The present disclosure relates to a monitoring and controlling system.
A monitoring and controlling system includes a non-safety system for performing operation control of a plant in a normal case, and a safety system for performing protection of the plant in an abnormal case. The safety system and the non-safety system each include local equipment such as a human machine interface (hereinafter, referred to as HMI) system, a distributed control system (hereinafter, referred to as DCS), a sensor, and an actuator. In particular, in a case where a monitoring target is a nuclear power plant, the safety system is required to execute the function of a safety protection device for the plant independently of the non-safety system, and it is necessary to make such designing that the safety function is not hampered and a plurality of safety devices do not perform unnecessary operations, even if the non-safety system transmits any erroneous signal.
As a designing method for addressing such requirements, it is conceivable that a safety HMI system transmits and receives signals to and from only a safety DCS, and a non-safety HMI system transmits and receives signals to and from only a non-safety DCS. However, in this method, it is necessary to monitor and operate both the safety HMI system and the non-safety HMI system in monitoring operation for a plant, so that the load on the plant operator increases. Therefore, in terms of load reduction, it is required to achieve monitoring operation for the entire plant from one of the HMI systems.
For example, Patent Document 1 discloses technology that enables monitoring operation also for safety devices by a non-safety HMI system and achieves independence of a safety system from a non-safety system. That is, this technology makes it possible to perform monitoring operations for both a safety DCS and a non-safety DCS from the non-safety HMI system in a normal case, and makes it possible to ensure safety of a plant by a safety HMI system in a case where abnormality has occurred in the non-safety system.
In the technology disclosed in Patent Document 1, in a case where an operator of the plant has detected abnormality of the non-safety system, the operator operates a blocking device provided to the safety HMI system so that a signal from the non-safety HMI system to the safety system is blocked. Thus, even if abnormality has occurred in the non-safety HMI system, the safety system is not influenced.
However, in this design, in order to block an erroneous signal from the non-safety HMI system, the plant operator needs to detect the abnormality and operate the blocking device, and therefore the plant operator needs to detect the abnormality assuredly and quickly. Further, in a case where the non-safety HMI system transmits an erroneous signal in the period between the occurrence of the abnormality in the non-safety HMI system and its detection by the plant operator, the safety DCS and the safety protection device which is a monitoring target might be induced to perform unnecessary operations, even though the safety function itself might not be hampered.
The present disclosure has been made to solve the above problem, and an object of the present disclosure is to provide a monitoring and controlling system having improved safety.
A monitoring and controlling system according to the present disclosure is a monitoring and controlling system of which monitoring-and-control targets are a plant control device for controlling a plant and a safety protection device for performing safety protection of the plant, the monitoring and controlling system including: a non-safety system which monitors and controls the plant control device and the safety protection device; and a safety system which monitors and controls the safety protection device. The non-safety system includes a first operation switch for operating the safety protection device. The safety system includes a second operation switch for operating the safety protection device, a parameter generation circuit which transmits a parameter to the non-safety system, and a coincidence determination circuit which determines whether or not a parameter returned from the non-safety system and the parameter transmitted from the parameter generation circuit coincide with each other. In a case where the coincidence determination circuit determines that the parameters do not coincide with each other, the safety system blocks an output signal from the first operation switch of the non-safety system.
In the monitoring and controlling system according to the present disclosure, a safety system automatically blocks a signal from a non-safety system when the non-safety system is abnormal, thus improving safety of the monitoring and controlling system.
Hereinafter, embodiments will be described with reference to the drawings. A case where a monitoring target of a monitoring and controlling system is a nuclear power plant will be described as an example, but the monitoring target is not limited thereto. Another plant may be a target. In the drawings, the same reference characters denote the same or corresponding parts.
Hereinafter, a monitoring and controlling system according to embodiment 1 will be described with reference to
In
The safety HMI system 1 is provided with an ON-operation switch 11 and an OFF-operation switch 12 for operating a safety protection device 200, and by operating the switches 11, 12, an operation signal is outputted to the safety protection device 200 via the safety DCS 3.
The non-safety HMI system 2 is provided with a switch (not shown) for operating a nuclear reactor control device 300, and an ON-operation switch 21 and an OFF-operation switch 22 for operating the safety protection device 200. By operating the switches 21, 22, an operation signal is outputted to the safety protection device 200 via the safety DCS 3, and by the switch (not shown), an operation signal is outputted to the nuclear reactor control device 300 via the non-safety DCS 4.
Here, description of monitoring and control for the nuclear reactor control device is omitted.
The safety DCS 3 includes a coincidence determination circuit 31, an AND circuit (logical conjunction circuit) 32, a parameter generation circuit 33, and an OR circuit (logical disjunction circuit) 34.
The safety DCS 3 transmits a parameter generated by the parameter generation circuit 33, to the non-safety HMI system 2. The non-safety HMI system 2 returns the parameter received from the parameter generation circuit 33 of the safety DCS 3, to the safety DCS 3.
In the safety DCS 3, the coincidence determination circuit 31 receives the parameter generated by the parameter generation circuit 33 and the parameter returned from the non-safety HMI system 2, and if both signals coincide with each other, an ON signal is outputted to the AND circuit 32.
The AND circuit 32 receives an operation signal from the non-safety HMI system 2, i.e., either an ON signal from the ON-operation switch 21 or an OFF signal from the OFF-operation switch 22, and an output signal from the coincidence determination circuit 31, and only when both signals are ON, the AND circuit 32 outputs an ON signal to the OR circuit 34.
The OR circuit 34 receives an output signal from the AND circuit 32, and an operation signal from the safety HMI system 1, i.e., either an ON signal from the ON-operation switch 11 or an OFF signal from the OFF-operation switch 12. If one of the signals inputted to the OR circuit 34 is ON, the OR circuit 34 outputs an operation signal to the safety protection device 200.
In a case where abnormality has occurred in the non-safety system 20, the parameter from the parameter generation circuit 33 of the safety DCS 3 is either not returned or is returned as an abnormal signal. In this case, the parameter generated by the parameter generation circuit 33 and inputted to the coincidence determination circuit 31 and the parameter returned from the non-safety HMI system 2 do not coincide with each other, so that the AND circuit 32 automatically blocks the operation signal outputted from the non-safety HMI system 2.
For example, a parameter P1 is generated by the parameter generation circuit 33, and then, in a case where the non-safety system 20 is normal, the parameter P1 is returned to the coincidence determination circuit 31, and the coincidence determination circuit 31 outputs an ON signal to the AND circuit 32.
At this time, if an operation signal from the non-safety HMI system 2 is an ON signal, an ON signal is outputted to the OR circuit 34 and an operation signal is outputted from the safety DCS 3 to local equipment related to safety. On the other hand, if an operation signal from the non-safety HMI system 2 is an OFF signal, an ON signal is not outputted to the OR circuit 34, but if an operation signal from the safety HMI system 1 is ON, an operation signal is outputted from the OR circuit 34 to the safety protection device 200.
For example, a parameter P1 is generated from the parameter generation circuit 33, and then, in a case where abnormality has occurred in the non-safety system 20, a parameter P2 is returned to the coincidence determination circuit 31, or no parameter is returned. Thus, the coincidence determination circuit 31 does not output an ON signal to the AND circuit 32. In a case where abnormality has occurred, irrespective of whether an operation signal from the non-safety HMI system 2 is an ON signal or an OFF signal, an ON signal is not outputted from the AND circuit 32 to the OR circuit 34. That is, an operation signal from the non-safety HMI system 2 is blocked. Therefore, if an operation signal from the safety HMI system 1 is an ON signal, an operation signal is outputted from the OR circuit 34 to local equipment related to safety, and if an operation signal from the safety HMI system 1 is an OFF signal, an operation signal is not outputted from the OR circuit 34 to the safety protection device 200.
Thus, since an operation signal from the non-safety HMI system 2 is blocked, there is no possibility of causing local equipment related to safety to erroneously operate. If an operation signal from the safety HMI system 1 is switched to an ON signal by the ON-operation switch 11, an operation signal is outputted from the OR circuit 34, whereby the safety protection device 200 can be continuously operated.
In a case where the non-safety HMI system 2 is abnormal, it is desirable that an operation signal from the non-safety HMI system 2 is blocked from being outputted to the nuclear reactor control device 300 via the non-safety DCS 4. For example, as shown by a broken-line arrow in
By the way, there is known a technology in which check data is transmitted with its destination set to an own device, and if received data and the transmitted data do not coincide with each other, transmission and reception of signals other than check data are stopped (e.g., Japanese Laid-Open Patent Publication No. 61-290836). However, the monitoring and controlling system 100 according to the present embodiment is not for merely stopping transmission and reception of signals. In a case where abnormality has occurred in the non-safety system, an operation signal from the non-safety HMI system 2 is blocked and therefore there is no possibility of causing the safety protection device 200 to erroneously operate. Further, if an operation signal from the safety HMI system 1 is switched to an ON signal by the ON-operation switch 11, an operation signal is outputted from the OR circuit 34, whereby the safety protection device 200 can be continuously operated. Thus, safety of the monitoring and controlling system configured as a duplex system as described above is improved.
As described above, according to the present embodiment 1, in a case where the non-safety system 20 is abnormal, the safety system 10 automatically blocks an output signal from the non-safety system 20, thus enabling improvement in safety of the monitoring and controlling system 100.
That is, a parameter is transmitted from the safety DCS 3 to the non-safety system 20, which performs transmission to the safety DCS 3, and the non-safety HMI system 2 of the non-safety system 20 that has received the parameter returns a signal to the safety DCS 3, whereby not only the transmission path but also the soundness of the non-safety HMI system 2 is confirmed. Thus, in a case where the non-safety HMI system 2 is abnormal, the safety DCS 3 does not permit a signal from the non-safety DCS 4, whereby it is possible to prevent unnecessary operation of the safety function due to an erroneous signal from the non-safety system 20. In addition, if the operation signal from the safety HMI system 1 is switched to an ON signal by the ON-operation switch 11, an operation signal is outputted from the OR circuit 34, whereby the safety protection device 200 can be continuously operated.
Hereinafter, the configuration of a monitoring and controlling system according to embodiment 2 will be described with reference to
In
In the safety DCS 3, the parameter returned from the non-safety HMI system 2 is inputted to the coincidence determination circuit 31 through the signal switchover circuit 35.
If a permission signal is inputted from the permission switch 5, the signal switchover circuit 35 outputs the parameter returned from the non-safety HMI system 2, as it is. On the other hand, if a permission signal is not inputted from the permission switch 5, the signal switchover circuit 35 outputs a signal different from the parameter generated by the parameter generation circuit 33.
In the safety DCS 3, the coincidence determination circuit 31 receives the parameter generated by the parameter generation circuit 33 and a signal outputted from the signal switchover circuit 35, and if both signals coincide with each other, the coincidence determination circuit 31 outputs an ON signal to the AND circuit 32. The subsequent operation is the same as that in embodiment 1.
In the above configuration, in a case where operation from the non-safety HMI system 2 is permitted by the permission switch 5, the coincidence determination circuit 31 compares the parameter returned from the non-safety HMI system 2 and the parameter generated by the parameter generation circuit 33, and if both parameters coincide with each other, operation from the non-safety HMI system 2 is accepted. However, in a case where the permission switch 5 does not output a permission signal, signals to be inputted to the coincidence determination circuit 31 can be forcibly controlled not to coincide with each other through operation of the signal switchover circuit 35. Thus, as shown in
For example, in a case where an operator of the plant has detected abnormality in the non-safety system, the permission switch 5 is operated so as not to output a permission signal, whereby soundness of the system can be kept. In addition, it is also possible to cope with such a situation that the same parameter as a parameter generated by the parameter generation circuit 33 is accidentally returned even though abnormality has occurred in the non-safety system.
As described above, according to embodiment 2, the same effects as those in embodiment 1 are provided. Further, since the permission switch 5 is provided, if abnormality of the non-safety system 20 is detected, the safety DCS 3 can operate so as not to permit a signal from the non-safety DCS 4, whereby safety of the monitoring and controlling system 100 can be further improved.
Hereinafter, the configuration of a monitoring and controlling system according to embodiment 3 will be described with reference to
As described also in embodiment 1, in
Next, operation will be described.
The safety DCS 3 transmits a parameter generated by the parameter generation circuit 33, to the non-safety DCS 4. The non-safety DCS 4 returns the parameter received from the parameter generation circuit 33 of the safety DCS 3, to the safety DCS 3.
In the safety DCS 3, the parameter returned from the non-safety DCS 4 is inputted to the coincidence determination circuit 31 through the signal switchover circuit 35.
If a permission signal is inputted from the permission switch 5, the signal switchover circuit 35 outputs the parameter returned from the non-safety DCS 4, as it is.
On the other hand, if a permission signal is not inputted from the permission switch 5, the signal switchover circuit 35 outputs a signal different from the parameter generated by the parameter generation circuit 33. That is, as in embodiment 2, the signal switchover circuit 35 switches a signal to be inputted to the coincidence determination circuit 31, by the signal from the permission switch 5.
Thus, since an operation signal from the non-safety HMI system 2 is inputted to the safety DCS 3 through the non-safety DCS 4, not only an operation signal from the non-safety HMI system 2 but also an automatic control signal from the non-safety DCS 4 to the safety DCS 3 becomes a determination target in the coincidence determination circuit 31. In this way, soundness of the non-safety HMI system 2 and the non-safety DCS 4 can be confirmed.
As described above, according to embodiment 3, the same effects as those in embodiments 1 and 2 are provided. Further, since soundness of both of the non-safety HMI system 2 and the non-safety DCS 4 is confirmed, safety of the monitoring and controlling system 100 can be further improved.
In embodiments 1 to 3, it has been described that a parameter generated by the parameter generation circuit 33 is transmitted. In this regard, the parameter generated by the parameter generation circuit 33 may be changed at certain time intervals. In a case where an abnormal state has occurred in which the return signal from the non-safety HMI system 2 or the signal outputted from the non-safety DCS 4 is fixed at a constant value, changing the parameter at certain time intervals allows the abnormal state to be found on the basis of whether or not the non-safety HMI system 2 or the non-safety DCS 4 successfully responds to the changed parameter. That is, in such an abnormal state, the parameters do not coincide with each other in the coincidence determination circuit 31, and thus the abnormality can be detected.
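The echo check of embodiment 1, the permission switch 5 and signal switchover circuit 35 of embodiment 2, and the periodically changed parameter described above, as an added simulation that is not part of the original disclosure. The class and function names, the use of an incrementing integer as the parameter, and the scenario values are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SafetyDCS:
    """Model of safety DCS 3: parameter generation circuit 33, coincidence
    determination circuit 31, AND circuit 32, OR circuit 34, and the permission
    switch 5 / signal switchover circuit 35 of embodiment 2 (names assumed)."""
    counter: int = 0         # state of parameter generation circuit 33 (assumed integer)
    permitted: bool = True   # permission switch 5: True = permission signal present
    current: int = field(init=False)

    def __post_init__(self) -> None:
        self.current = self.tick()

    def tick(self) -> int:
        """Advance one time interval: issue a fresh parameter so a stuck echo cannot pass."""
        self.counter += 1
        self.current = self.counter
        return self.current

    def coincidence(self, returned: Optional[int]) -> bool:
        """Coincidence determination circuit 31, fed through signal switchover circuit 35."""
        if not self.permitted:
            returned = None   # switchover circuit 35 substitutes a non-coinciding value
        return returned is not None and returned == self.current

    def output(self, returned: Optional[int], non_safety_on: bool, safety_on: bool) -> bool:
        """AND circuit 32 gates the non-safety HMI 2 signal with the echo check;
        OR circuit 34 merges the result with the safety HMI 1 signal."""
        gated = non_safety_on and self.coincidence(returned)   # AND circuit 32
        return gated or safety_on                              # OR circuit 34


def run_scenarios() -> dict:
    """Constructed scenarios; keys map to the cases discussed in the text."""
    dcs = SafetyDCS()
    results = {}
    p = dcs.tick()
    # Normal: non-safety HMI 2 echoes the parameter, switch 21 ON reaches device 200.
    results["normal_on"] = dcs.output(p, non_safety_on=True, safety_on=False)
    # Abnormal: no echo returned, so switch 21 is blocked by AND circuit 32.
    results["no_echo"] = dcs.output(None, non_safety_on=True, safety_on=False)
    # Abnormal: echo frozen at the previous parameter; rotating the parameter exposes it.
    stale = dcs.current
    dcs.tick()
    results["stuck_echo"] = dcs.output(stale, non_safety_on=True, safety_on=False)
    # Safety HMI 1 switch 11 still operates device 200 via OR circuit 34 while blocked.
    results["safety_override"] = dcs.output(None, non_safety_on=True, safety_on=True)
    # Embodiment 2: permission withdrawn, so even a correct echo is forced to mismatch.
    dcs.permitted = False
    p = dcs.tick()
    results["permission_withdrawn"] = dcs.output(p, non_safety_on=True, safety_on=False)
    return results
```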
In the above embodiments 1 to 4, the safety system 10 and the non-safety system 20 of the monitoring and controlling system 100 are formed by a processor 101 and a storage device 102 as shown in a hardware example in
The safety HMI system 1 and the safety DCS 3 of the safety system 10 and the non-safety HMI system 2 and the non-safety DCS 4 of the non-safety system 20 may each have the configuration of hardware as shown in
In the above embodiments 1 to 4, in a case where monitoring target equipment is a general plant, it can be construed that the non-safety system 20 monitors and controls a control device for a plant and a safety protection device for the plant, and the safety system 10 monitors and controls the safety protection device for the plant. That is, an example of the plant is a nuclear power plant, and an example of the most preferable target of monitoring and control in the present disclosure is a nuclear power plant.
Although the disclosure is described above in terms of various exemplary embodiments and implementations, it should be understood that the various features, aspects, and functionality described in one or more of the individual embodiments are not limited in their applicability to the particular embodiment with which they are described, but instead can be applied, alone or in various combinations, to one or more of the embodiments of the disclosure.
It is therefore understood that numerous modifications which have not been exemplified can be devised without departing from the scope of the present disclosure. For example, at least one of the constituent components may be modified, added, or eliminated. At least one of the constituent components mentioned in at least one of the preferred embodiments may be selected and combined with the constituent components mentioned in another preferred embodiment.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2022/002513 | 1/25/2022 | WO |