WO1997018502A1 - Apparatus and method for prioritization of multiple commands in an instrumentation and control system - Google Patents


Info

Publication number
WO1997018502A1
Authority
WO
WIPO (PCT)
Prior art keywords
command
control means
independent control
final
commands
Prior art date
Application number
PCT/US1996/016541
Other languages
French (fr)
Inventor
Glenn E. Lang
Original Assignee
Westinghouse Electric Corporation

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • G05B9/03Safety arrangements electric with multiple-channel loop, i.e. redundant control systems

Definitions

  • Priority logic 57, implementing the equal priority logic of Table 1 from the commands received from the control subsystems 49A and 49B, generates a final command which is an OPEN command on lead 59A or a CLOSED command on lead 59B.
  • the safe state for the recirculation valve 45 is the OPEN position to prevent burnup of the safety injection pump 35. Therefore, when conflicting commands are generated by the control subsystems 49A and 49B, the valve 45 is commanded open and manual control 61 is enabled.
  • a PAL configured as in Figure 2 is suitable for use as the priority logic 57.
  • FIG. 5 illustrates an application of the second embodiment of the invention, where priority is given to one control subsystem over another.
  • This example involves the ventilation system for compartment 63 in containment 29.
  • Motor controlled damper 65 controls the flow of ventilating air provided by HVAC fan 67. Normally, the damper 65 is controlled on temperature in the compartment 63 as measured by the sensor 69.
  • a first control subsystem 71 uses the temperature signal to generate a command, either open or close to priority logic 73.
  • the command 7A provided by the control subsystem 5A is provided on two leads 75A and 77A. Containment pressure is monitored by a pressure sensor 79.
  • This pressure is provided to the second diverse control subsystem 71B. If the pressure in containment exceeds a selected limit, the control subsystem 71B generates a CLOSE command. This is a safety signal and is given priority by the priority logic 73, which then generates a final close command which is applied to the damper 65 to close the damper and therefore isolate containment.
  • the pressure sensor 79 and control subsystem 71B are protection grade, while the temperature sensor 69 and control subsystem 71A are not.
  • the pressure generated CLOSE command is more reliable, and, in any event, represents a safety condition which must be addressed.
  • the subsystem 71B only provides a CLOSE command on the lead 77B. Thus, in the absence of a safety signal, no command is provided to the priority logic 73 by the subsystem 71B, and hence the commands from the subsystem 71A are used by the priority logic 73 to control the damper 65.
  • the priority logic 73 generates an ON/OPEN final command to the damper 65 on output 81 and an OFF/CLOSE final command on output 83.
  • the OFF/CLOSE final command applied to the damper 65 is also applied to the fan 67 in order to assure that the fan 67 does not burn up by continuing to run when the damper 65 is closed.
  • a PAL configured as in Figure 3 can be used for the priority logic 73. While specific embodiments of the invention have been described in detail, it will be appreciated by those skilled in the art that various modifications and alternatives to those details could be developed in light of the overall teachings of the disclosure. Accordingly, the particular arrangements disclosed are meant to be illustrative only and not limiting as to the scope of invention which is to be given full breadth of the claims appended and any and all equivalents thereof.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

Prioritization logic determines the final command applied to a process control component (3) from a plurality of commands generated by diverse independent control subsystems (5A, 5B, 5N), each utilizing different hardware and software to implement a common algorithm to preclude common mode failures. In one embodiment, priority is given to commands generated by one control subsystem, such as a safety grade subsystem, over commands provided by a second, non-safety grade control subsystem. In another embodiment, equal priority is given to commands from two control subsystems. In this case, ambiguous commands from either or both subsystems are ignored, but conflicting commands produce a final command which provides a safe state.

Description

APPARATUS AND METHOD FOR PRIORITIZATION OF MULTIPLE COMMANDS IN AN INSTRUMENTATION AND CONTROL SYSTEM
BACKGROUND OF THE INVENTION
Field of the Invention
This invention relates to apparatus and method for instrumentation and control of processes such as the operation of a nuclear reactor. More particularly, it relates to such a method and apparatus for prioritizing multiple control signals provided to a component in a process control system.
Background of the Invention
Many instrumentation and control systems require duplication in at least some portions of the system for safety and reliability. This duplication may take the form of redundant systems. For instance duplicate sensors, controllers and actuators may be provided in separate independent channels to perform the identical function.
Typically in such a case, the hardware and logic are identical in each channel.
In other cases, multiple, identical channels are provided to generate independent control signals which are voted to determine the final control signal to be applied to a single component. For instance, in a nuclear power plant, it is common to have protection systems which include four separate channels, each with its own sensors and controllers for generating a reactor trip signal in response to certain conditions in the plant. Voting logic trips the plant only if, for instance, two or more of the four channels generate a channel trip signal. In this instance also, it is conventional to have identical hardware and logic in each channel, thereby providing redundancy.
There is a growing concern over common mode failures in redundant instrumentation and control systems. By common mode failure, it is meant, simultaneous, similar failures in corresponding elements, either hardware or software, of the system. One application for which these concerns are raised is the retrofitting of existing process control systems, like some existing nuclear power plants, where it is desired to control a single component with commands from two separate subsystems. The two commands may have equal priority or different priority, such as where one subsystem is safety grade and the other is not. Where the signals have equal priority, provision must be made for resolving conflicts, always assuring that the plant remains in or is guided toward a safe state.
There is a need, therefore, for an improved instrumentation and control system and a method of operating the same which minimizes the possibility of common mode failures.
There is a particular need for such an improved apparatus and method which is applicable to a system in which commands from two subsystems are applied to a single component.
There is also a need for such an improved apparatus and method which assures that a process will always be maintained in or guided toward a safe condition.
There is another need for such an apparatus and method which can be used when the two logic control signals are of equal or unequal priority.
There is yet another need for such an apparatus and method which assures safe operation when the two commands are in conflict.
SUMMARY OF THE INVENTION
These needs and others are satisfied by the invention which is directed to apparatus and a method for controlling a process control component, such as, for example, in a nuclear reactor, using commands from multiple independent control means. While prior art instrumentation and control systems utilize redundant control means, that is, identical but independent control channels, to control a single component, the present invention utilizes diverse control means to form the independent control channels. By diverse control means it is meant that the processing means and/or the software utilized in the independent control means are different to preclude common mode failures. In the case of control means incorporating digital processors, this means that different types of processors, e.g. from different manufacturers, are used to run different routines implementing common algorithms. Prioritizing means receives the commands from the independent control means and determines a final command which is applied to the process control component. The process control component has at least two operating states, such as on/open and off/closed, to which the component can be commanded by the final command from the prioritizing means. Preferably, this prioritizing means is diverse from each of the independent control means to further preclude common mode failures.
In the preferred embodiment of the invention, two diverse control means each generate commands for the single process control component. In one embodiment, the commands from one of the diverse control means is given priority. In a nuclear reactor application this could be the safety grade subsystem where only one of the two systems is safety grade. Where the independent control means can each generate an on command, an off command, or no command, an on command or off command from the control means with priority prevails. However, where the priority subsystem provides no command or an ambiguous command, that is, both an on command and an off command, commands from the nonpriority control means are utilized, unless it too provides no command or an ambiguous command. In the latter case, no command is provided to the process control component, which maintains its existing state.
In another embodiment of the invention, the two independent diverse control means are given equal priority. In this case, identical commands are passed on to the process control component. If one control means gives no command, then the command from the other control means is used. If only one control means is providing an unambiguous command, it is used. If the two independent diverse control means of equal priority are providing conflicting commands, the prioritizing means generates a command which provides a safe state. The command providing a safe state may also be used to place a related component in a safe state. The command producing a safe state can also enable manual control for the component.
BRIEF DESCRIPTION OF THE DRAWINGS
A full understanding of the invention can be gained from the following description of the preferred embodiments when read in conjunction with the accompanying drawings in which:
Figure 1 is a schematic diagram of a portion of a process control system incorporating the invention.
Figure 2 is a schematic diagram of a prioritizer forming part of the control system illustrated in Figure 1 in accordance with a first embodiment of the invention wherein the control subsystems are given equal priority.
Figure 3 is a schematic diagram similar to Figure 2 illustrating another embodiment of the invention in which one of the control subsystems is given priority over the other.
Figure 4 is a schematic diagram of a pressurized water reactor nuclear steam supply system illustrating application of the first embodiment of the invention.
Figure 5 is a schematic diagram of a portion of a nuclear steam supply system illustrating application of a second embodiment of the invention in which one of the control subsystems is given priority.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
Figure 1 illustrates a control system 1 for controlling a component 3 such as a process control component in a process control system. The control system 1 includes a plurality of control subsystems 5A through 5N. Each of the subsystems 5A through 5N generates commands 7A through 7N for operating the component 3 to different operating states. The operating states of the component 3 can include, for instance, on and off states for components such as motors, pumps, and the like, and open and closed positions such as for valves, switches and the like. Prioritization logic 9 evaluates the commands 7A through 7N provided by the control subsystems 5A through 5N for determining a final command 11 which is provided to the component 3. The control system 1 is a diverse system in that the control subsystems 5A through 5N are diverse. That is, each of these subsystems utilizes preferably both different hardware and software (if the hardware includes a microcomputer) to generate the associated commands 7A-7N. Thus, where the control subsystems 5A through 5N utilize microcomputers, the hardware is diverse in that microcomputers from different manufacturers are utilized. In addition, the common algorithm used by the independent control subsystems to generate the associated commands 7A-7N is implemented in a different software language in each of the microcomputers. Where more than two independent control subsystems are used, it is preferred that they be diverse from each other, but it is within the scope of the invention that at least some of them are diverse.
Also preferably, the prioritization logic 9 is diverse from each of the control subsystems 5A through 5N. In fact, in the preferred embodiment of the invention, the prioritization logic 9 is implemented with programmable array logic (PAL). This further precludes common mode failures.
The prioritization logic 9 generates the final control signal 11 applied to the component 3 using a selected logic. In one embodiment of the invention, equal priority is given to the commands generated by the independent control subsystems 5.
Table 1 illustrates the logic applied where there are two independent control subsystems, each of which is given the same priority.
TABLE I
Typical Priority Logic for a Component With Commands From Two Subsystems With Equal Priority

Subsystem #1 command   | Subsystem #2 command
                       | No Command | ON Command | ON and OFF Commands | OFF Command
No Command             | None       | ON         | None                | OFF
ON Command             | ON         | ON         | ON                  | Safe State
ON and OFF Commands    | None       | ON         | None                | OFF
OFF Command            | OFF        | Safe State | OFF                 | OFF
The commands indicated in the table represent the final command 11 provided by the prioritization logic 9 to the component 3. It will be noted that the commands provided by the control subsystems have three states: ON, OFF, and no command. Obviously, where the commands generated by the two subsystems agree, the final command corresponds. Where one subsystem generates an ON or OFF command and the other generates no command, the former command is used for the final command. This situation could occur where one of the subsystems has failed, for instance. Where one of the subsystems generates an ambiguous command, such as a simultaneous ON and OFF command, the command generated by the other subsystem is used, unless both subsystems generate an ambiguous command in which case no command is provided to the component. Where the commands generated by the two subsystems are in conflict; that is, one generates and ON command and the other generates an OFF command, the prioritization logic 9 generates a command which produces a safe state. The command used to produce this safe state depends upon the component, and in some cases, its function in the process control system. Thus, the safe state could be an ON command, an OFF command, or no command. Preferably, the command which produces a safe state also enables manual control so that the operator may take over the operation of the component.
Figure 2 illustrates prioritization logic 9 implemented by a PAL configured to provide the logic of Table 1. The commands 7 from each of the control subsystems are input to the PAL 9 as either an ON/OPEN command or an OFF/CLOSE command and are represented by a high logic signal on the appropriate input. The logic of Table 1 is implemented by AND, OR and NOR gates to generate the final command at output 111, which generates an ON/OPEN command, or output 112, which generates an OFF/CLOSE command. Again, the output generates a high logic signal for the appropriate output. The no command output is represented by low-level logic signals on both of the outputs. When the commands 7A and 7B are in conflict, an ON/OPEN final command is generated to provide the safe state.
In accordance with another embodiment of the invention, priority is given to one of two control subsystems 5 providing commands for the component 3. An example of such logic is illustrated in Table 2 wherein subsystem 1 is given priority over subsystem 3. This embodiment could be utilized, for instance, where one subsystem is more reliable, for instance, safety grade in the case of a nuclear reactor, or more secure, than the other subsystem.
TABLE II
Typical Priority Logic for a Component With Commands From Two Subsystems In Which One System Has Priority

Subsystem #1 command   | Subsystem #3 command
                       | No Command | ON Command | ON and OFF Commands | OFF Command
No Command             | None       | ON         | None                | OFF
ON Command             | ON         | ON         | ON                  | ON
ON and OFF Commands    | None       | ON         | None                | OFF
OFF Command            | OFF        | OFF        | OFF                 | OFF
As can be seen, the command from the priority subsystem, subsystem No. 1 in the example, predominates unless it is ambiguous (simultaneously generating ON and OFF commands) in which case the command from subsystem No. 3 is used.
If both subsystems are generating ambiguous signals, then no final command is provided to the component 3.
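Tables I and II define the prioritizer as truth tables, and the PALs of Figures 2 and 3 realise them as gate equations. The Python model below is an added example and is not code from the patent or from Westinghouse: it transcribes both tables, gives one possible AND/OR/NOT form for each (my own derivation, not the netlist of the figures), checks the gate form against the table for all 16 input combinations, and then drives the equal-priority logic with the recirculation-valve case of Figure 4 described later on the page, where each diverse subsystem compares its own flow indicator with a minimum-flow threshold, the safe state is OPEN and manual control is enabled on conflict. The flow values, the threshold and the rule that an idle pump produces no command are constructed assumptions.

```python
from itertools import product

# Subsystem commands as (ON, OFF) input levels; high = 1, as on the PAL inputs in Figures 2 and 3.
NONE, ON, OFF, AMBIGUOUS = (0, 0), (1, 0), (0, 1), (1, 1)
ORDER = [NONE, ON, AMBIGUOUS, OFF]      # row/column order used by Table I and Table II

# Transcription of the patent's tables: rows are subsystem #1, columns the other subsystem.
TABLE_I = [                              # equal priority
    ["NONE", "ON",   "NONE", "OFF"],     # #1: no command
    ["ON",   "ON",   "ON",   "SAFE"],    # #1: ON
    ["NONE", "ON",   "NONE", "OFF"],     # #1: ON and OFF (ambiguous)
    ["OFF",  "SAFE", "OFF",  "OFF"],     # #1: OFF
]
TABLE_II = [                             # subsystem #1 has priority
    ["NONE", "ON",  "NONE", "OFF"],
    ["ON",   "ON",  "ON",   "ON"],
    ["NONE", "ON",  "NONE", "OFF"],
    ["OFF",  "OFF", "OFF",  "OFF"],
]


def lookup(table, c1, c2):
    """Read the final command the table prescribes for a pair of subsystem commands."""
    return table[ORDER.index(c1)][ORDER.index(c2)]


def equal_priority_gates(c1, c2):
    """One gate-level form of Table I (my derivation, not the Figure 2 netlist).
    Returns the ON output, the OFF output and a conflict flag, all 0/1."""
    on1, off1 = c1
    on2, off2 = c2
    # Unambiguous ON / OFF detectors: the input is high and its partner input is low.
    on1u, off1u = on1 & (1 - off1), off1 & (1 - on1)
    on2u, off2u = on2 & (1 - off2), off2 & (1 - on2)
    conflict = (on1u & off2u) | (off1u & on2u)            # one says ON, the other OFF
    on_out = (on1u & (1 - off2u)) | (on2u & (1 - off1u))  # an unambiguous ON not contradicted
    off_out = (off1u & (1 - on2u)) | (off2u & (1 - on1u))
    return on_out, off_out, conflict


def priority_gates(c1, c2):
    """One gate-level form of Table II: #1 prevails unless it is silent or ambiguous."""
    on1, off1 = c1
    on2, off2 = c2
    defer = 1 if on1 == off1 else 0      # both low (no command) or both high (ON and OFF)
    on_out = (on1 & (1 - off1)) | (defer & on2 & (1 - off2))
    off_out = (off1 & (1 - on1)) | (defer & off2 & (1 - on2))
    return on_out, off_out, 0            # Table II has no safe-state cell


def decode(on_out, off_out, conflict, safe_state):
    """Output levels -> (final command, manual control enabled). A conflict drives the
    component to its safe state and hands control to the operator, as for Figure 2."""
    if conflict:
        return safe_state, True
    return {(0, 0): "NONE", (1, 0): "ON", (0, 1): "OFF"}[(on_out, off_out)], False


def final_command(mode, c1, c2, safe_state="ON"):
    """Prioritizer front end: mode 'equal' implements Table I, 'priority' Table II."""
    gates = equal_priority_gates if mode == "equal" else priority_gates
    return decode(*gates(c1, c2), safe_state)


def gates_match_tables():
    """Exhaustively check both gate forms against the transcribed tables (16 cases each)."""
    for c1, c2 in product(ORDER, repeat=2):
        cmd, manual = final_command("equal", c1, c2, safe_state="SAFE")
        if cmd != lookup(TABLE_I, c1, c2) or manual != (cmd == "SAFE"):
            return False
        cmd, manual = final_command("priority", c1, c2)
        if cmd != lookup(TABLE_II, c1, c2) or manual:
            return False
    return True


def recirc_valve(pump_running, flow_a, flow_b, threshold=100.0):
    """Figure 4 application with constructed numbers: subsystems 49A and 49B each compare
    their own flow indicator with the minimum-flow threshold; OPEN maps to ON, CLOSE to
    OFF, and the safe state is OPEN to prevent burnup of the safety injection pump."""
    def subsystem(flow):
        if not pump_running:
            return NONE                  # assumption: no demand on the valve while the pump is idle
        return ON if flow < threshold else OFF
    return final_command("equal", subsystem(flow_a), subsystem(flow_b), safe_state="ON")


if __name__ == "__main__":
    print("gate equations match tables:", gates_match_tables())
    for flows in ((50.0, 60.0), (150.0, 160.0), (50.0, 160.0)):   # agree, agree, sensors disagree
        print(flows, "->", recirc_valve(True, *flows))
```

The exhaustive comparison is the part worth keeping: a two-subsystem prioritizer has only 16 input combinations, so whatever diverse technology implements it (a PAL, a second processor family, a different language) can be checked cell by cell against the specification table rather than trusted by inspection. The third valve case shows the equal-priority failure mode the page describes: when the two flow indicators disagree across the threshold, the valve is driven to its OPEN safe state and the operator is handed control rather than leaving the pump dead-headed.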
Figure 3 illustrates an example of a second embodiment of the prioritizing logic 9' implementing the logic of Table 2 in which one of the control subsystems, in this case the first control subsystem 5A, has priority. Again, the exemplary logic is implemented by AND, OR and NOR gates in a PAL. In this case, the command 7A provided by the first control subsystem prevails. Again, the command can be an ON/OPEN command on one input, an OFF/CLOSED command on a second input, or no command, in which case both inputs are low. Only when the first control subsystem 5A provides an ambiguous input by providing high signals on both the ON/OPEN and OFF/CLOSED inputs does the PAL 9' generate a final command using the command from the subsystem 5B. It can be seen from Figure 3 that when both subsystems are providing both ON and OFF commands to the PAL 9', both the ON/OPEN output command 11' and the OFF/CLOSED output command 11' are low, providing no final control signal. In such a case, the controlled component will remain in the state that it is in.
Figure 4 illustrates application of the invention to a pressurized water reactor (PWR) nuclear steam supply system (NSSS) 13 in accordance with the first embodiment, in which signals from a pair of control subsystems are given equal priority. The NSSS 13 includes a reactor vessel 15 having a core 17 of fissionable material. Reactor coolant in the form of light water is passed through the core 17, where it is heated by the fission reactions. The heated coolant is circulated in four primary loops 19A-19D. Each primary loop 19 includes a hot leg 21A-21D which delivers heated coolant to a steam generator 23A through 23D. The steam generators 23 use the heat carried by the coolant to generate steam in secondary loops (not shown) to drive turbine generators which produce electric power. Coolant is returned to the reactor vessel 15 through cold legs 25A through 25D by reactor coolant pumps 27A through 27D.
The reactor vessel 15 and the primary loops 19A-19D are housed within containment 29. In the event of a depressurization in the primary loops 19, such as could occur with a break in one of the loops causing a loss of coolant, a safety injection system 31 injects borated water from a boron tank 33 into the primary system through the cold legs 25A and 25B, in the example. The emergency supply of water is pumped by a safety injection pump 35 through a motor-operated discharge valve 37 and a check valve 39. Additional water for safety injection can be drawn from a sump 41 into which water from a broken line and condensation from escaping steam accumulates. This additional supply of water is drawn through a check valve 43. Recirculation valves 45 (only one shown) protect the safety injection pump 35 by providing a recirculating path for the output of the safety injection pump should excessive resistance to flow or a closed discharge valve 37 be encountered. The recirculation valve 45 is opened if the pump 35 is running but its flow rate is below a minimum threshold. In order to assure proper operation of the recirculation valve 45, the control system 47 for this valve includes two independent control subsystems 49A and 49B, each of which has its own separate flow indicator 51A or 51B. Control subsystems 49A and 49B separately compare the flow indication provided by the flow indicator 51A or 51B to the predetermined threshold in generating a command for the recirculation valve 45. Each of these control subsystems 49A and 49B can generate an OPEN command on a lead 53A and 53B, respectively, or a CLOSE command on leads 55A and 55B. Priority logic 57, implementing the equal priority logic of Table 1 from the commands received from the control subsystems 49A and 49B, generates a final command which is an OPEN command on lead 59A or a CLOSE command on lead 59B. In this particular situation, the safe state for the recirculation valve 45 is the OPEN position, to prevent burnup of the safety injection pump 35. Therefore, when conflicting commands are generated by the control subsystems 49A and 49B, the valve 45 is commanded open and manual control 61 is enabled. A PAL configured as in Figure 2 is suitable for use as the priority logic 57.
Figure 5 illustrates an application of the second embodiment of the invention, where priority is given to one control subsystem over another. This example involves the ventilation system for a compartment 63 in containment 29. A motor-controlled damper 65 controls the flow of ventilating air provided by HVAC fan 67. Normally, the damper 65 is controlled on temperature in the compartment 63 as measured by the sensor 69. A first control subsystem 71A uses the temperature signal to generate a command, either OPEN or CLOSE, for priority logic 73. As with the command 7A provided by the control subsystem 5A described above, this command is provided on two leads 75A and 77A. Containment pressure is monitored by a pressure sensor 79. This pressure is provided to the second, diverse control subsystem 71B. If the pressure in containment exceeds a selected limit, the control subsystem 71B generates a CLOSE command. This is a safety signal and is given priority by the priority logic 73, which then generates a final CLOSE command which is applied to the damper 65 to close the damper and therefore isolate containment. In this example, the pressure sensor 79 and control subsystem 71B are protection grade, while the temperature sensor 69 and control subsystem 71A are not. Thus, the pressure-generated CLOSE command is more reliable and, in any event, represents a safety condition which must be addressed. It should be noted that, in the example, the subsystem 71B only provides a CLOSE command on the lead 77B. Thus, in the absence of a safety signal, no command is provided to the priority logic 73 by the subsystem 71B, and hence the commands from the subsystem 71A are used by the priority logic 73 to control the damper 65.
In the example of Figure 5, the priority logic 73 generates an ON/OPEN final command to the damper 65 on output 81 and an OFF/CLOSE final command on output 83. In order to place the plant in a safe condition, the OFF/CLOSE final command applied to the damper 65 is also applied to the fan 67, in order to assure that the fan 67 does not burn up by continuing to run when the damper 65 is closed. A PAL configured as in Figure 3 can be used for the priority logic 73.

While specific embodiments of the invention have been described in detail, it will be appreciated by those skilled in the art that various modifications and alternatives to those details could be developed in light of the overall teachings of the disclosure. Accordingly, the particular arrangements disclosed are meant to be illustrative only and not limiting as to the scope of the invention, which is to be given the full breadth of the claims appended and any and all equivalents thereof.
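An added simulation of the Figure 5 arrangement in Python; this is example code, not anything in the patent. Subsystem 71A commands the damper from compartment temperature, subsystem 71B asserts only CLOSE when containment pressure exceeds its limit, priority logic 73 is the Table II rule with 71B in the priority position (the Figure 3 PAL), and the OFF/CLOSE final command is applied to both damper and fan. The setpoints (`TEMP_HIGH_C`, `TEMP_LOW_C`, `PRESSURE_LIMIT_KPA`), the direction of the temperature control (a hot compartment opens the damper, with a deadband in between), the fan restarting on an OPEN command and the sample sequence are all constructed assumptions; the patent specifies only that 71B closes the damper above a pressure limit and that the CLOSE command also stops the fan.

```python
from typing import List, Tuple

Command = Tuple[bool, bool]           # (ON/OPEN line, OFF/CLOSE line)
NO_COMMAND: Command = (False, False)
OPEN: Command = (True, False)
CLOSE: Command = (False, True)

# Constructed setpoints (the patent gives none): a deadband thermostat for the
# non-safety temperature loop and a single limit for the safety pressure loop.
TEMP_HIGH_C = 40.0
TEMP_LOW_C = 35.0
PRESSURE_LIMIT_KPA = 110.0


def subsystem_71a(temperature_c: float) -> Command:
    """Non-safety temperature control on leads 75A/77A. Direction is an assumption:
    hot compartment -> OPEN for more ventilating air, cool -> CLOSE, deadband -> none."""
    if temperature_c > TEMP_HIGH_C:
        return OPEN
    if temperature_c < TEMP_LOW_C:
        return CLOSE
    return NO_COMMAND


def subsystem_71b(pressure_kpa: float) -> Command:
    """Protection-grade containment-pressure logic: only ever CLOSE on lead 77B, else silent."""
    return CLOSE if pressure_kpa > PRESSURE_LIMIT_KPA else NO_COMMAND


def priority_logic_73(safety: Command, normal: Command) -> Command:
    """Table II logic with the safety subsystem (71B) in the priority position."""
    on1, off1 = safety
    on3, off3 = normal
    ambiguous1 = on1 and off1
    ambiguous3 = on3 and off3
    silent1 = not (on1 or off1)
    use1 = not ambiguous1
    use3 = (ambiguous1 or silent1) and not ambiguous3
    return ((use1 and on1) or (use3 and on3), (use1 and off1) or (use3 and off3))


class DamperAndFan:
    """Damper 65 and fan 67. The OFF/CLOSE final command is applied to both, so the fan
    cannot keep running against a closed damper. An OPEN command restarting the fan is
    an assumption of this example; no final command means both hold their state."""

    def __init__(self) -> None:
        self.damper = "OPEN"
        self.fan = "RUNNING"

    def apply(self, final: Command) -> Tuple[str, str]:
        on, off = final
        if off and not on:
            self.damper, self.fan = "CLOSED", "STOPPED"
        elif on and not off:
            self.damper, self.fan = "OPEN", "RUNNING"
        return self.damper, self.fan


def run_scenario(samples: List[Tuple[float, float]]) -> List[Tuple[str, str]]:
    """Feed (temperature C, pressure kPa) samples through both subsystems, the priority
    logic and the plant; return the (damper, fan) state after each sample."""
    plant = DamperAndFan()
    history = []
    for temp_c, press_kpa in samples:
        final = priority_logic_73(subsystem_71b(press_kpa), subsystem_71a(temp_c))
        history.append(plant.apply(final))
    return history


# Constructed sequence: hot compartment, then a containment pressure excursion
# while the compartment is still hot, then pressure recovers and the room cools.
SCENARIO = [(42.0, 101.0), (43.0, 125.0), (44.0, 125.0), (44.0, 101.0), (30.0, 101.0)]

if __name__ == "__main__":
    for (t, p), (damper, fan) in zip(SCENARIO, run_scenario(SCENARIO)):
        print(f"T={t:5.1f} C  P={p:6.1f} kPa -> damper {damper:<6} fan {fan}")
```

The second and third samples are the point of the exercise: the temperature loop is still asking for OPEN, but the protection-grade CLOSE takes the priority slot, the damper closes and the fan stops with it. Once pressure falls back below the limit, 71B goes silent and the priority logic hands control back to the temperature loop without any reset step.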

Claims

What is Claimed is:
1. A process control system comprising: a process control component controlling conditions in a process control system in response to a final command; a plurality of independent control means, each generating an associated command for controlling said process control component, at least two of said independent control means being diverse; prioritizing means generating said final command as a function of said associated commands provided by said plurality of independent control means.
2. The system of Claim 1 wherein said prioritizing means comprises means diverse from each of said at least two diverse independent control means.
3. The system of Claim 1 wherein said plurality of independent control means comprises two diverse independent control means.
4. The system of Claim 3 wherein said prioritizing means comprises means diverse from each of said two diverse independent control means.
5. The system of Claim 4 wherein said two diverse control means comprise different microcomputer means running different software to implement a common algorithm.
6. The system of Claim 3 wherein said prioritizing means comprises means giving priority to said associated command provided by a selected one of said two independent control means.
7. The system of Claim 6 wherein said prioritizing means comprises means using the associated command from the other of said two independent control means, when the associated command from the control means given priority is ambiguous.
8. The system of Claim 3 wherein said prioritizing means gives equal priority to said associated commands from said two independent control means, and provides a safe final command when said associated commands are conflicting.
9. An instrumentation and control system for a nuclear reactor comprising: a process control component operable to at least two operating states in response to a final command; first independent control means generating a first command for operating said process control component to one of said operating states; second independent control means generating a second command for operating said process control component to one of said operating states; and prioritizing means generating said final command for operating said process control system to an operating state based upon predetermined logic applied to said first command and said second command.
10. The system of Claim 9 wherein said prioritizing means comprises means in which said selected logic gives said first command priority over said second command in generating said final command.
11. The system of Claim 10 wherein said prioritizing means includes means using said second command to generate said final command when said first command is ambiguous.
12. The system of Claim 9 wherein said prioritizing means comprises means implementing selected logic which gives equal priority to said first command and said second command and generates said final command providing a safe state when said first command and second command command different ones of said operating states.
13. The system of Claim 12 wherein said nuclear reactor includes a related device to said process control component and means applying said final command providing said safe state to said related device in providing said safe state.
14. A method of controlling a process control component comprising the steps of: generating a first command for said component using first independent control means; generating a second command for said component using a second independent control means which is diverse from said first independent control means; and evaluating said first and said second commands using said prioritizing means which is diverse from both said first independent control means and said second independent control means for generating a final command for operating said component.
15. The method of Claim 14 wherein said step of evaluating comprises giving one of said first command and said second command priority over the other in generating said final command.
16. The method of Claim 15 wherein said evaluating step further comprises using said other command to generate said final command when said one command which is given priority is ambiguous.
17. The method of Claim 14 wherein said step of evaluating comprises giving said first command and said second command equal priority.
18. The method of Claim 17 wherein said step of evaluating said first command and said second command using equal priority, further comprises generating a final command which provides a safe state when said first command and said second command are conflicting.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US56753295A 1995-11-14 1995-11-14
US08/567,532 1995-11-14

Publications (1)

Publication Number Publication Date
WO1997018502A1 true WO1997018502A1 (en) 1997-05-22

Family

ID=24267553

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1996/016541 WO1997018502A1 (en) 1995-11-14 1996-10-15 Apparatus and method for prioritization of multiple commands in an instrumentation and control system

Country Status (1)

Country Link
WO (1) WO1997018502A1 (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0096510A2 (en) * 1982-06-03 1983-12-21 LUCAS INDUSTRIES public limited company Control system primarily responsive to signals from digital computers
EP0250317A1 (en) * 1986-06-18 1987-12-23 Telemecanique Process and device for the redundant control of a power element
GB2220280A (en) * 1988-07-04 1990-01-04 Rolls Royce & Ass A control system for industrial plant
EP0478289A2 (en) * 1990-09-26 1992-04-01 Honeywell Inc. Fault detection in relay drive circuits
EP0526418A1 (en) * 1991-07-31 1993-02-03 FIAT AUTO S.p.A. System for the inherently safe control of the steering of the rear wheels of a motor vehicle

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2993548A1 (en) * 2014-08-06 2016-03-09 Siemens AG Österreich Control of a voltage feed-in
GB2530886A (en) * 2014-08-14 2016-04-06 Zodiac Aero Electric System and method for controlling at least one switching device, especially for use in aircraft
US9935539B2 (en) 2014-08-14 2018-04-03 Zodiac Aero Electric System and method for controlling at least one switching device, especially for use in aircraft
GB2530886B (en) * 2014-08-14 2021-04-14 Zodiac Aero Electric System and method for controlling at least one switching device, especially for use in aircraft


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): BG CZ DE HU RU SK UA

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642