METHOD AND DEVICE FOR CONTROLLING A DISPLAY APPARATUS AND DISPLAY SYSTEM FOR ITS APPLICATION

Patent abstract:
A method (200) of controlling a display apparatus (110) for displaying safety-critical contents (A) and non-safety-critical contents (B), the method (200) comprising processing (210) the data of recorded images (C, D) by separating safety-critical image data (C) from non-safety-critical image data (D) and/or processing them separately to generate safety-critical display elements (E) and non-safety-critical display elements (F). The safety-critical display elements (E) are graphically superimposed on the non-safety-critical display elements (F) by the display apparatus (110).

Publication number: FR3031619A1
Application number: FR1650237
Filing date: 2016-01-13
Publication date: 2016-07-15
Inventors: Marc Westphal; Alexander Rathfelder; Bernd Lutz; Christian Plappert
Applicant: Robert Bosch GmbH
IPC main class:

Patent description:
[0001] FIELD OF THE INVENTION The present invention relates to a method of controlling a display apparatus, to a device for carrying it out and to a display system equipped with such a device, as well as to a computer program, in particular for displaying safety-critical and non-safety-critical image contents for means of transport in accordance with ISO 26262.

State of the art: Display devices fitted to motor vehicles, such as fully programmable instrument clusters, must in particular be able to signal status and warning messages in a safe manner. To guarantee both the representation and the non-representation of graphic content, the functions must comply with ISO 26262 at ASIL B. Document DE 10 2004 032 807 A1 describes a processing device for increasing the systematic safety of displays by vehicle instruments and vehicle control devices.

[0002] DISCLOSURE AND ADVANTAGES OF THE INVENTION In this context, the subject of the invention is a method of controlling a display apparatus for displaying safety-critical contents and non-safety-critical contents, the method processing the recorded image data by separating safety-critical image data from non-safety-critical image data and/or processing them separately to generate safety-critical display elements and non-safety-critical display elements, the safety-critical display elements being graphically superimposed on the non-safety-critical display elements by the display apparatus. Thus, according to the invention, safety-critical display elements such as fault messages, status messages or similar information can be processed separately from the non-safety-critical display elements, so that they are calculated and presented in a separate layer over the non-safety-critical display elements.
Thus, for example, the safety procedures for safety-critical programs according to ISO 26262 can be applied by presenting graphical data in superimposed optical or graphic planes, so that safety-critical information is reliably shown or hidden. In particular, this achieves the display and non-display of safety contents in accordance with ISO 26262, for example for instrument clusters fitted to vehicles and for other display-based devices that present safety information. Safety-critical display elements such as fault messages, status messages or the like can also be processed separately from the other display elements, calculated and presented in a separate layer above the non-safety-critical display elements. Such separation achieves ASIL compliance (ASIL: Automotive Safety Integrity Level) and allows the safe representation and, where appropriate, the non-representation of safety-critical display elements without the risk that they are unintentionally covered or interfered with. For example, ISO 26262, which defines the ASIL safety requirements, provides two ways of separating the safety-related elements of an overall system from those that are not, or only to a limited extent, safety-related. The first is freedom from interference: the safety-related parts are sufficiently protected from the non-safety-critical parts, which are developed under so-called QM measures (QM denotes the absence of safety requirements), to guarantee the separation. The second is decomposition: a component classified as ASIL A or ASIL B is decomposed according to the safety rules into an ASIL A or ASIL B component and a QM element.
Combining the two approaches in embodiments of the invention makes it possible in particular to leave substantially the entire program of a product in the QM part and thus to develop it more efficiently. Since the safety-critical component is small, it can be qualified and certified according to ASIL B. Advantageously, embodiments of the invention thus provide an economical and safe way to present safety-critical information reliably and graphically on the background of a display. In particular, for display devices of the automotive field such as fully programmable instrument clusters, safety-critical states and warning messages can be displayed. To realize the representation and non-representation of the graphic contents, a function meeting the requirements of ISO 26262 ASIL B can be applied. While the usual graphics stacks and third-party libraries may be too complex to be qualified for ISO 26262, embodiments of the invention, in accordance with ISO 26262-9, reach an ASIL level by decomposing the safety requirements in accordance with ISO 26262 and achieving freedom from interference. For this, for example, the graphics stack can be left at the QM level, which does not correspond to an ASIL classification, and an independent, safer display path compliant with ISO 26262 is added, which achieves the ASIL level required for displaying safety-critical contents. In particular, freedom from interference of the ASIL-level components from the QM-level components is achieved in that the non-safe elements cannot interfere with the safe elements either in space, for example through memory areas, or in time, for example through CPU time.
The subject of the invention is thus a method of controlling a display apparatus that displays safety-critical contents and non-safety-critical contents, the method applying the steps set out above. The display apparatus may belong to a vehicle, such as a road vehicle or similar. Safety-critical contents, image data and display elements are those relating to safety functions or other functions of the display apparatus that applies the method, for example the safety functions of a vehicle, in particular those relating to operating faults; the notion "safety-critical" corresponds to a classification on a safety scale. Non-safety-critical contents, image data and display elements relate to functions of no importance for the safety of the system; they are connected to the display apparatus and executed by the method, for example the comfort functions of a vehicle. A display element comprises image data; in other words, the display element is generated from image data. The image data may be raw image data, sensor data or the like. A display element may thus correspond to image data to be displayed or that can be displayed. The safety-critical display elements can be graphically superimposed on the non-safety-critical display elements in that the safety-critical display elements appear in the foreground of the display. The method may further comprise recording the image data and, additionally or alternatively, outputting the display elements to an interface of the display apparatus. Safety-critical image data and non-safety-critical image data are recorded separately and/or read separately. Safety-critical display elements and non-safety-critical display elements are output separately and/or independently.
According to one development, the processing of the safety-critical image data and the non-safety-critical image data, as well as of the safety-critical display elements and the non-safety-critical display elements, is done separately in time, in space and/or in terms of resources, and these data are processed independently of each other. Separate processing in time means different processing times; separate processing in space means separate memory areas, memory devices, methods or the like; processing with separate resources means separate circuits and/or separate processes. Such an embodiment has the advantage of providing separate processing of safety-critical and non-safety-critical contents in a diverse and reliable manner, so as to meet the safety levels required for handling safety-critical contents economically.

[0003] In the processing step, the safety-critical display elements are generated so that the display apparatus presents them, in the displayed state, in a graphic plane superimposed on every other graphic plane. Alternatively, in the processing step, the safety-critical display elements are generated so that they graphically replace the non-safety-critical display elements in the display apparatus. Thus, either several so-called hardware layers corresponding to different memory areas are used, or the non-safety-critical display elements are overwritten by the safety-critical display elements. This embodiment has the advantage of ensuring, in a simple and reliable manner, processing that is separate in space and/or time, or independent, for the contents subject to an ASIL requirement and those not subject to it.
[0004] Furthermore, in the processing step, the safety-critical image data and the non-safety-critical image data, as well as the safety-critical display elements and the non-safety-critical display elements, can be managed in memory areas, address spaces and/or process spaces that are separated from and secured against each other. This embodiment has the advantage of particularly reliable processing, separated in particular in space, of the image data and display elements according to the required safety level; the safety requirements for the safety-critical contents can thus be respected particularly reliably. The method may further comprise a step of detecting and/or preventing unauthorized memory access to the memory areas, address spaces and/or process spaces that are separated from and secured against each other. In particular, a memory management unit is used in the processing step to detect such unauthorized memory access. Such an embodiment has the advantage of guaranteeing the separation of data belonging to different safety levels by means of memory protection, so that the safety level characteristic of safety-critical contents is respected even more reliably. According to a development, in the processing step at least one processing resource is continuously checked to determine whether it is in a correct state or in a fault state. This processing resource may be a hardware resource or a software resource, and may comprise program code, program data, a data bus or the like. This embodiment has the advantage of reliably meeting the safety levels for safety-critical contents through the protection applied to the processing resources.
According to another feature, in the processing step, register values that correspond to safety-critical image data and/or represent safety-critical display elements are compared with reference register values stored in a protected memory area, and in the event of a deviation a fault handling is applied.

[0005] The fault handling is thus applied when a discrepancy is found between the register values and the reference register values. This embodiment has the advantage that, by monitoring the registers, the safety levels applicable to safety-critical contents are respected particularly reliably.

[0006] According to another feature, in the processing step, the safety-critical image data are assembled at compile time into a library and protected. Safety data and reference safety data can be generated and stored in the library. At run time, the safety data are recomputed and compared with the reference safety data, and in the event of a discrepancy a fault handling is applied. The fault handling is executed if there is a discrepancy between the safety data and the reference safety data. This embodiment has the advantage of protecting the safety-critical contents and thus ensuring that the safety level is respected. The invention also relates to a device arranged to carry out the steps of the method. This form of the invention as a device makes it possible to solve the problem addressed by the invention quickly and effectively. The device controls a display apparatus for displaying safety-critical contents and non-safety-critical contents. The device according to the invention is an electrical apparatus that processes image data signals and, as a function of this processing, generates control and/or data signals. The device comprises an interface implemented in hardware and/or software.
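The two checks of [0005] and [0006] as one monitoring cycle, written as an added example (not the patent's own code): a live snapshot of the display-controller registers that select the critical plane is compared with reference values kept in a protected area, and the safety-critical image data built into the library carries a build-time CRC-32 that is recomputed at run time; either deviation goes to a fault handler. The register layout, the reference values, the sample image bytes and the CRC reference (the standard CRC-32 check value for that sample) are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum fault { FAULT_NONE = 0, FAULT_REGISTER = 1, FAULT_IMAGE_DATA = 2 };

/* Display-controller registers assumed for the example: where the critical
 * plane 302 is fetched from, and whether it is enabled and on top. */
typedef struct {
    uint32_t plane_base;   /* framebuffer address of the critical plane */
    uint32_t plane_ctrl;   /* bit 0 = plane enabled, bits 8..11 = z-order */
} plane_regs_t;

/* Reference register values; in a real system they live in a protected area. */
const plane_regs_t PLANE_REGS_REF = { 0x20008000u, 0x00000F01u };

/* Constructed sample of safety-critical image data assembled into the library
 * at compile time, with its build-time CRC-32 reference. */
const uint8_t  CRITICAL_IMAGE[9]      = { '1','2','3','4','5','6','7','8','9' };
const size_t   CRITICAL_IMAGE_LEN     = 9;
const uint32_t CRITICAL_IMAGE_CRC_REF = 0xCBF43926u;

typedef struct { int fault_count; enum fault last_fault; } fault_log_t;

/* Fault handling entry point. Here it only records the event; a real system
 * would re-assert the registers, redraw the plane or enter its safe state. */
static void fault_handler(fault_log_t *log, enum fault f)
{
    log->fault_count++;
    log->last_fault = f;
}

/* CRC-32 (reflected, polynomial 0xEDB88320), bitwise, no lookup table. */
uint32_t crc32(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Check 1: live register snapshot against the protected reference values. */
enum fault check_plane_registers(const plane_regs_t *live, fault_log_t *log)
{
    if (live->plane_base != PLANE_REGS_REF.plane_base ||
        live->plane_ctrl != PLANE_REGS_REF.plane_ctrl) {
        fault_handler(log, FAULT_REGISTER);
        return FAULT_REGISTER;
    }
    return FAULT_NONE;
}

/* Check 2: run-time CRC of the critical image data against the build-time reference. */
enum fault check_image_data(const uint8_t *img, size_t len, uint32_t ref, fault_log_t *log)
{
    if (crc32(img, len) != ref) {
        fault_handler(log, FAULT_IMAGE_DATA);
        return FAULT_IMAGE_DATA;
    }
    return FAULT_NONE;
}

/* One monitoring cycle; returns the first deviation found, FAULT_NONE otherwise. */
enum fault monitor_cycle(const plane_regs_t *live, const uint8_t *img, size_t len,
                         fault_log_t *log)
{
    enum fault f = check_plane_registers(live, log);
    if (f != FAULT_NONE) return f;
    return check_image_data(img, len, CRITICAL_IMAGE_CRC_REF, log);
}

int main(void)
{
    fault_log_t log = { 0, FAULT_NONE };
    plane_regs_t live = PLANE_REGS_REF;
    printf("cycle 1: fault %d\n", monitor_cycle(&live, CRITICAL_IMAGE, CRITICAL_IMAGE_LEN, &log));
    live.plane_ctrl &= ~1u;   /* the critical plane has been disabled behind the monitor's back */
    printf("cycle 2: fault %d\n", monitor_cycle(&live, CRITICAL_IMAGE, CRITICAL_IMAGE_LEN, &log));
    return 0;
}
```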
In a hardware implementation, the interfaces may be part of an ASIC containing the various functions of the device. The interfaces may also have their own integrated circuits or be formed at least partly of discrete components. In a software implementation, the interfaces are program modules present, for example, on a microcontroller alongside other program modules. The invention also relates to a display system for displaying safety-critical contents and non-safety-critical contents, having a display apparatus for displaying the safety-critical contents and non-safety-critical contents and a device connected to the display apparatus for exchanging data with it, the device providing the safety-critical display elements and the non-safety-critical display elements separately to the display apparatus. In the display system, an embodiment of the device for controlling the display apparatus is advantageously used; the display system thus comprises a control device for a display apparatus that displays the safety-critical and non-safety-critical contents. The display system may be used in, and/or form part of, an overall main system, for example a vehicle or the like. The device has at least one interface with the overall main system that uses the display system and at least one interface with the display apparatus or with a control unit upstream of the display apparatus.

[0007] Advantageously, a subject of the invention is also a computer program product or computer program with program code recorded on a machine-readable medium such as a semiconductor memory, a hard disk or an optical memory, for carrying out the steps of the method described above.

[0008] Embodiments of the invention relate, for example, to pixel-based displays or screens.
The various displays may be dynamic display surfaces or parts of a display such as vehicle status displays, warning messages, an on-board computer, a navigation system, a fault display or video displays. Between the displays there can be dynamic changes of state, with contents that displace one another. The various contents can be presented with dynamic animations such as translation, rotation, scaling and changes of transparency or colour levels. Regardless of the rendering technique used, for example scene graphs, code generation or hand-written code, the result is a human-machine interface (HMI) application with a complex program. The design of the display may depend on brand-specific developments, and its requirements may change. To reach an ASIL rating for such displays, one can, for example, avoid having to choose one of the following three approaches. The first approach is an ASIL-rated fault message or fault display, such as the display of the speed, the ESP mode, a failure of an ASIL system part or a display part. In the event of a fault, fault detection is provided: the screen is monitored, and the display system or the emitted pixels are checked by a monitoring system. There are also embodiments of the invention in which, in response to a fault detection, the fault is remedied instead of entering the safe state, for example by switching off the display; that solution would shut down the display system as a whole, so that a vehicle could, for example, no longer be driven under its own power. A fault can thus be circumvented. The complexity of the state changes under time constraints can also be taken into account: this prevents a reaction delay due to system overload caused by complex animations and user interactions, where the display could no longer be prepared within the time required by the monitoring system and would be counted as a fault.
Also, a high frequency of changes, linked to changes in the display requirements generated by the market, puts the monitoring system in a development state that is more easily adaptable or reduces the adaptation effort to be implemented. In addition, the safety-relevant display animations can be monitored more simply, which avoids monitoring tolerances and facilitates compliance with the safety requirements. A second approach consists in applying the ASIL requirement not to the display but to a software stack which, in the event of a fault, switches on a warning LED and switches off the display; embodiments of the invention avoid this, because the number of detail messages and/or fault messages would then be physically limited, since the LEDs cannot be changed, and it also avoids the additional cost of ASIL-compliant LEDs. Finally, a third approach, namely compliance with the requirements, for example ASIL B, for the complete display system, which would not be economically feasible, can be bypassed by the programs according to embodiments of the present invention.

Drawings
The present invention will be described below with the aid of examples of control methods for a display apparatus and of a device and display system for its implementation, shown in the accompanying drawings, in which:
FIG. 1 is a diagram of a display system comprising a device according to an exemplary embodiment of the invention,
FIG. 2 shows a very simplified flow chart of a method according to an exemplary embodiment of the invention,
FIGS. 3A-3D are very simplified diagrams of displays according to an exemplary embodiment of the invention,
FIG. 4 shows a schematic representation of the method for generating the combined display according to FIG. 3C or 3D,
FIG. 5 is a context diagram of a human-machine interface according to an exemplary embodiment of the invention,
FIG. 6 is a very schematic representation of the address spaces of a human-machine interface according to an exemplary embodiment of the invention,
FIG. 7 is a schematic representation of a display system according to an exemplary embodiment of the present invention, and
FIG. 8 is a schematic representation of a display system according to another exemplary embodiment of the invention.
In the various figures, identical elements or elements of the same function bear the same references.

DESCRIPTION OF EMBODIMENTS
FIG. 1 schematically shows a display system 100 having a device according to an exemplary embodiment of the present invention. The display system 100 allows or ensures the display of contents A that are critical from the safety point of view (hereinafter abbreviated as critical contents) and contents B that are not safety-critical (hereinafter abbreviated as non-critical contents). The display system 100 is used in and/or applied to a vehicle such as a road vehicle. The critical content A is, for example, a warning symbol or a warning indication of a safety-critical state. The non-critical content B is, for example, a speedometer display or a rev-counter display in the visualization of a round instrument. According to the exemplary embodiment of FIG. 1, the display system 100 comprises a display apparatus 110 and a control device 120 (or device) for controlling the display apparatus 110. The display apparatus 110 presents the critical contents A and the non-critical contents B; in particular, it presents the critical contents A and/or the non-critical contents B in one time segment or in different time segments. The display apparatus 110 is, for example, an instrument cluster of a motor vehicle, in particular a passenger car, a commercial vehicle or another such vehicle.
The control device 120 records or receives safety-critical image data C and non-safety-critical image data D, hereinafter abbreviated as "critical image data C" and "non-critical image data D". The control device 120 uses the critical image data C and the non-critical image data D to generate and/or transmit safety-critical display elements E and non-safety-critical display elements F, hereinafter abbreviated as "critical display elements E" and "non-critical display elements F". The control device 120 exchanges data with the display apparatus 110 and provides it with the critical display elements E and the non-critical display elements F for display. The display apparatus 110 uses the critical display elements E to display the critical contents A and/or the non-critical display elements F to display the non-critical contents B.

[0009] The control device 120 comprises a processing unit 130. The processing unit 130 processes the read image data C and D: it separates the critical image data C from the non-critical image data D and/or processes them independently. The processing unit 130 generates the critical display elements E from the critical image data C and the non-critical display elements F from the non-critical image data D. Specifically, the processing unit 130 generates the critical display elements E such that they are displayed by the display apparatus 110 as a graphical overlay on the non-critical display elements F. The control device 120 records or receives the critical image data C and/or the non-critical image data D in one time interval or in different time intervals, and in particular provides the critical display elements E and the non-critical display elements F in the same time interval or in different time intervals.
Thus, within one time interval, the critical contents A are displayed using the critical image data C and the critical display elements E, and/or the non-critical contents B are displayed using the non-critical image data D and the non-critical display elements F. Whether contents A and/or B are displayed depends, for example, on the presence of image data C and/or D.

[0010] According to an exemplary embodiment, the control device 120 is part of the display apparatus 110 or is the display apparatus itself; FIG. 1 shows them separately solely for presentation purposes. FIG. 2 shows a very simplified flow chart of a method 200 according to an exemplary embodiment of the present invention. The method 200 is a method of controlling a display apparatus for displaying safety-critical contents and non-safety-critical contents. The method 200 is performed in combination with a display system such as the display system of FIG. 1, and in particular in combination with a control device such as the control device of FIG. 1. The method 200 has a step 210 of processing the received image data. In this step, the safety-critical image data and the non-safety-critical image data are separated and processed independently of each other to generate safety-critical display elements and non-safety-critical display elements. The safety-critical display elements are generated in the processing step 210 such that, in the displayed state of the display apparatus, they are graphically superimposed on the non-safety-critical display elements.
According to an exemplary embodiment, the safety-critical image data and the non-safety-critical image data, as well as the safety-critical display elements and the non-safety-critical display elements, are processed in step 210 separately or independently in time, in space and/or in terms of resources. The method 200 according to an exemplary embodiment also has a step 220 of recording the image data; optionally, the safety-critical image data and the non-safety-critical image data are recorded separately, i.e. independently of each other. The method 200 additionally or alternatively includes a step 230 of outputting the display elements to an interface of the display apparatus; optionally, the safety-critical display elements and the non-safety-critical display elements are output separately or independently. FIG. 3A very schematically shows non-critical contents B in a first graphic plane 301 according to an exemplary embodiment of the present invention. The non-critical contents B are, for example, the non-critical contents of FIG. 1, displayed on the display apparatus of FIG. 1 by means of the control device of FIG. 1. More specifically, the non-critical contents B represent a symbolic visualization of the on-board instruments of a vehicle. The non-critical contents B correspond, for example, to the QM level outside the ASIL (Automotive Safety Integrity Level) classification of ISO 26262. FIG. 3B schematically shows critical contents A in a second graphic plane 302 according to an exemplary embodiment of the present invention. The critical contents A are, for example, the critical contents of FIG. 1.
The critical contents A are displayed on the display apparatus, for example the display apparatus shown in FIG. 1, using the control device of FIG. 1. More specifically, the critical contents A represent a warning symbol or a symbolic display of a warning message for the driver of the vehicle. The critical contents A correspond, for example, to a safety class of the ASIL classification of ISO 26262, in particular ASIL B. FIGS. 3A and 3B thus show separately computed displays, i.e. distinct graphic planes 301, 302: the first graphic plane 301 is the background and the second graphic plane 302 is the foreground. FIG. 3C very schematically shows the combined display 303 according to an exemplary embodiment of the present invention.

[0011] The combined display 303 comprises the first graphic plane 301 of FIG. 3A in the background and the second graphic plane 302 of FIG. 3B in the foreground. More precisely, FIG. 3C shows the combination or stacking of the graphic planes 301, 302; the planes are drawn apart from each other only to schematize the presentation. FIG. 3D schematically shows the combined display 303 of FIG. 3C as it appears to an observer: the second graphic plane 302 is superimposed on the first graphic plane 301 by an optical or graphic overlay.

[0012] With reference to the figures above, the control device 120 is independent of the drawing process used to place the critical contents A, i.e. the guaranteed part of the display, graphically on or over the non-critical contents B, i.e. the general part. For example, a regular HMI (QM-HMI) can be used to compute and animate the non-critical contents B and display them in the background, and an ASIL-HMI is used to display the critical contents A in the foreground. With particular reference to the method 200 of FIG. 2, according to an exemplary embodiment, the processing step 210 can generate the critical display elements E such that these elements E are displayed by the display apparatus 110, in the displayed state, in the graphic plane 302 graphically superimposed on the other graphic plane 301. Hardware layers, which correspond to separate memory areas interpreted by the display controller as superimposed planes, can be used for this. Each such plane can completely cover the planes beneath it or let them show through by partial transparency, and the contents of a plane can be drawn in 2D or 3D. This allows the critical display elements E, i.e. the ASIL information, to be written into the topmost graphic plane 302 facing the observer, so that they cannot be covered by other image information; for ASIL purposes there is thus a spatial separation of the contents A and B. Alternatively, in the processing step 210, the critical display elements E can be generated such that, in the displayed state, they replace or cover the non-critical display elements F. In systems without hardware layers, drawing can be done in two steps: first the non-critical display elements F, or display elements derived from them, are computed, and the resulting data then serve as an additional input to the ASIL component, which adds the critical display elements E. Such an approach makes it possible to use the overall principle of the display system with less powerful hardware. FIG. 4 schematically shows the method for generating the combined display 303 of FIG. 3C or FIG. 3D with the aid of the display system 100. The combined display 303 has in the background the first graphic plane 301 of FIG. 3A and in the foreground the second graphic plane 302 of FIG. 3B, and corresponds to the display shown in FIG. 3C.
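The two-step drawing for systems without hardware layers, and the plane ordering of [0003] and FIGS. 3A-3D, as an added example (not the patent's own code): the QM side renders plane 301 (display elements F) into a framebuffer, the separately built ASIL component then draws plane 302 (display elements E) on top with per-pixel transparency, and a monitor check confirms that every opaque pixel of E is what the observer sees. The 0xAARRGGBB pixel format, the framebuffer size, the green-ramp instrument graphic and the 3x3 warning glyph are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define FB_W 16
#define FB_H 8

typedef uint32_t pixel_t;   /* assumed format: 0xAARRGGBB */

typedef struct {
    int x, y, w, h;          /* position and size of the plane in framebuffer coordinates */
    const pixel_t *pix;      /* w*h pixels, row-major, with per-pixel alpha */
} plane_t;

/* Constructed sample for plane 302: a 3x3 warning glyph (display elements E).
 * Corners are transparent, the centre is half-transparent red. */
static const pixel_t WARN_PIX[9] = {
    0x00000000u, 0xFFFF0000u, 0x00000000u,
    0xFFFF0000u, 0x80FF0000u, 0xFFFF0000u,
    0x00000000u, 0xFFFF0000u, 0x00000000u,
};
const plane_t WARN_PLANE = { 6, 2, 3, 3, WARN_PIX };

/* Step 1, QM-HMI: render the non-critical plane 301 (display elements F).
 * A horizontal green ramp stands in for the instrument graphics. */
void render_qm_plane(pixel_t *fb)
{
    for (int y = 0; y < FB_H; y++)
        for (int x = 0; x < FB_W; x++)
            fb[y * FB_W + x] = 0xFF000000u | ((uint32_t)(x * 16) << 8);
}

static uint32_t blend_ch(uint32_t s, uint32_t d, uint32_t a)
{
    return (s * a + d * (255u - a) + 127u) / 255u;   /* rounded alpha blend */
}

/* Step 2, ASIL component: overlay plane 302 onto the frame from step 1.
 * Opaque E pixels replace F, partially transparent ones are blended,
 * fully transparent ones leave F untouched. Clipped to the framebuffer. */
void overlay_asil_plane(pixel_t *fb, const plane_t *p)
{
    for (int y = 0; y < p->h; y++) {
        int fy = p->y + y;
        if (fy < 0 || fy >= FB_H) continue;
        for (int x = 0; x < p->w; x++) {
            int fx = p->x + x;
            if (fx < 0 || fx >= FB_W) continue;
            pixel_t src = p->pix[y * p->w + x];
            uint32_t a = src >> 24;
            if (a == 0) continue;
            if (a == 255) { fb[fy * FB_W + fx] = src; continue; }
            pixel_t dst = fb[fy * FB_W + fx];
            uint32_t r = blend_ch((src >> 16) & 0xFF, (dst >> 16) & 0xFF, a);
            uint32_t g = blend_ch((src >> 8) & 0xFF, (dst >> 8) & 0xFF, a);
            uint32_t b = blend_ch(src & 0xFF, dst & 0xFF, a);
            fb[fy * FB_W + fx] = 0xFF000000u | (r << 16) | (g << 8) | b;
        }
    }
}

/* The full two-step pipeline: QM first, then the ASIL overlay. */
void compose_frame(pixel_t *fb, const plane_t *p)
{
    render_qm_plane(fb);
    overlay_asil_plane(fb, p);
}

/* Monitor check: every opaque pixel of the critical plane must be exactly what
 * the framebuffer shows, i.e. nothing drawn later has covered E. */
int critical_plane_visible(const pixel_t *fb, const plane_t *p)
{
    for (int y = 0; y < p->h; y++)
        for (int x = 0; x < p->w; x++) {
            pixel_t src = p->pix[y * p->w + x];
            int fx = p->x + x, fy = p->y + y;
            if ((src >> 24) != 255 || fx < 0 || fx >= FB_W || fy < 0 || fy >= FB_H)
                continue;
            if (fb[fy * FB_W + fx] != src) return 0;
        }
    return 1;
}

pixel_t fb_pixel(const pixel_t *fb, int x, int y) { return fb[y * FB_W + x]; }

int main(void)
{
    pixel_t fb[FB_W * FB_H];
    compose_frame(fb, &WARN_PLANE);
    printf("critical plane visible: %d\n", critical_plane_visible(fb, &WARN_PLANE));
    return 0;
}
```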
The first graphic plane 301 thus comprises the non-critical contents, which are displayed by the display system 100 using the non-critical display elements F; the second graphic plane 302 comprises the critical contents, which are displayed using the critical display elements E. In other words, FIG. 4 shows an abstract representation of the software layers of the display system 100 that take part in producing the display guaranteed by ASIL means according to ISO 26262. For this purpose the display system 100 comprises software components. A first group of software components comprises components for static data 401, dynamic data 402, code 403 and display 404; this first group generates the non-critical display elements F. A second group of software components 405, separate from the first group, represents the protection mechanisms according to ISO 26262 and comprises components for qualified static data 406, data 407, qualified code 408 and a protected display 409; the second group 405 generates the critical display elements E. FIG. 5 shows a context diagram 500 of a human-machine interface (HMI), i.e. an HMI context diagram, according to an embodiment of the present invention. In other words, FIG. 5 gives an overall view of a program module of a display system such as the display system of FIG. 1. It shows a secure HMI address space 501 and a regular HMI address space or QM-HMI address space 502, which are separated from each other, in particular in the sense of a software separation. The secure HMI address space 501 is used for safety-critical image data, display elements or contents; the QM-HMI address space 502 is used for non-critical image data, display elements or contents.
The secure HMI address space 501 and the QM-HMI address space 502 thus allow the critical image data, display elements and contents to be processed separately from the non-critical image data, display elements and other contents.

Figure 6 shows an overall view 600 of the address spaces of a human-machine interface according to an exemplary embodiment of the present invention. The figure shows a regular address space 601, or regular virtual address space (VAS), for the human-machine interface (HMI), as well as a secure address space 602, or secure virtual address space, for the HMI. The figure also shows the kernel 603 on which the regular address space 601 and the secure address space 602 are based. In other words, Figure 6 gives an overview of a program stack, or a program concept, for a secure human-machine interface.

[0013] With reference to FIGS. 1 to 6, the description below relates to exemplary embodiments of the invention for securing (protecting against interference) the security-critical display logic against other display logic. Such securing is realized by combining several methods. A first method provides memory protection, a second method protects the program code and the program data or variables, a third method monitors the registers, and a fourth method protects the image data. These four methods are detailed below.

[0014] The first method realizes memory protection.
According to an exemplary embodiment, when executing the method 200, in the processing step 210 the security-critical image data C and the non-critical image data D, as well as the security-critical display elements E and the non-critical display elements F, are managed separately and/or in memory areas, address spaces and/or process spaces that are secured relative to each other. Alternatively or additionally, in the processing step 210 it is possible to detect and/or prohibit any unauthorized access to the memory areas that are separated from each other and/or protected from each other, i.e. the address spaces and/or process spaces 501 and 502 or 601, 602 and 603. To ensure the security-related separation from other display logic, the data C and D or the display elements E and F for the respective display can be managed in separate and separately protected memory areas 501 and 502 or 601 and 602, 603. For example, the three memory areas 601, 602 and 603, separated from one another, can be used as shown in FIG. 6. The mechanisms provided by the operating system for protecting memory, for example process spaces, virtual address spaces, etc., can be used for this purpose and, where appropriate, extended with additional security mechanisms.
As additional security mechanisms, unauthorized memory access can be detected so that the security-related memory of the address space 501, 602 is not impaired by another address space, by using a memory management unit (MMU); the MMU can optionally detect invalid accesses to the separate address space; the MMU can be monitored cyclically, or it can be determined whether the MMU is active or not; a cyclic test can determine whether the MMU table is consistent or has been modified; the memories, for example the level 1 and level 2 cache memories, can be cyclically validated and reset; variables can be stored in a guaranteed way by a cyclic redundancy check (CRC, cyclic checks) and redundancy can be used in the secure address space 501, 602; and/or one can proceed in a similar manner.

The second method secures the processing resources, i.e. the program code or the program data or variables. According to an exemplary embodiment, when executing the method 200, in the processing step 210 at least one processing resource is continuously checked to determine whether its state is correct or whether it is a fault state of the at least one processing resource. At system startup, an application or program can check its loading, for example by a CRC code. After the program starts and before the data is displayed, a RAM test (random access memory test) is performed to ensure correct operation of the data and address buses or to detect faults. In addition, an invariable part of the programs, for example the source code, the constant data, etc., can be verified by cyclic checks and compared to a reference value, for example by a CRC code. In the case of a deviation, the system can go into a secure state.

The third method monitors the registers.
According to an exemplary embodiment, when executing the method 200, in the processing step 210 the values of the registers that represent the critical image data C and/or the critical display elements E are compared with reference register values stored in a protected memory area; in case of a deviation, a fault treatment is applied. After the system is started, the display controller can be initialized. The initialized values should no longer change during the system run time. The reference register values can be held in a protected memory area for the security-related graphical plane 302 or graphical layer; a combination with the two methods above is possible. Once the system is started, the register values of the display controller can be read back cyclically and compared with the reference values. In the case of a deviation, a fault or error processing can be performed, for example restoring the values up to three times, going into the secure state, etc. Irrespective of the result of the comparison, the reference values can be written to the display controller again to avoid any replay error.

The fourth method secures the image data. For this purpose, according to an exemplary embodiment, when executing the method 200, in the processing step 210 the critical image data C are assembled into a library at translation (compile) time and secured by generating reference security data and storing them in the library; at run time, security data are calculated and compared to the reference security data; in case of a deviation, an error processing is applied. The image data C for the secure display, for example icons and textures, can be assembled at translation or compilation time into a library (domain library). The contents of the library can be secured by a CRC code when they are generated. Such security data can be stored as a reference value in the library.
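The second, third and fourth methods all rest on the same pattern: a reference value computed once and held in protected memory, and a cyclic run-time recomputation that is compared against it. The added C example below, which is not the patent's own code, shows that pattern once for an invariant region (program code or the image library) and once for the display-controller registers, with restore-three-times-then-secure-state handling and the re-entry of the reference values after every comparison. The CRC-32 as security data, the register layout, the sizes and all names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not from the patent: the recompute-and-compare pattern shared by
 * the second method (invariant code/constant data), the third (display-controller
 * registers) and the fourth (image library), with a CRC-32 as the security data.
 * Register layout, sizes and all names are assumptions. */

/* CRC-32 (reflected, polynomial 0xEDB88320), bitwise for brevity. */
static uint32_t crc32_buf(const void *buf, size_t len)
{
    const uint8_t *p = (const uint8_t *)buf;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Invariant region (program code, constant data, or the image library holding C)
 * together with its reference security data. The same structure serves the second
 * and the fourth method; only what the region contains differs. */
typedef struct {
    const uint8_t *data;
    size_t         len;
    uint32_t       ref_crc;   /* generated at translation time, stored alongside */
} protected_region_t;

/* Translation-time step (simulated here): compute the reference once. */
static protected_region_t protected_region_build(const uint8_t *data, size_t len)
{
    protected_region_t r = { data, len, crc32_buf(data, len) };
    return r;
}

/* Cyclic run-time step: recompute and compare; false means deviation. */
static bool protected_region_verify(const protected_region_t *r)
{
    return crc32_buf(r->data, r->len) == r->ref_crc;
}

/* Third method: display-controller register monitoring. */
#define DC_REG_COUNT 4
typedef enum { DC_OK, DC_RESTORED, DC_SAFE_STATE } dc_result_t;

typedef struct { uint32_t regs[DC_REG_COUNT]; } display_controller_t; /* stands in for MMIO */

typedef struct {
    uint32_t reference[DC_REG_COUNT];   /* held in the protected memory area */
    uint32_t reference_crc;             /* guards the reference values themselves */
    unsigned deviations;                /* consecutive deviations seen so far */
} register_monitor_t;

static void register_monitor_init(register_monitor_t *m, const uint32_t init[DC_REG_COUNT])
{
    memcpy(m->reference, init, sizeof m->reference);
    m->reference_crc = crc32_buf(m->reference, sizeof m->reference);
    m->deviations = 0;
}

/* One monitoring cycle: compare the live registers with the reference, re-enter
 * the reference values regardless of the outcome (no replay of a stale value),
 * restore up to three times, then request the secure state. */
static dc_result_t register_monitor_cycle(register_monitor_t *m, display_controller_t *dc)
{
    if (crc32_buf(m->reference, sizeof m->reference) != m->reference_crc)
        return DC_SAFE_STATE;                       /* reference itself is damaged */
    bool deviation = memcmp(dc->regs, m->reference, sizeof m->reference) != 0;
    memcpy(dc->regs, m->reference, sizeof m->reference);
    if (!deviation) {
        m->deviations = 0;
        return DC_OK;
    }
    return (++m->deviations > 3) ? DC_SAFE_STATE : DC_RESTORED;
}
```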
The library can also be transferred to a target system, for example by storing it in a flash memory of the combined instrument of the vehicle. At run time, the security data can be calculated again, for example in a secure area of the target system, if necessary in combination with one of the methods described above. The security data calculated at run time can be compared to the reference data stored in the library. In the event of a discrepancy, error processing can be applied, for example by retrying three times, going into a secure state, etc.

[0015] Fig. 7 is a schematic representation of a display system 100 according to an exemplary embodiment of the present invention. The display system 100 is similar to or corresponds to the display system shown in FIG. 1. The display system 100 has a display apparatus 110 and a controller 120 with a first processor 721 and a second processor 722. In FIG. 7 a separator line symbolically divides the first processor 721 and the second processor 722, for clarity of the drawing, into an HW circuit segment and a SW program segment.

[0016] In the HW circuit segment, the first processor 721 has a microcontroller unit 740. According to the exemplary embodiment shown in FIG. 7, the microcontroller unit 740 comprises a central unit 741 or central processing unit (CPU), a CAN bus 742, a LIN bus 743 (Local Interconnect Network), a random access memory (RAM) and a read-only memory (ROM). In the SW program segment, the first processor 721 comprises for example a management system 751, a program driver 752 and applications 753.

[0017] In the HW circuit segment, the second processor 722 includes a system on chip 760 (SoC). The chip system 760 in the exemplary embodiment of the invention shown in FIG.
7 comprises at least one further central unit 761 or central processing unit, at least one graphics processing unit 762 (GPU) and a display control unit 763. In the SW program segment, the second processor 722 has, for example, another management system 771, other program drivers 772, an HMI application 773, a security stack 774 and a secure HMI installation 775.

[0018] The microcontroller unit 740 of the first processor 721 and the chip system 760 of the second processor 722 are connected to exchange data. The microcontroller unit 740 of the first processor 721 exchanges data with the vehicle network X, for example via the CAN bus and/or the LIN bus. The chip system 760 of the second processor 722 is connected to exchange data with a random access memory (RAM) external to the processor and a read-only memory (ROM) external to the processor. The chip system 760 of the second processor 722 exchanges data with the display apparatus 110.

[0019] Figure 8 is a schematic representation of a display system 100 according to another embodiment of the invention. The display system 100 is similar or identical to the display system of FIG. 1. Specifically, the display system 100 corresponds to the display system of FIG. 7, except that the display system 100 of FIG. 8 comprises a display apparatus 110 and a control device 120 having only one processor 820. In FIG. 8 the separation line likewise symbolically divides the processor 820 into a circuit segment HW and a program segment SW for ease of presentation.

[0020] In the circuit segment HW, the processor 820 has a microcontroller unit 840. According to the exemplary embodiment of the invention shown in FIG. 8, the microcontroller unit 840 comprises a central unit 841 or central processing unit, a CAN bus 842, a LIN bus 843, a graphics processing unit 844 (GPU) and a display control unit 845. The program segment SW of the processor 820 comprises, for example, a management system 851,
a program driver 852, applications 853, an HMI application 854, a security stack 855 and a secure HMI installation 856. The microcontroller unit 840 of the processor 820 exchanges data with the vehicle network X, for example via a CAN bus and/or a LIN bus. The microcontroller unit 840 exchanges data with a random access memory (RAM) external to the processor as well as with a read-only memory (ROM) external to the processor. The microcontroller unit 840 exchanges data with the display apparatus 110.

An exemplary embodiment of the present invention is summarized below with reference to Figs. 1 to 8. The vehicle display system 100 comprises a microcontroller with interfaces to the vehicle. It is connected to a graphics controller and frame buffer that supports display in several graphical planes (graphic layers) and is connected to a display apparatus 110 of the vehicle, for example a TFT LCD, and to an installation for the particularly secure display of the display contents by separating the processing of the security-critical contents A from that of the non-critical contents B. The critical contents A are displayed in the upper graphical plane 302, which cannot be covered by other graphical planes. Partial or total transparency of this graphical plane 302 may be used to ensure unrestricted readability of the other, non-critical contents B if the critical, secure content A requires only a portion of the surface under the upper graphical plane 302. One or more of the above methods, i.e. protecting the memory or processing the secure content A in a protected memory area, securing the program code, monitoring the registers and/or securing the image data, may also be applied. The embodiments described and shown in the figures are only examples. The various examples can be combined in whole or in part.
Some examples may also be supplemented by features of other examples. In addition, the method steps presented above may be performed in another order.

[0021] NOMENCLATURE OF THE MAIN ELEMENTS
100 Display system
110 Display device
120 Control unit
200 Control method of a display unit
201-220 Steps of the method 200
301-302 Graphical plane
303 Combined display
401 Static data
402 Dynamic data
403 Code
404 Display
405 Second group
406 Static data
407 Dynamic data
408 Qualified code
409 Secure display
500 Context diagram
501 HMI address space
502 QM-HMI address space
600 Overall representation of address spaces
601 Regular address space
602 Secure address space
721 First processor
722 Second processor
740 Microcontroller unit
741 Central unit
742 CAN bus
743 LIN bus
751 Management system
752 Program driver
753 Application
760 System on chip
761 CPU
762 Graphics processor GPU
763 Display control unit
771 Management system
772 Program driver
773 HMI application
774 Security stack
775 Secure HMI installation
820 Processor
840 Microcontroller unit
841 Central unit
842 CAN bus
843 LIN bus
844 Graphics processing unit
851 Management system
852 Program driver
853 Application
854 HMI application
855 Security stack
856 Secure HMI installation
A Security-critical content
B Non-security-critical content
C Security-critical image data
D Non-security-critical image data
E Security-critical display element
F Non-security-critical display element
Claims:
CLAIMS

1) A method (200) for controlling a display apparatus (110) for displaying security-critical contents (A) and non-security-critical contents (B), the method (200) comprising: processing (210) the recorded image data (C, D) by separating the security-critical image data (C) and the non-security-critical image data (D) and/or processing them separately to generate security-critical display elements (E) and non-security-critical display elements (F), the security-critical display elements (E) being graphically superimposed on the non-security-critical display elements (F) by the display apparatus (110).

2) Method (200) according to claim 1, characterized in that in the processing step (210) the security-critical image data (C) and the non-security-critical image data (D), as well as the security-critical display elements (E) and the non-security-critical display elements (F), are processed separately and/or independently in time, in space and/or with respect to resources.

3) Method (200) according to claim 1, characterized in that in the processing step (210) the security-critical display elements (E) are generated so that, in the display state of the display apparatus (110), these display elements (E) are displayed in a graphical plane (302) which graphically covers any other graphical plane (301), or the security-critical display elements (E) replace the non-security-critical display elements (F) when the display apparatus (110) is in the display state.

4) Method (200) according to claim 1, characterized in that in the processing step (210) the security-critical image data (C) and the non-security-critical image data (D), as well as the security-critical display elements (E) and the non-security-critical display elements (F), are managed in memory areas, address spaces and/or process spaces (501, 502; 601, 602, 603) that are separated and/or secured relative to each other.
5) Method (200) according to claim 4, characterized in that the processing step (210) detects and/or prevents unauthorized memory access to the memory areas, address spaces and/or process spaces (501, 502; 601, 602, 603) which are separated and/or secured from one another.

6) Method (200) according to claim 1, characterized in that in the processing step (210) at least one processing resource is continuously checked to determine whether its state is correct or whether it is a fault state of the at least one processing resource.

7) Method (200) according to claim 1, characterized in that in the processing step (210) the register values which represent security-critical image data (C) and/or security-critical display elements (E) are compared to reference register values stored in a protected memory area, and in case of deviation a fault processing is applied.

8) Method (200) according to claim 1, characterized in that in the processing step (210), at translation time, the security-critical image data (C) are assembled in the form of a library and secured by generating reference security data and storing them in the library, and at run time security data are calculated and compared to the reference security data, and in case of deviation an error processing is applied.

9) Device (120) for performing all the steps of the method (200) of controlling a display apparatus (110) according to any one of claims 1 to 8 for displaying security-critical contents (A) and non-security-critical contents (B), comprising: - processing (210) the stored image data (C, D) by separating the security-critical image data (C) and the non-security-critical image data (D) and/or separately processing them to generate security-critical display elements (E) and non-security-critical display elements (F), the security-critical display elements (E) being graphically superimposed on the non-security-critical display elements (F) by the display apparatus (110).
10) Display system (100) for displaying security-critical contents (A) and non-security-critical contents (B), the display system (100) being characterized by: - a display apparatus (110) for displaying the security-critical contents (A) and the non-security-critical contents (B), and - a device (120) according to claim 9 connected for data exchange with the display apparatus (110), the device (120) separately supplying the security-critical display elements (E) and the non-security-critical display elements (F) to the display apparatus (110).

11) A computer program comprising program code instructions for executing the steps of the method (200) according to any one of claims 1 to 8 when the program is executed on a computer.
Patent family:
Publication number | Publication date
CN105786426A|2016-07-20|
DE102015200292A1|2016-07-14|
FR3031619B1|2019-04-05|
Legal status:
2017-01-24| PLFP| Fee payment|Year of fee payment: 2 |
2018-01-24| PLFP| Fee payment|Year of fee payment: 3 |
2018-08-17| PLSC| Publication of the preliminary search report|Effective date: 20180817 |
2020-01-23| PLFP| Fee payment|Year of fee payment: 5 |
2021-01-20| PLFP| Fee payment|Year of fee payment: 6 |
2022-01-18| PLFP| Fee payment|Year of fee payment: 7 |
Priority:
Application number | Application date | Patent title
DE102015200292.6A|DE102015200292A1|2015-01-13|2015-01-13|Method and device for driving a display device and display system|
DE1020152002926|2015-01-13|