KR102003748B1 - Local component interface modle characterizing common cause failure tolerance and condition/performance monitoring capability and method for developing the same - Google Patents

Abstract

The present invention provides a safety system field apparatus field operation module which is robust to a common type failure and monitors apparatus condition/performance. The safety system field apparatus operation module comprises: a relay actuator including a voltage monitor and a current monitor; a priority logic receiving a signal from various systems in a power plant and generating an operation signal for a field apparatus based on a priority for the received signals; a control logic operating the relay actuator in accordance with the operation signal to operate the field apparatus; a test and diagnosis logic testing operability of the field apparatus; and a connection test logic.

Description

TECHNICAL FIELD The present invention relates to a safety system field device operation module and a method of developing the same, which is robust against a common type failure and features device state / performance monitoring, and a development method thereof. BACKGROUND OF THE INVENTION Field of the Invention [0001]

The present invention relates to a safety facility monitoring module.

In case of OPR1000 and APR1400 type nuclear power plants in Korea (Korean standard nuclear power plant built after Uljin 3,4), nuclear power plant engineering safety equipment operation system is installed. This system functions to operate the safety device to mitigate the result of the design basis accident to within tolerance. When the plant process variables are at a level that will cause the protective action, the following operating signals are generated to prevent the radioactive material from diffusing into the atmosphere outside the reactor building.

- Safety injection operation system

- containment building isolation operating system

- Containment building water spraying system

- Main Steam Isolation Signal Operating System

- auxiliary water supply operating system

The engineering safety system operating system adopts the multi-stage signal as shown in Fig. 1 and establishes a multi-protection system so that the above-mentioned five operating systems always maintain their functions even if the malfunction or human error occurs.

Referring to FIG. 1, a device associated with the engineering safety system of the nuclear power plant 1000 is manually controlled by a switch for minimum volume control or a computer-linked soft controller. This control is executed by the operator. Two different signals are provided with OR logic tied to the engineering safety equipment operating system input. Two different signals are provided to allow the operator to actuate the associated device by pressing the physical switch installed on the control panel if the control by the computer fails.

These two signals are intercepted by the NOT logic when an automatically initiated engineering safety signal is provided in the plant protection system and the operating signal of the plant protection system is injected directly. Signals from the plant protection system are also blocked by the NOT logic when the multi-control manual switch is pressed by the operator, and the field devices (component, pump, valve, breaker) are activated directly by the multi-control manual signal. This multiple operating system is due to the design, which is the subject of the present invention, to impart robustness to common faults.

Products used in the APR1400 Nuclear Power Plant (domestic: Shinrimi 3,4,5,6, overseas: UAE Baraka Nuclear Power Plant 1, 2, 3 and 4) manage multiple protection circuits by priority . 2 is a representative diagram of the system described in the prior patent (patent name: component interface module, registration number: 1009045770000). (The preceding patent has translated the term "component of the engineering safety equipment" as "component".) The contents of the patent summarized in the preceding patent are as follows.

The component interface module (CIM) of the prior patent modulates through the priority logic component command signal from the redundant system and integrates the selected priority command signal with the component feedback signal in the component logic, And generates control signals for the components in the complex plant. Non-software based CIMs are programmable for use with various plant components. The component logic includes blocking logic to prevent or terminate the generation of a control signal when the component actuation is complete. Diagnostics integrated within the CIM include input port interface testing, pulse testing to continuously check proper propagation of test pulses through priority and component logic, and functional testing of CIM output devices such as repeaters.

3 is a block diagram of a diagnostic function implemented in the FPGA 25 of FIG. (As shown in Figure 5 in the prior patent specification)

 The prior art discloses that the priority of the operation input is set using the 22 jumpers (Table 1 below), and the operation states of the various devices such as the valve, the pump, and the breaker are also set (Table 2 below). Table 1 illustrates the concept of prioritizing four operational inputs with a priority mode jumper. There is an advantage that four priorities can be set with one logic.

Table 2 below defines the configuration jumpers for each device.

The prior art has the advantage that one module can be commonly used regardless of the types of field devices such as pumps, valves, and circuit breakers by using a single FPGA (field programmable gate array) control logic.

However, the CIM disclosed in the prior patent deals with engineering safety system field devices operating in the abnormal / emergency condition of the nuclear power plant, and in the case of logic not connected by a jumper, Is partially unsatisfactory. In addition, if the jumper is set incorrectly, it may cause malfunction of the engineering safety system field device, or because there is no automatic diagnosis function for the jumper setting, it takes a lot of time and manpower because the maintenance person has to manually determine the adequacy and diagnose .

A safety system field-of-site instrumentation operating module that is robust against common-type faults and features device status / performance monitoring can be provided.

The technical problem to be solved by this embodiment is not limited to the above-described technical problems, and other technical problems can be deduced from the following embodiments.

The safety system field instrument operating module comprises: a relay driver including a voltage monitor and a current monitor; a signal generator for generating an operating signal for a field device based on priorities of signals received and input from various systems in the plant; Priority logic, control logic for operating the field device by operating the relay driver in accordance with the activation signal, test and diagnostic logic for testing the operability of the field device, and linkage test logic.

The input of the priority logic may include at least one of a reactor protection system, an engineering safety facility operating system, a diversity protection system, a control room direct manual control, and an on-site manual control system.

Each of the priority logic and the control logic may include a dedicated logic circuit for each operation type of the field device.

The type of operation of the field device includes at least one of an electric breaker for a large motor, a motor drive valve, a non-reversing motor drive pump, a solenoid valve, a main steam isolation valve, a diesel generator power sequential feeder, .

The relay driver may monitor the state and performance of the field device based on voltage and current information obtained from the voltage monitor and the current monitor, respectively.

Determining an RMS value using an instantaneous current value measured by operating a field device, determining a derivative value for the RMS, determining time intervals based on a time point at which the differential value is zero, Comparing the size of time and current for each of the plurality of fault modes with predetermined fault modes, and determining the state of the field device as at least one of the fault modes as a result of the pattern comparison.

The on-site device is a SOV and the failure modes include a state in which the SOV is not open, a state in which the SOV is slightly open, a state in which the SOV is at least partially closed due to an operation failure, a noise over state, . ≪ / RTI >

And outputting the detailed reason for the determined failure mode by inputting the determined failure mode to the prediction model, wherein the prediction model is a model of the artificial neural network in which machine learning is performed using data on domestic / Model.

A safety system field-of-site instrumentation operating module that is robust against common-type faults and features device status / performance monitoring can be provided.

1 shows a control system of a nuclear power plant according to an embodiment.
2 shows a representative view of the prior patent.
3 is a block diagram of a diagnostic function implemented in the FPGA 25 of FIG.
FIG. 4 is a block diagram of an ESC Local Component Interface Module (ELCIM) according to one embodiment.
5 is an overall block diagram of an ELCIM applied to a motor-operated valve, in accordance with one embodiment.
6 shows a block diagram of priority logic, in accordance with one embodiment.
Figure 7 illustrates the concept of a dual FPGA implementation design for a common type fault tolerant design, in accordance with one embodiment.
8 is a conceptual diagram of a system for a failure and malfunction discrimination function of a field device according to an embodiment.
9 is a flowchart illustrating an algorithm for measuring an instantaneous value of a current / voltage when an SOV (Solenoid Operated Valves) valve is operated and analyzing the tendency thereof to determine the presence or absence of a failure and the location of a failure FIG.
10A is an alternating current waveform measured when a steady state SOV is operated, according to one embodiment.
Figure 10B is a current waveform during operation taken in a steady state SOV, according to one embodiment.
11 shows a flowchart of a signal processing method according to an embodiment.
12 is a graph showing a current value and a differential value of a current with respect to time according to an embodiment.
FIG. 13 is a logic diagram illustrating a reason for inferring the cause of a failure of a field device operated by a CIM by a Big Data method according to an exemplary embodiment and presenting an action item through empirical data.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In the following, several embodiments will be described in detail and with reference to the accompanying drawings so that those skilled in the art will readily understand the present invention. will be.

Also, the term "module" as used herein may mean a hardware component, component, circuit or device, such as an FPGA or ASIC.

FIG. 4 is a block diagram of an ESC Local Component Interface Module (ELCIM) according to one embodiment.

Referring to FIG. 4, the safety system instrument field actuation module 4000 may include priority logic, control logic, test and diagnostic logic, linkage test logic, and a relay driver.

 The priority logic may generate signals for field devices based on priorities for signals received and input from various systems in the plant. According to one embodiment, the priority logic may have three input ports: Port X, Port Y, and Port Z. A signal input from the diversity protection system can be received through Port Y when a signal input from the plant protection system and the engineering safety system operation system is abnormally increased through the port X and the steam generator level change or the containment vessel pressure abnormally increases. In addition, a signal generated from the multi-control passive switch can also be received by Port Z (see FIG. 1).

The control logic activates the relay driver according to the type of operation signal to operate the field devices such as pumps, valves, breakers and the like. At this time, the field device (component) feedback signal is inputted to the control logic to judge whether the operation of the device is performed well in the predetermined order. If the machine operation can not be performed in the prescribed order, a trouble alarm is output to be displayed on the control room operator's computer. The relay driver may include a voltage monitor and a current monitor. The relay drive signal is monitored by the voltage monitor and the current monitor to constantly monitor whether a proper signal is output. If the signal does not come out smoothly, send a Disable alarm to the control room operator so that you can take action. In the present invention, a diagnosis function for monitoring the state and performance of the field device at all times is also implemented using the voltage monitor signal and the current monitor signal (see FIGS. 8 to 13).

The linkage test logic is a facility that performs logic control for equipment operation of a power plant. The input signal of the connection test logic uses the automatic control signal which is received by the operation command coming in through the switch, the control system and the condition and condition signal of the field device, and at the same time, the alarm occurrence, the status light, have.

The safety system appliance field operating module (4000) shall be operable through periodic tests. Test and diagnostic logic can be implemented for this. The test and diagnostic logic tests the priority logic and control logic by the first checksum, the operability of the relay driver, and the proper operation of the voltage monitor and current monitor. The test can be manually initiated and automatically tested by a maintenance person, and the test signal is given as the linkage test logic so that the priority logic and control logic can not output the signal during the test period. Since the priority logic and control logic are redundant, only one channel is bypassed when the field device is required to be operated during the test, so that the desired field device can be operated by the second channel. Referring to FIG. 5, it can be seen that the priority logic and control logic are bypassed by test and diagnostic logic.

6 shows a block diagram of priority logic, in accordance with one embodiment.

Inputs of priority logic include reactor protection system, diversity protection system, control room direct manual control system, and field direct manual control system. All of the signal inputs except the diversity protection system have a structure that is directly connected as a contact signal. Unlike the previous patent, it can be seen that the direct connection is made without any jumper.

Examples. On-site device control Safety module for each group

In the present invention, as shown in the following Table 3, the field devices operated by the safety system device field operation module 4000 are classified into the control groups according to the operation type to simplify the logic circuit between the input and the signal, thereby reducing the malfunction and the failure probability .

Control group name Group 1 Electric circuit breaker for large motors Group 2 Motor drive valve Group 3 Non-reversing motor-driven pump Group 4 Solenoid valve Group 5 Main Steam Isolation Valve / Main Water Isolation Valve Group 6 Diesel generator power sequential feeder Group 7 Power-operated safety release valve

As described above, the CIM of the prior patent is characterized by implementing all the logic on the FPGA such as priority logic (41), universal component logic (45), and using 22 jumpers as needed In addition, there is a possibility that the gate is erroneous, and if the jumper setting is wrong, the field device itself may fail. As shown in Table 3, And control logic. This does not use an internal jumper, which simplifies the logic between the input and the signal, greatly reducing the likelihood of malfunction and failure.

Examples. Redundant FPGA adoption and methodology for common type fault-tolerant design

For common-type fault tolerant designs, redundant FPGAs can be employed. The FPGA according to one embodiment features a redundancy design that configures the association test logic, the priority logic, the control logic, and the test and diagnostic logic in one channel, respectively. This is a design concept in which different types of FPGAs are used in parallel. An anti-fuse type FPGA is used for channel A and an SRAM type FPGA is used for channel B, Maintains independence and meets guidelines for nuclear instrumentation and control equipment as required by BTP 7-19 (USNRC, US Nuclear Energy Commission, Evaluation Guideline for Common Type Faults).

The use of multiple FPGAs also increases the availability of the facility. This can be implemented through the simplest configuration (or "redundant model"). That is, the FPGA 2 of the channel B is "waiting" while the FPGA 1 of the channel A is "activated".

FPGA 2, which is in the "standby" state, continuously monitors the activity of FPGA 1 and can immediately transition from the "standby" state to the "active" state in the event of a problem. This design has a lower priority than the FPGA 2 in the "active" state. The design connects the outputs of the two FPGAs through an OR gate logic circuit so that no time lag occurs during the transition. It shows the concept of dual-FPGA adoption design for common type fault-tolerant design.

Examples. On-site device status and performance diagnosis using voltage monitor and current monitor signal

The safety system instrument field operating module 4000 monitors the state of the field instrument operating by the operating signal of the safety system instrument field operating module 4000 from the safety system instrument field operating module 4000 to the power signal And current signal) detection method, and it is possible to have a function of automatically determining malfunction and malfunction as shown in Table 4, and notifying the field worker and the operator of the main control room. Table 4 shows the outline of fault and malfunction discrimination function by power signal detection method. In addition, the power and torque applied to the device can be calculated by an automatic algorithm and converted into a thrust quantity so that the performance deterioration of the device can be predicted.

Control group name Measurement signal waveform Discrimination contents Electric circuit breaker for large motor drive control Motor current / torque Fault type, operating status, instrument performance Motor drive valve Motor Torque Efficiency, operational status Non-reversing motor-driven pump Motor current / torque efficiency. Head, operating status, instrument performance Solenoid valve Current trend, lowering of starting current voltage Operational status Diesel generator power sequential feeder Voltage, current Operational status Power-operated safety release valve Motor torque, current Operational status

The fault detection and malfunction discrimination function of the field device by the power signal detection method can be used because all field devices operate on electricity.

8 shows a conceptual diagram of a system for monitoring the status and performance of a large motor-driven device, according to one embodiment.

It can be seen that 3-phase voltage and 3-phase current can be used as a set of algorithms for monitoring condition and performance of large motor-driven equipment. According to one embodiment, the three-phase voltage and the three-phase current can be obtained by the voltage monitor and the current monitor of Fig. 4, respectively. Referring to FIG. 8, Fast Fourier Transform (FFT) is a fast pre-converter used to convert a current signal into a frequency signal. The torque is calculated using the three-phase voltage and current as shown in Equation (1) below. Where P is the number of motor poles, i is the current, v is the voltage, and RS is half of the stator resistance.

Safety System The field operation module (4000) or at least one processor determines whether a specific frequency has occurred based on the current value converted to frequency and compares the diagnostic result with the existing state diagnostic formula stored in the form of a database Can be output.

The safety system instrument field operating module (4000) or at least one processor, based on the voltage and current values converted to torque, converts the instrument efficiency and conversion factor to a thrust value and then uses the internally stored performance diagnostic database And the diagnostic result can be output.

Safety System The field operation module (4000) or at least one processor uses the voltage and current monitor output to diagnose another device condition and performance, and provides repair crews to the maintenance worker and operator based on the diagnosis. can do.

Examples. Diagnosis of on-site device using instantaneous current / voltage value

9 shows an algorithm for measuring the instantaneous value of a current / voltage when an SOV (Solenoid Operated Valves) valve is operated and analyzing the tendency thereof to determine the presence or absence of a failure and the location of a failure according to an embodiment As shown in the flowchart.

The flowchart shown in FIG. 9 may be performed by the safety system appliance field operating module 4000 or at least one processor, but is not limited thereto. According to one embodiment, the voltage and current (including instantaneous values) can be obtained by the voltage and current monitors of FIG. 4, respectively.

According to one embodiment, when the field device is SOV, there are five operation monitoring routines (SOV is not opened, SOV is slightly opened, operation failure is closed / partial closing, valve noise is excessive, Non-response), and based on this, the voltage and current are monitored and the tendency is analyzed to determine whether there is a failure or not. For example, if it is determined that the SOV does not open, it can predict power supply failure / voltage anomalies, coil burnout, applied pressure low / high, SOV armature damage / diaphragm, sheet inlet contamination, and corrosion. For example, if the SOV is judged to be slightly open, a low applied pressure / bending of the electric vehicle tube can be predicted. If it is judged that it is closed / partially closed due to the operation failure, it is possible to predict the remaining power component in the coil, the upstream pressure pulp generation, the input / output pressure deviation, the outlet pressure higher than the inlet pressure, and the pilot orifice part corrosion. If the valve noise is judged to be excessive, it can be predicted such as bump vibration, water hammer phenomenon, pipe banging at valve opening / closing, very high differential pressure / repeated dynamic pressure generation in the line. If it is judged that the coil is burned / unapplied when the power is applied, it is possible to predict the applied voltage failure, the short circuit / coil armature Slow,

10A is an alternating current waveform measured when a steady state SOV is operated, according to one embodiment. The waveform contains the information such as the size of the current, the operating time, and the progress time of the peak, so that the state of the apparatus can be automatically monitored using the waveform.

10B is a current waveform during operation obtained in the steady-state SOV. Pickup time / current, drop-out time / current, and the time when the current value changes after the pick-up is subjected to precise diagnosis for the start-up current and the hold current are classified by intervals to identify the type of failure. The waveform can be easily judged by the human eye, but a separate signal processing method is required to perform the automatic diagnosis by the software. According to one embodiment, a signal processing method may be disclosed.

11 shows a flowchart of a signal processing method according to an embodiment. The flowchart shown in Fig. 11 may be performed by the safety system instrument field actuation module 4000 or at least one processor.

In step 11100, the instantaneous current value is used to determine the RMS value.

In step 11200, the current value acquired based on the determined RMS is differentiated. For example, the derivative value can be obtained by taking a derivative with respect to the RMS value.

In step 11300, time intervals may be determined based on a time point at which the derivative value is zero.

In step 11400, a comparison is made between the state and the pattern of the steady state and the state of each failure mode.

At step 11500, the pattern comparison result may determine the state of the field device to at least one of the failure modes. For example, if it is located within the threshold value, it outputs a failure mode based on this.

12 is a graph showing a current value and a differential value of a current with respect to time according to an embodiment.

The graph of FIG. 12 shows eight time intervals from t1 to t7 and T_total, current values (indicated by solid lines, NORMAL CURRENT) and differential values (indicated by dashed lines, DIFFERETIATED) with respect to time.

Examples. Identification and inference engine for similar faults in the field, combining big data and machine learning technique

FIG. 13 is a logic diagram illustrating a reason for inferring the cause of a failure of a field device operated by a CIM by a Big Data method according to an exemplary embodiment and presenting an action item through empirical data.

The device operation signal obtained using the voltage and current supplied to the field device is firstly identified by the analysis algorithm as the failure mode. Each failure mode goes through the Big Data Engine again, followed by a pseudo-fault case identification and reasoning process. For example, the signal processing method of FIG. 11 may further comprise determining, through an inference unit, the reason for the failure mode determined in step 11500. FIG. For example, the reason may be that the determined failure mode is input to the prediction model and the prediction model can determine the reason for the determined failure mode.

The reasoner outputs a detailed analysis result on the cause of the failure of the relevant safety system device. A reasoner can be generated based on machine learning. Machine learning can mean an algorithmic technique that classifies / learns the characteristics of input data by itself. For example, machine learning on reasoners can be performed by using PCA (Principle Component Analysis) technique, Deep Network Learning technique, SVD (Singular Value Decomposition) technique Or < / RTI >

The US Nuclear Regulatory Authority (USNRC) licensing event report (LER), the US Nuclear Energy Association (NEI), and the US Nuclear Energy Association (NEI) And event records provided by the Ministry of Justice.

Referring to FIG. 13, prediction model 13000 represents one embodiment of the reasoner. The prediction model 1300 may be an artificial neural network model in the form of a neural network including an input layer, a hidden layer, and an output layer. According to one embodiment, the prediction model 13000 is a model for receiving information on a failure mode and outputting a detailed analysis result. Learning for the prediction model 13000 uses a Back Propagation algorithm that updates the synapse weights to reduce the error rate or loss between the current output and the target output corresponding to the input . ≪ / RTI > For example, learning about the prediction model 13000 is performed by applying information on the failure mode to the input layers (Input 1 to 4) and applying the failure cause detail information to be finally obtained to the output layer (Output) . The weights can be optimized by being updated several times according to the learning process according to the back propagation algorithm.

According to one embodiment, the detailed analysis of the cause of the failure may be based on ineffective noise input, lightning strike, single failure vulnerability, manufacturing defects in maintenance procedures, inadequate testing, software design, hardware design, component defects, operator errors, .

The foregoing description is intended to provide exemplary configurations and operations for implementing the invention. The technical spirit of the present invention will include implementations not only described above, but also implementations that can be obtained by simply modifying or modifying the above embodiments. In addition, the technical spirit of the present invention will also include implementations that can be achieved by easily modifying or modifying the embodiments described above.

Claims (8)

delete delete delete delete delete Determining an RMS value using an instantaneous current value measured by operating the field instrument;
Determining a derivative value for the RMS;
Determining time intervals based on a time point at which the differential value is zero;
Comparing a size of time and current for each of the time intervals with a predetermined failure mode; And
And determining the state of the field device as at least one of the failure modes as a result of the pattern comparison. The method according to claim 6,
Wherein the field device is an SOV,
Wherein said failure modes include an on-site device condition diagnosis including a state in which the SOV is not open, a state in which the SOV is slightly opened, an at least partially closed state due to an operation failure of the SOV, a noise over state, and a coil burn- Way. The method according to claim 6,
Further comprising the step of outputting the detailed reason for the determined failure mode by inputting the determined failure mode to the prediction model,
Wherein the prediction model is an artificial neural network model in which machine learning is performed using data on domestic and overseas nuclear plant incidents / accidents.

Images