BR102018014317A2 - digital protection system for nuclear power plant - Google Patents

Abstract

digital protection system for nuclear power plant describes a digital protection system that includes a process protection system having at least two channels, and a reactor protection system having at least two branches. the process protection system includes, in one channel, a first and a second comparative logic controller of different types, which are mutually independent of each other and respectively receive process variables as inputs, with each controller producing logical comparison results. the reactor protection system includes, in a branch, a first and a second competing logic controller of different types, which are mutually independent of each other and respectively receive the logical comparison results as inputs, with each controller producing competing logic results. the reactor protection system includes initiation circuits, with each circuit including a plurality of relays connected in series and a plurality of relays connected in parallel. a relay connected in series is controlled by one of two different competing logic outputs, and a relay connected in parallel is controlled by the other competing logic output.

Description

DIGITAL PROTECTION SYSTEM FOR NUCLEAR POWER PLANT

FIELD OF THE INVENTION [001] The present invention relates, in general, to a technique to improve safety and reliability in a protection system, composed of a process protection system and a reactor protection system, which perform safety functions of a nuclear power plant. More particularly, the present invention relates to a digital protection system for a nuclear power plant, capable of eliminating a single point vulnerability (SPV) and responding to a common cause failure (CCF) Failure) in an existing protection system, applying two different and mutually independent controllers to the protection system, and appropriately combining the processing results of the two controllers.

RELATED ART STATUS DESCRIPTION [002] Nuclear power generation refers to the generation of electricity, using the thermal energy generated by a fission chain reaction to heat the steam that drives a turbine generator through boiling water. An enormous amount of power is generated as the energy needed to completely separate atomic nuclei into protons and neutrons that are emitted as free particles, and thus nuclear power generation is the most desirable power source capable of achieving large amounts of energy. , using an extremely small amount of fuel. Most countries around the world produce electricity using nuclear power generation.

[003] However, in the case of nuclear power generation, the use of which presents many risks, numerous safety devices and highly trained operators are required.

[004] The protection system serves to monitor the condition (status) of a nuclear steam supply system (NSSS - Nuclear Steam Supply System), and mitigates the effect of an accident by allowing the reactor to be turned off when a monitored process reaches a prescribed protection system setting.

[005] An SPV event is a component failure that results in a shutdown

Petition 870180060402, of 07/13/2018, p. 8/68

2/36 of the reactor or turbine due to a failure present in a single component. Several SPVs can be present in any existing nuclear power plant, and the number of SPVs can reach 70 ~ 90 in reactor protection systems for nuclear power plants in operation built in the 1980s. SPVs are caused by several devices analog signals that are not multiplexed within the reactor protection system.

[006] A CCF event is a situation in which a failure occurs simultaneously in multiple components, due to a cause common to the various components. The performance of the safety functions unique to the protection system can be seriously affected when a CCF occurs in a protection system. An example of CCF that can be easily understood is the bug of the year 2000 (Y2K), or bug of the millennium in 1999. It meant that, at the arrival of the year 2000, computers unable to recognize the year 2000 could malfunction. However, in the case of the Y2K bug, preparatory measures were taken to allow the problem to be removed in advance, and ended to the point where only a few errors occurred in some fields. SUMMARY OF THE INVENTION [007] An objective of the present invention is to provide a digital protection system for a nuclear power plant, including a process protection system and a reactor protection system, which are made up of competing logic controllers and controllers. comparative logics of different types (contrasting) from each other, in order to address the problems of vulnerability to SPVs and CCFs that can occur in the existing protection systems of nuclear power plants.

[008] It is another objective of the present invention to provide a digital protection system for a nuclear power plant, in which safety is improved through an improvement of a reactor shutdown function.

[009] It is another objective of the present invention to provide a digital protection system for a nuclear power plant, in which reliability is improved by eliminating the component failure that would result in the failure of the reactor due to a single failure.

[010] The technical problem to be solved by the present invention is not limited to the

Petition 870180060402, of 07/13/2018, p. 9/68

3/36 technical problems mentioned above, and several technical problems can be included within the scope of what will be evident to the expert having common experience in the technique, from the description below.

[011] In accordance with an aspect of the present invention, a digital protection system having at least two channels and at least two branches is provided, which may include a process protection system and a reactor protection system. The process protection system can have, on one channel, a first and a second comparative logic controller of different types that are mutually independent of each other, with the first and second comparative logic controllers each receiving process variables as inputs , with each one producing logical results of comparison. The reactor protection system may have, in one branch, a first and a second competing logic controller of different types that are mutually independent of each other, with the first and second competing controllers each receiving the logical comparison results as inputs, with each producing competing logical results. The reactor protection system can include at least two initiation circuits, with each initiation circuit including a series circuit in which a plurality of relays are connected in series, and a parallel circuit in which a plurality of relays are connected in parallel. , in which one of the relays of the series circuit is controlled by the reception of one of the competing logic results as an input, and one of the relays of the parallel circuit is controlled by the reception of another of the competing logic results as an input.

[012] At least two channels can include a first channel, a second channel, a third channel and a fourth channel, and at least two branches can include a first branch and a second branch.

[013] The different types of comparative logic controllers can include one of the FPGA (Field Programmable Gate Array) type and one of the PLC {Programmable Logic Controller - Programmable Logic Controller) type. Preferably, the comparative logic controllers each transmit the logical comparison results only to competing logic controllers of one type.

Petition 870180060402, of 07/13/2018, p. 10/68

4/36 [014] Process variables can include information indicative of at least a reactor cooling tube hot temperature, a reactor cooling tube cold temperature, a reactor cooling flow rate, a pressurizer pressure, pressurizer water level, neutron flow value, containment building pressure, steam generator water level, steam pipe pressure, and level of the replenishment water tank.

[015] Logical comparison results can include a normal signal and an abnormal signal. The first competing logic controller can produce the competing logic results based on the number of logical comparison results and the number of abnormal signals received from the first comparative logic controllers included in each channel, and the competing logic results produced by the first competing logic controller can include a first output signal being introduced into a relay included in the series circuit, and a second output signal being introduced into a relay included in the parallel circuit. The second competing logic controller can produce the competing logic results based on the number of logical comparison results and the number of abnormal signals received from the second comparative logic controllers included in each channel, and the competing logic results produced by the second comparative logic controllers can include a third output signal being introduced into a relay included in the series circuit, and a fourth output signal being introduced into a relay included in the parallel circuit. Here, the first and second output signals have opposite logic values, and the third and fourth output signals have opposite logic values.

[016] The first competing logic controller can produce the competing logic results when the received logical comparison results include at least one abnormal signal, emitting a first logic value for the series circuit and a second logic value for the parallel circuit, and the a second concurrent logic controller can produce concurrent logic results when the received comparison logic results include at least one abnormal signal, emitting the first logic value for the series circuit and the second logic value for the parallel circuit.

Petition 870180060402, of 07/13/2018, p. 11/68

5/36

However, the first competing logic controller can produce the competing logic results when the received logical comparison results include at least one normal signal, emitting a first logic value for the series circuit and a second logic value for the parallel circuit, and the second Concurrent logic controller can produce concurrent logic results when the received comparison logic results include at least one normal signal, emitting the first logic value for the series circuit and the second logic value for the parallel circuit.

[017] The digital protection system may also comprise an RTSS {Reactor Trip Switchgear System - Reactor Stop Switch System), which may include a first NO contact (normally open) connected between a power supply and a central node; a second NO contact connected between the power supply and the central node; a third NA contact connected between the central node and a CEDM (ControlElement Drive Mechanism); and a fourth NO contact connected between the central node and the CEDM. When at least one of the first NA contact and the second NA contact is closed, and at least one of the third NA contact and the fourth NA contact is closed, power can be supplied from a motor-generator set to the CEDM . On the other hand, when both the first NA contact and the second NA contact are open, or both the third NA contact and the fourth NA contact are open, the power supplied from a generator set to the CEDM can be interrupted.

[018] Each initiation circuit can include a first series circuit to control the first NO contact according to an output signal from the concurrent logic controller; a first parallel circuit to control the second NO contact according to the output signal from the concurrent logic controller; a second parallel circuit for controlling the third NO contact according to the output signal from the concurrent logic controller; and a second series circuit to control the fourth NO contact according to the output signal from the concurrent logic controller.

[019] The first series circuit and the first parallel circuit can receive, as inputs, the output signals from the first competing logic controller and the second competing logic controller included in a first branch of at least two branches.

Petition 870180060402, of 07/13/2018, p. 12/68

The second series circuit and the second parallel circuit can receive, as inputs, the output signals from the first competing logic controller and the second competing logic controller included in a second branch of at least two branches.

[020] Each initiation circuit can also include a third circuit including a relay to control the second NA contact, with that relay to control the second NA contact being controlled by the first parallel circuit; and a fourth circuit including a relay to control the third NA contact, with such a relay to control the third NA contact being controlled by the first parallel circuit. Here, the relays included in the third circuit and in the fourth circuit are normally closed (NC) contacts.

[021] The first series circuit or the second series circuit can include two relays connected in series, with the two series relays being respectively turned on or off according to the output signal coming from the competing logic controller. The first NA contact or the fourth NA contact can be closed when the two relays are both connected, and the first NA contact or the fourth NA contact can be open when at least one of the two relays is off.

[022] The first parallel circuit or the second parallel circuit can include two relays connected in parallel, with the two parallel relays being turned on or off according to the output signal coming from the competing logic controller. The relay included in the third or fourth circuit can be switched on when the relays included in the first parallel circuit or the second parallel circuit are switched off, and the relays included in the third circuit or the fourth circuit can be switched off when at least one of the included relays on the first parallel circuit or the second parallel circuit is connected.

[023] The digital protection system according to the present invention is a protection system consisting of a process protection system and a reactor protection system, which perform safety functions of a nuclear power plant. The digital protection system according to the present invention can prevent a nuclear power plant from being shut down in the event of a single failure (ie, a single point vulnerability, or SPV), by eliminating a component failure that would result in a reactor shutdown due to an SPV fault condition present

Petition 870180060402, of 07/13/2018, p. 13/68

7/36 on existing devices. The digital protection system according to the present invention allows the protection system to be operated safely even in the case of a CCF, when applying multiplexing to the digital protection system itself.

[024] In addition, the digital protection system according to the present invention, considering the diversity and independence of the protection system itself, includes comparative logic controllers and competing logic controllers of different (contrasting) types to correspond to the CCF , thus eliminating disconnections by SPV and effectively preparing for the case of a termination by CCF.

[025] In addition, according to the digital protection system of the present invention, it is possible to perform the reactor safety function in the case of CCF, which results in better safety and reliability.

[026] Furthermore, according to the digital protection system of the present invention, it is possible to operate the power plant with zero SPVs and to improve maintenance conditions.

BRIEF DESCRIPTION OF THE DRAWINGS [027] The above objectives and other characteristics and advantages of the present invention will be more clearly understood from the following detailed description, when taken in conjunction with the accompanying drawings, in which:

- Fig. 1 is a block diagram of a protection system according to the state of the art;

- Fig. 2 is a comparative view of the appearance of a prior art reactor protection system enclosure and a reactor protection system enclosure of the present invention;

- Fig. 3 is a block diagram of a digital protection system of the present invention;

- Fig. 4 is a detailed block diagram of a portion of the digital protection system in fig. 3;

- Fig. 5 is a block diagram of a digital protection system according to an embodiment of the present invention; and

Petition 870180060402, of 07/13/2018, p. 14/68

8/36

- Figs. 6a to 6n are views of the digital protection system shown in fig. 5, respectively illustrating the operation of the system according to various types of failure.

DETAILED DESCRIPTION OF THE INVENTION [028] In the following, a digital protection system according to the present invention will be described in detail with reference to the accompanying drawings. The present invention is not limited to the forms of incorporation described above, and various changes and modifications can be made without departing from the scope of the present invention. In addition, the material described in the accompanying drawings may be different from those actually implemented by the schematic drawings to easily describe the embodiments of the present invention.

[029] However, each component described below is just an example to implement the present invention. Thus, in other implementations of the present invention, other components can be used without departing from the spirit and scope of the present invention.

[030] Also, the term comprising is intended merely to denote that such elements are present as inclusive, and should not be understood as excluding any additional elements.

[031] Likewise, expressions like 'first', 'second', etc. they are expressions used only to distinguish a plurality of components, and do not limit the order or other characteristics between the components.

[032] In the description of the forms of incorporation, it should be understood that forming each layer (film), area, pattern or structure on or under a substrate, and forming each layer (film), area, block or pattern, includes forming them directly, or interpose another layer between them. The criteria for over or under with respect to each layer are described with reference to the drawings.

[033] When a party is connected to another party, this includes not only being directly connected, but also indirectly connected by interposing another party between them. In addition, when a certain portion is said to comprise certain components, this means that it may include other components and does not exclude other components, unless specifically indicated by

Petition 870180060402, of 07/13/2018, p. 15/68

9/36 another way.

[034] Fig. 1 illustrates a SPV that can occur in the structure of a protection system according to a state of the art.

[035] Referring to fig. 1, a single fault occurs in a branch (branch A) of the reactor protection system to cause a reactor stop circuit breaker (RTB - Reactor Trip Breaker) to open, which can lead to the reactor shutting down.

[036] Fig. 2 compares the appearance of the enclosure of a reactor protection system according to the present invention with a related state of the art reactor protection system.

[037] Referring to fig. 2, as the existing reactor protection system is an analog system and each logic port is configured in the form of a hardware board, each board must be connected through several hardware wires to transmit signals to implement concurrent logic in the control systems. protection of the reactor, with disadvantages because of this, because the size of the cabinet is increased, cabling is complicated, and maintenance is difficult.

[038] Meanwhile, in the case of the digital protection system according to the present invention, the concurrent logic of the protection system is implemented using software operated on a CPU (CentralProcess Unit), or in an array of field programmable doors (FPGA), where the advantages of the cabinet size are reduced, cabling is simple and maintenance is easy.

[039] To avoid the occurrence of a CCF, the digital protection system of the present invention duplexes the controllers in different types and implements the existing analog protection system as a digital protection system, thus facilitating maintenance.

[040] Fig. 3 illustrates a configuration of the digital protection system according to the present invention, and fig. 4 illustrates in more detail the configuration of fig. 3, showing a process protection system and a reactor protection system included in the digital protection system.

[041] Referring to figs. 3 and 4, the digital protection system according to the present invention can include four channels 221, 222, 223 and 224 of the process protection system, and two branches 231 and 232 of the reactor protection systems.

Petition 870180060402, of 07/13/2018, p. 16/68

10/36 [042] The four channels 221, 222, 223 and 224 of the process protection system may include the first comparison logic controllers 221-1 and 222-1 and the second comparison logic controllers 221-2 and 222- 2, of different types, which transmit the logical results of comparison to the two branches 231 and 232 of the reactor protection system.

[043] Despite the fig. 3 illustrate a form of incorporation in which the process protection system includes four channels, the system is not limited to this. The process protection system of the present invention can include at least two channels.

[044] More specifically, the comparative logic controllers 221-1, 222-1, 221-2 and 222-2 of the respective channels 221, 222, 223 and 224 in the process protection system generate logical comparison results based on different process variables, collected from sensors 110, 120, 130 and 140 installed in the nuclear steam supply system 210. In addition, the comparative logic controllers 221-1, 222-1, 221-2 and 222-2 can transmit the results comparison logic to the concurrent logic controller of each branch 231 and 232 in the reactor protection system. The comparative logic controllers 221-1, 222-1, 221-2 and 222-2 of the respective channels receive signals from sensors 110, 120, 130 and 140 which are multiplexed, thus performing comparative logic algorithms independently of each other.

[045] For example, the comparative logic controller included in at least one channel of the process protection system can determine whether the hot tube temperature information that has been detected has reached a predetermined protection system configuration, and based on this determination can transmit a signal indicating whether or not there is an abnormality in the respective branches 231 and 232 of the reactor protection system. Here, each channel of the process protection system is physically and electrically isolated, and independently derives its own result signal for each channel. For example, in the case of concurrent logic 2/4, the concurrent logic controller generates a reactor shutdown signal when an abnormal signal is output by the comparison logic controller in at least two quadriplexed variable process channels.

[046] Even if the process protection system is multiplexed with four channels

Petition 870180060402, of 07/13/2018, p. 17/68

11/36 in the present invention, the process variables can be triplexed or duplexed depending on the type, where the signals can be assigned only to three channels of the process protection system, and the concurrent logic 2/3 is executed based on the logical comparison results received from these three channels in the reactor protection system, to determine whether a reactor shutdown signal is generated or not in the case of triplexed process variables, and the signals can be assigned to only two channels of the protection system process, with concurrent logic 1/2 being performed in the reactor protection system to determine whether a reactor shutdown signal is generated or not in the case of duplexed process variables.

[047] Concurrent logic is not limited to 1/2, 2/3 and 3/4, as the concurrent logic can be 2/2, 1/3, 3/3, 3/4, and so on. When the concurrent logic described here is defined as n / m, any concurrent logic is possible, as long as n is greater than or equal to m.

[048] Each process protection system channel is configured with the first comparative logic controller and the second comparative logic controller, of different types, which are mutually independent. For example, the first comparative logic controller can be configured based on an FPGA, and the second comparative logic controller can be configured based on a programmable logic controller (PLC), in which two comparative logic controllers can be controlled independently of each other. . Therefore, even if a CCF occurs in one controller, the other controller can perform the unique functions of the process protection system, thereby effectively dealing with both an SPV and a CCF.

[049] Here, the comparative logic controllers can each transmit the logical comparison results to all competing logic controllers of the same type. The first comparative logic controllers 221-1, 222-1, 223-1 and 224-1 and the second comparative logic controllers 221-2, 222-2, 223-2 and 224-2 of the process protection system are configured with different types, and the first concurrent logic controllers 231-1 and 232-1 and the second concurrent logic controllers 231-2 and 232-2 in the reactor protection system are also configured with different types. Therefore, the entire protection system, from the protection system

Petition 870180060402, of 07/13/2018, p. 18/68

12/36 process (comparative logic controllers) to the reactor protection system (competing logic controllers), is controlled independently only by a device of the same type, so that two protection systems can be operated practically. For example, an FPGA-based device allows its controllers to be operated independently of a PLC-based device, without being influenced by each other, so that the protection system can perform the safety function even when a CCF occurs.

[050] Each of the branches 231 and 232 of the reactor protection system includes the first concurrent logic controllers 231-1 and 232-1 and the second concurrent logic controllers 231-2 and 232-2 of different types, executing a concurrent logic according to the logical comparison result, and transmitting the resulting control signal to a reactor stop switch system (to be described later), or RTSS, through an initiation circuit as described below.

[051] Here, the reactor protection system can include a first branch 231 and a second branch 232. The first branch 231 can include a first concurrent logic controller 231-1, a second concurrent logic controller 231-2, a first circuit branch 231-3 series initiation, and a second branch 231-4 parallel initiation circuit; and the second branch 232 can include a first concurrent logic controller 232-1, a second concurrent logic controller 232-2, a second parallel branch initiation circuit 232-3, and a second serial branch initiation circuit 232-4.

[052] Concurrent logic controllers 231-1, 232-1, 231-2 and 232-2 of the reactor protection system receive the logical comparison results transmitted by the process protection system. Here, logical comparison results are received from all multiplexed channels of the process protection system.

[053] More specifically, concurrent logic controllers 231-1, 232-1, 231-2 and 232-2 are provided to execute concurrent logic according to the number of channel stops (abnormal signals) included in the logic results comparisons received, and to transmit the resulting signal, indicating whether or not the reactor should be switched off, to an RTSS 240 through initiation circuits 231-3, 232-3, 231-4 and 232Petition 870180060402, 07/13/ 2018, p. 19/68

13/36

4.

[054] For example, when logic 2/4 is applied to quadriplexed process variables, it can be determined that the reactor condition is abnormal when the logical comparison results include at least two abnormal signals. Therefore, when the reactor condition abnormality is detected in at least two channels between four channels of the process protection system, the digital protection system determines that the reactor condition is abnormal and therefore performs an action, such as lowering a control rod.

[055] RTSS 240 is provided for the reactor to be normally operated when a nuclear steam supply system 210 is normal, and the reactor is shut down when the condition of the nuclear steam supply system 210 is abnormal, according to control signals transmitted by initiation circuits 231-3, 232-3, 231-4 and 232-4 of each branch of the reactor protection system. Here, the RTSS 240 can perform the safety function even if a single fault or a CCF occurs in the comparative logic controllers or competing logic controllers. This is because the controllers in the reactor protection system are made up of competing logic controllers of different types. Therefore, even if a CCF occurs on any competing logic controller, one control signal path is protected by the other competing logic controller.

[056] Fig. 5 is a representative view of the present invention, illustrating a form of detailed embodiment in which the digital protection system, the RTSS 240, a motor-generator set (MG) 241, and a control element drive mechanism (CEDM) 242 are associated. The MG 241 set may include a first MG MG1 set and a second MG MG2 set. Here, controllers of the same type are shown in a grouped manner, to allow the paths of the control signals to be clearly identified.

[057] In accordance with the present invention, the digital protection system includes a process protection system and a reactor protection system. The process protection system has, in one channel, a first comparative logic controller and a second comparative logic controller. The first and second logic controllers

Petition 870180060402, of 07/13/2018, p. 20/68

14/36 comparatives of the present invention are of different types (i.e., contrasting), being mutually independent of each other, and so the first and second comparative logic controllers receive process variables as inputs, and produce logical comparison results independently.

[058] In addition, the reactor protection system has, in one branch, a first concurrent logic controller and a second concurrent logic controller. The first and second competing controllers of the present invention are of different types (i.e., contrasting), being mutually independent of each other, and so the first and second competing controllers receive (from the comparative logic controllers) the logical comparison results as inputs, and produce competing logical results independently. The reactor protection system further includes at least two initiation circuits, each including a series circuit in which a plurality of relays are connected in series, and a parallel circuit in which a plurality of relays are connected in parallel. One of the series circuit relays is controlled (ie, on and off) receiving one of the simultaneous logic results as an input, and one of the parallel circuit relays is controlled (ie, on and off) receiving the other concurrent logic result as an entry. Here, competing logic results are received (by relays) from competing logic controllers of different types.

[059] The process protection system channels include the first comparative logic controllers 221-1, 222-1, 223-1 and 224-1 and the second comparative logic controllers 221-2 and 222-2, 223-2 and 224-2 of different types, which are mutually independent, respectively, and the first comparative logic controllers 221-1,

222-1, 223-1 and 224-1 and the second comparative logic controllers 221-2, 222-2,

223-2 and 224-2, which generate logical comparison results by receiving process variables as an input, with the process protection system having at least two channels.

[060] As shown in fig. 5, the reactor protection system includes at least two channels. Channels can include the first comparative logic controllers 221-1, 222-1, 223-1 and 224-1 and the second comparative logic controllers 221-2, 222-2,

Petition 870180060402, of 07/13/2018, p. 21/68

15/36

223-2 and 224-2 of different types, which are mutually independent, respectively. [061] The first comparative logic controllers 221-1, 222-1, 223-1 and 224-1 can be configured based on an FPGA, and the second comparative logic controllers 221-2, 222-2, 223-2 and 224-2 can be configured based on a programmable logic controller (PLC), in which two comparative logic controllers can be controlled to be mutually independent.

[062] The branches of the reactor protection system include the first concurrent logic controllers 231-1 and 232-1 and the second concurrent logic controllers 2312 and 232-2 of different types, which are mutually independent, respectively, with the first concurrent logic controllers 231-1 and 232-1 and the second concurrent logic controllers 231-2 and 232-2 producing the concurrent logic results by receiving the logical comparison results as an input, and with the reactor protection system having at least two branches.

[063] As shown in fig. 5, the reactor protection system includes at least two branches. The branches include the first concurrent logic controllers 231-1 and 232-1 and the second concurrent logic controllers 231-2 and 232-2 of different types, which are mutually independent, respectively.

[064] The first concurrent logic controllers 231-1 and 232-1 can be configured based on an FPGA, and the second concurrent logic controllers 231-2 and 232-2 can be configured based on a PLC, in which two controllers Comparative logics can be controlled to be mutually independent.

[065] The digital protection system also includes at least two initiation circuits. Here, the initiation circuits 231-3 and 231-4 included in the first branch comprise a series circuit 251 in which a plurality of relays 251-1 and 251-2 are connected in series, and a parallel circuit in which a plurality of relays 252-1 and 252-2 are connected in parallel, and initiation circuits 232-3 and 232-4 included in the second branch include a series circuit 254 in which a plurality of relays 254-1 and 254-2 are connected in series, and a parallel circuit 253 in which a plurality of relays 253-1 and 253-2 are connected in parallel.

[066] The plurality of relays 251-1, 251-2, 254-1 and 254-2 included in series circuits

Petition 870180060402, of 07/13/2018, p. 22/68

16/36

251 and 254 are switched on and off when receiving competing logic results from competing logic controllers of different types, and the plurality of relays 252-1, 252-2, 253-1 and 253-2 included in parallel circuits 252 and 253 are switched on / off when competing logic results from competing logic controllers of different types are input.

[067] More specifically, relay 251-1 included in series circuit 251 is switched on or off when receiving a concurrent AF-1 logic result as input, and relay 251-2 included in series circuit 251 is switched on or off when receiving a competing logical result AP-1 different from the competing logical result AF-1.

[068] Relay 254-1 included in series circuit 254 is switched on / off when receiving a competing logic result BF-1, and relay 254-2 included in series circuit 254 is switched on / off when receiving as input a competing logical result BP-1 different from the competing logical result BF-1.

[069] Relay 252-1 included in parallel circuit 252 is switched on / off when receiving a concurrent AF-2 logic result as input, and relay 252-2 included in parallel circuit

252 is turned on / off when receiving a concurrent AP-2 logical result as input other than the concurrent AF-2 logical result.

[070] Relay 253-1 included in parallel circuit 253 is switched on / off when receiving a concurrent logic result BF-2, and relay 253-2 included in parallel circuit

253 is switched on / off when receiving a competing logic result BP-2 different from the competing logic result BF-2.

[071] The process protection system is configured to include a first channel, a second channel, a third channel and a fourth channel. The number of channels is not limited to this, and can be from one channel or more channels.

[072] The reactor protection system can include a first branch (Branch A) and a second branch (Branch B).

[073] The process protection system can include the first comparative logic controllers 221-1, 222-1, 223-1 and 224-1 based on FPGA, and the second comparative logic controllers 221-2, 222-2, 223 -2 and 224-2 based on PLC.

[074] The comparative logic controllers each transmit the logical results

Petition 870180060402, of 07/13/2018, p. 23/68

17/36 comparison for all simultaneous logic controllers of the same type.

[075] The reactor protection system includes the first concurrent logic controllers based on FPGA 231-1 and 232-1, and the second concurrent logic controllers based on PLC 231-2 and 232-2, of the same type.

[076] The first comparative logic controllers based on FPGA 221-1, 222-1, 223-1 and 224-1 transmit the comparison logic results to the first competing logic controllers based on FPGA 231-1 and 232-1, of the same type.

[077] The second comparative logic controllers based on PLC 221-2, 222-2, 223-2 and 224-2 transmit the logic comparison results to the second competing logic controllers based on PLC 231-2 and 232-2, of the same type.

[078] Process variables include at least hot tube and cold tube temperature information from the reactor, and / or pressurizer pressure information, and / or pressurizer water level information, and / or neutron flow information, and / or reactor cooling flow rate information, and / or containment building pressure information, and / or steam generator water level information, and / or a steam pipe pressure information, and / or a refill water tank level information.

[079] The sensor described above transmits at least one information included in the process variables to at least one channel of the process protection system. Each channel receives at least one information included in the process variable, with the number and type of process variables received by the first channel, the second channel, the third channel and the fourth channel, which may be the same or different.

[080] The first competing logic controllers 231-1 and 232-1 receive the logical comparison results, including normal signal or abnormal signal, from the first comparative logic controllers 221-1, 222-1, 223-1 and 224-1 included in each protection system process channel, and the concurrent logic results are output based on the number of logical comparison results and the number of abnormal signals, with the concurrent logic results including two different output signals, one output signal being introduced in an AF-1 or BF-1 relay included in the series circuit, and the other output signal being introduced in an AF-2 or BF-2 relay included in the

Petition 870180060402, of 07/13/2018, p. 24/68

18/36 parallel circuit.

[081] Each of the first comparative logic controllers 221-1, 222-1, 223-1 and

224-1 compares the received process variable with settings to determine whether to emit a normal signal or an abnormal signal. Each of the first comparative logic controllers 221-1, 222-1, 223-1 and 224-1 issues as many logical comparison results as the number of process variables received. That is, if the first comparative logic controller 221-1 receives three process variables, it compares the three process variables with the respective settings, to output three logical comparison results.

[082] The first concurrent logic controllers 231-1 and 232-1 emit the concurrent logic results based on the number of abnormal signal comparison logic results compared to the total number of received comparison logic results. In this case, the first concurrent logic controllers 231-1 and 232-1 execute the concurrent logic n / m, defined by the total number (m) of logical comparison results and the number (n) of abnormal signal comparison results for each variable process, and emit concurrent logic results, which are a signal of reactor shutdown when the n / m concurrent logic defined above is satisfied for at least one process variable.

[083] Referring to fig. 5, when the first concurrent logic controllers 231-1 and 232-1 emit the concurrent logic results of the reactor shutdown signals, AF-1 is 0, AF-2 is 1, BF-1 is 0, and BF-2 is 1.

[084] The second competing logic controller receives the logical comparison results, including normal or abnormal signal, from the second comparative logic controller included in each channel of the process protection system, and outputs the competing logic results based on the number of logical comparison results and the number of abnormal signals, where competing logic results include two different output signals, with one output signal being introduced in the other AP-1 or BP-1 relay included in the series circuit, and the other output signal being inserted into the other AP-2 or BP-2 relay.

[085] The second comparative logic controllers 221-2, 222-2, 223-2 and 224-2

Petition 870180060402, of 07/13/2018, p. 25/68

19/36 compare the received process variables with the settings, to determine whether to emit a normal signal or an abnormal signal. The second comparative logic controllers 221-2, 222-2, 223-2 and 224-2 each emit as many logical comparison results as the number of process variables received. That is, when the second comparative logic controllers 221-2, 222-2, 223-2 and 224-2 receive three process variables, they compare the three process variables with each configuration, to produce three logical comparison results.

[086] The second concurrent logic controllers 231-2 and 232-2 output the concurrent logic results based on the number of abnormal signal comparison logic results compared to the total number of comparison logic results received. In this case, the second concurrent logic controllers 231-2 and 232-2 execute the concurrent logic n / m, defined by the total number (m) of logical comparison results and the number (n) of abnormal signal comparison results for each process variable, and output the concurrent logic results, which are a signal of shutdown of the reactor when the concurrent n / m logic defined above is satisfied for at least one process variable.

[087] Referring to fig. 5, when the second concurrent logic controllers 231-2 and 232-2 emit the concurrent logic results from the reactor shutdown signals, AP-1 is 0, AP-2 is 1, BP-1 is 0, and BP-2 is 1.

[088] The first concurrent logic controllers 231-1 and 232-1 emit concurrent logic results when the comparison logic results include at least one abnormal signal, where the output signals AF-1 and BF-1 equal to 0 between concurrent logic results are input to relays 251-1 and 254-1 included in each of the series circuits, and output signals AF-2 and BF-2 equal to 1 are input to relays 252-1 and 253-1 included in each of the parallel circuits. The concurrent logical result signifies a reactor shutdown signal.

[089] The second concurrent logic controllers 231-2 and 232-2 output the concurrent logic results when the comparison logic result includes at least one abnormal signal, where the output signals AP-1 and BP-1 equal to 0 between competing logic results are introduced in relays 251-2 and 254-2 included in

Petition 870180060402, of 07/13/2018, p. 26/68

20/36 each of the circuits in series, and the output signals AP-2 and BP-2 equal to 1 are introduced in relays 252-2 and 253-2 included in each of the parallel circuits. The concurrent logical result signifies a reactor shutdown signal.

[090] The first concurrent logic controllers 231-1 and 232-1 emit concurrent logic results when the comparison logic result includes at least one normal signal, where the output signals AF-1 and BF-1 equal to 1 between concurrent logic results are input to relays 251-1 and 254-1 included in each of the series circuits, and output signals AF-2 and BF-2 equal to 0 are input to relays 252-1 and 253-1 included in each of the parallel circuits. The concurrent logical result signifies a reactor shutdown signal.

[091] The second concurrent logic controllers 231-2 and 232-2 output the concurrent logic results when the comparison logic result includes at least one normal signal, where the output signals AF-1 and BF-1 equal to 1 between competing logic results are introduced in the other relays 251-2, 254-2 included in each of the series circuits, and output signals AP-2 and BP-2 equal to 0 are introduced in the other relays 252-2 and 253 -2 included in each of the parallel circuits. The concurrent logical result signifies a reactor shutdown signal.

[092] Here, in the case where the logical comparison result includes at least one abnormal signal, the output signals AF-1 and BF-1, which have a logical value equal to 0, according to the form of incorporation, have a first logical value according to the present invention; conversely, the output signals AF-2 and BF-2, which have a logic value equal to 1 according to the embodiment, have a second logic value according to the present invention. On the other hand, in the case where the logical comparison result includes at least one normal signal, the output signals AF-1 and BF-1, which have a logical value equal to 1 according to the form of incorporation, have a first logical value according to the present invention; conversely, the output signals AF-2 and BF-2, which have a logic value equal to 0 according to the embodiment, have a second logic value according to the present invention. In other words, the first and second logical values are opposite logical values. In addition, when concurrent logic results are input to a relay

Petition 870180060402, of 07/13/2018, p. 27/68

21/36 included in each of the series circuits, or in a relay included in each of the parallel circuits, this means that the competing logic results are effectively inserted, accordingly, in the series or parallel circuits.

[093] The digital protection system also includes an RTSS 240, and the RTSS 240 is configured with four RTBs, in which each of the RTBs can include a first normally open contact (NA) 243, a second contact NA 244, a third contact NA 245, and a fourth contact NA 246.

[094] The MG 241 set provides drive energy to operate a control element drive (CEDM) 242.

[095] In the case of the RTSS 240 of the present invention, the contacts NA 243, 244, 245 and 246 are located between the MG 241 and the CEDM 242 and therefore the power may or may not be supplied to the CEDM 242 according to switching on or off of the NO 243, 244, 245 and 246 contacts.

[096] More specifically, when at least one of the first NA contacts or the second NA contact is closed, and at least a third NA contact or a fourth NA contact is closed, power is supplied to CEDM 242. This is because the first NA contact and second NA contact are connected in parallel to each other, and the third NA contact and the fourth NA contact are connected in parallel to each other, so that a ladder-shaped circuit can selectively supply power to the CEDM .

[097] When both the first NA 243 contact and the second NA 244 contact are open, or both the third NA 245 contact and the fourth NA 246 contact are closed, the MG 241 assembly is activated to interrupt the power of the CEDM 242.

[098] CEDM 242 can control the position of a control rod that controls a nuclear reaction in a reactor. In addition, CEDM 242 directly picks up the control rod with the energy supplied by the MG 241 set, to allow the control rod to be released and thus lowered by gravity, when the power is interrupted by RTSS 240.

[099] More specifically, the CEDM 242 is activated so that the control rod is lowered to cause the reactor to shut down when the power supply is not

Petition 870180060402, of 07/13/2018, p. 28/68

22/36 applied, and the position of the control rod is maintained to allow the reactor to operate normally when the power supply is applied. When the control rod is lowered, the reactor is immediately turned off, so it is possible to take quick action when an abnormal reactor condition is detected.

[0100] As the RTSS 240 of the present invention has four RTBs, with each of the RTBs being configured with NA contacts 243, 244, 245 and 246, the protection system can be operated stably together with series circuits and parallel circuits, even when a common component failure occurs.

[0101] In the case of an NO contact, a fixed contact and a mobile contact are initially separated from each other, and the fixed contact and the mobile contact come into contact with each other to allow the current to flow when an external force is applied. In other words, when a force (for example, electromagnetic force) is generated from the outside, the NO contact is connected and therefore changed from the normally open state to the closed state. In the case of fig. 5, the NO 243, 244, 245 and 246 contacts can be switched from the open state to the closed state due to an electromagnetic force generated in the coil when a current flows through the series circuit.

[0102] In the case of a normally closed contact (NC), described above, the fixed contact and the mobile contact are initially kept connected to each other, and are disconnected from each other to prevent the current from flowing when an external force is applied. In other words, when a force (for example, electromagnetic force) is generated from the outside, the NC contact is disconnected and, therefore, changed from a normally closed state to an open state. In the case of fig. 5, the NC contact 255-1 of the relay included in the third circuit can be changed from the closed state to the open state due to the electromagnetic force generated in the coil when a current flows through the first parallel circuit.

[0103] The first contact NO 243 is connected between the MG 241 set and a central node 247.

[0104] The second contact NO 244 is connected between the MG 241 set and the central node 247.

Petition 870180060402, of 07/13/2018, p. 29/68

23/36 [0105] The third contact ΝΑ 245 is connected between central node 247 and CEDM 242. [0106] The fourth contact NA 246 is connected between central node 247 and CEDM 242. [0107] The protection system digital according to an embodiment of the present invention is provided so that the RTSS 240, which receives the operating result of each branch of the reactor protection system, is configured in the form of a ladder, in order to protect the functions protection system and adopt behavior that minimizes unnecessary shutdown of the reactor.

[0108] Additionally, the RTSS 240 of the present invention may include a first series circuit 251, a first parallel circuit 252, a second parallel circuit 253, and a second series circuit 254. Series circuits 251 and 254 or parallel circuits 252 and 253 can control so that power can be supplied to the CEDM 242 by allowing the NO 243, 244, 245 and 246 contacts to be closed or opened.

[0109] The first parallel circuit and the second parallel circuit can indirectly control the NO 244 and 245 contacts, respectively. As will be described later, the first parallel circuit controls contact 255-1 of the relay included in the third circuit, with the third circuit directly controlling the opening or closing of the second NA contact. The second parallel circuit controls contact 256-1 of the relay included in the fourth circuit, with the fourth circuit directly controlling the opening or closing of the third NA contact.

[0110] For this purpose, the output signal from the concurrent logic controller includes the control signals AF-1, AP-1, BF-1 and BP-1, of the series circuits, and the control signals AF-2, AP-2, BF-2 and BP-2, from parallel circuits, and the first concurrent logic controllers 231-1 and 232-1 or the second concurrent logic controllers 232-1 and 232-2 generate the AF-1 control signals , AP-1, BF 1 and BP-1, of series circuits, and control signals AF-2, AP-2, BF-2 and BP-2, of parallel circuits.

[0111] For example, the output signal from the concurrent logic controller exerts a control so that series circuits 251 and 254 are switched on or off, and NO contacts 243 and 246 connected to series circuits 251 and 254 are repeatedly connected and disconnected according to series circuits 251 and 254 are connected or

Petition 870180060402, of 07/13/2018, p. 30/68

24/36 off.

[0112] The initiation circuit includes a first series circuit to control the closing or opening of the first NO contact according to an output signal from the competing logic controller; a first parallel circuit to control the closing or opening of the second NO contact according to an output signal from the concurrent logic controller; a second parallel circuit for controlling the closing or opening of the third NA contact according to an output signal from the concurrent logic controller; and a second series circuit to control the closing or opening of the fourth NO contact according to an output signal from the concurrent logic controller.

[0113] The first series circuit 251 can control the closing / opening of the first contact NO 243 according to an output signal from the competing logic controller.

[0114] The first parallel circuit 252 can control the closing or opening of the second contact NO 244 according to the output signal from the concurrent logic controller. In more detail, the first parallel circuit 252 can control the closing or opening of the second contact NO 244 through the third circuit 255, according to the output signal from the competing logic controller.

[0115] The second parallel circuit 253 can control the closing / opening of the third contact NO 245 according to the output signal of the competing logic controller. In more detail, the second parallel circuit 252 can control the closing / opening of the third contact NO 245 through the fourth circuit 256, according to the output signal from the competing logic controller.

[0116] The second series circuit 254 can control the closing / opening of the fourth contact NO 246 according to the output signal from the competing logic controller.

[0117] The first series circuit 251 and the first parallel circuit 252 receive output signals AF-1, AF-2, AP-1 and AP-2 from the first competing logic controller 231-1 and the second competing logic controller 231-2 included in any of the branches.

[0118] The second series circuit 253 and the first parallel circuit 254 receive the output signals BF-1, BF-2, BP-1 and BP-2 coming from the first competing logic controller

Petition 870180060402, of 07/13/2018, p. 31/68

25/36

232-1 and the second competing logic controller 232-2 included in the other branch.

[0119] The initiation circuit includes a third circuit 255 including a relay 255-1 and controlling the closing or opening of the second contact NO 244 as relay 255-1 is switched on or off; and a fourth circuit 256 including a relay 256-1 and controlling the closing or opening of the third contact NO 245 as relay 256-1 is switched on or off, with the first parallel circuit 252 controlling the on / off action of relay 255- 1 included in the third circuit 255, and the second parallel circuit 253 controlling the on / off action of the relay 256-1 included in the fourth circuit 256.

[0120] Relays 255-1 and 256-1 that are included in third circuit 255 and fourth circuit 256 have NC contacts.

[0121] Here, the first series circuit 251, the first parallel circuit 252, the second parallel circuit 253 and the second series circuit 254 all receive control signals from competing logic controllers of different types. As the series circuits or parallel circuits that make up the initiating circuit of the present invention all receive control signals from competing logic controllers of different types, it is possible to ensure the safety of the reactor even if any competing logic controller stops. operate.

[0122] More specifically, the first series circuit 251 or the second series circuit 254 includes two relays connected in series, and the relay is switched on / off according to the output signal from the competing logic controller, with the first contact NA 243 or the fourth contact NA 246 being switched on when all relays are switched on, and the first contact NA 243 or the fourth contact NA 246 being switched off when at least one of the relays is switched off.

[0123] Considering the first series circuit 251 with respect to the characteristics described above, the first series circuit 251 includes two relays 251-1 and 251-2 connected in series, with relays 251-1 and 251-2 being connected / switched off by the competing logic controller output signal, the first contact NO 243 being switched on when all relays 251-1 and 251-2 are switched on, and the first contact NO 243 being switched off when at least one of relays 251-1 and 251 -2 is turned off.

[0124] Considering the second series circuit 254 with respect to the characteristics

Petition 870180060402, of 07/13/2018, p. 32/68

26/36 described above, the second series circuit 254 includes two relays 254-1 and 254-2 connected in series, with relays 254-1 and 254-2 being turned on / off by the output signal from the competing logic controller, the fourth contact NO 246 being switched on when all relays 254-1 and 254-2 are switched on, and the fourth contact NO 246 being switched off when at least one of relays 254-1 and 254-2 is switched off.

[0125] The relays in the series circuit are provided to receive the output signals from the different competing logic controllers. For example, when a signal to connect is received from the concurrent FPGA-based logic controller and the concurrent PLC-based logic controller, the first series circuit 251 connects both relays, causing the first contact 243 to be closed.

[0126] On the contrary, due to the characteristics of the series circuit, when the output signal to disconnect is received, coming from at least one competing logic controller based on FPGA or at least one competing logic controller based on PLC, the circuit in series is turned off, causing the first contact NO 243 to be opened.

[0127] More specifically, the first parallel circuit 252 or the second parallel circuit 253 includes two relays connected in parallel, with the relays being turned on or off by the output signals of the competing logic controllers, the relay included in the third circuit 255 or in fourth circuit 256 being switched on when all relays are switched off, and the relay included on third circuit 255 or fourth circuit 256 being switched off when at least one of the relays is switched on.

[0128] Considering the first parallel circuit 252 with respect to the characteristics described above, the first parallel circuit 252 includes two relays 252-1 and 252-2 connected in parallel, with relays 252-1 and 252-2 being switched on / off by output signals from competing logic controllers, relay 255-1 included in third circuit NA 255 being switched on when all relays 252-1 and 252-2 are switched off, and relay 255-1 included in third circuit 255 being switched off when at least least one of relays 252-1 and 252-2 is switched on.

[0129] Considering the second parallel circuit 253 with respect to the characteristics described above, the second parallel circuit 253 includes two relays 253-1 and 253-2 connected in series, with relays 253-1 and 253-2 being switched on / off by exit signals from

Petition 870180060402, of 07/13/2018, p. 33/68

27/36 concurrent logic controllers, relay 256-1 included in fourth circuit 256 being switched on when all relays 253-1 and 253-2 are switched off, and relay 256-1 included in fourth circuit 256 being switched off when at least one relays 253-1 and 253-2 are switched on.

[0130] As a result, when the relays included in the first parallel circuit 252 are all switched off, the relay included in the third circuit 255 is switched on to allow the second contact NO 244 to be closed.

[0131] In addition, when the relays included in the second parallel circuit 253 are all switched off, the relay on the fourth circuit 256 is switched on to allow the third contact NO 245 to be closed.

[0132] When at least one of the relays included in the first parallel circuit 252 is switched on, the relay included in the third circuit 255 is switched off to allow the second contact NO 244 to be opened.

[0133] Furthermore, when at least one of the relays included in the second parallel circuit 253 is switched on, the relay included in the fourth circuit 256 is switched off to allow the third contact NO 245 to be opened. Here, the relays included in the third circuit 255 and in the fourth circuit 256 are the NC contacts 255-1 and 256-1, respectively.

[0134] The relays included in the parallel circuit are provided to receive control signals from the different competing logic controllers. For example, when the control signal (to shut down) is received from the concurrent FPGA-based logic controller and the control signal (to shut down) is received from the concurrent PLC-based logic controller, the first parallel circuit 252 turns off both relays, thus allowing the second contact NO 244 to be opened.

[0135] On the contrary, due to the characteristics of the parallel circuit, when at least one competing logic controller based on FPGA or at least one competing logic controller based on PLC is connected, the parallel circuit is closed to allow the second contact NA 244 to be Open.

[0136] Therefore, the digital protection system of the present invention is configured so that power is supplied, in that order, to the MG 241, RTSS 240 and CEDM 242, and CEDM 242 lowers the control rod to do with

Petition 870180060402, of 07/13/2018, p. 34/68

28/36 that the reactor is turned off when the power is not supplied to CEDM 242, according to the closed / open state of the contacts in RTSS 240.

[0137] Figs. 6a to 6n are seen illustrating various forms of incorporation in which the digital protection system of the present invention is provided, to control normal operation of the reactor or a shutdown of the reactor according to various types of failure. Each configuration in figs. 6a to 6z is the same as in fig. 5.

[0138] FIG. 6a illustrates the operations of the initiation circuit of the present invention in the event that the power plant is under a normal condition and a safety system is under a normal condition. When the nuclear power plant is normal and the safety system is normal, the first contact NA 243 to the fourth contact NA 246 included in the initiation circuit of the present invention are all kept closed, and power is supplied to CEDM 242. Therefore, CEDM 242 does not lower the control rod, to allow the reactor to be operated normally.

[0139] FIG. 6b illustrates the operations of the invention initiation circuit in the event that the power plant is under an abnormal condition and the safety system is under a normal condition. When the nuclear power plant is abnormal and the safety system is normal, the first contact NA 243 to the fourth contact NA 246 included in the initiation circuit of the present invention are all kept open, and power is not supplied to CEDM 242. Therefore, CEDM 242 lowers the control rod to cause the reactor to be shut down.

[0140] Fig. 6c illustrates the operations of the initiation circuit of the present invention in the event that the power plant is under a normal condition and the security system is under an abnormal condition. Although the nuclear power plant is normal, the concurrent PLC-based logic controller of the safety system may have the AP-2 signal and the BP-2 signal detected as an abnormal (on) signal, rather than an original signal ( off).

[0141] Here, any of the two relays on the first parallel circuit and on the second parallel circuit are connected, so that the relays on the third series circuit and the fourth series circuit are switched off and the second NA contact and the third NA contact are kept open. However, as the first NA 243 contact and the fourth NA contact

Petition 870180060402, of 07/13/2018, p. 35/68

29/36

246 controlled by the first series circuit and the second series circuit are still being kept closed, power is normally supplied to the CEDM 242 through the first contact NA 243 and the fourth contact NA 246, thus allowing the reactor to operate normally.

[0142] FIG. 6d illustrates the operations of the initiation circuit of the present invention in the event that the power plant is under an abnormal condition and the safety system is under a normal condition. This corresponds to the worst case, in which the nuclear power plant is abnormal and the security system is also abnormal. In this case, since the nuclear power plant operates abnormally, the safety system must immediately lower the control rod to cause the reactor to be shut down. However, the security system may not be able to lower the control rod properly, due to a problem that is occurring in the security system.

[0143] However, the protection system of the present invention can solve this problem. For example, the concurrent PLC-based logic controller of the safety system may have the AP-1 signal and the BP-1 signal detected as an abnormal (on) signal, rather than an original (off) signal. At this time, as either of the two relays on the first series circuit 251 and the fourth circuit 256 is switched off, the first NA contact and the fourth NA contact 246 are kept open. As the two relays included in the first parallel circuit 252 and the second parallel circuit 253 are all connected, the relay included in the third circuit 255 and in the fourth circuit 256 is switched off. Therefore, as the first NA 243 contact, the second NA 244 contact, the third NA 245 contact and the fourth NA 246 contact are kept open, energy is not supplied to CEDM 242, to cause the control rod to lower and thus , the reactor shutdown.

[0144] FIG. 6e illustrates the operations of the initiation circuit of the present invention in the event that the power plant is under a normal condition and the security system is under an abnormal condition. The AP-1 signal and the BP-1 signal on the concurrent PLC-based logic controller of the safety system can be detected as an abnormal (off) signal, rather than an original (on) signal.

[0145] Here, like any of the relays on the first 251 series circuit and the fourth

Petition 870180060402, of 07/13/2018, p. 36/68

30/36 circuit 256 is switched off, the first NA 243 contact and the fourth NA 246 contact are kept open. However, the relays on the third circuit 255 and on the fourth circuit 256 controlled by the first parallel circuit 252 and the second parallel circuit 253 are kept connected, so that the second contact NO 244 and the third contact NO 245 are kept connected. As a result, power can normally be supplied to CEDM 242 via the second contact NA 244 and the third contact 245.

[0146] FIG. 6f illustrates the operations of the initiation circuit of the present invention in the event that the power plant is under an abnormal condition and the safety system is under an abnormal condition. This corresponds to the worst case, in which the nuclear power plant is abnormal and the security system is also abnormal. In this case, as the nuclear power plant is abnormal, the security system must immediately lower the control rod, but the control rod may not be lowered properly due to a problem that is occurring in the security system.

[0147] However, the protection system of the present invention can solve this problem. For example, the concurrent PLC-based logic controller of the safety system may have the AP-2 signal and the BP-2 signal detected as an abnormal (off) signal, rather than an original (on) signal. Then, any one of the two relays included in each of the first parallel circuit 252 and the second parallel circuit 253 is connected, and thus the relays included in the third circuit 255 and in the fourth circuit 256 are disconnected. Therefore, as the first NA 243 contact, the second NA 244 contact, the third NA 245 contact and the fourth NA 246 contact are kept open, energy is not supplied to CEDM 242, to cause the control rod to lower and thus , the reactor shutdown.

[0148] Fig. 6g illustrates the operations of the initiation circuit of the present invention when a first PW1 power supply, inside the enclosure and included in the first series circuit 251, is abnormal, in case the plant is under a normal condition and the security system is under a normal condition.

[0149] The relays included in the first series circuit 251 are all connected, but no current is supplied from the first PW1 power supply inside the cabinet, so the first contact NO 243 is open.

Petition 870180060402, of 07/13/2018, p. 37/68

31/36 [0150] The relays included in the first parallel circuit 252 are all switched off, so the relay included in the third circuit 255 is connected. Therefore, the second NA contact

244 is closed.

[0151] The relays included in the second parallel circuit 253 are all switched off, so the relay included in the fourth circuit 256 is switched on. Therefore, the third NA contact

245 is closed.

[0152] The relays included in the second circuit in series 254 are all connected, so the fourth contact NO 246 is closed.

[0153] Power can normally be supplied to CEDM 242 through the second contact NA 244 and the third contact NA 245, or through the fourth contact NA 246, thus allowing the reactor to be operated normally.

[0154] Fig. 6h illustrates the operations of the initiation circuit of the present invention when the first PW1 power supply, inside the cabinet and included in the first series circuit 251, is abnormal, in case the power plant is under an abnormal condition and the security system be under a normal condition.

[0155] The relays included in the first series circuit 251 are all switched off and the relay included in the third circuit 255 is switched off. Therefore, the second contact NA 243 is open.

[0156] The relays included in the first parallel circuit 252 are all connected and the relay included in the third circuit 255 is disconnected. Therefore, the second contact NA 244 is open.

[0157] The relays included in the second parallel circuit 253 are all connected and the relay included in the fourth circuit 256 is disconnected. Therefore, the third contact NA 245 is open.

[0158] The relays included in the second series circuit 254 are all switched off, so the fourth contact NO 246 is open.

[0159] Power is not supplied to CEDM 242 and the control rod is lowered, causing the reactor to be shut down.

[0160] Fig. 6i illustrates the operations of the initiation circuit of the present invention when the PW2 power supplies, inside the cabinet and included in the first parallel circuit

Petition 870180060402, of 07/13/2018, p. 38/68

32/36

252 and on the third circuit 255, they are all abnormal, in case the power plant is in a normal condition and the security system is in a normal condition.

[0161] The relays included in the first series circuit 251 are all connected, so the first contact NO 243 is closed.

[0162] The relays included in the first parallel circuit 252 are all switched off, so the relay included in the third circuit 255 is connected. However, since no current is supplied from a second PW2 power supply inside the cabinet, the second contact NO 244 is open.

[0163] The relays included in the second parallel circuit 253 are all switched off and so the relays included in the fourth circuit 256 are switched on. Therefore, the third contact NA 245 is closed.

[0164] The relays included in the second circuit in series 254 are all connected and, therefore, the fourth contact NA 246 is closed.

[0165] Power can be supplied normally from the MG 241 set to CEDM 242, through the first NA 243 contact and the third NA 245 contact, or through the fourth NA 246 contact, thus allowing the reactor to be operated normally.

[0166] Fig. 6j illustrates the operations of the initiation circuit of the present invention when the second PW2 power supplies, inside the cabinet and included in the first parallel circuit 252 and the third circuit 255, are abnormal, in case the power plant is under an abnormal condition and the security system is in a normal condition.

[0167] The relays included in the first series circuit 251 are all switched off, so the first contact NO 243 is open.

[0168] The relays included in the first parallel circuit 252 are all connected, but no current is supplied by the second PW2 power supply inside the cabinet, so the relay included in the third circuit 255 is connected. However, there is also no current supplied by the second PW2 power supply inside the cabinet and included in the third circuit 255, so that the second contact NO 244 is open. [0169] The relays included in the second parallel circuit 253 are all connected, so the relay included in the fourth circuit 256 is disconnected, so the third contact NO 245 is

Petition 870180060402, of 07/13/2018, p. 39/68

33/36 open.

[0170] The relays included in the second circuit in series 254 are all switched off, so the fourth contact NO 246 is open.

[0171] Power is not supplied to CEDM 242, causing the control rod to be lowered and the reactor to be turned off.

[0172] FIG. 6k illustrates the operations of the initiation circuit of the present invention when the first PW1 power supply, inside the cabinet and included in the first series circuit 251, and the second PW2 power supplies, inside the cabinet and included in the first parallel circuit 252 and on the third circuit 255, they are all abnormal, in case the power plant is in a normal condition and the security system is in a normal condition.

[0173] The relays included in the first 251 series circuit are all connected, but no current is supplied by the first PW1 power supply inside the cabinet, so the first contact NO 243 is open.

[0174] The relays included in the first parallel circuit 252 are all switched off and the relay included in the third circuit 255 is switched on. However, no current is supplied by the second PW2 power supply inside the case, so the second contact NO 244 is open.

[0175] The relays included in the second parallel circuit 253 are all switched off, so the relay included in the fourth circuit 256 is on, so the third contact NO 245 is closed.

[0176] The relays included in the second circuit in series 254 are all connected, so the fourth contact NO 246 is closed.

[0177] Power is not supplied to CEDM 242, causing the control rod to be lowered and the reactor to be turned off.

[0178] FIG. 61 illustrates the operations of the starter circuit of the present invention when the first PW1 power supply, inside the cabinet and included in the first series circuit 251, and the second PW2 power supplies, inside the cabinet and included in the first parallel circuit 252 and on the third circuit 255, they are all abnormal, in case the power plant is in an abnormal condition and the security system is in

Petition 870180060402, of 07/13/2018, p. 40/68

34/36 a normal condition.

[0179] The relays included in the first series circuit 251 are all turned off and the power is not supplied by the first PW1 power supply inside the cabinet, so the first contact NO 243 is open.

[0180] The relays included in the first parallel circuit 252 are all connected, but no current is supplied by the PW2 power supply inside the cabinet, and for this reason the relay included in the third circuit 255 is connected. However, there is also no current supplied by the second PW2 power supply inside the cabinet and included in the third circuit 255, so the second contact NO 244 is open.

[0181] The relays included in the second parallel circuit 253 are all connected and the relay included in the fourth circuit 256 is disconnected, so the third contact NO 245 is open.

[0182] The relays included in the second series circuit 254 are all switched off, so the fourth contact NO 246 is open.

[0183] Power is not supplied to CEDM 242, causing the control rod to be lowered and the reactor to be turned off.

[0184] Fig. 6m illustrates the operations of the initiating circuit of the present invention when the first PW1 power supply, inside the cabinet and included in the first series circuit 251, the second PW2 power supplies, inside the cabinet and included in the first parallel circuit 252 and in third circuit 255, the PW3 power supply, inside the case and included in the second series circuit 254, and the fourth PW4 power supplies, inside the case and included in the second parallel circuit 253 and the fourth circuit 256, are all abnormal, in case the power plant is in normal condition and the security system is in a normal condition.

[0185] The relays included in the first 251 series circuit are all connected, but no current is supplied by the first PW1 power supply inside the cabinet, with the first NA 243 contact remaining open.

[0186] The relays included in the first parallel circuit 252 are all switched off, so the relay included in the third circuit 255 is connected. However, no current is supplied by the second PW2 power supply inside the case, so the second

Petition 870180060402, of 07/13/2018, p. 41/68

35/36 contact ΝΑ 244 is open.

[0187] The relays included in the second parallel circuit 253 are all switched off, and the relay included in the fourth circuit 256 is switched on. However, as no current is supplied by the third PW3 power supply inside the cabinet, the third contact NO 245 is open.

[0188] The relays included in the second series 254 circuit are all connected, but no current is supplied by a fourth PW4 power supply inside the cabinet, so the fourth contact NO 246 is open.

[0189] Power is not supplied to CEDM 242, causing the control rod to be lowered and the reactor to be turned off.

[0190] Fig. 6n illustrates the operations of the initiation circuit of the present invention when the first PW1 power supply, inside the cabinet and included in the first series circuit 251, the second PW2 power supplies, inside the cabinet and included in the first parallel circuit 252 and in third circuit 255, the third PW3 power supply, inside the case and included in the second series circuit 254, and the fourth PW4 power supplies, inside the case and included in the second parallel circuit 253 and the fourth circuit 256, are all abnormal , in case the power plant is in a normal condition and the security system is in a normal condition.

[0191] The relays on the 251 series circuit are all switched off and no current is supplied by the first PW1 power supply inside the cabinet, with the first NA 243 contact remaining open.

[0192] The relays are all connected and no current is supplied by the second PW2 power supply inside the cabinet on the first parallel circuit 252, and so the relay included in the third circuit 255 is on. However, there is also no current supplied by the second PW2 power supply inside the cabinet and included in the third circuit 255, making the second contact NO 244 open.

[0193] The relays on the second parallel circuit 253 are all connected and no current is supplied by the third PW3 power supply inside the cabinet, so the relay included in the fourth circuit 256 is connected. The third contact NA 245 is therefore open.

Petition 870180060402, of 07/13/2018, p. 42/68

36/36 [0194] The relays on the second series 254 circuit are all switched off and no current is supplied by a fourth PW4 power supply inside the cabinet, so the first contact NO 243 is open.

[0195] Power is not supplied to CEDM 242, thus causing the control rod to lower and the reactor to shut down.

[0196] With reference to figs. 6a to 6n, in an emergency where a lowering signal from the control rod must be generated, even if a fault occurs in any relay or contact of the security system, the digital protection system of the present invention can control the CEDM, allowing the remaining relays and contacts are compensated with each other, and so the nuclear power plant's security system can normally be operated even in a situation with an SPV or CCF; therefore, normal reactor operation or reactor shutdown can be processed.

[0197] The embodiments of the present invention explained above are described for purposes of illustration only, and the invention is not limited to them. In addition, it will be apparent to those skilled in the art that various modifications and variations can be made to the present invention, without departing from the spirit and scope of the invention, and such modifications and changes are considered to be within the scope of the present invention.

Claims (19)

Claims 1. Digital protection system having at least two channels and at least two branches, such a system being characterized by comprising: a process protection system having, on one channel, a first and a second comparative logic controller of different types, mutually independent of each other, with the first and second comparative logic controllers each receiving process variables as inputs, with each one producing logical results of comparison; a reactor protection system having, in one branch, a first and a second competing logic controller of different types, mutually independent of each other, with the first and second competing controllers each receiving the logical comparison results as inputs , with each producing competing logical results; the reactor protection system includes at least two initiation circuits, with each initiation circuit including a series circuit in which a plurality of relays are connected in series, and a parallel circuit in which a plurality of relays are connected in parallel, wherein one of the relays of the series circuit is controlled by receiving one of the competing logic results as an input, and one of the relays of the parallel circuit is controlled by receiving the other of the competing logic results as an input. 2. Digital protection system according to claim 1, characterized in that at least two channels include a first channel, a second channel, a third channel, and a fourth channel. 3. Digital protection system according to claim 1, characterized in that at least two branches include a first branch and a second branch. 4. Digital protection system, according to claim 1, characterized in that the different types of comparative logic controllers include a field programmable door arrangement (FPGA) type controller and a programmable logic controller (PLC) type controller. 5. Digital protection system, according to claim 1, characterized in that the comparative logic controllers each transmit the logical results Petition 870180060402, of 07/13/2018, p. 44/68 2/5 comparison only for competing logic controllers of a type. 6. Digital protection system, according to claim 1, characterized in that the process variables include information indicative of at least a reactor cooling tube hot temperature, a reactor cooling tube cold temperature, a reactor cooling flow rate, a pressurizer pressure, a pressurizer water level, a neutron flow value, a containment building pressure, a steam generator water level, a pressure of the steam pipe, and a level of the replenishing water tank. 7. Digital protection system, according to claim 1, characterized in that the logical comparison results include a normal signal or an abnormal signal; with the first competing logic controller producing the competing logic results based on the number of logical comparison results and the number of signals received from the first comparative logic controllers included in each channel, where the competing logic results issued by the first competing logic controller include a first output signal, which is fed into a relay included in the series circuit, and a second output signal, which is fed into a relay included in the parallel circuit, with the first and second output signals having opposite logic values; and with the second competing logic controller producing the competing logic results based on the number of logical comparison results and the number of abnormal signals received from the second comparative logic controllers included in each channel, where the competing logic results emitted by the second comparative logic controllers include a third output signal, which is fed into a relay included in the series circuit, and a fourth output signal, which is fed into a relay included in the parallel circuit, with the third and fourth output signals having opposite logic values . 8. Digital protection system according to claim 7, characterized in that the first competing logic controller outputs the competing logic results when the received logical comparison results include at least one signal Petition 870180060402, of 07/13/2018, p. 45/68 3/5 abnormal, emitting a first logic value for the series circuit and a second logic value for the parallel circuit; and the second concurrent logic controller outputs the concurrent logic results when the received comparison logic results include at least one abnormal signal, emitting the first logic value for the series circuit and the second logic value for the parallel circuit. 9. Digital protection system according to claim 7, characterized in that the first competing logic controller outputs the competing logic results when the received logical comparison results include at least one normal signal, emitting a first logic value for the series circuit and a second logic value for the parallel circuit; and the second concurrent logic controller outputs the concurrent logic results when the received comparison logic results include at least one normal signal, emitting the first logic value for the series circuit and the second logic value for the parallel circuit. 10. Digital protection system, according to claim 1, characterized by also comprising a reactor stop switching system (RTSS) including: a first normally open contact (NO) connected between a power supply and a central node; a second NO contact connected between the power supply and the central node; a third NO contact connected between the central node and a control element actuation mechanism (CEDM); and a fourth NO contact connected between the central node and the CEDM. 11. Digital protection system according to claim 10, characterized in that, when at least a first NA contact or a second NA contact is closed, and at least a third NA contact or a fourth NA contact is closed, the energy is supplied to the CEDM from a motor-generator set. 12. Digital protection system, according to claim 10, characterized in that, when both the first NA contact and the second NA contact are open, or both the third NA contact and the fourth NA contact are open, the energy supplied Petition 870180060402, of 07/13/2018, p. 46/68 4/5 for the CEDM from a motor-generator set to be interrupted. 13. Digital protection system, according to claim 10, characterized in that each initiation circuit includes: a first series circuit to control the first NO contact according to an output signal from the concurrent logic controller; a first parallel circuit to control the second NO contact according to the output signal from the concurrent logic controller; a second parallel circuit for controlling the third NO contact according to the output signal from the concurrent logic controller; and a second series circuit to control the fourth NO contact according to the output signal from the concurrent logic controller. 14. Digital protection system according to claim 13, characterized in that the first series circuit and the first parallel circuit receive, as inputs, the output signals of the first competing logic controller and the second competing logic controller included in a first branch between at least two branches. 15. Digital protection system according to claim 14, characterized in that the second series circuit and the second parallel circuit receive, as inputs, the output signals of the first competing logic controller and the second competing logic controller included in a second branch among at least two branches. 16. Digital protection system, according to claim 13, characterized in that each initiation circuit also includes: a third circuit including a relay to control the second NA contact, such a relay to control the second NA contact being controlled by the first parallel circuit; and a fourth circuit including a relay to control the third NA contact, such a relay to control the third NA contact being controlled by the first parallel circuit. 17. Digital protection system, according to claim 16, characterized in that the relays included in the third circuit and in the fourth circuit have normally closed contacts (NC). 18. Digital protection system, according to claim 13, characterized Petition 870180060402, of 07/13/2018, p. 47/68 5/5 because the first series circuit or the second series circuit includes two relays connected in series, with the two series relays being turned on / off respectively according to the output signal from the competing logic controller; and with the first NA contact or the fourth NA contact being closed when the two relays are both connected, and the first NA contact or the fourth NA contact is open when at least one of the two relays is off. 19. Digital protection system according to claim 16, characterized in that the first parallel circuit or the second parallel circuit includes two relays connected in parallel, with the two parallel relays being switched on / off according to the output signal from the controller competing logic; with the relay included in the third circuit or the fourth circuit being connected when the relays included in the first parallel circuit or in the second parallel circuit are all switched off; and with the relays included in the third circuit or the fourth circuit being switched off when at least one of the relays included in the first parallel circuit or in the second parallel circuit is connected.