Industrial Control System in Automation Technology with Independently Operating Modules

20210149378 · 2021-05-20

    Abstract

    A control system in industrial automation technology includes hardware having at least one processor and at least one storage device, in which applications to be executed by the control system are stored. The control system is configured such that at least two and preferably a plurality of mutually isolated execution environments are provided and/or configured. At least two, and preferably a plurality, of independently executable and/or operating functional modules are included, each of which can be executed and/or operate, in particular exclusively, in an isolated execution environment. The functional modules are characteristic of functions of the control system.

    Claims

    1. A control system in industrial automation technology, comprising: hardware including at least one processor and at least one storage device in which applications to be executed by the control system are stored; a plurality of mutually isolated execution environments; and a plurality of independently executable and/or operating functional modules, each of which is executed and/or operated in an isolated execution environment of the plurality of mutually isolated execution environments, wherein the functional modules of the plurality of functional modules are characteristic of functions of the control system.

    2. The control system according to claim 1, wherein the functions of the control system include at least one of a controller core, an operating system core, applications, and communication.

    3. The control system according to claim 1, further comprising: at least one specified communications channel through which communication and/or interaction between two functional modules of the plurality of functional modules occurs.

    4. The control system according to claim 1, further comprising: at least one central module configured to execute and/or to perform at least one function relating to a functional module of the plurality of functional modules, wherein the at least one function executed and/or performed by the at least one central module is delegated to the at least one central module by one of the functional modules of the plurality of functional modules, and wherein the at least one central module executes and/or performs the at least one function in one of the mutually isolated execution environments of the plurality of mutually isolated execution environments.

    5. The control system according to claim 4, wherein: the at least one central module is configured to ensure security of at least one functional module of the plurality of functional modules and/or the control system, and/or the at least one central module is suitable and/or configured to execute at least one function relating to transport encryption, administration of users and/or groups, and/or enforcement of access restrictions.

    6. The control system according to claim 5, further comprising: an adapter through which at least one functional module of the plurality of functional modules is configured to provide and/or transfer configuration data to the at least one central module, wherein the configuration data are preferably characteristic of a security measure.

    7. The control system according to claim 6, wherein the at least one central module is configured as a proxy for communication requests, for access requests to the applications, and/or for granting access to the applications.

    8. The control system according to claim 4, wherein the control system is configured such that one of the functional modules of the plurality of functional modules performs a function that can be delegated to the at least one central module.

    9. The control system according to claim 4, wherein the control system is configured to verify a trustworthiness of one of the functional modules of the plurality of functional modules that is to be installed and/or executed.

    10. The control system according to claim 1, wherein the control system is included in an automation device.

    11. The control system according to claim 10, wherein the automation device is included in an automation system.

    12. A method in industrial automation technology for operating a control system having hardware including at least one processor and at least one storage device, in which applications to be executed by the control system are stored, the method comprising: executing at least one application of the applications in an isolated execution environment as a functional module; executing at least one central module in another isolated execution environment; and implementing at least one security measure for the functional module with the at least one central module.

    13. The method according to claim 12, wherein a computer program includes commands which cause the control system to execute the method.

    14. The method according to claim 13, wherein the computer program is stored on a machine-readable storage medium.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0052] Further advantages and embodiments are obtained from the attached drawings.

    [0053] In the drawings:

    [0054] FIG. 1 shows a schematic representation of a structure of a monolithic control system according to an embodiment from the prior art; and

    [0055] FIG. 2 shows a schematic representation of a structure of a control system according to the disclosure according to one embodiment.

    DETAILED DESCRIPTION

    [0056] FIG. 1 shows a schematic representation of a structure of a conventional monolithic automation system or control system. Reference sign 1 indicates an automation device. This automation device 1 can comprise (at least partially or completely) a control system, or can also be part of an automation system that has a control system.

    [0057] Reference sign 10 indicates a (physical) hardware device of the industrial control system. Reference sign 30 indicates the operating system layer, for example, a real-time operating system running on the hardware 10. The hardware has, in particular, (at least) one processor and at least one storage device.

    [0058] Reference sign 20 indicates the firmware of the control system. During an update, the section (firmware) labeled with reference sign 20 must be completely replaced, even if an error has occurred in only one component, for example Communication Module #1.

    [0059] FIG. 1 also shows that each application offers services beyond the device boundaries. In FIG. 1, for example, the single-line double arrows illustrate a communication or the data transfer between different components, for example between the individual components 22, 24, 26, 28 and 32 and the external computer 40. Here reference sign 22 indicates a Communication Component #1, reference sign 24 indicates a Real-time Application Component, reference sign 26 indicates a Communication Component #2, reference sign 28 an Application Component #1, and reference sign 32 an Application Component #2. Only the real-time communication component labeled 34 does not have a (direct) communication connection to an external device, the computer 40.

    [0060] FIG. 1 also illustrates the fact that a plurality of components, namely the components labeled with the reference signs 22, 26, 28 and 24, each have a security device indicated by reference sign 5. This security device 5 ensures an (IT) security of the respective component (for example, the communication connection to an external device).

    [0061] The (broader) single arrows illustrate the fact that different components, in this case the Real-time Application Component 24, the Real-time Communication Component 33, the Communication Component #1 labeled by reference sign 22, the Communication Component #2 labeled by reference sign 26, the Application Component #1 labeled by reference sign 28 and the Application Component #2 labeled by reference sign 32, each depend on the operating system module 30. In addition, there are dependencies between the different components, which are also illustrated by (broader) single arrows. For example, the Communication Component #1 (reference sign 22) depends on the Real-time Application Component 24, which in turn depends on the Real-time Communication Component 34.

    [0062] FIG. 2 shows a schematic representation of a structure of a control system according to the disclosure according to one embodiment. In this case an exemplary implementation of a modular (control) system is illustrated. This control system can be arranged in an automation device 1.

    [0063] The individual functional modules, indicated by the reference signs 25, 35, 23, 27, 29 and 33, which here are the Real-time Application Module 25, the Real-time Communication Module 35, the Communication Module #1 labeled with reference sign 23, the Communication Module #2 labeled with reference sign 27, the Application Module #1 labeled with reference sign 29 and the Application Module #2 labeled with reference sign 33, optionally provide the Security Module 40 (generally referred to above as a central module) with configuration data via an adapter 7. In return, the Security Module 40 provides security functions to them. In FIG. 2, the single-line double arrows illustrate a communication (connection) and/or a loose coupling between different modules, in particular between the individual functional modules 23, 35, 23, 27, 29 and 33 on the one hand and the central module, here Security Module 40, on the other.

    [0064] The (broader) single arrows, indicated for example by the reference sign 52, illustrate that the central module (in this case the security module 40), and the functional modules, in this case the Real-time Application Module 25, the Real-time Communication Module 35, the Communication Module #1 labeled with reference sign 23, the Communication Module #2 labeled with reference sign 27, the Application Module #1 labeled with reference sign 29 and the Application Module #2 labeled with reference sign 33, although in each case being dependent on the operating system module 30, are not dependent on any other module or any other functional module. In contrast to the monolithic prior-art control system (e.g. FIG. 1), the individual functional modules are (executable) independently of each other and can be run stand-alone.

    [0065] Access via an external interface, e.g. using a computer 40 via an engineering port, to the applications which use the security module 40 is possible exclusively via one (or more) secured communication channels (labeled by reference sign 50, for instance). If this is not possible, an application can continue to provide (for legacy reasons, for example) a separate communication channel (see the module shown at the right-hand edge of FIG. 2, which shows a direct communication connection to the computer 40 shown by a double arrow).
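The following Python model illustrates the architecture of claims 4 to 9 and 12 as it appears in FIG. 2: functional modules hold only their own state, a single central (security) module administers users and groups, checks a module's trustworthiness before installing it, receives each module's security configuration through an adapter, and acts as the proxy through which every external access request to an application must pass. This is an added example written for this page, not code from the patent or from any product; the module names, image bytes, digests, users and groups are all constructed for the demonstration, and the SHA-256 digest check stands in for whatever trustworthiness verification an implementation would use.

```python
"""Model of the modular control system of claims 4-9 and 12 (added example).
Every functional module exposes its services only through the central module,
which owns users/groups, access rules, integrity checks and the audit trail.
All names, images and digests below are constructed for this demonstration."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class FunctionalModule:
    """One independently executable module (claim 1). It keeps only its own
    state and service handlers and holds no reference to any other module."""
    name: str
    package: bytes                               # image to be installed/executed
    services: Dict[str, Callable[[dict], dict]]  # service name -> handler
    access_rules: Dict[str, Set[str]]            # service -> groups allowed to call it


class CentralSecurityModule:
    """Central module (claims 4-9): user/group administration, enforcement of
    access restrictions, trustworthiness check before install, and proxy for
    every external access request (secured channel 50 in FIG. 2)."""

    def __init__(self, trusted_digests: Dict[str, str]):
        self.trusted_digests = trusted_digests       # module name -> expected SHA-256
        self.groups: Dict[str, Set[str]] = {}
        self.policies: Dict[str, Dict[str, Set[str]]] = {}
        self.installed: Dict[str, FunctionalModule] = {}
        self.audit: List[Tuple[str, ...]] = []

    def add_user(self, user: str, group: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def verify_and_install(self, module: FunctionalModule) -> bool:
        """Claim 9: only a module whose image matches the trusted digest is installed."""
        digest = hashlib.sha256(module.package).hexdigest()
        if self.trusted_digests.get(module.name) != digest:
            self.audit.append(("reject-install", module.name, digest))
            return False
        self.installed[module.name] = module
        self.audit.append(("install", module.name))
        return True

    def accept_configuration(self, module_name: str, rules: Dict[str, Set[str]]) -> bool:
        """Receives a module's security configuration (delivered via the adapter, claim 6)."""
        if module_name not in self.installed:
            return False                         # an unverified module cannot set policy
        self.policies[module_name] = {svc: set(groups) for svc, groups in rules.items()}
        return True

    def proxy(self, user: str, module_name: str, service: str, payload: dict) -> dict:
        """Claim 7: the single entry point for external access requests to applications."""
        def deny(reason: str) -> dict:
            self.audit.append(("deny", user, module_name, service, reason))
            return {"status": "denied", "reason": reason}
        module = self.installed.get(module_name)
        if module is None:
            return deny("unknown module")
        allowed = self.policies.get(module_name, {}).get(service, set())
        if not allowed:
            return deny("no policy for service")  # default deny: no rule, no access
        if not any(user in self.groups.get(g, set()) for g in allowed):
            return deny("user not in an authorized group")
        handler = module.services.get(service)
        if handler is None:
            return deny("unknown service")
        self.audit.append(("allow", user, module_name, service))
        return {"status": "ok", "result": handler(payload)}


def adapter(module: FunctionalModule, central: CentralSecurityModule) -> bool:
    """Adapter 7 (claim 6): hands the module's configuration data to the central module."""
    return central.accept_configuration(module.name, module.access_rules)


def build_demo() -> CentralSecurityModule:
    """Wires two constructed modules, one genuine and one with a modified image,
    to the central module the way FIG. 2 describes."""
    rt_image = b"realtime-app v1 image (constructed)"
    comm_image = b"comm-1 v1 image (constructed)"
    central = CentralSecurityModule({
        "realtime-app": hashlib.sha256(rt_image).hexdigest(),
        "comm-1": hashlib.sha256(comm_image).hexdigest(),
    })
    central.add_user("alice", "operators")
    central.add_user("bob", "engineers")

    state = {"setpoint": 42.0}                   # module-private state

    def write_setpoint(p: dict) -> dict:
        state["setpoint"] = float(p["value"])
        return {"setpoint": state["setpoint"]}

    realtime = FunctionalModule(
        name="realtime-app", package=rt_image,
        services={"read_setpoint": lambda _p: {"setpoint": state["setpoint"]},
                  "write_setpoint": write_setpoint},
        access_rules={"read_setpoint": {"operators", "engineers"},
                      "write_setpoint": {"engineers"}},
    )
    tampered = FunctionalModule(                 # image no longer matches the trusted digest
        name="comm-1", package=comm_image + b" (modified)",
        services={"send": lambda _p: {"sent": True}},
        access_rules={"send": {"operators"}},
    )
    for module in (realtime, tampered):
        if central.verify_and_install(module):
            adapter(module, central)             # only verified modules may register policy
    return central
```

Run `build_demo()` and call `proxy(...)` with different users: reads succeed for operators and engineers, writes only for engineers, and every request to the rejected module is refused because it was never installed. The point of the model is that none of this logic lives in the functional modules themselves, which is exactly the difference between FIG. 1, where each component carries its own security device 5, and FIG. 2, where one central module enforces the policy for all of them.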

    [0066] The applicant reserves the right to claim all features disclosed in the application documents as essential to the disclosure, provided they are novel compared to the prior art, whether individually or in combination. It is also noted that in the individual figures features have also been described, which may be advantageous in isolation. The person skilled in the art will recognize immediately that a particular feature described in a figure may be advantageous even without the incorporation of additional features from the same figure. The person skilled in the art will also recognize that advantages can be obtained by a combination of a plurality of features shown in the drawing.