A control system mounted on vehicles such as railway cars or automobiles, or installed in plants, requires high safety, and needs a safety system for stopping the system in an emergency or leading it to a fail-safe state.
If the safety system does not function because of some failure at the time of a control system abnormality, a disaster can result; therefore, high reliability is required of the safety system. Thus, it is necessary to periodically confirm whether the safety system functions as expected when the control system actually operates abnormally.
In order to confirm the operation of the safety system, a method is known in which a simulated abnormality is given to the input part of the safety system and it is periodically confirmed whether the expected output (operation) is obtained, thereby ensuring reliability. A method is also conventionally known in which a simulated abnormality is given in order to diagnose whether a diagnosing device functions normally.
Failures of the safety system are broadly divided into safe failures and dangerous failures. A safe failure is a failure that leads the control system to shutdown (that is, to the safe state), and a dangerous failure is a failure by which the safety system does not function when needed. Further, dangerous failures are divided into dangerous failures that can be detected by self-diagnosis and dangerous failures that cannot be detected.
If a failure can be detected by self-diagnosis, even if it is a dangerous failure, it can be regarded as equivalent to a safe failure; therefore, to increase the safety performance of the safety system, it is essential to reduce the rate of dangerous failures that cannot be detected.
The safety system is configured of, for example, a sensor, a controller and an actuator. The sensor detects the state of the system (the controlled device and the control system), the controller judges whether the system is functioning normally or abnormally, and if abnormally, the actuator stops the system.
In this case, if a pseudo abnormal value is generated in the sensor and it is periodically diagnosed whether the shutdown signal from the controller is received in front of the actuator, the self-diagnosis rate of the safety system can be enhanced. At this time, the shutdown signal for self-diagnosis and a genuine shutdown signal must be discriminated from each other so that the system is not shut down by the pseudo abnormal value used for self-diagnosis.
As a method for discriminating the shutdown signal for self-diagnosis from a genuine shutdown signal, a method is proposed, for example, in which the two signals are discriminated based on the pulse widths of the shutdown signals. A self-diagnosis processor within the controller sends a signal notifying the sensor of the self-diagnosis; on receiving it, the sensor generates a shutdown signal with a pulse width as short as a time width t1, for example. The shutdown signal output from the sensor is supplied to the self-diagnosis processor, which detects that the shutdown signal has been activated. When the sensor detects an actual abnormality, the shutdown signal remains continuously activated.
A filter is arranged in front of the actuator, and the filter forwards the activated signal to the actuator only after a time width t2 (t1<t2) has elapsed since the shutdown signal was activated. A method is also proposed in which a failure state is not detected until a certain period of time has elapsed.
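The pulse-width discrimination described above, as an added discrete-time model that is not part of the original description: a short t1 pulse from the sensor is seen by the self-diagnosis processor but absorbed by the t2 hold filter, while a continuously active signal reaches the actuator after t2 ticks. The tick counts T1 and T2 and the helper names are assumptions for illustration.

```python
# Added example (not from the original description): discrete-time model of the
# t1/t2 pulse-width discrimination scheme. Time is counted in controller ticks;
# the values of T1 and T2 are assumed, not taken from the description.
from dataclasses import dataclass
from typing import Optional, Tuple

T1 = 2   # width of the self-diagnosis pulse generated by the sensor (ticks)
T2 = 5   # hold time of the filter in front of the actuator (ticks), t1 < t2


@dataclass
class HoldFilter:
    """Passes the shutdown signal to the actuator only after it has been
    continuously active for t2 consecutive ticks; shorter pulses are absorbed."""
    t2: int
    active_ticks: int = 0

    def step(self, shutdown_active: bool) -> bool:
        self.active_ticks = self.active_ticks + 1 if shutdown_active else 0
        return self.active_ticks >= self.t2


def sensor_output(tick: int, diag_tick: Optional[int], fault_tick: Optional[int]) -> bool:
    """Sensor-side shutdown signal: a T1-wide pulse after a diagnosis request,
    or a continuously active signal once a real abnormality is present."""
    diag = diag_tick is not None and diag_tick <= tick < diag_tick + T1
    fault = fault_tick is not None and tick >= fault_tick
    return diag or fault


def run(ticks: int, diag_tick: Optional[int] = None, fault_tick: Optional[int] = None,
        sensor_dead: bool = False) -> Tuple[bool, Optional[int]]:
    """Simulate the loop; return (diagnosis pulse seen, tick at which the actuator trips).

    sensor_dead models a dangerous failure of the sensor: the requested pulse never
    appears, so the self-diagnosis processor reports a failed diagnosis."""
    filt = HoldFilter(T2)
    pulse_seen = False
    trip_tick: Optional[int] = None
    for tick in range(ticks):
        sig = False if sensor_dead else sensor_output(tick, diag_tick, fault_tick)
        # The self-diagnosis processor watches the raw sensor signal: a pulse after
        # its request proves the sensor-to-controller path is working.
        if diag_tick is not None and tick >= diag_tick and sig:
            pulse_seen = True
        # The actuator only sees the filtered signal.
        if filt.step(sig) and trip_tick is None:
            trip_tick = tick
    return pulse_seen, trip_tick
```

A diagnosis alone never trips the actuator, a real fault trips it T2 ticks after onset, and a dead sensor is exposed as a failed diagnosis rather than remaining an undetected dangerous failure.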