1. Field of the Invention:
This invention is related to highly reliable, redundant channel protection systems for complex closely controlled processes and is particularly suitable for an integrated protection system for a nuclear power plant. More particularly, it is directed to a fail-safe, multichannel protection system which utilizes rectangular hysteresis loop magnetic core logic units controlled by the monitored parameters to gate pulsed signals to converters which energize the undervoltage coils of the reactor trip switchgear, with voting logic between redundant channels being modified by bypasses to accommodate failed sensors or the removal of an entire channel from service for testing or maintenance.
2. Description of the Prior Art:
Many industrial and commercial processes require close monitoring and rapid, reliable response to deviations from established criteria for an array of process parameters. The protection systems which carry out these functions must be reliable and fail-safe but must also be resistant to spurious responses to avoid costly down time. Nowhere is the need for a dependable protection system more essential than in a nuclear power plant. In such a plant, a large number of parameters must be continuously monitored to assure that conditions remain within specified operating limitations. Deviations from certain of the established criteria require that the reactor be immediately shut down. Shutdown or tripping of the reactor is accomplished by removing power from mechanisms holding control rods above the reactor core so that the rods fall by gravity into the core where they absorb sufficient neutrons to lower the reactivity to the subcritical level. Regulations for the operation of nuclear power plants require that the protection system meet the single failure criterion, under which the reactor must be tripped in response to deviations from any of the specified operating limitations despite the existence of any possible single failure in the protection system.
Since the advent of commercial nuclear reactors, it has been the practice to provide redundant sensors, and where required, signal processors, for the critical parameters, and to utilize the signals thus generated in separate protection channels or actuation trains. Typically, a set of four signals is generated for each parameter, with one signal from each set being utilized in one of four protection channels. Thus, each protection channel incorporates a signal representative of the state of each of the monitored parameters, any one of which can generate a trip signal in that channel. The redundant channels provide reliability, however, in order to reduce the occurrence of spurious trips, coincidence of trip signals in the same set in more than one channel is required to trip the reactor. Typically, the coincidence of two out of four signals in a set, in other words, two of the channels, is required to remove power from the control rod actuators. The two out of four voting logic is carried out by the arrangement of the trip breakers which control the flow of electric power to the control rod actuators and by tie-ins between channels which assure that the trip signals in the two channels are from the same set. Since a trip signal is required in more than one channel to trip the reactor, the trip signal generated by an individual sensor is referred to as a partial trip signal.
At times, a sensor in a set will fail and in some instances cannot be repaired until the reactor is shut down. In addition, regulations require that various components of the protection system be tested periodically. In many of the prior art protection systems, a failed sensor or a sensor taken out of service for maintenance or test generates a trip signal in the associated protection channel. This trip in one channel caused by an out of service sensor reduces the protection system from a two out of four voting system to a one out of three system, and therefore, reduces the availability of the system by subjecting it to a greater likelihood of a spurious trip caused by a failure or transient in only one other channel.
The protection system described in commonly owned U.S. patent application Ser. No. 252,515 entitled "Power Supply With Nuclear Reactor" and filed on Apr. 9, 1981 in the name of Bruce M. Cook avoids these problems by bypassing the signals generated by the affected sensors. Two types of bypasses are provided. The channel level or local bypass bypasses in the appropriate channel the logic module associated with the sensor which has failed or has been taken out of service for maintenance. The remainder of that channel is not affected and a trip signal can be generated by it in response to an abnormal condition detected by any of the other sensors associated with that channel. The second type of bypass is the global bypass which bypasses the entire channel to prevent actuation of the trip breakers associated with that channel when the channel is taken out of service for maintenance or testing. The occurrence of a local bypass modifies the voting logic in the channels to two out of three of the remaining channels in the case of one bypass and to one out of two where two logic modules in a set are bypassed. If an attempt is made to bypass the logic modules associated with three sensors in a set, a trip is generated. This modification in the voting logic is carried out by microprocessors associated with each channel.
The trip and bypass status of each of the logic modules associated with each monitored parameter in each channel is communicated between channels by fiber optic, multiplexed data links which also provide electrical isolation between channels. The appropriate voting logic for each of the monitored parameters in each channel is thus determined from the communicated status, and the global bypass status of each channel is also transmitted to microprocessors in the other channels by the isolated, multiplexed data links. Since the reactor trip breakers are arranged in a matrix so that a trip signal from any two channels removes power from the control rod actuators, the first global bypass need do nothing more than block any trip signal from the bypassed channel, and the system reverts to two out of three voting logic on the remaining channels. Bypassing of a second channel by a global bypass opens the trip breakers associated with the second channel to initiate one out of two voting logic on the remaining two channels. If an attempt is made to bypass a third channel, the opening of the associated reactor trip breakers in addition to those already opened by the second global bypass results in tripping of the reactor.
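The voting rules described in the two preceding paragraphs, worked through as an added simulation (this is illustrative code written for this page, not the patent's or Westinghouse's logic). It assumes four channels indexed 0 to 3, and that once a set votes to trip, every channel that is not globally bypassed asserts a trip signal toward the breaker matrix; both are modelling assumptions.

```python
# Added illustration: per-set coincidence voting with local bypasses, and the
# effect of global (channel-level) bypasses on the trip-breaker matrix.
CHANNELS = 4


def set_trip(partial_trips, local_bypasses):
    """Vote for one parameter set across the four channels.

    partial_trips  : set of channel indices whose sensor reports a partial trip
    local_bypasses : set of channel indices whose logic module is bypassed
    Coincidence shrinks with each bypass: none -> 2 of 4, one -> 2 of 3,
    two -> 1 of 2; attempting a third bypass in a set generates a trip.
    """
    if len(local_bypasses) >= 3:
        return True
    active_trips = set(partial_trips) - set(local_bypasses)
    required = 2 if len(local_bypasses) < 2 else 1
    return len(active_trips) >= required


def breaker_matrix_trip(channel_trips, global_bypasses):
    """Trip-breaker matrix: power is removed when breakers of any two
    channels are open. The first global bypass only blocks that channel's
    trip signal; the second and any later one also open the bypassed
    channel's own breakers, so a third global bypass trips the reactor."""
    bypassed = set(global_bypasses)
    opened_by_bypass = max(0, len(bypassed) - 1)
    opened_by_trip = len(set(channel_trips) - bypassed)
    return opened_by_bypass + opened_by_trip >= 2


def reactor_trip(sets, global_bypasses):
    """sets: list of (partial_trips, local_bypasses) per monitored parameter.
    Assumption: each channel's microprocessor computes the same set vote from
    the shared status, so a set that votes trip makes every non-bypassed
    channel assert its trip signal."""
    voted = any(set_trip(p, b) for p, b in sets)
    active = set(range(CHANNELS)) - set(global_bypasses) if voted else set()
    return breaker_matrix_trip(active, global_bypasses)
```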
The trip breakers through which current flows to hold the control rods in the retracted position are held in the closed position by undervoltage coils on the switchgear. Deenergization of these undervoltage coils results in opening of the associated trip breakers. In the system described in the above identified patent application, the undervoltage coils are energized through an output transistor in the associated protection channel. The output transistor is held on by the channel trip bus which normally "floats" at the d-c logic voltage. However, the channel trip bus can be pulled down to ground potential by any of the channel logic units to thereby turn off the output transistor and open the associated reactor trip switchgear. In this system, the logic units comprise either relays or solid state switches. While this system is very effective for detecting failures, there are some limitations. Most notably, a short circuit failure in the output transistor or a build-up of film on the relay contacts could prevent a trip.
Toroidal cores of magnetic material having a rectangular hysteresis loop characteristic have been widely used as memory and switching elements in logic circuitry. In addition, a specialized form of such a "square loop" device called a Laddic is used in some nuclear power plant protection systems. The Laddic is a ladder-like structure cut out of the rectangular hysteresis loop material having an input winding on the first rung and an output winding on the last rung. Starting with a suitable saturation flux pattern which is induced by a current pulse applied through a reset winding on one of the side rails of the ladder structure, a drive pulse applied to the input winding so as to switch flux in the first rung will switch the flux almost entirely through the closest available rung rather than split it among all available rungs. Normally, therefore, there is no change in flux, and thus no output, in the last rung of the ladder, which carries the output winding. However, if inhibiting fields produced by current pulses are applied to all of the rungs intervening between the input and output rungs, the switched flux must return through the output rung and an output pulse will be obtained. In this protection system, a clock pulse is applied to the input rung of the Laddic and the signals representing the trip status of the selected parameters are the input variables applied to the intermediate rungs of the ladder. If none of the parameters are in an abnormal state, so that all of the alternate paths are blocked, a pulse is generated in the output. By repetitively resetting the flux pattern with the reset pulses and reapplying the clock pulses, a continuous pulse signal is generated at the output. This pulse signal is applied to a converter which produces a d-c output of sufficient voltage to maintain the undervoltage coils of the reactor trip switchgear energized.
If any of the monitored parameters are in the trip state, the switching pulses cease, tripping the reactor trip breakers. In this arrangement, each Laddic forms a channel of a multichannel system, with the two out of three voting logic being accomplished by additional windings on the intervening rungs to which signals from the other sensors in the set are applied. In some systems employing Laddics, two out of four voting logic is achieved by use of an arrangement including additional Laddic devices.
While the protection system utilizing Laddics has the advantage that transmission through a protection channel of a pulse signal is required to prevent tripping of the reactor so that a failure which causes a d-c signal will not prevent a trip, it still has some unacceptable failure modes. For instance, certain cracks in the ladder lattice can prevent a trip and certain failures in the converter could mask a trip command where reset pulses were still being applied to the converter. Furthermore, the multichannel Laddic protection system lacks electrical isolation between channels and has no means for implementing the bypass logic described above but rather reverts to one out of three voting logic when a sensor fails, both of which adversely affect the availability of the system.
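The Laddic flux-routing rule and the pulse-train-to-converter behaviour described in the preceding paragraphs, as an added toy simulation (illustrative code written for this page, not from the patent or any Laddic vendor). It assumes one intermediate rung per monitored parameter, that a parameter in the trip state withdraws its inhibiting pulse, and a converter that drops out after a fixed number of consecutive missing pulses; the dropout count is a constructed value.

```python
# Added illustration: Laddic flux routing, the resulting pulse train, and the
# fail-safe converter that keeps the undervoltage coil energized only while
# pulses keep arriving.

def laddic_output(n_intermediate, inhibited):
    """True if a drive pulse on the input rung yields an output pulse.
    Switched flux returns through the nearest rung that is not inhibited,
    so the output rung carries flux only when every intermediate rung
    (indexed 0 .. n_intermediate-1, nearest first) is inhibited."""
    for rung in range(n_intermediate):
        if rung not in inhibited:
            return False          # flux takes this nearer path instead
    return True


def channel_pulse_train(n_intermediate, tripped_per_cycle):
    """One reset + clock cycle per entry; each entry is the set of rungs
    whose parameter is in the trip state during that cycle. Returns the
    list of output pulses (True = pulse) produced by the channel."""
    outputs = []
    for tripped in tripped_per_cycle:
        inhibited = set(range(n_intermediate)) - set(tripped)
        outputs.append(laddic_output(n_intermediate, inhibited))
    return outputs


def converter_coil_states(pulse_train, dropout_cycles=2):
    """Converter model (assumption): the undervoltage coil stays energized
    while pulses arrive and de-energizes after `dropout_cycles` consecutive
    missing pulses. Once the breaker has opened the trip is latched, so the
    coil stays de-energized; a stuck d-c input (no pulses) therefore trips."""
    states, missed, latched = [], 0, False
    for pulse in pulse_train:
        missed = 0 if pulse else missed + 1
        if missed >= dropout_cycles:
            latched = True
        states.append(not latched)
    return states


def stuck_dc_fault(n_cycles):
    """A failed stage that outputs a constant level produces no pulses at
    all, which the converter treats exactly like a trip command."""
    return [False] * n_cycles
```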