1. Field of the Invention
This invention relates to a method and apparatus for processing the signals generated by sensors monitoring selected parameters in a complex process such as a nuclear reactor. In particular, it relates to such a method and apparatus which utilizes a plurality of independent, digital, signal processors arranged in a number of redundant channel sets with each signal processor in each channel set generating one or more digital signals suitable for use in a process protection system and analog signals suitable for use in surveillance and control systems, but with related signals generated by different, independent signal processors to enhance system reliability.
2. Prior Art
In a complex process, such as a nuclear power plant, numerous sensors are provided to measure various physical conditions in the process, such as, for example, pressures, temperatures, flows, levels, radiation, and the state of various components, such as the position of valves and whether a pump is operating or not. These measurements are generally used to perform three different functions: process control, surveillance and protection. Process control involves automatic or semi-automatic regulation of process conditions to achieve the desired result. Surveillance encompasses monitoring of process conditions to determine that the desired results are being achieved. Protection is concerned with automatic response to abnormal conditions in the process to prevent operating conditions from exceeding predetermined design limits and to take steps to mitigate the adverse effects of operation outside the design limits. In the case of a nuclear power plant in particular, the protection function is the most demanding of the three. In order to assure reliability of the protection system, redundant sets of critical sensors are provided. In order to improve the availability of the plant, correlation between the signals produced by the redundant sensors is made a prerequisite to initiation of the response to thereby reduce the probability of spurious interruption of normal operations. For instance, typically four redundant sets of sensors are provided, and an indication by at least two out of the four sensors is required to actuate the emergency or safety system.
Some of the critical process conditions can be measured directly, such as pressurizer pressure in the case of a pressurized water reactor (PWR). Others are calculated from measured parameters, such as the departure from nucleate boiling ratio (DNBR) in the PWR. In either case, the existing condition is compared with a preselected limiting value, and if the limit is exceeded, a digital signal is generated. These digital signals will be referred to as protection system actuation signals and include trip signals, which are used to activate a system which shuts down or "trips" the reactor, and engineered safeguard actuation signals, which are used to initiate the operation of other plant emergency systems as is well known in the art. Since more than one such actuation signal is required to initiate the response, they are referred to as "partial trips" or "partial engineered safeguard actuation signals".
In the typical prior art system, the sensor signals are grouped for processing in channel sets with each channel set including one sensor signal from each set of redundant sensor signals, although in instances where a particularly expensive sensor is required to generate a signal, such a signal may not be included in every channel set. As previously mentioned, a common arrangement is to provide four redundant sensors for most parameters, which therefore, are arranged in four channel sets for processing. In the prior art systems, each channel set includes a number of analog circuits each of which converts the applied sensor signal(s) to the appropriate range, calculates the desired parameter from the measured values where necessary, compares the resultant signal with a selected limit value and generates a protection system actuation signal when the limit is exceeded. Typically, the inputs to the analog circuits are provided with surge protection, electrical isolation and a buffer stage. The outputs of the analog circuits are bistables which provide a fail safe indication of a partial trip or engineered safeguard actuation signal by remaining active under normal conditions and by going inactive when the appropriate limit is exceeded.
In the typical prior art protection system, the four partial trip and partial engineered safeguard actuation signals from each channel set for each parameter are applied to two redundant logic circuits which each perform the selected voting logic, such as two out of four as previously mentioned, on the partial protection system actuation signals. If two out of four of the corresponding partial actuation signals in either of the two logic circuits are inactive, appropriate emergency and safety control systems are actuated.
An example of a prior art protection system is shown in commonly assigned U.S. Pat. No. 3,888,772. This system includes a semi-automatic tester for the voting logic which is described in commonly owned U.S. Pat. No. 3,892,954. To test the voting logic, the partial protection system actuation signals are removed from the voting logic for all of the actuation functions in one logic train and then an operator manually positions a selector switch so that preprogrammed test signals are rapidly and automatically applied to one logic module in the train being tested. Upon the completion of the test, the operator advances the selector switch to the next logic module. The duration of the test signals is so short that the actuation devices do not have time to react to the actuation signals generated and monitored by the tester; however, as an extra precaution, and to provide the capability of manually generating test signals, bypass breakers can be provided to avoid undesired actuation of the emergency and safety actions.
A more recent form of an integrated protection system for a nuclear power plant is described in commonly owned U.S. Pat. No. 4,434,132 entitled "Power Supply with Nuclear Reactor". In this system, the redundant partial actuation signals generated by analog circuits are applied to four separate logic trains each of which performs the voting logic. The voting logic in each logic train or channel set is carried out in part by a microcomputer which exchanges information on partial actuations with a microcomputer in each of the other channel sets through fiber optic data links. If one of the sensors is out of service, its logic module in the assigned channel set can be bypassed singly, and the voting logic in the other channel sets for that actuation function only is changed by the associated microcomputer to two out of three. Each of the channel sets also contains a second microprocessor which monitors the status of the other channel sets and initiates bypassing of the entire channel set during testing of the individual actuation functions. A modification of this integrated protection system utilizing pulse logic is described in commonly owned U.S. patent application Ser. No. 546,604 filed on Oct. 17, 1983 and entitled "Pulsed Multichannel Protection System with Saturable Core Magnetic Logic Units".
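The two-out-of-four vote on fail-safe partial actuation signals described above, and the single bypass that reduces it to two out of three, can be sketched as follows. This is an added example, not code from the patents cited; the channel set names, the limit, the readings and the rule that only one channel set may be bypassed at a time are assumptions made for illustration.

```python
ACTIVE, INACTIVE = True, False   # bistable energized (normal) / de-energized (partial trip)

def bistable(value, limit):
    """Fail-safe high-limit comparator: a lost signal (None) reads as a partial trip."""
    return ACTIVE if value is not None and value <= limit else INACTIVE

def vote(partials, bypassed=(), required=2):
    """Vote on one actuation function.

    partials: {channel_set: bistable output}. Bypassed channel sets are
    excluded, so two-out-of-four becomes two-out-of-three.
    Returns (actuate, channel sets currently voting for actuation).
    """
    bypassed = set(bypassed)
    if len(bypassed) > 1:                      # assumption: single bypass only
        raise ValueError("only one channel set may be bypassed at a time")
    if not bypassed <= set(partials):
        raise ValueError("unknown channel set in bypass list")
    tripped = sorted(ch for ch, out in partials.items()
                     if ch not in bypassed and out == INACTIVE)
    return len(tripped) >= required, tripped

def evaluate(readings, limit, bypassed=()):
    """Run every channel set's reading through its bistable, then vote."""
    partials = {ch: bistable(v, limit) for ch, v in readings.items()}
    return vote(partials, bypassed)

# Constructed sample data (arbitrary units, hypothetical limit).
LIMIT = 100.0
NORMAL = {"I": 90.0, "II": 91.0, "III": 89.5, "IV": 90.2}
LOST_III = {**NORMAL, "III": None}             # sensor III out of service
HIGH_II_LOST_III = {**LOST_III, "II": 104.0}   # plus a real excursion on II

if __name__ == "__main__":
    cases = [
        ("normal", NORMAL, ()),
        ("III lost, no bypass", LOST_III, ()),
        ("III lost + II high, no bypass", HIGH_II_LOST_III, ()),
        ("III lost + II high, III bypassed", HIGH_II_LOST_III, ("III",)),
    ]
    for label, readings, byp in cases:
        actuate, tripped = evaluate(readings, LIMIT, byp)
        print(f"{label:34s} actuate={actuate} partial trips={tripped}")
```

Without the bypass, a failed sensor already holds one partial trip, so a single further excursion actuates the system; with the failed channel set bypassed, two of the remaining three must agree.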
All of these prior art systems utilize analog circuits for generating the partial trip and partial engineered safeguard actuation signals with all the attendant shortcomings of such circuits including: size, cost, power consumption, heat generation, stability, limited life and inflexibility.