International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human-Machine Interface Technologies (NPIC&HMIT 2000), Washington, DC, November, 2000.
DESIGN OF NETWORKS FOR DISTRIBUTED DIGITAL CONTROL SYSTEMS IN NUCLEAR POWER PLANTS
Hyung Seok Kim, Jae Min Lee, Taerim Park, Wook Hyun Kwon, School of Electrical Engineering and ERC-ACI, Seoul National University, San 56-1, Shillimdong, Kwanakgu, Seoul, 151-742, Korea
ljmpaul@cisl snu.ac.kr
Keywords: networks, distributed control system (DCS), control network, communication independence

ABSTRACT

In this paper, networks for distributed digital control systems in the nuclear power plant (NPP) are proposed. Three levels of hierarchical networks, namely information networks, control networks and field networks, are described. In particular, the importance of the control network is emphasized and its architecture and structure are proposed. The implementation of the communication independence that is essential for the safety system of nuclear power plants is described. Several design methodologies that take the safety characteristics of the NPP into account are suggested.

1. INTRODUCTION

Nuclear power plants have generated a large share of electric power for many decades. In traditional instrumentation and control (I&C) systems for nuclear power plants (NPPs), most connections are hardwired point-to-point links. Because they are based on analog technology, they are susceptible to noise and slow, owing to the relatively long analog-to-digital conversion time. Modern digital communication networks are fast and more robust against channel noise; with fiber-optic cable they are largely immune to it. Therefore, digital networking plays a key part in upgrading the performance of I&C equipment. In safety-critical systems such as the control systems of a nuclear power plant, distributed control systems (DCS) are used. In a DCS, distributed controllers communicate with each other over networks. The architecture of these networks differs from an office LAN in many respects: it resembles a general industrial network, but has many special characteristics. When digital communication networks are applied to NPPs, their architecture design requires careful consideration. Figure 1 is a hierarchical view of the proposed communication networks of the DCS, which connect many nodes by digital communication.
The networks are classified as an information network, a control network, and a fieldbus network according to bandwidth and target level. The information network is responsible for the exchange of data and commands among operator interface stations (OIS) and engineering interface stations (EIS). Through the field network, field controllers share input and output (I/O) data collected by other field controllers. The control network must guarantee real-time behaviour and connects the group controllers, which form its major cells. Gateways make communication between the safety system and the non-safety system independent. In section 2, the control network, the core network of the DCS, is described through its protocol, implementation and performance analysis. In section 3, a design methodology for the real implementation of communication independence is proposed. In section 4, the other networks, the field network and the information network, are suggested. Section 5 is the conclusion.
Fig 1. Hierarchical architecture of the DCS network.
2. CONTROL NETWORK

The control network is the core communication network in the nuclear power plant. It is a highly reliable network used in the system for protection and control. It also serves as the source of monitoring and alarm data for the information network. The control network connects distributed controllers and makes communication between them possible. It can affect the overall operation of the DCS. Therefore, the safe and stable operation of the control network is very important for a DCS used in nuclear power plant systems. Network protocols that can be used as a control network require real-time behaviour, high speed, reliability, and maintainability. Well-known high-speed networks include IEEE 802.3u Fast Ethernet (or Gigabit Ethernet), Fibre Channel, ATM, and FDDI.
FDDI can support real-time communication using a token mechanism; however, the number of its vendors is decreasing sharply. Ethernet is the most popular high-speed network protocol because it is very cheap and easy to implement, so it has more vendors than any other kind of network protocol. Reliability of the Ethernet is a very important requirement. It has been examined in many studies and verified by vendor testing and field use. Maintainability is also a very important requirement because it affects the availability of the system. When a problem occurs in the nuclear power plant, prompt recovery can prevent a heavy loss. Although Fast Ethernet has many advantages, it is known that it cannot guarantee real-time communication, since it is based on the CSMA/CD (carrier sense multiple access / collision detection) protocol. So, in order to apply it to the control network, we have developed a control network interface card (CNIC) based on the MPC8260 microprocessor with a Fast Ethernet controller. By adding a reliable token-passing algorithm, it can support real-time data exchange. The added token-passing method does not introduce a non-deterministic delay when the token is lost, because token loss is handled by a predefined restoration mechanism.
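As an added example (not the paper's CNIC firmware), the following Python model shows why a token-passing layer with a predefined token-loss recovery rule yields a bounded token rotation time, which CSMA/CD alone cannot promise; the station count, holding time, loss timeout and choice of recovery station are assumed values.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class TokenRing:
    """Constructed model of a token-passing scheme layered on a shared Fast Ethernet
    segment: stations pass the token in fixed order, each transmits for at most hold_time
    per visit, and silence longer than loss_timeout makes every station declare the token
    lost, after which the predefined recovery station (stations[0]) regenerates it."""
    stations: list[int]              # station ids in token-passing order
    hold_time: float                 # token-holding time per visit (s)
    loss_timeout: float              # silence before token loss is declared (s)
    drop_passes: set[int] = field(default_factory=set)  # pass indices where the token is lost (injected faults)
    lost: int = 0
    visits: dict[int, list[float]] = field(default_factory=dict)

    def run(self, passes: int) -> dict[int, list[float]]:
        """Simulate `passes` hand-offs and record when each station held the token."""
        t, idx = 0.0, 0
        for n in range(passes):
            sid = self.stations[idx]
            self.visits.setdefault(sid, []).append(t)
            t += self.hold_time                      # holder transmits its cyclic data
            if n in self.drop_passes:
                # token lost in transit: the ring stays silent until the loss timer expires,
                # then the recovery station regenerates the token (fixed cost, no contention)
                t += self.loss_timeout
                self.lost += 1
                idx = 0
            else:
                idx = (idx + 1) % len(self.stations)
        return self.visits

    def max_rotation(self) -> float:
        """Longest interval any station waited between two consecutive token visits."""
        gaps = [b - a for v in self.visits.values() for a, b in zip(v, v[1:])]
        return max(gaps, default=0.0)

    def rotation_bound(self) -> float:
        """Worst case with at most one loss per rotation: a full rotation, the loss
        timeout, and a restart from stations[0] that revisits every station ahead."""
        return (2 * len(self.stations) - 1) * self.hold_time + self.loss_timeout


def demo() -> tuple[float, float, float]:
    """Fault-free rotation, rotation with one injected token loss, and the analytic bound."""
    ok = TokenRing([0, 1, 2, 3], hold_time=1.0, loss_timeout=3.0)
    ok.run(20)
    faulty = TokenRing([0, 1, 2, 3], hold_time=1.0, loss_timeout=3.0, drop_passes={5})
    faulty.run(20)
    return ok.max_rotation(), faulty.max_rotation(), faulty.rotation_bound()
```

The injected loss lengthens one rotation, but the longest observed rotation never exceeds the analytic bound, which is what makes the scheme usable where a deadline must hold.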
3. COMMUNICATION INDEPENDENCE

According to IEEE Std. 7-4.3.2-1993, communication independence must be provided in the safety systems of nuclear power generating stations. The use of computers in safety systems has provided an opportunity for a high level of data communication between computers within a single safety channel, between safety channels, and between safety and non-safety computers. Improper use of this communication ability could result in the loss of a computer's ability to perform its function or multiple functions and thereby inhibit the safety system from performing its function. Isolation needs to be considered in order to prevent fault propagation between safety channels and from a non-safety computer to a safety computer.
Fig. 2. Electrical and communication isolation for communication independence.

For proper independence of the safety computer from non-safety equipment, both electrical and communication isolation need to be ensured. Electrical isolation requirements are provided in IEEE Std. 384, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits. Figure 2 depicts a method with two separate points of isolation, one electrical and one communications. This method allows two-way communication between the safety computer and the non-safety computer, as long as a buffering circuit is employed in the safety computer. To implement communication independence in the proposed network, a 'data gateway' is defined as a system that supports the communication interface between two different protocols and the function of data buffering. Two data gateways are necessary: one separating the INW in the non-safety system from the CNW in the safety system, and one separating the CNW in the non-safety system from the CNW in the safety system. Optical fiber cable satisfies electrical isolation. Separate TX and RX cables for two-way communication satisfy communication isolation. Buffers in the gateway, classified as part of the protected system, store frames in order to control the permission to transmit them.
Fig. 3. Architecture of the data gateway.
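As an added example, not the authors' gateway implementation, this Python model shows the buffering behaviour a data gateway needs so that the protected side stays in control of what crosses from the non-safety network: the bounded inbound buffer, the drop-on-full policy and the per-cycle release budget are assumptions, not details from the paper.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass
class DataGateway:
    """Constructed model of the gateway's buffering function: the two directions use
    separate paths, inbound frames are parked in a bounded buffer owned by the protected
    side, and only the protected side decides when and how many of them are released."""
    capacity: int                                   # assumed bounded inbound buffer
    inbound: deque = field(default_factory=deque)   # non-safety -> safety, awaiting release
    outbound: list = field(default_factory=list)    # safety -> non-safety, copied out
    dropped: int = 0

    def receive_from_nonsafety(self, frame: dict) -> bool:
        """Park an inbound frame; a full buffer drops the frame instead of exerting
        back-pressure, so a burst from the non-safety side cannot stall the safety side."""
        if len(self.inbound) >= self.capacity:
            self.dropped += 1
            return False
        self.inbound.append(dict(frame))
        return True

    def release_to_safety(self, budget: int) -> list[dict]:
        """Called from the safety computer's own cycle: release at most `budget` frames."""
        out: list[dict] = []
        while self.inbound and len(out) < budget:
            out.append(self.inbound.popleft())
        return out

    def send_from_safety(self, frame: dict) -> None:
        """Outbound path: a copy of the frame leaves; nothing enters on this path."""
        self.outbound.append(dict(frame))


def flood_scenario(n_frames: int, capacity: int, budget: int, cycles: int) -> dict:
    """The non-safety side sends n_frames in a burst, then the safety side runs `cycles`
    fixed-budget cycles; its per-cycle work never exceeds `budget` whatever n_frames is."""
    gw = DataGateway(capacity)
    for i in range(n_frames):
        gw.receive_from_nonsafety({"seq": i, "kind": "status-request"})  # constructed traffic
    per_cycle = []
    for c in range(cycles):
        per_cycle.append(len(gw.release_to_safety(budget)))
        gw.send_from_safety({"kind": "status", "cycle": c})  # reply leaves on the separate path
    return {"dropped": gw.dropped, "delivered": sum(per_cycle),
            "max_per_cycle": max(per_cycle), "outbound": len(gw.outbound)}
```

Whether five frames or a thousand arrive, the safety side processes at most `budget` of them per cycle and keeps transmitting on its own path; excess traffic is counted as dropped at the gateway rather than propagated.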
4. OTHER NETWORKS

The field network connects the field control modules to deliver the collected field inputs and outputs to the control network. It employs HDLC as its data link layer and uses the multi-drop RS-485 scheme as its physical connection. RS-485 communication provides about 2 Mbps of bandwidth. As mentioned in section 1, the EIS executes engineering functions and the OIS supports monitoring functions. The information network carries information between the EIS and the OIS and between OISs. Since the information network is treated as a non-safety computer network, it does not need channel redundancy. Its protocol is based on TCP/IP, the general computer network protocol. The information network nodes exchange data with control network nodes via the DGW-CI mentioned in section 3. The information network receives frames from the DGW-CI in order to monitor the states of lower-level nodes. If it is considered unsafe for the OIS to issue important control commands over the digital communication path, the use of dedicated soft controls or hardwired panels may be preferable, since they are not disrupted by overloaded traffic.
5. CONCLUSIONS

This paper described the control network, the gateway for communication independence, the field network and the information network after introducing the global network architecture. It showed that much consideration is required when applying digital communication to nuclear power plants. Detailed design of the real-time communication protocol, fault tolerance and the safety system is in progress. This research is directed toward a real installation at a nuclear power plant in Korea as the application site of the proposed network.

REFERENCES

IEEE Inc., 1998, IEEE Std. 802.3 Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specification.
IEEE Power Engineering Society, 1993, IEEE Std. 7-4.3.2-1993, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.
IEEE Power Engineering Society, 1991, IEEE Std. 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.
IEEE Power Engineering Society, 1992, IEEE Std. 384-1992, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits.