The present invention relates to electronic modules used for controlling plant processes, or for protecting plant equipment such as nuclear power plant reactors.
For the purposes of this disclosure, the following definitions are utilized. The term "digital module" is defined as an assembly of electronic and structural components which can be installed and removed from an electronic system as one piece, and which is electrically connected to the system using one or more multi-circuit connectors, and which employs one or more digital processors to accept and manipulate input signals and generate output signals for process control, protection, or indication. The term "trip output contact" is defined as a mechanical or electronic relay contact which is part of a trip string. The term "trip string" is defined as a circuit consisting of a series connection of trip output contacts in which any of the contacts may open the circuit and deenergize (trip) the load fed by the string. The function of a trip string is to shut down a process in order to prevent damage to equipment or danger to public safety.
Prior art digital modules used in protection systems compute their protection functions, in whole or in part, using a single processor. These modules do not have an additional processor of diverse design that computes the same protection function. Therefore, a design fault in the processor or a peculiar susceptibility of the processor design to external influences will result in the failure of the processor to compute the protection function. If a multiple channel protection system uses the same type of digital module to compute the same protection function in each channel, the common failure mode susceptibility of the one processor design can result in the failure of the system to perform the protection function. For example, a design fault which causes a processor in a channel to cease operation due to an induced electrical transient can theoretically cause the counterpart processors in the remaining channels to also cease operation in the presence of the same transient. Common mode failures such as these can render a control or protection system inoperable, regardless of the number of redundant channels.
In prior art digital modules, a nameplate or label attached to the module is typically used to indicate the system function programmed into the module. This identification technique relies on individual diligence of those installing the label to assure correct labelling. Therefore, unless each module is tested to verify its function, it is possible that a labelling error can remain undetected and result in improper system operation. Also, this technique does not provide an electronic error indication when a digital module is inserted into an incorrect location in the system rack.
Control and protection system modules read process signals generated by the monitored plant process and use the data from these signals in control or protection algorithms. In order to verify the operability of the modules, test input signals are substituted for the process signals, and the module output response is compared to an expected correct response. For prior art modules, the input signal substitution usually requires that the process signal wires be disconnected from the modules and test signals connected in their place. This process is time consuming and creates the potential for errors in reconnecting the process signal wires after the test has been completed. An alternative method of the prior art is to accomplish selection between the test and process signals using switching means external to the module. The additional external switching hardware increases the cost and space requirements of the system.
Prior art testing of a series of module trip output contacts arranged in a trip string consists of tripping one or more module trip output contacts and observing the actual response of the trip string load. This test method does not provide a direct measurement of the operability and effect of a particular trip output contact on the trip string.
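The following model is an added illustration, not part of the original disclosure. It shows how observing only the trip string load can hide a failed contact when more than one contact is tripped in the same test. The contact names, the stuck-closed fault and all function names are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Contact:
    name: str
    stuck_closed: bool = False    # constructed fault: the contact cannot open
    commanded_open: bool = False  # trip command from the module

    def is_closed(self) -> bool:
        # A healthy contact opens when commanded; a stuck contact stays closed.
        return self.stuck_closed or not self.commanded_open

def build_string(faulty=()):
    """Series trip string of three contacts A, B, C (constructed sample)."""
    return [Contact(n, stuck_closed=(n in faulty)) for n in ("A", "B", "C")]

def load_energized(string) -> bool:
    # Series connection: the load is fed only while every contact is closed.
    return all(c.is_closed() for c in string)

def load_only_test(string, names) -> bool:
    """Trip the named contacts and observe only the load.
    Returns True when the load deenergized, i.e. the test appears to pass."""
    for c in string:
        c.commanded_open = c.name in names
    tripped = not load_energized(string)
    for c in string:
        c.commanded_open = False  # restore the string after the test
    return tripped

def single_contact_sweep(string):
    """Trip one contact at a time; return the contacts that failed to drop the load."""
    return [c.name for c in string if not load_only_test(string, {c.name})]

if __name__ == "__main__":
    s = build_string(faulty={"B"})
    # A opens and drops the load, so the stuck contact B goes unnoticed.
    print("trip A+B, load tripped:", load_only_test(s, {"A", "B"}))
    print("contacts found faulty one at a time:", single_contact_sweep(s))
```

In this model the combined test passes even though contact B never opens. Tripping the contacts one at a time isolates the fault, but each step still infers the contact state from the load and deenergizes the load on every healthy contact.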
Some modules used in reactor protection systems perform two or more protection functions using a common input parameter, for example, reactor coolant pressure. Due to the dependency of the functions on the common input, prior art modules have no provisions for separately testing each function automatically.
Typical prior art digital module construction uses printed circuit boards which plug in at one end of each board to connectors which interface to the other electronics in the module. When analog and digital signals are utilized on the same board, using this connection arrangement means that both types of signals must pass through the same connector, and therefore must be routed in relatively close proximity to each other. This condition increases the potential for digital signal noise to be induced into the analog circuits and to degrade the analog signals. The single connector usually does not provide sufficient mechanical support to hold the board in place, particularly if the module must withstand seismic events. Therefore, additional hardware, such as card guides, must be used to retain the board in place, thus adding to the cost of manufacturing the module.