Safety control device and method for changing a range of functions of a safety control device
11022948 · 2021-06-01
Assignee
Inventors
- Jochen BAUKNECHT (OSTFILDERN, DE)
- Jörg Bruchertseifer (Ostfildern, DE)
- Károly Rick (Ostfildern, DE)
- Marcel Wöhner (Ostfildern, DE)
CPC classification
- G06F9/44505 (PHYSICS)
- G06F21/76 (PHYSICS)
International classification
- G05B19/05 (PHYSICS)
- G06F21/76 (PHYSICS)
- G06F21/62 (PHYSICS)
- G06F21/57 (PHYSICS)
- G06F9/448 (PHYSICS)
Abstract
A safety control device comprises: at least one input module having a number of input interfaces; at least one output module having a number of output interfaces; and a computing unit that includes: a programmable processor; a read-only memory to store an operating program for the processor with program code in machine-readable form for providing a function library with a number of functions of the safety control device; and a non-volatile, overwritable storage medium. A number of function activation codes are stored downloadably in the storage medium, and each of the function activation codes is capable of being assigned a function of the function library such that by logically linking the function activation codes to their associated functions of the function library only those functions of the function library can be activated whose function activation codes are stored in the storage medium.
Claims
1. A safety control device, comprising: at least one input module having a number of input interfaces; at least one output module having a number of output interfaces; and a computing unit connected to the at least one input module and to the at least one output module, the computing unit including: a programmable processor; a read-only memory to non-volatilely store an operating program for the processor with program code in machine-readable form for providing a function library with a number n of functions (F.sub.1-F.sub.n) of the safety control device; and a non-volatile, overwritable storage medium that is integrated in the computing unit or is accommodated interchangeably in a storage medium interface of the computing unit, wherein: a number of function activation codes (FAC.sub.i) are stored downloadably in the storage medium; and each of the function activation codes (FAC.sub.i) is capable of being assigned a function (F.sub.i) of the function library (F) such that by logically linking the function activation codes (FAC.sub.i) to their associated functions (F.sub.i) of the function library (F) only those functions (F.sub.i) of the function library (F) can be activated whose function activation codes (FAC.sub.i) are stored in the storage medium; wherein the function library (F) comprises a first function group (FG1), which, after activation by the associated function activation codes (FAC.sub.i) in a first basic configuration, makes available to the safety control device function ranges for a signal processing-free signal input and signal output; wherein the function library (F) comprises a second function group (FG2), which, after activation by the associated function activation codes (FAC.sub.i) in a second basic configuration, makes available to the safety control device function ranges of a programmable logic controller; wherein the function library (F) comprises a third function group (FG3), which, after activation by the associated function activation codes (FAC.sub.i) in a third basic configuration, makes available to the safety control device function ranges of a safety control device with safety-related control rules.
2. The safety control device of claim 1, wherein the function ranges of the first, second, and/or third basic configuration are expandable by overwriting the storage medium and storing function activation codes (FAC.sub.i) that are at least partially different from the basic configurations.
3. The safety control device of claim 1, wherein, in the non-volatile, overwritable storage medium, at least one hardware identification data record (ID) is stored downloadably that is configured to link unequivocally the storage medium and the functions (F.sub.i), unlocked by the function activation codes (FAC.sub.i), to a hardware of the safety control device.
4. The safety control device of claim 1, wherein the function activation codes (FAC.sub.i) are stored in a cryptographically protected storage area of the storage medium.
5. The safety control device of claim 1, wherein the functions (F.sub.1-F.sub.n) of the function library (F) are stored downloadably in a function table within the read-only memory.
6. The safety control device of claim 1, wherein the safety control device is expandable by one or more additional input modules and/or by one or more additional output modules, wherein functions associated with the one or more additional input modules and/or functions associated with the one or more additional output modules are included in the function library (F) of the operating program.
7. A method for changing a function range of a safety control device, the safety control device comprising: at least one input module having a number of input interfaces; at least one output module having a number of output interfaces; and a computing unit connected to the at least one input module and to the at least one output module, the computing unit including: a programmable processor; a read-only memory to non-volatilely store an operating program for the processor with program code in machine-readable form for providing a function library with a number n of functions (F.sub.1-F.sub.n) of the safety control device; and a non-volatile, overwritable storage medium that is integrated in the computing unit or is accommodated interchangeably in a storage medium interface of the computing unit, wherein: a number of function activation codes (FAC.sub.i) are stored downloadably in the storage medium; and each of the function activation codes (FAC.sub.i) is capable of being assigned a function (F.sub.i) of the function library (F) such that by logically linking the function activation codes (FAC.sub.i) to their associated functions (F.sub.i) of the function library (F) only those functions (F.sub.i) of the function library (F) can be activated whose function activation codes (FAC.sub.i) are stored in the storage medium; wherein the function library (F) comprises a first function group (FG1), which, after activation by the associated function activation codes (FAC.sub.i) in a first basic configuration, makes available to the safety control device function ranges for a signal processing-free signal input and signal output; wherein the function library (F) comprises a second function group (FG2), which, after activation by the associated function activation codes (FAC.sub.i) in a second basic configuration, makes available to the safety control device function ranges of a programmable logic controller; wherein the function library (F) comprises a third function group (FG3), which, after activation by the associated function activation codes (FAC.sub.i) in a third basic configuration, makes available to the safety control device function ranges of a safety control device with safety-related control rules; the method comprising: non-volatilely storing the operating program for the processor in the read-only memory; downloadably storing the function activation codes (FAC.sub.i) in the overwritable, non-volatile storage medium; and linking the stored function activation codes (FAC.sub.i) to their associated functions (F.sub.i) of the function library (F) of the operating program in the safety control device.
8. The method of claim 7, wherein, after linking the stored function activation codes (FAC.sub.i) to the functions (F.sub.i) of the function library (F), at least one hardware identification data record (ID) is stored downloadably in the overwritable, non-volatile storage medium.
9. The method of claim 7, wherein the function activation codes (FAC.sub.i) are stored in a cryptographically protected storage area of the overwritable, non-volatile storage medium.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
(1) Other features and advantages of the present invention will become apparent from the following description of a preferred exemplary embodiment with reference to the accompanying
DETAILED DESCRIPTION
(2) In this exemplary embodiment the safety control device 1 comprises at least one input module 2, at least one output module 3 and a computing unit 4, which is connected to the input module 2 and to the output module 3. The input module 2 comprises a number of input interfaces 20, 21, 22, which can be selectively activated or deactivated. As a result, individual or all input interfaces 20, 21, 22 can be activated in an application-specific manner, so that they can receive input signals. A sensor 50, 51, 52 can be connected to each of the input interfaces 20, 21, 22. Each of these sensors 50, 51, 52 may provide the input interfaces 20, 21, 22 with input signals, which may provide, for example, information about an operating status of a machine or machine plant. Examples of such sensors 50, 51, 52 include, inter alia, pushbuttons, switches, proximity sensors, temperature sensors, position sensors, speed sensors, pressure sensors and light barriers.
(3) The safety control device 1 is designed, in principle, such that the input signals, received over the input interfaces 20, 21, 22, can be processed by the computing unit 4, the configuration and mode of operation of which will be described in more detail below. The output module 3 comprises a number of output interfaces 30, 31, 32, which can also be selectively activated or deactivated. As a result, individual or all output interfaces 30, 31, 32 can be activated in an application-specific manner, so that the output signals can be transmitted over the interfaces. An actuator 60, 61, 62 can be connected to each of the output interfaces 30, 31, 32. These actuators 60, 61, 62 may execute certain actions in response to the output signals that are provided over the output interfaces 30, 31, 32. Examples of such actuators 60, 61, 62 are, inter alia, contactors, relays, electronic switches as well as optical and/or acoustic signaling devices. The computing unit 4 lends itself to evaluating the input signals, received over the input interfaces 20, 21, 22, according to specific rules, in particular, by logic operations and optionally additional signal processing and/or data processing steps, and to providing the output interfaces 30, 31, 32 with corresponding output signals, which are forwarded to the actuators 60, 61, 62 in order to control them.
(4) The computing unit 4 comprises a programmable processor 40, a read-only memory 41 and a main memory 42. An operating program 5 for operating the processor 40 is stored in the read-only memory 41 in a non-volatile form. This operating program 5, which is often referred to as firmware, has program code in machine-readable form and provides the safety control device 1 with a function library F having a number n of available functions F.sub.1 to F.sub.n. These functions F.sub.1 to F.sub.n form the basic functions, for the execution of which the safety control device 1 is basically designed from a hardware and software perspective. For example, a user program as well as intermediate variables, which may be obtained, for example, in the course of processing the input signals, may be stored temporarily in the main memory 42.
(5) The basic idea of the present invention is to provide the safety control device 1, in an application-specific manner, only with those functions F.sub.i from the function library F that the user of the safety control device 1 actually needs or for which the user has acquired from the manufacturer of the safety control device 1 the corresponding user rights that allow these functions F.sub.i to be used. For example, in a first basic configuration, which may be preconfigured by the manufacturer, the safety control device 1 can have only the functions F.sub.i of an input and output device, where the functions are combined, in particular, to form a first function group FG1. In the input and output device the input signals are received over the input interfaces 20, 21, 22 of the input module 2, and these input signals—without signal processing by the computing unit 4—are outputted as output signals to the output interfaces 30, 31, 32 of the output module 3.
(6) In a second basic configuration, which may also be preconfigured by the manufacturer of the safety control device 1, the safety control device 1 may have the typical functions F.sub.i of a programmable logic controller, where in this case the functions may be combined by the manufacturer, for example, to form a second function group FG2. After the corresponding function activation codes FAC.sub.i have been provided in a machine-readable form and have been logically linked to the functions F.sub.i for the purpose of activating these functions F.sub.i, the safety control device 1 can acquire the input signals from the sensors 50, 51, 52 over the enabled input interfaces 20, 21, 22 of the input module 2. The computing unit 4 processes these input signals according to certain rules and generates the output signals that are outputted over the output interfaces 30, 31, 32 of the output module 3 and made available to the actuators 60, 61, 62, which can execute certain actions in response to the output signals.
(7) In a third basic configuration, which may also be preconfigured by the manufacturer of the safety control device 1 and the functions F.sub.i thereof may be combined to form a third function group FG3, the safety control device 1 may have the typical functions for controlling in a fail-safe manner safety-critical processes, in particular, for shutting down a machine or a machine plant in a fail-safe manner. In this case certain functions are provided, for example, that have the effect that the process, controlled by the safety control device 1, can be converted into a safe state in the event of a fault.
(8) Unlike in the prior art, the function range of the safety control device 1 is modified or expanded not by installing a new operating program 5 in the read-only memory 41 of the computing unit 4 in a downloadable manner. In the present case the function activation codes FAC.sub.i are provided in a machine-readable form; and the function activation codes can be logically linked to the individual functions F.sub.i of the function library F, in order to effect in this way the unlocking and activation of the functions. In this case a function F.sub.i of the function library F can be assigned a defined function activation code FAC.sub.i. By logically linking the individual function activation codes FAC.sub.i to their associated functions F.sub.i of the function library F, it is possible to selectively unlock individual functions F.sub.i from the function library F of the operating program 5, in order to define in this way the function range of the safety control device 1.
(9) In this exemplary embodiment the computing unit 4 comprises a storage medium interface 43, in which an overwritable, non-volatile storage medium 6 can be accommodated. This storage medium 6 may be preferably an SD card or a USB storage medium. In this context it is preferred that the function activation codes FAC.sub.i are stored in a cryptographically protected storage area of the storage medium 6. In this way, it is possible to prevent, in the case of an interchangeable storage medium 6, the function activation codes FAC.sub.i from being copied or manipulated without authorization. Furthermore, this feature also makes it possible in an advantageous way to use the once acquired function activation codes FAC.sub.i at a later date with other safety control devices 1 provided for this purpose.
(10) In an alternative embodiment, there is also the possibility that the overwritable, non-volatile storage medium 6 is permanently integrated into the computing unit 4. This permanently integrated storage medium may also comprise a cryptographically protected storage area, in which the function activation codes FAC.sub.i are stored in a downloadable manner.
(11) A number of function activation codes FAC.sub.i are stored in the storage medium 6 in a downloadable manner. In this case, each of the function activation codes FAC.sub.i, which have been acquired by the user in a licensing process, is assigned one of the functions F.sub.i of the function library F such that by logically linking the function activation codes FAC.sub.i to the functions F.sub.i of the function library F only those functions F.sub.i can be activated whose function activation codes FAC.sub.i are stored in the storage medium 6. The aggregate of the functions F.sub.1 to F.sub.n of the function library F, where for the execution thereof the safety control device 1 is basically configured from both a hardware and software perspective, can be stored in the read-only memory 5, for example in the form of a function table. When inserting the overwritable, non-volatile storage medium 6 into the storage medium interface 43 provided for this purpose, the function activation codes FAC.sub.i, stored therein, can be read out by the processor 40. Furthermore, the associated functions F.sub.i, which can be activated by the provided function activation codes FAC.sub.i, can be read from the function table of the function library F. At the same time the function activation codes FAC.sub.i are logically linked to the associated functions F.sub.i and, as a result, are activated and unlocked for use. In the course of this authorization process it is possible to generate, for example, at least one hardware identification data record ID, which is then stored in the non-volatile, overwritable storage medium 6 in a downloadable manner. In this way the storage medium 6 and the functions F.sub.i, which are unlocked by the function activation codes FAC.sub.i, are linked unequivocally to the hardware of the safety control device 1. As a result, it is possible to prevent, for example, an unauthorized use of the function activation codes FAC.sub.i by linking the codes unequivocally to the hardware of the safety control device 1. The use of the safety control device 1 is only possible by the storage medium 6 that is authorized in this way. The unambiguous allocation of the hardware of the safety control device 1 to the storage medium 6 with the function activation codes FAC.sub.i, stored therein, is not absolutely necessary. When the function activation codes FAC.sub.i are stored in a cryptographically protected storage area of the storage medium 6, the copying and/or manipulation of the function activation codes FAC.sub.i can be effectively prevented. Therefore, in the case of an interchangeable storage medium 6, such as, for example, an SD card or a USB storage medium, there is the possibility of using in an advantageous way the once acquired function activation codes FAC.sub.i at a later time with other safety control devices 1 that are provided for this purpose.
(12) For example, it is possible to obtain a safety control device 1 in the second basic configuration from a safety control device 1 in the first basic configuration by unlocking the functions of the second function group FG2 without the hardware of the safety control device 1 having to be replaced and without a new operating program 5 having to be installed. Furthermore, it is possible to obtain a safety control device 1 in the third basic configuration from a safety control device 1 in the first or second basic configuration by unlocking the functions of the third function group FG3, without the hardware of the safety control device 1 also having to be replaced in this case and without a new operating program 5 having to be installed.
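The linking and authorization process of paragraphs (8) to (12), including the hardware identification data record and the expansion from one basic configuration to the next, can be modelled as follows. This is an added illustration and not code from the patent or from its assignee; the patent does not specify how the function activation codes or the hardware identification data record are generated, so the HMAC-SHA256 scheme, the manufacturer key, the function names and their group membership, the device serial number, and the dictionary that stands in for the protected storage area are all assumptions made for this example.

```python
import hashlib
import hmac

# Constructed placeholder: the secret with which the manufacturer issues activation
# codes. Assumed here to also live in the device's read-only memory; the patent does
# not say how the cryptographic protection is keyed.
MANUFACTURER_KEY = b"example-manufacturer-key-do-not-use"

# Function library F as a function table in read-only memory: F_i -> (name, function group).
# Names and group membership are constructed for this example.
FUNCTION_TABLE = {
    1: ("signal_pass_through", "FG1"),   # processing-free input -> output (first configuration)
    2: ("logic_and_or", "FG2"),          # programmable logic controller functions (second)
    3: ("timer_counter", "FG2"),
    4: ("fail_safe_shutdown", "FG3"),    # safety-related control rules (third)
    5: ("safe_state_on_fault", "FG3"),
}


def issue_activation_code(function_id):
    """Manufacturer side: FAC_i is an HMAC-SHA256 tag over the function index (assumed scheme)."""
    msg = b"FAC:%d" % function_id
    return hmac.new(MANUFACTURER_KEY, msg, hashlib.sha256).hexdigest()


def link_activation_codes(stored_codes):
    """Device side: logically link each stored FAC_i to its F_i.

    Returns the set of activated function indices. A code for a function that is not
    in the table, or a code that does not verify, activates nothing."""
    activated = set()
    for function_id, code in stored_codes.items():
        if function_id not in FUNCTION_TABLE or not isinstance(code, str):
            continue
        # constant-time comparison so a forged code cannot be refined byte by byte
        if hmac.compare_digest(code, issue_activation_code(function_id)):
            activated.add(function_id)
    return activated


def basic_configuration(activated):
    """Highest basic configuration whose entire function group is activated, else None."""
    for group in ("FG3", "FG2", "FG1"):
        members = {i for i, (_, g) in FUNCTION_TABLE.items() if g == group}
        if members <= activated:
            return group
    return None


def hardware_id_record(device_serial):
    """ID record written to the medium during authorization; binds the medium to one device."""
    return hmac.new(MANUFACTURER_KEY, b"ID:" + device_serial.encode(), hashlib.sha256).hexdigest()


def authorize_medium(medium, device_serial):
    """Boot-time authorization of an inserted storage medium.

    `medium` models the protected storage area: {"codes": {F_i: FAC_i}, "id_record": str}.
    On first use the ID record is generated and stored on the medium; afterwards a medium
    whose record was generated on other hardware unlocks no functions at all."""
    expected = hardware_id_record(device_serial)
    record = medium.get("id_record")
    if record is None:
        medium["id_record"] = expected
    elif not hmac.compare_digest(record, expected):
        return set()
    return link_activation_codes(medium["codes"])


def run_function(activated, function_id):
    """Gate on every call: an F_i without a linked FAC_i is not executable."""
    if function_id not in activated:
        raise PermissionError("function F_%d is not activated" % function_id)
    return FUNCTION_TABLE[function_id][0]


if __name__ == "__main__":
    # Constructed walk-through: a medium shipped in the second basic configuration.
    medium = {"codes": {i: issue_activation_code(i) for i in (1, 2, 3)}}
    active = authorize_medium(medium, "SN-000123")
    print(basic_configuration(active))            # FG2
    # Expansion as in claim 2: overwrite the medium with FG3 codes; no new firmware needed.
    medium["codes"].update({i: issue_activation_code(i) for i in (4, 5)})
    active = authorize_medium(medium, "SN-000123")
    print(basic_configuration(active))            # FG3
    # The same medium in other hardware: the ID record does not match, nothing unlocks.
    print(authorize_medium(medium, "SN-999999"))  # set()
```

Two design points follow from the model. First, the hardware identification record is keyed to the device serial only, so that overwriting the medium with additional codes (claim 2) does not invalidate the binding, while moving the medium to a different device does. Second, because the verification key sits in read-only memory, anyone who extracts that memory image can issue codes; a deployment that needs stronger protection would verify the codes with a public key or a per-device key rather than the shared manufacturer secret, which is a strengthening beyond what the patent text describes.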
(13) It goes without saying that by providing the function activation codes FAC.sub.i it is also possible to specifically unlock and activate within the three basic configurations of the safety control device 1 certain functions F.sub.i from the function library F, in order to adapt, in particular, to expand, the function range of the safety control device 1, without a new operating program 5 having to be installed for this purpose.
(14) In addition, there is also the possibility that the safety control device 1 can be expanded to include one or more input modules 2 and/or one or more output modules 3, where in this case additional functions F.sub.i of the input module(s) and/or the output module(s) are already included in the function library F of the operating program 5. As a result, this aspect makes possible a hardware scaling of the safety control device 1 in an advantageous way. Since the functions of the additional input modules 2 and/or output modules 3 are already integrated into the function library F of the operating program 5 and can be activated and, as a result, unlocked in the manner described herein, it is advantageously not necessary, when the hardware is being expanded, to install a completely new operating program 5 in the safety control device 1, so that the additional functions can be used.