The present invention relates to apparatus and methods for monitoring and controlling the operation of nuclear power plants. A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office, patent file or records, but otherwise reserves all copyright rights whatsoever.
International Patent Application PCT/US89/04899, published as International Publication WO 91/06960 on 16 May, 1991, for "Advanced Nuclear Plant Control Complex", (corresponding to U.S. patent application Ser. No. 430,792 filed Nov. 2, 1989, now U.S. Pat. No. 5,267,277 issued Nov. 30, 1993) and U.S. patent application Ser. No. 676,795, filed Mar. 28, 1991, for "Operator Interface for Plant Component Control System", (now U.S. Pat. No. 5,291,190 issued Mar. 1, 1994) describe and claim apparatus and methods associated with the Nuplex 80+ Advanced Control Complex, a plant-wide computer based monitoring, control and protection system available from ABB Combustion Engineering, Inc., Windsor, Conn. This will hereinafter be referred to as the Advanced Control Complex, or ACC. In said publication, the disclosure of which is hereby incorporated by reference, a master console includes a reactor coolant system panel, a chemical volume control system panel, a reactor core panel, a feedwater control system panel, and a turbine system panel. A separate, safety console is situated at one side of the control room and a separate, auxiliary systems console is situated on the other side of the control room. These three spatially distinct consoles incorporate over a dozen functionally distinct panels.
The ACC was developed based on several key driving forces including improving the Man-Machine Interface (MMI) by a focused effort to utilize human factors engineering concepts, while improving plant safety in a cost-effective manner and complying with U.S. Nuclear Regulatory Commission requirements as well as other desirable criteria, such as those proposed by the Electric Power Research Institute Advanced Light Water Reactor program. These high level design bases were implemented using the following more detailed design principles.
Information processing was structured to reduce the quantity of data that must be mentally processed by the operator (to minimize stimulus overload), while allowing rapid comprehension and ease of access to all plant data. Alarm processing was designed to reduce the number of alarms which are generated, minimize the occurrence of nuisance alarms, and allow the operator to quickly correlate the impact of an alarm on plant safety or performance. Signal multiplexing and data communication networking were incorporated to maximize the cost effectiveness of data communications. The maintainability, usability and flexibility of the control complex were expanded to support operational needs over the plant life cycle. Separation between control and monitoring functions was maintained to avoid data communication bottlenecks, improve the MMI and reduce the potential for operator error.
The auxiliary and safety consoles were designed for stand-up operation during other modes of plant operation and emergency conditions. They contain the same types of MMI devices as the master control console (MCC) and are designed to the same common set of display and control criteria.
An Integrated Process Status Overview (IPSO) big board was included to provide the operators and supervisory staff with a quick means of assessing plant status from anywhere in the controlling work space.
Adjacent offices and an overlooking Technical Support Center (TSC) were provided for the operating staff. Each office includes a viewing window into the control room, and a CRT that provides access to the same display pages as are provided by the control room CRT's.
Six major Instrumentation and Controls (I&C) Systems perform the required monitoring and control functions for the plant:
(a) Data Processing System (DPS), which is based on a distributed mini/microprocessor architecture;
(b) Discrete Indication and Alarm System (DIAS), which is based on a distributed microprocessor architecture;
(c) Plant Protection System (PPS), which is based on Programmable Logic Controllers (PLCs) and minicomputers;
(d) Engineered Safety Feature Component Control System (ESF-CCS), which is based on PLCs;
(e) Process Component Control System (P-CCS), which is based on PLCs and microprocessors; and
(f) Power Control System (PCS), which is based on PLCs and distributed microprocessors.
The display of plant information was accomplished via a three level information hierarchy which consists of a big board plant overview mimic (IPSO), discrete indicators implemented with electroluminescent flat panel display technology, and CRTs which incorporate touch screen access. The information hierarchy is designed to critically support the role of the operator so he is more focused on operational tasks, rather than data gathering.
IPSO is a large board display mimic (approx. 1.5 × 2 meters) which is positioned within the control room so that it is readily visible from all locations within the controlling workspace. The IPSO board provides a comprehensive overview of the current plant state. The display incorporates standard MMI symbology, dynamic display of key plant variables, high priority alarms and plant critical functions into a convenient and easily comprehensible depiction of the current plant state. Plant data for the IPSO display is acquired from both the DPS and DIAS.
The plant status information is presented using a relatively small quantity of easily understood dynamic symbols and variables that are the result of highly processed data. The IPSO display thus relieves the operator of the necessity to scan many parameters located on dispersed control panels and display, while simultaneously trying to mentally assemble a cohesive picture of plant status.
Discrete indicators are the second level in the information display hierarchy. These devices consist of microcomputer driven solid state electroluminescent (ELD) indicators which allow tailoring of display readouts specifically for nuclear applications. Their software basis readily accommodates design changes from initial development throughout the life cycle of the plant. The indicators and microprocessors are part of the DIAS System.
These indicators display single process representation values based on algorithms that validate and average data from multiple sensors, thereby reducing the amount of data the operator must process during various plant conditions. Data is presented in digital, analog and time trend formats.
Touch screens allow menu selection of individual sensor channels, including Post-Accident Monitoring Instrumentation (PAMI) channels, while providing quick and easy data access. This eliminates the need for a separate meter for each sensor by consolidating many like parameters, thereby significantly reducing control panel space requirements.
Key plant parameters are assigned to various ELD discrete indicators which are "spatially dedicated" at various control panel locations, thus offering rapid access to these parameters by the operator since they are continuously displayed at a fixed location within the control room. Further, a CRT selection "soft switch" on each indicator allows direct access to related CRT display pages to improve information recall by the operator.
DIAS is comprised of two channels: DIAS-N and DIAS-P. DIAS-N processes and outputs key plant data representative of critical functions for both safety and power production, primary indication parameters for plant systems, parameters associated with investment protection, parameters which support technical specification monitoring (for a 24-hour period), and PAMI parameters. DIAS-P, which is a fully qualified system, outputs the requisite Regulatory Guide (RG) 1.97 Category 1 parameters.
CRT's provide the MMI for the Data Processing System (DPS), which is independent from the DIAS System (that controls the ELD discrete indicators). The color graphic CRT's are coupled with touch screens for ease in accessing displays, acknowledging alarms and obtaining additional plant information.
The CRT displays include plant, system and component level status and data, but do not include the ability for direct component control. A major benefit of this approach is that no failure of the DPS, whether of hardware, software or data, can produce a control action, so there is no need to analyze and protect against every possible DPS failure mode that could otherwise cause undesirable control actions.
To further support the operator's information needs, CRT display pages are logically arranged in a three level hierarchy where information at each level is designed to support specific operator tasks. Level 1 displays provide for overall monitoring of major plant systems; Level 2 displays provide additional information to support control actions; Level 3 displays provide for detailed monitoring of specific components to support diagnostic tasks.
The DPS performs its own signal validation based on raw sensor input and plant equipment status data. It then compares its results to that obtained from the DIAS and control systems. Any significant discrepancies between these independent systems are alarmed to the operator.
Innovative alarm processing methodologies have been incorporated into ACC to reduce the frequency of alarm conditions, minimize the generation of nuisance/spurious alarms and prioritize alarms so that their severity can be clearly distinguished. Alarms are independently processed by the DIAS and DPS. The DPS further cross checks the alarm processing between these two systems for consistency. Signal validation is applied to data prior to alarming to distinguish between control process alarms and single instrument failures. Alarm annunciation caused by spurious input data or instrument failures is assigned a lower priority than process alarms. Where appropriate, time delays are utilized such that if an alarm condition clears prior to the completion of the delay, the alarm is not generated. This avoids nuisance alarms during certain transient situations.
To reduce the number of generated alarm messages, dynamic alarm processing is employed. Information on the current plant operational mode (e.g. at power, post reactor trip, heatup/cooldown, etc.) and correlations with equipment states are utilized to eliminate unnecessary alarms.
Alarm prioritization is provided so that the operator can determine which alarms require his immediate attention. Three alarm priority classes exist: Alarm Priority-1 requires immediate action by the operator to avoid/correct a critical function or technical specification violation or to prevent equipment damage. Alarm Priority-2 requires prompt operator action but can be deferred in the presence of Priority-1 alarms at the operator's discretion. Alarm Priority-3 provides cautionary messages.
All non-alarm information, such as status information, is removed from the alarm annunciation process. A separate "operator aid" message is provided for these outputs so that these messages are clearly distinguishable from true alarm conditions. The priority 1 and 2 alarms are available on spatially dedicated alarm tiles on each control panel. The alarm tiles are implemented via solid state electroluminescent displays which are driven by microprocessors. Use of touch screens allows alarm acknowledgement and access to the current alarm list. The microprocessor nature of this system readily supports modifications during the life of the plant. The CRT display system provides all three priority alarm levels as well as the "operator aid" message.
Alarm display features have consistent characteristics regardless of the output media (IPSO mimic, discrete DIAS alarm tiles, CRT display pages). To simplify the operator workload, a single point alarm acknowledgement methodology is implemented between DIAS and DPS. That is, alarms acknowledged on a DIAS ELD alarm tile are simultaneously acknowledged on DPS CRT pages and vice versa.
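The following is an added illustration, not part of the patent text or of the ACC implementation, of the alarm-processing ideas described above: redundant sensor channels are validated before alarming, a rejected channel is reported as a lower-priority instrument-failure message, a process alarm is withheld if its condition clears before a delay expires, an alarm is suppressed in plant modes where it is not meaningful, and the clearing of an alarm is routed to the "operator aid" message stream rather than annunciated as an alarm. The parameter name, limit, delay, tolerance and sample readings are constructed for the example; the median-based validation rule and the single-point DIAS/DPS cross-check are not modeled from the ACC design.

```python
"""Added illustration (not ACC code) of alarm processing: validate redundant
channels, report rejected channels as P3 cautions, delay process alarms so
short excursions do not annunciate, suppress alarms by plant mode, and send
alarm clears to the operator-aid stream. All names and numbers are constructed."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Set, Tuple


@dataclass
class Validated:
    value: Optional[float]  # representative value, None if every channel was rejected
    good: List[int]
    bad: List[int]


def validate(readings: List[float], tolerance: float) -> Validated:
    """Reject any channel more than `tolerance` from the median of all channels,
    then average the survivors. The median is the reference so that one failed
    channel cannot drag the comparison point toward itself (an assumed rule)."""
    ref = median(readings)
    good = [i for i, r in enumerate(readings) if abs(r - ref) <= tolerance]
    bad = [i for i in range(len(readings)) if i not in good]
    value = sum(readings[i] for i in good) / len(good) if good else None
    return Validated(value, good, bad)


@dataclass
class Alarm:
    name: str
    limit: float          # alarm when the validated value exceeds this
    delay: float          # seconds the condition must persist before annunciation
    priority: int         # 1 or 2 for process alarms (3 is reserved for cautions)
    modes: frozenset      # plant modes in which the alarm is meaningful
    pending_since: Optional[float] = None
    active: bool = False


class AlarmProcessor:
    def __init__(self, alarms: List[Alarm]):
        self.alarms = alarms
        self.reported_failures: Set[int] = set()

    def step(self, t: float, mode: str, readings: List[float],
             tolerance: float) -> List[Tuple[str, str]]:
        """Process one sample. Returns (kind, text) messages emitted at this
        sample; kind is P1/P2/P3 for alarms or AID for an operator aid message."""
        out: List[Tuple[str, str]] = []
        v = validate(readings, tolerance)
        for ch in v.bad:
            if ch not in self.reported_failures:   # annunciate a failed channel once
                self.reported_failures.add(ch)
                out.append(("P3", f"channel {ch} rejected by validation ({readings[ch]})"))
        for a in self.alarms:
            exceeded = v.value is not None and v.value > a.limit and mode in a.modes
            if not exceeded:
                a.pending_since = None             # excursion ended before the delay
                if a.active:
                    a.active = False
                    out.append(("AID", f"{a.name} cleared"))
                continue
            if a.active:
                continue
            if a.pending_since is None:
                a.pending_since = t
            if t - a.pending_since >= a.delay:     # condition persisted: annunciate
                a.active = True
                out.append((f"P{a.priority}", f"{a.name}: {v.value:.1f} > {a.limit}"))
        return out


# Constructed sample: four pressure channels; channel 3 fails low from t=1 on.
SAMPLES = [
    (0.0, "at_power", [2250.0, 2252.0, 2248.0, 2251.0]),
    (1.0, "at_power", [2310.0, 2312.0, 2308.0, 1500.0]),  # limit exceeded, ch 3 bad
    (2.0, "at_power", [2305.0, 2307.0, 2303.0, 1500.0]),
    (3.0, "at_power", [2306.0, 2309.0, 2303.0, 1500.0]),  # persisted 2 s: P1 alarm
    (4.0, "at_power", [2280.0, 2282.0, 2278.0, 1500.0]),  # condition cleared
    (5.0, "at_power", [2320.0, 2321.0, 2319.0, 1500.0]),  # brief excursion...
    (6.0, "at_power", [2280.0, 2281.0, 2279.0, 1500.0]),  # ...clears before delay
    (7.0, "post_trip", [2350.0, 2351.0, 2349.0, 1500.0]),  # not meaningful post-trip
]


def run_scenario() -> List[Tuple[str, str]]:
    """Run the constructed samples through one Priority-1 alarm definition."""
    proc = AlarmProcessor([Alarm("PZR pressure high", 2300.0, 2.0, 1,
                                 frozenset({"at_power"}))])
    events: List[Tuple[str, str]] = []
    for t, mode, readings in SAMPLES:
        events.extend(proc.step(t, mode, readings, tolerance=10.0))
    return events


if __name__ == "__main__":
    for kind, text in run_scenario():
        print(kind, text)
```

Running the scenario yields three messages in order: a P3 caution for the failed channel, one P1 alarm once the exceedance has persisted for the full delay, and an AID message when it clears; the one-sample excursion at t=5 and the post-trip exceedance at t=7 produce nothing.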
The ACC Plant Protection System (PPS) prevents exceeding core fuel design limits and the reactor coolant system pressure boundary for anticipated operational occurrences. This function is provided through an interface to the Reactor Trip Switchgear System. Also, the PPS provides assistance in mitigating the consequences of accidents through actuation of Engineered Safety Feature (ESF) systems via the ESF-CCS. The PPS consists of measurement channel sensors, bistable trips, local coincidence logic, and reactor trip initiation logic. Automatic testing and use of four independent channels assures high availability for the protection system.
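The following is an added illustration, not part of the patent text or of the ACC implementation, of the protection-system structure just described: each of four independent measurement channels has a bistable that compares its input with a setpoint, and the per-channel trip states are combined by local coincidence logic, with provision for bypassing one channel during maintenance. Two details are assumed because the text does not state them: the coincidence vote is two-out-of-four (degrading to two-out-of-three with one channel bypassed), and a channel with no valid input is treated as tripped so that a dead channel can never vote against a trip. Setpoints, parameter names and channel values are constructed.

```python
"""Added illustration (not ACC code) of bistable trips plus local coincidence
logic across four channels. Assumed and not stated in the text: a 2-of-4 vote
(2-of-3 with one bypass) and fail-safe handling of an invalid channel.
Setpoints and values are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Bistable:
    parameter: str
    setpoint: float
    trip_high: bool = True  # True: trip above setpoint; False: trip below

    def evaluate(self, value: Optional[float]) -> bool:
        """Single-channel trip decision. None (no valid input) trips the
        channel, so a failed channel counts toward, never against, a trip."""
        if value is None:
            return True
        return value > self.setpoint if self.trip_high else value < self.setpoint


def coincidence(channel_trips: Dict[str, bool], bypassed: Set[str],
                required: int = 2) -> bool:
    """Local coincidence logic: trip when at least `required` of the
    non-bypassed channels are tripped. More than one bypass is refused so the
    vote can never degrade below two-out-of-three (assumed rule)."""
    unknown = bypassed - set(channel_trips)
    if unknown:
        raise ValueError(f"unknown channel(s) bypassed: {sorted(unknown)}")
    if len(bypassed) > 1:
        raise ValueError("only one channel may be bypassed at a time")
    votes = [tripped for ch, tripped in channel_trips.items() if ch not in bypassed]
    return sum(votes) >= required


def reactor_trip(bistable: Bistable, channel_values: Dict[str, Optional[float]],
                 bypassed: Optional[Set[str]] = None) -> Tuple[bool, Dict[str, bool]]:
    """Evaluate one trip function over its four channels. Returns the trip
    demand and the per-channel bistable states (the latter for indication)."""
    if len(channel_values) != 4:
        raise ValueError("four independent channels expected")
    trips = {ch: bistable.evaluate(v) for ch, v in channel_values.items()}
    return coincidence(trips, set(bypassed or ())), trips


if __name__ == "__main__":
    # Constructed cases: a single spurious channel does not trip; two do;
    # a bypassed channel plus a dead channel still yields a 2-of-3 decision.
    pzr = Bistable("pressurizer pressure", 2400.0)
    print(reactor_trip(pzr, {"A": 2450.0, "B": 2251.0, "C": 2249.0, "D": 2250.0}))
    print(reactor_trip(pzr, {"A": 2450.0, "B": 2455.0, "C": 2249.0, "D": 2250.0}))
    print(reactor_trip(pzr, {"A": None, "B": 2250.0, "C": 2450.0, "D": 2250.0}, {"D"}))
```

The point a reviewer would check is the failure direction: a single spurious high reading (or a single dead channel) can never cause or block a trip on its own, and a bypass removes a channel from the vote rather than counting it as untripped, which is why the code refuses a second bypass.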
Non-safety process control is implemented within the Power Control System (PCS) and the Process Component Control System (P-CCS). The PCS integrates an established group of functions which control reactor power level. These functions include Reactor Regulating which provides manual and automatic control of the Control Element Assemblies in the reactor core; Reactor Power Cutback which initiates a partial rod insertion for certain events thus preventing a full plant trip; Megawatt Demand Setter which regulates automatic or manual demands for plant load changes; and CEA Drive Mechanism Control which provides logic and sequencing for Control Element Assemblies which effect reactor control and core power distribution.
The Process Component Control System (P-CCS) is a microprocessor-based interposing logic and control system which controls plant systems and components such as control valves, circuit breakers, motor starters and solenoids. Control sources are logically combined within the P-CCS to effect the final state of the controlled components.
Both the ESF-CCS and the P-CCS are designed to use validated signals where multiple sensors are available. This significantly improves fault tolerance and plant availability.
The operator performs control actions via dedicated process controllers, component control switches or system operator modules. The process controllers (which replace conventional PID stations) are implemented with programmable electroluminescent micro-computer driven devices that allow easy tailoring of MMI controls and data displays for specific process control loops. Each controller is capable of being configured to control multiple control loops, a master with sub-loop slaves or functionally related but independent loops. Each of these arrangements serve to reduce the amount of required control panel space. Touch access is provided on each ELD flat panel to allow quick and easy mode selection, sensor input signal selection, setpoint changes and manual control for each control loop.
Discrete control switches are also provided for component control. Shape coded pushbuttons with backlighted intelligent status indicators are utilized to provide the operator with important component inoperable and position discrepancy status information for pumps, valves, breakers, fans, etc.
Operator modules for the major I&C systems such as the Plant Protection System, ESF-Component Control System and Power Control System provide capabilities for system mode changes, bypass, automatic test surveillance and display of status information. The P-CCS and ESF-CCS operator modules also provide an alternate method of plant component control should the normal control panel switches and supporting electronics require maintenance.
Further, to achieve the desired high levels of availability and reliability the design methodologies of Redundancy, Diversity and Segmentation have been incorporated. Redundancy greatly enhances reliability and availability by providing either multiple I&C channels or a backup system component which can immediately assume the operations and functions of a failed primary system component. Redundancy is utilized within ACC for all major processor components within the safety, control and monitoring systems. Redundant backup components are maintained in a "hot-standby" mode where they can immediately replace a failed unit. Switchover, from the primary to backup component, occurs automatically and in a "bumpless" manner that is transparent to the on-line process.
Design diversity is employed to protect against common-mode failures within the control complex. Where applied to the I&C systems, diversity is carried through to the processor chip and operating system level. This assures that any unrecognized potential hardware failure or software system error will not affect all I&C systems, since complementary systems implemented with diverse technology will not be affected by the same fault.
For the ACC design, diversity is incorporated for the areas of reactor trip, fluid systems control, reactivity control and alarm/information presentation. Within each of these areas, diverse technology is utilized to assure that two independent and diverse I&C pathways exist for control/operation of these functions. This assures continued function availability should a common mode failure occur since the failure will be contained in only one of the two diverse I&C pathways. The following summarizes how diversity is employed in ACC system designs.
ACC DESIGN DIVERSITY

Function               Design Type 1                                       Design Type 2
Reactor Trip           Plant Protection System                             Alternate trip via Process-CCS
Fluid System Control   Emergency Success Paths (e.g. Emergency Feedwater)  Normal Success Paths (e.g. Main Feedwater)
                       via ESF-CCS                                         via Process-CCS
Reactivity Control     Emergency Boration via ESF-CCS                      Normal CEA Control via Power Control System
Alarm and Indication   Alarm Tiles and Discrete Indicators via DIAS        CRT Displays via DPS
Site Power             Emergency Diesel                                    Gas Turbine
For example, per 10CFR50.62, diversity is required between the reactor trip system and actuation of the emergency feedwater system. ACC meets this requirement by actuating reactor trip from the PPS and actuating the EFW system from both the PPS and Process-CCS (i.e., Alternate Feedwater Actuation Signal).
Segmentation is employed to minimize the impact of a component failure on system operation. Segmentation removes multiple control/monitoring functions from a single large processor and distributes them over many smaller processors, thus limiting the impact of a processor failure. Segmentation has only recently become economically feasible with the advent of readily available low-cost microprocessors. Segmentation is employed with ACC for the ESF-Component Control System, the Process-Component Control System, the Discrete Indication and Alarm System, and the Data Processing System.
Although the foregoing features and advantages of the ACC represent significant advances relative to current generation control complexes, the continued use of spatially separated consoles and functionally distinct panels requires large control rooms and multiple operators. Many forecasters in the nuclear power industry anticipate that the future development of nuclear steam supply systems will shift dramatically away from the mere evolution of current pressurized water and boiling water designs, to designs that are fundamentally different in a number of respects. This includes new plant designs which feature multiple modular reactor units situated at a single site which are all controlled from a single common control room; revolutionary passive plant designs which eliminate the need for immediate operator intervention during upset transients or unplanned events and which assure plant safety regardless of operator action; simplified modular plant designs which have correspondingly reduced monitoring and control requirements (such as gas cooled modular reactor designs which feature a single secondary loop with only one steam generator and one helium circulator); and operational philosophies that promote reduced staffing (such as incorporation of various degrees of automatic control).