Appendix F
Digital Instrumentation and Control System Features

In the Phase 1 report of this study (NRC, 1995), the committee noted that care must be exercised to take into account inherent characteristics of digital systems and the effect of these characteristics on the processes with which the digital systems interface. Key characteristics of the digital systems include real-time processing, data communications, sequential operation, multiplexing, multitasking, memory sharing, and diverse data transmission and storage media, each of which is discussed below.

REAL-TIME PROCESSING

Real-time systems are defined as those systems in which the correctness of the system response depends not only on the logical results of the computation but also on the time at which the results are produced (Stankovic and Ramamrithan, 1988). A typical real-time system includes a controlling system and a controlled system. The controlling system periodically receives and processes information about the controlled system and the environment and generates control commands in response to this information, which are applied to the controlled system. For this operation to be stable and meet performance requirements, the timing relationship between the controlling system and the controlled system must be such that the complete control sequence (parameter sampling, transmission process, control command generation, and control command transmission back to the process) is faster than the response time of the controlled process. For critical systems, timing analysis of the controlling system typically considers the worst (rather than average) values for communication delays and execution time. Such worst case analysis often places important constraints on the design to ensure that timing bounds can be met. Such constraints include the use of a special-purpose real-time operating system kernel, nonpreemptive scheduling, and simple data and control flow structures in order to reduce the unpredictability of the response. Interrupts are frequently disabled or are anticipated in the schedule and handled expediently. Real-time systems, because they must provide guaranteed response in the worst case, are typically underutilized when analyzed for average behavior.

Failure modes of real-time systems include the typical failure modes of the controlling system, augmented by timing failures. A timing failure occurs when a deadline is missed. The result of a missed deadline depends on the controlled process. In some cases, a real-time system may tolerate missing several consecutive deadlines if the output parameters are held steady. However, there is often a hard limit to the number of missed deadlines that can be tolerated.
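The two points above (worst-case timing of the complete control sequence, and tolerating a bounded run of missed deadlines by holding the output) are worked in the following added example, which is constructed for this appendix and is not code from the report or from any vendor's control system; the stage budgets, the design margin `factor`, and the hard limit are assumed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Worst-case time (us) of each stage of one control sequence; critical-loop analysis uses worst-case, not average, values. */
typedef struct {
    uint32_t sample_us;    /* parameter sampling */
    uint32_t tx_us;        /* transmission to the controller */
    uint32_t compute_us;   /* control command generation */
    uint32_t tx_back_us;   /* command transmission back to the process */
} sequence_budget_t;

/* True if the worst-case sequence is at least `factor` times faster than the
 * controlled process's response time (`factor` is an assumed design margin). */
bool sequence_timing_ok(const sequence_budget_t *b, uint32_t process_response_us, uint32_t factor)
{
    uint64_t worst = (uint64_t)b->sample_us + b->tx_us + b->compute_us + b->tx_back_us;
    return worst * factor <= process_response_us;
}

typedef struct {               /* deadline supervisor for one periodic control loop */
    uint32_t period_us;        /* each cycle's deadline, measured from cycle start */
    uint32_t hard_limit;       /* tolerated run of consecutive missed deadlines */
    uint32_t consecutive_miss; /* current run of misses */
    double   held_output;      /* last valid command; held steady on a miss */
    bool     failed;           /* hard limit exceeded: loop declared failed */
} supervisor_t;

/* One cycle: `completion_us` is when the new command was ready, measured from
 * cycle start. Returns the command to apply to the process this cycle. */
double supervisor_step(supervisor_t *s, uint32_t completion_us, double new_output)
{
    if (s->failed)
        return s->held_output;               /* stay held once failed */
    if (completion_us <= s->period_us) {
        s->consecutive_miss = 0;             /* deadline met: apply the fresh command */
        s->held_output = new_output;
    } else if (++s->consecutive_miss > s->hard_limit) {
        s->failed = true;                    /* more misses than the process tolerates */
    }
    return s->held_output;                   /* on a miss the previous output is held */
}

int main(void)
{
    sequence_budget_t b = { 100, 200, 300, 200 };          /* constructed budget */
    printf("worst-case sequence within margin: %d\n", sequence_timing_ok(&b, 4000, 3));
    supervisor_t s = { .period_us = 1000, .hard_limit = 2 };
    uint32_t done_us[] = { 800, 1200, 1500, 1100 };        /* one on-time cycle, three misses */
    for (int i = 0; i < 4; i++)
        printf("cycle %d: output %.1f\n", i, supervisor_step(&s, done_us[i], 5.0 + i));
    printf("consecutive misses %u, loop failed: %d\n", s.consecutive_miss, (int)s.failed);
    return 0;
}
```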

In large applications such as power plants, the real-time processing systems are usually not written from scratch using general-purpose computers. Rather, many vendors offer off-the-shelf systems, and these are widely used in distributed control systems in industrial applications (see, e.g., Sudduth, 1995). As a result, real-time distributed computer systems designed for industrial process control are often a collection of microprocessor-based modules interconnected through a communication network, which execute well-defined process control functions. Function modules are provided for data acquisition, control of process variables, operator communication, and supervisory functions. Programming of such commercially available process control systems often involves the selection and interconnection of functional blocks from a library of modules. Usually this interaction is programmed by the system designer using a graphic interface. Many potential problems associated with constructing real-time systems from scratch are avoided or minimized by restrictions enforced by the use of these special-purpose process control systems. For example, they often rely on the predefined standard function modules, rather than requiring custom programming in general-purpose software languages. This, plus the use of a real-time operating system kernel, simplifies the task of timing analysis and helps ensure predictability. Hardware execution time variation (e.g., effects of cache memory) is also an issue that must be addressed. Of course, this does not eliminate all the potential problems (e.g., software quality assurance).




DATA COMMUNICATIONS

A distributed process-control system requires a reliable communication network to link the control nodes together. Reliable communication systems must provide a guaranteed level of performance, even when heavily loaded, and must be able to detect and recover when a message is lost or erroneous. The critical nature of the communication system has led to the development of architectures (and associated protocols) for data-highway communication networks for distributed process-control systems. In a data-highway-based communication system there is a data-link level but no higher level of ISO network protocols (Schoeffler, 1984). Architectures vary throughout the industry, but three types are common: the token passing ring-based, broadcast-based, and cluster-based systems. Well-defined architectures and algorithms for reliable communication have been developed for each type of communication network (Jalote, 1994).

Failure modes associated with communication systems include (a) lost and late messages; (b) misdirected messages; (c) messages that lose meaning after being sent because the sending processor rolls back to a previously saved checkpoint owing to an error (commonly known as orphan messages; see Jalote, 1994); and (d) inconsistent messages to other processes, which can cause the receivers to act inconsistently (commonly known as Byzantine messages; see Lamport et al., 1982). Failure modes associated with shared resources must also be considered. Multiplexers that sample and combine the data at the transmitting end and multiplexers that decode the signals at the receiving end represent points of vulnerability in the system because multiple signals are sequentially processed by these devices.

SEQUENTIAL OPERATION

Microprocessors in digital instrumentation and control (I&C) systems execute all software commands sequentially. This sequential operation must be considered in addressing the timing and scheduling considerations discussed above. Implications of sequential operations include:

The sequential processing capacity of the modules in a control loop needs to be such that loop control response is several times faster than process response time. This is based on closed-loop control stability theory. Although this requirement applies to all control systems, it must be carefully considered in digital control loops.

In digital systems additional delays may occur because of interrupts or preemptions of a higher priority. As a result, closed-loop control algorithms should be implemented so that they are executed in a predictable manner, without timing uncertainties introduced by unpredictable interruptions or preemptions.

The use of dedicated and separate buses for closed-loop control, for control and alarm operator interfaces, and for performance calculations is highly desirable. This approach reduces the introduction of unnecessary delays into the control loops.

MULTIPLEXING

Digital systems have the capability of sampling multiple plant process parameters and then bringing the sampled data sequentially into digital memory over a single physical communication channel. Similarly, digital systems have the capability of transmitting multiple command control signals to plant processes one at a time over a single channel. Although "multiplexing" is a term that has traditionally been applied to the transmission of these types of process parameter signals, communication links in digital I&C systems also carry multiplexed information of a broader nature, such as performance analysis results, historical data files, and display data files. These multiplexing capabilities introduce common paths in the transmission of information. Also, the multiplexers are themselves sequential devices, which must be considered in addressing the timing and scheduling considerations and the communications considerations discussed previously.

Multiplexing must be coordinated throughout the plant so that all data are acquired and used in a consistent way. Multiplexing of time-sensitive data critical to plant performance or protection against hazards is best handled via deterministic data buses or data links, which handle data in a predictable manner that is easy to verify and validate in design reviews and testing. Most importantly, multiplexing of independent channels, such as those used in safety systems, must be avoided since it would destroy their independence. Good guidance on this subject is provided in NUREG/CR-6082, Data Communications.

MULTITASKING

Multitasking involves the ability to interrupt a task in progress and initiate or resume a different task that needs to be performed on a higher priority. It is actually a feature of the software but it can affect the performance of a digital system and needs to be accounted for. Multitasking must be considered in addressing the timing and scheduling considerations discussed above. In time-sensitive applications, preemptive multitasking is not desirable as it may introduce uncertain delays. In this case, handling tasks in a deterministic manner is preferred, so that critical tasks are always scheduled and performed in a predictable manner. Multitasking is more generally acceptable in functions that are not time-sensitive and do not interfere with time-sensitive functions. For example, multitasking may be useful in off-line functions such as historical data trending analysis or diagnostics calculations.
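The communication failure modes (a) through (c) listed under Data Communications above, worked as receiver-side checks in an added example that is constructed here and is not from the report or from any data-highway product: the message layout, its CRC, destination id, sender timestamp, sequence number and checkpoint epoch are all assumptions. Mode (d), Byzantine messages, is not covered, since a single receiver cannot detect it; that requires agreement among redundant receivers.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed link-level message (an assumption, not a real data-highway
 * protocol). Field order leaves no padding before `crc`, so the CRC covers
 * the raw struct bytes up to that field. */
typedef struct {
    uint8_t  dest, src;   /* receiving and sending node ids */
    uint16_t epoch;       /* sender's checkpoint epoch; bumped on a rollback */
    uint32_t seq;         /* per-sender sequence number within the epoch */
    uint32_t sent_ms;     /* sender's timestamp */
    int32_t  value;       /* process value carried */
    uint16_t crc;         /* CRC-16/CCITT-FALSE over the fields above */
} msg_t;

typedef enum { MSG_OK, MSG_CORRUPT, MSG_MISDIRECTED, MSG_LATE, MSG_ORPHAN, MSG_STALE } verdict_t;

typedef struct {          /* receiver-side state for one sender */
    uint8_t  my_id;
    uint16_t epoch;       /* highest epoch seen from the sender */
    uint32_t next_seq;    /* next sequence number expected in that epoch */
    uint32_t max_age_ms;  /* delivery deadline; older messages are late */
    uint32_t lost;        /* messages inferred lost from sequence gaps */
} rx_state_t;

uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side: compute and store the integrity check. */
void seal(msg_t *m) { m->crc = crc16_ccitt((const uint8_t *)m, offsetof(msg_t, crc)); }

/* Receiver side: classify one message as erroneous, late or lost (a),
 * misdirected (b) or orphaned by a sender rollback (c); accepted messages
 * advance the epoch and sequence tracking for that sender. */
verdict_t classify(rx_state_t *st, const msg_t *m, uint32_t now_ms)
{
    if (crc16_ccitt((const uint8_t *)m, offsetof(msg_t, crc)) != m->crc) return MSG_CORRUPT;
    if (m->dest != st->my_id) return MSG_MISDIRECTED;          /* not addressed to this node */
    if (now_ms - m->sent_ms > st->max_age_ms) return MSG_LATE; /* missed its delivery deadline */
    if (m->epoch < st->epoch) return MSG_ORPHAN;               /* predates a rollback already seen */
    if (m->epoch > st->epoch) { st->epoch = m->epoch; st->next_seq = 0; } /* sender restarted */
    if (m->seq < st->next_seq) return MSG_STALE;               /* duplicate or reordered */
    st->lost += m->seq - st->next_seq;                         /* a gap means earlier messages were lost */
    st->next_seq = m->seq + 1;
    return MSG_OK;
}
```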

MEMORY SHARING

Digital systems make use of historical data values to perform control actions, to make performance calculations, and to generate displays. These data are stored so that the data may be accessible to multiple processors. One processor may deposit in memory data sampled from a plant process while other processors use these stored data for other functions. For example, the level of water in a tank may be periodically sampled and stored in memory by one processor while a second processor uses the stored value to vary the opening of a drain valve that regulates water level. A third processor may use the same stored value to start a transfer of water to another tank, and a fourth processor may use it to display the level in the control room. Memory sharing introduces the need to manage and protect the flow of data in and out of shared memories so that data are valid and consistent at all times. This is a complex subject and there is an extensive literature that should be consulted (see, e.g., Suri et al., 1995; Tanenbaum, 1995; and Jalote, 1994). The impact of memory sharing also must be considered in addressing timing and scheduling considerations.

DIVERSE DATA TRANSMISSION AND STORAGE MEDIA

Digital signals can be stored and can travel on media that are different from those used in analog systems. For example, data may be stored on different types of magnetic media or transmitted over optical data highways. The important differences, both pro and con, need to be recognized. For example, optical signal transmission media are often used in digital systems. Optical media are more robust than traditional electric conductors. Optical media are immune to all forms of electromagnetic interference and eliminate problems introduced by ground loops in electric circuits. Optical cable offers complete electrical isolation and is resistant to most chemicals. It also generates relatively low noise and produces low signal attenuation. However, the installation of optical fiber cable requires special training and tools.

The use of diverse transmission and storage media in digital I&C systems does not present insurmountable challenges. The media must be environmentally qualified in a manner similar to that in which analog and digital equipment has been qualified in the past.

REFERENCES

Jalote, P. 1994. Fault Tolerance in Distributed Systems. Upper Saddle River, N.J.: Prentice-Hall.

Lamport, L., R. Shostak, and M. Pease. 1982. The Byzantine generals problem. ACM Transactions on Programming Languages and Systems 4(3):382–401.

NRC (National Research Council). 1995. Digital Instrumentation and Control Systems in Nuclear Power Plant Operations and Safety: Safety and Reliability Issues, Phase 1. Board on Energy and Environmental Systems, National Research Council. Washington, D.C.: National Academy Press.

Schoeffler, J.D. 1984. Distributed computer systems for industrial process control. IEEE Computer 17(2):11–18.

Stankovic, J., and K. Ramamrithan. 1988. Tutorial: Hard Real-Time Systems. Los Alamitos, Calif.: IEEE Computer Society Press.

Sudduth, A. 1995. Presentation to the committee, Washington, D.C., December.

Suri, N., C.J. Walter, and M.M. Hugue. 1995. Advances in Ultra-Dependable Distributed Systems. Los Alamitos, Calif.: IEEE Computer Society Press.

Tanenbaum, A. 1995. Distributed Operating Systems. Upper Saddle River, N.J.: Prentice-Hall.