WO2009155993A1 - A safety system for a machine - Google Patents

A safety system for a machine Download PDF

Info

Publication number
WO2009155993A1
Authority
WO
WIPO (PCT)
Prior art keywords
safety
computing units
logic
safety system
building components
Prior art date
Application number
PCT/EP2008/058301
Other languages
French (fr)
Inventor
Roger Mellander
Johnny ÖBERG
Mats X KÄLLMAN
Per V Carlsson
Original Assignee
Abb Research Ltd.

Classifications

    • B25J9/1674: Programme-controlled manipulators (B25J9/00), programme controls (B25J9/16) characterised by safety, monitoring, diagnostic
    • G05B19/0428: Programme-control systems (G05B19/00), electric (G05B19/02), sequence or logic controllers (G05B19/04) using digital processors (G05B19/042), safety, monitoring
    • G05B9/03: Safety arrangements (G05B9/00), electric (G05B9/02), with multiple-channel loop, i.e. redundant control systems
    • G05B2219/24186: Program-control systems, Pc systems, Pc safety, redundant processors are synchronised
    • G05B2219/24187: Program-control systems, Pc systems, Pc safety, redundant processors run identical programs
    • G05B2219/24189: Program-control systems, Pc systems, Pc safety, redundant processors monitor same point, common parameters
    • G05B2219/24192: Program-control systems, Pc systems, Pc safety, configurable redundancy
    • G05B2219/25163: Program-control systems, Pc systems, Pc structure of the system, transmit twice, redundant, same data on different channels, check each channel
    • G05B2219/25268: Program-control systems, Pc systems, Pc structure of the system, PLD programmable logic device

Definitions

  • the present invention relates to a safety system for a machine.
  • the system comprises two independent logic computing units for executing a safety function based on input data from two redundant data transmission channels providing the same safety inputs to each of the logic computing units, and a fault detecting unit configured to compare the outputs from each of the logic computing units and based on the result of the comparison detecting faults and sending safety control inputs to the machine.
  • a safety system for a machine performs one or more safety functions to ensure the safety of human working in the environment of an industrial process, and the machine as well.
  • a system may include safety elements, one or more logic computing units for executing the safety functions.
  • Typical safety elements are, for example, sensors, switches or emergency push buttons.
  • the logic computing units are, for example, general- purpose computers, microprocessors, and a set of electric circuits.
  • a safety control input will be sent to the machine, for example, a stop input can be sent to the driving system of the machine to stop the operation of the machine.
  • a machine could be a valve, a pump, or a robot.
  • Reliability is a desired feature for such safety control systems and can be measured by so-called safety levels.
  • safety levels are defined in corresponding standards.
  • in standard IEC 61508 various safety integrity levels (SIL) are defined, whereas in standard EN 954-1 various safety categories are defined.
  • a high reliability of a safety system, for example defined as SIL 2 in IEC 61508 or safety category 3 in EN 954-1, is usually achieved by using two separate logic computing units to simultaneously execute the same safety function based on the same safety inputs from the safety elements. The operation results are then compared by a fault detecting unit in order to detect faults.
  • the system generates a control input for controlling the operation of a machine, for example a stop signal may be sent to stop the operation of the machine.
  • a safety system comprising two separate logic computing units and data inputs, transmitted via two redundant data channels, is denoted a safety system with dual data processing channels. Such a safety system enables a high level of safety because the system will continue to operate even in the event of a fault.
  • the system is further extended with supervision/monitoring modules to be able to feed back safety inputs coming from the logic computing units to the safety functions.
  • a recent patent application DE102006012042 presents a solution based on dual core processor architecture.
  • the application proposes a solution that uses a dual core processor as the logic computing units, the safety function carried out on each logic computing unit being implemented and executed on each core of the dual core processor.
  • the problem with the solution is that a main storage is commonly used by the processor cores for storing the safety function and some intermediate results, which creates a single point of failure in the system.
  • the dual core architecture on which the system is based is still quite expensive.
  • One object of the present invention is to provide a safety system for a machine which is compact and economic in construction.
  • Such a safety system comprises a programmable logic device comprising a plurality of independent programmable building components, two of which are programmed to implement two independent logic computing units for executing a safety function based on safety inputs from two redundant data transmission channels.
  • a programmable logic device is an electronic component including a plurality of independent programmable building components which can be used to build reconfigurable digital circuits.
  • a PLD has an undefined function at the time of manufacture and before it can be used it must be programmed.
  • Examples of PLD devices are a complex programmable logic device, denoted CPLD, and a field-programmable gate array, denoted FPGA.
  • the building components of a PLD can be hard processor units embedded in the PLD, soft processor units, and programmable logic blocks and interconnects which can be hardware programmed to perform logic functions. Most of PLD devices include memory.
  • a safety function is one or more logic operations performed on the inputs, such as safety signals, to the safety function and the output of the safety function is the result of the logic operations on the safety signals.
  • One of the advantages with the programmable logic device is compactness since it makes it possible to implement a safety system with two independent logic computing units on a single chip.
  • Another advantage is economic, meaning that a highly reliable safety system with dual data processing channels can be achieved at a cheaper hardware cost.
  • Such a safety control system according to the invention is cost-effective in terms of hardware.
  • Yet another advantage, compared with a general-purpose computer or a microprocessor which usually runs an operating system, is that a programmable logic device has far fewer instructions, which means programming the safety function is easier than on a general-purpose computer or a microprocessor.
  • each of the building components programmed to implement the logic computing units has its own memory.
  • On the market there are PLD devices in which the above mentioned building blocks have embedded memories.
  • a hard processor usually includes a program memory and a data memory.
  • a soft processor may be configured to have its own memory too.
  • Even logic blocks have memory elements, for example simple flip-flops or more complete blocks of memory. Having separate memories for the logic computing units yields two totally separate logic computing units. Therefore, the single point of failure of a commonly used memory is eliminated.
  • the building component configured to implement each of the logic computing units is any of the following types: a hard processor unit, a soft processor unit, or at least one logic block programmed by hardware description language.
  • a hard processor unit can be, for example, an embedded microprocessor.
  • a soft processor is implemented within the programmable logic device and such a soft processor is reconfigurable to suit a specific program.
  • the third variant is when a hardware description language, denoted HDL, is used to create a hardware implementation of the software application.
  • two different types of building components are used to program the safety logic on each of the logic computing units.
  • one of the building components, implementing one of the computing units, may include one or more logic blocks programmed by hardware description language, and the other building component, implementing the other computing unit, can be a soft processor; or the building components programmed to implement the two computing units can be a soft processor unit and a hard processor unit; or any combination of the above mentioned types of building components.
  • Using two different types of building components to implement the safety logic increases the safety of the system.
  • the system provides an ability to detect common mode faults/failures or systematic faults, such as software design or coding defects, that would otherwise be reproduced identically on both computing units. Therefore a high reliability is achieved.
  • one of the building components is configured to implement the fault detecting unit.
  • one of the building components on the same programmable logic device is configured to perform the fault detecting function.
  • one of the building components on the same programmable logic device is programmed to synchronize the logic computing units.
  • the execution of the safety function on the two logic computing units is performed in parallel on two different building components, which means that the outputs of the two logic computing units may not be produced at the same moment.
  • the synchronization unit ensures that the fault detecting unit compares the results generated by the computing units based on the same safety inputs.
  • two of the building components are configured as monitoring units for monitoring the current safety states of the computing units; each monitoring unit is configured to receive safety inputs from one of the computing units and provide feedback to the other computing unit. Since a computing unit itself can also generate faults, one building component is configured to monitor the faults coming from one computing unit. The safety inputs are then sent back to the other computing unit, which enables the two computing units to monitor each other. Because the programmable logic device includes a plurality of building components, the monitoring units can also be programmed on the same programmable logic device. Therefore, the safety system may achieve high reliability and be compact in size.
  • the machine is an industrial robot comprising a control unit configured to generate safety inputs, including an emergency stop input, as the safety input to the logic computing units. Consequently such a safety system can be used as an industrial robot safety system to provide a solution that is highly reliable, economic and flexible. This feature increases the competitiveness of a robot system.
  • a control unit for controlling an industrial robot comprising a safety system of the present invention.
  • the control unit is configured to generate safety inputs including an emergency stop input to the logic computing units.
  • the safety system according to the invention is very suitable for use in a control unit of an industrial robot. Because the safety system built on a programmable logic device has a compact size, it is easier to integrate such a safety system into the control unit of a robot.
  • the programmable logic device is a field-programmable gate array, denoted FPGA, device.
  • a cyclic redundancy check is implemented to verify the contents on the whole or on parts of the field-programmable gate array in order to detect faults.
  • Parts that can be verified with the CRC can, for example, be the soft processor, instead of exercising the instruction set as is done in a hard processor to verify that the processor is working as expected.
  • With an FPGA chip it is even possible to partially reconfigure the FPGA chip to correct errors that have been detected by the cyclic CRC check.
  • a cyclic CRC check of the entire FPGA can be implemented with, for example, a small external CPLD, or an internal CRC macro may be used, to ensure a reliable safety system built on the FPGA chip.
  • At least one of the programmable building components is a soft processor.
  • the soft processor is provided with an internal register, and a parity check is implemented to detect bit errors on the internal register.
  • With an FPGA chip, it is possible to add one or more parity bits together with a parity check to detect bit errors on the internal registers used by the soft processor, which makes it possible to detect soft errors immediately and eventually take corrective measures. This is yet another advantage over a safety system based on a multi-core architecture, where essentially two hard processors are used and it is not possible today to perform a parity check to detect bit errors within the hard processors.
  • a programmable logic device comprises a plurality of building components, it can be used to build a safety system with a compact size but it is still at least as reliable as the prior art.
  • a safety system can be integrated with a control unit of a machinery system, for example an industrial robot system.
  • Fig. 1 shows a safety system for a machine implemented on a programmable logic device, according to an embodiment of the invention.
  • Fig. 2 shows an FPGA chip that includes a plurality of pro- grammable logic blocks and interconnects, and a periphery of input and output blocks.
  • Fig. 3 shows one possible combination of building components on a PLD device.
  • Fig. 4 shows another example of a proposed safety system, implemented on a programmable logic device, where the safety system is extended with two monitoring units implemented by the building components on the same programmable logic device.
  • FPGA field-programmable gate array
  • CPLD complex programmable logic device
  • Fig. 1 shows a safety system for a machine according to an embodiment of the invention implemented on a programmable logic device 1 , in this example an FPGA device.
  • the system comprises a first logic computing unit 2 and a second logic comput- ing unit 2', a fault detecting unit 4, and a synchronization unit 6.
  • Fig. 1 shows also a signal generation unit 12 that generates the safety inputs to the safety system and a machine 14 that is the safety controlling target of the system.
  • the machine 14 is, for example, an industrial robot.
  • the signal generation unit 12 can be, for example, a teach pendant unit (TPU) connected to the control unit of the industrial robot.
  • the TPU may include an emergency stop button generating an emergency stop signal and an enabling button generating an enabling signal.
  • the safety input to the safety system includes the emergency stop signal and enabling signal from the TPU.
  • Other safety inputs can be a protective stop or other types of safety inputs.
  • the emergency stop signal is transmitted via dual redundant data channels 10, 10' to each of the computing units 2, 2', which means the same safety input is simultaneously transmitted through the data channels 10 and 10' to both computing units, and both computing units receive the same safety inputs when both channels work correctly. Dual data channels prevent the loss of data that a single data channel would suffer from. For example, if channel 10 fails to transmit the safety inputs, the safety inputs may still be transmitted through channel 10'.
  • the computing units 2, 2' are programmed to execute the same safety function. Upon receiving the safety input, the logic computing units 2, 2' execute the same safety function in parallel based on the same safety inputs.
  • a safety function may be, for example, a logic calculation on the states of several safety inputs; for example, an emergency stop button may be represented in two states: ON or OFF. The output of the safety function is the result of the logic calculation.
  • the function of the fault detecting unit 4 is to compare the results generated by the computing units. If the result generated by one of the computing units is not the same as that from the other one, a fault is detected, and consequently a safety control signal may be sent to the machine 14, for example a stop signal to stop the operation of the machine. Because the computing units execute in parallel, the results generated by the computing units are synchronized by the synchronization unit 6, which ensures that the results compared by the fault detecting unit 4 were generated by the computing units 2, 2' based on the same safety inputs. To synchronize the results, for example, a timer may be used, meaning that the results must be compared within the time limit that the timer is set to.
  • safety control signals are sent to the machine 14 via dual data channels 8, 8'.
  • the function of the dual data channels 8, 8' is similar to that of the dual data channels 10, 10', meaning that the same safety con- trol signal is redundantly transmitted to the machine 14 to retain the safety function.
  • a PLD comprises a plurality of building components. Building components used to implement the computing units 2, 2', the synchronization unit 6, and the fault detecting unit 4 can be any of the following types: a hard processor embedded in the PLD, a soft processor, or a hardware implementation through hardware description language.
  • Fig.2 shows an FPGA chip 50 that includes a plurality of programmable logic blocks 52 and programmable interconnects 54, as well as a periphery of input and output blocks 56.
  • Logic blocks can be programmed to perform the functions of basic logic gates such as AND, XOR, or more complex combinational functions such as decoders or mathematical functions. In most FPGAs, the logic blocks also include memory elements, for example simple flip-flops.
  • a hierarchy of programmable interconnections allows logic blocks to be interconnected as needed in the field by the system designer to perform desired functions. To program a desired function, a hardware description language is used to specify how to interconnect a set of logic blocks by working with the logic circuit diagram, or the source code of the function.
  • the logic blocks and programmable interconnects form a building block to perform the desired function.
  • a building component is configured to perform the de- sired safety function.
  • a cyclic redundancy check denoted CRC, may be implemented on the FPGA device to verify the contents on the whole or on parts of the FPGA in order to detect faults.
  • Fig. 3 shows one possible combination of building components on a PLD device 26, wherein the PLD device comprises an embedded hard processor 20, two reconfigurable soft processors 22, 22', and one building component 24 configured from a plurality of programmable logic blocks interconnected by a plurality of programmable interconnects on a single chip. There may still be a plurality of unconfigured logic blocks and programmable interconnects on the same chip, and they can be programmed as building components, for example the building components 24', 24'', to perform other logic functions if needed. How a building component is configured from a plurality of programmable logic blocks interconnected by a plurality of programmable interconnects depends on the function the logic implements.
  • a PLD device may have other combinations; for example, it may comprise a soft processor and one or more building components configured from a plurality of programmable logic blocks interconnected by a plurality of programmable interconnects on a single chip; or two embedded hard processors, an array of soft processors and one or more building components configured from a plurality of programmable logic blocks interconnected by a plurality of programmable interconnects on a single chip.
  • the configuration is depending on the need of a system.
  • a soft processor commonly uses an internal register. If at least one of the programmable building components is a soft processor, it is advantageous that the soft processor is provided with an internal register and that a parity check is implemented to detect bit errors on the internal register.
  • the soft processor 22 can be configured as the first computing logic unit 2, and the building components 24 can be configured as the second computing logic unit 2'; the fault detecting unit 4 can be implemented by another soft processor 22', and the synchronization unit 6 can be implemented on the hard processor 20.
  • the PLD device may be an FPGA chip, which itself is implemented in complementary metal-oxide-semiconductor (CMOS) technology.
  • CMOS complementary metal-oxide-semiconductor
  • Fig. 4 shows another example of a proposed safety system, implemented on a PLD device, according to an embodiment of the invention, where the safety system is extended with two monitoring units 40, 40'.
  • the safety system may program another two building components on the same PLD device, for example the building components 24', 24'' shown in Fig. 3, to implement the monitoring units 40, 40'.
  • the other building components shown in Fig. 3 are configured in the same way as in the example shown in Fig. 1.
  • the function of the monitoring units is to detect if there is any fault coming from the computing units themselves.
  • each of the monitoring units is configured to receive the outputs from one of the computing units 2, 2' and feed back the results to the other computing unit.
  • the results could be the same safety inputs as received by the computing units or the signals generated by the monitoring units based on the safety inputs.
  • the computing units can monitor each other to enable detecting more types of faults.
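The two FPGA self-tests the Definitions describe, a cyclic CRC over all or part of the configuration memory (with partial reconfiguration to repair a region that fails the check) and a parity bit on the soft processor's internal registers, modelled in C. This is an added example, not code from the patent or from ABB: the configuration image, the region layout and the injected errors are constructed for the demo, and CRC-32 and a single even-parity bit are assumed choices that the page does not specify.

```c
/* Added example, not code from the patent or from ABB: a C model of the two
 * FPGA self-tests described above, a cyclic CRC over a region of the
 * configuration memory (repairing a failed region from a golden copy, standing
 * in for partial reconfiguration) and a parity bit on a soft-processor
 * register. Image, region layout and injected errors are constructed;
 * CRC-32 and a single even-parity bit are assumed choices. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320). Pass crc = 0 for the
 * first chunk and the previous result for later chunks, so a region can be
 * checked piecewise the way a background scrubber walks the device. */
uint32_t crc32_update(uint32_t crc, const uint8_t *buf, size_t len)
{
    crc = ~crc;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

#define CFG_SIZE           256  /* constructed: tiny configuration image */
#define REGION_SOFTCPU_OFF  64  /* constructed: bytes 64..127 hold the soft CPU */
#define REGION_SOFTCPU_LEN  64

/* Deterministic pseudo-random bytes standing in for a bitstream. */
void cfg_fill(uint8_t *img, size_t n)
{
    uint32_t x = 0x12345678u;
    for (size_t i = 0; i < n; i++) { x = x * 1664525u + 1013904223u; img[i] = (uint8_t)(x >> 24); }
}

/* 1 if the region still matches its golden CRC, else 0. */
int cfg_region_ok(const uint8_t *img, size_t off, size_t len, uint32_t golden)
{
    return crc32_update(0, img + off, len) == golden;
}

/* Scrubber step: verify a region and, on mismatch, reload it from the golden
 * image (the text's partial reconfiguration). Returns 1 if a repair was made. */
int cfg_scrub_region(uint8_t *img, const uint8_t *golden_img,
                     size_t off, size_t len, uint32_t golden_crc)
{
    if (cfg_region_ok(img, off, len, golden_crc)) return 0;
    memcpy(img + off, golden_img + off, len);
    return 1;
}

/* A register with an even-parity bit stored beside it. */
struct preg { uint32_t value; uint8_t parity; };

uint8_t parity32(uint32_t v)           /* 1 if v has an odd number of set bits */
{
    v ^= v >> 16; v ^= v >> 8; v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return (uint8_t)(v & 1u);
}

void preg_write(struct preg *r, uint32_t v) { r->value = v; r->parity = parity32(v); }

/* 0 and the value on a clean read; -1 when the stored bits no longer match the
 * stored parity, i.e. a soft error is detected at read time. */
int preg_read(const struct preg *r, uint32_t *out)
{
    if (parity32(r->value) != r->parity) return -1;
    *out = r->value;
    return 0;
}

/* Returns a mask of what the checks caught:
 *  bit 0: single bit flip in the soft-CPU region caught by the region CRC
 *  bit 1: repair restored the region (its CRC matches again)
 *  bit 2: single-bit register upset caught by parity
 *  bit 3: double-bit register upset caught by parity (stays 0: parity cannot) */
unsigned self_test_demo(void)
{
    uint8_t golden[CFG_SIZE], live[CFG_SIZE];
    unsigned caught = 0;
    cfg_fill(golden, CFG_SIZE);
    memcpy(live, golden, CFG_SIZE);
    uint32_t gcrc = crc32_update(0, golden + REGION_SOFTCPU_OFF, REGION_SOFTCPU_LEN);

    live[REGION_SOFTCPU_OFF + 10] ^= 0x04;                      /* inject one upset */
    if (!cfg_region_ok(live, REGION_SOFTCPU_OFF, REGION_SOFTCPU_LEN, gcrc)) caught |= 1u;
    if (cfg_scrub_region(live, golden, REGION_SOFTCPU_OFF, REGION_SOFTCPU_LEN, gcrc) &&
        cfg_region_ok(live, REGION_SOFTCPU_OFF, REGION_SOFTCPU_LEN, gcrc)) caught |= 2u;

    struct preg r; uint32_t v;
    preg_write(&r, 0xDEADBEEFu);
    r.value ^= 1u << 7;                                         /* single-bit upset */
    if (preg_read(&r, &v) == -1) caught |= 4u;
    preg_write(&r, 0xDEADBEEFu);
    r.value ^= (1u << 7) | (1u << 20);                          /* double-bit upset */
    if (preg_read(&r, &v) == -1) caught |= 8u;
    return caught;
}
```

`self_test_demo()` returns 0x7: the region CRC catches and repairs the configuration upset and parity catches the single-bit register upset, but a double-bit register upset passes unnoticed, since a single parity bit only detects an odd number of flipped bits (a practitioner who needs to catch those would use a SECDED code on the register file instead). The golden CRC and golden image are only trustworthy if they live outside the region they protect, which is one reason the text suggests running the cyclic check from a small external CPLD.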

Abstract

The present invention relates to a safety system for a machine (14), the system comprising two independent logic computing units (2, 2') for executing a safety function based on safety inputs from two redundant data transmission channels (10, 10') providing the same safety inputs to each of the logic computing units, and a fault detecting unit (4) configured to compare the outputs from each of the logic computing units and based on the result of the comparison detecting faults and sending safety control signal to the machine via another two redundant data transmission channels (8, 8'). The system comprises a programmable logic device (1) comprising a plurality of independent programmable building components, two of which are programmed to implement said logic computing units.

Description

ABB Technology AB
A SAFETY SYSTEM FOR A MACHINE
FIELD OF THE INVENTION
The present invention relates to a safety system for a machine. The system comprises two independent logic computing units for executing a safety function based on input data from two redundant data transmission channels providing the same safety inputs to each of the logic computing units, and a fault detecting unit configured to compare the outputs from each of the logic computing units and based on the result of the comparison detecting faults and sending safety control inputs to the machine.
PRIOR ART
A safety system for a machine performs one or more safety functions to ensure the safety of humans working in the environment of an industrial process, and of the machine as well. Such a system may include safety elements and one or more logic computing units for executing the safety functions. Typical safety elements are, for example, sensors, switches or emergency push buttons. The logic computing units are, for example, general-purpose computers, microprocessors, or a set of electric circuits. When safety inputs from the safety elements are sent to the logic computing units, the safety functions on the computing units are carried out and, depending on the result of the safety functions, a safety control input is sent to the machine; for example, a stop input can be sent to the driving system of the machine to stop the operation of the machine. Such a machine could be a valve, a pump, or a robot.
Reliability is a desired feature for such safety control systems and can be measured by so-called safety levels. Such safety levels are defined in corresponding standards. For example, in standard IEC 61508 various safety integrity levels (SIL) are defined, whereas in standard EN 954-1 various safety categories are defined. A high reliability of a safety system, for example defined as SIL 2 in IEC 61508 or safety category 3 in EN 954-1, is usually achieved by using two separate logic computing units to simultaneously execute the same safety function based on the same safety inputs from the safety elements. The operation results are then compared by a fault detecting unit in order to detect faults. Eventually the system generates a control input for controlling the operation of a machine; for example, a stop signal may be sent to stop the operation of the machine. To achieve a high reliability, safety inputs to each of the logic computing units are transmitted through two redundant data transmission channels. A safety system comprising two separate logic computing units and data inputs transmitted via two redundant data channels is denoted a safety system with dual data processing channels. Such a safety system enables a high level of safety because the system will continue to operate even in the event of a fault.
If a higher reliability is desired in order to detect more types of faults, the system is further extended with supervision/monitoring modules to be able to feed back safety inputs coming from the logic computing units to the safety functions.
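The dual-channel arrangement described in the two paragraphs above (two computing units executing the same safety function on inputs from two redundant channels, a fault detecting unit comparing their results within a synchronization window, and a safety control signal driven to the safe state on disagreement), modelled in C. This is an added example, not code from the patent or from ABB. It also shows the point the summary makes about implementing the two units differently: a constructed systematic fault in one implementation is caught by the comparison against the diverse implementation, while two identical copies of the faulty implementation agree with each other and the fault goes undetected. The input bit encoding, the signal names and the timeout value are assumptions made for this demo.

```c
/* Added example, not code from the patent or from ABB: a C model of the
 * dual-channel architecture described above. The same safety inputs arrive
 * on two channels (10, 10'), two differently implemented computing units
 * (2, 2') evaluate the safety function, a synchronization window (6) limits
 * how late the second result may be, and the fault detecting unit (4)
 * drives a fail-safe STOP on any disagreement or timeout. Signal names, the
 * bit encoding and the timeout value are assumptions made for this demo. */
#include <stdint.h>
#include <stdio.h>

enum { RUN = 0, STOP = 1 };              /* STOP is the safe state */

/* Assumed encoding of the safety inputs from the teach pendant. */
#define IN_ESTOP_RELEASED   0x1u         /* e-stop button not pressed */
#define IN_ENABLING_HELD    0x2u         /* enabling device held */
#define IN_PROT_STOP_CLEAR  0x4u         /* no protective stop requested */
#define IN_ALL_OK (IN_ESTOP_RELEASED | IN_ENABLING_HELD | IN_PROT_STOP_CLEAR)

struct msg { int valid; uint8_t data; }; /* valid == 0 models a lost message */

typedef uint8_t (*safety_fn)(uint8_t);

/* Unit 2: mask compare, the way one would write it in HDL. */
uint8_t unit_a(uint8_t in) { return (in & IN_ALL_OK) == IN_ALL_OK ? RUN : STOP; }

/* Unit 2': diverse implementation for a soft processor, written from the
 * opposite polarity so one coding slip is unlikely to hit both the same way. */
uint8_t unit_b(uint8_t in)
{
    int estop_pressed = !(in & IN_ESTOP_RELEASED);
    int enabling_lost = !(in & IN_ENABLING_HELD);
    int prot_stop     = !(in & IN_PROT_STOP_CLEAR);
    return (estop_pressed || enabling_lost || prot_stop) ? STOP : RUN;
}

/* Constructed systematic fault: an implementation that forgets the enabling device. */
uint8_t unit_a_faulty(uint8_t in)
{
    uint8_t need = IN_ESTOP_RELEASED | IN_PROT_STOP_CLEAR;
    return (in & need) == need ? RUN : STOP;
}

#define SYNC_TIMEOUT_TICKS 3u            /* assumed window for the second result */

/* One evaluation cycle of units 2, 2', 6 and 4. delay_b is how many ticks
 * after unit 2 the result of unit 2' arrives. *fault is set whenever the
 * comparison cannot be trusted (both channels lost, channel copies differ,
 * timeout, or differing results); the signal returned is then always STOP. */
uint8_t safety_cycle(struct msg ch10, struct msg ch10p, safety_fn fa, safety_fn fb,
                     unsigned delay_b, int *fault)
{
    *fault = 0;
    if (!ch10.valid && !ch10p.valid) { *fault = 1; return STOP; }
    if (ch10.valid && ch10p.valid && ch10.data != ch10p.data) { *fault = 1; return STOP; }
    uint8_t in = ch10.valid ? ch10.data : ch10p.data;      /* first surviving copy */

    uint8_t out_a = fa(in);
    if (delay_b > SYNC_TIMEOUT_TICKS) { *fault = 1; return STOP; }  /* unit 2' too late */
    uint8_t out_b = fb(in);
    if (out_a != out_b) { *fault = 1; return STOP; }               /* channel mismatch */
    return out_a;                         /* agreed result, sent redundantly on 8 and 8' */
}

/* Scenario helper: returns signal | (fault << 1): 0 RUN, 1 STOP, 3 STOP with fault. */
int scenario(uint8_t d10, int v10, uint8_t d10p, int v10p,
             safety_fn fa, safety_fn fb, unsigned delay_b)
{
    struct msg a = { v10, d10 }, b = { v10p, d10p };
    int fault;
    uint8_t sig = safety_cycle(a, b, fa, fb, delay_b, &fault);
    return (int)sig | (fault << 1);
}

int main(void)
{
    uint8_t ok = IN_ALL_OK, estop = IN_ALL_OK & ~IN_ESTOP_RELEASED, noen = IN_ALL_OK & ~IN_ENABLING_HELD;
    printf("all inputs ok, both channels   -> %d\n", scenario(ok, 1, ok, 1, unit_a, unit_b, 1));
    printf("e-stop pressed                 -> %d\n", scenario(estop, 1, estop, 1, unit_a, unit_b, 1));
    printf("channel 10 lost, 10' delivers  -> %d\n", scenario(ok, 0, ok, 1, unit_a, unit_b, 1));
    printf("both channels lost             -> %d\n", scenario(ok, 0, ok, 0, unit_a, unit_b, 1));
    printf("channel copies differ          -> %d\n", scenario(ok, 1, estop, 1, unit_a, unit_b, 1));
    printf("unit 2' result late            -> %d\n", scenario(ok, 1, ok, 1, unit_a, unit_b, 5));
    printf("faulty unit vs diverse unit    -> %d\n", scenario(noen, 1, noen, 1, unit_a_faulty, unit_b, 1));
    printf("two identical faulty copies    -> %d\n", scenario(noen, 1, noen, 1, unit_a_faulty, unit_a_faulty, 1));
    return 0;
}
```

Two design points worth noting. STOP is the safe value everywhere a decision cannot be made, so a lost result, a late result or a disagreement all de-energise the machine rather than leaving it running. And the last two scenarios are the argument for diverse building components: the faulty implementation paired with the diverse one is caught (result 3), while two identical copies of it agree on RUN with no fault flagged (result 0), which is exactly the common-mode failure a comparator alone cannot see. In a real system the single-channel loss in the third scenario should also raise a diagnostic, even though the safety function can still be evaluated from the surviving copy.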
Using two separate hardware logic computing units, such as two general-purpose computers or microprocessors to achieve a higher reliable safety system, is an expensive and complex solution due to the cost per hardware and the implementation cost of the safety system. Furthermore, such a safety system is not flexible in the way that it may take space, and consequently it could be difficult to be integrated into an industrial control system.
The recent development of computer architecture with multi-core provides another opportunity to implement such a safety system based on a multi-core architecture, which means that the safety system is not implemented on two separate hardware logic computing units. But such a solution is still complex and expensive.
A recent patent application DE102006012042 presents a solution based on a dual core processor architecture. The application proposes a solution that uses a dual core processor as the logic computing units, the safety function carried out on each logic computing unit being implemented and executed on each core of the dual core processor. The problem with the solution is that a main storage is commonly used by the processor cores for storing the safety function and some intermediate results, which creates a single point of failure in the system. Further, the dual core architecture on which the system is based is still quite expensive.
OBJECTS AND SUMMARY OF THE INVENTION
One object of the present invention is to provide a safety system for a machine which is compact and economic in construction.
This object is achieved by a system as defined in claim 1.
Such a safety system comprises a programmable logic device comprising a plurality of independent programmable building components, two of which are programmed to implement two independent logic computing units for executing a safety function based on safety inputs from two redundant data transmission channels.
A programmable logic device, denoted PLD, is an electronic component including a plurality of independent programmable building components which can be used to build reconfigurable digital circuits. Commonly, a PLD has an undefined function at the time of manufacture and before it can be used it must be programmed. Examples of PLD devices are a complex programmable logic device, denoted CPLD, and a field-programmable gate array, denoted FPGA. The building components of a PLD can be hard processor units embedded in the PLD, soft processor units, and programmable logic blocks and interconnects which can be hardware programmed to perform logic functions. Most PLD devices include memory.
A safety function is one or more logic operations performed on the inputs, such as safety signals, to the safety function and the output of the safety function is the result of the logic operations on the safety signals.
By implementing the computing units on two independent programmable building components on a programmable logic device, it is possible to provide two redundant computing units on a single chip, and still achieve the same safety integrity level or safety category as the prior art, in this case a safety integrity level 2 defined in IEC 61508 or safety category 3 in EN 954-1 .
One of the advantages of the programmable logic device is compactness, since it makes it possible to implement a safety system with two independent logic computing units on a single chip. Another advantage is economic, meaning that a highly reliable safety system with dual data processing channels can be achieved at a lower hardware cost. Such a safety control system according to the invention is cost-effective in terms of hardware. Yet another advantage, compared with a general-purpose computer or a microprocessor which usually has an operating system, is that a programmable logic device has far fewer instructions, which means programming the safety function is easier than on a general-purpose computer or a microprocessor.
According to an embodiment of the invention, each of the building components programmed to implement the logic computing units has its own memory. On the market there are some PLD devices including the above mentioned building blocks having embedded memories. For example, a hard processor usually includes a program memory and a data memory, whereas a soft processor may be configured to have its own memory too. Even logic blocks have memory elements, for example simple flip-flops or more complete blocks of memory. Having separate memories for the logic computing units gives two totally separate logic computing units. Therefore, the single point of failure of a commonly used memory is eliminated.
According to an embodiment of the invention, the building component configured to implement each of the logic computing units is any of the following types: a hard processor unit, a soft processor unit, or at least one logic block programmed by a hardware description language. A hard processor unit can be, for example, an embedded microprocessor. A soft processor is implemented within the programmable logic device, and such a soft processor is reconfigurable to suit a specific program. The third variant is when a hardware description language, denoted HDL, is used to create a hardware implementation of the software application.
Different variants of building components make it possible to build independent and different implementations of a safety function. With the third variant, a designer or developer of the safety function can get down to the hardware level of the system and implement the hardware exactly the way they want; therefore the generated code will be safer and simpler compared with a software implementation. This is particularly critical for a safety system.
According to a preferred embodiment of the invention, two different types of building components are used to program the safety logic on each of the logic computing units. For example, one of the building components, implementing one of the computing units, may include one or more logic blocks programmed by a hardware description language, and the other building component, implementing the other computing unit, can be a soft processor; or the building components programmed to implement the two computing units can be a soft processor unit and a hard processor unit, or any combination of the above mentioned types of building components. Using two different types of building components to implement the safety logic increases the safety of the system. For example, the system is able to detect common mode faults/failures or systematic faults, such as software design or coding defects, that could otherwise be reproduced on both computing units. Therefore a high reliability is achieved.
According to an embodiment of the invention, one of the building components is configured to implement the fault detecting unit. To be able to detect faults, one of the building components on the same programmable logic device is configured to perform a fault detecting function.
According to an embodiment of the invention, one of the building components on the same programmable logic device is programmed to synchronize the logic computing units. The execution of the safety function on the two logic computing units is parallel, which means that the generated outputs from the two logic computing units may not come out simultaneously. The synchronization unit ensures that the fault detecting unit compares the results generated by the computing units based on the same safety inputs.
According to an embodiment of the invention, two of the building components are configured as monitoring units for monitoring the current safety states from the computing units; each of the monitoring units is configured to receive safety inputs from one of the computing units and provide feedback to the other computing unit. Since a computing unit itself can also generate faults, one building component is configured to monitor the faults coming from one computing unit. The safety inputs are then sent back to the other computing unit, which enables the two computing units to monitor each other. Due to the fact that the programmable logic device includes a plurality of building components, the monitoring units can also be programmed on the same programmable logic device. Therefore, the safety system may achieve high reliability and be compact in size.
According to an embodiment of the invention, the machine is an industrial robot comprising a control unit configured to generate safety inputs including an emergency stop input as the safety input to the logic computing units. Consequently such a safety system can be used as an industrial robot safety system to provide a solution that is highly reliable, economic and flexible. This feature increases the competitiveness of a robot system.
According to one aspect of the invention, a control unit for controlling an industrial robot comprising a safety system of the present invention is provided. The control unit is configured to generate safety inputs including an emergency stop input to the logic computing units. The safety system according to the invention is very suitable for use in a control unit of an industrial robot. Due to the fact that the safety system built on a programmable logic device has a compact size, it is easier to integrate such a safety system into the control unit of a robot.
According to a preferred embodiment of the invention, the programmable logic device is a field-programmable gate array, denoted FPGA, device.
According to an embodiment of the invention, a cyclic redundancy check, denoted CRC, is implemented to verify the contents of the whole or of parts of the field-programmable gate array in order to detect faults. A part that can be verified with the CRC can for example be the soft processor, instead of exercising the instruction set as is done in a hard processor to verify that the hard processor is working as expected. With an FPGA chip it is even possible to partially reconfigure the FPGA chip to correct errors that have been detected by the cyclic CRC. Furthermore, a cyclic CRC check on the entire FPGA can be implemented with, for example, a small external CPLD, or an internal CRC macro may be used to ensure a reliable safety system built on the FPGA chip.
According to an embodiment of the invention, at least one of the programmable building components is a soft processor. The soft processor is provided with an internal register, and a parity check is implemented to detect bit errors on the internal register. With an FPGA chip, it is possible to add one or more parity bits together with a parity check to detect bit errors on the internal registers used by the soft processor, which makes it possible to detect any soft errors instantly and take corrective measures. This is yet another advantage over a safety system based on a multi-core architecture where essentially two hard processors are used, since it is not possible today to perform a parity check to detect bit errors within the hard processors. This means that by using such a feature of an FPGA chip, it is possible to build a safety system with higher reliability on a single FPGA chip than one based on hard processors, since the safety system built on an FPGA chip has a higher fault tolerance.
Because a programmable logic device comprises a plurality of building components, it can be used to build a safety system with a compact size that is still at least as reliable as the prior art. Such a safety system can be integrated with a control unit of a machinery system, for example an industrial robot system.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will now be explained more closely by the description of different embodiments of the invention and with reference to the appended figures.
Fig. 1 shows a safety system for a machine implemented on a programmable logic device, according to an embodiment of the invention.
Fig. 2 shows an FPGA chip that includes a plurality of programmable logic blocks and interconnects, and a periphery of input and output blocks.
Fig. 3 shows one possible combination of building components on a PLD device.
Fig. 4 shows another example of a proposed safety system, implemented on a programmable logic device, where the safety system is extended with two monitoring units implemented by the building components on the same programmable logic device.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS OF THE INVENTION
In the following, the safety system of the invention will be explained in connection with a field-programmable gate array, denoted FPGA, implementation; however, the invention can also be implemented on other types of programmable logic device, such as a complex programmable logic device, denoted CPLD.
Fig. 1 shows a safety system for a machine according to an embodiment of the invention implemented on a programmable logic device 1, in this example an FPGA device. The system comprises a first logic computing unit 2 and a second logic computing unit 2', a fault detecting unit 4, and a synchronization unit 6. Fig. 1 also shows a signal generation unit 12 that generates the safety inputs to the safety system and a machine 14 that is the safety controlling target of the system. The machine 14 is, for example, an industrial robot. The signal generation unit 12 can be, for example, a teach pendant unit (TPU) connected to the control unit of the industrial robot. The TPU may include an emergency stop button generating an emergency stop signal and an enabling button generating an enabling signal. In this case the safety input to the safety system includes the emergency stop signal and the enabling signal from the TPU. Other safety inputs can be a protective stop or other types of safety inputs.
When a safety input is generated by the signal generation unit, for example because an emergency stop button has been pressed by an operator, the emergency stop signal is transmitted via dual redundant data channels 10, 10' to each of the computing units 2, 2'. This means the same safety input is simultaneously transmitted through the data channels 10 and 10' to both computing units, and both computing units receive the same safety inputs when both channels work correctly. Dual data channels prevent the loss of data that could occur when transmitting via a single data channel. For example, if channel 10 fails to transmit the safety inputs, the safety inputs may still be transmitted through channel 10'. The computing units 2, 2' are programmed to execute the same safety function. Upon receiving the safety input, the logic computing units 2, 2' execute the same safety function in parallel based on the same safety inputs. A safety function may be, for example, a logic calculation of the states of several safety inputs; for example, an emergency stop button may be represented in two states: ON or OFF. The output of the safety function is the result of the logic calculation.
The function of the fault detecting unit 4 is to compare the results generated by the computing units. If the generated result from one of the computing units is not the same as that from the other one, a fault is detected, and consequently a safety control signal may be sent to the machine 14, for example a stop signal to stop the operation of the machine. Because the execution on the computing units is performed in parallel, the results generated by the computing units are synchronized by the synchronization unit 6, which ensures that the results compared by the fault detecting unit 4 are generated by the computing units 2, 2' based on the same safety inputs. To synchronize the results, for example, a timer may be used, meaning that the results must be compared within the time limit to which the timer is set. Otherwise, a fault is considered to have occurred and a safety control signal may be generated. As shown in Fig. 1, safety control signals are sent to the machine 14 via dual data channels 8, 8'. The function of the dual data channels 8, 8' is similar to that of the dual data channels 10, 10', meaning that the same safety control signal is redundantly transmitted to the machine 14 to retain the safety function.
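The scan cycle described above (redundant input channels, two diverse computing units executing the same safety function in parallel, a timer-based synchronization window and a comparing fault detector) modelled in C as an added example; it is not code from the patent, and the unit names, the bit layout of the safety inputs and the fault-injection switches are this example's own assumptions.

```c
/* Added example, not from the patent: a model of the Fig. 1 safety core. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Safety inputs as a teach pendant would generate them; bit set = "OK to run". */
enum { IN_ESTOP_RELEASED = 1u << 0, IN_ENABLE_PRESSED = 1u << 1, IN_NO_PROT_STOP = 1u << 2 };
#define ALL_INPUTS_OK (IN_ESTOP_RELEASED | IN_ENABLE_PRESSED | IN_NO_PROT_STOP)

enum control { CTRL_RUN = 0, CTRL_STOP = 1 };          /* signal on channels 8, 8'   */
enum verdict { V_RUN = 0, V_STOP = 1, V_FAULT = 2 };   /* STOP by function vs. fault */

struct channel_sample { bool valid; uint8_t inputs; };      /* one frame on 10 or 10' */
struct unit_result   { uint32_t cycle; bool run_allowed; }; /* output of unit 2 or 2' */

/* Unit 2: the safety function written as a boolean expression. */
static bool safety_function_a(uint8_t in) {
    return (in & IN_ESTOP_RELEASED) && (in & IN_ENABLE_PRESSED) && (in & IN_NO_PROT_STOP);
}
/* Unit 2': the same function as a lookup table, a deliberately diverse
 * implementation so that one coding defect is unlikely to repeat in both units. */
static bool safety_function_b(uint8_t in) {
    static const uint8_t run_ok[8] = { 0, 0, 0, 0, 0, 0, 0, 1 };
    return run_ok[in & 7u] != 0;
}

/* A computing unit reads its own channel and falls back to the redundant one;
 * with both frames lost it produces no result for this cycle. */
static bool computing_unit(bool (*fn)(uint8_t), uint32_t cycle,
                           const struct channel_sample *own,
                           const struct channel_sample *other,
                           struct unit_result *out) {
    const struct channel_sample *s = own->valid ? own : (other->valid ? other : NULL);
    if (s == NULL) return false;
    out->cycle = cycle;
    out->run_allowed = fn(s->inputs);
    return true;
}

/* Synchronization unit 6 plus fault detecting unit 4. */
struct safety_core {
    uint32_t window;             /* timer limit: max cycles between paired results */
    bool have[2];                /* a result from unit 2 / unit 2' is being held   */
    struct unit_result held[2];
    uint32_t seen[2];            /* cycle in which each held result arrived         */
    bool fault;                  /* latched; once set, STOP is held                 */
    enum control last;           /* last agreed control signal                      */
};

static void core_init(struct safety_core *c, uint32_t window) {
    memset(c, 0, sizeof *c);
    c->window = window;
    c->last = CTRL_STOP;         /* safe state until the units first agree */
}

/* Deliver the result of unit idx (0 = unit 2, 1 = unit 2') arriving at `now`,
 * or NULL if that unit produced nothing; returns the control signal for 8, 8'. */
static enum control core_step(struct safety_core *c, uint32_t now, int idx,
                              const struct unit_result *r) {
    if (r != NULL) {
        if (c->have[idx]) c->fault = true;        /* previous result never got a partner */
        c->have[idx] = true; c->held[idx] = *r; c->seen[idx] = now;
    }
    if (c->have[0] && c->have[1]) {
        uint32_t skew = c->seen[1] > c->seen[0] ? c->seen[1] - c->seen[0]
                                               : c->seen[0] - c->seen[1];
        bool mismatch = skew > c->window                          /* timer expired   */
                     || c->held[0].cycle != c->held[1].cycle      /* different inputs */
                     || c->held[0].run_allowed != c->held[1].run_allowed;
        bool run = c->held[0].run_allowed;
        c->have[0] = c->have[1] = false;
        if (mismatch) c->fault = true;
        else c->last = run ? CTRL_RUN : CTRL_STOP;
    } else {
        for (int i = 0; i < 2; i++)               /* a lone result waiting too long */
            if (c->have[i] && now >= c->seen[i] && now - c->seen[i] > c->window)
                c->fault = true;
    }
    return c->fault ? CTRL_STOP : c->last;
}

/* One scan cycle of Fig. 1. delay_2p: unit 2' finishes later than unit 2;
 * hang_2p: unit 2' produces nothing; flip_2p: a unit 2' fault inverting its
 * output (all three are constructed fault injection for the demonstration). */
static enum control scan(struct safety_core *c, uint32_t cycle,
                         struct channel_sample c10, struct channel_sample c10p,
                         uint32_t delay_2p, bool hang_2p, bool flip_2p) {
    struct unit_result r2, r2p;
    bool ok2  = computing_unit(safety_function_a, cycle, &c10, &c10p, &r2);
    bool ok2p = !hang_2p && computing_unit(safety_function_b, cycle, &c10p, &c10, &r2p);
    if (ok2p && flip_2p) r2p.run_allowed = !r2p.run_allowed;
    core_step(c, cycle, 0, ok2 ? &r2 : NULL);
    return core_step(c, cycle + delay_2p, 1, ok2p ? &r2p : NULL);
}

/* Run three scans with a 2-cycle timer window and classify the outcome. */
static enum verdict scenario(uint8_t inputs, bool ch10_ok, bool ch10p_ok,
                             uint32_t delay_2p, bool hang_2p, bool flip_2p) {
    struct safety_core core;
    struct channel_sample c10  = { ch10_ok,  inputs };
    struct channel_sample c10p = { ch10p_ok, inputs };
    enum control ctrl = CTRL_STOP;
    core_init(&core, 2);
    for (uint32_t cycle = 0; cycle < 3; cycle++)
        ctrl = scan(&core, cycle, c10, c10p, delay_2p, hang_2p, flip_2p);
    return core.fault ? V_FAULT : (ctrl == CTRL_RUN ? V_RUN : V_STOP);
}
```

Note that a STOP caused by an agreed safety function result (e.g. the emergency stop pressed) is distinguished from a STOP caused by a detected fault, and that the initial state is STOP until the two units first agree.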
A PLD comprises a plurality of building components. The building components used to implement the computing units 2, 2', the synchronization unit 6, and the fault detecting unit 4 can be any of the following types: a hard processor embedded in the PLD, a soft processor, or a hardware implementation through a hardware description language.
Fig. 2 shows an FPGA chip 50 that includes a plurality of programmable logic blocks 52 and programmable interconnects 54, as well as a periphery of input and output blocks 56. Logic blocks can be programmed to perform the functions of basic logic gates such as AND and XOR, or more complex combinational functions such as decoders or mathematical functions. In most FPGAs, the logic blocks also include memory elements, for example simple flip-flops. A hierarchy of programmable interconnections allows logic blocks to be interconnected as needed in the field by the system designer to perform desired functions. To program a desired function, a hardware description language is used to specify how to interconnect a set of logic blocks, working from the logic circuit diagram or from the source code of the function. The logic blocks and programmable interconnects thereby form a building block that performs the desired function. In this way a building component is configured to perform the desired safety function. Further, a cyclic redundancy check, denoted CRC, may be implemented on the FPGA device to verify the contents of the whole or of parts of the FPGA in order to detect faults.
Fig. 3 shows one possible combination of building components on a PLD device 26, wherein the PLD device comprises an embedded hard processor 20, two reconfigurable soft processors 22, 22', and one building component 24 configured from a plurality of programmable logic blocks interconnected by a plurality of programmable interconnects on a single chip. There may still be a plurality of unconfigured logic blocks and programmable interconnects on the same chip, and they can be programmed as building components, for example the building components 24', 24'', to perform other logic functions if needed. How a building component is configured from a plurality of programmable logic blocks interconnected by a plurality of programmable interconnects depends on the function the logic implements. Fig. 3 gives just one example of how a PLD device can be configured with a plurality of building components. However, a PLD device may have other combinations; for example, it may comprise a soft processor and one or more building components configured from a plurality of programmable logic blocks interconnected by a plurality of programmable interconnects on a single chip; or two embedded hard processors, an array of soft processors and one or more building components configured from a plurality of programmable logic blocks interconnected by a plurality of programmable interconnects on a single chip. The configuration depends on the needs of the system.
A soft processor commonly uses an internal register. If at least one of the programmable building components is a soft processor, it is advantageous that a parity check is implemented on the soft processor to detect bit errors on the internal register.
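The two integrity checks the description relies on, a CRC over selectable parts of the configuration contents (the CRC embodiment above and the Fig. 2 remark) and a parity bit on a soft processor register (the parity embodiment above and this paragraph), as an added C example that is not code from the patent; the 64-byte configuration image, its split into a "soft processor" and a "logic block" region, the register layout and the bit-flip fault injection are constructed for the demonstration.

```c
/* Added example, not from the patent: CRC over configuration regions and a
 * parity-protected register, with constructed fault injection. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* --- Cyclic redundancy check over (parts of) the configuration contents --- */

/* Bitwise CRC-32 (reflected form, polynomial 0xEDB88320); yields the
 * conventional value, e.g. 0xCBF43926 for the ASCII string "123456789". */
static uint32_t crc32_buf(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

#define IMAGE_BYTES 64u
/* Constructed stand-in for the FPGA configuration memory: the first half
 * stands for soft processor 22, the second half for logic block 24. */
static uint8_t config_image[IMAGE_BYTES];

struct crc_region { size_t offset; size_t len; uint32_t reference; };
static struct crc_region region_soft_cpu    = { 0,  32, 0 };
static struct crc_region region_logic_block = { 32, 32, 0 };

/* Load the (constructed) image and record each region's reference CRC, as
 * would be done once from a known-good configuration. */
static void config_load(void) {
    for (size_t i = 0; i < IMAGE_BYTES; i++)
        config_image[i] = (uint8_t)(0x5Au ^ (i * 37u));
    region_soft_cpu.reference    = crc32_buf(config_image + region_soft_cpu.offset,
                                             region_soft_cpu.len);
    region_logic_block.reference = crc32_buf(config_image + region_logic_block.offset,
                                             region_logic_block.len);
}

/* Periodic check: true while the region still matches its reference CRC.
 * Checking regions separately tells which building component to reconfigure. */
static bool crc_region_ok(const struct crc_region *r) {
    return crc32_buf(config_image + r->offset, r->len) == r->reference;
}

/* Fault injection for the demonstration: flip one configuration bit. */
static void flip_config_bit(size_t byte, unsigned bit) {
    config_image[byte] ^= (uint8_t)(1u << bit);
}

/* --- Parity check on a soft-processor internal register ------------------ */

struct parity_reg { uint32_t value; uint8_t parity; };  /* data bits + even-parity bit */

static uint8_t parity32(uint32_t v) {             /* 1 if an odd number of bits is set */
    v ^= v >> 16; v ^= v >> 8; v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return (uint8_t)(v & 1u);
}
static void reg_write(struct parity_reg *r, uint32_t v) {
    r->value = v;
    r->parity = parity32(v);
}
/* Checked read: false means a bit error was detected and the value must not be used. */
static bool reg_read(const struct parity_reg *r, uint32_t *out) {
    if (parity32(r->value) != r->parity) return false;
    *out = r->value;
    return true;
}

/* Soft-error model for the demonstration: store a value, flip the bits in
 * `flip_mask`, and report whether the parity check catches it. A single
 * parity bit detects every odd number of flipped bits but no even number. */
static bool parity_detects(uint32_t flip_mask) {
    struct parity_reg r;
    uint32_t v;
    reg_write(&r, 0xDEADBEEFu);
    r.value ^= flip_mask;
    return !reg_read(&r, &v);
}
```

The two-bit case in the test is the caveat worth remembering: one parity bit is an odd-error detector only, which is why the description pairs it with the CRC over the configuration rather than relying on either alone.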
With such an architecture, to implement the safety system shown in Fig. 1, the soft processor 22 can be configured as the first computing logic unit 2, and the building component 24 can be configured as the second computing logic unit 2'; the fault detecting unit 4 can be implemented by the other soft processor 22', and the synchronization unit 6 can be implemented on the hard processor 20.
The PLD device may be an FPGA chip, which itself is fabricated in complementary metal-oxide-semiconductor technology, denoted CMOS. The advantage of CMOS is that it is energy-efficient and allows a high density of logic functions on a single chip.
Fig. 4 shows another example of a proposed safety system, implemented on a PLD device, according to an embodiment of the invention, where the safety system is extended with two monitoring units 40, 40'. To implement this example, another two building components on the same PLD device, for example the building blocks 24', 24'' shown in Fig. 3, may be programmed to implement the monitoring units 40, 40'. The other building components shown in Fig. 3 are configured in the same way as in the example shown in Fig. 1. The function of the monitoring units is to detect whether any fault comes from the computing units themselves. As shown in Fig. 4, each of the monitoring units is configured to receive the outputs from one of the computing units 2, 2' and feed back the results to the other computing unit. The results could be the same safety inputs as received by the computing units, or signals generated by the monitoring units based on the safety inputs. With the monitoring units, the computing units can monitor each other, which enables more types of faults to be detected.

Claims

1. A safety system for a machine (14), wherein the system comprises two independent logic computing units (2, 2') for executing a safety function based on safety inputs from two redundant data transmission channels (10, 10') providing the same safety inputs to each of the logic computing units, and a fault detecting unit (4) configured to compare the outputs from each of the logic computing units and based on the result of the comparison detecting faults and sending safety control signals to the machine, characterized in that the system comprises a programmable logic device (1;26) comprising a plurality of independent programmable building components (20,22,24), two of which are programmed to implement said logic computing units.
2. A safety system according to claim 1, wherein each of said two building components programmed as said logic computing units has its own memory.
3. A safety system according to claim 1 or 2, wherein each of said two building components programmed to implement said logic computing units is any of the following types: a hard processor unit embedded on the programmable logic device (20), a soft processor unit (22), or at least one logic block (24;52) programmed by a hardware description language.
4. A safety system according to any of claims 1-3, wherein each of said two building components programmed to implement said logic computing units is of a different type.
5. A safety system according to any of previous claims, wherein one of said building components (20,22,24) is configured to implement said fault detecting unit (4).
6. A safety system according to any of previous claims, wherein one of said building components (6) is configured to synchronize said logic computing units.
7. A safety system according to any of previous claims, wherein two of said building components (20,22,24) are configured as monitoring units (40, 40') for monitoring the current safety states from said computing units, wherein each of the monitoring units is configured to receive safety inputs from one of said computing units (2,2') and feed back the safety inputs to the other computing unit.
8. A safety system according to any of previous claims, wherein said machine (14) is an industrial robot comprising a control unit configured to generate safety inputs including an emergency stop input as said input data to said logic computing units.
9. A safety system according to any of the previous claims, wherein said programmable logic device is a field-programmable gate array device.
10. A safety system according to claim 9, wherein a cyclic redundancy check is implemented to perform an error check on said field-programmable gate array.
11. A safety system according to claim 9 or 10, wherein at least one of said programmable building components is a soft processor (22, 22') having an internal register, and a parity check is implemented to detect bit errors on said internal register.
12. A control unit for controlling an industrial robot comprising a safety system according to any of claims 1-11, wherein said control unit is configured to generate safety inputs including an emergency stop input as said safety input to said logic computing units.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2008/058301 WO2009155993A1 (en) 2008-06-27 2008-06-27 A safety system for a machine


Publications (1)

Publication Number Publication Date
WO2009155993A1 true WO2009155993A1 (en) 2009-12-30



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 08774463; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 08774463; Country of ref document: EP; Kind code of ref document: A1