EA034974B1 - Method of providing functional safety of central processor module of industrial controller and microprocessor system for carrying out this method (variants) - Google Patents

Abstract

The invention relates to the architecture of a central processor module (hereinafter referred to as CPU module) of an industrial programmable logic controller and a method aiming at safe operation of such CPU module. The method focuses on the fact that the CPU module (2) uses a microprocessor system consisting of a central microprocessor (8) (hereinafter referred to as CM), an additional microprocessor (9) (hereinafter referred to as AM) and a safety microcontroller (10) (hereinafter referred to as SM). CM and AM perform the same tasks with the same input from sensors and transmit the results of processing these input data to the SM, which compares these results. The SM decides whether to permit the transfer of output data from CPU module to actuators, depending on the result of comparing the processed data from the CM and the AM, the result of monitoring of the task execution time in the CM and the AM performed by the SM, or the result of the SM software or hardware self-diagnostics. Hardware self-diagnostics of the SM is carried out using hardware mechanisms implemented on its chip.

Description

The invention relates to the architecture of a central processor module (CPU module) of an industrial controller with programmable logic and a method focused on the safe operation of the CPU module. Industrial controller (hereinafter controller) is a computing and control unit in automated process control systems (ACS TP).

The rapid growth of control systems used in areas (industry, medicine, automobile and railway transport), where their failure can lead to dangerous situations that lead to personal injury or death, damage to the environment, damage to equipment or disruption to the production process, led to the development of a series of standards GOST R IEC 61508 Functional safety of electrical, electronic, programmable electronic safety-related systems.

With the advent of microprocessor systems, they began to be used to implement functional safety functions. The idea of these microprocessor-based security systems is based on hardware redundancy, which consists in using several computing tools (for example, processors) in parallel and in comparing their data processing (computing) results using hardware elements or software.

For example, the central processor module of a programmable logic controller with advanced Quantum series security functions is known (Manual on Quantum Security PLC No. 33003879 dated 06/2007, pp. 33-38, section Security CPU Module, Schneider Electric, http: //schneider.nt- rt.ru/images/manuals/33003879RU.pdf), which includes two different processors - the Intel Pentium model and the application processor. Each of these processors independently performs calculations, and at the end of each cycle, each processor compares its result with the result of another processor. If an error is detected or if the results do not match, any of the processors can turn off the system, i.e. put it in a safe state. The operation of such a microprocessor system, consisting of two different processors, for which two executable codes are developed independently, allows us to identify systematic failures due to errors in the source code of programs and random failures that occur during the operation of the CPU module.

Similar solutions for having a redundant processor interacting with the main processor for mutual control are known from the following patent sources:

US 9,244,454 B2, entitled Control System for Monitoring Critically Safe and Critically Insecure Processes, ABB AG;

US 7,715,932 B2 entitled Method and apparatus for controlling a safety critical process, Pilz GmbH &Co;

US 6,832,343 B2 called Critical Process Control Device, Pilz GmbH &Co;

WO 2015/113994 A1, entitled Pilz GmbH & Co. Method and device for safely disconnecting an electrical load. KG;

US 9,098,074 B2, entitled Security Related Management System and Method for Managing an Automated System, Pilz GmbH & Co. KG, Moosmann Peter.

Known solutions of microprocessor systems for implementing security functions, comprising a central processor, a redundant processor and a third processor, designed to compare and identify inconsistencies in the results of the first two processors.

Thus, the Microprocessor safety system is known, applicable, in particular, in the field of railway transport (patent application RU 94013455 A1), adopted as the closest analogue for the claimed microprocessor systems. Known microprocessor system contains at least two parallel microprocessors that run the same application program. The same input from the sensors is fed to the inputs of these microprocessors. Each of them processes the input data according to the application program with a certain time offset in relation to the other to prevent failures due to common mode interference. Each of the processors sends the processing results to the third comparison processor. The comparison processor compares the results. If this comparison is correct, the comparison processor generates a signature that feeds to the dynamic controller. Upon receipt of the signature, which is a sign of normal operation of the comparison processor, the dynamic controller authorizes the general transfer of output data by microprocessors. Only the output of one of the microprocessors is actually used. In addition, each of the microprocessors performs a self-test, the results of which are sent to the comparison processor. There are various versions of the microprocessor system, for example, from using the same software located on two identical hardware to using two different software located on two different hardware.

The hardware redundancy solutions described above are also used to ensure security in processor technologies, since modern processors or microcontrollers can include many cores on a single chip (dual-core, four-core, multi-core versions). Such solutions are described in EP 1,973,017 A2 called Programmable

- 1,034,974 security-oriented logic controller, ABB AG; EP 2,237,118 A1 Security system to ensure error-free control of electrical devices and safety devices, Robert Bosch GMBH group of companies.

Recently, microcontrollers have appeared that are intended for use in systems with safety requirements. For example, Hercules microcontrollers, (Karl Gleb, Dev Pradhan, Hercules microcontrollers: real-time microcontrollers for equipment with special safety requirements // Bulletin of scientific and technical information Components. Full range of applications, issue 3 (35) 2012. - С.1 -8, https://www.ti.com/graphics/reserved/eugraphics/ 35_ALL.pdf).

The fundamental difference between such a microcontroller and previously known microcontrollers is that in addition to software self-diagnosis, it also implements hardware self-diagnosis mechanisms implemented on a microcontroller chip for diagnosing failures.

Hercules ™ microcontrollers developed by Texas Instrument Corporation use a security architecture concept called a security island. It lies in the fact that for a number of key elements, continuously working hardware-implemented security mechanisms are distinguished. This set of key elements includes a power / clock / reset device, CPU, flash memory, RAM, and associated interconnections. Implementation of hardware testing of these elements gives confidence that these elements work correctly. In this case, software running on these elements can be used to provide software-based diagnostics of other elements, such as peripherals.

To diagnose common failures, the following hardware implemented mechanisms are used in Hercules ™ microcontrollers:

for power control, a voltage control device implemented on a chip was used; To control the timing, a low-power generator implemented on a chip was used; error detection in generated and distributed clock signals is diagnosed using a window watchdog timer;

To control the cores of the microcontroller, a system of parallel cores is used, which implies the presence of a functional core and a control core. At the same time, the same input data is supplied both to the functional core and to the control core. The comparison module monitors the outputs of two cores made with the same logic and signals any errors in the system. The separation of the two cores in time is implemented, so that the cores do not work in phase, but with a difference of 1.5 or 2 cycles, in order to reduce the likelihood of failure for a common reason related to clocking. The crystal of the control core is physically mirrored and deployed relative to the functional core. A built-in logic self-test has been implemented, which provides coverage by core diagnostics at the transistor level when the power is turned on or during periodic inspection intervals during normal operation.

The ECC controller for flash memory and static RAM is located inside the kernel for guaranteed detection of data corruption in memory and the ability to fix single bit errors.

Hercules ™ microcontrollers are not limited to security island logic, which provides hardware-based security mechanisms for key elements. There are hardware-based security mechanisms for peripheral devices that serve to control random errors that are not easily detected using software.

The hardware diagnostics listed above in Hercules ™ microcontrollers reduced the amount of diagnostic software by 30%.

The manufacturers of such a microcontroller guarantee that it works safely and meets the requirements established by GOST R IEC 61508 for functional safety.

The use of such a microcontroller for security purposes allows you to get away from hardware redundancy.

However, such safety microcontrollers, i.e. microcontrollers, which in addition to software diagnostics use hardware testing tools, today have low performance, which does not allow their use in industrial controllers designed to control a large amount of equipment.

So, the MFK5000 (Multifunctional Controller 5000) developed by us should provide control of an object where the number of signals can reach five thousand. At the same time, it is necessary to ensure speed and functional safety requirements.

Specifically, in this application, the CPU850 central processor module is considered, in which the listed requirements must be provided.

The US Pat. No. 9,696,692 B2, ROCKWELL AUTOMATION TECHNOLOGIES, INC. Is dedicated to solving the security problem in an industrial automation control system. The same patent describes the method of operation of the control system, which is adopted as the closest analogue

- 2 034974 for the claimed methods. A control system in a programmable logic controller controls industrial equipment. Industrial equipment can be dangerous to people in the event of a failure in the control system. Therefore, it is necessary to ensure the rapid detection of errors in the control system and the correction of this error. The control system includes a primary control process, a secondary control process and an output process. The method consists in the fact that the primary control process and the secondary control process are configured to process the same input data in one or more control programs. Programs in the primary control process and the secondary control process run simultaneously. During normal operation, the output process is configured to control industrial equipment by using control signals and data received from the primary control process, which are then transmitted to the network and further to the industrial equipment. The secondary control process periodically generates a secondary data control value, while the primary control process periodically generates a primary data control value. These may be cyclic redundancy code (CRC) values. The main thing is that these data verification values are compact (in terms of the number of bits and bytes), which can be quickly compared to determine the status of control processes. The output process compares these two values to detect failure in the primary control process. If the CRC values do not match, it is likely that the primary control process has failed, and the output process may switch the control of industrial equipment to a secondary control process or take measures to shut down the industrial equipment. Information about the diagnosis in the description of the control system of the patent US 9,696,692 B2 not used. It is known that a significant advantage in achieving the functional safety of an electrical / electronic / programmable electronic system (E / E / PE system) related to safety can be provided by diagnostic testing. The diagnostic coverage of each element in the E / E / PE safety-related system should be taken into account when evaluating the achieved failure measure for safety functions (GOST R IEC 61508-2-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 2. System Requirements Appendix C (Mandatory) Diagnostic Coverage and Safe Failure Rate).

The objective of the invention is to ensure the functional safety of the module of the central processor of the industrial controller.

The technical result in the proposed inventions is achieved by the fact that in the implementation of the necessary measures on which the safe operation of the CPU module depends, an excess microprocessor system is used, in which control checks (checking the integrity of the transmitted and processed data, the runtime of the application program or its parts) and a high level diagnostic coverage, failure of any of the devices in the system is detected, and measures are taken to stop the output of output from the CPU module.

To this end, a way to ensure the functional safety of the central processor module of an industrial controller is to use a microprocessor system located in the central processor module and consisting of a central microprocessor, an additional microprocessor, with a kernel architecture different from the core architecture of the central microprocessor, and a safety microcontroller, with In this case, the central microprocessor and the additional microprocessor perform the same tasks with the same input data from the sensors and then transmit the results of processing the input data to the safety microcontroller, which compares these results, while the security microcontroller decides whether to allow the output data from the central processor module to actuators depending on the result of comparing the results from the central and additional microprocessors or depending on the results carried out by the microcontroller security of monitoring the execution time of the task by the central and additional microprocessors or depending on the results of software or hardware self-diagnosis, while the hardware self-diagnosis of the safety microcontroller is carried out using hardware mechanisms implemented on its chip.

When comparing the results obtained in the central and additional microprocessors, the security microcontroller can compare the values of the output data or the values of the verification of the output data, for example, cyclic redundancy codes. In the central microprocessor and in the additional microprocessor, different source codes of the application program can be used to solve the same problems.

To implement the method, a microprocessor system is proposed comprising a central microprocessor, an additional microprocessor made with a core architecture different from the core microprocessor architecture, and designed to perform the same task with the same input data from sensors as the central microprocessor and the security microcontroller, having on-chip hardware mechanisms for self-diagnosis, designed to compare the results of the task performed by the central and additional microprocessors and designed to decide on the resolution of the transfer of output data received in the central microprocessor to executive mechanisms, depending on the result of comparing the results of the central and additional microprocessors of the task or depending on the results of the function it performs to control the execution time of the task in the central and additional microprocessors or depending on the results of it about hardware or software self-diagnosis. The security microcontroller may contain two cores, one of which is functional, and the other control and a comparison module, which is configured to control the outputs of two cores and has the ability to signal any errors.

Instead of a safety microcontroller, a microprocessor can be used to implement the method and to manufacture a microprocessor system.

For the following description of the feasibility of the claimed device and method, the following drawings:

FIG. 1 is a block diagram of a controller, sensor, contactor and motor;

FIG. 2 - the first version of the structural diagram of the microprocessor system of the CPU module; FIG. 3 - the second variant of the structural diagram of the microprocessor system of the CPU module.

The accompanying drawings, showing preferred embodiments of the present invention, are provided as an illustration and not limitation of information disclosure, and may be changed in the scope of the attached claims along with its full scope of equivalents. For example, the phrase output is transferred from the central microprocessor to the actuators is not limited to direct communication, but includes communication through other structural elements (bus controller, bus, output module, etc.), which is understood by specialists in the field of electronics.

When describing the operation of the microprocessor system of the CPU module, the following concepts and conditions used in this application should be stipulated.

The functional safety of a device (CPU module) in this application is understood to mean security, which depends on the correct functioning of a device based on electrical and / or electronic and / or programmable electronic technology.

In ACS TP, a safe state is understood to mean a state of controller outputs in which the actuators connected to them are in the state that is most secure for the control object, namely, the state that does not lead to a breakdown of the control object.

This application describes the operation of an unreserved CPU module, a malfunction of which will lead to the disappearance (shutdown) of the control signal at the controller output. This will lead to the contactor contacts being brought into a safe state, i.e. the contacts will be open, while the control and shut-off valves will occupy a safe position for the process in accordance with the requirements of the technological regulations, and the engines will be stopped. For explanation, FIG. 1, where controller 1 (in the PLC drawing) contains an unreserved CPU module 2 (in the CPU drawing). The input / output modules 3 (in the I / O drawing) communicate with the CPU module 2 via the serial bus 4. Sensor 5 is connected to the input module. The motor 6 is controlled through the contactor 7. If a malfunction occurs in the operation of the CPU module 2, the outputs of the output module will assume the state as if the power was off. This will lead to the opening of the contacts of the contactor 7, the cessation of power supply to the motor 6 and its stop.

The application deals with non-redundant I / O modules.

The controller is designed to collect and process large amounts of data received from instrumentation (sensors), including receiving information from other subsystems of automated control, as well as generating control actions according to programmed control algorithms and transferring these actions to actuators. Algorithm blocks of the controller application software include analog, discrete, and digital signal processing blocks, valve and valve control blocks, automatic control blocks, technological protection and signaling blocks, and logic control blocks. Therefore, the application program is implemented in the form of many independent tasks. The operation of the microprocessor system in this application is described as part of the solution to one of the many independent tasks in which data related to technological protection is processed. The microprocessor system of the CPU module (Fig. 2 and Fig. 3) consists of a central microprocessor 8 (in the drawing MPU1), an additional microprocessor 9 (in the drawing MPU2) and a safety microcontroller 10 (in the MCU drawing). The connection between the central microprocessor 8, the additional microprocessor 9 and the security microcontroller 10 can occur through the FPGA 11, in which areas of the dual-port DPRAM memory are organized. In the same FPGA 11, a controller 12 can be organized that supports the exchange of data between the CPU module 2 and the input-output modules 3 (hereinafter, the bus controller). The bus controller 12 may also be integrated in the safety microcontroller 10. The physical (hardware) level of the interface 13 is shown at the border of the CPU module 2 and bus 4. The microcontroller 10 contains a watchdog timer 14. The watchdog timer 14 requires the response of the microcontroller core to be within the specified time interval, which indicates that the microcontroller remains in working condition and works with the correct values of time pairs

- 4,034,974 meters.

The central microprocessor 8 is designed to execute the application (technological) program of the controller. To describe the operation of the inventive microprocessor system, the operation of the central microprocessor is defined as part of its solution to one independent problem. As part of this task, input from the sensor (s) is processed, and the output is output for controlling the actuator (s).

The additional microprocessor 9 is designed to execute the application (technological) program of the controller in order to verify the correct operation of the central microprocessor 8. The additional microprocessor 9 is made with a core architecture (s) different from the core architecture (s) of the central microprocessor 8.

To describe the operation of the inventive microprocessor system, the operation of an additional microprocessor is defined as solving it exactly the same problem as the central microprocessor solves with the same input data.

In the central microprocessor and additional microprocessor, different source codes of the application program (different machine codes) can be used to solve the same problems.

The application program in the central microprocessor and the application program in the additional microprocessor can operate under the same or different operating systems, or without operating systems at all.

The use of two different microprocessors in a microprocessor system working with different texts of an application program in different operating systems or without operating systems is used to reduce the number of general systematic failures.

The safety microcontroller 10 is designed to control the operation of the central microprocessor 8 and the additional microprocessor 9. Instead of the safety microcontroller, a microprocessor can be used, the design and software capabilities of which allow it to perform the functions listed below. Hereinafter, the term security microcontroller will be used. The microcontroller 10 security has implemented on a chip hardware self-diagnosis mechanisms. So, for example, in the security microcontroller 10, a parallel core system is used, which implies the presence of a functional core and a control core. At the same time, the same input data is supplied both to the functional core and to the control core. The comparison module monitors the outputs of two cores made with the same logic and signals any errors in the system.

The safety microcontroller carries out the following activities:

the security microcontroller compares the results obtained by solving problems in the central microprocessor and in the additional microprocessor and, depending on the result of this comparison, decides whether to allow the transfer of output data from the CPU module to the actuators, in the preferred embodiment, the security microcontroller compares the values of the output data verification (for example , CRC);

the security microcontroller controls the execution time of the task by the central and additional microprocessors and, as a result of this control, makes a decision on the permission to transfer output data from the CPU module to the actuators;

the security microcontroller receives the results of periodically executed software diagnostics from the central microprocessor and the additional microprocessor and, depending on the results, makes a decision on the permission to transfer output data from the CPU module to the actuators;

The microcontroller of safety carries out periodically executed software and hardware self-diagnostics.

The security microcontroller decides to stop the transfer of output from the CPU module to the actuators when a failure is detected in any of the above measures (if a failure is detected in any of the control checks and if a failure is detected in any of the diagnostics).

More detailed listed activities will be disclosed below.

The microprocessor system is as follows.

The sequence of actions is shown in FIG. 2 letters from a to n:

Input data from the bus 4 is transmitted to the bus controller 12 (action a). Next, the input from the bus controller 12 is transmitted to the central microprocessor 8 (step b). In the central microprocessor 8, the input data is fixed. Then this fixed array of input data is transferred from the central microprocessor 8 to the additional microprocessor 9 (action c). After the input data array arrives at the additional microprocessor 9 in both microprocessors 8 and 9, one of the many independent tasks of the application program begins to be executed. As part of this task, input data is processed. Processing results (this can be, like the output data, and only the values of the verification of the output data, for example, cyclic redundant codes

- 5,034,974

CRC) from the central microprocessor 8 and from the additional microprocessor 9 are transmitted to the safety microcontroller 10 (action d and action e). The security microcontroller 10 programmatically compares these results, and, depending on the result of this comparison, enables or disables the output of the central microprocessor 8 to the bus 4. Preferably, the security microcontroller 10 compares the cyclic redundant CRC codes. The main thing is that these values, designed to verify the output, are compact (in terms of the number of bits and bytes) that can be compared quickly. If the cyclic redundancy codes of the results of the central and additional microprocessors are equal, then the security microcontroller 10 authorizes (permits) (step F) the output data from the central microprocessor 8 to the bus controller 12 (step h) and then to bus 4 (step k). If the values of cyclic redundancy codes (CRC) are not equal, then a failure has occurred in one of the microprocessors (central or secondary). In this case, the security microcontroller 10 initiates the termination of the output from the CPU module 2. For this, the security microcontroller 10 generates a RESET signal, which directs (action G) to the central microprocessor 8, which stops the execution of instructions, and / or sends it to the bus controller 12 ( action t), which stops the data exchange on bus 4, and / or generates a prohibiting signal to the physical layer of interface 13 (action p), where the channel for transmitting output data to bus 4 is opened.

Additionally, the security microcontroller 10 receives the results of periodically executed software diagnostics (diagnostics of the serviceability of services, network interfaces, etc.) from the central microprocessor 8 and the additional microprocessor 9. If any of the microprocessors fails, the actions of the security microcontroller 10 will be aimed at stopping the output from the module CPU 2 to bus 4, namely, action G and / or action m and / or action n.

Additionally, the security microcontroller 10 programmatically monitors the task execution time by each of the microprocessors 8 and 9. The task execution time should be in a specified interval (time window), determined for each task based on the amount of processed / transmitted data. If the execution time of a task by one of the microprocessors is outside such an interval, this is perceived as a failure. In this case, the actions of the safety microcontroller 10 will be aimed at stopping the transfer of output data from the CPU module 2 to the bus 4, namely, the action G and / or the action m and / or the action n.

The security microcontroller 10 conducts periodically executed software and hardware self-diagnostics. In the event of a dangerous failure, the watchdog timer 14 does not receive the reset signal of the timer 14 in time. In this case, the timer 14 will issue a RESET signal to the safety microcontroller. According to this signal, all the conclusions of the microcontroller 10 security are automatically transferred to the reset state. This state of the terminals of the safety microcontroller 10 is the active state of the reset signal for the central microprocessor 8, and such a state of the conclusions of the safety microcontroller 10 is prohibiting the bus controller 12 and the hardware of the interface 13 from transmitting data.

The use of a third device (microcontroller) in a microprocessor system, which, using software, controls the first and second devices (microprocessors), in contrast to the use of simple logic elements for control checks, allows one to provide various behaviors of the microprocessor system. So, the actions of the safety microcontroller 10, aimed at stopping the transfer of output data from the CPU module 2, do not always have to stop the operation of the microprocessor system. It is possible to envisage any other further actions, for example, resetting the microprocessors and the microcontroller, their further diagnostics, issuing the diagnostic data to the operator’s monitor, and the decision by the operator to terminate the microprocessor system.

The following devices may be used to implement the described microprocessor system.

As a central microprocessor, the four-core T1040 QorIQ® processor manufactured by NXP SEMICONDUCTORS, with the core architecture Power Architecture e5500, with a clock frequency of 1200 MHz and DMIPS 3600 per core can be used.

As an additional microprocessor, a dual-core QorIQ® LS1020 processor, manufactured by NXP SEMICONDUCTORS, with an ARM Cortex ™ -A7 core architecture, with a clock frequency of 1000 MHz and DMIPS 2500 per core can be used.

As a safety microcontroller, the Hercules microcontroller, TMS570 with the ARM® Cortex-R5F ^™ core architecture, designed for transportation (automobile, rail and aerospace), can be used. Such a microcontroller does not have high performance requirements that are necessary for the controller to work in large process control systems, but such a microcontroller has a high level of diagnostics, which makes it a highly reliable device. So, the Hercules microcontroller, TMS570 ARM® Cortex-R5F, has a clock frequency of up to 300 MHz and DMIPS 500. In addition, the Hercules microcontroller, TMS570 ARM® Cortex-R5F has a FlexRay protocol controller that can be used to exchange data between the bus my

- 6,034,974 by the CPU muzzle and I / O modules.

It should be noted that the above sequence of actions in a microprocessor system can be implemented differently. So, for example, the input from the sensors can enter the central microprocessor through the safety microcontroller. And the output from the central microprocessor can be transmitted to the actuators via the safety microcontroller. Such a sequence of actions is described in the closest analogue (US 9,696,692 B2). For a more detailed description of such an embodiment of the microprocessor system, FIG. 3. Input data from the bus 4 is transmitted to the bus controller 12 (action a), which in this embodiment is shown as integrated into the safety microcontroller 10. Then, the input from the safety microcontroller 10 is transmitted to the central microprocessor 8 (action p). In the central microprocessor 8, the input data is fixed. Then this fixed array of input data is transferred from the central microprocessor 8 to the additional microprocessor 9 (action c). After the input data array arrives at the additional microprocessor 9 in both microprocessors 8 and 9, one of the many independent tasks of the application program begins to be executed. As part of this task, input data is processed. The processing results from the central microprocessor 8 and from the additional microprocessor 9 are transmitted to the safety microcontroller 10 (action x and action y). Preferably, cyclic redundancy code (CRC) output is transmitted from the central microprocessor to the safety microcontroller 10, and only cyclic redundancy codes (CRC) are transmitted from the secondary microprocessor to the safety microcontroller 10. Then, the security microcontroller 10 programmatically compares the CRC of the output from the central microprocessor 8 with the CRC of the output from the additional microprocessor 9. If the cyclic redundancy codes are equal, then the security microcontroller 10 allows the output of the data received in the security microcontroller 10 from the central microprocessor 8 to the bus 4 (action k). If the values of cyclic redundancy codes (CRC) are not equal, then a failure has occurred in one of the microprocessors (central or secondary). In this case, the security microcontroller 10 stops transmitting output data from the CPU module 2. For this, the security microcontroller 10 stops the bus controller 12 and / or generates a inhibit signal (action p) to the physical layer of interface 13, where the channel for transmitting output data to the bus 4 is opened In this embodiment of the microprocessor system in case of failure of the microcontroller 10 security, the output is not guaranteed to be transmitted to the bus 4.

Claims (4)

CLAIM 1. A method of ensuring functional safety of a central processor module of an industrial controller, namely, that a microprocessor system is used in the central processor module for processing input from sensors and for deciding whether to allow output to be transmitted to control actuators from the module the central processor or the termination of the transfer of output data from the central processor module, characterized in that they use a microprocessor system consisting of a central microprocessor, an additional microprocessor with a kernel architecture different from the core architecture of the central microprocessor, and a safety microcontroller configured for hardware self-diagnosis for which it contains two parallel cores made with the same logic, to which the same input data is supplied, and a comparison module designed to control the outputs of two x cores and for signaling errors in their operation, while the same hard data from the sensors is fed to the central microprocessor and to an additional microprocessor, in which they perform the same tasks for processing the input data, the results of which are transmitted to the safety microcontroller, which compares the results from the central microprocessor and from the additional microprocessor and control the execution time of the task in each of the microprocessors, which should be in a predetermined time interval, which is determined based on the amount of data being processed, after which a decision is made in the security microcontroller on allowing the output of data from the central module processor in case there are no errors in the operation of the cores of the microcontroller of safety, and the equality of results from the central and from additional microprocessors is observed, and the execution time of the task in each of the microprocessors was in a given time interval. 2. The method according to claim 1, characterized in that the security microcontroller compares the results of processing the input data from the central and additional microprocessors, which can be used as the values of the output data and the values of the output data, for example, the value of the cyclic redundant code . 3. The method according to claim 1, characterized in that, in the central microprocessor and in the additional microprocessor, different source codes of the application program are used to solve the same problems. - 7 034974 4. The microprocessor system of a central processor module of an industrial controller for implementing the method according to claim 1, comprising a central microprocessor designed to perform a task that processes input data from sensors, an additional microprocessor configured with a kernel architecture different from the core architecture of the central microprocessor, and designed to perform the same task with the same input data from the sensors as the central microprocessor, and a security microcontroller that has two parallel cores for the hardware self-diagnosis, made with the same logic, to which the same input data is supplied, and a comparison module, designed to control the outputs of two cores and to signal errors in their operation, and intended to compare the processing results from the central microprocessor and from the additional microprocessor and to control the execution time of tasks in each of the microprocessors, which must be in a predetermined time interval, which is determined based on the volume of data being processed, and capable of allowing the transfer of output data intended for controlling actuators from the central microprocessor if there are no errors in the operation of the cores of the safety microcontroller, and the equality of processing results in central and in additional microprocessors, and the task execution time in each of the microprocessors is in a given time interval.