Industrial processes are governed by international standards relating to safety and risk reduction. For example, IEC 61508 addresses functional safety of electrical, electronic, and programmable electronic devices, such as microcontrollers or other computers used to control industrial processes. IEC 61508 defines Safety Integrity Levels (SIL) based on a probabilistic analysis of a particular device. To achieve a given SIL, the device must meet targets for the maximum probability of “dangerous failure” and a minimum “safe failure fraction.” The concept of “dangerous failure” is defined on an application-specific basis, but is based on requirement constraints that are verified for their integrity during the development of the industrial system or application. The “safe failure fraction” determines how fail-safe the system is and compares the likelihood of safe failures with the likelihood of dangerous failures. Ultimately, an electronic device's certification to a particular SIL requires that the electronic device provide a certain level of resilience to failures as well as enable the industrial process to transition to a safe state after a failure.
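The two figures named above, the dangerous-failure probability and the safe failure fraction, are easiest to see on a concrete failure-mode breakdown. The following is an added example, not code or data from the patent text: it classifies constructed failure modes of a single-processor controller as safe or dangerous and detected or undetected, computes the rate of dangerous undetected failures and the SFF, and looks up what each allows. The failure rates are invented for illustration, the PFH bands and the Type B, HFT 0 architectural-constraint table are recalled from IEC 61508 (Route 1H) and should be checked against the standard's own tables, and the example assumes that a detected dangerous failure is always handled by a transition to the safe state.

```python
from dataclasses import dataclass, replace
from typing import Sequence


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_per_hour: float  # failure rate (lambda) in failures per hour
    dangerous: bool       # True if the failure can leave the process unsafe
    detected: bool        # True if on-line diagnostics reveal it


# Constructed failure-mode breakdown for a single-processor controller.
# The rates are illustrative values chosen for the example, not measured data.
SAMPLE_MODES = (
    FailureMode("core logic bit flip", 2e-8, dangerous=True, detected=True),
    FailureMode("I/O pin shorted to supply", 5e-8, dangerous=True, detected=False),
    FailureMode("ADC reference drift", 3e-8, dangerous=True, detected=True),
    FailureMode("brown-out reset", 1e-7, dangerous=False, detected=True),
    FailureMode("PWM driver open circuit", 2e-7, dangerous=False, detected=False),
)


def dangerous_undetected_rate(modes: Sequence[FailureMode]) -> float:
    """lambda_DU: dangerous failures that no diagnostic catches. Detected
    dangerous failures are assumed to trigger a transition to the safe state
    and therefore are not counted here (assumption of this example)."""
    return sum(m.rate_per_hour for m in modes if m.dangerous and not m.detected)


def safe_failure_fraction(modes: Sequence[FailureMode]) -> float:
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_total, i.e. the share
    of all failures that are either safe or dangerous-but-detected."""
    total = sum(m.rate_per_hour for m in modes)
    return (total - dangerous_undetected_rate(modes)) / total if total else 0.0


def sil_from_pfh(pfh: float) -> int:
    """Highest SIL whose high-demand PFH band (per hour) contains this rate,
    as recalled from IEC 61508-1: SIL1 [1e-6, 1e-5), SIL2 [1e-7, 1e-6),
    SIL3 [1e-8, 1e-7), SIL4 [1e-9, 1e-8). Rates below 1e-9 are capped at 4;
    rates of 1e-5 or worse return 0 (no SIL)."""
    if pfh < 1e-8:
        return 4
    if pfh < 1e-7:
        return 3
    if pfh < 1e-6:
        return 2
    if pfh < 1e-5:
        return 1
    return 0


def sil_from_sff_type_b_hft0(sff: float) -> int:
    """Architectural constraint as recalled from IEC 61508-2 Route 1H for a
    Type B device with no hardware fault tolerance: SFF < 60 % not allowed,
    60-90 % SIL1, 90-99 % SIL2, >= 99 % SIL3."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def claimable_sil(modes: Sequence[FailureMode]) -> int:
    """Both targets must be met, so the claimable SIL is the lower of the two."""
    return min(sil_from_pfh(dangerous_undetected_rate(modes)),
               sil_from_sff_type_b_hft0(safe_failure_fraction(modes)))


def with_diagnostic(modes: Sequence[FailureMode], name: str) -> tuple:
    """Return the breakdown with one failure mode now covered by a diagnostic."""
    return tuple(replace(m, detected=True) if m.name == name else m for m in modes)


if __name__ == "__main__":
    print("lambda_DU:", dangerous_undetected_rate(SAMPLE_MODES))
    print("SFF:", round(safe_failure_fraction(SAMPLE_MODES), 4))
    print("claimable SIL:", claimable_sil(SAMPLE_MODES))
    improved = with_diagnostic(SAMPLE_MODES, "I/O pin shorted to supply")
    print("claimable SIL with I/O diagnostic:", claimable_sil(improved))
```

On the sample data the dangerous undetected rate alone (5e-8 per hour) sits in the SIL 3 band, but an SFF of 87.5 % limits a Type B single-channel device to SIL 1, which is the point of requiring both targets; covering the undetected I/O fault with a diagnostic raises the SFF to 100 % and the claimable level to SIL 3.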
Current electronic devices control aspects of an industrial process (e.g., motors, power conversion devices such as DC/DC converting systems, or energy conversion systems such as solar or wind) via the input/output (I/O) interface of a processor. For example, the processor of a microcontroller receives an indication of position, speed, and/or torque from a motor through its I/O interface. The processor then uses that information to generate, for example, a pulse-width modulated (PWM) signal to control a switch that provides power to the motor and transmits this signal to the switch through the I/O interface. As a result, the motor operates in a manner desired for the particular application.
However, processors and, in particular, their I/O interfaces may experience failures during operation. For example, the processor may be exposed to out-of-tolerance voltages or currents, radiation may cause unacceptable leakage currents in transistors that flip a logic element, or the I/O interface itself may fail through its interaction with external voltages or biases that are large relative to those the processor is designed to withstand. If the processor or I/O interface fails, there is no way to ensure that the industrial process being controlled (the motor, in the above example) can be transitioned to a safe state. In other words, fail-safe operation is not guaranteed, which is not acceptable for certain SIL certifications.
Certain controllers utilize multiple redundant processors, each with its own I/O interface, to control the industrial process. This increases the likelihood of at least one processor remaining functional in the event that another processor fails, for example due to exposure to an out-of-tolerance voltage or current. Thus, the functional processor with its own I/O interface may cause the industrial process to transition to a safe state. However, controllers with multiple processors require additional components on the board (e.g., sockets and interconnects), which is costly and increases the complexity of board design. Furthermore, failure causes such as external radiation may impact all of the processors similarly and at the same time, which would prevent transitioning the industrial process to a safe state.
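The behaviour of the redundant scheme just described, including its weak spot under a common-cause fault, can be modelled in a few lines. The following is an added example, not code from the patent text or any real controller: two channels, each standing for one processor with its own I/O interface, read a speed sensor and compute a PWM duty; a channel whose reading falls outside the converter's range is treated as having an I/O fault, and a surviving channel then commands the safe state. The ADC scale, speed range, proportional gain and agreement tolerance are constructed values, and the cross-channel agreement check is an addition beyond what the text describes.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

ADC_MAX = 4095            # 12-bit speed-sensor reading (constructed)
SPEED_MAX_RPM = 3000.0    # full-scale speed of the sensor (constructed)
DUTY_SAFE = 0.0           # PWM duty that removes power from the motor
AGREE_TOL_RPM = 50.0      # max allowed difference between channel readings (assumed)
KP = 0.5                  # proportional gain of the toy speed loop (assumed)


@dataclass
class Command:
    duty: Optional[float]   # None: no processor is left to drive the output
    driver: Optional[str]   # which channel's I/O interface drives the output
    reason: str


class Channel:
    """One processor together with its own I/O interface."""

    def __init__(self, name: str):
        self.name = name
        self.healthy = True

    def read_speed(self, raw_adc: int) -> Optional[float]:
        # A value the converter cannot produce means the I/O path itself is
        # faulted (e.g. a pin driven beyond tolerance); the channel is flagged.
        if not 0 <= raw_adc <= ADC_MAX:
            self.healthy = False
            return None
        return raw_adc / ADC_MAX * SPEED_MAX_RPM

    def compute_duty(self, speed_rpm: float, setpoint_rpm: float) -> float:
        feedforward = setpoint_rpm / SPEED_MAX_RPM
        correction = KP * (setpoint_rpm - speed_rpm) / SPEED_MAX_RPM
        return min(1.0, max(0.0, feedforward + correction))


def control_step(channels: Sequence[Channel], raw_readings: Sequence[int],
                 setpoint_rpm: float) -> Command:
    """One control cycle of the multi-processor controller."""
    speeds = [ch.read_speed(raw) for ch, raw in zip(channels, raw_readings)]
    alive = [ch for ch in channels if ch.healthy]
    if not alive:
        # Common-cause failure (e.g. radiation reaching every processor): no
        # I/O interface remains to command the safe state, the gap the text notes.
        return Command(None, None, "all channels failed; safe state not guaranteed")
    if len(alive) < len(channels):
        # A surviving processor uses its own I/O interface to de-energise the motor.
        return Command(DUTY_SAFE, alive[0].name, "channel fault; safe state commanded")
    if max(speeds) - min(speeds) > AGREE_TOL_RPM:
        # Both channels pass the range check but disagree: one reading is silently
        # wrong and the supervisor cannot tell which, so it plays safe.
        return Command(DUTY_SAFE, alive[0].name, "channel disagreement; safe state commanded")
    primary = alive[0]
    return Command(primary.compute_duty(speeds[0], setpoint_rpm), primary.name, "normal operation")


def demo(setpoint_rpm: float = 1500.0):
    """Four constructed cycles: nominal, one faulted channel, disagreement, common cause."""
    normal = control_step([Channel("A"), Channel("B")], [2048, 2050], setpoint_rpm)
    single_fault = control_step([Channel("A"), Channel("B")], [4500, 2048], setpoint_rpm)
    disagreement = control_step([Channel("A"), Channel("B")], [2048, 3000], setpoint_rpm)
    common_cause = control_step([Channel("A"), Channel("B")], [4500, -1], setpoint_rpm)
    return normal, single_fault, disagreement, common_cause


if __name__ == "__main__":
    for cmd in demo():
        print(cmd)
```

In the nominal cycle channel A drives a duty near 0.5 for a 1500 rpm setpoint; an out-of-range reading on A hands the output to B, which commands the safe duty; when both channels return impossible readings at once the model has nobody left to drive the output, which is exactly the limitation of board-level redundancy against a shared cause such as radiation.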