VERIFICATION METHOD FOR AN OXYGEN REDUCTION SYSTEM

20220343447 · 2022-10-27

    Abstract

    A method for verifying system functions of an oxygen reduction system, said functions being used during operation. The oxygen reduction system reduces or maintains an oxygen concentration level in a protection region by supplying inert gas and monitors or increases the oxygen concentration level, which has been previously reduced, in the protection region or in a monitoring region. The method comprises: detecting system functions being used during the operation of the oxygen reduction system; generating a license data set which contains licenses used by the system functions being used; reading a verification data set provided on a storage medium, wherein the verification data set contains at least one existing license; determining a license violation if not every license used is contained in the verification data set; and outputting an error message, or deactivating at least one system function, if a license violation is determined.

    Claims

    1. A verification method (200) for verifying system functions (110, 111, 112, 113, 114) of an oxygen reduction system (100), said functions being used during the operation of the oxygen reduction system (100), wherein the oxygen reduction system (100) reduces or maintains an oxygen concentration level in at least one protection region (121) by supplying inert gas (131) originating from at least one inert gas source (130) and monitors or increases the oxygen concentration level in the protection region (121) or in a monitoring region (122), which has the following method steps: detecting (201) system functions (110, 111, 112, 113, 114) being used during the operation of the oxygen reduction system (100); generating (202) a license data set (210), wherein the license data set (210) contains licenses (l.sub.1y, l.sub.2y . . . , l.sub.ny) used by the system functions (110, 111, 112, 113, 114) being used; reading (203) a verification data set (220) provided on a storage medium (340), wherein the verification data set (220) contains at least one existing license (L.sub.1x, L.sub.2x, . . . L.sub.nx); determining (204) a license violation if each license (l.sub.1y, l.sub.2y, . . . , l.sub.ny) used is not contained in the verification data set (220); outputting (205) or deactivating (206) at least one system function (110, 111, 112, 113, 114) if a license violation is detected.

    2. The verification method (200) according to claim 1, characterized in that the verification method (200) is implemented on at least one programmable control module (300, 310, 320, 330) and the system functions (110, 111, 112, 113, 114) used are detected based on a specific assignment of signal input and signal output channels (301, 302) of the at least one programmable control module (300, 310, 320, 330).

    3. The verification method (200) according to claim 1 or 2, characterized in that each license (l.sub.1y, l.sub.2y, . . . , l.sub.ny) used of the license data set (210) comprises at least two parameters: a respective license type (1, 2, . . . , n) and a first number of licenses (y.sub.l1, y.sub.l2, . . . y.sub.ln) assigned to the respective license type (1, 2, . . . , n), and each existing license (L.sub.1x, L.sub.2x . . . L.sub.nx) of the verification data set (220) comprises at least two parameters: a respective license type (1, 2, . . . , n) and a second number of licenses (x.sub.L1, x.sub.L2, . . . x.sub.Ln) assigned to the respective license type (1, 2, . . . , n) and, in order to determine (204) a license violation, a matrix-like assignment (230) of the licenses (l.sub.1y, l.sub.2y, . . . , l.sub.ny) used is made for the existing licenses (L.sub.1x, L.sub.2x . . . L.sub.nx).

    4. The verification method (200) according to claim 3, characterized in that, in order to determine (204) a license violation, at least one license value (z.sub.1, z.sub.2, . . . , z.sub.n) is determined for mutually assigned license types (1, 2, . . . , n) in that the first number of licenses (y.sub.l1, y.sub.l2, . . . y.sub.ln) of the licenses (l.sub.1y, l.sub.2y, . . . , l.sub.ny) used is subtracted from the second number of licenses (x.sub.L1, x.sub.L2, . . . x.sub.Ln) of the existing licenses (L.sub.1x, L.sub.2x . . . L.sub.nx), and wherein a license violation is determined if one of the determined license values (z.sub.1, z.sub.2, . . . , z.sub.n) is <0.

    5. The verification method (200) according to claim 1, characterized by checking (207) whether the verification data set (220) contains an activation code, wherein a message is output (205) or at least one system function (110, 111, 112, 113, 114) is deactivated (206) if the activation code is not recognized.

    6. The verification method (200) according to claim 1, characterized in that the verification data set is read in (203) via an interface (303) connected or connectable to the storage medium (340) in a signal-transmitting manner, wherein a message is output (205) or at least one system function (110, 111, 112, 113, 114) is deactivated (206) if the signal-transmitting connection between the storage medium (340) and the interface (303) is not detected.

    7. The verification method (200) according to claim 5, characterized in that the verification method (200) is repeated at specific or regular time intervals, and at the same time when the message (205) is output, a timer (304) is started (208) to detect the period of time during which the message is output (205).

    8. The verification method (200) according to claim 7, characterized in that, upon reaching or after expiry of a predetermined period of time during which the message is output (205), a fault message is output (209) and/or at least one system function (110, 111, 112, 113, 114) of the oxygen reduction system (100) is deactivated (206).

    9. The verification method (200) according to claim 7, characterized in that, upon reaching or after expiry of a predetermined period of time during which the message, in particular the fault message, is output (205), at least one system function (110, 111, 112, 113, 114) of the oxygen reduction system (100) is deactivated (206).

    10. The verification method (200) according to claim 1, characterized in that the verification method (200) is implemented on several programmable and signal-connected control modules (300, 310, 320, 330), wherein at least one control module (300) is provided as a region control module (310), which is assigned to at least one protection region (121) or monitoring region (122) or at least one control module (300) is provided as a process control module (320), which is assigned to at least one inert gas source (130) and/or at least one control module (300) is provided as a master control module (330).

    11. The verification method (200) according to claim 10, characterized in that the detecting (201) of system functions (110, 111, 112, 113, 114) used is implemented on the at least one region control module (310) and/or the at least one process control module (320) and/or the at least one master control module (330), wherein system functions (110, 111, 112, 113, 114) locally assigned to the respective control module (310, 320, 330) are detected based on a specific assignment of signal input and signal output channels (301, 302) of the respective region control module (310) or process control module (320) or master control module (330).

    12. The verification method (200) according to claim 10, characterized by local generation (202) of at least one license data set (210) containing licenses (l.sub.1y, l.sub.2y . . . , l.sub.ny) used by the respective control module (310, 320, 330), wherein each license (l.sub.1y, l.sub.2y . . . , l.sub.ny) used therein is assigned to at least one locally used system function (110, 111, 112, 113, 114) and comprises at least two parameters: a respective license type (1, 2, . . . , n) and a first number of licenses (y.sub.l1, y.sub.l2, . . . y.sub.ln) assigned to the respective license type (1, 2, . . . , n).

    13. The verification method (200) according to claim 12, characterized in that a generating (202) of a global license data set (240) is implemented on the at least one master control module (330), and the global license data set (240) is formed by combining the locally generated license data sets (210) in that the first number of licenses (y.sub.l1, y.sub.l2, . . . y.sub.ln) of the licenses (l.sub.1y, l.sub.2y, . . . , l.sub.ny) used locally by the respective control modules (310, 320, 330) are added to the mutually assigned license types (1, 2, . . . , n) and wherein the licenses (l.sub.11y, l.sub.22y . . . , l.sub.nmy) used locally by the respective control modules (310, 320, 330) are assigned an origin indicator (1, 2, . . . , m) corresponding to the respective control module (310, 320, 330).

    14. The verification method (200) according to claim 11, characterized in that the reading (203) of the verification data set (220) is implemented on the at least one master control module (330).

    15. The verification method (200) according to claim 14, characterized in that the verification data set (220) contains at least one existing control module license (SL.sub.Bx, SL.sub.Px, SL.sub.Mx) and the license data set (210) contains control module licenses (sl.sub.By, sl.sub.Py, sl.sub.My) used by the respective control modules (310, 320, 330), wherein a license violation is determined unless every control module license (sl.sub.By, sl.sub.Py, sl.sub.My) used is included in the verification data set (220).

    16. The verification method (200) according to claim 15, characterized in that each control module license (sl.sub.By, sl.sub.Py, sl.sub.My) used of the license data set (210) comprises at least two parameters: a respective control module type (B, P, M) and a first number of control module licenses (y.sub.slB, y.sub.slP, y.sub.slM) assigned to the respective control module type (B, P, M), and each existing control module license (SL.sub.Bx, SL.sub.Px, SL.sub.Mx) of the verification data set (220) comprises at least two parameters: a respective control module type (B, P, M) and a second number of control module licenses (x.sub.SLB, x.sub.SLP, x.sub.SLM) assigned to the respective control module type (B, P, M), and at least one control module license value (z.sub.SL1, z.sub.SL2, . . . , z.sub.SLn) of respectively mutually assigned control module types (B, P, M) is determined in order to determine (204) a license violation in that the first number of control module licenses (y.sub.slB, y.sub.slP, y.sub.slM) of the control module licenses (sl.sub.By, sl.sub.Py, sl.sub.My) used is subtracted from the second number of control module licenses (x.sub.SLB, x.sub.SLP, x.sub.SLM) of the existing control module licenses (SL.sub.Bx, SL.sub.Px, SL.sub.Mx), and wherein a license violation is determined if one of the determined control module license values (z.sub.SL1, z.sub.SL2, . . . , z.sub.SLn) is <0.

    17. The verification method (200) according to claim 1, characterized in that at least one stored system function (110, 111, 112, 113, 114) can be selected manually by a user via a user interface (250).

    18. A programmable control module (300) for an oxygen reduction system (100), wherein the oxygen reduction system (100) is formed for lowering or maintaining an oxygen concentration level in at least one protection region (121) by supplying inert gas (131) from at least one inert gas source (130) and for monitoring or increasing the oxygen concentration level in the protection region (121) or a monitoring region (122), and is configured to carry out a verification method (200) with one or more signal input channels (301) and one or several signal output channels (302) and with at least one interface (303) for the transmission of data and/or for connection to a storage medium (340).

    19. The control module (300) according to claim 18, characterized in that the number of signal input channels (301) or signal output channels (302) can be expanded by adding hardware components (305).

    20. An oxygen reduction system (100) with at least one programmable control module (300) and suitable for carrying out a verification method (200), wherein one or more signal input channels (301) of the at least one control module (300) are connected to sensors (140) of the oxygen reduction system (100) and one or more signal output channels (302) are connected to actuators (150) of the oxygen reduction system (100).

    Description

    BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

    [0058] Further details, features, (sub)combinations of features, advantages, and effects of the invention will be apparent from the following description of a preferred exemplary embodiment of the invention and from the set of drawings. The following is shown:

    [0059] FIG. 1 a schematic representation of an oxygen reduction system with a decentralized control and regulation system.

    [0060] FIG. 2 a schematic representation of an exemplary embodiment of two control modules according to the invention.

    [0061] FIG. 3 a block diagram for schematically illustrating an exemplary sequence of the verification method according to the invention.

    [0062] FIG. 4 a schematic representation of an exemplary embodiment of the invention in which several programmable control modules are connected to one another in a signal-conducting manner.

    [0063] FIG. 5 a schematic representation of an exemplary embodiment of the assignment implemented in a control module, in which assignment the licenses used are assigned to existing licenses.

    [0064] FIG. 6 a schematic representation of an exemplary embodiment of a global license data set.

    [0065] FIG. 7 a schematic representation of an exemplary embodiment of the assignment implemented in a control module, in which assignment the control licenses used are assigned to existing control licenses.

    [0066] FIG. 8 a first exemplary representation of information displayed on a user interface; and

    [0067] FIG. 9 a second exemplary representation of information displayed on a user interface.

    [0068] The figures are merely exemplary in nature and are only used for understanding the invention. Equivalent elements are provided with the same reference numerals and are usually only described once.

    DETAILED DESCRIPTION OF THE INVENTION

    [0069] FIG. 1 shows an exemplary embodiment of an oxygen reduction system 100 according to the invention, which is equipped with a decentralized control and regulation system. The oxygen reduction system 100 comprises two inert gas sources designed as inert gas generators 130, which inert gas sources are connected to two protection regions 121 via line connections conducting inert gas 131. A monitoring region 122 is arranged adjacent one of the protection regions 121. The inert gas generators 130 are each assigned a process control module 320 configured to control and regulate the corresponding inert gas generator 130, with the signal input channels 301, not shown here, of the process control module being connected to sensors 140, in particular pressure and oxygen concentration sensors, and the signal output channels 302, also not shown here, of the process control module being connected to actuators 150, in particular valves and compressors of the inert gas generator 130. In a corresponding manner, a region control module 310 configured for lowering and/or maintaining as well as for monitoring or increasing a possibly previously lowered oxygen concentration level within the corresponding protection region 121 is also assigned to the protection regions 121. A monitoring region 122 is also assigned to one of the region control modules 310. The signal input channels 301, not shown here, of the region control modules 310 are connected to sensors 140, in particular oxygen concentration sensors, which are arranged within the respectively assigned protection regions 121 or within the monitoring region 122. The signal output channels 302, which are likewise not shown here, are correspondingly connected to actuators 150, in particular to section valves and/or alarm means, which are arranged within the respectively assigned protection regions 121 or within the monitoring region 122.

    [0070] The region control modules 310 and the process control modules 320 do not communicate with one another directly, but are instead connected, in a signal-conducting manner, to two redundant master controllers 330, preferably via a bus or ring bus system. The region control modules 310, the process control modules 320, and the master control modules 330 are each configured to carry out the verification method 200 according to the invention, in which detection 201 of the system functions 110 used locally is implemented particularly on the region controllers 310 and the process controllers 320 and reading of a verification data set 220 is implemented on the master controllers 330. A user interface 250 for displaying the information ascertained in the verification method 200 can also be displayed via a control and display panel 160 that is signal-connected to one of the master control modules 330.

    [0071] FIG. 2 shows a schematic representation of an exemplary embodiment of two control modules 300 according to the invention. The two control modules 300 are preferably each configured as master control modules 330, have an identical structure, and preferably form a redundancy to increase reliability. A control module 300 here comprises, for example, three hardware components 350, each of which has particularly four signal input channels 301 for connection to sensors 140 of the oxygen reduction system 100, and four signal output channels 302 for connection to actuators 150 of the oxygen reduction system 100. The number of hardware components 350 can, if necessary, be expanded in a modular manner. The system functions 110 used by the oxygen reduction system 100 can be recognized and detected on the basis of the assignment of the signal input channels 301 and/or the signal output channels 302. The control module 300 further comprises a timer 304 and, e.g., three interfaces 303, in which one of the interfaces 303 is signal-connected to an external storage medium 340. A second interface 303 can be provided for the signal-conducting connection to an input and output device, for example a computer or laptop, with a corresponding user interface 250. Finally, a third interface 303 is provided for the signal-conducting connection to a bus system, in particular a ring bus system, or to another network. In the figure shown here, a signal-conducting connection between the interface 303 and the redundant control module 300 is shown as an example.

    [0072] A block diagram to schematically illustrate an exemplary method sequence of the verification method 200 according to the invention can be seen in FIG. 3 and is explained in more detail below with reference to FIG. 4, which illustrates an exemplary arrangement of several control modules 300 for an oxygen reduction system 100. The verification method 200 is preferably carried out during operation of the oxygen reduction system 100, i.e. while one or more system functions 110 are being used by the oxygen reduction system 100. According to FIG. 4, the verification method 200 is implemented on, e.g., six mutually signal-connected, programmable control modules 300, in which one of the control modules 300 is configured as a master control module 330, three further control modules 300 are configured as region control modules 310, and the remaining two control modules 300 are configured as process control modules 320. The region control modules 310 are configured to control and/or regulate system functions 110 to be carried out locally in an assigned protection or monitoring region 121, 122, and the process control modules 320 are configured accordingly to control and/or regulate the system functions 110 of respectively assigned inert gas sources, which in this example is an inert gas generator 130. The master control module 330 can also be configured to control and/or regulate locally used system functions 110.

    [0073] Returning to FIG. 3, the system functions 110 used by the oxygen reduction system 100 are detected in a first method step 201. The detection 201 of the system functions 110 is expediently implemented on each of the control modules 300, 310, 320, 330, so that the system functions 110 respectively used therein are detected locally based on the individual input and output channel assignment of the respective control module 300, 310, 320, 330.

    [0074] In a second method step 202, a license data set 210 is generated on the basis of the detected system functions 110. The second method step 202 is preferably also implemented locally on each control module 300, 310, 320, 330, so that an individual license data set 210 can be generated locally on each control module 300, 310, 320, 330. To this end, the system functions 110 are first differentiated into system functions 111 requiring a license and license-free system functions 112. In principle, for each system function 111 requiring a license, a license l.sub.ny used is stored in the license data set 210, the license type n of which corresponds to the system function 111 (e.g. n=9: air circulation) and the first number of licenses y of which corresponds to the number of licenses (e.g. y=1) used for the system function 111. The air circulation is also a so-called optional system function 114 which, unlike the so-called basic system functions 113, is not absolutely necessary for the operation of the oxygen reduction system 100. Appropriately, a single license l.sub.ny used, namely a basic license whose license type n corresponds to the basic system functions 113 (e.g. n=6: region control module (standard functions) or n=22: process control module (standard functions)), can be stored in the license data set 210 for several basic system functions 113.

    [0075] In the present exemplary embodiment according to FIG. 4, if more than one license data set 210 is generated locally, the locally generated license data sets 210 are combined into a single, global license data set 240 (see also FIG. 6). This method step is expediently implemented on the master control module 330. The global license data set 240 comprises the respective sum of the total licenses (l.sub.1y, l.sub.2y . . . , l.sub.ny) used of the respective license type n and the local number of licenses y assigned to the corresponding control module 310, 320, 330. To this end, the respective licenses (l.sub.1my, l.sub.2my . . . , l.sub.nmy) used are provided with an additional origin indicator m (see also FIG. 6). The global license data set 240 accordingly contains a license l.sub.6,3 used of the region control module (standard functions) license type and with the first number of licenses y=3, a license l.sub.22,2 used from the process control module (standard functions) license type and with the first number of licenses y=2, as well as a license l.sub.9,1 used of the air circulation license type and with the first number of licenses y=1. In addition, information is included regarding which control module 300, 310, 320, 330 is using the respective licenses.

    [0076] According to FIGS. 3 and 4, in a third method step 203, a verification data set 220 which is provided on a storage medium 340 and which contains a number of existing licenses (L.sub.1x, L.sub.2x . . . L.sub.nx) is read. In a fourth method step 204, a license violation is determined if not every license (l.sub.1y, l.sub.2y, . . . , l.sub.ny) used of the license data set 210 (license type n and respective number of licenses y) or, according to the present exemplary embodiment, not every one of the licenses l.sub.6,3, l.sub.22,2, l.sub.9,1 used of the global license data set 240, is contained in the verification data set 220. For example, in the case of a verification data set 220 that only contains the existing licenses L.sub.6,3, L.sub.22,2 or only the existing licenses L.sub.6,2, L.sub.22,2, L.sub.9,1, a license violation would be found in each case.

    [0077] Depending on the method variant, if there is a license violation in a fifth method step 205, 206, either a message, in particular an error message, can be output 205 or the license violation results in a deactivation 206 of at least one system function, in particular an optional and/or licensed system function 111, 114, or alternatively all of the system functions 110, 111, 112, 113, 114. According to the exemplary embodiment, if the verification data set 220 contains at least the existing licenses L.sub.6,3, L.sub.22,2, L.sub.9,1, a license violation is not determined and the verification method 200 is repeated beginning with the first method step 201. The verification data set 220 can expediently also contain other existing licenses L, as shown here, for example, an existing license L.sub.13,1 of the license type n=13: monitoring access doors with the second number of licenses x=1, which allow a user or the service personnel to use additional system functions 110, which are included, for example, in the intended scope of the license and the use thereof should therefore not lead to the determination of a license violation.

    [0078] Even after a message, in particular an error message or a fault message, has been output 205, the verification method 200 according to the invention is carried out repeatedly. Regardless of the determination of a license violation, the operation of the oxygen reduction system 100 will (initially) continue. The verification method 200 according to the invention is preferably repeated at regular time intervals, wherein only the deactivation 206 of all system functions 110, 111, 112, 113, 114 also ends the verification method 200 according to the invention. In order to resume operation of the oxygen reduction system 100 and to continue to carry out the verification method 200, a manual restart of the oxygen reduction system 100 and possibly also of the verification method 200 is necessary.

    [0079] According to a variant of the method, in an optional method step 208, a timer 304 can be started upon detection 204 of a license violation. The timer measures the time elapsed from the first detection 204 of a license violation until a license violation check is negative for the first time in a subsequent method cycle, i.e. until the license violation is no longer present. According to a further variant of the method, a fault message is output 209 after expiry of a first predetermined time interval (e.g. 60 minutes), i.e. if the timer 304 counts backwards starting from that interval, or when the first predetermined time interval has been reached, i.e. if the timer counts forwards starting from a time value of zero, an error message having been output continuously 205 during this time interval. After expiry of a second time interval (for example 72 hours), or when it has been reached, during which the fault message is output without interruption, all system functions can then preferably be deactivated 206 and the verification method 200 terminated.

    [0080] If it is determined at a point in time of the verification method 200 that there is no license violation and if an error message and/or fault message is issued 205, 209, the error message and/or fault message can be reset in an optional method step 205a, 209a before a subsequent run of the verification method 200 is started. Correspondingly, the timer 304 can be reset in an optional method step 208a if it is determined 204 at a point in time of the verification method 200 that there is no license violation and the timer 304 has been started to detect a time interval or outputs a time value other than zero.
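    The escalation sequence of paragraphs [0078] to [0080] can be written as a small state machine that is stepped once per verification cycle. This is an added example, not code from the patent; the names are hypothetical, and it assumes that the second interval is counted from the moment the fault message is first output.

```python
from dataclasses import dataclass
from typing import List, Optional

FIRST_INTERVAL_S = 60 * 60        # e.g. 60 minutes, paragraph [0079]
SECOND_INTERVAL_S = 72 * 60 * 60  # e.g. 72 hours, paragraph [0079]


@dataclass
class VerificationState:
    """Hypothetical container for what one control module remembers between cycles."""
    error_message: bool = False              # step 205
    fault_message: bool = False              # step 209
    violation_since: Optional[float] = None  # timer 304, started in step 208
    fault_since: Optional[float] = None      # assumption: start of the second interval
    deactivated: bool = False                # step 206, all system functions


def run_cycle(state: VerificationState, violation: bool, now: float) -> List[str]:
    """Run one verification cycle and return the actions taken in it.

    `violation` is the outcome of step 204, `now` a monotonic time in seconds.
    """
    if state.deactivated:
        # [0078]: deactivating all system functions ends the method;
        # only a manual restart resumes it.
        return ["halted"]

    actions: List[str] = []
    if not violation:
        # [0080]: optional resets 205a, 209a and 208a before the next run.
        if state.error_message:
            state.error_message = False
            actions.append("205a reset error message")
        if state.fault_message:
            state.fault_message = False
            state.fault_since = None
            actions.append("209a reset fault message")
        if state.violation_since is not None:
            state.violation_since = None
            actions.append("208a reset timer")
        return actions

    # Violation present: operation continues, but the escalation advances.
    if state.violation_since is None:
        state.violation_since = now
        actions.append("208 start timer")
    if not state.error_message:
        state.error_message = True
        actions.append("205 output error message")
    if (not state.fault_message
            and now - state.violation_since >= FIRST_INTERVAL_S):
        state.fault_message = True
        state.fault_since = now
        actions.append("209 output fault message")
    if (state.fault_message
            and now - state.fault_since >= SECOND_INTERVAL_S):
        state.deactivated = True
        actions.append("206 deactivate all system functions")
    return actions


def manual_restart(state: VerificationState) -> None:
    """[0078]: a manual restart is needed after deactivation."""
    state.error_message = False
    state.fault_message = False
    state.violation_since = None
    state.fault_since = None
    state.deactivated = False


if __name__ == "__main__":
    # Constructed timeline: a violation that is never corrected.
    s = VerificationState()
    for t in (0, 1800, 3600, 3600 + SECOND_INTERVAL_S):
        print(t, run_cycle(s, True, t))
```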

    [0081] In an optional method step 207, to increase security, there can also be a check to determine whether the verification data set 220 contains an activation code, in which a message, in particular a fault message, is output 209 and/or at least one system function 110 is deactivated 206 if the activation code is not recognized. Method step 207 is preferably carried out after the third method step 203 but can also be carried out before or at the same time.

    [0082] The verification data set 220 is read 203 preferably via an interface 303 connected or connectable to the storage medium 340 in a signal-transmitting manner. Finally, provision can optionally also be made for a message, in particular a fault message, to be output 209 and/or at least one system function 110 to be deactivated if the signal-transmitting connection between the storage medium 340 and the interface 303 is not detected.

    [0083] FIG. 5 shows a matrix-like, i.e. in columns and rows, assignment 230 of the licenses (l.sub.1y, l.sub.2y . . . , l.sub.ny) used, which are contained in the license data set 210, to the existing licenses (L.sub.1x, L.sub.2x . . . L.sub.nx) contained in the verification data set 220. The licenses (l.sub.1y, l.sub.2y . . . , l.sub.ny) used are listed here as an example in column one, and the existing licenses (L.sub.1x, L.sub.2x . . . L.sub.nx) are in column three. Each row corresponds to a specific license type n, so that licenses of the same license type n are assigned to one another in rows. In the second or middle column, the license value z formed from the difference in the respective number of licenses x.sub.Ln−y.sub.ln is listed in rows. If one of the license values formed is z<0, a license violation is determined.

    [0084] A schematic representation of an exemplary global license data set 240 is shown in FIG. 6. The sum of all numbers of licenses y.sub.lnm assigned to a respective license type n is formed in the first column. The other columns contain, broken down according to different control modules 300, the locally used licenses l.sub.my, in which an origin indicator m is additionally assigned to each license l.sub.nmy used in the global license data set 240 so that licenses l.sub.nmy used by the same control module 300 are assigned to each other in columns and licenses l.sub.nmy of the same license type n are assigned to each other in rows.

    [0085] Analogously to FIG. 5, FIG. 7 shows a table-like and/or matrix-like assignment 230, i.e. in columns and rows, of the control module licenses (sl.sub.By, sl.sub.Py, sl.sub.My) contained in license data set 210 to the existing control module licenses (SL.sub.Bx, SL.sub.Px, SL.sub.Mx) contained in verification data set 220. Instead of the license type n, the control module licenses (sl.sub.By, sl.sub.Py, sl.sub.My) used and the existing control module licenses (SL.sub.Bx, SL.sub.Px, SL.sub.Mx) are each provided with a parameter to identify the control module type, in which “B” denotes a region control module 310, “P” denotes a process control module 320, and “M” denotes a master control module 330. In the middle column, three control module license values z.sub.SL are formed which reflect the difference between the control module licenses (sl.sub.By, sl.sub.Py, sl.sub.My) used and the existing control module licenses (SL.sub.Bx, SL.sub.Px, SL.sub.Mx). A license violation is determined if one of the control module license values z.sub.SL is <0.

    [0086] FIGS. 8 and 9 show an assignment 230 in columns and rows, as shown in general form in FIG. 5, using the exemplary embodiment according to FIG. 3 that was already used previously. The license types n=6, 9, 13, 22 stored for the verification method 200 are listed in the first column of the table. Column two shows how the real names of the system functions 110 assigned to the respective license types n can be displayed to a user or the operating personnel of the oxygen reduction system 100, by means of a user interface 250: n=6: region control module (standard functions), n=9: air circulation, n=13: monitoring of access doors, and n=22: process control module (standard functions). The respective first number of licenses y of the licenses l used is then stored in column three and can be displayed to the user as a specific value. The respective second number of licenses x of the existing licenses L is stored in column five and is likewise output as a specific value on the user interface 250 to a user or the service personnel. The difference formed from the first number of licenses y of the licenses l used and the second number of licenses x of the existing licenses L is stored as a license value z and informs the user or the service personnel, via the user interface 250, about the number of currently available licenses. According to the exemplary embodiment, all of the licenses L present in the verification data set 220 are being used, with the exception of one license for monitoring the access doors. The license for monitoring the access doors is freely available and could be used to carry out a corresponding system function 110 in that the user manually selects the corresponding system function 110 stored on a control module 300.

    [0087] The table shown in FIG. 9 contains essentially identical information but represents a later point in time during the operation of the oxygen reduction system 100. In addition to the previously used system functions 110, the air circulation system function 110 was selected by a user or the service personnel on a control module 300. In column 3, the value of the first number of licenses y, which reflects the number of air circulation licenses used, has increased accordingly by 1; two air circulation licenses are being used. According to the exemplary embodiment, the same verification data set 220 is also available at this point in time, which is why a corresponding license value of −1 results with regard to the air circulation system function 110. In the verification method 200, a license violation is determined 204 and a message is output 205 accordingly. On the basis of the information displayed on the user interface 250, the user can identify the system function 110 that caused the license violation and, if necessary, correct it.
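The per-type comparison of FIGS. 8 and 9, as an added example that is not part of the patent text. The function names and all counts except the air circulation figures (one existing license, used count rising from 1 to 2) are constructed for illustration; rows follow the described column order n, name, y, z, x with z = x − y.

```python
from collections import Counter

# License type n -> display name, as listed for FIGS. 8 and 9.
NAMES = {6: "region control module (standard functions)",
         9: "air circulation",
         13: "monitoring of access doors",
         22: "process control module (standard functions)"}

# Constructed counts: one list entry per license. Only the air circulation
# figures (x = 1, y rising from 1 to 2) follow from the description.
EXISTING = [6, 6, 9, 13, 13, 22]          # verification data set 220
USED_FIG8 = [6, 6, 9, 13, 22]             # license data set 210, earlier
USED_FIG9 = USED_FIG8 + [9]               # second air circulation selected

def build_assignment(used, existing):
    """Rows (n, name, y, z, x) with z = x - y, one row per license type."""
    y_by_type, x_by_type = Counter(used), Counter(existing)
    rows = []
    # Union of both sets: a used type absent from the verification data set
    # gets x = 0 and therefore a negative license value.
    for n in sorted(set(y_by_type) | set(x_by_type)):
        y, x = y_by_type[n], x_by_type[n]
        rows.append((n, NAMES.get(n, f"license type {n}"), y, x - y, x))
    return rows

def violations(rows):
    """Rows whose license value z is negative (step 204)."""
    return [row for row in rows if row[3] < 0]

def aggregate_value(rows):
    """Sum of z over all types; shown only to contrast with the per-type test."""
    return sum(row[3] for row in rows)

if __name__ == "__main__":
    for label, used in (("FIG. 8", USED_FIG8), ("FIG. 9", USED_FIG9)):
        rows = build_assignment(used, EXISTING)
        print(label)
        for n, name, y, z, x in rows:
            print(f"  n={n:<3} {name:<45} y={y} z={z:+d} x={x}")
        for n, name, y, z, x in violations(rows):
            print(f"  license violation: {name} (z={z})")
```

With these counts the FIG. 9 state sums to an aggregate value of 0, because the free access door license offsets the missing air circulation license; only the per-type test on z reports the violation.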

    LIST OF REFERENCE NUMERALS

    [0088] 100 Oxygen reduction system
    [0089] 110 System functions
    [0090] 111 System functions requiring a license
    [0091] 112 License-free system functions
    [0092] 113 Basic system functions
    [0093] 114 Optional system functions
    [0094] 121 Protection region
    [0095] 122 Monitoring region
    [0096] 130 Inert gas source, particularly inert gas generator
    [0097] 131 Inert gas
    [0098] 140 Sensor
    [0099] 150 Actuator
    [0100] 160 Control and display panel
    [0101] 200 Verification method
    [0102] 201 Detecting system functions, first method step
    [0103] 202 Generating a license data set, second method step
    [0104] 203 Reading in a verification data set, third method step
    [0105] 204 Determining a license violation, fourth method step
    [0106] 205 Outputting a message, in particular an error message, fifth method step
    [0107] 205a Resetting an error message
    [0108] 206 Deactivating at least one system function, fifth method step
    [0109] 207 Checking for activation code
    [0110] 208 Starting a timer
    [0111] 208a Resetting a timer
    [0112] 208b Expiry of or reaching a first time interval
    [0113] 208c Expiry of or reaching a second time interval
    [0114] 209 Outputting a fault message
    [0115] 209a Resetting a fault message
    [0116] 210 License data set
    [0117] 220 Verification data set
    [0118] 230 Assignment
    [0119] 240 Global license data set
    [0120] 250 User interface
    [0121] 300 Programmable control module
    [0122] 301 Signal input channel
    [0123] 302 Signal output channel
    [0124] 303 Interface
    [0125] 304 Timer
    [0126] 310 Region control module
    [0127] 320 Process control module
    [0128] 330 Master control module
    [0129] 340 Storage medium
    [0130] 350 Hardware component
    [0131] l Licenses used (l.sub.1y, l.sub.2y . . . , l.sub.ny)
    [0132] L Existing licenses (L.sub.1x, L.sub.2x . . . L.sub.nx)
    [0133] sl Control module licenses used (sl.sub.By, sl.sub.Py, sl.sub.My)
    [0134] SL Existing control module licenses (SL.sub.Bx, SL.sub.Px, SL.sub.Mx)
    [0135] n License type
    [0136] m Origin indicator
    [0137] x Second number of licenses (x=0, 1, n)
    [0138] y First number of licenses (y=0, 1, n)
    [0139] z License value (z=−n, −1, 0, 1, n)
    [0140] x.sub.SL Second number of control module licenses (x=0, 1, n)
    [0141] y.sub.sl First number of control module licenses (y=0, 1, . . . , n)
    [0142] z.sub.SL Control module license value (z.sub.SL1, z.sub.SL2, . . . , z.sub.SLn)