CN112417453A - Safety device for automatic system - Google Patents

Safety device for automatic system

Info

Publication number
CN112417453A
Authority
CN
China
Prior art keywords
secure channel
secure
output
input
system network
Prior art date
Legal status
Pending
Application number
CN202010847466.0A
Other languages
Chinese (zh)
Inventor
M·赫莱维尔塔
J·海迈莱伊宁
Current Assignee
Valmet Automation Oy
Original Assignee
Metso Automation Oy

Classifications

    • G05B19/048 Programme control other than numerical control, i.e. in sequence controllers or logic controllers: Monitoring; Safety
    • G05B19/0428 Programme control other than numerical control using digital processors: Safety, monitoring
    • G05B19/406 Numerical control [NC], i.e. automatically operating machines, in particular machine tools, e.g. in a manufacturing environment, so as to execute positioning, movement or co-ordinated operations by means of programme data in numerical form, characterised by monitoring or safety
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults, characterized by the response to fault detection
    • G05B23/0275 Fault isolation and identification, e.g. classify fault; estimate cause or root of failure
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols

Abstract

According to an example aspect of the invention, there is provided a method comprising: receiving input from an automation system network over a first secure channel; receiving input from the automation system network over a second secure channel; processing the received input through a first secure application included in the first secure channel; processing the received input through a second secure application included in the second secure channel; transmitting a first output to the system network over the first secure channel based on processing the received input; performing a supervisory operation over the second secure channel based on the processing of the input by the second secure application and the first output from the first secure channel; and transitioning at least the first secure channel into a secure state in response to the supervisory operation indicating an error.

Description

Safety device for automatic system
Technical Field
The present invention relates to safety devices for automation systems, and more particularly to a safety system architecture with diagnostic functionality.
Background
Industrial automation systems control industrial processes through various field devices connected to the system, such as regulatory devices, control devices, sensors, and transmitters. A typical field device is a control valve with a valve controller. The field devices are typically controlled by a process controller using appropriate control algorithms based on measurements and settings obtained from the process.
Functional safety systems may be employed in automation systems to detect potentially dangerous conditions and generate output for activating protective or corrective devices or programs/mechanisms to prevent dangerous events, or to provide mitigating action to reduce the consequences of such events. Computer-based safety systems, commonly referred to as programmable electronic safety systems, have been used in many fields of application to perform safety functions. Safety instrumented (or integrity) systems (SIS) generally refer to systems consisting of components (e.g., sensors, logic solvers, and final elements) designed to automatically bring an industrial process into a safe state when a prescribed condition is violated, to allow the process to proceed in a safe manner when the prescribed condition allows (permissive functionality), and/or to take measures to mitigate the consequences of an industrial hazard.
Standards have been defined for functional safety systems, such as ISO 13849 and IEC 61508, which specify requirements to ensure that a system is designed, implemented, operated, and maintained to provide a desired Safety Integrity Level (SIL) or safety class. For example, IEC 61508 defines four SILs according to the risks involved in system applications, where SIL4 applies to the highest risk.
To achieve various reliability and safety goals, safety system mechanisms have been developed that define the configuration of safety system components (e.g., a Programmable Electronic Controller (PEC)), such as architectures based on two-out-of-two (2oo2) and one-out-of-two (1oo2) voting.
Disclosure of Invention
The invention is defined by the features of the independent claims. Some specific embodiments are defined in the dependent claims.
According to a first aspect of the invention, there is provided an apparatus comprising: an interface for connecting to an automation system network; a first secure channel connected to the interface for receiving input from the system network and transmitting output to the system network; and a second secure channel configured to receive at least input from the system network, wherein the first secure channel includes a first secure application configured to process input from the system network and to transmit first output to the system network based on the processing of the input, and the second secure channel includes a second secure application configured to process input from the system network and configured to: perform a supervisory operation based on the processing of the input and the first output sent by the first secure channel, and transition at least the first secure channel into a secure state in response to the supervisory operation indicating an error.
According to a second aspect of the invention, there is provided a method for controlling safety system outputs in an automation system, the method comprising: receiving input from an automation system network over a first secure channel; receiving input from the automation system network over a second secure channel; processing the received input through a first secure application included in the first secure channel; processing the received input through a second secure application included in the second secure channel; transmitting a first output to the system network over the first secure channel based on processing the received input; performing a supervisory operation over the second secure channel based on the processing of the input by the second secure application and the first output from the first secure channel; and transitioning at least the first secure channel into a secure state in response to the supervisory operation indicating an error.
According to a third aspect, there is provided an apparatus comprising: at least one processing core; at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processing core, cause the apparatus at least to perform the method or an embodiment of the method according to the second aspect.
According to a fourth aspect, there is provided a computer program product, a computer-readable medium or a non-transitory computer-readable medium comprising program instructions for causing an apparatus to perform at least a method according to the second aspect or an embodiment of said method.
According to an embodiment of any of the aspects, the second secure application generates a second output based on the processing of the input, the supervisory operation includes comparing the first output and the second output, and the supervisory operation indicates the error in response to the first output and the second output not matching.
According to an embodiment of any of the aspects, the input is an input message and the (first/second) output is an output safety message.
According to an embodiment of any of the aspects, the security system is a 1oo2D-based security system.
According to an embodiment of any of the aspects, the first secure channel and the second secure channel are connected by a synchronous interface.
Drawings
Figure 1 shows an example of an industrial automation system,
Figure 2 illustrates an example of a safety system or device for an automation system according to an embodiment,
Figures 3a and 3b illustrate additional security system architectures according to some embodiments,
Figure 4 illustrates the interaction between instances of a first secure channel and a second secure channel according to an embodiment,
Figure 5 illustrates a method according to some embodiments,
Figures 6a and 6b illustrate additional security system examples, and
Figure 7 shows an apparatus according to an embodiment.
Detailed Description
Industrial automation systems may be used to control industrial processes such as manufacturing processes, production processes, power generation processes, processing, and refining processes. The controlled process may be fixed in geographic location or may be mobile, such as a ship. Industrial processes may be run in a continuous, batch, repetitive, or discrete manner. Industrial automation systems may also be used to monitor shipments or transports associated with industrial processes. Industrial automation systems may be distributed into several layers or levels, such as an automation platform level and an automation application level.
FIG. 1 provides an overall view of an example automation system. The automation system comprises field devices 1 and IO systems 2, which are connected to a (process) controller 6 by wiring. The wiring may be direct wiring 3, star network 4 or ring network 5. The controllers are connected to a system bus 7, which bus 7 may be redundant. An operator station 8, a security system or subsystem 9, and a configuration server 10 may be connected to the system and system bus 7. It should be understood that there may be multiple security (sub) systems or units/modules in an automation system, and that security system features may be implemented by/within the automation system device. The system may comprise other means, such as a history database connected to the bus 7.
A firewall 11 may be used to protect the system bus 7 from other networks 12, and the firewall 11 may be redundant. For example, maintenance, Enterprise Resource Planning (ERP), configuration and/or simulation servers 13 may be located in these networks. These networks may be based on standard internet protocols over ethernet technology. Another firewall 14 may be used to connect to other networks 15.
Automation platforms are generally generic and may be similarly used in many deployments. The automation platform may contain engineering and configuration tools through which engineers may design automation applications. In another aspect, the automation platform may also include runtime components such as a process control station (PLC) and a Human Machine Interface (HMI) that may be used to execute and visualize automation applications to users.
In another aspect, an automation application may include a configuration that has been created using tools of an automation platform. The automation application may include at least one of: functional block diagrams, structured text programs, and user interface designs. Depending on the embodiment, the automation application may be unique and completely dedicated to the customer deployment, or the automation application may be reused between different customers and deployments.
The operational components of an automation system, such as the system of fig. 1, may include user interface components, process components, and components supporting both. The process components may include one or more process controllers 6, and the user interface components may be implemented in and for the user devices 8. The user device may provide a user interface for an operator to initiate a user session in the automation system and perform operations for components of the automation system.
The security system 9 may comprise two (or even more) parallel security channels to perform one or more security functions. 1oo2D is a functional security system architecture, biased towards security over availability. 1oo2D generally means that only one of two inputs or checks needs to indicate a hazard for a security action to be performed. For example, in the case of a dual secure channel system, detection of a hazardous event by only one of the channels triggers the secure action. The D refers to diagnostics or self-checks performed on the secure channels to verify proper operation. A failure in one channel (or in the security system unit providing the channel) may be detected by the other channel, and the failed channel may be deactivated. In a 1oo2D system, an external comparison or voting component monitors the secure channels. Such a component represents additional component cost and may impact the performance of the system.
An improved security system architecture is now provided that avoids external comparison or voting components and minimizes messaging between entities. In some embodiments, the security system includes a 1oo2D-based architecture. However, it will be appreciated that the application of the presently disclosed features is not limited to this architecture.
Fig. 2 shows a security system or arrangement 20 for providing security services in an automation system, for example as the security (sub) system 9 of fig. 1 or a part thereof.
System or device 20 includes an interface 30 or is connected to an interface 30 (in some embodiments, a network Switch (SW)), which interface 30 is for connecting to an automation system network 80, e.g., similar to the system of fig. 1. A first secure channel 40 is connected to the interface 30 for receiving input from and sending output to the system network. The second secure channel 50 may be connected to the interface 30 and configured to receive at least input from the system network. Although a switch is mentioned in this example embodiment, it should be understood that the input and output between the secure channel and the system network 80 may be arranged by another type of interface.
The first secure channel 40 includes a first secure application SA1 42, configured to process input from the system network 80 and to send first output to the system network based on the processing of the input.
The second secure channel 50 includes a second secure application SA2 52, configured to process input from the system network. SA2 52 is configured to receive the input from the system network and the first output from the first secure channel 40.
The first secure channel 40 may be a primary secure channel and the second secure channel 50 may be a secondary secure channel. Thus, the first secure channel 40 may be the only secure channel that sends output to the system network for system security control. Both channels 40, 50 may be configured to receive messages from the system network 80. It is noted that the channels 40, 50 may be implemented by dedicated security system processing units, which may be connected to other units via a bus (e.g., by Ethernet-based communication).
The second secure channel 50 is configured to perform a supervisory operation based on the processing of the input and the first output. At least the first secure channel is controlled by the second secure channel 50 to transition into a secure state in response to the supervisory operation indicating an error. The supervisory operation may be implemented by or in a specific (diagnostic) module connected to SA2 52, or by a diagnostic instance of SA2 52. The input may include one or more input messages received by the security system 20 from the automation system network 80, and the first output may be an output security (action) message. External comparison or voting components are thus avoided, and the appropriate diagnostic functions are integrated in the secure channels.
As further shown in fig. 2, an interface 44 may exist between the channels 40 and 50, such as a synchronization path for exchanging information between the channels. Thus, both secure channels 40, 50 may check the status of the other channel's secure application via the synchronization path. However, in some embodiments no such interface exists between the channels 40, 50.
As shown in fig. 3a, the second secure channel 50 may be connected to a deactivation or shutdown unit, module or path 60 to disconnect the first secure channel from the system network. Such an entity may be referred to as a Secondary Shutdown Path (SSP). Thus, in response to the supervisory operation of the second secure channel 50 indicating an error, the channel may send a control signal to the deactivation entity 60.
As shown in fig. 3b, the second secure channel 50 may be directly connected to the output interface of the first secure channel 40, or to a path from the first secure channel 40, and configured to intercept the output (message) of SA1 42 in order to perform the supervisory operation.
In some embodiments, SA2 52 is configured to generate a second output based on the processing of the input. The supervisory operation includes comparing the first output and the second output, and indicates an error in response to the first output and the second output not matching. Thus, SA2 52 may be configured to perform the same input processing operations as SA1 42 and prepare a second output that is not sent to the system network but is used only to diagnose the operation of SA1 through the supervisory operation. For example, SA2 may be configured to compute, based on the input from the system network 80, the complete datagram as it would be transmitted to the system network, with all appropriate fields pre-equipped. The supervisory operation may then compare this datagram with the datagram from SA1.
In some embodiments, the first secure channel 40 includes a diagnostic or inspection module or instance connected to the interface 44 and configured to inspect the output of the second secure channel 50, to further increase the security level. In an example embodiment, a second cyclic check value, based on the processing of the input by SA2 52, is sent to the first secure channel 40. The first secure channel 40 is configured to compare a first cyclic check value, based on the processing of the input by SA1 42, with the second cyclic check value. The first secure channel 40 transmits the first output to the system network in response to the first cyclic check value matching the second cyclic check value. If the check values do not match, the first secure channel may cause a transition to a secure state; in some embodiments this is done by ceasing communication (and output messages) to the system network 80.
The cyclic check value comparison may be configured to be performed before SA1 sends the output to the system network 80, so that an output associated with a non-matching check value is prevented from being sent. The cyclic check value may be a Cyclic Redundancy Check (CRC) value. Through such CRC checking and/or other checking procedures, the first secure channel may thus detect anomalies in the operation of the second secure channel.
Referring to the example embodiment of FIG. 4, the supervisory operation may be performed by a communication monitoring stack module or instance 54, connected to an application I/O that is in turn connected to the SA2 runtime instance 56. The monitoring stack instance 54 may be connected to a bus to which the first secure channel 40 is connected and/or to the network switch 30 that connects the first secure channel 40 and the second secure channel 50 to the system network 80. The monitoring stack instance 54 is configured to receive inputs from the system network 80 and the first output of SA1 (based on processing of the inputs) in order to perform the supervisory operation. The monitoring stack instance 54 may also be connected to the first secure channel 40 and its communication stack instance to provide a CRC.
FIG. 5 illustrates a method according to some embodiments. The method may be performed by an apparatus (e.g., the apparatus 20, or a controller or computing unit thereof) configured to provide a secure application for an automation system.
The method comprises the following steps:
-receiving (500) an input from an automation system network over a first secure channel,
-receiving (502) an input from the system network over a second secure channel,
-processing (504) the received input through a first secure application comprised by the first secure channel,
-processing (506) the received input through a second secure application comprised by the second secure channel,
-sending (508) a first output to the system network over the first secure channel based on the processing of the input,
-performing (510) a supervision operation over the second secure channel based on the processing of the input by the second secure application and the first output from the first secure channel, and
-causing (512) at least a first secure channel to transition into a secure state in response to the supervision operation indicating an error.
It will be appreciated that the method of fig. 5 may be applied with various further embodiments, some of which are shown above. Further, it should be understood that some blocks of the method may be performed in a different order, e.g., block 506 may precede block 504, or they may be performed substantially simultaneously. Further, blocks 500 and 502 may occur substantially simultaneously or in a different order. The second channel 50 may be configured to perform blocks 502 and 506 by the runtime instance 56 and blocks 508 to 512 by the monitoring stack instance 54 in the example configuration of fig. 4.
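The following is an added simulation of the FIG. 5 method and of the optional CRC cross-check between the channels; it is constructed for this page and is not code from the patent or from Valmet/Metso. The class and function names, the datagram layout, the level-control safety logic and the injected SA1 fault are all assumptions; "sa1" and "sa2" stand for the first and second secure applications 42 and 52, and the step numbers in comments refer to blocks 500 to 512 of FIG. 5.

```python
# Constructed model of the dual-channel (1oo2D-style) supervision described above.
import zlib
from dataclasses import dataclass
from typing import Callable, List, Optional

RUNNING = "RUN"
SAFE_STATE = "SAFE"


@dataclass(frozen=True)
class InputMessage:
    """Constructed input message from the automation network: a tank level sample."""
    seq: int
    level_pct: float
    trip_limit_pct: float


def level_control_logic(msg: InputMessage) -> str:
    """Safety function for the level-control example: close the inlet valve on high level."""
    return "CLOSE_INLET_VALVE" if msg.level_pct >= msg.trip_limit_pct else "HOLD"


def build_datagram(msg: InputMessage, action: str) -> bytes:
    """Complete output safety message with its fields pre-equipped (seq, action, CRC32)."""
    body = f"seq={msg.seq};action={action}".encode()
    return body + f";crc={zlib.crc32(body):08x}".encode()


def verify_datagram(datagram: bytes) -> bool:
    """Receiver-side integrity check of the CRC field appended by build_datagram()."""
    body, _, crc_hex = datagram.rpartition(b";crc=")
    return bool(body) and zlib.crc32(body) == int(crc_hex, 16)


def check_value(datagram: bytes) -> int:
    """Cyclic check value the channels exchange over the synchronization interface (44)."""
    return zlib.crc32(datagram)


class SecureChannel:
    """One secure channel running one instance of the secure application (SA1 or SA2)."""

    def __init__(self, name: str, logic: Callable[[InputMessage], str]):
        self.name = name
        self.logic = logic
        self.state = RUNNING

    def process(self, msg: InputMessage) -> bytes:
        return build_datagram(msg, self.logic(msg))

    def enter_safe_state(self) -> None:
        self.state = SAFE_STATE


class DualChannelSafetySystem:
    """Primary channel 40 (SA1) sends to the network; secondary channel 50 (SA2) supervises."""

    def __init__(self, sa1_logic=level_control_logic, sa2_logic=level_control_logic,
                 cross_check: bool = False):
        self.sa1 = SecureChannel("SA1", sa1_logic)
        self.sa2 = SecureChannel("SA2", sa2_logic)
        self.cross_check = cross_check      # optional CRC exchange before SA1 transmits
        self.network_out: List[bytes] = []  # datagrams that actually reached network 80
        self.events: List[str] = []

    def cycle(self, msg: InputMessage) -> Optional[bytes]:
        """One pass of the FIG. 5 method (blocks 500 to 512) for a single input message."""
        if self.sa1.state != RUNNING:
            return None                      # a channel in the safe state stays silent
        out1 = self.sa1.process(msg)         # 504: SA1 processes the input
        out2 = self.sa2.process(msg)         # 506: SA2 processes it too, output kept local
        if self.cross_check and check_value(out1) != check_value(out2):
            # SA1 compares its own check value with the one received from SA2 and
            # withholds the output instead of sending it (safe state by ceasing output).
            self.events.append(f"seq={msg.seq}: CRC cross-check failed, SA1 output withheld")
            self.sa1.enter_safe_state()
            return None
        self.network_out.append(out1)        # 508: first output goes to the network
        if out1 != out2:                     # 510: monitoring stack compares datagrams
            # 512: supervision indicates an error; the secondary shutdown path takes
            # the primary channel out of service so no further output is sent.
            self.events.append(f"seq={msg.seq}: supervision mismatch, SSP disconnects SA1")
            self.sa1.enter_safe_state()
        return out1


def run_fault_scenario(cross_check: bool) -> DualChannelSafetySystem:
    """Feed three samples, the second and third above the trip limit, to a faulty SA1."""
    faulty_sa1 = lambda msg: "HOLD"  # constructed SA1 fault: the trip comparison never fires
    system = DualChannelSafetySystem(sa1_logic=faulty_sa1, cross_check=cross_check)
    for msg in (InputMessage(1, 40.0, 90.0), InputMessage(2, 95.0, 90.0),
                InputMessage(3, 97.0, 90.0)):
        system.cycle(msg)
    return system
```

Without the cross-check the erroneous HOLD datagram for seq 2 reaches the network before the supervisory comparison shuts SA1 down; with the cross-check enabled it is withheld, which is the point of placing the CRC comparison before block 508.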
Fig. 6a and 6b show some further exemplary embodiments in which the automation network is redundant. The redundancy used may be based on the Parallel Redundancy Protocol (PRP), wherein the automation system network 80 is made redundant by adding another physical network 82. In the example embodiment of fig. 6a, the security system comprises a further switch 32, via which the first secure channel 40 and the second secure channel 50 are connected to the further physical network 82. In the example embodiment of fig. 6b, the first secure channel 40 and the second secure channel 50 are connected to the automation system network 80 and to the other physical network 82 via the switch 30, using different virtual LANs.
The presently disclosed features can be applied in conjunction with various types and configurations of automation systems in a safety system, for example to provide SIS functional safety functions for industrial automation systems of the type described at the outset of this section. Some other application examples include: a) level control, wherein the safety system controls the closing of the inlet valve, and b) stopping a mobile machine when a channel control unit (e.g., an electro-optical trip device) trips.
An electronic device comprising electronic circuitry may be a device for implementing at least some embodiments. Fig. 7 shows a schematic view of an apparatus 700 according to an embodiment. The apparatus may be configured to operate as the security system 9, 20 or to form part of it. The apparatus includes a computing unit 701 and may include or be connected to other units, such as one or more User Interface (UI) units 707. The device may be connected to an (other) automation system control unit 708, to other locally or remotely connectable devices 709, and/or to a network/service 710, such as a cloud service. Examples of processors suitable for implementing the above described features and architecture include ARM Cortex-A5 (or higher) class processors, such as the Atmel SAMA5D3.
The computing unit 701 may include a processor 702, a communication unit 703 and a memory 704. The communication unit 703 may comprise at least one transmitter and receiver, which may be configured to operate according to a wired or wireless communication standard, e.g. a cellular communication system, a wireless local area network, an industrial bus and/or an ethernet standard.
The memory 704 may store computer program code 705 and parameters 706 such that, when the computer program code is executed by the processor, the computing unit performs at least some of the presently disclosed features, such as those of the second secure channel 50 and those shown in fig. 5 and its further embodiments. Thus, the memory, processor and computer program code may be means for causing the computing unit 701 to perform at least some of the presently disclosed security system diagnostic functions, such as the method of blocks 508 to 512.
The UI unit 707 may include one or more user interface devices, such as a display and one or more input devices, such as a keyboard, touch screen, mouse, gesture input device, or other type of input/output device. The UI unit may be configured to provide user input for controlling the computing unit 701, e.g., setting parameters that affect one or more of the operations shown in figs. 1 to 5. It should be appreciated that various information related to the security system (and possibly the automation system 80), such as trends, reports, alarms, etc., may be displayed and/or controlled via the UI unit 707.
It is to be understood that the disclosed embodiments of the invention are not limited to the particular structures, process steps, or materials disclosed herein, but extend to equivalents thereof as would be recognized by those ordinarily skilled in the relevant arts. It is also to be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to be limiting.
The various described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. While the above examples illustrate the principles of the invention in one or more particular applications, it will be apparent to those of ordinary skill in the art that numerous modifications in form, usage and implementation details can be made without the exercise of inventive faculty, and without departing from the principles and concepts of the invention. Accordingly, it is not intended that the invention be limited, except as by the claims set forth below.
The verb "to comprise" is used herein as an open-ended limitation that neither excludes nor requires the presence of unrecited features. The features recited in the dependent claims may be freely combined with each other, unless explicitly stated otherwise. Furthermore, it should be understood that the use of the singular forms "a," "an," and "the" throughout this document does not exclude a plurality.

Claims (15)

1. A security system apparatus, comprising:
- an interface for connecting to an automation system network (80),
- a first secure channel (40) connected to the interface for receiving input from and sending output to the system network, and
- a second secure channel (50) configured to receive at least input from the system network, wherein
the first secure channel includes a first secure application (42) configured to process input from the system network and to send a first output to the system network based on the processing of the input, and
the second secure channel includes a second secure application (52) configured to process input from the system network and configured to:
- perform (510) a supervision operation based on the processing of the input and the first output transmitted by the first secure channel, and
- cause (512) at least the first secure channel to transition into a secure state in response to the supervision operation indicating an error.
2. The apparatus of claim 1, wherein the second security application is configured to generate a second output based on processing of the input, the supervision operation comprises comparing the first output and the second output, and the supervision operation indicates an error in response to the first output and the second output not matching.
3. The apparatus of claim 1 or 2, wherein the second secure channel is configured to transmit a second cyclic check value to the first secure channel based on processing of the input by a second secure application,
the first secure channel is configured to compare the first cyclic check value to the second cyclic check value based on processing of the input by the first secure application, and
the first secure channel is configured to transmit a first output to a system network in response to the first cyclic check value matching the second cyclic check value.
4. The apparatus according to claim 1 or 2, wherein the apparatus is configured to send a signal from the second secure channel to a closing unit (60) to disconnect the first secure channel from the system network in response to the supervision operation indicating an error.
5. The apparatus of claim 1 or 2, wherein the security system is a 1oo2D based security system, and the first and second secure channels are connected through a synchronization interface (44).
6. The apparatus of claim 1 or 2, wherein the supervision operation is configured to be performed by a communication monitoring instance or module (54) connected to the second application and for receiving the first output, to a bus connected to the first secure channel, or to a network switch connecting the first and second secure channels to the system network.
7. An automation system comprising an automation system network and the safety system arrangement of any preceding claim.
8. A method for controlling safety system outputs in an automation system, comprising:
-receiving (500) an input from an automation system network over a first secure channel,
-receiving (502) an input from the system network over a second secure channel,
-processing (504) the received input through a first secure application comprised by the first secure channel,
-processing (506) the received input through a second secure application comprised by the second secure channel,
-sending (508) a first output to the system network over the first secure channel based on the processing of the received input,
-performing (510) a supervision operation over the second secure channel based on the processing of the input by the second secure application and the first output from the first secure channel, and
-causing (512) at least a first secure channel to transition into a secure state in response to the supervision operation indicating an error.
9. The method of claim 8, wherein the second security application generates a second output based on processing of the input, the supervisory operation includes comparing the first output and the second output, and the supervisory operation indicates an error in response to the first output and the second output not matching.
10. The method of claim 8 or 9, further comprising:
-sending the second cyclic check value to the first secure channel by the second secure application based on the processing of the input by the second secure application,
-comparing the first cyclic check value with the second cyclic check value based on the processing of the input by the first secure application, and
-sending the first output to the system network in response to the first cyclic check value matching the second cyclic check value.
11. A method according to claim 8 or 9, wherein a signal is sent from the second secure channel to a closing unit to disconnect the first secure channel from the system network in response to the supervision operation indicating an error.
12. The method of claim 8 or 9, wherein the supervision operation is performed by a communication monitoring instance or module connected to the second application and for receiving the first output, to a bus connected to the first secure channel, or to a network switch connecting the first secure channel and the second secure channel to the system network.
13. The method of claim 8 or 9, wherein the input is an input message and the output is an output security message.
14. A computing device comprising a processor and a memory storing computer program code which, when executed in the processor, causes the computing device to at least perform the method of any of claims 8 to 13.
15. A non-transitory computer-readable medium comprising computer program code for causing a computing device to perform at least the method of any of claims 8 to 13 when executed in a processor of the computing device.
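The dual-channel scheme of claims 1-4 and 8-11 (and blocks 500-512 referred to in the description) as an added runnable model; this is illustration code, not the patent's own implementation. It assumes a toy threshold-trip safety application, CRC-32 as the cyclic check value, and constructed fault injections (a stuck processing result in the first channel, and a corrupted transmitter) to show which of the two checks catches which fault.

```python
"""Model of a 1oo2D safety arrangement: two channels process the same
input, the first sends the output only if both channels' cyclic check
values match, and the second supervises what actually reached the network."""
import zlib
from dataclasses import dataclass
from typing import Optional

TRIP_LIMIT = 800  # constructed threshold for the toy safety application


@dataclass
class SecureChannel:
    """One of the two channels (40 or 50 in the claims)."""
    name: str
    stuck_output: Optional[bytes] = None  # constructed processing fault
    corrupt_tx: bool = False              # constructed transmitter fault
    safe_state: bool = False

    def process(self, msg: bytes) -> bytes:
        """Secure application: trip when the sensor value exceeds the limit."""
        if self.stuck_output is not None:
            return self.stuck_output
        value = int.from_bytes(msg, "big")
        return b"TRIP" if value > TRIP_LIMIT else b"RUN"

    def transmit(self, out: bytes) -> bytes:
        """What actually reaches the system network (possibly corrupted)."""
        return bytes(b ^ 0xFF for b in out) if self.corrupt_tx else out


def cyclic_check(data: bytes) -> int:
    """Cyclic check value exchanged over the synchronization interface."""
    return zlib.crc32(data) & 0xFFFFFFFF


def scan_cycle(first: SecureChannel, second: SecureChannel,
               msg: bytes, network: list) -> str:
    """One cycle of blocks 500-512; returns 'sent', 'blocked' or 'safe_state'."""
    out1 = first.process(msg)   # 500/504: first channel receives and processes
    out2 = second.process(msg)  # 502/506: second channel does the same
    # Claim 3: the second channel sends its cyclic check value; the first
    # channel sends its output only if its own value matches.
    if cyclic_check(out1) != cyclic_check(out2):
        return "blocked"        # diverging processing: nothing reaches the network
    network.append(first.transmit(out1))  # 508: first output sent
    # Claim 2 / block 510: supervise the output actually on the network,
    # which also catches a fault downstream of the cyclic check comparison.
    if network[-1] != out2:
        first.safe_state = True  # 512: e.g. signal the closing unit 60
        return "safe_state"
    return "sent"
```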

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20195696A FI129898B (en) 2019-08-23 2019-08-23 Automation system safety arrangement
FI20195696 2019-08-23

Publications (1)

Publication Number Publication Date
CN112417453A true CN112417453A (en) 2021-02-26


Also Published As

Publication number Publication date
FI20195696A1 (en) 2021-02-24
FI129898B (en) 2022-10-31


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination