Method for functionally secure connection identification

11063680 · 2021-07-13

Abstract

A method for functionally secure connection identification for data exchange via a telegram between a source data service and a sink data service, wherein whether the time stamp of an incoming telegram is older than the time stamp of a predecessor telegram is determined, upon receipt of the predecessor telegram a monitoring counter being started and whether the currently incoming telegram has arrived within a monitoring time is additionally determined, where a local time stamp of a local time basis is compared with the associated time stamp of the incoming telegram and whether a comparison difference does not exceed a period of time is determined, a telegram arriving only being accepted as valid if the time stamp of the arriving telegram is greater than the time stamp of the telegram most recently accepted as valid, and data is valid if the checks are positive, otherwise a fail-safe reaction is triggered.

Claims

1. A method for functionally secure connection identification for a data exchange via a telegram between a source data service and a sink data service via a communication channel in a communication system, the source data service being assigned a unique identifier, and a time stamp being allocated to each telegram to be transmitted in the source data service, the method comprising: performing a check in the sink data service to determine whether a time stamp of a currently incoming telegram is older than a time stamp of a predecessor telegram, upon receipt of the predecessor telegram a monitoring counter being started and a check being additionally performed to determine whether the currently incoming telegram has arrived within a predeterminable monitoring time; comparing a local time stamp of a local time basis in the sink data service with the time stamp of the currently incoming telegram and performing a check to determine whether a difference resulting from the comparison does not exceed a predeterminable period of time, a telegram arriving in the sink data service being then only accepted as valid if the time stamp of the arriving telegram is greater than the time stamp of the telegram most recently accepted as valid is additionally fulfilled; declaring the data valid if said preceding checks are positive, otherwise triggering a fail-safe reaction.

2. The method as claimed in claim 1, wherein the allocation of the sink data service to the correct source data service is ensured via the unique identifier; and wherein the identifier is known to the source data service and also known at the sink data service, and the sink data service must perform a check to determine whether the data originates from a desired source data service.

3. The method as claimed in claim 1, wherein the local time basis in the sink data service for determining the local time stamp is synchronized with the time basis in the source data service via a safety-oriented time server.

4. The method as claimed in claim 2, wherein the local time basis in the sink data service for determining the local time stamp is synchronized with the time basis in the source data service via a safety-oriented time server.

5. The method as claimed in claim 1, wherein the method is implemented in an automation installation, in which communication between automation devices occurs in a functionally secure manner and operates in accordance with a publisher/subscriber, broadcast or multitask mechanism; a safety protocol being implemented.

6. The method as claimed in claim 2, wherein the method is implemented in an automation installation, in which communication between automation devices occurs in a functionally secure manner and operates in accordance with a publisher/subscriber, broadcast or multitask mechanism; a safety protocol being implemented.

7. The method as claimed in claim 3, wherein the method is implemented in an automation installation, in which communication between automation devices occurs in a functionally secure manner and operates in accordance with a publisher/subscriber, broadcast or multitask mechanism; a safety protocol being implemented.

8. An automation system comprising: an automation controller, in which a source data service provides telegrams for each automation device with a sink data service in each case, the automation controller being configured such that a unique identifier is assigned to the source data service; a device which allocates a time stamp to each telegram to be transmitted; wherein the automation devices are each configured such that they comprise a checking device, with which a check is performed in the sink data service to determine whether the time stamp of a currently incoming telegram is older than a time stamp of a predecessor telegram, wherein upon receipt of the predecessor telegram a monitoring counter is started and a check is additionally performed to determine whether the currently incoming telegram has arrived within a predeterminable monitoring time; a local time stamp of a local time basis is additionally compared with the associated time stamp of the currently incoming telegram in the sink data service and a check is performed to determine whether a difference resulting from the comparison does not exceed a predeterminable period of time, a telegram arriving in the sink data service then only being accepted as valid if the time stamp of the arriving telegram is greater than the time stamp of the telegram most recently accepted as valid is additionally fulfilled; and wherein the data is declared valid if the preceding checks are positive, otherwise a fail-safe reaction is triggered.

9. The automation system as claimed in claim 8, wherein the device is further configured to allocate the unique identifier for ensuring allocation of the sink data service to the correct source data service, and wherein the checking device is further configured to check said allocation.

10. The automation system as claimed in claim 8, further comprising: a safety-oriented time server which is connected to the automation controller and the automation devices to synchronize the local time basis in the sink data service for determining the local time stamp via a time basis in the source data service.

11. The automation system as claimed in claim 9, further comprising: a safety-oriented time server which is connected to the automation controller and the automation devices to synchronize the local time basis in the sink data service for determining the local time stamp via a time basis in the source data service.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) One exemplary embodiment of the method according to the invention and the automation system according to the invention is explained below with reference to the drawing, in which:

(2) FIG. 1 shows a secure connection identification in accordance with the invention,

(3) FIG. 2 shows a schematic representation of an automation system in a broadcast operation in accordance with the invention;

(4) FIG. 3 shows a detailed representation of a source data service and a sink data service in accordance with the invention; and

(5) FIG. 4 is a flowchart of the method in accordance with the invention.

DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

(6) In accordance with FIG. 1, a source data service Q and a sink data service S are represented, with which a method for functionally secure connection identification for a data exchange via a telegram T is performed. The source data service Q is assigned a unique identifier ID.sub.Q and each telegram T to be transmitted is allocated a time stamp TS.sub.Q. By way of example, a second telegram T2 is currently being sent via the communication channel 10 from the source data service Q, where a first telegram T1 has already arrived previously at the sink data service S. The second telegram T2 has the identifier ID.sub.Q and a second time stamp TS.sub.QT2.

(7) In the dashed box above the sink data service S, the telegrams T are indicated. The first telegram T1 has already arrived, the second telegram T2 and the third telegram T3 are still yet to arrive in the future.

(8) A check is now performed in the sink data service S to determine whether the time stamp TS.sub.QT2 of the currently incoming second telegram T2 is older than the time stamp TS.sub.QT1 of the predecessor telegram T1, where upon receipt of the predecessor telegram T1 a monitoring counter WD is started and a check is additionally performed to determine whether the currently incoming telegram T2 has arrived within a predeterminable monitoring time Z1.

(9) Moreover, in the sink data service S a local time stamp TS.sub.Si of a local time basis CLs is compared with the associated time stamp TS.sub.QT2 of the currently incoming telegram T2 and a check is performed to determine whether a difference resulting from the comparison does not exceed a predeterminable period of time CT1.

(10) A telegram T1,T2,T3 arriving in the sink data service S is then only accepted as valid if, in addition, the time stamp TS.sub.QT2 of the arriving telegram T2 is greater than the time stamp TS.sub.QT1 of the telegram T1 most recently accepted as valid. In a final step the data is declared valid if the preceding checks have turned out positively; otherwise a fail-safe reaction is triggered.

(11) The sink data service S checks whether the data originates from a desired source data service Q. This is ensured via the unique identifier ID.sub.Q. To this end, the identifier ID.sub.Q is both known at the source data service Q and also at the sink data service S.

(12) The local time basis CL.sub.S of the sink data service S is synchronized with the local time basis CL.sub.Q of the source data service Q via a safety-oriented time server sNT.

(13) FIG. 2 shows a schematic representation of the principle of a broadcast mechanism between a source data service Q and a first sink data service S1, a second sink data service S2, a third sink data service S3, a fourth sink data service S4 and a fifth sink data service S5. All communication participants cited previously are connected to the communication channel 10. The communication channel 10 is configured as a safety protocol layer SPL. If the source data service Q now sends a telegram T to all sink data services S1,S2,S3,S4,S5 in a broadcast service, then the method explained in FIG. 1 proceeds in each sink data service S1,S2,S3,S4,S5. It is now advantageous that a safety-oriented connection can be established here without the sink data services S1,S2,S3,S4,S5 having to acknowledge the receipt of a telegram T at the source data service Q, because all information is already contained in the received telegram T for checking and, particularly via the synchronization of the safety-oriented time server (dashed lines), the checks with regard to the monitoring time can proceed.

(14) A source data service Q and a sink data service Si are shown in FIG. 3. The source data service Q is implemented in an automation controller 1, for example. The automation controller 1 is then configured such that a unique identifier ID.sub.Q is assigned in the source data service Q, and a device 30 is present which allocates a time stamp TS.sub.QT1 to each telegram T1 to be transmitted.

(15) An associated automation device S1 is configured here such that it comprises a checking device 40, with which a check is performed in the sink data service S to determine whether the time stamp TS.sub.QT2 of a currently incoming telegram is older than the time stamp of a predecessor telegram, where upon receipt of the predecessor telegram a monitoring counter WD is started and a check is additionally performed to determine whether the currently incoming telegram T has arrived within a predeterminable monitoring time Z1. Moreover, in the sink data service S, a local time stamp TS.sub.QT1, TS.sub.QT2 of the currently incoming telegram T is compared with that of a predecessor telegram and a check is performed to determine whether a difference resulting from the comparison does not exceed a predeterminable period of time. A telegram arriving in the sink data service S is then only accepted as valid if, in addition, the time stamp of the arriving telegram T is greater than the time stamp of the telegram most recently accepted as valid. In a final step the data is declared valid if the preceding checks have turned out positively; otherwise a fail-safe reaction is triggered.

(16) FIG. 4 is a flowchart of the method for functionally secure connection identification for a data exchange via a telegram T between a source data service Q and a sink data service S via a communication channel 10 in a communication system 11, where the source data service Q is assigned a unique identifier ID.sub.Q, and a time stamp TS.sub.QT1, TS.sub.QT2 is allocated to each telegram T1,T2,T3 to be transmitted in the source data service Q. The method comprises performing a check in the sink data service S to determine whether a time stamp TS.sub.QT2 of a currently incoming telegram T2 is older than a time stamp TS.sub.QT1 of a predecessor telegram T1, as indicated in step 410. In accordance with the invention, upon receipt of the predecessor telegram T1 a monitoring counter WD is started and a check is additionally performed to determine whether the currently incoming telegram T2 has arrived within a predeterminable monitoring time Z1.

(17) Next, a local time stamp TS.sub.Si of a local time basis CL.sub.S in the sink data service S is compared with the time stamp TS.sub.QT2 of the currently incoming telegram T2, and a check is performed to determine whether a difference resulting from the comparison does not exceed a predeterminable period of time CT1, as indicated in step 420. Here, a telegram T1,T2,T3 arriving in the sink data service S is then only accepted as valid if, in addition, the time stamp TS.sub.QT2 of the arriving telegram T2 is greater than the time stamp TS.sub.QT1 of the telegram T1 most recently accepted as valid.

(18) Next, the data is declared valid if the preceding checks are positive, as indicated in step 430; otherwise a fail-safe reaction is triggered, as indicated in step 435.
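The sink-side acceptance logic of paragraphs (8) to (11) and steps 410 to 435, as an added illustration that is not part of the patent text: identifier check, "not older than predecessor", monitoring counter WD with limit Z1, local time stamp versus telegram time stamp within CT1, and the strict "greater than last accepted" rule that rejects duplicated or replayed telegrams. The class and function names, the millisecond units and the constructed telegram sequence are assumptions made here; the time stamps are taken to be on a time basis already synchronized as in paragraph (12).

```python
from dataclasses import dataclass
from typing import Optional, Tuple
@dataclass(frozen=True)
class Telegram:
    source_id: str  # ID_Q carried in the telegram
    ts: int         # TS_Q set by the source, ms on the synchronized time basis
    payload: bytes

class SinkDataService:  # state of one sink S for one source connection Q (assumed layout)
    def __init__(self, expected_id: str, monitoring_time: int, max_diff: int):
        self.expected_id = expected_id          # ID_Q known at the sink
        self.monitoring_time = monitoring_time  # Z1: max gap after the predecessor telegram
        self.max_diff = max_diff                # CT1: max |local time stamp - telegram time stamp|
        self.last_ts: Optional[int] = None      # TS of the telegram most recently accepted as valid
        self.watchdog_start: Optional[int] = None  # local time at which counter WD was started

    def receive(self, tg: Telegram, local_ts: int) -> Tuple[bool, str]:
        """Return (valid, reason); False means the fail-safe reaction is triggered."""
        if tg.source_id != self.expected_id:
            return False, "identifier mismatch: not the desired source data service"
        if self.last_ts is not None:
            # Step 410: the time stamp must not be older than the predecessor's.
            if tg.ts < self.last_ts:
                return False, "time stamp older than predecessor telegram"
            # Monitoring counter WD started on the predecessor must not have expired.
            if local_ts - self.watchdog_start > self.monitoring_time:
                return False, "monitoring time Z1 exceeded"
        # Step 420: local time basis CL_S versus telegram time stamp, bounded by CT1.
        if abs(local_ts - tg.ts) > self.max_diff:
            return False, "difference to local time stamp exceeds CT1"
        # Strictly greater than the last accepted TS: rejects duplicates and replays.
        if self.last_ts is not None and tg.ts <= self.last_ts:
            return False, "time stamp not greater than last accepted telegram"
        # Step 430: accept, remember TS and restart WD for the successor.
        self.last_ts = tg.ts
        self.watchdog_start = local_ts
        return True, "valid"

def run_scenario():
    """Constructed telegram sequence; returns the list of (valid, reason) results."""
    sink = SinkDataService(expected_id="Q", monitoring_time=100, max_diff=20)
    steps = [  # (telegram, local time stamp TS_S at arrival), all values constructed
        (Telegram("Q", 1000, b"T1"), 1005),   # first telegram, within CT1
        (Telegram("Q", 1050, b"T2"), 1055),   # successor within Z1 and CT1
        (Telegram("Q", 1050, b"T2"), 1060),   # replayed copy of T2: not greater
        (Telegram("Q", 1030, b"old"), 1065),  # older than predecessor
        (Telegram("X", 1080, b"T3"), 1085),   # wrong source identifier
        (Telegram("Q", 1090, b"T3"), 1140),   # delayed 50 ms in transit: exceeds CT1
        (Telegram("Q", 1200, b"T4"), 1200),   # 145 ms after T2 was accepted: WD expired
    ]
    return [sink.receive(tg, now) for tg, now in steps]
```

Only the first two telegrams are accepted; each later one fails exactly one of the checks, and the sink's state (last accepted time stamp, WD start) is left untouched by a rejected telegram.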

(19) Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.