Safe-Parking of a Hydrogen Production Unit - Industrial & Engineering

In the literature, the problem of handling faults in process control systems has been ... The control reconfiguration method relies on an availability...
0 downloads 0 Views 553KB Size
Download PDF
Article pubs.acs.org/IECR

Safe-Parking of a Hydrogen Production Unit Miao Du,† Prashant Mhaskar,*,† Yu Zhu,‡ and Jesus Flores-Cerrillo‡ †

Department of Chemical Engineering, McMaster University, Hamilton, Ontario L8S 4L7, Canada Praxair, Inc., Tonawanda, New York 14150, United States



ABSTRACT: This work considers the problem of handling the failure of purification equipment in a hydrogen production process. In this process, natural gas and superheated steam are fed to a heated chemical reactor termed a reformer to produce hydrogen. The effluent gas is further processed and finally purified in a pressure swing adsorber (PSA). The off-gas out of the PSA is used to provide heat to the reformer. The failure of the PSA results in the loss of the off-gas, precluding the possibility of the continuation of nominal operation. If not properly handled, this fault can lead to a shutdown of the entire plant. To achieve stable operation while meeting operating requirements, a model predictive control (MPC) based safe-parking framework is designed for the handling of the fault. The key idea is to drive the process to a feasible operating point that enables stable operation in the faulty mode. MPC is used to handle the multivariable nature of the process and operating constraints. It also guides the process to a different operating region while meeting operating requirements. The effectiveness of the safe-parking design is demonstrated through simulations using a first-principles model of the hydrogen production unit.

1. INTRODUCTION Hydrogen is an important chemical species used in petroleum and chemical industries. Commercially, an economic way to produce bulk hydrogen is to utilize steam methane reforming.1 This process consists of numerous material and heat flows, forming an intricate network of material and energy. In this process, natural gas (NG) and superheated steam are fed to a chemical reactor termed a reformer. The reformer contains catalyst tubes filled with nickel reforming catalyst, where the majority of hydrogen is produced through the following reactions: y⎞ ⎛ Cx Hy + x H 2O ⇄ xCO + ⎜x + ⎟H 2 ⎝ 2⎠

(1)

CO + H 2O ⇄ CO2 + H 2

(2)

fuel. If not properly handled, the fault could result in certain process variables breaching their limits and ultimately an expensive shutdown of the entire plant. Therefore, a stable operation of the process is desired for the handling of the fault. It is also desired that the reformer exit temperature be maintained at its nominal value in the faulty mode. The reformer exit temperature can be affected by several process variables. For example, because the chemical reactions in the reformer are overall endothermic, reducing the NG feed flow rate can help increase the reformer exit temperature. Besides, the temperature is affected by the flow rates of the combustion air and the superheated steam. Because of the multivariable nature of the process, it is difficult to manually stabilize the reformer exit temperature while meeting operating constraints under faulty conditions. For the production of hydrogen, there have been results on control designs for normal operating conditions.2 In contrast, limited results exist on control designs for faulty conditions. Therefore, it is desired that an automated fault-handling strategy be designed, which can take into account the multivariable nature of the control problem and operating constraints. In the literature, the problem of handling faults in process control systems has been studied in the area of fault-detection and fault-tolerant control (FTC) using a variety of approaches.3−15 The existing results on FTC can be broadly categorized into a passive approach and an active approach. The passive approach studies the cases where there still exists sufficient residual control effort allowing continued nominal operation in the presence of faults. The key idea is to design reliable control structures such that the controller is able to preserve nominal operation in the absence of certain control loops resulting from faults (see, for example, refs 4−7). This

The gas out of the reformer is then processed through another reactor for further production of hydrogen. The hydrogen flow is finally purified in a pressure swing adsorber (PSA), where high purity hydrogen is produced. For this process, the reformer exit temperature is an important process variable and is expected to stay at a desired value by heating the reformer. The heat is provided by burning the off-gas (the gas flow after the hydrogen product is separated) from the PSA and a NG fuel stream. The majority of the heat is provided by the off-gas. The NG fuel stream is used to regulate the reformer exit temperature under normal operating conditions. The continuous production of hydrogen, however, is subject to failures of the PSA, which are often due to failures in the control valves. In some cases, an upstream disturbance, such as hydrogen flow oscillations, can propagate to the PSA and make it fail. Without the PSA working properly, the off-gas out of the PSA, which is the major source of heat provided to the reformer, becomes unavailable. If the control system still tries to maintain nominal operation in the faulty mode of the process, the reformer exit temperature would decrease and finally deviate away from the set point because of insufficient © 2014 American Chemical Society

Received: Revised: Accepted: Published: 8147

December 26, 2013 March 12, 2014 April 4, 2014 April 4, 2014 dx.doi.org/10.1021/ie4043938 | Ind. Eng. Chem. Res. 2014, 53, 8147−8154

Industrial & Engineering Chemistry Research

Article

principles model of a hydrogen production unit. The objective of the safe-parking design is to devise a control strategy that is able to drive the process to a feasible temporary operating point subject to the fault while meeting operating requirements and constraints. Challenges in this problem are the multivariable nature of the process and the typical unavailability of a mechanistic model. Given the ability of handling multiple-input and multiple-output processes and successful applications in process industries,27 model predictive control (MPC) is chosen as the control design used in the safe-parking framework. A process model is identified as the prediction model used in the MPC design. The application of the safe-parking design is demonstrated through dynamic simulations of a first-principles model of the hydrogen production unit. The rest of the manuscript is organized as follows. In section 2, the hydrogen production unit is described in detail. In section 3, a safeparking framework is designed for the hydrogen production unit. In section 4, the safe-parking framework is applied to the first-principles based simulation model (only limited details on the simulation platform are provided due to confidentiality reasons). Finally, section 5 gives some concluding remarks.

approach has been studied for linear systems using robust pole region assignment5 and modified linear-quadratic regulator,4 and systems having unknown nonlinear dynamics (e.g., as a result of linearization of a nonlinear plant) with a boundedness condition.6,7 The passive approach typically dictates the use of as many control loops as possible (i.e., control equipment redundancy) at the same time so that the failure of one control loop does not lead to the failure of the entire control system. Economic considerations, however, often require the use of only as many control loops as necessary to minimize the cost of control action, which may invalidate the passive methods. For the latter case, the problem of FTC has been studied using an active approach, such as control reconfiguration. The control reconfiguration method relies on an availability of backup control configurations. The continuation of nominal operation is achieved by switching to an appropriate back control configuration which does not include the failed control equipment. This approach has been studied for the handling of actuator (see, for example, refs 16−21) and sensor (see, for example, refs 19 and 22) faults. In practice, numerous situations exist where faults can significantly impair the available control ability, and an appropriate backup control configuration may not always be available. In these cases, faults can preclude the possibility of the continuation of nominal operation regardless of the control law used. If the controller or control system still tried to maintain nominal operation, it could result in suboptimal operation or even process instability. A safe-parking framework has recently been proposed to handle such severe faults (i.e., those that preclude the possibility of the continuation of nominal operation) in the context of nonlinear process systems.23 The key idea is to operate the plant at an appropriately chosen temporary operating point (the so-called safe-park point) that enables safe and stable operation in the presence of a fault and a smooth resumption of nominal operation after the fault is repaired (see Figure 1 for an

2. PROCESS DESCRIPTION In this section, we present a process flow diagram and describe the hydrogen production process in more detail. NG is first purified by removing any liquid that may have condensed due to low ambient temperature. It is then split into two streams, as shown in Figure 2. Most of the NG is compressed as the feed to the reformer. A small amount is used as fuel to provide heat for the reformer. The NG feed stream is heated using downstream process heat, and further processed by removing any unfavorable compounds to the reformer catalyst. Under normal conditions, the pressure of NG fuel is controlled by an upstream valve, and the flow rate of NG fuel is controlled by a downstream valve, as shown in Figure 3a. The feed gas is mixed with superheated steam and further heated. The steam is produced from water by a steam system in the heat recovery block (see Figure 2). The heated mixed feed enters the tubes in the reformer. The majority of the hydrogen is produced in the reformer through reactions 1 and 2. Reaction 1 is reforming, and reaction 2 is shift conversion. Both reactions are reversible, and the equilibriums are based on the outlet temperature and pressure. The overall reaction is endothermic. Most of the heat is provided by the off-gas from the PSA. The rest is provided by the NG fuel to control the reformer exit temperature. The reformer effluent process gas passes through a reactor, where additional hydrogen is produced by shifting most of the carbon monoxide in the process gas to carbon dioxide and hydrogen through reaction 2. The reactor effluent stream then passes through the heat recovery and is sent to the PSA, where the hydrogen product is produced. The PSA process is based on physical adsorption phenomena. High volatile compounds with low polarity, such as hydrogen, are practically nonadsorbable compared to water, nitrogen, carbon monoxide, carbon dioxide, ammonia, methane, sulfur compounds, and hydrocarbons. Most of impurities in the gas can be selectively adsorbed, resulting in high-purity hydrogen. The off-gas out of the PSA is used as the primary fuel that provides heat for the reformer. The combustion heat resulting from the ignition of air and fuel in burners heats the reformer tubes. A fan (fan 1 in Figure 2) is used to supply air to the burners, and another fan (fan 2 in

Figure 1. Illustration of the idea of safe-parking for fault-tolerant control. The absence of safe-parking may result in process variables breaching the operating limits (dashed lines) and a possible shutdown of the entire plant (see the dash-dot line). In contrast, operating at a safe-park point xsafe−park can lead to a stable operation between the fault occurrence time tfault and the fault repair time trepair, and a smooth resumption of the operation at the nominal operating point xnominal after the fault is repaired (see the solid line).

illustration). The effectiveness of this approach has been demonstrated through an application to a styrene polymerization process.24 More recently, the idea of safe-parking has been generalized to handle the case where an actuator seizes at an arbitrary position25 and deal with faults in transport-reaction processes.26 Motivated by the theoretical results and the successful simulation studies for small scale processes, this work explores the application of the safe-parking framework to a first8148

dx.doi.org/10.1021/ie4043938 | Ind. Eng. Chem. Res. 2014, 53, 8147−8154

Industrial & Engineering Chemistry Research

Article

Figure 2. Process flow diagram of the hydrogen production process.

Figure 3. Schematic of controlling the pressure and flow rate of natural gas fuel. (a) Under normal conditions, the upstream valve controls the pressure of natural gas, and the downstream valve controls the flow rate of natural gas, working in an automatic (Auto) mode. (b) Upon a failure of the PSA, the two controllers are switched to manual mode to ensure that sufficient natural gas passes to the firebox by appropriately increasing their openings.

under consideration. Second, with the available control ability in the faulty mode, it should be possible to drive the process to the aforementioned equilibrium point while satisfying operating constraints. Third, with the recovered control ability, it should be possible to drive the process back to the nominal operating point while satisfying operating constraints. These requirements ensure a feasible operation at the safe-park point in the faulty mode and a smooth resumption of nominal operation after the fault is repaired. In addition, performance criteria can be considered in the safe-parking approach. A detailed discussion on these requirements can be found in ref 23. The design of safe-park points can be conducted off-line. In the context of constrained nonlinear systems, a bank of potential safe-park points are designed by solving the steadystate equation of a faulty system and characterizing stability regions (for example, ref 23). In particular, a potential safe-park point should be within the stability region of the nominal operating point. This ensures that after the fault is repaired, the process can go back to the nominal operating point. In other words, the satisfaction of the first and third requirements is ensured in the off-line design of the safe-parking framework. In the online implementation, once a fault is detected and isolated, the safe-parking approach decides if the current system state belongs to the stability region of potential safe-park points, subject to the known/now estimated magnitude of the fault, and selects one that meets the second requirement and performance criteria (if applicable). While developing potential safe-parking points requires the knowledge of faults, such as the location of a fault, the key idea behind safe-parking, however, is the recognition that instead of trying to pursue nominal operation upon an occurrence of severe faults, the controller should try to move the operation to a different operating point. The online implementation of this

Figure 2) draws the combustion products, which are termed flue gas, out of the reformer firebox. The firebox pressure should not breach its lower and upper limits for safety. If the pressure is too low, the fire can be extinguished. It it is too high, it may impose safety hazards to facility and personnel. The pressure is controlled by adjusting the position of the suction louvers of fan 2. As the louvers open, the fan draws more flow, resulting in a lower pressure. Conversely, as the louvers close, the fan draws less flow to increase the pressure. A failure of the PSA, if not adequately handled, may result in some critical process variables violating their limits and possibly a shutdown of the entire plant. A direct consequence of the loss of the primary fuel source is that the pressure of the mixed gas fuel and the pressure in the firebox decrease drastically. The fault also leads to a decrease in the firebox temperature and subsequently a decrease in the reformer exit temperature. Because of the multivariable nature of the process, however, it is hard to manually take timely and appropriate control action to deal with such a severe faulty scenario. This severe fault is handled by a safe-parking framework in this work.

3. SAFE-PARKING FRAMEWORK DESIGN FOR THE HYDROGEN PRODUCTION UNIT In this section, we briefly review the safe-parking approach and design a safe-parking framework for the hydrogen production process. The safe-parking approach finds such points (if they exist) that enable safe-parking and a smooth resumption of nominal operation. In general, the existence of a safe-park point is determined by the process dynamics, the available control ability, and the operating constraints. Specifically, a safe-park point must satisfy three requirements. First, it should be a feasible equilibrium point for the process subject to the fault 8149

dx.doi.org/10.1021/ie4043938 | Ind. Eng. Chem. Res. 2014, 53, 8147−8154

Industrial & Engineering Chemistry Research

Article

Figure 4. Schematic of the closed-loop control system. The notations u and y denote the inputs (the set points of the flow rates of NG fuel, combustion air, NG feed, and superheated steam) and the output (the reformer exit temperature) of the process, respectively.

idea does not require that we know the potential faults ahead of time. It does require that we are able to diagnose the fault when it happens. The safe-parking approach then dictates that the plant be moved to a different operating point and operated there until the fault is repaired. In the case of the hydrogen production unit, because the PSA can give an alarm once it fails, a fault detection and isolation design is not needed. The key task is to design an FTC strategy to deal with the fault. Having reviewed the safe-parking approach, we present a safe-parking framework for the hydrogen production process. In contrast to the previous work focusing on stability guarantees, this work focuses more on the aspect of the control design for a practical application (see Remark 3 for a discussion). Specifically, the safe-parking framework includes two parts. In the first part, we address process variables of fast dynamics, and the objective is to prevent the fuel and firebox pressures breaching their lower limits right after the occurrence of the fault. In the second part, we consider process variables of slow dynamics, and the objective is to stabilize the reformer exit temperature at a desired value. Because the dynamics of the reformer exit temperature are much slower than those of the pressures, the temperature would not change much before the pressures enter a safe operating range. Therefore, the fast and slow process variables can be handled separately. We first present procedures to maintain the fuel and firebox pressures in safe operating ranges. In this application, it was found that fully opening the flow rate valve (the downstream valve in Figure 3b) itself cannot prevent the fuel pressure from breaching its lower limit. This is because the upstream fuel pressure is not large enough to provide enough NG fuel. Therefore, it was decided to increase the opening of the pressure valve (the upstream valve in Figure 3b) upon the failure of the PSA to provide enough NG fuel. At the same time, the flow rate valve is switched from automatic mode to manual mode, and its opening is appropriately increased (see Figure 3b for an illustration). Following these procedures, the fuel pressure can ultimately be stabilized until further actions are taken. The decrease in the fuel pressure also affects the firebox pressure. Because of the sufficient control ability provided by fan 2, the desired firebox pressure can be kept at

its nominal value, and a proportional-integral-derivative (PID) controller is used to maintain this pressure at its set point. To handle the process variables of slow dynamics, we design an operating point that preserves a stable operation in the presence of the failure of PSA (i.e., a safe-park point). For the purpose of this study, it is desired to maintain the reformer exit temperature at its nominal value, albeit by moving the process to a different operating region. Therefore, an operating point for the faulty mode could be a safe-park point such that the reformer exit temperature is its nominal value in the faulty mode. To maintain the nominal temperature, additional control ability is required besides the input of NG fuel. From the operational perspective, this could be achieved by appropriately changing flow rates of the NG fuel, the combustion air, the NG feed, and the superheated steam. On the basis of these considerations, we devise a control strategy that enables a transition of the process to an aforementioned safe-park point while meeting operating constraints. To handle the multivariable nature of the process, MPC is chosen as the control law to drive the process to a safepark point. The controlled and manipulated variables are chosen based on the operating requirements and process characteristics. Because at a safe-park point it is desired that the reformer exit temperature be at its nominal value, the reformer exit temperature is chosen as the controlled variable or the output of the plant (see Figure 4). From the knowledge of the process, it is known that the flow rates of NG fuel, combustion air, NG feed, and superheated steam all affect the reformer exit temperature. Note that each of these process variables is controlled by a PID controller in a feedback loop. Therefore, the set points of the flow rates of NG fuel, combustion air, NG feed, and superheated steam are chosen as manipulated variables (see Figure 4). During the transient, it is required that the reformer exit temperature be below its upper limit, and the steam-to-carbon ratio (S/C) in the reformer be above its lower limit. These are incorporated as constraints in the MPC design. Another component of the MPC design is a prediction model. In this study, a first-principles model is used as the plant, and an empirical model is used as the prediction model. Note that the structures of the system are different in the 8150

dx.doi.org/10.1021/ie4043938 | Ind. Eng. Chem. Res. 2014, 53, 8147−8154

Industrial & Engineering Chemistry Research

Article

4. APPLICATION OF THE SAFE-PARKING FRAMEWORK In this section, we illustrate the implementation of the safeparking framework designed in section 3 to a first-principles based simulation model of the hydrogen production unit. This includes the process model identification, the handling of the NG fuel and firebox pressure drops, and the transition of the process to a safe-park point where the reformer exit temperature is at its nominal value. Throughout this section, process variables are reported by percentages: xpercentage = (xactual − xlower)/(xupper − xlower) × 100%, where xactual is the actual value of a process variable x, xlower and xupper are the lower and upper bounds used to scale the process variable, and xpercentage is the scaled value. The process model is first identified by making step tests to the process at an operating point in the presence of a PSA failure. The step changes are made to the set points of the flow rates. At the operating point where the step tests are made, the reformer exit temperature y = 88.5%, the NG fuel flow rate u1 = 100%, the combustion air flow rate u2 = 44.0%, the NG feed flow rate u3 = 52.7%, and the superheated steam flow rate u4 = 43.1%. The magnitudes of step changes are −4%, 4%, 4%, and 10% for ui, i = 1, ..., 4, respectively. Note that the plant inputs considered in the MPC design are the set points of the flow rates. Any significant delay in the response of the process to the step change in each input will be captured by the dead-time in the identified model. Therefore, the delays due to tracking the reference inputs in the closed-loop subsystems (see Figure 4) are inherently considered in the process model identification and therefore the design of MPC. The step changes and the responses of the process and model in the reformer exit temperature are shown in Figures 6−9. It can be seen from Figure 6 that as the set point of the

normal and faulty modes depending on whether the off-gas from the PSA is available (the recycle of the off-gas fuel is unavailable in the faulty model). Therefore, a process model identified around a feasible operating point in the faulty mode would represent the dynamics of the process better in the faulty mode. A first order plus dead-time model is used for process model identification. Remark 1. Note that the output value of the plant at a safepark point can be the same as that at the nominal operating point (see Figure 5 for an illustration). For the problem under

Figure 5. Illustration of the nominal operating point, a safe-park point, and the corresponding outputs. While the outputs are the same at both operating points, the safe-park point is not the same as the nominal operating point in the state space.

consideration, it is desired that the output of the plant at a safepark point be the nominal value of the reformer exit temperature. In general, however, a safe-park point is characterized by the state of a plant,23 and the safe-park points characterized by the nominal exit temperature in essence correspond to different safe-park points (in the state space). Remark 2. Note that the concept of safe-parking is fundamentally different from control reconfiguration and is meant to achieve differing objectives with differing means. The idea of control reconfiguration is to switch to a backup control configuration, such as a different set of control actuators or inputs not including the failed one, that is able to preserve nominal operation in the presence of a fault. In contrast, safeparking is employed to move the process to a different operating point while the fault is being recovered. For the process under consideration, the use of additional manipulated inputs enables moving the process to a different operating point. However, it is not intended to operate the plant at the nominal operating point (defined in the state space). For example, the firebox temperature, a process variable in the state space, at a safe-park point can be different from that at the nominal operating point. Instead, it is intended to provide additional control ability to enable a transition to a safe-park point that satisfies the operating requirement of maintaining the reformer exit temperature at its nominal value. Remark 3. For the process under consideration, the stability requirements23 for a safe-park point are not pertinent. However, performance criteria dictate the choice of a safepark point. In particular, performance criteria dictate the nominal values of the flow rates of the manipulated inputs at the safe-park point and are also manifested as constraints during the safe-parking process, such as maintaining process variables within certain bounds and keeping the S/C above its lower limit. Note also that the safe-parking approach is implemented using a linear model identified from step test data to replicate typical model building in an industrial setup (see section 4 for a discussion on the handling of the plantmodel mismatch in the implementation of MPC).

Figure 6. Step change in the set point of the NG fuel flow rate (u1) and the responses (y) of the process (solid line) and model (dashed line).

NG fuel flow rate decreases, the reformer exit temperature decreases because of the fuel reduction. It can be seen from Figure 7 that as the set point of the combustion air flow rate increases, an inverse response in the reformer exit temperature is observed. Because the steam and mixed feed are heated by the flue gas in the heat recovery, the increase in the combustion air flow rate first leads to an increase in the temperatures of the superheated steam and the mixed feed to the reformer. This then leads to an initial increase in the reformer exit temperature. On the other hand, the increased combustion 8151

dx.doi.org/10.1021/ie4043938 | Ind. Eng. Chem. Res. 2014, 53, 8147−8154

Industrial & Engineering Chemistry Research

Article

Figure 7. Step change in the set point of the combustion air flow rate (u2) and the responses (y) of the process (solid line) and model (dashed line).

Figure 9. Step change in the set point of the superheated steam flow rate (u4) and the responses (y) of the process (solid line) and model (dashed line).

air lowers the firebox temperature. Due to the relatively slow dynamics, this leads to a later decrease in the reformer exit temperature. Because the effect of the reduced firebox temperature is dominating, overall the reformer exit temperature decreases. It can be seen from Figure 8 that as the set

Figure 8. Step change in the set point of the NG feed flow rate (u3) and the responses (y) of the process (solid line) and model (dashed line).

point of the NG feed flow rate increases, the reformer exit temperature decreases because the overall reaction is endothermic. It can be seen from Figure 9 that as the set point of the superheated steam flow rate increases, the reformer exit temperature decreases because the steam temperature is lower than the temperature in the reactor and steam promotes the forward reactions. We then consider a situation where the process is initially at its nominal operating point, and the PSA fails at 10 min. To compensate the reduction in the NG fuel pressure, the opening of the pressure valve (the upstream valve in Figure 3b) is manually increased, and the flow rate valve (the downstream valve in Figure 3b) is manually increased to 70% from where it is at the time of failure. The response of the fuel pressure and the evolution of the flow rate valve opening profile are shown in Figure 10. It can be seen that due to the fast complement of NG fuel, the fuel pressure does not breach its lower limit 0.5%. The response of the firebox pressure and the evolution of the inlet guide vane (IGV) position for fan 2 are shown in Figure 11. It can be seen that the firebox pressure does not violate its lower limit 33.3% and upper limit 66.0%.

Figure 10. Evolution of (a) the NG fuel pressure profile and (b) the opening profile of the NG fuel flow rate valve. To compensate the reduction in the NG fuel pressure due to the failure of the PSA at 10 min, the pressure valve is manually opened to an appropriate position by a certain amount, and the flow rate valve is manually opened to 70% from where it is at the time of the failure. The pressure does not violate its lower limit 0.5%. The predictive controller is activated at 11.5 min.

We finally show the application of MPC to drive the plant to a safe-park point while maintaining the reformer exit temperature at its set point. The MPC strategy was implemented using the Matlab MPC Toolbox. The sampling period is chosen as 0.5 min, the predictive horizon 60 sampling periods, and the control horizon 20 sampling periods. In the optimization problem of MPC, the objective function is defined as a weighted sum of deviations of the output from its steady-state 8152

dx.doi.org/10.1021/ie4043938 | Ind. Eng. Chem. Res. 2014, 53, 8147−8154

Industrial & Engineering Chemistry Research

Article

Figure 11. Evolution of the firebox pressure profile and the profile of the inlet guide vane (IGV) position for fan 2 (solid lines). The pressure does not violate its lower or upper limit (dashed lines).

value and increments in inputs, for which the weight or weighting matrix is Q = 0.1 and

RΔu

⎡1 ⎢ 0 =⎢ ⎢0 ⎢⎣ 0

0 1 0 0

0 0 1 0

Figure 12. Evolution of the closed-loop input profiles for the hydrogen production unit. Before the PSA fails at 10 min, ui, i = 1, ..., 4, denotes the actual flow rate of NG fuel, combustion air, NG feed, and superheated steam, respectively. After the PSA fails, ui denotes the set point of the corresponding flow rate.

0⎤ ⎥ 0⎥ 0⎥ ⎥ 1⎦

respectively. Note that the plant-model mismatch due to the use of a single linear model is accounted for by the implementation of MPC consisting of a plant model and a disturbance model. The plant model is the first order plus deadtime model. The disturbance model is used to account for the effect of differences between the actual plant and the plant model on predicting the process output. The performance of the controller can certainly be improved by using a combination of linear models “along” the transient path, which in general might not be readily available. The predictive controller is activated after the NG fuel pressure is stabilized and remains unchanged within a given tolerance for a period of 30 s. As shown in Figure 10, the predictive controller is activated at 11.5 min in the simulation study. In the period between the failure of the PSA and the activation of the predictive controller, NG fuel flow rate increases due to the requirement of compensating fuel and firebox pressures, which also helps prevent the reformer exit temperature from dropping further from the set point. However, no other actions are taken until the activation of the predictive controller. After the predictive controller is activated, the controller dictates decreases in the set points of the combustion air, NG feed, and superheated steam flow rates (see Figure 12), which all help prevent the reformer exit temperature from dropping and drive it back to the set point. Because of the consideration of the plant-model mismatch, the controller is able to drive the process to the desired operating point. As shown in Figure 13, the reformer exit temperature goes back to its set point at around 50 min (i.e., 40 min after the PSA fails), and does not breach its upper limit, which is 100%. It can be seen from Figure 14 that the S/C does not violate its lower limit (dashed line) during the transition and at the safe-park point. This implies that the hydrogen production unit has been successfully safe-parked. After the PSA is repaired, the control system can be switched to its normal operating mode. Because nominal operation can be continued with the control design for the normal operating mode, the results following the repair of the PSA are omitted.

Figure 13. Evolution of the closed-loop output profile for the hydrogen production unit. The notation y denotes the reformer exit temperature, which is stabilized at its set point (see the dashed line) at around 50 min (about 40 min after the PSA fails) in the presence of the failure of the PSA. The temperature does not breach its upper limit 100%.

Figure 14. Evolution of the closed-loop steam-to-carbon ratio (S/C) profile for the hydrogen production unit (solid line). The S/C does not violate its lower limit (dashed line).

5. CONCLUSIONS This work considered the problem of handling the failure of purification equipment in a hydrogen production process. In 8153

dx.doi.org/10.1021/ie4043938 | Ind. Eng. Chem. Res. 2014, 53, 8147−8154

Industrial & Engineering Chemistry Research

Article

(13) Perk, S.; Shao, Q. M.; Teymour, F.; Cinar, A. An adaptive faulttolerant control framework with agent-based systems. Int. J. Robust Nonlinear Control 2012, 22, 43−67. (14) Hua, C. C.; Ding, S. X.; Guan, X. P. Robust controller design for uncertain multiple-delay systems with unknown actuator parameters. Automatica 2012, 48, 211−218. (15) Yin, S.; Luo, H.; Ding, S. X. Real-time implementation of faulttolerant control systems with performance optimization. IEEE Trans. Ind. Electron. 2014, 61, 2402−2411. (16) Mhaskar, P.; Gani, A.; El-Farra, N. H.; McFall, C.; Christofides, P. D.; Davis, J. F. Integrated fault-detection and fault-tolerant control of process systems. AIChE J. 2006, 52, 2129−2148. (17) El-Farra, N. H. Integrated fault detection and fault-tolerant control architectures for distributed processes. Ind. Eng. Chem. Res. 2006, 45, 8338−8351. (18) Mhaskar, P. Robust model predictive control design for faulttolerant control of process systems. Ind. Eng. Chem. Res. 2006, 45, 8565−8574. (19) Mhaskar, P.; Gani, A.; McFall, C.; Christofides, P. D.; Davis, J. F. Fault-tolerant control of nonlinear process systems subject to sensor faults. AIChE J. 2007, 53, 654−668. (20) Armaou, A.; Demetriou, M. A. Robust detection and accommodation of incipient component and actuator faults in nonlinear distributed processes. AIChE J. 2008, 54, 2651−2662. (21) Mhaskar, P.; McFall, C.; Gani, A.; Christofides, P. D.; Davis, J. F. Isolation and handling of actuator faults in nonlinear systems. Automatica 2008, 44, 53−62. (22) Martini, R. A.; Chylla, R. W., Jr.; Cinar, A. Fault-tolerant computer control of a time delay system: sensor failure tolerance by controller reconguration. Comput. Chem. Eng. 1987, 11, 481−488. (23) Gandhi, R.; Mhaskar, P. Safe-parking of nonlinear process systems. Comput. Chem. Eng. 2008, 32, 2113−2122. (24) Gandhi, R.; Baldwin, D.; Mhaskar, P. Safe-parking of a styrene polymerization process. Ind. Eng. Chem. Res. 2009, 48, 7205−7213. (25) Du, M.; Nease, J.; Mhaskar, P. An integrated fault diagnosis and safe-parking framework for fault-tolerant control of nonlinear systems. Int. J. Robust Nonlinear Control 2012, 22, 105−122. (26) Mahmood, M.; Mhaskar, P. Safe-parking framework for faulttolerant control of transport-reaction processes. Ind. Eng. Chem. Res. 2010, 49, 4285−4296. (27) Morari, M.; Lee, H. J. Model predictive control: Past, present and future. Comput. Chem. Eng. 1999, 23, 667−682.

this process, NG and superheated steam are fed to a reformer to produce hydrogen. The effluent gas is further processed and finally purified in a PSA. The off-gas out of the PSA is used to provide heat to the reformer. The failure of the PSA results in the loss of the off-gas, precluding the possibility of the continuation of nominal operation. If not properly handled, this fault can lead to a shutdown of the entire plant. To achieve stable operation while meeting operating requirements, an MPC based safe-parking framework was designed for the handling of the fault. The key idea is to drive the process to a feasible operating point that enables stable operation in the faulty mode. MPC is used to handle the multivariable nature of the process and operating constraints. It also guides the process to a different operating region while meeting operating requirements. The effectiveness of the safe-parking design was demonstrated through simulations using a first-principles model of the hydrogen production unit.



AUTHOR INFORMATION

Corresponding Author

*E-mail: [email protected]. Notes

The authors declare no competing financial interest.



ACKNOWLEDGMENTS Financial support from the Natural Sciences and Engineering Research Council of Canada and the McMaster Advanced Control Consortium is gratefully acknowledged.



REFERENCES

(1) Baade, W. F.; Parekh, U. N.; Raman, V. S. Kirk-Othmer Encyclopedia of Chemical Technology; John Wiley & Sons, Inc.: New York, 2000; Vol. 13, pp 759−808. (2) Wu, W.; Wang, C.-Y. Design and control of stand-alone hydrogen production systems with maximum waste heat recovery. Ind. Eng. Chem. Res. 2013, 52, 14601−14612. (3) Basila, M. R., Jr.; Stefanek, G.; Cinar, A. A model-object based supervisory expert system for fault tolerant chemical reactor control. Comput. Chem. Eng. 1990, 14, 551−560. (4) Veillette, R. J. Reliable linear-quadratic state-feedback control. Automatica 1995, 31, 137−143. (5) Zhao, Q.; Jiang, J. Reliable state feedback control system design against actuator failures. Automatica 1998, 34, 1267−1272. (6) Wang, Z. D.; Huang, B.; Unbehauen, H. Robust reliable control for a class of uncertain nonlinear state-delayed systems. Automatica 1999, 35, 955−963. (7) Wang, Z. D.; Huang, B.; Burnham, K. J. Stochastic reliable control of a class of uncertain time-delay systems with unknown nonlinearities. IEEE Trans. Circuits Syst. I 2001, 48, 646−650. (8) Mehranbod, N.; Soroush, M.; Piovoso, M.; Ogunnaike, B. A. Probabilistic model for sensor fault detection and identication. AIChE J. 2003, 49, 1787−1802. (9) Mehranbod, N.; Soroush, M.; Panjapornpon, C. A method of sensor fault detection and identication. J. Proc. Contr. 2005, 15, 321− 339. (10) Chilin, D.; Liu, J.; Muñoz de la Peña, D.; Christofides, P. D.; Davis, J. F. Detection, isolation and handling of actuator faults in distributed model predictive control systems. J. Proc. Control. 2010, 20, 1059−1075. (11) Hu, Y.; El-Farra, N. H. Robust fault detection and monitoring of hybrid process systems with uncertain mode transitions. AIChE J. 2011, 57, 2783−2794. (12) Chilin, D.; Liu, J.; Chen, X.; Christofides, P. D. Fault detection and isolation and fault tolerant control of a catalytic alkylation of benzene process. Chem. Eng. Sci. 2012, 78, 155−166. 8154

dx.doi.org/10.1021/ie4043938 | Ind. Eng. Chem. Res. 2014, 53, 8147−8154