The invention relates to a device and a method for a parallel and independent operation of a normal and a secure program for safety-critical applications, particularly in a machine environment.
In the field of freely programmable electronic controls it is common for the controls to be adapted by configuring multifunctional inputs and outputs, e.g. for use in mobile work machines and in particular for customer-specific tasks which such machines are to fulfill. For this purpose the manufacturers of work machines prepare specific application programs (AWP) using a programming system, which comprises e.g. program preparation, a program test, program translation and/or uploading of the program into the control. In many cases a run-time system (LZS) is implemented here, in whose environment the AWP generated by the programming system and uploaded into the control can start and operate. The LZS controls the communication between a computer and a control system.
In order to fulfill safety requirements, the AWPs must be certified before they can be classified as functionally safe and may be used in the work machines for the respective applications. If a program adjustment to an AWP becomes necessary, e.g. because the sequence, duration or speed of the tasks to be performed is to be changed, a new certification is usually required after the program change, even for minimal changes. As a result, work processes or functionalities are not always improved, even when it is known how such an improvement could be achieved. The more secure an AWP has to be, the more difficult it is for an operator or manufacturer of a machine to implement any changes at all without a new certification being required. This circumstance is particularly obstructive when a given control is generally suitable for a plurality of different applications and its functionality is not fully utilized.
Accordingly, there is a need for software applications in such freely programmable controls which can be operated in parallel and independently of each other without mutually influencing each other, even when they control processes that must comply with different safety requirements. In particular, the exchange of input and/or output information with a single-channel hardware, certified with regard to a certain safety standard, must be possible here.
The publication DE 10 2006 037 153 A1 shows a method for the secure signal control and monitoring of a vehicle, in which application software for processing sensor data is implemented on a first, relatively more secure computer, and the first computer is released by a second, less secure computer on which sensor data not used for secure purposes can be processed; the two computers communicate via an interface and software for software diagnostics.
The publication DE 10 2009 011 679 A1 shows a method and a device for preparing an application program for a safety control, with a separation into at least two program parts with different safety requirements. Based on a repeatedly allocated momentary value, conditions for allocating the momentary value, and an allocation in the form of conversion instructions, an interaction occurs here between less secure variables from a first program part and more secure variables from a second program part, in order to convert a non-safety-relevant program variable into a safety-relevant program variable; a sensor embodied in a fail-safe fashion is then no longer required for providing the momentary value. In this method a secure program code can be separated from a less secure program code, so that a user program can run on a microprocessor based on the more secure functions.
The patent publication DE 10 2009 019 087 A1 shows a safety control and a method for controlling an automated facility, in which test values can be determined for program variables, particularly based on momentary values characterizing the program variables. A redundant control with two independent processors may be provided here for respectively one type of program variable, with a comparison of the results, particularly a momentary value comparison, in order to allow an initialization of the safety control with regard to the momentary safety situation.
The patent publication DE 10 2009 019 089 A1 shows a method and a device for producing an application program for safety controls, in which a source code with control and diagnostics instructions is prepared and a machine code is generated from the source code, in order to determine a checksum for a part of the machine code independent of the diagnostics instructions. The safety control here is based on a certain way of determining this checksum depending on certain safety codes.
From the above-mentioned publications it is discernible that, for safety controls, the independence of the process of the safety-critical program component is ensured when the applications requiring a higher safety standard operate separately from the applications with lower safety requirements.
Furthermore, DE 10 2005 007 477 A1 shows a machine control device based on a PC operated with an operating system, in which a safety control is provided in addition to a standard control. The safety-relevant functions can be separated from the functions not relevant for safety by a modular distribution within the machine control device into at least one safety module, particularly by a separation on the hardware level, with safety-relevant functions being processed exclusively in the safety modules, so that a separate certification of the safety-relevant assemblies is possible. An interface towards the outside is formed via the part which is not secure. The safety module may be embodied as a PC plug-in module which communicates with the standard control via a PCI interface.
DE 102 12 151 B4 shows a method for safety-critical applications in which data is decoded in two differently processing environments, each using a safety time interval, so that, thanks to the given redundancy, the decoded data can be issued at various times or also in the form of various data, and the failure risk is thus reduced.
In DE 10 2005 009 795 A1 a microprocessor system is shown for a machine control in applications that can be provided with safety certifications, in which, in addition to a primary processor, at least one safety processor with a separate program/data memory is used, both processors using the same communication bus. Program data can be stored in the program memories of the safety processors without the primary processor being able to access this data, particularly by using a secure transmission path comprising a general bus and a mailbox with a state machine for loading the data into the safety processor.
DE 10 2006 001 805 A1 shows a safety device for the multi-channel control of a technical safety device in case of a malfunction, by which the technical safety device can be operated in the secured state, with two control devices being connected to each other via an input stage which performs a signal modulation.
DE 10 2009 047 025 B3 shows a real-time run-time system and a functional module in which, at certain status transitions, particularly between test operation and real-time operation, the functional module can be activated and/or deactivated.
DE 10 2010 038 484 A1 shows a method for a device to control a facility, in which error monitoring can take place.
The above-stated prior art therefore relates generally to memory-programmable controls which show a separate architecture with regard to individual computers, program parts or controls, or which allow a temporary decoupling of functional modules, and which are suitable for applications that must meet certain safety requirements. In such architectures a normal run-time system (LZS) may be integrated on hardware capable of starting an application program (AWP) and having it operate: the LZS reads data from the physical inputs and bus systems and provides this data to the AWP for processing; the LZS starts a cycle of the AWP, in which the input data and potentially saved data are combined with each other; and at the end of the AWP cycle output data is provided, which the LZS issues at the physical outputs and bus systems. This represents the general functionality of a memory-programmable control (SPS). In such architectures a secure LZS can optionally be integrated on hardware, which operates in the same fashion as a normal LZS and additionally fulfills various safety standards, e.g. IEC 61508 or ISO 13849. Commonly an operating system is provided here, which must be implemented as well, and in which a change of individual safety-relevant functions would lead to an expensive subsequent certification. The above-mentioned DE 10 2005 007 477 A1 already points out that a machine control with individually safety-certifiable safety modules offers advantages for certification; however, a certain PC infrastructure is required here, and the safety modules must be integrated via an operating system and a PCI bus.