JP7413205B2 - Autonomous traffic control device, autonomous traffic control system, and design method - Google Patents

Description

The present invention relates to an autonomous traffic control device, an autonomous traffic control system, and a design method.

BACKGROUND ART Control systems that control plants and the like include automatic control systems and autonomous systems, and the following are known as conventional technologies.

For example, Patent Document 1 describes a first storage system that stores in time series data output from equipment constituting the plant as the plant operates, and data output from a measuring instrument that measures the processing target of the plant. a database, a second database in which conditions for analysis or diagnosis are defined, and analyzing the data read from the first database based on the conditions read from the second database using a first statistical method. a first diagnostic unit for diagnosing the presence or absence of an abnormality in the measuring instrument; a diagnosis result for the presence or absence of an abnormality in the measuring instrument; a second diagnostic unit that diagnoses the presence or absence of a performance abnormality in the equipment by analyzing the data using a second statistical method; a condition evaluation section that selects information for giving work instructions to an operator of the plant based on evaluation results of the conditions of the measuring instrument and the plant based on diagnosis results; A data processing device is disclosed that includes a presentation unit that presents information.

Further, Patent Document 2 describes, regarding operation data that is at least one of data measured from a plant to be controlled and input data for controlling the plant, a method for operating the plant according to the operation data. The evaluation value of the plant and the spatial distance from the first position on the n-dimensional space (n≧2) where the current operational data is mapped to the second position on the n-dimensional space where each of the operational data is mapped. and a target extracting unit that extracts a plurality of target driving data candidates based on the evaluation value and the spatial distance that have been calculated respectively, and a target extraction unit that extracts a plurality of target driving data candidates, and extracts the current driving data candidate for each extracted driving data candidate. By evaluating the operation route of each candidate using the operation content leading from the data to the target driving data as the operation route, the operation route to be adopted and the target driving data that is the end point of the operation route are determined. A plant operation support device is disclosed that includes a route determination unit that determines a route, and a display unit that displays the operation route from the operation data that is a starting point of the operation route to the target operation data as map data. .

Further, Patent Document 3 describes a plant state monitoring unit that collects measurement data and state data of various devices constituting the plant and monitors the state of the plant, and presents the monitoring results by the plant state monitoring unit to the operator. a human-machine interface unit that receives operations based on various commands from operators; a plant operation unit that acquires operation information from the human-machine interface unit and performs operations on the various equipment based on the operation information; and a plant operating unit that operates the various equipment during normal times. an expected effect database that stores plant state changes caused by operations as expected effects of the operations; an alternative operation database that stores alternative operations for obtaining the expected effects stored in the expected effect database; and after operations by the plant operation section. an operation result determination unit that acquires a monitoring result of the plant state from the plant status monitoring unit and determines whether the expected effect of the operation is obtained by referring to the expected effect database; As a result of the determination, if the expected effect of the operation is not obtained, an alternative operation for obtaining the expected effect is searched from the alternative operation database, and the alternative operation is presented to the operator via the human machine interface unit. A plant operation support system is disclosed that includes an acquisition unit.

Further, Patent Document 4 describes a measurement value database in which various measurement value data in a plant is accumulated, an operation history database in which operation history data of the plant monitoring and control system is accumulated, and one or more operation steps. an individual operation database in which individual operation data indicating the operation procedure of the individual operation is accumulated, past operation procedures obtained based on the measurement value data and the operation history data, and individual operation data corresponding to each of the individual operation data. an operation procedure scoring section that scores the degree of similarity with the operation; a recommended operation selection section that estimates the individual operation currently being performed based on the degree of similarity and selects the next recommended operation to be performed based on the estimation result; , and a user interface unit capable of presenting the selected recommended operation to an operator.

JP 2019-153045 Publication JP2019-016214A Japanese Patent Application Publication No. 2015-005083 Japanese Patent Application Publication No. 2010-231591

An automatic control system operates passively according to preprogrammed control rules to achieve specified operating instructions in a closed environment that satisfies operating assumptions determined or assumed at the time of design. . In the operation of such an automatic control system, the operator executes control by setting operation commands as appropriate; however, in an open environment, the operation commands may not be achieved due to conflicts caused by too many constraints. sell. If an automatic control system finds itself in a situation where it deviates from such operating assumptions, it will be unable to detect the occurrence of a conflict on its own, resulting in unexpected behavior. Furthermore, since the operator has no means of knowing the cause of the unexpected operation, there is a risk that the operator may set an incorrect operation command as a countermeasure, further worsening the situation.

On the other hand, autonomous systems have the ability to reconstruct how to achieve their own operational objectives, that is, control methods, in response to changing operating environments over time. Appropriately reset the operation instructions to resolve conflicts. In other words, an autonomous system dynamically reconstructs the state of the operating environment and a model of the operating environment, and determines and modifies the feasibility of the operating instructions itself, independently of the design, during production time. This allows them to adapt to the changing external environment. In this respect, autonomous systems are distinguished from automatically controlled systems.

By the way, when applying an autonomous system to a high-safety plant where no-fault liability is imposed, it is necessary to provide some kind of recovery control means to deal with various hazard scenarios whose root events are internal or external factors. There is. On the other hand, implementing intrinsically safe design and functionally safe design for all known internal and external factors and hazard scenarios that have them as root events conflicts with cost constraints. Furthermore, there are theoretical limits to work, control, and state measurement functions; for example, installed sensors have a functional limit in that the amount of physical information that can be directly measured is limited.

Therefore, in functional safety design, rather than incorporating all the response functions for hazard scenarios related to internal factors into the measurement and control system, only one response function such as inspection and monitoring of equipment operating status, abnormality reporting, emergency response work, etc. By placing field operators in charge of this part, they were able to avoid cost constraints while compensating for the theoretical limitations. In other words, for example, a plant operator working at a control center can control operations via a plant automatic control device, and at the same time perform site work, patrols, and inspection/monitoring work as appropriate while communicating with field operators. The plant to be controlled was operated.

Such an operating system is realized through cooperation between field operators and plant operators based on various non-mechanical work instructions and reports. In other words, information such as the content of the work, conditions for generating work instructions, requirements for work completion, means of confirming work completion, and conditions for discontinuing work if it is difficult to complete the work is specified in a format that cannot be determined mechanically (non-mechanical format). has been done. In addition, the method of specifying this information is often accumulated as layman's know-how through inheritance among successive plant operators.

Therefore, information may be insufficiently passed down among plant operation personnel, or it may be difficult for plant operators to make appropriate choices from a large amount of accumulated information, and plant operators may take appropriate action. There is a possibility that you may not be able to do so. Furthermore, as the design becomes more complex due to plant expansion or renovation, it may become difficult for plant operators to rely on manuals. Therefore, during plant operation, a control system that can systematically oversee the entire plant operation, including field operators, is needed by assisting the plant operator by efficiently interpreting a large amount of sensor data related to situation analysis and decision-making. It has been demanded.

Additionally, as the working population decreases, there is a growing shortage of field operators who are familiar with plant design constraints and can flexibly perform dangerous work. Therefore, it is necessary to replace robots that can perform dangerous tasks and eliminate the risk of industrial accidents through remote or unmanned operations, and control systems must be able to generate work instructions in a format that can be interpreted mechanically. It has been demanded.

In the conventional technology described in Patent Document 1, the plant diagnosis determines whether the result of category analysis using a data set including measuring instruments is abnormal, and gives work instructions to the operator according to the result of the category analysis. A data analysis system is disclosed. However, the actual state space that can be taken is not comprehensively classified without duplication, and the boundary conditions depend on the analysis algorithm, meaning that the semantic interpretation is unclear, and the content of the work instructions themselves is unclear. There is a possibility that some spaces may remain as defined.

The prior art described in Patent Document 2 discloses a plant operation support device that classifies operational data into categories, determines an operation route from an initial category to a target category, and instructs an operator. However, the correspondence between plant operation details and actual plant behavior is not guaranteed, and only past records are reproduced. Therefore, it is not possible to solve the fundamental limitations of automatic control systems, such as the inability to detect cases where low-frequency events occur or cases where operation commands cannot be accomplished due to conflicts caused by too many constraints.

The prior art described in Patent Document 3 discloses a plant operation support system that determines the expected effect of an operation from measurement data of plant equipment and presents alternative operations. However, only part of the plant operation process is automated, and this measure is meaningless in the case of low-frequency hazard events that rely on manual operation.

In the conventional technology described in Patent Document 4, similar individual operations are determined from plant data and operation history, and operation guidance is presented to the operator. However, this method is limited to reproducing past operation history, and the fundamental limitations of automatic control systems have not been resolved.

The present invention has been made in view of the above, and provides an autonomous control system and an autonomous control device that can systematically control the entire plant operation, including automatic recovery control based on functional safety design and recovery work by field operators. , and a design method.

The present application includes a plurality of means for solving the above-mentioned problems. To give one example, the control target is controlled based on a sensor value sequence consisting of time-series detected values of sensors installed in the plant to be controlled. When calculating a state value vector representing a state and dividing a region defined by a set of the state value vectors that are valid as the state of the controlled object into a plurality of convex closed regions each corresponding to a plurality of predetermined requirements. A binary vector conversion unit that converts into a binary vector that is a truth value with respect to a separation criterion, and the meaning of the truth value with respect to a separation criterion surrounding a convex closed region to which the state value vector converted into the binary vector belongs, The binary vector is presented to a plant operator who directs the control of the plant, and the binary vector transitions through a convex closed region that satisfies predetermined requirements to a convex closed region corresponding to a goal condition set by the plant operator. and a binary vector transition route search unit that generates and outputs work instructions to field operators who perform site work in the plant.

According to the present invention, it is possible to systematically control the entire plant operation including automatic recovery control based on functional safety design and recovery work performed by field operators.

FIG. 1 is a diagram schematically showing the overall configuration of an autonomous air traffic control system. FIG. 2 is a functional block diagram showing the autonomous air traffic control device along with related components. It is a figure showing an example of state transition of a plant by control of an autonomous control control device. FIG. 2 is a diagram schematically showing an example of a transition model between binary vectors. This indicates information used as input when constructing a transition model between binary vectors. FIG. 2 is a functional block diagram showing processing functions of a binary vector transition model design device that designs a binary vector transition model. 7 is a flowchart showing processing contents of a convex closed region division processing section. 12 is a flowchart showing the processing contents of the binary vector transition model construction unit. It is a figure which shows the operation know-how which matched the transition between convex closed regions as a trigger condition.

Embodiments of the present invention will be described below with reference to FIGS. 1 to 9.

In this embodiment, a power generation plant will be described as an example of a controlled object, but the present invention can also be applied to other controlled objects.

FIG. 1 is a diagram schematically showing the overall configuration of an autonomous traffic control system according to the present embodiment.

In FIG. 1, an autonomous traffic control system 100 is roughly configured from a plant 10, a plant automatic control device 20, a field operator 30, a control center 40, and an autonomous traffic control device 50.

The plant 10 that is controlled by the autonomous control system 100 is, for example, a nuclear power plant, and includes a nuclear reactor 11 that generates steam using thermal energy from nuclear fission, and a steam turbine 12 that is rotationally driven by the steam from the nuclear reactor 11. , a generator 13 that generates power by rotationally driving a steam turbine 12 and outputs the generated power to power transmission equipment 14 .

Nuclear reactor 11 is provided with many sensors for detecting various information related to the state of nuclear reactor 11, such as temperature and pressure. In addition, in FIG. 1, a plurality of sensors related to the nuclear reactor 11 are collectively shown as a sensor 111.

The steam turbine 12 is provided with many sensors for detecting various information related to the state of the steam turbine 12, such as temperature, pressure, and rotational speed. Note that in FIG. 1, a plurality of sensors related to the steam turbine 12 are collectively shown as a sensor 121.

The generator 13 is provided with many sensors for detecting various information related to the state of the generator 13, such as voltage, current, and rotation speed. In addition, in FIG. 1, a plurality of sensors related to the generator 13 are collectively shown as a sensor 131.

The automatic plant control device 20 controls the operation of the plant 10, and controls the operation of power plants such as the nuclear reactor 11, steam turbine 12, and generator 13 according to the detection results from the sensors 111, 121, and 131. Output instructions.

The field operator 30 performs direct work (direct work 31) on each component of the plant 10, such as site work, patrol, inspection/monitoring work, etc. in the present embodiment. An example is shown in which the robot is a field work robot that performs various tasks according to the requirements. Work instructions to the field operator 30, which is a field work robot, are sent in a mechanically interpretable format. The conventional operation status monitoring work using visual confirmation is reproduced by the work of transmitting imaged data, and the content of the work instruction is realized by specifying the spatial coordinates of the imaged object and the object to be imaged. For example, a field work robot sequentially executes and completes a task of moving to a corresponding position and a task of capturing an image of a corresponding object within a frame and transmitting the image.

The automatic plant control device 20 sends detected values from the sensors 111, 121, and 131 provided in the plant 10 to the control center 40 and the autonomous control device 50. The plant automatic control device 20 also controls the plant 10 based on control instructions from the control center 40, control instructions from the autonomous control device 50, detected values from sensors 111, 121, 131 provided in the plant 10, etc. control the behavior of

A plant operator who operates the plant 10 works in the control center 40 . The control center 40 is equipped with a central control panel 41 that is in charge of overall control of the plant 10, and displays information from the plant automatic control device 20 and the autonomous control device 50 to present it to the plant operator. Control instructions and setting information are transmitted to the plant automatic control device 20 and the autonomous control device 50 in accordance with the operator's operations.

The autonomous control device 50 calculates an operation plan that satisfies the goal conditions set by the plant operator of the control center 40 via the central control panel 41 using a binary vector transition model, which will be described later. In order to realize the plan, control instructions are given to the plant automatic control device 20 (output of a control command sequence), and field operators (field work robots) 30 are provided in a mechanically interpretable format (binary vector values to be described later). It generates and outputs work instructions, on-site status confirmation instructions, inspection instructions, etc., and displays the contents of the operation plan, control instructions, work instructions, etc. on the central control panel 41 in a form that is understandable to the operator.

For example, when recovery control based on functional safety design is not required, such as during steady operation of the plant 10, the autonomous control device 50 controls the plant to maintain a state specified in advance by control instructions from the control center 40. The operation of the plant 10 is controlled by the automatic control device 20. Further, when the control center 40 or the autonomous control device 50 issues a control instruction for recovery control based on functional safety design, the automatic plant control device 20 performs recovery control of the plant 10 .

For example, if a certain event is not responded to by recovery control based on the functional safety design of the plant automatic control device 20, but it is necessary to perform recovery control that involves site work by the field operator (field work robot) 30, A work instruction is sent to the field operator 30. The work instructions sent to the field operator 30 are mainly a pair of a binary vector value indicating the current state of the plant 10 and a binary vector value after the transition that should be reached upon completion of the work.

In this way, in this embodiment, the field operator (field work robot) 30 is responsible for some of the functions of recovery control based on the expensive functional safety design, and the field operator (field work robot) 30 performs site work. Perform recovery work to restore normal operating conditions from an abnormal state to prevent unnecessary declines in operating rates. The person who executes the restoration work is not the plant automatic control device 102 but the field operator (field work robot) 30, and it is the autonomous control device that issues specific work instructions. That is, the autonomous control device 50 is a control tower for site work by the field operator (field work robot) 30, which compensates for imperfections in the functional safety design of the plant automatic control device 102.

The autonomous traffic control device 50 has an event-driven control function that issues work instructions and confirms work completion using mechanically interpretable binary vector values. The event serving as the trigger condition corresponds to the inversion of the truth value of a binary vector indicating the occurrence of some kind of trouble or the detection of an abnormality. The event-driven control function includes a function of selecting a transition destination binary vector, with the control content being the process of issuing a work instruction associated with each binary vector, and the confirmation of the work completion condition being the post-condition. Furthermore, if it is difficult to complete the task, an exception handling design may be designed in which a timeout or the like is used as a trigger to select a state transition to another binary vector. Field operators (field work robots) can be controlled by repeating state transition control between binary vectors using the task completion or completion difficulty determination as a trigger. That is, the autonomous control device 50 can systematically control the entire plant operation, including automatic recovery control based on functional safety design and recovery work performed by the field operator (field work robot) 30.

Here, the functions of the autonomous traffic control device 50 and the transition model between binary vectors will be explained.

FIG. 2 is a functional block diagram showing the autonomous traffic control device along with related components. Further, FIG. 3 is a diagram showing an example of a state transition of a plant under control of the autonomous control device, and FIG. 4 is a diagram schematically showing an example of a transition model between binary vectors.

As shown in FIG. 2, the autonomous control device 50 represents the state of the controlled object based on a sensor value sequence consisting of time-series detected values of the sensors 111, 121, and 131 installed in the controlled object plant 10. The truth about separation criteria when calculating state value vectors and dividing a region defined by a set of state value vectors that are valid as the state of the controlled object into multiple convex closed regions each corresponding to multiple predetermined requirements. The control of the plant 10 is performed by the binary vector converting unit 51 that converts into a binary vector that is a false value, and the meaning of the truth value with respect to the separation criterion surrounding the convex closed region to which the state value vector converted to the binary vector belongs. The plant automatic control device 20 displays the binary vector to the commanding plant operator and causes the binary vector to transition through the convex closed region that satisfies predetermined requirements up to the convex closed region that corresponds to the goal condition set by the plant operator. and a binary vector transition route search unit 52 that generates and outputs work instructions to a field operator (field work robot) 30 that performs site work in the plant 10.

The binary vector conversion unit 51 receives time-series detected values (sensor value strings) from the sensors 111, 121, and 131 sent via the plant automatic control device 20, and transforms the received sensor value strings into a binary vector model ( (described later) to convert it into a binary vector (binary vector value). Furthermore, the binary vector conversion unit 51 is equipped with a reference function that calls information (interpretation information) indicating how the internal and external conditions of the plant 10 can be interpreted according to the converted binary vector values. There is.

The binary vector transition path searching unit 52 searches for a binary vector value so that the binary vector value from the binary vector converting unit 51 transitions to the binary vector value of the goal condition input into the central control panel 41 by the plant operator. Search for state transition paths between vectors. The transition path between the binary vectors includes the current binary vector value (initial value: current internal/external state of the plant 10), the binary vector value set as the goal condition (target value: target internal/external state of the plant 10), ), and one or more binary vector values (transition values) that complement the transition state path between those two binary vector values. However, depending on the relationship between the initial value of the binary vector value and the target value, a transition value may not necessarily exist, and there may also be a transition from the initial value to the target value without passing through the transition value. The former means that the goal condition is invalid, so the plant operator is notified. The latter means that an abnormality has occurred that causes an unintended state transition path, so the cause of the abnormality can be estimated by comparing the pair of binary vectors before and after the transition path and identifying the incorrect truth value inversion part.

If at least part of the transitions in the state transition route searched by the binary vector transition route search unit 52 is realized by recovery control implemented by functional safety design, the plant automatic control device At step 20, an operation instruction for recovery control is given using a binary vector.

In addition, if at least part of the transition of the searched state transition route is realized by the work of a field operator, the pre-transition state is the pre-work confirmation item, the post-transition state is the work completion condition, and this state transition route is Call up the assigned work details and transmit them to field operators as work instructions.

As shown in Figure 4, the transition model between binary vectors uses a state space partitioning algorithm based on the inside and outside of the separation boundary, which can be regarded as qualitatively different state values, based on operating assumptions, safety requirements, functional requirements, etc. , is constructed by assigning a binary vector to each closed region.

In Figure 3, the stopped state and the initial starting state are not the same family from the viewpoint of functional requirements, the initial starting state and the stop preparation state are not the same family from the viewpoint of functional requirements, and the steady operating state and the abnormal state are not the same family from the viewpoint of safety requirements. Therefore, the accident occurrence state and the abnormal occurrence state are not the same family from the viewpoint of safety requirements. A similar distinction can be made regarding state transition paths between binary vectors in the binary vector transition model. If the transition from the abnormality occurrence state to the shutdown preparation state is appropriately designed for functional safety, the feasibility of the transition path will be supported by what is described in the shutdown control section of the safety requirements.

Three types of closed region separation criteria in the transition model between binary vectors shown in FIG. 4 are exemplified: those resulting from the above-mentioned operating assumptions, those resulting from safety requirements, and those resulting from functional requirements.

The sensors 111 , 121 , 131 installed in the plant 10 are in an observable state and can collect only measurable state values as data and transmit the data to the plant automatic control device 20 . There are also state values that are observable but for which there is no physical means of direct measurement. A model-based state estimation algorithm is designed and complemented for each such state value. This constraint on the state value corresponds to the separation criterion.

On the other hand, there are some state values that are not observable due to insufficient coverage of events to be measured by the sensors 111, 121, and 131, or due to the complexity of the state estimation model. A non-observable state value is an example of a system's external state. For example, although a rupture in a high-pressure pipe cannot be directly measured, the occurrence of the event can be detected observationally through a drop in internal steam pressure as a result of the rupture, and field operators can check on-site and collect status values. conduct.

In designing the automatic plant control device 20, the operating precondition A, which is a form of separation criterion, describes a constraint regarding the boundedness of measurements of possible state value vectors. This includes not only data loss and data abnormalities, but also the operational range that can be guaranteed due to cost constraints.

Corresponding to safety requirements, a separation criterion for classifying a state value vector into a safe state and an unsafe state can be similarly set.

Since it is not possible to follow the large amount of data generated by hundreds of sensors one by one, some kind of dimension reduction processing is necessary to enable plant operators to interpret the dynamic behavior of the system. Using the binary vector model shown in Figure 3, for the transition path of the state value vector, we use partial closed sets that can be considered homologous from the perspective of functional requirements and pairs of adjacent partial closed sets that can be considered dissimilar, and calculate the relationship between them. By reducing the dimensionality of the transition path, plant operators can easily understand the current state and interpret the validity of control contents.

When a hazard that can be dealt with by functional safety design occurs, it can be confirmed that a binary vector belonging to a safe state has transitioned to a binary vector that is interpreted as an unsafe state. Furthermore, by visualizing the state transition path that is to be realized by the control operation, it can be confirmed that as long as the automatic plant control device correctly performs the recovery operation, the state will return to the binary vector belonging to the safe state.

FIG. 5 shows information used as input when constructing a transition model between binary vectors.

The transition model between binary vectors shown in FIG. 3 is constructed using a so-called Voronoi partitioning algorithm that partitions an arbitrary group of representative points into convex closed regions. A two-dimensional point group subjected to Voronoi division is known as a Voronoi diagram, which can be extended to any dimension. There is a mathematical fact that each convex closed region contains only one representative point, and its boundary is a half-plane that perpendicularly bisects a line segment connecting adjacent representative points.

Each data point is assigned a binary vector label based on the truth/false determination result based on separation criteria related to operating assumptions, safety requirements, and functional requirements.

Separation criteria regarding operating assumptions and safety requirements are usually determined at the time of design or when the operating environment is assumed, and are constraints that only allow operation within the state subspace that satisfies the operating assumptions. Any deviation from this transition relationship between binary vectors must be detected correctly. This converts the state value into a binary vector V[k] and maps the corresponding label value map[V[k]]. It is sufficient to refer to the truth value of L_assumption[l].

The separation criterion for determining safety requirement-related label values is the corresponding label value map[V[k]] of a binary vector that separates safe and unsafe states. It consists of a constraint on L_safety[l] and a constraint on the transition relationship between binary vectors.

Functional requirement related label value map[V[k]]. The separation criterion for determining L_function[l] is designed such that its truth value inversion corresponds to the functional requirements regarding the state transition of the system.

In this way, the transition model between binary vectors is realized by labeling the transition relationship between adjacent convex closed regions defined in the state space pointed to by the binary vector. Various operational know-hows are in a form that can be processed mechanically by labeling the binary vectors themselves and the transition relationships between the binary vectors, and can be interpreted by the operator by calling up the explanation of the label. Become.

The transition model between binary vectors as described above is designed in advance before being incorporated into the autonomous traffic control device 50. The design of the transition model between binary vectors will be described below.

FIG. 6 is a functional block diagram showing processing functions of a binary vector transition model design device that designs a binary vector transition model.

As shown in FIG. 6, the binary vector transition model design device 150 includes a convex closed region division processing section 151 and a binary vector transition model construction section 152. A transition model between binary vectors can be obtained by assigning meaning to each convex closed region divided by the convex closed region division processing unit 151, and classifying and constraining the transition relationships between the obtained convex closed regions.

FIG. 7 is a flowchart showing the processing contents of the convex closed region division processing section.

In FIG. 7, when a binary vector labeled data point is input, the convex closed region division processing unit 151 selects one unprocessed data point V (step S100). The data point V is expressed by the following (Equation 1).

Next, coordinate transformation is performed on all other data points {V[i]} so that the data point V[k] selected in step S100 becomes the origin, and a data point group VX is calculated (step S110). The data point group VX is expressed by the following (Equation 2).

Next, the point group WX that is the pole of the convex hull (Convex Hull: the smallest convex polygon/convex polyhedron that includes all given points) of the data point group VX after coordinate transformation is selected (step S120). . The subset WX is expressed by (Equation 3) below.

Next, a data point group W before coordinate transformation is obtained (step S130). The data point group W is expressed by the following (Equation 4).

Subsequently, a convex closed region near the data point V[k] is constructed (step S140). At this time, the half-plane bisecting the data point V[k] and the adjacent data point group W before coordinate transformation becomes the boundary hyperplane of the convex closed region to which the data point V[k] belongs. The boundary hyperplane is expressed by the following (Equation 5).

Next, it is determined whether the processing of steps S110 to S140 has been completed for all data points V[k] (step S150), and if the determination result is NO, the unprocessed data points V are The processing of steps S100 to S150 is repeated for that case. Further, if the determination result in step S150 is YES, the process ends.

FIG. 8 is a flowchart showing the processing contents of the binary vector transition model construction unit. The binary vector transition model construction unit 152 generates a binary vector transition model by constraining the transition relationship between binary vectors using the three types of separation criteria shown in FIG.

In FIG. 8, the binary vector transition model construction unit 152 first selects one unprocessed data point V (step S200). The data point V is expressed by an equation similar to (Equation 1) above.

Next, one unprocessed point is selected from the adjacent data point group W (step S210). Adjacent data points W are expressed by (Equation 6) below.

Next, for the data point V[k] selected in step S200 and the data point V[j] selected in step S210, an arbitrary binary vector pair V that satisfies the operating assumption shown in (Equation 7) below is determined. The transition relationship between [k] and V[j] (see (Equation 8) below) is registered (step S220).

A transition between an arbitrary binary vector that satisfies the operating assumption and an arbitrary binary vector that does not satisfy the operating assumption is not registered as a transition relationship because it is considered that it cannot actually occur. Note that a state transition that deviates from the operating assumptions can be detected by obtaining a binary vector that does not satisfy the operating assumptions and is not valid.

Next, for the data point V[k] selected in step S200 and the data point V[j] selected in step S210, a data point pair that satisfies the safety requirements shown in (Equation 9) or (Equation 10) below is determined. In other words, a transition relationship between a pair of data points in which the safety requirement related label value of the post-transition data point V[j] is true (see (Formula 8) above) is registered (step S230).

This occurs when the safety requirement-related label values of the data points V[k] and V[j] before and after the transition are both true, or when the safety requirement label value of the data point V[j] before the transition is false. means that only transition paths in which the safety requirement-related label value V[j] becomes true after the transition are allowed. Also, transitions that would no longer satisfy safety requirements are not registered.

Subsequently, for the data point V[k] selected in step S200 and the data point V[j] selected in step S210, a transition relationship between the data point pair that satisfies the functional requirement shown in (Equation 11) below, In other words, the transition relationship (the above (Equation 8 ) is registered (step S240).

Next, it is determined whether the processing of steps S220 to S240 has been completed for all adjacent data points W (step S250), and if the determination result is NO, the processing for unprocessed adjacent data points W is determined. Then, the processing of steps S210 to S250 is repeated.

Further, if the determination result in step S250 is YES, then it is determined whether or not the processing of steps S210 to S250 has been completed for all data points V[k] (step S260). If the determination result in step S260 is NO, the processing in steps S200 to S260 is repeated for the unprocessed data point V. Further, if the determination result in step S260 is YES, the process ends.

The operation of this embodiment configured as above will be explained.

As shown in FIG. 2, the binary vector conversion unit 51 of the autonomous air traffic control device 50 inputs the sensor value sequence and converts the convex closed region to which the state value vector calculated using the model-based state estimation method etc. The search is performed, the binary vector value of the data point associated with the convex closed region is read out, and the state value vector is converted into a binary vector.

In the binary vector transition model, the binary vector transition route search unit 52 uses the binary vector converted value of the current state value vector as a starting point to find a binary vector pointed to by a goal condition specified by the plant operator of the control center 40. It has a function to search the transition path leading to a value, and is realized by graph search.

Transition paths between binary vectors associated with transitions between adjacent convex closed regions may be guided by the plant automatic control device 20 or carried out by the field operator (field work robot) 30, and this automatic Operation know-how is the part that satisfies safety requirements by dividing the roles between the control system and the manual operation system.

FIG. 9 is a diagram showing operational know-how in which transitions between convex closed regions are associated as trigger conditions.

As shown in FIG. 9, operational know-how is formalized as a description of the entity implementing the transition relationship between binary vectors.

When the automatic control system induces a state transition between binary vectors, the convex closed region ConvexPartition (V[t]) pointed to by the pre-transition binary vector for the state value vector and the convex closed region ConvexPartition (V[t]) pointed to by the transition destination binary vector are created. The area ConvexPartition (V[t+1]) is a control command for the plant automatic control device.

The process of guiding the state value vector in the convex closed region ConvexPartition (V[0]) to the state value vector in ConvexPartition (V[1]) in FIG. 9 does not change any element of the binary vector label, This is considered normal operation.

When a transition occurs from the state value vector in the convex closed region ConvexPartition (V[0]) to the state value vector in ConvexPartition (V[2]) in FIG. 9, the truth value of the component L_safety of the binary vector Spotting is happening. This means that an abnormality has occurred.

According to the operation know-how in FIG. 9, when the state value vector reaches ConvexPartition (V[2]), the plant automatic control device performs recovery control and can be guided to the state value vector in ConvexPartition (V[1]). It has been described. Therefore, plant operators can delegate recovery control.

On the other hand, if some abnormality occurs and the state value vector transitions into ConvexPartition (V[3]), the truth value of the binary vector component L_assumption is inverted. This can be immediately detected as a violation of the operating assumptions, and according to operational know-how, recovery control in this case must be performed by the field operator (field work robot) 30 during site work. .

When the field operator (field work robot) 30 performs site work to induce state transition between binary vectors, the current state and the post-work state are similarly confirmed. The completion of the work itself is confirmed by the autonomous control device 50 that issued the work instruction, by actually converting the state value vector into a binary vector and comparing it.

The field operator (field work robot) 30 has a role other than site work, such as instructing the field situation confirmation to supplement the observability limits of the sensors 111, 121, and 131, and There is also work to complement value vector components. Similarly, site patrols and monitoring/inspection work correspond to confirming the absence of external factors that impede plant operations, and complement the point that these external factors are not observable from the sensors 111, 121, and 131. are doing.

Since the target of issuing work instructions to the field operator is a human being who can respond flexibly, even if the field work robot 30 is replaced, the binary vector pair before and after the work can formally describe the work content. By defining this and introducing methods such as remote work assistance as necessary, it will be possible to achieve significant unmanned work and automation of manual work.

The transition process between the binary vectors is monitored by a plant operator on a central control panel 41 installed in the control center 40. The autonomous control device 50 acquires a state value vector every control cycle, converts it into a binary vector, and monitors the interpretation information of each component of the binary vector value and the transition path toward the goal condition specified by the plant operator. and confirm that unintended state transitions between binary vectors have not occurred.

The effects of this embodiment configured as above will be explained.

An automatic control system responsible for controlling a plant passively determines how to accomplish specified operating instructions according to pre-programmed control rules in a closed environment designed or envisioned to meet operating assumptions established at the time of design. This is something that works. Autonomous systems, on the other hand, are distinguished by their ability to adapt to changing operating environments over time and reconfigure control methods that correspond to how they achieve their operating objectives.

The operator of this autonomous system sets operational commands as appropriate, but in an open operating environment, the operational commands may not be accomplished due to conflicts caused by too many constraints. An automatic control system that has fallen into a situation that deviates from the above operating assumptions cannot detect this conflict on its own, leading to unintended operation, and the operator has no way to know the cause, and in such a situation, it may cause incorrect operation. Orders can also make matters worse.

On the other hand, the autonomous system must at least correctly detect said conflict and reconfigure its operating instructions appropriately to resolve the detected conflict. In order to adapt to the changing external environment, autonomous functions that dynamically construct the state of the operating environment and a model of the operating environment, and determine and modify the feasibility of operating instructions, do not depend on the designer. A distinction is made between automatic control systems and autonomous systems in terms of whether something is done at runtime or not.

When delegating the operation of a huge, high-safety plant that is subject to no-fault liability to the above-mentioned autonomous system, it is necessary to provide some kind of recovery control means to deal with external factors that cause hazards. Intrinsically safe designs that aim to be robust against all known internal and external factors and hazard scenarios that have them as root events also run afoul of cost constraints. Implementing a functional safety design into an automatic control system that deals with all known hazard scenarios by designing a FDIR (Fault Detection, Identification and Recovery) system also conflicts with cost constraints.

This problem of cost constraints becomes particularly noticeable when safety design is performed for low-frequency events or unexpected events. Therefore, instead of implementing a function to deal with hazard scenarios caused by system internal factors in the automatic measurement and control system using control equipment, field operators can inspect and monitor the operating status of equipment, report abnormalities, and perform emergency response work. , we have responded to hazard scenarios that cannot be fully covered.

External conditions that characterize the external environment are predictable in the sense that they change only within a bounded range over a short period of time, but they are potentially uncertain in the sense that changes over time cannot be predicted deterministically and with high precision. are doing.

Factors external to the system are not limited to physical or external factors, but include whether or not they are included in the range that the plant automatic control device has decided to deal with in the functional safety design of the system.

For example, a plant operator working at a control center operates a controlled plant via a plant automatic control device, and in parallel performs site work, patrols, inspections, and monitoring work as appropriate while communicating with field operators. Consider the current operating method. At this time, there are two types of hazard modes that can occur in the controlled plant. The first is a hazard that can be dealt with automatically according to the functional safety design built into the automatic plant control system, and the second is a hazard that can be dealt with by field operators by performing tasks such as work, recovery, shutdown, status confirmation, etc. There is a hazard. Recall that cost constraints reduce the first hazard and increase the second hazard.

Since automatic plant control equipment is only equipped with a functionally safe design for detecting the root cause of hazards and performing recovery operations, dealing with Type 2 hazard scenarios that are not covered by these systems mainly depends on the judgment of the plant operator. . These are often described in operational know-how.

This division of labor system in which imperfections in the automatic control system are dealt with manually is due to the above-mentioned fundamental limitations of the automatic control system. This is not limited to work or control, but there is a similar theoretical limit regarding the state measurement function.

For example, installed sensors have a limited amount of physical information that can be directly measured. In order to supplement this, as a means of supplementing the measurement functions of automatic control systems, model-aided state estimation algorithms are used, and field operators are dispatched directly to the site to confirm the number and function of installed sensors. The state values of the plant and operator integrated system are updated while compensating for the limitations of the system. In particular, in order to deal with the risk of misjudgment related to anomaly detection, direct on-site confirmation is performed as a final confirmation method.

Various work instructions to field operators are realized through non-mechanical cooperation with plant operators. However, the content of the work, the conditions for generating work instructions, the requirements for completing the work, the means of confirming the completion of the work, the conditions for discontinuing the work if it is difficult to complete the work, etc., are not specified in a manner that can be determined mechanically. This know-how has been passed down among plant operation personnel.

Since this know-how is mainly related to safe operation, it is not selected or selected by plant expansion or renovation, but is only accumulated, and there are many cases where the relationship between the situation and the response is not consistent. In addition, the hazard scenarios that the initial designers had given up on and decided to deal with manually have not been properly passed on to subsequent plant operators, and only a partial description remains in the manual, making it impossible for future plant operators to deal with them appropriately. In some cases, this may cause a hazard that is mistaken for an operational error by a plant operator.

On the other hand, in the present embodiment, a state value vector representing the state of the controlled object is generated based on a sensor value sequence consisting of time-series detected values of sensors 111, 121, and 131 installed in the controlled object plant. It is a truth value for separation criteria when dividing a region defined by a set of state value vectors that are calculated and are valid as the state of the controlled object into a plurality of convex closed regions each corresponding to a plurality of predetermined requirements. The binary vector conversion unit 51 that converts into a binary vector and the meaning of the truth value for the separation criteria surrounding the convex closed region to which the state value vector converted to the binary vector belongs are provided to the plant operator who directs the control of the plant. At the same time, the information is presented to the field operator 30 who performs site work at the plant so that the binary vector transitions through the convex closed region that satisfies predetermined requirements up to the convex closed region corresponding to the goal condition set by the plant operator. Since the system is equipped with a binary vector transition path search unit 52 that generates and outputs work instructions, it is possible to systematically control the entire plant operation including automatic recovery control based on functional safety design and recovery work by field operators. I can do it.

<Additional notes>
Note that the present invention is not limited to the above-described embodiments, and includes various modifications and combinations within the scope of the invention. Furthermore, the present invention is not limited to having all the configurations described in the above embodiments, but also includes configurations in which some of the configurations are deleted. Moreover, each of the above-mentioned configurations, functions, etc. may be realized in part or in whole by, for example, designing an integrated circuit. Furthermore, each of the above configurations, functions, etc. may be realized by software by a processor interpreting and executing a program for realizing each function.

10... Plant, 11... Nuclear reactor, 12... Steam turbine, 13... Generator, 20... Plant automatic control device, 30... Field operator (field work robot), 31... Direct work, 40... Control center, 41... Central control Board, 50... Autonomous traffic control device, 51... Binary vector converter, 52... Binary vector transition route search unit, 100... Autonomous traffic control system, 102... Plant automatic control device, 111... Sensor, 121... Sensor, 131...Sensor, 150...Binary vector transition model design device, 151...Convex closed region division processing unit, 152...Binary vector transition model construction unit

Claims (7)

A state value vector representing the state of the controlled object is calculated based on a sensor value sequence consisting of time-series detection values of sensors installed in the plant to be controlled, and the state value that is valid as the state of the controlled object is calculated. a binary vector conversion unit that converts a region defined by a set of vectors into a binary vector that is a truth value for a separation criterion when dividing the region into a plurality of convex closed regions each corresponding to a plurality of predetermined requirements;
The meaning of the truth value for the separation criterion surrounding the convex closed region to which the state value vector converted into the binary vector belongs is presented to the plant operator who directs the control of the plant, and the goal conditions set by the plant operator are Generate and output a work instruction to a field work robot that performs site work in the plant so that the binary vector transitions to a convex closed region corresponding to the convex closed region that satisfies predetermined requirements. An autonomous air traffic control device comprising: a binary vector transition route search unit. The autonomous traffic control device according to claim 1,
The plurality of convex closed regions are divided by a separation criterion according to operating assumptions that are constraints regarding the safety requirements, functional requirements, and boundedness of measurement of possible state value vectors of the plant. Autonomous air traffic control device. The autonomous traffic control device according to claim 1,
A transition model between binary vectors whose constraints are transition relationships between the plurality of convex closed regions is defined in advance, and a work instruction to the field work robot is output in accordance with the transition model between binary vectors. Autonomous air traffic control device. The autonomous traffic control device according to claim 1,
The binary vector transition path search unit calculates a binary vector transition sequence indicating a transition path when the binary vector transitions to a convex closed region corresponding to a goal condition set by the plant operator. Autonomous air traffic control device. The autonomous traffic control device according to claim 4,
Specific instructions for the field working robot to realize binary vector transition according to the binary vector transition route represented by the binary vector transition sequence calculated by the binary vector transition route search unit. An autonomous control device characterized by calling and outputting work instructions. Sensors installed in the plant to be controlled,
an automatic control device that automatically controls at least part of the operation of the plant based on the detected value of the sensor;
a field work robot that performs site work in the plant;
An autonomous control device comprising: an autonomous control device according to claim 1, which outputs an operation instruction to the automatic control device and a work instruction to the field work robot according to a detected value of the sensor. control system. 4. A method for designing a transition model between binary vectors used for generating work instructions to the field work robot in the autonomous control system according to claim 3,
a step of dividing a region defined by the state value vector that is valid as the state of the plant into a plurality of convex closed regions each corresponding to a plurality of predetermined requirements;
A method for designing a transition model between binary vectors, comprising: defining a transition model between binary vectors using a transition relationship between the plurality of convex closed regions as a constraint.

Images