3)
Publication Number | Publication Date |
---|---|
GB201608870D0 GB201608870D0 (en) | 2016-07-06 |
GB2550412A true GB2550412A (en) | 2017-11-22 |
GB2550412B GB2550412B (en) | 2021-09-15 |
Family
ID=56369667
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB1608870.0A Active GB2550412B (en) | 2016-05-20 | 2016-05-20 | System and method for protecting data integrity |
Country Status (1)
Country | Link |
---|---|
GB (1) | GB2550412B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1850229A1 (en) * | 2006-04-28 | 2007-10-31 | Marquardt GmbH | Device and method for controlling a functional unit in a vehicle |
US20080015794A1 (en) * | 2005-10-03 | 2008-01-17 | Building Protection Systems, Inc. | Building protection system and method |
EP2360593A2 (en) * | 2010-01-28 | 2011-08-24 | Honeywell International Inc. | High integrity touch screen system |
EP2719599A1 (en) * | 2011-06-07 | 2014-04-16 | Daesung Electric Co., Ltd. | Device and method for detecting error in dual controller system |
Events: 2016-05-20, GB, GB1608870.0A (patent GB2550412B), status active
Also Published As
Publication number | Publication date |
---|---|
GB201608870D0 (en) | 2016-07-06 |
GB2550412B (en) | 2021-09-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9602894B2 (en) | Protected transmission of independent sensor signals | |
US20070021882A1 (en) | Validating control system software variables | |
US9990245B2 (en) | Electronic device having fault monitoring for a memory and associated methods | |
US7990880B2 (en) | Detector and method for detecting abnormality in time synchronization | |
US20210374290A1 (en) | Security device with extended reliability | |
US7590848B2 (en) | System and method for authentication and fail-safe transmission of safety messages | |
US11061783B2 (en) | Error detection circuit | |
EP2680148B1 (en) | Information processing system, output control device, and data generating device | |
US9020684B2 (en) | Method, system and computer programme product for monitoring the function of a safety monitoring system of a control unit | |
GB2550412A (en) | System and method for protecting data integrity | |
US20160124853A1 (en) | Diagnostic apparatus, control unit, integrated circuit, vehicle and method of recording diagnostic data | |
US11416332B2 (en) | Protection for ethernet physical layer | |
US11632111B1 (en) | Redundant control system fault protection using only two controllers | |
JP2017211792A (en) | Interlock circuit | |
US20240013847A1 (en) | Electronic circuit and method for self-diagnosis of a data memory | |
US12040032B2 (en) | Electronic circuit and method for self-diagnosis of a data memory | |
CN114968654B (en) | Error correcting code circuit and error correcting method | |
WO2020179050A1 (en) | Communication monitoring device, communication monitoring method, and communication monitoring program | |
JP6101648B2 (en) | Abnormal transmission detection apparatus and method | |
CA2952318C (en) | Apparatus and method for communications in a safety critical system | |
JP3962956B6 (en) | Information processing apparatus and information processing method | |
JP3962956B2 (en) | Information processing apparatus and information processing method | |
Shishiba | Implementation of a safety instrumented system | |
KR20240092600A (en) | Circuits, systems, and methods for ecc fault detection | |
US20160314853A1 (en) | Method and apparatus for identifying erroneous data in at least one memory element |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 732E | Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977) | Free format text: REGISTERED BETWEEN 20230216 AND 20230222 |