1. Field of the Invention
This invention is directed to a safety or protection system and, more particularly, to such a system for a critical process such as a nuclear power plant.
2. Background Information
Many safety or protection systems require duplication in at least some portions of the system for safety and reliability. This duplication may take the form of redundant systems. For example, duplicate sensors, controllers, actuators and communication channels may be provided in separate independent subsystems to perform the identical function. Typically, in such a redundant case, the hardware and logic are identical in each of the subsystems.
In other cases, multiple, identical channels are provided to generate independent control signals which are voted to determine the final control signal to be applied to a single component. For instance, in a nuclear power plant, it is common to have protection systems which include four separate channels, each with its own sensors and controllers for generating a reactor trip signal in response to certain conditions in the plant. Voting logic trips the plant only if, for instance, two or more of the four channels generate a channel trip signal. In this instance also, it is conventional to have identical hardware and logic in each channel, thereby providing redundancy. See, for example, U.S. Pat. No. 4,804,515.
There is a growing concern over common mode failures in redundant safety or protection systems. By a common mode failure is meant simultaneous, similar failures in corresponding elements, hardware or software, of the system; because the redundant channels are identical, a single defect in design, hardware or software can disable all of them at once, so that redundancy alone provides no protection against it. One application for which these concerns are raised is the retrofitting of existing process control systems, like some existing nuclear power plants, where it is desired to control a single component with commands from two separate subsystems.
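As an added example (not code from the patent or from the applications it cites), the following Python models the two-of-four coincidence voting described above and shows why identical channels give no protection against the common mode failure just described. The channel states, the pressure units and setpoint values, and the fail-safe rule that a faulted channel counts toward a trip are assumptions of this example, not statements from the patent.

```python
"""m-of-n coincidence voting for a multi-channel protection system.

Added example; not code from the patent. Channel states, units and the
fail-safe handling of a faulted channel are assumptions of this example.
"""
from enum import Enum
from typing import Sequence


class ChannelState(Enum):
    NO_TRIP = "no_trip"
    TRIP = "trip"
    FAULT = "fault"  # channel self-diagnosed failure (sensor out of range)


def channel_decision(pressure_psi: float, trip_setpoint_psi: float,
                     valid_range=(0.0, 3000.0)) -> ChannelState:
    """One channel's trip logic: trip when pressure exceeds the setpoint.

    A reading outside the sensor's valid range (assumed 0..3000 psi) is
    reported as FAULT rather than silently treated as NO_TRIP.
    """
    lo, hi = valid_range
    if not (lo <= pressure_psi <= hi):
        return ChannelState.FAULT
    if pressure_psi > trip_setpoint_psi:
        return ChannelState.TRIP
    return ChannelState.NO_TRIP


def coincidence_vote(states: Sequence[ChannelState], required: int = 2,
                     fault_as_trip: bool = True) -> bool:
    """Trip when at least `required` of the n channels demand a trip.

    With fault_as_trip=True (fail-safe bias, an assumption of this example)
    a faulted channel counts toward the trip total, so a failed channel moves
    the system toward tripping instead of masking a real trip demand.
    """
    if not 1 <= required <= len(states):
        raise ValueError("required must be between 1 and the number of channels")
    demanding = sum(
        1 for s in states
        if s is ChannelState.TRIP or (fault_as_trip and s is ChannelState.FAULT)
    )
    return demanding >= required


def protection_trip(readings: Sequence[float], setpoint_psi: float,
                    required: int = 2) -> bool:
    """Four identical channels, each with its own sensor reading, voted m-of-n."""
    states = [channel_decision(r, setpoint_psi) for r in readings]
    return coincidence_vote(states, required)


if __name__ == "__main__":
    # Constructed readings (psi) from four channels against a 2250 psi setpoint.
    print(protection_trip([2300, 2310, 2100, 2090], 2250))  # two channels trip: True
    print(protection_trip([2300, 2100, 2100, 2090], 2250))  # one spurious channel: False
    # Common mode failure: every channel runs the same logic with the same wrong
    # setpoint (2500 instead of 2250), so all four fail to trip together and the
    # vote cannot compensate.
    print(protection_trip([2300, 2310, 2320, 2305], 2500))  # False
```

The first two calls show what two-of-four voting buys: a single spurious or failed channel cannot trip the plant, and a single silent channel cannot block a trip. The last call is the common mode case: the four channels are identical, so a shared defect (here a wrong setpoint, assumed for illustration) defeats all of them simultaneously and the voting logic is never given a trip signal to count. Diverse channel logic, as discussed below, is what addresses that case; this example does not model it.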
As disclosed in U.S. patent application Ser. No. 08/557,532, filed Nov. 14, 1995, it is known in prior art instrumentation and control systems to utilize diverse redundant primary and backup control mechanisms, in which the processors and/or the software used in the primary and backup mechanisms are different, in order to preclude common mode failures. In the case of control mechanisms incorporating digital processors, different types of processors (e.g., from different manufacturers) are used to run different routines (e.g., implemented in different software languages) that implement common algorithms, so that a defect in one processor type or one implementation is unlikely to be reproduced in the other. Although diverse redundant control mechanisms are known, further improvements are possible.
As disclosed in U.S. patent application Ser. No. 08/628,586, filed Apr. 4, 1996, it is also known to employ reflective memories for transmitting sensor signals and control signals between a modeling or simulation system and a stimulation system for such modeling or simulation system.
There is a need, therefore, for an improved safety or protection system which minimizes the possibility of common mode failures.