JP2011191855A - Digital safety protection system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a digital safety protection system for readily confirming the occurrence of common factor failures. <P>SOLUTION: The digital safety protection system 2 includes an arithmetic logic unit 4 for executing a program of 2-out-of-4 logic operation of negative logic; a hard backup arithmetic logic unit 9 having a 2-out-of-4 logic circuit configured with hardware; and a determination unit 20. Each detection signal from a quad detector 1 is input to the arithmetic logic unit 4 and the arithmetic logic unit 9. The arithmetic logic unit 4 performs 2-out-of-4 logic operation of the negative logic, based on four detection signals input to output a digital signal. The arithmetic logic unit 9 outputs an electrical signal from the 2-out-of-4 logic circuit to which the four detection signals are input. The determination unit 20 determines whether the output of the arithmetic logic unit 4 through a NOT circuit agrees with the output of the arithmetic logic unit 9. If both outputs agree, the program of the 2-out-of-4 logic operation of the negative logic is determined as being normal. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a digital safety protection device, and more particularly to a digital safety protection device suitable for application to a nuclear power plant.

  In a nuclear power plant, a digital controller having a software logic circuit using a microprocessor is used. This digital control device is used for devices such as pumps and valves installed in nuclear power plants when process values such as reactors and pipes detected by detectors such as pressure gauges and flow meters reach set values. Digital control that outputs digital control signals is performed.

  In the nuclear power plant, for the purpose of ensuring the safety of the plant, a safety protection device is provided to prevent an abnormal transient state or the like when it may occur. An example of a safety protection device is described in JP-A-63-140305. This safety protection device operates a scram solenoid valve in order to urgently insert a control rod into the reactor core during a reactor scram. As the safety protection device, there is a safety protection device using a software logic circuit (see FIG. 6 of JP-A-63-140305). This safety protection device performs signal processing by two out-of-four logics based on signals output from a plurality of digital trip modules (DTMs) that input detection signals from quadruple detectors. It has a signal processing device. The output of each signal processing device is input to a corresponding switch among a plurality of switches (relays or contactors) in the power circuit.

  Furthermore, the nuclear power plant is provided with an emergency core water injection device that supplies cooling water to the nuclear reactor in the event of a loss of coolant. The emergency core water injection device has three independent safety systems, and each safety system has a high pressure core water injection system and a low pressure core water injection system. The safety high-pressure core water injection system in one of the three categories is an isolated cooling system (RCIC). Safety protection devices are used in the control devices that drive the pumps of these core water injection systems. As this safety protection device, there is used a safety protection device constituted by a microprocessor for performing signal processing by 2-out-of-four logic as shown in FIG. 9 of Japanese Patent Laid-Open No. 63-140305.

  Each of the above-described safety protection devices is a digital safety protection device that performs signal processing using 2 out of 4 logic using software.

JP-A 63-140305

  The digital security protection device performs signal processing based on multiplexed 2 out-of-four logic in order to increase reliability, but performs signal processing based on multiplexed 2 out-of-four logic in the same software logic circuit. ing. In other words, in the digital security protection device, signal processing by 2 out of 4 logic is multiplexed using the same software logic circuit.

  For this reason, when a problem or failure occurs in the software logic circuit itself, the same failure may occur simultaneously in all control devices having the same software logic circuit, and the control function may be lost. This problem is called common cause failure (CCF).

  Since the digital safety protection device described in Japanese Patent Application Laid-Open No. 63-140305 does not have a function of detecting the occurrence of a common factor failure, there is a possibility that an operator's response operation is delayed.

  An object of the present invention is to provide a digital safety protection device that can easily confirm the occurrence of a common factor failure.

  A feature of the present invention that achieves the above-described object is that a quadruple is provided in which each detection signal output from each of the quadruple detectors is separately input and a trip signal is output for the detection signal exceeding the threshold. The output signals from the first set value comparison device and the quadruple first set value comparison device are input, and a 2 out of 4 logic operation program is executed using a 2 out of 4 logic operation program. Each of the detection signals output from each of the two out-of-four logic operation devices and the quadruple detectors is separately input, and a trip signal is output in response to the detection signal exceeding the threshold value. 2 out-of-four logic device configured by using a plurality of hardware elements to input the second set value comparison device that is duplicated and the respective output signals from the second set value comparison device that is quadruple And 2 out of 4 logic The output signal of the calculation device, and in that a determination device that performs the first abnormality determination based on the output signal of the 2-out-of-4 logic device.

  Since the first abnormality determination is performed based on the output signal of the 2-out-of-4 logic operation device and the output signal of the 2-out-of-4 logic device, the 2-out-of-4 used in the 2-out-of-4 logic operation device It is possible to easily know the abnormality of the logical operation program, that is, the occurrence of the common factor failure.

  A quadruple first set value comparison device for separately inputting each detection signal output from each of the quadruple detectors and outputting a trip signal for the detection signal exceeding the threshold; A 2-out-of-4 logic operation device that inputs an output signal from each of the first set value comparison devices that are duplicated and executes a 2-out-of-4 logic operation using a 2-out-of-4 logic operation program; An output device that is connected to an of-four logic operation device by an optical fiber and outputs an output signal output from the 2-out-of-four logic operation device to an object to be controlled from an output unit; The above-described object can also be achieved by including a determination device that performs abnormality determination based on the output signal of the unit.

  Since the determination device makes an abnormality determination based on the output signal of the 2-out-of-4 logic operation device and the output signal of the output unit, the electric / light arranged on the line connected to the 2-out-of-4 logic operation device It is possible to easily know the abnormality of the conversion device or the optical / electrical conversion device, that is, the occurrence of the common factor failure.

  According to the present invention, it is possible to easily confirm the occurrence of a common factor failure in a digital safety protection device.

It is a block diagram of the digital security protection apparatus of Example 1 which is one preferable Example of this invention. It is a specific block diagram of the digital safety protection apparatus shown in FIG. 1 applied to a boiling water nuclear power plant. It is a detailed block diagram of the power supply circuit shown in FIG. It is a block diagram of the determination apparatus shown in FIG. It is a block diagram of the digital security protection apparatus of Example 2 which is another Example of this invention. It is a specific block diagram of the digital safety protection apparatus shown in FIG. 5 applied to a boiling water nuclear power plant. It is a block diagram of the determination apparatus shown in FIG. It is a block diagram of the digital security protection apparatus of Example 3 which is another Example of this invention. It is a specific block diagram of the digital safety protection apparatus shown in FIG. 8 applied to a boiling water nuclear power plant. It is a block diagram of the determination apparatus shown in FIG. It is a block diagram of the digital security protection apparatus of Example 4 which is another Example of this invention. It is a block diagram of the digital security protection apparatus of Example 5 which is another Example of this invention. It is a block diagram of the digital security protection apparatus of Example 6 which is another Example of this invention. It is a block diagram of the digital security protection apparatus of Example 7 which is another Example of this invention. It is a specific block diagram of the digital safety protection apparatus shown in FIG. 14 applied to the boiling water nuclear power plant. It is a block diagram of the digital security protection apparatus of Example 8 which is another Example of this invention.

  Examples of the present invention will be described below.

  A digital security protection device according to Embodiment 1, which is a preferred embodiment of the present invention, will be described with reference to FIGS. 1, 2, 3, and 4. FIG.

  The digital safety protection device 2 of this embodiment includes an input device 3, a logical operation device 4, a hard backup logical operation device 9, an output device 8, and a determination device 20 (see FIG. 1), for example, boiling water nuclear power Used in plants. A reactor (not shown) in a boiling water nuclear power plant is provided with a plurality of control rods (not shown) for controlling the reactor power. Each control rod is connected to a control rod drive mechanism (not shown) provided at the bottom of the reactor, and is inserted into and removed from the core by operation of the control rod drive mechanism to control the reactor output. When scramming a nuclear reactor, pressurized water must be supplied from a scram accumulator (not shown) to the control rod drive mechanism and the control rod must be quickly inserted into the core. The on-off valve is provided in a pressurized water supply pipe (not shown) for supplying pressurized water from the scrum accumulator to the control rod drive mechanism. When the reactor is scrammed, the on-off valve is opened to supply pressurized water in the scram accumulator into the control rod drive mechanism through the pressurized water supply pipe. The on-off valve is an air operated valve, and the scram solenoid valve 40 is provided in a working air pipe for operating the on-off valve. The digital safety protection device 2 of this embodiment is used for opening control of the scram solenoid valve 40.

  A multiplexed detector 1 for measuring one process quantity is connected to the input device 3. The logical operation device 4 and the hard backup logical operation device 9 are connected to the input device 3 and the determination device 20, respectively. The logical operation device 4 is connected to the output device 8. A display device 27 is connected to each of the logical operation device 4, the hard backup logical operation device 9, and the determination device 20.

  A specific configuration of the digital security protection device 2 will be described with reference to FIG. As quadruple detectors 1 for measuring one process quantity, detectors 1A, 1B, 1C, and 1D are installed in piping of a nuclear power plant or the like and arranged close to each other. The input device 3 has field transmission boards RMU-A, RMU-B, RMU-C, and RMU-D. Detector 1A is connected to field transmission board RMU-A, and detector 1B is connected to field transmission board RMU-B. Detector 1C is connected to field transmission board RMU-C, and detector 1D is connected to field transmission board RMU-D.

  The logical operation device 4 includes a set value comparison device 5 and a logical operation unit 6. The set value comparison device 5 includes set value comparison units (digital trip modules) DTM-A, DTM-B, DTM-C, and DTM-D, and the logic operation unit 6 is a 3 out-of-four logic operation unit 7A. 7B, 7C, 7D. Each of the 3 out-of-4 logic operation units 7A, 7B, 7C, and 7D is a software operation device, and has the same program for executing the 3 out-of-4 logic operation. The set value comparison unit DTM-A is connected to the on-site transmission panel RMU-A and the 3 out-of-4 logic operation unit 7A, and the set value comparison unit DTM-B is connected to the on-site transmission panel RMU-B and the 3 out of 4 logic operation unit 7B. Connected to. The set value comparison unit DTM-C is connected to the on-site transmission board RMU-C and the 3 out of 4 logic operation unit 7C. The set value comparison unit DTM-D is connected to the on-site transmission board RMU-D and the 3 out of 4 logic operation unit 7D. Each field transmission board RMU and each set value comparison unit DTM are connected by optical fibers. Each set value comparison unit DTM and each out-of-four logic operation unit are also connected by an optical fiber. Each set value comparison unit (first set value comparison unit) DTM-A, DTM-B, DTM-C, and DTM-D is a software arithmetic unit (microprocessor), and a signal determination unit (not shown). And a NOT circuit (not shown). The signal determination unit and the NOT circuit perform a predetermined function using a program.

  The output device 8 includes output logic units OLU-A, OLU-B, OLU-C, and OLU-D, and load drive circuits (output units) LDM-A, LDM-B, LDM-C, and LDM-D. The output logic unit OLU-A is connected to the 3 out-of-four logic operation unit 7A and the load driving circuit LDM-A by an optical fiber. The output logic unit OLU-B is connected to the 3 out of 4 logic operation unit 7B and the load driving circuit LDM-B by an optical fiber. The output logic unit OLU-C is connected to the 3 out of 4 logic operation unit 7C and the load driving circuit LDM-C by an optical fiber. The output logic unit OLU-D is connected to the 3 out-of-four logic operation unit 7D and the load driving circuit LDM-D by an optical fiber.

  The hard backup logical operation device 9 includes analog / digital converters (second set value comparison devices) A / D-A, A / D-B, A / D-C, A / D-D, and hardware logic device 10. Have The analog / digital converter A / D-A is connected to the field transmission board RMU-A, and the analog / digital converter A / D-B is connected to the field transmission board RMU-B. The analog / digital converter A / D-C is connected to the field transmission board RMU-C, and the analog / digital converter A / D-D is connected to the field transmission board RMU-D.

  The hardware logic device 10 includes switches (for example, any one of relays and contactors) 11 to 18 which are switch devices (see FIG. 3). The input ends of the switch 11 and the switch 12 arranged in parallel are connected to each other, and these connection points are connected to the power source 41. The output terminals of the switch 11 and the switch 12 are also connected to each other. The input ends of the switch 15 and the switch 16 arranged in parallel are connected to each other, and these connection points are connected to the connection points of the output ends of the switch 11 and the switch 12. The output terminals of the switch 15 and the switch 16 are also connected to each other. The switch 13 and the switch 17 are connected in series, and the input end of the switch 13 is connected to the power supply 41. The switch 14 and the switch 18 are connected in series, and the input end of the switch 14 is connected to the power supply 41. The connection point of each output end of the switch 15 and the switch 16, the output end of the switch 17, and the output end of the switch 18 are connected to each other to form a connection point 43. This connection point 43 is connected to the determination device 20. The hardware logic device 10 configured by connecting the switches 11 to 18 as hardware elements as described above constitutes a 2-out-of-four logic circuit by hardware.

  Each of the 3 out-of-four logical operation units 7A, 7B, 7C, and 7D is also connected to the determination device 20. The 3-out-of-four logic operation unit 7A is connected to the determination device 20 via the NOT circuit 29A. The 3 out-of-four logical operation unit 7B is connected to the determination device 20 via the NOT circuit 29B. The 3-out-of-four logic operation unit 7C is connected to the determination device 20 via the NOT circuit 29C. The 3-out-of-four logic operation unit 7D is connected to the determination device 20 via the NOT circuit 29D.

  Although not shown in FIG. 2, the determination device 20 includes four determination circuits 21. As shown in FIG. 4, each determination circuit 21 includes an AND circuit 22, OR circuits 23 and 25, NOT circuits 24 and 27, and a timer 26.

  The determination circuit 21 to which the 3 out-of-4 logic operation unit 7A is connected will be described. A NOT circuit 29A is connected to each input terminal of the AND circuit 22 and the OR circuit 23 of the determination circuit 21. A connection point 43 of the hardware logic device 10 is connected to each input terminal of the AND circuit 22 and the OR circuit 23. The OR circuit 23 is connected to the NOT circuit 24. An AND circuit 22 and a NOT circuit 24 are connected to the OR circuit 25. The OR circuit 25 is connected to the NOT circuit 27A via the timer 26.

  The connection point 43 is connected to each input terminal of the AND circuit 22 and the OR circuit 23 of the remaining three determination circuits 21. A NOT circuit 29 </ b> B connected to the 3 out-of-four logic operation unit 7 </ b> B is connected to each input terminal of the AND circuit 22 and the OR circuit 23 of one determination device 20 among the remaining three determination circuits 21. A NOT circuit 29 </ b> C connected to the 3 out-of-four logic operation unit 7 </ b> C is connected to each input terminal of the AND circuit 22 and the OR circuit 23 of the other determination device 20 among the remaining three determination circuits 21. . A NOT circuit 29D connected to the 3-out-of-4 logic operation unit 7D is connected to each input terminal of the AND circuit 22 and the OR circuit 23 of the last determination device 20 among the remaining three determination circuits 21.

  As shown in FIG. 3, the power supply circuit 31 includes power supply circuits 31A and 31B. The power circuit 31A includes switches 32 to 35, and the power circuit 31B includes switches (switch devices) 36 to 39. These switches are, for example, relays (or contactors). A switch 32 is connected to each input end of switches 33 and 34 arranged in parallel. The output ends of the switches 33 and 34 are connected to the switch 35. A switch 36 is connected to each input end of switches 37 and 38 arranged in parallel. The output ends of the switches 37 and 38 are connected to the switch 39. The switches 32 and 36 are connected to the power source 41.

  The scram solenoid valve 40 is provided with an electromagnet (not shown) for opening and closing the valve body. Two exciting coils 42A and 42B are provided in the electromagnet. The switch 35 is connected to the excitation coil 42A, and the switch 39 is connected to the excitation coil 42B. When the exciting coils 42A and 42B are in a non-excited state, the electromagnet operates to open the scram solenoid valve 40.

  A two-out-of-four logic circuit includes a power circuit 31A having the switches 32 to 35 connected as described above, a power circuit 31B having the switches 36 to 39 connected as described above, and exciting coils 42A and 42B. Is configured.

  Electric / optical converters such as the electric / optical converters 44A and 44B used in this embodiment use the same program. The optical / electrical converters such as the optical / electrical converters 45A and 45B use the same program. The program used in the electrical / optical converter is functionally different from the program used in the optical / electrical converter.

  The operation of the digital safety protection device 2 will be described. Detection signals output from the detectors 1A, 1B, 1C, and 1D that measure one process amount are input to the input device 3. Specifically, the detection signal from the detector 1A is input to the field transmission board RMU-A, the detection signal from the detector 1B is input to the field transmission board RMU-B, and the detection signal from the detector 1C is input to the field. The signal is input to the transmission board RMU-C, and the detection signal from the detector 1D is input to the field transmission board RMU-D. These on-site transmission boards RMU convert the detection signal, which is an analog signal output from the above-described detector, into an optical signal by the electrical / optical converter 44A provided therein.

  The optical signal output from the electrical / optical converter 44A of the on-site transmission board RMU is input to the logic operation device 4. Specifically, the optical signal output from the on-site transmission board RMU-A is converted into an electrical signal by the optical / electrical converter 45B, and this electrical signal is input to the set value comparison unit DTM-A. The optical signal output from the electrical / optical converter 44A of the on-site transmission board RMU-B is converted into an electrical signal by the optical / electrical converter 45B, and this electrical signal is input to the set value comparison unit DTM-B. The optical signal output from the electrical / optical converter 44A of the on-site transmission board RMU-C is converted into an electrical signal by the optical / electrical converter 45B, and this electrical signal is input to the set value comparison unit DTM-C. The optical signal output from the electrical / optical converter 44A of the field transmission board RMU-D is converted into an electrical signal by the optical / electrical converter 45B, and this electrical signal is converted into the set value comparison unit DTM-D and the analog / digital converter A. / D-D. Each optical signal output from the electrical / optical converter 44A is a digital signal.

  The detection signal from the detector input to the on-site transmission board RMU is input to the hard backup logic arithmetic unit 9 in the state of an electric signal without passing through the electric / optical converter 44A. Specifically, the detection signal from the detector 1A input to the on-site transmission board RMU-A does not pass through the electrical / optical converter 44A, but is in the state of an electrical signal, and the analog / digital converter A / DA Is input. The detection signal from the detector 1B input to the on-site transmission board RMU-B is input to the analog / digital converter A / D-B in the state of an electric signal without passing through the electric / optical converter 44A. The detection signal from the detector 1C input to the on-site transmission board RMU-C is input to the analog / digital converter A / D-C in the state of an electric signal without passing through the electric / optical converter 44A. The detection signal from the detector 1D input to the on-site transmission board RMU-D is input to the analog / digital converter A / D-D in the state of an electric signal without passing through the electric / optical converter 44A.

  First, signal processing in the logical operation device 4 will be described. The signal determination unit of the set value comparison unit DTM-A outputs a logic “0”, which is a digital signal, when the input electrical signal does not exceed the threshold value that requires the operation of the scram solenoid valve 40. The signal determination unit outputs a digital signal of logic “1” when the electrical signal exceeds a threshold value that requires the operation of the scram solenoid valve 40. In the set value comparison unit DTM-A, a NOT circuit that inputs a digital signal generated by the signal determination unit outputs a logic “1” digital signal when a logic “0” digital signal is input. When a digital signal of “0” is input, a digital signal of logic “0” is output. As a result, the set value comparison unit DTM-A outputs a digital signal of logic “1” when the input electric signal does not exceed the threshold value, and outputs a logic “0” when the electric signal exceeds the threshold value. Output a digital signal. The set value comparison unit DTM-A converts the digital signal generated by the NOT circuit into an optical signal and outputs the optical signal to the 3 out-of-4 logic operation units 7A, 7B, 7C, and 7D, respectively.

  The set value comparison units DTM-B, DTM-C and DTM-D also perform the same signal processing as the set value comparison unit DTM-A, and output a digital signal of logic “1” when the electric signal does not exceed the threshold value. When the electric signal exceeds the threshold value, a digital signal of logic “0” is output. In this embodiment, a digital signal of logic “0” that is output when each set value comparison unit DTM exceeds a threshold value is a trip signal. The set value comparison units DTM-A to D perform a process of comparing an electric signal with a threshold value and a NOT circuit, respectively, using software. The set value comparison units DTM-B, DTM-C, and DTM-D convert the digital signal generated by each NOT circuit into an optical signal by an electric / optical converter (not shown), and perform a three-out-of-four logical operation. Output to the sections 7A, 7B, 7C, and 7D, respectively.

  The three out-of-four logic operation units 7A, 7B, 7C, and 7D are optical / electrical circuits provided with the digital signals of the optical signals output from the set value comparison units DTM-B, DTM-C, and DTM-D, respectively. The electric signal is converted by a converter (not shown). Each of the 3 out-of-4 logic operation units 7A, 7B, 7C, and 7D performs a 3 out-of-4 logic operation by a program, and inputs a logic “1” when three or more logic “1” digital signals are input. The digital signal is output. These three out-of-four logic operation units, when there are two or less digital signals of logic “1” among the four input digital signals, the three out-of-four logic is not established, and the logic “0” Output digital signals.

  A digital signal converted into an optical signal by the electrical / optical converter 44B in each of the 3 out-of-4 logic operation units is input to each output logic unit OLU. The digital signal output from the 3 out-of-four logic operation unit 7A is input to the output logic unit OLU-A of the output device 8, and is converted into an electrical signal by the optical / electrical converter 45B. The digital signal output from the 3 out-of-four logic operation unit 7B is input to the output logic unit OLU-B and converted into an electrical signal. The digital signal output from the 3 out-of-four logic operation unit 7C is input to the output logic unit OLU-C and converted into an electrical signal. The digital signal output from the 3 out-of-4 logic operation unit 7D is input to the output logic unit OLU-D and converted into an electrical signal. An optical / electrical converter 45B is provided at each input end of the output logic units OLU-B, OLU-C, and OLU-D. The output logic units OLU-A, OLU-B, OLU-C, and OLU-D each receive a logic “0” as a trip signal when a digital signal of logic “0” is input from the corresponding 3 out-of-four logic operation unit. A digital signal of “0” is output. The output logic unit OLU to which the logic “1” digital signal output from the 3 out-of-four logic operation unit 7D is input performs a bypass process and outputs a logic “1” digital signal. Each output logic unit OLU converts a digital signal into an optical signal by an electric / optical converter (not shown) and outputs the optical signal.

  Each load driving circuit LDM converts a digital signal input from each output logic unit OLU into an electric signal by an optical / electrical converter. The load driving circuit LDM-A closes the switches 32 and 37 when a logic “1” digital signal is input from the output logic unit OLU-A, and inputs a logic “0” digital signal from the output logic unit OLU-A. Then, the switches 32 and 37 are opened. The load driving circuit LDM-B closes the switches 33 and 36 when a logic “1” digital signal is input from the output logic unit OLU-B, and inputs a logic “0” digital signal from the output logic unit OLU-A. Then, the switches 33 and 36 are opened. The load driving circuit LDM-C closes the switches 34 and 39 when a logic “1” digital signal is input from the output logic unit OLU-C, and inputs a logic “0” digital signal from the output logic unit OLU-A. Then, the switches 34 and 39 are opened. The load driving circuit LDM-D closes the switches 35 and 38 when a logic “1” digital signal is input from the output logic unit OLU-D, and inputs a logic “0” digital signal from the output logic unit OLU-A. Then, the switches 35 and 38 are opened.

  A case will be described in which each of the detectors 1A and 1B outputs a detection signal that exceeds the threshold value, and each of the detectors 1C and 1D outputs a detection signal that does not exceed the threshold value. Since the respective detection signals from the detectors 1A and 1B exceed the threshold value, the set value comparison units DTM-A and DTM-B each output a digital signal of logic “0”. Since the detection signals from each of the detectors 1C and 1D do not exceed the threshold value, the set value comparison units DTM-C and DTM-D each output a digital signal of logic “1”. At this time, in each of the three out-of-four logic operation units 7A, 7B, 7C, and 7D to which the output of each set value comparison unit DTM is input, two digital signals among the four input digital signals are logical “0”. Therefore, 3 out of 4 logic is not established, and a digital signal of logic “0” is output. As a result, the output logic units OLU-A, OLU-B, OLU-C, and OLU-D output digital signals of logic “0” as trip signals, respectively, and load drive circuits LDM-A and LDM-B. , LDM-C, and LDM-D each output a digital signal of logic “0”. For this reason, all the switches 32 to 39 are opened, and excitation of the excitation coils 42A and 42B is stopped. The scram solenoid valve 40 is opened to open the on-off valve, and pressurized water in the scrum accumulator is supplied to the control rod drive mechanism. Control rods are quickly inserted into the core and the reactor is scrammed.

  Next, the case where the detectors 1A, 1B, and 1C output detection signals that are equal to or lower than the threshold value and the detector 1D detects that the threshold value is exceeded will be described. The set value comparison units DTM-A, DTM-B, and DTM-C, to which the detection signals of the detectors 1A, 1B, and 1C are input, respectively output digital signals of logic “1”. The set value comparison unit DTM-D that has received the detection signal from the detector 1D outputs a digital signal of logic “0”. Digital signals output from the set value comparison units DTM-A, DTM-B, DTM-C, and DTM-D are input to the three out-of-four logic operation units 7A, 7B, 7C, and 7D, respectively. At this time, each of the three out-of-four logic operation units 7A, 7B, 7C, and 7D has three out-of-four logics because three of the four input digital signals are logic “1”. , A digital signal of logic “1” is output. Each of the load driving circuits LDM-A, LDM-B, LDM-C, and LDM-D outputs a digital signal of logic “1”. As a result, all the switches 32 to 39 are closed.

  In this state, the exciting coil 42A is excited by the current supplied from the power source 41 via the switches 32 to 35, and the exciting coil 42B is excited by the current supplied from the power source 41 via the switches 36 to 39. . Since the excited exciting coils 42A and 42B function the electromagnet, the valve body of the scram solenoid valve 40 is closed. For this reason, the on-off valve provided in the pressurized water supply pipe is also closed, and the pressurized water in the scrum accumulator is not supplied to the control rod drive mechanism.

  Each of the three out-of-four logic operation units 7A, 7B, 7C, and 7D outputs a negative logic that outputs a logic “0” when two or more of the input four digital signals are a logic “0”. 2 out of 4 logic operation section.

  The function of the hard backup logical arithmetic unit 9 provided in the digital security protection device 2 of the present embodiment will be described. The on-site transmission board RMU-A outputs the detection signal input from the detector 1A to the analog / digital converter A / DA in the state of an electric signal. When the electrical signal (detection signal) exceeds a threshold value, the analog / digital converter A / DA outputs a digital signal of logic “1” (trip signal in the hard backup logic arithmetic unit 9). This digital signal of logic “1” closes the switches 15 and 17. The analog-to-digital converter A / DA outputs a digital signal of logic “0” when the electrical signal does not exceed the threshold value. This digital signal of logic “0” opens the switches 15 and 17.

  The on-site transmission board RMU-B outputs the detection signal input from the detector 1B to the analog / digital converter A / D-B in the state of an electric signal. The analog / digital converter A / D-B outputs a digital signal of logic “1” when the electrical signal (detection signal) exceeds a threshold value. This logic “1” digital signal closes switches 13 and 16. The analog / digital converter A / D-B outputs a digital signal of logic “0” when the electrical signal does not exceed the threshold value. This digital signal of logic “0” opens the switches 13 and 16.

  The on-site transmission board RMU-C outputs the detection signal input from the detector 1C to the analog / digital converter A / D-C in the form of an electric signal. The analog / digital converter A / D-C outputs a digital signal of logic “1” when the electrical signal (detection signal) exceeds a threshold value. This logic “1” digital signal closes switches 12 and 18. The analog / digital converter A / D-C outputs a digital signal of logic “0” when the electrical signal does not exceed the threshold value. This digital signal of logic “0” opens the switches 12 and 18.

  The on-site transmission board RMU-D outputs the detection signal input from the detector 1D to the analog / digital converter A / D-D in the form of an electric signal. The analog / digital converter A / D-D outputs a digital signal of logic “1” when the electrical signal (detection signal) exceeds a threshold value. This digital signal of logic “1” closes the switches 11 and 14. The analog-digital converter A / D-D outputs a digital signal of logic “0” when the electrical signal does not exceed the threshold value. This digital signal of logic “0” opens the switches 11 and 14.

  The switches 11 to 19 are closed by a logic “1” digital signal and energized, and opened by a logic “0” digital signal to stop energization. The hardware logic device 10 having the switches 11 to 19 in which such switching operations are performed is a digital in which at least two of the four electrical signals output from the four analog-to-digital converters A / D are logic “1”. When it is a signal, the voltage of the power supply 41 from the connection point of each output end of the switch 15 and the switch 16, the output end of the switch 17, and the output end of the switch 18, that is, An electrical signal of logic “1” is output. Of the four electrical signals output from the four analog-to-digital converters A / D, when only one electrical signal is a digital signal having a logic “1”, or all the electrical signals are digital signals having a logic “0” The hardware logic device 10 outputs an electrical signal of logic “0” from the connection point 43. The electric signal output from the connection point 43 is input to each input terminal of each of the AND circuit 22 and the OR circuit 23 of the four determination circuits 21 provided in the determination device 20.

  The digital signal output from the 3 out-of-four logic operation unit 7A passes through a NOT circuit 29A, and the AND circuit 22 and the OR circuit 23 of one determination circuit 21 out of four determination circuits 21 provided in the determination device 20 Input to each input terminal. The digital signal output from the 3 out-of-four logic operation unit 7B passes through the NOT circuit 29B, and the AND circuit 22 and the OR circuit of the other determination circuit 21 among the four determination circuits 21 provided in the determination device 20 23 is input to each input terminal. The digital signal output from the 3 out-of-four logic operation unit 7C passes through the NOT circuit 29C, and the AND circuit 22 and the OR circuit of the other determination circuit 21 among the four determination circuits 21 provided in the determination device 20 23 is input to each input terminal. The digital signal output from the 3 out-of-four logic operation unit 7D passes through the NOT circuit 29D, and the AND circuit 22 and the OR circuit of the other determination circuit 21 among the four determination circuits 21 provided in the determination device 20 23 is input to each input terminal.

  Since the four determination circuits 21 provided in the determination device 20 function in the same manner, the contents of processing performed by the determination circuit 21 for the determination circuit 21 connected to the connection point 43 and the 3 out-of-four logic operation unit 7A are described. This will be specifically described with reference to FIG. The AND circuit 22 outputs a logic “1” only when the electrical signal input from the connection point 43 and the digital signal input from the NOT circuit 29A are both logic “1”, and at least one of these electrical signals and digital signals is output. When one is logic “0”, a logic “0” is output. The OR circuit 23 outputs logic “1” when at least one of the input electric signal and digital signal is logic “1”, and the NOT circuit 24 inverts the logic output from the OR circuit 23 (for example, logic “1” to logic “0”). The OR circuit 25 outputs a logic “1” when at least one of the signals output from the AND circuit 22 and the NOT circuit 24 is a logic “1”. The output of the OR circuit 25 is input to the timer 26.

  Since the logical operation device 4 involves calculation processing by a program, the time required to output the output signal obtained in the calculation processing of the input signal is longer than that of the hard backup logical operation device 9. That is, the operation speed of the hard backup logic operation device 9 is faster than that of the logic operation device 4. The timer 26 is provided to compensate for the difference in the calculation speed. When a signal (logic “0”) indicating the occurrence of the common factor failure is input from the OR circuit 25, the timer 26 indicates the occurrence of the common factor failure. The signal is set time (the time required to output the output signal obtained by the arithmetic processing of the input signal in the logic arithmetic unit 4 and the output signal obtained by the arithmetic processing of the input signal in the hard backup logical arithmetic unit 9 The output is delayed by the difference from the time required for output. The timer 26 outputs a logic “1” during the set time after inputting a signal (logic “0”) indicating the occurrence of the common factor failure, and inputs a signal indicating the occurrence of the common factor failure. When the set time has elapsed, a logic “0” is output. By installing the timer 26, it is possible to reliably detect the occurrence of a common factor failure without causing an erroneous common factor failure (CCF) determination due to the difference in the computation speed between the logic operation device 4 and the hard backup logic operation device 9. I can do it now.

  The display device 27 (see FIG. 1) receives the output of the timer 26 and the output of the NOT circuit 27A. The NOT circuit 27A receives the output from the timer 26, inverts the logic of this output (for example, changes the logic “1” to the logic “0”), and outputs it. When the output of the timer 26 is logic “1”, the logic operation device 4 is normal, and when the output of the timer 26 is logic “0”, a common factor failure has occurred in the logic operation device 4. When the timer 26 outputs the logic “1”, the display device 27 inputs the logic “1” output from the timer 26 to display the display information “3 out-of-four logic operation unit 7A is normal”. To do. At this time, since the NOT circuit 27A outputs logic “0”, display information “common cause failure occurrence” is not displayed on the display device 27. When the logic “0” is output from the timer 26, the display device 27 displays display information “common cause failure occurrence”. This is because the NOT circuit 27A changes the logic “0” output from the timer 26 to the logic “1” and outputs it. The logic “0” output from the timer 26 is input to the display device 27 as it is, but the display device 27 does not display the display information “3 out-of-four logic operation unit 7A is normal”.

  Each determination circuit 21 connected to the NOT circuits 29B, 29C, and 29D performs the same processing as the determination circuit 21 connected to the NOT circuit 29A, and outputs the obtained determination information to the display device 27. The outputs of the 3 out-of-four logic operation units 7A, 7B, 7C, and 7D and the output from the connection point 43 are also displayed on the display device 27.

  When the detection signals output from each of the detectors 1A, 1B, 1C, and 1D are equal to or less than the threshold value, the set value comparison units DTM-A, DTM-B, DTM-C, and DTM-D each have a logical “1”. Is output as a digital signal. For this reason, in the 3 out-of-four logic operation units 7A, 7B, 7C, and 7D that input the digital signals of logic “1” output from these set value comparison units DTM, multiple out-of-four logic multiple logic If the arithmetic program functions normally, all three out-of-four logical operation units each output a digital signal of logic “1”. However, the 3 out-of-4 logic operation units 7A, 7B, and 7C function normally and output a logic "1" digital signal, but the 3 out-of-4 logic operation unit 7D has a logic "0" due to an abnormal program. Is output as a digital signal.

  As a result, each of the NOT circuits 29A, 29B, and 29C that input a logic “1” digital signal outputs a logic “0” digital signal. A NOT circuit 29D that inputs a digital signal of logic “0” outputs a digital signal of logic “1”. The logic “0” digital signals output from the NOT circuits 29A, 29B, and 29C and the logic “1” digital signal output from the NOT circuit 29D are among the four determination circuits 21 provided in the determination device 20. Is input to each of the determination circuits 21.

  The analog-digital converters A / DA, A / D-B, A / D-C, and A / D-D, to which the detection signals output from the detectors 1A, 1B, 1C, and 1D are separately input, Since each detection signal does not exceed the threshold value, a digital signal of logic “0” is output. All of the switches 11 to 19 of the hardware logic device 10 are logic “0” output from the analog-digital converters A / D-A, A / D-B, A / D-C, and A / D-D. Open by each digital signal. Therefore, a logic “0” digital signal is output from the connection point 43 of the hardware logic device 10, and the logic “0” digital signal is input to each of the four determination circuits 21 provided in the determination device 20. .

  Each AND circuit 22 of the three determination circuits 21 separately connected to the NOT circuits 29A, 29B, and 29C is a digital signal of logic “0” that is an output of the corresponding NOT circuit and an output signal from the connection point 43. Since a digital signal having a certain logic “0” is input, a digital signal having a logic “0” is output. Each of the OR circuits 23 of these three determination circuits 21 outputs a logic “0” because the two input signals are both a logic “0”. The NOT circuit 24 inputs the output of the OR circuit 23 and outputs a logic “1”. Each of the OR circuits 25 of these three determination circuits 21 receives a logic “0” from the AND circuit 22, a logic “1” from the NOT circuit 24, and outputs a logic “1”. The timer 26 having received this logic “1” outputs a logic “1” as a result. The logic “1” output from the timers 26 of these three determination circuits 21 is output to the display device 27. The NOT circuit 27A of these three determination circuits 21 outputs a logic “0”. For this reason, the display device 27 displays display information “3 out-of-four logic operation units 7A, 7B, and 7C are normal”.

  The AND circuit 22 of the determination circuit 21 connected to the NOT circuit 29D has a logic “1” digital signal that is an output of the corresponding NOT circuit 29D and a logic “0” digital signal that is an output signal from the connection point 43. Therefore, a digital signal of logic “0” is output. The OR circuit 23 of the determination circuit 21 connected to the NOT circuit 29D receives the logic “1” digital signal that is the output of the NOT circuit 29D and the logic “0” digital signal that is the output signal from the connection point 43. Therefore, logic “1” is output. The NOT circuit 24 that inputs this logic “1” outputs a logic “0”. The OR circuit 25 of the determination circuit 21 connected to the NOT circuit 29D, to which the logic “0” is input from the AND circuit 22 and the NOT circuit 34, outputs the logic “0” to the timer 26. As described above, the timer 26 having inputted the logic “0” outputs the logic “0” when the set time has elapsed from the time when the logic “0” was inputted. The logic circuit “0” is input from the timer 26 and the NOT circuit 27A of the determination circuit 21 connected to the NOT circuit 29D outputs the logic “1”. The display device 27 that has input the logic “1” from the NOT circuit 27A displays the display information “3 out-of-four logic operation unit 7D has a common factor failure”. The display device 27 inputs the logic “0” that is the output of the timer 26, but the display information “3 out-of-four logic operation unit 7 </ b> D is normal” is displayed because the output of the timer 26 is not the logic “1”. do not do.

  The operator can know whether each of the 3 out-of-four logical operation units 7A, 7B, 7C, and 7D is normal or not by looking at the information displayed on the display device 27. In the example described above, it can be known that a common factor failure has occurred in the 3 out-of-four logic operation unit 7D. In order to notify the operator of the occurrence of the common factor failure, the determination circuit 21 connected to the NOT circuit 29D generates an alarm when the timer 26 outputs a digital signal of logic “0”. In each determination circuit 21 connected to the NOT circuits 29A, 29B, and 29C, each timer 26 outputs a digital signal of logic “1”, so that the three out-of-four logic operation units 7A, 7B, and 7C are out of three. Each program of 4 logic operations is normal.

  According to the present embodiment, the digital signal generated by the 2 out-of-four logic operation unit configured by software and the electrical output from the hardware logic device 10 having the 2 out-of-four logic circuit configured by hardware. Since the signals are compared, it can be easily understood that the common cause failure has occurred in the 2-out-of-4 logic operation unit configured by software. In particular, in this embodiment, the determination device 20 includes four determination circuits 21, and the digital signals output from the four 2-out-of-four logic operation units and the electrical signals output from the hardware logic device 10 are received. Since the comparison is made, it is possible to identify the 2-out-of-4 logic operation unit in which the common factor failure has occurred among the four 2-out-of-4 logic operation units. In this embodiment, the three out-of-four logic operation units 7A, 7B, and 7C that output a logic “1” digital signal when there are at least three logic “1” digital signals among the four input digital signals. , 7D are negative logic 2-out-of-4 logic operation units as described above.

  The hardware 2 out-of-four logic circuit in the hardware logic device 10 connects the switches 32 to 39 like the power supply circuits 31A and 31B shown in FIG. 2, and the output terminal of the switch 35 and the output of the switch 39 The connection point 43 may be the end connection point.

  A digital security protection device according to embodiment 2, which is another embodiment of the present invention, will be described with reference to FIGS.

  The digital safety protection device 2A according to the present embodiment has a configuration in which the determination device 20 is replaced with the determination device 20A in the digital safety protection device 2 according to the first embodiment, and the output of each load driving circuit LDM is input to the determination device 20A. Other configurations of the digital security protection device 2A are the same as those of the digital security protection device 2. In addition to the function of comparing the output of the 2 out-of-four logic operation unit configured by software in the digital safety protection device 2 with the output of the hardware logic device 10, the digital safety protection device 2A has a 2 out-of-four logic operation unit And the output of the load drive circuit LDM. The digital security protection device 2A will be described by focusing on the configuration that performs the latter function.

  20 A of determination apparatuses have four determination circuits 21A other than the four determination circuits 21 (refer FIG. 7). Each determination circuit 21 </ b> A has the same configuration as the determination circuit 21. For convenience of explanation, in the determination circuit 21A, the AND circuit 22 is referred to as an AND circuit 22A, and the OR circuit 23 is referred to as an OR circuit 23A.

  The output terminal of the load driving circuit LDM-A is connected to the NOT circuit 30A, and the output terminal of the load driving circuit LDM-B is connected to the NOT circuit 30B. The output terminal of the load driving circuit LDM-C is connected to the NOT circuit 30C, and the output terminal of the load driving circuit LDM-D is connected to the NOT circuit 30D.

  A NOT circuit 30A is connected to each input terminal of the AND circuit 22A and the OR circuit 23A of one of the four determination circuits 21A. A NOT circuit 29A connected to the 3-out-of-4 logic operation unit 7A is also connected to each input terminal of the AND circuit 22A and the OR circuit 23A of the determination circuit 21A. NOT circuits 29B and 30B are connected to input terminals of the AND circuit 22A and the OR circuit 23A of the other determination circuit 21A among the four determination circuits 21A, respectively. Of the four determination circuits 21A, NOT circuits 29C and 30C are connected to the input terminals of the AND circuit 22A and the OR circuit 23A of the other determination circuit 21A, respectively. Of the four determination circuits 21A, NOT circuits 29D and 30D are respectively connected to the input terminals of the AND circuit 22A and the OR circuit 23A of the remaining determination circuit 21A.

  In this embodiment, as in the first embodiment, the determination circuit 21 includes a digital signal generated by a 2-out-of-4 logic operation unit configured by software, and a 2-out-of-4 logic circuit configured by hardware. The electrical signals output from the hardware logic device 10 are compared. For this reason, as in the first embodiment, it is possible to grasp the 3 out-of-4 logic operation unit in which the common factor failure has occurred, that is, the negative 2 out-of-4 logic operation unit.

  The function of the determination circuit 21A will be described with reference to the determination circuit 21A connected to the NOT circuit 29A and the NOT circuit 30A. The determination circuit 21A exhibits the same function as the determination circuit 21. The AND circuit 22A outputs a logic “1” only when the logic of each digital signal input from both the NOT circuit 29A and the NOT circuit 30A is a logic “1”, and at least the electric signal and the digital signal are output. When one is logic “0”, logic “0” is output. The OR circuit 23A outputs a logic “1” when at least one of the logic of the input electrical signal and the digital signal is a logic “1”. The NOT circuit 24, the OR circuit 23, and the timer 26 perform the same processes as those of the determination circuit 21 described in the first embodiment.

  In the present embodiment, the display device 27 inputs the outputs of the timer 26 of the determination circuit 21A and the NOT circuit 27A.

  Another determination circuit 21A to which the NOT circuit 29B and the NOT circuit 30B are connected, another determination circuit 21A to which the NOT circuit 29C and the NOT circuit 30C are connected, and the remaining determination to which the NOT circuit 29D and the NOT circuit 30D are connected The circuit 21A also performs the same processing, and the output of these determination circuits 21A is input to the display device 27 in the same manner as the determination circuit 21A connected to the NOT circuit 29A and the NOT circuit 30A. The outputs from the three out-of-four logic operation units 7A, 7B, 7C, and 7D and the output of each load driving circuit LDM are also displayed on the display device 27.

  When each detection signal from each of the detectors 1A, 1B, 1C, and 1D does not exceed the threshold value, when the 3-out-of-4 logic operation unit 7A outputs a digital signal of logic “1”, the NOT circuit 29A A digital signal of logic “0” is output. At this time, it is assumed that the logic signal “0” is output from the load driving circuit LDM-A, and the NOT circuit 30A outputs the logic signal “1”. A digital signal of logic “0” is output from the connection point 43 of the hardware logic device 10. Each of the three out-of-four logic operation units 7B, 7C, and 7D outputs a logic “1” digital signal, and each of the load drive circuits LDM-B, LDM-C, and LDM-D outputs a logic “1” digital signal. Is output.

  In the determination circuit 21 to which the logic “0” digital signal from the NOT circuit 29A and the logic “0” digital signal from the connection point 43 are input, the OR circuit 25 outputs a logic “1” digital signal. In the other three determination circuits 21, each OR circuit 25 outputs a digital signal of logic “1”. In the determination circuit 21A to which the NOT circuit 29A and the NOT circuit 30A are connected, the logic “0” digital signal from the NOT circuit 29A and the logic “1” digital signal from the NOT circuit 30A are input. Outputs a digital signal of logic “0”. In the other three determination circuits 21A, each OR circuit 25 outputs a digital signal of logic “1”. The outputs of all the determination circuits 21 and 21A are input to the display device 27 as in the first embodiment.

  When the timer 26 of the determination circuit 21A outputs a digital signal of logic “0”, the electrical / optical converter 44B provided at the output terminal of the 3 out of 4 logic operation unit and the output device 8 (a plurality of electrical signals) / At least one of the optical converter and the plurality of optical / electrical converters) is abnormal. In the above example, since the timer 26 of the determination circuit 21A connected to the NOT circuit 29A and the NOT circuit 30A outputs a digital signal of logic “0”, the 3-out-of-four logic operation unit 7A and the load drive circuit LDM are output. The above abnormality has occurred in the line connecting -A.

  The operator who sees the information displayed on the display device 27 is connected to each of the 3 out-of-four logic operation units 7B, 7C, 7D and the 3 out-of-4 logic operation units 7B, 7C, 7D. It is understood that the optical / optical converter 44B, the plurality of electrical / optical converters in the output device 8, and the plurality of optical / electrical converters are normal. Since the output logic unit OLU and the load driving circuit LDM have a hardware configuration, no common factor failure occurs. Further, the operator inputs a logic “0” digital signal from the timer 26 in the determination circuit 21A connected to the NOT circuit 29A and the NOT circuit 30A, so that the NOT circuit 27A outputs a logic “1” digital signal. By looking at the information displayed on the display device 27, a plurality of electric / optical converters using the same program arranged on a line connecting the 3 out-of-four logic operation unit 7A and the load driving circuit LDM-A A common factor failure (including the electrical / optical converter 44B) and / or a common factor failure of a plurality of optical / electrical converters arranged on the line using the same program have occurred. You can know that you are.

  In the present embodiment, each effect produced in the first embodiment can be obtained. Further, since the determination circuit 21A is included, at least one of a plurality of electrical / optical converters and a plurality of optical / electrical converters arranged downstream of the 3 out-of-4 logical operation unit in the digital safety protection device 2A. Can confirm that a common cause failure has occurred.

  A digital security protection device according to Embodiment 3, which is another embodiment of the present invention, will be described with reference to FIGS.

  The digital safety protection device 2B of the present embodiment is configured by replacing the determination device 20A with the determination device 20B in the digital safety protection device 2A of the second embodiment, and further removing the connection between each 3 out-of-four logic operation unit and the determination device. Have Other configurations of the digital security protection device 2B are the same as those of the digital security protection device 2A. The digital safety protection device 2B has a function of comparing the output of the 2 out-of-4 logic operation unit and the output of the hardware logic device 10 in the digital safety protection device 2A, and the output of the 2 out of 4 logic operation unit and the load drive circuit. Instead of the function of comparing the output of the LDM, it has a function of comparing the output of the hardware logic device 10 and the output of the load driving circuit LDM. Description will be made focusing on the configuration for executing the function of the digital security protection device 2B.

  The determination device 20B has four determination circuits 21B. Each determination circuit 21 </ b> B has the same configuration as the determination circuit 21. For convenience of explanation, in the determination circuit 21B, the AND circuit 22 is referred to as an AND circuit 22B, and the OR circuit 23 is referred to as an OR circuit 23B. The four determination circuits 21B include a determination circuit 21B connected to the NOT circuit 30A, a determination circuit 21B connected to the NOT circuit 30B, a determination circuit 21B connected to the NOT circuit 30C, and a determination circuit 21B connected to the NOT circuit 30D. It is.

  Each input terminal of the AND circuit 22B and the OR circuit 23B of the determination circuit 21B connected to the NOT circuit 30A is connected to a connection point 43 of the NOT circuit 30A and the hardware logic device 10. Each input terminal of the AND circuit 22B and the OR circuit 23B of the determination circuit 21B connected to the NOT circuit 30B is connected to a connection point 43 of the NOT circuit 30B and the hardware logic device 10. Each input terminal of the AND circuit 22B and the OR circuit 23B of the determination circuit 21B connected to the NOT circuit 30C is connected to the connection point 43 of the NOT circuit 30C and the hardware logic device 10. Each input terminal of the AND circuit 22B and the OR circuit 23B of the determination circuit 21B connected to the NOT circuit 30D is connected to a connection point 43 of the NOT circuit 30D and the hardware logic device 10.

  When each detection signal from each of the detectors 1A, 1B, 1C, and 1D does not exceed the threshold value, the 3 out of 4 logic operation unit 7A is normal and outputs a digital signal of logic “1”, and 3 outputs Electric / optical converter 44B of Ob-4 logic operation unit 7A, all electric / optical converters and all optical / optical converters arranged on the downstream side (load drive circuit LDM-A side) of 3 out of 4 logic operation unit 7A When the electrical converter is in a normal state, the load driving circuit LDM-A also outputs a digital signal of logic “1”. At this time, the NOT circuit 30A outputs a digital signal of logic “0”.

  On the other hand, a digital signal of logic “0” is output from the connection point 43 of the hardware logic device 10. The OR circuit 25 of the determination circuit 21B, which inputs a logic “0” digital signal from the connection point 43 and the NOT circuit 30A, outputs a logic “1” digital signal, and inputs this logic “1” digital signal. The timer 26 also outputs this logic “1” digital signal. The output of the determination circuit 21B is also input to the display device 27 in the same manner as the output of the determination circuit 21. Since a digital signal of logic “1” is output from the timer 26 of the determination circuit 21B connected to the NOT circuit 30A, the operator can program 3 out of 4 logic operations in the 3 out of 4 logic operation unit 7A. The electrical / optical converter 44B of the out-of-four logic operation unit 7A, and the plurality of electrical / optical converters and the plurality of light arranged downstream of the out-of-four logic operation unit 7A (load drive circuit LDM-A side) / It can be understood that all electrical converters are in a normal state. In the present embodiment, as in the second embodiment, the output of each 3 out-of-four logic operation unit and the output of each load drive circuit LDM are displayed on the display device 27.

  Even though each detection signal from each of the detectors 1A, 1B, 1C, and 1D does not exceed the threshold value, the load driving circuit LDM-C outputs a digital signal of logic “0”, and the NOT circuit 30C is logic. Assume that a digital signal of “1” is output. In this case, the AND circuit 22B and the OR circuit 22B of the determination circuit 21B to which the NOT circuit 30C is connected receive a logic “0” digital signal from the connection point 43 of the hardware logic device 10 and a logic “0” from the NOT circuit 30C. Since the digital signal of “1” is input, the timer 26 of the determination circuit 21B to which the NOT circuit 30C is connected outputs the digital signal of logic “0”. The display device 27 displays display information (common factor failure occurrence) based on the logic “1” digital signal output from the NOT circuit 27A. The operator can confirm whether or not a common factor failure has occurred by looking at the information displayed on the display device 27.

  When the timer 26 of the determination circuit 21B outputs a digital signal of logic “0”, as described in the second embodiment, a plurality of circuits arranged downstream of the 3 out-of-4 logic operation unit in the digital safety protection device 2A. An abnormality has occurred in at least one of the electrical / optical converters and the plurality of optical / electrical converters, or in the program of 3 out of 4 logic operation in the 3 out of 4 logic operation unit. In the above example, since the timer 26 of the determination circuit 21B to which the NOT circuit 30C is connected outputs a digital signal of logic “0”, an abnormality occurs on the line including the 3 out of 4 logic operation unit 7C. Yes.

  The operator confirms the output of the 3 out-of-four logic operation unit 7C displayed on the display device 27 and the output of the load drive circuit LDM-C. When the output of the 3 out of 4 logic operation unit 7C is a digital signal of logic “0”, it is grasped that the program of 3 out of 4 logic operation in the 3 out of 4 logic operation unit 7C is in an abnormal state. be able to. When the digital signal from the 3 out-of-four logic operation unit 7C is logic “1” and the digital signal from the load driving circuit LDM-C is logic “0”, the digital safety protection device 2A An abnormality (common factor failure) has occurred in at least one of the plurality of electrical / optical converters and the plurality of optical / electrical converters arranged downstream of the 3-out-of-4 logic operation unit.

  As described above, the present embodiment can obtain each effect produced in the second embodiment. The determination device 20B having four determination circuits 21B has four determination circuits 21B, and the configuration can be simplified compared to the determination device 20A used in the second embodiment. For this reason, the configuration of the digital security protection device 2B of the present embodiment can be simplified as compared with the digital security protection device 2A.

  A digital security protection device according to Embodiment 4 which is another embodiment of the present invention will be described with reference to FIG.

  The digital safety protection device 2C of the present embodiment has a configuration in which the logical operation device 4 and the output device 8 in the digital safety protection device 2 of the first embodiment are replaced with the logical operation device 4A and the output device 8A. Used in boiling water nuclear power plants. Other configurations of the digital security protection device 2C are the same as those of the digital security protection device 2. The boiling water nuclear power plant is provided with an emergency core water injection system in preparation for a coolant loss accident. This emergency core water injection system has three safety systems. The safety system of each category has a high pressure core water injection system and a low pressure core water injection system. In one category of safety systems, decay heat removal systems are used as high-pressure core water injection systems. The digital safety protection device 2C of the present embodiment is used for drive control of pumps 30A, 30B, and 30C (see FIG. 11) respectively provided in the low-pressure core water injection system installed in the safety system of each section, for example.

  The logical operation device 4A includes a set value comparison device 5 and a logical operation unit 6A. The set value comparison device 5 is the same as the set value comparison device 5 used in the digital security protection device 2 of the first embodiment. The logical operation unit 6A includes 2 out-of-four logical operation units 19A, 19B, and 19C. Each of the 2 out-of-four logic operation units 19A, 19B, and 19C is a software operation device, and has the same program that executes the 2 out-of-four logic. Setting value comparison units DTM-A, DTM-B, DTM-C, and DTM-D are connected to the two out-of-four logic operation units 19A, 19B, and 19C, respectively. The 2-out-of-4 logic operation units 19A, 19B, and 19C are positive-logic 2-out-of-4 logic operation units.

  Each of the set value comparison units DTM-A, DTM-B, DTM-C, and DTM-D is a software arithmetic unit, and has a signal determination unit (not shown) that exhibits a predetermined function using a program. The set value comparison units DTM-A, DTM-B, DTM-C, and DTM-D used in the present embodiment are the set value comparison units DTM-A, DTM-B, DTM-C, and DTM used in the first embodiment. Unlike -D, it does not have a NOT circuit.

  The output device 8A includes an on-site transmission board RMU2-A, RMU2-B, and RMU2-C that are output units. The on-site transmission board RMU2-A is connected to the 2-out-of-4 logic operation unit 19A by an optical fiber, and the on-site transmission board RMU2-B is connected to the 2-out-of-4 logic operation unit 19B by an optical fiber. The on-site transmission board RMU3-C is connected to the 2-out-of-4 logic operation unit 19C by an optical fiber.

  The input terminals of the AND circuit 22 and the OR circuit 23 of the three determination circuits 21 provided in the determination device 20 are connected to the connection point 43 of the hardware logic device 10. The other input terminals of the AND circuit 22 and the OR circuit 23 of one of the three determination circuits 21 are connected to the 2-out-of-four logic operation unit 19A. The other input terminals of the AND circuit 22 and the OR circuit 23 of the other determination circuit 21 among the three determination circuits 21 are connected to the 2-out-of-four logic operation unit 19B. The other input terminals of the AND circuit 22 and the OR circuit 23 of the remaining determination circuits 21 among the three determination circuits 21 are connected to the 2-out-of-4 logic operation unit 19C. The other configuration of each determination circuit 21 is the same as that of the determination circuit 21 used in the first embodiment.

  The operation of the digital safety protection device 2C will be described. The detection signals output from the detectors 1A, 1B, 1C, and 1D are sent to the set value comparison unit DTM- of the logical operation device 4A via the corresponding on-site transmission board RMU of the input device 3 as in the first embodiment. A, DTM-B, DTM-C, and DTM-D are input. When the signal determination unit of each set value comparison unit DTM does not exceed the threshold for requesting the activation of the pump, the electrical signal converted in the same manner as in the first embodiment from the optical signal input from the field transmission board RMU, A logic “0” that is a digital signal is output. The signal determination unit of each set value comparison unit DTM outputs a digital signal of logic “1” when the electrical signal exceeds the threshold value. The logic “1” digital signal output when the input signal exceeds the threshold value is a trip signal.

  Each digital signal output from each of the set value comparison units DTM-A, DTM-B, DTM-C, and DTM-D is converted into an electric / optical converter (see FIG. (Not shown) and input to each of the two out-of-four logic operation units 19A, 19B, and 19C. Each of the 2 out-of-four logic operation units 19A, 19B, and 19C is provided with an optical / electrical converter (not shown) at the input end and an electrical / optical converter (not shown) at the output end. Each digital signal input to each of the two out-of-four logic operation units 19A, 19B, and 19C is converted into an electric signal by an optical / electrical converter. The two out-of-four logic operation units 19A, 19B, and 19C receive two or more digital signals among the four digital signals input from the set value comparison units DTM-A, DTM-B, DTM-C, and DTM-D. When “1”, 2 out of 4 logic is established, and a digital signal of logic “1” is output. The two out-of-four logic operation units 19A, 19B, and 19C have two out-of-four logics not established when three or more of the four input digital signals are at a logic “0”, and the logic “0”. The digital signal is output. Each digital signal output from the 2-out-of-four logic operation units 19A, 19B, and 19C is converted into an optical signal by the electrical / optical converter.

  The on-site transmission boards RMU2-A, RMU2-B, and RMU2-C are each provided with an optical / electrical converter at the input end. The on-site transmission board RMU2-A outputs a logic “1” digital signal when a logic “1” digital signal is input from the 2 out-of-four logic operation unit 19A. The digital signal of logic “1” output from the on-site transmission board RMU2-A activates the pump 30A. The on-site transmission board RMU2-B outputs a logic “1” digital signal when a logic “1” digital signal is input from the 2 out-of-four logic operation unit 19B. The digital signal of logic “1” output from the on-site transmission board RMU2-B activates the pump 30B. The on-site transmission board RMU2-C outputs a logic “1” digital signal when a logic “1” digital signal is input from the 2 out-of-four logic operation unit 19C. The digital signal of logic “1” output from the on-site transmission board RMU2-C activates the pump 30C. Each of the on-site transmission boards RMU2-A, RMU2-B, and RMU2-C outputs a logic “0” digital signal when a logic “0” digital signal is input. Pumps 30A, 30B, and 30C are not activated by a digital signal of logic “0”.

  In the determination apparatus 20 provided in the present embodiment, each digital signal from the connection point 43 of the hardware logic device 10 and the 2 out-of-four logic operation unit 19A is logic “1” (or logic “0”). When the OR circuit 25 of the determination circuit 21 connected to the 2-out-of-four logic operation unit 19A outputs a logic “1” digital signal, the timer 26 that receives this signal also outputs a logic “1” digital signal. Output. Similarly to the determination circuit 21 of the first embodiment, the output of the determination circuit 21 of this embodiment is also output to the display device 27. When the digital signal output from the timer 26 is logic “1”, the 2-out-of-4 logic operation program in the 2-out-of-4 logic operation unit 19A functions normally. The digital signal from the connection point 43 is logic “1” and the digital signal from the 2 out-of-four logic operation unit 19A is logic “0” (or the digital signal from the connection point 43 is logic “0” and 2 out of 4 logic) When the digital signal from the arithmetic unit 19A is logic “1”), the OR circuit 25 of the determination circuit 21 connected to the 2-out-of-four logic arithmetic unit 19A outputs a digital signal of logic “0”. The timer 26 for inputting the signal also outputs a digital signal of logic “0”. When the timer 26 of the determination circuit 21 connected to the 2-out-of-4 logic operation unit 19A outputs a digital signal of logic “0”, the 2-out-of-4 logic operation program in the 2-out-of-4 logic operation unit 19A is An abnormal state has occurred, and a common factor failure has occurred in the 2-out-of-4 logic operation unit 19A.

  When the respective digital signals from the connection point 43 and the 2 out-of-4 logic operation unit 19B of the hardware logic device 10 are logic “1” (or logic “0”), they are connected to the 2 out-of-4 logic operation unit 19B. The OR circuit 25 and the timer 26 of the determination circuit 21 thus output each output a digital signal of logic “1”. The output of the determination circuit 21 is input to the display device 27. When the digital signal output from the timer 26 is logic “1”, the 2-out-of-4 logic operation program in the 2-out-of-4 logic operation unit 19B functions normally. The digital signal from the connection point 43 is logic “1” and the digital signal from the 2 out-of-4 logic operation unit 19B is logic “0” (or the digital signal from the connection point 43 is logic “0” and 2 out of 4 logic. When the digital signal from the operation unit 19B is logic “1”), the OR circuit 25 and the timer 26 of the determination circuit 21 connected to the 2-out-of-4 logic operation unit 19B output a digital signal of logic “0”. To do. When the timer 26 of the determination circuit 21 connected to the 2-out-of-4 logic operation unit 19B outputs a digital signal of logic “0”, the 2-out-of-4 logic operation program in the 2-out-of-4 logic operation unit 19B is An abnormal state has occurred, and a common factor failure has occurred in the 2-out-of-4 logic operation unit 19B.

  When the respective digital signals from the connection point 43 and the 2 out-of-4 logic operation unit 19C of the hardware logic device 10 are logic “1” (or logic “0”), they are connected to the 2 out-of-4 logic operation unit 19C. Each of the OR circuit 25 and the timer 26 of the determination circuit 21 outputs a digital signal of logic “1”. The output of the determination circuit 21 is input to the display device 27. When the digital signal output from the timer 26 of the determination circuit 21 connected to the 2-out-of-4 logic operation unit 19C is logic “1”, the 2-out-of-4 logic operation unit 19C performs the 2-out-of-4 logic operation. The program is functioning normally. The digital signal from the connection point 43 is logic “1” and the digital signal from the 2 out of 4 logic operation unit 19C is logic “0” (or the digital signal from the connection point 43 is logic “0” and 2 out of 4 logic. When the digital signal from the arithmetic unit 19C is logic “1”), the timer 26 of the determination circuit 21 connected to the 2-out-of-four logic arithmetic unit 19C outputs a digital signal of logic “0”. When the timer 26 of the determination circuit 21 connected to the 2-out-of-4 logic operation unit 19C outputs a digital signal of logic “0”, the 2-out-of-4 logic operation program in the 2-out-of-4 logic operation unit 19C is An abnormal state has occurred, and a common factor failure has occurred in the 2-out-of-4 logic operation unit 19C.

  In the present embodiment, each effect produced in the first embodiment can be obtained.

  A digital security protection apparatus according to embodiment 5 which is another embodiment of the present invention will be described with reference to FIG.

  In the digital security protection device 2D of the present embodiment, the determination device 20 in the digital security protection device 2C of the fourth embodiment is replaced with the determination device 20A used in the second embodiment, and the output of each field transmission panel RMU2 is input to the determination device 20A. The configuration is Other configurations of the digital security protection device 2D are the same as those of the digital security protection device 2C. In addition to the function of comparing the output of the 2 out-of-four logic operation unit configured by software in the digital safety protection device 2C with the output of the hardware logic device 10, the digital safety protection device 2D has a 2 out-of-four logic operation unit And the output of the field transmission panel RMU2 are compared. The digital safety protection device 2D will be described by focusing on the configuration that performs the latter function.

  Unlike the determination circuit 20A of the second embodiment, the determination device 20A includes three determination circuits 21 and three determination circuits 21A. Each determination circuit 21A has the same configuration as the determination circuit 21A used in the second embodiment. Each input terminal of each of the AND circuit 22 and the OR circuit 23 of the three determination circuits 21 is connected to any one of the two out-of-four logic operation units 19A, 19B, and 19C, and the hardware as in the fourth embodiment. Hardware logic device 10.

  The output terminals of the 2-out-of-four logic operation unit 19A and the on-site transmission board RMU2-A are connected to the input terminals of the AND circuit 22A and the OR circuit 23A of one determination circuit 21A among the three determination circuits 21A. . The output terminals of the 2-out-of-four logic operation unit 19B and the field transmission board RMU2-B are connected to the input terminals of the AND circuit 22A and the OR circuit 23A of the other determination circuit 21A among the three determination circuits 21A. Is done. The output terminals of the 2-out-of-4 logic operation unit 19C and the field transmission board RMU2-C are connected to the input terminals of the AND circuit 22A and the OR circuit 23A of the remaining determination circuit 21A among the three determination circuits 21A. .

  In this embodiment, as in the first embodiment, the determination circuit 21 includes a digital signal generated by a 2-out-of-4 logic operation unit configured by software, and a 2-out-of-4 logic circuit configured by hardware. The electrical signals output from the connection point 43 of the hardware logic device 10 are compared. For this reason, it is possible to grasp a 2-out-of-4 logic operation unit in which a common factor failure has occurred, that is, a positive-out 2-out-of-4 logic operation unit.

  When each detection signal from each of the detectors 1A, 1B, 1C, and 1D does not exceed the threshold value, the 2 out-of-four logic operation unit 19A outputs a digital signal of logic “0”, and the on-site transmission board RMU2- Assume that A outputs a digital signal of logic “1”. A digital signal of logic “0” is output from the connection point 43 of the hardware logic device 10. At this time, each of the 2 out-of-four logic operation units 19B and 19C outputs a logic “0” digital signal, and each of the field transmission boards RMU2-B and RMU-C outputs a logic “0” digital signal. The

  The OR circuit 25 and the timer 26 of the determination circuit 21 that inputs the logic “0” digital signal from the 2-out-of-four logic operation unit 19A and the logic “0” digital signal from the connection point 43 are respectively logic “ 1 "digital signal is output. The timers 26 of the other three determination circuits 21 also output digital signals of logic “1”. In the determination circuit 21A to which the 2-out-of-4 logic operation unit 19A and the on-site transmission board RMU2-A are connected, the OR circuit 25 and the timer 26 each output a digital signal of logic “0”. The timers 26 of the other three determination circuits 21A each output a digital signal of logic “1”. The outputs of all the determination circuits and all the determination circuits 21 </ b> A are input to the display device 27. The display device 27 also displays outputs from each of the 2 out-of-four logic operation units 19A, 19B, 19C and each field transmission board RMU2.

  When the timer 26 of the determination circuit 21A outputs a digital signal of logic “0”, the electrical / optical converter 44B of the 2-out-of-4 logic operation unit, a plurality of lines on the line connected to the 2-out-of-4 logic operation unit An abnormality (common factor failure) has occurred somewhere in the electrical / optical converter and the plurality of optical / electrical converters. In the above example, the timer 26 of the determination circuit 21A connected to the 2 out-of-four logic operation unit 19A and the on-site transmission board RMU2-A outputs a digital signal of logic “0”. An abnormality (common factor failure) has occurred somewhere in the plurality of electric / optical converters and the plurality of optical / electrical converters on the line connected to the arithmetic unit 19A.

  The operator who has viewed the information displayed on the display device 27 can program each of the 2 out-of-four logic operation units 19A, 19B, and 19C, and the 2 out-of-four logic operation units 19B and 19C. It is grasped that a plurality of electric / optical converters and a plurality of optical / electrical converters arranged on a line connected to each are normal. Further, the operator looks at the display information on the display device 27, and thereby, the plurality of electric / optical converters and the plurality of optical / electrical converters arranged on the line connected to the 2-out-of-four logic operation unit 19A. Recognize that an abnormality (common cause failure) has occurred somewhere.

  In the present embodiment, each effect produced in the fourth embodiment can be obtained. Further, since the determination circuit 21A is provided, any of the plurality of electrical / optical converters and the plurality of optical / electrical converters arranged downstream of the 2-out-of-4 logic operation unit in the digital safety protection device 2C. Can confirm that a common cause failure has occurred.

  A digital security protection device according to Embodiment 6 which is another embodiment of the present invention will be described with reference to FIG.

  The digital safety protection device 2E of the present embodiment has a configuration in which the determination device 20A is replaced with a determination device 20B in the digital safety protection device 2D of the fifth embodiment. Other configurations of the digital security protection device 2E are the same as those of the digital security protection device 2D. The digital safety protection device 2E has a function of comparing the output of the 2 out-of-4 logic operation unit configured by software with the output of the hardware logic device 10 in the digital safety protection device 2D, and the function of the 2 out of 4 logic operation unit. Instead of the function of comparing the output with the output of the field transmission board RMU2, it has a function of comparing the output of the hardware logic device 10 with the output of the field transmission board RMU2. Description will be made focusing on the configuration for executing the function of the digital safety protection device 2E.

  Unlike the third embodiment, the determination device 20B includes three determination circuits 21B. Each determination circuit 21B has the same configuration as the determination circuit 21B used in the third embodiment. The three determination circuits 21B are a determination circuit 21B connected to the on-site transmission board RMU2-A, a determination circuit 21B connected to the on-site transmission board RMU2-B, and a determination circuit 21B connected to the on-site transmission board RMU2-C. is there.

  Each input terminal of the AND circuit 22B and the OR circuit 23B of the determination circuit 21B connected to the field transmission board RMU2-A is connected to the connection point 43 of the field transmission board RMU2-A and the hardware logic device 10. Each input terminal of the AND circuit 22B and the OR circuit 23B of the determination circuit 21B connected to the on-site transmission board RMU2-B is connected to the on-site transmission board RMU2-B and the connection point 43 described above. Each input terminal of the AND circuit 22B and the OR circuit 23B of the determination circuit 21B connected to the on-site transmission board RMU2-C is connected to the on-site transmission board RMU2-C and the connection point 43 described above.

  When each detection signal from each of the detectors 1A, 1B, 1C, and 1D does not exceed the threshold value, the 2-out-of-four logic operation unit 7A is in a normal state and outputs a logic “0” digital signal. The transmission board RMU2-A also outputs a digital signal of logic “0”.

  At this time, a digital signal of logic “0” is output from the connection point 43 of the hardware logic device 10. The OR circuit 25 and the timer 26 of the determination circuit 21B that input the digital signal of logic “0” from the connection point 43 and the field transmission panel RMU2-A respectively output the logic signal of “1”. The output of the determination circuit 21B is input to the display device 27 in the same manner as the determination circuit 21 of the first embodiment. Since the digital signal of logic “1” is output from the timer 26 of the determination circuit 21B, the operator looks at the information displayed on the display device 27, so that the 2 out of 4 logic operation unit 19A performs the 2 out of 4 logic operation. A logic operation program, a plurality of electrical / optical converters and a plurality of optical / electrical converters arranged on a line connecting the 2 out-of-four logical operation unit 19A and the field transmission board RMU2-A are all in a normal state. Know that it is. In the present embodiment, as in the fifth embodiment, the respective outputs of the 2-out-of-four logic operation units and the on-site transmission boards RMU2 are displayed on the display device 27.

  Assume that the on-site transmission board RMU2-C outputs a digital signal of logic “1” even though each detection signal from each of the detectors 1A, 1B, 1C, 1D does not exceed the threshold value. In this case, the AND circuit 22B and the OR circuit 23B of the determination circuit 21B to which the field transmission board RMU2-C is connected are connected to the digital signal of logic “0” from the connection point 43 of the hardware logic device 10 and the field transmission board. Since the digital signal of logic “1” is input from the RMU2-C, the OR circuit 25 and the timer 26 each output a digital signal of logic “0”. The display device 27 displays display information based on the logic “1” digital signal output from the NOT circuit 27A. The output from the connection point 43 of the hardware logic device 10 is also displayed on the display device 27.

  The operator confirms the output from the connection point 43 displayed on the display device 27, the output from the 2 out-of-four logic operation unit 19C, and the output from the field transmission panel RMU2-C. When the output from the connection point 43 is a logic “0” digital signal and the output of the 2 out-of-4 logic operation unit 19C is a logic “1” digital signal, the 2 out of the 2 out of 4 logic operation unit 19C It is possible to grasp that the program of Ob-4 logic operation is in an abnormal state. If the output from the connection point 43 and the digital signal from the 2 out-of-four logic operation unit 19C are logic “0” and the digital signal from the field transmission panel RMU2-C is logic “1”, 2 out It can be understood that an abnormality (common factor failure) has occurred in the plurality of electric / optical converters and the plurality of optical / electrical converters arranged on the line to which the Ob-4 logic operation unit 19C is connected.

  In the present embodiment, each effect produced in the fifth embodiment can be obtained. The determination device 20B including the three determination circuits 21B includes the three determination circuits 21B, but does not include the determination circuit 21. For this reason, the configuration of the determination device 20B can be simplified compared to the determination device 20A used in the fifth embodiment. For this reason, the configuration of the digital safety protection device 2E of the present embodiment can be simplified as compared with the digital security protection device 2D.

  A digital security protection device according to embodiment 7, which is another embodiment of the present invention, will be described with reference to FIGS.

  The digital security protection device 2F of the present embodiment has a configuration in which the hard backup logic operation device 9 is removed from the digital security protection device 2A of the second embodiment, and the determination device 20A is replaced with a determination device 20C. Other configurations of the digital security protection device 2F are the same as those of the digital security protection device 2F. The digital safety protection device 2F does not have a function of detecting the occurrence of a common factor failure in the 3 out-of-four logic operation unit (23 out-of-four logic operation unit of negative logic). A plurality of electrical / optical converters arranged on a line connected to (a negative logic 23 out-of-four logical operation unit) and a function of detecting occurrence of a common factor failure in the plurality of optical / electrical converters.

  The determination device 20C includes the determination circuit 21A among the determination circuits provided in the determination device 20A, and does not include the determination circuit 21. The determination device 20C includes four determination circuits 21A, that is, a determination circuit 21A connected to the NOT circuits 29A and 30A, a determination circuit 21A connected to the NOT circuits 29B and 30B, and a determination circuit connected to the NOT circuits 29C and 30C. And a determination circuit 21A connected to the NOT circuits 29D and 30D.

  For example, when each detection signal from each of the detectors 1A, 1B, 1C, and 1D does not exceed the threshold value, each of the 3 out-of-four logic operation units 7A, 7B, 7C, and 7D is logical “1”. The digital signal of “0” is output from the load drive circuit LDM-A, and the logic “1” is output from each of the load drive circuits (output units) LDM-B, LDM-C, and LDM-D. It is assumed that the digital signal is output. In this case, the timer 26 of each determination circuit 21A to which each of the load drive circuits LDM-B, LDM-C, and LDM-D is connected outputs a digital signal of logic “1”. On the other hand, the timer 26 of the determination circuit 21A to which the load driving circuit LDM-A is connected outputs a digital signal of logic “0”. The output of each determination circuit 21A is input to the display device 27.

  The operator displays on the display device 27 a NOT circuit 27A for inputting logic “0”, which is the output of the timer 26 of the determination circuit 21A to which the load driving circuit LDM-A is connected, based on the digital signal of logic “1”. By viewing the displayed information, an abnormality (common factor failure) has occurred in the plurality of electric / optical converters and the plurality of optical / electrical converters arranged on the line connected to the 3 out-of-four logical operation unit 7A. I can understand that. Further, the operator looks at each display information displayed on the display device 27 based on the logic “1” that is the output of each timer 26 of the remaining determination circuit 21A, so that the three out-of-four logic operation units 7B and 7C. , 7D, it is grasped that a common factor failure has not occurred in the plurality of electric / optical converters and the plurality of optical / electrical converters arranged on each line.

  In the present embodiment, each 3 out-of-four logic operation unit includes a determination circuit 21A, and thus common to the electrical / optical converter and the optical / electrical converter on the line connected to any 3 out-of-four logic operation unit. It is possible to recognize whether a cause failure has occurred.

  According to the present embodiment, a common factor failure occurs in at least one of the plurality of electric / optical converters and the plurality of optical / electrical converters arranged downstream of the 3 out-of-four logic operation unit in the digital safety protection device 2F. You can know what happened.

  A digital security protection device according to embodiment 8, which is another embodiment of the present invention, will be described with reference to FIG.

  The digital security protection device 2G of the present embodiment has a configuration in which the hard backup logic operation device 9 is removed and the determination device 20A is replaced with the determination device 20D in the digital security protection device 2D of the fifth embodiment. Other configurations of the digital security protection device 2G are the same as those of the digital security protection device 2D. Similarly to the seventh embodiment, the digital safety protection device 2G does not have a function of detecting the occurrence of a common factor failure in the 2 out-of-4 logic operation unit, and is on a line connected to the 2 out-of-4 logic operation unit. A plurality of arranged electrical / optical converters and a function of detecting the occurrence of a common factor failure in the plurality of optical / electrical converters.

  The determination device 20D includes the determination circuit 21A among the determination circuits provided in the determination device 20A used in the fifth embodiment, and does not include the determination circuit 21. The determination device 20D includes three determination circuits 21A, that is, a determination circuit 21A connected to the 2-out-of-4 logic operation unit 19A and the on-site transmission panel RMU2-A, an out-of-four logic operation unit 19B, and the on-site transmission panel RMU2-. A determination circuit 21A connected to B, and a determination circuit 21A connected to the 2 out-of-four logic operation unit 19C and the on-site transmission board RMU2-C.

  For example, in the case where each detection signal from each of the detectors 1A, 1B, 1C, and 1D does not exceed the threshold value, each of the 2 out-of-four logic operation units 19A, 19B, and 19C is a digital of logic “0”. Assume that a digital signal of logic “1” is output from the field transmission board RMU2-A, and a digital signal of logic “0” is output from each of the field transmission boards RMU2-B and RMU2-C. In this case, the timer 26 of each determination circuit 21A to which each of the on-site transmission boards RMU2-B and RMU2-C is connected outputs a digital signal of logic “1”. On the other hand, the timer 26 of each determination circuit 21A to which the on-site transmission board RMU2-A is connected outputs a digital signal of logic “0”. The output of each determination circuit 21A is input to the display device 27.

  The operator displays the display device based on the digital signal of logic “1” output from the NOT circuit 27A that has input logic “0” that is the output of the timer 26 of each determination circuit 21A to which the field transmission panel RMU2-A is connected. 27. By looking at the display information displayed on the line 27, abnormalities in the plurality of electrical / optical converters and the multiple optical / electrical converters arranged on the line connected to the 2-out-of-3 logical operation unit 19A (common cause failure) It can be understood that has occurred. In addition, the operator views each display information displayed on the display device 27 based on the logic “1” that is the output of each timer 26 of the remaining determination circuit 21A, whereby the two out-of-four logic operation units 19B and 19C. It is grasped that no common factor failure has occurred in the plurality of electric / optical converters and the plurality of optical / electrical converters arranged on each line connected to each of the two.

  In the present embodiment, each 3 out-of-four logic operation unit includes a determination circuit 21A, and thus common to the electrical / optical converter and the optical / electrical converter on the line connected to any 3 out-of-four logic operation unit. It is possible to recognize whether a cause failure has occurred.

  According to the present embodiment, each effect produced in the seventh embodiment can be obtained.

  Each of the digital safety protection device 2 according to the first embodiment, the digital safety protection device 2A according to the second embodiment, the digital safety protection device 2B according to the third embodiment, and the digital safety protection device 2F according to the seventh embodiment is a boiling water nuclear power plant. It is possible to apply to the control of the equipment of the pressurized water nuclear power plant. For example, in addition to the scram solenoid valve 40, the digital safety protection device 2 of this embodiment is applied to the control of the main steam isolation valve provided in the main steam piping of each of the boiling water nuclear plant and the pressurized water nuclear plant. Can do.

  Each of the digital safety protection device 2C of the fourth embodiment, the digital safety protection device 2D of the fifth embodiment, the digital safety protection device 2E of the sixth embodiment, and the digital safety protection device 2G of the eighth embodiment is applied to a pressurized water nuclear plant. be able to. For example, it can be used for start-up control of a low pressure core water injection pump provided in a pressurized water nuclear power plant.

  The present invention can be applied to nuclear plants such as a boiling water nuclear plant and a pressurized water nuclear plant.

  DESCRIPTION OF SYMBOLS 1,1A-1D ... Detector, 2, 2A, 2B, 2C, 2D, 2E, 2F, 2G ... Digital safety protection device, 3 ... Input device, 4, 4A ... Logic operation device, 5 ... Setting value comparison device, 6, 6A ... logic operation unit, 7A, 7B, 7C, 7D ... 3 out of 4 logic operation unit, 8, 8A ... output device, 9 ... hard backup logic operation device, 10 ... hardware logic device, 11-18, 32 to 39, switch, 19A, 19B, 19C, 2 out-of-four logic operation unit, 20, 20A, 20B, 20C, 20D, determination device, 21, 21A, 21B, determination circuit, 30A, 30B, 30C, pump , 31, 31A, 31B ... power supply circuit, 40 ... scram solenoid valve, 43 ... connection point, DTM-A, DTM-B, DTM-C, DTM-D ... set value comparison unit, LDM-A, LDM-B , LDM-C LDM-D ... load driving circuit, RMU-A, RMU-B, RMU-C, RMU-D, RMU2-A, RMU2-B, RMU2-C, RMU2-D ... field transmission board.

Claims (13)

A quadruple first set value comparison device for separately inputting each detection signal output from each of the quadruple detectors and outputting a trip signal for the detection signal exceeding the threshold;
A 2-out-of-4 logic operation device that receives the output signals from each of the quadruple first set value comparison devices and executes a 2-out-of-4 logic operation using a 2-out-of-4 logic operation program;
A quadruple second set value comparison device for separately inputting each detection signal output from each of the quadruple detectors and outputting a trip signal for the detection signal exceeding the threshold. When,
A 2-out-of-4 logic device configured by using a plurality of hardware elements, each of which receives a respective output signal from the quadruple second set value comparison device;
A digital safety protection device comprising: a determination device that performs a first abnormality determination based on an output signal of the 2-out-of-4 logic operation device and an output signal of the 2-out-of-4 logic device.   A plurality of the 2-out-of-4 logic operation devices are provided, and the determination device is a determination device that performs the first abnormality determination for each output signal from each of the plurality of 2-out-of-4 logic operation devices. Item 2. The digital safety protection device according to Item 1. An output device connected to the 2-out-of-4 logic operation device by an optical fiber, and outputting an output signal output from the 2-out-of-4 logic operation device to an object to be controlled;
2. The digital safety according to claim 1, wherein, in addition to the first abnormality determination, the determination device performs a second abnormality determination based on an output signal of the 2 out-of-four logic operation device and an output signal of the output unit. Protective device. A plurality of output units for outputting the output signals output from the plurality of 2-out-of-4 logic operation devices to a control target for each 2-out-of-4 logic operation device; An apparatus comprising an output device connected to the output by an optical fiber;
In addition to the first abnormality determination, the determination device has a second output for each output signal from each of the output units based on the output signal of the 2 out-of-four logic operation device and the output signal of the output unit. The digital safety protection device according to claim 2, wherein abnormality determination is performed. The 2-out-of-4 logic operation device is a negative-logic 2-out-of-4 logic operation device, and the negative-logic 2-out-of-4 logic operation device is connected to the determination device via a NOT circuit;
3. The digital safety protection device according to claim 1, wherein the determination device performs the first abnormality determination using an output signal of the NOT circuit as an output signal of the 2 out-of-four logic operation device. The 2-out-of-4 logic operation device is a negative-logic 2-out-of-4 logic operation device, and the negative-logic 2-out-of-4 logic operation device is connected to the determination device via a first NOT circuit;
The output unit is connected to the determination device via a second NOT circuit;
The determination device performs the first abnormality determination using an output signal of the first NOT circuit as an output signal of the 2-out-of-4 logic operation device, and outputs an output signal of the first NOT circuit and an output of the output unit The digital safety protection device according to claim 3 or 4, wherein the second abnormality determination is performed using an output signal of the second NOT circuit as a signal. A quadruple first set value comparison device for separately inputting each detection signal output from each of the quadruple detectors and outputting a trip signal for the detection signal exceeding the threshold;
A 2-out-of-4 logic operation device that receives the output signals from each of the quadruple first set value comparison devices and executes a 2-out-of-4 logic operation using a 2-out-of-4 logic operation program;
A quadruple second set value comparison device for separately inputting each detection signal output from each of the quadruple detectors and outputting a trip signal for the detection signal exceeding the threshold. When,
A 2-out-of-four logic device configured using a plurality of hardware elements for inputting an output signal from each of the quadruple second set value comparison devices;
An output device connected to the 2-out-of-4 logic operation device by an optical fiber, and outputting an output signal output from the 2-out-of-4 logic operation device to an object to be controlled;
A digital safety protection device comprising: a determination device that performs an abnormality determination based on an output signal of the 2-out-of-four logic device and an output signal of the output unit. A plurality of the two out-of-four logic operation devices are provided, and the output device is provided with a plurality of the output units corresponding to the plurality of two out-of-four logic operation devices;
The digital safety protection device according to claim 7, wherein the determination device is a determination device that performs the abnormality determination for each output signal from the plurality of output units. The 2-out-of-4 logic operation device is a negative-logic 2-out-of-4 logic operation device, and an output unit is connected to the determination device via a NOT circuit;
The digital safety protection device according to claim 7 or 8, wherein the determination device performs the abnormality determination using an output signal of the NOT circuit as an output signal of the output unit. A quadruple first set value comparison device for separately inputting each detection signal output from each of the quadruple detectors and outputting a trip signal for the detection signal exceeding the threshold;
A 2-out-of-4 logic operation device that receives the output signals from each of the quadruple first set value comparison devices and executes a 2-out-of-4 logic operation using a 2-out-of-4 logic operation program;
An output device connected to the 2-out-of-4 logic operation device by an optical fiber, and outputting an output signal output from the 2-out-of-4 logic operation device to an object to be controlled;
A digital safety protection device comprising: a determination device that performs an abnormality determination based on an output signal of the 2-out-of-4 logic operation device and an output signal of the output unit. A plurality of the two out-of-four logic operation devices are provided, and the output device is provided with a plurality of the output units corresponding to the plurality of two out-of-four logic operation devices;
The digital safety protection device according to claim 10, wherein the determination device is a determination device that performs the abnormality determination for each output signal from each of the plurality of output units. The 2-out-of-4 logic operation device is a negative-logic 2-out-of-4 logic operation device, and an output unit is connected to the determination device via a NOT circuit;
The digital safety protection device according to claim 10 or 11, wherein the determination device performs the abnormality determination using an output signal of the NOT circuit as an output signal of the output unit.   The digital safety protection device according to any one of claims 1 to 12, wherein the hardware element is a switchgear.

Images