The present invention relates to a redundant process control system including a control unit performing a control function, and in particular to such systems in which a plurality of identical control units are provided for performing said control function.
The field of the invention is that of high-integrity applications in which safety is of prime importance, thereby justifying duplication of the control units in order to combat any random errors that may occur in any one of the units. The processes concerned are of a wide variety of types and are often industrial. By way of example, mention may be made of controlling nuclear power plants, rail signalling, and controlling chemical reactors.
Currently, such a safe system often includes at least three qualified programmable logic controllers. Such a programmable logic controller essentially comprises a processor and a working memory in which a program for performing the process is recorded, the program being executed by the processor. The programmable logic controllers are qualified, i.e. firstly the processor is subjected to extremely tough tests and secondly the program satisfies very stringent development standards, such as, for example, the IEC 880 Standard in nuclear applications.
All three programmable logic controllers are identical, in particular as regards the processor and the program, and each of them produces a respective output signal.
Furthermore, the system frequently includes a security member which produces a control signal resulting from majority voting being applied to the adjustment signals derived from the signals output by the processors. In other words, the control signal takes the value shared by the majority of the adjustment signals. It is thus possible to overcome a random error in one of the programmable logic controllers, provided that the other two programmable logic controllers produce output signals that are identical.
Unfortunately, the complexity of the very large scale integration components such as the processors of the programmable logic controllers makes it impossible to perform end-of-manufacture testing that is absolutely reliable. During use, design or manufacturing defects can be observed that were not detected during testing. There is a high probability of such defects appearing in several components from the same manufacturing batch, for example, and so all three of the processors of the safe system can produce erroneous output signals, thereby reducing the effectiveness of the security member to zero. That type of defect is generally referred to as a “generic failure”.
Similarly, a defect that is not detected during development of the program gives rise to equivalent consequences in the safe system. The whole purpose of qualifying a program strictly is to reduce the number of defects to as low a number as possible, but that requires the program to be limited to one identified process. Since such a program is therefore not widely used, its hidden defects are correspondingly less likely to show up quickly in service and to be corrected through feedback from users.
An object of the present invention is thus to combat the common causes of failure in a safe process control system.
In the invention, a redundant process control system includes at least one control unit which produces an output signal resulting from a control function being applied to a set of input signals, and said system includes at least one test member that is different from said control unit, which test member produces a test signal resulting from said control function being applied to the set of input signals and generates an alarm whenever there is a difference between the test signal and the output signal.
Preferably, the system includes a plurality of identical control units, each control unit producing a respective output signal resulting from the control function being applied to a respective set of input signals.
Since the test member is different from the control units, it is highly unlikely for it to be affected by a generic failure of the units, and the alarm thus generated makes it possible to identify such a defect.
Optionally, the system further includes a security member for producing a control signal, in particular whenever there is a difference between the adjustment signals derived from the output signals.
In an advantageous embodiment, the control signal corresponds to majority voting being applied to the adjustment signals.
By way of example, with each of the control units and the test member including a processor associated with a working memory in which a program for performing the process is recorded, the program or the processor of the test member is different from the corresponding program or processor in each of the control units.
Preferably, the test member produces the test signal at the same time as said control units produce the corresponding output signals.
In order to increase safety further, it is possible to make provision for the system to include a corresponding plurality of test members, each of which receives a distinct output signal, and for the system also to include a supervision member for producing a warning signal resulting from majority voting being applied to the alarms generated by said test members.