For decades, programmable logic controllers were the classic example of an extremely reliable embedded system. The need for a well-functioning, reliable programmable logic controller (PLC) is readily apparent. With programmable logic controllers, no allowance needs to be made for the types of system failures with which we are familiar when working with PCs on an everyday basis.
Every time a Windows PC crashed, the PLC community longed for a PC designed for use in the office but which was able to offer the reliability of a PLC. It was therefore all the more incomprehensible that anyone would choose a Windows PC as a control platform with the functionality of a PLC. Against this background, long-time PLC developers and users are wondering why a soft PLC is necessary alongside the conventional embedded control concept with PLCs; the answer is simple, the soft PLC offers a wide range of advantages.
Buyers of a soft PLC will know that, in principle, they will be able to use any industrial PC as a hardware platform. As a result, the system hardware is no longer semi-proprietary, but becomes a standard product that is subject to market forces.
Since PC hardware is produced in far larger quantities than other computing platforms, purchasers can buy what they need at significantly better prices. In addition, PC specifications and the interfaces are already precisely defined or standardized, and further improvements and innovations are also guaranteed due to the rapid rate at which (industrial) PCs themselves are changing. This eliminates the problems that may otherwise occur when proprietary or limited product lines are discontinued, since the PCs are, in principle, fully compatible with each other. A guarantee of hardware supply going beyond the standard ten-year period thus entails no risk for soft PLC suppliers.
Moreover, the processing capacity can be flexibly adjusted to suit each individual application. If a faster system is required, it may be sufficient in some cases to merely replace the processor with a faster CPU of the same type. With the standard embedded control systems, the extent to which the hardware has been improved depends largely on the manufacturers, since they will decide when to convert to a new generation of processors, how many scaling options there will be in the interim, and what the general price level for the hardware should be.
A PLC system that uses a PC platform also offers particular advantages when the overall application is used for operation or visualization purposes in addition to the actual control functions, or when other specialized tasks need to be completed, such as image recording, image evaluation or complex control processes.
With the switch from proprietary embedded hardware to industrial PCs, a supplier of PLC solutions becomes a special type of system house providing high-quality hardware in a bundle together with the appropriate control software. An overall hardware/software system of this type, which also contains hardware developed or configured by the supplier itself, alongside software developed in-house, can then be optimally designed for the application and any possible scenarios that may arise in connection with it.
A Soft PLC offers the convenience of the Windows XP interface on the user side, while at the same time providing hard real-time by utilizing the Windows CE real-time operating system—all running on a single x86-based computer (Figure 1). These two operating systems are bridged by Kuka CeWin real-time virtualization software. The key element that makes the new industrial PC solution able to operate in hard real-time is the real-time extension technology. This enables Windows XP to operate on the same CPU in parallel with the Windows CE real-time operating system, without Windows XP negatively affecting the ability of the system to operate in real-time.
Avoiding Problems from the Past
For several years, real-time extensions have been available for Windows; the real-time function being realized at the Windows XP kernel mode driver level. In principle, this has made real-time control possible and extensions are available on the market based on this concept.
These real-time drivers are an extension of Windows and are stored in the same memory as Windows, resulting in a certain degree of protection against a Windows blue screen. However, it is always possible that a faulty driver running under Windows will disable the entire real-time function. In theory, all the drivers in such a system should be custom-written in order to provide the necessary degree of operating safety. Usually, however, a driver will be used that is neither written by the real-time supplier nor by Microsoft. As a result, errors can easily occur that can cause the real-time application to crash.
This issue causes problems with regard to product liability. If a machine is operated using a real-time extension running in the Windows memory space, a driver error may result in the machine crashing when the motor is running at full capacity. For this reason, machine developers have always avoided using Windows XP when it came to critical control systems, since they had already experienced crashes of this nature on their own office computers.
When developers program a real-time extension for Windows XP at the driver level, they are not working with a well-accepted, open and standard operating system, but a niche product. Furthermore, only very few programmers are available who are familiar with the finer points of real-time extensions of this type. Due to the subsequent high support costs, this solution is unsuitable.
A New Look at Real-Time Virtualization Solutions
Instead of using one of these conventional real-time extensions for Windows XP, a real-time virtualization technology brings hard real-time to Windows XP using Microsoft Windows CE to perform the real-time processing. In this context, Windows CE runs as a “headless device,” leaving out the display and keypad control, since this function is provided by Windows XP. As an added benefit, the full capabilities of both operating systems are supported; including all development environments and debugging tools. Full binary compatibility is maintained with their stand-alone versions.
In contrast to conventional real-time extensions, the real-time Windows CE operating system runs in parallel with standard Windows XP. Both Windows XP and Windows CE run in separate and protected memory areas. An important factor here is that neither of the two operating systems has access to the memory of the other. Thanks to the clear separation of the memory areas, any blue screen that may occur under Windows XP, will not influence the real-time functioning of Windows CE. Alternately, a Windows CE thread will not be able to accidentally write to Windows XP memory (Figure 2).
As far as Windows XP is concerned, the memory occupied by Windows CE does not exist. This therefore provides complete protection. If one of the drivers within Windows XP were to try to access this memory, an exception error message would be generated by Windows XP. Hardware protection is also provided, since CeWin uses the x86 MMU to ensure that both operating systems are completely separated from each other in memory. Even when Windows XP has been completely disabled, the real-time environment continues to run properly, so that defined states can be restored in due course.
Windows Exceptions No Longer a Problem
In the PLC environment, not only are interrupt latency and determinism important, but also reliability and stability. It must be possible to handle all exceptions from the Windows XP environment in a well-defined manner. In addition, if Windows XP enters an unrecoverable state, the operation of the PLC should not be affected.
This problem is addressed using the standard fault handler capabilities of the real-time virtualization software. At the point at which Windows XP enters a blue screen, the exception is intercepted and the processor context is switched to Windows CE; the blue screen handler is frozen and an event is triggered to which the application is able to react. The application is able to decide how to continue. The machine can therefore continue its production process through to the end of the shift in the normal way. At the end of the shift, the machine can then be restarted. The application can also decide to bring the machine into a safe state before initiating a full restart. The decision as to what should be done after a blue screen is determined by the Windows CE application.
Scalability can be achieved by using modular firmware in which certain functions are realized using dedicated modules. The module firmware enables device configurations to scale down to a highly embedded PLC without the Windows XP front end. Since, in effect, the Windows CE RTOS is virtualized, no changes are required to run the same PLC software in a stand-alone Windows CE-only environment (Figure 3). The real-time virtualization solution offers far more options than competing solutions. As a result, flexible solutions can be provided to meet the needs of customers, and to adapt product range to the market in each case, or even, if appropriate, to individual requirements.
These dual-OS systems communicate with the outside world via plug-in cards or Ethernet. A variety of possible network cards can be used for the real-time application so that the computer then has two network connections: one for Windows XP and one for Windows CE. This is necessary because the control systems also process real-time Ethernet protocols, which need to continue running under all circumstances, even during a blue screen event.
The firmware can be structured in such a way that when operating on a real-time system, the files are accessed simultaneously: the computer accesses them, and can either read them, or receive a read error in response. As a result, these calls are no longer deterministic when they have been conducted via the network drive. It could therefore take an indeterminate amount of time, in theory, before the function call returns. In this case, the firmware would simply block and therefore the real-time behavior would be partially lost. To address this, an interim layer can be inserted to make each of these calls asynchronous. An “asynchronous mechanism” is created for the access to the network drive; if the calls have not been completed within a specified time period, the call always returns to the firmware.
Such an open and versatile communication platform provides support for a wide range of automation systems, by virtue of being based on internationally recognized standards. The use of innovative real-time operating system virtualization technology makes it possible to bring a reliable and cost-effective Soft PLC to market to provide a solution to the demand for an economically viable automation system.