Reliability Engineering and System Safety 21 (1988) 77-89

Reliability Analysis of the Control System of a Conventional Power Plant

Arja Toola*

Imatran Voima Oy, PO Box 138, 00101 Helsinki, Finland

(Received 22 July 1987)

ABSTRACT

This paper deals with a reliability study of the control system of a
conventional power plant. The study is based on a reliability model of the
control system. The structure of the model, the ways of utilizing it and the
experience gained are discussed.

INTRODUCTION

The vast number of functions and the importance of protective and safety
functions are typical of the control of a power plant. Losses due to
unavailability can also be high in monetary terms, especially if the power plant
supplies industry with process steam or electricity.
Because there have been discussions about the reliability of digital
automation systems, the designers and the operating personnel found it
interesting and necessary to perform some reliability comparisons.
Direct losses of process availability due to the control system are rare. But
because of the role of the control system in disturbance situations of the
process, the proper functioning of the control system becomes important.

* Present address: Technical Research Centre of Finland, PO Box 656, 33101 Tampere,
Finland.
A version of this paper was presented at Reliability '87, 14-16 April 1987, Birmingham, UK
and is reproduced by kind permission of the organisers.
Reliability Engineering and System Safety 0951-8320/88/$03.50 © 1988 Elsevier Applied
Science Publishers Ltd, England. Printed in Great Britain

A quantitative reliability study was made for the control system of a
power plant. The plant was under construction when the study started, and
the commercial use of the plant began in summer 1986. It is possible to burn
coal, peat and oil in the plant.

PURPOSE

The purpose of the study was to find the way to analyze the reliability of
automation systems and control actions and to find ways of utilizing the
reliability studies in the design and operation phases of the plant.

DESCRIPTION OF THE CONTROL SYSTEM

The control system of the power plant is shown in Fig. 1. The main
automation system of the power plant covers the control of the boiler plant
and the turbine plant with the exception of the turbine controller and the
control of some minor subsystems. Besides the digital control system, the
system includes wired electronic logics for protective functions of the final
controlling elements and the drive groups. A back-up control desk for
manual control of the plant (an auxiliary operation system for shutting the
plant down safely if the main system is out of order) is also situated in the
control room.
The main automation system of the power plant is a microprocessor-
based distributed control system. The system consists of process stations,
control room stations and communication stations. The process stations
perform the measurement and control actions of the process function
groups. The control room stations handle supervisory actions and the
communication stations provide communication between different
stations. All the process stations, control room stations and important
communication stations are duplicated. The main automation system is
shown in Fig. 2.
The main automation system is a complex of two automation systems,
both of which have ten process stations. Of the twenty process stations ten
are for the boiler plant, seven for the turbine plant, two for the control of
electrical supply and one is specially for fast alarms.
The degree of automation in the power plant is function group level or in
some cases drive group level. This means that function groups operate
independently and they can be turned on/off by one operator action.
The design of the automation system and its software was made by the
supplier. The buyer designed the application of the system together with the
supplier, i.e. the configuration of the racks and the software for the control
actions.

[Fig. 1. The control system of the power plant (diagram not reproduced).]

[Fig. 2. The main automation system (diagram not reproduced).]

THE RELIABILITY MODEL

A reliability model was made for the control system. The model is a kind of
block diagram in a form suitable for the RELVEC reliability analysis tool,
by which the quantitative calculations were made.
RELVEC is a computer code for quantitative reliability analysis
developed in the Technical Research Centre of Finland (VTT). The code is
especially suitable for reliability studies of hierarchic automation systems
and other electronic systems.
Functionally the reliability model of the control system comprises the
model of the automation system, the model of the connections to the process
and the model of the control functions.
The automation system was modelled to the circuit board level. The
model covers process stations, traffic stations, control room stations and the
equipment in the operation room. The power suppliers inside the racks and
the fans are also included.
The connections to the process were combined with the reliability model
of the automation system. Practically this means that process components
and sensors were connected to the input and output circuit boards of the
automation system. At the same time the control loops are defined by
combining the process components of a control loop. The functions of the
automation system can be studied with this larger model so that the effects of
the process components on the reliability can be included. This model is
easier to handle for those who are familiar with the process, but do not know
the automation system itself. This is because the analyst now deals with
process components and measurements, not with inputs and outputs of the
automation system. If the analyst does not want to include the process
components in the quantitative study, a zero failure rate can be given for
them.
In some cases it would be interesting to study the reliability of the control
operations of a specific process status. This is made possible by a list of
process function groups, which includes the control loops (protective
functions and alarms included) needed for the operation of the function
group. When a reliability study is made, those control loops which are
needed for the status of the plant under consideration can be selected. When
the name of a control loop is entered in RELVEC the program searches for
the process components and measurements, and further the circuit boards of
the automation system, needed for the proper operation of the process. This
way of studying is 'to study the reliability and availability of the automation
system from the process point of view', i.e. the unavailability of the process
due to the failures of the automation system.
The safety functions of the actuators were modelled separately.
Functionally they are separated from other control functions of the system,
but they are located in connection with the main automation system and use
the same I/O-interfaces as the other automation functions do. This kind of
structure of the reliability model makes it possible to perform a risk analysis
on the basis of the question: What is the probability of this protective
function not functioning when needed?
A summary of the reliability model is shown in Fig. 3.

Potential uses of the reliability model

The model enables the automation system to be studied separately from the
process or the system can be studied from the process point of view. In both
cases the model is easy to modify. This means that the effect of system
modifications on the total reliability can be studied, or in the design phase
the reliability of different alternatives can be compared.

Potential uses of the computer code

A lot of different outputs are available from RELVEC. Their usefulness in a
specific analysis depends on the reliability model and on the system being
analyzed. Each component in the model may have the following numerical
reliability parameters:

--failure rate, which is assumed to be constant;
--unavailability;
--mean time to repair (or unrepairable);
--allowed down time (constant or exponentially distributed);
--Common Cause Failure (CCF) data: beta factors for double, triple and
  quadruple failures for the following dependencies:
  --room number
  --type number
  --maintenance group number
  --manufacturer number
  --extra CCF class number.
[Fig. 3. Summary of the reliability model. Panel titles: RELIABILITY MODEL
OF THE AUTOMATION SYSTEM; CONNECTION TO THE PROCESS; DETERMINATION OF
THE PROCESS FUNCTIONS (diagram not reproduced).]

The following outputs give us an overview of the general reliability
characteristics of the model:
--(un)reliability over the mission time;
--mean (un)availability over the mission time;
--mean time between failures;
--mean down time;
--equivalent failure rate and mean time to repair;
--component importance measures (for reliability and availability);
--cut set importance measures (for reliability and availability);
--duration curve based on a demand curve.
The following outputs can be used for in-depth analysis of the system:
--sensitivity analysis of:
  --mean time to repair;
  --failure rate or unavailability;
  --allowed down time;
  --mission time;
  --CCF beta factors;
--indirect sensitivity analysis of the previous parameters (e.g. sensitivity
  analysis of failure rate for components in room 33);
--versatile CCF analysis (e.g. we can find all cut sets including at least
  three components maintained by the same maintenance group or by a
  given group);
--any number of components may be declared failed;
--data and system modification and recalculation are simple;
--cut sets can be searched and computed with a search mask (it is possible
  to examine interesting cut sets only);
--importance measures for CCF dependencies (rooms, manufacturers,
  maintenance groups, component types and extra field) for reliability
  and availability.

Data

The reliability data of the components (circuit boards) of the automation
system were formed from the operating experience data gathered by the
system supplier. The data were incomplete. There were new kinds of circuit
boards as a result of the development work of the supplier, especially those
modified as a result of product development, but also those modified to meet
the demands of this specific application. Besides, only a few data were
available on the circuit boards of the wired logic, because the operating
personnel have been capable of fixing the circuit boards themselves. The
information on the failures is thus not sent to the system supplier.
For some circuit boards a MIL-HDBK-217D value was also calculated so
that a relation could be formed between the calculated value and the value
from the operating experience. This information was used when predicting
with the help of MIL-HDBK-217 the failure rates of those components with
which only little operating experience was available.
Reliability data were easily available on process components and
measurements. In the beginning the data are quite general. More accurate
data will be written when more information has been gathered on the system
or more accurate data are needed.

UTILIZATION OF THE RELIABILITY ANALYSIS

Use of the reliability analysis

Reliability analysis can be used for the design phase of the system, and also
for the operation period of the power plant. In this case the design of the
control system was almost completed when it was possible to utilize the
reliability model. However, the decisions made in the design phase could be
considered again afterwards. Obviously, the same decisions are to be made
in the future power plant projects, too. Furthermore, a lot of experience has
been gained for the future.
The personnel of the power plant have the possibility of utilizing the
reliability model made especially for the control system of their plant. The
utilization at the plant continues, and no exact conclusions about it have
been received yet. In any case, it is thought that they can use the model for
modifications and when designing the maintenance policy.

Example of a reliability study made with the reliability model

Let us study the reliability of a simplified process function. The process is the
system for drying the peat and carrying it from the raw peat silo to the
burners. The process is shown in Fig. 4.
The peat is carried from the raw peat silo to the peat mill. From the mill
the drying gas carries the peat to the burners. Some of the peat-gas flow goes
via cyclones. The cyclones separate the peat from the drying gas.
When studying the reliability of the control of the process function, the
task is formed using the control actions which are needed for the proper
functioning of the process.
The system has the following control actions: speed control of the peat
mill, speed control of the peat flow from the silo, temperature and flow
control of the drying gas, and on/off control for the peat flow to the peat mill,
for the flow to the burners, for the flow of the drying gas and for the flow from
the cyclones. All these control actions should function properly for the
proper functioning of the process, so they can be considered to form a
series reliability structure. The measurements are included in the reliability
assessment of the example, but not the actuators.

[Fig. 4. The system for drying the peat and carrying it from the raw peat silo
to the burners (diagram not reproduced).]

An example of the calculations and results is shown in Fig. 5. It can be
seen that there are cut sets of length one and two in the control system.
There will be a failure in the system about five times a year. The most
troublesome units will be the VC-units and the BC-units, which are control
output units of the automation system. Speed measurements of the peat feeder
(HGBxxCGx) and the gas analyzers of the boiler (HNIxxCQx) are the next
most important component groups causing unreliability.
A sensitivity analysis has been done for the failure rates of the VC-units.
The graph shows that if the failure rate is ten times bigger than expected, the
unavailability will be about three times higher than the number obtained
from the analysis.
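As an added example (not the paper's or RELVEC's code), the Python below builds a series-structure model of the kind the peat control function forms and computes the parameters Fig. 5 prints: reliability and unavailability over the mission time, equivalent failure rate, MTBF, down time, equivalent repair time, an additive group importance and the failure-rate sweep of one group. Component names, groups, failure rates and repair times are constructed, and the importance definition (each group's share of the equivalent failure rate) is an assumption of this example, not RELVEC's.

```python
import math
from dataclasses import dataclass

T = 8760.0  # mission time in hours (one year), as in Fig. 5

@dataclass(frozen=True)
class Component:
    name: str    # identifier, constructed in the style of Fig. 5 (not plant data)
    group: str   # component group, e.g. VC = control output unit
    rate: float  # constant failure rate, 1/h
    mttr: float  # mean time to repair, h

# Constructed sample: every control loop must work, so all components are in series.
PEAT_CONTROL = [
    Component("VC1074", "VC", 1.5e-5, 4.0), Component("VC1075", "VC", 1.5e-5, 4.0),
    Component("BC1116", "BC", 6.0e-6, 4.0), Component("BC1117", "BC", 6.0e-6, 4.0),
    Component("HGB10CG1", "HGB", 5.0e-6, 6.0), Component("HNI01CQ1", "HNI", 1.2e-5, 8.0),
]

def series_parameters(components, T=T, multipliers=None):
    """Parameters of a series system of independent, repairable components with
    constant failure rates. multipliers maps a group name to a factor applied to
    its failure rates (used for the sensitivity sweep)."""
    multipliers = multipliers or {}
    rates = [c.rate * multipliers.get(c.group, 1.0) for c in components]
    lam = sum(rates)                    # equivalent failure rate of the series system
    R = math.exp(-lam * T)              # probability of no failure during the mission
    # steady-state availability of one repairable component: 1 / (1 + lambda * MTTR)
    A = math.prod(1.0 / (1.0 + r * c.mttr) for r, c in zip(rates, components))
    DT = (1.0 - A) * T                  # expected down time over the mission, h
    return {"R": R, "unrel": 1.0 - R, "Fr": lam, "MTBF": 1.0 / lam,
            "A": A, "unavail": 1.0 - A, "DT": DT,
            "MTTR": DT / (lam * T)}     # down time per failure = equivalent MTTR

def from_printout(R, A, T=T):
    """Recover Fr, MTBF, DT and Mttr from the R, A and T that a printout such as
    Fig. 5 shows, using the same identities as series_parameters."""
    lam = -math.log(R) / T
    return {"Fr": lam, "MTBF": 1.0 / lam, "DT": (1.0 - A) * T, "MTTR": (1.0 - A) / lam}

def group_importance(components):
    """Additive importance: each group's share of the equivalent failure rate (an
    assumption of this example, not RELVEC's definition). Returns (group, share,
    count) tuples ordered like the GROUP columns of Fig. 5."""
    total = sum(c.rate for c in components)
    groups = {}
    for c in components:
        share, n = groups.get(c.group, (0.0, 0))
        groups[c.group] = (share + c.rate / total, n + 1)
    return sorted(((g, s, n) for g, (s, n) in groups.items()), key=lambda t: -t[1])

def sensitivity(components, group, factors=(0.1, 0.2, 0.5, 1.0, 2.2, 4.6, 10.0)):
    """Unavailability as one group's failure rate is scaled, like the VC sweep in Fig. 5."""
    return {f: series_parameters(components, multipliers={group: f})["unavail"] for f in factors}

if __name__ == "__main__":
    print(series_parameters(PEAT_CONTROL))
    print(from_printout(0.005182, 0.997063))  # R and A as printed in Fig. 5
```

Applied to the R and A values printed in Fig. 5, from_printout returns the Fr, MTBF, DT and Mttr shown there, which is a quick consistency check of any such printout.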

EXPERIENCE

As this was the first large-scale reliability study of an automation system in the
company, plenty of experience has been gained from the study, e.g. the
following.

There is a need for methods with which it is possible to compare the
reliability of the automation systems of various suppliers during trade-off.
The mean time between failures, or unavailability of control functions, can
be used as a comparison parameter. The control function can be the
operation of a control station, operator control or the control of a part of
the process.
The analysis described above was based on an availability model and the
analysis was a quantitative one. In many cases a small failure rate does not
make the control system reliable. Failure tolerance, self-diagnostics and
maintainability of hardware and software should be considered, too. In
some cases transmitted failures, reflective failures and human factors might
also have a great influence on the reliability of control systems. These are
aspects which cannot be studied with the kind of analysis described above.
This kind of quantitative analysis gives us information about the
reliability of automation systems. More information is obtained if the
analysis is complemented by studying those aspects which cannot be considered
with the kind of method described.

HG_CONTROL = SPEED_HGB • ON/OFF_HGB • TEMPER_HGD • FLOW_HGD • SPEED_HGN
             • ON/OFF_HGN • ON/OFF_HGL • ON/OFF_HGM1 • ON/OFF_HGM2
             • ON/OFF_HGP1 • ON/OFF_HGP2 • ON/OFF_HGP3 • ON/OFF_HGP4

MIN,HG_CONTROL,4

MINIMUM CUT-SETS OF THE PEAT SYSTEM

SET SIZE     1     2     3     4
AMOUNT     206   226     0     0

Total number of cut sets 432

RELIABILITY PARAMETERS

RELIABILITY   T = 8760.0

R = 0.005182   1-R = 9.9482E-01   MTBF 1.6645E+03 H     Fr   6.0075E-04 1/H
A = 0.997063   1-A = 2.9373E-03   DT   25.73 H/YEAR     Mttr 4.89 H

Fig. 5. Example of a study made with the reliability model.

RELIABILITY IMPORTANCE   T = 8760.0

COMPONENT   IMPORTANCE      %    GROUP   IMPORTANCE      %   AMNT   CUMUL.
VC1074      2.57E-02     2.57    VC      2.31E-01    23.10      9    23.10
VC1075      2.57E-02     2.57    BC      8.83E-02     8.82      8    31.92
VC1076      2.57E-02     2.57    HGB     6.88E-02     6.87      7    38.79
VC1077      2.57E-02     2.57    HNI     6.80E-02     6.80      3    45.59
VC1080      2.57E-02     2.57    HGM     5.03E-02     5.02      5    50.61
VC1082      2.57E-02     2.57    HLA     4.21E-02     4.21      5    54.82
VC2082      2.57E-02     2.57    MC      4.07E-02     4.06     14    58.88
VC3081      2.57E-02     2.57    RTR     3.53E-02     3.53      8    62.41
VC4081      2.57E-02     2.57    BNA     3.11E-02     3.11      2    65.51
HNA50CQ1    2.27E-02     2.27    DMU     3.08E-02     3.08     15    68.59
HNI01CQ1    2.27E-02     2.27    UNI     2.69E-02     2.68     14    71.27
HNI01CQ2    2.27E-02     2.27    ADU     2.55E-02     2.55      6    73.83
HNI01CQ3    2.27E-02     2.27    HGN     2.53E-02     2.52      3    76.35
BC1116      1.10E-02     1.10    AMU     2.23E-02     2.23     13    78.57
BC1117      1.10E-02     1.10    PUD     2.06E-02     2.06     20    80.63
BC1120      1.10E-02     1.10    HGL     2.01E-02     2.01      2    82.64
BC1121      1.10E-02     1.10    HFG     2.01E-02     2.01      2    84.65
BC1122      1.10E-02     1.10    BJ      1.70E-02     1.70      4    86.35
BC1124      1.10E-02     1.10    LBA     1.52E-02     1.52      2    87.87
BC1125      1.10E-02     1.10    DLY     1.32E-02     1.32      5    89.19
BC1126      1.10E-02     1.10    AI      1.25E-02     1.25     22    90.44
HFG10CS1    1.01E-02     1.00    BI      1.23E-02     1.23     11    91.66
HFG10CS1    1.01E-02     1.00    BUS     1.20E-02     1.20      7    92.86
HGB10CG1    1.01E-02     1.00    HGY     1.01E-02     1.00      1    93.87
HGB10CS1    1.01E-02     1.00    HGK     1.01E-02     1.00      1    94.87
HGB10CS2    1.01E-02     1.00    RTT     8.85E-03     0.88      2    95.76
HGB10CS3    1.01E-02     1.00    HGA     8.42E-03     0.84      1    96.60
HGB10CS4    1.01E-02     1.00    HGD     8.42E-03     0.84      1    97.44
HGB20CS1    1.01E-02     1.00    PU      6.88E-03     0.69      9    98.13
HGK12CG1    1.01E-02     1.00    CPU     5.33E-03     0.53     17    98.66
HGL11CS1    1.01E-02     1.00    CS      4.42E-03     0.44      1    99.10
HGL11CS2    1.01E-02     1.00    PUC     3.51E-03     0.35     17    99.45
HGM12CG1    1.01E-02     1.00    SCU     3.14E-03     0.31     17    99.76
HGM12CG2    1.01E-02     1.00    SW      1.12E-03     0.11      8    99.87
HGM12CG3    1.01E-02     1.00    PUE     1.03E-03     0.10      1
HGM12CS1    1.01E-02     1.00    BMUP    1.45E-04     0.01     14
HGM12CS2    1.01E-02     1.00    MEMP    7.89E-05     0.01     14

Sensitivity analysis of the failure rate of VC-units

SENSITIVITY   T = 8760.0   SHORTEST

Fr of VC (relative)   UNREL      UNAVAIL    MTBF
0.1                   9.84E-01   2.55E-03   2.12E+03
0.2                   9.86E-01   2.60E-03   2.05E+03
0.5                   9.90E-01   2.71E-03   1.91E+03
1.0                   9.95E-01   2.94E-03   1.66E+03
2.2                   9.99E-01   3.44E-03   1.30E+03
4.6                   1.00E+00   4.51E-03   8.89E+02
10                    1.00E+00   6.83E-03   5.27E+02

[Plot of RELATIVE UNAVAIL (+) AND UNREL (*) against the relative Fr of VC on
a logarithmic axis from 0.1 to 10; not reproduced.]

SENSITIVITY OF RELIABILITY 0.0016   SENSITIVITY OF AVAILABILITY 0.1471

Fig. 5 (contd.)
