CN114598413A - Safe distributed control system supporting time sensitive network function - Google Patents

Safe distributed control system supporting time sensitive network function Download PDF

Info

Publication number
CN114598413A
CN114598413A CN202210087624.6A CN202210087624A CN114598413A CN 114598413 A CN114598413 A CN 114598413A CN 202210087624 A CN202210087624 A CN 202210087624A CN 114598413 A CN114598413 A CN 114598413A
Authority
CN
China
Prior art keywords
time
control module
module
sensitive
control
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210087624.6A
Other languages
Chinese (zh)
Other versions
CN114598413B (en
Inventor
巴静
王文海
李新玲
徐斌
马聪威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Uwntek Automation System Co ltd
Zhejiang University ZJU
Original Assignee
Hangzhou Uwntek Automation System Co ltd
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Uwntek Automation System Co ltd, Zhejiang University ZJU filed Critical Hangzhou Uwntek Automation System Co ltd
Priority to CN202210087624.6A priority Critical patent/CN114598413B/en
Publication of CN114598413A publication Critical patent/CN114598413A/en
Application granted granted Critical
Publication of CN114598413B publication Critical patent/CN114598413B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04JMULTIPLEX COMMUNICATION
    • H04J3/00Time-division multiplex systems
    • H04J3/02Details
    • H04J3/06Synchronising arrangements
    • H04J3/0635Clock or time synchronisation in a network
    • H04J3/0638Clock or time synchronisation among nodes; Internode synchronisation
    • H04J3/0658Clock or time synchronisation among packet nodes
    • H04J3/0661Clock or time synchronisation among packet nodes using timestamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a safe distributed control system supporting time sensitive network function, comprising: the distributed control module is positioned at the bottom layer of the safe distributed control system and is used for acquiring industrial field state data and receiving field control data; the centralized control module is positioned at the top layer of the safe distributed control system and used for receiving the industrial field state data sent by the distributed control module and sending field control data to the distributed control module through control operation; and the time-sensitive network switching control module group is connected with the distributed control module and the centralized control module and is used for synchronizing the time information of all the modules so as to enable the modules to work under a uniform time reference, setting and executing each network port gate control table according to a flow scheduling algorithm and ensuring that the field control messages sent by the centralized control module reach each bottom control module at the same time after passing through each level of time-sensitive switching control module.

Description

Safe distributed control system supporting time sensitive network function
Technical Field
The application relates to the technical field of industrial control network communication, in particular to a safe distributed control system supporting a time sensitive network function.
Background
A distributed control system is a specially designed control system for controlling complex, large and geographically distributed applications in an industrial process. The current distribution is that the control system communication modes are mainly divided into field bus, traditional industrial ethernet and standard ethernet. The fieldbus arrangement is costly, low bandwidth, resulting in limited large-scale applications. The traditional industrial Ethernet protocols are various in types, most of the traditional industrial Ethernet protocols need respective special hardware support and special integrated circuits, and are incompatible with each other, so that the development of future industrial networks cannot be supported. The standard ethernet is a best effort-based transmission mechanism, and under a complex network environment, transmission delay and jitter are uncontrollable and cannot be applied to a distributed control scenario with high coordination and deterministic transmission requirements.
The distributed control system is also a complex physical information system, and faces the threat of information security and functional security, and an attacker can invade a physical space by attacking the information space. The prior industrial control field usually adopts technologies such as a firewall or a security gateway, the technologies represented by the former are usually realized on a fixed protocol system, the existing loophole of the protocol system cannot be solved, the protection has boundary, the boundary expansion means larger performance consumption, and in addition, the abnormal condition cannot be distinguished from the flow, and the flow attack is easy to be suffered. The latter industrial security gateway is a representative technology, and generally only can support the security isolation of a specific industrial protocol, and has no generality, and the IOT fusion is difficult to realize.
Disclosure of Invention
The embodiment of the application aims to provide a safe distributed control system supporting a time-sensitive network function, which can greatly improve the dynamic cooperative control precision between distributed controllers and the safe reliability of data transmission, and meanwhile, solves the problem that the current non-time-sensitive network controller cannot be accessed, and improves the expandability of the system.
According to a first aspect of embodiments of the present application, there is provided a secure distributed control system supporting a time-sensitive network function, including:
the distributed control module is positioned at the bottom layer of the safety distributed control system and is used for acquiring industrial field state data and receiving field control data;
the centralized control module is positioned at the top layer of the safe distributed control system and used for receiving the industrial field state data sent by the distributed control module and sending field control data to the distributed control module through control operation;
and the time-sensitive network switching control module group is connected with the distributed control module and the centralized control module and is used for synchronizing the time information of all the modules, enabling the modules to work under a uniform time reference, setting and executing gate control tables of all the network ports according to a flow scheduling algorithm and ensuring that field control data sent by the centralized control module reaches all the bottom control modules at the same time after passing through all the time-sensitive switching control modules.
Furthermore, the distributed control module is a trusted control module or an untrusted control module, and the trusted control module or the untrusted control module is divided into a time-sensitive network control module and a non-time-sensitive network control module;
the time sensitive network control module directly performs time synchronization with the time sensitive network exchange control module;
the non-time-sensitive network control module needs to perform time synchronization with the time-sensitive network switching control module through a time synchronization conversion module, and the time synchronization conversion module of the non-time-sensitive network control module is connected with the time synchronization module in the time-sensitive network switching control module.
Further, the time synchronization conversion module comprises a time request module, an error calculation and comparison module, a system time maintenance module and a time correction module; the time request module periodically sends a time request message to the time synchronization module, the time synchronization module sends a time response message containing synchronization time information to the error calculation and comparison module after receiving the request message, the error calculation and comparison module carries out error calculation and jitter filtering on the received synchronization time information and system time in the system time maintenance module and then sends the synchronization time information and the system time information to the time correction module, the time correction module calculates a time correction value and sends the time correction value to the system time maintenance module, and the system time maintenance module completes system time updating according to the time correction value so as to ensure that the distributed control module and the time sensitive network switching control module work under the same time reference, thereby realizing end-to-end deterministic communication and control.
Further, the time-sensitive exchange control module group is further configured to:
monitoring and filtering the flow of the non-trusted control module at a data link layer, and only receiving the flow matched with a specific field of a message, wherein the length of a frame, the arrival time, the speed and the burst byte number all accord with the flow preset with requirements;
and rewriting the priority in a Vlan-Tag field in the data message for mapping to a traffic scheduling gating table inside the system.
Further, the time-sensitive exchange control module group includes a plurality of time-sensitive exchange control modules, and the time-sensitive exchange control modules are connected in a topology manner.
Further, the time-sensitive switching control module includes:
the central control module network interface or the uplink cascade network interface is used for exchanging data with a directly connected central control module or other time-sensitive exchange control modules with smaller series number away from the central control module, wherein the series number is the sum of the number of the time-sensitive exchange control modules contained in the path between the current time-sensitive exchange module and the central control module;
the trusted control module network interface or the downlink cascade network interface is used for exchanging data with a directly connected trusted control module or other time-sensitive exchange control modules with smaller series number from the trusted control module, wherein the series number is the sum of the number of the time-sensitive exchange control modules contained in the path between the current time-sensitive exchange module and the trusted control module;
The non-trusted control module network interface is used for exchanging data with a directly connected non-trusted control module;
the data exchange module is used for exchanging data among all network interfaces of the time-sensitive exchange control module;
the time synchronization module is used for performing time synchronization on all modules in the time-sensitive exchange control module group by adopting a synchronization mechanism based on a hardware timestamp, sending nanosecond-level time information to a non-time-sensitive network control module of an access system by a sending request mechanism, maintaining the system time information of the time-sensitive exchange module by the time synchronization module, and providing time reference for the dynamic cooperative control module and all network ports;
the safety monitoring and filtering module is used for performing real-time data flow identity filtering, data frame size filtering, expected schedule filtering, data flow priority conversion, flow rate and data frame burst size monitoring and filtering on flow and then entering the data exchange module; if the flow comes from the untrusted control module, the flow firstly passes through the security monitoring filtering module and then enters the data exchange module, otherwise, the flow directly enters the data exchange module;
and the dynamic cooperative control module is used for setting and executing the gate control table of each network port according to the flow scheduling algorithm.
Further, the network port gating table is based on a 3-bit priority code in an 802.1Q Vlan tag, and has a value range of 0 to 7, which respectively represents 8 priority queues.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
according to the embodiment, the time-sensitive network with real-time performance and certainty is adopted, and the problems that the field bus technology is high in arrangement cost, low in bandwidth, limited in large-scale application, incapable of compatibility among traditional industrial Ethernet protocols, uncontrollable in standard Ethernet delay and jitter and the like are solved, so that large-scale networked data transmission with high bandwidth, low jitter and protocol universality can be achieved.
The invention adopts the flow scheduling algorithm of dynamic cooperative control, can eliminate the uncertain delay of the best-effort data flow to the key flow such as the field state data, the field control data and the like in the distributed control system, so that the centralized controller can collect the field control message in real time in a preset period and dynamically transmit the field information data message at a preset moment, thereby realizing the accurate cooperative control among the distributed control modules.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and, together with the description, serve to explain the principles of the application.
FIG. 1 is a block diagram illustrating a secure distributed control system supporting time-sensitive network functions in accordance with an exemplary embodiment.
Fig. 2 is a schematic block diagram of a time sensitive network switching control module shown in accordance with an example embodiment.
FIG. 3 is a block diagram illustrating a time-sensitive network based distributed control system networking in accordance with an exemplary embodiment.
FIG. 4 is a flowchart illustrating the operation of a security monitoring module according to an exemplary embodiment.
FIG. 5 is a functional block diagram of a time synchronization interface sub-module of a non-time sensitive network control module shown in accordance with an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Referring to fig. 1, an embodiment of the present invention provides a secure distributed control system supporting a time-sensitive network function, including: the system comprises a distributed control module, a centralized control module and a time-sensitive network exchange control module group.
The distributed control module is positioned at the bottom layer of the safety distributed control system and used for acquiring industrial field state data and receiving field control data.
Specifically, the distributed control module is a trusted control module or an untrusted control module, and for example, the untrusted control module may be a control module of a third party. The trusted control module or the non-trusted control module is divided into a time sensitive network control module and a non-time sensitive network control module; the time sensitive network control module directly performs time synchronization with the time sensitive network exchange control module; the non-time-sensitive network control module needs to perform time synchronization with the time-sensitive network switching control module through a time synchronization conversion module, and the time synchronization conversion module of the non-time-sensitive network control module is connected with the time synchronization module in the time-sensitive network switching control module.
In the embodiment of the invention, the non-time-sensitive network control module can also be accessed into the system through the time synchronization interface sub-module to realize high-precision time synchronization with all equipment in the system, so that the end-to-end deterministic communication is achieved, and the control task of microsecond-level time precision can be cooperatively completed among the distributed control modules under the unified time reference. Therefore, the safe distributed control system supporting the time-sensitive network function can be compatible with TSN (time-sensitive network) end equipment and non-TSN end equipment at the same time, and has expandability.
Further, as shown in fig. 5, the time synchronization conversion module includes a time request module, an error calculation and comparison module, a system time maintenance module, and a time correction module; the time request module periodically sends a time request message to the time synchronization module, the time synchronization module sends a time response message containing synchronization time information to the error calculation and comparison module after receiving the request message, the error calculation and comparison module carries out error calculation and jitter filtering on the received synchronization time information and system time in the system time maintenance module and then sends the synchronization time information and the system time information to the time correction module, the time correction module calculates a time correction value and sends the time correction value to the system time maintenance module, and the system time maintenance module completes system time updating according to the time correction value so as to ensure that the distributed control module and the time sensitive network switching control module work under the same time reference, thereby realizing end-to-end deterministic communication and control.
The centralized control module is positioned at the top layer of the safe distributed control system and is used for receiving industrial field state data sent by the distributed control module and sending field control data to the distributed control module through control operation; for example, industrial field status data is received during odd cycles and field control data is transmitted during even cycles.
The time-sensitive network switching control module group is connected with the distributed control module and the centralized control module and used for synchronizing the time information of all the modules, enabling the modules to work under a uniform time reference, setting and executing each network port gate control table according to a flow scheduling algorithm and ensuring that field control data sent by the centralized control module reaches each bottom control module at the same time after passing through each level of time-sensitive switching control module.
Further, in order to access the untrusted control module to the secure distributed control system without reducing the security of the system, the time-sensitive exchange control module group is further configured to:
monitoring and filtering the flow of the non-trusted control module at a data link layer, and only receiving the flow matched with a specific field of a message, wherein the length of a frame, the arrival time, the speed and the burst byte number all accord with the flow preset with requirements; and rewriting the priority in the Vlan-Tag field in the data message for mapping to a traffic scheduling gating table inside the system to implement more accurate traffic scheduling.
Specifically, the time-sensitive switching control module group includes a plurality of time-sensitive switching control modules, and the time-sensitive switching control modules may be connected in any topology.
Specifically, the time-sensitive switching control module includes: the network interface of the centralized control module or the uplink cascade network interface, the network interface of the trusted control module or the downlink cascade network interface, the network interface of the untrusted control module, the data exchange module, the time synchronization module, the security monitoring and filtering module and the dynamic cooperative control module, and the schematic block diagram is shown in fig. 2 below.
The centralized control module network interface or the uplink cascade network interface is used for exchanging data with a directly connected centralized control module or other time-sensitive exchange control modules with smaller series at a distance from the centralized control module, wherein the series is the sum of the number of the time-sensitive exchange control modules contained in the path between the current time-sensitive exchange module and the centralized control module; and the centralized controller module sends field control messages to the trusted and untrusted control modules through the interface.
The trusted control module network interface or the downlink cascade network interface is used for exchanging data with a directly connected trusted control module or other time-sensitive exchange control modules with smaller series number from the trusted control module, wherein the series number is the sum of the number of the time-sensitive exchange control modules contained in the path between the current time-sensitive exchange module and the trusted control module; the trusted control module sends the field state message to the centralized control module through the interface.
The network interface of the non-trusted control module is used for exchanging data with the directly connected non-trusted control module; and the non-trusted control module sends a field state message to the centralized control module through the interface.
The data exchange module is used for exchanging data among all network interfaces of the time-sensitive exchange control module; and receiving the field control message and the field state message according to a network exchange protocol, and forwarding the field control message and the field state message to a specified network interface.
The time synchronization module is used for performing time synchronization on all modules in the time-sensitive exchange control module group by adopting a synchronization mechanism based on a hardware timestamp, sending nanosecond-level time information to a non-time-sensitive network control module of an access system by a sending request mechanism, maintaining the system time information of the time-sensitive exchange module by the time synchronization module, and providing time reference for the dynamic cooperative control module and all network ports; all equipment nodes in the distributed control system can realize high-precision time synchronization, can work cooperatively under the unified time reference, can quickly integrate a common non-time sensitive controller into a large-scale networked time sensitive network control system, and enables the time sensitive controller to have time sensitive characteristics, so that the applicability and the compatibility of the system are improved.
The safety monitoring and filtering module is used for performing real-time data flow identity filtering, data frame size filtering, expected schedule filtering, data flow priority conversion, flow speed and data frame burst size monitoring and filtering on flow, and then entering the data exchange module; if the flow comes from the untrusted control module, the flow firstly passes through the security monitoring filtering module and then enters the data exchange module, otherwise, the flow directly enters the data exchange module; the module monitors and filters external traffic from multiple dimensions such as data identity, arrival time, sending rate, burst size and single frame size, intercepts traffic which is not in line with expected setting of a system on a data link layer, and greatly improves safety and reliability of data transmission in the system.
The working flow chart of the safety monitoring filtering module is shown in the following figure 4. The data flow identity filtering is to perform flow classification and filtering on the message according to the key fields in the message, so that only the flow classes meeting the system requirements enter the system, and the key fields of the flow identification include, but are not limited to, a destination MAC, a source MAC, a VLAN ID, a source IP, a destination IP, a DSCP port number, a source port number, a destination port number, and the like. Data frame size filtering is the filtering of data frames by setting the maximum data frame size allowed through the control system. Expected schedule filtering further filters unexpected data from the time dimension by configuring the gating queue table to receive data according to expected data transmission periods and phases. The priority conversion sets internal priority for data after passing entrance gating by rewriting the priority in the Vlan-Tag field in the data packet, and is used for mapping to a traffic scheduling gating table inside the system to implement accurate traffic scheduling. The flow rate and data frame burst size monitoring and filtering utilizes a token bucket algorithm to limit the flow and the data packet burst size, and can effectively prevent system paralysis caused by external flow attack.
And the dynamic cooperative control module is used for setting and executing each network port gating table according to a flow scheduling algorithm. The dynamic cooperative control module configures gate control tables of all network ports in the time-sensitive network switching control module group through a flow scheduling algorithm under a unified time reference provided by the time synchronization module, all nodes in the system transmit specific data in a determined time based on a unified scheduling strategy, and the uncertain jitter of non-time-sensitive flow to the time-sensitive flow in a best effort transmission mode is effectively avoided, so that field state messages acquired by all bottom layer control modules can be sent to the centralized control module in real time in a state data reporting period for unified control operation, and meanwhile, in a control data issuing period, the field control messages dynamically sent by the centralized control module can accurately reach all bottom layer control modules at the same time, and high-precision distributed cooperative control is realized.
The network port gating table is based on 3-bit priority codes in 802.1Q Vlan tags, has a numerical range of 0-7 and respectively represents 8 priority queues. Non-time-sensitive flow is mapped to a queue 0, namely, a Vlan tag priority field of a message is assigned with 0, the field state message and the field control message are mapped to queues A and B respectively, wherein 0< A, B < 7, and a network port opens gate control switches of different queues at different time intervals according to a gate control table distributed by a flow scheduling algorithm, so that accurate arrival time of the flow is ensured.
The data transmission period of the safe distributed control system supporting the time sensitive network function can be divided into a state reporting period and a control issuing period. The distributed control module starts to transmit the field state messages at the starting time of the state reporting period, and the centralized control module transmits the field control messages at the starting time of the control issuing period.
The field state message is industrial field state data acquired by each distributed control module. The field state message and other non-time-sensitive flow sent to the centralized control module enter the time-sensitive network exchange control module from the network interface of the trusted or non-trusted control module or the downlink cascade network interface, if the flow comes from the non-trusted control module, the flow firstly passes through the safety monitoring filtering module and then enters the data exchange module, otherwise, the flow directly enters the data exchange module. The data exchange module transmits the flow to a designated network port, and the network port outputs the flow from the network interface of the centralized control module or transmits the flow to the network interface of the centralized control module through the uplink cascade network interface and outputs the flow according to a gate control table distributed by a flow scheduling algorithm in a state reporting period for uniformly controlling operation.
The field control message is field control data which is sent to each distributed control module by the centralized control module after operation processing according to the collected field state information and other related information. The field control messages and other traffic to the distributed controllers enter the data exchange module from the centralized control module network interface or the upstream cascade network interface. The data exchange module transmits the flow to a designated network port, and the network port outputs the flow from the network interface of the distributed control module in a fixed time unit of a control issuing period according to a gating table distributed by a flow scheduling algorithm or transmits the flow to the network interface of the distributed control module through a downlink cascade network interface and outputs the flow. The field control messages sent by the centralized control module can accurately reach each bottom layer control module at the same time, and high-precision distributed cooperative control is realized.
The flow scheduling algorithm calculates the scheduling time and duration of a total scheduling period, a time sensitive flow and a non-time sensitive flow according to the network topology characteristics, the time sensitive network switching control module characteristics and the flow characteristics, and comprises the following steps:
1) calculating the number n of time units for transmitting time-sensitive data streams (namely industrial field state data) in the state reporting time period in the total scheduling period through network topology characteristics state-stThe network topology characteristic is a series array h [ N ] of each distributed control module from the centralized control module]Wherein, the time unit is the minimum time unit t for the time sensitive network switching control module to schedule the flowu. The time unit number for transmitting the field state message is configured to be nstate-st,nstate-stThe calculation steps are as follows
1-1, calculating the maximum stage number of the distributed control modules from the centralized control module, wherein N is the number of the distributed control modules, and the stage number of any distributed control module i from the centralized control module is represented as hiI belongs to N, according to hiThe distributed control modules are sorted into an array h [ N ] according to the numerical value of]={h1…hN},hi∈h[N]And is arbitrary hi>=hi-1If the maximum number of stages in the system is hN
1-2, making j-th calculation, and making j-1, nstate-st=h1After the following 1-2-1 to 1-2-3 are executed in sequence, judging whether j is equal to N, if not, executing againLines 1-2-1 to 1-2-3, if equal, then nstate-stThe final value of (2) is the current calculated value, and the step jumps to the step 2);
1-2-1、nstate-st=nstate-st+1;
1-2-2、nstate-st=Max(nstate-st,hj+1+1), where Max is the larger value on either side of the comma in the small brackets;
1-2-3、j=j+1。
2) calculating the time unit t according to the characteristics of the time sensitive network switching control module and the flow characteristicsu,tu=tmaxsdu=tsend+tpropagate+tprocess,tmaxsduThe time required for transmitting a maximum data packet is the sum of the processing delay, the data propagation delay and the data sending delay of the time sensitive network switching control module and is calculated by the processing time length of system hardware, the length of a network cable, the size of the maximum data packet and the bandwidth;
3) According to the step 1), the number n of time units used for transmitting time-sensitive data streams in the state reporting time periodstate-stAnd 2) step (d) time unit tuCalculating a state reporting period T according to the flow proportion characteristics of the time sensitive flow and the non-time sensitive flowA,TA=nstate-st*(1+mA)*tuWherein m isAReporting period T for configuration stateAActual bandwidth ratio of non-time sensitive traffic to time sensitive traffic within a time period;
4) configuring the gate control table of the uplink network ports of all the time-sensitive network switching control modules in the time-sensitive network switching control module group in fig. 1, at TAIn period, QA/Q0:(0~nstate-st*tu:10)/(nstate-st*t-u~TA01), wherein QA/Q0Represents the above queue A and queue 0, (0 to n)state-st*tu10) represents 0 to nstate-st*t-uOpening the queue A switch and closing the queue 0 switch at any time, (n)state-st*tu~TA01) represents nstate-st*tuTo TAClosing the queue A switch and opening the queue 0 switch at the moment;
5) configuring the number of time units for transmitting time-sensitive data streams (field control data) in a control issuing time period in a total scheduling period to be 1;
6) according to the step 5), the number of time units used for transmitting time-sensitive data streams in the control issuing time period, the step 2) and the time unit tuCalculating and controlling the issuing period T according to the flow rate proportion characteristics of the time sensitive flow and the non-time sensitive flow B,TB=(1+mB)*tuWherein m isBFor controlling the delivery period TBActual bandwidth ratio of non-time sensitive traffic to time sensitive traffic within a time period to hNThe larger of (a) and (b);
7) the total scheduling period T is the sum of the state reporting period and the control issuing period, namely T ═ TA+TB
8) Configuring the gating tables of the network ports directly connected to the N distributed control modules, i.e., the trusted control module network interface and the untrusted control module interface of FIG. 2, at TBIn period, QB/Q0:(0~hN*tu:01)/(hN*tu~TB: 10) wherein Q isB/Q0Represents the above queue B and queue 0, (0 to h)N*tu01) represents 0 to hN*tuClosing the queue B switch at all times, opening the queue 0 switch, hN*tu~TBRepresents hN*tuTo TBOpening a queue B switch and closing a queue 0 switch at the moment;
9) configuring a network port gate control table which is not directly connected with the N distributed control modules, namely a downlink cascade interface in the figure 2, calculating the number p of time-sensitive network switching control modules which are separated from the central control module, and calculating the time-sensitive network switching control module number at TBIn period, QB/Q0:[(p+1)*tu~(p+2)*tu:10]&[0~(p+1)*tu:01]&[(p+2)*tu~TB:01]Wherein Q isB/Q0Represents queue B and queue 0, [ (p +)1)*tu~(p+2)*tu:10]Represents (p +1) × tuTo (p +2) × tuTurn on the queue B switch at any time, turn off the queue 0 switch, [ 0- (p +1) × t-u:01]&[(p+2)*tu~TB:01]Represents 0 to (p +1) × tuTime and (p +2) × tuTo TBAnd closing the queue B switch at any moment and opening the queue 0 switch.
Table 1:
Figure BDA0003487643220000121
Figure BDA0003487643220000131
Table 1 shows a traffic scheduling cycle and a gating table of an exemplary network topology, and the traffic scheduling cycle, the scheduling time of each uplink and downlink network port, and a time length table, i.e., the gating table, are obtained according to the traffic scheduling algorithm. Wherein the field status messages are mapped to the A queue and to the B queue, 1<A,B<And 7, mapping the non-time-sensitive stream to a 0 queue, wherein the gated queue identifier in the field state message reporting period TA is represented as QA/Q0, and the gated queue identifier in the field control message issuing period TB is represented as QB/Q0. According to the flow scheduling algorithm, the distributed control modules are sequenced into h 4 according to the hop number of the distance centralized control module]2,3,4,5, where the maximum hop count is h4Configuring the number of time unit values for transmitting the field state message as c being 6, making the bandwidth ratio of the non-time sensitive flow and the time sensitive flow 1/3, and configuring the state reporting period TAAnd 8u, wherein the port numbers (1-9) -0 in the table 1 are configured as corresponding gating tables. The number of time units for configuring and transmitting the field control message is 1, dB=h4Configuring a control issuing period TB as 6u, wherein the network port is directly connected with 4 distributed control modules, namely the network interfaces of the distributed control modules of the time-sensitive switching control modules 4,5, 8 and 9 in the table 1, the port numbers (4-7) -1 in the table 1 are configured as corresponding gate control tables, and the network is not directly connected with the 4 distributed control modules Network ports, that is, downlink network interfaces of the time-sensitive switching control modules 1, 2, 3, 8, and 9 in fig. 3, and port numbers 1- (1 to 2), 2- (1 to 3), and 3 to 9) -1 in table 1 are configured as corresponding gate control tables.
According to the embodiment, the time-sensitive network with real-time performance and certainty is adopted, and the problems that the field bus technology is high in arrangement cost, low in bandwidth, limited in large-scale application, incapable of compatibility between traditional industrial Ethernet protocols, uncontrollable in standard Ethernet delay and jitter and the like are solved, so that large-scale networked data transmission with high bandwidth, low jitter and protocol universality can be achieved.
The invention adopts the flow scheduling algorithm of dynamic cooperative control, can eliminate uncertain delay caused by best-effort data flow to key flows such as field state data, field control data and the like in the distributed control system, so that the centralized controller can acquire field control messages in real time in a preset period and dynamically issue field information data messages at preset time, thereby realizing accurate cooperative control among distributed control modules.
The invention adopts the safety monitoring and filtering module, can monitor and filter all data streams which accord with the IEEE802.1 standard at a data link layer, the protection strategy is not based on a specific upper layer protocol, the influence of the bug of the protocol on the strategy safety is overcome, the CPU and the memory consumption are increased along with the increase of the interception range, the interception method can only be applied to the specific industrial protocol and other problems, thereby the invention has the advantages of safety and performance relative to the technologies such as a firewall and the like, has wider applicability relative to an industrial security gateway, and is particularly suitable for intercepting flow attacks,
The invention adopts the time synchronization conversion module, overcomes the problem that a non-TSN control module can not be accessed to a TSN network, and the function ensures that the existing common industrial controller can be quickly integrated into a large-scale networked TSN control system, thereby realizing high-precision time synchronization and working cooperatively under the time reference. And (3) accessing the non-time sensitive controller products which are produced in mass into the system, wherein the synchronization precision of the actually measured non-time sensitive controller products is within 1 us.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (7)

1. A secure distributed control system supporting time sensitive network functions, comprising:
the distributed control module is positioned at the bottom layer of the safety distributed control system and is used for acquiring industrial field state data and receiving field control data;
the centralized control module is positioned at the top layer of the safe distributed control system and used for receiving the industrial field state data sent by the distributed control module and sending field control data to the distributed control module through control operation;
and the time-sensitive network switching control module group is connected with the distributed control module and the centralized control module and is used for synchronizing the time information of all the modules, enabling the modules to work under a uniform time reference, setting and executing gate control tables of all the network ports according to a flow scheduling algorithm and ensuring that field control data sent by the centralized control module reaches all the bottom control modules at the same time after passing through all the time-sensitive switching control modules.
2. The secure distributed control system of claim 1, wherein the distributed control module is a trusted control module or an untrusted control module, and the trusted control module or the untrusted control module is divided into a time sensitive network control module and a non-time sensitive network control module;
The time sensitive network control module directly performs time synchronization with the time sensitive network exchange control module;
the non-time-sensitive network control module needs to perform time synchronization with the time-sensitive network switching control module through a time synchronization conversion module, and the time synchronization conversion module of the non-time-sensitive network control module is connected with the time synchronization module in the time-sensitive network switching control module.
3. The safe distributed control system of claim 1, wherein the time synchronization conversion module comprises a time request module, an error calculation and comparison module, a system time maintenance module and a time correction module; the time request module periodically sends a time request message to the time synchronization module, the time synchronization module sends a time response message containing synchronization time information to the error calculation and comparison module after receiving the request message, the error calculation and comparison module carries out error calculation and jitter filtering on the received synchronization time information and system time in the system time maintenance module and then sends the synchronization time information and the system time information to the time correction module, the time correction module calculates a time correction value and sends the time correction value to the system time maintenance module, and the system time maintenance module completes system time updating according to the time correction value so as to ensure that the distributed control module and the time sensitive network switching control module work under the same time reference, thereby realizing end-to-end deterministic communication and control.
4. The secure distributed control system of claim 1, wherein the time-sensitive exchange control module group is further configured to:
monitoring and filtering the flow of the non-trusted control module at a data link layer, and only receiving the flow matched with a specific field of a message, wherein the length of a frame, the arrival time, the speed and the burst byte number all accord with the flow preset with requirements;
and rewriting the priority in a Vlan-Tag field in the data message for mapping to a traffic scheduling gating table inside the system.
5. The secure distributed control system of claim 1, wherein the time-sensitive switching control module group comprises a plurality of time-sensitive switching control modules, each time-sensitive switching control module being topologically connected.
6. The secure distributed control system of claim 1, wherein the time-sensitive switching control module comprises:
the central control module network interface or the uplink cascade network interface is used for exchanging data with a directly connected central control module or other time-sensitive exchange control modules with smaller series number away from the central control module, wherein the series number is the sum of the number of the time-sensitive exchange control modules contained in the path between the current time-sensitive exchange module and the central control module;
The system comprises a trusted control module network interface or a downlink cascade network interface, a trusted control module and other time-sensitive exchange control modules, wherein the trusted control module network interface or the downlink cascade network interface is used for exchanging data with the directly connected trusted control module or other time-sensitive exchange control modules with smaller series from the trusted control module, and the series is the sum of the number of the time-sensitive exchange control modules contained in the paths of the current time-sensitive exchange module and the trusted control module;
the non-trusted control module network interface is used for exchanging data with a directly connected non-trusted control module;
the data exchange module is used for exchanging data among all network interfaces of the time-sensitive exchange control module;
the time synchronization module is used for performing time synchronization on all modules in the time-sensitive exchange control module group by adopting a synchronization mechanism based on a hardware timestamp, sending nanosecond-level time information to a non-time-sensitive network control module of an access system by a sending request mechanism, maintaining the system time information of the time-sensitive exchange module by the time synchronization module, and providing time reference for the dynamic cooperative control module and all network ports;
the safety monitoring and filtering module is used for performing real-time data flow identity filtering, data frame size filtering, expected schedule filtering, data flow priority conversion, flow speed and data frame burst size monitoring and filtering on flow and then entering the data exchange module; if the flow comes from the untrusted control module, the flow firstly passes through the security monitoring filtering module and then enters the data exchange module, otherwise, the flow directly enters the data exchange module;
And the dynamic cooperative control module is used for setting and executing the gate control table of each network port according to the flow scheduling algorithm.
7. The secure distributed control system of claim 1, wherein the network port gating table is based on a 3-bit priority code in an 802.1Q Vlan tag, with values ranging from 0 to 7, representing 8 priority queues, respectively.
CN202210087624.6A 2022-01-25 2022-01-25 Security distributed control system supporting time-sensitive network function Active CN114598413B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210087624.6A CN114598413B (en) 2022-01-25 2022-01-25 Security distributed control system supporting time-sensitive network function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210087624.6A CN114598413B (en) 2022-01-25 2022-01-25 Security distributed control system supporting time-sensitive network function

Publications (2)

Publication Number Publication Date
CN114598413A true CN114598413A (en) 2022-06-07
CN114598413B CN114598413B (en) 2024-04-02

Family

ID=81804292

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210087624.6A Active CN114598413B (en) 2022-01-25 2022-01-25 Security distributed control system supporting time-sensitive network function

Country Status (1)

Country Link
CN (1) CN114598413B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115333860A (en) * 2022-10-12 2022-11-11 北京合众方达科技有限公司 TSN network control method based on zero trust
CN116319261A (en) * 2023-05-24 2023-06-23 北京智芯微电子科技有限公司 TSN network scheduling strategy optimization method and device, electronic equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101261518A (en) * 2008-03-28 2008-09-10 华中科技大学 Distributed process control system based on wireless personal area network and industrial ethernet network
CN106855709A (en) * 2015-12-09 2017-06-16 重庆川仪自动化股份有限公司 A kind of industrial management control system and method
CN111147176A (en) * 2019-12-04 2020-05-12 中国航空工业集团公司洛阳电光设备研究所 High-precision time synchronization system based on IEEE1588 protocol
CN111314228A (en) * 2020-05-11 2020-06-19 之江实验室 PLC control system supporting time-sensitive network function
WO2020136487A2 (en) * 2018-12-26 2020-07-02 Abb Schweiz Ag A tsn enabled controller
CN111600754A (en) * 2020-05-11 2020-08-28 重庆邮电大学 Industrial heterogeneous network scheduling method for interconnection of TSN (transmission time network) and non-TSN (non-Transmission time network)
CN112511462A (en) * 2020-12-17 2021-03-16 上海交通大学 Software-defined industrial heterogeneous time-sensitive network system and resource scheduling method
KR20210044683A (en) * 2019-10-15 2021-04-23 한양대학교 에리카산학협력단 Central network cofigurator, and time-sensitive networking control system including the same
CN112769514A (en) * 2020-12-22 2021-05-07 国家电网有限公司 Time-sensitive based communication device

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101261518A (en) * 2008-03-28 2008-09-10 华中科技大学 Distributed process control system based on wireless personal area network and industrial ethernet network
CN106855709A (en) * 2015-12-09 2017-06-16 重庆川仪自动化股份有限公司 A kind of industrial management control system and method
WO2020136487A2 (en) * 2018-12-26 2020-07-02 Abb Schweiz Ag A tsn enabled controller
KR20210044683A (en) * 2019-10-15 2021-04-23 한양대학교 에리카산학협력단 Central network cofigurator, and time-sensitive networking control system including the same
CN111147176A (en) * 2019-12-04 2020-05-12 中国航空工业集团公司洛阳电光设备研究所 High-precision time synchronization system based on IEEE1588 protocol
CN111314228A (en) * 2020-05-11 2020-06-19 之江实验室 PLC control system supporting time-sensitive network function
CN111600754A (en) * 2020-05-11 2020-08-28 重庆邮电大学 Industrial heterogeneous network scheduling method for interconnection of TSN (transmission time network) and non-TSN (non-Transmission time network)
CN112511462A (en) * 2020-12-17 2021-03-16 上海交通大学 Software-defined industrial heterogeneous time-sensitive network system and resource scheduling method
CN112769514A (en) * 2020-12-22 2021-05-07 国家电网有限公司 Time-sensitive based communication device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115333860A (en) * 2022-10-12 2022-11-11 北京合众方达科技有限公司 TSN network control method based on zero trust
CN115333860B (en) * 2022-10-12 2023-02-03 北京合众方达科技有限公司 TSN network control method based on zero trust
CN116319261A (en) * 2023-05-24 2023-06-23 北京智芯微电子科技有限公司 TSN network scheduling strategy optimization method and device, electronic equipment and storage medium
CN116319261B (en) * 2023-05-24 2023-08-18 北京智芯微电子科技有限公司 TSN network scheduling strategy optimization method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN114598413B (en) 2024-04-02

Similar Documents

Publication Publication Date Title
Nasrallah et al. Ultra-low latency (ULL) networks: The IEEE TSN and IETF DetNet standards and related 5G ULL research
CN112105080B (en) Time-sensitive network data transmission system and transmission method
Molina et al. Software-defined networking in cyber-physical systems: A survey
Kalør et al. Network slicing in industry 4.0 applications: Abstraction methods and end-to-end analysis
CN108667743B (en) Congestion control in packet data networking
Pahlevan et al. Evaluation of time-triggered traffic in time-sensitive networks using the opnet simulation framework
Pedreiras et al. FTT-Ethernet: A flexible real-time communication protocol that supports dynamic QoS management on Ethernet-based systems
CN114598413B (en) Security distributed control system supporting time-sensitive network function
US20240214323A1 (en) Packet transmission method and apparatus
EP3903454B1 (en) A tsn enabled controller
CN111294291B (en) Protocol message processing method and device
US11316654B2 (en) Communication device and method for operating a communication system for transmitting time critical data
CN105100142A (en) Transmission control method and device of software defined network (SDN) protocol message
CN108881302A (en) Industrial Ethernet and BLVDS bus bar communication device and industrial control system
CN105471907A (en) Openflow based virtual firewall transmission control method and system
CN103973509A (en) Loop detection method and network device
CN101355585B (en) System and method for protecting information of distributed architecture data communication equipment
CN114884811A (en) Method for realizing centralized user configuration of time-sensitive network
CN106341296A (en) Method of avoiding data message collision in communication network within transformer substation
JP5518754B2 (en) Network node
Marchese et al. Simple protocol enhancements of rapid spanning tree protocol over ring topologies
Fischer et al. Security considerations for ieee 802.1 time-sensitive networking in converged industrial networks
Molina et al. Managing path diversity in layer 2 critical networks by using OpenFlow
Cisco Configuring Ethernet LAN Interfaces
Nsaibi Timing Performance Analysis of the Deterministic Ethernet Enhancements Time-Sensitive Networking (TSN) for Use in the Industrial Communication

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant