IT201800005767A1 - System, device and method for the remote management and / or maintenance of machines - Google Patents

Description

Description of the industrial invention entitled "System, device and method for the remote management and / or maintenance of machines"

The present invention refers to a system, a device and a management method for operating remote connections, from outside a local data network to machines, especially of the industrial type, for example printing machines, connected to the local data network. with their own control system.

In particular, the solution covered by the patent provides the possibility of operating a remote management and / or maintenance of machines (especially of an industrial type, for example printing machines or other machines whose operation is governed by a control system) to allow for example, an intervention on the machine remotely by assistance personnel, for example to view and possibly set machine operating parameters, view the machine history, production data, malfunctions, etc.

In the known art, the machines with a computerized control (for example the printing machines, in particular of the industrial type) usually comprise an interface for connection to a data network in order to be able to exchange information and commands with a suitable terminal. Generally, through this terminal it is local and through it the personnel can access the control system of the machine to program or collect information about the operation of the machine. For example, it is possible to detect the production data performed by the machine and check the progress of the operations carried out by the machine during its normal operation or in any case to set the operating parameters of the machine. In particular, in the case of a printing machine it is possible to check the progress of a print job, the number of prints produced, the time required / remaining to finish a scheduled print, etc. Through the terminal, the technical assistance staff can also access the control system of the machine to be able, for example, to diagnose faults or malfunctions and possibly remedy them.

The connection between the machine control system and the terminal often takes place through a suitable local data network. In the technique, and in particular in the field of maintenance of industrial machines, it has also been proposed to be able to access the machine remotely through a data network (for example through the Internet) which is external to the local network, so as to be able to perform operations remote control, maintenance and / or diagnosis.

The technical assistance staff can thus remotely access the computer control system of the machine without the need (at least for initial assistance) to physically go to the machine. Remotely, the assistance staff can often identify the origins of a fault or malfunction and possibly remedy it without the need to work directly on the machine. Remote assistance is also useful for the assistance staff in order to estimate the necessary interventions to be performed on the machine and to be able to arrive prepared at the machine, thus reducing machine downtime and fault repairs. In addition to assistance, remote access can also be useful for remotely monitoring the normal operation of the machine.

In any case, to remotely access the local data network to which the machine is connected, however, connection setting problems often arise.

For example, the remote access parameters to the local network must be appropriately set to allow access to the local network from the outside and this can undermine the security of the local network.

Furthermore, the company where the machine is installed may also consider that granting indiscriminate access to its local data network, even if by authorized service personnel (but always external to the company), may be a procedure contrary to its IT security and data privacy policy.

Even when remote access is allowed, the technical assistance staff must still go to the site at least once to set all the parameters for remote access to the machine, generally working together with the local network managers. This can be time-consuming, cumbersome and costly.

The general purpose of the present invention is to provide a method and a system which allow to remotely access a machine with computerized control, in a simple and efficient way, obviating the problems of the known art.

In view of this purpose, according to the invention, it was thought to provide a method for accessing, through an external data network to a local data network, to a control system of a machine connected to the local data network, comprising the phases of :

- connect to the local data network a connection device separate from the machine and able to initiate a connection to a web application server on the external network upon receipt of a connection command and able to make a data connection through the local network with the control system of the car;

- arrange on the external data network at least one web application server able to receive the connection from the connection device; And

- upon receipt of the connection command, the connection device by establishing a connection tunnel from within the local data network to the at least one web application server on the external data network and by exchanging data between the web application server and the system control of the machine using said tunnel.

Always according to the principles of the present invention, it was also thought to realize a system comprising a local data network on which the control system of a machine can be connected, a connection device that can be controlled through a connection command and connected to the local data network through a connection interface, at least one web application server connected to a data network external to the local data network and connected to this local data network, the system being able to operate according to the aforementioned method.

Still according to the principles of the present invention, it has also been thought of realizing a connection device suitable for operating according to the aforementioned method and comprising a microprocessor, a memory, a network interface and a button for entering a connection command for command the microprocessor of the connection device to connect to an external data network through a local data network connected to the network interface.

In order to clarify the explanation of the innovative principles of the present invention and its advantages with respect to the known art, exemplary embodiments applying these principles will be described below, with the help of the attached drawings. In the drawings:

figure 1 represents a schematic view of a system according to the present invention for the remote connection to a machine;

figure 2 represents a block diagram of a connection device used in the system of figure 1;

-figure 3 schematically represents a possible structure of the data connections according to the invention;

-figure 4 schematically represents a possible scheme of a first phase of setting up the system according to the invention;

-figure 5 schematically represents a possible scheme of a second phase of setting up the system according to the invention.

With reference to the figures, figure 1 schematically shows a system 10, made according to the present invention, for the remote connection to a machine 11 by a system and / or a remote terminal 12 through an external data network 17, for example for example a geographic network and, in particular, the Internet.

The machine 10 (which can be any industrial machine with local computerized control, for example a printing machine) comprises its own computerized control system 13. The computerized control 13 can be connected to a local command and data display terminal for local machine management. Furthermore, the machine has a connection 15 towards a local data network 16 to exchange data and commands on this local network, for example to have the terminal 14 connected to the control system 13 through this local network instead of directly. This machine structure is well known to those skilled in the art in various fields of industrial machines and is therefore not further described or shown here, as it can be easily imagined by the skilled person.

Through the terminal 14, a technician can, for example, check the operation of the machine, carry out analyzes of this operation, estimate or detect faults and malfunctions, carry out various known maintenance and setting activities, etc., also depending on the specific type of machine.

Usually the local network is connected to an external data network 17 (typically a geographic network and, in particular, the Internet) through a suitable known router 18. This router 18 can usually include or be enslaved to a firewall set to try to maintain security of the local network towards connections coming from outside.

In the traditional structure of a connection for remote assistance, the local network 16 should be specifically set to allow access from the outside to the local network, and therefore to the machine, by a remote system 19 and / or a remote terminal 12.

For this reason, according to the most commonly used known technique, it would be necessary to act on the settings of the router and / or the associated firewall to allow the remote system to access the local network.

However, this need for access can generate the aforementioned security problems of the local network, in addition to the need for a specialized intervention on the local network to appropriately set the access parameters.

According to the structure of the system object of the present invention, a special connection device 20 is connected to the local network, equipped with a control 21 (in particular, it can advantageously be a simple electric button) through which the device can be controlled to activate a connection to the external network 17 when you want to request remote assistance or in any case authorize access to your local network by an external system.

The connection device 10 is an electronic device (advantageously with a suitably programmed microprocessor, as will be further clarified below) which when the command 21 is activated is able to initiate a connection from inside the local network towards the outside, typically towards the external system realized with a web application server, creating a tunnel 22. The tunnel 22, being activated from inside the local network 16, will pass unscathed by the firewall (unless a specific rule), thus allowing to reach the local network 16 from 'external regardless of the addresses and / or FQDN of the firewall. In other words, this connection is not affected by the normal settings of the router and firewall, since the connection starts from within the local network like any normal connection from the local network to the outside.

The connection device 10 can comprise itself a VPN client or a WSS (Secure Web Socket) Client which connects to the Web Server 19 establishing, following an appropriate known authentication process, the tunnel 22 through which the requests will be routed. coming from the remote system (for example terminal 12) and the relative replies. Advantageously, the terminal 12 can use a normal browser which connects to the web server through a normal communication channel 27 on the network to display the interface provided by the device 20 and / or by the server 19. For example, the pages shown by the browser can be made using the HTML language, as easily imaginable by the skilled technician.

Preferably, the requests from the terminal 12 will be advantageously processed by a Web Server present in the device 20.

Furthermore, the device 20 can also be set (as will be clear from the following) for displaying services such as remote control via a "remote frame buffer" (VNC = Virtual Network Computing), as easily imagined by the technician skilled in based on the description given here.

The commands sent by the terminal 12 and arriving at the device 20 will then be routed by the device 20, through the local network, to the control system 13 of the machine 11, for example in a substantially similar way to what would happen if these commands came from a terminal 14 connected to the local network. In the same way, the responses and data emitted by the control system 13 of the machine will reach the device 20 which will forward them to the terminal 12 through the tunnel 22 and the Web server 19. It is thus possible to use the terminal 12 to access the machine 11 from the outside. . In use, when an operation is required that requires access to the machine from an external terminal, it will be sufficient for a person in charge to activate the command 21 on the device 20. The device 20 will consequently establish the tunnel 22 and an operator (for example a service technician) can connect to the machine using an external terminal 12.

Advantageously, using the web server 19, the terminal 12 can be any suitable terminal (for example a normal personal computer, a tablet, a smartphone, etc.), connected for access in any part of the external network and which, by accessing the web server 19 with a normal browser can interface with the machine 11.

For example, if a person in charge of the company where the machine 11 operates detects a problem or malfunction of the machine, he can call the technical assistance of the machine. After receiving the call, a technical assistance technician can ask the company representative to simply press the button 21 of the device 20 associated with the machine. The device 20 thus establishes the tunnel with the web server 19 and the service technician can remotely connect with a personal computer to the corresponding web page on the web server, possibly authenticating with a user name and a security password. The technician can thus operate remotely on the machine, using the interface made available by the web server, solving the problem on the machine, remotely if possible, or making a diagnosis that can be useful for planning a possible intervention of the technician at the machine . After remote access to the machine, the technician can command the device 20, via the web server, to terminate the connection and delete the tunnel 22.

Figure 2 schematically shows a possible structure of the device 20. This device can itself be a substantially known microprocessor device suitably programmed and comprise a microprocessor control unit 23, a volatile memory 24, a non-volatile memory or program memory 25 and a network interface 26 for connection to the local network. The network interface can be a known wired network interface in itself or even a wireless network interface for a WIFI connection to the local network 16 through a WIFI access point possibly present in this local network. The device 20 can be powered through the same wired local network, have internal batteries or be connected to an external energy source, as easily imagined by the technician.

The device may comprise some warning lights that indicate its operation, such as an on light, a light indicating correct connection to the local data network, a light indicating successful connection to the external remote system through the tunnel.

The device 20 can for example comprise or be formed by a suitably programmed so-called "single-board computer". For example, suitable single board computers can be “Rasberry Pi”, “Arduino”, “FriendlyARM” or their equivalent or compatible, suitably programmed. For example, a version of an operating system (advantageously Linux) suitably adapted to implement a suitable VPN or WSS client can be installed on the device 20, which activates the connection with the server 19 and the remote terminal 12 when it receives a command signal by means of command 21.

Alternatively, the device 20 can also be a different known device suitably programmed and connected to the local network. For example, the device 20 can also be realized by means of a smartphone or a tablet suitably programmed with a suitable application which implements the aforementioned functions in it according to the present invention. The command 21 can be a physical button (connected for example to a suitable input port of the "single-board computer") or a "virtual" button that can be activated by means of a command sent to the device 20 or even a command entered by means of a touch screen if necessary present in the device 20.

Figure 3 further schematically shows a possible advantageous structure of the data connections that can be formed between the remote terminal 12, the device 20 and the machine 11.

As can be seen in this figure, a browser 42 on the terminal 12 connects through the connection 27 to the web server application 19 which is in turn connected through the tunnel 22 (which passes the router and firewall 18) to the device 20 on the local network 16 and, through it, to the known control system 13 of the machine 11.

As can be seen schematically again in Figure 3, the device 20 can implement via software the VPN / WSS client 28 (which creates the tunnel 22), a web server 29 (which draws on data and / or data flows), such as for example the aforementioned VNC connection, and a dataproxy 30 (suitable for the specific connected machine and which will manage the connection 31 between device 20 and machine 11 on the local network 16).

If desired, thanks to the principles of the present invention, it is also possible to simplify the initial setting steps of the system 10 and at the same time also to increase its safety.

For example, Figure 4 shows a possible scheme of an initial procedure or first or single phase of setting up the system according to the invention. According to this scheme, the setting procedure can provide that the system administrator connects to a web server application 32 and enters configuration data 33, for example for configuration on the local network, indicating the machine to be associated with the device, and any other data deemed useful for the management of the system. This connection can take place for example by means of a suitable browser 34 on a terminal or personal computer 35, which can also be the same browser and / or the same terminal or personal computer 12 which are used in the subsequent use of the system.

The Web application server can essentially be a management software that allows you to perform all the system setting and control operations, and also be the same that is then used in the use of the system as described above with reference to the web server 19.

On the basis of the data 33 entered, the web application server can process and return a file 36 (possibly encrypted) for the device 20 and containing the image of the operating system already configured at the network level (DHCP or pre-assigned static IP) and with useful data to identify the machine 11 on the local network, a possible digital certificate with relative private key that allows to uniquely identify the device 20 that is associated with the specific machine 11, etc. The processing of file 36 is easily imaginable by the expert technician on the basis of the description made here. The operating system used will obviously depend on the actual structure of the device 20 and on the specific needs and practical preferences. For example, the operating system can be a version of Linux, as easily imagined by the technician based on the description of the invention made here.

The image file can be loaded into device 20, which is thus set up to operate with the assigned machine and local network. For example, it can be provided that the memory 25 of the device 20 is or comprises a removable mass memory (typically but not exclusively an SD card or a USB stick) on which the image file is saved and which is then inserted into the device 20 to set its operation.

This procedure can be carried out, for example, by the personnel who must subsequently provide remote technical assistance or other suitable personnel, and the device 20 can be delivered to the company in which the machine 11 is present, ready with the image of the operating system. configured, so that this company only has to connect the device 20 to its local network 16. Alternatively, the device can be delivered "blank" (or already in the possession of the user) and the image file can be sent in various ways (for example as an attachment to an email, to be downloaded from an appropriate website and saved in the device, saved on a support such as an SD or a USB stick - and sent to be inserted into the device, etc.) to be subsequently installed on the device. In order to ensure greater safety, the system according to the invention can also advantageously provide a two-phase setting procedure, with a first pre-setting phase and a second final system setting phase.

According to this alternative way of proceeding, the operating system that is set up and installed in the first phase, with a procedure similar to that described above, is not ready to operate according to the invention and allow the use of a remote terminal in connection with the machine on the local network, but it is suitable for starting the device 20 to pass to the second setting phase where the device 20 becomes definitively operative.

In particular, as shown schematically in Figure 5, the first phase can produce the activation of the device 20 with software installed in the first phase (for example in the memory 25) which operates to enable it to verify the consistency of the configuration data received. (for example, possibly the correct connection with the machine 11 and the connection with the local network to connect to the web application server) and connect to the web application server as described above. The connection to the web application server can also advantageously take place through an authentication procedure 40 known per se, for example by means of a digital certificate installed on the device 20 and preferably received in the first phase, for example installed in the removable memory.

After authentication 40, the device receives from the web application server 32 the software 41 necessary to perform the required tasks. In particular, such software can be the final version of the operating system or parts of it initially missing in the image installed in the first phase and necessary for the full operation of the system according to the invention (for example, the VPN and / or the dataproxy suitably set, or other necessary parts). The software downloaded in the second phase may also depend on the specific activities required (eg log collection, remote control) and on the nature of the machine to be controlled.

Advantageously, the software that the device receives from the web application server in the second phase can be saved from the device on a partition residing in the volatile memory 24 of the device (for example a tmpfs partition of the Linux operating system).

This adds further protection to the system, as the operating software is protected from reverse engineering attempts. In fact, it is not possible to access the software by removing the memory from the device as this would lead to the loss of the software in the volatile memory, making it impossible for malicious people to access the software. When the device is switched on again, the software of the first phase could in any case repeat the procedure to re-download the software of the second phase from the external network and reinstall it in volatile memory, so that the device would resume normal operation.

As a further advantage, since the device 20 receives the software from the web application server, the system is always updated to the latest version of the software available on the web application server.

At this point it is clear how the intended purposes have been achieved.

Thanks to the invention it is possible to remotely access a machine with computerized control, avoiding the connection problems that are generated with the known technique to connect from the outside to a local network. Moreover, thanks to the invention it is easy and fast to provide remote assistance service to machines with computerized control, maintaining, if desired, a strict control of the hardware and / or software necessary for the operation of the system. Again thanks to the principles of the invention, a substantially self-installing system can be created. It is also easy to create a "cloud based" system.

As is clear to the technician from the description given, the terminal 12 and / or 35 can be any device equipped with a browser, such as for example even a simple smartphone or tablet.

Thanks to the invention, installation and intervention costs are also reduced and easily controlled.

The system according to the invention allows secure access to industrial local networks for the remote control and diagnosis of machinery and the system can be used by companies offering support and / or maintenance services to connect various types of machinery, avoiding the need for installation of software and the intervention of specialized personnel for the configuration of the network and machines.

Naturally, the above description of an embodiment applying the innovative principles of the present invention is given by way of example of such innovative principles and must therefore not be taken as a limitation of the patent scope claimed herein.

For example, the physical structures of the network and of the device may be different from those shown as an example, also depending on specific needs and operational preferences. Furthermore, the first phase can be different from what has been described or even be missing, and the device can be supplied directly with a simple bootloader integrated in it to operate the steps of the second phase and download the complete and already set software. Similarly, the first phase can directly download the complete image instead of a useful image only to start a second phase as described above and the second phase may therefore be missing. As can now be easily imagined by the technician, the connection device 10 can be simple and inexpensive in itself and can simply be made in the form of a small box with an external button for the command 21 and, if desired, the operating lights and the data network socket (unless providing only the wireless connection) and an input for the electrical power supply 8 (unless battery powered or through the data network socket itself).

Of course, a plurality of devices 20 can also be provided, each associated with a machine to which one wants to remotely connect or a device for several machines on the same local network. Furthermore, several remote terminals can be provided that access the same web server or different web servers, or a single remote terminal and / or a single web server that access multiple devices 20. The remote system can also operate without a remote terminal, for example for the purpose of collecting a database of information on the machine, such as operating histories, malfunctions, etc., possibly to be provided at a later time to a remote terminal that connects to the remote system. With the solution according to the invention it is therefore easy to create an even very extensive remote assistance network for a plurality of machines even for a multitude of different assistance service customers.

Claims (14)

Claims 1. Method for accessing, through an external data network (17) external to a local data network (16), to a control system (13) of a machine (11) connected to the local data network, comprising the steps of: - connect to the local data network (16) a connection device (20) separate from the machine (11) and able to initiate a connection to a web application server (19) on the external data network (17) upon receipt of a connection command (21) and suitable for making a data connection through the local data network (16) with the control system (13) of the machine (11); - arranging on the external data network (17) at least one web application server (19) able to receive the connection from the connection device (20); and - upon receipt of the connection command (21), the connection device (20) establishing a connection tunnel (22) from within the local data network (16) towards the at least one web application server (19) on the network external data (17) and by carrying out a data exchange between the web application server (19) and the control system (13) of the machine using said tunnel (22). 2. Method according to claim 1, characterized in that it comprises the further step of connecting a terminal (12) set up with a browser to the external data network (17), and accessing the web application server (19) with said browser for one exchange of data between the browser and the control system of the machine with intermediation of the web application server (19) and the connection device (20) and through the said tunnel (22) created by the connection device (20). Method according to claim 1, characterized in that the connecting device (20) is programmed to provide a web server (29) and a VPN / WSS client (28) to the external data network (17) using the tunnel ( 22). Method according to claim 1, characterized in that the connection device (20) is programmed to provide a dataProxy (30) to the control system (13) of the machine using the said local data network (16). 5. Method according to claim 1, characterized in that it comprises at least a first setting step in which an image file of a software or operating system is created for the connection device (20) with at least first settings for the creation of a connection to at least one web application server (19 or 32) and this image file is sent and installed on the connection device. 6. Method according to claim 5, characterized in that the first setting phase is followed by a second setting phase during which the device after connecting to the web application server downloads from it a software (41) forming a second operating system or integrating the first operating system to make the connection device able to operate with full operation according to the method. Method according to claim 5, characterized in that the operating system of the first phase is installed on a non-volatile memory (25) of the connecting device (20). Method according to claim 7, characterized in that the non-volatile memory (25) is a memory of the removable type to be inserted in the device after having saved in said memory at least the operating system of the first phase. Method according to claim 6, characterized in that the software (41) is saved on a volatile memory (24) of the connection device. Method according to claim 1 characterized in that the machine (11) is a printing machine. 11. Method according to claim 1 characterized in that the data exchange is used for remote maintenance / assistance of the machine. Method according to claim 1, characterized in that the external data network (17) is the Internet network. 13. System comprising a local data network (16) on which the control system of a machine can be connected, a connection device (10) that can be controlled through a connection command (21) and connected to the local data network (16) through a connection interface (26), at least one web application server (19, 34) connected to an external data network (17) external to the local data network and connected to this local data network, the system being able to operate according to the method of a any of the preceding claims. Connection device (10) suitable for operating according to the method of any one of claims 1 to 12, comprising a microprocessor (23), a memory (24, 25), a network interface (26) and a button ( 21) intended for entering a connection device connection command via a local data network connected to the network interface (26).