Reliability Analysis of External Optimized Control System for Thermal Power Unit

With the construction of intelligent power plants and the development of clean energy, the application of external optimized control system of thermal power plant will be more and more common, and its reliability will be more and more important. The mainstream external optimized control systems were investigated, and the reliability of three typical systems were analyzed which including an import system, a redevelop system and a domestic system. Based on the analysis, some technical measures were put forward to improve the reliability of external optimized control system for thermal power unit, which including hardware configuration, communication mode, the way in which signals work, software design, check and test. It has meaningful reference for the selection and optimization of external optimized control system.


Introduction
External optimized control system for thermal power unit which is independent of generator unit DCS generally adopts some advanced control algorithm such as adaptive control, predictive control, fuzzy control, etc., exchange date with DCS via communication or hard wiring, and can realize special control functions or optimization control functions that are difficult for conventional DCS. In recent years, the applications of external optimized control system have become more and more common with the gradual clearness of the concepts of digital power plants and intelligent power plants [1][2][3][4]. However, before large-scale application, its own reliability and impact on the unit should be taken into consideration. Therefore, this paper investigated the current major thermal power unit external optimization control system, analyzed of the reliability of some typical systems, and proposed the technical measures to improve the reliability of externally optimized control systems.

Reliability
Analysis. The PROFI system adopts some technical measures to improve the reliability, mainly including: (1) "Incremental" control instructions. Namely, the control instruction output by the PROFI system superimposed with DCS original control instruction rather than replacing it, then acted on the control object. Meanwhile, the control instruction output by the PROFI system has also been limited. In this way, even if abnormal conditions such as communication interruptions occur, the unit safety will not be jeopardized.
(2) Putting into/out of operation without disturbance. The PROFI control mode is only allowed to be put into operation when a series of conditions such as normal communication are satisfied, and the change rate of its output instructions is limited. When exiting PROFI control mode, either normal or abnormal, the increment of control command output from PROFI system will slowly change to 0, thus, realize no distractions.
(3) Communication "Heartbeat" monitoring. The PROFI system continuously sends regularly switched digital signals to DCS. DCS will automatically exit the PROFI control mode once detecting that the signal is abnormal, and change to DCS original instruction control without disturbance.
However, in order to reduce hardware costs, the PROFI system is generally equipped with a single communication operation card and a single control operation card rather than redundancy configuration. As a result, its reliability has declined. (1) Communication "Heartbeat" monitoring. INFIT system continuously sends heartbeat signals to DCS. The relevant switching logic has been made on DCS side. Once the correct "heartbeat" signal is not detected in time, it will immediately switch back to the conventional control system [5].

INFIT
(2) Input signal detection. INFIT system performs real-time detection of important signals acquired from DCS including whether the value exceeds the normal range, the change rate is too large, etc. Once it is determined that any of the input signals is abnormal, all the output optimized control commands will keep their original values, and the control system will automatically switch back to the conventional control system.
(3) Output signal detection. Each optimization control instruction output from INFIT system will accept limit detection and rate detection on the DCS side, and its upper and lower value will be limited according to the unit power and other related signals to ensure that the control instructions acting on site will not change greatly when communication failed.
After analysis, the main security risks in the INFIT system are: (1) After INFIT control mode put into operation, the original instruction signals generated by DCS will be replaced by the optimized signals, which is sent to DCS through communication, such as Fuel instruction, feedwater flow instruction, turbine control instruction, etc. This "replacement" has greater security risks than "incremental" of PROFI system. In extreme cases, it may cause a large disturbance in the control system and even cause the unit to trip.
(2) In order to save costs, in its typical configuration, there are no redundant configurations for major hardware devices such as CPU modules and modbus communication modules.
(3) When exiting the INFIT control mode, the fuel master control will switch to manual mode, but the water master control will not. Thus, there is a risk of significant fluctuations in feedwater flow instructions under special conditions.
(4) Due to the large numbers of speed limit and range limit of input and output signals, there is a certain risk when the system is put into operation for the first time or online. If the configuration is modified, the default value of most speed limit, range limit, and function blocks is 0. If it is not set correctly before being put into operation, it may cause a large disturbance or even cause the unit to trip.

TOP System
2.3.1. System composition. TOP (Thermal Optimized-control Platform) is an optimization control system for thermal power plant integrated and developed by State Grid Zhejiang Electric Power Corporation Research Institute, has been put into operation on more than a dozen units in china currently. The main function modules include coordinated optimization control, steam temperature optimization control, mill group start without breakpoint, condenser water flow control, denitrification optimization control, combustion optimization control, etc.
TOP system adopts data hierarchical management and real-time interactive architecture that upperlevel online modeling, lower-level real-time control, low-level multiple Interface [6]. The main hardware includes dual redundant controllers, switches, communication modules, power supply modules, servers, input and output modules, etc. The software mainly includes control operation software and integrated communication software, in which, the standard function blocks can be used for control logic configuration in control operation software, and the advanced algorithms written in C language or MATLAB can also be introduced into the system for control operation. The main functions of integrated communication software are backup and switch between dual redundant There are three ways of data interaction between TOP and DCS system: hard wiring, serial-based modbus communication and OPC communication. The hard wiring method is mainly used for important protection signals and signals that have high requirements on the response rate such as TOP system input/exit, fault protection, control deviation of important signal, etc. Modbus mode is the main mode of communication, which has taken on most of the data transfer tasks required for optimal control of the TOP system. And its refresh rate within 1 second. OPC mode is mainly used for functional modules with relatively low real-time requirements and large data exchange capacity such as energy consumption diagnosis, data searching, etc.

Reliability
Analysis. The reliability of TOP system is relatively comprehensive, and its main measures ensure reliability include: (1) Before leaving the factory, multiple functional and performance tests on the hardware of TOP system have been performed [7], which include over 30 days load tests.
(2) The controllers, communication modules, power modules and other major hardware of TOP system are redundantly configured and can be switched without disturbance.
(3) The communication of important interaction signals with the DCS is hard-wiring and the I/O channels use independent three-channel configurations.
(4) Digital signals between TOP system and DCS adopt pulse instructions. Analog signals adopt "incremental" instructions, and adopt rate monitoring on the DCS side. It will be considered that the instruction is invalid as soon as rate change is exceeded.
(5) When the watchdog logic detects a communication anomaly, it will automatically exit the TOP system. The optimized instructions added on the original DCS control instruction will be eliminated at a slow rate, and the switching process is undisturbed.
Similar to the INFIT system, the TOP system has a certain safety risk when it is put into operation for the first time due to the large numbers of speed limit and range limit of input and output signals.

Comparative analysis
In thermal power unit external optimization control system, PROFI system is a typical representative of imported systems, INFIT system is a typical representative of the assembly and secondary development based on imported hardware, TOP system is a typical representative of domestic systems. Three systems are currently wildly used. They are compared and analyzed as shown in Table 1.

Technical measures to improve reliability
Based on research and analysis, the following technical measures are proposed to improve the reliability of the external optimized control system: (1) The external optimized control system should be installed in the DCS equipment room for being uniformly powered by DCS power cabinet and running in the same working environment as DCS cabinets. The controller, power module, network communication module, switch, etc. should adopt dual redundant configuration [8].
(2) Important control signals, such as optimizing control system input/exit instruction, system failure, feedwater flow command, fuel command, steam turbine total valve position command, etc. should adopt independently-configured three-redundant hard wiring to achieve data exchange with DCS.
(3) Analog control instructions output from optimize control system should be "incremental" and be put into the conventional control system rather than replacing the original control signal of DCS to reduce disturbances to the unit caused by communication anomalies.
(4) Optimized control system should detect incoming analog input signals' change rate and upper/lower limits. Once the limit is exceeded, the communication failure is determined and the optimization system is exited. The change rate and upper/lower limits of output analog control instructions should also be detected on DCS side. The upper and lower limits should be adaptively changed according to the current unit power, DCS original control instructions and other signals. Therefore, disturbances to the unit can be reduced in the event of a communication failure.
(5) The output digital signals from optimized control system should adopt pulse instructions, which should only be effective after "optimize control system input", then merge into the conventional control system. When long instructions must be used, DCS side will be maintained.
(6) During the process of optimized control system input and exit, related analog signals should be set to track or rate limit to ensure that the system input or exit will not generate disturbance on the unit. (7) In the phases of factory acceptance, on-site recovery and routine maintenance, all relevant inspections and tests for external optimization control system shall be performed with reference to relevant regulations [9][10][11]. In the phases of factory acceptance, the testing items should include but not limited to system configuration check, appearance and structure inspection, software installation inspection, anti-jamming test, redundant power switching test, redundant controller switching test, system load test, input/output card accuracy test, system stability inspection, etc. In the phases of recovery, the testing items should include but not limited to grounding inspection, insulation resistance test, communication function test, communication speed test, communication abnormality test, logic loop verification test, etc. In the phases of routine maintenance, the testing items should include but not limited to grounding inspection, insulation resistance test, anti-interference test, redundant power supply switching test, redundant controller switching test, system load rate test, input/output card accuracy test, etc.

Conclusion
The construction of intelligent power plants and the development of clean energy put forward higher requirements for optimal control of thermal power units. The application of external optimized control system of thermal power plant must be more and more common. This article selects an imported system, an imported secondary development system and a domestic system as typical objects of thermal power unit external optimization control system to analyze the reliability in depth. Based on the analysis result, from several aspects such as hardware system configuration, communication interaction mode, signal action mode, software design, inspection test, etc., put forward technical measures to improve the reliability of external optimized control system, which is a good reference for the selection and optimization of this type of system.