JP2011086240A - Verification device and software updating system for field equipment using the same - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a verification device verifying software that field equipment down-loads to prevent update of the software, which an operator does not intend, and to provide a software updating system for field equipment provided with the verification device. <P>SOLUTION: The verification device transmits software whose validity is secured to the field equipment via a field bus among enciphered software for field equipment, which are received via a network. The verification device includes a decoding key which is previously stored in a storage means, a validity determination means determining that software is legal when software can be decoded based on the decoding key, and a software transmitting means transmitting the software determined to be legal to the field equipment in a decoded state via the field bus. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a verification device for verifying software of a field device to be exchanged via a field bus, and a field device software update system using the verification device.

  Conventional field devices are installed in water purification plants, plants, etc., measure physical quantities (for example, flow rate, water level, pressure, temperature, etc.) and output electrical signals according to the measurement results. Pressure transmitters, various flow meters, thermometers, valve positioners, etc. For example, field devices are often used in automation and process control techniques to measure process variables as sensors and to control control variables as actuators.

  Also, for example, as a process control system in industrial automation, field devices including sensors, actuators, and controllers such as flow meters and thermometers that constitute control loops such as feedback control are installed in Foundation Fieldbus FF-H1 ( It has been proposed to construct a field control system by connecting to each other via a network such as a two-wire bus-fed field bus such as a registered trademark and PROFIBUS-PA (registered trademark).

  The field control system is configured such that an operation schedule of field devices is set, and a control loop composed of the field devices operates as planned. At this time, the field device performs an operation corresponding to a predetermined function block (analog input function block AI, PID function block PID, etc.) based on a function block execution time (FB execution time) of a product specification set in advance.

  In such field control systems, in order to promote functional distribution for the purpose of process improvement, etc., field devices including sensors, actuators, and controllers such as flow meters and thermometers that constitute a control loop for feedback control, etc. Replacing software or software implemented in field devices using the fieldbus communication function for the purpose of expansion such as self-diagnosis function or to correct bugs that are likely to occur due to rich functions (fieldbus communication function) (Updating) Field device software update system is under consideration.

  FIG. 5 is a block diagram of a conventional field device software update system. In FIG. 5, the conventional field device software update system is a device that supervises communication between devices connected to the FF-H1 bus, and is a link master. It comprises a host device 1 that plays a role, and field devices 2 and 3 that are connected to the FF-H1 bus 100 and can communicate with the host device 1 and other field devices via the FF-H1 bus 100.

  Here, the field devices 2 and 3 include, for example, sensors for measuring a process amount, communication means for data communication with other field devices or other devices via the FF-H1 bus 100, and each of the field devices 2 and 3 A calculation control means for executing a software download function (SoftDL function) for controlling functions and replacing software, and a plurality of software or software, a calculation part program for converting a measurement signal from a sensor into an output signal, and the like Storage means having a program storage area.

  The SoftDL function executed by the arithmetic control means of the field devices 2 and 3 is a function for receiving and updating the software of the own device (usually a field device) from another device (usually a host device) via FF-H1 communication. is there. This function makes it possible to update the field device software while it is installed in the plant.

  With such a configuration, the conventional software update system updates the software of the field device as described in (1) to (3) below. Hereinafter, in order to simplify the description, the field device 2 will be described as a target device (target device) whose software is updated.

(1) The host device 1 transmits software to the field device 2.
(2) The field device 2 receives the new software data from the host device 1 via the FF-H1 bus 100, and stores the received new software in a storage area in the storage means in which the operating software is not stored. To do.
(3) When all the software is received and stored in the device, the target device 2 starts to operate with the received software. Specifically, the field device 2 restarts after downloading and operates the new software stored in the program storage area. That is, in the field device 2, rewriting of operating software is performed.

As described above, the conventional field device can replace software or software installed in the field device by using the communication function of the field bus.

  As a prior art document related to a field device software update system for updating software / software of a conventional field device, there is Patent Document 1 below.

JP 2005-173747 A

  However, in the conventional field device software update system, an unconfirmed device can be joined to the FF-H1 bus by an unconfirmed device that is not known by the operator if communication according to the FF-H1 protocol is possible. Has a SoftDL function, software can be transmitted to any field device that supports the SoftDL function, and software transmission unintended by the operator is executed. there were.

  FIG. 6 is an explanatory diagram for explaining the problems of the conventional field device software update system. In FIG. 6, communication according to the FF-H1 protocol is possible on the FF-H1 bus 100 of the software update system of FIG. An unconfirmed device 50 that is not recognized by an operator is connected.

  The host device 1 and the field devices 2 and 3 communicate via the FF-H1 bus 100. The unconfirmed device 50 is connected to the FF-H1 bus 100 and communicates with the host device 1 and the field devices 2 and 3.

  In this case (FIG. 6), the unconfirmed device 50 may transmit software whose operation is not guaranteed to the field device 2. The operation of the conventional field device software update system in such a case will be described below.

(1) The unconfirmed device 50 transmits software to the field device 2 (starts software download).
(2) The field device 2 receives (downloads) the transmitted software because the unconfirmed device 50 is executing processing according to the specifications.
(3) The field device 2 receives the new software data from the host device 1 via the FF-H1 bus 100, and stores the received new software in a storage area in the storage means in which the operating software is not stored. To do.
(4) When all the software is received and stored in the device, the target device 2 starts to operate with the software received from the unconfirmed device 50. Specifically, the field device 2 restarts after downloading and operates new software stored in the program storage area. That is, the field device 2 rewrites the operating software.

  As described above, the field device 2 normally downloads software whose operation is not guaranteed from the unconfirmed device 50 capable of communication in accordance with the FF-H1 protocol, and rewrites the software. The problem is that it may not work. Specifically, there are problems in the following points.

(A) Software (firmware) unintended by the operator is written The unconfirmed device 50 makes it possible to write software (firmware) not intended by the operator into the installed field devices 2 and 3. There was a problem.
For example, an unconfirmed device 50 that provides software that behaves in such a way as to interfere with the operation of another field device (not shown) connected to the FF-H1 bus 100 by a third party having an injurious purpose is used as the FF-H1 bus 100. By connecting to the FF-H1 bus 100 and connecting them to the field devices 2 and 3, communication between the devices connected to the FF-H1 bus 100 cannot be performed normally, and the system is confused.

(B) The software (firmware) is erased The software (firmware) downloaded to the existing field devices 2 and 3 is made empty by the unconfirmed device 50 to operate the device that sent the software (firmware). There is a problem that it becomes possible to make it impossible. In this case, in order to recover, it is necessary to remove each field device from the control system (FF-H1 bus) and replace the internal substrate, resulting in a problem of enormous damage.

  In addition, when software is transmitted to a plurality of field devices, the conventional technique places a load on the host device 1 and may impair the operation of the (main) control system. There was also a problem that the software could not be updated reliably.

  The present invention solves the above-described problems, and an object thereof is to provide a verification device capable of preventing software updates unintended by an operator (only allowing verified software to be downloaded to a field device) and the verification device. To implement a field device software update system.

In order to achieve such a problem, the invention according to claim 1 of the present invention is:
Among the encrypted field device software received via the network, the verification device transmits the software with a guaranteed validity to the field device via the field bus,
A decryption key stored in advance in the storage means;
If the software can be decrypted based on the decryption key, legitimacy judging means for judging that the software is legitimate,
A verification apparatus, comprising: software transmission means for transmitting the software determined to be valid to the field device via the field bus in a decrypted state.

The invention according to claim 2
Among the software for field devices encrypted by the host device received via the field bus, the verification device transmits the guaranteed software to the field device via the field bus,
A decryption key corresponding to an encryption key stored in advance in the storage means and held by the host device;
If the software can be decrypted based on the decryption key, legitimacy judging means for judging that the software is legitimate,
A verification apparatus, comprising: software transmission means for transmitting the software determined to be valid to the field device via the field bus in a decrypted state.

Invention of Claim 3 is a verification apparatus of Claim 1 or 2, Comprising:
Normality determining means for determining whether or not the software determined to be valid is normal;
The software transmission means for transmitting the software determined to be normal by the normality determination means to the field device via the fieldbus.

Invention of Claim 4 is a verification apparatus of Claim 3, Comprising:
The normality determining means is
If the software format determined to be valid is based on software specification information stored in advance, it is determined that the software is normal.

Invention of Claim 5 is a verification apparatus in any one of Claims 1-4, Comprising:
An external communication interface for receiving encrypted software is provided.

The invention described in claim 6
A verification device according to any one of claims 1 to 5;
A field device that acquires software via the fieldbus and updates the software to be executed;
A host device connected to the field device and the verification device via the field bus, and encrypting and transmitting the software to the verification device;
A field device software update system characterized by comprising:

As described above, according to the verification device of the present invention and the field device software update system using the verification device, the validity determination unit of the verification device stores the encrypted field device software received via the network. If the software can be decrypted based on the decryption key stored in advance in the means, it is determined that the software is valid, and the software determined by the verification device software transmission means is decrypted. By transmitting to the field device via the field bus, it is possible to update only the software whose legality is guaranteed.
For this reason, the field device does not perform an abnormal operation caused by software update, and the stability of the entire control system (FF-H1 bus) can be improved.

  In addition, since the verification apparatus according to the present invention is a dedicated apparatus related to the field device software update system, it is possible to easily replace programs in the verification apparatus. As a result, the function of the verification apparatus (software verification function) can be easily improved.

  In addition, since the verification apparatus according to the present invention transmits the software received from the host device and guaranteed to the target field device, the host device transmits the software directly to the field device as in the prior art. Disappears. For this reason, according to the present invention, even when software is transmitted to a plurality of field devices, the host device only needs to transmit software once to the verification device, and the load on the host device can be reduced.

It is a block diagram of one Example of the verification apparatus of this invention and the field apparatus software update system using the same. It is operation | movement explanatory drawing of the verification apparatus of FIG. 1, and a field apparatus software update system provided with the same. It is other operation | movement explanatory drawing of the verification apparatus of FIG. 1, and the field apparatus software update system using the same. It is a block diagram of the field device software update system at the time of adding another network interface to the verification apparatus which concerns on FIG. It is a block diagram of the conventional field device software update system. It is explanatory drawing explaining the problem of the conventional field device software update system.

<Example 1>
FIG. 1 is a block diagram of an embodiment of a verification apparatus according to the present invention and a field device software update system using the same, and the same reference numerals are given to portions common to FIG. 5 and description thereof is omitted as appropriate. The difference between FIG. 1 and FIG. 5 is that the validity of the encrypted field device software data (data including field device software; hereinafter referred to as software) received via the network is ensured. It is different in that a verification device for transmitting the software to the field device via the field bus is provided.

(Configuration of field device software update system)
In FIG. 1, the field device software update system of the present invention includes a host device 1 that plays a role of a link master in a device that controls communication between devices connected to the FF-H1 bus 100, and an FF-H1 bus 100. Field devices 2 and 3 that can be connected to and communicate with the host device 1 and other field devices and the verification device 4 via the FF-H1 bus 100, and encrypted field devices 2 and 3 that are received via the network. The verification device 4 is configured to transmit software of which software is secured to the field devices 2 and 3 via the field bus 100.

  Note that the field device software that is verified and updated by the verification apparatus of the present invention and the field device software update system using the verification device also covers firmware, and any firmware or software as long as it is a program or application for a field device It may be.

  The host device 1, the field devices 2, 3 and the verification device 4 are each connected to the FF-H1 bus 100 and perform data communication via the FF-H1 bus 100.

  The host device 1, the field devices 2, 3 and the verification device 4 are each connected to the FF-H1 bus 100. However, the host device 1, the field devices 2, 3 and the verification device 4 are not particularly limited, and can perform data communication related to field control. Any fieldbus or IP (internet protocol) network may be used.

(Configuration of host device 1)
Although not specifically shown, the host device 1 encrypts the software for the field device 2 or 3 via the FF-H1 bus 100 and transmits the encrypted software to the verification device 4, and the decryption key of the verification device 4 A storage unit that stores a corresponding (common) encryption key and a communication unit that performs data communication with the verification device 4 and the field devices 2 and 3 via a field bus such as the FF-H1 bus 100 are provided.
Specifically, the calculation control means of the host device 1 encrypts the software for the field device 2 or 3 based on the encryption key stored in the storage means, and controls the communication means to control the FF-H1 bus 100. To the verification device 4.

(Configuration of field devices 2 and 3)
The field devices 2 and 3 are set so that software can be received (downloaded) only from the verification device 4 and hold information necessary for the determination. For example, the operation control means of the field devices 2 and 3 receives only data (software) from the address (network address) of the verification device stored in the storage means.

  Specifically, the field devices 2 and 3 are not particularly illustrated, but, for example, a sensor that measures a process amount, a communication unit that performs data communication with other field devices or other devices via the FF-H1 bus 100, and a field Arithmetic control means for controlling each function (execution function of the function block) of the devices 2 and 3 and executing a software download function (SoftDL function) for receiving only software from the verification device 4 and replacing the software; And a storage means having a plurality of program storage areas for storing a program of an arithmetic part for converting a measurement signal from the sensor into an output signal.

  The SoftDL function executed by the arithmetic control means of the field devices 2 and 3 is a function for receiving and updating the software of its own device (usually a field device) from the verification device 4 via FF-H1 communication. This function makes it possible to update the field device software while it is installed in the plant. In addition, by receiving only the software from the verification device 4 and performing replacement, it is possible to prevent software updates that are not intended by the operator (in other words, only verified software can be downloaded).

(Configuration of the verification device 4)
The verification device 4 executes verification of software downloaded by the field device 2 or 3 and transmission of the software to the target field device 2 or 3.
All devices can transmit software data to the verification device 4. The verification device 4 verifies the received data (software) and transmits only the software that has passed the verification to the target field device 2 or 3.

  Data (software) received by the verification device 4 is encrypted. The verification device 4 holds a common decryption key corresponding to the encryption key held by the host device 1 in advance. By decrypting data (software) received from the host device 1 using this decryption key and collating the decrypted software, it is possible to determine whether the software download is intended by the operator.

  Specifically, the verification apparatus 4 determines whether the software stored mainly in the storage unit 43 is normal, and the validity determination unit 41 that mainly determines the validity of the software stored in the storage unit 43. The storage unit 43 for storing software received via the normality determination unit 42 and the communication unit 44, the communication unit 44 for receiving software from the host device 1 via the FF-H1 bus 100, and the communication unit 44 are controlled. A software transmission unit 45 that transmits to the field device 2 or 3 that is a target device for updating software via the FF-H1 bus 100, and an arithmetic control unit that controls the operation of each unit.

  The communication unit 44 is connected to the FF-H1 bus (not shown) and is also connected to the calculation control unit, and the storage unit 43 is also connected to the calculation control unit. The validity determination unit 41, the normality determination unit 42, and the software transmission unit 45 are also connected to each other, and are connected to the communication unit 44, the storage unit 43, and the calculation control unit.

  The correctness determining means 41, the normality determining means 42, and the software transmitting means 45 start up the OS stored in the storage means 43 by the arithmetic processing means and read the program stored in the storage means on this OS. The function blocks developed in the storage means may be used, and these are represented as function blocks in FIG.

  The validity determination means 41 determines that the software is valid if it can decrypt the encrypted field device software received via the network based on the decryption key stored in the storage means 42. To do.

  The normality determination means 42 determines whether the software determined to be valid by the validity determination means 41 is normal. Specifically, the normality determination unit 42 determines that the software format determined to be valid by the validity determination unit 41 matches that based on the software specification information stored in the storage unit 42 in advance. The software is determined to be normal.

  The storage unit 43 includes a hard disk, a RAM, a ROM, and the like that store programs and applications for operating as the verification device 4. The storage unit 43 stores a decryption key corresponding to the encryption key held by the host device 1 or a decryption key corresponding to an encryption key prepared in advance by the user. The storage unit 43 stores software acquired (downloaded) via the FF-H1 bus 100.

  The communication unit 44 plays a role of an interface for communicating with the host device 1 and the field devices 2, 3 or other devices via the FF-H1 bus 100.

  The software transmission unit 45 controls the communication unit 44 to transmit the software determined to be valid to the field devices 2 and 3 via the FF-H1 bus 100 in a decrypted state.

  The arithmetic control means (not shown) may be composed of a CPU (Central Processing Unit) that controls the operation of each means. Specifically, the arithmetic control means activates an OS or the like stored in the storage means 43. The verification device 4 is controlled by reading and executing the program stored in the storage means on the OS, and the validity of the encrypted field device software received via the network is ensured. Software to the field device via the fieldbus.

  In addition, when the communication unit 44 receives the encrypted software from the host device 1, the arithmetic control unit controls the validity determination unit 41 to determine the validity of the software. The arithmetic control unit controls the software transmission unit 45 to transmit the software whose validity is ensured as a result of the determination to the field device 2 or 3.

  With such a configuration, the verification apparatus according to the present invention and the field device software update system including the same perform the following operations (1-1) to (1-7), for example. FIG. 2 is an operation explanatory diagram of the verification device of FIG. 1 and a field device software update system provided with the verification device, and (1-1) to (1-7) in FIG. 2 correspond to the following operation descriptions. .

  (1-1) In order to notify the verification device 4 of the address of the field device that is the target device (target device) whose software is to be updated, the host device 1 includes data including address information of the field device 2 (hereinafter, target device information Send).

  (1-2) The host device 1 transmits the software for the field device 2 encrypted based on the encryption key stored in the storage unit to the verification device 4.

  The host device 1 may transmit the target device information to the verification device 4 together with the encrypted software. If the encrypted software and the target device information are to be transmitted, the host device 1 may be transmitted in the order of transmission ((1-1), ( The process after 1-2)) is not limited.

(1-3) The verification device 4 receives the encrypted software data from the host device 1 via the FF-H1 bus 100 and stores it in the storage unit.
Specifically, the arithmetic control unit of the verification device 4 stores the encrypted software received from the host device 1 in the storage unit.

(1-4) The validity determination means 41 of the verification device 4 decrypts the received data and verifies the decrypted software. If it is determined that the software is intended by the operator, the operation proceeds to (1-5). If it is determined to be incorrect, the subsequent processing is not executed.
Specifically, the validity determination unit 41 of the verification device 4 can decrypt the encrypted field device software received via the network based on the decryption key stored in the storage unit 42. And determine that the software is valid. As a result, it is possible to grasp that the software intended by the worker has been received.

(1-5) The software transmission unit 45 of the verification device 4 transmits the software transmitted to the verification device 4 to the field device 2 that is the target of this software based on the target device information notified from the host device 1.
Specifically, the software transmission unit 45 of the verification device 4 controls the communication unit 44 and is determined to be valid by the validity determination unit 41 (or normal by the normality determination unit 42 (described later)). The software is transmitted to the field device 2 that is the target device via the FF-H1 bus 100 in a decrypted state.
The software transmission unit 45 of the verification device 4 adds the address of the verification device 4 or the verification device unique ID to the software and transmits the software to the target field device.

(1-6) The field device 2 determines the verification device 4 based on the address or the device unique ID, receives only the software transmitted from the verification device 4, and stores it in the storage unit. At this time, the software to be transmitted is not encrypted.
Specifically, when the arithmetic control unit of the field device 2 receives the software from the verification device 4, the address or device unique ID added to the received data is the address of the verification device 4 stored in the storage unit or If it matches the device unique ID of the verification device 4, only the software transmitted from the verification device 4 is accepted and stored in the storage means.
The field device receives only data from the verification device 4 when receiving software, but also receives data from other field devices when receiving data related to field control communication.

  (1-7) When the field device 2 receives all of the software and stores it in the device, the field device 2 starts to operate with the received software. Specifically, the field device 2 restarts after downloading and operates the new software stored in the program storage area. That is, in the field device 2, rewriting of operating software is performed.

  The verification device of the present invention and the field device software update system using the verification device transmit only the normal and correct software among the field device software received from the host device to the target field device. You may do it.

Specifically, the following operation (A) may be performed between the above-described operation processes (1-4) and (1-5).
(A) The normality determination means 42 of the verification device 4 determines whether or not the software determined to be valid by the validity determination means 41 is normal. If it is determined that the software is normal (intended by the operator), the operation proceeds to (1-5). ) If it is determined that the software is normal, the subsequent processing is not executed.
Specifically, the normality determination unit 42 determines that the software format determined to be valid by the validity determination unit 41 matches that based on the software specification information stored in the storage unit 42 in advance. Is determined to be normal.

Further, the normality determination means 42 may determine that the software is normal when there is predetermined data at a specific location in the software.
For example, the verification device 4 stores information (definition information) serving as a reference for determining as normal software defined by the user in advance in the storage means, and the normality determination means 42 is a method defined by the user based on the definition information. Thus, the software to be transmitted to the target device may be checked. Further, the normality determination means 42 of the verification device 4 checks whether there is specific data in a specific location in the software received from the host device 1 and decrypted based on the definition information, and specifies in the software. If there is predetermined data at the location, this software is determined to be normal. As a result, the verification apparatus 4 of the present invention can prevent software updates that are out of the user definition information and are not intended by the user (only the software whose field device has been verified is downloaded).

Further, the normality determination means 42 may determine that the software is normal when the hash value calculated based on the encrypted software matches the hash value of the software received together with the encrypted software.
For example, when the host device 1 encrypts software, a hash is calculated, and the hash value is transmitted to the verification device 4 together with the encrypted data. The normality determining means 42 collates these hash values and determines that the matching software is normal. As a result, the verification device 4 of the present invention can check communication errors such as garbled data on the communication path and the like, and can prevent the field device from being updated to software including garbled data.

  As described above, the verification device of the present invention and the field device software update system using the same are stored in the storage unit among the encrypted field device software received by the verification unit of the verification device via the network. When the software can be decrypted based on the decryption key stored in advance, the software determines that the software is valid, and the field device is in a state where the software determined by the verification device software transmission means is decrypted. Can be transmitted via the fieldbus to prevent software updates unintended by the operator.

  In addition, the verification device of the present invention and the field device software update system using the verification device update software that is not intended by the operator using the unconfirmed device even when an unconfirmed device that the worker does not know participates in the FF-H1 bus 100. Can be prevented. FIG. 3 is another operation explanatory diagram of the verification apparatus of FIG. 1 and the field device software update system using the verification apparatus. The following operation will be described for each of cases (Case A) to (Case C) in FIG.

(Case A): When transmitting software from the unconfirmed device to the field device 2 (target) (executing SoftDL) The field device 2 is set to accept software download (reception) only from the verification device 4. . In this case, since the field device 2 can determine that the software transmission source is an unconfirmed device from the address or the like, the field device 2 rejects the download request (reception request).

  Specifically, when the arithmetic control unit of the field device 2 receives the software from the unconfirmed device, the address or the device unique ID added to the received data is the address or verification of the verification device 4 stored in the storage unit Since it does not match the device unique ID of the device 4, the software download request (reception request) transmitted from the unconfirmed device is rejected.

(Case B): When transmitting software (execution of SoftDL) from the host device 1 to the field device 2 (target) Since the field device 2 does not accept a software download request (reception) from other than the verification device 4, the case Similarly to A, the field device 2 rejects the software download request (reception request) from the host device 1.

  Specifically, when the arithmetic control unit of the field device 2 receives software from the host device 1, the address or device unique ID added to the received data is the address of the verification device 4 stored in the storage unit or Since it does not match the device unique ID of the verification device 4, the software download request (reception request) transmitted from the host device 1 is rejected.

(Case C): When software transmitted from the unconfirmed device to the field device 2 (target) via the verification device 4 (executes SoftDL) is not normal The unconfirmed device performs data transmission to the verification device 4. The verification device 4 receives software from an unconfirmed device. When the verification apparatus 4 has received all the software, the validity determination means 41 decrypts the software and executes verification of the transmission validity.
When it is determined to be legitimate (when legitimacy is ensured), the normality determination means 42 of the verification device 4 performs normality determination of the downloaded software. Since this software is determined not to be normal by the normality determination means 41 of the verification device 4, the verification does not pass and the process does not shift to the above-described (1-5) software transmission processing.

  As described above, the verification device of the present invention and the field device software update system using the verification device are not intended by the operator using the unconfirmed device even when the unconfirmed device that the worker does not know participates in the FF-H1 bus 100. Software update can be prevented.

As a result, the verification device of the present invention and the field device software update system using the verification device previously store in the storage means among the encrypted field device software received by the validity determination unit of the verification device via the network. If the software can be decrypted based on the stored decryption key, it is determined that the software is valid, and the software determined by the verification device software transmission means is decrypted to the field device in a decrypted state. By transmitting via the fieldbus, the correctness is ensured and only normal software can be updated.
For this reason, the field device does not perform an abnormal operation caused by software update, so that the stability of the entire control system (FF-H1 bus 100) can be improved.

  In addition, since the verification apparatus according to the present invention is a dedicated apparatus related to the field device software update system, it is possible to easily replace programs in the verification apparatus. This is effective in that the function of the verification apparatus (software verification function) can be easily improved.

  In addition, since the verification apparatus according to the present invention transmits the software received from the host device and guaranteed to the target field device, the host device can directly perform the software on the field device as in the prior art. Disappear. Therefore, according to the present invention, even when software is transmitted to a plurality of field devices, the host device only needs to send the software to the verification device once, and the load on the host device can be reduced. It is valid.

<Other Example 1>
Note that the verification apparatus of the present invention prevents the verification process from being affected by the communication process (such as processing delay), so that the communication calculation control means (communication CPU) and the verification calculation control means (verification) CPU) may be provided.

In this case, the communication CPU is a CPU that controls the communication unit 44 and the software transmission unit 45 to control communication with the host device 1 and the field devices 2 and 3 via the FF-H1 bus 100. Specifically, the communication CPU controls each means to receive the software transmitted from the host device 1 to the verification device 4 and to transmit the verified software to the field device 2 or 3 that is the target device. Execute.
The verification CPU controls the validity determination means 41 and the normality determination means 42 to execute verification of the software downloaded and stored in the storage means 43.

<Other Example 2>
The verification device and the field device software update system using the same according to the present invention transmit the software encrypted by the host device 1 to the verification device 4. However, the present invention is not particularly limited to this, and a separate operator The software of the target device (field device 2 or 3) encrypted separately by the terminal device or the like based on the encryption key managed and held by the device is input to the verification device 4 via an input means (such as a dedicated interface) not shown. It may be input. According to this method, it is possible to eliminate the influence of the communication path failure caused by the FF-H1 bus 100, which is effective in that normal software can be more reliably input to the verification device.

<Other Example 3>
The verification apparatus according to the present invention and the field device software update system using the verification apparatus verify the validity of the software using the encryption key and the decryption key. For example, a secret key cryptosystem is introduced. It may be realized.
Specifically, the storage unit of the verification device 4 and the storage unit of the host device 1 store a common encryption key (secret key) in advance.

  The host device 1 encrypts and transmits the software for the field device 2 or 3 based on the common encryption key. The validity determination means 41 of the verification device 4 decrypts the encrypted software from the host device 1 using a common encryption key and determines the validity.

Since the common encryption key stored in the verification device 4 and the host device 1 is not disclosed, the unconfirmed device cannot encrypt the software based on this encryption key. Therefore, even if a third party transmits some data to the verification device 4 using an unconfirmed device, the verification device 4 is not encrypted because the transmitted data is not encrypted. It is determined that there is no justification.
For this reason, the verification apparatus of this invention and the field apparatus software update system using the same can prevent the software update which the operator does not intend by the unconfirmed apparatus.

<Other Example 4>
The verification device according to the present invention and the field device software update system using the verification device add a network interface that can be connected to a general-purpose network such as the Internet to the verification device 4, thereby It may be one that enables verification.

  FIG. 4 is a configuration diagram of the field device software update system when another network interface is added to the verification apparatus according to FIG. 1, and the same reference numerals are given to portions common to FIG. 1 and description thereof is omitted as appropriate.

  In FIG. 4, the verification device 4 includes a network interface 46, is connected to a general-purpose network 200 such as the Internet via the network interface 46, and is connected to a verification information management server via the network 200.

  The verification information management server stores storage information for verifying pre-calculated software to be updated (CRC, hash, etc.) and software information (ID, revision, etc.) input via the network And a calculation control means for transmitting the data including the verification information to the verification device 4 via a communication means (not shown).

  The calculation control means of the verification information management server can access these verification information by a unique address that can be generated from software information (ID, revision, etc.), and the verification information corresponding to this address can be sent via the network. It may provide an Internet site to be provided.

  The normality determination means 42 of the verification device 4 transmits data including software information (ID, revision, etc.) from the host device 1 to the verification information management server via the network, and verifies the software acquired from the verification information management server. Determine whether software is normal or abnormal based on the information.

  The normality determination means 42 of the verification device 4 generates an address or the like from software information (ID, revision, etc.), controls the communication means, acquires software verification information via the network based on this address, and normalizes the software -What determines an abnormality may be used.

  With such a configuration, the verification apparatus of the present invention and the field device software update system using the same acquire software verification information via the network and determine whether the software is normal or abnormal. For example, the following operations (2-1) to (2-6) are performed.

(2-1) The host device 1 transmits the software for the field device 2 encrypted based on the encryption key stored in the storage unit to the verification device 4.
(2-2) The verification device 4 receives the encrypted software data from the host device 1 via the FF-H1 bus 100 and stores it in the storage means.

  (2-3) The validity determination unit 41 of the verification device 4 decrypts the received data and verifies the decrypted software. If it is determined that the software is intended by the operator, the operation proceeds to (3-4). If it is determined to be incorrect, the subsequent processing is not executed.

  (2-4) The normality determination unit 42 of the authentication device 4 transmits data including the received software information (ID, revision, etc.) to the verification information management server via the network.

(2-5) The verification information management server sends data including software verification information that matches the software information (ID, revision) received via the network stored in the storage unit via a communication unit (not shown). It transmits to the verification device 4.
The authentication device 4 generates an Internet site address from the received software information (ID, revision, etc.), accesses the Internet site provided by the verification information management server based on the generated address, and posts it there. The verification information may be acquired.

  (2-6) The normality determination means 42 of the authentication device 4 collates the unique information of the software acquired from the Internet site with the unique information of the software received from the host device 1, and can determine that the verification has passed if they match. .

  As a result, the verification apparatus of the present invention and the field device software update system using the same can acquire software verification information via the network and determine whether the software is normal or abnormal. It is effective in that the update can be prevented.

<Other Example 5>
In addition, the verification device according to the present invention and the field device software update system using the verification device 4 may include an external communication interface that allows the verification device 4 to communicate with the outside by infrared communication or the like in addition to the communication means. In this case, processing for transmitting software to the verification device 4 via the FF-H1 bus may be unnecessary. In this case, the field device software update system performs, for example, the following operation.

  In particular, the terminal device (not shown) uses the software of the target device (field device 2 or 3) encrypted separately by the terminal device or the like based on the encryption key separately managed and held by the operator, on the network and the verification device 4. Input via an external communication interface (such as a dedicated interface).

  The arithmetic control means of the verification device 4 stores the data including the encrypted software received via the external communication interface in the storage means.

  The validity determination unit 41 and the normality determination unit 42 of the authentication device 4 decrypt and verify the input software, and if the verification is passed, the software is transmitted to the designated field device (target device).

  As a result, if the data can be decoded, it can be confirmed that the software is intended to be transmitted to the field device by the operator, and it can be confirmed that the software operates correctly by the verification, which is effective in ensuring safety. is there.

<Other Example 6>
In addition, the verification device according to the present invention and the field device software update system using the verification device temporarily prepare the software downloaded to the verification device 4 by providing a virtual software execution environment inside the verification device 4. It may be executed.

  Specifically, the arithmetic control unit of the verification device 4 may execute software received from the host device 1 or the like, decrypted and verified by the validity determination unit 41 and the normality determination unit 42, and passed the verification.

  In this case, the authentication device 4 operates as a virtual field device and communicates with the field device connected to the FF-H1 bus 100.

  The host device 1 may transmit an execution request signal for requesting the verification device 4 to execute the software via the FF-H1 bus 100, and the verification device 4 may execute the software when receiving the execution request signal.

  Thereby, even if a field device for operating software is not connected to the FF-H1 bus 100, it is possible to operate the device virtually.

  As described above, the verification device according to the present invention and the field device software update system using the verification device field the software for which the validity is ensured among the encrypted field device software received via the network. A verification device that transmits to the field device via a bus, and that the software is valid if the software can be decrypted based on the decryption key stored in advance in the storage means and the decryption key Validity is ensured by including a legitimacy judging means for judging and software sending means for sending the software judged to be legitimate via the fieldbus to the field device in a decrypted state, Only normal software can be updated, so field devices It is not possible to abnormal operation caused by updates, it can contribute to improve the stability of the overall control system (FF-H1 bus).

(Additional item 1)
4. The verification apparatus according to claim 3, wherein the normality determining unit determines that the software is normal when there is predetermined data at a specific location in the software.
(Appendix 2)
The normality determining means determines that the software is normal when the hash value calculated based on the encrypted software matches the hash value of the software received together with the encrypted software. The verification device according to claim 3.

DESCRIPTION OF SYMBOLS 1 Host apparatus 2, 3 Field apparatus 4 Verification apparatus 41 Validity determination means 42 Normality determination means 43 Storage means 44 Communication means 45 Software transmission means 46 Network interface 50 Unconfirmed apparatus 100 FF-H1 bus

Claims (6)

Among the software for field devices received and encrypted via the network, the verification device transmits the software with the ensured validity to the field devices via the field bus,
Storage means for storing a decryption key in advance;
If the software can be decrypted based on the decryption key, legitimacy judging means for judging that the software is legitimate,
A verification apparatus comprising: a software transmission unit configured to transmit the software determined to be valid to the field device via the field bus in a decrypted state. Among the software for field devices encrypted by the host device received via the field bus, the verification device transmits the guaranteed software to the field device via the field bus,
Storage means for storing in advance a decryption key corresponding to the encryption key held by the host device;
If the software can be decrypted based on the decryption key, legitimacy judging means for judging that the software is legitimate,
A verification apparatus comprising: a software transmission unit configured to transmit the software determined to be valid to the field device via the field bus in a decrypted state. A normal determination means for determining whether the software determined to be valid is normal;
3. The verification apparatus according to claim 1, wherein the software transmission unit transmits the software determined to be normal by the normality determination unit to the field device via the field bus. The normality determining means is
4. The verification apparatus according to claim 3, wherein if the format of the software determined to be valid is based on software specification information stored in advance, the software is determined to be normal. .   The verification apparatus according to claim 1, further comprising an external communication interface that receives the encrypted software. A verification device according to any one of claims 1 to 5;
A field device that acquires software via the fieldbus and updates the software to be executed;
A host device connected to the field device and the verification device via the field bus, and encrypting and transmitting the software to the verification device;
A field device software update system characterized by comprising:

Images