The present invention relates to a method in a computer system for recoding a coded intermediate variable into a recoded result variable, a computer program, and a data processing system.
The following discussion of related art is provided to assist the reader in understanding the advantages of the invention, and is not to be construed as an admission that this related art is prior art to this invention.
Functionally safe systems are used to reduce risks to life and health and to avoid environmental damage. As well as secure recording and communication of process information, these systems require secure processing, e.g. in programmable logic controllers or in the industrial PC.
When processing functionally secure data, internal errors in the safety function must be detected and must lead to a safety response (e.g. output of safe substitute values). This is traditionally achieved by hardware replication and result comparison. An alternative is the coding of the safety function by means of arithmetic codes.
A frequently used coding is ANBD coding, in which a variable xf is coded by multiplying it by an input constant A and by adding a static, variable-dependent input signature B_x and a dynamic, cycle-dependent input operand D. Thus all numerical variables are coded according to a specification of the form: z = A*xf + B_x + D, and the arithmetic operations (+, −, *, /, etc.) are adapted so that processing in the coded domain delivers results consistent with those of the original, uncoded domain (wherein it is quite possible for B or D also to have the value zero).
In the art, checking a coded variable and recoding a variable from an ANBD code into another A′NB′D′ code is only possible by completely decoding the coded variable. The decoding is done by means of: xf = (z - B_x - D) / A. A coded variable is checked by: ((z - B_x - D) MOD A == 0). The result of this check is itself an uncoded variable, so that the check must be carried out on an independent item of hardware. If the method is used for recoding, an uncoded interim result is produced. Errors that affect this interim result may not always be detected. Furthermore, the error information contained in the original coded variable is lost as a result of the decoding, i.e. even an invalidly coded entry is mapped to a validly coded code word. The validity of the input operand must therefore be checked separately.
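The following Python example, added here and not part of the specification, illustrates the ANBD scheme and the prior-art weakness just described: it encodes values, performs a coded addition adapted to keep the code consistent, and then shows that recoding through full decoding maps a corrupted (invalid) code word onto a valid word in the target code. The constants A, B, D and the injected single-bit fault are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ANBDCode:
    """Parameters of one ANBD code: z = A*x + B + D (sample values, chosen for illustration)."""
    A: int  # multiplicative input constant
    B: int  # static, variable-dependent signature
    D: int  # dynamic, cycle-dependent operand


def encode(code: ANBDCode, x: int) -> int:
    return code.A * x + code.B + code.D


def decode(code: ANBDCode, z: int) -> int:
    # Prior-art decoding: x = (z - B - D) / A; the result is an uncoded value.
    return (z - code.B - code.D) // code.A


def is_valid(code: ANBDCode, z: int) -> bool:
    # Prior-art validity check: (z - B - D) MOD A == 0; the result is itself uncoded.
    return (z - code.B - code.D) % code.A == 0


def coded_add(cx: ANBDCode, cy: ANBDCode, zx: int, zy: int):
    """Addition adapted to the coded domain. zx + zy = A*(x+y) + (Bx+By) + 2D,
    so D is subtracted once; the result carries the signature Bx + By."""
    assert cx.A == cy.A and cx.D == cy.D, "operands must share A and D"
    return ANBDCode(cx.A, cx.B + cy.B, cx.D), zx + zy - cx.D


def recode_via_decode(src: ANBDCode, dst: ANBDCode, z: int) -> int:
    # Prior-art recoding through the uncoded domain: error information in z is lost.
    return encode(dst, decode(src, z))


def demo():
    cx, cy = ANBDCode(A=97, B=5, D=11), ANBDCode(A=97, B=8, D=11)
    zx, zy = encode(cx, 40), encode(cy, 2)
    csum, zsum = coded_add(cx, cy, zx, zy)
    assert is_valid(csum, zsum) and decode(csum, zsum) == 42  # coded result stays consistent
    corrupted = zx ^ 0x4  # constructed single-bit fault in the coded word
    dst = ANBDCode(A=101, B=3, D=17)  # target A'NB'D' code
    # Direct check detects the fault; recoding via decode yields a valid word in dst anyway.
    return is_valid(cx, corrupted), is_valid(dst, recode_via_decode(cx, dst, corrupted))
```

`demo()` returns `(False, True)`: the corrupted input fails the check in the source code, yet its decoded-and-recoded form passes the check in the target code, which is why the input must be checked separately before prior-art recoding.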
It would therefore be desirable and advantageous to address these problems and to obviate other prior art shortcomings.