The present disclosure relates to a safety protection system backup device.
In a nuclear power plant, a reactor trip breaker is one of the devices in the protection-system facility used to shut down the nuclear reactor when an abnormality has occurred. A control rod drive device is supplied with power from a power bus via a power converter and the reactor trip breaker; when the reactor trip breaker is released (opened), the control rod drive device loses power and the control rods are inserted into the reactor, shutting it down. In addition to the reactor trip breaker, the protection-system facility includes safety system equipment such as pumps and valves for injecting cooling water into the reactor to cool it urgently in the case of abnormality.
The protection-system facility receives signals from various detection sensors, and, if its protection logic determines that the nuclear reactor needs to be shut down or urgently cooled, it generates a nuclear reactor shutdown signal and transmits an operation (release) request signal to the reactor trip breaker or the safety system equipment.
The protection-system facility is multiplexed (made redundant) to achieve high reliability, but when a common cause failure (CCF) occurs across the multiplexed devices, the operation (release) request signal may fail to reach the reactor trip breaker and the like even though an abnormality has occurred in the plant.
To shut down the nuclear reactor correctly when a CCF has occurred in the protection-system facility, a method of installing a CCF countermeasure facility that backs up the protection-system facility has been disclosed (e.g., see Patent Document 1). The main cause of a CCF in a multiplexed protection-system facility is a software error common to the multiplexed devices. Therefore, the CCF countermeasure facility is an analog facility composed of electric circuit parts such as switches and relays, and it determines from the detection sensor signals whether the nuclear reactor needs to be shut down. Upon receiving a nuclear reactor shutdown signal from the CCF countermeasure facility, a power conversion device interrupts the power supply to the reactor trip breaker. The control rod drive device thereby loses power and the control rods are inserted into the nuclear reactor, so that the reactor is shut down.
However, when the CCF countermeasure facility is an analog facility composed of switches, relays, and the like as in Patent Document 1, signal input devices corresponding in number to the detectors are required, and signal output devices corresponding in number to the site devices of the protection-system facility are also required.
In addition, although the CCF device may be designed and produced to a lower design grade than the protection-system facility, which is the regular system facility, a separation device such as a relay or a fuse must be provided between the CCF device and the protection-system facility so that an electric fault in the CCF device does not affect the protection-system facility. The number of functions implemented in the CCF device therefore increases, and the scale of the CCF device grows with the number of inputs and outputs.
The present disclosure has been made to solve the above problem and an object of the present disclosure is to provide a safety protection system backup device in which the scale of a CCF device is not increased even if the number of detectors and safety-system local components is increased.
A safety protection system backup device according to the present disclosure detects a state of a plant and, if an abnormality is found, issues an instruction to a safety-system local component according to an output of a first safety protection logic in a safety protection device; if a common cause failure is found in the safety protection device, it issues the instruction to the safety-system local component according to an output of a second safety protection logic in a CCF device. The safety protection system backup device includes: a detector which detects a state of the plant; first and second analog/digital conversion circuits which are disposed in an input device of the safety protection device and perform digital conversion on an output of the detector; a first communication control circuit which is disposed in the input device and transmits a signal outputted from the first analog/digital conversion circuit to a first calculation processing unit of the safety protection device; a second communication control circuit which is disposed in the input device and transmits a signal outputted from the second analog/digital conversion circuit to the CCF device; a third communication control circuit which is disposed in the first calculation processing unit, receives an output of the first communication control circuit, and transmits it to the first safety protection logic of the first calculation processing unit; a fourth communication control circuit which receives an output of the second communication control circuit and transmits it to the second safety protection logic disposed in a second calculation processing unit of the CCF device; a fifth communication control circuit which is disposed in the first calculation processing unit and transmits an output of the first safety protection logic; a sixth communication control circuit which is disposed in the second calculation processing unit and transmits an output of the second safety protection logic; a seventh communication control circuit which is disposed in an output device region of the safety protection device and receives the signal transmitted from the fifth communication control circuit; an eighth communication control circuit which is disposed in the output device region and receives the signal transmitted from the sixth communication control circuit; a first digital/analog conversion circuit which is disposed in the output device region and performs analog conversion on the signal of the seventh communication control circuit; a second digital/analog conversion circuit which is disposed in the output device region and performs analog conversion on the signal of the eighth communication control circuit; and a hardware circuit to which the signal of the first or second digital/analog conversion circuit is inputted and which outputs to the safety-system local component. The first safety protection logic and the second safety protection logic execute digital signal processing based on logical configurations different from each other. The first and second analog/digital conversion circuits are composed of circuits or parts different from each other, as are the first and second digital/analog conversion circuits. The communication protocol between the first and third communication control circuits is different from that between the second and fourth communication control circuits, and the communication protocol between the fifth and seventh communication control circuits is different from that between the sixth and eighth communication control circuits.
In the safety protection system backup device according to the present disclosure, the first safety protection logic in the safety protection device and the second safety protection logic in the CCF device execute different application software. The input device and the output device can therefore be shared by the safety protection device and the CCF device, an input device and an output device exclusive to the CCF device need not be provided, and an increase in the number of detectors and safety-system local components can be accommodated without increasing the scale of the CCF device.
Hereinafter, preferred embodiments of a safety protection system backup device according to the present disclosure will be described with reference to the drawings. The same or corresponding components and parts are denoted by the same reference characters, and detailed description thereof is omitted. Components denoted by the same reference characters are not described repeatedly in the following embodiments.
The detection signal is converted to a digital signal by the A/D conversion circuit 211, and the digital signal is transmitted to a calculation processing unit 22 via a first communication control circuit 213 of the safety protection device 2. The transmitted digital signal is received by a third communication control circuit 221, which is the input of the calculation processing unit 22, and is used by a safety protection logic 222, implemented as execution of a previously designed protection logic (hereinafter referred to as application software) on a microprocessor or an FPGA, to generate an operation command signal of the protection-system facility to a safety-system local component 4. The operation command signal generated by the safety protection logic 222 for the safety-system local component 4 is transmitted to an output device 23 via a fifth communication control circuit 223, which is the output of the calculation processing unit 22. Here, the functions of the application software include the four arithmetic operations (addition, subtraction, multiplication, and division) on analog values, in addition to logical operations.
In the output device 23, the operation command signal transmitted from the fifth communication control circuit 223 is received by a seventh communication control circuit 231, converted to an analog signal by a digital/analog (D/A) conversion circuit 232, and passed to a hardware (H/W) circuit 236, which is the final output stage. The H/W circuit performs priority processing on its input signals. Examples of the H/W circuit include an OR circuit, an AND circuit, an ON-priority circuit, and an OFF-priority circuit; however, the H/W circuit is not limited thereto.
On the other hand, the detection signal converted to a digital signal by the A/D conversion circuit 212 is transmitted to a second communication control circuit 214 for the CCF device 3.
The A/D conversion circuit 211 and the A/D conversion circuit 212 are composed of and implemented with circuits or devices (parts) different from each other. Similarly, the first communication control circuit 213 and the second communication control circuit 214 are composed of and implemented with circuits or parts different from each other.
The second communication control circuit 214 transmits the inputted digital signal to a fourth communication control circuit 311 connected to a calculation processing unit 31 of the CCF device 3, in the same manner as for the calculation processing unit 22. The transmitted digital signal is received by the fourth communication control circuit 311 and is then used by a safety protection logic 312, implemented on a microprocessor or a field-programmable gate array (FPGA) on which application software is implemented, to generate an operation request signal to the safety-system local component 4.
Here, in order to ensure diversity, the following is applied to each component:
(1) The communication protocol between the second communication control circuit 214 and the fourth communication control circuit 311 is different from the communication protocol applied between the first communication control circuit 213 and the third communication control circuit 221.
(2) The calculation processing unit 31 and the calculation processing unit 22 perform similar digital signal processing using different circuits. For example, a microprocessor of a type different from that of the calculation processing unit 22 is used in the calculation processing unit 31, or an FPGA is used in the calculation processing unit 31.
(3) The safety protection logic 312 and the safety protection logic 222 are designed on the basis of different concepts for similar digital signal processing. For example, where microprocessors are used in both the calculation processing unit 31 and the calculation processing unit 22, the application software for each is given a different design concept and is written by different designers, so that the two do not make their determinations on the basis of the same logical configuration. Where an FPGA is used in the calculation processing unit 31, the FPGA is programmed by a different designer so that the processing corresponding to the digital signal processing of the microprocessor in the calculation processing unit 22 has a logical configuration based on a different design concept.
(4) The CCF device 3 and the safety protection device 2 are designed by different designers in different departments so that they have different design concepts and provide protection on the basis of different logical configurations.
The operation request signal generated by the safety protection logic 312 for the safety-system local component 4 is transmitted from a sixth communication control circuit 313, which is the output of the calculation processing unit 31, to the output device 23 of the safety protection device 2. The transmitted operation request signal is received by an eighth communication control circuit 235 for the CCF device 3, converted to an analog signal by a D/A conversion circuit 234 for the CCF device 3, and outputted to the H/W circuit 236.
The D/A conversion circuit 232 and the D/A conversion circuit 234 are composed of and implemented with circuits or devices (parts) different from each other. Similarly, the seventh communication control circuit 231 and the eighth communication control circuit 235 are composed of circuits or parts different from each other. Further, the communication protocol between the sixth communication control circuit 313 and the eighth communication control circuit 235 is different from the communication protocol between the fifth communication control circuit 223 and the seventh communication control circuit 231.
With the safety protection system backup device configured as described above, the input device and the output device can be shared by the safety protection device 2 and the CCF device 3. Thus, an input device and an output device exclusive to the CCF device need not be provided, and an increase in the number of detectors and safety-system local components can be accommodated without increasing the scale of the CCF device.
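The following is an added illustration, not code from the patent or its applicant, of the signal path and diversity rules described above for embodiment 1 (the diverse A/D circuits 211/212, the two different communication protocols, the two safety protection logics 222/312 designed on different concepts, and the priority processing of the H/W circuit 236). Every numeric value, the 2-out-of-N coincidence rule, the frame formats and the injected software error are assumptions chosen for the example. The point it demonstrates is that a software error in the safety protection logic does not suppress the protective action as long as the backup logic reaches the local component through an ON-priority combiner, whereas an AND/OFF-priority combiner would let the failed channel veto it.

```python
"""Constructed simulation of the shared-I/O, diverse-logic backup architecture
of embodiment 1 (example code, not the patent's own). All values, setpoints and
frame formats are assumptions made for illustration."""
import json
import struct
import zlib

SETPOINT = 2250.0        # assumed trip setpoint in engineering units
FULL_SCALE = 3000.0      # assumed detector range 0..FULL_SCALE
VOTE_REQUIRED = 2        # assumed 2-out-of-N coincidence logic


# ---- input device 21: two A/D paths built from different parts (211 / 212) ----
def adc_211(value: float) -> int:
    """12-bit unsigned conversion (channel to the safety protection device 2)."""
    return max(0, min(4095, round(value / FULL_SCALE * 4095)))


def adc_212(value: float) -> int:
    """16-bit signed, offset-binary style conversion (channel to the CCF device 3)."""
    return max(-32768, min(32767, round((value - FULL_SCALE / 2) / FULL_SCALE * 65535)))


# ---- protocol A (213 -> 221): big-endian binary frame protected by CRC-32 ----
def frame_a(samples: list[int]) -> bytes:
    body = struct.pack(">B%dH" % len(samples), len(samples), *samples)
    return body + struct.pack(">I", zlib.crc32(body))


def parse_a(frame: bytes) -> list[int]:
    body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if zlib.crc32(body) != crc:
        raise ValueError("protocol A: CRC mismatch")
    n = body[0]
    return list(struct.unpack(">%dH" % n, body[1:1 + 2 * n]))


# ---- protocol B (214 -> 311): ASCII JSON record with an additive checksum ----
def frame_b(samples: list[int]) -> bytes:
    payload = json.dumps({"n": len(samples), "s": samples}).encode()
    return payload + b"|%02x" % (sum(payload) & 0xFF)


def parse_b(frame: bytes) -> list[int]:
    payload, check = frame.rsplit(b"|", 1)
    if int(check, 16) != (sum(payload) & 0xFF):
        raise ValueError("protocol B: checksum mismatch")
    rec = json.loads(payload)
    if rec["n"] != len(rec["s"]):
        raise ValueError("protocol B: length mismatch")
    return rec["s"]


# ---- safety protection logic 222 (design concept: count the exceedances) ----
def logic_222(samples: list[int]) -> bool:
    threshold = adc_211(SETPOINT)
    return sum(1 for s in samples if s >= threshold) >= VOTE_REQUIRED


# ---- safety protection logic 312 (different concept: order statistic) ----
def logic_312(samples: list[int]) -> bool:
    ranked = sorted(samples, reverse=True)
    return ranked[VOTE_REQUIRED - 1] >= adc_212(SETPOINT)


# ---- output device 23: hardware priority circuit 236 ----
def hw_236(cmd_a: bool, cmd_b: bool, mode: str = "on_priority") -> bool:
    """Combine the two command signals. ON priority / OR: either request
    actuates. OFF priority / AND: either channel can hold the output off."""
    if mode in ("on_priority", "or"):
        return cmd_a or cmd_b
    if mode in ("off_priority", "and"):
        return cmd_a and cmd_b
    raise ValueError(mode)


def logic_222_with_ccf(samples: list[int]) -> bool:
    """Injected software error standing in for a CCF: the 12-bit samples are
    compared with the setpoint expressed on the 16-bit scale, so it never trips."""
    return sum(1 for s in samples if s >= adc_212(SETPOINT)) >= VOTE_REQUIRED


def protection_output(readings: list[float], logic_a=logic_222,
                      mode: str = "on_priority") -> bool:
    """End-to-end path: detector -> 211/212 -> 213/214 -> 221/311 -> logic -> 236."""
    cmd_a = logic_a(parse_a(frame_a([adc_211(r) for r in readings])))
    cmd_b = logic_312(parse_b(frame_b([adc_212(r) for r in readings])))
    return hw_236(cmd_a, cmd_b, mode)


if __name__ == "__main__":
    trip = [2300.0, 2290.0, 1900.0, 2310.0]   # constructed readings, 3 of 4 above setpoint
    print("healthy logic 222:", protection_output(trip))
    print("failed logic 222, ON priority:", protection_output(trip, logic_222_with_ccf))
    print("failed logic 222, OFF priority:",
          protection_output(trip, logic_222_with_ccf, "off_priority"))
```

The two logics are deliberately written against different intermediate representations (12-bit counts versus 16-bit offset counts) and different decision procedures, so a scaling or comparison error in one does not reproduce in the other; the frame parsers reject corrupted frames rather than passing a wrong sample count into the vote.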
In embodiment 2, in addition to the configuration of embodiment 1, an electrical/optical (E/O) conversion circuit 24, which converts the electric signal transmitted from the second communication control circuit 214 of the safety protection device 2 to an optical signal, and an optical/electrical (O/E) conversion circuit 32, which converts the optical signal received by the CCF device 3 back to an electric signal, are applied.
Similarly, an E/O conversion circuit 33, which converts the output signal of the sixth communication control circuit 313 of the CCF device 3 to an optical signal, and an O/E conversion circuit 25, which converts the optical signal received by the safety protection device 2 to an electric signal, are applied.
Thus, only optical signals are transmitted and received between the safety protection device 2 and the CCF device 3, so that when an electric fault or the like occurs in the CCF device 3, the fault is prevented from propagating to the safety protection device 2 through the signal lines. Further, since the signals travel over optical cables, the transmission distance can be extended compared with electric signals, and the constraints on the installation location of the CCF device 3 can be relaxed.
As described above, in the configuration of embodiment 2, the CCF device is connected to the input device and the output device through optical cables, so that an electric fault in the CCF device cannot influence the safety protection system and a separation device need not be provided.
As shown in
As shown in
One example of hardware of the safety protection logics 222, 312 is shown in
Although the disclosure is described above in terms of various exemplary embodiments and implementations, it should be understood that the various features, aspects, and functionality described in one or more of the individual embodiments are not limited in their applicability to the particular embodiment with which they are described, but instead can be applied, alone or in various combinations, to one or more of the embodiments of the disclosure.
It is therefore understood that numerous modifications which have not been exemplified can be devised without departing from the scope of the present disclosure. For example, at least one of the constituent components may be modified, added, or eliminated. At least one of the constituent components mentioned in at least one of the preferred embodiments may be selected and combined with the constituent components mentioned in another preferred embodiment.
Filing Document | Filing Date | Country | Kind
---|---|---|---
PCT/JP2022/005280 | 2/10/2022 | WO | 