A plant control system is known which includes a safety control apparatus for performing a stop operation of a plant in response to an abnormal signal from the plant at the time of occurrence of abnormality for safe operation of the plant.
FIG. 5 is a functional block diagram showing one example of a plant control system in which a safety control apparatus is combined with a distributed control apparatus. Reference numeral 1 is a plant as a controlled object, and reference numeral 2 is a control apparatus of the distributed control apparatus and performs control of a field device of the plant 1.
The control apparatus 2 communicates with a host operation monitoring apparatus 4 through a control bus 3. The operation monitoring apparatus 4 is connected to a global communication bus 5 and can communicate with an external PC 6 through this global communication bus 5.
Reference numeral 10 is an engineering apparatus for changing definition information (security level) about a system, and is connected to the control bus 3. This engineering apparatus 10 is also connected to the global communication bus 5 and can communicate with the operation monitoring apparatus 4 and the external PC 6.
Reference numeral 20 is a safety control apparatus connected to the control bus 3. This safety control apparatus 20 communicates with the engineering apparatus 10 through the control bus 3 and also communicates with the field device of the plant 1 and performs shutdown processing for performing a stop operation of the plant in response to an abnormal signal from the plant 1.
In the safety control apparatus 20, reference numeral 21 is a communication interface part. It accepts the data change requests and security change requests downloaded from the engineering apparatus 10, passes each security change request to a security management part 22, and passes each data change request to a request acceptance task 23.
Reference numeral 24 is a security level holding part, and holds the present security state (security level) of the safety control apparatus 20. Which contents of the database or program described below can be rewritten depends on the security level.
Only the security management part 22 has the authority to change the security state held by the security level holding part 24. When the security management part 22 receives a security change request from the engineering apparatus 10 and changes the security state of the security level holding part 24, it refers to the contents of a password holding part 25.
The request acceptance task 23 consists of a group of tasks that accept various change requests with respect to the safety control apparatus 20, and refers to the present security information held by the security level holding part 24 when performing acceptance processing.
Each of the request acceptance tasks 23 decides whether or not to pass a change request to a request processing task 26 based on the security information referred to. The request processing task 26 refers to or sets a program 27 or a database 28 based on the change request passed from the request acceptance task 23.
To change data of the database 28 or the contents of the program 27 of the safety control apparatus 20, a user first performs a security change operation from the engineering apparatus 10. At this time, in order to change the security state of the safety control apparatus 20 from the engineering apparatus 10, the password corresponding to that security state is required.
The safety control apparatus 20 can change the security state only when a proper password is set from the engineering apparatus 10. That is, the safety control apparatus 20 treats whoever knows the password as a special user having the change authority.
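The password-gated change path described above (parts 21 to 28), as an added example that is not part of the original description: a Python model in which the security level holding part accepts a new level only from the security management part, the management part changes the level only after the password for the requested level verifies against the password holding part, and the request acceptance task forwards a change request to the processing task only when the present level permits its target. The level names, the level hierarchy (PROGRAM also permitting database writes), the salted PBKDF2 storage in the password holding part, and the sample passwords are assumptions of the example.

```python
"""Model of the gated change path in safety control apparatus 20 (parts 21-28).
Level names, the level hierarchy, password hashing and the sample passwords are
assumptions of this example, not details taken from the original description."""
import hashlib
import hmac
import os
from enum import IntEnum


class SecurityLevel(IntEnum):
    LOCKED = 0    # normal operation: no rewrites accepted (assumed)
    DATABASE = 1  # database 28 may be rewritten (assumed)
    PROGRAM = 2   # program 27 and database 28 may be rewritten (assumed)


class PasswordHoldingPart:
    """Part 25: one salted PBKDF2 hash per level (hashing is an assumption)."""
    def __init__(self, passwords):
        self._entries = {}
        for level, pw in passwords.items():
            salt = os.urandom(16)
            self._entries[level] = (salt, self._digest(salt, pw))

    @staticmethod
    def _digest(salt, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def verify(self, level, pw):
        if level not in self._entries:
            return False
        salt, stored = self._entries[level]
        return hmac.compare_digest(stored, self._digest(salt, pw))  # constant time


class SecurityLevelHoldingPart:
    """Part 24: holds the present level; only the bound management part may set it."""
    def __init__(self):
        self.level, self.owner = SecurityLevel.LOCKED, None

    def set_level(self, caller, level):
        if caller is not self.owner:
            raise PermissionError("only the security management part may change the level")
        self.level = level


class SecurityManagementPart:
    """Part 22: changes the level only when the password for that level matches."""
    def __init__(self, level_part, password_part):
        self.level_part, self.passwords = level_part, password_part
        level_part.owner = self  # part 24 accepts changes from this part alone

    def handle(self, requested, password):
        if not self.passwords.verify(requested, password):
            return False
        self.level_part.set_level(self, requested)
        return True


class RequestProcessingTask:
    """Part 26: applies accepted requests to program 27 or database 28."""
    def __init__(self):
        self.program, self.database = {}, {}

    def process(self, target, key, value):
        (self.program if target == "program" else self.database)[key] = value


class RequestAcceptanceTask:
    """Part 23: forwards a request to part 26 only if the present level permits its target."""
    REQUIRED = {"database": SecurityLevel.DATABASE, "program": SecurityLevel.PROGRAM}

    def __init__(self, level_part, processor):
        self.level_part, self.processor = level_part, processor

    def accept(self, target, key, value):
        needed = self.REQUIRED.get(target)
        if needed is None or self.level_part.level < needed:
            return False  # dropped: never reaches the processing task
        self.processor.process(target, key, value)
        return True


class CommunicationInterfacePart:
    """Part 21: routes security change requests to 22 and data change requests to 23."""
    def __init__(self, passwords):
        self.level_part = SecurityLevelHoldingPart()
        self.security = SecurityManagementPart(self.level_part, PasswordHoldingPart(passwords))
        self.processor = RequestProcessingTask()
        self.acceptance = RequestAcceptanceTask(self.level_part, self.processor)

    def security_change(self, level, password):
        return self.security.handle(level, password)

    def data_change(self, target, key, value):
        return self.acceptance.accept(target, key, value)


def demo():
    """Constructed session driving the apparatus from LOCKED through both levels."""
    iface = CommunicationInterfacePart({SecurityLevel.DATABASE: "db-secret",
                                        SecurityLevel.PROGRAM: "prog-secret"})
    return {
        "db_write_while_locked": iface.data_change("database", "SP1", 10),
        "unlock_wrong_password": iface.security_change(SecurityLevel.DATABASE, "guess"),
        "unlock_database": iface.security_change(SecurityLevel.DATABASE, "db-secret"),
        "db_write_at_database_level": iface.data_change("database", "SP1", 10),
        "program_write_at_database_level": iface.data_change("program", "LOOP1", "v2"),
        "unlock_program": iface.security_change(SecurityLevel.PROGRAM, "prog-secret"),
        "program_write_at_program_level": iface.data_change("program", "LOOP1", "v2"),
        "final_level": iface.level_part.level,
    }
```

Calling demo() walks the apparatus from LOCKED through both levels and returns the acceptance decision at each step. The model also makes the design point stated above visible: nothing beyond the password is checked when the level is changed, so the apparatus treats whoever presents the correct password as the user with change authority.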
A process control apparatus comprising a security management function is described in Patent Reference 1.
See Patent Reference 1: JP-A-2005-301935