Method For Updating Process Objects In An Engineering System

Abstract

A method for updating process objects of an automation project stored in an engineering system, wherein an automation device is designed and/or configured via the engineering system to control a technical process and wherein, furthermore, the technical process to be controlled can be operated and monitored via an operator system in which changes to process objects made during the run-time are not lost but secured and are automatically “updated” or “traced” in the engineering system.

Claims

1. A method for updating process objects of an automation project stored in an engineering system, wherein an automation device being at least one of (i) designed and (ii) configured via the engineering system to control a technical process, and the technical process to be controlled being operable and monitored via an operator system, in cases where a change to at least one process object of the process objects is effected during the process control via the operator system, the method comprising: generating an operating alarm via the operator system and storing the alarm in a process image of the operator system, the operating alarm comprising (a) the change and at least one of (i) user object-based values, (ii) action object-based values and (iii) process object-based values to protect against unauthorized changes at the at least one process object of the process objects and (b) an integrity feature to protect the operating alarm against manipulations; supplying the operating alarm to an archive server and storing the supplied operating alarm in the archive server; reading the operating alarm from the archive server via the engineering system; verifying the integrity feature via the engineering system and comparing at least one of (i) the user object-based values, (ii) the action object-based values and (iii) process object-based values with predefined values stored in the engineering system via the engineering system; adopting the change at the at least one process object in the automation project via the engineering system as a function of results of the verification and the comparison.

2. The method as claimed in claim 1, further comprising: supplementing the operating alarm by a marker alarm via the operator system, said marker alarm signaling a grouping of changes.

3. The method as claimed in claim 1, wherein a change adopted in the automation project by the engineering system is acknowledged by the archive server.

4. The method as claimed in claim 2, wherein a change adopted in the automation project by the engineering system is acknowledged by the archive server.

5. The method as claimed in claim 3, wherein a change of the archive servers (7) for an OS client of the operator system is not adopted in the automation project.

6. The method as claimed in claim 1, wherein changes adopted in the automation project and changes not adopted in the automation project are stored in a Security Information and Event Management (SIEM) system.

7. An arrangement having an engineering system and an operator system, an automation project having process objects being stored in the engineering system and an automation device is at least one of designable and configurable via the engineering system to control a technical process, and the technical process to be controlled being operable and monitored via an operator system; wherein, in order to update at least one of the process objects in the automation project for the case of a change to the at least one process object, the operator system being configured to generate an operating alarm and store said generated operating alarm in a process image of the operator system, said operating alarm comprising (a) the change and at least one of (i) user object-based values, (ii) action object-based values and (iii) process object-based values to protect against unauthorized changes at the at least one process object and (b) an integrity feature to protect the operating alarm against manipulations, the operator system being further configured to supply the operating alarm to an archive server, the engineering system being configured to read the operating alarm from the archive server, the engineering system being further configured to verify the integrity feature and compare at least one of (i) the user object-based values, (ii) the action object-based values and (iii) process object-based values with predefined values stored in the engineering system; and wherein the engineering system adopts the change to the at least one process object in the automation project as a function of results of the verification and the comparison.

8. The arrangement as claimed in claim 7, wherein the operator system is configured to supplement the operating alarm by a marker alarm which signals a grouping of changes.

9. The arrangement as claimed in claim 7, wherein the engineering system is configured to acknowledge a change adopted in the automation project by the archive server.

10. The arrangement as claimed in claim 9, wherein the engineering system is configured to acknowledge a change adopted in the automation project by the archive server.

11. The arrangement as claimed in claim 9, wherein the archive server is configured to display a change in the automation project for an OS client of the operator system which is not adopted.

12. The arrangement as claimed in claim 7, wherein the engineering system is configured to store changes adopted in the automation project and changes not adopted in the automation project in a Security Information and Event Management system (SIEM).

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0041] The invention, its embodiments and advantages will be described in more detail below with reference to the drawings, in which an exemplary embodiment of the invention is illustrate, in which:

[0042] FIG. 1 shows a process control system in accordance with the invention;

[0043] FIG. 2 shows a sequence diagram in accordance with the invention;

[0044] FIG. 3 shows the construction of an alarm; in accordance with the invention; and

[0045] FIG. 4 is a flowchart of the method in accordance with the invention.

DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

[0046] The identical parts shown in FIGS. 1 to 3 are provided with identical reference numerals.

[0047] In FIG. 1, reference numeral 1 denotes components of a process control system that comprises an engineering system 2, an operator system provided with an OS client 3 and an OS server 4 as well as a large number of automation components of an automation device. In the present exemplary embodiment, for the sake of simplicity and a better overview, only one automation component is shown in the form of an automation device 5. It should be understood the automation device comprises a large number of automation components to control a system or a technical process, such as a large number of automation devices or a large number of decentralized peripherals, which are connected to the automation devices by a field bus. The automation devices and the decentralized peripherals have intelligent CPU- and/or interface assemblies and a large number of process input and process output assemblies, with sensors being connected to the respective process input assemblies and actuators being connected to the respective process output assemblies. The automation device 5, the further automation devices (not shown here) and decentralized peripherals as well as the engineering system 2 and the OS server 4 are connected to a system bus 6, where the engineering system 2, the operator system 3, 4 and an archive server 7 are moreover connected together by a terminal bus 8.

[0048] With the engineering system 2, a project manager creates an automation project in accordance with an automation task to be achieved, with the project manager designing, configuring and parameterizing the automation device via suitable software of the engineering system 2. In the present exemplary embodiment, it is assumed that an appropriately designed, configured and parameterized process object is stored in the automation device 5 as a controller module 9 that is processed during the process control by a CPU of the automation device 5.

[0049] The operator system 3, 4 enables convenient and safe process monitoring and process management for an operator, where, if required, the operator can intervene in the control of the process sequence, and this means that in the present example the operator can “operate and monitor” the controller module 9 that is to be processed by the automation device 5. For this purpose, the operator accesses via the OS client 3 operating and monitoring software stored in the OS server which is configured in such a way so as to be able to read and/or write access a process image 10 stored in the OS server 4, in order to change or influence, for example, parameters (threshold values, desired values, . . . ) of the controller module 9.

[0050] In the following, it is assumed that the operator changes a parameter in the controller module 9 during the run operation of the automation device 5 via a faceplate 11 of the OS client 3. To “update” this change in the automation project of the engineering system 2. as well as to thereby update the controller module 9 in the automation project, the process image 10 has what is known as a stateless alarm 12 in which, owing to the change in parameter, a BA notifier 13 of a Visualization Service 14 of the operator and monitoring software of the OS server 4 generates an operating alarm 15 and a marker alarm 16 and writes the change into the process image 10. The marker alarm 16 is only generated if the operator triggered these operating alarms, “logically” connected for structuring, via a button and a corresponding dialog in the graphic operator interface of the OS client 3.

[0051] The OS server 4 has lettering means which provide the operating and marker alarm 15, 16 with an integrity feature in the form of a digital signature, with a signature generating method 17 (Sig_Gen) and a Private Key 19 required for signature generation being provided on the OS server 4. The Private Key is of course kept confidential, so that it cannot be compromised. The operating and marker alarms 15, 16 are protected against unauthorized manipulations via an integrity feature of this kind. Safekeeping can be implemented via a highly secure database. In addition to this integrity feature, user-, action- and/or process object-based values are associated with the operating and marker alarms 15, 16 to protect against unauthorized changes to the controller module, for example, associated values in the form of an operator name (who triggered the change or action?), a time stamp (when was the change or action triggered?) and/or a controller identifier. The operating and marker alarms 15, 16 provided with the integrity feature and with associated values are supplied via a Storage Framework 19 of the OS server 4 to the archive server 7 and archived there.

[0052] To transmit the change in parameter stored on the archive server into the engineering system 2 at any time and to adopt the change there in the automation project (so the change made during the run time is not lost when the automation project is next downloaded into the automation device 5 by the engineering system 2) the engineering system 2 has a software component PH engineering client 20. This is designed to implement requests in the archive server 7 to read out the change made during the run time (engineering-relevant date) in the form of the operating and marker alarms 15, 16 and to acknowledge reading out (double arrow 21). For the case where the engineering system 2 has adopted the change in the automation project, the PH engineering client 20 acknowledges the adoption (arrow 22), so that the operating and marker alarms 15, 16 are prevented from being read in again at a later time.

[0053] The archive server 2 indicates to the OS client 3 and therefore the operator whether the change has already been adopted by the engineering system 2. For this purpose, the archive server 7 transmits a message sequence 23, which comprises changes not yet acknowledged by the engineering system 2, to the OS client 3. A graphic display of the unacknowledged operating and marker alarms is possible via this message sequence display.

[0054] The PH engineering client 20 comprises, moreover, two further software components 24, 25 (Inconsistency Handler and Online Verification) that effect the following measures when the change (the engineering-relevant date) is read into the engineering system 2:

[0055] 1) The software component 24 (Inconsistency Handler) checks via the verification of the integrity feature (using the verification method 26 (Sig_Ver) and the Public Key 27 available to it) whether the operating and marker alarms 15, 16 have not been manipulated.

[0056] 2) The software-component 25 then checks by comparing the user-, action- and/or process object-based values of the operating alarm 15 with the predefined values stored in the engineering system 2. Here, the users together with their authorization are stored in the engineering system 2, whereby it is possible to check whether the operator even has the appropriate rights to change the parameter. This rules out unauthorized changes.

[0057] 3) To improve operator rights checking the engineering system can optionally also decode the change and compare or verify the change (arrow 28) online with the corresponding controller module 19 of the automation device 5.

[0058] 4) For the case where the results of verification and comparison are consistent, the change is adopted in the automation project in the engineering system 2 and acknowledged by the archive server 7 (arrow 22).

[0059] 5) If, by contrast, the results are contradictory or inconsistent, the change is not adopted in the automation project, with the rejected change being shown to the operator (arrow 23).

[0060] As already described, the results of implementation of steps (1) to (5), in particular the results of the tests performed are mapped on corresponding security events that are transmitted to a Security Information and Event Management (SIEM) system 29. This enables, in particular, an appropriate response to deviations and/or guidelines infringements of this kind.

[0061] With reference to FIG. 2, shown therein is an exemplary sequence diagram of the process optimization by the operator via the OS client 3 of the operator system 3, 4 and the automation device 5, generation and archiving of operating and marker alarms through to secured and decoupled updating (back annotation) of the changes in parameter in the engineering system 2. With any relevant change in the parameters of the process (e.g., change in a default valve setting of VLVS) by the operator system 3, 4, the corresponding operating alarm is simultaneously generated that comprises (as associated values) all information (process object, parameter, value) to be able to transmit this change at a subsequent time from the archive server 7 into the engineering system 2. During the course of the optimization, which can include a large number of changes in parameter, the operator can generate a marker alarm that marks the optimization made as a section and as information contains a description as to which background the optimization had. The protection of the marker alarms and the sections enclosed between two marker alarms against unnoticed manipulations is achieved (as described) by the generation of an integrity feature in which a sequence diagram and the construction of an alarm are displayed.

[0062] In the present exemplary embodiment, it is assumed that an operator has made a change to a parameter at a controller module (PID), a motor module (MOT) and a valve module (VLSV), and this is illustrated in FIG. 2 by reference numerals 30 to 32. These changes are transmitted to the automation device 5 and simultaneously therewith an operating alarm 33 to 35 is transmitted to the archive server 7 for each change which is stored in the archive server 7 in memory areas 37, 38, 39. Furthermore, the operator generated a marker alarm 36 up to a time and this is stored in a memory area 40 of the archive servers 7. At a subsequent time, the engineering system 2 reads out the memory areas 37, 38, 39, 40 and therefore the operating and marker alarms and acknowledges in the described manner reading out of the alarms and (for the case where the changes were adopted in the automation project) the adoption of these changes.

[0063] FIG. 3 shows a detail of the construction in sections of the engineering-relevant operating alarms 37 to 41 separated by the marker alarms 40, 42. These marker alarms 40, 42 are used not only for structuring, in order to be able to distinguish between different optimization processes during the run time, but also to create the possibility of dedicated rollbacks of individual optimizations in the engineering system 2. In order to prevent a back annotation of engineering-relevant data from the archive server 7 into the engineering system 2 from occurring multiple times, an acknowledgement is written back into the archive server 7 following each reading of a section into the engineering system 2.

[0064] FIG. 4 is a flowchart of the method for updating process objects of an automation project stored in an engineering system 2, where an automation device 5 is either (i) designed and/or (ii) configured via the engineering system 2 to control a technical process, and the technical process to be controlled is operable and monitored via an operator system 3, 4. In cases where a change to at least one process object of the process objects is effected during the process control via the operator system 3, 4, the method comprising generating an operating alarm 15 via the operator system 3, 4 and storing the alarm in a process image 10 of the operator system 3, 4, as indicated in step 410. In accordance with the invention, the operating alarm 15 comprises (a) the change and at least one of (i) user object-based values, (ii) action object-based values and (iii) process object-based values to protect against unauthorized changes at the at least one process object of the process objects and (b) an integrity feature to protect the operating alarm 15 against manipulations.

[0065] Next, the operating alarm 15 is supplied to an archive server 7 and storing the supplied operating alarm 15 in the archive server 7, as indicated in step 420.

[0066] Next, the supplied operating alarm 15 is read from the archive server 7 via the engineering system 2, as indicated in step 430.

[0067] The integrity feature is now verified via the engineering system 2 at least one of (i) the user object-based values, (ii) the action object-based values and (iii) process object-based values is compared with predefined values stored in the engineering system 2 via the engineering system 2, as indicated in step 440.

[0068] Next, the change at the at least one process object in the automation project is adopted via the engineering system (2) as a function of results of the verification and the comparison, as indicated in step 450.

[0069] Thus, while there have shown and described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.