JP6138591B2 - Control system - Google Patents

Description

The present invention relates to a control system.

  In order to ensure the safe and stable operation of the control target equipment, it is required to diagnose the soundness of various functions in the control device and to detect the abnormality of the function in advance or at an early stage to take countermeasures.

As a background art related to this technical field, [Patent Document 1] describes a diagnosis for implementing a safe and accurate diagnosis by preventing a module malfunction or a diagnosis report error due to a test pattern in a shared bus diagnosis. A control technique is disclosed.

JP 2007-293678 A

  In particular, the control system in the social infrastructure field is closely related to the maintenance of social life, so if the security of the control device is violated by a malicious person, it can be operated while ensuring the safety of the controlled equipment. It is required to maintain as much as possible. Therefore, from the viewpoint of preventing damage expansion, the control system requires a defense function including a state change such as partial degeneration of the function, and is regularly performed to ensure that it operates correctly when necessary. Diagnosis is required.

  However, when performing functional diagnosis that actually changes the control state, it does not impair the operating state of the controlled equipment in normal times, and the control state before diagnosis is maintained after diagnosis. It is necessary.

  The configuration of the prior art (Patent Document 1) instructs diagnosis for other functions in the control process, and does not disclose a method for performing function diagnosis that involves changing the state of the control function itself.

An object of this invention is to provide the control system which can implement the functional diagnosis accompanying the change of a control state, maintaining the operating state of the control object equipment in normal times.

  In order to solve the above-described problems, the present invention provides a control function unit for controlling control target equipment, a control function unit capable of temporarily stopping control and inputting test data for diagnosing the soundness of control, and the control A storage unit capable of saving control data of the function unit, a diagnosis execution control unit for saving the control data to the storage unit and diagnosing the soundness of the control function unit, and an output unit capable of outputting the diagnosis result It is characterized by performing functional diagnosis.

  Furthermore, the present invention includes a diagnostic analysis unit that collects and analyzes responses of the control function unit in the control system, and the diagnostic analysis unit analyzes changes in the control command value for the control target equipment before and after the diagnosis. It is characterized by.

  The present invention further includes a state acquisition / setting unit that acquires and sets an internal state of the control function unit in the control system, and the diagnosis execution control unit acquires the state in order to monitor, save, or restore the control state. -It is connected to the setting unit, and the internal state of the control function unit can be acquired and set.

  Furthermore, the present invention is characterized in that the control system includes an alternative output generation unit for stabilizing the control output for the control target equipment, and a control output switching unit for switching an output source of the control output for the control target equipment. It is what.

  Furthermore, the present invention is characterized in that in the control system, the test data can be updated.

Furthermore, the present invention is characterized in that, in the control system, when the control is temporarily stopped, a stop state signal is output to the outside.

ADVANTAGE OF THE INVENTION According to this invention, the control system which can implement the function diagnosis accompanying the change of a control state can be provided, maintaining the operation state of controlled object equipment.

The figure which shows the example of whole structure of the control system which is 1st invention of this application. The figure explaining the operation | movement from the time of normal operation of the control system which is 1st invention of this application to the start of a diagnosis. The figure explaining operation | movement during diagnosis execution of the control system which is 1st invention of this application. The figure explaining operation | movement at the time of the completion of a diagnosis of the control system which is 1st invention of this application. The figure which shows the example of whole structure of the control system which is 2nd invention of this application. The figure explaining operation | movement from the time of normal operation of the control system which is 2nd invention of this application to the start of a diagnosis.

  Embodiments of the present invention will be described below with reference to the drawings.

  In this embodiment, a control system according to the first invention of the present application will be described.

<Configuration and function of each part>
FIG. 1 is an overall configuration diagram of a control system 1 in the present embodiment.

  The control device 10 is a device that calculates a control command value for the control target equipment 2 according to a control program (not shown), such as a control function unit 11 that executes the control program, and a degeneration of the control function when security is compromised. The protection function unit 12 that generates a protection command, the state acquisition / setting unit 13 that acquires and sets the internal state of the control function unit 11, and the responses of the protection function unit 12 and the control function unit 11 to the test data input at the time of diagnosis A diagnostic analysis unit 14 that collects and analyzes data, a control output switching unit 15 that switches an output source of control output for the control target equipment 2, and an alternative output generation unit 16 for stabilizing the control output for the control target equipment 2 To do.

  The function diagnosis device 20 is a device that inputs test data to the control device 10 when the control device 10 can stop control, and performs a soundness diagnosis of the protection function unit 12 in the control device 10. The diagnosis execution control unit 21 for monitoring the control state in the control device 10 and instructing the execution of diagnosis, and the diagnostic input generation for generating test data and inputting the test data to the control device 10 based on the command from the diagnosis execution control unit 21 Unit 22, a save memory 23 for saving the internal state of the control function unit 11, and a diagnosis result verification unit 24 that receives and verifies a diagnosis report generated by the control device 10 for the test data.

  The diagnosis execution apparatus 20 is connected to a management terminal 25 for setting / updating a test data generation pattern and monitoring / recording a diagnosis execution result.

  The control device 10 and the function diagnosis device 20 are connected to each other via the control network 30. The diagnosis execution control unit 21 is connected to the state acquisition / setting unit 13 in order to monitor / save / restore the control state of the control device 10 and can be configured to acquire / set the internal state of the control function unit 11. Is done. The connection means between the diagnosis execution control unit 21 and the state acquisition / setting unit 13 may use a dedicated line or the control network 30 described above.

  In addition, the diagnosis execution control unit 21 receives a control output switching command during diagnosis of the control device 10 and a diagnosis result connected to the control output switching unit 15 and the diagnosis analysis unit 14 in order to obtain an analysis result after the diagnosis is executed. Each is connected to the verification unit 24.

In addition, regarding the connection mode described above, various connection means for connecting an arbitrary number of control devices 10 to one function diagnosis device 20 may be configured.
<Overall operation>
Next, the overall operation will be described with reference to FIGS.

  FIG. 2 is a diagram for explaining the operation from the normal operation to the start of diagnosis in the present embodiment.

  The control function unit 11 calculates a control command value 100 by executing a control program at a predetermined control cycle such as 10 ms. At this time, the internal state of the control function unit 11 is also updated every control cycle by executing the control program. When the control system 1 is in a normal state, the control output switching unit 15 is connected to the control function unit 11 side, and the control command value 100 is output to the control target equipment 2.

  The diagnosis execution control unit 21 acquires the internal state of the control function unit 11 via the state acquisition / setting unit 13 for each control cycle, and determines whether the control device 10 can temporarily stop the control. For example, when the control target equipment 2 is a boiler, it is possible to determine that the control is stopped when the steam pressure has a sufficient margin with respect to the allowable upper and lower limit values and the flow rate fluctuation is small.

  When the diagnosis execution control unit 21 determines that the control can be temporarily stopped, the diagnosis execution control unit 21 stores the acquired internal state of the control function unit 11 in the save memory 23. Next, the diagnosis execution control unit 21 outputs an output switching command 200 to the control output switching unit 15 so as to connect to the alternative output generation unit 16. The output switching command 200 may be output to the outside of the control system 1 as a signal indicating that the diagnosis is being executed.

  FIG. 3 is a diagram for explaining an operation during execution of diagnosis in the present embodiment.

  The diagnostic execution control unit 21 instructs the diagnostic input generation unit 22 to generate test data after saving the internal state of the control unit 11 in the save memory 23. The diagnostic input generation unit 22 generates a series of test data 27 based on the test data generation pattern 26 and sends it to the control device 10. The test data generation pattern 26 is created according to the purpose of diagnosis and is set from the management terminal 25.

  For example, when diagnosing a defense function against a security breach with respect to the protection function unit 12, the test data generation pattern 26 is a known attack pattern (an intrusion code is sent to a specific communication port and placed on a memory, and Create an attack code that can be reproduced from the outside via an intrusion code.

  The test data 27 to be transmitted confirms that the protection function unit 12 operates properly by changing parameters such as the communication port number, intrusion code length, and address within a predetermined range based on the above attack pattern, for example. Generate as possible.

  The protection function unit 12 that has received the test data 27 recognizes this as an actual attack on the control input, and issues a predetermined protection output corresponding to the attack content, for example, a function degeneration command 101 for the control function unit 11. When the control function unit 11 receives the function degeneration command 101 and restricts a part of its own control function, the content of the control command value 100 calculated by the control function unit 11 also changes.

  The diagnosis analysis unit 14 analyzes the contents of the issued function degeneration command 101 and the change contents of the control command value 100 before and after the diagnosis, and transmits the result as a diagnosis report 102 to the diagnosis result verification unit 24. Note that the return means for the diagnosis report 102 may be a dedicated line or one using the control network 30.

  FIG. 4 is a diagram for explaining the operation when the diagnosis is completed in the present embodiment.

  The diagnostic result verification unit 24 compares the diagnostic report 102 received from the diagnostic analysis unit 14 with the expected value 201 of the diagnostic report for the transmitted test data 27 and shows the behavior expected by the protection function unit 12 and the control function unit 11. Verify whether or not The expected value 201 is generated by the diagnosis result verification unit 24 based on the test data 27 prior to verification.

  As a result of the verification of the diagnostic report 102, when a mismatch with the expected value 201 is detected, a function abnormality of the protection function unit 12 or the control function unit 11 is suspected, so an alarm signal is transmitted to the management terminal 25 and displayed. The operation staff is encouraged to take necessary actions to maintain the soundness of the control system 1.

  Subsequently, regardless of the verification result, the diagnosis result verification unit 24 provides the diagnosis execution date and time, the test data 27 used for the diagnosis, the internal state of the control function unit 11 saved in the save memory 23, the diagnosis The contents of the report 102 are output to the management terminal 25 as a diagnostic record 202, and further a diagnostic report verification completion notification 203 is issued to the diagnostic execution control unit 21.

  The diagnosis execution control unit 21 detects the internal state before the diagnosis execution of the control function unit 11 stored in the save memory 23 after detecting the diagnosis report verification completion notification 203 via the state acquisition / setting unit 13. 11 is restored, and the control state that may have been changed by the test data 27 is restored, then the output switching command 200 is canceled, and the control output switching unit 15 and the control function unit 11 are reconnected to continue control. Let

By the operation described above, the control system of the present embodiment performs the function diagnosis by retracting the internal state of the control function unit 11 when the control can be paused, and the internal state that is retracted after the diagnosis is performed. Is reset in the control function unit 11 to continue the control. Therefore, it is possible to execute the function diagnosis accompanied with the change of the control state while maintaining the control state.

  In this embodiment, a control system according to the second invention of the present application will be described.

<Configuration and function of each part>
FIG. 5 is an overall configuration diagram of the control system 1-2 in the present embodiment.
The control devices 10-2a and 10-2b have substantially the same configuration as the control device 10 in the first embodiment, and have a function of calculating a control command value for the control target equipment 2 according to a control program. However, the diagnosis execution unit 14 and the alternative output generation unit 16 in the control device 10 are omitted. The control output switching unit 15 is provided outside the control device and is connected to the outputs of the control function units 11 of the control devices 10-2a and 10-2b. With this configuration, the control devices 10-2a and 10-2b function as a standby redundant system. In this embodiment, it is assumed that the control device 10-2a is a main system (active system) and the control device 10-2b is a subordinate system (standby system).

  The function diagnosis apparatus 20-2 is the same as the function diagnosis apparatus 20 according to the first embodiment except the save memory 23. The function diagnostic device 20-2 may be built in the control devices 10-2a and 10-2b.

  In addition, the constituent elements without the suffix in the first embodiment and the constituent elements with the suffixes a and b added to the same number in the present embodiment have the same function.

<Overall operation>
The control devices 10-2a and 10-2b constitute a standby redundant system as described above. In either case, as in the first embodiment, the control function units 11a and 11b execute a control program at a predetermined control cycle to calculate a control command value 100. During normal operation, the control output switching unit 15 is configured to output a control command value from the control device 10-2a to the control target equipment 2.

  FIG. 6 is a diagram for explaining the operation up to the start of diagnosis in the control system of the present embodiment.

  When the diagnosis execution control unit 21-2 determines that the function diagnosis is necessary, for example, at every predetermined time, the diagnosis execution control unit 21-2 causes the internal state from the control device 10-2a to the control device 10-2b with respect to the state acquisition / setting units 13a and 13b. Instructs to save the state. The state acquisition / setting unit 13a acquires the internal state of the control function unit 11a and transmits it to the state acquisition / setting unit 13b. The state acquisition / setting unit 13b sets the received internal state in the control function unit 11b. Next, the diagnosis execution control unit 21 outputs an output switching command 200 to the control output switching unit 15 so as to connect to the control function unit 11b. According to the above procedure, the control output is switched to the slave side after the control states of the master and slave are strictly matched.

  Thereafter, as in the first embodiment, the test data is sent to the protection function unit 12a, and as a result, the diagnosis report 102 generated by the diagnosis analysis unit 14b is compared with the expected value by the diagnosis result verification unit 24, thereby providing the protection function. Verify soundness.

  After the diagnosis is completed, the diagnosis execution control unit 21-2 instructs the state acquisition / setting units 13a and 13b to restore the internal state from the control device 10-2b to the control device 10-2a. The state acquisition / setting unit 13b acquires the internal state of the control function unit 11b and transmits it to the state acquisition / setting unit 13a. The state acquisition / setting unit 13a sets the received internal state in the control function unit 11a. Next, the diagnosis execution control unit 21 outputs an output switching command 200 to the control output switching unit 15 so as to connect to the control function unit 11a.

  With the above operation, it is possible to take over the control state of the master controller at the start of diagnosis by the slave controller and perform the function diagnosis of the master controller without stopping the control of the controlled equipment 2 as a whole. It becomes.

  In addition, this invention is not limited to an above-described Example, Various modifications are included. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described.

Further, a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Further, it is possible to add, delete, and replace other configurations for a part of the configuration of each embodiment.
Each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit. Each of the above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by the processor. Information such as programs, tables, and files for realizing each function can be placed in a semiconductor memory, a recording device such as a hard disk, or a recording medium using magnetism or light.
Further, the control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.

DESCRIPTION OF SYMBOLS 1 Control system 2 Control object equipment 10 Control apparatus 11 Control function part 12 Protection function part 13 State acquisition and setting part 14 Diagnosis result analysis part 20 Function diagnosis apparatus 21 Diagnosis execution control part 22 Diagnosis input generation part 23 Saved memory 24 Diagnosis result verification Part 25 Management terminal 30 Control network

Claims (6)

In the control system that controls the equipment to be controlled,
A control function unit that can temporarily stop control and inputs test data for diagnosing the soundness of control;
A storage unit capable of saving control data of the control function unit;
A diagnosis execution control unit for evacuating the control data to the storage unit and diagnosing the soundness of the control function unit;
An output unit capable of outputting the diagnosis result ;
A state acquisition / setting unit for acquiring and setting the internal state of the control function unit;
The diagnosis execution control unit is connected to the state acquisition / setting unit and acquires / sets the internal state of the control function unit in order to monitor / save / restore the control state .
The control system of claim 1,
The test data input to the control function unit and the control command value output from the control function unit are collected, the change contents of the control command value corresponding to before and after the input of the test data are extracted, and the extraction A control system, comprising: a diagnostic analysis / verification unit that compares the change contents of the control command value with a predetermined expected value corresponding to the test data .
The control system of claim 1,
An alternative output generation unit for stabilizing the control output for the equipment to be controlled;
A control system comprising: a control output switching unit that switches an output source of control output for the equipment to be controlled.
The control system of claim 1,
A control system characterized in that the test data can be updated.
The control system of claim 1,
A control system that outputs a stop state signal to the outside when control is temporarily stopped.
The control system according to any one of claims 1 to 5 ,
A control system comprising a main control function unit and a subordinate control function unit, wherein control data of the main control function unit is saved to the subordinate control function unit.