1. Field of the Invention
The invention relates to a protection system for a complex process, and particularly, for a nuclear reactor. The system includes redundant logic trains, each including redundant voting processors which apply voting logic on partial trip signals and partial safeguard function signals from a plurality of redundant process protection sets.
2. Background Information
Complex processes are typically controlled automatically with provision for various degrees of operator oversight appropriate for the application. Critical processes, such as nuclear reactors, are equipped with a protection system in addition to the automatic control system. The protection system shuts down the process and performs other functions which assure the safe condition of the process. For instance, in a nuclear reactor, the protection system trips the reactor by inserting shutdown rods into the reactor core to render the system subcritical. It also initiates a number of safeguard functions, such as, for instance, injection of a moderator into the reactor coolant, containment isolation, containment spray and others.
Redundancy is provided in the protection system to assure safe operation despite equipment failures. It is common in protection systems for nuclear reactors to have four redundant protection channel sets. Some monitored process variables, such as certain pressures and temperatures, can be directly read. Others require calculation from measured values. The redundant channel sets each separately process the monitored process variables and generate what are referred to as partial trip and partial safeguard actuation signals. A voting system then generates a reactor trip or safeguard actuation signal based on the number of redundant partial signals generated compared to the number of channels monitoring that condition. The voting is adjusted when one channel set is taken out of service for maintenance or test. Thus, generation of the reactor trip or safeguard actuation signal can be based, for example, upon 2/4, 2/3, 1/2 voting logic. Such voting logic increases the availability of the protection system.
It is known to have two trains of voting logic, each receiving partial trip and partial safeguard actuation signals from all of the channel sets, and with the trip or safeguard actuation signals being initiated in response to either train. This further assures availability and provides more flexibility for maintenance and testing.
Early protection systems were implemented with analog circuitry. Newer systems utilize solid state digital circuitry, and current systems are implemented with microprocessor-based controllers. Certain of such current systems utilize two diverse microprocessor-based controllers in each channel set such that primary and secondary protection functions of a given initiating event are processed in the separate controllers to enhance functional diversity.
Protection systems also include a set of indicators which present visual and/or audio indications of process conditions determined by the protection system for use by an operator monitoring the process and, if appropriate, to override the automatic system. The information generated by the protection system is also provided to an automatic monitoring system for use as a historical record and for post event analysis.
Many of the early analog protection systems are reaching the end of their useful lives, and replacement components are no longer available. There is also an interest in providing improved functionality and availability inherent with the current protection systems in the retrofits for the older systems.
Thus, there is a need for an improved complex process protection system which can also be used as a retrofit for older existing systems.
There is a more specific need for such an improved protection system which provides improved availability.
More specifically, there is a need for such an improved protection system which not only assures that an appropriate response is made to an initiating event but also reduces the likelihood of an inadvertent abnormal condition which could lead to an automatic action or inappropriate override action by an operator.
These needs, and others, are satisfied by the invention which is directed to a protection system for a complex process such as, for instance, a nuclear reactor. The protection system includes a plurality of redundant process protection sets, each independently computing partial reactor trip and safeguard actuation signals. A voting logic system has two independent and redundant logic trains, each of which includes a pair of redundant microprocessor-based voting logic controllers. Each voting logic controller of each logic train receives the partial protection signals from each of the process protection sets and has a voting processor which generates an intermediate protection signal in response to partial protection signals from a pre-determined number of the protection sets. Logic, associated with each logic train, generates a train protection signal only when each voting processor in the train generates an intermediate protection signal. Finally, an output device produces a protection output in response to a train protection signal from either of the logic trains.
Thus, the output device ORs the intermediate protection signals generated by the separate voting logic trains. As either logic train can trigger the protection signal, the system provides high reliability that a condition requiring action will receive an appropriate response. In addition, both of the voting processors in a logic train must agree that a protection action is needed in order for that logic train to generate an intermediate protection signal. In other words, the outputs of the two voting processors in a channel set are ANDed. This feature reduces the likelihood of a false automatic protection signal or a false indication which could be taken by the operator as a need for override action thereby reducing the availability of the process.
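The voting arrangement described above, modeled as an added example that is not part of the original patent text: each voting processor applies the 2/4, 2/3, 1/2 logic to the partial trip signals, the two processors in a train are ANDed, and the two trains are ORed. All function names and the stuck-output fault hook are assumptions made for illustration.

```python
from typing import Optional, Sequence, Tuple

# Partial trip signal from one protection set:
# True = partial trip, False = no trip, None = set out of service (bypassed).
Partial = Optional[bool]
# Hypothetical fault hook for a voting processor: None = healthy,
# True/False = output stuck at that value.
Fault = Optional[bool]
HEALTHY: Tuple[Fault, Fault] = (None, None)

def required_votes(in_service: int) -> int:
    """Votes needed for the 2/4, 2/3, 1/2 logic named in the text."""
    table = {4: 2, 3: 2, 2: 1}
    if in_service not in table:
        raise ValueError(f"no voting rule given for {in_service} sets in service")
    return table[in_service]

def vote(partials: Sequence[Partial], fault: Fault = None) -> bool:
    """One voting processor: intermediate protection signal."""
    if fault is not None:
        return fault
    active = [p for p in partials if p is not None]
    return sum(active) >= required_votes(len(active))

def train_signal(partials, faults=HEALTHY) -> bool:
    """Train protection signal: both voting processors must agree (AND)."""
    return all(vote(partials, f) for f in faults)

def protection_output(partials, train_a=HEALTHY, train_b=HEALTHY) -> bool:
    """Output device: either logic train can initiate the action (OR)."""
    return train_signal(partials, train_a) or train_signal(partials, train_b)

def demo() -> dict:
    quiet, real = [False] * 4, [True, True, False, False]  # constructed inputs
    return {
        "2/4 trip": protection_output(real),
        "1/4 no trip": protection_output([True, False, False, False]),
        "2/3 with one set bypassed": protection_output([True, None, False, True]),
        "1/2 with two sets bypassed": protection_output([None, True, None, False]),
        "spurious processor masked": protection_output(quiet, train_a=(True, None)),
        "dead processor, other train trips": protection_output(real, train_a=(False, None)),
        "both trains degraded, trip lost": protection_output(real, (False, None), (None, False)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case shows the limit of the arrangement: the AND inside a train masks a single spurious processor, but a stuck-low processor in each train at the same time blocks a genuine trip.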
In the preferred embodiment of the invention, the protection signals generated by the system are both reactor trip signals and safeguard actuation signals. Separate redundant voting logic is provided in each logic train for reactor trip and safeguard actuation.
The protection system also includes an indication system which ANDs the intermediate protection signals from the two voting processors in each channel set to generate intermediate indicator signals. The intermediate indicator signals from the trains are ORed to generate indicator signals which are used to actuate indicators, such as, for example, annunciators, lights and outputs to a computer system.
Therefore, it is an object of the invention to provide an improved process protection system for a complex process. It is a further object of the invention to provide such a system which can also be used to retrofit existing process protection systems while providing improved functionality and reliability. It is an additional object of the invention to provide such a system which also reduces the likelihood of inadvertent reactor trips or safeguard actuations.