1. Field of the Invention
This invention concerns plant protection instrumentation equipment of, for example, a nuclear power plant.
2. Description of the Related Art
In a power generation plant, such as a nuclear power generation plant, a safety protection system is installed to prevent an abnormal situation that may compromise the safety of the plant when the abnormality is anticipated, or to control such an abnormality. Conventionally, plant protection instrumentation equipment, as shown in FIG. 13, has been arranged as one of the safety protection systems in the plant. This plant protection instrumentation equipment has instrumentation circuits LA-1 and LA-2. The instrumentation circuit LA-1 (LA-2) has a sensor group {A1-1, . . . , A1-n} ({A2-1, . . . , A2-n}), which detects a plurality of process variables such as temperature, pressure, and output of the reactor and outputs process signals, and a set value comparison circuit group {MS1-1, . . . , MS1-n} ({MS2-1, . . . , MS2-n}), which receives the process signals from the respective sensor group {A1-1, . . . , A1-n} ({A2-1, . . . , A2-n}), compares these signals with predetermined set values, and outputs an operation signal when the signals exceed the set values. These instrumentation circuits LA-1, LA-2 constitute channel A, which is composed of two channels. Two instrumentation circuits LB-1, LB-2, which have components similar to those of the instrumentation circuits LA-1, LA-2, respectively, constitute channel B, which is likewise composed of two channels. That is, the overall instrumentation equipment is separated into two channels A, B, each of which has two sectional channels. The instrumentation equipment also has a control circuit C, which outputs an operation signal such as a trip signal to each piece of plant equipment based on a combination of the output signals from the instrumentation circuits. The signals outputted from the instrumentation circuits are processed by two sets of one-out-of-two logic.
In other words, in each channel A or B, when one trip signal is outputted, that is, when one set value comparison circuit judges that a process signal exceeds a set value, the corresponding channel is tripped, and an operation signal 15 shown in FIG. 13 is generated when both channels A, B are tripped simultaneously. One channel of each instrumentation circuit has a single configuration, i.e., it is not multiplexed.
In such plant protection instrumentation equipment, the instrumentation circuits that compare each process signal with a set value and detect when it is exceeded may be constituted by hardware devices dedicated to the instrumentation, or by a microprocessor programmed with software. In the case of dedicated hardware devices, a plurality of hardware devices is necessary with respect to each of the plurality of process signals. In the case of a microprocessor configuration, on the other hand, all signal processing for the plurality of process signals can be performed by one microprocessor.
Since the safety protection system of a plant is important, it requires a highly reliable design. For this reason, when the instrumentation circuit is constituted by a microprocessor, V&V (verification and validation) is performed to prevent failure due to a common factor of the software and to secure high reliability of the software. V&V is a quality assurance activity composed of a verification operation, which confirms at each process of design and manufacture of the software that the functions required of the digital safety protection system are properly reflected from the superordinate process to the subordinate process, and a validation operation, which confirms the soundness of the system manufactured through the verification operation, that is, that the required functions are properly realized. Specifically, as a verification operation for confirming that the software is manufactured in accordance with the design specification, the mutual relation between the specification in which the design information is written and the specification for manufacturing is confirmed. As a validation process, a simulated signal similar to an actual input signal is inputted into the instrumentation equipment constituted by a microprocessor to check that an operation output is made according to the design specification. It is preferred that a third party different from the designer or manufacturer of the software perform such V&V.
Moreover, an instrumentation circuit using a microprocessor operated by software has a self-diagnostic function, such as watchdog timer surveillance, with which the microprocessor is equipped as a standard function, for automatic by-pass of multiplexed systems, alarm output, and so on.
In conventional plant protection instrumentation equipment, a test input signal, used to confirm that comparison and detection between a process signal and a set value are performed correctly, is inputted from a parallel circuit on a line other than the input terminal to which the process signal is actually inputted.
Moreover, for the microprocessor operated by software, a maintenance device used exclusively for adjusting the set value for the comparison, which has a sufficient record of actual performance, is provided to enable visualization of the program mounted in the microprocessor and comparison and extraction of the parts changed before and after a change.
However, in the above-mentioned conventional plant protection instrumentation equipment in which a microprocessor operated by software is applied as the instrumentation circuit, it is necessary to perform both verification that the software is adequately manufactured in accordance with the requirements of the design specification and validation that the output is accurate according to the design specification. This requires far more work and time than the design and manufacture of ordinary software used outside the safety protection function, and it becomes a major factor in raising product cost.
On the other hand, when dedicated hardware devices are applied in the instrumentation circuit without using software, it is also necessary to confirm, by visualization, test, or other means, that the product is manufactured in accordance with the control logic written in the design specification. However, it is extremely difficult to visualize dense control logic, such as a logical integrated circuit constituting the hardware device, and its operation status. For this reason, it is necessary to input all ON and OFF input patterns of every digital input of the control logic of the hardware device and to check that the result of the logical operation agrees with the design specification. As the total number of digital input points increases, the number of input patterns multiplies exponentially, and so do the time and work required for the test.
Concerning the conventional plant protection instrumentation equipment composed of two sets of one-out-of-two logic, when a single failure occurs and the plant signal of a sensor is by-passed, and another sensor on the same power source as the failed sensor also fails, the two sets of one-out-of-two logic cannot reach the ON state and the operation signal is not outputted, even if the plant status actually changes so that it becomes necessary to operate the devices of the protection system; thus there is no by-pass function. Similarly, in maintenance or a surveillance test while the plant is in operation, the two sets of one-out-of-two logic cannot be in the ON state, so it is necessary to perform the maintenance or the test with one group being in operation. Under this circumstance, when an additional failure or operating mistake occurs, the operation shifts to the safety protection system side. To reduce the risk of plant suspension, the system should be configured so that a half trip can be avoided even when a single failure occurs or when exchange work or a surveillance test of the equipment is performed during plant operation. Moreover, in applying software, the possibility that multiplexed control devices fail simultaneously due to bugs potentially included in the software cannot be eliminated completely.
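The two weaknesses of the two sets of one-out-of-two logic described above can be reproduced with a small model. This is an added example, not part of the original specification: the circuit names LA-1, LA-2, LB-1, LB-2 come from the text, while the set value, the process values and the three circuit states are constructed, and "one group being in operation" is read here as one channel held in the tripped (half trip) state.

```python
from enum import Enum

class State(Enum):
    NORMAL = "normal"          # comparator follows the process signal
    NO_TRIP = "stuck no-trip"  # by-passed, or failed without tripping
    TRIP = "stuck trip"        # held in trip for a test, or failed into trip

CIRCUITS = ("LA-1", "LA-2", "LB-1", "LB-2")  # names taken from the text
HEALTHY = {name: State.NORMAL for name in CIRCUITS}
SET_VALUE = 300.0  # constructed set value, arbitrary units

def comparator(value, set_value, state):
    """Set value comparison circuit; True means a trip output."""
    if state is State.NO_TRIP:
        return False
    if state is State.TRIP:
        return True
    return value > set_value

def evaluate(value, set_value, states):
    """Two sets of one-out-of-two: (LA-1 or LA-2) and (LB-1 or LB-2)."""
    out = {n: comparator(value, set_value, states[n]) for n in CIRCUITS}
    a = out["LA-1"] or out["LA-2"]   # channel A trips on either circuit
    b = out["LB-1"] or out["LB-2"]   # channel B trips on either circuit
    return {"A": a, "B": b, "operation": a and b}

# Constructed scenarios: (process value, circuit states)
SCENARIOS = {
    "healthy, process above set value": (310.0, HEALTHY),
    # One circuit by-passed and the other circuit of the same channel
    # failed: channel A can never trip, so the demand is missed.
    "LA-1 by-passed, LA-2 failed, process above set value":
        (310.0, {**HEALTHY, "LA-1": State.NO_TRIP, "LA-2": State.NO_TRIP}),
    # Channel A held in trip during a test: half trip only.
    "channel A in test, process normal":
        (280.0, {**HEALTHY, "LA-1": State.TRIP}),
    # One more failure or mistake in channel B now trips the plant.
    "channel A in test, spurious LB-1 trip, process normal":
        (280.0, {**HEALTHY, "LA-1": State.TRIP, "LB-1": State.TRIP}),
}

def run_scenarios():
    return {name: evaluate(v, SET_VALUE, st)
            for name, (v, st) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```
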
When a logical integrated circuit is applied to the instrumentation circuit constituting a logic circuit, the self-diagnostic function that a microprocessor has cannot be provided as a standard function. Thus, when equipment breaks down through malfunction or failure to operate, the breakdown cannot be detected in advance. Consequently, it is necessary to detect the failure on the malfunctioning side or the inoperative side by multiplexing each process signal and using an input of one of the multiplexed signals, which can become convoluted.
In the plant protection instrumentation equipment of a nuclear power generation plant, the test input signal for comparison and detection between a process signal and a set value is inputted from a parallel circuit on a line different from the input terminal to which the process signal is actually inputted. For this reason, the input, processing, and output functions of the instrumentation equipment could not be checked simultaneously and consistently. Moreover, even when a signal was inputted from a different line, at the output end the trip output during a test was performed in combination with the real circuit. When the plant protection instrumentation equipment of a plant such as a nuclear power plant is constituted by a microprocessor, it is necessary to provide maintenance equipment used exclusively for adjusting the set value for comparing and detecting the process signal, and the verification and validation work must be performed after the set value is adjusted. The adjustment of the set value by the maintenance equipment and the verification and validation work are so complicated that skill is required to perform them reliably. Thus, it is preferable that the adjustment of the set value does not require software and that the equipment is constituted such that its contents after a change of the set value can be easily understood.