1. Field of the Invention
This invention relates to an information system for assisting an operator in operating a complex plant having automatic controls including controls which automatically initiate protective actions in response to abnormal process changes in the plant. More particularly, it relates to such a system which includes an alarm display which notifies the operator of abnormal process changes for which automatic protective actuations have not been successfully accomplished, and therefore require operator intervention, separately from process changes being effected by automatic protective actuations and displayed on a spatially removed accomplished action display.
2. Background Information
It has been recognized in recent years that the complex technical processes normally encountered in the commercial world can be separated into two categories. In one category fall those processes that, under sufficiently abnormal conditions, could pose a credible threat to the health of the general public because of the presence of various hazardous or potentially hazardous materials in the process facility. The second category contains those processes that do not pose a credible risk to the health and safety of the general public even under severely adverse circumstances, by virtue of the absence of significant quantities of hazardous or potentially hazardous materials. Examples of the first category of processes are the primary side of conventional nuclear power plants, which contain significant inventories of radioactive fission and transmutation products, and certain chemical plants where inadvertent operation would yield an easily dispersed toxic gas. In the second category one finds, for example, the secondary side of conventional nuclear power plants, especially pressurized water reactors (PWRs), and typical manufacturing production lines such as automobile assembly lines. Note that the key to distinguishing the two categories for present purposes is the threat to the health and safety of the general public, not the threat of financial disaster for the operators or owners of the various processes.
Although automatic control and protection devices are common in most types of complex processes, it has been an essentially universal policy to maintain trained human operators to oversee and, if necessary, to assume direct control of complex processes that fall into the first category noted above. The reasoning behind this practice appears to be that preprogrammed automatic protection devices cannot be guaranteed to reliably terminate aberrant processes under all possible conditions, and the consequences of failure to terminate the process could be unacceptable in terms of the health and safety of the general public. Processes making up the second category do not have the potential to put the health and safety of the general public at risk, and so failure of automatic protective devices to terminate an aberrant process is tolerable, apart from the financial consequences. With these thoughts in mind, we may explore in more detail the functions and needs of human operators in relation to complex processes, particularly those that fall in the second category.
Complex processes are frequently designed to be operated in a virtually steady state mode. Inputs and outputs remain essentially constant over significant periods of time, and the configuration of components that carry out the process is fixed. Automatic process controllers are utilized to hold process parameters at close to optimum values for the operation being carried on. The fluctuations in the process that result from automatic controller actuation are, by design, minimal. Human operator intervention at this level is negligible and occurs, in principle, only when the process must be shifted from one steady state regime to another.
Since it is recognized that both the components supporting the process and the controllers directing the process are vulnerable, to a non-negligible degree, to malfunction or outright failure, protective devices and mechanisms are provided to limit the propagation of the consequences of component or controller failure to other components supporting the process and, if possible, to the process itself. Protective functions may involve either interruption of part or all of the process, or realignment of the process component configuration by component start-up or shutdown, or a combination of the two, without significant immediate effect on the process itself. The human operator's role with regard to the process protection functions is more active than his role with regard to the process controllers. He must be aware at all times of both recent and impending changes in the process in terms of cause or potential cause, nature of the change and, if the change has already been initiated, the success of the protective actuation. If an automatic change in the process occurs, the human operator will be called upon to restore the process, if interrupted, or to return the process component alignment to its original form, if the alignment is altered, and in any event to initiate repairs to, or replacement of, malfunctioning components. If the process change is impending but has not yet occurred, the human operator may be expected to intervene directly in the process by imposing manual control over that of a malfunctioning automatic controller, for example, to maintain the process or to bring it to an orderly shutdown before an automatic protective function is activated.
The issue of providing human operators of complex processes with appropriate information regarding the states and trends of the processes they are overseeing or controlling directly has prompted much study and product development, especially in recent years. A significant part of this attention has been directed to the design of alarm management systems whose functions are the identification of process anomalies and the presentation of the information developed to the process operators in an unambiguous way. U.S. Pat. No. 4,816,208 to Woods et al. is representative of relatively recent attempts to define an alarm management system that is particularly designed to support the human operators of complex processes in the first category in directly controlling and terminating an aberrant process that has not responded to automatic protection system actuations. While the approach described appears as though it would be effective in the intended application, it does not appear to be suitable for supporting human operators of processes in the second category, or in the first category for that matter, where the operator's role is more nearly one of overseeing the workings of the automatic protection systems than of directly controlling the process.
There is a need for an information system for assisting operators in the operation of plants of the second category which makes the operator aware of a situation in which he cannot rely upon the automatic protection system and will have to, or advantageously can, intervene. These include situations where the automatic protection system itself experiences a malfunction and therefore does not accomplish the required protective actuations, and those situations in which, although the protection system performs as designed, it is inadequate to address the situation. There is also a need for a system which will notify the operator of abnormal process changes which precede actuation of the automatic protection system, so that the operator may have the opportunity to intervene if desired to avoid the need for the automatic system to take corrective action, especially considering that the corrective action might include shutdown of the plant. There is an additional need for such a system which makes available to the operator information regarding successful operation of the automatic protection systems. This information should be presented separately from the information on unsuccessful operation of the protection system, so that the operator is clearly apprised of the situations where intervention will be likely to be required. There is also a need for making the operator aware of failures in the automatic protection system. There is an additional need for making the operator aware of conditions which have been corrected.
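The following is an added example, not code from the patent, showing how the routing described in the field-of-invention statement and the needs listed above could be implemented: each protective function is tracked through the phases "abnormal change detected", "actuation confirmed" or "actuation not confirmed in time", and "condition corrected", and every event is posted either to the alarm display (operator attention likely required) or to the separate accomplished-action display. The tag names, protective functions, limits, deadlines and sample values are all constructed for the example.

```python
"""Added example (hypothetical design, not the patent's own system): route
protection-system events to two separate displays, the alarm display for
situations that may need operator intervention and the accomplished-action
display for protective actuations that succeeded or conditions that cleared."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Display(Enum):
    ALARM = "alarm"                # operator intervention likely required
    ACCOMPLISHED = "accomplished"  # automatic protective action succeeded


@dataclass
class ProtectiveFunction:
    name: str          # hypothetical function name, e.g. "high-pressure trip"
    trigger_tag: str   # process parameter whose excursion should actuate it
    limit: float       # value above which the function is expected to actuate
    confirm_tag: str   # feedback signal (nonzero) proving the actuation happened
    deadline_s: float  # time allowed for actuation, and for it to take effect


@dataclass
class Entry:
    t: float
    display: Display
    text: str


@dataclass
class _State:
    phase: str = "normal"   # normal -> pending -> actuated | failed -> normal
    since: float = 0.0      # time the current phase was entered
    escalated: bool = False # "actuated but inadequate" already reported


class AlarmRouter:
    """Classifies each process sample per protective function (hypothetical)."""

    def __init__(self, functions: List[ProtectiveFunction]):
        self.functions = functions
        self.state: Dict[str, _State] = {f.name: _State() for f in functions}
        self.entries: List[Entry] = []

    def _post(self, t: float, display: Display, text: str) -> None:
        self.entries.append(Entry(t, display, text))

    def process_sample(self, t: float, values: Dict[str, float]) -> None:
        for f in self.functions:
            s = self.state[f.name]
            abnormal = values[f.trigger_tag] > f.limit
            confirmed = bool(values.get(f.confirm_tag, 0))
            if s.phase == "normal" and abnormal:
                # Abnormal change preceding actuation: operator may still intervene.
                self.state[f.name] = _State("pending", t)
                self._post(t, Display.ALARM,
                           f"{f.trigger_tag} above {f.limit:g}: {f.name} expected")
            elif s.phase == "pending" and confirmed:
                # Actuation verified: report on the separate accomplished display.
                self.state[f.name] = _State("actuated", t)
                self._post(t, Display.ACCOMPLISHED, f"{f.name} actuated")
            elif s.phase == "pending" and t - s.since > f.deadline_s:
                # Protection system malfunction: no actuation within the deadline.
                self.state[f.name] = _State("failed", t)
                self._post(t, Display.ALARM,
                           f"{f.name} NOT actuated within {f.deadline_s:g}s")
            elif s.phase == "failed" and confirmed:
                # Late actuation still counts as accomplished, but is labelled.
                self.state[f.name] = _State("actuated", t)
                self._post(t, Display.ACCOMPLISHED, f"{f.name} actuated late")
            elif (s.phase == "actuated" and abnormal and not s.escalated
                  and t - s.since > f.deadline_s):
                # Performed as designed but inadequate: the condition persists.
                s.escalated = True
                self._post(t, Display.ALARM,
                           f"{f.name} actuated but {f.trigger_tag} still abnormal")
            elif s.phase != "normal" and not abnormal:
                # Condition corrected: inform the operator and reset tracking.
                self.state[f.name] = _State()
                self._post(t, Display.ACCOMPLISHED,
                           f"{f.trigger_tag} back within limit; {f.name} cleared")

    def display(self, which: Display) -> List[str]:
        return [f"t={e.t:g} {e.text}" for e in self.entries if e.display is which]


def run_demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: one successful trip, one late and inadequate closure."""
    router = AlarmRouter([
        ProtectiveFunction("high-pressure trip", "PT-101", 2300.0, "TRIP-101", 5.0),
        ProtectiveFunction("isolation valve close", "TT-303", 550.0, "CLOSE-303", 5.0),
    ])
    samples = [  # constructed samples: (t, {tag: value}); 1 = feedback present
        (0, {"PT-101": 2200, "TRIP-101": 0, "TT-303": 500, "CLOSE-303": 0}),
        (1, {"PT-101": 2350, "TRIP-101": 0, "TT-303": 500, "CLOSE-303": 0}),
        (2, {"PT-101": 2360, "TRIP-101": 1, "TT-303": 560, "CLOSE-303": 0}),
        (3, {"PT-101": 2340, "TRIP-101": 1, "TT-303": 560, "CLOSE-303": 0}),
        (4, {"PT-101": 2290, "TRIP-101": 1, "TT-303": 560, "CLOSE-303": 0}),
        (8, {"PT-101": 2280, "TRIP-101": 0, "TT-303": 560, "CLOSE-303": 0}),
        (9, {"PT-101": 2280, "TRIP-101": 0, "TT-303": 560, "CLOSE-303": 1}),
        (15, {"PT-101": 2280, "TRIP-101": 0, "TT-303": 560, "CLOSE-303": 1}),
        (16, {"PT-101": 2280, "TRIP-101": 0, "TT-303": 540, "CLOSE-303": 1}),
    ]
    for t, values in samples:
        router.process_sample(t, values)
    return router.display(Display.ALARM), router.display(Display.ACCOMPLISHED)


if __name__ == "__main__":
    alarms, accomplished = run_demo()
    print("ALARM DISPLAY:", *alarms, sep="\n  ")
    print("ACCOMPLISHED ACTION DISPLAY:", *accomplished, sep="\n  ")
```

The two lists returned by `run_demo` correspond to the two displays: the pressure excursion appears once on the alarm display (the pre-actuation notice) and twice on the accomplished display (trip confirmed, condition cleared), while the temperature excursion produces three alarm entries (pre-actuation notice, actuation not confirmed in time, actuation confirmed but inadequate) before its late actuation and eventual clearing are posted on the accomplished display. Posting "corrected" notices on the accomplished display rather than the alarm display is a design choice of this example; the point the passage makes is only that successful and unsuccessful protective operation must be kept visually separate.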