A continuous effort is being made to provide increased safety in the operation of nuclear power plants. Standards have been established which require basic reactor control circuits to meet single-failure fail-safe criteria. This means that any single failure of any component should either shut down the reactor or not significantly affect the operation of the safety channel. The growing complexity and cost of reactor installations and operations make it imperative that safety monitoring systems work reliably at all stages and levels of reactor operation. With the advent of larger reactors and electric-power-generating nuclear reactors, it has become important that the reactor not be shut down as long as it is in a safe condition; that is, in the event of some instrument failure which does not affect reactor safety, it is important that the reactor continue to run normally. Schemes such as redundancy, automatic self-checking and others have been used to implement these requirements.
One of the methods used to ensure the safe operation of the reactor has been to use coincident trip circuits. Several identical channels (typically at least three) are provided, and at least two of the three channels must indicate a reactor malfunction or unsafe condition before the reactor is shut down. The redundancy of this system provides additional safety. It also provides the possibility of removing one of the safety channels from the system for on-line testing at periodic intervals. By requiring that at least two of the three channels indicate a coincident reactor malfunction or unsafe condition, the probability of a shutdown when the reactor is, in fact, in a safe condition is reduced significantly.
If there are two undetected failures in separate channels and a reactor fault occurs at the same time, the two-out-of-three voting technique would reduce the overall safety of the reactor, as it would not be protected against this unsafe condition. The reactor might fail to shut down when safety requires that it be shut down, or the reactor might be shut down when, in fact, the failure occurred in the safety channels and not in the reactor. Also, if one of the safety channels is removed from the reactor for testing, the safety of the system is reduced.
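The two-out-of-three voting behaviour and its failure cases described in the two paragraphs above, modelled as an added example that is not part of the original document. The channel failure-state names, and the rule that a channel removed for testing casts no vote while two trip votes are still required, are modelling assumptions.

```python
from enum import Enum
from itertools import product


class Ch(Enum):
    # Channel states are assumptions made for this model, not terms from the text.
    HEALTHY = "healthy"        # reports the true reactor condition
    STUCK_SAFE = "stuck_safe"  # undetected failure: never indicates a trip
    STUCK_TRIP = "stuck_trip"  # failure: always indicates a trip
    BYPASSED = "bypassed"      # removed for on-line testing, casts no vote


def votes_trip(state, reactor_unsafe):
    """True if this channel indicates an unsafe condition."""
    if state is Ch.HEALTHY:
        return reactor_unsafe
    return state is Ch.STUCK_TRIP


def shutdown(states, reactor_unsafe, needed=2):
    """Coincidence logic: shut down when at least `needed` channels vote trip."""
    return sum(votes_trip(s, reactor_unsafe) for s in states) >= needed


def classify(states, reactor_unsafe):
    """Compare the voted outcome with what reactor safety actually requires."""
    tripped = shutdown(states, reactor_unsafe)
    if reactor_unsafe and not tripped:
        return "missed_trip"
    if not reactor_unsafe and tripped:
        return "spurious_trip"
    return "correct"


def combos_with_outcome(allowed, reactor_unsafe, outcome):
    """Distinct three-channel state combinations (order ignored) giving `outcome`."""
    hits = set()
    for combo in product(allowed, repeat=3):
        if classify(combo, reactor_unsafe) == outcome:
            hits.add(tuple(sorted(s.value for s in combo)))
    return sorted(hits)


if __name__ == "__main__":
    faults = [Ch.HEALTHY, Ch.STUCK_SAFE, Ch.STUCK_TRIP]
    print("missed trips:", combos_with_outcome(faults, True, "missed_trip"))
    print("spurious trips:", combos_with_outcome(faults, False, "spurious_trip"))
    # With one channel out for testing, a single hidden failure defeats the trip.
    print(classify((Ch.BYPASSED, Ch.STUCK_SAFE, Ch.HEALTHY), True))
```
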
It is therefore an object of this invention to provide an improved monitoring circuit for nuclear reactor safety channels.
Another object of this invention is to provide a circuit for continuously monitoring the safety channels of a nuclear reactor without removing the safety channel from the reactor.
Another object of this invention is to provide a monitoring circuit for reactor safety channels which can operate over a wide dynamic range.