1. Field of the Invention
The invention relates to a method for verifying an application program in a failsafe programmable logic controller and to a programmable logic controller.
2. Description of the Related Art
Programmable logic controllers are used in all areas of automation technology. Increased demands are imposed on operational safety in those applications in which failure of the programmable logic controller would have serious consequences, such as damage to machines and systems or even personal injuries. The programmable logic controllers used in such scenarios are provided, for this purpose, with measures that lead to increased failure safety or operational safety, such as by a redundant design or better error detection. Such programmable logic controllers are also referred to as “safety-oriented”, “failsafe”, “fault-tolerant”, etc. Criteria for the required functional safety are also laid down in numerous standards, for example, in the European standard EN 61508.
For the failsafe “safety-oriented” programmable logic controllers, a user, for example, must be able to reliably check that the correct safety program has been loaded into the controller, i.e., it must be possible to check that the application program which has been loaded into the main memory of the programmable controller is that program which is intended for the specific task and is not, for instance, another application program or an application program with the wrong version number (version). Here, it must also be ensured that not only the “correct” application program is or has been loaded into the main memory but also that the program is executed and not, for instance, programs or program modules (functional modules) of another application program which was previously executed, for example. The situation may thus arise in which a complete “incorrect” or obsolete application program is executed or else only an individual functional module from a previously executed application program is left over and is then executed in an unwanted manner. The situation may likewise arise in which individual functional modules have been erased or damaged, with the result that the present application program is incomplete or unusable.
In order to exclude such errors, different procedures are customary when “loading” the failsafe programmable logic controllers. It is thus ensured, on the one hand, that a load memory, i.e., a memory card, a hard disk or another mass memory of the programmable logic controller, for example, contains the “correct” application program and thus the “correct” functional modules or program modules by virtue of the programmable logic controller determining a program identification of the application program or the program modules or functional modules in the load memory. This means that, for example, the function names and the respective version number (version) and possibly also the order (arrangement) of these “routines” in the load memory are determined as the program identification. This information is transmitted to an external component, usually the creation system (“engineering system”), and is compared there with a desired value that was determined and stored when creating the application program. In the event of a positive comparison, a confirmation message can be transmitted from the external component to the programmable logic controller, as a result of which the execution of the application program is ultimately enabled. This procedure ensures that the correct application program with all of its associated functional modules and program modules is present in the load memory, to be precise also in the correct order and in the correct version number (version).
Nevertheless, the situation may occur in which parts (fragments) of another application program are still present in the main memory of the programmable logic controller after the application program determined in this manner has been loaded and may thus be executed. As a result, loading regulations must be complied with, i.e., say measures must be taken that ensure program fragments or the like are removed from the main memory before the “correct” application program is loaded. This may mean, for example, or that the programmable logic controller is “reset”, that the entire main memory is filled with standard values (for example, logic “0” or logic “1” in every memory cell).
In particular, heeding the prescribed loading regulations constitutes a mounting problem in practice, because these loading regulations differ in different programmable logic controllers (“target systems”, “targets”) used, sometimes to a very considerable extent. This means that, for example, a simple programmable logic controller having proprietary hardware, which has only a memory card as the load memory and only a contiguous main memory, is loaded and started using different loading regulations from those for a PC-based system, for example, in which the programmable logic controller is operated in a real-time operating system in a parallel manner to a Windows-oriented operating system (for example, Microsoft Windows). Although it is ensured that the “correct” application program has actually been loaded into the main memory and there are additionally no other program parts or the like in the main memory when the respectively valid loading regulations are complied with, errors can easily occur because of the different loading regulations for different systems, which errors are not detected or are often detected only with difficulty and result in the proper state not necessarily having been reached.
Another disadvantage is that, in addition to the necessary knowledge of the loading regulations and the heeding of the latter, accurate knowledge or analysis of the respective programmable logic controller and its memory structures is also necessary.