The present invention relates to a process for the automatic signalling of faults of a static automatic module and a module for realising the process. It is utilised in the construction of automatic safety systems which can be used for controlling the satisfactory operation of certain equipment or installations, such as for example nuclear reactors.
An automatic safety unit receives data from sensors (for example thermocouples, radiation detectors, etc.) and controls the safety devices (for example valves, control rods, etc.) in such a way that if one of the parameters measured by the sensors passes out of the safety range assigned to it, the safety members are actuated to prevent any risk of an accident.
The term static automatic unit is generally understood to mean an automatic unit whose operation is based on stable logic states which can be assumed by its components, as opposed to so-called dynamic automatic units, in which at least one of the states corresponds to a commutation from one state to another, for example the commutation from the 0 state into the 1 state.
The module according to the present invention advantageously functions according to a so-called "summation increase logic." This means that the logic output signal is the arithmetic sum of the elementary signals supplied by the different logic channels. If there are, for example, four elementary logics in parallel distributed into two half-blocks of two logics each, the arithmetic sum of the four elementary signals is formed at the logic output. If three of the four signals are sufficient for maintaining the output summation logic state, a three/four redundancy is obtained.
When the first fault of a three/four redundancy summation logic system appears, nothing happens and the operating safety is ensured. However, it is indispensable to supplement such a system with fault signalling so that the fault can be remedied immediately, because a second fault could appear which, on this occasion, would cause an output logic fault.
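The three/four summation logic described above, as an added Python example that is not part of the original text. It assumes a stuck-at fault model (a faulty channel is frozen at 0 or 1), that 1 means "parameter in range", and a simple disagreement check as the signalling rule; none of these is the invention's own signalling means.

```python
from itertools import combinations, product

CHANNELS = 4   # four elementary logics in parallel (from the text)
THRESHOLD = 3  # three of four signals maintain the output state (from the text)

def channel_outputs(in_range, stuck):
    """Elementary signals: 1 = parameter in range, 0 = safety action demanded.
    `stuck` maps channel index -> forced value (assumed stuck-at fault model)."""
    healthy = 1 if in_range else 0
    return [stuck.get(i, healthy) for i in range(CHANNELS)]

def output_maintained(signals):
    """Summation logic: output state holds while the arithmetic sum >= THRESHOLD."""
    return sum(signals) >= THRESHOLD

def fault_signalled(signals):
    """Assumed signalling rule: flag any disagreement between the channels."""
    return 0 < sum(signals) < CHANNELS

def output_faults(n_faults):
    """All combinations of n stuck-at faults for which the summed output
    differs from what the true state of the measured parameter requires."""
    bad = []
    for chans in combinations(range(CHANNELS), n_faults):
        for values in product((0, 1), repeat=n_faults):
            stuck = dict(zip(chans, values))
            for in_range in (True, False):
                signals = channel_outputs(in_range, stuck)
                if output_maintained(signals) != in_range:
                    bad.append((stuck, in_range, sum(signals)))
    return bad

def active_single_faults():
    """Each single fault that flips one channel: (output correct, signalled)."""
    results = []
    for ch in range(CHANNELS):
        for in_range in (True, False):
            signals = channel_outputs(in_range, {ch: 0 if in_range else 1})
            results.append((output_maintained(signals) == in_range,
                            fault_signalled(signals)))
    return results

if __name__ == "__main__":
    print("single faults causing an output fault:", len(output_faults(1)))
    print("double faults causing an output fault:", len(output_faults(2)))
    for stuck, in_range, total in output_faults(2):
        print(f"  stuck={stuck} parameter_in_range={in_range} sum={total}")
```

Under these assumptions no single fault changes the output, while the double faults that do are the six pairs of channels stuck at 0 with the parameter in range, where the sum drops to 2.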
It is possible to use a periodic test procedure for the elements of the system in order to check their satisfactory operation. However, this procedure is relatively little used because the test period must be short: since the redundant elements are identical, the probability of successive faults in the early and late periods of the system is relatively great.
No matter what type of test device is used, it must be infallible, which is the cause of the high price of redundant systems. For a closer definition of the price, it is necessary to take as a basis the conventional undervoltage electromechanical relay, which gives a modest degree of safety or security limited to the orientation of the most frequently occurring faults (the undervoltage controlling the safety action). The price of three/four redundancy systems with signalling of faults and the possibility of replacing the defective component without interrupting the operation of the complete system is about four to five times that of the electromechanical relay.
In the present invention, consideration is given to automatic units having substantially the same performance (safety, fault signalling, possibility of fault clearance with the system operating) but which lead to a lower price, of the order of 1.6 to 2 times the price of an ordinary electromagnetic relay.
The price is much the same as that of validation and 2-redundancy systems, in which a comparator validates the commands in the case of agreement and blocks them in the case of non-agreement; said comparator is not generally redundant but is periodically checked. The system according to the invention, whose price is much the same, performs better than validation and 2-redundancy systems because it is equipped with automatic signalling means which have absolute security.