Title of Invention | A FIELD DEVICE FOR POWER SUPPLY INSTALLATIONS |
---|---|
Abstract | The invention relates to a field device (10), in particular a protective device, having a microprocessor arrangement (20) which executes a program module (PM), which defines the device function, during operation of the field device. The invention provides for the field device to have a protection device (40) which is configured in such a manner that it checks whether a function description block (FB), which has been input and describes a desired device function, describes an enabled device function and, in the case of a device function which has not been enabled, blocks execution of said function and, in the case of a device function which has been enabled, allows execution of said function. |
Full Text | Description: Field Device. The invention relates to a field device, in particular for use in power installations, for example in power supply installations, having the features as claimed in the precharacterizing clause of claim 1. A field device such as this is formed, for example, by the SIPROTEC 7SA511 or 7SA513 protective device from SIEMENS AG. This protective device is equipped with a microprocessor arrangement which carries out a program module, which defines the device function, during operation of the field device. Nowadays, field devices in power installations carry out a multiplicity of functions relating to protection and control. The performance and the functionality of the devices are rising continuously. One problem that is occurring increasingly from the point of view of the field device manufacturers is to provide the respectively appropriate device for every customer requirement: in this case, of course, the devices must provide all the functions which the respective customer requires; at the same time, however, care must be taken because of cost and pricing aspects to ensure that the devices are not overdesigned for their functions and cannot carry out more functions than the customer needs and is prepared to pay for. The invention is therefore based on the object of specifying a field device which can be configured easily and quickly such that predetermined device functions can be carried out and other functions are not available, or are available only to a restricted extent. According to the invention, this object is achieved by a field device having the features of claim 1. Advantageous refinements of the field device according to the invention are specified in the dependent claims. 
The invention accordingly provides for the field device to have a protection device which is designed such that it checks whether an input function description block, which describes a desired device function, describes an enabled device function and, if a device function is not enabled, prevents it from being carried out and, if a device function is enabled, allows it to be carried out. By way of example, the function description block may be input in the form of a file - for example using the XML format. One major advantage of the field device according to the invention is that the functional scope of the device which can be used by the user can be set very simply and at low cost just by enabling or inhibiting device functions which are provided in the device. The functional scope which is actually available to the user may therefore be less than the functional scope which the device would in principle be able to provide if further device functions were enabled. The configuration at the manufacturer's premises can therefore be carried out just by enabling and inhibiting device functions which, for example, are in the form of software. A further major advantage of the field device according to the invention is that this considerably simplifies storage at the manufacturer's premises. Ideally, in theory, it will be sufficient to produce hardware for just a single field device type and to define the final functional scope of the device and the final device type solely by software enabling and inhibiting. A third major advantage of the field device according to the invention is that, despite the presence of the protection device, it can be operated very easily: the device function which is desired by the user is defined - within the scope of the enabled device functions - just by inputting a function description block which describes the device function - for example using the XML format. 
By way of example, an input such as this can be entered using a configuration tool which is provided by the manufacturer. In order to prevent, as reliably as possible, the user from overcoming a device function inhibit by misuse, it is considered to be advantageous for the protection device to have an interpreter module which interprets the function description block which has been input by the user or manufacturer and then produces the appropriate program module using a plurality of function modules which are preinstalled in firmware, preferably hardware, in the field device, only if the input function description block describes an enabled device function. This advantageous refinement of the field device makes it harder for the user to access the internal function, and reduces the possibilities for misuse. Furthermore, the program module which is required for operation of the device does not exist until that point, so that the user cannot read and copy it or modify it by misuse - for example in order to enable inhibited device functions. Device functions can be enabled and inhibited particularly easily and therefore advantageously if the protection device is designed such that it compares a feature block which is contained in the function description block with an identification block, which is stored in the field device or is accessible to the field device and describes the enabled functional scope of the field device, and prevents the device function which is described in the function description block from being carried out if the features which are described in the feature block are not present or are defined as inhibited in the identification block. The identification block is preferably stored in the field device. In this case, the identification block preferably has a device identification which identifies the field device for which the identification block is intended. 
Alternatively, the identification block can be stored in an external memory module which is connected to the field device for its operation. In this case, the identification block preferably contains a memory identification which identifies the external memory with which the identification block is associated. In this embodiment, although the identification block is suitable for a multiplicity of field devices, copy protection nevertheless remains ensured. The identification block is particularly preferably signed with an electronic signature, and the protection device is designed such that it prevents the further processing of the function description block if the check of the electronic signature gives a negative result. A signature for the identification block such as this makes it possible to prevent the user from modifying the identification block by misuse in order retrospectively to extend the device functions. By way of example, the protection device is designed such that it decrypts the identification block, which has been encrypted using a first key of a key pair, in order to check the electronic signature using a second key of the key pair. The second key of the key pair is preferably stored in a memory area of the field device which is protected against unauthorized reading. The protection device can also be designed such that it checks the feature block for the presence of a valid electronic signature, and prevents the further processing of the function description block if the check of the electronic signature gives a negative result. By way of example, it is recommended that feature blocks have a signature when the aim is to ensure that function description blocks can be input only by using the manufacturer's configuration tool. 
By way of example, a restriction to the manufacturer's configuration tool such as this makes it possible to ensure that the only function description blocks and feature blocks which can be used are those which have been checked by the manufacturer and have been classified as safe in terms of guarantee and reliability. The protection device is preferably designed such that it decrypts the feature block, which has been encrypted using a first key of a further key pair, in order to check the electronic signature using a second key of the further key pair. The second key of the further key pair is preferably stored in a memory area which is protected against unauthorized reading. The memory area or areas which is or are protected against unauthorized reading is or are preferably integrated in a module, or in each case in one module, which carries out an essential, indispensable basic function of the field device. This makes it possible to prevent modules with keys from being replaced by other electrical modules with different keys in order, for example, to overcome the signature protection. Since the second key of each pair is used only to check signatures, it is above all its integrity that matters: whoever can overwrite it with the key of a pair under his own control can sign identification blocks and feature blocks himself. For example, the modules control a data bus or an interface of the field device. By way of example, the modules with protected memory areas may be integrated in ASIC, FPGA or CPLD modules. Furthermore, with regard to the maximum possible level of user-friendliness, it is considered to be advantageous for the identification block to contain a basic function block and an option block, with the basic function block defining an enabled basic functional scope of the field device, and with the option block defining an enabled option scope within which further additional functions may be added to the basic functional scope by the user without this leading to the field device being blocked by the protection device. 
A value number is in each case preferably stored in the option block for each optional additional function, and the enabled option scope is preferably defined by a maximum value (referred to in the following text as a prepaid variant). For example, the protection device adds the value numbers of the additional functions which have been selected by the user and prevents the resultant device function from being carried out if the sum value is more than the maximum value. Alternatively, the identification block may describe only a single device function, and may not allow any options, if the customer requires only a simple version of the field device. In this case, the function description block including the feature block is preferably already stored in the field device at the manufacturer's premises. The invention will be explained in more detail in the following text with reference to exemplary embodiments; in this case, by way of example: Figure 1 shows one exemplary embodiment of a field device according to the invention, Figure 2 shows the design of a protection module for a protection device for the field device as shown in Figure 1, Figure 3 shows one exemplary embodiment for the production of an identification block for the field device as shown in Figure 1, and Figure 4 shows one exemplary embodiment for the production of a function description block for the field device as shown in Figure 1. Figure 1 shows a field device 10 which is equipped with a microprocessor unit 20 as well as a main memory 30 and a protection device 40. The microprocessor unit 20, the main memory 30 and the protection device 40 are connected via a device-internal data bus 50 to one another and to an external connection A10 of the field device 10. As can be seen from Figure 1, the protection device 40 is equipped with an interpreter module 60, a protection module 70 and a memory area 80 in which function modules FM are stored. 
The protection module 70 is connected via the connection A70a to the data bus 50, and via the connection A70b to the interpreter module 60. By way of example, the field device 10 illustrated in Figure 1 is operated as follows: In a first step, which is carried out during the production and/or configuration of the field device 10, an identification block KB is stored in the main memory 30 of the field device 10; a storage process such as this can be carried out, for example, via the connection A10 on the field device 10. The functional scope which is permissible for operation of the field device is described in the identification block KB. For example, it is possible to state in the identification block KB that the field device 10 may be operated as a distance protective device, as a power-quality measurement device or as a differential-protective measurement device. After the initial installation of the identification block KB and delivery of the field device 10 to a final customer, also referred to in the following text as the user, a function description block FB is stored in the main memory 30 at the user's premises by means of a configuration tool, which is not illustrated in Figure 1 (for the sake of clarity) but is connected to the connection A10 of the field device. In the function description block FB, the user inputs to the field device 10 how he wishes to use the device and what device functions the field device is intended to carry out. The device functions to be carried out are contained in a feature block MB of the function description block FB; alternatively, the function description block FB may also consist solely of the feature block MB. 
When the field device 10 is now used by the user, the protection device 40 first of all checks whether the function description block FB which has been input at the user's premises, to be precise the feature block MB contained in it, describes a device function which is enabled for the field device 10. If the protection device 40 finds that the device function required by the user is defined in the identification block KB as being enabled, then it enables device operation, as a result of which the microprocessor unit 20 can carry out the device function. Furthermore, it checks whether the identification block KB contained in the field device 10 contains the device identification ID stored in the protection device 40 of the field device, and the signatures of the identification block KB and of the feature block MB are checked using the public key Key OSK which is stored in the memory area 80. The program module PM which can be run and is required for control of the microprocessor unit 20 is supplied by the interpreter module 60, which evaluates the device function described in the feature block MB or the function description block FB, and uses the function modules FM which are stored in the memory area 80 to produce the program module PM. If, in contrast, the protection device 40 finds that no device function which is enabled for the field device 10 is described in the function description block FB, then it blocks the interpreter module 60 and/or the microprocessor unit 20 in order to prevent the field device 10 from being started up with the unapproved device function. 
If, for example, the identification block KB contains the stipulation that the field device 10 may be operated only as a distance protective device, as a power-quality measurement device or as a differential-protective device, then starting up with a different device function is prevented even if, in principle, the interpreter module 60 were able to produce this device function using the function modules FM stored in the memory area 80. In other words, because of the function modules FM which are stored in the memory area 80 and the method of operation of the interpreter module 60, the field device 10 may well be capable of carrying out device functions other than those defined in the identification block KB; nevertheless such functions cannot be carried out, since the protection device 40 first of all checks whether the device function required by the user is described and enabled in the identification block KB. In order to prevent the identification block KB from being corrupted by the user and, for example, having the permissible device functions extended, the identification block KB is preferably signed at the manufacturer's premises with an electronic signature in that, for example, it is encrypted using a first key of a first key pair; furthermore, the device identification number ID of the field device 10 is used in the encryption process. The encrypted identification block KB' is then stored in the main memory 30. The function description block FB and the encrypted feature block MB contained in it are also preferably signed with an electronic signature, and are stored in an encrypted form. Encryption of the feature block MB is advantageous in order to prevent the user from installing function description blocks in the field device 10 which have not been produced and tested by the manufacturer of the field device 10. 
The encryption of the blocks FB and MB is carried out, for example, using a first key of a second key pair, forming an encrypted function description block FB' and an encrypted feature block MB' contained therein. An encryption technique based on key pairs is preferably used for the encryption and the decryption of the identification block KB, of the function description block FB and of the feature block MB contained in it. In this case, the encryption is carried out using a first key and can be reversed only using the second key of the key pair. Encryption such as this therefore allows an encrypted file to be read only when the second key is available. The holder of the second key can at the same time also check the authenticity of the file, because meaningful decryption using the second key is possible only when the source file has actually been encrypted using the first key of the key pair, which the key-pair holder keeps secret and which is therefore unknown to third parties, including the holder of the second key himself. The described encryption process can be carried out, for example, on the basis of the RSA method; triple-DES is also named as an alternative, but it is a symmetric method, so the one secret key would then have to be present both at the manufacturer's premises and in every field device, and an attacker who extracts it from a single device can produce valid blocks for all of them. Alternatively, a so-called message digest can be calculated over the feature block MB and the identification block KB by means of a hash-code method, for example using the MD5 or SHA1 algorithm (neither of which is still considered collision-resistant; a current hash function such as SHA-256 should be used instead), can then be encrypted and then added to the blocks KB and MB as a signature. This signature can be checked in the field device 10 by decryption of the message digest using the public key Key OSK contained in the memory 80, followed by recomputation of the message digest over the received block using the same algorithm. A match between the decrypted and the recomputed message digest is obtained only if the blocks KB and MB have not been changed between the time of signature and the time of the check. 
The method of operation of the protection module 70 of the protection device 40 as shown in Figure 1 will now be explained in more detail, by way of example, with reference to Figure 2. Figure 2 shows a first unit 100, which cannot be monitored, and a second unit 110, which cannot be monitored, which units are connected to one another via a comparison device 120. The expression "a unit which cannot be monitored" means a unit which cannot be eavesdropped on during its operation, so that its method of operation cannot be understood from the outside. The two units 100 and 110 which cannot be monitored may, for example, be in the form of protected hardware blocks, for example in the form of an ASIC, FPGA or gate-array module. The object of the unit 100 which cannot be monitored is first of all to check whether the encrypted identification block KB' stored in the main memory 30 of the field device 10 is the original identification block as produced at the manufacturer's premises; this check prevents the protection module 70 from basing its further checks on an identification block KB' which may have been corrupted by the user. In order to check the authenticity of the encrypted identification block KB', the unit 100 first of all checks the device identification number ID of the field device 10 and decrypts the identification block KB' using a second key, which is stored in it in the form of hardware and "concealed", of the already mentioned first key pair. The decrypted identification block KB is passed to the comparison device 120, which compares the decrypted identification block KB with the feature block MB. As already mentioned, the function description block FB and the feature block MB contained in it are also preferably stored in encrypted form, as is indicated by the reference symbol MB' in Figure 2. 
The decryption process is carried out in the second unit 110 using a second key, which is stored in hardware and concealed in the second unit 110, of the second key pair. As in the case of the encryption and decryption of the identification block KB which has already been described, it is also possible to use the RSA or 3DES method in this case. Alternatively, the electronic signature of the blocks can be checked as already described. On the output side, the unit 110 produces the decrypted feature block MB and transmits this to the comparison device 120, which compares the contents of the decrypted feature block MB and the contents of the decrypted identification block KB with one another and produces an enable signal S1 with a logic 1 if the comparison result is positive, that is, if the device function as defined in the decrypted feature block MB corresponds to an enabled device function which is described in the decrypted identification block KB. If, during decryption of the encrypted identification block KB', the unit 100 which cannot be monitored finds that this cannot be decrypted using the second key of the first key pair, then on its output side it produces a control signal S2 with a logic 0, thus indicating that the identification block KB has been modified and can no longer be decrypted. Only if a legible and comprehensible identification block KB is formed on decryption of the encrypted identification block KB' does the unit 100 produce on its output side the control signal S2 with a logic 1, thus indicating that the encrypted identification block KB' is an original, to be precise an identification block KB produced by the manufacturer. (The condition "cannot be decrypted" has to be made explicit in an implementation: a raw RSA operation on a modified input still yields some result, so the unit needs a fixed check, for example of a padding format or of an embedded message digest as described above, in order to tell an original block from a modified one.) In a corresponding manner, the unit 110 produces a control signal S3 with a logic 1 on its output side when it finds during decryption of the encrypted feature block MB' that decryption can be carried out successfully using the second key, stored in the unit 110, of the second key pair. 
In contrast, it produces the control signal S3 with a logic 0 when decryption cannot be carried out using the stored second key of the second key pair. A control device 150 for the protection module 70 enables the field device 10 only when all three control signals S1, S2 and S3 are in a logic 1 state, as a result of which the interpreter module 60 can use the function description block FB to produce the program module PM with the assistance of the function modules FM. Figure 3 shows an exemplary embodiment for the production and storage of the identification block KB shown in Figure 1. As can be seen, a device function list L which has been preset at the manufacturer's premises as being permissible is encrypted in an encryption device 200 by means of a coding method using the first key SL1 of the first key pair; the device identification number ID of the field device 10 is also taken into account, thus resulting in the formation of an encrypted identification block KB' which is suitable for only one specific field device 10. The identification block KB' therefore cannot be used on other devices whose device identification number ID does not match the device identification number stored in the identification block KB'. The encrypted identification block KB' formed in this way is stored in the main memory 30 of the field device 10, as shown in Figure 1. Figure 4 shows one exemplary embodiment of a configuration process for the field device 10 as shown in Figure 1. By way of example, a configuration process such as this is carried out by the user using a configuration tool. For this purpose, the configuration tool is equipped with configuration software 300 which is provided by the manufacturer. The configuration software accesses a multiplicity of preferably signed function modules FM which, for example, are stored in a database 310 and can be used to form a function description block FB for the field device 10. 
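The following Go program is an added example written for this page; it is not code from the patent or from Siemens. It implements the protection module 70 of Figure 2 together with the identification-block production of Figure 3, in the message-digest variant described above: the manufacturer signs the digest of the device identification number ID and the function list L with the first key SL1 of the first key pair, the configuration tool signs the feature block MB with the first key of the second key pair, and the device holds only the two public keys in place of the "second keys". RSA PKCS#1 v1.5 signatures over SHA-256 from the Go standard library stand in for the patent's "encrypt with the first key, decrypt with the second" and for MD5/SHA1. The function names, the newline-separated list format, the device ID "7SA-000123" and the sample function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// deviceBinding returns the bytes the manufacturer signs for one device: the
// length-prefixed device identification number ID followed by the function
// list L, so KB' for one device cannot be re-read as KB' for another.
func deviceBinding(deviceID string, list []byte) []byte {
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.BigEndian, uint32(len(deviceID)))
	buf.WriteString(deviceID)
	buf.Write(list)
	return buf.Bytes()
}

// NewDemoKeys generates both key pairs for the demonstration only; in
// production SL1 and SK2 never leave the manufacturer's premises.
func NewDemoKeys() (sl1, sk2 *rsa.PrivateKey) {
	sl1, _ = rsa.GenerateKey(rand.Reader, 2048)
	sk2, _ = rsa.GenerateKey(rand.Reader, 2048)
	return sl1, sk2
}

// SignIdentBlock is the encryption device 200 of Figure 3: the digest of (ID, L)
// is signed with SL1. The signature takes the place of KB' next to the plain L.
func SignIdentBlock(sl1 *rsa.PrivateKey, deviceID string, list []byte) ([]byte, error) {
	digest := sha256.Sum256(deviceBinding(deviceID, list))
	return rsa.SignPKCS1v15(rand.Reader, sl1, crypto.SHA256, digest[:])
}

// SignFeatureBlock is the configuration tool's encryption module: MB is signed
// with the first key of the second key pair, independent of SL1.
func SignFeatureBlock(sk2 *rsa.PrivateKey, mb []byte) ([]byte, error) {
	digest := sha256.Sum256(mb)
	return rsa.SignPKCS1v15(rand.Reader, sk2, crypto.SHA256, digest[:])
}

// Unit100 yields S2 = 1 only if KB' verifies, under this device's own ID, with
// the public key of the first key pair held in the protected memory area.
func Unit100(pub1 *rsa.PublicKey, deviceID string, list, kbSig []byte) bool {
	digest := sha256.Sum256(deviceBinding(deviceID, list))
	return rsa.VerifyPKCS1v15(pub1, crypto.SHA256, digest[:], kbSig) == nil
}

// Unit110 yields S3 = 1 only if MB' verifies with the public key of the second pair.
func Unit110(pub2 *rsa.PublicKey, mb, mbSig []byte) bool {
	digest := sha256.Sum256(mb)
	return rsa.VerifyPKCS1v15(pub2, crypto.SHA256, digest[:], mbSig) == nil
}

// Compare is the comparison device 120: S1 = 1 if the requested device function
// (MB, here one function name) is one of the newline-separated functions in L.
func Compare(list, mb []byte) bool {
	for _, f := range bytes.Split(list, []byte("\n")) {
		if len(f) > 0 && bytes.Equal(f, mb) {
			return true
		}
	}
	return false
}

// ProtectionModule is the protection module 70: units 100 and 110, comparison
// device 120 and control device 150, which enables only when S1, S2, S3 are all 1.
func ProtectionModule(pub1, pub2 *rsa.PublicKey, deviceID string,
	list, kbSig, mb, mbSig []byte) (s1, s2, s3, enable bool) {
	s2 = Unit100(pub1, deviceID, list, kbSig)
	s3 = Unit110(pub2, mb, mbSig)
	s1 = Compare(list, mb)
	return s1, s2, s3, s1 && s2 && s3
}

func main() {
	sl1, sk2 := NewDemoKeys()
	const deviceID = "7SA-000123" // constructed sample ID, not a real one
	list := []byte("distance-protection\ndifferential-protection\n")
	kbSig, _ := SignIdentBlock(sl1, deviceID, list)
	mb := []byte("distance-protection")
	mbSig, _ := SignFeatureBlock(sk2, mb)
	run := func(label, id string, list, kbSig, mb, mbSig []byte) {
		s1, s2, s3, en := ProtectionModule(&sl1.PublicKey, &sk2.PublicKey, id, list, kbSig, mb, mbSig)
		fmt.Printf("%-28s S1=%t S2=%t S3=%t enable=%t\n", label, s1, s2, s3, en)
	}
	run("original", deviceID, list, kbSig, mb, mbSig)
	tampered := []byte("distance-protection\ndifferential-protection\npower-quality\n")
	run("KB extended by user", deviceID, tampered, kbSig, mb, mbSig)       // S2=0
	run("KB' copied to other device", "7SA-000999", list, kbSig, mb, mbSig) // S2=0
	badSig, _ := SignFeatureBlock(sl1, mb)
	run("MB signed with wrong key", deviceID, list, kbSig, mb, badSig) // S3=0
	other := []byte("power-quality")
	otherSig, _ := SignFeatureBlock(sk2, other)
	run("function not enabled", deviceID, list, kbSig, other, otherSig) // S1=0
}
```

The two key pairs are kept separate on purpose: a leaked configuration-tool key SK2 lets an attacker produce feature blocks, but not extend the identification block, whose verification key is the only one that governs the enabled scope. Because the ID is part of the signed data, KB' copied from one device to another fails in unit 100 even though the list L itself is unchanged, which is the copy protection of Figure 3.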
The user selects the function modules FM' which he requires and uses the configuration software to produce the appropriate function description block FB, containing the feature block MB which describes the device function required for the field device 10. The configuration software 300 preferably processes only correctly signed function modules FM, in order to ensure that only function modules FM which have been released by the manufacturer can be used. In order also to ensure that only function description blocks FB and feature blocks MB which have been tested by the device manufacturer, classified as reliable and processed further by the configuration software 300 can be used in the field device, the configuration software 300 contains an encryption module which carries out an encryption process - for example based on a hash code - during the production of the function description block FB and the feature block MB. An encrypted function description block FB' and an encrypted feature block MB' are therefore produced on the output side and are checked for authenticity by the protection module 70 of the field device 10 while the device is being started up. By way of example, the above statements have been based on the assumption that one or more permissible device functions which can subsequently be selected by the user is or are defined in the identification block KB. Alternatively, for example, it is also possible to define in the identification block KB one or more basic functions to which optional additional functions can be added by the user. The option scope within which the user can select such options can, for example, be stored in the identification block KB such that each optional additional function has an associated value number. At the same time, the identification block KB defines which total value number the additional options required by the user may have in total (prepaid function). 
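The comparison of the feature block with the identification block (claim 3) together with the prepaid option check just described (claim 17), as an added example written for this page and not the patent's or Siemens' own code: an identification block KB with a basic function block and an option block, and a feature block MB, are read from XML and compared. The XML element and attribute names (identification, device-id, basic, options, max-value, option, feature) are this example's assumption, since the patent's own XML listings are not reproduced on this page; the sample device ID and function names are constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// IdentBlock is the identification block KB: a basic function block (enabled
// basic scope) and an option block (enabled option scope with a prepaid maximum).
// Element names are assumed for this example.
type IdentBlock struct {
	XMLName  xml.Name `xml:"identification"`
	DeviceID string   `xml:"device-id,attr"`
	Basic    []string `xml:"basic>function"`
	MaxValue int      `xml:"options>max-value"`
	Options  []Option `xml:"options>option"`
}

// Option is one optional additional function and its value number.
type Option struct {
	Name  string `xml:"name,attr"`
	Value int    `xml:"value,attr"`
}

// FeatureBlock is the feature block MB produced by the configuration tool.
type FeatureBlock struct {
	XMLName  xml.Name `xml:"feature"`
	Function string   `xml:"function"`
	Options  []string `xml:"option"`
}

func ParseIdentBlock(data []byte) (IdentBlock, error) {
	var kb IdentBlock
	err := xml.Unmarshal(data, &kb)
	return kb, err
}

func ParseFeatureBlock(data []byte) (FeatureBlock, error) {
	var mb FeatureBlock
	err := xml.Unmarshal(data, &mb)
	return mb, err
}

// Compare yields the enable signal S1 and a reason: the requested function must
// be in the basic scope, every selected option must be in the option block, and
// the sum of the selected value numbers must not exceed the maximum value.
func Compare(kb IdentBlock, mb FeatureBlock) (bool, string) {
	inScope := false
	for _, f := range kb.Basic {
		if f == mb.Function {
			inScope = true
			break
		}
	}
	if !inScope {
		return false, "device function not enabled: " + mb.Function
	}
	value := make(map[string]int, len(kb.Options))
	for _, o := range kb.Options {
		value[o.Name] = o.Value
	}
	sum := 0
	for _, name := range mb.Options {
		v, ok := value[name]
		if !ok {
			return false, "option not in option block: " + name
		}
		sum += v
	}
	if sum > kb.MaxValue {
		return false, fmt.Sprintf("option value sum %d exceeds maximum %d", sum, kb.MaxValue)
	}
	return true, fmt.Sprintf("%s enabled, option value sum %d of %d", mb.Function, sum, kb.MaxValue)
}

// Constructed sample blocks (not from the patent).
const SampleKB = `<identification device-id="7SA-000123">
  <basic><function>distance-protection</function><function>differential-protection</function></basic>
  <options><max-value>5</max-value>
    <option name="power-quality" value="3"/><option name="fault-recorder" value="2"/>
    <option name="synchro-check" value="1"/></options>
</identification>`

const SampleMB = `<feature><function>distance-protection</function>
  <option>power-quality</option><option>fault-recorder</option></feature>`

func main() {
	kb, err := ParseIdentBlock([]byte(SampleKB))
	if err != nil {
		panic(err)
	}
	mb, err := ParseFeatureBlock([]byte(SampleMB))
	if err != nil {
		panic(err)
	}
	fmt.Println(Compare(kb, mb)) // 3 + 2 = 5: within the prepaid maximum
	mb.Options = append(mb.Options, "synchro-check")
	fmt.Println(Compare(kb, mb)) // 3 + 2 + 1 = 6 > 5: blocked
}
```

encoding/xml silently ignores elements it does not know and, for a scalar field such as max-value, keeps the last occurrence; in the field device the blocks would be signature-checked by units 100 and 110 before they are parsed, and a strict schema check is advisable so that an unexpected element cannot change the comparison result.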
If the functional scope of the field device 10 is stored in the described manner in the identification block KB, then the protection module 70 checks, after the field device 10 has been started up, whether or not the total value of the additional options required by the user is more than the maximum value defined in the identification block KB. If the total is more than the predetermined maximum value, then the protection module 70 inhibits the operation of the field device 10. In this situation, the user of the field device is forced to request, by applying a new function description block FB, a functional scope which is permissible for the field device 10. Alternatively, the two second keys of the first and second key pair can also be stored in the main memory 30 in the field device 10, provided that the keys are in turn themselves protected, for example by means of an X.509 certificate. By way of example, using the XML format, a feature block MB may appear as follows: An exemplary embodiment of an identification block KB as shown in Figure 1 with a variable application (or device function) which can be selected by the user and with a prepaid function may, using the XML format by way of example, appear as follows: For comparison purposes, the following text shows another exemplary embodiment of an identification block KB with a fixed-defined application using the XML format: 

Patent Claims

1.
A field device (10), in particular a protective device, having a microprocessor arrangement (20) which carries out a program module (PM), which defines the device function, during operation of the field device, characterized in that the field device has a protection device (40) which is designed such that it checks whether an input function description block (FB), which describes a desired device function, describes an enabled device function and, if a device function is not enabled, prevents it from being carried out and, if a device function is enabled, allows it to be carried out.
2. The field device as claimed in claim 1, characterized in that the protection device has an interpreter module (60) which interprets the input function description block (FB) and produces the appropriate program module (PM) using a plurality of function modules (FM) which are preinstalled in firmware in the field device, if the input function description block describes an enabled device function.
3. The field device as claimed in claim 1 or 2, characterized in that the protection device is designed such that it compares a feature block (MB) which is contained in the function description block with an identification block (KB), which is stored in the field device or is accessible to the field device and describes the enabled functional scope of the field device, and prevents the device function which is described in the function description block from being carried out if the features which are described in the feature block are not present or are defined as inhibited in the identification block.
4. The field device as claimed in claim 3, characterized in that the identification block is stored in the field device.
5. The field device as claimed in claim 4, characterized in that the identification block contains a device identification (ID) which identifies the field device for which the identification block is intended.
6. The field device as claimed in claim 3, characterized in that the identification block is stored in an external memory module which is connected to the field device for its operation.
7. The field device as claimed in claim 6, characterized in that the identification block contains a memory identification which identifies the external memory with which the identification block is associated.
8. The field device as claimed in one of the preceding claims 3-7, characterized in that the identification block is signed with an electronic signature, and the protection device is designed such that it prevents the further processing of the function description block if the check of the electronic signature gives a negative result (S2).
9. The field device as claimed in claim 8, characterized in that the protection device is designed such that it decrypts the identification block, which has been encrypted using a first key of a key pair, in order to check the electronic signature using a second key of the key pair.
10. The field device as claimed in claim 9, characterized in that the second key of the key pair is stored in a memory area, which is protected against unauthorized reading, of the field device.
11. The field device as claimed in one of the preceding claims 3-10, characterized in that the protection device is designed such that it checks the feature block for the presence of a valid electronic signature, and prevents the further processing of the function description block if the check of the electronic signature gives a negative result (S3).
12. The field device as claimed in claim 11, characterized in that the protection device is designed such that it decrypts the feature block, which has been encrypted using a first key of a further key pair, in order to check the electronic signature using a second key of the further key pair.
13. The field device as claimed in claim 12, characterized in that the second key of the further key pair is stored in a memory area which is protected against unauthorized reading.
14. The field device as claimed in one of the preceding claims 10-13, characterized in that the memory area which is protected against unauthorized reading is integrated in an ASIC, FPGA or CPLD module.
15. The field device as claimed in one of the preceding claims 10-14, characterized in that the memory area which is protected against unauthorized reading is integrated in a module which controls a data bus or an interface of the field device.
16. The field device as claimed in one of the preceding claims, characterized in that the identification block contains a basic function block and an option block, with the basic function block defining an enabled basic functional scope of the field device, and with the option block defining an enabled option scope within which further additional functions may be added to the basic functional scope by the user without this leading to the field device being blocked by the protection device.
17. The field device as claimed in claim 16, characterized in that a value number is in each case stored in the option block for each optional additional function, and the enabled option scope is defined by a maximum value, with the protection device adding the value numbers of the additional functions which have been selected by the user and preventing the resultant device function from being carried out if the sum value is more than the maximum value.
18. The field device as claimed in one of the preceding claims 3-17, characterized in that the identification block describes only a single device function, and does not allow any options. |
3877-KOLNP-2008-(11-07-2013)-ABSTRACT.pdf
3877-KOLNP-2008-(11-07-2013)-CLAIMS.pdf
3877-KOLNP-2008-(11-07-2013)-CORRESPONDENCE.pdf
3877-KOLNP-2008-(11-07-2013)-DESCRIPTION (COMPLETE).pdf
3877-KOLNP-2008-(11-07-2013)-FORM-1.pdf
3877-KOLNP-2008-(11-07-2013)-FORM-2.pdf
3877-KOLNP-2008-(11-07-2013)-FORM-3.pdf
3877-KOLNP-2008-(11-07-2013)-OTHERS.pdf
3877-KOLNP-2008-(11-07-2013)-PETITION UNDER RULE 137.pdf
3877-kolnp-2008-correspondence.pdf
3877-kolnp-2008-description (complete).pdf
3877-kolnp-2008-international publication.pdf
3877-kolnp-2008-international search report.pdf
3877-kolnp-2008-pct request form.pdf
3877-kolnp-2008-specification.pdf
Patent Number | 259350 | |||||||||
---|---|---|---|---|---|---|---|---|---|---|
Indian Patent Application Number | 3877/KOLNP/2008 | |||||||||
PG Journal Number | 11/2014 | |||||||||
Publication Date | 14-Mar-2014 | |||||||||
Grant Date | 10-Mar-2014 | |||||||||
Date of Filing | 23-Sep-2008 | |||||||||
Name of Patentee | SIEMENS AKTIENGESELLSCHAFT | |||||||||
Applicant Address | WITTELSBACHERPLATZ 2, 80333 MUNCHEN | |||||||||
Inventors | | |||||||||
PCT International Classification Number | G05B 19/042 | |||||||||
PCT International Application Number | PCT/DE2006/000575 | |||||||||
PCT International Filing date | 2006-03-29 | |||||||||
PCT Conventions | | |||||||||