CN1175428C - Fault tolerant control system - Google Patents
Fault tolerant control system Download PDFInfo
- Publication number
- CN1175428C CN1175428C CNB991052110A CN99105211A CN1175428C CN 1175428 C CN1175428 C CN 1175428C CN B991052110 A CNB991052110 A CN B991052110A CN 99105211 A CN99105211 A CN 99105211A CN 1175428 C CN1175428 C CN 1175428C
- Authority
- CN
- China
- Prior art keywords
- control system
- fault
- tolerant
- time
- output
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
Images
Classifications
-
- G—PHYSICS
- G21—NUCLEAR PHYSICS; NUCLEAR ENGINEERING
- G21D—NUCLEAR POWER PLANT
- G21D3/00—Control of nuclear power plant
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02E—REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
- Y02E30/00—Energy generation of nuclear origin
Landscapes
- Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Plasma & Fusion (AREA)
- General Engineering & Computer Science (AREA)
- High Energy & Nuclear Physics (AREA)
- Testing And Monitoring For Control Systems (AREA)
- Safety Devices In Control Systems (AREA)
Abstract
A fault-tolerant control system, has a plurality of tolerant sensors provided in the electricity generating station, which provides information to the essentially identical main programmable logic control system and secondary programmable logic control system. The normal operation of the control systems is not subject to any actual t any real individual fault in the control systems. During work, the output signal from the main control system to the field equipment is interrupted only when the health signal indicates the misoperation of the main control system.
Description
Technical field
A kind of fault-tolerant control system that the present invention relates to use in the nuclear power plant.More particularly, the present invention relates to a kind of as feed water control system, reactor regulating system or as the hardware control system equipment steam by-pass control system, that can survive any real single failure of appearance system in.
Background technology
Nuclear steam power plant adopts the automatic control system ensemble of reactor regulating system (RRS), Feed Water Regulation System (FWCS) and steam by-pass control system (SBCS) usually.These control system of nuclear reactor are many for many years all, can adopt process computer to fulfil its control task.This class process control computer receives the information of nuclear reactor by some sensors and signal calibrator.By detected information is carried out a series of mathematic(al) manipulations, all control system produce output signal automatically and are added on each executive system or each control device, are adjusted the operating process of reactor conversely by executive system or control device.For example, RRS can change the active region reactivity of nuclear reactor according to the information requirements of each sensor acquisition outside the active region.
Because these control system, many working control processes of nuclear power plant are all carried out automatically.Along with requiring to improve effective rate of utilization, efficient and safety etc., just growing to the degree of dependence of nuclear power plant's process computer, by using digital process-computer, significantly improved above-mentioned desired each side.In the more novel design of nuclear power plant's process computer, introduced the notion of function modoularization at the level of hardware, with the application and the adjustment process of simplified control system.This type systematic has been helped solve nuclear power plant's control owing to the complicated problems day by day that requires effective rate of utilization to greatest extent to produce, and still can satisfy the strict demand of safety and environmental protection aspect.
The module controls system, for example RRS, FWCS and SBCS, when all constituents operate as normal, can work effectively, but when a certain ingredient is out of order, no matter be that maloperation or other reason cause, the capital produces complicated transient process, and at this moment not only the boundary condition of a nuclear power plant can produce the mistake response.Owing to the control system complicacy with owing to the interaction by the shared parameter of control system between the various controls makes these transient process be difficult to control.When each control system was malfunctioning, the operation of nuclear power plant changed manual control usually over to, can not avoid control system or even nuclear power plant out of service.
In addition, in the past the several years, the construction cost of nuclear power plant progressively rises, and operating cost also is like this.As a result, the staff of nuclear power plant will promise to undertake the efficient of improving power plant, comprises that the off-time that will hinder for some reason and cause is reduced to the shortest.Be the benefit that raises the cost to greatest extent, power plant's design is all increasing aspect scale and the complicacy, and the thing followed is the raising that management and control system aspect require.But along with the increase of complicacy, thereby indivedual malfunctioning possibility that the operation of power plant is had a negative impact of ingredient has also increased.In addition, the adjustment of control system of power plant and maintenance need system shutdown usually, thereby make the further variation of efficient of power plant.
Summary of the invention
Therefore, the objective of the invention is to overcome the above-mentioned shortcoming in the malfunctioning and maintenance of Control System Component, be provided for resembling the fault-tolerant control system of the nuclear power plant system of RRS, FWGS and SBCS and so on." fault-tolerant " speech is interpreted as the influence of any real single failure in the uncontrolled system of the normal running that is meant control system.
Another object of the present invention provides a kind of nuclear power plant of shortening to greatest extent because of the assembly fault-tolerant control system of the malfunctioning shut down time that causes.
The fault-tolerant control system that the operate as normal that the present invention also has another order to provide a kind of system is not influenced by its maintenance.
A kind of fault-tolerant control system that is used to control field apparatus of the present invention, comprise: identical in essence master control system and time control system, have identical in essence input function unit, the identical output function unit and identical in essence processing function unit of essence, wherein, described master control system also comprises a main health monitor that is used for each described main function unit, and described time the control system also comprises an inferior health monitor that is used for each described subfunction unit; With the control transfer device, be used to respond from the main health signal of described main health monitor output and will transfer to the control system described time from described master control system to the control of field apparatus, response will not transferred to described master control system from described control system to the control of field apparatus from the inferior health signal of described health monitor output.
Fault-tolerant control system according to the present invention has a plurality of redundant sensors that are placed in the nuclear power plant, in order to provide information to identical, programmable main logic control system and inferior logic control system.In normal work period, the primary and secondary control system all provides parallel digital output signal to field apparatus.At least the health status of master control system constantly comes under observation.Under normal circumstances, field apparatus receives the output signal of self-control system.In illustrated embodiments, the output signal of master control system only shows in health status that master control system turns round and just interrupts when not normal.When the output signal of master control system was interrupted, the output signal of inferior control system made state of a control continuous with regard to the field apparatus that is transported to power plant.
The purpose of the present invention's design is fundamentally to eliminate the system failure that causes because of intrasystem real indivedual point failures.The present invention also substantially eliminates the adjoint system that caused by general indivedual point failure reasons or the shut-down of power plant.Owing to eliminated the indivedual point failures in the control system in fact, can reach these purposes of the present invention.Like this.The present invention makes system have high validity, and disadvantageous behavior appears in anti-locking system when individual component is out of order.If main system is malfunctioning, just interrupt the output of master control system, in case wrong output signal passes to field apparatus.Output signal to field apparatus but inferior control system is identical with normal master control system output.Because the primary and secondary system all is continuous working, thereby control procedure is with the clearly steadily formal transformation for power plant's course of work.Like this, detect main portion when fault is arranged, control task just is converted to time control processor from main processing controller automatically.
Description of drawings
Reading following detailed description, claims and consult accompanying drawing can clearer understanding characteristics of the present invention and creationary each side.In the accompanying drawing:
Fig. 1 is the structural drawing of the model configuration of general fault-tolerant control system of the present invention;
Figure 1A is the structural drawing of the numeric structure of general fault-tolerant control system of the present invention;
Fig. 2 is the simulation composition of the fault-tolerant control system of the automatic control system ensemble that is used for reactor regulating system (RRS), feed water control system (FWCS) and steam by-pass control system (SBCS) of the present invention;
Fig. 2 A is the numeric structure figure of the fault-tolerant control system of Fig. 2;
Fig. 3 is the typical flowchart of the fault-tolerant control system of model configuration of the present invention;
Fig. 3 A is the typical flowchart of the fault-tolerant control system of numeric structure of the present invention.
Embodiment
Fig. 1 represents the synoptic diagram according to fault-tolerant control system of the present invention.This paper uses the influence that is interpreted as any real single failure in the uncontrolled system of the normal running that is meant control system with " fault-tolerant " speech.
Among Fig. 1, control system 10 of the present invention generally includes the standby inferior control system 13 of a master control system 12 and, and the both receives the input data from public sensor 14.But the input data from sensor 14 transmit by discrete main isolator 15 and time isolator 16 respectively. Isolator 15 and 16 effect are to prevent to produce between sensor 14 and each control system superpotential or feedback.Then, send discrete primary input module and time load module (all not shown among the figure) to, provide data to each control system by these two modules from the data of isolator 15 and 16.The information that offers control system 12 and 13 from each load module can be produced by the sensor in power plant's function element, also can be produced by the output of other control system in the power plant.Modern power plant's design makes control system can use the data from redundant sensor when a certain faulty sensor adopting the sensor of settling a plurality of redundancies in nuclear power plant system on the strategy, so that power plant continues normal operation.
Equally, the present invention provides redundant process control in the mode of master control system 12 and time control system 13.Two systems all receive same input information, and main system 12 is the same fully with subsystem 13.Like this, under normal operation, main output 19 and time output 20 essence are identical.Output 19 and 20 is by output isolator 17 and 18.In that analoglike control system structure shown in Figure 1, the control circuit 22 of configuration sends output data 24 to other place 25 in field apparatus or the power plant selectively.
In the digital fault-tolerant control system structure shown in Figure 1A, master control system 12 and time control system 13 provide identical in essence output signal concurrently to field apparatus 25.It still is all unimportant from inferior control system 13 that the output signal that drives field apparatus 25 is come self-control system 12, and that the control system shown in Figure 1A has only when primary and secondary control system all malfunctioning (multiple spot fault) is just malfunctioning.Removing master control system 12 or inferior control system 13 can not influence the running of field apparatus 25.
Because control system 12 and 13 is identical in essence, thereby can be chosen as main system and subsystem arbitrarily during beginning.But once being appointed as master control system, fault-tolerant control system of the present invention just constitutes by master control system preferentially controls field apparatus, as shown in fig. 1.Therefore, in the model configuration of Fig. 1, in case specified control system 12 is a master control system, control circuit 22 just naturally and understandably in the future the output data 19 of self-control system 12 as its output data 24.Have only when master control system 12 because of any reason when malfunctioning.Just with inferior output 20 as output data 24.Under the situation of the numeric structure of Figure 1A, because the output of master control system 12 and time control system 13 is identical in essence, thereby hypothesis master control system driving field apparatus 25.But as mentioned above, master control system 12 or inferior control system 13 are out of order and can influence field apparatus 25.
Fig. 2 and Fig. 2 A illustrate the system ensemble of each automatic control system of nuclear power plant system.Specifically, there is shown the feed water control system 28,30 (FWCS) that is used for reactor regulating system 26 (RRS), each steam generator and the complex control system of steam by-pass control system 32,34 (SBCS).All control system all demonstrate the fault-tolerant situation with reference to top Fig. 1 explanation.Like this, each system among Fig. 2 comprises a master control system and a global function full redundancy time control system.Among Fig. 2, every pair of identical control system also comprises a control circuit 22, in order to selectively in power plant other local (not shown) send output data from normal operation control system.Among Fig. 2 A, every pair of same control system structure becomes in the future that the output signal of autonomous time control system transfers to other place in the power plant.
Consult Fig. 3 now and the model configuration of control system of the present invention is described so that understand its whole fault freedoms better.Two identical control system 40,60 parallel connections are configured to handle the information from power plant's sensors X and Y, and provide output data to scene control program 80.Among Fig. 3, specified control system 40 is a master control system arbitrarily, and 60 of control system are decided to be time control system.A plurality of redundant sensor X and Y are configured in the power plant, to provide information to control system 40,60.The sort of complex control system of control RRS, FWCS and SBCS need be from the data of many places in the reactor system.But in Fig. 3, all intrasystem sensors all use sensors X and Y to represent.
Then, come the data of self-sensing X and Y to send master control system 40 and time control system 60 to through discrete signal isolator (not shown), and receive by load module 42 and 62 in identical mode.46,66 receptions of the processed functional unit of data by load module 42,62 receptions. Processing function unit 46,66 are requiring according to power plant system that data are automatic carries out identical pre-programmed treatment step when controlled, and according to the data of importing, through individual output signals isolator (not shown) to output function unit 48,68 provide signal, preparation sends each field apparatus to, to keep the control to power plant system.Under normal circumstances, output function unit 48,68 transmits identical in essence data to control circuit 82 (representing with switch among Fig. 3).Under normal operation, i.e. during master control system 40 normal runnings, main output function unit 48 provides output data to scene control program 80.
In master control system 40 and time control system 60, each subsystem is all respectively by health monitoring functional unit 50,70 monitoring its when whether breaking down signal, when health monitoring functional unit 50 or 70 detects the maloperation signal, just provide diagnostic message to the control system watch-dog.If health monitoring functional unit 50,70 any its sub-ingredients are received the maloperation signal that influences master control system 40 normal runnings, just provide signal receiving subsystem 60 from the output information circulation of system 40 to gauge tap 82.Health monitoring system functional unit also with regard to each control system provide the indication of alarm, health status and diagnostic message, comprise fault detect, thereby improve the maintenance levels of system, and improved the Mean Time To Repair of these control system.Be equipped with known manual switchover functional unit 86 in addition,, and can have manually booted each system of power plant, thereby can on main system or subsystem, carry out maintaining and need not to interrupt the normal operation of power plant so that in case of necessity can the manual override control system.Like this, when carrying out the change of programming or other control procedure, need not to make system or power plant to stop work.As can see from Figure 3, the unlikely influence that is controlled any real individual component fault in the system of normal operation of any control system is guaranteed in the design of fault-tolerant control system.
During work, master control system 40 and time control system 60 are all in parallel and work in real time.Therefore, output 48 and 68 does not have under the situation of maloperation just the same in essence in normal operation and system, when therefore receiving the maloperation signal of autonomous system 40 from main system 40 to subsystem 60 switching be scene control program 80 completely known to.
The flow process degree of the process flow diagram of the control system numeric structure shown in Fig. 3 A and Fig. 3 control system model configuration is structurally similar.But do not have control circuit 82 in the numeric structure, on the contrary the master control system of Fig. 3 A and time control system also comprise corresponding maximum impulse generation circuit 90 and 92, and maximum impulse generation circuit 90 and 92 comprises path 91 and 93 respectively.During operate as normal, identical in essence output 94,96 constantly and offer field apparatus 80 from the primary and secondary control system concurrently.If the health monitoring circuit 50 in the master control system 40 detects in the master control system break down, maximum impulse generation circuit 90 does not influence output 96 with regard to interrupting output 94.Because output 96 is kept, thereby exports 94 interruption, field device 80 is known fully.In most preferred embodiment, interrupt the output 94 of master control system only.But fault-tolerant control system also can design to such an extent that make master control system 40 identical with time control system 60, can interrupt main output 94 or inferior output 96 when one of them control system is out of order thereby detect.
Fault-tolerant control system of the present invention can be eliminated the real indivedual dot system faults that caused by general reason.Be actually and fundamentally eliminated indivedual point failures in the system.Each subsystem of being designed to of control system adopts redundant processor, I/O and communicates by letter to eliminate the indivedual point failures in the redundancy control system.Detect when breaking down in the main portion, control task is transferred to time control processor from main processing controller automatically.Control is to transfer to the reserve part in the known mode that leaves no trace fully of production control process.Therefore, the malfunctioning operation to power plant that has reduced individual component to greatest extent produces dysgenic potential possibility, and this point can be proved by the improvement of mean time between failures (MTBF) of these control system.Like this, the possibility that produces complicated transient process because of the control system fault has just reduced widely, because the raising of system effectiveness has improved the general performance of power plant.
The more selected most preferred embodiments of the present invention more than have been described.But those skilled in the art know, are to propose certain modification and variation under the prerequisite that does not break away from teachings of the present invention.Therefore, should study following claims to determine real scope and the content of the present invention.
Claims (14)
1. fault-tolerant control system that is used to control field apparatus comprises:
Identical in essence master control system and time control system, have identical in essence input function unit, the identical output function unit and identical in essence processing function unit of essence, wherein, described master control system also comprises a main health monitor that is used for each described main function unit, and described time the control system also comprises an inferior health monitor that is used for each described subfunction unit; With
The control transfer device, be used to respond from the main health signal of described main health monitor output and will transfer to the control system described time from described master control system to the control of field apparatus, response will not transferred to described master control system from described control system to the control of field apparatus from the inferior health signal of described health monitor output.
2. fault-tolerant control system as claimed in claim 1 is characterized in that, described master control system and time control system provide simulation output.
3. fault-tolerant control system as claimed in claim 2, it is characterized in that, described control transfer device comprises a switch that is configured between the field apparatus that described output function unit and control system control, and makes described switch have only when described main health monitor shows described master control system maloperation and just described control system output function unit is connected with described field apparatus.
4. fault-tolerant control system as claimed in claim 2 is characterized in that, described time health signal is subjected to continuous monitoring.
5. fault-tolerant control system as claimed in claim 4 is characterized in that, a switch is equipped with the manual switchover functional unit, can be selectively with operation control system from described master control system and time control system manual transfer.
6. fault-tolerant control system as claimed in claim 5 is characterized in that, described primary and secondary control system can the extract real-time data.
7. fault-tolerant control system as claimed in claim 1 is characterized in that, described primary and secondary control system can the extract real-time data.
8. fault-tolerant control system as claimed in claim 1 is characterized in that, a switch is equipped with the manual switchover functional unit, selectively from described master control system and time control system manual transfer operation control system.
9. fault-tolerant control system as claimed in claim 1 is characterized in that, described master control system and time control system all provide identical in essence numeral output in parallel to field apparatus.
10. fault-tolerant control system as claimed in claim 9, it is characterized in that, described control transfer device has a maximum impulse generation circuit arrangement between the field apparatus that described main digital output end and control system are controlled, thereby makes described maximum impulse generation circuit only just interrupt described main numeral output when described main health monitor shows described master control system maloperation.
11. fault-tolerant control system as claimed in claim 10, it is characterized in that, described control system also has a maximum impulse generation circuit arrangement between the field apparatus that described digital output terminal and control system are controlled, and exports thereby make described maximum impulse generation circuit only just interrupt described numeral when described health monitor shows described control system misoperation.
12. fault-tolerant control system as claimed in claim 11 is characterized in that, main health signal and time health signal are subjected to continuous monitoring.
13. fault-tolerant control system as claimed in claim 11 is characterized in that, described digital output end is equipped with the manual switchover functional unit, can shift control system from described master control system and time control system selectively.
14. fault-tolerant control system as claimed in claim 13 is characterized in that, described master control system and time control system can the extract real-time data.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US6178898A | 1998-04-17 | 1998-04-17 | |
| US09/061788 | 1998-04-17 | ||
| US09/061,788 | 1998-04-17 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1233061A CN1233061A (en) | 1999-10-27 |
| CN1175428C true CN1175428C (en) | 2004-11-10 |
Family
ID=22038141
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB991052110A Expired - Lifetime CN1175428C (en) | 1998-04-17 | 1999-04-17 | Fault tolerant control system |
Country Status (2)
| Country | Link |
|---|---|
| KR (1) | KR19990082957A (en) |
| CN (1) | CN1175428C (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101783192B (en) * | 2009-10-23 | 2012-07-18 | 中广核工程有限公司 | Common control net for nuclear power station |
| EP2691820B1 (en) * | 2011-03-30 | 2020-08-05 | Vestas Wind Systems A/S | Wind power plant with highly reliable real-time power control |
| CN102707716B (en) * | 2012-06-28 | 2014-07-23 | 南京理工大学常熟研究院有限公司 | Generalized fault-tolerance control method for sensor |
| CN103235568B (en) * | 2013-04-03 | 2016-05-11 | 电子科技大学 | A kind of nuclear power plant equipment condition monitoring wireless detection device |
-
1999
- 1999-04-06 KR KR1019990011860A patent/KR19990082957A/en active IP Right Grant
- 1999-04-17 CN CNB991052110A patent/CN1175428C/en not_active Expired - Lifetime
Also Published As
| Publication number | Publication date |
|---|---|
| KR19990082957A (en) | 1999-11-25 |
| CN1233061A (en) | 1999-10-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP2080903B2 (en) | Fail-safe system for controlling wind turbines | |
| CN202230380U (en) | Industrial online redundancy control system | |
| CN201607962U (en) | Nuclear power station conventional island switchgear redundancy control system | |
| EP2452410B1 (en) | Substation automation system with remote redundant protection function | |
| CN109681443B (en) | Rotation speed control system and method for steam-driven main feed pump of nuclear power station | |
| CN102324258A (en) | Method and system for preventing error drive of ATWT (Anticipated Transients without Trip) equipment cabinet | |
| WO2012079699A1 (en) | Drive device | |
| EP2595019B1 (en) | Method and apparatus for analogue output current control | |
| CN1175428C (en) | Fault tolerant control system | |
| CN108733021B (en) | Method for dispersing double-AP fault risk of DCS (distributed control system) | |
| JP3876562B2 (en) | System linkage method for natural energy power generation equipment | |
| US11537110B2 (en) | Programmable electronic power regulator | |
| US20050225173A1 (en) | Electrical system, and control module and smart power supply for electrical system | |
| CN100511057C (en) | Fail-safe processing method, device and industrial automation control appliance | |
| KR100412301B1 (en) | Dual control method in hierarchical control system and apparatus thereof | |
| CN113778519A (en) | Execution mechanism output instruction control method and device and computer equipment | |
| KR100380658B1 (en) | Out put device using serial communication of triple type control device and control method thereof | |
| CN114255895A (en) | Instrument control system of nuclear power station | |
| CN117590787A (en) | Control system and method for regulating valve and electronic equipment | |
| JPH11338555A (en) | Power supply control system | |
| CN112727678B (en) | Fan variable pitch control system based on multiple fault-tolerant modes | |
| CN219392514U (en) | DCS control system for chemical principle experiments | |
| CN213482649U (en) | Double-machine data interaction device for speed regulator of water turbine | |
| RU2574289C2 (en) | Set of electric equipment of nuclear reactors control and protection system | |
| CN206848436U (en) | A kind of power station Power Regulation relay on-line monitoring system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C06 | Publication | ||
| PB01 | Publication | ||
| C53 | Correction of patent for invention or patent application | ||
| CB02 | Change of applicant information |
Applicant after: ABB Combustion Engineering Nuclear Power Inc. Applicant before: Combustion Engineering Co. |
|
| COR | Change of bibliographic data |
Free format text: CORRECT: APPLICANT; FROM: BURNING ENGINEERING CO., LTD. TO: ABB BURNING ENGINEERING NUCLEAR FORCE CO., LTD. |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CX01 | Expiry of patent term | ||
| CX01 | Expiry of patent term |
Granted publication date: 20041110 |