JPH1153664A - Safety support device for plant or machinery - Google Patents

Abstract

PROBLEM TO BE SOLVED: To attract operator's proper attention when an abnormal state is announced by manifesting a latent error of the plant by providing a performance predicting means or the like which predicts state changes of the plant so as to extract a manifest or latent error. SOLUTION: When a command arrives from a central control board 1 or attention attracting device 3 or troubleshooting device 4, a performance predicting device 2 calculates and predicts the transition of a relative system in the case wherein the operation is carried out by using necessary physical data of the system from a plant data monitor device 20 so as to grasp the actual plant state. If it is judged that safety can not be obtained from past trouble experience or data predicted values right after the operation for the execution of the operation, the attention attracting device 3 generates an alarm finally.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an operation control device for a plant, and more particularly to an operation control device for a plant or a mechanical device (hereinafter, referred to as a "plant"). The present invention relates to a support device for avoiding a risk and reliably executing a safe operation of a plant.

[0002]

2. Description of the Related Art As a conventional apparatus, FIG. 8 shows a configuration of an output control apparatus of a BWR plant. When the coolant flowing from the lower part of the reactor 2 rises between the fuel rods by the recirculation pump 4, the coolant boils down by the calorific value of the fuel rods of the reactor 2 stored in the dry well 1. After the generated steam is separated from the moisture, it flows into the turbine 9 from the reactor via the control valve 19 to drive the turbine 9, and the power is output by the generator 10.

[0003] The power level of the reactor 2 is controlled by a control rod 3 inserted from below. In order to operate the reactor safely and efficiently, it is necessary that the neutron flux, temperature, pressure, flow rate, etc. are sufficient and adequate for the limit values, and that the average power density of the core is increased. You. For this purpose, many detectors are placed in a reactor, their local physical quantities are known, and operation is performed sufficiently high to near an allowable value.

[0004] As for the control of the reactor, control of the power level of the reactor, control of the power distribution for the purpose of adjusting the distribution of heat generation in the reactor core to an appropriate form, at the time of start-up and shutdown at the time of general operation, , Load change control, and the like.

[0005] Further, the plant is a complex system in which a cooling system, a steam system, a turbine power generation system, an auxiliary system, and the like are combined in addition to the above-described reactor system, and comprehensive control including these systems is performed. Must be targeted.

[0008] As shown in the configuration of the output control device of the BWR plant in FIG. 8, in the case of BWR, the void coefficient of the reactivity is negative and large. Output can be controlled.
When an increase in load is required, increasing the recirculation flow rate reduces the voids in the furnace, increases the reactivity, increases the furnace power,
The voids increase, the reactivity becomes zero, and a state of equilibrium is reached.

Next, in the BWR, a reactor water level control system is important from the viewpoint of safety and protection. Furnace water level control is performed by increasing or decreasing the feedwater, and is called a feedwater control system.

This control system has a 3
An element (water level, steam flow, feedwater flow) type water supply control device is used. FIG. 9 shows a block diagram of a water supply control system in the BWR.

The pressure difference between the pressure 131 in the reactor 2 and the gas phase region in the reactor is determined by a differential pressure gauge 133 to obtain a water level signal 134 in the reactor. On the other hand, the main steam flow 139, which is the output of the reactor 2, is measured, and after performing density correction and adiabatic expansion correction based on pressure, a main steam flow signal 1310 is obtained. The feedwater flow rate, which is the output of the steam turbine-driven feedwater pump 135, is subjected to density correction, and then a feedwater flow signal 1311 is obtained.

Based on the difference between the main steam flow signal 1310 and the feedwater flow signal 1311 and the reactor water level signal, the output of the feedwater pump is determined. Whether to set the single element mode based on only 134 is selected by the mode switch 1312.

In addition, a water level program signal 1313 which is separately set based on the main steam flow rate 1310 of the reactor output is also input to the feed water flow main controller 136 which controls the steam flow rate for driving the feed water pump. .

By the way, a safety protection system is provided for detecting an abnormal state of a nuclear power plant, preventing an accident from occurring, or suppressing an accident, and operating safety equipment and safety equipment. Further, regarding the plant data at the time of starting, stopping, and steady / partial load operation of the plant, data processing and recording of the items shown in FIG. 10 are performed. The amount of data obtained by processing these data and calculating the performance should be monitored for margins or fluctuations from the operating limit values. Inform.

However, as shown in FIG. 4, even for one variation (the recirculation flow rate is abrupt), what level of variation is within the entire plant, and what is the ripple Enormous, complex, and non-linear relationships, such as what operating procedures should be taken by the operator, and how the system's state changes as a result of performing those operations. In the environment where parameters existed, even though the backup of hardware aspects such as protection system and interlock system for the entire plant was in place, the operator was mentally close to panic. Will be forced to respond.

The following is a description of a case of an accident at a nuclear power plant.

A power plant operator inadvertently closed C and D while trying to close pump outlet valves A and B. As a result, the natural environment to the reactor core has all stopped.

The operator at the B power plant pressed the wrong button on the control panel in an attempt to manually start up the steam supply control system, but did not notice the error.

The A power plant operator misunderstood the annulus level as the water level in the shroud. These two levels would normally have the same value. However, at this time, the shroud level was only 56 inches above the fuel element (due to the error in closing the valve). The low-water warning sounded three minutes after the event and continued to sound, but an error was found 30 minutes later.

The operator at the C power plant did not notice that the relief valve of the pressurizer was open and not closed. On the panel display, the relief valve switch was closed. They mistakenly thought that the switch was only open and closed, but the valve was closed. They did not expect the mechanism to be faulty (although it did, in fact) and that the valve would remain open and not be displayed on the control panel.

D Power Plant In an attempt to depressurize the reactor cooling system, operators have taken the wrong strategy regarding the pressure relief valve. The operator repeatedly opened and closed, and remained open the fourth time.

E power plant Reactor power is reduced by 10%
It was below. Operators and electricians continued testing as originally planned, despite safety procedures banning operation at less than 20%. The initial error and subsequent breach of safety procedures resulted in a double explosion in the reactor core, destroying the containment and releasing large quantities of radioactive material into the atmosphere.

The above case is described in J. Reason, "Human Error", 1994, Kaibundo.

Obviously, the intention was appropriate, but he did not act as planned.

Although the behavior of the operator was as planned, the plan was inappropriate in terms of safely operating the plant.

However, does not apply to either category. These include a mistake factor of incorrectly evaluating the system state. Perhaps
These errors are caused by an incorrect IF (status X) THEN
It is most appropriate to consider that this is caused by adopting a diagnostic rule of the form (system state is Y).
In both cases, the rules that were in effect in the past led to incorrect answers in these extremely dangerous abnormal situations.

As shown in the above accident example, in a very high risk plant such as a nuclear power plant, a double or triple safety device and an interlock mechanism are designed. The interface between the system and the target system allows only a fairly defined interaction between humans and the current remote operation, and the drastic advancement in driving automation has led to The motivation can also be that the task has been reduced to a monitoring task to make sure that the system continues to function within normal limits for a set amount of time.

The main reason why human operators are still present is that they can use the unique power of doing knowledge-based reasoning to handle system abnormal conditions. However, this is an incompatible area for human perceptions of human strength and weakness.

Operator experience is monitoring and sometimes normal operation when the plant is within safe operating limits. In this case, it is required to suddenly enter the control loop, and a situation arises as to how to appropriately execute the control loop. Even if you repeatedly struggled with how to deal with them and how to prevent recurrence in case studies of accidents and breakdowns up to the present, their experiences may be slightly affected by complex system abnormalities that suddenly occurred at one point. But if they are different, their progress is hardly predictable.

Rasmussen points out "the wrong idea of thorough protection". In other words, an important meaning in the essence of this philosophy is that the system rarely responds actively to a single (one of the various manipulated variables and physical state variables in many systems). When only one change occurs, it is rare that the change exactly corresponds to one of the other state quantities.) As a result, many of the errors and failures committed by operators and maintenance personnel do not directly appear in the functional response from the system, leaving the potential effects of negligence inside the system. When such errors can be present in the system for an extended period of time, the probability of simultaneous occurrence of multiple faults, which always exists in the onset of an accident, will increase dramatically.

Rasmussen classified human behavior into three levels: "skills, rules, and knowledge". The major errors were categorized as follows.

Recognition stage Error format Planning Mistake Planning failure Consideration Lapse Failure during execution Slip Failure during execution Slip and collapse occurring at the level of the skill base (SB), rule base (RB) And a mistake that occurs at the level of knowledge (KB).

Further, an error due to a slip in SB occurs prior to problem detection. It is said that an error due to RB and KB mistaking occurs when searching for a subsequent solution (in this case, it is obvious that a problem exists).

The conditions for the occurrence of the slip correspond to, for example, distraction or engrossed attention. However, the RB and KB mistakes have the property that a limited focus of attention is not departed from the problem.

The three-level failure model proposed by Rasmussen is described in By Reason,
Improvement proposals have been made for thinking in two areas, "failure of monitoring" and "failure of problem solving". Also, J.I. Reason describes the philosophy of integrating the above two areas by considering the essence of errors made by humans and the environmental conditions in which they occur, but lacks the specificity, It is not practical.

As described above, errors and failures made by humans have become predictable because of appropriate research and elucidation of the theoretical and methodological aspects of cognitive psychology. However, there is a need for inventions regarding the construction and applicability of these specific means.

The prior art for this is described in the following publications, but the object of the present invention is to prevent human errors, extract errors latent in the target system, and set a time zone to be monitored. It holds issues to be solved in terms of law.

(1) "Plant operation monitoring device"; Japanese Patent Application Laid-Open No. 03-192498, short-term information and long-term information required for operation are created and displayed based on operation results. It does not mention when to monitor the information or prevent human error.

(2) "Driving guidance device";
Japanese Patent Application Laid-Open No. 4-44511 discloses that a procedure for operating operation is created and displayed by means for predicting a state transition of a plant when an operation fails, but the prediction means only compares the knowledge with the operation. Is directed to a case where an operation failure is apparent, and does not solve the above-described problem.

(3) "Plant monitoring device";
No. 175511, current and future plant statuses are selected and combined with a knowledge base (in order to determine whether or not each status of the currently operating plant is in a correct range, it is already stored. Selecting a corresponding one from the knowledge base or combining some of the stored data) to infer whether or not there is an abnormality, and does not solve the above-mentioned problem.

(4) "Process monitoring control device"; Japanese Patent Application Laid-Open No. 08-83388, for judging whether or not a change in operating condition is related to a specified physical quantity to be noted, and displaying it when it is related; It does not solve the above-mentioned problem.

As described above, an example of an accident at a nuclear power plant has been described above. However, factors related to the occurrence and failure of essential human errors include the operation and maintenance work of other plants and machinery. The same, and human-designed,
Obviously, it is also related to the occurrence of defects in manufacturing, inspection, testing, adjustment work, and the like.

[0041]

According to the above prior art, in the operation, maintenance, and monitoring of a plant, a machine, and the like, when an abnormal state occurs due to a change from a certain normal state, inspection and monitoring of the target equipment are performed. If you try to do so, the action guidance or maintenance / monitoring procedures for the operator may not be complete, or the physical condition of the target plant or mechanical equipment may change suddenly, and a person trying to deal with it may take action. No consideration has been given to the execution of operations that should be performed and immediate recovery, and no measures have been taken to prevent errors such as omitting necessary procedures during maintenance and monitoring work. Even a skilled technician, maintenance, or oversight can panic or inadvertently perform wrong procedures,
Failures based on so-called human errors were unavoidable, and efficient and safe long-term operation of the target plant and machinery was not guaranteed.

Further, even if it is determined from the output from the control device or the monitor device that the operating state is normal, when the operator attempts to perform any operation, a potential error is generated in the target system. It is not possible to check whether abnormal conditions or inefficiencies are likely to occur due to being embedded in the system or errors remaining in the system due to past operations,
Safe and adaptive operation of the entire plant and machinery was not guaranteed.

Although the simulation technology of a plant or a mechanical device has been greatly advanced, a large plant is formed by combining a target system and many other systems, and a large number of operations and disturbances are input to the large plant. Therefore, the number of combinations of various conditions that affect the driving state is enormous, and the conventional driving support technology has a limit in detecting potential errors and preventing human errors.

An object of the present invention is to measure a potential error that cannot be extracted only by ascertaining the state quantity of a target plant or a mechanical device, and to provide a control device that is notified of the detection of an abnormal situation. Of course, even if it is normal, if the operator tries to perform any operation, the operator is appropriately alerted, and the appropriate operation, maintenance, and monitoring are performed by managing the appropriateness of the operation itself. It is an object of the present invention to provide a safety support device for a plant or a mechanical device capable of performing the above.

[0045]

In order to solve the above problems, the present invention mainly employs the following configuration.

A monitoring device for monitoring plant data from measuring instruments mounted on the plant, an operation control device required for operation of the plant, and an abnormality at the site based on detection data from a sensor arranged at the plant site. In a plant safety support device comprising a monitoring system that discovers early, and the monitor device, the operation control device, and a display device that presents a change over time in output information and data from the monitoring system, an actual or potential A performance prediction unit that predicts a state change of a plant to extract an error existing in the verification unit, and a verification unit that confirms an allowable range of the performance value based on the result of the performance prediction unit and that matches a past failure case. An alerting means for alerting an operator when a result of the judgment by the performance prediction means is in doubt about safety; and Operation management means for comparing a past operation history related to the performance value and a database storing the precautions when a driving operation is required, and determining whether the operation is appropriate or not. Safety support equipment.

[0047]

DESCRIPTION OF THE PREFERRED EMBODIMENTS FIG. 1 shows a system configuration relating to operation, control and monitoring of a plant such as a nuclear power plant and a thermal power plant when the present invention is applied. In FIG. 1, 1 is a central control panel, 2 is a performance prediction device, 3 is a warning device, 4 is a collation device, 5 is a site monitoring system abnormality determination device, 6 is an image processing device, 7
Is a sound processing device, 8 is a live image switch, 9 is a live sound switch, 10 is a microphone preamplifier, 11 is a site monitoring system controller, 12 is a camera ((visible, infrared), 1
3 is a microphone, 14 is a monitoring robot, 15 is a vibrometer, 16 is a preamplifier, 17 is a vibration output switch, 18 is a rotating machine diagnostic device, 19 is plant data instruments, 20 is a plant data monitoring device, and 21 is plant control. apparatus,
22 is a plant site controller, 23 is an operation management device, 24
Represents a large screen, 25 and 26 represent a trouble check result display monitor and a sound annunciator, 27 represents a travel database, and 28 represents an operation history database.

In this embodiment, the camera 1 is installed at the plant site.
The image data sent from the surveillance robot equipped with the camera 2 and the microphone 13 is processed by a raw image switch 8 in which a predetermined target image is selected by a command from the abnormality determination device 5, and then the image processing device 6 and the abnormality determination device 5 is used to determine, by a predetermined processing algorithm, whether the monitoring target is normal, something different from normal, or abnormal.

On the other hand, the sound entering the microphone 13 is amplified by the preamplifier 10, and then the sound near a predetermined target site is selected by the live sound switch 9 in accordance with a command from the abnormality determination device 5, and then the sound processing is performed. The device 7 and the abnormality determination device 5 determine whether the status is normal, something different from normal, or abnormal based on a predetermined processing algorithm.

Information on the results of the above site monitoring system and on abnormal locations when abnormal, and plant information as needed (information from the plant data monitoring device 20)
Are input to the troubleshooting device 4.

Vibration data detected by a vibrometer 15 attached to a rotating machine such as a pump or a fan (blower) is amplified by a preamplifier 16 and predetermined data is selected by a vibration output device 17 to diagnose a rotating machine. The diagnosis is performed by the device 18. This diagnosis result is input to the troubleshooting device 4.

In the central control panel 1, the operator visually confirms whether the physical state quantities of the respective component systems of the current plant are normal, for example, by a graph or a trend displayed on the large screen 24. Usually, there is no special operation by the operator because it is automatic operation with a certain target load, but for the purpose of starting, changing the load, stopping, etc., the operation of the operator and the careful transition of the plant data over time are not a little. Monitoring is required.

In either the automatic operation or the manual operation, a command from the central control panel 1 passes through the plant control device 21 to activate each controller 22 at the site. As a result of this operation, the state of each system changes and data such as pressure, flow rate, and temperature are sent to the plant data monitoring device 20 by the instruments 19. These plant data are fed back to the plant data control device 22 and are necessary for determining control values every moment. The information is also sent to the performance prediction device 2, the alert device 3, and the troubleshooting device 4, which are one of the embodiments of the present invention.

The troubleshooting (collating) device 4 receives a command issued from the central control panel 1 and
In performing the operation, troubles and accidents up to now,
The trouble database 2 is used to judge whether the operation is comparable to the operation related to the cause of the trouble event, or whether it is a safe command or not, or whether it is safe for the operation of the plant.
7 and compared. This collation result is displayed in text on the trouble check result display monitor 25 as guidance, and if it is not determined that the operation is safe, a warning is issued to the operator by the audio annunciator 26.

The alerting device 3 receives the output of the troubleshooting device 4, the output of the performance prediction device 2 and the output of the plant data monitoring device 20, and instructs the operator on the safety of the operation. In addition to posting the judgment result such as the problem in the above or the lack of the indispensable operation, or the necessity of reconsideration of the execution, on the large screen 24 in the form of a character display, and also by sound notification from the sound notifier 26, introduce. If the operation is a normal operation and there is no problem, the fact is notified to the performance prediction device 2.

In the performance prediction device 2, the central control panel 1
If there is a command from the alerting device 3 or the troubleshooting device 4, the operation using physical data of the necessary system from the plant data monitoring device 20 to grasp the current plant state is performed. Is executed, the transition of the related system is calculated and predicted. Then, the result is transmitted to the alert device 3 and the operation management device 23.

In the operation management device 23, the command signal from the central control panel 1 and the predicted value of the plant data from the performance prediction device 2 are inputted, and when the warning device 3 issues a warning, The operation history database 28 storing the operation history is compared with the operation to check the validity of the operation, and the result is notified to the operator by the large screen 24 and the audio annunciator 26 in the central operation room.

In summary, when the driving operation is performed, if it is determined that the driving operation is not safe based on the past trouble experience or the data prediction value immediately after the operation, the warning device 3 finally issues a warning. Can be

On the other hand, if the operation is different from the procedure previously adjusted and determined in the design stage or the test operation stage, a warning is given to the operator from the operation management device 23, and a request for reconsideration of the operation is requested, and Will be presented.

(1) Detection of Potential Error A potential error, whose behavior is affected by some random disturbance or forced operation, if the physical quantity is linear in nature. Since the control can be performed within the target control range by the already-controlled algorithm, no problem occurs in the operation of the system.

This can be determined by monitoring the temporal behavior of the simulation of the plant triggered by each operation. This simulation is constantly calculated by the performance prediction means of the present invention.

FIG. 2 shows this principle. Based on input data U (t) of the actual system, data Y output by a model M of the dynamic characteristic of the target plant or mechanical device
_M (t) is obtained by adding V (t) such as an external disturbance to the actual output value of the plant to obtain the value of Y (t).

The difference between Y _M (t) and Y (t) corresponds to the difference between the real system and the model M. The automatic operation is continued by feeding back this difference and operating the related operating device. This difference includes the error of the model M itself, but this deviation can be ignored for the continuation of the operation due to the performance of the plant or adjustment at the time of the trial operation. In the present invention, the temporal behavior of the output Y _M (t) by the model M is monitored.

In this performance prediction means, the temporal behavior of the error ε (t) is monitored. And this error ε
Even if (t) is linear and can be controlled within the allowable range by the current control device and logic, errors and failures created during the design, manufacture, test run, commercial operation, etc. of the plant or machinery concerned Are potentially present, and may cause extensive instability in response to an operation or disturbance by a certain operator.

It is important to determine whether the deviation ε (t) can be controlled to an allowable range or expanded non-linearly even if the temporal transition of the deviation ε (t) deviates from the linear region. This judgment is a big problem that if you move from a linear area to a strong nonlinear area, it will go through a chaotic area, and finally it will be difficult to recover even with conventional control logic and emergency operation. This is a point for the performance prediction means.

Whether or not this region is chaotic depends on whether the physical quantity f (t) related to the error ε (t), here the output Y _M (t) of the model M, deviates from the control range with time. Whether or not it is possible to restore the normal state even after the critical time tc shown by the following equation (1) has elapsed, that is, when it is unlikely that the normal state can be restored by the predetermined logic or the operation by the operator within this critical time, The operator is alerted, and the display device promptly presents a plurality of operation procedures, prohibited operations, and check items as treatment guidance.

Tc〜λ ⁻¹ · lnε ⁻¹ (1) where λ is called Lyapunov exponent, and
Indicates that the left side is equal to the right side in order.

The Lyapunov exponent λ can be calculated by the following equation (2).

[0069] Here, f is a certain physical quantity of the system, and |
f '| is the absolute value of the time variation.

If the Lyapunov exponent λ (f) is negative, it converges to a certain appropriate point, but if it becomes positive, the initial error ε (t) diverges with time.

Thus, the monitoring of the Lyapunov exponent and the monitoring of the critical time are effective and necessary conditions for detecting errors potentially lurking in the system.

That is, based on the time series data of chaotic phenomena, the plant state is reconstructed to estimate its nonlinear dynamic, and how much the instability of the system shifts is determined by the critical time. By monitoring how far it is, if you use a stochastic prediction method at most conventionally, there is a danger that a certain physical quantity of the system enters the danger area and it becomes difficult to control, In such an emergency, humans tend to make simple errors, but they can escape such delays. Such highly accurate prediction can be performed, and is called deterministic nonlinear prediction.

FIG. 3 shows the relationship between the conventional linear prediction, the stochastic prediction, and the deterministic nonlinear prediction in the embodiment of the present invention.

This is the case where the plant or the machine is operating stably and is usually in the area of linear prediction, and the operation is continued according to the previously designed automatic control and operation procedure manual. However, as the target system becomes more complicated, potential incorporation into the system, such as errors and disturbances during the design, commissioning, and operation stages, is unavoidable. The good news is that traditional prediction methods are powerless.

On the other hand, human operators and maintenance personnel have a very wide variety of factors such as inattentiveness, excessive attention, omission of checks, degree of experience, etc. The operation of a plant or machine as a joint operation between a human and a complex system can be dangerous from the point in time when a certain number of operations, failures and errors accumulate, or triggered by certain operations It has potential.

FIG. 4 shows that the recirculation flow rate of the BWR plant is about 5%.
5 shows the dynamic characteristics when% is increased. The time change of the reactor pressure set point, neutron flux, heat flux, steam flow rate, average void, core pressure, reactor water level, feedwater flow rate, and core enthalpy are shown.
While the increase of about 5% of the recirculation flow rate is almost stable in about 20 to 30 seconds, each property value is at least about 60 seconds.
It can be seen that the state has shifted to the equilibrium state at ec.

Therefore, in this system, it is possible to have a time series range of about 1 minute. In this system, if there is a measurement error of a certain physical quantity or an error of about 5% in the set value, the Lyapunov exponent λ changes from negative to positive for some reason (this includes an error built in the system), For example, assume that λ = 0.3. Then the critical time for this system is:

Tc〜 (0.3) ⁻¹ · ln (0.05) ⁻¹ = 10.0 (3) In other words, the present invention is based on an area where linear prediction can be performed with respect to a change in the recirculation flow rate of the BWR plant. From the equation (3), the time until the area where the deterministic nonlinear prediction is effective is about 1 minute because the system establishment time is about 1 minute (system establishment time; about 1 minute) × 10.0 = about 60 minutes. That is, a certain operation, about 60
Minutes can be said to be important time periods for which prediction is effective. Of course, since the Lyapunov exponent λ changes with time, the critical time tc always changes.

FIG. 5 shows the change over time of the steam amount when the recirculation flow rate of the BWR plant is rapidly increased. This figure shows the relationship with subsequent operations.

This figure shows the results of a simulation of a change in the flow rate of steam generated when the recirculation flow rate is suddenly changed and a subsequent operation appropriate for design is performed.
From this result, it can be confirmed that the three operations A, B, and (1) are within the control range as a result, but the subsequent operation and operation C are inappropriate (see FIG. 3). As shown, in the case of a chaotic case where the initial deviation amount increases with time, for example, in the operation of FIG.
Clearly cannot prevent the steam flow rate from exceeding the upper limit value).

The operation after the occurrence of such a disturbance (here, a sudden change in the recirculation flow rate) involves not only the target system but also a number of related systems, each of which has a different time delay and a different degree of reaction. Because there is,
In particular, it is not always possible to take sufficient measures at the time of design.

In some cases, it is not obvious that the operation (1) or the operation is not directly effective in controlling the steam amount in advance. In situations like this that have never been experienced before, operators and maintenance personnel are overloaded.
In addition, it becomes easy to commit human error.

Even if the operation C in FIG. 5 is normally an operation that has a direct effect on reducing the amount of steam, it is understood that the effect is not effective in this case. Also, it is often unclear whether the deviation indicated by the crosses in the figure is merely a linear disturbance or a potential error.

Therefore, in order to avoid such a situation, the above problem can be solved by enhancing the monitoring within the critical time of the equation (1) and monitoring the sign of the Lyapunov exponent of the equation (2) according to the present invention. .

(2) Collation Apparatus and Operation Management Apparatus The results and prediction data obtained by the performance prediction apparatus described in the above item (1) are input to the collation apparatus. In this system, first, it is checked whether the time variation of the physical quantity such as pressure, temperature, flow rate, level, etc. of the system is within a proper range, and whether the magnitude of the time derivative is within a predetermined limit value. If it is out of the range or is likely to be out of the range, the time change of the related physical quantity in the performance prediction device of the above (1) is evaluated in order from the newest operation in the past operation procedure of the real system. To understand how much the latest operation has affected the system.

The degree of influence is to be evaluated over at least the critical time obtained by the performance prediction device 2.

The collation apparatus 4 determines whether the operation procedure operation is newly performed or has been performed in the past based on the treatment guidance stored in the trouble database 27. .

Further, the operation management device 23 lists operation items close to past execution experience based on the result of comparison with the operation history database 28 and
And the operator is informed by the audio notifier 26.

FIG. 11 shows an example of the treatment guidance when the recirculation flow rate of the BWR plant increases rapidly. The treatment guidance in this embodiment is NO. 1 to NO. The five major items are composed of operation items, priority of each operation, operation symbol, and global operation classification. For the time being, the operation item to be executed is collated with the global operation classification symbol, and then collated with each operation symbol and fixed.

At this time, if the corresponding operation symbol does not exist in the database, the operator is informed through the alert device 3 to that effect.

Further, the trouble database 27 includes
The trouble cases so far are stored as the operation symbols that caused the trouble. Then, it is possible to derive peripheral plant data and considerations related to the cause from the operation symbol. This related information is displayed on the trouble check result display monitor 25 as character information.

Further, since the risk or the priority is also included in the trouble check result display, the operator can operate in a mentally stable state and can perform other check operations.

Further, based on information such as past trouble cases and trouble-related events, the actual plant data 20, the on-site monitoring system abnormality judging device 5, the rotating machine diagnosing device 18 and the operation do not cause any problem in future plant operation. If it is not possible to judge whether the operation is normal or not, a message to that effect is displayed on the trouble check result display monitor 25 and, at the same time, the operator is notified by the audio notifier 26.

When the operation state of the plant is normal,
If the result of the check is the result of the check by the performance prediction device 2 and the result of the prediction by the simulation, the operation procedure is newly stored in the trouble database 27 to be added or updated. Naturally, when a trouble occurs unfortunately and a matter to be noted arises, the plant data at this time, the executed operation procedure, the peripheral conditions, and the like are added to the trouble database 27.

The collation device 4 or the operation management device 23
When the help function is activated, the operator or maintenance personnel has a built-in help function when the current plant condition is unknown or before the relevant operation is performed. The prediction device 2, the alert device 3, the collation device 4, and the operation management device 23 are activated, and their outputs are output to the large screen 24, the trouble check result display monitor 25, and the audio annunciator 26. Guidance can be obtained at the timing desired by the operator.

(3) Operation Management Apparatus The operation management apparatus 23 shown in FIG. 1 stores a past operation history of the plant or the machine based on a command from the central operation panel 1 and information from the performance prediction apparatus 2. This can be realized by performing collation with the stored operation history database 28.

In the collation with the operation history, as shown in FIG. 11, the operation symbols are made to correspond one to one for each operation item. Control rod in form; α, steam pressure; β,
Water supply amount; γ, steam flow rate: ζ, engineering safety system; θ.

Of the global operation classifications, two to four are determined in advance in the design stage, the magnitude of the influence of the operation on the target system, that is, the priority of each operation item in FIG. As an example, one or a plurality of combinations, that is, two, three, or four combinations are selected.

Then, an operation panel, which allows the operator to make a direct contact diagnosis, is mounted on the operation management device 23 in a geometric figure as shown in FIG. If this geometrical figure is displayed on the operation panel, the selected combination of the two to four types of operations can be appealed to the operator visually, and furthermore, the operation panel is touched by the operator. By doing so, it is possible to select a combination that is appropriate or to be considered from the above combinations, so that an operation that also serves as confirmation by human touch can be performed.

The effect of appealing to the human visual sense is that short-term memory has a limit of 7 ± 2 types. Therefore, there are four types in the above general classification, that is, nine types of combinations. The limit of the divisional display of the geometrical figure of was limited. Presenting more than these nine combinations causes visual confusion.

When one of the combinations in the operation panel is selected by palpation, a system diagram relating to the operation is automatically displayed on the large screen 24, and at the same time, the operation is compared and collated with the operation history database 28. At the same time, if it is determined that the evaluation result including the temporal change of the related physical quantity in the performance prediction device 2 is not a linear region and is not stable,
A line to be noted on the system diagram for the operation is notified via the alerting device 3 by a method such as coloring the line with a color different from the normal state.

In the operation panel, when the operator selects one time, only the combination portion of the operation changes color, so that the selection can be confirmed, and the combination that causes a missing check can be eliminated. Further, the operation items are listed on the large screen 24 in accordance with the operation on the operation panel.

The display on the operation panel will be described by taking as an example a case where four operations are applied to FIG.

First, when each operation is independent, A, B,
Touching the circles C and D selects the operation. Next, in the case of selecting two combinations, touching any of the positions of 図 in the figure allows the corresponding combination to be selected. Next, in the case of selecting three combinations, touching any of the positions of 図 in the figure allows the corresponding combination to be selected. Finally, when it is desired to select a combination of all four operations, the selection can be made automatically and reliably by touching.

Similarly, in the case of two or three cases, the combinations are all represented by one figure.

Further, the progress of a certain operation by the operator and the operation sequence for each step during automatic operation are registered in the operation history database 28, and when the operation is called from this database when necessary, the operation Be sure to output the previous and next operations. This purpose is conceived as a measure to prevent human beings from making the following errors.

For example, when inspecting a valve in preventive maintenance of a compressor, the following mistakes are likely to occur. "Check and clean suction and pressure valves. Replace damaged valves. Replace packing. Clean around valves." Here, the most common step is replacing the packing. This is due to the strong impression of the event that the valve was damaged, and the subsequent routine work was inadvertently forgotten.

(4) Error handling at three levels As described in the prior art, Rasmussen and Rea
For errors and failures at the three levels (skill level, rule level, and knowledge level) proposed by Son et al., the detection and problem solving are arranged in series, and the transition from one level to the next is extremely It is stated only with ambiguous criteria.

In the present invention, the skill level, the rule level, and the knowledge level are processed in parallel. As a specific measure for this, the present embodiment is as follows.

Skill level In order to correspond to routine actions in a familiar environment, troubles are recorded in the operation procedure manual that summarizes past operation results related to the target plant or mechanical device or the results of design and test operation adjustment for each system. Each operation is symbolized and stored in the database 27 and the operation history database 28.

Rule Level The feature of this rule base is that the underlying IF-THEN
The operation is guided from the state by the form.
In the present embodiment, the performance management device 23 compares the temporal behavior of the target system in the performance prediction device 2 with the state change using the plant model M and the operation procedure of the skill level described above. Evaluate the validity of

Knowledge level In the present embodiment, the performance prediction device 2 and the collation device 4 track the temporal behavior of the system and monitor its physical stability within the critical time by monitoring the positive / negative of the Lyapunov exponent. Monitoring can be prioritized.

As described above, in the present embodiment, the causes of the above-mentioned levels or the solutions thereof are determined by the practical use of the four devices of the performance prediction device 2, the alerting device 3, the collation device 4, and the operation management device 23. The measures can now be executed in parallel.

Other embodiments of the present invention include (1) application to various plants such as thermal power plants and chemical plants, (2) application to transportation means such as railways, airplanes, ships, and automobiles, and (3) ) In addition, it is preferable to apply the method to a target field that requires human decision-making other than natural science and is likely to cause errors and failures.

As described above, the present invention includes those having the following configuration examples and functions.

(1) A monitoring device for monitoring plant data from measuring instruments mounted on a plant or a mechanical device, an operation control device necessary for operation of the plant, and detection data from sensors arranged at the plant site A plant operation control device comprising: a monitoring system that detects an abnormality at a site at an early stage based on the information; and a display device that presents output information and data from the monitoring system over time. Has performance prediction means for predicting plant state changes in order to extract potential or potential errors, based on the results of the prediction means, confirming the permissible range of the performance value and collating it with past failure cases Collating means to perform, an alerting device that alerts the operator when the judgment result of the performance prediction means has a question about safety, and the performance prediction means Operation management means for comparing a past operation history related to the performance value and a database storing the precautions when the operation operation of the plant is required, and determining whether the operation is appropriate or not. Plant or machinery safety support equipment.

(2) A monitoring device for monitoring plant data from measuring instruments arranged in a plant or a mechanical device, an operation control device for starting / stopping / changing a load and stably operating a plant, and a device installed at a plant site. A plant operation comprising: a monitoring system that detects an abnormality at a site based on data from monitoring sensors such as a camera, a microphone, and a vibrometer; and a display unit that displays output information from the monitoring device, the control device, and the monitoring system. In the control device,
A display device is provided for displaying the system diagram including at least the operation target device operated by the operator and the automatic operation target device in the automatic operation in the entire system diagram of the plant, and each time the target operation device is operated, A safety support device for a plant or a mechanical device provided with a warning device that displays only a system related to the predicted performance on the display device and issues an alarm when the result of the prediction by the performance prediction device cannot be confirmed to be safe.

(3) In the performance predicting means of the above (1), the evaluation criterion of the predicting means is a method of predicting an irregular time-series signal based on deterministic nonlinear theory, and changes in a short time by the normal operation. By estimating whether or not the physical quantity of the plant exceeds a predetermined normal range of the system, it is possible to extract or avoid errors created during the design of the target plant, adjustment of test operation, etc. A safety support device for a plant or a mechanical device provided with operation management means for issuing an instruction to reconsider the execution of an operation.

(4) In the performance prediction means of (3), the monitoring time of the physical quantity of the system is determined by using a method of predicting an irregular time-series signal based on deterministic nonlinear theory, which is an evaluation criterion of the prediction means. A safety support device for a plant or a mechanical device based on the critical time obtained by the time variation of the physical quantity.

(5) In the operation management means of the above (1), when a plurality of operations are executed in combination at the time of manual or automatic driving, the performance is predicted by the operation management means and the management of the operation by the operation management means. A safety support device for a plant or a mechanical device in which an operation panel having a geometrical figure is installed to examine the validity.

(6) When the operator manually operates the entire or partial system of the target plant or the mechanical device, the operation management means of (1) displays at least the guidance for executing the preceding and following operations. And a safety support method for a plant or a mechanical device that can always check operations before and after the operation as the operation of the operator progresses.

According to the present invention, when an operation is to be executed not only when an abnormality occurs but also when the operation is normal in the continuation of the operation of the plant or the mechanical device, a display such as coloring is displayed on a system diagram related to the operation. Attention is paid by performing the above, and there is a performance prediction means for predicting the effect of the operation on the target plant or the mechanical device, and by displaying the result and precautions on the display device as guidance, at least in the past Errors, breakdowns, and accidents can be presented to the operator.

Furthermore, since the operation can be compared with a procedure set and adjusted in advance, and the degree of validity or another operation to be performed can be presented, for example, the technical level, the driving experience, etc. Regardless of the nature of the content, the situation will cause a mental panic, prevent accidents and failures from progressing due to malfunctions, forgetting to take measures, delays in response, etc., and promptly and reliably recovering from abnormal conditions. .

Further, an error that is lurking in the target system and has not become apparent cannot be particularly detected by the above-mentioned alerting device. The transition of the data is evaluated by the performance prediction means and the result is displayed on the display device, so that the potential error can be detected, and furthermore, the safety operation of the target plant or the target device can be continued or immediately from the abnormal state. Recovery is possible.

[0125]

According to the present invention, it is easy for humans to inadvertently omit checking of the influence of the operation on the related system during normal operation of the plant or machine during operation. Errors can be prevented, and even if a potential error exists in the system, it can be positively revealed, so by combining operations in a complex system, etc.
It is possible to prevent a large abnormal situation from occurring after a sufficient time has passed. And after an event,
It is possible to evaluate how much time is important time zone to be monitored, so that monitoring can be prioritized and efficiency can be improved.

Also, while a human operator or a maintenance person has excellent capabilities such as perception, inference, and judgment, the computer system outputs results based on certain mechanically determined rules. Compared to being good at it, it has the disadvantage that it depends on the mental state and environmental conditions.
According to the present invention, even such a simple operation can be performed without fail, and even in an abnormal situation, an operation such as proper operation continuation or emergency stop can be reliably executed.

[Brief description of the drawings]

FIG. 1 is a diagram showing a configuration of a plant safety support system according to an embodiment of the present invention.

FIG. 2 is a diagram showing a conventional simulation model in a plant.

FIG. 3 is a diagram showing a deterministic nonlinear prediction method according to the embodiment of the present invention.

FIG. 4 is a diagram showing dynamic characteristics of a BWR plant.

FIG. 5 is a diagram showing a change over time of a BWR / steam flow rate in a conventional technique.

FIG. 6 is a diagram illustrating a display example of a combination of operations on an operation panel according to the embodiment of the present invention.

FIG. 7 is a display explanatory diagram for selecting an operation on an operation panel according to the embodiment of the present invention.

FIG. 8 is a configuration diagram of a conventional output control device of a BWR plant.

FIG. 9 is a block diagram of a BWR water supply control system according to the related art.

FIG. 10 is a diagram showing performance calculation of a nuclear reactor plant according to the related art.

FIG. 11 is a diagram showing an example of treatment guidance when the recirculation flow rate is rapidly increased.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 1 Central control panel 2 Performance prediction device 3 Warning device 4 Verification device 5 On-site monitoring system abnormality judgment device 6 Image processing device 7 Sound processing device 8 Raw image switch 9 Raw sound switch 10 Microphone preamplifier 11 Site monitoring system control device 12 Camera (visible, infrared) 13 Microphone 14 Monitoring robot 15 Vibrometer 16 Preamplifier 17 Vibration output switch 18 Rotating machine diagnostic device 19 Plant data instruments 20 Plant data monitoring device 21 Plant control device 22 Plant site controller 23 Operation management device 24 Large screen 25, 26 Trouble check result display monitor and audio annunciator 27 Travel database 28 Operation history database

──────────────────────────────────────────────────の Continued on the front page (51) Int.Cl. ⁶ Identification symbol FI G08B 31/00 G08B 31/00 A G21D 3/00 GDB G21D 3/00 GBDB

Claims (6)

[Claims] 1. A monitoring device for monitoring plant data from measuring instruments mounted on a plant or a mechanical device (hereinafter referred to as a “plant”), an operation control device necessary for operating the plant, and A monitoring system that detects an abnormality at the site at an early stage based on detection data from the sensor, and a display device that presents output information and data over time from the monitoring device, the operation control device, and the monitoring system. In a plant safety support device, a performance prediction means for predicting a change in the state of the plant in order to extract an actual or potential error, and confirming an allowable range of the performance value based on a result of the performance prediction means. And a collating means for collating with a past failure case, and a caution alerting the operator when the judgment result of the performance predicting means has a question about safety. Originating means, when the operation of the plant is required by the performance prediction means, a comparison is made between a past operation history related to the performance value and a database storing notes thereof, and whether the operation is appropriate or not. And an operation management means for judging the condition. 2. A monitoring device for monitoring plant data from measuring instruments disposed in a plant, an operation control device for starting / stopping / changing a load and stably operating the plant, and a camera and a microphone installed at the plant site. A monitoring system that detects an abnormality at the site by data from a monitoring sensor including a vibration meter, and the monitoring device, an operation control device,
A display device for displaying output information from a monitoring system; a plant safety support device comprising: a performance prediction means for predicting a change in the state of the plant in order to extract an actual or potential error; and a plant. The display device that displays the system diagram including at least the operation target device operated by the operator and the automatic operation target device in the automatic operation in the entire system diagram, and each time the operator operation target device is operated. A warning device that displays only a system related to the predicted performance on the display device and issues an alarm when the result of prediction by the performance prediction device cannot be confirmed to be safe. Safety support equipment. 3. The plant safety support device according to claim 1, wherein the performance predicting means sets the evaluation criterion to a method of predicting an irregular time-series signal based on deterministic nonlinear theory, and shortens the normal operation. By estimating whether the physical quantity of the plant that changes over time exceeds the normal range of the predetermined plant configuration system, it is possible to reduce errors created during the design of the target plant, test run adjustment, etc. A safety support device for a plant, which is extracted or avoided. 4. The plant safety support apparatus according to claim 3, wherein the performance prediction means uses a method of predicting an irregular time-series signal based on a deterministic nonlinear theory as an evaluation criterion,
A plant safety support apparatus characterized in that a monitoring time of a physical quantity of a constituent system of a plant is based on a critical time obtained from a time variation of the physical quantity. 5. The plant safety support apparatus according to claim 1, wherein the operation management unit is configured to execute a combination of a plurality of operations during a manual or automatic operation. A safety support system for a plant, wherein an operation panel having a geometrical figure is installed in order to predict the performance of the system and to examine the validity of the operation by the operation management means. 6. The plant safety support device according to claim 1, wherein, when an operator manually operates the whole or partial system of the plant, at least the operation before and after the operation is performed by the operation management unit. A plant safety support device, wherein execution guidance is displayed on the display device, and operations before and after the operation can be constantly checked as the operation of the operator progresses.