Uninterruptible power systems meet factory automation security
Harsh industrial power environments demand high-level power protection: The right UPS can meet that demand
By Michael Stout and Michael Gibson
Factory automation security is all-encompassing. It includes traditional security and surveillance activities.
In addition, it includes data and systems security of the information technology (IT) and communications operations.
Lastly, there is the security of the factory floor operations and equipment in areas of safety, reliability, and productivity. Without reliable power, all of these vital operations are unreliable and unsecured.
When the discussion of uninterruptible power systems (UPS) arises, most people think of the little box they purchased to provide backup power to their home or office computers. They do not think of industrial-grade power protection. However, its incorporation into factory automation systems is a necessary security element.
As with other types of security systems, the UPS is available in different grades that provide differing levels of protection.
Three standards and a flywheel
There are three commonly accepted UPS design topologies and one newly emerging one: offline, line-interactive, double-conversion online, and flywheel.
The offline UPS is the least common topology found today. It is a very inexpensive backup solution for personal computers used in the home environment. It is available in output capacities from 100VA to 3kVA. The offline UPS will only provide basic battery backup and limited high voltage transient protection.
When utility power is present, it passes directly through to the UPS output without any voltage regulation. Should the utility voltage drop to a sustained brown out level of 105Vac, the output voltage of the UPS will be at the same 105Vac level.
Only when the utility voltage drops below the 100Vac level does the UPS switch to battery-powered inverter mode, and only in battery mode does the UPS inverter power the connected load.
The total backup time is typically limited to less than 10 minutes. During the utility and inverter switchover, there is typically a 4- to 25-millisecond duration power loss created at the output of the UPS.
If the offline UPS were in a factory or industrial environment, it would not provide the level of protection needed. First, the power sensitive equipment would connect directly to raw unconditioned utility power. Low voltage levels on the factory floor are quite common and the offline UPS would subject factory automation equipment to the same low voltage conditions.
Factory voltage levels commonly fluctuate due to the high power demands of large motors and other production equipment operating on the factory floor. It is common for the voltage levels to drop to a level that would cause the UPS to continually transfer to battery operation.
This could cause the internal UPS batteries to discharge completely without allowing enough time for them to recharge. Another area of concern is the 4- to 25-millisecond power loss experienced during transfers. This may be acceptable for some PCs, but it can leave programmable logic controllers (PLCs) and fully configured file servers locked up and unresponsive.
The line-interactive UPS is the most common system. These can range from inexpensive to moderately priced and are available in sizes from 100VA up to 6kVA. They are for backup and give limited power protection. They are primarily for home and business based computers, file-servers, and networks. In addition, they offer limited output voltage regulation (±5 to ±12% typical) while being powered from the utility.
In the line-interactive design, utility power feeds to an autotransformer having differing taps that switch automatically using a utility voltage sensing circuit. In the event the utility voltage drops too low, the transformer tap switches to increase the UPS output voltage.
In the event the utility voltage increases too high, another tap reduces the UPS output voltage. Before the taps can switch over, most line-interactive designs require the UPS to switch to battery mode operation.
After the tap-switch, the UPS switches back to utility mode operation. Like the offline UPS, when the utility and inverter switchover occurs, there is typically a 4- to 25-millisecond-duration power loss at the output of the UPS.
Again, if used in a factory or industrial environment, the line-interactive UPS would not be the best choice. Power sensitive equipment would connect directly to raw unconditioned utility power.
Even though the UPS has basic output voltage regulation, the utility voltage sensing circuit can become a problem. In a harsh power environment, utility voltage fluctuations could cause the UPS to continuously switch taps in an attempt to regulate.
This would again result in the batteries discharging completely without sufficient time to recharge. Additionally, the increased battery cycling of the line-interactive UPS greatly reduces battery life and causes costly unscheduled battery replacements.
As with the offline, the line-interactive UPS suffers from the same 4- to 25-millisecond-output dropout problem, except the dropouts would be much more numerous due to the tap-switch regulation design.
The double conversion online UPS provides the highest level of power protection available. This system costs a bit more than the line-interactive. They are available in sizes from 500VA to well over 100kVA.
The online design provides a much higher level of power protection and is the best choice for protecting servers, networks, medical, industrial, factory automation, and other mission-critical equipment. The online UPS uses active electronics to continuously regenerate new AC power while operating from either the utility or the battery source. The incoming AC power is rectified to regulated DC, which removes voltage transients, noise, harmonics, and frequency-related problems.
The continuous-duty inverter circuit then uses this regulated DC to regenerate clean, new AC power, with a superior output voltage regulation of ±3%.
When operating from a utility or generator source, the +/-3% output voltage regulation is maintained over the entire input -20% to +15% voltage range of the UPS.
This provides total protection from sustained utility brown outs, over voltage conditions, noise, transients, harmonics, and frequency drift. It is like installing a firewall between the sensitive equipment and the utility power.
The optimum voltage, frequency, and power levels are always there for the sensitive, microprocessor-based equipment. This continues to be the case when utility power is lost.
The internal UPS battery supply simply takes over as the energy source without any of the switchover voltage dropouts associated with the offline or line-interactive UPS designs.
The online UPS design places several layers of active electronic circuitry between the incoming utility power and the connected equipment. In the event utility voltage reaches catastrophically high levels, the UPS will give up its life and protect the connected equipment.
Most online UPS manufacturers ship their units configured with the UPS output frequency synchronized with the frequency of the incoming utility power. In applications where backup generator power is at work, this may not be desirable due to frequency instability problems inherent with some generators. Some UPS models are available that provide a fixed output frequency. This prevents the frequency drift from passing through the online UPS.
Some online UPS manufacturers carry the non-synchronized, fixed-output frequency mode operation further. They have designed their UPS to operate as a true frequency converter.
Models are available that are 50, 60, or 400Hz frequency converters. When configured for this mode of operation, the UPS bypass circuitry is also disabled.
Some models even allow for the removal of the UPS batteries. This is a very cost-effective solution should European 50Hz production equipment be required to operate from U.S. 60Hz power.
As the online UPS incorporates a continuous-duty inverter circuit, it can support extended or long-term battery mode operation. Extended battery operation of up to several hours is possible with the addition of extended battery bank options. Offline and most line-interactive UPS designs use limited duty inverter circuitry and will not accept additional external battery banks.
The online UPS is the ideal solution to solve localized power quality problems common in industrial applications.
The flywheel UPS is a newly emerging technology and now has limited distribution. Due to its high initial cost and limited backup time capability, it is not cost-effective for installations of under 100kVA. Most flywheel UPS units available are rated 100kVA and above.
The flywheel UPS works on the principle of stored kinetic energy. It is a motor-generator with a large, high-mass flywheel attached, and the flywheel turns at a very high rate of speed, typically over 25,000 RPM.
The flywheel is typically made of composite materials that will safely self-destruct inside a containment enclosure in the event of a failure. It sits on magnetic bearings that greatly reduce friction and heat, and it runs in a vacuum to reduce friction losses even further.
The flywheel connects to a motor/generator capable of turning the flywheel up to speed in less than 15 seconds. When the flywheel is turning at full speed, very little energy is necessary to keep it at speed.
When utility power is lost, the motor becomes a generator that continues to power the connected load until the flywheel stops. The UPS usually provides short-term ride through backup for an entire facility. The backup time at full load is typically less than two minutes. Longer backup times are possible by selecting a larger capacity flywheel UPS.
The flywheel UPS does not incorporate batteries, and the substantial cost of battery replacements over the life of the UPS is eliminated. However, because there are no batteries, long term or sustained backup is not an option with this design.
Most flywheel UPS products available do not perform any power conditioning. There are one or two companies incorporating an electronic inverter stage on the output of their flywheel UPS.
The inverter is similar to that of the online UPS and continuously conditions the output power when operating both from utility and flywheel power.
Presently, this type of UPS is too large and costly to solve quality problems at the equipment level on the factory floor.
Galvanic isolation, grounding
The factory floor can be a hostile power environment. Large motors, power switching, and robotics are often in abundance.
The normal operation of factory production equipment is often a major source of power pollution. Microprocessor-based controllers, PLCs, and production machines are often networked or interconnected.
Computerized numeric control (CNC) machines connect to the company's IT network and to computer-aided design (CAD) workstations. Material-handling and usage-monitoring equipment feeds data to the company's real-time materials requirements planning (MRP) or just-in-time (JIT) management computers. With all of this interconnectivity, the chance of computer and network reliability problems increases.
Many of these problems come from common-mode noise or stray current flowing across the interconnecting network, data, control, communications, and equipment cabling. In North American (NA) 120Vac systems the white neutral and green ground conductors are bonded (connected) together at the service entrance; where that bond is improperly repeated at the electrical sub-panels located throughout the factory, part of the neutral current returns on the ground wiring instead of the neutral.
Substandard building wiring, loose connections, differing ground potentials between sub-panels, or other high-power equipment running off the same panels can cause the same problem.
When these currents are present on the ground wiring, they may also find a path through the cables interconnecting networks, controllers, and any other process equipment fed from the facility's electrical panels. This results in network-data reliability issues and computer and PLC lockups. If the current is high enough, it can cause equipment failure.
A solution to this is galvanic isolation. Galvanic isolation is nothing more than an isolation transformer. If the transformers sit at strategic locations, they can reduce or eliminate the troublesome current paths. In the large factory, numerous computer/server installations or IT rooms may be located throughout the facility.
At each of these locations, a dedicated isolation transformer should sit between the incoming utility power and the sensitive equipment. The neutral of the transformer's secondary winding must be bonded to ground at the transformer, deriving a new neutral (a separately derived system in NEC terms). This breaks the neutral-to-ground current path and greatly reduces the common-mode noise seen by the sensitive equipment.
An alternate solution would be to install an isolation transformer local to the piece of equipment. Should localized galvanic isolation be required, several online UPS manufacturers offer models with internal galvanic isolation inside the UPS. This approach yields all of the benefits of the online UPS and galvanic isolation, providing a solid comprehensive solution.
Good grounding practices in accordance with the National Electrical Code (NEC) are essential.
Additionally, the main building electrical panel must connect to the building's grounding electrode. Never install multiple, independent ground rods in a building. Isolated rods are not only a code violation, they all but guarantee computer and network problems, and those problems can reach a destructive level in areas with severe lightning and storm activity. Per the NEC, if multiple ground rods are used, they must all be bonded together into the main building grounding electrode system. A single-point star grounding scheme is always the most desirable.
Centralized UPS monitoring
Large factories can have large populations of installed UPS units, whether in a single facility or in multiple facilities around the world. Without network or Internet connectivity, remote monitoring and management of those units would be a daunting and costly process. To solve this, UPS manufacturers offer SNMP/HTTP agent options.
The agent may consist of a circuit card that installs inside a communications slot located somewhere on the UPS or a standalone box that connects to the UPS RS-232 DB-9 port. The agent then connects the UPS to any 10/100 compatible Ethernet network. As the agent is TCP/IP addressable, it facilitates the remote monitoring and management of the UPS from a central location over a LAN, WAN, or the Internet.
The agent supports Simple Network Management Protocol (SNMP), an application-layer protocol in the TCP/IP suite that carries management information between network devices. Three versions of SNMP have been released to date: SNMPv1, SNMPv2 (in practice SNMPv2c), and the latest, SNMPv3, which adds real security.
What the agent exposes is a management information base (MIB), a standardized collection of objects (variables) specific to the UPS. Years ago, the UPS industry formed a committee to develop the set of objects that make up the standard UPS MIB (RFC 1628). The RFC 1628 MIB may be loaded into any standard network management system (NMS) such as IBM NetView or HP OpenView, allowing direct monitoring and management of any compliant UPS regardless of manufacturer, topology, or model.
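What an NMS does with the polled RFC 1628 objects is the interesting part. The block below is an added example, not code from the authors or from any UPS vendor: it walks a series of constructed poll records (the standard UPS-MIB OIDs are real; the readings are made up, as if an NMS had read one agent every 60 seconds) and raises an alert when the unit keeps transferring to battery, the cycling problem described earlier for offline and line-interactive units on a sagging factory feed, and when remaining runtime on battery gets low. The thresholds (600-second window, three transfers, five minutes) are assumptions to tune per site.

```python
"""Detect a UPS that keeps transferring to battery, from polled RFC 1628 values.

Added example for this article, not code from the authors or any UPS vendor.
The OIDs are the standard UPS-MIB ones; the poll records are constructed.
"""
from collections import deque

# UPS-MIB (RFC 1628) objects an NMS would poll
UPS_BATTERY_STATUS = "1.3.6.1.2.1.33.1.2.1"     # unknown(1) batteryNormal(2) batteryLow(3) batteryDepleted(4)
UPS_MINUTES_REMAINING = "1.3.6.1.2.1.33.1.2.3"  # upsEstimatedMinutesRemaining
UPS_OUTPUT_SOURCE = "1.3.6.1.2.1.33.1.4.1"      # other(1) none(2) normal(3) bypass(4) battery(5) booster(6) reducer(7)

SOURCE_BATTERY = 5
BATTERY_LOW = 3

# Constructed polls: (seconds since start, {oid: value}) for a unit on a
# sagging feed that keeps dropping to battery and back without recharging.
SAMPLE_POLLS = [
    (0,   {UPS_OUTPUT_SOURCE: 3, UPS_MINUTES_REMAINING: 22, UPS_BATTERY_STATUS: 2}),
    (60,  {UPS_OUTPUT_SOURCE: 5, UPS_MINUTES_REMAINING: 21, UPS_BATTERY_STATUS: 2}),
    (120, {UPS_OUTPUT_SOURCE: 3, UPS_MINUTES_REMAINING: 19, UPS_BATTERY_STATUS: 2}),
    (180, {UPS_OUTPUT_SOURCE: 5, UPS_MINUTES_REMAINING: 15, UPS_BATTERY_STATUS: 2}),
    (240, {UPS_OUTPUT_SOURCE: 3, UPS_MINUTES_REMAINING: 12, UPS_BATTERY_STATUS: 2}),
    (300, {UPS_OUTPUT_SOURCE: 5, UPS_MINUTES_REMAINING: 9,  UPS_BATTERY_STATUS: 2}),
    (360, {UPS_OUTPUT_SOURCE: 5, UPS_MINUTES_REMAINING: 4,  UPS_BATTERY_STATUS: 3}),
]


def analyze(polls, window_s=600, max_transfers=3, min_minutes=5):
    """Return alerts for battery chatter and for low remaining runtime.

    A transfer is a poll where upsOutputSource becomes battery(5) after a
    poll where it was something else.  max_transfers or more inside window_s
    means the unit is cycling on a bad feed and its batteries never recharge.
    The first poll never counts as a transfer because there is no prior state.
    """
    alerts = []
    transfers = deque()       # timestamps of recent transfers to battery
    prev = None
    chatter_raised = False    # raise chatter once per run, not on every later transfer
    for t, vals in polls:
        src = vals[UPS_OUTPUT_SOURCE]
        if src == SOURCE_BATTERY and prev is not None and prev != SOURCE_BATTERY:
            transfers.append(t)
            while transfers and t - transfers[0] > window_s:
                transfers.popleft()   # drop transfers older than the window
            if len(transfers) >= max_transfers and not chatter_raised:
                alerts.append({"t": t, "type": "battery-chatter", "transfers": len(transfers)})
                chatter_raised = True
        if src == SOURCE_BATTERY and (vals[UPS_MINUTES_REMAINING] < min_minutes
                                      or vals[UPS_BATTERY_STATUS] >= BATTERY_LOW):
            alerts.append({"t": t, "type": "low-runtime", "minutes": vals[UPS_MINUTES_REMAINING]})
        prev = src
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_POLLS):
        print(alert)
```

Polling every 60 seconds will miss transfers shorter than the poll interval, so in practice the transfer counter should also be fed by the agent's upsTrapOnBattery notifications from RFC 1628 rather than by polling alone.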
As an alternative to SNMP, the UPS agents also support HTTP. Any web browser can then be used to monitor and manage the UPS remotely; the agent contains an entire web site that it serves to the browser. Plain HTTP sends the login in the clear, so the agent's management interface belongs on a dedicated management network, and HTTPS should be used where the agent offers it.
UPS network security
There is a noteworthy advancement in SNMP security. The level of security available in SNMPv1 and SNMPv2c is less than desirable for high-security applications: access is controlled by a single community string, effectively a shared password that travels over the network in cleartext. Anyone who learns the community string gains access to the agent's setup parameters as well as the UPS parameters, and could shut down a UPS powering a critical process, or worse, reprogram the UPS agent and lock out the legitimate operators.
To address these issues, the IETF developed SNMPv3, and it is a vast improvement. It incorporates a user table in which each entry carries a user name, a security level, the authentication protocol to be used (HMAC-MD5 or HMAC-SHA), an authentication key (password), a privacy (encryption) protocol, and a privacy key (password). Local agent security has improved vastly, and we recommend verifying that any SNMP agent purchased supports SNMPv3, running it with both authentication and privacy enabled, and preferring HMAC-SHA over HMAC-MD5.
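The authentication key in that user table is not stored as the typed password. The block below is an added example, not code from the authors or any UPS vendor, showing the RFC 3414 key handling behind the user table: the password is stretched into a user key (Ku), then localized with each agent's snmpEngineID into the key that agent actually stores (Kul), and that key drives the truncated HMAC carried in every authenticated message. The point for a practitioner is that the same operator password yields a different stored key on every UPS agent, so a key lifted from one agent's configuration does not authenticate to another. The two engine IDs and the sample message are constructed; the "maplesyrup" vector is the one published in RFC 3414 appendix A.3.

```python
"""SNMPv3 USM key handling (RFC 3414): password -> Ku -> per-agent Kul,
then the HMAC-96 authentication parameter over a message.

Added example for this article; not code from the authors or any UPS vendor.
Engine IDs and the sample message below are constructed.
"""
import hashlib
import hmac

EXPANDED_LEN = 1_048_576   # RFC 3414 A.2: hash exactly 1 MiB of the repeated password
AUTH_PARAM_LEN = 12        # HMAC-MD5-96 / HMAC-SHA-96 truncate the MAC to 96 bits


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Ku: digest of the password repeated out to 1 MiB (RFC 3414 A.2.1 / A.2.2)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key an agent actually stores.

    Mixing in the engine ID binds the key to one agent, so Kul taken from
    one UPS does not work against another even with the same password.
    """
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_parameter(kul: bytes, whole_msg: bytes, algo: str = "sha1") -> bytes:
    """msgAuthenticationParameters: first 12 bytes of HMAC(Kul, wholeMsg)."""
    return hmac.new(kul, whole_msg, algo).digest()[:AUTH_PARAM_LEN]


def verify(kul: bytes, whole_msg: bytes, received: bytes, algo: str = "sha1") -> bool:
    """Constant-time check of a received authentication parameter."""
    return hmac.compare_digest(auth_parameter(kul, whole_msg, algo), received)


def localized_keys_for(password: bytes, engine_ids, algo: str = "sha1") -> dict:
    """One operator password, several agents: {engine_id: Kul}."""
    ku = password_to_key(password, algo)
    return {eid: localize_key(ku, eid, algo) for eid in engine_ids}


if __name__ == "__main__":
    # Constructed engine IDs for two UPS agents that share one operator password
    ups_a = bytes.fromhex("80001f8880e9bd0a2c4e7f0100")
    ups_b = bytes.fromhex("80001f8880e9bd0a2c4e7f0200")
    keys = localized_keys_for(b"factory-ups-ops", [ups_a, ups_b])
    msg = b"constructed stand-in for a BER-encoded SNMPv3 wholeMsg sent to UPS A"
    tag = auth_parameter(keys[ups_a], msg)
    print("Kul for A:", keys[ups_a].hex())
    print("Kul for B:", keys[ups_b].hex())
    print("tag accepted by A:", verify(keys[ups_a], msg, tag))
    print("same tag accepted by B:", verify(keys[ups_b], msg, tag))
```

Note that the 1 MiB stretch is the only brute-force resistance the scheme offers; it slows an offline guess but does not rescue a short password, so the password in the user table should be long and unique to the UPS fleet.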
The security of TCP/IP has also changed with the arrival of IPv6. As the world is rapidly running out of IP addresses under the 32-bit addressing of the present IPv4, IPv6 with its 128-bit addresses has arrived. You will recognize IPv4 addresses as the dotted numbers sometimes typed into the browser's URL line, 192.168.100.1 for example.
This is changing, but it will not be painless. The U.S. government and Department of Defense (DOD) set a deadline for full IPv6 implementation by June 2008. The changeover has been so extensive that the DOD was reported in January to say the date is "not written in stone." IPv6 is supposed to coexist with the present IPv4, but a full IPv6 implementation in a company may be a bit of an IT challenge.
Hardware, software, and firmware are all at risk of incompatibility, and retrofits or replacement may be necessary. One thing is sure: because of the security features built into IPv6, the government and DOD will expect their suppliers to be compliant also. Like it or not, IPv6 is the way of the future.
The level of security and improvements in IPv6 are a real asset. Here is a brief list of the changes.
IPv4 supports only 4.3 billion (2^32) unique addresses; IPv6 supports 2^128 addresses, that is, 340,282,366,920,938,463,463,374,607,431,768,211,456 of them.
IPsec (confidentiality, authentication, and data integrity through the authentication and encapsulating security payload headers) is specified as part of the IPv6 node requirements rather than as an add-on, as it is for IPv4. It still has to be configured and keyed: an IPv6 address does not by itself make the UPS agent's traffic secure.
Stateless and stateful address autoconfiguration.
Better support for quality of service allows routers to identify and provide special handling for packets.
Extensibility: IPv6 can take on new features by adding extension headers after the IPv6 header.
A new protocol (Neighbor Discovery) for interaction between neighboring nodes.
Since IPv6 may or may not coexist cleanly with IPv4 in a given network, some UPS agents allow IPv6 to be turned off if conflicts arise. Since IPv6 is the future, we suggest purchasing a UPS or agent that supports it.
Finally, the implementation of multiple online UPS units in the factory automation environment provides a high level of security against the localized power quality problems typically encountered.
When used in conjunction with properly distributed galvanic isolation, the combination gives the highest level of protection against the widest spectrum of factory-floor power problems.
Combined with secure, advanced communications, remote UPS monitoring, and the ability to centralize all UPS management, the double-conversion online UPS goes far beyond battery backup.
It offers secure power protection, maximizes equipment productivity and service life, while providing necessary power data and minimizing its own management costs.
ABOUT THE AUTHORS
Michael Stout is vice president of engineering at Falcon Electric (www.falconups.com). Michael Gibson is president of CareBase, which is involved in electric power quality systems. He also is a founding director of the non-profit Colorado Electric Service Network.
VA: Volt-amperes, applied voltage multiplied by current; the apparent power drawn by a load or electrical system.
Vac: Volts alternating current
Galvanic isolation is the principle of isolating functional sections of electric systems so electric current cannot move from one section to another.