G05B2219/24008

Control and data-transfer system, gateway module, I/O module, and method for process control

To meet the safety requirements of automation systems more flexibly, the invention provides a control and data transmission system for controlling safety-critical processes, comprising a plurality of I/O modules connected via a first communication network to a gateway module. The gateway module is connected to a second communication network hierarchically superior to the first communication network and acts as a gateway between the first and the second communication networks. At least one of the I/O modules comprises a diagnosis unit for generating status data relating to the functional state of an input and/or output and/or of a process device. The gateway module and the I/O modules communicate via the first communication network in a safe manner to transfer status data and input and/or output data. The gateway module performs safety processing of the status data and/or of the input and/or output data.

Control of redundant processing units
11016523 · 2021-05-25

A circuit is provided that has a first, a second and a third clock source, a first processing unit connected to the first clock source, a second processing unit connected to the second clock source, and an input unit. The first processing unit has a first logic circuit and a first memory circuit connected to it; a first set of instructions, designed to implement a first control program when executed by the first logic circuit, is stored in the first memory circuit, and the first clock source specifies the clock timing of the execution of that set of instructions. The second processing unit has a second logic circuit and a second memory circuit connected to it; a second set of instructions, designed to implement a second control program when executed by the second logic circuit, is stored in the second memory circuit.

MOTOR SPEED ESTIMATION FOR DRIVE SAFETY SYSTEM
20210167710 · 2021-06-03

According to an aspect, there is provided a method for evaluating the safety of the speed of a motor controlled by a frequency converter. The method comprises, first, measuring the first, second and third phase currents of the three-phase electric power fed from the frequency converter to the motor and forming first, second and third current measurement pairs from them. Then, the speed of the motor is estimated separately from each measurement pair to produce respective first, second and third estimates of the motor speed. A voting logic is applied to the first, second and third estimates. The output of the voting logic is fed to a safety logic controlling at least one safety function of the frequency converter. The output of the voting logic comprises an estimate of the motor speed and an indication of whether or not that estimate is valid according to the voting logic.
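The two-out-of-three vote over the three speed estimates, as an added example in Python (this is not code from the patent). The abstract does not state the voting rule, so the agreement band, the treatment of a lone disagreeing estimate and the safely-limited-speed reaction fed by the voter are all assumptions made here:

```python
"""Two-out-of-three voting on independent motor-speed estimates (added example)."""
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence

# Assumed agreement band (not taken from the patent): two estimates agree when
# they differ by at most 5 % of the larger magnitude, with a 5 rpm floor so
# that noise around standstill does not register as disagreement.
REL_TOL = 0.05
ABS_TOL_RPM = 5.0


def agree(a: float, b: float) -> bool:
    """True when two speed estimates lie within the agreement band."""
    return abs(a - b) <= max(ABS_TOL_RPM, REL_TOL * max(abs(a), abs(b)))


@dataclass(frozen=True)
class VoteResult:
    speed: Optional[float]  # voted speed estimate, None when no majority exists
    valid: bool             # False when fewer than two estimates agree


def vote_2oo3(estimates: Sequence[float]) -> VoteResult:
    """Majority vote over three estimates.

    All three agreeing: median of the three.  Exactly one agreeing pair: the
    odd estimate is treated as the faulty channel and dropped.  No agreeing
    pair: the result is flagged invalid so the safety logic can fail safe.
    """
    if len(estimates) != 3:
        raise ValueError("2oo3 voter needs exactly three estimates")
    pairs = ((0, 1), (0, 2), (1, 2))
    agreeing = [(i, j) for i, j in pairs if agree(estimates[i], estimates[j])]
    if not agreeing:
        return VoteResult(None, False)
    members = sorted({k for pair in agreeing for k in pair})
    return VoteResult(median([estimates[k] for k in members]), True)


def safely_limited_speed(result: VoteResult, limit_rpm: float) -> str:
    """Hypothetical safety function fed by the voter (assumed reaction, not the
    patent's): stop unless the voted speed is valid and within the limit."""
    if not result.valid or result.speed is None:
        return "STOP"  # no trustworthy estimate: fail safe rather than guess
    return "STOP" if abs(result.speed) > limit_rpm else "RUN"


if __name__ == "__main__":
    # Constructed inputs: three healthy channels, one channel far off, and
    # three mutually inconsistent channels.
    for est in ([1480.0, 1482.5, 1479.0],
                [1480.0, 1481.0, 900.0],
                [1480.0, 1200.0, 900.0]):
        r = vote_2oo3(est)
        print(est, "->", r, safely_limited_speed(r, limit_rpm=1500.0))
```

The point of the validity flag is the third case: when no two channels agree, the voter does not pick a "best" number, it reports that it has none, and the safety function treats that as a demand for the safe state.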

Critical Spare Part Identification Process for Mobile Offshore Drilling Units
20210108501 · 2021-04-15

Systems/methods of identifying critical spare parts for equipment aboard a MODU employ a quantitative approach that also accounts for failure probability and potential consequences of a decision whether to stock a spare part. This approach determines whether a loss risk from not having a spare part exceeds a loss risk from having the spare part, and whether a worst case loss risk from not having a spare part exceeds a predefined loss risk limit. The spare part is designated a critical spare part if both of the above conditions are satisfied. In some embodiments, a spare part may also be designated a critical spare part if equipment related to the spare part has a failure probability that exceeds a Safety Integrity Level (SIL) failure probability. Any spare part designated a critical spare part is identified to a supply chain system and/or an inventory tracking system for responsive actions.

SoC architecture to integrate with one out of two diagnostics platforms

An apparatus of a System on Chip (SoC) to implement a one out of two diagnostics (1oo2D) safety system comprises a memory comprising firmware to provide monitoring of the SoC and a second SoC, and a communication interface to provide cross-monitoring between the SoC and the second SoC. The firmware and the communication interface enable the SoC and the second SoC to implement the 1oo2D safety system without significant hardware or software external to the SoC.
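The 1oo2D decision logic with cross-monitoring between the two SoCs, as an added example in Python (not the patent's firmware). The heartbeat-counter rule, the channel fields and the cycle timing are assumptions; what the code shows is the defining property of 1oo2D: either healthy channel can trip, a channel diagnosed as faulty is excluded, and with no healthy channel left the system goes to the safe state.

```python
"""1oo2D decision logic with cross-monitoring between two channels (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class Verdict(Enum):
    RUN = "run"
    SAFE_STATE = "safe_state"


@dataclass(frozen=True)
class Channel:
    """One SoC's contribution in a cycle (assumed fields, not from the patent)."""
    demand: bool        # this channel asks for the safe state
    self_test_ok: bool  # this channel's own diagnostics passed
    counter: int        # heartbeat counter sent over the cross-monitoring link


class CrossMonitor:
    """One SoC's view of its peer: the peer counts as failed once its heartbeat
    counter has stopped advancing for more than max_missed cycles (assumed rule)."""

    def __init__(self, max_missed: int = 2) -> None:
        self.max_missed = max_missed
        self.last: Optional[int] = None
        self.missed = 0

    def update(self, peer_counter: int) -> bool:
        if self.last is not None and peer_counter == self.last:
            self.missed += 1
        else:
            self.missed = 0
        self.last = peer_counter
        return self.missed <= self.max_missed


def vote_1oo2d(a: Channel, b: Channel, a_alive: bool, b_alive: bool) -> Verdict:
    """1oo2D: any healthy channel may trip; a channel diagnosed faulty (by its
    own self-test or by the peer's monitor) is excluded; with no healthy channel
    left the only safe answer is the safe state."""
    healthy = [c for c, alive in ((a, a_alive), (b, b_alive))
               if alive and c.self_test_ok]
    if not healthy:
        return Verdict.SAFE_STATE
    return Verdict.SAFE_STATE if any(c.demand for c in healthy) else Verdict.RUN


def simulate(cycles: Sequence[Tuple[Channel, Channel]]) -> List[Verdict]:
    """Run both monitors and the voter over a sequence of per-cycle snapshots."""
    a_watches_b = CrossMonitor()
    b_watches_a = CrossMonitor()
    verdicts = []
    for a, b in cycles:
        b_alive = a_watches_b.update(b.counter)
        a_alive = b_watches_a.update(a.counter)
        verdicts.append(vote_1oo2d(a, b, a_alive, b_alive))
    return verdicts


if __name__ == "__main__":
    # Constructed scenario: B's heartbeat freezes from cycle 3; at cycle 6 A's
    # self-test also fails, leaving no trusted channel.
    a_seq = [Channel(False, True, n) for n in range(1, 6)] + [Channel(False, False, 6)]
    b_seq = [Channel(False, True, 1), Channel(False, True, 2)] + [Channel(False, True, 2)] * 4
    for n, v in enumerate(simulate(list(zip(a_seq, b_seq))), start=1):
        print(f"cycle {n}: {v.value}")
```

The "D" is what makes the excluded channel's demand irrelevant: a channel whose diagnostics have failed cannot cause a spurious trip on its own, while a live channel still trips the system alone. The diagnostic coverage of the self-test and the cross-monitor is therefore what the safe-failure-fraction and hardware-fault-tolerance claims for such a system rest on.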

Switching device for selectively switching an electrical load, in particular for shutting down a dangerous machine installation

A switching device shuts down a machine installation in failsafe fashion. The switching device includes an input for a defined input signal, a first output providing a first current path to the machine installation, a display element capable of assuming first and second states, and a processor having first and second modes of operation. The first current path includes a switching element capable of assuming closed and open operating states. In the first mode, the processor controls the switching element in response to the defined input signal in order to selectively close or interrupt the first current path. In the second mode, the processor controls the switching element into the open operating state regardless of the defined input signal. In the first mode, the display element assumes the first and second display states in response to the switching element being in the closed and open operating states, respectively.

METHOD FOR ASSESSING SAFETY INTEGRITY LEVEL OF OFFSHORE OIL WELL CONTROL EQUIPMENT

The present disclosure belongs to the field of offshore oil and in particular relates to a method for assessing the safety integrity level of offshore oil well control equipment. The method comprises three major steps: creating a safety instrumented function evaluation module and dividing the devices that perform the safety instrumented functions into a sensor subsystem, a controller subsystem and an actuator subsystem; establishing a dynamic Bayesian network model for each subsystem for calculation; and integrating, analyzing and optimizing the safety integrity data of the subsystems.

SAFEGUARDING A MACHINE
20200290205 · 2020-09-17

A safety system for safeguarding a machine is provided. The safety system has at least one safe sensor for producing safe data, wherein the safe sensor also produces non-safe data and/or a non-safe sensor for producing non-safe data is provided. The safety system furthermore has a non-safe evaluation unit for processing the non-safe data and a safe evaluation unit that is configured to test the non-safe evaluation unit by checking the evaluation result of the processing of the non-safe data against the safe data. The safe data have a lower accuracy and/or are available less often than the evaluation results.
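The check the safe evaluation unit performs, as an added example in Python (not the patent's implementation). The scenario, the field names and the staleness limit are assumptions: a non-safe unit reports a precise distance to a person at a high rate, a safe sensor reports a coarse distance with a stated accuracy at a lower rate, and the safe unit accepts the non-safe results only while each one that it can compare falls inside the safe sample's accuracy band.

```python
"""Safe evaluation unit checking a non-safe evaluation against coarse safe data (added example)."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class NonSafeResult:
    """Output of the non-safe evaluation unit: precise and frequent, but unqualified."""
    t_ms: int
    distance_m: float


@dataclass(frozen=True)
class SafeSample:
    """Output of the safe sensor: coarse and rare, but trusted, with a stated accuracy."""
    t_ms: int
    distance_m: float
    accuracy_m: float


def cross_check(nonsafe: Sequence[NonSafeResult], safe: Sequence[SafeSample],
                max_unconfirmed_ms: int = 500) -> Tuple[bool, str]:
    """Decide whether the non-safe results may be relied on.

    For every safe sample, the most recent non-safe result must fall inside the
    safe sample's accuracy band.  Non-safe results newer than the last safe
    sample are tolerated only for max_unconfirmed_ms (assumed parameter).
    Returns (ok, reason); ok False means the safe unit has refuted the
    non-safe unit and the machine must take its safe reaction.
    """
    nonsafe = sorted(nonsafe, key=lambda r: r.t_ms)
    safe = sorted(safe, key=lambda s: s.t_ms)
    if not nonsafe:
        return False, "no non-safe results"
    last_confirmed: Optional[int] = None
    for s in safe:
        earlier = [r for r in nonsafe if r.t_ms <= s.t_ms]
        if not earlier:
            return False, f"no non-safe result to check at t={s.t_ms} ms"
        r = earlier[-1]
        if abs(r.distance_m - s.distance_m) > s.accuracy_m:
            return False, (f"refuted at t={s.t_ms} ms: non-safe {r.distance_m} m "
                           f"outside safe {s.distance_m}±{s.accuracy_m} m")
        last_confirmed = s.t_ms
    if last_confirmed is None:
        return False, "no safe data to check against"
    age = nonsafe[-1].t_ms - last_confirmed
    if age > max_unconfirmed_ms:
        return False, f"non-safe results unconfirmed for {age} ms"
    return True, "non-safe evaluation confirmed by safe data"


if __name__ == "__main__":
    # Constructed data: a person approaching at about 0.75 m/s.  Non-safe unit
    # at 10 Hz with cm precision; safe sensor at 5 Hz with ±0.2 m accuracy.
    nonsafe = [NonSafeResult(t, d) for t, d in
               ((0, 2.05), (100, 1.98), (200, 1.90), (300, 1.83), (400, 1.75))]
    safe = [SafeSample(150, 2.0, 0.2), SafeSample(350, 1.8, 0.2)]
    print(cross_check(nonsafe, safe))
    # A non-safe unit that silently stops tracking (or is manipulated) reports
    # a stale, larger distance; the coarse safe sample is enough to refute it.
    broken = nonsafe[:3] + [NonSafeResult(300, 2.9), NonSafeResult(400, 2.9)]
    print(cross_check(broken, safe))
```

The asymmetry is the useful part: the safe data are too coarse and too sparse to drive the machine on their own, but they are good enough to catch a non-safe unit that drifts, freezes or is tampered with, which is what lets the precise non-safe result be used without qualifying the non-safe unit itself.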

Safety controller and safety system
10761505 · 2020-09-01

The present invention relates to a safety controller for the safety-directed monitoring and control of a machine, said safety controller having at least one monitoring input that is configured to receive a detection signal from a protective device; at least one control output that is configured to output a shutdown signal to the machine to be monitored and to be controlled; at least one bypass input that is configured to receive a bypass demand from an independent control system. The invention further relates to a safety system having a safety controller and having at least one protective device connected to the safety controller.

Method for operating safety control in an automation network, and automation network having such safety control allowing mixed safety integrity levels

A method operates a safety control in an automation network having a master subscriber which carries out the safety control, at least one first slave subscriber which is assigned a first safety integrity level, and at least one second slave subscriber which is assigned a second safety integrity level. The first safety integrity level and the second safety integrity level differ from each other. A first safety code determination method is assigned to the first slave subscriber and a second safety code determination method is assigned to the second slave subscriber. The first safety code determination method and the second safety code determination method differ from each other. The master subscriber and the first slave subscriber use the first safety code determination method for interchanging a safety data block. The master subscriber and the second slave subscriber use the second safety code determination method for interchanging a safety data block.
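Two safety code determination methods on one network, selected per slave subscriber by its safety integrity level, as an added example in Python (not the patent's protocol). The block layout, the 16-bit versus 32-bit CRC assignment and the polynomials are assumptions chosen for illustration; what the code shows is the master keeping a per-subscriber method table, both sides of a connection applying the same method, and a block that reaches a subscriber with the other method being rejected.

```python
"""Per-subscriber safety code methods on one automation network (added example)."""
from dataclasses import dataclass
from typing import Dict, Tuple


def crc(data: bytes, width: int, poly: int, init: int) -> int:
    """Plain MSB-first CRC with no reflection and no final XOR (assumed parameters)."""
    mask = (1 << width) - 1
    top = 1 << (width - 1)
    reg = init & mask
    for byte in data:
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) & mask if reg & top else (reg << 1) & mask
    return reg


@dataclass(frozen=True)
class SafetyCodeMethod:
    name: str
    width: int
    poly: int
    init: int

    def compute(self, body: bytes) -> bytes:
        return crc(body, self.width, self.poly, self.init).to_bytes(self.width // 8, "big")


# Assumed assignment (not the patent's): SIL 2 subscribers get a 16-bit code,
# SIL 3 subscribers a 32-bit code.  Polynomials are the common CCITT and IEEE ones.
METHOD_BY_SIL: Dict[int, SafetyCodeMethod] = {
    2: SafetyCodeMethod("crc16", 16, 0x1021, 0xFFFF),
    3: SafetyCodeMethod("crc32", 32, 0x04C11DB7, 0xFFFFFFFF),
}

HEADER_LEN = 4  # address (1) + sequence number (2) + payload length (1)


class MasterSubscriber:
    """Keeps the safety code method assigned to each slave and builds safety data blocks."""

    def __init__(self) -> None:
        self.methods: Dict[int, SafetyCodeMethod] = {}
        self.seq: Dict[int, int] = {}

    def assign(self, slave_addr: int, sil: int) -> None:
        self.methods[slave_addr] = METHOD_BY_SIL[sil]
        self.seq[slave_addr] = 0

    def build_block(self, slave_addr: int, payload: bytes) -> bytes:
        method = self.methods[slave_addr]
        self.seq[slave_addr] = (self.seq[slave_addr] + 1) & 0xFFFF
        body = (bytes([slave_addr]) + self.seq[slave_addr].to_bytes(2, "big")
                + bytes([len(payload)]) + payload)
        return body + method.compute(body)


@dataclass
class SlaveSubscriber:
    addr: int
    sil: int
    last_seq: int = 0

    def verify(self, block: bytes) -> Tuple[bool, str, bytes]:
        """Check code, address, sequence and length; return (ok, reason, payload)."""
        method = METHOD_BY_SIL[self.sil]
        n = method.width // 8
        if len(block) < HEADER_LEN + n:
            return False, "block too short", b""
        body, code = block[:-n], block[-n:]
        if code != method.compute(body):
            return False, f"safety code mismatch under {method.name}", b""
        addr, seq, length = body[0], int.from_bytes(body[1:3], "big"), body[3]
        if addr != self.addr:
            return False, "addressed to another subscriber", b""
        expected = (self.last_seq + 1) & 0xFFFF
        if seq != expected:
            return False, f"sequence error: got {seq}, expected {expected}", b""
        payload = body[HEADER_LEN:]
        if len(payload) != length:
            return False, "payload length mismatch", b""
        self.last_seq = seq
        return True, "ok", payload


if __name__ == "__main__":
    master = MasterSubscriber()
    master.assign(1, sil=2)
    master.assign(2, sil=3)
    sil2, sil3 = SlaveSubscriber(1, 2), SlaveSubscriber(2, 3)
    blk = master.build_block(1, b"\x01\x00")
    print("SIL 2 slave, fresh block:", sil2.verify(blk))
    print("SIL 2 slave, replayed:   ", sil2.verify(blk))
    print("SIL 3 slave, misrouted:  ", sil3.verify(blk))
    print("SIL 3 slave, fresh block:", sil3.verify(master.build_block(2, b"\x00\x01")))
```

The sequence number and address are checked after the code, so that corruption and misrouting are reported as code failures and replay as a sequence failure; the method table in the master is the only place where the SIL-to-method mapping lives, which is what lets subscribers of different levels share one network without the weaker code being applied to the stronger subscriber's data.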