The present invention relates to digital plant protection systems for nuclear power plants and, more particularly, to a Digital Plant Protection System (DPPS) for pressurized water reactors.
In nuclear power plants, independent shut-down and safe-operation systems are dedicated to monitoring plant operation and evaluating numerous safety-related parameters. In the event one or more measured parameters indicate the existence of an unsafe condition, the shut-down system designed to mitigate the effects of an anticipated transient condition and/or the safe-operation system can automatically effect the appropriate remedial action. It is imperative that these safety control systems, known as plant protection systems, operate reliably, and accordingly, it is imperative that all measured and sensed parameters be valid.
In the context of nuclear plant protection systems, it is not uncommon to measure a multitude of parameters related to plant operation. These parameters include, for example, temperatures, pressures, flow rates, power density, neutron flux, fluid levels etc. Other functions of the plant protection system include the status-monitoring of various components including valves, pumps, motors, control devices and generators.
Additionally, the plant protection system, under certain defined conditions, may initiate a reactor trip (RT), i.e., the rapid, controlled, and safe shut-down of the reactor by actuating various field systems and remote actuation devices. In the case of a pressurized light water reactor, the shut-down is often accomplished by the dropping of moderating control rods into the reactor core to cause the reactor to become sub-critical.
In co-pending U.S. application Ser. No. 08/848,556 noted above, an invention for use in the nuclear industry is disclosed for providing an Automatic Self-Testing system for remote sensors utilizing multi-sensor, multi-channel redundant monitoring and control circuits. The system senses or measures a parameter by a plurality of independent and sensor specific processing paths, each of which is provided with parallel redundant sub-paths that can each be sequentially inserted into the processing path to effect normal processing or be disassociated from the processing path to effect testing. Each sensor provides, either directly or indirectly, a digital value to a comparator which compares the measured value with a predetermined value that is, in turn, provided to coincidence logic that evaluates the output of its comparator with the input of the comparators of the other processing paths to provide an output indicative of a pass/fail condition. That invention advantageously provides an automatic self-testing system for verifying both the signal path processing functions and the validity of various logic states in parameter sensing systems, particularly parameter sensing systems using multiple redundant processing paths.
In copending U.S. Provisional Application Ser. No. 60/048,923, noted above, an invention for use in the nuclear industry is disclosed for providing a Digital Engineered Safety Features Actuation System (DESFAS) which acts as an interface between a Plant Protection System and Engineered Safety Features in a nuclear power plant. The DESFAS continuously monitors the Plant Protection System initiation circuit for each remotely actuated Engineered Safety Feature system to effect remedial action in the event that the Plant Protection System generates a `trip` signal. By using actuation inputs from the Plant Protection System and manual, operator implemented inputs, controls are provided for remote equipment components, such as solenoid valves, motor operated valves, pumps, fans and dampers. Together, the DPPS of the present invention, the Automatic Self Testing System described above and the DESFAS described above constitute a nuclear plant reactor protection system.
Most plant protection systems in use are of the analog variety in which analog values are processed via dedicated hard-wiring to various active devices, e.g., operational amplifiers. These systems are typically complex and require substantial maintenance. More problematic, however, is the functional "drift" associated with the use of numerous operational amplifiers.
Operational amplifier drift is a condition in which the gain of the amplifier changes over time, usually due to the aging of the semiconductor material and the resistive and capacitive devices within the operational amplifier.
As can be appreciated, in a worst case situation, drift errors can concatenate to produce less than valid output values. Analog systems can be particularly difficult to troubleshoot where the problem is an out of specification component that is otherwise fully operational. Thus, the problem of locating those operational amplifiers that have drifted to an out-of-specification condition can be time consuming and, of course, expensive.
The problem of operational amplifier drift has been addressed at the design stage by incorporating risk/uncertainty factors that are larger than those required if drift was not a problem. These risk/uncertainty factors oftentimes require the power plant to operate at lower power output levels than otherwise would be possible.