KR102190196B1 - Safety class controller and method for managing configuration information thereof - Google Patents

Abstract

According to an embodiment of the present invention, provided is a safety class controller which comprises: a master sub-rack including a plurality of slots, a processor module and a plurality of first input/output modules respectively mounted in the plurality of slots; and at least one slave sub-rack including the plurality of slots and a plurality of second input/output modules respectively mounted on the plurality of slots. The processor module sequentially accesses all the slots set to be mounted with the input/output module, and requests configuration information while providing a random number to the input/output module when the input/output module is mounted in the accessed slot. The input/output module provides the configuration information including the random number, and the processor module determines an error in the configuration information by comparing the provided random number with the random number included in the configuration information.

Description

Safety class controller and its configuration information management method {SAFETY CLASS CONTROLLER AND METHOD FOR MANAGING CONFIGURATION INFORMATION THEREOF}

The present invention relates to a safety level controller, and more particularly, to a safety level controller capable of enhancing security and a method for managing configuration information thereof.

The safety level controller is a controller used in the nuclear power plant safety system (system) related to safety such as the measurement control system of nuclear power plants. The nuclear power plant system is divided into a safety system and a non-safety system. The safety system is a system that takes measures to prevent leakage of radioactive materials from exceeding the permitted safety standards in the event of an accident. Safety systems include Reactor Protection System (RPS), Engineered Safety Features Actuation System (ESFAS), and I&C System.

The safety level controller applied to this safety system is a processor module that calculates user application programs, an output module that outputs calculation results, an input module that receives input data from sensors in the field, a communication module for configuring a communication network, and supplies power. It may be configured of a power supply module and a bus module serving as a path for transmitting the operation result of the processor module to the output module or the input data of the input module to the processor module.

As digital-based technology controls are applied to the nuclear power plant system, they are becoming the target of cyber attacks. In the event of a nuclear power plant accident caused by a cyber attack, the public safety is threatened and the economic loss is also very large. In particular, if the safety level controller, which is a key device applied to the nuclear power plant safety system, unexpectedly operates due to a cyber attack, a fatal accident may occur in a nuclear power plant.

The processor module of the safety-grade controller is equipped with a real-time operating system (software) and performs functions such as calculation, diagnosis, and configuration information management. For example, the processor module performs initial storage and periodic inspection of the configuration information for the input/output module.The configuration information of the input/output module is important data when configuring and operating the system.If the configuration information is changed during operation, normal operation It cannot be done.

Whether the I/O module is normal or not can be determined based on the inspection of the configuration information of the I/O module, and conventionally, it is determined whether the configuration information has been changed or not based only on the ID of the I/O module, and there is an error in the configuration information. I judged whether there was. As described above, since only the ID of the input/output module was checked in the related art, even if the hardware or software of the input/output module is changed, if the previous information of the ID of the input/output module and the current information are the same, there is a problem that the change of hardware or software cannot be detected. have. Therefore, even if a cyber intrusion occurs through hardware or software of the input/output module, there is a problem that it cannot be detected.

An embodiment of the present invention for solving the above problems is a safety that can enhance security against cyber infringement by determining the change of the configuration information of the module by performing a check on hardware and software as well as the ID of the module. It aims to provide a class controller and its composition information management method.

In addition, an embodiment of the present invention aims to provide a safety level controller capable of enhancing the security of information and a method for managing configuration information thereof by encrypting and decrypting information using a public key and a private key when transmitting and receiving information. .

In addition, in an embodiment of the present invention, a processor module provides a random number when requesting information, and a module provides a random number when providing information, thereby enhancing the security of information, and a method for managing configuration information thereof. It aims to provide.

Another object of the present invention is to provide a safety level controller capable of enhancing the security of information in both an inspection operation and an update operation for configuration information, and a method for managing configuration information thereof.

In addition, an embodiment of the present invention is to provide a safety level controller and a method for managing configuration information thereof, which can simplify the operation and enhance security for information by allowing the inspection operation and the update operation to be performed through one route. do.

The problems to be solved according to the embodiments of the present invention are not limited to the above-mentioned problems, and other problems that are not mentioned are those of ordinary skill in the technical field to which the technical idea of the embodiment of the present invention belongs from the following description. It will be able to be clearly understood by the person.

A safety level controller according to an embodiment of the present invention for achieving the above-described technical problem includes: a master subrack including a plurality of slots and a processor module and a plurality of first input/output modules respectively mounted on the plurality of slots; And at least one slave sub-rack including a plurality of slots and a plurality of second input/output modules respectively mounted to the plurality of slots.

According to an embodiment of the present invention, the processor module sequentially accesses all slots set to be equipped with the input/output module, and when the input/output module is mounted in the accessed slot, requests configuration information while providing a random number to the input/output module. , The input/output module provides configuration information including a random number, and the processor module may determine an error in the configuration information by comparing the provided random number with the random number included in the configuration information.

According to an embodiment of the present invention, the processor module sequentially accesses all slots set to be equipped with the input/output module, and when the input/output module is mounted in the accessed slot, requests configuration information while providing a random number to the input/output module. , The mounted input/output module may provide configuration information including random numbers.

According to an embodiment of the present invention, the processor module may operate in a first mode that performs at least one of checking and updating configuration information, or a second mode that performs both checking and updating of configuration information. .

A method for managing configuration information of a safety level controller according to an embodiment of the present invention is implemented so that the processor module of the master subrack manages configuration information for the first input/output module of the master subrack and the second input/output module of the slave subrack. This is a method of managing the configuration information of the safety level controller.

According to an embodiment of the present invention, a method for managing configuration information of a safety-level controller is, when the processor module sequentially accesses all slots set to be equipped with the input/output module to perform inspection on the configuration information of the input/output module, the accessed slot Determining whether an input/output module is mounted on the device; If the input/output module is mounted in the slot, requesting configuration information while providing a random number to the input/output module; Receiving configuration information including a random number from the input/output module; Determining whether the provided random number and the random number included in the configuration information are the same; And recording a configuration information error if the two random numbers are different.

According to an embodiment of the present invention, a method for managing configuration information of a safety level controller includes: when a processor module updates configuration information of an input/output module, determining whether an input/output module is mounted in an accessed slot; If the input/output module is mounted in the slot, requesting configuration information while providing a random number to the input/output module; Receiving configuration information including a random number from the input/output module; Determining whether the provided random number and the random number included in the configuration information are the same; And recording a configuration information error if the two random numbers are different, and storing the configuration information in a memory if the two random numbers are the same.

According to an embodiment of the present invention, the method for managing configuration information of a safety level controller is, when the processor module sequentially accesses all slots set to be equipped with the input/output module to inspect and update the configuration information of the input/output module. Determining whether an input/output module is mounted in one slot; If the input/output module is mounted in the slot, requesting configuration information while providing a random number to the input/output module; Receiving configuration information including a random number from the input/output module; Determining whether the provided random number and the random number included in the configuration information are the same; And recording a configuration information error if the two random numbers are different, and storing the configuration information in a memory if the two random numbers are the same.

Specific matters according to various examples of the present invention other than the means for solving the problems mentioned above are included in the description and drawings below.

According to an embodiment of the present invention, since it is determined that the configuration information of the module is changed by performing an inspection on the hardware and software as well as the ID of the module, it is possible to determine the change of the configuration information of the module through inspection from various aspects As a result, it is possible to strengthen the security against cyber intrusion through the module.

In addition, according to an embodiment of the present invention, since the module encrypts and provides information using a public key, and the processor module decrypts the encrypted information using a private key, the information is inspected. Changes can be prevented and the security of information can be reinforced accordingly.

In addition, according to an embodiment of the present invention, the processor module provides a random number when requesting information, and when the module provides information, including a random number, the processor module can determine the change of information through inspection of the random number. Because there is, it is possible to strengthen the security of information.

In addition, by using the configuration information management method according to an embodiment of the present invention, it is possible to enhance the security of information for both the inspection operation and the update operation on the configuration information.

In addition, when the configuration information management method according to an embodiment of the present invention is used, since inspection and update operations are performed through one route, the operation can be simplified and security for information can be enhanced.

Since the content of the problem to be solved, the problem solving means, and the effect mentioned above does not specify the essential features of the claim, the scope of the claim is not limited by the matters described in the specification.

The accompanying drawings are provided to aid understanding of the present embodiment, and provide the embodiments together with a detailed description. However, the technical features of the present embodiment are not limited to a specific drawing, and features disclosed in each drawing may be combined with each other to constitute a new embodiment.
1 is a view showing the configuration of an example of a safety level controller according to an embodiment of the present invention.
2 is a diagram showing the configuration of an example of the master sub-rack of the safety level controller of FIG.
FIG. 3 is a diagram illustrating an example configuration of a slave subrack of the safety level controller of FIG. 1.
4 is a view for explaining an operation of a safety level controller according to an embodiment of the present invention to check configuration information during a first mode operation.
FIG. 5 is a diagram for describing detailed operations of steps S430 and S440 of FIG. 4.
6 is a diagram for explaining an operation of updating configuration information when a safety level controller according to an embodiment of the present invention operates in a first mode.
7 is a diagram for explaining a detailed operation of step S630 of FIG. 6.
8 is a diagram illustrating an operation of a safety level controller in a second mode according to an embodiment of the present invention.
9 is a diagram for describing a detailed operation of step S830 of FIG. 8.

Advantages and features of the present invention, and a method of achieving them will become apparent with reference to the embodiments described below in detail together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but will be implemented in a variety of different forms, only the present embodiments make the disclosure of the present invention complete, and common knowledge in the technical field to which the present invention pertains. It is provided to inform the possessor of the scope of the invention. The invention is only defined by the scope of the claims.

The shape, size, ratio, angle, number, etc. disclosed in the drawings for explaining the embodiments of the present invention are exemplary, and the present invention is not limited to the items shown in the drawings. The same components may be referred to by the same reference numerals throughout the specification. In addition, in describing the present invention, when it is determined that a detailed description of a related known technology may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted.

When "include", "have", "consists of" and the like mentioned in the present specification are used, other parts may be added unless the expression "only" is used. When a constituent element is expressed in the singular, it includes the plural unless specifically stated otherwise.

First, second, etc. are used to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish one component from another component. Accordingly, the first component mentioned below may be a second component within the technical idea of the present invention.

The term “at least one” is to be understood as including all possible combinations from one or more related items. For example, the meaning of “at least one of the first item, the second item, and the third item” means 2 among the first item, the second item, and the third item as well as each of the first item, the second item, or the third item. It may mean a combination of all items that can be presented from more than one.

Each of the features of the various embodiments of the present invention can be partially or entirely combined or combined with each other, technically various interlocking and driving are possible, and each embodiment may be independently implemented with respect to each other or may be implemented together in a related relationship. May be.

In adding reference numerals to elements of each drawing describing the embodiments of the present invention, the same elements may have the same numerals as possible even if they are indicated on different drawings.

Hereinafter, a safety level controller and a method for managing configuration information thereof according to an embodiment of the present invention will be described with reference to the accompanying drawings.

1 is a view showing the configuration of an example of a safety level controller according to an embodiment of the present invention, Figure 2 is a view showing the configuration of an example of the master subrack of the safety level controller of Figure 1, Figure 3 is It is a diagram showing the configuration of an example of the slave sub-rack of the safety level controller of 1.

1 to 3, the safety grade controller 1 is composed of a plurality of sub-racks 100 that are sequentially connected, and may be a controller used to protect a nuclear reactor in a nuclear power plant.

The safety level controller 1 satisfies the nuclear power plant safety level standard (e.g., Safety class 1), and the reactor protection system RPS (Reactor Protection System), the engineered safety system ESF-CCS (Engineered Safety Feature-Core Cooling System), And it may be a facility for power generation constituting the CPCS (Core Protection Calculator System).

Here, RPS refers to a system that continuously monitors safety-related variables of a nuclear power plant and generates a reactor stop signal and an engineered safety facility start signal when it is out of a preset safe operation range. In addition, ESF-CCS refers to a system that operates various engineering safety facilities for the purpose of mitigating the impact of accidents when an accident occurs based on the design of a nuclear power plant. CPCS refers to a system that monitors the state and nuclear reactivity of the reactor core and protects the reactor core from unstable conditions.

The sub-rack 100 is located at the first stage (or'basic stage') in the configuration of the safety level controller 1 and serves as a master sub-rack 200 and a master sub-rack 200 in terms of data flow and functionality. ) May be formed of at least one slave sub-rack 300 that is sequentially positioned at the rear end (or'extension end') and controlled by the master sub-rack 200.

The master sub-rack 200 and the slave sub-rack 300 of the next stage, and between the slave sub-rack 300 and the slave sub-rack 300 of the next stage may be connected through a cable for bus expansion. In addition, the number of slave sub-racks 300 may be variously selected depending on the purpose of implementation of the safety grade controller 1, the number of devices to be controlled, and the like.

The master subrack 200 may transmit transmission data to the slave subrack 300 and receive received data from the slave subrack 300. In addition, the master sub-rack 200 may request configuration information from the slave sub-rack 300 and receive and manage configuration information from the slave sub-rack 300.

The master sub-rack 200 is composed of a rack base 201, a plurality of slots 202 installed in the rack base 201, and a plurality of functional modules mounted in each slot 202, and the function module is a power module 210, a processor module 230, an input/output module 250, and an expansion module (or a communication module, hereinafter referred to as an expansion module) 270 may be included, but a module performing other functions may be further included. . At this time, each slot 202 may be set for which function module the slot is for.

One or a plurality of functional modules constituting the master sub-rack 200 may be included in the master sub-rack 200 according to the type, for example, the power module 210, the processor module 230, and the input/output module 250 ) Is a plurality, and the number of expansion modules 270 may be one, but the number of each functional module is not limited to the present embodiment and may be changed.

Some or all of the functional modules of the master subrack 200 perform at least one processing means (ex, microprocessor) for performing a function, a program (software) for performing a function, information necessary for performing a function, and a function It may include at least one memory for storing information generated while performing communication, data received through communication with the outside, and communication means such as a bus for communication with the outside.

The power module 210 receives an external AC voltage and converts it, and then outputs a DC voltage for the operation of the modules 230 to 270 in the master subrack 200. For example, the AC voltage input to the power module 210 may be 85V to 264V, and the DC voltage output from the power module 210 may be 5V, but the AC voltage and the DC voltage are limited to this embodiment. It is not.

For example, the power module 210 may be implemented in a redundant structure for stable power supply and may include two power modules 211 and 213, but the configuration of the power module 210 is limited to this embodiment. no.

The power module 210 may be expressed as a first power module, a master power module, or the like, to distinguish it from the power module 310 provided in the slave subrack 300.

The processor module 230 is a module responsible for the core function of the safety level controller 1, and provides an application program for performing the operation of the safety level controller 1 in a continuous loop during the run mode. In addition to execution, operation, self-diagnosis, system configuration management (ex, configuration information management of input/output modules, etc.), monitoring and controlling of modules in the master sub-rack 200 and modules in the slave sub-rack 300 are performed. do.

The processor module 230 transmits transmission data (ex, control data, etc.) to the input/output module 250 in the master subrack 200, and receives data (ex, field device status data, etc.) from the input/output module 250 Can receive.

In addition, the processor module 230 may monitor and control functional modules of the slave sub-racks 300, transmit transmission data to the slave sub-racks 300, and transmit data to the slave sub-racks 300. It can receive received data from the field.

For example, the processor module 230 may directly access the input/output module 250 in the master sub-rack 200 and the input/output module 330 in the slave sub-rack 300 to transmit and receive data. At this time, the processor module 230 accesses the input/output module 330 of the slave sub-rack 300 through the expansion module 270 of the master sub-rack 200 and the expansion module 350 of the slave sub-rack 300 can do.

On the other hand, the processor module 230 requests and stores configuration information from modules at the beginning of the operation of the safety level controller 1, and performs inspection on the configuration information while the safety level controller 1 is operating, It is possible to perform an update operation of periodically storing configuration information.

For example, the processor module 230 stores configuration information on the input/output module 250 in the master sub-rack 200 and the input/output module 330 in the slave sub-rack 300 to each input/output module 250 and 330. Can be provided upon request.

In addition, the processor module 230 requests configuration information for the expansion module 270 in the master sub-rack 200 and the expansion module 350 of the slave sub-rack 300 to each of the expansion modules 270 and 350 Can be provided.

Further, the processor module 230 manages the configuration information for the input/output modules 250 and 330 and the expansion modules 270 and 350 based on the provided configuration information, and determines whether the corresponding module is normal based on the configuration information. I can judge.

A detailed description of how the processor module 230 manages the configuration information will be described later.

The processor module 230 may include two processor modules 231 and 233 as implemented in a redundant structure in order to prepare for an operation error. In this embodiment, the master sub-rack 200 includes two processor modules 231 and 233, but is not limited thereto, and may include three or more processor modules.

According to an embodiment, when the first processor module 231 operates as a master, the second processor module 233 operates as a slave, and when the first processor module 231 operates as a slave, the second processor module 233 ) Acts as a master. In describing an embodiment of the present invention, the processor module 230 refers to a processor module operating as a master among the first and second processor modules 231 and 233.

The input/output module 250 may operate by receiving transmission data from the processor module 230, receive data received from a field device, and provide it to the processor module 230.

When there is a request for configuration information from the processor module 230, the input/output module 250 provides configuration information to the processor module 230. Here, the configuration information includes the ID of the module, and may further include at least one or more of a hardware version, a software version, and a serial number of the module. In the present invention, the configuration information includes an ID, a hardware version, a software version, and a serial number as an example.

According to an embodiment, when the processor module 230 provides a random number together with the configuration information request, the input/output module 250 may include the random number in the configuration information.

According to an embodiment, the input/output module 250 may encrypt the configuration information using a public key and provide it to the processor module 230.

The input/output module 250 may be expressed as a first input/output module, a master input/output module, or the like to distinguish it from the input/output module 330 provided in the slave subrack 300.

The input/output module 250 may operate as an input module and an output module depending on which of an input function or an output function is performed, and the input/output module 250 is divided into a digital module and an analog module depending on whether the type of data received or output is digital or analog. Can be distinguished. That is, the input/output module 250 may be implemented as one of an analog input module, a digital input module, an analog output module, and a digital output module.

Specifically, when the input/output module 250 is an analog input module, the voltage input value, which is analog data transmitted from a field device, is converted into digital data that can be recognized by the processor module 230 and transmitted to the processor module 230. do.

When the input/output module 250 is a digital input module, the on/off contact status of the field device is converted into digital data that can be recognized by the processor module 230 and transmitted to the processor module 230.

When the input/output module 250 is an analog output module, digital data ('digital result value'), which is an execution result value of the processor module 230, is converted into an analog value in a form suitable for a field device and transmitted to the field device.

When the input/output module 250 is a digital output module, the digital result value of the processor module 230 is converted into a digital value suitable for the field device and transmitted to the field device.

The expansion module 270 serves as a passage for allowing the processor module 230 to access the slave sub-rack 300 of the next stage, and through an expansion module and a cable of the sub-rack of the next stage. Connected.

When there is a request for configuration information from the processor module 230, the expansion module 270 provides configuration information to the processor module 230. Here, the configuration information may include a module ID, a hardware version, a software version, and a serial number of the module.

According to an embodiment, when the processor module 230 provides a random number together with the configuration information request, the expansion module 270 may include the random number in the configuration information.

According to an embodiment, the expansion module 270 may encrypt configuration information using a public key and provide it to the processor module 230.

The expansion module 270 may be expressed as a first expansion module, a master expansion module, or the like to distinguish it from the expansion module 350 provided in the slave sub-rack 300.

The slave sub-rack 300 is composed of a rack base 301, a plurality of slots 302 installed in the rack base 301, and a plurality of functional modules mounted in each slot 302, and the function module is a power module 310, the input/output module 330 and the expansion module 350, but may further include a module that performs other functions.

One or a plurality of functional modules constituting the slave sub-rack 300 may be included in the slave sub-rack 300 depending on the type, for example, a power module 310, an input/output module 330, and an expansion module ( 350) may be a plurality, but the number of each functional module is not limited thereto and may be changed.

For example, the remaining slave subracks other than the last stage include two expansion modules to connect the subracks in the front stage and the subracks in the next stage, and the subrack in the last stage is It may include one expansion module for connection.

Some or all of the function modules of the slave subrack 300 include at least one processing means (ex, microprocessor) that performs a function, information necessary for performing a function, information generated while performing a function, and communication with the outside. It may include at least one memory for storing data received through or the like, and communication means such as a bus for communication with the outside.

The power module 310 receives an external AC voltage and converts it, and then outputs a DC voltage for operation of the modules 330 and 350 in the slave subrack 300. For example, the AC voltage input to the power module 310 may be 85V to 264V, and the DC voltage output from the power module 310 may be 5V, but the AC voltage and the DC voltage are limited to this embodiment. It is not.

For example, the power module 310 may be implemented in a redundant structure for stable power supply and may include two power modules 311 and 313, but the configuration of the power module 310 is limited to this embodiment. no.

The power module 310 may be expressed as a second power module, a slave power module, or the like, to distinguish it from the power module 210 provided in the master subrack 200.

The input/output module 330 may operate by receiving transmission data from the processor module 230, receive data received from a field device, and provide it to the processor module 230.

When there is a request for configuration information from the processor module 230, the input/output module 330 provides configuration information to the processor module 230. Here, the configuration information may include a module ID, a hardware version, a software version, and a serial number of the module.

According to an embodiment, when the processor module 230 provides a random number together with the configuration information request, the input/output module 330 may include the random number in the configuration information.

According to an embodiment, the input/output module 330 may encrypt configuration information using a public key and provide it to the processor module 230.

The input/output module 330 may be expressed as a second input/output module, a slave input/output module, or the like to distinguish it from the input/output module 250 provided in the master sub-rack 200.

Since the operation of the input/output module 330 is the same as the operation of the input/output module 250 of the master sub-rack 200, a detailed description thereof will be omitted.

The expansion module 350 serves as a passage for allowing the processor module 230 to access the slave sub-rack 300, and the remaining slave sub-racks other than the last stage are It includes two expansion modules for connection to the sub-rack, and the sub-rack at the last stage may include one expansion module for connection to the sub-rack at the front stage.

When there is a request for configuration information from the processor module 230, the expansion module 350 provides configuration information to the processor module 230. Here, the configuration information may include a module ID, a hardware version, a software version, and a serial number of the module.

According to an embodiment, when the processor module 230 provides a random number together with a configuration information request, the expansion module 350 may include a random number in the configuration information.

According to an embodiment, the expansion module 350 may encrypt configuration information using a public key and provide it to the processor module 230.

The expansion module 350 may be expressed as a second expansion module, a slave expansion module, or the like, to distinguish it from the expansion module 270 provided in the master sub-rack 200.

In the above, the configuration of the safety level controller according to an embodiment of the present invention and functions of each configuration have been described. Hereinafter, a method for managing configuration information of a safety level controller according to an embodiment of the present invention will be described in detail.

The safety level controller according to an embodiment of the present invention can operate in two modes depending on whether the configuration information inspection process and the configuration information update process are performed in one loop or another loop.

First, a first mode operation in which the safety level controller according to an embodiment of the present invention performs a configuration information inspection process and a configuration information update process in different loops will be described.

The safety level controller according to an embodiment of the present invention may perform only a configuration information check operation or only a configuration information update operation according to a setting during the first mode operation. Alternatively, the safety level controller may perform a configuration information update operation after performing a configuration information check operation, or perform a configuration information check operation after performing a configuration information update operation.

4 is a diagram for explaining an operation of a safety level controller according to an embodiment of the present invention to check configuration information during a first mode operation, and FIG. 5 is a diagram for describing detailed operations for steps S430 and S440 of FIG. 4 It is a drawing for.

First, referring to FIG. 4, the processor module 230 initializes the number of the slot to be inspected mounted on the safety level controller (S400).

The initialization in step S400 is to assign a number to the slot ('inspection target slot') in which the module to be inspected (ex, input/output module, expansion module) is mounted, sequentially increasing by 1 from 0, and the slots to be inspected The number assigned to the last scan target slot is inevitably smaller than the total number of scan target slots. Here, the module to be inspected may be an input/output module, and may be an input/output module and an expansion module.

For example, if there are 128 scan target slots, the number of the last scan target slot is 127, which is less than the total number of scan target slots 128. Therefore, if the number of the slots to be inspected is equal to or greater than the total number of slots to be inspected, the processor module 230 may determine that all of the slots to be inspected have been inspected and terminate the inspection.

After the step S400, the processor module 230 accesses the first inspection target slot, checks the slot number, and determines whether the slot number is less than a preset threshold (S410). Here, the threshold value may be the total number of slots to be inspected. In addition, the processor module 230 may be set to access the test target slot having the number 0 for the first time.

As a result of the determination in step S410, if the slot number is not less than the threshold value, that is, if the slot number is greater than or equal to the threshold value (S410-No), the processor module 230 terminates the configuration check operation, and before the termination, the configuration Information may be provided (S420).

As a result of the determination in step S410, if the slot number is less than the threshold value (S410-Yes), the processor module 230 acquires configuration information for the module to be inspected (S430), and the obtained configuration information and previous configuration information By comparing them, it is determined whether the two configuration information is the same (S440).

As a result of the determination in step S440, if the two configuration information are the same (S440-Yes), the processor module 230 increases the slot number by 1 (S450), and then operates according to step S410, whereby the increased slot number by 1 is critical. Determine whether it is less than the value.

These steps S410 to S450 proceed until the slot number equals the threshold value. That is, the steps S410 to S450 are performed until all inspection target modules are inspected.

As a result of the determination in step S440, if the two configuration information are not the same (S440-No), the processor module 230 records that there is an error in the configuration information of the corresponding module (S460), and the slot number is 1 according to step 450. After increasing, step 410 proceeds.

These steps S410 to S460 proceed until the slot number equals the threshold value. That is, the steps S410 to S460 are performed until all inspection target modules are inspected.

Referring to FIG. 5, steps S430 and S440 will be described in detail, and the processor module 230 determines whether the test target module is mounted in the accessed test target slot (S431).

As a result of the determination in step S431, if it is determined that the test target module is not mounted (S431-No), the processor module 230 determines whether the test target module is mounted in the corresponding test target slot from the previous configuration information. (S432).

As a result of the determination in step S432, if it is determined that the module to be inspected is installed in the corresponding slot (S432-Yes), the processor module 230 records the configuration information error according to step S460, and then proceeds with the subsequent steps. If it is determined that the test target module is not installed (S432-No), the processor module 230 proceeds to step S450 and subsequent steps.

As a result of the determination in step S431, if it is determined that the module to be tested is installed (S431-Yes), the processor module 230 requests the configuration information from the module to be tested, and provides it from the module to be tested in response. Configuration information is received (S433).

In step S432, the processor module 230 may provide a random number ('random number of the processor module') together with the configuration information request.

In step S432, the configuration information may include an ID of a module to be inspected, a hardware version, a software version, a serial number, and a random number provided from the processor module 230.

When the configuration information received by the processor module 230 in step S432 is encrypted using the public key, the processor module 230 may decrypt the received configuration information using the private key.

After the step S432, the processor module 230 determines whether the random number provided to the test target module ('random number of the processor module') and the random number included in the received configuration information are the same (S441).

As a result of the determination in step S441, if it is determined that the two random numbers are not the same (S441-No), the processor module 230 records that there is an error in the configuration information of the module according to step S460, and proceeds with the subsequent process. do.

As a result of the determination in step S441, if it is determined that the two random numbers are the same (S441-Yes), the processor module 230 determines whether the received configuration information and the previous configuration information are the same (S442). In this case, the received configuration information and the ID, hardware version, software version, and serial number included in the previous configuration information may be compared.

As a result of the determination in step S442, if it is determined that the two configuration information is the same (S442-Yes), the processor module 230 proceeds to step S450 and subsequent steps, and if it is determined that the two configuration information are not the same (S442- No), the processor module 230 proceeds to step S460 and subsequent steps.

6 is a diagram for explaining an operation of updating configuration information in a first mode operation by a safety level controller according to an embodiment of the present invention, and FIG. 7 is a view for explaining a detailed operation of step S630 of FIG. 6 to be.

An operation of updating the configuration information will be described with reference to FIGS. 6 and 7, but a description of the same operation as the operation of checking the configuration information will be omitted or simplified.

First, referring to FIG. 6, the processor module 230 initializes a number for an update target slot mounted on a safety level controller (S600). Here, update means storing configuration information of a module in a memory, and a module mounted in an update target slot may be expressed as an'update target module'.

The update target slot in step S600 may be the same as the inspection target slot described above, and since the initialization in step S600 is the same as the initialization in step S400, a description thereof will be omitted.

After the step S600, the processor module 230 accesses the first update target slot, checks the slot number, and determines whether the slot number is less than a preset threshold (S610). Here, the threshold value may be the total number of slots to be updated. In addition, the processor module 230 may be configured to first access an update target slot whose number is 0.

As a result of the determination in step S610, if the slot number is not smaller than the threshold value, that is, if the slot number is greater than or equal to the threshold value (S610-No), the processor module 230 terminates the update operation, and before termination, configuration information Can be provided (S620).

As a result of the determination in step S610, if the slot number is less than the threshold value (S610-Yes), the processor module 230 obtains configuration information for the module to be updated (S630), and the random number included in the configuration information is It is determined whether it is equal to the random number of the module (S640).

As a result of the determination in step S640, if it is determined that the two random numbers are the same (S640-Yes), the processor module 230 stores the obtained configuration information in the memory (S650), and if it is determined that the two random numbers are not the same (S640 -No), the processor module 230 records that there is an error in the configuration information (S660).

After the step S650 or S660, the processor module 230 increases the slot number by 1 (S670), and then proceeds to the step S610 and the subsequent steps. That is, the steps S610 to S670 are performed until all update target modules are updated.

Referring to FIG. 7, step S630 will be described in detail, and the processor module 230 determines whether an update target module is mounted in the accessed update target slot (S631).

As a result of the determination in step S631, if it is determined that the module to be updated is not mounted (S631-No), the processor module 230 proceeds to step S670 and subsequent steps.

As a result of the determination in step S631, if it is determined that the module to be updated is installed (S631-Yes), the processor module 230 requests the configuration information from the module to be updated (S632), and in response thereto Configuration information provided from the module is received (S633).

In step S632, the processor module 230 may provide a random number together with the configuration information request.

In step S633, the configuration information may include an ID of the module to be updated, a hardware version, a software version, a serial number, and a random number provided from the processor module 230, and may be encrypted by a public key.

Thereafter, the processor module 230 decrypts the received configuration information using a private key (S634), and obtains an ID, a hardware version, a software version, a serial number, and a random number included in the configuration information.

Next, a second mode operation in which the safety level controller according to an embodiment of the present invention performs a configuration information inspection process and a configuration information update process in one loop will be described.

FIG. 8 is a view for explaining the operation of the safety level controller in a second mode according to an embodiment of the present invention, and FIG. 9 is a view for explaining detailed operation of step S830 of FIG. 8.

The operation of the safety level controller in the second mode will be described with reference to FIGS. 8 and 9, but a description of the same operation as the operation in the first mode will be omitted or simplified.

First, referring to FIG. 8, the processor module 230 initializes the number of the target slot mounted on the safety level controller (S800). Here, the target slot is a slot that is subject to inspection and update, and a module mounted on the target slot may be expressed as a'target module'.

Since the initialization in step S800 is the same as the initialization in the first mode operation, a description thereof will be omitted.

After the step S800, the processor module 230 accesses the first target slot, checks the slot number, and determines whether the slot number is less than a preset threshold (S810). Here, the threshold value may be the total number of target slots. In addition, the processor module 230 may be set to access the target slot having the number 0 for the first time.

As a result of the determination in step S810, if the slot number is not less than the threshold value, that is, if the slot number is greater than or equal to the threshold value (S810-No), the processor module 230 terminates the operation, and before terminating, the configuration information It can be provided (S820).

As a result of the determination in step S810, if the slot number is less than the threshold value (S810-Yes), the processor module 230 obtains configuration information for the target module (S830), and the random number and processor module included in the configuration information It is determined whether the random numbers of are the same (S840).

As a result of the determination in step S840, if it is determined that the two random numbers are not the same (S840-No), the processor module 23 records that there is an error in the configuration information (S870), and increases the slot number by 1 according to step S880. After making it, proceed to the next step.

As a result of the determination in step S840, if it is determined that the two random numbers are the same (S840-Yes), the processor module 230 stores the acquired configuration information in the memory (S850), and whether the acquired configuration information and the previous configuration information are the same. It is determined (S860).

As a result of the determination in step S860, if the two configuration information are the same (S860-Yes), the processor module 230 proceeds to step S880 and subsequent steps, and if the two configuration information is not the same (S860-No), the processor The module 230 proceeds to step S870 and subsequent steps.

That is, the steps S810 to S880 are performed until all target modules are inspected and updated.

Referring to FIG. 9, step S830 will be described in detail, and the processor module 230 determines whether the target module is mounted in the accessed target slot (S831).

As a result of the determination in step S831, if it is determined that the target module is not mounted (S831-No), the processor module 230 determines whether the target module is mounted in the corresponding slot from the previous configuration information (S832).

As a result of the determination in step S832, if it is determined that the target module is mounted (S832-Yes), the processor module 230 records the configuration information error according to step S870, and then proceeds to the subsequent steps, and the target module is If it is determined that it is not mounted (S832-No), the processor module 230 proceeds to step S880 and subsequent steps.

As a result of the determination in step S831, if it is determined that the target module is installed (S831-Yes), the processor module 230 requests configuration information from the target module (S833), and is provided from the target module in response thereto. Configuration information is received (S834).

In step S833, the processor module 230 may provide a random number together with a request for configuration information.

In step S834, the configuration information may include an ID of the target module, a hardware version, a software version, a serial number, and a random number provided from the processor module 230, and may be encrypted by a public key.

Thereafter, the processor module 230 decrypts the received configuration information using a private key (S835), and obtains an ID, a hardware version, a software version, a serial number, and a random number included in the configuration information.

According to an embodiment of the present invention, since it is determined that the configuration information of the module is changed by performing an inspection on the hardware and software as well as the ID of the module, it is possible to determine the change of the configuration information of the module through inspection from various aspects As a result, it is possible to strengthen the security against cyber intrusion through the module.

In addition, according to an embodiment of the present invention, since the module encrypts and provides information using a public key, and the processor module decrypts the encrypted information using a private key, the information is inspected. Changes can be prevented and the security of information can be reinforced accordingly.

In addition, according to an embodiment of the present invention, the processor module provides a random number when requesting information, and when the module provides information, including a random number, the processor module can determine the change of information through inspection of the random number. Because there is, it is possible to strengthen the security of information.

In addition, by using the configuration information management method according to an embodiment of the present invention, it is possible to enhance the security of information for both the inspection operation and the update operation on the configuration information.

In addition, when the configuration information management method according to an embodiment of the present invention is used, since inspection and update operations are performed through one route, the operation can be simplified and security for information can be enhanced.

Features, structures, effects, and the like described in various examples of the present invention described above are included in at least one example of the present invention, and are not necessarily limited to one example. Further, the features, structures, effects, etc. illustrated in at least one example of the present invention may be combined or modified for other examples by a person having ordinary knowledge in the field to which the technical idea of the present invention belongs. Accordingly, contents related to such combinations and modifications should be construed as being included in the technical scope or scope of the present specification.

The present invention described above is not limited to the above-described embodiments and the accompanying drawings, and various substitutions, modifications, and changes are possible within the scope of the technical spirit of the present invention. It will be obvious to those who have the knowledge of. Therefore, the scope of the present invention is indicated by the claims to be described later, and all changes or modified forms derived from the meaning and scope of the claims and their equivalent concepts should be interpreted as being included in the scope of the present invention.

1: safety level controller 100: sub rack
200: master subrack 210: power module
230: processor module 250: input/output module
270: expansion module 300: slave subrack
310: power module 330: input/output module
350: expansion module

Claims (26)

A master sub-rack including a plurality of slots and a processor module and a plurality of first input/output modules respectively mounted on the plurality of slots; And
Including a plurality of slots and at least one slave sub-rack including a plurality of second input/output modules respectively mounted to the plurality of slots,
The processor module sequentially accesses all the slots set to be mounted to the input/output module, and when the input/output module is installed in the accessed slot, The input/output module requests configuration information while providing a random number, and the input/output module provides configuration information including the random number,
The processor module compares the provided random number with the random number included in the configuration information to determine an error in the configuration information,
When the processor module checks the configuration information, if the input/output module is not installed in the accessed slot, the processor module determines whether the input/output module is installed in the corresponding slot from the previous configuration information, and the previous configuration information If it is determined that the I/O module is installed in the corresponding slot, it records the configuration information error. The method of claim 1,
The processor module compares the ID included in the configuration information and the ID included in the previous configuration information, and includes at least one of a hardware version, a software version, and a serial number included in the configuration information, and a hardware included in the previous configuration information. A safety level controller that further compares at least one of a version, a software version, and a serial number to determine an error in the configuration information. The method of claim 1,
The input/output module encrypts and provides the configuration information using a public key, and the processor module decrypts the encrypted configuration information using a private key. delete The method of claim 1,
If the processor module determines that the input/output module is not installed in the corresponding slot from the previous configuration information, the processor module increases the slot number by 1, and if the increased slot number by 1 is less than the threshold value, the processor module has an increased slot number by 1. Safety class controller with slot access. The method of claim 1,
When the processor module checks the configuration information, if the provided random number and the random number included in the configuration information are different, it records a configuration information error, and if they are the same, determines whether the configuration information and the previous configuration information are the same. If the configuration information is different, a safety class controller that records configuration information errors. The method of claim 1,
When the processor module performs an update on the configuration information, if the I/O module is not installed in the accessed slot, the slot number is increased by 1, and if the increased slot number is less than the threshold value by 1, the increased slot Safety class controller, accessed by numbered slot. The method of claim 1,
The processor module records a configuration information error if the provided random number and the random number included in the configuration information are different from each other, and stores the configuration information if they are the same. A master sub-rack including a plurality of slots and a processor module and a plurality of first input/output modules respectively mounted on the plurality of slots; And
Including a plurality of slots and at least one slave sub-rack including a plurality of second input/output modules respectively mounted to the plurality of slots,
The processor module sequentially accesses all slots set to be equipped with the input/output module, and when the input/output module is installed in the accessed slot, requests configuration information while providing a random number to the input/output module, and the input/output module receives the random number. Provide configuration information including,
The processor module operates in a first mode that performs at least one of checking and updating the configuration information, or operates in a second mode that performs both checking and updating of the configuration information,
When the processor module operates in the first mode and performs a check on the configuration information, if the provided random number and the random number included in the configuration information are different, a configuration information error is recorded, and if the same, the configuration information and the transfer A safety level controller that determines whether the configuration information is the same and records a configuration information error if the two configuration information is different. delete The method of claim 9,
The processor module, if the two configuration information is the same, increases the slot number by 1, and then accesses the slot having the increased slot number by 1 when the increased slot number is less than a threshold value. The method of claim 9,
When the processor module operates in the first mode and updates the configuration information, if the provided random number and the random number included in the configuration information are different, a configuration information error is recorded, and if the same, the configuration information is stored. That is, safety grade controller. A master sub-rack including a plurality of slots and a processor module and a plurality of first input/output modules respectively mounted on the plurality of slots; And
Including a plurality of slots and at least one slave sub-rack including a plurality of second input/output modules respectively mounted to the plurality of slots,
The processor module sequentially accesses all slots set to be equipped with the input/output module, and when the input/output module is installed in the accessed slot, requests configuration information while providing a random number to the input/output module, and the input/output module receives the random number. Provide configuration information including,
The processor module operates in a first mode that performs at least one of checking and updating the configuration information, or operates in a second mode that performs both checking and updating of the configuration information,
When the processor module is operated in the second mode, if the provided random number and the random number included in the configuration information are different, a configuration information error is recorded, and if the same, the configuration information is stored, and the configuration information and previous configuration information A safety level controller that determines whether is the same and records a configuration information error if the two configuration information is different. The method of claim 13,
The processor module, if the two configuration information are the same, increases the slot number by 1, and then accesses the slot having the increased slot number by 1 when the increased slot number is less than a threshold value. The method of claim 9 or 13,
The input/output module encrypts and provides the configuration information using a public key, and the processor module decrypts the encrypted configuration information using a private key. The method of claim 9 or 13,
The processor module compares the ID included in the configuration information and the ID included in the previous configuration information, and includes at least one of a hardware version, a software version, and a serial number included in the configuration information, and a hardware included in the previous configuration information. A safety level controller that further compares at least one of a version, a software version, and a serial number to determine an error in the configuration information. In the configuration information management method of a safety class controller implemented so that the processor module of the master subrack manages configuration information for the first input/output module of the master subrack and the second input/output module of the slave subrack,
When the processor module sequentially accesses all slots set to mount the input/output module and performs inspection on the configuration information of the input/output module,
Determining whether an input/output module is mounted in the accessed slot;
If the input/output module is mounted in the slot, requesting configuration information while providing a random number to the input/output module;
Receiving configuration information including a random number from the input/output module;
Determining whether the provided random number and the random number included in the configuration information are the same; And
If the two random numbers are different, the method for managing configuration information of a safety level controller comprising the step of recording a configuration information error. The method of claim 17,
If the two random numbers are the same, determining whether the configuration information and previous configuration information are the same; And
If the two configuration information are different, a configuration information error is recorded, and if the two information are the same, the slot number is increased by 1, and if the increased slot number by 1 is less than the threshold value, accessing the slot having the increased slot number by 1 is performed. Containing, a method for managing configuration information of a safety level controller. The method of claim 17,
If the input/output module is not installed in the slot, determining whether the input/output module is installed in the corresponding slot from previous configuration information;
Recording a configuration information error if an input/output module is mounted in the corresponding slot; And
If the input/output module is not installed in the corresponding slot, increasing the slot number by 1, and then accessing the slot having the increased slot number by 1 when the increased slot number is less than the threshold value by 1 How to manage configuration information. The method of claim 17,
When the processor module updates the configuration information of the input/output module,
Determining whether an input/output module is mounted in the accessed slot;
If the input/output module is mounted in the slot, requesting configuration information while providing a random number to the input/output module;
Receiving configuration information including a random number from the input/output module;
Determining whether the provided random number and the random number included in the configuration information are the same; And
And recording a configuration information error if the two random numbers are different, and storing the configuration information in a memory if the two random numbers are the same. The method of claim 20,
If the input/output module is not installed in the slot, increasing the slot number by 1, and then accessing the slot having the increased slot number by 1 when the increased slot number is less than the threshold value by 1, How to manage configuration information. In the configuration information management method of a safety class controller implemented so that the processor module of the master subrack manages configuration information for the first input/output module of the master subrack and the second input/output module of the slave subrack,
When the processor module sequentially accesses all slots set to mount the input/output module to check and update the configuration information of the input/output module,
Determining whether an input/output module is mounted in the accessed slot;
If the input/output module is mounted in the slot, requesting configuration information while providing a random number to the input/output module;
Receiving configuration information including a random number from the input/output module;
Determining whether the provided random number and the random number included in the configuration information are the same; And
And recording a configuration information error if the two random numbers are different, and storing the configuration information in a memory if the two random numbers are the same. The method of claim 22,
After storing the configuration information in a memory, determining whether the configuration information and previous configuration information are the same; And
If the two configuration information are different, a configuration information error is recorded, and if the two information are the same, the slot number is increased by 1, and if the increased slot number by 1 is less than the threshold value, accessing the slot having the increased slot number by 1 is performed. Containing, a method for managing configuration information of a safety level controller. The method of claim 22,
If the input/output module is not installed in the slot, determining whether the input/output module is installed in the corresponding slot from previous configuration information;
Recording a configuration information error if an input/output module is mounted in the corresponding slot; And
If the input/output module is not installed in the corresponding slot, increasing the slot number by 1, and then accessing the slot having the increased slot number by 1 when the increased slot number is less than the threshold value by 1 How to manage configuration information. The method of claim 17 or 22,
When the configuration information from the input/output module is encrypted with a public key, the method further comprising the step of decrypting the encrypted configuration information using a private key. The method of claim 17 or 23,
Determining whether the configuration information and the previous configuration information are the same includes comparing the ID included in the configuration information and the ID included in the previous configuration information, and at least one of a hardware version, a software version, and a serial number included in the configuration information. One, comprising further comparing at least one of a hardware version, a software version, and a serial number included in the previous configuration information, the safety level controller configuration information management method.

Images