Industrial control systems are used, for instance, in manufacturing and process industries such as chemical plants, oil production plants, refineries, pulp and paper mills, steel mills and automated factories, and they are also widely used in the power industry. Such an industrial control system may comprise, or be combined with, devices that add safety features; an example of such a device is a safety controller. Examples of processes that require safety features beyond what a standard industrial control system provides are processes on off-shore production platforms, certain process sections of nuclear power plants and hazardous areas of chemical plants. Safety features may be used in conjunction with safety shutdown, fire and/or alarm systems, as well as for fire-and-gas detection.
The use of complex computer systems in industrial control systems with added safety features raises challenges, in particular an increased need for error-free execution of the software in an industrial controller.
The standard IEC 61508 specifies requirements for systems consisting of hardware and software, and groups equipment failures into the following categories:
Random hardware failures are either permanent or transient. A permanent failure persists until it is repaired. A transient failure can be handled by measures to control failures, i.e. by employing detection and correction mechanisms.
Systematic failures can exist in both hardware and software. In general, a systematic failure can only be eliminated if it is found during system (home) testing or proof (on-site) testing. Measures for avoiding systematic failures are specified in the above-referenced standard. Typically, avoidance of systematic failures is handled through good design procedures and measures for detecting design flaws, while control of systematic failures can be achieved with diversity and similar means.
Common cause failures are the result of one or more events causing concurrent failures of two or more separate channels in a multiple-channel system, leading to system failure. They are typically caused by environmental influences (such as temperature or EMC) acting at the same time on redundant hardware, i.e. hardware that carries out the safety function more than once. In general, diversity, i.e. introducing differences in hardware, design or technology between the channels, may reduce this kind of failure.
Current multicore processors do not satisfy a hardware fault tolerance of HFT=1 according to Annex E of IEC 61508-2 (requirements for integrated circuits with on-chip redundancy). It may be possible to enable core-to-core redundancy inside the processor, but the lack of diversity remains a problem when two copies of the safety-critical application execute on the same silicon, since both copies are exposed to the same common causes. This can to some extent be addressed by using different design principles, or a completely different technology, to carry out the same safety-critical functionality.
When multicore processors are used for safety applications there is therefore a need for on-line diagnostic testing of the processor, and in particular of its cores. The diagnostic software normally runs as a background task and thus competes with the safety application for processing power, so that the benefits of using a multicore processor may be lost.
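As an added illustration, not part of the application or of IEC 61508, the following C program models in software the two mechanisms discussed above: a two-channel safety function whose channels use deliberately different implementations and whose outputs are compared by a 1oo2D voter (the diversity point), and a core self-test that accumulates a signature over a fixed sequence of arithmetic operations and is executed in bounded slices, so that it takes only a known share of each cycle away from the safety application (the background-diagnostic point). All names (channel_a_trip, diag_step, TRIP_LIMIT and so on), the sample ADC values and the stuck-at fault model are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed limit: trip when the mean of 4 ADC samples exceeds 3000 counts. */
#define TRIP_LIMIT 3000u

/* Channel A: mean via integer division, forward loop, 32-bit accumulator. */
static bool channel_a_trip(const uint16_t s[4])
{
    uint32_t sum = 0;
    for (int i = 0; i < 4; i++) sum += s[i];
    return (sum / 4u) > TRIP_LIMIT;
}

/* Channel B: diverse formulation with no division, reverse loop, 64-bit
 * accumulator.  sum/4 > L  <=>  sum > 4L+3, so both channels compute the same
 * specified function for every input; diversity changes how, not what. */
static bool channel_b_trip(const uint16_t s[4])
{
    uint64_t acc = 0;
    for (int i = 3; i >= 0; i--) acc += s[i];
    return acc > (uint64_t)TRIP_LIMIT * 4u + 3u;
}

enum safety_state { STATE_RUN = 0, STATE_TRIP = 1, STATE_FAULT = 2 };

/* 1oo2D voter: disagreement between the channels is a detected fault and
 * forces the safe (de-energised) state, whichever channel is right. */
static enum safety_state vote(bool a, bool b)
{
    if (a != b) return STATE_FAULT;
    return a ? STATE_TRIP : STATE_RUN;
}

/* One scan; each channel works on its own copy of the input image. */
static enum safety_state scan(const uint16_t img_a[4], const uint16_t img_b[4])
{
    return vote(channel_a_trip(img_a), channel_b_trip(img_b));
}

/* ---- Sliced, signature-based core self-test ---------------------------- */
typedef uint32_t (*alu_fn)(uint32_t, uint32_t);
static uint32_t op_add (uint32_t a, uint32_t b) { return a + b; }
static uint32_t op_mul (uint32_t a, uint32_t b) { return a * b; }
static uint32_t op_xor (uint32_t a, uint32_t b) { return a ^ b; }
static uint32_t op_rotl(uint32_t a, uint32_t b) { b &= 31u; return (a << b) | (a >> ((32u - b) & 31u)); }
static const alu_fn good_ops[4] = { op_add, op_mul, op_xor, op_rotl };

/* Fault model, constructed for the demonstration: adder with bit 3 stuck at 1. */
static uint32_t op_add_stuck(uint32_t a, uint32_t b) { return (a + b) | 0x8u; }
static const alu_fn faulty_ops[4] = { op_add_stuck, op_mul, op_xor, op_rotl };

#define DIAG_STEPS 256u
struct diag_ctx { uint32_t step, v, sig; };
static void diag_reset(struct diag_ctx *c) { c->step = 0; c->v = 0x12345678u; c->sig = 0x811C9DC5u; }

/* Execute at most `budget` operations, then return, so the background
 * diagnostic takes a bounded slice of each cycle away from the safety
 * application.  Returns true when a pass is complete; c->sig then holds the
 * pass signature to compare with the reference captured on good hardware. */
static bool diag_step(struct diag_ctx *c, const alu_fn ops[4], uint32_t budget)
{
    while (budget-- && c->step < DIAG_STEPS) {
        uint32_t operand = (c->step + 1u) * 0x9E3779B9u;  /* fixed test pattern */
        c->v = ops[c->step & 3u](c->v, operand);
        c->sig = (c->sig ^ c->v) * 16777619u;             /* FNV-1a style fold */
        c->step++;
    }
    return c->step == DIAG_STEPS;
}

/* Whole pass at once: captures the reference signature (e.g. at commissioning)
 * and, with faulty_ops, models a core with a stuck-at fault. */
static uint32_t diag_full_pass(const alu_fn ops[4])
{
    struct diag_ctx c; diag_reset(&c);
    while (!diag_step(&c, ops, DIAG_STEPS)) { }
    return c.sig;
}

int main(void)
{
    /* Constructed ADC images: mean 3001 -> trip; then one bit flipped in B's copy. */
    uint16_t img_a[4] = { 2990, 3010, 3005, 2999 }, img_b[4];
    memcpy(img_b, img_a, sizeof img_b);
    printf("channels agree:          state=%d\n", scan(img_a, img_b));
    img_b[1] ^= 0x0200u;                     /* 3010 -> 2498: B no longer trips */
    printf("bit flip in B's image:   state=%d\n", scan(img_a, img_b));

    uint32_t reference = diag_full_pass(good_ops);
    struct diag_ctx c; diag_reset(&c);
    unsigned cycles = 0;
    do { cycles++; } while (!diag_step(&c, good_ops, 16u));   /* 16 ops per cycle */
    printf("sliced pass ok after %u cycles: %s\n", cycles, c.sig == reference ? "yes" : "no");
    printf("stuck-at fault detected: %s\n", diag_full_pass(faulty_ops) != reference ? "yes" : "no");
    return 0;
}
```

Two points the program makes visible: the output comparison only catches faults that propagate to the output (flipping bit 0x0400 instead of 0x0200 in channel B's image raises the sum, both channels still trip, and the corruption goes unnoticed), which is why memory and core diagnostics are needed in addition to redundancy; and the `budget` argument of diag_step is exactly the trade-off described above, since a larger slice finishes the pass in fewer cycles but leaves less processing power for the safety application.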
Hence there is still a need for improved safety measures for safety-critical software applications in industrial control systems.