System and method for authentication and fail-safe transmission of safety messages

US 7,590,848 B2
Filed: 02/07/2003
Issued: 09/15/2009
Est. Priority Date: 02/07/2002
Status: Active Grant

First Claim

Patent Images

1. A system for fail-safe transmission of safety messages in a network environment, said system comprising:

an intelligent sensor apparatus including a sensor, a sensor processor, and a sensor computer readable media including instructions to implement;

a first safety-certified application;

a first safety-certified layer; and

a first non-safety-certified layer wherein said first safety-certified layer is operative to generate a safety message and associated digital signature based upon state information received from said sensor; and

an intelligent actuator apparatus disposed to receive said safety message and said digital signature via a communications network communcatively coupled to said intelligent sensor apparatus, said intelligent actuator apparatus including an actuator, an actuator processor, and an actuator computer readable media including instructions to implement;

a second safety-certified application;

a second safety-certified layer; and

a second non-safety-certified layer wherein said second safety-certified layer is operative to use said digital signature in order to verify authenticity of said safety message and thereby enable said actuator to perform an action in accordance with said state information.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for fail-safe transmission of safety messages through communication channels containing non-safety-certified equipment is disclosed herein. Consistent with the disclosed method, digital signatures and/or encryption are used to authenticate both the origin and content of the safety messages. A watchdog timer ensures transition to a safe state if authenticated messages are not received periodically. In a particular implementation, the disclosed method includes generating a safety message indicating the state of a sensor. A digital signature is then generated to sign this safety message. The method further includes communicating the safety message and the digital signature to an actuator. Upon receipt, the safety message is authenticated using the digital signature. A watchdog timer ensures transition to a safe state if authenticated messages are not received periodically.

Citations

36 Claims

1. A system for fail-safe transmission of safety messages in a network environment, said system comprising:
- an intelligent sensor apparatus including a sensor, a sensor processor, and a sensor computer readable media including instructions to implement;
  
  a first safety-certified application;
  
  a first safety-certified layer; and
  
  a first non-safety-certified layer wherein said first safety-certified layer is operative to generate a safety message and associated digital signature based upon state information received from said sensor; and
  
  an intelligent actuator apparatus disposed to receive said safety message and said digital signature via a communications network communcatively coupled to said intelligent sensor apparatus, said intelligent actuator apparatus including an actuator, an actuator processor, and an actuator computer readable media including instructions to implement;
  
  a second safety-certified application;
  
  a second safety-certified layer; and
  
  a second non-safety-certified layer wherein said second safety-certified layer is operative to use said digital signature in order to verify authenticity of said safety message and thereby enable said actuator to perform an action in accordance with said state information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The system of claim 1 wherein said sensor computer readable medium includes instructions to generate, in said first safety-certified layer, said digital signature by signing said safety message using a private key associated with said sensor, said digital signature being verifiable using a public key corresponding to said private key.
  - 3. The system of claim 2 wherein said actuator computer readable medium includes instructions to verify said digital signature using said public key.
  - 4. The system of claim 1 wherein said sensor computer readable medium includes instructions to generate said digital signature by:
    - generating a message digest, said message digest generated by condensing said safety message using a hash function; and
      
      signing said message digest using a private key.
  - 5. The system of claim 4 wherein said actuator computer readable medium includes instructions to verify said digital signature by:
    - generating a recovered message digest, said recovered message digest generated by condensing said message digest; and
      
      verifying said digital signature using a public key corresponding to said private key.
  - 6. The system of claim 1 wherein said intelligent actuator apparatus is configured to transition to a safe state if one or more of said safety messages are not received at said intelligent actuator apparatus on a periodic basis.
  - 7. The system of claim 1 wherein said sensor computer readable medium includes instructions to create, in said first safety certified layer, a message digest based upon said state information, said message digest being signed using a private key in order to generate said digital signature.
  - 8. The system of claim 1 wherein said sensor computer readable medium includes instructions to add, in said first safety certified layer, sequence number information to said state information in connection with said safety message.
  - 9. The system of claim 1 wherein said sensor computer readable medium includes instructions to add, in said first safety certified layer, time stamp information to said state information in connection with said safety message.
  - 10. The system of claim 1 wherein said intelligent sensor apparatus comprises a pressure transducer and said state information includes a pressure state sensed by said pressure transducer.
  - 11. The system of claim 1 wherein said intelligent actuator comprises a safety shutoff valve, and said actuator computer readable medium includes instructions for actuating, in said second safety-certified application, said safety shutoff valve responsive to said safety message.
  - 12. The system of claim 11 wherein said actuator computer readable medium includes instructions for closing, in said second safety-certified application, said safety shutoff valve on failure to receive said safety message within a predefined time period.
  - 13. The system of claim 1 wherein said intelligent sensor apparatus comprises a temperature transducer and said state information includes a temperature state sensed by said temperature transducer.
  - 14. The system of claim 1 wherein said intelligent sensor apparatus comprises a flow transducer and said state information includes a flow state sensed by said flow transducer.
  - 15. The system of claim 1 wherein said intelligent actuator apparatus comprises a shutoff switch, and said actuator computer readable medium includes instruction for actuating, in said second safety-certified application, said shutoff switch responsive to said safety message.
  - 16. The system of claim 1 further comprising a communications network communicatively coupled to said intelligent sensor and said intelligent actuator.
  - 17. The system of claim 16 wherein said communications network comprises a local area network (LAN).
  - 18. The system of claim 17 wherein said LAN comprises an Ethernet network.
  - 19. The system of claim 17 wherein said LAN comprises a Fieldbus network.
  - 20. The system of claim 16 wherein said communications network is a safety-certified network.
  - 21. The system of claim 16 wherein said communications network is a non-safety certified network.

22. A method for fail-safe transmission of safety messages in a network environment comprising:
- generating, at an intelligent sensor processor, a safety message and associated digital signature, wherein said safety message is generated in a first safety-certified layer based at least in part on state information received from an intelligent sensor and wherein said first safety-certified layer is operative in a first non-safety certified layer;
  
  sending, via a communications network, said safety message and said digital signature;
  
  receiving said safety message and said digital signature at an intelligent actuator apparatus, said intelligent actuator apparatus including an intelligent actuator processor;
  
  verifying in a second safety-certified layer of said intelligent actuator apparatus, using said intelligent actuator processor, said safety message using said digital signature, wherein said second safety-certified layer is operative in a second non-safety certified layer; and
  
  enabling, responsive to said verifying, an action at said intelligent actuator apparatus, wherein said action is based at least in part on said state information.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 23. The method of claim 22 wherein said digital signature is generated in said first safety-certified layer by signing said safety message using a private key associated with said intelligent sensor.
  - 24. The method of claim 23 wherein said safety message is verified using a public key corresponding to said private key.
  - 25. The method of claim 22 wherein said digital signature is generated by:
    - generating a message digest by condensing said safety message using a hash function; and
      
      signing said message digest using said private key.
  - 26. The method of claim 25 wherein said message digest is based at least in part on said state information.
  - 27. The method of claim 22 wherein said verifying said safety message using a digital signature includes:
    - generating a recovered message digest by condensing said message digest; and
      
      verifying said digital signature using a public key corresponding to said private key.
  - 28. The method of claim 22 further comprising transitioning the intelligent actuator apparatus to a safe state if one or more of said safety messages are not received at said intelligent actuator apparatus on a periodic basis.
  - 29. The method of claim 22 further comprising generating said safety message based in part on sequence number information.
  - 30. The method of claim 22 further comprising generating said safety message based in part on time stamp information.
  - 31. The method of claim 22 wherein said intelligent sensor apparatus comprises a pressure transducer and said state information includes a pressure state sensed by said pressure transducer.
  - 32. The method of claim 22 wherein said intelligent sensor apparatus comprises a temperature transducer and said state information includes a temperature state sensed by said temperature transducer.
  - 33. The method of claim 22 wherein said intelligent sensor apparatus comprises a flow transducer and said state information includes a flow state sensed by said flow transducer.
  - 34. The method of claim 22 wherein said intelligent actuator comprises a safety shutoff valve, and said action comprises actuating said safety shutoff valve.
  - 35. The method of claim 22 wherein said intelligent actuator comprises a shutoff switch, and said action comprises actuating said shutoff switch.

36. A system for fail-safe transmission of safety messages in a network environment, said system comprising:
- an intelligent sensor apparatus including a sensor element and a sensor hardware apparatus configured to provide;
  
  a first safety-certified application;
  
  a first safety-certified layer; and
  
  a first non-safety-certified layer wherein said first safety-certified layer is operative to generate a safety message and associated digital signature based upon state information received from said sensor element; and
  
  an intelligent actuator apparatus disposed to receive said safety message and said digital signature, said intelligent actuator including an actuator element and an actuator hardware apparatus configured to provide;
  
  a second safety-certified application,a second safety-certified layer, anda second non-safety-certified layer wherein said second safety-certified layer is operative to use said digital signature in order to verify authenticity of said safety message and thereby enable said actuator element to perform an action in accordance with said state information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Schneider Electric Systems USA, Inc. (Schneider Electric SE)
Original Assignee
Blackhawk Network Incorporated (Albertsons Cos., Inc.)
Inventors
Powers, Leslie
Primary Examiner(s)
Dada; Beemnet W

Application Number

US10/360,896
Publication Number

US 20040059917A1
Time in Patent Office

2,412 Days
Field of Search

713/176, 713/178, 713/180, 713/181, 713/189, 713/194, 600/323, 726/22, 726/23
US Class Current

713/176
CPC Class Codes

G06F 21/606   by securing the transmissio...

H04L 63/0442   wherein the sending and rec...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 9/3236   using cryptographic hash fu...

System and method for authentication and fail-safe transmission of safety messages

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for authentication and fail-safe transmission of safety messages

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links