International standards related to functional safety, such as the IEC 61508 series or the like, require that a system is designed such that a safety-related unit which executes a safety function is not affected by failure of a non-safety-related unit which executes a normal function, or by design errors.
IEC 61508-3:2010 requires that, when software executes safety functions of different safety levels, it be shown either that independence is achieved in both the time and the space domains, or that any violation of that independence is controlled. An annex to the standard gives examples of methods for achieving non-interference between software elements on the same computer. Because of this, a control apparatus having a safety-related unit generally assigns a higher privilege level to the safety-related software, so that only the safety-related software can access and write to the RAM or the safety-related register that stores safety-related variables, and a memory management unit (MMU) or memory protection unit (MPU) specifies, for each privilege level, the address space in which write access is allowed. Meanwhile, most CPUs intended for embedded use in recent years have no MMU or MPU, so the protection method based on the privilege mode cannot easily be used.
JP 2013-148999 A (“Patent Document 1”) discloses a method that provides a function to prevent write access from a non-safety-related unit to a safety-related unit register held in an external integrated circuit, even in a control apparatus that uses a CPU without a privilege mode for system protection.
Further, JP 2000-76135 A (“Patent Document 2”) discloses a method of preventing execution of an unintended memory access instruction in a CPU without the privilege mode, by adding small hardware that checks the program counter and the access destination memory address while the memory access instruction is being decoded.
However, the protection method of Patent Document 2 cannot be used in a CPU that lacks hardware to check both the program counter and the access destination memory address during instruction decoding.
On the other hand, for an internal register of the CPU, for example, there is a demand to prevent write access from the non-safety-related unit in units of bits. None of the existing approaches can protect in units of bits: the privilege mode designates an access region in units of addresses, the protection method of Patent Document 2 likewise checks addresses, and the protection method of Patent Document 1 separates the safety-related unit register from the non-safety-related unit register by means of an external integrated circuit and then protects the safety-related unit register as a whole. Because of this, when both a safety-related I/O terminal and a non-safety-related I/O terminal exist as I/O terminals of the CPU, a particular measure is needed, such as designing the CPU peripheral circuits so that the two terminals can be set independently in different registers, or executing the output process for the non-safety-related I/O terminal with safety-related firmware. In the related art, such a restriction is imposed on the design of both the hardware and the firmware.
An advantage of the present disclosure lies in providing, in a control apparatus having a safety-related unit designed in accordance with a functional safety standard, a non-safety-related unit write detection function. This function causes the system to transition to a safe state even when a non-safety-related unit program executed on a CPU in the safety-related unit makes an unexpected write to a RAM or a control register used by the safety-related unit program executed on the same CPU, or to an arbitrary bit of that RAM or control register, and it does so on a CPU that has no hardware for memory protection.
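The bit-level write detection problem described above, illustrated with an added C example that is not from the patent and does not reproduce its claimed mechanism: it uses a software shadow copy maintained by the safety-related firmware (a standard technique, assumed here) to detect a write by non-safety-related code to safety-related bits of a shared control register or to a safety-related RAM variable, and flags a transition to the safe state. The register layout, bit mask and all names are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed layout: one control register shared by a safety-related and a
   non-safety-related I/O terminal. Bits 0..3 are assumed safety-related,
   bits 4..7 non-safety-related (hypothetical, not the patent's layout). */
#define SAFETY_BIT_MASK 0x0Fu

typedef struct {
    uint8_t  ctrl_reg;     /* stands in for a memory-mapped CPU control register */
    uint32_t safety_var;   /* stands in for a safety-related RAM variable */
} SharedState;

typedef struct {
    uint8_t  ctrl_shadow;  /* expected value of the safety-related bits */
    uint32_t var_shadow;   /* expected value of the safety-related variable */
    uint32_t var_inverse;  /* complement copy, so a corrupted shadow is also caught */
} SafetyShadow;

static volatile bool g_safe_state = false;

/* Safety-related firmware: the only legitimate writer. Every write to the
   safety bits or variable is mirrored into the shadow at the same time. */
void safety_write(SharedState *s, SafetyShadow *sh, uint8_t ctrl_bits, uint32_t var)
{
    s->ctrl_reg = (uint8_t)((s->ctrl_reg & ~SAFETY_BIT_MASK) | (ctrl_bits & SAFETY_BIT_MASK));
    s->safety_var = var;
    sh->ctrl_shadow = (uint8_t)(s->ctrl_reg & SAFETY_BIT_MASK);
    sh->var_shadow = var;
    sh->var_inverse = ~var;
}

/* Non-safety-related firmware: intended to touch only the non-safety bits.
   Without an MMU/MPU nothing in hardware stops a bug here from reaching the
   safety bits; that is exactly what the periodic check below must catch. */
void nonsafety_write(SharedState *s, uint8_t bits)
{
    s->ctrl_reg = (uint8_t)((s->ctrl_reg & SAFETY_BIT_MASK) | (bits & ~SAFETY_BIT_MASK));
}

/* Periodic check run by the safety-related firmware (e.g. at the start of
   each safety cycle). Any mismatch between the live values and the shadow
   means an unexpected write occurred; the system is then moved to the safe
   state and false is returned. */
bool safety_check(const SharedState *s, const SafetyShadow *sh)
{
    bool ok = ((s->ctrl_reg & SAFETY_BIT_MASK) == sh->ctrl_shadow)
           && (s->safety_var == sh->var_shadow)
           && (sh->var_shadow == (uint32_t)~sh->var_inverse);
    if (!ok) g_safe_state = true;  /* stand-in for forcing outputs to safe values */
    return ok;
}
```

Only the four masked bits are compared, so a legitimate non-safety write to the upper bits passes while a single flipped safety bit is detected.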