Industrial Control Services
Software Validation Package for WINTERPRET (T3835)
PD-6045
March, 06

The Software Validation Package for WINTERPRET is a PC-based software system designed to help assure the integrity of Regent application programs by providing a high degree of fault detection, covering:
· errors in entering and editing application programs
· transient or permanent faults in the PDS (PC) hardware (including disk, RAM, CPU and communications) or operating system software
· transient or permanent faults in the serial communications between the PDS and the Regent controller
· potential faults or errors in the WINTERPRET executable files.
By applying the tools in the Integrity Checker System the application developer assures to a high degree of certainty that:
· the application program is an accurate implementation of the specified application functions
· the application program is securely downloaded into the Regent triplicated memories
The Software Validation Package for WINTERPRET is required for safety critical applications that require TÜV certification to Safety Risk Class 5.

Theory of Operation
The Integrity Checker comprises four different programs: the Validator, the Checker, the GPL Checker and the GPL Printer. The Validator and the Checker are used to validate the compilation and download process of safety-related application programs, including those implemented with Ladder Logic and Scaling function block types.
The GPL Checker and the GPL Printer are used to validate the compilation and downloading of Guarded Peer Link data templates to assure that the link variables are configured correctly.

Checking application programs with the Validator and Checker:
Figure 1 is a data flow of the integrity check for the WINTERPRET Editor, Compilers, and download process. The flow has two loops, one showing the check for the Editor, and the other, the check for the Compiler and the download process. Both loops use the application Source File, which is CRC-protected on disk, as their reference.

After entering a logic specification into the WINTERPRET Editor, a Regent user can make a hard copy of the Source File the editor produced and see that it reflects the original specification.
Application Compiler/Download Integrity Check
The method for checking the integrity of the Application Compilers and download process has these steps:
1. The compiler generates from the application Source File an application Object File of MC68000 machine instructions. The separate Validator program generates a Check File derived from the same Source File. The Check File is an assembly code representation of the source program (as opposed to the machine-coded Object File).
Having diverse representations of the application program deriving from the same source ensures that there is little likelihood of a common-cause corruption that would go undetected. Independent generation of machine code and assembly text provides a supplemental check of the compiler's code generation.
2. The application Object File is downloaded into triplicated memories in the Regent. This is the actual executable application code that is run in the Regent controller.
3. To provide integrity checking of the compile and download process, the application Object File is uploaded from the Regent and disassembled, creating an Echo File. The disassembler is a "third-party" product developed by an agent not connected with Triplex. This gives it the advantage of having been made in a different environment than Triplex tools, thus providing a level of diversity in the check loop.
4. The Checker program then compares the disassembled Echo File with the application Check File instruction-by-instruction to see that they match, closing the loop. The Checker program will report any discrepancies between instructions in the two files. Once the match is verified, it can be assumed the compile/load process is error-free.
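The four-step loop above can be exercised end to end with a short script. The following is an added example written for this document; it is not a component of the validation package or of WINTERPRET. The Source File CRC layout, the Check File and Echo File listing formats, the placeholder opcode words and the two sample rungs are all constructed assumptions (a real Check File would be far longer). It shows the closed-loop property the text relies on: a source file whose stored CRC no longer matches is rejected before any compare, and a single instruction altered between download and upload is reported by position rather than silently accepted.

```python
import binascii
import re
from typing import List, Tuple

# --- Constructed sample inputs (assumed formats, not WINTERPRET's real file layouts) ---

# Source File: program body followed by a stored CRC-32 line (assumed layout "CRC=<8 hex digits>").
SOURCE_BODY = "RUNG 1: X1 AND X2 -> Y1\nRUNG 2: Y1 OR X3 -> Y2\n"
SOURCE_FILE = SOURCE_BODY + "CRC=%08x\n" % (binascii.crc32(SOURCE_BODY.encode()) & 0xFFFFFFFF)

# Check File: assembly text a Validator-style tool derives directly from the Source File.
CHECK_FILE = """\
; Check File - assembly representation derived from the Source File
        MOVE.W  D0,D1       ; load X1
        AND.W   D2,D1       ; AND X2
        MOVE.W  D1,(A0)     ; store Y1
        OR.W    D3,D1       ; OR X3
        MOVE.W  D1,2(A0)    ; store Y2
        RTS
"""

# Echo File: disassembly of the Object File read back from the controller.
# Assumed columns: address, opcode words (placeholders here), mnemonic and operands,
# separated by two or more spaces.
ECHO_FILE_OK = """\
00001000  3001       MOVE.W  D0,D1
00001002  C242       AND.W   D2,D1
00001004  3081       MOVE.W  D1,(A0)
00001006  8243       OR.W    D3,D1
00001008  3141 0002  MOVE.W  D1,2(A0)
0000100C  4E75       RTS
"""

# The same upload with one instruction altered between download and upload (OR became AND).
ECHO_FILE_BAD = ECHO_FILE_OK.replace("OR.W    D3,D1", "AND.W   D3,D1")


def verify_source_crc(source: str) -> bool:
    """True when the CRC-32 on the last line matches the body that precedes it."""
    body, _, tail = source.rstrip("\n").rpartition("\n")
    if not tail.startswith("CRC="):
        return False
    try:
        stored = int(tail[4:], 16)
    except ValueError:
        return False
    return (binascii.crc32((body + "\n").encode()) & 0xFFFFFFFF) == stored


def normalize_instruction(text: str) -> str:
    """Canonical form for comparison: comment stripped, whitespace collapsed, upper case."""
    return " ".join(text.split(";", 1)[0].split()).upper()


def parse_check_file(text: str) -> List[str]:
    """Instructions from the assembly listing; blank and comment-only lines are skipped."""
    instrs = [normalize_instruction(line) for line in text.splitlines()]
    return [i for i in instrs if i]


def parse_echo_file(text: str) -> List[str]:
    """Instructions from the disassembly listing; address and opcode columns are dropped."""
    out: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 3:
            raise ValueError("malformed echo line: %r" % line)
        out.append(normalize_instruction(" ".join(fields[2:])))
    return out


def compare_listings(check: List[str], echo: List[str]) -> List[Tuple[int, str, str]]:
    """Instruction-by-instruction compare; returns (1-based position, check, echo) per mismatch.
    A length difference shows up as '<missing>' on the shorter side."""
    diffs = []
    for i in range(max(len(check), len(echo))):
        c = check[i] if i < len(check) else "<missing>"
        e = echo[i] if i < len(echo) else "<missing>"
        if c != e:
            diffs.append((i + 1, c, e))
    return diffs


def integrity_check(source: str, check_file: str, echo_file: str) -> dict:
    """Closed-loop check: reject on a source CRC error, then on any Check/Echo mis-compare."""
    if not verify_source_crc(source):
        return {"result": "FAILED", "reason": "CRC error on source file", "discrepancies": []}
    diffs = compare_listings(parse_check_file(check_file), parse_echo_file(echo_file))
    if diffs:
        return {"result": "FAILED", "reason": "Check File / Echo File mis-compare", "discrepancies": diffs}
    return {"result": "PASSED", "reason": "all instructions match", "discrepancies": []}


if __name__ == "__main__":
    for label, echo in (("good upload", ECHO_FILE_OK), ("corrupted upload", ECHO_FILE_BAD)):
        r = integrity_check(SOURCE_FILE, CHECK_FILE, echo)
        print("%s: %s (%s)" % (label, r["result"], r["reason"]))
        for pos, c, e in r["discrepancies"]:
            print("  instruction %d: Check File %r, Echo File %r" % (pos, c, e))
```

The comparison deliberately works on normalized mnemonic and operand text only, so the two listings can come from different tools with different column layouts (the diversity the text values) and still be compared one instruction at a time; a truncated upload is caught as a length mismatch rather than passing because every instruction that did arrive matched.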
The Integrity Checker functions described above provide error detection for application programs implemented in Ladder Logic and Scaling function block types. The other safety-related application program type is the Guarded Peer Link. To validate the download of Guarded Peer Link templates, the GPL Checker and GPL Printer are used.
The GPL Checker uploads the Guarded Peer Link template files from the Regent controller and re-converts the template data into readable form in the GPL Echo File. The re-converted GPL Echo Files are then printed using the GPL Printer and compared by the application programmer to the original template specification, thus providing a complete, closed-loop validation of the template compilation and download process.
GPL Checker also automatically checks the power up value and time out action for each GPL variable.

Failure Modes and Effects Analysis
By using the Integrity Checker tools, the application
programmer can assure with a high degree of certainty that
faults in the creation, compilation and download of application
programs will be caught. Table 1 provides a brief Failure
Modes and Effects Analysis of this data path.
Failure mode: Editing / entry error
  Method of detection for application programs: Mis-compare of readable Source to original specification
  Method of detection for GPL templates: Mis-compare of Echo File to original template specification
Failure mode: Source File corrupted
  Method of detection for application programs: CRC error upon attempt at source file retrieval, &/or mis-compare of readable Source to original specification
  Method of detection for GPL templates: CRC error upon attempt at source file retrieval, &/or mis-compare of Echo File to original template specification
Failure mode: Compiler error
  Method of detection for application programs: Mis-compare of Check File and Echo File
  Method of detection for GPL templates: Mis-compare of Echo File to original template specification
Failure mode: Download corruption
  Method of detection for application programs: Mis-compare of Check File and Echo File
  Method of detection for GPL templates: Mis-compare of Echo File to original template specification
Failure mode: Application alteration due to Regent memory error
  Method of detection for application programs: Caught by triplicated voting / processing of data
  Method of detection for GPL templates: Caught by triplicated voting / processing of data
Table 1. Failure Modes and Effects Analysis of Application Program Creation and Download Path. Failure modes are those due to random or systematic faults.

Software Installation
Important!
The Software Validation Package is installed on the PC running the WINTERPRET application software. The WINTERPRET base package provides the necessary installation software to install this add-in validation package. The validation package should be installed at the same time or after you have installed the WINTERPRET base package.

Installation Procedure
The files on the validation package diskette are in compressed form. You cannot simply copy the files to your hard drive — they must be decompressed before they will run. You must have the WINTERPRET base package distribution disk in order to run the setup procedure to install the validation package.
To install the Software Validation Package, use the following sequence:
1. Insert the WINTERPRET base package distribution disk into drive A: or B:
2. Start Windows (if it isn’t already running).
3. Choose Run from the Program Manager’s File menu.
4. Type a:\setup.exe in the text box. (If you inserted the WINTERPRET base package disk in drive B: type b:\setup.exe.) Choose OK or press ENTER.
5. In the WINTERPRET Setup dialog box enter the name of the directory in which you have installed the WINTERPRET base package (This assumes that you have already installed WINTERPRET). Choose Continue.
6. In the WINTERPRET Installation dialog box check the Validation Package box and the Create Validation Icon box.
7. Choose OK to have the setup program install the Software Validation Package.
When the installation is completed, you can run the Validator application (from Windows) and Check, Gplcheck and Gplprint (from DOS). The operating instructions for each of these applications are described below.
Application Source Integrity Checker

Operation Description
The application source integrity checker has two programs, Validator and Checker. Validator produces the assembly code listing files for program function blocks. Checker retrieves a program from the Regent, disassembles the binary to an assembly code listing, and compares the disassembled code to the assembly code listing. Both programs are stored in the WINTERPRET system directory. Validator is a Windows program that has its own DLLs and shares non-critical DLLs with WINTERPRET. Validator duplicates the functionality provided by WINTERPRET, and differs only in the function block compiler output. Checker is a DOS program. These programs are installed as part of the validation package.
Application program validation requires two steps; first use Validator and create the assembly code listings for each program function block, then run Checker to retrieve and compare the Regent’s version of the program to WINTERPRET’s version.
Operation Instructions for Validator
Start Validator by selecting the program icon for the
application or run the program from the Windows Program
Manager. Log on using a WINTERPRET user name and
password. Recompile the program for validation by selecting
the project and opening the program for validation. Create
the assembly code listings for the function blocks by compiling
all program function blocks.
Operation Instructions for CHECKER
Start check.exe from DOS in the WINTERPRET system directory and provide the names of the project and program for validation. These names appear in the WINTERPRET project selection and program editor menus. Also provide the PC serial communication port as COM1 or COM2. The following are prompts displayed from check.exe. Check.exe text is shown in bold letters and user responses are in italics.

Version 3 Integrity Checker
Project: <project name>
Program: <program name>
Attempting to get the function block list...
OK
Number of function blocks: <function block count>
Uploading: <function block name>
OK
Comparing...
Compiled file: <compiled assembly listing file name>
Uploaded file: <uploaded disassembled file name>
Function Block 1 <function block name>
<function block type> : All instructions match.
OK
Uploading: <function block name>
.
.
.
Integrity Check: PASSED on <date and time>
Figure 3. Messages displayed by CHECKER.

Guarded Peer Link Integrity Checker
The Guarded Peer Link integrity checker is a collection of programs; gplcheck.exe for uploading and disassembling, and gplprint.exe for printing a WINTERPRET network configuration. Both DOS programs reside in the WINTERPRET system directory. The programs are part of the WINTERPRET validation package and are installed by the WINTERPRET installation program.
Operation Description for GPLCHECK
Gplcheck.exe is a DOS program that requires the name of the WINTERPRET project for validation, the PC serial port to use for communication with the Regent, a file name to receive the disassembled import templates, and a file name to receive the disassembled export template. The WINTERPRET project provides tag names for the imported and exported variables. The project also provides the variable types, and values for comparison to the template values. The export file is an ASCII text file containing the name and timestamp of the WINTERPRET network binary image, the GPL node number of the export template uploaded from the Regent, the export template ID or template CRC, and a list of exported variables by tag name and variable type in the order that they are exported. The import file is also an ASCII text file and it lists each of the import templates retrieved from the Regent. The import listings include the exporting template ID and a variable list. Each import variable has a tag name, variable type, value assigned to the variable when the network is started, the value assigned to the variable when the network has an error, and whether the variable is assigned the time out value or maintains its last commanded value when a network error occurs.
Operation Instructions for GPLCHECK
Start gplcheck.exe from DOS in the WINTERPRET system directory. Following are the prompts displayed by gplcheck. Gplcheck messages are in bold text and user inputs are displayed in italics.

Reading import templates.
OK
Creating import file.
OK
Processing import templates.
OK
Reading export template.
OK
Processing export template.
OK
Computing template CRC.
OK
Template checking completed.
Successful.
Figure 4. Messages Displayed by GPLCHECK.
Export template definitions for REGENTA Tue Mar 15 15:24:31 1994
Binary image: C:\WINTERP\REGENTA\2NETWORK\2NWIMAGE.BIN Mon Mar 14 10:24:31 1994
Export node 3
Template CRC = 0x9f41
Name    Type
CR10    SHCR
WORD8   SHW
FP9     SHFP
Summary: All addresses found.
Figure 5. Sample Listings for GPLCHECK Export File.
Import template definitions for REGENTA Tue Mar 15 15:24:31 1994
Binary image: C:\WINTERP\REGENTA\2NETWORK\2NWIMAGE.BIN Mon Mar 14 10:24:31 1994
Provider node 2
Provider template CRC = 0x9f41
Name    Type    Power Up Val    Timeout Val    Timeout Action
No imports from this node.
Provider Node 5
Provider template CRC = 0xe8b5
Name    Type    Power Up Val    Timeout Val    Timeout Action
CR1     SHCR    0               ---            HOLD LAST VALUE
CR10    SHCR    0               ---            HOLD LAST VALUE
CR2     SHCR    0               1              USE TIMEOUT DEFAULT
FP9     SHFP    2.0032          -2.0032        USE TIMEOUT DEFAULT
Summary: All addresses found.
Figure 6. Sample Listings for GPLCHECK Import File.
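The import file above is the kind of listing the GPL Checker compares against the project's tag names, variable types, power-up values and time-out actions, as the Operation Description for GPLCHECK explains. The following is an added example written for this document, not part of the validation package: it parses a constructed copy of the Figure 6 listing into provider blocks and variable rows, then checks every variable against a constructed project definition and reports each attribute that differs (type, power-up value, timeout value or timeout action), a provider block with no template CRC, and variables present on only one side. The listing grammar, the ImportVar fields and the project dictionary are assumptions about the format; the export file of Figure 5 is not handled here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ImportVar:
    name: str
    vtype: str
    power_up: str      # value assigned when the network is started (kept as listing text)
    timeout_val: str   # "---" when the variable holds its last commanded value
    action: str        # "HOLD LAST VALUE" or "USE TIMEOUT DEFAULT"


@dataclass
class Provider:
    node: int
    crc: int = -1      # -1 until the "Provider template CRC" line has been read
    variables: List[ImportVar] = field(default_factory=list)


# Constructed copy of the Figure 6 import listing (values as printed there).
IMPORT_LISTING = """\
Import template definitions for REGENTA Tue Mar 15 15:24:31 1994
Binary image: C:\\WINTERP\\REGENTA\\2NETWORK\\2NWIMAGE.BIN Mon Mar 14 10:24:31 1994
Provider node 2
Provider template CRC = 0x9f41
Name Type Power Up Val Timeout Val Timeout Action
No imports from this node.
Provider Node 5
Provider template CRC = 0xe8b5
Name Type Power Up Val Timeout Val Timeout Action
CR1 SHCR 0 --- HOLD LAST VALUE
CR10 SHCR 0 --- HOLD LAST VALUE
CR2 SHCR 0 1 USE TIMEOUT DEFAULT
FP9 SHFP 2.0032 -2.0032 USE TIMEOUT DEFAULT
Summary: All addresses found.
"""

# Constructed stand-in for what the project specifies about each imported variable.
PROJECT_IMPORTS: Dict[str, ImportVar] = {v.name: v for v in (
    ImportVar("CR1", "SHCR", "0", "---", "HOLD LAST VALUE"),
    ImportVar("CR10", "SHCR", "0", "---", "HOLD LAST VALUE"),
    ImportVar("CR2", "SHCR", "0", "1", "USE TIMEOUT DEFAULT"),
    ImportVar("FP9", "SHFP", "2.0032", "-2.0032", "USE TIMEOUT DEFAULT"),
)}

_NODE = re.compile(r"^Provider node (\d+)$", re.IGNORECASE)
_CRC = re.compile(r"^Provider template CRC = (0x[0-9a-f]+)$", re.IGNORECASE)
_SKIP = ("Import template definitions", "Binary image:", "Name ", "Summary:",
         "No imports from this node.")


def parse_import_listing(text: str) -> List[Provider]:
    """One Provider per 'Provider node' block, with its template CRC and variable rows."""
    providers: List[Provider] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(_SKIP):
            continue
        m = _NODE.match(line)
        if m:
            providers.append(Provider(node=int(m.group(1))))
            continue
        if not providers:
            raise ValueError("line before the first provider block: %r" % line)
        m = _CRC.match(line)
        if m:
            providers[-1].crc = int(m.group(1), 16)
            continue
        tokens = line.split()  # name, type, power-up value, timeout value, action words...
        if len(tokens) < 5:
            raise ValueError("malformed variable row: %r" % line)
        providers[-1].variables.append(
            ImportVar(tokens[0], tokens[1], tokens[2], tokens[3], " ".join(tokens[4:])))
    return providers


def check_imports(providers: List[Provider], project: Dict[str, ImportVar]) -> List[str]:
    """Compare each uploaded import variable with the project definition; empty list means clean."""
    findings: List[str] = []
    seen = set()
    for prov in providers:
        if prov.crc < 0:
            findings.append("node %d: provider template CRC missing from listing" % prov.node)
        for v in prov.variables:
            seen.add(v.name)
            exp = project.get(v.name)
            if exp is None:
                findings.append("node %d: %s is not an import in the project" % (prov.node, v.name))
                continue
            for attr in ("vtype", "power_up", "timeout_val", "action"):
                if getattr(v, attr) != getattr(exp, attr):
                    findings.append("node %d: %s %s is %r, project expects %r"
                                    % (prov.node, v.name, attr, getattr(v, attr), getattr(exp, attr)))
    for name in project:
        if name not in seen:
            findings.append("%s is in the project but absent from the uploaded templates" % name)
    return findings


if __name__ == "__main__":
    print("as uploaded:", check_imports(parse_import_listing(IMPORT_LISTING), PROJECT_IMPORTS) or "clean")
    # An upload whose CR2 timeout handling differs from the project is reported per attribute.
    tampered = IMPORT_LISTING.replace("CR2 SHCR 0 1 USE TIMEOUT DEFAULT", "CR2 SHCR 0 --- HOLD LAST VALUE")
    for finding in check_imports(parse_import_listing(tampered), PROJECT_IMPORTS):
        print("finding:", finding)
```

Values are compared as the text the listing prints rather than as parsed numbers, so that a power-up value of 2.0032 is only accepted when the template carries exactly that representation; the provider that exports nothing (node 2 in the figure) still has its CRC line read, so an upload that drops the CRC from any block is reported even when the block holds no variables.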
Operation Description for GPLPRINT
Gplprint.exe creates an ASCII text file listing the WINTERPRET network configuration. The name of the configuration file and its timestamp are listed in the file, followed by a list of projects participating in the network, and finally a list of variables provided by each of the participating projects. The program needs the name of the output file receiving the configuration listing.
Operation Instructions for GPLPRINT
Start gplprint.exe from DOS in the WINTERPRET system directory and provide the listing file name. Following are program prompts; gplprint messages are shown in bold text and user inputs are shown in italics.

gplprint <listing file name>
Network listing file successfully written.
Figure 7. Messages Displayed by GPLPRINT.
Network configuration for:
C:\WINTERP\2NET_DIR\2NETWORK.DAT Tue Mar 15 11:35:22 1994
Participating projects:
REGENTA
REGENTB
Variables provided by REGENTA:
CR1
CR10
CR2
FP9
Variables provided by REGENTB:
No variables provided by this project.
Figure 8. Sample Listings for GPLPRINT.