Thermal power stations are currently riding a wave of modernization. Replacing or renewing process control systems is one option to achieving enhanced process efficiency. Integrated analysis of all sub-systems helps to avoid faults in control processes when implementing these modernization measures, meaning damage to equipment triggered by process control systems can be prevented.


H. C. Schröder, K. Klingler & T. Leidel, TÜV SÜD Industrie Service, Germany

The innovation cycles of process control systems are generally significantly shorter than those of process and machinery components. Normally, process control systems are replaced at least once during the intended service life of a thermal power station. Owing to stricter climate protection standards, many power stations have scheduled further modernization measures. Retrofit measures are aimed at unlocking potential for optimization and helping to enhance the efficiency and cost-effectiveness of power station operation – an area in which process control systems offer particularly high potential.

Click here to enlarge image

Modernized instrumentation and control (I&C) systems enhance the efficiency of plant operations, e. g. through optimized control of the air-fuel ratio, while reducing inspection efforts. Depending on the power station’s age and location, advanced burner technology and innovative control systems can yeild savings of up to 20 per cent, particularly in Asia and Russia.

The complex interactions between the sub-systems must be taken into account when process control systems are integrated into power stations. Switching faults cause mechanical damage in equipment time and again, occasionally with major losses in material value. To prevent damage, the complete electrical system and the turbine-generator unit must be designed and dimensioned in accordance with the requirements. Critical criteria in this context are an expertly designed system architecture and a power station complex aligned to safety integrity level (SIL) requirements (EN 61508, EN 61511 and ISO 13849).

Defining process requirements at an early stage

Technological progress in process control systems and the resulting enhanced flexibility present an opportunity for existing power stations. In contrast to previous wiring technology, process control systems can now be easily extended and modified even during or after initial commissioning without the need to interrupt operations. All electrical, instrumentation and control functions can be re-programmed in situ, simulated and tested before they ‘go live’ in the power stations. Important measures in this context are a systematic weakness analysis of the process engineering environment and prevention of technological overload in the processes.

Owners and operators aiming to cut operating costs while enhancing efficiency must ensure that the application, functions and interconnection of system performance in the fields of mechanical, process and process control engineering are perfectly aligned to each other. If necessary, experts from companies such as TÜV SÜD’s can simulate system behaviour in various physical states or chemical reactions in model studies. The requirements to be fulfilled by the systems must also be defined at an early stage. This also applies to functional safety requirements.

Certification alone is no guarantee for safety

As risk increases, so do the standards imposed on the reliability of systems and components. The intended functioning of these systems and components must be ensured under defined fault conditions with a defined level of probability. Nevertheless, focusing exclusively on SIL certification is not enough. In systems with an overall function in particular, qualitative analysis and the establishment of a sensible system architecture should be given priority over quantitative component certification. To reduce risk, protective systems should be based on a redundant structure, i.e. individual elements should compensate for the failure of others.

At present, there is increased demand for SIL-certified products. Users, designers and approval companies without an integrated perspective or the necessary expertise in particular occasionally attempt to establish functional safety via components that offer an especially high level of operational reliability.

But how does this impact on the functional safety of the entire installation or power unit? Apart from this, owners/operators cannot shirk their responsibility by forcing manufacturers to submit special SIL certificates. The problem per se cannot be solved by means of individual mechanical, electronic, hydraulic or pneumatic parts; parts such as magnetic valves or fittings are only classified as components and therefore not considered to be systems in line with the definition in EN 61508 or EN 61511. Strictly speaking, these simple ‘components’ would actually not even be eligible for the issue of an SIL certificate.

The requirements for “Functional safety of electrical/electronic/programmable electronic safety-related systems” are set forth in EN 61508 and EN 61511. These standards generate appropriate requirements for avoiding and controlling failures in electrical, electronic and/or programmable electronic equipment.

Taking risk reduction measures into account, an overall system must also satisfy various safety integrity levels classified as SIL 1 to 4, where SIL 1 stands for low risk and SIL 4 for very high risk. In practice, the term “functional safety” is often used vaguely. The ultimate objective must be the safety and reliability of the overall system, which calls for engineering requirements, including physical and process engineering criteria, to be implemented in a qualified manner.

Mechanical breakdown in the turbine-generator system

Following a mechanical breakdown, the owner/operator of a German thermal power station commissioned TÜV SÜD Industrie Service to analyze the damage. A failure in the emergency power supply had resulted in irreversible damage to the power station’s turbine, generator and gear system.

At that time, the entire energy supply of the control systems and the equipment depended on one of the two emergency supply systems. In the course of the battery test, the power supply was switched from one battery system to the other. During switching, the voltage dropped. An incorrectly designed undervoltage protection caused the failure of all electrical switchgear. Only the turbine was not reliably removed from service.

When the mains voltage was switched on again, it caused reverse power in the generator, which, in turn, continued to drive the turbine-generator system which had been slowing down. The lubricating oil system had been deactivated, so the bearings of the turbine, generator and gears were destroyed.

The root causes of the damage were an incorrectly designed power supply system and loss-of-voltage protection. Undervoltage protection removes electrical consumers from service when the voltage drops below a certain level. This prevents machines, from starting up automatically and unchecked once the mains voltage returns after a power failure.

In this case study, not only was the important equipment protected against undervoltage but so was, inappropriately, the emergency-power system itself – a measure that ultimately cancelled out the turbine’s undervoltage protection. In addition, the switching process between the battery systems should have been electronically protected and monitored. In this case, only a conventional contactor had been installed, which did not even fulfil the minimum safety requirements for these components, i.e. SIL >2.

An integrated approach is crucial

The case study shows that a system architecture can be both highly prone to failure and highly safety relevant at the same time. Most faults in the design of process control systems and inadequately dimensioned components can be attributed to the fact that interactions are being identified too late. This applies in particular to power stations built by several suppliers without integrated planning.

To counteract problems arising out of interactions and at interfaces, engineers responsible for processes, operation and process control systems should co-operate cross-functionally right from the design stage.

TÜV SÜD can contribute experience in power station and plant engineering to the practical implementation and modernization of process control systems. Its expertise includes the integrated and efficient linking of processes for enhanced efficiency in operations.

Hans Christian Schröder is head of Power Plant and Energy Services and Power Station Sector manager at TÜV SÜD Industrie Service. Karsten Klingler and Thomas Leidel are project engineers for electrical, instrumentation and control systems at TÜV SÜD Industrie Service.

Checklist for process control systems

In practice, the key questions associated with the modernization of existing process control systems are: How do individual modernization measures influence the service life of the entire plant? And how can these measures be implemented cost-effectively and reliably?

Criteria for use:

  • Are the systems sufficiently automated to control them with simple, safe and reliable regulating units?
  • Is there a clearly formulated correlation between the input and the manipulated variable?
  • Are process parameters easy to measure and can they be transmitted within a reasonable timeframe?
  • Are elementary systems, sub-systems and system complexes functioning reliably with low-maintenance?
  • Does automation enhance functioning, operational safety and reliability, availability, and thus ultimately also overall efficiency?
  • Do instrumentation and automation offer a reasonable cost/benefit ratio?
  • Are the workload of operating staff, costs and efforts reduced noticeably?


Target definitions:

  • What load ranges (rapid/instantaneous startup, base load) must be regulated?
  • What degree of availability is to be reached?
  • Are resource-efficient operation and environmental impacts possible?
  • What is the manpower requirement for plant operation?
  • What qualifications do the staff need?



  • Hardware concept: How does the equipment used affect process complexity and dynamics? How must the devices be designed in terms of their numbers, computation and transmission rates and equipment structure (centralized/decentralized)?
  • Software solutions: Is the description of the technical processes complete and comprehensible? Can algorithms for control and regulation processes be developed on this basis?
  • Operation and maintenance: How do hardware and software solutions influence life cycle costs?
  • Engineering: What modifications and extensions are possible?



More Power Engineering International Issue Articles



Power Engineering International Archives



View Power Generation Articles on