Method for Payment-Based Execution of a Function of a Field Device to be Performed, Corresponding Field Device and Service Unit

20210312408 · 2021-10-07

    Abstract

    A method for execution of a function of a field device includes: selecting a function to be performed from a selection list of functions available to a process control system, and communicating the selected function to a service unit; paying a payment amount specified for the function and confirming the payment to the service unit; determining a derived time value of a service unit and an enable code, and transmitting the enable code to the process control system; forwarding the enable code to the field device; determining a derived time value of the field device, and checking the enable code using the derived time value to determine whether the enable code is generated by the service unit, and determining the function from the enable code; and executing an executable code corresponding to the function in the event the enable code is verified as being generated by the service unit.

    Claims

    1. A method for payment-based execution of a function of a field device to be performed, wherein the field device has an identifier and is connected to a process control system via a first communication channel, the process control system is connected to a service unit via a second communication channel, the field device and the service unit each have at least one time-counting device, and the time-counting devices are synchronized with one another and each provide a time value of the field device and a time value of the service unit, the method comprising: a selection step, wherein the process control system selects the function to be performed on the field device from a selection list of executable functions of the field device available to the process control system, and the process control system communicates the selected function to the service unit; a payment step, wherein a payment amount specified for the function to be performed is paid by a payment service and the payment of the payment amount is confirmed by the payment service to the service unit by transmission of confirmation information; a request step, wherein the service unit determines a derived time value of the service unit, which is dependent on the current time value of the service unit, and an enable code, which is dependent on the function to be performed, and transmits the enable code to the process control system; a forwarding step, wherein the process control system forwards the enable code to the field device; a checking step, wherein the field device determines a derived time value of the field device which is dependent on the current time value of the field device, and checks the enable code using the derived time value of the field device to determine whether the enable code is generated by the service unit, and the field device determines the function to be performed from the enable code; and an execution step, wherein the field device executes an executable code corresponding to the function to be performed in the event that the enable code received by the field device is verified as being generated by the service unit.

    2. The method according to claim 1, wherein a plurality of selection lists of executable functions of a plurality of field devices are stored on the service unit; wherein, in the selection step, the process control system requests from the service unit the selection list of executable functions of the field device with the identifier SN; wherein the service unit makes the requested selection list of executable functions of the field device with the identifier SN available to the process control system; and wherein the function to be performed on the field device is selected in the process control system from the selection list of executable functions.

    3. The method according to claim 1, wherein the selection list of executable functions of the field device with the identifier SN is stored in the field device together with a corresponding description of each individual executable function, wherein the selection list of executable functions of the field device is stored in the service unit; wherein, in the request step, the service unit compiles the enable code from the current derived time value of the service unit and from information about the selected functions of the field device; wherein, in the checking step, the field device determines a transmitted derived time value of the service unit from the transmitted enable code and determines the current derived time value of the field device and, if the transmitted derived time value of the service unit matches the current derived time value of the field device, verifies the transmitted enable code as having been generated by the service unit; and wherein in the execution step, the field device executes the corresponding executable code of the function to be executed in accordance with the description stored in the field device for the transmitted function to be executed.

    4. The method according to claim 3, wherein the current derived time value on the service unit and the current derived time value on the field device are determined in additional dependence on field device-specific information for the function to be performed; and wherein the selection list of executable functions of the field device with the identifier SN includes the field device-specific information for the executable functions or the field device-specific information for the executable functions is determined in each case from the description of the executable functions and the field device identifier SN of the field device.

    5. The method according to claim 3, wherein the executable code of the function to be performed is itself stored as a description of the function to be performed in the field device; or wherein the executable code of the function to be performed is generated from the description of the function to be performed in the field device, and the description comprises at least one of the following: type of function, time period of executability of the function, prevalence of executability of the function, frequency of executability of the function, resolution of the output value of the function.

    6. The method according to claim 1, wherein, in the request step, the service unit determines the executable code corresponding to the function to be performed from the information about the function to be performed, the service unit determines a hash value from the executable code, and the service unit determines the enable code from the executable code and the hash value from the executable code, wherein at least the hash value or the executable code is encrypted by the service unit with the current derived time value of the service unit as symmetric key.

    7. The method according to claim 6, wherein the current derived time value on the service unit and the current derived time value on the field device are determined in additional dependence on the field device identifier SN of the field device.

    8. The method according to claim 6, wherein the enable code on the service unit is composed of the executable code and of the hash value encrypted with the current derived time value of the service unit as a symmetric key.

    9. The method according to claim 8, wherein, in the checking step, the field device decrypts the encrypted part of the received enable code using the current derived time value of the field device as the corresponding symmetric key; and wherein the field device compares the hash value obtained from the decryption and determined on the service unit with a hash value determined by the field device from the executable code received with the enable code and, if the hash values match, the field device verifies the transmitted enable code as being generated by the service unit and executes the received executable code in the execution step.

    10. The method according to claim 6, wherein the enable code on the service unit is compiled from the value pair encrypted with the current derived time value of the service unit as a symmetric key from the executable code and the hash value from the executable code.

    11. The method according to claim 10, wherein, in the checking step, the field device decrypts the received enable code using the current derived time value of the field device as the corresponding symmetric key; wherein the field device compares the hash value obtained from the decryption and determined on the service unit with a hash value determined by the field device from the executable code received with the enable code and, if the hash values match, the field device verifies the transmitted enable code as being generated by the service unit and executes the received executable code in the execution step.

    12. The method according to claim 1, wherein the derived time value dependent on the current time value of the service unit is calculated by the service unit and the derived time value dependent on the current time value of the field device is calculated by the field device, both with a cryptographic hash function using a secret key agreed upon between the field device and the service unit.

    13. The method according to claim 1, wherein in the event that, in the checking step, a generation of the transmitted enable code by the field device using the current derived time value of the field device cannot be verified by the service unit, the field device uses at least one preceding time value and the preceding time value derived therefrom for verification and/or the field device uses at least one future time value and the future time value derived therefrom for verification of the generation of the transmitted enable code by the service unit, and if verification of the generation of the transmitted enable code by the service unit with a past or future derived time value is successful, the verification is evaluated as valid.

    14. The method according to claim 13, wherein the time deviation between the current derived time value and the past or future derived time value leading to successful verification is used to correct the time-counting device of the field device for the purpose of synchronization with the time-counting device of the service unit.

    15. The method according to claim 1, wherein the process control system informs the service unit in the selection step not only of the selected function but also of a future validity time, in that the service unit calculates a future current time value from the current time value of its time-counting device and the time difference to the future validity time, and uses this future current time value for determining the enable code as the current time value.

    16. The method according to claim 1, wherein the payment service is implemented on the process control system or on the service unit or as a separate instance that communicates with the process control system and/or with the service unit.

    17. A field device with a computing unit for executing a function of the field device to be performed, with a communication interface for exchanging data with a process control system, wherein the field device has at least one time-counting device which provides a time value of the field device; and wherein the computing unit is programmed such that the field device can execute a method relating to the field device having the following steps: a forwarding step, wherein the field device receives an enable code from the process control system, the enable code which is dependent on the function to be performed; a checking step, wherein the field device determines a derived time value of the field device which is dependent on a current time value of the field device, and checks the enable code using the derived time value of the field device to determine whether the enable code is generated by a service unit, and the field device determines the function to be performed from the enable code; and an execution step, wherein the field device executes an executable code corresponding to the function to be performed in the event that the enable code received by the field device is verified as being generated by the service unit.

    18. A service unit with a computing unit and with a time-counting device, wherein the time-counting device provides a time value of the service unit; and wherein the computing unit is programmed such that the service unit can execute a method having the following steps: a payment step, wherein payment of a payment amount specified for the function to be performed is confirmed by the payment service to the service unit by transmission of confirmation information; a request step, wherein the service unit determines a derived time value of the service unit, which is dependent on the current time value of the service unit, and an enable code, which is dependent on the function to be performed, and transmits the enable code to the process control system.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0041] In detail, there is now a plurality of possibilities for designing and further developing the method according to the invention, the field device according to the invention and the system according to the invention. For this, reference is made to the following description of embodiments in conjunction with the drawings.

    [0042] FIG. 1 schematically illustrates the device structure for carrying out the method for the payment-based execution of a function of a field device to be carried out.

    [0043] FIG. 2 schematically illustrates the interaction between the field device, the process control system, the service unit and the payment service in the manner of a sequence diagram in a general embodiment.

    [0044] FIG. 3 illustrates the embodiment according to FIG. 2 with an addition regarding the communication between the process control system and the service unit.

    [0045] FIG. 4 schematically illustrates the interaction between the field device, the process control system, the service unit and the payment service in the manner of a sequence diagram in an embodiment using a selection list on the field device.

    [0046] FIG. 5 schematically illustrates the interaction between the field device, the process control system, the service unit and the payment service in the manner of a sequence diagram in an embodiment using a transmitted executable code according to a first variation.

    [0047] FIG. 6 schematically illustrates the interaction between the field device, the process control system, the service unit and the payment service in the manner of a sequence diagram in an embodiment using a transmitted executable code according to a second variation.

    DETAILED DESCRIPTION

    [0048] In each of FIGS. 1 to 6, a method 1 for payment-based execution of a function FLi of a field device F to be performed is illustrated, wherein the field device F has an identifier SN. The field device F is connected to a process control system PCS via a first communication channel 4. FIG. 1 shows the basic device arrangement required to be able to carry out the aforementioned process 1. The field device F here has an identifier SN in the form of a serial number which uniquely identifies the device. The field device F has a computing unit 2 for executing a function FLi of the field device F to be performed. The field device F also has a communication interface 3, which in this case is a field bus interface, in this case according to the HART protocol. The field device F interacts with a technical process not shown here. By means of the communication interface 3, the field device F is connected to the process control system PCS via the first communication channel 4. In common applications, a large number of field devices F are connected to the process control system PCS via a field bus system.

    [0049] The method for the payment-based execution of a function FLi of the field device F to be performed, illustrated below in particular with reference to FIGS. 2 to 6, enables the execution of a function FLi of the field device F on an as-needed and intermittent basis without an additional device having to make direct contact with the field device F, which is required by the state of the art, for example in order to transfer an enable code for the relevant function FLi of the field device F into the field device F.

    [0050] For this, the process control system PCS is connected to a service unit S via a second communication channel 5. The service unit S is a database system of the supplier of the field device F. The service unit S also has a computing unit 6 that is programmed accordingly to implement the functionality described below. The second communication channel 5 is internet-based. The field device F and the service unit S each have a time counting device 7, 8, wherein the time counting devices 7, 8 are synchronized with each other and each provide a time value CLF of the field device F and a time value CLS of the service unit S.

    [0051] The basic principle of all the methods 1 illustrated in FIGS. 2 to 6 will now be explained with reference to FIG. 2. The various communication partners, namely the field device F, the process control system PCS, the service unit S and a payment service PAY to be explained in more detail, are shown here as vertical lines in the manner of a sequence diagram. The arrows between the vertical lines indicate which information is exchanged between the communication partners.

    [0052] In a selection step 9, the process control system PCS selects the function FLi(SN) to be executed on the field device F from a selection list of executable functions FL(SN) of the field device F available to the process control system PCS. The process control system PCS then communicates the selected function FLi(SN) to the service unit S. The selection of the function FL(SN) to be performed is made according to the needs of the operator of the system to which the field device F belongs. For this reason, it makes sense that the selection step 9 is applicably localized in the process control system PCS.

    [0053] In a payment step 10, a payment amount predetermined for the function FLi(SN) to be performed is paid by a payment service PAY, and the payment of the payment amount is confirmed by the payment service PAY to the service unit S by transmitting confirmation information PAID(FLi(SN)). In FIGS. 2 to 6, the payment step 10 is indicated by two dashed horizontal lines, and the payment service PAY is indicated by a separate vertical line for clarity. This is to indicate that the functionality of the payment service PAY can also be located in the process control system PCS and/or the service unit S.

    [0054] In a request step 11, the service unit S determines a derived time value CLS′ of the service unit S dependent on the current time value CLS of the service unit S and an enable code FC dependent on the function FLi(SN) to be performed. The service unit S transmits the enable code FC to the process control system PCS.

    [0055] In a forwarding step 12, the process control system PCS then forwards the enable code FC to the field device F.

    [0056] In a checking step 13, the field device F determines a derived time value CLF′ of the field device F that depends on the current time value CLF of the field device F, and the field device F checks the enable code FC using the derived time value CLF′ of the field device F to determine whether the enable code FC is generated by the service unit S (this is indicated in FIG. 2 by the pseudo code “Orig(FC, CLF′)?=S”). Furthermore, the field device F determines the function FLi(SN) to be performed from the enable code FC.

    [0057] In an execution step 14, in case the enable code FC received by the field device F is verified as generated by the service unit S, the field device F executes an executable code FLi(SN)CD corresponding to the function FLi(SN) to be performed (this is indicated in FIG. 2 by the pseudo code “do(FLi(SN)CD)”).

    [0058] The advantage of the method described here with reference to FIG. 2 is that the processing of the payment and the generation of an enable code FC, as well as the transmission of the enable code FC into the field device F, are fully implemented without contacting the field device via an additional communication channel. Due to the generation of the enable code FC using (derived) time information, the enable code functions only with a time limit based on its time reference. A renewed transmission of the enable code from the process control system to the field device is therefore ineffective.

    [0059] The method according to FIG. 3 essentially corresponds to the method shown in FIG. 2, but it is additionally explained here how the process control system PCS comes to know the selection list FLi(SN) of the field device F with the identifier SN. Several selection lists of executable functions FL(SN) of several field devices F are stored in the service unit S, ideally all selection lists of all field devices of the supplier of the field devices are stored in the service unit S. In the selection step 9, the process control system PCS requests from the service unit S the selection list of executable functions FL(SN) of the field device F with the identifier SN. The service unit S then provides the process control system PCS with the requested selection list of executable functions FL(SN) of the field device F with the identifier SN. In the process control system PCS, the function FLi(SN) to be executed on the field device F is then selected from the selection list of executable functions FL(SN). In the present case, the selection list of executable functions FL(SN) also includes corresponding price information for the execution of the functions of the field device F listed in the selection list.

    [0060] FIG. 4 shows an embodiment of the method 1 in which it is assumed that the field device F itself has a complete list of functions FL(SN) that are executable on it. Accordingly, the selection list of executable functions FL(SN) of the field device F is stored in the field device F with the identifier SN, together with a corresponding description p1, p2, . . . , pn of each individual executable function FLi(SN). As already explained in the general embodiment, the service unit S also stores the selection list of executable functions FL(SN) of the field device F.

    [0061] In the request step 11, the service unit S compiles the enable code FC=[FLi(SN); CLS′] from the current derived time value CLS′ of the service unit S and from information about the selected functions FLi(SN) of the field device F. In the checking step 13, the field device F determines a transmitted derived time value CLS′ of the service unit S and the current derived time value CLF′ of the field device F from the transmitted enable code FC. If the transmitted derived time value CLS′ of the service unit S matches the current derived time value CLF′ of the field device F, the transmitted enable code FC is verified as having been generated by the service unit S.

    [0062] In execution step 14, the field device F executes the corresponding executable code FLi(SN)CD of the function FLi(SN) to be executed according to the description stored in the field device F for the transmitted function FLi(SN) to be executed.

    [0063] The list of functions FL(SN) executable on the field device F stored in the field device F indicates two different possibilities for implementing the descriptions of the corresponding functions. One variation is characterized in that the executable code FL1(SN)CD, FLi(SN)CD of the function FL1(SN), FLi(SN) to be performed, itself is stored in the field device F as a description of the function FLi(SN) to be performed. In the other variation, the executable code FLi(SN)CD of the function FLi(SN) to be performed is generated from the description p1, p2, p3 of the function FLi(SN) to be performed in the field device F. In this case, the description p1, p2, p3 includes at least one of the following: type of function, time period of executability of the function, prevalence of executability of the function, frequency of executability of the function, resolution of the output value of the function. It is considered advantageous in this variation of the method 1 that the enable code transmits the selected function FLi to be performed without encryption, so that the process control system PCS has a possibility to check whether the selected function FLi(SN) to be performed transmitted to the field device corresponds to the function actually selected beforehand.

    [0064] The embodiment of the method 1 according to FIG. 4 is further characterized in that the current derived time value CLS′ on the service unit S and the current derived time value CLF′ on the field device F are determined in additional dependence on field device-specific information for the function FLi(SN) to be performed. In the present case, the selection list of executable functions FL(SN) of the field device F with the identifier SN includes the field device-specific information for the executable functions FL(SN), which is not shown in detail but is easily understandable. All in all, this achieves an increased degree of manipulation security.

    [0065] The methods 1 illustrated in FIGS. 5 and 6 do not require a selection list of executable functions FL(SN) stored in the field device F. For this, in the request step 11, the service unit S determines the executable code FLi(SN)CD corresponding to the function FLi(SN) to be performed from the information about the function FLi(SN) to be performed. The service unit S further determines a hash value Hash_S(FLi(SN)CD) from the executable code FLi(SN)CD. Finally, the service unit S determines the enable code FC from the executable code FLi(SN)CD and the hash value Hash_S(FLi(SN)CD) from the executable code FLi(SN)CD, wherein at least the hash value Hash_S(FLi(SN)CD) is encrypted by the service unit S with the current derived time value CLS′ of the service unit S as a symmetric key.

    [0066] In addition, it is implemented in the presented methods that the current derived time value CLS′ on the service unit S and the current derived time value CLF′ on the field device F are determined in additional dependence on a unique identifier of the field device F, wherein here the field device identifier SN of the field device F is used as unique identifier of the field device F.

    [0067] It is also conceivable to use the unique identifier of the field device F as the symmetric key instead of the derived time value CLS′ of the service unit S, since this is present both in the service unit S and in the field device F. However, the method would then be vulnerable to replay attacks by the process control system PCS.

    [0068] The embodiment of method 1 shown in FIG. 5 is characterized in that the enable code FC on the service unit S is composed of the executable code FLi(SN)CD and of the hash value Hash_S(FLi(SN)CD) encrypted with the current derived time value CLS′ of the service unit S as symmetric key, so that the following results as enable code:

    FC = [FLi(SN)CD; EC_CLS′(Hash_S(FLi(SN)CD))].

    [0069] This variation of the method 1 also has the advantage that the enable code contains an unencrypted reference to the function FLi(SN) to be performed, in this case in the form of the corresponding executable code. In any case, the process control system also has the possibility, in this case, to check the enable code FC transmitted to the field device F to see whether it contains the function FLi(SN) actually selected.

    [0070] In the checking step 13, the field device F decrypts the encrypted part EC_CLS′(Hash_S(FLi(SN)CD)) of the received enable code FC with the current derived time value CLF′ of the field device F as the corresponding symmetric key DC_CLF′(EC_CLS′). The field device F then compares the hash value Hash_S(FLi(SN)CD) obtained from the decryption and determined on the service unit S with a hash value Hash_F(FLi(SN)CD) determined by the field device F from the executable code FLi(SN)CD received with the enable code FC. If the hash values Hash_S, Hash_F match, the field device F verifies the transmitted enable code FC as having been generated by the service unit S. In this case, the field device F executes the received executable code FLi(SN)CD (do(FLi(SN)CD)) in the execution step 14.

    [0071] The variation of the method 1 shown in FIG. 6 is characterized in that the enable code FC on the service unit S is composed of the value pair [Hash_S(FLi(SN)CD); FLi(SN)CD] from the executable code FLi(SN)CD encrypted with the current derived time value CLS′ of the service unit S as a symmetric key, so that as a result the enable code is:

    FC = EC_CLS′[FLi(SN)CD, Hash_S(FLi(SN)CD)].

    [0072] In the checking step 13, the field device F decrypts the received enable code FC using the current derived time value CLF′ of the field device F as the corresponding symmetric key DC_CLF′(FC). The field device F compares the hash value Hash_S(FLi(SN)CD) obtained from the decryption and determined on the service unit S with a hash value Hash_F(FLi(SN)CD) determined by the field device F from the executable code FLi(SN)CD received with the enable code FC. If the hash values Hash_S, Hash_F match, the field device F verifies the transmitted enable code FC as having been generated by the service unit S. In this case, the field device F in turn executes the received executable code FLi(SN)CD in the execution step 14.

    [0073] In the embodiments of the method 1 shown in FIGS. 2 to 6, it is implemented that the derived time value CLS′ dependent on the current time value CLS of the service unit S is calculated by the service unit S and the derived time value CLF′ dependent on the current time value CLF of the field device F is calculated by the field device F with a cryptographic hash function using at least one secret key agreed upon between the field device F and the service unit S.

    [0074] In the embodiments shown in FIGS. 2 to 6, it is also implemented that in the event that, in the checking step 13, a generation of the transmitted enable code FC by the service unit S cannot be verified by the field device F using the current derived time value CLF′ of the field device F, the field device uses at least one previous time value CLF and the previous time value CLF′ derived therefrom for verification and/or the field device uses at least one future time value CLF and the future time value CLF′ derived therefrom for verification of the generation of the transmitted enable code FC by the service unit S, and if verification of the generation of the transmitted enable code FC by the service unit S with a past or future derived time value CLF′ is successful, the verification is deemed valid. This measure allows for the method to be used even if the time counting devices 7,8 on the field device and on the service unit have diverged slightly, for example, with increasing operating time.

    [0075] This procedure also offers the advantage that the time deviation between the current derived time value CLF′ and the past or future derived time value CLF′ leading to successful verification is used to correct the time counting device 7 of the field device F for synchronization with the time counting device 8 of the service unit S.
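
    Added example, not part of the patent text: a Python sketch of the FIG. 4 variant ([0061], [0064]) with the keyed derivation of [0073] and the past/future tolerance and clock correction of [0074] and [0075]. HMAC-SHA256, the 60-second time step, the window of one step either side, the field encoding and all function and device names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumption: one derived time value per 60-second step
WINDOW = 1         # assumption: accept one past and one future step ([0074])


def lp(field: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be confused."""
    return struct.pack(">H", len(field)) + field


def derived_time_value(secret: bytes, clock: int, sn: str, function_id: str) -> bytes:
    """CLS' / CLF': keyed hash ([0073]) over the time step, the identifier SN
    and the function to be performed ([0064]). HMAC-SHA256 is an assumption."""
    step = clock // STEP_SECONDS
    msg = struct.pack(">Q", step) + lp(sn.encode()) + lp(function_id.encode())
    return hmac.new(secret, msg, hashlib.sha256).digest()


def issue_enable_code(secret, cls, sn, function_id, paid):
    """Request step 11 on the service unit S: FC = [FLi(SN); CLS'].
    'paid' stands in for the confirmation information PAID(FLi(SN))."""
    if not paid:
        raise PermissionError("no payment confirmation for this function")
    return (function_id, derived_time_value(secret, cls, sn, function_id))


class FieldDevice:
    """Field device F holding its selection list FL(SN) (hypothetical model)."""

    def __init__(self, secret, sn, functions, clock_offset=0):
        self.secret = secret
        self.sn = sn
        self.functions = functions        # function id -> executable code
        self.clock_offset = clock_offset  # drift of counter 7 in seconds

    def check_and_execute(self, fc, true_time):
        """Checking step 13 and execution step 14. Returns the function's
        result, or None when FC is not verified as generated by S."""
        function_id, cls_derived = fc
        if function_id not in self.functions:
            return None
        clf = true_time + self.clock_offset  # current time value CLF
        # Current step first, then past and future steps ([0074]).
        deltas = [0]
        for k in range(1, WINDOW + 1):
            deltas += [-k, k]
        for delta in deltas:
            clf_derived = derived_time_value(
                self.secret, clf + delta * STEP_SECONDS, self.sn, function_id)
            # Constant-time comparison of CLS' against the candidate CLF'.
            if hmac.compare_digest(clf_derived, cls_derived):
                # [0075]: use the deviation to correct the device clock
                # (whole-step granularity in this sketch).
                self.clock_offset += delta * STEP_SECONDS
                return self.functions[function_id]()
        return None


# Constructed sample values, not taken from the patent.
SECRET = b"constructed-shared-secret"
SN = "SN-0001"
T0 = 1_700_000_000
FUNCTIONS = {
    "diag_basic": lambda: "basic diagnostics executed",
    "diag_extended": lambda: "extended diagnostics executed",
}

if __name__ == "__main__":
    device = FieldDevice(SECRET, SN, FUNCTIONS, clock_offset=-60)
    fc = issue_enable_code(SECRET, T0, SN, "diag_extended", paid=True)
    print(device.check_and_execute(fc, T0 + 5))   # verified via the future step
    print(device.clock_offset)                    # corrected to 0
    print(device.check_and_execute(fc, T0 + 300)) # stale code: None
```

    A code replayed within the accepted window still verifies, so the time step bounds the replay interval rather than removing it; a stale code, an altered function identifier or a different SN fails the check.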