G06F11/1654

Apparatus and method for a security-critical application

An apparatus and a method for the parallel and independent operation of a normal program and a secure program on the basis of a runtime system structure are described. All components that are relevant to the control are integrated on a hardware component with a specific hardware architecture and are isolated from one another by a runtime system structure for two dual runtime systems, so that changes can be made to non-security-relevant components without restriction. The isolation can be provided by prioritizing one of the runtime systems. Such a runtime system structure or hardware architecture eliminates the need for follow-up certification of user-programmable controllers, and the certification of the security-critical component remains valid even when changes are made to the non-security-relevant components.

Method for the fail-safe operation of a process control system with redundant control devices

A process control system is provided which has at least one OPC client and one OPC server which communicate via a standardized OPC interface. Furthermore the process control system has at least two redundantly operated control devices which each communicate with the OPC server by means of a coupling device. Each control device is designed to provide process variables and status information. The status information contains the current role of the respective control device, wherein the current role is either that of a main control device or an auxiliary control device. The OPC server is designed to detect the main control device in response to the status information of at least one control device, to register a list of variables generated by the OPC client at the main control device and/or to transmit to the OPC client only the process variables which have been provided by the main control device.

SYSTEM AND METHOD FOR PROTECTING GPU MEMORY INSTRUCTIONS AGAINST FAULTS

A system and method for protecting memory instructions against faults are described. The system and method include converting the slave instructions to dummy operations, modifying a memory arbiter to issue up to N master and N slave global/shared memory instructions per cycle, sending master memory requests to the memory system, using slave requests for error checking, entering master requests to the GM/LM FIFO, storing slave requests in a register, and comparing the entered master requests with the stored slave requests.

Error handling in transactional buffered memory

Data is sent from a memory buffer device to a host device over a link. An error in the data is determined. A read response cancellation signal is sent to the host device to indicate the error to the host device, where the read response cancellation signal is to be sent subsequent to the data being sent from the memory buffer device to the host device.

Monitoring device, fault-tolerant system, and control method
10360115 · 2019-07-23

A monitoring device is mounted in each of a plurality of operational systems constituting a fault-tolerant system. The plurality of operational systems have an identical configuration including a processor system. The monitoring device includes a processor. The processor executes an instruction to read data from a predetermined storage area in a memory of an accessory device to be monitored, connected to the processor system. The processor further executes an instruction to compare the read data with reference data held in advance. The processor further executes an instruction to separate the processor system connected to the accessory device to be monitored from the fault-tolerant system when the read data is different from the reference data.

System and method for protecting GPU memory instructions against faults

A system and method for protecting memory instructions against faults are described. The system and method include converting the slave instructions to dummy operations, modifying a memory arbiter to issue up to N master and N slave global/shared memory instructions per cycle, sending master memory requests to the memory system, using slave requests for error checking, entering master requests to the GM/LM FIFO, storing slave requests in a register, and comparing the entered master requests with the stored slave requests.

SEMICONDUCTOR DEVICE
20190102271 · 2019-04-04

There is a need to detect faults on a path between a memory access circuit and a shared resource, faults in a logic circuit, and faults in the shared resource. A semiconductor device includes: a first memory access circuit; a second memory access circuit to check the first memory access circuit; a memory that outputs a memory address based on a first access address input from the first memory access circuit; a duplexing comparison circuit that compares the first access address with a second access address output from the second memory access circuit; a first address comparison circuit that compares the first access address with the memory address; and an error control circuit that outputs a control signal based on a comparison result from the duplexing comparison circuit and a comparison result from the first address comparison circuit.

MANAGEMENT SYSTEM FOR A PLANT FACILITY AND METHOD FOR MANAGING A PLANT FACILITY
20190098072 · 2019-03-28

A management system for a plant facility is disclosed. The system includes a first field device that measures a process value, a first control node that calculates a first control value based on the process value, a second field device that operates according to the first control value, and an application node that configures one or more parameters for calculating the first control value. The first control node compares the first control value with a second control value calculated by one of the first field device, a second control node, and the application node. When determining that the first and the second control value are identical, the first control node sets the first control value to the second field device.

Management system for a plant facility and method for managing a plant facility
10244043 · 2019-03-26

A management system for a plant facility is disclosed. The system includes a first field device that measures a process value, a first control node that calculates a first control value based on the process value, a second field device that operates according to the first control value, and an application node that configures one or more parameters for calculating the first control value. The first control node compares the first control value with a second control value calculated by one of the first field device, a second control node, and the application node. When determining that the first and the second control value are identical, the first control node sets the first control value to the second field device.

Signal Pairing for Module Expansion of a Failsafe Computing System
20190079823 · 2019-03-14

A system includes a central processing unit (CPU), a first input/output (I/O) module, and a second I/O module. The first I/O module includes a first module health controller operatively connected to the CPU. The second I/O module includes a second module health controller operatively connected to the first module health controller and the CPU. One of the first module health controller and the second module health controller is configured to assert a paired module health signal to the CPU indicating that the first I/O module and the second I/O module are healthy.