OKABE Nobuo1
The changes in social environment, such as globalization of enterprise activities, depletion of natural resources, and eco-oriented movement will affect the structure of mass production. Control systems require flexibility and scalability in both size and function to adjust to the changes. Our goal is to free the systems from the controller-centric model where all field instruments must be accessed via controllers, as well as to achieve flexibility and scalability with the latest network technologies. The author proposes a virtual wiring technology, which consists of a network security mechanism and a plug-and-play mechanism. This technology can be applied to resource-limited devices such as field instruments. This paper describes our activities toward creating the virtual wiring technology.
- Ubiquitous Field Computing Research Center, Corporate R&D Headquarters
INTRODUCTION
Figure 1 The architecture of existing control systems
The changes in social environment, such as globalization of enterprise activities, depletion of natural resources, and eco-oriented movement will affect the structure of mass production. Control systems must be prepared with flexibility and scalability in both size and function to adjust to the changes. On the other hand, the further development of computer technology and communication technology is expected to lead to the commoditization of distributed computing technology. In order to realize the flexibility and scalability required for control systems within a reasonable time and cost, commoditized technologies should be utilized effectively.
As shown in Figure 1, with existing control systems, every access to a field device is through a controller, and so the controller acts as a bottleneck to performance, functionality and cost. In this paper, we call this the "controller centric model."
Figure 2 Proposed flat architecture
In contrast, as shown in Figure 2, networks simplify the role of a controller to its intrinsic functions and make it easy to add functions. Furthermore, high-speed broadband network technologies reduce many input-output cables and enable the emergence of intelligent devices by consolidating numerous input-output ports.
In this paper, we propose a virtual wiring technology to free the system from the controller centric model and create a flat network architecture as shown in Figure 2.
There are several restrictions for realizing such network architecture, the most severe of which is the limited computational resources (CPU power, memory size, etc.). The power to field devices often must be supplied through signal lines. Also, with restrictions such as IEC60079, the amount of electric power consumed at hazardous locations such as where flammable gas exists must be minimized. For these reasons, the amount of electric power consumed by field devices is limited, and so computational resources are also inevitably restricted.
This paper introduces virtual wiring technology for application to devices whose computational resources are restricted.
VIRTUAL WIRING TECHNOLOGY
When configuring a network over the field domain, physical signal lines used to connect controllers and devices need to be made virtual. That is, a controller has to identify the proper one from the group of devices distributed over the network and establish a virtual wiring connection with the identified device. In this paper, we call this virtual wiring connection "virtual wiring."
We achieve this virtual wiring by combining our original network security mechanism with plug-and-play as described below. The former can be applied to devices with limited computational resources unlike usual security mechanisms, while the latter provides secure and autonomous automated configuration for devices with limited computational resources.
Network Security Mechanism
Figure 3 Network security mechanism using KINK and IPsec
Currently, many types of network security for control systems rely on a firewall model. Since that model presupposes a specific network topology, it is difficult to apply to cases where the network topology cannot be predetermined, such as in wireless and mobile communication. On the other hand, the network security mechanism proposed in this paper protects End-to-End communication with IPsec (Security Architecture for Internet Protocol) [1] as shown in Figure 3. Since IPsec ensures security independently from the application, it hardly affects existing applications and is suitable for long-lasting industrial systems.
IPsec requires both communicating ends to share confidential information. Since devices installed in the field do not have a powerful user interface like a PC, manual key setting is difficult and automatic setting by a "key exchange protocol" is necessary. Because existing IPsec key exchange protocols such as IKE (Internet Key Exchange) [2] require public key cryptography, their application to devices with limited computational resources has been difficult. We therefore decided to adopt the IPsec key exchange protocol KINK (Kerberized Internet Negotiation of Keys) [3], which was developed and standardized as an international standard by us. KINK is based on the Kerberos Authentication System and does not require public key cryptography.
Plug-and-play mechanism
Figure 4 Virtual wiring sequence with chain of trust
A control system consists of many controllers and devices. Conventionally, each of them has to be configured and connected with an input-output cable, which takes time and effort. Although a network can reduce such work, controllers have to deal with input-output cables virtually. That is, a controller has to identify the proper one from the group of devices distributed over the network, and establish a virtual wiring connection with the identified device. In this paper, we propose a method of establishing virtual wiring utilizing the plug-and-play mechanism [4] [5] which we have proposed. From the perspective of security, it is difficult to apply existing plug-and-play technology, such as Jini [6] and UPnP (Universal Plug and Play) [7], to devices with limited computational resources. On the other hand, since the proposed plug-and-play technology is based on the network security mechanism described above, it can be applied to such devices. The sequence called "Chain of Trust" indicated in Figure 4 enables virtual wiring.
1) DHCP (Dynamic Host Configuration Protocol) broadcasts address information of Kerberos server.
2) Devices and controllers confirm whether they belong to the broadcast Kerberos server or not. When confirmed, mutual authentication between Kerberos server and devices/controllers is completed. Devices and controllers then obtain the address information of the database server from the trusted Kerberos server.
3) Devices and controllers register their own information to the trusted database server.
4) Devices and controllers trust the configuration information provided by the trusted database server. With this configuration information, devices and controllers autonomously complete the configuration.
5) Based on the information provided by the database server, controllers establish virtual wirings with the devices to be controlled.
Even though controllers and database servers are assigned to different entities, controllers can find the database server which they trust by the sequence 1) and 2) above. Usually, a control system consists of multiple controllers distributed over a network, but with the sequence 3) and 4), controllers can configure themselves autonomously.
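The chain-of-trust sequence above can be simulated as follows. This is an added example, not the authors' implementation: an HMAC challenge-response with a per-node symmetric key stands in for the Kerberos exchange, the IPsec/KINK protection of later traffic is not modelled, and all class names, node names and addresses are hypothetical.

```python
import hashlib, hmac, os
def mac(key, label, *parts):
    # Length-prefix every field so message boundaries are unambiguous.
    body = b"".join(len(p).to_bytes(2, "big") + p for p in (label, *parts))
    return hmac.new(key, body, hashlib.sha256).digest()

class KeyServer:  # stand-in for the Kerberos server: one symmetric key per principal
    def __init__(self, keys, db_addr):
        self.keys, self.db_addr = keys, db_addr
    def answer(self, name, nonce, proof):
        key = self.keys.get(name)  # authenticate the node before revealing anything
        if key is None or not hmac.compare_digest(proof, mac(key, b"req", name.encode(), nonce)):
            return None
        return self.db_addr, mac(key, b"rep", nonce, self.db_addr.encode())  # bound to nonce

class RogueServer(KeyServer):  # answers every request, but holds no node key
    def answer(self, name, nonce, proof):
        return self.db_addr, mac(os.urandom(32), b"rep", nonce, self.db_addr.encode())

class Node:  # a device or controller provisioned with its own long-term key
    def __init__(self, name, key):
        self.name, self.key, self.db_addr = name, key, None
    def bootstrap(self, advertised):
        # Steps 1-2: the DHCP advertisement is only a hint; the key check decides trust.
        for server in advertised:
            nonce = os.urandom(16)
            proof = mac(self.key, b"req", self.name.encode(), nonce)
            reply = server.answer(self.name, nonce, proof)
            if reply and hmac.compare_digest(reply[1], mac(self.key, b"rep", nonce, reply[0].encode())):
                self.db_addr = reply[0]
                return True
        return False

def virtual_wiring(nodes, advertised, databases, controller):
    # Steps 3-5: authenticated nodes register; the controller wires only to registered devices.
    registered = {}
    for n in nodes:
        if n.bootstrap(advertised):
            registered.setdefault(n.db_addr, set()).add(n.name)
    plan = databases.get(controller.db_addr, {}).get(controller.name, [])
    return [d for d in plan if d in registered.get(controller.db_addr, set())]

def demo():
    # Constructed sample data: keys, names and addresses are invented for this example.
    keys = {n: os.urandom(32) for n in ("ctrl-1", "flow-a", "temp-b")}
    nodes = [Node(n, k) for n, k in keys.items()] + [Node("temp-x", os.urandom(32))]
    servers = [RogueServer({}, "db.rogue.example"), KeyServer(keys, "db.plant.example")]
    dbs = {"db.plant.example": {"ctrl-1": ["flow-a", "temp-b", "temp-x"]}}
    return virtual_wiring(nodes, servers, dbs, nodes[0])
```

In `demo()` the rogue server is advertised first and is skipped by every node, and `temp-x`, whose key the real server does not hold, never registers, so the controller wires only to `flow-a` and `temp-b`.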
Evaluation by prototype
We have evaluated the feasibility of the proposed mechanism with a prototype. We implemented functions including HSE (High Speed Ethernet) of FOUNDATION Fieldbus (hereinafter referred to as FF) in the prototype. Table 1 shows the configuration of the prototype and the object code sizes of implemented modules. The total object code size of the initial version partly utilizing open source was more than one megabyte, but with optimization of specifications and implementation, it was reduced to 270 Kbytes. In particular, we successfully reduced the size of the KINK part to one fifth of the original one [8]. To reduce the code size further and increase the speed, we are now investigating using hardware to cover the IP/IPsec part which accounts for almost half of the entire code.
Table 2 shows the processing time of the prototype. Because the overhead for virtual wiring processing is required only at the time of system start up, the penalty for automating the configuration of each device is considered to be sufficiently small. On the other hand, the key exchange processing is required not only at the time of system start up, but also at the time when the shared confidential information expires. However, since the amount of communication between controllers and devices is small, the influence of the key exchange processing can be suppressed by extending the valid time limit (for example, to a few weeks) or in other ways.
Table 1 Component and object code size of the prototype
Classification | Component | Source | Object code size (Kbyte) |
---|---|---|---|
Hardware | CPU | H8/3029 | - |
Software | RTOS | iTRON | - |
 | IPv4/IPv6 | Original | 132 |
 | Original | Original | 15 |
 | KINK | Original | 45 |
 | FF HSE | Original | 80 |
Total | | | 272 |
Table 2 Processing time of the prototype
Processing | Processing time (msec) |
---|---|
Virtual wiring processing | 511 |
KINK key exchange processing | 65 |
SUPPLYING POWER TO DEVICES AND INSTALLING THEM AT HAZARDOUS LOCATIONS
The last one hop is always a challenge for the network. A part of the field domain environment susceptible to fire is called a "hazardous location." Since communication traffic increases along with networking of the field domain, the performance of the data link in hazardous locations must be improved. However, Ethernet itself cannot satisfy the regulation for hazardous locations. Also, it is impossible to supply power to field devices through standard Ethernet.
Figure 5 Data link topology at hazardous locations
Table 3 shows the characteristics of FF H1, the data link which can be used in hazardous locations and can supply power, and Ethernet. If FF H1 is to be expanded to improve the performance of the data link, the improvements of FF H1 in bandwidth, maximum transmission unit and full/half duplex are required in order to transmit relatively large packets as IP does. At the same time, the features of supplying power through a cable, maximum cable length and low power consumption conforming to the regulation for hazardous locations, must still be provided.
Figure 5 indicates the current data link and the topology proposed in this paper. To improve the performance of the data link, it is effective to exclude the bus configuration and restrict to a P2P (Point-to-Point) configuration like Ethernet. The simplified topology helps to simplify the wiring design. Even though the topology of the data link is restricted to P2P, an Ethernet switch provides the capability equivalent to the existing multi-drop data link.
Table 3 Comparison between FF H1 and Ethernet
Items | FF H1 | 100B-T Ethernet |
---|---|---|
Topology | Bus | Bus, P2P |
Bandwidth | 32 Kbps | 100 Mbps |
Maximum Transmission Unit (MTU) | 256 byte | 1500 byte |
Full / half duplex | half duplex | full duplex |
Maximum cable length | 1.9 km | 100 m |
Power consumption at physical layer | 100 mW | 150 mW |
When considering the latest Ethernet physical layer (PHY), high bandwidth is not a major factor of power consumption as shown in Table 3. However, it is clear that just applying Ethernet technology is not enough to achieve the maximum cable length equivalent to FF H1.
Figure 6 Evaluation system including prototype bridge and device
Figure 6 shows the evaluating system including the prototype bridge for the data link layer to verify the function described above and the prototype device described in the "Evaluation by prototype" section. This evaluating system has the following features.
- By improving encoding and other technologies, the communication bandwidth has been widened to about 8 times that of the original one (from half duplex 32 kbps to full duplex 128 kbps) while maintaining the equivalent electrical characteristic and maximum cable length of existing FF H1. This means that it can be used at hazardous locations under the constraint of the FISCO (Fieldbus Intrinsically Safe Concept) model based on IEC60079-27 [9].
- Direct transfer of IP packets is enabled using HDLC (High-Level Data Link Control).
- Power supply capability is provided like FF H1.
With this bridge, controllers and devices located at hazardous locations can directly exchange IP packets. We are now investigating ways to increase the performance and the reliability.
CONCLUSION
To prepare for major changes in production systems in the future, it is necessary to move control systems away from the controller centric model and to provide them with flexibility and scalability in both size and function. As a basic technology to realize this, we proposed virtual wiring technology in this paper, which offers the following advantages.
- Secure networking in the field domain
- Freeing controllers from a bottleneck to performance, functionality and cost
- Reduction in number of ports and wires in the field domain
- Reduction of engineering works for the field domain
An evaluation using the prototypes showed that these advantages can be realized within feasible code size and performance.
In order to extend networking into the field domain, it is necessary to improve the performance of the data link used in hazardous locations. In this paper, we described an initial prototype of a new data link for solving such issues and indicated that the performance can indeed be improved.
REFERENCES
[1] S. Kent, K. Seo, "Security Architecture for the Internet Protocol," IETF RFC4301, 2005, pp. 101
[2] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)," IETF RFC2409, 1998, pp. 41
[3] S. Sakane, K. Kamada, et al., "Kerberized Internet Negotiation of Keys (KINK)," IETF RFC4430, 2006, pp. 40
[4] N. Okabe, S. Sakane, et al., "Secure Plug and Play Architecture for Field Devices," Proceedings of 5th IEEE International Conference on Industrial Informatics (INDIN2007), 2007, pp. 873-878
[5] N. Okabe, S. Sakane, et al., "Implementing a Secure Autonomous Bootstrap Mechanism for Control Networks," The IEICE Transactions on Information and Systems, Vol. E89-D, No. 12, 2006, pp. 2822-2830
[6] Sun Microsystems, "Jini Specifications Archive - v2.1," Sun Microsystems, Inc., 2005, http://www.jini.org/
[7] UPnP Forum, "UPnP Device Architecture 1.0, Version 1.0.1," UPnP Forum, 2003, http://www.upnp.org/
[8] Kazunori Miyazawa, Shouichi Sakane, et al., "Designing and Implementing of Kerberos Version 5 for Embedded Devices," Proceedings of Embedded Systems Symposium (ESS2007), No. 2007-8, IPSJ Symposium Series, 2007, pp. 168-175, in Japanese
[9] Kaoru Onodera, "FOUNDATION Fieldbus Explosion Protection Systems in Japan," Yokogawa Technical Report, Vol. 51, No. 2, 2007, pp. 69-70, in Japanese

* "FOUNDATION Fieldbus" is the registered trademark of Fieldbus FOUNDATION.