2.1. Process Description, Control Specifications, and Project Definition
The studied process is represented by a hydroelectric power plant located in the Alto Adige region (Italy). 
Figure 1 shows the geographic characterization of the overall plant. Two artificial water collection reservoirs characterize the process: an upstream reservoir and a downstream reservoir. The downstream reservoir is located in a valley. At the outlet of the downstream reservoir, a tunnel (see 
Figure 1) takes the water towards a penstock that leads to the power plant (see 
Figure 2). The electric energy is generated by the rotation of the involved turbines. The water flow between the two reservoirs is controlled through a regulation gate, named the Beikircher gate (see 
Figure 1). The regulation gate, activated by a butterfly valve, controls the water flow of a pipeline connecting the two reservoirs. The overall process is schematically reported in 
Figure 3.
The power plant is characterized by a double group of Francis-type turbines capable of providing an overall efficient power of 22 MW and an average annual electric energy production of 86.81 GWh. In the water catchment area, different rivers are present (see 
Figure 1). As shown in 
Figure 3, the reservoirs are characterized by two inlet water flows and one outlet water flow. The reservoirs’ level and inlet/outlet water flow rates are measured by suitable sensors. The water flows entering the upstream reservoir consist of the main stream of a river from the intake structure and a set of subsidiary intakes (see 
Figure 3). Through two side-by-side deicing tanks and two subsequent sand traps, the incoming water from the intake structures flows into the upstream reservoir. The maximum derivable flow rate from the intake structure with clean grids is equal to about 9 m
3/s. On the other hand, the subsidiary intakes can provide a maximum flow rate equal to 1.4 m
3/s. The two inlet water flows of the upstream reservoir are measured by a level transducer located near the reservoir inlet.
The upstream reservoir was constructed on the right bank of a river and has a maximum length of 280 m and a maximum width of 150 m, with a usable capacity of about 135,500 m
3. The bottom level of the reservoir is at 1216 m above sea level (asl), while the overflow level is 1223.60 m asl. The minimum level detectable by the level sensor is 1216.80 m asl; below this level, the operation of the upstream reservoir has to be considered run-of-river. The maximum detectable level is equal to about 1221.85 m. At the outlet of the upstream reservoir, the Beikircher gate regulates the water flow, which enters a tunnel. The length of the tunnel that connects the upstream and downstream reservoirs is equal to 5534 m. The butterfly valve of the regulation gate is controlled by a built-in programmable logic controller (PLC). A hydraulic control unit, placed in a structure near the valve, operates the gate. The flow rate setpoint can be manipulated between 0 and 8 m
3/s. According to the plant’s needs, the maximum value is typically limited to 7 m
3/s. The downstream reservoir was constructed on the right bank of the associated river and has a maximum length of 165 m and a maximum width of 80 m, with a usable capacity of about 52,500 m
3. The downstream reservoir’s capacity is lower than the upstream reservoir’s capacity. The downstream reservoir (see 
Figure 3), similarly to the upstream reservoir, is characterized by two inlet flows and a single outlet flow. The downstream reservoir’s inlet flows are the water flow from the upstream reservoir (regulated by the Beikircher gate) and the intake structure. The intake structure is represented by the water flowing in a gravel reservoir and in a sand trap (see 
Figure 3). The bottom level of the reservoir is at 1197.20 m asl, while the overflow level is 1203.50 m asl. The minimum level detectable by the level sensor is 1197.40 m asl; below this level, the operation of the downstream reservoir has to be considered run-of-river. The maximum detectable level is equal to about 1202.77 m. At the outlet of the downstream reservoir, the water is conveyed towards the power plant through a tunnel and a penstock. The tunnel is characterized by a length equal to about 7000 m, while the penstock, which consists of a metal pipe, has a length of about 500 m. A jump equal to about 270 m is observed. After passing through the power plant and transferring energy to the turbines, the water flows into a free surface drainage channel, intercepted by two flat gates. The water released by the downstream reservoir is subjected to a flow rate setpoint regulation. The regulation and the flow rate measurement are located not at the outlet of the downstream reservoir, but a few meters downstream. The flow rate regulation is based on the electric energy production plan of the power plant. The electric energy production plan is known a priori with significant confidence. The production plan is sent daily to the managers of the plant and determines how much energy the plant will have to produce hourly during the day. The provided electric power (MW) measurements, together with the related setpoints, are available for the turbines.
Based on tailored plant inspections and plant operators’/managers’ interviews/reports, different considerations were made for the process in order to plan the project phases. A list of the manipulated variables (MVs), controlled variables (CVs), and measured disturbance variables (DVs) was obtained [
38]. The flow rate setpoint (m
3/s) of the regulation gate represents the only MV for the APC system. The CVs are represented by the volume (m
3) of the upstream and downstream reservoirs, while the measured DVs are represented by the remaining water inlet/outlet flow rates (m
3/s) reported in 
Figure 3: the upstream reservoir intake, the subsidiary intakes, the downstream reservoir sand trap, and the outlet flow rate from the downstream reservoir. Measured DVs are manipulated by other controllers or related to the natural flow of rivers. All of the reported MVs and DVs were measured, while the CVs were not directly measured. CVs’ indirect measurement computation was performed using the measurements of the reservoirs’ level.
The previous conduction of the plant was represented by manual and semiautomatic control logics. This conduction was based on empirical laws and experience with the process. The main control specifications were as follows:
- Constrained control of the reservoirs’ volume (level). This type of control is usually referred to as zone control [ 39- ]. 
- Avoid water overflow on the reservoirs: the upstream reservoir has a lower priority than the downstream one, since the downstream reservoir is closer to the town. 
- Avoid water shortages in the reservoirs: the downstream reservoir has a higher priority, since a lack of water in downstream reservoir could cause a violation of the electric energy production plan of the hydroelectric power plant. 
- Compliance with the physical constraints and with the technical operative constraints of the Beikircher regulation gate. 
The zone control strategy, resulting from the first specification, is intended for the constrained control of the reservoirs’ volume (level), respecting the priorities previously reported in [
39]. The constraints can help in avoiding water overflow and water shortages, ensuring the safe conduction of the plant. An efficient zone control is not always achievable in the process under study, because only an MV may be available—for example, the inlet flow rates of the upstream reservoir are not manipulable. The electric energy production plan of the hydroelectric power plant must be respected, because a violation (in excess or in deficit) usually causes an economic penalty for the plant [
21]. As explained below, the physical constraints are mainly focused on the Torricelli law [
23,
24,
25] and on the effective capacity of the plant devices. The technical operative constraints of the Beikircher regulation gate are intended to avoid (if possible) too-frequent control moves in order to minimize the wear damage. In this context, an automatic APC system for real-time control must guarantee an optimal solution for the flow rate setpoint of the regulation gate (MV) under all process conditions. Furthermore, smart alarms highlighting abnormal plant conditions could improve the plant’s conduction. In this way, plant operators can play roles at a supervisory level. The control specifications and the proposed control strategy are summarized in 
Figure 4, while 
Figure 5 reports the main project phases described below. The accurate definition of the inputs and outputs to be obtained in each project phase represents a critical step.
  2.3. Data Analysis
Following data selection, acquisition, and storage, data analysis was performed [
40,
41,
42]. The data analysis sub-phases were difficult to define in the present work. The data analysis phase was divided into three main sub-phases:
- Analysis and processing of process variables and setpoints; 
- Performance evaluation of local control loops; 
- Assessment related to the electric energy production plan data and the compliance with the electric energy production plan. 
The sub-phase consisting in the analysis and processing of process variables and setpoints involved the measurement of the process variables by sensors and the setpoints commanded on the local controllers. The sensors’ acquisition/measurement and the PLCs’ communication errors/malfunctions were investigated, and the missing data were replaced on the database by the results of tailored regressions. Suitable data preprocessing techniques (e.g., validity limits and spike and freezing checks) were applied in order to detect the bad data, which were discarded. The validity limits and spike and freezing thresholds were tuned based on the sensors’ data sheets and the historical data. Furthermore, mobile window filters were used to improve the robustness of the selected measurements. The applied mobile window filters had the following form:
        where 
 is the discrete-time instant, 
 is the number of samples of the window, 
 represents the sensor measurements, and 
 is the filtered measurement at instant 
.
The local control loops’ performance evaluation sub-phase consisted of an assessment of the performances of the local controllers of the Beikircher regulation gate and of the downstream reservoir outlet water flow. Some experimental tests were performed consisting of suitable step moves on the gate setpoint, evaluating the rise time, the overshoot, and the settling time. Furthermore, deviation conditions between the setpoints and process variables were investigated [
43,
44,
45]. In order to motivate the potential abnormal behaviors of the local controllers—and especially of the regulation gate controller—the Torricelli law [
23,
24,
25] was exploited:
        where 
 is the discrete-time instant, 
 (m
3/s) is the maximum reachable value by the regulation gate’s flow rate, 
 (m
2) is the pipeline section, 
 (m/s
2) is the acceleration of gravity (constant), and 
 (m) is the height of the water level above the reservoir outlet conduct. Equation (2) is derived from the Bernoulli equation [
23,
24,
25]. 
Table 1 reports the values of the parameters involved in Equation (2) for the regulation gate’s flow rate. The involved pipeline connects the upstream reservoir to the regulation gate, so the water height has to be considered with respect to the level of the upstream reservoir outlet. The minimum level detectable by the upstream reservoir’s level sensor was taken into account, i.e., 1216.80 m (see 
Table 1). If the upstream reservoir’s level (
 in 
Table 1) is greater than or equal to about 1218.35 m asl, a flow rate of up to 8 m
3/s can be required on the regulation gate. If the upstream reservoir’s level is greater than or equal to about 1218 m, a maximum flow rate of up to 7 m
3/s can be required on the regulation gate. On the other hand, if the upstream reservoir’s level is lower than the computed thresholds, the physically reachable flow rate setpoint on the regulation gate decreases (see 
Table 1). For these reasons, as explained in 
Section 2.7, Equation (2) was also used for real-time modifications of the MV upper constraints.
The electric energy production plan data were evaluated in order to verify the implemented data-exchange procedure between the SCADA and the high-level supervisory systems (see 
Figure 6). Furthermore, an in-depth verification of the compliance of the defined electric energy production plan was performed.
The previously mentioned data analysis procedures were customized in order to be implemented in the real-time APC system. A module was designed, named 
Bad Detection, 
Data Conditioning, and DV Prediction module which, among its functions, includes an ad hoc bad data detection algorithm together with an algorithm that performs data filtering on mobile windows. Furthermore, the local control loops are checked for malfunction and compliance with the electric energy production plan is verified within this module. An overall 
data analysis reliability flag results from the aforementioned checks. This flag is exploited by the APC system (see 
Section 2.7); in this way, bad data detection, local control loop malfunctions, and f inefficient conditions are included in the real-time implementation of the APC system.
To the best of the authors’ knowledge, the proposed methods for data selection, acquisition, storage, and analysis represent an innovation in the literature on APC systems for hydropower plants. Not using accurate methods of data selection, acquisition, storage, and analysis may represent a missing key prerequisite for designing a robust APC system.
  2.4. Modelization
In order to design an MPC solution for the process under consideration, the modelization is a fundamental requirement, because MPC techniques strictly depend on the goodness of the obtained process model. A linear modelization approach, based on first-principles equations [
21,
24,
46,
47] and empirical data-based time delay identification [
48], was adopted. The resulting continuous-time model was as follows:
        where 
 is the continuous time variable (min), 
 (m
3) and 
 (m
3) are the upstream and downstream reservoirs’ water volumes, respectively, and 
 (m
3/s) is the regulation gate flow rate setpoint. 
 (m
3/s) is the upstream reservoir’s intake flow rate, 
 (m
3/s) is the upstream reservoir’s subsidiary intakes’ flow rate, 
 (m
3/s) is the downstream reservoir’s sand trap inlet flow rate, and 
 (m
3/s) is the downstream reservoir’s outlet flow rate (see 
Figure 3). In Equations (3) and (4), note the sign of each term—the inlet flow rates have a positive sign, while the outlet ones have a negative sign. Furthermore, note that the flow rate of the regulation gate has an immediate effect on the upstream reservoir, while its action on the downstream reservoir is delayed (delay equal to 43 min). Finally, it should be noted that due to the regulation and flow rate sensors’ location, a delay (3 min) is also present in the outlet flow rate of the downstream reservoir (see 
Section 2.1). For this reason, the resulting process model is a MIMO process with time delays on the inputs (i.e., MVs and DVs). The empirical data-based time-delay identification phase was executed by performing suitable step test procedures on the regulation gate’s flow rate setpoint (MVs) and from data analysis on the downstream reservoir’s outlet flow rate (DVs) [
48]. Equations (3) and (4) consider the regulation gate setpoint. In fact, the dynamics of the lower-level controller were negligible with respect to the adopted controller’s sampling time (equal to 60 s).
The reservoirs’ water volume dynamic behavior was modeled through Equations (3) and (4). Since the reservoirs’ field data are level measurements, an ad hoc volume-level conversion was investigated and implemented. Equations (3) and (4), enriched with the aspects reported in 
Section 2.6, were recast in order to obtain a continuous-time state-space model. The state-space description provides the dynamics as a set of coupled first-order differential equations in a set of internal variables (state variables), together with a set of algebraic equations that combine the state variables into physical output variables [
49]. Subsequently, a discretization procedure was performed, using a zero-order hold and a sample time equal to 60 s, and time delays were included in the process dynamics [
49,
50]. In this way, the following discrete-time state-space model was obtained:
        where 
 is the discrete-time instant, 
 is the state vector, 
 is the MV vector (scalar), 
 is the DV vector that acts on the state, 
 is the output vector, 
 is an unmeasured DV vector which acts on the output, and 
, 
, 
, and 
 are matrices of suitable dimensions [
39,
49,
50]. 
, i.e., the state DVs vector, includes the measured DVs reported in Equations (3) and (4), along with the additional fictitious DVs added for model mismatch compensation (see 
Section 2.6). 
, i.e., the output DV vector, includes the unmeasured disturbances added for model mismatch compensation (see 
Section 2.6).
In Equations (3) and (4), the upstream and downstream reservoirs’ volume is considered. In order to exploit the reservoirs’ level feedback, a volume-level relationship was formulated. Poor information on the shape and geometry of the reservoirs was available, so an estimation of the volume-level relationships was obtained. Based on known volume-level pairs, different mathematical laws were tested and compared, e.g., nonlinear, linear, and piecewise linear laws. The best results were obtained using the following piecewise linear law:
        where 
 (m) is the level value to be converted into the volume 
 (m
3), while 
 and 
, 
 are known volume-level pairs. The volume-level pairs were provided by the plant managers and covered the entire operating range of the reservoirs.
  2.7. APC Design
As reported in 
Figure 5, the APC design phase was executed after the data analysis and modelization steps. Thanks to the modelization and forecasting results (see 
Section 3), MPC was selected as the control strategy [
39,
50,
51,
52]. The main difficulty faced in the APC design phase was the need to propose a solution that could handle all process conditions. According to the process dynamic behavior and control specifications, a sampling time equal to one minute was defined for the APC system.
Figure 7 reports the schematic representation of the APC system’s architecture. At each control instant 
, plant data and parameters (
Figure 7, 
plant data and parameters) were provided by the 
SCADA and Database module (see 
Figure 6 for further details on this module). Furthermore, the 
SCADA and Database module provides an initial APC status flag (
Figure 7, 
APC status) that defines the permission for the APC system to set the MV setpoint for the process. In other words, this flag defines whether the APC system can really be used to operate the plant. For example, if a watchdog communication error is detected in the communication between the SCADA system and the PLCs (see 
Figure 6), the APC system’s conduction is disabled. Plant data and parameters and APC status were processed using the previously defined 
Bad Detection, Data Conditioning, and DVs Prediction module (see 
Section 2.3 and 
Section 2.6). This module provides smart alarms to the plant (see below). Furthermore, this module performs the checks and the operations described in 
Section 2.3 and 
Section 2.6, computing an overall 
data analysis reliability flag (see 
Section 2.3). This flag influences the final APC status flag, which is provided by the module together with the conditioned plant data and the prediction of the DVs (see 
Figure 7). For example, if a bad condition is detected on a plant measurement, the APC status flag is used to inhibit the APC system’s actions. Some of the outputs computed by the 
Bad Detection, Data Conditioning, and DVs Prediction module were provided to the 
MPC Parameters Selector module. This module, based on the current and predicted process conditions, defines the MPC constraints, reference trajectories, and tuning parameters in real time (see below). The outputs computed by the 
MPC Parameters Selector module are provided to the 
MPC module (see 
Figure 7). The 
MPC module, based on a receding horizon strategy (see below), computes the MV value to be applied to the plant (
Figure 7, 
). Furthermore, smart alarms are also provided by the 
MPC module (see below).
 A detailed analysis was performed based on the obtained process model and the DVs’ forecasting in order to define a reliable prediction horizon 
. The selected prediction horizon was equal to 130 min. No move-blocking strategies [
53] were implemented, and the control horizon 
 was set equal to 
. The proposed MPC strategy is based on a quadratic programming (QP) problem. The quadratic cost function to be minimized is as follows:
        subject to the following linear constraints:
In Equation (10), 
 represents the Euclidean norm, 
 and 
 are the predictions of the MVs and the CVs, respectively, and 
 represents the future control moves on the MVs. 
 and 
 are parametrized based on the known information up to the current control instant 
 and on 
 terms [
39]. Within the known information up to the current control instant 
, the DV predictions are included. The 
 terms are the reference trajectories on the CVs. The MVs’ magnitude and moves are penalized over the control horizon in Equation (10), while the CVs’ tracking errors are penalized on the prediction horizon. The suitable positive semidefinite matrices 
, 
, and 
 can weight the described terms. In Equation (11), 
, 
, 
, and 
 define the MVs constraints over the control horizon. The MVs’ constraints are 
hard constraints, i.e., they can never be violated. On the other hand, two groups of CVs constraints were included in the formulation: The first group is represented by the terms 
 and 
 in Equation (11). These constraints are initially set as 
hard constraints, i.e., the related 
 terms are equal to zero in Equation (11); then, based on the process conditions, they can be converted to 
soft constraints (see below). These CV constraints refer to the reservoir volume constraints associated with the minimum and maximum volumes (i.e., water shortage and water overflow). A second group is represented by the 
 and 
 terms in Equation (11); these constraints are defined based on the process conditions and are always 
soft constraints; these constraints are always tighter with respect to the first group. Their relaxation is allowed through a slack variable 
. The slack variable 
 is included in the constraints (see Equation (11)) through suitable 
 coefficients, while its introduction in the cost function Equation (10) is performed through a positive coefficient 
 [
54].
In order to meet the specifications reported in 
Section 2.1, the downstream reservoir volume (CV) was set with a greater priority with respect to the upstream reservoir volume (CV); the 
 coefficients related to the associated 
soft constraints in Equation (11) were used for this purpose. In Equation (11), 
 represents the first prediction instant where the associated CV can be constrained; its definition is based on the obtained process model considering the MV time delays. The decision variables were included in the 
 and 
 terms. The QP problem was solved through the MATLAB quadprog solver [
55]. At each control instant 
, the 
MPC Parameters Selector module of 
Figure 7 considers the upper MV constraints provided by the SCADA system taking into account the Torricelli law (see 
Section 2.3) for their potential modification.
At predetermined hours of the day (typically every six hours starting from midnight), the MPC Parameters Selector module computes a long-range prediction of the reservoirs’ volume up to the next prediction time instant. When exploiting a defined lower volume threshold for each reservoir, a potential water shortage indication is given. This indication can be exploited as smart alarm and for the setup of the MPC problem reported in Equations (10) and (11). If a water shortage condition is predicted at the current control instant, none of the soft CVs are considered in Equation (11), and all of the MVs’ weights are zeroed in Equation (10). However, the  and  constraints are maintained in Equation (11). Furthermore, a reference trajectory is assigned to the reservoirs’ volume—the upstream reservoir’s volume tracks its hard lower constraint, while the downstream reservoir’s volume tracks its hard upper constraint. In this way, the best action to fill the downstream reservoir is guaranteed through the introduction of reference trajectories. If a water shortage condition is not predicted at the current control instant, the MPC Parameters Selector module evaluates the DVs’ prediction and, in particular, the prediction of the  flow rate in order to check whether there will be electric energy production on the prediction horizon. If no production is detected and the downstream reservoir volume is lower than a defined threshold (), the MPC Parameters Selector module defines a zone control from the MPC formulation as shown in Equations (10) and (11); the  matrix weights are zeroed in Equation (10). In Equation (11),  and  are considered to be hard constraints, while  and  are not. In this way, an optimal solution can be sought in order to guarantee the transit of the only needed water from the upstream reservoir to the downstream reservoir. On the other hand, if production is detected, the  and  soft constraints are added, but the  matrices’ weights are zeroed in Equation (10) by the MPC Parameters Selector module, in order to avoid minimizing the regulation gate opening.
If the 
MPC module finds a solution (whether in cases of water shortage or not), the first term of the computed control sequence 
—i.e., 
—is sent to the plant. If the 
MPC module does not find a solution (i.e., infeasibility), a suitable 
optimization flag is computed by the 
MPC module and provided to the 
MPC Parameters Selector module (see 
Figure 7). The 
optimization flag reports the cause of the failure—the MPC formulation needs to be adjusted, and a new MPC problem is solved to find a solution. If the current volume of the upstream reservoir violates its 
 constraint—i.e., an overflow condition is likely to occur for the upstream reservoir—and the downstream reservoir’s current volume is no greater than its 
soft upper constraint, the 
hard upper constraint of the upstream reservoir’s volume is set as 
soft. Furthermore, two conditions are distinguished, depending on the violation of the 
soft lower constraint of the downstream reservoir level. If the violation takes place, the same solution for the water shortage condition is adopted. If the condition is not verified, the CVs’ constraints are not considered, and the upstream reservoir volume tracks its 
soft lower constraint while the downstream reservoir volume tracks its 
soft upper constraint. Furthermore, the MVs’ weights are not zeroed in Equation (10). In this way, the best action to avoid wasted water is guaranteed through the introduction of suitable reference trajectories.
If the second MPC attempt fails or the previous conditions are not satisfied, a heuristic law is applied to adjust the MPC formulation in order to find a solution. The heuristic law takes into account the current downstream reservoir volume and computes the desired MV target. This computation is performed by the 
MPC Parameters Selector module, which suitably processes the constraints of the MV, taking into account the desired target. A range 
 is defined for the downstream reservoir volume, represented by a lower and an upper threshold. If the downstream reservoir’s volume is greater than a defined threshold (
), a zero value is desired for the MV; the 
MPC Parameters Selector module suitably processes the constraints of the MV, taking into account the desired target. Otherwise, if the lower threshold is violated, the MV target must be equal to the allowed maximum value. Finally, if the downstream reservoir’s volume is within the defined range, the following equation is used:
        where 
 and 
 are the defined thresholds, 
 is the upper constraint of the MV (see Equation (11)), and 
 is the current downstream reservoir volume obtained thanks to the volume-level relationship reported in Equation (6).
Through the aforementioned procedural steps, the APC system can properly handle the feasibility issues associated with the MPC optimization problem. Moreover, if the optimizer does not find a solution on the first or second attempt, the proposed heuristic law allows the APC system to efficiently control the process.
A set of smart alarms was designed in order to improve the reliability of the proposed APC system. Smart alarms were computed and sent by the 
Bad Detection, Data Conditioning, and DVs Prediction module and by the 
MPC module. Smart alarms computed by the 
Bad Detection, Data Conditioning, and DVs Prediction module refer to the aspects reported in 
Section 2.3—for example, a smart alarm on the detected missed compliance with respect to the electric energy production plan. Examples of smart alarms sent by the 
MPC module refer to the different checks described above, e.g., water overflow or shortage prediction.
To the best of the authors’ knowledge, the proposed APC system, which takes into account bad data detection, local control loop malfunctions, and lack of efficiency flags used in real time, represents an innovation in the literature on hydropower plants. Additional novelties are represented by the proposed 
MPC Parameters Selector module reported in 
Figure 7 and by the designed smart alarms.