JP5990927B2 - Control system, control device, and program execution control method - Google Patents

Description

  The present invention relates to a control device and a control system for controlling execution of a program, and more particularly to a control system, a control device, and a control method for controlling execution of a PLC program executed on a PLC (Programmable Logic Controller).

  Conventionally, a programmable controller (hereinafter referred to as PLC) has been used as an industrial general-purpose computer in FA (Factory Automation) or the like. When the PLC performs sequence control on the device to be controlled, for example, the user connects a detection unit such as a sensor or switch of the device to be controlled to an input terminal of the PLC, and sets an operation device such as a motor of the device to be controlled to Connect to the output terminal. Then, the PLC controls the device to be controlled by outputting an output signal corresponding to the input signal to the input terminal from the output terminal according to the control program to be executed.

  Here, for example, Patent Documents 1 and 2 are known as techniques for preventing unauthorized use of a program executed on the PLC. Patent Documents 1 and 2 describe a control device that realizes prevention of unauthorized use of a control program by allowing the control program to operate only on a specific control device.

  More specifically, the control device described in Patent Document 1 embeds an authentication ladder based on a specific value (for example, serial ID) of a specific PLC that is permitted to be executed in the control program. And when operating a control program on specific PLC, it authenticates using an authentication ladder. Since the control device permits the execution of the control program only when the authentication is successful, even if the control program leaks, the control program does not operate on another control device. Thereby, even if the control program leaks, since the control program does not operate on another control device, unauthorized use of the program can be prevented.

JP 2011-165041 A JP 2009-70144 A

  Here, if the control device fails, the production activity of the factory stops while the failed control device is being repaired. A technique to continue production activities may be used.

  However, in the inventions described in Patent Documents 1 and 2, authentication is performed using authentication information based on a unique value of the control device such as a serial ID, and execution of the control program is permitted only when the authentication is successful. To do. Therefore, when the control device fails, the control program used by the failed control device cannot be used as it is by the alternative device. In this case, by embedding an authentication ladder based on the unique value (for example, serial ID) of the alternative device in the control program, a new control program for the alternative device must be recreated (compilation, etc.), and the control device is restored. That is, there is a problem that it takes time to resume the production activity of the factory.

  The present invention is for solving such problems, and prevents unauthorized use of the control program from the viewpoint of security for the control program operating on the PLC while considering the operation and maintainability of the control program. A main object is to provide a control system, a control apparatus, and a program execution control method.

  In order to solve the above-described problems, the present invention employs means for solving the problems having the following characteristics.

A control system according to an aspect of the present invention is a control system including a security file issuing device, a security code registration device, a support loader, and a control device, wherein the security file issuing device receives a first security code. Security file generation means for generating a security file including the security code registration device, wherein the security code registration device stores the first security code acquired from the security file, and the storage means stores the first security code. Code conversion means for converting one security code into a second security code that can be used in common regardless of the control device by a predetermined algorithm , and registering security information including the second security code in the control device Security information registration And the support loader has a program creation means for creating a user program including the first security code and a predetermined program code, and the control device stores a first program storing the user program. 1 memory, a second memory storing security information including the second security code registered by the security information registering means, and an execution permission means for permitting execution of the user program stored in the first memory And program execution means for executing the user program permitted to be executed by the execution permission means, wherein the execution permission means adds the predetermined program code to the user program stored in the first memory. Is included, the first security code included in the user program Was converted by the predetermined algorithm, and a third security code that can be used in common regardless of the control unit compares the second security code obtained from the security information stored in the second memory, if a match The execution of the user program is permitted.

The control device according to one aspect of the present invention includes a first memory storing a user program including a first security code and a predetermined program code, and the first security code stored in the security code registration device. Is received by the security code registration device according to a predetermined algorithm, and receives a registration of security information including the second security code that can be used in common regardless of the control device, and the reception unit A second memory storing the security information for which registration has been accepted, an execution permission means for permitting execution of the user program stored in the first memory, and the user program permitted to be executed by the execution permission means. Program execution means for executing, and the execution permission Stage, when the predetermined program code is included in the first said user program stored in the memory, the first security code included in the user program and converted by the predetermined algorithm, irrespective of the control device The third security code that can be used in common and the second security code acquired from the security information stored in the second memory are compared, and if they match, the execution of the user program is permitted.

The program execution control method in one aspect of the present invention, the security code registration device has a first security code which is stored in the memory means for the security code registration device has converts a predetermined algorithm, the control device The security information including the second security code that can be used in common is created and input to the control device, and the support loader creates a user program including the predetermined program code and the first security code. The control device that is input to the control device , and the control device converts the first security code input from the support loader by the predetermined algorithm when the user program includes the predetermined program code. the third security code that can be used in common regardless of the On condition that the second and the security code coincides with, permits execution of the user program.

  In addition, what applied the component, the expression, or arbitrary combinations of the component of this invention to an apparatus, a method, a computer program, a recording medium, etc. is also effective as an aspect of this invention.

  According to the present invention, there is provided a control system, a control device, and a program execution control method for preventing unauthorized use of a control program from the viewpoint of security for a control program operating on a PLC while taking into consideration the operation and maintainability of the control program. Can be provided.

An example of the control system block diagram (schematic diagram) concerning this embodiment is shown. It is an example of functional composition of a control system block diagram concerning this embodiment. The example (the 1) of operation screens of the security file issuing apparatus which concerns on this embodiment is shown. The example (2) of the operation screen of the security file issuing apparatus which concerns on this embodiment is shown. An example of an operation screen of the security code registration device according to the present embodiment is shown. The example of a programming editor screen of the support loader concerning this embodiment is shown. It is a sequence diagram which shows the flow of the information processing 1 which concerns on this embodiment. It is a sequence diagram which shows the flow of the information processing 2 which concerns on this embodiment. It is a flowchart which shows the flow of the PLC program execution control process of the program execution part 205 which concerns on this embodiment. It is a flowchart which shows the flow of the security code check process of the SFB function part 206 which concerns on this embodiment. It is a functional structural example of the control system block diagram which concerns on this application example. An example of specifying “valid position information” is shown below. It is a flowchart which shows the flow of the security code check process of the SFB function part 206 which concerns on this application example.

  DESCRIPTION OF EMBODIMENTS Hereinafter, embodiments for carrying out the present invention will be described with reference to the accompanying drawings.

[System configuration]
FIG. 1 shows an example of a control system configuration diagram (schematic diagram) according to the present embodiment. As shown in FIG. 1, the system according to the present embodiment includes a support loader 100, a PLC 200, a security file issuing device 300, and a security code registration device 400.

  The support loader 100 is a computer apparatus for supporting creation of a PLC program (control program) that operates on the main body of the PLC 200. Therefore, the support loader 100 includes a programming editor for creating a PLC program. Since a program creation screen is displayed on the display by the programming editor, the user can develop a desired PLC program on this screen. The PLC program developed by the user is downloaded from the support loader 100 to the PLC 200.

  The PLC 200 is a programmable controller (Programmable Logic Controller) used as a factory automation (FA) control device. The PLC 200 fetches a signal input from the input module into an I / O (Input / Output) memory, and performs a logical operation based on a PLC program registered in the program memory 201 in advance. Further, the calculation result is written in the I / O memory and sent to the output module. Thereafter, so-called peripheral system processing (loader processing, various system processing) is executed. The PLC 200 controls the target control device by repeating these processes.

  The security file issuing device 300 is a terminal device that generates and outputs a security file. This security file is used when the security code registration device 400 registers a “security code” in the PLC 200.

  The security code registration device 400 is a terminal device for registering security information including “security code” and “trial period” in the PLC 200. That is, the security code registration device 400 acquires a security file from the security file issuing device 300, extracts the security code contained in the security file, and registers it in the PLC 200. In addition to the security code, the security code registration device 400 registers the trial period input by the user in the PLC 200.

  The control system configuration example according to the present embodiment has been described above. In a normal case, when the PLC 200 is in operation, the support loader 100, the security file issuing device 300, and the security code registration device 400 are removed from the PLC 200 and used. The security file issuing device 300, the security code registration device 400, and the like are preferably stored and managed by, for example, a manufacturer who develops a PLC program, and is not left in a place where the user PLC 200 is placed.

[Function configuration]
FIG. 2 is a functional configuration example of the control system configuration diagram according to the present embodiment. A description will be given below step by step for each device.

(Security file issuing device)
The security file issuing device 300 according to the present embodiment includes a security file generation unit 301. Upon receiving the “security code” (shown as SC-A in the figure) input from the keyboard or the like (input unit) by the user, the security file generation unit 301 uses the public key of the security code registration device 300 to perform security. A file (shown as SF in the figure) is encrypted and output. The security file includes a “security code” input by the user. The security code registration device 400 acquires the “security code” by decrypting the encrypted security file. The security code can include the data size (for example, 64 bits) of the security code in addition to the value of the security code itself.

(Security code registration device)
The security code registration device 400 according to the present embodiment includes a security file fetch unit 401, a memory 402, a security information registration unit 403, and a code conversion unit 404.

  The security file fetch unit 401 fetches a security file issued from the security file issuing device 300. Further, since the security file is encrypted, the security file fetch unit 401 decrypts the security file using a secret key corresponding to the public key described above. Then, the security file fetch unit 401 extracts the “security code” (SC-A) from the decrypted security file and stores it in the memory 402.

  The security information registration unit 403 acquires a “security code” from the memory 402. Then, the security information registration unit 403 requests the code conversion unit 404 to convert the “security code” (SC-A) into a different “security code” (SC-B in the figure).

  In addition, the security information registration unit 403 receives an input of “trial period” from the user. The “trial period” is information for designating a period in which the PLC 200 can be temporarily used without using a license or the like when using the PLC 200. The “trial period” can be entered in a specific period such as 10 hours, 1 day, or 1 month, or on a specific date such as March 1, 2011 (until). sell. Then, the security information registration unit 403 generates security information (only “security code” is acceptable) including the converted “security code” (SC-B) and “trial period”, and sends the security information to the PLC 200. Register information. The registration of security information is realized by transmitting the security information to the PLC 200 via a network or through a cable connected to the PLC 200 such as a USB (Universal Serial Bus) port or a serial port. The PLC 200 accepts registration of security information only from the security code registration device 400 (security information registration unit 403), and does not accept registration of security information from other devices. Note that the security information registration unit 403 may store the generated security information in the memory 402.

  In response to a request from the security information registration unit 403, the code conversion unit 404 converts the acquired security code into another different security code using a predetermined algorithm. In this embodiment, specifically, “security code A” (SC-A) is converted to “security code B” (SC-B).

(Support loader)
The support loader 100 according to the present embodiment includes a program creation unit 101 and a memory 102.

  The program creation unit 101 is realized by a programming editor for creating a PLC program, and creates (creates support) a PLC program that operates on the main body of the PLC 200. The program creation unit 101 creates a PLC program desired by the user while providing a programming editor and various tools to the user.

  Further, when creating a PLC program, when the user wants to protect the program being created, the user performs a predetermined operation from the programming editor, for example. In response to this predetermined operation, the program creation unit 101 performs the following processing on the program being created. That is, the program creation unit 101 creates a program code so as to call a security function check system function block (referred to as SFB) at the time of initialization processing or execution processing of a PLC program.

  More specifically, the program creation unit 101 adds a code that calls the security code check SFB function unit 206 to a part of the user-created program code when the PLC program is executed by the PLC 200. In addition, “security code” is set as a parameter for the SFB 206 for checking the security code. It is necessary to set the same security code as the “security code A” (SC-A) input by the user in the security file issuing device 300.

  Then, the program creation unit 101 compiles a user-created program code to which a code for calling the security code check SFB function unit 206 is added, and creates a PLC program. The created PLC program is stored in the memory 102. Further, the created PLC program is transmitted (downloaded) to the PLC 200.

(PLC)
Next, the PLC 200 according to the present embodiment includes a security information registration receiving unit 201, a secure memory 202, an operation time measuring unit 203, a program memory 204, a program execution unit 205, an SFB function unit 206 (comparison / collation unit 207, code conversion unit). 208), and a notification unit 209.

  The security information registration receiving unit 201 receives security information from the security code registration device 400 (security information registration unit 403) and registers (saves) the received security information in the secure memory 202. Since the security information includes the “security code” (SC-B) and the “trial period” as described above, these pieces of information are extracted and stored in the secure memory 202. Note that the security information registration receiving unit 201 registers only the security information received from the security code registration device 400 (security information registration unit 403) in the secure memory 202, and does not accept registration of security information from other devices.

  The secure memory 202 is realized by a security chip or flash memory with high tamper resistance, and is a memory with limited access. In the present embodiment, only the security information registration accepting unit 201 and the operation time measuring unit 203 have a write authority for the secure memory 202, and only the comparison and collation unit 207 has a read authority for the secure memory 202. On the other hand, the user cannot access the secure memory 202. In the case of the present embodiment, as shown in FIG. 2, the secure memory 202 stores “security code B”, “trial period”, and “operation time”.

  The operating time measuring unit 203 starts measuring the “operating time” of the PLC 200 at the timing when the “trial period” is stored in the secure memory 202. The operating time measuring unit 203 measures the operating time of the PLC 200 using an independent clock separately from the standard clock (internal clock) of the PLC 200 (for example, the PLC scanning period (from input data reading to the next input data reading). PLC operation time is measured based on the period). The reason why the operating time of the PLC 200 is measured by an independent clock is to prevent the operating time from being falsified due to the act of returning the time of the user's standard clock. For this reason, the user can access the standard timepiece of the PLC 200, but cannot access the operating time measuring unit 203. The operating time measuring unit 203 stores the measured “operating time (information)” in the secure memory 202 every time it measures.

  The program memory 204 is a memory for storing a PLC program that is generated by the support loader 100 and is operated on the main body of the PLC 200. The secure memory 202 is prohibited from user access as described above, while the program memory 204 is user memory permitted to be accessed by the user.

  The user can store the PLC program created by the support loader 100 in a recording medium, and can insert the recording medium storing the PLC program into the user ROM card slot 210 of the PLC 200. In this case, the PLC 200 transfers the PLC program stored in the recording medium to the program memory 204.

  The program execution unit 205 executes the PLC program stored in the program memory 204. However, when the PLC program includes a code for calling the SFB function unit 206 for checking the security code, the SFB function unit 206 is called according to the code. Then, the program execution unit 205 continues the execution of the PLC program only when the execution permission of the PLC program is obtained from the SFB function unit 206, and executes the execution of the PLC program when the execution permission of the PLC program is obtained. Prohibit (stop). Note that this process may be performed not only during the execution process of the PLC program but also during the initialization process of the PLC program, for example. In this case, the subsequent execution of the PLC program is prohibited.

  The SFB function unit 206 is an SFB for security code check, and corresponds to an execution permission unit. Specifically, a comparison / collation unit 207 and a code conversion unit 208 are included. In response to the call from the program execution unit 205, the comparison / collation unit 207 performs the following processing.

  First, the comparison and collation unit 207 acquires “trial period” and “operation time” stored in the secure memory 202. As described above, the “trial period” is information for designating a period in which the PLC 200 can be temporarily used without purchasing a valid license or the like, so that the “operation time” of the PLC 200 is within the “trial period”. In the case of, the program execution unit 205 is allowed to execute the PLC program that is the target of the security code check.

  On the other hand, when the “operating time” of the PLC 200 is not within the “trial period” (when the “operating time” has passed the “trial period”), the PLC subjected to the security code check is sent to the program execution unit 205. Prohibit program execution (do not allow).

  On the other hand, when the “trial period” is not stored in the secure memory 202, the comparison and collation unit 207 checks the security code included in the PLC program.

  First, the comparison and collation unit 207 acquires a “security code” (for example, SC-A) set as a parameter in the PLC program that is the target of the security code check. Then, the code conversion unit 208 is requested to convert the “security code”.

  The code conversion unit 208 converts the “security code” in response to a request from the comparison / collation unit 207. The code conversion unit 208 converts the code into a security code using the same algorithm as the code conversion unit 404 of the security code registration device 400. In the present embodiment, “security code A” is converted to “security code B”. The code conversion unit 208 passes the converted “security code” to the comparison and collation unit 207.

  After obtaining the converted “security code”, the comparison / collation unit 207 obtains the “security code” (for example, SC-B) stored in the secure memory 202 this time. Then, the “security code” converted by the code conversion unit 208 and the “security code” in the secure memory 202 are compared (or verified). If the two security codes match, the security code is sent to the program execution unit 205. Permits execution of the PLC program subject to check.

  On the other hand, if the two security codes do not match, the program execution unit 205 is not permitted (not permitted) to execute the PLC program subjected to the security code check.

  The notification unit 209 notifies the user or the like of the execution result of the PLC program. A specific notification method is to notify the display of each device, log output to a log file, or notify a predetermined terminal by e-mail or the like.

  The above is a functional configuration example of the control system configuration diagram according to the present embodiment. Each of these functional units can actually be realized by a computer by a program executed by the CPU of each device. Further, these functional blocks need not be realized by a clearly separated program, and may be called from other programs as a subroutine or a function. Further, a part of the functional blocks may be hardware means such as an IC (Integrated Circuit) or an FPGA (Field Programmable Gate Array).

  In addition to the normal program memory 204 area, programs related to each of these functional units are stored in a security-enhanced area (not shown) in which the user cannot directly access the area. .

[Operation screen example]
Next, an example of the operation screen of each device will be described.

(Security file issuing device)
FIG. 3 shows an operation screen example (part 1) of the security file issuing apparatus according to the present embodiment. As described above, the security file issuing device 300 is a terminal device that generates and outputs a security file.

  The user can generate and output a security file by operating an operation screen displayed on the display screen of the security file issuing device 300. As shown in FIG. 3, the user first inputs a password for logging in to the security file issuing device 300 on the user authentication screen (a). If the user authentication is successful, the process proceeds to the menu screen (b). When the user presses “issue security file” on the menu screen (b), the process proceeds to the security file issue screen (c).

  On the security file issuance screen (c), the user inputs an arbitrary “security code” and then presses “Add”. The entered security code is added to the “list”. In addition, an arbitrary memo can be attached to the “issued memo” for each security file to be issued.

  Next, the user presses “issue”. Thereafter, the confirmation screen (d) is displayed, and the output of the security file including the security code added to the “list” is completed.

  The security file generated and output in this way is used when the security code registration device 400 registers a security code with the PLC 200. For example, the user can store a security file in a portable recording medium and move the security file to the security code registration device 400 via the recording medium. Alternatively, the security file may be moved to the security code registration device 400 via a network.

  FIG. 4 shows an operation screen example (part 2) of the security file issuing apparatus according to the present embodiment. Specifically, when the “issue history display” in FIG. 3B is pressed, the “security file issue history display” is displayed. As shown in FIG. 4, in the security file issuing device 300, details of security files issued in the past (“issue date”, “security code”, “issue memo”, etc.) are displayed.

(Security code registration device)
FIG. 5 shows an example of an operation screen of the security code registration device according to the present embodiment. As described above, the security code registration device 400 is a terminal device for registering security information including “security code” and “trial period” in the PLC 200. The user acquires the security file by operating the operation screen displayed on the display screen of the security code registration device 400. In addition, the security code included in the security file is extracted and registered in the PLC 200.

  As shown in FIG. 5, the user first inputs a password for logging in to the security code registration device 400 on the user authentication screen (a). If the user authentication is successful, the process proceeds to the menu screen (b). When the user presses “Security Information Registration” on the menu screen (b), the process proceeds to the security information registration screen (c).

  On the security information registration screen (c), the user first designates a PLC to which security information is registered. In the example shown in the figure, the PLC is assumed to be connected via a USB port or connected via a network. The user can register the security information by either method. The (destination) PLC can be specified.

  Next, the user takes in the security file to the security code registration device 400 by pressing “fetch security file”. Specifically, the user connects the recording medium storing the security file generated by the security file issuing device 300 to the security code registration device 400. After that, the “security file import” is pressed, the security file stored in the recording medium is designated, and the security file is captured.

  When the user takes in the security file, the security code in the security file is displayed in the “security code” column. If there are a plurality of security codes in the security file, the plurality of security codes are displayed in the “security code” column. The user selects one security code registered in the PLC.

  Next, the user performs “registration of trial period”. Specifically, when “registration of trial period” is performed, check “Yes” in the example and input and specify “time”. If you do not want to register “trial period”, check “No” (registration of “trial period” is optional).

  “Reset operating time” specifies whether or not to reset the operating time. Since the “trial period” can be re-registered for the PLC, it is possible to specify whether or not to reset the operating time measured up to the time of re-registration at the time of re-registration. When registering the “trial period” for the first time, specify that “working time reset” should not be performed (default value).

  After the above settings, the user presses “Register”. Thereafter, a confirmation screen (d) is displayed, and the registration of the selected “security code” and “trial period” is completed for the PLC to which the security information is registered. That is, in the case of the illustrated example, at this time, “security code”: 006BZ-dpAo2wTsb83amk and “trial period”: 10 (hours) are registered in the secure memory 202 of the PLC 200. In the case where “trial period registration” is not performed, registration of only the selected “security code” is completed with respect to the PLC of the security information registration destination.

(Support loader)
FIG. 6 shows an example of a programming editor screen of the support loader according to the present embodiment. As described above, the support loader is a computer apparatus for supporting the creation of a PLC program. The user develops a desired PLC program on this screen. The PLC program developed by the user is downloaded from the support loader 100 to the PLC 200.

  When protecting the program to be protected being created, the user performs a predetermined operation from the programming editor, for example. As a result, “program code for SFB” for calling SFB for security code check on the PLC 200 side is added to “program code to be protected” created by the user. Thereafter, the user compiles the program code including the “program code to be protected” and the “program code for SFB” on the programming editor to create a PLC program. The created PLC program is transmitted to the PLC 200.

[Information processing]
Next, an information processing example of each device will be described.

(Information processing 1)
FIG. 7 is a sequence diagram showing a flow of information processing 1 according to the present embodiment. Specifically, first, in the information processing 1, the security file issuing device 300 generates and outputs a security file, and the security code registration device 400 sends security information including “security code” and “trial period” to the PLC 200. A process for registration will be described (refer to FIG. 2 together).

  S1: First, “security code A” is input by the user to the security file issuing device 300 (see, for example, FIG. 3C).

  S2: Upon receiving the “security code” (for example, SC-A) input by the user, the security file generating unit 301 of the security file issuing device 300 receives the security file including the “security code” (for example, SC-A). Generate.

  S3: The security file generation unit 301 encrypts the generated security file using the public key of the security code registration device 300.

  S4: The security file generation unit 301 outputs an encrypted security file (see, for example, (d) in FIG. 3). As an output method, for example, there is a method in which a security file is stored in a portable recording medium, and the security file is moved to the security code registration device 400 via this recording medium. Alternatively, the security file may be transmitted to the security code registration device 400 via a network.

  S5: Next, the security file capturing unit 401 of the security code registration device 400 captures the security file issued by the security file issuing device 300 (see, for example, FIG. 5C).

  S6: The security file fetch unit 401 decrypts the encrypted security file using a secret key corresponding to the above-described public key.

  S 7: The security file fetching unit 401 extracts a “security code” (for example, SC-A) from the decrypted security file and stores it in the memory 402.

  S8: Upon receiving an instruction to register security information from the user, the security information registration unit 403 sends one “security code” (for example, SC-A) selected by the user to the code conversion unit 404 as “security code”. Request to convert to (for example, SC-B). In response to a request from the security information registration unit 403, the code conversion unit 404 converts the acquired security code into another different security code using a predetermined algorithm. In this embodiment, “security code A” is converted to “security code B”. The reason why the “security code” is converted in this way is to enhance the security. For example, even if the “security code A” is leaked, the “security code A” cannot be used as it is, and there is no “security code B” that is finally used for comparison (or verification). The program cannot be executed.

  S9: Here, when the “trial period” is input from the user, the security information registration unit 403 acquires the “trial period” (see, for example, FIG. 5C).

  S10: The security information registration unit 403 generates security information including the converted “security code” (for example, SC-B) and the input “trial period”. Further, the security information is registered in the PLC 200 designated as the security information registration destination (see, for example, FIG. 5D). Specifically, as described above, the security information is transmitted to the PLC 200 via a network such as a USB or LAN, and is registered (saved) in the secure memory 202 on the PLC 200 side.

  As described above, the “trial period” can be re-registered with respect to the PLC 200, and it can be specified at the time of re-registration whether or not to reset the operation time measured until the time of re-registration (for example, ( c)). Therefore, when the “trial period” is re-registered and “operating time reset” is specified as “yes”, the security information registration unit 403 also registers “operating time reset” when registering security information. ”Is sent to the PLC 200.

  Further, the user cannot freely register an arbitrary security code in the PLC 200 using only the security code registration device 400. That is, the security file output by the security file issuing device 300 needs to be taken into the security code registration device 400 (S5). Even if the security code registration device 400 is leaked, the user who intends to use the PLC program illegally sets the security code that matches the security code (parameter) in the PLC program. This is to prevent free registration in the secure memory 202 of the PLC.

  S11: Next, the security information registration receiving unit 201 of the PLC 200 obtains “security code” (for example, SC-B) and “trial period” which are security information acquired from the security code registration device 400 (security information registration unit 403). And stored in the secure memory 202. As described above, since the secure memory 202 is a memory whose access is restricted, the user cannot access the secure memory 202.

  As described above, the security information registration receiving unit 201 registers only the security information received from the security code registration device 400 (security information registration unit 403) in the secure memory 202, and registers security information from other devices. Will not be accepted. Therefore, after confirming that the security information registration source (transmission source) is the security code registration device 400, the PLC 200 registers the security information. On the other hand, if the PLC 200 cannot confirm that the security information registration source (transmission source) is the security code registration device 400, the PLC 200 discards the security information.

  As a specific confirmation method of the registration source, for example, when sending and receiving security information, the PLC 200 confirms the registration source by authentication using a key (predetermined data, password, etc.) that only the security code registration device 400 has. Can do. Further, for example, a common key cryptosystem (also referred to as a secret key cryptosystem) can be used. The security code registration device 400 encrypts the security information using the common key (secret key) of the security code registration device 400, and transmits the encrypted security information to the PLC 200. The PLC 200 has the same common key (secret key) as that of the security code registration device 400, and the registration source can be confirmed by decrypting the security information using the common key (secret key). .

  S12: The operating time measurement unit 203 starts measuring the operating time of the PLC 200 at the timing when the “trial period” is stored in the secure memory 202. The operating time measuring unit 203 measures the operating time of the PLC 200 using an independent clock separately from the standard clock (internal clock) of the PLC 200 in order to prevent falsification of the operating time. The operating time measuring unit 203 stores the measured operating time in the secure memory 202 every time it measures.

  When the previous “trial period” already exists in the secure memory 202, it means that the operating time measuring unit 203 has already started measuring the operating time of the PLC 200. As described above, the “trial period” can be re-registered. However, if a flag indicating “reset operating time” is transmitted from the security code registration device 400 (security information registration unit 403), S11. Thus, the security information receiving unit 201 overwrites (updates) the “trial period” already existing in the secure memory 202. Moreover, the operating time measuring unit 203 starts measuring the operating time of the new PLC 200.

(Information processing 2)
FIG. 8 is a sequence diagram showing a flow of information processing 2 according to the present embodiment. Specifically, in the information processing 2, a PLC program creation process of the support loader 100, a PLC program download process of the support loader 100, and a PLC program execution control process of the PLC 200 will be described (refer to FIG. 2 together).

  S21: First, the program creation unit 101 of the support loader 100 creates a program code of a PLC program that operates on the main body of the PLC 200 (see, for example, FIG. 6). That is, when the user creates a user program code desired by the user using the programming editor, the program creation unit 101 adds a program code for calling the security code check SFB 206 to a part of the user program code. In addition, a “security code” (for example, SC-A) is set as a parameter for the SFB 206. This security code is given by the user, and the same “security code” (for example, SC-A) input to the security file issuing device 300 is set.

  S22: Next, when creating the program code including the user program code and the program code for calling the SFB 206, the program creation unit 101 compiles and creates a PLC program. Further, the program creation unit 101 stores the created PLC program in the memory 102.

  S23: Next, the program creation unit 101 transmits the created PLC program to the PLC 200 by a user operation or an automatic operation.

  S24: The program execution unit 205 of the PLC 200 controls the execution of the PLC program stored in the program memory 204. When executing the execution process of the PLC program, the program execution unit 205 calls the SFB function unit 206 according to the code if the PLC program includes a code for calling the SFB function unit 206. Then, the program execution unit 205 controls to continue execution of the PLC program or prohibit (stop) execution of the PLC program in accordance with a return value (“execution permission” or “execution disapproval”) from the SFB function unit 206. I do. Details of this point will be described later again. When the PLC program does not include a code for calling the SFB function unit 206, the program execution unit 205 may execute the PLC program as it is.

  S25: The notification unit 209 notifies the user or the like of the execution result of the PLC program. As a specific notification method, it is possible to notify a display or the like of each device, output a log to a log file, or notify a predetermined terminal by e-mail or the like. This notification may be notified only when execution of the PLC program is prohibited.

(PLC program execution control processing)
FIG. 9 is a flowchart showing the flow of the PLC program execution control process of the program execution unit 205 according to this embodiment. Specifically, the above-described PLC program execution control (S24 in FIG. 8) will be described below with reference to the drawings.

  S31: The program execution unit 205 of the PLC 200 executes the PLC program stored in the program memory 204. At this time, it is determined whether or not the PLC program includes a code for calling the SFB function unit 206 for checking the security code. Here, if the PLC program does not include a code for calling the SFB function unit 206 for checking the security code, the program execution unit 205 proceeds to S34 because the PLC program is not specially protected. The PLC program is executed as it is.

  S32: If the PLC program includes a code for calling the SFB function unit 206 for checking the security code, the program execution unit 205 calls the SFB function unit 206 according to the code. Here, the program execution unit 205 passes the “security code” (for example, SC-A) set as a parameter for the SFB 206 in the PLC program to the SFB function unit 206 when the SFB function unit 206 is called. .

  S33: The program execution unit 205 acquires a return value (“execution permission” or “execution permission”) from the SFB function unit 206. If the return value is “permission allowed”, the process proceeds to S34. On the other hand, if the return value is “permission not allowed”, the process proceeds to S35.

  S34: The program execution unit 205 executes the PLC program when the return value from the SFB function unit 206 is “execution permitted”. Thereby, the PLC 200 main body performs a user-desired operation by the PLC program.

  S35: On the other hand, when the return value from the SFB function unit 206 is “execution not permitted”, the program execution unit 205 regards this PLC program as not a valid PLC program and prohibits (stops) execution.

(SFB function processing)
FIG. 10 is a flowchart showing the flow of the security code check process of the SFB function unit 206 according to the present embodiment. Specifically, the above-described PLC program execution control (S32 in FIG. 9) will be described below with reference to the drawings.

  S 41: When the program execution unit 205 calls the SFB function unit 206 in S 32 of FIG. 9, the comparison and collation unit 207 of the SFB function unit 206 acquires a “trial period” from the secure memory 202. If the “trial period” can be acquired, the process proceeds to S42. On the other hand, if the “trial period” cannot be acquired, the process proceeds to S45. The case where the “trial period” cannot be acquired is a case where the “trial period” is not registered in the secure memory 202.

  S <b> 42: If the “trial period” can be acquired, the comparison and collation unit 207 acquires “operating time” from the secure memory 202 this time. Since the “operating time” is measured at the timing when the “trial period” is stored, when the “trial period” is registered in the secure memory 202, the “operating time” is also stored in the secure memory 202. Will be.

  S43: The comparison and collation unit 207, when acquiring the “operation time” and the “trial period” from the secure memory 202, determines whether or not the “trial period” is within the usable period based on the “operation time”. . As described above, the “trial period” indicates a period in which the PLC 200 can be used, and the “operation time” indicates the “operation time” of the PLC 200. Therefore, the comparison and collation unit 207 can determine whether or not the PLC 200 is within the “trial period” based on the “operation time” and the “trial period”. If the PLC 200 is within the “trial period”, the process proceeds to S44. On the other hand, if the PLC 200 is not within the “trial period”, the process proceeds to S51.

  For example, when 5 hours have elapsed since the start of the operation of the PLC 200, the “operation time” is 5 (H), and the “trial period” is 10 (H). It is determined that the period is within. Further, for example, when 12 hours have elapsed since the start of the operation of the PLC 200, the “operation time” is 12 (H), and the “trial period” is 10 (H). It is determined that it is not within the “trial period”.

  S44: The comparison / collation unit 207 issues a return value: “execution permission” to the program execution unit 205 in order to permit execution of the PLC program subjected to the security code check.

  S45: On the other hand, when the “trial period” cannot be acquired from the secure memory 202 (S41), the comparison / collation unit 207 requests the code conversion unit 208 to convert the parameter: “security code” (for example, SC-A). . As the “security code”, what is set as a parameter for the SFB 206 in the PLC program when the program execution unit 205 calls the SFB function unit 206 is acquired (S32 in FIG. 9).

  S46: The code conversion unit 208 converts the “security code” in response to the request from the comparison and collation unit 207. The code conversion unit 208 converts the code into a security code using the same algorithm as the code conversion unit 404 of the security code registration device 400. Therefore, in the present embodiment, “security code A” is converted to “security code B”. The code conversion unit 208 passes the converted “security code” to the comparison and collation unit 207.

  S 47: If the comparison / collation unit 207 can obtain the converted “security code” from the code conversion unit 208, the process proceeds to S 48. On the other hand, if the converted “security code” cannot be acquired from the code conversion unit 208, the process proceeds to S51.

  S <b> 48: The comparison / collation unit 207 acquires a “security code” (for example, SC-B) from the secure memory 202. If the “security code” has been acquired, the process proceeds to S49. On the other hand, if the “security code” cannot be acquired, the process proceeds to S51. The case where the “security code” cannot be acquired is a case where the “security code” is not registered in the secure memory 202.

  S49: Upon obtaining the converted parameter “security code” and the “security code” of the secure memory 202, the comparison / collation unit 207 compares (or collates) both security codes.

  S50: If both security codes match, the process proceeds to S44. That is, the comparison / collation unit 207 issues a return value: “execution permission” to the program execution unit 205 in order to permit the execution of the PLC program subjected to the security code check. On the other hand, if the two security codes do not match, the process proceeds to S51.

  S51: The comparison / collation unit 207 issues a return value: “execution disapproval” to the program execution unit 205 in order to disallow execution of the PLC program subjected to the security code check.

[Summary]
As described above, in the information processing example according to the present embodiment, when the PLC program is executed by the PLC 200, the SFB function unit 206 is called by the SFB calling code added to the PLC program, and the security code check process in the PLC program is performed. Is implemented. On the other hand, a “security code” is stored in advance in the secure memory 202 to which the access restriction of the PLC 200 is made via the security file issuing device 300 and the security code registration device 400. Then, when both security codes match by comparison (or verification) with the converted security code in the PLC program, it is determined that the PLC program is a valid PLC program, and the PLC 200 executes the PLC program. Allowed. On the other hand, if the two security codes do not match, it is determined that the PLC program is not a valid PLC program (i.e., unauthorized use of the PLC program), and the PLC 200 is not allowed to execute the PLC program.

  As described above, according to the present embodiment, the PLC program can be moved only by a valid PLC, so that it is possible to prevent unauthorized use of the PLC program. For a set manufacturer or the like that develops a product using a PLC, it is possible to prevent a counterfeit product of a PLC or PLC program or a pirated product from entering the market.

  Here, for example, when the PLC 200 according to the present embodiment fails, the production activity of the factory is stopped while the failed PLC 200 is being repaired, so the alternative PLC (PLC 200-2) is used. Consider a case where it is temporarily installed to continue production activities in the factory. At this time, the recovery work using a specific alternative machine is as follows.

  First, a maintenance worker (etc.) physically installs the alternative machine PLC 200-2. Next, the maintenance worker registers security information from the security code registration device 400 to the alternative PLC 200-2. This security information is the same as the security information registered for the failed PLC 200. What is stored in the memory 402 of the security code registration device 400 may be registered as it is. As a result, the “security code” (for example, SC-B) is stored in the secure memory 202 of the alternative device PLC 200-2.

  Next, the maintenance worker stores (downloads) the PLC program in the program memory 204 of the alternative PLC 200-2. This PLC program is the same as the PLC program used for the failed PLC 200. What is stored in the memory 102 of the support loader 100 may be stored as it is. Alternatively, as described above, when the PLC program created by the support loader 100 is stored in the recording medium inserted into the user ROM card slot 210, the maintenance worker removes the recording medium from the failed PLC 200, The recording medium is inserted into the user ROM card slot 210 of the alternative PLC 200-2. As a result, the PLC program used so far is stored (transferred) in the program memory 204 of the alternative PLC 200-2.

  Thereafter, in the alternative machine PLC 200-2, the maintenance worker only needs to execute the PLC program. When executing the PLC program, also in the security code check process of the SFB function unit 206 (comparison / collation unit 207), the “security code” (for example, SC-B) in which the parameter in the PLC program is converted and the “security code” of the secure memory 202 are displayed. Since it matches the “code” (for example, SC-B), the execution of the PLC program is permitted.

  Through the simple recovery operation as described above, the alternative PLC 200-2 can execute the same PLC program as that executed by the failed PLC 200. That is, the production activity similar to that of the failed PLC 200 can be quickly resumed by using the alternative device PLC 200-2.

  Also, in the information processing example according to the present embodiment, when the PLC program is executed by the PLC 200, the security code check process is performed. The PLC program can be executed without necessity.

  As described above, the security information is registered from the security code registration device 400 to the alternative PLC 200-2. However, if the security code registration device 400 is not at hand, the maintenance worker replaces the security code registration device 400 with the security code registration device 400. The same security information as that registered in the failed PLC 200 cannot be registered in the machine PLC 200-2.

  However, even in such a case, the maintenance worker can replace the security file issuing device (assumed to be the security file issuing device 300-2) of the alternative device and the security code registration device (security code registration device 400-2) of the alternative device. Prepare). Even if the maintenance machine does not know a valid "security code" in the alternative machine security file issuing device 300-2 and the alternative machine security code registration device 400-2, the maintenance worker can provide an arbitrary (dummy: Dammy) "security code". Input (for example, see FIG. 3C and FIG. 5C). Then, a period of time until the repair of the failed PLC 200 is completed is registered as a “trial period” (see, for example, FIG. 5C), and an optional (dummy) “security code” is assigned to the alternative PLC 200-2. As long as the security information including “and the trial period” is registered, the PLC program can be temporarily executed even if the two “security codes” do not match. That is, the production activity similar to that of the failed PLC 200 can be quickly resumed by using the alternative device PLC 200-2.

  In addition, before storing the PLC program in the PLC 200 (including the PLC 200-2), by registering a “trial period” such as one month or one week as an initial value of the “trial period” in advance, the above-described maintenance is performed. Registration of “trial period” by workers is not necessary.

  Further, when the PLC 200 is lent to the user during the “trial period”, the “security period” and the “trial period” are registered in advance and rented to the PLC 200, so that the “trial period” check becomes effective. Thereafter, if the user wishes to purchase the PLC 200 during the trial period, the registered “trial period” is deleted, and thereafter, the “security code” check becomes valid.

  As described above, according to the PLC according to the present embodiment, it is possible to prevent unauthorized use of the control program from the viewpoint of security with respect to the control program operating on the PLC while considering the operation and maintainability of the control program. It has become.

[Application example]
Next, an example in which the PLC 200 includes a GPS (Global Positioning System) sensor and performs authentication for a position where the PLC is used will be described. That is, when the PLC 200 executes the PLC program, it is authenticated whether or not the PLC is installed at a use position where the use of the PLC program is permitted. And when PLC200 is located in the use position, PLC200 permits execution of the PLC program. Thereby, the security for the control program operating on the PLC is further improved. This will be described below.

  FIG. 11 is a functional configuration example of the control system configuration diagram according to this application example. Compared to the functional configuration example of FIG. 2 described above, the support loader 100 and the PLC 200 are different in some points. Hereinafter, different points will be mainly described.

(Support loader)
In the support loader 100 according to this application example, the program creation unit 101 creates (creates support) a PLC program that operates in the PLC 200 main body. At this time, the program creation unit 101 adds a code for calling the security code check SFB function unit 206 to a part of the user creation program for the user program code created by the user as described above. In addition, “security code A” is set as a parameter for the security code check SFB 206. Further, in this application example, “valid position information” is set as a parameter for the SFB 206 for security code check.

  The “effective position information” is information for designating a use position (installation position) of the PLC 200 that permits execution of the PLC program. That is, when the PLC 200 is located at the use position specified by the “effective position information”, the PLC 200 permits the execution of the PLC program. Therefore, the user needs to designate the use position (for example, the position of the factory) of the PLC 200 as “effective position information”.

  FIG. 12 shows an example of designation of “effective position information”. “Effective position information” is input in the form of position coordinates acquired from GPS, such as (latitude x.longitude y), such as north latitude a degree b minutes c seconds, east longitude d degrees e minutes f seconds, etc. Can do.

  For example, as shown in (a), the user can designate “effective position information” by the position coordinates of two points. In this case, since the effective range is within the rectangular range, for example, a site such as a factory may be designated as the effective range.

  Further, for example, as shown in (b), the user can designate “effective position information” by the position coordinates of the polygon point. In this case, since the inside of the polygon is the effective position range, for example, the inside of a building such as a factory may be specified to be the effective position range.

  Further, for example, as shown in (c), the user can designate “effective position information” by the position coordinates of one point. In this case, the effective position range is within the peripheral circle range of one central point. The predetermined radius z may be determined in advance on the PLC 200 side as to the extent of the circle range from the center point as the effective position range, and the user can specify the radius z together with the position coordinates of the center point. It may be.

(PLC)
Next, as shown in FIG. 11, a position information acquisition unit 211 is added to the PLC 200 according to this application example. The position information acquisition unit 211 is realized by a GPS sensor or the like, receives a signal from a GPS satellite, and acquires “current position information” where the PLC 200 is located. The position information acquisition unit 211 passes the acquired “current position information” to the security information registration reception unit 201. The security information registration receiving unit 201 stores the “current position information” in the secure memory 202. Saving the “current position information” in the secure memory 202 via the security information registration receiving unit 201 is limited in access to the secure memory 202, and the security information registration receiving unit 201 writes to the secure memory 202. This is to have authority. “Current position information” is also one piece of information related to security.

  The program execution unit 205 executes the PLC program stored in the program memory 204. When the PLC program includes a code for calling the SFB function unit 206 for checking the security code, the program execution unit 205 calls the SFB function unit 206 according to the code. Then, the program execution unit 205 continues the execution of the PLC program only when the execution permission of the PLC program is obtained from the SFB function unit 206, and executes the execution of the PLC program when the execution permission of the PLC program is obtained. Prohibit (stop).

  When the SFB function unit 206 is called by the program execution unit 205, the comparison and collation unit 207, as described above, permits the execution of the PLC program based on the “trial period”, “operation time”, and “security code”. In this application example, whether or not to execute the PLC program is further determined based on “current position information”.

  That is, the comparison and collation unit 207 acquires “current position information” stored in the secure memory 202. As described above, the “current position information” of the secure memory 202 indicates position information where the PLC 200 is installed. Further, the comparison and collation unit 207 acquires “valid position information” set as a parameter in the PLC program that is the target of the security code check. Then, the comparison / collation unit 207 compares (or collates) the “current position information” with the “effective position information”, and if both position information matches (“current position information” is designated as “valid position information”). In order to permit the execution of the PLC program subjected to the security code check, a return value “execution permission” is issued to the program execution unit 205. On the other hand, the comparison / collation unit 207 does not permit the execution of the PLC program subjected to the security code check when the two pieces of position information do not match. Issue.

(SFB function processing)
FIG. 13 is a flowchart showing the flow of the security code check process of the SFB function unit 206 according to this application example. Compared with FIG. 10 described above, steps S52 to S54 following S50 are added, and the other steps are the same. Hereinafter, S52 to 54 will be described with reference to the drawings.

  S52: If the two security codes match in S50, the comparison / collation unit 207 acquires “current position information” from the secure memory 202 this time. If “current position information” can be acquired, the process proceeds to S53. On the other hand, if “current position information” cannot be acquired, the process proceeds to S51. The case where “current position information” cannot be acquired means, for example, that the position information cannot be acquired by a GPS sensor. In this case, it is recommended to notify that the “current position information” cannot be acquired and to urge review of the installation position of the PLC so that the position information can be acquired by the GPS sensor (S25 in FIG. 8).

  S53: The comparison / collation unit 207 compares (or collates) the “current position information” with the “effective position information”. Regarding “effective position information”, the comparison and collation unit 207 acquires “valid position information” set as a parameter for the SFB 206 in the PLC program when the program execution unit 205 calls the SFB function unit 206. (S32 in FIG. 9).

  S54: When “current position information” and “valid position information” match (when “current position information” is within the range specified by “valid position information”), the comparison / collation unit 207 proceeds to S44. .

  Then, the comparison / collation unit 207 issues a return value: “execution permission” to the program execution unit 205 in order to permit execution of the PLC program subjected to the security code check (S44).

  On the other hand, the comparison / collation unit 207 proceeds to S51 when the two pieces of position information do not match. Then, the comparison / collation unit 207 issues a return value: “execution disapproval” to the program execution unit 205 in order to disallow execution of the PLC program subjected to the security code check.

  As described above, in this application example, by storing “effective position information” that enables use of the program in the PLC program, based on the “current position information” acquired from the GPS sensor of the PLC 200, Only the PLC 200 installed in an area (place) where the PLC program can be used can execute the PLC program. For this reason, for example, when the PLC 200 itself is taken out after the PLC 200 is installed, the PLC program cannot be executed at a position other than the position specified by the “effective position information”. Can be prevented). That is, it is possible to further improve the security for the control program operating on the PLC 200.

  As described above, according to the present embodiment and application examples, a control system that prevents unauthorized use of a control program from the viewpoint of security with respect to the control program operating on the PLC while considering the operation and maintainability of the control program. A control device and a control method can be provided.

  It should be noted that the present invention is not limited to such specific embodiments, and various modifications and changes can be made within the scope of the gist of the present invention described in the claims.

100 Support loader 101 Program creation unit 102 Memory 200 PLC
DESCRIPTION OF SYMBOLS 201 Security information registration reception part 202 Secure memory 203 Operation time measurement part 204 Program memory 205 Program execution part 206 SFB function part 206
207 Comparison / verification unit 208 Code conversion unit 209 Notification unit 210 User ROM card slot 211 Location information acquisition unit 300 Security file issuing device 301 Security file generation unit 400 Security code registration device 401 Security file fetch unit 402 Memory 403 Security information registration unit 404 Code converter

Claims (12)

A control system including a security file issuing device, a security code registration device, a support loader, and a control device,
The security file issuing device is:
Security file generating means for generating a security file including the first security code;
The security code registration device
Storage means for storing the first security code acquired from the security file;
Code conversion means for converting the first security code stored in the storage means into a second security code that can be used in common regardless of a control device by a predetermined algorithm;
Security information registration means for registering security information including the second security code in the control device;
The support loader is
A program creation means for creating a user program including the first security code and a predetermined program code;
The control device includes:
A first memory storing the user program;
A second memory storing security information including the second security code registered by the security information registration means;
Execution permission means for permitting execution of the user program stored in the first memory;
Program execution means for executing the user program whose execution is permitted by the execution permission means,
The execution permission means, when included said predetermined program code to the user program stored in said first memory, and the first security code included in the user program and converted by the predetermined algorithm, the control device The third security code that can be used in common regardless of the second security code acquired from the security information stored in the second memory is compared, and if they match, the execution of the user program is permitted. ,
Control system characterized by. The security information registration means includes:
When trial period information is input, security information including the trial period information and the second security code is registered in the control device;
The control device includes:
Security information including the trial period information registered by the security information registration means and the second security code is stored in the second memory,
The execution permission means permits the execution of the user program stored in the first memory during the trial period when the trial period information is included in the security information stored in the second memory;
The control system according to claim 1. The control device includes:
Having measuring means for measuring the operating time of the control device;
The measuring means includes
When security information including the trial period information is stored in the second memory, measurement of the operation time of the control device is started,
The execution permission unit compares the operation time with the trial period information, and if the operation time at the current time is within the trial period, the execution permission unit regards the user program stored in the first memory as being in the trial period. Allow execution,
The control system according to claim 2. The program creation means of the support loader includes:
Creating a user program including predetermined position information in addition to the first security code and the predetermined program code;
The control device includes:
Having position information acquisition means for acquiring the current position information of the control device;
The execution permission means, when the predetermined position information is included in the user program stored in the first memory, when the current position information is outside the position range specified by the predetermined position information, Disabling execution of the user program stored in the first memory;
The control system according to any one of claims 1 to 3. A first memory storing a user program including a first security code and a predetermined program code;
A second security code that is generated by converting the first security code stored in the security code registration device by a predetermined algorithm in the security code registration device and that can be used in common regardless of the control device. A reception unit that accepts registration of security information including,
A second memory storing the security information received by the receiving unit;
Execution permission means for permitting execution of the user program stored in the first memory;
Program execution means for executing the user program whose execution is permitted by the execution permission means,
The execution permission means, when included said predetermined program code to the user program stored in said first memory, and the first security code included in the user program and converted by the predetermined algorithm, the control device The third security code that can be used in common regardless of the second security code acquired from the security information stored in the second memory is compared, and if they match, the execution of the user program is permitted. ,
A control device characterized by. In a security-enhanced area different from the normal program memory area, the function block is called by a predetermined program code input from the support loader and determines whether the user program execution is permitted or not permitted.
The functional block is
When a user program including the predetermined program code and the first security code is input from the support loader, based on the first security code and the security code information input from the security code registration device, the Determining permission or disapproval of user program execution;
The control device according to claim 5. Security information including trial period information registered by the security code registration device and the second security code is stored in the second memory,
The execution permission means permits the execution of the user program stored in the first memory during the trial period when the trial period information is included in the security information stored in the second memory;
The control device according to claim 5. Having measuring means for measuring the operating time of the control device;
The measuring means includes
When security information including the trial period information is stored in the second memory, measurement of the operation time of the control device is started,
The execution permission unit compares the operation time with the trial period information, and if the operation time at the current time is within the trial period, the execution permission unit regards the user program stored in the first memory as being in the trial period. Allow execution,
The control device according to claim 7. Having position information acquisition means for acquiring the current position information of the control device;
The first memory stores a user program including predetermined position information in addition to the first security code and the predetermined program code,
The execution permission means, when the predetermined position information is included in the user program stored in the first memory, when the current position information is outside the position range specified by the predetermined position information, Disabling execution of the user program stored in the first memory;
The control device according to claim 5, wherein: The security code registration device includes a second security code that can be commonly used regardless of the control device, in which the first security code stored in advance in the storage means of the security code registration device is converted by a predetermined algorithm. Create security information and enter it into the control unit,
The support loader creates a user program including a predetermined program code and the first security code and inputs the user program to the control device,
When the predetermined program code is included in the user program , the control device can use the first security code input from the support loader by the predetermined algorithm regardless of the control device. Permitting execution of the user program on the condition that a third security code and the second security code match;
A program execution control method. The security code registration device adds trial period information to the security information input to the control device,
The control device permits the execution of the user program during a trial period;
The program execution control method according to claim 10. The support loader adds effective position information permitting execution of the user program to the user program input to the control device,
The control device disallows execution of the user program when the current position information is outside a position range specified by the effective position information;
12. The program execution control method according to claim 10 or 11, wherein:

Images