It is generally known that control devices which work with safety-relevant data provide particular control and checking steps for changing such data. In this context, safety means industrial safety or personal safety. A control device of this kind may be, for example, the control apparatus for monitoring a robot, or a device for controlling and monitoring the sequences in a production cell. While a robot executes its movements, people in its operating area are in general at risk, and this risk needs to be averted. Safety-relevant data for such a robot are, by way of example, data which monitor or restrict the robot's sequence of movement, either in a separate control device or directly in the robot controller, and which accordingly protect the area potentially endangered by the robot movement. Safety-relevant data also include programs and data which are processed in a control device in order to prevent risk to a machine operator, for example by producing signals for actuating protection devices. These signals are produced on the basis of further signals which are emitted by at least one safety-oriented device, for example a door switch or a laser scanner, and on the basis of the safety-relevant data which are processed in the control device (the principle of a programmable logic controller).
It is known from safety engineering that most accidents are caused not by failure of the safety devices but by their deliberate manipulation by operating or maintenance personnel. For this reason, it should always be ensured that manipulation of safety-oriented control data is prevented as far as possible, or that the effort required to manipulate such data is made as high as possible by suitable methods (this protection against deliberate interference is what the term "security" denotes, as distinct from "safety").
The advent of configurable and programmable control devices introduces the additional risk that the start-up (commissioning) engineer activates incorrect programs or data, so that additional protection is desirable which prevents programs and configuration data from being mixed up and erroneously activated.
To create or change safety-relevant data for such control devices, it is generally known practice first to start a special user program, the configuration program, on a configuration computer. This program is used to make the inputs or changes, which are then downloaded to the control device. Next, the control device loads the data back onto the configuration computer, and the configuration program compares, for safety reasons, whether the program loaded back corresponds to the original program. In this way, it is established whether errors have occurred during transmission of the program and, accordingly, whether the changes can be accepted. In a final step, the user gives the control device the instruction to accept and execute the new data.
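The download, readback and compare procedure described above, as an added illustration in Python rather than code from the original text or from any particular control device. The class and function names (ControlDevice, change_safety_data), the staged/active data model and the sample parameter strings are assumptions made for the example; a transmission error is simulated by flipping one bit so that the comparison step is exercised on both the matching and the mismatching path.

```python
"""Readback verification of safety-relevant configuration data.

Added example (not part of the original text). A configuration computer
downloads new safety data to a control device, reads it back, compares
it with what was sent, and only then instructs the device to accept and
execute the new data. All names and the data model are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ControlDevice:
    """Hypothetical control device holding an active and a staged data set."""
    active: bytes = b""
    staged: Optional[bytes] = None

    def download(self, data: bytes, corrupt: bool = False) -> None:
        """Receive new safety-relevant data into the staging area.

        corrupt=True simulates a transmission error (one flipped bit in the
        first byte) so that the readback comparison can be demonstrated.
        """
        if corrupt and data:
            data = bytes([data[0] ^ 0x01]) + data[1:]
        self.staged = data

    def upload(self) -> Optional[bytes]:
        """Load the staged data back to the configuration computer."""
        return self.staged

    def discard(self) -> None:
        """Drop staged data that failed verification; the active set is untouched."""
        self.staged = None

    def accept(self) -> None:
        """Final step: activate the staged data only on explicit instruction."""
        if self.staged is None:
            raise RuntimeError("no verified data staged for acceptance")
        self.active = self.staged
        self.staged = None


def change_safety_data(device: ControlDevice, new_data: bytes,
                       corrupt_transfer: bool = False) -> bool:
    """Configuration-computer side of the procedure.

    Returns True when the readback matched and the device was instructed to
    accept the data, False when the readback differed (transmission error)
    and the change was therefore rejected without touching the active set.
    """
    device.download(new_data, corrupt=corrupt_transfer)   # step 1: download
    readback = device.upload()                            # step 2: load back
    if readback != new_data:                              # step 3: compare
        device.discard()
        return False
    device.accept()                                       # step 4: accept
    return True


if __name__ == "__main__":
    # Constructed sample parameters; the format is invented for the example.
    dev = ControlDevice(active=b"MAX_SPEED=500;ZONE=A1\n")
    print(change_safety_data(dev, b"MAX_SPEED=250;ZONE=A3\n"), dev.active)
    print(change_safety_data(dev, b"MAX_SPEED=999;ZONE=A3\n",
                             corrupt_transfer=True), dev.active)
```

The byte-for-byte comparison detects errors introduced between the configuration computer and the control device; it does not by itself protect against a change made deliberately on the configuration computer, which is the manipulation risk discussed earlier.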