jaseg/master-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ma: update text w/ more blurb

Browse source
This commit is contained in:
jaseg 2020-05-15 16:16:25 +02:00
parent 7368a30d66
commit 9cc84c766c
9 changed files with 387 additions and 167 deletions
Download patch file Download diff file Expand all files Collapse all files

43
ma/safety_reset.bib
View file

@ -1121,4 +1121,47 @@
url = {http://pages.silabs.com/rs/634-SLU-379/images/introduction-to-wireless-mbus.pdf},
}
@Article{belega01,
author = {Daniel Belega and Dario Petri},
date = {2013},
journaltitle = {IEEE Transactions on Instrumentation and Measurement},
title = {Accuracy Analysis of the Multicycle Synchrophasor Estimator Provided by the Interpolated DFT Algorithm},
doi = {10.1109/tim.2012.2236777},
issn = {0018-9456},
issue = {5},
pages = {942-953},
volume = {62},
year = {2013},
}
@Article{borkowski01,
author = {Jozef Borkowski and Dariusz Kania and Janusz Mroczka},
date = {2014},
journaltitle = {IEEE Transactions on Industrial Electronics},
title = {Interpolated-DFT-Based Fast and Accurate Frequency Estimation for the Control of Power},
doi = {10.1109/tie.2014.2316225},
issn = {0278-0046},
issue = {12},
pages = {7026-7034},
volume = {61},
year = {2014},
}
@TechReport{semerow01,
author = {Anatoli Semerow and Sebastian Hohn and Matthias Luther and Walter Sattinger and Hans Abildgaard and Agustin Diaz Garcia and Giorgio Giannuzzi},
date = {2015},
institution = {{University of Erlangen-Nuremberg} and ENTSO-E},
title = {Dynamic Study Model for the interconnected power system of Continental Europe in different simulation tools},
doi = {10.1109/ptc.2015.7232578},
year = {2015},
}
@WWW{entsoe05,
author = {ENTSO-E},
date = {2019},
title = {ENTSO-E Initial Dynamic Model of Continental Europe},
url = {https://www.entsoe.eu/publications/system-operations-reports/#entso-e-initial-dynamic-model-of-continental-europe},
urldate = {2020-05-14},
}
@Comment{jabref-meta: databaseType:biblatex;}

481
ma/safety_reset.tex
View file

@ -36,6 +36,7 @@
\usetikzlibrary{shapes}
\usepackage[binary-units]{siunitx}
\DeclareSIUnit{\baud}{Bd}
\usepackage{hyperref}
\usepackage{tabularx}
\usepackage{commath}
@ -93,16 +94,49 @@
\newpage
\chapter{Introduction}
% FIXME
Like in all fields of engineering there is an ongoing diffusion of information systems into industrial control systems
in the power grid. Automation of these control systems has been practised for the better part of a century already.
Until recently this automation was mostly limited to core components of the grid. Generators in power stations are
computer-controlled according to electromechanical and economic models. Switching in substations is automated to allow
for fast failure recovery. Humans are still vital to these systems, but their tasks have shifted from pure operation to
engineering, maintenance and surveillance.
A large-scale trend in power systems is the move from a model of centralized generation built around massive large-scale
fossil and nuclear power plants towards a more heterogenous model. In this new model large-scale fossil power plants
still serve a major role but two new factors come into play. One is the advance of renewable energies. The large-scale
use of wind and solar power in particular from a current standpoint seems unavoidable for our continued existence on
this planet. For the electrical grid however, these systems constitute a significant challenge. Fossil-fueled power
plants can be precisely controlled to match the expected energy consumption at any point in time. This tracking of
production and consumption is vital to the stability of the grid. Renewable energies such as wind and solar power do not
provide the same degree of controllability, and they introduce a large degree of uncertainty due to the
unpredictable way of the forces of nature.
Along with this change in dynamic behavior renewable energies have brought forth the advance of distributed generation.
In distributed generation end-customers that previously only consumed energy have started to feed energy into the grid
from small solar installations on their property. Distributed generation is a chance for customers to gain autonomy and
shift from a purely passive role to being active participants of the electricity market.
To match this new landscape of decentralized generation and unpredictable renewable resources the utility industry has
had to adapt itself in major ways. One aspect of this adaption that is particularly visible to ordinary people is the
computerization of end-user energy metering. Despite the widespread use of industrial control systems inside the
electrical grid and the far-reaching diffusion of computers into people's everyday lifes the energy meter has long been
one of the last remnants of an offline, analog time. Until the 2010s many of the world's households were still served
through electromechanical Ferraris-style meters that have their origin in the late 19th century. % FIXME citation.
Today, under the terms \emph{Smart Grid} and \emph{Smart metering} the shift towards fully computerized, often networked
meters has been largely accomplished.
% FIXME continue here.
\cite{crastan03}
\section{Structure and operation of the electrical grid}
Since this thesis is filed under \emph{computer science} we will provide a very brief overview of some basic aspects of
modern power grids.
\subsection{Structure of the electrical grid}
% FIXME
\subsubsection{Hierarchical structure}
The electical grid is composed of a large number of systems such as distribution systems, power stations and substations
interconnected by long transmission lines. Mostly due to ohmic losses\footnote{
Power dissipation of a resistor of resistance $R [\Omega]$ given current $I [A]$ is $P_\text{loss} [W] =
@ -120,9 +154,37 @@ and the cost increase for the increased volatage rating of components such as tr
considerations have led to a hierarchical structure where large amounts of energy are transmitted over very long
distances (up to thousands of kilometers) at very high voltages (upwards of \SI{200}{\kilo\volt}) and voltages get lower
the closer one gets to end-customer premises. In Germany at the local level a substation will distribute
\SIrange{10}{25}{\kilo\volt} % FIXME citation on this
to large industrial consumers and streets with small transformer substations converting this to the \SI{400}{\volt}
three-phase AC households are usually hooked up with.
\SIrange{10}{30}{\kilo\volt} to large industrial consumers and streets with small transformer substations converting
this to the \SI{400}{\volt} three-phase AC households are usually hooked up with\cite{crastan01}.
\subsubsection{Transmission lines, bus bars and tie lines}
The number one component of the electrical grid are transmission lines. Short transmission lines that tightly couple
parts of a substation are called \emph{bus bars}. Transmission lines that couple otherwise independent grid segments are
called \emph{tie lines}. A tie line often connects grid segments operated by two different operators e.g.\ across a
country border.
\emph{Short} transmission lines can be approximated as a simple lumped-component
RLC\footnote{resistor-inductor-capacitor} circuit. In this case the effect of wave propagation along the line does not
have to be taken into consideration. In this lumped model the transmission line is represented by a circuit of one or
two inductors, one or two capacitors and some resistors. This representation simplifies analysis. For \emph{long}
transmission lines above \SI{50}{\kilo\meter} (cable) or \SI{250}{\kilo\meter} (overhead lines) this approximation
breaks down and wave propagation along the line's length has to be taken into account. The resulting model is what RF
engineering calls a \emph{transmission line} and models the line's parasitics\footnote{stray capacitance, ohmic
resistance and stray inductance} as being uniformly distributed along the length of the line. To approximate this model
in lumped-element evaluations the line is represented as a long chain of small lumped-component RLC sections. This
complex structure makes modelling more difficult in comparison to short lines\cite{crastan01}.
Almost all transmission lines used in the transmission and distribution grid use three-phase AC. Long-distance overland
lines are usually implemented as overhead lines due to their low cost and ease of maintenance. Underground cables are
much more expensive due to their isolation and are only used when overhead lines cannot be used for e.g.\ safety or
aesthetic reasons. In some specialized applications such as long, high-power undersea cables high-voltage DC (HVDC) is
used. In HVDC converter stations at both ends of the line convert between three-phase AC and the line's DC voltage.
These converter stations are controlled electronically and do not exhibit any of the electromechanical effects
generators in a power plant do. Since HVDC re-synthesizes three-phase AC from DC at the receiving end of the line it can
be used to couple non-synchronous grids. This also allows for additional degrees of control over the transmission of
power compared to a regular transmission line. These technical benefits are offset by the high initial cost (mostly due
to the converter stations) leading to HVDC being used in specific situations only\cite{crastan03}.
\subsubsection{Generators}
@ -132,9 +194,14 @@ frequency and generator rotation speed are bidirectionally electromechanically c
the grid it would receive electrical energy from the grid and convert it into mechanical energy, acting as a motor.
Small deviations between rotational speed and grid frequency will be absorbed by the electromechanical coupling between
both. All generators connected to the grid operate synchronously. Maintaining this synchronization over time is the task
of complex control systems within each power station.
of complex control systems within each power station\cite{simon01,crastan01}.
% FIXME influence of non-rotating sources: photovoltaics
Nowadays besides traditional rotating generators the grid also contains a large amount of electronically controlled
inverters. These inverters are used in photovoltaic installations and other setups where either DC or non-synchronous AC
is to be fed into the grid. Setups like this behave differently to rotating generators. In particular \emph{inertia} in
these setups is either absent or a software parameter potentially reducing their overload capacity compared to rotating
generators. The fundamentally different nature of electronically controlled inverters has to be taken into account in
planning and regulation\cite{crastan03}.
\subsubsection{Switchgear}
@ -155,6 +222,7 @@ circuit and extinguish the resulting arc discharge\cite{nelles01,crastan01,simon
% disconnect switches, fuses, breakers -> crastan 1 (ch. 8)
\subsubsection{Transformers}
Along with transmission lines transformers are one of the main components most people will be thinking of when talking
about the electrical grid. Transformers connect grid segments at different voltage levels with one another. In the
distribution grid transformers are used to provide standard end-user voltage levels to the customer (e.g. 230/400V in
@ -175,12 +243,14 @@ adjust secondary voltage under load\cite{simon01}. Tap changers are used in the
specified voltage tolerances at the customer's connection.
\subsubsection{Instrument transformers}
While operating on the exact same physical principles instrument transformers are very different from regular
transformers in an energy system. Instrument transformers are specialized low-power transformers that are used as
transducers to measure voltage or current at very high voltages. They are part of the control and protection systems of
substations\cite{crastan01}.
\subsubsection{Chokes}
Chokes are large inductors. In power grid applications their construction is similar to the construction of a
transformer with the exception that they only have a single winding on the core. They are used for a variety of
purposes. A frequent use is as a series inductor on one of the phases or the neutral connection to limit transient fault
@ -191,6 +261,7 @@ parrallel LC resonant circuit with the transmission line's earth capacitance. Tu
petersen coil reduces earth fault current to levels low enough to quickly extinguish the arc\cite{simon01}.
\subsubsection{Power factor correction}
Reactive power (also referred to as \emph{VAR} after its is unit Volt-Ampère Reactive) an important variable in the
operation of electrical grids (see sec.\ \ref{frequency_estimation}). If reactive power generation and consumption are
mismatched, high currents develop that lead to high transmission losses. For this reason grids include circuits to
@ -198,9 +269,6 @@ compensate reactive power imbalances\cite{crastan01}. These circuits can be as s
connected to a power line but often can be switched to adapt to changing load conditions. Static Var compensators are
particularly fast-acting reactive power compensation devices whose purpose is to maintain bus voltage\cite{rogers01}.
\subsubsection{Transmission lines, bus bars and tie lines}
% cite crastan 1 on transmission lines, bus bars (ch. 8)
\subsubsection{Loads}
Lastly, there is the loads that the electrical grid serves. Loads range from mains-powered indicator lights in devices
@ -225,6 +293,7 @@ that can consume a good fraction of a gigawatt all on their own.
\section{Smart meter technology}
Smart meters were a concept pushed by utility companies throughout the 00's. Smart metering is one component of the
larger societal shift towards digitally interconnected technology. Old analog meters required that service pesonnel
physically come to read the meter. \emph{Smart} meters automatically transmit their readings through modern
@ -284,10 +353,12 @@ for technologists\cite{pierce01,rodden01,lupton01,costanza01,fell01}.
% FIXME continue this.
\subsection{Common components}
\label{sm-cpu} Smart meters usually are built around an off-the-shelf microcontroller. Some meters use specialized smart
metering SOCs\cite{ifixit01} while others use standard microcontrollers with core metering functions implemented in
external circuitry (cf.\ sec.\ \ref{sec-easymeter} where we detail the meter in our demonstration setup). Specialized
SoCs usually contain a segment LCD driver along with some high-resolution analog-to-digital converters for the actual
\label{sm-cpu}
Smart meters usually are built around an off-the-shelf microcontroller. Some meters use specialized smart metering
SOCs\cite{ifixit01} while others use standard microcontrollers with core metering functions implemented in external
circuitry (cf.\ sec.\ \ref{sec-easymeter} where we detail the meter in our demonstration setup). Specialized SoCs
usually contain a segment LCD driver along with some high-resolution analog-to-digital converters for the actual
measurement functions. In many smart meter designs used outside of Germany the metering SoC will be connected to another
full-featured SoC acting as the modem. At a casual glance this might seem to be a security measure, but it may be more
likely that this is done to ease integration of one metering platform with several different communication stacks (e.g.\
@ -379,6 +450,7 @@ transport encryption and other cryptographic services\cite{bsi-tr-03109-2,bsi-tr
\section{Security in smart grids}
The smart grid in practice is nothing more or less than an aggregation of embedded control and measurement devices that
are part of a large control system. This implies that all the same security concerns that apply to embedded systems in
general also apply to most components of a smart grid in some way. Where programmers have been struggling for decades
@ -412,6 +484,7 @@ rooted up one by one with no damage to consumers and very limmited damage to uti
scenarios would be a far cry from the efficiency of an exponentially growing botnet.
\subsection{Smart grid components as embedded devices}
A fundamental challenge in smart grid implementations is the central role smart electricity meters play. Smart meters
are used both for highly-granular load measurement and (in some countries) load switching\cite{zheng01}.
Smart electricity meters are effectively consumer devices. They are built down to a certain price point that is
@ -429,6 +502,7 @@ against attacks and simplify updates. Combined with the small market sizes in sm
this produces a high cost pressure on the software development process for smart electricity meters.
\subsection{The state of the art in embedded security}
Embedded security generally is much harder than security of higher-level systems. This is due to a combination of the
unique constraints of embedded devices (hard to update, usually small quantity) and their lack of capabilities
(processing power, memory protection functions, user interface devices). Even very well-funded companies continue to
@ -469,6 +543,7 @@ resources for the latter.
% FIXME cite some figures on code size in smart meter firmware?
\subsection{Attack avenues in the smart grid}
If we model the smart grid as a control system responding to changes in inputs by regulating outputs, on a very high
level we can see two general categories of attacks: Attacks that directly change the state of the outputs, and attacks
that try to influence the outputs indirectly by changing the system's view of its inputs. The former would be an attack
@ -479,6 +554,7 @@ oscillation in the amount of power generated by the plant according to the contr
% FIXME expand
\subsubsection{Communication channel attacks}
Communication channel attacks are attacks on the communication links between smart grid components. This could be
attacks on IP-connected parts of the core network or attacks on shared busses between smart meters and IP gateways in
substations. Generally, these attacks can be mitigated by securing the aforementioned communication links using modern
@ -497,6 +573,7 @@ attack to have more far-reaching consequences the attacker would need to comprom
infrastructure\cite{kim01,kosut01}.
\subsubsection{Exploiting centralized control systems}
The type of smart grid attack most often cited in popular discourse, and to the author's knowledge % FIXME verify, cite
the only type that has so far been conducted in practice, is a direct attack on centralized control systems. In this
attack, computer components of control systems are compromised by the same techniques used to compromise any other kind
@ -516,6 +593,7 @@ In addition, given political will these systems can readily be secured since the
of them and driving a technician to every one of them in turn to install some security update is perfectly feasible.
\subsubsection{Control function exploits}
Control function exploits are attacks on the mathematical control loops used by the centralized control system. One
example of such an attack would be resonance attacks as described in \textcite{wu01}.
In this kind of attack, inputs from peripheral sensors indicating grid load to the centralized control system are
@ -533,6 +611,7 @@ behavior such as oscillations.
% FIXME cite mitigation approaches
\subsubsection{Endpoint exploits}
One rather interesting attack on smart grid systems is one exploiting the grid's endpoint devices such as smart
electricity meters\footnote{
Though potentially this could also aim at other kinds of devices distributed on a large scale such as sensors in
@ -564,9 +643,16 @@ that was mentioned above, this scenario poses a serious danger to grid stability
% FIXME add small-scale load shedding for heaters etc.
\subsection{Attacker models in the smart grid}
% FIXME
\subsection{Practical attacks}
% FIXME
\subsection{Practical threats}
% FIXME
\subsection{Conclusion, or why we are doomed}
We can conclude that a compromise of a large number of smart electricity meters cannot be ruled out. The complexity of
network-connected smart meter firmware makes it exceedingly unlikely that it is in fact flawless. Large-scale
deployments of these devices under some circumstances such as where they are used with load disconnect relays make them
@ -629,6 +715,7 @@ preferences about this due to fear of copyright infringement.
\section{The theory of endpoint safety}
\label{sec_criteria}
In order to gain anything by adding our reset controller to the smart meter's already complex design we must satisfy two
interrelated conditions.
\begin{enumerate}
@ -683,6 +770,7 @@ Based on the above classification of attack angles and our observations on state
\end{enumerate}
\subsection{Overall structural system security}
Considering overall security, we first introduce the \emph{reset authority}, a trusted party acting as the single
authority for issuing reset commands in our system. In practice this trusted party may be part of the utility company,
part of an external regulatory body or a hybrid setup requiring both to cooperate. We assume this party will be designed
@ -694,8 +782,8 @@ Using an asymmetric cryptographic design centered around the \emph{reset authori
denial-of-service attacks on our system by any of the four attacker types. All reset commands in our system originate
from the \emph{reset authority} and are cryptographically secured to provide authentication and tamper detection.
Under this model, attacks on the electrical grid components between the \emph{reset authority} and the customer device
degrade into man-in-the-middle attacks. To ensure the \textsc{safety} criterion from \ref{sec_criteria} holds we must
% TODO check whether this \ref displays as intended
degrade into man-in-the-middle attacks. To ensure the \textsc{safety} criterion from Section \ref{sec_criteria} holds we
must % TODO check whether this \ref displays as intended
make sure our cryptography is secure against man-in-the-middle attacks and we must try to harden the system against
denial-of-service attacks by the attacker types listed above. Given our attacker model we cannot fully guard against
this sort of attack but we can at least choose a commmunication channel that is resilient against denial of service
@ -708,16 +796,18 @@ out-of-scope.
% FIXME include considerations on production testing somewhere (is the device working? is the right key programmed?)
\subsection{Complex microcontroller firmware}
The \textsc{security} property from \ref{sec_criteria} is in a large part reliant on the security of our reset
controller firmware. The best method to increase firmware security is to reduce attack surface by limiting external
interfaces as much as possible and by reducing code complexity as much as possible.
% FIXME formalize this as something like "Design Goal DG-023-42-1" ?
If we avoid the complexity of most modern microcontroller firmware we gain another benefit beyond implicitly reduced
attack surface: If the resulting design is small enough we may attempt formal verification of our security property.
Though formal verification tools are not yet suitable for highly complex tasks they are already barely adequate for
small amounds of code and simple interfaces.
Though formal verification tools are not yet suitable for highly complex tasks they are already adequate for small
amounts of code and simple interfaces.
\subsection{Modern microcontroller hardware}
Microcontrollers have gained enormously in both performance/efficiency as well as in peripheral support. Alas, these
gains have largely been driven by insatiable customer demand for faster, more powerful chips and for a long time
security has not been considered important outside of some specific niches such as smartcards. Traditionally a
@ -857,7 +947,7 @@ this is unlikely to be a disadvantage since ususally there is only one distribut
Additionally shared resources such as a cellular radio gateway would most likely only be shared within a single building
and within a single building usually all meters are operated by the same provider.
Systems in Europe commonly support Wireless M-Bus, an european standardized protocol\cite{mohan01} that operates on
Systems in Europe commonly support Wireless M-Bus, an european standardized protocol\cite{silabs01} that operates on
several ISM bands\footnote{
Frequency bands that can be used for \emph{Industrial, Scientific and Medical} applications by anyone and that do
not require obtaining a license for transmitter operation. Manufacturers can use whatever protocol they like on
@ -1222,6 +1312,7 @@ part of the private key as the signature, and if we were to publish a signature
derive additional signatures by ``mixing'' the two published signatures.
\subsubsection{Winternitz Signatures}
An improvement to basic Lamport signatures as described above are Winternitz signatures as detailed in
\textcite{merkle01} and \textcite{dods01}. Winternitz signatures reduce public key length as well as signature length
for hash length $n$ from $2n$ to $\mathcal O \left(n/t\right)$ for some choice of parameter $t$ (usually a small number
@ -1243,6 +1334,7 @@ H\left(\sigma_i\right)$ matching $m_i' = m_i + 1$, this scheme is usually paired
\textcite{merkle01}.
\subsubsection{Using hash-based signatures for trigger authentication}
The most basic possible trigger authentication scheme would be to simply generate a random bit string secret key $s$ and
publish $p = H(s)$ for some hash function $H$. To activate the trigger, $\sigma = s$ would be published and listeners
could verify that $H(\sigma) = p = H(s)$. This simplistic scheme has one main disadvantage: It is a fundamentally
@ -1270,9 +1362,6 @@ realistically be up to $\mathcal O\left(10^3\right)$, which is easily enough for
% some sort of scenario definition introducing those terms somewhere.
\chapter{Practical implementation}
\section{Cryptographic validation}
%FIXME
\section{Data collection for channel validation}
@ -1283,6 +1372,7 @@ variable, as opposed to the frequency spectrum of mains voltage $V(t)$ itself).
\subsection{Grid Frequency Estimation}
\label{frequency_estimation}
In commercial power systems Phasor Measurement Units (PMUs) are used to precisely measure parameters of a mains voltage
waveform. One of the parameters PMUs measure is mains frequency. PMUs are used as part of SCADA systems controlling
transmission networks to characterize the operational state of the network.
@ -1354,15 +1444,6 @@ domain knowledge about the expected frequency spectrum of the signal can be empl
techniques to re-construct the precise frequency of the spectrum's main component despite comparatively coarse STFT
resolution and despite numerous distortions.
\begin{figure}
\centering
\includegraphics{../lab-windows/fig_out/mains_voltage_spectrum}
\caption{Fourier transform of a 24 hour capture of mains voltage. Data was captured using our frequency measurement
sensor described in section \ref{sec-fsensor} and FFT'ed after applying a blackman window. Vertical lines indicate
\SI{50}{\hertz} and odd harmonics.}
\label{mains_voltage_spectrum}
\end{figure}
Published grid frequency estimation algorithms such as \textcite{narduzzi01} or \textcite{derviskadic01} are rather
sophisticated and use a combination of techniques to reduce numerical errors in FFT calculation and peak fitting. Given
that we do not need reference standard-grade accuracy for our application we chose to start with a very basic algorithm
@ -1384,6 +1465,7 @@ worse than algorithms involving more complex models under some conditions but th
that more complex perform worse when the input signal deviates from their models.
\subsection{Frequency sensor hardware design}
\label{sec-fsensor}
Our safety reset controller % FIXME is this the right term?
will have to measure mains frequency to later demodulate a reset signal transmitted through it. Since we have decided to
@ -1432,15 +1514,15 @@ the signal processing to a regular computer and concentrating our hardware effor
\label{fmeas-sens-diag}
\end{figure}
An overall block diagram of our system is shown in fig. \ref{fmeas-sens-diag}. The mircrocontroller we chose is an
\texttt{STM32F030F4P6} ARM Cortex-M0 microcontroller made by ST Microelectronics. The ADC in fig. \ref{fmeas-sens-diag}
in our design is the integrated 12-bit ADC of this microcontroller, which is sufficient for our purposes. The USB
interface is a simple USB to serial converter IC (\texttt{CH340G}) and the galvanic digital isolation is accomplished
with a pair of high-speed optocouplers on its \texttt{RX} and \texttt{TX} lines. The analog signal processing is a
simple voltage divider using high-power resistors to get the required creepage along with some high-frequency filter
capacitors and an op-amp buffer. The power supply is an off-the-shelf mains-input power module. The system is
implemented on a single two-layer PCB that is housed in an off-the-shelf industrial plastic case fitted with a printed
label and a few status lights on its front.
An overall block diagram of our system is shown in Figure \ref{fmeas-sens-diag}. The mircrocontroller we chose is an
\texttt{STM32F030F4P6} ARM Cortex-M0 microcontroller made by ST Microelectronics. The ADC in Figure
\ref{fmeas-sens-diag} in our design is the integrated 12-bit ADC of this microcontroller, which is sufficient for our
purposes. The USB interface is a simple USB to serial converter IC (\texttt{CH340G}) and the galvanic digital isolation
is accomplished with a pair of high-speed optocouplers on its \texttt{RX} and \texttt{TX} lines. The analog signal
processing is a simple voltage divider using high-power resistors to get the required creepage along with some
high-frequency filter capacitors and an op-amp buffer. The power supply is an off-the-shelf mains-input power module.
The system is implemented on a single two-layer PCB that is housed in an off-the-shelf industrial plastic case fitted
with a printed label and a few status lights on its front.
\subsection{Clock accuracy considerations}
@ -1532,67 +1614,20 @@ with IO contention on the raspberry PI/linux side causing only 16 skipped sample
\subsection{Frequency sensor measurement results}
\begin{figure}
\centering
\includegraphics{../lab-windows/fig_out/freq_meas_trace_24h}
\caption{Trace of grid frequency over a 24 hour window. One clearly visible feature are large positive and negative
transients at full hours. Times shown are UTC. Note that the european continental synchronous area that this
sensor is placed in covers several time zones which may result in images of daily load peaks appearing in 1 hour
intervals. Fig.\ \ref{freq_meas_trace_mag} contains two magnified intervals from this plot.}
\label{freq_meas_trace}
\end{figure}
\begin{figure}
\begin{subfigure}{\textwidth}
\centering
\includegraphics{../lab-windows/fig_out/freq_meas_trace_2h_1}
\caption{A 2 hour window around 00:00 UTC.}
\end{subfigure}
\begin{subfigure}{\textwidth}
\centering
\includegraphics{../lab-windows/fig_out/freq_meas_trace_2h_2}
\caption{A 2 hour window around 18:30 UTC.}
\end{subfigure}
\caption{Two magnified 2 hour windows of the trace from fig.\ \ref{freq_meas_trace}.}
\label{freq_meas_trace_mag}
\end{figure}
\begin{figure}
\centering
\includegraphics{../lab-windows/fig_out/mains_voltage_spectrum}
\caption{Power spectral density of the mains voltage trace in fig. \ref{freq_meas_trace}. We can see the expected
peak at \SI{50}{\hertz} along with smaller peaks at odd harmonics. We can also see a number of spurious tones both
between harmonics and at low frequencies, as well as some bands containing high noise energy around
\SI{0.1}{\hertz}. This graph demonstrates a high signal-to-noise ratio that is not very demanding on our frequency
estimation algorithm.
}
\label{mains_voltage_spectrum}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_spectrum}
\caption{Power spectral density of the 24 hour grid frequency trace in fig. \ref{freq_meas_trace} with some notable
peaks annotated with the corresponding period in seconds. The $\frac{1}{f}$ line indicates a pink noise spectrum.
Around a period of \SI{20}{\second} the PSD starts to fall off at about $\frac{1}{f^3}$ until we can make out some
bumps at periods around $2$ and \SI{3}{\second}. Starting at at around \SI{1}{Hz} we can see a white noise floor in
the order of \si{\micro\hertz^2\per\hertz}.
% TODO: where does this noise floor come from? Is it a fundamental property of the grid? Is it due to limitations of
% our measurement setup (such as ocxo stability/phase noise) ???
}
\label{freq_meas_spectrum}
\end{figure}
Captured raw waveform data is processed in the Jupyter Lab environment\cite{kluyver01} and grid frequency estimates are
extracted as described in sec. \ref{frequency_estimation} using the \textcite{gasior01} technique. Appendix
\ref{grid_freq_estimation_notebook} contains the Jupyter notebook we used for frequency measurement. In fig.\
Captured raw waveform data has been processed in the Jupyter Lab environment\cite{kluyver01} and grid frequency
estimates are extracted as described in sec. \ref{frequency_estimation} using the \textcite{gasior01} technique.
Appendix \ref{grid_freq_estimation_notebook} contains the Jupyter notebook we used for frequency measurement. In Figure
\ref{freq_meas_feedback} we fed back to the frequency estimator its own output giving us an indication of its numerical
performance. The result was \SI{1.3}{\milli\hertz} of RMS noise over a \SI{3600}{\second} simulation time. This
indicates performance is good enough for our purposes. In addition to this we validated our algorithm's performance by
applying it to the test waveforms from \textcite{wright01}. In this test we got errors of \SI{4.4}{\milli\hertz} for the
\emph{noise} test waveform, \SI{0.027}{\milli\hertz} for the \emph{interharmonics} test waveform and
\SI{46}{\milli\hertz} for the \emph{amplitude and phase step} test waveform. Full results can be found in fig.\
\SI{46}{\milli\hertz} for the \emph{amplitude and phase step} test waveform. Full results can be found in Figure
\ref{freq_meas_rocof_reference}.
Figures \ref{freq_meas_trace} and \ref{freq_meas_trace_mag} show our measurement results over a 24-hour and a 2-hour
window respectively.
\begin{figure}
\centering
\includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_feedback}
@ -1617,6 +1652,44 @@ applying it to the test waveforms from \textcite{wright01}. In this test we got
\label{freq_meas_rocof_reference}
\end{figure}
\begin{figure}
\centering
\includegraphics{../lab-windows/fig_out/freq_meas_trace_24h}
\caption{Trace of grid frequency over a 24 hour window. One clearly visible feature are large positive and negative
transients at full hours. Times shown are UTC. Note that the european continental synchronous area that this
sensor is placed in covers several time zones which may result in images of daily load peaks appearing in 1 hour
intervals. Figure \ref{freq_meas_trace_mag} contains two magnified intervals from this plot.}
\label{freq_meas_trace}
\end{figure}
\begin{figure}
\begin{subfigure}{\textwidth}
\centering
\includegraphics{../lab-windows/fig_out/freq_meas_trace_2h_1}
\caption{A 2 hour window around 00:00 UTC.}
\end{subfigure}
\begin{subfigure}{\textwidth}
\centering
\includegraphics{../lab-windows/fig_out/freq_meas_trace_2h_2}
\caption{A 2 hour window around 18:30 UTC.}
\end{subfigure}
\caption{Two magnified 2 hour windows of the trace from Figure \ref{freq_meas_trace}.}
\label{freq_meas_trace_mag}
\end{figure}
\begin{figure}
\centering
\includegraphics{../lab-windows/fig_out/mains_voltage_spectrum}
\caption{Power spectral density of the mains voltage trace in Figure \ref{freq_meas_trace}. Data was captured using
our frequency measurement sensor (\ref{sec-fsensor}) and FFT'ed after applying a blackman window. Vertical lines
indicate \SI{50}{\hertz} and odd harmonics. We can see the expected peak at \SI{50}{\hertz} along with smaller
peaks at odd harmonics. We can also see a number of spurious tones both between harmonics and at low frequencies, as
well as some bands containing high noise energy around \SI{0.1}{\hertz}. This graph demonstrates a high
signal-to-noise ratio that is not very demanding on our frequency estimation algorithm.
}
\label{mains_voltage_spectrum}
\end{figure}
\section{Channel simulation and parameter validation}
\label{sec-ch-sim}
@ -1636,12 +1709,26 @@ estimate the impact of this problem we re-ran some of our simulations with artif
power spectral density matching that of our capture. To do this, we first measured our capture's PSD, then fitted a
low-resolution spline to the PSD curve in log-log coordinates. We then generated white noise, multiplied the resampled
spline with the DFT of the synthetic noise and performed an iDFT on the result. The resulting time-domain signal is our
synthetic grid frequency data. Fig.\ \ref{freq_meas_spectrum} shows the PSD of our measured grid frequency signal. The
red line indicates the low-resolution log-log spline interpolation used for shaping our artificial noise. Fig.\
synthetic grid frequency data. Figure \ref{freq_meas_spectrum} shows the PSD of our measured grid frequency signal. The
red line indicates the low-resolution log-log spline interpolation used for shaping our artificial noise. Figure
\ref{simulated_noise_spectrum} shows the PSD of our simulated signal overlayed with the same spline as a red line and
shows time-domain traces of both simulated (blue) and reference signals (orange) at various time scales. Visually both
signals look very similar, suggesting we have found a good synthetic approximation of our measurements.
\begin{figure}
\centering
\includegraphics[width=\textwidth]{../lab-windows/fig_out/freq_meas_spectrum}
\caption{Power spectral density of the 24 hour grid frequency trace in Figure \ref{freq_meas_trace} with some notable
peaks annotated with the corresponding period in seconds. The $\frac{1}{f}$ line indicates a pink noise spectrum.
Around a period of \SI{20}{\second} the PSD starts to fall off at about $\frac{1}{f^3}$ until we can make out some
bumps at periods around $2$ and \SI{3}{\second}. Starting at at around \SI{1}{Hz} we can see a white noise floor in
the order of \si{\micro\hertz^2\per\hertz}.
% TODO: where does this noise floor come from? Is it a fundamental property of the grid? Is it due to limitations of
% our measurement setup (such as ocxo stability/phase noise) ???
}
\label{freq_meas_spectrum}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=\textwidth]{../lab-windows/fig_out/simulated_noise_spectrum}
@ -1654,13 +1741,14 @@ signals look very similar, suggesting we have found a good synthetic approximati
In our simulations, we manipulated four main variables of our modulation scheme and demodulation algorithm and observed
their impact on symbol error rate (SER):
\begin{description}
\item[Modulation amplitude.] Higher amplitude should correspond to a lower SER.
\item[Modulation bit count.] Higher bit count $n$ means longer transmissions but yields higher theoretical decoding
gain, and should increase demodulator sensitivity. Ultimately, we want to find a sweet spot of manageable
transmission length at good demodulator sensitivity.
\item[Decimation] or DSSS chip duration. The chip time determines where in the grid frequency spectrum (fig.\
\ref{freq_meas_spectrum} our modulated signal is located. Given our noise spectrum (fig.\
\item[Decimation.] or DSSS chip duration. The chip time determines where in the grid frequency spectrum (Figure
\ref{freq_meas_spectrum} our modulated signal is located. Given our noise spectrum (Figure
\ref{freq_meas_spectrum}) lower chip durations (shifting our signal upwards in the spectrum) should yield lower
in-band background noise which should correspond to lower symbol error rates.
\item[Demodulation correlator peak threshold factor.] The first step of our prototype demodulation algorithm is to
@ -1671,16 +1759,32 @@ their impact on symbol error rate (SER):
following maximum likelihood estimation (MLE) decoding. % FIXME do we actually do MLS?
\end{description}
As indicated by our results, symbol error rate is a good proxy of demodulation performance. With decreasing
signal-to-noise ratio, margins in various parts of the demodulator decrease which statistically leads to an increased
symbol error rate. Our simulations yield smooth, reproducible SER curves with adequately low error bounds. This
indicates SER is related fairly monotonically to the signal-to-noise margins inside our demodulator prototype.
Our results indicate that symbol error rate is a good proxy of demodulation performance. With decreasing signal-to-noise
ratio, margins in various parts of the demodulator decrease which statistically leads to an increased symbol error rate.
Our simulations yield smooth, reproducible SER curves with adequately low error bounds. This shows SER is related
monotonically to the signal-to-noise margins inside our demodulator prototype.
\subsection{Sensitivity as a function of sequency length}
A basic parameter of our DSSS modulation is the length of the Gold codes used. The length of a Gold code is exponential
in the code's bit count. Figure \ref{dsss_gold_nbits_overview} shows a plot of the symbol error rate of our demodulator
prototype depending on amplitude for each of five, six, seven and eigth-bit Gold sequences. In regions where symbol
error rate is between $0$ and $1$ we can see the expected dependency that a $n+1$ bit Gold sequence at roughly twice
the length yields roughly one half the SER. We can also observe a saturation effect: At low amplitudes, increasing the
correlation length does not seem to yield much of a benefit in SER anymore. In particular there seems to be a level of
about \SI{2.5}{\milli\hertz} signal amplitude where even with asymptotically infinite sequence length our demodulator
would still not be able to produce a good demodulation. This is likely due to numerical errors in our demodulator. Since
Gold codes of more than 7 bit would yield unacceptably long transmission times this does not pose a problem in practice.
Figure \ref{dsss_gold_nbits_sensitivity} for each bit count shows the minimum signal amplitude where our demodulator
crossed below $\text{SER}=0.5$. If we have sufficient transmitter power to allocate selecting either a 5 bit or a 6 bit
gold code looks to yield good enough performance at manageable data rates.
\begin{figure}
\centering
\includegraphics{../lab-windows/fig_out/dsss_gold_nbits_overview}
\caption{
Symbol Error Rate (SER) as a function of transmission amplitude. The line indicates the mean of several
Symbol Error Rate (SER) as a function of transmission amplitude. The line represents the mean of several
measurements for each parameter set. The shaded areas indicate one standard deviation from the mean. Background
noise for each trial is a random segment of measured grid frequency. Background noise amplitude is the same for
all trials. Shown are four traces for four different DSSS sequence lengths. Using a 5-bit gold code, one DSSS
@ -1706,42 +1810,72 @@ indicates SER is related fairly monotonically to the signal-to-noise margins ins
\label{dsss_gold_nbits_sensitivity}
\end{figure}
\subsection{Sensitivity versus peak detection threshold factor}
One of the high-level parameters of our demodulation algorithm is the \emph{threshold factor}. This parameter is
an implementation detail specific to our algorithm and not general to all possible DSSS demodulation algorithms. After
correlating the input signal against the template Gold sequences our algorithm runs a single-channel discrete wavelet
transform (DWT) on the correlator output to better discriminate peaks from background noise. The output of this DWT is
then normalized against a running average and then fed into a simple threshold detector. The threshold of this detector
is our threshold factor. This threshold is the ratio that a correlation peak after DWT has to stand out from long-term
average background noise to be considered a peak.
The threshold factor is an empirically-determined parameter Low threshold factors yield many false positives that in the
extreme ultimately overload our MLE estimator's capacity to discard them. Moderate numbers of false positive do not pose
much of a challenge to our MLE since these spurious peaks have a random time distribution and are easily discarded by
our MLE's symbol chain detection. High threshold factors lead the algorithm to completely ignore some valid peaks. To
some degree this can be compensated by our later interpolation step for missing peaks but in the extreme will also break
demodulation. In our simulations good values lie in the range from $4.0$ to $5.5$.
% FIXME algo flow chart
Figure \ref{dsss_thf_amplitude_5678} contains plots of demodulator sensitivity like the one in Figure
\ref{dsss_gold_nbits_overview}. This time there is one color-coded trace for each threshold factor between $1.5$ and
$10.0$ in steps of $0.5$. We can see a clear dependency of demodulation performance from trheshold factor with both very
low and very high values breaking the demodulator. The ``runaway'' traces that we can see at low threshold factors are
artifacts of an implementation issue with our prototype code. We later fixed this issue in the demonstrator firmware
implementation in Section \ref{sec-demo-fw-impl}. For comparison purposes this issue do not matter.
\begin{figure}
\centering
\includegraphics{../lab-windows/fig_out/dsss_thf_amplitude_5678}
\caption{
SER vs.\ amplitude graph similar to fig.\ \ref{dsss_gold_nbits_overview} with dependence on threshold factor
color-coded. Each graph shows traces for a single DSSS symbol length.
SER vs.\ amplitude graph similar to Figure \ref{dsss_gold_nbits_overview} with one color-coded traces for
threshold factors between $1.5$ and $10.0$. Each graph shows traces for a single DSSS symbol length.
}
\label{dsss_thf_amplitude_5678}
\end{figure}
If we again look at the intercept points where the amplitude traces cross $\text{SER}=0.5$ in these graphs we get the
plots in Figure \ref{dsss_thf_sensitivity_all_bits}. From this we can conclude that the range between $4.0$ and $5.0$ will
yield adequate threshold factors for our use case.
\begin{figure}
\ContinuedFloat
\begin{subfigure}{\textwidth}
\centering
\includegraphics{../lab-windows/fig_out/dsss_thf_sensitivity_5678}
\label{dsss_thf_sensitivity_5678}
\caption{
\footnotesize Graphs of amplitude at $SER=0.5$ for each symbol length as well as asymptotic SER for large
amplitudes. Areas shaded red indicate that $SER=0.5$ was not reached for any amplitude in the simulated
range. We can observe that smaller symbol lengths favor lower threshold factors, and that optimal threshold
factors for all symbol lengths are between $4.0$ and $5.0$.
}
\end{subfigure}
\centering
\includegraphics{../lab-windows/fig_out/dsss_thf_sensitivity_5678}
\caption{
Dependence of demodulator sensitivity on the threshold factor used for correlation peak detection in our
DSSS demodulator. This is an empirically-determined parameter specific to our demodulation algorithm. At low
threshold factors our classifier yields lots of spurious peaks that have to be thrown out by our maximum
likelihood estimator. These spurious peaks have a random time distribution and thus do not pose much of a
challenge to our MLE but at very low threshold factors the number of spurious peaks slows down decoding and
does still clog our MLE's internal size-limited candidate lists which leads to failed decodings. At very
high threshold factors decoding performance suffers greatly since many valid correlation peaks get
incorrectly ignored. The glitches at medium threshold factors in the 7- and 8-bit graphs are artifacts of
our prototype decoding algorithm that we have not fixed in the prototype implementation since we wanted to
focus on the final C version.}
\label{dsss_thf_sensitivity}
Graphs of amplitude at $SER=0.5$ for each symbol length as well as asymptotic SER for large amplitudes. Areas
shaded red indicate that $SER=0.5$ was not reached for any amplitude in the simulated range. The bumps in the 7
bit and 8 bit graphs are due to the convergence problem we identified above and do not exist in our demonstrator
implementation. We see that smaller symbol lengths favor lower threshold factors, and that optimal threshold
factors for all symbol lengths are between $4.0$ and $5.0$.
}
\label{dsss_thf_sensitivity_all_bits}
\end{figure}
\subsection{Chip duration and bandwidth}
A parameter of any DSSS system is the frequency band used for transmission. Instead of specifying absolute frequencies
in our simulations we expressed DSSS bandwidth through chip duration and Gold sequence length. In our prototype, chip
duration is specified in grid frequency sampling periods to ease implementation without loss of generalization.
Figure \ref{chip_duration_sensitivity} shows the dependence of symbol error rate at a fixed good threshold factor from
chip duration. The color bars indicate both chip duration translated to seconds real-time and the resulting symbol
duration at the given Gold code length. In the lower graphs we show the trace of ampltude at $\text{SER}=0.5$ over chip
duration like we did in Figure \ref{dsss_thf_sensitivity_all_bits} for threshold facotr. In both graphs we can just about
see an optimum for very short chips with a decrease of sensitivity for long chips. This effect is due to longer chips
moving the signal band into noisier spectral regions (cf.\ Figure \ref{freq_meas_spectrum}).
\begin{figure}
\begin{subfigure}{\textwidth}
\centering
@ -1765,18 +1899,25 @@ indicates SER is related fairly monotonically to the signal-to-noise margins ins
\caption{
Dependence of demodulator sensitivity on DSSS chip duration. Due to computational constraints this simulation is
limited to 5 bit and 6 bit DSSS sequences. There is a clearly visible sensitivity maximum at fairly short chip
lengths around $0.2 \text{s}$. Short chip durations shift the entire transmission band up in frequency. In fig.\
\ref{freq_meas_spectrum} we can see that noise energy is mostly concentrated at lower frequencies, so shifting
our signal up in frequency will reduce the amount of noise the decoder sees behind the correlator by shifting
the band of interest into a lower-noise spectral region. For a practical implementation chip duration is limited
by physical factors such as the maximum modulation slew rate ($\frac{\text{d}P}{\text{d}t}$), the maximum
Rate-Of-Change-Of-Frequency (ROCOF, $\frac{\text{d}f}{\text{d}t}$) the grid can tolerate and possible inertial
effects limiting response of frequency to load changes at certain load levels.
lengths around $0.2 \text{s}$. Short chip durations shift the entire transmission band up in frequency. In
Figure \ref{freq_meas_spectrum} we can see that noise energy is mostly concentrated at lower frequencies, so
shifting our signal up in frequency will reduce the amount of noise the decoder sees behind the correlator by
shifting the band of interest into a lower-noise spectral region. For a practical implementation chip duration
is limited by physical factors such as the maximum modulation slew rate ($\frac{\text{d}P}{\text{d}t}$), the
maximum Rate-Of-Change-Of-Frequency (ROCOF, $\frac{\text{d}f}{\text{d}t}$) the grid can tolerate and possible
inertial effects limiting response of frequency to load changes at certain load levels.
% FIXME are these inertial effects likely? Ask an expert.
}
\label{chip_duration_sensitivity}
\end{figure}
In the previous graphs we have used random clips of measured grid frequency noise as noise in our simulations. Comparing
between a simulation using measured noise and synthetic noise generated as we outlined in the beginning of Section
\label{sec-ch-sim} we get the plots in Figure \ref{chip_duration_sensitivity_cmp}. We can see that while not perfect our
simulated noise is an adequate approximation of reality: Our prototype demodulator shows no significant difference in
behavior between measured and simulated noise. Simulated noise causes slightly worse performance for long chips. Overall
the results for both are very close in absolute value.
\begin{figure}
\begin{subfigure}{\textwidth}
\centering
@ -1798,10 +1939,10 @@ indicates SER is related fairly monotonically to the signal-to-noise margins ins
}
\end{subfigure}
\caption{
Chip duration/sensitivity simulation results like in fig.\ \ref{chip_duration_sensitivity} compared between a
Chip duration/sensitivity simulation results like in Figure \ref{chip_duration_sensitivity} compared between a
simulation using measured frequency data like previous graphs and one using artificially generated noise. There
is almost no visible difference indicating that we have found a good model of reality in our noise synthesizer,
but also that real grid frequency behaves like a frequency-shaped gaussian noise process.
is little visible difference indicating that we have found a good model of reality in our noise synthesizer, but
also that real grid frequency behaves like a frequency-shaped gaussian noise process.
}
\label{chip_duration_sensitivity_cmp}
\end{figure}
@ -1816,7 +1957,8 @@ implementation cost low the reset controller is fed a simulation of a modulated
By generously cutting two PCB traces the meter we chose to use can be easily modified to provide strong galvanic
separation between grid and main application microcontroller. With this modification we have to supply power to its
main application MCU externally along with the JTAG interface.
}.
}. Measurement of actual grid frequency instead would simply require a voltage divider and depending on the setup an
analog optoisolator.
\subsection{Selecting a smart meter for demonstration purposes}
\label{sec-easymeter}
@ -1839,8 +1981,8 @@ marketplaces.
The meter consists of a plastic enclosure with a transparent polycarbonate top part and a grey ABS bottom part that are
ultrasonically welded shut. In the bottom part of the case a PCB we call the \emph{measurement} board is potted in
epoxide resin (see fig.\ \ref{easymeter_composites}). This PCB contains three separate energy measurement ASICs for the
three phases (see fig.\ \ref{easymeter_detail_xrays}). It also contains a capacitive dropper power supply for the meter
epoxide resin (see Figure \ref{easymeter_composites}). This PCB contains three separate energy measurement ASICs for the
three phases (see Figure \ref{easymeter_detail_xrays}). It also contains a capacitive dropper power supply for the meter
circuitry and external modules such as a SMGW. The measurement board through three infrared links (one per phase)
communicates with a smaller unpotted PCB we call the \emph{display} board in the top of the case. This PCB handles
measurement logging and aggregation, controls a small segment LCD displaying totals and handles the externally
@ -1929,14 +2071,14 @@ advertised to support both over-the-air firmware upgrades and a remotely accessi
\end{figure}
\subsection{Firmware implementation}
\label{sec-demo-fw-impl}
We based our safety reset demonstrator firmware on the grid frequency sensor firmware we developed in sec.\
\ref{sec-fsensor}. We implemented DSSS demodulation by translating the python prototype code we developed in sec.\
\ref{sec-ch-sim} to embedded C code. After validating the C translation in extensive simulations we integrated our code
with a reed-solomon implementation and a libsodium-based implementation of the cryptographic protocol we designed in
sec.\ \ref{sec-crypto}. % FIXME WIP
To reprogram the target MSP430 microcontroller we ported over the low-level bitbang JTAG driver of
mspdebug\footnote{\url{https://github.com/dlbeer/mspdebug}}.
sec.\ \ref{sec-crypto}. To reprogram the target MSP430 microcontroller we ported over the low-level bitbang JTAG driver
of mspdebug\footnote{\url{https://github.com/dlbeer/mspdebug}}.
For all computation-heavy high-level modules of our firmware such as the DSSS demodulator or the grid frequency
estimator we wrote test fixtures that allow the same code that runs on the microcontroller to be executed on the host
@ -1944,6 +2086,7 @@ for testing. These test fixtures are very simple C programs that load input data
the algorithm and print results on standard output.
\section{Grid frequency modulation emulation}
To emulate a modulated grid frequency signal we superimposed a DSSS-modulated signal at the proper amplitude with
synthetic grid frequency noise generated according to the measurements we took in sec. \ref{sec-fsensor}. In this
primitive simulation we do not simulate the precise impulse response of the grid to a DSSS-modulated stimulus signal.
@ -1979,7 +2122,7 @@ In the firmware development phase our approach of testing every module individua
decoder, grid frequency estimation) proved to be very useful. In particular debugging benefited greatly from being able
to run a couple thousand tests within seconds. In case of our DSSS demodulator this modular testing and simulation
architecture allowed us to simulate many thousand runs of our implementation on test data and directly compare it to our
Jupyter/Python prototype (see fig.\ \ref{fw_proto_comparison}). Since we spent more time polishing our embedded C
Jupyter/Python prototype (see Figure \ref{fw_proto_comparison}). Since we spent more time polishing our embedded C
implementation it turned out to perform much better than our initial python prototype. At the same time it shows
fundamentally similar response to its parameters. One significant bug we fixed in the embedded C version is the python
version's tendency towards incorrect decodings at even very large amplitudes.
@ -2000,7 +2143,7 @@ version's tendency towards incorrect decodings at even very large amplitudes.
\caption{
Symbol error rate plots versus threshold factor for both our python prototype (above) and our firmware
implementation of our demodulation algorithm. Note the slightly different threshold factor color scales. Cf.\
fig.\ \ref{dsss_thf_amplitude_5678}.
Figure \ref{dsss_thf_amplitude_5678}.
}
\label{fw_proto_comparison}
\end{figure}
@ -2017,13 +2160,49 @@ this total. Overall the most heavy-weight operations by far are the SHA512 imple
from ARM's CMSIS signal processing library.
\chapter{Future work}
\section{Precise grid characterization}
We based our simulations on a linear relationship between generation/consumption power imbalance and grid frequency.
Our literature study suggests that this is an appropriate first-order approximation. %FIXME citation
We kept modulation bandwidth in our simulations inside a \SIrange{1000}{100}{\milli\hertz} frequency band that we reason
is most likely to exibit this linear behavior in practice. At lower frequencies primary control kicks in. With the
frequency delta thresholds specified for primary control systems\cite{entsoe04} this will likely lead to significant
non-linear effects. At higher frequencies grid frequency estimation at the receiver becomes more complex. Higher
frequencies also come close to modes of mechanical oscillation in generators (usually at \SI{5}{\hertz} and
above\cite{crastan03}).
Some limited analysis of the above concerns can be done through established dynamic grid simulation
models\cite{semerow01,entsoe05}. Presumably out of safety concerns these models are only available under non-disclosure
agreements. Integrating even just NDA-encumbered results stemming from such a model in an open-source publication such as
this one poses a logistical challenge which is why we decided to leave this topic for a separate future work.
After detailed model simulation we ultimately aim to validate our results experimentally. Assuming linear grid behavior
even under very small disturbances a small-scale experiment is an option. Such a small-scale experiment would require
very long integration times.
Given a frequency characteristic of \SI{30}{\giga\watt\per\hertz} a stimulus of \SI{10}{\kilo\watt} yields $\Delta f =
\SI{0.33}{\micro\hertz}$. At an estimated \SI{20}{\milli\hertz} of RMS noise over a bandwidth of interest this results
in an SNR slightly better than \SI{-50}{\decibel}. The correlation time necessary to offset this with DSSS processing
gain at a chip rate of \SI{1}{\baud} would be in the order of days. With such long correlation times clock stability
starts to become a problem as during correlation transmitter and receiver must maintain close phase alignment w.r.t.\
one chip period. A $\leq \SI{10}{\degree}$ phase difference requirement over this period of time would translate into
clock stability better than \SI{10}{ppm}. Though certainly not impossible to achieve this does pose an engineering
challenge.
A possible way to maintain clock alignment is to use grid frequency itself as a reference. Instead of keying the DSSS
modulator/demodulator on a local crystal oscillator, chip timings would be described in fractions of a mains voltage
cycle. This would track grid frequency variations synchronously at both ends and would maintain phase alignment even
over long periods of time at cost of a slight increase in system complexity.
\section{Technical standardization}
The description of a safety reset system provided in this work could be translated into a formalized technical standard
with relatively low effort. Our system is very simple compared to e.g. a full smart meter communication standard and
thus can conceivably be described in a single, concise document. The much more complicated side of standardization would
be the standardization of the backend operation including key management, coordination and command authorization.
\section{Regulatory adoption}
Since the proposed system adds significant cost and development overhead at no immediate benefit to either consumer or
utility company it is unlikely that it would be adopted voluntarily. Market forces limit what long-term planning utility
companies can do. An advanced mitigation such as this one might be out of their reach on their own and might require
@ -2098,16 +2277,12 @@ correctly configure than it is to simply use separate hardware and secure the in
%FIXME
\newpage
\appendix
\chapter{Acknowledgements}
%FIXME
\newpage
\chapter{References}
\nocite{*} % FIXME
\printbibliography
\newpage
\appendix
\chapter{Transcripts of Jupyter notebooks used in this thesis}
%\includenotebook{Grid frequency estimation}{grid_freq_estimation}