JPWO2015037116A1 - Control device and control system - Google Patents

Abstract

An object of the present invention is to flexibly switch to an alternative system while suppressing the influence on an operating system. In order to solve the above problems, in the present invention, a communication control unit that acquires control information from a field device connected via a network, and a main program that monitors or controls the field device based on the acquired control information And a memory for storing setting information necessary for monitoring or control of the field device, and the arithmetic processing unit includes: The operation state is monitored and the operation state stored in the memory is sequentially updated, and the alternative program can be switched to the main program from the operation state in the memory and the setting information at a predetermined timing. And constructing and switching from the main program to the alternative program.

Description

  The present invention relates to a control system and a control program switching method.

  In field device monitoring and control, as a method to improve system reliability, the processing device (processor) that controls the control is duplicated, and the operating processor is made redundant and the processor that switches in the event of a failure is made redundant. There is a method to operate.

  As a method for preventing temporary interruption of service in such software update of a processor in a redundant system, for example, there is a technique disclosed in Patent Document 1.

  In Patent Document 1, a new version software is set by driving a software update unit for a standby processor, and the control state data of the active system is gradually reflected in the standby system. It is described that the standby processor is switched to the active system when all the data is reflected in the standby system.

Japanese Patent Laid-Open No. 2002-49502

  Here, in the switching method as described in Patent Document 1, it is necessary to construct and operate a standby system with the same hardware configuration as that of the active system so that the system can be switched to the active system. There was a problem of being inferior.

  It is an object of the present invention to provide a control system and a control program switching method capable of flexibly switching to an alternative system while suppressing the influence on an operating system.

  In order to solve the above problems, the present invention provides a communication control unit that acquires control information from a field device connected via a network, and a main system that performs monitoring control of the field device based on the acquired control information An arithmetic processing unit that executes a program; and an operation state of the main program, and a memory that stores setting information necessary for monitoring or controlling the field device, the arithmetic processing unit including the main program The operation state stored in the memory is sequentially updated, and the alternative program can be switched to the main program from the operation state in the memory and the setting information at a predetermined timing. And the monitoring control subject of the field device is switched from the main system program to the alternative system program.

In the present invention, it is possible to flexibly switch to an alternative system while suppressing the influence on the operating system.

It is the figure which showed an example of the structure of the control system in 1st Embodiment. It is the figure which showed an example of the structure of the control system in 1st Embodiment. It is the figure which showed an example of the detailed structure of the communication path switching part in 1st Embodiment. It is the figure which showed an example of the operation | movement switching process flow of the control apparatus in 1st Embodiment. It is the figure which showed an example of the error process of the control apparatus in 1st Embodiment. It is the figure which showed an example of the structure of the control system in 2nd Embodiment. It is the figure which showed an example of the structure of the control system in 2nd Embodiment. It is the figure which showed an example of the operation verification / switching process flow of the control apparatus in 2nd Embodiment. It is the figure which showed an example of the structure of the control system in 3rd Embodiment. It is the figure which showed an example of the structure of the control system in 3rd Embodiment. It is the figure which showed an example of the operation verification / switching process flow of the control apparatus in 3rd Embodiment.

  In the field of ICT (Information and Communication Technology), the use of cloud technologies and virtualization technologies represented by SDN (Software Defined Networking) is spreading. In the field of control systems, a technology for executing hardware processing by a conventional controller in a virtual environment such as a software PLC (Programmable Logic Controller) has become widespread. In the future, the fusion of both fields will progress further, and it is expected that technology to execute field device monitoring control from a virtual environment will become widespread.

  In the following embodiments, an example will be described in which a monitoring control program such as PLC (Programmable Logic Controller) and SCADA (Supervisory Control And Data Acquisition) is constructed by software, and field devices are monitored and controlled by these.

  Hereinafter, a mode for carrying out the present invention (hereinafter referred to as “the present embodiment”) will be described in detail with reference to the drawings as appropriate.

The contents described in the embodiments described below include control devices such as DCS (distributed control system) and PLC (Programmable Logic Controller) used for factory automation (FA) and process automation (PA), and SCADA ( It can be applied to control systems such as Supervisory Control And Data Acquisition.
(First embodiment)
FIG. 1 is a diagram illustrating an example of a configuration of a control system in the first embodiment. The control system according to the present embodiment includes a field device 4, a control device 1 that monitors and controls the field device, a network 2 that connects the control device 1 and the field device 4, and communication data between the control device 1 and the field device 4. It is comprised from the communication path switching part 3 to relay.

The control device 1 has a communication function with an arithmetic processing unit 100 that performs monitoring and control calculations using control information acquired from a field device, a storage unit 110 that stores various DBs (databases), and a network 2. And a communication control unit 120 that transmits and receives data to and from the field device. The arithmetic processing unit 100 transfers the program from the storage unit 110 to a main storage device (not shown) and executes the program. As a program to be executed, there are an operating system (hereinafter referred to as “OS”) and an application program operating on the OS.

  The arithmetic processing unit 100, the storage unit 110, and the communication control unit 120 are connected to each other via a bus (not shown). For example, a PCI bus, an ISA bus, a PCI Express bus, a system bus, and a memory bus are used as the bus. it can.

The storage unit 110 stores a communication path setting DB 9 and an information update DB 7. The arithmetic processing unit 100 includes an operation program 5-1, an alternative program 5-2, a state monitoring unit 6, an information update DB 7, and an operation switching unit 8. Execute.

  The operation program 5-1 is a program for executing monitoring and control of the field device 4, and is, for example, a software PLC or SCADA application. The substitute program 5-2 is a program having a function for executing monitoring and control of the field device 4 in place of the operation program 5-1, and, for example, a software PLC or SCADA application is used in the same manner as the operation program 5-1. is there.

  The state monitoring unit 6 has a function of acquiring the operation state, setting information, and control information of the operation program 5-1, and transmitting the acquired operation state to the information update DB 7. Here, the operation state is, for example, status information or diagnostic information indicating that the operation program 5-1 is starting, being processed, waiting, stopped, or abnormal. The setting information is, for example, configuration data necessary for monitoring and control of the field device 4, the type and version information of the operation program 5-1. The configuration data is, for example, address information of the field device 4, initial setting values for monitoring / control, calibration information, and the like. Further, the control information is sensor information, contact information, trend data, etc. acquired by the operation program 5-1 for monitoring and controlling the field device 4. The state monitoring unit 6 has a function for synchronizing the processing timing of the operation program 5-1 and the processing timing of the alternative program 5-2.

  The information update DB 7 stores the setting information and control information acquired by the state monitoring unit 6 and is updated to that information when new information is acquired. For storage of information, for example, a storage device such as a memory or a hard disk is used. In addition, the control information may be time-sequentially added with a time stamp, and the control information that has passed a predetermined storage period may be discarded and updated to the latest information sequentially.

  In the communication path setting DB 9, the alternative program 5-2 accesses the above-mentioned field device 4 from the information specifying the address information of the field device 4 that is monitored and controlled by the operation program 5-1 and the specified address information. The communication path and communication method (communication protocol) for storing the information are stored. As a means for acquiring information of the field device 4 that is monitored and controlled by the operation program 5-1, for example, a method of referring to the configuration data of the operation program 5-1 via the state monitoring unit 6 or the information update DB 7 There is.

  The operation switching unit 8 acquires the operation state, setting information, and control information of the operation program 5-1 from the information update DB 7, and acquires a communication path and a communication method for accessing the field device 4 from the communication path setting DB 9. Based on the acquired information, the operation method of the alternative program 5-2 is set, and the program for monitoring and controlling the field device 4 is switched from the operation program 5-1 to the alternative program 5-2. It has a function of setting the communication path of the switching unit 3 so that the alternative program 5-2 can access the target field device 4.

  The communication path switching unit 3 has a function of switching a communication path and a communication method for connecting the control device 1 and the field device 4 in accordance with an instruction from the operation switching unit 8. The communication path switching unit 3 can be realized by, for example, a combination of various gateways and switches, Open Flow technology, or the like. An implementation example of the communication path switching unit 3 will be described later.

  The field device 4 is a sensor, an actuator, or the like that is controlled according to an instruction from the control device 1, and is connected to the control device 1 via the network 2. Here, the number and types of field devices 4 actually handled by the control system are not limited to this example.

  Moreover, the control apparatus 1 may be comprised with hardware, such as PC, a server, and a controller, and may be comprised on virtual environments, such as a cloud system.

  FIG. 2 shows an example in which the operation program 5-1 and the alternative program 5-2 are mounted on separate hardware as applications to be executed on the OS.

  In this example, the control device 1A includes an operation program 5-1 and a state monitoring unit 6, and the control device 1B includes an alternative program 5-2, an operation switching unit 8, an operation switching unit 8, and an information update DB 7. The control device 1A and the control device 1B are connected via the network 20, and information from the state monitoring unit 6 is transmitted to the control device 1B via the network 20. Here, the network 20 may be a different type of network from the network 2 for connecting the control device and the field device, or may be the same type of network.

  When the control device 1 is built on a virtual environment such as a cloud system, the operation program 5-1, the alternative program 5-2, the state monitoring unit 6, and the operation switching unit 8 are each executed on the virtual system. Operates as a process. These execution processes may be implemented on the same hardware (server) and interconnected by internal inter-process communication, or may be implemented on different hardware and interconnected by a network connection such as Ethernet. Also good. Hereinafter, a case where the control device 1 is constructed on a virtual environment such as a cloud system will be described as an example. However, the present invention can be similarly implemented even when implemented on real hardware. FIG. 3 is a diagram for explaining the operation of the communication path switching unit 3. In FIG. 3, some components are omitted from the control system shown in FIG. The control device 1 shown in FIG. 3 has a communication interface 10A (communication IF10-A) for connecting to the network 2A as a communication control 120 using a communication method A (communication protocol A), and a network using a communication method B (communication protocol B). It is assumed that a communication interface 10B (communication IF 10-B) for connecting to 2B is provided.

  The field device 4A is connected to the network 2A by the communication method A, and similarly, the field device 4B and the field device 4C are connected to the network 2B and the network 2C by the communication method B and the communication method C, respectively.

  Further, communication between the network 2A and the network 2B is performed via a gateway 11 (communication method A⇔B) that can convert a protocol between the communication method A and the communication method B. Similarly, communication between the network 2A and the network 2C is performed via the gateway 11 (communication method A⇔C) that can convert the protocol between the communication method A and the communication method C. Further, it is assumed that the network 2 is configured to perform communication between the network 2B and the network 2C via the gateway 11 (communication method A 方式 B) and the gateway 11 (communication method A⇔C).

  In accordance with the information acquired from the communication path setting DB 9, the operation switching unit 8 controls the gateway 11 (communication method A⇔B) and the gateway 11 (communication method A⇔) according to the field device 4A to be monitored and controlled. Set the action of C). Here, the information transmission for setting the operation may use another communication path exclusively for control, or may be performed via the network 2A or the network 2B. When the control device 1 accesses the field device 4A by the communication IF 10-A or accesses the field device 4B by the communication IF 10-B, the communication route switching unit 3 is set to a route that does not pass through any gateway 11.

  On the other hand, when the field device 4B or the field device 4C is accessed by the communication IF 10-A, the communication path switching unit 3 passes through the gateway 11 (communication method A⇔B) or the gateway 11 (communication method A⇔C). Set the route. When the field device 4C is accessed by the communication IF 10-B, the communication path switching unit 3 passes through the gateway 11 (communication method A⇔B) and then passes through the gateway 11 (communication method A⇔C). Set as follows. Here, the types and number of control devices 1, networks 2, and communication methods handled by the communication path switching unit 3 are not limited to the settings shown in this example.

  FIG. 4 is a diagram showing a processing flow for the operation switching unit 8 to switch the program for monitoring and controlling the field device 4 from the operation program 5-1 to the alternative program 5-2 in the control system of the present embodiment. It is.

  First, the operation switching unit 8 determines whether it is necessary to switch the operation program 5-1 based on information from the information update DB 7 (step S401). Examples of the determination method include a method of using the operation state of the operation program 5-1 acquired by the state monitoring unit 6, and a method of following a user instruction from the outside.

  If it is determined in step S401 that the program needs to be switched, it is determined whether the connectable network 2 can be prepared between the field device 4 targeted by the operation program 5-1 and the alternative program 5-2. (Step S402). Here, when the connectable network 2 cannot be prepared, it is possible to wait until the preparation is completed. When the preparation cannot be completed even after a predetermined time elapses, an error process of step S407 is executed. Also good. The preparation for switching the communication path includes, for example, setting a protocol for the network 2 and creating a routing table.

  Next, it is determined whether or not the alternative program 5-2 is actually ready for operation (step S403). Here, when the preparation of the alternative program 5-2 cannot be completed, it is possible to wait until the preparation is completed. When the preparation cannot be completed even after a predetermined time has elapsed, an error process is executed in step S407. May be. Specifically, the preparation of the alternative program 5-2 is performed by setting the setting of the alternative program 5-2 to be equivalent to the operation program based on the setting information acquired from the state monitoring unit 6 via the information update DB 7. An alternative program 5-2 is constructed so as to be switchable with the operation program 5-1.

  Next, it is determined whether or not the operation program 5-1 can be switched to the alternative program 5-2 at a timing that does not hinder the monitoring / control of the field device 4 being executed by the operation program 5-1. Specifically, the timing for taking over the control information from the operation program 5-1 is determined in accordance with the control information update cycle. For example, when processing with low real-time characteristics such as monitoring of the field device 4 is being executed, switching of immediate programs is performed, and during high-precision real-time processing, the switching timing is set until a series of real-time processing is completed. put off. When feedback control or the like is being executed, the same processing as the operation program 5-1 is executed in parallel based on the control information from the operation program 5-1, so that the control is not affected. The method of switching the execution of the program may be used.

  If it is determined in step S405 that the program can be synchronized, the processing is immediately switched from the operation program 5-1 to the alternative program 5-2, and at the same time, the communication path switching unit 3 also controls the target. The communication path to the field device 4 is switched (step S405). As a communication path switching method, there is the method shown in FIG.

  Next, in step S404, it is determined whether switching between the program and the communication path has been executed normally (step S406). If the switching is not completed normally, error processing is executed (step S407).

  FIG. 5 is a diagram for explaining an example of the processing in step S406 and step S407. For example, if an error occurs in the operation of the program, if an error occurs in communication between the control device 1 and the field device 4, or if switching between the program and the communication path in step S405 is not performed simultaneously, Judge that the program could not be switched. In this case, the details of each error cause are verified, and error processing corresponding to the error cause is executed.

  For example, as shown in the first row of FIG. 5, when an error occurs in the program setting information, the setting information is acquired / updated again and the processing is continued. If the error processing (1) 14 is executed but the error cannot be corrected, the program switching is stopped and the original operation program 5-1 is written as described in the error processing (2) 15. Return to.

  As shown in the second row of FIG. 5, when an error occurs in the control information of the program, the processing is continued after re-acquiring / updating the control information. If the error processing (1) 14 is executed but the error cannot be corrected, the program switching is stopped and the original operation program 5-1 is written as described in the error processing (2) 15. Return to.

  As shown in the third row of FIG. 5, when a communication error occurs due to the protocol setting, the processing is continued after re-obtaining / updating the protocol setting. If the error processing (1) 14 is executed but the error cannot be corrected, the program switching is stopped and the original operation program 5-1 is written as described in the error processing (2) 15. Return to.

  As shown in the fourth row of FIG. 5, when a communication error occurs due to route disconnection, the processing is continued after re-searching and switching the route. If the error processing (1) 14 is executed but the error cannot be corrected, the program switching is stopped and the original operation program 5-1 is written as described in the error processing (2) 15. Return to.

  As shown in the fifth row of FIG. 5, when the switching timing becomes inconsistent due to the delay of program switching, the control information is re-acquired and the processing is continued from the next cycle. If the error cannot be corrected despite the execution of error processing (1) 14, error processing 1 is retried as described in error processing (2) 15.

  As shown in the sixth row of FIG. 5, when the switching timing becomes inconsistent due to the delay of the path switching, the processing is continued from the next cycle. If the error cannot be corrected despite the execution of error processing (1) 14, error processing 1 is retried as described in error processing (2) 15.

  When it is determined that the program cannot be switched normally as described above, the details of each error cause are verified, and error processing corresponding to the error cause is executed. The items and combinations of error cause 12, detailed error cause 13, error processing (1) 14 error processing (2) 15 shown in FIG. 5 are merely examples, and depend on the target field device 4 and the monitoring / control method. The processing content and combination may be changed.

  As described above, according to the present embodiment, in the control system, it is possible to switch from the active program to the standby program without affecting the monitoring / control of the controller 1 being executed.

  In addition, in the case of a control system for monitoring and controlling field devices via various types of networks as described in this embodiment, switching of the monitoring control program and switching of communication paths to the field devices are also considered. I have to do it. In the present embodiment, the alternative program accesses the field device from the communication method (communication protocol, etc.) and communication path that the operation program uses to access the field device, and the communication method and communication path that the alternative program can use. Therefore, it is possible to switch the monitoring control program that appropriately controls the communication path.

Also, in this embodiment, an operation program such as PLC or SCADA is constructed by software, and if necessary, an alternative program can be switched so that a standby system is constructed and operated in advance with the same hardware configuration as the operation system. This makes it possible to switch programs flexibly.

(Second Embodiment)
FIG. 6 is a diagram illustrating an example of a configuration of a control system in the second embodiment. The control system according to the second embodiment includes a field device 4 connected by a control device 21, a network 2, and a communication path switching unit 3. Moreover, the control apparatus 21 has the arithmetic processing part 100, the memory | storage part 110, and the communication control part 120 similarly to 1st Embodiment.

  The arithmetic processing unit 100 according to the present embodiment executes a plurality of control programs 25, an operation verification / switching unit 22, and an update unit 24. In addition, the storage unit 110 stores an information update DB 23 and a communication path setting DB 9.

  The control program 25 is a program for executing monitoring and control of the field device 4 in the same manner as the operation program 5-1 and the alternative program 5-2 in the control device 21 of the first embodiment. For example, the control program 25 is a software PLC or SCADA. Application.

  The operation verification / switching unit 22 has the same function as the state monitoring unit 6 in the first embodiment. That is, it has a function of acquiring the operation state, setting information, and control information of the control program 25 and transmitting the acquired operation state to the information update DB 7. In addition, the operation verification / switching unit 22 has the same function as the operation switching unit 8 in the first embodiment. That is, information is acquired from the information update DB 7 and the communication path setting DB 9, the operation method of the control program 25 is set, the program for monitoring and controlling the field device 4 is switched, and at the same time, the communication path of the communication path switching unit 3 And has a function of switching a communication path for accessing the field device 4. In addition, the operation verification / switching unit 22 changes the operation method of the control program 25 according to the information from the update unit 24 and the information update DB 23, and determines whether or not the processing of the control program 25 is normally executed. Has a function to verify. Here, the function of the operation verification / switching unit 22 is divided into a function corresponding to the state monitoring unit 6 in the first embodiment, a function corresponding to the operation switching unit 8, and a function for performing the operation verification. May be implemented. A detailed processing flow of the operation verification / switching unit 22 will be described later.

  The information update DB 23 has the same function as the information update DB 3 in the first embodiment. That is, the setting information and control information acquired by the operation verification / switching unit 22 are stored, and when new information is acquired, it is updated to that information.

  The communication path setting DB 9 has the same function as the communication path setting DB 9 in the first embodiment. That is, the address information of the field device 4 to be monitored and controlled by the predetermined control program 25 is stored. Then, the operation verification / switching unit 22 sets a communication path and a communication method (communication protocol) for the other control program 25 to access the field device 4 from the address information stored in the communication path setting DB 9, Switch communication using the set communication path and communication method.

  The update unit 24 has a function of checking the version of a program installed in the control device 21 and installing an additional program in the control device 21. Here, in addition to the control program 25, the program may target applications such as firmware of the control device 21, device driver, OS (operating system), and user interface. Further, the additional programs include a bug correction program, an update program for upgrading, a security patch, a program for adding a new function, and a virus scan program.

  The communication path switching unit 3 has the same function as the communication path switching unit 3 in the first embodiment. That is, according to the instruction | indication of the operation verification / switching part 22, it has the function to switch the communication path and communication system which connect the control apparatus 21 and the field apparatus 4. FIG.

  Similarly to the first embodiment, the field device 4 is a sensor, an actuator, or the like that is controlled in accordance with an instruction from the control device 21, and is connected to the control device 21 via the network 2. Here, the number and types of field devices 4 actually handled by the control system are not limited to this example.

  The control device 21 may be configured by hardware such as a PC, a server, and a controller as in the first embodiment, or may be configured on a virtual environment such as a cloud system. In the former case, as shown in FIG. 7, for example, the control program 25 may be implemented on separate hardware as an application executed on the OS. Further, the communication path setting DB 9, the information update DB 23, the operation verification / switching unit 22, and the update unit 24 may also be implemented in each control device 21, or may be installed on separate hardware as shown in FIG. And may be connected via the network 20. Here, the network 20 may be a different type of network from the network 2 for connecting the control device and the field device, or may be the same type of network.

  When the control device 21 is constructed on a virtual environment such as a cloud system, the control program 25 and the operation verification / switching unit 22 each operate as one execution process on the virtual system. These execution processes may be implemented on the same hardware (server) and interconnected by internal inter-process communication, or may be implemented on different hardware and interconnected by a network connection such as Ethernet. Also good.

  FIG. 7 is a diagram illustrating an example in which the control device 21 is mounted on different actual hardware. The plurality of control programs 25 are mounted on individual control devices 21A to 21C, respectively. The control devices 21 </ b> A to 21 </ b> C are connected via the network 2 and the network 20. The operation verification / switching unit 22 and the update unit 24 are executed by arithmetic processing units on different hardware, and the information update DB 23 and the communication path setting DB 9 are also stored in different hardware storage units. Remembered. These are connected via the network 20. As shown in the figure, the present invention can be similarly implemented even when implemented on actual hardware. In the following description, the case where the control device 21 is constructed on a virtual environment such as a cloud system will be described as an example instead of the example shown in FIG.

  FIG. 8 is a diagram showing a processing flow for the operation verification / switching unit 22 in the control system of the present embodiment to execute the operation verification and switching of the program for monitoring and controlling the field device 4.

  First, based on the information from the update unit 24, the operation verification / switching unit 22 determines whether it is necessary to update the program that monitors and controls the field device 4 (step S801). For example, the update unit 24 determines whether there is a version update program or a security patch of the target program. Here, the update unit 24 may be connected to an external network such as the Internet and determine whether or not there is update information, or may follow command input and information transmission from the outside. Also, it may be determined whether it is necessary to check for security threats such as viruses and malware instead of program updates (security checks).

  Next, when it is determined in step S801 that program update or security check is necessary, the operation verification / switching unit 22 uses the control program 25B having the same execution environment as the control program 25A to be updated as an alternative program. Preparation is made (step S802). As an alternative program preparation method, for example, there is a procedure (step S403) similar to the preparation of the alternative program 5-2 in the first embodiment. That is, based on the information stored in the information update DB 23, an alternative control program 25B is prepared from the setting information and control information of the operating control program 25A. However, the control information is not essential, and it is sufficient that the control program 25A and the control program 25B can be set to have the same operation execution environment.

  Next, the control program 25B, which is an alternative program, is updated (step S803). For example, a version update program or a security patch is acquired from the update unit 24 and installed. Here, when the purpose of the security check is not the update of the control program 25, it is not always necessary to execute the update program, but a virus scan program or the like is executed instead.

  Next, it is verified whether or not the control program 25B updated in step S803 can operate normally, or whether or not a problem has been detected in the security check (step S804). For example, when the control program 25A is a program for monitoring and controlling the field device 4, it is verified whether or not the updated control program 25B can operate normally in the same manner as the control program 25A before update. As a verification method, for example, a simulator for monitoring and controlling the field device 4 or a field device 4 for actual verification may be used. When the security check is intended, a security scan may be executed on the control program 25B that duplicates the operating environment of the control program 25A to verify the presence or absence of viruses or malware that hinder the normal operation of the program.

  If it is determined in step S804 that there is no abnormality in the operation of the updated program, preparation is made to switch the program for monitoring control of the field device 4 from the control program 25A to the control program 25B (step S805). For example, the same processing as in Step S402, Step S403, and Step S404 in the first embodiment is executed. However, similarly to step S402, after the communication path switching preparation of the control device 21 is performed, the control information of the operating control program 25A is taken over to the alternative control program 25B, and the control is performed in the same manner as the processing of step 404. The timing of the cycle is matched, and the timing at which the program can be switched without affecting the monitoring control of the control device 21 is matched.

  If it is determined in step S804 that the operation of the updated program is abnormal, error processing in step S808 is executed. However, instead of the error processing in step S808, it may be redone from the preparation of the alternative program in step S802. If the security check is intended, if no abnormality is detected in step S804, the security check is completed and the process is terminated.

  If it is determined in step S805 that the control program 25A and the control program 25B can be switched synchronously, the operation verification / switching unit immediately switches the program to be operated, and at the same time, the communication path switching unit 3 The communication path from the control device 21 to the target field device 4 and the communication method are switched (step S806).

  Next, in step 806, it is determined whether or not switching between the program and the communication path has been executed normally (step S807). If the switching is not completed normally, error processing is executed (step S808). An example of error processing includes the error processing shown in FIG. 5 in the first embodiment. In addition, processing such as reacquisition and renewal of the update program, and virus removal may be executed.

  As described above, according to the present embodiment, in the control system, the operating program is updated and the security patch is applied without affecting the monitoring control for the field device 4 being executed by the control device 21. It is possible. It is also possible to duplicate the same execution environment as the running program as an alternative program and execute load processing such as virus scanning without affecting the operation of the control system.

  Also, in this embodiment, switching is performed after confirming the operation of the system update etc. on an alternative system constructed separately from the system that is operating in advance, so that replacement is performed without affecting the operation of the control system. It is possible to switch to the system.

(Third embodiment)
FIG. 9 is a diagram illustrating a control system according to the third embodiment. The control system according to the third embodiment includes a field device 4 connected by a control device 31, a network 2, and a communication path switching unit 3.

  Moreover, the control apparatus 31 has the arithmetic processing part 100, the memory | storage part 110, and the communication control part 120 similarly to 1st, 2 embodiment. The arithmetic processing unit 100 of the present embodiment executes one or more operating systems 30 (hereinafter abbreviated as OS 30), a plurality of control programs 35, an operation verification / switching unit 32, a state monitoring unit 36, and an updating unit 34. The storage unit 110 stores an information update DB 33 and a communication path setting DB 9.

  The OS 30 is an execution environment for operating the control program 35, and a plurality of different types may be installed according to the control program 35, or one OS 30 may execute all the control programs 35. In the present embodiment, description will be made assuming that the OS is composed of a plurality of OSs 30. The OS 30 is composed of an operating OS 30-1 that is actually involved in the execution of monitoring control of the field device 4, and an alternative OS 30-2 that is in a standby state.

  The control program 35 is a program for monitoring and controlling the field device 4 as in the control device 21 of the first embodiment and the control device 31 of the second embodiment. For example, the control program 35 is a software PLC or SCADA application. is there. The control program 35 is classified into an active control program 35 (operation program 35-1) that is actually executing the monitoring control of the field device 4 and a control program (alternative program 35-2) in a standby state. .

  The operation verification / switching unit 32 has the same function as the operation switching unit 8 in the first embodiment. That is, based on the information stored in the information update DB 33 and the communication path setting DB 9, the operation method of the control program 35 is set, the program for monitoring and controlling the field device 4 is switched, and at the same time, the communication of the communication path switching unit 3 It has a function of setting a route and switching a communication route and a communication method for accessing the field device 4. Further, the operation verification / switching unit 32 has a function of changing the operation method of the control program 35 according to the information stored in the information update DB 33 and verifying whether the process of the control program 35 is normally executed. Here, the function corresponding to the above-described operation switching unit 8 and the function for performing the operation verification may be separately mounted.

  The state monitoring unit 36 has the same function as the state monitoring unit 6 in the first embodiment. That is, it has a function of acquiring operation states, setting information, and control information of a plurality of operation programs 35-1 and transmitting the acquired information to the information update DB 33. The function of the state monitoring unit 36 may be included in the operation verification / switching unit 32.

  The information update DB 33 has the same function as the information update DB 7 in the first embodiment and the information update DB 23 in the second embodiment, and has a function of acquiring information related to the update of the OS 30 or the control program 35 from the update unit 34. The communication path setting DB 9 has the same function as the communication path setting DB 9 in the first embodiment.

  The update unit 34 has the same function as the update unit 24 in the second embodiment. That is, it has a function of checking the version of various OSs 30 and various programs installed in the control device 31 and installing an additional program in the control device 31. Here, the update unit 34 may execute the program update process via the information update DB 33 or directly.

  The communication path switching unit 3 has the same function as the communication path switching unit 3 in the first embodiment or the second embodiment. That is, according to the instruction | indication of the operation verification / switching part 32, it has the function to switch the communication path and communication system which connect the control apparatus 31 and the field apparatus 4. FIG.

  The field device 4 is a sensor, an actuator, or the like that is controlled in accordance with an instruction from the control device 31 as in the first embodiment and the second embodiment, and is connected to the control device 31 via the network 2. Here, the number and types of field devices 4 actually handled by the control system are not limited to this example.

  As in the first and second embodiments, the control device 31 may be configured by hardware such as a PC, a server, or a controller, or may be configured on a virtual environment such as a cloud system. . In the former case, as shown in FIG. 10, for example, the control program 35 may be implemented on separate hardware as an application executed on the OS 30. In addition, the communication path setting DB 9, the information update DB 33, the operation verification / switching unit 32, the update unit 34, and the state monitoring unit 36 may also be implemented in each control device 31, or on separate hardware. It may be mounted and connected via the network 20, or may be constructed on the same hardware or software environment as the control device management unit 37 as shown in FIG. Here, the network 20 may be a different type of network from the network 2 for connecting the control device and the field device, or may be the same type of network.

Here, the OS 30 and programs installed in each control device 31 may be configured by the same type and number, or may be configured differently as shown in FIG.

  FIG. 10 is a diagram illustrating an example in which each program is mounted on different real hardware. The control device 31A is equipped with an alternative OS 30-2, an alternative program 35-2, an operation OS 30-1, and an operation program 35-1, and the control device 31B has two operation programs 35-1 on one operation OS 30-1. And two sets of operating OS 30-1 and operating program 35-1 are mounted on the control device 31C, which are connected via the network 20. A control device management unit 37 that manages the control devices 31A to 31C via the network 20 stores a communication path setting DB 9 and an information update DB 33, and includes an update unit 34, a state monitoring unit 36, and an operation verification / switching unit. 32 is executed. By configuring as in the example of this figure, program switching can be flexibly performed even for control programs mounted on different hardware. Note that the present invention is effective even with configurations other than those shown in this example.

  FIG. 11 is a processing flow for the operation verification / switching unit 32 in the control system of the present embodiment to execute operation verification and switching of a program for monitoring and controlling the field device 4. Note that the operation verification / switching unit 32 of this embodiment includes the processing flow of the operation switching unit 8 in the first embodiment shown in FIG. 4 and the operation verification / switching unit 22 in the second embodiment shown in FIG. A processing flow similar to the processing flow can also be executed.

  First, the operation verification / switching unit 32 uses information from the state monitoring unit 36 to determine whether an abnormality has occurred in the running program (step S1101). If an abnormality is detected in step S1101, preparation of an alternative program 35-2 to be executed instead of the operation program 35-1 in which an abnormality has occurred and preparation for switching between the program and the communication path are executed (step S1102). ). For example, there are processing methods similar to the processing in steps S403 and S404 shown in FIG. 4 and the processing in steps S802 to S805 shown in FIG.

  Next, when preparation for switching to the alternative program 5-2 is completed in step S1102, switching from the operation program 35-1 in which an abnormality has occurred to the alternative program 35-2 is executed (step S1103). Here, a process for synchronizing the control timing with the control information takeover of the operation program 35-1 may be executed, or the control information of the operation program 35-1 whose reliability has decreased due to the occurrence of an abnormality may be used. Instead, the control processing of the alternative program 35-2 may be newly started immediately. In addition, for example, information at a time point before the occurrence of an abnormality may be acquired from control information stored in time series with a time stamp added, and reflected in the alternative program 35-1. Further, the same processing as step S405 in FIG. 4 or step S806 in FIG. 8 may be executed.

  Next, in step S1103, it is determined whether switching between the program and the communication path has been completed normally (step S1104). If the operation is normally completed, the original operation program 35-1 in which the abnormality has occurred is corrected, and it is determined whether or not it is necessary to return by executing switching between the program and the communication path again (step S1105). On the other hand, if the process of step S1103 is not completed normally, an error process is executed (step S1107). As the error process, for example, the same process as in step S407 shown in FIG. 4 or step S808 shown in FIG. 8 is executed.

  If it is determined in step S1105 that the program needs to be restored, the original operation program 35-1 in which an abnormality has occurred is corrected or updated (step S1106). For example, an update program or a security patch is acquired from the update unit 34, applied to a program in which an abnormality has occurred, and then operation verification is executed.

  When the program correction or update is normally completed, preparation for returning the operation to the original operation program 35-1 is executed. In this processing, although the switching source program and the switching destination program are switched, the processing method is exactly the same as in step S1102. Thereafter, the process of step S1103 is similarly executed. On the other hand, if the program correction or update is not normally completed in step S1106, error processing in step S1107 is executed.

  As described above, according to the present embodiment, in the control system, backups in the event of an abnormality are prepared not for one-to-one but for N-to-one for a plurality of OSs and programs for monitoring and controlling field devices. Therefore, it is possible to save processing resources of the entire control system. In addition, if an error occurs in some OS or program, the error is corrected and the original system state is restored by temporarily switching to the alternative OS or program without affecting the availability of the control system. It can be restored.

  In addition, this invention is not limited to an above-described Example, Various modifications are included. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described. Further, a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Further, it is possible to add, delete, and replace other configurations for a part of the configuration of each embodiment.

Information such as programs, tables, and files for realizing each function may be stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, SD card, or DVD. it can.
Further, the control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.

1,21,31 Controller 2,20 Network
3 Communication path switching unit 4 Field device 100 Arithmetic processing unit 110 Storage unit 120 Communication control unit 5, 25, 35 Control program 5-1, 35-1 Operation program 5-2, 35-2 Alternative program 6, 36 Status monitoring unit 7, 23, 33 Information update DB
8 Operation switching unit 9 Communication path setting DB
10 Communication interface (communication IF)
11 Gateway 12 Error cause 13 Detailed error cause 14 Error handling (1)
15 Error handling (2)
22, 32 Operation verification / switching unit 24, 34 Update unit 37 Control device management unit

Claims (11)

A communication control unit for obtaining control information from a field device connected via a network;
An arithmetic processing unit that executes a main program for monitoring or controlling the field device based on the acquired control information;
An operation state of the main system program, and a memory for storing setting information necessary for monitoring or controlling the field device,
The arithmetic processing unit monitors the operation of the main system program and sequentially updates the operation state stored in the memory. From the operation state in the memory and the setting information at a predetermined timing A control system, wherein an alternative program is constructed so as to be switchable with the main program, and the main program is switched to the alternative program. In claim 1,
The memory stores a communication protocol necessary for the alternative program to communicate with the field device,
The arithmetic processing unit sets a communication protocol conversion method necessary for the alternative program to access the field device based on the communication protocol stored in the memory, and switches from the main program to the alternative program. A control system characterized by that. In claim 2,
A communication path switching device for relaying communication between the communication control unit and the field device;
The communication path switching device converts a communication protocol of communication data received from one network into a different communication protocol and transmits it to the other network,
The arithmetic processing unit determines a communication protocol conversion path necessary for communication between the alternative program and the field device from a communication protocol used for communication by the alternative program and a communication protocol used by the field device for communication. A control system which is set in the communication path switching device and switches from the main program to the alternative program. In claim 1,
The arithmetic processing unit that executes the main program and the arithmetic processing unit that executes the alternative program are provided in different control devices, respectively, and the control device that executes the alternative program stores the operation in the memory. A control system, wherein the alternative program is constructed so as to be switchable with a control device that executes the main program from the state and the setting information, and is switched from the main program to the alternative program.
In claim 1,
The arithmetic processing unit checks whether or not the main program being executed needs to be updated. When the arithmetic processing unit determines that the program needs to be updated, the arithmetic processing unit executes the program update on the constructed alternative program, A control system comprising: checking whether the substitute program operates normally and switching from the main program to the substitute program. The control system according to claim 1 operates a plurality of main programs to monitor and control a plurality of field devices,
The arithmetic processing unit checks whether it is necessary to update a plurality of active main programs, and determines that any of the main programs needs to be updated. The alternative program is constructed so that it can be switched to the main program from the operation state and the setting information with respect to the main program, the program is updated with respect to the constructed alternative program, and the main program determined to be updated A control system for switching from a program to the alternative program. In claim 6,
The main system program and the alternative program are programmable logic controllers configured by software. In claim 1,
The control system according to claim 1 operates a plurality of main programs to monitor and control a plurality of field devices,
The arithmetic processing unit checks a plurality of active main programs and determines that any one of the main programs needs to be updated. The operation state relating to the main program determined to be updated and The alternative program is constructed so that it can be switched to the main program from the setting information, the monitoring control subject of the field device is switched from the main program determined to be updated to the alternative program, and the main program is switched to A control system, wherein the program is updated, and further, the replacement program is switched to the updated main program. Obtaining control information from a field device connected via a network;
Executing a main program for monitoring and controlling the field device based on the acquired control information;
Monitoring the operation of the main program and storing the operation state of the main program in a memory;
Setting information necessary for monitoring or control of the field device to be stored in a memory in advance at a predetermined timing, and constructing an alternative program that can be switched to the main system program from the operation state stored in the memory;
Switching operation from the main program to the alternative program;
Control program switching method including: Further in claim 9,
Checking whether the main program being executed needs to be updated;
If it is determined that a program update is necessary, executing the program update on the constructed alternative program; and
A step of confirming whether the alternative program after the update normally operates;
Switching operation from the main program to the alternative program;
Control program switching method including: In claim 9, further comprising the step of operating a plurality of main programs to monitor and control a plurality of field devices;
Checking a plurality of said main programs in operation;
If it is determined that any of the main programs needs to be updated, the alternative program is constructed so as to be switchable to the main program from the operation state and the setting information regarding the main program determined to be updated. Steps,
Executing a program update on the constructed alternative program;
Switching operation from the main program determined to be updated to the alternative program;
Control program switching method including:

Images