US 11,755,436 B2
Computer system installed on board a carrier implementing at least one service critical for the operating safety of the carrier
Etienne Hamelin, Gif-sur-Yvette (FR)
Assigned to COMMISSARIAT A L'ENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES, Paris (FR)
Appl. No. 17/777,967
Filed by COMMISSARIAT A L'ENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES, Paris (FR)
PCT Filed Nov. 12, 2020, PCT No. PCT/EP2020/081922
§ 371(c)(1), (2) Date May 18, 2022,
PCT Pub. No. WO2021/110380, PCT Pub. Date Jun. 10, 2021.
Claims priority of application No. 1913853 (FR), filed on Dec. 6, 2019.
Prior Publication US 2023/0012925 A1, Jan. 19, 2023
Int. Cl. G06F 11/00 (2006.01); G06F 11/20 (2006.01); G06F 11/16 (2006.01); G06F 11/18 (2006.01); G06F 11/07 (2006.01)
CPC G06F 11/2048 (2013.01) [G06F 11/0754 (2013.01); G06F 11/1629 (2013.01); G06F 11/183 (2013.01); G06F 2201/85 (2013.01)] 10 Claims
OG exemplary drawing
 
1. A computer system installed on board a carrier, communicating in a network with a data concentrator and with a monitor (M), and implementing at least one service that is critical for the operating safety of the carrier, the critical service being redundant in at least two instances (δ_1, ..., δ_m) on different respective computers (C_1, ..., C_m) connected to said network,
each computer (C_k) implementing at least one software task implementing an instance (δ_k) of the critical service and being configured to implement the critical service by way of time control by using:
an increasing sequence of task activation dates (R_n) and a sequence of corresponding task latest end dates (D_n), relating to the starting (0) of the system, with a gap between an end date and the corresponding activation date above or equal to a threshold corresponding to an estimate of the execution time or of the response time of the task (WCET);
a backup of an internal state (s_n) of the computer between two successive activations of the service, by way of modeling by recording the memory states of the task;
an update of the internal state (s_{n+1}) of the computer on each activation (n) of the service which, starting after the corresponding activation date (R_n), reads the input data (i_n) of the service, computes the output data (o_n) of the service and provides them to the data concentrator, the dependency between firstly the updated internal state and the computed output data (s_{n+1}, o_n) and secondly the previous internal state and the read input data (s_n, i_n) being represented by a transfer function (f); and
a relay server (SR_k) configured to compute a signature (h^k_{n+1}), which is characteristic of the execution of the instance (δ_k) of the service from the initial activation (0) of the system to the current latest end date (D_n), by way of a hash chain dependent on a hash function (H) on n_b bits, and to transmit the signature (h^k_{n+1}) to the monitor (M);
the monitor (M) detecting a fault by analyzing the signatures (h^1_{n+1}, ..., h^m_{n+1}) of the instances (δ_1, ..., δ_m).
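As an added illustration, not part of the patent text, the following Python models the claimed scheme: m replicas apply the same transfer function f, each relay server extends a hash chain h_{n+1} = H(h_n, s_{n+1}, i_n, o_n) truncated to n_b bits, and the monitor M compares the m signatures after every activation. The toy transfer function, SHA-256 as H, n_b = 64, the injected bit flip and majority voting in the monitor are all assumptions; the claim itself fixes none of them.

```python
import hashlib
from collections import Counter
NB = 64  # width in bits of the hash function H (the claim's "n_b"); assumed value

def H(*parts: bytes) -> int:
    """Hash function H on NB bits: SHA-256 truncated (assumed choice of hash)."""
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return int.from_bytes(digest, "big") >> (256 - NB)

def transfer(s: int, i: int) -> tuple[int, int]:
    """Transfer function f: (s_n, i_n) -> (s_{n+1}, o_n). Constructed toy controller."""
    s_next = s + i                               # state integrates the input
    return s_next, max(-100, min(100, s_next))   # output is the saturated state

class Replica:
    """Computer C_k running instance delta_k of the service plus its relay server SR_k."""
    def __init__(self, k: int, s0: int = 0):
        self.k, self.s, self.n = k, s0, 0
        self.h = H(b"start", str(s0).encode())  # h_0 covers the state at system start

    def activate(self, i: int, corrupt: bool = False) -> tuple[int, int]:
        """Activation n: update the state, compute the output, add one link to the chain.
        `corrupt` models a silent fault in this replica's backed-up state (constructed)."""
        s_next, o = transfer(self.s, i)
        if corrupt:
            s_next ^= 1                          # undetected bit flip in the internal state
        # h_{n+1} = H(h_n, s_{n+1}, i_n, o_n): commits to every activation since start
        self.h = H(self.h.to_bytes(NB // 8, "big"), str(s_next).encode(),
                   str(i).encode(), str(o).encode())
        self.s, self.n = s_next, self.n + 1
        return o, self.h

def monitor(signatures: dict[int, int]) -> set[int]:
    """Monitor M: compare the m signatures and return the replicas judged faulty.
    Majority wins; with no majority (e.g. m = 2) every replica is suspect."""
    top, votes = Counter(signatures.values()).most_common(1)[0]
    if votes == len(signatures):
        return set()
    if 2 * votes <= len(signatures):
        return set(signatures)
    return {k for k, h in signatures.items() if h != top}

def run(inputs: list[int], m: int = 3, fault_at: int = -1, faulty: int = 2) -> list[set[int]]:
    """Drive m replicas with identical inputs; return the monitor's verdict per activation."""
    replicas = [Replica(k) for k in range(1, m + 1)]
    verdicts = []
    for n, i in enumerate(inputs):
        sigs = {r.k: r.activate(i, n == fault_at and r.k == faulty)[1] for r in replicas}
        verdicts.append(monitor(sigs))
    return verdicts
```

Because each signature chains over the whole execution since activation 0, a replica whose state was corrupted once keeps disagreeing at every later activation, so the monitor does not depend on catching the fault in the exact period it occurred.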