
HK1078143B - Safety control system for fail-safe control of safety-critical processes and method for running a new operating program therein - Google Patents


Info

Publication number: HK1078143B
Authority: HK (Hong Kong)
Prior art keywords: operating program, version information, safety controller, new operating, hardware
Application number: HK06100849.7A
Other languages: Chinese (zh)
Other versions: HK1078143A1 (en)
Inventors: 约翰内斯.克勒普弗, 克劳斯.沃恩哈斯
Original assignee: 皮尔兹有限公司
Priority claimed from: DE10240584A (DE10240584A1)
Application filed by: 皮尔兹有限公司
Publications: HK1078143A1, HK1078143B

Description

Safety controller for the failsafe control of safety-critical processes and method for loading a new operating program onto such a safety controller
Technical Field
The invention relates to a safety controller for the fail-safe control of safety-critical processes, and in particular for the fail-safe disconnection of a machine or machine system, having: an input module for automatically reading in a process signal; a fail-safe signal processing module for automatically processing the process signal; and a fail-safe output module for outputting a control signal generated by the signal processing module, wherein the signal processing module comprises at least one programmable processor and at least a first read-only memory in which a current operating program for the processor is stored in non-volatile form.
The invention also relates to a method for loading a new operating program onto such a safety controller and to a corresponding operating program.
Background
A safety controller of the above-mentioned type is known, for example, from WO 98/44399.
For the purposes of the present invention, a safety controller is a device, or a combination of interconnected devices, which receives process signals from sensors and generates output signals from these signals by means of logical operations and possibly further signal or data processing steps. The output signals are sent to actuators, which carry out a specific action or reaction in the surrounding area. One preferred field of application of safety controllers is machine safety, i.e. the monitoring of emergency stop buttons, two-hand controls, guard doors, light barriers, standstill monitors and the like. These sensors are used, for example, to safeguard machinery that could injure an operator during operation. When the guard door is opened or the emergency stop button is actuated, a process signal is generated and fed as an input signal to the safety controller. In reaction to this input signal, the safety controller switches off the hazardous part of the machine in a fail-safe manner by means of the connected actuator.
One characteristic feature that distinguishes safety controllers from "conventional" controllers is that the safety controller must at all times ensure that the process being controlled (e.g. a hazardous machine) is in a safe state. This requirement must be met even when the safety controller itself, or a device connected to it, malfunctions. Safety controllers therefore have to meet very stringent requirements regarding their own fail-safety, which considerably increases the effort during development and manufacture. Usually, before they may be used, safety controllers require special approval from the responsible authorities, for example in Germany from the professional associations or from the so-called TÜV (technical inspection association). The safety controller must comply with a defined safety standard, for example the safety standard defined in European standard EN 954-1. The present invention takes these particular requirements into account. In the present case, the term "safety controller" therefore refers only to a device, or combination of devices, approved at least according to level 3 of the above-mentioned European standard for the control of machines, machine systems or the like.
A programmable safety controller enables the user to define individually, by means of software and in particular a so-called user program, the logical operations to be performed on the input signals according to his requirements. The programmable safety controller thus uses logical switching elements to replace the conventional hard-wiring formerly required for each sensor. To provide this functionality, the programmable safety controller has an operating program which is separate from the user program and which defines the basic functional scope of the safety controller. In particular, the operating program contains the program code with which the hardware components of the safety controller are addressed directly and thus "activated".
For example, prefabricated function modules for the fail-safe evaluation of a two-channel emergency stop button or of a two-channel guard door may be contained in the operating program.
For safety reasons, the user has no access to the operating program, i.e. he can neither replace nor modify it. This operating program is commonly referred to in the art as firmware.
WO 98/44399, already mentioned above, describes a method for programming a safety controller in which safety control rules are stored in the safety controller in the form of function modules. With his user program, the user can select the function modules, configure them and link them to one another by logical operations. This is done by means of a programming device, with which commands concerning the selection, configuration and logical linking of the function modules are transmitted to the safety controller. However, as mentioned above, the user has no access to the safety control rules implemented within the function modules, i.e. he can neither replace nor modify them.
This prohibition of access to the operating program reflects the established practice for safety controllers, since it is the operating program in combination with the hardware of the safety controller that is approved by the responsible supervisory authority. According to prevailing opinion, the manufacturer of the safety controller cannot guarantee fail-safety on the basis of the granted approval if the user has access to the combination of hardware and operating program.
However, this prescribed procedure has the disadvantage that functional changes within the operating program of the safety controller can only be carried out by the manufacturer of the safety controller itself. If a change of function or some other intervention in the operating program is required, the user must either send the safety controller to the manufacturer or request expert, approved service personnel from the manufacturer. This involves cumbersome and expensive work and, in addition, has disadvantages with regard to the downtime of the machine system in which the safety controller is used.
Where safety is not a consideration, for example in the case of a commercially available personal computer, it is conventional practice for the user to carry out software updates on his own responsibility by obtaining new software from the manufacturer and loading it onto the personal computer on his own initiative. This also applies to so-called operating systems, which are operating programs in the sense of the present invention. From a general point of view, however, such a procedure is not feasible for safety applications, since it would cause the manufacturer of the safety controller to lose sole control over the combination of hardware and operating program. Combinations of hardware and operating program that have not been checked could then occur, which presents a safety risk.
Disclosure of Invention
It is an object of the invention to specify a safety controller of the initially described type which allows a more flexible and cost-effective adaptation to the requirements of the customer.
This object is achieved with a safety controller of the initially described type having a downloading device for transferring a new operating program, wherein the downloading device enables or inhibits the transfer of the new operating program in a fail-safe manner on the basis of start-up information.
The object is also achieved with a method for loading a new operating program onto a safety controller of the initially described type, the method having the following steps:
a safety controller with a current operating program is provided,
a new operating program is provided for operating the safety controller,
start-up information is provided, and
the new operating program is transferred into the read-only memory of the safety controller on the basis of the start-up information.
The invention thus departs from the principle applied up to now, according to which interventions affecting the safety control rules may only be carried out by the manufacturer, who is responsible to the supervisory authority.
This departure from the previous approach is possible because it was surprisingly found that seamless control of the safety controller by the manufacturer can still be maintained by means of specific, additional start-up information. The manufacturer retains control over the selection and definition of the start-up information. With this start-up information, the manufacturer of the safety controller can limit the number of possible combinations of hardware and operating program on the user side "automatically" or "by machine", since loading of new operating programs is otherwise inhibited in a fail-safe manner. The downloading device may be designed to transfer the new operating program only when it is established, on the basis of the required start-up information, that the manufacturer has released the transfer onto the existing hardware platform. The start-up information, which may for example contain a list of permissible hardware platforms, can be checked in a fail-safe manner using program or circuit measures known per se and commonly used in the field of machine safety, in particular by two-channel and preferably mutually diverse checking of the start-up information and/or two-channel and preferably mutually diverse inhibiting of the transfer.
The new safety controller is more flexible in terms of the logical monitoring it can perform, since the user is able to update the operating program software himself. The manufacturer's production and service costs can be reduced. Furthermore, the downtime of the machine system caused by modification of the safety controller at operating program level can be reduced, because there is no need to wait for the manufacturer to send a service technician. The user can also make more extensive use of an existing safety controller, since he can upgrade it by loading a new operating program with a new range of functions. These advantages have no negative impact on safety, however, because, as before, the user has no access to the internal safety control rules.
Thus, the above object is fully achieved.
In a development of the invention, the start-up information is at least partially integrated in a machine-recognizable manner in the new operating program.
This refinement makes it very simple and convenient for the user to make a selection, to evaluate the start-up information in a fail-safe manner and to enable or inhibit the transfer of a new operating program in a fail-safe manner. Furthermore, with at least partially integrated start-up information, the handling involved can be reduced further, which can also improve safety.
In a further refinement, the start-up information comprises a first sequential version information item and a second sequential version information item, wherein the first sequential version information item is associated with the current operating program and the second sequential version information item is associated with the new operating program.
Sequential version information items, i.e. version information items which can each be placed at only one specific position within a sequence, enable or inhibit the loading in a fail-safe manner in a particularly simple way. This is because, in theory, the manufacturer ships the safety controller together with the operating program loaded on it. As before, the combination of hardware platform and current operating program is thus under the complete control of the manufacturer within its own organization. The sequential version information items then make it easy for the manufacturer to ensure that the user can only load updated operating programs, that is, operating programs with higher sequential version information items. Under no circumstances is it then possible for the user to transfer an "old" operating program onto the safety controller. In practice, therefore, most of the combinations of hardware platform and operating program that have not been checked, and are therefore not permissible, are ruled out in a simple manner.
For his part, the manufacturer can verify with the supervisory authority that a new version of the operating program, having a higher sequential version information item, runs properly and fail-safely on the hardware platforms used previously. The effort involved can be kept low because new versions of operating programs are typically built on earlier versions and therefore contain only a limited range of modifications.
The fail-safe checking of the sequential version information items also rules out the theoretical possibility of the user loading onto a new safety controller an old operating program that has not been checked in that combination.
In a further refinement, the downloading device comprises a comparator for comparing the first and second version information items, and the downloading device further comprises an enabling means which, by means of the comparator, inhibits loading of the new operating program in a fail-safe manner when the sequential second version information item is lower than the sequential first version information item.
In this refinement, the sequential version information items are evaluated "automatically" or "by machine" in an advantageous manner in order to enable or inhibit the transfer. It goes without saying that the comparator and the enabling means can be implemented either as hardware modules or in the form of software, i.e. within the current operating program.
In a further refinement, the enabling means enables loading of the new operating program only when the sequential second version information item is higher than the sequential first version information item.
In other words, when the sequential second version information item is identical to the sequential first version information item, loading of the new operating program is likewise inhibited.
In this refinement, in addition to the measure explained above, reloading of the same operating program is inhibited. A user of the safety controller who encounters a fault might, for example, believe that it can be corrected by reloading the existing operating program and therefore be tempted to do so. Such "self-help" is, however, often unreliable. It is therefore advantageous for safety if the user himself can only load operating programs with higher version information items onto his safety controller.
In a further refinement, the first and second version information items are stored in a fail-safe manner in the respective operating programs.
In particular, the fail-safe protection of the version information is implemented using redundant storage and/or a signature formation method known per se, for example in the form of a CRC (cyclic redundancy check). In this refinement, an undesired loading of a new operating program can be prevented even if the version information itself is defective or corrupted, so that the new operating program can be loaded more reliably. This further strengthens the manufacturer's control over the safety controller.
In a further refinement, at least the new operating program comprises program code which implements the safety control rules on the safety controller when the new operating program is run on the safety controller.
This measure makes it possible to modify the full functional range of the safety controller in a particularly advantageous manner, without the manufacturer of the safety controller losing control over it. The advantages of the invention are particularly apparent in this refinement. Here the user can modify the safety control rules by loading a new operating program. However, the user is restricted to replacing the "entire package" of implemented safety control rules, which remains under the manufacturer's control. He cannot modify or manipulate the safety control rules himself, which would otherwise present a safety risk.
In a further refinement, a second read-only memory is provided, in which a first item of hardware information is stored which is characteristic of at least the signal processing module. Further, the new operating program contains a second item of hardware information which is characteristic of the minimum required hardware configuration, and the enabling means enables or inhibits loading of the new operating program by comparing the first and second items of hardware information. In other words, the enabling means inhibits the storing on the basis of a comparison of the first and second items of hardware information.
This refinement of the invention also enables the manufacturer of the safety controller to ensure that the new operating program is only run on a hardware platform which meets the minimum preconditions he has tested for. The manufacturer of the safety controller can thereby further limit the range of combinations of hardware platform and operating program that can arise on the user side. From the manufacturer's point of view, this reduces the effort required to verify the permissible combinations of hardware platform and operating program without error. From the user's point of view, it further reduces the risk of a safety-critical combination of hardware and operating program.
In a further refinement, the first and second items of hardware information comprise sequential version information items.
This allows the permissibility of the combination of hardware platform and operating program to be verified easily and reliably on the user's premises.
In a further refinement, the first and second items of hardware information each contain type information.
This makes the check for a permissible combination of hardware platform and operating program simpler and more reliable to implement. The type information may distinguish between different families of hardware platforms, so that loading of operating programs that are unsuitable for a particular type can be prevented irrespective of the version information. In conjunction with the sequential version information, a duplicated check is also obtained, which provides additional safety.
It is obvious that the features described above and those yet to be described below can be used within the scope of the present invention not only in the respectively indicated combination but also in other combinations or alone.
Drawings
Exemplary embodiments of the invention are described in more detail in the following description and are illustrated in the accompanying drawings, in which:
Fig. 1 shows a schematic diagram of a safety controller according to the invention, and
Fig. 2 shows a flow chart for explaining the method according to the invention.
Detailed Description
In fig. 1, a safety controller according to the invention is denoted by reference numeral 10.
According to a preferred embodiment of the present invention, the safety controller 10 is used here for the safe disconnection of a machine system, in particular a machine system in an industrial production environment. By way of example, the machine system is shown with three electric drives 12, which can be switched off individually or jointly by the safety controller 10. In this application example, the safety controller 10 evaluates two emergency stop switches 14 and a guard door 16 as input signals. The emergency stop switches 14 and the guard door 16 are arranged in a manner known per se in the field of machine systems in order to protect the operating personnel working there.
The safety controller 10 of the present embodiment is a dedicated device which is solely responsible for safeguarding the machine system, i.e. it switches off the drives 12 when the emergency stop switches 14 or the guard door 16 output a corresponding switch-off signal. The operational control of the machine, i.e. for example the acceleration or braking of the drives 12 in accordance with the work process, is not the task of the safety controller 10 in this case. A separate operational controller, known per se, is provided for this purpose, but is not shown here for the sake of simplicity. Alternatively, however, in other exemplary embodiments the safety controller 10 may also provide the operational control of the machine system. It goes without saying that the safety controller 10 is then more complex and, in addition to the input and output signals shown, also receives and transmits control signals of other kinds.
Furthermore, it goes without saying that, in addition to the signal transmitters shown here for the input signals, i.e. the emergency stop switch 14 and the protective door 16, any other desired signal transmitters, for example, two-hand buttons, a standstill monitor, a light barrier or a position switch, can also be connected to the inputs of the safety controller 10. The safety controller 10 performs a failsafe evaluation of these signal transmitters in a manner known per se, using an operating program and a user program.
Other electrical loads which have to be disconnected in a fail-safe manner in response to a signal at the inputs of the safety controller 10 can likewise be connected to the outputs of the safety controller 10.
Finally, it should be noted that the user can program the safety controller 10 in a manner known per se by means of a user program. However, the advantages of the present invention may also be applied to safety controllers which the user cannot program with a user program but which nevertheless have an operating program in the sense described above. The applicant of the present invention sells such safety controllers, for example, within the PNOZelog™ product family; until now, the users of these devices have not been able to replace the operating program.
To receive the process variables from the signal transmitters, i.e. the emergency stop switches 14 and the guard door 16, the safety controller 10 has an input module 18. Because of the required fail-safety, the input module 18 is typically of dual-channel, redundant design, which is indicated in Fig. 1 by dashed lines. In individual cases, however, it is sufficient to design the input module 18, or at least part of it, with a single channel. For the sake of simplicity, the input module is shown as a dedicated function block in the block diagram of Fig. 1. In practice, however, it may be implemented partly in software and embedded in the operating program in a suitable form.
Reference numeral 20 denotes a signal processing module within the safety controller 10. It links the process signals received from the input module 18 in a manner known per se and uses them to generate control signals, which are output via an output module 22. The output module 22 usually contains relays, contactors or other electronic switches via which the drives or, in general, the machine system are supplied with power and which are opened in a fail-safe manner. Fail-safety is again indicated by the diagonal line representing the redundant design of the output module 22. The flow of signals from the input module 18 through the signal processing module 20 to the output module 22 is indicated by the corresponding block arrows in Fig. 1.
The signal processing module 20 contains at least one programmable processor 24 as well as a read-only memory 26 and a main memory 28. In a manner known per se, the operating program 30 of the processor 24 is stored in non-volatile form in the read-only memory 26. The operating program is the sum of the program instructions, in machine-readable form, which implement the basic functions of the safety controller 10. Specifically, in the exemplary embodiment, the operating program 30 contains the program instructions with which the processor 24 can read in and output signals. These program instructions effectively "activate" the hardware of the safety controller 10.
In addition, the operating program 30 here contains a set of prepared safety control rules with which, for example, a fail-safe evaluation of a two-channel emergency stop switch is provided. Corresponding fail-safe evaluation algorithms are likewise provided for all other permissible signal transmitters and for all permissible actuators at the outputs of the safety controller 10.
If the safety controller 10 is a proprietary device, the operating program 30 also includes associations between safety control rules and input and output connections. In this case, the user has no influence or at most only a very limited influence on the functional range. However, as described above, alternatively, the safety controller 10 may be produced in such a manner that a user can select the safety control rules and configure the safety control rules using a user program established by the user.
The main memory 28 is used for temporarily storing intermediate variables and may also be used for storing user programs, which are located in the operating program 30.
In this exemplary embodiment, the signal processing module 20 within the safety controller 10 is designed to be inherently fail-safe by means of a redundant implementation with mutual checking and verification. To this end, the processor 24, the read-only memory 26 and the main memory 28 are provided in pairs.
Reference numeral 32 in the block diagram denotes a downloading device for loading a new operating program 34. "Loading" here means storing the new operating program 34 in the read-only memory 26 in such a way that the new operating program 34 determines the functional range of the safety controller 10 together with, and/or instead of, the first operating program 30. In particular, loading a new operating program 34 may involve completely replacing the existing operating program 30. The previously provided safety control rules can thus be replaced, inter alia, by modified safety control rules.
According to the invention, the downloading device 32 here contains a comparator 36 and an enabling means 38. Furthermore, sequential version information items are provided within both the existing operating program 30 and the new operating program 34; they are indicated in Fig. 1 by reference numerals 40 and 42, respectively. The comparator 36 reads the version information item 40 of the existing operating program 30 and the version information item 42 of the new operating program 34 and compares them. On the basis of the result of this comparison, the enabling means 38 either inhibits or enables the loading of the new operating program 34. Specifically, the downloading device 32 allows the new operating program 34 to be loaded only when the version information of the new operating program 34 is higher than that of the existing operating program 30. In other words, the new operating program 34 is loaded into the safety controller 10 only if it is newer than the existing operating program 30, and this is determined by comparing the version information items.
It is clear that the representation in Fig. 1 with the comparator 36 and the enabling means 38 has been chosen primarily for illustrative reasons. In an actual implementation, the version information items are compared, and the loading process inhibited or enabled, by program, i.e. by means of suitable program instructions which are stored in the read-only memory 26 as part of the existing operating program 30 and are processed by the processor 24. The hardware of the downloading device 32 further comprises an interface known per se, for example an RS232 interface, through which the new operating program 34 can be read in once the loading has been enabled.
According to a preferred exemplary embodiment of the present invention, the version information items 40 and 42 of the operating programs 30 and 34 are embedded in the operating programs with redundancy and/or protected by fail-safe measures, for example CRC checks or some other signature formation method. The enabling means 38 allows the new operating program 34 to be loaded only if the fail-safe comparison of the two version information items 40, 42 indicates that the version information of the new operating program 34 is indeed higher than the version information of the existing operating program 30.
According to a preferred exemplary embodiment, a hardware information item 44 characteristic of at least the signal processing module 20 is also stored in the safety controller 10. In other words, the hardware information 44 indicates the development state of the hardware platform of the safety controller 10. According to a particularly preferred exemplary embodiment, the hardware information additionally includes type information 46, by means of which different hardware platforms can be identified more precisely. In addition, the new operating program 34 contains a second item of hardware information 48, which identifies at least the hardware preconditions it requires. The hardware information items 44, 48 are preferably also sequential version information items, so that both the existing hardware platform and the minimum required preconditions can each be placed at exactly one position in the development sequence.
In the preferred exemplary embodiment, the hardware information 44, 46, 48 is also taken into account when deciding whether to enable or inhibit the loading of a new operating program 34. Specifically, loading of the new operating program 34 is enabled only when the hardware platform of the safety controller 10, as identified by the stored hardware information 44, 46, actually meets the minimum requirement encoded within the operating program 34.
According to a further preferred exemplary embodiment, a further version information item 50 is also stored in non-volatile form within the safety controller 10, defining the lowest permissible version of the new operating program 34. In this exemplary embodiment, enabling the loading of the new operating program 34 therefore also depends on the version information item 42 being higher than the defined lowest version information item 50. This additional comparison criterion makes the loading of the new operating program 34 dependent on a further check. This check may, however, be omitted if the manufacturer of the safety controller 10 ensures that the safety controller 10 is always shipped with only one operating program 30, whose version information item 40 is included. Then, by virtue of the fact that the new operating program 34 is loaded only when its version information item is higher than the existing version information item, the minimum requirements for the new operating program 34 are already ensured.
Fig. 2 illustrates schematically, by means of a flow chart, how the new operating program 34 is loaded. It will be readily seen that the method can be implemented well as suitable program code for the processor 24.
First, the download mode is activated at step 60. To prevent incorrect control actions and inadvertent activation, it is advantageous to perform this step by operating a key-operated switch (not shown here) provided on the safety controller 10 specifically for this purpose. However, the download mode may also be activated by software, for example by entering a password or the like.
The version information item 40 of the existing operating program 30 is then read at step 62, and the version information item 42 of the new operating program 34 is read at step 64. The two version information items 40, 42 are compared at step 66. If the version information item 40 of the existing operating program 30 is equal to or higher than the version information item 42 of the new operating program 34, the method is terminated at step 68 and the download mode is preferably ended.
If the comparison of the two version information items 40, 42 shows that the new operating program 34 may be added or that the existing operating program 30 may be replaced by it, the hardware information items 44, 46 of the safety controller 10 are read in step 70. The hardware information item 48, which defines the minimum hardware preconditions for running the new operating program 34, is then read at step 72. In the preferred exemplary embodiment described here, a type comparison is performed first at step 74, i.e. it is checked on the basis of the type information whether the operating program 34 is permitted to run on the safety controller 10 at all. If this is not the case, the download mode is again ended at step 76.
Conversely, if the type comparison is positive, a further criterion is checked at step 78, namely whether the hardware information item 44 of the safety controller 10 is higher than or at least equal to the minimum hardware information item 48 contained in the operating program 34. If this comparison indicates that the safety controller 10 does not meet the minimum hardware preconditions, the download mode is again terminated at step 80.
If the hardware precondition check based on the hardware information items is also positive, the operating program 34 is loaded in step 82, i.e. it is stored in the read-only memory 26. Once this storing process is complete, the new operating program 34 is available and either replaces the existing operating program 30 or exists alongside it for operation of the safety controller 10.
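The admission check of Fig. 2 (steps 62 to 82, plus the optional lowest-version criterion of item 50) written out as C code. This is an added illustration, not code from the patent; the struct layouts, field names and the width of the version fields are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Outcome of the check; the comments name the Fig. 2 step reached. */
typedef enum {
    ADMIT_LOAD,                /* step 82: store the program in read-only memory 26 */
    REJECT_VERSION_NOT_NEWER,  /* step 68: item 42 not higher than stored item 40 */
    REJECT_BELOW_MIN_VERSION,  /* optional check: item 42 not higher than item 50 */
    REJECT_TYPE_MISMATCH,      /* step 76: type information 46 does not match */
    REJECT_HARDWARE_TOO_OLD    /* step 80: hardware item 44 below required item 48 */
} admit_result_t;

/* Information held in non-volatile memory of the safety controller 10
 * (reference numerals as in the description; layout is assumed). */
typedef struct {
    uint32_t version;         /* 40: sequential version of current program 30 */
    uint16_t hw_type;         /* 46: hardware platform type */
    uint32_t hw_version;      /* 44: sequential hardware version of module 20 */
    bool     has_min_version; /* whether the optional item 50 is configured */
    uint32_t min_version;     /* 50: lowest permissible version of a new program */
} controller_info_t;

/* Header carried inside the new operating program 34 (assumed layout). */
typedef struct {
    uint32_t version;         /* 42: sequential version of the new program */
    uint16_t hw_type;         /* platform type the program was built for */
    uint32_t min_hw_version;  /* 48: minimum hardware version required */
} program_header_t;

/* Steps 62 to 82 of Fig. 2: every criterion must pass before loading is
 * enabled; the first failing criterion ends the download mode. */
admit_result_t admit_new_program(const controller_info_t *ctl,
                                 const program_header_t *hdr)
{
    /* steps 62-68: the new version must be strictly higher than the stored one */
    if (hdr->version <= ctl->version)
        return REJECT_VERSION_NOT_NEWER;
    /* further criterion of the description: above the lowest permitted version 50 */
    if (ctl->has_min_version && hdr->version <= ctl->min_version)
        return REJECT_BELOW_MIN_VERSION;
    /* steps 70-76: type comparison on the basis of type information 46 */
    if (hdr->hw_type != ctl->hw_type)
        return REJECT_TYPE_MISMATCH;
    /* steps 78-80: hardware 44 must be at least the required minimum 48 */
    if (ctl->hw_version < hdr->min_hw_version)
        return REJECT_HARDWARE_TOO_OLD;
    return ADMIT_LOAD;        /* step 82: the caller now stores the program */
}
```

In a real controller the header fields would be authenticated (the description mentions cryptographic protection of items 42 and 48) before this comparison is run on them.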
The new operating program 34 may be transferred to the safety controller 10 in various ways. As described above, the operating program 34 may be transferred to the safety controller 10 via the serial interface once the download mode has been activated. Transfer is also possible by means of a field bus or an exchangeable storage medium. In principle, the new operating program 34 can also be transmitted via the internet.
To increase fail-safety further, it is advantageous for the operating program 34, and in particular the version information items 42 and 48, to be protected by cryptographic algorithms known per se against harmful manipulation and corruption. A suitable decryption program (not shown here) is then provided in the safety controller 10.
In the preferred exemplary embodiment described so far, the version information item consists, for example, of a combination of numbers and/or letters that defines exactly one position within the sequence. Alternatively, however, the version information items may be provided not in such an explicit form but in the form of an algorithm which produces a unique result and thereby allows the sequential version information to be determined definitively. This is also sequential version information for the purposes of the present invention.

Claims (12)

1. A safety controller for fail-safe disconnection of a machine (12) or a machine system, the safety controller having: an input module (18) for automatically reading a process signal; a fail-safe signal processing module (20) for automatically processing the process signal; and a fail-safe output module (22) which generates the control signal by means of the signal processing module (20), wherein the signal processing module (20) comprises at least one programmable processor (24) and at least a first read-only memory (26) in which a current operating program (30) for the processor (24) is stored in a non-volatile form, characterized in that the safety controller comprises a download means (32) for transferring a new operating program (34) and a second read-only memory in which a first hardware information item (44) is stored, which first hardware information item (44) is at least characteristic of the signal processing module (20), wherein the new operating program (34) comprises a second hardware information item (48), which second hardware information item (48) is characteristic of the minimum required hardware configuration, and the download means (32) utilize start-up information (40, 42, 44, 48) containing the first and second hardware information items (44, 48) to enable or disable the transfer of the new operating program (34) in a failsafe manner.
2. A safety controller as claimed in claim 1, characterized in that the start-up information (40, 42, 44, 48) is at least partially integrated in the new operating program (34) in machine-recognizable form.
3. A safety controller as claimed in claim 1 or 2, characterized in that the start-up information (40, 42, 44, 48) further comprises a first sequential version information item (40) and a second sequential version information item (42), wherein the first sequential version information item (40) is associated with the current operating program (30) and the second sequential version information item (42) is associated with the new operating program (34).
4. A safety controller as claimed in claim 3, characterized in that the downloading means (32) comprise a comparator (36) for comparing a first sequential version information item (40) with a second sequential version information item (42), and comprise activating means (38), wherein the activating means (38) disable loading of the new operating program (34) in a failsafe manner by means of the comparator (36) when the second sequential version information item (42) is lower than the first sequential version information item (40).
5. A safety controller according to claim 4, wherein the initiating means (38) initiates loading of the new operating program (34) only when the second sequential version information item (42) is higher than the first sequential version information item (40).
6. A safety controller as claimed in claim 3, characterised in that the first and second sequential version information items (40, 42, 44, 48) are stored in a fail-safe manner in the respective operating programs (30, 34).
7. A safety controller as claimed in claim 1, characterized in that at least the new operating program (42) comprises program code which implements the safety control rules in the safety controller (10) when the new operating program (42) is run on the safety controller (10).
8. A safety controller as claimed in claim 1, characterised in that the first and second items of hardware information (44, 48) comprise sequential items of hardware version information.
9. A safety controller as claimed in claim 1, characterised in that the first and second items of hardware information (44, 48) comprise hardware type information (46).
10. A method for loading a new operating program on a safety controller as claimed in any one of claims 1 to 9, the method having the steps of:
providing a safety controller (10) having a first read-only memory (26), a current operating program (30) being stored in the first read-only memory (26),
providing a first item of hardware information (44) in a second read-only memory of the safety controller (10), the first item of hardware information (44) being characteristic of the safety controller (10),
providing a new operating program (34),
providing a second item of hardware information (48) within the new operating program (34), wherein the second item of hardware information (48) is characteristic of a minimum required hardware requirement of the new operating program (34), and
transferring the new operating program (34) to the first read-only memory (26) using start-up information (40, 42, 44, 48) including the first and second items of hardware information.
11. The method of claim 10, wherein the startup information (40, 42, 44, 48) further comprises a first sequential version information item (40) and a second sequential version information item (42), wherein the first sequential version information item (40) is associated with a current operating program (30) and the second sequential version information item (42) is associated with a new operating program (34).
12. A method as claimed in claim 11, characterized in that the transmission is inhibited when the second sequential version information item (42) is lower than the first sequential version information item (40).
HK06100849.7A 2002-08-28 2003-08-20 Safety control system for fail-safe control of safety-critical processes and method for running a new operating program therein HK1078143B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE10240584.0 2002-08-28
DE10240584A DE10240584A1 (en) 2002-08-28 2002-08-28 Safety control system for fault protected operation of critical process such as occurs in machine system operation
PCT/EP2003/009196 WO2004025382A1 (en) 2002-08-28 2003-08-20 Safety control system for fail-safe control of safety-critical processes and method for running a new operating program therein

Publications (2)

Publication Number Publication Date
HK1078143A1 HK1078143A1 (en) 2006-03-03
HK1078143B true HK1078143B (en) 2010-10-22
