JP6197014B2 - Approval control method, approval control system and approval control program for remote operation - Google Patents

Description

  The present invention relates to control of approval regarding remote operation.

  A configuration for obtaining approval by a specific approver is known for remote operation of a device via a communication network. For example, when performing a remote maintenance operation on a factory production line or the like, it is possible to perform an approval process by communicating with a computer used by an approver. An example of such a configuration is described in Patent Document 1.

Japanese Patent Laid-Open No. 2005-100087

  However, the conventional system has a problem that the approval condition for the remote operation cannot be defined flexibly.

  For example, in the system of Patent Document 1, approval authority is concentrated on only one approver, and the authority cannot be distributed to a plurality of persons.

  The present invention has been made in order to solve such problems, and provides an approval control method, an approval control system, and an approval control program that can more flexibly define approval conditions for remote operation. Objective.

To solve the problems described above, according to the present invention, admission control method is related to the remote operation, the computer executes,
Receiving an approval request notification related to the remote operation;
Receiving a request video relating to the remote operation from an operator terminal ;
Transmitting an approval request notification related to the remote operation to a plurality of approver terminals;
Transmitting the request video to a plurality of approver terminals;
Receiving an approval notification or non-approval notification from each approver terminal;
A permission step of permitting the remote operation by the operator terminal, on condition that the number of approver terminals is equal to or greater than a terminal number threshold and the number of approval notifications is equal to or greater than an approval number threshold;
Is provided.
The non-approval notification may be a prohibition notification or a non-prohibition notification,
The method may further include a step of prohibiting the remote operation when at least one of the prohibition notifications is received.
The approval request notification includes operation identification information that identifies the content of the remote operation,
The method may further include a step of determining the terminal number threshold or the approval number threshold according to the operation identification information.
The approval request notification includes terminal identification information that identifies the operator terminal,
The method may further include the step of determining the terminal number threshold or the approval number threshold according to the terminal identification information.
Receiving an operation video representing the operation content of the remote operation after executing the permission step;
Transmitting the operation video to the approver terminal;
After executing the permission step, the remote operation by the operator terminal is prohibited when the number of approver terminals is less than the terminal number threshold or when the number of approval notifications is less than the approval number threshold. And the step of performing.
The approver terminal can be a first level approver terminal or a second level approver terminal,
The permission step includes:
-The number of first level approver terminals is greater than or equal to a first level terminal count threshold;
-The number of approval notifications received from the first level approver terminal is greater than or equal to a first level approval number threshold;
-The number of second level approver terminals is greater than or equal to the second level terminal number threshold; and-the number of approval notifications received from the second level approver terminal is greater than or equal to the second level approval number threshold. This may be a permission step for permitting the remote operation by the operator terminal.
The approval control system according to the present invention executes the above-described method.
The approval control program according to the present invention causes a computer to execute the above-described method.

  According to the approval control method, the approval control system, and the approval control program according to the present invention, by setting threshold values for the number of approver terminals and the number of approval notifications, the approval conditions for remote operation can be more flexibly defined. Can do.

It is a figure which shows the example of a structure containing the approval control system which concerns on Embodiment 1 of this invention. It is a figure which shows the example of a structure of the approval control apparatus of FIG. It is a figure which shows the example of a structure of the approval condition data which concern on Embodiment 1. FIG. It is a figure which shows the example of the TV conference screen displayed on the TV conference participation terminal of FIG. It is a part of flowchart explaining the flow of processing by the approval control system etc. of FIG. It is a part of flowchart explaining the flow of processing by the approval control system etc. of FIG. It is a part of flowchart explaining the flow of processing by the approval control system etc. of FIG. It is a figure which shows the example of the reply input screen displayed on the approver terminal of FIG. It is a figure which shows the example of a structure of the approval condition data which concern on Embodiment 2. FIG. It is a figure which shows the example of a structure of the approval authority level data which concern on Embodiment 2. FIG.

Embodiments of the present invention will be described below with reference to the accompanying drawings.
Embodiment 1 FIG.
FIG. 1 shows an example of a configuration including an approval control system 10 according to Embodiment 1 of the present invention. The approval control system 10 includes a TV conference device 11 and an approval control device 12, and executes an approval control method related to remote operation as described below.

  In this specification, “remote operation” refers to an operation performed remotely (that is, remotely or via a communication network). The operation is, for example, a maintenance operation of the device or the like, but may be another operation (operation related to control, management, etc.).

  The TV conference is, for example, a video (still image or moving image, audio may be included) between a plurality of computers (TV conference participation terminals) participating in the TV conference via the TV conference device 11. The same applies hereinafter. ) To realize or support communication between users using each computer. The TV conference participation terminal is a computer that transmits / receives or plays back such video, and includes one or more operator terminals 20 and a plurality of approver terminals 30. The operator terminal 20 and each approver terminal 30 are all geographically distributed, for example, but are not limited to such a configuration.

  The operator terminal 20 is a computer for performing a remote operation on one or more devices to be controlled (in the example of FIG. 1, a factory production line 41 or the like). The remote operation is performed via the production line control system 40. For example, a maintenance person in charge of the production line 41 can perform a desired operation on the production line 41 by performing an appropriate operation on the operator terminal 20 and transmitting a request to the production line control system 40. It is configured to be able to.

  A camera 21 is connected to the operator terminal 20. The camera 21 has a function of capturing a video in response to an operation and transmitting it to the operator terminal 20. The maintenance staff can take a picture of performing maintenance work on the operator terminal 20 with the camera 21 and obtain it as video data. The camera 21 may be integrated with the operator terminal 20, and in this case, the operator terminal 20 may be a tablet smart device.

  The approver terminal 30 is a computer for performing processing for giving approval for remote operation on the production line 41. For example, when there are a plurality of approvers for remote operation on the production line 41, one approver terminal 30 can be provided for each approver. As will be described later with reference to FIG. 8 and the like, the approver can permit or prohibit remote operation of the production line 41 from the operator terminal 20 by performing an appropriate operation on the approver terminal 30. .

  The approval control system 10, the operator terminal 20, the approver terminal 30, and the production line control system 40 are all connected to the communication network C and can communicate with each other via the communication network C. The communication network C is, for example, the Internet, but may be another communication network.

  In FIG. 2, the example of a structure of the approval control apparatus 12 which comprises some approval control systems 10 is shown. The approval control device 12 includes a configuration as a computer, and includes a calculation unit 50 that performs a calculation and a storage unit 51 that stores information. Although not particularly shown, the apparatus includes an input unit that receives a user's operation, an output unit that outputs information, and a communication unit that inputs and outputs information to an external communication network.

  Arithmetic means 50 includes, for example, a CPU (central processing unit), and storage means 51 includes, for example, a storage medium such as a semiconductor memory and an HDD (hard disk drive). The input means includes, for example, a keyboard and a mouse. The output means includes, for example, a liquid crystal display, a speaker, and a printer. The communication means includes, for example, a network interface device or a wireless interface device.

  The storage unit 51 of the approval control device 12 stores approval condition data 52. The storage unit 51 stores an approval control program (not shown). This approval control program causes the computer to function as the approval control device 12 by causing the computer to execute the method described in this specification. That is, the approval control device 12 implements the functions described in the present specification by the calculation means 50 executing this approval control program.

  Similarly, the TV conference apparatus 11, the operator terminal 20, the approver terminal 30, and the production line control system 40 include a configuration as a computer. The storage means of the TV conference device 11, the operator terminal 20, the approver terminal 30, and the production line control system 40 is a computer that uses the TV conference device 11, the operator terminal 20, the approver terminal 30, and the production line control system 40, respectively. Stores the program that functions as When the computing means of each computer executes the respective programs, the TV conference device 11, the operator terminal 20, the approver terminal 30, and the production line control system 40 realize the functions described in this specification. These programs may constitute a part of the approval control program or may be independent programs that cooperate with the approval control program.

  FIG. 3 shows an example of the configuration of the approval condition data 52. The approval condition data 52 associates an approval condition necessary for executing the operation with respect to each remote operation (approval target operation) to be approved. The approval target operation is represented, for example, by a set of operator terminal identification information that identifies the operator terminal 20 and operation identification information that identifies the content of the remote operation to be executed.

  The operation terminal identification information is, for example, a user name of a maintenance person who uses the operator terminal 20. In the example of FIG. 1, all maintenance staff may be configured to share the same operator terminal 20, and in that case, the user name may be specified by a login process or the like. A plurality of operator terminals 20 may be provided. In that case, operator terminal identification information may be set for each operator terminal 20, or a user name may be specified by a login process or the like.

  The operation identification information represents a remote operation for the production line control system 40 or the production line 41. Examples of remote operations include a login process for the production line control system 40 or the production line 41, a process for displaying an interface screen used for an operation for the production line 41 on the operator terminal 20, a process for executing a specific operation for the production line 41, A process for starting a specific operation on the production line 41, a process for stopping a specific operation on the production line 41, and the like.

  The approval condition is represented by a set of a required number of approver terminals and a required number of approval notifications. “Number of approver terminals” refers to, for example, the number of approver terminals 30 participating in a TV conference related to an approval process for a certain remote operation. This number can be measured, for example, as the number of approver terminals 30 to which the video conference apparatus 11 is transmitting video related to the video conference, but the standard for measuring this may be arbitrarily designed by those skilled in the art. “Necessary approver terminal number” refers to the minimum threshold value of the number of approver terminals required for permitting a certain remote operation. In the example of FIG. 3, in order for the user A to log in to the production line control system 40, it is necessary that at least five approver terminals 30 participate in the TV conference.

  The number of approval notifications refers to, for example, the number of approval notifications received from the approver terminal 30 by the approval control device 12 for a certain remote operation (or the number of approval notifications that have not been canceled after being received). The “necessary number of approval notifications” refers to the minimum threshold value of the number of approval notifications required for permitting a certain remote operation. In the example of FIG. 3, in order for the user A to log in to the production line control system 40, at least three approver terminals 30 need to transmit an approval notification to the approval control device 12.

  Hereinafter, the number of approver terminals (terminal number threshold) necessary for permitting remote operation is represented by a variable N, and the number of approval notifications necessary (approval number threshold) is represented by a variable M. As described above, in order to allow each remote operation, it is necessary to receive an approval notification from M of N approval terminals. This can be expressed as “MofN” authentication.

  FIG. 4 shows an example of the TV conference screen I1 displayed on each TV conference participation terminal (including the operator terminal 20 and the approver terminal 30) in association with the TV conference. The video conference screen I1 displays the video I2. In this example, the video I2 is a moving image of a maintenance person photographed by the camera 21. The video conference screen I1 may display other videos I3 to I7.

  In this example, the operator terminal 20 and the three approver terminals 30 participate in the TV conference, the video I2 is a video from the operator terminal 20, and the videos I3 to I5 are from each approver terminal 30. It is a picture. The TV conference screen I1 may display video from a computer or a camera other than the TV conference participation terminals (the operator terminal 20 and the approver terminal 30). In the example of FIG. 4, the video I6 is a video shot by a camera in the factory, and the video I7 is a monitor screen generated by a control system (for example, the production line 41) in the factory. The video I7 may be transmitted from the production line control system 40.

  This TV conference may be started in any way, but for example, a maintenance person can hold it as necessary. For example, when maintenance by remote operation is required for the production line 41, the maintenance person first specifies the operator terminal 20, all approver terminals 30 to participate in, and the start time. Make a reservation for a TV conference. When the reserved time comes, the TV conference device 11 starts a TV conference, and transmission / reception of images and the like is started among the operator terminal 20, the approver terminal 30, and the TV conference device 11.

The operation of the approval control system 10 configured as described above will be described below.
5 to 7 are flowcharts for explaining the flow of processing by the approval control system 10 and the like. It is assumed that a TV conference is started before this process is started, and the operator terminal 20 and a plurality of approver terminals 30 participate in the TV conference.

  The maintenance staff inputs an operation for starting a remote operation on the production line control system 40 or the production line 41 at the operator terminal 20. This operation includes, for example, input of operation identification information. In response to this input, the operator terminal 20 starts transmitting a request video to the TV conference device 11 (step S101).

  The expression “start transmission” corresponds to a case where the requested video includes a moving image. In this case, the requested video is continuously transmitted after step S101. When the requested video does not include a moving image and is composed of a still image, a process expressed as “send requested video” may be executed. In this case, transmission of the requested video is completed in step S101. May be. The same applies to the processing related to video transmission / reception.

  The request video means a video that is presented when requesting approval of a remote operation from an approver, for example, as will be described later. The specific content of the requested video may be anything, but may include, for example, a video of a maintenance person (face, upper body, hand at work, etc.) photographed by the camera 21.

  In addition, the timing which performs this step S101 can be changed arbitrarily, for example, may be started when the operator terminal 20 participates in the TV conference, or may be executed after step S204 described later. The request video may be transmitted / received independently of the video transmitted / received in association with the TV conference, or the video transmitted / received in association with the TV conference may be treated as the request video. When the video transmitted / received in relation to the TV conference is handled as the request video, it can be interpreted that step S101 is executed when the operator terminal 20 participates in the TV conference.

  In response to this, the TV conference device 11 starts receiving the requested video (step S401) and starts transmitting the requested video to each approver terminal 30 (step S402). In response to this, each approver terminal 30 starts receiving and displaying the request video (step S502). The video transmitted / received here does not need to be exactly the same as the video transmitted in step S101, but is at least partially matched. When only a part matches, the matching part may be defined as the requested video.

  Here, for example, each approver terminal 30 displays the TV conference screen I1 of FIG. This screen is displayed when, for example, the approver terminal 30 participates in the TV conference, but may be displayed for the first time in step S502.

  In this example, the video I2 is a moving image of the maintenance staff photographed by the camera 21, and the video I2 becomes the requested video at the time of execution of step S502. The TV conference screen I1 is displayed on each approver terminal 30 in step S502, but may be displayed on the operator terminal 20 or another computer in addition to this. The description of the transmission / reception processing of the images I3 to I7 is omitted, but may be performed in the same manner as a known TV conference, for example.

  The operator terminal 20 executes step S101 as described above in response to an input of an operation for starting a remote operation, and transmits an approval request notification related to the remote operation to the production line control system 40. (Step S103). The approval request notification includes operator terminal identification information and operation identification information as shown in FIG. In response, the production line control system 40 receives an approval request notification (step S203).

  Next, the production line control system 40 determines whether or not the manufacturing line control system 40 itself is an object of the approval process (step S204). This determination may be made in any way. For example, a flag or the like indicating whether or not the production line control system 40 is subject to approval processing is stored in advance in the storage means of the production line control system 40, and the determination may be made with reference to this flag or the like. Good.

  The process when the production line control system 40 itself is not the target of the approval process is not shown in FIGS. 5 to 7, but for example, a process for permitting the operator terminal 20 to perform a remote operation may be executed. “Permit remote operation” may be interpreted with the same meaning as in the past. Alternatively, for example, an operation instruction that is input at the operator terminal 20 and transmitted to the production line control system 40 may be executed in the production line control system 40 or in the production line 41. When the remote operation is permitted, the production line control system 40 may transmit a permission notice indicating that the remote operation is permitted to the operator terminal 20, and the operator terminal 20 receives and displays the notification. Also good.

  If the production line control system 40 itself is the target of the approval process, the production line control system 40 does not permit remote operation at the time of step S204, and transmits an approval request notification to the approval control device 12 (step S205). . This approval request notification includes operator terminal identification information and operation identification information as shown in FIG. 3 in the same manner as that received in step S203. In response to this, the approval control device 12 receives an approval request notification (step S305).

  Next, the approval control device 12 acquires an approval condition corresponding to the approval request notification (step S306). This is performed, for example, by searching the approval condition data 52 based on the operator terminal identification information and the operation identification information included in the approval request notification. Here, it can be said that the approval control device 12 determines the terminal number threshold value (N) and the approval number threshold value (M) related to MofN authentication according to the operator terminal identification information and the operation identification information.

  Next, the approval control device 12 acquires the number of approver terminals. In this process, for example, the approval control device 12 inquires the TV conference device 11 about the number of approver terminals 30 participating in the TV conference (step S307), and the TV conference device 11 answers this (step S407). Is realized. The acquisition of the number of approver terminals may be performed at a timing other than this, or may be performed by a method other than this. For example, the TV conference device 11 may periodically notify the approval control device 12 of the number of approver terminals regardless of receiving the approval request notification.

  Next, the approval control device 12 determines whether or not the number of approver terminals is equal to or greater than the terminal number threshold (N) based on the approval conditions (step S308). For example, in the case of “XX operation execution” shown in FIG. 3, it is determined whether four or more approver terminals 30 are participating in the TV conference.

  If the number of approver terminals is less than the terminal number threshold (N), the approval control device 12 ends the process without permitting the operator terminal 20 to perform a remote operation (step S309). In this case, the approval control device 12 may execute processing for prohibiting remote operation of the operator terminal 20.

  The process of prohibiting remote operation may include, for example, a process of transmitting a prohibition notification to the operator terminal 20. The operator terminal 20 may display a screen indicating that the remote operation is not permitted in response to receiving the prohibition notification. This screen may include a message indicating that remote operation is not permitted or the number of approver terminals is insufficient. Further, the processing for prohibiting remote operation may include making an operation instruction input at the operator terminal 20 and transmitted to the production line control system 40 impossible to execute at the production line control system 40 or at the production line 41. Good.

  If the number of approver terminals is greater than or equal to the terminal number threshold (N) in step S308, the approval control device 12 transmits an approval request notification to all approver terminals 30 participating in the TV conference. (Step S310). This approval request notification includes operator terminal identification information and operation identification information as shown in FIG. 3 in the same manner as that received in step S305. In response, each approver terminal 30 receives an approval request notification (step S510). Next, as shown in FIG. 6, the approver terminal 30 receives an input of a response to the approval request notification (step S511).

  FIG. 8 shows an example of an answer input screen R1 displayed on each approver terminal 30 in relation to step S511. As in this example, the approver terminal 30 may display a character string (“user A”) corresponding to the operator terminal identification information and a character string (“ΔΔ operation”) corresponding to the operation identification information. .

  Here, the approver terminal 30 selectively accepts “approval”, “rejection”, or “prohibition” as an answer to the approval request notification. In the example of FIG. 8, this is realized by an answer selection process by operating a radio button and an answer confirmation process by operating a decision button. “Rejected” and “prohibited” both indicate non-approval. Also, “approval” and “rejection” can be interpreted as non-deterministic responses, that is, “non-prohibited” that remote operation may be permitted depending on the responses of other approvers, "Can be interpreted as a decisive disapproval that remote operation is not permitted regardless of the responses of other approvers.

  Here, since the approver can select an answer while viewing the request video displayed in step S502, it is easy to appropriately determine the answer. For example, if the request video includes the face, upper body, hand, etc. of the maintenance staff, it becomes difficult for a malicious person to impersonate the maintenance staff and perform unauthorized access. In addition, when the request video is configured to include sound, not only the person in charge of maintenance is a legitimate person in charge but also the necessity of remote operation should be confirmed by explanations by voice of the person in charge of maintenance. Can do.

  In the example of FIG. 8, the answer input screen R1 includes a cancel button in addition to the enter button. The processing when the cancel button is operated can be appropriately designed by those skilled in the art. For example, the approval control device 12 may delete the display of the answer input screen R1 and stop inputting the answer. Further, the answer input screen R1 may not include a cancel button.

  When receiving the input of the answer, the approval control apparatus 12 transmits an answer notification to the approval control apparatus 12 (step S512). The response notification includes different information depending on the content of the response. If the answer is "approved", the answer notice is an approval notice, if the answer is "rejected", the answer notice is a rejection notice, and if the answer is "prohibited", the answer The notification is a prohibition notification. It can be said that both the approval notification and the rejection notification are non-prohibition notifications, and that both the rejection notification and the prohibition notification are non-approval notifications.

  After executing step S512, the approver terminal 30 returns the process to step S511 and accepts an input of a reply. For example, the answer input screen R1 shown in FIG. 8 is continuously displayed without being erased so that a new answer can be input. Thereby, the approver can correct the answer once inputted later.

  The approval control device 12 receives this answer notification (step S312). Next, the approval control device 12 performs approval determination based on the answer notification (step S313). This step S313 may be executed every time an answer notification is received from the approver terminal 30.

  FIG. 7 shows details of step S313. In step S313, the approval control device 12 first determines whether or not a prohibition notification has been received (step S3131). If the prohibition notification has been received from any of the approver terminals 30, the approval control device 12 prohibits the operator terminal 20 from performing a remote operation (step S3132). That is, it can be said that the approval control device 12 prohibits the remote operation when receiving at least one prohibition notification.

  The process of prohibiting remote operation may include, for example, a process of transmitting a prohibition notification to the operator terminal 20. The operator terminal 20 may display a screen indicating that the remote operation is not permitted in response to receiving the prohibition notification. This screen may include a message indicating that remote operation has not been permitted or a prohibition notification has been transmitted. Further, the processing for prohibiting remote operation may include making an operation instruction input at the operator terminal 20 and transmitted to the production line control system 40 impossible to execute at the production line control system 40 or at the production line 41. Good.

  If no prohibition notification is received from any approver terminal 30, the approval control device 12 determines whether the number of approval notifications is equal to or greater than the approval number threshold (M) based on the approval conditions. (Step S3133). For example, in the case of “XX operation execution” shown in FIG. 3, it is determined whether or not an approval notification is received from three or more approver terminals 30.

  If the number of approval notifications is less than the approval number threshold (M), the approval control device 12 does not permit the remote operation to the operator terminal 20 or prohibits the remote operation (step S3134). The process of prohibiting remote operation may include, for example, a process of transmitting a prohibition notification to the operator terminal 20. Further, in response to receiving the prohibition notification, the operator terminal 20 may display a screen indicating that the remote operation is not permitted (or not permitted at the present time). This screen shows that remote operation was not permitted (or not permitted at this time), the number of approval notifications received so far, the approval number threshold (M), and the number of approval notifications are insufficient , Etc. may be included. Further, the processing for prohibiting remote operation may include making an operation instruction input at the operator terminal 20 and transmitted to the production line control system 40 impossible to execute at the production line control system 40 or at the production line 41. Good.

  If the number of approval notifications is greater than or equal to the approval number threshold (M) in step S3133, the approval control device 12 ends the approval determination and transmits an approval notification to the manufacturing line control system 40 (step S314, permission). Step). In this way, MofN authentication is realized.

  Note that the process of step S3134 may be executed not when the number of approval notifications is less than the approval number threshold (M) but when the number of rejection notifications exceeds the allowable range. The upper limit of the allowable range is, for example, a value obtained by subtracting the approval number threshold (M) from the terminal number threshold (N). That is, in step S3133, when the number of approval notifications is less than M and the number of rejection notifications is NM or less, the approval control device 12 ends the processing for the response notification and receives the next response notification (step S3133). You may wait for S312). In step S3133, step S3134 may be executed when the number of rejection notifications exceeds NM. Even in this case, the MofN authentication can be similarly realized.

  The approval notification transmitted in step S314 may include operator terminal identification information and operation identification information as shown in FIG. 3 in the same manner as that received in step S305, or the approval request notification received in step S305. The identification information to identify may be included.

  Here, considering the determinations of step S308 and step S3133 in combination, the approval control apparatus 12 has the number of approver terminals 30 equal to or greater than the terminal number threshold (N) and the number of approval notifications is the approval number threshold ( M) It can be said that the remote operation by the operator terminal 20 is permitted on the condition that it is above. In the present embodiment, this condition is a necessary condition and is not a sufficient condition. For example, when a prohibition notification is received in the determination in step S3131, remote control is performed regardless of the number of approver terminals 30 and approval notifications. Operation will be prohibited.

  Thus, since the terminal number threshold (N) and the approval number threshold (M) can be arbitrarily designated for each remote operation included in the approval condition data 52, the approval condition can be flexibly defined, and the SLA (Service Level Security settings according to (Agreement) etc. can be easily realized. For example, for important remote operations, remote operations that require strict security management, remote operations with high risk, etc., one or both of the terminal number threshold (N) and the approval number threshold (M) are set to a large value. By setting it, the security level can be set according to the type of remote operation.

  Even if the approval condition is satisfied, the remote operation is prohibited if there is only one approver who selects the prohibition, so that the safety of management is improved. For example, even if a malicious party conspires with multiple people and performs unauthorized approval in response to an unauthorized approval request notification, even one good-willed (authorized) approver participates in the TV conference. If so, unauthorized remote operation can be prohibited.

  After step S314, the production line control system 40 receives this approval notification (step S214). When receiving the approval notification, the production line control system 40 permits the remote operation by the operator terminal 20 and transmits an operation permission notification to the operator terminal 20 (step S215, permission step).

  The remote operation permission may be performed in the same manner as in the case where the production line control system 40 is not the target of the approval process in step S204, for example. Further, the operation permission notification may include operator terminal identification information and operation identification information as shown in FIG. 3 as in the approval request notification received in step S203, or the approval request notification received in step S203. The identification information to identify may be included.

  The operator terminal 20 receives this operation permission notification (step S115). The operator terminal 20 may display a screen indicating that the remote operation is permitted in response to receiving the operation permission notification. This screen may include a message indicating that remote operation is permitted.

  Next, the operator terminal 20 starts transmitting an operation video to the TV conference device 11 (step S116). The operation video means a video representing the operation content of the remote operation, and is used, for example, to transmit the actual content of the remote operation to the approver. The specific content of the operation image may be anything. For example, the image (face, upper body, hand, etc.) of the person in charge of maintenance taken by the camera 21 or the production line 41 to be remotely operated. May include a monitor screen or the like generated by.

  In response to this, the TV conference apparatus 11 starts receiving the operation video (step S416) and starts transmitting the operation video to each approver terminal 30 (step S417). In response to this, each approver terminal 30 starts receiving and displaying the operation video (step S517). The video transmitted / received here does not need to be exactly the same as the video transmitted in step S116, but is at least partially matched. When only a part matches, the matching part may be defined as an operation video. After step S517, the approver terminal returns the process to step S511.

  In this way, since the operation video is displayed on each of the plurality of approver terminals 30, the plurality of approvers can monitor the actual situation of the remote operation. In addition, since the operator terminal 20 and the approver terminal 30 both participate in the same TV conference, the approver communicates with the person in charge of maintenance by video, audio, etc. as necessary, and gives instructions and consultations. It can be carried out. In the example of FIG. 4, since the monitor screen generated by the control system in the factory (for example, the production line 41) is displayed as the video I7, the approver can also monitor the remote operation status using this monitor screen. Can do.

  Note that the operation video may be the same video (for example, video I2 in FIG. 4) as the request video (step S101 or the like). In this case, it can be said that this same image functions as a request image before step S215 and functions as an operation image after step S215. In this case, no special process is required when starting transmission / reception of the operation video, and transmission / reception of the operation video can be realized simply by continuing transmission / reception of the request video.

  After step S214 or step S215, the production line control system 40 receives and executes a remote operation from the operator terminal 20 (steps S118 and S218). That is, the maintenance person can operate the operator terminal 20 to execute a remote operation on the production line control system 40 or the production line 41.

  As described above, after the approver terminal 30 executes step S512, the process returns to step S511 to accept input of an answer, so that the approver can change the answer. When the answer is changed, step S512 is executed in response to the input of the changed answer, and the approval control device 12 receives a new answer notification and executes the approval judgment in step S313 again.

  The approval determination in step S313 is performed based on the latest answer notification received from each approver terminal 30. For example, when a prohibition notification is transmitted from a certain approver terminal 30, and then an approval notification is transmitted from the approver terminal 30, the previous prohibition notification is not considered in the determination in step S3131 (that is, the prohibition notification is withdrawn). Can be said).

  Further, when an approval notification is transmitted from an approver terminal 30 and then a rejection notification is transmitted from the approver terminal 30, the previous approval notification is not considered in the determination in step S3133 (that is, the approval notification is withdrawn). Can be said). Accordingly, even after the number of approvals is sufficient and step S314 and the subsequent steps are executed, the number of approvals may be insufficient again and remote operation may be prohibited. In such a case, the approval control apparatus 12 and the production line control system 40 perform the case where the number of the approver terminals 30 becomes less than the terminal number threshold (N) after executing Step 314 and Step S215, or the approval notification. It can be said that the remote operation by the operator terminal 20 is prohibited when the number is less than the approval number threshold (M). In this way, even if the inappropriate operation is performed even within the range of the approved remote operation, it becomes easy for the approver to immediately cancel the approval for the remote operation, and the safety is improved.

  If a non-prohibition notification (approval notification or rejection notification) is transmitted from a certain approver terminal 30, and then a prohibition notification is transmitted from the approver terminal 30, step S3132 is executed to prohibit remote operation. . In such a case, the approval control device 12 can prohibit remote operation when it receives at least one prohibition notification after executing step 314. As described above, it becomes easy for the approver to immediately prohibit the remote operation when an inappropriate operation is performed even within the range of the approved remote operation, and the safety is improved.

  Further, the number of approver terminals 30 may be updated at any time (for example, by periodically executing steps S307 and S407). In this case, the number of approver terminals 30 may be determined (step S308) in response to the number of approver terminals 30 being updated. In this way, the remote operation by the operator terminal 20 is performed when the approver terminal 30 leaves the TV conference after the remote operation is permitted and the number of the approver terminals 30 becomes less than the terminal number threshold (N). Can be prohibited.

  5 to 7 may be executed in parallel for a plurality of remote operations in the same TV conference. In this case, the request video and the operation video may use a common video for each remote operation. In this way, a plurality of remote operations can be sequentially approved in accordance with the progress of the maintenance work in the same TV conference.

  As described above, according to the approval control system 10 according to Embodiment 1 of the present invention, the terminal number threshold value and the approval number threshold value can be set for each remote operation, so that the approval conditions for the remote operation can be made more flexible. Can be defined.

  As conventional security measures for remote operation, it is conceivable to use a VPN (virtual private network), encrypt data using a digital signature, provide network connection authentication, and system login authentication. However, such conventional security measures have a risk of spoofing due to leakage of user information, etc., and are not necessarily effective for cases where a malicious person impersonates a maintenance person and gains unauthorized access. . On the other hand, according to the above-described approval control system 10, since approval by an approver other than the person in charge of maintenance is required, and it is possible to set a plurality of approvers, it is difficult to impersonate and safety is improved. Rise.

  Further, as a conventional security measure for remote operation, it is conceivable to perform permission switching for communication, operation, etc. by direct input operation to the control system body of the factory line. However, in such a configuration, when the factory line control system is provided in the restricted access area and entry of the approver is restricted, or when the approver is not close to the factory line control system, suddenly May not be able to handle remote maintenance in case of trouble. On the other hand, according to the above-described approval control system 10, the approver does not need to directly operate the production line control system 40 or the production line 41, and the approval is performed using the approver terminal 30 away from the factory. Therefore, the possibility of appropriately responding to sudden remote operation requests increases.

Embodiment 2. FIG.
In the second embodiment, the approval condition is configured by a plurality of levels in the first embodiment.
FIG. 9 shows an example of the configuration of the approval condition data in the second embodiment. In the second embodiment, the approval condition includes a plurality of levels (two levels in this example), and each level is represented by a set of a terminal number threshold value and an approval number threshold value. Moreover, it can be set as a 1st level approver terminal or a 2nd level approver terminal by giving a level to each approver terminal. For example, the first level approver terminal is an approver terminal used by a section manager staff, and the second level approver terminal is an approver terminal used by a department manager staff.

  In the second embodiment, the determination in step S3133 is executed for each of a plurality of levels, and remote operation is permitted only when approval conditions for all levels are satisfied. For example, in the example of FIG. 9, in order for the user A to execute the XX operation, at least four first level approver terminals and at least one second level approver terminal participate in the TV conference. In addition, at least three first level approver terminals and at least one second level approver terminal need to send an approval notification to the approval control device 12.

  Note that the second level approval condition may be omitted. In the example of FIG. 9, the second level approval condition is omitted for the login operation of the user A and the login operation of the user B. In this case, as in the first embodiment, remote operation is permitted if the first level approval condition is satisfied.

  In the second embodiment, considering the determinations in step S308 and step S3133 in combination, the approval control apparatus 12 has the number of first level approver terminals equal to or greater than the first level terminal number threshold (N1), and The number of approval notifications received from the first level approver terminal is equal to or greater than the first level approval number threshold (M1), and the number of second level approver terminals is equal to or greater than the second level terminal number threshold (N2). And the remote operation by the operator terminal 20 is permitted on the condition that the number of approval notifications received from the second level approver terminal is equal to or greater than the second level approval number threshold (M2). Can do.

  The level setting of each approver terminal may be implemented in any way, but can be implemented by defining approval authority level data as shown in FIG. 10, for example. In the example of FIG. 10, the approver terminal used by the user E, the approver terminal used by the user F, and the approver terminal used by the user G are all first-level approver terminals and used by the user H. The approver terminal that is the second level approver terminal. The approval authority level data can be stored in the storage means of the approval control device 12, for example.

  Moreover, the level of each approver terminal may be determined by an approver's operation (login processing or the like). For example, when the user E logs in to a certain approver terminal 30, the approver terminal 30 may be the first level approver terminal.

  As described above, according to the approval control system according to the second embodiment of the present invention, as in the first embodiment, the terminal number threshold and the approval number threshold can be set for each remote operation. Approval conditions for operations can be defined more flexibly.

  Furthermore, in the second embodiment, since the approval condition can be defined for each level, the approval condition for the remote operation can be defined more flexibly. For example, for important remote operations, remote operations that require strict security control, and remote operations that are highly dangerous, the second level approval conditions can be set appropriately to change the type of remote operation. The security level can be set accordingly.

  Note that the number of levels may be three or more. Further, the level does not need to represent a hierarchical relationship, and may be defined in any way as long as it corresponds to a different type of approver terminal.

In the first and second embodiments described above, the following modifications can be made.
Answer options that can be input at the approver terminal 30 may not include “prohibited”. That is, the answer options may be only “approval” and “rejection”. In such a configuration, it is necessary and sufficient for permitting remote operation that the number of approver terminals is greater than or equal to the terminal number threshold (N) and the number of approval notifications is greater than or equal to the approval number threshold (M). It can be said that it is a condition. In this case, the processes in steps S3131 and S3132 can be omitted.

  In Embodiments 1 and 2, both the terminal number threshold (N) and the approval number threshold (M) can be changed according to the operation identification information, but either one may be fixed. That is, the terminal number threshold (N) may be fixed and only the approval number threshold (M) may be determined according to the operation identification information, or the approval number threshold (M) may be fixed and the terminal number threshold (N) May be determined according to the operation identification information.

  The remote operation to be approved may be specified only by either the operator terminal identification information or the operation identification information, instead of the set of the terminal and the operation content as shown in FIGS.

  Processing related to the operation video may be omitted. For example, the TV conference may be ended when the remote operation is permitted. Even in this case, an appropriate approval process can be performed for the permission at the start of the remote operation.

  The request video and the operation video may be video transmitted from a computer other than the operator terminal 20. For example, the video I7 transmitted from the production line control system 40 may be a request video or an operation video.

  The video transmitted and received in the video conference can be arbitrarily designed. For example, in the example of FIG. 4, the images I3 to I5 from all the approver terminals 30 are displayed, but any or all of these may be omitted. Further, either or both of the images I6 and I7 may be omitted. Furthermore, other videos may be added.

  The unit of the component included in the approval control system can be arbitrarily designed. For example, in the first embodiment, the TV conference apparatus 11 and the approval control apparatus 12 are configured as separate computers, but they may be configured using the same computer.

  The scope of the approval control system can be arbitrarily defined. For example, in the first embodiment, the approval control system 10 does not include the approver terminal 30, but may include the approver terminal 30 as a modification.

  In the first embodiment, the approval control system 10 does not include the production line control system 40. In this case, the approval control system 10 receives an approval request notification from the production line control system 40 as shown in FIG. In this case, step S314 is a permission step, and the approval control system 10 permits the remote operation to the production line control system 40 in step S314. As a modification, in the first or second embodiment, the approval control system may include a production line control system 40. In this modification, it can be said that the approval control system directly receives an approval request notification from the operator terminal 20. In this modification, the approval control system permits the operator terminal 20 to perform a remote operation in step S215.

  10. Approval control system (11 TV conference device, 12 approval control device), 20 operator terminal, 30 approver terminal, I2 video (request video, operation video).

Claims (8)

It was about the remote operation, a authorization control method executed by a computer,
Receiving an approval request notification related to the remote operation;
Receiving a request video relating to the remote operation from an operator terminal ;
Transmitting an approval request notification related to the remote operation to a plurality of approver terminals;
Transmitting the request video to a plurality of approver terminals;
Receiving an approval notification or non-approval notification from each approver terminal;
A permission step of permitting the remote operation by the operator terminal, on condition that the number of approver terminals is equal to or greater than a terminal number threshold and the number of approval notifications is equal to or greater than an approval number threshold;
A method comprising: The non-approval notification may be a prohibition notification or a non-prohibition notification,
The method further comprises the step of prohibiting the remote operation when receiving at least one prohibition notification.
The method of claim 1. The approval request notification includes operation identification information that identifies the content of the remote operation,
The method further comprises the step of determining the terminal number threshold or the approval number threshold according to the operation identification information.
The method according to claim 1 or 2. The approval request notification includes terminal identification information that identifies the operator terminal,
The method further comprises determining the terminal number threshold or the approval number threshold according to the terminal identification information.
The method as described in any one of Claims 1-3. Receiving an operation video representing the operation content of the remote operation after executing the permission step;
Transmitting the operation video to the approver terminal;
After executing the permission step, the remote operation by the operator terminal is prohibited when the number of approver terminals is less than the terminal number threshold or when the number of approval notifications is less than the approval number threshold. And further comprising:
The method as described in any one of Claims 1-4. The approver terminal can be a first level approver terminal or a second level approver terminal,
The permission step includes
-The number of first level approver terminals is greater than or equal to a first level terminal count threshold;
-The number of approval notifications received from the first level approver terminal is greater than or equal to a first level approval number threshold;
-The number of second level approver terminals is greater than or equal to the second level terminal number threshold; and-the number of approval notifications received from the second level approver terminal is greater than or equal to the second level approval number threshold. This is a permission step for permitting the remote operation by the operator terminal as a necessary condition.
The method according to any one of claims 1 to 5.   The approval control system which performs the method as described in any one of Claims 1-6. The approval control program which makes the said computer perform the method as described in any one of Claims 1-6.

Images