Chosen hardware

Figure 3.2 Illustration of the FPC+ data communications topology. A Tosibox Key is used to restrict access to authorized users only.

The primary control units communicate with the cabinet automation PLC though a CANopen fieldbus. The fieldbus carries critical signals such as control commands and measurement data between the PLC and the control unit as process data, using the PDO protocol. The primary controls additionally have a standard RS-422 serial communication port, which is used to establish a remote monitoring connection via a serial-to-Ethernet device, Moxa NPort, and the Tosibox Lock remote access device.

These devices will be presented in more detail in the following sections. The RS-422 connection carries monitoring signals between the primary controls and for example a control room computer, and is used for parametrization, firmware updates and diagnostic logging when needed. Being able to do all this remotely over the Internet gives the product great flexibility and saves the time and resources of the client.

3.3 Chosen hardware

The principal topology of all the devices used for the internal and external commu-nications of the cabinet was shown in Figure 3.2. The remote access functionality, as well as local monitoring and operation via Ethernet, is based on the Tosibox remote access device. A serial-to-Ethernet conversion needs to be performed to access the primary controls. The devices affiliated with the communications are presented in detail in this section.

3.3. Chosen hardware 26

3.3.1 Cabinet automation control PLC

Cabinet automation is established using a Beckhoff CX5010 PLC. It is chosen due to its fitting specifications, and the fact that Beckhoff’s technology is the most familiar within the company, and know-how for development is readily available. It also has a built-in Ethernet interface for easy integration with the remote access system of the converter cabinet. Beckhoff PLC’s have a modular structure that allows installing I/O extension cards to fit any application. The modular nature can be seen in Figure 3.3 featuring a CX5010 with multiple I/O extension cards installed. The extension cards are connected to each other and the main unit via an integrated EtherCAT (Ethernet for Control Automation Technology) bus, which is an Ethernet-based fieldbus system developed by Beckhoff. CX5010’s Intel Atom 1.1 GHz processor is seen fit for the task, and practice has shown that it is enough to handle the load without problems. Furthermore, the extended temperature rating of -25–65 ^◦C is suitable in most situations as the air temperature inside the cabinet is never supposed to go over this range. [37]

The CX5010 comes with a TwinCAT 2 runtime and programming environment and although not the newest, it is a very stable and mature environment and fits the purpose. TwinCAT supports all programming languages standardized in the IEC 61131-3, namely LD (Ladder Diagram), FBD (Function Block Diagram), ST (Structured Text), IL (Instruction List), SFC (Sequential Function Chart), and CFC (Continuous Function Chart) [38]. For the most part, ST is used for application development for the FPC+ as it is a high-level, fast and flexible textual programming language allowing complex structures. It is often supplemented with function blocks programmed with FBD, which makes them visually easy to follow and modify. [39]

CX5010 comes pre-installed with Windows Embedded CE 6.0 operating system, which supports enough running processes and virtual memory support needed for FPC+ automation. It has a graphical user interface that is useful during the set-up and when performing diagnostics, and it can be accessed using remote desktop software, or by plugging a monitor and other wanted peripherals to the provided DVI (Digital Video Interface) and USB (Universal Serial Bus) ports. [37]

The 4 installed USB ports can be useful for other purposes than peripheral device connections too. It can be used for example for saving log files on an external hard drive if a logging function is programmed in the application. In the FPC+ such logging feature is planned for the future, including the logging of the grid breaker

3.3. Chosen hardware 27 usage, temperature data, and power histogram. Such information comes handy for example in predictive condition monitoring. This data can then be accessed locally and remotely.

Figure 3.3 Beckhoff CX5010 PLC with modular I/O extension cards attached.

3.3.2 Tosibox remote access and networking system

As briefly explained at the beginning of Section 3.2, Tosibox Lock is an integrated network switch and router with a built-in VPN used for setting up secure connections to the cabinet. At the moment, Tosibox offers two models of their product, the Lock 100 and Lock 200. The Lock 200 is an upgraded version of the product and is said to offer better properties for industrial use, including but not limited to a faster VPN throughput, and PoE (Power over Ethernet) functionality. On the other hand, the Lock 200 has inferior operating temperature ratings. While the Lock 100 is rated to operate in temperatures up to 70^◦C, the Lock 200 can handle temperatures only up to 50 ^◦C. [36][40] For this reason the older Lock 100 model, presented in Figure 3.4, is chosen for the FPC+. Its properties fit the purpose and the information security is on the same level in both products. Both models of the Lock are fully compatible, so choosing the Lock 100 does not restrict future choices in any way.

One of the main reasons for choosing the Tosibox solution over other choices is that in it everything is integrated into one robust device with secure, audited information security measures. The information security measures taken in the Tosibox solution will be discussed in more detail in Section 3.4. The Tosibox solution also works

3.3. Chosen hardware 28 on a plug-and-go basis and should not require any special expertise to use. It is possible to achieve similar functionality without the Tosibox system by combining different communication devices together, but it would increase costs and add more complexity to the configuration process.

The Tosibox Lock 100 has three RJ-45 -type LAN (Local Area Network) ports for device connections and a WAN (Wide Area Network) port for Internet connection.

One port is also provided for service purposes, enabling a direct local connection to the Lock and its settings, which require the administrator password. A wire-less LAN access point is built-in with two antenna connections. Additionally, one multipurpose USB port is provided. [36]

The USB port of the Lock can be fitted with 3G (3rd Generation) or 4G (4th Generation) wireless mobile modems for Internet access. It needs to be supplied with a conventional SIM (Subscriber Identity Module) card from an Internet operator of choice. The Lock supports a large variety of different commercial models, and Tosibox also provides its own industry grade models, 3G and 4G, with a variety of mounting options and an external antenna connector. The Lock is designed to automatically recover from a lost connection or modem problems with automatic error detection, recovery and diagnostics functions to minimize downtime and service needs. [41]

Tosibox Lock is paired with the Tosibox Key, an intelligent small USB device with a secure cryptoprocessor, to establish a secure connection between the Lock and the user’s PC (Personal Computer). Without the Key, the Lock does not accept remote connections to itself, and only local connections are allowed through the service port or inside the LAN. [36] More details about the serialization process is presented later in the thesis.

During initial commissioning, the Lock needs to be serialized with a Key. This happens automatically by inserting the Key to the USB port on the Lock, and waiting until the notification light on the Key turns off. The procedure should take only around 10 seconds. This first serialized Key becomes the Master Key. If needed, several Sub Keys with wanted privileges can be afterwards serialized using a PC with the Master Key. Multiple Locks can be serialized with one Key. [36]

After the serialized Key is inserted into a PC, its driver and user software is auto-matically installed. Through the installed user software, the user can connect to any

3.3. Chosen hardware 29

Figure 3.4 Tosibox Lock 100 with with a Tosibox Key.

of the Locks serialized with it and start using all the connected devices remotely in the same fashion as they would be operated locally, fundamentally only limited by the provided Internet connection speed and given access rights. [36, p. 17]

3.3.3 Moxa NPort serial-to-Ethernet converter

Moxa’s NPort 5200-series serial-to-Ethernet converter device, illustrated in Figure 3.5, handles the conversion of serial inputs to an Ethernet output. NPort 5232I-T model allows a simultaneous conversion of two RS-422 serial connections to one Ethernet connection. Support for two RS-422 serial ports is needed as in most implementations of the FPC+ the primary controls are composed of two separate units with their own RS-422 serial interface. It is possible to connect to the control units directly through the RS-422 interface, but the NPort converter is included to get all connections behind one Ethernet interface, with the help of the Tosibox Lock. The chosen NPort has an operating temperature range on -40–70 ^◦ C, which is suitable for the task in every situation. The device is small and supports multiple straightforward configuration methods. [43]