The invention relates to a method and an apparatus for monitoring data processing and data transmission in a data processing unit, for example in an automation system, in a programmable logic controller or in a personal computer.
Normally, a distinction is drawn between data processing units on the basis of their use in safety-relevant systems, so-called “failsafe” systems, and non-safety-relevant systems. The general aim in “safe computer systems”, or so-called “failsafe” systems, is that data is processed at the right time and without being corrupted. In the event of communication, that is to say when data is interchanged between software modules in an individual data processing unit or between different data processing units, care is taken in particular to ensure that the data arrives at the correct time and that the data sequence is correct. The arrival of the data at the correct time may, for example, be checked by confirming the arrival of a data signal when data communication takes place by sending back so-called “acknowledgement” to the transmitter of the data signal.
In order to check whether an error may have occurred during the data transmission, a checksum is normally associated with a data packet, and is transmitted with it. This may be, for example, a so-called CRC (“Cyclic Redundancy Check”), which may be a test signal that has been produced by a scrambling code on the basis of a polynomial.
Furthermore, an individual data processing unit may comprise “safe” and “non-safe” software modules, and a computer system may comprise “safe” assemblies with a “non-safe” assembly connected between them. The “non-safe” software module or the “non-safe” assembly in this case has so-called “firmware”, for example a manufacturer-specific operating system and/or a user program. This “firmware” in this case does not have certification in accordance with the safety requirements for the relevant data processing unit or the relevant computer system, with regard to its reliability and/or availability. Thus, if the safety requirements are particularly stringent, even after safety certification has already been carried out, a software change and/or hardware change resulting from a product change may need to be recertified, which may lead to a restriction to the availability of the data processing unit or of the entire computer system. Furthermore, such recertification processes are particularly time-consuming and costly.
DE 694 06 571 T2 discloses a method for monitoring the correct execution of a multitask computer program by at least one processor, in which the tasks in the program transmit messages and are executed taking account of such messages, with each message containing a time marker and each task which transmits a message working out an execution key, which is associated with this message and identifies a causal dependency relationship with the message, which is defined by the chronological sequence of the execution of the tasks and the chronological sequence of taking account of the messages by these tasks which have led to the transmission of this message by this transmitting task, characterized in that each execution key (formed bit-by-bit by an exclusive-OR logic operation from binary words which each contain the binary representation of a task identification or of a message identification, or of a message time marker, with the bits in each binary word having been permutated previously and cyclically with different starts for each word, and with at least one of the tasks transmitting one or more such messages as a response to taking into account at least one input message, and a comparison being carried out between the execution key which is worked out in the final place by a task of the program and a reference key which is worked out on the basis of the input message and allows detection of an execution error.