Towards Resilient Process Networks - Designing Booster Stations via Quantified Programming

Resilience of a technical system is the ability to overcome minor failures and thus to avoid a complete breakdown of its vital functions. A possible failure of the system's components is one critical case the system designer should keep in mind. From another perspective, resilience can be interpreted as the existence of alternative paths in a process network if resources break down. In this context we deal with process networks corresponding to systems which must be designed to operate in different scenarios. In order to ensure the system's functionality and to step in as a replacement in case of failure, a set of optional resources must be available. This means that the process network must have several degrees of freedom that allow it to react to uncertain events. With those restrictions we try to find a network that is as resource-efficient as possible. Hence, an optimization problem arises which can be modeled using quantified mixed-integer linear programming. As an example of a process which can be modeled using process networks, we investigate the problem of finding cost-efficient resilient topologies of fluid systems that are able to fulfill different load scenarios.


Introduction
In order to describe processes and correlations in complex frameworks like manufacturing companies, IT infrastructures or technical systems, several modeling languages have been developed during the last decades. One famous example originates from Carl Adam Petri's dissertation in 1962, in which he introduced a universal framework to describe information processing systems [1]. These so-called Petri Nets became a precious inspiration for specialized modeling languages like Unified Modelling Language (UML) or Event-driven Process Chains (EPC) in the environments of software architecture and business processes, respectively [2]. However, all these approaches concern the world of discrete process networks and are not designed to handle continuous cases like manufacturing fractional amounts of a good or carrying arbitrary quantities of a fluid.
A generalization of process networks is the consideration of stochastic impacts through different environmental scenarios. For example [3] examines chemical process networks with stochastic demand and supply by using mixed-integer non-linear programming (MINLP) whereas [4] handles a similar problem by conducting a so-called policy-based approximation for the respective multistage model. In fact, these approaches reveal precious techniques to obtain more robust systems but do not consider partial network breakdowns.
In the following, we investigate booster stations, sometimes referred to as pressure booster systems, as a specific class of fluid systems. Like most fluid systems, booster stations can be considered as networks of interconnected single rotary pumps. A main field of application is the supply of buildings or higher floors with drinking water if the supply pressure provided by the water company is not high enough to satisfy the demand at any time. In some cases, one single pump is sufficient, but typically multiple pumps are used in order to be able to deal with flows which are subject to strong fluctuations. For this paper, we use a design concept with continuously variable speed-controlled pumps only. These systems are able to operate efficiently in a wide range of conditions. Our work is based on the insight of previous research on fluid systems. In [5] an approach to automatically find optimal pump system designs was presented using mathematical optimization methods in order to act as an "artificial fluid system designer".
Further work focused specifically on the operation of pumps. In [6], the optimal operation of booster stations with different single pumps was investigated and [7] determined the best operational strategy with regard to the energy efficiency index. Besides that, different modeling and solving techniques were applied. For example, [8] compared linear and non-linear programming techniques while [9] studied favorable combinations between model formulations and mathematical solver packages. In this spirit, [10] used a non-linear model formulation to design decentralized water supply systems for skyscrapers. In addition to generic solver packages, problem-specific primal and dual solution algorithms for the linear formulation were developed in [11] to speed up the solution process. In an attempt to generate robust control strategies for uncertain loads, [12] introduced a robust but energy-efficient activation strategy for switching between the operating and non-operating pumps of booster stations. In [13] so-called "availability scenarios" are considered in order to take the downtime costs of a pump system into account. Thus, their approach focuses on the optimal costs regarding a multicriterial objective, but not explicitly on the systems' resilience.
If a single pump breaks down, a resilient booster station should be able to satisfy the full demand at any time. Thus, finding a cost-optimal resilient system emerges as an optimization problem under uncertainty. For such problems several generic approaches like stochastic programming [14] and robust optimization [15] exist. As the specific problem of designing a resilient booster station is a worst-case optimization (in every case the system must maintain its vital functions, not only in the average case), the former cannot be applied. Since the system design process can be conducted in several consecutive steps, the arising problem is a multistage optimization problem. Hence, quantified mixed-integer programs (QMIP) are used [16].

Process Networks and their Application to Booster Stations
Process networks. We consider a network $(G, s_G, t_G)$ with directed multigraph $G := (V, E)$, where $V$ is an arbitrary finite node set, $E$ denotes the set of edges in $G$ and $s_G, t_G \in V$ are two distinguished nodes. Let $s : E \to V$ and $t : E \to V$ be the functions that assign to each edge its source and target node, respectively. Note that for a multigraph it does not suffice to define an edge by $(u, v) \in V \times V$, as multiple edges might exist between any two nodes $u, v \in V$. We require that $G$ is connected and acyclic. Further, for any node $v \in V$ a (directed) path from the network source $s_G$ to $v$ and from $v$ to the network target $t_G$ exists.
The multigraph $G$ can be interpreted as a process network in the following sense: we say that $s_G$ is some raw product, $t_G$ is some end product, $V$ is a set of (intermediate) products and an edge $e \in E$ converts a given amount of (intermediate) product $s(e)$ to the same amount of (intermediate) product $t(e)$. As a consequence of this interpretation of $G$ we call the edges $e \in E$ processes.
Certainly, this specific modeling of process networks assumes the absence of assembly-like tasks where one (intermediate) product is generated through two or more sub-products. The existence of one raw product and one end product is a further simplification which maintains the derived analogy to classical flow networks with one source and one target.
The usage of a multigraph in the definition of our network was motivated by the intention to permit parallel processes through multiple edges between two nodes. Self-evidently, these edges have to exhibit a uniform direction to avoid forbidden cycles with a length of two. On the other hand, succeeding edges $e_1, e_2 \in E$ with $t(e_1) = s(e_2)$ can be interpreted as sequential processes.
Modeling booster stations as process networks. A possible application can be found in a systematic description of fluid systems, especially booster stations. In this context we identify edges as pumps with specific properties (given by characteristic maps) and nodes as water with specific pressure. This approach is in perfect accordance with the requirement that components of the booster station whose exits merge at the same intersection have to deliver a uniform water pressure at this point.

Uncertainty in Mechanical Engineering III
Applied Mechanics and Materials Vol. 885
For any pump $e \in E$ the correlation between the physical quantities volume flow $Q(e)$, pressure increase (in technical terms also referred to as head) $H(e)$, rotational speed $n(e)$ and power consumption $P(e)$ is described by its characteristic map. There is an opposite relation between volume flow $Q(e)$ and pressure increase $H(e)$. Furthermore, an actual state of $e$ can be described by means of the current rotational speed $n(e)$ and the power consumption $P(e)$, which correlate with $Q(e)$ and $H(e)$ through the so-called affinity laws: $Q(e) \sim n(e)$, $H(e) \sim n(e)^2$ and $P(e) \sim n(e)^3$ [17]. In fact, two of the above four quantities characterize the remaining ones and hence the operating point of $e$. In Figure 1 the correlations between these characteristics are depicted for a generic pump. In the spirit of classical flow network theory we require the conservation of the flow at any intersection $v \in V$. Capacity functions for each edge $e \in E$ come along automatically with the characteristic map of the associated pump regarding the current head $H(e)$. Note that for given $H(e)$ the minimal volume flow through pump $e$ cannot be arbitrarily small and is also given by the pump's characteristic map. We define $p : V \to \mathbb{R}_0^+$ to be a function which allocates the pressure values to the intersections $v \in V$ such that $H : E \to \mathbb{R}$, $H(e) := p(t(e)) - p(s(e))$, has a strictly positive range. Moreover, the functions $Q^{\min}_H, Q^{\max}_H : E \to \mathbb{R}_0^+$ yield minimal resp. maximal volume flows for $e \in E$ by evaluating the characteristic map of the considered pump at the given head $H(e)$. In mathematical terms, the above conditions are: As commonly used, we write $\delta^-(v)$ and $\delta^+(v)$ for the ingoing resp. outgoing edges of a node $v \in V$. Thus, each edge capacity is not only enhanced by a lower bound but both capacity bounds even depend on the selected head $H(e)$ of this edge. In other words, the volume flow through each pump has to comply with the desired head and vice versa. Beyond that, the pumps' operating points determine the energy costs of our running system and should be adjusted very carefully for each pump by considering the specific properties.
Assuming that the pressure $p(s_G)$ at source $s_G$, the desired pressure $p(t_G)$ at target $t_G$ and the expected load are known, we are faced with the challenge of finding a control decision $(H, Q)$ that minimizes the total operational costs of our booster station.
However, this setting only covers parts of the truth since realistic booster stations are confronted with several load scenarios. This comprises different demands of pressure increase and volume flow occurring with varying relative frequency. Let $S = \{1, \ldots, S\}$ be the set of load scenarios. The vectors is the demanded pressure increase. Thus, for every scenario $i \in S$ an optimal control decision $(H_i, Q_i)$ must be computed.

Resilience and Robust Multistage Optimization
Resilient system design. An interesting problem arises when we expand the decisional power from only controlling the pump settings of a given booster station to the design of the booster station itself. This challenge can lead to different optimization models that could involve costs for investment, energy or maintenance on the basis of the given load scenarios [5]. As an extension to this approach one could enlarge the decision basis of the system designer by adding possible breakdown scenarios in order to achieve resilient booster stations.
In this spirit we consider the following special case: starting from a valid configuration $(G, s_G, t_G)$ that is able to satisfy the desired volume flow and pressure increase of any scenario $i \in S$, we are allowed to add some additional edges resp. pumps to the graph $G = (V, E)$ to make the system more robust against breakdowns.
More concretely, we define $I := E$ as the set of initial pumps, $A$ as the set of additional pumps and try to find a subset $A' \subseteq A$ such that $G' := ((V, I \cup A'), s_G, t_G)$ fulfills resilience in the following sense: for each scenario $i \in S$ it has to be ensured that if a single pump $e \in I$ is affected by breakdown, a valid head/flow combination in $G'' := ((V, (I \cup A') \setminus \{e\}), s_G, t_G)$ must exist such that the demanded volume flow and pressure increase in scenario $i$ can always be satisfied.
Hence, a multistage optimization problem arises: the set of bought additional pumps A ′ must be selected such that the lifetime costs of the resulting booster station, i.e. investment costs and operational costs, are minimal. The optimal resilient system configuration can be found by solving a quantified mixed-integer linear program (QMIP).
Quantified programming. Quantified mixed-integer linear programming is a direct and formal extension to mixed-integer linear programming (MIP) utilizing uncertainty bits. In QMIPs the variables are ordered explicitly and they are quantified either existentially or universally resulting in a multistage optimization problem under uncertainty:

Definition (Quantified Mixed-Integer Linear Program).
Let there be a vector of $n$ variables $x = (x_1, \ldots, x_n)^T \in \mathbb{Q}^n$, lower and upper bounds $l \in \mathbb{Q}^n$ and $u \in \mathbb{Q}^n$ with $l_i \le$

Note that the objective function is actually a minmax function alternating according to the quantifier sequence: existential variables are set with the goal of minimizing the objective value while obeying the constraint system whereas universal variables are aiming at a maximized objective value. For more details, we refer to [18]. QMIPs allow a straightforward modeling of multistage optimization problems and the domain of universal variables might be modeled explicitly using a second linear constraint system [19].
Solutions of QMIPs are strategies for assigning existentially quantified variables such that the linear constraint system Ax ≤ b is fulfilled. One way to deal with quantified programs is to build the corresponding deterministic equivalent program (DEP) [18,20] and to solve the resulting MIP using standard MIP-solvers. Further, a novel open-source solver for QMIPs is available [21] performing an enhanced game tree search.

Problem Statement and Approach
Problem statement. Our goal is to generate cost-efficient resilient booster stations out of non-resilient ones. The requirements for the case of resilient booster stations are manifested in the DVGW code of practice "DIN 1988-500: Pressure boosting stations with RPM-regulated pumps" [22]. It states that booster stations must have at least one stand-by pump. If one pump breaks down, the system must be able to satisfy the peak flow and thus all demanded loads at any time. In order to avoid stagnation water, an automatic, cyclic interchange between all pumps including the stand-by pumps is necessary. Therefore, all pumps have to operate at least once in 24 hours. This additional requirement is strongly connected to the cost-efficiency goal.
In this work the relevant costs for a booster station are the investment costs for the stand-by pumps as well as the operational costs of the overall system over a predefined lifespan. As the breakdown cases are expected to only take place in a small amount of time compared to the lifespan, due to short repair times, they do not significantly affect the operational costs of the system and are therefore neglected. However, the requirement for all pumps to operate once in 24 hours, i.e. in at least one of the daily repeating load scenarios, massively affects the operational costs. Given this circumstance, it is not a trivial task to determine by which stand-by pumps the system should be extended in order to obtain a cost-optimal system. Theoretically, a set of pumps or entire subsystems can be connected either in parallel or in series. However, according to today's practice only parallel connections are favorable from a technical point of view [23]. As mentioned in [8] two major reasons exist for considering parallel arrangements: Firstly, heavy part loads caused by the deactivation of single pumps are avoided. Secondly, in case of failure of a single pump the remaining system components are not directly affected and retain their full functionality. Although serial arrangements are generally conceivable, the resulting control strategies between two operating points are very difficult to realize in practice. We make use of this circumstance to obtain significantly smaller pump networks by using parallel connections only. Figure 2 shows such a network with four parallel pumps.
Quantified optimization model. Our model consists of five stages corresponding to variable blocks in the QMIP. The first existential block primarily represents the investment decision concerning the additional pumps. In the universal second variable block the load scenario is selected. The existential third variable block is used to determine the cost-optimal operating point of the available pumps for the given scenario. In the following universal variable block one of the initial pumps is chosen for breakdown. The final existential block is used to check whether the remaining pumps (without the broken one) are able to fulfill the selected load scenario.
As the handling of the breakdown-control and the standard-control is independent, and only depends on the first-stage investment decision, we could also have built a three-stage model: investment decision (first stage), selection of a load and a breakdown scenario (second stage), and finally computing the standard-control and the breakdown-control (third stage). However, using five stages has significant advantages. Firstly, the chosen variable sequence indicates the processing order more accurately: for any scenario, we must provide a standard-control first and subsequently valid breakdown-controls must be ensured for the particular scenario. Secondly, the DEP contains significantly fewer variables, since the standard-control decision variables do not have to be duplicated for each breakdown scenario [18]. A similar argument is valid for game tree search methods: if modeled as a three-stage QMIP, the standard-control found for one breakdown scenario must be rediscovered for another breakdown scenario, even though it could simply stay the same. Table 2 the variables used for the QMIP. For the sake of compact presentation, we do not explicitly state the quantification vector $Q \circ x$. However, in Table 2 both the stage and thus the variable order as well as the variable quantification is given.

$$x^B_p + \beta_p \le 1 \quad \forall p \in I \tag{10}$$
$$\rho_p = \rho_p(q_p, n_p) \quad \forall p \in P \tag{11}$$
The objective function (1) aims at minimizing the weighted operational costs in the scenarios as well as the costs resulting from buying additional pumps. Constraint (2) links the first and third variable block as well as the first and fifth variable block by demanding that only purchased pumps can be used. The feature that each pump must be used in at least one of the appearing load scenarios is guaranteed by Constraints (3), (4) and (5). Constraints (6)-(9) link the universal variable decision of the selected scenario and the selected broken pump with the corresponding existential variables, while Constraint (10) prohibits the use of a broken pump. The operating point of a used pump must lie on its characteristic curve, which describes the non-linear relation between $h_p$, $q_p$, $n_p$ and $\rho_p$. This coherence is outlined in (11) and (12) and is modeled using the linearization technique presented in [24]. As the power consumption of the booster station in the case of a breakdown is not a subject of the optimization, the non-linear relation between $h^B_p$ and $q^B_p$ can be modeled more easily: (13) ensures that the selected operating point $(h^B_p, q^B_p)$ lies somewhere within the characteristic map without specifying the speed of the pump. Hence, linearizing the boundaries of the map and checking their fulfillment suffices. Constraints (14)-(17) ensure that the demanded volume flow and pressure increase of the selected load scenario are fulfilled in both the standard-control and the breakdown-control. Note that resolving the non-linearity in (14) and (15) is a trivial task by using a Big M formulation. Constraints (18)-(21) set bounds on the volume flow and the pressure increase of a used pump and deal with unused pumps in particular. In (22) the power consumption resulting from the selected standard-control is transformed into energy costs.
Note that the universal integer variables $s$ and $b$ and the existential binary variables $\sigma$ and $\beta$ are very similar and closely linked through Constraints (6)-(9). One might suggest that the binary variables $\sigma$ and $\beta$ could just as well be universal variables and thus replace $s$ and $b$. However, exactly one load and one breakdown scenario each must be selected. This would lead to a restriction of these variables as it is done in Constraints (6) and (8). But restricting universal variables using linear constraints (instead of simple variable bounds) requires further actions and a certain overhead [19].
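The quantifier sequence of the model (investment, load scenario, standard-control, breakdown, breakdown-control) can be checked by brute force on a small parallel network. The following Python sketch is an added example and not the authors' QMIP: it minimizes investment costs only (no operational costs, no 24-hour rule), and the pump map $H = a n^2 - b Q^2$, the pump names and all numbers are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations
from math import sqrt

EPS = 1e-9

@dataclass(frozen=True)
class Pump:
    name: str
    a: float              # shut-off head at full speed [m] (constructed)
    b: float              # curve steepness [m / (m^3/h)^2] (constructed)
    cost: float           # investment cost, relevant for candidates only
    n_min: float = 0.6    # lowest admissible relative speed
    q_floor: float = 0.5  # smallest admissible volume flow [m^3/h]

def flow_range(p, head):
    """(Q_min(H), Q_max(H)) of pump p at the given head, or None if unreachable.

    Assumed map: H = a*n^2 - b*Q^2 for relative speed n in [n_min, 1], i.e. the
    full-speed curve a - b*Q^2 scaled by the affinity laws Q ~ n, H ~ n^2.
    """
    if p.a <= head:
        return None
    q_max = sqrt((p.a - head) / p.b)
    q_slow = sqrt(max(p.a * p.n_min ** 2 - head, 0.0) / p.b)
    q_min = max(q_slow, p.q_floor)
    return (q_min, q_max) if q_min <= q_max else None

def can_serve(pumps, head, flow):
    """Existential stage: some set of running parallel pumps delivers `flow`."""
    ranges = [r for r in (flow_range(p, head) for p in pumps) if r is not None]
    for k in range(1, len(ranges) + 1):
        for active in combinations(ranges, k):
            lo = sum(r[0] for r in active)
            hi = sum(r[1] for r in active)
            if lo - EPS <= flow <= hi + EPS:
                return True
    return False

def is_resilient(initial, extra, scenarios):
    """Every scenario has a standard-control and survives any single breakdown."""
    for head, flow in scenarios:                        # universal: scenario
        if not can_serve(initial + extra, head, flow):  # standard-control
            return False
        for i in range(len(initial)):                   # universal: breakdown
            rest = initial[:i] + initial[i + 1:] + extra
            if not can_serve(rest, head, flow):         # breakdown-control
                return False
    return True

def cheapest_extension(initial, candidates, scenarios):
    """First stage: cheapest subset A' of the candidates that gives resilience."""
    best = None
    for k in range(len(candidates) + 1):
        for subset in combinations(candidates, k):
            if is_resilient(initial, list(subset), scenarios):
                option = (sum(p.cost for p in subset),
                          tuple(p.name for p in subset))
                if best is None or option < best:
                    best = option
    return best

# Constructed sample data (not the Wilo pumps or load scenarios of the paper).
INITIAL = [Pump("init-A", 40.0, 1.0, 0.0), Pump("init-B", 40.0, 0.25, 0.0)]
CANDIDATES = [
    Pump("cand-S", 40.0, 1.0, 1000.0),   # same curve as init-A
    Pump("cand-X", 40.0, 0.4, 1500.0),   # a size not yet installed
    Pump("cand-M", 40.0, 0.25, 1800.0),  # same curve as init-B
    Pump("cand-L", 50.0, 0.25, 2500.0),
]
SCENARIOS = [(24.0, 10.0), (15.0, 3.0), (12.0, 2.5)]  # (head [m], flow [m^3/h])

if __name__ == "__main__":
    print(cheapest_extension(INITIAL, CANDIDATES, SCENARIOS))
```

On this data, duplicating the larger installed pump does not give resilience, because its minimal flow at low head exceeds the small load once init-A is out of service.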

Computational Study
Setting. In order to demonstrate the impact of our research, we investigate two artificial examples. Figure 3 schematically illustrates the characteristic maps of the used Wilo Economy MHIE model

As the game tree search itself can only deal with continuous variables in the final variable block, we use the option of creating and solving the corresponding DEP. As the run times of the inspected instances were in the range of seconds, we will not deepen this subject any further.
Example 1. As a first example, we investigate a system which is already optimized regarding the sum of investment and operational costs over a predefined set of load scenarios for the non-resilient case, shown on the left-hand side of Table 3. This system consists of one pump each of the types 206, 403, 406 and 803 connected in parallel and has initial operational costs of 75 288.88 € assuming a lifetime of ten years. In order to transform this given (functional) booster station into a resilient one, we apply the presented optimization model. The set of selectable pumps A contains each pump of the Wilo MHIE series once. According to the solution of the QMIP, it is optimal to add the additional pump 205 with investment costs of 1 805 € to the system. This might seem somewhat surprising at first glance: even though the system was optimized for the non-resilient case, none of the already installed pumps is doubled and instead a new type is added to the network in order to compensate for the breakdown of one of the initial pumps. This shows that even for an optimized system finding a resilient configuration is a non-trivial task. Compared to the original system, the selected additional pump is operational in the first scenario, which results in an increase of the lifetime operational costs of only 3.52 € compared to the non-resilient case. Summing up, the minimal additional costs to make the initial booster station resilient are 1 808.52 €.
Example 2. As a second example, we consider the case of an initial system with multiple identical pumps connected in parallel following the common conventional design approach. The obvious way to achieve the addressed sense of resilience for such a system is to add another pump of the same type to the network. However, cheaper configurations might exist. For this example, we investigate such a system with three pumps of the 406-type. The corresponding load scenarios can be found on the right-hand side of Table 3 and the system is projected to be operational for five years. Again, as in the previous example, we want to transform the not yet resilient system into a resilient one by adding pumps of the Wilo Economy MHIE series at most once. After solving the arising QMIP, it is suggested to buy the not yet present pump type 403 as an expansion of the network. Following this suggestion, the operational costs decrease in scenarios 2, 3 and 4 in comparison to the initial system. This is due to the fact that the initial system was not optimal itself for the given load scenarios, a circumstance occurring frequently as systems are often designed to cover a broad range of conditions for various applications. Regarding the financial effects of this investment decision, 2 243.30 € can be saved over the five years compared to adding a fourth pump of the 406-type in order to reach resilience. These savings result from two different reasons: firstly, selecting the 404 pump with lower investment costs and secondly, being able to operate more efficiently in the individual load scenarios as a better system operating point can be reached with the addition of a 404-type pump.

Conclusion and Outlook
In this paper, we presented an approach to design cost-efficient resilient process networks exemplified by booster stations. To this end, we introduced a generic abstract representation for networks of continuous processes. In a subsequent step, quantified programming was utilized in order to design resilient process networks. The presented approach is suited for booster stations, but adjusting it for other tasks in the domain of process networks can be considered straightforward, provided attention is paid to the problem-specific properties.
The application to booster stations has the potential to support system designers in two different ways. Firstly, achieving resilience is made easy. The system designer can focus on the main functionality while the approach takes care of resilience. Also existing non-resilient systems can be transformed into resilient ones without questioning the initial system. Secondly, the approach helps to overcome smaller design disadvantages: on top of achieving resilience it can help to save energy. This is also beneficial with regard to off-the-shelf systems as they can be made resilient as well as adapted to the actual load conditions simultaneously. Thus, the presented approach combines resource-efficiency and reliability. Further, the resulting systems are in line with the "DIN standard 1988-500" and easy to integrate in the design process due to reasonable run times for practical system sizes.
For future research there are several potential directions. The approach might be extended to the entire design process of booster stations including advanced systems which are not limited to the parallel placement of pumps. Furthermore, other applications in the field of process networks can be examined.