IN A PROFISAFE ENVIRONMENT AT RUNTIME

TECHNICAL FIELD

Embodiments presented herein relate to methods, an F-Host, an F-Device, computer programs, and a computer program product for updating parameters in a PROFIsafe environment at runtime.

BACKGROUND

In general terms, PROFINET short for (Process Field Net) is an industry technical standard for data communication over Industrial Ethernet, designed for collecting data from, and controlling, equipment in industrial systems, with a particular strength in delivering data under tight time constraints (on the order of tms or less). Interfacing to peripherals is implemented by PROFINET 10.

PROFIsafe (short for PROFIBUS safety or PROFINET safety) is a safety communication technology for distributed automation. Its specification for PROFIBUS DP and PROFIBUS PA was published first in 1999 and extensions for the Ethernet based PROFINET 10 were published in 2005. ROFIsafe is designed as a separate layer on top of the fieldbus application layer to reduce the probability of data transmission errors. PROFIsafe messages use standard fieldbus cables and messages. PROFIsafe does not depend on error detection mechanisms of underlying transmission channels, and thus supports securing of whole communication paths, including backplanes inside controllers or remote I/O. A system description of PROFIsafe is available here:

https://www.profibus. com/index. php?eID=dumpFile&t=f&f=5i7i9&token= 3ddbi3f2i5c62bfc35ca8a5e4C407ieoc4bdoo6c (accessed and available as of 20 June 2018).

In PROFIsafe standard version 2.6.1 it is not allowed to change parameters at runtime (this includes both PROFIsafe so-called fail-safe parameters (F- Parameters) and device-specific so-called individual parameters (iParameters). If new parameters are downloaded then the so-called fail-safe host (F-Host; e.g., a safety controller) and the so-called fail-safe device (F- Device; e.g., a safety device) shall either go to fail-safe state or ignore the new parameters. An optional feature has been proposed that would allow parameters to be changed, but this requires that cyclic communication is temporarily frozen (i.e., inputs and outputs keep their last valid values).

Hence, there is still a need for an improved update of parameters in a PROFIsafe .

SUMMARY

An object of embodiments herein is to provide mechanisms for efficient update of parameters in a PROFIsafe that does not suffer from the above noted issues, or at least where the above noted issues are mitigated or reduced.

According to a first aspect there is presented a method for updating parameters in a PROFIsafe environment at runtime, the PROFIsafe environment at least comprising a failsafe host (F-Host) and a failsafe device (F-Device), the method being performed by the F-Host, the method comprising: detecting, upon downloading a configuration, that the configuration comprises at least one parameter to be updated; initiating a configure in runtime procedure by starting a watchdog timer; indicating to the F-Device to also initiate its own configure in runtime procedure;

obtaining an indication from the F-Device that the F-Device has updated the at least one parameter; switching to using the at least one updated

parameter; and resetting its monitoring numbers for communication with the F-Device based on the at least one updated parameter only when the indication from the F-Device is obtained before expiration of the watchdog timer.

According to a second aspect there is presented an F-Host configured to perform the method according to the first aspect. The F-Host comprises processing circuitry. The processing circuitry is configured to cause the F- Host to detect, upon downloading a configuration, that the configuration comprises at least one parameter to be updated; initiate a configure in runtime procedure by starting a watchdog timer; indicate to the F- Device to also initiate its own configure in runtime procedure; obtain an indication from the F-Device that the F-Device has updated the at least one parameter; switch to using the at least one updated parameter; and reset its monitoring numbers for communication with the F-Device based on the at least one updated parameter only when the indication from the F-Device is obtained before expiration of the watchdog timer.

According to a third aspect there is presented a computer program for updating parameters in a PROFIsafe environment at runtime, the computer program comprising computer program code which, when run on processing circuitry of an F-Host, causes the F-Host to perform a method according to the first aspect.

According to a fourth aspect there is presented a method for updating parameters in a PROFIsafe environment at runtime, the PROFIsafe environment at least comprising a failsafe host (F-Host) and a failsafe device (F-Device), the method being performed by the F-Device, the method comprising: detecting, upon downloading a configuration, that the

configuration comprises at least one parameter to be updated; obtaining an indication from the F-Host to initiate its own configure in runtime procedure; initiating its own configure in runtime procedure; updating the at least one parameter; providing an indication to the F-Host that the F-Device has updated the at least one parameter; switching to using the at least one updated parameter only when having obtained an indication from the F-Host to do so; and resetting its monitoring numbers for communication with the F-Host based on the at least one updated parameter after having switched to the at least one updated parameter.

According to a fifth aspect there is presented an F-Device configured to perform the method according to the fourth aspect. The F-Device comprises processing circuitry. The processing circuitry is configured to cause the F- Device to detect, upon downloading a configuration, that the configuration comprises at least one parameter to be updated; obtain an indication from the F-Host to initiate its own configure in runtime procedure; initiate its own configure in runtime procedure; update the at least one parameter; provide an indication to the F-Host that the F- Device has updated the at least one parameter; switch to using the at least one updated parameter only when having obtained an indication from the F-Host to do so; and reset its monitoring numbers for communication with the F-Host based on the at least one updated parameter after having switched to the at least one updated parameter.

According to a sixth aspect there is presented a computer program for updating parameters in a PROFIsafe environment at runtime, the computer program comprising computer program code which, when run on processing circuitry of an F-Device, causes the F- Device to perform a method according to the fourth aspect.

According to a seventh aspect there is presented a computer program product comprising a computer program according to at least one of the third aspect and the sixth aspect and a computer readable storage medium on which the computer program is stored. The computer readable storage medium could be a non-transitory computer readable storage medium.

According to an eight aspect there is presented a PROFIsafe environment comprising an F-Host according to the second aspect and at least one F- Device according to the fifth aspect.

Advantageously these methods, this F-Host and this F-Device provide efficient update of parameters in a PROFIsafe.

Advantageously these methods, this F-Host and this F-Device do not suffer from the above noted issues. Advantageously these methods, this F-Host and this F- Device enable update of parameters in a PROFIsafe in runtime without any interruption to ongoing cyclic communication between the F-Host and the F-Device.

Other objectives, features and advantages of the enclosed embodiments will be apparent from the following detailed disclosure, from the attached dependent claims as well as from the drawings.

Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the element, apparatus, component, means, module, step, etc." are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, module, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.

BRIEF DESCRIPTION OF THE DRAWINGS

The inventive concept is now described, by way of example, with reference to the accompanying drawings, in which:

Fig. l is a schematic diagram illustrating a PROFIsafe environment according to embodiments;

Figs. 2 and 3 are flowcharts of methods according to embodiments;

Fig. 4 is a signalling diagram according to an embodiment;

Fig. 5 is a schematic diagram showing functional units of an F-Host according to an embodiment;

Fig. 6 is a schematic diagram showing functional modules of an F-Host according to an embodiment;

Fig. 7 is a schematic diagram showing functional units of an F-Device according to an embodiment; Fig. 8 is a schematic diagram showing functional modules of an F- Device according to an embodiment; and

Fig. 9 shows one example of a computer program product comprising computer readable means according to an embodiment.

DETAILED DESCRIPTION

The inventive concept will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the inventive concept are shown. This inventive concept may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the inventive concept to those skilled in the art. Like numbers refer to like elements throughout the description. Any step or feature illustrated by dashed lines should be regarded as optional.

Fig. l schematically illustrates a PROFIsafe environment 100 wherein the herein disclosed embodiments apply. The PROFIsafe environment 100 at least comprises an F-Host 200 and at least one F- Device 300.

The herein disclosed embodiments allow an F-Host 200 and F- Device 300 to change parameters at runtime without any interruption to the ongoing cyclic communication. This is accomplished by using existing components of the PROFIsafe standard in a new way.

The embodiments disclosed herein thus relate to mechanisms for updating parameters in a PROFIsafe environment at runtime. In order to obtain such mechanisms there is provided an F-Host 200, a method performed by the F- Host 200, a computer program product comprising code, for example in the form of a computer program, that when run on processing circuitry of the F- Host 200, causes the F-Host 200 to perform the method. In order to obtain such mechanisms there is further provided an F-Device 300, a method performed by the F-Device 300, and a computer program product comprising code, for example in the form of a computer program, that when run on processing circuitry of the F-Device 300, causes the F-Device 300 to perform the method.

Reference is now made to Fig. 2 illustrating a method for updating parameters in a PROFIsafe environment 100 at runtime as performed by the F-Host 200 according to embodiments.

S102: The F-Host 200 detects, upon downloading a configuration, that the configuration comprises at least one parameter to be updated.

S104: The F-Host 200 initiates a configure in runtime procedure by starting a watchdog timer. S106: The F-Host 200 indicates to the F-Device 300 to also initiate its own configure in runtime procedure.

S112: The F-Host 200 obtains an indication from the F-Device 300 that the F-Device 300 has updated the at least one parameter;

S114: The F-Host 200 switches to using the at least one updated parameter. S116: The F-Host 200 resets its monitoring numbers for communication with the F-Device 300 based on the at least one updated parameter only when the indication from the F-Device 300 is obtained before expiration of the watchdog timer.

Embodiments relating to further details of updating parameters in a

PROFIsafe environmentioo at runtime as performed by the F-Host 200 will now be disclosed.

S108: The F-Host 200 obtains verification from the F-Device 300 that the F- Device 300 has initiated its own configure in runtime procedure.

In some aspects each of the at least one parameter to be updated before being updated has a respective current value, Sno: The F-Host 200, while waiting to obtain the indication from the F- Device 300 that it has updated the at least one parameter, obtains process values from the F-Device 300 using the respective current value of the at least one parameter. S118: The F-Host 200 indicates to the F-Device 300 to switch to the at least one updated parameter only when the indication from the F-Device 300 is obtained before expiration of the watchdog timer.

S120: The F-Host 200 ends the configure in runtime procedure and enters a fail-safe state when the indication from the F-Device 300 is obtained after expiration of the watchdog timer.

Reference is now made to Fig. 3 illustrating a method for updating

parameters in a PROFIsafe environment at runtime too as performed by the F-Device 300 according to embodiments.

S202: The F-Device 300 detects, upon downloading a configuration, that the configuration comprises at least one parameter to be updated.

S204: The F-Device 300 obtains an indication from the F-Host 200 to initiate its own configure in runtime procedure.

S206: The F-Device 300 initiates its own configure in runtime procedure.

S210: The F-Device 300 updates the at least one parameter. S212: The F-Device 300 provides an indication to the F-Host 200 that the F-

Device 300 has updated the at least one parameter.

S214: The F-Device 300 switches to using the at least one updated parameter only when having obtained an indication from the F-Host 200 to do so.

S216: The F-Device 300 resets its monitoring numbers for communication with the F-Host 200 based on the at least one updated parameter after having switched to the at least one updated parameter. Embodiments relating to further details of updating parameters in a

PROFIsafe environment too at runtime as performed by the F- Device 300 will now be disclosed.

S208: The F-Device 300 provides verification to the F-Host 200 that the F- Device 300 has initiated its own configure in runtime procedure before updating the at least one parameter.

In some aspects each of the at least one parameter to be updated before being updated has a respective current value.

S212: The F-Device 300, while waiting to obtain the indication from the F- Host 200 to switch to the at least one updated parameter, provides process values to the F-Host 200 using the respective current value of the at least one parameter.

S218: The F-Device 300 ends the configure in runtime procedure after having reset the monitoring numbers. Reference is now made to the signalling diagram of Fig. 4 disclosing a method for updating parameters in a PROFIsafe environment at runtime as performed by the F-Host 200 and the F-Device 300.

When a new valid configuration has been downloaded to the F-Host 200 and F-Device 300 they independently of each other check if the included new parameters are allowed to be changed or not. If allowed to be changed, the F- Host 200 and F-Device 300 prepare to start the PROFIsafe related

Configure-In-Runtime procedure (hereinafter denoted CiR for short). The download and consistency check of a new configuration is outside the scope of the herein disclosed embodiments. It is expected that this has successfully been performed before the sequence to change parameters is initiated.

The F-Host 200 initiates the CiR by starting a watchdog timer to supervise that the change of parameters does not take longer than two times the configured FDRT diagnostic cycle (step 1.0). Next it sets iPar_EN to 1 in the Control Byte to instruct the F-Device 300 to also start CiR (step 1.1). This setting is included in the next protocol data unit (PDU) sent from the F-Host 200 to the F-Device 300. When the F-Device 300 detects that iPar_EN is set to 1 in the Control Byte it initiates CiR in the F-Device 300 (step 1.2) by setting iPar_OKto 1 in the Status Byte (step 1.3). The F-Device 300 also initiates the update of any new device-specific parameters, iParameters, in the F-Device 300. How the device specific parameters are updated is outside the scope of the herein disclosed embodiments. It is noted that the response with iPar_OK set to 1 does not have to be the first incoming PDU after iPar_EN has been set to 1.

When the F-Host 200 receives the safety PDU with iPar_OK set to 1 this is an indication that the CiR has been started in the F-Device 300, and the F-Host 200 waits for the F-Device 300 to finish the update of iParameters. While waiting for this, the normal PROFIsafe cyclic communication is ongoing with exchange of process values between F-Host 200 and F-Device 300, both of which are still using the old set of F-Parameters (step 1.4, step 1.5). The standard timeout value, F_WD_Time, is used for this communication and the iPar_EN remains set to 1 in the Control Byte while waiting for the F- Device 300 to finish (step 1.6). If the F-Device 300 does not respond with iPar_OK set to o within the watchdog time, then the F-Host 200 ends CiR, switches to the new F-Parameters, and goes to a fail-safe state using the same state transition as for a normal PROFIsafe related timeout.

When the iParameters have been updated the F-Device 300 sets iPar_OK to o and the F-Host 200 detects this in the received safety PDU (step 1.7). The F-Host 200 now stops the watchdog timer, switches to the new F-Parameters that were downloaded as part of the new configuration, and resets the monitoring number (MNR) (step 1.8). The new MNR is based on the new F- Parameters and is used to calculate the cyclic redundancy check (CRC) for the next PDU sent to the F-Device 300. This makes sure that the communication between the F-Host 200 and F-Device 300 can only be successful if they both use the same F-Parameters. The F-Host 200 sets iPar_EN to o and

R_cons_nr to 1 in the Control Byte to instruct the F-Device 300 to also switch F-Parameters (step 1.9). One difference to the normal PROFIsafe handling at a restart of MNR is that activate_FV is not set in the Control Byte.

The F- Device 300 detects that iPar_EN is set to o and R_cons_nr is set to 1 and switches to using the new F-Parameters and resets the MNR (step 1.10). Using the MNR based on the new F-Parameters allows the F-Device 300 to decode the safety PDU from the F-Host 200 successfully and the cyclic communication can continue without any interruption. The F-Device 300 sets cons_nr_R to 1 to indicate that it also has restarted MNR and when the F-Host 200 detects this in the next safety PDU then CiR is finished (step 1.11).

If any errors are detected during CiR then the F-Host 200 ends CiR, switches to the new F-Parameters, and goes to a fail-safe state using the same state transition as for a normal PROFIsafe related error. If the F-Host 200 is already in a fail-safe state when new parameters are downloaded then the change of parameters takes place immediately without any CiR. The same applies for the F-Device 300. The end result always is that the F-Host 200 and F-Device 300 change to new valid F-Parameters, which is followed by an unconditional reset of MNR.

The used sequence of the iPar_EN, iPar_OK, and R_cons_nr bits ensures that it is the F-Host 200 that begins and finishes the CiR. The reset of MNR when changing F-Parameters ensures that the cyclic communication can only continue successfully if the F-Host 200 and F-Device 300 use the same F- Parameters.

Fig. 5 schematically illustrates, in terms of a number of functional units, the components of an F-Host 200 according to an embodiment. Processing circuitry 210 is provided using any combination of one or more of a suitable central processing unit (CPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions stored in a computer program product 910a (as in Fig. 9), e.g. in the form of a storage medium 230. The processing circuitry 210 may further be provided as at least one application specific integrated circuit (ASIC), or field programmable gate array (FPGA).

Particularly, the processing circuitry 210 is configured to cause the F-Host 200 to perform a set of operations, or steps, as disclosed above. For example, the storage medium 230 may store the set of operations, and the processing circuitry 210 may be configured to retrieve the set of operations from the storage medium 230 to cause the F-Host 200 to perform the set of operations. The set of operations may be provided as a set of executable instructions. Thus the processing circuitry 210 is thereby arranged to execute methods as herein disclosed.

The storage medium 230 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.

The F-Host 200 may further comprise a communications interface 220 for communications with other entities, nodes, functions, and devices, such as the F-Device 300, of the PROFIsafe environment 100. As such the communications interface 220 may comprise one or more transmitters and receivers, comprising analogue and digital components.

The processing circuitry 210 controls the general operation of the F-Host 200 e.g. by sending data and control signals to the communications interface 220 and the storage medium 230, by receiving data and reports from the communications interface 220, and by retrieving data and instructions from the storage medium 230. Other components, as well as the related functionality, of the F-Host 200 are omitted in order not to obscure the concepts presented herein.

Fig. 6 schematically illustrates, in terms of a number of functional modules, the components of an F-Host 200 according to an embodiment. The F-Host 200 of Fig. 6 comprises a detect module 210a configured to perform step S102, an initiate module 210b configured to perform step S104, an indicate module 210c configured to perform step S106, an obtain module 2iod configured to perform step Sio8, an obtain module 2ioe configured to perform step Sno, an obtain module 2iof configured to perform step S112, a switch module 2iog configured to perform step S114, a reset module 2ioh configured to perform step S116, an indicate module 2101 configured to perform step S118, an enter module 2ioj configured to perform step S120.

In general terms, each functional module 2ioa-2ioj may be implemented in hardware or in software. Preferably, one or more or all functional modules 2ioa-2ioj may be implemented by the processing circuitry 210, possibly in cooperation with the communications interface 220 and/or the storage medium 230. The processing circuitry 210 may thus be arranged to from the storage medium 230 fetch instructions as provided by a functional module 2ioa-2ioj and to execute these instructions, thereby performing any steps of the F-Host 200 as disclosed herein.

Fig. 7 schematically illustrates, in terms of a number of functional units, the components of an F-Device 300 according to an embodiment. Processing circuitry 310 is provided using any combination of one or more of a suitable central processing unit (CPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions stored in a computer program product 910b (as in Fig. 9), e.g. in the form of a storage medium 330. The processing circuitry 310 may further be provided as at least one application specific integrated circuit (ASIC), or field programmable gate array (FPGA).

Particularly, the processing circuitry 310 is configured to cause the F-Device 300 to perform a set of operations, or steps, as disclosed above. For example, the storage medium 330 may store the set of operations, and the processing circuitry 310 may be configured to retrieve the set of operations from the storage medium 330 to cause the F-Device 300 to perform the set of operations. The set of operations may be provided as a set of executable instructions. Thus the processing circuitry 310 is thereby arranged to execute methods as herein disclosed. The storage medium 330 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.

The F-Device 300 may further comprise a communications interface 320 for communications with other entities, nodes, functions, and devices, such as the F-Host 200, of the PROFIsafe environment 100. As such the

communications interface 320 may comprise one or more transmitters and receivers, comprising analogue and digital components.

The processing circuitry 310 controls the general operation of the F-Device 300 e.g. by sending data and control signals to the communications interface 320 and the storage medium 330, by receiving data and reports from the communications interface 320, and by retrieving data and instructions from the storage medium 330. Other components, as well as the related functionality, of the F-Device 300 are omitted in order not to obscure the concepts presented herein.

Fig. 8 schematically illustrates, in terms of a number of functional modules, the components of an F-Device 300 according to an embodiment. The F- Device 300 of Fig. 8 comprises a detect module 310a configured to perform step S202, an obtain module 310b configured to perform step S204, an initiate module 310c configured to perform step S206, a provide module 3iod configured to perform step S206, an update module 3ioe configured to perform step S208, a provide module 3iof configured to perform step S210, a switch module 3iog configured to perform step S212, a reset module 310I1 configured to perform step S214, an end module 3101 configured to perform step S216.

In general terms, each functional module 3ioa-3ioi may be implemented in hardware or in software. Preferably, one or more or all functional modules 3ioa-3ioi may be implemented by the processing circuitry 310, possibly in cooperation with the communications interface 320 and/or the storage medium 330. The processing circuitry 310 may thus be arranged to from the storage medium 330 fetch instructions as provided by a functional module 3ioa-3ioi and to execute these instructions, thereby performing any steps of the F- Device 300 as disclosed herein.

Fig. 9 shows one example of a computer program product 910a, 910b comprising computer readable means 930. On this computer readable means 930, a computer program 920a can be stored, which computer program 920a can cause the processing circuitry 210 and thereto operatively coupled entities and devices, such as the communications interface 220 and the storage medium 230, to execute methods according to embodiments described herein. The computer program 920a and/or computer program product 910a may thus provide means for performing any steps of the F-Host 200 as herein disclosed. On this computer readable means 930, a computer program 920b can be stored, which computer program 920b can cause the processing circuitry 310 and thereto operatively coupled entities and devices, such as the communications interface 320 and the storage medium 330, to execute methods according to embodiments described herein. The computer program 920b and/or computer program product 910b may thus provide means for performing any steps of the F- Device 300 as herein disclosed.

In the example of Fig. 9, the computer program product 910a, 910b is illustrated as an optical disc, such as a CD (compact disc) or a DVD (digital versatile disc) or a Blu-Ray disc. The computer program product 910a, 910b could also be embodied as a memory, such as a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or an electrically erasable programmable read-only memory (EEPROM) and more particularly as a non-volatile storage medium of a device in an external memory such as a USB (Universal Serial Bus) memory or a Flash memory, such as a compact Flash memory. Thus, while the computer program 920a, 920b is here schematically shown as a track on the depicted optical disk, the computer program 920a, 920b can be stored in any way which is suitable for the computer program product 910a, 910b. The inventive concept has mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the inventive concept, as defined by the appended patent claims.