Security of a computer-based system involves verifying that a user has the relevant authority before the user can perform actions such as invoking a program, opening a file or performing certain operations on certain entities.
In a computer-based control and manufacturing execution system individual users are defined as members of a group such as operator, engineer, planner or manager. This approach is common in industries such as chemical, pharmaceutical, food, metal, mines, pulp and paper. Other industries and utilities where the same approach is used are automotive, consumer products, power generation, power distribution, waste water handling, oil refineries, gas pipe-lines and off-shore platforms. Traditional methods for security in control and manufacturing systems are based on permissions a certain user has to perform certain operations on certain entities. As an example, in a control and manufacturing system the authority scheme for a traditional human machine interface would allow certain users access to certain entities through certain displays. An operator having supervision and control responsibility of the dryer in a pulp mill would have authority to access graphical displays and control templates for the drying section of a pulp mill. A manager at the same pulp mill could have authority to access and view the same graphical displays for information purposes but that manager would not have access to the corresponding control templates.
A description of a security and authority scheme in a conventional control system is known from U.S. Pat. No. 4,886,590. A hierarchy of authorization keys limits access to the apparatus depending upon the level of authority of the person seeking access. Different degrees of authority may be delegated to an apparatus operator, a supervisor and servicing personnel. At the lowest authorization level an operator can operate the apparatus. At the next higher authorization level, operating parameters such as target points and batch characteristics may be altered. At the highest authorization level, alterations can be made to the system software. The authorization is static while a user is logged on to the system.
A problem in a conventional control and manufacturing execution system is that the security does not adapt to changes in the relationships between different entities. Such changes may for example be caused by the progress of a specific batch between different sections of production equipment, or by the progress through different stages of preparation of a production order or a customer invoice. For instance, while a real world entity such as a batch of pharmaceuticals is in the production planning phase, it is appropriate to have access to a software function for allocation of raw material. Once the batch has been manufactured and goes into the product warehouse, it is no longer appropriate to allocate raw material for that batch. Security in a conventional control and manufacturing execution system, however, is limited to giving certain users access only to certain predefined views, displays and tools in the system.
Another problem in a conventional control and manufacturing execution system is how to arrange software objects in a more efficient way and let a user access different perspectives of software objects in a secure manner. The large number of real world entities represented in the system is in itself a challenge, since they may number from thousands up to several millions. Further, each of the real world entities is represented in several software applications. The number of different software applications in a control and manufacturing execution system is typically between ten and one hundred.
A control system may in itself be regarded as a software application. Examples of functions in a control system are a graphical display of process equipment, a list of active alarms, a trend curve display and the configuration of a control program. Another example of a software application is maintenance software that includes functions for fault reports, maintenance history, planned maintenance, a list of associated spare parts, down-time analysis etc. Another example of a software application is a simulation package that includes functions such as what-if analysis before introducing set point changes to a polymer reactor.
A task of a control and manufacturing system is to find a suitable representation of the different relations between real world entities. As an example, a real world entity such as a vessel belongs to a production plant and has been installed in a specific building on a certain floor. The same vessel is part of a liquid processing line and is a member of a unit whose function is to mix ingredients. At a certain point in time, the vessel is allocated to the production of a certain batch. To the vessel a number of units are tied, which handle the actual control of the process. Examples of units tied to a real world entity such as a vessel are controllers, Programmable Logic Controllers (PLCs) and intelligent and non-intelligent field devices. The controllers, PLCs and field devices can in turn be tied to other real world entities in addition to the vessel.
Another task of a computer system is to provide a user with access to, and a means to manage, different kinds of information about entities at an industrial plant. This is complicated by the fact that the information and functionality related to these entities are spread across many different software applications. In a control and manufacturing execution system there is usually some common ground between software applications regarding standards. With the progress of de-facto standards such as Transmission Control Protocol/Internet Protocol (TCP/IP), Hypertext Markup Language (HTML) and Extensible Markup Language (XML), remote access from one industrial plant to another is increasingly carried out using Internet technology. Another important standard is published by Microsoft (Trademark) and is called Component Object Model (COM). COM describes a standard for interoperability between parts of one or more software applications. The specification is available on the Microsoft Developer Network (MSDN) web site. But in a conventional control and manufacturing execution system this common ground in technology is seldom transformed into a substantial degree of integration where the user, for instance the operator of a control system, has access to and can use in an efficient way functions in different software applications at a production plant. One reason why operators and other users of a control system are commonly denied the benefits of integrated systems is that information and access to functions related to a certain real world entity are spread across a number of different software applications.
In a conventional control and manufacturing execution system user authority is tied to a certain software application. One physical person could very well be associated with several users. Each user would have an authority configuration, typically based on membership in a group of users, where the authority applies to a certain software system. An example of such authority and software system is the engineer's view for configuration of control templates in a control system. Another example of user authority and associated software system is remote disk access in the current domain of an operating system. Yet another example is the authority to create new orders in the order module of an Enterprise Resource Planning system. With commercial software products such as Microsoft's Windows 2000 (Trademark) it has become easier to utilize one workplace or workstation for several purposes. The specifications of the security model for Windows 2000 and Windows NT (Trademark) are available on the Microsoft MSDN web site. The specification of the NT file system, NTFS (Trademark), is also available on Microsoft's web site. The security in NTFS is focused on handling the security of files on one or several disks in a computer network.
Some progress has been made in the field of operating systems in order to facilitate improved security for programs available on a computer system having different security protocols. U.S. Pat. No. 5,604,490 describes an improvement to the security of an operating system. The operating system provides a security system for a computer or network having multiple security subsystems. The operating system unifies the security protocols for each user based on unique user credentials. User credentials are associated with a so-called user handle, which is mapped to the unique user's credentials for each program procedure. Once a request for an object accessed through the server is made, the system grants access to the object based on the new user credentials associated with the handle.
There are certain problems that need to be addressed in a control and manufacturing execution system. One specific issue in control and manufacturing is that however well planned production is, the plan may need to be changed. There are many reasons why a production plan might not be feasible. For instance, if the allocated raw material turns out to be of bad quality or of the incorrect type, the planned lot cannot be produced. If at this stage the production plan cannot be met, it would be beneficial for the operator to have access to the latest information on order stock, in order to have a chance to choose the next best product to produce. A problem is that in a conventional production and manufacturing execution system the operator would at this stage either have to wait for information from a colleague or take the risk of running a product of a certain specification that might end up in stock. Even worse, it may not be possible to keep the process on hold, and the operator might be forced to re-process the raw material or treat it as waste. As an example, an operator may be supposed to produce a certain amount of aluminum of a type called A. The operator finds that the available raw material does not meet the specification required for product type A, but the raw material would allow the operator to produce product B. At this stage it would be beneficial to look in the production plan and search for product B. If product B is not planned for production, a search in the list of new orders may give a match so that production can be made against an order. However, even if this is the only type of search and access that the operator needs to perform in the production planning and order system, it can be a lengthy and costly procedure to make that possible. In the worst case this means that an operator would have to learn not only several log-in procedures but also several different user environments for the software applications involved.
In practice the result is that in a conventional control and manufacturing execution system only certain individuals use certain software applications. Even though it would be beneficial for an operator to get an update on the current order status by extracting that information from the order system, that is usually not considered secure and practical.
In the light of the problems mentioned above the inventors have found that there is a need for a system where user authority depends not only on the user who is logged in but also on the relations between the entities that the user interacts with. The system should adapt to changes in the control and manufacturing execution system during the time of a user log-in.
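To make the distinction concrete, the following added example (illustrative code, not part of the patent text or any product it describes) contrasts the conventional group-only check, which is fixed at log-in, with a check that also consults the batch's current lifecycle state and the production unit it is tied to. The permission table, group names, unit names and lifecycle states are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data (illustrative, not from the patent): conventional
# per-group permissions on (entity type, operation), fixed for the session.
STATIC_PERMISSIONS = {
    "operator": {("dryer_display", "view"), ("dryer_template", "control"),
                 ("batch", "control")},
    "manager":  {("dryer_display", "view")},
    "planner":  {("batch", "allocate_raw_material")},
}

# Batch lifecycle states in which allocating raw material is still meaningful.
ALLOCATION_STATES = {"planning"}


@dataclass
class Batch:
    batch_id: str
    state: str                 # "planning", "in_production" or "in_warehouse"
    allocated_unit: str = ""   # production unit the batch is currently tied to


@dataclass
class User:
    name: str
    groups: set
    responsible_units: set = field(default_factory=set)


def static_check(user, entity_type, operation):
    """Conventional check: group membership alone decides, so the answer
    cannot change while the user stays logged on."""
    return any((entity_type, operation) in STATIC_PERMISSIONS.get(g, set())
               for g in user.groups)


def dynamic_check(user, batch, operation):
    """Relation-aware check: group membership is necessary, but the current
    state and relations of the batch decide whether the operation is allowed,
    so the effective authority follows the batch through production."""
    if not static_check(user, "batch", operation):
        return False
    if operation == "allocate_raw_material":
        # allocation only while the batch is still being planned
        return batch.state in ALLOCATION_STATES
    if operation == "control":
        # control only through a unit the user is responsible for
        return batch.allocated_unit in user.responsible_units
    return False
```

With the same planner and the same batch, the static check keeps answering yes after the batch has moved to the warehouse, while the dynamic check starts answering no without the user having to log off.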