WO1996020439A1 - Computer-assisted device for detecting the cause of a malfunction in a technical plant - Google Patents

Publication number
WO1996020439A1
Authority
WO
WIPO (PCT)
Prior art keywords
decision
accident
steb
computer
decision tree
Application number
PCT/DE1995/001792
Other languages
German (de)
French (fr)
Inventor
Heinrich Reiner
Heinrich Pfadler
Original Assignee
Siemens Aktiengesellschaft
Application filed by Siemens Aktiengesellschaft

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0218 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
    • G05B23/0243 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model
    • G05B23/0245 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model based on a qualitative model, e.g. rule based; if-then decisions
    • G05B23/0248 Causal models, e.g. fault tree; digraphs; qualitative physics
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
    • G05B19/4184 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by fault tolerance, reliability of production system
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
    • G05B23/0275 Fault isolation and identification, e.g. classify fault; estimate cause or root of failure
    • G05B23/0278 Qualitative, e.g. if-then rules; Fuzzy logic; Lookup tables; Symptomatic search; FMEA
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/33 Director till display
    • G05B2219/33303 Expert system for diagnostic, monitoring use of tree and probability
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Definitions

  • Computer-aided device for recognizing a cause of an accident in a technical installation
  • the invention relates to a computer-aided device for recognizing a cause of an accident in a technical system that triggers a malfunction, the malfunction possibly triggering a shutdown of the technical system into an operationally safe system state.
  • a technical plant such as a fossil-fueled or nuclear power plant, or a production plant or a process plant, usually has a system for processing process data.
  • a system can be part of a distributed real-time process information system in which large amounts of data have to be acquired, processed, prepared and represented visually.
  • a real-time process information system is usually integrated in the control system of the technical system.
  • a malfunction can occur, which triggers the shutdown of a production line in a manufacturing plant or, for example, even a rapid reactor shutdown in a nuclear power plant.
  • the plant operator wants to identify and control one or more causes of the malfunction particularly quickly, so that the damage caused by the malfunction to materials and/or people and the environment remains as low as possible.
  • the strategy of accident management, e.g. according to the operating manual of the technical system, is usually designed in such a way that there are basically two ways in which the technical system can be brought into a safe operating state in the event of an accident.
  • the first, event-oriented way is to identify an accident with the help of an accident decision tree and then to bring the system into a long-term safe state in accordance with the assigned description in the operating manual.
  • the second, protection-goal-oriented path is only followed if the accident cannot be clearly classified according to the first event-oriented path, or if a criterion for the violation of a particularly important protection target is reached.
  • the event-oriented mode of operation is relieved to a certain degree by the possibility of a protection-goal-oriented mode of operation, because it is no longer the only way to master accidents.
  • it has so far been customary for an operator of the technical system to make the decision in the event of a fault using the fault decision tree described in the operating manual as to which cause of the fault is or has existed.
  • the operator usually has to read individual displays in the control room of the technical system in a relatively short time and use them, for example, to answer yes / no decisions.
  • the time required for this is relatively large and can increase if a display is disturbed by a random failure and/or has to be replaced by other displays.
  • the invention is therefore based on the object of providing the operator in the control room of a technical system particularly well with means for detecting and controlling faults.
  • This object is achieved according to the invention by a computer-aided device for recognizing a cause of an accident causing a malfunction in a technical system, the malfunction possibly triggering a shutdown of the technical system in an operationally reliable system state, with the following components: a) a system-specific system stored in a memory
  • Plant top signals that can be measured in the event of an accident with decision criteria arranged in a logical hierarchy in the accident decision tree
  • the computer-aided device provides the operator with a complete diagnosis in the event of a malfunction
  • accident-proof measurable system top signals, i.e. measured values with particular relevance for system safety
  • because these signals can be linked in a time-differentiated manner, an accident that lies in the past and occurred only for a limited time, and its cause, can also be recognized. This time differentiation also makes it possible, in the case of inferences made from two specific measured values, to distinguish which of the inferences is to be drawn depending on the arrival of the two measured values, i.e. in particular also a classification depending on which of the two or more further measured values occurred first.
  • Decision criteria arranged in a logical hierarchy mean that the cause of the accident can be narrowed down more and more when decision criteria which are increasingly arranged further down in the logical hierarchy are reached in the accident decision tree.
  • triggering a decision limiting the cause of the accident is understood to mean that such decisions are triggered, for example, fully automatically by the computer of the device.
  • the operator has to make a specific decision here, the data required for such a decision being measured and made available in an accident-proof manner.
  • Means for displaying the accident decision tree are understood to mean, for example, a data display device in the control room of the technical system, in which an image of the accident decision tree is shown and by appropriate color or other optical classification of the symbols arranged in the accident decision tree, the decision path determined by the facility and along this decision path the cause of the accident is displayed.
  • means for measuring the system top signals are provided, which are, for example, of redundant design. In this way it is possible, for example, to make "two out of three" decisions and, moreover, to recognize the failure of a single measuring point or a single measuring path which is triplicate.
  • system top signals can be stored in a memory provided for this purpose. In this way, it is possible to use the system top signals required to identify the cause of the accident, which were measured in the past and / or were only present for a short time, for the detection of the accident.
  • FIG. 1 shows the schematic structure of a device for detecting an accident triggering an accident
  • FIG. 2 shows a schematic diagram of an accident decision tree.
  • a system bus 4 can be recognized, by means of which the measured values coming from the system and signals affecting the system are transported.
  • a measured value evaluator 6 accesses the plant bus 4 and detects so-called plant top signals 8a to 8c, the data acquisition and structure of which are triple redundant. The measured value evaluator 6 forwards the system top signals 8a to 8c, which are only briefly present on the system bus, to a redundant data memory 10 for storage.
  • the measured value evaluator 6 can also read data from the data memory 10 into the process in the opposite direction.
  • the measured value evaluator 6 transmits the triple redundant system top signals 8a to 8c to the computer module 12, which here has three microprocessor subunits 14a to 14c working independently of one another.
  • a routine is routinely run independently, which checks the system top signals 8a to 8c coming from the measured value evaluator 6 for limit values or other criteria that are important for system operation.
  • a system top signal 8a to 8c is now present on two of three microprocessor subunits 14a to 14c, which triggers a particularly relevant criterion for triggering the shutdown of the technical system, that is to say a serious fault, the system may be shutdown by a control system (not shown).
  • the computer module 12 loads from a further memory 16 a fault decision tree STEB which is specific to the system and outputs this to a data display device 18 which is located, for example, in the control room (not shown further here).
  • the cause of the fault is limited and determined step by step with the aid of the program running in the microprocessor subunits from 14a to 14c.
  • decision criteria arranged at certain points in the accident decision tree STEB are linked with the system top signals 8a to 8c assigned according to this criterion.
  • By means of this link, the microprocessor subunits 14a to 14c, provided that two of them come to the same result, trigger a decision that limits the cause of the disturbance.
  • the accident decision tree STEB displayed in the data display device 18 has a decision path in the course of which three decisions had to be made, using the link with the accident-proof measurable plant top signals 8a to 8c, so that the cause of the accident could be determined.
  • via an input unit 20 it is also possible, for example, for the operator of the technical installation to make certain decisions himself on a case-by-case basis and thus trigger the further decision-making path which follows the logical hierarchy.
  • the content and the representation of the accident decision tree STEB in the data display device 18 have a transparency which allows the operator to check certain decision-making paths, so that the operator remains involved in the process, which would not be the case, for example, if only an analysis result were displayed.
  • commands implemented by the operator can be processed in the computer module 12 and corresponding data can be output to the system bus 4.
  • FIG. 2 shows an accident decision tree STEB as it is displayed, for example, on the data display device 18 in the control room of a nuclear power plant in the presence of a cause of an accident that triggers a failure.
  • the incidents and causes of accidents dealt with in the accident decision tree STEB according to the decision-making paths result from the design, i.e. the nuclear power plant is designed for these accidents. This also means that the plant top signals required to determine certain decision criteria are measured in a fail-safe manner and generally in triplicate redundancy.
  • the decision path triggered in the present accident decision tree STEB is shaded.
  • the top field in the drawing with the inscription “RESA” stands for the triggering of a reactor cutoff due to an accident.
  • the reactor is shut down until it reaches a safe operating state.
  • To the side of the RESA field is the field "t", in which the actual time at which a reactor fast shutdown (RESA) is triggered is recorded.
  • the "Dew point T loop 1/2/3/4" field is triggered when two of three of the dew point temperature measurements or "one of three” of these dew point temperature measurements and a dew point temperature measurement on the corresponding circulating air coolers respond.
  • the "Kond AR" field is triggered when an amount of condensate that exceeds a certain limit value is measured on the loop 1/2 or the loop 3/4 air cooler and at the same time the level in one of the two sumps of the air cooler rises above a maximum value.
  • the "Betr Ra" field is triggered when the amount of condensate in the operating rooms of the nuclear power plant on two out of four circulating air coolers exceeds a maximum value. Likewise, the water level in one of the two sumps
  • the next step is to query whether the emergency cooling criterion is present.
  • there is no emergency cooling criterion based on the measured plant top values, so that the decision criterion "No" and the field "Leak in the reactor cooling system" following in the decision path are triggered. Because there was no emergency cooling criterion, a mini leak in the reactor cooling system is identified as the cause of the accident. This means that the "Minileck" field with the associated description in the operating manual, here in Chapter 3-1.1, will be drawn.
  • the "No” decision is triggered. It is then checked next whether the pressure holder maintaining the reactor pressure maintains the prescribed level. If there is a “Yes” decision here , the "Kl / M RKL” field is triggered, which means that there is a small to medium leak in the reactor cooling system. If the "No” decision is drawn above, there is a leak in the pressure holder, which is indicated by triggering the "DH leak” field.
  • the device 2 explained above thus contributes in an almost fully automatic manner to the control of system accidents for which the system and, accordingly, the accident decision tree are designed. Because the measured value acquisition and processing are designed to be accident-proof in relation to the design accidents, the described device fully supports the event-oriented mode of operation of the technical system and completely safeguards its operation. In addition, once the cause of the accident causing the malfunction has been identified, a therapeutic procedure that eliminates the malfunction can be started automatically.
  • the device 2 triggers a decision by analyzing the criteria relevant to the system top signals 8a to 8c. By analyzing the chronological order of arrival and / or the length of time that system top signals 8a to 8c are present, a decision is drawn and, in particular, a time differentiation of these variables for decision-making.

Abstract

The invention concerns a computer-assisted device for detecting the cause of an incident in a technical plant, the incident possibly triggering deceleration of the technical plant in an operationally reliable state of the plant. The device comprises the following components: a) a plant-specific incident decision tree (STEB) stored in a memory (16); b) means (14a to 14c) for linking, in a manner which can be differentiated in terms of time, plant top signals (8a to 8c), which can be measured even in the event of an incident, to decision criteria arranged in the incident decision tree (STEB) in a logical hierarchy; c) means (14a to 14c) for triggering a decision locating the cause of the incident according to the result of the preceding linkage and a possible further decision path, following the preceding linkage in a logical hierarchy, in the incident decision tree (STEB); and d) means (18) for displaying the corresponding incident decision tree (STEB).

Description

Computer-aided device for detecting the cause of an incident in a technical plant
The invention relates to a computer-aided device for detecting the cause that triggers an incident in a technical plant, the incident possibly triggering a shutdown of the technical plant into an operationally safe plant state.
A technical plant, such as a fossil-fired or nuclear power plant, a production plant or a process plant, usually has a system for processing process data. Such a system can be part of a distributed real-time process information system in which large amounts of data have to be acquired, processed, prepared and displayed visually. A real-time process information system is usually integrated into the control system of the technical plant.
With increasing energy and/or labour utilization of such technical plants and with rising safety standards, in particular in a nuclear power plant, the requirements on the system for processing the measurement data of the technical plant also grow.
An incident can occur in the technical plant which, for example, triggers the shutdown of a production line in a manufacturing plant or even a rapid reactor shutdown in a nuclear power plant. In such operating phases the plant operator wants to identify and control the one or more causes triggering the incident particularly quickly, so that the damage caused by the incident to material and/or people and the environment remains as low as possible.
The strategy for handling an incident, e.g. according to the operating manual of the technical plant, is usually structured so that there are basically two ways of bringing the technical plant into a safe operating state in the event of an incident. The first, event-oriented way is to identify an incident with the aid of an incident decision tree and then to bring the plant into a long-term safe state in accordance with the associated description in the operating manual. The second, protection-goal-oriented way is taken only if the incident cannot be clearly classified by the first, event-oriented way, or if a criterion for the violation of a particularly important protection goal is reached.
The possibility of the protection-goal-oriented mode of operation relieves the event-oriented mode of operation to some extent, because the latter is no longer the only way to control an incident. In principle, however, it has so far been customary that, in the event of an incident, an operator of the technical plant has to decide, with the aid of the incident decision tree described in the operating manual, which incident cause is or was present. To do so, the operator usually has to read individual displays in the control room of the technical plant within a relatively short time and use them, for example, to answer yes/no decisions. The time required for this is relatively large and can increase further if a display is disturbed by a random failure and/or has to be replaced by other displays. In particular, if the incident cause was present only for a limited time in the past, the operator can recognize such a cause after the fact only with a great expenditure of time.
The invention is therefore based on the object of equipping the operator in the control room of a technical plant particularly well with means for detecting and controlling incidents.
This object is achieved according to the invention by a computer-aided device for detecting the cause that triggers an incident in a technical plant, the incident possibly triggering a shutdown of the technical plant into an operationally safe plant state, with the following components:
a) a plant-specific incident decision tree stored in a memory,
b) means for linking, in a manner differentiable in time, plant top signals that can be measured even in the event of an incident with decision criteria arranged in a logical hierarchy in the incident decision tree,
c) means for triggering a decision narrowing down the incident cause according to the result of a preceding link and, where applicable, of a further decision path following it in the logical hierarchy of the incident decision tree, and
d) means for displaying the corresponding incident decision tree.
In this way the operator in the control room of a technical plant is supported by the computer-aided device when operating the plant in the event-oriented mode. In the event of an incident, the computer-aided device provides the operator with a complete diagnosis (in accordance with the plant-specific incident decision tree in the operating manual) regarding the determination of the incident cause. In particular, because plant top signals that can be measured even during an incident, i.e. measured values with particular relevance to plant safety, can be linked in a time-differentiated manner, an incident that lies in the past and occurred only for a limited time, and its cause, can also be detected. This time differentiation also makes it possible, for conclusions drawn from two particular measured values, to distinguish which of the conclusions is to be drawn depending on the arrival of the two measured values, i.e. in particular also a classification depending on which of the two, or of several further, measured values occurred first.
Decision criteria arranged in a logical hierarchy means that the incident cause can be narrowed down further and further as decision criteria located progressively lower in the logical hierarchy of the incident decision tree are reached. Means for triggering a decision narrowing down the incident cause means that such decisions are triggered, for example, fully automatically by the computer of the device. It is also understood to cover the case in which the operator has to make a concrete decision, the data required for such a decision being measured and provided in an incident-proof manner.
Means for displaying the incident decision tree means, for example, a data display device in the control room of the technical plant on which an image of the incident decision tree is shown and on which the decision path determined by the device, and the incident cause identified along this path, are indicated by appropriate colour or other visual marking of the symbols arranged in the incident decision tree.
In a particularly advantageous embodiment of the invention, means for measuring the plant top signals are provided which are, for example, of multiply redundant design. This makes it possible, for example, to make "two out of three" decisions and, in addition, to detect the failure of a single measuring point or a single measuring path that is present in triplicate.
For detecting an incident cause that lies in the past and was present only for a limited time, it is particularly advantageous if briefly present plant top signals can be stored in a memory provided for this purpose. In this way the plant top signals required for detecting the incident cause, which were measured in the past and/or were present only briefly, can still be used for incident detection.
Embodiments of the invention are explained in more detail with reference to a drawing, in which:
FIG 1 shows the schematic structure of a device for detecting the cause that triggers an accident; and
FIG 2 shows a schematic representation of an accident decision tree.
The device 2 shown in FIG 1 for detecting the cause that triggers an accident in a technical plant (not shown further here) has a plant bus 4, over which the measured values coming from the plant and the signals acting back on the plant are transported. A measured value evaluator 6 accesses the plant bus 4 and acquires so-called plant top signals 8a to 8c, whose data acquisition and data structure are of triple redundant design. The measured value evaluator 6 forwards the plant top signals 8a to 8c, which are present on the plant bus only briefly, to a redundantly designed data memory 10 for storage.
Likewise, when requested to do so by a computer module 12, the measured value evaluator 6 can also read data from the data memory 10 into the process in the opposite direction. The measured value evaluator 6 passes the plant top signals 8a to 8c, acquired with triple redundancy, on to the computer module 12, which here has three microprocessor subunits 14a to 14c operating independently of one another. Each of the microprocessor subunits 14a to 14c routinely and independently runs a program that checks the plant top signals 8a to 8c coming from the measured value evaluator 6 against limit values or other criteria that are significant for plant operation. If a plant top signal 8a to 8c that triggers a criterion of particular operational relevance for initiating the shutdown of the technical plant, i.e. a serious accident, is present at two of the three microprocessor subunits 14a to 14c, the plant is shut down, where applicable, by a control system (not shown further).
At the same time, the computer module 12 loads an accident decision tree STEB specific to the plant from a further memory 16 and outputs it to a data display device 18, which is located, for example, in the control room (not shown further here). Once the accident decision tree STEB has been output to the data display device 18, the cause of the accident is narrowed down and determined step by step with the aid of the program running in the microprocessor subunits 14a to 14c. For this purpose, decision criteria arranged at particular points in the accident decision tree STEB are linked with the plant top signals 8a to 8c assigned to the respective criterion. By means of this link, the microprocessor subunits 14a to 14c trigger a decision that narrows down the cause of the accident, provided that two of the microprocessor subunits 14a to 14c arrive at the same result. At the same time, the further decision path that follows the most recently triggered decision in the logical hierarchy of the accident decision tree STEB is triggered. For example, the accident decision tree STEB shown on the data display device 18 has a decision path along which three decisions had to be made on the basis of the linking of the plant top signals 8a to 8c, which can be measured in an accident-proof manner, before the cause that triggered the accident could be determined. By means of an input unit 20, the operator of the technical plant can also, for example, make certain decisions himself from case to case and thereby trigger the further decision path that follows in the logical hierarchy.
It is provided here that the content and presentation of the accident decision tree STEB on the data display device 18 are transparent enough to allow the operator to retrace and check particular decision paths, so that the operator remains involved in the process, which would not be the case if, for example, only an analysis result were displayed. By means of the device 2 explained above, an operator of the technical plant who is running the plant in an event-oriented mode is supported by the computer-assisted accident decision tree STEB in such a way that the data display device 18 provides him with a complete and error-free diagnosis with regard to determining the cause of the accident at hand. It is also possible for the operator to intervene in the operation of the power plant by means of the input unit 20 on the basis of the diagnosis derived from the accident decision tree STEB. To this end, commands issued by the operator can be processed in the computer module 12 and corresponding data output to the plant bus 4.
FIG 2 shows an accident decision tree STEB as it is displayed, for example, on the data display device 18 in the control room of a nuclear power plant when a cause that triggers an accident is present. The accident decision tree STEB has defined decision paths, which result from the technological knowledge about the power plant. The accidents and causes of accidents handled in the accident decision tree STEB along the decision paths are determined by the design, i.e. the nuclear power plant is designed for these accidents. This also means that the plant top signals required to evaluate particular decision criteria are measured in an accident-proof manner and, in general, with triple redundancy.
The decision path triggered in the present accident decision tree STEB is shown hatched. The topmost field in the drawing, labelled "RESA", stands for the accident-related triggering of a rapid reactor shutdown. The reactor is shut down until an operationally safe state is reached. Next to the RESA field is the field "t", in which the actual time at which a rapid reactor shutdown (RESA) was triggered is recorded. The field "Taupunkt T loop 1/2/3/4" (dew point) is triggered when two out of three of the dew point temperature measurements respond, or when "one out of three" of these dew point temperature measurements and a dew point temperature measurement at the corresponding recirculating air coolers respond. The field "Kond AR" is triggered when a condensate accumulation exceeding a certain limit value is measured at the recirculating air coolers of loop 1/2 or loop 3/4 and, at the same time, the fill level in one of the two sumps of the recirculating air coolers rises above a maximum value. The field "Betr Ra" is triggered when the condensate accumulation in the operating rooms of the nuclear power plant exceeds a maximum value at two out of four recirculating air coolers. Likewise, the water level in one of the two sumps may exceed the maximum value while, at the same time, a condensate accumulation exceeding the limit value is present at one of four recirculating air coolers.
If the logical, plant-specific combination of the above measurement criteria yields the result "yes", the next step is to determine whether activity has been released in the reactor containment. It should also be noted that, if the decision is "no", a part of the accident decision tree STEB that is not shown in FIG 2 is traversed. For the detection of small primary leaks, accident-proof activity measurements of the room air in the reactor containment are provided which, when limit values are exceeded, trigger the field "Aktivität RSB" (activity in the reactor containment). The limit values that were triggered, such as "local dose rate too high" or "high dose rate too high", are displayed as detailed information. If the activity measurement does not trigger the field "Aktivität RSB", the "no" path is triggered and the analysis result "secondary leak within the reactor containment (RSB)" is output.
If, as assumed in the exemplary embodiment, the "yes" criterion is met, the next step queries whether the emergency cooling criterion is met. In this case, the measured plant top values do not give rise to an emergency cooling criterion, so the decision "no" and the field that follows in the decision path, "Leck im Reaktorkühlsystem" (leak in the reactor cooling system), are triggered. Because no emergency cooling criterion was present, a mini leak in the reactor cooling system is identified as the cause that triggered the accident. That is, the field "Minileck", with the associated description in the operating manual, here in chapter 3-1.1, is triggered.
If the presence of an emergency cooling criterion were affirmed, which would trigger the "yes" field, the decision path would continue with a check of whether the pressure drop of the coolant reaches a certain value within a certain time. If the field "Δp KMD<9bar" is triggered, i.e. if the decision is "yes", the field "Groß-Leck" (large leak) is triggered further along the decision path.
If this pressure drop within a certain time is smaller than the permissible limit value, the "no" decision is triggered. The next check is then whether the pressurizer, which maintains the reactor pressure, holds the prescribed level. If the decision here is "yes", the field "Kl/M RKL" is triggered. This means that there is a small to medium leak in the reactor cooling system. If the "no" decision is triggered instead, there is a leak in the pressurizer, which is indicated by triggering the field "DH-Leck".
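The decision logic described for FIG 1 and FIG 2, as an added Python example that is not part of the patent text: three redundant channels latch briefly present signals, each decision node is settled by a two-out-of-three vote, and a channel that disagrees with the vote is reported as a suspect measuring path. The signal names, the single `moisture_combined` input standing in for the plant-specific combination of the first three fields (whose logic the text does not give), the "Druckhalter-Niveau" node label and the event log are assumptions constructed for illustration.

```python
from statistics import median

# Decision nodes transcribed from the FIG 2 description:
# node label -> (signal checked, next step on "yes", next step on "no").
# A next step that is not a key of TREE is a final result.
# Signal names and the "Druckhalter-Niveau" label are assumptions; the first
# node's plant-specific combination is modelled as one assumed input.
ROOT = "Taupunkt / Kond AR / Betr Ra"
TREE = {
    ROOT: ("moisture_combined", "Aktivität RSB", "branch not shown in FIG 2"),
    "Aktivität RSB": ("activity_rsb", "Notkühlkriterium",
                      "Sekundärleck innerhalb RSB"),
    "Notkühlkriterium": ("emergency_cooling", "Δp KMD<9bar", "Minileck"),
    "Δp KMD<9bar": ("dp_kmd", "Groß-Leck", "Druckhalter-Niveau"),
    "Druckhalter-Niveau": ("pressurizer_level_ok", "Kl/M RKL", "DH-Leck"),
}


class Channel:
    """One redundant measuring path with its own latch (data memory 10)."""

    def __init__(self, name):
        self.name = name
        self.first_seen = {}  # signal -> time it first became active

    def record(self, t, signal, active):
        # Latch: a signal that was active once stays stored after it clears.
        if active and signal not in self.first_seen:
            self.first_seen[signal] = t


def vote(channels, signal):
    """Two-out-of-three decision plus the names of channels that disagree."""
    votes = {c.name: signal in c.first_seen for c in channels}
    decision = sum(votes.values()) >= 2
    return decision, sorted(n for n, v in votes.items() if v != decision)


def voted_time(channels, signal):
    """Median latch time over the channels that saw the signal (None if < 2)."""
    times = [c.first_seen[signal] for c in channels if signal in c.first_seen]
    return median(times) if len(times) >= 2 else None


def diagnose(channels):
    """Walk the tree after a voted RESA; return cause, path and suspects."""
    tripped, dissent = vote(channels, "resa")
    if not tripped:
        return None  # no voted reactor trip, nothing to diagnose
    path, suspects, node = [], set(dissent), ROOT
    while node in TREE:
        signal, on_yes, on_no = TREE[node]
        decision, dissent = vote(channels, signal)
        suspects.update(dissent)
        path.append((node, "yes" if decision else "no"))
        node = on_yes if decision else on_no
    # Time differentiation: order the signals by their voted first arrival.
    timed = {s: voted_time(channels, s)
             for c in channels for s in c.first_seen}
    order = sorted((s for s, t in timed.items() if t is not None),
                   key=lambda s: (timed[s], s))
    return {"cause": node, "path": path, "suspect_channels": sorted(suspects),
            "trip_time": timed["resa"], "arrival_order": order}


def sample_channels():
    """Constructed event log (time in s, channel, signal, active)."""
    events = [
        (0.0, "a", "moisture_combined", True),
        (0.1, "b", "moisture_combined", True),
        (0.2, "c", "moisture_combined", True),
        (0.8, "a", "moisture_combined", False),  # transient clears again
        (0.8, "b", "moisture_combined", False),
        (0.8, "c", "moisture_combined", False),
        (1.0, "a", "activity_rsb", True),
        (1.1, "b", "activity_rsb", True),
        # channel "c" never reports activity: a failed measuring path
        (2.0, "a", "resa", True),
        (2.0, "b", "resa", True),
        (2.1, "c", "resa", True),
    ]
    channels = {n: Channel(n) for n in "abc"}
    for t, name, signal, active in events:
        channels[name].record(t, signal, active)
    return list(channels.values())


if __name__ == "__main__":
    result = diagnose(sample_channels())
    for node, decision in result["path"]:
        print(f"{node}: {decision}")
    print("cause:", result["cause"], "| suspect:", result["suspect_channels"])
```

The constructed log reproduces the path of the exemplary embodiment: the moisture signal has already cleared when the trip is voted, yet the latch keeps it available for the diagnosis.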
The device 2 explained above thus contributes in a nearly fully automatic manner to the control of plant accidents for which the plant, and accordingly the accident decision tree, are designed. Because measured value acquisition and processing are designed to be accident-proof with respect to the design-basis accidents, the device fully supports the event-oriented operation of the technical plant and completely safeguards its operation. In addition, once the cause that triggered the accident has been recognized, a remedial procedure that resolves the accident can be started automatically.
The device 2 triggers a decision by analyzing the criteria relevant to the plant top signals 8a to 8c. A decision is triggered by analyzing the chronological order of arrival and/or the duration for which plant top signals 8a to 8c are present, which in particular provides a time differentiation of these quantities for decision-making.

Claims

1. Computer-assisted device (2) for detecting the cause that triggers an accident in a technical plant, the accident where applicable triggering a shutdown of the technical plant into an operationally safe plant state, with the following components:
a) a plant-specific accident decision tree (STEB) stored in a memory (16),
b) means for the time-differentiable linking of plant top signals (8a to 8c), which can be measured in an accident-proof manner, with decision criteria arranged in a logical hierarchy in the accident decision tree (STEB),
c) means (14a to 14c) for triggering a decision that narrows down the cause of the accident in accordance with the result of a preceding link and, where applicable, a further decision path that follows it in the logical hierarchy of the accident decision tree (STEB), and
d) means (18) for displaying the corresponding accident decision tree (STEB).
2. Computer-assisted device according to claim 1, characterized in that means for measuring the plant top signals (8a to 8c) are provided which are of multiply redundant design.
3. Computer-assisted device according to claim 1 or 2, characterized in that plant top signals (8a to 8c) that are present only briefly can be stored in a memory (10) provided for this purpose.
4. Computer-assisted device according to claim 3, characterized in that a decision can be triggered by analyzing the criteria relevant to the plant top signals (8, 8a to 8c).
5. Computer-assisted device according to claim 3 or 4, characterized in that a decision is triggered by analyzing the chronological order and/or the duration for which plant top signals (8, 8a to 8c) are present.
PCT/DE1995/001792 1994-12-27 1995-12-14 Computer-assisted device for detecting the cause of a malfunction in a technical plant WO1996020439A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE4446863 1994-12-27
DEP4446863.6 1994-12-27

Publications (1)

Publication Number Publication Date
WO1996020439A1 (en) 1996-07-04

Family

ID=6537297

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DE1995/001792 WO1996020439A1 (en) 1994-12-27 1995-12-14 Computer-assisted device for detecting the cause of a malfunction in a technical plant

Country Status (1)

Country Link
WO (1) WO1996020439A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS60151705A (en) * 1984-01-18 1985-08-09 Hitachi Ltd Multiplex controller
EP0263636A2 (en) * 1986-09-29 1988-04-13 Westinghouse Electric Corporation Machine implemented system for determining compliance of a complex process plant with technical specifications
EP0364151A2 (en) * 1988-10-11 1990-04-18 Texas Instruments Incorporated Automated diagnostic system
EP0428135A2 (en) * 1989-11-13 1991-05-22 Komatsu Ltd. Fault diagnosing apparatus and method
US5305426A (en) * 1991-05-15 1994-04-19 Kabushiki Kaisha Toshiba Plant operation support system for diagnosing malfunction of plant
US5311562A (en) * 1992-12-01 1994-05-10 Westinghouse Electric Corp. Plant maintenance with predictive diagnostics

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
D. NEUPERT & M. SCHLEE: "MODI - an expert system supporting reliable, economical power plant control", ABB REVIEW, no. 6/7, 1994, ZURICH CH, pages 38 - 46, XP000460962 *
GERRARD P. B.: "An integrated system for computer aided drafting and fault tree evaluation for reliability analysis of power plant systems", PROCEEDINGS OF THE AMERICAN POWER CONFERENCE. VOL.45, CHICAGO, IL, USA, 18-20 APRIL 1983, 1983, CHICAGO, IL, USA, ILLINOIS INSTITUTE OF TECHNOLOGY, USA, pages 735 - 738, XP000568997 *
OTTINO C.: "USER INTERFACE IN THE 1990'S", ADVANCES IN INSTRUMENTATION AND CONTROL, vol. 47, no. PART 02, 1992, RESEARCH TRIANGLE PARK, NC, USA, pages 659 - 700, XP000328861 *
PATENT ABSTRACTS OF JAPAN vol. 9, no. 327 (P - 415) 21 December 1985 (1985-12-21) *

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0926430A1 (en) * 1997-12-24 1999-06-30 Alpes Systeme Automation Apparatus and method for the control of the function of an industrial installation
US6288650B2 (en) 1997-12-24 2001-09-11 Alpes Systeme Automation Device and method for monitoring the operation of an industrial installation
FR2772880A1 (en) * 1997-12-24 1999-06-25 Alpes Systeme Automation DEVICE AND METHOD FOR MONITORING THE OPERATION OF AN INDUSTRIAL INSTALLATION
US6910156B2 (en) 1999-07-28 2005-06-21 Siemens Aktiengesellschaft Method and system for diagnosing a technical installation
WO2001009694A1 (en) * 1999-07-28 2001-02-08 Siemens Aktiengesellschaft Method and system for diagnosing a technical installation
EP1243989A1 (en) * 2001-03-23 2002-09-25 Siemens Aktiengesellschaft Process to reduce the programming efforts of a programmable logic controller with a central-unit and an operating device
EP1243988A1 (en) * 2001-03-23 2002-09-25 Siemens Aktiengesellschaft Process to reduce the programming efforts of a programmable logic controller with a central-unit and an operating device
EP1394759A2 (en) * 2002-08-23 2004-03-03 Link Systemtechnik GmbH Failure and/or state analysis
EP1394759A3 (en) * 2002-08-23 2007-06-27 Link Systemtechnik GmbH Failure and/or state analysis
WO2005036290A1 (en) * 2003-09-19 2005-04-21 Siemens Aktiengesellschaft Provision of diagnosis information
US7774167B2 (en) 2003-09-19 2010-08-10 Siemens Aktiengesellschaft System and method for providing diagnosis information
FR2987690A1 (en) * 2012-03-05 2013-09-06 Schneider Electric Ind Sas METHOD AND DEVICE FOR MAINTENANCE OF AN ELECTRICAL INSTALLATION
EP2637071A1 (en) * 2012-03-05 2013-09-11 Schneider Electric Industries SAS Method and device for maintenance of an electric installation
AU2013201193B2 (en) * 2012-03-05 2014-09-18 Schneider Electric Industries Sas Electric installation maintenance method and device
US9517534B2 (en) 2012-03-05 2016-12-13 Schneider Electric Industries Sas Electric installation maintenance method and device
RU2622473C2 (en) * 2012-03-05 2017-06-15 Шнейдер Электрик Эндюстри Сас Method and device for electric plant maintenance

Similar Documents

Publication Publication Date Title
EP2092499B1 (en) Procedures and device for optimizing an alarm configuration
DE102017107284B4 (en) METHOD AND CONTROL UNIT FOR MONITORING AN ON-BOARD NETWORK OF A VEHICLE
DE4438859C2 (en) Process for analyzing process data of a technical system
DE2549467C2 (en) Procedure for determining the malfunction in an electrical device
EP2008352B1 (en) Method for monitoring the electrical energy quality in an electrical energy supply system, power quality field device and power quality system
DE2622120A1 (en) PROCEDURE AND DEVICE FOR AUTOMATIC MONITORING OF SYSTEMS
DE102008060010A1 (en) Safety control and method for controlling an automated plant
EP0789864B1 (en) Monitoring system for an industrial plant
EP2927819B1 (en) Method for automatically processing a number of protocol files of an automation system
DE102007035977A1 (en) Electronic flow sensor
DE19919504A1 (en) Engine controller, engine and method for controlling an engine
EP0645711A1 (en) Method for operating a data display unit and devices for carrying out this method
DE112016004630T5 (en) System and method for providing a visualization of security events of a process control system over time
EP1191415A2 (en) Flight control system
WO1996020439A1 (en) Computer-assisted device for detecting the cause of a malfunction in a technical plant
DE202010008137U1 (en) Sensor system for system monitoring
EP1910903A1 (en) Failure identifying and analysing system
EP4185932A2 (en) Monitoring of a converter
EP1598717B1 (en) Method for monitoring of a plurality of gas plants
DE19825733B4 (en) Process for processing process signals of a technical installation
DE102019114463A1 (en) Overload and breakage monitoring method and system for an aircraft high lift system
DE10115897C2 (en) Method and device for providing information for the analysis of faults in a technical installation
EP3963291B1 (en) Sensor array for monitoring a technical system, and method for operating a sensor array
DE2023117B2 (en) Fail safe control for digital information - three channel supervisory control built into processing unit provides full transfer
DE3606518A1 (en) METHOD FOR DETECTING AND REPORTING ERRORS AND CAUSES FOR FAULTS IN THE PROCESS OF PROCESSES CONTROLLED OR CONTROLLED BY AUTOMATION MEANS

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): CN JP KR RU US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LU MC NL PT SE

121 EP: the EPO has been informed by WIPO that EP was designated in this application
122 EP: PCT application non-entry in European phase