SYSTEM AND METHOD FOR MANAGING SWITCHED HIERARCHICAL CONTROL STATES

Abstract

An input-output apparatus is provided. The apparatus includes a lower-level layer interface connected to a field device, a higher-layer interface connected to a controller, a maintenance interface connected to a setting apparatus, a switch, and a control device. The switch switches between a first connection and a second connection. The control device, in an engineering mode, permits the switch to transition freely between the first connection and the second connection, and in an operation mode, controls the switch to switch to the first connection and prohibits communication through the maintenance interface. In response to a permission command received through the higher-level layer interface, the control device permits communication through the maintenance interface, and in response to a connection request received through the maintenance interface when the control device permits communication with the maintenance interface, the control device controls the switch to switch from the first connection to the second connection.

Claims

1. An input-output apparatus comprising: a lower-level layer interface to which a field device in the plant is connected; a higher-level layer interface to which a controller that is configured to control the field device in the plant is connected; a maintenance interface to which an external setting apparatus is connected; a switch which switches between a first connection of the higher-level layer interface to the lower-level layer interface and a second connection of the maintenance interface to the lower-level layer interface; and a control device which: in an engineering mode for engineering of the process control system permits the switch to transition freely between the first connection and the second connection, and in an operation mode for performing maintenance of the process control system while the process control system is performing process control, controls the switch to switch to the first connection and prohibits communication through the maintenance interface, in response to a permission command received through the higher-level layer interface, permits communication through the maintenance interface, and in response to a connection request received through the maintenance interface when the control device permits communication with the maintenance interface, controls the switch to switch from the first connection to the second connection.

2. An input-output apparatus comprising: a lower-level layer interface to which a field device in the plant is connected; a higher-level layer interface to which a controller that is configured to control the field device in the plant is connected; a maintenance interface to which an external setting apparatus is connected; a first switch which switches between a first connection of the higher-level layer interface to the lower-level layer interface and a second connection of the maintenance interface to the lower-level layer interface; a second switch that permits or restricts access to the input-output apparatus through the maintenance interface; and a control device which: in an engineering mode for engineering of the process control system controls the second switch to permit access and controls the first switch to transition freely between the first connection and the second connection, and in an operation mode for performing maintenance of the process control system while the process control system is performing process control, controls the first switch to switch to the first connection and controls the second switch to restrict access, in response to a permission command received through the higher-level layer interface, controls the second switch to permit access, and in response to a connection request received through the maintenance interface when the second switch permits access, controls the first switch to switch from the first connection to the second connection.

3. The input-output apparatus according to claim 2, wherein the control device sets the second switch to an open state to restrict access, and sets the second switch to a closed state to permit access.

4. An input-output apparatus comprising: a lower-level layer interface to which a field device in the plant is connected; a higher-level layer interface to which a controller that is configured to control the field device in the plant is connected; a maintenance interface to which an external setting apparatus is connected; a first switch which switches between a first connection of the higher-level layer interface to the lower-level layer interface and a second connection of the maintenance interface to the lower-level layer interface; a second switch that permits or restricts access to the input-output apparatus through the maintenance interface; and a control device which: in an engineering mode for engineering of the process control system controls the second switch to permit access and controls the first switch to transition freely between the first connection and the second connection, and in an operation mode for performing maintenance of the process control system while the process control system is performing process control, controls the input-output apparatus to transition among a first state, and second state and a third state, in the first state, the second switch restricts access and the first switch is switched to the first connection, in the second state, the second switch permits access and the first switch is switched to the first connection, and in the third state, the second switch permits access and the first switch is switched to the second connection. wherein in the operation mode, the control device: changes from the first state to the second state in response to a permission command received through the higher-level layer interface, changes from the second state to the first state in response to a connection request from the higher-level layer interface, changes from the second state to the third state in response to a connection request from the maintenance interface, and changes from the third state to the second state in response to blocking of communication with the external setting apparatus.

5. The input-output apparatus according to claim 4, wherein the control device sets the second switch to an open state to restrict access, and sets the second switch to a closed state to permit access.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0037] FIG. 1 is a block diagram showing an overall configuration of a process control system in which an input-output apparatus is used according to a first embodiment of the present invention;

[0038] FIG. 2 is a diagram showing switch states in each of transition states of an I/O module according to the first embodiment of the present invention;

[0039] FIG. 3 is a state transition diagram for a case where an operation mode of the I/O module is set to an engineering mode according to the first embodiment of the present invention;

[0040] FIG. 4 is a state transition diagram for a case where the operation mode of the I/O module is set to an operating mode according to the first embodiment of the present invention;

[0041] FIG. 5 is a block diagram showing a configuration of main parts of the input-output apparatus according to a second embodiment of the present invention;

[0042] FIG. 6 is a diagram showing switch states in each of the transition states of the I/O module according to the second embodiment of the present invention; FIG. 7 is a state transition diagram for a case where the operation mode of the I/O module is set to an operating mode according to the second embodiment of the present invention; and

[0043] FIG. 8 is a block diagram showing an example configuration of the process control system including a plurality of controllers and I/O modules.

DETAILED DESCRIPTION OF THE INVENTION

[0044] Details of an input-output apparatus according to some embodiments of the present invention are described below with reference to the drawings.

First Embodiment

[0045] FIG. 1 is a block diagram showing an overall configuration of a process control system in which an input-output apparatus according to an embodiment is used. As shown in FIG. 1, a process control system 1 may include a field device 11, an I/O module (input-output apparatus) 12, a controller 13, an operation monitoring terminal 14, and an engineering terminal 15. In response to instructions and the like from the operation monitoring terminal 14, the controller 13 controls the field device 11, thus performing control of industrial processes which are realized in a plant (not shown). A setting apparatus 16 shown, details of which are described below, is an apparatus used for performing a variety of settings, etc., on the field device 11 and the I/O module 12 at the time of launching and maintenance of the process control system 1.

[0046] Here, the field device 11 and the I/O module 12 are connected by a transmission line C1, and the I/O module 12 and the controller 13 are connected by a cable C2. Moreover, the controller 13, the operation monitoring terminal 14, and the engineering terminal 15 are connected to a control network N. The control network N may be a network that connects a plant site and a monitoring room, for example.

[0047] The field device 11 may include, for example, sensor devices such as a flow rate meter, a temperature sensor, etc., valve devices such as a flow rate control valve, an on-off valve, etc., actuator devices such as a fan, a motor, etc., and other devices installed at a plant site. In the present embodiment, for ease of understanding, an example is taken of a case in which a state amount in an industrial process to be controlled is a fluid flow rate. Accordingly, of a plurality of field devices 11 installed at the plant, one sensor device 11a for measuring the fluid flow rate and one valve device 11b for controlling (operating) the fluid flow rate are illustrated in FIG. 1.

[0048] The I/O module 12 is provided between the field device 11 and the controller 13, and a plurality of field devices 11 can be connected thereto. The I/O module 12 processes signals input and output between the connected field device 11 and the controller 13. For example, the I/O module 12 performs a process of converting a signal acquired from the field device 11 to a signal which can be received by the controller 13. The I/O module 12 connects the plurality of field devices 11 to the controller 13, and also relays signals input and output by the field device 11, as well as signals input and output by the controller 13. Details of the I/O module 12 are explained below.

[0049] The controller 13 communicates with the field device 11 in response to instructions and the like from the operation monitoring terminal 14 to control the field device 11. Specifically, the controller 13 acquires process values measured by a certain field device 11 (a sensor device 11a, for example), operates on an operation amount of another field device 11 (a valve device 11b, for example) to transmit the operated result, thus controlling the other field device 11 (the valve device 11b, for example).

[0050] The operation monitoring terminal 14 is a terminal which is operated by a plant operator, for example, to be used for monitoring processes. Specifically, the operation monitoring terminal 14 acquires input and output data of the field device 11 from the controller 13 to convey the behavior of the field device 11 and the controller 13, which configure the process control system 1, to the operator, and operates the controller 13 based on instructions from the operator.

[0051] The engineering terminal 15 generates information to be set to the field device 11, the I/O module 12, and the controller 13, based on process design information, which is design information of the process control system 1. The information generated by the engineering terminal 15 includes information relating to input and output between the field device 11 and the I/O module 12.

[0052] The setting apparatus 16 is connected to the I/O module 12 at the time of launching and maintenance of the process control system 1. The setting apparatus 16 uses information acquired from the engineering terminal 15 to make a variety of settings on the field device 11 and the I/O module 12. The setting apparatus 16 can be used to make settings on and adjustments to the field device 11 and the I/O module 12 even in states in which the controller 13 is not connected to the I/O module 12 or states in which the controller 13 is not operating though connected to the I/O module 12.

[0053] Next, the internal configuration of the I/O module 12 is explained in detail. As shown in FIG. 1, the I/O module 12 includes a lower-level layer interface 21 (first interface), a higher-level layer interface 22 (second interface), a maintenance port 23 (third interface), a switch 24 (switcher), a switch 25, a control device 26, and a memory 27.

[0054] The lower-level layer interface 21 includes a plurality of I/O ports P connected to the field device 11 (lower-level apparatus), and transmits and receives a variety of signals to and from the field device 11 connected to the I/O ports P. Here, the I/O ports P can make an analog signal input from the field device 11, an analog signal output to the field device 11, a digital signal input (discrete input) from the field device 11, and a digital signal output (discrete output) to the field device 11. Which of the above-described inputs and outputs is performed by the I/O ports P is set by instructions from the setting apparatus 16.

[0055] The higher-level layer interface 22 is connected to the controller 13 (higher-level apparatus) through a cable C2, and transmits and receives various signals to and from the controller 13. The maintenance port 23 transmits and receives various signals to and from the setting apparatus 16 via a connection cable (not shown) or by a wireless connection. Wired interfaces such as USB (Universal Serial Bus), Ethernet (registered trademark), etc., as well as wireless interfaces that perform wireless communications in compliance with wireless communications standards such as Wi-Fi (registered trademark), Bluetooth (registered trademark), etc., for example, may be used as the maintenance port 23.

[0056] Under a control of the control device 26, the switch 24 switches between connecting the higher-level layer interface 22 to the lower-level layer interface 21 and connecting the maintenance port 23 to the lower-level layer interface 21. Specifically, the switch 24 includes a terminal (terminal O, meaning online) connected to the higher-level layer interface 22 and a terminal (terminal M, meaning maintenance) connected to the maintenance port 23. When the switch 24 is connected to the terminal O, the higher-level layer interface 22 is connected to the lower-level layer interface 21. When the switch 24 is connected to the terminal M, the maintenance port 23 is connected to the lower-level layer interface 21.

[0057] Under a control of the control device 26, the switch 25 sets a space between the maintenance port 23 and the controller 26 to be an on state (closed state) or an off state (open state). The switch 25 is provided for restricting access to the maintenance port 23 (more precisely, access to the I/O module 12 through the maintenance port 23). Here, it is desirable that the switches 24 and 25 be hardware switches from a viewpoint of maintaining security.

[0058] The controller 26 controls the switches 24 and 25 based on a signal input through the higher-level layer interface 22 or a signal input through the maintenance port 23. The memory 27 is a non-volatile memory such as a flash ROM (Read Only Memory) or an EEPROM (Electrically Erasable and Programmable ROM), for example, and stores information that shows the operation mode and the transition state of the I/O module 12. Information stored in the memory 27 may be referenced by the engineering terminal 15 or the setting apparatus 16, for example, to check the operation mode and the transition state of the I/O module 12.

[0059] Here, the operation mode of the I/O module 12 includes an engineering mode and an operating mode. The engineering mode is an operation mode which is envisioned for use at the time of engineering (launching) when process control is not being performed with the controller 13, etc., being not yet connected or running. The operating mode is an operation mode which is envisioned for a case in which maintenance of the device that makes up the process control system 1 is carried out while operating (while process control is being performed). The operation mode of the I/O module 12 is set to the engineering mode at the time of factory shipment. After incorporating the I/O module 12 into the process control system 1, the operation mode of the I/O module 12 is switched based on instructions from the engineering terminal 15 (or the operation monitoring terminal 14).

[0060] The I/O module 12 can transition to the following two states (see FIG. 3) when the operation mode thereof is set to the engineering mode:

[0061] an online state ST11 (first state); and

[0062] a maintenance state ST12 (second state).

[0063] Moreover, the I/O module 12 can transition to the following three states (see FIG. 4) when the operation mode thereof is set to the operating mode:

[0064] an online/M-port disable state ST13 (third state);

[0065] an online/M-port enable state ST14 (first state); and

[0066] the maintenance state ST12 (second state).

[0067] The online state ST11 is a state in which the lower-level layer interface 21 and the higher-level layer interface 22 can be connected to conduct communications between the field device 11 and the controller 13. The maintenance state ST12 is a state in which the lower-level layer interface 21 and the maintenance port 23 can be connected to conduct communications between the setting apparatus 16 and the field device 11.

[0068] The online/M-port disable state ST13 is a state in which the lower-level layer interface 21 and the higher-level layer interface 22 can be connected to conduct communications between the field device 11 and the controller 13, and access to the maintenance port 23 is disabled. The online/M-port enable state ST14 is a state in which the lower-level layer interface 21 and the higher-level layer interface 22 can be connected to conduct communications between the field device 11 and the controller 13, and access to the maintenance port 23 is enabled.

[0069] The above-described state transitioning is performed by the control device 26 controlling the switches 24 and 25. FIG. 2 is a diagram showing switch states in each of the transition states of the I/O module according to the first embodiment of the present invention. Moreover, FIG. 3 is a state transition diagram for a case where the operation mode of the I/O module is set to the engineering mode according to the first embodiment of the present invention. Furthermore, FIG. 4 is a state transition diagram for a case where the operation mode of the I/O module is set to the operating mode according to the first embodiment of the present invention.

[0070] As illustrated in FIG. 2, when the operation mode is set to the engineering mode, control of the control device 26 causes the switch 25 to be in an always on state (a state where access to the maintenance port 23 is permitted). Then, a control of the control device 26 causes the switch 24 to be connected to the terminal O to transition to the online state (the online state ST11 in FIG. 3) and causes the switch 24 to be connected to the terminal M to transition to the maintenance state (the maintenance state ST12 in FIG. 3).

[0071] Here, as shown in FIG. 3, transitioning from the online state ST11 to the maintenance state ST12 is made when a connection request from the maintenance port 23 (a connection request from the setting apparatus 16 to the lower-level layer interface 21) is input. Moreover, transitioning from the maintenance state ST12 to the online state ST11 is made when communications with the setting apparatus 16 through the maintenance port 23 are blocked, or when there is a transition instruction (instruction to transition to the online state ST11) from the setting apparatus 16. Examples in which communications with the setting apparatus 16 are blocked include when the setting apparatus 16 stops functioning, when the setting apparatus 16 is removed from the maintenance port 23, etc.

[0072] As shown in FIG. 2, when the operation mode is set to the operating mode, a control of the control device 26 causes the switch 25 to be in an off state (a state in which access to the maintenance port 23 is disabled), and causes the switch 24 to be connected to the terminal O, causing transitioning to the online/M-port disable state (the online/M-port disable state ST13 in FIG. 4). Moreover, control of the control device 26 causes the switch 25 to be in an on state, causes the switch 24 to be connected to the terminal O, causing transitioning to the online/M-port permission state (the online/M-port permission state ST14 in FIG. 4), and causes the switch 24 to be connected to the terminal M, causing transitioning to the maintenance state (the maintenance state ST12 in FIG. 4).

[0073] Here, as shown in FIG. 4, transitioning from the online/M-port disable state ST13 to the online/M-port enable state ST14 is made when a permission command (a command from the higher-level layer interface 22 (or a command from the engineering terminal 15 (or the operation monitoring terminal 14) that indicates that access to the maintenance port 23 be permitted via the controller 13) is input. Transitioning from the online/M-port permission state ST14 to the maintenance state ST12 is performed when a connection request from the maintenance port 23 (a connection request from the setting apparatus 16 to the lower-level layer interface 21) is input.

[0074] Moreover, transitioning from the maintenance state ST12 to the online/M-port permission state ST14 is made when communications with the setting apparatus 16 through the maintenance port 23 is blocked, or when a transition instruction from the setting apparatus 16 (an instruction to cause transitioning to the online/M-port permission state ST14) is made. Transitioning from the online/M-port permission state ST14 to the online/M-port disable state ST13 is performed when a connection request from the higher-level layer interface 22 (for example, a connection request from the engineering terminal 15 to the lower-level layer interface 21) is input.

[0075] Next, operations of the I/O module 12 configured as described above is explained. Below, an operation at the time of launching the process control system 1 (launching operation) is explained, after which an operation at the time of performing maintenance on devices that make up the process control system 1 (maintenance operation) is explained.

[0076] (Launching Operation)

[0077] At the time of launching the process control system 1, the field device 11 and the I/O module 12 that are factory shipped are installed at a site (plant site), wired in, and connected by the transmission line C1. During the initial launching stage of the process control system 1, the I/O module 12 and the controller 13 are not connected. Once the above-described wiring is completed, the setting apparatus 16 is connected to the maintenance port 23 of the I/O module 12 to perform various settings on the field device 11 and the I/O module 12.

[0078] Here, as described above, the I/O module 12 has the operation mode at the time of factory shipment set to the engineering mode, and the switch 25 thereof set to an on state (see FIG. 2). Therefore, when a connection request from the setting apparatus 16, which is connected to the maintenance port 23, to the lower-level layer interface 21 is output, the connection request is input to the control device 26 through the maintenance port 23 and the switch 25 in order. Then, a control of the control device 26 causes the switch 24 to be connected to the terminal M. In this way, the I/O module 12 transitions from the online state ST11 to the maintenance state 12 as shown in FIG. 3.

[0079] Transitioning of the I/O module 12 to the maintenance state ST12 makes possible communications between the setting apparatus 16 and the field device 11. Therefore, an operator operates the setting apparatus 16 to perform various settings, adjustments, etc., on the field device 11 and the I/O module 12. When such settings are completed and the operator stops functioning of the setting apparatus 16, or when the operator removes the setting apparatus 16 from the maintenance port 23, the I/O module 12 transitions from the maintenance state ST12 to the online state ST11 as shown in FIG. 3. The I/O module 12 also transitions from the maintenance state ST12 to the online state ST11 when there is a transition instruction from the setting apparatus 16.

[0080] In this way, the I/O module 12 has the operation mode at the time of factory shipment set to the engineering mode, so that access to the maintenance port 23 is permitted (the switch 25 is in an on state). Accordingly, the setting apparatus 16 may be connected to the maintenance port 23 of the I/O module 12 and a connection request to the lower-level layer interface 21 is made to cause the I/O module 12 to transition from the online state ST11 to the maintenance state ST12. Therefore, various settings on the field device 11 and the I/O module 12 that need to be made at the time of launching the process control system 1 may be carried out efficiently.

[0081] (Maintenance Operation)

[0082] The operation mode of the I/O module 12 is set to the operating mode while process control is being performed by the process control system 1. The state of the I/O module 12 is basically the online/M-port disable state ST13 (see FIG. 4). In other words, the lower-level layer interface 21 and the higher-level layer interface 22 can be connected to make communications between the field device 11 and the controller 13 possible and to disable access to the maintenance port 23 (the switch 25 is in an off state).

[0083] When performing maintenance on the device that makes up the process control system 1, first a permission command (a command indicating that access to the maintenance port 23 of the I/O module 12 be permitted) from the engineering terminal 15 (or from the operation monitoring terminal 14) to the I/O module 12 is transmitted. This permission command is input to the control device 26 through the controller 13 and the higher-level layer interface 22 of the I/O module 12. Then, a control of the control device 26 causes the switch 25 to be in an on state. The I/O module 12 thus transitions from the online/M-port disable state ST13 to the online/M-port enable state ST14 as shown in FIG. 4.

[0084] Here, when the setting apparatus 16 is connected to the maintenance port 23 of the I/O module 12, and a connection request to the lower order interface 21 is output from the setting apparatus 16, a control of the control device 26 causes the switch 24 to be connected to the terminal M. In this way, the I/O module 12 transitions from the online/M-port enable state ST14 to the maintenance state ST12 as illustrated in FIG. 4.

[0085] The I/O module 12 transitioning to the maintenance state ST12 makes communications possible between the setting apparatus 16 and the field device 11. Therefore, the operator operates the setting apparatus 16 to make various settings, adjustments, etc., to the field apparatus 11, the I/O module 12, etc. Once such settings, etc., are completed, and the operator stops the setting apparatus 16 from functioning, or removes the setting apparatus 16 from the maintenance port 23, the I/O module 12 transitions from the maintenance state 12 to the online/M-port enable state ST14 as illustrated in FIG. 4. A transition instruction from the setting apparatus 16 may also cause a transition from the maintenance state ST12 to the online/M-port enable state ST14.

[0086] When a connection request (for example, a connection request from the engineering terminal 15 to the lower-level layer interface 21) is input from the higher-level layer interface 22 while the I/O module 12 is in the online/M-port enable state ST14, the I/O module 12 transitions from the online/M-port enable state ST14 to the online/M-port disable state ST13 as illustrated in FIG. 4. If the I/O module 12 transitions from the online/M-port disable state ST13 to the online/M-port enable state ST14, even when a connection request from the higher-level layer interface 22 is input before a connection request (a connection request to the lower-level layer interface 21) from the setting apparatus 16 is input, the I/O module 12 transitions from the online/M-port enable state ST14 to the online/M-port disable state ST13.

[0087] In this way, while process control is being carried out by the process control system 1, the I/O module 12 has the operation mode set to the operating mode and is basically in the online/M-port disable state ST13, during which access to the maintenance port 23 is disabled. Therefore, even if a malicious third party connects an apparatus corresponding to the setting apparatus 16 to the maintenance port 23 of the I/O module 12, the setting content of the field device 11 and the like cannot be changed. Further, malware cannot be introduced into the process control system 1. A high level of security can thus be ensured.

[0088] On the other hand, when performing maintenance on the device which makes up the process control system 1, a permission command from the engineering terminal 15 (or the operation monitoring terminal 14) causes the I/O module 12 to transition to the online/M-port enable state ST14 in which access to the maintenance port 23 is enabled. Therefore, the setting apparatus 16 may be connected to the maintenance port 23 of the I/O module 12 and a connection request may be made to the lower-level layer interface 21 to cause the I/O module 12 to transition from the online/M-port enable state ST14 to the maintenance state ST12. Thus, a variety of settings on the field device 11 and the I/O module 12 that are needed at the time of maintenance of the process control system 1 may be made efficiently.

[0089] Moreover, when a connection request from the higher-level layer interface 22 (for example, a connection request to the lower-level layer interface 21 from the engineering terminal 15) is input while the I/O module 12 is in the online/M-port enable state ST14, the I/O module 12 transitions to the online/M-port disable state ST13. Thus, access to the maintenance port 23 by a connection request from the higher-level layer interface 22 may be intentionally disabled, increasing the level of security.

[0090] For example, the engineering terminal 15 refers to the content of the memory 27 of the I/O module 12 through the controller 13 to measure the time in which the online/M-port enable state ST14 is continued and, when the measured time is greater than or equal to a predefined amount of time (one hour, for example), the above-described connection request may be transmitted to cause the I/O module 12 to be transitioned to the online/M-port disable state ST13. In this way, an unnecessarily prolonged state in which access to the maintenance port 23 is permitted may be prevented and the level of security may be increased.

Second Embodiment

[0091] FIG. 5 is a block diagram showing a configuration of main portions of the input-output apparatus according to a second embodiment of the present invention. In FIG. 5, the same letters are given for the same blocks as those shown in FIG. 1. Moreover, while illustrations of the controller 13, the operation monitoring terminal 14, and the engineering terminal 15 in FIG. 1 are omitted in FIG. 5, an I/O module 30 as an input-output apparatus according to the present embodiment is provided between the field device 11 and the controller 13 here, similar to the I/O module 12 illustrated in FIG. 1.

[0092] The I/O module 30 illustrated in FIG. 5 differs from the I/O module 12 illustrated in FIG. 1 in that a switch 31 (switcher) is provided as a substitute for the switch 24, and a timer 32 has been added. In addition to the terminal O for connecting to the higher-level layer interface 22 and the terminal M for connecting to the maintenance port 23, the switch 31 also includes a neutral terminal (a neutral terminal N, meaning neutral). Connecting the switch 24 to the neutral terminal N results in a neutral state in which neither the higher-level layer interface 22 nor the maintenance port 23 are connected to the lower-level layer interface 21. The timer 32 measures a predefined time (one hour, for example) under a control of the control device 26.

[0093] Here, similar to the I/O module 12 illustrated in FIG. 1, the I/O module 30 includes an engineering mode and an operating mode as operation modes. The operating mode of the I/O module 30 differs from the operating mode of the I/O module 12 shown in FIG. 1 in that it is capable of transitioning to the four states shown below (see FIG. 7):

[0094] an online state ST21 (third state),

[0095] an M-port enable state ST22 (first state),

[0096] a maintenance state ST23 (second state), and

[0097] an online wait state ST24 (fourth state).

[0098] Similar to the online state ST11 illustrated in FIG. 3, in the online state ST21, which is a state during which the lower-level layer interface 21 and the higher-level layer interface 22 are connected to make possible communications between the field device 11 and the controller 13, access to the maintenance port 23 is disabled. Similar to the online/M-port enable state ST14 illustrated in FIG. 4, the M-port enable state ST22 is a state during which the lower-level layer interface 21 and the higher-level layer interface 22 are connected to make possible communications between the field device 11 and the controller 13, and access to the maintenance port 23 is permitted. The M-port enable state ST22 is a transient state for transitioning to the maintenance state ST23.

[0099] Similar to the maintenance state ST12 illustrated in FIGS. 3 and 4, the maintenance state ST23 is a state during which the lower-level layer interface 21 and the maintenance port 23 are connected to make possible communications between the setting apparatus 16 and the field device 11. The online wait state ST24 is a neutral state where neither the higher-level interface 22 nor the maintenance port 23 is connected to the lower-level interface 21, but access to the maintenance port 23 is permitted. The online wait state ST24 is a transient state for transitioning to the online state ST21 or to the maintenance state ST21 after a maintenance task (maintenance) is completed.

[0100] The above-described state transitioning is performed by the control device 26 controlling the switch 25 and the switch 31. FIG. 6 is a diagram showing switch states in each of transition states of the I/O module in the second embodiment of the present invention. Moreover, FIG. 7 is a state transition diagram for a case where the operation mode of the I/O module is set to the operating mode in the second embodiment of the present invention. Switch states and state transitions for a case in which the operation mode of the I/O module is set to the engineering mode are similar to those described for the first embodiment, so that repeated explanations are omitted.

[0101] As illustrated in FIG. 6, when the operation mode is set to the operating mode, a control of the control device 26 causes the switch 25 to be in an off state (a state where access to the maintenance port 23 is disabled) and causes the switch 31 to be connected to the terminal O to cause transitioning to the online state (the online state ST21 illustrated in FIG. 7). Moreover, a control of the control device 26 causes the switch 25 to be in an on state and causes the switch 31 to be connected to the terminal O to cause transitioning to the M-port enable state (the M-port enable state ST22 illustrated in FIG. 7), causes the switch 31 to be connected to the terminal M to cause transitioning to the maintenance state (the maintenance state ST23 illustrated in FIG. 7), and causes the switch 31 to be connected to the terminal N to cause transitioning to the online wait state (the online wait state ST24 illustrated in FIG. 7).

[0102] Here, as shown in FIG. 7, transitioning from the online state ST21 to the M-port enable state ST22 is performed when a permission command (a command from the engineering terminal 15 (or the operation monitoring terminal 14) indicating that access to the maintenance port 23 be permitted) is input from the higher-level layer interface 22. Transitioning from the M-port enable state ST22 to the maintenance state 23 is performed when a connection request from the maintenance port 23 (connection request from the setting apparatus 16 to the lower-level layer interface 21) is input.

[0103] Moreover, transitioning from the maintenance state STS23 to the online wait state ST24 is performed when communications with the setting apparatus 16 through the maintenance port 23 are blocked, or when there is a transition instruction (an instruction to cause transitioning to the online wait state ST24) from the setting apparatus 16. Moreover, transitioning from the M-port enable state ST22 to the online wait state ST24 is performed when a predefined time has elapsed during the M-port enable state ST22 from when transitioning to the M-port enable state ST22 (when the predefined time is measured by the timer 32). Moreover, for a case of being in the online wait state ST24, transitioning to the maintenance state ST23 is made when a connection request is input from the maintenance port 23 and transitioning to the online state ST21 is made when a connection request from the higher-level layer interface 22 is input.

[0104] Next, operations of the I/O module 30 configured as described above are explained. An operation for launching the process control system (launching operation) is similar to that for the first embodiment, so that an operation for a case in which maintenance of devices which make up the process control system 1 (maintenance operation) is conducted is explained below.

[0105] (Maintenance Operation)

[0106] The operation mode of the I/O module 30 is set to the operating mode during the time process control is performed by the process control system, and a state in which the I/O module 30 is in is basically the online state ST21 (see FIG. 7). In other words, the state in which the I/O module 30 is in is a state in which the lower-level layer interface 21 and the higher-level layer interface 22 are connected to make possible communications between the field device 11 and the controller 13 and access to the maintenance port 23 is disabled (the switch 25 is in an off state).

[0107] When performing maintenance of the devices that make up the process control system, similar to the first embodiment, a permission command (a command indicating that access to the maintenance port 23 of the I/O module 30 be permitted) is transmitted from the engineering terminal 15 (or the operation monitoring terminal 14) to the I/O module 30 through the controller 13. When the permission command is input to the control device 26 of the I/O module 30, a control of the control device 26 causes the switch 25 to be in an on state, causing the I/O module 30 to transition from the online state ST21 to the M-port enable state ST22 as illustrated in FIG. 7. Upon transitioning to the M-port enable state ST22, measurement of time by the timer 32 begins. When the setting apparatus 16 is connected to the maintenance port 23 of the I/O module 30 and, if a connection request from the setting apparatus 16 to the lower-level layer interface 21 is output before a predefined time elapses for time measurement of the timer 32, control of the control device 26 causes the switch 31 to be connected to the terminal M. As shown in FIG. 7, this causes the I/O module 30 to transition from the M-port enable state ST22 to the maintenance state ST23.

[0108] The I/O module 30 can transition to the maintenance state ST23 to make possible communications between the setting apparatus 16 and the field device 11. Therefore, an operator operates the setting apparatus 16 to perform various settings, adjustments, etc., to the field device 11 and to the I/O module 30. The control device 26 detects when such settings are completed and an operator stops functioning of the setting apparatus 16 or removes the setting apparatus 16 from the maintenance port 23 and, as illustrated in FIG. 7, the I/O module 30 transitions from the maintenance state ST23 to the online wait state ST24. Even if there is a transition instruction from the setting apparatus 16, the I/O module 30 transitions from the maintenance state ST23 to the online wait state ST24.

[0109] If time measurement by the timer 32 is completed after the I/O module 30 transitions to the M-port enable state ST22, the control device 26 of the I/O module 30 causes transitioning from the M-port enable state ST22 to the online wait state ST24 as illustrated in FIG. 7.

[0110] When the I/O module 30 is in the online wait state ST24, if a connection request from the maintenance port 23 (a connection request to the lower-level layer interface 21 from the setting apparatus 16) is input, the I/O module 30 transitions from the online wait state ST24 to the maintenance state ST23 as illustrated in FIG. 7. On the other hand, when the I/O module 30 is in the online wait state ST24, when a connection request from the higher-level layer interface 22 (for example, a connection request to the lower-level layer interface 21 from the engineering terminal 15) is input, the I/O module 30 transitions from the online wait state ST24 to the online state ST21 as illustrated in FIG. 7.

[0111] In this way, while the process control by the process control system is performed, the I/O module 30 has the operation mode set to the operating mode and is basically in a state where access to the maintenance port 23 is disabled (the online state ST21), similar to the I/O module 12 of the first embodiment. Therefore, even if a malicious third party connects an apparatus which corresponds to the setting apparatus 16 to the maintenance port 23 of the I/O module 30, the setting content of the field device 11 cannot be changed. Further, malware cannot be introduced into the process system 1. A high level of security can thus be ensured.

[0112] On the other hand, when performing maintenance on the devices that makes up the process control system 1, the I/O module 30 transitions to a state where access to the maintenance port 23 is permitted (the M-port enable state ST22) by a permission command from the engineering terminal 15 (or the operation monitoring terminal 14), similar to the first embodiment. Therefore, the setting apparatus 16 may be connected to the maintenance port 23 of the I/O module 30 and a connection request to the lower-level layer interface 21 may be made to cause the I/O module 30 to transition from the M-port permission state ST22 to the maintenance state ST23. Thus, various settings on the field device 11 and the I/O module 30 that are necessary at the time of maintaining the process control system may be efficiently performed.

[0113] Moreover, when predetermined time has elapsed from transitioning to the M-port enable state ST22, or when communications with the setting apparatus 16 through the maintenance port 23 is blocked (or when there is a transition instruction from the setting apparatus 16), the I/O module 30 transitions to the online wait state ST24. In this way, an unnecessarily prolonged state in which access to the maintenance port 23 is permitted while the lower-level layer interface 21 and the higher-level layer interface 22 are connected may be prevented. The security level can thus be increased.

[0114] In order to simplify the explanations of the above-described first and second embodiments, examples of using one each of the controller 13 and the I/O module 12 (I/O module 30) that are provided in the process control system are explained. As shown in FIG. 8, a plurality of the controller 13 and the I/O module 12 (I/O module 30) are generally provided in the process control system 1. FIG. 8 is a block diagram showing an example configuration of a process control system having a plurality of controllers and I/O modules.

[0115] In such a process control system, permission commands (commands indicating that access to the maintenance port 23 be permitted) from the engineering terminal 15 (or the operation monitoring terminal 14), are transmitted only to the I/O module 12 (I/O module 30) which requires maintenance. Then, as shown in FIG. 8, the setting apparatus 16 is connected to the maintenance port 23 of the I/O module 12 (I/O module 30) that requires maintenance to make various settings, adjustments, etc., on the field device 11 and the I/O module 12. In this way, a plurality of the setting apparatuses 16 are used to simultaneously conduct maintenance on a plurality of the I/O modules 12 (I/O modules 30). When the I/O module 30 is provided in the process control system shown in FIG. 8, the I/O modules 30 transition to the online wait state if the setting apparatuses 16 are not connected to the I/O modules 30, to which access is permitted, within a predefined time period. Security is thus ensured.

[0116] While preferred embodiments of the invention have been described and illustrated above, it should be understood that these are exemplary of the invention and are not to be considered as limiting. Additions, omissions, substitutions, and other modifications can be made without departing from the scope of the present invention. Accordingly, the invention is not to be considered as being limited by the foregoing description, and is only limited by the scope of the appended claims. For example, although examples of using the I/O module 12 (1/0 module 30) as an input-output apparatus are explained in the above-described embodiments, embodiments of the present invention may also be applied to input-output apparatuses such as controllers, network repeaters, remote I/O apparatuses, wireless gateways, and the like.

SYSTEM AND METHOD FOR MANAGING SWITCHED HIERARCHICAL CONTROL STATES

Assignee

Inventors

Cpc classification

Classification Explorer

G05B2219/1138

PHYSICS

Classification Explorer

G05B2219/25369

PHYSICS

Classification Explorer

G05B19/0423

PHYSICS

International classification

Classification Explorer

G05B19/042

PHYSICS

Abstract

Claims

Description