Industrial control systems are for instance applied in manufacturing and process industries, such as chemical plants, oil production plants, refineries, pulp and paper mills, steel mills and automated factories. Industrial control systems are also widely used within the power industry. A standard defining language constructs for an industrial control system is IEC 61131-3. Such an industrial control system may comprise or may be combined with certain devices adding safety features. An example of such a device is a safety controller. Example of processes which requires additional safety features other than what a standard industrial control system provides are processes at off-shore production platforms, certain process sections at nuclear power plants and hazardous areas at chemical plants. Safety features may be used in conjunction with safety shutdown, fire and/or alarm systems as well as for fire-and-gas detection. The use of complex computer systems relating to industrial control systems with added safety features raises challenges in the increased need to detect faults in an industrial controller.
One example of a device in an industrial control system which has increased capability of fault detection is described in GB2277814, which concerns a fault tolerant PLC (Programmable Logic Controller) including a CPU. A pair of first I/O modules are connected between a positive power bus and a load. A pair of second I/O modules are connected between the negative power bus and the load. GB 2 277 814 further describes that power to the load is not disconnected upon failure of one of the I/O modules on either side of the load. A disadvantage of the method is that it does not take in account possible failures in the CPU.
In general computing it is known to let a program execute a test including CPU instructions and compare the result with a predetermined correct result. This can be done once at start-up time or cyclically in runtime. U.S. Pat. No. 6,081,908 describes a method to store and verify a test code. The method concerns test of a one chip micro-computer having at least a CPU and a ROM installed in a single package.
Other known general computing methods to detect faults in a CPU utilizes a watchdog timer. A timer counter receives a clocked input pulse of predetermined frequency and the count of the timer counter is incremented each time a pulse of the clocked input is applied. In the event that the count reaches a pre-set maximum count, the timer counter generates an output pulse. The CPU is programmed with a self-test module which checks whether the computer processor is performing correctly. Periodically, a signal derived from the self-test module is supplied by the CPU to the reset input to reset the counter. If a fault occurs in the CPU the reset will not occur and the counter will reach its maximum value, which indicates a fault. A disadvantage with such a method is that when a fault occurs in the CPU the reset signal may be stuck and the counter might never reach its maximum value despite a fault in the CPU.
EP 1 063 591 describes a method for detecting a fault condition in a computer processor operating a main program. The method comprises the step of sequentially performing a plurality of functions on an initial input value. A disadvantage with this fault detection is that it does not describe how to detect faults in a CPU that otherwise would occur during execution of an application program comprising safety related instructions.
In prior art a CPU intended for safety control may be tested by executing an application program off-line, that is before the safety controller is used for on-line safety control of real world objects. A disadvantage with such an approach is that once the CPU is used for on-line safety control it is during execution of the application program that a possible CPU fault occurs, hence such an approach will not detect CPU faults during on-line safety control. Another disadvantage is that such an off-line test is not automatically performed, hence the off-line test is performed only if a person initiate an off-line test. A more thorough test known in prior art is to run a test program off-line which comprise all main instructions of the CPU. A disadvantage with such a test method is that it is not suitable for on-line test since it tends to become too CPU consuming.