1. Field of the Invention
The present invention relates to a logic safety or security system for triggering the protective action of a safety actuator. It applies more particularly to the emergency triggering of safety actuators controlling the shutdown of a nuclear reactor.
2. Description of the Prior Art
It is known that a nuclear reactor, for example, comprises a large number of devices making it possible to control its operation, said devices being called safety actuators. In the case of an accident or incident, these actuators must be triggerable with maximum rapidity, so that their protective action can stop the accident or incident in question. In such reactors, the values of a certain number of physical quantities such as the pressure, temperature, neutron flux, etc. are measured at a certain number of points. The values of these quantities are then compared with reference values in different pieces of equipment. Such equipment normally supplies a logic comparison signal which is, for example, of non-zero value when the values of the physical quantities lie within a predetermined range corresponding to the normal operation of the reactor. When the physical quantities pass beyond this safety range, the equipment supplies a logic output signal of, for example, zero value. The outputs of said equipment are connected to each of the four channels of the logic safety system according to the invention, which will be described in greater detail hereinafter.
It is known that logic safety systems making it possible to trigger the protective action of a safety actuator generally comprise a plurality of redundant channels, connected by their outputs to the inputs of a logic circuit controlling the triggering of the protective action. This logic control circuit is designed in such a way that the protective action is triggered whenever more than one channel supplies a triggering signal in response to an actuating signal received by the various channels. For example, the protective action may be triggered if p among m of said channels emit a triggering signal. Generally, p is equal to 2 and m is equal to 4 if it is desired to be able to inhibit one channel of the system for testing purposes: with one of the four channels inhibited, the three remaining channels still form a 2/3 vote, so that a single non-safe failure among them cannot prevent the protective action and a single spurious triggering signal cannot cause it. For the purposes of describing the invention, it will be assumed that the system has 4 redundant channels and that the protective action is triggered when at least two of them supply a triggering signal. Positive safety (fail-safe) circuits are also well known to specialists dealing with safety problems. The so-called positive safety of a circuit is its capacity, in the case of a breakdown, to evolve towards initiating the action for which it has been designed; such breakdowns are called "safe", and the circuit is designed so that the number of non-safe breakdowns (those which would prevent the action) is reduced to a value very close to zero. It is obvious that such circuits can be used not only in the nuclear field, but in any other field requiring the triggering of protective actions.
It is also known that certain logic safety systems comprise, for each of the control channels, a logic alarm circuit making it possible to actuate the control channel when it receives an alarm signal at its input, as well as a logic circuit for inhibiting this logic alarm circuit, which makes it possible, when it receives an inhibition control signal, to isolate the control channel from the logic circuit controlling the triggering of the protective action. This inhibition of a control channel is necessary in logic safety systems, e.g. for testing the circuits upstream of the logic actuating circuit. These upstream circuits may be, for example, signal amplification and processing chains connected to sensors. These sensors make it possible to determine the physical parameters characterizing the operation of an installation incorporating actuators whose protective action must be triggered in the case of an incident.

This possible inhibition of the control channels in a logic safety system, although necessary for testing purposes, must not be carried out without taking precautions. In a so-called 2/4 safety circuit, it is possible to envisage the inhibition of one of the channels for inspection or maintenance purposes. However, it is not permissible to inhibit two of the four channels simultaneously. Any logic safety system must respect the single-failure criterion, which requires that the protective action still be triggered in the case of an incident even if any one element of the system has failed. The inhibition of a single channel in a 2/4 safety circuit makes it possible to respect this criterion, but the inhibition of two channels or, a fortiori, three channels must not be permitted. Thus, if two channels were inhibited and a fault occurred (non-safe breakdown) in one of the two remaining channels, only one channel would be left to emit a triggering signal, and the safety system would not trigger the protective action when it was required.
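The 2/4 vote, the per-channel inhibition and the single-failure argument described above can be exercised in a small simulation. The following is an added example and is not part of the patent nor a description of the invention's own circuit; the channel names, the `stuck_safe` fault model (a non-safe breakdown that freezes a channel at the "normal" reading) and the interlock in `inhibit()` that refuses a second inhibition are assumptions made for illustration. The signal convention follows the text: a non-zero channel value means "normal", zero means "out of range", so that a de-energised channel votes for the protective action (positive safety).

```python
"""2-out-of-4 voting logic with channel inhibition (added example, not the patent's circuit)."""

from dataclasses import dataclass

NORMAL = 1   # non-zero: measured quantities within the normal operating range
TRIP = 0     # zero: out of range, or channel de-energised (positive safety)


@dataclass
class Channel:
    name: str
    alarm: int = NORMAL        # logic comparison signal from the upstream equipment
    inhibited: bool = False    # channel isolated from the voting logic (test/maintenance)
    stuck_safe: bool = False   # assumed non-safe breakdown: output frozen at NORMAL

    def output(self) -> int:
        # An inhibited channel is isolated: it can never contribute a trip vote.
        # A non-safe breakdown hides a real incident behind a NORMAL reading.
        if self.inhibited or self.stuck_safe:
            return NORMAL
        return self.alarm


def trip(channels, p=2) -> bool:
    """p-of-m vote: the protective action triggers when at least p channels output TRIP."""
    return sum(1 for c in channels if c.output() == TRIP) >= p


def inhibit(channels, name) -> None:
    """Inhibition interlock (assumed): at most one channel may be isolated at any time."""
    already = [c.name for c in channels if c.inhibited]
    if already:
        raise PermissionError(f"refusing to inhibit {name}: {already[0]} is already inhibited")
    next(c for c in channels if c.name == name).inhibited = True


def release(channels, name) -> None:
    """Return an inhibited channel to service."""
    next(c for c in channels if c.name == name).inhibited = False


def meets_single_failure_criterion(channels, p=2) -> bool:
    """Every active channel sees the incident (alarm == TRIP); the action must still
    trigger if any single active channel suffers a non-safe breakdown at the same time."""
    active = [c for c in channels if not c.inhibited]
    for failed in active:
        probe = [Channel(c.name, TRIP, c.inhibited, c is failed) for c in channels]
        if not trip(probe, p):
            return False
    return True


def demo() -> dict:
    """Walk through the cases discussed in the text and return the outcomes."""
    chans = [Channel(n) for n in "ABCD"]
    results = {}

    # Positive safety: one de-energised channel alone does not trip (no spurious action),
    # but two de-energised channels do, since a dead channel reads 0 == TRIP.
    chans[0].alarm = TRIP
    results["one_channel_dead_trips"] = trip(chans)
    chans[1].alarm = TRIP
    results["two_channels_dead_trip"] = trip(chans)
    for c in chans:
        c.alarm = NORMAL

    # One channel inhibited for testing: the remaining 2/3 vote tolerates a single failure.
    inhibit(chans, "A")
    results["one_inhibited_ok"] = meets_single_failure_criterion(chans)

    # The interlock refuses a second inhibition.
    try:
        inhibit(chans, "B")
        results["second_inhibition_refused"] = False
    except PermissionError:
        results["second_inhibition_refused"] = True

    # Bypassing the interlock (two channels inhibited) violates the criterion.
    chans[1].inhibited = True
    results["two_inhibited_ok"] = meets_single_failure_criterion(chans)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block prints the five outcomes: a single dead channel does not trip, two do; with one channel inhibited the criterion holds, the second inhibition is refused, and with two channels inhibited the criterion fails, which is exactly the scenario the text rules out.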
Although it is known to operate logic safety circuits of the 2/4 type having four redundant channels and comprising logic alarm and inhibition circuits, it is not known, in the case of such 2/4 circuits, how to prevent simply and reliably the inhibition of more than one channel at a time.