The present invention includes a drawing data generating unit, a variation pattern that varies at regular intervals to be displayed, a display unit that displays drawing data, and a comparator that compares whether input signals are coincident, and the drawing data generating unit includes a receiver that receives data from a higher-level device, a drawing control unit that converts the data received from the higher-level device to drawing data, and a drawing memory that stores the drawing data. The drawing data generating unit and the variation pattern are redundantly configured, and the variation pattern is input to the drawing data generating unit. One output signal of the drawing data generating unit regarding drawing data including the variation pattern is transmitted to the display unit, a plurality of output signals from the drawing data generating unit are input to the comparator, and the comparator outputs a comparison result as a detection signal outside. This improves safety and reliability when severe safety criteria are required such as in a case of monitor-display in industrial plant equipment.

A circuit is provided that has three clock sources, a first processing unit connected to the first clock source, a second processing unit connected to the second clock source, and an input unit. The first processing unit has a first logic circuit and a first memory circuit connected to the first logic circuit, wherein a first set of instructions, which is designed to implement a first control program when executed by the first logic circuit, is stored in the first memory circuit, wherein the first clock source specifies a clock timing of the execution of the first set of instructions. The second processing unit has a second logic circuit and a second memory circuit connected to the second logic circuit, wherein a second set of instructions, which is designed to implement a second control program when executed by the second logic circuit, is stored in the second memory circuit.

The invention relates to a method for forcing fail-silent behavior of a periodically functioning, distributed real-time computer system, which real-time computer system comprises at least two redundant NSCFCUs. At the beginning of a frame, the at least two redundant NSCFCUs (110, 111) are supplied with the same input data, wherein each of the redundant NSCFCUs calculates a result, preferably by means of a deterministic algorithm, particularly from the input data, and wherein this result is packed into a CSDP with an end-to-end signature, and wherein the CSDPs of the NSCFCUs (110, 111) are transmitted to an SCFCU (130), and wherein the SCFCU (130) checks whether the bit patterns of the received CSDPs are identical, and, if disparity of the bit patterns is found, prevents further transmission of the CSDPs, particularly those CSDPs in which disparity was found. Furthermore, the invention relates to a periodically functioning, distributed real-time computer system.

A high-availability control system for an industrial process including operator stations displaying information, and an interface including a pair of computers for each model, each collecting each item of data received by each controller having the model and eliminating the duplicates, wherein the computers operate in asynchronous redundancy. The system also includes a processor including a pair of computers that each receive the collected data, sort the data received as a function of their acquisition time, eliminate the duplicates and calculate an information group by acquisition time, wherein the computers operate in active redundancy. The system also includes managing the operator stations including one computer per operator station, each receiving each calculated information group and sending to the operator station each information group corresponding to the subset of information. The system also includes a duplicate communication network comprising a distributed redundancy module that manages the message exchanges between the computers.

An output module comprises two management units each of which calculates the current demand for the module independently from one another. One management unit controls an output current, controller whilst the other unit monitors the current produced by the output current controller against an independently calculated demand. The output module has multiple output modules. In normal operation, each module provides a portion of the required output current, the total output current being equal to the sum of the currents output by each module. in the event of failure on one of the, modules, the other module or modules switch to providing the total current required and the failed module is switched to a fail safe mode by using an isolation circuit to switch off the output current from that module.

An apparatus of a System on Chip (SoC) to implement a one out of two diagnostics (1oo2D) safety system comprises a memory comprising firmware to provide monitoring of the SoC and a second SoC, and a communication interface to provide cross-monitoring between the SoC and the second SoC. The firmware and the communication interface enable the SoC and the second SoC to implement the 1oo2D safety system without significant hardware or software external to the SoC.

To simplify and/or improve error monitoring in a control and data transmission system for redundant process control, provided is a method for error monitoring in which errors detected by a first control device are stored locally as well as transmitted to at least one redundant second control device, which is arranged remotely, and also stored there so that in each case the error history of both control devices and is available locally for diagnosing the whole redundant system. Further provided is a control and data transmission system designed to carry out the method and a control device for use therein.

A programmable safety unit for monitoring and controlling safety functions of a hazardous environment, for example an environment including hazardous machines, processes, materials, and so forth and safety equipment associated with the hazardous environment. A safety unit is adapted for external mounting, and includes a programmable safety module and a connection part that are interconnectable enabling mounting/demounting and replacement of the programmable safety module and/or the connection part. The safety unit further includes at least two connections that are programmable as safe inputs and/or outputs for direct connection to at least a number of the safety functions or equipment of the hazardous environment, and for example the machines and/or processes.

Methods and Nodes for Controlling a Physical Entity A method (100) is disclosed for controlling a physical entity. The method is performed by a controller node running at least two instances of a logical control function. The method comprises receiving over an input mechanism node input data relating to the physical entity (110) and providing, to each of the at least two instances of the control function, instance input data generated from the node input data. The method further comprises causing at least one of the instances to process the received instance input data and generate instance output data, and providing, over an output mechanism, instance output data from at least one of the instances of the control function, wherein the output mechanism is operably connected to the physical entity. The method further comprising synchronizing an internal state of each of the at least two instances of the control function.