Method for Operating a Segment of Cycle-Oriented Control Software

20250110465 · 2025-04-03

    Abstract

    Method for operating a segment of cycle-oriented control software, wherein, to test in a virtual control system the execution of a cold start mechanism, a random number is generated on start-up of a runtime environment, stored in a storage region and added to the storage region upon every further request for a safety time. At the start of a new cycle, the deviation of the time differences is calculated; in each cycle, the storage region is accessed and, before calculation of the time differences, the random number is subtracted from the safety time again. When a new start-up of the runtime environment has occurred, this is diagnosable via the tolerance being exceeded, because the second time difference now has an offset that results from the safety time with a new random number of the current cycle and the safety time with the old random number of the previous cycle.

    Claims

    1. A method for operating a segment of cycle-oriented control software for controlling a process, the control software executing on a computer system within a runtime environment, in order to secure a system time of the computer system, a further safety time independent of the system time being requested in each cycle, a first time difference being formed from the system time of a current cycle and the system time of a previous cycle and a second time difference being formed from the safety time of the current cycle and the safety time of the previous cycle and a comparison of the first and second time differences with a pre-determined tolerance being performed and, in an event the deviation of the time differences exceeds the tolerance, an error signal being generated, the method comprising: generating a random number upon a start-up of the runtime environment, the generated random number being stored in a storage region and added to the storage region upon every further request for the safety time; calculating, in a control component, a deviation between the time differences at a start of a new cycle in the control software; and accessing, during each new cycle, the storage region by the control component, the random number being subtracted out of the safety time in the control component again before the calculation of the time differences, for an eventuality that a new start-up of the runtime environment has occurred, the new start-up of the runtime environment being diagnosable based on the tolerance being exceeded, and the second time difference having an offset which is given by the safety time with a new random number of the current cycle and the safety time with the old random number of the previous cycle.

    2. The method as claimed in claim 1, wherein the control software is operated as a fail-safe control system with a safety program and a standard user program and unwanted influencing of the safety program is revealable.

    3. The method as claimed in claim 2, wherein a cold start mechanism is performed on the computer system during a start-up of the fail-safe control system after a power failure such that the cold start mechanism ensures the start-up always occurs with initial values and not with current values of the last cycle; wherein in an event that the cold start mechanism has failed, this failure is recognized during a difference calculation in the control component via an exceeding of the tolerance, such that a failure of the cold start mechanism is recognized.

    4. The method as claimed in claim 1, wherein the safety time is read out by a hardware component installed in the computer system.

    5. The method as claimed in claim 2, wherein the safety time is read out by a hardware component installed in the computer system.

    6. The method as claimed in claim 3, wherein the safety time is read out by a hardware component installed in the computer system.

    7. The method as claimed in claim 4, wherein the hardware component comprises a network card.

    8. The method as claimed in claim 1, wherein after the request for the safety time to an integer value, and a standard frequency of 32.768 kHz is replicated.

    9. A computer system comprising: a runtime environment configured to cause a segment of cycle-oriented control software to execute to control a process; a random number generator; a processor with a system time; a hardware component with an external time source for providing a safety time; a storage region; wherein the computer system is configured to: generate a random number upon a start-up of the runtime environment, the generated random number being stored in a storage region and added to the storage region upon every further request for the safety time; calculate, in a control component, a deviation between the time differences at a start of a new cycle in the control software; and access, during each new cycle, the storage region by the control component, the random number being subtracted out of the safety time in the control component again before the calculation of the time differences, for an eventuality that a new start-up of the runtime environment has occurred, the new start-up of the runtime environment being diagnosable based on the tolerance being exceeded, and the second time difference having an offset which is given by the safety time with a new random number of the current cycle and the safety time with the old random number of the previous cycle.

    10. The computer system as claimed in claim 9, wherein the computer system is configured as one of a multifunctional control platform, an industry PC, an edge computing platform and a cloud computing platform.

    11. The computer system as claimed in claim 9, wherein the control software has a fail-safe control system with a safety program and a standard user program.

    12. The computer system as claimed in claim 10, wherein the control software has a fail-safe control system with a safety program and a standard user program.

    13. The computer system as claimed in claim 9, wherein the fail-safe control system has a cold start mechanism which is configured to perform a start-up of the fail-safe control system after a power failure on the computer system; and wherein the cold start mechanism is configured to pre-configure the fail-safe control system with initial values and not with current values of the last cycle, the computer system further comprising a control component configured to recognize a failure of the cold start mechanism via a difference calculation based on exceeding the tolerance.

    14. The computer system as claimed in claim 10, wherein the fail-safe control system has a cold start mechanism which is configured to perform a start-up of the fail-safe control system after a power failure on the computer system; and wherein the cold start mechanism is configured to pre-configure the fail-safe control system with initial values and not with current values of the last cycle, the computer system further comprising a control component configured to recognize a failure of the cold start mechanism via a difference calculation based on exceeding the tolerance.

    15. The computer system as claimed in claim 11, wherein the fail-safe control system has a cold start mechanism which is configured to perform a start-up of the fail-safe control system after a power failure on the computer system; and wherein the cold start mechanism is configured to pre-configure the fail-safe control system with initial values and not with current values of the last cycle, the computer system further comprising a control component configured to recognize a failure of the cold start mechanism via a difference calculation based on exceeding the tolerance.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0028] The drawings show an exemplary embodiment, in which:

    [0029] FIG. 1 shows a computer system on which a runtime environment for a piece of control software is accommodated in accordance with the invention;

    [0030] FIG. 2 shows a safety program with a cold start mechanism in accordance with the invention;

    [0031] FIG. 3 shows a control component for difference calculation of times in accordance with the invention;

    [0032] FIG. 4 shows the principle of the access to two different times via the runtime environment in accordance with the invention;

    [0033] FIG. 5 shows a diagram to illustrate the patterns over time of the system time and the safety time in accordance with the invention;

    [0034] FIG. 6 shows the principle of a fail-safe control system with a possible retrieval sequence in accordance with the invention; and

    [0035] FIG. 7 is a flowchart of the method in accordance with the invention.

    DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

    [0036] With reference to FIG. 1, shown therein is a computer system 1, which can be, for example, an industrial PC or an edge computing platform. In the computer system 1, a hypervisor 7 is installed that enables an operating system 8, for example, a Windows operating system, to be operated alongside a runtime environment FW. The runtime environment FW is configured to cause a segment of cycle-oriented control software SOFT-PLC to execute to control a process as a fail-safe control system. The control software SOFT-PLC is equipped with a safety program F-PROG and with a standard application program S-PROG. For the fail-safe control system F-CPU, it is necessary that to secure a system time SZ of the computer system 1, a further independent safety time eZQ independent of the system time SZ is requested in each cycle Z.

    [0037] A processor 5 of the computer system makes the system time SZ available. The safety time eZQ is read out by a hardware component 4, in particular a network card NIC installed in the computer system 1. A requestor 9 in the runtime environment FW provides for a continual requesting of the safety time eZQ. In order to secure the system time SZ, a first time difference S-Diff is formed from the system time SZ of the current cycle Zn and the system time SZ of the previous cycle Zn-1, and a second time difference F-Diff is formed from the safety time eZQ of the current cycle Zn and the safety time eZQ of the previous cycle Zn-1. A comparison of the time differences S-Diff, F-Diff is performed with a predetermined tolerance TOL and, in the event that the deviation of the time differences S-Diff, F-Diff exceeds the tolerance TOL, an error signal is generated.

    [0038] Thus, the elapsed time between the current and the previous cycle is now established via the differences between the two timers. In order to recognize whether, during a start-up after a mains off/on, the start-up actually takes place with the initial values IW and not with the current values AW of the last safety program cycle (for example, from before the mains off), a random number ZZ is generated during a start-up of the runtime environment FW. This random number ZZ is stored in a storage region 2 and, upon every further request of the safety time eZQ, the random number ZZ is added to the storage region 2. At the start of a new cycle Zn in the control software Soft-PLC, in a control component F-CRT, the storage region 2 is accessed and, before the calculation of the time differences S-Diff, F-Diff, the random number ZZ is again subtracted out of the safety time eZQ in the control component F-CRT. The random number ZZ is generated via the random number generator 3. The converter 10 provides for the addition of the random number ZZ to the externally requested safety time eZQ.

    [0039] With the fail-safe control system of the prior art, it has previously always been possible to ensure that the behavior of the two timers in the mains off state is different, because both were situated on one device and the timers were defined by the manufacturer.

    [0040] If, however, it is desired to realize a control with a piece of control software Soft-PLC on any desired platform, then the second time can be retrieved, for example, from a network card NIC, but this network card NIC has an undefined behavior during a mains off. In order, furthermore, to reveal a failure of a cold start mechanism KM, with this solution the random number ZZ is added to the value of the safety time eZQ. This random number ZZ is formed once on each start-up, for example, after a power failure.

    [0041] When the cold start mechanism KM is functioning, the random number ZZ is subtracted out during the difference calculation of the times. If the cold start mechanism KM has failed, the calculation occurs with two different random numbers ZZ in the cycle Z: once with the random number ZZ from before a mains off and once with the new random number ZZ from after a mains on. The execution of the safety program F-PROG can therefore be stopped, because this is an indicator that the cold start mechanism KM has failed and the current values AW have not been reset to initial values IW.

    [0042] The computer system 1 also has additional reserved hardware 6 specifically for the fail-safe control system F-CPU.

    [0043] In FIG. 2, it is made clear that at the start of a safety program F-PROG, a cold start mechanism KM is performed that resets the current values AW to initial values IW. With each cycle Z in the safety program F-PROG, the time is recalculated via the control component F-CRT.

    [0044] FIG. 3 shows the time calculation algorithm implemented in the control component F-CRT. The control component F-CRT receives, as input variables, the system time SZ, the random number ZZ from the storage region 2 and the safety time eZQ converted with the converter 10 to a safety time eZQ into which the random number ZZ is added. In the control component F-CRT, however, the random number ZZ is subtracted out again from the safety time eZQ and the safety time eZQ (Zn) is obtained. Now, the differences S-Diff and F-Diff of the respective old and new time are formed. If the differences exceed a tolerance TOL, then an error signal is generated.

    [0045] FIG. 4 shows a block circuit diagram illustrating the different time formations. In the runtime environment FW, a system call 13, for example, a Linux SysCall, is implemented to the network register of the network card NIC. This system call 13 continuously retrieves the safety time eZQ from the network card NIC. The network card NIC makes a time basis available via a local clock time 11, where this time basis is normalized via a normalization 12 to a normalized 64-bit counter. This 64-bit counter is given in nanoseconds. The random number generator 3 is also implemented in the runtime environment FW. The converter 10 receives the random number ZZ generated by the random number generator 3 and, with the aid of a time converter 14, the random number ZZ is calculated into the time and, simultaneously, this calculated time is converted to a standard time of 32.768 kHz. In this way, the safety time eZQ with the random number ZZ applied to it is obtained. Via a basis timer access 16, the system time SZ of the processor 5 is made available in a conventional manner to the runtime environment FW. Via a divider 15, the system time SZ can be adapted in accordance with the specifications. Ultimately, the time needed for the control of the process is made available to the safety program F-PROG and the user program S-PROG via a standard basis timer 17.

    [0046] FIG. 5 shows a diagram 50 of the patterns over time of the system time SZ and the safety time eZQ. At a start time point, the system time SZ, shown via the temporal variation 51 and the safety time eZQ, shown via the temporal variation 52, start running. At a time point NA (mains off), the power fails. In general, a processor and/or its system time SZ is configured so that it is remanent. This means that after the return of the voltage and/or after ending of the power failure, at the time point NE (mains on), the time continues running with the last value. The behavior of the additionally obtained safety time eZQ is not known and/or is typically not remanent. As a result, no defined behavior is obtained and it is not possible to react thereto in a safety-compliant manner. If, at the time point NE (mains on), a cold start of the computer system 1 were to be performed and if, arbitrarily, the cold start mechanism KM was not implemented in the safety program F-PROG, then this would be revealed by an offset V in the time difference F-Diff for the safety time eZQ. The offset V results from the difference between the new random number ZZ-neu and the old random number ZZ-alt.

    [0047] FIG. 6 shows the principle of the start-up upon starting a fail-safe control system F-CPU. Firstly, the cold start mechanism KM is performed. In the cold start mechanism KM, inter alia, user data is deleted and the current process map of the inputs and the current process map of the outputs is deleted. Remanent and non-remanent markers are deleted. Times and counters are deleted. All DBs are initialized with initial values. During this phase, peripheral outputs are switched into a safe state.

    [0048] During a cold start, it is necessary, in particular for a fail-safe control system F-CPU, that starting occurs with initial values IW. Thereafter, the actual safety program F-PROG starts from a safety OB, F-OB, and the different safety components F1, F2, F-CRT . . . to Fn are gradually called. All these safety components provide for the functional safety required of the fail-safe control system F-CPU. In the control component F-CRT, in order to secure the system time SZ to the safety time eZQ, a random number ZZ is added. As such, if the cold start mechanism KM has failed, then the calculation occurs later with an old value in the storage region 2 and the failure of the cold start mechanism KM would be revealed. In the safety program F-PROG, in the standard user program S-PROG, a standard basis timer unit 17 is made available for the calling of an OB1.

    [0049] FIG. 7 is a flowchart of the method for operating a segment of cycle-oriented control software Soft-PLC for controlling a process, where the control software Soft-PLC executes on a computer system 1 within a runtime environment FW, in order to secure the system time SZ of the computer system 1, a further safety time eZQ independent of the system time SZ is requested in each cycle Z, a first time difference S-Diff is formed from the system time SZ of a current cycle Zn and the system time SZ of a previous cycle Zn-1 and a second time difference F-Diff is formed from the safety time eZQ of the current cycle Zn and the safety time eZQ of the previous cycle Zn-1 and a comparison of the first and second time differences S-Diff, F-Diff with a pre-determined tolerance TOL is performed and, in an event the deviation of the time differences S-Diff, F-Diff exceeds the tolerance TOL, an error signal is generated.

    [0050] The method comprises generating a random number ZZ upon a start-up of the runtime environment FW, as indicated in step 710. In accordance with the method, the generated random number ZZ is stored in a storage region 2 and added to the storage region 2 upon every further request for the safety time eZQ.

    [0051] Next, a deviation between the time differences S-Diff, F-Diff, is calculated in a control component F-CRT at the start of a new cycle Zn in the control software Soft-PLC, as indicated in step 720.

    [0052] Next, the storage region 2 is accessed by the control component F-CRT during each new cycle Zn, as indicated in step 730. Here, the random number ZZ is subtracted out of the safety time eZQ in the control component F-CRT again before the calculation of the time differences S-Diff, F-Diff, for the eventuality that a new start-up of the runtime environment FW has occurred, where the new start-up of the runtime environment FW is diagnosable based on the tolerance TOL being exceeded, because the second time difference F-Diff has an offset V that is given by the safety time eZQ with a new random number ZZ of the current cycle Zn and the safety time eZQ with the old random number ZZ of the previous cycle Zn-1.
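    The cycle check of [0037] and [0038], the F-CRT algorithm of FIG. 3 ([0044]), the offset V of FIG. 5 ([0046]) and steps 710 to 730 above, worked through in a constructed Python simulation. This is an added example, not code from the patent or from any product. The cycle length, the tolerance TOL, the range from which ZZ is drawn, the nanosecond NIC counter and the assumption that the current values AW carry the safety time as delivered (with ZZ included) from one cycle to the next are all choices made here to make the mechanism runnable. The system time SZ is modeled as remanent; the NIC counter can either continue or reset across the mains off, so both of its undefined behaviors can be exercised.

```python
"""Simulation of the F-CRT time check with the start-up random number ZZ.

Constructed example; cycle length, tolerance and the ZZ range are assumptions,
not values from the patent.
"""
import random
from dataclasses import dataclass
from typing import Optional

CYCLE_NS = 10_000_000            # assumed cycle Z: 10 ms
TOL_NS = 2_000_000               # assumed tolerance TOL: 2 ms
ZZ_MIN, ZZ_MAX = 2**40, 2**41    # assumed range for ZZ, far wider than TOL


class NetworkCard:
    """Hardware component 4 (NIC): 64-bit nanosecond counter, not remanent."""

    def __init__(self) -> None:
        self.counter_ns = 0

    def advance(self, ns: int) -> None:
        self.counter_ns += ns

    def mains_off(self, resets: bool) -> None:
        # behaviour across a power failure is undefined: model both cases
        if resets:
            self.counter_ns = 0


class RuntimeEnvironment:
    """Runtime environment FW: system time SZ (remanent), storage region 2, converter 10."""

    def __init__(self, nic: NetworkCard) -> None:
        self.nic = nic
        self.system_time_ns = 0      # SZ from processor 5; keeps its value over mains off
        self.zz = 0                  # storage region 2 (random number ZZ)

    def start_up(self, rng: random.Random, use_random_number: bool = True) -> None:
        # random number generator 3: one new ZZ per start-up of FW (step 710)
        self.zz = rng.randrange(ZZ_MIN, ZZ_MAX) if use_random_number else 0

    def request_safety_time(self) -> int:
        # requestor 9 reads eZQ from the NIC; converter 10 adds ZZ to it
        return self.nic.counter_ns + self.zz

    def run_cycle(self) -> None:
        self.system_time_ns += CYCLE_NS
        self.nic.advance(CYCLE_NS)


@dataclass
class CurrentValues:
    """Current values AW that the safety program carries from cycle to cycle."""
    sz_prev: Optional[int] = None
    ezq_prev: Optional[int] = None   # safety time as delivered (ZZ included)


def cold_start(aw: CurrentValues) -> None:
    """Cold start mechanism KM: reset current values AW to initial values IW."""
    aw.sz_prev = None
    aw.ezq_prev = None


def f_crt(fw: RuntimeEnvironment, aw: CurrentValues) -> tuple:
    """Control component F-CRT: one cycle of the difference calculation (steps 720, 730)."""
    sz_now = fw.system_time_ns
    ezq_raw = fw.request_safety_time()
    zz = fw.zz                           # storage region 2 is accessed in every cycle
    if aw.sz_prev is None:               # first cycle after a successful cold start
        aw.sz_prev, aw.ezq_prev = sz_now, ezq_raw
        return "INIT", 0
    s_diff = sz_now - aw.sz_prev
    # ZZ is subtracted out of both safety times before the difference is formed;
    # after a failed cold start the stored value still carries the old ZZ (offset V)
    f_diff = (ezq_raw - zz) - (aw.ezq_prev - zz)
    deviation = abs(s_diff - f_diff)
    aw.sz_prev, aw.ezq_prev = sz_now, ezq_raw
    return ("ERROR" if deviation > TOL_NS else "OK"), deviation


def run_scenario(cold_start_ok: bool, nic_resets: bool,
                 use_random_number: bool = True, seed: int = 1) -> list:
    """Three cycles, then mains off/on (NA/NE), then up to two further cycles."""
    rng = random.Random(seed)
    fw = RuntimeEnvironment(NetworkCard())
    fw.start_up(rng, use_random_number)
    aw = CurrentValues()
    cold_start(aw)
    results = []
    for _ in range(3):
        fw.run_cycle()
        results.append(f_crt(fw, aw)[0])
    fw.nic.mains_off(nic_resets)           # NA: power fails, FW is lost
    fw.start_up(rng, use_random_number)    # NE: FW restarts with a new ZZ (ZZ-neu)
    if cold_start_ok:
        cold_start(aw)                     # KM resets AW to IW
    for _ in range(2):
        fw.run_cycle()
        verdict = f_crt(fw, aw)[0]
        results.append(verdict)
        if verdict == "ERROR":
            break                          # error signal: F-PROG execution is stopped
    return results


if __name__ == "__main__":
    print("cold start ok, NIC continues :", run_scenario(True, False))
    print("cold start failed, NIC continues:", run_scenario(False, False))
    print("cold start failed, NIC resets   :", run_scenario(False, True))
    print("failed, no ZZ, NIC continues    :", run_scenario(False, False, use_random_number=False))
```

    Running `run_scenario(False, False, use_random_number=False)` shows why the random number is needed: when the NIC happens to keep counting across the outage and the system time is remanent, a failed cold start produces no deviation at all and is never noticed; with ZZ in place the first cycle after the restart carries the offset V = ZZ-neu minus ZZ-alt and the tolerance is exceeded regardless of how the NIC behaved. One caveat a practitioner would want: the range of ZZ has to be wide compared with TOL, otherwise two consecutive random numbers can by chance differ by less than the tolerance and a failed cold start would be missed in that particular run.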

    [0053] Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described and the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps that perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.