
There is a paradigm shift with regard to the operation of conventional power plants following the deregulation of the energy sector, the introduction of competitive markets, and the transition towards decentralized generation with a considerable share of renewable resources [20, 79, 125]. In particular, the load-following capabilities of conventional power-producing units have become increasingly important in recent years as progressively more intermittent and variable generators, such as wind turbines and solar photovoltaics, are added to the grid. This radical change forces the power plants to adapt their power outputs more regularly to ensure a reliable operation of the transmission network. Typically, each transmission system operator (TSO) preserves the frequency in its control area using a centralized control scheme compensating the deviation of the power grid frequency. This deviation from the specified set-points results from the mismatch between supply and demand of active power. The control action includes generation units (or loads) that respond to automatic generation control (AGC) signals in the case of secondary frequency control, or to manual operator dispatch commands in the event of tertiary control [117]. In Germany, the generation units subjected to this control scheme are obligated to provide active power in both directions (increased/reduced generation) without interruption, with typical limits ranging between 5 MW and 60 MW within a short time-scale of 5–15 minutes [65]. These stringent requirements have rapidly escalated into new challenges that have to be met by the existing process controllers; in other words, the controllers have to be designed in such a manner that they can fulfil the frequent load changes requested by the TSOs, while simultaneously bearing in mind the safety and life span of the power plant's critical elements, such as the steam turbine and the boiler.

Steam-drum units of the boiler system are known to naturally degrade the load-following capabilities of thermal power plants and to limit their flexibility to meet the stringent requirements imposed by the corresponding TSO, namely during high-load changes (≤40 MW) when subjected to the time constraints of secondary frequency control (5 min). A reason for this is that the regulation of the water level inside the drum is a tedious control task due to the process nonlinearities and the strong coupling between its input and output channels, in addition to the non-minimum-phase behaviour of the process associated with the shrink and swell phenomena [73].

In this chapter, we consider the realistic configuration of the low-pressure drum unit located within the 450 MW München Süd GuD 2 power plant owned by Munich City Utilities¹. As reported by the plant operators, the boiler unit previously tripped on multiple occasions as the water level inside the drum exceeded the safety limits (±300 mm), see Fig. 6.1. Simply put, when the water level exceeds the upper limit, water is carried over to the superheater, leading to an outage of the boiler. Surpassing the lower limit causes overheating of the water-wall tubes, resulting in serious tube rupture and severe damage. Clearly, the outage of the boiler has serious technical and economic consequences: the power plant is subjected to drastic economic losses, and furthermore the TSO loses one of its generating units, thus jeopardizing transient and frequency stability in its balancing area. In fact, this problem is recurring in thermal power plants, where emergency shutdowns of conventional power-producing units are commonly triggered by poor regulation of the water level, see e.g. [80, 105, 106, 140].

To address this problem, we previously presented the design and successful implementation of a centralized multivariable feedback controller whose control action is based on the inner dynamics of the process, which are captured via a Luenberger observer, see [41, 45, 46]. In November 2014, the proposed controller replaced the industry-standard PID-controller within the distributed control system (DCS) Mauell ME-4012¹, which is employed in the power plant München Süd GuD 2; however, due to the fact that the control action is based on a mathematical model of the real process (observer-based controller), plant operators voiced skepticism about the safety of the new control scheme following the commissioning phase within their DCS. Hence, we additionally present an algorithmic procedure based on reachability analysis in order to verify the control action in real-time control. This work belongs to the growing body of literature that considers the intersection of formal methods and control theory. To the best of our knowledge, no work exists in the literature that formally analyzes the correctness of the low-level controllers prior to the commissioning stage within the high-level DCS of the power plant; that is, the formal guarantee that the synthesized controller shall meet the performance specifications under all eventualities. Instead, in other work, the control action is either examined via experimental observation or within a simulation environment that does not provide any formal guarantees, i.e. one cannot certify whether the system specifications will always remain within safe limits. Because reachability analysis establishes in advance whether or not a requested load dispatch by the TSO will trigger the water-level safety limit, the plant operator can potentially avoid an unnecessary shutdown of the facility, thus maximally exploiting the power plant's adaptability and load-following capabilities.

¹ SWM Services GmbH, https://www.swm.de/

[Figure 6.1: plot of measurement data, annotated "tripping of the boiler" and "emergency shutdown of the gas turbine" at occasions (a) and (b)]

Figure 6.1: Measurement data from the steam-drum unit illustrating tripping of the gas turbine on multiple occasions while employing the conventional PID-controller in the closed loop.

Formal verification of the steam-drum unit was initially proposed in [4] as a benchmark problem for formal analysis and controller synthesis of embedded systems. The benchmark attracted considerable attention as an interesting theoretical problem and became a classical case study for testing and comparing formal methods among computer scientists, see [63, 93, 132, 137]. The main drawback of the benchmark problem, however, is that the modelling is based on elementary assumptions and abstract decisions that do not capture the dynamics of the process associated with the shrink and swell phenomena. Thus, we extend the benchmark problem with a well-developed mathematical model, validated against measurement data obtained from a real steam-drum unit with a very rich excitation covering the entire operational range of the process.

¹ http://www.mauell.de/index.php?Produktmodul/

In contrast to any previous work on reachability analysis, we construct an abstract model of the real process taking the modelling errors into account. The modelling errors are obtained in a systematic procedure based on measurement data and are considered as additional uncertain inputs when computing the reachable set. This procedure ensures that all behaviours of the system are included within the abstraction.

Furthermore, this is the first work to consider formal analysis of a real process in the power industry.

The reachability algorithm we propose is computationally feasible and meets the practical requirements of a real power plant when subjected to the time constraints of secondary frequency control (5 min).

Our algorithm offers the plant operator an opportunity to potentially avoid an unnecessary shutdown of the facility, since reachability analysis establishes in advance whether a requested load dispatch by the TSO will trigger the safety limits of the water level when considering all eventualities.

6.2 Problem Formulation

The steam-drum system falls under the class of systems modelled as a set of nonlinear ordinary differential equations (ODEs)

$$\dot{x}(t) = f\big(x(t), u(t)\big), \qquad y(t) = C\,x(t), \tag{6.1}$$

with $f : \mathbb{R}^{n_x+n_u} \mapsto \mathbb{R}^{n_x}$, $x \in \mathbb{R}^{n_x}$, $u \in \mathbb{R}^{n_u}$ and $y \in \mathbb{R}^{n_y}$ denoting the state, input and output vectors, respectively, and $C \in \mathbb{R}^{n_y \times n_x}$ as the output matrix. It is assumed that the system is controllable and observable. Furthermore, the function $f(\cdot)$ is locally Lipschitz continuous and thus differentiable in $x(t)$ and $u(t)$. This is a fairly general assumption that holds for many practical problems.

In our previous work [46], we proposed to regulate the pressure and water-level inside the drum using a multivariable feedback controller whose control law is:

$$u = -K\,x, \tag{6.2}$$

where $K \in \mathbb{R}^{n_u \times n_x}$ is the controller feedback matrix. Notice that the controller is a special case of the linear-parameter-varying controller addressed in Ch. 5. This is due to the fact that the entries of the matrix $K$ are no longer time-varying, but instead are kept constant¹. Generally, the drum state variables are not measurable in real-time control; hence one additionally requires an observer to estimate the system states and employ the proposed control law in the closed loop. Recall that (6.1) is differentiable in $x$ and $u$; this makes it possible to design the so-called Luenberger-like nonlinear observer expressed via (see [115])

$$\dot{\tilde{x}}(t) = A\,\tilde{x}(t) + \Omega\big(\tilde{x}(t), u(t)\big) + L\,\underbrace{C\big(x(t) - \tilde{x}(t)\big)}_{=:\,e(t)}.$$

Here $\tilde{x}$ is the vector of estimated state variables, $e$ is the estimation error, $L \in \mathbb{R}^{n_x \times n_y}$ corresponds to the observer correction matrix, and $\Omega : \mathbb{R}^{n_x+n_u} \mapsto \mathbb{R}^{n_x}$ is a Lipschitz nonlinearity.

¹ A gain-scheduling controller was proposed to the plant operators; however, it was rejected in early development due to its complexity and the computational difficulties associated with its realization in practice within the DCS of the power plant.
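As an added illustration that is not part of the thesis, the following Python script puts the observer above and the control law (6.2) together for a constructed second-order plant of the form ẋ = A x + Ω(x, u), y = C x, with the controller acting on the estimate x̃ because the state itself is taken to be unmeasured. The matrices A, B, C, K, L and the nonlinearity 0.2 sin x₁ are assumptions chosen so that A − LC and A − BK are Hurwitz; a forward-Euler simulation returns the final norms of the state and of the estimation error x − x̃, so that the convergence of both with the observer in the loop can be checked numerically.

```python
import math

# Constructed second-order plant written as x' = A x + Omega(x, u), y = C x,
# which is the form the Luenberger-like observer above applies to.
# All numerical values are assumptions, not identified drum parameters.
A = [[0.0, 1.0], [-1.0, -0.5]]
B = [0.0, 1.0]          # input enters the second state (inside Omega)
C = [1.0, 0.0]          # only x1 is measured
K = [1.0, 1.0]          # feedback gain of the control law (6.2)
L = [3.0, 2.0]          # observer correction gain


def omega(x, u):
    """Lipschitz nonlinearity Omega(x, u) (Lipschitz constant 0.2 in x)."""
    return [B[0] * u, B[1] * u + 0.2 * math.sin(x[0])]


def plant_rhs(x, u):
    """Right-hand side of (6.1): A x + Omega(x, u)."""
    return [A[i][0] * x[0] + A[i][1] * x[1] + omega(x, u)[i] for i in range(2)]


def observer_rhs(x_tilde, u, y):
    """x_tilde' = A x_tilde + Omega(x_tilde, u) + L * (y - C x_tilde)."""
    e = y - (C[0] * x_tilde[0] + C[1] * x_tilde[1])   # e(t) = C (x - x_tilde)
    base = plant_rhs(x_tilde, u)
    return [base[i] + L[i] * e for i in range(2)]


def is_hurwitz_2x2(m):
    """A real 2x2 matrix is Hurwitz iff trace < 0 and determinant > 0."""
    tr = m[0][0] + m[1][1]
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    return tr < 0.0 and det > 0.0


def observer_error_matrix():
    """A - L C, the linear part of the estimation-error dynamics."""
    return [[A[i][j] - L[i] * C[j] for j in range(2)] for i in range(2)]


def closed_loop_matrix():
    """A - B K, the closed loop of (6.2) under full state information."""
    return [[A[i][j] - B[i] * K[j] for j in range(2)] for i in range(2)]


def simulate(x0, x_tilde0, t_end=20.0, dt=1e-3):
    """Forward-Euler simulation of plant + observer with u = -K x_tilde."""
    x, xt = list(x0), list(x_tilde0)
    for _ in range(int(round(t_end / dt))):
        u = -(K[0] * xt[0] + K[1] * xt[1])       # control law (6.2) on the estimate
        y = C[0] * x[0] + C[1] * x[1]            # measured output of the real plant
        dx, dxt = plant_rhs(x, u), observer_rhs(xt, u, y)
        x = [x[i] + dt * dx[i] for i in range(2)]
        xt = [xt[i] + dt * dxt[i] for i in range(2)]
    return {
        "state_norm": math.hypot(x[0], x[1]),
        "estimation_error": math.hypot(x[0] - xt[0], x[1] - xt[1]),
    }


if __name__ == "__main__":
    assert is_hurwitz_2x2(observer_error_matrix()) and is_hurwitz_2x2(closed_loop_matrix())
    print(simulate([1.0, 0.0], [0.0, 0.0]))
```

The Hurwitz checks make explicit the two design conditions the observer-based loop relies on: A − LC governs how fast the innovation e(t) vanishes, and A − BK governs the regulation once the estimate has converged; the small Lipschitz constant of Ω keeps both stable in the nonlinear simulation.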

The objective of this chapter is to verify safety of the low-pressure drum unit which employs the proposed controller (6.2) in the closed loop. This task is addressed by computing the reachable set of the drum over a user-defined time horizon $t \in [0, t_f]$, starting from a set of initial states $R(0)$ and a set of possible inputs/disturbances $U$:

$$R^{e}([0, t_f]) := \left\{ x(t) \in \mathbb{R}^{n_x} \;:\; x(t) = \int_{0}^{t} f\big(x(\tau), u(\tau)\big)\, d\tau,\; x(0) \in R(0),\; u(t) \in U,\; t \in [0, t_f] \right\}.$$

Recall from Ch. 2 that the exact reachable set $R^{e}([0, t_f])$ can only be computed in special cases [84]; thus, an over-approximation of the reachable set $R([0, t_f]) \supseteq R^{e}([0, t_f])$ is computed as tightly as possible, see Fig. 2.7. Clearly, if the over-approximative reachable set does not intersect with an unsafe set, then the original system is also safe. Naturally, in this case study the unsafe set corresponds to the limits of the water level inside the drum (±300 mm).

With regard to the overall procedure, we propose a generic approach using an abstract model described by a polynomial differential inclusion. The concept of model abstraction is frequently applied in the field of computer science within the context of model checking and software verification. An abstraction basically reduces the complexity associated with a mathematical model, such that the resulting approximated model preserves certain user-defined properties of the original system [35]. The considered polynomial abstraction takes the modelling errors into account, thus ensuring that all behaviours of the system are confined within the following inclusion

$$\dot{\hat{x}}(t) \in P\big(\hat{x}(t), u(t)\big) \oplus (L \cdot E). \tag{6.3}$$

Here $P : \mathbb{R}^{n_x+n_u} \mapsto \mathbb{R}^{n_x}$ is a polynomial vector field, $E \subset \mathbb{R}^{n_y}$ is the set of modelling errors, and $\hat{x} \in \mathbb{R}^{n_x}$ is the vector of the abstract model's state variables. The abstraction involves set-based addition (Minkowski sum) and linear transformation, as defined previously in (2.29), see Sec. 2.3.6.

Our approach, illustrated in Fig. 6.2, consists of four main steps: (1) modelling from first principles, (2) polynomial approximation, (3) abstraction, and (4) computation of the over-approximative reachable set. In the following we describe the modelling of the drum unit in Sec. 6.3, followed by the proposed polynomial abstraction and the basic procedure to compute the reachable set in Sec. 6.4. Note that the proposed approach can be applied to different systems in many areas, including robotics and autonomous cars, as long as the system is modelled as in (6.1).
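As an added worked example (not the thesis's own implementation or plant data), the following Python code carries steps (3) and (4) through for a constructed scalar abstract model in the form of (6.3): a polynomial vector field P in the level deviation x (mm) and the requested dispatch u, with the modelling-error set L·E treated as an additional uncertain input W, exactly as the chapter proposes. Interval arithmetic together with an a priori enclosure and a variation-of-constants step yields a guaranteed over-approximation R([0, t_f]) over the 5 min horizon of secondary control, which is then tested against the ±300 mm unsafe set for two dispatch requests; one stays safe, the other provably reaches the limit. All coefficients, the error bound and the dispatch values are assumptions.

```python
import math

# Constructed scalar abstract model in the form of (6.3):
#   x' in P(x, u) (+) W,   P(x, u) = -A_LIN*x + h(x, u),   W = L*E (here L = 1)
# x: water-level deviation from set-point [mm], u: requested dispatch [MW].
# All coefficients are assumptions, not identified drum parameters.
A_LIN = 0.02          # linear level dynamics (1/s), i.e. a 50 s time constant


class Interval:
    """Minimal closed-interval arithmetic; every operation is an outer enclosure."""
    def __init__(self, lo, hi):
        self.lo, self.hi = float(lo), float(hi)

    def __add__(self, o):
        o = _iv(o)
        return Interval(self.lo + o.lo, self.hi + o.hi)
    __radd__ = __add__

    def __mul__(self, o):
        o = _iv(o)
        p = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval(min(p), max(p))
    __rmul__ = __mul__

    def contains(self, o):
        return self.lo <= o.lo and o.hi <= self.hi

    def hull(self, o):
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def widen(self, ratio):
        c, r = (self.lo + self.hi) / 2, (self.hi - self.lo) / 2
        r = r * (1 + ratio) + 1e-9
        return Interval(c - r, c + r)


def _iv(v):
    return v if isinstance(v, Interval) else Interval(v, v)


def h(x, u, w):
    """Polynomial part of P without the linear level term, plus the error input w."""
    return (-1e-6) * (x * x) + 0.5 * u + (-0.002) * (u * u) + w


def rhs(x, u, w):
    """Full right-hand side of the inclusion evaluated over intervals."""
    return (-A_LIN) * x + h(x, u, w)


def reach_step(X, U, W, dt):
    """One step: returns (X(t+dt), B), where B encloses all trajectories on [t, t+dt]."""
    # 1. A priori enclosure B (Picard-style fixed point): if X + [0,dt]*rhs(B)
    #    is contained in B, then every solution stays in B during the step.
    B = (X + Interval(0.0, dt) * rhs(X, U, W)).widen(0.1)
    for _ in range(50):
        cand = X + Interval(0.0, dt) * rhs(B, U, W)
        if B.contains(cand):
            break
        B = B.hull(cand).widen(0.1)
    else:
        raise RuntimeError("no a priori enclosure found; reduce dt")
    # 2. Endpoint set by variation of constants: for every trajectory
    #    x(t+dt) = e^{-a dt} x(t) + int_0^dt e^{-a(dt-s)} h(x(s),u(s),w(s)) ds,
    #    and h(...) lies in the interval h(B, U, W) throughout the step.
    decay = math.exp(-A_LIN * dt)
    X_next = decay * X + ((1.0 - decay) / A_LIN) * h(B, U, W)
    return X_next, B


def verify_dispatch(u_band, x0, t_f=300.0, dt=1.0, limit=300.0, err=0.05):
    """Over-approximate R([0,t_f]) for u in u_band and x(0) in x0, then test it
    against the unsafe set |x| > limit (mm) at every step."""
    U, W, X = Interval(*u_band), Interval(-err, err), Interval(*x0)
    hull = X
    for _ in range(int(round(t_f / dt))):
        X, B = reach_step(X, U, W, dt)
        hull = hull.hull(B)
        if B.hi > limit or B.lo < -limit:      # over-approximation meets the unsafe set
            return {"safe": False, "reach_hull": (hull.lo, hull.hi)}
    return {"safe": True, "reach_hull": (hull.lo, hull.hi)}


if __name__ == "__main__":
    for band in [(10.0, 10.0), (15.0, 15.0)]:
        print(band, verify_dispatch(band, (-20.0, 20.0)))
```

Because the contraction e^{-a·dt} of the linear level term is applied exactly rather than through interval addition, the enclosure does not blow up over the 300 steps; the remaining conservatism comes from evaluating the polynomial terms over the a priori enclosure B and from the error set W. The safety test is run on B rather than on the endpoint set, so intermediate times within each step are covered as well, which is what the over-approximation argument of Sec. 6.2 requires.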

[Figure 6.2: block diagram with the blocks "Specifications", "Formal analysis", "Reachable set computation", "Abstract model", "Polynomial approximation using Taylor expansion", "Process modelling", "Measurement data (München Süd)", "Estimated output", "Comparison" and "Modelling errors"]

Figure 6.2: Overview of the proposed approach to verify safety of the water level inside the drum in real-time control using reachability analysis.