Consider, as an example, a monitoring system for monitoring the condition of equipment or machinery such as a wind turbine, a locomotive, one or more railway vehicles, a ship, a power plant, etc. The system monitors the state of one or more components, e.g., bearings, of the machinery. The term “monitoring” is used in this description in the sense of “systematically or regularly keeping track of the machinery's condition”. As known, a bearing is a device that reduces the friction between mechanically coupled machine parts that move with respect to one another. The operational state of a ball bearing or a roller bearing can be determined by means of, e.g., comparing the bearing's current acoustic fingerprint to the fingerprint of the bearing when new. The monitoring system has an interface for receiving a signal from one or more sensors that sense the acoustic fingerprint of the bearings. The monitoring system further has a data processing system for processing input data indicative of the sensor signal. Assume that the data processing system is configured for the processing of data in order to perform a time-critical monitoring task and for the processing of data in order to perform a monitoring task that is not time-critical. The term “critical” is used in this text at least in the meaning of: being in, or verging on, a state of crisis or emergency, fraught with danger or risk, or perilous. An example of a critical monitoring task is raising an alarm as a result of an impending failure of (part of) the monitored machinery, a bearing in the example above. The fact that a failure is imminent is then inferred from the data representative of the current or most recent sensor signal. The alarm is used to invoke an automatic safety procedure. Such a procedure involves, e.g., inactivating the machinery or reducing its load or its speed, etc., or warning a human operator. 
A non-critical task is a task that does not immediately jeopardize the operational use of the machinery when the data processing system fails to properly or timely execute the task. An example of a non-critical monitoring task is the gathering of data over time for diagnostic or prognostic purposes.
A failure of the machinery may have severe consequences in terms of, e.g., casualties or costs involved in repairing the machinery and repairing the damage done to the environment. Consider, for example, an offshore wind turbine park. A wind turbine has a rotor mounted on a main shaft carried in bearings. In operational use, these bearings are subjected to cyclic stresses that may cause wear and material fatigue. The wear may result in a fluctuating torque being applied to the rotating rotor-main axle combination. The torque rapidly increases in magnitude, possibly leading to the bearings flying apart, and the rotor-axle combination being torn away from its support, further damaging the rotor blades, axle, support, and possibly other turbines nearby. Another example is railway vehicles, where bogie instability and/or a hot axle box can cause derailment. Accordingly, in view of possible loss of life, injuries, costs involved in repair and downtime, it is advisable to have monitoring systems in place. Such a monitoring system monitors the condition of the railway vehicles or wind turbines and, if it determines the condition to be critical, raises an alarm in time so as to invoke a safety procedure.
The monitoring system as a whole, or the data processing system of the monitoring system, can be subjected to safety certification. The system is then tested under pre-determined conditions, in order to be able to guarantee, to a high degree of certainty, the system's reliability in operational use. A monitoring system certified as a whole, or a certified data processing system, will function correctly under the applicable conditions. A certified product complies with pre-determined standards designed to ensure the safety and functionality of the product.
An example of a safety standard is IEC 61508. This standard provides functional safety requirements, requirements to help a system either work properly or fail in a predictable manner. These requirements can be used for many different types of systems including those with electrical, electronic and programmable electronic components. Requirements cover general safety management systems, specific product design requirements and design process requirements. The requirements provide coverage for both random hardware failures and systematic design faults. Another example of a safety standard is UIC 515, which describes safety functions such as hot axle box detection and bogie instability (hunting) detection. Other examples of standards are EN50126, EN50128 and EN50129.
A safety-related application is often part of a more complex control process. For example, a safety program is run together with a standard control program on common hardware. The standard control program addresses portions of the control process wherein high reliability is not required. One obstacle to such a combination is the risk that the standard control program may corrupt the execution of the safety program, for example, by a misdirected reading or writing of the safety data or safety instructions. This may then modify the safety program in unexpected ways. Accordingly, the data processing system or monitoring system executing the control process is to be certified in its entirety. If the monitoring system or the data processing system were upgraded, a new certification would be required. A reason for this is that an upgrade may possibly interfere with carrying out the critical tasks. However, certification is a costly and time-consuming process. Note that failure of the product in operational use can cause severe material damage many orders of magnitude higher than the cost of the product or of the machinery of which the product is a component; failure of the product could possibly even lead to casualties. The certifying authority or the manufacturer therefore has to subject the product to rigorous tests in order to be (practically) certain that the product is reliable.
Within the field of monitoring machinery, e.g. railway vehicles and wind turbines, various different approaches are known in the public domain with regard to the design of a microprocessor system or microcontroller system, some of which are discussed below.
EP 1 973 017 discloses a safety-related control mechanism that is programmed in a memory and that has a central processing unit (CPU). The CPU has a multi-core processor with two or more processor cores. One of the processor cores is furnished for processing of conventional control software or automation software, and another processor core is furnished for the processing of the software for safety-related functions. This publication also mentions a conventional memory-programmed control system that comprises a CPU for usual control tasks and another CPU for processing under safety-related conditions. This publication also refers to other known control embodiments, among which the ones disclosed in EP 1 517 200 (corresponding to US 2005/060606, referred to further below).
US patent application publication 2006/0200257, incorporated herein by reference, relates to a microprocessor system for a machine controller in safety-certifiable applications. The microprocessor system is in the form of a system-on-chip (SoC) and includes a main processor, a program and/or data store, an input/output unit and a bus. The bus couples the components and at least one safety processor together. The safety processor has a dedicated program/data store. A safe transmission link is provided for loading programs and data into the safety processor. The transmission link includes the general bus and a mailbox. The mailbox has a state machine whose input is connected to the general bus and whose output is connected to the safety processor. As a result, program data can be written to the safety processor's program store without the risk of being manipulated. This makes it possible for the program data to be loaded into the safety processor safely using the bus, which is not safe per se. The bus thus does not need to belong to the safe area. Certification of the microprocessor controller is thus simplified. The microprocessor system of US patent application publication 2006/0200257 is based on the idea of providing a transmission channel that is protected against unauthorized corruption on the generally used bus, which is not safe, and thus of enabling safe communication with the safety processor. The system thus enables safe communication with the safety processor without the need for additional hardware for this purpose. This protected transmission channel is formed via the bus, which is not safe per se. Connected to this bus are, on the one hand, the data source in the unsafe area, which contains the data that are to be protected and are intended for the safety processor's dedicated memory, and, on the other hand, the mailbox at the junction to the safe area.
Accordingly, US patent application publication 2006/0200257 teaches using a system with a main processor and a safety processor coupled to each other and to peripherals via a bus system for bi-directional communication. The system is provided with a safe transmission channel for loading programs and data to the safety processor.
US application publication 2005/0060606, incorporated herein by reference, relates to a safety controller that may execute both standard programs and safety programs. The safety controller uses shared hardware with reduced risk of corruption of the safety program by the standard program. This reduced risk of corruption is obtained by executing the safety program on two processors but executing the standard program on only one of these processors. Any corruption of the safety program by the standard program will be confined to a single processor and will thus be easily detected in a comparison of the execution of the two processors. Specifically, the safety controller has a primary processing unit having a first processor communicating with a first memory holding both the safety program and a separate standard program. A partner processing unit has a second processor, independent from the first processor, that communicates with a second memory, independent from the first memory, which holds the safety program and not the separate standard program. Synchronization programs executable by the primary and partner processing units execute the standard program in the primary processing unit, execute the safety programs in the primary and partner processing units, and compare execution of the safety programs so as to enter a safety state when this execution differs. The primary processing unit may be in a first housing and the partner processing unit may be in a second housing independent from the first housing. A communication bus may communicate between the first and second housings to allow intercommunication between the primary and partner processing units.
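The primary/partner comparison just described, as an added illustration that is not code from the cited publication or from this document: a hot-axle-box check is run as the safety program on two independent memories, the standard program runs only on the primary, and a constructed misdirected write into the primary's safety data is caught when the two executions are compared. All names, the temperature threshold and the fault model are assumptions for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Safety data as held in each processing unit's own memory (all 32-bit fields, so no padding). */
typedef struct {
    int32_t  threshold_c;  /* hypothetical hot-axle-box alarm threshold, degrees C */
    int32_t  last_temp_c;  /* most recent sensor reading processed */
    uint32_t alarm_count;  /* persistent safety state that must stay identical on both units */
} safety_mem_t;

enum { ACTION_NONE = 0, ACTION_ALARM = 1, ACTION_SAFE_STATE = 2 };

static void safety_mem_init(safety_mem_t *m, int32_t threshold_c)
{
    memset(m, 0, sizeof *m);          /* identical starting state for primary and partner */
    m->threshold_c = threshold_c;
}

/* Safety program: the same code executed by both units, each on its own memory. */
static int safety_program(safety_mem_t *m, int32_t temp_c)
{
    m->last_temp_c = temp_c;
    if (temp_c > m->threshold_c) { m->alarm_count++; return ACTION_ALARM; }
    return ACTION_NONE;
}

/* Standard program: executed on the primary unit only. 'misdirected_write' is a constructed
   fault model of the corruption the text describes: a stray write into the safety data. */
static void standard_program(safety_mem_t *primary, bool misdirected_write)
{
    if (misdirected_write) primary->threshold_c = INT32_MAX;  /* would silently disable the alarm */
}

/* Synchronization step: run both copies, then compare result and full safety state. */
int controller_cycle(safety_mem_t *primary, safety_mem_t *partner, int32_t temp_c, bool inject_fault)
{
    standard_program(primary, inject_fault);
    int a = safety_program(primary, temp_c);
    int b = safety_program(partner, temp_c);
    if (a != b || memcmp(primary, partner, sizeof *primary) != 0)
        return ACTION_SAFE_STATE;     /* executions differ: enter the safety state */
    return a;
}

/* Fresh pair of units, one cycle; returns the action the controller takes. */
int run_scenario(int32_t threshold_c, int32_t temp_c, bool inject_fault)
{
    safety_mem_t p, q;
    safety_mem_init(&p, threshold_c);
    safety_mem_init(&q, threshold_c);
    return controller_cycle(&p, &q, temp_c, inject_fault);
}
```

With the fault injected, the primary's corrupted threshold suppresses the alarm on that unit only, so the mismatch against the partner forces the safety state instead of a missed alarm.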