Abstract
The invention relates to a method for communicating in a fault-tolerant distributed computer system, and to such a system, in which messages (200) are sent via communications channels (C11 C42) from node computers (K1 K4) using software subsystems (S1a S4c). The temporal correctness of a message is checked by a guardian (GUA) that is independent of the node computers. Each software subsystem (S1a S4c) is marked by a subsystem identifier (210, 220). The guardian (GUA) is informed a priori which subsystem identifiers may be output by each of the individual node computers (112 114). In addition, the guardian checks the correctness of the assignment of the software subsystems to the node computers during communication, and interrupts the communication if received subsystem identifiers were output by node computers that are not authorized to output them.
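
The two guardian checks described above, as an added sketch that is not taken from the patent. The message fields, the per-node send windows, the identifier values, and the choice to drop (rather than block on) a timing violation are assumptions; the sender is identified by the channel the message arrives on, never by message content.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:
    node: str          # sender, as identified by the guardian's input channel
    subsystem_id: int  # subsystem identifier carried in the message
    t_us: int          # arrival time, microseconds into the communication round

@dataclass
class Guardian:
    # A priori configuration (assumed layout), held outside the node computers.
    windows: dict      # node -> (start_us, end_us) send window in the round
    allowed_ids: dict  # node -> frozenset of subsystem identifiers it may output
    blocked: set = field(default_factory=set)

    def check(self, msg: Message) -> str:
        """Return 'forward', or the reason the message is not passed on."""
        if msg.node in self.blocked:
            return "blocked"
        window = self.windows.get(msg.node)
        if window is None or not (window[0] <= msg.t_us < window[1]):
            return "timing"              # temporal correctness violated
        if msg.subsystem_id not in self.allowed_ids.get(msg.node, frozenset()):
            self.blocked.add(msg.node)   # interrupt this node's communication
            return "identifier"
        return "forward"

def run_sample():
    # Constructed configuration and trace for nodes K1 and K2.
    g = Guardian(
        windows={"K1": (0, 250), "K2": (250, 500)},
        allowed_ids={"K1": frozenset({0x1A, 0x1B}), "K2": frozenset({0x2A})},
    )
    trace = [
        Message("K1", 0x1A, 10),   # authorized identifier, inside K1's window
        Message("K2", 0x2A, 100),  # authorized identifier, outside K2's window
        Message("K2", 0x1A, 300),  # inside window, but identifier belongs to K1
        Message("K2", 0x2A, 320),  # well-formed, but K2 is already cut off
    ]
    return [g.check(m) for m in trace], g.blocked

if __name__ == "__main__":
    print(run_sample())
```

Because the authorization table lives in the guardian, a faulty or compromised node cannot widen its own permissions by changing what it puts in a message.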