Page 68 - July-August 2012
Basic HTML Version
68
Nuclear Plant Journal, July-August 2012
other clients are asking for the other
extreme: full computer control. That
choice opens a wealth of options:
Electronic sensors, operating at a
convenient 24 VDC, can monitor bearing
temperatures, water and oil pressures with
corresponding temperatures, and much
more—all of which can be displayed,
automatically logged, and acted upon.
In commercial systems, all of this data
would be handled by programmable logic
controllers (PLCs). However, the very
quality that makes PLCs wonderfully
suited for nonnuclear commercial
applications—their adaptability—makes
them equally unsuited to nuclear EDG
applications.
Fairbanks Morse has been designing
PLC-basedcontrolsystemsforcommercial
engine generators for many years, but the
current regulatory requirements, which
are prudent, have required us to alter our
practice when designing nuclear systems.
We now offer EDG control systems that
provide full computer control without
using a PLC.
Our supplier uses our logic designs
to adapt a custom computer control
with an embedded processor. While
this control unit outwardly resembles
a PLC, it satisfies the most exacting
interpretations of applicable codes
and standards. This approach provides
high immunity to tampering or cyber
attack. The logic remains the same as in
traditional systems.
Challenges
The introduction of digital control
opens many exciting possibilities for
more flexible control, but let’s look first
at some of the challenges:
Configuration control
PLCs are well known for lack of
configuration control, being subject to
impromptu changes to the application
program (software), undocumented
component changes, and even changes
to the manufacturing process for the
components. We address this issue by
using nonvolatile memory for safety-
qualified controls; the firmware and
the application software program for
the EDG main control, the governor
system, and the voltage regulator system
are all “burned in.” Any changes must
be documented and tested and then
implemented by physical replacement of
a chip on the controller card. There is no
means to make an impromptu change to
the program.
Cyber threat
The topic of cyber threat is a rapidly
evolving new area for controls. In
addition to the inherent security of having
a burned-in program inside the processor,
we use another mitigating measure: The
sole digital serial link to connect outside
the safety envelope is arranged so that it
can only broadcast; it is not capable of
listening.
Interpretation of codes and standards
The regulatory codes and standards
that encompass designing, testing, and
qualifying a system are known. Applying
those codes and standards to an application
that includes a processor is, arguably,
a work in progress. Fairbanks Morse
is seeing a variety of interpretations in
customer specs—all of which are good
designs—and continues to work to clarify
this issue with agencies and customers.
Opportunities
The hallmark of current digital
designs is their greatly expanded list of
control features and the flexibility for
changes.
Factory reset
Digital control offers the capability
to restore all of the optimization
adjustments, such as the proportional-
integral-derivative (PID) settings, to
Evolution of...
Specifying digital EDG controls?
Consider these new options and issues
:
Do you want a minimalist or a
“maximalist” system?
That is, do you want to use processors
only where absolutely necessary, or do
you want to exploit a full range of sensor
capability?
Which data do you want to use and
how?
Engines can now report data on
bearings, exhaust, air, oil, water, fuel,
cooling water, and pneumatics. Generator
systems can send data feeds of electrical
power parameters; the list goes on!
How will you plan for new
regulations?
Requirements for qualification of
control equipment may become more
demanding in the near future.
