The present invention relates to the operation of steam turbines and electric power plants and more particularly to the implementation of a multiple digital computer control system in the operation of steam turbines and electric power plants.
One highly significant factor in the security and safety of steam turbine and electric power plant operation is the reliability with which the turbine and plant controls function to make the turbine and steam generator operate at desired levels. Thus, if turbine or steam generator control becomes inoperative, the plant must be shut down with resultant loss of system power generation capacity, a corresponding loss of system security against blackouts and brownouts, cyclic stress damage to the expensive power generation equipment and possible loss of customer service and revenues where system loads must be cut back to match the resultant system power generation capacity. Therefore, electric power companies are especially interested in purchasing highly secure control equipment.
In U.S. Pat. 3,552,872, issued to T. Giras and W. Barnes and in an improvement patent application W. E. Case 42,389, filed by A. Braytenbah on Oct. 14, 1970, there is disclosed a control system which operates a steam turbine with high reliability. The control system includes a digital control computer which is interfaced with a manual backup control so as normally to provide automatic turbine operation and so as to transfer automatically and bumplessly to manual backup control in the event of certain contingencies. In the above-referenced U.S. Pat. it is suggested that a digital computer control can be used as a backup turbine controller if it is economically justifiable, but the manner in which this can be done and the desirability of backup computer control are not considered. Similarly, in a paper entitled "Steps To Automation" presented by J. Rocca at the Nov. 16-20, 1969 meeting of the Power Division of The American Society of Mechanical Engineers and a paper entitled "The Control Computer Installation At The Moss Landing Power Plant" presented by J. Rocca to the prospective fact of redundant backup computer control is set forth but means for providing such control are not disclosed. While multiple computer configurations have been used in hierarchical arrangements for operating various types of processes including electric power plants, and while multiple computers may have been used in various configurations with varying degrees of backup capability among the computers in some industrial processes, no multiple computer configuration is known to have been applied to power generation plants for computer backup for the whole of or a substantial portion of primary turbine and/or steam generator control loops in a primary computer.
In fact, a power plant or turbine control system with one or more backup computers is desirable for a number of reasons. For example, with a backup computer control, completely automatic backup control is possible even though the main computer controller is down. With manual backup control only, failure of the on-line automatic control system can result in reliable plant and turbine operation but the backup operation requires operator attention and it is limited in flexibility and control function. Another factor that makes backup computers desirable is that the standby or off-line computer or computers can be used for other purposes at various times in the plant life. Thus, the standby computer(s) can be used off-line to process data in accordance with programs loadable into the standby computer(s) for that purpose. Further, the standby computer(s) can be used for plant simulation for plant installation and maintenance purposes and for operator training as disclosed in various papers including a paper entitled "A Training Simulator For A Digitally Controlled 750 MW Thermopower Generating Unit" presented by R. F. Hawes, L. M. Koskela, J. R. Smith and U. G. Ronnen to the April 1970 Chicago American Power Conference, a paper entitled "The Real-Time Simulation Of A Once-Through Supercritical Generating Unit" presented by U. G. Ronnen at the July 9, 1972 IEEE Power Engineering Society Symposium on Adequacy and Philosophy of Modeling: System Dynamic Performance in San Francisco, California, a paper entitled "Systems Engineering Considerations In The Development Of Industrial Training Simulators" presented by J. R. Smith and U. G. Ronnen to the April 1971 Pittsburgh Conference on Modeling Simulation, a paper entitled "Design And Modeling Considerations For On-Site Real-Time Training Simulators For Power Plants" presented by J. R. Smith and U. G. Ronnen to the June 1972 San Diego Simulation Conference, and an article entitled "Simulator Helps Train Plant Operators" published in the June 1971 issue of "Power Magazine".
It is also especially noteworthy that extended turbine and plant security can be realized with multiple computer plant and turbine operation. Thus, the primary computer and the standby computer(s) may be interfaced with a manual backup control and thereby provide for turbine and plant operation with a control failure probability defined by the combined failure probability of the multiple computer controls and the manual backup control. Further, and nearly as importantly, an automatic control failure probability is then defined by the combined failure probabilities of the multiple computer control. In a dual computer configuration of P2000 computers for example, the probable failure rate for the computer control portion of the control system is specified to be 6000 HR MTBF where the individual failure rates are specified to be 4000 HR MTBF (Hours Mean Time Between Failures). With the provision of advanced system operating techniques not possible with a single computer control system, the MTBF of the dual computer configuration can be raised to values up to 35,000 HR or more.
One of the principal problems associated with implementing backup computer control in an electric power plant is that associated with providing a system which provides for reliable and secure automatic transfer without disturbing the electric power generation process. If the transfer mechanism is inaccurate or unreliable, there may be a failure in the object to achieve increased plant and turbine security through backup computer control. The fact that in the typical power plant application a large number of manual/automatic control loops must be switched on a transfer makes it especially difficult to obtain relatively improved overall reliability.
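The MTBF figures quoted above for the dual computer configuration, and the dependence on the transfer mechanism described in the preceding paragraph, can be reproduced with a textbook two-unit redundancy model. The following Python code is an added example, not part of the patent, which does not state how its figures were derived; the Markov model, the repair time standing in for the "advanced system operating techniques", the coverage parameter and the function names are all assumptions.

```python
# Added illustration (not from the patent): MTBF of a dual-computer control
# under a two-unit active-redundancy Markov model.
# Assumptions: identical computers, exponential and independent failures;
# "repair" models restoring the failed computer while the other one runs;
# "coverage" is the probability that the plant stays under computer control
# through the first computer failure (i.e. the transfer works).

def dual_mtbf(unit_mtbf_h, mttr_h=None, coverage=1.0):
    """Mean hours until computer control is lost, starting with both up."""
    lam = 1.0 / unit_mtbf_h                       # per-computer failure rate
    mu = 0.0 if mttr_h is None else 1.0 / mttr_h  # repair rate
    c = coverage
    # Expected time to loss of control from "2 up" (T2) and "1 up" (T1):
    #   T2 = 1/(2*lam) + c*T1
    #   T1 = 1/(lam+mu) + mu/(lam+mu) * T2
    # Solving the pair for T2 gives the closed form below.
    return (lam + mu + 2.0 * lam * c) / (2.0 * lam * (lam + mu * (1.0 - c)))

def mttr_for_target(unit_mtbf_h, target_mtbf_h):
    """Longest mean repair time reaching the target, perfect transfer assumed."""
    lam = 1.0 / unit_mtbf_h
    mu = 2.0 * lam ** 2 * target_mtbf_h - 3.0 * lam
    if mu <= 0:
        return None          # target is met even with no repair at all
    return 1.0 / mu

if __name__ == "__main__":
    unit = 4000.0            # HR MTBF per computer, as quoted in the text
    print("no repair, perfect transfer :", round(dual_mtbf(unit)))
    print("MTTR needed for 35,000 HR   :", round(mttr_for_target(unit, 35000.0)))
    for c in (1.0, 0.9, 0.5, 0.0):
        # Unreliable transfer erodes the gain; at c = 0.5 the pair is no
        # better than one computer, below that it is worse.
        print("coverage", c, "->", round(dual_mtbf(unit, coverage=c)), "HR")
```

Under these assumptions two 4000 HR computers without repair give 1.5 times the single-unit figure, and a transfer that succeeds only half the time cancels the benefit of the second computer entirely.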
Further, and most importantly, the potential for multi-million dollar turbine wrecks or boiler explosions and consequential personnel injuries exists in accordance with the likelihood that a major disturbance would be induced during a transfer between control computers by the very act of the transfer. It is accordingly especially important that the transfer mechanism be reliable. There is no progress if the allegedly improved system apparently produces better plant security but in fact causes extensive damage at some point in time when it fails in a destructive manner. For example, the on-line computer may be operating the plant at a 250 MW level when it fails and a transfer is made to a backup controller. If some additional malfunction has occurred so as to cause the backup control to call for a 500 MW level of plant operation, responsive opening turbine valve movement to this new demand could be so fast that all of the stored energy would be drawn out of the steam generator to cause wet steam to enter the turbine and machine off or wreck the front row or rows of blades in any one or any combination of the high pressure, intermediate pressure and low pressure sections.
A great variety of malfunction conditions could occur at the time of transfer to cause the extreme consequences of immediate boiler or turbine damage or, as would more often tend to be the case, the less extreme but highly undesirable consequences of a boiler or turbine trip or an undesirable equipment stress cycle without a trip. An unnecessary trip and associated stress cycling could occur, for example, if a controller malfunction occurs such that at the time of transfer the on-line computer is calling for 70% load and the backup controller calls for 40% load resulting in closing movement of the turbine valves which restricts the boiler flow and causes a boiler overpressure trip.
Among other significant problems associated with implementation of backup computer control in an electric plant is that of determining what types of contingencies and what specific contingencies should initiate automatic protection transfers between control computers and devising a protective transfer system for triggering control computer transfers.
In the present application, no representation is made that any cited prior patent or other art is the best prior art nor that the interpretation placed on such art herein is the only interpretation that can be placed on that art.