1. Field of the Invention
The present invention relates to a plant apparatus operated by touch operation.
2. Description of the Prior Art
Safety system equipment for an atomic power plant or a nuclear power plant, as a plant operation apparatus, is required to maintain its safety functions under the single failure criterion, that is, even if a single failure occurs in any device or channel forming the plant operation apparatus. Each item of safety system equipment for the atomic power plant must therefore be physically separated, electrically isolated, and independent from other equipment, systems, and multiplicity systems.
For example, Literature 1 is one conventional example that satisfies the requirement of the safety protection function described above.
Literature 1: "Development of the BWR safety protection system with a new digital control system", IAEA International system on nuclear power plant instrument and control, TOKYO, Japan, pp. 18-22, May, 1992.
FIGS. 1(a) and 1(b) are a pictorial view and a diagram showing a configuration of a conventional safety system including touch operated equipment shown in Literature 1 described above. In FIG. 1(b), the reference numbers 152, 153, 154, and 155 designate train control devices separated into four sections in order to control the operation of trains. That is, the configuration of the conventional safety protection system comprises the four trains. In FIG. 1(a), the reference number 159 designates a central control panel having a plurality of flat displays corresponding to the train control devices DIV-1, DIV-2, DIV-3, and DIV-4, respectively. Each of the trains 152 to 155 is physically separated by the separation means 151.
Because the safety protection equipment in the conventional system shown in FIGS. 1(a) and 1(b) has the configuration described above, the supervision operation devices in the central control panel 159, such as flat display panels (FDP) and the like, which are to be separated from each other, must be completely and physically separated in the same way as the safety protection system downstream from the flat display panels in order to satisfy the separation criteria. A flat display panel must be installed independently in each train as the supervision operation panel, as indicated in FIG. 1(b) by "to DIV-1 flat display", for example. Thus, the supervision operation panel is divided independently for each train. The conventional plant operation apparatus therefore has the drawback that the operation efficiency of operators decreases and the scale or size of the system increases.
The conventional example shown in FIG. 1(b) requires at least three flat displays, or at least six flat displays when two flat displays are installed in each train, because each train requires at least one flat display for the supervision operation.
In addition to the separated flat displays described above, multiplicity equipment and switching devices, which are required for increasing reliability and for easy maintenance, are commonly and widely used in conventional apparatuses. For example, Japanese patent publication number JP-B-62/75704 discloses a conventional control apparatus.
FIG. 2 is a block diagram showing the conventional process control apparatus disclosed in Japanese patent publication number JP-B-62/75704 described above. In this process control apparatus, when an operator operates the operation panel 111, the auxiliary control unit 110 and control units 101, 102, and 103 forming the multiplicity control unit generate operation signals and output them through lines L11, L12, L13, L14, and other wires to a field panel 100, an electrical instrument unit 400, an annunciator 500, and other control units. Thereby, a switch unit 202 switches back and forth between the output signal transferred from the control multiplicity unit and the output signal transferred from the auxiliary control unit 110. The selected output signal is transferred to the process 300 through the wire L2. It is thereby possible to increase the efficiency of the maintenance operation and the reliability. That is, because the conventional control device 100 has the configuration as shown in FIG. 2, the control device 100 can execute normally and can output the normal output operation signal to the process 300 even if one of the control units 101, 102, and 103 breaks down as a result of errors. Furthermore, when the control function of the control units is renewed, the switch unit 202 can switch the output transferred from the control unit to the output transferred from the auxiliary control unit 110 in order to execute the normal operation.
However, although the conventional commonly used apparatus comprising the control multiplicity units and the switch unit 202 satisfies the reliability and maintenance criteria that are generally required, it is difficult, or impossible, to apply it to safety system equipment for atomic power plants or nuclear power plants, which must meet a strict single failure criterion (the separation and independence requirement) at the highest level of safety requirement.
The safety system equipment for atomic power plants must guarantee the safety protection function when any single failure of a component device occurs. In the conventional example shown in FIG. 2, a failure of the switch unit 202 may affect the apparatus, a failure of the auxiliary control unit 110 may extend to each of the control units 101 to 103, and the safety function may be lost when all of the functions of the control device 100 fail in a fire. These are drawbacks of the conventional safety protection function.
As in the conventional example described above, the conventional common multiplicity and switching mechanism cannot satisfy the separation criteria for atomic power plants. Accordingly, the conventional safety protection system for atomic power plants comprises at least two or four separated trains (in order to form separated equipment). In addition to this configuration, a desired device or devices are multiplexed within each separated train. That is, the conventional safety protection system is designed by using a multiplicity design method.
FIG. 3 is a diagram showing the conceptual configuration of a train separation based on the conventional multiplicity design method. In the conventional train separation shown in FIG. 3, the supervision operation flat display panels (FDPs) 171 to 174 are integrated into the central control panel 170. Both the FDP 171 and the FDP 172 belong to the A train, and both the FDP 173 and the FDP 174 belong to the B train. Each train is separated from the other trains for fire protection by a separator serving as the separation means, such as a metal plate and the like, in the central control panel 170.
The operation signal transferred from each FDP is transferred to each of the safety protection devices 183 to 186 through the FDP controllers 175 to 178 and the multiplexers (MPX) 179 to 182. The safety protection equipments 183 to 186 operate plant devices in plant processes. All of this equipment placed downstream from the central control panel 170 is divided into trains. The train A and train B are shown in FIG. 3. The control panel includes independent flat display panels 171 to 174 for controlling downstream devices such as the FDP controllers 175 to 178. These devices are not connected to each other in order to protect them from fire and to reduce the effect of any single failure on other devices.
(Proper separation devices are provided for devices requiring cross-over wiring.) By using this configuration, even if a component device in the train A fails, the train B can maintain its function and can guarantee its operation. Here, if either the train A or the train B alone provides the function required for atomic power plants, it is possible to maintain the plant safety functions for any single failure.
In addition, there are cases in which the configuration within each train must be multiplexed. For example, in the conventional example shown in FIG. 2, the FDP controller, the multiplexer, and the like are multiplexed. This multiplexing in the conventional example shown in FIG. 2 is different in concept from the separation design using the train configuration. Therefore the multiple design in each train can be executed by using the conventional reliability analysis method, for example. The supervision operation equipment in the conventional safety system shown in FIG. 1 is designed and formed. In the conventional example shown in FIG. 1, the devices in the apparatus are separated by using three divided trains DIV-1 to DIV-3. In each train, the required parts such as a safety logic unit (SLU), a digital trip module (DTM), and the like are redundantly included.
Hereinafter, the explanation of the general multiple design applied to each of the trains is omitted. The explanation below covers the drawbacks of the conventional method, relevant to the plant operation apparatus of the present invention, that arise in satisfying the train separation required by the single failure criterion while integrating the supervision operation panel.
Because the conventional plant operation apparatus has the configuration described above, the following requirements (1) to (4) apply to the touch operation devices in the safety protection equipment of an atomic power plant, as they do to the safety protection system for an atomic reactor, based on the safety design examination guidance and the fire guidance.
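The single failure argument made above for FIG. 2 and FIG. 3 can be checked mechanically. The following Python sketch is an added example, not part of the original text or of the cited literature; it assumes that one healthy control unit suffices in FIG. 2, that all FIG. 2 units share one enclosure, and that the FIG. 3 devices form one-to-one chains in reference number order.

```python
# Added illustration (not from the original text): single-failure check on the
# architectures described for FIG. 2 and FIG. 3.
# Assumption: the safety function survives while at least one path (a set of
# components that must all work) is fully intact.

def defeating_events(paths, zones):
    """Return the single events that leave no intact path.

    An event is either the failure of one component or a fire that
    destroys every component inside one fire zone.
    """
    components = set().union(*paths)
    events = {c: {c} for c in components}
    for zone, members in zones.items():
        events["fire:" + zone] = set(members)
    return sorted(name for name, lost in events.items()
                  if all(path & lost for path in paths))

# FIG. 2: control units 101-103 and auxiliary unit 110 all reach process 300
# through switch unit 202. Optimistic assumption: one healthy unit suffices.
FIG2_PATHS = [{"101", "202"}, {"102", "202"}, {"103", "202"}, {"110", "202"}]
# Assumption: everything sits in one enclosure (control device 100).
FIG2_ZONES = {"control device 100": {"101", "102", "103", "110", "202"}}

# FIG. 3: assumed one-to-one chains FDP -> FDP controller -> MPX -> device.
FIG3_PATHS = [
    {"171", "175", "179", "183"},  # train A
    {"172", "176", "180", "184"},  # train A
    {"173", "177", "181", "185"},  # train B
    {"174", "178", "182", "186"},  # train B
]
FIG3_ZONES = {
    "train A": FIG3_PATHS[0] | FIG3_PATHS[1],
    "train B": FIG3_PATHS[2] | FIG3_PATHS[3],
}
# Hypothetical variant: panel 170 without its separator is one fire zone.
FIG3_NO_SEPARATOR = {"panel 170": {"171", "172", "173", "174"}}

if __name__ == "__main__":
    print("FIG. 2:", defeating_events(FIG2_PATHS, FIG2_ZONES))
    print("FIG. 3:", defeating_events(FIG3_PATHS, FIG3_ZONES))
    print("FIG. 3, no separator:",
          defeating_events(FIG3_PATHS, FIG3_NO_SEPARATOR))
```

An empty result means no single component failure or single-zone fire removes the function; the FIG. 2 model fails on the shared switch unit and the shared enclosure, while the separated trains of FIG. 3 do not.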
(1) Multiplicity or Diversity
Safety functions must be maintained (namely, the single failure criterion) even if any device forming a system or channel fails. Equipment in the safety protection system is therefore required to have multiplicity and diversity.
(2) Independence
For the same reason as in (1) described above, the channels forming a system must be designed so that they are separated from each other and independent from each other as completely as is practical. Because satisfying this requirement means electrically isolating and physically separating the devices, the devices that can be used for this separation are limited in general.
(3) Separation from measurement control system
In order to prevent the influence of a failure caused by a general measuring control system that does not meet the requirements (1) and (2) described above, the devices and equipment in the safety protection system must be designed separately from the measuring control system.
(4) Prevention of fire, detection of fire, fire fighting, and reduction of the influence of fire
As the countermeasure to reduce the influence of a fire, it is required to separate devices by means of a fire-proofing wall, a bulkhead, an interval (distance), and the like.
Because the supervision operation panel must be separated for each train in order to satisfy the separation criteria (the physical separation, the electrical isolation, and the separation that prevents a fire from spreading), the amount of hardware in the system, the size of the system, the working space for operators, the working time of the operators, the costs of the system, and so on necessarily increase. Accordingly, there is a need in the conventional plant operation apparatus, specifically in the atomic power plant field, to increase the operation efficiency of the supervision work and to obtain a plant operation apparatus whose cost is reduced by decreasing the hardware size of the equipment and devices in the plant operation apparatus while the separation criteria remain satisfied.