(1) Field of the Invention
The present invention is applicable to industrial process monitoring and control. The present invention is particularly directed toward safety critical control systems, including nuclear plant reactor protection systems, where reliability and integrity are of the highest importance.
(2) Description of Related Art
In the field of industrial control systems, including process control systems, redundant monitoring and control paths are used to ensure reliable operation. In the nuclear power industry, it is common to use several levels of redundancy to assure that a particular measurement is known to be valid. In nuclear power plants, independent shut-down and safe-operation systems are added to monitor operational and safety related parameters throughout the control processes. In the event a measurement indicates an unsafe condition, the system enters a safe operational mode or, alternatively, operates safely according to predetermined logic. It is critical that the safety related control system, known as a plant protection system, operate with an exceptionally high level of reliability and predictability.
One difficulty in creating a reliable plant protection system is the use of a software based microprocessor. Software has inherent operational problems that are difficult to resolve: even relatively simple systems require a significant amount of program code, and every defect in that code is reproduced in every copy of it. A software-microprocessor system is therefore subject to common mode failure, where redundant systems fail simultaneously under the same fault condition.
In spite of the redundancy that may be included within software-microprocessor systems, a fault may occasionally affect enough of the redundant functions that it is not possible to correctly select a non-faulty result, and the system experiences a common-mode failure. The common-mode failure may result from a single fault or from several faults. Redundancy protects against independent faults in individual channels; it does not protect against a fault that is common to all channels, and redundant copies of the same software fail together under the same fault.
The common-mode fault, in particular, makes software-microprocessor systems undesirable in a plant protection system.
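The following simulation is an added illustration, not part of the patent, of the distinction drawn above between an independent channel fault and a common-mode fault. It uses a 2-out-of-3 majority voter over three redundant channels running the same software. The trip setpoint, the channel logic, and the defect injected into it (a wraparound that misreads very high readings as low) are assumptions made for the example; they do not describe any real protection system.

```python
"""Added example (not from the patent): a 2-out-of-3 voter over three
redundant channels, showing that redundancy masks an independent fault
in one channel but gives no protection when all channels share a fault.

TRIP_SETPOINT_C, channel_buggy and the injected defect are assumptions
made for illustration only.
"""
from collections import Counter
from typing import Callable, Dict, List

TRIP_SETPOINT_C = 350.0   # assumed trip setpoint for a temperature channel

Channel = Callable[[float], bool]


def channel_buggy(temp_c: float) -> bool:
    """One copy of the channel software. Assumed defect: readings above
    400 C wrap around and are compared as if they were 400 C lower."""
    if temp_c > 400.0:
        temp_c = temp_c - 400.0        # the shared software defect
    return temp_c >= TRIP_SETPOINT_C


def channel_correct(temp_c: float) -> bool:
    """Reference channel without the defect."""
    return temp_c >= TRIP_SETPOINT_C


def stuck_channel(temp_c: float) -> bool:
    """Independent hardware-style fault in one channel: its input is stuck
    at a stale 300 C reading regardless of the real process value."""
    return channel_buggy(300.0)


def vote_2oo3(votes: List[bool]) -> bool:
    """2-out-of-3 majority: demand a trip when at least two channels do."""
    assert len(votes) == 3
    return Counter(votes)[True] >= 2


def channels_disagree(votes: List[bool]) -> bool:
    """A disagreement monitor can flag an independent fault; under a
    common-mode fault all channels agree on the wrong answer."""
    return len(set(votes)) > 1


def decide(channels: List[Channel], temp_c: float) -> Dict[str, bool]:
    votes = [ch(temp_c) for ch in channels]
    return {"trip": vote_2oo3(votes), "disagree": channels_disagree(votes)}


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    identical = [channel_buggy, channel_buggy, channel_buggy]
    one_fault = [channel_buggy, stuck_channel, channel_buggy]
    reference = [channel_correct, channel_correct, channel_correct]
    return {
        # Unsafe reading, healthy channels: trip demanded.
        "identical_380": decide(identical, 380.0),
        # Independent fault in one channel: masked by the voter, and the
        # disagreement is visible so the fault can be alarmed.
        "one_fault_380": decide(one_fault, 380.0),
        # Common-mode fault: every copy misreads 450 C, no trip, and the
        # channels agree, so neither the voter nor a monitor sees it.
        "identical_450": decide(identical, 450.0),
        # Correct software on the same input, for comparison.
        "reference_450": decide(reference, 450.0),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: trip={result['trip']} disagree={result['disagree']}")
```

The point of the comparison is the third scenario: the voter and the disagreement monitor both report nothing wrong, because the fault is in the software every channel shares rather than in any one channel.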
Others have worked on various aspects of plant protection systems. For example, U.S. Pat. No. 6,701,258 describes a system for a plant protection system utilizing distributed voting logic. The system does not include sufficient redundancy in communications or control logic to be suitable for a safety critical system.
U.S. Pat. No. 6,167,547 describes a fault logic scheme for a plant protection system. Although a logic decision structure is described, it is only a small part of an actual plant protection system. Other vital features needed for redundant and reliable system monitoring are not described.
U.S. Pat. No. 4,804,515 describes a redundant path system suitable for a very complicated control system. Independent channels measure and communicate the same process information and are monitored by software based microcomputers. The parallel configuration and redundancy require many software based microcomputers. The complexity of the system increases the number of components and therefore reduces the reliability of the system.
Others have worked on controller systems. The following US patents describe microprocessor based programmable controller systems which rely on software programming: U.S. Pat. No. 5,978,593, U.S. Pat. No. 5,056,001, U.S. Pat. No. 4,839,852, U.S. Pat. No. 4,442,504, U.S. Pat. No. 4,326,263, U.S. Pat. No. 4,249,248, and U.S. Pat. No. 3,942,158. They all have the problems of software based systems described above, and they have not been architecturally designed with the kind of redundancy suitable for a safety critical system or a system demanding high reliability.
U.S. Pat. No. 4,535,456 describes a method of monitoring one microprocessor by utilizing another microprocessor. It does not operate redundant or duplicated control logic in parallel, and it is therefore undesirable for a safety critical system or a system demanding high reliability.