The invention relates generally to a computerized control system for complex systems and, more particularly, to a method for operating a nuclear reactor using a digital computer.
As a result of the events at the Three Mile Island nuclear power plant in Pennsylvania, much interest was created in the operational safety aspects of nuclear power plants. A problem which has become evident is the dependence upon written operating procedures.
Human operators of any system have often looked at procedures as a hindrance more than a help in performing the function of system control. The reason procedures are not the useful guides they are intended to be is that they have never been able to cover all possible situations. Normal plant evolution procedures, such as system startup or shutdown, have the characteristic of a known starting and ending point. These normal procedures tend to be complete and accurate.
The problem with operating procedures arises in connection with off-normal failure states. We cannot know the particular failures that will occur before they happen; therefore, the particular scenario is unknown beforehand. Since the starting point is unknown, a complete written procedure would have to consider all failures and all the possible combinations. Current procedures are generally written for single component failures for the simple reason that the set of all possible failures and combinations of system states with failures is very large. It is, therefore, extremely difficult or nearly impossible to write a general procedure to accommodate all possible failure combinations.
To avoid this difficulty in the past (and present), the failures that were most probable or which had unacceptable consequences were defined. Procedures for these "standard accidents" or scenarios were written. This is clearly only a partial set of procedures. The root cause of procedures being scorned would then apparently be that current procedures are only a partial set of rules which do not cover all possible events. Currently an operator is required to search a procedure decision or "response" tree to determine whether instructions for a particular situation exist; if found, they can be executed. If the procedure for the system does not cover the specific situation, the operator has to evaluate whether or not an acceptable state exists which can be reached using normal plant controls, or if an acceptable state can only be reached by abnormal plant control actions. This allows many opportunities for "operator error." The source of these "operator errors" may be operator overload under stressful conditions.
It is, accordingly, a general object of the invention to provide a method for the explicit control of a complex system such as a nuclear reactor in order to enhance safety.
It is a further object of the invention to provide a method for safe control of a nuclear reactor which is not dependent upon exhaustive written procedures which cover every conceivable combination of component failure.
Other objects, advantages and novel features of the invention will be apparent to those of ordinary skill in the art upon examination of the following detailed description of a preferred embodiment of the invention and the accompanying drawings.