1. Field of the Invention
This invention relates generally to control systems for nuclear reactor power generation systems. More particularly, this invention relates to such a control system that functionally isolates safety and non-safety controls by using a soft control design concept, thus eliminating confirmation switches and channel demultiplexers. Still more particularly, this invention relates to such a control system that improves the man-machine interface (MMI) while permitting use of data encryption for command control data received by a control channel gateway.
2. Brief Description of the Prior Art
Complex control schemes are in place for nuclear reactor power generation systems to prevent component failures that could lead to catastrophic failure. Such control schemes have as their design basis the use of a human operator controlling continuous and discrete control functions from a single display device cooperating with an associated information processing system (IPS) and cathode ray tube (CRT) or flat panel display (FPD) and a display processor (DP). In current systems, controllers are provided on each operator workstation and remote shutdown control panel. The controllers are linked to safety-related engineered safety features-component control systems (ESF-CCS) or non-safety-related process-component controlled systems (P-CCS) by way of control channel gateways (CCGs). A priority interlock is incorporated in the CCG to block any effect from the controllers on the safety CCS when an ESF actuation is in progress.
The controller usually provides continuous display of all parameters being controlled as well as, in some cases, parameters of components associated with the component selected for control. To insure that an operator has all information necessary for optimal process control, a continuous display of all controlled parameters is provided. It has long been sought in this control art to improve the human factors and operator efficiency in the use of the controller, while reducing the amount of hardware and design necessary to implement the control functions, and while maintaining if not improving reliability.
In such systems, and from a human factors perspective, there are three steps required of the previous control design that incorporated confirmation switches to carry out a control function. The operator would first need to make a selection from the IPS display, then press a confirmation switch, and third, manipulate the selected component from the control display. For certain control actions, these steps proved to be very monotonous and time-consuming. Accordingly, it is an aim of those making improvements on nuclear power plant control systems to reduce the number of hardware controls, such as by reducing or eliminating the confirmation switches without sacrificing reliability or safety.
When considering hardware/software implementation in such systems, certain functionalities made the prior designs complex and costly to integrate. Moreover, the multiple hardware elements needed to implement the prior designs would result in a less reliable configuration. Additionally, every software-based element in the design added development time not only to simplify implementing the function, but also to support the tasks associated with software and related safety analysis. Thus, it is an aim in improving control designs to address these kinds of issues while maintaining a defensible design from a regulatory point of view.
Data security has long been a matter of interest in assessing the functionality and efficiency of nuclear power plant safety systems. While redundancy as a concept has often been used with probability and statistical analysis to ensure data security and system integrity, it is an overall aim of this invention to introduce the latest, most secure encryption technology to the optimized control design. For simplicity, when discussing prior efforts, the term "control", or the like, will be used, while when discussing this invention, the term "soft control" will be used as distinguishing nomenclature. Current control systems communicate with error detection protocols of various kinds that can be susceptible to undetected bit errors. Accordingly, it is expected that data encryption will provide a powerful tool to transmit data and to certify that the data as received is accurate in nuclear power plant control systems of the type to which this invention is primarily, but not necessarily exclusively, aimed.
Improved designs must meet current codes and standards. IEEE 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," addresses specific minimum functional criteria required of safety related systems that have direct application for Power, Instrumentation and Control systems for use in a nuclear power plant (NPP) application. The single failure criterion of section 5.1 of the standard specifies that:
"The safety systems shall perform all safety functions for a design basis event in the presence of 1) any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures."
This criterion is further clarified by stating that:
"The performance of a probability assessment of the safety systems may be used to demonstrate that certain postulated failures need not be considered in the application of the criterion. A probability assessment is intended to eliminate consideration of events and failures that are not credible."
IEEE Std. 352-1987 is cited as applicable guidance in the performance of the reliability analysis.
Additionally, IEEE 603, Section 5.6.3 states:
"The safety system design shall be such that credible failures in and consequential actions by other systems [which include non-safety systems] shall not prevent the safety systems from meeting the requirements [of the standard]".
Thus, under this section, the classification of equipment as part of a safety system is determined by establishing that the equipment is used for both safety and non-safety functions or that the equipment is used as an isolation device in the boundary of a safety system.
Prior systems often use confirmation switches as a security mechanism to ensure the accuracy of a control command. Such switches provided a "safety break" between the safety systems and the non-safety related MMI. No control commands could pass, in a typical prior system, to the control channel gateways unless specific confirmation and channel selection had occurred. Such a task proved inefficient. Accordingly, it is an aim of this invention to provide a component control system for a nuclear power plant that eliminates a need for confirmation switches and complex multiplexer arrangements.
It is thus an overall object of this invention to provide a component control system for a nuclear reactor power generation system that eliminates a need for confirmation or channel selection switches, while maintaining compliance with codes, standards, and regulations.
It is another general object of this invention to provide such a control system that functionally isolates safety and non-safety controls by using a soft design concept.
It is still another general object of this invention to provide such a control system that features encryption of component control action commands with decryption at the control channel gateway level.
In its main aspect, the invention relates to a control system for a nuclear power plant, comprising: means, including an information processing system and display processor (IPS-DP), for issuing an encrypted command for a selected component in a component control system (CCS) in the nuclear power plant; means, including a soft controller, for receiving the encrypted command from the IPS-DP means, matching the encrypted command with the selected component in the CCS, and issuing a control command for the selected component; and means, including a control channel gateway, for receiving the encrypted command from the IPS-DP means and the soft controller, deciphering the encrypted command and, if authenticated, issuing a control command for the selected component in said CCS. The IPS-DP and the soft controller are classified as non-safety components of the control system.
The IPS-DP includes a database of control components in the control system and their routing information, and includes means for providing an encrypted command key that contains at least one of an incremental value, origin information, and component routing data associated with the control components. The means for issuing an encrypted command further includes means for issuing an unencrypted object ID tag, the soft controller being responsive to the object ID tag to call up an associated component template. The issuance of an encrypted command is solely a function of the IPS-DP.
The soft controller maintains a set of display pages that acts as a plurality of control templates for generation of analog and discrete control commands for the selected component. Upon receiving a command key and an object ID tag from the IPS-DP, the soft controller associates the ID tag with a corresponding display page to permit an operator to take a desired action on a selected component. The soft controller includes a timeout capability wherein, if an operator takes no control action within a preset period, the control template is cleared from the display on the soft controller and the encrypted command key received from the IPS-DP is destroyed. It is a feature of the invention that the soft controller has no capability to provide encrypted command keys independent of the IPS-DP.
The control channel gateway is a safety control that deciphers data generated by the IPS-DP and the soft controller, to enable action of the selected component. Alternatively, the system includes a channel having a group controller and at least a loop controller, said channel being connected to the control channel gateway for receiving command signals for enabling said selected component when located in said channel.
It is a more specific feature of the invention that the encrypted command provided by the IPS-DP includes a data packet with routing, control and origin information for a single component, the data packet being deciphered by said control channel gateway, and that the encrypted command provided by the IPS-DP affects only a single component at a time, whereupon risk of command error is minimized. Preferably, the encrypted command for a selected command includes a sequence tag applied by the IPS-DP when the command key is issued, wherein the sequence tag identifies the validity of a command key according to its sequence.
In another aspect, the invention features a corresponding method for controlling components in a component control system (CCS) for a nuclear power plant, comprising the steps of: issuing an encrypted command for a selected component in a component control system (CCS) in the nuclear power plant from an information processing system and display processor (IPS-DP); receiving the encrypted command from the IPS-DP at a soft controller, matching the encrypted command with the selected component in the CCS, and issuing a control command for the selected component; and receiving the encrypted command from the IPS-DP and the soft controller at a control channel gateway, deciphering the encrypted command and, if authenticated, issuing a control command for the selected component in said CCS. Additional method features for the invention are also disclosed and claimed.
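The command path just described (IPS-DP issues an encrypted command key carrying a sequence tag, origin and routing data for one component; the soft controller shows a template, holds the key until a timeout and forwards it without being able to mint keys of its own; the control channel gateway authenticates, deciphers and checks the sequence before acting) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the patent or from any plant vendor. Everything in it is constructed: the component names, the packet layout (nonce, ciphertext, tag), the key names, the 30-second timeout, and the cipher, which is an encrypt-then-MAC built from the Python standard library (an HMAC-SHA256 counter keystream plus an HMAC-SHA256 tag) so the example runs offline; a deployment would use a vetted AEAD cipher in its place. Note that it is the authentication tag, not the encryption by itself, that lets the gateway certify the received data as unaltered.

```python
"""Model of the soft-control command path: IPS-DP -> soft controller -> CCG.
Added illustration, not the patent's code.  Packet layout, key names and
component names are constructed; the cipher is a stdlib encrypt-then-MAC
stand-in for whatever vetted AEAD a real deployment would use."""
import hashlib, hmac, json, secrets

# Constructed shared secrets held only by the IPS-DP and the CCG.  The soft
# controller never holds them, which is why it cannot mint a command key.
ENC_KEY = b"example-enc-key-not-for-production"
MAC_KEY = b"example-mac-key-not-for-production"
NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key, nonce, n):
    # Counter-mode PRF: concatenated HMAC(key, nonce || ctr) blocks cut to n bytes.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

class IPSDP:
    """Sole issuer of command keys; seq is the 'incremental value' / sequence tag."""
    def __init__(self, routing_db):
        self.routing_db, self.seq = routing_db, 0

    def issue(self, component):
        self.seq += 1
        payload = json.dumps({"seq": self.seq, "origin": "IPS-DP-1", "component":
                              component, "route": self.routing_db[component]}).encode()
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = _xor(payload, _keystream(ENC_KEY, nonce, len(payload)))
        tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
        # The object ID tag goes in the clear so the soft controller can pick a template.
        return component, nonce + ct + tag

class SoftController:
    """Non-safety MMI: shows the template, holds the key until timeout, forwards it."""
    TIMEOUT_S = 30.0

    def __init__(self, templates):
        self.templates, self.active = templates, None  # active: (id, key, deadline)

    def receive(self, object_id, command_key, now):
        if object_id not in self.templates:
            return None
        self.active = (object_id, command_key, now + self.TIMEOUT_S)
        return self.templates[object_id]

    def operate(self, action, now):
        """Operator acts on the displayed template; returns what is sent to the CCG."""
        if self.active is None:
            return None
        object_id, command_key, deadline = self.active
        self.active = None  # template cleared and key destroyed in every case
        return None if now > deadline else (object_id, action, command_key)

class ControlChannelGateway:
    """Safety-side gateway: authenticate, then decipher, then check binding and sequence."""
    def __init__(self):
        self.last_seq = 0

    def process(self, object_id, action, command_key):
        nonce, ct, tag = (command_key[:NONCE_LEN], command_key[NONCE_LEN:-TAG_LEN],
                          command_key[-TAG_LEN:])
        expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: authentication failed"   # altered or forged key
        cmd = json.loads(_xor(ct, _keystream(ENC_KEY, nonce, len(ct))))
        if cmd["component"] != object_id:
            return "rejected: component mismatch"      # a key is bound to one component
        if cmd["seq"] <= self.last_seq:
            return "rejected: stale or replayed sequence"
        self.last_seq = cmd["seq"]
        return f"issued: {action} -> {object_id} via channel {cmd['route']['channel']}"

def run_scenario():
    """Normal path plus each rejection the design is meant to produce."""
    routing = {"CVCS-PUMP-1": {"channel": "A", "group": 2, "loop": 7},
               "AFW-PUMP-2": {"channel": "B", "group": 1, "loop": 3}}
    ipsdp, ccg = IPSDP(routing), ControlChannelGateway()
    sc = SoftController({c: f"template:{c}" for c in routing})
    r = {}
    obj, key = ipsdp.issue("CVCS-PUMP-1")                      # seq 1
    sc.receive(obj, key, now=0.0)
    fwd = sc.operate("START", now=5.0)
    r["normal"] = ccg.process(*fwd)
    r["replay"] = ccg.process(*fwd)                            # same key presented twice
    obj, key = ipsdp.issue("CVCS-PUMP-1")                      # seq 2
    bad = bytearray(key); bad[NONCE_LEN + 3] ^= 0x01           # one bit of ciphertext altered
    r["tampered"] = ccg.process(obj, "STOP", bytes(bad))
    obj, key = ipsdp.issue("AFW-PUMP-2")                       # seq 3
    sc.receive(obj, key, now=100.0)
    r["timeout"] = sc.operate("START", now=131.0)              # past the 30 s timeout
    obj, old_key = ipsdp.issue("AFW-PUMP-2")                   # seq 4, held back
    r["mismatch"] = ccg.process("CVCS-PUMP-1", "START", old_key)
    obj, key = ipsdp.issue("AFW-PUMP-2")                       # seq 5
    r["later"] = ccg.process(obj, "START", key)
    r["stale"] = ccg.process("AFW-PUMP-2", "START", old_key)   # seq 4 arrives after 5
    return r
```

Running `run_scenario()` walks one command through the normal path and then shows each rejection: a replayed key and a held-back key both fail the sequence check, a key with a single altered bit fails authentication before anything is deciphered, a key issued for one component is refused when presented with another component's object ID tag, and a key left on the soft controller past the timeout is destroyed and never reaches the gateway. The order of checks in `process` matters: authenticating before deciphering means malformed or altered packets are dropped without parsing, and the sequence counter is only advanced after every other check passes.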