On Integration of Model Predictive Control with Safety System: Preventing Thermal Runaway

Mario R. Eden, Marianthi Ierapetritou and Gavin P. Towler (Editors) Proceedings of the 13th International Symposium on Process Systems Engineering – PSE 2018 July 1-5, 2018, San Diego, California, USA © 2018 Elsevier B.V. All rights reserved. https://doi.org/10.1016/B978-0-444-64241-7.50330-X

On Integration of Model Predictive Control with Safety System: Preventing Thermal Runaway Zhihao Zhanga, Zhe Wua, Helen Duranda, Fahad Albalawib, Panagiotis D. Christofidesa,b,* a

Department of Chemical and Biomolecular Engineering, University of California, Los Angeles, CA, 90095-1592, USA b Department of Electrical and Computer Engineering, University of California, Los Angeles, CA 90095-1592, USA [email protected]

Abstract In this paper, the methyl isocyanate (MIC) hydrolysis reaction in a CSTR is used as an example to demonstrate the performance of a Lyapunov-based model predictive control (LMPC) system integrated with the activation of a safety system. Initially, in the presence of small disturbances, it is demonstrated that the closed-loop system state under LMPC is able to stay close to the operating steady-state and within the stability region. However, in the presence of a significant disturbance in the feed, the control system cannot maintain the closed-loop state inside the stability region, and thus, it has to be integrated with the reactor safety system to avoid thermal runaway. Keywords: Predictive control; Process control; Process safety; Reaction runaway

1. Introduction Process operational safety is a critical element of chemical plant operation due to the severe consequences for both lives and property when safe process operation is not maintained. Despite the very significant efforts to develop safe process/plant design and operation procedures, accidents continue to occur. Innovative operating strategies such as integrating directly the actions of process control and safety systems are required to prevent unsafe process operation which may lead to catastrophic events. In particular, coordinating the control system actions with the ones of the safety systems, while maintaining their independence for redundancy purposes, would represent a significant paradigm shift in both control and safety system design that has the potential to impact process operational safety. Motivated by the above considerations, in the present work, we investigate how the activation of the safety system should be accounted for in conjunction with model predictive control (MPC) design because the actions of the safety system change the process dynamics, and thus, they should be accounted for in the MPC implementation. To demonstrate for the first time the integration of MPC with a safety system, we focus on the methyl isocyanate (MIC) hydrolysis reaction in a CSTR; MIC is the principal chemical involved in the Bhopal disaster (Toro et al., 2016).

2. Process description The exothermic hydrolysis reaction of methyl isocyanate to the corresponding amine and carbon dioxide is given as follows:

Z. Zhang et al.

2012

CH 3 NCO(l )  H 2O(l )  o CH 3 NH 2( aq )  CO2( aq ) The MIC hydrolysis reaction in a CSTR is considered (Ball, 2011). By applying mass and energy balances, the dynamic model of the process can be described as follows:  Ea dC A mk0e RT C A  F (C A0  C A ) dt  Ea dT mCP ( 'H )mk0e RT C A  FCP (T0  T )  L(T  T j ) dt

m

(1)

where ‫ܥ‬஺ is the concentration of MIC in the reactor,  is the total mass of the mixture in the reactor, and  is the temperature of the reactor. The concentration of reactant MIC, the temperature and the mass flow rate of the feed are denoted as ‫ܥ‬஺଴ , ܶ଴ and ‫ܨ‬, respectively. The reacting liquid has a constant heat capacity of ‫ܥ‬௉ . ݇଴ , ‫ܧ‬௔ and ο‫ ܪ‬are the reaction pre-exponential factor, activation energy and the enthalpy of the reaction, respectively. The CSTR is equipped with a cooling jacket where ‫ ܮ‬is the heat transfer coefficient and ܶ௝ is the cooling jacket temperature. The reactor is simulated at the conditions reported for the Bhopal catastrophe (Toro et al., 2016). Process parameter values are listed in Table 1. Table 1: Parameter values of the CSTR. ܶ଴ ൌ ʹͻ͵‫ܭ‬

‫ ܨ‬ൌ ͷ͹Ǥͷ݇݃Ȁ‫ݏ‬

݉ ൌ ͶǤͳ ൈ ͳͲସ ݇݃

‫ܧ‬௔ ൌ ͸ǤͷͶ ൈ ͳͲସ ‫ܬ‬Ȁ݉‫݈݋‬

݇଴ ൌ ͶǤͳ͵ ൈ ͳͲ଼ Ȁ‫ݏ‬

ο‫ ܪ‬ൌ െͺǤͲͶ ൈ ͳͲସ ‫ܬ‬Ȁ݉‫݈݋‬

‫ܥ‬௉ ൌ ͵ ൈ ͳͲଷ ‫ܬ‬Ȁሺ݇݃‫ܭ‬ሻ

ܴ ൌ ͺǤ͵ͳͶ‫ܬ‬Ȁሺ݉‫ܭ݈݋‬ሻ

‫ ܮ‬ൌ ͹Ǥͳ ൈ ͳͲ଺ ‫ܬ‬Ȁሺ‫ܭݏ‬ሻ

‫ܥ‬஺଴ ൌ ʹͻǤ͵ͷ݉‫݈݋‬Ȁ݇݃

ܶ௝௦ ൌ ʹͻ͵‫ܭ‬

‫ܥ‬஺௦ ൌ ͳͲǤͳ͹͸͹݉‫݈݋‬Ȁ݇݃

ܶ௦ ൌ ͵ͲͷǤͳͺͺͳ‫ܭ‬

3. LMPC design and thermal runaway 3.1. LMPC control design The control objective is to stabilize the reactor at its steady-state by adjusting the manipulated input (denoted by ‫ ) ݑ‬which is the cooling jacket temperature ܶ௝ . The LMPC scheme is formulated as the following optimization problem: ‫ݐ‬

݉݅݊ ‫݇ ׬‬൅ܰሺԡ‫ݔ‬෤ ሺ߬ሻԡʹܳܿ ൅ ԡ‫ݑ‬ሺ߬ሻԡʹܴܿ ሻ݀߬

‫ܵאݑ‬ሺοሻ ‫݇ݐ‬

s.t.

‫ݔ‬෤ሶ ሺ‫ݐ‬ሻ ൌ ݂ሺ‫ݔ‬෤ ሺ‫ݐ‬ሻǡ ‫ݑ‬ሺ‫ݐ‬ሻሻ

(2b)

‫ݔ‬෤ ሺ‫ ݇ݐ‬ሻ ൌ ‫ݔ‬ሺ‫ ݇ݐ‬ሻ ‫ݑ‬ሺ‫ݐ‬ሻ ‫ܷ א‬ǡ ‫߳ݐ׊‬ሾ‫ݐ‬௞ ǡ ‫ݐ‬௞ାே ሻ ߲ܸሺ‫ݔ‬ሺ‫ ݇ݐ‬ሻሻ ߲‫ݔ‬

݂ሺ‫ݔ‬ሺ‫ ݇ݐ‬ሻǡ ‫ݑ‬ሺ‫ ݇ݐ‬ሻሻ ൑

߲ܸሺ‫ݔ‬ሺ‫ ݇ݐ‬ሻሻ ߲‫ݔ‬

݂ሺ‫ݔ‬ሺ‫ ݇ݐ‬ሻǡ ݄ሺ‫ ݇ݐ‬ሻሻ

(2e)

where ‫ݔ‬෤ is the predicted state trajectory, ܵሺοሻ is the set of piecewise constant functions with period ο, and ܰ is the number of sampling periods in the prediction horizon. The

On Integration of Model Predictive Control with Safety System

2013

optimal input trajectory of the LMPC optimization problem is ‫ כݑ‬ሺ‫ݐ‬ሻ, which is calculated over the entire prediction horizon ‫߳ݐ‬ሾ‫ݐ‬௞ ǡ ‫ݐ‬௞ାே ሻ. The control action computed for the first sampling period in the prediction horizon ‫ כݑ‬ሺ‫ݐ‬ሻ is applied over the first sampling period, and the LMPC problem is resolved at the next sampling period. The objective function Eq.(2a) is minimizing the integral of ԡ‫ݔ‬෤ሺ߬ሻԡଶொ೎ ൅ ԡ‫ݑ‬ሺ߬ሻԡଶோ೎ over the prediction horizon. The constraint of Eq.(2b) is the deviation form of Eq.(1) that is used to predict the states of the closed-loop system. Eq.(2c) defines the initial condition ‫ݔ‬෤ሺ‫ݐ‬௞ ሻ of the optimization problem which is the state measurement ‫ݔ‬ሺ‫ݐ‬௞ ሻ at ‫ ݐ‬ൌ ‫ݐ‬௞ . Eq.(2d) defines the input constraints applied over the entire prediction horizon. The constraint of Eq.(2e) is to decrease ܸሺ‫ݔ‬ሻ such that ‫ݔ‬ሺ‫ݐ‬ሻ will move towards the origin at least at the worst-case rate achieved by the Lyapunov-based controller ݄ሺ‫ݔ‬ሻ, which will be defined later. The explicit Euler method with an integration time step of ݄௖ ൌ ͳͲିଶ ‫ ݏ‬was applied to numerically simulate the dynamic model of Eq.(1) under the LMPC. The nonlinear optimization problem of the LMPC of Eq.(2) was solved using the IPOPT software package with the following parameters: sampling period οൌ ͳ‫ ;ݏ‬prediction horizon ܰ ൌ ͳͲ. ܳ௖ ൌ ሾ͵ͲǢ Ͳͷሿ and ܴ௖ ൌ ͳ are chosen such that the term related to the states and the term related to the input are on the same order of magnitude in ԡ‫ݔ‬෤ሺ߬ሻԡଶொ೎ ൅ ԡ‫ݑ‬ሺ߬ሻԡଶோ೎ . The manipulated input is the cooling jacket temperature ܶ௝ , which is bounded as follows: ʹͺͲ‫ ܭ‬൑ ܶ௝ ൑ ͵ͲͲ‫ܭ‬. The CSTR is initially operated at the steady-state ሾ‫ܥ‬஺௦ ܶ௦ ሿ ൌ ሾͳͲǤͳͺ݉‫݈݋‬Ȁ݇݃͵ͲͷǤͳͻ‫ܭ‬ሿ, with steady-state ܶ௝௦ ൌ ʹͻ͵‫ܭ‬. Therefore, the states and the input of the closed-loop system are represented in deviation form as ‫ ் ݔ‬ൌ ሾ‫ܥ‬஺ െ ‫ܥ‬஺௦ ܶ െ ܶ௦ ሿ and ‫ ݑ‬ൌ ܶ௝ െ ܶ௝௦ , such that the equilibrium point of the system is at the origin of the state-space. The Lyapunov function is designed using the standard quadratic form ܸሺ‫ݔ‬ሻ ൌ ‫ ݔܲ ் ݔ‬, where the positive definite matrix ܲ is as follows: ሾʹͲͲ͵͵Ǣ ͵͵ͶͲሿ . The stability region ȳఘ is characterized as ȳఘ ൌ ሼ‫א ݔ‬ ܴଶ ȁܸሺ‫ݔ‬ሻ ൑ ߩሽ. For the system of Eq.(1), the stability region ȳఘ with ߩ ൌ ͺͲͲͲ is found based on the above Lyapunov function ܸ and the following controller ݄ሺ‫ݔ‬ሻ (Lin and Sontag, 1991) for the system of form ‫ݔ‬ሶ ൌ ݂ሺ‫ݔ‬ǡ ‫ݑ‬ሻ ൌ ݂ሺ‫ݔ‬ሻ ൅ ݃ሺ‫ݔ‬ሻ‫ݑ‬:

­ L V  L V2 L V4 f g ° f LgV ° h( x ) ® LgV 2 ° 0 ° ¯ 3.2. Simulation results

if

LgV z 0

if

LgV

(3)

0

A small feed disturbance (i.e., change of feed concentration from ʹͻǤ͵ͷ݉‫݈݋‬Ȁ݇݃ to ͵ͷ݉‫݈݋‬Ȁ݇݃) is initially considered and Figs. 1a and 1b demonstrate that the closed-loop system under the LMPC is robust to the small disturbance by stabilizing the system state at another steady-state within the stability region. However, when there exists a large disturbance (i.e., the change of feed concentration is from ʹͻǤ͵ͷ݉‫݈݋‬Ȁ݇݃ to ͹Ͳ݉‫݈݋‬Ȁ݇݃) due to, for example, device failure, it is shown in Fig. 1c that the state goes out of the stability region and the manipulated input hits its lower bound to cool down the reactor as much as possible. However, after 150 seconds of implementation of maximum cooling, the reactor temperature starts to increase significantly. The reason for this increasing value of the temperature is that when the reactor temperature rises, the exothermic reaction rate also increases, causing further increase in temperature, which is a dangerous phenomenon called thermal runaway. Therefore, it can be concluded that in the presence of large disturbances, the reactor

Z. Zhang et al.

2014

may operate in an unsafe region due to the restriction of the control actuator, which motivates the development of a safety system to maintain reactor safety.

(a) State-space profile under small disturbance

(c) State-space profile under large disturbance

(b) Input trajectory under small disturbance

(d) Input trajectory under large disturbance

Figure 1: (a) and (b) demonstrate that the LMPC can stabilize the closed-loop state at another steady-state when there is a small disturbance. (c) and (d) demonstrate that the LMPC fails to keep the closed-loop state inside the stability region when there is a large disturbance.

4. Integration of MPC with safety system In this section, the safety system is first designed using two different safety mechanisms: (a) safety relief valve; (b) cool water injection. Then, the entire process control/safety system which integrates the safety system with the LMPC is developed to guarantee closed-loop safety and stability. Finally, the MIC reaction example is used to demonstrate the application of the proposed control/safety scheme. 4.1. Components of safety system 4.1.1. Safety relief valve The valve is activated to reduce the temperature and pressure of the reactor by discharging material when the temperature or pressure is extremely high in the reactor. In industry, reaction runaway may occur due to different failures, such as mis-charging reactant, loss of cooling temperature and so on. Since the above unsafe operating conditions are unpredictable and uncontrollable, a suitable and correctly sized relief system is crucially important as a backup method to prevent fatal accidents (Hace, 2013). The size of the relief valve is carefully chosen. Specifically, if the relief valve is under-sized, high pressure and equipment failure may occur; if the relief device is oversized, the relief system may become unstable during the operation and too much material may be wasted (Crowl and Tipler, 2013). 4.1.2. Cool water injection A direct cool solvent injection can cool down the reaction mixture temperature. It has been demonstrated in both simulation and experiment (Vernières-Hassimi and Leveneur, 2015) that cool water injection can lower the reactor temperature very fast.

On Integration of Model Predictive Control with Safety System

2015

4.1.3. Safety system for simulation In our simulation, high temperature is the trigger of the opening of the relief valve. Specifically, the valve opens once the temperature is higher than ͵ʹͲ‫ܭ‬. To simplify the development, we assume that the relief recharge flow is in liquid phase. The relief valve size is ͲǤͲͲͶ݉ଶ and the relief flow is determined by the equation in (Hace, 2013):

Grelief

0.9 u144 u

dP 32.2 T u( u ) dT 778.16 CP

(4)

Cool water is injected at 280 K, and the flow rate is the same as the relief valve flow rate, thus the total mass in the reactor remains unchanged. 4.2. Logic integrating control and safety systems LMPC integrated with the activation of the safety system is developed to help the closed-loop system state to avoid thermal runaway when the LMPC fails to maintain the state inside the stability region in the presence of large disturbances. A schematic of different regions and an example closed-loop trajectory is shown in Fig. 2, where different control schemes will be activated in the following three regions.

Figure 2: A schematic showing the stability region (green), unsafe operating region (orange), and the thermal runaway region (red), together with an example trajectory starting from the origin.

Region 1: When the closed-loop state is inside the stability region, the LMPC is implemented to stabilize the system at the origin or at another steady-state if there continuously exist small disturbances. At this stage, the safety system is not activated. Region 2: If large disturbances are introduced into the reactor, the state comes out of the stability region. In order to ensure process operational safety, the manipulated input (i.e., ܶ௝ ) is set to its lower bound, namely the lowest cooling jacket temperature, since the control system fails to work outside of the stability region. Region 3: If large disturbances keep affecting the reactor and the maximum cooling is not able to lower the temperature, then the reactor temperature reaches a high value (i.e., the lower boundary of Region 3). Safety actions are taken in Region 3. Specifically, the relief valve opens immediately after the state enters Region 3 and stays open until the state goes back to Region 1. Meanwhile, cold water is injected into the reactor, cooling down the reactor. Injection stops once the relief valve is closed (state goes back into Region 1). At the same time, the jacket temperature stays at its lower bound to apply maximum cooling. 4.3. Simulation results In Fig. 3, it is demonstrated that in the presence of a large disturbance, LMPC integrated with the safety system via the above logic succeeds to avoid thermal runaway and to drive the state back to the origin. At the beginning of the simulation, a large disturbance

2016

Z. Zhang et al.

is introduced into the reactor, resulting in the failure of LMPC to keep the system state within the stability region. After about 600 seconds, since the heat generated by the reaction is much more than the heat that the cooling system can remove, the concentration of the reactant is accumulated to such a great extent that the temperature starts to increase rapidly and reaches the safety limit of ͵ʹͲ‫ܭ‬. Once the temperature exceeds the safety limit, the relief valve opens to discharge hot fluid from the reactor and an additional stream is employed to feed fresh water into the reactor. Liquid relief flow rapidly decreases the total internal energy and the reactant concentration in the reactor. Cool water promptly cools down the reactor temperature and it dilutes the reactant concentration. The safety system is activated for about 10 seconds to drive the closed-loop state back to Region 1. Once the closed-loop state goes back to Region 1, the LMPC replaces the safety system to stabilize the system state to the origin. Inside Region 1, a well-designed LMPC is guaranteed to stabilize the system state to the origin when there is no disturbance. It should be noted that if the large disturbance still exists after the closed-loop system state goes back into Region 1, then the overall process control system with the safety system is implemented again to avoid thermal runaway as discussed above.

Figure 3: State-space plot and input plot of LMPC integrated with the safety system.

5. Conclusion In this work, an LMPC system integrated with the activation of a safety system was developed for the MIC reaction in a CSTR to avoid thermal runaway. Specifically, in the presence of large disturbances, it was demonstrated that the closed-loop system under LMPC integrated with a safety system achieved process safety by avoiding thermal runaway and driving the state back into the stability region.

References R. Ball. Oscillatory thermal instability and the bhopal disaster. Process Safety and Environmental Protection, 89:317–322, 2011. D. Crowl and S. Tipler. Sizing pressure-relief devices. Chemical Engineering Progress, 109:68– 76, 2013. I. Hace. The pressure relief system design for industrial reactors. Journal of Industrial Engineering, 2013:1–14, 2013. Y. Lin and E. Sontag. A universal formula for stabilization with bounded controls. Systems & Control Letters, 16:393–397, 1991. J. Toro, I. Dobrosz-Gómez, and M. García. Dynamic modeling and bifurcation analysis for themethyl isocyanate hydrolysis reaction. Journal of Loss Prevention in the Process Industries, 39:106–111, 2016. L. Vernières-Hassimi and S. Leveneur. Alternative method to prevent thermal runaway in case of error on operating conditions continuous reactor. Process Safety and Environmental Protection, 98:365–373, 2015.