Control System Design—Gas Turbine Machinery: The Use of a Corporate Model for Control System Design

This paper describes a systematic, consistent approach to control design developed over years of theoretical design and field testing. The Gas Turbine Generator Set control (with some Hovercraft Lift control variations) is discussed both as an example of the design method and as a project on its own merit. This control ideology is not dependent on implementing hardware or high level languages. It is an organic method based on an example of "human" organization, the corporation. The Gas Turbine control is an interactive corporate team; member personalities and duties are the logic. The rationalized I-T-E (if-then-else) method of defining and programming the control (corporate) personalities is used by the turbine and controls engineers to efficiently produce the final turbine and machinery control algorithms. A simple integrated software/hardware scheme facilitates recording and executing these algorithms. Last but not least, reliable control performance must be achieved through an inherently fail-safe "systems" approach.


INTRODUCTION
The fundamental theoretical concepts for our control method were invented in early 1975, and had some basis in the real-time operating principles of large scale computer systems (Sperry Univac 1100 series) and in state-machine theory for sequential controllers. Then came a decade and a half of continuous development toward a rationalized and consistent control system for unattended supervision and automatic operation of machinery. The result has been a practical field-tested approach to producing a control: from specification, through analysis and design, to production.
Over time, this control philosophy has evolved from complex, abstract, artificial, to simpler, organic, sophisticated. The overriding ideology is based on a straightforward premise: what do we really want to do, not, how will a computer do it! The language used to describe the control and its tasks must be primarily the turbine engineer's, not the system analyst's.
Our analysis should not be straight-jacketed by thinking "computers", or "programming language", or even "hardware". What should the machine and its operator accomplish? Include all aspects, physical and administrative, engineering, and even paperwork.
The Gas Turbine Control monitoring and operating a gas turbine and any driven machinery is an excellent example of the efficiency of our design method. We will illustrate this method by examining key aspects of the n 0 D control, and finish by reviewing its effectiveness in a brief summary. We begin with a realistic analysis of the machine operator's responsibilities and functions, in a situation where there is no automatic control whatsoever.

THE TURBINE OPERATOR'S JOB DESCRIPTION
Normal control duties: start per schedule, stop per schedule, operate maintenance sequences, operate driven machinery; schedules are step by step procedures prescribing the step duration, actions, and expected feedback from the instrument data and sensing indicators (switches).
Engineering duties: read, calibrate raw sensor data, and tabulate results as engineering or instrument data.
Monitor/supervisory duties: observe and interpret instrument data, sensed indicators, operational status or requirements, and make "executive" decisions to initiate normal, corrective, or emergency procedures.
Emergency/fault control duties: quickly perform any emergency procedures per schedules.
Communications duties: advise and announce status of turbine, ancillary and driven machinery to proper channels, answer specific information requests; receive operating instructions.
Administrative and planning duties: generate and log statistical data, detect and interpret trends in turbine behaviour, weigh collective factors to modify stress setpoints (for example for overload or "overtemp"), warn of approaching maintenance schedule milestones.
Such a list is hardly very original; however, augmented by the specific operation details, it completely describes the job requirements, and, does so in terms the turbine or machinery engineers understand. Yet it is seldom in this fashion that an equivalent control is specified and even more rarely that it is so programmed.
Actually, for ideal performance in human terms, we would choose to have a team perform this job. And this, in fact, is the best method for process controlling as well: a modern corporate team is an excellent model for the structure of the turbine or other machinery control.

THE CORPORATE CONTROL MODEL
The main rules developed to express a control requirement in terms of a corporate operation are the following:
-The corporate structure concept is rigorously applied to all levels of operations.
-The overall task is first analysed, then divided up and assigned to the various team members.
-The personality of each team member or operator is defined, i.e., what he inherently can do (is by design most effective at), what he can't, expected reactions.
-The duties or functions of each team member are assigned, i.e., what will be the actual tasks, job schedules, responsibilities.
-Special rules or capabilities for the corporate services are outlined, i.e., special tools required, pacing (reaction time) assigned to each corporate activity, corporate security, redundancy.
The personalities or programmed capabilities of, and the types of functions performed by, the principal categories of the corporate team members:
-The operator is a tradesman personality, characterized to follow schedules, strictly one at a time, calling and controlling services as required. The operators perform the detailed sequences reacting both to predetermined routine and to variable data, actuating the mechanisms operating the machines. An operator may have several procedures in his repertoire but will select only one to perform at any one time.
-The monitor is an executive personality, characterized to overview all data relevant to his department and make operational decisions. A true executive, the monitor handles his responsibilities "in parallel", keeping track of all data whilst initiating or even doing some procedures himself. On a timed or priority basis, he may take on extra tasks or yet cut back.
-The engineer is a technical personality, capable of directing resources to gather and treat machine status information continuously, and generate valid data and some extrapolations.
-A service is a specialized department complete with a supervisor, individual specialists (operators) that handle all aspects of that particular service, and the customized tools, etc., required.
-Other "members" are defined in similar terms, corresponding to their outlined functions. Personality defines the scope of a team member's abilities, and functions are his assigned tasks; by this discipline both initial analysis and subsequent documentation are more clearly structured.
Operator -Codename: START
Interactive, responsive startup procedure: besides the usual timing and instrument data setpoints, considers cumulative factors, transients, acceleration.
Operator -Codename: COMOT
Continuously broadcasts instrument data to any Operator's panel or remote system, interspersed with any other communications specified by a monitor or operator. Each outgoing channel has its own operator.
Monitor -Codename: GENMON
Generation of statistical data, elapsed running hours, overview of performance of some system (corporate) services. Monitors performance of communication lines (circuits) and performs corrective procedures.
The Turbine control corporate team members outlined are those which directly concern the turbine and machinery engineer. The full corporation consists of 15 to 25 members, depending on equipment controlled: single or dual turbines, driven machinery, integrated or remote Operator's panel. The Executive members, not included in the list above, are administrative personalities, ensuring corporate discipline and security, allocating resources, performing services such as orderly turn-on, providing virtually unlimited time-keeping: in effect they pace the operation of this "flat" corporate organization.
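As an added illustration of the operator and monitor personalities and of the executive's pacing (this is not code from the paper or from the TRIM/EGO firmware), the C program below runs a start schedule of steps, each with an action, a duration limit and an expected feedback, while a monitor checks the data on every tick. All identifiers, schedule values, the temperature limit and the crude engine response are assumptions constructed for the example.

```c
#include <stdio.h>

/* Hypothetical names and constructed numbers throughout; not TRIM/EGO code. */
typedef struct {
    int starter, igniter, fuel;   /* outputs actuated by the operator */
    int ng_pct, egt_c;            /* instrument data: speed %, exhaust temp C */
    int egt_peak_c, flame_fails;  /* simulator settings for constructed faults */
} plant_t;

typedef enum { OP_STARTING, OP_RUNNING, OP_ABORTED, OP_TRIPPED } op_state_t;

/* One schedule step: action, step duration, expected feedback. */
typedef struct {
    const char *name;
    int starter, igniter, fuel;   /* action: output pattern */
    int max_ticks;                /* allowed step duration */
    int min_ng_pct, min_egt_c;    /* expected feedback */
} step_t;

static const step_t START_SCHEDULE[] = {
    { "crank",      1, 0, 0, 20, 15,   0 },
    { "light-off",  1, 1, 1, 10, 15, 300 },
    { "accelerate", 1, 0, 1, 30, 50, 300 },
    { "run",        0, 0, 1,  1, 50, 300 },
};
#define N_STEPS ((int)(sizeof START_SCHEDULE / sizeof START_SCHEDULE[0]))

typedef struct { op_state_t state; int step, ticks_in_step; } operator_t;

/* Fail-safe state: every output off. */
static void fail_safe(plant_t *p) { p->starter = p->igniter = p->fuel = 0; }

/* Operator: follows one schedule, strictly one step at a time. */
static void operator_tick(operator_t *op, plant_t *p) {
    if (op->state != OP_STARTING) return;
    const step_t *s = &START_SCHEDULE[op->step];
    p->starter = s->starter; p->igniter = s->igniter; p->fuel = s->fuel;
    op->ticks_in_step++;
    if (p->ng_pct >= s->min_ng_pct && p->egt_c >= s->min_egt_c) { /* IF feedback */
        op->ticks_in_step = 0;                                    /* THEN advance */
        if (++op->step == N_STEPS) op->state = OP_RUNNING;
    } else if (op->ticks_in_step >= s->max_ticks) {               /* ELSE timeout */
        fail_safe(p);
        op->state = OP_ABORTED;
    }
}

/* Monitor: looks at the data on every tick, whatever the operator is doing. */
static void monitor_tick(operator_t *op, plant_t *p, int egt_limit_c) {
    if (p->egt_c > egt_limit_c) {   /* overtemperature: latch the trip */
        fail_safe(p);
        op->state = OP_TRIPPED;
    }
}

/* Stand-in for a machinery simulator: constructed, deliberately crude. */
static void plant_tick(plant_t *p) {
    if (p->starter && p->ng_pct < 25) p->ng_pct += 1;
    int lit = p->fuel && !p->flame_fails && (p->igniter || p->egt_c >= 300);
    if (lit) {
        if (p->egt_c < p->egt_peak_c) p->egt_c += 50;
        if (p->ng_pct < 100) p->ng_pct += 2;
    } else if (p->egt_c > 0) {
        p->egt_c -= (p->egt_c < 20 ? p->egt_c : 20);
    }
}

/* Executive: paces the team in a fixed order for 100 ticks. */
op_state_t run_start(int egt_peak_c, int flame_fails, int egt_limit_c, plant_t *out) {
    plant_t p = {0};
    operator_t op = { OP_STARTING, 0, 0 };
    p.egt_peak_c = egt_peak_c;
    p.flame_fails = flame_fails;
    for (int tick = 0; tick < 100; tick++) {
        plant_tick(&p);                      /* data gathered first */
        monitor_tick(&op, &p, egt_limit_c);  /* supervision before action */
        operator_tick(&op, &p);              /* then the scheduled step */
    }
    if (out) *out = p;
    return op.state;
}

int main(void) {
    static const char *names[] = { "STARTING", "RUNNING", "ABORTED", "TRIPPED" };
    printf("normal start : %s\n", names[run_start(650, 0, 760, NULL)]);
    printf("hot start    : %s\n", names[run_start(900, 0, 760, NULL)]);
    printf("no light-off : %s\n", names[run_start(650, 1, 760, NULL)]);
    return 0;
}
```

Both failure paths end with every output off: the operator aborts on its own step timeout, and the monitor trips the start independently of which step the operator has reached.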

ANALYSIS AND DOCUMENTATION
At this point or earlier in the discussion of a turbine control system there usually follows a detailed description of the control hardware: so many circuit modules doing such and such, processor crunching so many mips equivalent, memory of so many thousands bits or bytes capacity. The turbine or machinery engineer's attention surely lapses during this recitation and so it should; at this stage that tedious material is, if not irrelevant, then certainly premature. An assessment of a service oriented corporation (the Turbine control) would deal first with its human resources (the team members, i.e., application programs, software), next with the management and organization (the executive and the corporate services, i.e., operating system, firmware), and finally with the offices and facilities (physical plant, i.e., the hardware).
Our corporate team method outlined is not just a "fun" explanation, a convenience, an illustrative analog.
It is rigorously applied to all levels of the analysis and of the resulting system structure.
Because the structures are evident, the "personas" of the modules understandable, and the overall view and interactions never lost, there is less room for "psychosis" or software instabilities. Just as importantly, if any occur, the failures are inherently localized, fault analysis is fast and logical.
The language used for initial specification of the system, for clarification and tuning of the system requirements between the turbine engineer and the con-
This process is carried out on a word processing system, using any word processing language that has a macro facility, i.e., the possibility to create functions that will automatically format and generate repetitive text.
As the design progresses the I-T-E for the duties or functions of each team member or operator gets more detailed, resource references become specific.
Finally, when all are agreed on an I-T-E draft, the I-T-E statements are compiled or implemented as either assembler mnemonics or as actual computer codes in text format (see Fig. 4). This process is accomplished interactively and semi-automatically using the word processor and a library of specifically prepared word processing macros.
The final document is therefore the I-T-E outline with the corresponding list of computer system calls and/or codes beside each statement. Updates by both the turbine engineer and the control specialist are accomplished by changing the I-T-E. The defined personalities of the various monitors and operators guide and discipline the revisions.
The compiled I-T-E can be directly assembled from its text code representation into executable program files, and the monitors and operators can now be repeatedly tested and optimized in an actual control attached to a machinery simulator, and later on a working turbine and machinery installation.
Throughout the process the control operational requirements and behaviour have been hammered out between the machine engineering and controls people over drafts of the I-T-E outline, which has now become system specification, actual software, and "legal" document!

CONTROLLING A MULTIPLE GAS TURBINE INSTALLATION
For a single installation the "corporate" model for control structure is efficient and secure by virtue of its modularity. In fact, for ultimate performance, the control would consist of separate processing elements for every personality.
For a multiple turbine installation an attempt to control all the units with one control would surely be a reactionary approach. There are many reasons why a distributed network of dedicated controls for every turbine unit makes better sense:
-Efficiency. Ordinary economical hardware can more than adequately handle each turbine; no additional software required, all units use more copies of the same. In the "corporate team" there are already adaptable operators capable of receiving and servicing requests from any central supervisory control.
-Simplicity. Simpler physical installation, as the bulk of the interconnections between control and machinery are intimate and direct, a major cost saving.
-Reliability. A modular installation, inherently simpler and with built-in redundancy, less exposed interconnects, better sensor performance; faults localized, easier to trace, faster to repair.
-Maintainability. Normal or emergency maintenance easier, certainly control itself simpler to repair and maintain, control always available locally to aid with maintenance operations. Additionally the control can remain with the individual turbine set: the whole can then be installed or replaced as one unit, turbine and control.

THE CORPORATE RESOURCES -CONTROL HARDWARE AND FIRMWARE
In our corporate model, the control computer is equivalent to the corporation's physical plant and equipment, allowing the corporate members to carry on their functions. The firmware or operating system is equivalent to the executive support staff and services and is clearly programmed as such in our system.
The control processor is in fact a device for "playing back" or sequencing the stored personalities or decision algorithms, and having them interact with incoming data patterns. The control system as we conceive and program it, is a natural evolution of the ingenious clockworks, player pianos, numerical controls, and other sequencing and control mechanisms of yesteryear, and would seem to draw little inspiration from the currently fashionable "Babbage's Analytical Engine".
Obviously the requirement here is for a hardware/firmware implementation that allows any and all the monitors, operators, etc., to operate freely per their individual characteristics within our corporate model setup. Primarily, this means that the system must be able to handle concurrently executing programs with a predictable level of performance and must in addition always perform the support services with clockwork precision and absolute predictability.
The novel solution we have developed over many years of philosophical evolution and critical usage is primarily a firmware (software) solution; however its performance is improved by (but doesn't rely on) computer hardware with a few rather basic sensible features: an internal (to the processor) register file or fast "scratch-pad" memory, fast bit or flag handling instructions, relative addressing capability, Harvard architecture.
Our process controller for the gas turbine is apparently simpler, "leaner", with a lot less hardware than equivalent systems, because of the totally integrated hardware/software nature of our corporate structure. The heart of the hardware is a modular processor: a single board computer with all input/output facilities except analog data capture, the analog to digital board itself (with 32 analog inputs), and a video board for driving a CRT or Plasma display. The heart of the software is our operating system named "EGO", which includes operators that manipulate the hardware modules in a way that replaces much of the usual hardware "glue" (the logic that controls and synchronizes these physical components). As well, to ensure ruggedness and best sensor data capture, great care is taken in power supply construction to adequately supply and completely isolate the process controller from the power sources.
c) Two Remote Maintenance Control Panels, one for each pair of turbine engines (Twin-Pac);
d) Two sets of cables, controls to turbines, reduction gearboxes, maintenance control boxes;
e) Two sets of cables, supervisor panel to engine controls;
f) TRIM Corporate Firmware, configured for controlling P&W ST6 Turbines, auxiliaries, and reduction gearboxes.
The TRIM Supervisor Panel is located in the hovercraft pilot's room (bridge) while the TRIM Engine Controls and their associated remote maintenance control panels are located in machinery rooms adjacent to the engines.
Communication between the supervisor panel and the two engine controls is by dual redundant serial lines to each control. The primary control functions (STOP, START, IDLE) for each of the four engines or power sections are in addition directly hard-wired from the panel to the engine controls.

TRIM Supervisor Panel
The TRIM Supervisor (operator's) Panel provides the interface between the operator and the control units for the monitoring and complete (automatic and manual) operation of up to four turbine and machinery sets.
Data and informative announcements are displayed on one to four 32-character, 8-line plasma display screens, supplemented if desired by "percent full-speed" analog gauges (Nf and Ng) driven directly from the control units.
The primary control functions (start, stop, idle and emergency stop) are provided by individual pushbuttons, or, if preferred, other types of switches; secondary functions (manual control and programming, calibration of control parameters), by a function and data keypad.
The pushbuttons for the primary control functions, the LED indicators associated with these pushbuttons, and the Ng and Nf gauges are all hard-wired directly to the control unit. This ensures that in the event of a supervisor panel malfunction or an interruption of communications between the engine controls and the panel, the engine(s) can be operated directly and safely. As well, the function pushbuttons have a second (redundant) set of contacts that are sensed by the supervisor panel; this enables full operation of the Turbine sets if the direct function cables were damaged.
The Trim Supervisor Panel contains the same (interchangeable) processor module as the control plus the Video Board to operate the screens. The software is a "corporate subsidiary" of the control TRIM firmware.

TRIM Engine Control
Each TRIM Engine Control is situated as close as possible to the engine it is controlling. This control provides the sequencing and monitoring functions, previously described, required for engine operation; and it communicates continuously with any supervisory or operator's panel to update displayed parameter data and receive commands initiating power section operations.
The inputs to the control are from sensors providing analog signals or contact closures. The analog inputs are calibrated directly from the TRIM Supervisor Panel display and keyboard, and the parameter values in the operational schedules (operation setpoints, alarm limits, and sequence timing) are programmed likewise.
The output drivers are all "solid-state", isolated, except for some relays for the "dry contact" outputs. The solid-state outputs are protected against both intermittent and continuous short circuit and are wired to a common negative return.
The TRIM Engine Control, input and output, is electrically fully isolated from the power source. Additionally it can provide isolated power in standard voltages to any sensors or transducers that would otherwise provide an unwanted electrical path or connection to the power source.

TURBINE CONTROL PERFORMANCE
Our corporate "umbrella", the proprietary firmware operating system EGO, even in a single 8 bit processor configuration (SGS-Thomson 3870, Motorola 6800), provides adequate performance:
-typically 30 primary "corporate personalities" in parallel operation, hundreds of specialist operators in services, enough to operate two turbines and driven machinery simultaneously.
-1 millisec response, worst case, to direct inputs with no system performance penalty when responding, e.g. pulse inputs are counted directly and asynchronously at up to 1 kHz rates on any or all inputs.
-35 millisec delay on typical analog filtered data trip, worst case.
-up to 19200 baud communications on two serial lines simultaneously.
-400 millisec refresh, worst case, on any and all parameter data on video display.
The operating system is the major contributor to system performance as it initially facilitates the use of I-T-E structures to set up the control corporation, and subsequently ensures that the personalities effectively do operate in parallel.
In the P&W ST6 version of the control, the appropriate personalities, operators and monitors, after having been designed to work a single engine and auxiliaries, were simply "cloned" (an ideal corporate manoeuvre), and the second set was "told" to operate the second engine, referencing a parallel set of inputs and outputs. The one control, with two sets of personalities, now handles a Twin-Pac configuration with essentially no software changes or performance penalties.
Another example of the effectiveness of the operating system, coupled with this organic technique (separate operators, etc.), is demonstrated by the following. When we initially set up our first Solar Saturn control, for convenience, all the system functions including those of the operator's panel were installed and debugged in the control proper. Later, the appropriate personalities were simply moved to the separate operator's panel where they perform correctly with no software changes except the addition of the communication operators (see COMOT and COMIN above).
The control now has more spare facilities to service any additional control-type corporate members the turbine and machinery engineer might require.

TURBINE CONTROL RELIABILITY CONSIDERATIONS
Simply, the original purpose of all standards and quality specifications was to ensure that a product is of the best reliability and safety reasonable for the use and abuse it is likely to get. In fact, more often than not, the standards are satisfied to the "letter" rather than to the "intent", e.g., is it a cabinet full of "MIL-spec" components, and does the whole still function to the specified temperature or to any other stress limits, precisely. The very nature of standards dictates that their provisions need only to be just met: the degree of stress in a system operating to these standards is often "bureaucratically" disregarded.
The objective should be: design for absolute minimum stress; test the system in its entirety, exactingly, with limited regard for the "paper" credentials of the constituent components; pinpoint the most highly stressed components under worst case conditions; set standards for tighter margins in these worst case factors. A properly designed system, relying on passive and inherent features, made using normal industrial components, but built to withstand testing of worst case stress points, will be tougher, safer, and more economical than many a military-spec'd system of proper pedigree.
Just so, though not as evident, is the situation with software. Two software designs both work precisely to the stated requirements: one is complex, abstruse, though probably produced on a current development system with all manner of "programming aids"; the other is structured, understandable, can be adjusted and maintained with ordinary tools, an office computer with word processing software. The latter software design, typified by our corporate firmware, can be said to be inherently less "stressed", and will generally outperform the former when subjected to unforeseen control demands.

EFFECTIVENESS OF METHOD -A SUMMARY
Against the background provided by the foregoing descriptions of the basic structures, hardware and more particularly software of our turbine control system, we can assess, perhaps more intelligently, the important consequences of using a flat corporation model for process control design.
The fundamental theory or premise behind this method is that an automatic control replaces and emulates a human operator. A critical analysis of the performance requirements for most control situations indicates that a team of operators, with appropriate management and support services, would most effectively carry out the coordinated tasks required.
Whether for a human team or a machine, we propose that a most effective structure for the service providing the control functions would be that of an independent corporation with precise but adaptable responsibilities. In addition we propose this corporation be analyzed and its members and services be precisely described in a natural language (English, etc.).
The consequences of designing and building a computerized control using such a model are, at the very least, that the structures and interactions of the control functions are evident to all concerned. The documentation for the system is perforce up to date, since this documentation is effectively the program.
When new system functions are added, or old ones simply tuned, this can be done with more security and confidence. The hardware, or control algorithm playback system, built to service the modular corporation, is necessarily modular or organic too, and is consequently readily understood, reliable, and serviceable.
Obviously, over time we have developed a myriad of software and hardware devices that allow us to use this method most effectively in the design and operation of a control. However, the need for and the structure of these devices are but the natural outcome of the use of our "flat corporation" model. The controls we are building today use the same microprocessors and hardware component types as did our own designs nearly a decade ago. However, by the disciplined application of our design philosophy, we have step by step cut the hardware in half and increased the performance levels of the systems nearly twenty fold!
What of competitive designs and products? These range from control packages made up of separate instrumentation and logic systems, to adapted personal computers, and to dedicated customized process controllers. Our control incorporates some aspects of all of these, and shares with the best of these products the good design practice of a "structured" approach; but, our corporate model imposes an additional discipline and perspective, ensuring an extremely efficient design.
Typically, comparisons of our control to competitive systems equivalent in scope and purpose demonstrate that without a doubt we achieve equal or better performance, but, with only 10% to 40% of the hardware, with a much shorter controller program, and with much slower (10%-20%) internal clock rates. Because of the latter differences, one can reasonably expect that our design method provides more reliability, better economy, lots of spare capabilities for expansion, but, most of all, a rational, manageable process control system.

CONCLUSION
Certainly, in the controls industry over the past decade, there have been many improvements, particularly in the quality and speed performance of hardware components, and some setbacks, particularly in the domain of computer and software design, where "fashion" rules. Our approach has been to improve and stabilize control performance by facilitating both analysis and programming, and this by making these processes more natural, organic, both for the machinery engineer and us, the controls specialists. In our experience the Corporate model by itself has been a major contributor to system performance, largely because it so greatly increases the efficiency of specification and design.
We hope that the discussion presented raises as many questions as it answers; it deals primarily with a matter of philosophy, and touches on but the "tip" of the subject. More than all else the Turbine control (or any other) must be reliable as a total system, and viewing the ensemble, hardware and software as a corporate entity can only help. The control methodology described might be perceived by some as an eccentric approach to computerized controls, but it is based on fundamental operating principles applying to any stable and interacting system, be it a living organic cell, an insect hive colony, an organized human social enterprise, or a cybernetic control.

ACKNOWLEDGEMENTS
I would like to acknowledge the participation by several people particularly in the specific development of our TRIM Turbine Controls.
Ivan Mose has carried the banner for and coordinated the TRIM project from the outset, and contributed, besides other items, the groundwork in the turbine process analysis, the instrumentation package design, and the word processor/compiler implementation. Philippe Lemieux programmed and refined with ingenuity (and humor) much of the early personality structures in the prototypes. Rob Ferguson "cut his teeth" and proceeded to make substantial development contributions in the Hovercraft controls project.
A special thanks goes to Peter Cheney, Department of National Defence, Canada, for the contribution of major insights concerning the Solar Saturn package specifically and turbine and machinery control logistics generally.
Finally, for the P&W ST6 Hovercraft Liftfan powertrain control, we thank the entire Pratt and Whitney Industrial Marine division project group, for their invaluable contributions to the development and refinement of that impressive controls package.