JP2014006694A - Plant safety device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To perform a change of setting data under strict management by bypassing a safety device of a change target channel when changing the setting data of the safety control device of the change target channel of a plurality of channels in a plant such as a nuclear power generation plant and the like.SOLUTION: A bypass selection part 103 makes a bypass signal 3 to a safety control device 101B of the change target channel effective and makes a bypass signal 3 other than the bypass signal 3 to the safety control device 101B null and void. When values of monitor data 5A, 5C and 5D exceed over a setting value, safety control devices 101A, 101C and 101D make trip signals 1A, 1C and 1D effective and make the trip signals null and void in a case other than the case where the values thereof exceed over the setting value. When the bypass signal 3 is effective, the safety control device 101B makes the trip signal null and void, and changes setting data 10B to data newly set in accordance with a data change request command 4 transmitted from a data change part 104.

Description

  Embodiments described herein relate generally to a plant safety device applied to a plant such as a nuclear power plant.

  In a nuclear power plant, a plant safety device is provided to ensure safety.

  Some plant safety devices include a safety control device assigned to a plurality of channels and a determination unit. Each of the safety control devices of the plurality of channels receives the monitoring data from the sensor installed in the plant, compares the value of the monitoring data with a setting value determined in advance as a parameter, and the value of the monitoring data is the setting value. Enable trip signal when exceeded. The determination unit transmits a control signal for starting a safety function for the plant when a trip signal of more than half of the trip signals transmitted from the safety control devices of a plurality of channels is valid. Examples of safety functions include emergency reactor shutdown, containment isolation, or engineered safety facility activation.

  In recent plants, a digital safety control device that uses a digital technology, particularly a logic circuit such as a microprocessor or FPGA, is used as a safety control device that controls a safety function. The digital safety control device stores a set value and a safety control program as setting data in a semiconductor memory. By changing this setting data, it is possible to change the activation timing or conditions of the safety function.

  Changing the setting data is not performed frequently, but it is expected that the setting data will need to be changed due to operation or regulation. However, in order to guarantee the safe operation of the plant, the setting data needs to be changed under strict management.

  As for the plant safety device, a technology has been proposed in which a hardware logic device composed of hardware is added in addition to a safety control device (logic operation device) configured by software and controlling a safety function (patent) Reference 1).

JP 2011-191855 A

  In the technique described in Patent Document 1, the value of the digital signal transmitted from the safety control device is compared with the value of the electrical signal transmitted from the hardware logic device, and the software has a failure based on the comparison result. By grasping whether or not, the reliability of the safety control device is improved, but the setting data is not changed under strict management.

  In the plant safety device, when changing the setting data (setting value or safety control program) of the safety control device, the safety control device is bypassed with the selected one of the plurality of channels as the change target channel, and the change target channel It is desirable not to affect the safe operation of the plant even if an abnormal behavior occurs while changing the setting data of the safety control device.

  Therefore, the problem to be solved by the present embodiment is that when changing the setting data of the safety control device of the change target channel among a plurality of channels, the setting data is bypassed by the safety control device of the change target channel. Is to make changes under strict control.

  The plant safety device of the embodiment is assigned to each of a plurality of channels, stores a setting value including a setting value and a safety control program, an input unit that inputs monitoring data from a sensor installed in the plant, and A safety control program is executed to enable a trip signal when the monitored data value exceeds the set value, and when the monitored data value does not exceed the set value, or a bypass signal is enabled A plurality of safety control devices having an execution unit that disables the trip signal, and the bypass signal to the safety control device of the change target channel of the plurality of channels is enabled and other than the change target channel A bypass selector for disabling the bypass signal to the channel safety control device; A determination unit that transmits a control signal for activating a safety function for the plant when a trip signal of more than half of the trip signals transmitted from the control device is valid, and a data change including new setting data A data changing unit that transmits a request command to the safety control device for the change target channel, and the execution unit of the safety control device for the change target channel includes the data change unit when the bypass signal is valid. The data change request command transmitted from the server is received, and the setting data stored in the storage unit is changed to the new setting data in response to the data change request command.

  The operation method of the plant safety device of the embodiment is an operation method of a plant safety device including a plurality of safety control devices that are respectively assigned to a plurality of channels and in which setting data including a set value and a safety control program are set. The step of inputting the monitoring data from the sensors installed in the plant by the safety control devices of the plurality of channels, and enabling the bypass signal to the safety control device of the channel to be changed among the plurality of channels, and the change Invalidating the bypass signal to a safety control device of a channel other than the target channel; a safety control device of a channel other than the change target channel executing the safety control program; When the set value is exceeded, the trip signal is enabled and the monitoring data value is Disabling the trip signal when a set value is not exceeded, the step of disabling the trip signal when the bypass signal is valid, the safety control device of the channel to be changed, and the plurality of channels A step of transmitting a control signal for starting a safety function for the plant when more than half of the trip signals transmitted from the safety control device are valid, and data including new setting data A step of transmitting a change request command to the safety control device of the change target channel, and the safety control device of the change target channel, when the bypass signal is valid, the data change request transmitted from the data change unit A command is received, and the setting data is sent in response to the data change request command. Characterized by comprising the step of changing to the new setting data.

  According to the embodiment of the present invention, when changing the setting data of the safety control device of the change target channel among the plurality of channels, the setting data is strictly changed by bypassing the safety control device of the change target channel. Can be done under proper control.

It is a block diagram which shows the structure of the plant safety apparatus which concerns on 1st Embodiment. It is a block diagram which shows the structure of the plant safety apparatus which concerns on 2nd Embodiment. It is a circuit diagram which shows the structure of a rotary switch as a structure of the bypass selection part of the plant safety apparatus which concerns on 1st Embodiment. In the plant safety device concerning a 1st embodiment, it is a block diagram showing composition of a safety control device, and an example of connection with a safety control device, a bypass selection part, and a data change part of a change object channel among a plurality of channels FIG. It is a flowchart which shows operation | movement of the plant safety apparatus which concerns on 1st Embodiment. In the plant safety device concerning a 2nd embodiment, it is a circuit diagram showing the composition of the 2nd safety control device. In the plant safety device concerning a 3rd embodiment, it is a block diagram showing composition of a safety control device, and an example of connection with a safety control device of a change object channel among a plurality of channels, a bypass selection part, and a data change part FIG. In the plant safety device concerning a 4th embodiment, it is a block diagram showing composition of a safety control device, and an example of connection with a safety control device of a change object channel among a plurality of channels, a bypass selection part, and a data change part FIG.

  Hereinafter, an embodiment of a plant safety device according to the present invention will be described with reference to the drawings.

[First Embodiment]
(Constitution)
FIG. 1 is a block diagram illustrating a configuration of a plant safety device according to the first embodiment.

  The plant safety device according to the first embodiment includes safety control devices 101A to 101D, a determination unit 102, a bypass selection unit 103, and a data change unit 104.

  The safety control devices 101A to 101D are assigned to a plurality of channels, respectively. Specifically, the safety control device 101A is assigned to the first channel, the safety control device 101B is assigned to the second channel, the safety control device 101C is assigned to the third channel, and the safety control device 101D is assigned to the fourth channel. Assigned.

  Setting data 10A to 10D including a set value and a safety control program are set in the safety control devices 101A to 101D, respectively.

  One or more types of sensors 501A to 501D are installed in the plant, and the sensors 501A to 501D transmit monitoring data 5A to 5D, respectively. The safety control devices 101A to 101D input monitoring data 5A to 5D, respectively. The monitoring data 5A to 5D are important measurement values for protecting the safety of the nuclear power plant such as the reactor water level, the reactor pressure, or the containment vessel pressure.

  Each of the safety control devices 101A to 101D executes a safety control program and compares the values of the monitoring data 5A to 5D with the set values. The comparison between the monitoring data and the set value is performed for each type of monitoring data. That is, a measured value such as a reactor water level, a reactor pressure, or a containment vessel pressure is compared with a set value corresponding thereto.

  The safety control devices 101A to 101D enable the trip signals 1A to 1D to be “ON” when the values of the monitoring data 5A to 5D exceed the set values, respectively. On the other hand, when the values of the monitoring data 5A to 5D do not exceed the set value, the trip signals 1A to 1D are invalidated “OFF”.

  Here, when the trip signals 1A to 1D are valid “ON”, the potential is set to a high potential. That is, the digital values of the trip signals 1A to 1D are set to “1”. On the other hand, when the trip signals 1A to 1D are invalid “OFF”, the potential is set to a low potential. That is, the digital values of the trip signals 1A to 1D are set to “0”.

  Further, when one channel (for example, the second channel) of the plurality of channels is selected as the change target channel and the bypass signal 3 to the safety control device 101B of the change target channel is valid “ON”, the change is made. The safety control device 101B of the target channel disables the trip signal 1B to “OFF”.

  Safety control apparatuses 101A to 101D transmit trip signals 1A to 1D to determination unit 102, respectively.

  The determination unit 102 receives the trip signals 1A to 1D transmitted from the safety control devices 101A to 101D of a plurality of channels.

  The determination unit 102 activates the safety function by majority logic. 2-out-of-4 is a majority logic used in nuclear power plants. This activates the safety function when two or more trip signals of the four channels are valid “ON”. Specifically, the determination unit 102 transmits the control signal 2 for starting the safety function for the plant when at least two of the trip signals 1A to 1D are valid “ON”. In this case, the control signal 2 is enabled “ON”.

  In the nuclear power plant, the trip signals 1A to 1D can be validated and invalidated by a logic opposite to the above (hereinafter, negative logic). The negative logic is intended for fail-safe, and when the trip signals 1A to 1D are invalid “OFF”, the potential is set to a high potential. That is, the digital values of the trip signals 1A to 1D are set to “1”. On the other hand, when the trip signals 1A to 1D are valid “ON”, the potential is set to a low potential. That is, the digital values of the trip signals 1A to 1D are set to “0”. In this case, the determination unit 102 makes the control signal 2 invalid “OFF” when at least three of the trip signals 1A to 1D are invalid “OFF”.

  The bypass selection unit 103 transmits a bypass signal 3 to the safety control devices 101A to 101D.

  When the bypass selecting unit 103 selects one of the plurality of channels (the second channel in the above example) as the change target channel, the bypass selection unit 103 enables the bypass signal 3 to the safety control device 101B of the change target channel. And the bypass signal 3 to the safety control devices 101A, 101C and 101D of the channels other than the channel to be changed is disabled “OFF”.

  When the bypass signal 3 is valid “ON”, its potential is set to a high potential. That is, the digital value of the bypass signal 3 is set to “1”. On the other hand, when the bypass signal 3 is invalid “OFF”, its potential is set to a low potential. That is, the digital value of the bypass signal 3 is set to “0”.

  In the plant safety device according to the first embodiment, by configuring the bypass selection unit 103 with, for example, a rotary switch or a joystick, it can be ensured that the safety control devices of two or more channels are not bypassed at the same time.

  FIG. 3 is a circuit diagram illustrating a configuration of a rotary switch as a configuration of the bypass selection unit 103 of the plant safety device according to the first embodiment.

  The bypass selection unit 103, the operation unit 301, the first channel selection terminal 302A, the second channel selection terminal 302B, the third channel selection terminal 302C, the fourth channel selection terminal 302D, the non-selection terminal 303, which are contacts, And a terminal 306.

  One end of the operation unit 301 is connected to the common terminal 306, and the other end is rotated about an operation shaft (not shown) so that the other end is a first channel selection terminal 302A, a second channel selection terminal 302B, and a third channel selection terminal 302C. The fourth channel selection terminal 302D and the non-selection terminal 303 are connected to any one of the terminals. That is, the one terminal and the common terminal 306 are connected.

  The first channel selection terminal 302A, the second channel selection terminal 302B, the third channel selection terminal 302C, and the fourth channel selection terminal 302D are connected to one ends of the wirings 305A, 305B, 305C, and 305D, respectively. The other ends of the wirings 305A, 305B, 305C, and 305D are connected to the safety control devices 101A to 101D. The non-selection terminal 303 is not connected to any safety control device.

  During normal operation, the other end of the operation unit 301 is connected to the non-selection terminal 303, and no safety control device is selected.

  At the time of changing the setting data, one of the first channel selection terminal 302A, the second channel selection terminal 302B, the third channel selection terminal 302C, and the fourth channel selection terminal 302D is connected to the common terminal 306. In this case, the safety control device is selected using any one of the safety control devices 101A to 101D as a change target channel through wiring from the one selection terminal.

  The common terminal 306 is connected to one end of the wiring 304, the other end of the wiring 304 is connected to a DC power supply (not shown), and a closed loop is configured between the DC power supply and the safety control device of the change target channel. The DC power supply outputs a high potential for making the bypass signal 3 effective “ON”, and the potential of the wiring 304 is always high.

  As shown in FIG. 3, when the other end of the operation unit 301 is connected to the second channel selection terminal 302B, the wiring 304, the common terminal 306, the operation unit 301, the second channel selection terminal 302B, and the wiring 305B are connected from the DC power supply. A circuit that connects the safety control device 101B via the terminal is configured. The safety control device 101B recognizes that the bypass signal 3 is valid “ON” when the potential of the wiring 305B becomes a high potential. The safety control devices 101A, 101C, and 101D recognize that the bypass signal 3 is invalid “OFF” when the potentials of the wirings 305A, 305C, and 305D remain low.

  As described above, in the plant safety apparatus according to the first embodiment, the bypass selection unit 103 is configured as a rotary switch, thereby making it impossible to bypass two or more channels simultaneously. Even when the bypass selection unit 103 is configured as a joystick, the same five contacts as the rotary switch are provided so that two or more channels cannot be bypassed at the same time.

  As shown in FIG. 1, the data changing unit 104 is connected to the safety control device 101B of the change target channel among the plurality of channels. The data changing unit 104 transmits a data change request command 4 including new setting data to the safety control device 101B of the change target channel. In this case, when the bypass signal 3 is valid “ON”, the safety control device 101B of the change target channel receives the data change request command 4 transmitted from the data change unit 104, and responds to the data change request command 4. Then, the setting data 10B is changed to new setting data.

  In the plant safety device according to the first embodiment, the setting data needs to be changed under strict management in order to guarantee safe operation of the plant. For this reason, it is necessary for the safety control devices 101A to 101D to have a configuration capable of handling management of the setting data 10A to 10D, determination of the contents of the bypass signal 3, determination of whether or not the data changing unit 104 is connected, and the like. There is.

  FIG. 4 is a block diagram showing the configuration of the safety control devices 101A to 101D in the plant safety device according to the first embodiment. The safety control device 101B and the bypass selection unit 103 for the channel to be changed among a plurality of channels. 5 is a diagram illustrating an example of connection with a data changing unit 104. FIG.

  The plant safety apparatus according to the first embodiment can further include a mode setting unit 412.

  The mode setting unit 412 transmits a mode setting signal 6 to the safety control devices 101A to 101D. The mode setting signal 6 is set to the operation mode or the test mode. The mode setting unit 412 sets a test mode for the mode setting signal 6 transmitted to the safety control device 101B of the change target channel, and the mode setting signal 6 transmitted to the safety control devices 101A, 101C, and 101D of the other channels. Set the operation mode for.

  First, the configuration of each of the safety control apparatuses 101A to 101D having a plurality of channels will be described with reference to FIG.

  Each of the safety control devices 101A to 101D includes a processor 401 as an execution unit, a flash memory 402, a RAM (Random Access Memory) 403, an input unit 404, an output unit 409, and a tool input / output unit 410. ing.

  The flash memory 402 is a storage unit that stores setting data (setting values and safety control program) used by the processor 401. The storage unit is not limited to the flash memory 402, and may be realized by a nonvolatile storage device such as an EEPROM (Electrically Erasable Programmable Read-Only Memory) or a FeRAM (Ferroelectric Random Access Memory). Alternatively, it is realized as a hard disk.

  The input unit 404 inputs the above-described monitoring data, the mode setting signal 6 transmitted from the mode setting unit 412, and the bypass signal 3 transmitted from the bypass selection unit 103. In addition, it is also possible to divide the part which inputs monitoring data, the mode setting signal 6, and the bypass signal 3. FIG.

  The processor 401 performs initialization when the safety control device is activated, periodically executes the safety control program, and changes the setting data according to the data change request command 4 from the data change unit 104. The processor 401 is realized as a general-purpose microprocessor or a programmable device such as an FPGA or an ASIC.

  The processor 401 stores, in the RAM 403, copy data representing a copy of the setting data (setting value and safety control program) stored in the flash memory 402 at the time of initialization. In addition to the setting data, the copy data includes a change program for changing the setting data.

  When the operation mode is set for the mode setting signal 6, the processor 401 executes the copy data safety control program stored in the RAM 403, and the value of the monitoring data is the copy data stored in the RAM 403. When the set value is exceeded, the trip signal is enabled “ON”, and when the monitoring data value does not exceed the set value, the trip signal is disabled “OFF”. When the bypass signal 3 is valid “ON”, the processor 401 invalidates the trip signal “OFF” regardless of the value of the monitoring data.

  The processor 401 transmits the trip signal to the determination unit 102 via the output unit 409.

  Next, the connection of the safety control device 101B, the bypass selection unit 103, and the data change unit 104 of the change target channel will be described with reference to FIG.

  In the bypass selection unit 103, the wiring 305 </ b> B is connected to one end of the resistance element 405 through the node 407, and the other end of the resistance element 405 is grounded by the ground terminal 411. The other end of the wiring 304 is connected to the DC power source 408 which is the above-described DC power source. The same applies to the safety control devices 101A, 101C, and 101D.

  In the safety control device 101B of the change target channel, the flash memory 402 stores setting data 10B (setting value, safety control program).

  When the other end of the operation unit 301 is connected to the second channel selection terminal 302B, the safety control device 101B is connected from the DC power source 408 via the wiring 304, the common terminal 306, the operation unit 301, the second channel selection terminal 302B, and the wiring 305B. A circuit connecting the two is configured. In this case, the potential of the wiring 305B, that is, the potential of the bypass signal 3 is a high potential, and the bypass signal 3 is valid “ON”. Since the channel selection terminals 302A, 302C, and 302D to which the other end of the operation unit 301 is not connected are not supplied with power from the DC power supply 408, the potential of the bypass signal 3 is low, and the bypass signal 3 is disabled “OFF”. is there.

  The input unit 404 inputs the monitoring data 5B, the mode setting signal 6 in which the test mode is set, and the valid “ON” bypass signal 3. Since the bypass signal 3 is valid “ON”, the processor 401 invalidates the trip signal 1B “OFF”. The processor 401 transmits a trip signal 1B indicating invalid “OFF” to the determination unit 102 via the output unit 409.

  When the tool input / output unit 410 is connected to the data change unit 104, the tool input / output unit 410 receives the data change request command 4 transmitted from the data change unit 104 and transmits it to the processor 401. The connection with the data changing unit 104 is realized by serial communication, Ethernet (registered trademark) or the like, and the tool input / output unit 410 is realized as a device for serial communication or an Ethernet (registered trademark) interface.

  The processor 401 receives the data change request command 4 when the test mode is set for the mode setting signal 6 and the bypass signal 3 input to the input unit 404 is valid “ON”. At this time, the processor 401 executes a copy data change program stored in the RAM 403 in response to the data change request command 4 and includes the setting data 10B stored in the flash memory 402 in the data change request command 4. Change to new setting data.

(Function)
FIG. 5 is a flowchart showing the operation of the plant safety device according to the first embodiment.

  Here, the mode setting unit 412 sets a test mode for the mode setting signal 6 transmitted to the safety control device 101B of the change target channel, and transmits to the safety control devices 101A, 101C, and 101D of other channels. It is assumed that the operation mode is set for the setting signal 6. The bypass selection unit 103 enables “ON” the bypass signal 3 to the safety control device 101B of the change target channel, and disables “OFF” the bypass signal 3 to the safety control devices 101A, 101C, and 101D of channels other than the change target channel. ”.

  First, initialization processing is executed. The processor 401 of the safety control apparatuses 101A to 101D of a plurality of channels copies a setting data (setting value and safety control program) stored in the flash memory 402 and changes to change the setting data at initialization. Copy data including the program is stored in the RAM 403 (step S11).

  The input units 404 of the safety control devices 101A to 101D for a plurality of channels input monitoring data 5A to 5D from sensors 501A to 501D installed in the plant, respectively. The input unit 404 of the safety control devices 101A to 101D inputs the mode setting signal 6 transmitted from the mode setting unit 412 and the bypass signal 3 transmitted from the bypass selecting unit 103. The processor 401 of the safety control devices 101A to 101D checks whether or not the mode setting signal 6 is in the test mode, whether or not the bypass signal 3 is valid “ON” (step S12).

  When the operation mode is set with respect to the mode setting signal 6, the processors 401 of the safety control devices 101A, 101C, and 101D of the channels other than the change target channel respectively control the safety of the copy data stored in the RAM 403. Run the program. The processor 401 of the safety control devices 101A, 101C, and 101D enables the trip signals 1A, 1C, and 1D when the values of the monitoring data 5A, 5C, and 5D exceed the set values of the copy data stored in the RAM 403. “ON” and transmit to the determination unit 102 via the output unit 409. On the other hand, when the values of the monitoring data 5A, 5C, and 5D do not exceed the set value, the trip signal is invalidated “OFF” and transmitted to the determination unit 102 via the output unit 409 (steps S12-No, S13). .

  Further, the processor 401 of the safety control device 101B of the channel to be changed disables the trip signal 1B “OFF” when the test mode is set with respect to the mode setting signal 6 and the bypass signal 3 is “ON”. ”And transmitted to the determination unit 102 via the output unit 409 (steps S12—Yes, S14).

  When connected to the safety control device 101B of the change target channel, the data change unit 104 transmits a data change request command 4 including new setting data to the safety control device 101B of the change target channel. The processor 401 of the safety control device 101B receives the data change request command 4 transmitted from the data change unit 104 when the test mode is set for the mode setting signal 6 and the bypass signal 3 is valid “ON”. Is received (step S15-Yes).

  At this time, the processor 401 of the safety control device 101B of the change target channel executes the copy data change program stored in the RAM 403 in response to the data change request command 4, and the setting stored in the flash memory 402 The data 10B is changed to new setting data included in the data change request command 4 (step S16).

  The determination unit 102 receives the trip signals 1A to 1D transmitted from the safety control devices 101A to 101D of a plurality of channels. The determination unit 102 transmits the control signal 2 when more than half of the trip signals 1A to 1D are valid “ON” (step S17).

  In step S16, in order for the processor 401 of the safety control device 101B to use the new setting data, it is necessary to restart the safety control device 101B. That is, the mode setting unit 412 sets the operation mode for the mode setting signal 6 transmitted to the safety control device 101B of the change target channel, and the bypass selection unit 103 bypasses the bypass control signal to the safety control device 101B of the change target channel. 3 is disabled “OFF”, and step S11 and subsequent steps are executed to restart the safety control device 101B of the change target channel.

  In step S16, the processor 401 of the change target channel safety control apparatus 101B executes the change program stored in the RAM 403 in response to the data change request command 4, and the setting stored in the flash memory 402. The data 10B can be changed to new setting data included in the data change request command 4, and the copy data setting data 10B stored in the RAM 403 can be changed to new setting data. In this case, it is not necessary to restart the safety control device 101B of the change target channel, and step S12 and subsequent steps are executed.

(effect)
According to the plant safety device according to the first embodiment, the setting data (setting value and safety control program) of the safety control device composed of a plurality of channels can be changed only for the bypassed channel. Also, the number of channels that can be bypassed at a time is limited to one.

  Therefore, according to the plant safety device according to the first embodiment, the risk of malfunction such as sending a trip signal by mistake while changing the setting data (setting value and safety control program) of the safety control device is significantly reduced, While complying with regulations, it can contribute to guaranteeing safe operation of the plant.

  As described above, according to the plant safety device according to the first embodiment, when changing the setting data of the safety control device of the change target channel among the plurality of channels, the safety control device of the change target channel is bypassed. Thus, the setting data can be changed under strict management.

[Second Embodiment]
In the plant safety device according to the second embodiment, a device to which the majority logic is applied is provided between the safety control device and the determination unit in the first embodiment. Only changes in the first embodiment will be described in the second embodiment.

(Constitution)
FIG. 2 is a block diagram showing the configuration of the plant safety device according to the second embodiment.

  The plant safety device according to the second embodiment includes digital trip modules (hereinafter referred to as DTM) 201A to 201D which are safety control devices, trip logic units (hereinafter referred to as TLU) 202A to 202D, Output logic units (hereinafter referred to as OLU) 203A to 203D, a determination unit 102, a bypass selection unit 103, and a data change unit 104 are provided.

  Each of the DTMs 201A to 201D has the same configuration as the safety control devices 101A to 101D in the first embodiment.

  Setting data 20A to 20D are set in the DTMs 201A to 201D of the plurality of channels, respectively. Each of the setting data 20A to 20D includes a setting value and a safety control program, like the setting data 10A to 10D in the first embodiment.

  The DTMs 201 </ b> A to 201 </ b> D of the plurality of channels are transmitted from the monitoring data from the two or more types of sensors (not shown) provided in the plant, the mode setting signal 6 transmitted from the mode setting unit 412, and the bypass selecting unit 103. The bypass signal 3 is input. The DTMs 201 </ b> A to 201 </ b> D output a sensor-specific trip signal that is the aforementioned trip signal based on the monitoring data, the mode setting signal 6, and the bypass signal 3.

  Here, when the trip signal for each sensor is valid “ON”, the potential is set to a high potential. That is, the digital value of the sensor-specific trip signal is set to “1”. On the other hand, when the sensor-specific trip signal is invalid “OFF”, the potential is set to a low potential. That is, the digital value of the trip signal for each sensor is set to “0”.

  Further, the bypass selecting unit 103 enables “ON” the bypass signal 3 to the DTM (for example, DTM201D) of the change target channel, and disables the bypass signal 3 to the DTMs 201A, 201B, and 201C of the channels other than the change target channel. It shall be “OFF”. When the bypass signal 3 is valid “ON”, the digital value of the bypass signal 3 is “0”, and when the bypass signal 3 is invalid “OFF”, the digital value of the bypass signal 3 is “1” And

  The TLUs 202A to 202D are provided in the same number as the DTMs 201A to 201D, and each is connected to the outputs of the DTMs 201A to 201D. The OLUs 203A to 203D are provided in the same number as the TLUs 202A to 202D, and are connected to the outputs of the TLUs 202A to 202D, respectively.

  The TLUs 202A to 202D of the plurality of channels receive the trip signal for each sensor from the DTMs 201A to 201D of the plurality of channels and the bypass signal 3 transmitted to the DTMs 201A to 201D of the plurality of channels, and transmit the trip signal for each output. .

  FIG. 6 is a circuit diagram showing a configuration of TLUs 202A to 202D in the plant safety device according to the second embodiment.

  Each of the TLUs 202A to 202D of the plurality of channels includes AND circuits 601A to 601D and a majority logic circuit 602.

  Each of the AND circuits 601A to 601D is assigned to a plurality of channels. Specifically, the AND circuit 601A is assigned to the first channel, the AND circuit 601B is assigned to the second channel, the AND circuit 601C is assigned to the third channel, and the AND circuit 601D is assigned to the fourth channel. .

  Each of the AND circuits 601A to 601D inputs the sensor-specific trip signals from the DTMs 201A to 201D of the plurality of channels and the bypass signal 3 transmitted to the DTMs 201A to 201D of the plurality of channels, and outputs the output signal as the majority logic circuit 602. Output to.

  Specifically, the AND circuit 601A determines that the bypass signal 3 transmitted to the first channel DTM 201A is invalid “OFF” and the sensor-specific trip signal from the first channel DTM 201A is valid “ON”. Set the output signal to “ON”. That is, when the digital values of the sensor-specific trip signal and the bypass signal 3 are both “1”, the digital value of the output signal is set to “1”. In other cases, the output signal is disabled “OFF”.

  Similarly, the AND circuit 601B outputs an output signal when the bypass signal 3 transmitted to the DTM 201B of the second channel is invalid “OFF” and the trip signal for each sensor from the DTM 201B of the second channel is valid “ON”. Enable “ON”. In other cases, the output signal is disabled “OFF”. The same operation is performed for the AND circuits 601C and 601D.

  The majority logic circuit 602 performs the above-described 2-out-of-4 and transmits a trip signal for each output to the determination unit 102. Specifically, the majority logic circuit 602 sets the trip signal for each output to valid “ON” when at least two of the output signals output from the AND circuits 601A to 601D are valid “ON”. Output. In other cases, the trip signal for each output is disabled “OFF”.

  The OLUs 203 </ b> A to 203 </ b> D of the plurality of channels transmit the output-specific trip signals transmitted from the TLUs 202 </ b> A to 202 </ b> D of the plurality of channels to the determination unit 102.

  The determination unit 102 transmits the control signal 2 when more than half of the output-specific trip signals transmitted from the OLUs 203A to 203D of the plurality of channels are valid “ON”. In this case, the control signal 2 is enabled “ON”.

  In the second embodiment, as in the first embodiment, the reverse logic (negative logic) described above can also be performed for the purpose of fail-safe.

(Function)
The operation of the plant safety device according to the second embodiment will be described with reference to FIG. FIG. 5 is similar to the first embodiment, but the operation of the plant safety device according to the second embodiment is slightly different from the operation of the plant safety device according to the first embodiment.

  Here, the mode setting unit 412 sets the test mode for the mode setting signal 6 transmitted to the DTM 201D of the channel to be changed, and for the mode setting signal 6 transmitted to the DTMs 201A, 201B and 201C of the other channels. It is assumed that the operation mode is set. The bypass selection unit 103 sets the bypass signal 3 to the DTM 201D of the channel to be changed to valid “ON” and disables the bypass signal 3 to the DTMs 201A, 201B, and 201C of channels other than the channel to be changed to “OFF”. To do.

  First, the DTMs 201A to 201D of a plurality of channels execute initialization processing and check whether the mode setting signal 6 is in the test mode, whether the bypass signal 3 is valid “ON”, and the like ( Steps S11 and S12).

  The DTMs 201A, 201B, and 201C of channels other than the change target channel each executed the safety control program when the operation mode was set for the mode setting signal 6, and the value of the monitoring data exceeded the set value In this case, the trip signal for each sensor is enabled “ON”. On the other hand, when the value of the monitoring data does not exceed the set value, the sensor-specific trip signal is disabled “OFF” (steps S12-No, S13).

  In addition, the DTM 201D of the channel to be changed turns the trip signal for each sensor invalid “OFF” when the test mode is set for the mode setting signal 6 and the bypass signal 3 is valid “ON” (step S1). S12-Yes, S14).

  When the data changing unit 104 is connected to the DTM 201D of the change target channel, the data change unit 104 transmits a data change request command 4 including new setting data to the DTM 201D of the change target channel. The DTM 201D receives the data change request command 4 transmitted from the data change unit 104 when the test mode is set with respect to the mode setting signal 6 and the bypass signal 3 is valid “ON” (step S15). -Yes).

  At this time, the DTM 201D of the change target channel executes the change program in response to the data change request command 4, and changes the setting data 20D set therein to new setting data included in the data change request command 4. (Step S16).

  Next, a determination process is executed (step S17).

  In step S17, each of the TLUs 202A to 202D of the plurality of channels has the sensor-specific trip signals more than half effective in the channels in which the bypass signal 3 is invalid “OFF” among the sensor-specific trip signals in the plurality of channels “ON”. If it is “”, the trip signal for each output is enabled “ON”, otherwise the trip signal for each output is disabled “OFF”. Here, because the trip signal for each sensor transmitted from the DTM 201D of the channel to be changed is invalid “OFF”, the trip signal for each output is determined by the 2-out-of-3 majority logic of the remaining three channels. .

  In step S <b> 17, the OLUs 203 </ b> A to 203 </ b> D of the plurality of channels transmit to the determination unit 102 the output-specific trip signals transmitted from the TLUs 202 </ b> A to 202 </ b> D of the plurality of channels, respectively. The determination unit 102 transmits the control signal 2 when more than half of the output-specific trip signals transmitted from the OLUs 203A to 203D of the plurality of channels are valid “ON”. Here, since the sensor-specific trip signal transmitted from the DTM 201D of the change target channel is invalid “OFF”, the control signal 2 is determined by the 2-out-of-3 majority logic of the remaining three channels. .

(effect)
According to the plant safety device according to the second embodiment, even in the configuration in which the TLUs 202A to 202D to which the majority logic is applied are provided between the DTMs 201A to 201D and the determination unit 102, safety control including a plurality of channels. The setting data (setting value and safety control program) of the device can be changed only for the bypassed channel. Also, the number of channels that can be bypassed at a time is limited to one.

  Therefore, according to the plant safety apparatus according to the second embodiment, the risk of erroneously changing DTM setting data (setting values and safety control program) is significantly reduced, the regulations are observed, and safe operation of the plant is guaranteed. Can contribute to.

  Thus, according to the plant safety device concerning a 2nd embodiment, when changing DTM setting data of a change object channel among a plurality of channels, setting data is bypassed by bypassing DTM of a change object channel. Changes can be made under strict control.

[Third Embodiment]
In the third embodiment, only the changes in the first embodiment will be described. Here, the parts other than the explanation part are the same as those in the first embodiment.

(Constitution)
FIG. 7 is a block diagram illustrating the configuration of the safety control devices 101A to 101D in the plant safety device according to the third embodiment. The safety control device 101B and the bypass selection unit 103 for the channel to be changed among a plurality of channels. 5 is a diagram illustrating an example of connection with a data changing unit 104. FIG.

  In the plant safety device according to the first embodiment, the monitoring data, the mode setting signal 6 and the bypass signal 3 are input to the input unit 404. In the plant safety device according to the third embodiment, the input unit 404 is monitored. Data and mode setting signal 6 are input, and bypass signal 3 is input to tool input / output unit 410.

  The tool input / output unit 410 receives the data change request command 4 transmitted from the data change unit 104 and outputs it to the processor 401 only when the bypass signal 3 is valid. When the bypass signal 3 is invalid, since the data change request command 4 transmitted from the data change unit 104 is not received, the data change request command 4 is not output to the processor 401.

(Function)
The operation of the plant safety device according to the third embodiment will be described with reference to FIG. Although FIG. 5 is the same as that of 1st Embodiment, about the operation | movement of the plant safety apparatus which concerns on 3rd Embodiment, the part different from the operation | movement of the plant safety apparatus which concerns on 1st Embodiment is demonstrated.

  First, the same step S11 as in the first embodiment is executed.

  In step S12, in addition to the same processing as in the first embodiment, the tool input / output unit 410 of the safety control devices 101A to 101D receives the bypass signal 3 transmitted from the bypass selection unit 103, and the bypass signal 3 is valid. Check whether it is “ON” or not.

  Here, when the operation mode is set with respect to the mode setting signal 6 (step S12-No), the same step S13 as 1st Embodiment is performed.

  On the other hand, when the test mode is set for the mode setting signal 6 (step S12—Yes), in step S14, in addition to the same processing as in the first embodiment, the tool input of the safety control device 101B of the change target channel is entered. When the input bypass signal 3 is valid “ON”, the output unit 410 receives the data change request command 4 from the data change unit 104 and transmits it to the processor 401.

  The processor 401 of the change target channel safety control apparatus 101B receives the data change request command 4 transmitted from the tool input / output unit 410 (step S15-Yes), and the same steps S16 and S17 as in the first embodiment are executed. Is done.

  The bypass signal 3 may be a power source for the tool input / output unit 410. That is, the tool input / output unit 410 of the safety control device 101B of the change target channel operates when the input bypass signal 3 is valid “ON”. In this case, when the bypass signal 3 is invalid “OFF”, no power is supplied to the tool input / output unit 410 and the tool input / output unit 410 does not operate, so that safety can be further improved.

(effect)
According to the plant safety apparatus according to the third embodiment, in addition to realizing the same effect as that of the first embodiment, whether the data can be changed is determined not by software processing by the processor 401 but by the hardware configured in the tool input / output unit 410. It can also be realized as wear. As a result, it is not necessary to store software related to whether or not data can be changed in the flash memory 402 or RAM 403, and the capacity can be reduced. In addition, it is possible to prevent a malfunction caused by execution of software related to whether or not data can be changed in the processor 401. it can.

[Fourth Embodiment]
Only the changes of the third embodiment will be described in the fourth embodiment. Here, the parts other than the explanation part are the same as in the third embodiment.

(Constitution)
FIG. 8 is a block diagram showing the configuration of the safety control devices 101A to 101D in the plant safety device according to the fourth embodiment. The safety control device 101B and the bypass selection unit 103 for the channel to be changed among a plurality of channels. 5 is a diagram illustrating an example of connection with a data changing unit 104. FIG.

  Each of the safety control devices 101A to 101D further includes a flash memory controller 801 as a control unit.

  The flash memory controller 801 controls reading and writing of data to the flash memory 402. Further, the bypass signal 3 is input. The flash memory controller 801 does not change the setting data in the flash memory 402 when the bypass signal 3 is invalid “OFF”.

  The data changing unit 104 has a monitoring function for monitoring the internal operation of the safety control device for the channel to be changed, in addition to the data changing function for changing the setting data. The data changing unit 104 transmits the internal operation monitoring command 7 for monitoring the internal operation of the safety control device for the change target channel, or transmits the data change request command 4 for changing the setting data. It is connected to the tool input / output unit 410 of the safety control device.

(Function)
The operation of the plant safety device according to the fourth embodiment will be described with reference to FIG. Although FIG. 5 is the same as that of 1st Embodiment, about the operation | movement of the plant safety apparatus which concerns on 4th Embodiment, a different part from operation | movement of the plant safety apparatus which concerns on 1st Embodiment is demonstrated.

  Here, the bypass selection unit 103 assumes that the bypass signal 3 to the safety control device 101B of the channel to be changed is initially disabled “OFF” and then enabled “ON”.

  First, the same step S11 as in the first embodiment is executed.

  In step S12, in addition to the same processing as in the first embodiment, the tool input / output unit 410 and the flash memory controller 801 of the safety control devices 101A to 101D receive the bypass signal 3 transmitted from the bypass selection unit 103, and perform bypass. It is checked whether or not the signal 3 is valid “ON”.

  Here, when the operation mode is set with respect to the mode setting signal 6 (step S12-No), the same step S13 as 1st Embodiment is performed.

  On the other hand, when the test mode is set for the mode setting signal 6 (step S12—Yes), the same step S14 as in the first embodiment is executed.

  In step S 14, the tool input / output unit 410 of the safety control device 101 B of the change target channel receives the internal operation monitoring command 7 transmitted from the data change unit 104 and transmits it to the processor 401. The processor 401 of the safety control device 101B of the change target channel receives the internal operation monitoring command 7 transmitted from the tool input / output unit 410.

  In step S14, the tool input / output unit 410 of the safety control device 101B of the channel to be changed only receives the data change request command 4 from the data change unit 104 when the input bypass signal 3 is valid “ON”. Is transmitted to the processor 401.

  The flash memory controller 801 of the safety control device 101B of the change target channel transmits a change permission signal for permitting acceptance of the data change request command 4 to the processor 401 only when the input bypass signal 3 is valid. . In response to the change permission signal, the processor 401 of the change target channel safety control device 101B receives the data change request command 4 transmitted from the tool input / output unit 410 (step S15-Yes), and the first embodiment and the first embodiment. The same steps S16 and S17 are executed.

(effect)
According to the plant safety apparatus according to the fourth embodiment, the flash memory controller 801 determines whether or not the data stored in the flash memory 402 can be changed based on the bypass signal 3 while realizing the same effect as the first embodiment. Thus, the data changing unit 104 can be connected for the purpose of monitoring the internal operation of the safety control device of the change target channel and the purpose of changing the setting data.

[Other Embodiments]
As mentioned above, although some embodiment of this invention was described, these embodiment is shown as an example and is not intending limiting the range of invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, modifications, and features of the embodiments can be combined without departing from the spirit of the invention. . These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

1A to 1D ... Trip signal 2 ... Control signal 3 ... Bypass signal 4 ... Data change request command 5A to 5D ... Monitoring data 6 ... Mode setting signal 7 ... Internal operation monitoring command 10A to 10D ... Setting data 20A to 20D ... Setting data 101A ˜101D ... safety control device 102 ... determining unit 103 ... bypass selection unit 104 ... data changing unit 201A-201D ... DTM (safety control device)
202A to 202D ... TLU
203A-203D ... OLU
301 ... Operation unit 302A ... First channel selection terminal 302B ... Second channel selection terminal 302C ... Third channel selection terminal 302D ... Fourth channel selection terminal 303 ... Non-selection terminal 304 ... Wiring 305A-305D ... Wiring 306 ... Common terminal 401 ... Processor 402 ... Flash memory 403 ... RAM
404 ... Input unit 405 ... Resistance element 407 ... Node 408 ... DC power supply 409 ... Output unit 410 ... Tool input / output unit 411 ... Ground terminal 412 ... Mode setting unit 501A-501D ... Sensor 601A-601D ... AND circuit 602 ... Majority logic circuit 801 ... Flash memory controller (control unit)

Claims (8)

A storage unit that is assigned to each of a plurality of channels and stores setting data including a setting value and a safety control program, an input unit that inputs monitoring data from a sensor installed in the plant, and executes the safety control program, The trip signal is enabled when the value of the monitoring data exceeds the set value, and the trip signal is disabled when the value of the monitoring data does not exceed the set value or when the bypass signal is valid. A plurality of safety control devices having an execution unit to perform,
A bypass selection unit that enables the bypass signal to the safety control device of the channel to be changed among the plurality of channels and invalidates the bypass signal to the safety control device of a channel other than the channel to be changed;
A determination unit that transmits a control signal for starting a safety function for the plant when a trip signal of more than half of the trip signals transmitted from the safety control devices of the plurality of channels is valid;
A data change unit that transmits a data change request command including new setting data to the safety control device of the change target channel;
Comprising
The execution unit of the safety control device of the change target channel receives the data change request command transmitted from the data change unit when the bypass signal is valid, and in response to the data change request command, Changing the setting data stored in the storage unit to the new setting data;
Plant safety device characterized by that.   The bypass selection unit connects the input unit of the safety control device for the change target channel and a power source for enabling the bypass signal, and sends the bypass signal indicating the validity to the safety control device for the change target channel. The plant safety device according to claim 1, wherein Each of the plurality of channels of the safety control device further includes a tool input / output unit connectable to the data change unit,
Each input unit of the plurality of channels of the safety control device inputs the bypass signal,
The execution unit of the safety control device for the change target channel, when the bypass signal input to the input unit is valid, the data change request transmitted from the data change unit via the tool input / output unit Receive commands,
The plant safety device according to claim 1 or 2, wherein Each of the plurality of channels of the safety control device further includes a tool input / output unit connectable to the data change unit,
Each input unit and tool input / output unit of the safety control device of the plurality of channels inputs the bypass signal,
The tool input / output unit of the safety control device for the change target channel receives the data change request command from the data change unit and transmits the command to the execution unit when the input bypass signal is valid. ,
The execution unit of the safety control device for the change target channel receives the data change request command transmitted from the tool input / output unit when the bypass signal input to the input unit is valid.
The plant safety device according to claim 1 or 2, wherein The data changing unit transmits the internal operation monitoring command for monitoring the internal operation of the safety control device of the change target channel, or transmits the data change request command to the safety control device of the change target channel. Connected,
Each of the safety control devices of the plurality of channels further includes a control unit that controls reading and writing of data to the storage unit and inputs the bypass signal,
The tool input / output unit of the safety control device for the change target channel receives the internal operation monitoring command transmitted from the data change unit, transmits the command to the execution unit, and the bypass signal input is valid. Only when the data change request command transmitted from the data change unit is received and transmitted to the execution unit,
The control unit of the safety control device for the change target channel transmits a change permission signal for permitting the acceptance of the data change request command to the execution unit only when the input bypass signal is valid,
The execution unit of the safety control device for the change target channel receives the internal operation monitoring command transmitted from the tool input / output unit, and the data transmitted from the tool input / output unit in response to the change permission signal. Receiving a change request command,
The plant safety device according to claim 3 or 4, characterized in that. The input unit of each of the plurality of channels of safety control devices inputs a mode setting signal in which an operation mode or a test mode is set,
The plant safety device sets the test mode with respect to the mode setting signal transmitted to the safety control device of the change target channel, and the mode setting signal transmitted to the safety control device of other channels. It further comprises a mode setting unit for setting the operation mode,
The execution unit of the safety control device of the channel other than the change target channel executes the safety control program when the operation mode is set with respect to the mode setting signal, and the value of the monitoring data is the value of the monitoring data When the set value is exceeded, the trip signal is enabled, and when the monitoring data value does not exceed the set value, the trip signal is disabled.
The execution unit of the change target channel safety control device invalidates the trip signal when the bypass signal is valid when the test mode is set with respect to the mode setting signal, and the data change unit Receiving the data change request command transmitted from
The plant safety device according to any one of claims 1 to 5, wherein A trip logic unit provided in the same number as the plurality of channels of safety control devices;
The execution unit of the safety control device of a channel other than the channel to be changed executes the safety control program and validates the trip signal for each sensor that is the trip signal when the value of the monitoring data exceeds the set value. When the value of the monitoring data does not exceed the set value, the trip signal for each sensor is invalidated,
The execution unit of the safety control device for the change target channel invalidates the trip signal for each sensor when the bypass signal is valid,
The plurality of channel trip logic units receive the sensor-specific trip signal from the plurality of channel safety control devices and the bypass signal transmitted to the plurality of channel safety control devices, and Of the trip signals by sensor in a plurality of channels, the trip signal by output is validated when more than half of the trip signals by sensor are valid in the channel where the bypass signal is invalid, and otherwise Disable trip signal by output,
The determination unit transmits the control signal when an output-specific trip signal of more than half of the output-specific trip signals transmitted from the trip logic units of the plurality of channels is valid,
The execution unit of the safety control device of the change target channel receives the data change request command transmitted from the data change unit when the bypass signal is valid, and in response to the data change request command, Changing the setting data stored in the storage unit to the new setting data;
The plant safety device according to any one of claims 1 to 6, wherein the plant safety device is characterized. A method for operating a plant safety device comprising a plurality of safety control devices, each of which is assigned to a plurality of channels and set with setting data including a set value and a safety control program,
The plurality of channels of safety control devices inputting monitoring data from sensors installed in the plant;
Enabling a bypass signal to a safety control device of a channel to be changed among the plurality of channels, and invalidating the bypass signal to a safety control device of a channel other than the channel to be changed;
A safety control device of a channel other than the channel to be changed executes the safety control program to enable a trip signal when the value of the monitoring data exceeds the set value, and the value of the monitoring data is set to the setting Invalidating the trip signal if the value is not exceeded;
The safety controller of the channel to be changed invalidates the trip signal when the bypass signal is valid;
Transmitting a control signal for activating a safety function for the plant when more than half of the trip signals transmitted from the safety control devices of the plurality of channels are valid;
Transmitting a data change request command including new setting data to the safety control device of the change target channel;
When the bypass control signal is valid, the safety control device of the change target channel receives the data change request command transmitted from the data change unit, and sets the setting data according to the data change request command. Changing to the new setting data;
A method for operating a plant safety device, comprising:

Images