1 Overview
With the development of science and technology, the maturing of power plant process control theory, the continuous improvement of control instrument manufacturing, and the widespread application of the distributed digital control system (DDCS) in power plants, the control of power plant processes has become procedural, modular and intelligent. Self-tuning of control parameters, fault self-diagnosis and alarms all provide great convenience for the optimization of unit process control. The maintenance workload of the instrumentation in normal operation has fallen to a minimum. The convenient human-machine interface and intuitive process displays bring the operator into closer and more intuitive contact with production process control.
Attention has therefore focused on the safety of the DDCS, with the fear that a failure of the entire DDCS would be catastrophic. This concern is reasonable, and it is a particular issue to be considered during the design phase. For power plants with a higher level of control, the availability and reliability indicators of the control system have become one of the main factors in evaluating the performance of the power plant.
2 Basic Concepts of Monitoring System Safety
2.1 Failure rate λ: the frequency with which a component or system fails. It is not constant: it depends on the operating time of the component and is sensitive to environmental conditions. Over the life of a component the failure rate curve resembles a bathtub.
2.2 Reliability R: the probability that a system or component will not fail within a given time period in a given working environment.
2.3 Mean time between failures MTBF: the mean interval of fault-free operation of the system or component. It is the reciprocal of the failure rate, that is: MTBF=1/λ
2.4 Mean time to detect MTTD: the time from the occurrence of a fault in the system or component until the fault is found. (Since the system has a self-diagnostic function, this time is generally not considered for most major components.)
2.5 Mean time to repair MTTR: the time from finding the fault to completing the repair.
2.6 Mean down time MDT: the time from failure to repair. MDT=MTTD+MTTR
2.7 Instantaneous availability A(t): the probability that a component or system is operating without failure at a given instant in a specific operating environment.
2.8 Asymptotic availability A: the ratio of the mean time between failures of a component or system to the total cycle time (fault-free time + down time). A=MTBF/(MTBF+MDT)
2.9 Instantaneous unavailability U(t): the probability that a component or system is not working at a given instant in a specific operating environment. It is the complement of A(t): U(t)=1−A(t)
2.10 Asymptotic unavailability U: the ratio of the mean down time of a component or system to the total cycle time. It is the complement of A: U=MDT/(MTBF+MDT)=1−A
3 Basic structures for reliability calculation:
3.1 Series structure:
Let the failure rates of the two components C1 and C2 be λ1 and λ2, respectively.
Then: λ0=λ1+λ2; MTBF0=1/(λ1+λ2)
If λ1=10, MTBF1=11.4;
λ2=100, MTBF2=1.14,
then λ0=110, MTBF0=1.04
The above calculation shows that in a series structure the component with the highest failure rate dominates the reliability of the structure. Therefore, if the structure contains one or more components with high failure rates, the reliability of the system cannot be changed significantly even if the other components selected are highly reliable.
3.2 Parallel (redundant) structure, as shown in Figure 2:
The parallel configuration has two or more components (usually two). Only one of them performs the system function; the others are in hot standby.
The parallel structure is generally used only for the more important control units, communication buses, couplers, process operator stations, servers and the like.
3.2.1 Redundant structure without hot repair:
That is, when a module fails, no repair is performed until all the parallel modules have failed and the system stops working.
Let the failure rates of the two modules be λ1 and λ2 respectively.
Then 1/λ0=1/λ1+1/λ2−1/(λ1+λ2), i.e.
λ0=(λ1+λ2)/(1+λ1/λ2+λ2/λ1)
If λ1=10, λ2=100,
then λ0=9.9, MTBF0=11.5
The above analysis shows that the reliability of the system depends mainly on the module with the lower failure rate.
3.2.2 Redundant structure with hot repair:
With the help of the DDCS's self-diagnosis and alarm functions, faulty modules can be discovered and replaced in time, which greatly improves the reliability of the redundant structure.
Let the failure rates of the components be λ1 and λ2.
Then λ0=2λ1·λ2·MDT; MTBF0=1/(2λ1·λ2·MDT)
If λ1=10, λ2=100, MDT=6 hours,
then λ0=0.012, MTBF0=9513
The above result shows that, as long as spare parts are available and the maintenance personnel have a correct grasp of the module configuration and replacement procedure (which determine MDT), so that faulty components are replaced promptly, the reliability of the whole redundant structure is greatly improved. A redundant structure then does not affect the operation of the system throughout its useful life.
3.3 Series-parallel structure, shown in Figure 3:
In the series-parallel configuration the failure rate of the series component C3 should be much lower than the failure rates of C1 and C2; otherwise C3 should also adopt a redundant structure, in order to ensure the reliability of the entire loop.
3.3.1 The failure rate of the series-parallel configuration of C1, C2 and C3 without hot repair can be derived from the previous calculations:
λ0=(λ1+λ2)/(1+λ1/λ2+λ2/λ1)+λ3
If λ1=10, λ2=100, λ3=1,
then λ0=10.9, MTBF0=10.5
3.3.2 The series-parallel connection with hot repair can be derived from the previous calculation: λ0=2λ1·λ2·MDT+λ3. Since the failure rate 2λ1·λ2·MDT of the parallel structure with hot repair is very low, the term 2λ1·λ2·MDT can be ignored entirely in comparison with the series component C3.
So we get: λ0≈λ3
If λ1=10, λ2=100, λ3=1 (MTBF3=114.2), MDT=6 hours,
then λ0=1.012≈1, MTBF0=112.8≈114.2
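The following Python code is an added worked example, not part of the original article: it reproduces the series, parallel and series-parallel calculations of sections 3.1 to 3.3 together with the asymptotic availability of section 2.8. It assumes, as the article's figures imply (1/10 × 10^6 h ≈ 11.4 years), that failure rates are given in failures per 10^6 hours, MDT in hours and MTBF in years.

```python
"""Reliability of the three basic structures (series, parallel, series-parallel).

Units assumed from the article's worked figures: failure rates λ in
failures per 10^6 hours, MDT in hours, MTBF reported in years.
"""
HOURS_PER_YEAR = 8760.0


def mtbf_years(lam):
    """MTBF = 1/λ (section 2.3), converted from hours to years."""
    return 1e6 / lam / HOURS_PER_YEAR


def availability(lam, mdt_hours):
    """Asymptotic availability A = MTBF/(MTBF+MDT) (section 2.8)."""
    mtbf_hours = 1e6 / lam
    return mtbf_hours / (mtbf_hours + mdt_hours)


def series(*lams):
    """Series structure (3.1): the failure rates simply add."""
    return sum(lams)


def parallel_no_repair(l1, l2):
    """Two-unit hot-standby pair with no repair until both have failed (3.2.1):
    1/λ0 = 1/λ1 + 1/λ2 - 1/(λ1+λ2)."""
    return 1.0 / (1.0 / l1 + 1.0 / l2 - 1.0 / (l1 + l2))


def parallel_hot_repair(l1, l2, mdt_hours):
    """Two-unit pair whose faults are detected and repaired within MDT (3.2.2):
    λ0 = 2·λ1·λ2·MDT. With λ in 10^-6/h one factor of 1e-6 is left over,
    so the result is again expressed in failures per 10^6 hours."""
    return 2.0 * l1 * l2 * mdt_hours * 1e-6


def series_parallel(l1, l2, l3, mdt_hours=None):
    """Series-parallel structure (3.3): redundant pair C1/C2 in series with C3.
    mdt_hours=None means no hot repair (3.3.1); a value means hot repair (3.3.2)."""
    if mdt_hours is None:
        pair = parallel_no_repair(l1, l2)
    else:
        pair = parallel_hot_repair(l1, l2, mdt_hours)
    return series(pair, l3)


def summary(l1=10.0, l2=100.0, l3=1.0, mdt_hours=6.0):
    """Failure rate and MTBF (years) of every structure for the article's inputs."""
    rates = {
        "series C1+C2": series(l1, l2),
        "parallel, no repair": parallel_no_repair(l1, l2),
        "parallel, hot repair": parallel_hot_repair(l1, l2, mdt_hours),
        "series-parallel, no repair": series_parallel(l1, l2, l3),
        "series-parallel, hot repair": series_parallel(l1, l2, l3, mdt_hours),
    }
    return {name: (lam, mtbf_years(lam)) for name, lam in rates.items()}


if __name__ == "__main__":
    for name, (lam, mtbf) in summary().items():
        print(f"{name:28s} λ0 = {lam:8.3f}   MTBF0 = {mtbf:8.1f} years")
    # the hot-repaired loop of 3.3.2 is unavailable for only a few seconds per year
    print(f"availability of hot-repaired loop: {availability(1.012, 6):.8f}")
```

The summary reproduces the article's figures (110/1.04, 9.9/11.5, 0.012/9513, 10.9/10.5 and 1.012/112.8), which makes it easy to re-run the comparison with a vendor's own failure-rate data.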
The above analysis shows that the failure rate of the series-parallel structure depends mainly on the series component, and the failure rate of the redundant parallel components is negligible. This kind of structure is used frequently in control loops. Only three simple structures have been analysed and calculated above. A real DDCS is far more complex than these structures: like a sequence-control ladder diagram, it has many cross-connections. The results for the three structures above are very effective for the parts with few cross-connections, but for a complex system configuration these three structures alone are insufficient. The Markov model is then used for the calculation; it is a powerful tool for analysing the reliability of complex control systems. Its disadvantage is that the number of states grows exponentially: a system of n components can have up to 2^n states, and a DDCS has hundreds of thousands of parts. If the Markov model were still used to calculate the reliability of the whole system, the workload can be imagined. Therefore, where only a qualitative analysis of the reliability of a configuration and a comparison of configuration schemes are required, it is not necessary.
For the qualitative analysis of the reliability of a complex control system, the approach is to reduce the complexity of the system as much as possible and make full use of the simple calculation methods above. The way to reduce the complexity of the problem is decomposition of the system structure: the complex system is divided into several subsystems that are easy to analyse and calculate (generally by process station). Solving these subsystems separately and combining their results with a reliability block diagram makes it easy to calculate the reliability index of the entire complex system.
4 System Reliability and Availability Analysis:
The reliability and availability of the monitoring system are an important factor in the performance evaluation of a power plant and are directly related to the long-term, stable and economic operation of the unit. The Procontrol-P control instrumentation manufactured by ABB-K in Germany is taken as the object for analysing the reliability and availability of the monitoring system.
Figure 4 shows the minimum configuration of the system without redundancy.
Figure 5 shows the minimum configuration of the system with a redundant process station.
Procontrol-P has the following features:
1 Hierarchical structure: unit control level; coordination, selection and switching control level; drive control level.
2 Dispersed structure: all important actuators and drives are controlled by independent control modules.
3 Split structure: control tasks are assigned to several independent control modules or control stations.
4 Distribution principle: the hardware is physically distributed over several different process stations or cabinets.
5 Fault self-diagnosis and alarm.
6 Pre-set consequences of failure.
According to Figures 4 and 5, the reliability of the three components of the system is analysed.
4.1 Man-Machine Interface (MAN-MACHINE INTERFACE)
The man-machine interface (MMI) is the channel for the exchange of information between the operator and the control process. It is configured redundantly, so that the failure of one MMI part only reduces the redundancy of the system. It consists of two servers with connectors (n+1 redundancy), two independent LANs with an inter-network bridge, and four operator terminals.
• Every two operator terminals are assigned to one server, and each server is connected to the remote bus through a connector. In this way, if one server or connector fails, the four terminals continue to operate normally as long as the corresponding LAN and the bridge are running, and only the redundancy is reduced.
• If one server fails and the LAN or bridge on the same side also fails, the system can still operate normally, because the MMI is configured with 100% redundancy; this failure only reduces the system's redundancy. In the configuration scheme, two operator terminals are considered sufficient to carry out the human-machine contact task.
• A LAN fault affects only two operator terminals; it does not affect the functionality of the man-machine interface and only reduces redundancy.
• If the bridge fails, the MMI is split into two separate MMI systems, each with one server and two operator terminals. The full functionality and performance of the MMI remains, so this does not actually affect the reliability of the MMI system.
Owing to the redundant configuration of the MMI, its reliability follows from the calculations of the parallel and series structures above.
Only when the following faults occur is the MMI prevented from operating:
(1) Both servers fail.
(2) One server fails and the LAN on the other side fails.
(3) Both LANs fail.
(4) One operator terminal fails and the LAN on the other side fails, so that only one operator terminal is still operating.
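As an added example (not from the original article), the Python code below models the MMI of section 4.1 as a structure function and enumerates its minimal cut sets, so the four failure conditions listed above can be checked rather than just read. The topology is an assumption inferred from the text: each side has one server, one LAN and two terminals, a terminal whose own server is down reaches the other server only through the bridge and the other side's LAN, and the MMI is considered operating while at least two terminals work. The enumeration also surfaces combinations the list does not spell out (for instance three failed terminals), which is the point of doing it mechanically.

```python
"""Minimal cut sets of the redundant MMI (section 4.1).

Constructed model, not a vendor drawing: two sides A and B, each with a
server (S_x), a LAN (L_x) and two operator terminals (T_x1, T_x2), joined
by a single inter-network bridge (BR).
"""
from itertools import combinations

COMPONENTS = ("S_A", "S_B", "L_A", "L_B", "BR",
              "T_A1", "T_A2", "T_B1", "T_B2")
MIN_TERMINALS = 2   # the article treats two operating terminals as sufficient


def terminal_up(term, failed):
    """True if operator terminal `term` can still reach a working server."""
    side = term[2]                       # "A" or "B"
    other = "B" if side == "A" else "A"
    if term in failed or f"L_{side}" in failed:
        return False                     # terminal itself or its LAN is dead
    if f"S_{side}" not in failed:
        return True                      # served by its own server
    # own server down: go across the bridge to the other side's server,
    # which needs the bridge, the other LAN and the other server all up
    return not ({"BR", f"L_{other}", f"S_{other}"} & failed)


def mmi_operational(failed):
    """Structure function: MMI works while enough terminals are served."""
    failed = set(failed)
    working = sum(terminal_up(t, failed) for t in COMPONENTS if t.startswith("T_"))
    return working >= MIN_TERMINALS


def minimal_cut_sets():
    """Smallest sets of failed components that stop the MMI (2^9 states)."""
    cuts = []
    for size in range(1, len(COMPONENTS) + 1):
        for combo in combinations(COMPONENTS, size):
            failed = frozenset(combo)
            if mmi_operational(failed):
                continue
            if any(cut <= failed for cut in cuts):
                continue                 # a smaller cut set already covers it
            cuts.append(failed)
    return cuts


if __name__ == "__main__":
    for cut in sorted(minimal_cut_sets(), key=lambda c: (len(c), sorted(c))):
        print(" + ".join(sorted(cut)))
```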
4.2 Remote Bus (REMOTE BUS)
The remote bus is the link between the MMI and the process stations and is the important data highway of the system. Its importance in the system ranks first, so it adopts a redundant configuration. It connects directly with the servers and the process stations. Failure of one remote bus will not affect any function or performance of the system, and failure of a server or process station will not affect the normal operation of the remote bus. Its reliability is therefore very high, as can be seen from the calculation of the parallel structure above.
In the normal analysis, the failure rate of independently redundant subsystems can be ignored entirely.
4.3 Process Station (PROCESS STATION)
A process station can accommodate 7 input modules and 13 control modules; each input module can take up to 16 digital or analog signals, and each control module can control up to 4 digital or analog process parameters.
4.3.1 Non-redundant process station
The process station bus is connected to the redundant remote bus via redundant connectors. Both ends of the station bus are terminated with surge impedances through terminal modules, to ensure that there are no reflections during data transmission. The DC/DC converters built into the two terminal modules are mutually redundant. The failure rate of the impedance can be ignored, and failure of a terminal module does not affect the reliability of the station bus. A single connector failure will not hinder the connection, a single remote bus failure will not hinder the operation of the connectors, and any module failure will not hinder the operation of the station bus.
4.3.2 Redundant process station
The redundant process station is composed of two identical units, one of which is the hot spare of the other. This configuration is suitable for the more important control systems. The function of any failed module in the active unit is automatically taken over by the same module in the hot standby unit. Each unit is connected to the redundant remote bus via a connector, so failure of a single remote bus does not hinder the operation of the entire unit. Each unit contains a redundant control module that is responsible for supervising the operation of the modules and switching over the functions.
The instrumentation and control function of the redundant process station is lost when the following problems occur:
• An undetected fault occurs in an input or control module or in the connector of the active unit.
• The above fault occurs in the standby unit, and the active unit then fails as well.
• A failure of the redundant control module of the active or hot standby unit goes undetected, and an input or control module or a connector fails in the active unit.
From the above simple analysis of a typical system configuration, it is not difficult to conclude that the system configuration is highly reliable: the redundant parts cover the entire station and the safety-relevant part of the entire system, and the requirements for normal operation of the system are easily met, that is:
(1) Operation of the control loops is not restricted.
(2) Each control loop is under the supervisory control of at least two process operator stations.
By this simple division of the system, the availability and failure rate of each part are calculated, and the reliability of the system is then analysed and calculated using the Markov model. To simplify the calculation, it is assumed that the failure rate is less than the repair rate. With MDT=6 hours, the calculation results are as follows:
Note: each process station has 4 control loops and one input module.
5.0 Concluding remarks
Although the above calculations cover only the safety indicators of a system configured with a single process station, the safety performance of the whole system is not affected when there are multiple process stations, because the stations are basically independent. The only parts with a significant impact on overall system safety are the remote bus and the man-machine interface, and as the table above shows, the failure rates of these two parts are completely negligible. What must be fully considered is the bus communication load rate.
As long as the parameters provided by the control instrument manufacturer (events, messages and word lengths), the maximum number of communication events required by the unit during an accident, and the amount of information routinely exchanged over the bus are known, the communication load rate can be obtained. Generally it should not exceed 40%.
The data used in the calculations are based on long-term statistical results for the control instrumentation and on data measured under ideal working conditions. Therefore, to ensure the safety performance of the system, it is necessary to provide an ideal working environment for the instrumentation, prevent dust from accumulating on the modules, prevent high-voltage interference signals from entering the control system, and improve the working skills of the maintenance personnel.