WO2011066857A1 - A method for detecting a voltage fault in a safety related system comprising a programmable device - Google Patents


Info

Publication number: WO2011066857A1
Application number: PCT/EP2009/066298
Authority: WO (WIPO, PCT)
Other languages: French (fr)
Inventors: Frank Reichenbach, Kai Hansen
Original assignee: ABB Research Ltd.
Priority to: PCT/EP2009/066298
Prior art keywords: failure, identification, value, stored, failure identification

Classifications

    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11C STATIC STORES
    • G11C 5/00 Details of stores covered by group G11C 11/00
    • G11C 5/14 Power supply arrangements, e.g. power down, chip selection or deselection, layout of wirings or power grids, or multiple supply levels

Definitions

  • After a crash (step 16b), a failure identification value representing the predetermined type of failure is first written to Failure_ID_1 and then copied to Failure_ID_2.
  • Figure 2 shows a preferred embodiment in which the stored failure identifications are additionally protected by a data integrity check.
  • The EEPE system starts for the first time (10, cold start) and allocates 4n bits of memory; all 4n bits may for example be set to hexadecimal "FF". The EEPE system then starts normal execution.
  • At step 16a, comparing both failure IDs in step 27 shows that they are equal: the Failure_ID_2 value 24 was overwritten with the standard placeholder value 0x0A (24'), so a normal, controlled shutdown was most likely the cause.
  • At step 16b, comparing both failure IDs in step 28 shows that they are NOT equal (the Failure_ID_2 value 24 was not overwritten to 24'), so a voltage fault and thus a system crash was most likely the cause of the uncontrolled shutdown.
  • A check at step 29 or 30 reveals whether data integrity is ensured (29) or has been lost (30).
  • The advantage in situation 18a with step 29 is that the data can be relied upon; if the data integrity is found to be verified in situation 18b, that failure data can likewise be relied upon.
  • In either case the system has still detected that either a crash or another serious disturbance has happened, which enables the event to be noted, reported and investigated and appropriate action taken.
  • Figure 3 shows a flowchart for one or more methods according to another aspect of the invention. The figure shows that on normal shutdown Failure_ID_1 (22) retains its original placeholder value and a standard or placeholder failure identification code is written to Failure_ID_2 (24'), where 24' (24 prime) indicates that the start-up value 0xFF has been replaced by another value, in this case 0xAD; and that if Failure_ID_1 (22) and Failure_ID_2 (24) are not the same, it is determined (35) that the system did not shut down normally but crashed, and thus a voltage fault has been detected.
  • The functions of the fault detection method for a safety related system may be carried out by processing digital functions, algorithms and/or computer programs and/or by analogue
  • The methods of the invention may, as previously described, be carried out by means of one or more computer programs comprising computer program code or software portions running on a computer or a processor.
  • The microprocessor (or processors) comprises a central processing unit (CPU) performing the steps of the method according to one or more facets of the invention.
  • The processor may be embodied as a processor, microprocessor, as hardware or configurable hardware such as a Field-Programmable Gate Array (FPGA), or another type of processor including a Complex Programmable Logic Device (CPLD) or an Application Specific Integrated Circuit (ASIC).
  • The or each processor may be in a memory storage unit of a device in a safety related system or safety related control unit such as a PLC.
  • The computer program comprises computer program code elements or software code portions that make the computer perform the method using equations, algorithms, data, stored values and
  • A part of the program may be stored in a processor as above, but also in a ROM, RAM, PROM, EPROM or EEPROM chip or similar memory means.
  • The program, in part or in whole, may also be stored on or in other suitable computer readable media such as a magnetic disk, CD-ROM or DVD disk, hard disk, magneto-optical memory storage means, volatile memory, flash memory, as firmware, on a data server or on one or more arrays of data servers.
  • Other known and suitable media, including removable memory media such as USB memory and other removable flash memories, hard drives etc., may also be used.

Abstract

The invention is a method for detecting a voltage fault in a safety related system comprising an electronically programmable device. In safety related systems operated according to recognised standards the safety related system must be constructed to return to a safe state if a serious or critical fault occurs. The inventive method comprises storing a first and a second failure identification value FailureID1 and FailureID2 in a reserved part of a non-volatile memory storage part of a programmable device. The values of the first and second FailureIDs are configured prior to use, or with a factory default. After start up and during a shutdown a value of the first or second FailureID is over-written. Upon restart, a comparison (27) or (28) is carried out which determines whether the last shutdown of the device was normal or was due to a voltage fault. In other aspects of the invention a device and a computer program for carrying out the method are described.

Description

A method for detecting a voltage fault in a safety related system comprising a programmable device
TECHNICAL FIELD
The present invention is concerned with a method for fault detection in safety related systems operated in industry generally. In particular it is concerned with detecting a voltage fault in a system comprising one or more programmable devices.
TECHNICAL BACKGROUND
Electrical/electronic/programmable electronic (EEPE) systems that are compliant with functional safety standards (e.g. IEC 61508) must fulfil a set of defined safety requirements. Safety related systems commonly include devices such as switches, actuators, sensors, transmitters, valves, and controllers such as PLCs. Such safety related systems are commonly used in industry for applications in the oil & gas industry, railway signalling, process control, and automated processes in manufacturing plants. Such safety systems may comply with Safety Integrity Level (SIL) standards SIL 2-4. These requirements aim to lower the probability of serious accidents by considering all significant hazards in the system and putting suitable barriers in place against them. One general requirement for safety-related systems operating in a high-demand or continuous mode of operation is that an EEPE system must be able to detect serious hardware/software errors (e.g. memory errors, under/over-voltage events) and react to them with specific actions, mostly to bring the system into a safe state where no harm to humans or the environment can happen. A patent from another technical field, that of high-end servers for data processing systems used in normal commercial applications, addresses the maintenance and repair of such commercial data servers: US 6,892,159, entitled "Method and system for storing field replaceable unit repair history information" and assigned to Sun Microsystems Inc., describes a method for tracking repair histories which includes providing a field replaceable unit having a memory device, generating a repair history record associated with a repair request for the field replaceable unit, and storing the repair history record in the memory device.
The present specification provides a solution to a very specific problem in the technical field of safety related systems, which is described in the following. The EEPE system must usually be equipped with an under-/over-voltage detection circuit which is able to detect under- or over-voltages from the power supply. In case of a slow voltage change the EEPE system has enough time to react to that change with proper safety measures (e.g. system power-down with safety shut-off). Within the safety shut-off procedure a so-called failure identification number (failure ID) can be saved in non-volatile memory. Thus, when the EEPE system restarts/boots up again, this failure can be recognized and further steps can be taken (e.g. check modules for damage and replace them). Then the EEPE system can proceed with its normal operation.
However, when the voltage changes too fast (e.g. the power supply stops delivering energy immediately) there will not be enough time for the safety system to react to this specific failure. The system will most likely crash and restart. After this restart the system cannot recognize the voltage failure that occurred, and the system is no longer safe: the failure remains undetected, which can lead to serious accidents. Since a "slow voltage change" can usually be detected without complications, the focus of this patent disclosure is on "fast voltage changes" that lead to uncontrolled reactions. Here two different hazards can be distinguished:
1. Over-voltage (exceeding the maximum voltage the system can tolerate)
2. Under-voltage (down to zero, e.g. abrupt energy loss)
Both hazards have in common that there will be either no time to react to them by entering a safe state (under-voltage), or the reaction cannot be trusted (over-voltage), because the effect of the hazard on the hardware is unpredictable. Existing approaches are:
1. Under-voltage is often handled in hardware by a capacitor or other energy storage device which holds enough energy to supply the system for some milliseconds. Within this time the system executes a safety shutdown and saves the failure ID as required.
2. Another solution is to use redundant hardware (e.g. two power supplies), where, if one channel fails, the other channel executes the safety shut-down and saves the failure ID. Nevertheless, an external voltage glitch will probably affect both channels similarly.
SUMMARY OF THE INVENTION
The aim of the present invention is to remedy one or more of the above mentioned problems. This and other aims are obtained by a method characterised by claim 1.
According to a first aspect of the invention a method is disclosed for detecting a voltage fault in a safety related system, said system comprising an electronically programmable device, said device being configured before use, the method comprising: configuring in said device before first use a first reserved part of a non-volatile memory of said device in which is recorded a placeholder value for a first failure identification, and a second reserved part of the non-volatile memory in which is recorded a placeholder value for a second failure identification, which has the same value as the first failure identification; writing on start-up a standard value to the first failure identification; and writing on shut-down a shutdown-normal or failure-type identification (24') to the second failure identification.
According to another embodiment of the invention a method is disclosed for detecting a voltage fault in a safety related system, the method comprising: configuring in said device before first use a first reserved part of a non-volatile memory of said device with a placeholder value for a first failure identification, and a second reserved part of the non-volatile memory with a placeholder value for a second failure identification which has the same value as the first failure identification; writing on start-up a standard value to the first failure identification; writing on shut-down a shutdown-normal or failure-type identification to the second failure identification; and comparing on restart the stored value for the first failure identification with the stored value for the second failure identification.
According to another embodiment of the invention a method is disclosed for detecting a voltage fault in a safety related system, the method comprising: configuring in said device before first use a first reserved part of a non-volatile memory of said device with a placeholder value for a first failure identification, and a second reserved part of the non-volatile memory with a placeholder value for a second failure identification which has the same value as the first failure identification; writing on start-up a standard value to the first failure identification; writing on shut-down a shutdown-normal or failure-type identification to the second failure identification; and determining after restart that the stored value for the first failure identification is equal to the stored value for the second failure identification and recording that no voltage fault has been detected for the last shutdown.
According to an embodiment of the invention a method is disclosed for detecting a voltage fault in a safety related system, the method comprising: configuring in said device before first use a first reserved part of a non-volatile memory of said device with a placeholder value for a first failure identification, and a second reserved part of the non-volatile memory with a placeholder value for a second failure identification which has the same value as the first failure identification; writing on start-up a standard value to the first failure identification; writing on shut-down a shutdown-normal or failure-type identification to the second failure identification; and determining after restart that the stored value for the first failure identification is not equal to the stored value for the second failure identification and recording that a voltage fault during the last shutdown has been detected.
The basic principles of this disclosure are the following. After an under/over-voltage failure has occurred, either there is no more power delivered to the system or one cannot trust the system because of damage that may have happened. Thus it is unknown whether there is enough time and a stable voltage to safely store a failure identification number in non-volatile memory so that the device is able to recognize the error after a restart. However, failure recognition can be prepared in advance of the failure occurring. Instead of saving the actual failure ID after a hazard has occurred, which is the traditional practice, a standard failure ID is saved beforehand (in normal operation). After restart the system checks the last failure ID in memory. If the standard failure ID was NOT changed, then the system did not have time to do so and an under/over-voltage failure can be recognized. If the failure ID was overwritten properly, the last failure was most likely not an under/over-voltage failure. Nevertheless, this works only if all other safety functions that provoke a safe shutdown overwrite this standard failure ID in every case, so that the system can distinguish between the standard and a non-standard failure ID. The invention has a number of advantages, including that:
- there is no need for an extra circuit, which would need additional hardware design, testing, development and cost;
- retrofit and update of devices that are already designed is made possible by software updates only, which may be limited to simply changing (or updating) code and/or data in the firmware of the device.
According to another embodiment of the invention a method is disclosed for detecting a voltage fault in a safety related system, the method comprising: configuring in said device before first use a first reserved part of a non-volatile memory of said device with a placeholder value for a first failure identification, and a second reserved part of the non-volatile memory with a placeholder value for a second failure identification which has the same value as the first failure identification; writing on start-up a standard value to the first failure identification; writing on shut-down a shutdown-normal or failure-type identification to the second failure identification; and calculating a data integrity check on the first failure identification value and on the second failure identification value and storing each result in a reserved part of the non-volatile memory of said device.
According to another embodiment of the invention a method is disclosed for detecting a voltage fault in a safety related system, the method comprising: configuring in said device before first use a first reserved part of a non-volatile memory of said device with a placeholder value for a first failure identification, and a second reserved part of the non-volatile memory with a placeholder value for a second failure identification which has the same value as the first failure identification; writing on start-up a standard value to the first failure identification; writing on shut-down a shutdown-normal or failure-type identification to the second failure identification; and comparing after restart the stored calculated data integrity result for the first failure identification with the stored result for the second failure identification.
According to another embodiment of the invention a method is disclosed for detecting a voltage fault in a safety related system, the method comprising: configuring in said device before first use a first reserved part of a non-volatile memory of said device with a placeholder value for a first failure identification, and a second reserved part of the non-volatile memory with a placeholder value for a second failure identification which has the same value as the first failure identification; writing on start-up a standard value to the first failure identification; writing on shut-down a shutdown-normal or failure-type identification to the second failure identification; and determining either that the stored integrity result for the first failure identification is equal to the stored integrity result for the second failure identification and recording that no voltage fault has been detected after restart, or that the stored integrity result for the first failure identification is not equal to the stored integrity result for the second failure identification and recording that a voltage fault is detected.
In a preferred embodiment a data integrity function is used to ensure that data has not been corrupted by e.g. an over-voltage. Optionally, or in addition to the above method, failure IDs may be protected using a data verification or data integrity function, such as being recorded with a checksum (CRC), which is thus able to validate the correctness of the stored data. This is particularly important in the case of an over-voltage, during which it is common for data values such as single bits to be disturbed or corrupted by the environmental fluctuations. The strength of the CRC, for example in terms of data verification using a 32-bit CRC or another technology, can be selected and then configured on the basis of the safety integrity level needed. High reliability for a safety system is provided by this additional feature of data integrity checking. Many hardware solutions store such event-related information using a single capacitor or a flip-flop (sometimes only one bit). This is vulnerable to errors (e.g. a bit flip due to environmental influences such as an over-voltage). In the preferred embodiment a known and recognized data integrity function, such as a checksum or CRC-protected pattern in the memory (some bits), is used to ensure that the data recorded has not been corrupted by an over/under-voltage event. That means the probability of having an error in this safety system solution is very low in comparison to some existing hardware solutions.
According to another aspect of the invention, a device is disclosed, said device being a device in a safety related system, said device being an electronically programmable device, said device comprising at least one non-volatile memory which is configured before use with at least one reserved part in the non-volatile memory, wherein a first reserved part of the non-volatile memory of said device is configured to contain a placeholder value for a first identified failure, a second reserved part of the non-volatile memory is configured to contain a placeholder value for a second identified failure, and said device is arranged with hardware and/or software code to store a standard value to the first identified failure upon start-up and arranged with hardware and/or software code to store a value for failure type identification, or shutdown normal, to the second identified failure.
According to another embodiment of the inventive device, said device is arranged with hardware and/or software code to calculate or re-calculate a data integrity value or data verification value of a stored value for the first identified failure and the second identified failure.
A computer program for carrying out one or more methods of the invention, and a computer program recorded on a computer-readable medium or in a memory storage device, is disclosed in another aspect of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
A more complete understanding of the method and system of the present invention may be had by reference to the following detailed description when taken in conjunction with the
accompanying drawings wherein:
Figure 1 shows method steps and a schematic diagram according 1 an embodiment of the invention;
Figure 2 shows the invention of Figure 1 and in particular an embodiment comprising an added data integrity checking feature according to an embodiment of the invention;
Figure 3 shows a flowchart of the invention of Figure 1 and in particular a diagram over the method steps according to an embodiment of the invention.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
Figure 1 shows a combined block diagram and flow chart illustrating an embodiment of the invention. It shows, for a device in a safety-related system, memory space and memory contents in a non-volatile memory for a series of events or stages. Non-volatile memory before first start up of the system or device at step 10 shows the unchanged bits as written for Failure_ID_1 (11) before start up and the bits (again unchanged) that would be recorded in the case of a failure, Failure_ID_2 (12). The process proceeds as follows. The EEPE system or device starts for the first time (sometimes called a "cold start"). Beside normal initialization, the system also allocates 4n Bits of memory. For example, all 4n Bits may be set to hexadecimal "FF".
In this example, non-volatile memory after first start up at step 14 shows the bits written to show a standard or placeholder value representing Failure_ID_1 (reference number 22) and the standard or placeholder value representing Failure_ID_2 (reference number 24). (These are the data bits that would be left in memory following an actual failure event.) At this stage, after power on, the two values 22 and 24 are not the same.
The follow up to this is shown in detail after normal shut down at step 16a, called Memory after a normal shut down. During normal shutdown the failure identification value in Failure_ID_1 is written to Failure_ID_2, shown in the diagram as value 24' in the case of a normal shutdown. The flowchart shows that the hexadecimal value in memory for Failure_ID_1 22' (value 0xAD) is the same as for Failure_ID_2 24' (value 0xAD). Following a restart, when the values in non-volatile memory are checked for the two Failure IDs for the normal case, in step 18a, Failure_ID_1 = Failure_ID_2 (comparison step 27) and no voltage fault is detected at step 33.
For the other case when the shutdown is not normal, for example an over voltage or an under voltage causing a system crash, the process is shown first at step 16b. After a crash, the hexadecimal values in memory for Failure_ID_1 22' (value 0xAD) are not the same as for Failure_ID_2 26 (value 0xFF). Because the shutdown was not normal, the standard placeholder value for Failure_ID_2 was not overwritten from 0xFF (24) to placeholder value 0xAD (24'). Thus after the not-normal or crash case, during the restart at step 18b the values in non-volatile memory are checked for the two Failure IDs (for the crash case shown in step 16b), Failure_ID_1 ≠ Failure_ID_2, i.e. 0xAD ≠ 0xFF (comparison step 28), and a voltage fault is detected at step 35.
In the general case of a shutdown, any failure identification value representing a predetermined type of failure is first written into failure identification one, i.e. Failure_ID_1, and then subsequently copied over to Failure_ID_2. Thus an additional advantage of this approach is that while a controlled shut down is executed the pattern of failure ID 1 and failure ID 2 can both be replaced according to the type of failure that occurred. Thus it is possible to use this memory to distinguish between different failures that provoked a controlled shut down, in addition to detecting an uncontrolled shutdown due to a voltage fault.
Figure 2 shows a preferred embodiment in which the stored Failure ID values are checked to ensure data integrity, providing an additional level of security against possible errors or failures. The reference numbers used in Figure 2 correspond to those used in Figure 1 for the same functions, with the main difference being the stored data from the data integrity checks at step 10: 11c, 12c; step 14: 22c, 24c; step 16a: 22ca, 24ca; and step 16b: 22cb, 24cb. As for the previous embodiment, it is assumed that space in a non-volatile memory (e.g. Flash memory) can be reserved by the EEPE system. Then, the process is the following (see Figure 2):
1. The EEPE system starts the first time 10 (cold start). Beside normal initialization, the system allocates 4n Bits of memory. All 4n Bits may for example be set to hexadecimal "FF". The EEPE system stores a Failure_ID_1 (11) (here an exemplary n=8 Bit) as well as the CRC1 (11c) (here exemplary a standard 8 Bit CRC-8-CCITT) of this Failure_ID_1 (here exemplary n=8 Bit). The EEPE system starts normal execution.
First case - a failure or controlled shut down occurred due to one of the safety requirements or to an operator request; the system shuts down in a controlled way. A second Failure_ID_2 (24') (here exemplary n=8 Bit), the standard or placeholder value 0xAD, as well as CRC2 (24c) of this Failure_ID_2, is stored to memory, overwriting the value after start-up of 0xFF.
Second case - due to any kind of voltage failure, over voltage or under voltage, the system crashes immediately, and none of the failure IDs can be changed.
System restarts:
At step 16a, comparing both failure IDs in step 27 showed they are equal, so Failure_ID_2 value 24 was overwritten to the standard placeholder value 0x0A (24'); thus a normal shutdown was most likely the cause of the controlled shut down.
At step 16b, comparing both failure IDs in step 28 showed they are NOT equal (Failure_ID_2 value 24 was not overwritten to 24'), so a voltage fault and thus a system crash was most likely the cause of the uncontrolled shut down.
In addition, at step 18a or 18b, a check at step 29 or 30 reveals that the data integrity is ensured (or verified) (29) or that it has been lost (30). When the data integrity is ensured, the advantage in situation 18a and step 29 is that the data can be relied upon. Also, if the data integrity is found to have been verified in 18b, step 30, then that failure data can be relied upon. In addition, in situation 18b, if at step 28 the failure IDs are the same but the data integrity at step 30 is not the same, then the system has still detected that either a crash or another serious disturbance has happened, which enables the event to be noted and reported and thus investigated and appropriate action taken.
Figure 7 shows a flowchart for one or more methods according to another aspect of the invention. The figure shows that information in the reserved parts of the non-volatile memory of the device may change according to this sequence:
10 Placeholder value stored in reserved memory in non-volatile memory for Failure_ID_1 (11) and Failure_ID_2 (12),
Startup
14 New value written after first start up to the reserved memory addresses in non-volatile memory for Failure_ID_1 (22), and Failure_ID_2 (24) retains original 0xFF value,
Shutdown
16a On normal shut down Failure_ID_1 (22) retains original placeholder value, and a standard or placeholder failure identification code or value is written to Failure_ID_2 (24'), where the number 24' (24 prime) is used to indicate that the value after start up, 0xFF, has been replaced by another value, in this case 0xAD;
Restart
18a On restart after normal shutdown, comparison 27 of failure identification values Failure_ID_1 (22) and Failure_ID_2 (24'), whereupon it is determined 33 that the system shut down normally, it did not crash, so no voltage fault,
OR
16b On not-normal shutdown or crash, no changes to either Failure_ID_1 (22) or Failure_ID_2 (24);
18b On restart after not-normal shutdown or crash, comparison 28 of failure identification values Failure_ID_1 (22') and Failure_ID_2 (24) shows they are not the same, so that it is determined 35 that the system did not shut down normally, it crashed, and thus a voltage fault has been detected.
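The two-cell scheme of Figures 1 and 2 (standard value into Failure_ID_1 at start-up, copy of the failure code plus a CRC into both cells on a controlled shutdown, comparison and integrity verification on restart) written out as an added C example; this is not code from the patent. The memory offsets, the CRC-8-CCITT parameters (polynomial 0x07, init 0x00), the sample failure code and the re-erase of Failure_ID_2 at every start-up are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Layout of the reserved 4n bits (n = 8) in non-volatile memory. The patent
 * does not fix addresses; these offsets are an assumption of this example. */
enum { NVM_FID1 = 0, NVM_CRC1 = 1, NVM_FID2 = 2, NVM_CRC2 = 3, NVM_SIZE = 4 };
#define ERASED_VALUE    0xFFu   /* all bits set after the cold start (step 10) */
#define SHUTDOWN_NORMAL 0xADu   /* standard placeholder value used in the text */

typedef enum { RESULT_NORMAL, RESULT_VOLTAGE_FAULT, RESULT_INTEGRITY_LOST } restart_result;

static uint8_t nvm[NVM_SIZE];   /* simulated non-volatile memory (constructed) */

/* CRC-8-CCITT over one byte; polynomial 0x07, init 0x00 (assumed parameters). */
uint8_t crc8_ccitt(uint8_t v) {
    uint8_t crc = v;
    for (int b = 0; b < 8; b++)
        crc = (uint8_t)((crc & 0x80u) ? (crc << 1) ^ 0x07u : (crc << 1));
    return crc;
}

/* Step 10: cold start, the reserved memory is erased to 0xFF. */
void nvm_cold_start(void) { memset(nvm, ERASED_VALUE, NVM_SIZE); }

/* Step 14: at start-up the standard value and its CRC1 are written to
 * Failure_ID_1, while Failure_ID_2 is (re-)erased to 0xFF so that a crash
 * leaves the two cells different. Re-erasing after a normal restart, and
 * giving the erased cell its own CRC, are assumptions; the patent only
 * shows the first start-up. */
void device_startup(void) {
    nvm[NVM_FID1] = SHUTDOWN_NORMAL;
    nvm[NVM_CRC1] = crc8_ccitt(SHUTDOWN_NORMAL);
    nvm[NVM_FID2] = ERASED_VALUE;
    nvm[NVM_CRC2] = crc8_ccitt(ERASED_VALUE);
}

/* Step 16a: controlled shutdown. The failure type (or SHUTDOWN_NORMAL) goes to
 * Failure_ID_1 first and is then copied to Failure_ID_2, each with its CRC. */
void device_controlled_shutdown(uint8_t failure_type) {
    nvm[NVM_FID1] = failure_type;
    nvm[NVM_CRC1] = crc8_ccitt(failure_type);
    nvm[NVM_FID2] = failure_type;
    nvm[NVM_CRC2] = crc8_ccitt(failure_type);
}

/* Step 16b (crash) is modelled by not calling device_controlled_shutdown();
 * a disturbance that flips one stored bit can be simulated with this helper. */
void nvm_flip_bit(int offset, int bit) { nvm[offset] ^= (uint8_t)(1u << bit); }

/* Steps 18a/18b: verify both CRCs (29/30), then compare the two IDs (27/28). */
restart_result device_restart_check(void) {
    bool crc_ok = crc8_ccitt(nvm[NVM_FID1]) == nvm[NVM_CRC1] &&
                  crc8_ccitt(nvm[NVM_FID2]) == nvm[NVM_CRC2];
    if (!crc_ok)
        return RESULT_INTEGRITY_LOST;  /* step 30: crash or disturbance, even if IDs match */
    if (nvm[NVM_FID1] != nvm[NVM_FID2])
        return RESULT_VOLTAGE_FAULT;   /* step 28 -> 35: no controlled shutdown ran */
    return RESULT_NORMAL;              /* step 27 -> 33 */
}

/* Failure type recorded by the last controlled shutdown; meaningful only
 * when device_restart_check() returned RESULT_NORMAL. */
uint8_t device_last_failure_type(void) { return nvm[NVM_FID2]; }
```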
The methods of fault detection in a safety related system as described above in relation to Fig 3 and elsewhere in this specification may be carried out by a computer application comprising computer program elements or software code which, when loaded in a processor or computer, causes the computer or processor to carry out the method steps.
The functions of the fault detection method for a safety related system may be carried out by processing digital functions, algorithms and/or computer programs and/or by analogue components or analogue circuits or by a combination of both digital and analogue functions.
The methods of the invention may, as previously described, be carried out by means of one or more computer programs comprising computer program code or software portions running on a computer or a processor. The microprocessor (or processors) comprises a central processing unit CPU performing the steps of the method according to one or more facets of the invention. The processor may be embodied as a processor, microprocessor, as hardware or configurable hardware such as a Field-Programmable Gate Array (FPGA), or another type of processor including a Complex Programmable Logic Device (CPLD) or an Application Specific Integrated Circuit (ASIC) may be used. The or each processor may be in a memory storage unit of a device in a safety related system or safety related control unit such as a PLC (Programmable Logic Controller) or other system part thereof.
The computer program comprises computer program code elements or software code portions that make the computer perform the method using equations, algorithms, data, stored values and calculations previously described. A part of the program may be stored in a processor as above, but also in a ROM, RAM, PROM, EPROM or EEPROM chip or similar memory means. The program in part or in whole may also be stored on, or in, other suitable computer readable medium such as a magnetic disk, CD-ROM or DVD disk, hard disk, magneto-optical memory storage means, in volatile memory, in flash memory, as firmware, stored on a data server or on one or more arrays of data servers. Other known and suitable media, including removable memory media such as USB memory and other removable flash memories, hard drives etc. may also be used.
It should be noted that while the above describes exemplifying embodiments of the invention, there are variations and modifications that may be made to the method of fault detection and to storage in a memory storage device of the failure identification values which may be made to the disclosed solution without departing from the scope of the present invention as defined in the appended claims.

Claims

1. A method for detecting a voltage fault in a safety related system comprising an electronically programmable device, said device being configured before use, characterized by
configuring in said device before first use a first reserved part of a non-volatile memory of said device in which is recorded a placeholder value for a first failure identification (11, 22) and a second reserved part of the non-volatile memory in which is recorded a placeholder value for a second failure identification (12, 24), which has the same value as the first failure identification; and writing on start up, a standard value (11, 22) to the first failure identification, and writing on shut down, a shutdown normal or failure type identification (24') to the second failure identification.
2. A method according to claim 1, characterised by comparing (27, 28) on restart the stored value (11, 22) for the first identification failure with the stored value (12, 24, 24') for the second failure identification.
3. A method according to claim 2, characterised by determining that the stored value (11, 22) for the first failure identification is equal to the stored value (24) for the second failure identification and recording that no voltage fault (33) for last shutdown has been detected after restart.
4. A method according to claim 2, characterised by determining that the stored value (11, 22) for the first failure identification is not equal to the stored value (12, 24') for the second failure identification and recording that a voltage fault (35) during the last shutdown has been detected after restart.
5. A method according to claim 1, characterised by calculating a data integrity check on the first failure identification value and on the second failure identification value and storing each result (11c, 12c) in a reserved part of non-volatile memory of said device.
6. A method according to claim 5, characterised by comparing (29, 30) on restart the stored calculated data integrity result for the first failure identification (22ca, 24ca) with the stored results for the second failure identification (22cb, 24cb).
7. A method according to claim 6, characterised by determining that the stored integrity result (22ca, 24ca) for the first identification failure is equal (29) to the stored integrity result (22ca, 24ca) for the second failure identification and recording that no voltage fault (33) has been detected after restart.
8. A method according to claim 6, characterised by determining that the stored integrity result (22ca, 24ca) for the first identification failure is not equal (30) to the stored integrity result (22ca, 24ca) for the second failure identification and recording that a voltage fault (35) is detected.
9. A method according to claim 6, characterised by determining that the stored integrity result for the first failure identification (22ca, 24ca) is not equal (30) to the stored integrity result for the second failure identification (22ca, 24ca) and despite that the stored value (11, 22) for the first identification failure is equal to the stored value (24') for the second failure identification, that a voltage fault (35) is detected.
10. A method according to any of claims 1-9, characterized by recording a determination that a voltage fault detected (35) for said device and taking a predetermined action to return the safety related system to a safe state.
11. A device in a safety related system, said device being an electronically programmable device, said device comprising at least one non-volatile memory which is configured before use with at least one reserved part in the non-volatile memory, characterized in that a first reserved part of the non-volatile memory of said device is configured to contain a placeholder value for a first identified failure (11, 22), a second reserved part of the non-volatile memory is configured to contain a placeholder value for a second identified failure (12, 24), and that said device is arranged with hardware and/or software code to store a standard value (11, 22) to the first identified failure upon start up and arranged with hardware and/or software code to store a value for failure type identification (24'), or shutdown normal, to the second identified failure.
12. A device according to claim 10, characterised in that said device is arranged with hardware and/or software code to calculate or re-calculate a data integrity value (11, 22) of a stored value for the first identified failure and the second identified failure.
13. A device according to claim 10, characterised in that a memory storage part of said device contains computer program code or software portions which when loaded into a processor makes said processor carry out the steps of a method according any of claims 1-9.
14. A computer program product recorded on a computer useable medium for detecting a voltage fault in a safety related system comprising an electronically programmable device comprising software code portions or computer code to cause a computer or processor to carry out the steps of a method according any of claims 1-9.
15. Use of an electronically programmable device according to any of claims 10-13 in a safety related system, said system being applied in any from the group of: an oil & gas extraction, production, distribution or processing system; a railway signalling system; an automated industrial process, an industrial process.
PCT/EP2009/066298 2009-12-03 2009-12-03 A method for detecting a voltage fault in a safety related system comprising a programmable device WO2011066857A1 (en)
Publications (1)

Publication Number Publication Date
WO2011066857A1 true WO2011066857A1 (en) 2011-06-09