A process controller can comprise a Programmable Logic Controller (PLC) which includes various components that work together to bring information into the PLC from the field devices, evaluate that information, and then send control information via output modules back out to the various field devices such as actuators. These basic PLC components comprise a power supply, a central processing unit (CPU) or other processor (e.g., microcontroller), co-processor modules, and input and output (I/O) modules. The CPU evaluates the status of inputs, outputs, and other variables as it executes a stored program. The CPU then sends control signals to update the status of outputs.
The failure of an industrial control system can lead to costly downtime. There is expense involved in restarting an industrial process along with the actual production losses resulting from a failure. If the process is designed to operate without supervisory or service personnel, all of the components in the process control system generally need to be fault-tolerant.
A safety controller may employ a dual-processor architecture where there is a “master” (or primary) and a “checker” (or secondary) processor that both execute the same safety function. Periodically, the results of executing the safety program are exchanged over a memory device shared between the processors. These results are compared to ensure that no single hardware fault has caused one of the processors to deviate in the safety function. There are two levels of fault tolerance: the tolerance described above, which ensures safety in a single controller by checking for aberrant hardware behavior, and the tolerance for maintaining a running control system in the presence of a fault.
In a known redundant control system there are separate controllers, each having separate I/O modules that process field values received from field devices such as sensors, including converting the received data signals into logic signals corresponding to the measured values that the CPU can use as inputs. The measured signals need not be equal for the respective process controllers because of hardware and timing differences. However, when used in an industrial application each controller must use synchronized input values, because otherwise the respective controller applications can take different control paths.
In one safety system arrangement, for an increased safety level or extra reliability there is a redundant control system having first and second parallel-connected safety controllers, each with a dual-processor architecture, where the two processors in each controller share a common memory and simultaneously execute the same safety program. Every caller/callee combination regarding program control transfer between subroutines of the safety program is generally enumerated by the programmer for checking; this is referred to as logical monitoring, which compares the program sequences obtained from the respective processors in the dual-processor architecture. The goal of this logical monitoring is to ensure that the safety functions intended to be executed by the program are in fact executed, and executed in the desired order.
This logical monitoring process protects against hardware faults in the processors that would otherwise cause execution to diverge from the programmer's intention, a divergence that can remain undetected and thus cause process or safety problems. This monitoring can also detect systematic software faults that exhibit some non-determinism (i.e., faults whose effects show random variation).
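The following is an added illustration of the logical monitoring and dual-processor comparison described above; it is not code from the original text or from any actual controller. Both the master and the checker execute the same safety program on the same synchronized input, each records the sequence of subroutine entries (the program control transfers) into a structure standing in for the shared memory, and the monitor then checks that every consecutive caller/callee pair is one the programmer enumerated and that the two processors produced identical sequences and results. The step names, the transition table, the pressure threshold and the fault modes are all constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model: subroutine identifiers recorded on each control transfer. */
enum step { S_START = 0, S_READ_INPUT, S_CHECK_LIMITS, S_SAFE_STATE, S_NORMAL_OUTPUT, S_END };
#define TRACE_MAX 8

/* Fault modes injected into the checker to show what the monitor catches. */
enum fault { FAULT_NONE = 0, FAULT_SKIP_CHECK = 1, FAULT_BAD_COMPARE = 2 };

typedef struct {
    uint8_t trace[TRACE_MAX];   /* sequence of subroutine entries this cycle */
    int     len;
    int     output;             /* control value computed this cycle */
} cycle_record_t;

/* Stand-in for the memory device shared by the two processors. */
typedef struct { cycle_record_t master, checker; } shared_mem_t;

/* Caller/callee pairs enumerated by the programmer as legal (constructed). */
static const uint8_t allowed[][2] = {
    { S_START,         S_READ_INPUT    },
    { S_READ_INPUT,    S_CHECK_LIMITS  },
    { S_CHECK_LIMITS,  S_SAFE_STATE    },
    { S_CHECK_LIMITS,  S_NORMAL_OUTPUT },
    { S_SAFE_STATE,    S_END           },
    { S_NORMAL_OUTPUT, S_END           },
};

static void enter(cycle_record_t *r, enum step s) {
    if (r->len < TRACE_MAX) r->trace[r->len++] = (uint8_t)s;
}

/* The safety program, identical on both processors. The fault argument models
 * a hardware fault: bypassing the limit check, or computing the comparison wrongly. */
static void safety_program(cycle_record_t *r, int pressure, enum fault fault) {
    r->len = 0;
    enter(r, S_START);
    enter(r, S_READ_INPUT);
    int over_limit = 0;
    if (fault != FAULT_SKIP_CHECK) {
        enter(r, S_CHECK_LIMITS);
        over_limit = pressure > 1000;               /* constructed trip threshold */
        if (fault == FAULT_BAD_COMPARE) over_limit = !over_limit;
    }
    if (over_limit) { enter(r, S_SAFE_STATE);    r->output = 0; }
    else            { enter(r, S_NORMAL_OUTPUT); r->output = pressure / 10; }
    enter(r, S_END);
}

/* Return 1 if every consecutive pair in the trace is an enumerated transition. */
int trace_is_legal(const cycle_record_t *r) {
    if (r->len < 2) return 0;
    for (int i = 1; i < r->len; i++) {
        int ok = 0;
        for (size_t k = 0; k < sizeof allowed / sizeof allowed[0]; k++)
            if (allowed[k][0] == r->trace[i - 1] && allowed[k][1] == r->trace[i]) { ok = 1; break; }
        if (!ok) return 0;
    }
    return 1;
}

/* Logical monitor: 0 = agreement, 1 = a processor executed a non-enumerated
 * sequence, 2 = the processors diverged (different sequence or result). */
int logical_monitor(const shared_mem_t *sm) {
    if (!trace_is_legal(&sm->master) || !trace_is_legal(&sm->checker)) return 1;
    if (sm->master.len != sm->checker.len ||
        memcmp(sm->master.trace, sm->checker.trace, (size_t)sm->master.len) != 0 ||
        sm->master.output != sm->checker.output) return 2;
    return 0;
}

/* One cycle: both processors run on the same synchronized input, exchange
 * their records over the shared memory, and the monitor compares them. */
int run_cycle(int pressure, enum fault checker_fault) {
    shared_mem_t sm;
    memset(&sm, 0, sizeof sm);
    safety_program(&sm.master,  pressure, FAULT_NONE);
    safety_program(&sm.checker, pressure, checker_fault);
    return logical_monitor(&sm);
}

int main(void) {
    printf("healthy, normal run   : %d\n", run_cycle(500,  FAULT_NONE));
    printf("healthy, limit trip   : %d\n", run_cycle(1500, FAULT_NONE));
    printf("checker skips check   : %d\n", run_cycle(1500, FAULT_SKIP_CHECK));
    printf("checker bad comparison: %d\n", run_cycle(1500, FAULT_BAD_COMPARE));
    return 0;
}
```

The two fault modes exercise the two checks separately: skipping the limit check produces a caller/callee pair that was never enumerated, so it is caught by the sequence check alone, while a wrong comparison still follows a legal path but lands on a different branch than the master, so it is only caught by comparing the two processors' records.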