Safety controller and method for loading a new operating program onto the safety controller

US 7,286,886 B2
Filed: 02/23/2005
Issued: 10/23/2007
Est. Priority Date: 08/28/2002
Status: Expired due to Term

First Claim

Patent Images

1. A safety controller for failsafe disconnection of a machine or a machine system in response to process signals from the machine or machine system, the safety controller comprisingan input module for automatically reading the process signals,a failsafe signal processing module for fail-safely processing the process signals, anda failsafe output module for producing control signals in response to the signal processing module, the control signals controlling the disconnection of the machine or machine system,wherein the signal processing module comprises at least one programmable processor and at least a first operating program stored in a non-volatile form in a first read only memory,wherein a second read only memory is provided in which a first hardware information item is stored which is characteristic at least of a current hardware configuration of the signal processing module, andwherein a download device is provided, the download device being designed to transfer a second operating program into the first read only memory,wherein the second operating program comprises a second hardware information item which is characteristic of a minimum required hardware configuration, andwherein the download device is designed to fail-safely inhibit the transfer of the second operating program into the first read only memory as a function of a comparison of the minimum required hardware configuration for said second operating program as defined by said second hardware information item, with the current hardware configuration of the signal processing module as defined by the first hardware information item.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a safety controller and to a method for loading a new operating program onto such a safety controller. The safety controller has an input module for automatically reading process signals, a failsafe signal processing module for automatically processing the process signals, and a failsafe output module which produces control signals as a function of the signal processing module. The signal processing module comprises at least one programmable processor and at least one read only memory. A current operating program for the processor is stored in a non-volatile form in the read only memory. A download device for transferring a new operating program is provided in the safety controller, with the download device enabling or inhibiting the transfer of a new operating program in a failsafe manner as a function of enabling information.

Citations

18 Claims

1. A safety controller for failsafe disconnection of a machine or a machine system in response to process signals from the machine or machine system, the safety controller comprisingan input module for automatically reading the process signals,a failsafe signal processing module for fail-safely processing the process signals, anda failsafe output module for producing control signals in response to the signal processing module, the control signals controlling the disconnection of the machine or machine system,wherein the signal processing module comprises at least one programmable processor and at least a first operating program stored in a non-volatile form in a first read only memory,wherein a second read only memory is provided in which a first hardware information item is stored which is characteristic at least of a current hardware configuration of the signal processing module, andwherein a download device is provided, the download device being designed to transfer a second operating program into the first read only memory,wherein the second operating program comprises a second hardware information item which is characteristic of a minimum required hardware configuration, andwherein the download device is designed to fail-safely inhibit the transfer of the second operating program into the first read only memory as a function of a comparison of the minimum required hardware configuration for said second operating program as defined by said second hardware information item, with the current hardware configuration of the signal processing module as defined by the first hardware information item.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The safety controller of claim 1, wherein the enabling information further comprises a first and a second item of a sequential version information, with the first sequential version information item being associated with the first operating program, and the second sequential version information item being associated with the second operating program.
  - 3. The safety controller of claim 2, wherein the download device comprises a comparator for comparing the first and second sequential version information items, and comprises an enabling device, with the enabling device inhibiting the transfer of the new operating program in a failsafe manner in response to the comparator when the second sequential version information item is lower than the first sequential version information item.
  - 4. The safety controller of claim 3, wherein the enabling device enables the transfer of the second operating program only when the second sequential version information item is higher than the first sequential version information item.
  - 5. The safety controller of claim 2, wherein the first and the second sequential version information items are stored in a failsafe manner in the first and the second operating programs, respectively.
  - 6. The safety controller of claim 1, wherein at least the second operating program comprises program code which implements safety control rules in the processing module when the second operating program is run on the processor.
  - 7. The safety controller of claim 1, wherein the first and the second hardware information items comprise items of a sequential hardware version information.
  - 8. The safety controller of claim 1, wherein the first and the second hardware information items comprise hardware type information.

9. A method for loading a new operating program onto a safety controller, comprising the steps of:
- providing a safety controller having a first and a second read only memory, wherein a current operating program is stored in the first read only memory,providing a first hardware information item, which is characteristic of the safety controller, in the second read only memory,providing a new operating program including a second hardware information item, with the second hardware information item being characteristic of a minimum required hardware for the new operating program, andtransferring the new operating program into the first read only memory as a function of enabling information which contains the first and the second hardware information items, andfail-safely inhibiting the transferring step if the first and the second hardware information items do not match each other.

10. A safety controller for failsafe control of a safety-critical process, having an input module for automatically reading process signals, a failsafe signal processing module for automatically processing the process signals, and a failsafe output module for producing control signals in response to the signal processing module, with the signal processing module comprising at least one programmable processor and at least a first read only memory in which a current operating program for the processor is stored in a non-volatile form, and having a download device for transferring a new operating program into the first read only memory, with the download device enabling or inhibiting the transfer of the new operating program in a failsafe manner as a function of enabling information;
- wherein a second read only memory is provided in which a first item of hardware information is stored which is characteristic at least of a current hardware configuration of the signal processing module, the new operating program comprises a second item of hardware information which is characteristic of a minimum required hardware configuration, and the download device is adapted to enable or inhibit the transfer of the new operating program as a function of a comparison of the first and the second hardware information items.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The safety controller of claim 10, wherein the enabling information is at least partially integrated in the new operating program in a machine-legible form.
  - 12. The safety controller of claim 10, wherein the enabling information comprises a first and a second item of a sequential version information, with the first sequential version information item being associated with the current operating program, and the second sequential version information item being associated with the new operating program.
  - 13. The safety controller of claim 12, wherein the download device comprises a comparator for comparing the first and second sequential version information items, and comprises an enabling device, with the enabling device inhibiting the loading of the new operating program in a failsafe manner as a function of the comparator when the second sequential version information item is lower than the first sequential version information item.
  - 14. The safety controller of claim 13, wherein the enabling device is adapted to enable the transfer of the new operating program only when the sequential second version information item is higher than the sequential first version information item.
  - 15. The safety controller of claim 12, wherein the first and the second sequential version information items are stored in a failsafe manner in the respective operating program in a failsafe manner.
  - 16. The safety controller of claim 10, wherein at least the new operating program comprises program code which implements safety control rules in the processing module when the new operating program is run on the processor.
  - 17. The safety controller of claim 10, wherein the first and the second hardware information items each comprise items of a sequential hardware version information.
  - 18. The safety controller of claim 10, wherein the first and the second hardware information items each comprise hardware type information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PILZ GmbH & Company
Original Assignee
PILZ GmbH & Company
Inventors
Wohnhaas, Klaus, Klopfer, Johannes
Primary Examiner(s)
Vincent; David
Assistant Examiner(s)
Chang; Sunray

Application Number

US11/063,392
Publication Number

US 20050203645A1
Time in Patent Office

972 Days
Field of Search

361100-106, 713/2, 711/170, 715/531, 700/79, 700/86, 700/87
US Class Current

700/79
CPC Class Codes

G05B 15/02   electric

G05B 9/02   electric

G06F 21/572   Secure firmware programming...

Safety controller and method for loading a new operating program onto the safety controller

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Safety controller and method for loading a new operating program onto the safety controller

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links